Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a4a617b6 by security tracker role at 2018-04-06T20:10:18+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1,3 +1,5 @@
+CVE-2018-9838 (The caml_ba_deserialize function in byterun/bigarray.c in the 
standard ...)
+       TODO: check
 CVE-2018-XXXX [wordpress: Don't treat localhost as same host by default]
        - wordpress <unfixed> (bug #895034)
        NOTE: https://core.trac.wordpress.org/changeset/42894
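Review bot: the new CVE-2018-9838 entry is left at "TODO: check" although the visible description already identifies the affected code: the caml_ prefix on caml_ba_deserialize and the byterun/bigarray.c path are the OCaml runtime's bigarray deserializer, so the placeholder can be resolved against the ocaml source package (fixed version or <unfixed> plus a NOTE with the upstream reference) rather than waiting for a later pass.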
@@ -1038,25 +1040,25 @@ CVE-2018-9326
 CVE-2018-9325
        RESERVED
 CVE-2018-9324
-       RESERVED
+       REJECTED
 CVE-2018-9323
-       RESERVED
+       REJECTED
 CVE-2018-9322
        RESERVED
 CVE-2018-9321
-       RESERVED
+       REJECTED
 CVE-2018-9320
        RESERVED
 CVE-2018-9319
-       RESERVED
+       REJECTED
 CVE-2018-9318
        RESERVED
 CVE-2018-9317
-       RESERVED
+       REJECTED
 CVE-2018-9316
-       RESERVED
+       REJECTED
 CVE-2018-9315
-       RESERVED
+       REJECTED
 CVE-2018-9314
        RESERVED
 CVE-2018-9313
@@ -4033,6 +4035,7 @@ CVE-2018-8090
 CVE-2018-8089
        RESERVED
 CVE-2018-8088 (org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J 
before ...)
+       {DLA-1342-1}
        - libslf4j-java 1.7.25-3 (bug #893684)
        NOTE: 
https://github.com/qos-ch/slf4j/commit/d2b27fba88e983f921558da27fc29b5f5d269405
        NOTE: https://jira.qos.ch/browse/SLF4J-430
@@ -5506,18 +5509,22 @@ CVE-2018-7556 (LimeSurvey 2.6.x before 2.6.7, 2.7x.x 
before 2.73.1, and 3.x befo
 CVE-2018-7555
        RESERVED
 CVE-2018-7554 (There is an invalid free in ReadImage in input-bmp.ci that 
leads to a ...)
+       {DLA-1340-1}
        - sam2p <removed>
        [jessie] - sam2p <ignored> (Consider removal in next point release)
        NOTE: https://github.com/pts/sam2p/issues/29
 CVE-2018-7553 (There is a heap-based buffer overflow in the pcxLoadRaster 
function of ...)
+       {DLA-1340-1}
        - sam2p <removed>
        [jessie] - sam2p <ignored> (Consider removal in next point release)
        NOTE: https://github.com/pts/sam2p/issues/32
 CVE-2018-7552 (There is an invalid free in Mapping::DoubleHash::clear in 
mapping.cpp ...)
+       {DLA-1340-1}
        - sam2p <removed>
        [jessie] - sam2p <ignored> (Consider removal in next point release)
        NOTE: https://github.com/pts/sam2p/issues/30
 CVE-2018-7551 (There is an invalid free in MiniPS::delete0 in minips.cpp that 
leads to ...)
+       {DLA-1340-1}
        - sam2p <removed>
        [jessie] - sam2p <ignored> (Consider removal in next point release)
        NOTE: https://github.com/pts/sam2p/issues/28
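Review bot: the {DLA-1340-1} references added to CVE-2018-7554, CVE-2018-7553, CVE-2018-7552 and CVE-2018-7551 contradict the "[jessie] - sam2p <ignored> (Consider removal in next point release)" line that each of these entries still carries. A DLA annotation records that an LTS update for jessie was issued, so the <ignored> marker for jessie is no longer accurate; drop the [jessie] line (or change it to reflect the DLA) on all four entries so the tracker does not report the jessie status both as ignored and as fixed.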
@@ -5665,8 +5672,8 @@ CVE-2018-7508 (A Cross-site Scripting issue was 
discovered in OSIsoft PI Web API
        NOT-FOR-US: OSIsoft PI
 CVE-2018-7507
        RESERVED
-CVE-2018-7506
-       RESERVED
+CVE-2018-7506 (The private key of the web server in Moxa MXview versions 2.8 
and ...)
+       TODO: check
 CVE-2018-7505
        RESERVED
 CVE-2018-7504 (A Protection Mechanism Failure issue was discovered in OSIsoft 
PI ...)
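Review bot: CVE-2018-7506 (Moxa MXview) is filled in as "TODO: check" in a block where every neighbouring vendor entry (OSIsoft PI in CVE-2018-7508 and CVE-2018-7504) is already marked NOT-FOR-US. The description concerns a vendor appliance's web server private key, not software in the archive, so the expected resolution is a NOT-FOR-US: Moxa MXview line rather than an open TODO.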
@@ -5729,6 +5736,7 @@ CVE-2018-7489 (FasterXML jackson-databind before 2.8.11.1 
and 2.9.x before 2.9.5
 CVE-2018-7488
        RESERVED
 CVE-2018-7487 (There is a heap-based buffer overflow in the LoadPCX function 
of ...)
+       {DLA-1340-1}
        - sam2p <removed>
        [jessie] - sam2p <ignored> (Consider removal in next point release)
        NOTE: https://github.com/pts/sam2p/issues/18
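Review bot: same inconsistency as the other sam2p entries: CVE-2018-7487 now carries {DLA-1340-1} while the "[jessie] - sam2p <ignored>" line below it still says the jessie issue was ignored; the [jessie] line should be updated together with the DLA reference.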
@@ -8836,10 +8844,10 @@ CVE-2017-18100
        RESERVED
 CVE-2017-18099
        RESERVED
-CVE-2017-18098
-       RESERVED
-CVE-2017-18097
-       RESERVED
+CVE-2017-18098 (The searchrequest-xml resource in Atlassian Jira before 
version 7.6.1 ...)
+       TODO: check
+CVE-2017-18097 (The Trello board importer resource in Atlassian Jira before 
version ...)
+       TODO: check
 CVE-2017-18096 (The OAuth status rest resource in Atlassian Application Links 
before ...)
        NOT-FOR-US: Atlassian Application Links
 CVE-2017-18095 (The SnippetRPCServiceImpl class in Atlassian Crucible before 
version ...)
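Review bot: CVE-2017-18098 and CVE-2017-18097 both describe Atlassian Jira and are left at "TODO: check", while the adjacent Atlassian entries in the same hunk (CVE-2017-18096 Application Links, CVE-2017-18095 Crucible) are NOT-FOR-US. Unless Jira is packaged, which the surrounding entries give no indication of, these two should be resolved the same way (NOT-FOR-US: Atlassian Jira) for consistency.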
@@ -22776,12 +22784,12 @@ CVE-2018-1274
        RESERVED
 CVE-2018-1273
        RESERVED
-CVE-2018-1272
-       RESERVED
-CVE-2018-1271
-       RESERVED
-CVE-2018-1270
-       RESERVED
+CVE-2018-1272 (Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 
prior ...)
+       TODO: check
+CVE-2018-1271 (Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 
prior ...)
+       TODO: check
+CVE-2018-1270 (Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 
prior ...)
+       TODO: check
 CVE-2018-1269
        RESERVED
 CVE-2018-1268
@@ -34550,6 +34558,7 @@ CVE-2017-14451
        RESERVED
 CVE-2017-14450 [Simple DirectMedia Layer SDL2_Image LWZ Decompression Buffer 
Overflow Vulnerability]
        RESERVED
+       {DLA-1341-1}
        - libsdl2-image 2.0.3+dfsg1-1
        - sdl-image1.2 1.2.12-8
        NOTE: 
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0499
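Review bot: style point on the bracketed titles: this entry (CVE-2017-14450) and CVE-2017-12122 further down write "SDL2_Image", whereas CVE-2017-14449, CVE-2017-14448 and the rest of the TALOS entries write "SDL2_image". The tracker's text search is case-sensitive on these summaries, so the spelling should be made uniform when the RESERVED placeholders are replaced by the published CVE text.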
@@ -34562,6 +34571,7 @@ CVE-2017-14449 [Simple DirectMedia Layer SDL2_image 
do_layer_surface Double-Free
        NOTE: https://hg.libsdl.org/SDL_image/rev/d0142861559c
 CVE-2017-14448 [Simple DirectMedia Layer SDL2_image load_xcf_tile_rle 
Decompression Code Execution Vulnerability]
        RESERVED
+       {DLA-1341-1}
        - libsdl2-image 2.0.3+dfsg1-1
        - sdl-image1.2 1.2.12-8
        NOTE: 
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0497
@@ -34578,18 +34588,21 @@ CVE-2017-14443
        RESERVED
 CVE-2017-14442 [Simple DirectMedia Layer SDL2_image Image Palette Population 
Code Execution Vulnerability]
        RESERVED
+       {DLA-1341-1}
        - libsdl2-image 2.0.3+dfsg1-1
        - sdl-image1.2 1.2.12-8
        NOTE: 
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0491
        NOTE: https://hg.libsdl.org/SDL_image/rev/37445f6180a8
 CVE-2017-14441 [Simple DirectMedia Layer SDL2_image ICO Pitch Handling Code 
Execution Vulnerability]
        RESERVED
+       {DLA-1341-1}
        - libsdl2-image 2.0.3+dfsg1-1
        - sdl-image1.2 1.2.12-8
        NOTE: 
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0490
        NOTE: https://hg.libsdl.org/SDL_image/rev/a1e9b624ca10
 CVE-2017-14440 [Simple DirectMedia Layer SDL2_image ILBM CMAP Parsing Code 
Execution Vulnerability]
        RESERVED
+       {DLA-1341-1}
        - libsdl2-image 2.0.3+dfsg1-1
        - sdl-image1.2 1.2.12-8
        NOTE: 
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0489
@@ -41546,6 +41559,7 @@ CVE-2017-12123
        RESERVED
 CVE-2017-12122 [Simple DirectMedia Layer SDL2_Image IMG_LoadLBM_RW Code 
Execution Vulnerability]
        RESERVED
+       {DLA-1341-1}
        - libsdl2-image 2.0.3+dfsg1-1
        - sdl-image1.2 1.2.12-8
        NOTE: 
https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0488
@@ -129185,7 +129199,7 @@ CVE-2015-1419 (Unspecified vulnerability in vsftpd 
3.0.2 and earlier allows remo
        NOTE: Not a real security feature according the manpage and upstream
 CVE-2015-1418 (The do_ed_script function in pch.c in GNU patch through 2.7.6, 
and ...)
        NOT-FOR-US: patch as used in FreeBSD specifically
-CVE-2018-1000156 [input validation vulnerability when processing patch files]
+CVE-2018-1000156 (GNU Patch version 2.7.6 contains an input validation 
vulnerability ...)
        - patch 2.7.6-2 (bug #894993)
        NOTE: Upstream bug: https://savannah.gnu.org/bugs/?53566
        NOTE: https://rachelbythebay.com/w/2018/04/05/bangpatch/
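Review bot: CVE-2018-1000156 is filed directly below CVE-2015-1418 (do_ed_script in GNU patch, marked NOT-FOR-US because only the FreeBSD patch was affected), which implies the two issues are related, but nothing in the entry says so. Since the new MITRE text in the hunk is truncated to "input validation vulnerability ..." and the old bracketed summary ("input validation vulnerability when processing patch files") is dropped, add a NOTE cross-referencing CVE-2015-1418 so the placement and the distinction from the FreeBSD-only issue are explicit.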
@@ -145120,8 +145134,8 @@ CVE-2014-5074 (Siemens SIMATIC S7-1500 CPU devices 
with firmware before 1.6 allo
        NOT-FOR-US: Siemens SIMATIC S7-1500 CPU devices
 CVE-2014-5073 (vmtadmin.cgi in VMTurbo Operations Manager before 4.6 build 
28657 ...)
        NOT-FOR-US: VMTurbo Operations Manager
-CVE-2014-5072
-       RESERVED
+CVE-2014-5072 (Cross-site request forgery (CSRF) vulnerability in WP Security 
Audit ...)
+       TODO: check
 CVE-2014-5071 (SQL injection vulnerability in the checkPassword function in 
...)
        NOT-FOR-US: Symmetricom
 CVE-2014-5070 (Symmetricom s350i 2.70.15 allows remote authenticated users to 
gain ...)
@@ -145207,8 +145221,8 @@ CVE-2014-5036 (The Storage Controller (SC) component 
in Eucalyptus 3.4.2 through
        - eucalyptus <removed>
 CVE-2014-5035 (The Netconf (TCP) service in OpenDaylight 1.0 allows remote 
attackers ...)
        NOT-FOR-US: Opendaylight
-CVE-2014-5034
-       RESERVED
+CVE-2014-5034 (Cross-site request forgery (CSRF) vulnerability in the Brute 
Force ...)
+       TODO: check
 CVE-2014-5023 (Repository.php in Gitter, as used in Gitlist, allows remote 
attackers ...)
        - gitlist <itp> (bug #750368)
 CVE-2014-5018 (Incomplete blacklist vulnerability in the autoEscape function 
in ...)
@@ -149132,8 +149146,7 @@ CVE-2014-3541 (The Repositories component in Moodle 
through 2.3.11, 2.4.x before
        NOTE: 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-45616
 CVE-2014-3540
        REJECTED
-CVE-2014-3539 [pickle.load of remotely supplied data with no authentication 
required]
-       RESERVED
+CVE-2014-3539 (base/oi/doa.py in the Rope library in CPython (aka Python) 
allows ...)
        - rope 0.10.3-1 (bug #777525)
        [jessie] - rope <no-dsa> (Minor issue)
        [squeeze] - rope <no-dsa> (Minor issue)
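Review bot: replacing the bracketed summary of CVE-2014-3539 with the MITRE description loses information: the old text "[pickle.load of remotely supplied data with no authentication required]" names the mechanism, whereas the new description visible here ("base/oi/doa.py in the Rope library in CPython (aka Python) allows ...") is truncated and does not mention pickle at all. Keep the old wording as a NOTE line under the entry so the reason it was rated a minor issue in jessie and squeeze remains clear.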
@@ -152484,8 +152497,8 @@ CVE-2014-2361 (OleumTech WIO DH2 Wireless Gateway and 
Sensor Wireless I/O Module
        NOT-FOR-US: OleumTech Wireless Gateway
 CVE-2014-2360 (OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O 
Modules ...)
        NOT-FOR-US: OleumTech Wireless Gateway
-CVE-2014-2359
-       RESERVED
+CVE-2014-2359 (OleumTech Wireless Sensor Network devices allow remote 
attackers to ...)
+       TODO: check
 CVE-2014-2358 (Multiple cross-site request forgery (CSRF) vulnerabilities in 
the ...)
        NOT-FOR-US: Fox-IT Fox DataDiode
 CVE-2014-2357 (The GPT library in the Telegyr 8979 Master Protocol application 
in ...)
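Review bot: CVE-2014-2359 ("OleumTech Wireless Sensor Network devices allow remote attackers to ...") is inserted as "TODO: check" between CVE-2014-2360 and CVE-2014-2361, both of which are already "NOT-FOR-US: OleumTech Wireless Gateway" for the same product family. The placeholder should be resolved to the same NOT-FOR-US marker rather than left open.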
@@ -155890,8 +155903,7 @@ CVE-2014-1228
        RESERVED
 CVE-2014-1227
        RESERVED
-CVE-2014-1226
-       RESERVED
+CVE-2014-1226 (The pipe_init_terminal function in main.c in s3dvt allows local 
users ...)
        - s3d 0.2.2-13 (unimportant)
        NOTE: http://hmarco.org/bugs/CVE-2014-1226-s3dvt_0.2.2-root-shell.html
        NOTE: Additional patch hunk applied in 0.2.2-11 (experimental) only
@@ -159791,8 +159803,7 @@ CVE-2013-6878
        NOT-FOR-US: MijoSearch
 CVE-2013-6877 (Heap-based buffer overflow in RealNetworks RealPlayer before 
17.0.4.61 ...)
        NOT-FOR-US: RealPlayer
-CVE-2013-6876
-       RESERVED
+CVE-2013-6876 (The (1) pty_init_terminal and (2) pipe_init_terminal functions 
in ...)
        - s3d 0.2.2-9 (unimportant)
        NOTE: http://hmarco.org/bugs/s3dvt_0.2.2-root-shell.html
        NOTE: Not running with elevated privileges in Debian packaging



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a4a617b60955451d138ec501ce53ac1476718f37

_______________________________________________
Secure-testing-commits mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
