Author: sectracker
Date: 2017-02-13 21:10:13 +0000 (Mon, 13 Feb 2017)
New Revision: 48884
Modified: data/CVE/list Log: automatic update Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-02-13 19:18:41 UTC (rev 48883) +++ data/CVE/list 2017-02-13 21:10:13 UTC (rev 48884) @@ -1,3 +1,21 @@ +CVE-2017-5981 + RESERVED +CVE-2017-5980 + RESERVED +CVE-2017-5979 + RESERVED +CVE-2017-5978 + RESERVED +CVE-2017-5977 + RESERVED +CVE-2017-5976 + RESERVED +CVE-2017-5975 + RESERVED +CVE-2017-5974 + RESERVED +CVE-2017-5973 + RESERVED CVE-2017-5972 RESERVED CVE-2016-10224 @@ -54,6 +72,7 @@ CVE-2017-5954 (An issue was discovered in the serialize-to-js package 0.5.0 for ...) NOT-FOR-US: serialize-to-js Node package CVE-2017-5953 (vim before patch 8.0.0322 does not properly validate values for tree ...) + {DLA-822-1} - vim 2:8.0.0197-2 (bug #854969) NOTE: Fixed by https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d CVE-2017-5952 @@ -5460,8 +5479,8 @@ RESERVED CVE-2017-3903 RESERVED -CVE-2017-3902 - RESERVED +CVE-2017-3902 (Cross-site scripting (XSS) vulnerability in the Web user interface ...) + TODO: check CVE-2017-3901 RESERVED CVE-2017-3900 @@ -5472,8 +5491,8 @@ RESERVED CVE-2017-3897 RESERVED -CVE-2017-3896 - RESERVED +CVE-2017-3896 (Unvalidated parameter vulnerability in the remote log viewing ...) + TODO: check CVE-2017-3895 RESERVED CVE-2016-10087 (The png_set_text_2 function in libpng 0.71 before 1.0.67, 1.2.x before ...) @@ -5794,8 +5813,7 @@ [jessie] - ikiwiki <not-affected> (Incomplete fix for CVE-2016-10026 not applied) [wheezy] - ikiwiki <not-affected> (Incomplete fix for CVE-2016-10026 not applied) NOTE: https://ikiwiki.info/security/#cve-2016-9645 -CVE-2016-10026 [authorization bypass when reverting changes] - RESERVED +CVE-2016-10026 (ikiwiki 3.20161219 does not properly check if a revision changes the ...) {DSA-3760-1 DLA-812-1} - ikiwiki 3.20161219 NOTE: http://ikiwiki.info/bugs/rcs_revert_can_bypass_authorization_if_affected_files_were_renamed/ 
@@ -17443,8 +17461,7 @@ NOTE: https://blogs.gentoo.org/ago/2016/10/20/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862/ NOTE: This is not a real problem in imagemagick but caused by the "observer" (the address sanitizer), cf. NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30908#p140255 . -CVE-2016-8859 [Regex integer overflow in buffer size computations] - RESERVED +CVE-2016-8859 (Multiple integer overflows in the TRE library and musl libc allow ...) {DLA-687-1} - tre 0.8.0-5 (bug #842169) [jessie] - tre 0.8.0-4+deb8u1 @@ -17993,8 +18010,7 @@ - linux <unfixed> [jessie] - linux <not-affected> (Vulnerable code not present) [wheezy] - linux <not-affected> (Vulnerable code not present) -CVE-2016-8659 [privilege escalation via ptrace] - RESERVED +CVE-2016-8659 (Bubblewrap before 0.1.3 sets the PR_SET_DUMPABLE flag, which might ...) - bubblewrap 0.1.2-2 (bug #840605) NOTE: https://github.com/projectatomic/bubblewrap/issues/107 CVE-2016-8658 (Stack-based buffer overflow in the brcmf_cfg80211_start_ap function in ...) @@ -18217,8 +18233,8 @@ RESERVED CVE-2016-8496 RESERVED -CVE-2016-8495 - RESERVED +CVE-2016-8495 (FortiManager does not properly validate TLS certificates when probing ...) + TODO: check CVE-2016-8494 (Insufficient verification of uploaded files allows attackers with ...) NOT-FOR-US: Fortiguard CVE-2016-8493 @@ -21323,8 +21339,7 @@ NOTE: https://sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a/ CVE-2016-7566 RESERVED -CVE-2016-7565 - RESERVED +CVE-2016-7565 (install/index.php in Exponent CMS 2.3.9 allows remote attackers to ...) NOT-FOR-US: Exponent CMS CVE-2016-7564 (Heap-based buffer overflow in the Fp_toString function in jsfunction.c ...) NOT-FOR-US: MuJS 
@@ -25948,8 +25963,7 @@ RESERVED CVE-2016-6212 (The Views module 7.x-3.x before 7.x-3.14 in Drupal 7.x and the Views ...) - drupal8 <itp> (bug #756305) -CVE-2016-6210 [User enumeration via covert timing channel] - RESERVED +CVE-2016-6210 (sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user ...) {DSA-3626-1 DLA-578-1} - openssh 1:7.2p2-6 (bug #831902) NOTE: http://seclists.org/fulldisclosure/2016/Jul/51 @@ -26334,8 +26348,7 @@ NOTE: http://www.sqlite.org/cgi/src/info/b38fe522cfc971b3 NOTE: and possibly http://www.sqlite.org/cgi/src/info/614bb709d34e1148 NOTE: https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt -CVE-2016-6129 - RESERVED +CVE-2016-6129 (The rsa_verify_hash_ex function in rsa_verify_hash.c in LibTomCrypt, ...) {DLA-612-1} - libtomcrypt 1.17-8 (bug #837042) [jessie] - libtomcrypt <no-dsa> (Minor issue) @@ -30179,8 +30192,8 @@ NOTE: gif2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed although technically still present in the source package CVE-2016-5101 (Unspecified vulnerability in Opera Mail before 2016-02-16 on Windows ...) NOT-FOR-US: Opera -CVE-2016-5100 - RESERVED +CVE-2016-5100 (Froxlor before 0.9.35 uses the PHP rand function for random number ...) + TODO: check CVE-2016-5099 (Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x before ...) {DSA-3627-1} - phpmyadmin 4:4.6.2-1 (low) 
@@ -31741,11 +31754,9 @@ - ikiwiki 3.20160506 NOTE: http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=32ef584dc5abb6ddb9f794f94ea0b2934967bba7 NOTE: http://www.openwall.com/lists/oss-security/2016/05/06/8 -CVE-2016-4547 - RESERVED +CVE-2016-4547 (Samsung devices with Android KK(4.4), L(5.0/5.1), or M(6.0) allow ...) NOT-FOR-US: Samsung Android component -CVE-2016-4546 - RESERVED +CVE-2016-4546 (Samsung devices with Android KK(4.4) or L(5.0/5.1) allow local users ...) NOT-FOR-US: Samsung Android component CVE-2016-4570 (The mxmlDelete function in mxml-node.c in mxml 2.9, 2.7, and possibly ...) - mxml 2.9-1 (bug #825855) @@ -33555,8 +33566,7 @@ - imlib2 1.4.8-1 (bug #639414) NOTE: https://git.enlightenment.org/legacy/imlib2.git/commit/?id=c94d83ccab15d5ef02f88d42dce38ed3f0892882 NOTE: http://www.openwall.com/lists/oss-security/2016/04/10/5 -CVE-2016-3995 [Timing Attack Counter Measure AES] - RESERVED +CVE-2016-3995 (The timing attack protection in Rijndael::Enc::ProcessAndXorBlock and ...) - libcrypto++ 5.6.3-6 [jessie] - libcrypto++ 5.6.1-6+deb8u2 [wheezy] - libcrypto++ 5.6.1-6+deb7u2 @@ -34646,8 +34656,7 @@ RESERVED CVE-2016-3617 RESERVED -CVE-2016-3616 [null pointer dereference in cjpeg] - RESERVED +CVE-2016-3616 (The cjpeg utility in libjpeg allows remote attackers to cause a denial ...) - libjpeg-turbo 1:1.4.2-1 [jessie] - libjpeg-turbo <no-dsa> (Minor issue) NOTE: libjpeg-turbo: Fixed by: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/6709e4a0cfa44d4f54ee8ad05753d4aa9260cb91 (1.4.2) 
@@ -36977,12 +36986,11 @@ NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=415ab35a441eca767d033a2702223e785b9d5190 (v2.6.0-rc0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1303106 NOTE: http://www.openwall.com/lists/oss-security/2016/03/02/8 -CVE-2016-2788 - RESERVED +CVE-2016-2788 (MCollective 2.7.0 and 2.8.x before 2.8.9, as used in Puppet ...) - mcollective <unfixed> (bug #850968) NOTE: https://puppet.com/security/cve/cve-2016-2788 -CVE-2016-2787 - RESERVED +CVE-2016-2787 (The Puppet Communications Protocol in Puppet Enterprise 2015.3.x ...) + TODO: check CVE-2016-2786 (The pxp-agent component in Puppet Enterprise 2015.3.x before 2015.3.3 ...) - puppet <not-affected> (pxp-agent not packaged in Debian) NOTE: https://puppet.com/security/cve/cve-2016-2786 @@ -37558,8 +37566,7 @@ NOTE: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13999.patch NOTE: http://www.squid-cache.org/Versions/v4/changesets/squid-4-14552.patch NOTE: Upstream confirmed it does not affect squid 2.7.x -CVE-2016-2568 [Program run via pkexec as unprivileged user can escape to parent session via TIOCSTI ioctl] - RESERVED +CVE-2016-2568 (pkexec, when used with --user nonpriv, allows local users to escape to ...) - policykit-1 <unfixed> (bug #816062; bug #812512) [jessie] - policykit-1 <no-dsa> (Minor issue) [wheezy] - policykit-1 <no-dsa> (Minor issue) @@ -40881,8 +40888,7 @@ - eglibc <removed> NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=18985 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d36c75fc0d44deec29635dd239b0fbd206ca49b7 -CVE-2015-8771 [Possibility of code injection when setting passwords for Samba] - RESERVED +CVE-2015-8771 (The generate_smb_nt_hash function in include/functions.inc in GOsa ...) {DLA-562-1 DLA-408-1} - gosa 2.7.4+reloaded2-6 [jessie] - gosa 2.7.4+reloaded2-1+deb8u2 
@@ -41480,8 +41486,7 @@ - guacamole <not-affected> (Vulnerable code not present) CVE-2016-1565 (Cross-site scripting (XSS) vulnerability in the Field Group module ...) NOT-FOR-US: Field Group module for Drupal -CVE-2015-8768 - RESERVED +CVE-2015-8768 (install.py in click allows remote attackers to gain privileges via a ...) NOT-FOR-US: Click package manager NOTE: http://www.ubuntu.com/usn/usn-2771-1/ CVE-2015-8766 (Multiple cross-site scripting (XSS) vulnerabilities in ...) @@ -42240,8 +42245,7 @@ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1294039 NOTE: In 1.900.1-5.1 this issue was fixed as part of the patch for CVE-2008-3520 NOTE: like other distribution did. -CVE-2015-8750 - RESERVED +CVE-2015-8750 (libdwarf 20151114 and earlier allows remote attackers to cause a ...) {DLA-669-1 DLA-388-1} - dwarfutils 20160507-1 (bug #813182) [jessie] - dwarfutils 20120410-2+deb8u1 @@ -42588,8 +42592,7 @@ NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e02cabecf0d025ec4f4ddee290bdf7aadb873bb3 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8f5e8b01a1da2a207228f2072c934fa5918554b8 NOTE: Fixed for 2.23 upstream -CVE-2014-9760 [XSS vulnerability during session log on] - RESERVED +CVE-2014-9760 (Cross-site scripting (XSS) vulnerability in the displayLogin function ...) - gosa 2.7.4+reloaded1-5 [wheezy] - gosa 2.7.4-4.3~deb7u2 [squeeze] - gosa 2.6.11-3+squeeze4 _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
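Review bot: In the @@ -5460,8 +5479,8 @@ hunk, CVE-2017-3902 moves from RESERVED to "TODO: check", but the truncated description ("Cross-site scripting (XSS) vulnerability in the Web user interface ...") does not name the affected product, so the entry cannot be triaged from this line alone. Whoever picks up the TODO needs the full CVE text and should replace the line with either a NOT-FOR-US: entry naming the product or a package line. CVE-2017-3896 in the next hunk ("Unvalidated parameter vulnerability in the remote log viewing ...") is in the same state.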
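Review bot: In the @@ -18217,8 +18233,8 @@ hunk, CVE-2016-8495 (FortiManager) is left at "TODO: check" while the entry directly below it, CVE-2016-8494, is already resolved as "NOT-FOR-US: Fortiguard". If FortiManager is likewise not shipped in any Debian package, the TODO can be closed the same way, ideally with a product name consistent with the neighbouring entry so that searches over the list find both.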
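Review bot: In the @@ -36977,12 +36986,11 @@ hunk, CVE-2016-2787 (Puppet Communications Protocol in Puppet Enterprise 2015.3.x) ends up with only "TODO: check", whereas both neighbours carry a package line and a NOTE pointing at the vendor advisory: CVE-2016-2788 has "- mcollective <unfixed> (bug #850968)" and CVE-2016-2786 has "- puppet <not-affected> (pxp-agent not packaged in Debian)". Triage should decide whether the affected component is packaged at all and add a matching advisory NOTE, so the three related entries are documented consistently.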
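Review bot: In the @@ -37558,8 +37566,7 @@ hunk, replacing the working title of CVE-2016-2568 drops the only visible mention of the mechanism. The removed line said the escape to the parent session happens "via TIOCSTI ioctl", while the new truncated description stops at "allows local users to escape to ...". Since the entry is still "- policykit-1 <unfixed>", a short NOTE line preserving the TIOCSTI detail would help whoever revisits it, unless the notes below the visible context already cover it.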