Author: sectracker
Date: 2017-06-17 09:10:13 +0000 (Sat, 17 Jun 2017)
New Revision: 52661
Modified: data/CVE/list Log: automatic update Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-06-17 08:22:13 UTC (rev 52660) +++ data/CVE/list 2017-06-17 09:10:13 UTC (rev 52661) @@ -25,7 +25,7 @@ RESERVED CVE-2017-9726 RESERVED -CVE-2017-9735 [timing channel in Password.java] +CVE-2017-9735 (Jetty through 9.4.x is prone to a timing channel in ...) - jetty9 <unfixed> (bug #864898) - jetty8 <removed> - jetty <removed> @@ -526,8 +526,7 @@ NOT-FOR-US: Atlassian Confluence CVE-2017-9504 RESERVED -CVE-2017-9503 [scsi: null pointer dereference while processing megasas command] - RESERVED +CVE-2017-9503 (QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host ...) - qemu <unfixed> - qemu-kvm <removed> NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg01313.html @@ -887,20 +886,17 @@ RESERVED CVE-2017-9376 RESERVED -CVE-2017-9375 [usb: xhci infinite recursive call via xhci_kick_ep] - RESERVED +CVE-2017-9375 (QEMU (aka Quick Emulator), when built with USB xHCI controller ...) - qemu <unfixed> (bug #864219) - qemu-kvm <removed> NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=96d87bdda3919bb16f754b3d3fd1227e1f38f13c -CVE-2017-9374 [usb: ehci host memory leakage during hotunplug] - RESERVED +CVE-2017-9374 (Memory leak in QEMU (aka Quick Emulator), when built with USB EHCI ...) - qemu <unfixed> (bug #864568) [stretch] - qemu <no-dsa> (Minor issue) [jessie] - qemu <no-dsa> (Minor issue) - qemu-kvm <removed> NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d710e1e7bd3d5bfc26b631f02ae87901ebe646b0 -CVE-2017-9373 [ide: ahci host memory leakage during hotunplug] - RESERVED +CVE-2017-9373 (Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI ...) - qemu <unfixed> (bug #864216) - qemu-kvm <removed> NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d68f0f778e7f4fbd674627274267f269e40f0b04 
@@ -1443,8 +1439,8 @@ RESERVED CVE-2017-9232 (Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses ...) - juju <removed> -CVE-2017-9231 - RESERVED +CVE-2017-9231 (XML external entity (XXE) vulnerability in Citrix XenMobile Server 9.x ...) + TODO: check CVE-2017-9230 (The Bitcoin Proof-of-Work algorithm does not consider a certain attack ...) NOT-FOR-US: Bitcoin Proof-of-Work algorithm CVE-2017-9229 (An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in ...) @@ -3461,14 +3457,14 @@ NOT-FOR-US: Proxmox Mail Gateway CVE-2015-9057 (Multiple cross-site scripting (XSS) vulnerabilities in Proxmox Mail ...) NOT-FOR-US: Proxmox Mail Gateway -CVE-2017-8452 - RESERVED -CVE-2017-8451 - RESERVED -CVE-2017-8450 - RESERVED -CVE-2017-8449 - RESERVED +CVE-2017-8452 (Kibana versions prior to 5.2.1 configured for SSL client access, file ...) + TODO: check +CVE-2017-8451 (With X-Pack installed, Kibana versions before 5.3.1 have an open ...) + TODO: check +CVE-2017-8450 (X-Pack 5.1.1 did not properly apply document and field level security ...) + TODO: check +CVE-2017-8449 (X-Pack Security 5.2.x would allow access to more fields than the user ...) + TODO: check CVE-2017-8448 RESERVED CVE-2017-8447 
@@ -3543,16 +3539,16 @@ NOTE: https://sourceforge.net/p/lame/bugs/458/ NOTE: Issue addressed in Debian via: https://sources.debian.net/patches/lame/3.99.5%2Brepack1-9/0001-Add-check-for-invalid-input-sample-rate.patch/ NOTE: in the revised version as included in 3.99.5+repack1-7 -CVE-2016-10366 - RESERVED -CVE-2016-10365 - RESERVED -CVE-2016-10364 - RESERVED -CVE-2016-10363 - RESERVED -CVE-2016-10362 - RESERVED +CVE-2016-10366 (Kibana versions after and including 4.3 and before 4.6.2 are ...) + TODO: check +CVE-2016-10365 (Kibana versions before 4.6.3 and 5.0.1 have an open redirect ...) + TODO: check +CVE-2016-10364 (With X-Pack installed, Kibana versions 5.0.0 and 5.0.1 were not ...) + TODO: check +CVE-2016-10363 (Logstash versions prior to 2.3.3, when using the Netflow Codec plugin, ...) + TODO: check +CVE-2016-10362 (Prior to Logstash version 5.0.1, Elasticsearch Output plugin when ...) + TODO: check CVE-2016-10361 RESERVED CVE-2016-10360 @@ -3573,8 +3569,8 @@ RESERVED CVE-2016-10352 RESERVED -CVE-2015-9056 - RESERVED +CVE-2015-9056 (Kibana versions prior to 4.1.3 and 4.2.1 are vulnerable to a XSS ...) + TODO: check CVE-2017-8905 (Xen through 4.6.x on 64-bit platforms mishandles a failsafe callback, ...) {DSA-3847-1 DLA-964-1} - xen 4.8.0~rc3-1 (bug #861662) 
@@ -34184,17 +34180,13 @@ NOTE: https://code.wireshark.org/review/16965 NOTE: Affected versions: 2.0.0 to 2.0.5 NOTE: Fixed versions: 2.0.6 -CVE-2016-1000222 - RESERVED +CVE-2016-1000222 (Logstash prior to version 2.1.2, the CSV output can be attacked via ...) - logstash <itp> (bug #664841) -CVE-2016-1000221 - RESERVED +CVE-2016-1000221 (Logstash prior to version 2.3.4, Elasticsearch Output plugin would log ...) - logstash <itp> (bug #664841) -CVE-2016-1000220 - RESERVED +CVE-2016-1000220 (Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that ...) - kibana <itp> (bug #700337) -CVE-2016-1000219 - RESERVED +CVE-2016-1000219 (Kibana before 4.5.4 and 4.1.11 when a custom output is configured for ...) - kibana <itp> (bug #700337) CVE-2016-1000217 (Zotpress plugin for WordPress SQLi in zp_get_account() ...) NOT-FOR-US: WordPress plugin zotpress @@ -37347,8 +37339,7 @@ NOTE: https://github.com/collectd/collectd/commit/8b4fed9940e02138b7e273e56863df03d1a39ef7 CVE-2016-6253 (mail.local in NetBSD versions 6.0 through 6.0.6, 6.1 through 6.1.5, ...) NOT-FOR-US: mail.local in NetBSD -CVE-2016-1000218 - RESERVED +CVE-2016-1000218 (Kibana Reporting plugin version 2.4.0 is vulnerable to a CSRF ...) - kibana <itp> (bug #700337) CVE-2016-1000212 [Mitigation for HTTPoxy vulnerability] {DSA-3642-1 DLA-583-1} 
@@ -73150,8 +73141,8 @@ [wheezy] - policykit-1 <no-dsa> (Minor issue) [squeeze] - policykit-1 <no-dsa> (Minor issue) NOTE: http://cgit.freedesktop.org/polkit/commit/?id=9f5e0c731784003bd4d6fc75ab739ff8b2ea269f -CVE-2015-3254 - RESERVED +CVE-2015-3254 (The client libraries in Apache Thrift before 0.9.3 might allow remote ...) + TODO: check CVE-2015-3253 (The MethodClosure class in runtime/MethodClosure.java in Apache Groovy ...) {DLA-274-1} - groovy 2.4.6-1 (bug #793397) _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
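Review bot: In the first hunk (@@ -25,7), replacing the bracketed description of CVE-2017-9735 drops the only pointer to the affected file: the new truncated text ends at "timing channel in ..." where the old one named Password.java. Suggest keeping that detail in a NOTE: line under the "- jetty9 <unfixed> (bug #864898)" entry so whoever picks up the fix knows where to look.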
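Review bot: CVE-2017-9503 in the @@ -526,8 hunk is the only QEMU entry in this revision whose "- qemu <unfixed>" line has no bug number, and its NOTE: links a qemu-devel thread rather than a commit. CVE-2017-9375, CVE-2017-9374 and CVE-2017-9373 each carry a bug reference and a "Fixed by:" commit; this entry should get a bug reference as well, and its NOTE: should be updated once a fixing commit exists.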
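Review bot: In the @@ -887,20 hunk, CVE-2017-9374 and CVE-2017-9373 are both described as QEMU memory leaks (previously both "host memory leakage during hotunplug"), yet only CVE-2017-9374 carries "[stretch] - qemu <no-dsa> (Minor issue)" and the matching [jessie] line. If CVE-2017-9373 falls in the same severity class it should get the same release markings; if it does not, a NOTE: stating the difference would make the triage auditable.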
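Review bot: The "TODO: check" added under CVE-2017-9231 in the @@ -1443,8 hunk looks resolvable right away: the description names Citrix XenMobile Server, and the next entry in the same hunk shows the convention for software that is not packaged ("NOT-FOR-US: Bitcoin Proof-of-Work algorithm"). Suggest "NOT-FOR-US: Citrix XenMobile Server" unless a Debian package is known to embed it.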
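Review bot: The four "TODO: check" lines in the @@ -3461,14 hunk cover two different products and should not be triaged as one group: CVE-2017-8452 and CVE-2017-8451 are described as Kibana issues, while CVE-2017-8450 and CVE-2017-8449 are described as X-Pack issues. Kibana already has a tracking form later in this revision ("- kibana <itp> (bug #700337)"); X-Pack has no package line anywhere in this diff, so it needs an explicit decision rather than inheriting Kibana's.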
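Review bot: In the @@ -3543,16 hunk, CVE-2016-10363 and CVE-2016-10362 are Logstash issues left at "TODO: check", although the @@ -34184,17 hunk of this same revision tracks Logstash as "- logstash <itp> (bug #664841)". Reusing that line here, and "- kibana <itp> (bug #700337)" for CVE-2016-10366 and CVE-2016-10365 as well as CVE-2015-9056 in the following hunk, would keep the Kibana and Logstash entries consistent across the file.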
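Review bot: CVE-2015-3254 in the last hunk (@@ -73150,8) moves from RESERVED to "TODO: check" with no package line, even though the description gives a usable version boundary ("Apache Thrift before 0.9.3"). Suggest resolving it to a source package line for Thrift with the fixed version, or <unfixed> plus a bug reference, in the form of the neighbouring "- groovy 2.4.6-1 (bug #793397)" entry.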