Author: sectracker Date: 2017-10-06 21:10:13 +0000 (Fri, 06 Oct 2017) New Revision: 56464
Modified: data/CVE/list Log: automatic update Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-10-06 21:00:09 UTC (rev 56463) +++ data/CVE/list 2017-10-06 21:10:13 UTC (rev 56464) @@ -1,3 +1,47 @@ +CVE-2017-15083 + RESERVED +CVE-2017-15082 + RESERVED +CVE-2017-15081 + RESERVED +CVE-2017-15080 + RESERVED +CVE-2017-15079 (The Smush Image Compression and Optimization plugin before 2.7.6 for ...) + TODO: check +CVE-2017-15078 (The Intel Puma 5, 6, and 7 chips, as used on Virgin Media branded Arris ...) + TODO: check +CVE-2017-15077 (The Intel Puma 5, 6, and 7 chips, as used on UPC branded Compal ...) + TODO: check +CVE-2017-15076 (** DISPUTED ** The Intel Puma 5, 6, and 7 chips, as used on Telstra ...) + TODO: check +CVE-2017-15075 (The Intel Puma 5, 6, and 7 chips, as used on various Technicolor ...) + TODO: check +CVE-2017-15074 (The Intel Puma 5, 6, and 7 chips, as used on SMC D3G2408 devices, allow ...) + TODO: check +CVE-2017-15073 (The Intel Puma 5, 6, and 7 chips, as used on Samsung Home Media Server ...) + TODO: check +CVE-2017-15072 (The Intel Puma 5, 6, and 7 chips, as used on various Quantenna devices, ...) + TODO: check +CVE-2017-15071 (The Intel Puma 5, 6, and 7 chips, as used on NETGEAR C6300, CM400, ...) + TODO: check +CVE-2017-15070 (The Intel Puma 5, 6, and 7 chips, as used on various Linksys devices, ...) + TODO: check +CVE-2017-15069 (The Intel Puma 5, 6, and 7 chips, as used on various Hitron devices, ...) + TODO: check +CVE-2017-15068 (The Intel Puma 5, 6, and 7 chips, as used on various Comcast branded ...) + TODO: check +CVE-2017-15067 (The Intel Puma 5, 6, and 7 chips, as used on various Compal devices, ...) + TODO: check +CVE-2017-15066 (The Intel Puma 5, 6, and 7 chips, as used on various AVM FRITZ!Box ...) + TODO: check +CVE-2017-15065 (The Intel Puma 5, 6, and 7 chips, as used on ASUS CM-32 devices, allow ...) + TODO: check +CVE-2017-15064 (The Intel Puma 5, 6, and 7 chips, as used on various Arris devices, ...) + TODO: check +CVE-2017-1002153 (Koji 1.13.0 does not properly validate SCM paths, allowing an attacker ...) + TODO: check +CVE-2017-1000255 + RESERVED CVE-2017-15063 (There are CSRF vulnerabilities in Subrion CMS before 4.2.0 because of a ...) NOT-FOR-US: Subrion CMS CVE-2017-15062 @@ -35,10 +79,10 @@ CVE-2017-15047 (The clusterLoadConfig function in cluster.c in Redis 4.0.2 allows ...) - redis <unfixed> NOTE: https://github.com/antirez/redis/issues/4278 -CVE-2017-15046 (LAME 3.99.5 has a stack-based buffer overflow, a different ...) +CVE-2017-15046 (LAME 3.99.5 has a stack-based buffer overflow in unpack_read_samples ...) - lame <unfixed> NOTE: https://sourceforge.net/p/lame/bugs/479/ -CVE-2017-15045 (LAME 3.99.5 has a heap-based buffer over-read, a different ...) +CVE-2017-15045 (LAME 3.99.5 has a heap-based buffer over-read in fill_buffer in ...) - lame <unfixed> NOTE: https://sourceforge.net/p/lame/bugs/478/ CVE-2017-15044 @@ -1597,7 +1641,7 @@ NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=51eadb692a5123b9838e5a68ecace3ac579a3a45 CVE-2017-14494 (dnsmasq before 2.78, when configured as a relay, allows remote ...) - {DSA-3989-1} + {DSA-3989-1 DLA-1124-1} - dnsmasq 2.78-1 NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=33e3f1029c9ec6c63e430ff51063a6301d4b2262 @@ -1608,12 +1652,12 @@ NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3d4ff1ba8419546490b464418223132529514033 CVE-2017-14492 (Heap-based buffer overflow in dnsmasq before 2.78 allows remote ...) - {DSA-3989-1} + {DSA-3989-1 DLA-1124-1} - dnsmasq 2.78-1 NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=24036ea507862c7b7898b68289c8130f85599c10 CVE-2017-14491 (Heap-based buffer overflow in dnsmasq before 2.78 allows remote ...) - {DSA-3989-1} + {DSA-3989-1 DLA-1124-1} - dnsmasq 2.78-1 NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=0549c73b7ea6b22a3c49beb4d432f185a81efcbc @@ -2559,8 +2603,8 @@ NOTE: https://blogs.gentoo.org/ago/2017/08/16/openjpeg-heap-based-buffer-overflow-in-opj_mqc_flush-mqc-c/ NOTE: https://github.com/uclouvain/openjpeg/commit/afb308b9ccbe129608c9205cf3bb39bbefad90b9 NOTE: https://github.com/uclouvain/openjpeg/issues/982 -CVE-2017-1000254 [FTP PWD response parser out of bounds read] - {DLA-1121-1} +CVE-2017-1000254 (libcurl may read outside of a heap allocated buffer when doing FTP. ...) + {DSA-3992-1 DLA-1121-1} - curl <unfixed> (bug #877671) NOTE: https://curl.haxx.se/docs/adv_20171004.html NOTE: Patch: https://curl.haxx.se/CVE-2017-1000254.patch @@ -5157,10 +5201,10 @@ RESERVED CVE-2017-13070 RESERVED -CVE-2017-13069 - RESERVED -CVE-2017-13068 - RESERVED +CVE-2017-13069 (QNAP discovered a number of command injection vulnerabilities found in ...) + TODO: check +CVE-2017-13068 (QNAP has already patched this vulnerability. This security concern ...) + TODO: check CVE-2017-13067 (QNAP has patched a remote code execution vulnerability affecting the ...) NOT-FOR-US: QNAP CVE-2017-13066 (GraphicsMagick 1.3.26 has a memory leak vulnerability in the function ...) @@ -6817,12 +6861,13 @@ CVE-2017-12694 (A Directory Traversal issue was discovered in SpiderControl SCADA Web ...) NOT-FOR-US: SpiderControl SCADA Web Server CVE-2017-1000101 (curl supports "globbing" of URLs, in which a user can pass a numerical ...) + {DSA-3992-1} - curl 7.55.0-1 (bug #871554) [wheezy] - curl <not-affected> (Vulnerable code not present, introduced later in 7.34.0) NOTE: https://curl.haxx.se/docs/adv_20170809A.html NOTE: https://curl.haxx.se/CVE-2017-1000101.patch CVE-2017-1000100 (When doing a TFTP transfer and curl/libcurl is given a URL that ...) - {DLA-1062-1} + {DSA-3992-1 DLA-1062-1} - curl 7.55.0-1 (bug #871555) NOTE: https://curl.haxx.se/docs/adv_20170809B.html NOTE: https://curl.haxx.se/CVE-2017-1000100.patch @@ -10844,7 +10889,7 @@ NOT-FOR-US: Pulse Connect Secure CVE-2017-11192 RESERVED -CVE-2017-11191 (FreeIPA 4.x with API version 2.213 allows a remote authenticated users ...) +CVE-2017-11191 (** DISPUTED ** FreeIPA 4.x with API version 2.213 allows a remote ...) - freeipa <unfixed> CVE-2017-11190 (unrarlib.c in unrar-free 0.0.1, when _DEBUG_LOG mode is enabled, might ...) - unrar-free <unfixed> (unimportant) @@ -16383,10 +16428,10 @@ RESERVED CVE-2017-9274 RESERVED -CVE-2017-9273 - RESERVED -CVE-2017-9272 - RESERVED +CVE-2017-9273 (The Bi-directional driver in IDM 4.5 before 4.0.3.0 could be ...) + TODO: check +CVE-2017-9272 (The Bi-directional driver in IDM 4.5 before 4.0.3.0 could be ...) + TODO: check CVE-2017-9271 RESERVED CVE-2017-9270 @@ -83552,8 +83597,7 @@ NOTE: http://security.libvirt.org/2015/0003.html NOTE: Broken by https://libvirt.org/git/?p=libvirt.git;a=commit;h=155ca616eb231181f6978efc9e3a1eb0eb60af8a (v1.2.14-rc1) NOTE: and by https://libvirt.org/git/?p=libvirt.git;a=commit;h=7c2d65dde2595c07d56aad1e043f7b1836592d89 (v1.2.16-rc1) -CVE-2015-5246 - RESERVED +CVE-2015-5246 (The LDAP Authentication functionality in Foreman might allow remote ...) - foreman <itp> (bug #663101) CVE-2015-5245 (CRLF injection vulnerability in the Ceph Object Gateway (aka radosgw ...) [experimental] - ceph 0.94.3-1 @@ -92918,8 +92962,7 @@ NOTE: present since release_candidate_2013-10-28 NOTE: https://github.com/splitbrain/dokuwiki/issues/1056 NOTE: https://github.com/splitbrain/dokuwiki/commit/4970ad24ce49ec76a0ee67bca7594f918ced2f5f -CVE-2015-2158 [pngcrush_measure_idat() off-by-one error] - RESERVED +CVE-2015-2158 (Off-by-one error in the pngcrush_measure_idat function in pngcrush.c ...) - pngcrush <not-affected> (Vulnerable code not present) NOTE: Introduced by http://sourceforge.net/p/pmt/code/ci/e1a36a9639e2db16494d90459c7c2b78677a20bf/ (1.7.83) NOTE: Fixed by: http://sourceforge.net/p/pmt/code/ci/a1ce646d00a400fd9ec321ab5cb522f40b7bdfe6/ (1.7.84) @@ -94229,8 +94272,7 @@ NOTE: code does neither of the following: 1) checking for slashes after decoding NOTE: 2) checking for ordinary slashes before decoding and prohibiting overlong NOTE: encodings -CVE-2015-2297 [Remote null pointer dereference] - RESERVED +CVE-2015-2297 (nanohttp in libcsoap allows remote attackers to cause a denial of ...) - libcsoap <removed> (bug #778599) [squeeze] - libcsoap <no-dsa> (Minor issue) [wheezy] - libcsoap <no-dsa> (Minor issue) @@ -95950,8 +95992,8 @@ - ffmpeg 7:2.6.1-1 - libav <removed> NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=3859868c75313e318ebc5d0d33baada62d45dd75 -CVE-2015-1206 - RESERVED +CVE-2015-1206 (Heap-based buffer overflow in Google Chrome before M40 allows remote ...) + TODO: check CVE-2015-1204 (Cross-site scripting (XSS) vulnerability in the Save Filters ...) NOT-FOR-US: Save Filters functionality in the WP Slimstat plugin for WordPress CVE-2015-1190 @@ -102593,8 +102635,8 @@ NOT-FOR-US: ESTsoft ALUpdate CVE-2014-8493 (ZTE ZXHN H108L with firmware 4.0.0d_ZRQ_GR4 allows remote attackers to ...) NOT-FOR-US: ZTE ZXHN H108L -CVE-2014-8492 - RESERVED +CVE-2014-8492 (Multiple cross-site scripting (XSS) vulnerabilities in ...) + TODO: check CVE-2014-8491 RESERVED CVE-2014-8490 @@ -103189,8 +103231,8 @@ NOTE: Patch https://github.com/processone/ejabberd/commit/7bdc1151b CVE-2014-8759 RESERVED -CVE-2014-8758 - RESERVED +CVE-2014-8758 (Cross-site scripting (XSS) vulnerability in Best Gallery Albums Plugin ...) + TODO: check CVE-2014-8757 (LG On-Screen Phone (OSP) before 4.3.010 allows remote attackers to ...) NOT-FOR-US: LG On-Screen Phone CVE-2014-8756 (The NcrCtl4.NcrNet.1 control in Panasonic Network Camera Recorder ...) @@ -105879,8 +105921,8 @@ RESERVED CVE-2014-7241 (The TSUTAYA application 5.3 and earlier for Android allows remote ...) NOT-FOR-US: TSUTAYA application for Android -CVE-2014-7240 - RESERVED +CVE-2014-7240 (Cross-site scripting (XSS) vulnerability in the Easy Contact Form ...) + TODO: check CVE-2014-7239 RESERVED CVE-2014-7238 @@ -116949,8 +116991,7 @@ - wolfssl 3.4.8+dfsg-1 (bug #792646) NOTE: wolfssl actually fixed with the initial upload to unstable after the rename NOTE: according to maintainer addressed in 3.2.0 upstream -CVE-2014-2903 - RESERVED +CVE-2014-2903 (CyaSSL does not check the key usage extension in leaf certificates, ...) - cyassl <removed> (bug #770229) - wolfssl 3.4.8+dfsg-1 (bug #792646) NOTE: wolfssl actually fixed with the initial upload to unstable after the rename @@ -125497,8 +125538,7 @@ RESERVED - docker.io 1.6.0+dfsg1-1 NOTE: According to Red Hat bug no longer present in 1.5 -CVE-2014-0047 [multiple temporary file creation vulnerabilities] - RESERVED +CVE-2014-0047 (Docker before 1.5 allows local users to have unspecified impact via ...) - docker.io 1.6.0+dfsg1-1 NOTE: According to Red Hat bug no longer present in 1.5 CVE-2014-0046 (Cross-site scripting (XSS) vulnerability in the link-to helper in ...) _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits