Author: sectracker
Date: 2017-02-13 21:10:13 +0000 (Mon, 13 Feb 2017)
New Revision: 48884

Modified:
   data/CVE/list
Log:
automatic update

Modified: data/CVE/list
===================================================================
--- data/CVE/list       2017-02-13 19:18:41 UTC (rev 48883)
+++ data/CVE/list       2017-02-13 21:10:13 UTC (rev 48884)
@@ -1,3 +1,21 @@
+CVE-2017-5981
+       RESERVED
+CVE-2017-5980
+       RESERVED
+CVE-2017-5979
+       RESERVED
+CVE-2017-5978
+       RESERVED
+CVE-2017-5977
+       RESERVED
+CVE-2017-5976
+       RESERVED
+CVE-2017-5975
+       RESERVED
+CVE-2017-5974
+       RESERVED
+CVE-2017-5973
+       RESERVED
 CVE-2017-5972
        RESERVED
 CVE-2016-10224
@@ -54,6 +72,7 @@
 CVE-2017-5954 (An issue was discovered in the serialize-to-js package 0.5.0 
for ...)
        NOT-FOR-US: serialize-to-js Node package
 CVE-2017-5953 (vim before patch 8.0.0322 does not properly validate values for 
tree ...)
+       {DLA-822-1}
        - vim 2:8.0.0197-2 (bug #854969)
        NOTE: Fixed by 
https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d
 CVE-2017-5952
@@ -5460,8 +5479,8 @@
        RESERVED
 CVE-2017-3903
        RESERVED
-CVE-2017-3902
-       RESERVED
+CVE-2017-3902 (Cross-site scripting (XSS) vulnerability in the Web user 
interface ...)
+       TODO: check
 CVE-2017-3901
        RESERVED
 CVE-2017-3900
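
Review bot: CVE-2017-3902 is left at "TODO: check", and the truncated description ("... in the Web user interface ...") does not name the affected product, so nothing in the entry says whether Debian ships it. Triage it to a package line or a NOT-FOR-US tag; the same applies to the other "TODO: check" entries this revision adds.
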
@@ -5472,8 +5491,8 @@
        RESERVED
 CVE-2017-3897
        RESERVED
-CVE-2017-3896
-       RESERVED
+CVE-2017-3896 (Unvalidated parameter vulnerability in the remote log viewing 
...)
+       TODO: check
 CVE-2017-3895
        RESERVED
 CVE-2016-10087 (The png_set_text_2 function in libpng 0.71 before 1.0.67, 
1.2.x before ...)
@@ -5794,8 +5813,7 @@
        [jessie] - ikiwiki <not-affected> (Incomplete fix for CVE-2016-10026 
not applied)
        [wheezy] - ikiwiki <not-affected> (Incomplete fix for CVE-2016-10026 
not applied)
        NOTE: https://ikiwiki.info/security/#cve-2016-9645
-CVE-2016-10026 [authorization bypass when reverting changes]
-       RESERVED
+CVE-2016-10026 (ikiwiki 3.20161219 does not properly check if a revision 
changes the ...)
        {DSA-3760-1 DLA-812-1}
        - ikiwiki 3.20161219
        NOTE: 
http://ikiwiki.info/bugs/rcs_revert_can_bypass_authorization_if_affected_files_were_renamed/
@@ -17443,8 +17461,7 @@
        NOTE: 
https://blogs.gentoo.org/ago/2016/10/20/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862/
        NOTE: This is not a real problem in imagemagick but caused by the 
"observer" (the address sanitizer), cf.
        NOTE: 
https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=30908#p140255 .
-CVE-2016-8859 [Regex integer overflow in buffer size computations]
-       RESERVED
+CVE-2016-8859 (Multiple integer overflows in the TRE library and musl libc 
allow ...)
        {DLA-687-1}
        - tre 0.8.0-5 (bug #842169)
        [jessie] - tre 0.8.0-4+deb8u1
@@ -17993,8 +18010,7 @@
        - linux <unfixed>
        [jessie] - linux <not-affected> (Vulnerable code not present)
        [wheezy] - linux <not-affected> (Vulnerable code not present)
-CVE-2016-8659 [privilege escalation via ptrace]
-       RESERVED
+CVE-2016-8659 (Bubblewrap before 0.1.3 sets the PR_SET_DUMPABLE flag, which 
might ...)
        - bubblewrap 0.1.2-2 (bug #840605)
        NOTE: https://github.com/projectatomic/bubblewrap/issues/107
 CVE-2016-8658 (Stack-based buffer overflow in the brcmf_cfg80211_start_ap 
function in ...)
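
Review bot: The new description for CVE-2016-8659 says Bubblewrap before 0.1.3 is affected, but the fixed version on the following line is "bubblewrap 0.1.2-2". If that upload carried a backported fix, add a NOTE saying so next to the existing issue link; otherwise the fixed version should be rechecked against the description.
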
@@ -18217,8 +18233,8 @@
        RESERVED
 CVE-2016-8496
        RESERVED
-CVE-2016-8495
-       RESERVED
+CVE-2016-8495 (FortiManager does not properly validate TLS certificates when 
probing ...)
+       TODO: check
 CVE-2016-8494 (Insufficient verification of uploaded files allows attackers 
with ...)
        NOT-FOR-US: Fortiguard
 CVE-2016-8493
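
Review bot: The "TODO: check" added under CVE-2016-8495 (FortiManager) sits directly above CVE-2016-8494, which is already tagged "NOT-FOR-US: Fortiguard". If FortiManager is likewise not packaged, close this entry with a matching NOT-FOR-US tag rather than leaving the TODO open.
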
@@ -21323,8 +21339,7 @@
        NOTE: 
https://sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a/
 CVE-2016-7566
        RESERVED
-CVE-2016-7565
-       RESERVED
+CVE-2016-7565 (install/index.php in Exponent CMS 2.3.9 allows remote attackers 
to ...)
        NOT-FOR-US: Exponent CMS
 CVE-2016-7564 (Heap-based buffer overflow in the Fp_toString function in 
jsfunction.c ...)
        NOT-FOR-US: MuJS
@@ -25948,8 +25963,7 @@
        RESERVED
 CVE-2016-6212 (The Views module 7.x-3.x before 7.x-3.14 in Drupal 7.x and the 
Views ...)
        - drupal8 <itp> (bug #756305)
-CVE-2016-6210 [User enumeration via covert timing channel]
-       RESERVED
+CVE-2016-6210 (sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for 
user ...)
        {DSA-3626-1 DLA-578-1}
        - openssh 1:7.2p2-6 (bug #831902)
        NOTE: http://seclists.org/fulldisclosure/2016/Jul/51
@@ -26334,8 +26348,7 @@
        NOTE: http://www.sqlite.org/cgi/src/info/b38fe522cfc971b3
        NOTE: and possibly http://www.sqlite.org/cgi/src/info/614bb709d34e1148
        NOTE: https://www.korelogic.com/Resources/Advisories/KL-001-2016-003.txt
-CVE-2016-6129
-       RESERVED
+CVE-2016-6129 (The rsa_verify_hash_ex function in rsa_verify_hash.c in 
LibTomCrypt, ...)
        {DLA-612-1}
        - libtomcrypt 1.17-8 (bug #837042)
        [jessie] - libtomcrypt <no-dsa> (Minor issue)
@@ -30179,8 +30192,8 @@
        NOTE: gif2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed 
although technically still present in the source package
 CVE-2016-5101 (Unspecified vulnerability in Opera Mail before 2016-02-16 on 
Windows ...)
        NOT-FOR-US: Opera
-CVE-2016-5100
-       RESERVED
+CVE-2016-5100 (Froxlor before 0.9.35 uses the PHP rand function for random 
number ...)
+       TODO: check
 CVE-2016-5099 (Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x 
before ...)
        {DSA-3627-1}
        - phpmyadmin 4:4.6.2-1 (low)
@@ -31741,11 +31754,9 @@
        - ikiwiki 3.20160506
        NOTE: 
http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=32ef584dc5abb6ddb9f794f94ea0b2934967bba7
        NOTE: http://www.openwall.com/lists/oss-security/2016/05/06/8
-CVE-2016-4547
-       RESERVED
+CVE-2016-4547 (Samsung devices with Android KK(4.4), L(5.0/5.1), or M(6.0) 
allow ...)
        NOT-FOR-US: Samsung Android component
-CVE-2016-4546
-       RESERVED
+CVE-2016-4546 (Samsung devices with Android KK(4.4) or L(5.0/5.1) allow local 
users ...)
        NOT-FOR-US: Samsung Android component
 CVE-2016-4570 (The mxmlDelete function in mxml-node.c in mxml 2.9, 2.7, and 
possibly ...)
        - mxml 2.9-1 (bug #825855)
@@ -33555,8 +33566,7 @@
        - imlib2 1.4.8-1 (bug #639414)
        NOTE: 
https://git.enlightenment.org/legacy/imlib2.git/commit/?id=c94d83ccab15d5ef02f88d42dce38ed3f0892882
        NOTE: http://www.openwall.com/lists/oss-security/2016/04/10/5
-CVE-2016-3995 [Timing Attack Counter Measure AES]
-       RESERVED
+CVE-2016-3995 (The timing attack protection in 
Rijndael::Enc::ProcessAndXorBlock and ...)
        - libcrypto++ 5.6.3-6
        [jessie] - libcrypto++ 5.6.1-6+deb8u2
        [wheezy] - libcrypto++ 5.6.1-6+deb7u2
@@ -34646,8 +34656,7 @@
        RESERVED
 CVE-2016-3617
        RESERVED
-CVE-2016-3616 [null pointer dereference in cjpeg]
-       RESERVED
+CVE-2016-3616 (The cjpeg utility in libjpeg allows remote attackers to cause a 
denial ...)
        - libjpeg-turbo 1:1.4.2-1
        [jessie] - libjpeg-turbo <no-dsa> (Minor issue)
        NOTE: libjpeg-turbo: Fixed by: 
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/6709e4a0cfa44d4f54ee8ad05753d4aa9260cb91
 (1.4.2)
@@ -36977,12 +36986,11 @@
        NOTE: 
http://git.qemu.org/?p=qemu.git;a=commit;h=415ab35a441eca767d033a2702223e785b9d5190
 (v2.6.0-rc0)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1303106
        NOTE: http://www.openwall.com/lists/oss-security/2016/03/02/8
-CVE-2016-2788
-       RESERVED
+CVE-2016-2788 (MCollective 2.7.0 and 2.8.x before 2.8.9, as used in Puppet ...)
        - mcollective <unfixed> (bug #850968)
        NOTE: https://puppet.com/security/cve/cve-2016-2788
-CVE-2016-2787
-       RESERVED
+CVE-2016-2787 (The Puppet Communications Protocol in Puppet Enterprise 
2015.3.x ...)
+       TODO: check
 CVE-2016-2786 (The pxp-agent component in Puppet Enterprise 2015.3.x before 
2015.3.3 ...)
        - puppet <not-affected> (pxp-agent not packaged in Debian)
        NOTE: https://puppet.com/security/cve/cve-2016-2786
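
Review bot: CVE-2016-2787 is the only one of the three Puppet entries in this hunk left at "TODO: check". CVE-2016-2788 and CVE-2016-2786 each carry a package line and a NOTE pointing at the vendor advisory; give CVE-2016-2787 the same treatment so it is clear whether the Puppet Communications Protocol component is packaged in Debian.
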
@@ -37558,8 +37566,7 @@
        NOTE: 
http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-13999.patch
        NOTE: 
http://www.squid-cache.org/Versions/v4/changesets/squid-4-14552.patch
        NOTE: Upstream confirmed it does not affect squid 2.7.x
-CVE-2016-2568 [Program run via pkexec as unprivileged user can escape to 
parent session via TIOCSTI ioctl]
-       RESERVED
+CVE-2016-2568 (pkexec, when used with --user nonpriv, allows local users to 
escape to ...)
        - policykit-1 <unfixed> (bug #816062; bug #812512)
        [jessie] - policykit-1 <no-dsa> (Minor issue)
        [wheezy] - policykit-1 <no-dsa> (Minor issue)
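
Review bot: Replacing the bracketed title on CVE-2016-2568 drops the mention of the TIOCSTI ioctl, and the truncated description ("... allows local users to escape to ...") no longer names the mechanism. The entry is still marked unfixed, so a NOTE line recording the TIOCSTI detail would keep it visible to whoever works on the two referenced bugs.
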
@@ -40881,8 +40888,7 @@
        - eglibc <removed>
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=18985
        NOTE: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d36c75fc0d44deec29635dd239b0fbd206ca49b7
-CVE-2015-8771 [Possibility of code injection when setting passwords for Samba]
-       RESERVED
+CVE-2015-8771 (The generate_smb_nt_hash function in include/functions.inc in 
GOsa ...)
        {DLA-562-1 DLA-408-1}
        - gosa 2.7.4+reloaded2-6
        [jessie] - gosa 2.7.4+reloaded2-1+deb8u2
@@ -41480,8 +41486,7 @@
        - guacamole <not-affected> (Vulnerable code not present)
 CVE-2016-1565 (Cross-site scripting (XSS) vulnerability in the Field Group 
module ...)
        NOT-FOR-US: Field Group module for Drupal
-CVE-2015-8768
-       RESERVED
+CVE-2015-8768 (install.py in click allows remote attackers to gain privileges 
via a ...)
        NOT-FOR-US: Click package manager
        NOTE: http://www.ubuntu.com/usn/usn-2771-1/
 CVE-2015-8766 (Multiple cross-site scripting (XSS) vulnerabilities in ...)
@@ -42240,8 +42245,7 @@
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1294039
        NOTE: In 1.900.1-5.1 this issue was fixed as part of the patch for 
CVE-2008-3520
        NOTE: like other distribution did.
-CVE-2015-8750
-       RESERVED
+CVE-2015-8750 (libdwarf 20151114 and earlier allows remote attackers to cause 
a ...)
        {DLA-669-1 DLA-388-1}
        - dwarfutils 20160507-1 (bug #813182)
        [jessie] - dwarfutils 20120410-2+deb8u1
@@ -42588,8 +42592,7 @@
        NOTE: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e02cabecf0d025ec4f4ddee290bdf7aadb873bb3
        NOTE: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8f5e8b01a1da2a207228f2072c934fa5918554b8
        NOTE: Fixed for 2.23 upstream
-CVE-2014-9760 [XSS vulnerability during session log on]
-       RESERVED
+CVE-2014-9760 (Cross-site scripting (XSS) vulnerability in the displayLogin 
function ...)
        - gosa 2.7.4+reloaded1-5
        [wheezy] - gosa 2.7.4-4.3~deb7u2
        [squeeze] - gosa 2.6.11-3+squeeze4


_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
