Author: sectracker
Date: 2017-09-07 09:10:14 +0000 (Thu, 07 Sep 2017)
New Revision: 55532
Modified: data/CVE/list Log: automatic update Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-09-07 08:38:48 UTC (rev 55531) +++ data/CVE/list 2017-09-07 09:10:14 UTC (rev 55532) @@ -1,3 +1,21 @@ +CVE-2017-14175 (In coders/xbm.c in ImageMagick 7.0.6-1 Q16, a DoS in ReadXBMImage() due ...) + TODO: check +CVE-2017-14174 (In coders/psd.c in ImageMagick 7.0.7-0 Q16, a DoS in ...) + TODO: check +CVE-2017-14173 (In the function ReadTXTImage() in coders/txt.c in ImageMagick 7.0.6-10, ...) + TODO: check +CVE-2017-14172 (In coders/ps.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSImage() due ...) + TODO: check +CVE-2017-14171 (In libavformat/nsvdec.c in FFmpeg 3.3.3, a DoS in ...) + TODO: check +CVE-2017-14170 (In libavformat/mxfdec.c in FFmpeg 3.3.3, a DoS in ...) + TODO: check +CVE-2017-14169 (In the mxf_read_primer_pack function in libavformat/mxfdec.c in FFmpeg ...) + TODO: check +CVE-2017-14168 + RESERVED +CVE-2017-14167 + RESERVED CVE-2017-14163 RESERVED CVE-2017-14162 @@ -72012,8 +72030,7 @@ NOTE: Commit fixing the issue: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=744692dc059845b2a3022119871846e74d4f6e11 (v2.6.34-rc1) CVE-2015-8320 (Apache Cordova-Android before 3.7.0 improperly generates random values ...) NOT-FOR-US: Apache Cordova -CVE-2015-8316 - RESERVED +CVE-2015-8316 (Array index error in LightDM (aka Light Display Manager) 1.14.3, ...) - lightdm 1.16.6-1 [jessie] - lightdm <not-affected> (Affects 1.14.x, 1.16.x and development 1.17.x) [wheezy] - lightdm <not-affected> (Affects 1.14.x, 1.16.x and development 1.17.x) 
@@ -75026,8 +75043,7 @@ NOTE: http://xenbits.xen.org/xsa/advisory-142.html CVE-2015-7296 (Securifi Almond devices with firmware before AL1-R201EXP10-L304-W34 ...) NOT-FOR-US: Securifi Almond devices -CVE-2015-7294 [LDAP Injection] - RESERVED +CVE-2015-7294 (ldapauth-fork before 2.3.3 allows remote attackers to perform LDAP ...) NOT-FOR-US: NodeJS ldapauth NOTE: http://www.openwall.com/lists/oss-security/2015/09/18/4 NOTE: https://github.com/vesse/node-ldapauth-fork/issues/21 @@ -75137,8 +75153,8 @@ NOT-FOR-US: Boxoft CVE-2015-7242 (Cross-site scripting (XSS) vulnerability in the Push-Service-Mails ...) NOT-FOR-US: AVM -CVE-2015-7241 - RESERVED +CVE-2015-7241 (XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01. ...) + TODO: check CVE-2015-7240 RESERVED CVE-2015-7239 (SQL injection vulnerability in the BP_FIND_JOBS_WITH_PROGRAM function ...) @@ -76309,8 +76325,7 @@ NOTE: https://bugs.php.net/bug.php?id=70366 NOTE: http://www.openwall.com/lists/oss-security/2015/09/07/5 NOTE: Fixed in 5.5.45 and 5.6.13 -CVE-2015-7225 [TOTP Replay Attack] - RESERVED +CVE-2015-7225 (Tinfoil Devise-two-factor before 2.0.0 does not strictly follow ...) - ruby-devise-two-factor 2.0.0-1 (bug #798466) NOTE: http://www.openwall.com/lists/oss-security/2015/09/06/2 CVE-2015-8777 (The process_envvars function in elf/rtld.c in the GNU C Library (aka ...) @@ -78289,8 +78304,7 @@ [wheezy] - wireshark <not-affected> (Vulnerable code not present) [squeeze] - wireshark <end-of-life> (Not supported in Squeeze LTS) NOTE: https://www.wireshark.org/security/wnpa-sec-2015-29.html -CVE-2015-6250 - RESERVED +CVE-2015-6250 (simple-php-captcha before commit ...) NOT-FOR-US: simple-php-captcha CVE-2015-5986 (openpgpkey_61.c in named in ISC BIND 9.9.7 before 9.9.7-P3 and 9.10.x ...) - bind9 <not-affected> (Vulnerable code present only since 9.9.7) 
@@ -78491,10 +78505,10 @@ [squeeze] - vlc <not-affected> (Vulnerability introduced by later changes) NOTE: https://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=ce91452460a75d7424b165c4dc8db98114c3cbd9;hp=9e12195d3e4316278af1fa4bcb6a705ff27456fd NOTE: http://www.ocert.org/advisories/ocert-2015-009.html -CVE-2015-5948 - RESERVED -CVE-2015-5947 - RESERVED +CVE-2015-5948 (Race condition in SuiteCRM before 7.2.3 allows remote attackers to ...) + TODO: check +CVE-2015-5947 (SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary ...) + TODO: check CVE-2015-5946 (Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote ...) NOT-FOR-US: SugarCRM CVE-2015-5945 (The Sandbox subsystem in Apple OS X before 10.11.1 allows local users ...) @@ -78905,8 +78919,7 @@ NOT-FOR-US: Veeam CVE-2015-5738 (The RSA-CRT implementation in the Cavium Software Development Kit ...) - openssl <not-affected> (OpenSSL upstream is not affected) -CVE-2015-5959 - RESERVED +CVE-2015-5959 (Froxlor before 0.9.33.2 with the default configuration/setup might ...) - froxlor <itp> (bug #581792) CVE-2015-5957 (Buffer overflow in the DumpSysVar function in var.c in Remind before ...) {DLA-289-1} @@ -79222,8 +79235,7 @@ RESERVED CVE-2002-2446 (GE Healthcare Millennium MG, NC, and MyoSIGHT has a password of ...) NOT-FOR-US: Data pre-dating the Security Tracker -CVE-2015-5705 [argument injection vulnerability] - RESERVED +CVE-2015-5705 (Argument injection vulnerability in devscripts before 2.15.7 allows ...) - devscripts 2.15.8 (bug #794365) [jessie] - devscripts <not-affected> (Vulnerable code not present) [wheezy] - devscripts <not-affected> (Vulnerable code not present) 
@@ -80866,8 +80878,7 @@ NOT-FOR-US: JBoss EAP CVE-2015-5187 (Candlepin allows remote attackers to obtain sensitive information by ...) NOT-FOR-US: candlepin / subscription-manager -CVE-2015-5186 [log terminal emulator escape sequences handling] - RESERVED +CVE-2015-5186 (Audit before 2.4.4 in Linux does not sanitize escape characters in ...) - audit 1:2.4.4-1 (unimportant; bug #795457) NOTE: Hardening, not a vulnerability. This is treated as a vulnerability in terminal emulators NOTE: https://fedorahosted.org/audit/changeset/1122 @@ -85634,14 +85645,14 @@ - virtualbox-ose <removed> NOTE: http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html NOTE: http://venom.crowdstrike.com/ -CVE-2015-3454 - RESERVED +CVE-2015-3454 (TelescopeJS before 0.15 leaks user bcrypt password hashes in websocket ...) + TODO: check CVE-2015-3453 RESERVED CVE-2015-3452 RESERVED -CVE-2015-3450 - RESERVED +CVE-2015-3450 (Heap-based buffer overflow in libaxl 0.6.9 allows attackers to cause a ...) + TODO: check CVE-2015-3449 (The Windows client in SAP Afaria 7.0.6398.0 uses weak permissions ...) NOT-FOR-US: SAP Afaria CVE-2015-3448 (REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and ...) 
@@ -86700,14 +86711,14 @@ NOTE: Patch 1/3: http://cgit.freedesktop.org/xorg/xserver/commit/?id=c4534a38b68aa07fb82318040dc8154fb48a9588 NOTE: Patch 2/3: http://cgit.freedesktop.org/xorg/xserver/commit/?id=4b4b9086d02b80549981d205fb1f495edc373538 NOTE: Patch 3/3: http://cgit.freedesktop.org/xorg/xserver/commit/?id=76636ac12f2d1dbdf7be08222f80e7505d53c451 -CVE-2015-3163 - RESERVED -CVE-2015-3162 - RESERVED -CVE-2015-3161 - RESERVED -CVE-2015-3160 - RESERVED +CVE-2015-3163 (The admin pages for power types and key types in Beaker before 20.1 do ...) + TODO: check +CVE-2015-3162 (Cross-site scripting (XSS) vulnerability in the edit comment dialog in ...) + TODO: check +CVE-2015-3161 (The search bar code in bkr/server/widgets.py in Beaker before 20.1 ...) + TODO: check +CVE-2015-3160 (XML external entity (XXE) vulnerability in bkr/server/jobs.py in ...) + TODO: check CVE-2015-3159 RESERVED NOT-FOR-US: abrt is Red Hat / Fedora specific @@ -87279,8 +87290,8 @@ NOT-FOR-US: Hajime Fujimoto mt-phpincgi CVE-2015-2944 (Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling ...) NOT-FOR-US: Apache Sling -CVE-2015-2943 - RESERVED +CVE-2015-2943 (Honda Moto LINC 1.6.1 does not verify SSL certificates. ...) + TODO: check CVE-2015-3026 (Icecast before 2.4.2, when a stream_auth handler is defined for URL ...) {DSA-3239-1} - icecast2 2.4.2-1 (bug #782120) @@ -89699,8 +89710,8 @@ - tcllib 1.16-dfsg-2 (low; bug #780100) [wheezy] - tcllib 1.14-dfsg-3+deb7u1 [squeeze] - tcllib <no-dsa> (Minor issue) -CVE-2015-2210 - RESERVED +CVE-2015-2210 (The help window in Epicor CRS Retail Store before 3.2.03.01.008 allows ...) + TODO: check CVE-2015-2209 (DLGuard 4.5 allows remote attackers to obtain the installation path ...) NOT-FOR-US: DLGuard CVE-2015-2208 (The saveObject function in moadmin.php in phpMoAdmin 1.1.2 allows ...) 
@@ -94378,8 +94389,7 @@ [jessie] - shutter 0.92-0.1+deb8u1 [squeeze] - shutter <no-dsa> (Minor issue) NOTE: https://bugs.launchpad.net/shutter/+bug/1495163 -CVE-2015-0853 [insecure use of os.system()] - RESERVED +CVE-2015-0853 (svn-workbench 1.6.2 and earlier on a system with xeyes installed ...) - svn-workbench 1.7.0-1 (low; bug #798863) [jessie] - svn-workbench <no-dsa> (Minor issue) [wheezy] - svn-workbench <no-dsa> (Minor issue) @@ -104933,8 +104943,7 @@ [squeeze] - vlc <end-of-life> (Unsupported in squeeze-lts) CVE-2014-6439 (Cross-site scripting (XSS) vulnerability in the CORS functionality in ...) - elasticsearch 1.0.3+dfsg-4 (bug #763958; low) -CVE-2014-6438 - RESERVED +CVE-2014-6438 (The URI.decode_www_form_component method in Ruby before 1.9.2-p330 ...) {DLA-275-1} - ruby1.9.1 1.9.3.0-1 - ruby1.8 <not-affected> (Vulnerable code not present) _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
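Review bot: The seven new entries CVE-2017-14175 through CVE-2017-14169 in the first hunk (@@ -1,3 +1,21 @@) carry only "TODO: check", although their descriptions name ImageMagick (coders/xbm.c, coders/psd.c, coders/txt.c, coders/ps.c) and FFmpeg (libavformat/nsvdec.c, libavformat/mxfdec.c), both of which are packaged in Debian. A follow-up should replace each TODO with per-package status lines in the form the file already uses elsewhere, such as "- lightdm 1.16.6-1" or "[jessie] - lightdm <not-affected> (...)", once the affected code has been checked against each suite.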
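Review bot: CVE-2015-5948 and CVE-2015-5947 in the @@ -78491,10 +78505,10 @@ hunk are left as "TODO: check" while the unchanged line directly below them tags CVE-2015-5946, also a SuiteCRM issue, as "NOT-FOR-US: SugarCRM". The three entries should be triaged the same way, and the NOT-FOR-US label should use the product name the descriptions give (SuiteCRM) so that a search on that name finds all of them.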
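Review bot: CVE-2015-7241 in the @@ -75137,8 +75153,8 @@ hunk is described as an XXE in SAP Netweaver but is left as "TODO: check", whereas the file already marks another SAP product as not packaged ("NOT-FOR-US: SAP Afaria" on CVE-2015-3449). If Netweaver is likewise absent from the archive, set "NOT-FOR-US: SAP Netweaver" here so the entry does not linger in the TODO queue.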