Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 7867a173 by Salvatore Bonaccorso at 2018-03-10T10:42:30+01:00 Update first entries included in 9.4 - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== --- a/data/CVE/list +++ b/data/CVE/list @@ -6622,7 +6622,7 @@ CVE-2018-5749 (install.php in Minecraft Servers List Lite before commit c1cd164 NOT-FOR-US: Minecraft Servers List Lite CVE-2018-5748 (qemu/qemu_monitor.c in libvirt allows attackers to cause a denial of ...) - libvirt 4.0.0-1 (bug #887700) - [stretch] - libvirt <no-dsa> (Minor issue) + [stretch] - libvirt 3.0.0-4+deb9u2 [jessie] - libvirt <no-dsa> (Minor issue) [wheezy] - libvirt <postponed> (Can be fixed in a later update) NOTE: https://www.redhat.com/archives/libvir-list/2017-December/msg00749.html @@ -8414,7 +8414,7 @@ CVE-2018-5079 (In K7 AntiVirus 15.1.0306, the driver file (K7FWHlpr.sys) allows NOT-FOR-US: K7 AntiVirus CVE-2017-18021 (It was discovered that QtPass before 1.2.1, when using the built-in ...) - qtpass 1.2.1-1 - [stretch] - qtpass <no-dsa> (default setup in Debian is not affected) + [stretch] - qtpass 1.1.6-1+deb9u1 NOTE: https://lists.zx2c4.com/pipermail/password-store/2018-January/003165.html NOTE: https://github.com/IJHack/QtPass/issues/338 CVE-2017-18020 (On Samsung mobile devices with L(5.x), M(6.x), and N(7.x) software and ...) @@ -11120,7 +11120,7 @@ CVE-2017-1000427 (marked version 0.3.6 and earlier is vulnerable to an XSS attac NOTE: nodejs not covered by security support CVE-2017-1000426 (MapProxy version 1.10.3 and older is vulnerable to a Cross Site ...) - mapproxy 1.10.4-1 (low) - [stretch] - mapproxy <no-dsa> (Minor issue) + [stretch] - mapproxy 1.9.0-3+deb9u1 NOTE: https://github.com/mapproxy/mapproxy/issues/322 NOTE: https://github.com/mapproxy/mapproxy/commit/2e102843203c11b02c002daa08ca59d05d5eff5a (master) NOTE: https://github.com/mapproxy/mapproxy/commit/87faa667007b00ef11ee09b16707aa9ad2e8da28 (1.10.x) 
@@ -17728,6 +17728,7 @@ CVE-2017-17532 (examples/framework/news/news3.py in Kiwi 1.9.22 does not validat NOTE: Only in examples code, negligible impact CVE-2017-17531 (gozilla.c in GNU GLOBAL 4.8.6 does not validate strings before ...) - global 6.6.1-1 (unimportant; bug #884912) + [stretch] - global 6.5.6-2+deb9u1 NOTE: https://sources.debian.org/src/global/4.8.6-2/gozilla/gozilla.c/#L269 CVE-2017-17530 (common/help.c in Geomview 1.9.5 does not validate strings before ...) - geomview <unfixed> (unimportant) @@ -17826,7 +17827,7 @@ CVE-2017-17512 (sensible-browser in sensible-utils before 0.0.11 does not valida CVE-2017-17511 (KildClient 3.1.0 does not validate strings before launching the program ...) {DLA-1210-1} - kildclient 3.2.0-1 (bug #885007) - [stretch] - kildclient <no-dsa> (Minor issue) + [stretch] - kildclient 3.1.0-1+deb9u1 [jessie] - kildclient <no-dsa> (Minor issue) NOTE: https://sources.debian.org/src/kildclient/3.1.0-1/src/worldgui.c/?hl=1159#L1159 NOTE: https://sources.debian.org/src/kildclient/3.1.0-1/src/prefs.c/?hl=324#L324 @@ -22242,7 +22243,7 @@ CVE-2017-1000126 (exiv2 0.26 contains a Stack out of bounds read in webp parser NOTE: https://github.com/Exiv2/exiv2/issues/175 CVE-2017-16879 (Stack-based buffer overflow in the _nc_write_entry function in ...) - ncurses 6.0+20171125-1 (bug #882620) - [stretch] - ncurses <no-dsa> (Minor issue) + [stretch] - ncurses 6.0+20161126-1+deb9u2 [jessie] - ncurses <no-dsa> (Minor issue) [wheezy] - ncurses <ignored> (Minor issue) NOTE: PoC https://packetstormsecurity.com/files/download/145045/tic-overflow.tgz 
@@ -29094,13 +29095,13 @@ CVE-2017-14697 RESERVED CVE-2017-14696 (SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and ...) - salt 2016.11.8+dfsg1-1 (bug #879090) - [stretch] - salt <no-dsa> (Minor issue) + [stretch] - salt 2016.11.2+ds-1+deb9u1 [jessie] - salt <no-dsa> (Minor issue) NOTE: Fixed by: https://github.com/saltstack/salt/commit/5f8b5e1a0f23fe0f2be5b3c3e04199b57a53db5b NOTE: Fixed by: https://github.com/saltstack/salt/commit/89e084bda356739de645c15e7d1968afebdcc56e (2016.11) CVE-2017-14695 (Directory traversal vulnerability in minion id validation in SaltStack ...) - salt 2016.11.8+dfsg1-1 (bug #879089) - [stretch] - salt <no-dsa> (Minor issue) + [stretch] - salt 2016.11.2+ds-1+deb9u1 [jessie] - salt <no-dsa> (Minor issue) NOTE: Fixed by: https://github.com/saltstack/salt/commit/80d90307b07b3703428ecbb7c8bb468e28a9ae6d NOTE: Fixed by: https://github.com/saltstack/salt/commit/206ae23f15cb7ec95a07dee4cbe9802da84f9c42 (2016.11) @@ -29339,7 +29340,7 @@ CVE-2017-14624 (ImageMagick 7.0.7-0 Q16 has a NULL Pointer Dereference vulnerabi NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/9ff805077fd5297dc41dc989f9dba59877e12f97 CVE-2017-14623 (In the ldap.v2 (aka go-ldap) package through 2.5.0 for Go, an attacker ...) - golang-github-go-ldap-ldap 2.5.1-1 (low; bug #876404) - [stretch] - golang-github-go-ldap-ldap <no-dsa> (Minor issue) + [stretch] - golang-github-go-ldap-ldap 2.4.1-1+deb9u1 NOTE: https://github.com/go-ldap/ldap/pull/126 NOTE: https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66 CVE-2017-14622 (Multiple cross-site scripting (XSS) vulnerabilities in the 2kb Amazon ...) 
@@ -34955,7 +34956,7 @@ CVE-2017-12792 (Multiple cross-site request forgery (CSRF) vulnerabilities in Ne NOT-FOR-US: NexusPHP CVE-2017-12791 (Directory traversal vulnerability in minion id validation in SaltStack ...) - salt 2016.11.8+dfsg1-1 (bug #872399) - [stretch] - salt <no-dsa> (Minor issue) + [stretch] - salt 2016.11.2+ds-1+deb9u1 [jessie] - salt <no-dsa> (Minor issue) NOTE: https://github.com/saltstack/salt/pull/42944 NOTE: https://github.com/saltstack/salt/commit/6366e05d0d70bd709cc4233c3faf32a759d0173a @@ -36839,7 +36840,7 @@ CVE-2017-12134 (The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c NOTE: https://git.kernel.org/linus/462cdace790ac2ed6aad1b19c9c0af0143b6aab0 (v4.13-rc6) CVE-2017-12133 (The DNS stub resolver in the GNU C Library (glibc) before version ...) - glibc 2.24-15 (bug #870648) - [stretch] - glibc <no-dsa> (Minor issue) + [stretch] - glibc 2.24-11+deb9u2 [jessie] - glibc <no-dsa> (Minor issue) - eglibc <removed> [wheezy] - eglibc <no-dsa> (Minor issue) @@ -41660,7 +41661,7 @@ CVE-2017-9869 (The II_step_one function in layer2.c in mpglib, as used in ...) CVE-2017-9868 (In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is ...) {DLA-1146-1} - mosquitto 1.4.14-1 (bug #865959) - [stretch] - mosquitto <no-dsa> (Minor issue) + [stretch] - mosquitto 1.4.10-3+deb9u1 [jessie] - mosquitto <no-dsa> (Minor issue) NOTE: https://github.com/eclipse/mosquitto/issues/468 NOTE: https://github.com/eclipse/mosquitto/commit/09cb1b61c8f48284d9c42bd911faa7525cc689c7 
@@ -45349,17 +45350,17 @@ CVE-2017-9261 (In ImageMagick 7.0.5-6 Q16, the ReadMNGImage function in coders/p NOTE: https://github.com/ImageMagick/ImageMagick/commit/01d522e990aa57cbe67d222dd5e8f7196cc6d199 CVE-2017-9260 (The TDStretchSSE::calcCrossCorr function in ...) - soundtouch 1.9.2-3 (low; bug #870857) - [stretch] - soundtouch <no-dsa> (Minor issue) + [stretch] - soundtouch 1.9.2-2+deb9u1 [jessie] - soundtouch <no-dsa> (Minor issue) [wheezy] - soundtouch <no-dsa> (Minor issue) CVE-2017-9259 (The TDStretch::acceptNewOverlapLength function in ...) - soundtouch 1.9.2-3 (low; bug #870856) - [stretch] - soundtouch <no-dsa> (Minor issue) + [stretch] - soundtouch 1.9.2-2+deb9u1 [jessie] - soundtouch <no-dsa> (Minor issue) [wheezy] - soundtouch <no-dsa> (Minor issue) CVE-2017-9258 (The TDStretch::processSamples function in ...) - soundtouch 1.9.2-3 (low; bug #870854) - [stretch] - soundtouch <no-dsa> (Minor issue) + [stretch] - soundtouch 1.9.2-2+deb9u1 [jessie] - soundtouch <no-dsa> (Minor issue) [wheezy] - soundtouch <no-dsa> (Minor issue) CVE-2017-9257 (The mp4ff_read_ctts function in common/mp4ff/mp4atom.c in Freeware ...) 
@@ -50862,7 +50863,7 @@ CVE-2017-7537 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470817 CVE-2017-7536 (In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it ...) - libhibernate-validator-java 4.3.3-4 (bug #885577) - [stretch] - libhibernate-validator-java <no-dsa> (Minor issue) + [stretch] - libhibernate-validator-java 4.3.3-1+deb9u1 [jessie] - libhibernate-validator-java <not-affected> (Vulnerable code introduced in 4.3) [wheezy] - libhibernate-validator-java <not-affected> (Vulnerable code introduced in 4.3) NOTE: https://github.com/hibernate/hibernate-validator/commit/0ed45f37c4680998167179e631113a2c9cb5d113 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7867a173d0348da7341b40c9459898b9e1ecc6c5 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7867a173d0348da7341b40c9459898b9e1ecc6c5 You're receiving this email because of your account on salsa.debian.org.
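Review bot: in the `@@ -8414,7 +8414,7 @@` hunk (CVE-2017-18021, qtpass), the removed `[stretch] - qtpass <no-dsa>` line carried the rationale "default setup in Debian is not affected", and that context is lost when the line is replaced with `1.1.6-1+deb9u1`. If the observation about the default configuration is still accurate, consider keeping it as a `NOTE:` line under the entry so readers of the tracker can see why the issue was previously deferred.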
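Review bot: the `@@ -17728,6 +17728,7 @@` hunk (CVE-2017-17531, global) differs from the rest of the commit in that it inserts a new `[stretch] - global 6.5.6-2+deb9u1` line rather than replacing an existing `<no-dsa>` entry (the hunk grows from 6 to 7 lines), while the unstable entry stays flagged `(unimportant; bug #884912)`. Since no prior stretch line existed to be superseded, please double-check that this entry is indeed among the ones shipped in 9.4 and that the `unimportant` severity on the unstable line is still what the tracker should show alongside a stable update.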
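Review bot: across the `@@ -29094,13 +29095,13 @@` and `@@ -34955,7 +34956,7 @@` hunks, CVE-2017-14695 and CVE-2017-12791 carry the identical description "Directory traversal vulnerability in minion id validation in SaltStack ..." and are now both mapped to `salt 2016.11.2+ds-1+deb9u1`, each with its own upstream commit in the `NOTE:` lines. A short `NOTE:` cross-referencing the two entries would help anyone auditing the stretch update understand that both IDs are addressed by the same package version without assuming they are duplicates.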
_______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits