Author: sectracker Date: 2017-10-26 21:10:14 +0000 (Thu, 26 Oct 2017) New Revision: 57002
Modified: data/CVE/list Log: automatic update Modified: data/CVE/list =================================================================== --- data/CVE/list 2017-10-26 20:59:27 UTC (rev 57001) +++ data/CVE/list 2017-10-26 21:10:14 UTC (rev 57002) @@ -1,4 +1,16 @@ -CVE-2017-15919 +CVE-2017-15922 (In GNU Libextractor 1.4, there is an out-of-bounds read in the ...) + TODO: check +CVE-2017-15921 + RESERVED +CVE-2017-15920 + RESERVED +CVE-2017-15918 + RESERVED +CVE-2017-15917 (In Paessler PRTG Network Monitor 17.3.33.2830, it's possible to create ...) + TODO: check +CVE-2017-15908 (In systemd 223 through 235, a remote DNS server can respond with a ...) + TODO: check +CVE-2017-15919 (The ultimate-form-builder-lite plugin before 1.3.7 for WordPress has ...) NOT-FOR-US: WordPress plugin ultimate-form-builder-lite CVE-2017-15916 RESERVED @@ -10,8 +22,8 @@ RESERVED CVE-2017-15912 RESERVED -CVE-2017-15911 - RESERVED +CVE-2017-15911 (The Admin Console in Ignite Realtime Openfire Server before 4.1.7 ...) + TODO: check CVE-2017-15910 RESERVED CVE-2017-15909 (D-Link DGS-1500 Ax devices before 2.51B021 have a hardcoded password, ...) @@ -1229,8 +1241,8 @@ NOTE: https://github.com/radare/radare2/commit/52b1526443c1f433087928291d1c3d37a5600515 CVE-2017-15367 RESERVED -CVE-2017-15366 - RESERVED +CVE-2017-15366 (Before Thornberry NDoc version 8.0, laptop clients and the server have ...) + TODO: check CVE-2017-15365 RESERVED CVE-2017-15364 (The foreach function in ext/ccsv.c in Ccsv 1.1.0 allows remote ...) @@ -1903,8 +1915,8 @@ RESERVED CVE-2017-15097 RESERVED -CVE-2017-15096 - RESERVED +CVE-2017-15096 (A flaw was found in GlusterFS in versions prior to 3.10. A null ...) + TODO: check CVE-2017-15095 RESERVED CVE-2017-15094 @@ -2663,6 +2675,7 @@ NOTE: Unreproducible on wheezy/jessie/stretch/sid(0.25-3.1). NOTE: Reproducible in experimental(0.26-1) with valgrind (and "free(): corrupted unsorted chunks" without valgrind). CVE-2017-14864 (An Invalid memory address dereference was discovered in Exiv2::getULong ...) + {DLA-1147-1} - exiv2 <unfixed> NOTE: https://github.com/Exiv2/exiv2/issues/73 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494467 @@ -2680,6 +2693,7 @@ NOTE: Unreproducible on wheezy/jessie/stretch/sid(0.25-3.1). NOTE: Reproducible in experimental(0.26-1) with valgrind (and "free(): invalid next size (fast)" without valgrind). CVE-2017-14862 (An Invalid memory address dereference was discovered in ...) + {DLA-1147-1} - exiv2 <unfixed> NOTE: https://github.com/Exiv2/exiv2/issues/75 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494786 @@ -2706,6 +2720,7 @@ NOTE: Unreproducible on wheezy/jessie/stretch/sid(0.25-3.1). NOTE: Reproducible in experimental(0.26-1) with valgrind (and segfault without valgrind). CVE-2017-14859 (An Invalid memory address dereference was discovered in ...) + {DLA-1147-1} - exiv2 <unfixed> NOTE: https://github.com/Exiv2/exiv2/issues/74 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494780 @@ -7684,6 +7699,7 @@ CVE-2017-12972 (In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check when ...) NOT-FOR-US: Nimbus JOSE + JWT CVE-2017-12976 (git-annex before 6.20170818 allows remote attackers to execute ...) + {DLA-1144-1} - git-annex 6.20170818-1 (bug #873088) NOTE: http://source.git-annex.branchable.com/?p=source.git;a=commit;h=df11e54788b254efebb4898b474de11ae8d3b471 NOTE: http://source.git-annex.branchable.com/?p=source.git;a=commit;h=c24d0f0e8984576654e2be149005bc884fe0403a @@ -10424,14 +10440,11 @@ RESERVED CVE-2017-12161 RESERVED -CVE-2017-12160 - RESERVED +CVE-2017-12160 (It was found that Keycloak oauth would permit an authenticated ...) NOT-FOR-US: Keycloak -CVE-2017-12159 - RESERVED +CVE-2017-12159 (It was found that the cookie used for CSRF prevention in Keycloak was ...) NOT-FOR-US: Keycloak -CVE-2017-12158 - RESERVED +CVE-2017-12158 (It was found that Keycloak would accept a HOST header URL in the admin ...) NOT-FOR-US: Keycloak CVE-2017-12157 (In Moodle 3.x, various course reports allow teachers to view details ...) - moodle <removed> @@ -11617,6 +11630,7 @@ - libav <removed> - ffmpeg 7:2.3.1-1 CVE-2017-11683 (There is a reachable assertion in the ...) + {DLA-1147-1} - exiv2 <unfixed> (low) [stretch] - exiv2 <no-dsa> (Minor issue) [jessie] - exiv2 <no-dsa> (Minor issue) @@ -11974,6 +11988,7 @@ NOTE: Not reproducible in wheezy/jessie/stretch/sid(0.25-3.1). NOTE: Reproducible in experimental with version 0.26-1. CVE-2017-11591 (There is a Floating point exception in the Exiv2::ValueType function in ...) + {DLA-1147-1} - exiv2 <unfixed> (low; bug #876893) [stretch] - exiv2 <no-dsa> (Minor issue) [jessie] - exiv2 <no-dsa> (Minor issue) @@ -15260,6 +15275,7 @@ NOTE: version, although the internal lame code was only fixed in 3.100 (strictly speaking that would be NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations CVE-2017-9868 (In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) is ...) + {DLA-1146-1} - mosquitto <unfixed> (bug #865959) [stretch] - mosquitto <no-dsa> (Minor issue) [jessie] - mosquitto <no-dsa> (Minor issue) @@ -23509,8 +23525,8 @@ NOT-FOR-US: Fortinet FortiOS CVE-2017-7733 RESERVED -CVE-2017-7732 - RESERVED +CVE-2017-7732 (A reflected Cross-Site Scripting (XSS) vulnerability in Fortinet ...) + TODO: check CVE-2017-7731 (A weak password recovery vulnerability in Fortinet FortiPortal ...) NOT-FOR-US: Fortinet FortiPortal CVE-2017-7730 (iSmartAlarm cube devices allow Denial of Service. Sending a SYN flood ...) @@ -24935,8 +24951,8 @@ NOT-FOR-US: Fortinet FortiPortal CVE-2017-7342 RESERVED -CVE-2017-7341 - RESERVED +CVE-2017-7341 (An OS Command Injection vulnerability in Fortinet FortiWLC 6.1-2 ...) + TODO: check CVE-2017-7340 RESERVED CVE-2017-7339 (A Cross-Site Scripting vulnerability in Fortinet FortiPortal versions ...) @@ -24947,8 +24963,8 @@ NOT-FOR-US: Fortinet FortiPortal CVE-2017-7336 (A hard-coded account named 'upgrade' in Fortinet FortiWLM 8.3.0 and ...) NOT-FOR-US: Fortinet -CVE-2017-7335 - RESERVED +CVE-2017-7335 (A Cross-Site Scripting (XSS) vulnerability in Fortinet FortiWLC 6.1-x ...) + TODO: check CVE-2017-7334 RESERVED CVE-2017-7333 @@ -29019,8 +29035,8 @@ NOT-FOR-US: InterSect Alliance SNARE Epilog CVE-2017-5997 (The SAP Message Server HTTP daemon in SAP KERNEL 7.21-7.49 allows ...) NOT-FOR-US: SAP Message Server -CVE-2017-5996 - RESERVED +CVE-2017-5996 (The agent in Bomgar Remote Support 15.2.x before 15.2.3, 16.1.x before ...) + TODO: check CVE-2017-5995 (The NetApp ONTAP Select Deploy administration utility 2.0 through ...) NOT-FOR-US: NetApp ONTAP Select Deploy administration utility CVE-2017-14431 (Memory leak in Xen 3.3 through 4.8.x allows guest OS users to cause a ...) @@ -30459,6 +30475,7 @@ NOTE: https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454 NOTE: http://www.openwall.com/lists/oss-security/2017/01/27/2 CVE-2017-5595 (A file disclosure and inclusion vulnerability exists in ...) + {DLA-1145-1} - zoneminder 1.30.4+dfsg-1 (bug #854733) NOTE: Check https://github.com/ZoneMinder/ZoneMinder/commit/8b19fca9927cdec07cc9dd09bdcf2496a5ae69b3 CVE-2017-5594 (An issue was discovered in Pagekit CMS before 1.0.11. In this ...) @@ -35661,8 +35678,8 @@ RESERVED CVE-2017-3772 RESERVED -CVE-2017-3771 - RESERVED +CVE-2017-3771 (System boot process is not adequately secured In Lenovo E95 and ...) + TODO: check CVE-2017-3770 (Privilege escalation vulnerability in LXCA versions earlier than 1.3.2 ...) NOT-FOR-US: Lenovo LXCA CVE-2017-3769 @@ -121835,8 +121852,7 @@ NOT-FOR-US: Intrexx CVE-2014-2024 (Cross-site scripting (XSS) vulnerability in ...) NOT-FOR-US: Open Classifieds -CVE-2014-2023 - RESERVED +CVE-2014-2023 (Multiple SQL injection vulnerabilities in the Tapatalk plugin 4.9.0 ...) NOT-FOR-US: vBulletin CVE-2014-2022 (SQL injection vulnerability in includes/api/4/breadcrumbs_create.php ...) NOT-FOR-US: vBulletin @@ -152960,14 +152976,12 @@ [squeeze] - mediawiki <end-of-life> NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=39180 NOTE: http://www.openwall.com/lists/oss-security/2012/08/31/6 -CVE-2012-4378 [DOM-based XSS] - RESERVED +CVE-2012-4378 (Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki ...) - mediawiki 1:1.19.2-1 (bug #686330) [squeeze] - mediawiki <end-of-life> NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=37587 NOTE: http://www.openwall.com/lists/oss-security/2012/08/31/6 -CVE-2012-4377 [[mediawiki stored XSS] - RESERVED +CVE-2012-4377 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.18.5 ...) - mediawiki 1:1.19.2-1 (bug #686330) [squeeze] - mediawiki <not-affected> (Introduced in 1.16) NOTE: https://bugzilla.wikimedia.org/show_bug.cgi?id=39700 @@ -160042,8 +160056,7 @@ NOT-FOR-US: Drupal addon module not packaged in Debian CVE-2012-1623 (The Registration Codes module before 6.x-2.4 for Drupal does not ...) NOT-FOR-US: Drupal addon module not packaged in Debian -CVE-2012-1622 - RESERVED +CVE-2012-1622 (Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to ...) NOT-FOR-US: Apache OFBiz CVE-2012-1621 (Multiple cross-site scripting (XSS) vulnerabilities in Apache Open For ...) NOT-FOR-US: Apache OFBiz _______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits