Author: sectracker
Date: 2017-03-13 21:10:12 +0000 (Mon, 13 Mar 2017)
New Revision: 49656
Modified: data/CVE/list Log: automatic update Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-03-13 20:23:52 UTC (rev 49655) +++ data/CVE/list 2017-03-13 21:10:12 UTC (rev 49656) @@ -135,8 +135,7 @@ NOT-FOR-US: MaNGOSWebV4 CVE-2017-6808 (paintballrefjosh/MaNGOSWebV4 4.0.8 is vulnerable to a reflected XSS in ...) NOT-FOR-US: MaNGOSWebV4 -CVE-2017-6807 [apache mod mellon cross-site session transfer vulnerability] - RESERVED +CVE-2017-6807 (mod_auth_mellon before 0.13.1 is vulnerable to a Cross-Site Session ...) - libapache2-mod-auth-mellon 0.12.0-2 CVE-2017-6806 RESERVED @@ -817,16 +816,19 @@ [wheezy] - imagemagick <not-affected> (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/commit/d31fec57e9dfb0516deead2053a856e3c71e9751 CVE-2017-6500 (An issue was discovered in ImageMagick 6.9.7. A specially crafted sun ...) + {DSA-3808-1} - imagemagick 8:6.9.7.4+dfsg-2 (bug #856879) NOTE: https://github.com/ImageMagick/ImageMagick/commit/3007531bfd326c5c1e29cd41d2cd80c166de8528 NOTE: https://github.com/ImageMagick/ImageMagick/issues/375 NOTE: https://github.com/ImageMagick/ImageMagick/issues/376 CVE-2017-6499 (An issue was discovered in Magick++ in ImageMagick 6.9.7. A specially ...) + {DSA-3808-1} - imagemagick 8:6.9.7.4+dfsg-2 (bug #856880) [wheezy] - imagemagick <not-affected> (vulnerable code not present) NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=23&p=142634 NOTE: https://github.com/ImageMagick/ImageMagick/commit/3358f060fc182551822576b2c0a8850faab5d543 CVE-2017-6498 (An issue was discovered in ImageMagick 6.9.7. Incorrect TGA files could ...) + {DSA-3808-1} - imagemagick 8:6.9.7.4+dfsg-2 (bug #856878) NOTE: https://github.com/ImageMagick/ImageMagick/commit/65f75a32a93ae4044c528a987a68366ecd4b46b9 NOTE: https://github.com/ImageMagick/ImageMagick/pull/359 
@@ -1033,42 +1035,52 @@ CVE-2017-6427 (A Buffer Overflow was discovered in EvoStream Media Server 1.7.1. A ...) NOT-FOR-US: EvoStream Media Server CVE-2017-6849 [NULL pointer dereference in PoDoFo::PdfColorGray::~PdfColorGray (PdfColor.cpp)] + RESERVED - libpodofo <unfixed> (bug #856592) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/10 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcolorgraypdfcolorgray-pdfcolor-cpp CVE-2017-6848 [NULL pointer dereference in PoDoFo::PdfXObject::PdfXObject (PdfXObject.cpp)] + RESERVED - libpodofo <unfixed> (bug #856592) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/9 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfxobjectpdfxobject-pdfxobject-cpp CVE-2017-6847 [NULL pointer dereference in PoDoFo::PdfVariant::DelayedLoad (PdfVariant.h)] + RESERVED - libpodofo <unfixed> (bug #856592) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/8 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfvariantdelayedload-pdfvariant-h CVE-2017-6846 [NULL pointer dereference in GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace (graphicsstack.h)] + RESERVED - libpodofo <unfixed> (bug #856592) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/7 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcoloroperator-pdfcolor-cpp CVE-2017-6845 [NULL pointer dereference in PoDoFo::PdfColor::operator= (PdfColor.cpp)] + RESERVED - libpodofo <unfixed> (bug #856592) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/6 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcoloroperator-pdfcolor-cpp CVE-2017-6844 [global buffer overflow in PoDoFo::PdfParser::ReadXRefSubsection (PdfParser.cpp)] + RESERVED - libpodofo <unfixed> (bug #856592) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/5 NOTE: 
https://blogs.gentoo.org/ago/2017/03/02/podofo-global-buffer-overflow-in-podofopdfparserreadxrefsubsection-pdfparser-cpp CVE-2017-6843 [heap-based buffer overflow in PoDoFo::PdfVariant::DelayedLoad (PdfVariant.h)] + RESERVED - libpodofo <unfixed> (bug #856592) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/4 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-heap-based-buffer-overflow-in-podofopdfvariantdelayedload-pdfvariant-h CVE-2017-6842 [NULL pointer dereference in ColorChanger::GetColorFromStack (colorchanger.cpp)] + RESERVED - libpodofo <unfixed> (bug #856592) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/3 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-colorchangergetcolorfromstack-colorchanger-cpp CVE-2017-6841 [NULL pointer dereference in GraphicsStack::TGraphicsStackElement::~TGraphicsStackElement (graphicsstack.h)] + RESERVED - libpodofo <unfixed> (bug #856592) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/2 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementtgraphicsstackelement-graphicsstack-h CVE-2017-6840 [invalid memory read in ColorChanger::GetColorFromStack (colorchanger.cpp)] + RESERVED - libpodofo <unfixed> (bug #856592) NOTE: http://www.openwall.com/lists/oss-security/2017/03/02/1 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-invalid-memory-read-in-colorchangergetcolorfromstack-colorchanger-cpp 
@@ -2151,19 +2163,19 @@ CVE-2017-6012 RESERVED CVE-2017-6011 (An issue was discovered in icoutils 0.31.1. An out-of-bounds read ...) - {DSA-3807-1} + {DSA-3807-1 DLA-854-1} - icoutils 0.31.2-1 (bug #854054) NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=bf97b99109607d4367a4e57df9a37cbcac02e220 NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=45a0207225df4cd4b82f41eee636e21f11a7db74 NOTE: Proposed patch from Red Hat contributor: https://bugzilla.redhat.com/attachment.cgi?id=1256393 CVE-2017-6010 (An issue was discovered in icoutils 0.31.1. A buffer overflow was ...) - {DSA-3807-1} + {DSA-3807-1 DLA-854-1} - icoutils 0.31.2-1 (bug #854054) NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=bf97b99109607d4367a4e57df9a37cbcac02e220 NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=45a0207225df4cd4b82f41eee636e21f11a7db74 NOTE: Proposed patch from Red Hat contributor: https://bugzilla.redhat.com/attachment.cgi?id=1256393 CVE-2017-6009 (An issue was discovered in icoutils 0.31.1. A buffer overflow was ...) - {DSA-3807-1} + {DSA-3807-1 DLA-854-1} - icoutils 0.31.2-1 (bug #854050) NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=f148ae5af1c9eeb85610a5653a7f625dd6c3ac2e NOTE: Proposed patch from Red Hat contributor: https://bugzilla.redhat.com/attachment.cgi?id=1256407 @@ -3592,10 +3604,12 @@ CVE-2017-5582 RESERVED CVE-2017-6852 [jasper: heap-based buffer overflow in jpc_dec_decodepkt (jpc_t2dec.c)] + RESERVED - jasper <unfixed> NOTE: Upstream bug: https://github.com/mdadams/jasper/issues/114 NOTE: http://www.openwall.com/lists/oss-security/2017/01/25/10 CVE-2017-6850 [jasper: NULL pointer dereference in jp2_cdef_destroy (jp2_cod.c)] + RESERVED - jasper <unfixed> (unimportant) NOTE: Upstream bug: https://github.com/mdadams/jasper/issues/112 NOTE: http://www.openwall.com/lists/oss-security/2017/01/25/8 
@@ -19975,12 +19989,15 @@ NOTE: is very similar. NOTE: https://lists.gnu.org/archive/html/bug-bash/2015-12/msg00112.html CVE-2016-10249 [heap-based buffer overflow in jpc_dec_tiledecode (jpc_dec.c)] + RESERVED + {DLA-739-1} - jasper <removed> NOTE: Fixed by: https://github.com/mdadams/jasper/commit/988f8365f7d8ad8073b6786e433d34c553ecf568 (version-1.900.12) NOTE: https://blogs.gentoo.org/ago/2016/10/23/jasper-heap-based-buffer-overflow-in-jpc_dec_tiledecode-jpc_dec-c/ NOTE: Reproducer: https://github.com/asarubbo/poc/blob/master/00001-jasper-heapoverflow-jpc_dec_tiledecode NOTE: http://www.openwall.com/lists/oss-security/2016/10/23/7 CVE-2016-10250 [NULL pointer dereference in jp2_colr_destroy (jp2_cod.c) (incomplete fix for CVE-2016-8887)] + RESERVED - jasper <not-affected> (Incomplete fix for CVE-206-8887 not applied) NOTE: Reproducer: https://github.com/asarubbo/poc/blob/master/00002-jasper-NULLptr-jp2_colr_destroy NOTE: https://blogs.gentoo.org/ago/2016/10/23/jasper-null-pointer-dereference-in-jp2_colr_destroy-jp2_cod-c-incomplete-fix-for-cve-2016-8887 @@ -88758,8 +88775,8 @@ RESERVED CVE-2014-3927 RESERVED -CVE-2014-3926 - RESERVED +CVE-2014-3926 (Cross-site scripting (XSS) vulnerability in lg.cgi in Cougar LG 1.9 ...) + TODO: check CVE-2014-3924 (Multiple cross-site scripting (XSS) vulnerabilities in Webmin before ...) NOT-FOR-US: Webmin CVE-2014-3923 (Multiple cross-site scripting (XSS) vulnerabilities in the Digital ...) _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
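Review bot: in the @@ -135,8 +135,7 @@ hunk, the new description for CVE-2017-6807 says mod_auth_mellon before 0.13.1 is vulnerable, yet the unchanged package line right below it records libapache2-mod-auth-mellon 0.12.0-2 as the fixed version and the entry has no NOTE line. If 0.12.0-2 carries a backported patch, add a NOTE pointing at the upstream fix so the version difference is explained; otherwise the fixed version should be rechecked.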
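Review bot: in the @@ -1033,42 +1035,52 @@ hunk, the entry for CVE-2017-6846 (GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace, graphicsstack.h) has a blogs.gentoo.org NOTE ending in podofopdfcoloroperator-pdfcolor-cpp, which is the same link used for CVE-2017-6845 (PoDoFo::PdfColor::operator=). This looks like a copy-paste of the neighbouring entry; the NOTE for CVE-2017-6846 should point at the advisory for the graphicsstack.h issue, and it is worth fixing while these entries are being touched to add RESERVED.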
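Review bot: in the @@ -19975,12 +19989,15 @@ hunk, the package line for CVE-2016-10250 reads "(Incomplete fix for CVE-206-8887 not applied)", while the bracketed title on the line above names CVE-2016-8887. The malformed identifier will not match a search or cross-reference on the CVE id; correct it to CVE-2016-8887.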