Author: sectracker
Date: 2017-12-23 21:10:15 +0000 (Sat, 23 Dec 2017)
New Revision: 58878
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-12-23 20:12:20 UTC (rev 58877)
+++ data/CVE/list 2017-12-23 21:10:15 UTC (rev 58878)
@@ -1,13 +1,20 @@
-CVE-2017-17864 [bpf/verifier: Fix states_equal() comparison of pointer and
UNKNOWN]
+CVE-2017-17866 (pdf/pdf-write.c in Artifex MuPDF before 1.12.0 mishandles
certain ...)
+ TODO: check
+CVE-2017-17865
+ RESERVED
+CVE-2017-17864 (kernel/bpf/verifier.c in the Linux kernel before 4.14
mishandles ...)
+ {DSA-4073-1}
- linux <unfixed>
[jessie] - linux <not-affected> (Vulnerable code not present)
[wheezy] - linux <not-affected> (Vulnerable code not present)
-CVE-2017-17863 [bpf: reject out-of-bounds stack pointer calculation]
+CVE-2017-17863 (kernel/bpf/verifier.c in the Linux kernel 4.9.x through 4.9.71
does not ...)
+ {DSA-4073-1}
- linux <unfixed>
[jessie] - linux <not-affected> (Vulnerable code not present)
[wheezy] - linux <not-affected> (Vulnerable code not present)
NOTE: https://www.spinics.net/lists/stable/msg206985.html
-CVE-2017-17862 [bpf: fix branch pruning logic]
+CVE-2017-17862 (kernel/bpf/verifier.c in the Linux kernel through 4.14.8
ignores ...)
+ {DSA-4073-1}
- linux <unfixed>
[jessie] - linux <not-affected> (Vulnerable code not present)
[wheezy] - linux <not-affected> (Vulnerable code not present)
@@ -98,27 +105,27 @@
CVE-2017-17832 (ServersCheck Monitoring Software before 14.2.3 is prone to a
...)
TODO: check
CVE-2017-17843 (An issue was discovered in Enigmail before 1.9.9 that allows
remote ...)
- {DSA-4070-1}
+ {DSA-4070-1 DLA-1219-1}
- enigmail 2:1.9.9-1
NOTE:
https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf
CVE-2017-17844 (An issue was discovered in Enigmail before 1.9.9. A remote
attacker can ...)
- {DSA-4070-1}
+ {DSA-4070-1 DLA-1219-1}
- enigmail 2:1.9.9-1
NOTE:
https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf
CVE-2017-17845 (An issue was discovered in Enigmail before 1.9.9. Improper
Random ...)
- {DSA-4070-1}
+ {DSA-4070-1 DLA-1219-1}
- enigmail 2:1.9.9-1
NOTE:
https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf
CVE-2017-17846 (An issue was discovered in Enigmail before 1.9.9. Regular
expressions ...)
- {DSA-4070-1}
+ {DSA-4070-1 DLA-1219-1}
- enigmail 2:1.9.9-1
NOTE:
https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf
CVE-2017-17847 (An issue was discovered in Enigmail before 1.9.9. Signature
spoofing is ...)
- {DSA-4070-1}
+ {DSA-4070-1 DLA-1219-1}
- enigmail 2:1.9.9-1
NOTE:
https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf
CVE-2017-17848 (An issue was discovered in Enigmail before 1.9.9. In a variant
of ...)
- {DSA-4070-1}
+ {DSA-4070-1 DLA-1219-1}
- enigmail 2:1.9.9-1
NOTE:
https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf
CVE-2017-17831 (GitHub Git LFS before 2.1.1 allows remote attackers to execute
...)
@@ -274,12 +281,15 @@
CVE-2018-3560
RESERVED
CVE-2017-17807 (The KEYS subsystem in the Linux kernel before 4.14.6 omitted
an ...)
+ {DSA-4073-1}
- linux 4.14.7-1
NOTE: Fixed by:
https://git.kernel.org/linus/4dca6ea1d9432052afb06baf2e3ae78188a4410b
(v4.15-rc3)
CVE-2017-17806 (The HMAC implementation (crypto/hmac.c) in the Linux kernel
before ...)
+ {DSA-4073-1}
- linux 4.14.7-1
NOTE: Fixed by:
https://git.kernel.org/linus/af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1
(v4.15-rc4)
CVE-2017-17805 (The Salsa20 encryption algorithm in the Linux kernel before
4.14.8 does ...)
+ {DSA-4073-1}
- linux 4.14.7-1
NOTE: Fixed by:
https://git.kernel.org/linus/ecaaab5649781c5a0effdaf298a925063020500e (4.15-rc4)
CVE-2017-17804 (In IKARUS anti.virus 2.16.20, the driver file (ntguard.SYS)
allows ...)
@@ -380,12 +390,14 @@
NOTE: OTRS-5:
https://github.com/OTRS/otrs/commit/720c73fbf53e476ca7dfdf2ae1d4d3d2aad2b953
NOTE: OTRS-4:
https://github.com/OTRS/otrs/commit/26707eaaa791648e6c7ad6aeaa27efd70e7c66eb
CVE-2017-17785 (In GIMP 2.8.22, there is a heap-based buffer overflow in the
...)
+ {DLA-1220-1}
- gimp <unfixed> (bug #884836)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=739133
NOTE:
https://git.gnome.org/browse/gimp/commit/?id=edb251a7ef1602d20a5afcbf23f24afb163de63b
(master)
NOTE:
https://git.gnome.org/browse/gimp/commit/?id=1882bac996a20ab5c15c42b0c5e8f49033a1af54
(gimp-2-8)
NOTE: Can be reproduced (at least in wheezy) with "valgrind
--trace-children=yes gimp <reproducerfile>"
CVE-2017-17786 (In GIMP 2.8.22, there is a heap-based buffer over-read in
ReadImage in ...)
+ {DLA-1220-1}
- gimp <unfixed> (unimportant; bug #884862)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=739134
NOTE:
https://git.gnome.org/browse/gimp/commit/?id=674b62ad45b6579ec6d7923dc3cb1ef4e8b5498b
(master)
@@ -394,17 +406,20 @@
NOTE:
https://git.gnome.org/browse/gimp/commit/?h=gimp-2-8&id=22e2571c25425f225abdb11a566cc281fca6f366
(gimp-2-8)
NOTE: Crash in desktop tool, no/negligable security impact
CVE-2017-17788 (In GIMP 2.8.22, there is a stack-based buffer over-read in ...)
+ {DLA-1220-1}
- gimp <unfixed> (unimportant)
NOTE:
https://git.gnome.org/browse/gimp/commit/?id=702c4227e8b6169f781e4bb5ae4b5733f51ab126
(master)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=790783
NOTE: Crash in desktop tool, no/negligable security impact
CVE-2017-17784 (In GIMP 2.8.22, there is a heap-based buffer over-read in
load_image in ...)
+ {DLA-1220-1}
- gimp <unfixed> (unimportant; bug #884925)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=790784
NOTE:
https://git.gnome.org/browse/gimp/commit/?id=06d24a79af94837d615d0024916bb95a01bf3c59
(master)
NOTE:
https://git.gnome.org/browse/gimp/commit/?id=c57f9dcf1934a9ab0cd67650f2dea18cb0902270
(gimp-2-8)
NOTE: Crash in desktop tool, no/negligable security impact
CVE-2017-17789 (In GIMP 2.8.22, there is a heap-based buffer overflow in ...)
+ {DLA-1220-1}
- gimp <unfixed> (bug #884837)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=790849
NOTE:
https://git.gnome.org/browse/GIMP/commit/?id=28e95fbeb5720e6005a088fa811f5bf3c1af48b8
(master)
@@ -412,6 +427,7 @@
NOTE: Cannot be reproduced in wheezy with "valgrind
--trace-children=yes gimp <reproducerfile>"
NOTE: Some OOB read/write can be reproduced in sid with "valgrind
--trace-children=yes gimp <reproducerfile>"
CVE-2017-17787 (In GIMP 2.8.22, there is a heap-based buffer over-read in ...)
+ {DLA-1220-1}
- gimp <unfixed> (unimportant; bug #884927)
NOTE:
https://git.gnome.org/browse/GIMP/commit/?id=eb2980683e6472aff35a3117587c4f814515c74d
(master)
NOTE:
https://git.gnome.org/browse/GIMP/commit/?id=87ba505fff85989af795f4ab6a047713f4d9381d
(gimp-2-8)
@@ -456,6 +472,7 @@
CVE-2017-17742
RESERVED
CVE-2017-17741 (The KVM implementation in the Linux kernel through 4.14.7
allows ...)
+ {DSA-4073-1}
- linux 4.14.7-1
NOTE: https://www.spinics.net/lists/kvm/msg160796.html
CVE-2017-17740 (contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45,
when both ...)
@@ -524,6 +541,7 @@
CVE-2017-17713 (Trape before 2017-11-05 has SQL injection via the /nr red
parameter, ...)
NOT-FOR-US: Trape
CVE-2017-17712 (The raw_sendmsg() function in net/ipv4/raw.c in the Linux
kernel ...)
+ {DSA-4073-1}
- linux 4.14.7-1
[jessie] - linux <not-affected> (Vulnerable code not present)
[wheezy] - linux <not-affected> (Vulnerable code not present)
@@ -5263,6 +5281,7 @@
- xen <unfixed>
NOTE: https://xenbits.xen.org/xsa/advisory-248.html
CVE-2017-17558 (The usb_destroy_configuration function in
drivers/usb/core/config.c in ...)
+ {DSA-4073-1}
- linux 4.14.7-1
NOTE: https://www.spinics.net/lists/linux-usb/msg163644.html
NOTE: Fixed by:
https://git.kernel.org/linus/48a4ff1c7bb5a32d2e396b03132d20d552c0eca7
@@ -5791,14 +5810,17 @@
CVE-2017-17451 (The WP Mailster plugin before 1.5.5 for WordPress has XSS in
the ...)
NOT-FOR-US: Wordpress plugin
CVE-2017-17450 (net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does
not ...)
+ {DSA-4073-1}
- linux 4.14.7-1
[wheezy] - linux <ignored> (User namespaces not supported)
NOTE: https://lkml.org/lkml/2017/12/5/982
CVE-2017-17449 (The __netlink_deliver_tap_skb function in
net/netlink/af_netlink.c in ...)
+ {DSA-4073-1}
- linux 4.14.7-1
[wheezy] - linux <not-affected> (Vulnerable code not present)
NOTE: https://lkml.org/lkml/2017/12/5/950
CVE-2017-17448 (net/netfilter/nfnetlink_cthelper.c in the Linux kernel through
4.14.4 ...)
+ {DSA-4073-1}
- linux 4.14.7-1
[wheezy] - linux <ignored> (User namespaces not supported)
NOTE: https://patchwork.kernel.org/patch/10089373/
@@ -6076,6 +6098,7 @@
NOTE: Fixed by:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=34697694e8a93b325b18f25f7dcded55d6baeaf6
NOTE: The upload of 2.26-0experimental2 to experimental fixed the issue
(cf. #883729).
CVE-2017-1000410 (The Linux kernel version 3.3-rc1 and later is affected by a
...)
+ {DSA-4073-1}
- linux 4.14.7-1
[wheezy] - linux <not-affected> (Vulnerable code introduced in 3.3)
NOTE: http://www.openwall.com/lists/oss-security/2017/12/06/3
@@ -8486,6 +8509,7 @@
[wheezy] - linux <not-affected> (Vulnerable code introduced later)
NOTE:
https://git.kernel.org/linus/0c17d1d2c61936401f4702e1846e2c19b200f958
CVE-2017-16995 (The check_alu_op function in kernel/bpf/verifier.c in the
Linux kernel ...)
+ {DSA-4073-1}
- linux 4.14.7-1
[jessie] - linux <not-affected> (Vulnerable code introduced later)
[wheezy] - linux <not-affected> (Vulnerable code introduced later)
@@ -9621,7 +9645,7 @@
CVE-2017-16885
RESERVED
CVE-2017-1000407 (The Linux Kernel 2.6.32 and later are affected by a denial
of service, ...)
- {DLA-1200-1}
+ {DSA-4073-1 DLA-1200-1}
- linux 4.14.7-1
NOTE: https://www.spinics.net/lists/kvm/msg159809.html
CVE-2017-1000406 (OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache
after a ...)
@@ -10721,6 +10745,7 @@
[stretch] - linux 4.9.65-1
[wheezy] - linux <not-affected> (Vulnerable code not present)
CVE-2017-16644 (The hdpvr_probe function in
drivers/media/usb/hdpvr/hdpvr-core.c in the ...)
+ {DSA-4073-1}
- linux 4.14.7-1
[jessie] - linux <not-affected> (Vulnerable code not present)
[wheezy] - linux <not-affected> (Vulnerable code not present)
@@ -11010,6 +11035,7 @@
NOTE: https://github.com/moby/moby/pull/35399
NOTE:
https://github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1
CVE-2017-16538 (drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel
through ...)
+ {DSA-4073-1}
- linux 4.14.7-1
[wheezy] - linux <not-affected> (Vulnerable code not present)
CVE-2017-16537 (The imon_probe function in drivers/media/rc/imon.c in the
Linux kernel ...)
@@ -33961,7 +33987,7 @@
NOTE:
https://github.com/dinhviethoa/libetpan/commit/1fe8fbc032ccda1db9af66d93016b49c16c1f22d
NOTE: https://github.com/dinhviethoa/libetpan/issues/274
CVE-2017-8824 (The dccp_disconnect function in net/dccp/proto.c in the Linux
kernel ...)
- {DLA-1200-1}
+ {DSA-4073-1 DLA-1200-1}
- linux 4.14.7-1
NOTE: http://lists.openwall.net/netdev/2017/12/04/224
NOTE: Fixed by:
https://git.kernel.org/linus/69c64866ce072dea1d1e59a0d61e0f66c0dffb76
_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
