author Moritz Muehlenhoff <jmm@debian.org> 2020-03-24 08:30:59 +0100
committer Moritz Muehlenhoff <jmm@debian.org> 2020-03-24 08:30:59 +0100
commit ed1fe5a2b9c596491569fbcc69cba2a7aa19d8c9
tree 5eafb59dfd2abe31a2f643f2bac6096f975eec13
parent 0cd8bb1dc185ac65c5653efc2a03f1da606f3e4d
"new" ruby issue, "new" bitcoin issues, NFUs
-rw-r--r-- data/CVE/2011.list 2
-rw-r--r-- data/CVE/2013.list 4
-rw-r--r-- data/CVE/2014.list 6
-rw-r--r-- data/CVE/2015.list 2
-rw-r--r-- data/CVE/2016.list 7
-rw-r--r-- data/CVE/2017.list 6
-rw-r--r-- data/CVE/2018.list 8
7 files changed, 19 insertions, 16 deletions
diff --git a/data/CVE/2011.list b/data/CVE/2011.list
index 8a77a28600..257b1a3d42 100644
--- a/data/CVE/2011.list
+++ b/data/CVE/2011.list
@@ -5149,7 +5149,7 @@ CVE-2011-3271 (Unspecified vulnerability in the Smart Install functionality in C
CVE-2011-3270 (Unspecified vulnerability in Cisco IOS 12.2SB before 12.2(33)SB10 and ...)
NOT-FOR-US: Cisco
CVE-2011-3269 (Lexmark X, W, T, E, C, 6500e, and 25xxN devices before 2011-11-15 allo ...)
- TODO: check
+ NOT-FOR-US: Lexmark
CVE-2011-3268 (Buffer overflow in the crypt function in PHP before 5.3.7 allows conte ...)
- php5 5.3.8-1
[squeeze] - php5 <not-affected> (Only affected 5.3.7)
diff --git a/data/CVE/2013.list b/data/CVE/2013.list
index 994791adef..5257bd1b1c 100644
--- a/data/CVE/2013.list
+++ b/data/CVE/2013.list
@@ -6166,7 +6166,7 @@ CVE-2013-5108 (Multiple cross-site scripting (XSS) vulnerabilities in the xn fun
CVE-2013-5107 (Directory traversal vulnerability in RockMongo 1.1.5 and earlier allow ...)
- rockmongo <itp> (bug #702961)
CVE-2013-5106 (A Code Execution vulnerability exists in select.py when using python-m ...)
- TODO: check
+ NOT-FOR-US: python vim mode, different from src:python-mode, which is for a nicer editor
CVE-2013-5105
RESERVED
CVE-2013-5104
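Review bot: The NOT-FOR-US text added for CVE-2013-5106 is ambiguous: in "python vim mode, different from src:python-mode, which is for a nicer editor" the "which" clause can be read as describing either package, and it never names the editor that src:python-mode targets. Suggest naming the affected product plainly and stating the editor for src:python-mode explicitly, so that someone grepping the list later can tell why the Debian package is unaffected.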
@@ -10179,7 +10179,7 @@ CVE-2013-3630 (Moodle through 2.5.2 allows remote authenticated administrators t
CVE-2013-3629 (ISPConfig 3.0.5.2 has Arbitrary PHP Code Execution ...)
NOT-FOR-US: ISPConfig
CVE-2013-3628 (Zabbix 2.0.9 has an Arbitrary Command Execution Vulnerability ...)
- TODO: check
+ NOTE: Historic Zabbix issue
CVE-2013-3627 (FrameworkService.exe in McAfee Framework Service in McAfee Managed Age ...)
NOT-FOR-US: McAfee
CVE-2013-3626 (Directory traversal vulnerability in the Session Server in Attachmate ...)
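Review bot: CVE-2013-3628 is left without any status line: the TODO is replaced only by "NOTE: Historic Zabbix issue", so the entry carries neither a package line nor a NOT-FOR-US tag, unlike every other entry resolved in this commit. If the issue is fixed in the Debian package, add a "- zabbix <version>" line with the first fixed version (the description names 2.0.9 as affected). The NOTE would also be more useful if it said why the issue is considered historic.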
diff --git a/data/CVE/2014.list b/data/CVE/2014.list
index 9e697f5902..9526615b5c 100644
--- a/data/CVE/2014.list
+++ b/data/CVE/2014.list
@@ -20007,11 +20007,11 @@ CVE-2014-2725
CVE-2014-2724
RESERVED
CVE-2014-2723 (In FortiBalancer 400, 1000, 2000 and 3000, a platform-specific remote ...)
- TODO: check
+ NOT-FOR-US: Fortinet
CVE-2014-2722 (In FortiBalancer 400, 1000, 2000 and 3000, a platform-specific remote ...)
- TODO: check
+ NOT-FOR-US: Fortinet
CVE-2014-2721 (In FortiBalancer 400, 1000, 2000 and 3000, a platform-specific remote ...)
- TODO: check
+ NOT-FOR-US: Fortinet
CVE-2014-2720 (IZArc 4.1.8 displays a file's name on the basis of a ZIP archive's Cen ...)
NOT-FOR-US: IZArc Archiver
CVE-2014-2719 (Advanced_System_Content.asp in the ASUS RT series routers with firmwar ...)
diff --git a/data/CVE/2015.list b/data/CVE/2015.list
index 0741918951..b551bd8f1b 100644
--- a/data/CVE/2015.list
+++ b/data/CVE/2015.list
@@ -16798,7 +16798,7 @@ CVE-2015-3643 (usb-creator before 0.2.38.3ubuntu0.1 on Ubuntu 12.04 LTS, before
CVE-2015-3642 (The TLS and DTLS processing functionality in Citrix NetScaler Applicat ...)
NOT-FOR-US: Citrix
CVE-2015-3641 (bitcoind and Bitcoin-Qt prior to 0.10.2 allow attackers to cause a den ...)
- TODO: check
+ - bitcoin 0.10.2-1
CVE-2015-3640 (phpMyBackupPro 2.5 and earlier does not properly escape the "." charac ...)
NOT-FOR-US: phpMyBackupPro
CVE-2015-3639 (phpMyBackupPro 2.5 and earlier does not properly sanitize input string ...)
diff --git a/data/CVE/2016.list b/data/CVE/2016.list
index 889acfabe9..632beed3ba 100644
--- a/data/CVE/2016.list
+++ b/data/CVE/2016.list
@@ -12028,7 +12028,7 @@ CVE-2016-6920 (Heap-based buffer overflow in the decode_block function in libavc
CVE-2016-6919
RESERVED
CVE-2016-6918 (Lexmark Markvision Enterprise (MVE) before 2.4.1 allows remote attacke ...)
- TODO: check
+ NOT-FOR-US: Lexmark
CVE-2016-6917 (Buffer overflow in nvhost_job.c in the NVIDIA video driver for Android ...)
NOT-FOR-US: Nvidia driver for Android
CVE-2016-6916 (Integer overflow in nvhost_job.c in the NVIDIA video driver for Androi ...)
@@ -25874,7 +25874,10 @@ CVE-2016-2339 (An exploitable heap overflow vulnerability exists in the Fiddle::
NOTE: Fixed by: https://github.com/ruby/ruby/commit/de577357e80fa15f5cf13a81aa3decc783ea929e
NOTE: Fixed by: https://github.com/ruby/ruby/commit/4977af3c3d54d27167bfc237f1b2802c40bddc10
CVE-2016-2338 (An exploitable heap overflow vulnerability exists in the Psych::Emitte ...)
- TODO: check
+ - ruby2.3 2.3.0-1
+ - ruby2.1 <removed>
+ NOTE: https://talosintelligence.com/reports/TALOS-2016-0032
+ NOTE: https://git.ruby-lang.org/ruby.git/commit/?id=db48c307944a9a18877236bdf9e9b778875f38ed
CVE-2016-2337 (Type confusion exists in _cancel_eval Ruby's TclTkIp class method. Att ...)
{DLA-1480-1}
- ruby2.3 2.3.0-1
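Review bot: The commit link added for CVE-2016-2338 is not labelled as the fix, while the CVE-2016-2339 entry directly above uses "NOTE: Fixed by: <url>" for its commits. If db48c307944a9a18877236bdf9e9b778875f38ed is the fixing commit, write the line as "NOTE: Fixed by: https://git.ruby-lang.org/ruby.git/commit/?id=db48c307944a9a18877236bdf9e9b778875f38ed" so it is distinguishable from the Talos report link and consistent with the neighbouring entry.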
diff --git a/data/CVE/2017.list b/data/CVE/2017.list
index de379c2d1c..1fb7de2106 100644
--- a/data/CVE/2017.list
+++ b/data/CVE/2017.list
@@ -663,7 +663,7 @@ CVE-2017-18352 (Error reporting within Rendertron 1.0.0 allows reflected Cross S
CVE-2017-18351
RESERVED
CVE-2017-18350 (bitcoind and Bitcoin-Qt prior to 0.15.1 have a stack-based buffer over ...)
- TODO: check
+ - bitcoin 0.15.1~dfsg-1
CVE-2017-18349 (parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pi ...)
NOT-FOR-US: FastjsonEngine
CVE-2017-18348 (Splunk Enterprise 6.6.x, when configured to run as root but drop privi ...)
@@ -16824,7 +16824,7 @@ CVE-2017-12843 (Cyrus IMAP before 3.0.3 allows remote authenticated users to wri
- cyrus-imapd-2.4 <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/cyrusimap/cyrus-imapd/commit/d734a23122155f3522a8cb6aef118223aa73cde0
CVE-2017-12842 (Bitcoin Core before 0.14 allows an attacker to create an ostensibly va ...)
- TODO: check
+ - bitcoin 0.14.2~dfsg-1~exp2
CVE-2017-12841
RESERVED
CVE-2017-12840 (A kernel driver, namely DLMFENC.sys, bundled with the DESLock+ client ...)
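Review bot: The fixed version recorded for CVE-2017-12842, "- bitcoin 0.14.2~dfsg-1~exp2", does not line up with the description, which says the issue affects Bitcoin Core before 0.14. If that upload is simply the first one in the archive based on 0.14 or later, a NOTE saying so would explain the gap; otherwise the version should be rechecked against the upstream fix.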
@@ -22318,7 +22318,7 @@ CVE-2017-10994 (Foxit Reader before 8.3.1 and PhantomPDF before 8.3.1 have an Ar
CVE-2017-10993 (Contao before 3.5.28 and 4.x before 4.4.1 allows remote attackers to i ...)
NOT-FOR-US: Contao
CVE-2017-10992 (In HPE Storage Essentials 9.5.0.142, there is Unauthenticated Java Des ...)
- TODO: check
+ NOT-FOR-US: HPE
CVE-2017-10991 (The WP Statistics plugin through 12.0.9 for WordPress has XSS in the r ...)
NOT-FOR-US: Wordpress plugin
CVE-2017-10990
diff --git a/data/CVE/2018.list b/data/CVE/2018.list
index a1cf06ed92..63aff9b9ee 100644
--- a/data/CVE/2018.list
+++ b/data/CVE/2018.list
@@ -21041,13 +21041,13 @@ CVE-2018-13065 (** DISPUTED ** ModSecurity 3.0.0 has XSS via an onerror attribut
CVE-2018-13064
RESERVED
CVE-2018-13063 (Easy!Appointments 1.3.0 has a Missing Authorization issue allowing ret ...)
- TODO: check
+ NOT-FOR-US: Easy!Appointments
CVE-2018-13062
RESERVED
CVE-2018-13061
RESERVED
CVE-2018-13060 (Easy!Appointments 1.3.0 has a Guessable CAPTCHA issue. ...)
- TODO: check
+ NOT-FOR-US: Easy!Appointments
CVE-2018-13059
RESERVED
CVE-2018-13058
@@ -27739,7 +27739,7 @@ CVE-2018-10706 (An integer overflow in the transferMulti function of a smart con
CVE-2018-10705 (The Owned smart contract implementation for Aurora DAO (AURA), an Ethe ...)
NOT-FOR-US: Aurora DAD
CVE-2018-10704 (yidashi yii2cmf 2.0 has XSS via the /search q parameter. ...)
- TODO: check
+ NOT-FOR-US: yidashi yii2cmf
CVE-2018-10703 (An issue was discovered on Moxa AWK-3121 1.14 devices. It provides fun ...)
NOT-FOR-US: Moxa
CVE-2018-10702 (An issue was discovered on Moxa AWK-3121 1.14 devices. It provides fun ...)
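Review bot: The context line under CVE-2018-10705 reads "NOT-FOR-US: Aurora DAD" while the description on the line above it says "Aurora DAO". This commit does not touch that line, but since the adjacent CVE-2018-10704 entry is being edited here, the typo is worth correcting in the same pass so that searches for the product name match.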
@@ -29177,7 +29177,7 @@ CVE-2018-10126 (LibTIFF 4.0.9 has a NULL pointer dereference in the jpeg_fdct_16
NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2786
NOTE: Crash in CLI tool, no security impact
CVE-2018-10125 (Contao before 4.5.7 has XSS in the system log. ...)
- TODO: check
+ NOT-FOR-US: Contao
CVE-2018-10123 (p910nd on Inteno IOPSYS 2.0 through 4.2.0 allows remote attackers to r ...)
NOT-FOR-US: p910nd on Inteno IOPSYS
CVE-2018-10122 (QingDao Nature Easy Soft Chanzhi Enterprise Portal System (aka chanzhi ...)
