Author: sectracker Date: 2017-10-02 21:10:14 +0000 (Mon, 02 Oct 2017) New Revision: 56367
Modified: data/CVE/list Log: automatic update Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-10-02 21:01:41 UTC (rev 56366) +++ data/CVE/list 2017-10-02 21:10:14 UTC (rev 56367) @@ -1,3 +1,5 @@ +CVE-2017-14990 (WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but ...) + TODO: check CVE-2017-14989 (A use-after-free in RenderFreetype in MagickCore/annotate.c in ...) - imagemagick <unfixed> NOTE: https://github.com/ImageMagick/ImageMagick/issues/781 @@ -22,12 +24,12 @@ NOT-FOR-US: ATutor CVE-2017-14980 RESERVED -CVE-2017-14979 - RESERVED +CVE-2017-14979 (Gxlcms uses an unsafe character-replacement approach in an attempt to ...) + TODO: check CVE-2017-14978 RESERVED CVE-2017-14977 (The FoFiTrueType::getCFFBlock function in FoFiTrueType.cc in Poppler ...) - - poppler <unfixed> (low) + - poppler <unfixed> (low) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=103045 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=19eedc6fb693a62f305e13079501e3105f869f3c CVE-2017-14976 (The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler ...) @@ -35,7 +37,7 @@ NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102724 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=da63c35549e8852a410946ab016a3f25ac701bdf CVE-2017-14975 (The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler ...) - - poppler <unfixed> (low) + - poppler <unfixed> (low) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102653 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=a5e5649ecf16fa05770620dbbd4985935dc2bbff CVE-2017-14974 (The *_get_synthetic_symtab functions in the Binary File Descriptor ...) @@ -570,18 +572,18 @@ NOT-FOR-US: GeniXCMS CVE-2017-14760 (SQL Injection exists in /includes/event-management/index.php in the ...) NOT-FOR-US: Event Espresso Lite -CVE-2017-14759 - RESERVED -CVE-2017-14758 - RESERVED -CVE-2017-14757 - RESERVED -CVE-2017-14756 - RESERVED -CVE-2017-14755 - RESERVED -CVE-2017-14754 - RESERVED +CVE-2017-14759 (OpenText Document Sciences xPression (formerly EMC Document Sciences ...) + TODO: check +CVE-2017-14758 (OpenText Document Sciences xPression (formerly EMC Document Sciences ...) + TODO: check +CVE-2017-14757 (OpenText Document Sciences xPression (formerly EMC Document Sciences ...) + TODO: check +CVE-2017-14756 (OpenText Document Sciences xPression (formerly EMC Document Sciences ...) + TODO: check +CVE-2017-14755 (OpenText Document Sciences xPression (formerly EMC Document Sciences ...) + TODO: check +CVE-2017-14754 (OpenText Document Sciences xPression (formerly EMC Document Sciences ...) + TODO: check CVE-2017-14753 (Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14752 @@ -607,7 +609,7 @@ NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=94670f6cf11fc29cc6db6814b38c4305d9bcac96 (master) NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e6ff33ca50c1180725dde11c84ee93fcdb4235ef (binutils-2_29-branch) CVE-2017-14867 (Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x ...) - {DSA-3984-1} + {DSA-3984-1 DLA-1120-1} - git 1:2.14.2-1 (bug #876854) NOTE: http://www.openwall.com/lists/oss-security/2017/09/26/9 NOTE: https://public-inbox.org/git/xmqqy3p29ekj....@gitster.mtv.corp.google.com/T/#u @@ -1319,21 +1321,25 @@ NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=51eadb692a5123b9838e5a68ecace3ac579a3a45 CVE-2017-14494 RESERVED + {DSA-3989-1} - dnsmasq 2.78-1 NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=33e3f1029c9ec6c63e430ff51063a6301d4b2262 CVE-2017-14493 RESERVED + {DSA-3989-1} - dnsmasq 2.78-1 NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3d4ff1ba8419546490b464418223132529514033 CVE-2017-14492 RESERVED + {DSA-3989-1} - dnsmasq 2.78-1 NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=24036ea507862c7b7898b68289c8130f85599c10 CVE-2017-14491 RESERVED + {DSA-3989-1} - dnsmasq 2.78-1 NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=0549c73b7ea6b22a3c49beb4d432f185a81efcbc @@ -6270,8 +6276,8 @@ NOTE: https://www.djangoproject.com/weblog/2017/sep/05/security-releases/ CVE-2017-12793 RESERVED -CVE-2017-12792 - RESERVED +CVE-2017-12792 (Multiple cross-site request forgery (CSRF) vulnerabilities in NexusPHP ...) + TODO: check CVE-2017-12791 (Directory traversal vulnerability in minion id validation in SaltStack ...) - salt <unfixed> (bug #872399) [stretch] - salt <no-dsa> (Minor issue) @@ -6740,8 +6746,7 @@ [jessie] - jenkins-commons-jelly <ignored> (Minor issue, only used by Jenkins which got removed) [wheezy] - jenkins-commons-jelly <ignored> (Minor issue, only used by Jenkins which got removed) NOTE: http://www.openwall.com/lists/oss-security/2017/09/27/6 -CVE-2017-12620 - RESERVED +CVE-2017-12620 (When loading models or dictionaries that contain XML it is possible to ...) NOT-FOR-US: Apache OpenNLP CVE-2017-12619 RESERVED @@ -10258,11 +10263,9 @@ NOT-FOR-US: Tilde CMS CVE-2017-11323 (Stack-based buffer overflow in ESTsoft ALZip 8.51 and earlier allows ...) NOT-FOR-US: ESTsoft ALZip -CVE-2017-11322 - RESERVED +CVE-2017-11322 (The chroothole_client executable in UCOPIA Wireless Appliance before ...) NOT-FOR-US: UCOPIA Wireless Appliance -CVE-2017-11321 - RESERVED +CVE-2017-11321 (The restricted shell interface in UCOPIA Wireless Appliance before ...) NOT-FOR-US: UCOPIA Wireless Appliance CVE-2017-11320 (Persistent XSS through the SSID of nearby Wi-Fi devices on Technicolor ...) NOT-FOR-US: Technicolor TC7337 routers @@ -12896,8 +12899,7 @@ NOTE: https://github.com/hannob/optionsbleed NOTE: Patch: https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch NOTE: Patch backport for 2.2: https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch -CVE-2017-9797 - RESERVED +CVE-2017-9797 (When an Apache Geode cluster before v1.2.1 is operating in secure ...) NOT-FOR-US: Apache Geode CVE-2017-9796 RESERVED @@ -15152,10 +15154,10 @@ RESERVED CVE-2017-9539 RESERVED -CVE-2017-9538 - RESERVED -CVE-2017-9537 - RESERVED +CVE-2017-9538 (The 'Upload logo from external path' function of SolarWinds Network ...) + TODO: check +CVE-2017-9537 (Persistent cross-site scripting (XSS) in the Add Node function of ...) + TODO: check CVE-2017-9536 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers to ...) NOT-FOR-US: IrfanView CVE-2017-9535 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers to ...) @@ -25989,10 +25991,10 @@ RESERVED CVE-2017-6091 RESERVED -CVE-2017-6090 - RESERVED -CVE-2017-6089 - RESERVED +CVE-2017-6090 (Unrestricted file upload vulnerability in clients/editclient.php in ...) + TODO: check +CVE-2017-6089 (SQL injection vulnerability in PhpCollab 2.5.1 and earlier allows ...) + TODO: check CVE-2017-6088 (Multiple SQL injection vulnerabilities in EyesOfNetwork (aka EON) 5.0 ...) NOT-FOR-US: EyesOfNetwork CVE-2017-6087 (EyesOfNetwork ("EON") 5.0 and earlier allows remote authenticated ...) @@ -38898,8 +38900,8 @@ RESERVED CVE-2017-1570 RESERVED -CVE-2017-1569 - RESERVED +CVE-2017-1569 (IBM WebSphere Commerce 7.0 and 8.0 contains an unspecified ...) + TODO: check CVE-2017-1568 RESERVED CVE-2017-1567 @@ -39178,8 +39180,8 @@ NOT-FOR-US: IBM CVE-2017-1430 RESERVED -CVE-2017-1429 - RESERVED +CVE-2017-1429 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) + TODO: check CVE-2017-1428 (IBM Cognos Analytics 11.0 could allow a remote attacker to hijack the ...) NOT-FOR-US: IBM CVE-2017-1427 (IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This ...) @@ -39298,8 +39300,8 @@ NOT-FOR-US: IBM CVE-2017-1370 (IBM Jazz Reporting Service (JRS) 5.0 and 6.0 could disclose sensitive ...) NOT-FOR-US: IBM -CVE-2017-1369 - RESERVED +CVE-2017-1369 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) + TODO: check CVE-2017-1368 RESERVED CVE-2017-1367 @@ -39308,8 +39310,8 @@ RESERVED CVE-2017-1365 RESERVED -CVE-2017-1364 - RESERVED +CVE-2017-1364 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) + TODO: check CVE-2017-1363 RESERVED CVE-2017-1362 (IBM Security Identity Manager Adapters 6.0 and 7.0 stores user ...) @@ -39318,8 +39320,8 @@ RESERVED CVE-2017-1360 RESERVED -CVE-2017-1359 - RESERVED +CVE-2017-1359 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) + TODO: check CVE-2017-1358 RESERVED CVE-2017-1357 (IBM Maximo Asset Management 7.5 and 7.6 could allow an authenticated ...) @@ -39346,8 +39348,8 @@ NOT-FOR-US: IBM CVE-2017-1346 (IBM Business Process Manager 7.5, 8.0, and 8.5 temporarily stores ...) NOT-FOR-US: IBM -CVE-2017-1345 - RESERVED +CVE-2017-1345 (IBM Insights Foundation for Energy 2.0 is vulnerable to cross-site ...) + TODO: check CVE-2017-1344 RESERVED CVE-2017-1343 @@ -39366,10 +39368,10 @@ NOT-FOR-US: IBM CVE-2017-1336 RESERVED -CVE-2017-1335 - RESERVED -CVE-2017-1334 - RESERVED +CVE-2017-1335 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) + TODO: check +CVE-2017-1334 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) + TODO: check CVE-2017-1333 RESERVED CVE-2017-1332 (IBM iNotes 8.5 and 9.0 is vulnerable to cross-site scripting. This ...) @@ -39388,8 +39390,8 @@ NOT-FOR-US: IBM CVE-2017-1325 (IBM iNotes 8.5 and 9.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM -CVE-2017-1324 - RESERVED +CVE-2017-1324 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) + TODO: check CVE-2017-1323 RESERVED CVE-2017-1322 (IBM API Connect 5.0.6.0 is vulnerable to an XML External Entity ...) @@ -39414,8 +39416,8 @@ RESERVED CVE-2017-1312 RESERVED -CVE-2017-1311 - RESERVED +CVE-2017-1311 (IBM Insights Foundation for Energy 2.0 is vulnerable to SQL injection. ...) + TODO: check CVE-2017-1310 (IBM Informix Dynamic Server 12.1 could allow an authenticated user to ...) NOT-FOR-US: IBM CVE-2017-1309 (IBM InfoSphere Master Data Management Server 11.0 - 11.6 stores user ...) @@ -51241,8 +51243,8 @@ NOTE: This is though only Windows/IIS specific, thus marked as not-affected, cf. #840000 CVE-2016-6807 (Custom commands may be executed on Ambari Agent (2.4.x, before 2.4.2) ...) NOT-FOR-US: Ambari Agent -CVE-2016-6806 - RESERVED +CVE-2016-6806 (Apache Wicket 6.x before 6.25.0, 7.x before 7.5.0, and 8.0.0-M1 ...) + TODO: check CVE-2016-6805 (Apache Ignite before 1.9 allows man-in-the-middle attackers to read ...) NOT-FOR-US: Apache Ignite CVE-2016-6804 @@ -69003,7 +69005,7 @@ - guacamole <not-affected> (Vulnerable code not present) CVE-2016-1565 (Cross-site scripting (XSS) vulnerability in the Field Group module ...) NOT-FOR-US: Field Group module for Drupal -CVE-2015-8768 (install.py in click allows remote attackers to gain privileges via a ...) +CVE-2015-8768 (click/install.py in click does not require files in package filesystem ...) NOT-FOR-US: Click package manager NOTE: http://www.ubuntu.com/usn/usn-2771-1/ CVE-2015-8766 (Multiple cross-site scripting (XSS) vulnerabilities in ...) @@ -75573,8 +75575,7 @@ RESERVED CVE-2015-7982 RESERVED -CVE-2015-7980 - RESERVED +CVE-2015-7980 (Cross-site scripting (XSS) vulnerability in the Compass Rose module ...) NOT-FOR-US: Drupal addon Compass Rose CVE-2015-7990 (Race condition in the rds_sendmsg function in net/rds/sendmsg.c in the ...) {DSA-3396-1 DLA-360-1} @@ -76026,12 +76027,12 @@ NOT-FOR-US: Huawei CVE-2015-7844 (Huawei FusionAccess with software V100R005C10,V100R005C20 could allow ...) NOT-FOR-US: Huawei -CVE-2015-7843 - RESERVED +CVE-2015-7843 (The management interface on Huawei FusionServer rack servers RH2288 V3 ...) + TODO: check CVE-2015-7842 RESERVED -CVE-2015-7841 - RESERVED +CVE-2015-7841 (The login page of the server on Huawei FusionServer rack servers ...) + TODO: check CVE-2015-7872 (The key_gc_unused_keys function in security/keys/gc.c in the Linux ...) {DSA-3396-1} - linux 4.2.5-1 @@ -77522,12 +77523,12 @@ NOTE: See CVE-2015-7686 for the underlying CWE-407 ("Algorithmic Complexity") NOTE: issue still present in 1.908 NOTE: http://www.openwall.com/lists/oss-security/2015/10/02/13 -CVE-2015-7359 - RESERVED -CVE-2015-7358 - RESERVED -CVE-2015-7357 - RESERVED +CVE-2015-7359 (The (1) IsVolumeAccessibleByCurrentUser and (2) MountDevice methods in ...) + TODO: check +CVE-2015-7358 (The IsDriveLetterAvailable method in Driver/Ntdriver.c in TrueCrypt ...) + TODO: check +CVE-2015-7357 (Cross-site scripting (XSS) vulnerability in the uDesign (aka U-Design) ...) + TODO: check CVE-2015-7356 RESERVED CVE-2015-7355 @@ -78481,8 +78482,8 @@ NOT-FOR-US: Openfire CVE-2015-6972 (Multiple cross-site scripting (XSS) vulnerabilities in Ignite Realtime ...) NOT-FOR-US: Openfire -CVE-2015-6971 - RESERVED +CVE-2015-6971 (Lenovo System Update (formerly ThinkVantage System Update) before ...) + TODO: check CVE-2015-6970 RESERVED CVE-2015-6969 (Cross-site scripting (XSS) vulnerability in js/2k11.min.js in the 2k11 ...) @@ -79634,8 +79635,7 @@ RESERVED CVE-2015-6577 RESERVED -CVE-2015-6576 - RESERVED +CVE-2015-6576 (Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers ...) NOT-FOR-US: Atlassian Bamboo CVE-2015-6575 (SampleTable.cpp in libstagefright in Android before 5.1.1 LMY48I does ...) NOT-FOR-US: libstagefright in Android @@ -88641,8 +88641,8 @@ NOT-FOR-US: ThinkServer CVE-2015-3322 (Lenovo ThinkServer RD350, RD450, RD550, RD650, and TD350 servers ...) NOT-FOR-US: ThinkServer -CVE-2015-3321 - RESERVED +CVE-2015-3321 (Services and files in Lenovo Fingerprint Manager before 8.01.42 have ...) + TODO: check CVE-2015-3320 (Lenovo USB Enhanced Performance Keyboard software before 2.0.2.2 ...) NOT-FOR-US: Lenovo USB Enhanced Performance Keyboard software CVE-2014-9717 (fs/namespace.c in the Linux kernel before 4.0.2 processes MNT_DETACH ...) @@ -125222,8 +125222,8 @@ {DSA-2854-1} - mumble 1.2.4-0.2 (bug #737739) [squeeze] - mumble <not-affected> (Opus support not present) -CVE-2014-0043 - RESERVED +CVE-2014-0043 (In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls ...) + TODO: check CVE-2014-0042 (OpenStack Heat Templates (heat-templates), as used in Red Hat ...) NOT-FOR-US: openstack-heat-templates CVE-2014-0041 (OpenStack Heat Templates (heat-templates), as used in Red Hat ...) _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits