author    security tracker role <sectracker@debian.org> 2017-08-10 21:10:12 +0000
committer security tracker role <sectracker@debian.org> 2017-08-10 21:10:12 +0000
commit    fc2e2ddafb2ad4e109a9a7b0c3bb28c7bad826dc (patch)
tree      cc4bb0d0a2688b75320470f312347cedaa797548
parent    98cfdddd4c30fb2f1047a823a653100cbc091530 (diff)
automatic update
git-svn-id: svn+ssh://svn.debian.org/svn/secure-testing@54583 e39458fd-73e7-0310-bf30-c45bca0a0e42
-rw-r--r-- data/CVE/2008.list |  4
-rw-r--r-- data/CVE/2014.list | 12
-rw-r--r-- data/CVE/2016.list | 16
-rw-r--r-- data/CVE/2017.list | 82
4 files changed, 80 insertions, 34 deletions
diff --git a/data/CVE/2008.list b/data/CVE/2008.list
index a6469b9c0c..adedee6c6d 100644
--- a/data/CVE/2008.list
+++ b/data/CVE/2008.list
@@ -13819,9 +13819,9 @@ CVE-2008-1423 (Integer overflow in a certain quantvals and quantlist calculation
[squeeze] - libvorbisidec <no-dsa> (Minor issue, no dev-deps)
- libvorbis 1.2.0.dfsg-3.1 (bug #482518)
CVE-2008-1422
- RESERVED
+ REJECTED
CVE-2008-1421
- RESERVED
+ REJECTED
CVE-2008-1420 (Integer overflow in residue partition value (aka partvals) evaluation ...)
{DSA-1591-1}
- libvorbisidec <not-affected> (Vulnerable code not present)
diff --git a/data/CVE/2014.list b/data/CVE/2014.list
index 7651218878..f301521c3a 100644
--- a/data/CVE/2014.list
+++ b/data/CVE/2014.list
@@ -25295,16 +25295,14 @@ CVE-2014-0147
- qemu-kvm <removed>
[squeeze] - qemu <end-of-life> (Unsupported in squeeze-lts)
[squeeze] - qemu-kvm <end-of-life> (Unsupported in squeeze-lts)
-CVE-2014-0146
- RESERVED
+CVE-2014-0146 (The qcow2_open function in the (block/qcow2.c) in QEMU before 1.7.2 ...)
{DSA-3045-1 DSA-3044-1}
- qemu 2.0.0+dfsg-1 (bug #742730)
- qemu-kvm <removed>
[squeeze] - qemu <end-of-life> (Unsupported in squeeze-lts)
[squeeze] - qemu-kvm <end-of-life> (Unsupported in squeeze-lts)
NOTE: Upstream commit: http://git.qemu.org/?p=qemu.git;a=commit;h=11b128f4062dd7f89b14abc8877ff20d41b28be9
-CVE-2014-0145
- RESERVED
+CVE-2014-0145 (Multiple buffer overflows in QEMU before 1.7.2 and 2.x before 2.0.0, ...)
{DSA-3045-1 DSA-3044-1}
- qemu 2.0.0+dfsg-1 (bug #742730)
- qemu-kvm <removed>
@@ -25317,15 +25315,13 @@ CVE-2014-0144
- qemu-kvm <removed>
[squeeze] - qemu <end-of-life> (Unsupported in squeeze-lts)
[squeeze] - qemu-kvm <end-of-life> (Unsupported in squeeze-lts)
-CVE-2014-0143
- RESERVED
+CVE-2014-0143 (Multiple integer overflows in the block drivers in QEMU, possibly ...)
{DSA-3045-1 DSA-3044-1}
- qemu 2.0.0+dfsg-1 (bug #742730)
- qemu-kvm <removed>
[squeeze] - qemu <end-of-life> (Unsupported in squeeze-lts)
[squeeze] - qemu-kvm <end-of-life> (Unsupported in squeeze-lts)
-CVE-2014-0142
- RESERVED
+CVE-2014-0142 (QEMU, possibly before 2.0.0, allows local users to cause a denial of ...)
{DSA-3045-1 DSA-3044-1}
- qemu 2.0.0+dfsg-1 (bug #742730)
- qemu-kvm <removed>
diff --git a/data/CVE/2016.list b/data/CVE/2016.list
index fa7ae9801b..1cff7b825c 100644
--- a/data/CVE/2016.list
+++ b/data/CVE/2016.list
@@ -5442,8 +5442,7 @@ CVE-2016-8740 (The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4
[jessie] - apache2 <not-affected> (Vulnerable code not present)
[wheezy] - apache2 <not-affected> (Vulnerable code not present)
NOTE: HTTP/2 support introduced in 2.4.17
-CVE-2016-8739
- RESERVED
+CVE-2016-8739 (The JAX-RS module in Apache CXF prior to 3.0.12 and 3.1.x prior to ...)
NOT-FOR-US: Apache CXF
CVE-2016-8738
RESERVED
@@ -11028,8 +11027,7 @@ CVE-2016-6814
[jessie] - groovy2 2.2.2+dfsg-3+deb8u2
CVE-2016-6813
RESERVED
-CVE-2016-6812
- RESERVED
+CVE-2016-6812 (The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x ...)
NOT-FOR-US: Apache CXF
CVE-2016-6811
REJECTED
@@ -11099,8 +11097,7 @@ CVE-2016-6796 [Apache Tomcat Security Manager Bypass]
NOTE: Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1758496 (6.0.x)
CVE-2016-6795
RESERVED
-CVE-2016-6794 [Apache Tomcat System Property Disclosure]
- RESERVED
+CVE-2016-6794 (When a SecurityManager is configured, a web application's ability to ...)
{DSA-3721-1 DSA-3720-1 DLA-729-1 DLA-728-1}
- tomcat8 8.0.37-1 (low)
- tomcat7 7.0.72-1 (low; bug #842664)
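Review bot: the replaced header line drops the local bracketed title `[Apache Tomcat System Property Disclosure]` in favour of the imported MITRE text, and the same happens to `[Apache Tomcat Security Manager Bypass]` on CVE-2016-5018 and `[Apache Tomcat Realm Timing Attack]` on CVE-2016-0762 further down. Those short titles were the only place the issue class was named at a glance, since the imported text is truncated to "When a SecurityManager is configured, a web application's ability to ...", so consider preserving them as a NOTE line when the automatic import overwrites the header.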
@@ -17012,8 +17009,7 @@ CVE-2016-5020 (F5 BIG-IP before 12.0.0 HF3 allows remote authenticated users to
NOT-FOR-US: BIG-IP
CVE-2016-5019 (CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through ...)
NOT-FOR-US: Apache MyFaces Trinidad
-CVE-2016-5018 [Apache Tomcat Security Manager Bypass]
- RESERVED
+CVE-2016-5018 (In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to ...)
{DSA-3721-1 DSA-3720-1 DLA-729-1 DLA-728-1}
- tomcat8 8.0.37-1 (low)
- tomcat7 7.0.72-1 (low; bug #842663)
@@ -25592,6 +25588,7 @@ CVE-2016-2088 (resolver.c in named in ISC BIND 9.10.x before 9.10.3-P4, when DNS
- bind9 <not-affected> (Introduced in Bind 9.10)
NOTE: https://kb.isc.org/article/AA-01351
CVE-2016-2087 (Directory traversal vulnerability in the client in HexChat 2.11.0 ...)
+ {DLA-1050-1}
- xchat 2.8.8-10
[jessie] - xchat <no-dsa> (Minor issue)
- hexchat 2.12.4-4 (bug #852275)
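Review bot: `{DLA-1050-1}` is added to CVE-2016-2087 while the entry still carries `[jessie] - xchat <no-dsa> (Minor issue)`. A DLA at this date is a wheezy LTS update, so the jessie annotation can stand, but it is worth confirming that the DLA covers xchat and not hexchat, since both source packages are listed under this CVE and only xchat has the no-dsa marker.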
@@ -29377,8 +29374,7 @@ CVE-2016-0763 (The setGlobalContext method in ...)
- tomcat6 6.0.41-3
NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs
NOTE: Fixed in 6.0.45, 7.0.68, 8.0.32, 9.0.0.M3
-CVE-2016-0762 [Apache Tomcat Realm Timing Attack]
- RESERVED
+CVE-2016-0762 (The Realm implementations in Apache Tomcat versions 9.0.0.M1 to ...)
{DSA-3721-1 DSA-3720-1 DLA-729-1 DLA-728-1}
- tomcat8 8.0.37-1 (low)
- tomcat7 7.0.72-1 (low; bug #842662)
diff --git a/data/CVE/2017.list b/data/CVE/2017.list
index 3ca306ae77..1075383bea 100644
--- a/data/CVE/2017.list
+++ b/data/CVE/2017.list
@@ -1,9 +1,54 @@
+CVE-2017-12799 (The elf_read_notesfunction in bfd/elf.c in GNU Binutils 2.29 allows ...)
+ TODO: check
+CVE-2017-12798 (Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via the q ...)
+ TODO: check
+CVE-2017-12797
+ RESERVED
+CVE-2017-12796
+ RESERVED
+CVE-2017-12795
+ RESERVED
+CVE-2017-12794
+ RESERVED
+CVE-2017-12793
+ RESERVED
+CVE-2017-12792
+ RESERVED
+CVE-2017-12791
+ RESERVED
+CVE-2017-12790
+ RESERVED
+CVE-2017-12789
+ RESERVED
+CVE-2017-12788
+ RESERVED
+CVE-2017-12787
+ RESERVED
+CVE-2017-12786
+ RESERVED
+CVE-2017-12785
+ RESERVED
+CVE-2017-12784
+ RESERVED
+CVE-2017-12783
+ RESERVED
+CVE-2017-12782
+ RESERVED
+CVE-2017-12781
+ RESERVED
+CVE-2017-12780
+ RESERVED
+CVE-2017-12779
+ RESERVED
+CVE-2017-12778
+ RESERVED
CVE-2017-1000112 [Exploitable memory corruption due to UFO to non-UFO path switch]
- linux <unfixed> (low)
NOTE: Introduced by: https://git.kernel.org/linus/e89e9cf539a28df7d0eb1d0a545368e9920b34ac (2.6.15-rc1)
NOTE: Fixed by: https://git.kernel.org/linus/85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa
NOTE: Harmless in Debian since unprivileged user namespaces are disabled
CVE-2017-1000117
+ {DSA-3934-1}
- git 1:2.14.1-1
NOTE: https://public-inbox.org/git/xmqqh8xf482j.fsf@gitster.mtv.corp.google.com/T/#u
CVE-2017-1000116 [command injection on clients through malicious ssh URLs]
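Review bot: CVE-2017-12799 (GNU Binutils 2.29) is added with only `TODO: check`; binutils is a Debian source package, so this entry needs a src:binutils status line in a follow-up rather than staying in the TODO queue, and CVE-2017-12798 (NexusPHP) should be checked for whether the software is packaged at all and marked NOT-FOR-US if it is not. The run-together `elf_read_notesfunction` in the description is the imported MITRE text and should stay verbatim. The `{DSA-3934-1}` reference added to CVE-2017-1000117 is consistent with the `git 1:2.14.1-1` fix line directly below it.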
@@ -3941,6 +3986,7 @@ CVE-2017-11175
CVE-2017-11174 (In install/page_dbsettings.php in the Core distribution of XOOPS ...)
NOT-FOR-US: XOOPS
CVE-2017-11173 (Missing anchor in generated regex for rack-cors before 0.4.1 allows a ...)
+ {DSA-3931-1}
- ruby-rack-cors 0.4.1-1
[jessie] - ruby-rack-cors <not-affected> (Vulnerable code not present)
CVE-2017-11172
@@ -4680,6 +4726,7 @@ CVE-2017-10984 (An FR-GV-301 issue in FreeRADIUS 3.x before 3.0.15 allows &quot;
NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/931850e5d2f65193520c2d9c9878148c0cdc16a6
NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/4b059296e14b6ab75dc17163077490528a819806
CVE-2017-10983 (An FR-GV-206 issue in FreeRADIUS 2.x before 2.2.10 and 3.x before ...)
+ {DSA-3930-1}
- freeradius 3.0.15+dfsg-1 (bug #868765)
NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-206
NOTE: 2.x: https://github.com/FreeRADIUS/freeradius-server/commit/ec08b30f87066f82073d02fab57e8ffeef81373d
@@ -4717,6 +4764,7 @@ CVE-2017-10979 (An FR-GV-202 issue in FreeRADIUS 2.x before 2.2.10 allows &quot;
NOTE: This is not fully technically correct, the issue affects only the 2.x
NOTE: series but not 3.x.
CVE-2017-10978 (An FR-GV-201 issue in FreeRADIUS 2.x before 2.2.10 and 3.x before ...)
+ {DSA-3930-1}
- freeradius 3.0.15+dfsg-1 (bug #868765)
NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-201
NOTE: 2.x: https://github.com/FreeRADIUS/freeradius-server/commit/38ee90f2a5a28dc5887a30bdfdc98109c0418e68
@@ -6156,6 +6204,7 @@ CVE-2017-9801 (When a call-site passes a subject for an email that contains ...)
NOT-FOR-US: Apache commons email
CVE-2017-9800 [Arbitrary code execution on clients through malicious svn+ssh URLs in svn:externals and svn:sync-from-url]
RESERVED
+ {DSA-3932-1}
- subversion 1.9.7-1
NOTE: Fixed by: http://svn.apache.org/viewvc?view=revision&amp;sortby=rev&amp;revision=1804691
NOTE: http://subversion.apache.org/security/CVE-2017-9800-advisory.txt
@@ -8852,10 +8901,12 @@ CVE-2017-9358 (A memory exhaustion vulnerability exists in Asterisk Open Source
[wheezy] - asterisk <not-affected> (Vulnerable code not present)
NOTE: http://downloads.asterisk.org/pub/security/AST-2017-004.txt
CVE-2017-9359 (The multi-part body parser in PJSIP, as used in Asterisk Open Source ...)
+ {DSA-3933-1}
- pjproject 2.5.5~dfsg-6 (bug #863902)
NOTE: http://downloads.asterisk.org/pub/security/AST-2017-003.txt
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-26939
CVE-2017-9372 (PJSIP, as used in Asterisk Open Source 13.x before 13.15.1 and 14.x ...)
+ {DSA-3933-1}
- pjproject 2.5.5~dfsg-6 (bug #863901)
NOTE: http://downloads.asterisk.org/pub/security/AST-2017-002.txt
CVE-2017-9355 (XML external entity (XXE) vulnerability in the import playlist feature ...)
@@ -11125,8 +11176,8 @@ CVE-2017-8520 (Microsoft Edge in Windows 10 1703 allows an attacker to execute .
NOT-FOR-US: Microsoft
CVE-2017-8519 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and ...)
NOT-FOR-US: Microsoft
-CVE-2017-8518
- RESERVED
+CVE-2017-8518 (Microsoft Edge allows a remote code execution vulnerability due to the ...)
+ TODO: check
CVE-2017-8517 (Microsoft browsers in Microsoft Windows Server 2008 SP2 and R2 SP1, ...)
NOT-FOR-US: Microsoft
CVE-2017-8516 (Microsoft SQL Server Analysis Services in Microsoft SQL Server 2012, ...)
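Review bot: CVE-2017-8518 is left at `TODO: check` although its new description names Microsoft Edge; the neighbouring entries CVE-2017-8519 and CVE-2017-8517 are both `NOT-FOR-US: Microsoft`, so the TODO line should become `NOT-FOR-US: Microsoft` to keep the triage queue clean.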
@@ -13927,6 +13978,7 @@ CVE-2017-7549
RESERVED
CVE-2017-7548 [lo_put() function ignores ACLs]
RESERVED
+ {DSA-3936-1 DSA-3935-1}
- postgresql-9.6 9.6.4-1
- postgresql-9.4 <removed>
- postgresql-9.1 <removed>
@@ -13935,6 +13987,7 @@ CVE-2017-7548 [lo_put() function ignores ACLs]
NOTE: https://www.postgresql.org/about/news/1772/
CVE-2017-7547 [The "pg_user_mappings" catalog view discloses passwords to users lacking server privileges]
RESERVED
+ {DSA-3936-1 DSA-3935-1}
- postgresql-9.6 9.6.4-1
- postgresql-9.4 <removed>
- postgresql-9.1 <removed>
@@ -13943,6 +13996,7 @@ CVE-2017-7547 [The "pg_user_mappings" catalog view discloses passwords to users
NOTE: https://www.postgresql.org/about/news/1772/
CVE-2017-7546 [Empty password accepted in some authentication methods]
RESERVED
+ {DSA-3936-1 DSA-3935-1}
- postgresql-9.6 9.6.4-1
- postgresql-9.4 <removed>
- postgresql-9.1 <removed>
@@ -25537,8 +25591,7 @@ CVE-2017-3157
{DSA-3792-1 DLA-910-1}
- libreoffice 1:5.2.3-1
NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2017-3157/
-CVE-2017-3156
- RESERVED
+CVE-2017-3156 (The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to ...)
NOT-FOR-US: Apache CXF
CVE-2017-3155
RESERVED
@@ -26131,6 +26184,7 @@ CVE-2017-2886
RESERVED
CVE-2017-2885 [stack based buffer overflow with HTTP Chunked Encoding]
RESERVED
+ {DSA-3929-1}
- libsoup2.4 2.56.1-1 (bug #871650)
[wheezy] - libsoup2.4 <not-affected> (Vulnerable code not present)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=785774
@@ -29387,8 +29441,8 @@ CVE-2017-1433
RESERVED
CVE-2017-1432
RESERVED
-CVE-2017-1431
- RESERVED
+CVE-2017-1431 (IBM InfoSphere Streams 4.0, 4.1, and 4.2 is vulnerable to cross-site ...)
+ TODO: check
CVE-2017-1430
RESERVED
CVE-2017-1429
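Review bot: CVE-2017-1431 (IBM InfoSphere Streams) gets `TODO: check` while the surrounding IBM entries use `NOT-FOR-US: IBM`; the same applies to CVE-2017-1377 (IBM Runbook Automation), CVE-2017-1192 and CVE-2017-1174 (IBM Sterling B2B Integrator) and CVE-2017-1168 (IBM Rational Engineering Lifecycle Manager) in the hunks below. All five should be resolved to `NOT-FOR-US: IBM` rather than left as TODO items.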
@@ -29495,8 +29549,8 @@ CVE-2017-1379 (IBM API Connect 5.0.0.0 could allow a remote attacker to obtain .
NOT-FOR-US: IBM
CVE-2017-1378
RESERVED
-CVE-2017-1377
- RESERVED
+CVE-2017-1377 (IBM Runbook Automation reveals sensitive information in error messages ...)
+ TODO: check
CVE-2017-1376
RESERVED
CVE-2017-1375
@@ -29865,8 +29919,8 @@ CVE-2017-1194 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulner
NOT-FOR-US: IBM
CVE-2017-1193 (IBM Sterling B2B Integrator Standard Edition 5.2 could allow user to ...)
NOT-FOR-US: IBM
-CVE-2017-1192
- RESERVED
+CVE-2017-1192 (IBM Sterling B2B Integrator 5.2 is vulnerable to an XML External ...)
+ TODO: check
CVE-2017-1191
RESERVED
CVE-2017-1190
@@ -29901,8 +29955,8 @@ CVE-2017-1176 (IBM Maximo Asset Management 7.1, 7.5, and 7.6 could allow a local
NOT-FOR-US: IBM
CVE-2017-1175 (IBM Maximo Asset Management 7.1, 7.5, and 7.6 is vulnerable to SQL ...)
NOT-FOR-US: IBM
-CVE-2017-1174
- RESERVED
+CVE-2017-1174 (IBM Sterling B2B Integrator Standard Edition 5.2 is vulnerable to SQL ...)
+ TODO: check
CVE-2017-1173
RESERVED
CVE-2017-1172
@@ -29913,8 +29967,8 @@ CVE-2017-1170 (IBM WebSphere Commerce Enterprise, Professional, Express, and ...
NOT-FOR-US: IBM
CVE-2017-1169
RESERVED
-CVE-2017-1168
- RESERVED
+CVE-2017-1168 (IBM Rational Engineering Lifecycle Manager 4.0, 5.0, and 6.0 is ...)
+ TODO: check
CVE-2017-1167
RESERVED
CVE-2017-1166
