Author: sectracker
Date: 2016-06-02 21:10:08 +0000 (Thu, 02 Jun 2016)
New Revision: 42277
Modified:
data/CVE/list
Log:
automatic update
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-06-02 20:58:37 UTC (rev 42276)
+++ data/CVE/list 2016-06-02 21:10:08 UTC (rev 42277)
@@ -1,3 +1,11 @@
+CVE-2016-5237
+ RESERVED
+CVE-2016-5236
+ RESERVED
+CVE-2016-5235
+ RESERVED
+CVE-2014-9803
+ RESERVED
CVE-2014-9804 [Avoid a DOS in vision.c due to an infinite loop]
- imagemagick 8:6.8.9.9-4 (bug #773834)
CVE-2014-9805 [Avoid a SEGV due to a corrupted pnm file]
@@ -345,6 +353,7 @@
NOTE:
https://github.com/ImageMagick/ImageMagick/commit/7b1cf5784b5bcd85aa9293ecf56769f68c037231
TODO: check versions
CVE-2015-8896 [integer truncation issue]
+ {DLA-353-1}
- imagemagick 8:6.8.9.9-7 (bug #806441)
[jessie] - imagemagick 8:6.8.9.9-5+deb8u1
[wheezy] - imagemagick 8:6.7.7.10-5+deb7u4
@@ -353,6 +362,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2015/10/07/2
NOTE: http://www.openwall.com/lists/oss-security/2016/02/22/4
CVE-2015-8895 [pict/icon processing issues: Integer and Buffer overflow in
coders/icon.c]
+ {DLA-353-1}
- imagemagick 8:6.8.9.9-7 (bug #806441)
[jessie] - imagemagick 8:6.8.9.9-5+deb8u1
[wheezy] - imagemagick 8:6.7.7.10-5+deb7u4
@@ -475,8 +485,7 @@
RESERVED
CVE-2015-8881
RESERVED
-CVE-2016-5126 [block: iscsi: buffer overflow in iscsi_aio_ioctl]
- RESERVED
+CVE-2016-5126 (Heap-based buffer overflow in the iscsi_aio_ioctl function in
...)
- qemu <unfixed> (bug #826151)
[wheezy] - qemu <not-affected> (Vulnerable code not present)
- qemu-kvm <removed>
@@ -1033,8 +1042,7 @@
RESERVED
CVE-2016-4946
RESERVED
-CVE-2016-4945
- RESERVED
+CVE-2016-4945 (Cross-site scripting (XSS) vulnerability in ...)
NOT-FOR-US: Citrix NetScaler Gateway
CVE-2015-8880 (Double free vulnerability in the format printer in PHP 7.x
before ...)
- php7.0 7.0.1-1
@@ -1358,8 +1366,7 @@
RESERVED
CVE-2016-4811
RESERVED
-CVE-2016-4810
- RESERVED
+CVE-2016-4810 (Citrix Studio before 7.6.1000, Citrix XenDesktop 7.x before 7.6
LTSR ...)
NOT-FOR-US: Citrix
CVE-2016-4913 (The get_rock_ridge_filename function in fs/isofs/rock.c in the
Linux ...)
- linux 4.5.4-1
@@ -2095,8 +2102,8 @@
NOT-FOR-US: Environmental Systems Corporation
CVE-2016-4501 (Environmental Systems Corporation (ESC) 8832 Data Controller
3.02 and ...)
NOT-FOR-US: Environmental Systems Corporation
-CVE-2016-4500
- RESERVED
+CVE-2016-4500 (Moxa UC-7408 LX-Plus devices allow remote authenticated users
to write ...)
+ TODO: check
CVE-2016-4499 (Heap-based buffer overflow in Panasonic FPWIN Pro 5.x through
7.x ...)
NOT-FOR-US: Panasonic FPWIN Pro
CVE-2016-4498 (Panasonic FPWIN Pro 5.x through 7.x before 7.130 accesses an
...)
@@ -2351,8 +2358,7 @@
CVE-2016-4455
RESERVED
NOT-FOR-US: Red Hat Subscription Manager
-CVE-2016-4454 [display: vmsvga: out-of-bounds read in vmsvga_fifo_read_raw()
routine]
- RESERVED
+CVE-2016-4454 (The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in
QEMU ...)
- qemu <unfixed>
[jessie] - qemu <no-dsa> (Minor issue)
[wheezy] - qemu <no-dsa> (Minor issue)
@@ -2360,8 +2366,7 @@
[wheezy] - qemu-kvm <no-dsa> (Minor issue)
NOTE:
https://lists.gnu.org/archive/html/qemu-devel/2016-05/msg05271.html
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1336429
-CVE-2016-4453 [display: vmsvga: infinite loop in vmsvga_fifo_run()]
- RESERVED
+CVE-2016-4453 (The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU
allows ...)
- qemu <unfixed>
[jessie] - qemu <no-dsa> (Minor issue)
[wheezy] - qemu <no-dsa> (Minor issue)
@@ -2381,6 +2386,7 @@
[wheezy] - nginx <not-affected> (Introduced in 1.3.9)
CVE-2016-4449
RESERVED
+ {DSA-3593-1}
- libxml2 2.9.3+dfsg1-1.1
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=761430
NOTE:
https://git.gnome.org/browse/libxml2/commit/?id=b1d34de46a11323fccffa9fadeb33be670d602f5
(v2.9.4)
@@ -2395,6 +2401,7 @@
TODO: check versions, applying the two commits quite intrusive
CVE-2016-4447
RESERVED
+ {DSA-3593-1}
- libxml2 2.9.3+dfsg1-1.1
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=759573
NOTE:
https://git.gnome.org/browse/libxml2/commit/?id=00906759053986b8079985644172085f74331f83
(v2.9.4)
@@ -2446,8 +2453,7 @@
[jessie] - tika <no-dsa> (Minor issue, no standard alone package, just
a reverse dependency of jmeter)
CVE-2016-4433
RESERVED
-CVE-2016-4432
- RESERVED
+CVE-2016-4432 (The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache
Qpid ...)
NOT-FOR-US: Apache Qpid Java Broker
CVE-2016-4431
RESERVED
@@ -2471,8 +2477,7 @@
RESERVED
CVE-2016-4424
RESERVED
-CVE-2016-4423 [Large username storage in session]
- RESERVED
+CVE-2016-4423 (The attemptAuthentication function in ...)
{DSA-3588-1}
- symfony 2.8.6+dfsg-1
NOTE: https://github.com/symfony/symfony/pull/18733
@@ -2501,6 +2506,7 @@
NOTE: http://www.openwall.com/lists/oss-security/2016/05/04/2
CVE-2016-4483
RESERVED
+ {DSA-3593-1}
- libxml2 2.9.3+dfsg1-1.1 (bug #823405)
NOTE: Minor issue, only when using libxml2 using recovery mode
NOTE:
https://git.gnome.org/browse/libxml2/commit/?id=c97750d11bb8b6f3303e7131fe526a61ac65bcfd
(v2.9.4)
@@ -4441,6 +4447,7 @@
- eglibc <removed>
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20010
CVE-2016-3705 (The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex
functions ...)
+ {DSA-3593-1}
- libxml2 2.9.3+dfsg1-1.1 (bug #823414)
NOTE:
https://git.gnome.org/browse/libxml2/commit/?id=8f30bdff69edac9075f4663ce3b56b0c52d48ce6
(v2.9.4)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=765207
@@ -4465,8 +4472,7 @@
- libndp 1.6-1 (bug #824545)
NOTE:
https://github.com/jpirko/libndp/commit/a4892df306e0532487f1634ba6d4c6d4bb381c7f
NOTE:
https://github.com/jpirko/libndp/commit/2af9a55b38b55abbf05fd116ec097d4029115839
-CVE-2016-3697 [privilege escalation via confusion of usernames and UIDs]
- RESERVED
+CVE-2016-3697 (libcontainer/user/user.go in runC before 0.1.0, as used in
Docker ...)
- docker.io <unfixed>
- runc 0.1.0+dfsg-1
NOTE:
https://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091
(runc, v0.1.0)
@@ -4749,6 +4755,7 @@
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1319661
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1318509
CVE-2016-3627 (The xmlStringGetNodeList function in tree.c in libxml2 2.9.3
and ...)
+ {DSA-3593-1}
- libxml2 2.9.3+dfsg1-1.1 (bug #819006)
NOTE:
https://git.gnome.org/browse/libxml2/commit/?id=bdd66182ef53fe1f7209ab6535fda56366bd7ac9
(v2.9.4)
NOTE: http://www.openwall.com/lists/oss-security/2016/03/21/3
@@ -5841,8 +5848,7 @@
CVE-2016-3095
RESERVED
NOT-FOR-US: Pulp (Red Hat)
-CVE-2016-3094
- RESERVED
+CVE-2016-3094 (PlainSaslServer.java in Apache Qpid Java before 6.0.3, when the
broker ...)
NOT-FOR-US: Apache Qpid Java Broker
CVE-2016-3093
RESERVED
@@ -5856,8 +5862,7 @@
RESERVED
CVE-2016-3089
RESERVED
-CVE-2016-3088 [Fileserver web application vulnerability allowing RCE]
- RESERVED
+CVE-2016-3088 (The Fileserver web application in Apache ActiveMQ 5.x before
5.14.0 ...)
- activemq <unfixed>
[jessie] - activemq <not-affected> (file server was only enabled in
5.13.2+dfsg-2)
[wheezy] - activemq <not-affected> (file server was only enabled in
5.13.2+dfsg-2)
@@ -5901,8 +5906,7 @@
NOTE:
https://github.com/python-pillow/Pillow/commit/a1f244343df389cf15cdfff80327594821097295
(3.1.2)
NOTE: Marked as unimportant since source vulnerable but in Debian we do
NOTE: not built against openjpeg by default
-CVE-2016-3075 [Stack overflow in nss_dns_getnetbyname_r]
- RESERVED
+CVE-2016-3075 (Stack-based buffer overflow in the nss_dns implementation of
the ...)
{DLA-494-1}
- glibc 2.22-6
[jessie] - glibc <no-dsa> (Minor issue, can be fixed via point release)
@@ -6541,7 +6545,7 @@
CVE-2016-2850 (Botan 1.11.x before 1.11.29 does not enforce TLS policy for (1)
...)
- botan1.10 <not-affected> (Introduced in 1.11.0)
NOTE: Introduced in 1.11.0, fixed in 1.11.29
-CVE-2016-2849 (Botan before 1.10.13 and 1.11.x before 1.11.29 does not use a
...)
+CVE-2016-2849 (Botan before 1.10.13 and 1.11.x before 1.11.29 do not use a ...)
{DSA-3565-1 DLA-449-1}
- botan1.10 <unfixed> (bug #822698)
NOTE: http://botan.randombit.net/security.html
@@ -8956,8 +8960,7 @@
- openssl <not-affected> (Only applies to EBCDIC systems)
NOTE: Fixed in master in
https://git.openssl.org/?p=openssl.git;a=commit;h=ea96ad5a206b7b5f25dad230333e8ff032df3219
NOTE: https://www.openssl.org/news/secadv/20160503.txt
-CVE-2016-2175
- RESERVED
+CVE-2016-2175 (Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not
properly ...)
- libpdfbox-java 1:1.8.12-1
NOTE: Fixed on upstream 1.8 branch in
https://svn.apache.org/viewvc?view=revision&revision=1739564
NOTE: Fixed on upstream 2.0 branch in
https://svn.apache.org/viewvc?view=revision&revision=1739565
@@ -9213,6 +9216,7 @@
CVE-2016-2093
RESERVED
CVE-2015-8806 (dict.c in libxml2 allows remote attackers to cause a denial of
service ...)
+ {DSA-3593-1}
- libxml2 2.9.3+dfsg1-1.1 (bug #813613)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=749115
NOTE: Same fix as CVE-2016-1839 seems to resolve the issue
@@ -9462,6 +9466,7 @@
NOTE: CVE Request:
http://www.openwall.com/lists/oss-security/2016/01/26/5
NOTE:
http://sourceforge.net/p/giflib/code/ci/4cc68b315ff9a378aef6664e1be6b2144ad4a5e6/
CVE-2016-2073 (The htmlParseNameComplex function in HTMLparser.c in libxml2
allows ...)
+ {DSA-3593-1}
- libxml2 2.9.3+dfsg1-1.1 (bug #812807)
NOTE: http://www.openwall.com/lists/oss-security/2016/01/25/6
NOTE: http://www.openwall.com/lists/oss-security/2016/01/26/8 has
details
@@ -10161,8 +10166,7 @@
CVE-2016-1919 [Weak eCryptFS Key generation from user password on KNOX 1.0 /
Android 4.3]
RESERVED
NOT-FOR-US: KNOX 1.0 / Android 4.3
-CVE-2016-1902 [SecureRandom's fallback not secure when OpenSSL fails]
- RESERVED
+CVE-2016-1902 (The nextBytes function in the SecureRandom class in Symfony
before ...)
{DSA-3588-1}
- symfony 2.7.9+dfsg-1
NOTE:
http://symfony.com/blog/cve-2016-1902-securerandom-s-fallback-not-secure-when-openssl-fails
@@ -10338,24 +10342,29 @@
- libxslt <undetermined>
TODO: check, most likely *not* only Apple specific
CVE-2016-1840 (libxml2, as used in Apple iOS before 9.3.2, OS X before
10.11.5, tvOS ...)
+ {DSA-3593-1}
- libxml2 2.9.3+dfsg1-1.1
NOTE:
https://git.gnome.org/browse/libxml2/commit/?id=cbb271655cadeb8dbb258a64701d9a3a0c4835b4
(v2.9.4)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=757711
CVE-2016-1839 (libxml2, as used in Apple iOS before 9.3.2, OS X before
10.11.5, tvOS ...)
+ {DSA-3593-1}
- libxml2 2.9.3+dfsg1-1.1
NOTE:
https://git.gnome.org/browse/libxml2/commit/?id=a820dbeac29d330bae4be05d9ecd939ad6b4aa33
(v2.9.4)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=758605
NOTE:
https://code.google.com/p/google-security-research/issues/detail?id=637
CVE-2016-1838 (libxml2, as used in Apple iOS before 9.3.2, OS X before
10.11.5, tvOS ...)
+ {DSA-3593-1}
- libxml2 2.9.3+dfsg1-1.1
NOTE:
https://git.gnome.org/browse/libxml2/commit/?id=db07dd613e461df93dde7902c6505629bf0734e9
(v2.9.4)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=758588
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=639
CVE-2016-1837 (libxml2, as used in Apple iOS before 9.3.2, OS X before
10.11.5, tvOS ...)
+ {DSA-3593-1}
- libxml2 2.9.3+dfsg1-1.1
NOTE:
https://git.gnome.org/browse/libxml2/commit/?id=11ed4a7a90d5ce156a18980a4ad4e53e77384852
(v2.9.4)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=760263
CVE-2016-1836 (libxml2, as used in Apple iOS before 9.3.2, OS X before
10.11.5, tvOS ...)
+ {DSA-3593-1}
- libxml2 2.9.3+dfsg1-1.1
[wheezy] - libxml2 <not-affected> (Vulnerable code not present)
NOTE: Fixed by:
https://git.gnome.org/browse/libxml2/commit/?id=45752d2c334b50016666d8f0ec3691e2d680f0a0
(v2.9.4)
@@ -10363,14 +10372,17 @@
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=759398
NOTE: Regression applies to Jessie, since fix backported as
0007-Fix-a-parsing-bug-on-non-ascii-element-and-CR-LF-usa.patch
CVE-2016-1835 (libxml2, as used in Apple iOS before 9.3.2 and OS X before
10.11.5, ...)
+ {DSA-3593-1}
- libxml2 2.9.3+dfsg1-1.1
NOTE:
https://git.gnome.org/browse/libxml2/commit/?id=38eae571111db3b43ffdeb05487c9f60551906fb
(v2.9.4)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=759020
CVE-2016-1834 (libxml2, as used in Apple iOS before 9.3.2, OS X before
10.11.5, tvOS ...)
+ {DSA-3593-1}
- libxml2 2.9.3+dfsg1-1.1
NOTE:
https://git.gnome.org/browse/libxml2/commit/?id=8fbbf5513d609c1770b391b99e33314cd0742704
(v2.9.4)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=763071
CVE-2016-1833 (libxml2, as used in Apple iOS before 9.3.2, OS X before
10.11.5, tvOS ...)
+ {DSA-3593-1}
- libxml2 2.9.3+dfsg1-1.1
NOTE:
https://git.gnome.org/browse/libxml2/commit/?id=0bcd05c5cd83dec3406c8f68b769b1d610c72f76
(v2.9.4)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=758606
@@ -10515,6 +10527,7 @@
CVE-2016-1763 (Messages in Apple iOS before 9.3 does not ensure that an
auto-fill ...)
TODO: check
CVE-2016-1762 (libxml2 in Apple iOS before 9.3, OS X before 10.11.4, Safari
before ...)
+ {DSA-3593-1}
- libxml2 2.9.3+dfsg1-1.1
NOTE:
https://git.gnome.org/browse/libxml2/commit/?id=a7a94612aa3b16779e2c74e1fa353b5d9786c602
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=759671
@@ -12508,8 +12521,7 @@
{DSA-3543-1}
- oar 2.5.7-1 (bug #819952)
NOTE:
https://raw.githubusercontent.com/oar-team/oar/ce77ffed620fdce94881c9b35064507777c24a1c/debian/patches/004-fix-oarsh-security-issue
-CVE-2016-1234
- RESERVED
+CVE-2016-1234 (Stack-based buffer overflow in the glob implementation in GNU C
...)
{DLA-494-1}
- glibc 2.22-8
[jessie] - glibc <no-dsa> (Minor issue, can be fixed in a point update)
@@ -15500,8 +15512,8 @@
RESERVED
CVE-2016-0289 (shiprec.xml in the SHIPREC application in IBM Maximo Asset
Management ...)
TODO: check
-CVE-2016-0288
- RESERVED
+CVE-2016-0288 (IBM Security AppScan Standard 8.7.x, 8.8.x, and 9.x before
9.0.3.2 and ...)
+ TODO: check
CVE-2016-0287
RESERVED
CVE-2016-0286
@@ -18284,7 +18296,7 @@
NOT-FOR-US: Adobe
CVE-2015-7828 (SAP HANA Database 1.00 SPS10 and earlier do not require ...)
NOT-FOR-US: SAP HANA
-CVE-2015-7827 (Botan before 1.10.13 and 1.11.x before 1.11.22 makes it easier
for ...)
+CVE-2015-7827 (Botan before 1.10.13 and 1.11.x before 1.11.22 make it easier
for ...)
{DSA-3565-1 DLA-449-1}
- botan1.10 <unfixed> (bug #817932)
NOTE: Fixed in 1.11.22. Affected all previous versions
@@ -18963,8 +18975,7 @@
NOTE:
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=edf6fb8d856574bc3bb3a703037f56533229267c
NOTE:
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=6ddca835100107e6b5841ce9d56074f6d98c387e
NOTE: gtk+2.0 2.21.5-1 removed the embedded copy of gdk-pixbuf and
build-depends on external gdk-pixbuf
-CVE-2015-8875 [Integer overlows in pixops_* functions]
- RESERVED
+CVE-2015-8875 (Multiple integer overflows in the (1) pixops_composite_nearest,
(2) ...)
{DSA-3589-1 DLA-450-1}
- gdk-pixbuf 2.34.0-1
NOTE: Fixed by:
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=dbfe8f70471864818bf458a39c8a99640895bd22
(2.33.1)
@@ -59795,7 +59806,7 @@
NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=62497
NOTE:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2014-March/000145.html
CVE-2014-2656 [arbitrary insertions of malicious data within cube parameter]
- RESERVED
+ REJECTED
NOT-FOR-US: Hypercube
CVE-2014-2655 (SQL injection vulnerability in the gen_show_status function in
...)
{DSA-2889-1}
@@ -80198,7 +80209,7 @@
- tpp 1.3.1-3 (low; bug #706644)
[squeeze] - tpp <no-dsa> (Minor issue)
[wheezy] - tpp <no-dsa> (Minor issue)
-CVE-2016-2856 (pt_chown in the glibc package before 2.19-18+deb8u4 on Debian
jessie ...)
+CVE-2016-2856 (pt_chown in the glibc package before 2.19-18+deb8u4 on Debian
jessie; ...)
- eglibc <removed>
[squeeze] - eglibc <no-dsa> (Minor issue)
[wheezy] - eglibc <no-dsa> (Minor issue)
_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
