Author: sectracker
Date: 2017-04-28 09:10:13 +0000 (Fri, 28 Apr 2017)
New Revision: 51140

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===================================================================
--- data/CVE/list       2017-04-28 08:57:54 UTC (rev 51139)
+++ data/CVE/list       2017-04-28 09:10:13 UTC (rev 51140)
@@ -38,8 +38,7 @@
        NOT-FOR-US: RIOS OS
 CVE-2017-8288 (gnome-shell 3.22 through 3.24.1 mishandles extensions that fail 
to ...)
        - gnome-shell <unfixed>
-CVE-2017-8305 [Buffer overflow in own strlcpy implementation]
-       RESERVED
+CVE-2017-8305 (The UDFclient (before 0.8.8) custom strlcpy implementation has 
a buffer ...)
        - udfclient <unfixed> (bug #861347)
 CVE-2017-8301 (LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if 
...)
        - libressl <itp> (bug #754513)
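Review bot: the new CVE-2017-8305 description says UDFclient is affected "before 0.8.8", but the package line under it still reads `- udfclient <unfixed> (bug #861347)`. Now that a fixed upstream version is named, check which udfclient version is in the archive and replace `<unfixed>` with the fixed Debian version once 0.8.8 or later is uploaded.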
@@ -177,7 +176,7 @@
        RESERVED
 CVE-2017-8226
        RESERVED
-CVE-2017-8283 (dpkg-source in dpkg through 1.8.23 is able to use a non-GNU 
patch ...)
+CVE-2017-8283 (dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a 
non-GNU ...)
        - dpkg <unfixed> (unimportant)
        NOTE: http://www.openwall.com/lists/oss-security/2017/04/20/2
 CVE-2017-8225 (On Wireless IP Camera (P2P) WIFICAM devices, access to .ini 
files ...)
@@ -973,8 +972,8 @@
        [wheezy] - mantis <end-of-life> (Unsupported in Wheezy LTS)
 CVE-2017-7896 (Trend Micro InterScan Messaging Security Virtual Appliance 
(IMSVA) 9.1 ...)
        NOT-FOR-US: Trend Micro
-CVE-2017-7895
-       RESERVED
+CVE-2017-7895 (The NFSv2 and NFSv3 server implementations in the Linux kernel 
through ...)
+       TODO: check
 CVE-2016-10345 (In Phusion Passenger before 5.1.0, a known /tmp filename was 
used ...)
        - passenger <unfixed> (unimportant)
        NOTE: 
https://github.com/phusion/passenger/commit/e5b4b0824d6b648525b4bf63d9fa37e5beeae441
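Review bot: CVE-2017-7895 leaves the RESERVED state with only `TODO: check`, although the new description already names the NFSv2 and NFSv3 server implementations in the Linux kernel. The entry needs a `- linux` package line with a status so it is triaged like the other kernel entries in this file; as committed it is not tied to any source package.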
@@ -1796,10 +1795,12 @@
 CVE-2017-7620
        RESERVED
 CVE-2017-7618 (crypto/ahash.c in the Linux kernel through 4.10.9 allows 
attackers to ...)
+       {DLA-922-1}
        - linux <unfixed>
        [jessie] - linux <no-dsa> (Will be fixed in point release)
        NOTE: http://marc.info/?l=linux-crypto-vger&m=149181655623850&w=2
 CVE-2017-7616 (Incorrect error handling in the set_mempolicy and mbind compat 
syscalls ...)
+       {DLA-922-1}
        - linux <unfixed>
        [jessie] - linux <no-dsa> (Will be fixed in point release)
        NOTE: Fixed by: 
https://git.kernel.org/linus/cf01fb9985e8deb25ccf0ea54d916b8871ae0e62 (4.11-rc6)
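Review bot: the `{DLA-922-1}` lines for CVE-2017-7618 and CVE-2017-7616 are added directly above `- linux <unfixed>`, so both entries now show an advisory reference and an unfixed state together, and the only release line is `[jessie] - linux <no-dsa>`. Nothing in these entries says which release or version DLA-922-1 covers; since this is an automatic update, confirm that the fixed version is recorded with the advisory itself, because a reader of this file alone cannot tell.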
@@ -2232,6 +2233,7 @@
        NOTE: but needs confirmation.
 CVE-2017-7472 [keyctl_set_reqkey_keyring() leaks thread keyrings]
        RESERVED
+       {DLA-922-1}
        - linux <unfixed>
        NOTE: https://lkml.org/lkml/2017/4/1/235
        NOTE: https://lkml.org/lkml/2017/4/3/724
@@ -2726,6 +2728,7 @@
 CVE-2016-10304 (The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 
allows ...)
        NOT-FOR-US: SAP
 CVE-2017-7308 (The packet_set_ring function in net/packet/af_packet.c in the 
Linux ...)
+       {DLA-922-1}
        - linux 4.9.18-1
        [jessie] - linux <no-dsa> (Will be fixed in point release)
        NOTE: Fixed by: 
https://git.kernel.org/linus/2b6867c2ce76c596676bec7d2d525af525fdc6e2
@@ -2746,6 +2749,7 @@
 CVE-2017-7293 (The Dolby DAX2 and DAX3 API services are vulnerable to a 
privilege ...)
        NOT-FOR-US: Dolby
 CVE-2017-7294 (The vmw_surface_define_ioctl function in ...)
+       {DLA-922-1}
        - linux 4.9.18-1
        [jessie] - linux <no-dsa> (Will be fixed in point release)
        NOTE: Fixed by: 
https://git.kernel.org/linus/e7e11f99564222d82f0ce84bd521e57d78a6b678
@@ -2932,6 +2936,7 @@
 CVE-2017-7270
        RESERVED
 CVE-2017-7273 (The cp_report_fixup function in drivers/hid/hid-cypress.c in 
the Linux ...)
+       {DLA-922-1}
        - linux 4.9.6-1
        [jessie] - linux <no-dsa> (Will be fixed in point release)
        NOTE: Fixed by: 
https://git.kernel.org/linus/1ebb71143758f45dc0fa76e2f48429e13b16d110
@@ -2973,6 +2978,7 @@
 CVE-2017-7262 (The AMD Ryzen processor with AGESA microcode through 2017-01-27 
allows ...)
        NOT-FOR-US: Hardware bug in AMD Ryzen CPUs, cannot be fixed via micro 
code updates, but only BIOS updates
 CVE-2017-7261 (The vmw_surface_define_ioctl function in ...)
+       {DLA-922-1}
        - linux 4.9.18-1
        [jessie] - linux <no-dsa> (Will be fixed in point release)
        NOTE: Fixed by: 
https://git.kernel.org/linus/36274ab8c596f1240c606bb514da329add2a1bcd
@@ -3316,6 +3322,7 @@
        [wheezy] - erlang <not-affected> (Vulnerable code not present)
        NOTE: https://github.com/erlang/otp/pull/1108
 CVE-2017-7184 (The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in 
the ...)
+       {DLA-922-1}
        - linux 4.9.18-1 (low)
        [jessie] - linux <no-dsa> (Will be fixed in point release)
        NOTE: Unprivileged user namespaces are disabled in Debian, this only 
affects
@@ -3827,6 +3834,7 @@
 CVE-2017-9999
        REJECTED
 CVE-2017-6951 (The keyring_search_aux function in security/keys/keyring.c in 
the Linux ...)
+       {DLA-922-1}
        - linux 4.0.2-1
        [jessie] - linux <no-dsa> (Will be fixed in point release)
 CVE-2017-6950 (SAP GUI 7.2 through 7.5 allows remote attackers to bypass 
intended ...)
@@ -6534,7 +6542,7 @@
 CVE-2017-5971
        RESERVED
 CVE-2017-5970 (The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in 
the ...)
-       {DSA-3791-1}
+       {DSA-3791-1 DLA-922-1}
        - linux 4.9.10-1
        NOTE: Fixed by: 
https://github.com/torvalds/linux/commit/34b2cef20f19c87999fff3da4071e66937db9644
 (v4.10-rc8)
        NOTE: Introduced by: 
https://github.com/torvalds/linux/commit/f84af32cbca70a3c6d30463dc08c7984af11c277
 (v2.6.35-rc1)
@@ -6549,6 +6557,7 @@
 CVE-2017-5968
        RESERVED
 CVE-2017-5967 (The time subsystem in the Linux kernel through 4.9.9, when ...)
+       {DLA-922-1}
        - linux 4.9.13-1 (low)
        [jessie] - linux <no-dsa> (Will be fixed in point release)
 CVE-2017-5966
@@ -6848,6 +6857,7 @@
        NOTE: 
https://github.com/TigerVNC/tigervnc/commit/8aa4bc53206c2430bbf0c8f4b642f59a379ee649
        NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1023012
 CVE-2016-10200 (Race condition in the L2TPv3 IP Encapsulation feature in the 
Linux ...)
+       {DLA-922-1}
        - linux 4.8.15-1
        [jessie] - linux <no-dsa> (Will be fixed in point release)
        NOTE: Fixed by: 
https://git.kernel.org/linus/32c231164b762dddefa13af5a0101032c70b50ef (v4.9-rc7)
@@ -16151,6 +16161,7 @@
        RESERVED
        - foreman <itp> (bug #663101)
 CVE-2017-2671 (The ping_unhash function in net/ipv4/ping.c in the Linux kernel 
...)
+       {DLA-922-1}
        - linux <unfixed>
        [jessie] - linux <no-dsa> (Will be fixed in point release)
        NOTE: http://www.openwall.com/lists/oss-security/2017/03/24/6
@@ -16222,6 +16233,7 @@
        RESERVED
        NOT-FOR-US: jenkins-ssh-slaves-plugin
 CVE-2017-2647 (The KEYS subsystem in the Linux kernel before 3.18 allows local 
users ...)
+       {DLA-922-1}
        - linux 4.0.2-1
        [jessie] - linux <no-dsa> (Will be fixed in point release)
        NOTE: Fixed by: 
https://git.kernel.org/linus/c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81 
(v3.18-rc1)
@@ -21619,6 +21631,7 @@
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1399333
 CVE-2016-9604
        RESERVED
+       {DLA-922-1}
        - linux <unfixed>
        NOTE: Fixed by: 
https://git.kernel.org/linus/ee8f844e3c5a73b999edf733df1c529d6503ec2f
 CVE-2016-9603 [cirrus: heap buffer overflow via vnc connection]
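Review bot: CVE-2016-9604 now carries `{DLA-922-1}` but is still `RESERVED` with no description, so the only hint of what the issue is comes from the `Fixed by:` commit link. Add a bracketed short description after the id, as the neighbouring CVE-2016-9603 entry has, so the advisory reference can be understood without following the link.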
@@ -46152,6 +46165,7 @@
 CVE-2016-2189
        REJECTED
 CVE-2016-2188 (The iowarrior_probe function in drivers/usb/misc/iowarrior.c in 
the ...)
+       {DLA-922-1}
        - linux 4.9.16-1
        [jessie] - linux <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1317018


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
