Author: sectracker Date: 2017-04-28 09:10:13 +0000 (Fri, 28 Apr 2017) New Revision: 51140
Modified: data/CVE/list Log: automatic update Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-04-28 08:57:54 UTC (rev 51139) +++ data/CVE/list 2017-04-28 09:10:13 UTC (rev 51140) @@ -38,8 +38,7 @@ NOT-FOR-US: RIOS OS CVE-2017-8288 (gnome-shell 3.22 through 3.24.1 mishandles extensions that fail to ...) - gnome-shell <unfixed> -CVE-2017-8305 [Buffer overflow in own strlcpy implementation] - RESERVED +CVE-2017-8305 (The UDFclient (before 0.8.8) custom strlcpy implementation has a buffer ...) - udfclient <unfixed> (bug #861347) CVE-2017-8301 (LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if ...) - libressl <itp> (bug #754513) @@ -177,7 +176,7 @@ RESERVED CVE-2017-8226 RESERVED -CVE-2017-8283 (dpkg-source in dpkg through 1.8.23 is able to use a non-GNU patch ...) +CVE-2017-8283 (dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU ...) - dpkg <unfixed> (unimportant) NOTE: http://www.openwall.com/lists/oss-security/2017/04/20/2 CVE-2017-8225 (On Wireless IP Camera (P2P) WIFICAM devices, access to .ini files ...) @@ -973,8 +972,8 @@ [wheezy] - mantis <end-of-life> (Unsupported in Wheezy LTS) CVE-2017-7896 (Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 ...) NOT-FOR-US: Trend Micro -CVE-2017-7895 - RESERVED +CVE-2017-7895 (The NFSv2 and NFSv3 server implementations in the Linux kernel through ...) + TODO: check CVE-2016-10345 (In Phusion Passenger before 5.1.0, a known /tmp filename was used ...) - passenger <unfixed> (unimportant) NOTE: https://github.com/phusion/passenger/commit/e5b4b0824d6b648525b4bf63d9fa37e5beeae441 @@ -1796,10 +1795,12 @@ CVE-2017-7620 RESERVED CVE-2017-7618 (crypto/ahash.c in the Linux kernel through 4.10.9 allows attackers to ...) + {DLA-922-1} - linux <unfixed> [jessie] - linux <no-dsa> (Will be fixed in point release) NOTE: http://marc.info/?l=linux-crypto-vger&m=149181655623850&w=2 CVE-2017-7616 (Incorrect error handling in the set_mempolicy and mbind compat syscalls ...) + {DLA-922-1} - linux <unfixed> [jessie] - linux <no-dsa> (Will be fixed in point release) NOTE: Fixed by: https://git.kernel.org/linus/cf01fb9985e8deb25ccf0ea54d916b8871ae0e62 (4.11-rc6) @@ -2232,6 +2233,7 @@ NOTE: but needs confirmation. CVE-2017-7472 [keyctl_set_reqkey_keyring() leaks thread keyrings] RESERVED + {DLA-922-1} - linux <unfixed> NOTE: https://lkml.org/lkml/2017/4/1/235 NOTE: https://lkml.org/lkml/2017/4/3/724 @@ -2726,6 +2728,7 @@ CVE-2016-10304 (The SAP EP-RUNTIME component in SAP NetWeaver AS JAVA 7.5 allows ...) NOT-FOR-US: SAP CVE-2017-7308 (The packet_set_ring function in net/packet/af_packet.c in the Linux ...) + {DLA-922-1} - linux 4.9.18-1 [jessie] - linux <no-dsa> (Will be fixed in point release) NOTE: Fixed by: https://git.kernel.org/linus/2b6867c2ce76c596676bec7d2d525af525fdc6e2 @@ -2746,6 +2749,7 @@ CVE-2017-7293 (The Dolby DAX2 and DAX3 API services are vulnerable to a privilege ...) NOT-FOR-US: Dolby CVE-2017-7294 (The vmw_surface_define_ioctl function in ...) + {DLA-922-1} - linux 4.9.18-1 [jessie] - linux <no-dsa> (Will be fixed in point release) NOTE: Fixed by: https://git.kernel.org/linus/e7e11f99564222d82f0ce84bd521e57d78a6b678 @@ -2932,6 +2936,7 @@ CVE-2017-7270 RESERVED CVE-2017-7273 (The cp_report_fixup function in drivers/hid/hid-cypress.c in the Linux ...) + {DLA-922-1} - linux 4.9.6-1 [jessie] - linux <no-dsa> (Will be fixed in point release) NOTE: Fixed by: https://git.kernel.org/linus/1ebb71143758f45dc0fa76e2f48429e13b16d110 @@ -2973,6 +2978,7 @@ CVE-2017-7262 (The AMD Ryzen processor with AGESA microcode through 2017-01-27 allows ...) NOT-FOR-US: Hardware bug in AMD Ryzen CPUs, cannot be fixed via micro code updates, but only BIOS updates CVE-2017-7261 (The vmw_surface_define_ioctl function in ...) + {DLA-922-1} - linux 4.9.18-1 [jessie] - linux <no-dsa> (Will be fixed in point release) NOTE: Fixed by: https://git.kernel.org/linus/36274ab8c596f1240c606bb514da329add2a1bcd @@ -3316,6 +3322,7 @@ [wheezy] - erlang <not-affected> (Vulnerable code not present) NOTE: https://github.com/erlang/otp/pull/1108 CVE-2017-7184 (The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the ...) + {DLA-922-1} - linux 4.9.18-1 (low) [jessie] - linux <no-dsa> (Will be fixed in point release) NOTE: Unprivileged user namespaces are disabled in Debian, this only affects @@ -3827,6 +3834,7 @@ CVE-2017-9999 REJECTED CVE-2017-6951 (The keyring_search_aux function in security/keys/keyring.c in the Linux ...) + {DLA-922-1} - linux 4.0.2-1 [jessie] - linux <no-dsa> (Will be fixed in point release) CVE-2017-6950 (SAP GUI 7.2 through 7.5 allows remote attackers to bypass intended ...) @@ -6534,7 +6542,7 @@ CVE-2017-5971 RESERVED CVE-2017-5970 (The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the ...) - {DSA-3791-1} + {DSA-3791-1 DLA-922-1} - linux 4.9.10-1 NOTE: Fixed by: https://github.com/torvalds/linux/commit/34b2cef20f19c87999fff3da4071e66937db9644 (v4.10-rc8) NOTE: Introduced by: https://github.com/torvalds/linux/commit/f84af32cbca70a3c6d30463dc08c7984af11c277 (v2.6.35-rc1) @@ -6549,6 +6557,7 @@ CVE-2017-5968 RESERVED CVE-2017-5967 (The time subsystem in the Linux kernel through 4.9.9, when ...) + {DLA-922-1} - linux 4.9.13-1 (low) [jessie] - linux <no-dsa> (Will be fixed in point release) CVE-2017-5966 @@ -6848,6 +6857,7 @@ NOTE: https://github.com/TigerVNC/tigervnc/commit/8aa4bc53206c2430bbf0c8f4b642f59a379ee649 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1023012 CVE-2016-10200 (Race condition in the L2TPv3 IP Encapsulation feature in the Linux ...) + {DLA-922-1} - linux 4.8.15-1 [jessie] - linux <no-dsa> (Will be fixed in point release) NOTE: Fixed by: https://git.kernel.org/linus/32c231164b762dddefa13af5a0101032c70b50ef (v4.9-rc7) @@ -16151,6 +16161,7 @@ RESERVED - foreman <itp> (bug #663101) CVE-2017-2671 (The ping_unhash function in net/ipv4/ping.c in the Linux kernel ...) + {DLA-922-1} - linux <unfixed> [jessie] - linux <no-dsa> (Will be fixed in point release) NOTE: http://www.openwall.com/lists/oss-security/2017/03/24/6 @@ -16222,6 +16233,7 @@ RESERVED NOT-FOR-US: jenkins-ssh-slaves-plugin CVE-2017-2647 (The KEYS subsystem in the Linux kernel before 3.18 allows local users ...) + {DLA-922-1} - linux 4.0.2-1 [jessie] - linux <no-dsa> (Will be fixed in point release) NOTE: Fixed by: https://git.kernel.org/linus/c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81 (v3.18-rc1) @@ -21619,6 +21631,7 @@ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1399333 CVE-2016-9604 RESERVED + {DLA-922-1} - linux <unfixed> NOTE: Fixed by: https://git.kernel.org/linus/ee8f844e3c5a73b999edf733df1c529d6503ec2f CVE-2016-9603 [cirrus: heap buffer overflow via vnc connection] @@ -46152,6 +46165,7 @@ CVE-2016-2189 REJECTED CVE-2016-2188 (The iowarrior_probe function in drivers/usb/misc/iowarrior.c in the ...) + {DLA-922-1} - linux 4.9.16-1 [jessie] - linux <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1317018 _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits