Author: jmm
Date: 2017-01-30 18:32:21 +0000 (Mon, 30 Jan 2017)
New Revision: 48561

Modified:
   data/CVE/list
Log:
new phpmailer issue
qemu no-dsa
android NFUs


Modified: data/CVE/list
===================================================================
--- data/CVE/list       2017-01-30 17:41:41 UTC (rev 48560)
+++ data/CVE/list       2017-01-30 18:32:21 UTC (rev 48561)
@@ -270,7 +270,7 @@
 CVE-2017-5555
        RESERVED
 CVE-2017-5554 (An issue was discovered in ABOOT in OnePlus 3 and 3T OxygenOS 
before ...)
-       TODO: check
+       NOT-FOR-US: OnePlus 3 / 3T OxygenOS
 CVE-2017-5553 (Cross-site scripting (XSS) vulnerability in ...)
        - b2evolution <removed>
 CVE-2017-5545 (The main function in plistutil.c in libimobiledevice libplist 
through ...)
@@ -362,12 +362,12 @@
        NOTE: http://www.openwall.com/lists/oss-security/2017/01/20/6
 CVE-2016-10155 [watchdog: memory leakage in virtual hardware watchdog 
wdt_i6300esb; CVE for the memory consumption issue, not an information 
disclosure issue]
        RESERVED
-       - qemu 1:2.8+dfsg-2 (bug #852232)
+       - qemu 1:2.8+dfsg-2 (low; bug #852232)
+       [jessie] - qemu <no-dsa> (Minor issue)
        - qemu-kvm <removed>
        NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2016-12/msg03104.html
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1415199
        NOTE: Fixed by: 
http://git.qemu.org/?p=qemu.git;a=commit;h=eb7a20a3616085d46aa6b4b4224e15587ec67e6e
-       TODO: check affected versions
 CVE-2016-10154 [cifs: Fix smbencrypt() to stop pointing a scatterlist at the 
stack]
        RESERVED
        - linux 4.9.2-1
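Review bot: The `TODO: check affected versions` line at the end of the CVE-2016-10155 entry is dropped without recording what the check found. The added `[jessie] - qemu <no-dsa> (Minor issue)` line implies the jessie version contains the affected wdt_i6300esb code, so a short NOTE stating which versions are affected (or the commit that introduced the leak) would keep that result in the tracker instead of leaving it implicit.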
@@ -1119,9 +1119,9 @@
        NOTE: changed a malloc'ed buffer for a static one.
        NOTE: https://lists.gnu.org/archive/html/bug-ed/2017-01/msg00001.html
 CVE-2017-5329 (Palo Alto Networks Terminal Services Agent before 7.0.7 allows 
local ...)
-       TODO: check
+       NOT-FOR-US: Palo Alto Networks Terminal Services Agent
 CVE-2017-5328 (Palo Alto Networks Terminal Services Agent before 7.0.7 allows 
...)
-       TODO: check
+       NOT-FOR-US: Palo Alto Networks Terminal Services Agent
 CVE-2017-5327
        RESERVED
 CVE-2017-5326
@@ -1333,7 +1333,7 @@
 CVE-2017-5224
        RESERVED
 CVE-2017-5223 (An issue was discovered in PHPMailer before 5.2.22. PHPMailer's 
msgHTML ...)
-       TODO: check
+       - libphp-phpmailer <unfixed>
 CVE-2017-5222
        RESERVED
 CVE-2017-5221
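Review bot: The new `- libphp-phpmailer <unfixed>` line for CVE-2017-5223 has no bug reference, severity, or NOTE. The description already gives 5.2.22 as the fixed upstream version, so a NOTE pointing at the upstream fix, plus a `(bug #NNNNNN)` annotation once a report exists in the BTS, would let the maintainer act without repeating the triage.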
@@ -7237,7 +7237,7 @@
 CVE-2016-9796 (Alcatel-Lucent OmniVista 8770 2.0 through 3.0 exposes different 
ORBs ...)
        NOT-FOR-US: Alcatel-Lucent OmniVista
 CVE-2016-9795 (The casrvc program in CA Common Services, as used in CA Client 
...)
-       TODO: check
+       NOT-FOR-US: CA Common Services
 CVE-2016-9792
        RESERVED
 CVE-2016-9791
@@ -12694,7 +12694,7 @@
 CVE-2017-0393 (A denial of service vulnerability in libvpx in Mediaserver 
could ...)
        TODO: check
 CVE-2017-0392 (A denial of service vulnerability in VBRISeeker.cpp in 
libstagefright ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2017-0391 (A denial of service vulnerability in decoder/ihevcd_decode.c in 
...)
        TODO: check
 CVE-2017-0390 (A denial of service vulnerability in Tremolo/dpen.s in 
Mediaserver ...)
@@ -22546,9 +22546,9 @@
 CVE-2016-6767 (A denial of service vulnerability in Mediaserver could enable 
an ...)
        TODO: check
 CVE-2016-6766 (A denial of service vulnerability in libmedia and 
libstagefright in ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-6765 (A denial of service vulnerability in libstagefright in 
Mediaserver ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-6764 (A denial of service vulnerability in Mediaserver could enable 
an ...)
        TODO: check
 CVE-2016-6763 (A denial of service vulnerability in Telephony could enable a 
local ...)
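Review bot: The CVE-2016-6766 description names two components, "libmedia and libstagefright", but the added reason is only `NOT-FOR-US: libstagefright`. Either name both in the tag or confirm that libmedia is not part of any packaged Android source before closing the entry, since the tag as written only justifies half of the description.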
@@ -22635,11 +22635,11 @@
 CVE-2016-6723 (A denial of service vulnerability in Proxy Auto Config in 
Android 4.x ...)
        TODO: check
 CVE-2016-6722 (An information disclosure vulnerability in libstagefright in 
...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-6721 (An information disclosure vulnerability in Mediaserver in 
Android 6.x ...)
        TODO: check
 CVE-2016-6720 (An information disclosure vulnerability in libstagefright in 
...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-6719 (An elevation of privilege vulnerability in the Bluetooth 
component in ...)
        TODO: check
 CVE-2016-6718 (An elevation of privilege vulnerability in the Account Manager 
Service ...)
@@ -22667,7 +22667,7 @@
 CVE-2016-6707 (An elevation of privilege vulnerability in System Server in 
Android ...)
        TODO: check
 CVE-2016-6706 (An elevation of privilege vulnerability in libstagefright in 
...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-6705 (An elevation of privilege vulnerability in Mediaserver in 
Android ...)
        TODO: check
 CVE-2016-6704 (An elevation of privilege vulnerability in Mediaserver in 
Android 4.x ...)
@@ -22681,7 +22681,7 @@
 CVE-2016-6700 (An elevation of privilege vulnerability in libzipfile in 
Android 4.x ...)
        TODO: check
 CVE-2016-6699 (A remote code execution vulnerability in libstagefright in 
Mediaserver ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-6698 (An information disclosure vulnerability in Qualcomm components 
...)
        TODO: check
 CVE-2016-6697
@@ -32688,7 +32688,7 @@
 CVE-2016-3921 (libsysutils/src/FrameworkListener.cpp in Framework Listener in 
Android ...)
        TODO: check
 CVE-2016-3920 (id3/ID3.cpp in libstagefright in mediaserver in Android 5.0.x 
before ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-3919
        REJECTED
 CVE-2016-3918 (email/provider/AttachmentProvider.java in AOSP Mail in Android 
4.x ...)
@@ -32710,7 +32710,7 @@
 CVE-2016-3910 (services/soundtrigger/SoundTriggerHwService.cpp in mediaserver 
in ...)
        TODO: check
 CVE-2016-3909 (The SoftMPEG4 component in libstagefright in mediaserver in 
Android ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-3908 (The Lock Settings Service in Android 6.x before 2016-10-01 and 
7.0 ...)
        TODO: check
 CVE-2016-3907 (An information disclosure vulnerability in Qualcomm components 
...)
@@ -32730,7 +32730,7 @@
 CVE-2016-3900 (cmds/servicemanager/service_manager.c in ServiceManager in 
Android ...)
        TODO: check
 CVE-2016-3899 (OMXCodec.cpp in libstagefright in mediaserver in Android 4.x 
before ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-3898 (Telephony in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, 
6.x ...)
        TODO: check
 CVE-2016-3897 (The WifiEnterpriseConfig class in 
net/wifi/WifiEnterpriseConfig.java ...)
@@ -32784,11 +32784,11 @@
 CVE-2016-3873 (The NVIDIA kernel in Android before 2016-09-05 on Nexus 9 
devices ...)
        TODO: check
 CVE-2016-3872 (Buffer overflow in codecs/on2/dec/SoftVPX.cpp in libstagefright 
in ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-3871 (Multiple buffer overflows in codecs/mp3dec/SoftMP3.cpp in ...)
        TODO: check
 CVE-2016-3870 (omx/SimpleSoftOMXComponent.cpp in libstagefright in mediaserver 
in ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-3869 (The Broadcom Wi-Fi driver in Android before 2016-09-05 on Nexus 
5, ...)
        TODO: check
 CVE-2016-3868 (The Qualcomm power driver in Android before 2016-09-05 on Nexus 
5X and ...)
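Review bot: CVE-2016-3871 (`codecs/mp3dec/SoftMP3.cpp`) is left as `TODO: check` between two entries this hunk marks `NOT-FOR-US: libstagefright`, although the same file is tagged NOT-FOR-US for CVE-2016-2486 later in this commit. The truncated description hides the component name, so the entry looks skipped by a match on the word "libstagefright"; it is worth checking the full description and giving it the same tag if it applies.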
@@ -32874,19 +32874,19 @@
 CVE-2016-3831 (The telephony component in Android 4.x before 4.4.4, 5.0.x 
before ...)
        TODO: check
 CVE-2016-3830 (codecs/aacdec/SoftAAC2.cpp in libstagefright in mediaserver in 
Android ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-3829 (The ih264d decoder in mediaserver in Android 6.x before 
2016-08-01 ...)
        TODO: check
 CVE-2016-3828 (decoder/ih264d_api.c in mediaserver in Android 6.x before 
2016-08-01 ...)
        TODO: check
 CVE-2016-3827 (codecs/hevcdec/SoftHEVC.cpp in libstagefright in mediaserver in 
...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-3826 (services/audioflinger/Effects.cpp in mediaserver in Android 4.x 
before ...)
        TODO: check
 CVE-2016-3825 (mm-video-v4l2/vidc/venc/src/omx_video_base.cpp in mediaserver 
in ...)
        TODO: check
 CVE-2016-3824 (omx/OMXNodeInstance.cpp in libstagefright in mediaserver in 
Android ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-3823 (The secure-session feature in the mm-video-v4l2 venc component 
in ...)
        TODO: check
 CVE-2016-3822 (exif.c in Matthias Wandel jhead 2.87, as used in libjhead in 
Android ...)
@@ -33002,7 +33002,7 @@
 CVE-2016-3767 (The MediaTek Wi-Fi driver in Android before 2016-07-05 on 
Android One ...)
        TODO: check
 CVE-2016-3766 (MPEG4Extractor.cpp in libstagefright in mediaserver in Android 
4.x ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-3765 (decoder/impeg2d_bitstream.c in mediaserver in Android 6.x 
before ...)
        TODO: check
 CVE-2016-3764 (media/libmediaplayerservice/MetadataRetrieverClient.cpp in 
mediaserver ...)
@@ -36783,9 +36783,9 @@
 CVE-2016-2507 (Integer overflow in codecs/on2/h264dec/source/h264bsd_storage.c 
in ...)
        TODO: check
 CVE-2016-2506 (DRMExtractor.cpp in libstagefright in mediaserver in Android 
4.x ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-2505 (mpeg2ts/ATSParser.cpp in libstagefright in mediaserver in 
Android 6.x ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-2504 (The Qualcomm GPU driver in Android before 2016-08-05 on Nexus 
5, 5X, ...)
        TODO: check
 CVE-2016-2503 (The Qualcomm GPU driver in Android before 2016-07-05 on Nexus 
5X and ...)
@@ -36797,7 +36797,7 @@
 CVE-2016-2500 (Activity Manager in Android 5.0.x before 5.0.2, 5.1.x before 
5.1.1, ...)
        TODO: check
 CVE-2016-2499 (AudioSource.cpp in libstagefright in mediaserver in Android 4.x 
before ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-2498 (The Qualcomm Wi-Fi driver in Android before 2016-06-01 on Nexus 
7 ...)
        TODO: check
 CVE-2016-2497 
(services/core/java/com/android/server/pm/PackageManagerService.java in ...)
@@ -36805,7 +36805,7 @@
 CVE-2016-2496 (The Framework UI permission-dialog implementation in Android 
6.x ...)
        TODO: check
 CVE-2016-2495 (SampleTable.cpp in libstagefright in mediaserver in Android 4.x 
before ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-2494 (Off-by-one error in sdcard/sdcard.c in Android 4.x before 
4.4.4, 5.0.x ...)
        TODO: check
 CVE-2016-2493 (The Broadcom Wi-Fi driver in Android before 2016-06-01 on Nexus 
5, ...)
@@ -36821,13 +36821,13 @@
 CVE-2016-2488 (The Qualcomm camera driver in Android before 2016-06-01 on 
Nexus 5, ...)
        TODO: check
 CVE-2016-2487 (libstagefright in mediaserver in Android 4.x before 4.4.4, 
5.0.x ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-2486 (mp3dec/SoftMP3.cpp in libstagefright in mediaserver in Android 
4.x ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-2485 (libstagefright in mediaserver in Android 4.x before 4.4.4, 
5.0.x ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-2484 (libstagefright in mediaserver in Android 4.x before 4.4.4, 
5.0.x ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-2483 (The mm-video-v4l2 venc component in mediaserver in Android 4.x 
before ...)
        TODO: check
 CVE-2016-2482 (The mm-video-v4l2 vdec component in mediaserver in Android 4.x 
before ...)
@@ -36869,7 +36869,7 @@
 CVE-2016-2464 (libvpx in libwebm in mediaserver in Android 4.x before 4.4.4, 
5.0.x ...)
        TODO: check
 CVE-2016-2463 (Multiple integer overflows in the h264dec component in 
libstagefright ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-2462 (OpenSSLCipher.java in Conscrypt in Android 6.x before 
2016-05-01 ...)
        NOT-FOR-US: Android
 CVE-2016-2461 (OpenSSLCipher.java in Conscrypt in Android 6.x before 
2016-05-01 ...)
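Review bot: The tag added for CVE-2016-2463 is `NOT-FOR-US: libstagefright`, while the neighbouring Conscrypt entry in the same hunk uses `NOT-FOR-US: Android`. Using one form for Android-only components, for example `NOT-FOR-US: Android libstagefright`, would keep the reasons consistent and easier to grep across the list.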
@@ -42900,7 +42900,7 @@
 CVE-2016-0843 (The Qualcomm ARM processor performance-event manager in Android 
4.x ...)
        TODO: check
 CVE-2016-0842 (The H.264 decoder in libstagefright in Android 6.x before 
2016-04-01 ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-0841 (media/libmedia/mediametadataretriever.cpp in mediaserver in 
Android ...)
        TODO: check
 CVE-2016-0840 (Multiple stack-based buffer underflows in 
decoder/ih264d_parse_cavlc.c ...)
@@ -42910,7 +42910,7 @@
 CVE-2016-0838 (Sonivox in mediaserver in Android 4.x before 4.4.4, 5.0.x 
before ...)
        TODO: check
 CVE-2016-0837 (MPEG4Extractor.cpp in libstagefright in mediaserver in Android 
4.x ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-0836 (Stack-based buffer overflow in decoder/impeg2d_vld.c in 
mediaserver in ...)
        TODO: check
 CVE-2016-0835 (decoder/impeg2d_dec_hdr.c in mediaserver in Android 6.x before 
...)
@@ -42936,7 +42936,7 @@
 CVE-2016-0825 (The Widevine Trusted Application in Android 6.0.1 before 
2016-03-01 ...)
        TODO: check
 CVE-2016-0824 (libmpeg2 in libstagefright in Android 6.x before 2016-03-01 
allows ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-0823 (The pagemap_open function in fs/proc/task_mmu.c in the Linux 
kernel ...)
        - linux 4.0.2-1
        [jessie] - linux 3.16.7-ckt11-1
@@ -42984,7 +42984,7 @@
 CVE-2016-0804 (The NuPlayer::GenericSource::notifyPreparedAndCleanup function 
in ...)
        TODO: check
 CVE-2016-0803 (libstagefright in mediaserver in Android 4.x before 4.4.4, 5.x 
before ...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2016-0802 (The Broadcom Wi-Fi driver in the kernel in Android 4.x before 
4.4.4, ...)
        NOT-FOR-US: Android drivers
 CVE-2016-0801 (The Broadcom Wi-Fi driver in the kernel in Android 4.x before 
4.4.4, ...)
@@ -50960,9 +50960,9 @@
 CVE-2015-6633 (The display drivers in Android before 5.1.1 LMY48Z and 6.0 
before ...)
        TODO: check
 CVE-2015-6632 (libstagefright in Android before 5.1.1 LMY48Z and 6.0 before 
...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2015-6631 (libstagefright in Android before 5.1.1 LMY48Z and 6.0 before 
...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2015-6630 (SystemUI in Android 5.x before 5.1.1 LMY48Z and 6.0 before 
2015-12-01 ...)
        TODO: check
 CVE-2015-6629 (Wi-Fi in Android 5.x before 5.1.1 LMY48Z allows attackers to 
obtain ...)
@@ -50972,7 +50972,7 @@
 CVE-2015-6627 (The Audio component in Android before 5.1.1 LMY48Z and 6.0 
before ...)
        TODO: check
 CVE-2015-6626 (libstagefright in Android before 5.1.1 LMY48Z and 6.0 before 
...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2015-6625 (System Server in Android 6.0 before 2015-12-01 allows attackers 
to ...)
        TODO: check
 CVE-2015-6624 (System Server in Android 6.0 before 2015-12-01 allows attackers 
to ...)
@@ -50984,7 +50984,7 @@
 CVE-2015-6621 (SystemUI in Android 5.x before 5.1.1 LMY48Z and 6.0 before 
2015-12-01 ...)
        TODO: check
 CVE-2015-6620 (libstagefright in Android before 5.1.1 LMY48Z and 6.0 before 
...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2015-6619 (The kernel in Android before 5.1.1 LMY48Z and 6.0 before 
2015-12-01 ...)
        TODO: check
 CVE-2015-6618 (Bluetooth in Android 4.4 and 5.x before 5.1.1 LMY48Z allows ...)
@@ -51004,7 +51004,7 @@
 CVE-2015-6611 (mediaserver in Android before 5.1.1 LMY48X and 6.0 before 
2015-11-01 ...)
        TODO: check
 CVE-2015-6610 (libstagefright in Android before 5.1.1 LMY48X and 6.0 before 
...)
-       TODO: check
+       NOT-FOR-US: libstagefright
 CVE-2015-6609 (libutils in Android before 5.1.1 LMY48X and 6.0 before 
2015-11-01 ...)
        - android-platform-frameworks-native <unfixed> (unimportant; bug 
#806375)
 CVE-2015-6608 (mediaserver in Android 5.x before 5.1.1 LMY48X and 6.0 before 
...)
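Review bot: CVE-2015-6610 is marked `NOT-FOR-US: libstagefright` directly above CVE-2015-6609, which is tracked against `android-platform-frameworks-native <unfixed>`, so some Android platform sources are packaged. Please confirm that no `android-platform-*` source package ships libstagefright; if none does, saying so in the tag or a NOTE would make this batch of NOT-FOR-US decisions easy to revisit if that changes.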


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
