CVE-2017-20001 (The AES encryption project 7.x and 8.x for Drupal does not sufficientl ...)
	NOT-FOR-US: AES encryption project for Drupal
CVE-2017-18926 (raptor_xml_writer_start_element_common in raptor_xml_writer.c in Rapto ...)
	{DSA-4785-1 DLA-2438-1}
	- raptor
	- raptor2 2.0.14-1.1 (bug #973889)
	NOTE: Fixed by: https://github.com/dajobe/raptor/commit/590681e546cd9aa18d57dc2ea1858cb734a3863f
	NOTE: https://www.openwall.com/lists/oss-security/2017/06/07/1
CVE-2017-18925 (opentmpfiles through 0.3.1 allows local users to take ownership of arb ...)
	- opentmpfiles (bug #973242)
	NOTE: https://github.com/OpenRC/opentmpfiles/issues/4
CVE-2017-18924 (** DISPUTED ** oauth2-server (aka node-oauth2-server) through 3.1.1 im ...)
	NOT-FOR-US: node-oauth2-server
CVE-2017-18923 (beroNet VoIP Gateways before 3.0.16 have a PHP script that allows down ...)
	NOT-FOR-US: beroNet
CVE-2017-18922 (It was discovered that websockets.c in LibVNCServer prior to 0.9.12 di ...)
	- libvncserver 0.9.12+dfsg-3
	[buster] - libvncserver (Required change too invasive, minor issue)
	[stretch] - libvncserver (Required change too invasive, minor issue)
	NOTE: https://github.com/LibVNC/libvncserver/commit/aac95a9dcf4bbba87b76c72706c3221a842ca433
	NOTE: https://www.openwall.com/lists/oss-security/2020/06/30/2
CVE-2017-18921 (An issue was discovered in Mattermost Server before 3.6.0 and 3.5.2. X ...)
	NOT-FOR-US: Mattermost
CVE-2017-18920 (An issue was discovered in Mattermost Server before 3.6.2. The WebSock ...)
	NOT-FOR-US: Mattermost
CVE-2017-18919 (An issue was discovered in Mattermost Server before 3.7.0 and 3.6.3. A ...)
	NOT-FOR-US: Mattermost
CVE-2017-18918 (An issue was discovered in Mattermost Server before 3.7.3 and 3.6.5. A ...)
	NOT-FOR-US: Mattermost
CVE-2017-18917 (An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18916 (An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18915 (An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18914 (An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18913 (An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18912 (An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18911 (An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18910 (An issue was discovered in Mattermost Server before 3.8.2, 3.7.5, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18909 (An issue was discovered in Mattermost Server before 3.9.0 when SAML is ...)
	NOT-FOR-US: Mattermost
CVE-2017-18908 (An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18907 (An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18906 (An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18905 (An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18904 (An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18903 (An issue was discovered in Mattermost Server before 4.0.0, 3.10.2, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18902 (An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18901 (An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18900 (An issue was discovered in Mattermost Server before 4.1.0, 4.0.4, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18899 (An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18898 (An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18897 (An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18896 (An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18895 (An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18894 (An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18893 (An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18892 (An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18891 (An issue was discovered in Mattermost Server before 4.2.0, 4.1.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18890 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18889 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18888 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18887 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18886 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18885 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18884 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18883 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18882 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18881 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18880 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18879 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18878 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18877 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18876 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18875 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18874 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18873 (An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18872 (An issue was discovered in Mattermost Server before 4.4.3 and 4.3.3. A ...)
	NOT-FOR-US: Mattermost
CVE-2017-18871 (An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, 4.3. ...)
	NOT-FOR-US: Mattermost
CVE-2017-18870 (An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and ...)
	NOT-FOR-US: Mattermost
CVE-2017-18869 (A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 co ...)
	- node-chownr 1.1.1-1 (bug #909024)
	NOTE: https://github.com/isaacs/chownr/issues/14
	NOTE: https://snyk.io/vuln/npm:chownr:20180731
CVE-2017-18868 (Digi XBee 2 devices do not have an effective protection mechanism agai ...)
	NOT-FOR-US: Digi XBee 2 devices
CVE-2017-18867 (Certain NETGEAR devices are affected by incorrect configuration of sec ...)
	NOT-FOR-US: Netgear
CVE-2017-18866 (Certain NETGEAR devices are affected by stored XSS. This affects R9000 ...)
	NOT-FOR-US: Netgear
CVE-2017-18865 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
	NOT-FOR-US: Netgear
CVE-2017-18864 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...)
	NOT-FOR-US: Netgear
CVE-2017-18863 (Certain NETGEAR devices are affected by command execution via a PHP fo ...)
	NOT-FOR-US: Netgear
CVE-2017-18862 (Certain NETGEAR devices are affected by authentication bypass. This af ...)
	NOT-FOR-US: Netgear
CVE-2017-18861 (Certain NETGEAR devices are affected by CSRF. This affects ReadyNAS Su ...)
	NOT-FOR-US: Netgear
CVE-2017-18860 (Certain NETGEAR devices are affected by debugging command execution. T ...)
	NOT-FOR-US: Netgear
CVE-2017-18859 (Certain NETGEAR devices are affected by slowdown/stoppage. This affect ...)
	NOT-FOR-US: Netgear
CVE-2017-18858 (Certain NETGEAR devices are affected by command execution. This affect ...)
	NOT-FOR-US: Netgear
CVE-2017-18857 (The NETGEAR Insight application before 2.42 for Android and iOS is aff ...)
	NOT-FOR-US: Netgear
CVE-2017-18856 (NETGEAR ReadyNAS devices before 6.6.1 are affected by command injectio ...)
	NOT-FOR-US: Netgear
CVE-2017-18855 (NETGEAR WNR854T devices before 1.5.2 are affected by command execution ...)
	NOT-FOR-US: Netgear
CVE-2017-18854 (NETGEAR ReadyNAS 6.6.1 and earlier is affected by command injection. ...)
	NOT-FOR-US: Netgear
CVE-2017-18853 (Certain NETGEAR devices are affected by password recovery and file acc ...)
	NOT-FOR-US: Netgear
CVE-2017-18852 (Certain NETGEAR devices are affected by CSRF and authentication bypass ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18851 (Certain NETGEAR devices are affected by command injection by an authen ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18850 (Certain NETGEAR devices are affected by authentication bypass. This af ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18849 (Certain NETGEAR devices are affected by command injection. This affect ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18848 (Certain NETGEAR devices are affected by CSRF. This affects R6300v2 bef ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18847 (Certain NETGEAR devices are affected by an attacker's ability to read ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18846 (Certain NETGEAR devices are affected by a stack-based buffer overflow. ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18845 (Certain NETGEAR devices are affected by disclosure of administrative c ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18844 (Certain NETGEAR devices are affected by disclosure of administrative c ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18843 (Certain NETGEAR devices are affected by disclosure of administrative c ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18842 (Certain NETGEAR devices are affected by CSRF. This affects R7300 befor ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18841 (Certain NETGEAR devices are affected by command injection. This affect ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18840 (Certain NETGEAR devices are affected by denial of service. This affect ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18839 (Certain NETGEAR devices are affected by stored XSS. This affects M4300 ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18838 (Certain NETGEAR devices are affected by privilege escalation. This aff ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18837 (Certain NETGEAR devices are affected by vertical privilege escalation. ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18836 (Certain NETGEAR devices are affected by denial of service. This affect ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18835 (Certain NETGEAR devices are affected by reflected XSS. This affects M4 ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18834 (Certain NETGEAR devices are affected by reflected XSS. This affects M4 ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18833 (Certain NETGEAR devices are affected by reflected XSS. This affects M4 ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18832 (Certain NETGEAR devices are affected by stored XSS. This affects M4300 ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18831 (Certain NETGEAR devices are affected by stored XSS. This affects M4300 ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18830 (Certain NETGEAR devices are affected by vertical privilege escalation. ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18829 (Certain NETGEAR devices are affected by vertical privilege escalation. ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18828 (Certain NETGEAR devices are affected by stored XSS. This affects M4300 ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18827 (Certain NETGEAR devices are affected by stored XSS. This affects M4300 ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18826 (Certain NETGEAR devices are affected by vertical privilege escalation. ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18825 (Certain NETGEAR devices are affected by stored XSS. This affects M4300 ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18824 (Certain NETGEAR devices are affected by directory traversal. This affe ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18823 (Certain NETGEAR devices are affected by incorrect configuration of sec ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18822 (Certain NETGEAR devices are affected by vertical privilege escalation. ...)
	NOT-FOR-US: NETGEAR
CVE-2017-18821 (Certain NETGEAR devices are affected by stored XSS. This affects M4300 ...)
	NOT-FOR-US: Netgear
CVE-2017-18820 (NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6. ...)
	NOT-FOR-US: Netgear
CVE-2017-18819 (NETGEAR ReadyNAS OS 6 devices, running ReadyNAS OS versions prior to 6 ...)
	NOT-FOR-US: Netgear
CVE-2017-18818
	RESERVED
CVE-2017-18817
	RESERVED
CVE-2017-18816 (NETGEAR ReadyNAS OS 6 devices, running ReadyNAS OS versions prior to 6 ...)
	NOT-FOR-US: Netgear
CVE-2017-18815 (NETGEAR ReadyNAS OS 6 devices, running ReadyNAS OS versions prior to 6 ...)
	NOT-FOR-US: Netgear
CVE-2017-18814 (NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6. ...)
	NOT-FOR-US: Netgear
CVE-2017-18813 (NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6. ...)
	NOT-FOR-US: Netgear
CVE-2017-18812 (NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6. ...)
	NOT-FOR-US: Netgear
CVE-2017-18811 (NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6. ...)
	NOT-FOR-US: Netgear
CVE-2017-18810 (NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6. ...)
	NOT-FOR-US: Netgear
CVE-2017-18809 (NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6. ...)
	NOT-FOR-US: Netgear
CVE-2017-18808 (NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6. ...)
	NOT-FOR-US: Netgear
CVE-2017-18807 (NETGEAR ReadyNAS OS 6 devices running ReadyNAS OS versions prior to 6. ...)
	NOT-FOR-US: Netgear
CVE-2017-18806 (Certain NETGEAR devices are affected by command injection. This affect ...)
	NOT-FOR-US: Netgear
CVE-2017-18805 (Certain NETGEAR devices are affected by command injection. This affect ...)
	NOT-FOR-US: Netgear
CVE-2017-18804 (Certain NETGEAR devices are affected by command injection. This affect ...)
	NOT-FOR-US: Netgear
CVE-2017-18803 (NETGEAR R7800 devices before 1.0.2.30 are affected by incorrect config ...)
	NOT-FOR-US: Netgear
CVE-2017-18802 (Certain NETGEAR devices are affected by command injection. This affect ...)
	NOT-FOR-US: Netgear
CVE-2017-18801 (Certain NETGEAR devices are affected by command injection. This affect ...)
	NOT-FOR-US: Netgear
CVE-2017-18800 (Certain NETGEAR devices are affected by reflected XSS. This affects R6 ...)
	NOT-FOR-US: Netgear
CVE-2017-18799 (Certain NETGEAR devices are affected by incorrect configuration of sec ...)
	NOT-FOR-US: Netgear
CVE-2017-18798 (Certain NETGEAR devices are affected by incorrect configuration of sec ...)
	NOT-FOR-US: Netgear
CVE-2017-18797 (Certain NETGEAR devices are affected by an attacker's ability to read ...)
	NOT-FOR-US: Netgear
CVE-2017-18796 (Certain NETGEAR devices are affected by command injection. This affect ...)
	NOT-FOR-US: Netgear
CVE-2017-18795 (Certain NETGEAR devices are affected by command injection. This affect ...)
	NOT-FOR-US: Netgear
CVE-2017-18794 (Certain NETGEAR devices are affected by command injection. This affect ...)
	NOT-FOR-US: Netgear
CVE-2017-18793 (NETGEAR R7800 devices before 1.0.2.36 are affected by command injectio ...)
	NOT-FOR-US: Netgear
CVE-2017-18792 (NETGEAR D6100 devices before 1.0.0.50_0.0.50 are affected by command i ...)
	NOT-FOR-US: Netgear
CVE-2017-18791 (Certain NETGEAR devices are affected by CSRF. This affects R6050/JR615 ...)
	NOT-FOR-US: Netgear
CVE-2017-18790 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...)
	NOT-FOR-US: Netgear
CVE-2017-18789 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...)
	NOT-FOR-US: Netgear
CVE-2017-18788 (Certain NETGEAR devices are affected by command injection by an authen ...)
	NOT-FOR-US: Netgear
CVE-2017-18787 (Certain NETGEAR devices are affected by command injection. This affect ...)
	NOT-FOR-US: Netgear
CVE-2017-18786 (Certain NETGEAR devices are affected by command injection. This affect ...)
	NOT-FOR-US: Netgear
CVE-2017-18785 (Certain NETGEAR devices are affected by XSS. This affects D3600 before ...)
	NOT-FOR-US: Netgear
CVE-2017-18784 (Certain NETGEAR devices are affected by XSS. This affects D6200 before ...)
	NOT-FOR-US: Netgear
CVE-2017-18783 (Certain NETGEAR devices are affected by XSS. This affects D6200 before ...)
	NOT-FOR-US: Netgear
CVE-2017-18782 (Certain NETGEAR devices are affected by CSRF. This affects D6200 befor ...)
	NOT-FOR-US: Netgear
CVE-2017-18781 (Certain NETGEAR devices are affected by CSRF. This affects D6200 befor ...)
	NOT-FOR-US: Netgear
CVE-2017-18780 (Certain NETGEAR devices are affected by denial of service. This affect ...)
	NOT-FOR-US: Netgear
CVE-2017-18779 (Certain NETGEAR devices are affected by a buffer overflow. This affect ...)
	NOT-FOR-US: Netgear
CVE-2017-18778 (Certain NETGEAR devices are affected by incorrect configuration of sec ...)
	NOT-FOR-US: Netgear
CVE-2017-18777 (Certain NETGEAR devices are affected by administrative password disclo ...)
	NOT-FOR-US: Netgear
CVE-2017-18776 (Certain NETGEAR devices are affected by authentication bypass. This af ...)
	NOT-FOR-US: Netgear
CVE-2017-18775 (Certain NETGEAR devices are affected by CSRF. This affects R6100 befor ...)
	NOT-FOR-US: Netgear
CVE-2017-18774
	REJECTED
CVE-2017-18773 (Certain NETGEAR devices are affected by command injection by an authen ...)
	NOT-FOR-US: Netgear
CVE-2017-18772 (Certain NETGEAR devices are affected by authentication bypass. This af ...)
	NOT-FOR-US: Netgear
CVE-2017-18771
	REJECTED
CVE-2017-18770 (Certain NETGEAR devices are affected by a buffer overflow by an authen ...)
	NOT-FOR-US: Netgear
CVE-2017-18769 (Certain NETGEAR devices are affected by an attacker's ability to read ...)
	NOT-FOR-US: Netgear
CVE-2017-18768 (Certain NETGEAR devices are affected by CSRF. This affects EX6100 befo ...)
	NOT-FOR-US: Netgear
CVE-2017-18767 (Certain NETGEAR devices are affected by command injection by an authen ...)
	NOT-FOR-US: Netgear
CVE-2017-18766 (Certain NETGEAR devices are affected by an attacker's ability to read ...)
	NOT-FOR-US: Netgear
CVE-2017-18765 (Certain NETGEAR devices are affected by denial of service. This affect ...)
	NOT-FOR-US: Netgear
CVE-2017-18764 (Certain NETGEAR devices are affected by command injection by an unauth ...)
	NOT-FOR-US: Netgear
CVE-2017-18763 (Certain NETGEAR devices are affected by incorrect configuration of sec ...)
	NOT-FOR-US: Netgear
CVE-2017-18762 (Certain NETGEAR devices are affected by command injection by an unauth ...)
	NOT-FOR-US: Netgear
CVE-2017-18761 (NETGEAR R8000 devices before 1.0.4.2 are affected by a stack-based buf ...)
	NOT-FOR-US: Netgear
CVE-2017-18760
	REJECTED
CVE-2017-18759 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
	NOT-FOR-US: Netgear
CVE-2017-18758 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
	NOT-FOR-US: Netgear
CVE-2017-18757 (Certain NETGEAR devices are affected by incorrect configuration of sec ...)
	NOT-FOR-US: Netgear
CVE-2017-18756 (Certain NETGEAR devices are affected by incorrect configuration of sec ...)
	NOT-FOR-US: Netgear
CVE-2017-18755 (Certain NETGEAR devices are affected by CSRF. This affects R6300v2 bef ...)
	NOT-FOR-US: Netgear
CVE-2017-18754 (Certain NETGEAR devices are affected by command injection by an authen ...)
	NOT-FOR-US: Netgear
CVE-2017-18753
	REJECTED
CVE-2017-18752 (Certain NETGEAR devices are affected by an attacker's ability to read ...)
	NOT-FOR-US: Netgear
CVE-2017-18751 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
	NOT-FOR-US: Netgear
CVE-2017-18750 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
	NOT-FOR-US: Netgear
CVE-2017-18749 (Certain NETGEAR devices are affected by CSRF. This affects JNR1010v2 b ...)
	NOT-FOR-US: Netgear
CVE-2017-18748 (Certain NETGEAR devices are affected by incorrect configuration of sec ...)
	NOT-FOR-US: Netgear
CVE-2017-18747 (Certain NETGEAR devices are affected by incorrect configuration of sec ...)
	NOT-FOR-US: Netgear
CVE-2017-18746 (Certain NETGEAR devices are affected by incorrect configuration of sec ...)
	NOT-FOR-US: Netgear
CVE-2017-18745 (Certain NETGEAR devices are affected by stored XSS. This affects R6400 ...)
	NOT-FOR-US: Netgear
CVE-2017-18744 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...)
	NOT-FOR-US: Netgear
CVE-2017-18743 (Certain NETGEAR devices are affected by authentication bypass. This af ...)
	NOT-FOR-US: Netgear
CVE-2017-18742 (Certain NETGEAR devices are affected by CSRF. This affects JR6150 befo ...)
	NOT-FOR-US: Netgear
CVE-2017-18741 (Certain NETGEAR devices are affected by incorrect configuration of sec ...)
	NOT-FOR-US: Netgear
CVE-2017-18740 (Certain NETGEAR devices are affected by incorrect configuration of sec ...)
	NOT-FOR-US: Netgear
CVE-2017-18739 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...)
	NOT-FOR-US: Netgear
CVE-2017-18738 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
	NOT-FOR-US: Netgear
CVE-2017-18737 (Certain NETGEAR devices are affected by command injection by an unauth ...)
	NOT-FOR-US: Netgear
CVE-2017-18736 (Certain NETGEAR devices are affected by command injection by an unauth ...)
	NOT-FOR-US: Netgear
CVE-2017-18735 (Certain NETGEAR devices are affected by command injection by an unauth ...)
	NOT-FOR-US: Netgear
CVE-2017-18734 (Certain NETGEAR devices are affected by command injection by an unauth ...)
	NOT-FOR-US: Netgear
CVE-2017-18733 (Certain NETGEAR devices are affected by authentication bypass. This af ...)
	NOT-FOR-US: Netgear
CVE-2017-18732 (Certain NETGEAR devices are affected by authentication bypass. This af ...)
	NOT-FOR-US: Netgear
CVE-2017-18731 (Certain NETGEAR devices are affected by incorrect configuration of sec ...)
	NOT-FOR-US: Netgear
CVE-2017-18730 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
	NOT-FOR-US: Netgear
CVE-2017-18729 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
	NOT-FOR-US: Netgear
CVE-2017-18728 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
	NOT-FOR-US: Netgear
CVE-2017-18727 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
	NOT-FOR-US: Netgear
CVE-2017-18726 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
	NOT-FOR-US: Netgear
CVE-2017-18725 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
	NOT-FOR-US: Netgear
CVE-2017-18724 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
	NOT-FOR-US: Netgear
CVE-2017-18723 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
	NOT-FOR-US: Netgear
CVE-2017-18722 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
	NOT-FOR-US: Netgear
CVE-2017-18721 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
	NOT-FOR-US: Netgear
CVE-2017-18720 (Certain NETGEAR devices are affected by authentication bypass. This af ...)
	NOT-FOR-US: Netgear
CVE-2017-18719 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
	NOT-FOR-US: Netgear
CVE-2017-18718 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
	NOT-FOR-US: Netgear
CVE-2017-18717 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
	NOT-FOR-US: Netgear
CVE-2017-18716 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
	NOT-FOR-US: Netgear
CVE-2017-18715 (Certain NETGEAR devices are affected by reflected XSS. This affects EX ...)
	NOT-FOR-US: Netgear
CVE-2017-18714 (NETGEAR WNDR4500v3 devices before 1.0.0.48 are affected by denial of s ...)
	NOT-FOR-US: Netgear
CVE-2017-18713 (Certain NETGEAR devices are affected by an attacker's ability to read ...)
	NOT-FOR-US: Netgear
CVE-2017-18712 (Certain NETGEAR devices are affected by an attacker's ability to read ...)
	NOT-FOR-US: Netgear
CVE-2017-18711 (Certain NETGEAR devices are affected by incorrect configuration of sec ...)
	NOT-FOR-US: Netgear
CVE-2017-18710 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...)
	NOT-FOR-US: Netgear
CVE-2017-18709 (Certain NETGEAR devices are affected by incorrect configuration of sec ...)
	NOT-FOR-US: Netgear
CVE-2017-18708 (Certain NETGEAR devices are affected by CSRF. This affects R8300 befor ...)
	NOT-FOR-US: Netgear
CVE-2017-18707 (Certain NETGEAR devices are affected by a buffer overflow by an authen ...)
	NOT-FOR-US: Netgear
CVE-2017-18706 (Certain NETGEAR devices are affected by incorrect configuration of sec ...)
	NOT-FOR-US: Netgear
CVE-2017-18705 (Certain NETGEAR devices are affected by incorrect configuration of sec ...)
	NOT-FOR-US: Netgear
CVE-2017-18704 (Certain NETGEAR devices are affected by an attacker's ability to read ...)
	NOT-FOR-US: Netgear
CVE-2017-18703 (Certain NETGEAR devices are affected by CSRF. This affects D1500 befor ...)
	NOT-FOR-US: Netgear
CVE-2017-18702 (NETGEAR R6220 devices before 1.1.0.60 are affected by incorrect config ...)
	NOT-FOR-US: Netgear
CVE-2017-18701 (Certain NETGEAR devices are affected by reflected XSS. This affects R6 ...)
	NOT-FOR-US: Netgear
CVE-2017-18700 (Certain NETGEAR devices are affected by stored XSS. This affects D6400 ...)
	NOT-FOR-US: Netgear
CVE-2017-18699 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
	NOT-FOR-US: Netgear
CVE-2017-18698 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
	NOT-FOR-US: Netgear
CVE-2017-18697 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
	NOT-FOR-US: Netgear
CVE-2017-18696 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18695 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18694 (An issue was discovered on Samsung mobile devices with software throug ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18693 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18692 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18691 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18690 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18689 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18688 (An issue was discovered on Samsung mobile devices with L(5.1), M(6.0), ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18687 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18686 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18685 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18684 (An issue was discovered on Samsung mobile devices with L(5.0/5.1) and ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18683 (An issue was discovered on Samsung mobile devices with L(5.0/5.1) and ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18682 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18681 (An issue was discovered on Samsung Galaxy S5 mobile devices with softw ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18680 (An issue was discovered on Samsung mobile devices with L(5.0/5.1) and ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18679 (An issue was discovered on Samsung mobile devices with M(6.0) software ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18678 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18677 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18676 (An issue was discovered on Samsung mobile devices with N(7.0) (Qualcom ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18675 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18674 (An issue was discovered on Samsung mobile devices with N(7.0) software ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18673 (An issue was discovered on Samsung mobile devices with N(7.x) software ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18672 (An issue was discovered on Samsung mobile devices with L(5.0/5.1), M(6 ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18671 (An issue was discovered on Samsung mobile devices with L(5.0/5.1), M(6 ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18670 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18669 (An issue was discovered on Samsung mobile devices with N(7.x) software ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18668 (An issue was discovered on Samsung mobile devices with M(6.0) software ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18667 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18666 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18665 (An issue was discovered on Samsung mobile devices with M(6.0) software ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18664 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18663 (An issue was discovered on Samsung mobile devices with N(7.x) software ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18662 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18661 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18660 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18659 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18658 (An issue was discovered on Samsung mobile devices with M(6.0) software ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18657 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18656 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18655 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18654 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18653 (An issue was discovered on Samsung mobile devices with KK(4.4), L(5.0/ ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18652 (An issue was discovered on Samsung mobile devices with M(6.0) and N(7. ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18651 (An issue was discovered on Samsung mobile devices with M(6.x) and N(7. ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18650 (An issue was discovered on Samsung mobile devices with N(7.x) software ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18649 (An issue was discovered on Samsung mobile devices with N(7.x) software ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18648 (An issue was discovered on Samsung mobile devices with KK(4.4.x), L(5. ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18647 (An issue was discovered on Samsung mobile devices with M(6,x) and N(7. ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18646 (An issue was discovered on Samsung mobile devices with M(6.x) and N(7. ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18645 (An issue was discovered on Samsung mobile devices with M(6.x) and N(7. ...)
	NOT-FOR-US: Samsung mobile devices
CVE-2017-18644 (An issue was discovered on Samsung mobile devices with L(5.1), M(6.x), ...)
NOT-FOR-US: Samsung mobile devices CVE-2017-18643 (An issue was discovered on Samsung mobile devices with M(6.x) and N(7. ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18642 (Syska Smart Bulb devices through 2017-08-06 receive RGB parameters ove ...) NOT-FOR-US: Syska Smart Bulb devices CVE-2017-18641 (In LXC 2.0, many template scripts download code over cleartext HTTP, a ...) - lxc-templates [buster] - lxc-templates (Minor issue) - lxc 1:3.0.3-1 (low) [stretch] - lxc (Minor issue) [jessie] - lxc (https://lists.debian.org/debian-lts/2020/02/msg00102.html) NOTE: LXC 3.0.2 split the templates out to separate lxc-templates. NOTE: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1661447 NOTE: Some of the templates were switched to fetch the packages over HTTPS, cf. NOTE: https://github.com/lxc/lxc/pull/1371 for the lxc-fedora template. CVE-2017-18640 (The Alias feature in SnakeYAML 1.18 allows entity expansion during a l ...) - snakeyaml 1.25+ds-3 (bug #952683) [buster] - snakeyaml (Minor issue) [stretch] - snakeyaml (Minor issue) [jessie] - snakeyaml (unclear security impact) NOTE: https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion NOTE: Patch to introduce a configuration option to restrict aliases for NOTE: collections: NOTE: https://bitbucket.org/asomov/snakeyaml/commits/da11ddbd91c1f8392ea932b37fa48110fa54ed8c CVE-2017-18639 (Progress Sitefinity CMS before 10.1 allows XSS via /Pages Parameter : ...) NOT-FOR-US: Progress Sitefinity CMS CVE-2017-1002201 (In haml versions prior to version 5.0.0.beta.2, when using user input ...) {DLA-1986-1} - ruby-haml 5.0.4-1 [stretch] - ruby-haml (Minor issue) NOTE: https://snyk.io/vuln/SNYK-RUBY-HAML-20362 NOTE: https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2 CVE-2017-18638 (send_email in graphite-web/webapp/graphite/composer/views.py in Graphi ...) 
{DLA-1962-1} - graphite-web 1.1.4-5 [buster] - graphite-web 1.1.4-3+deb10u1 NOTE: https://github.com/graphite-project/graphite-web/issues/2008 NOTE: https://github.com/graphite-project/graphite-web/pull/2499 NOTE: https://github.com/graphite-project/graphite-web/security/advisories/GHSA-vfj6-275q-4pvm CVE-2017-18637 RESERVED CVE-2017-18636 (CDG through 2017-01-01 allows downloadDocument.jsp?command=download&am ...) NOT-FOR-US: CDG CVE-2017-18635 (An XSS vulnerability was discovered in noVNC before 0.6.2 in which the ...) {DLA-1946-1} - novnc 1:1.0.0-1 [stretch] - novnc (Minor issue) NOTE: https://bugs.launchpad.net/horizon/+bug/1656435 NOTE: https://github.com/novnc/noVNC/commit/6048299a138e078aed210f163111698c8c526a13#diff-286f7dc7b881e942e97cd50c10898f03L534 NOTE: https://github.com/novnc/noVNC/issues/748 CVE-2017-18634 (The newspaper theme before 6.7.2 for WordPress has script injection vi ...) NOT-FOR-US: newspaper theme for WordPress CVE-2017-18633 RESERVED CVE-2017-18632 RESERVED CVE-2017-18631 RESERVED CVE-2017-18630 RESERVED CVE-2017-18629 RESERVED CVE-2017-18628 RESERVED CVE-2017-18627 RESERVED CVE-2017-18626 RESERVED CVE-2017-18625 RESERVED CVE-2017-18624 RESERVED CVE-2017-18623 RESERVED CVE-2017-18622 RESERVED CVE-2017-18621 RESERVED CVE-2017-18620 RESERVED CVE-2017-18619 RESERVED CVE-2017-18618 RESERVED CVE-2017-18617 RESERVED CVE-2017-18616 RESERVED CVE-2017-18615 (The kama-clic-counter plugin before 3.5.0 for WordPress has XSS. ...) NOT-FOR-US: Wordpress plugin CVE-2017-18614 (The kama-clic-counter plugin 3.4.9 for WordPress has SQL injection via ...) NOT-FOR-US: Wordpress plugin CVE-2017-18613 (The trust-form plugin 2.0 for WordPress has XSS via the wp-admin/admin ...) NOT-FOR-US: Wordpress plugin CVE-2017-18612 (The wp-whois-domain plugin 1.0.0 for WordPress has XSS via the pages/f ...) NOT-FOR-US: Wordpress plugin CVE-2017-18611 (The magic-fields plugin before 1.7.2 for WordPress has XSS via the RCC ...) 
NOT-FOR-US: magic-fields plugin for WordPress CVE-2017-18610 (The magic-fields plugin before 1.7.2 for WordPress has XSS via the RCC ...) NOT-FOR-US: magic-fields plugin for WordPress CVE-2017-18609 (The magic-fields plugin before 1.7.2 for WordPress has XSS via the cus ...) NOT-FOR-US: magic-fields plugin for WordPress CVE-2017-18608 (The spotim-comments plugin before 4.0.4 for WordPress has multiple XSS ...) NOT-FOR-US: spotim-comments plugin for WordPress CVE-2017-18607 (The avada theme before 5.1.5 for WordPress has CSRF. ...) NOT-FOR-US: avada theme for WordPress CVE-2017-18606 (The avada theme before 5.1.5 for WordPress has stored XSS. ...) NOT-FOR-US: avada theme for WordPress CVE-2017-18605 (The gravitate-qa-tracker plugin through 1.2.1 for WordPress has PHP Ob ...) NOT-FOR-US: gravitate-qa-tracker plugin for WordPress CVE-2017-18604 (The sitebuilder-dynamic-components plugin through 1.0 for WordPress ha ...) NOT-FOR-US: sitebuilder-dynamic-components plugin for WordPress CVE-2017-18603 (The postman-smtp plugin through 2017-10-04 for WordPress has XSS via t ...) NOT-FOR-US: postman-smtp plugin for WordPress CVE-2017-18602 (The examapp plugin 1.0 for WordPress has SQL injection via the wp-admi ...) NOT-FOR-US: examapp plugin for WordPress CVE-2017-18601 (The examapp plugin 1.0 for WordPress has XSS via exam input text field ...) NOT-FOR-US: examapp plugin for WordPress CVE-2017-18600 (The formcraft3 plugin before 3.4 for WordPress has stored XSS via the ...) NOT-FOR-US: formcraft3 plugin for WordPress CVE-2017-18599 (The Pinfinity theme before 2.0 for WordPress has XSS via the s paramet ...) NOT-FOR-US: Pinfinity theme for WordPress CVE-2017-18598 (The Qards plugin through 2017-10-11 for WordPress has XSS via a remote ...) NOT-FOR-US: Qards plugin for WordPress CVE-2017-18597 (The jtrt-responsive-tables plugin before 4.1.2 for WordPress has SQL I ...) 
NOT-FOR-US: jtrt-responsive-tables plugin for WordPress CVE-2017-18596 (The elementor plugin before 1.8.0 for WordPress has incorrect access c ...) NOT-FOR-US: elementor plugin for WordPress CVE-2017-18595 (An issue was discovered in the Linux kernel before 4.14.11. A double f ...) - linux 4.14.12-1 [stretch] - linux 4.9.80-1 [jessie] - linux 3.16.56-1 NOTE: https://git.kernel.org/linus/4397f04575c44e1440ec2e49b6302785c95fd2f8 CVE-2017-18594 (nse_libssh2.cc in Nmap 7.70 is subject to a denial of service conditio ...) - nmap 7.80+dfsg1-1 (unimportant) NOTE: https://github.com/nmap/nmap/commit/350bbe0597d37ad67abe5fef8fba984707b4e9ad NOTE: https://github.com/nmap/nmap/issues/1077 NOTE: https://github.com/nmap/nmap/issues/1227 NOTE: Crash in CLI tool, no security impact CVE-2017-18593 (The updraftplus plugin before 1.13.5 for WordPress has XSS in rare cas ...) NOT-FOR-US: updraftplus plugin for WordPress CVE-2017-18592 (The woocommerce-catalog-enquiry plugin before 3.1.0 for WordPress has ...) NOT-FOR-US: woocommerce-catalog-enquiry plugin for WordPress CVE-2017-18591 (The gd-rating-system plugin before 2.1 for WordPress has XSS in log.ph ...) NOT-FOR-US: gd-rating-system plugin for WordPress CVE-2017-18590 (The timesheet plugin before 0.1.5 for WordPress has multiple XSS issue ...) NOT-FOR-US: timesheet plugin for WordPress CVE-2017-18589 (An issue was discovered in the cookie crate before 0.7.6 for Rust. Lar ...) - rust-cookie (Fixed before initial upload to archive) NOTE: https://rustsec.org/advisories/RUSTSEC-2017-0005.html CVE-2017-18588 (An issue was discovered in the security-framework crate before 0.1.12 ...) - rust-security-framework-sys (Fixed before initial upload to archive) NOTE: https://rustsec.org/advisories/RUSTSEC-2017-0003.html CVE-2017-18587 (An issue was discovered in the hyper crate before 0.9.18 for Rust. It ...) 
- rust-hyper (Fixed before initial upload to archive) NOTE: https://rustsec.org/advisories/RUSTSEC-2017-0002.html CVE-2017-18586 (The insert-pages plugin before 3.2.4 for WordPress has directory trave ...) NOT-FOR-US: insert-pages plugin for WordPress CVE-2017-18585 (The posts-in-page plugin before 1.3.0 for WordPress has ic_add_posts t ...) NOT-FOR-US: posts-in-page plugin for WordPress CVE-2017-18584 (The post-pay-counter plugin before 2.731 for WordPress has no permissi ...) NOT-FOR-US: post-pay-counter plugin for WordPress CVE-2017-18583 (The post-pay-counter plugin before 2.731 for WordPress has PHP Object ...) NOT-FOR-US: post-pay-counter plugin for WordPress CVE-2017-18582 (The time-sheets plugin before 1.5.2 for WordPress has multiple XSS iss ...) NOT-FOR-US: time-sheets plugin for WordPress CVE-2017-18581 (The time-sheets plugin before 1.5.0 for WordPress has XSS via the old ...) NOT-FOR-US: time-sheets plugin for WordPress CVE-2017-18580 (The shortcodes-ultimate plugin before 5.0.1 for WordPress has remote c ...) NOT-FOR-US: shortcodes-ultimate plugin for WordPress CVE-2017-18579 (The corner-ad plugin before 1.0.8 for WordPress has XSS. ...) NOT-FOR-US: corner-ad plugin for WordPress CVE-2017-18578 (The crafty-social-buttons plugin before 1.5.8 for WordPress has XSS. ...) NOT-FOR-US: crafty-social-buttons plugin for WordPress CVE-2017-18577 (The mailchimp-for-wp plugin before 4.1.8 for WordPress has XSS via the ...) NOT-FOR-US: mailchimp-for-wp plugin for WordPress CVE-2017-18576 (The event-notifier plugin before 1.2.1 for WordPress has XSS via the l ...) NOT-FOR-US: event-notifier plugin for WordPress CVE-2017-18575 (The newstatpress plugin before 1.2.5 for WordPress has multiple stored ...) NOT-FOR-US: newstatpress plugin for WordPress CVE-2017-18574 (The ninja-forms plugin before 3.0.31 for WordPress has insufficient HT ...) 
NOT-FOR-US: ninja-forms plugin for WordPress CVE-2017-18573 (The simple-login-log plugin before 1.1.2 for WordPress has SQL injecti ...) NOT-FOR-US: simple-login-log plugin for WordPress CVE-2017-18572 (The gnucommerce plugin before 1.4.2 for WordPress has XSS. ...) NOT-FOR-US: gnucommerce plugin for WordPress CVE-2017-18571 (The search-everything plugin before 8.1.7 for WordPress has SQL inject ...) NOT-FOR-US: search-everything plugin for WordPress CVE-2017-18570 (The cforms2 plugin before 14.13 for WordPress has SQL injection in the ...) NOT-FOR-US: cforms2 plugin for WordPress CVE-2017-18569 (The my-wp-translate plugin before 1.0.4 for WordPress has CSRF. ...) NOT-FOR-US: Wordpress plugin CVE-2017-18568 (The my-wp-translate plugin before 1.0.4 for WordPress has XSS. ...) NOT-FOR-US: Wordpress plugin CVE-2017-18567 (The wp-all-import plugin before 3.4.6 for WordPress has XSS. ...) NOT-FOR-US: Wordpress plugin CVE-2017-18566 (The user-role plugin before 1.5.6 for WordPress has multiple XSS issue ...) NOT-FOR-US: Wordpress plugin CVE-2017-18565 (The updater plugin before 1.35 for WordPress has multiple XSS issues. ...) NOT-FOR-US: updater plugin for WordPress CVE-2017-18564 (The sender plugin before 1.2.1 for WordPress has multiple XSS issues. ...) NOT-FOR-US: sender plugin for WordPress CVE-2017-18563 (The rsvp plugin before 2.3.8 for WordPress has persistent XSS via the ...) NOT-FOR-US: rsvp plugin for WordPress CVE-2017-18562 (The error-log-viewer plugin before 1.0.6 for WordPress has multiple XS ...) NOT-FOR-US: error-log-viewer plugin for WordPress CVE-2017-18561 (The embed-comment-images plugin before 0.6 for WordPress has XSS. ...) NOT-FOR-US: embed-comment-images plugin for WordPress CVE-2017-18560 (The content-audit plugin before 1.9.2 for WordPress has XSS. ...) NOT-FOR-US: content-audit plugin for WordPress CVE-2017-18559 (The cforms2 plugin before 14.13.3 for WordPress has multiple XSS issue ...) 
NOT-FOR-US: cforms2 plugin for WordPress CVE-2017-18558 (The bws-testimonials plugin before 0.1.9 for WordPress has multiple XS ...) NOT-FOR-US: bws-testimonials plugin for WordPress CVE-2017-18557 (The bws-google-maps plugin before 1.3.6 for WordPress has multiple XSS ...) NOT-FOR-US: bws-google-maps plugin for WordPress CVE-2017-18556 (The bws-google-analytics plugin before 1.7.1 for WordPress has multipl ...) NOT-FOR-US: bws-google-analytics plugin for WordPress CVE-2017-18555 (The booking-sms plugin before 1.1.0 for WordPress has XSS. ...) NOT-FOR-US: booking-sms plugin for WordPress CVE-2017-18554 (The analytics-tracker plugin before 1.1.1 for WordPress has XSS via a ...) NOT-FOR-US: analytics-tracker plugin for WordPress CVE-2017-18553 (The ad-buttons plugin before 2.3.2 for WordPress has XSS. ...) NOT-FOR-US: ad-buttons plugin for WordPress CVE-2017-18552 (An issue was discovered in net/rds/af_rds.c in the Linux kernel before ...) - linux 4.11.6-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/780e982905bef61d13496d9af5310bf4af3a64d3 CVE-2017-18551 (An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux k ...) - linux 4.14.17-1 [stretch] - linux 4.9.168-1 [jessie] - linux 3.16.56-1 NOTE: https://git.kernel.org/linus/89c6efa61f5709327ecfa24bff18e57a4e80c7fa CVE-2017-18550 (An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linu ...) - linux 4.13.4-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/342ffc26693b528648bdc9377e51e4f2450b4860 CVE-2017-18549 (An issue was discovered in drivers/scsi/aacraid/commctrl.c in the Linu ...) 
- linux 4.13.4-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/342ffc26693b528648bdc9377e51e4f2450b4860 CVE-2017-18548 (The note-press plugin before 0.1.2 for WordPress has SQL injection. ...) NOT-FOR-US: note-press plugin for WordPress CVE-2017-18547 (The nelio-ab-testing plugin before 4.6.4 for WordPress has CSRF in exp ...) NOT-FOR-US: nelio-ab-testing plugin for WordPress CVE-2017-18546 (The jayj-quicktag plugin before 1.3.2 for WordPress has CSRF. ...) NOT-FOR-US: jayj-quicktag plugin for WordPress CVE-2017-18545 (The invite-anyone plugin before 1.3.16 for WordPress has incorrect esc ...) NOT-FOR-US: invite-anyone plugin for WordPress CVE-2017-18544 (The invite-anyone plugin before 1.3.16 for WordPress has admin-panel C ...) NOT-FOR-US: invite-anyone plugin for WordPress CVE-2017-18543 (The invite-anyone plugin before 1.3.16 for WordPress has incorrect acc ...) NOT-FOR-US: invite-anyone plugin for WordPress CVE-2017-18542 (The zendesk-help-center plugin before 1.0.5 for WordPress has multiple ...) NOT-FOR-US: zendesk-help-center plugin for WordPress CVE-2017-18541 (The xo-security plugin before 1.5.3 for WordPress has XSS. ...) NOT-FOR-US: xo-security plugin for WordPress CVE-2017-18540 (The weblibrarian plugin before 3.4.8.7 for WordPress has XSS via front ...) NOT-FOR-US: weblibrarian plugin for WordPress CVE-2017-18539 (The weblibrarian plugin before 3.4.8.6 for WordPress has XSS via front ...) NOT-FOR-US: weblibrarian plugin for WordPress CVE-2017-18538 (The weblibrarian plugin before 3.4.8.5 for WordPress has XSS via front ...) NOT-FOR-US: weblibrarian plugin for WordPress CVE-2017-18537 (The visitors-online plugin before 1.0.0 for WordPress has multiple XSS ...) NOT-FOR-US: visitors-online plugin for WordPress CVE-2017-18536 (The stop-user-enumeration plugin before 1.3.8 for WordPress has XSS. ...) 
NOT-FOR-US: stop-user-enumeration plugin for WordPress CVE-2017-18535 (The smokesignal plugin before 1.2.7 for WordPress has XSS. ...) NOT-FOR-US: smokesignal plugin for WordPress CVE-2017-18534 (The share-on-diaspora plugin before 0.7.2 for WordPress has reflected ...) NOT-FOR-US: share-on-diaspora plugin for WordPress CVE-2017-18533 (The rimons-twitter-widget plugin before 1.3 for WordPress has XSS. ...) NOT-FOR-US: Wordpress plugin CVE-2017-18532 (The realty plugin before 1.1.0 for WordPress has multiple XSS issues. ...) NOT-FOR-US: Wordpress plugin CVE-2017-18531 (The raygun4wp plugin before 1.8.3 for WordPress has XSS in the setting ...) NOT-FOR-US: Wordpress plugin CVE-2017-18530 (The rating-bws plugin before 0.2 for WordPress has multiple XSS issues ...) NOT-FOR-US: Wordpress plugin CVE-2017-18529 (The promobar plugin before 1.1.1 for WordPress has multiple XSS issues ...) NOT-FOR-US: Wordpress plugin CVE-2017-18528 (The pdf-print plugin before 1.9.4 for WordPress has multiple XSS issue ...) NOT-FOR-US: Wordpress plugin CVE-2017-18527 (The pagination plugin before 1.0.7 for WordPress has multiple XSS issu ...) NOT-FOR-US: Wordpress plugin CVE-2017-18526 (The moreads-se plugin before 1.4.7 for WordPress has XSS. ...) NOT-FOR-US: Wordpress plugin CVE-2017-18525 (The megamenu plugin before 2.4 for WordPress has XSS. ...) NOT-FOR-US: megamenu plugin for WordPress CVE-2017-18524 (The football-pool plugin before 2.6.5 for WordPress has multiple XSS i ...) NOT-FOR-US: Wordpress plugin CVE-2017-18523 (The eelv-newsletter plugin before 4.6.1 for WordPress has CSRF in the ...) NOT-FOR-US: Wordpress plugin CVE-2017-18522 (The eelv-newsletter plugin before 4.6.1 for WordPress has XSS in the a ...) NOT-FOR-US: Wordpress plugin CVE-2017-18521 (The democracy-poll plugin before 5.4 for WordPress has CSRF via wp-adm ...) NOT-FOR-US: democracy-poll plugin for WordPress CVE-2017-18520 (The democracy-poll plugin before 5.4 for WordPress has XSS via update_ ...) 
NOT-FOR-US: Wordpress plugin CVE-2017-18519 (The customer-area plugin before 7.4.3 for WordPress has XSS via admin ...) NOT-FOR-US: Wordpress plugin CVE-2017-18518 (The bws-smtp plugin before 1.1.0 for WordPress has multiple XSS issues ...) NOT-FOR-US: Wordpress plugin CVE-2017-18517 (The bws-pinterest plugin before 1.0.5 for WordPress has multiple XSS i ...) NOT-FOR-US: Wordpress plugin CVE-2017-18516 (The bws-linkedin plugin before 1.0.5 for WordPress has multiple XSS is ...) NOT-FOR-US: bws-linkedin plugin for WordPress CVE-2017-18515 (The wp-statistics plugin before 12.0.8 for WordPress has SQL injection ...) NOT-FOR-US: wp-statistics plugin for WordPress CVE-2017-18514 (The simple-login-log plugin before 1.1.2 for WordPress has SQL injecti ...) NOT-FOR-US: simple-login-log plugin for WordPress CVE-2017-18513 (The responsive-menu plugin before 3.1.4 for WordPress has no CSRF prot ...) NOT-FOR-US: responsive-menu plugin for WordPress CVE-2017-18512 (The newsletter-by-supsystic plugin before 1.1.8 for WordPress has CSRF ...) NOT-FOR-US: newsletter-by-supsystic plugin for WordPress CVE-2017-18511 (The custom-sidebars plugin before 3.0.8.1 for WordPress has CSRF. ...) NOT-FOR-US: custom-sidebars plugin for WordPress CVE-2017-18510 (The custom-sidebars plugin before 3.1.0 for WordPress has CSRF related ...) NOT-FOR-US: custom-sidebars plugin for WordPress CVE-2017-18508 (The wp-live-chat-support plugin before 7.1.03 for WordPress has XSS. ...) NOT-FOR-US: wp-live-chat-support plugin for WordPress CVE-2017-18507 (The wp-live-chat-support plugin before 7.1.05 for WordPress has XSS. ...) NOT-FOR-US: wp-live-chat-support plugin for WordPress CVE-2017-18506 (The woocommerce-pdf-invoices-packing-slips plugin before 2.0.13 for Wo ...) NOT-FOR-US: woocommerce-pdf-invoices-packing-slips plugin for WordPress CVE-2017-18505 (The twitter-plugin plugin before 2.55 for WordPress has XSS. ...) 
NOT-FOR-US: twitter-plugin plugin for WordPress CVE-2017-18504 (The twitter-cards-meta plugin before 2.5.0 for WordPress has CSRF. ...) NOT-FOR-US: twitter-cards-meta plugin for WordPress CVE-2017-18503 (The twitter-cards-meta plugin before 2.5.0 for WordPress has XSS. ...) NOT-FOR-US: twitter-cards-meta plugin for WordPress CVE-2017-18502 (The subscriber plugin before 1.3.5 for WordPress has multiple XSS issu ...) NOT-FOR-US: subscriber plugin for WordPress CVE-2017-18501 (The social-login-bws plugin before 0.2 for WordPress has multiple XSS ...) NOT-FOR-US: social-login-bws plugin for WordPress CVE-2017-18500 (The social-buttons-pack plugin before 1.1.1 for WordPress has multiple ...) NOT-FOR-US: social-buttons-pack plugin for WordPress CVE-2017-18499 (The simple-membership plugin before 3.5.7 for WordPress has XSS. ...) NOT-FOR-US: simple-membership plugin for WordPress CVE-2017-18498 (The simple-job-board plugin before 2.4.4 for WordPress has reflected X ...) NOT-FOR-US: simple-job-board plugin for WordPress CVE-2017-18497 (The liveforms plugin before 3.4.0 for WordPress has XSS. ...) NOT-FOR-US: liveforms plugin for WordPress CVE-2017-18496 (The htaccess plugin before 1.7.6 for WordPress has multiple XSS issues ...) NOT-FOR-US: htaccess plugin for WordPress CVE-2017-18495 (The gravity-forms-sms-notifications plugin before 2.4.0 for WordPress ...) NOT-FOR-US: gravity-forms-sms-notifications plugin for WordPress CVE-2017-18494 (The custom-search-plugin plugin before 1.36 for WordPress has multiple ...) NOT-FOR-US: custom-search-plugin plugin for WordPress CVE-2017-18493 (The custom-admin-page plugin before 0.1.2 for WordPress has multiple X ...) NOT-FOR-US: custom-admin-page plugin for WordPress CVE-2017-18492 (The contact-form-to-db plugin before 1.5.7 for WordPress has multiple ...) NOT-FOR-US: contact-form-to-db plugin for WordPress CVE-2017-18491 (The contact-form-plugin plugin before 4.0.6 for WordPress has multiple ...) 
NOT-FOR-US: contact-form-plugin plugin for WordPress CVE-2017-18490 (The contact-form-multi plugin before 1.2.1 for WordPress has multiple ...) NOT-FOR-US: contact-form-multi plugin for WordPress CVE-2017-18489 (The contact-form-7-sms-addon plugin before 2.4.0 for WordPress has XSS ...) NOT-FOR-US: contact-form-7-sms-addon plugin for WordPress CVE-2017-18488 (The Backup Guard plugin before 1.1.47 for WordPress has multiple XSS i ...) NOT-FOR-US: Backup Guard plugin for WordPress CVE-2017-18487 (The adsense-plugin (aka Google AdSense) plugin before 1.44 for WordPre ...) NOT-FOR-US: adsense-plugin (aka Google AdSense) plugin for WordPress CVE-2017-18486 (Jitbit Helpdesk before 9.0.3 allows remote attackers to escalate privi ...) NOT-FOR-US: Jitbit Helpdesk CVE-2017-18485 (Cognitoys Dino devices allow profiles_add.html CSRF. ...) NOT-FOR-US: Cognitoys Dino CVE-2017-18484 (Cognitoys Dino devices allow XSS via the SSID. ...) NOT-FOR-US: Cognitoys Dino CVE-2017-18509 (An issue was discovered in net/ipv6/ip6mr.c in the Linux kernel before ...) {DSA-4497-1 DLA-1885-1 DLA-1884-1} - linux 4.11.6-1 NOTE: https://git.kernel.org/linus/99253eb750fda6a644d5188fb26c43bad8d5a745 NOTE: https://pulsesecurity.co.nz/advisories/linux-kernel-4.9-inetcsklistenstop-gpf CVE-2017-18483 (ANNKE SP1 HD wireless camera 3.4.1.1604071109 devices allow XSS via a ...) NOT-FOR-US: ANNKE SP1 HD wireless camera devices CVE-2017-18482 (cPanel before 62.0.4 allows resellers to use the WHM enqueue_transfer_ ...) NOT-FOR-US: cPanel CVE-2017-18481 (cPanel before 62.0.4 allows stored XSS in the WHM Account Suspension L ...) NOT-FOR-US: cPanel CVE-2017-18480 (cPanel before 62.0.4 does not enforce account ownership for has_mycnf_ ...) NOT-FOR-US: cPanel CVE-2017-18479 (In cPanel before 62.0.4, WHM SSL certificate generation uses an unrese ...) NOT-FOR-US: cPanel CVE-2017-18478 (In cPanel before 62.0.4 incorrect ACL checks could occur in xml-api fo ...) 
NOT-FOR-US: cPanel CVE-2017-18477 (In cPanel before 62.0.4, Exim transports could execute in the context ...) NOT-FOR-US: cPanel CVE-2017-18476 (Leech Protect in cPanel before 62.0.4 does not protect certain directo ...) NOT-FOR-US: cPanel CVE-2017-18475 (In cPanel before 62.0.4, Exim piped filters ran in the context of an i ...) NOT-FOR-US: cPanel CVE-2017-18474 (cPanel before 62.0.4 allows arbitrary file-read operations via Exim va ...) NOT-FOR-US: cPanel CVE-2017-18473 (cPanel before 62.0.4 allows self XSS on the webmail Password and Secur ...) NOT-FOR-US: cPanel CVE-2017-18472 (cPanel before 62.0.4 allows reflected XSS in reset-password interfaces ...) NOT-FOR-US: cPanel CVE-2017-18471 (cPanel before 62.0.4 allows self XSS on the paper_lantern password-cha ...) NOT-FOR-US: cPanel CVE-2017-18470 (cPanel before 62.0.4 has a fixed password for the Munin MySQL test acc ...) NOT-FOR-US: cPanel CVE-2017-18469 (cPanel before 62.0.17 allows demo accounts to execute code via an NVDa ...) NOT-FOR-US: cPanel CVE-2017-18468 (cPanel before 62.0.17 allows demo accounts to execute code via the Hta ...) NOT-FOR-US: cPanel CVE-2017-18467 (cPanel before 62.0.17 allows access to restricted resources because of ...) NOT-FOR-US: cPanel CVE-2017-18466 (cPanel before 62.0.17 does not properly recognize domain ownership dur ...) NOT-FOR-US: cPanel CVE-2017-18465 (cPanel before 62.0.17 does not have a sufficient list of reserved user ...) NOT-FOR-US: cPanel CVE-2017-18464 (cPanel before 62.0.17 allows arbitrary file-overwrite operations via t ...) NOT-FOR-US: cPanel CVE-2017-18463 (cPanel before 62.0.17 allows code execution in the context of the root ...) NOT-FOR-US: cPanel CVE-2017-18462 (cPanel before 62.0.17 allows a CPHulk one-day ban bypass when IP based ...) NOT-FOR-US: cPanel CVE-2017-18461 (cPanel before 62.0.17 allows does not preserve security policy questio ...) NOT-FOR-US: cPanel CVE-2017-18460 (cPanel before 62.0.17 allows arbitrary code execution during automatic ...) 
NOT-FOR-US: cPanel CVE-2017-18459 (cPanel before 62.0.17 allows arbitrary code execution during account m ...) NOT-FOR-US: cPanel CVE-2017-18458 (cPanel before 62.0.17 allows file overwrite when renaming an account ( ...) NOT-FOR-US: cPanel CVE-2017-18457 (cPanel before 62.0.17 allows arbitrary file-read operations via WHM /s ...) NOT-FOR-US: cPanel CVE-2017-18456 (cPanel before 62.0.17 allows self XSS in the WHM cPAddons showsecurity ...) NOT-FOR-US: cPanel CVE-2017-18455 (In cPanel before 62.0.17, addon domain conversion did not require a pa ...) NOT-FOR-US: cPanel CVE-2017-18454 (cPanel before 62.0.24 allows stored XSS in the WHM cPAddons install in ...) NOT-FOR-US: cPanel CVE-2017-18453 (cPanel before 64.0.21 does not preserve supplemental groups across acc ...) NOT-FOR-US: cPanel CVE-2017-18452 (cPanel before 64.0.21 allows code execution via Rails configuration fi ...) NOT-FOR-US: cPanel CVE-2017-18451 (cPanel before 64.0.21 allows attackers to read a user's crontab file d ...) NOT-FOR-US: cPanel CVE-2017-18450 (cPanel before 64.0.21 allows certain file-chmod operations via /script ...) NOT-FOR-US: cPanel CVE-2017-18449 (cPanel before 64.0.21 allows certain file-rename operations in the con ...) NOT-FOR-US: cPanel CVE-2017-18448 (cPanel before 64.0.21 allows certain file-read operations via a Server ...) NOT-FOR-US: cPanel CVE-2017-18447 (cPanel before 64.0.21 allows demo accounts to execute code via the Cla ...) NOT-FOR-US: cPanel CVE-2017-18446 (cPanel before 64.0.21 allows file-read and file-write operations for d ...) NOT-FOR-US: cPanel CVE-2017-18445 (cPanel before 64.0.21 does not enforce demo restrictions for SSL API c ...) NOT-FOR-US: cPanel CVE-2017-18444 (cPanel before 64.0.21 allows demo accounts to execute SSH API commands ...) NOT-FOR-US: cPanel CVE-2017-18443 (cPanel before 64.0.21 allows demo and suspended accounts to use SSH po ...) NOT-FOR-US: cPanel CVE-2017-18442 (cPanel before 64.0.21 allows demo accounts to execute Cpanel::SPFUI AP ...) 
NOT-FOR-US: cPanel CVE-2017-18441 (cPanel before 64.0.21 allows demo accounts to redirect web traffic (SE ...) NOT-FOR-US: cPanel CVE-2017-18440 (cPanel before 64.0.21 allows demo users to execute traceroute via api2 ...) NOT-FOR-US: cPanel CVE-2017-18439 (cPanel before 64.0.21 allows demo accounts to execute code via an Imag ...) NOT-FOR-US: cPanel CVE-2017-18438 (cPanel before 64.0.21 allows demo accounts to execute code via Encodin ...) NOT-FOR-US: cPanel CVE-2017-18437 (cPanel before 64.0.21 allows a Webmail account to execute code via for ...) NOT-FOR-US: cPanel CVE-2017-18436 (cPanel before 64.0.21 allows demo accounts to read files via a Fileman ...) NOT-FOR-US: cPanel CVE-2017-18435 (cPanel before 64.0.21 allows demo accounts to execute code via the Box ...) NOT-FOR-US: cPanel CVE-2017-18434 (cPanel before 64.0.21 allows code execution in the context of the root ...) NOT-FOR-US: cPanel CVE-2017-18433 (cPanel before 64.0.21 allows code execution by webmail and demo accoun ...) NOT-FOR-US: cPanel CVE-2017-18432 (In cPanel before 64.0.21, Horde MySQL to SQLite conversion can leak a ...) NOT-FOR-US: cPanel CVE-2017-18431 (cPanel before 66.0.1 does not reliably perform suspend/unsuspend opera ...) NOT-FOR-US: cPanel CVE-2017-18430 (In cPanel before 66.0.2, user and group ownership may be incorrectly s ...) NOT-FOR-US: cPanel CVE-2017-18429 (In cPanel before 66.0.2, Apache HTTP Server SSL domain logs can persis ...) NOT-FOR-US: cPanel CVE-2017-18428 (In cPanel before 66.0.2, Apache HTTP Server domlogs become temporarily ...) NOT-FOR-US: cPanel CVE-2017-18427 (In cPanel before 66.0.2, weak log-file permissions can occur after acc ...) NOT-FOR-US: cPanel CVE-2017-18426 (cPanel before 66.0.2 allows resellers to read other accounts' domain l ...) NOT-FOR-US: cPanel CVE-2017-18425 (In cPanel before 66.0.2, the cpdavd_error_log file can be created with ...) NOT-FOR-US: cPanel CVE-2017-18424 (In cPanel before 66.0.2, the Apache HTTP Server configuration file is ...) 
NOT-FOR-US: cPanel CVE-2017-18423 (In cPanel before 66.0.2, domain log files become readable after log pr ...) NOT-FOR-US: cPanel CVE-2017-18422 (In cPanel before 66.0.2, EasyApache 4 conversion sets weak domlog owne ...) NOT-FOR-US: cPanel CVE-2017-18421 (cPanel before 66.0.2 allows demo accounts to create databases and user ...) NOT-FOR-US: cPanel CVE-2017-18420 (cPanel before 66.0.2 allows stored XSS during WHM cPAddons processing ...) NOT-FOR-US: cPanel CVE-2017-18419 (cPanel before 66.0.2 allows stored XSS during WHM cPAddons uninstallat ...) NOT-FOR-US: cPanel CVE-2017-18418 (cPanel before 66.0.2 allows stored XSS during WHM cPAddons file operat ...) NOT-FOR-US: cPanel CVE-2017-18417 (cPanel before 66.0.2 allows stored XSS during WHM cPAddons installatio ...) NOT-FOR-US: cPanel CVE-2017-18416 (cPanel before 67.9999.103 allows arbitrary file-overwrite operations d ...) NOT-FOR-US: cPanel CVE-2017-18415 (cPanel before 67.9999.103 allows code execution in the context of the ...) NOT-FOR-US: cPanel CVE-2017-18414 (cPanel before 67.9999.103 allows an open redirect in /unprotected/redi ...) NOT-FOR-US: cPanel CVE-2017-18413 (In cPanel before 67.9999.103, the backup system overwrites root's home ...) NOT-FOR-US: cPanel CVE-2017-18412 (cPanel before 67.9999.103 allows Apache HTTP Server log files to becom ...) NOT-FOR-US: cPanel CVE-2017-18411 (The "addon domain conversion" feature in cPanel before 67.9999.103 can ...) NOT-FOR-US: cPanel CVE-2017-18410 (In cPanel before 67.9999.103, a user account's backup archive could co ...) NOT-FOR-US: cPanel CVE-2017-18409 (In cPanel before 67.9999.103, the backup interface could return a back ...) NOT-FOR-US: cPanel CVE-2017-18408 (cPanel before 67.9999.103 allows stored XSS in WHM MySQL Password Chan ...) NOT-FOR-US: cPanel CVE-2017-18407 (cPanel before 67.9999.103 does not enforce SSL hostname verification f ...) NOT-FOR-US: cPanel CVE-2017-18406 (cPanel before 67.9999.103 allows SQL injection during eximstats proces ...) 
NOT-FOR-US: cPanel CVE-2017-18405 (cPanel before 68.0.15 allows arbitrary file-read operations because of ...) NOT-FOR-US: cPanel CVE-2017-18404 (cPanel before 68.0.15 allows domain data to be deleted for domains wit ...) NOT-FOR-US: cPanel CVE-2017-18403 (cPanel before 68.0.15 allows code execution in the context of the nobo ...) NOT-FOR-US: cPanel CVE-2017-18402 (cPanel before 68.0.15 allows stored XSS during a cpaddons moderated up ...) NOT-FOR-US: cPanel CVE-2017-18401 (cPanel before 68.0.15 allows user accounts to be partially created wit ...) NOT-FOR-US: cPanel CVE-2017-18400 (cPanel before 68.0.15 allows local root code execution via cpdavd (SEC ...) NOT-FOR-US: cPanel CVE-2017-18399 (cPanel before 68.0.15 allows attackers to read root's crontab file dur ...) NOT-FOR-US: cPanel CVE-2017-18398 (DnsUtils in cPanel before 68.0.15 allows zone creation for hostname an ...) NOT-FOR-US: cPanel CVE-2017-18397 (cPanel before 68.0.15 does not preserve permissions for local backup t ...) NOT-FOR-US: cPanel CVE-2017-18396 (cPanel before 68.0.15 allows arbitrary file-read operations via Exim v ...) NOT-FOR-US: cPanel CVE-2017-18395 (cPanel before 68.0.15 does not block a username of ssl (SEC-328). ...) NOT-FOR-US: cPanel CVE-2017-18394 (cPanel before 68.0.15 does not have a sufficient list of reserved user ...) NOT-FOR-US: cPanel CVE-2017-18393 (cPanel before 68.0.15 does not block a username of postmaster, which m ...) NOT-FOR-US: cPanel CVE-2017-18392 (cPanel before 68.0.15 allows collisions because PostgreSQL databases c ...) NOT-FOR-US: cPanel CVE-2017-18391 (cPanel before 68.0.15 allows attackers to read backup files because th ...) NOT-FOR-US: cPanel CVE-2017-18390 (cPanel before 68.0.15 allows code execution in the context of the root ...) NOT-FOR-US: cPanel CVE-2017-18389 (cPanel before 68.0.15 allows string format injection in dovecot-xaps-p ...) NOT-FOR-US: cPanel CVE-2017-18388 (cPanel before 68.0.15 can perform unsafe file operations because Jails ...) 
NOT-FOR-US: cPanel CVE-2017-18387 (cPanel before 68.0.15 allows arbitrary code execution via Maketext inj ...) NOT-FOR-US: cPanel CVE-2017-18386 (cPanel before 68.0.15 allows arbitrary code execution via Maketext inj ...) NOT-FOR-US: cPanel CVE-2017-18385 (cPanel before 68.0.15 allows unprivileged users to access restricted d ...) NOT-FOR-US: cPanel CVE-2017-18384 (cPanel before 68.0.15 allows jailed accounts to restore files that are ...) NOT-FOR-US: cPanel CVE-2017-18383 (cPanel before 68.0.15 writes home-directory backups to an incorrect lo ...) NOT-FOR-US: cPanel CVE-2017-18382 (cPanel before 68.0.15 allows use of an unreserved e-mail address in DN ...) NOT-FOR-US: cPanel CVE-2017-18381 (The installation process in Open edX before 2017-01-10 exposes a Mongo ...) NOT-FOR-US: Open edX CVE-2017-18380 (edx-platform before 2017-08-03 allows attackers to trigger password-re ...) NOT-FOR-US: Open edX CVE-2017-18379 (In the Linux kernel before 4.14, an out of boundary access happened in ...) - linux 4.14.2-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/0c319d3a144d4b8f1ea2047fd614d2149b68f889 CVE-2017-18378 (In NETGEAR ReadyNAS Surveillance before 1.4.3-17 x86 and before 1.1.4- ...) NOT-FOR-US: NETGEAR CVE-2017-18377 (An issue was discovered on Wireless IP Camera (P2P) WIFICAM cameras. T ...) NOT-FOR-US: Wireless IP Camera (P2P) WIFICAM cameras CVE-2017-18376 (An improper authorization check in the User API in TheHive before 2.13 ...) NOT-FOR-US: User API in TheHive Project CVE-2017-18375 (Ampache 3.8.3 allows PHP Object Instantiation via democratic.ajax.php ...) - ampache [jessie] - ampache (Minor issue) NOTE: https://fenceposterror.github.io/2017/06/16/Hacking-For-Fun-And-Non-Profit.html NOTE: https://github.com/ampache/ampache/issues/1555 CVE-2017-18374 (The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 rou ...) 
NOT-FOR-US: ZyXEL CVE-2017-18373 (The Billion 5200W-T TCLinux Fw $7.3.8.0 v008 130603 router distributed ...) NOT-FOR-US: Billion 5200W-T TCLinux router CVE-2017-18372 (The Billion 5200W-T TCLinux Fw $7.3.8.0 v008 130603 router distributed ...) NOT-FOR-US: Billion 5200W-T TCLinux router CVE-2017-18371 (The ZyXEL P660HN-T1A v2 TCLinux Fw #7.3.37.6 router distributed by Tru ...) NOT-FOR-US: ZyXEL CVE-2017-18370 (The ZyXEL P660HN-T1A v2 TCLinux Fw #7.3.37.6 router distributed by Tru ...) NOT-FOR-US: ZyXEL CVE-2017-18369 (The Billion 5200W-T 1.02b.rc5.dt49 router distributed by TrueOnline ha ...) NOT-FOR-US: Billion 5200W-T router CVE-2017-18368 (The ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 rou ...) NOT-FOR-US: ZyXEL CVE-2017-18367 (libseccomp-golang 0.9.0 and earlier incorrectly generates BPFs that OR ...) {DLA-2320-1} - golang-github-seccomp-libseccomp-golang 0.9.0-2 (bug #927981) NOTE: https://github.com/seccomp/libseccomp-golang/issues/22 NOTE: https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e CVE-2017-18366 (Subrion CMS 4.1.5 has CSRF in blog/delete/. ...) NOT-FOR-US: Subrion CMS CVE-2017-18365 (The Management Console in GitHub Enterprise 2.8.x before 2.8.7 has a d ...) NOT-FOR-US: GitHub Enterprise CVE-2017-18364 (phpFK lite has XSS via the faq.php, members.php, or search.php query s ...) NOT-FOR-US: phpFK CVE-2017-18363 RESERVED CVE-2017-1000000 REJECTED CVE-2017-18362 (ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is v ...) NOT-FOR-US: ConnectWise ManagedITSync CVE-2017-18361 (In Pylons Colander through 1.6, the URL validator allows an attacker t ...) - python-colander [stretch] - python-colander (Minor issue) [jessie] - python-colander (Minor issue) NOTE: https://github.com/Pylons/colander/issues/290 NOTE: https://github.com/Pylons/colander/pull/323 CVE-2017-18360 (In change_port_settings in drivers/usb/serial/io_ti.c in the Linux ker ...) 
- linux 4.9.30-1 [jessie] - linux 3.16.48-1 NOTE: Fixed by: https://git.kernel.org/linus/6aeb75e6adfaed16e58780309613a578fe1ee90b CVE-2017-18359 (PostGIS 2.x before 2.3.3, as used with PostgreSQL, allows remote attac ...) {DLA-1653-1} - postgis 2.3.3+dfsg-1 (low) [stretch] - postgis (Minor issue) NOTE: https://trac.osgeo.org/postgis/ticket/3704 NOTE: https://trac.osgeo.org/postgis/changeset/15444 NOTE: https://trac.osgeo.org/postgis/changeset/15445 CVE-2017-18358 (LimeSurvey before 2.72.4 has Stored XSS by using the Continue Later (a ...) - limesurvey (bug #472802) CVE-2017-18357 (Shopware before 5.3.4 has a PHP Object Instantiation issue via the sor ...) NOT-FOR-US: Shopware CVE-2017-18356 (In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an at ...) NOT-FOR-US: Automattic WooCommerce plugin for WordPress CVE-2017-1002157 (modulemd 1.3.1 and earlier uses an unsafe function for processing exte ...) NOT-FOR-US: modulemd CVE-2017-1002152 (Bodhi 2.9.0 and lower is vulnerable to cross-site scripting resulting ...) NOT-FOR-US: Bodhi CVE-2017-18355 (Installed packages are exposed by node_modules in Rendertron 1.0.0, al ...) NOT-FOR-US: Rendertron CVE-2017-18354 (Rendertron 1.0.0 allows for alternative protocols such as 'file://' in ...) NOT-FOR-US: Rendertron CVE-2017-18353 (Rendertron 1.0.0 includes an _ah/stop route to shutdown the Chrome ins ...) NOT-FOR-US: Rendertron CVE-2017-18352 (Error reporting within Rendertron 1.0.0 allows reflected Cross Site Sc ...) NOT-FOR-US: Rendertron CVE-2017-18351 RESERVED CVE-2017-18350 (bitcoind and Bitcoin-Qt prior to 0.15.1 have a stack-based buffer over ...) - bitcoin 0.15.1~dfsg-1 CVE-2017-18349 (parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pi ...) NOT-FOR-US: FastjsonEngine CVE-2017-18348 (Splunk Enterprise 6.6.x, when configured to run as root but drop privi ...) NOT-FOR-US: Splunk CVE-2017-18347 (Incorrect access control in RDP Level 1 on STMicroelectronics STM32F0 ...) 
NOT-FOR-US: STMicroelectronics STM32F0 series devices CVE-2017-1000600 (WordPress version <4.9 contains a CWE-20 Input Validation vulnerabi ...) - wordpress 4.9.1+dfsg-1 [stretch] - wordpress (requires authenticated user, root cause in PHP phar:// unserialization and requires thorough application-level checks, no upstream patch) [jessie] - wordpress (requires authenticated user, root cause in PHP phar:// unserialization and requires thorough application-level checks, no upstream patch) NOTE: https://www.theregister.co.uk/2018/08/20/php_unserialisation_wordpress_vuln/ NOTE: https://cdn2.hubspot.net/hubfs/3853213/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-....pdf NOTE: https://twitter.com/_s_n_t/status/1030573635617124353 (possible mitigation) NOTE: https://www.slideshare.net/_s_n_t/php-unserialization-vulnerabilities-what-are-we-missing (75-76, pre-4.9 POP chain) NOTE: https://github.com/WordPress/WordPress/commit/0a3b7d8e31def538cf531791efe8bf33e6e243cc (4.9 POP chain break) NOTE: Wordpress before 4.9 is vulnerable on its own. After 4.9 you need to have NOTE: vulnerable module installed on the site as well. Due to an incomplete fix NOTE: in 4.9 there exists CVE-2018-1000773. CVE-2017-18346 (SQL injection vulnerability in /wbg/core/_includes/authorization.inc.p ...) NOT-FOR-US: CMS Web-Gooroo CVE-2017-18345 (The Joomanager component through 2.0.0 for Joomla! has an arbitrary fi ...) NOT-FOR-US: Joomla addon CVE-2017-18344 (The timer_create syscall implementation in kernel/time/posix-timers.c ...) - linux 4.14.12-1 [stretch] - linux 4.9.82-1+deb9u1 [jessie] - linux 3.16.56-1 NOTE: Fixed by: https://git.kernel.org/linus/cef31d9af908243421258f1df35a4a644604efbe CVE-2017-18343 (** DISPUTED ** The debug handler in Symfony before v2.7.33, 2.8.x befo ...) 
- symfony 3.4.0+dfsg-1 (unimportant) NOTE: https://github.com/symfony/debug/pull/7/commits/e48bda29143bd1a83001780b4a78e483822d985c NOTE: https://github.com/symfony/symfony/issues/27987 NOTE: https://github.com/symfony/symfony/pull/23684 CVE-2017-18342 (In PyYAML before 5.1, the yaml.load() API could execute arbitrary code ...) - pyyaml 5.1.2-1 (unimportant; bug #902878) NOTE: This is a well-known design deficiency in pyyaml, various CVE IDs have been assigned NOTE: to applications misusing the API over the years. The CVE ID was assigned to raise NOTE: awareness (and 5.1 now fixes the default behaviour as well) NOTE: https://github.com/yaml/pyyaml/pull/74 CVE-2017-18341 REJECTED CVE-2017-18340 REJECTED CVE-2017-18339 REJECTED CVE-2017-18338 REJECTED CVE-2017-18337 REJECTED CVE-2017-18336 REJECTED CVE-2017-18335 REJECTED CVE-2017-18334 REJECTED CVE-2017-18333 REJECTED CVE-2017-18332 (Security keys are logged when any WCDMA call is configured or reconfig ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18331 (Improper access control on secure display buffers in snapdragon automo ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18330 (Buffer overflow in AES-CCM and AES-GCM encryption via initialization v ...) NOT-FOR-US: snapdragon CVE-2017-18329 (Possible Buffer overflow when transmitting an RTP packet in snapdragon ...) NOT-FOR-US: snapdragon CVE-2017-18328 (Use after free in QSH client rule processing in snapdragon mobile and ...) NOT-FOR-US: snapdragon CVE-2017-18327 (Security keys are logged when any WCDMA call is configured or reconfig ...) NOT-FOR-US: snapdragon CVE-2017-18326 (Cryptographic keys are printed in modem debug messages in snapdragon m ...) NOT-FOR-US: snapdragon CVE-2017-18325 REJECTED CVE-2017-18324 (Cryptographic key material leaked in debug messages - GERAN in snapdra ...) NOT-FOR-US: snapdragon CVE-2017-18323 (Cryptographic key material leaked in TDSCDMA RRC debug messages in sna ...) 
NOT-FOR-US: snapdragon CVE-2017-18322 (Cryptographic key material leaked in WCDMA debug messages in snapdrago ...) NOT-FOR-US: snapdragon CVE-2017-18321 (Security keys used by the terminal and NW for a session could be leake ...) NOT-FOR-US: snapdragon CVE-2017-18320 (QSEE unload attempt on a 3rd party TEE without previously loading resu ...) NOT-FOR-US: snapdragon CVE-2017-18319 (Information leak in UIM API debug messages in snapdragon mobile and sn ...) NOT-FOR-US: snapdragon CVE-2017-18318 (Missing validation check on CRL issuer name in Snapdragon Automobile, ...) NOT-FOR-US: Snapdragon CVE-2017-18317 (Restrictions related to the modem (sim lock, sim kill) can be bypassed ...) NOT-FOR-US: Snapdragon CVE-2017-18316 (Secure application can access QSEE kernel memory through Ontario kerne ...) NOT-FOR-US: Snapdragon CVE-2017-18315 (Buffer over-read vulnerabilities in an older version of ASN.1 parser i ...) NOT-FOR-US: Snapdragon CVE-2017-18314 (In Snapdragon (Automobile, Mobile, Wear) in version MDM9206, MDM9607, ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18313 (Under certain mode of operations, HLOS may be able get direct or indir ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18312 (While accessing SafeSwitch services, third party can manipulate a give ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18311 (XPU Master privilege escalation is possible due to improper access con ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18310 (ClientEnv exposes services 0-32 to HLOS in Snapdragon Automobile, Snap ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18309 (A micro-core of QMP transportation may cause a macro-core to read from ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18308 (Modem segments are unlocked after authentication, leaving modem segmen ...) 
NOT-FOR-US: Qualcomm components for Android CVE-2017-18307 RESERVED CVE-2017-18306 RESERVED CVE-2017-18305 (XBL sec mem dump system call allows complete control of EL3 by unlocki ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18304 (Insufficient memory allocation in boot due to incorrect size being pas ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18303 (While processing the sensors registry configuration file, if inputs ar ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18302 (In Snapdragon (Automobile ,Mobile) in version MSM8996AU, SD 425, SD 42 ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18301 (In Small Cell SoC and Snapdragon (Automobile, Mobile, Wear) in version ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18300 (Secure display content could be accessed by third party trusted applic ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18299 (Improper translation table consolidation logic leads to resource exhau ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18298 (Lack of Input Validation in SDMX API can lead to NULL pointer access i ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18297 (Double memory free while closing TEE SE API Session management in Snap ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18296 (Access control on applications is not applied while accessing SafeSwit ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18295 (Possible buffer overflow if input is not null terminated in DSP Servic ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18294 (While reading file class type from ELF header, a buffer overread may h ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18293 (When a particular GPIO is protected by blocking access to the correspo ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18292 (Secure app running in non secure space can restart TZ by calling Widev ...) 
NOT-FOR-US: Qualcomm components for Android CVE-2017-18291 (An issue was discovered in PvPGN Stats 2.4.6. SQL Injection exists in ...) NOT-FOR-US: PvPGN Stats (relates to pvpgn, but the PHP utilities allowing integration with a PvPGN game server) CVE-2017-18290 (An issue was discovered in PvPGN Stats 2.4.6. SQL Injection exists in ...) NOT-FOR-US: PvPGN Stats (relates to pvpgn, but the PHP utilities allowing integration with a PvPGN game server) CVE-2017-18289 (An issue was discovered in PvPGN Stats 2.4.6. SQL Injection exist in l ...) NOT-FOR-US: PvPGN Stats (relates to pvpgn, but the PHP utilities allowing integration with a PvPGN game server) CVE-2017-18288 (An issue was discovered in PvPGN Stats 2.4.6. SQL Injection exists in ...) NOT-FOR-US: PvPGN Stats (relates to pvpgn, but the PHP utilities allowing integration with a PvPGN game server) CVE-2017-18287 (An issue was discovered in PvPGN Stats 2.4.6. SQL Injection exists in ...) NOT-FOR-US: PvPGN Stats (relates to pvpgn, but the PHP utilities allowing integration with a PvPGN game server) CVE-2017-18286 (nZEDb v0.7.3.3 has XSS in the 404 error page. ...) NOT-FOR-US: nZEDb CVE-2017-18285 (The Gentoo app-backup/burp package before 2.1.32 has incorrect group o ...) - burp (/etc/burp is owned by root:root in Debian) CVE-2017-18284 (The Gentoo app-backup/burp package before 2.1.32 sets the ownership of ...) - burp (Debian package uses /var/run for the PID file) CVE-2017-0921 (GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10 ...) [experimental] - gitlab 10.7.5+dfsg-1 - gitlab 10.7.7+dfsg-2 (bug #900522) NOTE: https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/ CVE-2017-18283 (Possible memory corruption when Read Val Blob Req is received with inv ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18282 (Non-secure SW can cause SDCC to generate secure bus accesses, which ma ...) 
NOT-FOR-US: Qualcomm components for Android CVE-2017-18281 (A bool variable in Video function, which gets typecasted to int before ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18280 (In Snapdragon (Automobile, Mobile, Wear) in version MDM9607, MSM8909W, ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18279 (Lack of check of buffer length before copying can lead to buffer overf ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18278 (An integer underflow may occur due to lack of check when received data ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18277 (When dynamic memory allocation fails, currently the process sleeps for ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18276 (Secure camera logic allows display/secure camera controllers to access ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18275 (A new account can be inserted into simContacts service using Android c ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18274 (While iterating through the models contained in a fixed-size array in ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18273 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulner ...) {DLA-2366-1 DLA-1785-1 DLA-1381-1} - imagemagick 8:6.9.9.34+dfsg-3 (low) NOTE: https://github.com/ImageMagick/ImageMagick/issues/910 NOTE: https://github.com/ImageMagick/ImageMagick/commit/b8fcb59e9e1d1189caf2e0f5e39346944dcd6b9d CVE-2017-18272 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-25, there is a use-after-fr ...) - imagemagick 8:6.9.9.34+dfsg-3 [stretch] - imagemagick (Vulnerable code not present) [jessie] - imagemagick (Vulnerable code not present) [wheezy] - imagemagick (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/918 NOTE: https://github.com/ImageMagick/ImageMagick/commit/93d029b70ac766ce0b5d7261a2dd334535f48038 CVE-2017-18271 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-22, an infinite loop vulner ...) 
{DLA-2366-1 DLA-1785-1 DLA-1381-1} - imagemagick 8:6.9.9.34+dfsg-3 (low) NOTE: https://github.com/ImageMagick/ImageMagick/issues/911 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7523250e2664028aa1d8f02d2d7ae49c769a851e CVE-2017-18269 (An SSE2-optimized memmove implementation for i386 in sysdeps/i386/i686 ...) - glibc 2.27-3 [stretch] - glibc 2.24-11+deb9u4 [jessie] - glibc (Vulnerable code not present) - eglibc (Vulnerable code not present) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22644 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=cd66c0e584c6d692bc8347b5e72723d02b8a8ada CVE-2017-18270 (In the Linux kernel before 4.13.5, a local user could create keyrings ...) - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.56-1 [wheezy] - linux 3.2.101-1 NOTE: Fixed by: https://git.kernel.org/linus/237bbd29f7a049d310d907f4b2716a7feef9abf3 (4.14-rc3) CVE-2017-18268 (Symantec IntelligenceCenter 3.3 is vulnerable to the Return of the Ble ...) NOT-FOR-US: Symantec CVE-2017-18267 (The FoFiType1C::cvtGlyph function in fofi/FoFiType1C.cc in Poppler thr ...) {DLA-2287-1 DLA-1562-1} [experimental] - poppler 0.65.0-1 - poppler 0.69.0-2 (bug #898357) [wheezy] - poppler (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=104942 NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=103238 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=60b4fe65bc9dc9b82bbadf0be2e3781be796a13d CVE-2017-18266 (The open_envvar function in xdg-open in xdg-utils before 1.1.3 does no ...) {DSA-4211-1 DLA-1384-1} - xdg-utils 1.1.3-1 (bug #898317) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=103807 NOTE: Upstream bug discussed possible other approach to fix the issue. NOTE: Fixed by: https://cgit.freedesktop.org/xdg/xdg-utils/commit/?id=ce802d71c3466d1dbb24f2fe9b6db82a1f899bcb CVE-2017-18265 (Prosody before 0.10.0 allows remote attackers to cause a denial of ser ...) 
{DSA-4198-1} - prosody 0.10.0-1 (bug #875829) [jessie] - prosody (Only exploitable with a LuaSocket version not in jessie) [wheezy] - prosody (Vulnerable code not present) NOTE: https://prosody.im/issues/issue/987 CVE-2017-18264 (An issue was discovered in libraries/common.inc.php in phpMyAdmin 4.0 ...) {DLA-1415-1} - phpmyadmin 4:4.6.6-2 NOTE: https://www.phpmyadmin.net/security/PMASA-2017-8/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/7232271a379396ca1d4b083af051262057003c41 (4.7-branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/b6ca92cc75c8a16001425be7881e73430bcc35b8 (4.0-branch) NOTE: If the issue is triggerable depends as well on the used PHP version. CVE-2017-18263 (Seagate Media Server in Seagate Personal Cloud before 4.3.18.4 has dir ...) NOT-FOR-US: Seagate CVE-2017-18262 (Blackboard Learn (Since at least 17th of October 2017) has allowed Unv ...) NOT-FOR-US: Blackboard Learn CVE-2017-18261 (The arch_timer_reg_read_stable macro in arch/arm64/include/asm/arch_ti ...) - linux 4.13.4-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/adb4f11e0a8f4e29900adb2b7af28b6bbd5c1fa4 (4.13-rc6) CVE-2017-18260 (Dolibarr ERP/CRM is affected by multiple SQL injection vulnerabilities ...) - dolibarr CVE-2017-18259 (Dolibarr ERP/CRM is affected by stored Cross-Site Scripting (XSS) in v ...) - dolibarr CVE-2017-18257 (The __get_data_block function in fs/f2fs/data.c in the Linux kernel be ...) {DSA-4188-1} - linux 4.11.6-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/b86e33075ed1909d8002745b56ecf73b833db143 CVE-2017-18258 (The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote ...) 
{DLA-2369-1 DLA-1524-1} [experimental] - libxml2 2.9.7+dfsg-1 - libxml2 2.9.10+dfsg-2 (low; bug #895245) [buster] - libxml2 2.9.4+dfsg1-7+deb10u1 [wheezy] - libxml2 (Minor issue; wait for upstream fix for upstream bug 794914) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=786696 NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb NOTE: When fixing this issue make sure to not open CVE-2018-9251 and apply NOTE: the fix for CVE-2018-9251 / https://bugzilla.gnome.org/show_bug.cgi?id=794914 CVE-2017-18256 (Brave Browser before 0.13.0 allows remote attackers to cause a denial ...) - brave-browser (bug #864795) CVE-2017-18255 (The perf_cpu_time_max_percent_handler function in kernel/events/core.c ...) {DLA-1423-1} - linux 4.11.6-1 (unimportant) [stretch] - linux 4.9.107-1 NOTE: https://git.kernel.org/linus/1572e45a924f254d9570093abde46430c3172e3d CVE-2017-18254 (An issue was discovered in ImageMagick 7.0.7. A memory leak vulnerabil ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/commit/24d5699753170c141b46816284430516c2d48fed NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/53ea13989003cdb4955024f95b4a0158a2e871c6 NOTE: https://github.com/ImageMagick/ImageMagick/issues/808 CVE-2017-18253 (An issue was discovered in ImageMagick 7.0.7. A NULL pointer dereferen ...) - imagemagick (Vulnerable code introduced later) NOTE: https://github.com/ImageMagick/ImageMagick/issues/794 NOTE: https://github.com/ImageMagick/ImageMagick/commit/de5deab202c340162b65f65bafbbe17b1eda2c1a CVE-2017-18252 (An issue was discovered in ImageMagick 7.0.7. The MogrifyImageList fun ...) 
{DLA-2333-1} - imagemagick 8:6.9.9.34+dfsg-3 (low) [jessie] - imagemagick (Minor issue) [wheezy] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/802 NOTE: https://github.com/ImageMagick/ImageMagick/commit/12f34b60564de1cbec08e23e2413dab5b64daeb7 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/bb04ccb34fd45e9c3020786857fb79b09f44d7db CVE-2017-18251 (An issue was discovered in ImageMagick 7.0.7. A memory leak vulnerabil ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/809 NOTE: https://github.com/ImageMagick/ImageMagick/commit/12a43437fec6f9245327636dc2730863bb9fdd8b NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/99718b41102f26f802311045e882aa947ef2941b CVE-2017-18250 (An issue was discovered in ImageMagick 7.0.7. A NULL pointer dereferen ...) - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/793 NOTE: https://github.com/ImageMagick/ImageMagick/commit/2f368e74a51ec7541b6595af712d17d6d1376534 CVE-2017-18249 (The add_free_nid function in fs/f2fs/node.c in the Linux kernel before ...) {DLA-1715-1} - linux 4.12.6-1 [stretch] - linux 4.9.144-1 [jessie] - linux (Hard to backport and low priority outside of Android) [wheezy] - linux (Vulnerable code not present) - linux-4.9 NOTE: Fixed by: https://git.kernel.org/linus/30a61ddf8117c26ac5b295e1233eaa9629a94ca3 CVE-2017-18248 (The add_job function in scheduler/ipp.c in CUPS before 2.2.6, when D-B ...) {DLA-1412-1 DLA-1387-1} - cups 2.2.6-1 [stretch] - cups 2.2.1-8+deb9u3 NOTE: https://github.com/apple/cups/commit/49fa4983f25b64ec29d548ffa3b9782426007df3 NOTE: https://github.com/apple/cups/issues/5143 CVE-2017-18247 (The av_audio_fifo_size function in libavutil/audio_fifo.c in Libav 12. ...) 
- libav (low) [jessie] - libav (Minor issue, clean crash, not reproducible with 11.12) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1089 NOTE: referenced patch 27085d1b should protect direct ./avconv vectors but situation is unclear for library vectors CVE-2017-18246 (The pcm_encode_frame function in libavcodec/pcm.c in Libav 12.2 allows ...) - libav (low) [jessie] - libav (Minor issue, oob read, not reproducible with 11.12, no patch) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1095 CVE-2017-18245 (The mpc8_probe function in libavformat/mpc8.c in Libav 12.2 allows rem ...) {DLA-2021-1} - libav NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1094 NOTE: new 2019 PoC crash with non-null, non-asan segfault, 32-bit only CVE-2017-18244 (The stereo_processing function in libavcodec/aacps.c in Libav 12.2 all ...) - libav (low) [jessie] - libav (not reproducible with 11.12, no patch) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1105 CVE-2017-18243 (The unpack_parse_unit function in libavcodec/dirac_parser.c in Libav 1 ...) - libav (low) [jessie] - libav (not reproducible with 11.12, 32-bit only, no patch) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1088 CVE-2017-18242 (The apply_dependent_coupling function in libavcodec/aacdec.c in Libav ...) - libav (low) [jessie] - libav (not reproducible with 11.12, no patch) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1093 CVE-2017-18241 (fs/f2fs/segment.c in the Linux kernel before 4.13 allows local users t ...) {DSA-4188-1 DSA-4187-1} - linux 4.13.4-1 [wheezy] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/d4fdf8ba0e5808ba9ad6b44337783bd9935e0982 CVE-2017-18240 (The Gentoo app-admin/collectd package before 5.7.2-r1 sets the ownersh ...) - collectd (Init scripts shipped by Debian are not affected) CVE-2017-18239 (A time-sensitive equality check on the JWT signature in the JsonWebTok ...) NOT-FOR-US: authentikat-jwt CVE-2017-18238 (An issue was discovered in Exempi before 2.4.4. 
The TradQT_Manager::Pa ...) {DLA-1310-1} - exempi 2.4.4-1 (low) [stretch] - exempi (Minor issue) [jessie] - exempi (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102483 NOTE: https://cgit.freedesktop.org/exempi/commit/?id=886cd1d2314755adb1f4cdb99c16ff00830f0331 CVE-2017-18237 (An issue was discovered in Exempi before 2.4.3. The PostScript_Support ...) - exempi 2.4.3-1 (low) [stretch] - exempi (Minor issue) [jessie] - exempi (Minor issue) [wheezy] - exempi (vulnerable code not present) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101914 NOTE: https://cgit.freedesktop.org/exempi/commit/?id=f19d0107fbae1fb41836cd110d4425e407e64048 CVE-2017-18236 (An issue was discovered in Exempi before 2.4.4. The ASF_Support::ReadH ...) {DLA-1310-1} - exempi 2.4.4-1 (low) [stretch] - exempi (Minor issue) [jessie] - exempi (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102484 NOTE: https://cgit.freedesktop.org/exempi/commit/?id=fe59605d3520bf2ca4e0a963d194f10e9fee5806 CVE-2017-18235 (An issue was discovered in Exempi before 2.4.3. The VPXChunk class in ...) - exempi 2.4.3-1 (low) [stretch] - exempi (Minor issue) [jessie] - exempi (Minor issue) [wheezy] - exempi (vulnerable code not present) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101913 NOTE: https://cgit.freedesktop.org/exempi/commit/?id=9e76a7782a54a242f18d609e7ba32bf1c430a5e4 CVE-2017-18234 (An issue was discovered in Exempi before 2.4.3. It allows remote attac ...) {DLA-1310-1} - exempi 2.4.3-1 (low) [stretch] - exempi (Minor issue) [jessie] - exempi (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=100397 NOTE: https://cgit.freedesktop.org/exempi/commit/?id=c26d5beb60a5a85f76259f50ed3e08c8169b0a0c CVE-2017-18233 (An issue was discovered in Exempi before 2.4.4. Integer overflow in th ...) 
{DLA-1310-1} - exempi 2.4.4-1 (low) [stretch] - exempi (Minor issue) [jessie] - exempi (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102151 NOTE: https://cgit.freedesktop.org/exempi/commit/?id=65a8492832b7335ffabd01f5f64d89dec757c260 CVE-2017-18232 (The Serial Attached SCSI (SAS) implementation in the Linux kernel thro ...) {DSA-4187-1} - linux 4.15.17-1 [stretch] - linux (Minor issue) [jessie] - linux (Minor issue) [wheezy] - linux (Vulnerability introduced later) - linux-4.9 NOTE: Fixed by: https://git.kernel.org/linus/0558f33c06bb910e2879e355192227a8e8f0219d CVE-2017-18231 (An issue was discovered in GraphicsMagick 1.3.26. A NULL pointer deref ...) {DSA-4321-1 DLA-1456-1 DLA-1322-1} - graphicsmagick 1.3.27-1 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/ea074081678b NOTE: https://sourceforge.net/p/graphicsmagick/bugs/475/ CVE-2017-18230 (An issue was discovered in GraphicsMagick 1.3.26. A NULL pointer deref ...) {DSA-4321-1 DLA-1456-1 DLA-1322-1} - graphicsmagick 1.3.27-1 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/53a4d841e90f NOTE: https://sourceforge.net/p/graphicsmagick/bugs/473/ CVE-2017-18229 (An issue was discovered in GraphicsMagick 1.3.26. An allocation failur ...) {DSA-4321-1 DLA-1456-1 DLA-1322-1} - graphicsmagick 1.3.27-1 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/752c0b41fa32 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/461/ CVE-2017-18228 (Remedy Mid Tier in BMC Remedy AR System 9.1 allows XSS via the ATTKey ...) NOT-FOR-US: Remedy Mid Tier in BMC Remedy AR System CVE-2017-18227 (TitanHQ WebTitan Gateway has incorrect certificate validation for the ...) NOT-FOR-US: TitanHQ WebTitan Gateway CVE-2017-18226 (The Gentoo net-im/jabberd2 package through 2.6.1 sets the ownership of ...) 
- jabberd2 (low; bug #902783) [bullseye] - jabberd2 (Minor issue, default init system not affected) [buster] - jabberd2 (Minor issue, default init system not affected) [stretch] - jabberd2 (Minor issue, default init system not affected) NOTE: https://bugs.gentoo.org/631068 CVE-2017-18225 (The Gentoo net-im/jabberd2 package through 2.6.1 installs jabberd, jab ...) - jabberd2 (Installed with correct permissions in Debian) NOTE: https://bugs.gentoo.org/629412 CVE-2017-18224 (In the Linux kernel before 4.15, fs/ocfs2/aops.c omits use of a semaph ...) {DSA-4188-1} - linux 4.15.4-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/3e4c56d41eef5595035872a2ec5a483f42e8917f CVE-2017-18223 (BMC Remedy AR System before 9.1 SP3, when Remedy AR Authentication is ...) NOT-FOR-US: BMC Remedy AR System CVE-2017-18222 (In the Linux kernel before 4.12, Hisilicon Network Subsystem (HNS) doe ...) {DSA-4188-1} - linux 4.15.17-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2017-18221 (The __munlock_pagevec function in mm/mlock.c in the Linux kernel befor ...) - linux 4.11.6-1 [stretch] - linux 4.9.47-1 [jessie] - linux 3.16.48-1 [wheezy] - linux (Vulnerable code introduced later) CVE-2017-18220 (The ReadOneJNGImage and ReadJNGImage functions in coders/png.c in Grap ...) {DSA-4321-1 DLA-1456-1 DLA-1322-1} - graphicsmagick 1.3.26-8 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/98721124e51f NOTE: https://sourceforge.net/p/graphicsmagick/bugs/438/ NOTE: Issue is related to CVE-2017-11403 but not the same issue. CVE-2017-18219 (An issue was discovered in GraphicsMagick 1.3.26. An allocation failur ...) 
{DSA-4321-1 DLA-1456-1 DLA-1322-1} - graphicsmagick 1.3.27-1 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/cadd4b0522fa NOTE: https://sourceforge.net/p/graphicsmagick/bugs/459/ CVE-2017-18218 (In drivers/net/ethernet/hisilicon/hns/hns_enet.c in the Linux kernel b ...) {DSA-4188-1} - linux 4.13.4-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/27463ad99f738ed93c7c8b3e2e5bc8c4853a2ff2 CVE-2017-18217 (An issue was discovered in InvoicePlane before 1.5.5. It was observed ...) NOT-FOR-US: InvoicePlane CVE-2017-18216 (In fs/ocfs2/cluster/nodemanager.c in the Linux kernel before 4.15, loc ...) {DSA-4188-1 DSA-4187-1 DLA-1369-1} - linux 4.15.4-1 NOTE: Fixed by: https://git.kernel.org/linus/853bc26a7ea39e354b9f8889ae7ad1492ffa28d2 CVE-2017-18215 (xvpng.c in xv 3.10a has memory corruption (out-of-bounds write) when d ...) - xv CVE-2017-18213 (In Exponent CMS before 2.4.1 Patch #6, certain admin users can elevate ...) NOT-FOR-US: Exponent CMS CVE-2017-18214 (The moment module before 2.19.3 for Node.js is prone to a regular expr ...) - node-moment 2.19.3+ds-1 (unimportant) NOTE: fixed in 2.19.3 upstream NOTE: https://github.com/moment/moment/commit/69ed9d44957fa6ab12b73d2ae29d286a857b80eb NOTE: https://github.com/moment/moment/pull/4326 NOTE: https://github.com/moment/moment/issues/4163 NOTE: https://nodesecurity.io/advisories/532 NOTE: nodejs not covered by security support CVE-2017-18212 (An issue was discovered in JerryScript 1.0. There is a heap-based buff ...) - iotjs 1.0+715-1 [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/2140 CVE-2017-18211 (In ImageMagick 7.0.7, a NULL pointer dereference vulnerability was fou ...) 
{DLA-2366-1} - imagemagick 8:6.9.9.34+dfsg-3 (low) [jessie] - imagemagick (vulnerable code not present) [wheezy] - imagemagick (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/792 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/96c2fab85e1699c87080271254c5a01387805564 NOTE: https://github.com/ImageMagick/ImageMagick/commit/22eec833cd72b5abab2627fcacc27d2dfb6aa6e7 CVE-2017-18210 (In ImageMagick 7.0.7, a NULL pointer dereference vulnerability was fou ...) - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/791 NOTE: https://github.com/ImageMagick/ImageMagick/commit/d2b87b403059af21db3002db95f4603f32b492ef NOTE: The commit referenced the wrong issue in the upstream issue tracker, but NOTE: as noted in https://github.com/ImageMagick/ImageMagick/issues/791#issuecomment-334050314 CVE-2017-18209 (In the GetOpenCLCachedFilesDirectory function in magick/opencl.c in Im ...) {DLA-2366-1} - imagemagick 8:6.9.9.34+dfsg-3 (low) [jessie] - imagemagick (vulnerable code not present) [wheezy] - imagemagick (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/790 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/6ac2858a87df6d645813e43928b4f01a3169ad3f NOTE: https://github.com/ImageMagick/ImageMagick/commit/cca91aa1861818342e3d072bb0fad7dc4ffac24a CVE-2017-18208 (The madvise_willneed function in mm/madvise.c in the Linux kernel befo ...) - linux 4.14.7-1 [stretch] - linux 4.9.80-1 [jessie] - linux 3.16.57-1 [wheezy] - linux (Only affects ARM with XIP enabled) NOTE: Fixed by: https://git.kernel.org/linus/6ea8d958a2c95a1d514015d4e29ba21a8c0a1a91 CVE-2017-18207 (** DISPUTED ** The Wave_read._read_fmt_chunk function in Lib/wave.py i ...) NOTE: Nonsense report for Python CVE-2017-18206 (In utils.c in zsh before 5.4, symlink expansion had a buffer overflow. ...) 
{DLA-2470-1 DLA-1304-1} - zsh 5.4.1-1 [jessie] - zsh (Minor issue) NOTE: https://sourceforge.net/p/zsh/code/ci/c7a9cf465dd620ef48d586026944d9bd7a0d5d6d CVE-2017-18205 (In builtin.c in zsh before 5.4, when sh compatibility mode is used, th ...) - zsh 5.4.1-1 (unimportant) NOTE: https://sourceforge.net/p/zsh/code/ci/eb783754bdb74377f3cea4ceca9c23a02ea1bf58 NOTE: no security impact CVE-2017-18204 (The ocfs2_setattr function in fs/ocfs2/file.c in the Linux kernel befo ...) - linux 4.14.2-1 [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/28f5a8a7c033cbf3e32277f4cc9c6afd74f05300 CVE-2017-18203 (The dm_get_from_kobject function in drivers/md/dm.c in the Linux kerne ...) {DSA-4187-1 DLA-1369-1} - linux 4.14.7-1 [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/b9a41d21dceadf8104812626ef85dc56ee8a60ed CVE-2017-18202 (The __oom_reap_task_mm function in mm/oom_kill.c in the Linux kernel b ...) - linux 4.14.7-1 [stretch] - linux 4.9.80-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/687cb0884a714ff484d038e9190edc874edcf146 CVE-2017-18201 (An issue was discovered in GNU libcdio before 2.0.0. There is a double ...) - libcdio 2.0.0-2 (bug #891638) [stretch] - libcdio (Vulnerable code introduced post 0.92) [jessie] - libcdio (Vulnerable code introduced post 0.92) [wheezy] - libcdio (Vulnerable code introduced post 0.92) NOTE: Fixed by https://git.savannah.gnu.org/cgit/libcdio.git/commit/?id=f6f9c48fb40b8a1e8218799724b0b61a7161eb1d NOTE: with https://git.savannah.gnu.org/cgit/libcdio.git/commit/?id=dec2f876c2d7162da213429bce1a7140cdbdd734 CVE-2017-18200 (The f2fs implementation in the Linux kernel before 4.14 mishandles ref ...) 
- linux (Vulnerable code not present) CVE-2017-18199 (realloc_symlink in rock.c in GNU libcdio before 1.0.0 allows remote at ...) - libcdio 1.0.0-1 (low) [stretch] - libcdio (Minor issue) [jessie] - libcdio (Minor issue) [wheezy] - libcdio (Minor issue) NOTE: https://savannah.gnu.org/bugs/?52264 CVE-2017-18198 (print_iso9660_recurse in iso-info.c in GNU libcdio before 1.0.0 allows ...) - libcdio 1.0.0-1 (low) [stretch] - libcdio (Minor issue) [jessie] - libcdio (Minor issue) [wheezy] - libcdio (Minor issue) NOTE: https://savannah.gnu.org/bugs/?52265 CVE-2017-18197 (In mxGraphViewImageReader.java in mxGraph before 3.7.6, the SAXParserF ...) {DLA-1299-1} - libjgraphx-java 2.1.0.7-2 (low; bug #891796) [stretch] - libjgraphx-java (Minor issue) [jessie] - libjgraphx-java (Minor issue) NOTE: https://github.com/jgraph/mxgraph/issues/124 NOTE: https://bitbucket.org/jgraph/mxgraph2/commits/7d159ca3259b961cbb1c51b4ea42cb408c624ff1 CVE-2017-18195 (An issue was discovered in tools/conversations/view_ajax.php in Concre ...) NOT-FOR-US: Concrete5 CVE-2017-18194 (SQL injection vulnerability in users/signup.php in the "signup" compon ...) NOT-FOR-US: HamayeshNegar CMS CVE-2017-18193 (fs/f2fs/extent_cache.c in the Linux kernel before 4.13 mishandles exte ...) {DSA-4188-1} - linux 4.13.4-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/dad48e73127ba10279ea33e6dbc8d3905c4d31c0 CVE-2017-6932 (Drupal core 7.x versions before 7.57 has an external link injection vu ...) {DSA-4123-1 DLA-1295-1} - drupal7 7.57-1 (bug #891154) NOTE: https://www.drupal.org/sa-core-2018-001 CVE-2017-6929 (A jQuery cross site scripting vulnerability is present when making Aja ...) {DSA-4123-1 DLA-1295-1} - drupal7 7.57-1 (bug #891153) NOTE: https://www.drupal.org/sa-core-2018-001 CVE-2017-6928 (Drupal core 7.x versions before 7.57 when using Drupal's private file ...) 
{DSA-4123-1 DLA-1295-1} - drupal7 7.57-1 (bug #891152) NOTE: https://www.drupal.org/sa-core-2018-001 CVE-2017-6927 (Drupal 8.4.x versions before 8.4.5 and Drupal 7.x versions before 7.57 ...) {DSA-4123-1 DLA-1295-1} - drupal8 (bug #756305) - drupal7 7.57-1 (bug #891150) NOTE: https://www.drupal.org/sa-core-2018-001 CVE-2017-18192 (smart/calculator/gallerylock/CalculatorActivity.java in the "Photo,Vid ...) NOT-FOR-US: "Photo,Video Locker-Calculator" application for Android CVE-2017-18191 (An issue was discovered in OpenStack Nova 15.x through 15.1.0 and 16.x ...) - nova 2:17.0.0-1 [stretch] - nova (Minor issue) [jessie] - nova (Minor issue) [wheezy] - nova (Not supported in Wheezy) NOTE: https://launchpad.net/bugs/1739593 NOTE: https://review.openstack.org/539893 CVE-2017-18190 (A localhost.localdomain whitelist entry in valid_host() in scheduler/c ...) {DLA-1412-1 DLA-1288-1} - cups 2.2.3-2 [stretch] - cups 2.2.1-8+deb9u1 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1048 NOTE: https://github.com/apple/cups/commit/afa80cb2b457bf8d64f775bed307588610476c41 (v2.2.2) CVE-2017-18189 (In the startread function in xa.c in Sound eXchange (SoX) through 14.4 ...) {DLA-1695-1 DLA-1197-1} - sox 14.4.2-2 (bug #881121) [stretch] - sox 14.4.1-5+deb9u2 NOTE: https://github.com/mansr/sox/commit/7a8ceb86212b28243bbb6d0de636f0dfbe833e53 CVE-2017-18188 (OpenRC opentmpfiles through 0.1.3, when the fs.protected_hardlinks sys ...) - opentmpfiles (bug #973246) NOTE: https://github.com/OpenRC/opentmpfiles/issues/3 CVE-2017-18187 (In ARM mbed TLS before 2.7.0, there is a bounds-check bypass through a ...) {DSA-4147-1 DSA-4138-1} - mbedtls 2.7.0-2 - polarssl [wheezy] - polarssl (vulnerable code not present) NOTE: https://github.com/ARMmbed/mbedtls/commit/83c9f495ffe70c7dd280b41fdfd4881485a3bc28 CVE-2017-18186 (An issue was discovered in QPDF before 7.0.0. There is an infinite loo ...) 
- qpdf 7.0.0-1 [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/commit/85f05cc57ffa0a863d9d9b23e73acea9410b2937 NOTE: https://github.com/qpdf/qpdf/issues/149 CVE-2017-18185 (An issue was discovered in QPDF before 7.0.0. There is a large heap-ba ...) - qpdf 7.0.0-1 [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/commit/ec7d74a386c0b2f38990079c3b0d2a2b30be0e71 NOTE: https://github.com/qpdf/qpdf/issues/150 CVE-2017-18184 (An issue was discovered in QPDF before 7.0.0. There is a stack-based o ...) - qpdf 7.0.0-1 [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/commit/dea704f0ab7f625e1e7b3f9a1110b45b63157317 NOTE: https://github.com/qpdf/qpdf/issues/147 CVE-2017-18183 (An issue was discovered in QPDF before 7.0.0. There is an infinite loo ...) - qpdf 7.0.0-1 [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/commit/8249a26d69f72b9cda584c14cc3f12769985e481 NOTE: https://github.com/qpdf/qpdf/issues/143 CVE-2017-18182 RESERVED CVE-2017-18181 RESERVED CVE-2017-18180 RESERVED CVE-2017-18179 (Progress Sitefinity 9.1 uses wrap_access_token as a non-expiring authe ...) NOT-FOR-US: Progress Sitefinity CVE-2017-18178 (Authenticate/SWT in Progress Sitefinity 9.1 has an open redirect issue ...) NOT-FOR-US: Progress Sitefinity CVE-2017-18177 (Progress Sitefinity 9.1 has XSS via the Last name, First name, and Abo ...) NOT-FOR-US: Progress Sitefinity CVE-2017-18176 (Progress Sitefinity 9.1 has XSS via file upload, because JavaScript co ...) NOT-FOR-US: Progress Sitefinity CVE-2017-18175 (Progress Sitefinity 9.1 has XSS via the Content Management Template Co ...) NOT-FOR-US: Progress Sitefinity CVE-2017-18174 (In the Linux kernel before 4.7, the amd_gpio_remove function in driver ...) 
- linux (Vulnerable code not present) NOTE: double-free introduced and fixed in the 4.11 release cycle CVE-2017-18173 (In case of using an invalid android verified boot signature with very ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18172 (In a device, with screen size 1440x2560, the check of contiguous buffe ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18171 (Improper input validation for GATT data packet received in Bluetooth C ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18170 (Improper input validation in Bluetooth Controller function can lead to ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18169 (User process can perform the kernel DOS in ashmem when doing cache mai ...) - linux (Android-specific) CVE-2017-18168 RESERVED CVE-2017-18167 RESERVED CVE-2017-18166 RESERVED CVE-2017-18165 RESERVED CVE-2017-18164 RESERVED CVE-2017-18163 RESERVED CVE-2017-18162 RESERVED CVE-2017-18161 RESERVED CVE-2017-18160 (AGPS session failure in GNSS module due to cyphersuites are hardcoded ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18159 (In Android releases from CAF using the linux kernel (Android for MSM, ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18158 (Possible buffer overflows and array out of bounds accesses in Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18157 (A Use After Free Condition can occur in Thermal Engine in Snapdragon A ...) NOT-FOR-US: Snapdragon CVE-2017-18156 (While processing camera buffers in camera driver, a use after free con ...) NOT-FOR-US: Snapdragon CVE-2017-18155 (While playing HEVC content using HD DMB in Snapdragon Automobile and S ...) NOT-FOR-US: Snapdragon CVE-2017-18154 (A crafted binder request can cause an arbitrary unmap in MediaServer i ...) 
NOT-FOR-US: Android Mediaserver CVE-2017-18153 RESERVED NOT-FOR-US: Qualcomm components for Android CVE-2017-18152 RESERVED CVE-2017-18151 RESERVED CVE-2017-18150 RESERVED CVE-2017-18149 RESERVED CVE-2017-18148 RESERVED CVE-2017-18147 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18146 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18145 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18144 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18143 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18142 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18141 (When a 3rd party TEE has been loaded it is possible for the non-secure ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18140 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18139 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18138 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18137 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18136 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18135 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) 
NOT-FOR-US: Qualcomm components for Android CVE-2017-18134 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18133 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18132 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18131 (In QTEE, an incorrect fuse value can be blown in Snapdragon Automobile ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18130 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18129 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18128 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18127 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18126 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18125 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18124 (During secure boot, addition is performed on uint8 ptrs which led to o ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18123 (The call parameter of /lib/exe/ajax.php in DokuWiki through 2017-02-19 ...) {DLA-1413-1 DLA-1269-1} - dokuwiki 0.0.20160626.a-2.1 (bug #889281) NOTE: https://github.com/splitbrain/dokuwiki/issues/2029 NOTE: https://github.com/splitbrain/dokuwiki/commit/238b8e878ad48f370903465192b57c2072f65d86 CVE-2017-18122 (A signature-validation bypass issue was discovered in SimpleSAMLphp th ...) 
{DSA-4127-1 DLA-1273-1} - simplesamlphp 1.15.0-1 (bug #889286) NOTE: https://simplesamlphp.org/security/201710-01 NOTE: https://github.com/simplesamlphp/simplesamlphp/commit/e2d53086abbb253efb24ddcb49b116246eb0b6ca (v1.14.17) CVE-2017-18121 (The consentAdmin module in SimpleSAMLphp through 1.14.15 is vulnerable ...) {DSA-4127-1 DLA-1273-1} - simplesamlphp 1.15.0-1 (bug #889286) NOTE: https://simplesamlphp.org/security/201709-01 NOTE: https://github.com/simplesamlphp/simplesamlphp/commit/34e1bdb7660c0c9b627f8e5f0ca224a6afe641a8 (v1.14.16) CVE-2017-18120 (A double-free bug in the read_gif function in gifread.c in gifsicle 1. ...) - gifsicle 1.91-1 (unimportant; bug #878739; bug #881120) NOTE: https://github.com/kohler/gifsicle/issues/117 NOTE: https://github.com/kohler/gifsicle/commit/118a46090c50829dc543179019e6140e1235f909 NOTE: Crash in CLI tool, no security impact CVE-2017-18119 RESERVED CVE-2017-18118 RESERVED CVE-2017-18117 RESERVED CVE-2017-18116 RESERVED CVE-2017-18115 RESERVED CVE-2017-18114 RESERVED CVE-2017-18113 RESERVED CVE-2017-18112 (Affected versions of Atlassian Fisheye allow remote attackers to view ...) NOT-FOR-US: Atlassian CVE-2017-18111 (The OAuthHelper in Atlassian Application Links before version 5.0.10, ...) NOT-FOR-US: Atlassian Application Links CVE-2017-18110 (The administration backup restore resource in Atlassian Crowd before v ...) NOT-FOR-US: Atlassian Crowd CVE-2017-18109 (The login resource of CrowdId in Atlassian Crowd before version 3.0.2 ...) NOT-FOR-US: Atlassian Crowd CVE-2017-18108 (The administration SMTP configuration resource in Atlassian Crowd befo ...) NOT-FOR-US: Atlassian Crowd CVE-2017-18107 (Various resources in the Crowd Demo application of Atlassian Crowd bef ...) NOT-FOR-US: Atlassian CVE-2017-18106 (The identifier_hash for a session token in Atlassian Crowd before vers ...) NOT-FOR-US: Atlassian Crowd CVE-2017-18105 (The console login resource in Atlassian Crowd before version 3.0.2 and ...) 
NOT-FOR-US: Atlassian Crowd CVE-2017-18104 (The Webhooks component of Atlassian Jira before version 7.6.7 and from ...) NOT-FOR-US: Atlassian Jira CVE-2017-18103 (The atlassian-http library, as used in various Atlassian products, bef ...) NOT-FOR-US: Atlassian CVE-2017-18102 (The wiki markup component of atlassian-renderer from version 8.0.0 bef ...) NOT-FOR-US: wiki markup component of atlassian-renderer CVE-2017-18101 (Various administrative external system import resources in Atlassian J ...) NOT-FOR-US: Atlassian CVE-2017-18100 (The agile wallboard gadget in Atlassian Jira before version 7.8.1 allo ...) NOT-FOR-US: Atlassian CVE-2017-18099 RESERVED CVE-2017-18098 (The searchrequest-xml resource in Atlassian Jira before version 7.6.1 ...) NOT-FOR-US: Atlassian CVE-2017-18097 (The Trello board importer resource in Atlassian Jira before version 7. ...) NOT-FOR-US: Atlassian CVE-2017-18096 (The OAuth status rest resource in Atlassian Application Links before v ...) NOT-FOR-US: Atlassian Application Links CVE-2017-18095 (The SnippetRPCServiceImpl class in Atlassian Crucible before version 4 ...) NOT-FOR-US: Atlassian Crucible CVE-2017-18094 (Various resources in Atlassian Fisheye and Crucible before version 4.4 ...) NOT-FOR-US: Atlassian Fisheye and Crucible CVE-2017-18093 (Various resources in Atlassian Fisheye and Crucible before version 4.4 ...) NOT-FOR-US: Atlassian Fisheye and Crucible CVE-2017-18092 (The print snippet resource in Atlassian Crucible before version 4.4.3 ...) NOT-FOR-US: Atlassian Crucible CVE-2017-18091 (The admin backupprogress action in Atlassian Fisheye and Crucible befo ...) NOT-FOR-US: Atlassian Fisheye and Crucible CVE-2017-18090 (Various resources in Atlassian Fisheye before version 4.5.1 (the fixed ...) NOT-FOR-US: Atlassian Fisheye CVE-2017-18089 (The view review history resource in Atlassian Crucible before version ...) 
NOT-FOR-US: Atlassian Crucible CVE-2017-18088 (Various plugin servlet resources in Atlassian Bitbucket Server before ...) NOT-FOR-US: Atlassian Bitbucket Server CVE-2017-18087 (The download commit resource in Atlassian Bitbucket Server from versio ...) NOT-FOR-US: Atlassian Bitbucket Server CVE-2017-18086 (Various resources in Atlassian Confluence Server before version 6.4.2 ...) NOT-FOR-US: Atlassian Confluence CVE-2017-18085 (The viewdefaultdecorator resource in Atlassian Confluence Server befor ...) NOT-FOR-US: Atlassian Confluence CVE-2017-18084 (The usermacros resource in Atlassian Confluence Server before version ...) NOT-FOR-US: Atlassian Confluence CVE-2017-18083 (The editinword resource in Atlassian Confluence Server before version ...) NOT-FOR-US: Atlassian Confluence CVE-2017-18082 (The plan configure branches resource in Atlassian Bamboo before versio ...) NOT-FOR-US: Atlassian Bamboo CVE-2017-18081 (The signupUser resource in Atlassian Bamboo before version 6.3.1 allow ...) NOT-FOR-US: Atlassian Bamboo CVE-2017-18080 (The saveConfigureSecurity resource in Atlassian Bamboo before version ...) NOT-FOR-US: Atlassian Bamboo CVE-2017-1000510 (Croogo version 2.3.1-17-g6f82e6c contains a Cross Site Scripting (XSS) ...) NOT-FOR-US: Croogo CVE-2017-1000509 (Dolibarr version 6.0.2 contains a Cross Site Scripting (XSS) vulnerabi ...) - dolibarr NOTE: https://github.com/Dolibarr/dolibarr/issues/7727 CVE-2017-1000508 (Invoice Plane version 1.5.4 and earlier contains a Cross Site Scriptin ...) NOT-FOR-US: Invoice Plane CVE-2017-1000507 (Canvs Canvas version 3.4.2 contains a Cross Site Scripting (XSS) vulne ...) NOT-FOR-US: Canvs Canvas CVE-2017-1000506 (Mautic version 2.11.0 and earlier contains a Cross Site Scripting (XSS ...) NOT-FOR-US: Mautic CVE-2017-18079 (drivers/input/serio/i8042.c in the Linux kernel before 4.12.4 allows a ...) 
- linux 4.12.6-1 [stretch] - linux 4.9.47-1 [jessie] - linux 3.16.51-1 [wheezy] - linux 3.2.96-1 NOTE: Fixed by: https://git.kernel.org/linus/340d394a789518018f834ff70f7534fc463d3226 CVE-2017-18078 (systemd-tmpfiles in systemd before 237 attempts to support ownership/p ...) {DLA-1762-1} - systemd 237-1 (unimportant) NOTE: https://github.com/systemd/systemd/issues/7736 NOTE: https://github.com/systemd/systemd/commit/5579f85663d10269e7ac7464be6548c99cea4ada (v237) NOTE: Neutralised by kernel hardening CVE-2017-18077 (index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expr ...) - node-brace-expansion 1.1.8-1 (unimportant; bug #862712) [stretch] - node-brace-expansion 1.1.6-1+deb9u1 NOTE: https://nodesecurity.io/advisories/338 NOTE: https://github.com/juliangruber/brace-expansion/issues/33 NOTE: https://github.com/juliangruber/brace-expansion/pull/35/commits/b13381281cead487cbdbfd6a69fb097ea5e456c3 NOTE: nodejs not covered by security support CVE-2017-18076 (In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value ...) {DSA-4109-1} [experimental] - ruby-omniauth 1.6.1-1 - ruby-omniauth 1.3.1-2 (bug #888523) NOTE: https://github.com/omniauth/omniauth/pull/867 CVE-2017-1000505 (In Jenkins Script Security Plugin version 1.36 and earlier, users with ...) NOT-FOR-US: Jenkins Script Security Plugin CVE-2017-1000468 REJECTED CVE-2017-1000464 REJECTED CVE-2017-1000414 (ImpulseAdventure JPEGsnoop version 1.7.5 is vulnerable to a division b ...) NOT-FOR-US: ImpulseAdventure JPEGsnoop CVE-2017-1000504 (A race condition during Jenkins 2.94 and earlier; 2.89.1 and earlier s ...) - jenkins CVE-2017-1000503 (A race condition during Jenkins 2.81 through 2.94 (inclusive); 2.89.1 ...) - jenkins CVE-2017-1000502 (Users with permission to create or configure agents in Jenkins 1.37 an ...) - jenkins CVE-2017-1000474 (Soyket Chowdhury Vehicle Sales Management System version 2017-07-30 is ...) 
NOT-FOR-US: Soyket Chowdhury Vehicle Sales Management System CVE-2017-1000475 (FreeSSHd 1.3.1 version is vulnerable to an Unquoted Path Service allow ...) NOT-FOR-US: FreeSSHd CVE-2017-18075 (crypto/pcrypt.c in the Linux kernel before 4.14.13 mishandles freeing ...) - linux 4.14.13-1 [stretch] - linux 4.9.80-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/d76c68109f37cb85b243a1cf0f40313afd2bae68 CVE-2017-18074 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-18073 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-18072 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-18071 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-18070 (In wma_ndp_end_response_event_handler(), the variable len_end_rsp is a ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18069 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-18068 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18067 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18066 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18065 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18064 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) 
NOT-FOR-US: Qualcomm components for Android CVE-2017-18063 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18062 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18061 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18060 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18059 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18058 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18057 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18056 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18055 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18054 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18053 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18052 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18051 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-18050 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) 
NOT-FOR-US: Qualcomm components for Android CVE-2017-18049 (In the CSV export feature of SilverStripe before 3.5.6, 3.6.x before 3 ...) NOT-FOR-US: SilverStripe CVE-2017-18048 (Monstra CMS 3.0.4 allows users to upload arbitrary files, which leads ...) NOT-FOR-US: Monstra CMS CVE-2017-1000417 (MatrixSSL version 3.7.2 adopts a collision-prone OID comparison logic ...) - matrixssl [wheezy] - matrixssl (not supported in Wheezy) CVE-2017-1000416 (axTLS version 1.5.3 has a coding error in the ASN.1 parser resulting i ...) - axtls (Fixed with initial upload to Debian) CVE-2017-18047 (Buffer Overflow in the FTP client in LabF nfsAxe 3.7 allows remote FTP ...) NOT-FOR-US: LabF nfsAxe CVE-2017-18046 (Buffer overflow on Dasan GPON ONT WiFi Router H640X 12.02-01121 2.77p1 ...) NOT-FOR-US: Dasan GPON ONT WiFi Router devices CVE-2017-18045 (JBMC DirectAdmin before 1.52, when the email_ftp_password_change setti ...) NOT-FOR-US: JBMC DirectAdmin CVE-2017-18044 (A Command Injection issue was discovered in ContentStore/Base/CVDataPi ...) NOT-FOR-US: Commvault CVE-2017-18043 (Integer overflow in the macro ROUND_UP (n, d) in Quick Emulator (Qemu) ...) {DSA-4213-1 DLA-1497-1} - qemu 1:2.10.0+dfsg-2 [wheezy] - qemu (vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (vulnerable code not present) NOTE: Fixed by: https://git.qemu.org/?p=qemu.git;a=commit;h=2098b073f398cd628c09c5a78537a6854 NOTE: Broken since: https://git.qemu.org/?p=qemu.git;a=object;h=292c8e50 (v1.5.0) NOTE: Fix included in 1:2.10.0+dfsg-2 via debian/patches/qemu-2.10.1.diff patch CVE-2017-18042 (The update user administration resource in Atlassian Bamboo before ver ...) NOT-FOR-US: Atlassian Bamboo CVE-2017-18041 (The viewDeploymentVersionJiraIssuesDialog resource in Atlassian Bamboo ...) NOT-FOR-US: Atlassian Bamboo CVE-2017-18040 (The viewDeploymentVersionCommits resource in Atlassian Bamboo before v ...) 
NOT-FOR-US: Atlassian Bamboo CVE-2017-18039 (The IncomingMailServers resource in Atlassian Jira from version 6.2.1 ...) NOT-FOR-US: Atlassian Jira CVE-2017-18038 (The repository settings resource in Atlassian Bitbucket Server before ...) NOT-FOR-US: Atlassian Bitbucket CVE-2017-18037 (The git repository tag rest resource in Atlassian Bitbucket Server fro ...) NOT-FOR-US: Atlassian Bitbucket CVE-2017-18036 (The Github repository importer in Atlassian Bitbucket Server before ve ...) NOT-FOR-US: Atlassian Bitbucket CVE-2017-18035 (The /rest/review-coverage-chart/1.0/data/<repository_name>/.json ...) NOT-FOR-US: Atlassian Fisheye and Crucible CVE-2017-18034 (The source browse resource in Atlassian Fisheye and Crucible before ve ...) NOT-FOR-US: Atlassian Fisheye and Crucible CVE-2017-18033 (The Jira-importers-plugin in Atlassian Jira before version 7.6.1 allow ...) NOT-FOR-US: Jira-importers-plugin in Atlassian Jira CVE-2017-18032 (The download-manager plugin before 2.9.52 for WordPress has XSS via th ...) NOT-FOR-US: download-manager plugin for WordPress CVE-2017-18031 RESERVED CVE-2017-18030 (The cirrus_invalidate_region function in hw/display/cirrus_vga.c in Qe ...) {DLA-1497-1} - qemu 1:2.8+dfsg-4 [wheezy] - qemu 1.1.2+dfsg-6+deb7u22 - qemu-kvm [wheezy] - qemu-kvm 1.1.2+dfsg-6+deb7u21 NOTE: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=f153b563f8cf121aebf5a2fff5f0110faf58ccb3 CVE-2017-18029 (In ImageMagick 7.0.6-10 Q16, a memory leak vulnerability was found in ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/691 NOTE: https://github.com/ImageMagick/ImageMagick/commit/d3144a8be81aed6e635de68f0d8e97881638a398 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/77fcc8d92a602299a23be9ac76887ba6cfe50bd3 CVE-2017-18028 (In ImageMagick 7.0.7-1 Q16, a memory exhaustion vulnerability was foun ...) 
- imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/736 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/740985d9bd3f1c50d622c3496bb2e75d44b65a91 NOTE: https://github.com/ImageMagick/ImageMagick/commit/32a3eeb9e0da083cbc05909e4935efdbf9846df9 CVE-2017-18027 (In ImageMagick 7.0.7-1 Q16, a memory leak vulnerability was found in t ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/734 NOTE: https://github.com/ImageMagick/ImageMagick/commit/a43f4155ee916fbed080acd534232a9d2396b5b5 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/6a88a234cbb88a06fcb7e7ebe6668267b72fa787 CVE-2017-1000441 REJECTED CVE-2017-1000439 REJECTED CVE-2017-1000465 (Sulu-standard version 1.6.6 is vulnerable to stored cross-site scripti ...) NOT-FOR-US: Sulu-standard CVE-2017-1000429 (rui Li finecms 5.0.10 is vulnerable to a reflected XSS in the file Wei ...) NOT-FOR-US: rui Li finecms CVE-2017-1000428 (flatCore-CMS 1.4.6 is vulnerable to reflected XSS in user_management.p ...) NOT-FOR-US: flatCore-CMS CVE-2017-18026 (Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does ...) {DSA-4191-1} - redmine 3.4.4-1 (bug #887307) [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/issues/27516 (private) NOTE: https://github.com/redmine/redmine/commit/ca87bf766cdc70179cb2dce03015d78ec9c13ebd NOTE: https://github.com/redmine/redmine/commit/58ed8655136ff2fe5ff7796859bf6a399c76c678 NOTE: https://github.com/redmine/redmine/commit/9d797400eaec5f9fa7ba9507c82d9c18cb91d02e NOTE: upstream fixed in 3.2.9, 3.3.6 and 3.4.4 CVE-2017-1000415 (MatrixSSL version 3.7.2 has an incorrect UTCTime date range validation ...) - matrixssl [wheezy] - matrixssl (not supported in Wheezy) CVE-2017-18025 (cgi-bin/drknow.cgi in Innotube ITGuard-Manager 0.0.0.1 allows remote a ...) 
NOT-FOR-US: Innotube ITGuard-Manager CVE-2017-18024 (AvantFAX 3.3.3 has XSS via an arbitrary parameter name to the default ...) NOT-FOR-US: AvantFAX CVE-2017-18023 (Office Tracker 11.2.5 has XSS via the logincount parameter to the /otw ...) NOT-FOR-US: Office Tracker CVE-2017-18022 (In ImageMagick 7.0.7-12 Q16, there are memory leaks in MontageImageCom ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/904 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/8cf0676455929a067257400e8020dea6ca94c1a4 NOTE: https://github.com/ImageMagick/ImageMagick/commit/e7649e96a7730dd116afb629b372c5772be0b900 CVE-2017-18021 (It was discovered that QtPass before 1.2.1, when using the built-in pa ...) - qtpass 1.2.1-1 [stretch] - qtpass 1.1.6-1+deb9u1 NOTE: https://lists.zx2c4.com/pipermail/password-store/2018-January/003165.html NOTE: https://github.com/IJHack/QtPass/issues/338 CVE-2017-18020 (On Samsung mobile devices with L(5.x), M(6.x), and N(7.x) software and ...) NOT-FOR-US: Samsung mobile devices CVE-2017-18019 (In K7 Total Security before 15.1.0.305, user-controlled input to the K ...) NOT-FOR-US: K7 Total Security CVE-2017-18018 (In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does no ...) - coreutils (unimportant) NOTE: http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html NOTE: https://www.openwall.com/lists/oss-security/2018/01/04/3 NOTE: Documentation patches proposed: NOTE: https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html NOTE: https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html NOTE: Neutralised by kernel hardening CVE-2017-1000500 REJECTED CVE-2017-1000499 (phpMyAdmin versions 4.7.x (prior to 4.7.6.1/4.7.7) are vulnerable to a ...) 
- phpmyadmin (Only affects phpMyAdmin starting from 4.7.0) NOTE: https://www.phpmyadmin.net/security/PMASA-2017-9/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/edd929216ade9f7c150a262ba3db44db0fed0e1b (4.7-branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/72f109a99c82b14c07dcb19946ba9b76efc32a1b (4.8-branch) CVE-2017-1000498 (AndroidSVG version 1.2.2 is vulnerable to XXE attacks in the SVG parsi ...) NOT-FOR-US: AndroidSVG CVE-2017-1000497 (Pepperminty-Wiki version 0.15 is vulnerable to XXE attacks in the gets ...) NOT-FOR-US: Pepperminty-Wiki CVE-2017-1000496 (Commsy version 9.0.0 is vulnerable to XXE attacks in the configuration ...) NOT-FOR-US: Commsy CVE-2017-1000495 (QuickApps CMS version 2.0.0 is vulnerable to Stored Cross-site Scripti ...) NOT-FOR-US: QuickApps CMS CVE-2017-1000494 (Uninitialized stack variable vulnerability in NameValueParserEndElt (u ...) {DLA-1811-1} - miniupnpd 2.0.20171212-1 (bug #887129) [stretch] - miniupnpd 1.8.20140523-4.1+deb9u1 - miniupnpc 2.0.20171212-3 (unimportant) NOTE: https://github.com/miniupnp/miniupnp/issues/268 NOTE: https://github.com/miniupnp/miniupnp/commit/7aeb624b44f86d335841242ff427433190e7168a NOTE: https://github.com/miniupnp/miniupnp/commit/a0573e251817ec090a8c9f9f41b56d720c835a6c CVE-2017-1000490 (Mautic versions 1.0.0 - 2.11.0 are vulnerable to allowing any authoriz ...) NOT-FOR-US: Mautic CVE-2017-1000489 (Mautic versions 2.0.0 - 2.11.0 with a SSO plugin installed could allow ...) NOT-FOR-US: Mautic CVE-2017-1000488 (Mautic version 2.1.0 - 2.11.0 is vulnerable to an inline JS XSS attack ...) NOT-FOR-US: Mautic CVE-2017-1000487 (Plexus-utils before 3.0.16 is vulnerable to command injection because ...) 
{DSA-4149-1 DSA-4146-1 DLA-1237-1 DLA-1236-1} - plexus-utils 1:1.5.15-5 - plexus-utils2 3.0.22-1 NOTE: https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31522 NOTE: https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41 CVE-2017-1000486 (Primetek Primefaces 5.x is vulnerable to a weak encryption flaw result ...) NOT-FOR-US: Primetek Primefaces CVE-2017-1000485 (Nylas Mail Lives 2.2.2 uses 0755 permissions for $HOME/.nylas-mail, wh ...) NOT-FOR-US: Nylas Mail Lives CVE-2017-1000484 (By linking to a specific url in Plone 2.5-5.1rc1 with a parameter, an ...) NOT-FOR-US: Plone CVE-2017-1000483 (Accessing private content via str.format in through-the-web templates ...) NOT-FOR-US: Plone CVE-2017-1000482 (A member of the Plone 2.5-5.1rc1 site could set javascript in the home ...) NOT-FOR-US: Plone CVE-2017-1000481 (When you visit a page where you need to login, Plone 2.5-5.1rc1 sends ...) NOT-FOR-US: Plone CVE-2017-1000480 (Smarty 3 before 3.1.32 is vulnerable to a PHP code injection when call ...) {DSA-4094-1 DLA-1249-1} - smarty - smarty3 3.1.31+20161214.1.c7d42e4+selfpack1-3 (bug #886460) NOTE: https://github.com/smarty-php/smarty/commit/614ad1f8b9b00086efc123e49b7bb8efbfa81b61 CVE-2017-1000479 (pfSense versions 2.4.1 and lower are vulnerable to clickjacking attack ...) NOT-FOR-US: pfSense CVE-2017-1000478 (ELabftw version 1.7.8 is vulnerable to stored cross-site scripting in ...) NOT-FOR-US: ELabftw CVE-2017-1000477 (XMLBundle version 0.1.7 is vulnerable to XXE attacks which can result ...) NOT-FOR-US: XMLBundle CVE-2017-1000476 (ImageMagick 7.0.7-12 Q16, a CPU exhaustion vulnerability was found in ...) 
{DLA-2366-1 DLA-1785-1 DLA-1229-1} - imagemagick 8:6.9.9.34+dfsg-3 NOTE: https://github.com/ImageMagick/ImageMagick/issues/867 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/e5dae180b9236bccd73ce93bfce81e99232a8533 CVE-2017-1000473 (Linux Dash up to version v2 is vulnerable to multiple command injectio ...) NOT-FOR-US: Linux Dash CVE-2017-1000472 (The ZipCommon::isValidPath() function in Zip/src/ZipCommon.cpp in POCO ...) {DSA-4083-1 DLA-1239-1} - poco 1.8.0-2 NOTE: https://github.com/pocoproject/poco/issues/1968 CVE-2017-1000471 (EmbedThis GoAhead Webserver version 4.0.0 is vulnerable to a NULL poin ...) NOT-FOR-US: EmbedThis GoAhead Webserver CVE-2017-1000470 (EmbedThis GoAhead Webserver versions 4.0.0 and earlier is vulnerable t ...) NOT-FOR-US: EmbedThis GoAhead Webserver CVE-2017-1000469 (Cobbler version up to 2.8.2 is vulnerable to a command injection vulne ...) - cobbler (bug #886480) NOTE: https://github.com/cobbler/cobbler/issues/1845 CVE-2017-1000467 (LavaLite version 5.2.4 is vulnerable to stored cross-site scripting vu ...) NOT-FOR-US: LavaLite CVE-2017-1000462 (BookStack version 0.18.4 is vulnerable to stored cross-site scripting, ...) NOT-FOR-US: BookStack CVE-2017-1000461 (Brave Software's Brave Browser, version 0.19.73 (and earlier) is vulne ...) - brave-browser (bug #864795) CVE-2017-1000460 (In line libavcodec/h264dec.c:500 in libav(v13_dev0), ffmpeg(n3.4), chr ...) {DLA-1740-1} - libav - ffmpeg 7:3.1.1-1 NOTE: https://bugzilla.libav.org/show_bug.cgi?id=952 NOTE: https://lists.ffmpeg.org/pipermail/ffmpeg-cvslog/2017-January/104221.html CVE-2017-18196 (Leptonica 1.74.4 constructs unintended pathnames (containing duplicate ...) - leptonlib 1.74.4-2 (low; bug #885704) [stretch] - leptonlib (Minor issue) [jessie] - leptonlib (Vulnerable code not present) [wheezy] - leptonlib (Vulnerable code not present) CVE-2017-18017 (The tcpmss_mangle_packet function in net/netfilter/xt_TCPMSS.c in the ...) 
{DSA-4187-1 DLA-1369-1} - linux 4.11.6-1 [stretch] - linux 4.9.47-1 NOTE: Fixed by: https://git.kernel.org/linus/2638fd0f92d4397884fd991d8f4925cb3f081901 CVE-2017-18016 (Parity Browser 1.6.10 and earlier allows remote attackers to bypass th ...) NOT-FOR-US: Paritytech Parity Ethereum CVE-2017-1000493 (Rocket.Chat Server version 0.59 and prior is vulnerable to a NoSQL inj ...) NOT-FOR-US: Rocket.Chat Server CVE-2017-1000492 (Leanote-desktop version v2.5 is vulnerable to a XSS which leads to cod ...) NOT-FOR-US: Leanote-desktop CVE-2017-1000491 (Shiba markdown live preview app version 1.1.0 is vulnerable to XSS whi ...) NOT-FOR-US: Shiba markdown live preview app CVE-2017-1000466 (Invoice Ninja version 3.8.1 is vulnerable to stored cross-site scripti ...) NOT-FOR-US: Invoice Ninja CVE-2017-1000463 (Leafpub version 1.2.0-beta6 is vulnerable to stored cross-site scripti ...) NOT-FOR-US: Leafpub CVE-2017-1000459 (Leanote version <= 2.5 is vulnerable to XSS due to not sanitized in ...) NOT-FOR-US: Leanote CVE-2017-1000438 (In OMERO 5.3.3 or earlier a user could create an OriginalFile and adju ...) NOT-FOR-US: OMERO CVE-2017-1000437 (Creolabs Gravity 1.0 contains a stack based buffer overflow in the ope ...) NOT-FOR-US: Creolabs Gravity CVE-2017-1000434 (Wordpress plugin Furikake version 0.1.0 is vulnerable to an Open Redir ...) NOT-FOR-US: Wordpress plugin Furikake CVE-2017-1000433 (pysaml2 version 4.4.0 and older accept any password when run with pyth ...) {DLA-2577-1 DLA-1410-1} - python-pysaml2 4.5.0-2 (bug #886423) NOTE: https://github.com/rohe/pysaml2/issues/451 NOTE: Fixed by: https://github.com/rohe/pysaml2/commit/6312a41e037954850867f29d329e5007df1424a5 CVE-2017-1000432 (Vanilla Forums below 2.1.5 are affected by CSRF leading to Deleting to ...) NOT-FOR-US: Vanilla Forums CVE-2017-1000427 (marked version 0.3.6 and earlier is vulnerable to an XSS attack in the ...) 
- node-marked 0.3.9+dfsg-1 (unimportant; bug #886451) NOTE: https://github.com/chjj/marked/commit/cd2f6f5b7091154c5526e79b5f3bfb4d15995a51 NOTE: nodejs not covered by security support CVE-2017-1000426 (MapProxy version 1.10.3 and older is vulnerable to a Cross Site Script ...) - mapproxy 1.10.4-1 (low) [stretch] - mapproxy 1.9.0-3+deb9u1 NOTE: https://github.com/mapproxy/mapproxy/issues/322 NOTE: https://github.com/mapproxy/mapproxy/commit/2e102843203c11b02c002daa08ca59d05d5eff5a (master) NOTE: https://github.com/mapproxy/mapproxy/commit/87faa667007b00ef11ee09b16707aa9ad2e8da28 (1.10.x) CVE-2017-1000425 (Cross-site scripting (XSS) vulnerability in the /html/portal/flash.jsp ...) NOT-FOR-US: Liferay Portal CE CVE-2017-1000458 (Bro before Bro v2.5.2 is vulnerable to an out of bounds write in the C ...) - bro 2.5.2-1 [stretch] - bro (Minor issue) NOTE: https://bro-tracker.atlassian.net/browse/BIT-1856 NOTE: https://github.com/bro/bro/commit/6c0f101a62489b1c5927b4ed63b0e1d37db40282 CVE-2017-1000457 (Cross-site scripting (XSS) vulnerability in Help.aspx in mojoPortal ve ...) NOT-FOR-US: mojoPortal CVE-2017-1000456 (freedesktop.org libpoppler 0.60.1 fails to validate boundaries in Text ...) {DSA-4097-1 DLA-1228-1} - poppler 0.61.1-2 NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=103116 NOTE: Fixed by: https://cgit.freedesktop.org/poppler/poppler/commit/?id=7ee9dadef37b20bca707a6b1e858e17d191e368b CVE-2017-1000455 (GuixSD prior to Git commit 5e66574a128937e7f2fcf146d146225703ccfd5d us ...) - guix (Fixed before initial upload to Debian) NOTE: https://lists.gnu.org/archive/html/guix-devel/2017-10/msg00090.html NOTE: https://git.savannah.gnu.org/cgit/guix.git/commit/?id=5e66574a128937e7f2fcf146d146225703ccfd5d (v0.14.0) CVE-2017-1000454 (CMS Made Simple 2.1.6, 2.2, 2.2.1 are vulnerable to Smarty Template In ...) NOT-FOR-US: CMS Made Simple CVE-2017-1000453 (CMS Made Simple version 2.1.6 and 2.2 are vulnerable to Smarty templat ...) 
NOT-FOR-US: CMS Made Simple CVE-2017-1000452 (An XML Signature Wrapping vulnerability exists in Samlify 2.2.0 and ea ...) NOT-FOR-US: Samlify CVE-2017-1000451 (fs-git is a file system like api for git repository. The fs-git versio ...) NOT-FOR-US: fs-git CVE-2017-1000450 (In opencv/modules/imgcodecs/src/utils.cpp, functions FillUniColor and ...) {DLA-1438-1 DLA-1235-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #886282) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9723 NOTE: https://github.com/blendin/pocs/blob/master/opencv/0.OOB_Write_FillUniColor NOTE: https://github.com/opencv/opencv/pull/9726 CVE-2017-1000449 REJECTED CVE-2017-1000448 (Structured Data Linter versions 2.4.1 and older are vulnerable to a di ...) NOT-FOR-US: Structured Data Linter CVE-2017-1000445 (ImageMagick 7.0.7-1 and older version are vulnerable to null pointer d ...) {DLA-2366-1 DLA-1785-1 DLA-1229-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #886281) NOTE: https://github.com/ImageMagick/ImageMagick/issues/775 NOTE: https://github.com/ImageMagick/ImageMagick/commit/441fde32557eb3cec573b0f877ac324173feed7f NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/839a14e43d0c88db7b3fffe8aa4ec57d80c93623 CVE-2017-1000444 (Eleix Openhacker version 0.1.47 is vulnerable to an SQL injection in t ...) NOT-FOR-US: Eleix Openhacker CVE-2017-1000443 (Eleix Openhacker version 0.1.47 is vulnerable to a XSS vulnerability i ...) NOT-FOR-US: Eleix Openhacker CVE-2017-1000442 (Passbolt API version 1.6.4 and older are vulnerable to a XSS in the ur ...) NOT-FOR-US: Passbolt API CVE-2017-1000431 (eZ Systems eZ Publish version 5.4.0 to 5.4.9, and 5.3.12 and older, is ...) NOT-FOR-US: eZ Systems eZ Publish CVE-2017-1000430 (rust-base64 version <= 0.5.1 is vulnerable to a buffer overflow whe ...) 
NOTE: https://github.com/RustSec/advisory-db/blob/master/crates/base64/RUSTSEC-2017-0004.toml NOT-FOR-US: rust-base64 CVE-2017-1000424 (Github Electron version 1.6.4 - 1.6.11 and 1.7.0 - 1.7.5 is vulnerable ...) - electron (bug #842420) CVE-2017-1000423 (b2evolution version 6.6.0 - 6.8.10 is vulnerable to input validation ( ...) - b2evolution CVE-2017-1000422 (Gnome gdk-pixbuf 2.36.8 and older is vulnerable to several integer ove ...) {DSA-4088-1 DLA-1234-1} - gdk-pixbuf 2.36.11-1 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=785973 NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=0012e066ba37439d402ce46afbc1311530a4ec61 CVE-2017-1000421 (Gifsicle gifview 1.89 and older is vulnerable to a use-after-free in t ...) {DSA-4084-1 DLA-1233-1} - gifsicle 1.90-1 NOTE: https://github.com/kohler/gifsicle/issues/114 NOTE: https://github.com/kohler/gifsicle/commit/81fd7823f6d9c85ab598bc850e40382068361185 CVE-2017-1000420 (Syncthing version 0.14.33 and older is vulnerable to symlink traversal ...) - syncthing 0.14.36+ds1-1 [stretch] - syncthing (Minor issue) NOTE: https://github.com/syncthing/syncthing/commit/1f09488a0f1fdca07076b007b9789f23a6df1060 (v0.14.34) NOTE: https://github.com/syncthing/syncthing/commit/a0f771c221f6ef18fcc496e736670d85f36b8dec NOTE: https://github.com/syncthing/syncthing/issues/4286 CVE-2017-1000419 (phpBB version 3.2.0 is vulnerable to SSRF in the Remote Avatar functio ...) - phpbb3 [jessie] - phpbb3 (Vulnerable code not present) [wheezy] - phpbb3 (Vulnerable code not present) CVE-2017-1000418 (The WildMidi_Open function in WildMIDI since commit d8a466829c67cacbb1 ...) 
- wildmidi 0.4.2-1 (bug #886503) [stretch] - wildmidi (Minor issue) [jessie] - wildmidi (Vulnerable code introduced later) [wheezy] - wildmidi (Vulnerable code introduced later) NOTE: https://github.com/Mindwerks/wildmidi/issues/178 NOTE: https://github.com/Mindwerks/wildmidi/commit/814f31d8eceda8401eb812fc2e94ed143fdad0ab CVE-2017-1000413 (Linaro's open source TEE solution called OP-TEE, version 2.4.0 (and ol ...) NOT-FOR-US: OP-TEE CVE-2017-1000412 (Linaro's open source TEE solution called OP-TEE, version 2.4.0 (and ol ...) NOT-FOR-US: OP-TEE CVE-2017-18015 (The ILLID Share This Image plugin before 1.04 for WordPress has XSS vi ...) NOT-FOR-US: ILLID Share This Image plugin for WordPress CVE-2017-18014 (An NC-25986 issue was discovered in the Logging subsystem of Sophos XG ...) NOT-FOR-US: Sophos CVE-2017-18013 (In LibTIFF 4.0.9, there is a Null-Pointer Dereference in the tif_print ...) {DSA-4100-1 DLA-1260-1 DLA-1259-1} - tiff 4.0.9-3 (bug #885985) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2770 NOTE: https://gitlab.com/libtiff/libtiff/commit/c6f41df7b581402dfba3c19a1e3df4454c551a01 CVE-2017-18012 (The Z-URL Preview plugin 1.6.1 for WordPress has XSS via the class.zli ...) NOT-FOR-US: Z-URL Preview plugin for WordPress CVE-2017-18011 (The MyCBGenie Affiliate Ads for Clickbank Products plugin through 1.6 ...) NOT-FOR-US: MyCBGenie Affiliate Ads for Clickbank Products plugin WordPress CVE-2017-18010 (The E-goi Smart Marketing SMS and Newsletters Forms plugin before 2.0. ...) NOT-FOR-US: E-goi Smart Marketing SMS and Newsletters Forms plugin for WordPress CVE-2017-18009 (In OpenCV 3.3.1, a heap-based buffer over-read exists in the function ...) 
[experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 4.1.2+dfsg-3 (low; bug #924884) [buster] - opencv (Minor issue) [stretch] - opencv (Vulnerable code introduced later) [jessie] - opencv (Vulnerable code introduced later) [wheezy] - opencv (Vulnerable code introduced later) NOTE: https://github.com/opencv/opencv/issues/10479 NOTE: Introduced after: https://github.com/opencv/opencv/commit/7469c935f3ec8e9fe4f56b7eed07b284b7b7b5df NOTE: Fixed: https://github.com/opencv/opencv/commit/4ca89db22dea962690f31c1781bce5937ee91837 CVE-2017-18008 (In ImageMagick 7.0.7-17 Q16, there is a Memory Leak in ReadPWPImage in ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/921 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1a5f95fc018a5667de5a9448aee9d7251b2eb952 CVE-2017-18007 RESERVED CVE-2017-18006 (netpub/server.np in Extensis Portfolio NetPublish has XSS in the quick ...) NOT-FOR-US: Extensis Portfolio NetPublish CVE-2017-18005 (Exiv2 0.26 has a Null Pointer Dereference in the Exiv2::DataValue::toL ...) - exiv2 0.27.2-6 (low; bug #885981) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (Minor issue) [wheezy] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/168 NOTE: Fixed via: https://github.com/Exiv2/exiv2/pull/199 CVE-2017-18004 (Zurmo 3.2.3 allows XSS via the latitude or longitude parameter to maps ...) NOT-FOR-US: Zurmo CVE-2017-18003 RESERVED CVE-2017-18002 RESERVED CVE-2017-18001 (Trustwave Secure Web Gateway (SWG) through 11.8.0.27 allows remote att ...) NOT-FOR-US: Trustwave Secure Web Gateway CVE-2017-18000 RESERVED CVE-2017-17999 (SQL injection vulnerability in RISE Ultimate Project Manager 1.9 allow ...) NOT-FOR-US: RISE Ultimate Project Manager CVE-2017-17998 RESERVED CVE-2017-17997 (In Wireshark before 2.2.12, the MRDISC dissector misuses a NULL pointe ...) 
{DLA-1634-1} - wireshark 2.4.0-1 [wheezy] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2018-02.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14299 NOTE: https://code.wireshark.org/review/#/c/25063/ NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=80a695869c9aef2fb473d9361da068022be7cb50 CVE-2017-17996 (A buffer overflow vulnerability in "Add command" functionality exists ...) NOT-FOR-US: Flexense SyncBreeze Enterprise CVE-2017-17995 (Biometric Shift Employee Management System has XSS via the Last_Name p ...) NOT-FOR-US: Biometric Shift Employee Management System CVE-2017-17994 (Biometric Shift Employee Management System has XSS via the criteria pa ...) NOT-FOR-US: Biometric Shift Employee Management System CVE-2017-17993 (Biometric Shift Employee Management System has XSS via the amount para ...) NOT-FOR-US: Biometric Shift Employee Management System CVE-2017-17992 (Biometric Shift Employee Management System allows Arbitrary File Downl ...) NOT-FOR-US: Biometric Shift Employee Management System CVE-2017-17991 (Biometric Shift Employee Management System has XSS via the expense_nam ...) NOT-FOR-US: Biometric Shift Employee Management System CVE-2017-17990 (Biometric Shift Employee Management System has CSRF via index.php in a ...) NOT-FOR-US: Biometric Shift Employee Management System CVE-2017-17989 (Biometric Shift Employee Management System has XSS via the index.php h ...) NOT-FOR-US: Biometric Shift Employee Management System CVE-2017-17988 (PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/event ...) NOT-FOR-US: PHP Scripts Mall Muslim Matrimonial Script CVE-2017-17987 (PHP Scripts Mall Muslim Matrimonial Script allows arbitrary file uploa ...) NOT-FOR-US: PHP Scripts Mall Muslim Matrimonial Script CVE-2017-17986 (PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/caste ...) 
NOT-FOR-US: PHP Scripts Mall Muslim Matrimonial Script CVE-2017-17985 (PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/state ...) NOT-FOR-US: PHP Scripts Mall Muslim Matrimonial Script CVE-2017-17984 (PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/event ...) NOT-FOR-US: PHP Scripts Mall Muslim Matrimonial Script CVE-2017-17983 (PHP Scripts Mall Muslim Matrimonial Script has SQL injection via the v ...) NOT-FOR-US: PHP Scripts Mall Muslim Matrimonial Script CVE-2017-17982 (PHP Scripts Mall Muslim Matrimonial Script has CSRF via admin/subadmin ...) NOT-FOR-US: PHP Scripts Mall Muslim Matrimonial Script CVE-2017-17981 (PHP Scripts Mall Muslim Matrimonial Script has XSS via the admin/slide ...) NOT-FOR-US: PHP Scripts Mall Muslim Matrimonial Script CVE-2017-17980 RESERVED CVE-2017-17979 RESERVED CVE-2017-17978 RESERVED CVE-2017-17977 RESERVED CVE-2017-17976 (In Utilities.php in Perfex CRM 1.9.7, Unrestricted file upload can lea ...) NOT-FOR-US: Perfex CRM CVE-2017-17975 (Use-after-free in the usbtv_probe function in drivers/media/usb/usbtv/ ...) {DSA-4188-1} - linux 4.15.17-1 [jessie] - linux (Vulnerable code path not present) [wheezy] - linux (Vulnerable code path not present) CVE-2017-17974 (BA SYSTEMS BAS Web on BAS920 devices (with Firmware 01.01.00*, HTTPser ...) NOT-FOR-US: BA SYSTEMS BAS Web on BAS920 devices CVE-2017-17973 (** DISPUTED ** In LibTIFF 4.0.8, there is a heap-based use-after-free ...) - tiff (unimportant) - tiff3 (unimportant) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2769 NOTE: Details on the issue are not confirmed by the reporter after several attempts NOTE: and this does look like a non-issue. More reproducible reports are from SUSE in NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1074318#c5 claiming this might be NOTE: a duplicate of CVE-2017-9935. Unless the reporter provides more details on NOTE: upstream report go and consider this as non-issue. 
CVE-2017-1000447 REJECTED CVE-2017-1000446 REJECTED CVE-2017-1000440 REJECTED CVE-2017-1000436 REJECTED CVE-2017-1000435 REJECTED CVE-2017-1000501 (Awstats version 7.6 and earlier is vulnerable to a path traversal flaw ...) {DSA-4092-1 DLA-1238-1} - awstats 7.6+dfsg-2 (bug #885835) NOTE: https://github.com/eldy/awstats/commit/cf219843a74c951bf5986f3a7fffa3dcf99c3899 NOTE: https://github.com/eldy/awstats/commit/06c0ab29c1e5059d9e0279c6b64d573d619e1651 CVE-2017-17972 (packages/subjects/pub/subjects.php in Archon 3.21 rev-1 has XSS in the ...) NOT-FOR-US: Archon CVE-2017-17971 (The test_sql_and_script_inject function in htdocs/main.inc.php in Doli ...) - dolibarr (bug #885828) NOTE: https://github.com/Dolibarr/dolibarr/issues/8000 CVE-2017-17970 (Multiple SQL injection vulnerabilities in Muviko 1.1 allow remote atta ...) NOT-FOR-US: Muviko CVE-2017-17969 (Heap-based buffer overflow in the NCompress::NShrink::CDecoder::CodeRe ...) {DSA-4104-1 DLA-1268-1} - p7zip 16.02+dfsg-5 (bug #888297) NOTE: https://landave.io/2018/01/7-zip-multiple-memory-corruptions-via-rar-and-zip/ NOTE: Fixed in upstream 18.00-beta. CVE-2017-17968 (A buffer overflow vulnerability in NetTransport.exe in NetTransport Do ...) NOT-FOR-US: NetTransport Download Manager CVE-2017-17967 (pptreader.dll in Kingsoft WPS Office 10.1.0.6930 allows remote attacke ...) NOT-FOR-US: Kingsoft WPS Office CVE-2017-17966 RESERVED CVE-2017-17965 RESERVED CVE-2017-17964 RESERVED CVE-2017-17963 RESERVED CVE-2017-17962 RESERVED CVE-2017-17961 RESERVED CVE-2017-17960 (PHP Scripts Mall PHP Multivendor Ecommerce has CSRF via admin/sellerup ...) NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce CVE-2017-17959 (PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the s ...) NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce CVE-2017-17958 (PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the my_wishlist ...) 
NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce CVE-2017-17957 (PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the m ...) NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce CVE-2017-17956 (PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the admin/selle ...) NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce CVE-2017-17955 (PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the shopping-ca ...) NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce CVE-2017-17954 (PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the seller-view ...) NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce CVE-2017-17953 (PHP Scripts Mall PHP Multivendor Ecommerce has XSS via the category.ph ...) NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce CVE-2017-17952 (PHP Scripts Mall PHP Multivendor Ecommerce has a predicable registrati ...) NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce CVE-2017-17951 (PHP Scripts Mall PHP Multivendor Ecommerce has SQL Injection via the s ...) NOT-FOR-US: PHP Scripts Mall PHP Multivendor Ecommerce CVE-2017-17950 (Cells Blog 3.5 has SQL Injection via the pub_readpost.php ptid paramet ...) NOT-FOR-US: Cells Blog CVE-2017-17949 (Cells Blog 3.5 has XSS via the pub_readpost.php fmid parameter. ...) NOT-FOR-US: Cells Blog CVE-2017-17948 (Cells Blog 3.5 has XSS via the jfdname parameter in an act=showpic req ...) NOT-FOR-US: Cells Blog CVE-2017-17947 (A cross site scripting issue has been found in custompage.cgi in Pulse ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2017-1000411 (OpenFlow Plugin and OpenDayLight Controller versions Nitrogen, Carbon, ...) NOT-FOR-US: OpenDayLight CVE-2017-17946 (A buffer overflow in Handy Password 4.9.3 allows remote attackers to e ...) NOT-FOR-US: Handy Password CVE-2017-17945 (The ASUS HiVivo aspplication before 5.6.27 for ASUS Watch has Missing ...) 
NOT-FOR-US: ASUS HiVivo CVE-2017-17944 (The ASUS Vivobaby application before 1.1.09 for Android has Missing SS ...) NOT-FOR-US: ASUS Vivobaby application CVE-2017-17943 RESERVED CVE-2017-17942 (In LibTIFF 4.0.9, there is a heap-based buffer over-read in the functi ...) - tiff 4.0.6-3 (unimportant; bug #885579) [jessie] - tiff 4.0.3-12.3+deb8u2 - tiff3 (unimportant) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2767 NOTE: https://gitlab.com/libtiff/libtiff/issues/120 NOTE: No patch available. Marked as wontfix by upstream. NOTE: bmp2tiff was removed in 4.0.6-3 and DSA 3762, marking as fixed NOTE: although technically still present in the source package. CVE-2017-17941 (PHP Scripts Mall Single Theater Booking has SQL Injection via the admi ...) NOT-FOR-US: PHP Scripts Mall Single Theater Booking CVE-2017-17940 (PHP Scripts Mall Single Theater Booking has XSS via the title paramete ...) NOT-FOR-US: PHP Scripts Mall Single Theater Booking CVE-2017-17939 (PHP Scripts Mall Single Theater Booking has CSRF via admin/sitesetting ...) NOT-FOR-US: PHP Scripts Mall Single Theater Booking CVE-2017-17938 (PHP Scripts Mall Single Theater Booking has XSS via the admin/viewthea ...) NOT-FOR-US: PHP Scripts Mall Single Theater Booking CVE-2017-17937 (Vanguard Marketplace Digital Products PHP has XSS via the phps_query p ...) NOT-FOR-US: Vanguard Marketplace Digital Products PHP CVE-2017-17936 (Vanguard Marketplace Digital Products PHP has CSRF via /search. ...) NOT-FOR-US: Vanguard Marketplace Digital Products PHP CVE-2017-17935 (The File_read_line function in epan/wslua/wslua_file.c in Wireshark th ...) 
{DLA-1634-1} - wireshark 2.4.4-1 (bug #885831) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14295 NOTE: https://code.wireshark.org/review/#/c/24997/ NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=137ab7d5681486c6d6cc8faac4300b7cd4ec0cf1 CVE-2017-17934 (ImageMagick 7.0.7-17 Q16 x86_64 has memory leaks in coders/msl.c, rela ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/920 NOTE: https://github.com/ImageMagick/ImageMagick/commit/3755d2289b032919c065f6ab11ef570063f7f828 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/08278c7cf1c0b4f1da4cdcfaa857ff6b2373a1b2 CVE-2017-17933 (cgi/surgeftpmgr.cgi (aka the Web Manager interface on TCP port 7021 or ...) NOT-FOR-US: NetWin SurgeFTP CVE-2017-17932 (A buffer overflow vulnerability exists in MediaServer.exe in ALLPlayer ...) NOT-FOR-US: ALLPlayer CVE-2017-17931 (PHP Scripts Mall Resume Clone Script has SQL Injection via the forget. ...) NOT-FOR-US: PHP Scripts Mall Resume Clone Script CVE-2017-17930 (PHP Scripts Mall Professional Service Script has CSRF via admin/genera ...) NOT-FOR-US: PHP Scripts Mall Professional Service Script CVE-2017-17929 (PHP Scripts Mall Professional Service Script has XSS via the admin/ban ...) NOT-FOR-US: PHP Scripts Mall Professional Service Script CVE-2017-17928 (PHP Scripts Mall Professional Service Script has SQL injection via the ...) NOT-FOR-US: PHP Scripts Mall Professional Service Script CVE-2017-17927 (PHP Scripts Mall Professional Service Script allows remote attackers t ...) NOT-FOR-US: PHP Scripts Mall Professional Service Script CVE-2017-17926 (PHP Scripts Mall Professional Service Script has a predicable registra ...) NOT-FOR-US: PHP Scripts Mall Professional Service Script CVE-2017-17925 (PHP Scripts Mall Professional Service Script has XSS via the admin/gen ...) 
NOT-FOR-US: PHP Scripts Mall Professional Service Script CVE-2017-17924 (PHP Scripts Mall Professional Service Script allows remote attackers t ...) NOT-FOR-US: PHP Scripts Mall Professional Service Script CVE-2017-17923 RESERVED CVE-2017-17922 RESERVED CVE-2017-17921 RESERVED CVE-2017-17920 (** DISPUTED ** SQL injection vulnerability in the 'reorder' method in ...) - rails (unimportant) NOTE: https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/ NOTE: All of those methods accept arbitrary SQL by design. CVE-2017-17919 (** DISPUTED ** SQL injection vulnerability in the 'order' method in Ru ...) - rails (unimportant) NOTE: https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/ NOTE: All of those methods accept arbitrary SQL by design. CVE-2017-17918 RESERVED CVE-2017-17917 (** DISPUTED ** SQL injection vulnerability in the 'where' method in Ru ...) - rails (unimportant) NOTE: https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/ NOTE: All of those methods accept arbitrary SQL by design. CVE-2017-17916 (** DISPUTED ** SQL injection vulnerability in the 'find_by' method in ...) - rails (unimportant) NOTE: https://kay-malwarebenchmark.github.io/blog/ruby-on-rails-arbitrary-sql-injection/ NOTE: All of those methods accept arbitrary SQL by design. CVE-2017-17915 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a heap-based buff ...) {DSA-4321-1 DLA-1401-1 DLA-1231-1} - graphicsmagick 1.3.27-3 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/1721f1b7e67a NOTE: https://sourceforge.net/p/graphicsmagick/bugs/535/ CVE-2017-17914 (In ImageMagick 7.0.7-16 Q16, a vulnerability was found in the function ...) 
	{DLA-2366-1 DLA-1785-1 DLA-1227-1}
	- imagemagick 8:6.9.9.34+dfsg-3 (bug #886584)
	NOTE: https://github.com/ImageMagick/ImageMagick/issues/908
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/650ec57d84b7b1dce66435b8cd3b58f7ae66db1b
	NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/42781eeebadf111a2e01559735ea504a78192046
CVE-2017-17913 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a stack-based buf ...)
	{DSA-4321-1}
	- graphicsmagick 1.3.27-3
	[jessie] - graphicsmagick (webp feature was not compiled in)
	[wheezy] - graphicsmagick (webp feature has not been implemented)
	NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/88313ebe379c
	NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/6dda3c33f35f
	NOTE: https://sourceforge.net/p/graphicsmagick/bugs/536/
CVE-2017-17912 (In GraphicsMagick 1.4 snapshot-20171217 Q8, there is a heap-based buff ...)
	{DSA-4321-1 DLA-1401-1 DLA-1231-1}
	- graphicsmagick 1.3.27-3
	NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/0d871e813a4f
	NOTE: https://sourceforge.net/p/graphicsmagick/bugs/533/
CVE-2017-17911 (packages/core/contact.php in Archon 3.21 rev-1 has XSS in the referer ...)
	NOT-FOR-US: Archon
CVE-2017-17910 (On Hoermann BiSecur devices before 2018, a vulnerability can be exploi ...)
	NOT-FOR-US: Hoermann BiSecur
CVE-2017-17909 (PHP Scripts Mall Responsive Realestate Script has XSS via the admin/ge ...)
	NOT-FOR-US: PHP Scripts Mall Responsive Realestate Script
CVE-2017-17908 (PHP Scripts Mall Responsive Realestate Script has CSRF via admin/gener ...)
	NOT-FOR-US: PHP Scripts Mall Responsive Realestate Script
CVE-2017-17907 (PHP Scripts Mall Car Rental Script has XSS via the admin/areaedit.php ...)
	NOT-FOR-US: PHP Scripts Mall Car Rental Script
CVE-2017-17906 (PHP Scripts Mall Car Rental Script has SQL Injection via the admin/car ...)
	NOT-FOR-US: PHP Scripts Mall Car Rental Script
CVE-2017-17905 (PHP Scripts Mall Car Rental Script has CSRF via admin/sitesettings.php ...)
	NOT-FOR-US: PHP Scripts Mall Car Rental Script
CVE-2017-17904 (FS Lynda Clone has XSS via the keywords parameter to tutorial/ or the ...)
	NOT-FOR-US: FS Lynda Clone
CVE-2017-17903 (FS Lynda Clone has CSRF via user/edit_profile, as demonstrated by addi ...)
	NOT-FOR-US: FS Lynda Clone
CVE-2017-17902 (SQL Injection exists in Kliqqi CMS 3.5.2 via the randkey parameter of ...)
	NOT-FOR-US: Kliqqi CMS
CVE-2017-17901 (ZyXEL P-660HW v3 devices allow remote attackers to cause a denial of s ...)
	NOT-FOR-US: ZyXEL
CVE-2017-17900 (SQL injection vulnerability in fourn/index.php in Dolibarr ERP/CRM ver ...)
	- dolibarr (bug #885321)
	NOTE: https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c
CVE-2017-17899 (SQL injection vulnerability in adherents/subscription/info.php in Doli ...)
	- dolibarr (bug #885321)
	NOTE: https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c
CVE-2017-17898 (Dolibarr ERP/CRM version 6.0.4 does not block direct requests to *.tpl ...)
	- dolibarr (bug #885321)
	NOTE: https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c
	NOTE: https://github.com/Dolibarr/dolibarr/commit/6a62e139604dbbd5729e57df2433b37a5950c35c
CVE-2017-17897 (SQL injection vulnerability in comm/multiprix.php in Dolibarr ERP/CRM ...)
	- dolibarr (bug #885321)
	NOTE: https://github.com/Dolibarr/dolibarr/commit/4a5988accbb770b74105baacd5a034689272128c
CVE-2017-17896 (Readymade Job Site Script has XSS via the keyword parameter to the /jo ...)
	NOT-FOR-US: Readymade Job Site Script
CVE-2017-17895 (Readymade Job Site Script has SQL Injection via the location_name arra ...)
	NOT-FOR-US: Readymade Job Site Script
CVE-2017-17894 (Readymade Job Site Script has CSRF via the /job URI. ...)
	NOT-FOR-US: Readymade Job Site Script
CVE-2017-17893 (Readymade Video Sharing Script has XSS via the search_video.php search ...)
	NOT-FOR-US: Readymade Video Sharing Script
CVE-2017-17892 (Readymade Video Sharing Script has SQL Injection via the viewsubs.php ...)
	NOT-FOR-US: Readymade Video Sharing Script
CVE-2017-17891 (Readymade Video Sharing Script has CSRF via user-profile-edit.php. ...)
	NOT-FOR-US: Readymade Video Sharing Script
CVE-2017-17890
	RESERVED
CVE-2017-17889 (Kliqqi CMS 3.5.2 has XSS via a crafted group name in pligg/groups.php, ...)
	NOT-FOR-US: Kliqqi CMS
CVE-2017-17888 (cgi-bin/write.cgi in Anti-Web through 3.8.7, as used on NetBiter / HMS ...)
	NOT-FOR-US: Anti-Web
CVE-2017-17887 (In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was found in ...)
	- imagemagick 8:6.9.9.34+dfsg-3 (unimportant)
	NOTE: https://github.com/ImageMagick/ImageMagick/issues/903
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/7a42f63927e7f2e26846b7ed4560e9cb4984af7b
	NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/dddce3e790b5b0f5dad91a7960de67af5bdea789
CVE-2017-17886 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...)
	- imagemagick 8:6.9.9.34+dfsg-3 (unimportant)
	NOTE: https://github.com/ImageMagick/ImageMagick/issues/874
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/8204599ef0e85324876459e5d45db00660920482
	NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/4a71d71f4ae289b6672102efaef6543643e8efb8
CVE-2017-17885 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...)
	- imagemagick 8:6.9.9.34+dfsg-3 (unimportant)
	NOTE: https://github.com/ImageMagick/ImageMagick/issues/879
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/2ba085736fd49ad89c1937d1ee2b80ae4e11ab97
	NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/5e863ae629010110772321fd181bac34c4b57345
CVE-2017-17884 (In ImageMagick 7.0.7-16 Q16, a memory leak vulnerability was found in ...)
	- imagemagick 8:6.9.9.34+dfsg-3 (unimportant)
	NOTE: https://github.com/ImageMagick/ImageMagick/issues/902
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/4d6accd355119d54429a86a1859b8329f0130f30
	NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/82f20a898107a9c1ef6ad2024c4b191719b294ea
CVE-2017-17883 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...)
	- imagemagick 8:6.9.9.34+dfsg-3 (unimportant)
	NOTE: https://github.com/ImageMagick/ImageMagick/issues/877
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/b0a7241df0f889cc3158ba82774ff21fa1da87ec
	NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/2a1ec7d97f356e9fb6dbc328da17d93ab7a8167c
CVE-2017-17882 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...)
	- imagemagick 8:6.9.9.34+dfsg-3 (unimportant)
	NOTE: https://github.com/ImageMagick/ImageMagick/issues/880
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/903f14eb94521aa6dca9d9ac55d3d9a6c7676a63
	NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/92fbef516b94ed96fa2a672831acd5dafb242ac5
CVE-2017-17881 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...)
	- imagemagick 8:6.9.9.34+dfsg-3 (unimportant)
	NOTE: https://github.com/ImageMagick/ImageMagick/issues/878
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/ece953bbe14e8514afc23e05e4030eea872e29da
	NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/aa601d79a630f6de0694fadbeee31456a357fa73
CVE-2017-17880 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a stack-based ...)
	- imagemagick 8:6.9.9.39+dfsg-1 (unimportant)
	NOTE: https://github.com/ImageMagick/ImageMagick/issues/907
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/4b5d1edb02c432040e3ff894d0c461bcce6fd2c9
	NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/663b3b432c202cd2aeda7ea7e82b74cce51ab1cf
	NOTE: webp support not enabled, see #806425
CVE-2017-17879 (In ImageMagick 7.0.7-16 Q16 x86_64 2017-12-21, there is a heap-based b ...)
	{DSA-4204-1 DSA-4074-1 DLA-1227-1}
	- imagemagick 8:6.9.9.34+dfsg-3 (bug #885125)
	NOTE: https://github.com/ImageMagick/ImageMagick/issues/906
	NOTE: https://github.com/ImageMagick/ImageMagick/commit/72b3994a948a8a90dc664f3e7f72464878a31fbf
	NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/e41f18ecccbdd1c38e1382057718e91e8f8d6d80
CVE-2017-17878 (An issue was discovered in Valve Steam Link build 643. Root passwords ...)
	NOT-FOR-US: Valve Steam Link
CVE-2017-17877 (An issue was discovered in Valve Steam Link build 643. When the SSH da ...)
	NOT-FOR-US: Valve Steam Link
CVE-2017-17876 (Biometric Shift Employee Management System 3.0 allows remote attackers ...)
	NOT-FOR-US: Biometric Shift Employee Management System
CVE-2017-17875 (The JEXTN FAQ Pro extension 4.0.0 for Joomla! has SQL Injection via th ...)
	NOT-FOR-US: JEXTN FAQ Pro extension for Joomla!
CVE-2017-17874 (Vanguard Marketplace Digital Products PHP 1.4 allows arbitrary file up ...)
	NOT-FOR-US: Vanguard Marketplace Digital Products PHP
CVE-2017-17873 (Vanguard Marketplace Digital Products PHP 1.4 has SQL Injection via th ...)
	NOT-FOR-US: Vanguard Marketplace Digital Products PHP
CVE-2017-17872 (The JEXTN Video Gallery extension 3.0.5 for Joomla! has SQL Injection ...)
	NOT-FOR-US: JEXTN Video Gallery extension for Joomla!
CVE-2017-17871 (The "JEXTN Question And Answer" extension 3.1.0 for Joomla! has SQL In ...)
	NOT-FOR-US: "JEXTN Question And Answer" extension for Joomla!
CVE-2017-17870 (The JBuildozer extension 1.4.1 for Joomla! has SQL Injection via the a ...)
	NOT-FOR-US: JBuildozer extension for Joomla!
CVE-2017-17869 (The mgl-instagram-gallery plugin for WordPress has XSS via the single- ...)
	NOT-FOR-US: mgl-instagram-gallery plugin for WordPress
CVE-2017-17868 (In Liferay Portal 6.1.0, the tags section has XSS via a Public Render ...)
	NOT-FOR-US: Liferay Portal
CVE-2017-17867 (Inteno iopsys 2.0-3.14 and 4.0 devices allow remote authenticated user ...)
	NOT-FOR-US: Inteno iopsys
CVE-2017-17866 (pdf/pdf-write.c in Artifex MuPDF before 1.12.0 mishandles certain leng ...)
	{DSA-4334-1}
	- mupdf 1.12.0+ds1-1 (bug #885120)
	[jessie] - mupdf (Minor issue)
	[wheezy] - mupdf (Minor issue)
	NOTE: Fixed by: https://git.ghostscript.com/?p=mupdf.git;h=520cc26d18c9ee245b56e9e91f9d4fcae02be5f0
	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698699 (not public)
CVE-2017-17865
	RESERVED
CVE-2017-17864 (kernel/bpf/verifier.c in the Linux kernel through 4.14.8 mishandles st ...)
	{DSA-4073-1}
	- linux 4.14.7-1
	[jessie] - linux (Vulnerable code not present)
	[wheezy] - linux (Vulnerable code not present)
CVE-2017-17863 (kernel/bpf/verifier.c in the Linux kernel 4.9.x through 4.9.71 does no ...)
	{DSA-4073-1}
	- linux 4.14.7-1
	[jessie] - linux (Vulnerable code not present)
	[wheezy] - linux (Vulnerable code not present)
	NOTE: https://www.spinics.net/lists/stable/msg206985.html
CVE-2017-17862 (kernel/bpf/verifier.c in the Linux kernel through 4.14.8 ignores unrea ...)
	{DSA-4073-1}
	- linux 4.14.7-1
	[jessie] - linux (Vulnerable code not present)
	[wheezy] - linux (Vulnerable code not present)
	NOTE: Fixed by: https://git.kernel.org/linus/c131187db2d3fa2f8bf32fdf4e9a4ef805168467
	NOTE: https://www.spinics.net/lists/stable/msg206984.html
CVE-2017-17861
	RESERVED
CVE-2017-17860 (In Samsung Gear products, Bluetooth link key is updated to the differe ...)
	NOT-FOR-US: Samsung
CVE-2017-17859 (Samsung Internet Browser 6.2.01.12 allows remote attackers to bypass t ...)
	NOT-FOR-US: Samsung Internet Browser
CVE-2017-17858 (Heap-based buffer overflow in the ensure_solid_xref function in pdf/pd ...)
	- mupdf (Vulnerable code introduced in 1.11.1)
	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698819 (not public)
	NOTE: Fixed by: https://git.ghostscript.com/?p=mupdf.git;a=commit;h=55c3f68d638ac1263a386e0aaa004bb6e8bde731
	NOTE: Commit https://git.ghostscript.com/?p=mupdf.git;a=commit;h=f595e889b91a674eb94db7ca4d832da54f5194cd
	NOTE: switches to use int64_t for public file API offsets and introduced the flaw.
	NOTE: https://github.com/mzet-/Security-Advisories/blob/master/mzet-adv-2017-01.md
CVE-2017-17851
	RESERVED
CVE-2017-17850 (An issue was discovered in Asterisk 13.18.4 and older, 14.7.4 and olde ...)
	- asterisk 1:13.18.5~dfsg-1 (bug #885072)
	[stretch] - asterisk (Vulnerable code introduced after 13.15.0)
	[jessie] - asterisk (Vulnerable code introduced after 13.15.0)
	[wheezy] - asterisk (Vulnerable code introduced after 13.15.0)
	NOTE: http://downloads.asterisk.org/pub/security/AST-2017-014.html
	NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27480
CVE-2017-17849 (A buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712 a ...)
	NOT-FOR-US: GetGo Download Manager
CVE-2017-17857 (The check_stack_boundary function in kernel/bpf/verifier.c in the Linu ...)
	- linux 4.14.7-1
	[stretch] - linux (Vulnerable code introduced later)
	[jessie] - linux (Vulnerable code introduced later)
	[wheezy] - linux (Vulnerable code introduced later)
	NOTE: Fixed by: https://git.kernel.org/linus/ea25f914dc164c8d56b36147ecc86bc65f83c469
CVE-2017-17856 (kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local ...)
	- linux 4.14.7-1
	[stretch] - linux (Vulnerable code introduced later)
	[jessie] - linux (Vulnerable code introduced later)
	[wheezy] - linux (Vulnerable code introduced later)
	NOTE: Fixed by: https://git.kernel.org/linus/a5ec6ae161d72f01411169a938fa5f8baea16e8f
CVE-2017-17855 (kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local ...)
	- linux 4.14.7-1
	[stretch] - linux (Vulnerable code introduced later)
	[jessie] - linux (Vulnerable code introduced later)
	[wheezy] - linux (Vulnerable code introduced later)
	NOTE: Fixed by: https://git.kernel.org/linus/179d1c5602997fef5a940c6ddcf31212cbfebd14
CVE-2017-17854 (kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local ...)
	- linux 4.14.7-1
	[stretch] - linux (Vulnerable code introduced later)
	[jessie] - linux (Vulnerable code introduced later)
	[wheezy] - linux (Vulnerable code introduced later)
	NOTE: Fixed by: https://git.kernel.org/linus/bb7f0f989ca7de1153bd128a40a71709e339fa03
CVE-2017-17853 (kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local ...)
	- linux 4.14.7-1
	[stretch] - linux (Vulnerable code introduced later)
	[jessie] - linux (Vulnerable code introduced later)
	[wheezy] - linux (Vulnerable code introduced later)
	NOTE: Fixed by: https://git.kernel.org/linus/4374f256ce8182019353c0c639bb8d0695b4c941
CVE-2017-17852 (kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local ...)
	- linux 4.14.7-1
	[stretch] - linux (Vulnerable code introduced later)
	[jessie] - linux (Vulnerable code introduced later)
	[wheezy] - linux (Vulnerable code introduced later)
	NOTE: Fixed by: https://git.kernel.org/linus/468f6eafa6c44cb2c5d8aad35e12f06c240a812a
CVE-2017-17842
	RESERVED
CVE-2017-17841 (Palo Alto Networks PAN-OS 6.1, 7.1, and 8.0.x before 8.0.7, when an in ...)
	NOT-FOR-US: Palo Alto Networks PAN-OS
CVE-2017-17840 (An issue was discovered in Open-iSCSI through 2.0.875. A local attacke ...)
	- open-iscsi 2.0.874-5 (bug #885021)
	[stretch] - open-iscsi (Minor issue)
	[jessie] - open-iscsi (Minor issue, iscsiuio not built in this version, source affected)
	[wheezy] - open-iscsi (Vulnerable code not present)
	NOTE: https://www.openwall.com/lists/oss-security/2017/12/13/2
	NOTE: https://bugzilla.opensuse.org/show_bug.cgi?id=1072312
	NOTE: Specific CVE fixed by https://github.com/open-iscsi/open-iscsi/pull/72/commits/b9c33683bdc0aed28ffe31c3f3d50bf5cdf519ea
	NOTE: But all of the commits in https://github.com/open-iscsi/open-iscsi/pull/72
	NOTE: should be applied.
	NOTE: Not marking the issue as unimportant, since vulnerable source is present, but
	NOTE: not in all suites iscsiuio is built.
CVE-2017-17839
	REJECTED
CVE-2017-17838
	REJECTED
CVE-2017-17837 (The Apache DeltaSpike-JSF 1.8.0 module has a XSS injection leak in the ...)
	NOT-FOR-US: Apache DeltaSpike-JSF module
CVE-2017-17836 (In Apache Airflow 1.8.2 and earlier, an experimental Airflow feature d ...)
	- airflow (bug #819700)
CVE-2017-17835 (In Apache Airflow 1.8.2 and earlier, a CSRF vulnerability allowed for ...)
	- airflow (bug #819700)
CVE-2017-17834
	REJECTED
CVE-2017-17833 (OpenSLP releases in the 1.0.2 and 1.1.0 code streams have a heap-relat ...)
	{DLA-2025-1 DLA-1364-1}
	- openslp-dfsg (low)
	NOTE: https://sourceforge.net/p/openslp/mercurial/ci/151f07745901cbdba6e00e4889561b4083250da1/
CVE-2017-17832 (ServersCheck Monitoring Software before 14.2.3 is prone to a cross-sit ...)
	NOT-FOR-US: ServersCheck Monitoring Software
CVE-2017-17843 (An issue was discovered in Enigmail before 1.9.9 that allows remote at ...)
	{DSA-4070-1 DLA-1219-1}
	- enigmail 2:1.9.9-1
	NOTE: https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf
CVE-2017-17844 (An issue was discovered in Enigmail before 1.9.9. A remote attacker ca ...)
	{DSA-4070-1 DLA-1219-1}
	- enigmail 2:1.9.9-1
	NOTE: https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf
CVE-2017-17845 (An issue was discovered in Enigmail before 1.9.9. Improper Random Secr ...)
	{DSA-4070-1 DLA-1219-1}
	- enigmail 2:1.9.9-1
	NOTE: https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf
CVE-2017-17846 (An issue was discovered in Enigmail before 1.9.9. Regular expressions ...)
	{DSA-4070-1 DLA-1219-1}
	- enigmail 2:1.9.9-1
	NOTE: https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf
CVE-2017-17847 (An issue was discovered in Enigmail before 1.9.9. Signature spoofing i ...)
	{DSA-4070-1 DLA-1219-1}
	- enigmail 2:1.9.9-1
	NOTE: https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf
CVE-2017-17848 (An issue was discovered in Enigmail before 1.9.9. In a variant of CVE- ...)
	{DSA-4070-1 DLA-1219-1}
	- enigmail 2:1.9.9-1
	NOTE: https://enigmail.net/download/other/Enigmail%20Pentest%20Report%20by%20Cure53%20-%20Excerpt.pdf
CVE-2017-17831 (GitHub Git LFS before 2.1.1 allows remote attackers to execute arbitra ...)
	- git-lfs (Fixed before initial upload to Debian)
	NOTE: https://github.com/git-lfs/git-lfs/pull/2242
	NOTE: https://github.com/git-lfs/git-lfs/releases/tag/v2.1.1
CVE-2017-17830 (Bus Booking Script has CSRF via admin/new_master.php. ...)
	NOT-FOR-US: Bus Booking Script
CVE-2017-17829 (Bus Booking Script has SQL Injection via the admin/view_seatseller.php ...)
	NOT-FOR-US: Bus Booking Script
CVE-2017-17828 (Bus Booking Script has XSS via the results.php datepicker parameter or ...)
	NOT-FOR-US: Bus Booking Script
CVE-2017-17827 (Piwigo 2.9.2 is vulnerable to Cross-Site Request Forgery via /admin.ph ...)
	- piwigo
	NOTE: https://github.com/Piwigo/Piwigo/issues/822
	NOTE: https://github.com/Piwigo/Piwigo/commit/c3b4c6f7f0ddeaea492080fb8211d7b4cfedaf6f
	NOTE: https://github.com/Piwigo/Piwigo/commit/77f02bfd76ed13dd14044d04cdd8d28213e1848d
CVE-2017-17826 (The Configuration component of Piwigo 2.9.2 is vulnerable to Persisten ...)
	- piwigo
CVE-2017-17825 (The Batch Manager component of Piwigo 2.9.2 is vulnerable to Persisten ...)
	- piwigo
CVE-2017-17824 (The Batch Manager component of Piwigo 2.9.2 is vulnerable to SQL Injec ...)
	- piwigo
CVE-2017-17823 (The Configuration component of Piwigo 2.9.2 is vulnerable to SQL Injec ...)
	- piwigo
CVE-2017-17822 (The List Users API of Piwigo 2.9.2 is vulnerable to SQL Injection via ...)
	- piwigo
CVE-2017-17821 (WTF/wtf/FastBitVector.h in WebKit, as distributed in Safari Technology ...)
	- webkit2gtk 2.22.0-2 (unimportant)
	NOTE: https://bugs.webkit.org/show_bug.cgi?id=181020 (not public)
	NOTE: Not covered by security support
CVE-2017-17820 (In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in pp_l ...)
	- nasm 2.13.02-0.1
	[stretch] - nasm (Minor issue)
	[jessie] - nasm (Minor issue)
	[wheezy] - nasm (Minor issue)
	NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392433
CVE-2017-17819 (In Netwide Assembler (NASM) 2.14rc0, there is an illegal address acces ...)
	- nasm 2.13.02-0.1
	[stretch] - nasm (Minor issue)
	[jessie] - nasm (Minor issue)
	[wheezy] - nasm (Minor issue)
	NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392435
	NOTE: https://github.com/netwide-assembler/nasm/commit/7524cfd91492e6e3719b959498be584a9ced13af (nasm-2.13.02rc3)
CVE-2017-17818 (In Netwide Assembler (NASM) 2.14rc0, there is a heap-based buffer over ...)
	- nasm 2.13.02-0.1
	[stretch] - nasm (Minor issue)
	[jessie] - nasm (Minor issue)
	[wheezy] - nasm (Minor issue)
	NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392428
CVE-2017-17817 (In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in pp_v ...)
	- nasm 2.13.02-0.1
	[stretch] - nasm (Minor issue)
	[jessie] - nasm (Minor issue)
	[wheezy] - nasm (Minor issue)
	NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392427
CVE-2017-17816 (In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in pp_g ...)
	- nasm 2.13.02-0.1
	[stretch] - nasm (Minor issue)
	[jessie] - nasm (Minor issue)
	[wheezy] - nasm (Minor issue)
	NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392426
CVE-2017-17815 (In Netwide Assembler (NASM) 2.14rc0, there is an illegal address acces ...)
	- nasm 2.13.02-0.1
	[stretch] - nasm (Minor issue)
	[jessie] - nasm (Minor issue)
	[wheezy] - nasm (Minor issue)
	NOTE: https://github.com/netwide-assembler/nasm/commit/c9244eaadd05b27637cde06021bac3fa1d920aa3 (nasm-2.13.02rc3)
	NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392436
CVE-2017-17814 (In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in do_d ...)
	- nasm 2.13.02-0.1
	[stretch] - nasm (Minor issue)
	[jessie] - nasm (Minor issue)
	[wheezy] - nasm (Minor issue)
	NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392430
CVE-2017-17813 (In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in the ...)
	- nasm 2.13.02-0.1
	[stretch] - nasm (Minor issue)
	[jessie] - nasm (Minor issue)
	[wheezy] - nasm (Minor issue)
	NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392429
CVE-2017-17812 (In Netwide Assembler (NASM) 2.14rc0, there is a heap-based buffer over ...)
	- nasm 2.13.02-0.1
	[stretch] - nasm (Minor issue)
	[jessie] - nasm (Minor issue)
	[wheezy] - nasm (Minor issue)
	NOTE: https://github.com/netwide-assembler/nasm/commit/9b7ee09abfd426b99aa1ea81d19a3b2818eeabf9 (nasm-2.13.02rc3)
	NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392424
CVE-2017-17811 (In Netwide Assembler (NASM) 2.14rc0, there is a heap-based buffer over ...)
	- nasm 2.13.02-0.1
	[stretch] - nasm (Minor issue)
	[jessie] - nasm (Minor issue)
	[wheezy] - nasm (Minor issue)
	NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392432
CVE-2017-17810 (In Netwide Assembler (NASM) 2.14rc0, there is a "SEGV on unknown addre ...)
	- nasm 2.13.02-0.1
	[stretch] - nasm (Minor issue)
	[jessie] - nasm (Minor issue)
	[wheezy] - nasm (Minor issue)
	NOTE: https://github.com/netwide-assembler/nasm/commit/59ce1c67b16967c652765e62aa130b7e43f21dd4 (nasm-2.13.02rc3)
	NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392431
CVE-2017-17809 (In Golden Frog VyprVPN before 2.15.0.5828 for macOS, the vyprvpnservic ...)
	NOT-FOR-US: Golden Frog VyprVPN
CVE-2017-17808
	RESERVED
CVE-2017-17807 (The KEYS subsystem in the Linux kernel before 4.14.6 omitted an access ...)
	{DSA-4082-1 DSA-4073-1 DLA-1232-1}
	- linux 4.14.7-1
	NOTE: Fixed by: https://git.kernel.org/linus/4dca6ea1d9432052afb06baf2e3ae78188a4410b (v4.15-rc3)
CVE-2017-17806 (The HMAC implementation (crypto/hmac.c) in the Linux kernel before 4.1 ...)
	{DSA-4082-1 DSA-4073-1 DLA-1232-1}
	- linux 4.14.7-1
	NOTE: Fixed by: https://git.kernel.org/linus/af3ff8045bbf3e32f1a448542e73abb4c8ceb6f1 (v4.15-rc4)
CVE-2017-17805 (The Salsa20 encryption algorithm in the Linux kernel before 4.14.8 doe ...)
	{DSA-4082-1 DSA-4073-1 DLA-1232-1}
	- linux 4.14.7-1
	NOTE: Fixed by: https://git.kernel.org/linus/ecaaab5649781c5a0effdaf298a925063020500e (4.15-rc4)
CVE-2017-17804 (In IKARUS anti.virus 2.16.20, the driver file (ntguard.SYS) allows loc ...)
	NOT-FOR-US: IKARUS anti.virus
CVE-2017-17803 (In TG Soft Vir.IT eXplorer Lite 8.5.65, the driver file (VIRAGTLT.SYS) ...)
	NOT-FOR-US: TG Soft Vir.IT eXplorer Lite
CVE-2017-17802 (In TG Soft Vir.IT eXplorer Lite 8.5.65, the driver file (VIRAGTLT.SYS) ...)
	NOT-FOR-US: TG Soft Vir.IT eXplorer Lite
CVE-2017-17801 (In TG Soft Vir.IT eXplorer Lite 8.5.65, the driver file (VIRAGTLT.SYS) ...)
	NOT-FOR-US: TG Soft Vir.IT eXplorer Lite
CVE-2017-17800 (In TG Soft Vir.IT eXplorer Lite 8.5.65, the driver file (VIRAGTLT.SYS) ...)
	NOT-FOR-US: TG Soft Vir.IT eXplorer Lite
CVE-2017-17799 (In TG Soft Vir.IT eXplorer Lite 8.5.65, the driver file (VIRAGTLT.SYS) ...)
	NOT-FOR-US: TG Soft Vir.IT eXplorer Lite
CVE-2017-17798 (In TG Soft Vir.IT eXplorer Lite 8.5.42, the driver file (VIRAGTLT.SYS) ...)
	NOT-FOR-US: TG Soft Vir.IT eXplorer Lite
CVE-2017-17797 (In IKARUS anti.virus 2.16.20, the driver file (ntguard.SYS) allows loc ...)
	NOT-FOR-US: IKARUS anti.virus
CVE-2017-17796 (In TG Soft Vir.IT eXplorer Lite 8.5.65, the driver file (VIRAGTLT.SYS) ...)
	NOT-FOR-US: TG Soft Vir.IT eXplorer Lite
CVE-2017-17795 (In IKARUS anti.virus 2.16.20, the driver file (ntguard.SYS) allows loc ...)
	NOT-FOR-US: IKARUS anti.virus
CVE-2017-17794 (validate_form_preferences in admin/preferences.php in BlogoText throug ...)
	NOT-FOR-US: BlogoText
CVE-2017-17793 (Information Disclosure vulnerability in creer_fichier_zip in admin/mai ...)
	NOT-FOR-US: BlogoText
CVE-2017-17792 (Cross site scripting (XSS) vulnerability in the markup_clean_href func ...)
	NOT-FOR-US: BlogoText
CVE-2017-17791
	RESERVED
CVE-2017-17790 (The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 us ...)
	{DSA-4259-1 DLA-1421-1 DLA-1222-1 DLA-1221-1}
	- ruby2.5 2.5.0-1 (bug #884878)
	- ruby2.3 (bug #884879)
	- ruby2.1
	- ruby1.9.1
	- ruby1.8
	NOTE: https://github.com/ruby/ruby/pull/1777
	NOTE: Fixed by: https://github.com/ruby/ruby/commit/e7464561b5151501beb356fc750d5dd1a88014f7
CVE-2017-17783 (In GraphicsMagick 1.3.27a, there is a buffer over-read in ReadPALMImag ...)
	{DSA-4321-1}
	- graphicsmagick 1.3.27-2 (bug #884904)
	[jessie] - graphicsmagick (Minor issue)
	[wheezy] - graphicsmagick (vulnerable code not present, unreproducible with ASAN)
	NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=60932931559a
	NOTE: https://sourceforge.net/p/graphicsmagick/bugs/529/
CVE-2017-17782 (In GraphicsMagick 1.3.27a, there is a heap-based buffer over-read in R ...)
	{DSA-4321-1 DLA-1401-1 DLA-1231-1}
	- graphicsmagick 1.3.27-2 (bug #884905)
	NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=8e3d2264109c
	NOTE: https://sourceforge.net/p/graphicsmagick/bugs/530/
CVE-2017-17781
	REJECTED
CVE-2017-17780 (The Clockwork SMS clockwork-test-message.php component has XSS via a c ...)
	NOT-FOR-US: Clockwork SMS plugins for WordPress
CVE-2017-17779 (Paid To Read Script 2.0.5 has SQL injection via the referrals.php id p ...)
	NOT-FOR-US: Paid To Read Script
CVE-2017-17778 (Paid To Read Script 2.0.5 has XSS via the referrals.php tier parameter ...)
	NOT-FOR-US: Paid To Read Script
CVE-2017-17777 (Paid To Read Script 2.0.5 has authentication bypass in the admin panel ...)
	NOT-FOR-US: Paid To Read Script
CVE-2017-17776 (Paid To Read Script 2.0.5 has full path disclosure via an invalid admi ...)
	NOT-FOR-US: Paid To Read Script
CVE-2017-17775 (Piwigo 2.9.2 has XSS via the name parameter in an admin.php?page=album ...)
	- piwigo
CVE-2017-17774 (admin/configuration.php in Piwigo 2.9.2 has CSRF. ...)
	- piwigo
CVE-2017-17773 (In Snapdragon Automobile, Snapdragon Wearable and Snapdragon Mobile MD ...)
	NOT-FOR-US: Android Qualcomm closed-source components
CVE-2017-17772
	RESERVED
	NOT-FOR-US: Qualcomm component for Android
CVE-2017-17771 (In msm_isp_prepare_v4l2_buf in Android for MSM, Firefox OS for MSM, an ...)
	NOT-FOR-US: Qualcomm component for Android
CVE-2017-17770 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...)
	NOT-FOR-US: Android Linux component (source code not available, so probably Android-specific)
CVE-2017-17769 (Information leakage in Android for MSM, Firefox OS for MSM, and QRD An ...)
	NOT-FOR-US: Qualcomm component for Android
CVE-2017-17768
	RESERVED
CVE-2017-17767 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm component for Android
CVE-2017-17766 (In wma_peer_info_event_handler() in Android for MSM, Firefox OS for MS ...)
	NOT-FOR-US: Qualcomm component for Android
CVE-2017-17765 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm component for Android
CVE-2017-17764 (In all Qualcomm products with Android releases from CAF using the Linu ...)
	NOT-FOR-US: Qualcomm component for Android
CVE-2017-17763 (SuperBeam through 4.1.3, when using the LAN or WiFi Direct Share featu ...)
	NOT-FOR-US: SuperBeam
CVE-2017-17762 (XML external entity (XXE) vulnerability in Episerver 7 patch 4 and ear ...)
	NOT-FOR-US: Qualcomm component for Android
CVE-2017-17761 (An issue was discovered on Ichano AtHome IP Camera devices. The device ...)
	NOT-FOR-US: Ichano AtHome IP Camera
CVE-2017-17476 (Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5. ...)
	{DSA-4069-1 DLA-1215-1}
	- otrs2 6.0.3-1 (bug #884801)
	NOTE: https://www.otrs.com/security-advisory-2017-10-security-update-otrs-framework/
	NOTE: OTRS-6: https://github.com/OTRS/otrs/commit/36e3be99cfe8a9e09afa1b75fdc39f3e28f561fc
	NOTE: OTRS-5: https://github.com/OTRS/otrs/commit/720c73fbf53e476ca7dfdf2ae1d4d3d2aad2b953
	NOTE: OTRS-4: https://github.com/OTRS/otrs/commit/26707eaaa791648e6c7ad6aeaa27efd70e7c66eb
CVE-2017-17785 (In GIMP 2.8.22, there is a heap-based buffer overflow in the fli_read_ ...)
	{DSA-4077-1 DLA-1220-1}
	- gimp 2.8.20-1.1 (bug #884836)
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=739133
	NOTE: https://git.gnome.org/browse/gimp/commit/?id=edb251a7ef1602d20a5afcbf23f24afb163de63b (master)
	NOTE: https://git.gnome.org/browse/gimp/commit/?id=1882bac996a20ab5c15c42b0c5e8f49033a1af54 (gimp-2-8)
	NOTE: Can be reproduced (at least in wheezy) with "valgrind --trace-children=yes gimp "
CVE-2017-17786 (In GIMP 2.8.22, there is a heap-based buffer over-read in ReadImage in ...)
	{DSA-4077-1 DLA-1220-1}
	- gimp 2.8.20-1.1 (unimportant; bug #884862)
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=739134
	NOTE: https://git.gnome.org/browse/gimp/commit/?id=674b62ad45b6579ec6d7923dc3cb1ef4e8b5498b (master)
	NOTE: https://git.gnome.org/browse/gimp/commit/?id=8ea316667c8a3296bce2832b3986b58d0fdfc077 (master)
	NOTE: https://git.gnome.org/browse/gimp/commit/?h=gimp-2-8&id=ef9c821fff8b637a2178eab1c78cae6764c50e12 (gimp-2-8)
	NOTE: https://git.gnome.org/browse/gimp/commit/?h=gimp-2-8&id=22e2571c25425f225abdb11a566cc281fca6f366 (gimp-2-8)
	NOTE: Crash in desktop tool, no/negligible security impact
CVE-2017-17788 (In GIMP 2.8.22, there is a stack-based buffer over-read in xcf_load_st ...)
	{DSA-4077-1 DLA-1220-1}
	- gimp 2.8.20-1.1 (unimportant; bug #885347)
	NOTE: https://git.gnome.org/browse/gimp/commit/?id=702c4227e8b6169f781e4bb5ae4b5733f51ab126 (master)
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=790783
	NOTE: Crash in desktop tool, no/negligible security impact
CVE-2017-17784 (In GIMP 2.8.22, there is a heap-based buffer over-read in load_image i ...)
	{DSA-4077-1 DLA-1220-1}
	- gimp 2.8.20-1.1 (unimportant; bug #884925)
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=790784
	NOTE: https://git.gnome.org/browse/gimp/commit/?id=06d24a79af94837d615d0024916bb95a01bf3c59 (master)
	NOTE: https://git.gnome.org/browse/gimp/commit/?id=c57f9dcf1934a9ab0cd67650f2dea18cb0902270 (gimp-2-8)
	NOTE: Crash in desktop tool, no/negligible security impact
CVE-2017-17789 (In GIMP 2.8.22, there is a heap-based buffer overflow in read_channel_ ...)
	{DSA-4077-1 DLA-1220-1}
	- gimp 2.8.20-1.1 (bug #884837)
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=790849
	NOTE: https://git.gnome.org/browse/GIMP/commit/?id=28e95fbeb5720e6005a088fa811f5bf3c1af48b8 (master)
	NOTE: https://git.gnome.org/browse/GIMP/commit/?id=01898f10f87a094665a7fdcf7153990f4e511d3f (gimp-2-8)
	NOTE: Cannot be reproduced in wheezy with "valgrind --trace-children=yes gimp "
	NOTE: Some OOB read/write can be reproduced in sid with "valgrind --trace-children=yes gimp "
CVE-2017-17787 (In GIMP 2.8.22, there is a heap-based buffer over-read in read_creator ...)
	{DSA-4077-1 DLA-1220-1}
	- gimp 2.8.20-1.1 (unimportant; bug #884927)
	NOTE: https://git.gnome.org/browse/GIMP/commit/?id=eb2980683e6472aff35a3117587c4f814515c74d (master)
	NOTE: https://git.gnome.org/browse/GIMP/commit/?id=87ba505fff85989af795f4ab6a047713f4d9381d (gimp-2-8)
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=790853
	NOTE: Crash in desktop tool, no/negligible security impact
CVE-2017-17760 (OpenCV 3.3.1 has a Buffer Overflow in the cv::PxMDecoder::readData fun ...)
	{DLA-1438-1 DLA-1235-1}
	[experimental] - opencv 3.4.4+dfsg-1~exp1
	- opencv 3.2.0+dfsg-6 (bug #885843)
	[stretch] - opencv (Minor issue)
	NOTE: https://github.com/opencv/opencv/issues/10351
	NOTE: https://github.com/opencv/opencv/pull/10369/commits/7bbe1a53cfc097b82b1589f7915a2120de39274c
CVE-2017-17759 (Conarc iChannel allows remote attackers to obtain sensitive informatio ...)
NOT-FOR-US: Conarc iChannel CVE-2017-17758 (TP-Link TL-WVR and TL-WAR devices allow remote authenticated users to ...) NOT-FOR-US: TP-Link CVE-2017-17757 (TP-Link TL-WVR and TL-WAR devices allow remote authenticated users to ...) NOT-FOR-US: TP-Link CVE-2017-17756 RESERVED CVE-2017-17755 RESERVED CVE-2017-17754 RESERVED CVE-2017-17753 (Multiple cross-site scripting (XSS) vulnerabilities in the esb-csv-imp ...) NOT-FOR-US: esb-csv-import-export plugin for WordPress CVE-2017-17752 (Ability Mail Server 3.3.2 has Cross Site Scripting (XSS) via the body ...) NOT-FOR-US: Ability Mail Server CVE-2017-17751 (Bose SoundTouch devices allows remote attackers to achieve remote cont ...) NOT-FOR-US: Bose SoundTouch devices CVE-2017-17750 (Bose SoundTouch devices allow XSS via a crafted public playlist from S ...) NOT-FOR-US: Bose SoundTouch devices CVE-2017-17749 (Bose SoundTouch devices allow XSS via crafted song data from a music s ...) NOT-FOR-US: Bose SoundTouch devices CVE-2017-17748 RESERVED CVE-2017-17747 (Weak access controls in the Device Logout functionality on the TP-Link ...) NOT-FOR-US: TP-Link CVE-2017-17746 (Weak access control methods on the TP-Link TL-SG108E 1.0.0 allow any u ...) NOT-FOR-US: TP-Link CVE-2017-17745 (Cross-site scripting (XSS) vulnerability in system_name_set.cgi in TP- ...) NOT-FOR-US: TP-Link CVE-2017-17744 (A cross-site scripting (XSS) vulnerability in the custom-map plugin th ...) NOT-FOR-US: custom-map plugin for WordPress CVE-2017-17743 (Improper input sanitization within the restricted administration shell ...) NOT-FOR-US: UCOPIA Wireless Appliance CVE-2017-17742 (Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x befo ...) 
{DSA-4259-1 DLA-2330-1 DLA-2027-1 DLA-1421-1 DLA-1359-1 DLA-1358-1} - jruby (bug #972230) - ruby2.5 2.5.1-1 - ruby2.3 - ruby2.1 - ruby1.9.1 - ruby1.8 NOTE: https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/ NOTE: https://github.com/jruby/jruby/releases/tag/9.2.12.0 NOTE: https://github.com/ruby/ruby/commit/d9d4a28f1cdd05a0e8dabb36d747d40bbcc30f16 CVE-2017-17741 (The KVM implementation in the Linux kernel through 4.14.7 allows attac ...) {DSA-4082-1 DSA-4073-1 DLA-1232-1} - linux 4.14.7-1 NOTE: https://www.spinics.net/lists/kvm/msg160796.html CVE-2017-17740 (contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when bot ...) - openldap (unimportant) NOTE: http://www.openldap.org/its/index.cgi/Incoming?id=8759 NOTE: nops slapd-module not built CVE-2017-17739 (The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and bel ...) NOT-FOR-US: BrightSign Digital Signage CVE-2017-17738 (The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and bel ...) NOT-FOR-US: BrightSign Digital Signage CVE-2017-17737 (The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and bel ...) NOT-FOR-US: BrightSign Digital Signage CVE-2017-17736 (Kentico 9.0 before 9.0.51 and 10.0 before 10.0.48 allows remote attack ...) NOT-FOR-US: Kentico CVE-2017-17735 (CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login inf ...) NOT-FOR-US: CMS Made Simple (CMSMS) CVE-2017-17734 (CMS Made Simple (CMSMS) before 2.2.5 does not properly cache login inf ...) NOT-FOR-US: CMS Made Simple (CMSMS) CVE-2017-17733 (Maccms 8.x allows remote command execution via the wd parameter in an ...) NOT-FOR-US: Maccms CVE-2017-17732 RESERVED CVE-2017-17731 (DedeCMS through 5.7 has SQL Injection via the $_FILES superglobal to p ...) NOT-FOR-US: DedeCMS CVE-2017-17730 (DedeCMS through 5.7 has SQL Injection via the logo parameter to plus/f ...) 
NOT-FOR-US: DedeCMS CVE-2017-17729 RESERVED CVE-2017-17728 RESERVED CVE-2017-17727 (DedeCMS through 5.6 allows arbitrary file upload and PHP code executio ...) NOT-FOR-US: DedeCMS CVE-2017-17726 RESERVED CVE-2017-17725 (In Exiv2 0.26, there is an integer overflow leading to a heap-based bu ...) - exiv2 (Introduced in 0.26; only affected experimental) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1525055 NOTE: https://github.com/Exiv2/exiv2/issues/188 NOTE: https://github.com/Exiv2/exiv2/pull/193 CVE-2017-17724 (In Exiv2 0.26, there is a heap-based buffer over-read in the Exiv2::Ip ...) - exiv2 (Introduced in 0.26; only affected experimental; bug #891783) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1524107 NOTE: https://github.com/Exiv2/exiv2/issues/210 NOTE: https://github.com/Exiv2/exiv2/commit/962962a8e9885ccbca28f624492f1427152a0695 CVE-2017-17723 (In Exiv2 0.26, there is a heap-based buffer over-read in the Exiv2::Im ...) - exiv2 (Introduced in 0.26; only affected experimental) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1524104 NOTE: https://github.com/Exiv2/exiv2/issues/229 NOTE: https://github.com/Exiv2/exiv2/commit/36df4bc997d74ecc447e4541e2fc3fda10586103 CVE-2017-17722 (In Exiv2 0.26, there is a reachable assertion in the readHeader functi ...) - exiv2 (Vulnerable code introduced in 0.26; only affected experimental; bug #891044) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1524116 NOTE: https://github.com/Exiv2/exiv2/issues/208 NOTE: https://github.com/Exiv2/exiv2/issues/228 (duplicate) NOTE: https://github.com/Kicer86/exiv2/commit/1647908e00a4df7246d76678e59587e62c690dcd CVE-2017-17721 (CWEBNET/WOSummary/List in ZUUSE BEIMS ContractorWeb .NET 5.18.0.0 allo ...) NOT-FOR-US: ZUUSE BEIMS ContractorWeb .NET CVE-2017-17720 RESERVED CVE-2017-17719 (A cross-site scripting (XSS) vulnerability in the wp-concours plugin t ...) 
NOT-FOR-US: wp-concours plugin for WordPress CVE-2017-17718 (The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SS ...) - ruby-net-ldap 0.16.1-1 (bug #884693) [stretch] - ruby-net-ldap (Minor issue) [jessie] - ruby-net-ldap (Documentation already states that there is no validation) [wheezy] - ruby-net-ldap (Doc always said that there is no validation) NOTE: https://github.com/ruby-ldap/ruby-net-ldap/issues/258 NOTE: Versions < 0.10 properly acknowledge in their documentation the lack of any SSL NOTE: validation, see https://sources.debian.org/src/ruby-net-ldap/0.8.0-1/lib/net/ldap.rb/#L476 NOTE: In wheezy/jessie, only reverse dependencies are redmine (which is unsupported in wheezy) NOTE: and ruby-omniauth-ldap (which has no reverse dep either). CVE-2017-17717 (Sonatype Nexus Repository Manager through 2.14.5 has weak password enc ...) NOT-FOR-US: Sonatype Nexus CVE-2017-17716 (GitLab 9.4.x before 9.4.2 does not support LDAP SSL certificate verifi ...) - gitlab (vulnerable version never uploaded to the archive) CVE-2017-17715 (The saveFile method in MediaController.java in the Telegram Messenger ...) NOT-FOR-US: Telegram Messenger for Android CVE-2017-17714 (Trape before 2017-11-05 has XSS via the /nr red parameter, the /nr vId ...) NOT-FOR-US: Trape CVE-2017-17713 (Trape before 2017-11-05 has SQL injection via the /nr red parameter, t ...) NOT-FOR-US: Trape CVE-2017-17712 (The raw_sendmsg() function in net/ipv4/raw.c in the Linux kernel throu ...) {DSA-4073-1} - linux 4.14.7-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/8f659a03a0ba9289b9aeb9b4470e6fb263d6f483 CVE-2017-17711 RESERVED CVE-2017-17710 RESERVED CVE-2017-17709 RESERVED CVE-2017-17708 (Because of insufficient authorization checks it is possible for any au ...) NOT-FOR-US: Pleasant Password Server CVE-2017-17707 (Due to missing authorization checks, any authenticated user is able to ...) 
NOT-FOR-US: Pleasant Password Server CVE-2017-17706 RESERVED CVE-2017-17705 RESERVED CVE-2017-17704 (A door-unlocking issue was discovered on Software House iStar Ultra de ...) NOT-FOR-US: Software House iStar Ultra devices CVE-2017-17703 (Synacor Zimbra Collaboration Suite (ZCS) before 8.8.3 has Persistent X ...) NOT-FOR-US: Zimbra CVE-2017-17702 RESERVED CVE-2017-17701 (K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer de ...) NOT-FOR-US: K7 Antivirus CVE-2017-17700 (K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer de ...) NOT-FOR-US: K7 Antivirus CVE-2017-17699 (K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer de ...) NOT-FOR-US: K7 Antivirus CVE-2017-17698 (Zoho ManageEngine Password Manager Pro 9 before 9.4 (9400) has reflect ...) NOT-FOR-US: Zoho ManageEngine Password Manager Pro CVE-2017-17697 (The Ping() function in ui/api/target.go in Harbor through 1.3.0-rc4 ha ...) NOT-FOR-US: Harbor CVE-2017-17696 (Techno - Portfolio Management Panel through 2017-11-16 allows full pat ...) NOT-FOR-US: Techno - Portfolio Management Panel CVE-2017-17695 (Techno - Portfolio Management Panel through 2017-11-16 allows SQL Inje ...) NOT-FOR-US: Techno - Portfolio Management Panel CVE-2017-17694 (Techno - Portfolio Management Panel through 2017-11-16 allows XSS via ...) NOT-FOR-US: Techno - Portfolio Management Panel CVE-2017-17693 (Techno - Portfolio Management Panel through 2017-11-16 does not check ...) NOT-FOR-US: Techno - Portfolio Management Panel CVE-2017-17692 (Samsung Internet Browser 5.4.02.3 allows remote attackers to bypass th ...) NOT-FOR-US: Samsung Internet Browser CVE-2017-17691 (Homeputer CL Studio fur HomeMatic 4.0 Rel 160808 and earlier uses clea ...) NOT-FOR-US: Homeputer CL Studio fur HomeMatic CVE-2017-17690 RESERVED CVE-2017-17689 (The S/MIME specification allows a Cipher Block Chaining (CBC) malleabi ...) 
- evolution (bug #898633; unimportant) - kf5-messagelib 4:18.08.1-1 (bug #899127) [stretch] - kf5-messagelib (Defaults to secure handling, change to disable it entirely can be fixed via spu) - kdepim (bug #899128) [stretch] - kdepim (Defaults to secure handling, change to disable it entirely can be fixed via spu) [jessie] - kdepim (Defaults to secure handling, change to disable it entirely can be fixed via spu) NOTE: https://efail.de NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=796135 NOTE: https://dot.kde.org/2018/05/15/efail-and-kmail NOTE: protocol vulnerability can't be fixed in implementations but they can prevent exploitation by disabling loading of remote content NOTE: kmail bug is #898634, but src:kmail is not affected, the code in question is in kf5-messagelib NOTE: kf5-messagelib: https://phabricator.kde.org/D12391 (v18.04.1) NOTE: kf5-messagelib: https://phabricator.kde.org/D12393 (v18.04.1) NOTE: kmail: https://phabricator.kde.org/D12394 CVE-2017-17688 (** DISPUTED ** The OpenPGP specification allows a Cipher Feedback Mode ...) - enigmail 2:2.0.6.1-4 (bug #898630) [jessie] - enigmail (see https://lists.debian.org/debian-lts-announce/2019/02/msg00002.html) NOTE: vulnerability is in the clients handling, not in OpenPGP NOTE: https://efail.de NOTE: possibly https://sourceforge.net/p/enigmail/source/ci/f6c111 and https://sourceforge.net/p/enigmail/source/ci/d2a83a NOTE: Marking the first 2.x version which reached unstable as fixed, see discussion in #898630 CVE-2017-17687 RESERVED CVE-2017-17686 RESERVED CVE-2017-17685 RESERVED CVE-2017-17684 (Panda Global Protection 17.0.1 allows a system crash via a 0xb3702c04 ...) NOT-FOR-US: Panda Global Protection CVE-2017-17683 (Panda Global Protection 17.0.1 allows a system crash via a 0xb3702c44 ...) NOT-FOR-US: Panda Global Protection CVE-2017-17682 (In ImageMagick 7.0.7-12 Q16, a large loop vulnerability was found in t ...) 
{DLA-2366-1 DLA-1785-1 DLA-1227-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #885942) NOTE: https://github.com/ImageMagick/ImageMagick/issues/870 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/da649f031e36753c69268c5c027e695b8ae45e9a NOTE: https://github.com/ImageMagick/ImageMagick/commit/06c8dd4de59e48d282d4f224faa64ab9012a711a CVE-2017-17681 (In ImageMagick 7.0.7-12 Q16, an infinite loop vulnerability was found ...) {DLA-2333-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #885941) [jessie] - imagemagick (Minor issue) [wheezy] - imagemagick (vulnerable code not present, unreproducible) NOTE: https://github.com/ImageMagick/ImageMagick/issues/869 NOTE: https://github.com/ImageMagick/ImageMagick/commit/f6ca1441a5260165dabc627d26f60c32af1d5678 NOTE: different fix: https://github.com/ImageMagick/ImageMagick/commit/73d59a74e0b0a864c1a9581b8a4bdbee427125e2 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/edf1b9408492b97cd08111a0a9cb123f6391dc5b NOTE: different fix for IM-6: https://github.com/ImageMagick/ImageMagick/commit/cae42160e5ab6de4b2a9433267e143ce295ae957 NOTE: The fix involves all changes made to the relevant part of coders/psd.c between NOTE: (and including) edf1b9408492b97cd08111a0a9cb123f6391dc5b and cae42160e5ab6de4b2a9433267e143ce295ae957 . CVE-2017-17680 (In ImageMagick 7.0.7-12 Q16, a memory leak vulnerability was found in ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/873 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/69601843684dd038a8397e1a12dd15777d2513bf NOTE: https://github.com/ImageMagick/ImageMagick/commit/7b97357e7f8d6ae848a4c699fe17db6fcf4bd7a9 CVE-2017-17679 RESERVED CVE-2017-17678 RESERVED CVE-2017-17677 RESERVED CVE-2017-17676 RESERVED CVE-2017-17675 RESERVED CVE-2017-17674 RESERVED CVE-2017-17673 RESERVED CVE-2017-17672 (In vBulletin through 5.3.x, there is an unauthenticated deserializatio ...) 
NOT-FOR-US: vBulletin CVE-2017-17671 (vBulletin through 5.3.x on Windows allows remote PHP code execution be ...) NOT-FOR-US: vBulletin CVE-2017-17670 (In VideoLAN VLC media player through 2.2.8, there is a type conversion ...) {DSA-4203-1} - vlc 3.0.0~rc2-1 [jessie] - vlc (See DSA-4203-1) [wheezy] - vlc (Not supported in wheezy LTS) NOTE: https://www.openwall.com/lists/oss-security/2017/12/15/1 NOTE: POC: https://gist.github.com/dyntopia/194d912287656f66dd502158b0cd2e68 CVE-2017-17669 (There is a heap-based buffer over-read in the Exiv2::Internal::PngChun ...) - exiv2 0.27.2-6 (bug #886006) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (Minor issue) [wheezy] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/187 CVE-2017-17668 (Memory write mechanism in NCR S1 Dispenser controller before firmware ...) NOT-FOR-US: NCR S1 Dispenser controller CVE-2017-17667 RESERVED CVE-2017-17666 RESERVED CVE-2017-17665 (In Octopus Deploy before 4.1.3, the machine update process doesn't che ...) NOT-FOR-US: Octopus Deploy CVE-2017-17664 (A Remote Crash issue was discovered in Asterisk Open Source 13.x befor ...) - asterisk 1:13.18.5~dfsg-1 (bug #884345) [stretch] - asterisk 1:13.14.1~dfsg-2+deb9u3 [jessie] - asterisk (Vulnerable code introduced later) [wheezy] - asterisk (Vulnerable code introduced later) NOTE: http://downloads.digium.com/pub/security/AST-2017-012.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27382 NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27429 CVE-2017-17663 (The htpasswd implementation of mini_httpd before v1.28 and of thttpd b ...) - mini-httpd (unimportant) - thttpd (unimportant) NOTE: http://acme.com/updates/archive/199.html CVE-2017-17662 (Directory traversal in the HTTP server on Yawcam 0.2.6 through 0.6.0 d ...) NOT-FOR-US: Yawcam CVE-2017-17661 RESERVED CVE-2017-17660 RESERVED CVE-2017-17659 (This vulnerability allows remote attackers to execute arbitrary code o ...) 
NOT-FOR-US: Quest NetVault Backup CVE-2017-17658 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17657 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17656 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17655 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17654 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17653 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17652 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17651 (Paid To Read Script 2.0.5 has SQL Injection via the admin/userview.php ...) NOT-FOR-US: Paid To Read Script CVE-2017-17650 RESERVED CVE-2017-17649 (Readymade Video Sharing Script 3.2 has HTML Injection via the single-v ...) NOT-FOR-US: Readymade Video Sharing Script CVE-2017-17648 (Entrepreneur Dating Script 2.0.1 has SQL Injection via the search_resu ...) NOT-FOR-US: Entrepreneur Dating Script CVE-2017-17647 RESERVED CVE-2017-17646 RESERVED CVE-2017-17645 (Bus Booking Script 1.0 has SQL Injection via the txtname parameter to ...) NOT-FOR-US: Bus Booking Script CVE-2017-17644 RESERVED CVE-2017-17643 (FS Lynda Clone 1.0 has SQL Injection via the keywords parameter to tut ...) NOT-FOR-US: FS Lynda Clone CVE-2017-17642 (Basic Job Site Script 2.0.5 has SQL Injection via the keyword paramete ...) NOT-FOR-US: Basic Job Site Script CVE-2017-17641 (Resume Clone Script 2.0.5 has SQL Injection via the preview.php id par ...) NOT-FOR-US: Resume Clone Script CVE-2017-17640 (Advanced World Database 2.0.5 has SQL Injection via the city.php count ...) 
NOT-FOR-US: Advanced World Database CVE-2017-17639 (Muslim Matrimonial Script 3.02 has SQL Injection via the success-story ...) NOT-FOR-US: Muslim Matrimonial Script CVE-2017-17638 (Groupon Clone Script 3.01 has SQL Injection via the city_ajax.php stat ...) NOT-FOR-US: Groupon Clone Script CVE-2017-17637 (Car Rental Script 2.0.4 has SQL Injection via the countrycode1.php val ...) NOT-FOR-US: Car Rental Script CVE-2017-17636 (MLM Forced Matrix 2.0.9 has SQL Injection via the news-detail.php newi ...) NOT-FOR-US: MLM Forced Matrix CVE-2017-17635 (MLM Forex Market Plan Script 2.0.4 has SQL Injection via the news_deta ...) NOT-FOR-US: MLM Forex Market Plan Script CVE-2017-17634 (Single Theater Booking Script 3.2.1 has SQL Injection via the findcity ...) NOT-FOR-US: Single Theater Booking Script CVE-2017-17633 (Multiplex Movie Theater Booking Script 3.1.5 has SQL Injection via the ...) NOT-FOR-US: Multiplex Movie Theater Booking Script CVE-2017-17632 (Responsive Events And Movie Ticket Booking Script 3.2.1 has SQL Inject ...) NOT-FOR-US: Responsive Events And Movie Ticket Booking Script CVE-2017-17631 (Multireligion Responsive Matrimonial 4.7.2 has SQL Injection via the s ...) NOT-FOR-US: Multireligion Responsive Matrimonial CVE-2017-17630 (Yoga Class Script 1.0 has SQL Injection via the /list city parameter. ...) NOT-FOR-US: Yoga Class Script CVE-2017-17629 (Secure E-commerce Script 2.0.1 has SQL Injection via the category.php ...) NOT-FOR-US: Secure E-commerce Script CVE-2017-17628 (Responsive Realestate Script 3.2 has SQL Injection via the property-li ...) NOT-FOR-US: Responsive Realestate Script CVE-2017-17627 (Readymade Video Sharing Script 3.2 has SQL Injection via the single-vi ...) NOT-FOR-US: Readymade Video Sharing Script CVE-2017-17626 (Readymade PHP Classified Script 3.3 has SQL Injection via the /categor ...) NOT-FOR-US: Readymade PHP Classified Script CVE-2017-17625 (Professional Service Script 1.0 has SQL Injection via the service-list ...) 
NOT-FOR-US: Professional Service Script CVE-2017-17624 (PHP Multivendor Ecommerce 1.0 has SQL Injection via the single_detail. ...) NOT-FOR-US: PHP Multivendor Ecommerce CVE-2017-17623 (Opensource Classified Ads Script 3.2 has SQL Injection via the advance ...) NOT-FOR-US: Opensource Classified Ads Script CVE-2017-17622 (Online Exam Test Application Script 1.6 has SQL Injection via the exam ...) NOT-FOR-US: Online Exam Test Application Script CVE-2017-17621 (Multivendor Penny Auction Clone Script 1.0 has SQL Injection via the P ...) NOT-FOR-US: Multivendor Penny Auction Clone Script CVE-2017-17620 (Lawyer Search Script 1.1 has SQL Injection via the /lawyer-list city p ...) NOT-FOR-US: Lawyer Search Script CVE-2017-17619 (Laundry Booking Script 1.0 has SQL Injection via the /list city parame ...) NOT-FOR-US: Laundry Booking Script CVE-2017-17618 (Kickstarter Clone Script 2.0 has SQL Injection via the investcalc.php ...) NOT-FOR-US: Kickstarter Clone Script CVE-2017-17617 (Foodspotting Clone Script 1.0 has SQL Injection via the quicksearch.ph ...) NOT-FOR-US: Foodspotting Clone Script CVE-2017-17616 (Event Search Script 1.0 has SQL Injection via the /event-list city par ...) NOT-FOR-US: Event Search Script CVE-2017-17615 (Facebook Clone Script 1.0 has SQL Injection via the friend-profile.php ...) NOT-FOR-US: Facebook Clone Script CVE-2017-17614 (Food Order Script 1.0 has SQL Injection via the /list city parameter. ...) NOT-FOR-US: Food Order Script CVE-2017-17613 (Freelance Website Script 2.0.6 has SQL Injection via the jobdetails.ph ...) NOT-FOR-US: Freelance Website Script CVE-2017-17612 (Hot Scripts Clone 3.1 has SQL Injection via the /categories subctid or ...) NOT-FOR-US: Hot Scripts Clone CVE-2017-17611 (Doctor Search Script 1.0 has SQL Injection via the /list city paramete ...) NOT-FOR-US: Doctor Search Script CVE-2017-17610 (E-commerce MLM Software 1.0 has SQL Injection via the service_detail.p ...) 
NOT-FOR-US: E-commerce MLM Software CVE-2017-17609 (Chartered Accountant Booking Script 1.0 has SQL Injection via the /ser ...) NOT-FOR-US: Chartered Accountant Booking Script CVE-2017-17608 (Child Care Script 1.0 has SQL Injection via the /list city parameter. ...) NOT-FOR-US: Child Care Script CVE-2017-17607 (CMS Auditor Website 1.0 has SQL Injection via the PATH_INFO to /news-d ...) NOT-FOR-US: CMS Auditor Website CVE-2017-17606 (Co-work Space Search Script 1.0 has SQL Injection via the /list city p ...) NOT-FOR-US: Co-work Space Search Script CVE-2017-17605 (Consumer Complaints Clone Script 1.0 has SQL Injection via the other-u ...) NOT-FOR-US: Consumer Complaints Clone Script CVE-2017-17604 (Entrepreneur Bus Booking Script 3.0.4 has SQL Injection via the booker ...) NOT-FOR-US: Entrepreneur Bus Booking Script CVE-2017-17603 (Advanced Real Estate Script 4.0.7 has SQL Injection via the search-res ...) NOT-FOR-US: Advanced Real Estate Script CVE-2017-17602 (Advance B2B Script 2.1.3 has SQL Injection via the tradeshow-list-deta ...) NOT-FOR-US: Advance B2B Script CVE-2017-17601 (Cab Booking Script 1.0 has SQL Injection via the /service-list city pa ...) NOT-FOR-US: Cab Booking Script CVE-2017-17600 (Basic B2B Script 2.0.8 has SQL Injection via the product_details.php i ...) NOT-FOR-US: Basic B2B Script CVE-2017-17599 (Advance Online Learning Management Script 3.1 has SQL Injection via th ...) NOT-FOR-US: Advance Online Learning Management Script CVE-2017-17598 (Affiliate MLM Script 1.0 has SQL Injection via the product-category.ph ...) NOT-FOR-US: Affiliate MLM Script CVE-2017-17597 (Nearbuy Clone Script 3.2 has SQL Injection via the category_list.php s ...) NOT-FOR-US: Nearbuy Clone Script CVE-2017-17596 (Entrepreneur Job Portal Script 2.0.6 has SQL Injection via the jobsear ...) NOT-FOR-US: Entrepreneur Job Portal Script CVE-2017-17595 (Beauty Parlour Booking Script 1.0 has SQL Injection via the /list gend ...) 
NOT-FOR-US: Beauty Parlour Booking Script CVE-2017-17594 (DomainSale PHP Script 1.0 has SQL Injection via the domain.php id para ...) NOT-FOR-US: DomainSale PHP Script CVE-2017-17593 (Simple Chatting System 1.0 allows Arbitrary File Upload via view/my_pr ...) NOT-FOR-US: Simple Chatting System CVE-2017-17592 (Website Auction Marketplace 2.0.5 has SQL Injection via the search.php ...) NOT-FOR-US: Website Auction Marketplace CVE-2017-17591 (Realestate Crowdfunding Script 2.7.2 has SQL Injection via the single- ...) NOT-FOR-US: Realestate Crowdfunding Script CVE-2017-17590 (FS Stackoverflow Clone 1.0 has SQL Injection via the /question keyword ...) NOT-FOR-US: FS Stackoverflow Clone CVE-2017-17589 (FS Thumbtack Clone 1.0 has SQL Injection via the browse-category.php c ...) NOT-FOR-US: FS Thumbtack Clone CVE-2017-17588 (FS IMDB Clone 1.0 has SQL Injection via the movie.php f parameter, tvs ...) NOT-FOR-US: FS IMDB Clone CVE-2017-17587 (FS Indiamart Clone 1.0 has SQL Injection via the catcompany.php token ...) NOT-FOR-US: FS Indiamart Clone CVE-2017-17586 (FS Olx Clone 1.0 has SQL Injection via the subpage.php scat parameter ...) NOT-FOR-US: FS Olx Clone CVE-2017-17585 (FS Monster Clone 1.0 has SQL Injection via the Employer_Details.php id ...) NOT-FOR-US: FS Monster Clone CVE-2017-17584 (FS Makemytrip Clone 1.0 has SQL Injection via the show-flight-result.p ...) NOT-FOR-US: FS Makemytrip Clone CVE-2017-17583 (FS Shutterstock Clone 1.0 has SQL Injection via the /Category keywords ...) NOT-FOR-US: FS Shutterstock Clone CVE-2017-17582 (FS Grubhub Clone 1.0 has SQL Injection via the /food keywords paramete ...) NOT-FOR-US: FS Grubhub Clone CVE-2017-17581 (FS Quibids Clone 1.0 has SQL Injection via the itechd.php productid pa ...) NOT-FOR-US: FS Quibids Clone CVE-2017-17580 (FS Linkedin Clone 1.0 has SQL Injection via the group.php grid paramet ...) NOT-FOR-US: FS Linkedin Clone CVE-2017-17579 (FS Freelancer Clone 1.0 has SQL Injection via the profile.php u parame ...) 
NOT-FOR-US: FS Freelancer Clone CVE-2017-17578 (FS Crowdfunding Script 1.0 has SQL Injection via the latest_news_detai ...) NOT-FOR-US: FS Crowdfunding Script CVE-2017-17577 (FS Trademe Clone 1.0 has SQL Injection via the search_item.php search ...) NOT-FOR-US: FS Trademe Clone CVE-2017-17576 (FS Gigs Script 1.0 has SQL Injection via the browse-category.php cat p ...) NOT-FOR-US: FS Gigs Script CVE-2017-17575 (FS Groupon Clone 1.0 has SQL Injection via the item_details.php id par ...) NOT-FOR-US: FS Groupon Clone CVE-2017-17574 (FS Care Clone 1.0 has SQL Injection via the searchJob.php jobType or j ...) NOT-FOR-US: FS Care Clone CVE-2017-17573 (FS Ebay Clone 1.0 has SQL Injection via the product.php id parameter, ...) NOT-FOR-US: FS Ebay Clone CVE-2017-17572 (FS Amazon Clone 1.0 has SQL Injection via the PATH_INFO to /VerAyari. ...) NOT-FOR-US: FS Amazon Clone CVE-2017-17571 (FS Foodpanda Clone 1.0 has SQL Injection via the /food keywords parame ...) NOT-FOR-US: FS Foodpanda Clone CVE-2017-17570 (FS Expedia Clone 1.0 has SQL Injection via the pages.php or content.ph ...) NOT-FOR-US: FS Expedia Clone CVE-2017-17569 (Scubez Posty Readymade Classifieds has XSS via the admin/user_activate ...) NOT-FOR-US: Scubez Posty Readymade Classifieds CVE-2017-17568 (Scubez Posty Readymade Classifieds has Incorrect Access Control for vi ...) NOT-FOR-US: Scubez Posty Readymade Classifieds CVE-2017-17567 (Scubez Posty Readymade Classifieds has SQL Injection via the admin/use ...) NOT-FOR-US: Scubez Posty Readymade Classifieds CVE-2017-17562 (Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is ...) NOT-FOR-US: Embedthis GoAhead CVE-2017-17561 (SeaCMS 6.56 allows remote authenticated administrators to execute arbi ...) NOT-FOR-US: SeaCMS CVE-2017-17560 (An issue was discovered on Western Digital MyCloud PR4100 2.30.172 dev ...) 
NOT-FOR-US: Western Digital MyCloud CVE-2017-17559 RESERVED CVE-2017-17565 (An issue was discovered in Xen through 4.9.x allowing PV guest OS user ...) {DSA-4112-1 DLA-1549-1 DLA-1230-1} - xen 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 NOTE: https://xenbits.xen.org/xsa/advisory-251.html CVE-2017-17564 (An issue was discovered in Xen through 4.9.x allowing guest OS users t ...) {DSA-4112-1 DLA-1549-1 DLA-1230-1} - xen 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 NOTE: https://xenbits.xen.org/xsa/advisory-250.html CVE-2017-17563 (An issue was discovered in Xen through 4.9.x allowing guest OS users t ...) {DSA-4112-1 DLA-1549-1 DLA-1230-1} - xen 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 NOTE: https://xenbits.xen.org/xsa/advisory-249.html CVE-2017-17566 (An issue was discovered in Xen through 4.9.x allowing PV guest OS user ...) {DSA-4112-1 DLA-1549-1 DLA-1230-1} - xen 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 NOTE: https://xenbits.xen.org/xsa/advisory-248.html CVE-2017-17558 (The usb_destroy_configuration function in drivers/usb/core/config.c in ...) {DSA-4082-1 DSA-4073-1 DLA-1232-1} - linux 4.14.7-1 NOTE: https://www.spinics.net/lists/linux-usb/msg163644.html NOTE: Fixed by: https://git.kernel.org/linus/48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 CVE-2017-17557 (In Foxit Reader before 9.1 and Foxit PhantomPDF before 9.1, a flaw exi ...) NOT-FOR-US: Foxit Reader CVE-2017-17556 (A debug tool in Synaptics TouchPad drivers allows local users with adm ...) NOT-FOR-US: debug tool in Synaptics TouchPad drivers CVE-2017-17555 (The swri_audio_convert function in audioconvert.c in FFmpeg libswresam ...) 
- aubio 0.4.6-1 (low; bug #884232) [stretch] - aubio (Minor issue) [jessie] - aubio (Minor issue) [wheezy] - aubio (Minor issue) NOTE: Fixed by: https://github.com/aubio/aubio/commit/265fe9a2ca606f8b9ae4a110390f26c139c01ad7 NOTE: https://github.com/IvanCql/vulnerability/blob/master/An%20NULL%20pointer%20dereference(DoS)%20Vulnerability%20was%20found%20in%20function%20swri_audio_convert%20of%20ffmpeg%20libswresample.md NOTE: aubio initializes libswresample with 2 channels and then passes data NOTE: that contains just one channel. Not an issue in src:ffmpeg. NOTE: https://github.com/aubio/aubio/issues/137 CVE-2017-17554 (A NULL pointer dereference (DoS) Vulnerability was found in the functi ...) - aubio 0.4.6-1 (low; bug #884237) [stretch] - aubio (Minor issue) [jessie] - aubio (Minor issue) [wheezy] - aubio (Minor issue) NOTE: Fixed by: https://github.com/aubio/aubio/commit/a81b12a3b4174953b3bc7ef4c37103f4d5636740 NOTE: https://github.com/IvanCql/vulnerability/blob/master/An%20NULL%20pointer%20dereference(DoS)%20Vulnerability%20was%20found%20in%20function%20%20aubio_source_avcodec_readframe%20of%20aubio.md NOTE: https://github.com/aubio/aubio/issues/137 CVE-2017-17553 (The Dolphin Browser for Android 12.0.2 suffers from an insecure parsin ...) NOT-FOR-US: Dolphin Browser for Android CVE-2017-17552 (/LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allo ...) NOT-FOR-US: Zoho ManageEngine AD Manager Plus CVE-2017-17551 (The Backup and Restore feature in Mobotap Dolphin Browser for Android ...) NOT-FOR-US: Dolphin Browser for Android CVE-2017-17550 (ZyXEL ZyWALL USG 2.12 AQQ.2 and 3.30 AQQ.7 devices are affected by a C ...) NOT-FOR-US: ZyXEL CVE-2017-17549 (Citrix NetScaler Application Delivery Controller (ADC) and NetScaler G ...) 
NOT-FOR-US: Citrix NetScaler Application Delivery Controller CVE-2017-17548 RESERVED CVE-2017-17547 RESERVED CVE-2017-17546 RESERVED CVE-2017-17545 RESERVED CVE-2017-17544 (A privilege escalation vulnerability in Fortinet FortiOS 6.0.0 to 6.0. ...) NOT-FOR-US: Fortinet FortiOS CVE-2017-17543 (Users' VPN authentication credentials are unsafely encrypted in Fortin ...) NOT-FOR-US: Fortinet FortiClient CVE-2017-17542 RESERVED CVE-2017-17541 (A Cross-site Scripting (XSS) vulnerability in Fortinet FortiManager 6. ...) NOT-FOR-US: Fortinet CVE-2017-17540 (The presence of a hardcoded account in Fortinet FortiWLC 8.3.3 allows ...) NOT-FOR-US: Fortinet FortiWLC CVE-2017-17539 (The presence of a hardcoded account in Fortinet FortiWLC 7.0.11 and ea ...) NOT-FOR-US: Fortinet FortiWLC CVE-2017-17538 (MikroTik v6.40.5 devices allow remote attackers to cause a denial of s ...) NOT-FOR-US: MikroTik CVE-2017-17537 (MikroTik RouterBOARD v6.39.2 and v6.40.5 allows an unauthenticated rem ...) NOT-FOR-US: MikroTik CVE-2017-17536 (Phabricator before 2017-11-10 does not block the --config and --debugg ...) - phabricator (unimportant) NOTE: Fixed by: https://github.com/phacility/phabricator/commit/a7921a4448093d00defa8bd18f35b8c8f8bf3314 NOTE: Starting with 0~git20160726-3 the Phabricator package is not built NOTE: The issue is unfixed in the source up to 0~git20170812-1 NOTE: Fixed in 0~git20171202-1 (not yet accepted from NEW) CVE-2017-17535 (lib/gui.py in Bob Hepple gjots2 2.4.1 does not validate strings before ...) - gjots2 (unimportant) NOTE: https://sources.debian.org/src/gjots2/2.4.1-2/lib/gui.py/?hl=2188#L2188 CVE-2017-17534 (uiutil.c in Mensis 0.0.080507 does not validate strings before launchi ...) - mensis (unimportant) NOTE: https://sources.debian.org/src/mensis/0.0.080507-4/uiutil.c/?hl=293#L428 CVE-2017-17533 (** DISPUTED ** default.tcl in Tkabber 1.1 does not validate strings be ...) 
NOTE: Originally assigned for src:tkabber NOTE: https://sources.debian.org/src/tkabber/1.1-1/default.tcl/?hl=118#L118 NOTE: TCL's exec call does not involve the shell. It does its own argument parsing NOTE: which safely forwards the content of any variable. No command injection is NOTE: thus possible. See https://tcl.tk/man/tcl/TclCmd/exec.htm NOTE: MITRE only considers this as DISPUTED rather than fully REJECT the CVE. CVE-2017-17532 (examples/framework/news/news3.py in Kiwi 1.9.22 does not validate stri ...) - kiwi (unimportant) NOTE: https://sources.debian.org/src/kiwi/1.9.22-4/examples/framework/news/news3.py/?hl=88#L88 NOTE: Only in examples code, negligible impact CVE-2017-17531 (gozilla.c in GNU GLOBAL 4.8.6 does not validate strings before launchi ...) - global 6.6.1-1 (unimportant; bug #884912) [stretch] - global 6.5.6-2+deb9u1 NOTE: https://sources.debian.org/src/global/4.8.6-2/gozilla/gozilla.c/#L269 CVE-2017-17530 (common/help.c in Geomview 1.9.5 does not validate strings before launc ...) - geomview (unimportant) NOTE: https://sources.debian.org/src/geomview/1.9.5-1/src/bin/geomview/common/help.c/?hl=51#L83 CVE-2017-17529 (af/util/xp/ut_go_file.cpp in AbiWord 3.0.2-2 does not validate strings ...) - abiword (unimportant; bug #884923) NOTE: Non-issue, nothing exploitable, should be rejected CVE-2017-17528 (backends/platform/sdl/posix/posix.cpp in ScummVM 1.9.0 does not valida ...) - scummvm (unimportant) [wheezy] - scummvm (Vulnerable code not there) NOTE: https://sources.debian.org/src/scummvm/1.9.0+dfsg-2/backends/platform/sdl/posix/posix.cpp/?hl=274#L274 CVE-2017-17527 (** DISPUTED ** delphi_gui/WWWBrowserRunnerDM.pas in PasDoc 0.14 does n ...) - pasdoc 0.15.0-1 (unimportant) NOTE: https://sources.debian.org/src/pasdoc/0.14.0-1/source/delphi_gui/WWWBrowserRunnerDM.pas/?hl=63#L63 NOTE: Marked as unimportant since issue in unused code. MITRE marks CVE as NOTE: disputed.
CVE-2017-17526 (Input.cc in Bernard Parisse Giac 1.2.3.57 does not validate strings be ...) - giac (unimportant) NOTE: https://sources.debian.org/src/giac/1.2.3.57+dfsg1-2/src/Input.cc/?hl=68#L77 CVE-2017-17525 (guiclient/guiclient.cpp in xTuple PostBooks 4.7.0 does not validate st ...) - postbooks (unimportant) NOTE: https://sources.debian.org/src/postbooks/4.7.0-3/guiclient/guiclient.cpp/?hl=1610#L1610 CVE-2017-17524 (library/www_browser.pl in SWI-Prolog 7.2.3 does not validate strings b ...) - swi-prolog (unimportant) NOTE: https://sources.debian.org/src/swi-prolog/7.2.3+dfsg-1/library/www_browser.pl/?hl=68#L68 NOTE: In wheezy it is technically possible to trigger an argument injection NOTE: vulnerability; however, it is quoted in an unusual way which makes it highly NOTE: unlikely that it is going to be. CVE-2017-17523 (lilypond-invoke-editor in LilyPond 2.19.80 does not validate strings b ...) - lilypond 2.18.2-12 (bug #884136) [jessie] - lilypond (Minor issue) [wheezy] - lilypond (Minor issue) NOTE: https://sourceforge.net/p/testlilyissues/issues/5243/ CVE-2017-17522 (** DISPUTED ** Lib/webbrowser.py in Python through 3.6.3 does not vali ...) - jython (unimportant) [wheezy] - jython (Vulnerable code is not provided in the binary package) - python2.6 (unimportant) - python2.7 (unimportant) - python3.2 (unimportant) - python3.4 (unimportant) - python3.5 (unimportant) - python3.6 (unimportant) - python3.7 (unimportant) NOTE: Lib/webbrowser.py does not validate strings before launching the program NOTE: specified by the BROWSER environment variable. NOTE: https://bugs.python.org/issue32367 NOTE: Hardly an issue with security impact, as the problematic code further relies NOTE: on subprocess.Popen with the default shell=False. CVE-2017-17521 (uiutil.c in FontForge through 20170731 does not validate strings befor ...)
- fontforge (unimportant) NOTE: https://sources.debian.org/src/fontforge/1:20170731%7Edfsg-1/fontforgeexe/uiutil.c/#L285 CVE-2017-17520 (** DISPUTED ** tools/url_handler.pl in TIN 2.4.1 does not validate str ...) - tin (unimportant) NOTE: https://sources.debian.org/src/tin/1:2.4.1-1/tools/url_handler.pl/?hl=120#L120 NOTE: Documentation has a clear SECURITY section mentioning that [...] url_handler NOTE: does not try hard to shell escape its input nor does it convert relative URLs NOTE: into absolute ones. If you use url_handler.pl from other applications be sure to NOTE: at least shell escape its input. CVE-2017-17519 (batteriesConfig.mlp in OCaml Batteries Included (aka ocaml-batteries) ...) - ocaml-batteries (unimportant) NOTE: https://sources.debian.org/src/ocaml-batteries/2.6.0-1/src/batteriesConfig.mlp/?hl=23#L23 CVE-2017-17518 (** DISPUTED ** swt/motif/browser.c in White_dune (aka whitedune) 0.30. ...) - whitedune (unimportant) NOTE: https://sources.debian.org/src/whitedune/0.30.10-2.1/src/swt/motif/browser.c/?hl=159#L214 CVE-2017-17517 (libsylph/utils.c in Sylpheed through 3.6 does not validate strings bef ...) - sylpheed (unimportant) NOTE: https://sources.debian.org/src/sylpheed/3.5.1-1/libsylph/utils.c/?hl=4292#L4292 CVE-2017-17516 (scripts/inspect_webbrowser.py in Reddit Terminal Viewer (RTV) 1.19.0 d ...) - rtv (unimportant) NOTE: https://sources.debian.org/src/rtv/1.20.0+dfsg-1/scripts/inspect_webbrowser.py/ CVE-2017-17515 (** DISPUTED ** etc/ObjectList in Metview 4.7.3 does not validate strin ...) - metview (unimportant) NOTE: https://sources.debian.org/src/metview/4.7.2-3/share/metview/etc/ObjectList/?hl=2857#L2857 CVE-2017-17514 (** DISPUTED ** boxes.c in nip2 8.4.0 does not validate strings before ...) - nip2 (unimportant) NOTE: https://sources.debian.org/src/nip2/8.4.0-1/src/boxes.c/?hl=727#L727 CVE-2017-17513 (TeX Live through 20170524 does not validate strings before launching t ...)
- texlive-base (unimportant) [wheezy] - texlive-base (Vulnerable code does not exist) - texlive-bin (unimportant) [wheezy] - texlive-bin (Vulnerable code does not exist) - context (unimportant) [wheezy] - context (Vulnerable code does not exist) NOTE: https://sources.debian.org/src/texlive-base/2017.20171128-1/texmf-dist/tex/luatex/lualibs/lualibs-os.lua/#L153 NOTE: https://sources.debian.org/src/texlive-bin/2016.20160513.41080.dfsg-2/texk/texlive/linked_scripts/context/stubs/unix/mtxrun/#L3004 NOTE: https://sources.debian.org/src/context/2017.05.15.20170613-2/texmf-dist/scripts/context/stubs/mswin/mtxrun.lua/?hl=3424#L3424 CVE-2017-17512 (sensible-browser in sensible-utils before 0.0.11 does not validate str ...) {DSA-4071-1 DLA-1209-1} - sensible-utils 0.0.11 (bug #881767) NOTE: https://anonscm.debian.org/git/collab-maint/sensible-utils.git/commit/?id=e16c937c43126df7f08d355277f99dd94cc21ce5 CVE-2017-17511 (KildClient 3.1.0 does not validate strings before launching the progra ...) {DLA-1210-1} - kildclient 3.2.0-1 (bug #885007) [stretch] - kildclient 3.1.0-1+deb9u1 [jessie] - kildclient (Minor issue) NOTE: https://sources.debian.org/src/kildclient/3.1.0-1/src/worldgui.c/?hl=1159#L1159 NOTE: https://sources.debian.org/src/kildclient/3.1.0-1/src/prefs.c/?hl=324#L324 CVE-2017-17510 RESERVED CVE-2017-17509 (In HDF5 1.10.1, there is an out of bounds write vulnerability in the f ...) - hdf5 1.10.4+repack-1 (bug #884365) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) [wheezy] - hdf5 (Minor issue) NOTE: POC: https://github.com/xiaoqx/pocs/blob/master/hdf5/5-hdf5-heap-overflow-H5G__ent_decode_vec NOTE: https://github.com/xiaoqx/pocs/blob/master/hdf5/readme.md NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/2636f401ba236e99adda4cc50fb89bebbe0b73fd CVE-2017-17508 (In HDF5 1.10.1, there is a divide-by-zero vulnerability in the functio ...)
- hdf5 1.10.4+repack-1 (bug #884365) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) [wheezy] - hdf5 (Minor issue) NOTE: POC: https://github.com/xiaoqx/pocs/blob/master/hdf5/1-hdf5-divbyzero-H5T_set_loc NOTE: https://github.com/xiaoqx/pocs/blob/master/hdf5/readme.md NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/0a7128c0d5bd035288be7b02ca9cf9bba321aadd CVE-2017-17507 (In HDF5 1.10.1, there is an out of bounds read vulnerability in the fu ...) - hdf5 (unimportant; bug #915807) NOTE: POC: https://github.com/xiaoqx/pocs/blob/master/hdf5/3-hdf5-outbound-read-H5T_conv_struct_opt NOTE: https://github.com/xiaoqx/pocs/blob/master/hdf5/readme.md NOTE: Fixing the bug requires an ABI changes thus upstream will only include a fix NOTE: on a major version bump. NOTE: Negligible security impact CVE-2017-17506 (In HDF5 1.10.1, there is an out of bounds read vulnerability in the fu ...) - hdf5 1.10.4+repack-1 (bug #884365) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) [wheezy] - hdf5 (Minor issue) NOTE: POC: https://github.com/xiaoqx/pocs/blob/master/hdf5/4-hdf5-outbound-read-H5Opline_pline_decode NOTE: https://github.com/xiaoqx/pocs/blob/master/hdf5/readme.md NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/b1a6873b1021c967b661727edae9de87d194f744 CVE-2017-17505 (In HDF5 1.10.1, there is a NULL pointer dereference in the function H5 ...) - hdf5 1.10.4+repack-1 (bug #884365) [stretch] - hdf5 (Minor issue) [jessie] - hdf5 (Minor issue) [wheezy] - hdf5 (Minor issue) NOTE: POC: https://github.com/xiaoqx/pocs/blob/master/hdf5/2-hdf5-null-pointer-H5O_pline_decode NOTE: https://github.com/xiaoqx/pocs/blob/master/hdf5/readme.md NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/7e3f95679677db07a5cc606f5edfb723ea56d04e CVE-2017-17504 (ImageMagick before 7.0.7-12 has a coders/png.c Magick_png_read_raw_pro ...) 
{DSA-4204-1 DSA-4074-1 DLA-1227-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #885340) NOTE: https://github.com/ImageMagick/ImageMagick/issues/872 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/ce3a586a43a7d13442587eb7f28d129557b6a135 NOTE: ImageMagick-7: https://github.com/ImageMagick/ImageMagick/commit/59c49559e302e06bfba46cb6feb4e39adbe675b6 NOTE: ImageMagick-7: https://github.com/ImageMagick/ImageMagick/commit/fb89192c4ca1600741af79dd22166a7d91e76924 CVE-2017-17503 (ReadGRAYImage in coders/gray.c in GraphicsMagick 1.3.26 has a magick/i ...) {DSA-4321-1 DLA-1401-1 DLA-1231-1} - graphicsmagick 1.3.27-1 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/460ef5e858ad NOTE: https://sourceforge.net/p/graphicsmagick/bugs/522/ CVE-2017-17502 (ReadCMYKImage in coders/cmyk.c in GraphicsMagick 1.3.26 has a magick/i ...) {DSA-4321-1 DLA-1401-1 DLA-1231-1} - graphicsmagick 1.3.27-1 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/a9c425688397 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/521/ CVE-2017-17501 (WriteOnePNGImage in coders/png.c in GraphicsMagick 1.3.26 has a heap-b ...) {DSA-4321-1 DLA-1401-1 DLA-1231-1} - graphicsmagick 1.3.27-1 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/5b8414c0d0c4 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/526/ CVE-2017-17500 (ReadRGBImage in coders/rgb.c in GraphicsMagick 1.3.26 has a magick/imp ...) {DSA-4321-1 DLA-1401-1 DLA-1231-1} - graphicsmagick 1.3.27-1 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/1366f2dd9931 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/523/ CVE-2017-17499 (ImageMagick before 6.9.9-24 and 7.x before 7.0.7-12 has a use-after-fr ...) 
{DSA-4074-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #885339) [jessie] - imagemagick (Vulnerable code not present) [wheezy] - imagemagick (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/commit/8c35502217c1879cb8257c617007282eee3fe1cc NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/dd96d671e4d5ae22c6894c302e8996c13f24c45a NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=33078&sid=5fbb164c3830293138917f9b14264ed1 CVE-2017-17498 (WritePNMImage in coders/pnm.c in GraphicsMagick 1.3.26 allows remote a ...) {DSA-4321-1 DLA-1401-1 DLA-1231-1} - graphicsmagick 1.3.27-1 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/f1c418ef0260 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/525/ CVE-2017-17497 (In Tidy 5.7.0, the prvTidyTidyMetaCharset function in clean.c allows a ...) - tidy-html5 2:5.6.0-3 [stretch] - tidy-html5 (Vulnerable code introduced after 5.6.0) - tidy (Vulnerable code not present) NOTE: https://github.com/htacg/tidy-html5/issues/656 NOTE: https://github.com/htacg/tidy-html5/commit/a111d7a9691953f903ffa1fdbc3762dec22fc215 NOTE: Issue originally never in Debian because the vulnerable code was NOTE: introduced in 5.6.0. But with the 2:5.6.0-1 upload the package got NOTE: vulnerable and needed a targeted fix via 2:5.6.0-3 upload. CVE-2017-17496 REJECTED CVE-2017-17495 RESERVED CVE-2017-17494 RESERVED CVE-2017-17493 RESERVED CVE-2017-17492 RESERVED CVE-2017-17491 RESERVED CVE-2017-17490 RESERVED CVE-2017-17489 RESERVED CVE-2017-17488 RESERVED CVE-2017-17487 RESERVED CVE-2017-17486 RESERVED CVE-2017-17485 (FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allo ...) {DSA-4114-1} - jackson-databind 2.9.4-1 (bug #888318) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1528565#c0 NOTE: https://github.com/FasterXML/jackson-databind/issues/1855 CVE-2017-17484 (The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Compone ...)
- icu (Vulnerable code not present, only experimental was ever affected and fixed in 60.2-1) NOTE: https://ssl.icu-project.org/trac/ticket/13510 NOTE: https://ssl.icu-project.org/trac/ticket/13490 NOTE: Fixed by: https://ssl.icu-project.org/trac/changeset/40714 NOTE: Testcase: https://ssl.icu-project.org/trac/changeset/40715 NOTE: POC: https://ssl.icu-project.org/trac/attachment/ticket/13490/poc.2.cpp NOTE: Introduced by https://ssl.icu-project.org/trac/changeset/40455/ CVE-2017-17483 RESERVED CVE-2017-17482 (An issue was discovered in OpenVMS through V8.4-2L2 on Alpha and throu ...) NOT-FOR-US: OpenVMS CVE-2017-17481 RESERVED CVE-2017-17480 (In OpenJPEG 2.3.0, a stack-based buffer overflow was discovered in the ...) {DSA-4405-1 DLA-1579-1} - openjpeg2 2.3.0-2 (bug #884738) NOTE: https://github.com/uclouvain/openjpeg/issues/1044 NOTE: https://github.com/uclouvain/openjpeg/commit/0bc90e4062a5f9258c91eca018c019b179066c62 CVE-2017-17479 (In OpenJPEG 2.3.0, a stack-based buffer overflow was discovered in the ...) - openjpeg2 (unimportant) NOTE: https://github.com/uclouvain/openjpeg/issues/1044 NOTE: Debian packaging does not build JPWL, has BUILD_JPWL:BOOL=OFF CVE-2017-17478 (An XSS issue was discovered in Designer Studio in Pegasystems Pega Pla ...) NOT-FOR-US: Pegasystems Pega Platform CVE-2017-17477 (Pexip Infinity before 17 allows an unauthenticated remote attacker to ...) NOT-FOR-US: Pexip Infinity CVE-2017-17475 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17474 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17473 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17472 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...) 
NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17471 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17470 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17469 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17468 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to gain privile ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17467 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17466 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to gain privile ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17465 (K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer de ...) NOT-FOR-US: K7 Antivirus CVE-2017-17464 (K7Sentry.sys 15.1.0.59 in K7 Antivirus 15.1.0309 has a NULL pointer de ...) NOT-FOR-US: K7 Antivirus CVE-2017-17463 (Vivo modems allow remote attackers to obtain sensitive information by ...) NOT-FOR-US: Vivo modems CVE-2017-17462 RESERVED CVE-2017-17461 REJECTED CVE-2017-17460 RESERVED CVE-2017-17459 (http_transport.c in Fossil before 2.4, when the SSH sync protocol is u ...) - fossil 1:2.4-1 [stretch] - fossil (Minor issue) [jessie] - fossil (Minor issue) [wheezy] - fossil (Minor issue) NOTE: https://www.fossil-scm.org/xfer/info/1f63db591c77108c CVE-2017-17458 (In Mercurial before 4.4.1, it is possible that a specially malformed r ...) 
{DLA-2293-1 DLA-1414-2 DLA-1414-1 DLA-1224-1} - mercurial 4.4.1-1 NOTE: https://bz.mercurial-scm.org/show_bug.cgi?id=5730 NOTE: https://www.mercurial-scm.org/pipermail/mercurial-devel/2017-November/107333.html NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.4.1_.282017-11-07.29 NOTE: Fixed by: https://mercurial-scm.org/repo/hg/rev/071cbeba4212 NOTE: Alternative workaround/additionally needed: https://mercurial-scm.org/repo/hg/rev/5e27afeddaee CVE-2017-1002102 (In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to version ...) - kubernetes 1.7.16+dfsg-1 (bug #894051) NOTE: https://github.com/kubernetes/kubernetes/issues/60814 CVE-2017-1002101 (In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to version ...) - kubernetes 1.7.16+dfsg-1 (bug #892801) NOTE: https://github.com/kubernetes/kubernetes/issues/60813 CVE-2017-17457 REJECTED CVE-2017-17456 REJECTED CVE-2017-17455 (Mahara 16.10 before 16.10.7, 17.04 before 17.04.5, and 17.10 before 17 ...) - mahara CVE-2017-17454 (Mahara 16.10 before 16.10.7 and 17.04 before 17.04.5 and 17.10 before ...) - mahara CVE-2017-17453 RESERVED CVE-2017-17452 RESERVED CVE-2017-17451 (The WP Mailster plugin before 1.5.5 for WordPress has XSS in the unsub ...) NOT-FOR-US: Wordpress plugin CVE-2017-17450 (net/netfilter/xt_osf.c in the Linux kernel through 4.14.4 does not req ...) {DSA-4082-1 DSA-4073-1} - linux 4.14.7-1 [wheezy] - linux (User namespaces not supported) NOTE: https://lkml.org/lkml/2017/12/5/982 CVE-2017-17449 (The __netlink_deliver_tap_skb function in net/netlink/af_netlink.c in ...) {DSA-4082-1 DSA-4073-1} - linux 4.14.7-1 [wheezy] - linux (Vulnerable code not present) NOTE: https://lkml.org/lkml/2017/12/5/950 CVE-2017-17448 (net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4.14.4 ...) 
{DSA-4082-1 DSA-4073-1} - linux 4.14.7-1 [wheezy] - linux (User namespaces not supported) NOTE: https://patchwork.kernel.org/patch/10089373/ CVE-2017-17447 RESERVED CVE-2017-17445 RESERVED CVE-2017-17444 RESERVED CVE-2017-17443 (OPC Foundation Local Discovery Server (LDS) 1.03.370 required a securi ...) NOT-FOR-US: OPC Foundation Local Discovery Server CVE-2017-17442 (In BlackBerry UEM Management Console version 12.7.1 and earlier, a ref ...) NOT-FOR-US: BlackBerry CVE-2017-17441 RESERVED CVE-2017-17446 (The Mem_File_Reader::read_avail function in Data_Reader.cpp in the Gam ...) - game-music-emu 0.6.2-1 (bug #883691) [stretch] - game-music-emu (Minor issue) [jessie] - game-music-emu (Minor issue) [wheezy] - game-music-emu (Minor issue) NOTE: https://bitbucket.org/mpyne/game-music-emu/issues/14/addresssanitizer-negative-size-param-size NOTE: Patch: https://bitbucket.org/mpyne/game-music-emu/commits/205290614cdc057541b26adeea05a9d45993f860 NOTE: Additional hardening: https://bitbucket.org/mpyne/game-music-emu/commits/4a441e94cba14268bc4e983d4dfd6ed112084d00 CVE-2017-17440 (GNU Libextractor 1.6 allows remote attackers to cause a denial of serv ...) - libextractor 1:1.6-2 (bug #883528) [stretch] - libextractor 1:1.3-4+deb9u1 [jessie] - libextractor 1:1.3-2+deb8u1 [wheezy] - libextractor (Minor issue) NOTE: Fixed by: https://git.gnunet.org/libextractor.git/commit/?id=7cc63b001ceaf81143795321379c835486d0c92e CVE-2017-17439 (In Heimdal through 7.4, remote unauthenticated attackers are able to c ...) 
{DSA-4055-1} - heimdal 7.5.0+dfsg-1 (bug #878144) [jessie] - heimdal (Vulnerability introduced in 7.0) [wheezy] - heimdal (Vulnerability introduced in 7.0) NOTE: https://github.com/heimdal/heimdal/issues/353 NOTE: Fixed by: https://github.com/heimdal/heimdal/commit/749d377fa357351a7bbba51f8aae72cdf0629592 (7.1) NOTE: Fixed by: https://github.com/heimdal/heimdal/commit/1a6a6e462dc2ac6111f9e02c6852ddec4849b887 (master) CVE-2017-17438 RESERVED CVE-2017-17437 RESERVED CVE-2017-17436 (An issue was discovered in the software on Vaultek Gun Safe VT20i prod ...) NOT-FOR-US: Vaultek Gun Safe CVE-2017-17435 (An issue was discovered in the software on Vaultek Gun Safe VT20i prod ...) NOT-FOR-US: Vaultek Gun Safe CVE-2017-17434 (The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, do ...) {DSA-4068-1 DLA-1218-1} - rsync 3.1.2-2.1 (bug #883665) NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=5509597decdbd7b91994210f700329d8a35e70a1 NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=70aeb5fddd1b2f8e143276f8d5a085db16c593b9 CVE-2017-17433 (The recv_files function in receiver.c in the daemon in rsync 3.1.2, an ...) {DSA-4068-1 DLA-1218-1} - rsync 3.1.2-2.1 (bug #883667) NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=3e06d40029cfdce9d0f73d87cfd4edaf54be9c51 CVE-2017-17431 (GeniXCMS 1.1.5 has XSS via the from, id, lang, menuid, mod, q, status, ...) NOT-FOR-US: GeniXCMS CVE-2017-17430 (Sangoma NetBorder / Vega Session Controller before 2.3.12-80-GA allows ...) NOT-FOR-US: Sangoma NetBorder / Vega Session Controller CVE-2017-17429 (In K7 Antivirus Premium before 15.1.0.53, user-controlled input to the ...) NOT-FOR-US: K7 Antivirus CVE-2017-17428 (Cavium Nitrox SSL, Nitrox V SSL, and TurboSSL software development kit ...) 
NOT-FOR-US: Cisco ACE NOTE: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171212-bleichenbacher NOTE: https://robotattack.org/ CVE-2017-17427 (Radware Alteon devices with a firmware version between 31.0.0.0-31.0.3 ...) NOT-FOR-US: Radware NOTE: https://portals.radware.com/getattachment/21be0b7b-fa1c-4cbc-8bd2-c19946aee270/Security-Advisory-Adaptive-chosen-ciphertext-atta/ NOTE: https://robotattack.org/ CVE-2017-17426 (The malloc function in the GNU C Library (aka glibc or libc6) 2.26 cou ...) - glibc (Issue introduced in glibc-2.26 with addition of per-thread cache to malloc) - eglibc (Issue introduced in glibc-2.26 with addition of per-thread cache to malloc) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22375 NOTE: Introduced by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d5c3fafc4307c9b7a4c7d5cb381fcdbfad340bcc NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=34697694e8a93b325b18f25f7dcded55d6baeaf6 NOTE: The upload of 2.26-0experimental2 to experimental fixed the issue (cf. #883729). CVE-2017-1000410 (The Linux kernel version 3.3-rc1 and later is affected by a vulnerabil ...) {DSA-4082-1 DSA-4073-1} - linux 4.14.7-1 [wheezy] - linux (Vulnerable code introduced in 3.3) NOTE: https://www.openwall.com/lists/oss-security/2017/12/06/3 CVE-2017-1000409 (A buffer overflow in glibc 2.5 (released on September 29, 2006) and ca ...) - glibc 2.25-5 (bug #884133) [stretch] - glibc 2.24-11+deb9u4 [jessie] - glibc (Minor issue) - eglibc [wheezy] - eglibc (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/12/11/4 CVE-2017-1000408 (A memory leak in glibc 2.1.1 (released on May 24, 1999) can be reached ...) - glibc 2.25-5 (bug #884132) [stretch] - glibc 2.24-11+deb9u4 [jessie] - glibc (Minor issue) - eglibc [wheezy] - eglibc (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/12/11/4 CVE-2017-17432 (OpenAFS 1.x before 1.6.22 does not properly validate Rx ack packets, w ...) 
{DSA-4067-1 DLA-1213-1} - openafs 1.6.22-1 (bug #883602) NOTE: https://www.openafs.org/pages/security/OPENAFS-SA-2017-001.txt CVE-2017-17425 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17424 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17423 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17422 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17421 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17420 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17419 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17418 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17417 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17416 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17415 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17414 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17413 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17412 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Quest NetVault Backup CVE-2017-17411 (This vulnerability allows remote attackers to execute arbitrary code o ...) 
NOT-FOR-US: web management portal of Linksys WVBR0 WVBR0 CVE-2017-17410 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Bitdefender Internet Security 2018 CVE-2017-17409 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Bitdefender Internet Security 2018 CVE-2017-17408 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Bitdefender Internet Security 2018 CVE-2017-17407 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: NetGain CVE-2017-17406 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: NetGain CVE-2017-17405 (Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, get ...) {DSA-4259-1 DLA-1421-1 DLA-1222-1 DLA-1221-1} - ruby2.5 2.5.0~rc1-1 (bug #884437) - ruby2.3 2.3.6-1 (bug #884438) - ruby2.1 - ruby1.9.1 - ruby1.8 NOTE: https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/ NOTE: https://github.com/ruby/ruby/commit/6d3f72e5be2312be312f2acbf3465b05293c1431 NOTE: ruby2.3: https://github.com/ruby/ruby/commit/1cfe43fd85c66a9e2b5068480b3e043c31e6b8ca NOTE: ruby2.3: https://github.com/ruby/ruby/commit/3ec034c597e6d40543bb844dc8f96645bef4bed2 CVE-2017-17404 RESERVED CVE-2017-17403 RESERVED CVE-2017-17402 RESERVED CVE-2017-17401 RESERVED CVE-2017-17400 RESERVED CVE-2017-17399 RESERVED CVE-2017-17398 RESERVED CVE-2017-17397 RESERVED CVE-2017-17396 RESERVED CVE-2017-17395 RESERVED CVE-2017-17394 RESERVED CVE-2017-17393 RESERVED CVE-2017-17392 RESERVED CVE-2017-17391 RESERVED CVE-2017-17390 RESERVED CVE-2017-17389 RESERVED CVE-2017-17388 RESERVED CVE-2017-17387 RESERVED CVE-2017-17386 RESERVED CVE-2017-17385 RESERVED CVE-2017-17384 (ISPConfig 3.x before 3.1.9 allows remote authenticated users to obtain ...) NOT-FOR-US: ISPConfig CVE-2017-17383 (Jenkins through 2.93 allows remote authenticated administrators to con ...) 
- jenkins CVE-2017-17382 (Citrix NetScaler Application Delivery Controller (ADC) and NetScaler G ...) NOT-FOR-US: Citrix NOTE: https://support.citrix.com/article/CTX230238 NOTE: https://robotattack.org/ CVE-2017-17381 (The Virtio Vring implementation in QEMU allows local OS guest users to ...) {DSA-4213-1} - qemu 1:2.11+dfsg-1 (bug #883625) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Can be fixed along in later update) - qemu-kvm [wheezy] - qemu-kvm (Can be fixed along in later update) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-12/msg00166.html CVE-2017-17380 REJECTED CVE-2017-17379 REJECTED CVE-2017-17378 REJECTED CVE-2017-17377 REJECTED CVE-2017-17376 REJECTED CVE-2017-17375 REJECTED CVE-2017-17374 REJECTED CVE-2017-17373 REJECTED CVE-2017-17372 REJECTED CVE-2017-17371 REJECTED CVE-2017-17370 REJECTED CVE-2017-17369 REJECTED CVE-2017-17368 REJECTED CVE-2017-17367 REJECTED CVE-2017-17366 REJECTED CVE-2017-17365 REJECTED CVE-2017-17364 REJECTED CVE-2017-17363 REJECTED CVE-2017-17362 REJECTED CVE-2017-17361 REJECTED CVE-2017-17360 REJECTED CVE-2017-17359 REJECTED CVE-2017-17358 REJECTED CVE-2017-17357 REJECTED CVE-2017-17356 REJECTED CVE-2017-17355 REJECTED CVE-2017-17354 REJECTED CVE-2017-17353 REJECTED CVE-2017-17352 REJECTED CVE-2017-17351 REJECTED CVE-2017-17350 REJECTED CVE-2017-17349 REJECTED CVE-2017-17348 REJECTED CVE-2017-17347 REJECTED CVE-2017-17346 REJECTED CVE-2017-17345 REJECTED CVE-2017-17344 REJECTED CVE-2017-17343 REJECTED CVE-2017-17342 REJECTED CVE-2017-17341 REJECTED CVE-2017-17340 REJECTED CVE-2017-17339 REJECTED CVE-2017-17338 REJECTED CVE-2017-17337 REJECTED CVE-2017-17336 REJECTED CVE-2017-17335 REJECTED CVE-2017-17334 REJECTED CVE-2017-17333 REJECTED CVE-2017-17332 REJECTED CVE-2017-17331 REJECTED CVE-2017-17330 (Huawei AR3200 V200R005C32; V200R006C10; V200R006C11; V200R007C00; V200 ...) NOT-FOR-US: Huawei CVE-2017-17329 (Huawei ViewPoint 8660 V100R008C03 have a memory leak vulnerability. Th ...) 
NOT-FOR-US: Huawei CVE-2017-17328 (Huawei smartphones with software of MHA-AL00AC00B125 have an integer o ...) NOT-FOR-US: Huawei CVE-2017-17327 (Huawei smartphones with software of MHA-AL00AC00B125 have an improper ...) NOT-FOR-US: Huawei CVE-2017-17326 (Huawei Mate 9 Pro Smartphones with software of LON-AL00BC00B139D; LON- ...) NOT-FOR-US: Huawei CVE-2017-17325 (Huawei video applications HiCinema with software of 8.0.3.308; 8.0.4.3 ...) NOT-FOR-US: Huawei CVE-2017-17324 (Huawei Mate 9 Pro smartphones with software LON-AL00BC00B139D; LON-AL0 ...) NOT-FOR-US: Huawei CVE-2017-17323 (Huawei iBMC V200R002C10; V200R002C20; V200R002C30 have an improper aut ...) NOT-FOR-US: Huawei CVE-2017-17322 (Huawei Honor Smart Scale Application with software of 1.1.1 has an inf ...) NOT-FOR-US: Huawei CVE-2017-17321 (Huawei eNSP software with software of versions earlier than V100R002C0 ...) NOT-FOR-US: Huawei CVE-2017-17320 (Huawei Mate 9 Pro smartphones with software of LON-AL00BC00B139D, LON- ...) NOT-FOR-US: Huawei CVE-2017-17319 (Huawei P9 smartphones with the versions before EVA-AL10C00B399SP02 hav ...) NOT-FOR-US: Huawei CVE-2017-17318 (Huawei MBB (Mobile Broadband) products E5771h-937 with the versions be ...) NOT-FOR-US: Huawei CVE-2017-17317 (Common Open Policy Service Protocol (COPS) module in Huawei USG6300 V1 ...) NOT-FOR-US: Huawei CVE-2017-17316 (Huawei DP300 V500R002C00; RP200 V500R002C00; V600R006C00; TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17315 (Huawei DP300 V500R002C00; RP200 V600R006C00; TE30 V100R001C10; V500R00 ...) NOT-FOR-US: Huawei CVE-2017-17314 (Huawei DP300 V500R002C00, RP200 V600R006C00, TE30 V100R001C10, V500R00 ...) NOT-FOR-US: Huawei CVE-2017-17313 (The inputhub driver of HUAWEI P9 Lite mobile phones with Versions earl ...) NOT-FOR-US: inputhub driver of HUAWEI P9 Lite mobile phones CVE-2017-17312 (Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR ...) 
NOT-FOR-US: Huawei CVE-2017-17311 (Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR ...) NOT-FOR-US: Huawei CVE-2017-17310 (Electronic Numbers to URI Mapping (ENUM) module in some Huawei product ...) NOT-FOR-US: Huawei CVE-2017-17309 (Huawei HG255s-10 V100R001C163B025SP02 has a path traversal vulnerabili ...) NOT-FOR-US: Huawei CVE-2017-17308 (SCCPX module in Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C ...) NOT-FOR-US: Huawei CVE-2017-17307 (Some Huawei Smartphones with software of VNS-L21AUTC555B141 have an ou ...) NOT-FOR-US: Huawei CVE-2017-17306 (Some Huawei Smartphones with software of VNS-L21AUTC555B141, VNS-L21C1 ...) NOT-FOR-US: Huawei CVE-2017-17305 (Some Huawei Firewall products USG2205BSR V300R001C10SPC600; USG2220BSR ...) NOT-FOR-US: Huawei CVE-2017-17304 (The CIDAM Protocol on some Huawei Products has multiple input validati ...) NOT-FOR-US: Huawei CVE-2017-17303 (Huawei DP300 V500R002C00; V500R002C00B010; V500R002C00B011; V500R002C0 ...) NOT-FOR-US: Huawei CVE-2017-17302 (Huawei DP300 V500R002C00, RP200 V600R006C00, TE30 V100R001C10, V500R00 ...) NOT-FOR-US: Huawei CVE-2017-17301 (Huawei AR120-S V200R005C32, V200R006C10, V200R007C00, V200R008C20, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17300 (Huawei S12700 V200R008C00, V200R009C00, S5700 V200R007C00, V200R008C00 ...) NOT-FOR-US: Huawei CVE-2017-17299 (Huawei AR120-S V200R006C10, V200R007C00, AR1200 V200R006C10, V200R006C ...) NOT-FOR-US: Huawei CVE-2017-17298 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17297 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17296 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17295 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17294 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) 
NOT-FOR-US: Huawei CVE-2017-17293 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17292 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17291 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17290 (The Light Directory Access Protocol (LDAP) clients of Huawei TE60 with ...) NOT-FOR-US: Huawei CVE-2017-17289 (Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17288 (Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17287 (Huawei AR120-S V200R005C32, V200R006C10, V200R007C00, V200R008C20, V20 ...) NOT-FOR-US: Huawei CVE-2017-17286 (Huawei AR120-S V200R005C32, V200R006C10, V200R007C00, V200R008C20, V20 ...) NOT-FOR-US: Huawei CVE-2017-17285 (Bluetooth module in some Huawei mobile phones with software LON-AL00BC ...) NOT-FOR-US: Huawei CVE-2017-17284 (Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17283 (Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17282 (SCCP (Signalling Connection Control Part) module in Huawei DP300 V500R ...) NOT-FOR-US: Huawei CVE-2017-17281 (SFTP module in Huawei DP300 V500R002C00; RP200 V600R006C00; TE30 V100R ...) NOT-FOR-US: Huawei CVE-2017-17280 (NFC (Near Field Communication) module in Huawei mobile phones with sof ...) NOT-FOR-US: Huawei CVE-2017-17279 (The soundtrigger module in Huawei Mate 9 Pro smart phones with softwar ...) 
NOT-FOR-US: Huawei CVE-2017-17278 REJECTED CVE-2017-17277 REJECTED CVE-2017-17276 REJECTED CVE-2017-17275 REJECTED CVE-2017-17274 REJECTED CVE-2017-17273 REJECTED CVE-2017-17272 REJECTED CVE-2017-17271 REJECTED CVE-2017-17270 REJECTED CVE-2017-17269 REJECTED CVE-2017-17268 REJECTED CVE-2017-17267 REJECTED CVE-2017-17266 REJECTED CVE-2017-17265 REJECTED CVE-2017-17264 REJECTED CVE-2017-17263 REJECTED CVE-2017-17262 REJECTED CVE-2017-17261 REJECTED CVE-2017-17260 REJECTED CVE-2017-17259 REJECTED CVE-2017-17258 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17257 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17256 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17255 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17254 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17253 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17252 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17251 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-17250 (Huawei AR120-S V200R005C32; AR1200 V200R005C32; AR1200-S V200R005C32; ...) 
NOT-FOR-US: Huawei CVE-2017-17249 REJECTED CVE-2017-17248 REJECTED CVE-2017-17247 REJECTED CVE-2017-17246 REJECTED CVE-2017-17245 REJECTED CVE-2017-17244 REJECTED CVE-2017-17243 REJECTED CVE-2017-17242 REJECTED CVE-2017-17241 REJECTED CVE-2017-17240 REJECTED CVE-2017-17239 REJECTED CVE-2017-17238 REJECTED CVE-2017-17237 REJECTED CVE-2017-17236 REJECTED CVE-2017-17235 REJECTED CVE-2017-17234 REJECTED CVE-2017-17233 REJECTED CVE-2017-17232 REJECTED CVE-2017-17231 REJECTED CVE-2017-17230 REJECTED CVE-2017-17229 REJECTED CVE-2017-17228 REJECTED CVE-2017-17227 (GPU driver in Huawei Mate 10 smart phones with the versions before ALP ...) NOT-FOR-US: Huawei CVE-2017-17226 (The TripAdvisor app with the versions before TAMobileApp-24.6.4 pre-in ...) NOT-FOR-US: The TripAdvisor app on Huawei CVE-2017-17225 (The Near Field Communication (NFC) module in Huawei Mate 9 Pro mobile ...) NOT-FOR-US: Huawei CVE-2017-17224 (Some Huawei smart phones with versions earlier than Harry-AL00C 9.1.0. ...) NOT-FOR-US: Huawei smart phones CVE-2017-17223 (Huawei eSpace 7910 V200R003C30; eSpace 7950 V200R003C30; eSpace 8950 V ...) NOT-FOR-US: Huawei CVE-2017-17222 (Import Language Package function in Huawei eSpace 7950 V200R003C30; eS ...) NOT-FOR-US: Huawei CVE-2017-17221 (Import Signal Tone function in Huawei eSpace 7950 V200R003C30; eSpace ...) NOT-FOR-US: Huawei CVE-2017-17220 (SCCPX module in Huawei DP300 V500R002C00; RP200 V500R002C00; V600R006C ...) NOT-FOR-US: Huawei CVE-2017-17219 (SCCPX module in Huawei DP300 V500R002C00; RP200 V500R002C00; V600R006C ...) NOT-FOR-US: Huawei CVE-2017-17218 (SCCPX module in Huawei DP300 V500R002C00; RP200 V500R002C00; V600R006C ...) NOT-FOR-US: Huawei CVE-2017-17217 (Media Gateway Control Protocol (MGCP) in Huawei DP300 V500R002C00; RP2 ...) NOT-FOR-US: Huawei CVE-2017-17216 (Media Gateway Control Protocol (MGCP) in Huawei DP300 V500R002C00; RP2 ...) 
NOT-FOR-US: Huawei CVE-2017-17215 (Huawei HG532 with some customized versions has a remote code execution ...) NOT-FOR-US: Huawei CVE-2017-17214 REJECTED CVE-2017-17213 REJECTED CVE-2017-17212 REJECTED CVE-2017-17211 REJECTED CVE-2017-17210 REJECTED CVE-2017-17209 REJECTED CVE-2017-17208 REJECTED CVE-2017-17207 REJECTED CVE-2017-17206 REJECTED CVE-2017-17205 REJECTED CVE-2017-17204 REJECTED CVE-2017-17203 REJECTED CVE-2017-17202 (Huawei AR120-S V200R005C32, V200R006C10, V200R007C00, V200R008C20, V20 ...) NOT-FOR-US: Huawei CVE-2017-17201 (Some huawei smartphones with software BTV-DL09C233B350, Berlin-L21HNC4 ...) NOT-FOR-US: Huawei CVE-2017-17200 (Huawei DP300 V500R002C00; RP200 V500R002C00; V600R006C00; TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17199 (Huawei DP300 V500R002C00; RP200 V500R002C00; V600R006C00; TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17198 REJECTED CVE-2017-17197 REJECTED CVE-2017-17196 REJECTED CVE-2017-17195 REJECTED CVE-2017-17194 REJECTED CVE-2017-17193 REJECTED CVE-2017-17192 REJECTED CVE-2017-17191 REJECTED CVE-2017-17190 REJECTED CVE-2017-17189 REJECTED CVE-2017-17188 REJECTED CVE-2017-17187 (Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17186 (Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17185 (Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17184 (Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17183 (Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17182 (Huawei DP300 V500R002C00, RP200 V500R002C00, V600R006C00, TE30 V100R00 ...) 
NOT-FOR-US: Huawei CVE-2017-17181 REJECTED CVE-2017-17180 REJECTED CVE-2017-17179 REJECTED CVE-2017-17178 REJECTED CVE-2017-17177 REJECTED CVE-2017-17176 (The hardware security module of Mate 9 and Mate 9 Pro Huawei smart pho ...) NOT-FOR-US: Huawei CVE-2017-17175 (Short Message Service (SMS) module of Mate 9 Pro Huawei smart phones w ...) NOT-FOR-US: Huawei CVE-2017-17174 (Some Huawei products RSE6500 V500R002C00; SoftCo V200R003C20SPCb00; VP ...) NOT-FOR-US: Huawei CVE-2017-17173 (Due to insufficient parameters verification GPU driver of Mate 9 Pro H ...) NOT-FOR-US: Huawei CVE-2017-17172 (Huawei smart phones LYO-L21 with software LYO-L21C479B107, LYO-L21C479 ...) NOT-FOR-US: Huawei CVE-2017-17171 (Some Huawei smart phones have the denial of service (DoS) vulnerabilit ...) NOT-FOR-US: Huawei CVE-2017-17170 (The CIDAM Protocol on some Huawei Products has multiple input validati ...) NOT-FOR-US: Huawei CVE-2017-17169 (The CIDAM Protocol on some Huawei Products has multiple input validati ...) NOT-FOR-US: Huawei CVE-2017-17168 (The CIDAM Protocol on some Huawei Products has multiple input validati ...) NOT-FOR-US: Huawei CVE-2017-17167 (Huawei DP300 V500R002C00; TP3206 V100R002C00; ViewPoint 9030 V100R011C ...) NOT-FOR-US: Huawei CVE-2017-17166 (Huawei DP300 V500R002C00, Secospace USG6300 V500R001C00, V500R001C20, ...) NOT-FOR-US: Huawei CVE-2017-17165 (IPv6 function in Huawei Quidway S2700 V200R003C00SPC300, Quidway S5300 ...) NOT-FOR-US: Huawei CVE-2017-17164 (Huawei Secospace AntiDDoS8000 V500R001C20SPC500 have a memory leak vul ...) NOT-FOR-US: Huawei CVE-2017-17163 (Huawei Secospace USG6600 V500R001C30SPC100 has an Out-of-Bounds memory ...) NOT-FOR-US: Huawei CVE-2017-17162 (Huawei Secospace USG6600 V500R001C30SPC100, Secospace USG6600 V500R001 ...) NOT-FOR-US: Huawei CVE-2017-17161 (The 'Find Phone' function in some Huawei smart phones with software ea ...) 
NOT-FOR-US: Huawei CVE-2017-17160 (Huawei AR120-S V200R006C10, V200R007C00, AR1200 V200R006C10, V200R006C ...) NOT-FOR-US: Huawei CVE-2017-17159 (Some Huawei smart phones with software of NXT-AL10C00B386, NXT-CL00C92 ...) NOT-FOR-US: Huawei CVE-2017-17158 (Some Huawei smart phones with the versions before Berlin-L21HNC185B381 ...) NOT-FOR-US: Huawei CVE-2017-17157 (IKEv2 in Huawei IPS Module V500R001C00, V500R001C00SPC200, V500R001C00 ...) NOT-FOR-US: Huawei CVE-2017-17156 (IKEv2 in Huawei IPS Module V500R001C00, V500R001C00SPC200, V500R001C00 ...) NOT-FOR-US: Huawei CVE-2017-17155 (IKEv2 in Huawei IPS Module V500R001C00, V500R001C00SPC200, V500R001C00 ...) NOT-FOR-US: Huawei CVE-2017-17154 (IKEv2 in Huawei IPS Module V500R001C00, V500R001C00SPC200, V500R001C00 ...) NOT-FOR-US: Huawei CVE-2017-17153 (IKEv2 in Huawei IPS Module V500R001C00, V500R001C00SPC200, V500R001C00 ...) NOT-FOR-US: Huawei CVE-2017-17152 (IKEv2 in Huawei IPS Module V500R001C00, V500R001C00SPC200, V500R001C00 ...) NOT-FOR-US: Huawei CVE-2017-17151 (Huawei AR100, AR100-S, AR110-S, AR120, AR120-S, AR1200, AR1200-S, AR15 ...) NOT-FOR-US: Huawei CVE-2017-17150 (Timergrp module in Huawei DP300 V500R002C00; RP200 V500R002C00; V600R0 ...) NOT-FOR-US: Huawei CVE-2017-17149 (Huawei HiWallet App with the versions before 8.0.4 has an arbitrary lo ...) NOT-FOR-US: Huawei CVE-2017-17148 (Huawei DP300 V500R002C00 have a DoS vulnerability due to the lack of v ...) NOT-FOR-US: Huawei CVE-2017-17147 (Huawei DP300 V500R002C00 have an integer overflow vulnerability due to ...) NOT-FOR-US: Huawei CVE-2017-17146 (Huawei DP300 V500R002C00 have a buffer overflow vulnerability due to t ...) NOT-FOR-US: Huawei CVE-2017-17145 (Huawei Honor V9 Play smart phones with the versions before Jimmy-AL00A ...) NOT-FOR-US: Huawei CVE-2017-17144 (Backup feature of SIP module in Huawei DP300 V500R002C00; V500R002C00S ...) NOT-FOR-US: Huawei CVE-2017-17143 (SIP module in Huawei DP300 V500R002C00; V500R002C00SPC100; V500R002C00 ...) 
NOT-FOR-US: Huawei CVE-2017-17142 (SIP module in Huawei DP300 V500R002C00; V500R002C00SPC100; V500R002C00 ...) NOT-FOR-US: Huawei CVE-2017-17141 (Huawei S12700 V200R005C00; V200R006C00; V200R007C00; V200R007C01; V200 ...) NOT-FOR-US: Huawei CVE-2017-17140 (Huawei Enjoy 5s and Y6 Pro smartphones with software the versions befo ...) NOT-FOR-US: Huawei CVE-2017-17139 (Huawei Mate 9 and Mate 9 pro smart phones with software the versions b ...) NOT-FOR-US: Huawei CVE-2017-17138 (PEM module of DP300 V500R002C00; IPS Module V500R001C00; V500R001C30; ...) NOT-FOR-US: Huawei CVE-2017-17137 (PEM module of Huawei DP300 V500R002C00; IPS Module V500R001C00; V500R0 ...) NOT-FOR-US: Huawei CVE-2017-17136 (PEM module of Huawei DP300 V500R002C00; IPS Module V500R001C00; V500R0 ...) NOT-FOR-US: Huawei CVE-2017-17135 (PEM module of Huawei DP300 V500R002C00; IPS Module V500R001C00; V500R0 ...) NOT-FOR-US: Huawei CVE-2017-17134 (XML parser in Huawei DP300 V500R002C00; RP200 V500R002C00SPC200; V600R ...) NOT-FOR-US: Huawei CVE-2017-17133 (Huawei VP9660 V500R002C10 has a null pointer reference vulnerability i ...) NOT-FOR-US: Huawei CVE-2017-17132 (Huawei VP9660 V500R002C10 has a uncontrolled format string vulnerabili ...) NOT-FOR-US: Huawei CVE-2017-17131 (Huawei DP300 V500R002C00; RP200 V500R002C00; V600R006C00; TE30 V100R00 ...) NOT-FOR-US: Huawei CVE-2017-17130 (The ff_free_picture_tables function in libavcodec/mpegpicture.c in Lib ...) {DLA-1630-1} - libav NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1100 CVE-2017-17129 (The ff_vc1_mc_4mv_chroma4 function in libavcodec/vc1_mc.c in Libav 12. ...) - libav (Vulnerable code introduced in 12.x) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1101 CVE-2017-17128 (The h264_slice_init function in libavcodec/h264_slice.c in Libav 12.2 ...) 
- libav [jessie] - libav (Unable to reproduce on i386 and amd64 with current version and upstream Git; upstream bug also closed WORKSFORME) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1104 CVE-2017-17127 (The vc1_decode_frame function in libavcodec/vc1dec.c in Libav 12.2 all ...) {DLA-2021-1} - libav [wheezy] - libav (Minor issue) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1099 NOTE: Duplicate of CVE-2018-19130 CVE-2017-17126 (The load_debug_section function in readelf.c in GNU Binutils 2.29.1 al ...) [experimental] - binutils 2.29.51.20171208-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22510 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f425ec6600b69e39eb605f3128806ff688137ea8 CVE-2017-17125 (nm.c and objdump.c in GNU Binutils 2.29.1 mishandle certain global sym ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22443 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=160b1a618ad94988410dc81fce9189fcda5b7ff4 CVE-2017-17124 (The _bfd_coff_read_string_table function in coffgen.c in the Binary Fi ...) [experimental] - binutils 2.29.51.20171208-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22507 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b0029dce6867de1a2828293177b0e030d2f0f03c CVE-2017-17123 (The coff_slurp_reloc_table function in coffcode.h in the Binary File D ...) 
[experimental] - binutils 2.29.51.20171208-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22509 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4581a1c7d304ce14e714b27522ebf3d0188d6543 CVE-2017-17122 (The dump_relocs_in_section function in objdump.c in GNU Binutils 2.29. ...) [experimental] - binutils 2.29.51.20171208-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22508 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d785b7d4b877ed465d04072e17ca19d0f47d840f CVE-2017-17121 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) [experimental] - binutils 2.29.51.20171208-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22506 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b23dc97fe237a1d9e850d7cbeee066183a00630b CVE-2017-17120 RESERVED CVE-2017-17119 RESERVED CVE-2017-17118 RESERVED CVE-2017-17117 RESERVED CVE-2017-17116 RESERVED CVE-2017-17115 RESERVED CVE-2017-17114 (ntguard.sys and ntguard_x64.sys 0.18780.0.0 in IKARUS anti.virus 2.16. ...) NOT-FOR-US: IKARUS CVE-2017-17113 (ntguard_x64.sys 0.18780.0.0 in IKARUS anti.virus 2.16.15 has a NULL po ...) NOT-FOR-US: IKARUS CVE-2017-17112 (ntguard_x64.sys 0.18780.0.0 in IKARUS anti.virus 2.16.15 has a Pool Co ...) NOT-FOR-US: IKARUS CVE-2017-17111 (Posty Readymade Classifieds Script 1.0 allows an attacker to inject SQ ...) NOT-FOR-US: Posty Readymade Classifieds Script CVE-2017-17110 (Techno Portfolio Management Panel 1.0 allows an attacker to inject SQL ...) 
NOT-FOR-US: Techno Portfolio Management Panel CVE-2017-17109 RESERVED CVE-2017-17108 (Path traversal vulnerability in the administrative panel in KonaKart e ...) NOT-FOR-US: KonaKart eCommerce Platform CVE-2017-17107 (Zivif PR115-204-P-RS V2.3.4.2103 web cameras contain a hard-coded cat1 ...) NOT-FOR-US: Zivif web cameras CVE-2017-17106 (Credentials for Zivif PR115-204-P-RS V2.3.4.2103 Webcams can be obtain ...) NOT-FOR-US: Zivif web cameras CVE-2017-17105 (Zivif PR115-204-P-RS V2.3.4.2103 and V4.7.4.2121 (and possibly in-betw ...) NOT-FOR-US: Zivif web cameras CVE-2017-17104 (Fiyo CMS 2.0.7 has an arbitrary file read vulnerability in dapur/apps/ ...) NOT-FOR-US: Fiyo CMS CVE-2017-17103 (Fiyo CMS 2.0.7 has SQL injection in /apps/app_user/sys_user.php via $_ ...) NOT-FOR-US: Fiyo CMS CVE-2017-17102 (Fiyo CMS 2.0.7 has SQL injection in /system/site.php via $_REQUEST['li ...) NOT-FOR-US: Fiyo CMS CVE-2017-17101 (An issue was discovered in Apexis APM-H803-MPC software, as used with ...) NOT-FOR-US: Apexis CVE-2017-17100 RESERVED CVE-2017-17099 (There exists an unauthenticated SEH based Buffer Overflow vulnerabilit ...) NOT-FOR-US: Flexense SyncBreeze Enterprise CVE-2017-17098 (The writeLog function in fn_common.php in gps-server.net GPS Tracking ...) NOT-FOR-US: gps-server.net GPS Tracking Software CVE-2017-17097 (gps-server.net GPS Tracking Software (self hosted) 2.x has a password ...) NOT-FOR-US: gps-server.net GPS Tracking Software CVE-2017-17096 (Cross-site scripting (XSS) vulnerability in the Content Cards plugin b ...) NOT-FOR-US: Wordpress plugin CVE-2017-17090 (An issue was discovered in chan_skinny.c in Asterisk Open Source 13.18 ...) {DSA-4076-1 DLA-1225-1} - asterisk 1:13.18.3~dfsg-1 (bug #883342) NOTE: http://downloads.digium.com/pub/security/AST-2017-013.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27452 CVE-2017-17089 (custom/run.cgi in Webmin before 1.870 allows remote authenticated admi ...) 
- webmin CVE-2017-17091 (wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser k ...) {DSA-4090-1 DLA-1216-1} - wordpress 4.9.1+dfsg-1 (bug #883314) NOTE: https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c NOTE: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ CVE-2017-17093 (wp-includes/general-template.php in WordPress before 4.9.1 does not pr ...) {DSA-4090-1 DLA-1216-1} - wordpress 4.9.1+dfsg-1 (bug #883314) NOTE: https://github.com/WordPress/WordPress/commit/3713ac5ebc90fb2011e98dfd691420f43da6c09a NOTE: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ CVE-2017-17094 (wp-includes/feed.php in WordPress before 4.9.1 does not properly restr ...) {DSA-4090-1 DLA-1216-1} - wordpress 4.9.1+dfsg-1 (bug #883314) NOTE: https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de NOTE: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ CVE-2017-17092 (wp-includes/functions.php in WordPress before 4.9.1 does not require t ...) {DSA-4090-1 DLA-1216-1} - wordpress 4.9.1+dfsg-1 (bug #883314) NOTE: https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509 NOTE: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/ CVE-2017-17095 (tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to ...) {DSA-4349-1 DLA-2009-1} - tiff 4.0.9-5 (unimportant; bug #883320) - tiff3 (unimportant) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2750 NOTE: Crash in CLI tool not treated as a security issue NOTE: https://gitlab.com/libtiff/libtiff/commit/9171da596c88e6a2dadcab4a3a89dddd6e1b4655 CVE-2017-17088 (The Enterprise version of SyncBreeze 10.2.12 and earlier is affected b ...) NOT-FOR-US: SyncBreeze CVE-2017-17087 (fileio.c in Vim prior to 8.0.1263 sets the group ownership of a .swp f ...) 
{DLA-1871-1} - vim 2:8.0.1401-1 [stretch] - vim (Minor issue) [wheezy] - vim (Minor issue) NOTE: https://github.com/vim/vim/commit/5a73e0ca54c77e067c3b12ea6f35e3e8681e8cf8 (8.0.1263) CVE-2017-17086 (Indeo Otter through 1.7.4 mishandles a "</script>" substring in ...) NOT-FOR-US: Indeo Otter CVE-2017-17085 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the CIP Safety dissec ...) {DSA-4060-1 DLA-1226-1} - wireshark 2.4.3-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14250 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f5939debe96e3c3953c6020818f1fbb80eb83ce8 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-49.html CVE-2017-17084 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the IWARP_MPA dissect ...) {DSA-4060-1 DLA-1226-1} - wireshark 2.4.3-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14236 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=8502fe94ef9e431860921507e1a351c5e3f5c634 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-47.html CVE-2017-17083 (In Wireshark 2.4.0 to 2.4.2 and 2.2.0 to 2.2.10, the NetBIOS dissector ...) {DSA-4060-1 DLA-1226-1} - wireshark 2.4.3-1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14249 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=79768d63d14fbce6bf7fb4d4a1c86be0c5205eb3 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-48.html CVE-2017-17082 REJECTED CVE-2017-17081 (The gmc_mmx function in libavcodec/x86/mpegvideodsp.c in FFmpeg 2.3 an ...) {DSA-4099-1} - ffmpeg 7:3.4.1-1 NOTE: https://github.com/FFmpeg/FFmpeg/commit/58cf31cee7a456057f337b3102a03206d833d5e8 CVE-2017-17080 (elf.c in the Binary File Descriptor (BFD) library (aka libbfd), as dis ...) 
[experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22421 CVE-2017-17079 REJECTED CVE-2017-17078 REJECTED CVE-2017-17077 REJECTED CVE-2017-17076 REJECTED CVE-2017-17075 REJECTED CVE-2017-17074 REJECTED CVE-2017-17073 REJECTED CVE-2017-17072 REJECTED CVE-2017-17071 REJECTED CVE-2017-17070 REJECTED CVE-2017-17069 (ActiveSetupN.exe in Amazon Audible for Windows before November 2017 al ...) NOT-FOR-US: ActiveSetupN.exe in Amazon Audible for Windows CVE-2017-17068 (A cross-origin vulnerability has been discovered in the Auth0 auth0.js ...) NOT-FOR-US: Auth0 auth0.js library CVE-2017-17067 (Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before 6.6 ...) NOT-FOR-US: Splunk Web CVE-2017-17066 (The (1) i2pd before 2.17 and (2) kovri pre-alpha implementations of th ...) - i2pd (Fixed before/with the initial upload to Debian) NOTE: Issue fixed with 2.17.0 upstream CVE-2017-17065 (An issue was discovered on D-Link DIR-605L Model B before FW2.11betaB0 ...) NOT-FOR-US: D-Link CVE-2017-17064 RESERVED CVE-2017-17063 RESERVED CVE-2017-17062 (The backend component in Open-Xchange OX App Suite before 7.6.3-rev35, ...) NOT-FOR-US: Open-Xchange CVE-2017-17061 (OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross ...) NOT-FOR-US: OX Software GmbH OX App Suite CVE-2017-17060 (OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Insecu ...) NOT-FOR-US: OX Software GmbH OX App Suite CVE-2017-17059 (XSS exists in the amtyThumb amty-thumb-recent-post (aka amtyThumb post ...) NOT-FOR-US: WordPress plugin wp-thumb-post CVE-2017-1000385 (The Erlang otp TLS server answers with different TLS alerts to differe ...) 
{DSA-4057-1 DLA-1207-1} - erlang 1:20.1.7+dfsg-1 NOTE: https://groups.google.com/forum/#!topic/erlang-programming/J0LH-j6fRlM NOTE: https://github.com/erlang/otp/commit/38b07caa2a1c6cd3537eadd36770afa54f067562 (OTP-20.1.7) NOTE: https://github.com/erlang/otp/commit/3b4386dd19b7e669f557c95ace8d7ba228291927 (OTP-19.3.6.4) NOTE: https://github.com/erlang/otp/commit/de3b9cdb8521d7edd524b4e17d1e3f883f832ec0 (OTP-18.3.4.7) NOTE: https://robotattack.org/ CVE-2017-17058 (** DISPUTED ** The WooCommerce plugin through 3.x for WordPress has a ...) NOT-FOR-US: WooCommerce plugin for WordPress CVE-2017-17057 (There is a reflected XSS vulnerability in ZKTime Web 2.0.1.12280. The ...) NOT-FOR-US: ZKTeco ZKTime Web Software CVE-2017-17056 (The ZKTime Web Software 2.0.1.12280 allows the Administrator to elevat ...) NOT-FOR-US: ZKTeco ZKTime Web Software CVE-2017-17055 (Artica Web Proxy before 3.06.112911 allows remote attackers to execute ...) NOT-FOR-US: Artica Web Proxy CVE-2017-17054 (In aubio 0.4.6, a divide-by-zero error exists in the function new_aubi ...) - aubio 0.4.6-1 (bug #883355) [stretch] - aubio (Minor issue) [jessie] - aubio (Vulnerability introduced in 0.4.3) [wheezy] - aubio (Vulnerability introduced in 0.4.3) NOTE: https://github.com/aubio/aubio/issues/148 CVE-2017-17050 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17049 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-17048 RESERVED CVE-2017-17047 RESERVED CVE-2017-17043 (The Emag Marketplace Connector plugin 1.0.0 for WordPress has reflecte ...) NOT-FOR-US: Emag Marketplace Connector for WordPress CVE-2017-17053 (The init_new_context function in arch/x86/include/asm/mmu_context.h in ...) 
- linux 4.12.12-1 [stretch] - linux 4.9.47-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/ccd5b3235180eef3cfec337df1c8554ab151b5cc CVE-2017-17052 (The mm_init function in kernel/fork.c in the Linux kernel before 4.12. ...) - linux 4.12.12-1 [stretch] - linux 4.9.47-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/2b7e8665b4ff51c034c55df3cff76518d1a9ee3a CVE-2017-17042 (lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not ...) - yard 0.9.12-1 [stretch] - yard (Minor issue) [jessie] - yard (Minor issue) [wheezy] - yard (Minor issue) NOTE: Fixed by: https://github.com/lsegal/yard/commit/b0217b3e30dc53d057b1682506333335975e62b4 (0.9.11) CVE-2017-17041 RESERVED CVE-2017-17040 RESERVED CVE-2017-17039 RESERVED CVE-2017-17038 RESERVED CVE-2017-17037 RESERVED CVE-2017-17036 RESERVED CVE-2017-17035 RESERVED CVE-2017-17034 RESERVED CVE-2017-17033 (A buffer overflow vulnerability in password function in QNAP QTS versi ...) NOT-FOR-US: QNAP QTS CVE-2017-17032 (A buffer overflow vulnerability in password function in QNAP QTS versi ...) NOT-FOR-US: QNAP QTS CVE-2017-17031 (A buffer overflow vulnerability in password function in QNAP QTS versi ...) NOT-FOR-US: QNAP QTS CVE-2017-17030 (A buffer overflow vulnerability in login function in QNAP QTS version ...) NOT-FOR-US: QNAP QTS CVE-2017-17029 (A buffer overflow vulnerability in login function in QNAP QTS version ...) NOT-FOR-US: QNAP QTS CVE-2017-17028 (A buffer overflow vulnerability in external device function in QNAP QT ...) NOT-FOR-US: QNAP QTS CVE-2017-17027 (A buffer overflow vulnerability in FTP service in QNAP QTS version 4.2 ...) NOT-FOR-US: QNAP QTS CVE-2017-17045 (An issue was discovered in Xen through 4.9.x allowing HVM guest OS use ...) 
{DSA-4050-1 DLA-1559-1 DLA-1230-1} - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-247.html CVE-2017-17044 (An issue was discovered in Xen through 4.9.x allowing HVM guest OS use ...) {DSA-4050-1 DLA-1559-1 DLA-1230-1} - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-246.html CVE-2017-17046 (An issue was discovered in Xen through 4.9.x on the ARM platform allow ...) {DSA-4050-1 DLA-1549-1} - xen 4.8.2+xsa245-0+deb9u1 [wheezy] - xen (arm not supported) NOTE: https://xenbits.xen.org/xsa/advisory-245.html CVE-2017-17026 RESERVED CVE-2017-17025 RESERVED CVE-2017-17024 RESERVED CVE-2017-17023 (The Sophos UTM VPN endpoint interacts with client software provided by ...) NOT-FOR-US: Sophos IPSec Client and NCP "Secure Entry Client" CVE-2017-17022 RESERVED CVE-2017-17021 RESERVED CVE-2017-17020 (On D-Link DCS-5009 devices with firmware 1.08.11 and earlier, DCS-5010 ...) NOT-FOR-US: D-Link CVE-2017-17019 RESERVED CVE-2017-17018 RESERVED CVE-2017-17017 RESERVED CVE-2017-17016 RESERVED CVE-2017-17015 RESERVED CVE-2017-17014 RESERVED CVE-2017-17013 RESERVED CVE-2017-17012 RESERVED CVE-2017-17011 RESERVED CVE-2017-17010 (Untrusted search path vulnerability in Content Manager Assistant for P ...) NOT-FOR-US: Content Manager Assistant for PlayStation CVE-2017-17009 REJECTED CVE-2017-17008 REJECTED CVE-2017-17007 REJECTED CVE-2017-17006 REJECTED CVE-2017-17005 REJECTED CVE-2017-17004 REJECTED CVE-2017-17003 REJECTED CVE-2017-17002 REJECTED CVE-2017-17001 REJECTED CVE-2017-17000 REJECTED CVE-2017-16999 REJECTED CVE-2017-16998 REJECTED CVE-2017-16997 (elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2 ...) 
- glibc 2.25-6 (bug #884615) [stretch] - glibc 2.24-11+deb9u4 [jessie] - glibc (Minor issue) - eglibc [wheezy] - eglibc (Minor issue) NOTE: Upstream bug: https://sourceware.org/bugzilla/show_bug.cgi?id=22625 NOTE: Proposed patch: https://sourceware.org/ml/libc-alpha/2017-12/msg00528.html CVE-2017-16996 (kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local ...) - linux 4.14.7-1 [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/0c17d1d2c61936401f4702e1846e2c19b200f958 CVE-2017-16995 (The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel ...) {DSA-4073-1} - linux 4.14.7-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/95a762e2c8c942780948091f8f2a4f32fce1ac6f CVE-2017-1001004 (typed-function before 0.10.6 had an arbitrary code execution in the Ja ...) NOT-FOR-US: typed-function CVE-2017-1001003 (math.js before 3.17.0 had an issue where private properties such as a ...) NOT-FOR-US: math.js CVE-2017-1001002 (math.js before 3.17.0 had an arbitrary code execution in the JavaScrip ...) NOT-FOR-US: math.js CVE-2017-1000214 (GitPHP by xiphux is vulnerable to OS Command Injections ...) NOT-FOR-US: GitPHP CVE-2017-1000207 (A vulnerability in Swagger-Parser's version <= 1.0.30 and Swagger c ...) NOT-FOR-US: Swagger-Parser CVE-2017-1000159 (Command injection in evince via filename when printing to PDF. This af ...) 
{DSA-4624-1 DLA-1882-1 DLA-1881-1 DLA-1204-1} - atril 1.20.0-1 (low) [stretch] - atril 1.16.1-2+deb9u2 - evince 3.25.92-1 (low) [stretch] - evince (Minor issue) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=784947 NOTE: Introduced by: https://git.gnome.org/browse/evince/commit/?id=1fcca0b8041de0d6074d7e17fba174da36c65f99 (EVINCE_0_9_1) NOTE: Fixed by: https://git.gnome.org/browse/evince/commit/?id=350404c76dc8601e2cdd2636490e2afc83d3090e (3.25.91) CVE-2017-16994 (The walk_hugetlb_range function in mm/pagewalk.c in the Linux kernel b ...) - linux 4.14.2-1 [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code introduced in 4.0) [wheezy] - linux (Vulnerable code introduced in 4.0) NOTE: Fixed by: https://git.kernel.org/linus/373c4557d2aa362702c4c2d41288fb1e54990b7c (4.15-rc1) CVE-2017-16993 REJECTED CVE-2017-16992 REJECTED CVE-2017-16991 REJECTED CVE-2017-16990 REJECTED CVE-2017-16989 REJECTED CVE-2017-16988 REJECTED CVE-2017-16987 REJECTED CVE-2017-16986 REJECTED CVE-2017-16985 REJECTED CVE-2017-16984 REJECTED CVE-2017-16983 REJECTED CVE-2017-16982 REJECTED CVE-2017-16981 REJECTED CVE-2017-16980 REJECTED CVE-2017-16979 REJECTED CVE-2017-16978 REJECTED CVE-2017-16977 REJECTED CVE-2017-16976 REJECTED CVE-2017-16975 REJECTED CVE-2017-16974 REJECTED CVE-2017-16973 REJECTED CVE-2017-16972 REJECTED CVE-2017-16971 REJECTED CVE-2017-16970 REJECTED CVE-2017-16969 REJECTED CVE-2017-16968 REJECTED CVE-2017-16967 REJECTED CVE-2017-16966 REJECTED CVE-2017-16965 REJECTED CVE-2017-16964 REJECTED CVE-2017-16963 RESERVED CVE-2017-16962 (The WebMail components (Crystal, pronto, and pronto4) in CommuniGate P ...) NOT-FOR-US: CommuniGate Pro CVE-2017-16961 (A SQL injection vulnerability in core/inc/auto-modules.php in BigTree ...) NOT-FOR-US: BigTree CMS CVE-2017-16960 (TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authentic ...) NOT-FOR-US: TP-Link CVE-2017-16959 (The locale feature in cgi-bin/luci on TP-Link TL-WVR, TL-WAR, TL-ER, a ...) 
NOT-FOR-US: TP-Link CVE-2017-16958 (TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authentic ...) NOT-FOR-US: TP-Link CVE-2017-16957 (TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authentic ...) NOT-FOR-US: TP-Link CVE-2017-16956 (b3log Symphony (aka Sym) 2.2.0 allows an XSS attack by sending a priva ...) NOT-FOR-US: b3log Symphony CVE-2017-16955 (SQL injection vulnerability in the InLinks plugin through 1.1 for Word ...) NOT-FOR-US: InLinks plugin for WordPress CVE-2017-16954 RESERVED CVE-2017-16953 (connoppp.cgi on ZTE ZXDSL 831CII devices does not require HTTP Basic A ...) NOT-FOR-US: ZTE CVE-2017-16952 (KMPlayer 4.2.2.4 allows remote attackers to cause a denial of service ...) NOT-FOR-US: K-Multimedia Player CVE-2017-16951 (Winamp Pro 5.66 Build 3512 allows remote attackers to cause a denial o ...) NOT-FOR-US: Winamp CVE-2017-16950 (Cross - site scripting (XSS) vulnerability in UrBackup Server before 2 ...) - urbackup-server (bug #697325) CVE-2017-16949 (An issue was discovered in the AccessKeys AccessPress Anonymous Post P ...) NOT-FOR-US: AccessKeys AccessPress Anonymous Post Pro plugin for WordPress CVE-2017-16948 (TG Soft Vir.IT eXplorer Lite 8.5.42 allows local users to cause a deni ...) NOT-FOR-US: TG Soft Vir.IT eXplorer Lite CVE-2017-16947 RESERVED CVE-2017-16946 (The admin_edit function in app/Controller/UsersController.php in MISP ...) NOT-FOR-US: MISP CVE-2017-16945 (The standardrestorer binary in Arq 5.10 and earlier for Mac allows loc ...) NOT-FOR-US: standardrestorer binary in Arq CVE-2017-16942 (In libsndfile 1.0.25 (fixed in 1.0.26), a divide-by-zero error exists ...) - libsndfile 1.0.27-1 [jessie] - libsndfile (Minor issue) [wheezy] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/341 CVE-2017-16944 (The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 ...) 
{DSA-4053-1} - exim4 4.89-13 (bug #882671) [jessie] - exim4 (ESMTP CHUNKING extension introduced in 4.88) [wheezy] - exim4 (ESMTP CHUNKING extension introduced in 4.88) NOTE: https://bugs.exim.org/show_bug.cgi?id=2201 NOTE: https://git.exim.org/exim.git/commitdiff/178ecb70987f024f0e775d87c2f8b2cf587dd542 NOTE: https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html NOTE: 4.89-10 adds a workaround which disables the affected code by default CVE-2017-16943 (The receive_msg function in receive.c in the SMTP daemon in Exim 4.88 ...) {DSA-4053-1} - exim4 4.89-12 (bug #882648) [jessie] - exim4 (ESMTP CHUNKING extension introduced in 4.88) [wheezy] - exim4 (ESMTP CHUNKING extension introduced in 4.88) NOTE: https://bugs.exim.org/show_bug.cgi?id=2199 NOTE: https://git.exim.org/exim.git/commitdiff/4e6ae6235c68de243b1c2419027472d7659aa2b4 NOTE: https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html NOTE: https://twitter.com/philpennock/status/934270613811875840 NOTE: 4.89-10 adds a workaround which disables the affected code by default CVE-2017-16941 (** DISPUTED ** October CMS through 1.0.428 does not prevent use of .ht ...) NOT-FOR-US: October CMS CVE-2017-16940 RESERVED CVE-2017-16939 (The XFRM dump policy implementation in net/xfrm/xfrm_user.c in the Lin ...) {DSA-4082-1 DLA-1200-1} - linux 4.13.13-1 [stretch] - linux 4.9.65-1 NOTE: Fixed by: https://git.kernel.org/linus/1137b5e2529a8f5ca8ee709288ecba3e68044df2 CVE-2017-16938 (A global buffer overflow in OptiPNG 0.7.6 allows remote attackers to c ...) {DSA-4058-1 DLA-1196-1} - optipng 0.7.6-1.1 (bug #878839) NOTE: https://sourceforge.net/p/optipng/bugs/69/ CVE-2017-16937 RESERVED CVE-2017-16936 (Directory Traversal vulnerability in app_data_center on Shenzhen Tenda ...) NOT-FOR-US: Shenzhen Tenda CVE-2017-16935 (Ametys before 4.0.3 requires authentication only for URIs containing a ...) 
NOT-FOR-US: Ametys CMS CVE-2017-16934 (The web server on DBL DBLTek devices allows remote attackers to execut ...) NOT-FOR-US: DBL DBLTek devices CVE-2017-16933 (etc/initsystem/prepare-dirs in Icinga 2.x through 2.8.1 has a chown ca ...) - icinga2 2.8.4-1 (low; bug #883247) [stretch] - icinga2 (Minor issue) [jessie] - icinga2 (Minor issue) NOTE: https://github.com/Icinga/icinga2/issues/5793 NOTE: CVE is for the unsafe use of chown(1) CVE-2017-16932 (parser.c in libxml2 before 2.9.5 does not prevent infinite recursion i ...) {DLA-1194-1} [experimental] - libxml2 2.9.7+dfsg-1 - libxml2 2.9.10+dfsg-2 (bug #882613) [buster] - libxml2 (Minor issue; too intrusive to backport) [stretch] - libxml2 (Minor issue; too intrusive to backport) [jessie] - libxml2 (Minor issue; too intrusive to backport) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=759579 NOTE: https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961 NOTE: Applying only 899a5d9f0ed13b8e32449a08a361e0de127dd961 does not completely NOTE: fix the issue, see https://bugs.debian.org/882613#12 for discussion. CVE-2017-16931 (parser.c in libxml2 before 2.9.5 mishandles parameter-entity reference ...) {DLA-1194-1} - libxml2 2.9.4+dfsg1-3.1 [stretch] - libxml2 2.9.4+dfsg1-2.2+deb9u1 [jessie] - libxml2 2.9.1+dfsg1-5+deb8u5 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=766956 NOTE: https://github.com/GNOME/libxml2/commit/e26630548e7d138d2c560844c43820b6767251e3 NOTE: Not a duplicate but a variant of the issue of CVE-2017-9049 and CVE-2017-9050 CVE-2017-16930 (The remote management interface on the Claymore Dual GPU miner 10.1 al ...) NOT-FOR-US: Claymore's Dual Ethereum+Decred AMD+NVIDIA GPU Miner CVE-2017-16929 (The remote management interface on the Claymore Dual GPU miner 10.1 is ...) NOT-FOR-US: Claymore's Dual Ethereum+Decred AMD+NVIDIA GPU Miner CVE-2017-16928 (The arq_updater binary in Arq 5.10 and earlier for Mac allows local us ...) 
NOT-FOR-US: arq_updater binary in Arq CVE-2017-16927 (The scp_v0s_accept function in sesman/libscp/libscp_v0.c in the sessio ...) {DLA-1203-1} - xrdp 0.9.4-3 (bug #882463) [stretch] - xrdp 0.9.1-9+deb9u2 [jessie] - xrdp (Minor issue) NOTE: Proposed pull request: https://github.com/neutrinolabs/xrdp/pull/958 NOTE: https://groups.google.com/forum/#!topic/xrdp-devel/PmVfMuy_xBA NOTE: Originally fixed with upstream patch in 0.9.4-2 but which caused regression NOTE: thus marking it only as fixed in the followup version, cf. #884702 CVE-2017-16926 (Ohcount 3.0.0 is prone to a command injection via specially crafted fi ...) - ohcount 3.1.0-1 (bug #882372) [stretch] - ohcount (Minor issue) [jessie] - ohcount (Minor issue) [wheezy] - ohcount (Minor issue) NOTE: https://github.com/blackducksoftware/ohcount/commit/6bed45d6fb7c080ae5c163c12b4eb8749a3492ac (v3.1.0) CVE-2017-16925 RESERVED CVE-2017-16924 (Remote Information Disclosure and Escalation of Privileges in ManageEn ...) NOT-FOR-US: ManageEngine Desktop Central CVE-2017-16923 (Command Injection vulnerability in app_data_center on Shenzhen Tenda A ...) NOT-FOR-US: Shenzhen Tenda CVE-2017-16922 (In com.wowza.wms.timedtext.http.HTTPProviderCaptionFile in Wowza Strea ...) NOT-FOR-US: Wowza CVE-2017-16921 (In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and includin ...) {DSA-4066-1 DLA-1212-1} - otrs2 6.0.2-1 (bug #883774) NOTE: https://www.otrs.com/security-advisory-2017-09-security-update-otrs-framework/ NOTE: https://bugs.otrs.org/show_bug.cgi?id=13357 NOTE: OTRS-6: https://github.com/OTRS/otrs/commit/d12797bf1efa6722c2ba9af6d8238446c2903cd1 NOTE: OTRS-5: https://github.com/OTRS/otrs/commit/d433518d7bd8e9e079af67ef9ea7079cd2f59646 NOTE: OTRS-4: https://github.com/OTRS/otrs/commit/368bc37f137e6344f4db014ee2e03c38e2fc62d2 NOTE: OTRS-4: https://github.com/OTRS/otrs/commit/4043ebb2580cd8f87e7758e95bf0d77eea5c82ae CVE-2017-16920 (v5/config/system.php in dayrui FineCms 5.2.0 has a default SYS_KEY val ...) 
NOT-FOR-US: dayrui FineCms CVE-2017-16919 (MapOS 3.1.11 and earlier has a Stored Cross-site Scripting (XSS) vulne ...) NOT-FOR-US: MapOS CVE-2017-16918 RESERVED CVE-2017-16917 RESERVED CVE-2017-16916 RESERVED CVE-2017-16915 RESERVED CVE-2017-16914 (The "stub_send_ret_submit()" function (drivers/usb/usbip/stub_tx.c) in ...) {DSA-4187-1 DLA-1369-1} - linux 4.14.12-1 [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/be6123df1ea8f01ee2f896a16c2b7be3e4557a5a CVE-2017-16913 (The "stub_recv_cmd_submit()" function (drivers/usb/usbip/stub_rx.c) in ...) {DSA-4187-1 DLA-1369-1} - linux 4.14.12-1 [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/c6688ef9f29762e65bce325ef4acd6c675806366 CVE-2017-16912 (The "get_pipe()" function (drivers/usb/usbip/stub_rx.c) in the Linux K ...) {DSA-4187-1 DLA-1369-1} - linux 4.14.12-1 [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/635f545a7e8be7596b9b2b6a43cab6bbd5a88e43 CVE-2017-16911 (The vhci_hcd driver in the Linux Kernel before version 4.14.8 and 4.4. ...) {DSA-4187-1 DLA-1369-1} - linux 4.14.12-1 [stretch] - linux 4.9.80-1 NOTE: Fixed by: https://git.kernel.org/linus/2f2d0088eb93db5c649d2a5e34a3800a8a935fc5 CVE-2017-16910 (An error within the "LibRaw::xtrans_interpolate()" function (internal/ ...) - libraw 0.18.6-1 [stretch] - libraw (Minor issue) [jessie] - libraw (Minor issue) [wheezy] - libraw (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-19 NOTE: https://github.com/LibRaw/LibRaw/commit/2f59bac59dbcbf6bbcf01a9f3eed74307e96ca7e CVE-2017-16909 (An error related to the "LibRaw::panasonic_load_raw()" function (dcraw ...) 
- libraw 0.18.6-1 [stretch] - libraw (Minor issue) [jessie] - libraw (Minor issue) [wheezy] - libraw (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-19 NOTE: https://github.com/LibRaw/LibRaw/commit/2f59bac59dbcbf6bbcf01a9f3eed74307e96ca7e CVE-2017-16908 (In Horde Groupware 5.2.19, there is XSS via the Name field during crea ...) {DLA-2350-1} - php-horde-kronolith 4.2.24-1 (bug #909738) [jessie] - php-horde-kronolith (vulnerable code not present) NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html NOTE: https://bugs.horde.org/ticket/14857 NOTE: https://github.com/horde/kronolith/commit/39f740068ad21618f6f70b6e37855c61cadbd716 CVE-2017-16907 (In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the Color field ...) {DLA-2349-1 DLA-2348-1 DLA-1536-1 DLA-1535-1} - php-horde 5.2.18+debian0-1 (bug #909739) - php-horde-core 2.31.3+debian0-1 (bug #909800) NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html NOTE: https://bugs.horde.org/ticket/14857 NOTE: php-horde: https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230 NOTE: php-horde-core: https://github.com/horde/Core/commit/ecea6ea740419e19122a50579ba2903c1cb71d7a CVE-2017-16906 (In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL field in a ...) {DLA-2351-1 DLA-1537-1} - php-horde-kronolith 4.2.24-1 (bug #909737) NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html NOTE: https://bugs.horde.org/ticket/14857 NOTE: https://github.com/horde/kronolith/commit/09d90141292f9ec516a7a2007bf828ce2bbdf60d CVE-2017-16905 (The DuoLingo TinyCards application before 1.0 for Android has one use ...) NOT-FOR-US: DuoLingo TinyCards application CVE-2017-16904 (The Public tologin feature in admin.php in LvyeCMS through 3.1 allows ...) NOT-FOR-US: LvyeCMS CVE-2017-16903 (LvyeCMS through 3.1 allows remote attackers to upload and execute arbi ...) 
NOT-FOR-US: LvyeCMS CVE-2017-16902 (On the Vonage VDV-23 115 3.2.11-0.9.40 home router, sending a long str ...) NOT-FOR-US: Vonage VDV-23 115 3.2.11-0.9.40 home router CVE-2017-16901 RESERVED CVE-2017-16900 (Incorrect Access Control in Hunesion i-oneNet 3.0.6042.1200 allows the ...) NOT-FOR-US: Hunesion i-oneNet CVE-2017-16899 (An array index error in the fig2dev program in Xfig 3.2.6a allows remo ...) - fig2dev 1:3.2.6a-5 (bug #881143) [stretch] - fig2dev 1:3.2.6a-2+deb9u1 - transfig [jessie] - transfig 1:3.2.5.e-4+deb8u1 [wheezy] - transfig (Minor issue) CVE-2017-16898 (The printMP3Headers function in util/listmp3.c in libming v0.4.8 or ea ...) {DLA-1240-1} - ming NOTE: https://github.com/libming/libming/issues/75 CVE-2017-16897 (A vulnerability has been discovered in the Auth0 passport-wsfed-saml2 ...) NOT-FOR-US: Auth0 passport-wsfed-saml2 library CVE-2017-16896 (A SQL injection in classes/handler/public.php in the forgotpass compon ...) - tt-rss 17.4+git20180312+dfsg-1 (bug #882543) NOTE: https://discourse.tt-rss.org/t/sql-injection-in-forgotpass-fixed/669 NOTE: https://git.tt-rss.org/git/tt-rss/commit/2352c320c2ed34ec7df1ad22f0c55a1b26489815 CVE-2017-16895 (The (1) arq_updater, (2) arqcommitter, (3) standardrestorer, (4) arqgl ...) NOT-FOR-US: Arq CVE-2017-16894 (In Laravel framework through 5.5.21, remote attackers can obtain sensi ...) NOT-FOR-US: Laravel framework CVE-2017-16893 (The application Piwigo is affected by an SQL injection vulnerability i ...) - piwigo CVE-2017-16892 (In Bftpd before 4.7, there is a memory leak in the file rename functio ...) - bftpd (bug #640469) NOTE: http://bftpd.sourceforge.net/news.html#032390 CVE-2017-16891 RESERVED CVE-2017-16890 (SWFTools 0.9.2 has a divide-by-zero error in the wav_convert2mono func ...) 
- swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/57 NOTE: Crash in CLI tool, no security impact CVE-2017-16889 RESERVED CVE-2017-16888 RESERVED CVE-2017-16887 (The portal on FiberHome Mobile WIFI Device Model LM53Q1 VH519R05C01S38 ...) NOT-FOR-US: FiberHome Mobile WIFI Device Model LM53Q1 VH519R05C01S38 CVE-2017-16886 (The portal on FiberHome Mobile WIFI Device Model LM53Q1 VH519R05C01S38 ...) NOT-FOR-US: FiberHome Mobile WIFI Device Model LM53Q1 VH519R05C01S38 CVE-2017-16885 (Improper Permissions Handling in the Portal on FiberHome LM53Q1 VH519R ...) NOT-FOR-US: FiberHome LM53Q1 VH519R05C01S38 devices CVE-2017-1000407 (The Linux Kernel 2.6.32 and later are affected by a denial of service, ...) {DSA-4082-1 DSA-4073-1 DLA-1200-1} - linux 4.14.7-1 NOTE: https://www.spinics.net/lists/kvm/msg159809.html CVE-2017-1000406 (OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache after a passw ...) NOT-FOR-US: OpenDayLight CVE-2017-1000405 (The Linux Kernel versions 2.6.38 through 4.14 have a problematic use o ...) - linux 4.14.2-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 [wheezy] - linux (vulnerable code not present, cf. kernel-sec information) NOTE: Fixed by: https://git.kernel.org/linus/a8f97366452ed491d13cf1e44241bc0b5740b1f0 NOTE: https://www.openwall.com/lists/oss-security/2017/11/30/1 NOTE: https://github.com/bindecy/HugeDirtyCowPOC CVE-2017-1000404 (The Jenkins Delivery Pipeline Plugin version 1.0.7 and earlier used th ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000403 (Jenkins Speaks! Plugin, all current versions, allows users with Job/Co ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000402 (Jenkins Swarm Plugin Client 3.4 and earlier bundled a version of the c ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000401 (The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control ...) - jenkins CVE-2017-1000400 (The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /job/(j ...) 
- jenkins CVE-2017-1000399 (The Jenkins 2.73.1 and earlier, 2.83 and earlier remote API at /queue/ ...) - jenkins CVE-2017-1000398 (The remote API in Jenkins 2.73.1 and earlier, 2.83 and earlier at /com ...) - jenkins CVE-2017-1000397 (Jenkins Maven Plugin 2.17 and earlier bundled a version of the commons ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000396 (Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the ...) - jenkins CVE-2017-1000395 (Jenkins 2.73.1 and earlier, 2.83 and earlier provides information abou ...) - jenkins CVE-2017-1000394 (Jenkins 2.73.1 and earlier, 2.83 and earlier bundled a version of the ...) - jenkins CVE-2017-1000393 (Jenkins 2.73.1 and earlier, 2.83 and earlier users with permission to ...) - jenkins CVE-2017-1000392 (Jenkins 2.88 and earlier; 2.73.2 and earlier Autocompletion suggestion ...) - jenkins CVE-2017-1000391 (Jenkins versions 2.88 and earlier and 2.73.2 and earlier stores metada ...) - jenkins CVE-2017-1000390 (Jenkins Multijob plugin version 1.25 and earlier did not check permiss ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000389 (Some URLs provided by Jenkins global-build-stats plugin version 1.4 an ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000388 (Jenkins Dependency Graph Viewer plugin 0.12 and earlier did not perfor ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000387 (Jenkins Build-Publisher plugin version 1.21 and earlier stores credent ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000386 (Jenkins Active Choices plugin version 1.5.3 and earlier allowed users ...) NOT-FOR-US: Jenkins plugin CVE-2017-16884 (Cross-site scripting (XSS) vulnerability in MistServer before 2.13 all ...) NOT-FOR-US: MistServer CVE-2017-16883 (The outputSWF_TEXT_RECORD function in util/outputscript.c in libming & ...) {DLA-1240-1} - ming NOTE: https://github.com/libming/libming/issues/77 CVE-2017-16882 (Icinga Core through 1.14.0 initially executes bin/icinga as root but s ...) 
- icinga (Doesn't affect Icinga 1.x as packaged in Debian) NOTE: https://github.com/Icinga/icinga-core/issues/1601 NOTE: State is not fully correct, since "affected" source would be there, NOTE: But Debian does not install the binaries nor configuration files as NOTE: respective icinga user. CVE-2017-16881 (b3log Symphony (aka Sym) 2.2.0 does not properly address XSS in JSON o ...) NOT-FOR-US: b3log Symphony CVE-2017-16880 (The dump function in Util/TemplateHelper.php in filp whoops before 2.1 ...) NOT-FOR-US: filp whoops CVE-2017-1000230 (The Snap7 Server version 1.4.1 can be crashed when the ItemCount field ...) NOT-FOR-US: Snap7 Server CVE-2017-1000227 (Stored XSS in Salutation Responsive WordPress + BuddyPress Theme versi ...) NOT-FOR-US: Wordpress plugin CVE-2017-1000221 (In Opencast 2.2.3 and older if user names overlap, the Opencast search ...) NOT-FOR-US: Opencast CVE-2017-1000217 (Opencast 2.3.2 and older versions are vulnerable to script injections ...) NOT-FOR-US: Opencast CVE-2017-1000190 (SimpleXML (latest version 2.7.1) is vulnerable to an XXE vulnerability ...) - simple-xml 2.7.1-3 (low; bug #888547) [stretch] - simple-xml (Minor issue) [jessie] - simple-xml (Minor issue) [wheezy] - simple-xml (Minor issue) NOTE: https://github.com/ngallagher/simplexml/issues/18 NOTE: Fixing commit in a new fork of the library (which is renamed simple-xml-safe): NOTE: https://github.com/dweiss/simplexml/commit/c8d4b4310549bfaf6dc0a20abea7fbcca6e51edd CVE-2017-1000163 (The Phoenix Framework versions 1.0.0 through 1.0.4, 1.1.0 through 1.1. ...) NOT-FOR-US: Phoenix Framework CVE-2017-1000128 (Exiv2 0.26 contains a stack out of bounds read in JPEG2000 parser ...) - exiv2 (Vulnerable code introduced in 0.26; only affected experimental) NOTE: https://www.openwall.com/lists/oss-security/2017/06/30/1 NOTE: https://github.com/Exiv2/exiv2/issues/177 CVE-2017-1000127 (Exiv2 0.26 contains a heap buffer overflow in tiff parser ...) 
- exiv2 (Vulnerable code introduced after 0.25; only affected experimental; bug #888863) NOTE: https://www.openwall.com/lists/oss-security/2017/06/30/1 NOTE: https://github.com/Exiv2/exiv2/issues/176 CVE-2017-1000126 (exiv2 0.26 contains a Stack out of bounds read in webp parser ...) - exiv2 (WebP support introduced in 0.26; only affected experimental; bug #888864) NOTE: https://www.openwall.com/lists/oss-security/2017/06/30/1 NOTE: https://github.com/Exiv2/exiv2/issues/175 CVE-2017-16879 (Stack-based buffer overflow in the _nc_write_entry function in tinfo/w ...) - ncurses 6.0+20171125-1 (bug #882620) [stretch] - ncurses 6.0+20161126-1+deb9u2 [jessie] - ncurses 5.9+20140913-1+deb8u3 [wheezy] - ncurses (Minor issue) NOTE: PoC https://packetstormsecurity.com/files/download/145045/tic-overflow.tgz NOTE: http://invisible-island.net/ncurses/NEWS.html#t20171125 CVE-2017-16878 (Cross-site scripting (XSS) vulnerability in the Captive Portal functio ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-16877 (ZEIT Next.js before 2.4.1 has directory traversal under the /_next and ...) NOT-FOR-US: ZEIT Next.js CVE-2017-16876 (Cross-site scripting (XSS) vulnerability in the _keyify function in mi ...) - mistune 0.8.1-1 [stretch] - mistune (Minor issue) NOTE: https://github.com/lepture/mistune/commit/5f06d724bc05580e7f203db2d4a4905fc1127f98 CVE-2017-16875 (An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in P ...) {DSA-4170-1} - pjproject 2.7.1~dfsg-1 [jessie] - pjproject (Minor issue) NOTE: https://trac.pjsip.org/repos/ticket/2055 NOTE: https://trac.pjsip.org/repos/changeset/5680 NOTE: In jessie Asterisk doesn't use pjproject for SIP (only for ICE, STUN and TURN) CVE-2017-16874 RESERVED CVE-2017-16873 (It is possible to exploit an unsanitized PATH in the suid binary that ...) NOT-FOR-US: vagrant-vmware-fusion CVE-2017-1000233 REJECTED CVE-2017-1000222 REJECTED CVE-2017-1000215 (ROOT xrootd version 4.6.0 and below is vulnerable to an unauthenticate ...) 
- xrootd (Fixed with first upload to Debian) CVE-2017-1000212 (Elixir's vim plugin, alchemist.vim is vulnerable to remote code execut ...) NOT-FOR-US: Elixir's vim plugin CVE-2017-1000211 (Lynx before 2.8.9dev.16 is vulnerable to a use after free in the HTML ...) {DLA-1175-1} - lynx 2.8.9dev16-1 [stretch] - lynx (Minor issue) - lynx-cur [jessie] - lynx-cur (Minor issue) NOTE: https://github.com/ThomasDickey/lynx-snapshots/commit/280a61b300a1614f6037efc0902ff7ecf17146e9 CVE-2017-1000206 (samtools htslib library version 1.4.0 and earlier is vulnerable to buf ...) - htslib 1.4.1-1 [stretch] - htslib (Minor issue) [jessie] - htslib (Minor issue) CVE-2017-1000204 REJECTED CVE-2017-1000203 (ROOT version 6.9.03 and below is vulnerable to an authenticated shell ...) - root-system [jessie] - root-system (Minor issue) [wheezy] - root-system (Minor issue as it's restricted to authenticated users) NOTE: https://github.com/root-project/root/commit/88ccff152604e0f1012653a596d802ff7ede3145#diff-6cd6f6c31bac70116b7ca7abdc8e517e CVE-2017-1000192 (Cygnux sysPass version 2.1.7 and older is vulnerable to a Local File I ...) NOT-FOR-US: Cygnux sysPass CVE-2017-1000191 (Jool 3.5.0-3.5.1 is vulnerable to a kernel crashing packet resulting i ...) NOT-FOR-US: Jool CVE-2017-1000170 (jqueryFileTree 2.1.5 and older Directory Traversal ...) NOT-FOR-US: jqueryFileTree CVE-2017-1000169 (QuickerBB version <= 0.7.2 is vulnerable to arbitrary file writes w ...) NOT-FOR-US: QuickerBB CVE-2017-1000168 (sodiumoxide 0.0.13 and older scalarmult() vulnerable to degenerate pub ...) NOT-FOR-US: sodiumoxide CVE-2017-1000161 REJECTED CVE-2017-16872 (An issue was discovered in Teluu pjproject (pjlib and pjlib-util) in P ...) 
{DSA-4170-1} - pjproject 2.7.1~dfsg-1 [jessie] - pjproject (Minor issue) NOTE: https://trac.pjsip.org/repos/ticket/2056 NOTE: https://trac.pjsip.org/repos/changeset/5682 NOTE: In jessie Asterisk doesn't use pjproject for SIP (only for ICE, STUN and TURN) CVE-2017-16871 (** DISPUTED ** The UpdraftPlus plugin through 1.13.12 for WordPress al ...) NOT-FOR-US: UpdraftPlus plugin for WordPress CVE-2017-16870 (** DISPUTED ** The UpdraftPlus plugin through 1.13.12 for WordPress ha ...) NOT-FOR-US: UpdraftPlus plugin for WordPress CVE-2017-16869 (** DISPUTED ** p_mach.cpp in UPX 3.94 allows remote attackers to cause ...) - upx-ucl 3.94-4 (bug #882041; unimportant) NOTE: https://github.com/upx/upx/issues/146 NOTE: crash in CLI tool, no security impact CVE-2017-16868 (In SWFTools 0.9.2, the wav_convert2mono function in lib/wav.c does not ...) - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/52 NOTE: Crash in CLI tool, no security impact CVE-2017-16867 (Amazon Key through 2017-11-16 mishandles Cloud Cam 802.11 deauthentica ...) NOT-FOR-US: Amazon Key CVE-2017-1000248 (Redis-store <=v1.3.0 allows unsafe objects to be loaded from redis ...) - ruby-redis-store 1.1.6-2 (bug #882034) [stretch] - ruby-redis-store 1.1.6-1+deb9u1 NOTE: https://github.com/redis-store/redis-store/commit/e0c1398d54a9661c8c70267c3a925ba6b192142e CVE-2017-1000247 (British Columbia Institute of Technology CodeIgniter 3.1.3 is vulnerab ...) - codeigniter (bug #471583) CVE-2017-1000246 (Python package pysaml2 version 4.4.0 and earlier reuses the initializa ...) - python-pysaml2 4.5.0-4 (bug #882012) [stretch] - python-pysaml2 (Minor issue) [jessie] - python-pysaml2 (Minor issue) NOTE: https://github.com/rohe/pysaml2/issues/417 NOTE: https://github.com/c00kiemon5ter/pysaml2/commit/7323f5c20efb59424d853c822e7a26d1aa3e84aa CVE-2017-1000241 (The application OpenEMR version 5.0.0, 5.0.1-dev and prior is affected ...) 
NOT-FOR-US: OpenEMR CVE-2017-1000240 (The application OpenEMR is affected by multiple reflected & stored ...) NOT-FOR-US: OpenEMR CVE-2017-1000239 (InvoicePlane version 1.4.10 is vulnerable to a Stored Cross Site Scrip ...) NOT-FOR-US: InvoicePlane CVE-2017-1000238 (InvoicePlane version 1.4.10 is vulnerable to a Arbitrary File Upload r ...) NOT-FOR-US: InvoicePlane CVE-2017-1000237 (I, Librarian version <=4.6 & 4.7 is vulnerable to Server-Side R ...) - i-librarian (bug #649291) CVE-2017-1000236 (I, Librarian version <=4.6 & 4.7 is vulnerable to Reflected Cro ...) - i-librarian (bug #649291) CVE-2017-1000235 (I, Librarian version <=4.6 & 4.7 is vulnerable to OS Command In ...) - i-librarian (bug #649291) CVE-2017-1000234 (I, Librarian version <=4.6 & 4.7 is vulnerable to Directory Enu ...) - i-librarian (bug #649291) CVE-2017-1000232 (A double-free vulnerability in str2host.c in ldns 1.7.0 have unspecifi ...) - ldns 1.7.0-4 (bug #882014) [stretch] - ldns (Minor issue) [jessie] - ldns (Minor issue) [wheezy] - ldns (Vulnerable code not present) NOTE: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1257 NOTE: https://git.nlnetlabs.nl/ldns/commit/?id=3bdeed02505c9bbacb3b64a97ddcb1de967153b7 CVE-2017-1000231 (A double-free vulnerability in parse.c in ldns 1.7.0 have unspecified ...) {DLA-1182-1} - ldns 1.7.0-4 (bug #882015) [stretch] - ldns (Minor issue) [jessie] - ldns (Minor issue) NOTE: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1256 NOTE: https://git.nlnetlabs.nl/ldns/commit/?id=c8391790c96d4c8a2c10f9ab1460fda83b509fc2 CVE-2017-1000229 (Integer overflow bug in function minitiff_read_info() of optipng 0.7.6 ...) 
{DSA-4058-1 DLA-1184-1} - optipng 0.7.6-1.1 (bug #882032) NOTE: https://sourceforge.net/p/optipng/bugs/65/ NOTE: Proposed patch: https://sourceforge.net/p/optipng/bugs/_discuss/thread/2a56b3aa/f6bb/attachment/0001-Prevent-integer-overflow-bug-65-CVE-2017-1000229.patch CVE-2017-1000228 (nodejs ejs versions older than 2.5.3 is vulnerable to remote code exec ...) NOT-FOR-US: nodejs ejs CVE-2017-1000226 (Stop User Enumeration 1.3.8 allows user enumeration via the REST API ...) NOT-FOR-US: Wordpress plugin CVE-2017-1000225 (Reflected XSS in Relevanssi Premium version 1.14.8 when using relevans ...) NOT-FOR-US: Relevanssi CVE-2017-1000224 (CSRF in YouTube (WordPress plugin) could allow unauthenticated attacke ...) NOT-FOR-US: Wordpress plugin CVE-2017-1000223 (A stored web content injection vulnerability (WCI, a.k.a XSS) is prese ...) NOT-FOR-US: MODX Revolution CVE-2017-1000220 (soyuka/pidusage <=1.1.4 is vulnerable to command injection in the m ...) NOT-FOR-US: soyuka/pidusage CVE-2017-1000219 (npm/KyleRoss windows-cpu all versions vulnerable to command injection ...) NOT-FOR-US: npm/KyleRoss windows-cpu CVE-2017-1000218 (LightFTP version 1.1 is vulnerable to a buffer overflow in the "writel ...) NOT-FOR-US: LightFTP CVE-2017-1000213 (WBCE v1.1.11 is vulnerable to reflected XSS via the "begriff" POST par ...) NOT-FOR-US: WBCE CVE-2017-1000210 (picoTCP (versions 1.7.0 - 1.5.0) is vulnerable to stack buffer overflo ...) NOT-FOR-US: picoTCP CVE-2017-1000209 (The Java WebSocket client nv-websocket-client does not verify that the ...) NOT-FOR-US: Java WebSocket client nv-websocket-client CVE-2017-1000208 (A vulnerability in Swagger-Parser's (version <= 1.0.30) yaml parsin ...) NOT-FOR-US: Swagger-Parser CVE-2017-1000197 (October CMS build 412 is vulnerable to file path modification in asset ...) NOT-FOR-US: October CMS CVE-2017-1000196 (October CMS build 412 is vulnerable to PHP code execution in the asset ...) 
NOT-FOR-US: October CMS CVE-2017-1000195 (October CMS build 412 is vulnerable to PHP object injection in asset m ...) NOT-FOR-US: October CMS CVE-2017-1000194 (October CMS build 412 is vulnerable to Apache configuration modificati ...) NOT-FOR-US: October CMS CVE-2017-1000193 (October CMS build 412 is vulnerable to stored WCI (a.k.a XSS) in brand ...) NOT-FOR-US: October CMS CVE-2017-1000189 (nodejs ejs version older than 2.5.5 is vulnerable to a denial-of-servi ...) NOT-FOR-US: nodejs ejs CVE-2017-1000188 (nodejs ejs version older than 2.5.5 is vulnerable to a Cross-site-scri ...) NOT-FOR-US: nodejs ejs CVE-2017-1000187 (In SWFTools, an address access exception was found in pdf2swf. FoFiTru ...) - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/36 NOTE: Crash in CLI tool, no security implications CVE-2017-1000186 (In SWFTools, a stack overflow was found in pdf2swf. ...) - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/34 NOTE: Crash in CLI tool, no security implications CVE-2017-1000185 (In SWFTools, a memcpy buffer overflow was found in gif2swf. ...) - swftools [stretch] - swftools (Minor issue) [jessie] - swftools (Minor issue) [wheezy] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/33 CVE-2017-1000182 (In SWFTools, a memory leak was found in wav2swf. ...) - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/30 NOTE: Crash in CLI tool, no security implications CVE-2017-1000176 (In SWFTools, a memcpy buffer overflow was found in swfc. ...) - swftools [stretch] - swftools (Minor issue) [jessie] - swftools (Minor issue) [wheezy] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/23 CVE-2017-1000174 (In SWFTools, an address access exception was found in swfdump swf_GetB ...) 
- swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/21 NOTE: Crash in CLI tool, no security implications CVE-2017-1000173 (Creolabs Gravity Version: 1.0 Heap Overflow Potential Code Execution. ...) NOT-FOR-US: Creolabs Gravity CVE-2017-1000172 (Creolabs Gravity Version: 1.0 Use-After-Free Possible code execution. ...) NOT-FOR-US: Creolabs Gravity CVE-2017-1000164 (Tine 2.0 version 2017.02.4 is vulnerable to XSS in the Addressbook res ...) NOT-FOR-US: Tine groupware CVE-2017-1000160 (EllisLab ExpressionEngine 3.4.2 is vulnerable to cross-site scripting ...) NOT-FOR-US: EllisLab ExpressionEngine CVE-2017-1000158 (CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow ...) {DSA-4307-1 DLA-1520-1 DLA-1519-1 DLA-1190-1 DLA-1189-1} - python3.5 3.5.5-1 - python3.4 - python2.7 2.7.13-4 [stretch] - python2.7 2.7.13-2+deb9u2 - python2.6 NOTE: https://bugs.python.org/issue30657 NOTE: 2.7 https://github.com/python/cpython/commit/c3c9db89273fabc62ea1b48389d9a3000c1c03ae (v2.7.14rc1) NOTE: 3.4 https://github.com/python/cpython/commit/6c004b40f9d51872d848981ef1a18bb08c2dfc42 (v3.4.8rc1) NOTE: 3.5 https://github.com/python/cpython/commit/fd8614c5c5466a14a945db5b059c10c0fb8f76d9 (v3.5.5rc1) NOTE: The 2.7.13-4 upload included the commit in debian/patches/git-updates.diff CVE-2017-1000129 (Serendipity 2.0.3 is vulnerable to a SQL injection in the blog compone ...) - serendipity CVE-2017-1000125 (Codiad(full version) is vulnerable to write anything to configure file ...) NOT-FOR-US: Codiad CVE-2017-16866 (dayrui FineCms 5.2.0 before 2017.11.16 has Cross Site Scripting (XSS) ...) NOT-FOR-US: dayrui FineCms CVE-2017-16865 (The Trello importer in Atlassian Jira before version 7.6.1 allows remo ...) NOT-FOR-US: Atlassian Jira CVE-2017-16864 (The issue search resource in Atlassian Jira before version 7.4.2 allow ...) NOT-FOR-US: Atlassian Jira CVE-2017-16863 (The PieChart gadget in Atlassian Jira before version 7.5.3 allows remo ...) 
NOT-FOR-US: PieChart gadget in Atlassian Jira CVE-2017-16862 (The IncomingMailServers resource in Atlassian Jira before version 7.6. ...) NOT-FOR-US: Atlassian Jira CVE-2017-16861 (It was possible for double OGNL evaluation in certain redirect action ...) NOT-FOR-US: Atlassian Fisheye and Crucible CVE-2017-16860 (The invalidRedirectUrl template in Atlassian Application Links before ...) NOT-FOR-US: Atlassian CVE-2017-16859 (The review attachment resource in Atlassian Fisheye and Crucible befor ...) NOT-FOR-US: Atlassian CVE-2017-16858 (The 'crowd-application' plugin module (notably used by the Google Apps ...) NOT-FOR-US: 'crowd-application' plugin module in Atlassian Crowd CVE-2017-16857 (It is possible to bypass the bitbucket auto-unapprove plugin via minim ...) NOT-FOR-US: Atlassian CVE-2017-16856 (The RSS Feed macro in Atlassian Confluence before version 6.5.2 allows ...) NOT-FOR-US: Atlassian Confluence CVE-2017-16855 REJECTED CVE-2017-16854 (In Open Ticket Request System (OTRS) through 3.3.20, 4 through 4.0.26, ...) {DSA-4066-1 DLA-1212-1} - otrs2 6.0.2-1 NOTE: https://www.otrs.com/security-advisory-2017-08-security-update-otrs-framework/ NOTE: https://bugs.otrs.org/show_bug.cgi?id=13347 NOTE: OTRS-6: https://github.com/OTRS/otrs/commit/867aba14900f17caacb0285a08b6981bbdbbe016 NOTE: OTRS-5: https://github.com/OTRS/otrs/commit/8748d040058695fda5c9cfcb2a78d8947ed4188d NOTE: OTRS-4: https://github.com/OTRS/otrs/commit/e0deab303e3d0f7c860bba291410512734f4d6b0 CVE-2017-16851 (Zoho ManageEngine Applications Manager 13 before build 13530 allows SQ ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2017-16850 (Zoho ManageEngine Applications Manager 13 before build 13530 allows SQ ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2017-16849 (Zoho ManageEngine Applications Manager 13 before build 13530 allows SQ ...) 
NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2017-16848 (Zoho ManageEngine Applications Manager 13 allows SQL injection via the ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2017-16847 (Zoho ManageEngine Applications Manager 13 before build 13530 allows SQ ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2017-16846 (Zoho ManageEngine Applications Manager 13 before build 13530 allows SQ ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2017-16845 (hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values dur ...) {DSA-4213-1 DLA-1497-1} - qemu 1:2.12~rc3+dfsg-1 (bug #882136) [wheezy] - qemu (Can be fixed along in a future update) - qemu-kvm [wheezy] - qemu-kvm (Can be fixed along in a future update) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg02982.html NOTE: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=802cbcb73002b92e6ddc8464d39b668a71b78d74 CVE-2017-16844 (Heap-based buffer overflow in the loadbuf function in formisc.c in for ...) {DSA-4041-1 DLA-1173-1} - procmail 3.22-26 (bug #876511) CVE-2017-16843 (Vonage VDV-23 115 3.2.11-0.9.40 devices have stored XSS via the NewKey ...) NOT-FOR-US: Vonage VDV-23 CVE-2017-16842 (Cross-site scripting (XSS) vulnerability in admin/google_search_consol ...) NOT-FOR-US: Yoast SEO plugin for WordPress CVE-2017-16841 (LanSweeper 6.0.100.75 has XSS via the description parameter to /Calend ...) NOT-FOR-US: LanSweeper CVE-2017-16840 (The VC-2 Video Compression encoder in FFmpeg 3.0 and 3.4 allows remote ...) {DSA-4049-1} - ffmpeg 7:3.4.1-1 NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=a94cb36ab2ad99d3a1331c9f91831ef593d94f74 CVE-2017-16839 (Hashicorp vagrant-vmware-fusion 5.0.4 allows local users to steal root ...) NOT-FOR-US: vagrant-vmware-fusion CVE-2017-16838 RESERVED CVE-2017-16837 (Certain function pointers in Trusted Boot (tboot) through 1.9.6 are no ...) 
- tboot (Fixed with first upload to Debian) NOTE: https://sourceforge.net/p/tboot/code/ci/521c58e51eb5be105a29983742850e72c44ed80e/ CVE-2017-16836 (Arris TG1682G devices with Comcast TG1682_2.0s7_PRODse 10.0.59.SIP.PC2 ...) NOT-FOR-US: Arris TG1682G devices CVE-2017-16835 (The "Photo,Video Locker-Calculator" application 12.0 for Android has a ...) NOT-FOR-US: Photo Video Locker-Calculator application for Android CVE-2017-16834 (PNP4Nagios through 0.6.26 has /usr/bin/npcd and npcd.cfg owned by an u ...) - pnp4nagios (/etc/pnp4nagios and its content is installed as root by the Debian package) NOTE: https://github.com/lingej/pnp4nagios/issues/140 CVE-2017-16833 (Stored cross-site scripting (XSS) vulnerability in Gemirro before 0.16 ...) NOT-FOR-US: Gemirro CVE-2017-16853 (The DynamicMetadataProvider class in saml/saml2/metadata/impl/DynamicM ...) {DSA-4039-1 DLA-1178-1} - opensaml2 2.6.1-1 (bug #881856) NOTE: https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commit;h=6182b0acf2df670e75423c2ed7afe6950ef11c9d NOTE: https://shibboleth.net/community/advisories/secadv_20171115.txt CVE-2017-16852 (shibsp/metadata/DynamicMetadataProvider.cpp in the Dynamic MetadataPro ...) {DSA-4038-1 DLA-1179-1} - shibboleth-sp2 2.6.1+dfsg1-1 (bug #881857) NOTE: https://git.shibboleth.net/view/?p=cpp-sp.git;a=commit;h=b66cceb0e992c351ad5e2c665229ede82f261b16 NOTE: https://shibboleth.net/community/advisories/secadv_20171115.txt CVE-2017-16832 (The pe_bfd_read_buildid function in peicode.h in the Binary File Descr ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22373 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0bb6961f18b8e832d88b490d421ca56cea16c45b CVE-2017-16831 (coffgen.c in the Binary File Descriptor (BFD) library (aka libbfd), as ...) 
[experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22385 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6cee897971d4d7cd37d2a686bb6d2aa3e759c8ca CVE-2017-16830 (The print_gnu_property_note function in readelf.c in GNU Binutils 2.29 ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22384 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=6ab2c4ed51f9c4243691755e1b1d2149c6a426f4 CVE-2017-16829 (The _bfd_elf_parse_gnu_properties function in elf-properties.c in the ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22307 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cf54ebff3b7361989712fd9c0128a9b255578163 CVE-2017-16828 (The display_debug_frames function in dwarf.c in GNU Binutils 2.29.1 al ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22386 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bf59c5d5f4f5b8b4da1f5f605cfa546f8029b43d CVE-2017-16827 (The aout_get_external_symbols function in aoutx.h in the Binary File D ...) 
[experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22306 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0301ce1486b1450f219202677f30d0fa97335419 CVE-2017-16826 (The coff_slurp_line_table function in coffcode.h in the Binary File De ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22376 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a67d66eb97e7613a38ffe6622d837303b3ecd31d CVE-2017-16825 RESERVED CVE-2017-16824 RESERVED CVE-2017-16823 RESERVED CVE-2017-16822 RESERVED CVE-2017-16821 (b3log Symphony (aka Sym) 2.2.0 has XSS in processor/AdminProcessor.jav ...) NOT-FOR-US: b3log Symphony CVE-2017-16819 (A stored cross-site scripting vulnerability in the Icon Time Systems R ...) NOT-FOR-US: Icon Time Systems RTC-1000 CVE-2017-16818 (RADOS Gateway in Ceph 12.1.0 through 12.2.1 allows remote authenticate ...) - ceph (Vulnerable code introduced after 12.1.0) NOTE: https://github.com/ceph/ceph/commit/b3118cabb8060a8cc6a01c4e8264cb18e7b1745a CVE-2017-16817 RESERVED CVE-2017-16816 (The condor_schedd component in HTCondor before 8.6.8 and 8.7.x before ...) - condor 8.6.8~dfsg.1-1 [stretch] - condor (VOMS support disabled) [jessie] - condor (Minor issue) [wheezy] - condor (Minor issue) NOTE: http://research.cs.wisc.edu/htcondor//security/vulnerabilities/HTCONDOR-2017-0001.html CVE-2017-16815 (installer.php in the Snap Creek Duplicator (WordPress Site Migration & ...) NOT-FOR-US: Snap Creek Duplicator (WordPress Site Migration & Backup) plugin for WordPress CVE-2017-16820 (The csnmp_read_table function in snmp.c in the SNMP plugin in collectd ...) 
- collectd 5.8.0-1 (bug #881757) [stretch] - collectd (Minor issue) [jessie] - collectd (Minor issue) [wheezy] - collectd (Vulnerable code not present) NOTE: https://github.com/collectd/collectd/issues/2291 CVE-2017-16814 (A Directory Traversal issue was discovered in the Foxit MobilePDF app ...) NOT-FOR-US: Foxit CVE-2017-16813 (A denial-of-service issue was discovered in the Foxit MobilePDF app be ...) NOT-FOR-US: Foxit CVE-2017-16812 RESERVED CVE-2017-16811 RESERVED CVE-2017-16810 (Cross-site scripting (XSS) vulnerability in the All Variables tab in O ...) NOT-FOR-US: Octopus Deploy CVE-2017-16809 RESERVED CVE-2017-16808 (tcpdump before 4.9.3 has a heap-based buffer over-read related to aoe_ ...) - tcpdump 4.9.3~git20190901-1 (unimportant; bug #881862) NOTE: https://github.com/the-tcpdump-group/tcpdump/issues/645 NOTE: Crash in CLI tool, no security impact CVE-2017-16807 (A cross-site Scripting (XSS) vulnerability in Kirby Panel before 2.3.3 ...) NOT-FOR-US: Kirby Panel CVE-2017-16806 (The Process function in RemoteTaskServer/WebServer/HttpServer.cs in Ul ...) NOT-FOR-US: Ulterius CVE-2017-16805 (In radare2 2.0.1, libr/bin/dwarf.c allows remote attackers to cause a ...) - radare2 2.1.0+dfsg-1 (bug #882134) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (Vulnerable code does not exist; no dwarf support) NOTE: https://github.com/radare/radare2/commit/2ca9ab45891b6ae8e32b6c28c81eebca059cbe5d NOTE: https://github.com/radare/radare2/issues/8813 CVE-2017-16803 (In Libav through 11.11 and 12.x through 12.1, the smacker_decode_tree ...) 
{DSA-4119-1} - libav (low) - ffmpeg 7:2.2.1-1 NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1098 NOTE: https://github.com/libav/libav/commit/cd4663dc80323ba64989d0c103d51ad3ee0e9c2f NOTE: ffmpeg: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/cd4663dc80323ba64989d0c103d51ad3ee0e9c2f NOTE: ffmpeg originally fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/b829da363985cb2f80130bba304cc29a632f6446 CVE-2017-16802 (In the sharingGroupPopulateOrganisations function in app/webroot/js/mi ...) NOT-FOR-US: MISP CVE-2017-16804 (In Redmine before 3.2.7 and 3.3.x before 3.3.4, the reminders function ...) {DSA-4191-1} - redmine 3.4.2-1 [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/issues/25713 (private) NOTE: upstream fixed in 3.2.7, 3.3.4 and 3.4.0 NOTE: https://github.com/redmine/redmine/commit/0f09f161f64f4190a52166675ff380a15b72a8bc CVE-2017-16801 (Cross-site scripting (XSS) vulnerability in Octopus Deploy 3.7.0-3.17. ...) NOT-FOR-US: Octopus Deploy CVE-2017-16800 RESERVED CVE-2017-16799 (In CMS Made Simple 2.2.3.1, in modules/New/action.addcategory.php, sto ...) NOT-FOR-US: CMS Made Simple CVE-2017-16798 (In CMS Made Simple 2.2.3.1, the is_file_acceptable function in modules ...) NOT-FOR-US: CMS Made Simple CVE-2017-16797 (In SWFTools 0.9.2, the png_load function in lib/png.c does not properl ...) - swftools [stretch] - swftools (Minor issue) [jessie] - swftools (Minor issue) [wheezy] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/51 CVE-2017-16796 (In SWFTools 0.9.2, the png_load function in lib/png.c does not check t ...) - swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/51 NOTE: Crash in CLI tool, no security implications CVE-2017-16795 RESERVED CVE-2017-16794 (The png_load function in lib/png.c in SWFTools 0.9.2 does not properly ...) 
- swftools (unimportant) NOTE: https://github.com/matthiaskramm/swftools/issues/50 NOTE: Crash in CLI tool, no security implications CVE-2017-16793 (The wav_convert2mono function in lib/wav.c in SWFTools 0.9.2 does not ...) - swftools [stretch] - swftools (Minor issue) [jessie] - swftools (Minor issue) [wheezy] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/47 CVE-2017-16792 (Stored cross-site scripting (XSS) vulnerability in "geminabox" (Gem in ...) NOT-FOR-US: geminabox CVE-2017-16791 RESERVED CVE-2017-16790 (An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3. ...) {DSA-4262-1} - symfony 3.4.0+dfsg-1 [jessie] - symfony (vulnerable code introduced in 2.4.*) NOTE: https://symfony.com/blog/cve-2017-16790-ensure-that-submitted-data-are-uploaded-files NOTE: https://github.com/symfony/symfony/pull/24993 CVE-2017-16789 (Cross-site scripting (XSS) vulnerability in Integration Matters nJAMS ...) NOT-FOR-US: TIBCO CVE-2017-16788 (Directory traversal vulnerability in the "Upload Groupkey" functionali ...) NOT-FOR-US: Meinberg LANTIME CVE-2017-16787 (The Web Configuration Utility in Meinberg LANTIME devices with firmwar ...) NOT-FOR-US: Meinberg LANTIME CVE-2017-16786 (The Web Configuration Utility in Meinberg LANTIME devices with firmwar ...) NOT-FOR-US: Meinberg LANTIME CVE-2017-16784 (In CMS Made Simple 2.2.2, there is Reflected XSS via the cntnt01detail ...) NOT-FOR-US: CMS Made Simple CVE-2017-16783 (In CMS Made Simple 2.1.6, there is Server-Side Template Injection via ...) NOT-FOR-US: CMS Made Simple CVE-2017-16782 (In Home Assistant before 0.57, it is possible to inject JavaScript cod ...) NOT-FOR-US: Home Assistant CVE-2017-16781 (The installer in MyBB before 1.8.13 has XSS. ...) NOT-FOR-US: MyBB CVE-2017-16780 (The installer in MyBB before 1.8.13 allows remote attackers to execute ...) NOT-FOR-US: MyBB CVE-2017-16785 (Cacti 1.1.27 has reflected XSS via the PATH_INFO to host.php. ...) 
- cacti 1.1.27+ds1-3 [stretch] - cacti (Vulnerable code does not exist) [jessie] - cacti (Vulnerable code does not exist) [wheezy] - cacti (Vulnerable code does not exist) NOTE: https://github.com/Cacti/cacti/issues/1071 NOTE: this is more or less a duplicate of CVE-2017-16641 NOTE: one of the applied patches reopened the vulnerability CVE-2017-16779 RESERVED CVE-2017-16778 (An access control weakness in the DTMF tone receiver of Fermax Outdoor ...) NOT-FOR-US: Fermax Outdoor Panel CVE-2017-16777 (If HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) ...) NOT-FOR-US: HashiCorp Vagrant VMware Fusion plugin CVE-2017-16776 (Security researchers discovered an authentication bypass vulnerability ...) NOT-FOR-US: Conserus Workflow Intelligence CVE-2017-16775 (Improper restriction of rendered UI layers or frames vulnerability in ...) NOT-FOR-US: Synology CVE-2017-16774 (Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotifica ...) NOT-FOR-US: Synology CVE-2017-16773 (Improper authorization vulnerability in Highlight Preview in Synology ...) NOT-FOR-US: Synology CVE-2017-16772 (Improper input validation vulnerability in SYNOPHOTO_Flickr_MultiUploa ...) NOT-FOR-US: Synology Photo Station CVE-2017-16771 (Cross-site scripting (XSS) vulnerability in Log Viewer in Synology Pho ...) NOT-FOR-US: Synology Photo Station CVE-2017-16770 (File and directory information exposure vulnerability in SYNO.Surveill ...) NOT-FOR-US: Synology Surveillance Station CVE-2017-16769 (Exposure of private information vulnerability in Photo Viewer in Synol ...) NOT-FOR-US: Synology Photo Station CVE-2017-16768 (Cross-site scripting (XSS) vulnerability in User Policy editor in Syno ...) NOT-FOR-US: Synology MailPlus Server CVE-2017-16767 (Cross-site scripting (XSS) vulnerability in User Profile in Synology S ...) NOT-FOR-US: Synology Surveillance Station CVE-2017-16766 (An improper access control vulnerability in synodsmnotify in Synology ...) 
NOT-FOR-US: Synology DiskStation Manager CVE-2017-16765 (XSS exists on D-Link DWR-933 1.00(WW)B17 devices via cgi-bin/gui.cgi. ...) NOT-FOR-US: D-Link CVE-2017-16764 (An exploitable vulnerability exists in the YAML parsing functionality ...) NOT-FOR-US: django_make_app CVE-2017-16763 (An exploitable vulnerability exists in the YAML parsing functionality ...) NOT-FOR-US: Confire CVE-2017-16762 (Sanic before 0.5.1 allows reading arbitrary files with directory trave ...) NOT-FOR-US: Sanic CVE-2017-16761 (An Open Redirect vulnerability in Inedo BuildMaster before 5.8.2 allow ...) NOT-FOR-US: Inedo BuildMaster CVE-2017-16760 (Inedo BuildMaster before 5.8.2 has XSS. ...) NOT-FOR-US: Inedo BuildMaster CVE-2017-16759 (The installation process in LibreNMS before 2017-08-18 allows remote a ...) NOT-FOR-US: LibreNMS CVE-2017-16758 (Cross-site scripting (XSS) vulnerability in admin/partials/uif-access- ...) NOT-FOR-US: WordPress plugin CVE-2017-16757 (Hola VPN 1.34 has weak permissions (Everyone:F) under %PROGRAMFILES%, ...) NOT-FOR-US: Hola VPN CVE-2017-16756 (An issue was discovered in Userscape HelpSpot before 4.7.2. A cross-si ...) NOT-FOR-US: Userscape HelpSpot CVE-2017-16755 (An issue was discovered in Userscape HelpSpot before 4.7.2. A reflecte ...) NOT-FOR-US: Userscape HelpSpot CVE-2017-16754 (Bolt before 3.3.6 does not properly restrict access to _profiler route ...) NOT-FOR-US: Bolt CMS CVE-2017-16753 (An Improper Input Validation issue was discovered in Advantech WebAcce ...) NOT-FOR-US: Advantech WebAccess CVE-2017-16752 RESERVED CVE-2017-16751 (A Stack-based Buffer Overflow issue was discovered in Delta Electronic ...) NOT-FOR-US: Delta Electronics Delta Industrial Automation Screen Editor CVE-2017-16750 RESERVED CVE-2017-16749 (A Use-after-Free issue was discovered in Delta Electronics Delta Indus ...) 
NOT-FOR-US: Delta Electronics Delta Industrial Automation Screen Editor CVE-2017-16748 (An attacker can log into the local Niagara platform (Niagara AX Framew ...) NOT-FOR-US: Niagara AX CVE-2017-16747 (An Out-of-bounds Write issue was discovered in Delta Electronics Delta ...) NOT-FOR-US: Delta Electronics Delta Industrial Automation Screen Editor CVE-2017-16746 RESERVED CVE-2017-16745 (A Type Confusion issue was discovered in Delta Electronics Delta Indus ...) NOT-FOR-US: Delta Electronics Delta Industrial Automation Screen Editor CVE-2017-16744 (A path traversal vulnerability in Tridium Niagara AX Versions 3.8 and ...) NOT-FOR-US: Niagara AX CVE-2017-16743 (An Improper Authorization issue was discovered in PHOENIX CONTACT FL S ...) NOT-FOR-US: PHOENIX CONTACT FL SWITCH CVE-2017-16742 RESERVED CVE-2017-16741 (An Information Exposure issue was discovered in PHOENIX CONTACT FL SWI ...) NOT-FOR-US: PHOENIX CONTACT FL SWITCH CVE-2017-16740 (A Buffer Overflow issue was discovered in Rockwell Automation Allen-Br ...) NOT-FOR-US: Rockwell Automation Allen-Bradley MicroLogix 1400 Controllers CVE-2017-16739 (An issue was discovered in WECON Technology LEVI Studio HMI Editor v1. ...) NOT-FOR-US: WECON Technology LEVI Studio HMI Editor CVE-2017-16738 RESERVED CVE-2017-16737 (An issue was discovered in WECON Technology LEVI Studio HMI Editor v1. ...) NOT-FOR-US: WECON Technology LEVI Studio HMI Editor CVE-2017-16736 (An Unrestricted Upload Of File With Dangerous Type issue was discovere ...) NOT-FOR-US: Advantech WebAccess CVE-2017-16735 (A SQL Injection issue was discovered in Ecava IntegraXor v 6.1.1030.1 ...) NOT-FOR-US: Ecava IntegraXor CVE-2017-16734 RESERVED CVE-2017-16733 (A SQL Injection issue was discovered in Ecava IntegraXor v 6.1.1030.1 ...) NOT-FOR-US: Ecava IntegraXor CVE-2017-16732 (A use-after-free issue was discovered in Advantech WebAccess versions ...) 
NOT-FOR-US: Advantech WebAccess CVE-2017-16731 (An Unprotected Transport of Credentials issue was discovered in ABB El ...) NOT-FOR-US: Ellipse CVE-2017-16730 RESERVED CVE-2017-16729 RESERVED CVE-2017-16728 (An Untrusted Pointer Dereference issue was discovered in Advantech Web ...) NOT-FOR-US: Advantech WebAccess CVE-2017-16727 (A Credentials Management issue was discovered in Moxa NPort W2150A ver ...) NOT-FOR-US: Moxa CVE-2017-16726 (Beckhoff TwinCAT supports communication over ADS. ADS is a protocol fo ...) NOT-FOR-US: Beckhoff TwinCAT CVE-2017-16725 (A Stack-based Buffer Overflow issue was discovered in Xiongmai Technol ...) NOT-FOR-US: Xiongmai Technology IP Cameras and DVRs CVE-2017-16724 (A Stack-based Buffer Overflow issue was discovered in Advantech WebAcc ...) NOT-FOR-US: Advantech WebAccess CVE-2017-16723 (A Cross-site Scripting issue was discovered in PHOENIX CONTACT FL COMS ...) NOT-FOR-US: PHOENIX CVE-2017-16722 RESERVED CVE-2017-16721 (A Cross-site Scripting issue was discovered in Geovap Reliance SCADA V ...) NOT-FOR-US: Geovap Reliance SCADA CVE-2017-16720 (A Path Traversal issue was discovered in WebAccess versions 8.3.2 and ...) NOT-FOR-US: Advantech WebAccess CVE-2017-16719 (An Injection issue was discovered in Moxa NPort 5110 Version 2.2, NPor ...) NOT-FOR-US: Moxa CVE-2017-16718 (Beckhoff TwinCAT 3 supports communication over ADS. ADS is a protocol ...) NOT-FOR-US: Beckhoff TwinCAT CVE-2017-16717 (A Heap-based Buffer Overflow issue was discovered in WECON LeviStudio ...) NOT-FOR-US: WECON LeviStudio HMI CVE-2017-16716 (A SQL Injection issue was discovered in WebAccess versions prior to 8. ...) NOT-FOR-US: Advantech WebAccess CVE-2017-16715 (An Information Exposure issue was discovered in Moxa NPort 5110 Versio ...) NOT-FOR-US: Moxa CVE-2017-16714 (In Ice Qube Thermal Management Center versions prior to version 4.13, ...) 
NOT-FOR-US: Ice Qube Thermal Management Center CVE-2017-16713 RESERVED CVE-2017-16712 RESERVED CVE-2017-16711 (The swf_DefineLosslessBitsTagToImage function in lib/modules/swfbits.c ...) - swftools (unimportant; bug #881390) NOTE: https://github.com/matthiaskramm/swftools/issues/46 NOTE: Crash in CLI tool, no security implications CVE-2017-16710 (Cross-site scripting (XSS) vulnerability in Crestron Airmedia AM-100 d ...) NOT-FOR-US: Crestron CVE-2017-16709 (Crestron Airmedia AM-100 devices with firmware before 1.6.0 and AM-101 ...) NOT-FOR-US: Crestron CVE-2017-16708 RESERVED CVE-2017-16707 RESERVED CVE-2017-16706 RESERVED CVE-2017-16705 RESERVED CVE-2017-16704 RESERVED CVE-2017-16703 RESERVED CVE-2017-16702 RESERVED CVE-2017-16701 RESERVED CVE-2017-16700 RESERVED CVE-2017-16699 RESERVED CVE-2017-16698 RESERVED CVE-2017-16697 RESERVED CVE-2017-16696 RESERVED CVE-2017-16695 RESERVED CVE-2017-16694 RESERVED CVE-2017-16693 RESERVED CVE-2017-16692 RESERVED CVE-2017-16691 (SAP Note Assistant tool (SAP BASIS from 7.00 to 7.02, from 7.10 to 7.1 ...) NOT-FOR-US: SAP Note Assistant CVE-2017-16690 (A malicious DLL preload attack possible on NwSapSetup and Installation ...) NOT-FOR-US: SAP Plant Connectivity CVE-2017-16689 (A Trusted RFC connection in SAP KERNEL 32NUC, SAP KERNEL 32Unicode, SA ...) NOT-FOR-US: SAP KERNEL CVE-2017-16688 RESERVED CVE-2017-16687 (The user self-service tools of SAP HANA extended application services, ...) NOT-FOR-US: SAP HANA CVE-2017-16686 RESERVED CVE-2017-16685 (Cross-Site scripting (XSS) in SAP Business Warehouse Universal Data In ...) NOT-FOR-US: SAP Business Warehouse Universal Data Integration CVE-2017-16684 (SAP Business Intelligence Promotion Management Application, Enterprise ...) NOT-FOR-US: SAP Business Intelligence Promotion Management Application CVE-2017-16683 (Denial of Service (DOS) in SAP Business Objects Platform, Enterprise 4 ...) 
NOT-FOR-US: SAP Business Objects Platform CVE-2017-16682 (SAP NetWeaver Internet Transaction Server (ITS), SAP Basis from 7.00 t ...) NOT-FOR-US: SAP NetWeaver Internet Transaction Server CVE-2017-16681 (Cross-Site Scripting (XSS) vulnerability in SAP Business Intelligence ...) NOT-FOR-US: SAP Business Intelligence Promotion Management Application CVE-2017-16680 (Two potential audit log injections in SAP HANA extended application se ...) NOT-FOR-US: SAP HANA extended application services CVE-2017-16679 (URL redirection vulnerability in SAP's Startup Service, SAP KERNEL 32 ...) NOT-FOR-US: SAP's Startup Service CVE-2017-16678 (Server Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Know ...) NOT-FOR-US: SAP NetWeaver Knowledge Management Configuration Service CVE-2017-16677 RESERVED CVE-2017-16676 RESERVED CVE-2017-16675 RESERVED CVE-2017-16674 (Datto Windows Agent allows unauthenticated remote command execution vi ...) NOT-FOR-US: Datto Windows Agent CVE-2017-16673 (Datto Backup Agent 1.0.6.0 and earlier does not authenticate incoming ...) NOT-FOR-US: Datto Backup Agent CVE-2017-16672 (An issue was discovered in Asterisk Open Source 13 before 13.18.1, 14 ...) - asterisk 1:13.18.1~dfsg-1 (bug #881256) [stretch] - asterisk 1:13.14.1~dfsg-2+deb9u3 [jessie] - asterisk (Vulnerable code not present) [wheezy] - asterisk (Vulnerable code not present) NOTE: http://downloads.digium.com/pub/security/AST-2017-011.html NOTE: http://downloads.asterisk.org/pub/security/AST-2017-011-13.diff NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27345 CVE-2017-16671 (A Buffer Overflow issue was discovered in Asterisk Open Source 13 befo ...) 
- asterisk 1:13.18.1~dfsg-1 (bug #881257) [stretch] - asterisk 1:13.14.1~dfsg-2+deb9u3 [jessie] - asterisk (Vulnerable code does not exist) [wheezy] - asterisk (Vulnerable code does not exist) NOTE: http://downloads.digium.com/pub/security/AST-2017-010.html NOTE: http://downloads.asterisk.org/pub/security/AST-2017-010-13.diff NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27337 CVE-2017-16670 (The project import functionality in SoapUI 5.3.0 allows remote attacke ...) NOT-FOR-US: SoapUI CVE-2017-16669 (coders/wpg.c in GraphicsMagick 1.3.26 allows remote attackers to cause ...) {DSA-4321-1 DLA-1401-1 DLA-1168-1} - graphicsmagick 1.3.26-19 (bug #881391) NOTE: https://sourceforge.net/p/graphicsmagick/bugs/450/ NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/135bdcb88b8d NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/1b9e64a8901e NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/2a21cda3145b NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/2b7c826d36af NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/3dc7b4e3779d NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/75245a215fff NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/e8086faa52d0 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/fcd3ed3394f6 CVE-2017-16668 RESERVED CVE-2017-16666 (Xplico before 1.2.1 allows remote authenticated users to execute arbit ...) NOT-FOR-US: Xplico CVE-2017-16665 (RemObjects Remoting SDK 9 1.0.0.0 for Delphi is vulnerable to a reflec ...) NOT-FOR-US: RemObjects Remoting SDK CVE-2017-16664 (Code injection exists in Kernel/System/Spelling.pm in Open Ticket Requ ...) 
{DSA-4047-1 DLA-1212-1} - otrs2 5.0.24-1 (bug #882370) NOTE: https://www.otrs.com/security-advisory-2017-07-security-update-otrs-framework/ NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/4c36932d0c42343f21246a107e17a2ebbd9c2c7d NOTE: OTRS 3.3: https://github.com/OTRS/otrs/commit/2e58a4bbd99b2477d72c3b2d9fef009537ab19ce CVE-2017-16667 (backintime (aka Back in Time) before 1.1.24 did improper escaping/quot ...) - backintime 1.1.24-0.1 (bug #881205) [stretch] - backintime (Minor issue) [jessie] - backintime (Minor issue) [wheezy] - backintime (Vulnerable code does not exist) NOTE: https://github.com/bit-team/backintime/issues/834 NOTE: https://github.com/bit-team/backintime/commit/cef81d0da93ff601252607df3db1a48f7f6f01b3 CVE-2017-16663 (In sam2p 0.49.4, there are integer overflows (with resultant heap-base ...) {DLA-1185-1} - sam2p [jessie] - sam2p 0.49.2-3+deb8u1 NOTE: https://github.com/pts/sam2p/issues/16 CVE-2017-16662 RESERVED CVE-2017-16659 (The Gentoo mail-filter/assp package 1.9.8.13030 and earlier allows loc ...) NOT-FOR-US: assp as packaged by Gentoo CVE-2017-16658 RESERVED CVE-2017-16657 RESERVED CVE-2017-16656 RESERVED CVE-2017-16655 RESERVED CVE-2017-16654 (An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3. ...) {DSA-4262-1 DLA-1707-1} - symfony 3.4.0+dfsg-1 NOTE: https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths NOTE: https://github.com/symfony/symfony/pull/24994 CVE-2017-16653 (An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3. ...) {DSA-4262-1} - symfony 3.4.0+dfsg-1 [jessie] - symfony (vulnerable code not present in branch 2.3) NOTE: https://symfony.com/blog/cve-2017-16653-csrf-protection-does-not-use-different-tokens-for-http-and-https NOTE: https://github.com/symfony/symfony/pull/24992 CVE-2017-16652 (An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2 ...) 
{DSA-4262-1 DLA-1707-1} - symfony 3.4.0+dfsg-1 NOTE: https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers NOTE: https://github.com/symfony/symfony/pull/24995 NOTE: See CVE-2018-11408 to address original incomplete fix for CVE-2017-16652 CVE-2017-16651 (Roundcube Webmail before 1.1.10, 1.2.x before 1.2.7, and 1.3.x before ...) {DSA-4030-1 DLA-1193-1} - roundcube 1.3.3+dfsg.1-1 NOTE: master: https://github.com/roundcube/roundcubemail/commit/2a32f51c91d5e9c7b1a9d931846dd44c008ff36d NOTE: release-1.3: https://github.com/roundcube/roundcubemail/commit/c90ad5a97784fb32683b8e3c21d6c95baab6d806 NOTE: release-1.2: https://github.com/roundcube/roundcubemail/commit/9be2224c779d7abc7b29eea2b83a8a3671c543e0 NOTE: release-1.1: https://github.com/roundcube/roundcubemail/commit/e757cc410145d043c30889d28fa0b5f67a5cf2fd NOTE: release-1.0: https://github.com/roundcube/roundcubemail/commit/8d87bb34f3c6103ab81e5342d8b3d297832d178a NOTE: https://github.com/roundcube/roundcubemail/issues/6026 CVE-2017-16650 (The qmi_wwan_bind function in drivers/net/usb/qmi_wwan.c in the Linux ...) - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 [wheezy] - linux (Vulnerable code not present) CVE-2017-16649 (The usbnet_generic_cdc_bind function in drivers/net/usb/cdc_ether.c in ...) {DLA-1200-1} - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 CVE-2017-16648 (The dvb_frontend_free function in drivers/media/dvb-core/dvb_frontend. ...) - linux (Vulnerable code not present) CVE-2017-16647 (drivers/net/usb/asix_devices.c in the Linux kernel through 4.13.11 all ...) - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2017-16646 (drivers/media/usb/dvb-usb/dib0700_devices.c in the Linux kernel throug ...) 
- linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2017-16645 (The ims_pcu_get_cdc_union_desc function in drivers/input/misc/ims-pcu. ...) - linux 4.14.2-1 (unimportant) [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.56-1 [wheezy] - linux (Vulnerable code not present) NOTE: CONFIG_INPUT_IMS_PCU is not set in Debian config CVE-2017-16644 (The hdpvr_probe function in drivers/media/usb/hdpvr/hdpvr-core.c in th ...) {DSA-4073-1} - linux 4.14.7-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2017-16643 (The parse_hid_report_descriptor function in drivers/input/tablet/gtco. ...) {DLA-1200-1} - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 CVE-2017-16642 (In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an e ...) {DSA-4081-1 DSA-4080-1} - php7.1 7.1.11-1 - php7.0 7.0.25-1 - php5 [wheezy] - php5 (Vulnerable code not present; proof of concept produces expected non-buggy output; upstream patch also appears overly intrusive) NOTE: Fixed in: 5.6.32, 7.0.25, 7.1.11 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=75055 NOTE: https://github.com/derickr/timelib/commit/aa9156006e88565e1f1a5f7cc088b18322d57536 NOTE: https://github.com/php/php-src/commit/5c0455bf2c8cd3c25401407f158e820aa3b239e1 CVE-2017-16661 (Cacti 1.1.27 allows remote authenticated administrators to read arbitr ...) - cacti 1.1.27+ds1-3 [stretch] - cacti (Vulnerable code does not exist) [jessie] - cacti (Vulnerable code does not exist) [wheezy] - cacti (Vulnerable code does not exist) NOTE: https://github.com/Cacti/cacti/issues/1066 NOTE: affected code was introduced in the 1.x release CVE-2017-16660 (Cacti 1.1.27 allows remote authenticated administrators to conduct Rem ...) 
- cacti 1.1.27+ds1-3 [stretch] - cacti (Vulnerable code does not exist) [jessie] - cacti (Vulnerable code does not exist) [wheezy] - cacti (Vulnerable code does not exist) NOTE: https://github.com/Cacti/cacti/issues/1066 NOTE: affected code was introduced in the 1.x release CVE-2017-16641 (lib/rrd.php in Cacti 1.1.27 allows remote authenticated administrators ...) - cacti 1.1.27+ds1-3 (bug #881110) [stretch] - cacti (Minor issue, due to CVE-2009-4112 does not make sense to fix in isolation unless CVE-2009-4112 is addressed upstream) [jessie] - cacti (Minor issue, due to CVE-2009-4112 does not make sense to fix in isolation unless CVE-2009-4112 is addressed upstream) [wheezy] - cacti (Minor issue, due to CVE-2009-4112 does not make sense to fix in isolation unless CVE-2009-4112 is addressed upstream) NOTE: https://github.com/Cacti/cacti/issues/1057 NOTE: https://github.com/Cacti/cacti/commit/e8088bb6593e6a49d000c342d17402f01db8740e CVE-2017-16640 RESERVED CVE-2017-16639 (Tor Browser on Windows before 8.0 allows remote attackers to bypass th ...) NOT-FOR-US: Tor Browser on Windows CVE-2017-16638 (The Gentoo net-misc/vde package before version 2.3.2-r4 may allow memb ...) NOT-FOR-US: Gentoo net-misc/vde packaging issue CVE-2017-16637 (In Vectura Perfect Privacy VPN Manager v1.10.10 and v1.10.11, when res ...) NOT-FOR-US: Vectura Perfect Privacy VPN Manager CVE-2017-16636 (In Bludit v1.5.2 and v2.0.1, an XSS vulnerability is located in the ne ...) NOT-FOR-US: Bludit CVE-2017-16635 (In TinyWebGallery v2.4, an XSS vulnerability is located in the `mkname ...) NOT-FOR-US: TinyWebGallery CVE-2017-16634 (In Joomla! before 3.8.2, a bug allowed third parties to bypass a user' ...) NOT-FOR-US: Joomla! CVE-2017-16633 (In Joomla! before 3.8.2, a logic bug in com_fields exposed read-only i ...) NOT-FOR-US: Joomla! 
CVE-2017-16632 RESERVED CVE-2017-16631 RESERVED CVE-2017-16630 RESERVED CVE-2017-16629 RESERVED CVE-2017-16628 RESERVED CVE-2017-16627 RESERVED CVE-2017-16626 RESERVED CVE-2017-16625 RESERVED CVE-2017-16624 RESERVED CVE-2017-16623 RESERVED CVE-2017-16622 RESERVED CVE-2017-16621 RESERVED CVE-2017-16620 RESERVED CVE-2017-16619 RESERVED CVE-2017-16618 (An exploitable vulnerability exists in the YAML loading functionality ...) NOT-FOR-US: OwlMixin CVE-2017-16617 RESERVED CVE-2017-16616 (An exploitable vulnerability exists in the YAML parsing functionality ...) NOT-FOR-US: pyanyapi CVE-2017-16615 (An exploitable vulnerability exists in the YAML parsing functionality ...) NOT-FOR-US: MLAlchemy CVE-2017-16614 (SSRF (Server Side Request Forgery) in tpshop 2.0.5 and 2.0.6 allows re ...) NOT-FOR-US: tpshop CVE-2017-16613 (An issue was discovered in middleware.py in OpenStack Swauth through 1 ...) {DSA-4044-1} - swauth 1.2.0-4 (bug #882314) NOTE: https://bugs.launchpad.net/swift/+bug/1655781 CVE-2017-16612 (libXcursor before 1.1.15 has various integer overflows that could lead ...) {DSA-4059-1 DLA-1201-1} - libxcursor 1:1.1.14-3.1 (bug #883792) - wayland 1.14.0-2 (bug #889681) [stretch] - wayland 1.12.0-1+deb9u1 [jessie] - wayland (Minor issue) [wheezy] - wayland (vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2017/11/28/6 NOTE: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8 NOTE: https://marc.info/?l=freedesktop-xorg-announce&m=151188036018262&w=2 NOTE: Wayland: https://bugs.freedesktop.org/show_bug.cgi?id=103961 NOTE: Wayland: https://cgit.freedesktop.org/wayland/wayland/commit/?id=5d201df72f3d4f4cb8b8f75f980169b03507da38 NOTE: For src:wayland originally fixed in 1.14.0-2 but the 1.15.0-1 upload NOTE: did not merge in the 1.14.0-2 upload. CVE-2017-16611 (In libXfont before 1.5.4 and libXfont2 before 2.0.3, a local attacker ...) 
- libxfont 1:2.0.3-1 (low; bug #883929) [stretch] - libxfont (Minor issue) [jessie] - libxfont (Minor issue) [wheezy] - libxfont (Minor issue) - libxfont1 (unimportant) NOTE: https://www.openwall.com/lists/oss-security/2017/11/28/7 NOTE: https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=7b377456f95d2ec3ead40f4fb74ea620191f88c8 NOTE: (for 1.5.x): https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?h=libXfont-1.5-branch&id=5ed8ac0e4f063825b8ecda48e9a111d3ce92e825 NOTE: https://marc.info/?l=freedesktop-xorg-announce&m=151188049718337&w=2 NOTE: https://marc.info/?l=freedesktop-xorg-announce&m=151188044218304&w=2 CVE-2017-16610 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Netgain CVE-2017-16609 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Netgain CVE-2017-16608 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Netgain CVE-2017-16607 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Netgain CVE-2017-16606 (This vulnerability allows remote attackers to execute code by creating ...) NOT-FOR-US: Netgain CVE-2017-16605 (This vulnerability allows remote attackers to overwrite arbitrary file ...) NOT-FOR-US: Netgain CVE-2017-16604 (This vulnerability allows remote attackers to overwrite arbitrary file ...) NOT-FOR-US: Netgain CVE-2017-16603 (This vulnerability allows remote attackers to execute code by creating ...) NOT-FOR-US: Netgain CVE-2017-16602 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Netgain CVE-2017-16601 (This vulnerability allows remote attackers to overwrite arbitrary file ...) NOT-FOR-US: Netgain CVE-2017-16600 (This vulnerability allows remote attackers to overwrite files on vulne ...) NOT-FOR-US: Netgain CVE-2017-16599 (This vulnerability allows remote attackers to delete arbitrary files o ...) 
NOT-FOR-US: Netgain CVE-2017-16598 (This vulnerability allows remote attackers to execute code by overwrit ...) NOT-FOR-US: Netgain CVE-2017-16597 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Netgain CVE-2017-16596 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Netgain CVE-2017-16595 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Netgain CVE-2017-16594 (This vulnerability allows remote attackers to create arbitrary files o ...) NOT-FOR-US: Netgain CVE-2017-16593 (This vulnerability allows remote attackers to delete arbitrary files o ...) NOT-FOR-US: Netgain CVE-2017-16592 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Netgain CVE-2017-16591 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Netgain CVE-2017-16590 (This vulnerability allows remote attackers to bypass authentication on ...) NOT-FOR-US: Netgain CVE-2017-16589 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-16588 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-16587 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-16586 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-16585 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-16584 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-16583 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-16582 (This vulnerability allows remote attackers to execute arbitrary code o ...) 
NOT-FOR-US: Foxit Reader CVE-2017-16581 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-16580 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-16579 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-16578 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-16577 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-16576 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-16575 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-16574 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-16573 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-16572 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-16571 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-16570 (KeystoneJS before 4.0.0-beta.7 allows application-wide CSRF bypass by ...) NOT-FOR-US: KeystoneJS CVE-2017-16569 (An Open URL Redirect issue exists in Zurmo 3.2.1.57987acc3018 via an h ...) NOT-FOR-US: Zurmo CVE-2017-16568 (Cross-site scripting (XSS) vulnerability in Logitech Media Server 7.9. ...) NOT-FOR-US: Logitech Media Server CVE-2017-16567 (Cross-site scripting (XSS) vulnerability in Logitech Media Server 7.9. ...) NOT-FOR-US: Logitech Media Server CVE-2017-16566 (On Jooan IP Camera A5 2.3.36 devices, an insecure FTP server does not ...) 
NOT-FOR-US: Jooan IP Camera A5 2.3.36 devices CVE-2017-16565 (Cross-Site Request Forgery (CSRF) in /cgi-bin/login on Vonage (Grandst ...) NOT-FOR-US: Vonage CVE-2017-16564 (Stored Cross-site scripting (XSS) vulnerability in /cgi-bin/config2 on ...) NOT-FOR-US: Vonage CVE-2017-16563 (Cross-Site Request Forgery (CSRF) in the Basic Settings screen on Vona ...) NOT-FOR-US: Vonage CVE-2017-16562 (The UserPro plugin before 4.9.17.1 for WordPress, when used on a site ...) NOT-FOR-US: WordPress plugin userpro CVE-2017-16561 (/view/friend_profile.php in Ingenious School Management System 2.3.0 i ...) NOT-FOR-US: Ingenious School Management System CVE-2017-16560 (SanDisk Secure Access 3.01 vault decrypts and copies encrypted files t ...) NOT-FOR-US: SanDisk Secure Access CVE-2017-16559 RESERVED CVE-2017-16558 (Contao 3.0.0 to 3.5.30 and 4.0.0 to 4.4.7 contains an SQL injection vu ...) NOT-FOR-US: Contao CVE-2017-16557 (K7 Antivirus Premium before 15.1.0.53 allows local users to gain privi ...) NOT-FOR-US: K7 Antivirus CVE-2017-16556 (In K7 Antivirus Premium before 15.1.0.53, user-controlled input can be ...) NOT-FOR-US: K7 Antivirus CVE-2017-16555 (K7 Antivirus Premium before 15.1.0.53 allows local users to gain privi ...) NOT-FOR-US: K7 Antivirus CVE-2017-16554 (K7 Antivirus Premium before 15.1.0.53 allows local users to write to a ...) NOT-FOR-US: K7 Antivirus CVE-2017-16553 (K7 Antivirus Premium before 15.1.0.53 allows local users to gain privi ...) NOT-FOR-US: K7 Antivirus CVE-2017-16552 (K7 Antivirus Premium before 15.1.0.53 allows local users to write to a ...) NOT-FOR-US: K7 Antivirus CVE-2017-16551 (K7 Antivirus Premium before 15.1.0.53 allows local users to gain privi ...) NOT-FOR-US: K7 Antivirus CVE-2017-16550 (K7 Antivirus Premium before 15.1.0.53 allows local users to write to a ...) NOT-FOR-US: K7 Antivirus CVE-2017-16549 (K7 Antivirus Premium before 15.1.0.53 allows local users to write to a ...) 
NOT-FOR-US: K7 Antivirus CVE-2017-16548 (The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-develo ...) {DSA-4068-1 DLA-1218-1} - rsync 3.1.2-2.1 (bug #880954) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13112 NOTE: https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=47a63d90e71d3e19e0e96052bb8c6b9cb140ecc1 CVE-2017-16547 (The DrawImage function in magick/render.c in GraphicsMagick 1.3.26 doe ...) {DSA-4321-1 DLA-1456-1 DLA-1170-1} - graphicsmagick 1.3.26-18 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/785758bbbfcc NOTE: https://sourceforge.net/p/graphicsmagick/bugs/517/ CVE-2017-16546 (The ReadWPGImage function in coders/wpg.c in ImageMagick 7.0.7-9 does ...) {DSA-4074-1 DSA-4040-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #881392) [wheezy] - imagemagick (Vulnerable code not present; PoC from GitHub issue results in memory allocation exception thrown at coders/wpg.c:1109 and valgrind does not report any issues) NOTE: https://github.com/ImageMagick/ImageMagick/commit/2130bf6f89ded32ef0c88a11694f107c52566c53 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/e04cf3e9524f50ca336253513d977224e083b816 NOTE: https://github.com/ImageMagick/ImageMagick/issues/851 CVE-2017-16545 (The ReadWPGImage function in coders/wpg.c in GraphicsMagick 1.3.26 doe ...) {DSA-4321-1} - graphicsmagick 1.3.26-18 [jessie] - graphicsmagick 1.3.20-3+deb8u3 [wheezy] - graphicsmagick (Not possible to trigger with presented test case) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/e8086faa52d0 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/519/ NOTE: The wheezy version gives an assert before the vulnerability can be triggered. Due to this NOTE: the severity of the wheezy version is low even though the vulnerable code is still present. NOTE: The patch is trivial so it may be worth fixing in combination with some other fix. CVE-2017-16544 (In the add_match function in libbb/lineedit.c in BusyBox through 1.27. ...) 
{DLA-2559-1 DLA-1445-1} - busybox 1:1.27.2-2 (bug #882258) [wheezy] - busybox (Minor issue) NOTE: https://www.twistlock.com/2017/11/20/cve-2017-16544-busybox-autocompletion-vulnerability/ NOTE: https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8 CVE-2017-16543 (Zoho ManageEngine Applications Manager 13 before build 13500 allows SQ ...) NOT-FOR-US: Zoho CVE-2017-16542 (Zoho ManageEngine Applications Manager 13 before build 13500 allows Po ...) NOT-FOR-US: Zoho CVE-2017-16541 (Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to ...) {DSA-4327-1 DLA-1575-1} - firefox 62.0-1 (unimportant) - firefox-esr 60.2.0esr-1 (unimportant) [stretch] - firefox-esr 60.2.0esr-1~deb9u2 - thunderbird 1:60.2.1-1 NOTE: https://trac.torproject.org/projects/tor/ticket/24052 NOTE: https://blog.torproject.org/tor-browser-709-released NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-20/#CVE-2017-16541 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-21/#CVE-2017-16541 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-25/#CVE-2017-16541 CVE-2017-16540 (OpenEMR before 5.0.0 Patch 5 allows unauthenticated remote database co ...) NOT-FOR-US: OpenEMR CVE-2017-16539 (The DefaultLinuxSpec function in oci/defaults.go in Docker Moby throug ...) - docker.io 1.13.1~ds3-1 (bug #900140) NOTE: https://github.com/moby/moby/pull/35399 NOTE: https://github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1 CVE-2017-16538 (drivers/media/usb/dvb-usb-v2/lmedm04.c in the Linux kernel through 4.1 ...) {DSA-4082-1 DSA-4073-1} - linux 4.14.7-1 [wheezy] - linux (Vulnerable code not present) CVE-2017-16537 (The imon_probe function in drivers/media/rc/imon.c in the Linux kernel ...) {DLA-1200-1} - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 CVE-2017-16536 (The cx231xx_usb_probe function in drivers/media/usb/cx231xx/cx231xx-ca ...) 
{DLA-1200-1} - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 CVE-2017-16535 (The usb_get_bos_descriptor function in drivers/usb/core/config.c in th ...) {DLA-1200-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/1c0edc3633b56000e18d82fc241e3995ca18a69e CVE-2017-16534 (The cdc_parse_cdc_header function in drivers/usb/core/message.c in the ...) - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/2e1c42391ff2556387b3cb6308b24f6f65619feb CVE-2017-16533 (The usbhid_parse function in drivers/hid/usbhid/hid-core.c in the Linu ...) {DLA-1200-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/f043bfc98c193c284e2cd768fefabe18ac2fed9b CVE-2017-16532 (The get_endpoints function in drivers/usb/misc/usbtest.c in the Linux ...) {DLA-1200-1} - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/7c80f9e4a588f1925b07134bb2e3689335f6c6d8 CVE-2017-16531 (drivers/usb/core/config.c in the Linux kernel before 4.13.6 allows loc ...) {DLA-1200-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/bd7a3fe770ebd8391d1c7d072ff88e9e76d063eb CVE-2017-16530 (The uas driver in the Linux kernel before 4.13.6 allows local users to ...) - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/786de92b3cb26012d3d0f00ee37adf14527f35c4 CVE-2017-16529 (The snd_usb_create_streams function in sound/usb/card.c in the Linux k ...) 
{DLA-1200-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/bfc81a8bc18e3c4ba0cbaa7666ff76be2f998991 CVE-2017-16528 (sound/core/seq_device.c in the Linux kernel before 4.13.4 allows local ...) - linux 4.13.4-1 [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/fc27fe7e8deef2f37cba3f2be2d52b6ca5eb9d57 CVE-2017-16527 (sound/usb/mixer.c in the Linux kernel before 4.13.8 allows local users ...) {DLA-1200-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/124751d5e63c823092060074bd0abaae61aaa9c4 CVE-2017-16526 (drivers/uwb/uwbd.c in the Linux kernel before 4.13.6 allows local user ...) {DSA-4187-1 DLA-1369-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 NOTE: Fixed by: https://git.kernel.org/linus/bbf26183b7a6236ba602f4d6a2f7cade35bba043 CVE-2017-16525 (The usb_serial_console_disconnect function in drivers/usb/serial/conso ...) {DLA-1200-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 CVE-2017-16524 (Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unre ...) NOT-FOR-US: Samsung SRN-1670D devices CVE-2017-16523 (MitraStar GPT-2541GNAC (HGU) 1.00(VNJ0)b1 and DSL-100HN-T1 ES_113WJY0b ...) NOT-FOR-US: MitraStar CVE-2017-16522 (MitraStar GPT-2541GNAC (HGU) 1.00(VNJ0)b1 and DSL-100HN-T1 ES_113WJY0b ...) NOT-FOR-US: MitraStar CVE-2017-16521 (In Inedo BuildMaster before 5.8.2, XslTransform was used where XslComp ...) NOT-FOR-US: Inedo BuildMaster CVE-2017-16520 (Inedo BuildMaster before 5.8.2 does not properly restrict creation of ...) NOT-FOR-US: Inedo BuildMaster CVE-2017-16519 RESERVED CVE-2017-16518 RESERVED CVE-2017-16517 RESERVED CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is suppl ...) 
{DLA-1167-1} - ruby-yajl 1.2.0-3.1 (low; bug #880691) [stretch] - ruby-yajl (Minor issue) [jessie] - ruby-yajl (Minor issue) NOTE: https://github.com/brianmario/yajl-ruby/issues/176 NOTE: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce CVE-2017-16515 RESERVED CVE-2017-16514 (Multiple persistent stored Cross-Site-Scripting (XSS) vulnerabilities ...) NOT-FOR-US: WebsiteBaker CVE-2017-16513 (Ipswitch WS_FTP Professional before 12.6.0.3 has buffer overflows in t ...) NOT-FOR-US: Ipswitch WS_FTP Professional CVE-2017-16512 (The vagrant update process in Hashicorp vagrant-vmware-fusion 5.0.2 th ...) NOT-FOR-US: vagrant-vmware-fusion CVE-2017-16511 RESERVED CVE-2017-1000171 (Mahara Mobile before 1.2.1 is vulnerable to passwords being sent to th ...) - mahara CVE-2017-1000157 (Mahara 15.04 before 15.04.13 and 16.04 before 16.04.7 and 16.10 before ...) - mahara CVE-2017-1000156 (Mahara 15.04 before 15.04.9 and 15.10 before 15.10.5 and 16.04 before ...) - mahara CVE-2017-1000155 (Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before ...) - mahara CVE-2017-1000154 (Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before ...) - mahara CVE-2017-1000153 (Mahara 15.04 before 15.04.10 and 15.10 before 15.10.6 and 16.04 before ...) - mahara CVE-2017-1000152 (Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 running PHP 5.3 a ...) - mahara CVE-2017-1000151 (Mahara 15.04 before 15.04.9 and 15.10 before 15.10.5 and 16.04 before ...) - mahara CVE-2017-1000150 (Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 are vulnerable to ...) - mahara CVE-2017-1000149 (Mahara 1.10 before 1.10.9 and 15.04 before 15.04.6 and 15.10 before 15 ...) - mahara CVE-2017-1000148 (Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before ...) - mahara CVE-2017-1000147 (Mahara 1.9 before 1.9.8 and 1.10 before 1.10.6 and 15.04 before 15.04. ...) 
- mahara CVE-2017-1000146 (Mahara 1.9 before 1.9.7 and 1.10 before 1.10.5 and 15.04 before 15.04. ...) - mahara CVE-2017-1000145 (Mahara 1.9 before 1.9.7 and 1.10 before 1.10.5 and 15.04 before 15.04. ...) - mahara CVE-2017-1000144 (Mahara 1.9 before 1.9.6 and 1.10 before 1.10.4 and 15.04 before 15.04. ...) - mahara CVE-2017-1000143 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 an ...) - mahara CVE-2017-1000142 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 an ...) - mahara CVE-2017-1000141 (An issue was discovered in Mahara before 18.10.0. It mishandled user r ...) - mahara NOTE: https://bugs.launchpad.net/mahara/+bug/1422492 CVE-2017-1000140 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 an ...) - mahara CVE-2017-1000139 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 an ...) - mahara CVE-2017-1000138 (Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to p ...) - mahara CVE-2017-1000137 (Mahara 1.10 before 1.10.0 and 15.04 before 15.04.0 are vulnerable to p ...) - mahara CVE-2017-1000136 (Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 1.10.1 an ...) - mahara CVE-2017-1000135 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 an ...) - mahara CVE-2017-1000134 (Mahara 1.8 before 1.8.6 and 1.9 before 1.9.4 and 1.10 before 1.10.1 an ...) - mahara CVE-2017-1000133 (Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before ...) - mahara CVE-2017-1000132 (Mahara 1.8 before 1.8.7 and 1.9 before 1.9.5 and 1.10 before 1.10.3 an ...) - mahara CVE-2017-1000131 (Mahara 15.04 before 15.04.8 and 15.10 before 15.10.4 and 16.04 before ...) - mahara CVE-2017-16510 (WordPress before 4.8.3 is affected by an issue where $wpdb->prepare ...) 
{DSA-4090-1 DLA-1160-1} - wordpress 4.8.3+dfsg-1 (bug #880528) NOTE: https://wpvulndb.com/vulnerabilities/8941 NOTE: https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d NOTE: https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html CVE-2017-16509 REJECTED CVE-2017-16508 REJECTED CVE-2017-16507 REJECTED CVE-2017-16506 REJECTED CVE-2017-16505 REJECTED CVE-2017-16504 REJECTED CVE-2017-16503 REJECTED CVE-2017-16502 REJECTED CVE-2017-16501 REJECTED CVE-2017-16500 REJECTED CVE-2017-16499 REJECTED CVE-2017-16498 REJECTED CVE-2017-16497 REJECTED CVE-2017-16496 REJECTED CVE-2017-16495 REJECTED CVE-2017-16494 REJECTED CVE-2017-16493 REJECTED CVE-2017-16492 REJECTED CVE-2017-16491 REJECTED CVE-2017-16490 REJECTED CVE-2017-16489 REJECTED CVE-2017-16488 REJECTED CVE-2017-16487 REJECTED CVE-2017-16486 REJECTED CVE-2017-16485 REJECTED CVE-2017-16484 REJECTED CVE-2017-16483 REJECTED CVE-2017-16482 REJECTED CVE-2017-16481 REJECTED CVE-2017-16480 REJECTED CVE-2017-16479 REJECTED CVE-2017-16478 REJECTED CVE-2017-16477 REJECTED CVE-2017-16476 REJECTED CVE-2017-16475 REJECTED CVE-2017-16474 REJECTED CVE-2017-16473 REJECTED CVE-2017-16472 REJECTED CVE-2017-16471 REJECTED CVE-2017-16470 REJECTED CVE-2017-16469 REJECTED CVE-2017-16468 REJECTED CVE-2017-16467 REJECTED CVE-2017-16466 REJECTED CVE-2017-16465 REJECTED CVE-2017-16464 REJECTED CVE-2017-16463 REJECTED CVE-2017-16462 REJECTED CVE-2017-16461 REJECTED CVE-2017-16460 REJECTED CVE-2017-16459 REJECTED CVE-2017-16458 REJECTED CVE-2017-16457 REJECTED CVE-2017-16456 REJECTED CVE-2017-16455 REJECTED CVE-2017-16454 REJECTED CVE-2017-16453 REJECTED CVE-2017-16452 REJECTED CVE-2017-16451 REJECTED CVE-2017-16450 REJECTED CVE-2017-16449 REJECTED CVE-2017-16448 REJECTED CVE-2017-16447 REJECTED CVE-2017-16446 REJECTED CVE-2017-16445 REJECTED CVE-2017-16444 REJECTED CVE-2017-16443 REJECTED CVE-2017-16442 REJECTED CVE-2017-16441 REJECTED CVE-2017-16440 REJECTED CVE-2017-16439 
REJECTED CVE-2017-16438 REJECTED CVE-2017-16437 REJECTED CVE-2017-16436 REJECTED CVE-2017-16435 REJECTED CVE-2017-16434 REJECTED CVE-2017-16433 REJECTED CVE-2017-16432 REJECTED CVE-2017-16431 REJECTED CVE-2017-16430 REJECTED CVE-2017-16429 REJECTED CVE-2017-16428 REJECTED CVE-2017-16427 REJECTED CVE-2017-16426 REJECTED CVE-2017-16425 REJECTED CVE-2017-16424 REJECTED CVE-2017-16423 REJECTED CVE-2017-16422 REJECTED CVE-2017-16421 REJECTED CVE-2017-16420 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16419 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16418 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16417 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16416 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16415 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16414 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16413 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16412 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16411 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16410 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16409 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16408 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16407 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) 
NOT-FOR-US: Adobe CVE-2017-16406 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16405 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16404 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16403 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16402 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16401 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16400 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16399 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16398 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16397 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16396 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16395 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16394 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16393 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16392 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16391 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16390 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16389 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) 
NOT-FOR-US: Adobe CVE-2017-16388 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16387 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16386 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16385 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16384 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16383 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16382 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16381 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16380 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16379 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16378 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16377 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16376 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16375 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16374 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16373 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16372 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16371 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) 
NOT-FOR-US: Adobe CVE-2017-16370 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16369 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16368 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16367 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16366 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16365 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16364 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16363 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16362 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16361 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16360 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-16359 (In radare 2.0.1, a pointer wraparound vulnerability exists in store_ve ...) - radare2 2.1.0+dfsg-1 (bug #880616) [jessie] - radare2 (Vulnerable code introduced later) [wheezy] - radare2 (Vulnerable code introduced later) NOTE: https://github.com/radare/radare2/commit/62e39f34b2705131a2d08aff0c2e542c6a52cf0e NOTE: https://github.com/radare/radare2/commit/d21e91f075a7a7a8ed23baa5c1bb1fac48313882 NOTE: https://github.com/radare/radare2/commit/fbaf24bce7ea4211e4608b3ab6c1b45702cb243d NOTE: https://github.com/radare/radare2/issues/8764 CVE-2017-16358 (In radare 2.0.1, an out-of-bounds read vulnerability exists in string_ ...) 
- radare2 2.1.0+dfsg-1 (bug #880619) [jessie] - radare2 (Vulnerable code introduced later) [wheezy] - radare2 (Vulnerable code introduced later) NOTE: https://github.com/radare/radare2/commit/d31c4d3cbdbe01ea3ded16a584de94149ecd31d9 NOTE: https://github.com/radare/radare2/issues/8748 CVE-2017-16357 (In radare 2.0.1, a memory corruption vulnerability exists in store_ver ...) - radare2 2.1.0+dfsg-1 (bug #880620) [jessie] - radare2 (Vulnerable code introduced later) [wheezy] - radare2 (Vulnerable code introduced later) NOTE: https://github.com/radare/radare2/commit/0b973e28166636e0ff1fad80baa0385c9c09c53a NOTE: https://github.com/radare/radare2/issues/8742 CVE-2017-16356 (Reflected XSS in Kubik-Rubik SIGE (aka Simple Image Gallery Extended) ...) NOT-FOR-US: Kubik-Rubik SIGE CVE-2017-16355 (In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed ...) {DSA-4415-1} - passenger 5.0.30-1.1 (bug #884463) - ruby-passenger [jessie] - ruby-passenger (Minor issue) [wheezy] - ruby-passenger (Vulnerable code introduced later) NOTE: https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/ NOTE: https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf NOTE: https://www.openwall.com/lists/oss-security/2017/11/21/2 and following. NOTE: Problem mitigated in versions prior to 5.0.10 where root privileges were required to NOTE: get the status information. CVE-2017-16354 RESERVED CVE-2017-16353 (GraphicsMagick 1.3.26 is vulnerable to a memory information disclosure ...) {DSA-4321-1 DLA-1401-1 DLA-1159-1} - graphicsmagick 1.3.26-17 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=e4e1c2a581d8 NOTE: https://blogs.securiteam.com/index.php/archives/3494 CVE-2017-16352 (GraphicsMagick 1.3.26 is vulnerable to a heap-based buffer overflow vu ...) 
{DSA-4321-1 DLA-1456-1 DLA-1159-1} - graphicsmagick 1.3.26-17 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=7292230dd185 NOTE: https://blogs.securiteam.com/index.php/archives/3494 CVE-2017-1001001 (PluXml version 5.6 is vulnerable to stored cross-site scripting vulner ...) - pluxml 5.6-1 (bug #881796) [stretch] - pluxml (Minor issue) [jessie] - pluxml (Minor issue) NOTE: https://github.com/pluxml/PluXml/issues/253 CVE-2017-1000244 (Jenkins Favorite Plugin version 2.2.0 and older is vulnerable to CSRF ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000243 (Jenkins Favorite Plugin 2.1.4 and older does not perform permission ch ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000242 (Jenkins Git Client Plugin 2.4.2 and earlier creates temporary file wit ...) NOT-FOR-US: Jenkins plugin CVE-2017-16351 REJECTED CVE-2017-16350 REJECTED CVE-2017-16349 (An exploitable XML external entity vulnerability exists in the reporti ...) NOT-FOR-US: SAP CVE-2017-16348 (An exploitable denial of service vulnerability exists in Insteon Hub r ...) NOT-FOR-US: Insteon Hub CVE-2017-16347 (An attacker could send an authenticated HTTP request to trigger this v ...) NOT-FOR-US: Insteon Hub CVE-2017-16346 (An attacker could send an authenticated HTTP request to trigger this v ...) NOT-FOR-US: Insteon Hub CVE-2017-16345 (An attacker could send an authenticated HTTP request to trigger this v ...) NOT-FOR-US: Insteon Hub CVE-2017-16344 (An attacker could send an authenticated HTTP request to trigger this v ...) NOT-FOR-US: Insteon Hub CVE-2017-16343 (An attacker could send an authenticated HTTP request to trigger this v ...) NOT-FOR-US: Insteon Hub CVE-2017-16342 (An attacker could send an authenticated HTTP request to trigger this v ...) NOT-FOR-US: Insteon Hub CVE-2017-16341 (An attacker could send an authenticated HTTP request to trigger this v ...) NOT-FOR-US: Insteon Hub CVE-2017-16340 (An attacker could send an authenticated HTTP request to trigger this v ...) 
NOT-FOR-US: Insteon Hub CVE-2017-16339 (An attacker could send an authenticated HTTP request to trigger this v ...) NOT-FOR-US: Insteon Hub CVE-2017-16338 (An attacker could send an authenticated HTTP request to trigger this v ...) NOT-FOR-US: Insteon Hub CVE-2017-16337 (On Insteon Hub 2245-222 devices with firmware version 1012, specially ...) NOT-FOR-US: Insteon Hub CVE-2017-16336 RESERVED CVE-2017-16335 RESERVED CVE-2017-16334 RESERVED CVE-2017-16333 RESERVED CVE-2017-16332 RESERVED CVE-2017-16331 RESERVED CVE-2017-16330 RESERVED CVE-2017-16329 RESERVED CVE-2017-16328 RESERVED CVE-2017-16327 RESERVED CVE-2017-16326 RESERVED CVE-2017-16325 RESERVED CVE-2017-16324 RESERVED CVE-2017-16323 RESERVED CVE-2017-16322 RESERVED CVE-2017-16321 RESERVED CVE-2017-16320 RESERVED CVE-2017-16319 RESERVED CVE-2017-16318 RESERVED CVE-2017-16317 RESERVED CVE-2017-16316 RESERVED CVE-2017-16315 RESERVED CVE-2017-16314 RESERVED CVE-2017-16313 RESERVED CVE-2017-16312 RESERVED CVE-2017-16311 RESERVED CVE-2017-16310 RESERVED CVE-2017-16309 RESERVED CVE-2017-16308 RESERVED CVE-2017-16307 RESERVED CVE-2017-16306 RESERVED CVE-2017-16305 RESERVED CVE-2017-16304 RESERVED CVE-2017-16303 RESERVED CVE-2017-16302 RESERVED CVE-2017-16301 RESERVED CVE-2017-16300 RESERVED CVE-2017-16299 RESERVED CVE-2017-16298 RESERVED CVE-2017-16297 RESERVED CVE-2017-16296 RESERVED CVE-2017-16295 RESERVED CVE-2017-16294 RESERVED CVE-2017-16293 RESERVED CVE-2017-16292 RESERVED CVE-2017-16291 RESERVED CVE-2017-16290 RESERVED CVE-2017-16289 RESERVED CVE-2017-16288 RESERVED CVE-2017-16287 RESERVED CVE-2017-16286 RESERVED CVE-2017-16285 RESERVED CVE-2017-16284 RESERVED CVE-2017-16283 RESERVED CVE-2017-16282 RESERVED CVE-2017-16281 RESERVED CVE-2017-16280 RESERVED CVE-2017-16279 RESERVED CVE-2017-16278 RESERVED CVE-2017-16277 RESERVED CVE-2017-16276 RESERVED CVE-2017-16275 RESERVED CVE-2017-16274 RESERVED CVE-2017-16273 RESERVED CVE-2017-16272 RESERVED CVE-2017-16271 RESERVED CVE-2017-16270 RESERVED CVE-2017-16269 
RESERVED CVE-2017-16268 RESERVED CVE-2017-16267 RESERVED CVE-2017-16266 RESERVED CVE-2017-16265 RESERVED CVE-2017-16264 RESERVED CVE-2017-16263 RESERVED CVE-2017-16262 RESERVED CVE-2017-16261 RESERVED CVE-2017-16260 RESERVED CVE-2017-16259 RESERVED CVE-2017-16258 RESERVED CVE-2017-16257 RESERVED CVE-2017-16256 RESERVED CVE-2017-16255 (An exploitable buffer overflow vulnerability exists in the PubNub mess ...) NOT-FOR-US: Insteon Hub CVE-2017-16254 (An exploitable buffer overflow vulnerability exists in the PubNub mess ...) NOT-FOR-US: Insteon Hub CVE-2017-16253 (An exploitable buffer overflow vulnerability exists in the PubNub mess ...) NOT-FOR-US: Insteon Hub CVE-2017-16252 (Specially crafted commands sent through the PubNub service in Insteon ...) NOT-FOR-US: Insteon Hub CVE-2017-16251 (A vulnerability in the conferencing component of Mitel ST 14.2, releas ...) NOT-FOR-US: Mitel CVE-2017-16250 (A vulnerability in Mitel ST 14.2, release GA28 and earlier, could allo ...) NOT-FOR-US: Mitel CVE-2017-16249 (The Debut embedded http server contains a remotely exploitable denial ...) NOT-FOR-US: Debut embedded http server CVE-2017-16247 RESERVED CVE-2017-16246 RESERVED CVE-2017-16245 RESERVED CVE-2017-16244 (Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426 ...) NOT-FOR-US: OctoberCMS CVE-2017-16243 RESERVED CVE-2017-16242 (An issue was discovered on MECO USB Memory Stick with Fingerprint MECO ...) NOT-FOR-US: MECO CVE-2017-1000384 REJECTED CVE-2017-1000383 (GNU Emacs version 25.3.1 (and other versions most likely) ignores umas ...) NOTE: This CVE assignment is nonsense, GNU emacs reuses the umask of the original NOTE: file when creating a backup file. That's hardly incorrect behaviour NOTE: Upstream report: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=29182 CVE-2017-1000382 (VIM version 8.0.1187 (and other versions most likely) ignores umask wh ...) - vim (unimportant) NOTE: https://www.openwall.com/lists/oss-security/2017/10/31/15 NOTE: Cf. 
https://www.openwall.com/lists/oss-security/2017/11/01/4 NOTE: vim creates the .swp file according to the permissions of the file being NOTE: edited, admittedly ignoring the umask, so in the reporter's case the .swp NOTE: file is readable by others. But that seems to be the intended behaviour. CVE-2017-16248 (The Catalyst-Plugin-Static-Simple module before 0.34 for Perl allows r ...) - libcatalyst-plugin-static-simple-perl 0.34-1 (bug #880458) [stretch] - libcatalyst-plugin-static-simple-perl (Minor issue) [jessie] - libcatalyst-plugin-static-simple-perl (Minor issue) NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=120558 CVE-2017-16241 (Incorrect access control in AMAG Symmetry Door Edge Network Controller ...) NOT-FOR-US: AMAG Symmetry Door Edge Network Controllers CVE-2017-16240 RESERVED CVE-2017-17051 (An issue was discovered in the default FilterScheduler in OpenStack No ...) - nova 2:16.0.3-6 (bug #883621) [stretch] - nova (Fix for CVE-2017-16239 not applied and not affecting 14.x.y) [jessie] - nova (Vulnerable code not present) [wheezy] - nova (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2017/12/05/5 NOTE: https://launchpad.net/bugs/1732976 CVE-2017-16239 (In OpenStack Nova through 14.0.9, 15.x through 15.0.7, and 16.x throug ...) {DSA-4056-1} - nova 2:16.0.3-1 (bug #882009) [jessie] - nova (Vulnerable code introduced later) [wheezy] - nova (Vulnerable code introduced later) NOTE: https://launchpad.net/bugs/1664931 NOTE: https://security.openstack.org/ossa/OSSA-2017-005.html NOTE: Regression fix: https://www.openwall.com/lists/oss-security/2017/12/05/4 CVE-2017-16238 RESERVED CVE-2017-16237 (In Vir.IT eXplorer Anti-Virus before 8.5.42, the driver file (VIAGLT64 ...) NOT-FOR-US: Vir.IT eXplorer Anti-Virus CVE-2017-16236 RESERVED CVE-2017-16235 RESERVED CVE-2017-16234 RESERVED CVE-2017-16233 RESERVED CVE-2017-16232 (** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak vulnerabilities, ...) 
- tiff (unimportant) NOTE: http://seclists.org/oss-sec/2017/q4/168 NOTE: Related commit: https://gitlab.com/libtiff/libtiff/commit/25f9ffa56548c1846c4a1f19308b7f561f7b1ab0 NOTE: This is actually only a partial fix, but upstream will not fix it completely. NOTE: The related commit is included in 4.0.9. The underlying memory-based DOS NOTE: would still be present. CVE-2017-16231 (** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC ...) - pcre3 (unimportant) CVE-2017-16230 (In admin/write-post.php in Typecho through 1.1, one can log in to the ...) NOT-FOR-US: Typecho CVE-2017-16229 (In the Ox gem 2.8.1 for Ruby, the process crashes with a stack-based b ...) - ruby-ox 2.8.2-1 [stretch] - ruby-ox (Minor issue) [jessie] - ruby-ox (Minor issue) NOTE: https://github.com/ohler55/ox/issues/195 NOTE: https://github.com/ohler55/ox/pull/196 NOTE: https://github.com/ohler55/ox/commit/0708ae44faf2ffc3d9330daf6ae023859a8b168b CVE-2017-16228 (Dulwich before 0.18.5, when an SSH subprocess is used, allows remote a ...) - dulwich 0.18.5-1 [stretch] - dulwich (Minor issue) [jessie] - dulwich (Minor issue) [wheezy] - dulwich (Minor issue) NOTE: https://www.dulwich.io/code/dulwich/commit/7116a0cbbda571f7dac863f4b1c00b6e16d6d8d6/ NOTE: This is a similar class of issue as for CVE-2017-1000117/git NOTE: But needs a separate CVE since it is a different codebase. CVE-2017-16227 (The aspath_put function in bgpd/bgp_aspath.c in Quagga before 1.2.2 al ...) {DSA-4011-1 DLA-1152-1} - quagga 1.2.2-1 (bug #879474) NOTE: https://lists.quagga.net/pipermail/quagga-dev/2017-September/033284.html NOTE: http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=7a42b78be9a4108d98833069a88e6fddb9285008 CVE-2017-16226 (The static-eval module is intended to evaluate statically-analyzable e ...) NOT-FOR-US: static-eval module CVE-2017-16225 (aegir is a module to help automate JavaScript project management. Vers ...) NOT-FOR-US: aegir CVE-2017-16224 (st is a module for serving static files. 
An attacker is able to craft ...) NOT-FOR-US: st CVE-2017-16223 (nodeaaaaa is a static file server. nodeaaaaa is vulnerable to a direct ...) NOT-FOR-US: nodeaaaaa CVE-2017-16222 (elding is a simple web server. elding is vulnerable to a directory tra ...) NOT-FOR-US: elding CVE-2017-16221 (yzt is a simple file server. yzt is vulnerable to a directory traversa ...) NOT-FOR-US: yzt CVE-2017-16220 (wind-mvc is an mvc framework. wind-mvc is vulnerable to a directory tr ...) NOT-FOR-US: wind-mvc CVE-2017-16219 (yttivy is a static file server. yttivy is vulnerable to a directory tr ...) NOT-FOR-US: yttivy CVE-2017-16218 (dgard8.lab6 is a static file server. dgard8.lab6 is vulnerable to a di ...) NOT-FOR-US: dgard8.lab6 CVE-2017-16217 (fbr-client sends files through sockets via socket.io and webRTC. fbr-c ...) NOT-FOR-US: fbr-client CVE-2017-16216 (tencent-server is a simple web server. tencent-server is vulnerable to ...) NOT-FOR-US: tencent-server CVE-2017-16215 (sgqserve is a simple file server. sgqserve is vulnerable to a director ...) NOT-FOR-US: sgqserve CVE-2017-16214 (peiserver is a static file server. peiserver is vulnerable to a direct ...) NOT-FOR-US: peiserver CVE-2017-16213 (mfrserver is a simple file server. mfrserver is vulnerable to a direct ...) NOT-FOR-US: mfrserver CVE-2017-16212 (ltt is a static file server. ltt is vulnerable to a directory traversa ...) NOT-FOR-US: ltt CVE-2017-16211 (lessindex is a static file server. lessindex is vulnerable to a direct ...) NOT-FOR-US: lessindex CVE-2017-16210 (jn_jj_server is a static file server. jn_jj_server is vulnerable to a ...) NOT-FOR-US: jn_jj_server CVE-2017-16209 (enserver is a simple web server. enserver is vulnerable to a directory ...) NOT-FOR-US: enserver CVE-2017-16208 (dmmcquay.lab6 is a REST server. dmmcquay.lab6 is vulnerable to a direc ...) NOT-FOR-US: dmmcquay.lab6 CVE-2017-16207 (discordi.js is a malicious module based on the discord.js library that ...) 
NOT-FOR-US: discordi.js CVE-2017-16206 (The cofee-script module exfiltrates sensitive data such as a user's pr ...) NOT-FOR-US: cofee-script CVE-2017-16205 (The coffescript module exfiltrates sensitive data such as a user's pri ...) NOT-FOR-US: coffescript CVE-2017-16204 (The jquey module exfiltrates sensitive data such as a user's private S ...) NOT-FOR-US: jquey CVE-2017-16203 (The coffe-script module exfiltrates sensitive data such as a user's pr ...) NOT-FOR-US: coffe-script CVE-2017-16202 (The cofeescript module exfiltrates sensitive data such as a user's pri ...) NOT-FOR-US: cofeescript CVE-2017-16201 (zjjserver is a static file server. zjjserver is vulnerable to a direct ...) NOT-FOR-US: zjjserver CVE-2017-16200 (uv-tj-demo is a static file server. uv-tj-demo is vulnerable to a dire ...) NOT-FOR-US: uv-tj-demo CVE-2017-16199 (susu-sum is a static file server. susu-sum is vulnerable to a director ...) NOT-FOR-US: sus-sum CVE-2017-16198 (ritp is a static web server. ritp is vulnerable to a directory travers ...) NOT-FOR-US: ritp CVE-2017-16197 (qinserve is a static file server. qinserve is vulnerable to a director ...) NOT-FOR-US: sinserve CVE-2017-16196 (quickserver is a simple static file server. quickserver is vulnerable ...) NOT-FOR-US: quickserver CVE-2017-16195 (pytservce is a static file server. pytservce is vulnerable to a direct ...) NOT-FOR-US: pytservce CVE-2017-16194 (picard is a micro framework. picard is vulnerable to a directory trave ...) NOT-FOR-US: picard CVE-2017-16193 (mfrs is a static file server. mfrs is vulnerable to a directory traver ...) NOT-FOR-US: mfrs CVE-2017-16192 (getcityapi.yoehoehne is a web server. getcityapi.yoehoehne is vulnerab ...) NOT-FOR-US: getcityapi.yoehoehne CVE-2017-16191 (cypserver is a static file server. cypserver is vulnerable to a direct ...) NOT-FOR-US: cypserver CVE-2017-16190 (dcdcdcdcdc is a static file server. dcdcdcdcdc is vulnerable to a dire ...) 
NOT-FOR-US: dcdcdcdcdc CVE-2017-16189 (sly07 is an API for censoring text. sly07 is vulnerable to a directory ...) NOT-FOR-US: sly07 CVE-2017-16188 (reecerver is a web server. reecerver is vulnerable to a directory trav ...) NOT-FOR-US: reecerver CVE-2017-16187 (open-device creates a web interface for any device. open-device is vul ...) NOT-FOR-US: open-device CVE-2017-16186 (360class.jansenhm is a static file server. 360class.jansenhm is vulner ...) NOT-FOR-US: 360class.jansenhm CVE-2017-16185 (uekw1511server is a static file server. uekw1511server is vulnerable t ...) NOT-FOR-US: uekw1511server CVE-2017-16184 (scott-blanch-weather-app is a sample Node.js app using Express 4. scot ...) NOT-FOR-US: scott-blanch-weather-app CVE-2017-16183 (iter-server is a static file server. iter-server is vulnerable to a di ...) NOT-FOR-US: iter-server CVE-2017-16182 (serverxxx is a static file server. serverxxx is vulnerable to a direct ...) NOT-FOR-US: serverxxx CVE-2017-16181 (wintiwebdev is a static file server. wintiwebdev is vulnerable to a di ...) NOT-FOR-US: wintiwebdev CVE-2017-16180 (serverabc is a static file server. serverabc is vulnerable to a direct ...) NOT-FOR-US: serverabc CVE-2017-16179 (dasafio is a web server. dasafio is vulnerable to a directory traversa ...) NOT-FOR-US: dasafio CVE-2017-16178 (intsol-package is a file server. intsol-package is vulnerable to a dir ...) NOT-FOR-US: intsol-package CVE-2017-16177 (chatbyvista is a file server. chatbyvista is vulnerable to a directory ...) NOT-FOR-US: chatbyvista CVE-2017-16176 (jansenstuffpleasework is a file server. jansenstuffpleasework is vulne ...) NOT-FOR-US: jansenstuffpleasework CVE-2017-16175 (ewgaddis.lab6 is a file server. ewgaddis.lab6 is vulnerable to a direc ...) NOT-FOR-US: ewgaddis.lab6 CVE-2017-16174 (whispercast is a file server. whispercast is vulnerable to a directory ...) NOT-FOR-US: whispercast CVE-2017-16173 (utahcityfinder constructs lists of Utah cities with a certain prefix. ...) 
NOT-FOR-US: utahcityfinder CVE-2017-16172 (section2.madisonjbrooks12 is a simple web server. section2.madisonjbro ...) NOT-FOR-US: section2.madisonjbrooks12 CVE-2017-16171 (hcbserver is a static file server. hcbserver is vulnerable to a direct ...) NOT-FOR-US: hcbserver CVE-2017-16170 (liuyaserver is a static file server. liuyaserver is vulnerable to a di ...) NOT-FOR-US: liuyaserver CVE-2017-16169 (looppake is a simple http server. looppake is vulnerable to a director ...) NOT-FOR-US: looppake CVE-2017-16168 (wffserve is vulnerable to a directory traversal issue, giving an attac ...) NOT-FOR-US: wffserve CVE-2017-16167 (yyooopack is a simple file server. yyooopack is vulnerable to a direct ...) NOT-FOR-US: yyooopack CVE-2017-16166 (byucslabsix is an http server. byucslabsix is vulnerable to a director ...) NOT-FOR-US: byucslabsix CVE-2017-16165 (calmquist.static-server is a static file server. calmquist.static-serv ...) NOT-FOR-US: calmquist.static-server CVE-2017-16164 (desafio is a simple web server. desafio is vulnerable to a directory t ...) NOT-FOR-US: desafio CVE-2017-16163 (dylmomo is a simple file server. dylmomo is vulnerable to a directory ...) NOT-FOR-US: dylmomo CVE-2017-16162 (22lixian is a simple file server. 22lixian is vulnerable to a director ...) NOT-FOR-US: 22lixian CVE-2017-16161 (shenliru is a simple file server. shenliru is vulnerable to a director ...) NOT-FOR-US: shenliru CVE-2017-16160 (11xiaoli is a simple file server. 11xiaoli is vulnerable to a director ...) NOT-FOR-US: 11xiaoli CVE-2017-16159 (caolilinode is a simple file server. caolilinode is vulnerable to a di ...) NOT-FOR-US: caolilinode CVE-2017-16158 (dcserver is a static file server. dcserver is vulnerable to a director ...) NOT-FOR-US: dcserver CVE-2017-16157 (censorify.tanisjr is a simple web server and API RESTful service. cens ...) NOT-FOR-US: censorify.tanisjr CVE-2017-16156 (myprolyz is a static file server. myprolyz is vulnerable to a director ...) 
NOT-FOR-US: myprolyz CVE-2017-16155 (fast-http-cli is the command line interface for fast-http, a simple we ...) NOT-FOR-US: fast-http-cli CVE-2017-16154 (earlybird is a web server module for early development. earlybird is v ...) NOT-FOR-US: earlybird CVE-2017-16153 (gaoxuyan is vulnerable to a directory traversal issue, giving an attac ...) NOT-FOR-US: gaoxuyan CVE-2017-16152 (static-html-server is a static file server. static-html-server is vuln ...) NOT-FOR-US: static-html-server CVE-2017-16151 (Based on details posted by the ElectronJS team; A remote code executio ...) NOT-FOR-US: Electron CVE-2017-16150 (wanggoujing123 is a simple webserver. wanggoujing123 is vulnerable to ...) NOT-FOR-US: wanggoujing123 CVE-2017-16149 (zwserver is a weather web server. zwserver is vulnerable to a director ...) NOT-FOR-US: zwserver CVE-2017-16148 (serve46 is a static file server. serve46 is vulnerable to a directory ...) NOT-FOR-US: serve46 CVE-2017-16147 (shit-server is a file server. shit-server is vulnerable to a directory ...) NOT-FOR-US: shit-server CVE-2017-16146 (mockserve is a file server. mockserve is vulnerable to a directory tra ...) NOT-FOR-US: mockserve CVE-2017-16145 (sspa is a server dedicated to single-page apps. sspa is vulnerable to ...) NOT-FOR-US: sspa CVE-2017-16144 (myserver.alexcthomas18 is a file server. myserver.alexcthomas18 is vul ...) NOT-FOR-US: myserver.alexcthomas18 CVE-2017-16143 (commentapp.stetsonwood is an http server. commentapp.stetsonwood is vu ...) NOT-FOR-US: commentapp.stetsonwood CVE-2017-16142 (infraserver is a RESTful server. infraserver is vulnerable to a direct ...) NOT-FOR-US: infraserver CVE-2017-16141 (lab6drewfusbyu is an http server. lab6drewfusbyu is vulnerable to a di ...) NOT-FOR-US: lab6drewfusbyu CVE-2017-16140 (lab6.brit95 is a file server. lab6.brit95 is vulnerable to a directory ...) NOT-FOR-US: lab6.brit95 CVE-2017-16139 (jikes is a file server. jikes is vulnerable to a directory traversal i ...) 
NOT-FOR-US: jikes CVE-2017-16138 (The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expr ...) - node-mime 2.3.1-1 (unimportant; bug #901277) NOTE: https://github.com/broofa/node-mime/issues/167 NOTE: https://nodesecurity.io/advisories/535 NOTE: https://github.com/broofa/node-mime/commit/855d0c4b8b22e4a80b9401a81f2872058eae274d (1.x) NOTE: https://github.com/broofa/node-mime/commit/1df903fdeb9ae7eaa048795b8d580ce2c98f40b0 (2.x) NOTE: nodejs not covered by security support CVE-2017-16137 (The debug module is vulnerable to regular expression denial of service ...) - node-debug 3.1.0-1 (unimportant) NOTE: https://nodesecurity.io/advisories/534 NOTE: nodejs not covered by security support CVE-2017-16136 (method-override is a module used by the Express.js framework to let yo ...) NOT-FOR-US: method-override nodejs module CVE-2017-16135 (serverzyy is a static file server. serverzyy is vulnerable to a direct ...) NOT-FOR-US: serverzyy CVE-2017-16134 (http_static_simple is an http server. http_static_simple is vulnerable ...) NOT-FOR-US: http_static_simple CVE-2017-16133 (goserv is an http server. goserv is vulnerable to a directory traversa ...) NOT-FOR-US: goserv CVE-2017-16132 (simple-npm-registry is a local npm package cache. simple-npm-registry ...) NOT-FOR-US: simple-npm-registry CVE-2017-16131 (unicorn-list is a web framework. unicorn-list is vulnerable to a direc ...) NOT-FOR-US: unicorn-list CVE-2017-16130 (exxxxxxxxxxx is an Http eX Frame Google Style JavaScript Guide. exxxxx ...) NOT-FOR-US: exxxxxxxxxxx CVE-2017-16129 (The HTTP client module superagent is vulnerable to ZIP bomb attacks. I ...) - node-superagent 0.20.0+dfsg-2 [stretch] - node-superagent 0.20.0+dfsg-1+deb9u2 [jessie] - node-superagent (Nodejs in jessie not covered by security support) NOTE: https://github.com/visionmedia/superagent/issues/1259 NOTE: https://nodesecurity.io/advisories/479 CVE-2017-16128 (The module npm-script-demo opened a connection to a command and contro ...) 
NOT-FOR-US: npm-script-demo CVE-2017-16127 (The module pandora-doomsday infects other modules. It's since been unp ...) NOT-FOR-US: pandora-doomsday CVE-2017-16126 (The module botbait is a tool to be used to track bot and automated too ...) NOT-FOR-US: botbait CVE-2017-16125 (rtcmulticonnection-client is a signaling implementation for RTCMultiCo ...) NOT-FOR-US: rtcmulticonnection-client CVE-2017-16124 (node-server-forfront is a simple static file server. node-server-forfr ...) NOT-FOR-US: node-server-forfront CVE-2017-16123 (welcomyzt is a simple file server. welcomyzt is vulnerable to a direct ...) NOT-FOR-US: welcomyzt CVE-2017-16122 (cuciuci is a simple fileserver. cuciuci is vulnerable to a directory t ...) NOT-FOR-US: cuciuci CVE-2017-16121 (datachannel-client is a signaling implementation for DataChannel.js. d ...) NOT-FOR-US: datachannel-client CVE-2017-16120 (liyujing is a static file server. liyujing is vulnerable to a director ...) NOT-FOR-US: liyujing CVE-2017-16119 (Fresh is a module used by the Express.js framework for HTTP response f ...) - node-fresh 0.2.0-2 (bug #927715) [stretch] - node-fresh (Nodejs in stretch not covered by security support) [jessie] - node-fresh (Nodejs in jessie not covered by security support) NOTE: https://nodesecurity.io/advisories/526 CVE-2017-16118 (The forwarded module is used by the Express.js framework to handle the ...) NOT-FOR-US: forwarded nodejs module CVE-2017-16117 (slug is a module to slugify strings, even if they contain unicode. slu ...) NOT-FOR-US: slug node module CVE-2017-16116 (The string module is a module that provides extra string operations. T ...) NOT-FOR-US: string node module CVE-2017-16115 (The timespan module is vulnerable to regular expression denial of serv ...) NOT-FOR-US: timespane node module CVE-2017-16114 (The marked module is vulnerable to a regular expression denial of serv ...) 
- node-marked 0.3.9+dfsg-1 (unimportant) NOTE: https://nodesecurity.io/advisories/531 CVE-2017-16113 (The parsejson module is vulnerable to regular expression denial of ser ...) NOT-FOR-US: parsejson node module CVE-2017-16112 REJECTED CVE-2017-16111 (The content module is a module to parse HTTP Content-* headers. It is ...) NOT-FOR-US: node content CVE-2017-16110 (weather.swlyons is a simple web server for weather updates. weather.sw ...) NOT-FOR-US: weather.swlyons CVE-2017-16109 (easyquick is a simple web server. easyquick is vulnerable to a directo ...) NOT-FOR-US: easyquick CVE-2017-16108 (gaoxiaotingtingting is an HTTP server. gaoxiaotingtingting is vulnerab ...) NOT-FOR-US: gaoxiaotingtingting CVE-2017-16107 (pooledwebsocket is vulnerable to a directory traversal issue, giving a ...) NOT-FOR-US: pooledwebsocket CVE-2017-16106 (tmock is a static file server. tmock is vulnerable to a directory trav ...) NOT-FOR-US: tmock CVE-2017-16105 (serverwzl is a simple http server. serverwzl is vulnerable to a direct ...) NOT-FOR-US: serverwzl CVE-2017-16104 (citypredict.whauwiller is vulnerable to a directory traversal issue, g ...) NOT-FOR-US: citypredict.whauwiller CVE-2017-16103 (serveryztyzt is a simple http server. serveryztyzt is vulnerable to a ...) NOT-FOR-US: serveryztyzt CVE-2017-16102 (serverhuwenhui is a simple http server. serverhuwenhui is vulnerable t ...) NOT-FOR-US: serverhuwenhui CVE-2017-16101 (serverwg is a simple http server. serverwg is vulnerable to a director ...) NOT-FOR-US: serverwg CVE-2017-16100 (dns-sync is a sync/blocking dns resolver. If untrusted user input is a ...) NOT-FOR-US: dns-sync CVE-2017-16099 (The no-case module is vulnerable to regular expression denial of servi ...) NOT-FOR-US: no-case CVE-2017-16098 (charset 1.0.0 and below are vulnerable to regular expression denial of ...) NOT-FOR-US: charset CVE-2017-16097 (tiny-http is a simple http server. tiny-http is vulnerable to a direct ...) 
NOT-FOR-US: tiny-http CVE-2017-16096 (serveryaozeyan is a simple HTTP server. serveryaozeyan is vulnerable t ...) NOT-FOR-US: serveryaozeyan CVE-2017-16095 (serverliujiayi1 is a simple http server. serverliujiayi1 is vulnerable ...) NOT-FOR-US: serverliujiayi1 CVE-2017-16094 (iter-http is a server for static files. iter-http is vulnerable to a d ...) NOT-FOR-US: iter-http CVE-2017-16093 (cyber-js is a simple http server. A cyberjs server is vulnerable to a ...) NOT-FOR-US: cyber-js CVE-2017-16092 (Sencisho is a simple http server for local development. Sencisho is vu ...) NOT-FOR-US: Sencisho CVE-2017-16091 (xtalk helps your browser talk to nodex, a simple web framework. xtalk ...) NOT-FOR-US: xtalk (not the chat client) CVE-2017-16090 (fsk-server is a simple http server. fsk-server is vulnerable to a dire ...) NOT-FOR-US: fsk-server CVE-2017-16089 (serverlyr is a simple http server. serverlyr is vulnerable to a direct ...) NOT-FOR-US: serverlyr CVE-2017-16088 (The safe-eval module describes itself as a safer version of eval. By a ...) NOT-FOR-US: safe-eval CVE-2017-16087 RESERVED CVE-2017-16086 (ua-parser is a port of Browserscope's user agent parser. ua-parser is ...) NOT-FOR-US: ua-parser CVE-2017-16085 (tinyserver2 is a webserver for static files. tinyserver2 is vulnerable ...) NOT-FOR-US: tinyserver2 CVE-2017-16084 (list-n-stream is a server for static files to list and stream local vi ...) NOT-FOR-US: list-n-stream CVE-2017-16083 (node-simple-router is a minimalistic router for Node. node-simple-rout ...) NOT-FOR-US: node-simple-router CVE-2017-16082 (A remote code execution vulnerability was found within the pg module w ...) - node-postgres 7.7.1-1 (unimportant) NOTE: https://nodesecurity.io/advisories/521 NOTE: nodejs not covered by security support CVE-2017-16081 (cross-env.js was a malicious module published with the intent to hijac ...) 
NOT-FOR-US: malicious node module CVE-2017-16080 (nodesass was a malicious module published with the intent to hijack en ...) NOT-FOR-US: malicious node module CVE-2017-16079 (smb was a malicious module published with the intent to hijack environ ...) NOT-FOR-US: malicious node module CVE-2017-16078 (shadowsock was a malicious module published with the intent to hijack ...) NOT-FOR-US: malicious node module CVE-2017-16077 (mongose was a malicious module published with the intent to hijack env ...) NOT-FOR-US: malicious node module CVE-2017-16076 (proxy.js was a malicious module published with the intent to hijack en ...) NOT-FOR-US: malicious node module CVE-2017-16075 (http-proxy.js was a malicious module published with the intent to hija ...) NOT-FOR-US: malicious node module CVE-2017-16074 (crossenv was a malicious module published with the intent to hijack en ...) NOT-FOR-US: malicious node module CVE-2017-16073 (noderequest was a malicious module published with the intent to hijack ...) NOT-FOR-US: malicious node module CVE-2017-16072 (nodemailer.js was a malicious module published with the intent to hija ...) NOT-FOR-US: malicious node module CVE-2017-16071 (nodemailer-js was a malicious module published with the intent to hija ...) NOT-FOR-US: malicious node module CVE-2017-16070 (nodecaffe was a malicious module published with the intent to hijack e ...) NOT-FOR-US: malicious node module CVE-2017-16069 (nodeffmpeg was a malicious module published with the intent to hijack ...) NOT-FOR-US: malicious node module CVE-2017-16068 (ffmepg was a malicious module published with the intent to hijack envi ...) NOT-FOR-US: malicious node module CVE-2017-16067 (node-opencv was a malicious module published with the intent to hijack ...) NOT-FOR-US: malicious node module CVE-2017-16066 (opencv.js was a malicious module published with the intent to hijack e ...) 
NOT-FOR-US: malicious node module CVE-2017-16065 (openssl.js was a malicious module published with the intent to hijack ...) NOT-FOR-US: malicious node module CVE-2017-16064 (node-openssl was a malicious module published with the intent to hijac ...) NOT-FOR-US: malicious node module CVE-2017-16063 (node-opensl was a malicious module published with the intent to hijack ...) NOT-FOR-US: malicious node module CVE-2017-16062 (node-tkinter was a malicious module published with the intent to hijac ...) NOT-FOR-US: malicious node module CVE-2017-16061 (tkinter was a malicious module published with the intent to hijack env ...) NOT-FOR-US: malicious node module CVE-2017-16060 (babelcli was a malicious module published with the intent to hijack en ...) NOT-FOR-US: malicious node module CVE-2017-16059 (mssql-node was a malicious module published with the intent to hijack ...) NOT-FOR-US: malicious node module CVE-2017-16058 (gruntcli was a malicious module published with the intent to hijack en ...) NOT-FOR-US: malicious node module CVE-2017-16057 (nodemssql was a malicious module published with the intent to hijack e ...) NOT-FOR-US: malicious node module CVE-2017-16056 (mssql.js was a malicious module published with the intent to hijack en ...) NOT-FOR-US: malicious node module CVE-2017-16055 (`sqlserver` was a malicious module published with the intent to hijack ...) NOT-FOR-US: malicious node module CVE-2017-16054 (`nodefabric` was a malicious module published with the intent to hijac ...) NOT-FOR-US: malicious node module CVE-2017-16053 (`fabric-js` was a malicious module published with the intent to hijack ...) NOT-FOR-US: malicious node module CVE-2017-16052 (`node-fabric` was a malicious module published with the intent to hija ...) NOT-FOR-US: malicious node module CVE-2017-16051 (`sqliter` was a malicious module published with the intent to hijack e ...) 
NOT-FOR-US: malicious node module CVE-2017-16050 (`sqlite.js` was a malicious module published with the intent to hijack ...) NOT-FOR-US: malicious node module CVE-2017-16049 (`nodesqlite` was a malicious module published with the intent to hijac ...) NOT-FOR-US: malicious node module CVE-2017-16048 (`node-sqlite` was a malicious module published with the intent to hija ...) NOT-FOR-US: malicious node module CVE-2017-16047 (mysqljs was a malicious module published with the intent to hijack env ...) NOT-FOR-US: malicious node module CVE-2017-16046 (`mariadb` was a malicious module published with the intent to hijack e ...) NOT-FOR-US: malicious node module CVE-2017-16045 (`jquery.js` was a malicious module published with the intent to hijack ...) NOT-FOR-US: malicious node module CVE-2017-16044 (`d3.js` was a malicious module published with the intent to hijack env ...) NOT-FOR-US: malicious node module CVE-2017-16043 (Shout is an IRC client. Because the `/topic` command in messages is un ...) NOT-FOR-US: Shout CVE-2017-16042 (Growl adds growl notification support to nodejs. Growl before 1.10.2 d ...) - node-growl 1.10.5-1 (unimportant; bug #900868) [stretch] - node-growl 1.7.0-1+deb9u1 NOTE: Issue: https://github.com/tj/node-growl/issues/60 NOTE: https://github.com/tj/node-growl/pull/61 NOTE: https://nodesecurity.io/advisories/146 NOTE: nodejs not covered by security support CVE-2017-16041 (ikst versions before 1.1.2 download resources over HTTP, which leaves ...) NOT-FOR-US: ikst CVE-2017-16040 (gfe-sass is a library for promises (CommonJS/Promises/A,B,D) gfe-sass ...) NOT-FOR-US: gfe-sass CVE-2017-16039 (`hftp` is a static http or ftp server `hftp` is vulnerable to a direct ...) NOT-FOR-US: hftp CVE-2017-16038 (`f2e-server` 1.12.11 and earlier is vulnerable to a directory traversa ...) NOT-FOR-US: f2e-server CVE-2017-16037 (`gomeplus-h5-proxy` is vulnerable to a directory traversal issue, allo ...) 
NOT-FOR-US: gomeplus-h5-proxy CVE-2017-16036 (`badjs-sourcemap-server` receives files sent by `badjs-sourcemap`. `ba ...) NOT-FOR-US: badjs-sourcemap-server CVE-2017-16035 (The hubl-server module is a wrapper for the HubL Development Server. D ...) NOT-FOR-US: hubl-server CVE-2017-16034 RESERVED CVE-2017-16033 RESERVED CVE-2017-16032 RESERVED CVE-2017-16031 (Socket.io is a realtime application framework that provides communicat ...) NOT-FOR-US: Socket.io CVE-2017-16030 (Useragent is used to parse useragent headers. It uses several regular ...) NOT-FOR-US: useragent nodejs module CVE-2017-16029 (hostr is a simple web server that serves up the contents of the curren ...) NOT-FOR-US: hostr CVE-2017-16028 (react-native-meteor-oauth is a library for Oauth2 login to a Meteor se ...) NOT-FOR-US: react-native-meteor-oauth CVE-2017-16027 RESERVED CVE-2017-16026 (Request is an http client. If a request is made using ```multipart```, ...) - node-request 2.88.1-1 (bug #901708) [stretch] - node-request (Nodejs in stretch not covered by security support) [jessie] - node-request (Nodejs in jessie not covered by security support) NOTE: https://github.com/request/request/issues/1904 NOTE: https://nodesecurity.io/advisories/309 NOTE: https://github.com/request/request/pull/2018 CVE-2017-16025 (Nes is a websocket extension library for hapi. Hapi is a webserver fra ...) NOT-FOR-US: Nes CVE-2017-16024 (The sync-exec module is used to simulate child_process.execSync in nod ...) NOT-FOR-US: sync-exec CVE-2017-16023 (Decamelize is used to convert a dash/dot/underscore/space separated st ...) - node-decamelize (Fixed before initial upload to Debian) NOTE: https://github.com/sindresorhus/decamelize/issues/5 NOTE: https://github.com/sindresorhus/decamelize/commit/76d47d8de360afb574da2e34db87430ce11094e0 NOTE: nodejs not covered by security support CVE-2017-16022 (Morris.js creates an svg graph, with labels that appear when hovering ...) 
NOT-FOR-US: Morris.js CVE-2017-16021 (uri-js is a module that tries to fully implement RFC 3986. One of thes ...) NOT-FOR-US: uri-js nodejs module CVE-2017-16020 (Summit is a node web framework. When using the PouchDB driver in the m ...) NOT-FOR-US: Summit CVE-2017-16019 (GitBook is a command line tool (and Node.js library) for building beau ...) NOT-FOR-US: GitBook CVE-2017-16018 (Restify is a framework for building REST APIs. Restify >=2.0.0 < ...) NOT-FOR-US: Restify CVE-2017-16017 (sanitize-html is a library for scrubbing html input for malicious valu ...) NOT-FOR-US: sanitize-html CVE-2017-16016 (Sanitize-html is a library for scrubbing html input of malicious value ...) NOT-FOR-US: sanitize-html CVE-2017-16015 (Forms is a library for easily creating HTML forms. Versions before 1.3 ...) NOT-FOR-US: Forms CVE-2017-16014 (Http-proxy is a proxying library. Because of the way errors are handle ...) - node-http-proxy (bug #896978) NOTE: https://nodesecurity.io/advisories/323 NOTE: https://github.com/nodejitsu/node-http-proxy/pull/101 CVE-2017-16013 (hapi is a web and services application framework. When hapi >= 15.0 ...) NOT-FOR-US: hapi CVE-2017-16012 REJECTED CVE-2017-16011 REJECTED CVE-2017-16010 (i18next is a language translation framework. When using the .init meth ...) - libjs-i18next (unimportant) NOTE: https://github.com/i18next/i18next/pull/826 NOTE: https://nodesecurity.io/advisories/326 NOTE: nodejs not covered by security support CVE-2017-16009 (ag-grid is an advanced data grid that is library agnostic. ag-grid is ...) NOT-FOR-US: ag-grid CVE-2017-16008 (i18next is a language translation framework. Because of how the interp ...) NOT-FOR-US: i18next CVE-2017-16007 (node-jose is a JavaScript implementation of the JSON Object Signing an ...) NOT-FOR-US: node-jose CVE-2017-16006 (Remarkable is a markdown parser. In versions 1.6.2 and lower, remarkab ...) 
NOT-FOR-US: Remarkable CVE-2017-16005 (Http-signature is a "Reference implementation of Joyent's HTTP Signatu ...) - node-http-signature (Fixed before initial upload to Debian) NOTE: https://github.com/joyent/node-http-signature/issues/10 NOTE: https://nodesecurity.io/advisories/318 NOTE: nodejs not covered by security support CVE-2017-16004 RESERVED CVE-2017-16003 (windows-build-tools is a module for installing C++ Build Tools for Win ...) NOT-FOR-US: windows-build-tools CVE-2017-16002 RESERVED CVE-2017-16001 (In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) ...) NOT-FOR-US: VMware CVE-2017-16000 (SQL injection vulnerability in the EyesOfNetwork web interface (aka eo ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-15999 (In the "NQ Contacts Backup & Restore" application 1.1 for Android, ...) NOT-FOR-US: Contacts Backup & Restore CVE-2017-15998 (In the "NQ Contacts Backup & Restore" application 1.1 for Android, ...) NOT-FOR-US: Contacts Backup & Restore CVE-2017-15997 (In the "NQ Contacts Backup & Restore" application 1.1 for Android, ...) NOT-FOR-US: Contacts Backup & Restore CVE-2017-15996 (elfcomm.c in readelf in GNU Binutils 2.29 allows remote attackers to c ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22361 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d91f0b20e561e326ee91a09a76206257bde8438b CVE-2017-15995 RESERVED CVE-2017-15994 (rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums ...) 
- rsync (Problematic code to allow checksum choice only introduced after 3.1.2 release) NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=7b8a4ecd6ff9cdf4e5d3850ebf822f1e989255b3 NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=9a480deec4d20277d8e20bc55515ef0640ca1e55 NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=c252546ceeb0925eb8a4061315e3ff0a8c55b48b NOTE: And possibly the following two commits on top: NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=bc112b0e7feece62ce98708092306639a8a53cce NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=416e719bea4f5466c8dd2b34cac0059b6ff84ff3 NOTE: The following commit introduced special handling of archaic versions / handling of NOTE: --checksum-choice option to choose the checksum algorithms: NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=a5a7d3a297b836387b0ac677383bdddaf2ac3598 CVE-2017-15993 (Zomato Clone Script allows SQL Injection via the restaurant-menu.php r ...) NOT-FOR-US: Zomato Clone Script CVE-2017-15992 (Website Broker Script allows SQL Injection via the 'status_id' Paramet ...) NOT-FOR-US: Website Broker Script CVE-2017-15991 (Vastal I-Tech Agent Zone (aka The Real Estate Script) allows SQL Injec ...) NOT-FOR-US: Vastal I-Tech Agent Zone CVE-2017-15990 (Php Inventory & Invoice Management System allows Arbitrary File Up ...) NOT-FOR-US: Php Inventory & Invoice Management System CVE-2017-15989 (Online Exam Test Application allows SQL Injection via the resources.ph ...) NOT-FOR-US: Online Exam Test Application CVE-2017-15988 (Nice PHP FAQ Script allows SQL Injection via the index.php nice_theme ...) NOT-FOR-US: PHP FAQ Script CVE-2017-15987 (Fake Magazine Cover Script allows SQL Injection via the rate.php value ...) NOT-FOR-US: Fake Magazine Cover Script CVE-2017-15986 (CPA Lead Reward Script allows SQL Injection via the username parameter ...) NOT-FOR-US: CPA Lead Reward Script CVE-2017-15985 (Basic B2B Script allows SQL Injection via the product_view1.php pid or ...) 
NOT-FOR-US: Basic B2B Script CVE-2017-15984 (Creative Management System (CMS) Lite 1.4 allows SQL Injection via the ...) NOT-FOR-US: Creative Management System (CMS) Lite CVE-2017-15983 (MyMagazine Magazine & Blog CMS 1.0 allows SQL Injection via the id ...) NOT-FOR-US: MyMagazine Magazine & Blog CMS CVE-2017-15982 (Dynamic News Magazine & Blog CMS 1.0 allows SQL Injection via the ...) NOT-FOR-US: Dynamic News Magazine & Blog CMS CVE-2017-15981 (Responsive Newspaper Magazine & Blog CMS 1.0 allows SQL Injection ...) NOT-FOR-US: Responsive Newspaper Magazine & Blog CMS CVE-2017-15980 (US Zip Codes Database Script 1.0 allows SQL Injection via the state pa ...) NOT-FOR-US: US Zip Codes Database Script CVE-2017-15979 (Shareet - Photo Sharing Social Network 1.0 allows SQL Injection via th ...) NOT-FOR-US: Shareet - Photo Sharing Social Network CVE-2017-15978 (AROX School ERP PHP Script 1.0 allows SQL Injection via the office_adm ...) NOT-FOR-US: AROX School ERP PHP Script CVE-2017-15977 (Protected Links - Expiring Download Links 1.0 allows SQL Injection via ...) NOT-FOR-US: Protected Links - Expiring Download Links CVE-2017-15976 (ZeeBuddy 2x allows SQL Injection via the admin/editadgroup.php groupid ...) NOT-FOR-US: ZeeBuddy CVE-2017-15975 (Vastal I-Tech Dating Zone 0.9.9 allows SQL Injection via the 'product_ ...) NOT-FOR-US: Vastal I-Tech Dating Zone CVE-2017-15974 (tPanel 2009 allows SQL injection for Authentication Bypass via 'or 1=1 ...) NOT-FOR-US: tPanel CVE-2017-15973 (Sokial Social Network Script 1.0 allows SQL Injection via the id param ...) NOT-FOR-US: Sokial Social Network Script CVE-2017-15972 (SoftDatepro Dating Social Network 1.3 allows SQL Injection via the vie ...) NOT-FOR-US: SoftDatepro Dating Social Network CVE-2017-15971 (Same Sex Dating Software Pro 1.0 allows SQL Injection via the viewprof ...) NOT-FOR-US: Same Sex Dating Software Pro CVE-2017-15970 (PHP CityPortal 2.0 allows SQL Injection via the nid parameter to index ...) 
NOT-FOR-US: PHP CityPortal CVE-2017-15969 (PG All Share Video 1.0 allows SQL Injection via the PATH_INFO to searc ...) NOT-FOR-US: PG All Share Video CVE-2017-15968 (MyBuilder Clone 1.0 allows SQL Injection via the phpsqlsearch_genxml.p ...) NOT-FOR-US: MyBuilder Clone CVE-2017-15967 (Mailing List Manager Pro 3.0 allows SQL Injection via the edit paramet ...) NOT-FOR-US: Mailing List Manager Pro CVE-2017-15966 (The Zh YandexMap (aka com_zhyandexmap) component 6.1.1.0 for Joomla! a ...) NOT-FOR-US: Zh YandexMap CVE-2017-15965 (The NS Download Shop (aka com_ns_downloadshop) component 2.2.6 for Joo ...) NOT-FOR-US: NS Download Shop CVE-2017-15964 (Job Board Script Software allows SQL Injection via the PATH_INFO to a ...) NOT-FOR-US: Job Board Script Software CVE-2017-15963 (iTech Gigs Script 1.21 allows SQL Injection via the browse-scategory.p ...) NOT-FOR-US: iTech Gigs Script CVE-2017-15962 (iStock Management System 1.0 allows Arbitrary File Upload via user/pro ...) NOT-FOR-US: iStock Management System CVE-2017-15961 (iProject Management System 1.0 allows SQL Injection via the ID paramet ...) NOT-FOR-US: iProject Management System CVE-2017-15960 (Article Directory Script 3.0 allows SQL Injection via the id parameter ...) NOT-FOR-US: Article Directory Script CVE-2017-15959 (Adult Script Pro 2.2.4 allows SQL Injection via the PATH_INFO to a /do ...) NOT-FOR-US: Adult Script Pro CVE-2017-15958 (D-Park Pro Domain Parking Script 1.0 allows SQL Injection via the user ...) NOT-FOR-US: D-Park Pro Domain Parking Script CVE-2017-15957 (my_profile.php in Ingenious School Management System 2.3.0 allows a st ...) NOT-FOR-US: Ingenious School Management System CVE-2017-15956 (ConverTo Video Downloader & Converter 1.4.1 allows Arbitrary File ...) NOT-FOR-US: ConverTo Video Downloader CVE-2017-15955 (bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable to an "Ac ...) 
{DSA-4026-1 DLA-1158-1} - bchunk 1.2.0-12.1 (bug #880116) NOTE: https://github.com/extramaster/bchunk/issues/4 CVE-2017-15954 (bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable to a heap ...) {DSA-4026-1 DLA-1158-1} - bchunk 1.2.0-12.1 (bug #880116) NOTE: https://github.com/extramaster/bchunk/issues/3 CVE-2017-15953 (bchunk (related to BinChunker) 1.2.0 and 1.2.1 is vulnerable to a heap ...) {DSA-4026-1 DLA-1158-1} - bchunk 1.2.0-12.1 (bug #880116) NOTE: https://github.com/extramaster/bchunk/issues/2 CVE-2017-15952 RESERVED CVE-2017-15951 (The KEYS subsystem in the Linux kernel before 4.13.10 does not correct ...) - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/363b02dab09b3226f3bd1420dad9c72b79a42a76 (v4.14-rc6) CVE-2017-15950 (Flexense SyncBreeze Enterprise version 10.1.16 is vulnerable to a buff ...) NOT-FOR-US: Flexense SyncBreeze CVE-2017-15949 (Xavier PHP Management Panel 2.4 allows SQL injection via the usertoedi ...) NOT-FOR-US: Xavier PHP Management Panel CVE-2017-15948 (Perch Content Management System 3.0.3 allows unrestricted file upload ...) NOT-FOR-US: Perch Content Management System CVE-2017-15947 (Simple ASC Content Management System v1.2 has XSS in the location fiel ...) NOT-FOR-US: Simple ASC Content Management CVE-2017-15946 (In the com_tag component 1.7.6 for Joomla!, a SQL injection vulnerabil ...) NOT-FOR-US: Joomla addon CVE-2017-15945 (The installation scripts in the Gentoo dev-db/mysql, dev-db/mariadb, d ...) NOT-FOR-US: Gentoo installation scripts CVE-2017-15944 (Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x be ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-15943 (The configuration file import for applications, spyware and vulnerabil ...) 
NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-15942 (Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x be ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-15941 (Cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-15940 (The web interface packet capture management component in Palo Alto Net ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-15939 (dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as ...) - binutils (Incomplete fix not applied) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22205 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a54018b72d75abf2e74bf36016702da06399c1d9 NOTE: https://blogs.gentoo.org/ago/2017/10/24/binutils-null-pointer-dereference-in-concat_filename-dwarf2-c-incomplete-fix-for-cve-2017-15023/ CVE-2017-15938 (dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22209 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1b86808a86077722ee4f42ff97f836b12420bb2a NOTE: https://blogs.gentoo.org/ago/2017/10/24/binutils-invalid-memory-read-in-find_abstract_instance_name-dwarf2-c/ CVE-2017-15937 (Artica Pandora FMS version 7.0 leaks a full installation pathname via ...) NOT-FOR-US: Artica Pandora FMS CVE-2017-15936 (In Artica Pandora FMS version 7.0, an Attacker with write Permission c ...) NOT-FOR-US: Artica Pandora FMS CVE-2017-15935 (Artica Pandora FMS version 7.0 is vulnerable to remote PHP code execut ...) NOT-FOR-US: Artica Pandora FMS CVE-2017-15934 (Artica Pandora FMS version 7.0 is vulnerable to stored Cross-Site Scri ...) 
NOT-FOR-US: Artica Pandora FMS CVE-2017-15933 (SQL injection vulnerability vulnerability in the EyesOfNetwork web int ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-15932 (In radare2 2.0.1, an integer exception (negative number leading to an ...) - radare2 2.1.0+dfsg-1 (bug #880024) [jessie] - radare2 (Vulnerable code introduced in 0.10.2) [wheezy] - radare2 (Vulnerable code introduced in 0.10.2) NOTE: https://github.com/radare/radare2/commit/44ded3ff35b8264f54b5a900cab32ec489d9e5b9 NOTE: https://github.com/radare/radare2/issues/8743 CVE-2017-15931 (In radare2 2.0.1, an integer exception (negative number leading to an ...) - radare2 2.1.0+dfsg-1 (bug #880025) [jessie] - radare2 (Vulnerable code introduced in 0.10.2) [wheezy] - radare2 (Vulnerable code introduced in 0.10.2) NOTE: https://github.com/radare/radare2/commit/c6d0076c924891ad9948a62d89d0bcdaf965f0cd NOTE: https://github.com/radare/radare2/issues/8731 CVE-2017-15930 (In ReadOneJNGImage in coders/png.c in GraphicsMagick 1.3.26, a Null Po ...) {DSA-4321-1 DLA-1456-1 DLA-1154-1} - graphicsmagick 1.3.26-16 (bug #879999) NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=6fc54b6d2be8 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=da135eaedc3b NOTE: https://sourceforge.net/p/graphicsmagick/bugs/518/ CVE-2017-15929 RESERVED CVE-2017-15928 (In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation ...) - ruby-ox 2.8.2-1 (bug #881445) [stretch] - ruby-ox 2.1.1-2+deb9u1 [jessie] - ruby-ox 2.1.1-2+deb8u1 NOTE: https://github.com/ohler55/ox/issues/194 NOTE: https://github.com/ohler55/ox/commit/e4565dbc167f0d38c3f93243d7a4fcfc391cbfc8 CVE-2017-15927 RESERVED CVE-2017-15926 RESERVED CVE-2017-15925 RESERVED CVE-2017-15923 (Konversation 1.4.x, 1.5.x, 1.6.x, and 1.7.x before 1.7.3 allow remote ...) 
{DSA-4033-1 DLA-1174-1} - konversation 1.7.3-1 (bug #881586) NOTE: https://github.com/KDE/konversation/commit/6a7f59ee1b9dbc6e5cf9e5f3b306504d02b73ef0 CVE-2017-15922 (In GNU Libextractor 1.4, there is an out-of-bounds read in the EXTRACT ...) {DLA-1198-1} - libextractor 1:1.6-2 (low; bug #880016) [stretch] - libextractor 1:1.3-4+deb9u1 [jessie] - libextractor 1:1.3-2+deb8u1 NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00008.html NOTE: Fixed by: https://git.gnunet.org/libextractor.git/commit/?id=d4d488b0e5ab13dda241d688d87a07816368f117 CVE-2017-15921 (In Watchdog Anti-Malware 2.74.186.150 and Online Security Pro 2.74.186 ...) NOT-FOR-US: Watchdog Anti-Malware CVE-2017-15920 (In Watchdog Anti-Malware 2.74.186.150 and Online Security Pro 2.74.186 ...) NOT-FOR-US: Watchdog Anti-Malware CVE-2017-15918 (Sera 1.2 stores the user's login password in plain text in their home ...) NOT-FOR-US: Sera CVE-2017-15917 (In Paessler PRTG Network Monitor 17.3.33.2830, it's possible to create ...) NOT-FOR-US: Paessler PRTG Network Monitor CVE-2017-15908 (In systemd 223 through 235, a remote DNS server can respond with a cus ...) - systemd 235-3 (bug #880026) [stretch] - systemd 232-25+deb9u2 [jessie] - systemd (Vulnerable code introduced later) [wheezy] - systemd (Vulnerable code introduced later) NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1725351 NOTE: https://github.com/systemd/systemd/pull/7184 NOTE: Fix: https://github.com/systemd/systemd/commit/9f939335a07085aa9a9663efd1dca06ef6405d62 CVE-2017-15919 (The ultimate-form-builder-lite plugin before 1.3.7 for WordPress has S ...) NOT-FOR-US: WordPress plugin ultimate-form-builder-lite CVE-2017-15916 RESERVED CVE-2017-15915 RESERVED CVE-2017-15914 (Incorrect implementation of access controls allows remote users to ove ...) 
- borgbackup 1.1.3-1 [stretch] - borgbackup (Only affects 1.1.0, 1.1.1 and 1.1.2 releases) NOTE: https://borgbackup.readthedocs.io/en/stable/changes.html#version-1-1-3-2017-11-27 CVE-2017-15913 (The Installer in Whale allows DLL hijacking. ...) NOT-FOR-US: Installer in Whale CVE-2017-15912 RESERVED CVE-2017-15911 (The Admin Console in Ignite Realtime Openfire Server before 4.1.7 allo ...) NOT-FOR-US: Ignite Realtime Openfire Server CVE-2017-15910 RESERVED CVE-2017-15909 (D-Link DGS-1500 Ax devices before 2.51B021 have a hardcoded password, ...) NOT-FOR-US: D-Link CVE-2017-15907 (SQL injection vulnerability in phpCollab 2.5.1 and earlier allows remo ...) NOT-FOR-US: phpCollab CVE-2017-15906 (The process_open function in sftp-server.c in OpenSSH before 7.6 does ...) {DLA-1500-1} - openssh 1:7.6p1-1 (low) [stretch] - openssh 1:7.4p1-10+deb9u3 [wheezy] - openssh (Minor issue) NOTE: https://github.com/openbsd/src/commit/a6981567e8e215acc1ef690c8dbb30f2d9b00a19 CVE-2017-15905 RESERVED CVE-2017-15904 RESERVED CVE-2017-15903 RESERVED CVE-2017-15902 RESERVED CVE-2017-15901 RESERVED CVE-2017-15900 RESERVED CVE-2017-15899 RESERVED CVE-2017-15898 RESERVED CVE-2017-15897 (Node.js had a bug in versions 8.X and 9.X which caused buffers to not ...) - nodejs (Only affects 8.x and 9.x) CVE-2017-15896 (Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards ...) - nodejs (HTTP2 module only in 8.x and 9.x and Debian package uses the system copy of OpenSSL) CVE-2017-15895 (Directory traversal vulnerability in the SYNO.FileStation.Extract in S ...) NOT-FOR-US: Synology Router Manager CVE-2017-15894 (Directory traversal vulnerability in the SYNO.FileStation.Extract in S ...) NOT-FOR-US: Synology DiskStation Manager CVE-2017-15893 (Directory traversal vulnerability in the SYNO.FileStation.Extract in S ...) NOT-FOR-US: Synology File Station CVE-2017-15892 (Multiple cross-site scripting (XSS) vulnerabilities in Slash Command C ...) 
NOT-FOR-US: Synology Chat CVE-2017-15891 (Improper access control vulnerability in SYNO.Cal.EventBase in Synolog ...) NOT-FOR-US: Synology Calendar CVE-2017-15890 (Cross-site scripting (XSS) vulnerability in Disclaimer in Synology Mai ...) NOT-FOR-US: Synology CVE-2017-15889 (Command injection vulnerability in smart.cgi in Synology DiskStation M ...) NOT-FOR-US: Synology DiskStation Manager CVE-2017-15888 (Cross-site scripting (XSS) vulnerability in Custom Internet Radio List ...) NOT-FOR-US: Synology CVE-2017-15887 (An improper restriction of excessive authentication attempts vulnerabi ...) NOT-FOR-US: Synology CVE-2017-15886 (Server-side request forgery (SSRF) vulnerability in Link Preview in Sy ...) NOT-FOR-US: Synology Chat CVE-2017-15885 (Reflected XSS in the web administration portal on the Axis 2100 Networ ...) NOT-FOR-US: Axis CVE-2017-15884 (In HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) ...) NOT-FOR-US: HashiCorp Vagrant VMware Fusion plugin CVE-2017-15883 (Sitefinity 5.1, 5.2, 5.3, 5.4, 6.x, 7.x, 8.x, 9.x, and 10.x allow remo ...) NOT-FOR-US: Sitefinity CVE-2017-15882 (The London Trust Media Private Internet Access (PIA) application befor ...) NOT-FOR-US: London Trust Media Private Internet Access (PIA) application CVE-2017-15881 (Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 a ...) NOT-FOR-US: KeystoneJS CVE-2017-15880 (SQL injection vulnerability vulnerability in the EyesOfNetwork web int ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-15879 (CSV Injection (aka Excel Macro Injection or Formula Injection) exists ...) NOT-FOR-US: KeystoneJS CVE-2017-15878 (A cross-site scripting (XSS) vulnerability exists in fields/types/mark ...) NOT-FOR-US: KeystoneJS CVE-2017-15877 (Insecure Permissions vulnerability in db.php file in GPWeb 8.4.61 allo ...) NOT-FOR-US: GPWeb CVE-2017-15876 (Unrestricted File Upload vulnerability in GPWeb 8.4.61 allows remote a ...) 
NOT-FOR-US: GPWeb CVE-2017-15875 (SQL injection vulnerability in Password Recovery in GPWeb 8.4.61 allow ...) NOT-FOR-US: GPWeb CVE-2017-15874 (archival/libarchive/decompress_unlzma.c in BusyBox 1.27.2 has an Integ ...) - busybox 1:1.27.2-2 (bug #879732) [stretch] - busybox (Vulnerable code not present) [jessie] - busybox (Vulnerable code not present) [wheezy] - busybox (Vulnerable code not present) NOTE: https://bugs.busybox.net/show_bug.cgi?id=10436 NOTE: Introduced in: https://git.busybox.net/busybox/commit/?id=3989e5adf454a3ab98412b249c2c9bd2a3175ae0 NOTE: Fixed by: https://git.busybox.net/busybox/commit/?id=9ac42c500586fa5f10a1f6d22c3f797df11b1f6b CVE-2017-15873 (The get_next_block function in archival/libarchive/decompress_bunzip2. ...) {DLA-2559-1 DLA-1445-1} - busybox 1:1.27.2-2 (bug #879732) [wheezy] - busybox (Minor issue) NOTE: Fixed by: https://git.busybox.net/busybox/commit/?id=0402cb32df015d9372578e3db27db47b33d5c7b0 NOTE: https://bugs.busybox.net/show_bug.cgi?id=10431 CVE-2017-15872 (phpwcms 1.8.9 has XSS in include/inc_tmpl/admin.edituser.tmpl.php and ...) NOT-FOR-US: phpwcms CVE-2017-15871 (** DISPUTED ** The deserialize function in serialize-to-js through 1.1 ...) NOT-FOR-US: Disputed serialize-to-js issue CVE-2017-15870 (Palo Alto Networks GlobalProtect Agent before 4.0.3 allows attackers w ...) NOT-FOR-US: Palo Alto Networks GlobalProtect Agent CVE-2017-15869 (Cross-site scripting (XSS) vulnerability in knowledgebase.php in LiveZ ...) NOT-FOR-US: LiveZilla CVE-2017-15868 (The bnep_add_connection function in net/bluetooth/bnep/core.c in the L ...) {DSA-4082-1 DLA-1200-1} - linux 4.0.2-1 NOTE: Fixed by: https://git.kernel.org/linus/71bb99a02b32b4cc4265118e85f6035ca72923f0 (v3.19-rc3) CVE-2017-15867 (Multiple cross-site scripting (XSS) vulnerabilities in the user-login- ...) NOT-FOR-US: user-login-history plugin for WordPress CVE-2017-15866 RESERVED CVE-2017-15865 (bgpd in FRRouting (FRR) before 2.0.2 and 3.x before 3.0.2, as used in ...) 
- frr (Fixed before initial upload) CVE-2017-15864 (In the Agent Frontend in Open Ticket Request System (OTRS) 3.3.x throu ...) {DLA-1212-1} - otrs2 4.0.7-2 [jessie] - otrs2 3.3.18-1+deb8u2 NOTE: https://www.otrs.com/security-advisory-2017-06-security-update-otrs-3-3/ NOTE: https://github.com/OTRS/otrs/compare/3bc58ebeb9bdbe8107251a03cf7b9b8cfc515f53...80a0a9a138278d63a2621d146eb3c29e982aa2d5 NOTE: Root cause for the issue is the recursive parsing handling in the old NOTE: DTL template engine that OTRS used up to OTRS 3.3. Starting with OTRS 4 NOTE: OTRS switched to a new Template::Toolkit based engine which does not perform NOTE: recursive parsing and is not affected by this issue. CVE-2017-15863 (Cross Site Scripting (XSS) exists in the wp-noexternallinks plugin bef ...) NOT-FOR-US: WordPress plugin wp-noexternallinks CVE-2017-15862 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15861 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15860 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15859 (While processing the QCA_NL80211_VENDOR_SUBCMD_SET_TXPOWER_SCALE_DECR_ ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15858 RESERVED CVE-2017-15857 (In the camera driver, an out-of-bounds access can occur due to an erro ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15856 (Due to a race condition while processing the power stats debug file to ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15855 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15854 (The value of fix_param->num_chans is received from firmware and if ...) 
NOT-FOR-US: Qualcomm components for Android CVE-2017-15853 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15852 (Information leak of the ISPIF base address in Android for MSM, Firefox ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15851 (Lack of copy_from_user and information leak in function "msm_ois_subde ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15850 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15849 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15848 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15847 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15846 (In the video_ioctl2() function in the camera driver in Android for MSM ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15845 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15844 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15843 (Due to a race condition in a bus driver, a double free in msm_bus_floo ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15842 (Buffer might get used after it gets freed due to unlocking the mutex b ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15841 (When HOST sends a Special command ID packet, Controller triggers a RAM ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15840 REJECTED CVE-2017-15839 REJECTED CVE-2017-15838 REJECTED CVE-2017-15837 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) 
NOT-FOR-US: Qualcomm components for Android CVE-2017-15836 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15835 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15834 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15833 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15832 RESERVED NOT-FOR-US: Qualcomm components for Android CVE-2017-15831 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15830 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15829 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15828 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15827 RESERVED CVE-2017-15826 (Due to a race condition in MDSS rotator in Android for MSM, Firefox OS ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15825 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15824 (In Android releases from CAF using the linux kernel (Android for MSM, ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15823 (In spectral_create_samp_msg() in Android for MSM, Firefox OS for MSM, ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15822 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15821 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) 
NOT-FOR-US: Qualcomm components for Android CVE-2017-15820 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15819 RESERVED CVE-2017-15818 (In all android releases (Android for MSM, Firefox OS for MSM, QRD Andr ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15817 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-15816 REJECTED CVE-2017-15815 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15814 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-15813 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm closed-source components on Android CVE-2017-15812 (The Easy Appointments plugin before 1.12.0 for WordPress has XSS via a ...) NOT-FOR-US: Wordpress plugin CVE-2017-15811 (The Pootle Button plugin before 1.2.0 for WordPress has XSS via the as ...) NOT-FOR-US: Wordpress plugin CVE-2017-15810 (The PopCash.Net Code Integration Tool plugin before 1.1 for WordPress ...) NOT-FOR-US: Wordpress plugin CVE-2017-15809 (In phpMyFaq before 2.9.9, there is XSS in admin/tags.main.php via a cr ...) NOT-FOR-US: phpMyFaq CVE-2017-15808 (In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php. ...) NOT-FOR-US: phpMyFaq CVE-2017-15807 RESERVED CVE-2017-15806 (The send function in the ezcMailMtaTransport class in Zeta Components ...) NOT-FOR-US: Zeta Components Mail CVE-2017-15805 (Cisco Small Business SA520 and SA540 devices with firmware 2.1.71 and ...) NOT-FOR-US: Cisco CVE-2017-15804 (The glob function in glob.c in the GNU C Library (aka glibc or libc6) ...) 
- glibc 2.25-3 (low; bug #879955) [stretch] - glibc 2.24-11+deb9u4 [jessie] - glibc (Minor issue) - eglibc (low) [wheezy] - eglibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22332 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a159b53fa059947cc2548e3b0d5bdcf7b9630ba8 CVE-2017-15803 (XnView Classic for Windows Version 2.43 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-15802 (XnView Classic for Windows Version 2.43 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-15801 (XnView Classic for Windows Version 2.43 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-15800 REJECTED CVE-2017-15799 REJECTED CVE-2017-15798 REJECTED CVE-2017-15797 REJECTED CVE-2017-15796 REJECTED CVE-2017-15795 REJECTED CVE-2017-15794 REJECTED CVE-2017-15793 REJECTED CVE-2017-15792 REJECTED CVE-2017-15791 REJECTED CVE-2017-15790 REJECTED CVE-2017-15789 (XnView Classic for Windows Version 2.43 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-15788 (XnView Classic for Windows Version 2.43 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-15787 (XnView Classic for Windows Version 2.43 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-15786 (XnView Classic for Windows Version 2.43 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-15785 (XnView Classic for Windows Version 2.43 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-15784 (XnView Classic for Windows Version 2.43 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-15783 (XnView Classic for Windows Version 2.43 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-15782 (XnView Classic for Windows Version 2.43 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-15781 (XnView Classic for Windows Version 2.43 allows attackers to execute ar ...) 
NOT-FOR-US: XnView CVE-2017-15780 (XnView Classic for Windows Version 2.43 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-15779 (XnView Classic for Windows Version 2.43 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-15778 (XnView Classic for Windows Version 2.43 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-15777 (XnView Classic for Windows Version 2.43 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-15776 (XnView Classic for Windows Version 2.43 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-15775 (XnView Classic for Windows Version 2.43 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-15774 (XnView Classic for Windows Version 2.43 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-15773 (XnView Classic for Windows Version 2.43 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-15772 (XnView Classic for Windows Version 2.43 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-15771 REJECTED CVE-2017-15770 REJECTED CVE-2017-15769 (IrfanView 4.50 - 64bit allows attackers to cause a denial of service o ...) NOT-FOR-US: IrfanView CVE-2017-15768 (IrfanView version 4.50 - 64bit allows attackers to cause a denial of s ...) NOT-FOR-US: IrfanView CVE-2017-15767 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15766 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15765 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15764 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15763 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15762 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) 
NOT-FOR-US: IrfanView CVE-2017-15761 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15760 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15759 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15758 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15757 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15756 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15755 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15754 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15753 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15752 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15751 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15750 (IrfanView 4.50 - 64bit with BabaCAD4Image plugin version 1.3 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15749 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15748 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15747 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15746 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15745 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) 
NOT-FOR-US: IrfanView CVE-2017-15744 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15743 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15742 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15741 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15740 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15739 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15738 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15737 (IrfanView 4.50 - 64bit with CADImage plugin version 12.0.0.5 allows at ...) NOT-FOR-US: IrfanView CVE-2017-15736 (Cross-site scripting (XSS) vulnerability (stored) in SPIP before 3.1.7 ...) {DSA-4228-1} - spip 3.1.4-4 (bug #879954) [wheezy] - spip (vulnerable code not present) NOTE: https://core.spip.net/projects/spip/repository/revisions/23701 CVE-2017-15735 (In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) f ...) NOT-FOR-US: phpMyFAQ CVE-2017-15734 (In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) i ...) NOT-FOR-US: phpMyFAQ CVE-2017-15733 (In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) i ...) NOT-FOR-US: phpMyFAQ CVE-2017-15732 (In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) i ...) NOT-FOR-US: phpMyFAQ CVE-2017-15731 (In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) i ...) NOT-FOR-US: phpMyFAQ CVE-2017-15730 (In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) i ...) NOT-FOR-US: phpMyFAQ CVE-2017-15729 (In phpMyFAQ before 2.9.9, there is Cross-Site Request Forgery (CSRF) f ...) 
NOT-FOR-US: phpMyFAQ CVE-2017-15728 (In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) v ...) NOT-FOR-US: phpMyFAQ CVE-2017-15727 (In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) v ...) NOT-FOR-US: phpMyFAQ CVE-2017-15726 RESERVED CVE-2017-15725 (An XML External Entity Injection vulnerability exists in Dzone AnswerH ...) NOT-FOR-US: Dzone AnswerHub CVE-2017-15724 RESERVED CVE-2017-15723 (In Irssi before 1.0.5, overlong nicks or targets may result in a NULL ...) {DSA-4016-1} - irssi 1.0.5-1 (bug #879521) [wheezy] - irssi (Vulnerable code introduced in 0.8.17) NOTE: https://irssi.org/security/irssi_sa_2017_10.txt NOTE: https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1 CVE-2017-15722 (In certain cases, Irssi before 1.0.5 may fail to verify that a Safe ch ...) {DSA-4016-1 DLA-1217-1} - irssi 1.0.5-1 (bug #879521) NOTE: https://irssi.org/security/irssi_sa_2017_10.txt NOTE: https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1 CVE-2017-15721 (In Irssi before 1.0.5, certain incorrectly formatted DCC CTCP messages ...) {DSA-4016-1 DLA-1217-1} - irssi 1.0.5-1 (bug #879521) NOTE: https://irssi.org/security/irssi_sa_2017_10.txt NOTE: https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1 CVE-2017-15720 (In Apache Airflow 1.8.2 and earlier, an authenticated user can execute ...) - airflow (bug #819700) CVE-2017-15719 (In Wicket jQuery UI 6.28.0 and earlier, 7.9.1 and earlier, and 8.0.0-M ...) NOT-FOR-US: Wicket jQuery UI CVE-2017-15718 (The YARN NodeManager in Apache Hadoop 2.7.3 and 2.7.4 can leak the pas ...) - hadoop (bug #793644) CVE-2017-15717 (A flaw in the way URLs are escaped and encoded in the org.apache.sling ...) NOT-FOR-US: Apache Sling CVE-2017-15716 REJECTED CVE-2017-15715 (In Apache httpd 2.4.0 to 2.4.29, the expression specified in <Files ...) 
{DSA-4164-1} - apache2 2.4.33-1 [wheezy] - apache2 (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2018/03/24/6 CVE-2017-15714 (The BIRT plugin in Apache OFBiz 16.11.01 to 16.11.03 does not escape u ...) NOT-FOR-US: BIRT plugin in Apache OFBiz CVE-2017-15713 (Vulnerability in Apache Hadoop 0.23.x, 2.x before 2.7.5, 2.8.x before ...) - hadoop (bug #793644) CVE-2017-15712 (Vulnerability allows a user of Apache Oozie 3.1.3-incubating to 4.3.0 ...) NOT-FOR-US: Apache Oozie CVE-2017-15711 REJECTED CVE-2017-15710 (In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29 ...) {DSA-4164-1 DLA-1389-1} - apache2 2.4.33-1 NOTE: https://www.openwall.com/lists/oss-security/2018/03/24/8 CVE-2017-15709 (When using the OpenWire protocol in ActiveMQ versions 5.14.0 to 5.15.2 ...) - activemq 5.15.3-1 (bug #890352) [stretch] - activemq (Minor issue) [jessie] - activemq (Issue introduced with OpenWire protocol support) [wheezy] - activemq (Issue introduced with OpenWire protocol support) CVE-2017-15708 (In Apache Synapse, by default no authentication is required for Java R ...) NOT-FOR-US: Apache Synapse CVE-2017-15707 (In Apache Struts 2.5 to 2.5.14, the REST Plugin is using an outdated J ...) - libstruts1.2-java (Specific to 2.x) CVE-2017-15706 (As part of the fix for bug 61201, the documentation for Apache Tomcat ...) 
- tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.5.24-1 [stretch] - tomcat8 (Issue introduced later) [jessie] - tomcat8 (Issue introduced later) - tomcat8.0 (unimportant) NOTE: tomcat8.0 builds only tomcat8.0-user and libtomcat8.0-java - tomcat7 (Only affects 7.0.79 to 7.0.82, Upstream bugzilla entry bz#61201 not addressed) NOTE: https://svn.apache.org/r1814828 (7.0.x) NOTE: https://svn.apache.org/r1814827 (8.0.x) NOTE: https://svn.apache.org/r1814826 (8.5.x) NOTE: Introduced by fix for https://bz.apache.org/bugzilla/show_bug.cgi?id=61201 NOTE: https://lists.apache.org/thread.html/e1ef853fc0079cdb55befbd2dac042934e49288b476d5f6a649e5da2@%3Cannounce.tomcat.apache.org%3E CVE-2017-15705 (A denial of service vulnerability was identified that exists in Apache ...) {DLA-1578-1} - spamassassin 3.4.2-1 (bug #908969) [stretch] - spamassassin 3.4.2-1~deb9u1 NOTE: https://www.openwall.com/lists/oss-security/2018/09/16/1 CVE-2017-15704 REJECTED CVE-2017-15703 (Any authenticated user (valid client certificate but without ACL permi ...) NOT-FOR-US: Apache NiFi CVE-2017-15702 (In Apache Qpid Broker-J 0.18 through 0.32, if the broker is configured ...) - qpid-java (bug #840131) CVE-2017-15701 (In Apache Qpid Broker-J versions 6.1.0 through 6.1.4 (inclusive) the b ...) - qpid-java (bug #840131) CVE-2017-15700 (A flaw in the org.apache.sling.auth.core.AuthUtil#isRedirectValid meth ...) NOT-FOR-US: Apache Sling Authentication Service CVE-2017-15699 (A Denial of Service vulnerability was found in Apache Qpid Dispatch Ro ...) - qpid-dispatch (bug #737776) NOTE: https://www.openwall.com/lists/oss-security/2018/02/13/5 CVE-2017-15698 (When parsing the AIA-Extension field of a client certificate, Apache T ...) 
{DSA-4118-1 DLA-1276-1} - tomcat-native 1.2.16-1 NOTE: https://lists.apache.org/thread.html/6eb0a53e5827d97db1a05c736d01101fec21202a5b8fc77bb0eaaed8@%3Cannounce.tomcat.apache.org%3E NOTE: http://svn.apache.org/r1815200 NOTE: http://svn.apache.org/r1815218 NOTE: Affects: 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34 CVE-2017-15697 (A malicious X-ProxyContextPath or X-Forwarded-Context header containin ...) NOT-FOR-US: Apache NiFi CVE-2017-15696 (When an Apache Geode cluster before v1.4.0 is operating in secure mode ...) NOT-FOR-US: Apache Geode CVE-2017-15695 (When an Apache Geode server versions 1.0.0 to 1.4.0 is configured with ...) NOT-FOR-US: Apache Geode CVE-2017-15694 (When an Apache Geode server versions 1.0.0 to 1.8.0 is operating in se ...) NOT-FOR-US: Apache Geode CVE-2017-15693 (In Apache Geode before v1.4.0, the Geode server stores application obj ...) NOT-FOR-US: Apache Geode CVE-2017-15692 (In Apache Geode before v1.4.0, the TcpServer within the Geode locator ...) NOT-FOR-US: Apache Geode CVE-2017-15691 (In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to 3.0.0 ...) - uimaj 2.10.2-1 (bug #897009) [stretch] - uimaj (Minor issue) [jessie] - uimaj (Minor issue) [wheezy] - uimaj (Minor issue) NOTE: https://uima.apache.org/security_report#CVE-2017-15691 CVE-2017-15924 (In manager.c in ss-manager in shadowsocks-libev 3.1.0, improper parsin ...) {DSA-4009-1} - shadowsocks-libev 3.1.0+ds-2 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-010-shadowsocks-libev/ NOTE: https://github.com/shadowsocks/shadowsocks-libev/issues/1734 NOTE: https://github.com/shadowsocks/shadowsocks-libev/commit/c67d275 CVE-2017-15690 RESERVED CVE-2017-15689 RESERVED CVE-2017-15688 RESERVED CVE-2017-15687 (DOM Based Cross Site Scripting (XSS) exists in Logitech Media Server 7 ...) NOT-FOR-US: Logitech CVE-2017-15686 (Crafter CMS Crafter Studio 3.0.1 is affected by: Cross Site Scripting ...) 
NOT-FOR-US: Crafter CMS Crafter Studio CVE-2017-15685 (Crafter CMS Crafter Studio 3.0.1 is affected by: XML External Entity ( ...) NOT-FOR-US: Crafter CMS Crafter Studio CVE-2017-15684 (Crafter CMS Crafter Studio 3.0.1 has a directory traversal vulnerabili ...) NOT-FOR-US: Crafter CMS Crafter Studio CVE-2017-15683 (In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is abl ...) NOT-FOR-US: Crafter CMS Crafter Studio CVE-2017-15682 (In Crafter CMS Crafter Studio 3.0.1 an unauthenticated attacker is abl ...) NOT-FOR-US: Crafter CMS Crafter Studio CVE-2017-15681 (In Crafter CMS Crafter Studio 3.0.1 a directory traversal vulnerabilit ...) NOT-FOR-US: Crafter CMS Crafter Studio CVE-2017-15680 (In Crafter CMS Crafter Studio 3.0.1 an IDOR vulnerability exists which ...) NOT-FOR-US: Crafter CMS Crafter Studio CVE-2017-15679 RESERVED CVE-2017-15678 RESERVED CVE-2017-15677 RESERVED CVE-2017-15676 RESERVED CVE-2017-15675 RESERVED CVE-2017-15674 RESERVED CVE-2017-15673 (The files function in the administration section in CS-Cart 4.6.2 and ...) NOT-FOR-US: CS-Cart CVE-2017-15672 (The read_header function in libavcodec/ffv1dec.c in FFmpeg 2.4 and 3.3 ...) {DSA-4049-1 DLA-1630-1} - ffmpeg 7:3.4-1 - libav NOTE: Fixed by: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=c20f4fcb74da2d0432c7b54499bb98f48236b904 CVE-2017-15671 (The glob function in glob.c in the GNU C Library (aka glibc or libc6) ...) [experimental] - glibc 2.26-0experimental0 - glibc 2.25-3 (low; bug #879500) [stretch] - glibc 2.24-11+deb9u4 [jessie] - glibc (Minor issue) - eglibc (low) [wheezy] - eglibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22325 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c66c908230169c1bab1f83b071eb585baa214b9f CVE-2017-15670 (The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by- ...) 
[experimental] - glibc 2.26-0experimental0 - glibc 2.25-3 (low; bug #879501) [stretch] - glibc 2.24-11+deb9u4 [jessie] - glibc (Minor issue) - eglibc (low) [wheezy] - eglibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22320 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c369d66e5426a30e4725b100d5cd28e372754f90 (master) NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a76376df7c07e577a9515c3faa5dbd50bda5da07 (release/2.26/master) CVE-2017-15669 RESERVED CVE-2017-15668 RESERVED CVE-2017-15667 (In Flexense SysGauge Server 3.6.18, the Control Protocol suffers from ...) NOT-FOR-US: Flexense SysGauge Server CVE-2017-15666 RESERVED CVE-2017-15665 (In Flexense DiskBoss Enterprise 8.5.12, the Control Protocol suffers f ...) NOT-FOR-US: Flexense DiskBoss Enterprise CVE-2017-15664 (In Flexense Sync Breeze Enterprise v10.1.16, the Control Protocol suff ...) NOT-FOR-US: Flexense Sync Breeze Enterprise CVE-2017-15663 (In Flexense Disk Pulse Enterprise v10.1.18, the Control Protocol suffe ...) NOT-FOR-US: Flexense Disk Pulse Enterprise CVE-2017-15662 (In Flexense VX Search Enterprise v10.1.12, the Control Protocol suffer ...) NOT-FOR-US: Flexense VX Search Enterprise CVE-2017-15661 RESERVED CVE-2017-15660 RESERVED CVE-2017-15659 RESERVED CVE-2017-15658 RESERVED CVE-2017-15657 RESERVED CVE-2017-15656 (Password are stored in plaintext in nvram in the HTTPd server in all c ...) NOT-FOR-US: HTTPd server in Asus asuswrt CVE-2017-15655 (Multiple buffer overflow vulnerabilities exist in the HTTPd server in ...) NOT-FOR-US: HTTPd server in Asus asuswrt CVE-2017-15654 (Highly predictable session tokens in the HTTPd server in all current v ...) NOT-FOR-US: HTTPd server in Asus asuswrt CVE-2017-15653 (Improper administrator IP validation after his login in the HTTPd serv ...) NOT-FOR-US: HTTPd server in Asus asuswrt CVE-2017-15652 (Artifex Ghostscript 9.22 is affected by: Obtain Information. The impac ...) 
- ghostscript 9.25~dfsg-1 [stretch] - ghostscript 9.25~dfsg-0+deb9u1 [jessie] - ghostscript 9.26a~dfsg-0+deb8u1 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2fc463d0e (ghostpdl-9.23rc1) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698676 CVE-2017-15651 (PRTG Network Monitor 17.3.33.2830 allows remote authenticated administ ...) NOT-FOR-US: PRTG Network Monitor CVE-2017-15649 (net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local ...) {DLA-1200-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/008ba2a13f2d04c947adc536d19debb8fe66f110 NOTE: Fixed by: https://git.kernel.org/linus/4971613c1639d8e5f102c4e797c3bf8f83a5a69e CVE-2017-15648 (In PHPSUGAR PHP Melody before 2.7.3, page_manager.php has XSS via the ...) NOT-FOR-US: PHPSUGAR PHP Melody CVE-2017-15647 (On FiberHome routers, Directory Traversal exists in /cgi-bin/webproc v ...) NOT-FOR-US: On FiberHome CVE-2017-15646 (Webmin before 1.860 has XSS with resultant remote code execution. Unde ...) - webmin CVE-2017-15645 (CSRF exists in Webmin 1.850. By sending a GET request to at/create_job ...) - webmin CVE-2017-15644 (SSRF exists in Webmin 1.850 via the PATH_INFO to tunnel/link.cgi, as d ...) - webmin CVE-2017-15643 (An active network attacker (MiTM) can achieve remote code execution on ...) NOT-FOR-US: IKARUS Anti Virus CVE-2017-15650 (musl libc before 1.1.17 has a buffer overflow via crafted DNS replies ...) - musl 1.1.17-1 [stretch] - musl (Minor issue) [jessie] - musl (Minor issue) NOTE: https://git.musl-libc.org/cgit/musl/patch/?id=45ca5d3fcb6f874bf5ba55d0e9651cef68515395 CVE-2017-15642 (In lsx_aiffstartread in aiff.c in Sound eXchange (SoX) 14.4.2, there i ...) 
{DLA-1695-1 DLA-1197-1} - sox 14.4.2-2 (bug #882144) [stretch] - sox 14.4.1-5+deb9u2 NOTE: https://sourceforge.net/p/sox/bugs/298/ NOTE: https://github.com/mansr/sox/commit/0be259eaa9ce3f3fa587a3ef0cf2c0b9c73167a2 CVE-2017-15641 RESERVED CVE-2017-15640 (app/sections/user-menu.php in phpIPAM before 1.3.1 has XSS via the ip ...) NOT-FOR-US: phpIPAM CVE-2017-15639 (tasks/feed/readRSS.cfm in Mura CMS before 6.2 allows attackers to bypa ...) NOT-FOR-US: Mura CMS CVE-2017-15638 (The SuSEfirewall2 package before 3.6.312-2.13.1 in SUSE Linux Enterpri ...) NOT-FOR-US: SuSEfirewall2 in SUSE CVE-2017-15637 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15636 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15635 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15634 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15633 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15632 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15631 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15630 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15629 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15628 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15627 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15626 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) 
NOT-FOR-US: TP-Link CVE-2017-15625 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15624 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15623 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15622 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15621 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15620 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15619 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15618 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15617 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15616 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15615 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15614 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15613 (TP-Link WVR, WAR and ER devices allow remote authenticated administrat ...) NOT-FOR-US: TP-Link CVE-2017-15612 (mistune.py in Mistune 0.7.4 allows XSS via an unexpected newline (such ...) - mistune 0.8-1 (bug #879098) [stretch] - mistune (Minor issue) NOTE: https://github.com/lepture/mistune/pull/140 NOTE: https://github.com/lepture/mistune/commit/d6f0b6402299bf5a380e7b4e77bd80e8736630fe CVE-2017-15611 (In Octopus before 3.17.7, an authenticated user who was explicitly gra ...) NOT-FOR-US: Octopus Deploy CVE-2017-15610 (An issue was discovered in Octopus before 3.17.7. When the special Gue ...) 
NOT-FOR-US: Octopus Deploy CVE-2017-15609 (Octopus before 3.17.7 allows attackers to obtain sensitive cleartext i ...) NOT-FOR-US: Octopus Deploy CVE-2017-15608 (Inedo ProGet before 5.0 Beta5 has CSRF, allowing an attacker to change ...) NOT-FOR-US: Inedo ProGet CVE-2017-15607 (Inedo Otter before 1.7.4 has directory traversal in filesystem-based r ...) NOT-FOR-US: Inedo Otter CVE-2017-15606 RESERVED CVE-2017-15605 RESERVED CVE-2017-15604 RESERVED CVE-2017-15603 RESERVED CVE-2017-15602 (In GNU Libextractor 1.4, there is an integer signedness error for the ...) {DLA-1198-1} - libextractor 1:1.6-1 (low) [stretch] - libextractor 1:1.3-4+deb9u1 [jessie] - libextractor 1:1.3-2+deb8u1 NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00005.html NOTE: Fixed by https://git.gnunet.org/libextractor.git/commit/?id=ffab889c1710c7646af9ed360c796a2a0a619efc CVE-2017-15601 (In GNU Libextractor 1.4, there is a heap-based buffer overflow in the ...) {DLA-1198-1} - libextractor 1:1.6-1 (low) [stretch] - libextractor 1:1.3-4+deb9u1 [jessie] - libextractor 1:1.3-2+deb8u1 NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00006.html NOTE: Fixed by https://git.gnunet.org/libextractor.git/commit/?id=f813535dad4ad860b989952a46266a1469801091 CVE-2017-15600 (In GNU Libextractor 1.4, there is a NULL Pointer Dereference in the EX ...) {DLA-1198-1} - libextractor 1:1.6-1 (low) [stretch] - libextractor 1:1.3-4+deb9u1 [jessie] - libextractor 1:1.3-2+deb8u1 NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1501695 NOTE: Fixed by https://git.gnunet.org/libextractor.git/commit/?id=38e8933539ee9d044057b18a971c2eae3c21aba7 CVE-2017-15599 RESERVED CVE-2017-15598 RESERVED CVE-2017-15597 (An issue was discovered in Xen through 4.9.x. Grant copying code made ...) 
{DSA-4050-1 DLA-1549-1} - xen 4.8.2+xsa245-0+deb9u1 [wheezy] - xen (Vulnerable code not present) NOTE: https://xenbits.xen.org/xsa/advisory-236.html CVE-2017-15586 RESERVED CVE-2017-15585 RESERVED CVE-2017-15584 RESERVED CVE-2017-15583 (The embedded web server on ABB Fox515T 1.0 devices is vulnerable to Lo ...) NOT-FOR-US: ABB Fox515T 1.0 devices CVE-2017-15582 (In net.MCrypt in the "Diary with lock" (aka WriteDiary) application 4. ...) NOT-FOR-US: Diary with lock CVE-2017-15581 (In the "Diary with lock" (aka WriteDiary) application 4.72 for Android ...) NOT-FOR-US: Diary with lock CVE-2017-15580 (osTicket 1.10.1 provides a functionality to upload 'html' files with a ...) NOT-FOR-US: osTicket CVE-2017-15579 (In PHPSUGAR PHP Melody before 2.7.3, SQL Injection exists via an aa_pa ...) NOT-FOR-US: PHPSUGAR PHP Melody CVE-2017-15578 (In PHPSUGAR PHP Melody before 2.7.3, SQL Injection exists via the imag ...) NOT-FOR-US: PHPSUGAR PHP Melody CVE-2017-15567 (** DISPUTED ** The certificate import component in IDEMIA (formerly Mo ...) NOT-FOR-US: IDEMIA CVE-2017-15566 (Insecure SPANK environment variable handling exists in SchedMD Slurm b ...) {DSA-4023-1} - slurm-llnl 17.02.9-1 (bug #880530) [jessie] - slurm-llnl (Vulnerable code introduced later) [wheezy] - slurm-llnl (Vulnerable code introduced later) NOTE: https://bugs.schedmd.com/show_bug.cgi?id=4228 (not public) NOTE: Fixed by: https://github.com/SchedMD/slurm/commit/b30e9e9ee2ade6951bfaf28e15ef77325a206971 CVE-2017-15565 (In Poppler 0.59.0, a NULL Pointer Dereference exists in the GfxImageCo ...) 
{DSA-4079-1 DLA-1177-1} - poppler 0.61.1-2 (bug #879066) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=103016 NOTE: Fixed by: https://cgit.freedesktop.org/poppler/poppler/commit/?id=19ebd40547186a8ea6da08c8d8e2a6d6b7e84f5d CVE-2017-15564 REJECTED CVE-2017-15563 REJECTED CVE-2017-15562 REJECTED CVE-2017-15561 REJECTED CVE-2017-15560 REJECTED CVE-2017-15559 REJECTED CVE-2017-15558 REJECTED CVE-2017-15557 REJECTED CVE-2017-15556 REJECTED CVE-2017-15555 REJECTED CVE-2017-15554 REJECTED CVE-2017-15553 REJECTED CVE-2017-15552 REJECTED CVE-2017-15551 REJECTED CVE-2017-15550 (An issue was discovered in EMC Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4. ...) NOT-FOR-US: EMC Avamar Server CVE-2017-15549 (An issue was discovered in EMC Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4. ...) NOT-FOR-US: EMC Avamar Server CVE-2017-15548 (An issue was discovered in EMC Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4. ...) NOT-FOR-US: EMC Avamar Server CVE-2017-15547 REJECTED CVE-2017-15546 (The Security Console in EMC RSA Authentication Manager 8.2 SP1 P6 and ...) NOT-FOR-US: EMC RSA Authentication Manager CVE-2017-15545 REJECTED CVE-2017-15544 REJECTED CVE-2017-15543 REJECTED CVE-2017-15542 REJECTED CVE-2017-15541 REJECTED CVE-2017-15540 REJECTED CVE-2017-15539 (SQL Injection exists in zorovavi/blog through 2017-10-17 via the id pa ...) NOT-FOR-US: zorovavi/blog CVE-2017-15587 (An integer overflow was discovered in pdf_read_new_xref_section in pdf ...) {DSA-4006-2 DSA-4006-1 DLA-1164-1} - mupdf 1.11+ds1-2 (bug #879055) NOTE: https://git.ghostscript.com/?p=mupdf.git;h=82df2631d7d0446b206ea6b434ea609b6c28b0e8 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698605 (not public) NOTE: https://nandynarwhals.org/CVE-2017-15587/ CVE-2017-15538 (Stored XSS vulnerability in the Media Objects component of ILIAS befor ...) NOT-FOR-US: ILIAS CVE-2017-15536 (An issue was discovered in Cloudera Data Science Workbench (CDSW) 1.x ...) 
NOT-FOR-US: Cloudera Data Science Workbench CVE-2017-15535 (MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by- ...) - mongodb (wire protocol compression introduced in 3.4.x and disabled by default) NOTE: https://jira.mongodb.org/browse/SERVER-31273 CVE-2017-15534 (The Norton App Lock prior to version 1.3.0.13 can be susceptible to an ...) NOT-FOR-US: Norton App Lock CVE-2017-15533 (Symantec SSL Visibility (SSLV) 3.8.4FC, 3.10 prior to 3.10.4.1, 3.11, ...) NOT-FOR-US: Symantec CVE-2017-15532 (Prior to 10.6.4, Symantec Messaging Gateway may be susceptible to a pa ...) NOT-FOR-US: Symantec CVE-2017-15531 (Symantec Reporter 9.5 prior to 9.5.4.1 and 10.1 prior to 10.1.5.5 does ...) NOT-FOR-US: Symantec CVE-2017-15530 (Prior to 4.4.1.10, the Norton Family Android App can be susceptible to ...) NOT-FOR-US: Norton CVE-2017-15529 (Prior to 4.4.1.10, the Norton Family Android App can be susceptible to ...) NOT-FOR-US: Norton CVE-2017-15528 (Prior to v 7.6, the Install Norton Security (INS) product can be susce ...) NOT-FOR-US: Install Norton Security CVE-2017-15527 (Prior to ITMS 8.1 RU4, the Symantec Management Console can be suscepti ...) NOT-FOR-US: Symantec CVE-2017-15526 (Prior to SEE v11.1.3MP1, Symantec Endpoint Encryption can be susceptib ...) NOT-FOR-US: Symantec CVE-2017-15525 (Prior to SEE v11.1.3MP1, Symantec Endpoint Encryption can be susceptib ...) NOT-FOR-US: Symantec CVE-2017-15524 (The Application Firewall Pack (AFP, aka Web Application Firewall) comp ...) NOT-FOR-US: Kemp Load Balancer CVE-2017-15523 REJECTED CVE-2017-15522 REJECTED CVE-2017-15521 REJECTED CVE-2017-15520 REJECTED CVE-2017-15519 (Versions of SnapCenter 2.0 through 3.0.1 allow unauthenticated remote ...) NOT-FOR-US: SnapCenter CVE-2017-15518 (All versions of OnCommand API Services prior to 2.1 and NetApp Service ...) NOT-FOR-US: NetApp CVE-2017-15517 (AltaVault OST Plug-in versions prior to 1.2.2 may allow attackers to o ...)
NOT-FOR-US: AltaVault OST Plug-in CVE-2017-15516 (NetApp SnapCenter Server versions 1.1 through 2.x are susceptible to a ...) NOT-FOR-US: NetApp CVE-2017-15515 (NetApp SnapCenter Server prior to 4.0 is susceptible to cross site scr ...) NOT-FOR-US: NetApp SnapCenter Server CVE-2017-15514 REJECTED CVE-2017-15568 (In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, X ...) {DSA-4191-1} - redmine 3.4.4-1 (bug #882544) [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/27186 (private) NOTE: upstream fixed in 3.2.8, 3.3.5 and 3.4.3 NOTE: https://github.com/redmine/redmine/commit/94f7cfbf990028348b9262578acbc53a94fce448 CVE-2017-15569 (In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, X ...) {DSA-4191-1} - redmine 3.4.4-1 (bug #882545) [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/27186 (private) NOTE: https://github.com/redmine/redmine/commit/56c8ee0440d8555aa7822d947ba9091c8a791508 CVE-2017-15570 (In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, X ...) {DSA-4191-1} - redmine 3.4.4-1 (bug #882547) [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/27186 (private) NOTE: https://github.com/redmine/redmine/commit/1a0976417975a128b0a932ba1552c37e9414953b CVE-2017-15571 (In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, X ...) 
{DSA-4191-1} - redmine 3.4.4-1 (bug #882548) [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/27186 (private) NOTE: https://github.com/redmine/redmine/commit/273dd9cb3bcfb1e0a0b90570b3b34eafa07d67aa CVE-2017-15573 (In Redmine before 3.2.6 and 3.3.x before 3.3.3, XSS exists because mar ...) {DSA-4191-1} - redmine 3.4.2-1 [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/25503 (private) NOTE: upstream fixed in 3.2.6 and 3.3.3 CVE-2017-15572 (In Redmine before 3.2.6 and 3.3.x before 3.3.3, remote attackers can o ...) {DSA-4191-1} - redmine 3.4.2-1 [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/24416 (private) NOTE: upstream fixed in 3.2.6 and 3.3.3 CVE-2017-15575 (In Redmine before 3.2.6 and 3.3.x before 3.3.3, Redmine.pm lacks a che ...) {DSA-4191-1} - redmine 3.4.2-1 [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/24307 (private) NOTE: upstream fixed in 3.2.6 and 3.3.3 CVE-2017-15574 (In Redmine before 3.2.6 and 3.3.x before 3.3.3, stored XSS is possible ...) {DSA-4191-1} - redmine 3.4.2-1 [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/24199 (private) NOTE: upstream fixed in 3.2.6 and 3.3.3 CVE-2017-15576 (Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles Time Entry rend ...) 
{DSA-4191-1} - redmine 3.4.2-1 [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/23803 (private) NOTE: upstream fixed in 3.2.6 and 3.3.3 CVE-2017-15577 (Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles the rendering o ...) {DSA-4191-1} - redmine 3.4.2-1 [jessie] - redmine (Not supported in Jessie-LTS) [wheezy] - redmine (Not supported in wheezy LTS) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://www.redmine.org/issues/23793 (private) NOTE: upstream fixed in 3.2.6 and 3.3.3 CVE-2017-15537 (The x86/fpu (Floating Point Unit) subsystem in the Linux kernel before ...) - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/814fb7bb7db5433757d76f4c4502c96fc53b0b5e (v4.14-rc3) CVE-2017-15513 REJECTED CVE-2017-15512 REJECTED CVE-2017-15511 REJECTED CVE-2017-15510 REJECTED CVE-2017-15509 REJECTED CVE-2017-15508 REJECTED CVE-2017-15507 REJECTED CVE-2017-15506 REJECTED CVE-2017-15505 REJECTED CVE-2017-15504 REJECTED CVE-2017-15503 REJECTED CVE-2017-15502 REJECTED CVE-2017-15501 REJECTED CVE-2017-15500 REJECTED CVE-2017-15499 REJECTED CVE-2017-15498 REJECTED CVE-2017-15497 REJECTED CVE-2017-15496 REJECTED CVE-2017-15495 REJECTED CVE-2017-15494 REJECTED CVE-2017-15493 REJECTED CVE-2017-15492 REJECTED CVE-2017-15491 REJECTED CVE-2017-15490 REJECTED CVE-2017-15489 REJECTED CVE-2017-15488 REJECTED CVE-2017-15487 REJECTED CVE-2017-15486 REJECTED CVE-2017-15485 REJECTED CVE-2017-15484 REJECTED CVE-2017-15483 REJECTED CVE-2017-15482 REJECTED CVE-2017-15481 REJECTED CVE-2017-15480 REJECTED CVE-2017-15479 REJECTED CVE-2017-15478 REJECTED CVE-2017-15477 REJECTED CVE-2017-15476 REJECTED CVE-2017-15475 REJECTED CVE-2017-15474 REJECTED CVE-2017-15473 
REJECTED CVE-2017-15472 REJECTED CVE-2017-15471 REJECTED CVE-2017-15470 REJECTED CVE-2017-15469 REJECTED CVE-2017-15468 REJECTED CVE-2017-15467 REJECTED CVE-2017-15466 REJECTED CVE-2017-15465 REJECTED CVE-2017-15464 REJECTED CVE-2017-15463 REJECTED CVE-2017-15462 REJECTED CVE-2017-15461 REJECTED CVE-2017-15460 REJECTED CVE-2017-15459 REJECTED CVE-2017-15458 REJECTED CVE-2017-15457 REJECTED CVE-2017-15456 REJECTED CVE-2017-15455 REJECTED CVE-2017-15454 REJECTED CVE-2017-15453 REJECTED CVE-2017-15452 REJECTED CVE-2017-15451 REJECTED CVE-2017-15450 REJECTED CVE-2017-15449 REJECTED CVE-2017-15448 REJECTED CVE-2017-15447 REJECTED CVE-2017-15446 REJECTED CVE-2017-15445 REJECTED CVE-2017-15444 REJECTED CVE-2017-15443 REJECTED CVE-2017-15442 REJECTED CVE-2017-15441 REJECTED CVE-2017-15440 REJECTED CVE-2017-15439 REJECTED CVE-2017-15438 REJECTED CVE-2017-15437 REJECTED CVE-2017-15436 REJECTED CVE-2017-15435 REJECTED CVE-2017-15434 REJECTED CVE-2017-15433 REJECTED CVE-2017-15432 REJECTED CVE-2017-15431 RESERVED CVE-2017-15430 (Insufficient data validation in Chromecast plugin in Google Chrome pri ...) - chromium-browser (Plugin specific to Chrome) CVE-2017-15429 (Inappropriate implementation in V8 WebAssembly JS bindings in Google C ...) {DSA-4103-1} - chromium-browser 64.0.3282.119-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-15428 (Insufficient data validation in V8 builtins string generator could lea ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15427 (Insufficient policy enforcement in Omnibox in Google Chrome prior to 6 ...) 
{DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15426 (Insufficient policy enforcement in Omnibox in Google Chrome prior to 6 ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15425 (Insufficient policy enforcement in Omnibox in Google Chrome prior to 6 ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15424 (Insufficient policy enforcement in Omnibox in Google Chrome prior to 6 ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15423 (Inappropriate implementation in BoringSSL SPAKE2 in Google Chrome prio ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15422 (Integer overflow in international date handling in International Compo ...) {DSA-4150-1} - icu 57.1-9 (bug #892766) [wheezy] - icu (Vulnerable code not present) NOTE: https://code.google.com/p/chromium/issues/detail?id=774382 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1523136 NOTE: Issue fixed in: https://ssl.icu-project.org/trac/changeset/40654 CVE-2017-15421 RESERVED CVE-2017-15420 (Incorrect handling of back navigations in error pages in Navigation in ...) {DSA-4103-1 DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15419 (Insufficient policy enforcement in Resource Timing API in Google Chrom ...) 
{DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15418 (Use of uninitialized memory in Skia in Google Chrome prior to 63.0.323 ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15417 (Inappropriate implementation in Skia canvas composite operations in Go ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15416 (Heap buffer overflow in Blob API in Google Chrome prior to 63.0.3239.8 ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15415 (Incorrect serialization in IPC in Google Chrome prior to 63.0.3239.84 ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15414 RESERVED CVE-2017-15413 (Type confusion in WebAssembly in V8 in Google Chrome prior to 63.0.323 ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15412 (Use after free in libxml2 before 2.9.5, as used in Google Chrome prior ...) {DSA-4086-1 DLA-1211-1} - libxml2 2.9.4+dfsg1-5.2 (bug #883790) NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=727039 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=783160 (not public) NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=0f3b843b3534784ef57a4f9b874238aa1fda5a73 CVE-2017-15411 (Use after free in PDFium in Google Chrome prior to 63.0.3239.84 allowe ...) 
{DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15410 (Use after free in PDFium in Google Chrome prior to 63.0.3239.84 allowe ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15409 (Heap buffer overflow in Skia in Google Chrome prior to 63.0.3239.84 al ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15408 (Heap buffer overflow in Omnibox in Google Chrome prior to 63.0.3239.84 ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15407 (Out-of-bounds Write in the QUIC networking stack in Google Chrome prio ...) {DSA-4064-1} - chromium-browser 63.0.3239.84-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15406 (A stack buffer overflow in V8 in Google Chrome prior to 62.0.3202.75 a ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-15405 (Inappropriate symlink handling and a race condition in the stateful re ...) NOT-FOR-US: Chrome OS CVE-2017-15404 (An ability to process crash dumps under root privileges and inappropri ...) NOT-FOR-US: Chrome OS CVE-2017-15403 (Insufficient data validation in crosh could lead to a command injectio ...) NOT-FOR-US: Chrome OS CVE-2017-15402 (Using an ID that can be controlled by a compromised renderer which all ...) 
NOT-FOR-US: Chrome OS CVE-2017-15401 (A memory corruption bug in WebAssembly could lead to out of bounds rea ...) NOT-FOR-US: Chrome OS CVE-2017-15400 (Insufficient restriction of IPP filters in CUPS in Google Chrome OS pr ...) {DSA-4243-1} - cups 2.2.3-2 [jessie] - cups (Vulnerable code not present, ppdCreateFromIPP() introduced in v2.2.0) [wheezy] - cups (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=777215 NOTE: Patches from upstream to restrict what filters will be accepted NOTE: https://github.com/apple/cups/commit/07428f6a640ff93aa0b4cc69ca372e2cf8490e41 (v2.2.2) NOTE: https://github.com/apple/cups/commit/1add23375658e9163e5493ee19de7c9f7a9b483b (v2.2.2) CVE-2017-15399 (A use after free in V8 in Google Chrome prior to 62.0.3202.89 allowed ...) {DSA-4024-1} - chromium-browser 62.0.3202.89-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-15398 (A stack buffer overflow in the QUIC networking stack in Google Chrome ...) {DSA-4024-1} - chromium-browser 62.0.3202.89-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15397 (Inappropriate implementation in ChromeVox in Google Chrome OS prior to ...) NOT-FOR-US: ChromeVox in Google Chrome OS CVE-2017-15396 (A stack buffer overflow in NumberingSystem in International Components ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-15395 (A use after free in Blink in Google Chrome prior to 62.0.3202.62 allow ...) 
{DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15394 (Insufficient Policy Enforcement in Extensions in Google Chrome prior t ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15393 (Insufficient Policy Enforcement in Devtools remote debugging in Google ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15392 (Insufficient data validation in V8 in Google Chrome prior to 62.0.3202 ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15391 (Insufficient Policy Enforcement in Extensions in Google Chrome prior t ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15390 (Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 6 ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15389 (An insufficient watchdog timer in navigation in Google Chrome prior to ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15388 (Iteration through non-finite points in Skia in Google Chrome prior to ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15387 (Insufficient enforcement of Content Security Policy in Blink in Google ...) 
{DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15386 (Incorrect implementation in Blink in Google Chrome prior to 62.0.3202. ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-15385 (The store_versioninfo_gnu_verdef function in libr/bin/format/elf/elf.c ...) - radare2 2.1.0+dfsg-1 (bug #879119) [jessie] - radare2 (Vulnerable code introduced in 0.10.2) [wheezy] - radare2 (Vulnerable code introduced in 0.10.2) NOTE: https://github.com/radare/radare2/issues/8685 NOTE: https://github.com/radare/radare2/commit/21a6f570ba33fa9f52f1bba87f07acc4e8c178f4 CVE-2017-15384 (rate-me.php in Rate Me 1.0 has XSS via the id field in a rate action. ...) NOT-FOR-US: Rate Me CVE-2017-15383 (Nero 7.10.1.0 has an unquoted BINARY_PATH_NAME for NBService, exploita ...) NOT-FOR-US: Nero CVE-2017-15382 RESERVED CVE-2017-15381 (SQL Injection exists in E-Sic 1.0 via the f parameter to esiclivre/res ...) NOT-FOR-US: E-Sic CVE-2017-15380 (XSS exists in the E-Sic 1.0 /cadastro/index.php URI (aka the requester ...) NOT-FOR-US: E-Sic CVE-2017-15379 (An authentication bypass exists in the E-Sic 1.0 /index (aka login) UR ...) NOT-FOR-US: E-Sic CVE-2017-15378 (SQL Injection exists in the E-Sic 1.0 password reset parameter (aka th ...) NOT-FOR-US: E-Sic CVE-2017-15377 (In Suricata before 4.x, it was possible to trigger lots of redundant c ...) 
{DLA-1603-1} - suricata 1:4.0.0-1 (low) [stretch] - suricata (Minor issue) [wheezy] - suricata (Vulnerable code introduced later) NOTE: https://github.com/OISF/suricata/pull/2680/commits/47afc577ff763150f9b47f10331f5ef9eb847a57 NOTE: https://redmine.openinfosecfoundation.org/issues/2231 NOTE: introduced in https://github.com/OISF/suricata/commit/35f1f7e8d944a3 CVE-2017-15376 (The TELNET service in Mobatek MobaXterm 10.4 does not require authenti ...) NOT-FOR-US: Mobatek MobaXterm CVE-2017-15375 (Multiple client-side cross site scripting vulnerabilities have been di ...) NOT-FOR-US: WpJobBoard CVE-2017-15374 (Shopware v5.2.5 - v5.3 is vulnerable to cross site scripting in the cu ...) NOT-FOR-US: Shopware CVE-2017-15373 (E-Sic 1.0 allows SQL injection via the q parameter to esiclivre/restri ...) NOT-FOR-US: E-Sic CVE-2017-15372 (There is a stack-based buffer overflow in the lsx_ms_adpcm_block_expan ...) {DLA-1695-1 DLA-1197-1} - sox 14.4.2-2 (bug #878808) [stretch] - sox 14.4.1-5+deb9u2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1500553 NOTE: https://github.com/mansr/sox/commit/001c337552912d286ba68086ac378f6fdc1e8b50 CVE-2017-15371 (There is a reachable assertion abort in the function sox_append_commen ...) {DLA-1705-1 DLA-1197-1} - sox 14.4.2-2 (bug #878809) [stretch] - sox 14.4.1-5+deb9u2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1500570 NOTE: https://github.com/mansr/sox/commit/818bdd0ccc1e5b6cae742c740c17fd414935cf39 CVE-2017-15370 (There is a heap-based buffer overflow in the ImaExpandS function of im ...) {DLA-1695-1 DLA-1197-1} - sox 14.4.2-2 (bug #878810) [stretch] - sox 14.4.1-5+deb9u2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1500554 NOTE: https://github.com/mansr/sox/commit/ef3d8be0f80cbb650e4766b545d61e10d7a24c9e CVE-2017-15369 (The build_filter_chain function in pdf/pdf-stream.c in Artifex MuPDF b ...) 
- mupdf (Vulnerable code introduced later) NOTE: Fixed by: https://git.ghostscript.com/?p=mupdf.git;h=c2663e51238ec8256da7fc61ad580db891d9fe9a NOTE: Introduced by: https://git.ghostscript.com/?p=mupdf.git;h=2707fa9e8e6d17d794330e719dec1b08161fb045 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698592 CVE-2017-15368 (The wasm_dis function in libr/asm/arch/wasm/wasm.c in radare2 2.0.0 al ...) - radare2 2.1.0+dfsg-1 (bug #878767) [jessie] - radare2 (Vulnerable code introduced in 2.0.0) [wheezy] - radare2 (Vulnerable code introduced in 2.0.0) NOTE: https://github.com/radare/radare2/issues/8673 NOTE: https://github.com/radare/radare2/commit/52b1526443c1f433087928291d1c3d37a5600515 CVE-2017-15367 (Bacula-web before 8.0.0-rc2 is affected by multiple SQL Injection vuln ...) NOT-FOR-US: Bacula-Web CVE-2017-15366 (Before Thornberry NDoc version 8.0, laptop clients and the server have ...) NOT-FOR-US: Thornberry NDoc CVE-2017-15365 (sql/event_data_objects.cc in MariaDB before 10.1.30 and 10.2.x before ...) {DSA-4341-1} - mariadb-10.2 (bug #884065) - mariadb-10.1 1:10.1.34-1 (bug #885345) - mariadb-10.0 [jessie] - mariadb-10.0 (vulnerable code not present) - percona-xtrabackup [jessie] - percona-xtrabackup (vulnerable code not present) - mysql-5.7 - mysql-5.5 (Vulnerable code not present) NOTE: MariaDB: Fixed in 10.2.10, 10.1.30 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1524234 NOTE: https://www.percona.com/doc/percona-xtradb-cluster/LATEST/release-notes/Percona-XtraDB-Cluster-5.7.19-29.22-3.html NOTE: Likely (unconfirmed) fix: https://github.com/MariaDB/server/commit/0b5a5258abbeaf8a0c3a18c7e753699787fdf46e?diff=unified NOTE: Possibly only introduced with https://github.com/MariaDB/server/commit/df4dd593f29aec8e2116aec1775ad4b8833d8c93 (mariadb-10.1.1) NOTE: starting to be present in mariadb-10.1.1. CVE-2017-15364 (The foreach function in ext/ccsv.c in Ccsv 1.1.0 allows remote attacke ...) 
NOT-FOR-US: ccsv CVE-2017-15363 (Directory traversal vulnerability in public/examples/resources/getsour ...) NOT-FOR-US: Luracast Restler CVE-2017-15362 (osTicket 1.10.1 allows arbitrary client-side JavaScript code execution ...) NOT-FOR-US: osTicket CVE-2017-15361 (The Infineon RSA library 1.02.013 in Infineon Trusted Platform Module ...) NOT-FOR-US: Infineon RSA library CVE-2017-15360 (PRTG Network Monitor version 17.3.33.2830 is vulnerable to stored Cros ...) NOT-FOR-US: PRTG Network Monitor CVE-2017-15359 (In the 3CX Phone System 15.5.3554.1, the Management Console typically ...) NOT-FOR-US: 3CX Phone System CVE-2017-15358 (Race condition in the Charles Proxy Settings suid binary in Charles Pr ...) NOT-FOR-US: Charles Proxy CVE-2017-15357 (The setpermissions function in the auto-updater in Arq before 5.9.7 fo ...) NOT-FOR-US: Arq CVE-2017-15356 (Huawei DP300, V500R002C00, RP200, V600R006C00, TE30, V100R001C10, V500 ...) NOT-FOR-US: Huawei CVE-2017-15355 (Huawei DP300, V500R002C00, RP200, V600R006C00, TE30, V100R001C10, V500 ...) NOT-FOR-US: Huawei CVE-2017-15354 (Huawei DP300, V500R002C00, RP200, V600R006C00, TE30, V100R001C10, V500 ...) NOT-FOR-US: Huawei CVE-2017-15353 (Huawei DP300, V500R002C00, RP200, V500R002C00, V600R006C00, RSE6500, V ...) NOT-FOR-US: Huawei CVE-2017-15352 (Huawei OceanStor 2800 V3, V300R003C00, V300R003C20, OceanStor 5300 V3, ...) NOT-FOR-US: Huawei CVE-2017-15351 (The 'Find Phone' function in Huawei Honor V9 play smart phones with ve ...) NOT-FOR-US: Huawei CVE-2017-15350 (The Common Open Policy Service Protocol (COPS) module in Huawei DP300 ...) NOT-FOR-US: Huawei CVE-2017-15349 (Huawei CloudEngine 12800 V100R003C00, V100R005C00, V100R005C10, V100R0 ...) NOT-FOR-US: Huawei CVE-2017-15348 (Huawei IPS Module V500R001C00, NGFW Module V500R001C00, NIP6300 V500R0 ...) NOT-FOR-US: Huawei CVE-2017-15347 (Huawei Mate 9 Pro mobile phones with software of versions earlier than ...) 
NOT-FOR-US: Huawei CVE-2017-15346 (XML parser in Huawei S12700 V200R005C00,S1700 V200R009C00, V200R010C00 ...) NOT-FOR-US: Huawei CVE-2017-15345 (Huawei Smartphones with software LON-L29DC721B186 have a denial of ser ...) NOT-FOR-US: Huawei CVE-2017-15344 (Huawei AR3200 with software V200R006C10, V200R006C11, V200R007C00, V20 ...) NOT-FOR-US: Huawei CVE-2017-15343 (Huawei AR3200 with software V200R006C10, V200R006C11, V200R007C00, V20 ...) NOT-FOR-US: Huawei CVE-2017-15342 (Huawei DP300 V500R002C00, TE60 V600R006C00, TP3106 V100R002C00, eSpace ...) NOT-FOR-US: Huawei CVE-2017-15341 (Huawei AR3200 V200R008C20, V200R008C30, TE40 V600R006C00, TE50 V600R00 ...) NOT-FOR-US: Huawei CVE-2017-15340 (Huawei smartphones with software of TAG-AL00C92B168 have an informatio ...) NOT-FOR-US: Huawei CVE-2017-15339 (The SIP module in Huawei DP300 V500R002C00, IPS Module V100R001C10, V1 ...) NOT-FOR-US: Huawei CVE-2017-15338 (The SIP module in Huawei DP300 V500R002C00, IPS Module V100R001C10, V1 ...) NOT-FOR-US: Huawei CVE-2017-15337 (The SIP module in Huawei DP300 V500R002C00, IPS Module V100R001C10, V1 ...) NOT-FOR-US: Huawei CVE-2017-15336 (The SIP backup feature in Huawei DP300 V500R002C00, IPS Module V100R00 ...) NOT-FOR-US: Huawei CVE-2017-15335 (The SIP backup feature in Huawei DP300 V500R002C00, IPS Module V100R00 ...) NOT-FOR-US: Huawei CVE-2017-15334 (The SIP backup feature in Huawei DP300 V500R002C00, IPS Module V100R00 ...) NOT-FOR-US: Huawei CVE-2017-15333 (XML parser in Huawei S12700 V200R005C00,S1700 V200R009C00, V200R010C00 ...) NOT-FOR-US: Huawei CVE-2017-15332 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-15331 (Huawei AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30, AR1 ...) NOT-FOR-US: Huawei CVE-2017-15330 (The Flp Driver in some Huawei smartphones of the software Vicky-AL00AC ...) NOT-FOR-US: Huawei CVE-2017-15329 (Huawei UMA V200R001C00 has a SQL injection vulnerability in the operat ...) 
NOT-FOR-US: Huawei CVE-2017-15328 (Huawei HG8245H version earlier than V300R018C00SPC110 has an authentic ...) NOT-FOR-US: Huawei CVE-2017-15327 (S12700 V200R005C00, V200R006C00, V200R006C01, V200R007C00, V200R007C01 ...) NOT-FOR-US: Huawei CVE-2017-15326 (DBS3900 TDD LTE V100R003C00, V100R004C10 have a weak encryption algori ...) NOT-FOR-US: Huawei CVE-2017-15325 (The Bdat driver of Prague smart phones with software versions earlier ...) NOT-FOR-US: Bdat driver of Prague smart phones CVE-2017-15324 (Huawei S5700 and S6700 with software of V200R005C00 have a DoS vulnera ...) NOT-FOR-US: Huawei CVE-2017-15323 (Huawei DP300 V500R002C00, NIP6600 V500R001C00, V500R001C20, V500R001C3 ...) NOT-FOR-US: Huawei CVE-2017-15322 (Some Huawei smartphones with software of BGO-L03C158B003CUSTC158D001 a ...) NOT-FOR-US: Huawei CVE-2017-15321 (Huawei FusionSphere OpenStack V100R006C000SPC102 (NFV) has an informat ...) NOT-FOR-US: Huawei CVE-2017-15320 (RP200 V500R002C00, V600R006C00; TE30 V100R001C10, V500R002C00, V600R00 ...) NOT-FOR-US: Huawei CVE-2017-15319 (RP200 V500R002C00, V600R006C00; TE30 V100R001C10, V500R002C00, V600R00 ...) NOT-FOR-US: Huawei CVE-2017-15318 (RP200 V500R002C00, V600R006C00; TE30 V100R001C10, V500R002C00, V600R00 ...) NOT-FOR-US: Huawei CVE-2017-15317 (AR120-S V200R006C10, V200R007C00, V200R008C20, V200R008C30; AR1200 V20 ...) NOT-FOR-US: Huawei CVE-2017-15316 (The GPU driver of Mate 9 Huawei smart phones with software before MHA- ...) NOT-FOR-US: Huawei CVE-2017-15315 (Patch module of Huawei NIP6300 V500R001C20SPC100, V500R001C20SPC200, N ...) NOT-FOR-US: Huawei CVE-2017-15314 (Huawei DP300 V500R002C00, RP200 V500R002C00SPC200, V600R006C00, TE30 V ...) NOT-FOR-US: Huawei CVE-2017-15313 (Huawei SmartCare V200R003C10 has a CSV injection vulnerability. An rem ...) NOT-FOR-US: Huawei CVE-2017-15312 (Huawei SmartCare V200R003C10 has a stored XSS (cross-site scripting) v ...) 
NOT-FOR-US: Huawei CVE-2017-15311 (The baseband modules of Mate 10, Mate 10 Pro, Mate 9, Mate 9 Pro Huawe ...) NOT-FOR-US: Huawei CVE-2017-15310 (Huawei iReader app before 8.0.2.301 has an arbitrary file deletion vul ...) NOT-FOR-US: Huawei CVE-2017-15309 (Huawei iReader app before 8.0.2.301 has a path traversal vulnerability ...) NOT-FOR-US: Huawei CVE-2017-15308 (Huawei iReader app before 8.0.2.301 has an input validation vulnerabil ...) NOT-FOR-US: Huawei CVE-2017-15307 (Huawei Honor 8 smartphone with software versions earlier than FRD-L04C ...) NOT-FOR-US: Huawei CVE-2017-15306 (The kvm_vm_ioctl_check_extension function in arch/powerpc/kvm/powerpc. ...) - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/ac64115a66c18c01745bbd3c47a36b124e5fd8c0 (4.14-rc7) CVE-2017-15305 (XSS exists in NexusPHP 1.5 via the keyword parameter to messages.php. ...) NOT-FOR-US: NexusPHP CVE-2017-15304 (/bin/login.php in the Web Panel on the Airtame HDMI dongle with firmwa ...) NOT-FOR-US: Airtame HDMI dongle CVE-2017-15303 (In CPUID CPU-Z before 1.43, there is an arbitrary memory write that re ...) NOT-FOR-US: CPUID CPU-Z CVE-2017-15302 (In CPUID CPU-Z through 1.81, there are improper access rights to a ker ...) NOT-FOR-US: CPUID CPU-Z CVE-2017-15301 RESERVED CVE-2017-15300 (The miner statistics HTTP API in EWBF Cuda Zcash Miner Version 0.3.4b ...) NOT-FOR-US: EWBF Cuda Zcash Miner CVE-2017-15299 (The KEYS subsystem in the Linux kernel through 4.13.7 mishandles use o ...) {DLA-1200-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/60ff5b2f547af3828aebafd54daded44cfb0807a (4.14-rc6) CVE-2017-15298 (Git through 2.14.2 mishandles layers of tree objects, which allows rem ...) 
- git 1:2.16.1-1 (unimportant) NOTE: https://kate.io/blog/git-bomb/ NOTE: https://github.com/Katee/git-bomb NOTE: https://git.kernel.org/pub/scm/git/git.git/commit/?id=a937b37e766479c8e780b17cce9c4b252fd97e40 NOTE: No practical security implications CVE-2017-15297 (SAP Hostcontrol does not require authentication for the SOAP SAPContro ...) NOT-FOR-US: SAP CVE-2017-15296 (The Java component in SAP CRM has CSRF. This is SAP Security Note 2478 ...) NOT-FOR-US: SAP CVE-2017-15295 (Xpress Server in SAP POS does not require authentication for read/writ ...) NOT-FOR-US: SAP CVE-2017-15294 (The Java administration console in SAP CRM has XSS. This is SAP Securi ...) NOT-FOR-US: SAP CVE-2017-15293 (Xpress Server in SAP POS does not require authentication for file read ...) NOT-FOR-US: SAP CVE-2017-15292 RESERVED CVE-2017-15291 (Cross-site scripting (XSS) vulnerability in the Wireless MAC Filtering ...) NOT-FOR-US: TP-LINK TL-MR3220 wireless routers CVE-2017-15290 (Mirasys Video Management System (VMS) 6.x before 6.4.6, 7.x before 7.5 ...) NOT-FOR-US: Mirasys Video Management System CVE-2017-15594 (An issue was discovered in Xen through 4.9.x allowing x86 SVM PV guest ...) {DSA-4050-1 DLA-1559-1} - xen 4.8.2+xsa245-0+deb9u1 [wheezy] - xen (minor issue) NOTE: https://xenbits.xen.org/xsa/advisory-244.html CVE-2017-15592 (An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS ...) {DSA-4050-1 DLA-1559-1 DLA-1181-1} - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-243.html CVE-2017-15593 (An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS ...) {DSA-4050-1 DLA-1559-1 DLA-1181-1} - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-242.html CVE-2017-15588 (An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS ...) 
{DSA-4050-1 DLA-1549-1 DLA-1181-1} - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-241.html CVE-2017-15595 (An issue was discovered in Xen through 4.9.x allowing x86 PV guest OS ...) {DSA-4050-1 DLA-1559-1 DLA-1181-1} - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-240.html CVE-2017-15589 (An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS ...) {DSA-4050-1 DLA-1549-1 DLA-1181-1} - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-239.html CVE-2017-15591 (An issue was discovered in Xen 4.5.x through 4.9.x allowing attackers ...) {DSA-4050-1} - xen 4.8.2+xsa245-0+deb9u1 [jessie] - xen (Only affects 4.5 and later) [wheezy] - xen (Only affects 4.5 and later) NOTE: https://xenbits.xen.org/xsa/advisory-238.html CVE-2017-15590 (An issue was discovered in Xen through 4.9.x allowing x86 guest OS use ...) {DSA-4050-1 DLA-1549-1} - xen 4.8.2+xsa245-0+deb9u1 [wheezy] - xen (Patches too intrusive to backport) NOTE: https://xenbits.xen.org/xsa/advisory-237.html CVE-2017-15289 (The mode4and5 write functions in hw/display/cirrus_vga.c in Qemu allow ...) {DSA-4213-1 DLA-1497-1} - qemu 1:2.11+dfsg-1 (bug #880832) [wheezy] - qemu (Can be fixed along in a future update) - qemu-kvm [wheezy] - qemu-kvm (Can be fixed along in a future update) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg02557.html NOTE: Fixed by: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=eb38e1bc3740725ca29a535351de94107ec58d51 CVE-2017-15288 (The compilation daemon in Scala before 2.10.7, 2.11.x before 2.11.12, ...) - scala 2.11.12-1 (unimportant) NOTE: http://scala-lang.org/news/security-update-nov17.html NOTE: For 2.11.x: https://github.com/scala/scala/pull/6108 NOTE: For 2.12.x: https://github.com/scala/scala/pull/6120 NOTE: For 2.10.x: https://github.com/scala/scala/pull/6128 NOTE: Neutralised by kernel hardening CVE-2017-15287 (There is XSS in the BouquetEditor WebPlugin for Dream Multimedia Dream ...) 
NOT-FOR-US: BouquetEditor WebPlugin CVE-2017-15286 (SQLite 3.20.1 has a NULL pointer dereference in tableColumnList in she ...) - sqlite3 3.20.1-2 (low; bug #878680) [stretch] - sqlite3 (Vulnerable code introduced later) [jessie] - sqlite3 (Vulnerable code introduced later) [wheezy] - sqlite3 (Vulnerable code not present) NOTE: https://github.com/Ha0Team/crash-of-sqlite3/blob/master/poc.md NOTE: https://www.sqlite.org/src/info/5d0ceb8dcdef92cd CVE-2017-15285 (X-Cart 5.2.23, 5.3.1.9, 5.3.2.13, and 5.3.3 is vulnerable to Remote Co ...) NOT-FOR-US: X-Cart CVE-2017-15284 (Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), all ...) NOT-FOR-US: OctoberCMS CVE-2017-15283 RESERVED CVE-2017-15282 RESERVED CVE-2017-15281 (ReadPSDImage in coders/psd.c in ImageMagick 7.0.7-6 allows remote atta ...) {DLA-2366-1 DLA-1785-1 DLA-1139-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #878579) NOTE: https://github.com/ImageMagick/ImageMagick/issues/832 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/e9d1c2adae866861a291535997b2263f26becb1e NOTE: https://github.com/ImageMagick/ImageMagick/commit/32cbfceeee57962321b2ead627129c9d9ffbfcdb CVE-2017-15280 (XML external entity (XXE) vulnerability in Umbraco CMS before 7.7.3 al ...) NOT-FOR-US: Umbraco CMS CVE-2017-15279 (Cross-site scripting (XSS) vulnerability in Umbraco CMS before 7.7.3 a ...) NOT-FOR-US: Umbraco CMS CVE-2017-15278 (Cross-Site Scripting (XSS) was discovered in TeamPass before 2.1.27.9. ...) - teampass (bug #730180) CVE-2017-15277 (ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick ...) 
{DSA-4321-1 DSA-4040-1 DSA-4032-1 DLA-1456-1 DLA-1140-1 DLA-1139-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #878578) - graphicsmagick 1.3.26-14 NOTE: IM6: https://github.com/ImageMagick/ImageMagick/commit/10aae21bf9dac47e16d8fcde7eba7f7f9d1e52f8 NOTE: https://github.com/ImageMagick/ImageMagick/issues/592 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/923c4a525c99 NOTE: https://github.com/neex/gifoeb CVE-2017-15276 (OpenText Documentum Content Server (formerly EMC Documentum Content Se ...) NOT-FOR-US: OpenText Documentum Content Server CVE-2017-15275 (Samba before 4.7.3 might allow remote attackers to obtain sensitive in ...) {DSA-4043-1 DLA-1183-1} - samba 2:4.7.1+dfsg-2 NOTE: https://www.samba.org/samba/security/CVE-2017-15275.html CVE-2017-15274 (security/keys/keyctl.c in the Linux kernel before 4.11.5 does not cons ...) - linux 4.11.6-1 [stretch] - linux 4.9.47-1 [jessie] - linux 3.16.48-1 [wheezy] - linux 3.2.93-1 NOTE: Fixed by: https://git.kernel.org/linus/5649645d725c73df4302428ee4e02c869248b4c5 (4.12-rc5) CVE-2017-15273 (Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10 ...) - mahara NOTE: https://mahara.org/interaction/forum/topic.php?id=8081 CVE-2017-15272 (The PSFTPd 10.0.4 Build 729 server stores its configuration inside PSF ...) NOT-FOR-US: PSFTPd CVE-2017-15271 (A use-after-free issue could be triggered remotely in the SFTP compone ...) NOT-FOR-US: PSFTPd CVE-2017-15270 (The PSFTPd 10.0.4 Build 729 server does not properly escape data befor ...) NOT-FOR-US: PSFTPd CVE-2017-15269 (The PSFTPd 10.0.4 Build 729 server does not prevent FTP bounce scans b ...) NOT-FOR-US: PSFTPd CVE-2017-15268 (Qemu through 2.10.0 allows remote attackers to cause a memory leak by ...) 
{DSA-4213-1} - qemu 1:2.11+dfsg-1 (bug #880836) [jessie] - qemu (I/O channels driver websockets introduced later) [wheezy] - qemu (I/O channels driver websockets introduced later) - qemu-kvm (I/O channels driver websockets introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg02278.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1496879 NOTE: https://bugs.launchpad.net/bugs/1718964 NOTE: Fixed by: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=a7b20a8efa28e5f22c26c06cd06c2f12bc863493 CVE-2017-15267 (In GNU Libextractor 1.4, there is a NULL Pointer Dereference in flac_m ...) {DLA-1198-1} - libextractor 1:1.6-1 (bug #878314) [stretch] - libextractor 1:1.3-4+deb9u1 [jessie] - libextractor 1:1.3-2+deb8u1 NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00003.html NOTE: http://openwall.com/lists/oss-security/2017/10/11/1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1499600 NOTE: Fixed by: https://git.gnunet.org/libextractor.git/commit/?id=6095d7132b57fc7368fc7a40bab2a71b735724d2 CVE-2017-15266 (In GNU Libextractor 1.4, there is a Divide-By-Zero in EXTRACTOR_wav_ex ...) {DLA-1198-1} - libextractor 1:1.6-1 (bug #878314) [stretch] - libextractor 1:1.3-4+deb9u1 [jessie] - libextractor 1:1.3-2+deb8u1 NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00002.html NOTE: http://openwall.com/lists/oss-security/2017/10/11/1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1499599 NOTE: Fixed by: https://git.gnunet.org/libextractor.git/commit/?id=b577d5452c5c4ee9d552da62a24b95f461551fe2 CVE-2017-15265 (Race condition in the ALSA subsystem in the Linux kernel before 4.13.8 ...) {DLA-1200-1} - linux 4.13.4-2 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1062520 NOTE: http://mailman.alsa-project.org/pipermail/alsa-devel/2017-October/126292.html CVE-2017-15264 (IrfanView version 4.44 (32bit) allows attackers to cause a denial of s ...) 
NOT-FOR-US: IrfanView CVE-2017-15263 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15262 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15261 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15260 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15259 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15258 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15257 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15256 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15255 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15254 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15253 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15252 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15251 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15250 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15249 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15248 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15247 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) 
NOT-FOR-US: IrfanView CVE-2017-15246 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15245 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15244 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15243 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15242 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15241 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15240 (IrfanView version 4.44 (32bit) with PDF plugin version 4.43 allows att ...) NOT-FOR-US: IrfanView CVE-2017-15239 (IrfanView 4.44 - 32bit with PDF plugin version 4.43 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-15238 (ReadOneJNGImage in coders/png.c in GraphicsMagick 1.3.26 has a use-aft ...) {DSA-4321-1} - graphicsmagick 1.3.26-14 [jessie] - graphicsmagick (Vulnerable code not present) [wheezy] - graphicsmagick (Vulnerable code does not exist) NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=93bdb9b30076 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=df946910910d NOTE: https://sourceforge.net/p/graphicsmagick/bugs/469/ CVE-2017-15237 RESERVED CVE-2017-15236 (Tiandy IP cameras 5.56.17.120 do not properly restrict a certain propr ...) NOT-FOR-US: Tiandy IP cameras CVE-2017-15235 (The File Manager (gollem) module 3.0.11 in Horde Groupware 5.2.21 allo ...) 
{DLA-2352-1} - php-horde-gollem 3.0.12-1 [jessie] - php-horde-gollem (Minor issue) NOTE: https://blogs.securiteam.com/index.php/archives/3454 NOTE: https://lists.horde.org/archives/announce/2017/001260.html NOTE: https://github.com/horde/gollem/commit/416249efa0fb9e98b596783565258806542a2c51 CVE-2017-15234 RESERVED CVE-2017-15233 RESERVED CVE-2017-15232 (libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and j ...) - libjpeg-turbo 1:2.0.5-1 (unimportant; bug #878567) - libjpeg6b (Vulnerable code not present) - libjpeg8 (Vulnerable code not present) - libjpeg9 (Vulnerable code not present) NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/pull/182 NOTE: https://github.com/mozilla/mozjpeg/issues/268 NOTE: IJG libjpeg releases not affected, see https://lists.debian.org/debian-lts/2017/10/msg00061.html NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/073b0e88a192adebbb479ee2456beb089d8b5de7 NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/5bc43c7821df982f65aa1c738f67fbf7cba8bd69 NOTE: Crash in CLI tools, no security impact CVE-2017-15231 RESERVED CVE-2017-15230 RESERVED CVE-2017-15229 RESERVED CVE-2017-15228 (Irssi before 1.0.5, when installing themes with unterminated colour fo ...) {DSA-4016-1 DLA-1217-1} - irssi 1.0.5-1 (bug #879521) NOTE: https://irssi.org/security/irssi_sa_2017_10.txt NOTE: https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1 CVE-2017-15227 (Irssi before 1.0.5, while waiting for the channel synchronisation, may ...) {DSA-4016-1 DLA-1217-1} - irssi 1.0.5-1 (bug #879521) NOTE: https://irssi.org/security/irssi_sa_2017_10.txt NOTE: https://github.com/irssi/irssi/commit/43e44d553d44e313003cee87e6ea5e24d68b84a1 CVE-2017-15226 (Zyxel NBG6716 V1.00(AAKG.9)C0 devices allow command injection in the o ...) NOT-FOR-US: Zyxel CVE-2017-15225 (_bfd_dwarf2_cleanup_debug_info in dwarf2.c in the Binary File Descript ...) 
[experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22212 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b55ec8b676ed05d93ee49d6c79ae0403616c4fb0 CVE-2017-15224 RESERVED CVE-2017-15223 (Denial-of-service vulnerability in ArGoSoft Mini Mail Server 1.0.0.2 a ...) NOT-FOR-US: ArGoSoft Mini Mail Server CVE-2017-15222 (Buffer Overflow vulnerability in Ayukov NFTPD 2.0 and earlier allows r ...) NOT-FOR-US: Ayukov NFTPD CVE-2017-15221 (ASX to MP3 converter 3.1.3.7.2010.11.05 has a buffer overflow via a cr ...) NOT-FOR-US: ASX to MP3 converter CVE-2017-15220 (Flexense VX Search Enterprise 10.1.12 is vulnerable to a buffer overfl ...) NOT-FOR-US: Flexense VX Search Enterprise CVE-2017-15219 (The dotCMS 4.1.1 application is vulnerable to Stored Cross-Site Script ...) NOT-FOR-US: dotCMS CVE-2017-15218 (ImageMagick 7.0.7-2 has a memory leak in ReadOneJNGImage in coders/png ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/760 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/698c09d05a749664288281012f319cd51da664ee NOTE: https://github.com/ImageMagick/ImageMagick/commit/6387479aa974709d5c329c8efbde38175f386844 CVE-2017-15217 (ImageMagick 7.0.7-2 has a memory leak in ReadSGIImage in coders/sgi.c. ...) [experimental] - imagemagick 8:6.9.9.34+dfsg-1 - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/759 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/9bad9cd6752bf8dc5825f555fd1117855bd2fc47 NOTE: https://github.com/ImageMagick/ImageMagick/commit/8fa3c10977f668c92688272a4802f4477df61076 CVE-2017-15216 (MISP before 2.4.81 has a potential reflected XSS in a quickDelete acti ...) 
NOT-FOR-US: MISP CVE-2017-15215 (Reflected XSS vulnerability in Shaarli v0.9.1 allows an unauthenticate ...) - shaarli (Fixed before initial re-upload to the archive) CVE-2017-15214 (Stored XSS vulnerability in Flyspray 1.0-rc4 before 1.0-rc6 allows an ...) NOT-FOR-US: Flyspray CVE-2017-15213 (Stored XSS vulnerability in Flyspray before 1.0-rc6 allows an authenti ...) NOT-FOR-US: Flyspray CVE-2017-15212 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15211 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15210 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15209 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15208 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15207 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15206 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15205 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15204 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15203 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15202 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15201 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15200 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) 
- kanboard (bug #790814) CVE-2017-15199 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15198 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15197 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15196 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15195 (In Kanboard before 1.0.47, by altering form data, an authenticated use ...) - kanboard (bug #790814) CVE-2017-15193 (In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the MBIM dissector cou ...) - wireshark 2.4.2-1 (low) [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14056 NOTE: https://code.wireshark.org/review/23537 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=afb9ff7982971aba6e42472de0db4c1bedfc641b NOTE: https://www.wireshark.org/security/wnpa-sec-2017-43.html CVE-2017-15192 (In Wireshark 2.4.0 to 2.4.1 and 2.2.0 to 2.2.9, the BT ATT dissector c ...) - wireshark 2.4.2-1 (low) [jessie] - wireshark (Vulnerable code introduced in version 1.99) [wheezy] - wireshark (Vulnerable code introduced in version 1.99) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14049 NOTE: https://code.wireshark.org/review/23470 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=3689dc1db36037436b1616715f9a3f888fc9a0f6 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-42.html CVE-2017-15191 (In Wireshark 2.4.0 to 2.4.1, 2.2.0 to 2.2.9, and 2.0.0 to 2.0.15, the ...) 
{DLA-1634-1} - wireshark 2.4.2-1 (low) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14068 NOTE: https://code.wireshark.org/review/23591 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=8dbb21dfde14221dab09b6b9c7719b9067c1f06e NOTE: https://www.wireshark.org/security/wnpa-sec-2017-44.html CVE-2017-15190 (In Wireshark 2.4.0 to 2.4.1, the RTSP dissector could crash. This was ...) - wireshark 2.4.2-1 (low) [stretch] - wireshark (Only affects 2.4) [jessie] - wireshark (Only affects 2.4) [wheezy] - wireshark (Only affects 2.4) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14077 NOTE: https://code.wireshark.org/review/23635 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e27870eaa6efa1c2dac08aa41a67fe9f0839e6e0 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-45.html CVE-2017-15189 (In Wireshark 2.4.0 to 2.4.1, the DOCSIS dissector could go into an inf ...) - wireshark 2.4.2-1 (low) [jessie] - wireshark (vulnerable code not present) [wheezy] - wireshark (vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14080 NOTE: https://code.wireshark.org/review/23663 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=625bab309d9dd21db2d8ae2aa3511810d32842a8 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-46.html NOTE: vulnerability introduced in https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=3e1828e35188e1 CVE-2017-15188 (A persistent (stored) XSS vulnerability in the EyesOfNetwork web inter ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-15187 RESERVED CVE-2017-15194 (include/global_session.php in Cacti 1.1.25 has XSS related to (1) the ...) 
- cacti 1.1.25+ds1-1 (bug #878304) [stretch] - cacti (Vulnerable code introduced in 1.0.0) [jessie] - cacti (Vulnerable code introduced in 1.0.0) [wheezy] - cacti (Vulnerable code introduced in 1.0.0) NOTE: https://github.com/Cacti/cacti/issues/1010 NOTE: https://github.com/Cacti/cacti/commit/93f661d8adcfa6618b11522cdab30e97bada33fd NOTE: https://github.com/Cacti/cacti/commit/4f87256e63859117f81d2a2bd40c9c730e39b65d CVE-2017-15186 (Double free vulnerability in FFmpeg 3.3.4 and earlier allows remote at ...) {DSA-4049-1} - ffmpeg 7:3.4-1 - libav [jessie] - libav (vulnerable code was introduced later) NOTE: https://www.openwall.com/lists/oss-security/2017/10/20/4 NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/df62b70de8aaa285168e72fe8f6e740843ca91fa CVE-2017-15185 (plugins/ogg.c in Libmp3splt 0.9.2 calls the libvorbis vorbis_block_cle ...) - mp3splt 2.6.2+20170630-2 [jessie] - mp3splt (Vulnerable code not present) [wheezy] - mp3splt (Vulnerable code does not exist) - libmp3splt [stretch] - libmp3splt (Minor issue) [jessie] - libmp3splt (Minor issue) [wheezy] - libmp3splt (Minor issue) NOTE: https://anonscm.debian.org/cgit/users/ron/mp3splt.git/commit/?id=18f018cd774cb931116ce06a520dc0c5f9443932 CVE-2017-15184 REJECTED CVE-2017-15183 REJECTED CVE-2017-15182 REJECTED CVE-2017-15181 REJECTED CVE-2017-15180 REJECTED CVE-2017-15179 REJECTED CVE-2017-15178 REJECTED CVE-2017-15177 REJECTED CVE-2017-15176 REJECTED CVE-2017-15175 REJECTED CVE-2017-15174 REJECTED CVE-2017-15173 REJECTED CVE-2017-15172 REJECTED CVE-2017-15171 REJECTED CVE-2017-15170 REJECTED CVE-2017-15169 REJECTED CVE-2017-15168 REJECTED CVE-2017-15167 REJECTED CVE-2017-15166 REJECTED CVE-2017-15165 REJECTED CVE-2017-15164 REJECTED CVE-2017-15163 REJECTED CVE-2017-15162 REJECTED CVE-2017-15161 REJECTED CVE-2017-15160 REJECTED CVE-2017-15159 REJECTED CVE-2017-15158 REJECTED CVE-2017-15157 REJECTED CVE-2017-15156 REJECTED CVE-2017-15155 REJECTED CVE-2017-15154 REJECTED CVE-2017-15153 REJECTED 
CVE-2017-15152 REJECTED CVE-2017-15151 REJECTED CVE-2017-15150 REJECTED CVE-2017-15149 REJECTED CVE-2017-15148 REJECTED CVE-2017-15147 REJECTED CVE-2017-15146 REJECTED CVE-2017-15145 REJECTED CVE-2017-15144 REJECTED CVE-2017-15143 REJECTED CVE-2017-15142 REJECTED CVE-2017-15141 REJECTED CVE-2017-15140 REJECTED CVE-2017-15139 (A vulnerability was found in openstack-cinder releases up to and inclu ...) [experimental] - cinder 2:13.0.0-1 - cinder 2:13.0.0-2 [stretch] - cinder (Minor issue) [jessie] - cinder (ScaleIO Driver support does not exist) NOTE: https://wiki.openstack.org/wiki/OSSN/OSSN-0084 NOTE: https://bugs.launchpad.net/ossn/+bug/1699573 CVE-2017-15138 (The OpenShift Enterprise cluster-read can access webhook tokens which ...) NOT-FOR-US: atomic-openshift CVE-2017-15137 (The OpenShift image import whitelist failed to enforce restrictions co ...) NOT-FOR-US: atomic-openshift CVE-2017-15136 (When registering and activating a new system with Red Hat Satellite 6 ...) NOT-FOR-US: Red Hat Satellite 6 CVE-2017-15135 (It was found that 389-ds-base since 1.3.6.1 up to and including 1.4.0. ...) - 389-ds-base 1.3.7.9-1 (bug #888451) [stretch] - 389-ds-base (Affected code was never backported) [jessie] - 389-ds-base (vulnerable code (patch for CVE-2016-5405) not applied) CVE-2017-15134 (A stack buffer overflow flaw was found in the way 389-ds-base 1.3.6.x ...) {DLA-1428-1} - 389-ds-base 1.3.7.9-1 (bug #888452) [stretch] - 389-ds-base (Minor issue) NOTE: Fixed by: https://pagure.io/389-ds-base/c/6aa2acdc3cad9 CVE-2017-15133 (A denial of service flaw was found in miekg-dns before 1.0.4. A remote ...) - golang-github-miekg-dns 0.0~git20170501.0.f282f80-3 (bug #888777) [stretch] - golang-github-miekg-dns (Minor issue) NOTE: https://github.com/miekg/dns/issues/627 NOTE: https://github.com/miekg/dns/pull/631 CVE-2017-15132 (A flaw was found in dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SA ...) 
{DSA-4130-1 DLA-1333-1} - dovecot 1:2.2.34-1 (bug #888432) NOTE: Fixed by: https://github.com/dovecot/core/commit/1a29ed2f96da1be22fa5a4d96c7583aa81b8b060.patch NOTE: Regression fix needed on top: https://github.com/dovecot/core/commit/a9b135760aea6d1790d447d351c56b78889dac22 CVE-2017-15131 (It was found that system umask policy is not being honored when creati ...) - xdg-user-dirs (unimportant) NOTE: The CVE relates that created directories by xdg-user-dirs might not NOTE: respect a system policy for user created files by setting a umask NOTE: system-wide in e.g. /etc/profile due to xdg-user-dirs being invoked NOTE: from Xsession scripts. This can be mitigated by e.g. using pam_umask NOTE: on session start and having it when xdg-user-dirs is executed. NOTE: In Debian xdg-user-dirs starting from 0.15-3 replaces the use of NOTE: /etc/X11/Xsession.d/*xdg-user-dirs-update with an autostart .desktop NOTE: file for user-dirs-update primarily to work as well with Wayland NOTE: sessions. NOTE: Enforcements can be achieved e.g. by using pam_umask. NOTE: http://bugs.freedesktop.org/show_bug.cgi?id=102303 CVE-2017-15130 (A denial of service flaw was found in dovecot before 2.2.34. An attack ...) {DSA-4130-1 DLA-1333-1} - dovecot 1:2.2.34-1 (bug #891820) NOTE: https://www.dovecot.org/list/dovecot-news/2018-February/000370.html NOTE: https://github.com/dovecot/core/commit/22311315b9f780211329c1522eb5aaa4faaa9391 NOTE: https://github.com/dovecot/core/commit/f3504763c27c2661716c0d1dbd3e0fc662107a21 NOTE: https://github.com/dovecot/core/commit/02da33a59fddd51cc3b8d95989de95574b7332f1 NOTE: https://github.com/dovecot/core/commit/390592e6af07e02064ebdbb1bbcf06528887370f NOTE: https://github.com/dovecot/core/commit/bc27538d084e01a7a1aca3330e27aebfc0e311eb NOTE: https://github.com/dovecot/core/commit/00016646cc32a3fa1cf54c22ed7388ed06bbc0f1 CVE-2017-15129 (A use-after-free vulnerability was found in network namespaces code af ...) 
- linux 4.14.12-1 [stretch] - linux 4.9.80-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/21b5944350052d2583e82dd59b19a9ba94a007f0 CVE-2017-15128 (A flaw was found in the hugetlb_mcopy_atomic_pte function in mm/hugetl ...) - linux 4.13.13-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: http://post-office.corp.redhat.com/archives/rhkernel-list/2017-October/msg09574.html CVE-2017-15127 (A flaw was found in the hugetlb_mcopy_atomic_pte function in mm/hugetl ...) - linux 3.13.4-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/5af10dfd0afc559bb4b0f7e3e8227a1578333995 CVE-2017-15126 (A use-after-free flaw was found in fs/userfaultfd.c in the Linux kerne ...) - linux 4.13.10-1 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/384632e67e0829deb8015ee6ad916b180049d252 CVE-2017-15125 (A flaw was found in CloudForms before 5.9.0.22 in the self-service UI ...) NOT-FOR-US: Red Hat CloudForms CVE-2017-15124 (VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older wa ...) 
{DSA-4213-1} - qemu 1:2.12~rc3+dfsg-1 (bug #884806) [jessie] - qemu (invasive patch, also builds on 2.5 socket refactoring, tentative backport crashes, no other distro fix for 2.1) [wheezy] - qemu (Can be fixed along in later update) - qemu-kvm [wheezy] - qemu-kvm (Can be fixed along in later update) NOTE: https://www.openwall.com/lists/oss-security/2017/12/19/4 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-12/msg03705.html NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-02/msg00796.html CVE-2017-15123 (A flaw was found in the CloudForms web interface, versions 5.8 - 5.10, ...) NOT-FOR-US: CloudForms CVE-2017-15122 RESERVED CVE-2017-15121 (A non-privileged user is able to mount a fuse filesystem on RHEL 6 or ...) - linux 3.11.5-1 [wheezy] - linux (Too much work to backport) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1520893 NOTE: Fixed by: https://git.kernel.org/linus/5a7203947a1d9b6f3a00a39fda08c2466489555f (v3.11-rc1) CVE-2017-15120 (An issue has been found in the parsing of authoritative answers in Pow ...) {DSA-4063-1} - pdns-recursor 4.1.0-1 [jessie] - pdns-recursor (Vulnerable code introduced in 4.0.0) [wheezy] - pdns-recursor (Vulnerable code introduced in 4.0.0) NOTE: Patch: https://downloads.powerdns.com/patches/2017-08 NOTE: https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-08.html CVE-2017-15119 (The Network Block Device (NBD) server in Quick Emulator (QEMU) before ...) {DSA-4213-1} - qemu 1:2.11+dfsg-1 (bug #883399) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05044.html CVE-2017-15118 (A stack-based buffer overflow vulnerability was found in NBD server im ...) 
- qemu 1:2.11+dfsg-1 (bug #883406) [stretch] - qemu (Vulnerable code introduced in 2.10) [jessie] - qemu (Vulnerable code introduced in 2.10) [wheezy] - qemu (Vulnerable code introduced in 2.10) - qemu-kvm (Vulnerable code introduced in 2.10) NOTE: Introduced by: https://git.qemu.org/?p=qemu.git;a=commit;h=f37708f6b8 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg05045.html CVE-2017-15117 REJECTED CVE-2017-15116 (The rngapi_reset function in crypto/rng.c in the Linux kernel before 4 ...) - linux 4.2.1-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2017-15115 (The sctp_do_peeloff function in net/sctp/socket.c in the Linux kernel ...) {DLA-1200-1} - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: https://git.kernel.org/linus/df80cd9b28b9ebaa284a41df611dbf3a2d05ca74 (v4.14-rc6) CVE-2017-15114 (When libvirtd is configured by OSP director (tripleo-heat-templates) t ...) - tripleo-heat-templates (Vulnerability introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1510015 NOTE: Bug: https://bugs.launchpad.net/tripleo/+bug/1730370 NOTE: TLS libvirt live migration disabled in: https://review.openstack.org/#/c/519015/ NOTE: TLS libvirt live migration introduced in: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=fa740c5e49994ffdd3a5aa1f43a0305c8e5a0b3a NOTE: Re-enabled libvirt TLS with SASL auth: NOTE: https://bugs.launchpad.net/tripleo/+bug/1732479 CVE-2017-15113 (ovirt-engine before version 4.1.7.6 with log level set to DEBUG includ ...) NOT-FOR-US: ovirt-engine CVE-2017-15112 (keycloak-httpd-client-install versions before 0.8 allow users to insec ...) NOT-FOR-US: Keycloak CVE-2017-15111 (keycloak-httpd-client-install versions before 0.8 insecurely creates t ...) NOT-FOR-US: Keycloak CVE-2017-15110 (In Moodle 3.x, students can find out email addresses of other students ...) 
- moodle CVE-2017-15109 RESERVED CVE-2017-15108 (spice-vdagent up to and including 0.17.0 does not properly escape save ...) {DLA-2524-1} - spice-vdagent 0.18.0-1 (bug #883238) [jessie] - spice-vdagent (Minor issue) [wheezy] - spice-vdagent (Vulnerable code not present) NOTE: Fixed by: https://cgit.freedesktop.org/spice/linux/vd_agent/commit/?id=8ba174816d245757e743e636df357910e1d5eb61 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1510864 CVE-2017-15107 (A vulnerability was found in the implementation of DNSSEC in Dnsmasq u ...) - dnsmasq 2.79-1 (bug #888200) [stretch] - dnsmasq (Minor issue) [jessie] - dnsmasq (Minor issue) [wheezy] - dnsmasq (Minor issue) NOTE: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2018q1/011896.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=4fe6744a220eddd3f1749b40cac3dfc510787de6 NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=cd7df612b14ec1bf831a966ccaf076be0dae7404 NOTE: https://medium.com/nlnetlabs/the-peculiar-case-of-nsec-processing-using-expanded-wildcard-records-ae8285f236be CVE-2017-15106 RESERVED CVE-2017-15105 (A flaw was found in the way unbound before 1.6.8 validated wildcard-sy ...) {DLA-1676-1 DLA-1264-1} - unbound 1.7.1-1 (bug #887733) [stretch] - unbound 1.6.0-3+deb9u2 NOTE: https://unbound.net/downloads/CVE-2017-15105.txt NOTE: https://unbound.net/downloads/patch_cve_2017_15105.diff NOTE: https://medium.com/nlnetlabs/the-peculiar-case-of-nsec-processing-using-expanded-wildcard-records-ae8285f236be CVE-2017-15104 (An access flaw was found in Heketi 5, where the heketi.json configurat ...) - heketi (bug #903384) CVE-2017-15103 (A security-check flaw was found in the way the Heketi 5 server API han ...) - heketi (bug #903384) CVE-2017-15102 (The tower_probe function in drivers/usb/misc/legousbtower.c in the Lin ...) 
- linux 4.7.8-1 [jessie] - linux 3.16.43-1 [wheezy] - linux 3.2.86-1 NOTE: Fixed by: https://git.kernel.org/linus/2fae9e5a7babada041e2e161699ade2447a01989 (4.9-rc1) CVE-2017-15101 (A missing patch for a stack-based buffer overflow in findTable() was f ...) - liblouis (Incomplete fix not applied in Debian) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1492701#c12 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1511023 CVE-2017-15100 (An attacker submitting facts to the Foreman server containing HTML can ...) - foreman (bug #663101) CVE-2017-15099 (INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10 ...) {DSA-4028-1} - postgresql-10 10.1-1 - postgresql-9.6 - postgresql-9.4 (ON CONFLICT DO UPDATE and RLS introduced in 9.5) - postgresql-9.1 (ON CONFLICT DO UPDATE and RLS introduced in 9.5) CVE-2017-15098 (Invalid json_populate_recordset or jsonb_populate_recordset function c ...) {DSA-4028-1 DSA-4027-1} - postgresql-10 10.1-1 - postgresql-9.6 - postgresql-9.4 - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) [wheezy] - postgresql-9.1 (Vulnerable code does not exist) CVE-2017-15097 (Privilege escalation flaws were found in the Red Hat initialization sc ...) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1508985 NOTE: Similar issues as CVE-2016-1255 in Debian NOT-FOR-US: Red Hat specific provides scripts for starting the database server during system boot and for initializing the database CVE-2017-15096 (A flaw was found in GlusterFS in versions prior to 3.10. A null pointe ...) 
- glusterfs 3.12.2-2 (bug #880017) [stretch] - glusterfs (Vulnerable code introduced later) [jessie] - glusterfs (Vulnerable code introduced later) [wheezy] - glusterfs (Vulnerable code introduced later) NOTE: https://review.gluster.org/18538 (master) NOTE: https://review.gluster.org/18539 (release-3.10) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1502928 NOTE: Fixed by: http://git.gluster.org/cgit/glusterfs.git/commit/?id=1f48d17fee0cac95648ec34d13f038b27ef5c6ac CVE-2017-15095 (A deserialization flaw was discovered in the jackson-databind in versi ...) {DSA-4037-1 DLA-2342-1 DLA-2091-1} - jackson-databind 2.9.1-1 - libjackson-json-java 1.9.13-2 NOTE: The Debian upload for stretch (2.8.6-1+deb9u1) and jessie (2.4.2-2+deb8u1) NOTE: misses the further sets of blacklists, in particular as well NOTE: https://github.com/FasterXML/jackson-databind/commit/3bfbb835 NOTE: which was already for CVE-2017-7525 but then the further tickets and patches NOTE: to block more dangerous types (at least they are): NOTE: https://github.com/FasterXML/jackson-databind/issues/1680 NOTE: https://github.com/FasterXML/jackson-databind/issues/1723 NOTE: https://github.com/FasterXML/jackson-databind/issues/1737 NOTE: https://github.com/FasterXML/jackson-databind/commit/e8f043d1 NOTE: https://github.com/FasterXML/jackson-databind/commit/ddfddfba NOTE: This CVE-2017-15095 should be considered to include everything in NOTE: NO_DESER_CLASS_NAMES as of: NOTE: https://github.com/FasterXML/jackson-databind/blob/7093008aa2afe8068e120df850189ae072dfa1b2/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java#L43 NOTE: Details: https://www.openwall.com/lists/oss-security/2017/11/02/3 NOTE: For libjackson-json-java: NOTE: https://github.com/FasterXML/jackson-1/commit/9ac68db819bce7b9546bc4bf1c44f82ca910fa31 CVE-2017-15094 (An issue has been found in the DNSSEC parsing code of PowerDNS Recurso ...) 
- pdns-recursor 4.0.7-1 [stretch] - pdns-recursor 4.0.4-1+deb9u2 [jessie] - pdns-recursor (Issue introduced in 4.0.0) [wheezy] - pdns-recursor (Issue introduced in 4.0.0) NOTE: https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-07.html NOTE: https://downloads.powerdns.com/patches/2017-07/ CVE-2017-15093 (When api-config-dir is set to a non-empty value, which is not the case ...) - pdns-recursor 4.0.7-1 [stretch] - pdns-recursor 4.0.4-1+deb9u2 [jessie] - pdns-recursor 3.6.2-2+deb8u4 [wheezy] - pdns-recursor (Vulnerable code introduced later) NOTE: https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-06.html NOTE: https://downloads.powerdns.com/patches/2017-06/ CVE-2017-15092 (A cross-site scripting issue has been found in the web interface of Po ...) - pdns-recursor 4.0.7-1 [stretch] - pdns-recursor 4.0.4-1+deb9u2 [jessie] - pdns-recursor (Issue introduced in 4.0.0) [wheezy] - pdns-recursor (Issue introduced in 4.0.0) NOTE: https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-05.html NOTE: https://downloads.powerdns.com/patches/2017-05/ CVE-2017-15091 (An issue has been found in the API component of PowerDNS Authoritative ...) - pdns 4.0.5-1 [stretch] - pdns 4.0.3-1+deb9u2 [jessie] - pdns 3.4.1-4+deb8u8 [wheezy] - pdns (Vulnerable code not present) NOTE: https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2017-04.html NOTE: https://downloads.powerdns.com/patches/2017-04/ CVE-2017-15090 (An issue has been found in the DNSSEC validation component of PowerDNS ...) - pdns-recursor 4.0.7-1 [stretch] - pdns-recursor 4.0.4-1+deb9u2 [jessie] - pdns-recursor (Issue introduced in 4.0.0) [wheezy] - pdns-recursor (Issue introduced in 4.0.0) NOTE: https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2017-03.html NOTE: https://downloads.powerdns.com/patches/2017-03/ CVE-2017-15089 (It was found that the Hotrod client in Infinispan before 9.2.0.CR1 wou ...) 
NOT-FOR-US: infinispan CVE-2017-15088 (plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka ...) - krb5 1.15.2-2 (unimportant; bug #871698) NOTE: https://github.com/krb5/krb5/pull/707 NOTE: Fixed by: https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4 NOTE: Red Hat enabled the code in question in the KDC and thus having it NOTE: exposed as network-facing issue. For Debian and upstream the code only NOTE: runs on client systems, and only with a certificate that is explicitly NOTE: configured locally, leading to a local kinit crash if passed a crafted NOTE: local certificate. This hardly has any harmful security implication. CVE-2017-15087 (It was discovered that the fix for CVE-2017-12163 was not properly shi ...) - samba (Incomplete Red Hat backport for CVE-2017-12163) CVE-2017-15086 (It was discovered that the fix for CVE-2017-12151 was not properly shi ...) - samba (Incomplete Red Hat backport for CVE-2017-12151) CVE-2017-15085 (It was discovered that the fix for CVE-2017-12150 was not properly shi ...) - samba (Incomplete Red Hat backport for CVE-2017-12150) CVE-2017-15084 (The web UI in Rapid7 Metasploit before 4.14.1-20170828 allows logout C ...) NOT-FOR-US: Metasploit Framework CVE-2017-15083 REJECTED CVE-2017-15082 RESERVED CVE-2017-15081 (In PHPSUGAR PHP Melody CMS 2.6.1, SQL Injection exists via the playlis ...) NOT-FOR-US: PHPSUGAR PHP Melody CMS CVE-2017-15080 RESERVED CVE-2017-15079 (The Smush Image Compression and Optimization plugin before 2.7.6 for W ...) 
NOT-FOR-US: Smush Image Compression and Optimization plugin for WordPress CVE-2017-15078 REJECTED CVE-2017-15077 REJECTED CVE-2017-15076 REJECTED CVE-2017-15075 REJECTED CVE-2017-15074 REJECTED CVE-2017-15073 REJECTED CVE-2017-15072 REJECTED CVE-2017-15071 REJECTED CVE-2017-15070 REJECTED CVE-2017-15069 REJECTED CVE-2017-15068 REJECTED CVE-2017-15067 REJECTED CVE-2017-15066 REJECTED CVE-2017-15065 REJECTED CVE-2017-15064 REJECTED CVE-2017-1002153 (Koji 1.13.0 does not properly validate SCM paths, allowing an attacker ...) - koji 1.16.0-1 (bug #877921) [stretch] - koji 1.10.0-1+deb9u1 NOTE: https://pagure.io/koji/issue/563 NOTE: https://pagure.io/koji/c/ba7b5a3cbed11ade11c3af5e834c9a6de4f6d7c3 CVE-2017-1000257 (An IMAP FETCH response line indicates the size of the returned data, i ...) {DSA-4007-1 DLA-1143-1} - curl 7.56.1-1 NOTE: https://curl.haxx.se/docs/adv_20171023.html CVE-2017-1000256 (libvirt version 2.3.0 and later is vulnerable to a bad default configu ...) {DSA-4003-1} - libvirt 3.8.0-3 (bug #878799) [jessie] - libvirt (Vulnerable code introduced later) [wheezy] - libvirt (Vulnerable code introduced later) NOTE: https://www.redhat.com/archives/libvirt-announce/2017-October/msg00001.html NOTE: https://security.libvirt.org/2017/0002.html NOTE: Broken by: http://libvirt.org/git/?p=libvirt.git;a=commit;h=ce61c16450d4992612d1fc6f39a39e79bfccead5 (master) NOTE: Fixed by: http://libvirt.org/git/?p=libvirt.git;a=commit;h=441d3eb6d1be940a67ce45a286602a967601b157 (master) CVE-2017-1000255 (On Linux running on PowerPC hardware (Power8 or later) a user process ...) - linux 4.13.4-2 [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/265e60a170d0a0ecfc2d20490134ed2c48dd45ab CVE-2017-15063 (There are CSRF vulnerabilities in Subrion CMS 4.1.x through 4.1.5, and ...) 
NOT-FOR-US: Subrion CMS CVE-2017-15062 RESERVED CVE-2017-15061 RESERVED CVE-2017-15060 RESERVED CVE-2017-15059 RESERVED CVE-2017-15058 RESERVED CVE-2017-15057 RESERVED CVE-2017-15056 (p_lx_elf.cpp in UPX 3.94 mishandles ELF headers, which allows remote a ...) - upx-ucl 3.94-4 (unimportant) NOTE: https://github.com/upx/upx/issues/128 NOTE: https://github.com/upx/upx/commit/ef336dbcc6dc8344482f8cf6c909ae96c3286317 NOTE: crash in CLI tool, no security impact CVE-2017-15055 (TeamPass before 2.1.27.9 does not properly enforce item access control ...) - teampass (bug #730180) CVE-2017-15054 (An arbitrary file upload vulnerability, present in TeamPass before 2.1 ...) - teampass (bug #730180) CVE-2017-15053 (TeamPass before 2.1.27.9 does not properly enforce manager access cont ...) - teampass (bug #730180) CVE-2017-15052 (TeamPass before 2.1.27.9 does not properly enforce manager access cont ...) - teampass (bug #730180) CVE-2017-15051 (Multiple stored cross-site scripting (XSS) vulnerabilities in TeamPass ...) - teampass (bug #730180) CVE-2017-15050 RESERVED CVE-2017-15049 (The ZoomLauncher binary in the Zoom client for Linux before 2.0.115900 ...) NOT-FOR-US: Zoom CVE-2017-15048 (Stack-based buffer overflow in the ZoomLauncher binary in the Zoom cli ...) NOT-FOR-US: Zoom CVE-2017-15047 (The clusterLoadConfig function in cluster.c in Redis 4.0.2 allows atta ...) - redis 4:4.0.2-5 (bug #878076; unimportant) [jessie] - redis (Vulnerable code introduced later) [wheezy] - redis (Vulnerable code introduced later) NOTE: https://github.com/antirez/redis/issues/4278 NOTE: Pull request: https://github.com/antirez/redis/pull/4365 CVE-2017-15046 (LAME 3.99.5, 3.99.4, 3.98.4, 3.98.2, 3.98 and 3.97 have a stack-based ...) 
- lame 3.99.5+repack1-8 [jessie] - lame 3.99.5+repack1-7+deb8u2 NOTE: https://sourceforge.net/p/lame/bugs/479/ NOTE: Starting with 3.99.5+repack1-8 libsndfile is used to read the input file, marking that as the fixed NOTE: version, although the internal lame code was only fixed in 3.100 (strictly speaking that would be NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations CVE-2017-15045 (LAME 3.99.5, 3.98.4, 3.98.2 and 3.98 has a heap-based buffer over-read ...) - lame 3.99.5+repack1-8 [jessie] - lame 3.99.5+repack1-7+deb8u2 NOTE: https://sourceforge.net/p/lame/bugs/478/ NOTE: Starting with 3.99.5+repack1-8 libsndfile is used to read the input file, marking that as the fixed NOTE: version, although the internal lame code was only fixed in 3.100 (strictly speaking that would be NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations CVE-2017-15044 (The default installation of DocuWare Fulltext Search server through 6. ...) NOT-FOR-US: DocuWare Fulltext Search server CVE-2017-15043 (A vulnerability in Sierra Wireless AirLink GX400, GX440, ES440, and LS ...) NOT-FOR-US: Sierra Wireless AirLink routers CVE-2017-15042 (An unintended cleartext issue exists in Go before 1.8.4 and 1.9.x befo ...) - golang-1.9 1.9.1-1 - golang-1.8 1.8.4-1 [stretch] - golang-1.8 (Minor issue, would require builds of all go packages in stable) - golang-1.7 [stretch] - golang-1.7 (Minor issue, would require builds of all go packages in stable) - golang [jessie] - golang (Minor issue, would require builds of all go packages in stable) [wheezy] - golang (Vulnerable code introduced later in version 1.1) NOTE: https://github.com/golang/go/issues/22134 NOTE: https://golang.org/cl/68023 NOTE: https://golang.org/cl/68210 NOTE: https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ CVE-2017-15041 (Go before 1.8.4 and 1.9.x before 1.9.1 allows "go get" remote command ...) 
{DLA-1148-1} - golang-1.9 1.9.1-1 - golang-1.8 1.8.4-1 [stretch] - golang-1.8 (Minor issue) - golang-1.7 [stretch] - golang-1.7 (Minor issue) - golang [jessie] - golang (Minor issue) NOTE: https://go.googlesource.com/go/+/a4544a0f8af001d1fb6df0e70750f570ec49ccf9%5E%21/ NOTE: https://github.com/golang/go/issues/22125 NOTE: https://golang.org/cl/68022 (1.9.x) NOTE: https://golang.org/cl/68190 (1.8.x) NOTE: https://github.com/golang/go/commit/533ee44cd45c064608ee2b833af9e86ef1cb294e (regression) NOTE: https://groups.google.com/d/msg/golang-dev/RinSE3EiJBI/kYL7zb07AgAJ CVE-2017-15040 RESERVED CVE-2017-15039 (Cross-site scripting (XSS) exists in Zurmo 3.2.1.57987acc3018 via a da ...) NOT-FOR-US: Zurmo CVE-2017-15038 (Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU ...) {DSA-4213-1 DLA-1497-1 DLA-1129-1 DLA-1128-1} - qemu 1:2.10.0+dfsg-2 (bug #877890) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-10/msg00729.html CVE-2017-15037 (In FreeBSD through 11.1, the smb_strdupin function in sys/netsmb/smb_s ...) - kfreebsd-10 (unimportant; bug #877903) NOTE: kfreebsd not covered by security support CVE-2017-15036 RESERVED CVE-2017-15035 (EmTec PyroBatchFTP before 3.18 allows remote servers to cause a denial ...) NOT-FOR-US: EmTec PyroBatchFTP CVE-2017-15034 RESERVED CVE-2017-15033 (ImageMagick version 7.0.7-2 contains a memory leak in ReadYUVImage in ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/pull/756 NOTE: https://github.com/ImageMagick/ImageMagick/commit/ef8f40689ac452398026c07da41656a7c87e4683 CVE-2017-15032 (ImageMagick version 7.0.7-2 contains a memory leak in ReadYCBCRImage i ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/pull/752 NOTE: https://github.com/ImageMagick/ImageMagick/commit/241988ca28139ad970c1d9717c419f41e360ddb0 CVE-2017-15031 (In all versions of ARM Trusted Firmware up to and including v1.4, not ...) 
NOT-FOR-US: ARM Trusted Firmware CVE-2017-15030 (Open-Xchange GmbH OX App Suite 7.8.4 and earlier is affected by: Cross ...) NOT-FOR-US: Open-Xchange GmbH OX App Suite CVE-2017-15029 (Open-Xchange GmbH OX App Suite 7.8.4 and earlier is affected by: SSRF. ...) NOT-FOR-US: Open-Xchange GmbH OX App Suite CVE-2017-15028 RESERVED CVE-2017-15027 RESERVED CVE-2017-15026 RESERVED CVE-2017-15025 (decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) libra ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/10/03/binutils-divide-by-zero-in-decode_line_info-dwarf2-c/ NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22186 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d8010d3e75ec7194a4703774090b27486b742d48 CVE-2017-15024 (find_abstract_instance_name in dwarf2.c in the Binary File Descriptor ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/10/03/binutils-infinite-loop-in-find_abstract_instance_name-dwarf2-c/ NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22187 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=52a93b95ec0771c97e26f0bb28630a271a667bd2 CVE-2017-15023 (read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) ...) 
[experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/10/03/binutils-null-pointer-dereference-in-concat_filename-dwarf2-c/ NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22200 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c361faae8d964db951b7100cada4dcdc983df1bf NOTE: When this issue is fixed it is to make sure to not open CVE-2017-15939, i.e. NOTE: not to apply the incomplete fix. See notes on CVE-2017-15939 CVE-2017-15022 (dwarf2.c in the Binary File Descriptor (BFD) library (aka libbfd), as ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/10/03/binutils-null-pointer-dereference-in-bfd_hash_hash-hash-c/ NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22201 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=11855d8a1f11b102a702ab76e95b22082cccf2f8 CVE-2017-15021 (bfd_get_debug_link_info_1 in opncls.c in the Binary File Descriptor (B ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/10/03/binutils-heap-based-buffer-overflow-in-bfd_getl32-opncls-c/ NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22197 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=52b36c51e5bf6d7600fdc6ba115b170b0e78e31d CVE-2017-15020 (dwarf1.c in the Binary File Descriptor (BFD) library (aka libbfd), as ...) 
[experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/10/03/binutils-heap-based-buffer-overflow-in-parse_die-dwarf1-c/ NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22202 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1da5c9a485f3dcac4c45e96ef4b7dae5948314b5 CVE-2017-15019 (LAME 3.99.5 has a NULL Pointer Dereference in the hip_decode_init func ...) - lame 3.100-1 [stretch] - lame (Minor issue) [jessie] - lame (Minor issue) NOTE: https://sourceforge.net/p/lame/bugs/477/ CVE-2017-15018 (LAME 3.99.5, 3.99.4, 3.99.3, 3.99.2, 3.99.1, 3.99, 3.98.4, 3.98.2 and ...) - lame 3.99.5+repack1-8 [jessie] - lame 3.99.5+repack1-7+deb8u2 NOTE: https://sourceforge.net/p/lame/bugs/480/ NOTE: Starting with 3.99.5+repack1-8 libsndfile is used to read the input file, marking that as the fixed NOTE: version, although the internal lame code was only fixed in 3.100 (strictly speaking that would be NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations CVE-2017-15017 (ImageMagick 7.0.7-0 Q16 has a NULL pointer dereference vulnerability i ...) {DLA-2366-1 DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #878554) NOTE: https://github.com/ImageMagick/ImageMagick/issues/723 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/5a1006a249516a875558c3d642e719b1eac8f820 NOTE: https://github.com/ImageMagick/ImageMagick/commit/0cff8bac0a47f8693cfe57f026fcd752689ff375 CVE-2017-15016 (ImageMagick 7.0.7-0 Q16 has a NULL pointer dereference vulnerability i ...) 
{DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/725 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/8254d24b86a62803231773ecf54c707aef4a1457 NOTE: https://github.com/ImageMagick/ImageMagick/commit/27f8ba82ddd665ab41cef6588128f680cbd69905 NOTE: emf.c not compiled under Debian CVE-2017-15015 (ImageMagick 7.0.7-0 Q16 has a NULL pointer dereference vulnerability i ...) {DLA-2366-1 DLA-1785-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #878555) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/724 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/0cbb3b3b02e7af493a9aafa8f7e7d23fc70644e4 NOTE: https://github.com/ImageMagick/ImageMagick/commit/a0cef9db632ef8e1b9de4c463700c6a24d4f96ca CVE-2017-15014 (OpenText Documentum Content Server (formerly EMC Documentum Content Se ...) NOT-FOR-US: OpenText Documentum Content Server CVE-2017-15013 (OpenText Documentum Content Server (formerly EMC Documentum Content Se ...) NOT-FOR-US: OpenText Documentum Content Server CVE-2017-15012 (OpenText Documentum Content Server (formerly EMC Documentum Content Se ...) NOT-FOR-US: OpenText Documentum Content Server CVE-2017-1000120 ([ERPNext][Frappe Version <= 7.1.27] SQL injection vulnerability in ...) NOT-FOR-US: ERPNext Frappe framework CVE-2017-1000119 (October CMS build 412 is vulnerable to PHP code execution in the file ...) NOT-FOR-US: October CMS CVE-2017-1000118 (Akka HTTP versions <= 10.0.5 Illegal Media Range in Accept Header C ...) NOT-FOR-US: Akka HTTP CVE-2017-1000114 (The Datadog Plugin stores an API key to access the Datadog service in ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000113 (The Deploy to container Plugin stored passwords unencrypted as part of ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000110 (Blue Ocean allows the creation of GitHub organization folders that are ...) 
NOT-FOR-US: Jenkins plugin CVE-2017-1000109 (The custom Details view of the Static Analysis Utilities based OWASP D ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000106 (Blue Ocean allows the creation of GitHub organization folders that are ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000105 (The optional Run/Artifacts permission can be enabled by setting a Java ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000104 (The Config File Provider Plugin is used to centrally manage configurat ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000103 (The custom Details view of the Static Analysis Utilities based DRY Plu ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000102 (The Details view of some Static Analysis Utilities based plugins, was ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000098 (The net/http package's Request.ParseMultipartForm method starts writin ...) {DLA-1123-1} - golang-1.9 (Fixed before initial release to Debian) - golang-1.8 (Fixed before initial release to Debian) - golang-1.7 1.7.4-1 - golang [jessie] - golang (Minor issue) NOTE: https://groups.google.com/forum/#!msg/golang-dev/4NdLzS8sls8/uIz8QlnIBQAJ NOTE: https://golang.org/cl/30410 NOTE: https://golang.org/issue/17965 CVE-2017-1000097 (On Darwin, user's trust preferences for root certificates were not hon ...) - golang (OS X specific issue) - golang-1.7 (OS X specific issue) - golang-1.8 (OS X specific issue) - golang-1.9 (OS X specific issue) NOTE: https://github.com/golang/go/issues/18141 CVE-2017-15011 (The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and S ...) - qbittorrent (Only affects Windows) CVE-2017-15010 (A ReDoS (regular expression denial of service) flaw was found in the t ...) - node-tough-cookie 2.3.4+dfsg-1 (bug #877660) NOTE: https://github.com/salesforce/tough-cookie/issues/92 NOTE: https://nodesecurity.io/advisories/525 CVE-2017-15009 (PRTG Network Monitor version 17.3.33.2830 is vulnerable to reflected C ...) 
NOT-FOR-US: PRTG Network Monitor CVE-2017-15008 (PRTG Network Monitor version 17.3.33.2830 is vulnerable to stored Cros ...) NOT-FOR-US: PRTG Network Monitor CVE-2017-15007 RESERVED CVE-2017-15006 RESERVED CVE-2017-15005 RESERVED CVE-2017-15004 RESERVED CVE-2017-15003 RESERVED CVE-2017-15002 RESERVED CVE-2017-15001 RESERVED CVE-2017-15000 RESERVED CVE-2017-14999 RESERVED CVE-2017-14998 RESERVED CVE-2017-14997 (GraphicsMagick 1.3.26 allows remote attackers to cause a denial of ser ...) {DSA-4321-1 DLA-1456-1 DLA-1130-1} - graphicsmagick 1.3.26-13 NOTE: https://sourceforge.net/p/graphicsmagick/code/ci/0683f8724200495059606c03f04e0d589b33ebe8/ NOTE: https://sourceforge.net/p/graphicsmagick/bugs/511/ CVE-2017-14996 RESERVED CVE-2017-14995 (The Management Console in WSO2 Application Server 5.3.0, WSO2 Business ...) NOT-FOR-US: WSO2 Application Server CVE-2017-14994 (ReadDCMImage in coders/dcm.c in GraphicsMagick 1.3.26 allows remote at ...) {DSA-4321-1 DLA-1456-1 DLA-1130-1} - graphicsmagick 1.3.26-13 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=b3eca3eaa264 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/512/ CVE-2017-14993 (OXID eShop Community Edition before 6.0.0 RC3 (development), 4.10.x be ...) NOT-FOR-US: OXID eShop Community Edition CVE-2017-14992 (Lack of content verification in Docker-CE (Also known as Moby) version ...) - docker.io 18.03.1+dfsg1-2 (bug #908055) - golang-github-vbatts-tar-split 0.10.2-1 (bug #908056) [stretch] - golang-github-vbatts-tar-split (Minor issue) NOTE: Issue needs to be fixed in src:golang-github-vbatts-tar-split first NOTE: https://github.com/vbatts/tar-split/issues/41 NOTE: docker.io needs then a rebuild with a fixed golang-github-vbatts-tar-split NOTE: version. NOTE: 17.12.1+dfsg-1 was the first upload (to experimental) using the fixed version NOTE: golang-github-vbatts-tar-split. CVE-2017-14991 (The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel before ...) 
- linux 4.13.4-1 [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/3e0097499839e0fe3af380410eababe5a47c4cf9 CVE-2017-14758 (OpenText Document Sciences xPression (formerly EMC Document Sciences x ...) NOT-FOR-US: EMC CVE-2017-14990 (WordPress 4.8.2 stores cleartext wp_signups.activation_key values (but ...) {DSA-3997-1} - wordpress 4.8.2+dfsg-2 (bug #877629) [wheezy] - wordpress (Fix requires database upgrade which is too intrusive compared to the actual benefit.) NOTE: https://core.trac.wordpress.org/ticket/38474 CVE-2017-14989 (A use-after-free in RenderFreetype in MagickCore/annotate.c in ImageMa ...) {DSA-4040-1 DSA-4032-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #878562) NOTE: https://github.com/ImageMagick/ImageMagick/issues/781 NOTE: https://github.com/ImageMagick/ImageMagick/commit/97740ccc177ee264e79091fa573d994eb6b05628 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/28bad01242898d7f863deedbfa8502c348293093 CVE-2017-14988 (** DISPUTED ** Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2 ...) - openexr (bug #878551; unimportant) NOTE: https://github.com/openexr/openexr/issues/248 NOTE: Issue in the use of openexr via ImageMagick, no real security impact CVE-2017-14987 RESERVED CVE-2017-14986 RESERVED CVE-2017-14985 (Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web inte ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14984 (Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web inte ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14983 (Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web inte ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14982 RESERVED CVE-2017-14981 (Cross-Site Scripting (XSS) was discovered in ATutor before 2.2.3. The ...) 
NOT-FOR-US: ATutor CVE-2017-14980 (Buffer overflow in Sync Breeze Enterprise 10.0.28 allows remote attack ...) NOT-FOR-US: Sync Breeze Enterprise CVE-2017-14979 (Gxlcms uses an unsafe character-replacement approach in an attempt to ...) NOT-FOR-US: Gxlcms CVE-2017-14978 RESERVED CVE-2017-14977 (The FoFiTrueType::getCFFBlock function in FoFiTrueType.cc in Poppler 0 ...) {DSA-4079-1 DLA-1177-1} - poppler 0.61.1-2 (low; bug #877952) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=103045 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=19eedc6fb693a62f305e13079501e3105f869f3c CVE-2017-14976 (The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler 0. ...) {DSA-4079-1 DLA-1177-1} - poppler 0.61.1-2 (low; bug #877954) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102724 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=da63c35549e8852a410946ab016a3f25ac701bdf CVE-2017-14975 (The FoFiType1C::convertToType0 function in FoFiType1C.cc in Poppler 0. ...) {DSA-4079-1 DLA-1177-1} - poppler 0.61.1-2 (low; bug #877957) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102653 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=a5e5649ecf16fa05770620dbbd4985935dc2bbff CVE-2017-14974 (The *_get_synthetic_symtab functions in the Binary File Descriptor (BF ...) - binutils 2.29.1-2 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: First version containing the fix was 2.29.1-2, which was quickly followed by NOTE: a fixed 2.29.1-3 for unrelated issues. NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22163 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e70c19e3a4c26e9c1ebf0c9170d105039b56d7cf CVE-2017-14973 (IDenticard Two-Reader Controller Configuration Manager 1.18.8 (396) is ...) NOT-FOR-US: IDenticard Two-Reader Controller Configuration Manager CVE-2017-14972 (InFocus Mondopad 2.2.08 is vulnerable to authentication bypass when ac ...) 
NOT-FOR-US: InFocus Mondopad CVE-2017-14971 (Infocus Mondopad 2.2.08 is vulnerable to a Hashed Credential Disclosur ...) NOT-FOR-US: InFocus Mondopad CVE-2017-14970 (In lib/ofp-util.c in Open vSwitch (OvS) before 2.8.1, there are multip ...) [experimental] - openvswitch 2.8.1+dfsg1-1 - openvswitch 2.8.1+dfsg1-2 (unimportant; bug #877543) NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2017-September/339085.html NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2017-September/339086.html NOTE: Not considered a security issue by upstream, see #877543 CVE-2017-14969 (In IKARUS anti.virus before 2.16.18, the ntguard.sys driver contains a ...) NOT-FOR-US: IKARUS anti.virus CVE-2017-14968 (In IKARUS anti.virus before 2.16.18, the ntguard.sys driver contains a ...) NOT-FOR-US: IKARUS anti.virus CVE-2017-14967 (In IKARUS anti.virus before 2.16.18, the ntguard.sys driver contains a ...) NOT-FOR-US: IKARUS anti.virus CVE-2017-14966 (In IKARUS anti.virus before 2.16.18, the ntguard.sys driver contains a ...) NOT-FOR-US: IKARUS anti.virus CVE-2017-14965 (In IKARUS anti.virus before 2.16.18, the ntguard.sys driver contains a ...) NOT-FOR-US: IKARUS anti.virus CVE-2017-14964 (In IKARUS anti.virus before 2.16.18, the ntguard.sys driver contains a ...) NOT-FOR-US: IKARUS anti.virus CVE-2017-14963 (In IKARUS anti.virus before 2.16.18, the ntguard.sys driver contains a ...) NOT-FOR-US: IKARUS anti.virus CVE-2017-14962 (In IKARUS anti.virus before 2.16.18, the ntguard.sys driver contains a ...) NOT-FOR-US: IKARUS anti.virus CVE-2017-14961 (In IKARUS anti.virus 2.16.7, the ntguard.sys driver contains an Arbitr ...) NOT-FOR-US: IKARUS anti.virus CVE-2017-14960 (xDashboard in OpenText Document Sciences xPression (formerly EMC Docum ...) NOT-FOR-US: EMC Document Sciences xPression CVE-2017-14959 RESERVED CVE-2017-14958 (lib.php in PivotX 2.3.11 does not properly block uploads of dangerous ...) 
NOT-FOR-US: PivotX CVE-2017-14957 (Stored XSS vulnerability via a comment in inc/conv.php in BlogoText be ...) NOT-FOR-US: BlogoText CVE-2017-14956 (AlienVault USM v5.4.2 and earlier offers authenticated users the funct ...) NOT-FOR-US: AlienVault CVE-2017-14955 (Check_MK before 1.2.8p26 mishandles certain errors within the failed-l ...) - check-mk 1.2.8p26-1 [wheezy] - check-mk (Vulnerable code not present) NOTE: http://mathias-kettner.com/check_mk_werks.php?edition_id=raw&branch=1.2.8 NOTE: https://mathias-kettner.de/check_mk_werks.php?werk_id=5208&HTML=yes NOTE: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=a4a2cc1f30ff6032899ca80eed29fa26b8898c54 CVE-2017-14954 (The waitid implementation in kernel/exit.c in the Linux kernel through ...) - linux (Vulnerable code introduced in v4.13-rc1) NOTE: Fixed by: https://git.kernel.org/linus/6c85501f2fabcfc4fc6ed976543d252c4eaf4be9 CVE-2017-14953 (** DISPUTED ** HikVision Wi-Fi IP cameras, when used in a wired config ...) NOT-FOR-US: HikVision CVE-2017-14952 (Double free in i18n/zonemeta.cpp in International Components for Unico ...) - icu 57.1-7 (bug #878840) [stretch] - icu 57.1-6+deb9u1 [jessie] - icu 52.1-8+deb8u6 [wheezy] - icu (Can be fixed in next update) NOTE: http://www.sourcebrella.com/blog/double-free-vulnerability-international-components-unicode-icu/ NOTE: http://bugs.icu-project.org/trac/changeset/40324/trunk/icu4c/source/i18n/zonemeta.cpp CVE-2017-14951 RESERVED CVE-2017-14950 RESERVED CVE-2017-14949 (Restlet Framework before 2.3.12 allows remote attackers to access arbi ...) - restlet (bug #596472) CVE-2017-14948 (Certain D-Link products are affected by: Buffer Overflow. This affects ...) NOT-FOR-US: D-Link CVE-2017-14947 (Artifex GSView 6.0 Beta on Windows allows attackers to execute arbitra ...) NOT-FOR-US: GSView (different from gv) CVE-2017-14946 (Artifex GSView 6.0 Beta on Windows allows attackers to cause a denial ...) 
NOT-FOR-US: GSView (different from gv) CVE-2017-14945 (Artifex GSView 6.0 Beta on Windows allows attackers to cause a denial ...) NOT-FOR-US: GSView (different from gv) CVE-2017-14944 (Inedo ProGet before 4.7.14 does not properly address dangerous package ...) NOT-FOR-US: Inedo ProGet CVE-2017-14943 (Trapeze TransitMaster is vulnerable to information disclosure (emails ...) NOT-FOR-US: Trapeze TransitMaster CVE-2017-14942 (Intelbras WRN 150 devices allow remote attackers to read the configura ...) NOT-FOR-US: Intelbras WRN 150 devices CVE-2017-14941 (Jaspersoft JasperReports 4.7 suffers from a saved credential disclosur ...) - jasperreports (bug #880467; bug #884131) [jessie] - jasperreports (no detailed information available, only needed as build-dependency for Spring) [wheezy] - jasperreports (cannot be supported due to lack of information) NOTE: https://github.com/binary1985/VulnerabilityDisclosure/blob/master/JasperSoft%20JasperReports%20-%204.7%20-%20CVE-2017-14941 CVE-2017-14940 (scan_unit_for_symbols in dwarf2.c in the Binary File Descriptor (BFD) ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22166 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0d76029f92182c3682d8be2c833d45bc9a2068fe NOTE: https://blogs.gentoo.org/ago/2017/09/26/binutils-null-pointer-dereference-in-scan_unit_for_symbols-dwarf2-c CVE-2017-14939 (decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) libra ...) 
[experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22169 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=515f23e63c0074ab531bc954f84ca40c6281a724 NOTE: https://blogs.gentoo.org/ago/2017/09/26/binutils-heap-based-buffer-overflow-in-read_1_byte-dwarf2-c CVE-2017-14938 (_bfd_elf_slurp_version_tables in elf.c in the Binary File Descriptor ( ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22166 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bd61e135492ecf624880e6b78e5fcde3c9716df6 NOTE: https://blogs.gentoo.org/ago/2017/09/26/binutils-memory-allocation-failure-in-_bfd_elf_slurp_version_tables-elf-c/ CVE-2017-14937 (The airbag detonation algorithm allows injury to passenger-car occupan ...) NOT-FOR-US: passenger-car CVE-2017-14936 RESERVED CVE-2017-14935 (Pulse Secure Pulse One On-Premise 2.0.1649 and below does not properly ...) NOT-FOR-US: Pulse Secure CVE-2017-14934 (process_debug_info in dwarf.c in the Binary File Descriptor (BFD) libr ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22219 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=19485196044b2521af979f1e5c4a89bfb90fba0b CVE-2017-14933 (read_formatted_entries in dwarf2.c in the Binary File Descriptor (BFD) ...) 
[experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22210 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=30d0157a2ad64e64e5ff9fcc0dbe78a3e682f573 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=33e0a9a056bd23e923b929a4f2ab049ade0b1c32 CVE-2017-14932 (decode_line_info in dwarf2.c in the Binary File Descriptor (BFD) libra ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22204 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e338894dc2e603683bed2172e8e9f25b29051005 CVE-2017-14931 (ExifImageFile::readDQT in ExifImageFileRead.cpp in OpenExif 2.1.4 allo ...) NOT-FOR-US: OpenExif CVE-2017-14930 (Memory leak in decode_line_info in dwarf2.c in the Binary File Descrip ...) [experimental] - binutils 2.29.51.20171128-1 - binutils 2.29.90.20180122-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22191 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a26a013f22a19e2c16729e64f40ef8a7dfcc086e CVE-2017-14929 (In Poppler 0.59.0, memory corruption occurs in a call to Object::dictL ...) - poppler 0.61.1-2 (bug #877222) [stretch] - poppler 0.48.0-2+deb9u2 [jessie] - poppler (Minor impact, too intrusive to backport) [wheezy] - poppler (unreproducible, requires API change which appears to be too intrusive in this case.) 
NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102969 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=2c92c7b6a828c9db8a38f079ea7a3d51c12a481d CVE-2017-14928 (In Poppler 0.59.0, a NULL Pointer Dereference exists in AnnotRichMedia ...) {DLA-2440-1} - poppler 0.61.1-2 (low; bug #877231) [jessie] - poppler (Problematic code introduced in 0.36) [wheezy] - poppler (Problematic code introduced in 0.36) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102607 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=1316c7a41f4dd7276f404f775ebb5fef2d24ab1c CVE-2017-14927 (In Poppler 0.59.0, a NULL Pointer Dereference exists in the SplashOutp ...) - poppler 0.61.1-2 (low; bug #877237) [stretch] - poppler (Vulnerable code introduced in 0.49) [jessie] - poppler (Vulnerable code introduced in 0.49) [wheezy] - poppler (Vulnerable code introduced in 0.49) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102604 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=6472d8493f7e82cc78b41da20a2bf19fcb4e0a7d CVE-2017-14926 (In Poppler 0.59.0, a NULL Pointer Dereference exists in AnnotRichMedia ...) {DLA-2440-1} - poppler 0.61.1-2 (low; bug #877239) [jessie] - poppler (Problematic code introduced in 0.36) [wheezy] - poppler (Problematic code introduced in 0.36) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102601 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=2532df6060092e9fab7f041ae9598aff9cdd94bb CVE-2017-14925 (Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tik ...) - tikiwiki CVE-2017-14924 (Cross-Site Request Forgery (CSRF) vulnerability via IMG element in Tik ...) - tikiwiki CVE-2017-14923 (Stored XSS vulnerability via IMG element at "Leadname" of CRM in Tine ...) NOT-FOR-US: Tine groupware CVE-2017-14922 (Stored XSS vulnerability via IMG element at "History" of Profile, Cale ...) NOT-FOR-US: Tine groupware CVE-2017-14921 (Stored XSS vulnerability via IMG element at "Filename" of Filemanager ...) 
NOT-FOR-US: Tine groupware CVE-2017-14920 (Stored XSS vulnerability in eGroupware Community Edition before 16.1.2 ...) NOT-FOR-US: eGroupware CVE-2017-14919 (Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows r ...) - nodejs (Debian didn't use an affected zlib version) NOTE: Debian doesn't use zlib 1.2.9 yet NOTE: https://nodejs.org/en/blog/vulnerability/oct-2017-dos/ CVE-2017-14918 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14917 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14916 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14915 (In Android before 2018-01-05 on Qualcomm Snapdragon Mobile SD 625, SD ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14914 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14913 (In Android before 2018-01-05 on Qualcomm Snapdragon IoT, Snapdragon Mo ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14912 (In Android before 2018-01-05 on Qualcomm Snapdragon IoT, Snapdragon Mo ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14911 (In Android before 2018-01-05 on Qualcomm Snapdragon IoT, Snapdragon Mo ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14910 (In Snapdragon Automobile, Snapdragon IoT and Snapdragon Mobile MDM9206 ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14909 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14908 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14907 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) 
NOT-FOR-US: Qualcomm closed-source components on Android CVE-2017-14906 (In Android before 2018-01-05 on Qualcomm Snapdragon IoT, Snapdragon Mo ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14905 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14904 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Android MediaServer CVE-2017-14903 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14902 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Android CVE-2017-14901 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14900 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14899 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14898 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14897 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Android CVE-2017-14896 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14895 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Android CVE-2017-14894 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14893 (While flashing meta image, a buffer over-read may potentially occur wh ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14892 (In the function msm_pcm_hw_params() in Android for MSM, Firefox OS for ...) 
NOT-FOR-US: Qualcomm component for Android CVE-2017-14891 (In the KGSL driver function _gpuobj_map_useraddr() in Android for MSM, ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14890 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14889 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14888 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14887 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14886 RESERVED CVE-2017-14885 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14884 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14883 (In the function wma_unified_power_debug_stats_event_handler() in Andro ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14882 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14881 (While calling the IPA IOCTL handler for IPA_IOC_ADD_HDR_PROC_CTX in An ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14880 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14879 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14878 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14877 (While the IPA driver in Android for MSM, Firefox OS for MSM, and QRD A ...) 
NOT-FOR-US: Qualcomm component for Android CVE-2017-14876 (In msm_ispif_config_stereo() in Android for MSM, Firefox OS for MSM, a ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14875 (In the handler for the ioctl command VIDIOC_MSM_ISP_DUAL_HW_LPM_MODE i ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-14874 RESERVED CVE-2017-14873 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14872 (While flashing a meta image, a buffer over-read can potentially occur ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14871 RESERVED CVE-2017-14870 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14869 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-14868 (Restlet Framework before 2.3.11, when using SimpleXMLProvider, allows ...) - restlet (bug #596472) CVE-2017-14866 (There is a heap-based buffer overflow in the Exiv2::s2Data function of ...) - exiv2 (Versions prior to 0.26 don't parse ICC profiles yet; only affected experimental; bug #880015) NOTE: https://github.com/Exiv2/exiv2/issues/140 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494781 CVE-2017-14865 (There is a heap-based buffer overflow in the Exiv2::us2Data function o ...) - exiv2 (Vulnerable code introduced after 0.25; only affected experimental; bug #888865) NOTE: https://github.com/Exiv2/exiv2/issues/134 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494778 NOTE: Patch: https://github.com/Exiv2/exiv2/commit/d3c2b9938583440f87ce9115de5a7e8cd8f8db57 CVE-2017-14864 (An Invalid memory address dereference was discovered in Exiv2::getULon ...) 
{DLA-1147-1} - exiv2 0.27.2-6 (low) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/73 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494467 NOTE: Patches here: https://github.com/Exiv2/exiv2/pull/110 NOTE: Depends on: https://github.com/Exiv2/exiv2/commit/65f45a350516bfde4941d7906f2d67462f48d1ca CVE-2017-14863 (A NULL pointer dereference was discovered in Exiv2::Image::printIFDStr ...) - exiv2 (Vulnerable code introduced after 0.25; only affected experimental; bug #888866) NOTE: https://github.com/Exiv2/exiv2/issues/132 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494443 CVE-2017-14862 (An Invalid memory address dereference was discovered in Exiv2::DataVal ...) {DLA-1147-1} - exiv2 0.27.2-6 (low) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/75 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494786 NOTE: Patches here: https://github.com/Exiv2/exiv2/pull/110 NOTE: Depends on: https://github.com/Exiv2/exiv2/commit/65f45a350516bfde4941d7906f2d67462f48d1ca CVE-2017-14861 (There is a stack consumption vulnerability in the Exiv2::Internal::str ...) - exiv2 (printIFDStructure introduced in 0.26; only affected experimental; bug #880027) NOTE: https://github.com/Exiv2/exiv2/issues/139 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494787 CVE-2017-14860 (There is a heap-based buffer over-read in the Exiv2::Jp2Image::readMet ...) - exiv2 (Vulnerable code introduced after 0.25; only affected experimental; bug #888867) NOTE: https://github.com/Exiv2/exiv2/issues/71 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494776 NOTE: Patch: https://github.com/Exiv2/exiv2/pull/108 CVE-2017-14859 (An Invalid memory address dereference was discovered in Exiv2::StringV ...) 
{DLA-1147-1} - exiv2 0.27.2-6 (low) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/74 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494780 NOTE: Patches here: https://github.com/Exiv2/exiv2/pull/110 NOTE: Depends on: https://github.com/Exiv2/exiv2/commit/65f45a350516bfde4941d7906f2d67462f48d1ca CVE-2017-14858 (There is a heap-based buffer overflow in the Exiv2::l2Data function of ...) - exiv2 (TIFF meta data handler doesn't parse ICC profiles; only affected experimental; bug #897134) NOTE: https://github.com/Exiv2/exiv2/issues/138 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494782 CVE-2017-14857 (In Exiv2 0.26, there is an invalid free in the Image class in image.cp ...) - exiv2 (Vulnerable code not present; only affected experimental; bug #888869) NOTE: https://github.com/Exiv2/exiv2/issues/76 NOTE: https://github.com/Exiv2/exiv2/issues/124 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1495043 CVE-2017-14856 RESERVED CVE-2017-14855 (Red Lion HMI panels allow remote attackers to cause a denial of servic ...) NOT-FOR-US: Red Lion HMI CVE-2017-14854 (A stack buffer overflow exists in one of the Orpak SiteOmat CGI compon ...) NOT-FOR-US: Orpak SiteOmat CVE-2017-14853 (The Orpak SiteOmat OrCU component is vulnerable to code injection, for ...) NOT-FOR-US: Orpak SiteOmat CVE-2017-14852 (An insecure communication was found between a user and the Orpak SiteO ...) NOT-FOR-US: Orpak SiteOmat CVE-2017-14851 (A SQL injection vulnerability exists in all Orpak SiteOmat versions pr ...) NOT-FOR-US: Orpak SiteOmat CVE-2017-14850 (All known versions of the Orpak SiteOmat web management console is vul ...) NOT-FOR-US: Orpak SiteOmat CVE-2017-14849 (Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintende ...) 
- nodejs (Vulnerable code introduced in 8.5.0) NOTE: https://nodejs.org/en/blog/vulnerability/september-2017-path-validation/ NOTE: https://twitter.com/nodejs/status/913131152868876288 CVE-2017-14848 (WPHRM Human Resource Management System for WordPress 1.0 allows SQL In ...) NOT-FOR-US: Wordpress plugin CVE-2017-14847 (Mojoomla WPAMS Apartment Management System for WordPress allows SQL In ...) NOT-FOR-US: Mojoomla WPAMS Apartment Management System for WordPress CVE-2017-14846 (Mojoomla Hospital Management System for WordPress allows SQL Injection ...) NOT-FOR-US: Mojoomla Hospital Management System for WordPress CVE-2017-14845 (Mojoomla WPCHURCH Church Management System for WordPress allows SQL In ...) NOT-FOR-US: Mojoomla WPCHURCH Church Management System for WordPress CVE-2017-14844 (Mojoomla WPGYM WordPress Gym Management System allows SQL Injection vi ...) NOT-FOR-US: Mojoomla WPGYM WordPress Gym Management System CVE-2017-14843 (Mojoomla School Management System for WordPress allows SQL Injection v ...) NOT-FOR-US: Mojoomla School Management System for WordPress CVE-2017-14842 (Mojoomla SMSmaster Multipurpose SMS Gateway for WordPress allows SQL I ...) NOT-FOR-US: Mojoomla SMSmaster Multipurpose SMS Gateway for WordPress CVE-2017-14841 (Mojoomla Annual Maintenance Contract (AMC) Management System allows Ar ...) NOT-FOR-US: Mojoomla Annual Maintenance Contract (AMC) Management System CVE-2017-14840 (TeamWork TicketPlus allows Arbitrary File Upload in updateProfile. ...) NOT-FOR-US: TeamWork TicketPlus CVE-2017-14839 (TeamWork Photo Fusion allows Arbitrary File Upload in changeAvatar and ...) NOT-FOR-US: TeamWork Photo Fusion CVE-2017-14838 (TeamWork Job Links allows Arbitrary File Upload in profileChange and c ...) NOT-FOR-US: TeamWork Job Links CVE-2017-14837 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14836 (This vulnerability allows remote attackers to execute arbitrary code o ...) 
NOT-FOR-US: Foxit Reader CVE-2017-14835 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14834 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14833 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14832 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14831 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14830 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14829 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14828 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14827 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14826 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14825 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14824 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14823 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-14822 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-14821 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-14820 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-14819 (This vulnerability allows remote attackers to disclose sensitive infor ...) 
NOT-FOR-US: Foxit Reader CVE-2017-14818 (This vulnerability allows remote attackers to disclose sensitive on vu ...) NOT-FOR-US: Foxit Reader CVE-2017-14817 REJECTED CVE-2017-14816 REJECTED CVE-2017-14815 REJECTED CVE-2017-14814 REJECTED CVE-2017-14813 REJECTED CVE-2017-14812 REJECTED CVE-2017-14811 REJECTED CVE-2017-14810 REJECTED CVE-2017-14809 REJECTED CVE-2017-14808 REJECTED CVE-2017-14807 (An Improper Neutralization of Special Elements used in an SQL Command ...) NOT-FOR-US: SUSE Studio CVE-2017-14806 (A Improper Certificate Validation vulnerability in susestudio-common o ...) NOT-FOR-US: SUSE Studio CVE-2017-14805 RESERVED CVE-2017-14804 (The build package before 20171128 did not check directory names during ...) - obs-build 20180302-1 (bug #887306) [stretch] - obs-build 20160921-1+deb9u1 [jessie] - obs-build (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1069904 CVE-2017-14803 (In NetIQ Access Manager 4.3 and 4.4, a bug exists in Identity Server w ...) NOT-FOR-US: NetIQ Access Manager CVE-2017-14802 (Novell Access Manager Admin Console and IDP servers before 4.3.3 have ...) NOT-FOR-US: Novell Access Manager Admin Console CVE-2017-14801 (Reflected XSS in the NetIQ Access Manager before 4.3.3 allowed attacke ...) NOT-FOR-US: NetIQ CVE-2017-14800 (A reflected cross site scripting attack in the NetIQ Access Manager be ...) NOT-FOR-US: NetIQ CVE-2017-14799 (A cross site scripting attack in handling the ESP login parameter hand ...) NOT-FOR-US: NetIQ Access Manager CVE-2017-14798 (A race condition in the postgresql init script could be used by attack ...) NOT-FOR-US: SuSE-specific flaw in Postgres init script CVE-2017-14797 (Lack of Transport Encryption in the public API in Philips Hue Bridge B ...) NOT-FOR-US: Philips Hue CVE-2017-14796 (The hevc_write_frame function in libbpg.c in libbpg 0.9.7 allows remot ...) NOT-FOR-US: libbpg CVE-2017-14795 (The hevc_write_frame function in libbpg.c in libbpg 0.9.7 allows remot ...) 
NOT-FOR-US: libbpg CVE-2017-14794 REJECTED CVE-2017-14793 REJECTED CVE-2017-14792 REJECTED CVE-2017-14791 REJECTED CVE-2017-14790 REJECTED CVE-2017-14789 REJECTED CVE-2017-14788 REJECTED CVE-2017-14787 REJECTED CVE-2017-14786 REJECTED CVE-2017-14785 REJECTED CVE-2017-14784 REJECTED CVE-2017-14783 REJECTED CVE-2017-14782 REJECTED CVE-2017-14781 REJECTED CVE-2017-14780 REJECTED CVE-2017-14779 REJECTED CVE-2017-14778 REJECTED CVE-2017-14777 REJECTED CVE-2017-14776 REJECTED CVE-2017-14775 (Laravel before 5.5.10 mishandles the remember_me token verification pr ...) NOT-FOR-US: Laravel CVE-2017-14774 RESERVED CVE-2017-14773 (Skybox Manager Client Application prior to 8.5.501 is prone to an elev ...) NOT-FOR-US: Skybox Manager Client Application CVE-2017-14772 (Skybox Manager Client Application is prone to information disclosure v ...) NOT-FOR-US: Skybox Manager Client Application CVE-2017-14771 (Skybox Manager Client Application prior to 8.5.501 is prone to an arbi ...) NOT-FOR-US: Skybox Manager Client Application CVE-2017-14770 (Skybox Manager Client Application prior to 8.5.501 is prone to an info ...) NOT-FOR-US: Skybox Manager Client Application CVE-2017-14769 RESERVED CVE-2017-14768 RESERVED CVE-2017-14767 (The sdp_parse_fmtp_config_h264 function in libavformat/rtpdec_h264.c i ...) {DSA-3996-1 DLA-1630-1} - ffmpeg 7:3.3.4-1 - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/c42a1388a6d1bfd8001bf6a4241d8ca27e49326d NOTE: Fixed in 3.2.8 NOTE: The check is completely missing in Jessie. It should be added. CVE-2017-14766 (The Simple Student Result plugin before 1.6.4 for WordPress has an Aut ...) NOT-FOR-US: Wordpress plugin CVE-2017-14765 (In GeniXCMS 1.1.4, gxadmin/index.php has XSS via the Menu ID field in ...) NOT-FOR-US: GeniXCMS CVE-2017-14764 (In the Upload Modules page in GeniXCMS 1.1.4, remote authenticated use ...) NOT-FOR-US: GeniXCMS CVE-2017-14763 (In the Install Themes page in GeniXCMS 1.1.4, remote authenticated use ...) 
NOT-FOR-US: GeniXCMS CVE-2017-14762 (In GeniXCMS 1.1.4, /inc/lib/Control/Backend/menus.control.php has XSS ...) NOT-FOR-US: GeniXCMS CVE-2017-14761 (In GeniXCMS 1.1.4, /inc/lib/backend/menus.control.php has XSS via the ...) NOT-FOR-US: GeniXCMS CVE-2017-14760 (SQL Injection exists in /includes/event-management/index.php in the ev ...) NOT-FOR-US: Event Espresso Lite CVE-2017-14759 (OpenText Document Sciences xPression (formerly EMC Document Sciences x ...) NOT-FOR-US: OpenText Document Sciences xPression CVE-2017-14757 (OpenText Document Sciences xPression (formerly EMC Document Sciences x ...) NOT-FOR-US: OpenText Document Sciences xPression CVE-2017-14756 (OpenText Document Sciences xPression (formerly EMC Document Sciences x ...) NOT-FOR-US: OpenText Document Sciences xPression CVE-2017-14755 (OpenText Document Sciences xPression (formerly EMC Document Sciences x ...) NOT-FOR-US: OpenText Document Sciences xPression CVE-2017-14754 (OpenText Document Sciences xPression (formerly EMC Document Sciences x ...) NOT-FOR-US: OpenText Document Sciences xPression CVE-2017-14753 (Cross-site scripting (XSS) vulnerability in the EyesOfNetwork web inte ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14752 (Mahara 15.04 before 15.04.15, 16.04 before 16.04.9, 16.10 before 16.10 ...) - mahara NOTE: https://mahara.org/interaction/forum/topic.php?id=8083 CVE-2017-14751 (The Intense WP "WP Jobs" plugin 1.5 for WordPress has XSS, related to ...) NOT-FOR-US: Wordpress plugin CVE-2017-14750 RESERVED CVE-2017-14749 (JerryScript 1.0 allows remote attackers to cause a denial of service ( ...) - iotjs 1.0+715-1 [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/2008 CVE-2017-14748 (Race condition in Blizzard Overwatch 1.15.0.2 allows remote authentica ...) NOT-FOR-US: Blizzard Overwatch CVE-2017-14747 RESERVED CVE-2017-14746 (Use-after-free vulnerability in Samba 4.x before 4.7.3 allows remote a ...) 
{DSA-4043-1} - samba 2:4.7.1+dfsg-2 [wheezy] - samba (Issue introduced in 4.0.0) NOTE: https://www.samba.org/samba/security/CVE-2017-14746.html CVE-2017-14745 (The *_get_synthetic_symtab functions in the Binary File Descriptor (BF ...) - binutils 2.29-11 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22148 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=94670f6cf11fc29cc6db6814b38c4305d9bcac96 (master) NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e6ff33ca50c1180725dde11c84ee93fcdb4235ef (binutils-2_29-branch) CVE-2017-14867 (Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x ...) {DSA-3984-1 DLA-1120-1} - git 1:2.14.2-1 (bug #876854) NOTE: https://www.openwall.com/lists/oss-security/2017/09/26/9 NOTE: https://public-inbox.org/git/xmqqy3p29ekj.fsf@gitster.mtv.corp.google.com/T/#u CVE-2017-14744 (UEditor 1.4.3.3 has XSS via the SRC attribute of an IFRAME element. ...) NOT-FOR-US: UEditor CVE-2017-14743 (Faleemi FSC-880 00.01.01.0048P2 devices allow unauthenticated SQL inje ...) NOT-FOR-US: Faleemi FSC-880 00.01.01.0048P2 devices CVE-2017-14742 (Buffer overflow in LabF nfsAxe FTP client 3.7 allows an attacker to ex ...) NOT-FOR-US: LabF nfsAxe CVE-2017-14741 (The ReadCAPTIONImage function in coders/caption.c in ImageMagick 7.0.7 ...) {DLA-2366-1 DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #878548) NOTE: https://github.com/ImageMagick/ImageMagick/issues/771 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7d8e14899c562157c7760a77fc91625a27cb596f NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/bb11d07139efe0f5e4ce0e4afda32abdbe82fa9d CVE-2017-14740 (Cross-site scripting (XSS) vulnerability in GeniXCMS 1.1.0 allows remo ...) NOT-FOR-US: GeniXCMS CVE-2017-14739 (The AcquireResampleFilterThreadSet function in magick/resample-private ...) 
{DLA-2366-1 DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #878547) NOTE: https://github.com/ImageMagick/ImageMagick/issues/780 NOTE: https://github.com/ImageMagick/ImageMagick/commit/6017a80fe8327fefb77fa677d81154db2b857d1d NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/700fcf95b2c3f554dfbe75833b91f19dde208089 NOTE: Requires additional fixes: NOTE: https://github.com/ImageMagick/ImageMagick/commit/bbc582d5439a7f9338c6bdc8c34b1ae221ae5214 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/67a633df9386704f45d1ad24f7f5af8a5d11f4a3 CVE-2017-14738 (FileRun (version 2017.09.18 and below) suffers from a remote SQL injec ...) NOT-FOR-US: FileRun CVE-2017-14737 (A cryptographic cache-based side channel in the RSA implementation in ...) {DLA-1125-1} - botan1.10 1.10.17-0.1 (bug #877436) [stretch] - botan1.10 (Minor issue) [jessie] - botan1.10 (Minor issue) NOTE: https://github.com/randombit/botan/issues/1222 NOTE: https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/wang-shuai NOTE: for 1.10: https://github.com/randombit/botan/commit/aeb87170d1b9013b079c300c8858bad477d30bd4 NOTE: for 2.x: https://github.com/randombit/botan/commit/95df7f155570949837e8e28e733f3d59408092da CVE-2017-14736 RESERVED CVE-2017-14735 (OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstr ...) NOT-FOR-US: OWASP AntiSamy CVE-2017-14734 (The build_msps function in libbpg.c in libbpg 0.9.7 allows remote atta ...) NOT-FOR-US: libbpg CVE-2017-14733 (ReadRLEImage in coders/rle.c in GraphicsMagick 1.3.26 mishandles RLE h ...) {DSA-4321-1 DLA-1401-1 DLA-1130-1} - graphicsmagick 1.3.26-13 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=5381c71724e3 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/458/ CVE-2017-14732 RESERVED CVE-2017-14731 (ofx_proc_file in ofx_preproc.cpp in LibOFX 0.9.12 allows remote attack ...) 
{DLA-1192-1} - libofx 1:0.9.11-5 (bug #877442) [stretch] - libofx 1:0.9.10-2+deb9u1 [jessie] - libofx 1:0.9.10-1+deb8u1 NOTE: https://github.com/libofx/libofx/issues/10 NOTE: https://github.com/libofx/libofx/commit/fad8418f34094de42e1307113598e0e8bee0a2bd CVE-2017-14730 (The init script in the Gentoo app-admin/logstash-bin package before 5. ...) NOT-FOR-US: Gentoo packaging flaw for Logstash CVE-2017-14729 (The *_get_synthetic_symtab functions in the Binary File Descriptor (BF ...) - binutils 2.29.1-2 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: First version containing the fix was 2.29.1-2, which was quickly followed by NOTE: a fixed 2.29.1-3 for unrelated issues. NOTE: https://blogs.gentoo.org/ago/2017/09/25/binutils-heap-based-buffer-overflow-in-_bfd_x86_elf_get_synthetic_symtab-elfxx-x86-c/ NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22170 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=56933f9e3e90eebf1018ed7417d6c1184b91db6b NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=commitdiff;h=61e3bf5f83f7e505b6bc51ef65426e5b31e6e360 CVE-2017-14728 (An authentication bypass was found in an unknown area of the SiteOmat ...) NOT-FOR-US: Orpak SiteOmat CVE-2017-14726 (Before version 4.8.2, WordPress was vulnerable to a cross-site scripti ...) {DSA-3997-1} - wordpress 4.8.2+dfsg-1 (bug #876274) [wheezy] - wordpress (Vulnerable code not present) NOTE: https://core.trac.wordpress.org/changeset/41395 CVE-2017-14725 (Before version 4.8.2, WordPress was susceptible to an open redirect at ...) {DSA-3997-1 DLA-1151-1} - wordpress 4.8.2+dfsg-1 (bug #876274) NOTE: https://core.trac.wordpress.org/changeset/41398 CVE-2017-14724 (Before version 4.8.2, WordPress was vulnerable to cross-site scripting ...) 
- wordpress 4.8.2+dfsg-1 (bug #876274) [stretch] - wordpress 4.7.5+dfsg-2+deb9u1 [jessie] - wordpress (Vulnerable code not present) [wheezy] - wordpress (Vulnerable code not present) NOTE: https://core.trac.wordpress.org/changeset/41448 CVE-2017-14723 (Before version 4.8.2, WordPress mishandled % characters and additional ...) {DSA-3997-1 DLA-1151-1} - wordpress 4.8.2+dfsg-1 (bug #876274) NOTE: https://core.trac.wordpress.org/changeset/41470 NOTE: https://core.trac.wordpress.org/changeset/41496 NOTE: https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48 NOTE: https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec NOTE: https://medium.com/websec/wordpress-sqli-bbb2afcc8e94 NOTE: https://medium.com/websec/wordpress-sqli-poc-f1827c20bf8e CVE-2017-14722 (Before version 4.8.2, WordPress allowed a Directory Traversal attack i ...) {DSA-3997-1 DLA-1151-1} - wordpress 4.8.2+dfsg-1 (bug #876274) NOTE: https://core.trac.wordpress.org/changeset/41397 CVE-2017-14721 (Before version 4.8.2, WordPress allowed Cross-Site scripting in the pl ...) {DSA-3997-1 DLA-1151-1} - wordpress 4.8.2+dfsg-1 (bug #876274) NOTE: https://core.trac.wordpress.org/changeset/41412 CVE-2017-14720 (Before version 4.8.2, WordPress allowed a Cross-Site scripting attack ...) {DSA-3997-1 DLA-1151-1} - wordpress 4.8.2+dfsg-1 (bug #876274) NOTE: https://core.trac.wordpress.org/changeset/41412 CVE-2017-14719 (Before version 4.8.2, WordPress was vulnerable to a directory traversa ...) {DSA-3997-1 DLA-1151-1} - wordpress 4.8.2+dfsg-1 (bug #876274) NOTE: https://core.trac.wordpress.org/changeset/41457 CVE-2017-14718 (Before version 4.8.2, WordPress was susceptible to a Cross-Site Script ...) {DSA-3997-1 DLA-1151-1} - wordpress 4.8.2+dfsg-1 (bug #876274) NOTE: https://core.trac.wordpress.org/changeset/41393 CVE-2017-14727 (logger.c in the logger plugin in WeeChat before 1.9.1 allows a crash v ...) 
{DLA-1111-1} - weechat 1.9.1-1 (bug #876553) [stretch] - weechat 1.6-1+deb9u2 [jessie] - weechat 1.0.1-1+deb8u2 NOTE: Fixed by: https://github.com/weechat/weechat/commit/f105c6f0b56fb5687b2d2aedf37cb1d1b434d556 CVE-2017-14717 (In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Descripti ...) NOT-FOR-US: EPESI CVE-2017-14716 (In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Title par ...) NOT-FOR-US: EPESI CVE-2017-14715 (In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Alerts Ti ...) NOT-FOR-US: EPESI CVE-2017-14714 (In EPESI 1.8.2 rev20170830, there is Stored XSS in the Phonecalls Subj ...) NOT-FOR-US: EPESI CVE-2017-14713 (In EPESI 1.8.2 rev20170830, there is Stored XSS in the Phonecalls Desc ...) NOT-FOR-US: EPESI CVE-2017-14712 (In EPESI 1.8.2 rev20170830, there is Stored XSS in the Tasks Phonecall ...) NOT-FOR-US: EPESI CVE-2017-14711 (The Kickbase GmbH "Kickbase Bundesliga Manager" app before 2.2.1 -- ak ...) NOT-FOR-US: Kickbase GmbH "Kickbase Bundesliga Manager" CVE-2017-14710 (The Shein Group Ltd. "SHEIN - Fashion Shopping" app -- aka shein fashi ...) NOT-FOR-US: Fashion Shopping app CVE-2017-14709 (The komoot GmbH "Komoot - Cycling & Hiking Maps" app before 9.3.2 ...) NOT-FOR-US: Cycling & Hiking Maps app CVE-2017-14708 RESERVED CVE-2017-14707 RESERVED CVE-2017-14706 (DenyAll WAF before 6.4.1 allows unauthenticated remote attackers to ob ...) NOT-FOR-US: DenyAll WAF CVE-2017-14705 (DenyAll WAF before 6.4.1 allows unauthenticated remote command executi ...) NOT-FOR-US: DenyAll WAF CVE-2017-14704 (Multiple unrestricted file upload vulnerabilities in the (1) imageSubm ...) NOT-FOR-US: Claydip Laravel Airbnb Clone CVE-2017-14703 (SQL injection vulnerability in Cash Back Comparison Script 1.0 allows ...) NOT-FOR-US: Cash Back Comparison Script CVE-2017-14702 (ERS Data System 1.8.1.0 allows remote attackers to execute arbitrary c ...) 
NOT-FOR-US: ERS Data System CVE-2017-14701 RESERVED CVE-2017-14700 RESERVED CVE-2017-14699 (Multiple XML external entity (XXE) vulnerabilities in the AiCloud feat ...) NOT-FOR-US: ASUS routers CVE-2017-14698 (ASUS DSL-AC51, DSL-AC52U, DSL-AC55U, DSL-N55U C1, DSL-N55U D1, DSL-AC5 ...) NOT-FOR-US: ASUS routers CVE-2017-14697 RESERVED CVE-2017-14696 (SaltStack Salt before 2016.3.8, 2016.11.x before 2016.11.8, and 2017.7 ...) - salt 2016.11.8+dfsg1-1 (bug #879090) [stretch] - salt 2016.11.2+ds-1+deb9u1 [jessie] - salt (Minor issue) NOTE: Fixed by: https://github.com/saltstack/salt/commit/5f8b5e1a0f23fe0f2be5b3c3e04199b57a53db5b NOTE: Fixed by: https://github.com/saltstack/salt/commit/89e084bda356739de645c15e7d1968afebdcc56e (2016.11) CVE-2017-14695 (Directory traversal vulnerability in minion id validation in SaltStack ...) - salt 2016.11.8+dfsg1-1 (bug #879089) [stretch] - salt 2016.11.2+ds-1+deb9u1 [jessie] - salt (Minor issue) NOTE: Fixed by: https://github.com/saltstack/salt/commit/80d90307b07b3703428ecbb7c8bb468e28a9ae6d NOTE: Fixed by: https://github.com/saltstack/salt/commit/206ae23f15cb7ec95a07dee4cbe9802da84f9c42 (2016.11) CVE-2017-14694 (Foxit Reader 8.3.2.25013 and earlier and Foxit PhantomPDF 8.3.2.25013 ...) NOT-FOR-US: Foxit Reader CVE-2017-14693 (IrfanView 4.44 - 32bit allows attackers to cause a denial of service o ...) NOT-FOR-US: IrfanView CVE-2017-14692 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14691 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14690 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14689 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14688 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) 
NOT-FOR-US: STDU Viewer CVE-2017-14687 (Artifex MuPDF 1.11 allows attackers to cause a denial of service or po ...) {DSA-4006-1 DLA-1164-1} - mupdf 1.11+ds1-1.1 (bug #877379) [jessie] - mupdf (Minor issue) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698558 NOTE: Fixed by: https://git.ghostscript.com/?p=mupdf.git;h=2b16dbd8f73269cb15ca61ece75cf8d2d196ed28 NOTE: Several fz_xml_tag && !strcmp idioms are used in older versions CVE-2017-14686 (Artifex MuPDF 1.11 allows attackers to execute arbitrary code or cause ...) {DSA-4006-1} - mupdf 1.11+ds1-1.1 (bug #877379) [jessie] - mupdf (vulnerable code not present, poc not effective) [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698540 NOTE: Fixed by: https://git.ghostscript.com/?p=mupdf.git;h=0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1 CVE-2017-14685 (Artifex MuPDF 1.11 allows attackers to cause a denial of service or po ...) {DSA-4006-1} - mupdf 1.11+ds1-1.1 (bug #877379) [jessie] - mupdf (vulnerable code not present, poc not effective) [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698539 NOTE: Fixed by: https://git.ghostscript.com/?p=mupdf.git;h=ab1a420613dec93c686acbee2c165274e922f82a CVE-2017-14684 (In ImageMagick 7.0.7-4 Q16, a memory leak vulnerability was found in t ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant; bug #876487) NOTE: https://github.com/ImageMagick/ImageMagick/issues/770 NOTE: https://github.com/ImageMagick/ImageMagick/commit/dd367e0c3c3f37fbf1c20fa107b67a668b22c6e2 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/a25142f284384a10306f14393d9bfd7af95ddfff CVE-2017-14683 (geminabox (aka Gem in a Box) before 0.13.7 has CSRF, as demonstrated b ...) NOT-FOR-US: geminabox CVE-2017-14682 (GetNextToken in MagickCore/token.c in ImageMagick 7.0.6 allows remote ...) 
{DSA-4040-1 DSA-4032-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #876488) NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32726 NOTE: https://github.com/ImageMagick/ImageMagick/commit/3bee958ee63eb6ec62834d0c7b28b4b6835e6a00 CVE-2017-14681 (The daemon in P3Scan 3.0_rc1 and earlier creates a p3scan.pid file aft ...) - p3scan (bug #876674) [stretch] - p3scan (Minor issue) [jessie] - p3scan (Minor issue) [wheezy] - p3scan (Minor issue) NOTE: https://sourceforge.net/p/p3scan/bugs/33/ CVE-2017-14680 (ZKTeco ZKTime Web 2.0.1.12280 allows remote attackers to obtain sensit ...) NOT-FOR-US: ZKTeco ZKTime Web CVE-2017-14679 REJECTED CVE-2017-14678 REJECTED CVE-2017-14677 REJECTED CVE-2017-14676 REJECTED CVE-2017-14675 REJECTED CVE-2017-14674 REJECTED CVE-2017-14673 REJECTED CVE-2017-14672 REJECTED CVE-2017-14671 REJECTED CVE-2017-14670 REJECTED CVE-2017-14669 REJECTED CVE-2017-14668 REJECTED CVE-2017-14667 REJECTED CVE-2017-14666 REJECTED CVE-2017-14665 REJECTED CVE-2017-14664 REJECTED CVE-2017-14663 REJECTED CVE-2017-14662 REJECTED CVE-2017-14661 REJECTED CVE-2017-14660 REJECTED CVE-2017-14659 REJECTED CVE-2017-14658 REJECTED CVE-2017-14657 REJECTED CVE-2017-14656 REJECTED CVE-2017-14655 REJECTED CVE-2017-14654 RESERVED CVE-2017-14653 (member/Orderinfo.asp in ASP4CMS AspCMS 2.7.2 allows remote authenticat ...) NOT-FOR-US: ASP4CMS AspCMS CVE-2017-14652 (SQL Injection vulnerability in mobiquo/lib/classTTForum.php in the Tap ...) NOT-FOR-US: Tapatalk plugin for MyBB CVE-2017-14651 (WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_colle ...) NOT-FOR-US: WSO2 Data Analytics Server CVE-2017-14649 (ReadOneJNGImage in coders/png.c in GraphicsMagick version 1.3.26 does ...) 
- graphicsmagick 1.3.26-12 (unimportant; bug #876460) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/358608a46f0a NOTE: https://blogs.gentoo.org/ago/2017/09/19/graphicsmagick-assertion-failure-in-pixel_cache-c/ NOTE: https://sourceforge.net/p/graphicsmagick/bugs/439/ CVE-2017-14648 (A global buffer overflow was discovered in the iteration_loop function ...) NOT-FOR-US: BladeEnc CVE-2017-14647 (A heap-based buffer overflow was discovered in AP4_VisualSampleEntry:: ...) NOT-FOR-US: Bento4 CVE-2017-14646 (The AP4_AvccAtom and AP4_HvccAtom classes in Bento4 version 1.5.0-617 ...) NOT-FOR-US: Bento4 CVE-2017-14645 (A heap-based buffer over-read was discovered in AP4_BitStream::ReadByt ...) NOT-FOR-US: Bento4 CVE-2017-14644 (A heap-based buffer overflow was discovered in the AP4_HdlrAtom class ...) NOT-FOR-US: Bento4 CVE-2017-14643 (The AP4_HdlrAtom class in Core/Ap4HdlrAtom.cpp in Bento4 version 1.5.0 ...) NOT-FOR-US: Bento4 CVE-2017-14642 (A NULL pointer dereference was discovered in the AP4_HdlrAtom class in ...) NOT-FOR-US: Bento4 CVE-2017-14641 (A NULL pointer dereference was discovered in the AP4_DataAtom class in ...) NOT-FOR-US: Bento4 CVE-2017-14640 (A NULL pointer dereference was discovered in AP4_AtomSampleTable::GetS ...) NOT-FOR-US: Bento4 CVE-2017-14639 (AP4_VisualSampleEntry::ReadFields in Core/Ap4SampleEntry.cpp in Bento4 ...) NOT-FOR-US: Bento4 CVE-2017-14638 (AP4_AtomFactory::CreateAtomFromStream in Core/Ap4AtomFactory.cpp in Be ...) NOT-FOR-US: Bento4 CVE-2017-14637 (In sam2p 0.49.3, there is an invalid read of size 2 in the parse_rgb f ...) {DLA-1127-1} - sam2p (bug #876744) [jessie] - sam2p 0.49.2-3+deb8u1 NOTE: https://github.com/pts/sam2p/issues/14 (bug 5) CVE-2017-14636 (Because of an integer overflow in sam2p 0.49.3, a loop executes 0xffff ...) 
{DLA-1127-1} - sam2p (bug #876744) [jessie] - sam2p 0.49.2-3+deb8u1 NOTE: https://github.com/pts/sam2p/issues/14 (bug 4) CVE-2017-14635 (In Open Ticket Request System (OTRS) 3.3.x before 3.3.18, 4.x before 4 ...) {DSA-4021-1 DLA-1119-1} - otrs2 5.0.23-1 (bug #876462) NOTE: https://github.com/OTRS/otrs/commit/a4093dc404fcbd87b235b31c72913141672f2a85 (rel-5_0) NOTE: https://github.com/OTRS/otrs/commit/00bcc89dc2443b5d8b34a0908e224373926aa618 (rel-5_0) NOTE: https://github.com/OTRS/otrs/commit/b69c2533c951fa72bfe238f255ce76352f054897 (rel-5_0) NOTE: https://github.com/OTRS/otrs/commit/b92ec17196ac3e1fdcab40fbb16dbb602d5d52b5 (rel-5_0) NOTE: https://github.com/OTRS/otrs/commit/3ccc426ec220267d0cac8e3fdc39015a3db7d720 (rel-3_3) NOTE: https://github.com/OTRS/otrs/commit/f27dc65e4a937ba832d60e212ce6c9e3a28e406b (rel-3_3) NOTE: https://github.com/OTRS/otrs/commit/454c50116c2bf82dcd9dfee9146a7416be686875 (rel-3_3) NOTE: https://github.com/OTRS/otrs/commit/5468720cc8225a85699b1977ff230adbf9f8362d (rel-3_3) NOTE: https://github.com/OTRS/otrs/commit/0583dfda7bc9c7d76457aad68083f4b28a288ce5 (rel-3_3) NOTE: https://www.otrs.com/security-advisory-2017-04-security-update-otrs-versions/ CVE-2017-14650 (A Remote Code Execution vulnerability has been found in the Horde_Imag ...) {DSA-4276-1 DLA-1395-1} - php-horde-image 2.5.2-1 (bug #876400) NOTE: https://marc.info/?l=horde-announce&m=150600299528079&w=2 NOTE: https://github.com/horde/horde/commit/eb3afd14c22c77ae0d29e2848f5ac726ef6e7c5b CVE-2017-14634 (In libsndfile 1.0.28, a divide-by-zero error exists in the function do ...) {DLA-2418-1 DLA-1618-1} - libsndfile 1.0.28-5 (bug #876783) [wheezy] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/318 NOTE: Fixed by: https://github.com/erikd/libsndfile/commit/85c877d5072866aadbe8ed0c3e0590fbb5e16788 CVE-2017-14633 (In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability ...) 
{DSA-4113-1 DLA-2039-1 DLA-1368-1} - libvorbis 1.3.5-4.1 (bug #876778) NOTE: https://gitlab.xiph.org/xiph/vorbis/issues/2329 NOTE: https://github.com/xiph/vorbis/pull/34 NOTE: https://gitlab.xiph.org/xiph/vorbis/commit/a79ec216cd119069c68b8f3542c6a425a74ab993 CVE-2017-14632 (Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing uni ...) {DSA-4113-1 DLA-1368-1} - libvorbis 1.3.5-4.1 (bug #876779) [jessie] - libvorbis (Vulnerable code not present) [wheezy] - libvorbis (Vulnerable code not present) NOTE: https://gitlab.xiph.org/xiph/vorbis/issues/2328 NOTE: https://github.com/xiph/vorbis/issues/29 NOTE: https://github.com/xiph/vorbis/pull/34 CVE-2017-14631 (In sam2p 0.49.3, the pcxLoadRaster function in in_pcx.cpp has an integ ...) {DLA-1127-1} - sam2p (bug #876744) [jessie] - sam2p 0.49.2-3+deb8u1 NOTE: https://github.com/pts/sam2p/issues/14 (bug 1) CVE-2017-14630 (In sam2p 0.49.3, an integer overflow exists in the pcxLoadImage24 func ...) {DLA-1127-1} - sam2p (bug #876744) [jessie] - sam2p 0.49.2-3+deb8u1 NOTE: https://github.com/pts/sam2p/issues/14 (bug 6) CVE-2017-14629 (In sam2p 0.49.3, the in_xpm_reader function in in_xpm.cpp has an integ ...) {DLA-1127-1} - sam2p (bug #876744) [jessie] - sam2p 0.49.2-3+deb8u1 NOTE: https://github.com/pts/sam2p/issues/14 (bug 3) CVE-2017-14628 (In sam2p 0.49.3, a heap-based buffer overflow exists in the pcxLoadIma ...) {DLA-1127-1} - sam2p (bug #876744) [jessie] - sam2p 0.49.2-3+deb8u1 NOTE: https://github.com/pts/sam2p/issues/14 (bug 2) CVE-2017-14627 (Stack-based buffer overflows in CyberLink LabelPrint 2.5 allow remote ...) NOT-FOR-US: CyberLink LabelPrint CVE-2017-14626 (ImageMagick 7.0.7-0 Q16 has a NULL Pointer Dereference vulnerability i ...) 
{DLA-2366-1 DLA-1785-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #878524) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/720 NOTE: https://github.com/ImageMagick/ImageMagick/issues/721 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/90b301db18434b2c2228776d06c2898b5fed74f0 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/cc797c296c30f3ec31cd02418b58a2c27549b0a9 CVE-2017-14625 (ImageMagick 7.0.7-0 Q16 has a NULL Pointer Dereference vulnerability i ...) {DLA-2366-1 DLA-1785-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #877355) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/721 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/cc797c296c30f3ec31cd02418b58a2c27549b0a9 CVE-2017-14624 (ImageMagick 7.0.7-0 Q16 has a NULL Pointer Dereference vulnerability i ...) {DLA-2366-1 DLA-1785-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #877354) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/722 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/9ff805077fd5297dc41dc989f9dba59877e12f97 CVE-2017-14623 (In the ldap.v2 (aka go-ldap) package through 2.5.0 for Go, an attacker ...) - golang-github-go-ldap-ldap 2.5.1-1 (low; bug #876404) [stretch] - golang-github-go-ldap-ldap 2.4.1-1+deb9u1 NOTE: https://github.com/go-ldap/ldap/pull/126 NOTE: https://github.com/go-ldap/ldap/commit/95ede1266b237bf8e9aa5dce0b3250e51bfefe66 CVE-2017-14622 (Multiple cross-site scripting (XSS) vulnerabilities in the 2kb Amazon ...) NOT-FOR-US: 2kb Amazon Affiliates Store plugin for WordPress CVE-2017-14621 (Portus 2.2.0 has XSS via the Team field, related to typeahead. ...) NOT-FOR-US: Portus CVE-2017-14620 (SmarterStats Version 11.3.6347 will Render the Referer Field of HTTP L ...) 
NOT-FOR-US: SmarterStats CVE-2017-14619 (Cross-site scripting (XSS) vulnerability in phpMyFAQ through 2.9.8 all ...) NOT-FOR-US: phpMyFAQ CVE-2017-14618 (Cross-site scripting (XSS) vulnerability in inc/PMF/Faq.php in phpMyFA ...) NOT-FOR-US: phpMyFAQ CVE-2017-14617 (In Poppler 0.59.0, a floating point exception occurs in the ImageStrea ...) {DLA-1116-1} - poppler 0.61.1-2 (bug #876385) [stretch] - poppler (Minor issue) [jessie] - poppler (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102854 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=939465c40902d72e0c05d4f3a27ee67e4a007ed7 NOTE: The patch applied in 0.48.0-2+deb9u1 (stretch) and 0.26.5-2+deb8u2 (jessie) NOTE: does not completely fix the issue thus still marked as unfixed even if the NOTE: CVE is recorded in debian/changelog. CVE-2017-14616 (An FBX-5312 issue was discovered in WatchGuard Fireware before 12.0. I ...) NOT-FOR-US: WatchGuard Fireware CVE-2017-14615 (An FBX-5313 issue was discovered in WatchGuard Fireware before 12.0. W ...) NOT-FOR-US: WatchGuard Fireware CVE-2017-14614 (Directory traversal vulnerability in the Visor GUI Console in GridGain ...) NOT-FOR-US: GridGain CVE-2017-14613 RESERVED CVE-2017-14612 ("Shpock Boot Sale & Classifieds" app before 3.17.0 -- aka shpock-b ...) NOT-FOR-US: Book sale app CVE-2017-14611 (SSRF (Server Side Request Forgery) in Cockpit 0.13.0 allows remote att ...) NOT-FOR-US: Cockpit CMS (different from src:cockpit) CVE-2017-14610 (bareos-dir, bareos-fd, and bareos-sd in bareos-core in Bareos 16.2.6 a ...) - bareos (low; bug #877334) [buster] - bareos (Minor issue) [stretch] - bareos (Minor issue) [jessie] - bareos (Minor issue) NOTE: https://bugs.bareos.org/view.php?id=847 CVE-2017-14609 (The server daemons in Kannel 1.5.0 and earlier create a PID file after ...) 
- kannel (No real security issue in combination with start-stop-daemon from dpkg, see #877361) NOTE: https://redmine.kannel.org/issues/771 CVE-2017-14608 (In LibRaw through 0.18.4, an out of bounds read flaw related to kodak_ ...) {DLA-1109-1} - libraw 0.18.5-1 (low) [stretch] - libraw (Minor issue) [jessie] - libraw (Minor issue) NOTE: https://github.com/LibRaw/LibRaw/commit/d13e8f6d1e987b7491182040a188c16a395f1d21 NOTE: https://github.com/LibRaw/LibRaw/issues/101 CVE-2017-14607 (In ImageMagick 7.0.7-4 Q16, an out of bounds read flaw related to Read ...) {DSA-4040-1 DSA-4032-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #878527) NOTE: IM6 patch: https://github.com/ImageMagick/ImageMagick/commit/cd665c3d05b46d1579c738a72214175ff50aec74 NOTE: https://github.com/ImageMagick/ImageMagick/issues/765 CVE-2017-14606 RESERVED CVE-2017-14605 RESERVED CVE-2017-14604 (GNOME Nautilus before 3.23.90 allows attackers to spoof a file type by ...) {DSA-3994-1} - nautilus 3.25.90-1 (bug #860268) [jessie] - nautilus (Minor issue, issue mitigated because does not silently decompress tarballs) [wheezy] - nautilus (Minor issue, issue mitigated because does not silently decompress tarballs) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777991 NOTE: https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/ NOTE: https://github.com/freedomofpress/securedrop/issues/2238 NOTE: https://github.com/GNOME/nautilus/commit/1630f53481f445ada0a455e9979236d31a8d3bb0 CVE-2017-14603 (In Asterisk 11.x before 11.25.3, 13.x before 13.17.2, and 14.x before ...) {DSA-3990-1} - asterisk 1:13.17.2~dfsg-1 (bug #876328) [wheezy] - asterisk (strictrtp option is disabled by default. 
Too intrusive to backport) NOTE: http://downloads.asterisk.org/pub/security/AST-2017-008.html NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27274 NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27252 CVE-2017-14602 (A vulnerability has been identified in the management interface of Cit ...) NOT-FOR-US: Citrix CVE-2017-14601 (Pragyan CMS v3.0 is vulnerable to a Boolean-based SQL injection in cms ...) NOT-FOR-US: Pragyan CMS CVE-2017-14600 (Pragyan CMS v3.0 is vulnerable to an Error-Based SQL injection in cms/ ...) NOT-FOR-US: Pragyan CMS CVE-2017-14599 RESERVED CVE-2017-14598 RESERVED CVE-2017-14597 (AdminPanel in AfterLogic WebMail 7.7 and Aurora 7.7.5 has XSS via the ...) NOT-FOR-US: AfterLogic WebMail CVE-2017-14596 (In Joomla! before 3.8.0, inadequate escaping in the LDAP authenticatio ...) NOT-FOR-US: Joomla! CVE-2017-14595 (In Joomla! before 3.8.0, a logic bug in a SQL query could lead to the ...) NOT-FOR-US: Joomla! CVE-2017-14594 (The printable searchrequest issue resource in Atlassian Jira before ve ...) NOT-FOR-US: Atlassian Jira CVE-2017-14593 (Sourcetree for Windows had several argument and command injection bugs ...) NOT-FOR-US: Atlassian Sourcetree CVE-2017-14592 (Sourcetree for macOS had several argument and command injection bugs i ...) NOT-FOR-US: Atlassian Sourcetree CVE-2017-14591 (Atlassian Fisheye and Crucible versions less than 4.4.3 and version 4. ...) NOT-FOR-US: Atlassian CVE-2017-14590 (Bamboo did not check that the name of a branch in a Mercurial reposito ...) NOT-FOR-US: Atlassian Bamboo CVE-2017-14589 (It was possible for double OGNL evaluation in FreeMarker templates thr ...) NOT-FOR-US: Atlassian Bamboo CVE-2017-14588 (Various resources in Atlassian Fisheye and Crucible before version 4.4 ...) NOT-FOR-US: Atlassian CVE-2017-14587 (The administration user deletion resource in Atlassian Fisheye and Cru ...) NOT-FOR-US: Atlassian CVE-2017-14586 (The Hipchat for Mac desktop client is vulnerable to client-side remote ...) 
NOT-FOR-US: Atlassian CVE-2017-14585 (A Server Side Request Forgery (SSRF) vulnerability could lead to remot ...) NOT-FOR-US: Atlassian CVE-2017-14584 RESERVED CVE-2017-14583 (NetApp Clustered Data ONTAP versions 9.x prior to 9.1P10 and 9.2P2 are ...) NOT-FOR-US: NetApp Clustered Data ONTAP CVE-2017-14582 (The Zoho Site24x7 Mobile Network Poller application before 1.1.5 for A ...) NOT-FOR-US: Zoho CVE-2017-XXXX [pcb code injection by malicious layout file] - pcb-rnd 1.2.5-2 (bug #876540) [stretch] - pcb-rnd 1.1.4-2 CVE-2017-14581 (The Host Control web service in SAP NetWeaver AS JAVA 7.0 through 7.5 ...) NOT-FOR-US: SAP CVE-2017-14580 (XnView Classic for Windows Version 2.41 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-14579 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14578 (IrfanView 4.44 - 32bit allows attackers to cause a denial of service o ...) NOT-FOR-US: IrfanView CVE-2017-14577 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14576 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14575 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14574 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14573 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14572 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14571 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14570 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14569 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) 
NOT-FOR-US: STDU Viewer CVE-2017-14568 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14567 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14566 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14565 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14564 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14563 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14562 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14561 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14560 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14559 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14558 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14557 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14556 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14555 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14554 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14553 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14552 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) 
NOT-FOR-US: STDU Viewer CVE-2017-14551 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14550 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14549 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14548 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14547 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14546 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14545 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14544 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14543 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14542 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14541 (XnView Classic for Windows Version 2.40 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-14540 (IrfanView 4.44 - 32bit allows attackers to cause a denial of service o ...) NOT-FOR-US: IrfanView CVE-2017-14539 (IrfanView 4.44 - 32bit allows attackers to cause a denial of service o ...) NOT-FOR-US: IrfanView CVE-2017-14538 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-14537 (trixbox 2.8.0.4 has path traversal via the xajaxargs array parameter t ...) NOT-FOR-US: trixbox CVE-2017-14536 (trixbox 2.8.0.4 has XSS via the PATH_INFO to /maint/index.php or /user ...) NOT-FOR-US: trixbox CVE-2017-14535 (trixbox 2.8.0.4 has OS command injection via shell metacharacters in t ...) 
NOT-FOR-US: trixbox CVE-2017-14534 (Cross Site Scripting (XSS) exists in NexusPHP 1.5.beta5.20120707 via t ...) NOT-FOR-US: NexusPHP CVE-2017-14533 (ImageMagick 7.0.6-6 has a memory leak in ReadMATImage in coders/mat.c. ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/648 NOTE: https://github.com/ImageMagick/ImageMagick/commit/f1f2089e79bcf5714cefba7cdc47049b4ac53c6b NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/bdfc5538051ad0d1c2083ba2a29180ff6abea907 CVE-2017-14532 (ImageMagick 7.0.7-0 has a NULL Pointer Dereference in TIFFIgnoreTags i ...) {DLA-2366-1 DLA-1785-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #878541) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/719 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1942317d9208ea17ee17d976a39768cd51d74160 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/c55fb18c3f78445d100a378ab8b3c0acd53c6590 CVE-2017-14531 (ImageMagick 7.0.7-0 has a memory exhaustion issue in ReadSUNImage in c ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/718 NOTE: https://github.com/ImageMagick/ImageMagick/commit/69967f4161bd14d8e03ea463d6545da442a6ea78 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/1385a09732c261f1f403a9af6700979ca56c76d3 CVE-2017-14530 (WP_Admin_UI in the Crony Cronjob Manager plugin before 0.4.7 for WordP ...) NOT-FOR-US: Crony Cronjob Manager plugin for WordPress CVE-2017-14529 (The pe_print_idata function in peXXigen.c in the Binary File Descripto ...) 
- binutils 2.29-10 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22113 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=4d465c689a8fb27212ef358d0aee89d60dee69a6 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=dcaaca89e8618eba35193c27afcb1cfa54f74582 CVE-2017-14528 (The TIFFSetProfiles function in coders/tiff.c in ImageMagick 7.0.6 has ...) {DLA-2523-1} [experimental] - imagemagick 8:6.9.10.2+dfsg-1 - imagemagick 8:6.9.10.2+dfsg-2 (bug #878544) [jessie] - imagemagick (Vulnerable code not present) [wheezy] - imagemagick (Can't reproduce crash with file) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2730 NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32560 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/6f7cba13ebae405b2689647a2277827f1c272364 CVE-2017-14527 (Multiple XML external entity (XXE) vulnerabilities in the OpenText Doc ...) NOT-FOR-US: OpenText Documentum Webtop CVE-2017-14526 (Multiple XML external entity (XXE) vulnerabilities in the OpenText Doc ...) NOT-FOR-US: OpenText Documentum Administrator CVE-2017-14525 (Multiple open redirect vulnerabilities in OpenText Documentum Webtop 6 ...) NOT-FOR-US: OpenText Documentum Webtop CVE-2017-14524 (Multiple open redirect vulnerabilities in OpenText Documentum Administ ...) NOT-FOR-US: OpenText Documentum Administrator CVE-2017-14523 (** DISPUTED ** WonderCMS 2.3.1 is vulnerable to an HTTP Host header i ...) NOT-FOR-US: WonderCMS CVE-2017-14522 (** DISPUTED ** In WonderCMS 2.3.1, the application's input fields acc ...) NOT-FOR-US: WonderCMS CVE-2017-14521 (In WonderCMS 2.3.1, the upload functionality accepts random applicatio ...) NOT-FOR-US: WonderCMS CVE-2017-14520 (In Poppler 0.59.0, a floating point exception occurs in Splash::scaleI ...) 
{DSA-4079-1} - poppler 0.61.1-2 (low; bug #876081) [wheezy] - poppler (vulnerable code not present) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102719 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=504b3590182175390f474657a372e78fb1508262 CVE-2017-14519 (In Poppler 0.59.0, memory corruption occurs in a call to Object::strea ...) {DSA-4079-1 DLA-1116-1} - poppler 0.61.1-2 (bug #876086) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102701 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=aaf5327649e8f7371c9d3270e7813c43ddfd47ee CVE-2017-14518 (In Poppler 0.59.0, a floating point exception exists in the isImageInt ...) {DSA-4079-1} - poppler 0.61.1-2 (low; bug #876082) [wheezy] - poppler (vulnerable code not present) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102688 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=80f9819b6233f9f9b5fd44f0e4cad026e5d048c2 CVE-2017-14517 (In Poppler 0.59.0, a NULL Pointer Dereference exists in the XRef::pars ...) {DSA-4079-1 DLA-1116-1} - poppler 0.61.1-2 (low; bug #876079) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102687 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=476394e7a025e02e4897da2e765df2c895d0708f CVE-2017-14516 (Cross-Site Scripting (XSS) exists in SAP Business Objects Financial Co ...) NOT-FOR-US: SAP Business Objects Financial Consolidation CVE-2017-14515 (Heap-based Buffer Overflow on Tenda W15E devices before 15.11.0.14 all ...) NOT-FOR-US: Tenda W15E devices CVE-2017-14514 (Directory Traversal on Tenda W15E devices before 15.11.0.14 allows rem ...) NOT-FOR-US: Tenda W15E devices CVE-2017-14513 (Directory traversal vulnerability in MetInfo 5.3.17 allows remote atta ...) NOT-FOR-US: MetInfo CVE-2017-14512 (NexusPHP 1.5.beta5.20120707 has SQL Injection in forummanage.php via t ...) NOT-FOR-US: NexusPHP CVE-2017-14511 (An issue was discovered in SAP E-Recruiting (aka ERECRUIT) 605 through ...) 
NOT-FOR-US: SAP CVE-2017-14510 (An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2 ...) NOT-FOR-US: SugarCRM CVE-2017-14509 (An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2 ...) NOT-FOR-US: SugarCRM CVE-2017-14508 (An issue was discovered in SugarCRM before 7.7.2.3, 7.8.x before 7.8.2 ...) NOT-FOR-US: SugarCRM CVE-2017-14507 (Multiple SQL injection vulnerabilities in the Content Timeline plugin ...) NOT-FOR-US: Content Timeline plugin for WordPress CVE-2017-14506 (geminabox (aka Gem in a Box) before 0.13.6 has XSS, as demonstrated by ...) NOT-FOR-US: geminabox CVE-2017-14505 (DrawGetStrokeDashArray in wand/drawing-wand.c in ImageMagick 7.0.7-1 m ...) {DLA-2366-1 DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #878545) NOTE: https://github.com/ImageMagick/ImageMagick/issues/716 NOTE: https://github.com/ImageMagick/ImageMagick/commit/6ad5fc3c9b652eec27fc0b1a0817159f8547d5d9 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/f7b0cf098bc800c5b6181dc522a99997bfee8948 CVE-2017-14504 (ReadPNMImage in coders/pnm.c in GraphicsMagick 1.3.26 does not ensure ...) {DSA-4321-1 DLA-1456-1 DLA-1130-1} - graphicsmagick 1.3.26-11 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick?cmd=changeset;node=fb09ca6dd22c NOTE: https://sourceforge.net/p/graphicsmagick/bugs/465/ NOTE: https://sourceforge.net/p/graphicsmagick/bugs/466/ CVE-2017-14503 (libarchive 3.3.2 suffers from an out-of-bounds read within lha_read_da ...) {DSA-4360-1 DLA-1600-1} - libarchive 3.2.2-4.1 (bug #875960) [wheezy] - libarchive (Minor issue) NOTE: https://github.com/libarchive/libarchive/issues/948 NOTE: https://github.com/libarchive/libarchive/commit/2c8c83b9731ff822fad6cc8c670ea5519c366a14 CVE-2017-14502 (read_header in archive_read_support_format_rar.c in libarchive 3.3.2 s ...) 
{DSA-4360-1 DLA-1600-1} - libarchive 3.2.2-4.1 (bug #875974) [wheezy] - libarchive (Minor issue) NOTE: https://github.com/libarchive/libarchive/commit/5562545b5562f6d12a4ef991fae158bf4ccf92b6 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=573 CVE-2017-14501 (An out-of-bounds read flaw exists in parse_file_info in archive_read_s ...) {DSA-4360-1 DLA-1600-1} - libarchive 3.2.2-4.2 (bug #875966) [wheezy] - libarchive (Minor issue) NOTE: https://github.com/libarchive/libarchive/issues/949 NOTE: https://github.com/libarchive/libarchive/commit/f9569c086ff29259c73790db9cbf39fe8fb9d862 CVE-2017-14500 (Improper Neutralization of Special Elements used in an OS Command in t ...) {DSA-3977-1 DLA-1104-1} - newsbeuter 2.9-7 (bug #876004) NOTE: http://openwall.com/lists/oss-security/2017/09/16/1 NOTE: newsbeuter-2.9.x: https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333 NOTE: master: https://github.com/akrennmair/newsbeuter/commit/c8fea2f60c18ed30bdd1bb6f798e994e51a58260 NOTE: https://github.com/akrennmair/newsbeuter/issues/598 CVE-2017-14499 RESERVED CVE-2017-14498 (SilverStripe CMS before 3.6.1 has XSS via an SVG document that is mish ...) NOT-FOR-US: SilverStripe CMS CVE-2017-14497 (The tpacket_rcv function in net/packet/af_packet.c in the Linux kernel ...) - linux 4.12.13-1 [stretch] - linux 4.9.30-2+deb9u5 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/edbd58be15a957f6a760c4a514cd475217eb97fd (v4.13) CVE-2017-14496 (Integer underflow in the add_pseudoheader function in dnsmasq before 2 ...) 
- dnsmasq 2.78-1 [stretch] - dnsmasq 2.76-5+deb9u1 [jessie] - dnsmasq (Vulnerable code introduced later) [wheezy] - dnsmasq (Vulnerable code introduced later) NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=897c113fda0886a28a986cc6ba17bb93bd6cb1c7 CVE-2017-14495 (Memory leak in dnsmasq before 2.78, when the --add-mac, --add-cpe-id o ...) - dnsmasq 2.78-1 [stretch] - dnsmasq 2.76-5+deb9u1 [jessie] - dnsmasq (Vulnerable code introduced later) [wheezy] - dnsmasq (Vulnerable code introduced later) NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=51eadb692a5123b9838e5a68ecace3ac579a3a45 CVE-2017-14494 (dnsmasq before 2.78, when configured as a relay, allows remote attacke ...) {DSA-3989-1 DLA-1124-1} - dnsmasq 2.78-1 NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=33e3f1029c9ec6c63e430ff51063a6301d4b2262 CVE-2017-14493 (Stack-based buffer overflow in dnsmasq before 2.78 allows remote attac ...) {DSA-3989-1} - dnsmasq 2.78-1 [wheezy] - dnsmasq (Vulnerable code introduced later) NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=3d4ff1ba8419546490b464418223132529514033 CVE-2017-14492 (Heap-based buffer overflow in dnsmasq before 2.78 allows remote attack ...) {DSA-3989-1 DLA-1124-1} - dnsmasq 2.78-1 NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=24036ea507862c7b7898b68289c8130f85599c10 CVE-2017-14491 (Heap-based buffer overflow in dnsmasq before 2.78 allows remote attack ...) 
{DSA-3989-1 DLA-1124-1} - dnsmasq 2.78-1 NOTE: https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=0549c73b7ea6b22a3c49beb4d432f185a81efcbc NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=62cb936cb7ad5f219715515ae7d32dd281a5aa1f CVE-2017-14490 RESERVED CVE-2017-14489 (The iscsi_if_rx function in drivers/scsi/scsi_transport_iscsi.c in the ...) {DSA-3981-1 DLA-1099-1} - linux 4.12.13-1 NOTE: https://patchwork.kernel.org/patch/9923803/ NOTE: Fixed by: https://git.kernel.org/linus/c88f0e6b06f4092995688211a631bb436125d77b CVE-2017-14488 RESERVED CVE-2017-14487 (The OhMiBod Remote app for Android and iOS allows remote attackers to ...) NOT-FOR-US: OhMiBod Remote app CVE-2017-14486 (The Vibease Wireless Remote Vibrator app for Android and the Vibease C ...) NOT-FOR-US: Vibease Wireless Remote Vibrator app CVE-2017-14485 RESERVED CVE-2017-14484 (The Gentoo sci-mathematics/gimps package before 28.10-r1 for Great Int ...) NOT-FOR-US: Gentoo packaging flaw in gimps CVE-2017-14483 (flower.initd in the Gentoo dev-python/flower package before 0.9.1-r1 f ...) - flower (Gentoo-specific issue, Debian doesn't provide an init script at all) CVE-2017-1002100 (Default access permissions for Persistent Volumes (PVs) created by the ...) - kubernetes (Vulnerable code not yet present) CVE-2017-1002028 (Vulnerability in wordpress plugin wordpress-gallery-transformation v1. ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002027 (Vulnerability in wordpress plugin rk-responsive-contact-form v1.0, The ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002026 (Vulnerability in wordpress plugin Event Expresso Free v3.1.37.11.L, Th ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002025 (Vulnerability in wordpress plugin add-edit-delete-listing-for-member-m ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002023 (Vulnerability in wordpress plugin Easy Team Manager v1.3.2, The code d ...) 
NOT-FOR-US: Wordpress plugin CVE-2017-1002022 (Vulnerability in wordpress plugin surveys v1.01.8, The code in questio ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002021 (Vulnerability in wordpress plugin surveys v1.01.8, The code in individ ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002020 (Vulnerability in wordpress plugin surveys v1.01.8, The code in survey_ ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002019 (Vulnerability in wordpress plugin eventr v1.02.2, The edit.php form an ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002018 (Vulnerability in wordpress plugin eventr v1.02.2, The edit.php form an ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002017 (Vulnerability in wordpress plugin gift-certificate-creator v1.0, The c ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002016 (Vulnerability in wordpress plugin flickr-picture-backup v0.7, The code ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002015 (Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002014 (Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002013 (Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002012 (Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002011 (Vulnerability in wordpress plugin image-gallery-with-slideshow v1.5.2, ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002010 (Vulnerability in wordpress plugin Membership Simplified v1.58, The cod ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002009 (Vulnerability in wordpress plugin Membership Simplified v1.58, The cod ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002008 (Vulnerability in wordpress plugin membership-simplified-for-oap-member ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002007 (Vulnerability in wordpress plugin DTracker v1.5, The code dtracker/sav ...) 
NOT-FOR-US: Wordpress plugin CVE-2017-1002006 (Vulnerability in wordpress plugin DTracker v1.5, The code dtracker/sav ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002005 (Vulnerability in wordpress plugin DTracker v1.5, In file ./dtracker/de ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002004 (Vulnerability in wordpress plugin DTracker v1.5, In file ./dtracker/do ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002003 (Vulnerability in wordpress plugin wp2android-turn-wp-site-into-android ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002002 (Vulnerability in wordpress plugin webapp-builder v2.0, The plugin incl ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002001 (Vulnerability in wordpress plugin mobile-app-builder-by-wappress v1.05 ...) NOT-FOR-US: Wordpress plugin CVE-2017-1002000 (Vulnerability in wordpress plugin mobile-friendly-app-builder-by-easyt ...) NOT-FOR-US: Wordpress plugin CVE-2017-14481 (In the MMM::Agent::Helpers::Network::send_arp function in MySQL Multi- ...) NOT-FOR-US: MySQL Multi-Master Replication Manager CVE-2017-14480 (In the MMM::Agent::Helpers::Network::clear_ip function in MySQL Multi- ...) NOT-FOR-US: MySQL Multi-Master Replication Manager CVE-2017-14479 (In the MMM::Agent::Helpers::Network::clear_ip function in MySQL Multi- ...) NOT-FOR-US: MySQL Multi-Master Replication Manager CVE-2017-14478 (In the MMM::Agent::Helpers::Network::clear_ip function in MySQL Multi- ...) NOT-FOR-US: MySQL Multi-Master Replication Manager CVE-2017-14477 (In the MMM::Agent::Helpers::Network::add_ip function in MySQL Multi-Ma ...) NOT-FOR-US: MySQL Multi-Master Replication Manager CVE-2017-14476 (In the MMM::Agent::Helpers::Network::add_ip function in MySQL Multi-Ma ...) NOT-FOR-US: MySQL Multi-Master Replication Manager CVE-2017-14475 (In the MMM::Agent::Helpers::Network::add_ip function in MySQL Multi-Ma ...) NOT-FOR-US: MySQL Multi-Master Replication Manager CVE-2017-14474 (In the MMM::Agent::Helpers::_execute function in MySQL Multi-Master Re ...) 
NOT-FOR-US: MySQL Multi-Master Replication Manager CVE-2017-14473 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14472 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14471 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14470 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14469 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14468 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14467 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14466 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14465 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14464 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14463 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14462 (An exploitable access control vulnerability exists in the data, progra ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-14461 (A specially crafted email delivered over SMTP and passed on to Dovecot ...) 
{DSA-4130-1 DLA-1333-1} - dovecot 1:2.2.34-1 (bug #891819) NOTE: https://www.dovecot.org/list/dovecot-news/2018-February/000370.html NOTE: https://github.com/dovecot/core/commit/30dc856f7b97b75b0e0d69f5003d5d99a13249b4 NOTE: https://github.com/dovecot/core/commit/8d65e2345e1dbedb00b662ee0abd05be2e7e6b7e NOTE: https://github.com/dovecot/core/commit/b72d864b8c34cb21076214c0b28101baec530141 NOTE: https://github.com/dovecot/core/commit/e9b86842441a668b30796bff7d60828614570a1b NOTE: https://github.com/dovecot/core/commit/f5cd17a27f0b666567747f8c921ebe1026970f11 NOTE: https://github.com/dovecot/core/commit/18a7a161c8dae6f630770a3cbab7374a0c3dd732 NOTE: https://github.com/dovecot/core/commit/0ed696987e5e5d44e971da2a10f6275b276ece34 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0510 CVE-2017-14460 (An exploitable overly permissive cross-domain (CORS) whitelist vulnera ...) - parity (bug #890550) CVE-2017-14459 (An exploitable OS Command Injection vulnerability exists in the Telnet ...) NOT-FOR-US: Moxa CVE-2017-14458 (An exploitable use-after-free vulnerability exists in the JavaScript e ...) NOT-FOR-US: Foxit PDF Reader CVE-2017-14457 (An exploitable information leak/denial of service vulnerability exists ...) - cpp-etherum (bug #860434) CVE-2017-14456 REJECTED CVE-2017-14455 (On Insteon Hub 2245-222 devices with firmware version 1012, specially ...) NOT-FOR-US: Insteon Hub CVE-2017-14454 RESERVED CVE-2017-14453 (On Insteon Hub 2245-222 devices with firmware version 1012, specially ...) NOT-FOR-US: Insteon Hub CVE-2017-14452 (An exploitable buffer overflow vulnerability exists in the PubNub mess ...) NOT-FOR-US: Insteon Hub CVE-2017-14451 (An exploitable out-of-bounds read vulnerability exists in libevm (Ethe ...) NOT-FOR-US: CPP-Ethereum CVE-2017-14450 (A buffer overflow vulnerability exists in the GIF image parsing functi ...) 
{DSA-4184-1 DSA-4177-1 DLA-1341-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 1.2.12-8 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0499 NOTE: https://hg.libsdl.org/SDL_image/rev/45e750f92c84 CVE-2017-14449 (A double-Free vulnerability exists in the XCF image rendering function ...) {DSA-4177-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 (Vulnerable code not present) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0498 NOTE: https://hg.libsdl.org/SDL_image/rev/d0142861559c CVE-2017-14448 (An exploitable code execution vulnerability exists in the XCF image re ...) {DSA-4184-1 DSA-4177-1 DLA-1341-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 1.2.12-8 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0497 NOTE: https://hg.libsdl.org/SDL_image/rev/7df1580f1695 CVE-2017-14447 (An exploitable buffer overflow vulnerability exists in the PubNub mess ...) NOT-FOR-US: Insteon Hub CVE-2017-14446 (An exploitable stack-based buffer overflow vulnerability exists in Ins ...) NOT-FOR-US: Insteon Hub CVE-2017-14445 (An exploitable buffer overflow vulnerability exists in Insteon Hub run ...) NOT-FOR-US: Insteon Hub CVE-2017-14444 (An exploitable buffer overflow vulnerability exists in Insteon Hub run ...) NOT-FOR-US: Insteon Hub CVE-2017-14443 (An exploitable information leak vulnerability exists in Insteon Hub ru ...) NOT-FOR-US: Insteon Hub CVE-2017-14442 (An exploitable code execution vulnerability exists in the BMP image re ...) {DSA-4184-1 DSA-4177-1 DLA-1341-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 1.2.12-8 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0491 NOTE: https://hg.libsdl.org/SDL_image/rev/37445f6180a8 CVE-2017-14441 (An exploitable code execution vulnerability exists in the ICO image re ...) 
{DSA-4184-1 DSA-4177-1 DLA-1341-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 1.2.12-8 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0490 NOTE: https://hg.libsdl.org/SDL_image/rev/a1e9b624ca10 CVE-2017-14440 (An exploitable code execution vulnerability exists in the ILBM image r ...) {DSA-4184-1 DSA-4177-1 DLA-1341-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 1.2.12-8 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0489 NOTE: https://hg.libsdl.org/SDL_image/rev/bfa08dc02b3c CVE-2017-14439 (Exploitable denial of service vulnerabilities exists in the Service Ag ...) NOT-FOR-US: Moxa CVE-2017-14438 (Exploitable denial of service vulnerabilities exists in the Service Ag ...) NOT-FOR-US: Moxa CVE-2017-14437 (An exploitable denial of service vulnerability exists in the web serve ...) NOT-FOR-US: Moxa CVE-2017-14436 (An exploitable denial of service vulnerability exists in the web serve ...) NOT-FOR-US: Moxa CVE-2017-14435 (An exploitable denial of service vulnerability exists in the web serve ...) NOT-FOR-US: Moxa CVE-2017-14434 (An exploitable command injection vulnerability exists in the web serve ...) NOT-FOR-US: Moxa CVE-2017-14433 (An exploitable command injection vulnerability exists in the web serve ...) NOT-FOR-US: Moxa CVE-2017-14432 (An exploitable command injection vulnerability exists in the web serve ...) NOT-FOR-US: Moxa CVE-2017-14430 (D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) a ...) NOT-FOR-US: D-Link CVE-2017-14429 (The DHCP client on D-Link DIR-850L REV. A (with firmware through FW114 ...) NOT-FOR-US: D-Link CVE-2017-14428 (D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) a ...) NOT-FOR-US: D-Link CVE-2017-14427 (D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) a ...) NOT-FOR-US: D-Link CVE-2017-14426 (D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) a ...) NOT-FOR-US: D-Link CVE-2017-14425 (D-Link DIR-850L REV. 
A (with firmware through FW114WWb07_h2ab_beta1) a ...) NOT-FOR-US: D-Link CVE-2017-14424 (D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) a ...) NOT-FOR-US: D-Link CVE-2017-14423 (htdocs/parentalcontrols/bind.php on D-Link DIR-850L REV. A (with firmw ...) NOT-FOR-US: D-Link CVE-2017-14422 (D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) a ...) NOT-FOR-US: D-Link CVE-2017-14421 (D-Link DIR-850L REV. B (with firmware through FW208WWb02) devices have ...) NOT-FOR-US: D-Link CVE-2017-14420 (The D-Link NPAPI extension, as used on D-Link DIR-850L REV. A (with fi ...) NOT-FOR-US: D-Link CVE-2017-14419 (The D-Link NPAPI extension, as used on D-Link DIR-850L REV. A (with fi ...) NOT-FOR-US: D-Link CVE-2017-14418 (The D-Link NPAPI extension, as used in conjunction with D-Link DIR-850 ...) NOT-FOR-US: D-Link CVE-2017-14417 (register_send.php on D-Link DIR-850L REV. B (with firmware through FW2 ...) NOT-FOR-US: D-Link CVE-2017-14416 (D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) d ...) NOT-FOR-US: D-Link CVE-2017-14415 (D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) d ...) NOT-FOR-US: D-Link CVE-2017-14414 (D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) d ...) NOT-FOR-US: D-Link CVE-2017-14413 (D-Link DIR-850L REV. A (with firmware through FW114WWb07_h2ab_beta1) d ...) NOT-FOR-US: D-Link CVE-2017-14412 (An invalid memory write was discovered in copy_mp in interface.c in mp ...) - mp3gain 1.6.2-1 [wheezy] - mp3gain NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-invalid-memory-write-in-copy_mp-mpglibdblinterface-c/ CVE-2017-14411 (A stack-based buffer overflow was discovered in copy_mp in interface.c ...) - mp3gain 1.6.2-1 [wheezy] - mp3gain NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-stack-based-buffer-overflow-in-copy_mp-mpglibdblinterface-c/ CVE-2017-14410 (A buffer over-read was discovered in III_i_stereo in layer3.c in mpgli ...) 
- mp3gain 1.6.2-1 [wheezy] - mp3gain NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-global-buffer-overflow-in-iii_i_stereo-mpglibdbllayer3-c/ CVE-2017-14409 (A buffer overflow was discovered in III_dequantize_sample in layer3.c ...) - mp3gain 1.6.2-1 [wheezy] - mp3gain NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-global-buffer-overflow-in-iii_dequantize_sample-mpglibdbllayer3-c/ CVE-2017-14408 (A stack-based buffer over-read was discovered in dct36 in layer3.c in ...) - mp3gain 1.6.2-1 [wheezy] - mp3gain NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-stack-based-buffer-overflow-in-dct36-mpglibdbllayer3-c/ CVE-2017-14407 (A stack-based buffer over-read was discovered in filterYule in gain_an ...) - mp3gain 1.6.2-1 [wheezy] - mp3gain NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-stack-based-buffer-overflow-in-filteryule-gain_analysis-c/ NOTE: Not reproducible with 1.6.2. NOTE: Caught by ASAN according to CVE. mp3gain is compiled with ASAN on: amd64 i386 armel armhf powerpc CVE-2017-14406 (A NULL pointer dereference was discovered in sync_buffer in interface. ...) - mp3gain 1.6.2-1 [wheezy] - mp3gain NOTE: https://blogs.gentoo.org/ago/2017/09/08/mp3gain-null-pointer-dereference-in-sync_buffer-mpglibdblinterface-c/ CVE-2017-14405 (The EyesOfNetwork web interface (aka eonweb) 5.1-0 allows remote comma ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14404 (The EyesOfNetwork web interface (aka eonweb) 5.1-0 allows local file i ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14403 (The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection v ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14402 (The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection v ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14401 (The EyesOfNetwork web interface (aka eonweb) 5.1-0 has SQL injection v ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14400 (In ImageMagick 7.0.7-1 Q16, the PersistPixelCache function in magick/c ...) 
{DLA-2366-1 DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #878546) NOTE: https://github.com/ImageMagick/ImageMagick/issues/746 NOTE: im6 patch: https://github.com/ImageMagick/ImageMagick/commit/04b863f15effa4375e4ee42f413f0246062b48af NOTE: im6 patch: https://github.com/ImageMagick/ImageMagick/commit/44a55580ac8c01d8cff1e6e0063820af113f8591 CVE-2017-14399 (In BlackCat CMS 1.2.2, unrestricted file upload is possible in backend ...) NOT-FOR-US: BlackCat CMS CVE-2017-14398 (rzpnk.sys in Razer Synapse 2.20.15.1104 allows local users to read and ...) NOT-FOR-US: Razer Synapse CVE-2017-14397 (AnyDesk before 3.6.1 on Windows has a DLL injection vulnerability. ...) NOT-FOR-US: AnyDesk CVE-2017-14396 (In osTicket before 1.10.1, SQL injection is possible by constructing a ...) NOT-FOR-US: osTicket CVE-2017-14395 (Auth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) ...) NOT-FOR-US: OpenAM CVE-2017-14394 (OAuth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) ...) NOT-FOR-US: OpenAM CVE-2017-14393 REJECTED CVE-2017-14392 REJECTED CVE-2017-14391 REJECTED CVE-2017-14390 (In Cloud Foundry Foundation cf-deployment v0.35.0, a misconfiguration ...) NOT-FOR-US: Cloud Foundry CVE-2017-14389 (An issue was discovered in Cloud Foundry Foundation capi-release (all ...) NOT-FOR-US: Cloud Foundry CVE-2017-14388 (Cloud Foundry Foundation GrootFS release 0.3.x versions prior to 0.30. ...) NOT-FOR-US: Cloud Foundry Foundation GrootFS CVE-2017-14387 (The NFS service in EMC Isilon OneFS 8.1.0.0, 8.0.1.0 - 8.0.1.1, and 8. ...) NOT-FOR-US: EMC Isilon OneFS CVE-2017-14386 (The web user interface of Dell 2335dn and 2355dn Multifunction Laser P ...) NOT-FOR-US: Dell CVE-2017-14385 (An issue was discovered in EMC Data Domain DD OS 5.7 family, versions ...) NOT-FOR-US: EMC Data Domain DD OS CVE-2017-14384 (In Dell Storage Manager versions earlier than 16.3.20, the EMConfigMig ...) 
NOT-FOR-US: EMConfigMigration service CVE-2017-14383 (In Dell EMC VNX2 versions prior to Operating Environment for File 8.1. ...) NOT-FOR-US: EMC VNX CVE-2017-14382 REJECTED CVE-2017-14381 REJECTED CVE-2017-14380 (In EMC Isilon OneFS 8.1.0.0, 8.0.1.0 - 8.0.1.1, 8.0.0.0 - 8.0.0.4, 7.2 ...) NOT-FOR-US: EMC Isilon OneFS CVE-2017-14379 (EMC RSA Authentication Manager before 8.2 SP1 P6 has a cross-site scri ...) NOT-FOR-US: EMC RSA CVE-2017-14378 (EMC RSA Authentication Agent API 8.5 for C and RSA Authentication Agen ...) NOT-FOR-US: EMC RSA CVE-2017-14377 (EMC RSA Authentication Agent for Web: Apache Web Server version 8.0 an ...) NOT-FOR-US: EMC RSA CVE-2017-14376 (EMC AppSync Server prior to 3.5.0.1 contains database accounts with ha ...) NOT-FOR-US: EMC AppSync Server CVE-2017-14375 (EMC Unisphere for VMAX Virtual Appliance (vApp) versions prior to 8.4. ...) NOT-FOR-US: EMC CVE-2017-14374 (The SMI-S service in Dell Storage Manager versions earlier than 16.3.2 ...) NOT-FOR-US: Dell CVE-2017-14373 (EMC RSA Authentication Manager 8.2 SP1 P4 and earlier contains a refle ...) NOT-FOR-US: RSA Authentication Manager CVE-2017-14372 (RSA Archer GRC Platform prior to 6.2.0.5 is affected by reflected cros ...) NOT-FOR-US: RSA Archer GRC Platform CVE-2017-14371 (RSA Archer GRC Platform prior to 6.2.0.5 is affected by reflected cros ...) NOT-FOR-US: RSA Archer GRC Platform CVE-2017-14370 (RSA Archer GRC Platform prior to 6.2.0.5 is affected by stored cross-s ...) NOT-FOR-US: RSA Archer GRC Platform CVE-2017-14369 (RSA Archer GRC Platform prior to 6.2.0.5 is affected by a privilege es ...) NOT-FOR-US: RSA Archer GRC Platform CVE-2017-14368 RESERVED CVE-2017-14367 RESERVED CVE-2017-14366 RESERVED CVE-2017-14365 RESERVED CVE-2017-14364 RESERVED CVE-2017-14363 (Cross-Site Scripting (XSS) vulnerability has been identified in Micro ...) NOT-FOR-US: Micro Focus Operations Manager CVE-2017-14362 (Cross-Site Request Forgery vulnerability in Micro Focus Project and Po ...) 
NOT-FOR-US: Micro Focus Project and Portfolio Management Center CVE-2017-14361 (Man-In-The-Middle vulnerability in Micro Focus Project and Portfolio M ...) NOT-FOR-US: Micro Focus Project and Portfolio Management Center CVE-2017-14360 (A potential security vulnerability has been identified in HPE Content ...) NOT-FOR-US: HPE CVE-2017-14359 (A potential security vulnerability has been identified in HPE Performa ...) NOT-FOR-US: HPE Performance Center CVE-2017-14358 (A URL redirection to untrusted site vulnerability in HP ArcSight ESM a ...) NOT-FOR-US: HP ArcSight CVE-2017-14357 (A Reflected and Stored Cross-Site Scripting (XSS) vulnerability in HP ...) NOT-FOR-US: HP ArcSight CVE-2017-14356 (An SQL Injection vulnerability in HP ArcSight ESM and HP ArcSight ESM ...) NOT-FOR-US: HP ArcSight CVE-2017-14355 (A potential security vulnerability has been identified in HPE Connecte ...) NOT-FOR-US: HPE Connected Backup CVE-2017-14354 (A remote cross-site scripting vulnerability in HP UCMDB Foundation Sof ...) NOT-FOR-US: HP UCMDB Foundation CVE-2017-14353 (A remote code execution vulnerability in HP UCMDB Foundation Software ...) NOT-FOR-US: HP UCMDB Foundation CVE-2017-14352 (A potential security vulnerability has been identified in HP UCMDB Con ...) NOT-FOR-US: HP CVE-2017-14351 (A potential security vulnerability has been identified in HP UCMDB Con ...) NOT-FOR-US: HP CVE-2017-14350 (A potential security vulnerability has been identified in HPE Applicat ...) NOT-FOR-US: HP CVE-2017-14349 (An authentication vulnerability in HPE SiteScope product versions 11.2 ...) NOT-FOR-US: HP CVE-2017-14347 (NexusPHP 1.5.beta5.20120707 has XSS in the returnto parameter to fun.p ...) NOT-FOR-US: NexusPHP CVE-2017-14346 (upload.php in tianchoy/blog through 2017-09-12 allows unrestricted fil ...) NOT-FOR-US: tianchoy/blog CVE-2017-14345 (SQL Injection exists in tianchoy/blog through 2017-09-12 via the id pa ...) 
NOT-FOR-US: tianchoy/blog CVE-2017-14344 (This vulnerability allows local attackers to escalate privileges on Ju ...) NOT-FOR-US: Jungo WinDriver CVE-2017-14343 (ImageMagick 7.0.6-6 has a memory leak vulnerability in ReadXCFImage in ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/649 CVE-2017-14342 (ImageMagick 7.0.6-6 has a memory exhaustion vulnerability in ReadWPGIm ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/650 NOTE: https://github.com/ImageMagick/ImageMagick/commit/4e378ea8fb99e869768f34e900105e8c769adfcd NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/6d5b22baedd49ef8a35011789bd600762ce1ef21 CVE-2017-14341 (ImageMagick 7.0.6-6 has a large loop vulnerability in ReadWPGImage in ...) {DLA-2366-1 DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #876105) NOTE: https://github.com/ImageMagick/ImageMagick/issues/654 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7d63315a64267c565d1f34b9cb523a14616fed24 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/4eae304e773bad8a876c3c26fdffac24d4253ae4 CVE-2017-14348 (LibRaw before 0.18.4 has a heap-based Buffer Overflow in the processCa ...) - libraw 0.18.5-1 [stretch] - libraw (Minor issue) [jessie] - libraw (Vulnerable code not present) [wheezy] - libraw (Vulnerable code not present) NOTE: https://github.com/LibRaw/LibRaw/issues/100 NOTE: https://github.com/LibRaw/LibRaw/commit/8303e74b0567806dd5f16fc39aab70fe928de1a2 CVE-2017-14340 (The XFS_IS_REALTIME_INODE macro in fs/xfs/xfs_linux.h in the Linux ker ...) {DSA-3981-1 DLA-1099-1} - linux 4.12.13-1 NOTE: Fixed by: https://git.kernel.org/linus/b31ff3cdf540110da4572e3e29bd172087af65cc CVE-2017-14339 (The DNS packet parser in YADIFA before 2.2.6 does not check for the pr ...) 
{DSA-4001-1} - yadifa 2.2.6-1 (bug #876315) NOTE: https://www.tarlogic.com/blog/fuzzing-yadifa-dns/ NOTE: https://github.com/yadifa/yadifa/blob/v2.2.6/ChangeLog CVE-2017-14338 RESERVED CVE-2017-14337 (When MISP before 2.4.80 is configured with X.509 certificate authentic ...) NOT-FOR-US: MISP (Malware Information Sharing Platform and Threat Sharing) CVE-2017-14336 RESERVED CVE-2017-14335 (On Beijing Hanbang Hanbanggaoke devices, because user-controlled input ...) NOT-FOR-US: Beijing Hanbang Hanbanggaoke devices CVE-2017-14334 RESERVED CVE-2017-14333 (The process_version_sections function in readelf.c in GNU Binutils 2.2 ...) - binutils 2.29-9 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21990 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=452bf675ea772002aa86fb1d28f3474da70ee1de CVE-2017-14332 (Extreme EXOS 15.7, 16.x, 21.x, and 22.x allows remote attackers to hij ...) NOT-FOR-US: Extreme EXOS CVE-2017-14331 (Extreme EXOS 16.x, 21.x, and 22.x allows administrators to bypass the ...) NOT-FOR-US: Extreme EXOS CVE-2017-14330 (Extreme EXOS 16.x, 21.x, and 22.x allows administrators to obtain a ro ...) NOT-FOR-US: Extreme EXOS CVE-2017-14329 (Extreme EXOS 16.x, 21.x, and 22.x allows administrators to obtain a ro ...) NOT-FOR-US: Extreme EXOS CVE-2017-14328 (Extreme EXOS 15.7, 16.x, 21.x, and 22.x allows remote attackers to tri ...) NOT-FOR-US: Extreme EXOS CVE-2017-14327 (Extreme EXOS 16.x, 21.x, and 22.x allows administrators to read arbitr ...) NOT-FOR-US: Extreme EXOS CVE-2017-14326 (In ImageMagick 7.0.7-1 Q16, a memory leak vulnerability was found in t ...) 
- imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/740 NOTE: https://github.com/ImageMagick/ImageMagick/commit/dfefe8de5068a547ae4097c69456f02f93935164 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/a542c9f9a53327b623333150874d4e5a5b3bcbd0 CVE-2017-14325 (In ImageMagick 7.0.7-1 Q16, a memory leak vulnerability was found in t ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/741 CVE-2017-14324 (In ImageMagick 7.0.7-1 Q16, a memory leak vulnerability was found in t ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/739 NOTE: https://github.com/ImageMagick/ImageMagick/commit/399631650b38eaf21c2f3c306b8b74e66be6a0d2 CVE-2017-14323 (SSRF (Server Side Request Forgery) in getRemoteImage.php in Ueditor in ...) NOT-FOR-US: Onethink CVE-2017-14322 (The function in charge to check whether the user is already logged in ...) NOT-FOR-US: Interspire Email Marketer CVE-2017-14321 (Multiple cross-site scripting (XSS) vulnerabilities in the administrat ...) NOT-FOR-US: Mirasvit Helpdesk MX CVE-2017-14320 (Mirasvit Helpdesk MX before 1.5.3 might allow remote attackers to exec ...) NOT-FOR-US: Mirasvit Helpdesk MX CVE-2017-14319 (A grant unmapping issue was discovered in Xen through 4.9.x. When remo ...) {DSA-4050-1 DLA-1549-1 DLA-1132-1} - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-234.html CVE-2017-14318 (An issue was discovered in Xen 4.5.x through 4.9.x. The function `__gn ...) {DSA-4050-1 DLA-1132-1} - xen 4.8.2+xsa245-0+deb9u1 [jessie] - xen (Only affects 4.5 and later) NOTE: https://xenbits.xen.org/xsa/advisory-232.html NOTE: Wheezy will be affected with the upcoming grant table backport CVE-2017-14317 (A domain cleanup issue was discovered in the C xenstore daemon (aka cx ...) 
{DSA-4050-1 DLA-1549-1 DLA-1132-1} - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-233.html CVE-2017-14316 (A parameter verification issue was discovered in Xen through 4.9.x. Th ...) {DSA-4050-1 DLA-1549-1 DLA-1132-1} - xen 4.8.2+xsa245-0+deb9u1 NOTE: https://xenbits.xen.org/xsa/advisory-231.html CVE-2017-14315 (In Apple iOS 7 through 9, due to a BlueBorne flaw in the implementatio ...) NOT-FOR-US: Apple CVE-2017-14314 (Off-by-one error in the DrawImage function in magick/render.c in Graph ...) {DSA-4321-1 DLA-1401-1 DLA-1130-1} - graphicsmagick 1.3.26-10 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/2835184bfb78 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/448/ CVE-2017-14312 (Nagios Core through 4.3.4 initially executes /usr/sbin/nagios as root ...) - nagios3 (Doesn't affect Nagios as packaged in Debian) NOTE: https://github.com/NagiosEnterprises/nagioscore/issues/424 NOTE: State is not fully correct, since "affected" source would be there. CVE-2017-15596 (An issue was discovered in Xen 4.4.x through 4.9.x allowing ARM guest ...) {DSA-3969-1} - xen 4.8.1-1+deb9u3 [wheezy] - xen (No arm support in Wheezy) NOTE: https://xenbits.xen.org/xsa/advisory-235.html CVE-2017-14311 (The Winring0x32.sys driver in NetMechanica NetDecision 5.8.2 allows lo ...) NOT-FOR-US: NetMechanica NetDecision CVE-2017-14310 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14309 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14308 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14307 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14306 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) 
NOT-FOR-US: STDU Viewer CVE-2017-14305 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14304 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14303 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14302 (STDU Viewer 1.6.375 allows attackers to cause a denial of service or p ...) NOT-FOR-US: STDU Viewer CVE-2017-14301 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14300 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14299 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14298 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14297 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14296 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14295 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14294 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14293 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14292 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14291 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14290 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14289 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) 
NOT-FOR-US: STDU Viewer CVE-2017-14288 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14287 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14286 (STDU Viewer 1.6.375 allows attackers to execute arbitrary code or caus ...) NOT-FOR-US: STDU Viewer CVE-2017-14285 (XnView Classic for Windows Version 2.40 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-14284 (XnView Classic for Windows Version 2.40 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-14283 (XnView Classic for Windows Version 2.40 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-14282 (XnView Classic for Windows Version 2.40 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-14281 (XnView Classic for Windows Version 2.40 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-14280 (XnView Classic for Windows Version 2.40 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-14279 (XnView Classic for Windows Version 2.40 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-14278 (XnView Classic for Windows Version 2.40 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-14277 (XnView Classic for Windows Version 2.40 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-14276 (XnView Classic for Windows Version 2.40 allows attackers to cause a de ...) NOT-FOR-US: XnView CVE-2017-14275 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-14274 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-14273 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-14272 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) 
NOT-FOR-US: XnView CVE-2017-14271 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-14270 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-14482 (GNU Emacs before 25.3 allows remote attackers to execute arbitrary cod ...) {DSA-3975-1 DSA-3970-1 DLA-1101-1} - emacs25 25.2+1-6 (bug #875447) - emacs24 (bug #875448) - emacs23 (bug #875449) NOTE: https://www.openwall.com/lists/oss-security/2017/09/11/1 NOTE: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=28350 NOTE: https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-25&id=9ad0fcc54442a9a01d41be19880250783426db70 CVE-2017-14313 (The shibboleth_login_form function in shibboleth.php in the Shibboleth ...) {DSA-3973-1 DLA-1096-1} - wordpress-shibboleth 1.8-1 (bug #874416) NOTE: https://github.com/michaelryanmcneill/shibboleth/commit/1d65ad6786282d23ba1865f56e2fd19188e7c26a NOTE: https://make.wordpress.org/plugins/2015/04/20/fixing-add_query_arg-and-remove_query_arg-usage/ CVE-2017-14269 (EE 4GEE WiFi MBB (before EE60_00_05.00_31) devices allow remote attack ...) NOT-FOR-US: EE 4GEE WiFi MBB CVE-2017-14268 (EE 4GEE WiFi MBB (before EE60_00_05.00_31) devices have XSS in the sms ...) NOT-FOR-US: EE 4GEE WiFi MBB CVE-2017-14267 (EE 4GEE WiFi MBB (before EE60_00_05.00_31) devices have CSRF, related ...) NOT-FOR-US: EE 4GEE WiFi MBB CVE-2017-14266 (tcprewrite in Tcpreplay 3.4.4 has a Heap-Based Buffer Overflow vulnera ...) - tcpreplay 3.4.4-3 [jessie] - tcpreplay 3.4.4-2+deb8u1 [wheezy] - tcpreplay 3.4.3-2+wheezy2 NOTE: Fixed by http://launchpadlibrarian.net/270778908/tcpreplay_3.4.4-2_3.4.4-3.diff.gz NOTE: Not a duplicate of CVE-2016-6160 the detailed MITRE description, but both issues NOTE: are addressed with the same patch: NOTE: Patch enforce-maxpacket.patch addresses the issue CVE-2017-14265 (A Stack-based Buffer Overflow was discovered in xtrans_interpolate in ...) 
- libraw 0.18.5-1 [stretch] - libraw (Minor issue) [jessie] - libraw (Minor issue) [wheezy] - libraw (Vulnerable code not present) NOTE: https://github.com/LibRaw/LibRaw/issues/99 NOTE: https://github.com/LibRaw/LibRaw/commit/82616eff4c7f7437e96bdeeed238c3ef3dc12d60 CVE-2017-14264 RESERVED CVE-2017-14263 (Honeywell NVR devices allow remote attackers to create a user account ...) NOT-FOR-US: Honeywell CVE-2017-14262 (On Samsung NVR devices, remote attackers can read the MD5 password has ...) NOT-FOR-US: Samsung CVE-2017-14261 (In the SDK in Bento4 1.5.0-616, the AP4_StszAtom class in Ap4StszAtom. ...) NOT-FOR-US: Bento4 CVE-2017-14260 (In the SDK in Bento4 1.5.0-616, the AP4_StssAtom class in Ap4StssAtom. ...) NOT-FOR-US: Bento4 CVE-2017-14259 (In the SDK in Bento4 1.5.0-616, the AP4_StscAtom class in Ap4StscAtom. ...) NOT-FOR-US: Bento4 CVE-2017-14258 (In the SDK in Bento4 1.5.0-616, SetItemCount in Core/Ap4StscAtom.h fil ...) NOT-FOR-US: Bento4 CVE-2017-14257 (In the SDK in Bento4 1.5.0-616, AP4_AtomSampleTable::GetSample in Core ...) NOT-FOR-US: Bento4 CVE-2017-14256 RESERVED CVE-2017-14255 RESERVED CVE-2017-14254 RESERVED CVE-2017-14253 RESERVED CVE-2017-14252 (SQL Injection exists in the EyesOfNetwork web interface (aka eonweb) 5 ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14251 (Unrestricted File Upload vulnerability in the fileDenyPattern in sysex ...) - typo3-src [wheezy] - typo3-src (Not supported in Wheezy LTS) CVE-2017-14250 (In TP-LINK TL-WR741N / TL-WR741ND 150M Wireless Lite N Router with Fir ...) NOT-FOR-US: TP-LINK Router CVE-2017-14249 (ImageMagick 7.0.6-8 Q16 mishandles EOF checks in ReadMPCImage in coder ...) 
{DLA-2366-1 DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #876099) NOTE: https://github.com/ImageMagick/ImageMagick/issues/708 NOTE: https://github.com/ImageMagick/ImageMagick/commit/2071d67ebf729f76d73c33c1152df4816d1d79ac NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/66112b7a7b64f688efe6fec53a829874a74dea04 CVE-2017-14248 (A heap-based buffer over-read in SampleImage() in MagickCore/resize.c ...) - imagemagick (Vulnerable code introduced later) NOTE: https://github.com/ImageMagick/ImageMagick/issues/717 NOTE: https://github.com/ImageMagick/ImageMagick/commit/c5402b6e0fcf8b694ae2af6a6652ebb8ce0ccf46 CVE-2017-14247 (SQL Injection exists in the EyesOfNetwork web interface (aka eonweb) 5 ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14246 (An out of bounds read in the function d2ulaw_array() in ulaw.c of libs ...) {DLA-2418-1 DLA-1618-1} - libsndfile 1.0.28-5 (low; bug #876682) [wheezy] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/317 NOTE: https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f CVE-2017-14245 (An out of bounds read in the function d2alaw_array() in alaw.c of libs ...) {DLA-2418-1 DLA-1618-1} - libsndfile 1.0.28-5 (low; bug #876682) [wheezy] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/317 NOTE: https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f CVE-2017-14244 (An authentication bypass vulnerability on iBall Baton ADSL2+ Home Rout ...) NOT-FOR-US: iBall CVE-2017-14243 (An authentication bypass vulnerability on UTStar WA3002G4 ADSL Broadba ...) NOT-FOR-US: UTStar CVE-2017-14242 (SQL injection vulnerability in don/list.php in Dolibarr version 6.0.0 ...) - dolibarr (bug #885319) NOTE: https://github.com/Dolibarr/dolibarr/commit/33e2179b65331d9d9179b59d746817c5be1fecdb CVE-2017-14241 (Cross-site scripting (XSS) vulnerability in Dolibarr ERP/CRM 6.0.0 all ...) 
- dolibarr (bug #885320) NOTE: https://github.com/Dolibarr/dolibarr/commit/d26b2a694de30f95e46ea54ea72cc54f0d38e548 CVE-2017-14240 (There is a sensitive information disclosure vulnerability in document. ...) - dolibarr (bug #885320) NOTE: https://github.com/Dolibarr/dolibarr/commit/d26b2a694de30f95e46ea54ea72cc54f0d38e548 CVE-2017-14239 (Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CR ...) - dolibarr (bug #885320) NOTE: https://github.com/Dolibarr/dolibarr/commit/d26b2a694de30f95e46ea54ea72cc54f0d38e548 CVE-2017-14238 (SQL injection vulnerability in admin/menus/edit.php in Dolibarr ERP/CR ...) - dolibarr (bug #885320) NOTE: https://github.com/Dolibarr/dolibarr/commit/d26b2a694de30f95e46ea54ea72cc54f0d38e548 CVE-2017-14237 RESERVED CVE-2017-14236 RESERVED CVE-2017-14235 RESERVED CVE-2017-14234 RESERVED CVE-2017-14233 RESERVED CVE-2017-14232 (The read_chunk function in flif-dec.cpp in Free Lossless Image Format ...) - flif CVE-2017-14231 (GeniXCMS before 1.1.0 allows remote attackers to cause a denial of ser ...) NOT-FOR-US: GenixCMS CVE-2017-14230 (In the mboxlist_do_find function in imap/mboxlist.c in Cyrus IMAP befo ...) - cyrus-imapd (Vulnerable code introduced later) - cyrus-imapd-2.4 (Vulnerable code introduced later) NOTE: Fixed by: https://github.com/cyrusimap/cyrus-imapd/commit/6bd33275368edfa71ae117de895488584678ac79 NOTE: Introduced by: https://github.com/cyrusimap/cyrus-imapd/commit/1fe918087237f55e09a37fa414bf988873739021 (cyrus-imapd-3.0.0-beta1) NOTE: https://github.com/cyrusimap/cyrus-imapd/issues/2132 CVE-2017-14229 (There is an infinite loop in the jpc_dec_tileinit function in jpc/jpc_ ...) - jasper [jessie] - jasper (Minor issue) [wheezy] - jasper (Minor issue) NOTE: https://github.com/mdadams/jasper/issues/146 NOTE: Possible false-positive, cf. https://github.com/mdadams/jasper/issues/146#issuecomment-330674648 CVE-2017-14228 (In Netwide Assembler (NASM) 2.14rc0, there is an illegal address acces ...) 
- nasm 2.13.02-0.1 (unimportant; bug #874731) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392423 NOTE: Crash in CLI tool, no security impact CVE-2017-14227 (In MongoDB libbson 1.7.0, the bson_iter_codewscope function in bson-it ...) - libbson 1.8.0-1 (bug #874754) [stretch] - libbson (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1489355 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1489356 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1489362 NOTE: Latest https://github.com/mongodb/libbson/commit/0f501e7ed51a42d5502d319bce35b41f1a3aa112 (1.7.0-rc0) NOTE: uncovers the issue, which introduces UTF-8 validation during JSON encoding. NOTE: Only after that the utf8_len=4294967295 as shown with the POC is passed to NOTE: bson_utf8_validate via src/bson/bson-iter.c:2069 NOTE: Still the underlying issue in bson-iter.c when parsing BSON with a codewscope NOTE: type is present in earlier versions. NOTE: Upstream issue: https://jira.mongodb.org/browse/CDRIVER-2269 NOTE: Fixed by: https://github.com/mongodb/libbson/commit/42900956dc461dfe7fb91d93361d10737c1602b3 CVE-2017-14226 (WP1StylesListener.cpp, WP5StylesListener.cpp, and WP42StylesListener.c ...) - libwpd 0.10.2-1 (bug #876001) [stretch] - libwpd 0.10.1-5+deb9u1 [jessie] - libwpd 0.10.0-2+deb8u1 [wheezy] - libwpd (Vulnerable code does not exist) NOTE: https://bugs.documentfoundation.org/show_bug.cgi?id=112269 NOTE: https://sourceforge.net/p/libwpd/code/ci/0329a9c57f9b3b0efa0f09a5235dfd90236803a5/ NOTE: https://sourceforge.net/p/libwpd/code/ci/f40827b3eae260ce657c67d9fecc855b09dea3c3/ CVE-2017-14225 (The av_color_primaries_name function in libavutil/pixdesc.c in FFmpeg ...) {DSA-3996-1} - ffmpeg 7:3.3.4-1 (low) - libav [jessie] - libav (Vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/837cb4325b712ff1aab531bf41668933f61d75d2 CVE-2017-14224 (A heap-based buffer overflow in WritePCXImage in coders/pcx.c in Image ...) 
{DSA-4040-1 DSA-4032-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #876097) NOTE: https://github.com/ImageMagick/ImageMagick/issues/733 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/7f2d6fe34d695d3445e2d50937db5541a1b76bde NOTE: https://github.com/ImageMagick/ImageMagick/commit/c6409227c430f114b6425337e64b848535b62e0b CVE-2017-14223 (In libavformat/asfdec_f.c in FFmpeg 3.3.3, a DoS in asf_build_simple_i ...) {DSA-3996-1 DLA-1654-1} - ffmpeg 7:3.3.4-1 (low) - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/afc9c683ed9db01edb357bc8c19edad4282b3a97 CVE-2017-14222 (In libavformat/mov.c in FFmpeg 3.3.3, a DoS in read_tfra() due to lack ...) {DSA-3996-1} - ffmpeg 7:3.3.4-1 (low) - libav [jessie] - libav (vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/9cb4eb772839c5e1de2855d126bf74ff16d13382 CVE-2017-14221 RESERVED CVE-2017-14220 RESERVED CVE-2017-14219 (XSS (persistent) on the Intelbras Wireless N 150Mbps router with firmw ...) NOT-FOR-US: Intelbras Wireless N 150Mbps router CVE-2017-14218 RESERVED CVE-2017-14217 RESERVED CVE-2017-14216 RESERVED CVE-2017-14215 RESERVED CVE-2017-14214 RESERVED CVE-2017-14213 RESERVED CVE-2017-14212 RESERVED CVE-2017-14211 RESERVED CVE-2017-14210 RESERVED CVE-2017-14209 RESERVED CVE-2017-14208 REJECTED CVE-2017-14207 REJECTED CVE-2017-14206 REJECTED CVE-2017-14205 REJECTED CVE-2017-14204 REJECTED CVE-2017-14203 REJECTED CVE-2017-14202 (Improper Restriction of Operations within the Bounds of a Memory Buffe ...) NOT-FOR-US: Zephyr CVE-2017-14201 (Use After Free vulnerability in the Zephyr shell allows a serial or te ...) NOT-FOR-US: Zephyr CVE-2017-14200 REJECTED CVE-2017-14199 (A buffer overflow has been found in the Zephyr Project's getaddrinfo() ...) NOT-FOR-US: Zephyr OS CVE-2017-14198 (An issue was discovered in Squiz Matrix before 5.3.6.1 and 5.4.x befor ...) NOT-FOR-US: Squiz Matrix CVE-2017-14197 (An issue was discovered in Squiz Matrix before 5.3.6.1 and 5.4.x befor ...) 
NOT-FOR-US: Squiz Matrix CVE-2017-14196 (An issue was discovered in Squiz Matrix from 5.3 through to 5.3.6.1 an ...) NOT-FOR-US: Squiz Matrix CVE-2017-14195 (The call_msg function in controllers/Form.php in dayrui FineCms 5.0.11 ...) NOT-FOR-US: dayrui FineCms CVE-2017-14194 (The out function in controllers/member/Login.php in dayrui FineCms 5.0 ...) NOT-FOR-US: dayrui FineCms CVE-2017-14193 (The oauth function in controllers/member/api.php in dayrui FineCms 5.0 ...) NOT-FOR-US: dayrui FineCms CVE-2017-14192 (The checktitle function in controllers/member/api.php in dayrui FineCm ...) NOT-FOR-US: dayrui FineCms CVE-2017-14191 (An Improper Access Control vulnerability in Fortinet FortiWeb 5.6.0 up ...) NOT-FOR-US: Fortinet CVE-2017-14190 (A Cross-site Scripting vulnerability in Fortinet FortiOS 5.6.0 to 5.6. ...) NOT-FOR-US: Fortinet FortiOS CVE-2017-14189 (An improper access control vulnerability in Fortinet FortiWebManager 5 ...) NOT-FOR-US: Fortinet CVE-2017-14188 RESERVED CVE-2017-14187 (A local privilege escalation and local code execution vulnerability in ...) NOT-FOR-US: Fortinet CVE-2017-14186 (A Cross-site Scripting (XSS) vulnerability in Fortinet FortiOS 6.0.0 t ...) NOT-FOR-US: Fortinet CVE-2017-14185 (An Information Disclosure vulnerability in Fortinet FortiOS 5.6.0 to 5 ...) NOT-FOR-US: Fortinet FortiOS CVE-2017-14184 (An Information Disclosure vulnerability in Fortinet FortiClient for Wi ...) NOT-FOR-US: Fortinet CVE-2017-14183 RESERVED CVE-2017-14182 (A Denial of Service (DoS) vulnerability in Fortinet FortiOS 5.4.0 to 5 ...) NOT-FOR-US: Fortinet CVE-2017-14180 (Apport 2.13 through 2.20.7 does not properly handle crashes originatin ...) NOT-FOR-US: Apport CVE-2017-14179 (Apport before 2.13 does not properly handle crashes originating from a ...) NOT-FOR-US: Apport CVE-2017-14178 (In snapd 2.27 through 2.29.2 the 'snap logs' command could be made to ...) 
- snapd 2.30-1 [stretch] - snapd (Issue introduced in 2.27) NOTE: https://launchpad.net/bugs/1730255 CVE-2017-14177 (Apport through 2.20.7 does not properly handle core dumps from setuid ...) NOT-FOR-US: Apport CVE-2017-14181 (DeleteBitBuffer in libbitbuf/bitbuffer.c in mp4tools aacplusenc 0.17.5 ...) NOT-FOR-US: aacplusenc CVE-2017-14175 (In coders/xbm.c in ImageMagick 7.0.6-1 Q16, a DoS in ReadXBMImage() du ...) {DLA-2366-1 DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #875502) NOTE: https://github.com/ImageMagick/ImageMagick/issues/712 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/b8c63b156bf26b52e710b1a0643c846a6cd01e56 CVE-2017-14174 (In coders/psd.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSDLayersInte ...) {DLA-2366-1 DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #875503) NOTE: https://github.com/ImageMagick/ImageMagick/issues/714 NOTE: https://github.com/ImageMagick/ImageMagick/commit/04a567494786d5bb50894fc8bb8fea0cf496bea8 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/f68a98a9d385838a1c73ec960a14102949940a64 CVE-2017-14173 (In the function ReadTXTImage() in coders/txt.c in ImageMagick 7.0.6-10 ...) {DLA-2366-1 DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #875504) NOTE: https://github.com/ImageMagick/ImageMagick/issues/713 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/48bcf7c39302cdf9b0d9202ad03bf1b95152c44d CVE-2017-14172 (In coders/ps.c in ImageMagick 7.0.7-0 Q16, a DoS in ReadPSImage() due ...) {DLA-2366-1 DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #875506) NOTE: https://github.com/ImageMagick/ImageMagick/issues/715 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/8598a497e2d1f556a34458cf54b40ba40674734c CVE-2017-14171 (In libavformat/nsvdec.c in FFmpeg 2.4 and 3.3.3, a DoS in nsv_parse_NS ...) 
{DSA-3996-1 DLA-1630-1} - ffmpeg 7:3.3.4-1 (low) - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/c24bcb553650b91e9eff15ef6e54ca73de2453b7 CVE-2017-14170 (In libavformat/mxfdec.c in FFmpeg 3.3.3 -> 2.4, a DoS in mxf_read_i ...) {DSA-3996-1 DLA-1630-1} - ffmpeg 7:3.3.4-1 (low) - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/900f39692ca0337a98a7cf047e4e2611071810c2 CVE-2017-14169 (In the mxf_read_primer_pack function in libavformat/mxfdec.c in FFmpeg ...) {DSA-3996-1 DLA-1654-1} - ffmpeg 7:3.3.4-1 (low) - libav NOTE: libav in Jessie uses a different guard for item_num. Check whether NOTE: the guard is necessary at all. NOTE: https://github.com/FFmpeg/FFmpeg/commit/9d00fb9d70ee8c0cc7002b89318c5be00f1bbdad CVE-2017-14168 RESERVED CVE-2017-14167 (Integer overflow in the load_multiboot function in hw/i386/multiboot.c ...) {DSA-3991-1 DLA-1497-1 DLA-1129-1 DLA-1128-1} - qemu 1:2.10.0-1 (bug #874606) - qemu-kvm NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-09/msg01483.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1489375 CVE-2017-14163 (An issue was discovered in Mahara before 15.04.14, 16.x before 16.04.8 ...) - mahara CVE-2017-14162 RESERVED CVE-2017-14161 RESERVED CVE-2017-14166 (libarchive 3.3.2 allows remote attackers to cause a denial of service ...) {DSA-4360-1 DLA-1600-1 DLA-1092-1} - libarchive 3.2.2-3.1 (bug #874539) NOTE: https://www.openwall.com/lists/oss-security/2017/09/06/5 NOTE: https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71 NOTE: https://github.com/libarchive/libarchive/issues/935 CVE-2017-14165 (The ReadSUNImage function in coders/sun.c in GraphicsMagick 1.3.26 has ...) 
- graphicsmagick 1.3.26-9 (unimportant; bug #874724) NOTE: Fixed by: http://hg.code.sf.net/p/graphicsmagick/code/rev/493da54370aa NOTE: https://www.openwall.com/lists/oss-security/2017/09/06/4 NOTE: https://sourceforge.net/p/graphicsmagick/bugs/442/ CVE-2017-14160 (The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 ...) {DLA-2013-1} - libvorbis 1.3.6-2 (bug #876780) [stretch] - libvorbis (Minor issue) [wheezy] - libvorbis (Minor issue, can be revisited once fixed upstream) NOTE: https://www.openwall.com/lists/oss-security/2017/09/21/2 NOTE: https://www.openwall.com/lists/oss-security/2017/09/21/3 NOTE: https://gitlab.xiph.org/xiph/vorbis/issues/2330 NOTE: Upstream fix: https://gitlab.xiph.org/xiph/vorbis/commit/018ca26dece618457dd13585cad52941193c4a25 CVE-2017-14176 (Bazaar through 2.7.0, when Subprocess SSH is used, allows remote attac ...) {DSA-4052-1 DLA-1107-1} - bzr 2.7.0+bzr6622-7 (bug #874429) - breezy 3.0.0~bzr6772-1 NOTE: https://bugs.launchpad.net/bzr/+bug/1710979 CVE-2017-14159 (slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping ...) - openldap (unimportant) NOTE: http://www.openldap.org/its/index.cgi?findid=8703 NOTE: Negligible security impact, but filed #877512 CVE-2017-14158 (Scrapy 1.4 allows remote attackers to cause a denial of service (memor ...) - python-scrapy (unimportant; bug #875947) NOTE: http://blog.csdn.net/wangtua/article/details/75228728 NOTE: https://github.com/scrapy/scrapy/issues/482 NOTE: Negligible security impact CVE-2017-14157 RESERVED CVE-2017-14156 (The atyfb_ioctl function in drivers/video/fbdev/aty/atyfb_base.c in th ...) {DSA-3981-1 DLA-1099-1} - linux 4.12.13-1 (low) CVE-2017-14155 RESERVED CVE-2017-14154 RESERVED CVE-2017-14153 (This vulnerability allows local attackers to escalate privileges on Ju ...) NOT-FOR-US: Jungo WinDriver CVE-2017-14164 (A size-validation issue was discovered in opj_j2k_write_sot in lib/ope ...) 
- openjpeg2 (Incomplete fix for CVE-2017-14152 not applied) CVE-2017-14152 (A mishandled zero case was discovered in opj_j2k_set_cinema_parameters ...) {DSA-4013-1} - openjpeg2 2.3.0-1 (bug #874431) NOTE: https://blogs.gentoo.org/ago/2017/08/16/openjpeg-heap-based-buffer-overflow-in-opj_write_bytes_le-cio-c/ NOTE: https://github.com/uclouvain/openjpeg/commit/4241ae6fbbf1de9658764a80944dc8108f2b4154 NOTE: https://github.com/uclouvain/openjpeg/issues/985 NOTE: When fixing this issue make sure to apply the complete fix including the following NOTE: commit: NOTE: https://github.com/uclouvain/openjpeg/commit/dcac91b8c72f743bda7dbfa9032356bc8110098a NOTE: to not make openjpeg2 vulnerable to CVE-2017-14164. CVE-2017-14151 (An off-by-one error was discovered in opj_tcd_code_block_enc_allocate_ ...) - openjpeg2 2.3.0-1 (bug #874430) [stretch] - openjpeg2 2.1.2-1.1+deb9u2 [jessie] - openjpeg2 (Vulnerable code introduced later, see #874430) NOTE: https://blogs.gentoo.org/ago/2017/08/16/openjpeg-heap-based-buffer-overflow-in-opj_mqc_flush-mqc-c/ NOTE: https://github.com/uclouvain/openjpeg/commit/afb308b9ccbe129608c9205cf3bb39bbefad90b9 NOTE: https://github.com/uclouvain/openjpeg/issues/982 CVE-2017-1000254 (libcurl may read outside of a heap allocated buffer when doing FTP. Wh ...) {DSA-3992-1 DLA-1121-1} - curl 7.56.1-1 (bug #877671) NOTE: https://curl.haxx.se/docs/adv_20171004.html NOTE: Patch: https://curl.haxx.se/CVE-2017-1000254.patch NOTE: Introduced by: https://github.com/curl/curl/commit/415d2e7cb7 NOTE: Upstream fix: https://github.com/curl/curl/commit/5ff2c5ff25750aba1a8f64fbcad8e5b891512584 CVE-2017-1000253 (Linux distributions that have not patched their long-term kernels with ...) - linux 4.0.2-1 [jessie] - linux 3.16.7-ckt11-1 [wheezy] - linux 3.2.71-1 CVE-2017-1000252 (The KVM subsystem in the Linux kernel through 4.13.3 allows guest OS u ...) 
- linux 4.12.13-1 [stretch] - linux 4.9.30-2+deb9u5 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/3a8b0677fc6180a467e26cc32ce6b0c09a32f9bb (v4.14-rc1) NOTE: https://marc.info/?l=kvm&m=150549145711115&w=2 NOTE: https://marc.info/?l=kvm&m=150549146311117&w=2 CVE-2017-1000251 (The native Bluetooth stack in the Linux Kernel (BlueZ), starting at th ...) {DSA-3981-1 DLA-1099-1} - linux 4.12.13-1 (bug #875881) NOTE: Fixed by: https://git.kernel.org/linus/e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 NOTE: https://www.armis.com/blueborne/ NOTE: https://access.redhat.com/security/vulnerabilities/blueborne CVE-2017-1000250 (All versions of the SDP server in BlueZ 5.46 and earlier are vulnerabl ...) {DSA-3972-1 DLA-1103-1} - bluez 5.46-1 (bug #875633) NOTE: https://www.armis.com/blueborne/ NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=9e009647b14e810e06626dde7f1bb9ea3c375d09 CVE-2017-1000249 (An issue in file() was introduced in commit 9611f31313a93aa036389c5f3b ...) {DSA-3965-1} - file 1:5.32-1 [jessie] - file (Vulnerable code introduced later) [wheezy] - file (Vulnerable code introduced later) NOTE: Upstream fix: https://github.com/file/file/commit/35c94dc6acc418f1ad7f6241a6680e5327495793 NOTE: Introduced by: https://github.com/file/file/commit/9611f31313a93aa036389c5f3b15eea53510d4d1 CVE-2017-14150 RESERVED CVE-2017-14149 (GoAhead 3.4.0 through 3.6.5 has a NULL Pointer Dereference in the webs ...) NOT-FOR-US: GoAhead CVE-2017-14148 RESERVED CVE-2017-14147 (An issue was discovered on FiberHome User End Routers Bearing Model Nu ...) NOT-FOR-US: FiberHome CVE-2017-14146 (HelpDEZk 1.1.1 allows remote authenticated users to execute arbitrary ...) NOT-FOR-US: HelpDEZk CVE-2017-14145 (HelpDEZk 1.1.1 has SQL Injection in app\modules\admin\controllers\logi ...) 
NOT-FOR-US: HelpDEZk CVE-2017-14144 RESERVED CVE-2017-14143 (The getUserzoneCookie function in Kaltura before 13.2.0 uses a hardcod ...) NOT-FOR-US: Kaltura CVE-2017-14142 (Multiple cross-site scripting (XSS) vulnerabilities in Kaltura before ...) NOT-FOR-US: Kaltura CVE-2017-14141 (The wiki_decode Developer System Helper function in the admin panel in ...) NOT-FOR-US: Kaltura CVE-2017-14140 (The move_pages system call in mm/migrate.c in the Linux kernel before ...) {DSA-3981-1 DLA-1099-1} - linux 4.12.12-1 NOTE: Fixed by: https://git.kernel.org/linus/197e7e521384a23b9e585178f3f11c9fa08274b9 CVE-2017-14139 (ImageMagick 7.0.6-2 has a memory leak vulnerability in WriteMSLImage i ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/578 NOTE: https://github.com/ImageMagick/ImageMagick/commit/955bd1008a5371bbd1b8db0a1e41e333ebfc63ef NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/dbe0008c6fa225d01085ca86f3e425c306ee6240 NOTE: Requires: https://github.com/ImageMagick/ImageMagick/commit/d426a1dc84cfdafdac67bdb2a1ecc6e1798053e6 NOTE: Requires: https://github.com/ImageMagick/ImageMagick/commit/0dfce0579c881245e495aa2d8d114e63b96a860e CVE-2017-14138 (ImageMagick 7.0.6-5 has a memory leak vulnerability in ReadWEBPImage i ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/639 CVE-2017-14137 (ReadWEBPImage in coders/webp.c in ImageMagick 7.0.6-5 has an issue whe ...) 
- imagemagick 8:6.9.9.34+dfsg-3 (unimportant) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/641 NOTE: https://github.com/ImageMagick/ImageMagick/commit/cb63560ba25e4a6c51ab282538c24877fff7d471 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/cfc2bd4c87481d4cf60308cc6ffd3c61288ff004 NOTE: ImageMagick in Debian not compiled with webp support (--with-webp=yes) CVE-2017-14136 (OpenCV (Open Source Computer Vision Library) 3.3 has an out-of-bounds ...) - opencv (Incomplete patch never shipped) NOTE: https://github.com/opencv/opencv/issues/9443 NOTE: https://github.com/opencv/opencv/pull/9448 CVE-2017-14135 (enigma2-plugins/blob/master/webadmin/src/WebChilds/Script.py in the we ...) NOT-FOR-US: webadmin plugin for opendreambox CVE-2017-14134 (A Reflected XSS Vulnerability affects the forgotten password page of M ...) NOT-FOR-US: Maplesoft Maple CVE-2017-14133 RESERVED CVE-2017-14132 (JasPer 1.900.8, 1.900.9, 1.900.10, 1.900.11, 1.900.12, 1.900.13, 1.900 ...) {DLA-1583-1} - jasper (low) [wheezy] - jasper (Minor issue) NOTE: https://github.com/mdadams/jasper/issues/147 NOTE: The suggested fix by thoger addresses the reported issue. CVE-2017-14131 RESERVED CVE-2017-14130 (The _bfd_elf_parse_attributes function in elf-attrs.c in the Binary Fi ...) - binutils 2.29-9 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22058 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=2a143b99fc4a5094a9cf128f3184d8e6818c8229 CVE-2017-14129 (The read_section function in dwarf2.c in the Binary File Descriptor (B ...) 
- binutils 2.29-10 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22047 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e4f2723003859dc6b33ca0dadbc4a7659ebf1643 CVE-2017-14128 (The decode_line_info function in dwarf2.c in the Binary File Descripto ...) - binutils 2.29-9 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22059 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7e8b60085eb3e6f2c41bc0c00c0d759fa7f72780 CVE-2017-14127 (Command Injection in the Ping Module in the Web Interface on Technicol ...) NOT-FOR-US: Technicolor CVE-2017-14126 (The Participants Database plugin before 1.7.5.10 for WordPress has XSS ...) NOT-FOR-US: Wordpress plugin CVE-2017-14125 (SQL injection vulnerability in the Responsive Image Gallery plugin bef ...) NOT-FOR-US: Responsive Image Gallery plugin for WordPress CVE-2017-14124 (In eLux RP 5.x before 5.5.1000 LTSR and 5.6.x before 5.6.2 CR when cla ...) NOT-FOR-US: eLux CVE-2017-14123 (Zoho ManageEngine Firewall Analyzer 12200 has an unrestricted File Upl ...) NOT-FOR-US: Zoho ManageEngine CVE-2017-14122 (unrar 0.0.1 (aka unrar-free or unrar-gpl) suffers from a stack-based b ...) {DLA-2567-1} - unrar-free 1:0.0.1+cvs20140707-4 (unimportant; bug #874060) NOTE: https://www.openwall.com/lists/oss-security/2017/08/20/1 NOTE: Crash in CLI tool, no security impact CVE-2017-14121 (The DecodeNumber function in unrarlib.c in unrar 0.0.1 (aka unrar-free ...) {DLA-2567-1} - unrar-free 1:0.0.1+cvs20140707-4 (unimportant; bug #874061) NOTE: https://www.openwall.com/lists/oss-security/2017/08/20/1 NOTE: Crash in CLI tool, no security impact CVE-2017-14120 (unrar 0.0.1 (aka unrar-free or unrar-gpl) suffers from a directory tra ...) 
{DLA-2567-1 DLA-1091-1} - unrar-free 1:0.0.1+cvs20140707-2 (bug #874059) [jessie] - unrar-free (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/08/20/1 NOTE: Proposed patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=874059;filename=874059.diff.txt;msg=29 CVE-2017-14119 (In the EyesOfNetwork web interface (aka eonweb) 5.1-0, module\tool_all ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14118 (In the EyesOfNetwork web interface (aka eonweb) 5.1-0, module\tool_all ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14117 (The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG589 and NVG5 ...) NOT-FOR-US: Arris CVE-2017-14116 (The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG599 device, ...) NOT-FOR-US: Arris CVE-2017-14115 (The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG589 and NVG5 ...) NOT-FOR-US: Arris CVE-2017-14114 (RTPproxy through 2.2.alpha.20160822 has a NAT feature that results in ...) - rtpproxy (unimportant; bug #874070) NOTE: https://rtpbleed.com/ NOTE: https://github.com/sippy/rtpproxy/issues/70 NOTE: Design limitation in RTP protocol CVE-2017-14113 REJECTED CVE-2017-14112 RESERVED CVE-2017-14111 (The workstation logging function in Philips IntelliSpace Cardiovascula ...) NOT-FOR-US: Philips IntelliSpace Cardiovascular and Xcelera CVE-2017-14110 RESERVED CVE-2017-1000201 (The tcmu-runner daemon in tcmu-runner version 1.0.5 to 1.2.0 is vulner ...) NOT-FOR-US: tcmu-runner CVE-2017-1000200 (tcmu-runner version 1.0.5 to 1.2.0 is vulnerable to a dbus triggered N ...) NOT-FOR-US: tcmu-runner CVE-2017-1000199 (tcmu-runner version 0.91 up to 1.20 is vulnerable to information discl ...) NOT-FOR-US: tcmu-runner CVE-2017-1000198 (tcmu-runner daemon version 0.9.0 to 1.2.0 is vulnerable to invalid mem ...) NOT-FOR-US: tcmu-runner CVE-2017-14109 RESERVED CVE-2017-14108 (libgedit.a in GNOME gedit through 3.22.1 allows remote attackers to ca ...) 
- gedit (unimportant; bug #875311) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=791037 NOTE: negligible security impact CVE-2017-14107 (The _zip_read_eocd64 function in zip_open.c in libzip before 1.3.0 mis ...) [experimental] - libzip 1.3.0+dfsg.1-1 - libzip 1.5.1-3 (low; bug #874010) [stretch] - libzip (Minor issue) [jessie] - libzip (Minor issue) [wheezy] - libzip (Minor issue) - php5 (unimportant) [jessie] - php5 5.6.33+dfsg-0+deb8u1 NOTE: https://blogs.gentoo.org/ago/2017/09/01/libzip-memory-allocation-failure-in-_zip_cdir_grow-zip_dirent-c/ NOTE: https://github.com/nih-at/libzip/commit/9b46957ec98d85a572e9ef98301247f39338a3b5 NOTE: PHP commit: https://github.com/php/php-src/commit/f6e8ce812174343b5c9fd1860f9e2e2864428567 NOTE: Marked as unimportant, php5 uses system libzip since 5.4.5-1 CVE-2017-14105 (HiveManager Classic through 8.1r1 allows arbitrary JSP code execution ...) NOT-FOR-US: HiveManager CVE-2017-14104 RESERVED CVE-2017-14106 (The tcp_disconnect function in net/ipv4/tcp.c in the Linux kernel befo ...) {DSA-3981-1 DLA-1099-1} - linux 4.12.6-1 NOTE: Fixed by: https://git.kernel.org/linus/499350a5a6e7512d9ed369ed63a4244b6536f4f8 (v4.12-rc3) CVE-2017-14103 (The ReadJNGImage and ReadOneJNGImage functions in coders/png.c in Grap ...) {DLA-1130-1} - graphicsmagick 1.3.26-8 [stretch] - graphicsmagick (Incomplete fix for CVE-2017-11403 not applied) [jessie] - graphicsmagick (Incomplete fix for CVE-2017-11403 not applied) NOTE: Fixed by: http://hg.code.sf.net/p/graphicsmagick/code/rev/98721124e51f NOTE: https://www.openwall.com/lists/oss-security/2017/09/01/6 NOTE: https://blogs.gentoo.org/ago/2017/07/12/graphicsmagick-use-after-free-in-closeblob-blob-c/ CVE-2017-14102 (MIMEDefang 2.80 and earlier creates a PID file after dropping privileg ...) 
- mimedefang 2.83-1 (bug #877363) [stretch] - mimedefang (Minor issue) [jessie] - mimedefang (Minor issue) [wheezy] - mimedefang (Minor issue only exploitable if daemon is compromised in some other way) NOTE: http://lists.roaringpenguin.com/pipermail/mimedefang/2017-August/038077.html NOTE: http://lists.roaringpenguin.com/pipermail/mimedefang/2017-August/038085.html CVE-2017-14101 (A security researcher found an XML External Entity (XXE) vulnerability ...) NOT-FOR-US: Conserus Image Repository CVE-2017-14097 (An improper access control vulnerability in Trend Micro Smart Protecti ...) NOT-FOR-US: Trend Micro CVE-2017-14096 (A stored cross site scripting (XSS) vulnerability in Trend Micro Smart ...) NOT-FOR-US: Trend Micro CVE-2017-14095 (A vulnerability in Trend Micro Smart Protection Server (Standalone) ve ...) NOT-FOR-US: Trend Micro CVE-2017-14094 (A vulnerability in Trend Micro Smart Protection Server (Standalone) ve ...) NOT-FOR-US: Trend Micro CVE-2017-14093 (The Log Query and Quarantine Query pages in Trend Micro ScanMail for E ...) NOT-FOR-US: Trend Micro ScanMail for Exchange CVE-2017-14092 (The absence of Anti-CSRF tokens in Trend Micro ScanMail for Exchange 1 ...) NOT-FOR-US: Trend Micro ScanMail for Exchange CVE-2017-14091 (A vulnerability in Trend Micro ScanMail for Exchange 12.0 exists in wh ...) NOT-FOR-US: Trend Micro ScanMail for Exchange CVE-2017-14090 (A vulnerability in Trend Micro ScanMail for Exchange 12.0 exists in wh ...) NOT-FOR-US: Trend Micro ScanMail for Exchange CVE-2017-14089 (An Unauthorized Memory Corruption vulnerability in Trend Micro OfficeS ...) NOT-FOR-US: Trend Micro CVE-2017-14088 (Memory Corruption Privilege Escalation vulnerabilities in Trend Micro ...) NOT-FOR-US: Trend Micro CVE-2017-14087 (A Host Header Injection vulnerability in Trend Micro OfficeScan XG (12 ...) NOT-FOR-US: Trend Micro CVE-2017-14086 (Pre-authorization Start Remote Process vulnerabilities in Trend Micro ...) 
NOT-FOR-US: Trend Micro CVE-2017-14085 (Information disclosure vulnerabilities in Trend Micro OfficeScan 11.0 ...) NOT-FOR-US: Trend Micro CVE-2017-14084 (A potential Man-in-the-Middle (MitM) attack vulnerability in Trend Mic ...) NOT-FOR-US: Trend Micro CVE-2017-14083 (A vulnerability in Trend Micro OfficeScan 11.0 and XG allows remote un ...) NOT-FOR-US: Trend Micro CVE-2017-14082 (An uninitialized pointer information disclosure vulnerability in Trend ...) NOT-FOR-US: Trend Micro CVE-2017-14081 (Proxy command injection vulnerabilities in Trend Micro Mobile Security ...) NOT-FOR-US: Trend Micro Mobile Security CVE-2017-14080 (Authentication bypass vulnerability in Trend Micro Mobile Security (En ...) NOT-FOR-US: Trend Micro Mobile Security CVE-2017-14079 (Unrestricted file uploads in Trend Micro Mobile Security (Enterprise) ...) NOT-FOR-US: Trend Micro Mobile Security CVE-2017-14078 (SQL Injection vulnerabilities in Trend Micro Mobile Security (Enterpri ...) NOT-FOR-US: Trend Micro Mobile Security CVE-2017-14098 (In the pjsip channel driver (res_pjsip) in Asterisk 13.x before 13.17. ...) - asterisk 1:13.17.1~dfsg-1 (bug #873909) [stretch] - asterisk (Vulnerable code not present; issue introduced in 13.15) [jessie] - asterisk (Vulnerable code not present; issue introduced in 13.15) [wheezy] - asterisk (Vulnerable code not present; issue introduced in 13.15) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27152 NOTE: Fix: https://gerrit.asterisk.org/#/q/topic:ASTERISK-27152 CVE-2017-14100 (In Asterisk 11.x before 11.25.2, 13.x before 13.17.1, and 14.x before ...) {DSA-3964-1 DLA-1122-1} - asterisk 1:13.17.1~dfsg-1 (bug #873908) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27103 NOTE: Fix: https://gerrit.asterisk.org/#/q/topic:ASTERISK-27103 CVE-2017-14099 (In res/res_rtp_asterisk.c in Asterisk 11.x before 11.25.2, 13.x before ...) {DSA-3964-1} - asterisk 1:13.17.1~dfsg-1 (bug #873907) [wheezy] - asterisk (strictrtp option is disabled by default. 
Too intrusive to backport) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-27013 NOTE: Fix: https://gerrit.asterisk.org/#/q/topic:ASTERISK-27013 CVE-2017-14077 (HTML Injection in Securimage 3.6.4 and earlier allows remote attackers ...) NOT-FOR-US: Securimage CVE-2017-14076 (SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the id paramet ...) NOT-FOR-US: NexusPHP CVE-2017-14075 (This vulnerability allows local attackers to escalate privileges on Ju ...) NOT-FOR-US: Jungo WinDriver CVE-2017-14074 RESERVED CVE-2017-14073 RESERVED CVE-2017-14072 RESERVED CVE-2017-14071 RESERVED CVE-2017-14070 (Cross Site Scripting (XSS) exists in NexusPHP 1.5.beta5.20120707 via t ...) NOT-FOR-US: NexusPHP CVE-2017-14069 (SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the usernw arr ...) NOT-FOR-US: NexusPHP CVE-2017-14068 RESERVED CVE-2017-14067 RESERVED CVE-2017-14066 RESERVED CVE-2017-14065 RESERVED CVE-2017-14064 (Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can e ...) {DSA-3966-1 DLA-1421-1 DLA-1114-1} - ruby2.3 2.3.3-1+deb9u1 (bug #873906) - ruby2.1 - ruby1.9.1 NOTE: https://bugs.ruby-lang.org/issues/13853 NOTE: https://github.com/flori/json/commit/8f782fd8e181d9cfe9387ded43a5ca9692266b85 CVE-2017-14062 (Integer overflow in the decode_digit function in puny_decode.c in Libi ...) {DSA-3988-1 DLA-1447-1 DLA-1085-1 DLA-1084-1} - libidn2-0 2.0.2-4 (bug #873902) - libidn 1.33-2 (bug #873903) [stretch] - libidn 1.33-1+deb9u1 NOTE: https://gitlab.com/libidn/libidn2/commit/3284eb342cd0ed1a18786e3fcdf0cdd7e76676bd CVE-2017-14061 (Integer overflow in the _isBidi function in bidi.c in Libidn2 before 2 ...) 
- libidn2-0 2.0.2-4 (bug #873904) [stretch] - libidn2-0 (Vulnerable code not present) [jessie] - libidn2-0 (Vulnerable code not present) [wheezy] - libidn2-0 (Vulnerable code not present) - libidn (Vulnerable code not present) NOTE: https://gitlab.com/libidn/libidn2/commit/16853b6973a1e72fee2b7cccda85472cb9951305 CVE-2017-14060 (In ImageMagick 7.0.6-10, a NULL Pointer Dereference issue is present i ...) {DLA-2366-1 DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #878506) NOTE: https://github.com/ImageMagick/ImageMagick/issues/710 NOTE: https://github.com/ImageMagick/ImageMagick/commit/c535e1f1a6b1faaa35e007df4fc535ec08daa97c NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/5bdfef29f5e6744f36f25ec04583c6b6f4a13b48 CVE-2017-14059 (In FFmpeg 3.3.3, a DoS in cine_read_header() due to lack of an EOF che ...) {DSA-3996-1} - ffmpeg 7:3.3.4-1 (low) - libav [jessie] - libav (vulnerable code is not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/7e80b63ecd259d69d383623e75b318bf2bd491f6 CVE-2017-14058 (In FFmpeg 2.4 and 3.3.3, the read_data function in libavformat/hls.c d ...) {DSA-3996-1 DLA-1740-1} - ffmpeg 7:3.3.4-1 (low) - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/7ec414892ddcad88313848494b6fc5f437c9ca4a CVE-2017-14057 (In FFmpeg 3.3.3, a DoS in asf_read_marker() due to lack of an EOF (End ...) {DSA-3996-1 DLA-1630-1} - ffmpeg 7:3.3.4-1 (low) - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/7f9ec5593e04827249e7aeb466da06a98a0d7329 NOTE: libav: The vulnerable code is in asfdec.c. CVE-2017-14056 (In libavformat/rl2.c in FFmpeg 3.3.3, a DoS in rl2_read_header() due t ...) {DSA-3996-1 DLA-1630-1} - ffmpeg 7:3.3.4-1 (low) - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/96f24d1bee7fe7bac08e2b7c74db1a046c9dc0de CVE-2017-14055 (In libavformat/mvdec.c in FFmpeg 3.3.3, a DoS in mv_read_header() due ...) 
{DSA-3996-1 DLA-1630-1} - ffmpeg 7:3.3.4-1 (low) - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/4f05e2e2dc1a89f38cd9f0960a6561083d714f1e CVE-2017-14054 (In libavformat/rmdec.c in FFmpeg 3.3.3, a DoS in ivr_read_header() due ...) {DSA-3996-1} - ffmpeg 7:3.3.4-1 (low) - libav [jessie] - libav (vulnerable code is not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/124eb202e70678539544f6268efc98131f19fa49 CVE-2017-14053 (NetApp OnCommand Unified Manager for Clustered Data ONTAP before 7.2P1 ...) NOT-FOR-US: NetApp CVE-2017-14052 RESERVED CVE-2017-14063 (Async Http Client (aka async-http-client) before 2.0.35 can be tricked ...) - async-http-client (Vulnerable code introduced later after port to new Request API) NOTE: https://github.com/AsyncHttpClient/async-http-client/issues/1455 NOTE: https://github.com/AsyncHttpClient/async-http-client/commit/eb9e3347e45319be494db24d285a2aee4396f5d3 CVE-2017-14050 (In BlackCat CMS 1.2, backend/addons/install.php allows remote authenti ...) NOT-FOR-US: BlackCat CMS CVE-2017-14049 (In BlackCat CMS 1.2, backend/settings/ajax_save_settings.php allows re ...) NOT-FOR-US: BlackCat CMS CVE-2017-14048 (BlackCat CMS 1.2 allows remote authenticated users to inject arbitrary ...) NOT-FOR-US: BlackCat CMS CVE-2017-14047 RESERVED CVE-2017-14046 RESERVED CVE-2017-14045 RESERVED CVE-2017-14044 RESERVED CVE-2017-14043 RESERVED CVE-2017-14038 (CrushFTP before 7.8.0 and 8.x before 8.2.0 has a redirect vulnerabilit ...) NOT-FOR-US: CrushFTP CVE-2017-14037 (CrushFTP before 7.8.0 and 8.x before 8.2.0 has an HTTP header vulnerab ...) NOT-FOR-US: CrushFTP CVE-2017-14036 (CrushFTP before 7.8.0 and 8.x before 8.2.0 has XSS. ...) NOT-FOR-US: CrushFTP CVE-2017-14035 (CrushFTP 8.x before 8.2.0 has a serialization vulnerability. ...) NOT-FOR-US: CrushFTP CVE-2017-14051 (An integer overflow in the qla2x00_sysfs_write_optrom_ctl function in ...) 
{DLA-1200-1} - linux 4.12.13-1 (unimportant) [stretch] - linux 4.9.30-2+deb9u5 [jessie] - linux 3.16.43-2+deb8u5 NOTE: Fixed by: https://git.kernel.org/linus/e6f77540c067b48dee10f1e33678415bfcc89017 NOTE: https://patchwork.kernel.org/patch/9929625/ NOTE: Non issue, only "exploitable" with root access CVE-2017-14034 (The restore_tqb_pixels function in hevc_filter.c in libavcodec, as use ...) NOT-FOR-US: libbpg NOTE: Issue 3 from https://github.com/ebel34/bpg-web-encoder/issues/1 CVE-2017-14033 (The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2. ...) {DSA-4031-1 DLA-1421-1 DLA-1114-1} - ruby2.3 2.3.5-1 (bug #875928) - ruby2.1 - ruby1.9.1 - ruby1.8 (vulnerable code not present) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1058757 NOTE: https://www.ruby-lang.org/en/news/2017/09/14/openssl-asn1-buffer-underrun-cve-2017-14033/ NOTE: https://github.com/ruby/openssl/commit/1648afef33c1d97fb203c82291b8a61269e85d3b CVE-2017-14031 (An Improper Access Control issue was discovered in Trihedral VTScada 1 ...) NOT-FOR-US: Trihedral VTScada CVE-2017-14030 (An issue was discovered in Moxa MXview v2.8 and prior. The unquoted se ...) NOT-FOR-US: Moxa MXview CVE-2017-14029 (An Uncontrolled Search Path Element issue was discovered in Trihedral ...) NOT-FOR-US: Trihedral VTScada CVE-2017-14028 (A Resource Exhaustion issue was discovered in Moxa NPort 5110 Version ...) NOT-FOR-US: Moxa CVE-2017-14027 (A Use of Hard-coded Credentials issue was discovered in Korenix JetNet ...) NOT-FOR-US: Korenix CVE-2017-14026 (In Ice Qube Thermal Management Center versions prior to version 4.13, ...) NOT-FOR-US: Ice Qube Thermal Management Center CVE-2017-14025 (An Improper Input Validation issue was discovered in ABB FOX515T relea ...) NOT-FOR-US: ABB FOX515T CVE-2017-14024 (A Stack-based Buffer Overflow issue was discovered in Schneider Electr ...) NOT-FOR-US: Schneider Electric CVE-2017-14023 (An Improper Input Validation issue was discovered in Siemens SIMATIC P ...) 
NOT-FOR-US: Siemens CVE-2017-14022 (An Improper Input Validation issue was discovered in Rockwell Automati ...) NOT-FOR-US: Rockwell Automation FactoryTalk Alarms and Events CVE-2017-14021 (A Use of Hard-coded Cryptographic Key issue was discovered in Korenix ...) NOT-FOR-US: Korenix CVE-2017-14020 (In AutomationDirect CLICK Programming Software (Part Number C0-PGMSW) ...) NOT-FOR-US: AutomationDirect CVE-2017-14019 (An Unquoted Search Path or Element issue was discovered in Progea Movi ...) NOT-FOR-US: Progea Movicon CVE-2017-14018 (An improper authentication issue was discovered in Johnson & Johns ...) NOT-FOR-US: Johnson & Johnson Ethicon Endo-Surgery Generator Gen11 CVE-2017-14017 (An Uncontrolled Search Path Element issue was discovered in Progea Mov ...) NOT-FOR-US: Progea Movicon CVE-2017-14016 (A Stack-based Buffer Overflow issue was discovered in Advantech WebAcc ...) NOT-FOR-US: Advantech CVE-2017-14015 RESERVED CVE-2017-14014 (Boston Scientific ZOOM LATITUDE PRM Model 3120 uses a hard-coded crypt ...) NOT-FOR-US: Boston Scientific ZOOM LATITUDE PRM Model 3120 CVE-2017-14013 (A Client-Side Enforcement of Server-Side Security issue was discovered ...) NOT-FOR-US: ProMinent MultiFLEX M10a Controller CVE-2017-14012 (Boston Scientific ZOOM LATITUDE PRM Model 3120 does not encrypt PHI at ...) NOT-FOR-US: Boston Scientific ZOOM LATITUDE PRM Model 3120 CVE-2017-14011 (A Cross-Site Request Forgery issue was discovered in ProMinent MultiFL ...) NOT-FOR-US: ProMinent MultiFLEX M10a Controller CVE-2017-14010 (In SpiderControl MicroBrowser Windows XP, Vista 7, 8 and 10, Versions ...) NOT-FOR-US: SpiderControl CVE-2017-14009 (An Information Exposure issue was discovered in ProMinent MultiFLEX M1 ...) NOT-FOR-US: ProMinent MultiFLEX M10a Controller CVE-2017-14008 (GE Centricity PACS RA1000, diagnostic image analysis, all current vers ...) NOT-FOR-US: GE Centricity PACS RA1000 CVE-2017-14007 (An Insufficient Session Expiration issue was discovered in ProMinent M ...) 
NOT-FOR-US: ProMinent MultiFLEX M10a Controller CVE-2017-14006 (GE Xeleris versions 1.0,1.1,2.1,3.0,3.1, medical imaging systems, all ...) NOT-FOR-US: GE Xeleris CVE-2017-14005 (An Unverified Password Change issue was discovered in ProMinent MultiF ...) NOT-FOR-US: ProMinent MultiFLEX M10a Controller CVE-2017-14004 (GE GEMNet License server (EchoServer) all current versions are affecte ...) NOT-FOR-US: GE GEMNet License server CVE-2017-14003 (An Authentication Bypass by Spoofing issue was discovered in LAVA Ethe ...) NOT-FOR-US: LAVA Ether-Serial Link CVE-2017-14002 (GE Infinia/Infinia with Hawkeye 4 medical imaging systems all current ...) NOT-FOR-US: GE Infinia/Infinia with Hawkeye 4 medical imaging systems CVE-2017-14001 (An Improper Neutralization of Special Elements used in an OS Command i ...) NOT-FOR-US: Asterisk GUI NOTE: Different from standard asterisk: https://wiki.asterisk.org/wiki/display/AST/Asterisk+GUI CVE-2017-14000 (An Improper Authentication issue was discovered in Ctek SkyRouter Seri ...) NOT-FOR-US: Ctek SkyRouter CVE-2017-13999 (A Stack-based Buffer Overflow issue was discovered in WECON LEVI Studi ...) NOT-FOR-US: WECON LEVI Studio HMI Editor CVE-2017-13998 (An Insufficiently Protected Credentials issue was discovered in LOYTEC ...) NOT-FOR-US: LOYTEC LVIS-3ME CVE-2017-13997 (A Missing Authentication for Critical Function issue was discovered in ...) NOT-FOR-US: Schneider CVE-2017-13996 (A Relative Path Traversal issue was discovered in LOYTEC LVIS-3ME vers ...) NOT-FOR-US: LOYTEC LVIS-3ME CVE-2017-13995 (An Improper Authentication issue was discovered in iniNet Solutions in ...) NOT-FOR-US: iniNet Solutions iniNet Webserver CVE-2017-13994 (A Cross-site Scripting issue was discovered in LOYTEC LVIS-3ME version ...) NOT-FOR-US: LOYTEC LVIS-3ME CVE-2017-13993 (An Uncontrolled Search Path or Element issue was discovered in i-SENS ...) 
NOT-FOR-US: i-SENS SmartLog Diabetes Management Software CVE-2017-13992 (An Insufficient Entropy issue was discovered in LOYTEC LVIS-3ME versio ...) NOT-FOR-US: LOYTEC LVIS-3ME CVE-2017-13991 (An information leakage vulnerability in ArcSight ESM and ArcSight ESM ...) NOT-FOR-US: ArcSight CVE-2017-13990 (An information leakage vulnerability in ArcSight ESM and ArcSight ESM ...) NOT-FOR-US: ArcSight CVE-2017-13989 (An improper access control vulnerability in ArcSight ESM and ArcSight ...) NOT-FOR-US: ArcSight CVE-2017-13988 (An improper access control vulnerability in ArcSight ESM and ArcSight ...) NOT-FOR-US: ArcSight CVE-2017-13987 (An insufficient access control vulnerability in ArcSight ESM and ArcSi ...) NOT-FOR-US: ArcSight CVE-2017-13986 (A reflected Cross-Site Scripting(XSS) vulnerability in ArcSight ESM an ...) NOT-FOR-US: ArcSight CVE-2017-13985 (An authentication vulnerability in HPE BSM Platform Application Perfor ...) NOT-FOR-US: HP CVE-2017-13984 (An authentication vulnerability in HPE BSM Platform Application Perfor ...) NOT-FOR-US: HP CVE-2017-13983 (An authentication vulnerability in HPE BSM Platform Application Perfor ...) NOT-FOR-US: HP CVE-2017-13982 (A directory traversal vulnerability in HPE BSM Platform Application Pe ...) 
NOT-FOR-US: HP CVE-2017-13981 RESERVED CVE-2017-13980 RESERVED CVE-2017-13979 RESERVED CVE-2017-13978 RESERVED CVE-2017-13977 RESERVED CVE-2017-13976 RESERVED CVE-2017-13975 RESERVED CVE-2017-13974 RESERVED CVE-2017-13973 RESERVED CVE-2017-13972 RESERVED CVE-2017-13971 RESERVED CVE-2017-13970 RESERVED CVE-2017-13969 RESERVED CVE-2017-13968 RESERVED CVE-2017-13967 RESERVED CVE-2017-13966 RESERVED CVE-2017-13965 RESERVED CVE-2017-13964 RESERVED CVE-2017-13963 RESERVED CVE-2017-13962 RESERVED CVE-2017-13961 RESERVED CVE-2017-13960 RESERVED CVE-2017-13959 RESERVED CVE-2017-13958 RESERVED CVE-2017-13957 RESERVED CVE-2017-13956 RESERVED CVE-2017-13955 RESERVED CVE-2017-13954 RESERVED CVE-2017-13953 RESERVED CVE-2017-13952 RESERVED CVE-2017-13951 RESERVED CVE-2017-13950 RESERVED CVE-2017-13949 RESERVED CVE-2017-13948 RESERVED CVE-2017-13947 RESERVED CVE-2017-13946 RESERVED CVE-2017-13945 RESERVED CVE-2017-13944 RESERVED CVE-2017-13943 RESERVED CVE-2017-13942 RESERVED CVE-2017-13941 RESERVED CVE-2017-13940 RESERVED CVE-2017-13939 RESERVED CVE-2017-13938 RESERVED CVE-2017-13937 RESERVED CVE-2017-13936 RESERVED CVE-2017-13935 RESERVED CVE-2017-13934 RESERVED CVE-2017-13933 RESERVED CVE-2017-13932 RESERVED CVE-2017-13931 RESERVED CVE-2017-13930 RESERVED CVE-2017-13929 RESERVED CVE-2017-13928 RESERVED CVE-2017-13927 RESERVED CVE-2017-13926 RESERVED CVE-2017-13925 RESERVED CVE-2017-13924 RESERVED CVE-2017-13923 RESERVED CVE-2017-13922 RESERVED CVE-2017-13921 RESERVED CVE-2017-13920 RESERVED CVE-2017-13919 RESERVED CVE-2017-13918 RESERVED CVE-2017-13917 RESERVED CVE-2017-13916 RESERVED CVE-2017-13915 RESERVED CVE-2017-13914 RESERVED CVE-2017-13913 RESERVED CVE-2017-13912 RESERVED CVE-2017-13911 (A configuration issue was addressed with additional restrictions. This ...) 
NOT-FOR-US: Apple CVE-2017-13910 RESERVED CVE-2017-13909 RESERVED CVE-2017-13908 RESERVED CVE-2017-13907 RESERVED CVE-2017-13906 RESERVED CVE-2017-13905 RESERVED CVE-2017-13904 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13903 (An issue was discovered in certain Apple products. iOS before 11.2.1 i ...) NOT-FOR-US: Apple CVE-2017-13902 RESERVED CVE-2017-13901 RESERVED CVE-2017-13900 RESERVED CVE-2017-13899 RESERVED CVE-2017-13898 RESERVED CVE-2017-13897 RESERVED CVE-2017-13896 RESERVED CVE-2017-13895 RESERVED CVE-2017-13894 RESERVED CVE-2017-13893 RESERVED CVE-2017-13892 RESERVED CVE-2017-13891 (In iOS before 11.2, an inconsistent user interface issue was addressed ...) NOT-FOR-US: Apple CVE-2017-13890 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13889 (In macOS High Sierra before 10.13.3, Security Update 2018-001 Sierra, ...) NOT-FOR-US: Apple CVE-2017-13888 (In iOS before 11.2, a type confusion issue was addressed with improved ...) NOT-FOR-US: Apple CVE-2017-13887 (In macOS High Sierra before 10.13.2, a logic issue existed in APFS whe ...) NOT-FOR-US: Apple CVE-2017-13886 (In macOS High Sierra before 10.13.2, an access issue existed with priv ...) NOT-FOR-US: Apple CVE-2017-13885 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - webkit2gtk 2.18.6-1 (unimportant) [stretch] - webkit2gtk 2.18.6-1~deb9u1 NOTE: https://webkitgtk.org/security/WSA-2018-0002.html NOTE: Not covered by security support CVE-2017-13884 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - webkit2gtk 2.18.6-1 (unimportant) [stretch] - webkit2gtk 2.18.6-1~deb9u1 NOTE: https://webkitgtk.org/security/WSA-2018-0002.html NOTE: Not covered by security support CVE-2017-13883 (An issue was discovered in certain Apple products. macOS before 10.13. ...) 
NOT-FOR-US: Apple CVE-2017-13882 RESERVED CVE-2017-13881 RESERVED CVE-2017-13880 RESERVED CVE-2017-13879 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13878 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13877 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-13876 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13875 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13874 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13873 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-13872 (An issue was discovered in certain Apple products. macOS High Sierra b ...) NOT-FOR-US: Apple CVE-2017-13871 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13870 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - webkit2gtk 2.18.4-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0010.html NOTE: Not covered by security support CVE-2017-13869 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13868 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13867 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13866 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - webkit2gtk 2.18.4-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0010.html NOTE: Not covered by security support CVE-2017-13865 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) 
NOT-FOR-US: Apple CVE-2017-13864 (An issue was discovered in certain Apple products. iCloud before 7.2 o ...) NOT-FOR-US: Apple CVE-2017-13863 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-13862 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13861 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13860 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13859 RESERVED CVE-2017-13858 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13857 RESERVED CVE-2017-13856 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - webkit2gtk 2.18.4-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0010.html NOTE: Not covered by security support CVE-2017-13855 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13854 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-13853 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-13852 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) NOT-FOR-US: Apple CVE-2017-13851 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-13850 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-13849 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) NOT-FOR-US: Apple CVE-2017-13848 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13847 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-13846 (An issue was discovered in certain Apple products. 
macOS before 10.13. ...) NOT-FOR-US: Potentially src:pcre3, but Apple doesn't play by the rules CVE-2017-13845 RESERVED CVE-2017-13844 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) NOT-FOR-US: Apple CVE-2017-13843 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13842 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13841 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13840 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13839 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-13838 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13837 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-13836 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13835 RESERVED CVE-2017-13834 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13833 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13832 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13831 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13830 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13829 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13828 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13827 (An issue was discovered in certain Apple products. macOS before 10.13 ...) 
NOT-FOR-US: Apple CVE-2017-13826 REJECTED CVE-2017-13825 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13824 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13823 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13822 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13821 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13820 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13819 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13818 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13817 (An out-of-bounds read issue was discovered in certain Apple products. ...) NOT-FOR-US: Apple CVE-2017-13816 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Potentially src:libarchive, but Apple doesn't play by the rules CVE-2017-13815 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-13814 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13813 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Potentially src:libarchive, but Apple doesn't play by the rules CVE-2017-13812 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Potentially src:libarchive, but Apple doesn't play by the rules CVE-2017-13811 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13810 (An issue was discovered in certain Apple products. 
macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13809 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13808 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13807 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13806 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-13805 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) NOT-FOR-US: Apple CVE-2017-13804 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) NOT-FOR-US: Apple CVE-2017-13803 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.3-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13802 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13801 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13800 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13799 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) NOT-FOR-US: Apple CVE-2017-13798 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.3-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13797 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) NOT-FOR-US: Apple-specific Webkit change (since not mentioned in webkitgtk releases) CVE-2017-13796 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) 
- webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13795 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13794 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13793 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13792 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13791 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13790 (An issue was discovered in certain Apple products. Safari before 11.0. ...) NOT-FOR-US: Apple Safari CVE-2017-13789 (An issue was discovered in certain Apple products. Safari before 11.0. ...) NOT-FOR-US: Apple Safari CVE-2017-13788 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.3-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13787 RESERVED CVE-2017-13786 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13785 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) 
- webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13784 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13783 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0009.html NOTE: Not covered by security support CVE-2017-13782 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-13781 RESERVED CVE-2017-13780 (The EyesOfNetwork web interface (aka eonweb) 5.1-0 allows directory tr ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-14032 (ARM mbed TLS before 1.3.21 and 2.x before 2.1.9, if optional authentic ...) {DSA-3967-1} - mbedtls 2.6.0-1 (bug #873557) - polarssl [jessie] - polarssl (Vulnerable code not present) [wheezy] - polarssl (Vulnerable code not present) NOTE: Affected versions: all from version 1.3.10 up and including 2.1 and later releases NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-02 NOTE: https://github.com/ARMmbed/mbedtls/commit/31458a18788b0cf0b722acda9bb2f2fe13a3fb32 NOTE: https://github.com/ARMmbed/mbedtls/commit/d15795acd5074e0b44e71f7ede8bdfe1b48591fc CVE-2017-13779 (GSTN_offline_tool in India Goods and Services Tax Network (GSTN) Offli ...) NOT-FOR-US: India Goods and Services Tax Network CVE-2017-13778 (Fiyo CMS 2.0.7 has XSS in dapur\apps\app_config\sys_config.php via the ...) NOT-FOR-US: Fiyo CMS CVE-2017-13777 (GraphicsMagick 1.3.26 has a denial of service issue in ReadXBMImage() ...) 
{DSA-4321-1 DLA-1456-1 DLA-1082-1} - graphicsmagick 1.3.26-8 (low) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/233a720bfd5e CVE-2017-13776 (GraphicsMagick 1.3.26 has a denial of service issue in ReadXBMImage() ...) {DSA-4321-1 DLA-1456-1 DLA-1082-1} - graphicsmagick 1.3.26-8 (low) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/233a720bfd5e CVE-2017-13775 (GraphicsMagick 1.3.26 has a denial of service issue in ReadJNXImage() ...) {DSA-4321-1 DLA-1456-1} - graphicsmagick 1.3.26-8 (low) [wheezy] - graphicsmagick (Vulnerable code not present) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/b037d79b6ccd CVE-2017-13774 (Hikvision iVMS-4200 devices before v2.6.2.7 allow local users to gener ...) NOT-FOR-US: Hikvision CVE-2017-13773 RESERVED CVE-2017-13772 (Multiple stack-based buffer overflows in TP-Link WR940N WiFi routers w ...) NOT-FOR-US: TP-Link CVE-2017-13771 (Lexmark Scan To Network (SNF) 3.2.9 and earlier stores network configu ...) NOT-FOR-US: Lexmark Scan To Network CVE-2017-13770 RESERVED CVE-2017-13769 (The WriteTHUMBNAILImage function in coders/thumbnail.c in ImageMagick ...) {DSA-4040-1 DSA-4032-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #878507) NOTE: https://github.com/ImageMagick/ImageMagick/issues/705 NOTE: https://github.com/ImageMagick/ImageMagick/commit/45d342155b5e9b83904c695411d20f33cf9b524c NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/457e63263de6f732785608504b6e607799ad3dd5 NOTE: Extra checks: NOTE: https://github.com/ImageMagick/ImageMagick/commit/5a3897693a8b4e97add649c0ca1d538bd90f59c9 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/abb9d1322317733b799e8b87b2e346b3038f3260 CVE-2017-13768 (Null Pointer Dereference in the IdentifyImage function in MagickCore/i ...) 
{DLA-2366-1 DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #875352) NOTE: https://github.com/ImageMagick/ImageMagick/issues/706 NOTE: https://github.com/ImageMagick/ImageMagick/commit/152e510e2b7858efe5992ed95090d8e0049417f3 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/2c1b360d80e5f8f7c7108c0afedde64ab79318ff CVE-2017-13767 (In Wireshark 2.4.0, 2.2.0 to 2.2.8, and 2.0.0 to 2.0.14, the MSDP diss ...) - wireshark 2.4.1-1 [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13933 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6f18ace2a2683418a9368a8dfd92da6bd8213e15 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-38.html CVE-2017-13766 (In Wireshark 2.4.0 and 2.2.0 to 2.2.8, the Profinet I/O dissector coul ...) - wireshark 2.4.1-1 [stretch] - wireshark 2.2.6+g32dac6a-2+deb9u1 [jessie] - wireshark (Vulnerable code not present) [wheezy] - wireshark (Vulnerable code not present) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13847 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2096bc1e5078732543e0a3ee115a2ce520a72bbc NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=af7b093ca528516c14247acb545046199d30843e NOTE: https://www.wireshark.org/security/wnpa-sec-2017-39.html CVE-2017-13765 (In Wireshark 2.4.0, 2.2.0 to 2.2.8, and 2.0.0 to 2.0.14, the IrCOMM di ...) {DLA-1634-1} - wireshark 2.4.1-1 [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13929 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=94666d4357096fc45e3bcad3d9414a14f0831bc8 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-41.html CVE-2017-13764 (In Wireshark 2.4.0, the Modbus dissector could crash with a NULL point ...) 
- wireshark 2.4.1-1 [jessie] - wireshark (vulnerable request not implemented) [wheezy] - wireshark (vulnerable request not implemented) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13925 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b87ffbd12bddf64582c0a6e082b462744474de94 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-40.html CVE-2017-13763 (ONOS versions 1.8.0, 1.9.0, and 1.10.0 do not restrict the amount of m ...) NOT-FOR-US: ONOS CVE-2017-13762 (ONOS versions 1.8.0, 1.9.0, and 1.10.0 are vulnerable to XSS. ...) NOT-FOR-US: ONOS CVE-2017-13761 (The Fastly CDN module before 1.2.26 for Magento2, when used with a thi ...) NOT-FOR-US: Fastly CDN module for Magento2 CVE-2017-13760 (In The Sleuth Kit (TSK) 4.4.2, fls hangs on a corrupt exfat image in t ...) - sleuthkit 4.4.2-3 (unimportant; bug #873724) NOTE: https://github.com/sleuthkit/sleuthkit/issues/906 NOTE: Negligible security impact CVE-2017-13759 RESERVED CVE-2017-13758 (In ImageMagick 7.0.6-10, there is a heap-based buffer overflow in the ...) {DSA-4040-1 DSA-4032-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #878508) NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32583 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/ef6cee1bcf144b7c9285787920361a53296e7907 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/57eced684ad0660fe580800d977ba94623ec67ac CVE-2017-13757 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils 2.29-10 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22018 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=90efb6422939ca031804266fba669f77c22a274a CVE-2017-13756 (In The Sleuth Kit (TSK) 4.4.2, opening a crafted disk image triggers i ...) 
- sleuthkit 4.4.2-3 (unimportant; bug #873725) NOTE: https://github.com/sleuthkit/sleuthkit/issues/914 NOTE: Negligible security impact CVE-2017-13755 (In The Sleuth Kit (TSK) 4.4.2, opening a crafted ISO 9660 image trigge ...) - sleuthkit 4.4.2-3 (unimportant; bug #873726) NOTE: https://github.com/sleuthkit/sleuthkit/issues/913 NOTE: Negligible security impact CVE-2017-13754 (Cross-site scripting (XSS) vulnerability in the "advanced settings - t ...) NOT-FOR-US: Wibu-Systems CVE-2017-13753 REJECTED CVE-2017-13752 (There is a reachable assertion abort in the function jpc_dequantize() ...) - jasper (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1485276 CVE-2017-13751 (There is a reachable assertion abort in the function calcstepsizes() i ...) - jasper (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1485283 CVE-2017-13750 (There is a reachable assertion abort in the function jpc_dec_process_s ...) - jasper (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1485280 CVE-2017-13749 (There is a reachable assertion abort in the function jpc_pi_nextrpcl() ...) - jasper (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1485285 CVE-2017-13748 (There are lots of memory leaks in JasPer 2.0.12, triggered in the func ...) {DLA-1583-1} - jasper (low) [wheezy] - jasper (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1485287 NOTE: https://github.com/mdadams/jasper/issues/168 NOTE: Fixed by https://github.com/mdadams/jasper/pull/159 but still no upstream comment. CVE-2017-13747 (There is a reachable assertion abort in the function jpc_floorlog2() i ...) - jasper (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1485282 CVE-2017-13746 (There is a reachable assertion abort in the function jpc_dec_process_s ...) - jasper (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1485286 CVE-2017-13745 (There is a reachable assertion abort in the function jpc_dec_process_s ...) 
- jasper (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1485274 CVE-2017-13744 (There is an illegal address access in the function _lou_getALine() in ...) - liblouis 3.3.0-1 (low; bug #874302) [stretch] - liblouis 3.0.0-3+deb9u1 [jessie] - liblouis (Minor issue) [wheezy] - liblouis (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484338 NOTE: Proposed fix via pull request: https://github.com/liblouis/liblouis/pull/393/commits/edf8ee00197e5a9b062554bdca00fe1617d257a4 CVE-2017-13743 (There is a buffer overflow in Liblouis 3.2.0, triggered in the functio ...) - liblouis 3.3.0-1 (low; bug #874302) [stretch] - liblouis 3.0.0-3+deb9u1 [jessie] - liblouis (Minor issue) [wheezy] - liblouis (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484335 CVE-2017-13742 (There is a stack-based buffer overflow in Liblouis 3.2.0, triggered in ...) - liblouis 3.3.0-1 (low; bug #874302) [stretch] - liblouis 3.0.0-3+deb9u1 [jessie] - liblouis (Minor issue) [wheezy] - liblouis (vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484334 NOTE: Proposed fix via pull request: https://github.com/liblouis/liblouis/pull/393/commits/d8cfdf1ab64a4c9c6685efe45bc735f68dac618c CVE-2017-13741 (There is a use-after-free in the function compileBrailleIndicator() in ...) - liblouis 3.3.0-1 (low; bug #874302) [stretch] - liblouis 3.0.0-3+deb9u1 [jessie] - liblouis (Minor issue) [wheezy] - liblouis (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484332 NOTE: Proposed fix via pull request: https://github.com/liblouis/liblouis/pull/393/commits/af5791ea792acc0a9707738001aa1df3daff7a66 CVE-2017-13740 (There is a stack-based buffer overflow in Liblouis 3.2.0, triggered in ...) 
- liblouis 3.3.0-1 (low; bug #874302) [stretch] - liblouis 3.0.0-3+deb9u1 [jessie] - liblouis (Minor issue) [wheezy] - liblouis (vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484306 NOTE: Proposed fix via pull request: https://github.com/liblouis/liblouis/pull/393/commits/d8cfdf1ab64a4c9c6685efe45bc735f68dac618c CVE-2017-13739 (There is a heap-based buffer overflow that causes a more than two thou ...) - liblouis 3.3.0-1 (low; bug #874302) [stretch] - liblouis 3.0.0-3+deb9u1 [jessie] - liblouis (Minor issue) [wheezy] - liblouis (vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484299 NOTE: Proposed fix via pull request: https://github.com/liblouis/liblouis/pull/393/commits/d8cfdf1ab64a4c9c6685efe45bc735f68dac618c CVE-2017-13738 (There is an illegal address access in the _lou_getALine function in co ...) - liblouis 3.3.0-1 (low; bug #874302) [stretch] - liblouis 3.0.0-3+deb9u1 [jessie] - liblouis (Minor issue) [wheezy] - liblouis (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484297 NOTE: Proposed fix via pull request: https://github.com/liblouis/liblouis/pull/393/commits/edf8ee00197e5a9b062554bdca00fe1617d257a4 CVE-2017-13737 (There is an invalid free in the MagickFree function in magick/memory.c ...) {DSA-4321-1 DLA-1456-1 DLA-1140-1} - graphicsmagick 1.3.26-15 (low; bug #878511) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484196 NOTE: Fixed by: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/3db9449e3d6a/ CVE-2017-13736 (There are lots of memory leaks in the GMCommand function in magick/com ...) - graphicsmagick (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484192 CVE-2017-13735 (There is a floating point exception in the kodak_radc_load_raw functio ...) 
- libraw 0.18.5-1 (low; bug #874729) [stretch] - libraw (Minor issue) [jessie] - libraw (Minor issue) [wheezy] - libraw (Minor issue) NOTE: https://github.com/LibRaw/LibRaw/issues/96 NOTE: Isolated patch: https://github.com/LibRaw/LibRaw/files/1276421/radc_divbyzero.txt NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1483988 CVE-2017-13734 (There is an illegal address access in the _nc_safe_strcat function in ...) - ncurses 6.0+20170827-1 (bug #873723) [stretch] - ncurses 6.0+20161126-1+deb9u1 [jessie] - ncurses 5.9+20140913-1+deb8u1 [wheezy] - ncurses (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484291 CVE-2017-13733 (There is an illegal address access in the fmt_entry function in progs/ ...) - ncurses 6.0+20170902-1 (bug #873746) [stretch] - ncurses 6.0+20161126-1+deb9u1 [jessie] - ncurses 5.9+20140913-1+deb8u1 [wheezy] - ncurses (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484290 CVE-2017-13732 (There is an illegal address access in the function dump_uses() in prog ...) - ncurses 6.0+20170827-1 (bug #873723) [stretch] - ncurses 6.0+20161126-1+deb9u1 [jessie] - ncurses 5.9+20140913-1+deb8u1 [wheezy] - ncurses (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484287 CVE-2017-13731 (There is an illegal address access in the function postprocess_termcap ...) - ncurses 6.0+20170827-1 (bug #873723) [stretch] - ncurses 6.0+20161126-1+deb9u1 [jessie] - ncurses 5.9+20140913-1+deb8u1 [wheezy] - ncurses (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484285 CVE-2017-13730 (There is an illegal address access in the function _nc_read_entry_sour ...) - ncurses 6.0+20170827-1 (bug #873723) [stretch] - ncurses 6.0+20161126-1+deb9u1 [jessie] - ncurses 5.9+20140913-1+deb8u1 [wheezy] - ncurses (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484284 CVE-2017-13729 (There is an illegal address access in the _nc_save_str function in all ...) 
- ncurses 6.0+20170827-1 (bug #873723) [stretch] - ncurses 6.0+20161126-1+deb9u1 [jessie] - ncurses 5.9+20140913-1+deb8u1 [wheezy] - ncurses (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484276 CVE-2017-13728 (There is an infinite loop in the next_char function in comp_scan.c in ...) - ncurses 6.0+20170827-1 (bug #873723) [stretch] - ncurses 6.0+20161126-1+deb9u1 [jessie] - ncurses 5.9+20140913-1+deb8u1 [wheezy] - ncurses (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1484274 CVE-2017-13727 (There is a reachable assertion abort in the function TIFFWriteDirector ...) {DSA-4100-1 DLA-1093-1} - tiff 4.0.8-5 (bug #873879) - tiff3 [wheezy] - tiff3 (Vulnerable code not present) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2728 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/b6af137bf9ef852f1a48a50a5afb88f9e9da01cc CVE-2017-13726 (There is a reachable assertion abort in the function TIFFWriteDirector ...) {DSA-4100-1 DLA-1093-1} - tiff 4.0.8-5 (bug #873880) - tiff3 [wheezy] - tiff3 (Vulnerable code not present) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2727 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/f91ca83a21a6a583050e5a5755ce1441b2bf1d7e CVE-2017-13725 (The IPv6 routing header parser in tcpdump before 4.9.2 has a buffer ov ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13724 (On the Axesstel MU553S MU55XS-V1.14, there is a Stored Cross Site Scri ...) NOT-FOR-US: Axesstel MU553S MU55XS-V1.14 CVE-2017-13723 (In X.Org Server (aka xserver and xorg-server) before 1.19.4, a local a ...) {DSA-4000-1 DLA-1186-1} - xorg-server 2:1.19.4-1 NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=94f11ca5cf011ef123bd222cabeaef6f424d76ac NOTE: This is in libxkbfile in wheezy CVE-2017-13722 (In the pcfGetProperties function in bitmap/pcfread.c in libXfont throu ...) 
{DSA-3995-1 DLA-1126-1} - libxfont 1:2.0.1-4 - libxfont1 (unimportant) NOTE: Fixed by: https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=672bb944311392e2415b39c0d63b1e1902905bcd NOTE: libxfont1 is only used by xfonts-utils, no security impact CVE-2017-13721 (In X.Org Server (aka xserver and xorg-server) before 1.19.4, an attack ...) {DSA-4000-1} - xorg-server 2:1.19.4-1 [wheezy] - xorg-server (Vulnerable code introduced later) NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=b95f25af141d33a65f6f821ea9c003f66a01e1f1 CVE-2017-13720 (In the PatternMatch function in fontfile/fontdir.c in libXfont through ...) {DSA-3995-1 DLA-1126-1} - libxfont 1:2.0.1-4 - libxfont1 (unimportant) NOTE: Fixed by: https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d1e670a4a8704b8708e493ab6155589bcd570608 NOTE: libxfont1 is only used by xfonts-utils, no security impact CVE-2017-13719 (The Amcrest IPM-721S Amcrest_IPC-AWXX_Eng_N_V2.420.AC00.17.R.20170322 ...) NOT-FOR-US: Amcrest CVE-2017-13718 (The HTTP API supported by Starry Station (aka Starry Router) allows br ...) NOT-FOR-US: Starry Station CVE-2017-13717 (Starry Station (aka Starry Router) sets the Access-Control-Allow-Origi ...) NOT-FOR-US: Starry Station CVE-2017-13716 (The C++ symbol demangler routine in cplus-dem.c in libiberty, as distr ...) - binutils (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22009 NOTE: Underlying bug is though in the C++ demangler part of libiberty, but MITRE NOTE: has assigned it specifically to the issue as raised within binutils. NOTE: binutils not covered by security support CVE-2017-13715 (The __skb_flow_dissect function in net/core/flow_dissector.c in the Li ...) 
- linux 4.3.1-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/a6e544b0a88b53114bfa5a57e21b7be7a8dfc9d0 (4.3-rc1) NOTE: Introduced by: https://git.kernel.org/linus/b3baa0fbd02a1a9d493d8cb92ae4a4491b9e9d13 (4.2-rc1) CVE-2017-13714 RESERVED CVE-2017-13713 (T&W WIFI Repeater BE126 allows remote authenticated users to execu ...) NOT-FOR-US: T&W WIFI Repeater BE126 CVE-2017-13712 (NULL Pointer Dereference in the id3v2AddAudioDuration function in libm ...) - lame 3.100-1 (low) [stretch] - lame (Minor issue) [jessie] - lame (Minor issue) NOTE: https://sourceforge.net/p/lame/bugs/472/ CVE-2017-13711 (Use-after-free vulnerability in the sofree function in slirp/socket.c ...) {DSA-3991-1} - qemu 1:2.10.0-1 (bug #873875) [jessie] - qemu (Vulnerable code introduced later) [wheezy] - qemu (Vulnerable code introduced later) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg05201.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1486400 CVE-2017-14041 (A stack-based buffer overflow was discovered in the pgxtoimage functio ...) {DSA-4013-1} - openjpeg2 2.3.0-1 (bug #874115) NOTE: Fixed by: https://github.com/uclouvain/openjpeg/commit/e5285319229a5d77bf316bb0d3a6cbd3cb8666d9 NOTE: Reproducer: https://blogs.gentoo.org/ago/2017/08/28/openjpeg-stack-based-buffer-overflow-write-in-pgxtoimage-convert-c/ NOTE: https://github.com/uclouvain/openjpeg/issues/997 CVE-2017-14040 (An invalid write access was discovered in bin/jp2/convert.c in OpenJPE ...) 
{DSA-4013-1} - openjpeg2 2.3.0-1 (bug #874117) NOTE: Fixed by: https://github.com/uclouvain/openjpeg/commit/2cd30c2b06ce332dede81cccad8b334cde997281 NOTE: Reproducer: https://blogs.gentoo.org/ago/2017/08/28/openjpeg-invalid-memory-write-in-tgatoimage-convert-c/ NOTE: https://github.com/uclouvain/openjpeg/issues/995 CVE-2017-14039 (A heap-based buffer overflow was discovered in the opj_t2_encode_packe ...) {DSA-4013-1} - openjpeg2 2.3.0-1 (bug #874118) NOTE: Fixed by: https://github.com/uclouvain/openjpeg/commit/c535531f03369623b9b833ef41952c62257b507e NOTE: Reproducer: https://blogs.gentoo.org/ago/2017/08/28/openjpeg-heap-based-buffer-overflow-in-opj_t2_encode_packet-t2-c/ NOTE: https://github.com/uclouvain/openjpeg/issues/992 NOTE: The issue is covered by https://github.com/uclouvain/openjpeg/commit/4241ae6fbbf1de9658764a80944dc8108f2b4154 CVE-2017-14042 (A memory allocation failure was discovered in the ReadPNMImage functio ...) - graphicsmagick 1.3.26-9 (unimportant; bug #873538) NOTE: Fixed by: http://hg.code.sf.net/p/graphicsmagick/code/rev/3bbf7a13643d NOTE: https://blogs.gentoo.org/ago/2017/08/28/graphicsmagick-memory-allocation-failure-in-magickrealloc-memory-c-2/ NOTE: https://sourceforge.net/p/graphicsmagick/bugs/441/ CVE-2017-13710 (The setup_group function in elf.c in the Binary File Descriptor (BFD) ...) - binutils 2.29-9 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0c54f69295208331faab9bc5e995111a35672f9b CVE-2017-13708 (Buffer overflow in the web server service in VX Search Enterprise 10.0 ...) NOT-FOR-US: VX Search Enterprise CVE-2017-13707 (Privilege escalation in Replibit Backup Manager earlier than version 2 ...) NOT-FOR-US: Replibit CVE-2017-13706 (XML external entity (XXE) vulnerability in the import package function ...) 
NOT-FOR-US: Lansweeper CVE-2017-13709 (In FlightGear before version 2017.3.1, Main/logger.cxx in the FGLogger ...) - flightgear 1:2017.2.1+dfsg-4 (low; bug #873439) [stretch] - flightgear 1:2016.4.4+dfsg-3+deb9u1 [jessie] - flightgear 3.0.0-5+deb8u3 NOTE: https://www.openwall.com/lists/oss-security/2017/08/27/1 CVE-2017-13705 RESERVED CVE-2017-13704 (In dnsmasq before 2.78, if the DNS packet size does not match the expe ...) - dnsmasq 2.78-1 (bug #877102) [stretch] - dnsmasq (Vulnerable code not present; Upstream: Regression introduced in 2.77) [jessie] - dnsmasq (Vulnerable code not present; Upstream: Regression introduced in 2.77) [wheezy] - dnsmasq (Vulnerable code not present; Upstream: Regression introduced in 2.77) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1495510 NOTE: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2017q3/011729.html NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=63437ffbb58837b214b4b92cb1c54bc5f3279928 CVE-2017-13703 (An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. ...) NOT-FOR-US: Moxa CVE-2017-13702 (An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. ...) NOT-FOR-US: Moxa CVE-2017-13701 (An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. ...) NOT-FOR-US: Moxa CVE-2017-13700 (An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. ...) NOT-FOR-US: Moxa CVE-2017-13699 (An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. ...) NOT-FOR-US: MOXA CVE-2017-13698 (An issue was discovered on MOXA EDS-G512E 5.1 build 16072215 devices. ...) NOT-FOR-US: MOXA CVE-2017-13697 (controllers/member/api.php in dayrui FineCms 5.0.11 has XSS related to ...) NOT-FOR-US: FineCMS CVE-2017-13696 (A buffer overflow vulnerability lies in the web server component of Du ...) NOT-FOR-US: Dup Scout Enterprise CVE-2017-1000122 (The UNIX IPC layer in WebKit, including WebKitGTK+ prior to 2.16.3, do ...) 
- webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0007.html NOTE: Not covered by security support CVE-2017-1000121 (The UNIX IPC layer in WebKit, including WebKitGTK+ prior to 2.16.3, do ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0007.html NOTE: Not covered by security support CVE-2017-13695 (The acpi_ns_evaluate() function in drivers/acpi/acpica/nseval.c in the ...) - acpica-unix 20180209-1 (unimportant) - linux 4.17.3-1 (unimportant) NOTE: https://patchwork.kernel.org/patch/9850567/ NOTE: non-issue/no relevant security impact CVE-2017-13694 (The acpi_ps_complete_final_op() function in drivers/acpi/acpica/psobje ...) - acpica-unix 20180209-1 (unimportant) - linux (unimportant) NOTE: https://patchwork.kernel.org/patch/9806085/ NOTE: non-issue/no relevant security impact CVE-2017-13693 (The acpi_ds_create_operands() function in drivers/acpi/acpica/dsutils. ...) - acpica-unix 20180209-1 (unimportant) - linux (unimportant) NOTE: https://patchwork.kernel.org/patch/9919053/ NOTE: non-issue/no relevant security impact CVE-2017-13692 (In Tidy 5.5.31, the IsURLCodePoint function in attrs.c allows attacker ...) - tidy-html5 (Vulnerable code introduced later) - tidy (Vulnerable code introduced later) NOTE: https://github.com/htacg/tidy-html5/issues/588 CVE-2017-13691 RESERVED CVE-2017-13690 (The IKEv2 parser in tcpdump before 4.9.2 has a buffer over-read in pri ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13689 (The IKEv1 parser in tcpdump before 4.9.2 has a buffer over-read in pri ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13688 (The OLSR parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13687 (The Cisco HDLC parser in tcpdump before 4.9.2 has a buffer over-read i ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13686 (net/ipv4/route.c in the Linux kernel 4.13-rc1 through 4.13-rc6 is too ...) 
- linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/bc3aae2bbac46dd894c89db5d5e98f7f0ef9e205 CVE-2017-13685 (The dump_callback function in SQLite 3.20.0 allows remote attackers to ...) - sqlite3 3.20.1-1 (unimportant; bug #873762) NOTE: https://sqlite.org/src/info/02f0f4c54f2819b3 NOTE: http://www.mail-archive.com/sqlite-users%40mailinglists.sqlite.org/msg105314.html NOTE: Crash in the command-line shell program, not the core SQLite library. CVE-2017-13684 (Unisys Libra 64xx and 84xx and FS601 class systems with MCP-FIRMWARE b ...) NOT-FOR-US: Unisys Libra CVE-2017-13683 (In Symantec Endpoint Encryption before SEE 11.1.3HF3, a kernel memory ...) NOT-FOR-US: Symantec CVE-2017-13682 (In Symantec Encryption Desktop before SED 10.4.1 MP2HF1, a kernel memo ...) NOT-FOR-US: Symantec CVE-2017-13681 (Symantec Endpoint Protection prior to SEP 12.1 RU6 MP9 could be suscep ...) NOT-FOR-US: Symantec Endpoint Protection CVE-2017-13680 (Prior to SEP 12.1 RU6 MP9 & SEP 14 RU1 Symantec Endpoint Protectio ...) NOT-FOR-US: Symantec Endpoint Protection CVE-2017-13679 (A denial of service (DoS) attack in Symantec Encryption Desktop before ...) NOT-FOR-US: Symantec CVE-2017-13678 (Stored XSS vulnerability in the Symantec Advanced Secure Gateway (ASG) ...) NOT-FOR-US: Symantec CVE-2017-13677 (Denial-of-service (DoS) vulnerability in the Symantec Advanced Secure ...) NOT-FOR-US: Symantec CVE-2017-13676 (Norton Remove & Reinstall can be susceptible to a DLL preloading v ...) NOT-FOR-US: Symantec CVE-2017-13675 (A denial of service (DoS) attack in Symantec Endpoint Encryption befor ...) NOT-FOR-US: Symantec CVE-2017-13674 (Symantec ProxyClient 3.4 for Windows is susceptible to a privilege esc ...) NOT-FOR-US: Symantec ProxyClient CVE-2017-13673 (The vga display update in mis-calculated the region for the dirty bitm ...) 
- qemu 1:2.10.0+dfsg-2 [stretch] - qemu (Vulnerable code introduced later) [jessie] - qemu (Vulnerable code introduced later) [wheezy] - qemu (Vulnerable code introduced later) - qemu-kvm (Vulnerable code introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg04685.html NOTE: Fixed by: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=d6f7f3b0cf4b6c5e7cdff9dfa6d20545e1051375 (v2.10.1) NOTE: Introduced by: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=fec5e8c92becad223df9d972770522f64aafdb72 NOTE: In the unstable upload the fix is integrated in debian/patches/qemu-2.10.1.diff CVE-2017-13672 (QEMU (aka Quick Emulator), when built with the VGA display emulator su ...) {DSA-3991-1} - qemu 1:2.10.0-1 (low; bug #873851) [jessie] - qemu (Minor issue, root DoS, too complex to backport) [wheezy] - qemu (Can be fixed along in a future DSA) - qemu-kvm [wheezy] - qemu-kvm (Can be fixed along in a future DSA) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg04684.html NOTE: Fixed by https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=3d90c6254863693a6b13d918d2b8682e08bbc681 NOTE: CentOS7 has a backport/upgrade(?) for their frankenstein version NOTE: http://vault.centos.org/7.6.1810/updates/Source/SPackages/qemu-kvm-1.5.3-160.el7_6.3.src.rpm CVE-2017-13671 (app/View/Helper/CommandHelper.php in MISP before 2.4.79 has persistent ...) NOT-FOR-US: MISP (Malware Information Sharing Platform and Threat Sharing) CVE-2017-13670 (In BlackCat CMS 1.2, remote authenticated users can upload any file vi ...) NOT-FOR-US: BlackCat CMS CVE-2017-13669 (SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the setanswere ...) NOT-FOR-US: NexusPHP CVE-2017-13668 (OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross ...) NOT-FOR-US: OX Software GmbH OX App Suite CVE-2017-13667 (OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: SSRF. ...) 
NOT-FOR-US: OX Software GmbH OX App Suite CVE-2017-13666 (An integer underflow vulnerability exists in pixel-a.asm, the x86 asse ...) - x265 (Affected code is not enabled) CVE-2017-13665 RESERVED CVE-2017-13664 (Password file exposure in firmware in iSmartAlarm CubeOne version 2.2. ...) NOT-FOR-US: iSmartAlarm CubeOne CVE-2017-13663 (Encryption key exposure in firmware in iSmartAlarm CubeOne version 2.2 ...) NOT-FOR-US: iSmartAlarm CubeOne CVE-2017-13662 RESERVED CVE-2017-13661 RESERVED CVE-2017-13660 RESERVED CVE-2017-13659 RESERVED CVE-2017-13657 REJECTED CVE-2017-13656 REJECTED CVE-2017-13655 REJECTED CVE-2017-13654 REJECTED CVE-2017-13653 REJECTED CVE-2017-13652 (NetApp OnCommand Insight version 7.3.0 and versions prior to 7.2.0 are ...) NOT-FOR-US: NetApp CVE-2017-13651 REJECTED CVE-2017-13650 RESERVED CVE-2017-1002150 (python-fedora 0.8.0 and lower is vulnerable to an open redirect result ...) - python-fedora 0.9.0-1 [stretch] - python-fedora (Minor issue) [jessie] - python-fedora (Minor issue) NOTE: https://github.com/fedora-infra/python-fedora/commit/b27f38a67573f4c989710c9bfb726dd4c1eeb929.patch CVE-2017-13649 (UnrealIRCd 4.0.13 and earlier creates a PID file after dropping privil ...) - unrealircd (bug #515130) CVE-2017-13648 (In GraphicsMagick 1.3.26, a memory leak vulnerability was found in the ...) 
- graphicsmagick 1.3.27-1 (unimportant) NOTE: https://sourceforge.net/p/graphicsmagick/bugs/433/ CVE-2017-13647 RESERVED CVE-2017-13646 RESERVED CVE-2017-13645 RESERVED CVE-2017-13644 RESERVED CVE-2017-13643 RESERVED CVE-2017-13642 RESERVED CVE-2017-13641 RESERVED CVE-2017-13640 RESERVED CVE-2017-13639 RESERVED CVE-2017-13638 RESERVED CVE-2017-13637 RESERVED CVE-2017-13636 RESERVED CVE-2017-13635 RESERVED CVE-2017-13634 RESERVED CVE-2017-13633 RESERVED CVE-2017-13632 RESERVED CVE-2017-13631 RESERVED CVE-2017-13630 RESERVED CVE-2017-13629 RESERVED CVE-2017-13628 RESERVED CVE-2017-13627 RESERVED CVE-2017-13626 RESERVED CVE-2017-13625 RESERVED CVE-2017-13624 RESERVED CVE-2017-13623 RESERVED CVE-2017-13622 RESERVED CVE-2017-13621 RESERVED CVE-2017-13620 RESERVED CVE-2017-13619 RESERVED CVE-2017-13618 RESERVED CVE-2017-13617 RESERVED CVE-2017-13616 RESERVED CVE-2017-13615 RESERVED CVE-2017-13614 RESERVED CVE-2017-13613 RESERVED CVE-2017-13612 RESERVED CVE-2017-13611 RESERVED CVE-2017-13610 RESERVED CVE-2017-13609 RESERVED CVE-2017-13608 RESERVED CVE-2017-13607 RESERVED CVE-2017-13606 RESERVED CVE-2017-13605 RESERVED CVE-2017-13604 RESERVED CVE-2017-13603 RESERVED CVE-2017-13602 RESERVED CVE-2017-13601 RESERVED CVE-2017-13600 RESERVED CVE-2017-13599 RESERVED CVE-2017-13598 RESERVED CVE-2017-13597 RESERVED CVE-2017-13596 RESERVED CVE-2017-13595 RESERVED CVE-2017-13594 RESERVED CVE-2017-13593 RESERVED CVE-2017-13592 RESERVED CVE-2017-13591 RESERVED CVE-2017-13590 RESERVED CVE-2017-13589 RESERVED CVE-2017-13588 RESERVED CVE-2017-13587 RESERVED CVE-2017-13586 RESERVED CVE-2017-13585 RESERVED CVE-2017-13584 RESERVED CVE-2017-13583 RESERVED CVE-2017-13582 RESERVED CVE-2017-13581 RESERVED CVE-2017-13580 RESERVED CVE-2017-13579 RESERVED CVE-2017-13578 RESERVED CVE-2017-13577 RESERVED CVE-2017-13576 RESERVED CVE-2017-13575 RESERVED CVE-2017-13574 RESERVED CVE-2017-13573 RESERVED CVE-2017-13572 RESERVED CVE-2017-13571 RESERVED CVE-2017-13570 RESERVED CVE-2017-13569 RESERVED 
CVE-2017-13568 RESERVED CVE-2017-13567 RESERVED CVE-2017-13566 RESERVED CVE-2017-13565 RESERVED CVE-2017-13564 RESERVED CVE-2017-13563 RESERVED CVE-2017-13562 RESERVED CVE-2017-13561 RESERVED CVE-2017-13560 RESERVED CVE-2017-13559 RESERVED CVE-2017-13558 RESERVED CVE-2017-13557 RESERVED CVE-2017-13556 RESERVED CVE-2017-13555 RESERVED CVE-2017-13554 RESERVED CVE-2017-13553 RESERVED CVE-2017-13552 RESERVED CVE-2017-13551 RESERVED CVE-2017-13550 RESERVED CVE-2017-13549 RESERVED CVE-2017-13548 RESERVED CVE-2017-13547 RESERVED CVE-2017-13546 RESERVED CVE-2017-13545 RESERVED CVE-2017-13544 RESERVED CVE-2017-13543 RESERVED CVE-2017-13542 RESERVED CVE-2017-13541 RESERVED CVE-2017-13540 RESERVED CVE-2017-13539 RESERVED CVE-2017-13538 RESERVED CVE-2017-13537 RESERVED CVE-2017-13536 RESERVED CVE-2017-13535 RESERVED CVE-2017-13534 RESERVED CVE-2017-13533 RESERVED CVE-2017-13532 RESERVED CVE-2017-13531 RESERVED CVE-2017-13530 RESERVED CVE-2017-13529 RESERVED CVE-2017-13528 RESERVED CVE-2017-13527 RESERVED CVE-2017-13526 RESERVED CVE-2017-13525 RESERVED CVE-2017-13524 RESERVED CVE-2017-13523 RESERVED CVE-2017-13522 RESERVED CVE-2017-13521 RESERVED CVE-2017-13520 RESERVED CVE-2017-13519 RESERVED CVE-2017-13518 RESERVED CVE-2017-13517 RESERVED CVE-2017-13516 RESERVED CVE-2017-13515 RESERVED CVE-2017-13514 RESERVED CVE-2017-13513 RESERVED CVE-2017-13512 RESERVED CVE-2017-13511 RESERVED CVE-2017-13510 RESERVED CVE-2017-13509 RESERVED CVE-2017-13508 RESERVED CVE-2017-13507 RESERVED CVE-2017-13506 RESERVED CVE-2017-13505 RESERVED CVE-2017-13504 RESERVED CVE-2017-13503 RESERVED CVE-2017-13502 RESERVED CVE-2017-13501 RESERVED CVE-2017-13500 RESERVED CVE-2017-13499 RESERVED CVE-2017-13498 RESERVED CVE-2017-13497 RESERVED CVE-2017-13496 RESERVED CVE-2017-13495 RESERVED CVE-2017-13494 RESERVED CVE-2017-13493 RESERVED CVE-2017-13492 RESERVED CVE-2017-13491 RESERVED CVE-2017-13490 RESERVED CVE-2017-13489 RESERVED CVE-2017-13488 RESERVED CVE-2017-13487 RESERVED CVE-2017-13486 RESERVED 
CVE-2017-13485 RESERVED CVE-2017-13484 RESERVED CVE-2017-13483 RESERVED CVE-2017-13482 RESERVED CVE-2017-13481 RESERVED CVE-2017-13480 RESERVED CVE-2017-13479 RESERVED CVE-2017-13478 RESERVED CVE-2017-13477 RESERVED CVE-2017-13476 RESERVED CVE-2017-13475 RESERVED CVE-2017-13474 RESERVED CVE-2017-13473 RESERVED CVE-2017-13472 RESERVED CVE-2017-13471 RESERVED CVE-2017-13470 RESERVED CVE-2017-13469 RESERVED CVE-2017-13468 RESERVED CVE-2017-13467 RESERVED CVE-2017-13466 RESERVED CVE-2017-13465 RESERVED CVE-2017-13464 RESERVED CVE-2017-13463 RESERVED CVE-2017-13462 RESERVED CVE-2017-13461 RESERVED CVE-2017-13460 RESERVED CVE-2017-13459 RESERVED CVE-2017-13458 RESERVED CVE-2017-13457 RESERVED CVE-2017-13456 RESERVED CVE-2017-13455 RESERVED CVE-2017-13454 RESERVED CVE-2017-13453 RESERVED CVE-2017-13452 RESERVED CVE-2017-13451 RESERVED CVE-2017-13450 RESERVED CVE-2017-13449 RESERVED CVE-2017-13448 RESERVED CVE-2017-13447 RESERVED CVE-2017-13446 RESERVED CVE-2017-13445 RESERVED CVE-2017-13444 RESERVED CVE-2017-13443 RESERVED CVE-2017-13442 RESERVED CVE-2017-13441 RESERVED CVE-2017-13440 RESERVED CVE-2017-13439 RESERVED CVE-2017-13438 RESERVED CVE-2017-13437 RESERVED CVE-2017-13436 RESERVED CVE-2017-13435 RESERVED CVE-2017-13434 RESERVED CVE-2017-13433 RESERVED CVE-2017-13432 RESERVED CVE-2017-13431 RESERVED CVE-2017-13430 RESERVED CVE-2017-13429 RESERVED CVE-2017-13428 RESERVED CVE-2017-13427 RESERVED CVE-2017-13426 RESERVED CVE-2017-13425 RESERVED CVE-2017-13424 RESERVED CVE-2017-13423 RESERVED CVE-2017-13422 RESERVED CVE-2017-13421 RESERVED CVE-2017-13420 RESERVED CVE-2017-13419 RESERVED CVE-2017-13418 RESERVED CVE-2017-13417 RESERVED CVE-2017-13416 RESERVED CVE-2017-13415 RESERVED CVE-2017-13414 RESERVED CVE-2017-13413 RESERVED CVE-2017-13412 RESERVED CVE-2017-13411 RESERVED CVE-2017-13410 RESERVED CVE-2017-13409 RESERVED CVE-2017-13408 RESERVED CVE-2017-13407 RESERVED CVE-2017-13406 RESERVED CVE-2017-13405 RESERVED CVE-2017-13404 RESERVED CVE-2017-13403 RESERVED 
CVE-2017-13402 RESERVED CVE-2017-13401 RESERVED CVE-2017-13400 RESERVED CVE-2017-13399 RESERVED CVE-2017-13398 RESERVED CVE-2017-13397 RESERVED CVE-2017-13396 RESERVED CVE-2017-13395 RESERVED CVE-2017-13394 RESERVED CVE-2017-13393 RESERVED CVE-2017-13392 RESERVED CVE-2017-13391 RESERVED CVE-2017-13390 RESERVED CVE-2017-13389 RESERVED CVE-2017-13388 RESERVED CVE-2017-13387 RESERVED CVE-2017-13386 RESERVED CVE-2017-13385 RESERVED CVE-2017-13384 RESERVED CVE-2017-13383 RESERVED CVE-2017-13382 RESERVED CVE-2017-13381 RESERVED CVE-2017-13380 RESERVED CVE-2017-13379 RESERVED CVE-2017-13378 RESERVED CVE-2017-13377 RESERVED CVE-2017-13376 RESERVED CVE-2017-13375 RESERVED CVE-2017-13374 RESERVED CVE-2017-13373 RESERVED CVE-2017-13372 RESERVED CVE-2017-13371 RESERVED CVE-2017-13370 RESERVED CVE-2017-13369 RESERVED CVE-2017-13368 RESERVED CVE-2017-13367 RESERVED CVE-2017-13366 RESERVED CVE-2017-13365 RESERVED CVE-2017-13364 RESERVED CVE-2017-13363 RESERVED CVE-2017-13362 RESERVED CVE-2017-13361 RESERVED CVE-2017-13360 RESERVED CVE-2017-13359 RESERVED CVE-2017-13358 RESERVED CVE-2017-13357 RESERVED CVE-2017-13356 RESERVED CVE-2017-13355 RESERVED CVE-2017-13354 RESERVED CVE-2017-13353 RESERVED CVE-2017-13352 RESERVED CVE-2017-13351 RESERVED CVE-2017-13350 RESERVED CVE-2017-13349 RESERVED CVE-2017-13348 RESERVED CVE-2017-13347 RESERVED CVE-2017-13346 RESERVED CVE-2017-13345 RESERVED CVE-2017-13344 RESERVED CVE-2017-13343 RESERVED CVE-2017-13342 RESERVED CVE-2017-13341 RESERVED CVE-2017-13340 RESERVED CVE-2017-13339 RESERVED CVE-2017-13338 RESERVED CVE-2017-13337 RESERVED CVE-2017-13336 RESERVED CVE-2017-13335 RESERVED CVE-2017-13334 RESERVED CVE-2017-13333 RESERVED CVE-2017-13332 RESERVED CVE-2017-13331 RESERVED CVE-2017-13330 RESERVED CVE-2017-13329 RESERVED CVE-2017-13328 RESERVED CVE-2017-13327 RESERVED CVE-2017-13326 RESERVED CVE-2017-13325 RESERVED CVE-2017-13324 RESERVED CVE-2017-13323 RESERVED NOT-FOR-US: Android CVE-2017-13322 RESERVED NOT-FOR-US: Android CVE-2017-13321 
RESERVED NOT-FOR-US: Android CVE-2017-13320 RESERVED NOT-FOR-US: Android Media Framework CVE-2017-13319 RESERVED NOT-FOR-US: Android Media Framework CVE-2017-13318 RESERVED NOT-FOR-US: Android Media Framework CVE-2017-13317 RESERVED NOT-FOR-US: Android Media Framework CVE-2017-13316 RESERVED NOT-FOR-US: Android CVE-2017-13315 RESERVED CVE-2017-13314 RESERVED CVE-2017-13313 RESERVED CVE-2017-13312 RESERVED CVE-2017-13311 RESERVED CVE-2017-13310 RESERVED CVE-2017-13309 RESERVED CVE-2017-13308 RESERVED CVE-2017-13307 (A elevation of privilege vulnerability in the Upstream kernel pci sysf ...) NOT-FOR-US: Android kernel (no source release, so apparently not in mainline) CVE-2017-13306 (A elevation of privilege vulnerability in the Upstream kernel mnh driv ...) NOT-FOR-US: Android kernel (no source release, so apparently not in mainline) CVE-2017-13305 (A information disclosure vulnerability in the Upstream kernel encrypte ...) {DLA-1731-1} - linux 4.12.6-1 [stretch] - linux 4.9.82-1+deb9u1 NOTE: Fixed by: https://git.kernel.org/linus/794b4bc292f5d31739d89c0202c54e7dc9bc3add CVE-2017-13304 (A information disclosure vulnerability in the Upstream kernel mnh_sm d ...) NOT-FOR-US: Android kernel (no source release, so apparently not in mainline) CVE-2017-13303 (A information disclosure vulnerability in the Broadcom bcmdhd driver. ...) NOT-FOR-US: Broadcom components for Android CVE-2017-13302 (A denial of service vulnerability in the Android system (system ui). P ...) NOT-FOR-US: Android CVE-2017-13301 (A denial of service vulnerability in the Android system (system ui). P ...) NOT-FOR-US: Android CVE-2017-13300 (A denial of service vulnerability in the Android media framework (libh ...) NOT-FOR-US: Android media framework CVE-2017-13299 (A other vulnerability in the Android media framework (libavc). Product ...) NOT-FOR-US: Android media framework CVE-2017-13298 (A information disclosure vulnerability in the Android media framework ...) 
NOT-FOR-US: Android media framework CVE-2017-13297 (A information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13296 (A information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13295 (A denial of service vulnerability in the Android framework (package in ...) NOT-FOR-US: Android CVE-2017-13294 (A information disclosure vulnerability in the Android framework (aosp ...) NOT-FOR-US: Android framework (aosp email application) CVE-2017-13293 (In the nfc_hci_cmd_received() function of core.c, there is a possible ...) NOT-FOR-US: Android kernel (no source release, so apparently not in mainline) CVE-2017-13292 (In wl_get_assoc_ies of wl_cfg80211.c, there is a possible out of bound ...) NOT-FOR-US: Broadcom components for Android CVE-2017-13291 (In avrc_ctrl_pars_vendor_rsp of avrc_pars_ct.cc, there is a possible N ...) NOT-FOR-US: Android CVE-2017-13290 (In sdp_server_handle_client_req of sdp_server.cc, there is an out of b ...) NOT-FOR-US: Android CVE-2017-13289 (In writeToParcel and createFromParcel of RttManager.java, there is a p ...) NOT-FOR-US: Android CVE-2017-13288 (In writeToParcel and readFromParcel of PeriodicAdvertisingReport.java, ...) NOT-FOR-US: Android CVE-2017-13287 (In createFromParcel of VerifyCredentialResponse.java, there is a possi ...) NOT-FOR-US: Android CVE-2017-13286 (In writeToParcel and readFromParcel of OutputConfiguration.java, there ...) NOT-FOR-US: Android CVE-2017-13285 (In SvoxSsmlParser and startElement of svox_ssml_parser.cpp, there is a ...) NOT-FOR-US: Android CVE-2017-13284 (In config_set_string of config.cc, it is possible to pair a second BT ...) NOT-FOR-US: Android CVE-2017-13283 (In avrc_ctrl_pars_vendor_rsp of bluetooth avrcp_ctrl, there is a possi ...) NOT-FOR-US: Android CVE-2017-13282 (In avrc_ctrl_pars_vendor_rsp of avrc_pars_ct.cc, there is a possible s ...) 
NOT-FOR-US: Android CVE-2017-13281 (In avrc_pars_browsing_cmd of avrc_pars_tg.cc, there is a possible stac ...) NOT-FOR-US: Android CVE-2017-13280 (In the FrameSequence_gif::FrameSequence_gif function of libframesequen ...) NOT-FOR-US: Android media framework CVE-2017-13279 (In M3UParser::parse of M3UParser.cpp, there is a memory resource exhau ...) NOT-FOR-US: Android media framework CVE-2017-13278 (In MediaPlayerService::Client::notify of MediaPlayerService.cpp, there ...) NOT-FOR-US: Android media framework CVE-2017-13277 (In ihevcd_fmt_conv of ihevcd_fmt_conv.c, there is a possible out of bo ...) NOT-FOR-US: Android media framework CVE-2017-13276 (In CProgramConfig_ReadHeightExt of tpdec_asc.cpp, there is a possible ...) NOT-FOR-US: Android media framework CVE-2017-13275 (In getVSCoverage of CmapCoverage.cpp, there is a possible out of bound ...) NOT-FOR-US: Android CVE-2017-13274 (In the getHost() function of UriTest.java, there is the possibility of ...) NOT-FOR-US: Android CVE-2017-13273 (In xt_qtaguid.c, there is a race condition due to insufficient locking ...) NOT-FOR-US: Android CVE-2017-13272 (In alarm_ready_generic of alarm.cc, there is a possible out of bounds ...) NOT-FOR-US: Android CVE-2017-13271 (A elevation of privilege vulnerability in the upstream kernel mnh_sm d ...) NOT-FOR-US: Android kernel (no source release, so apparently not in mainline) CVE-2017-13270 (A elevation of privilege vulnerability in the upstream kernel mnh_sm d ...) NOT-FOR-US: Android kernel (no source release, so apparently not in mainline) CVE-2017-13269 (A information disclosure vulnerability in the Android system (bluetoot ...) NOT-FOR-US: Android CVE-2017-13268 (A information disclosure vulnerability in the Android system (bluetoot ...) NOT-FOR-US: Android CVE-2017-13267 (In avrc_pars_vendor_cmd of avrc_pars_tg.cc, there is a possible stack ...) NOT-FOR-US: Android CVE-2017-13266 (In avrc_pars_vendor_cmd of avrc_pars_tg.cc, there is a possible stack ...) 
NOT-FOR-US: Android CVE-2017-13265 (A elevation of privilege vulnerability in the Android system (OTA upda ...) NOT-FOR-US: Android CVE-2017-13264 (A other vulnerability in the Android media framework (Avcdec). Product ...) NOT-FOR-US: Android Media Framework CVE-2017-13263 (A elevation of privilege vulnerability in the Android framework. Produ ...) NOT-FOR-US: Android CVE-2017-13262 (In bnep_data_ind of bnep_main.cc, there is a possible out of bounds re ...) NOT-FOR-US: Android CVE-2017-13261 (In bnep_process_control_packet of bnep_utils.cc, there is a possible o ...) NOT-FOR-US: Android CVE-2017-13260 (In bnep_data_ind of bnep_main.cc, there is a possible out of bounds re ...) NOT-FOR-US: Android CVE-2017-13259 (In functionality implemented in sdp_discovery.cc, there are possible o ...) NOT-FOR-US: Android CVE-2017-13258 (In bnep_data_ind of bnep_main.cc, there is a possible out of bounds re ...) NOT-FOR-US: Android CVE-2017-13257 (In bta_pan_data_buf_ind_cback of bta_pan_act.cc there is a use after f ...) NOT-FOR-US: Android CVE-2017-13256 (In process_service_search_attr_req of sdp_server.cc, there is an out o ...) NOT-FOR-US: Android CVE-2017-13255 (In process_service_attr_req of sdp_server.c, there is an out of bounds ...) NOT-FOR-US: Android CVE-2017-13254 (A other vulnerability in the Android media framework (AACExtractor). P ...) NOT-FOR-US: Android Media Framework CVE-2017-13253 (In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible out ...) NOT-FOR-US: Android Media Framework CVE-2017-13252 (In CryptoHal::decrypt of CryptoHal.cpp, there is an out of bounds writ ...) NOT-FOR-US: Android Media Framework CVE-2017-13251 (In impeg2d_dec_pic_data_thread of impeg2d_dec_hdr.c, there is a possib ...) NOT-FOR-US: Android Media Framework CVE-2017-13250 (In ih264d_fmt_conv_420sp_to_420p of ih264d_utils.c, there is an out of ...) NOT-FOR-US: Android Media Framework CVE-2017-13249 (In impeg2d_api_set_display_frame of impeg2d_api_main.c, there is an ou ...) 
NOT-FOR-US: Android Media Framework CVE-2017-13248 (In impeg2_idct_recon_sse42() of impeg2_idct_recon_sse42_intr.c, there ...) NOT-FOR-US: Android Media Framework CVE-2017-13247 (In the Pixel 2 bootloader, there is a missing permission check which b ...) NOT-FOR-US: HTC Android components CVE-2017-13246 (A information disclosure vulnerability in the Upstream kernel network ...) NOT-FOR-US: Closed source network driver for Pixel phones CVE-2017-13245 (A elevation of privilege vulnerability in the Upstream kernel audio dr ...) NOT-FOR-US: Closed source audio driver for Pixel phones CVE-2017-13244 (A elevation of privilege vulnerability in the Upstream kernel easel. P ...) NOT-FOR-US: Easel driver for Pixel phones CVE-2017-13243 (A information disclosure vulnerability in the Android system (ui). Pro ...) NOT-FOR-US: Android CVE-2017-13242 (A information disclosure vulnerability in the Android system (bluetoot ...) NOT-FOR-US: Android CVE-2017-13241 (A information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-13240 (A information disclosure vulnerability in the Android framework (crypt ...) NOT-FOR-US: Android CVE-2017-13239 (A information disclosure vulnerability in the Android framework (ui fr ...) NOT-FOR-US: Android CVE-2017-13238 (In XBLRamDump mode, there is a debug feature that can be used to dump ...) NOT-FOR-US: HTC Android components CVE-2017-13237 RESERVED CVE-2017-13236 (In the KeyStore service, there is a permissions bypass that allows acc ...) NOT-FOR-US: Android CVE-2017-13235 (A other vulnerability in the Android media framework (n/a). Product: A ...) NOT-FOR-US: Android Media Framework CVE-2017-13234 (In DLSParser of the sonivox library, there is possible resource exhaus ...) NOT-FOR-US: Android Media Framework CVE-2017-13233 (In ihevcd_ctb_boundary_strength_pbslice of libhevc, there is possible ...) 
NOT-FOR-US: Android Media Framework CVE-2017-13232 (In audioserver, there is an out-of-bounds write due to a log statement ...) NOT-FOR-US: Android Media Framework CVE-2017-13231 (In libmediadrm, there is an out-of-bounds write due to improper input ...) NOT-FOR-US: Android Media Framework CVE-2017-13230 (In hevc codec, there is an out-of-bounds write due to an incorrect bou ...) NOT-FOR-US: Android Media Framework CVE-2017-13229 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android Media Framework CVE-2017-13228 (In function ih264d_ref_idx_reordering of libavc, there is an out-of-bo ...) NOT-FOR-US: Android Media Framework CVE-2017-13227 RESERVED NOT-FOR-US: Android CVE-2017-13226 (An elevation of privilege vulnerability in the MediaTek mtk. Product: ...) NOT-FOR-US: Mediatek components for Android CVE-2017-13225 (In libMtkOmxVdec.so there is a possible heap buffer overflow. This cou ...) NOT-FOR-US: Mediatek components for Android CVE-2017-13224 RESERVED CVE-2017-13223 RESERVED CVE-2017-13222 (An information disclosure vulnerability in the Upstream kernel kernel. ...) NOT-FOR-US: Android kernel component (no source release, no apparently not affecting mainline) CVE-2017-13221 (An elevation of privilege vulnerability in the Upstream kernel wifi dr ...) NOT-FOR-US: Android kernel component (no source release, no apparently not affecting mainline) CVE-2017-13220 (An elevation of privilege vulnerability in the Upstream kernel bluez. ...) {DSA-4187-1} - linux 4.0.2-1 [wheezy] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/51bda2bca53b265715ca1852528f38dc67429d9a CVE-2017-13219 (A denial of service vulnerability in the Upstream kernel synaptics tou ...) NOT-FOR-US: Android kernel component (no source release, no apparently not affecting mainline) CVE-2017-13218 (Access to CNTVCT_EL0 in Small Cell SoC, Snapdragon Automobile, Snapdra ...) 
NOT-FOR-US: Android kernel component (no source release, no apparently not affecting mainline) CVE-2017-13217 (In DisplayFtmItem in the bootloader, there is an out-of-bounds write d ...) NOT-FOR-US: Android kernel component (no source release, no apparently not affecting mainline) CVE-2017-13216 (In ashmem_ioctl of ashmem.c, there is an out-of-bounds write due to in ...) - linux 4.14.17-1 (unimportant) [stretch] - linux 4.9.80-1 [jessie] - linux 3.16.56-1 [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/443064cb0b1fb4569fe0a71209da7625129f CVE-2017-13215 (A elevation of privilege vulnerability in the Upstream kernel skcipher ...) - linux 4.4.2-1 [jessie] - linux 3.16.7-ckt25-1 [wheezy] - linux 3.2.78-1 CVE-2017-13214 (In the hardware HEVC decoder, some media files could cause a page faul ...) NOT-FOR-US: HTC components for Android CVE-2017-13213 (An elevation of privilege vulnerability in the Broadcom bcmdhd driver. ...) NOT-FOR-US: Broadcom component for Android CVE-2017-13212 (An elevation of privilege vulnerability in the Android system (systemu ...) NOT-FOR-US: Android CVE-2017-13211 (In bta_scan_results_cb_impl of btif_ble_scanner.cc, there is possible ...) NOT-FOR-US: Android CVE-2017-13210 (In CameraDeviceClient::submitRequestList of CameraDeviceClient.cpp, th ...) NOT-FOR-US: Android CVE-2017-13209 (In the ServiceManager::add function in the hardware service manager, t ...) NOT-FOR-US: Android CVE-2017-13208 (In receive_packet of libnetutils/packet.c, there is a possible out-of- ...) NOT-FOR-US: Android CVE-2017-13207 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13206 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13205 (An information disclosure vulnerability in the Android media framework ...) 
NOT-FOR-US: Android media framework CVE-2017-13204 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13203 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13202 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13201 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13200 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13199 (In Bitmap.ccp if Bitmap.nativeCreate fails an out of memory exception ...) NOT-FOR-US: Android media framework CVE-2017-13198 (A vulnerability in the Android media framework (ex) related to composi ...) NOT-FOR-US: Android media framework CVE-2017-13197 (In the ihevcd_parse_slice.c function, slave threads are not joined if ...) NOT-FOR-US: Android media framework CVE-2017-13196 (In several places in ihevcd_decode.c, a dead loop could occur due to i ...) NOT-FOR-US: Android media framework CVE-2017-13195 (In the ihevcd_parse_sps function of ihevcd_parse_headers.c, several pa ...) NOT-FOR-US: Android media framework CVE-2017-13194 (A vulnerability in the Android media framework (libvpx) related to odd ...) {DSA-4132-1 DLA-1290-1} - libvpx 1.7.0-2 NOTE: Android patch: https://android.googlesource.com/platform/external/libvpx/+/55cd1dd7c8d0a3de907d22e0f12718733f4e41d9 CVE-2017-13193 (In ihevcd_decode.c there is a possible infinite loop due to bytes for ...) NOT-FOR-US: Android media framework CVE-2017-13192 (In the ihevcd_parse_slice_header function of ihevcd_parse_slice_header ...) NOT-FOR-US: Android media framework CVE-2017-13191 (In the ihevcd_decode function of ihevcd_decode.c, there is an infinite ...) 
NOT-FOR-US: Android media framework CVE-2017-13190 (A vulnerability in the Android media framework (libhevc) related to ha ...) NOT-FOR-US: Android media framework CVE-2017-13189 (A vulnerability in the Android media framework (libavc) related to han ...) NOT-FOR-US: Android media framework CVE-2017-13188 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13187 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13186 (A vulnerability in the Android media framework (libavc) related to inc ...) NOT-FOR-US: Android media framework CVE-2017-13185 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-13184 (In the enableVSyncInjections function of SurfaceFlinger, there is a po ...) NOT-FOR-US: Android media framework CVE-2017-13183 (In the OMXNodeInstance::useBuffer and IOMX::freeBuffer functions, ther ...) NOT-FOR-US: Android media framework CVE-2017-13182 (In the sendFormatChange function of ACodec, there is a possible intege ...) NOT-FOR-US: Android media framework CVE-2017-13181 (In the doGetThumb and getThumbnail functions of MtpServer, there is a ...) NOT-FOR-US: Android media framework CVE-2017-13180 (In the onQueueFilled function of SoftAVCDec, there is a possible out-o ...) NOT-FOR-US: Android media framework CVE-2017-13179 (In the ihevcd_allocate_static_bufs and ihevcd_create functions of Soft ...) NOT-FOR-US: Android media framework CVE-2017-13178 (In the initDecoder function of SoftAVCDec, there is a possible out-of- ...) NOT-FOR-US: Android media framework CVE-2017-13177 (In several functions of libhevc, NEON registers are not preserved. Thi ...) NOT-FOR-US: Android media framework CVE-2017-13176 (In the parseURL function of URLStreamHandler, there is improper input ...) 
NOT-FOR-US: Android CVE-2017-13175 (An information disclosure vulnerability in the NVIDIA libwilhelm. Prod ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-13174 (An elevation of privilege vulnerability in the kernel edl. Product: An ...) NOT-FOR-US: Android kernel components (no source release, so apparently not present in mainline) CVE-2017-13173 (An elevation of privilege vulnerability in the MediaTek system server. ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-13172 (An elevation of privilege vulnerability in the MediaTek bluetooth driv ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-13171 (An elevation of privilege vulnerability in the MediaTek performance se ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-13170 (An elevation of privilege vulnerability in the MediaTek display driver ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-13169 (An information disclosure vulnerability in the kernel camera server. P ...) NOT-FOR-US: Android kernel components (no source release, so apparently not present in mainline) CVE-2017-13168 (An elevation of privilege vulnerability in the kernel scsi driver. Pro ...) - linux 4.17.6-1 [stretch] - linux 4.9.130-1 NOTE: Fixed by: https://git.kernel.org/linus/26b5b874aff5659a7e26e5b1997e3df2c41fa7fd CVE-2017-13167 (An elevation of privilege vulnerability in the kernel sound timer. Pro ...) - linux 4.4.2-1 [jessie] - linux 3.16.7-ckt25-1 NOTE: Fixed by: https://git.kernel.org/linus/c3b1681375dc6e71d89a3ae00cc3ce9e775a8917 NOTE: Fixed by: https://git.kernel.org/linus/4dff5c7b7093b19c19d3a100f8a3ad87cb7cd9e7 CVE-2017-13166 (An elevation of privilege vulnerability in the kernel v4l2 video drive ...) {DSA-4187-1 DSA-4120-1 DLA-1369-1} - linux 4.15.4-1 NOTE: https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-13166.html NOTE: https://git.kernel.org/linus/a1dfb4c48cc1e64eeb7800a27c66a6f7e88d075a CVE-2017-13165 (An elevation of privilege vulnerability in the kernel file system. Pro ...) 
NOT-FOR-US: Android kernel components (no source release, so apparently not present in mainline) CVE-2017-13164 (An information disclosure vulnerability in the kernel binder driver. P ...) NOT-FOR-US: Android kernel components (no source release, so apparently not present in mainline) CVE-2017-13163 (An elevation of privilege vulnerability in the kernel mtp usb driver. ...) NOT-FOR-US: Android kernel components (no source release, so apparently not present in mainline) CVE-2017-13162 (An elevation of privilege vulnerability in the kernel binder. Product: ...) NOT-FOR-US: Android kernel components (no source release, so apparently not present in mainline) CVE-2017-13161 (An elevation of privilege vulnerability in the Broadcom wireless drive ...) NOT-FOR-US: Broadcom components for Android CVE-2017-13160 (A remote code execution vulnerability in the Android system (bluetooth ...) NOT-FOR-US: Android CVE-2017-13159 (An information disclosure vulnerability in the Android system (activit ...) NOT-FOR-US: Android CVE-2017-13158 (An information disclosure vulnerability in the Android system (activit ...) NOT-FOR-US: Android CVE-2017-13157 (An information disclosure vulnerability in the Android system (activit ...) NOT-FOR-US: Android CVE-2017-13156 (An elevation of privilege vulnerability in the Android system (art). P ...) - android-platform-system-core (Not exploitable on Debian, see #890949) CVE-2017-13155 RESERVED CVE-2017-13154 (An elevation of privilege vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-13153 (An elevation of privilege vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-13152 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-13151 (A remote code execution vulnerability in the Android media framework ( ...) 
NOT-FOR-US: Android Media Framework CVE-2017-13150 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-13149 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-13148 (A denial of service vulnerability in the Android media framework (libm ...) NOT-FOR-US: Android Media Framework CVE-2017-13147 (In GraphicsMagick 1.3.26, an allocation failure vulnerability was foun ...) - graphicsmagick 1.3.27-1 (unimportant) NOTE: https://sourceforge.net/p/graphicsmagick/bugs/446/ CVE-2017-13146 (In ImageMagick before 6.9.8-5 and 7.x before 7.0.5-6, there is a memor ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (unimportant; bug #870013) NOTE: https://github.com/ImageMagick/ImageMagick/commit/437a35e57db5ec078f4a3ccbf71f941276e88430 CVE-2017-13141 (In ImageMagick before 6.9.9-4 and 7.x before 7.0.6-4, a crafted file c ...) {DSA-4019-1} - imagemagick 8:6.9.7.4+dfsg-15 (unimportant; bug #870116) NOTE: https://github.com/ImageMagick/ImageMagick/issues/600 CVE-2017-13138 (DOM based Cross-site scripting (XSS) vulnerability in the Bridge theme ...) NOT-FOR-US: Wordpress theme CVE-2017-13137 (The FormCraft Basic plugin 1.0.5 for WordPress has SQL injection in th ...) NOT-FOR-US: Wordpress plugin CVE-2017-13136 (The image_alloc function in bpgenc.c in libbpg 0.9.7 has an integer ov ...) NOT-FOR-US: libbpg CVE-2017-13135 (A NULL Pointer Dereference exists in VideoLAN x265, as used in libbpg ...) - x265 2.6-3 (low) [stretch] - x265 (Minor issue) NOTE: https://github.com/ebel34/bpg-web-encoder/issues/1 NOTE: https://bitbucket.org/multicoreware/x265/issues/385/cve-2017-13135 NOTE: https://bitbucket.org/multicoreware/x265/commits/78c0f2c8ba087b38e291226a9555b4b4dab323a5/raw CVE-2017-13134 (In ImageMagick 7.0.6-6 and GraphicsMagick 1.3.26, a heap-based buffer ...) 
{DSA-4321-1 DSA-4040-1 DSA-4032-1 DLA-1401-1 DLA-1170-1 DLA-1081-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #873099) - graphicsmagick 1.3.26-19 (bug #881524) NOTE: https://github.com/ImageMagick/ImageMagick/issues/670 NOTE: https://github.com/ImageMagick/ImageMagick/commit/5304ae14655a67b9a3db00563fe44d9abd6de4f0 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/1b234b4fe2ec864b2d5af898a31c06c9736da904 NOTE: GraphicsMagick: http://hg.code.sf.net/p/graphicsmagick/code/rev/1b47e0078e05 CVE-2017-13133 (In ImageMagick 7.0.6-8, the load_level function in coders/xcf.c lacks ...) {DLA-2366-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #873100) NOTE: https://github.com/ImageMagick/ImageMagick/issues/679 NOTE: https://github.com/ImageMagick/ImageMagick/commit/19dbe11c5060f66abb393d1945107c5f54894fa8 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/fad03699658d2607562a8487c944c300d59a1ca5 CVE-2017-13132 (In ImageMagick 7.0.6-8, the WritePDFImage function in coders/pdf.c ope ...) - imagemagick (Vulnerable code not present, introduced in 7.0.1-0) NOTE: https://github.com/ImageMagick/ImageMagick/issues/674 CVE-2017-13131 (In ImageMagick 7.0.6-8, a memory leak vulnerability was found in the f ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/676 CVE-2017-13130 (mcmnm in BMC Patrol allows local users to gain privileges via a crafte ...) NOT-FOR-US: BMC Patrol CVE-2017-13129 (Cross-site request forgery (CSRF) vulnerability in ZKTeco ZKTime Web 2 ...) NOT-FOR-US: ZKTeco ZKTime Web CVE-2017-13128 RESERVED CVE-2017-13127 (The VIP.com application for IOS and Android allows remote attackers to ...) 
NOT-FOR-US: VIP.com app CVE-2017-13126 REJECTED CVE-2017-13125 REJECTED CVE-2017-13124 REJECTED CVE-2017-13123 REJECTED CVE-2017-13122 REJECTED CVE-2017-13121 REJECTED CVE-2017-13120 REJECTED CVE-2017-13119 REJECTED CVE-2017-13118 REJECTED CVE-2017-13117 REJECTED CVE-2017-13116 REJECTED CVE-2017-13115 REJECTED CVE-2017-13114 REJECTED CVE-2017-13113 REJECTED CVE-2017-13112 REJECTED CVE-2017-13111 REJECTED CVE-2017-13110 REJECTED CVE-2017-13109 REJECTED CVE-2017-13108 (DFNDR Security Antivirus, Anti-hacking & Cleaner, 5.0.9, 2017-11-0 ...) NOT-FOR-US: DFNDR Security Antivirus, Anti-hacking & Cleaner CVE-2017-13107 (Live.me - live stream video chat, 3.7.20, 2017-11-06, Android applicat ...) NOT-FOR-US: Live.me - live stream video chat Android application CVE-2017-13106 (Cheetahmobile CM Launcher 3D - Theme, wallpaper, Secure, Efficient, 5. ...) NOT-FOR-US: Cheetahmobile CM Launcher 3D - Theme, wallpaper, Secure, Efficient Android application CVE-2017-13105 (Hi Security Virus Cleaner - Antivirus, Booster, 3.7.1.1329, 2017-09-13 ...) NOT-FOR-US: Hi Security Virus Cleaner - Antivirus, Booster Android application CVE-2017-13104 (Uber Technologies, Inc. UberEATS: Uber for Food Delivery, 1.108.10001, ...) NOT-FOR-US: Uber Technologies, Inc. UberEATS: Uber for Food Delivery iOS application CVE-2017-13103 REJECTED CVE-2017-13102 (Gameloft Asphalt Xtreme: Offroad Rally Racing, 1.6.0, 2017-08-13, iOS ...) NOT-FOR-US: Gameloft Asphalt Xtreme: Offroad Rally Racing iOS application CVE-2017-13101 (Musical.ly Inc., musical.ly - your video social network, 6.1.6, 2017-1 ...) NOT-FOR-US: Musical.ly Inc., musical.ly - your video social network iOS application CVE-2017-13100 (DistinctDev, Inc., The Moron Test, 6.3.1, 2017-05-04, iOS application ...) NOT-FOR-US: DistinctDev, Inc., The Moron Test iOS application CVE-2017-13099 (wolfSSL prior to version 3.12.2 provides a weak Bleichenbacher oracle ...) 
- wolfssl 3.13.0+dfsg-1 (bug #884235) NOTE: https://github.com/wolfSSL/wolfssl/pull/1229 NOTE: https://robotattack.org/ CVE-2017-13098 (BouncyCastle TLS prior to version 1.0.3, when configured to use the JC ...) {DSA-4072-1} - bouncycastle 1.58-1 (bug #884241) [jessie] - bouncycastle (Vulnerable code introduced in 1.56 with tls API addition) [wheezy] - bouncycastle (Vulnerable code not present) NOTE: Introduced by: https://github.com/bcgit/bc-java/commit/9b53e60792e14c65cd1dbfad65e88ec5949ce4b3 NOTE: Fixed by: https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c NOTE: Fixed in 1.59 beta 9 NOTE: https://robotattack.org/ CVE-2017-13097 (The P1735 IEEE standard describes flawed methods for encrypting electr ...) NOT-FOR-US: P1735 IEEE standard CVE-2017-13096 (The P1735 IEEE standard describes flawed methods for encrypting electr ...) NOT-FOR-US: P1735 IEEE standard CVE-2017-13095 (The P1735 IEEE standard describes flawed methods for encrypting electr ...) NOT-FOR-US: P1735 IEEE standard CVE-2017-13094 (The P1735 IEEE standard describes flawed methods for encrypting electr ...) NOT-FOR-US: P1735 IEEE standard CVE-2017-13093 (The P1735 IEEE standard describes flawed methods for encrypting electr ...) NOT-FOR-US: P1735 IEEE standard CVE-2017-13092 (The P1735 IEEE standard describes flawed methods for encrypting electr ...) NOT-FOR-US: P1735 IEEE standard CVE-2017-13091 (The P1735 IEEE standard describes flawed methods for encrypting electr ...) NOT-FOR-US: P1735 IEEE standard CVE-2017-13090 (The retr.c:fd_read_body() function is called when processing OK respon ...) {DSA-4008-1 DLA-1149-1} - wget 1.19.2-1 (bug #879957) NOTE: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=ba6b44f6745b14dce414761a8e4b35d31b176bba CVE-2017-13089 (The http.c:skip_short_body() function is called in some circumstances, ...) 
{DSA-4008-1 DLA-1149-1} - wget 1.19.2-1 (bug #879957) NOTE: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=d892291fb8ace4c3b734ea5125770989c215df3f CVE-2017-13088 (Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows rein ...) {DSA-3999-1 DLA-1150-1} - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13087 (Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows rein ...) {DSA-3999-1 DLA-1150-1} - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13086 (Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Tun ...) {DSA-3999-1 DLA-1150-1} - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13085 RESERVED CVE-2017-13084 (Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Sta ...) - wpa (unimportant) NOTE: From https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt NOTE: As far as the related CVE-2017-13084 (reinstallation of the STK key in NOTE: the PeerKey handshake) is concerned, it should be noted that PeerKey NOTE: implementation in wpa_supplicant is not fully functional and the actual NOTE: installation of the key into the driver does not work. As such, this NOTE: item is not applicable in practice. Furthermore, the PeerKey handshake NOTE: for IEEE 802.11e DLS is obsolete and not known to have been deployed. CVE-2017-13083 (Akeo Consulting Rufus prior to version 2.17.1187 does not adequately v ...) NOT-FOR-US: Akeo Consulting Rufus CVE-2017-13082 (Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11r allow ...) {DSA-3999-1 DLA-1150-1} - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13081 (Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allow ...) 
{DSA-3999-1 DLA-1573-1 DLA-1150-1} - firmware-nonfree 20180825-1 [stretch] - firmware-nonfree 20161130-4 [jessie] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13080 (Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Gro ...) {DSA-3999-1 DLA-1573-1 DLA-1200-1 DLA-1150-1} - firmware-nonfree 20180825-1 [stretch] - firmware-nonfree 20161130-4 [jessie] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: https://w1.fi/security/2017-1/ NOTE: https://git.kernel.org/linus/fdf7cb4185b60c68e1a75e61691c4afdc15dea0e (v4.14-rc6) CVE-2017-13079 (Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allow ...) {DSA-3999-1 DLA-1573-1 DLA-1150-1} - firmware-nonfree 20180825-1 [stretch] - firmware-nonfree 20161130-4 [jessie] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13078 (Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Gro ...) {DSA-3999-1 DLA-1573-1 DLA-1150-1} - firmware-nonfree 20180825-1 [stretch] - firmware-nonfree 20161130-4 [jessie] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13077 (Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Pai ...) {DSA-3999-1 DLA-1573-1 DLA-1150-1} - firmware-nonfree 20180825-1 [stretch] - firmware-nonfree 20161130-4 [jessie] - firmware-nonfree (non-free not supported) - wpa 2:2.4-1.1 NOTE: https://w1.fi/security/2017-1/ CVE-2017-13076 RESERVED CVE-2017-13075 RESERVED CVE-2017-13074 RESERVED CVE-2017-13073 (Cross-site scripting (XSS) vulnerability in QNAP NAS application Photo ...) NOT-FOR-US: QNAP NAS application Photo Station CVE-2017-13072 (Cross-site scripting (XSS) vulnerability in App Center in QNAP QTS 4.2 ...) NOT-FOR-US: QNAP CVE-2017-13071 (QNAP has already patched this vulnerability. 
This security concern all ...) NOT-FOR-US: QNAP CVE-2017-13070 (A DLL Hijacking vulnerability in QNAP Qsync for Windows (exe) version ...) NOT-FOR-US: QNAP CVE-2017-13069 (QNAP discovered a number of command injection vulnerabilities found in ...) NOT-FOR-US: QNAP CVE-2017-13068 (QNAP has already patched this vulnerability. This security concern all ...) NOT-FOR-US: QNAP CVE-2017-13067 (QNAP has patched a remote code execution vulnerability affecting the Q ...) NOT-FOR-US: QNAP CVE-2017-13066 (GraphicsMagick 1.3.26 has a memory leak vulnerability in the function ...) - graphicsmagick 1.3.27-1 (unimportant) NOTE: https://sourceforge.net/p/graphicsmagick/bugs/430/ CVE-2017-13065 (GraphicsMagick 1.3.26 has a NULL pointer dereference vulnerability in ...) {DSA-4321-1 DLA-1401-1 DLA-1082-1} - graphicsmagick 1.3.26-7 (bug #873119) NOTE: https://sourceforge.net/p/graphicsmagick/bugs/435/ NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/54f48ab2d52a CVE-2017-13064 (GraphicsMagick 1.3.26 has a heap-based buffer overflow vulnerability i ...) {DSA-4321-1 DLA-1401-1 DLA-1082-1} - graphicsmagick 1.3.26-7 (bug #873129) NOTE: https://sourceforge.net/p/graphicsmagick/bugs/436/ NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/54f48ab2d52a CVE-2017-13063 (GraphicsMagick 1.3.26 has a heap-based buffer overflow vulnerability i ...) {DSA-4321-1 DLA-1401-1 DLA-1082-1} - graphicsmagick 1.3.26-7 (bug #873130) NOTE: https://sourceforge.net/p/graphicsmagick/bugs/434/ NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/54f48ab2d52a CVE-2017-13062 (In ImageMagick 7.0.6-6, a memory leak vulnerability was found in the f ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/669 CVE-2017-13061 (In ImageMagick 7.0.6-5, a length-validation vulnerability was found in ...) 
{DLA-2366-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #873131) [jessie] - imagemagick (Vulnerable code not present) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/645 NOTE: https://github.com/ImageMagick/ImageMagick/commit/90ed66889d6455a1d7f36e939977fa099e2d7ca7 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/90ed66889d6455a1d7f36e939977fa099e2d7ca7 CVE-2017-13060 (In ImageMagick 7.0.6-5, a memory leak vulnerability was found in the f ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/644 CVE-2017-13059 (In ImageMagick 7.0.6-6, a memory leak vulnerability was found in the f ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/667 CVE-2017-13058 (In ImageMagick 7.0.6-6, a memory leak vulnerability was found in the f ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/666 CVE-2017-13057 RESERVED CVE-2017-13056 (The launchURL function in PDF-XChange Viewer 2.5 (Build 314.0) might a ...) NOT-FOR-US: PDF-XChange Viewer CVE-2017-13055 (The ISO IS-IS parser in tcpdump before 4.9.2 has a buffer over-read in ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13054 (The LLDP parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13053 (The BGP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13052 (The CFM parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13051 (The RSVP parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13050 (The RPKI-Router parser in tcpdump before 4.9.2 has a buffer over-read ...) 
{DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13049 (The Rx protocol parser in tcpdump before 4.9.2 has a buffer over-read ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13048 (The RSVP parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13047 (The ISO ES-IS parser in tcpdump before 4.9.2 has a buffer over-read in ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13046 (The BGP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13045 (The VQP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13044 (The HNCP parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13043 (The BGP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13042 (The HNCP parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13041 (The ICMPv6 parser in tcpdump before 4.9.2 has a buffer over-read in pr ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13040 (The MPTCP parser in tcpdump before 4.9.2 has a buffer over-read in pri ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13039 (The ISAKMP parser in tcpdump before 4.9.2 has a buffer over-read in pr ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13038 (The PPP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13037 (The IP parser in tcpdump before 4.9.2 has a buffer over-read in print- ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13036 (The OSPFv3 parser in tcpdump before 4.9.2 has a buffer over-read in pr ...) 
{DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13035 (The ISO IS-IS parser in tcpdump before 4.9.2 has a buffer over-read in ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13034 (The PGM parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13033 (The VTP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13032 (The RADIUS parser in tcpdump before 4.9.2 has a buffer over-read in pr ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13031 (The IPv6 fragmentation header parser in tcpdump before 4.9.2 has a buf ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13030 (The PIM parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13029 (The PPP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13028 (The BOOTP parser in tcpdump before 4.9.2 has a buffer over-read in pri ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13027 (The LLDP parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13026 (The ISO IS-IS parser in tcpdump before 4.9.2 has a buffer over-read in ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13025 (The IPv6 mobility parser in tcpdump before 4.9.2 has a buffer over-rea ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13024 (The IPv6 mobility parser in tcpdump before 4.9.2 has a buffer over-rea ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13023 (The IPv6 mobility parser in tcpdump before 4.9.2 has a buffer over-rea ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13022 (The IP parser in tcpdump before 4.9.2 has a buffer over-read in print- ...) 
{DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13021 (The ICMPv6 parser in tcpdump before 4.9.2 has a buffer over-read in pr ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13020 (The VTP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13019 (The PGM parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13018 (The PGM parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13017 (The DHCPv6 parser in tcpdump before 4.9.2 has a buffer over-read in pr ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13016 (The ISO ES-IS parser in tcpdump before 4.9.2 has a buffer over-read in ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13015 (The EAP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13014 (The White Board protocol parser in tcpdump before 4.9.2 has a buffer o ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13013 (The ARP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13012 (The ICMP parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13011 (Several protocol parsers in tcpdump before 4.9.2 could cause a buffer ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13010 (The BEEP parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13009 (The IPv6 mobility parser in tcpdump before 4.9.2 has a buffer over-rea ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13008 (The IEEE 802.11 parser in tcpdump before 4.9.2 has a buffer over-read ...) 
{DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13007 (The Apple PKTAP parser in tcpdump before 4.9.2 has a buffer over-read ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13006 (The L2TP parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13005 (The NFS parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13004 (The Juniper protocols parser in tcpdump before 4.9.2 has a buffer over ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13003 (The LMP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13002 (The AODV parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13001 (The NFS parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-13000 (The IEEE 802.15.4 parser in tcpdump before 4.9.2 has a buffer over-rea ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12999 (The IS-IS parser in tcpdump before 4.9.2 has a buffer over-read in pri ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12998 (The IS-IS parser in tcpdump before 4.9.2 has a buffer over-read in pri ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12997 (The LLDP parser in tcpdump before 4.9.2 could enter an infinite loop d ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12996 (The PIMv2 parser in tcpdump before 4.9.2 has a buffer over-read in pri ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12995 (The DNS parser in tcpdump before 4.9.2 could enter an infinite loop du ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12994 (The BGP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) 
{DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12993 (The Juniper protocols parser in tcpdump before 4.9.2 has a buffer over ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12992 (The RIPng parser in tcpdump before 4.9.2 has a buffer over-read in pri ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12991 (The BGP parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12990 (The ISAKMP parser in tcpdump before 4.9.2 could enter an infinite loop ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12989 (The RESP parser in tcpdump before 4.9.2 could enter an infinite loop d ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12988 (The telnet parser in tcpdump before 4.9.2 has a buffer over-read in pr ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12987 (The IEEE 802.11 parser in tcpdump before 4.9.2 has a buffer over-read ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12986 (The IPv6 routing header parser in tcpdump before 4.9.2 has a buffer ov ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12985 (The IPv6 parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12984 (PHPMyWind 5.3 has XSS in shoppingcart.php, related to message.php, adm ...) NOT-FOR-US: PHPMyWind CVE-2017-12983 (Heap-based buffer overflow in the ReadSFWImage function in coders/sfw. ...) {DSA-4040-1 DSA-4032-1 DLA-1081-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #873134) NOTE: https://github.com/ImageMagick/ImageMagick/issues/682 NOTE: https://github.com/ImageMagick/ImageMagick/commit/d4145e664aea3752ca6d3bf1ee825352b595dab5 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/26078285f49c361ad8ddc8e14bd1d4aab7ed5682 CVE-2017-12981 (NexusPHP 1.5.beta5.20120707 has SQL Injection in forummanage.php via t ...) 
NOT-FOR-US: NexusPHP CVE-2017-12980 (DokuWiki through 2017-02-19c has stored XSS when rendering a malicious ...) - dokuwiki 0.0.20180422.a-1 (bug #872941) [jessie] - dokuwiki (Minor issue) [wheezy] - dokuwiki (Minor issue) NOTE: https://github.com/splitbrain/dokuwiki/issues/2081 NOTE: https://github.com/splitbrain/dokuwiki/commit/f883db117a4fdeae72071db41b3ef5932d6335da CVE-2017-12979 (DokuWiki through 2017-02-19c has stored XSS when rendering a malicious ...) - dokuwiki 0.0.20180422.a-1 (bug #872940) [jessie] - dokuwiki (Minor issue) [wheezy] - dokuwiki (Minor issue) NOTE: https://github.com/splitbrain/dokuwiki/issues/2080 NOTE: https://github.com/splitbrain/dokuwiki/commit/56bd9509ab2037512829392fda6427af7f390724 CVE-2017-12978 (lib/html.php in Cacti before 1.1.18 has XSS via the title field of an ...) - cacti 1.1.18+ds1-1 [stretch] - cacti (Vulnerable code, external link support, introduced later) [jessie] - cacti (Vulnerable code, external link support, introduced later) [wheezy] - cacti (Vulnerable code, external link support, introduced later) NOTE: https://github.com/Cacti/cacti/commit/9c610a7a4e29595dcaf7d7082134e4b89619ea24 NOTE: https://github.com/Cacti/cacti/issues/918 CVE-2017-12977 (The Web-Dorado "Photo Gallery by WD - Responsive Photo Gallery" plugin ...) NOT-FOR-US: Web-Dorado plugin for Wordpress CVE-2017-1000216 REJECTED CVE-2017-1000205 REJECTED CVE-2017-1000202 REJECTED CVE-2017-1000184 REJECTED CVE-2017-1000183 REJECTED CVE-2017-1000181 REJECTED CVE-2017-1000180 REJECTED CVE-2017-1000179 REJECTED CVE-2017-1000178 REJECTED CVE-2017-1000177 REJECTED CVE-2017-1000175 REJECTED CVE-2017-1000167 REJECTED CVE-2017-1000166 REJECTED CVE-2017-1000165 REJECTED CVE-2017-1000162 REJECTED CVE-2017-1000124 REJECTED CVE-2017-1000123 REJECTED CVE-2017-12982 (The bmp_read_info_header function in bin/jp2/convertbmp.c in OpenJPEG ...) 
- openjpeg2 2.3.0-1 (unimportant) NOTE: https://github.com/uclouvain/openjpeg/issues/983 NOTE: https://github.com/uclouvain/openjpeg/commit/baf0c1ad4572daa89caa3b12985bdd93530f0dd7 CVE-2017-12975 RESERVED CVE-2017-12974 (Nimbus JOSE+JWT before 4.36 proceeds with ECKey construction without e ...) NOT-FOR-US: Nimbus JOSE + JWT CVE-2017-12973 (Nimbus JOSE+JWT before 4.39 proceeds improperly after detection of an ...) NOT-FOR-US: Nimbus JOSE + JWT CVE-2017-12972 (In Nimbus JOSE+JWT before 4.39, there is no integer-overflow check whe ...) NOT-FOR-US: Nimbus JOSE + JWT CVE-2017-12976 (git-annex before 6.20170818 allows remote attackers to execute arbitra ...) {DSA-4010-1 DLA-1495-1 DLA-1144-1} - git-annex 6.20170818-1 (bug #873088) NOTE: http://source.git-annex.branchable.com/?p=source.git;a=commit;h=df11e54788b254efebb4898b474de11ae8d3b471 NOTE: http://source.git-annex.branchable.com/?p=source.git;a=commit;h=c24d0f0e8984576654e2be149005bc884fe0403a NOTE: http://source.git-annex.branchable.com/?p=source.git;a=blob;f=doc/bugs/dashed_ssh_hostname_security_hole.mdwn NOTE: jessie patch: https://gitlab.com/anarcat/git-annex/commit/58daf6cbe4c1ea1cf71f3a538a0e27b5075c7265 NOTE: stretch patch: https://gitlab.com/anarcat/git-annex/commit/115585df48dce16aa702663dab220de625b9de7d NOTE: This is similar class of issue as for CVE-2017-1000117/git CVE-2017-12971 (Cross-site scripting (XSS) vulnerability in Apache2Triad 1.5.4 allows ...) NOT-FOR-US: Apache2Triad CVE-2017-12970 (Cross-site request forgery (CSRF) vulnerability in Apache2Triad 1.5.4 ...) NOT-FOR-US: Apache2Triad CVE-2017-12969 (Buffer overflow in the ViewerCtrlLib.ViewerCtrl ActiveX control in Ava ...) NOT-FOR-US: Avaya IP Office Contact Center CVE-2017-12968 RESERVED CVE-2017-12967 (The getsym function in tekhex.c in the Binary File Descriptor (BFD) li ...) 
- binutils 2.29-5 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21962 CVE-2017-12966 (The asn1f_lookup_symbol_impl function in asn1fix_retrieve.c in libasn1 ...) - asn1c (unimportant) CVE-2017-12965 (Session fixation vulnerability in Apache2Triad 1.5.4 allows remote att ...) NOT-FOR-US: Apache2Triad CVE-2017-12964 (There is a stack consumption issue in LibSass 3.4.5 that is triggered ...) NOTE: Bogus report against historic libsass version CVE-2017-12963 (There is an illegal address access in Sass::Eval::operator() in eval.c ...) NOTE: Bogus report against historic libsass version CVE-2017-12962 (There are memory leaks in LibSass 3.4.5 triggered by deeply nested cod ...) NOTE: Bogus report against historic libsass version CVE-2017-12961 (There is an assertion abort in the function parse_attributes() in data ...) - pspp 1.0.1-1 (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482436 NOTE: Crash in CLI tool, no security impact CVE-2017-12960 (There is a reachable assertion abort in the function dict_rename_var() ...) - pspp 1.0.1-1 (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482433 NOTE: Crash in CLI tool, no security impact CVE-2017-12959 (There is a reachable assertion abort in the function dict_add_mrset() ...) - pspp 1.0.1-1 (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482432 NOTE: Crash in CLI tool, no security impact CVE-2017-12958 (There is an illegal address access in the function output_hex() in dat ...) - pspp 1.0.1-1 (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482429 NOTE: Crash in CLI tool, no security impact CVE-2017-12957 (There is a heap-based buffer over-read in libexiv2 in Exiv2 0.26 that ...) 
- exiv2 (Incorrect memory allocation introduced in 0.26) NOTE: https://github.com/Exiv2/exiv2/issues/60 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482423 NOTE: Experimental is affected, tracking as #876242 CVE-2017-12956 (There is an illegal address access in Exiv2::FileIo::path[abi:cxx11]() ...) - exiv2 (Vulnerable code introduced after 0.25; only affected experimental; bug #888872) NOTE: https://github.com/Exiv2/exiv2/issues/59 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482296 CVE-2017-12955 (There is a heap-based buffer overflow in basicio.cpp of Exiv2 0.26. Th ...) - exiv2 (Vulnerable code introduced after 0.25; only affected experimental; bug #888873) NOTE: https://github.com/Exiv2/exiv2/issues/58 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482295 CVE-2017-12954 (The gig::Region::GetSampleFromWavePool function in gig.cpp in libgig 4 ...) - libgig 4.0.0-5 (low; bug #877652) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) [wheezy] - libgig (Minor issue) NOTE: http://seclists.org/fulldisclosure/2017/Aug/39 (provides reproducer files) NOTE: http://svn.linuxsampler.org/cgi-bin/viewvc.cgi?view=revision&revision=3350 CVE-2017-12953 (The gig::Instrument::UpdateRegionKeyTable function in gig.cpp in libgi ...) - libgig 4.0.0-4 (low; bug #873718) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) [wheezy] - libgig (Minor issue) NOTE: http://seclists.org/fulldisclosure/2017/Aug/39 (provides reproducer files) NOTE: http://svn.linuxsampler.org/cgi-bin/viewvc.cgi?view=revision&revision=3348 CVE-2017-12952 (The LoadString function in helper.h in libgig 4.0.0 allows remote atta ...) 
- libgig 4.0.0-4 (low; bug #873718) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) [wheezy] - libgig (Minor issue) NOTE: http://seclists.org/fulldisclosure/2017/Aug/39 (provides repoducer files) NOTE: http://svn.linuxsampler.org/cgi-bin/viewvc.cgi?view=revision&revision=3348 CVE-2017-12951 (The gig::DimensionRegion::CreateVelocityTable function in gig.cpp in l ...) - libgig 4.0.0-5 (low; bug #877651) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) [wheezy] - libgig (Minor issue) NOTE: http://seclists.org/fulldisclosure/2017/Aug/39 (provides repoducer files) NOTE: http://svn.linuxsampler.org/cgi-bin/viewvc.cgi?view=revision&revision=3349 CVE-2017-12950 (The gig::Region::Region function in gig.cpp in libgig 4.0.0 allows rem ...) - libgig 4.0.0-4 (low; bug #873718) [stretch] - libgig (Minor issue) [jessie] - libgig (Minor issue) [wheezy] - libgig (Minor issue) NOTE: http://seclists.org/fulldisclosure/2017/Aug/39 (provides repoducer files) NOTE: http://svn.linuxsampler.org/cgi-bin/viewvc.cgi?view=revision&revision=3348 CVE-2017-12949 (lib\modules\contributors\contributor_list_table.php in the Podlove Pod ...) NOT-FOR-US: Podlove Podcast Publisher plugin for Wordpress CVE-2017-12948 (Core\Admin\PFTemplater.php in the PressForward plugin 4.3.0 and earlie ...) NOT-FOR-US: PressForward plugin for Wordpress CVE-2017-12947 (classes\controller\admin\modals.php in the Easy Modal plugin before 2. ...) NOT-FOR-US: Easy Modal plugin for WordPress CVE-2017-12946 (classes\controller\admin\modals.php in the Easy Modal plugin before 2. ...) NOT-FOR-US: Easy Modal plugin for WordPress CVE-2017-12945 (Insufficient validation of user-supplied input for the Solstice Pod be ...) NOT-FOR-US: Solstice Pod CVE-2017-12944 (The TIFFReadDirEntryArray function in tif_read.c in LibTIFF 4.0.8 mish ...) 
{DSA-4100-1 DLA-1093-1} - tiff 4.0.8-6 (bug #872607) - tiff3 [wheezy] - tiff3 (Vulnerable code not present) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2725 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/dc02f9050311a90b3c0655147cee09bfa7081cfc CVE-2017-12943 (D-Link DIR-600 Rev Bx devices with v2.x firmware allow remote attacker ...) NOT-FOR-US: D-Link DIR-600 Rev Bx devices CVE-2017-12939 (A Remote Code Execution vulnerability was identified in all Windows ve ...) NOT-FOR-US: Unity Editor CVE-2017-12942 (libunrar.a in UnRAR before 5.5.7 has a buffer overflow in the Unpack:: ...) - unrar-nonfree 1:5.5.8-1 [stretch] - unrar-nonfree (Non-free not supported) [jessie] - unrar-nonfree (Non-free not supported) [wheezy] - unrar-nonfree (Non-free not supported) NOTE: https://www.openwall.com/lists/oss-security/2017/08/18/6 CVE-2017-12941 (libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the Unpa ...) - unrar-nonfree 1:5.5.8-1 [stretch] - unrar-nonfree (Non-free not supported) [jessie] - unrar-nonfree (Non-free not supported) [wheezy] - unrar-nonfree (Non-free not supported) NOTE: https://www.openwall.com/lists/oss-security/2017/08/18/6 CVE-2017-12940 (libunrar.a in UnRAR before 5.5.7 has an out-of-bounds read in the Enco ...) - unrar-nonfree 1:5.5.8-1 [stretch] - unrar-nonfree (Non-free not supported) [jessie] - unrar-nonfree (Non-free not supported) [wheezy] - unrar-nonfree (Non-free not supported) NOTE: https://www.openwall.com/lists/oss-security/2017/08/18/6 CVE-2017-12938 (UnRAR before 5.5.7 allows remote attackers to bypass a directory-trave ...) - unrar-nonfree 1:5.5.8-1 [stretch] - unrar-nonfree (Non-free not supported) [jessie] - unrar-nonfree (Non-free not supported) [wheezy] - unrar-nonfree (Non-free not supported) NOTE: https://www.openwall.com/lists/oss-security/2017/08/18/2 CVE-2017-12937 (The ReadSUNImage function in coders/sun.c in GraphicsMagick 1.3.26 has ...) 
{DSA-4321-1 DLA-1401-1 DLA-1082-1} - graphicsmagick 1.3.26-6 (bug #872574) NOTE: https://www.openwall.com/lists/oss-security/2017/08/18/5 NOTE: Fixed by: http://hg.code.sf.net/p/graphicsmagick/code/rev/95d00d55e978 CVE-2017-12936 (The ReadWMFImage function in coders/wmf.c in GraphicsMagick 1.3.26 has ...) {DSA-4321-1 DLA-1456-1 DLA-1082-1} - graphicsmagick 1.3.26-6 (bug #872575) NOTE: https://www.openwall.com/lists/oss-security/2017/08/18/3 NOTE: Fixed by: http://hg.code.sf.net/p/graphicsmagick/code/rev/be898b7c97bd CVE-2017-12935 (The ReadMNGImage function in coders/png.c in GraphicsMagick 1.3.26 mis ...) {DSA-4321-1 DLA-1456-1 DLA-1082-1} - graphicsmagick 1.3.26-6 (bug #872576) NOTE: https://www.openwall.com/lists/oss-security/2017/08/18/4 NOTE: Fixed by: http://hg.code.sf.net/p/graphicsmagick/code/rev/cd699a44f188 CVE-2017-12934 (ext/standard/var_unserializer.re in PHP 7.0.x before 7.0.21 and 7.1.x ...) {DSA-4080-1} - php7.1 7.1.8-1 - php7.0 7.0.22-1 NOTE: Fixed in 7.1.7, 7.0.21 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74101 CVE-2017-12933 (The finish_nested_data function in ext/standard/var_unserializer.re in ...) {DSA-4081-1 DSA-4080-1 DLA-1076-1} - php7.1 7.1.8-1 - php7.0 7.0.22-1 - php5 NOTE: Fixed in 7.1.7, 7.0.21, 5.6.31 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74111 CVE-2017-12932 (ext/standard/var_unserializer.re in PHP 7.0.x through 7.0.22 and 7.1.x ...) {DSA-4080-1} - php7.1 7.1.8-1 - php7.0 7.0.22-1 NOTE: Fixed in 7.1.8, 7.0.22 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74103 NOTE: https://github.com/php/php-src/commit/1a23ebc1fff59bf480ca92963b36eba5c1b904c4 CVE-2017-12931 RESERVED CVE-2017-12930 (SQL Injection in the admin interface in TecnoVISION DLX Spot Player4 v ...) NOT-FOR-US: TecnoVISION DLX Spot Player4 CVE-2017-12929 (Arbitrary File Upload in resource.php of TecnoVISION DLX Spot Player4 ...) NOT-FOR-US: TecnoVISION DLX Spot Player4 CVE-2017-12928 (A hard-coded password of tecn0visi0n for the dlxuser account in TecnoV ...) 
NOT-FOR-US: TecnoVISION DLX Spot Player4 CVE-2017-12926 RESERVED CVE-2017-12918 RESERVED CVE-2017-12917 RESERVED CVE-2017-12916 RESERVED CVE-2017-12915 RESERVED CVE-2017-12914 RESERVED CVE-2017-12913 RESERVED CVE-2017-12912 (The "mpglibDBL/layer3.c" file in MP3Gain 1.5.2.r2 has a vulnerability ...) - mp3gain 1.6.2-1 [wheezy] - mp3gain NOTE: https://drive.google.com/open?id=0B9DojFnTUSNGeS1hZlJkeGVkYlU CVE-2017-12911 (The "apetag.c" file in MP3Gain 1.5.2.r2 has a vulnerability which resu ...) - mp3gain 1.6.2-1 [wheezy] - mp3gain NOTE: https://drive.google.com/open?id=0B9DojFnTUSNGeS1hZlJkeGVkYlU CVE-2017-12910 (SQL injection vulnerability in massmail.php in NexusPHP 1.5 allows rem ...) NOT-FOR-US: NexusPHP CVE-2017-12909 (SQL injection vulnerability in modtask.php in NexusPHP 1.5 allows remo ...) NOT-FOR-US: NexusPHP CVE-2017-12908 (SQL injection vulnerability in takeconfirm.php in NexusPHP 1.5 allows ...) NOT-FOR-US: NexusPHP CVE-2017-12907 (Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via the url ...) NOT-FOR-US: NexusPHP CVE-2017-12906 (Multiple cross-site scripting (XSS) vulnerabilities in NexusPHP allow ...) NOT-FOR-US: NexusPHP CVE-2017-12905 (Server Side Request Forgery vulnerability in Vebto Pixie Image Editor ...) NOT-FOR-US: Vebto Pixie Image Editor CVE-2017-12904 (Improper Neutralization of Special Elements used in an OS Command in b ...) {DSA-3947-1 DLA-1061-1} - newsbeuter 2.9-6 NOTE: https://github.com/akrennmair/newsbeuter/issues/591 NOTE: https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307 CVE-2017-12903 RESERVED CVE-2017-12902 (The Zephyr parser in tcpdump before 4.9.2 has a buffer over-read in pr ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12901 (The EIGRP parser in tcpdump before 4.9.2 has a buffer over-read in pri ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12900 (Several protocol parsers in tcpdump before 4.9.2 could cause a buffer ...) 
{DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12899 (The DECnet parser in tcpdump before 4.9.2 has a buffer over-read in pr ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12898 (The NFS parser in tcpdump before 4.9.2 has a buffer over-read in print ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12897 (The ISO CLNS parser in tcpdump before 4.9.2 has a buffer over-read in ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12896 (The ISAKMP parser in tcpdump before 4.9.2 has a buffer over-read in pr ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12895 (The ICMP parser in tcpdump before 4.9.2 has a buffer over-read in prin ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12894 (Several protocol parsers in tcpdump before 4.9.2 could cause a buffer ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12893 (The SMB/CIFS parser in tcpdump before 4.9.2 has a buffer over-read in ...) {DSA-3971-1 DLA-1097-1} - tcpdump 4.9.2-1 CVE-2017-12925 (Double free vulnerability in DfFromLB in docfile.cxx in libfpx 1.3.1_p ...) NOT-FOR-US: libfpx CVE-2017-12924 (CDirVector::GetTable in dirfunc.hxx in libfpx 1.3.1_p6 allows remote a ...) NOT-FOR-US: libfpx CVE-2017-12923 (OLEStream::WriteVT_LPSTR in olestrm.cpp in libfpx 1.3.1_p6 allows remo ...) NOT-FOR-US: libfpx CVE-2017-12922 (wchar.c in libfpx 1.3.1_p6 allows remote attackers to cause a denial o ...) NOT-FOR-US: libfpx CVE-2017-12921 (PFileFlashPixView::GetGlobalInfoProperty in f_fpxvw.cpp in libfpx 1.3. ...) NOT-FOR-US: libfpx CVE-2017-12920 (CDirectory::GetDirEntry in dir.cxx in libfpx 1.3.1_p6 allows remote at ...) NOT-FOR-US: libfpx CVE-2017-12919 (Heap-based buffer overflow in OLEStream::WriteVT_LPSTR in olestrm.cpp ...) NOT-FOR-US: libfpx CVE-2017-12927 (A cross-site scripting vulnerability exists in Cacti 1.1.17 in the met ...) 
- cacti 1.1.17+ds1-2 (bug #872478) [stretch] - cacti (Vulnerable code introduced later) [jessie] - cacti (Vulnerable code introduced later) [wheezy] - cacti (Vulnerable code introduced later) NOTE: https://github.com/Cacti/cacti/issues/907 NOTE: https://github.com/Cacti/cacti/commit/a032ce0be6a4ea47862c594e40a619ac8de1ef99 CVE-2017-1000108 (The Pipeline: Input Step Plugin by default allowed users with Item/Rea ...) NOT-FOR-US: Jenkins Input Step Plugin CVE-2017-1000107 (Script Security Plugin did not apply sandboxing restrictions to constr ...) NOT-FOR-US: Jenkins Script Security Plugin CVE-2017-12892 (Foxit PDF Compressor installers from versions from 7.0.0.183 to 7.7.2. ...) NOT-FOR-US: Foxit PDF Compressor CVE-2017-12891 RESERVED CVE-2017-12890 RESERVED CVE-2017-12889 RESERVED CVE-2017-12888 RESERVED CVE-2017-12887 RESERVED CVE-2017-12886 RESERVED CVE-2017-12885 (OX Software GmbH App Suite 7.8.4 and earlier is affected by: Cross Sit ...) NOT-FOR-US: OX Software GmbH App Suite CVE-2017-12884 (OX Software GmbH App Suite 7.8.4 and earlier is affected by: Informati ...) NOT-FOR-US: OX Software GmbH App Suite CVE-2017-12883 (Buffer overflow in the S_grok_bslash_N function in regcomp.c in Perl 5 ...) {DSA-3982-1} - perl 5.26.0-8 (bug #875597) [wheezy] - perl (Vulnerable code introduced later) NOTE: https://rt.perl.org/Public/Bug/Display.html?id=131598 (not yet public) NOTE: https://perl5.git.perl.org/perl.git/commitdiff/2be4edede4ae226e2eebd4eff28cedd2041f300f NOTE: maint-5.26: https://perl5.git.perl.org/perl.git/commitdiff/2692dda97731c37082a0075eff50d741901c665f NOTE: maint-5.24: https://perl5.git.perl.org/perl.git/commitdiff/40b3cdad3649334585cee8f4630ec9a025e62be6 CVE-2017-12882 (Stored Cross-site scripting (XSS) vulnerability in Spring Batch Admin ...) NOT-FOR-US: Spring Batch Admin CVE-2017-12881 (Cross-site request forgery (CSRF) vulnerability in the Spring Batch Ad ...) 
NOT-FOR-US: Spring Batch Admin CVE-2017-12880 REJECTED CVE-2017-12879 (Cross-site scripting (XSS-STORED) vulnerability in the DEVICES OR SENS ...) NOT-FOR-US: Paessler PRTG Network Monitor CVE-2017-12878 RESERVED CVE-2017-12877 (Use-after-free vulnerability in the DestroyImage function in image.c i ...) {DSA-4074-1 DSA-4040-1 DLA-1081-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #872373) NOTE: https://github.com/ImageMagick/ImageMagick/issues/662 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/98dda239ec398dd56453460849b4c9057fc424e5 NOTE: ImageMagick-7: https://github.com/ImageMagick/ImageMagick/commit/04178de2247e353fc095846784b9a10fefdbf890 NOTE: This doesn't affect the base releases, but got introduced via security fixes, which got backported to older suites CVE-2017-12876 (Heap-based buffer overflow in enhance.c in ImageMagick before 7.0.6-6 ...) - imagemagick (Specific to Imagemagick 7, 6.x uses fixed pixel cache morphology) NOTE: https://github.com/ImageMagick/ImageMagick/issues/663 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1cc6f0ccc92c20c7cab6c4a7335daf29c91f0d8e CVE-2017-12875 (The WritePixelCachePixels function in ImageMagick 7.0.6-6 allows remot ...) {DLA-2366-1 DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #873871) NOTE: https://github.com/ImageMagick/ImageMagick/issues/659 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/6f95e543c80319721e22d623bb23712cd29afa9e NOTE: https://github.com/ImageMagick/ImageMagick/commit/d96b55ea41e71de43663818ccd17c6af3fa6c4fd CVE-2017-12866 RESERVED CVE-2017-12865 (Stack-based buffer overflow in "dnsproxy.c" in connman 1.34 and earlie ...) {DSA-3956-1 DLA-1078-1} - connman 1.35-1 (bug #872844) NOTE: https://git.kernel.org/pub/scm/network/connman/connman.git/commit/?id=5c281d182ecdd0a424b64f7698f32467f8f67b71 (1.35) CVE-2017-12864 (In opencv/modules/imgcodecs/src/grfmt_pxm.cpp, function ReadNumber did ...) 
{DLA-1438-1 DLA-1117-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #875345) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9372 CVE-2017-12863 (In opencv/modules/imgcodecs/src/grfmt_pxm.cpp, function PxMDecoder::re ...) {DLA-1438-1 DLA-1117-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #875344) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9371 CVE-2017-12862 (In modules/imgcodecs/src/grfmt_pxm.cpp, the length of buffer AutoBuffe ...) {DLA-1438-1 DLA-1117-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #875342) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9370 CVE-2017-12861 (The Epson "EasyMP" software is designed to remotely stream a users com ...) NOT-FOR-US: Epson "EasyMP" CVE-2017-12860 (The Epson "EasyMP" software is designed to remotely stream a users com ...) NOT-FOR-US: Epson "EasyMP" CVE-2017-12859 (NetApp Data ONTAP before 8.2.5, when operating in 7-Mode in NFS enviro ...) NOT-FOR-US: NetApp CVE-2017-12858 (Double free vulnerability in the _zip_dirent_read function in zip_dire ...) - libzip (Vulnerable code introduced later) NOTE: Introduced after: https://github.com/nih-at/libzip/commit/796c5968ad679220db3fb65ec6f48c66e554e5d5 (rel-1-2-0) NOTE: Fixed by: https://github.com/nih-at/libzip/commit/2217022b7d1142738656d891e00b3d2d9179b796 (rel-1-3-0) CVE-2017-12857 (Polycom SoundStation IP, VVX, and RealPresence Trio that are running s ...) NOT-FOR-US: Polycom CVE-2017-12856 (Cross-site scripting (XSS) vulnerability in C.P.Sub 5.2 allows remote ...) NOT-FOR-US: C.P.Sub CVE-2017-12854 RESERVED CVE-2017-12874 (The InfoCard module 1.0 for SimpleSAMLphp allows attackers to spoof XM ...) {DSA-4127-1 DLA-1205-1} - simplesamlphp 1.14.11-1 NOTE: Issue lies in simplesamlphp/simplesamlphp-module-infocard and fixed NOTE: in 1.0.1. 
The module is embedded in src:simplesamlphp NOTE: https://simplesamlphp.org/security/201612-03 NOTE: Patch: https://github.com/simplesamlphp/simplesamlphp-module-infocard/commit/7353762acacd827a61378629f87de991451089da CVE-2017-12873 (SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain se ...) {DSA-4127-1 DLA-1205-1} - simplesamlphp 1.14.11-1 NOTE: https://simplesamlphp.org/security/201612-04 NOTE: Patches: https://github.com/simplesamlphp/simplesamlphp/commit/90dca835158495b173808273e7df127303b8b953aa NOTE: https://github.com/simplesamlphp/simplesamlphp/commit/e2daf4ceb6e580815c3741384b3a09b85a5fc231 NOTE: https://github.com/simplesamlphp/simplesamlphp/commit/300d8aa48fe93706ade95be481c68e9cf2f32d1f CVE-2017-12872 (The (1) Htpasswd authentication source in the authcrypt module and (2) ...) {DLA-1408-1 DLA-1205-1} - simplesamlphp 1.14.15-1 [stretch] - simplesamlphp (Minor issue) NOTE: https://simplesamlphp.org/security/201703-01 NOTE: Patches: https://github.com/simplesamlphp/simplesamlphp/commit/ab7761d4a523a4ed00479fb1ddba688e7ca72439 NOTE: https://github.com/simplesamlphp/simplesamlphp/commit/caf764cc2c9b68ac29741070ebdf133a595443f1 CVE-2017-12871 (The aesEncrypt method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAML ...) - simplesamlphp 1.14.15-1 [stretch] - simplesamlphp (Minor issue mitigated by HTTPS usage, hard to backport) [jessie] - simplesamlphp (Vulnerable code not present) [wheezy] - simplesamlphp (Vulnerable code not present) NOTE: https://simplesamlphp.org/security/201703-02 CVE-2017-12870 (SimpleSAMLphp 1.14.12 and earlier make it easier for man-in-the-middle ...) 
- simplesamlphp 1.14.15-1 [stretch] - simplesamlphp (Minor issue mitigated by HTTPS usage, hard to backport) [jessie] - simplesamlphp (Minor issue mitigated by HTTPS usage, hard to backport) [wheezy] - simplesamlphp (Minor issue mitigated by HTTPS usage, hard to backport) NOTE: https://simplesamlphp.org/security/201704-01 CVE-2017-12869 (The multiauth module in SimpleSAMLphp 1.14.13 and earlier allows remot ...) {DSA-4127-1 DLA-1205-1} - simplesamlphp 1.14.15-1 NOTE: https://simplesamlphp.org/security/201704-02 NOTE: Patch: https://github.com/simplesamlphp/simplesamlphp/commit/f1e485284dd428ab3cd9500c62e19c7c7234be9a CVE-2017-12868 (The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleS ...) {DLA-1408-1 DLA-1205-1} - simplesamlphp 1.14.15-1 [stretch] - simplesamlphp (Only affects setups with old PHP versions not found in stable) NOTE: https://simplesamlphp.org/security/201705-01 NOTE: Patch: https://github.com/simplesamlphp/simplesamlphp/commit/caf764cc2c9b68ac29741070ebdf133a595443f1 CVE-2017-12867 (The SimpleSAML_Auth_TimeLimitedToken class in SimpleSAMLphp 1.14.14 an ...) {DSA-4127-1 DLA-1205-1} - simplesamlphp 1.14.15-1 NOTE: https://simplesamlphp.org/security/201708-01 NOTE: Patch: https://github.com/simplesamlphp/simplesamlphp/commit/608f24c2d5afd70c2af050785d2b12f878b33c68 CVE-2017-12855 (Xen maintains the _GTF_{read,writ}ing bits as appropriate, to inform t ...) {DSA-3969-1 DLA-1132-1} - xen 4.8.1-1+deb9u3 NOTE: https://xenbits.xen.org/xsa/advisory-230.html CVE-2017-12853 (The RealTime RWR-3G-100 Router Firmware Version : Ver1.0.56 is affecte ...) NOT-FOR-US: RealTime RWR-3G-100 Router Firmware CVE-2017-12852 (The numpy.pad function in Numpy 1.13.1 and older versions is missing i ...) - python-numpy 1:1.14.3-1 (unimportant; bug #872407) NOTE: https://github.com/numpy/numpy/issues/9560#issuecomment-322395292 NOTE: Negligible security impact CVE-2017-12851 (An authenticated standard user could reset the password of the admin b ...) 
- kanboard (bug #790814) CVE-2017-12850 (An authenticated standard user could reset the password of other users ...) - kanboard (bug #790814) NOTE: https://github.com/kanboard/kanboard/commit/88dd6abbf3f519897f2f6280e95c9eec9123a4ae CVE-2017-12849 (Response discrepancy in the login and password reset forms in SilverSt ...) NOT-FOR-US: SilverStripe CMS CVE-2017-12848 RESERVED CVE-2017-12847 (Nagios Core before 4.3.3 creates a nagios.lock PID file after dropping ...) - nagios3 [jessie] - nagios3 (Minor issue) [wheezy] - nagios3 (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/08/16/7 NOTE: https://github.com/NagiosEnterprises/nagioscore/issues/404 NOTE: https://github.com/NagiosEnterprises/nagioscore/commit/1b197346d490df2e2d3b1dcce5ac6134ad0c8752 NOTE: https://github.com/orlitzky/nagioscore/commit/3baffa78bafebbbdf9f448890ba5a952ea2d73cb CVE-2017-12846 RESERVED CVE-2017-12845 RESERVED CVE-2017-12844 (Cross-site scripting (XSS) vulnerability in the admin panel in IceWarp ...) NOT-FOR-US: IceWarp CVE-2017-12843 (Cyrus IMAP before 3.0.3 allows remote authenticated users to write to ...) - cyrus-imapd (Vulnerable code introduced later) - cyrus-imapd-2.4 (Vulnerable code introduced later) NOTE: https://github.com/cyrusimap/cyrus-imapd/commit/d734a23122155f3522a8cb6aef118223aa73cde0 CVE-2017-12842 (Bitcoin Core before 0.14 allows an attacker to create an ostensibly va ...) - bitcoin 0.14.2~dfsg-1~exp2 CVE-2017-12841 RESERVED CVE-2017-12840 (A kernel driver, namely DLMFENC.sys, bundled with the DESLock+ client ...) NOTE: DESLock+ CVE-2017-12839 (A heap-based buffer over-read in the getbits function in src/libmpg123 ...) - mpg123 1.25.6-1 [stretch] - mpg123 (Minor issue) [jessie] - mpg123 (Minor issue) NOTE: https://sourceforge.net/p/mpg123/bugs/255/ NOTE: https://www.mpg123.de/cgi-bin/scm/mpg123/trunk/src/libmpg123/getbits.h?r1=2024&r2=4323&sortby=date CVE-2017-12838 (Cross-site request forgery (CSRF) vulnerability in NexusPHP 1.5 allows ...) 
NOT-FOR-US: NexusPHP CVE-2017-12837 (Heap-based buffer overflow in the S_regatom function in regcomp.c in P ...) {DSA-3982-1} - perl 5.26.0-8 (bug #875596) [wheezy] - perl (Vulnerable code introduced after 5.14.4) NOTE: https://rt.perl.org/Public/Bug/Display.html?id=131582 (not yet public) NOTE: https://perl5.git.perl.org/perl.git/commitdiff/96c83ed78aeea1a0496dd2b2d935869a822dc8a5 NOTE: maint-5.26: https://perl5.git.perl.org/perl.git/commitdiff/66288bb3f44c8aa5122e5f40d8cfc0eada8b1695 NOTE: maint-5.24: https://perl5.git.perl.org/perl.git/commitdiff/f7e5417e7bffba03947b66e4d8622d7c220f2876 CVE-2017-12835 REJECTED CVE-2017-12834 REJECTED CVE-2017-12833 REJECTED CVE-2017-12832 REJECTED CVE-2017-12831 REJECTED CVE-2017-12830 REJECTED CVE-2017-12829 REJECTED CVE-2017-12828 REJECTED CVE-2017-12827 REJECTED CVE-2017-12826 REJECTED CVE-2017-12825 RESERVED CVE-2017-12824 (Special crafted InPage document leads to arbitrary code execution in I ...) NOT-FOR-US: InPage CVE-2017-12823 (Kernel pool memory corruption in one of drivers in Kaspersky Embedded ...) NOT-FOR-US: Kaspersky CVE-2017-12822 (Remote enabling and disabling admin interface in Gemalto's HASP SRM, S ...) NOT-FOR-US: Gemalto CVE-2017-12821 (Memory corruption in Gemalto's HASP SRM, Sentinel HASP and Sentinel LD ...) NOT-FOR-US: Gemalto CVE-2017-12820 (Arbitrary memory read from controlled memory pointer in Gemalto's HASP ...) NOT-FOR-US: Gemalto CVE-2017-12819 (Remote manipulations with language pack updater lead to NTLM-relay att ...) NOT-FOR-US: Gemalto CVE-2017-12818 (Stack overflow in custom XML-parser in Gemalto's HASP SRM, Sentinel HA ...) NOT-FOR-US: Gemalto CVE-2017-12817 (In Kaspersky Internet Security for Android 11.12.4.1622, some of the a ...) NOT-FOR-US: Kaspersky Internet Security for Android CVE-2017-12816 (In Kaspersky Internet Security for Android 11.12.4.1622, some of appli ...) 
NOT-FOR-US: Kaspersky Internet Security for Android CVE-2017-12815 (Analysis of the Bomgar Remote Support Portal JavaStart.jar Applet 5279 ...) NOT-FOR-US: Bomgar Remote Support Portal JavaStart Applet CVE-2017-12814 (Stack-based buffer overflow in the CPerlHost::Add method in win32/perl ...) - perl (Windows specific issue) NOTE: https://rt.perl.org/Public/Bug/Display.html?id=131665 (not yet public) CVE-2017-12813 (PHPJabbers File Sharing Script 1.0 has stored XSS in the comments sect ...) NOT-FOR-US: PHPJabbers File Sharing Script CVE-2017-12812 (PHPJabbers Night Club Booking Software has stored XSS in the name para ...) NOT-FOR-US: PHPJabbers Night Club Booking Software CVE-2017-12811 (PHPJabbers Star Rating Script 4.0 has stored XSS via a rating item. ...) NOT-FOR-US: PHPJabbers Star Rating Script CVE-2017-12810 (PHPJabbers PHP Newsletter Script 4.2 has stored XSS in lists in the ad ...) NOT-FOR-US: PHPJabbers PHP Newsletter Script CVE-2017-12809 (QEMU (aka Quick Emulator), when built with the IDE disk and CD/DVD-ROM ...) {DSA-3991-1} - qemu 1:2.10.0-1 (bug #873849) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-08/msg01850.html CVE-2017-12808 RESERVED CVE-2017-12807 REJECTED CVE-2017-12806 (In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in ...) {DLA-2366-1} - imagemagick 8:6.9.9.34+dfsg-3 [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/660 CVE-2017-12805 (In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in ...) {DLA-2333-1} - imagemagick 8:6.9.9.34+dfsg-3 [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/664 CVE-2017-12804 (The iwgif_init_screen function in imagew-gif.c:510 in ImageWorsener 1. ...) 
NOT-FOR-US: ImageWorsener CVE-2017-12803 (The Node_ValidatePtr function in corec/corec/node/node.c in mkclean 0. ...) NOT-FOR-US: mkclean CVE-2017-12802 (The EBML_IntegerValue function in ebmlnumber.c in libebml2 through 201 ...) NOT-FOR-US: libebml2 (different codebase than src:libebml) CVE-2017-12801 (The UpdateDataSize function in ebmlmaster.c in libebml2 through 2012-0 ...) NOT-FOR-US: libebml2 (different codebase than src:libebml) CVE-2017-12800 (The EBML_FindNextElement function in ebmlmain.c in libebml2 through 20 ...) NOT-FOR-US: libebml2 (different codebase than src:libebml) CVE-2017-12836 (CVS 1.12.x, when configured to use SSH for remote repositories, might ...) {DSA-3940-1 DLA-1056-1} - cvs 2:1.12.13+real-24 (bug #871810) NOTE: https://www.openwall.com/lists/oss-security/2017/08/11/1 CVE-2017-12799 (The elf_read_notes function in bfd/elf.c in GNU Binutils 2.29 allows re ...) - binutils 2.29-9 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21933 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=957e1fc1c5d0262e4b2f764cf031ad1458446498 CVE-2017-12798 (Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via the q p ...) NOT-FOR-US: NexusPHP CVE-2017-12797 (Integer overflow in the INT123_parse_new_id3 function in the ID3 parse ...) - mpg123 1.25.6-1 [stretch] - mpg123 (Minor issue) [jessie] - mpg123 (Minor issue) [wheezy] - mpg123 (Minor issue) NOTE: https://sourceforge.net/p/mpg123/bugs/254/ NOTE: https://sourceforge.net/p/mpg123/mailman/message/35987663/ CVE-2017-12796 (The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distri ...) NOT-FOR-US: OpenMRS addon CVE-2017-12795 (OpenMRS openmrs-module-htmlformentry 3.3.2 is affected by: (Improper I ...) NOT-FOR-US: OpenMRS CVE-2017-12794 (In Django 1.10.x before 1.10.8 and 1.11.x before 1.11.5, HTML autoesca ...) 
- python-django 1:1.11.5-1 (low; bug #874415) [stretch] - python-django 1:1.10.7-2+deb9u2 [jessie] - python-django (Vulnerable code does not exist) [wheezy] - python-django (Vulnerable code does not exist) NOTE: https://www.djangoproject.com/weblog/2017/sep/05/security-releases/ CVE-2017-12793 RESERVED CVE-2017-12792 (Multiple cross-site request forgery (CSRF) vulnerabilities in NexusPHP ...) NOT-FOR-US: NexusPHP CVE-2017-12791 (Directory traversal vulnerability in minion id validation in SaltStack ...) - salt 2016.11.8+dfsg1-1 (bug #872399) [stretch] - salt 2016.11.2+ds-1+deb9u1 [jessie] - salt (Minor issue) NOTE: https://github.com/saltstack/salt/pull/42944 NOTE: https://github.com/saltstack/salt/commit/6366e05d0d70bd709cc4233c3faf32a759d0173a NOTE: https://docs.saltstack.com/en/2016.11/topics/releases/2016.11.7.html CVE-2017-12790 (Metinfo 5.3.18 is affected by: Cross Site Request Forgery (CSRF). The ...) NOT-FOR-US: Metinfo CVE-2017-12789 (Metinfo 5.3.18 is affected by: Cross Site Request Forgery (CSRF). The ...) NOT-FOR-US: Metinfo CVE-2017-12788 (Multiple cross-site scripting (XSS) vulnerabilities in admin/index.php ...) NOT-FOR-US: Metinfo CVE-2017-12787 (A network interface of the novi_process_manager_daemon service, includ ...) NOT-FOR-US: NoviWare CVE-2017-12786 (Network interfaces of the cliengine and noviengine services, included ...) NOT-FOR-US: NoviWare CVE-2017-12785 (The novish command-line interface, included in the NoviWare software d ...) NOT-FOR-US: NoviWare CVE-2017-12784 (In Youngzsoft CCFile (aka CC File Transfer) 3.6, by sending a crafted ...) NOT-FOR-US: Youngzsoft CCFile CVE-2017-12783 (The ReadDataFloat function in ebmlnumber.c in libebml2 through 2012-08 ...) NOT-FOR-US: libebml2 (different codebase than src:libebml) CVE-2017-12782 (The ReadData function in ebmlmaster.c in libebml2 through 2012-08-26 a ...) 
NOT-FOR-US: libebml2 (different codebase than src:libebml) CVE-2017-12781 (The EBML_BufferToID function in ebmlelement.c in libebml2 through 2012 ...) NOT-FOR-US: libebml2 (different codebase than src:libebml) CVE-2017-12780 (The ReadData function in ebmlstring.c in libebml2 through 2012-08-26 a ...) NOT-FOR-US: libebml2 (different codebase than src:libebml) CVE-2017-12779 (The Node_GetData function in corec/corec/node/node.c in mkvalidator 0. ...) NOT-FOR-US: libebml2 (different codebase than src:libebml) CVE-2017-12778 (** DISPUTED ** The UI Lock feature in qBittorrent version 3.3.15 is vu ...) NOT-FOR-US: qBittorrent non issue CVE-2017-1000112 (Linux kernel: Exploitable memory corruption due to UFO to non-UFO path ...) {DSA-3981-1} - linux 4.12.6-1 (low) [wheezy] - linux (Low severity and difficult to backport) NOTE: Introduced by: https://git.kernel.org/linus/e89e9cf539a28df7d0eb1d0a545368e9920b34ac (2.6.15-rc1) NOTE: Fixed by: https://git.kernel.org/linus/85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa CVE-2017-1000111 (Linux kernel: heap out-of-bounds in AF_PACKET sockets. This new issue ...) {DSA-3981-1 DLA-1099-1} - linux 4.12.6-1 NOTE: Introduced by: https://git.kernel.org/linus/8913336a7e8d56e984109a3137d6c0e3362596a4 (2.6.27-rc1) NOTE: Fixed by: https://git.kernel.org/linus/c27927e372f0785f3303e8fad94b85945e2c97b7 NOTE: Non-privileged user namespaces disabled by default, only exploitable by arbitrary user if sysctl kernel.unprivileged_userns_clone=1 CVE-2017-1000117 (A malicious third-party can give a crafted "ssh://..." URL to an unsus ...) {DSA-3934-1 DLA-1068-1} - git 1:2.14.1-1 NOTE: https://public-inbox.org/git/xmqqh8xf482j.fsf@gitster.mtv.corp.google.com/T/#u CVE-2017-1000116 (Mercurial prior to 4.3 did not adequately sanitize hostnames passed to ...) 
{DSA-3963-1 DLA-1072-1} - mercurial 4.3.1-1 (bug #871710) NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.282017-08-10.29 NOTE: 11 patches need to be applied, the following are for 4.2: NOTE: https://www.mercurial-scm.org/repo/hg/rev/53224b1ffbc2 NOTE: https://www.mercurial-scm.org/repo/hg/rev/e10745311406 NOTE: https://www.mercurial-scm.org/repo/hg/rev/f93975a5ebe8 NOTE: https://www.mercurial-scm.org/repo/hg/rev/f9134e96ed0f NOTE: https://www.mercurial-scm.org/repo/hg/rev/92b583e3e522 NOTE: https://www.mercurial-scm.org/repo/hg/rev/08cfc4baf3ba NOTE: https://www.mercurial-scm.org/repo/hg/rev/55681baf4cf9 NOTE: https://www.mercurial-scm.org/repo/hg/rev/173ecccb9ee7 NOTE: https://www.mercurial-scm.org/repo/hg/rev/ca398a50ca00 NOTE: https://www.mercurial-scm.org/repo/hg/rev/00a75672a9cb NOTE: https://www.mercurial-scm.org/repo/hg/rev/943c91326b23 NOTE: 3.7 and 4.1 backports also available at https://bitbucket.org/atlassian/mercurial/commits/branch/sec-3.7 NOTE: and https://bitbucket.org/octobus/mercurial-backport/branch/backport-4.1 CVE-2017-1000115 (Mercurial prior to version 4.3 is vulnerable to a missing symlink chec ...) {DSA-3963-1 DLA-1072-1} - mercurial 4.3.1-1 (bug #871709) NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.282017-08-10.29 NOTE: https://www.mercurial-scm.org/repo/hg/rev/47ea28293d30 (test) NOTE: https://www.mercurial-scm.org/repo/hg/rev/377e8ddaebef (fix) NOTE: 3.7 and 4.1 backports available at https://bitbucket.org/atlassian/mercurial/commits/branch/sec-3.7 NOTE: and https://bitbucket.org/octobus/mercurial-backport/branch/backport-4.1 CVE-2017-12777 (Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via some pa ...) NOT-FOR-US: NexusPHP CVE-2017-12776 (SQL injection vulnerability in reports.php in NexusPHP 1.5 allows remo ...) NOT-FOR-US: NexusPHP CVE-2017-12775 (qa-include/qa-install.php in Question2Answer before 1.7.5 allows remot ...) 
NOT-FOR-US: question2answer CVE-2017-12774 (finecms in 1.9.5\controllers\member\ContentController.php allows remot ...) NOT-FOR-US: FineCMS CVE-2017-12773 RESERVED CVE-2017-12772 RESERVED CVE-2017-12771 RESERVED CVE-2017-12770 RESERVED CVE-2017-12769 RESERVED CVE-2017-12768 RESERVED CVE-2017-12767 RESERVED CVE-2017-12766 RESERVED CVE-2017-12765 RESERVED CVE-2017-12764 RESERVED CVE-2017-12763 (An unspecified server utility in NoMachine before 5.3.10 on Mac OS X a ...) NOT-FOR-US: NoMachine CVE-2017-12762 (In /drivers/isdn/i4l/isdn_net.c: A user-controlled buffer is copied in ...) - linux 4.13.4-1 (unimportant) NOTE: Fixed by: https://git.kernel.org/linus/9f5af546e6acc30f075828cb58c7f09665033967 (v4.13-rc4) NOTE: Driver is disabled since squeeze and unmaintained for a long time CVE-2017-12761 (http://codecanyon.net/user/Endober WebFile Explorer 1.0 is affected by ...) NOT-FOR-US: Endober WebFile Explorer CVE-2017-12760 (Ynet Interactive - http://demo.ynetinteractive.com/mobiketa/ Mobiketa ...) NOT-FOR-US: Ynet Interactive CVE-2017-12759 (Ynet Interactive - http://demo.ynetinteractive.com/soa/ SOA School Man ...) NOT-FOR-US: Ynet Interactive CVE-2017-12758 (https://www.joomlaextensions.co.in/ Joomla! Component Appointment 1.1 ...) NOT-FOR-US: Joomla! Component Appointment CVE-2017-12757 (Certain Ambit Technologies Pvt. Ltd products are affected by: SQL Inje ...) NOT-FOR-US: Ambit CVE-2017-12756 (Command inject in transfer from another server in extplorer 2.1.9 and ...) {DLA-1063-1} - extplorer NOTE: http://extplorer.net/news/21 CVE-2017-12755 RESERVED CVE-2017-12754 (Stack buffer overflow in httpd in Asuswrt-Merlin firmware 380.67_0RT-A ...) 
NOT-FOR-US: Asuswrt-Merlin firmware CVE-2017-12753 RESERVED CVE-2017-12752 RESERVED CVE-2017-12751 RESERVED CVE-2017-12750 RESERVED CVE-2017-12749 RESERVED CVE-2017-12748 RESERVED CVE-2017-12747 RESERVED CVE-2017-12746 RESERVED CVE-2017-12745 RESERVED CVE-2017-12744 RESERVED CVE-2017-12743 RESERVED CVE-2017-12742 RESERVED CVE-2017-12741 (A vulnerability has been identified in Development/Evaluation Kits for ...) NOT-FOR-US: Siemens CVE-2017-12740 (Siemens LOGO! Soft Comfort (All versions before V8.2) lacks integrity ...) NOT-FOR-US: Siemens CVE-2017-12739 (An issue was discovered on Siemens SICAM RTUs SM-2556 COM Modules with ...) NOT-FOR-US: Siemens CVE-2017-12738 (An issue was discovered on Siemens SICAM RTUs SM-2556 COM Modules with ...) NOT-FOR-US: Siemens CVE-2017-12737 (An issue was discovered on Siemens SICAM RTUs SM-2556 COM Modules with ...) NOT-FOR-US: Siemens CVE-2017-12736 (A vulnerability has been identified in RUGGEDCOM ROS for RSL910 device ...) NOT-FOR-US: Siemens CVE-2017-12735 (A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS varian ...) NOT-FOR-US: Siemens CVE-2017-12734 (A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS varian ...) NOT-FOR-US: Siemens CVE-2017-12733 (A Missing Authentication for Critical Function issue was discovered in ...) NOT-FOR-US: SiteSentinel CVE-2017-12732 (A Stack-based Buffer Overflow issue was discovered in GE CIMPLICITY Ve ...) NOT-FOR-US: GE CIMPLICITY CVE-2017-12731 (A SQL Injection issue was discovered in OPW Fuel Management Systems Si ...) NOT-FOR-US: SiteSentinel CVE-2017-12730 (An Unquoted Search Path issue was discovered in mySCADA myPRO Versions ...) NOT-FOR-US: mySCADA myPRO CVE-2017-12729 (A SQL Injection issue was discovered in Moxa SoftCMS Live Viewer throu ...) NOT-FOR-US: Moxa SoftCMS Live Viewer CVE-2017-12728 (An Improper Privilege Management issue was discovered in SpiderControl ...) 
NOT-FOR-US: SpiderControl SCADA Web Server CVE-2017-12727 RESERVED CVE-2017-12726 (A Use of Hard-coded Password issue was discovered in Smiths Medical Me ...) NOT-FOR-US: Smiths Medical Medfusion CVE-2017-12725 (A Use of Hard-coded Credentials issue was discovered in Smiths Medical ...) NOT-FOR-US: Smiths Medical Medfusion CVE-2017-12724 (A Use of Hard-coded Credentials issue was discovered in Smiths Medical ...) NOT-FOR-US: Smiths Medical Medfusion CVE-2017-12723 (A Password in Configuration File issue was discovered in Smiths Medica ...) NOT-FOR-US: Smiths Medical Medfusion CVE-2017-12722 (An Out-of-bounds Read issue was discovered in Smiths Medical Medfusion ...) NOT-FOR-US: Smiths Medical Medfusion CVE-2017-12721 (An Improper Certificate Validation issue was discovered in Smiths Medi ...) NOT-FOR-US: Smiths Medical Medfusion CVE-2017-12720 (An Improper Access Control issue was discovered in Smiths Medical Medf ...) NOT-FOR-US: Smiths Medical Medfusion CVE-2017-12719 (An Untrusted Pointer Dereference issue was discovered in Advantech Web ...) NOT-FOR-US: Advantech CVE-2017-12718 (A Classic Buffer Overflow issue was discovered in Smiths Medical Medfu ...) NOT-FOR-US: Smiths Medical Medfusion CVE-2017-12717 (An Uncontrolled Search Path Element issue was discovered in Advantech ...) NOT-FOR-US: Advantech WebAccess CVE-2017-12716 (Abbott Laboratories Accent and Anthem pacemakers manufactured prior to ...) NOT-FOR-US: Abbott Laboratories Accent and Anthem pacemakers CVE-2017-12715 RESERVED CVE-2017-12714 (Abbott Laboratories pacemakers manufactured prior to Aug 28, 2017 do n ...) NOT-FOR-US: Abbott Laboratories pacemakers CVE-2017-12713 (An Incorrect Permission Assignment for Critical Resource issue was dis ...) NOT-FOR-US: Advantech WebAccess CVE-2017-12712 (The authentication algorithm in Abbott Laboratories pacemakers manufac ...) NOT-FOR-US: Abbott Laboratories pacemakers CVE-2017-12711 (An Incorrect Privilege Assignment issue was discovered in Advantech We ...) 
NOT-FOR-US: Advantech WebAccess CVE-2017-12710 (A SQL Injection issue was discovered in Advantech WebAccess versions p ...) NOT-FOR-US: Advantech WebAccess CVE-2017-12709 (A Use of Hard-Coded Credentials issue was discovered in MRD-305-DIN ve ...) NOT-FOR-US: Westermo devices CVE-2017-12708 (An Improper Restriction Of Operations Within The Bounds Of A Memory Bu ...) NOT-FOR-US: Advantech WebAccess CVE-2017-12707 (A Stack-based Buffer Overflow issue was discovered in SpiderControl SC ...) NOT-FOR-US: SpiderControl SCADA MicroBrowser CVE-2017-12706 (A stack-based buffer overflow issue was discovered in Advantech WebAcc ...) NOT-FOR-US: Advantech WebAccess CVE-2017-12705 (A Heap-Based Buffer Overflow issue was discovered in Advantech WebOP. ...) NOT-FOR-US: Advantech CVE-2017-12704 (A heap-based buffer overflow issue was discovered in Advantech WebAcce ...) NOT-FOR-US: Advantech WebAccess CVE-2017-12703 (A Cross-Site Request Forgery (CSRF) issue was discovered in Westermo M ...) NOT-FOR-US: Westermo CVE-2017-12702 (An Externally Controlled Format String issue was discovered in Advante ...) NOT-FOR-US: Advantech WebAccess CVE-2017-12701 (BMC Medical Luna CPAP Machines released prior to July 1, 2017, contain ...) NOT-FOR-US: BMC Medical Luna CPAP Machines CVE-2017-12700 RESERVED CVE-2017-12699 (An Incorrect Default Permissions issue was discovered in AzeoTech DAQF ...) NOT-FOR-US: AzeoTech DAQFactory CVE-2017-12698 (An Improper Authentication issue was discovered in Advantech WebAccess ...) NOT-FOR-US: Advantech WebAccess CVE-2017-12697 (A Man-in-the-Middle issue was discovered in General Motors (GM) and Sh ...) NOT-FOR-US: General Motors (GM) and Shanghai OnStar (SOS) SOS iOS Client CVE-2017-12696 RESERVED CVE-2017-12695 (An Improper Authentication issue was discovered in General Motors (GM) ...) NOT-FOR-US: General Motors (GM) and Shanghai OnStar (SOS) SOS iOS Client CVE-2017-12694 (A Directory Traversal issue was discovered in SpiderControl SCADA Web ...) 
NOT-FOR-US: SpiderControl SCADA Web Server CVE-2017-1000101 (curl supports "globbing" of URLs, in which a user can pass a numerical ...) {DSA-3992-1} - curl 7.55.0-1 (bug #871554) [wheezy] - curl (Vulnerable code not present, introduced later in 7.34.0) NOTE: https://curl.haxx.se/docs/adv_20170809A.html NOTE: https://curl.haxx.se/CVE-2017-1000101.patch CVE-2017-1000100 (When doing a TFTP transfer and curl/libcurl is given a URL that contai ...) {DSA-3992-1 DLA-1062-1} - curl 7.55.0-1 (bug #871555) NOTE: https://curl.haxx.se/docs/adv_20170809B.html NOTE: https://curl.haxx.se/CVE-2017-1000100.patch CVE-2017-1000099 (When asking to get a file from a file:// URL, libcurl provides a featu ...) - curl (Only affects 7.54.1, no affected version ever in the archive) NOTE: https://curl.haxx.se/docs/adv_20170809C.html NOTE: https://curl.haxx.se/CVE-2017-1000099.patch NOTE: Introduced by: https://github.com/curl/curl/commit/7c312f84ea930d8 CVE-2017-12693 (The ReadBMPImage function in coders/bmp.c in ImageMagick 7.0.6-6 allow ...) {DLA-2366-1 DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #875341) NOTE: https://github.com/ImageMagick/ImageMagick/issues/652 NOTE: https://github.com/ImageMagick/ImageMagick/commit/75fcbf5d649bba046c6a0db650a518f7bfc0fb3f NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/6709bd585b9609a9cf98a7042089f3e725886d5e CVE-2017-12692 (The ReadVIFFImage function in coders/viff.c in ImageMagick 7.0.6-6 all ...) {DLA-2366-1 DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #875339) NOTE: https://github.com/ImageMagick/ImageMagick/issues/653 NOTE: https://github.com/ImageMagick/ImageMagick/commit/4a25fe5447bfb3a1918a2e9d595928e853b09d2e NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/5919dc606bc1d6022d3d2d205a91fdbe98de9e15 CVE-2017-12691 (The ReadOneLayer function in coders/xcf.c in ImageMagick 7.0.6-6 allow ...) 
{DLA-2366-1 DLA-1785-1 DLA-1131-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #875338) NOTE: https://github.com/ImageMagick/ImageMagick/issues/656 NOTE: https://github.com/ImageMagick/ImageMagick/commit/f1ea048a3a34df293764502401d966aeacf9179d NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/68bbe7b8b226ed79e339296793f68f1b2bebc519 CVE-2017-12690 RESERVED CVE-2017-12689 RESERVED CVE-2017-12688 RESERVED CVE-2017-12687 RESERVED CVE-2017-12686 RESERVED CVE-2017-12685 RESERVED CVE-2017-12684 RESERVED CVE-2017-12683 RESERVED CVE-2017-12682 RESERVED CVE-2017-12681 RESERVED CVE-2017-12680 (Cross-Site Scripting (XSS) exists in NexusPHP 1.5 via the type paramet ...) NOT-FOR-US: NexusPHP CVE-2017-12679 (SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the delcheater ...) NOT-FOR-US: NexusPHP CVE-2017-12678 (In TagLib 1.11.1, the rebuildAggregateFrames function in id3v2framefac ...) - taglib 1.11.1+dfsg.1-0.2 (bug #871511) [stretch] - taglib (Minor issue) [jessie] - taglib (Vulnerable code not present) [wheezy] - taglib (Vulnerable code not present) - silverjuke (Vulnerable code not present, based on older taglib version) NOTE: https://github.com/taglib/taglib/issues/829 NOTE: https://github.com/taglib/taglib/pull/831/commits/eb9ded1206f18f2c319157337edea2533a40bea6#diff-37f706c8696a7c1ca939b169c0a04d97 CVE-2017-12677 (IdentityServer3 2.4.x, 2.5.x, and 2.6.x before 2.6.1 has XSS in an Ang ...) NOT-FOR-US: IdentityServer CVE-2017-12676 (In ImageMagick 7.0.6-3, a memory leak vulnerability was found in the f ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-15 (unimportant; bug #870118) NOTE: https://github.com/ImageMagick/ImageMagick/issues/618 NOTE: https://github.com/ImageMagick/ImageMagick/commit/387adbe4b05a545b9f3972e862602480c850303c NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/7287f50888c26b133ee173816332fcaec4e8cb62 CVE-2017-12675 (In ImageMagick 7.0.6-3, a missing check for multidimensional data was ...) 
{DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (unimportant; bug #870022) NOTE: https://github.com/ImageMagick/ImageMagick/issues/616 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7a020acbcfea6e53eff6766c87ea175eac9dcd18 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/e33a39a6a168cdd800fd160e8f93f0059432bdf7 CVE-2017-12674 (In ImageMagick 7.0.6-2, a CPU exhaustion vulnerability was found in th ...) {DLA-2366-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #872609) NOTE: https://github.com/ImageMagick/ImageMagick/issues/604 NOTE: https://github.com/ImageMagick/ImageMagick/commit/91651bd482b6637cf650700ffd7b3b63de1cb049 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/5a91708c6b70bd4e3d2b931465307e0aeababb3c CVE-2017-12673 (In ImageMagick 7.0.6-3, a memory leak vulnerability was found in the f ...) - imagemagick 8:6.9.7.4+dfsg-15 (unimportant; bug #870117) NOTE: https://github.com/ImageMagick/ImageMagick/issues/619 CVE-2017-12672 (In ImageMagick 7.0.6-3, a memory leak vulnerability was found in the f ...) - imagemagick 8:6.9.7.4+dfsg-14 (unimportant; bug #870021) NOTE: https://github.com/ImageMagick/ImageMagick/issues/617 CVE-2017-12671 (In ImageMagick 7.0.6-3, a missing NULL assignment was found in coders/ ...) {DSA-4019-1} - imagemagick 8:6.9.7.4+dfsg-15 (unimportant; bug #870119) NOTE: https://github.com/ImageMagick/ImageMagick/issues/621 CVE-2017-12669 (ImageMagick 7.0.6-2 has a memory leak vulnerability in WriteCALSImage ...) - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870475) NOTE: https://github.com/ImageMagick/ImageMagick/issues/571 CVE-2017-12668 (ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePCXImage i ...) 
{DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870489) NOTE: https://github.com/ImageMagick/ImageMagick/issues/575 NOTE: https://github.com/ImageMagick/ImageMagick/commit/2ba8f335fa06daf1165e0878462686028e633a74 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/560e6e512961008938aa1d1b9aab06347b1c8f9b CVE-2017-12667 (ImageMagick 7.0.6-1 has a memory leak vulnerability in ReadMATImage in ...) - imagemagick 8:6.9.7.4+dfsg-14 (unimportant; bug #870015) NOTE: https://github.com/ImageMagick/ImageMagick/issues/553 CVE-2017-12666 (ImageMagick 7.0.6-2 has a memory leak vulnerability in WriteINLINEImag ...) - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870482) [jessie] - imagemagick (Vulnerable code not present) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/572 NOTE: https://github.com/ImageMagick/ImageMagick/commit/d5559407ce29f4371e5df9c1cbde65455fe5854c NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/45aeda5da9eb328689afc221fa3b7dfa5cdea54d CVE-2017-12665 (ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePICTImage ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870501) NOTE: https://github.com/ImageMagick/ImageMagick/issues/577 NOTE: https://github.com/ImageMagick/ImageMagick/commit/c1b09bbec148f6ae11d0b686fdb89ac6dc0ab14e NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/859084b4fd966ac007965c3d85caabccd8aee9b4 CVE-2017-12663 (ImageMagick 7.0.6-2 has a memory leak vulnerability in WriteMAPImage i ...) - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870483) NOTE: https://github.com/ImageMagick/ImageMagick/issues/573 CVE-2017-12662 (ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePDFImage i ...) 
- imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870492) NOTE: https://github.com/ImageMagick/ImageMagick/issues/576 CVE-2017-12661 RESERVED CVE-2017-12660 RESERVED CVE-2017-12659 RESERVED CVE-2017-12658 RESERVED CVE-2017-12657 RESERVED CVE-2017-12656 RESERVED CVE-2017-12655 (Cross-Site Scripting (XSS) exists in NexusPHP version v1.5 via the que ...) NOT-FOR-US: NexusPHP CVE-2017-12654 (The ReadPICTImage function in coders/pict.c in ImageMagick 7.0.6-3 all ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870502) NOTE: https://github.com/ImageMagick/ImageMagick/issues/620 NOTE: https://github.com/ImageMagick/ImageMagick/commit/ffcb8f8e2248fde38a2cb30aeb48403d2b3471cc NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/f2c26fa4db84e92d754c7f8b269db2883cf7f32c CVE-2017-12653 (360 Total Security 9.0.0.1202 before 2017-07-07 allows Privilege Escal ...) NOT-FOR-US: 360 Total Security CVE-2017-12652 (libpng before 1.6.32 does not properly check the length of chunks agai ...) - libpng1.6 1.6.32-1 [stretch] - libpng1.6 (Minor issue) NOTE: https://github.com/glennrp/libpng/commit/347538efbdc21b8df684ebd92d37400b3ce85d55 NOTE: https://github.com/glennrp/libpng/commit/a1fe2c98489519d415b72bc0026f0c86d82278b7 NOTE: https://github.com/glennrp/libpng/commit/095b4ce16bb46acb259ea1a4ca6562a623e58d93 NOTE: https://github.com/glennrp/libpng/commit/2dbef2f2a9e759a80d2decb6862518acf4919c59 NOTE: https://github.com/glennrp/libpng/commit/2dca15686fadb1b8951cb29b02bad4cae73448da NOTE: https://github.com/glennrp/libpng/commit/fcd1bb93124d76059abef98216d8390f520c577b NOTE: https://github.com/glennrp/libpng/commit/13bc0b6b1f8f2f2491fcc9f0c1c939ff06e13c15 CVE-2017-12651 (Cross Site Request Forgery (CSRF) exists in the Blacklist and Whitelis ...) NOT-FOR-US: Loginizer plugin for WordPress CVE-2017-12650 (SQL Injection exists in the Loginizer plugin before 1.3.6 for WordPres ...) 
NOT-FOR-US: Loginizer plugin for WordPress CVE-2017-12649 (XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted title or ...) NOT-FOR-US: Liferay Portal CVE-2017-12648 (XSS exists in Liferay Portal before 7.0 CE GA4 via a bookmark URL. ...) NOT-FOR-US: Liferay Portal CVE-2017-12647 (XSS exists in Liferay Portal before 7.0 CE GA4 via a Knowledge Base ar ...) NOT-FOR-US: Liferay Portal CVE-2017-12646 (XSS exists in Liferay Portal before 7.0 CE GA4 via a login name, passw ...) NOT-FOR-US: Liferay Portal CVE-2017-12645 (XSS exists in Liferay Portal before 7.0 CE GA4 via an invalid portletI ...) NOT-FOR-US: Liferay Portal CVE-2017-12644 (ImageMagick 7.0.6-1 has a memory leak vulnerability in ReadDCMImage in ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/551 NOTE: https://github.com/ImageMagick/ImageMagick/commit/a33f7498f9052b50e8fe8c8422a11ba84474cb42 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/9f375e7080a2c1044cd546854d0548b4bfb429d0 CVE-2017-12642 (ImageMagick 7.0.6-1 has a memory leak vulnerability in ReadMPCImage in ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (unimportant; bug #869796) NOTE: https://github.com/ImageMagick/ImageMagick/issues/552 CVE-2017-12641 (ImageMagick 7.0.6-1 has a memory leak vulnerability in ReadOneJNGImage ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-15 (unimportant; bug #870108) NOTE: https://github.com/ImageMagick/ImageMagick/issues/550 NOTE: https://github.com/ImageMagick/ImageMagick/commit/3320955045e5a2a22c13a04fa9422bb809e75eda CVE-2017-12640 (ImageMagick 7.0.6-1 has an out-of-bounds read vulnerability in ReadOne ...) 
{DSA-4040-1 DSA-4019-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-15 (bug #870106) NOTE: https://github.com/ImageMagick/ImageMagick/issues/542 NOTE: https://github.com/ImageMagick/ImageMagick/commit/78d4c5db50fbab0b4beb69c46c6167f2c6513dec CVE-2017-12639 (Stack based buffer overflow in Ipswitch IMail server up to and includi ...) NOT-FOR-US: Ipswitch IMail CVE-2017-12638 (Stack based buffer overflow in Ipswitch IMail server up to and includi ...) NOT-FOR-US: Ipswitch IMail CVE-2017-12637 (Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/ ...) NOT-FOR-US: SAP CVE-2017-12636 (CouchDB administrative users can configure the database server via HTT ...) {DLA-1252-1} - couchdb NOTE: https://www.openwall.com/lists/oss-security/2017/11/14/6 NOTE: Likely patch for 1.2.x: https://github.com/apache/couchdb/commit/9a28df7e9703a1a3420e7616c4d33a523ee06354 NOTE: Possibly needs more updates: https://github.com/apache/couchdb/commit/bf6b6a1c84321baee2c4ad354059a45e0b8fdec7 CVE-2017-12635 (Due to differences in the Erlang-based JSON parser and JavaScript-base ...) {DLA-1252-1} - couchdb NOTE: https://www.openwall.com/lists/oss-security/2017/11/14/6 NOTE: Likely patch for 1.2.x: https://github.com/apache/couchdb/commit/3706a77c13a78672e5a3fbde06e7bffd3665f73b CVE-2017-12634 (The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20. ...) NOT-FOR-US: Apache Camel CVE-2017-12633 (The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20 ...) NOT-FOR-US: Apache Camel CVE-2017-12632 (A malicious host header in an incoming HTTP request could cause NiFi t ...) NOT-FOR-US: Apache NiFi CVE-2017-12631 (Apache CXF Fediz ships with a number of container-specific plugins to ...) NOT-FOR-US: Apache CXF CVE-2017-12630 (In Apache Drill 1.11.0 and earlier when submitting form from Query pag ...) NOT-FOR-US: Apache Drill CVE-2017-12629 (Remote code execution occurs in Apache Solr before 7.1 with Apache Luc ...) 
{DSA-4124-1 DLA-1254-1} - lucene-solr 3.6.2+dfsg-11 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1501529 NOTE: http://lucene.472066.n3.nabble.com/Re-Several-critical-vulnerabilities-discovered-in-Apache-Solr-XXE-amp-RCE-td4358308.html NOTE: http://lucene.472066.n3.nabble.com/Re-Several-critical-vulnerabilities-discovered-in-Apache-Solr-XXE-amp-RCE-tt4358355.html NOTE: Patch removing RunExecutableListener: https://github.com/apache/lucene-solr/commit/7b313bb597a6d1f78773dc9c00f484c078a46c25 NOTE: Patch disallowing XXE: https://github.com/apache/lucene-solr/commit/926cc4d65b6d2cc40ff07f76d50ddeda947e3cc4 CVE-2017-12628 (The JMX server embedded in Apache James, also used by the command line ...) NOT-FOR-US: Apache James CVE-2017-12627 (In Apache Xerces-C XML Parser library before 3.2.1, processing of exte ...) {DLA-1328-1} - xerces-c 3.2.1+debian-1 (bug #894050) [stretch] - xerces-c 3.1.4+debian-2+deb9u1 [jessie] - xerces-c 3.1.1-5.1+deb8u4 NOTE: https://svn.apache.org/r1819998 NOTE: https://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt CVE-2017-12626 (Apache POI in versions prior to release 3.17 are vulnerable to Denial ...) - libapache-poi-java 3.17-1 (bug #888651) [stretch] - libapache-poi-java (Minor issue) [jessie] - libapache-poi-java (Minor issue) [wheezy] - libapache-poi-java (Minor issue) NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=61338 NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=61294 NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=52372 NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=61295 CVE-2017-12625 (Apache Hive 2.1.x before 2.1.2, 2.2.x before 2.2.1, and 2.3.x before 2 ...) NOT-FOR-US: Apache Hive CVE-2017-12624 (Apache CXF supports sending and receiving attachments via either the J ...) NOT-FOR-US: Apache CXF CVE-2017-12623 (An authorized user could upload a template which contained malicious c ...) 
NOT-FOR-US: Apache NiFi CVE-2017-12622 (When an Apache Geode cluster before v1.3.0 is operating in secure mode ...) NOT-FOR-US: Apache Geode CVE-2017-12621 (During Jelly (xml) file parsing with Apache Xerces, if a custom doctyp ...) - jenkins-commons-jelly [jessie] - jenkins-commons-jelly (Minor issue, only used by Jenkins which got removed) [wheezy] - jenkins-commons-jelly (Minor issue, only used by Jenkins which got removed) NOTE: https://www.openwall.com/lists/oss-security/2017/09/27/6 CVE-2017-12620 (When loading models or dictionaries that contain XML it is possible to ...) NOT-FOR-US: Apache OpenNLP CVE-2017-12619 (Apache Zeppelin prior to 0.7.3 was vulnerable to session fixation whic ...) NOT-FOR-US: Apache Zeppelin CVE-2017-12618 (Apache Portable Runtime Utility (APR-util) 1.6.0 and prior fail to val ...) {DLA-1163-1} - apr-util 1.6.1-1 (low; bug #879996) [stretch] - apr-util (Minor issue) [jessie] - apr-util (Minor issue) NOTE: mail-archives.apache.org/mod_mbox/apr-dev/201710.mbox/%3CCACsi252POs4toeJJciwg09_eu2cO3XFg%3DUqsPjXsfjDoeC3-UQ%40mail.gmail.com%3E NOTE: https://github.com/apache/apr/commit/f672b565c825c34de9ee298b5bdc62c01cdd6147 CVE-2017-12617 (When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22 ...) {DLA-1166-1} - tomcat8 (Specific to running Tomcat on Windows) - tomcat8.0 (Specific to running Tomcat on Windows) - tomcat7 (Specific to running Tomcat on Windows) NOTE: https://svn.apache.org/r1809673 (8.5.x) NOTE: https://svn.apache.org/r1809675 (8.5.x) NOTE: https://svn.apache.org/r1809896 (8.5.x) NOTE: https://svn.apache.org/r1809921 (8.0.x) NOTE: https://svn.apache.org/r1809978 (7.0.x) NOTE: https://svn.apache.org/r1809992 (7.0.x) NOTE: https://svn.apache.org/r1810014 (7.0.x) NOTE: https://svn.apache.org/r1810026 (7.0.x) NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=61542 CVE-2017-12616 (When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it w ...) 
{DLA-1400-1 DLA-1108-1} - tomcat7 7.0.72-3 NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API NOTE: https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81 NOTE: https://svn.apache.org/r1804729 CVE-2017-12615 (When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs e ...) - tomcat7 (Windows-specific) CVE-2017-12614 (It was noticed an XSS in certain 404 pages that could be exploited to ...) - airflow (bug #819700) CVE-2017-12613 (When apr_time_exp*() or apr_os_exp_time*() functions are invoked with ...) {DLA-1162-1} - apr 1.6.3-1 (low; bug #879708) [stretch] - apr (Minor issue) [jessie] - apr (Minor issue) NOTE: mail-archives.apache.org/mod_mbox/apr-dev/201710.mbox/%3CCACsi252POs4toeJJciwg09_eu2cO3XFg%3DUqsPjXsfjDoeC3-UQ%40mail.gmail.com%3E NOTE: Fixed by: https://github.com/apache/apr/commit/ad958385a4180d7a83d90589689fcd36e3bbc57a CVE-2017-12612 (In Apache Spark 1.6.0 until 2.1.1, the launcher API performs unsafe de ...) - apache-spark (bug #802194) CVE-2017-12611 (In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using ...) - libstruts1.2-java [wheezy] - libstruts1.2-java (Minor issue) NOTE: Only a problem if the application programmer has made a security mistake. NOTE: https://struts.apache.org/docs/s2-053.html CVE-2017-12610 (In Apache Kafka 0.10.0.0 to 0.10.2.1 and 0.11.0.0 to 0.11.0.1, authent ...) - kafka (bug #786460) CVE-2017-12609 REJECTED CVE-2017-12608 (A vulnerability in Apache OpenOffice Writer DOC file parser before 4.1 ...) {DSA-4022-1 DLA-1214-1} - libreoffice 1:5.0.2-1 NOTE: https://www.talosintelligence.com/reports/TALOS-2017-0301 NOTE: https://www.libreoffice.org/about-us/security/advisories/CVE-2017-12608 NOTE: https://gerrit.libreoffice.org/gitweb?p=core.git;a=commitdiff_plain;h=42a709d1ef647aab9a1c9422b4e25ecaee857aba CVE-2017-12607 (A vulnerability in OpenOffice's PPT file parser before 4.1.4, and spec ...) 
{DSA-4022-1 DLA-1214-1} - libreoffice 1:5.0.2-1 NOTE: https://www.talosintelligence.com/reports/TALOS-2017-0300 NOTE: https://www.libreoffice.org/about-us/security/advisories/CVE-2017-12607 NOTE: https://cgit.freedesktop.org/libreoffice/core/commit/?id=334dba623dfb0c4fb2b5292c2d03741b7b33aef1 CVE-2017-12606 (OpenCV (Open Source Computer Vision Library) through 3.3 has an out-of ...) {DLA-1438-1 DLA-1117-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #872044) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9309 CVE-2017-12605 (OpenCV (Open Source Computer Vision Library) through 3.3 has an out-of ...) {DLA-1438-1 DLA-1117-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #872044) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9309 CVE-2017-12604 (OpenCV (Open Source Computer Vision Library) through 3.3 has an out-of ...) {DLA-1438-1 DLA-1117-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #872044) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9309 CVE-2017-12603 (OpenCV (Open Source Computer Vision Library) through 3.3 has an invali ...) {DLA-1438-1 DLA-1117-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #872044) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9309 CVE-2017-12602 (OpenCV (Open Source Computer Vision Library) through 3.3 has a denial ...) [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #872045) [stretch] - opencv (Minor issue) [jessie] - opencv (Minor issue) [wheezy] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9311 CVE-2017-12601 (OpenCV (Open Source Computer Vision Library) through 3.3 has a buffer ...) 
{DLA-1438-1 DLA-1117-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #872044) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9309 CVE-2017-12600 (OpenCV (Open Source Computer Vision Library) through 3.3 has a denial ...) [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #872045) [stretch] - opencv (Minor issue) [jessie] - opencv (Minor issue) [wheezy] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9311 CVE-2017-12599 (OpenCV (Open Source Computer Vision Library) through 3.3 has an out-of ...) {DLA-1438-1 DLA-1117-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #872044) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9309 CVE-2017-12598 (OpenCV (Open Source Computer Vision Library) through 3.3 has an out-of ...) {DLA-1438-1 DLA-1117-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #872044) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9309 CVE-2017-12597 (OpenCV (Open Source Computer Vision Library) through 3.3 has an out-of ...) {DLA-1438-1 DLA-1117-1} [experimental] - opencv 3.4.4+dfsg-1~exp1 - opencv 3.2.0+dfsg-6 (bug #872044) [stretch] - opencv (Minor issue) NOTE: https://github.com/opencv/opencv/issues/9309 CVE-2017-12596 (In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read ...) {DLA-2358-1} - openexr 2.2.0-11.1 (bug #877352) [jessie] - openexr (Minor issue) [wheezy] - openexr 1.6.1-6+deb7u1 NOTE: https://github.com/openexr/openexr/issues/238 NOTE: Upstream fix https://github.com/openexr/openexr/commit/f09f5f26c1924c4f7e183428ca79c9881afaf53c CVE-2017-12595 (The tokenizer in QPDF 6.0.0 and 7.0.b1 is recursive for arrays and dic ...) 
- qpdf 7.0.0-1 [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/issues/146 NOTE: Fixed by: https://github.com/qpdf/qpdf/commit/ad527a64f93dca12f6aabab2ca99ae5eb352ab4b CVE-2017-12594 RESERVED CVE-2017-12593 (ASUS DSL-N10S V2.1.16_APAC devices allow CSRF. ...) NOT-FOR-US: ASUS DSL-N10S V2.1.16_APAC devices CVE-2017-12592 (ASUS DSL-N10S V2.1.16_APAC devices have a privilege escalation vulnera ...) NOT-FOR-US: ASUS DSL-N10S V2.1.16_APAC devices CVE-2017-12591 (ASUS DSL-N10S V2.1.16_APAC devices have reflected and stored cross sit ...) NOT-FOR-US: ASUS DSL-N10S V2.1.16_APAC devices CVE-2017-12590 (ASUS RT-N14UHP devices before 3.0.0.4.380.8015 have a reflected XSS vu ...) NOT-FOR-US: ASUS RT-N14UHP devices CVE-2017-12589 (ToMAX R60G R60GV2-V2.0-v.2.6.3-170330 devices do not have any protecti ...) NOT-FOR-US: ToMAX R60G R60GV2-V2.0-v.2.6.3-170330 devices CVE-2017-12588 (The zmq3 input and output modules in rsyslog before 8.28.0 interpreted ...) - rsyslog 8.28.0-1 (unimportant) NOTE: https://github.com/rsyslog/rsyslog/commit/062d0c671a29f7c6f7dff4a2f1f35df375bbb30b NOTE: https://github.com/rsyslog/rsyslog/pull/1565 NOTE: The zmq3 input and output modules are not enabled and built in Debian CVE-2017-12587 (ImageMagick 7.0.6-1 has a large loop vulnerability in the ReadPWPImage ...) {DSA-4019-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-16 (bug #870526) NOTE: https://github.com/ImageMagick/ImageMagick/issues/535 NOTE: https://github.com/ImageMagick/ImageMagick/commit/bb5b16c512977e8134701063e0adb05a4a342add NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/d4192df5eb03892089806d52a317cc3101856726 CVE-2017-12586 (SLiMS 8 Akasia through 8.3.1 has an arbitrary file reading issue becau ...) NOT-FOR-US: SLiMS 8 Akasia CVE-2017-12585 (SLiMS 8 Akasia through 8.3.1 has SQL injection in admin/AJAX_lookup_ha ...) 
NOT-FOR-US: SLiMS 8 Akasia CVE-2017-12584 (There is no CSRF mitigation in SLiMS 8 Akasia through 8.3.1. Also, an ...) NOT-FOR-US: SLiMS 8 Akasia CVE-2017-12583 (DokuWiki through 2017-02-19b has XSS in the at parameter (aka the DATE ...) - dokuwiki 0.0.20180422.a-1 (bug #870903) [jessie] - dokuwiki (Vulnerable code not present) [wheezy] - dokuwiki (Vulnerable code not present) NOTE: https://github.com/splitbrain/dokuwiki/issues/2061 CVE-2017-12582 (Unprivileged user can access all functions in the Surveillance Station ...) NOT-FOR-US: QNAP CVE-2017-12581 (GitHub Electron before 1.6.8 allows remote command execution because o ...) - electron (bug #842420) CVE-2017-12580 (An issue was discovered in IDM UltraEdit through 24.10.0.32. To exploi ...) NOT-FOR-US: IDM UltraEdit CVE-2017-12579 (An insecure suid wrapper binary in the HashiCorp Vagrant VMware Fusion ...) NOT-FOR-US: HashiCorp Vagrant VMware Fusion plugin CVE-2017-12578 RESERVED CVE-2017-12577 (An issue was discovered on the PLANEX CS-QR20 1.30. A hardcoded accoun ...) NOT-FOR-US: PLANEX CVE-2017-12576 (An issue was discovered on the PLANEX CS-QR20 1.30. A hidden and undoc ...) NOT-FOR-US: PLANEX CVE-2017-12575 (An issue was discovered on the NEC Aterm WG2600HP2 1.0.2. The router h ...) NOT-FOR-US: NEC CVE-2017-12574 (An issue was discovered on PLANEX CS-W50HD devices with firmware befor ...) NOT-FOR-US: PLANEX CVE-2017-12573 (An issue was discovered on PLANEX CS-W50HD devices with firmware befor ...) NOT-FOR-US: PLANEX CVE-2017-12572 (Persistent Cross Site Scripting (XSS) exists in Splunk Enterprise 6.5. ...) NOT-FOR-US: Splunk CVE-2017-12571 RESERVED CVE-2017-12570 RESERVED CVE-2017-12569 RESERVED CVE-2017-12568 (Denial of Service vulnerability in Debut embedded httpd 1.20 in Brothe ...) NOT-FOR-US: Brother CVE-2017-12567 (SQL injection exists in Quest KACE Asset Management Appliance 6.4.1208 ...) 
NOT-FOR-US: Quest KACE Asset Management Appliance CVE-2017-12566 (In ImageMagick 7.0.6-2, a memory leak vulnerability was found in the f ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870503) NOTE: https://github.com/ImageMagick/ImageMagick/issues/603 NOTE: https://github.com/ImageMagick/ImageMagick/commit/2477eacf09d3a26efe814590a5dbbe1efd16764f NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/27b3b9ca5cfb7b8935852cf315abc005ea7c1e16 CVE-2017-12565 (In ImageMagick 7.0.6-2, a memory leak vulnerability was found in the f ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-15 (unimportant; bug #870115) NOTE: https://github.com/ImageMagick/ImageMagick/issues/602 NOTE: https://github.com/ImageMagick/ImageMagick/commit/e0e544bb173213df00f82a810d66321e1bb4f3c8 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/4d0ac66c9778faebd2d1fac7140462b043626458 CVE-2017-12564 (In ImageMagick 7.0.6-2, a memory leak vulnerability was found in the f ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (unimportant; bug #870017) NOTE: https://github.com/ImageMagick/ImageMagick/issues/601 NOTE: https://github.com/ImageMagick/ImageMagick/commit/ff3faa31166439d81b72de22daea2b6404569137 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/a4779cfbee2e4235fa9f9f8f2e58dca17f7ccc6b CVE-2017-12563 (In ImageMagick 7.0.6-2, a memory exhaustion vulnerability was found in ...) {DLA-2366-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-16 (low; bug #870530) NOTE: https://github.com/ImageMagick/ImageMagick/issues/599 NOTE: https://github.com/ImageMagick/ImageMagick/commit/82b53bd74df1489332e4043035a51b43f54d43f1 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/7d3af83d8b946f952bfd028451e6dfb1f7ace07a CVE-2017-12561 (A remote code execution vulnerability in HPE intelligent Management Ce ...) 
NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12560 (A Remote Denial of Service vulnerability in HPE Intelligent Management ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12559 (A Remote Denial of Service vulnerability in HPE Intelligent Management ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12558 (A Remote Code Execution vulnerability in HPE intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12557 (A Remote Code Execution vulnerability in HPE intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12556 (A Remote Code Execution vulnerability in HPE intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12555 (A remote arbitrary file download and disclosure of information vulnera ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12554 (A remote code execution vulnerability in HPE intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12553 (A local authentication bypass vulnerability in HPE System Management H ...) NOT-FOR-US: HPE System Management Homepage CVE-2017-12552 (A local arbitrary execution of commands vulnerability in HPE System Ma ...) NOT-FOR-US: HPE System Management Homepage CVE-2017-12551 (A local arbitrary execution of commands vulnerability in HPE System Ma ...) NOT-FOR-US: HPE System Management Homepage CVE-2017-12550 (A local security misconfiguration vulnerability in HPE System Manageme ...) NOT-FOR-US: HPE System Management Homepage CVE-2017-12549 (A local authentication bypass vulnerability in HPE System Management H ...) NOT-FOR-US: HPE System Management Homepage CVE-2017-12548 (A local arbitrary command execution vulnerability in HPE System Manage ...) NOT-FOR-US: HPE System Management Homepage CVE-2017-12547 (A local arbitrary command execution vulnerability in HPE System Manage ...) 
NOT-FOR-US: HPE System Management Homepage CVE-2017-12546 (A local buffer overflow vulnerability in HPE System Management Homepag ...) NOT-FOR-US: HPE System Management Homepage CVE-2017-12545 (A remote denial of service vulnerability in HPE System Management Home ...) NOT-FOR-US: HPE System Management Homepage CVE-2017-12544 (A cross-site scripting vulnerability in HPE System Management Homepage ...) NOT-FOR-US: HPE System Management Homepage CVE-2017-12543 (A remote disclosure of information vulnerability in Moonshot Remote Co ...) NOT-FOR-US: Moonshot Remote Console Administrator Pro CVE-2017-12542 (A authentication bypass and execution of code vulnerability in HPE Int ...) NOT-FOR-US: HPE ILO 4 CVE-2017-12541 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12540 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12539 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12538 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12537 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12536 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12535 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12534 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12533 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) 
NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12532 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12531 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12530 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12529 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12528 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12527 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12526 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12525 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12524 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12523 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12522 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12521 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12520 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12519 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) 
NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12518 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12517 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12516 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12515 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12514 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12513 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12512 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12511 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12510 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12509 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12508 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12507 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12506 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12505 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) 
NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12504 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12503 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12502 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12501 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12500 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12499 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12498 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12497 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12496 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12495 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12494 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12493 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12492 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12491 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) 
NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12490 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12489 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12488 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12487 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-12486 RESERVED CVE-2017-12485 RESERVED CVE-2017-12484 RESERVED CVE-2017-12483 RESERVED CVE-2017-12482 (The ledger::parse_date_mask_routine function in times.cc in Ledger 3.1 ...) - ledger 3.1.2+dfsg1-1 (low; bug #870900) [stretch] - ledger (Minor issue) [jessie] - ledger (Minor issue) [wheezy] - ledger (Minor issue) NOTE: http://bugs.ledger-cli.org/show_bug.cgi?id=1224 NOTE: https://github.com/ledger/ledger/issues/1224 NOTE: https://github.com/ledger/ledger/commit/7c0ae5b02571e21f97d45f5d091cb78af9885713 CVE-2017-12481 (The find_option function in option.cc in Ledger 3.1.1 allows remote at ...) - ledger 3.1.2+dfsg1-1 (low; bug #870900) [stretch] - ledger (Minor issue) [jessie] - ledger (Minor issue) [wheezy] - ledger (Minor issue) NOTE: http://bugs.ledger-cli.org/show_bug.cgi?id=1222 NOTE: https://github.com/ledger/ledger/issues/1222 NOTE: https://github.com/ledger/ledger/commit/c5343f18744d0f6fddcc590f9a54c23674d8c489 CVE-2017-12480 (Sandboxie installer 5071703 has a DLL Hijacking or Unsafe DLL Loading ...) NOT-FOR-US: Sandboxie CVE-2017-12479 (It was discovered that an issue in the session logic in Unitrends Back ...) NOT-FOR-US: Unitrends Backup CVE-2017-12478 (It was discovered that the api/storage web interface in Unitrends Back ...) NOT-FOR-US: Unitrends Backup CVE-2017-12477 (It was discovered that the bpserverd proprietary protocol in Unitrends ...) 
NOT-FOR-US: Unitrends Backup CVE-2017-12476 (The AP4_AvccAtom::InspectFields function in Core/Ap4AvccAtom.cpp in Be ...) NOT-FOR-US: Bento4 CVE-2017-12475 (The AP4_Processor::Process function in Core/Ap4Processor.cpp in Bento4 ...) NOT-FOR-US: Bento4 CVE-2017-12474 (The AP4_AtomSampleTable::GetSample function in Core/Ap4AtomSampleTable ...) NOT-FOR-US: Bento4 CVE-2017-12473 (ccnl_ccntlv_bytes2pkt in CCN-lite allows context-dependent attackers t ...) NOT-FOR-US: CCN-lite CVE-2017-12472 (ccnl-ext-mgmt.c in CCN-lite before 2.00 allows context-dependent attac ...) NOT-FOR-US: CCN-lite CVE-2017-12471 (The cnb_parse_lev function in CCN-lite before 2.00 allows context-depe ...) NOT-FOR-US: CCN-lite CVE-2017-12470 (Integer overflow in the ndn_parse_sequence function in CCN-lite before ...) NOT-FOR-US: CCN-lite CVE-2017-12469 (Buffer overflow in util/ccnl-common.c in CCN-lite before 2.00 allows c ...) NOT-FOR-US: CCN-lite CVE-2017-12468 (Buffer overflow in ccn-lite-ccnb2xml.c in CCN-lite before 2.00 allows ...) NOT-FOR-US: CCN-lite CVE-2017-12467 (Memory leak in CCN-lite before 2.00 allows context-dependent attackers ...) NOT-FOR-US: CCN-lite CVE-2017-12466 (CCN-lite before 2.00 allows context-dependent attackers to have unspec ...) NOT-FOR-US: CCN-lite CVE-2017-12465 (Multiple integer overflows in CCN-lite before 2.00 allow context-depen ...) NOT-FOR-US: CCN-lite CVE-2017-12464 (ccn-lite-valid.c in CCN-lite before 2.00 allows context-dependent atta ...) NOT-FOR-US: CCN-lite CVE-2017-12463 (Memory leak in the ccnl_app_RX function in ccnl-uapi.c in CCN-lite bef ...) NOT-FOR-US: CCN-lite CVE-2017-12462 RESERVED CVE-2017-12461 RESERVED CVE-2017-12460 (An issue was discovered in Barco ClickShare CSM-1 firmware before v1.7 ...) NOT-FOR-US: Barco ClickShare CSM-1 firmware CVE-2017-12459 (The bfd_mach_o_read_symtab_strtab function in bfd/mach-o.c in the Bina ...) 
- binutils 2.29-8 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21840 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8bdf0be19d2777565a8b1c88347f65d6a4b8c5fc CVE-2017-12458 (The nlm_swap_auxiliary_headers_in function in bfd/nlmcode.h in the Bin ...) - binutils 2.29-8 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21840 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8bdf0be19d2777565a8b1c88347f65d6a4b8c5fc CVE-2017-12457 (The bfd_make_section_with_flags function in section.c in the Binary Fi ...) - binutils 2.29-8 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21840 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;a=patch;h=8bdf0be19d2777565a8b1c88347f65d6a4b8c5fc CVE-2017-12456 (The read_symbol_stabs_debugging_info function in rddbg.c in GNU Binuti ...) - binutils 2.29-9 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21813 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ca4cf9b9c622a5695e01f7f5815a7382a31fcf51 CVE-2017-12455 (The evax_bfd_print_emh function in vms-alpha.c in the Binary File Desc ...) - binutils 2.29-8 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21840 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8bdf0be19d2777565a8b1c88347f65d6a4b8c5fc CVE-2017-12454 (The _bfd_vms_slurp_egsd function in bfd/vms-alpha.c in the Binary File ...) 
- binutils 2.29-9 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21813 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ca4cf9b9c622a5695e01f7f5815a7382a31fcf51 CVE-2017-12453 (The _bfd_vms_slurp_eeom function in libbfd.c in the Binary File Descri ...) - binutils 2.29-9 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21813 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ca4cf9b9c622a5695e01f7f5815a7382a31fcf51 CVE-2017-12452 (The bfd_mach_o_i386_canonicalize_one_reloc function in bfd/mach-o-i386 ...) - binutils 2.29-9 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21813 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ca4cf9b9c622a5695e01f7f5815a7382a31fcf51 CVE-2017-12451 (The _bfd_xcoff_read_ar_hdr function in bfd/coff-rs6000.c and bfd/coff6 ...) - binutils 2.29-9 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21786 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=29866fa186ee3ebda5242221607dba360b2e541e CVE-2017-12450 (The alpha_vms_object_p function in bfd/vms-alpha.c in the Binary File ...) - binutils 2.29-9 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21813 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8a2df5e2df374289e00ecd8f099eb46d76ef982e CVE-2017-12449 (The _bfd_vms_save_sized_string function in vms-misc.c in the Binary Fi ...) 
- binutils 2.29-8 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21840 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8bdf0be19d2777565a8b1c88347f65d6a4b8c5fc CVE-2017-12448 (The bfd_cache_close function in bfd/cache.c in the Binary File Descrip ...) - binutils 2.29-9 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21787 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=909e4e716c4d77e33357bbe9bc902bfaf2e1af24 CVE-2017-12447 (GdkPixBuf (aka gdk-pixbuf), possibly 2.32.2, as used by GNOME Nautilus ...) - gdk-pixbuf 2.34.0-1 [jessie] - gdk-pixbuf 2.31.1-2+deb8u5 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=785979 NOTE: Fixed by: https://gitlab.gnome.org/GNOME/gdk-pixbuf/commit/b7bf6fbfb310fceba2d35d4de143b8d5ffdad990 (2.33.2) CVE-2017-12446 RESERVED CVE-2017-12445 (The JB2BitmapCoder::code_row_by_refinement function in jb2/bmpcoder.cp ...) - minidjvu (unimportant; bug #871495) NOTE: https://sourceforge.net/p/minidjvu/bugs/8/ CVE-2017-12444 (The mdjvu_bitmap_get_bounding_box function in base/4bitmap.c in minidj ...) - minidjvu (unimportant; bug #871495) NOTE: https://sourceforge.net/p/minidjvu/bugs/8/ CVE-2017-12443 (The mdjvu_bitmap_pack_row function in base/4bitmap.c in minidjvu 0.8 c ...) - minidjvu (unimportant; bug #871495) NOTE: https://sourceforge.net/p/minidjvu/bugs/8/ CVE-2017-12442 (The row_is_empty function in base/4bitmap.c:272 in minidjvu 0.8 can ca ...) - minidjvu (unimportant; bug #871495) NOTE: https://sourceforge.net/p/minidjvu/bugs/8/ CVE-2017-12441 (The row_is_empty function in base/4bitmap.c:274 in minidjvu 0.8 can ca ...) - minidjvu (unimportant; bug #871495) NOTE: https://sourceforge.net/p/minidjvu/bugs/8/ CVE-2017-12440 (Aodh as packaged in Openstack Ocata and Newton before change-ID I8fd11 ...) 
{DSA-3953-1} - aodh 5.0.0-2 (bug #872605) NOTE: https://wiki.openstack.org/wiki/OSSN/OSSN-0080 NOTE: Master: https://review.openstack.org/#/c/493823/ NOTE: Ocata: https://review.openstack.org/#/c/493824/ NOTE: Newton: https://review.openstack.org/#/c/493826/ NOTE: https://github.com/openstack/aodh/commit/cb90d3ad472bba8d648803ca94a9196dff97f0e8 CVE-2017-12439 (SocuSoft Flash Slideshow Maker Professional through v5.20, when the ad ...) NOT-FOR-US: SocuSoft Flash Slideshow Maker Professional CVE-2017-12438 RESERVED CVE-2017-12437 RESERVED CVE-2017-12436 RESERVED CVE-2017-12435 (In ImageMagick 7.0.6-1, a memory exhaustion vulnerability was found in ...) {DLA-2366-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-16 (low; bug #870504) NOTE: https://github.com/ImageMagick/ImageMagick/issues/543 NOTE: https://github.com/ImageMagick/ImageMagick/commit/2dd8d55742fce7d079b6a16039c18e49c091224f NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/44cb8dfd4cbe6fc475c863a5946cff64e34c2088 CVE-2017-12433 (In ImageMagick 7.0.6-1, a memory leak vulnerability was found in the f ...) {DLA-1081-1} - imagemagick 8:6.9.9.34+dfsg-3 (unimportant; bug #872481) NOTE: https://github.com/ImageMagick/ImageMagick/issues/548 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7beec9a7a8a5701652b313e6e94bafd36b3627dc NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/0a170d18390d3762586f164e6abe3c4766d14620 CVE-2017-12432 (In ImageMagick 7.0.6-1, a memory exhaustion vulnerability was found in ...) 
{DSA-4019-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-16 (low; bug #870491) [stretch] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/536 NOTE: https://github.com/ImageMagick/ImageMagick/commit/061de02095a56d438409c63f723f340b2d9d36c7 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/3ded916c5da6febe9660c3cfa44c3114567adf74 CVE-2017-12429 (In ImageMagick 7.0.6-1, a memory exhaustion vulnerability was found in ...) {DLA-2366-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/545 NOTE: https://github.com/ImageMagick/ImageMagick/commit/30a74ed25a4890acfa94f452d653d54c9628c87e NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/3ac6c73d39d59a7b0285b3756810272121759a31 NOTE: The fix applied for #869727 included the change for upstream issue 545, cf. NOTE: https://github.com/ImageMagick/ImageMagick/issues/546#issuecomment-313968413 CVE-2017-12427 (The ProcessMSLScript function in coders/msl.c in ImageMagick before 6. ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870525) NOTE: https://github.com/ImageMagick/ImageMagick/issues/636 NOTE: ImageMagick-7: https://github.com/ImageMagick/ImageMagick/commit/e793eb203e5e0f91f5037aed6585e81b1e27395b NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/841f7b27dc88c685c61252d59b7e20e94c982456 CVE-2017-12426 (GitLab Community Edition (CE) and Enterprise Edition (EE) before 8.17. ...) - gitlab 9.5.4+dfsg-7 (bug #872190; unimportant) NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/35212 NOTE: The fix for git for CVE-2017-1000117 mitigates the issue in gitlab itself. NOTE: The CVE is for the issue when importing a project via crafted SSH URLs, NOTE: which becomes ineffective with a fixed git version itself. CVE-2017-12424 (In shadow before 4.5, the newusers tool could be made to manipulate in ...)
- shadow 1:4.5-1 (bug #756630) [stretch] - shadow (Minor issue) [jessie] - shadow (Minor issue) [wheezy] - shadow (Minor issue) NOTE: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1266675 NOTE: https://github.com/shadow-maint/shadow/commit/954e3d2e7113e9ac06632aee3c69b8d818cc8952 (4.5) CVE-2017-12423 (NetApp Clustered Data ONTAP 8.3.x before 8.3.2P12 allows remote authen ...) NOT-FOR-US: NetApp CVE-2017-12422 (NetApp StorageGRID Webscale 10.2.x before 10.2.2.3, 10.3.x before 10.3 ...) NOT-FOR-US: NetApp CVE-2017-12421 (NetApp Clustered Data ONTAP 8.3.x before 8.3.2P12 allows remote authen ...) NOT-FOR-US: NetApp CVE-2017-12420 (Heap-based buffer overflow in the SMB implementation in NetApp Cluster ...) NOT-FOR-US: NetApp CVE-2017-12419 (If, after successful installation of MantisBT through 2.5.2 on MySQL/M ...) - mantis [wheezy] - mantis (Not supported in Wheezy) NOTE: https://mantisbt.org/bugs/view.php?id=23173 CVE-2017-12418 (ImageMagick 7.0.6-5 has memory leaks in the parse8BIMW and format8BIM ...) {DLA-1081-1} - imagemagick 8:6.9.9.34+dfsg-3 (unimportant; bug #872498) NOTE: https://github.com/ImageMagick/ImageMagick/issues/643 NOTE: https://github.com/ImageMagick/ImageMagick/commit/46382526a3f09cebf9f2af680fc55b2a668fcbef NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/bfd93888beccf2eff49cc9abfa6b5167c9c9109d CVE-2017-12417 RESERVED CVE-2017-12416 (Cross-site scripting (XSS) vulnerability in the GlobalProtect internal ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-12415 (OXID eShop Community Edition before 6.0.0 RC2 (development), 4.10.x be ...) NOT-FOR-US: OXID eShop CVE-2017-12414 (Format Factory 4.1.0 has a DLL Hijacking Vulnerability because an untr ...) NOT-FOR-US: Format Factory CVE-2017-12413 (AXIS 2100 devices 2.43 have XSS via the URI, possibly related to admin ...) NOT-FOR-US: AXIS 2100 devices CVE-2017-12412 (ccn-lite-ccnb2xml in CCN-lite before 2.0.0 allows context-dependent at ...) 
NOT-FOR-US: CCN-lite CVE-2017-12411 RESERVED CVE-2017-12410 (It is possible to exploit a Time of Check & Time of Use (TOCTOU) v ...) NOT-FOR-US: Kaseya Virtual System Administrator agent CVE-2017-12409 RESERVED CVE-2017-12408 RESERVED CVE-2017-12407 RESERVED CVE-2017-12406 RESERVED CVE-2017-12405 RESERVED CVE-2017-12404 RESERVED CVE-2017-12403 RESERVED CVE-2017-12402 RESERVED CVE-2017-12401 RESERVED CVE-2017-12400 RESERVED CVE-2017-12399 RESERVED CVE-2017-12398 RESERVED CVE-2017-12397 RESERVED CVE-2017-12396 RESERVED CVE-2017-12395 RESERVED CVE-2017-12394 RESERVED CVE-2017-12393 RESERVED CVE-2017-12392 RESERVED CVE-2017-12391 RESERVED CVE-2017-12390 RESERVED CVE-2017-12389 RESERVED CVE-2017-12388 RESERVED CVE-2017-12387 RESERVED CVE-2017-12386 RESERVED CVE-2017-12385 RESERVED CVE-2017-12384 RESERVED CVE-2017-12383 RESERVED CVE-2017-12382 RESERVED CVE-2017-12381 RESERVED CVE-2017-12380 (ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerab ...) {DLA-1261-1} - clamav 0.99.3~beta2+dfsg-1 (bug #888484) [stretch] - clamav 0.99.2+dfsg-6+deb9u1 [jessie] - clamav 0.99.2+dfsg-0+deb8u3 NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11945 NOTE: https://github.com/vrtadmin/clamav-devel/commit/39c89d14a61aef2958b8ea64ade1be7a5faca897 CVE-2017-12379 (ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerab ...) {DLA-1261-1} - clamav 0.99.3~beta2+dfsg-1 (bug #888484) [stretch] - clamav 0.99.2+dfsg-6+deb9u1 [jessie] - clamav 0.99.2+dfsg-0+deb8u3 NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11944 NOTE: https://github.com/vrtadmin/clamav-devel/commit/0604618374dc0dfd148b0ce7bf7a3d2b7528e66b CVE-2017-12378 (ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerab ...) 
{DLA-1261-1} - clamav 0.99.3~beta2+dfsg-1 (bug #888484) [stretch] - clamav 0.99.2+dfsg-6+deb9u1 [jessie] - clamav 0.99.2+dfsg-0+deb8u3 NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11946 NOTE: https://github.com/vrtadmin/clamav-devel/commit/292d6878fa3e7fd2ab0f7275a78190639ad116d4 NOTE: https://github.com/vrtadmin/clamav-devel/commit/0cf813f835e48ab0f94dd54200ceba0dc25fa1c4 CVE-2017-12377 (ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerab ...) {DLA-1261-1} - clamav 0.99.3~beta2+dfsg-1 (bug #888484) [stretch] - clamav 0.99.2+dfsg-6+deb9u1 [jessie] - clamav 0.99.2+dfsg-0+deb8u3 NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11943 NOTE: https://github.com/vrtadmin/clamav-devel/commit/38da4800bfb2d6b13579950b6543302d13e3015c NOTE: https://github.com/vrtadmin/clamav-devel/commit/e887f113242ffcb0ea8735c3f567c6be77f382d6 CVE-2017-12376 (ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerab ...) {DLA-1261-1} - clamav 0.99.3~beta2+dfsg-1 (bug #888484) [stretch] - clamav 0.99.2+dfsg-6+deb9u1 [jessie] - clamav 0.99.2+dfsg-0+deb8u3 NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11942 NOTE: https://github.com/vrtadmin/clamav-devel/commit/c8ba4ae2e47a4f49add3e85ef7041b166be6bfdb CVE-2017-12375 (The ClamAV AntiVirus software versions 0.99.2 and prior contain a vuln ...) {DLA-1261-1} - clamav 0.99.3~beta2+dfsg-1 (bug #888484) [stretch] - clamav 0.99.2+dfsg-6+deb9u1 [jessie] - clamav 0.99.2+dfsg-0+deb8u3 NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11940 NOTE: https://github.com/vrtadmin/clamav-devel/commit/d1100be31a567718ce7c7dd6e6c632eddab55209 CVE-2017-12374 (The ClamAV AntiVirus software versions 0.99.2 and prior contain a vuln ...) 
{DLA-1261-1} - clamav 0.99.3~beta2+dfsg-1 (bug #888484) [stretch] - clamav 0.99.2+dfsg-6+deb9u1 [jessie] - clamav 0.99.2+dfsg-0+deb8u3 NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11939 NOTE: https://github.com/vrtadmin/clamav-devel/commit/7cf2a701041b775dda9743d01665279facc9b326 CVE-2017-12373 (A vulnerability in the TLS protocol implementation of legacy Cisco ASA ...) NOT-FOR-US: Cisco CVE-2017-12372 (A "Cisco WebEx Network Recording Player Remote Code Execution Vulnerab ...) NOT-FOR-US: Cisco CVE-2017-12371 (A "Cisco WebEx Network Recording Player Remote Code Execution Vulnerab ...) NOT-FOR-US: Cisco CVE-2017-12370 (A "Cisco WebEx Network Recording Player Remote Code Execution Vulnerab ...) NOT-FOR-US: Cisco CVE-2017-12369 (A "Cisco WebEx Network Recording Player Out-of-Bounds Vulnerability" e ...) NOT-FOR-US: Cisco CVE-2017-12368 (A "Cisco WebEx Network Recording Player Remote Code Execution Vulnerab ...) NOT-FOR-US: Cisco CVE-2017-12367 (A "Cisco WebEx Network Recording Player Denial of Service Vulnerabilit ...) NOT-FOR-US: Cisco CVE-2017-12366 (A vulnerability in Cisco WebEx Meeting Center could allow an unauthent ...) NOT-FOR-US: Cisco CVE-2017-12365 (A vulnerability in Cisco WebEx Event Center could allow an authenticat ...) NOT-FOR-US: Cisco CVE-2017-12364 (A SQL Injection vulnerability in the web framework of Cisco Prime Serv ...) NOT-FOR-US: Cisco CVE-2017-12363 (A vulnerability in Cisco WebEx Meeting Server could allow an unauthent ...) NOT-FOR-US: Cisco CVE-2017-12362 (A vulnerability in Cisco Meeting Server versions prior to 2.2.2 could ...) NOT-FOR-US: Cisco CVE-2017-12361 (A vulnerability in Cisco Jabber for Windows could allow an unauthentic ...) NOT-FOR-US: Cisco CVE-2017-12360 (A vulnerability in Cisco WebEx Network Recording Player for WebEx Reco ...) NOT-FOR-US: Cisco CVE-2017-12359 (A Buffer Overflow vulnerability in Cisco WebEx Network Recording Playe ...) 
NOT-FOR-US: Cisco CVE-2017-12358 (A vulnerability in the web-based management interface of Cisco Jabber ...) NOT-FOR-US: Cisco CVE-2017-12357 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2017-12356 (A vulnerability in the web-based management interface of Cisco Jabber ...) NOT-FOR-US: Cisco CVE-2017-12355 (A vulnerability in the Local Packet Transport Services (LPTS) ingress ...) NOT-FOR-US: Cisco CVE-2017-12354 (A vulnerability in the web-based interface of Cisco Secure Access Cont ...) NOT-FOR-US: Cisco CVE-2017-12353 (A vulnerability in the Multipurpose Internet Mail Extensions (MIME) sc ...) NOT-FOR-US: Cisco CVE-2017-12352 (A vulnerability in certain system script files that are installed at b ...) NOT-FOR-US: Cisco CVE-2017-12351 (A vulnerability in the guest shell feature of Cisco NX-OS System Softw ...) NOT-FOR-US: Cisco CVE-2017-12350 (A vulnerability in Cisco Umbrella Insights Virtual Appliances 2.1.0 an ...) NOT-FOR-US: Cisco CVE-2017-12349 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2017-12348 (Multiple vulnerabilities in the web-based management interface of Cisc ...) NOT-FOR-US: Cisco CVE-2017-12347 (Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) S ...) NOT-FOR-US: Cisco CVE-2017-12346 (Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) S ...) NOT-FOR-US: Cisco CVE-2017-12345 (Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) S ...) NOT-FOR-US: Cisco CVE-2017-12344 (Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) S ...) NOT-FOR-US: Cisco CVE-2017-12343 (Multiple vulnerabilities in Cisco Data Center Network Manager (DCNM) S ...) NOT-FOR-US: Cisco CVE-2017-12342 (A vulnerability in the Open Agent Container (OAC) feature of Cisco Nex ...) NOT-FOR-US: Cisco CVE-2017-12341 (A vulnerability in the CLI of Cisco NX-OS System Software could allow ...) 
NOT-FOR-US: Cisco CVE-2017-12340 (A vulnerability in Cisco NX-OS System Software running on Cisco MDS Mu ...) NOT-FOR-US: Cisco CVE-2017-12339 (A vulnerability in the CLI of Cisco NX-OS System Software could allow ...) NOT-FOR-US: Cisco CVE-2017-12338 (A vulnerability in the CLI of Cisco NX-OS System Software could allow ...) NOT-FOR-US: Cisco CVE-2017-12337 (A vulnerability in the upgrade mechanism of Cisco collaboration produc ...) NOT-FOR-US: Cisco CVE-2017-12336 (A vulnerability in the TCL scripting subsystem of Cisco NX-OS System S ...) NOT-FOR-US: Cisco CVE-2017-12335 (A vulnerability in the CLI of Cisco NX-OS System Software could allow ...) NOT-FOR-US: Cisco CVE-2017-12334 (A vulnerability in the CLI of Cisco NX-OS System Software could allow ...) NOT-FOR-US: Cisco CVE-2017-12333 (A vulnerability in Cisco NX-OS System Software could allow an authenti ...) NOT-FOR-US: Cisco CVE-2017-12332 (A vulnerability in Cisco NX-OS System Software patch installation coul ...) NOT-FOR-US: Cisco CVE-2017-12331 (A vulnerability in Cisco NX-OS System Software could allow an authenti ...) NOT-FOR-US: Cisco CVE-2017-12330 (A vulnerability in the CLI of Cisco NX-OS System Software could allow ...) NOT-FOR-US: Cisco CVE-2017-12329 (A vulnerability in the CLI of Cisco Firepower Extensible Operating Sys ...) NOT-FOR-US: Cisco CVE-2017-12328 (A vulnerability in Session Initiation Protocol (SIP) call handling in ...) NOT-FOR-US: Cisco CVE-2017-12327 RESERVED CVE-2017-12326 RESERVED CVE-2017-12325 RESERVED CVE-2017-12324 RESERVED CVE-2017-12323 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) NOT-FOR-US: Cisco CVE-2017-12322 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) NOT-FOR-US: Cisco CVE-2017-12321 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) NOT-FOR-US: Cisco CVE-2017-12320 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) 
NOT-FOR-US: Cisco CVE-2017-12319 (A vulnerability in the Border Gateway Protocol (BGP) over an Ethernet ...) NOT-FOR-US: Cisco CVE-2017-12318 (A vulnerability in the TCP state machine of Cisco RF Gateway 1 devices ...) NOT-FOR-US: Cisco CVE-2017-12317 (The Cisco AMP For Endpoints application allows an authenticated, local ...) NOT-FOR-US: Cisco CVE-2017-12316 (A vulnerability in the Guest Portal login page of Cisco Identity Servi ...) NOT-FOR-US: Cisco CVE-2017-12315 (A vulnerability in system logging when replication is being configured ...) NOT-FOR-US: Cisco CVE-2017-12314 (A vulnerability in the Cisco FindIT Network Discovery Utility could al ...) NOT-FOR-US: Cisco CVE-2017-12313 (An untrusted search path (aka DLL Preload) vulnerability in the Cisco ...) NOT-FOR-US: Cisco CVE-2017-12312 (An untrusted search path (aka DLL Preloading) vulnerability in the Cis ...) NOT-FOR-US: Cisco CVE-2017-12311 (A vulnerability in the H.264 decoder function of Cisco Meeting Server ...) NOT-FOR-US: Cisco CVE-2017-12310 (A vulnerability in the auto discovery phase of Cisco Spark Hybrid Cale ...) NOT-FOR-US: Cisco CVE-2017-12309 (A vulnerability in the Cisco Email Security Appliance (ESA) could allo ...) NOT-FOR-US: Cisco CVE-2017-12308 (A vulnerability in the web framework of Cisco Small Business Managed S ...) NOT-FOR-US: Cisco CVE-2017-12307 (A vulnerability in the web framework of Cisco Small Business Managed S ...) NOT-FOR-US: Cisco CVE-2017-12306 (A vulnerability in the upgrade process of Cisco Spark Board could allo ...) NOT-FOR-US: Cisco CVE-2017-12305 (A vulnerability in the debug interface of Cisco IP Phone 8800 series c ...) NOT-FOR-US: Cisco CVE-2017-12304 (A vulnerability in the IOS daemon (IOSd) web-based management interfac ...) NOT-FOR-US: Cisco CVE-2017-12303 (A vulnerability in the Advanced Malware Protection (AMP) file filterin ...) NOT-FOR-US: Cisco CVE-2017-12302 (A vulnerability in the Cisco Unified Communications Manager SQL databa ...) 
NOT-FOR-US: Cisco CVE-2017-12301 (A vulnerability in the Python scripting subsystem of Cisco NX-OS Softw ...) NOT-FOR-US: Cisco CVE-2017-12300 (A vulnerability in the SNORT detection engine of Cisco Firepower Syste ...) NOT-FOR-US: Cisco CVE-2017-12299 (A vulnerability exists in the process of creating default IP blocks du ...) NOT-FOR-US: Cisco CVE-2017-12298 (A vulnerability in Cisco WebEx Meeting Center could allow an unauthent ...) NOT-FOR-US: Cisco CVE-2017-12297 (A vulnerability in Cisco WebEx Meeting Center could allow an authentic ...) NOT-FOR-US: Cisco CVE-2017-12296 (A vulnerability in Cisco WebEx Meetings Server could allow an unauthen ...) NOT-FOR-US: Cisco CVE-2017-12295 (A vulnerability in Cisco WebEx Meetings Server could allow an unauthen ...) NOT-FOR-US: Cisco CVE-2017-12294 (A vulnerability in Cisco WebEx Meetings Server could allow an authenti ...) NOT-FOR-US: Cisco CVE-2017-12293 (A vulnerability in Cisco WebEx Meetings Server could allow an unauthen ...) NOT-FOR-US: Cisco CVE-2017-12292 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) NOT-FOR-US: Cisco CVE-2017-12291 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) NOT-FOR-US: Cisco CVE-2017-12290 (Multiple vulnerabilities in the web interface of the Cisco Registered ...) NOT-FOR-US: Cisco CVE-2017-12289 (A vulnerability in conditional, verbose debug logging for the IPsec fe ...) NOT-FOR-US: Cisco CVE-2017-12288 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2017-12287 (A vulnerability in the cluster database (CDB) management component of ...) NOT-FOR-US: Cisco CVE-2017-12286 (A vulnerability in the web interface of Cisco Jabber could allow an au ...) NOT-FOR-US: Cisco CVE-2017-12285 (A vulnerability in the web interface of Cisco Network Analysis Module ...) NOT-FOR-US: Cisco CVE-2017-12284 (A vulnerability in the web interface of Cisco Jabber for Windows Clien ...) 
NOT-FOR-US: Cisco CVE-2017-12283 (A vulnerability in the handling of 802.11w Protected Management Frames ...) NOT-FOR-US: Cisco CVE-2017-12282 (A vulnerability in the Access Network Query Protocol (ANQP) ingress fr ...) NOT-FOR-US: Cisco CVE-2017-12281 (A vulnerability in the implementation of Protected Extensible Authenti ...) NOT-FOR-US: Cisco CVE-2017-12280 (A vulnerability in the Control and Provisioning of Wireless Access Poi ...) NOT-FOR-US: Cisco CVE-2017-12279 (A vulnerability in the packet processing code of Cisco IOS Software fo ...) NOT-FOR-US: Cisco CVE-2017-12278 (A vulnerability in the Simple Network Management Protocol (SNMP) subsy ...) NOT-FOR-US: Cisco CVE-2017-12277 (A vulnerability in the Smart Licensing Manager service of the Cisco Fi ...) NOT-FOR-US: Cisco CVE-2017-12276 (A vulnerability in the web framework code for the SQL database interfa ...) NOT-FOR-US: Cisco CVE-2017-12275 (A vulnerability in the implementation of 802.11v Basic Service Set (BS ...) NOT-FOR-US: Cisco CVE-2017-12274 (A vulnerability in Extensible Authentication Protocol (EAP) ingress fr ...) NOT-FOR-US: Cisco CVE-2017-12273 (A vulnerability in 802.11 association request frame processing for the ...) NOT-FOR-US: Cisco CVE-2017-12272 (A vulnerability in the web framework code of Cisco IOS XE Software cou ...) NOT-FOR-US: Cisco CVE-2017-12271 (A vulnerability in Cisco SPA300 and SPA500 Series IP Phones could allo ...) NOT-FOR-US: Cisco CVE-2017-12270 (A vulnerability in the gRPC code of Cisco IOS XR Software for Cisco Ne ...) NOT-FOR-US: Cisco CVE-2017-12269 (A vulnerability in the web UI of Cisco Spark Messaging Software could ...) NOT-FOR-US: Cisco CVE-2017-12268 (A vulnerability in the Network Access Manager (NAM) of Cisco AnyConnec ...) NOT-FOR-US: Cisco CVE-2017-12267 (A vulnerability in the Independent Computing Architecture (ICA) accele ...) NOT-FOR-US: Cisco CVE-2017-12266 (A vulnerability in the routine that loads DLL files in Cisco Meeting A ...) 
NOT-FOR-US: Cisco CVE-2017-12265 (A vulnerability in the web-based management interface of Cisco Adaptiv ...) NOT-FOR-US: Cisco CVE-2017-12264 (A vulnerability in the Web Admin Interface of Cisco Meeting Server cou ...) NOT-FOR-US: Cisco CVE-2017-12263 (A vulnerability in the web interface of Cisco License Manager software ...) NOT-FOR-US: Cisco CVE-2017-12262 (A vulnerability within the firewall configuration of the Cisco Applica ...) NOT-FOR-US: Cisco CVE-2017-12261 (A vulnerability in the restricted shell of the Cisco Identity Services ...) NOT-FOR-US: Cisco CVE-2017-12260 (A vulnerability in the implementation of Session Initiation Protocol ( ...) NOT-FOR-US: Cisco CVE-2017-12259 (A vulnerability in the implementation of Session Initiation Protocol ( ...) NOT-FOR-US: Cisco CVE-2017-12258 (A vulnerability in the web-based UI of Cisco Unified Communications Ma ...) NOT-FOR-US: Cisco CVE-2017-12257 (A vulnerability in the web framework of Cisco WebEx Meetings Server co ...) NOT-FOR-US: Cisco CVE-2017-12256 (A vulnerability in the Akamai Connect feature of Cisco Wide Area Appli ...) NOT-FOR-US: Cisco CVE-2017-12255 (A vulnerability in the CLI of Cisco UCS Central Software could allow a ...) NOT-FOR-US: Cisco CVE-2017-12254 (A vulnerability in the web interface of Cisco Unified Intelligence Cen ...) NOT-FOR-US: Cisco CVE-2017-12253 (A vulnerability in the Cisco Unified Intelligence Center could allow a ...) NOT-FOR-US: Cisco CVE-2017-12252 (A vulnerability in the Cisco FindIT Network Discovery Utility could al ...) NOT-FOR-US: Cisco CVE-2017-12251 (A vulnerability in the web console of the Cisco Cloud Services Platfor ...) NOT-FOR-US: Cisco CVE-2017-12250 (A vulnerability in the HTTP web interface for Cisco Wide Area Applicat ...) NOT-FOR-US: Cisco CVE-2017-12249 (A vulnerability in the Traversal Using Relay NAT (TURN) server include ...) NOT-FOR-US: Cisco Meeting Server CVE-2017-12248 (A vulnerability in the web framework code of Cisco Unified Intelligenc ...) 
NOT-FOR-US: Cisco CVE-2017-12247 RESERVED CVE-2017-12246 (A vulnerability in the implementation of the direct authentication fea ...) NOT-FOR-US: Cisco CVE-2017-12245 (A vulnerability in SSL traffic decryption for Cisco Firepower Threat D ...) NOT-FOR-US: Cisco CVE-2017-12244 (A vulnerability in the detection engine parsing of IPv6 packets for Ci ...) NOT-FOR-US: Cisco CVE-2017-12243 (A vulnerability in the Cisco Unified Computing System (UCS) Manager, C ...) NOT-FOR-US: Cisco CVE-2017-12242 RESERVED CVE-2017-12241 RESERVED CVE-2017-12240 (The DHCP relay subsystem of Cisco IOS 12.2 through 15.6 and Cisco IOS ...) NOT-FOR-US: Cisco CVE-2017-12239 (A vulnerability in motherboard console ports of line cards for Cisco A ...) NOT-FOR-US: Cisco CVE-2017-12238 (A vulnerability in the Virtual Private LAN Service (VPLS) code of Cisc ...) NOT-FOR-US: Cisco CVE-2017-12237 (A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module ...) NOT-FOR-US: Cisco CVE-2017-12236 (A vulnerability in the implementation of the Locator/ID Separation Pro ...) NOT-FOR-US: Cisco CVE-2017-12235 (A vulnerability in the implementation of the PROFINET Discovery and Co ...) NOT-FOR-US: Cisco CVE-2017-12234 (Multiple vulnerabilities in the implementation of the Common Industria ...) NOT-FOR-US: Cisco CVE-2017-12233 (Multiple vulnerabilities in the implementation of the Common Industria ...) NOT-FOR-US: Cisco CVE-2017-12232 (A vulnerability in the implementation of a protocol in Cisco Integrate ...) NOT-FOR-US: Cisco CVE-2017-12231 (A vulnerability in the implementation of Network Address Translation ( ...) NOT-FOR-US: Cisco CVE-2017-12230 (A vulnerability in the web-based user interface (web UI) of Cisco IOS ...) NOT-FOR-US: Cisco CVE-2017-12229 (A vulnerability in the REST API of the web-based user interface (web U ...) NOT-FOR-US: Cisco CVE-2017-12228 (A vulnerability in the Cisco Network Plug and Play application of Cisc ...) 
NOT-FOR-US: Cisco CVE-2017-12227 (A vulnerability in the SQL database interface for Cisco Emergency Resp ...) NOT-FOR-US: Cisco CVE-2017-12226 (A vulnerability in the web-based Wireless Controller GUI of Cisco IOS ...) NOT-FOR-US: Cisco CVE-2017-12225 (A vulnerability in the web functionality of the Cisco Prime LAN Manage ...) NOT-FOR-US: Cisco CVE-2017-12224 (A vulnerability in the ability for guest users to join meetings via a ...) NOT-FOR-US: Cisco CVE-2017-12223 (A vulnerability in the ROM Monitor (ROMMON) code of Cisco IR800 Integr ...) NOT-FOR-US: Cisco CVE-2017-12222 (A vulnerability in the wireless controller manager of Cisco IOS XE cou ...) NOT-FOR-US: Cisco CVE-2017-12221 (A vulnerability in the web framework of Cisco Firepower Management Cen ...) NOT-FOR-US: Cisco CVE-2017-12220 (A vulnerability in the web-based management interface of Cisco Firepow ...) NOT-FOR-US: Cisco CVE-2017-12219 (A vulnerability in the handling of IP fragments for the Cisco Small Bu ...) NOT-FOR-US: Cisco CVE-2017-12218 (A vulnerability in the malware detection functionality within Advanced ...) NOT-FOR-US: Cisco CVE-2017-12217 (A vulnerability in the General Packet Radio Service (GPRS) Tunneling P ...) NOT-FOR-US: Cisco CVE-2017-12216 (A vulnerability in the web-based user interface of Cisco SocialMiner c ...) NOT-FOR-US: Cisco CVE-2017-12215 (A vulnerability in the email message filtering feature of Cisco AsyncO ...) NOT-FOR-US: Cisco CVE-2017-12214 (A vulnerability in the Operations, Administration, Maintenance, and Pr ...) NOT-FOR-US: Cisco CVE-2017-12213 (A vulnerability in the dynamic access control list (ACL) feature of Ci ...) NOT-FOR-US: Cisco CVE-2017-12212 (A vulnerability in the web framework of Cisco Unity Connection could a ...) NOT-FOR-US: Cisco CVE-2017-12211 (A vulnerability in the IPv6 Simple Network Management Protocol (SNMP) ...) 
NOT-FOR-US: Cisco CVE-2017-12210 RESERVED CVE-2017-12209 RESERVED CVE-2017-12208 RESERVED CVE-2017-12207 RESERVED CVE-2017-12206 RESERVED CVE-2017-12205 RESERVED CVE-2017-12204 RESERVED CVE-2017-12203 RESERVED CVE-2017-12202 RESERVED CVE-2017-12201 RESERVED CVE-2017-12425 (An issue was discovered in Varnish HTTP Cache 4.0.1 through 4.0.4, 4.1 ...) {DSA-3924-1} - varnish 5.0.0-7.1 (bug #870467) [wheezy] - varnish (code path is not exposed to clients) NOTE: https://www.varnish-cache.org/security/VSV00001.html#vsv00001 NOTE: https://github.com/varnishcache/varnish-cache/issues/2379 NOTE: https://github.com/varnishcache/varnish-cache/commit/09731b24b2225e3c0d66d3ec1b4fedef6fa22b6e CVE-2017-12200 (The Etoile Ultimate Product Catalog plugin 4.2.11 for WordPress has XS ...) NOT-FOR-US: Wordpress plugin CVE-2017-12199 (The Etoile Ultimate Product Catalog plugin 4.2.11 for WordPress has SQ ...) NOT-FOR-US: Wordpress plugin CVE-2017-12198 RESERVED CVE-2017-12197 (It was found that libpam4j up to and including 1.8 did not properly va ...) {DSA-4025-1 DLA-1165-1} - libpam4j 1.4-3 (bug #879001) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1503103 NOTE: https://github.com/kohsuke/libpam4j/issues/18 NOTE: (Non-upstream) patch: https://github.com/letonez/libpam4j/commit/84f32f4001fc6bdcc125ccc959081de022d18b6d CVE-2017-12196 (undertow before versions 1.4.18.SP1, 2.0.2.Final, 1.4.24.Final was fou ...) - undertow 1.4.25-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1503055 NOTE: Fixed by https://github.com/undertow-io/undertow/commit/facb33a5cedaf4b7b96d3840a08210370a806870 NOTE: See also https://github.com/undertow-io/undertow/commit/8804170ce3186bdd83b486959399ec7ac0f59d0f CVE-2017-12195 (A flaw was found in all Openshift Enterprise versions using the opensh ...) NOT-FOR-US: OpenShift CVE-2017-12194 (A flaw was found in the way spice-client processed certain messages se ...) 
- spice-gtk 0.35-1 (bug #898503) [stretch] - spice-gtk (Minor issue) [jessie] - spice-gtk (Minor issue) [wheezy] - spice-gtk (Vulnerable code is not in any binary package, only in the source package) NOTE: Proposed patches in: https://bugzilla.redhat.com/show_bug.cgi?id=1240165 NOTE: Although not present in the binary packages the (de)marshal.py are used to NOTE: generate respective code which should be in libspice-common-client. CVE-2017-12193 (The assoc_array_insert_into_terminal_node function in lib/assoc_array. ...) - linux 4.13.13-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 [wheezy] - linux (Vulnerable code introduced in 3.13-rc1) NOTE: Fixed by: https://git.kernel.org/linus/ea6789980fdaa610d7eb63602c746bf6ec70cd2b (4.14-rc7) NOTE: Introduced by: https://git.kernel.org/linus/3cb989501c2688cacbb7dc4b0d353faf838f53a1 (3.13-rc1) CVE-2017-12192 (The keyctl_read_key function in security/keys/keyctl.c in the Key Mana ...) - linux 4.13.4-2 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/37863c43b2c6464f252862bf2e9768264e961678 (4.14-rc3) NOTE: Introduced by: https://git.kernel.org/linus/61ea0c0ba904a55f55317d850c1072ff7835ac92 (3.13-rc1) CVE-2017-12191 (A flaw was found in the CloudForms account configuration when using VM ...) NOT-FOR-US: Red Hat CloudForms CVE-2017-12190 (The bio_map_user_iov and bio_unmap_user functions in block/bio.c in th ...) {DLA-1200-1} - linux 4.13.10-1 [stretch] - linux 4.9.65-1 [jessie] - linux 3.16.51-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1495089 CVE-2017-12189 (It was discovered that the jboss init script as used in Red Hat JBoss ...) NOT-FOR-US: Red Hat JBoss; jbossas init script CVE-2017-12188 (arch/x86/kvm/mmu.c in the Linux kernel through 4.13.5, when nested vir ...)
- linux 4.13.4-2 [stretch] - linux 4.9.65-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1500380 NOTE: https://www.spinics.net/lists/kvm/msg156651.html CVE-2017-12187 (xorg-x11-server before 1.19.5 was missing length validation in RENDER ...) {DSA-4000-1 DLA-1186-1} - xorg-server 2:1.19.5-1 NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=cad5a1050b7184d828aef9c1dd151c3ab649d37e CVE-2017-12186 (xorg-x11-server before 1.19.5 was missing length validation in X-Resou ...) {DSA-4000-1} - xorg-server 2:1.19.5-1 [wheezy] - xorg-server (Vulnerable code introduced later) NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=cad5a1050b7184d828aef9c1dd151c3ab649d37e CVE-2017-12185 (xorg-x11-server before 1.19.5 was missing length validation in MIT-SCR ...) {DSA-4000-1 DLA-1186-1} - xorg-server 2:1.19.5-1 NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=cad5a1050b7184d828aef9c1dd151c3ab649d37e CVE-2017-12184 (xorg-x11-server before 1.19.5 was missing length validation in XINERAM ...) {DSA-4000-1 DLA-1186-1} - xorg-server 2:1.19.5-1 NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=cad5a1050b7184d828aef9c1dd151c3ab649d37e CVE-2017-12183 (xorg-x11-server before 1.19.5 was missing length validation in XFIXES ...) {DSA-4000-1 DLA-1186-1} - xorg-server 2:1.19.5-1 NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=55caa8b08c84af2b50fbc936cf334a5a93dd7db5 CVE-2017-12182 (xorg-x11-server before 1.19.5 was missing length validation in XFree86 ...) {DSA-4000-1 DLA-1186-1} - xorg-server 2:1.19.5-1 NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=1b1d4c04695dced2463404174b50b3581dbd857b CVE-2017-12181 (xorg-x11-server before 1.19.5 was missing length validation in XFree86 ...) 
{DSA-4000-1} - xorg-server 2:1.19.5-1 [wheezy] - xorg-server (Vulnerable code introduced later) NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=1b1d4c04695dced2463404174b50b3581dbd857b CVE-2017-12180 (xorg-x11-server before 1.19.5 was missing length validation in XFree86 ...) {DSA-4000-1 DLA-1186-1} - xorg-server 2:1.19.5-1 NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=1b1d4c04695dced2463404174b50b3581dbd857b CVE-2017-12179 (xorg-x11-server before 1.19.5 was vulnerable to integer overflow in (S ...) {DSA-4000-1} - xorg-server 2:1.19.5-1 [wheezy] - xorg-server (Vulnerable code introduced later) CVE-2017-12178 (xorg-x11-server before 1.19.5 had wrong extra length check in ProcXICh ...) {DSA-4000-1 DLA-1186-1} - xorg-server 2:1.19.5-1 NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=859b08d523307eebde7724fd1a0789c44813e821 CVE-2017-12177 (xorg-x11-server before 1.19.5 was vulnerable to integer overflow in Pr ...) {DSA-4000-1 DLA-1186-1} - xorg-server 2:1.19.5-1 NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=4ca68b878e851e2136c234f40a25008297d8d831 CVE-2017-12176 (xorg-x11-server before 1.19.5 was missing extra length validation in P ...) {DSA-4000-1 DLA-1186-1} - xorg-server 2:1.19.5-1 NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=b747da5e25be944337a9cd1415506fc06b70aa81 CVE-2017-12175 (Red Hat Satellite before 6.5 is vulnerable to a XSS in discovery rule ...) NOT-FOR-US: Red Hat Satellite CVE-2017-12174 (It was found that when Artemis and HornetQ before 2.4.0 are configured ...) NOT-FOR-US: Artemis and HornetQ CVE-2017-12173 (It was found that sssd's sysdb_search_user_by_upn_res() function befor ...) 
- sssd 1.15.3-2 (bug #877885) [stretch] - sssd 1.15.0-3+deb9u1 [jessie] - sssd (Vulnerable code introduced later) [wheezy] - sssd (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1498173 NOTE: Fixed by: https://pagure.io/SSSD/sssd/c/1f2662c8f97c9c0fa250055d4b6750abfc6d0835 NOTE: Introduced by https://pagure.io/SSSD/sssd/c/7ecb5aea65cb1899f16e7a41bffa93d074defd4a (sssd-1_12_0) CVE-2017-12172 (PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, ...) - postgresql-10 10.1-1 (unimportant) - postgresql-9.6 (unimportant) [stretch] - postgresql-9.6 9.6.6-0+deb9u1 - postgresql-9.4 (unimportant) [jessie] - postgresql-9.4 9.4.15-0+deb8u1 - postgresql-9.1 (unimportant) [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) [wheezy] - postgresql-9.1 (Vulnerable code not installed) NOTE: Issue in sample init-script as provided by postgresql project, but not installed CVE-2017-12171 (A regression was found in the Red Hat Enterprise Linux 6.9 version of ...) - apache2 (Introduced by Red Hat RHEL 6.9 specific non-security patch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1493056 CVE-2017-12170 (Downstream version 1.0.46-1 of pure-ftpd as shipped in Fedora was vuln ...) - pure-ftpd (Fedora specific packaging error) CVE-2017-12169 (It was found that FreeIPA 4.2.0 and later could disclose password hash ...) - freeipa (unimportant; bug #895950) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1487697 NOTE: Proposed patch: https://bugzilla.redhat.com/attachment.cgi?id=1331008 NOTE: Negligible security impact CVE-2017-12168 (The access_pmu_evcntr function in arch/arm64/kvm/sys_regs.c in the Lin ...) - linux 4.8.11-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/9e3f7a29694049edd728e2400ab57ad7553e5aa9 (4.9-rc6) CVE-2017-12167 (It was found in EAP 7 before 7.0.9 that properties based files of the ...)
NOT-FOR-US: Red Hat JBoss EAP CVE-2017-12166 (OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to ...) - openvpn 2.4.4-1 (bug #877089) [stretch] - openvpn (Minor issue) [jessie] - openvpn (Minor issue) [wheezy] - openvpn (Minor issue) NOTE: https://community.openvpn.net/openvpn/wiki/CVE-2017-12166 NOTE: https://www.openwall.com/lists/oss-security/2017/09/28/2 NOTE: https://community.openvpn.net/openvpn/changeset/3b1a61e9fb27213c46f76312f4065816bee8ed01/ (master) NOTE: https://community.openvpn.net/openvpn/changeset/c7e259160b28e94e4ea7f0ef767f8134283af255/ (release/2.4) NOTE: https://community.openvpn.net/openvpn/changeset/fce34375295151f548a26c2d0eb30141e427c81a/ (release/2.3) NOTE: https://community.openvpn.net/openvpn/changeset/a9f5c744d6b09f2495ca48d2c926efd3a4b981e6/ (release/2.2) CVE-2017-12165 (It was discovered that Undertow before 1.4.17, 1.3.31 and 2.0.0 proces ...) - undertow 2.0.23-1 (bug #885338) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1490301 NOTE: Fix likely included in the same commit as the fix for CVE-2017-7559 NOTE: https://github.com/undertow-io/undertow/commit/3436b03eda8b0b62c1855698c4d7c358add836c2 CVE-2017-12164 (A flaw was discovered in gdm 3.24.1 where gdm greeter was no longer se ...) - gdm3 3.26.0-1 [stretch] - gdm3 (Vulnerable code not present) [jessie] - gdm3 (Vulnerable code not present) [wheezy] - gdm3 (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1490417 NOTE: Introduced in https://git.gnome.org/browse/gdm/commit/?id=ff98b28 CVE-2017-12163 (An information leak flaw was found in the way SMB1 protocol was implem ...) {DSA-3983-1 DLA-1110-1} - samba 2:4.6.7+dfsg-2 NOTE: https://www.samba.org/samba/security/CVE-2017-12163.html CVE-2017-12162 RESERVED CVE-2017-12161 (It was found that keycloak before 3.4.2 final would permit misuse of a ...) NOT-FOR-US: Keycloak CVE-2017-12160 (It was found that Keycloak oauth would permit an authenticated resourc ...) 
NOT-FOR-US: Keycloak CVE-2017-12159 (It was found that the cookie used for CSRF prevention in Keycloak was ...) NOT-FOR-US: Keycloak CVE-2017-12158 (It was found that Keycloak would accept a HOST header URL in the admin ...) NOT-FOR-US: Keycloak CVE-2017-12157 (In Moodle 3.x, various course reports allow teachers to view details a ...) - moodle NOTE: https://moodle.org/mod/forum/discuss.php?d=358586 CVE-2017-12156 (Moodle 3.x has XSS in the contact form on the "non-respondents" page i ...) - moodle NOTE: https://moodle.org/mod/forum/discuss.php?d=358585 CVE-2017-12155 (A resource-permission flaw was found in the openstack-tripleo-heat-tem ...) - tripleo-heat-templates (bug #900176) NOTE: https://bugs.launchpad.net/tripleo/+bug/1720787 CVE-2017-12154 (The prepare_vmcs02 function in arch/x86/kvm/vmx.c in the Linux kernel ...) {DSA-3981-1 DLA-1099-1} - linux 4.12.13-1 NOTE: Fixed by: https://git.kernel.org/linus/51aa68e7d57e3217192d88ce90fd5b8ef29ec94f (v4.14-rc1) NOTE: https://www.spinics.net/lists/kvm/msg155414.html CVE-2017-12153 (A security flaw was discovered in the nl80211_set_rekey_data() functio ...) {DSA-3981-1 DLA-1099-1} - linux 4.12.13-1 NOTE: https://marc.info/?t=150525503100001&r=1&w=2 NOTE: https://marc.info/?l=linux-wireless&m=150525493517953&w=2 CVE-2017-12152 RESERVED CVE-2017-12151 (A flaw was found in the way samba client before samba 4.4.16, samba 4. ...) {DSA-3983-1} - samba 2:4.6.7+dfsg-2 [wheezy] - samba (Vulnerable code introduced later) NOTE: https://www.samba.org/samba/security/CVE-2017-12151.html CVE-2017-12150 (It was found that samba before 4.4.16, 4.5.x before 4.5.14, and 4.6.x ...) {DSA-3983-1 DLA-1110-1} - samba 2:4.6.7+dfsg-2 NOTE: https://www.samba.org/samba/security/CVE-2017-12150.html CVE-2017-12149 (In Jboss Application Server as shipped with Red Hat Enterprise Applica ...) - jbossas4 [wheezy] - jbossas4 (incomplete packaging, 4.x series released more than nine years ago.) 
CVE-2017-12148 (A flaw was found in Ansible Tower's interface before 3.1.5 and 3.2.0 w ...) NOT-FOR-US: Ansible Tower CVE-2017-12147 RESERVED CVE-2017-12146 (The driver_override implementation in drivers/base/platform.c in the L ...) - linux 4.11.11-1 [stretch] - linux 4.9.30-2+deb9u5 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/6265539776a0810b7ce6398c27866ddb9c6bd154 (v4.13-rc1) CVE-2017-12145 (In libquicktime 1.2.4, an allocation failure was found in the function ...) - libquicktime (unimportant) NOTE: Negligible security impact CVE-2017-12144 (In ytnef 1.9.2, an allocation failure was found in the function TNEFFi ...) - libytnef 1.9.3-1 (bug #870817) [stretch] - libytnef (Minor issue) [jessie] - libytnef (Minor issue) [wheezy] - libytnef (Minor issue) NOTE: https://github.com/Yeraze/ytnef/issues/51 NOTE: https://github.com/ohwgiles/ytnef/commit/a341b7f1bf8a2c59ece89f2d6cdc09856d501cc0 CVE-2017-12143 (In libquicktime 1.2.4, an allocation failure was found in the function ...) - libquicktime (unimportant) NOTE: Negligible security impact CVE-2017-12142 (In ytnef 1.9.2, an invalid memory read vulnerability was found in the ...) - libytnef 1.9.3-1 (low; bug #870816) [stretch] - libytnef (Minor issue) [jessie] - libytnef (Minor issue) [wheezy] - libytnef (Minor issue) NOTE: https://github.com/Yeraze/ytnef/issues/49 NOTE: https://github.com/Yeraze/ytnef/commit/35dc50190aac54947bafb3d84ab7727e940c6236 CVE-2017-12141 (In ytnef 1.9.2, a heap-based buffer overflow vulnerability was found i ...) - libytnef 1.9.3-1 (low; bug #870815) [stretch] - libytnef (Minor issue) [jessie] - libytnef (Minor issue) [wheezy] - libytnef (Minor issue) NOTE: https://github.com/Yeraze/ytnef/issues/50 CVE-2017-12140 (The ReadDCMImage function in coders\dcm.c in ImageMagick 7.0.6-1 has a ...) 
{DLA-2366-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.9.34+dfsg-3 (low; bug #873059) NOTE: https://github.com/ImageMagick/ImageMagick/issues/533 NOTE: https://github.com/ImageMagick/ImageMagick/commit/94933146cb2d9d95889a385f08d5eb5f92d4e3cd NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/6bf56fbe1fc551f198c3491ed58d56bb5efea23c CVE-2017-12139 (XOOPS Core 2.5.8 has stored XSS in imagemanager.php because of missing ...) NOT-FOR-US: XOOPS CVE-2017-12138 (XOOPS Core 2.5.8 has a stored URL redirect bypass vulnerability in /mo ...) NOT-FOR-US: XOOPS CVE-2017-12137 (arch/x86/mm.c in Xen allows local PV guest OS users to gain host OS pr ...) {DSA-3969-1 DLA-1132-1} - xen 4.8.1-1+deb9u3 NOTE: https://xenbits.xen.org/xsa/advisory-227.html CVE-2017-12136 (Race condition in the grant table code in Xen 4.6.x through 4.9.x allo ...) - xen 4.8.1-1+deb9u3 [stretch] - xen 4.8.1-1+deb9u3 [jessie] - xen (Only affects 4.6 and later) [wheezy] - xen (Only affects 4.6 and later) NOTE: https://xenbits.xen.org/xsa/advisory-228.html CVE-2017-12135 (Xen allows local OS guest users to cause a denial of service (crash) o ...) {DSA-3969-1 DLA-1132-1} - xen 4.8.1-1+deb9u3 NOTE: https://xenbits.xen.org/xsa/advisory-226.html CVE-2017-12134 (The xen_biovec_phys_mergeable function in drivers/xen/biomerge.c in Xe ...) {DSA-3981-1 DLA-1099-1} - linux 4.12.12-1 NOTE: https://xenbits.xen.org/xsa/advisory-229.html NOTE: https://git.kernel.org/linus/462cdace790ac2ed6aad1b19c9c0af0143b6aab0 (v4.13-rc6) CVE-2017-12133 (Use-after-free vulnerability in the clntudp_call function in sunrpc/cl ...) 
- glibc 2.24-15 (bug #870648) [stretch] - glibc 2.24-11+deb9u2 [jessie] - glibc (Minor issue) - eglibc [wheezy] - eglibc (Minor issue) NOTE: issue introduced by fix for CVE-2016-4429 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21115 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d42eed4a044e5e10dfb885cf9891c2518a72a491 CVE-2017-12132 (The DNS stub resolver in the GNU C Library (aka glibc or libc6) before ...) [experimental] - glibc 2.25-0experimental1 - glibc 2.25-1 (bug #870650) [stretch] - glibc (Minor issue) [jessie] - glibc (Minor issue) - eglibc [wheezy] - eglibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21361 NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e14a27723cc3a154d67f3f26e719d08c0ba9ad25 NOTE: https://arxiv.org/pdf/1205.4011.pdf CVE-2017-12131 (The Easy Testimonials plugin 3.0.4 for WordPress has XSS in include/se ...) NOT-FOR-US: Wordpress plugin CVE-2017-12130 (An exploitable NULL pointer dereference vulnerability exists in the ti ...) NOT-FOR-US: tinysvcmdns CVE-2017-12129 (An exploitable Weak Cryptography for Passwords vulnerability exists in ...) NOT-FOR-US: Moxa CVE-2017-12128 (An exploitable information disclosure vulnerability exists in the Serv ...) NOT-FOR-US: Moxa CVE-2017-12127 (A password storage vulnerability exists in the operating system functi ...) NOT-FOR-US: Moxa CVE-2017-12126 (An exploitable cross-site request forgery vulnerability exists in the ...) NOT-FOR-US: Moxa CVE-2017-12125 (An exploitable command injection vulnerability exists in the web serve ...) NOT-FOR-US: Moxa CVE-2017-12124 (An exploitable denial of service vulnerability exists in the web serve ...) NOT-FOR-US: Moxa CVE-2017-12123 (An exploitable clear text transmission of password vulnerability exist ...) NOT-FOR-US: Moxa CVE-2017-12122 (An exploitable code execution vulnerability exists in the ILBM image r ...) 
{DSA-4184-1 DSA-4177-1 DLA-1341-1} - libsdl2-image 2.0.3+dfsg1-1 - sdl-image1.2 1.2.12-8 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0488 NOTE: https://hg.libsdl.org/SDL_image/rev/16772bbb1b09 NOTE: https://hg.libsdl.org/SDL_image/rev/97f7f01e0665 CVE-2017-12121 (An exploitable command injection vulnerability exists in the web serve ...) NOT-FOR-US: Moxa CVE-2017-12120 (An exploitable command injection vulnerability exists in the web serve ...) NOT-FOR-US: Moxa CVE-2017-12119 (An exploitable unhandled exception vulnerability exists in multiple AP ...) - cpp-ethereum (bug #860434) CVE-2017-12118 (An exploitable improper authorization vulnerability exists in miner_st ...) - cpp-ethereum (bug #860434) CVE-2017-12117 (An exploitable improper authorization vulnerability exists in miner_st ...) - cpp-ethereum (bug #860434) CVE-2017-12116 (An exploitable improper authorization vulnerability exists in miner_se ...) - cpp-ethereum (bug #860434) CVE-2017-12115 (An exploitable improper authorization vulnerability exists in miner_se ...) - cpp-ethereum (bug #860434) CVE-2017-12114 (An exploitable improper authorization vulnerability exists in admin_pe ...) - cpp-ethereum (bug #860434) CVE-2017-12113 (An exploitable improper authorization vulnerability exists in admin_no ...) - cpp-ethereum (bug #860434) CVE-2017-12112 (An exploitable improper authorization vulnerability exists in admin_ad ...) - cpp-ethereum (bug #860434) CVE-2017-12111 (An exploitable out-of-bounds vulnerability exists in the xls_addCell f ...) {DSA-4173-1} - r-cran-readxl 1.0.0-2 (bug #895564) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0463 CVE-2017-12110 (An exploitable integer overflow vulnerability exists in the xls_append ...) {DSA-4173-1} - r-cran-readxl 1.0.0-2 (bug #895564) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0462 CVE-2017-12109 (An exploitable integer overflow vulnerability exists in the xls_prepar ...) 
{DSA-4173-1} - r-cran-readxl 1.0.0-2 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0461 CVE-2017-12108 (An exploitable integer overflow vulnerability exists in the xls_prepar ...) {DSA-4173-1} - r-cran-readxl 1.0.0-2 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0460 CVE-2017-12107 (A memory corruption vulnerability exists in the .PCX parsing function ...) NOT-FOR-US: Computerinsel Photoline CVE-2017-12106 (A memory corruption vulnerability exists in the .TGA parsing functiona ...) NOT-FOR-US: Computerinsel Photoline CVE-2017-12105 (An exploitable integer overflow exists in the way that the Blender ope ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0457 CVE-2017-12104 (An exploitable integer overflow exists in the way that the Blender ope ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e6df02861e17f75d4dd243776f35208681b78465 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0456 CVE-2017-12103 (An exploitable integer overflow exists in the way that the Blender ope ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e6df02861e17f75d4dd243776f35208681b78465 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0455 CVE-2017-12102 (An exploitable integer overflow exists in the way that the Blender ope ...)
{DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e6df02861e17f75d4dd243776f35208681b78465 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0454 CVE-2017-12101 (An exploitable integer overflow exists in the 'modifier_mdef_compact_i ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0453 CVE-2017-12100 (An exploitable integer overflow exists in the 'multires_load_old_dm' f ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0452 CVE-2017-12099 (An exploitable integer overflow exists in the upgrade of the legacy Me ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0451 CVE-2017-12098 (An exploitable cross site scripting (XSS) vulnerability exists in the ...) - ruby-rails-admin (bug #900178) [stretch] - ruby-rails-admin (Minor issue) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0450 NOTE: https://github.com/sferik/rails_admin/issues/2985 NOTE: https://github.com/sferik/rails_admin/commit/44f09ed72b5e0e917a5d61bd89c48d97c494b41c CVE-2017-12097 (An exploitable cross site scripting (XSS) vulnerability exists in the ...) 
NOT-FOR-US: delayed_job_web rails gem CVE-2017-12096 (An exploitable vulnerability exists in the WiFi management of Circle w ...) NOT-FOR-US: Circle of Disney CVE-2017-12095 (An exploitable vulnerability exists in the WiFi Access Point feature o ...) NOT-FOR-US: Circle of Disney CVE-2017-12094 (An exploitable vulnerability exists in the WiFi Channel parsing of Cir ...) NOT-FOR-US: Circle with Disney CVE-2017-12093 (An exploitable insufficient resource pool vulnerability exists in the ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-12092 (An exploitable file write vulnerability exists in the memory module fu ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-12091 REJECTED CVE-2017-12090 (An exploitable denial of service vulnerability exists in the processin ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-12089 (An exploitable denial of service vulnerability exists in the program d ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-12088 (An exploitable denial of service vulnerability exists in the Ethernet ...) NOT-FOR-US: Allen Bradley Micrologix CVE-2017-12087 (An exploitable heap overflow vulnerability exists in the tinysvcmdns l ...) - shairport-sync 3.1.4-1 (unimportant; bug #882508) NOTE: Debian build uses Avahi instead NOTE: https://bugs.launchpad.net/ubuntu/+source/shairport-sync/+bug/1729668 CVE-2017-12086 (An exploitable integer overflow exists in the 'BKE_mesh_calc_normals_t ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0438 CVE-2017-12085 (An exploitable routing vulnerability exists in the Circle with Disney ...) NOT-FOR-US: Circle with Disney CVE-2017-12084 (A backdoor vulnerability exists in remote control functionality of Cir ...) 
NOT-FOR-US: Circle with Disney CVE-2017-12083 (An exploitable information disclosure vulnerability exists in the apid ...) NOT-FOR-US: Circle with Disney CVE-2017-12082 (An exploitable integer overflow exists in the 'CustomData' Mesh loadin ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0434 CVE-2017-12081 (An exploitable integer overflow exists in the upgrade of a legacy Mesh ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0433 CVE-2017-12080 (An information exposure vulnerability in default HTTP configuration fi ...) NOT-FOR-US: Synology Photo Station CVE-2017-12079 (Files or directories accessible to external parties vulnerability in p ...) NOT-FOR-US: Synology Photo Station CVE-2017-12078 (Command injection vulnerability in EZ-Internet in Synology Router Mana ...) NOT-FOR-US: Synology CVE-2017-12077 (Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwa ...) NOT-FOR-US: Synology CVE-2017-12076 (Uncontrolled Resource Consumption vulnerability in SYNO.Core.PortForwa ...) NOT-FOR-US: Synology CVE-2017-12075 (Command injection vulnerability in EZ-Internet in Synology DiskStation ...) NOT-FOR-US: Synology CVE-2017-12074 (Directory traversal vulnerability in the SYNO.DNSServer.Zone.MasterZon ...) NOT-FOR-US: Synology CVE-2017-12073 RESERVED CVE-2017-12072 (Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in ...) NOT-FOR-US: Synology CVE-2017-12071 (Server-side request forgery (SSRF) vulnerability in file_upload.php in ...) 
NOT-FOR-US: Synology CVE-2017-12070 (Unsigned versions of the DLLs distributed by the OPC Foundation may be ...) NOT-FOR-US: OPC Foundation CVE-2017-12069 (An XXE vulnerability has been identified in OPC Foundation UA .NET Sam ...) NOT-FOR-US: OPC Foundation UA .NET Sample code and Local Discovery Server affecting various vendors CVE-2017-12068 (The Event List plugin 0.7.9 for WordPress has XSS in the slug array pa ...) NOT-FOR-US: Wordpress plugin CVE-2017-12067 (Potrace 1.14 has a heap-based buffer over-read in the interpolate_cubi ...) - potrace 1.15-1 (unimportant; bug #870356) NOTE: https://github.com/hackerlib/hackerlib-vul/tree/master/potrace/heap-buffer-overflow-mkbitmap NOTE: Upstream bug report https://sourceforge.net/p/potrace/bugs/22/ NOTE: Crash only in CLI tool mkbitmap, negligible security impact CVE-2017-12066 (Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Ca ...) - cacti 1.1.16+ds1-1 (bug #870354) [stretch] - cacti (Vulnerable code introduced later) [jessie] - cacti (Vulnerable code introduced later) [wheezy] - cacti (Vulnerable code introduced later) NOTE: https://github.com/Cacti/cacti/commit/bd0e586f6f46d814930226f1516a194e7e72293e NOTE: https://github.com/Cacti/cacti/issues/877 CVE-2017-12065 (spikekill.php in Cacti before 1.1.16 might allow remote attackers to e ...) - cacti 1.1.16+ds1-1 (bug #870353) [stretch] - cacti (Vulnerable code introduced later) [jessie] - cacti (Vulnerable code introduced later) [wheezy] - cacti (Vulnerable code introduced later) NOTE: https://github.com/Cacti/cacti/commit/bd0e586f6f46d814930226f1516a194e7e72293e NOTE: https://github.com/Cacti/cacti/issues/877 CVE-2017-12064 (The csv_log_html function in library/edihistory/edih_csv_inc.php in Op ...) NOT-FOR-US: OpenEMR CVE-2017-12063 RESERVED CVE-2017-12062 (An XSS issue was discovered in manage_user_page.php in MantisBT 2.x be ...)
- mantis [wheezy] - mantis (Not supported in Wheezy LTS) CVE-2017-12061 (An XSS issue was discovered in admin/install.php in MantisBT before 1. ...) - mantis [wheezy] - mantis (Not supported in Wheezy LTS) CVE-2017-12060 RESERVED CVE-2017-12059 RESERVED CVE-2017-12058 RESERVED CVE-2017-12057 RESERVED CVE-2017-12056 RESERVED CVE-2017-12055 RESERVED CVE-2017-12054 RESERVED CVE-2017-12053 RESERVED CVE-2017-12052 RESERVED CVE-2017-12051 RESERVED CVE-2017-12050 RESERVED CVE-2017-12049 RESERVED CVE-2017-12048 RESERVED CVE-2017-12047 RESERVED CVE-2017-12046 RESERVED CVE-2017-12045 RESERVED CVE-2017-12044 RESERVED CVE-2017-12043 RESERVED CVE-2017-12042 RESERVED CVE-2017-12041 RESERVED CVE-2017-12040 RESERVED CVE-2017-12039 RESERVED CVE-2017-12038 RESERVED CVE-2017-12037 RESERVED CVE-2017-12036 RESERVED CVE-2017-12035 RESERVED CVE-2017-12034 RESERVED CVE-2017-12033 RESERVED CVE-2017-12032 RESERVED CVE-2017-12031 RESERVED CVE-2017-12030 RESERVED CVE-2017-12029 RESERVED CVE-2017-12028 RESERVED CVE-2017-12027 RESERVED CVE-2017-12026 RESERVED CVE-2017-12025 RESERVED CVE-2017-12024 RESERVED CVE-2017-12023 RESERVED CVE-2017-12022 RESERVED CVE-2017-12021 RESERVED CVE-2017-12020 RESERVED CVE-2017-12019 RESERVED CVE-2017-12018 RESERVED CVE-2017-12017 RESERVED CVE-2017-12016 RESERVED CVE-2017-12015 RESERVED CVE-2017-12014 RESERVED CVE-2017-12013 RESERVED CVE-2017-12012 RESERVED CVE-2017-12011 RESERVED CVE-2017-12010 RESERVED CVE-2017-12009 RESERVED CVE-2017-12008 RESERVED CVE-2017-12007 RESERVED CVE-2017-12006 RESERVED CVE-2017-12005 RESERVED CVE-2017-12004 RESERVED CVE-2017-12003 RESERVED CVE-2017-12002 RESERVED CVE-2017-12001 RESERVED CVE-2017-12000 RESERVED CVE-2017-11999 RESERVED CVE-2017-11998 RESERVED CVE-2017-11997 RESERVED CVE-2017-11996 RESERVED CVE-2017-11995 RESERVED CVE-2017-11994 RESERVED CVE-2017-11993 RESERVED CVE-2017-11992 RESERVED CVE-2017-11991 RESERVED CVE-2017-11990 RESERVED CVE-2017-11989 RESERVED CVE-2017-11988 RESERVED CVE-2017-11987 RESERVED CVE-2017-11986 
RESERVED CVE-2017-11985 RESERVED CVE-2017-11984 RESERVED CVE-2017-11983 RESERVED CVE-2017-11982 RESERVED CVE-2017-11981 RESERVED CVE-2017-11980 RESERVED CVE-2017-11979 RESERVED CVE-2017-11978 RESERVED CVE-2017-11977 RESERVED CVE-2017-11976 RESERVED CVE-2017-11975 RESERVED CVE-2017-11974 RESERVED CVE-2017-11973 RESERVED CVE-2017-11972 RESERVED CVE-2017-11971 RESERVED CVE-2017-11970 RESERVED CVE-2017-11969 RESERVED CVE-2017-11968 RESERVED CVE-2017-11967 RESERVED CVE-2017-11966 RESERVED CVE-2017-11965 RESERVED CVE-2017-11964 RESERVED CVE-2017-11963 RESERVED CVE-2017-11962 RESERVED CVE-2017-11961 RESERVED CVE-2017-11960 RESERVED CVE-2017-11959 RESERVED CVE-2017-11958 RESERVED CVE-2017-11957 RESERVED CVE-2017-11956 RESERVED CVE-2017-11955 RESERVED CVE-2017-11954 RESERVED CVE-2017-11953 RESERVED CVE-2017-11952 RESERVED CVE-2017-11951 RESERVED CVE-2017-11950 RESERVED CVE-2017-11949 RESERVED CVE-2017-11948 RESERVED CVE-2017-11947 RESERVED CVE-2017-11946 RESERVED CVE-2017-11945 RESERVED CVE-2017-11944 RESERVED CVE-2017-11943 RESERVED CVE-2017-11942 RESERVED CVE-2017-11941 RESERVED CVE-2017-11940 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-11939 (Microsoft Office 2016 Click-to-Run (C2R) allows an information disclos ...) NOT-FOR-US: Microsoft CVE-2017-11938 RESERVED CVE-2017-11937 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-11936 (Microsoft SharePoint Enterprise Server 2016 allows an elevation of pri ...) NOT-FOR-US: Microsoft CVE-2017-11935 (Microsoft Office 2016 Click-to-Run (C2R) allows a remote code executio ...) NOT-FOR-US: Microsoft CVE-2017-11934 (Microsoft Office 2013 RT SP1, Microsoft Office 2013 SP1, and Microsoft ...) NOT-FOR-US: Microsoft CVE-2017-11933 RESERVED CVE-2017-11932 (Microsoft Exchange Server 2016 CU5 and Microsoft Exchange Server 2016 ...) 
NOT-FOR-US: Microsoft CVE-2017-11931 RESERVED CVE-2017-11930 (ChakraCore, and Internet Explorer in Microsoft Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11929 RESERVED CVE-2017-11928 RESERVED CVE-2017-11927 (Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2008 SP2 and R2 ...) NOT-FOR-US: Microsoft Windows CVE-2017-11926 RESERVED CVE-2017-11925 RESERVED CVE-2017-11924 RESERVED CVE-2017-11923 RESERVED CVE-2017-11922 RESERVED CVE-2017-11921 RESERVED CVE-2017-11920 RESERVED CVE-2017-11919 (ChakraCore, and Internet Explorer in Microsoft Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11918 (ChakraCore and Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 17 ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11917 RESERVED CVE-2017-11916 (ChakraCore allows an attacker to execute arbitrary code in the context ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11915 RESERVED CVE-2017-11914 (ChakraCore and Microsoft Edge in Windows 10 1511, 1607, 1703, 1709, an ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11913 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2017-11912 (ChakraCore, and Internet Explorer in Microsoft Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11911 (ChakraCore and Windows 10 1511, 1607, 1703, 1709, and Windows Server 2 ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11910 (ChakraCore and Windows 10 Gold, 1511, 1607, 1703, 1709, and Windows Se ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11909 (ChakraCore and Windows 10 1511, 1607, 1703, 1709, and Windows Server 2 ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11908 (ChakraCore and Windows 10 1709 allows an attacker to execute arbitrary ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11907 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and ...) 
NOT-FOR-US: Microsoft Internet Explorer CVE-2017-11906 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2017-11905 (ChakraCore and Microsoft Edge in Windows 10 1511, 1607, 1703, 1709, an ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11904 RESERVED CVE-2017-11903 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2017-11902 RESERVED CVE-2017-11901 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2017-11900 RESERVED CVE-2017-11899 (Device Guard in Windows 10 1511, 1607, 1703 and 1709, Windows Server 2 ...) NOT-FOR-US: Microsoft Windows CVE-2017-11898 RESERVED CVE-2017-11897 RESERVED CVE-2017-11896 RESERVED CVE-2017-11895 (ChakraCore, and Internet Explorer in Microsoft Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11894 (ChakraCore, and Internet Explorer in Microsoft Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11893 (ChakraCore and Microsoft Edge in Windows 10 1511, 1607, 1703, 1709, an ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11892 RESERVED CVE-2017-11891 RESERVED CVE-2017-11890 (Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 a ...) NOT-FOR-US: Microsoft Windows CVE-2017-11889 (ChakraCore and Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 17 ...) NOT-FOR-US: Microsoft ChakraCore CVE-2017-11888 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, a ...) NOT-FOR-US: Microsoft Edge CVE-2017-11887 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft Internet Explorer CVE-2017-11886 (Microsoft Windows 7 SP1, Windows Server 2008 and R2 SP1, Windows 8.1 a ...) NOT-FOR-US: Microsoft Windows CVE-2017-11885 (Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2008 SP2 and R2 ...) 
NOT-FOR-US: Microsoft Windows CVE-2017-11884 (Microsoft Excel 2016 Click-to-Run (C2R) allows an attacker to run arbi ...) NOT-FOR-US: Microsoft CVE-2017-11883 (.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remot ...) NOT-FOR-US: .NET core CVE-2017-11882 (Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pa ...) NOT-FOR-US: Microsoft CVE-2017-11881 RESERVED CVE-2017-11880 (Windows kernel in Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, W ...) NOT-FOR-US: Microsoft CVE-2017-11879 (ASP.NET Core 2.0 allows an attacker to steal log-in session informatio ...) NOT-FOR-US: Microsoft CVE-2017-11878 (Microsoft Excel 2007 Service Pack 3, Microsoft Excel 2010 Service Pack ...) NOT-FOR-US: Microsoft CVE-2017-11877 (Microsoft Excel 2007 Service Pack 3, Microsoft Excel 2010 Service Pack ...) NOT-FOR-US: Microsoft CVE-2017-11876 (Microsoft Project Server and Microsoft SharePoint Enterprise Server 20 ...) NOT-FOR-US: Microsoft CVE-2017-11875 RESERVED CVE-2017-11874 (Microsoft Edge in Microsoft Windows 10 1703, 1709, Windows Server, ver ...) NOT-FOR-US: Microsoft CVE-2017-11873 (ChakraCore and Microsoft Edge in Windows 10 1511, 1607, 1703, 1709, Wi ...) NOT-FOR-US: Microsoft CVE-2017-11872 (Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows Server ...) NOT-FOR-US: Microsoft CVE-2017-11871 (ChakraCore and Microsoft Edge in Windows 10 1703, 1709, and Windows Se ...) NOT-FOR-US: Microsoft CVE-2017-11870 (ChakraCore and Microsoft Edge in Windows 10 1703, 1709, and Windows Se ...) NOT-FOR-US: Microsoft CVE-2017-11869 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and ...) NOT-FOR-US: Microsoft CVE-2017-11868 RESERVED CVE-2017-11867 RESERVED CVE-2017-11866 (ChakraCore and Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 17 ...) NOT-FOR-US: Microsoft CVE-2017-11865 RESERVED CVE-2017-11864 RESERVED CVE-2017-11863 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, W ...) 
NOT-FOR-US: Microsoft CVE-2017-11862 (ChakraCore and Microsoft Edge in Windows 10 1709 and Windows Server, v ...) NOT-FOR-US: Microsoft CVE-2017-11861 (Microsoft Edge in Windows 10 1607, 1703, 1709, Windows Server 2016 and ...) NOT-FOR-US: Microsoft CVE-2017-11860 RESERVED CVE-2017-11859 RESERVED CVE-2017-11858 (ChakraCore and Internet Explorer in Microsoft Windows 7 SP1, Windows S ...) NOT-FOR-US: Microsoft CVE-2017-11857 RESERVED CVE-2017-11856 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-11855 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-11854 (Microsoft Word 2007 Service Pack 3, Microsoft Word 2010 Service Pack 2 ...) NOT-FOR-US: Microsoft CVE-2017-11853 (Windows kernel in Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, W ...) NOT-FOR-US: Microsoft CVE-2017-11852 (Microsoft GDI Component in Windows 7 SP1 and Windows Server 2008 SP2 a ...) NOT-FOR-US: Microsoft CVE-2017-11851 (The Windows kernel component on Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-11850 (Microsoft Graphics Component in Windows 8.1 and RT 8.1, Windows Server ...) NOT-FOR-US: Microsoft CVE-2017-11849 (Windows kernel in Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, W ...) NOT-FOR-US: Microsoft CVE-2017-11848 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server ...) NOT-FOR-US: Microsoft CVE-2017-11847 (Windows kernel in Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, W ...) NOT-FOR-US: Microsoft CVE-2017-11846 (ChakraCore and Internet Explorer in Microsoft Windows 7 SP1, Windows S ...) NOT-FOR-US: Microsoft CVE-2017-11845 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to exec ...) NOT-FOR-US: Microsoft CVE-2017-11844 (Microsoft Edge in Microsoft Windows 10 1703, 1709 and Windows Server, ...)
NOT-FOR-US: Microsoft CVE-2017-11843 (ChakraCore and Internet Explorer in Microsoft Windows 7 SP1, Windows S ...) NOT-FOR-US: Microsoft CVE-2017-11842 (Windows kernel in Windows 8.1 and RT 8.1, Server 2012 and R2, Windows ...) NOT-FOR-US: Microsoft CVE-2017-11841 (ChakraCore and Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 17 ...) NOT-FOR-US: Microsoft CVE-2017-11840 (ChakraCore and Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 17 ...) NOT-FOR-US: Microsoft CVE-2017-11839 (Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, 1709, Windows Ser ...) NOT-FOR-US: Microsoft CVE-2017-11838 (ChakraCore and Internet Explorer in Microsoft Windows 7 SP1, Windows S ...) NOT-FOR-US: Microsoft CVE-2017-11837 (ChakraCore and Internet Explorer in Microsoft Windows 7 SP1, Windows S ...) NOT-FOR-US: Microsoft CVE-2017-11836 (ChakraCore, and Microsoft Edge in Microsoft Windows 10 Gold, 1511, 160 ...) NOT-FOR-US: Microsoft CVE-2017-11835 (Microsoft graphics in Windows 7 SP1 and Windows Server 2008 SP2 and R2 ...) NOT-FOR-US: Microsoft CVE-2017-11834 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-11833 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, 1709, W ...) NOT-FOR-US: Microsoft CVE-2017-11832 (The Microsoft Windows embedded OpenType (EOT) font engine in Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-11831 (Windows kernel in Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Serve ...) NOT-FOR-US: Microsoft CVE-2017-11830 (Device Guard in Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows S ...) NOT-FOR-US: Microsoft CVE-2017-11829 (Microsoft Windows 10 allows an elevation of privilege vulnerability wh ...) NOT-FOR-US: Microsoft CVE-2017-11828 RESERVED CVE-2017-11827 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...) NOT-FOR-US: Microsoft CVE-2017-11826 (Microsoft Office 2010, SharePoint Enterprise Server 2010, SharePoint S ...) 
NOT-FOR-US: Microsoft CVE-2017-11825 (Microsoft Office 2016 Click-to-Run (C2R) and Microsoft Office 2016 for ...) NOT-FOR-US: Microsoft CVE-2017-11824 (The Microsoft Graphics Component on Microsoft Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-11823 (The Microsoft Device Guard on Microsoft Windows 10 Gold, 1511, 1607, a ...) NOT-FOR-US: Microsoft CVE-2017-11822 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-11821 (ChakraCore and Microsoft Edge in Microsoft Windows 10 1703 allows an a ...) NOT-FOR-US: Microsoft CVE-2017-11820 (Microsoft SharePoint Enterprise Server 2013 SP1 and Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2017-11819 (Microsoft Windows 7 SP1 allows an attacker to execute arbitrary code i ...) NOT-FOR-US: Microsoft CVE-2017-11818 (The Microsoft Windows Storage component on Microsoft Windows 8.1, Wind ...) NOT-FOR-US: Microsoft CVE-2017-11817 (The Microsoft Windows Kernel component on Microsoft Windows Server 200 ...) NOT-FOR-US: Microsoft CVE-2017-11816 (The Microsoft Windows Graphics Device Interface (GDI) on Microsoft Win ...) NOT-FOR-US: Microsoft CVE-2017-11815 (The Microsoft Server Block Message (SMB) on Microsoft Windows Server 2 ...) NOT-FOR-US: Microsoft CVE-2017-11814 (The Microsoft Windows Kernel component on Microsoft Windows Server 200 ...) NOT-FOR-US: Microsoft CVE-2017-11813 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...) NOT-FOR-US: Microsoft CVE-2017-11812 (ChakraCore and Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703 ...) NOT-FOR-US: Microsoft CVE-2017-11811 (ChakraCore and Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607 ...) NOT-FOR-US: Microsoft CVE-2017-11810 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-11809 (ChakraCore and Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607 ...) 
NOT-FOR-US: Microsoft CVE-2017-11808 (ChakraCore and Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607 ...) NOT-FOR-US: Microsoft CVE-2017-11807 (ChakraCore and Microsoft Edge in Microsoft Windows 10 1703 allows an a ...) NOT-FOR-US: Microsoft CVE-2017-11806 (ChakraCore and Microsoft Edge in Microsoft Windows 10 1703 allows an a ...) NOT-FOR-US: Microsoft CVE-2017-11805 (ChakraCore and Microsoft Edge in Microsoft Windows 10 1703 allows an a ...) NOT-FOR-US: Microsoft CVE-2017-11804 (ChakraCore and Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607 ...) NOT-FOR-US: Microsoft CVE-2017-11803 (Microsoft Edge in Microsoft Windows 10 1703, 1709 and Windows Server, ...) NOT-FOR-US: Microsoft CVE-2017-11802 (ChakraCore and Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607 ...) NOT-FOR-US: Microsoft CVE-2017-11801 (ChakraCore allows an attacker to execute arbitrary code in the context ...) NOT-FOR-US: Microsoft CVE-2017-11800 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and Windows S ...) NOT-FOR-US: Microsoft CVE-2017-11799 (ChakraCore and Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607 ...) NOT-FOR-US: Microsoft CVE-2017-11798 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...) NOT-FOR-US: Microsoft CVE-2017-11797 (ChakraCore allows an attacker to execute arbitrary code in the context ...) NOT-FOR-US: Microsoft CVE-2017-11796 (ChakraCore and Microsoft Edge in Windows 10 1703 allows an attacker to ...) NOT-FOR-US: Microsoft CVE-2017-11795 RESERVED CVE-2017-11794 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to obta ...) NOT-FOR-US: Microsoft CVE-2017-11793 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-11792 (ChakraCore and Microsoft Edge in Microsoft Windows 10 1703 allow an at ...) NOT-FOR-US: Microsoft CVE-2017-11791 (ChakraCore and Internet Explorer in Microsoft Windows 7 SP1, Windows S ...) 
NOT-FOR-US: Microsoft CVE-2017-11790 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-11789 RESERVED CVE-2017-11788 (Windows Search in Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, W ...) NOT-FOR-US: Microsoft CVE-2017-11787 RESERVED CVE-2017-11786 (Skype for Business in Microsoft Lync 2013 SP1 and Skype for Business 2 ...) NOT-FOR-US: Skype CVE-2017-11785 (The Microsoft Windows Kernel component on Microsoft Windows Server 200 ...) NOT-FOR-US: Microsoft CVE-2017-11784 (The Microsoft Windows Kernel component on Microsoft Windows Server 200 ...) NOT-FOR-US: Microsoft CVE-2017-11783 (Microsoft Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-11782 (The Microsoft Server Block Message (SMB) on Microsoft Windows 10 1607 ...) NOT-FOR-US: Microsoft CVE-2017-11781 (The Microsoft Server Block Message (SMB) on Microsoft Windows Server 2 ...) NOT-FOR-US: Microsoft CVE-2017-11780 (The Server Message Block 1.0 (SMBv1) on Microsoft Windows Server 2008 ...) NOT-FOR-US: Microsoft CVE-2017-11779 (The Microsoft Windows Domain Name System (DNS) DNSAPI.dll on Microsoft ...) NOT-FOR-US: Microsoft CVE-2017-11778 RESERVED CVE-2017-11777 (Microsoft SharePoint Enterprise Server 2013 SP1 and Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2017-11776 (Microsoft Outlook 2016 allows an attacker to obtain the email content ...) NOT-FOR-US: Microsoft CVE-2017-11775 (Microsoft SharePoint Enterprise Server 2013 SP1 and Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2017-11774 (Microsoft Outlook 2010 SP2, Outlook 2013 SP1 and RT SP1, and Outlook 2 ...) NOT-FOR-US: Microsoft CVE-2017-11773 RESERVED CVE-2017-11772 (The Microsoft Windows Search component on Microsoft Windows Server 200 ...) NOT-FOR-US: Microsoft CVE-2017-11771 (The Microsoft Windows Search component on Microsoft Windows Server 200 ...) 
NOT-FOR-US: Microsoft CVE-2017-11770 (.NET Core 1.0, 1.1, and 2.0 allow an unauthenticated attacker to remot ...) NOT-FOR-US: .NET Core CVE-2017-11769 (The Microsoft Windows TRIE component on Microsoft Windows 10 Gold, 151 ...) NOT-FOR-US: Microsoft CVE-2017-11768 (Windows Media Player in Windows 7 SP1, Windows Server 2008 SP2 and R2 ...) NOT-FOR-US: Microsoft CVE-2017-11767 (ChakraCore allows an attacker to gain the same user rights as the curr ...) NOT-FOR-US: Microsoft CVE-2017-11766 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...) NOT-FOR-US: Microsoft CVE-2017-11765 (The Microsoft Windows Kernel component on Microsoft Windows Server 200 ...) NOT-FOR-US: Microsoft CVE-2017-11764 (Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows Server ...) NOT-FOR-US: Microsoft CVE-2017-11763 (The Microsoft Graphics Component on Microsoft Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-11762 (The Microsoft Graphics Component on Microsoft Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-11761 (Microsoft Exchange Server 2013 and Microsoft Exchange Server 2016 allo ...) NOT-FOR-US: Microsoft CVE-2017-11760 (uploadImage.php in ProjeQtOr before 6.3.2 allows remote authenticated ...) NOT-FOR-US: ProjeQtOr CVE-2017-11759 RESERVED CVE-2017-11758 RESERVED CVE-2017-11757 (Heap-based buffer overflow in Actian Pervasive PSQL v12.10 and Zen v13 ...) NOT-FOR-US: Actian Pervasive PSQL server CVE-2017-XXXX [executes javascript code downloaded from insecure URL] - smplayer 17.7.0~ds0-1 (low; bug #870233) [stretch] - smplayer (Minor issue) [jessie] - smplayer (Minor issue) [wheezy] - smplayer (vulnerable code not present) NOTE: The version tracking here is not 100% since the vulnerable code still would NOTE: be present in the source. Users though need to explicitly rebuild the package NOTE: changing the upstream pro file to enable YT_USE_YTSIG. 
YT_USE_YTSIG is NOTE: disabled by default on upstream since 17.2.0 CVE-2017-13140 (In ImageMagick before 6.9.9-1 and 7.x before 7.0.6-2, the ReadOnePNGIm ...) {DSA-4019-1} - imagemagick 8:6.9.7.4+dfsg-15 (bug #870111) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (Vulnerable code not present) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/596 NOTE: https://github.com/ImageMagick/ImageMagick/commit/62fcf3d9638b87cd7ac81962cadf5bf88db62fa0 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/75f7e994e4e990627a5a37385bcc9a0205013645 CVE-2017-13139 (In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, the ReadOneMNGIm ...) {DSA-4040-1 DSA-4019-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-15 (bug #870109) NOTE: https://github.com/ImageMagick/ImageMagick/commit/22e0310345499ffe906c604428f2a3a668942b05 CVE-2017-12643 (ImageMagick 7.0.6-1 has a memory exhaustion vulnerability in ReadOneJN ...) {DLA-2366-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-15 (low; bug #870107) NOTE: https://github.com/ImageMagick/ImageMagick/issues/549 NOTE: https://github.com/ImageMagick/ImageMagick/commit/9eedb5660f1704cde8e8cd784c5c2a09dd2fd60f CVE-2017-13142 (In ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1, a crafted PNG fi ...) {DSA-4019-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-15 (low; bug #870105) NOTE: https://github.com/ImageMagick/ImageMagick/commit/46e3aabbf8d59a1bdebdbb65acb9b9e0484577d3 NOTE: https://github.com/ImageMagick/ImageMagick/commit/aa84944b405acebbeefe871d0f64969b9e9f31ac CVE-2017-11756 (In Earcms Ear Music through 4.1 build 20170710, remote authenticated u ...) NOT-FOR-US: Earcms CVE-2017-11755 (The WritePICONImage function in coders/xpm.c in ImageMagick 7.0.6-4 al ...) 
- imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/634 NOTE: Possibly fixed by same commit as issue #631 upstream CVE-2017-11754 (The WritePICONImage function in coders/xpm.c in ImageMagick 7.0.6-4 al ...) - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/633 NOTE: Possibly fixed by same commit as issue #631 upstream CVE-2017-11753 (The GetImageDepth function in MagickCore/attribute.c in ImageMagick 7. ...) - imagemagick (Affects only ImageMagick-7; vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/629 CVE-2017-11752 (The ReadMAGICKImage function in coders/magick.c in ImageMagick 7.0.6-4 ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870481) NOTE: https://github.com/ImageMagick/ImageMagick/issues/628 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/21d19d0c64ff070dbf37279432837bf425c0d5dd NOTE: https://github.com/ImageMagick/ImageMagick/commit/9eccfd52199616da66c93b6d627d4d4126f5a5f0 CVE-2017-11751 (The WritePICONImage function in coders/xpm.c in ImageMagick 7.0.6-4 al ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-16 (unimportant; bug #870480) NOTE: https://github.com/ImageMagick/ImageMagick/issues/631 NOTE: https://github.com/ImageMagick/ImageMagick/commit/cb713211bad3fa4f0c535255fa043917482fc964 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/b04e9c949d917a4a603f1a9bfe09737246229323 CVE-2017-11750 (The ReadOneJNGImage function in coders/png.c in ImageMagick 6.9.9-4 an ...) 
- imagemagick 8:6.9.7.4+dfsg-16 (bug #870478) [stretch] - imagemagick (Incomplete patch for upstream issues/618 not applied) [jessie] - imagemagick (Incomplete patch for upstream issues/618 not applied) [wheezy] - imagemagick (Incomplete patch for upstream issues/618 not applied) NOTE: https://github.com/ImageMagick/ImageMagick/issues/632 NOTE: Introduced by: https://github.com/ImageMagick/ImageMagick/commit/8cc53f1d8946bad2a2c62e084aaf956d4d889f08 NOTE: Introduced by (ImageMagick-6): https://github.com/ImageMagick/ImageMagick/commit/3cba1bb43acf5b3cba7388f67bf87b6f192138f0 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/1828667e81e53345cfb3eb46539d78757f1aa680 NOTE: Fixed by (ImageMagick-6): https://github.com/ImageMagick/ImageMagick/commit/253d56027765dcbd8d6bc2bbd7d59aa41dab60e7 NOTE: Issue introduced by the original patch for https://github.com/ImageMagick/ImageMagick/issues/618 CVE-2017-11749 (InternetSoft FTP Commander 8.02 and prior has an untrusted search path ...) NOT-FOR-US: InternetSoft FTP Commander CVE-2017-11748 (VIT Spider Player 2.5.3 has an untrusted search path, allowing DLL hij ...) NOT-FOR-US: VIT Spider Player CVE-2017-11747 (main.c in Tinyproxy 1.8.4 and earlier creates a /run/tinyproxy/tinypro ...) {DLA-2163-1} - tinyproxy 1.10.0-1 (bug #870307) [stretch] - tinyproxy 1.8.4-3~deb9u2 [wheezy] - tinyproxy (Minor issue) NOTE: https://github.com/tinyproxy/tinyproxy/issues/106 CVE-2017-11746 (Tenshi 0.15 creates a tenshi.pid file after dropping privileges to a n ...) {DLA-1069-1} - tenshi 0.13-2.1 (unimportant; bug #871321) [stretch] - tenshi 0.13-2.1~deb9u1 NOTE: https://github.com/inversepath/tenshi/issues/6 NOTE: https://github.com/inversepath/tenshi/commit/d0e7f28c13ffbd5888b31d6532c2faf78f10f176 NOTE: Negligible security impact CVE-2017-11745 RESERVED CVE-2017-11744 (In MODX Revolution 2.5.7, the "key" and "name" parameters in the Syste ...) 
NOT-FOR-US: MODX Revolution CVE-2017-11743 (MEDHOST Connex contains a hard-coded Mirth Connect admin credential th ...) NOT-FOR-US: MEDHOST Connex CVE-2017-11742 (The writeRandomBytes_RtlGenRandom function in xmlparse.c in libexpat i ...) - expat (Windows specific issue) CVE-2017-11741 (HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) bef ...) NOT-FOR-US: HashiCorp Vagrant VMware Fusion plugin CVE-2017-11740 (In Zoho ManageEngine Application Manager 13.1 Build 13100, the adminis ...) NOT-FOR-US: Zoho ManageEngine Application Manager CVE-2017-11739 (In Zoho ManageEngine Application Manager 13.1 Build 13100, an authenti ...) NOT-FOR-US: Zoho ManageEngine Application Manager CVE-2017-11738 (In Zoho ManageEngine Application Manager prior to 14.6 Build 14660, th ...) NOT-FOR-US: Zoho ManageEngine Application Manager CVE-2017-11737 (interface/js/app/history.js in WebUI in Rspamd before 1.6.3 allows XSS ...) - rspamd 1.7.6-1 [jessie] - rspamd (Vulnerable code not present) NOTE: https://github.com/vstakhov/rspamd/issues/1738 NOTE: https://github.com/rspamd/rspamd/pull/1739 CVE-2017-11736 (SQL injection vulnerability in core\admin\auto-modules\forms\process.p ...) NOT-FOR-US: BigTree CMS CVE-2017-11735 REJECTED CVE-2017-11734 (A heap-based buffer over-read was found in the function decompileCALLF ...) {DLA-1133-1} - ming NOTE: https://github.com/libming/libming/issues/83 CVE-2017-11733 (A null pointer dereference vulnerability was found in the function sta ...) {DLA-1176-1} - ming NOTE: https://github.com/libming/libming/issues/78 CVE-2017-11732 (A heap-based buffer overflow vulnerability was found in the function d ...) {DLA-1240-1} - ming NOTE: https://github.com/libming/libming/issues/80 CVE-2017-11731 (An invalid memory read vulnerability was found in the function OpCode ...) {DLA-1133-1} - ming NOTE: https://github.com/libming/libming/issues/84 CVE-2017-11730 (A heap-based buffer over-read was found in the function OpCode (called ...) 
{DLA-1133-1} - ming NOTE: https://github.com/libming/libming/issues/81 CVE-2017-11729 (A heap-based buffer over-read was found in the function OpCode (called ...) {DLA-1133-1} - ming NOTE: https://github.com/libming/libming/issues/79 CVE-2017-11728 (A heap-based buffer over-read was found in the function OpCode (called ...) {DLA-1133-1} - ming NOTE: https://github.com/libming/libming/issues/82 CVE-2017-11727 (services/system_io/actionprocessor/Contact.rails in ConnectWise Manage ...) NOT-FOR-US: ConnectWise Manage CVE-2017-11726 (services/system_io/actionprocessor/System.rails in ConnectWise Manage ...) NOT-FOR-US: ConnectWise Manage CVE-2017-11725 (The share function in Thycotic Secret Server before 10.2.000019 mishan ...) NOT-FOR-US: Thycotic Secret Server CVE-2017-11723 (Directory traversal vulnerability in plugins/ImageManager/backend.php ...) NOT-FOR-US: Xinha CVE-2017-11724 (The ReadMATImage function in coders/mat.c in ImageMagick through 6.9.9 ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (unimportant; bug #870023) NOTE: https://github.com/ImageMagick/ImageMagick/issues/624 NOTE: https://github.com/ImageMagick/ImageMagick/commit/5163756a1f829a561912dfdb74a0dae41d8ed8cf CVE-2017-12670 (In ImageMagick 7.0.6-3, missing validation was found in coders/mat.c, ...) 
{DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (low; bug #870020) [stretch] - imagemagick (Minor issue, PoC triggers earlier assertion, fix reverted upstream) NOTE: https://github.com/ImageMagick/ImageMagick/issues/610 NOTE: https://github.com/ImageMagick/ImageMagick/commit/d9f1a91d93871cc6a5c0b99e8bacad4d730acf36 NOTE: https://github.com/ImageMagick/ImageMagick/commit/de8cdeceafdc7bbdfcc55cd08e6a8b0cc979c91c NOTE: https://github.com/ImageMagick/ImageMagick6/commit/ab440f9ea11e0dbefb7a808cbb9441198758b0cb NOTE: https://github.com/ImageMagick/ImageMagick6/commit/75db34b6a4d642cb6f88c792942de27490c900e0 NOTE: fix reverted with CVE-2017-18029 NOTE: triggered by CVE-2017-12877 CVE-2017-13658 (In ImageMagick before 6.9.9-3 and 7.x before 7.0.6-3, there is a missi ...) {DLA-2366-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (low; bug #870019) NOTE: https://github.com/ImageMagick/ImageMagick/issues/598 NOTE: https://github.com/ImageMagick/ImageMagick/commit/e5c063a1007506ba69e97a35effcdef944421c89 CVE-2017-12434 (In ImageMagick 7.0.6-1, a missing NULL check vulnerability was found i ...) {DSA-4019-1} - imagemagick 8:6.9.7.4+dfsg-14 (bug #870014) [stretch] - imagemagick (Minor issue) [jessie] - imagemagick (vulnerable code not present) [wheezy] - imagemagick (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/547 NOTE: https://github.com/ImageMagick/ImageMagick/commit/6767f31cac3eacdc9dc41b3193a73bdd37610375 CVE-2017-13143 (In ImageMagick before 6.9.7-6 and 7.x before 7.0.4-6, the ReadMATImage ...) 
{DSA-4204-1 DSA-4019-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (bug #870012) NOTE: https://github.com/ImageMagick/ImageMagick/issues/362 NOTE: https://github.com/ImageMagick/ImageMagick/commit/51b0ae01709adc1e4a9245e158ef17b85a110960 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/f86268752ffc70e40b6e1afdebfc96dcc29452db CVE-2017-11722 (The WriteOnePNGImage function in coders/png.c in GraphicsMagick 1.3.26 ...) {DSA-4321-1} - graphicsmagick 1.3.26-4 (bug #870158) [jessie] - graphicsmagick (vulnerable code not present) [wheezy] - graphicsmagick (vulnerable code not present) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/f423ba88ca4e CVE-2017-11721 (Buffer overflow in ioquake3 before 2017-08-02 allows remote attackers ...) {DSA-3948-1 DSA-3941-1} - ioquake3 1.36+u20170803+dfsg1-1 (bug #870725) [wheezy] - ioquake3 (games are not supported in Wheezy) NOTE: https://github.com/ioquake/ioq3/commit/d2b1d124d4055c2fcbe5126863487c52fd58cca1 - iortcw 1.51+dfsg1-3 (bug #870811) NOTE: https://github.com/iortcw/iortcw/commit/260c39a29af517a08b3ee1a0e78ad654bdd70934 NOTE: Also affects openjk (only in experimental; fixed in 0~20170718+dfsg1-2 CVE-2017-11720 (There is a division-by-zero vulnerability in LAME 3.99.5, caused by a ...) - lame 3.99.5+repack1-6 (low; bug #870809; bug #777159) [wheezy] - lame 3.99.5+repack1-3+deb7u1 NOTE: https://sourceforge.net/p/lame/bugs/460/ NOTE: Duplicate/same as: https://blogs.gentoo.org/ago/2017/06/17/lame-divide-by-zero-in-parse_wave_header-get_audio-c/ CVE-2017-11719 (The dnxhd_decode_header function in libavcodec/dnxhddec.c in FFmpeg 3. ...) {DSA-3957-1} - ffmpeg 7:3.3.3-1 - libav [jessie] - libav (Issue only present in ffmpeg since 6f1ccca4) NOTE: https://github.com/FFmpeg/FFmpeg/commit/296debd213bd6dce7647cedd34eb64e5b94cdc92 NOTE: Fixed in 3.2.7 CVE-2017-11718 (There is URL Redirector Abuse in MetInfo through 5.3.17 via the gourl ...) 
NOT-FOR-US: MetInfo CVE-2017-11717 (MetInfo through 5.3.17 accepts the same CAPTCHA response for 120 secon ...) NOT-FOR-US: MetInfo CVE-2017-11716 (MetInfo through 5.3.17 allows stored XSS via HTML Edit Mode. ...) NOT-FOR-US: MetInfo CVE-2017-11715 (job/uploadfile_save.php in MetInfo through 5.3.17 blocks the .php exte ...) NOT-FOR-US: MetInfo CVE-2017-11714 (psi/ztoken.c in Artifex Ghostscript 9.21 mishandles references to the ...) {DSA-3986-1 DLA-1048-1} [experimental] - ghostscript 9.22~~rc1~dfsg-1 - ghostscript 9.22~dfsg-1 (bug #869977) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698158 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=671fd59eb657743aa86fbc1895cb15872a317caa (ghostpdl-9.22rc1) CVE-2017-11713 RESERVED CVE-2017-11712 RESERVED CVE-2017-11711 RESERVED CVE-2017-11710 RESERVED CVE-2017-11709 RESERVED CVE-2017-11708 RESERVED CVE-2017-11707 RESERVED CVE-2017-11706 (The Boozt Fashion application before 2.3.4 for Android allows remote a ...) NOT-FOR-US: Boozt Fashion application CVE-2017-11705 (A memory leak was found in the function parseSWF_SHAPEWITHSTYLE in uti ...) - ming [wheezy] - ming (Minor issue present everywhere in the source code, hard to fix) NOTE: https://github.com/libming/libming/issues/71 CVE-2017-11704 (A heap-based buffer over-read was found in the function decompileIF in ...) {DLA-1133-1} - ming NOTE: https://github.com/libming/libming/issues/76 CVE-2017-11703 (A memory leak vulnerability was found in the function parseSWF_DOACTIO ...) - ming [wheezy] - ming (Minor issue present everywhere in the source code, hard to fix) NOTE: https://github.com/libming/libming/issues/72 CVE-2017-11702 RESERVED CVE-2017-11701 RESERVED CVE-2017-11700 RESERVED CVE-2017-11699 RESERVED CVE-2017-11698 (Heap-based buffer overflow in the __get_page function in lib/dbm/src/h ...) 
- nss (bug #873259; unimportant) NOTE: Issues triggered by crafted DBM databases, which would NOTE: require local user access to a machine running NSS and NOTE: crafting the local DBM files. NOTE: http://seclists.org/fulldisclosure/2017/Aug/17 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1360779 CVE-2017-11697 (The __hash_open function in hash.c:229 in Mozilla Network Security Ser ...) - nss (bug #873258; unimportant) NOTE: Issues triggered by crafted DBM databases, which would NOTE: require local user access to a machine running NSS and NOTE: crafting the local DBM files. NOTE: http://seclists.org/fulldisclosure/2017/Aug/17 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1360900 CVE-2017-11696 (Heap-based buffer overflow in the __hash_open function in lib/dbm/src/ ...) - nss (bug #873257; unimportant) NOTE: Issues triggered by crafted DBM databases, which would NOTE: require local user access to a machine running NSS and NOTE: crafting the local DBM files. NOTE: http://seclists.org/fulldisclosure/2017/Aug/17 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1360778 CVE-2017-11695 (Heap-based buffer overflow in the alloc_segs function in lib/dbm/src/h ...) - nss (bug #873256; unimportant) NOTE: Issues triggered by crafted DBM databases, which would NOTE: require local user access to a machine running NSS and NOTE: crafting the local DBM files. NOTE: http://seclists.org/fulldisclosure/2017/Aug/17 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1360782 CVE-2017-11694 (MEDHOST Document Management System contains hard-coded credentials tha ...) NOT-FOR-US: MEDHOST Document Management System CVE-2017-11693 (MEDHOST Document Management System contains hard-coded credentials tha ...) NOT-FOR-US: MEDHOST Document Management System CVE-2017-11692 (The function "Token& Scanner::peek" in scanner.cpp in yaml-cpp 0.5 ...) 
- yaml-cpp 0.6.3-1 (low; bug #870326) [buster] - yaml-cpp (Minor issue) [stretch] - yaml-cpp (Minor issue) [jessie] - yaml-cpp (Minor issue) [wheezy] - yaml-cpp (Minor issue) - yaml-cpp0.3 (bug #870327) [stretch] - yaml-cpp0.3 (Minor issue) [jessie] - yaml-cpp0.3 (Minor issue) NOTE: https://github.com/jbeder/yaml-cpp/issues/519 NOTE: https://github.com/jbeder/yaml-cpp/commit/c9460110e072df84b7dee3eb651f2ec5df75fb18 CVE-2017-11690 RESERVED CVE-2017-11689 RESERVED CVE-2017-11688 RESERVED CVE-2017-11687 (Multiple Persistent cross-site scripting (XSS) vulnerabilities in Even ...) NOT-FOR-US: Zoho ManageEngine Event Log Analyzer CVE-2017-11686 (Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allows remote attac ...) NOT-FOR-US: Zoho ManageEngine Event Log Analyzer CVE-2017-11685 (Multiple Reflective cross-site scripting (XSS) vulnerabilities in sear ...) NOT-FOR-US: Zoho ManageEngine Event Log Analyzer CVE-2017-11684 (There is an illegal address access in the build_table function in liba ...) - libav [jessie] - libav 6:11.11-1~deb8u1 - ffmpeg 7:2.3.1-1 NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1073 NOTE: Fixed by https://github.com/libav/libav/commit/ec683ed527cef9aad208d1daeb10d0e7fb63e75e.patch CVE-2017-11683 (There is a reachable assertion in the Internal::TiffReader::visitDirec ...) {DLA-1147-1} - exiv2 0.27.2-6 (unimportant) NOTE: http://dev.exiv2.org/issues/1307 NOTE: https://github.com/Exiv2/exiv2/issues/57 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1475124 NOTE: Problematic assert() exists in all versions in Debian. NOTE: Negligible security impact CVE-2017-11682 (Stored Cross-site scripting vulnerability in Hashtopussy 0.4.0 allows ...) NOT-FOR-US: Hashtopussy CVE-2017-11681 (Incorrect Access Control vulnerability in Hashtopussy 0.4.0 allows rem ...) NOT-FOR-US: Hashtopussy CVE-2017-11680 (Cross-Site Request Forgery (CSRF) exists in Hashtopussy 0.4.0, allowin ...) 
NOT-FOR-US: Hashtopussy CVE-2017-11679 (Cross-Site Request Forgery (CSRF) exists in Hashtopus 1.5g via the pas ...) NOT-FOR-US: Hashtopus CVE-2017-11678 (SQL injection vulnerability in Hashtopus 1.5g allows remote authentica ...) NOT-FOR-US: Hashtopus CVE-2017-11677 (Cross-site scripting (XSS) vulnerability in Hashtopus 1.5g allows remo ...) NOT-FOR-US: Hashtopus CVE-2017-11676 RESERVED CVE-2017-11675 (The traverseStrictSanitize function in admin_dir/includes/classes/Admi ...) NOT-FOR-US: ZenCart CVE-2017-11674 (Reporter.exe in Acunetix 8 allows remote attackers to cause a denial o ...) NOT-FOR-US: Acunetix CVE-2017-11673 (Reporter.exe in Acunetix 8 allows remote attackers to execute arbitrar ...) NOT-FOR-US: Acunetix CVE-2017-11672 (The OPC Foundation Local Discovery Server (LDS) before 1.03.367 is ins ...) NOT-FOR-US: OPC Foundation Local Discovery Server CVE-2017-11671 (Under certain circumstances, the ix86_expand_builtin function in i386. ...) - gcc-6 6.3.0-12 - gcc-5 5.4.1-10 - gcc-4.9 [jessie] - gcc-4.9 (Minor issue) - gcc-4.8 [jessie] - gcc-4.8 (Minor issue) - gcc-4.7 [wheezy] - gcc-4.7 (Minor issue) - gcc-4.6 [wheezy] - gcc-4.6 (Minor issue) NOTE: http://openwall.com/lists/oss-security/2017/07/27/2 NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80180 NOTE: https://gcc.gnu.org/ml/gcc-patches/2017-03/msg01349.html CVE-2017-11670 (A length validation (leading to out-of-bounds read and write) flaw was ...) NOT-FOR-US: eapmd5pass CVE-2017-11669 (An out-of-bounds read flaw related to the assess_packet function in ea ...) NOT-FOR-US: eapmd5pass CVE-2017-11668 (An out-of-bounds read flaw related to the assess_packet function in ea ...) NOT-FOR-US: eapmd5pass CVE-2017-13145 (In ImageMagick before 6.9.8-8 and 7.x before 7.0.5-9, the ReadJP2Image ...) 
{DSA-4019-1 DLA-1785-1} - imagemagick 8:6.9.7.4+dfsg-13 (bug #869830) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/501 NOTE: https://github.com/ImageMagick/ImageMagick/commit/acee073df34aa4d491bf5cb74d3a15fc80f0a3aa NOTE: https://github.com/ImageMagick/ImageMagick/commit/ac23b02ecb741e5de60f5235ea443790c88a0b80 NOTE: https://github.com/ImageMagick/ImageMagick/commit/b0c5222ce31e8f941fa02ff9c7a040fb2db30dbc CVE-2017-11691 (Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti ...) - cacti 1.1.15+ds1-1 (bug #869848) [stretch] - cacti (Vulnerable code introduced later with addition of user profile management page for users) [jessie] - cacti (Vulnerable code introduced later with addition of user profile management page for users) [wheezy] - cacti (Vulnerable code introduced later with addition of user profile management page for users) NOTE: https://github.com/Cacti/cacti/issues/867 NOTE: https://github.com/Cacti/cacti/commit/104090aeead4aa433bf1f18cd6d52dcfeb71236c CVE-2017-11667 (OpenProject before 6.1.6 and 7.x before 7.0.3 mishandles session expir ...) NOT-FOR-US: OpenProject CVE-2017-11666 (Cross-site scripting (XSS) vulnerability in js/ViewerPanel.js in the f ...) NOT-FOR-US: Kopano CVE-2017-11665 (The ff_amf_get_field_value function in libavformat/rtmppkt.c in FFmpeg ...) {DSA-3957-1} - ffmpeg 7:3.3.3-1 NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/ffcc82219cef0928bed2d558b19ef6ea35634130 NOTE: Fixed in 3.2.7 CVE-2017-11664 (The _WM_SetupMidiEvent function in internal_midi.c:2122 in WildMIDI 0. ...) 
- wildmidi 0.4.2-1 (low; bug #871616) [stretch] - wildmidi (Minor issue) [jessie] - wildmidi (vulnerable code not present) [wheezy] - wildmidi (vulnerable code not present) NOTE: http://seclists.org/fulldisclosure/2017/Aug/12 NOTE: https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd CVE-2017-11663 (The _WM_SetupMidiEvent function in internal_midi.c:2315 in WildMIDI 0. ...) - wildmidi 0.4.2-1 (low; bug #871616) [stretch] - wildmidi (Minor issue) [jessie] - wildmidi (vulnerable code not present) [wheezy] - wildmidi (vulnerable code not present) NOTE: http://seclists.org/fulldisclosure/2017/Aug/12 NOTE: https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd CVE-2017-11662 (The _WM_ParseNewMidi function in f_midi.c in WildMIDI 0.4.2 can cause ...) - wildmidi 0.4.2-1 (low; bug #871616) [stretch] - wildmidi (Minor issue) [jessie] - wildmidi (vulnerable code not present) [wheezy] - wildmidi (vulnerable code not present) NOTE: http://seclists.org/fulldisclosure/2017/Aug/12 NOTE: https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd CVE-2017-11661 (The _WM_SetupMidiEvent function in internal_midi.c:2318 in WildMIDI 0. ...) - wildmidi 0.4.2-1 (low; bug #871616) [stretch] - wildmidi (Minor issue) [jessie] - wildmidi (vulnerable code not present) [wheezy] - wildmidi (vulnerable code not present) NOTE: http://seclists.org/fulldisclosure/2017/Aug/12 NOTE: https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd CVE-2017-11660 RESERVED CVE-2017-11659 RESERVED CVE-2017-11658 (In the WP Rocket plugin 2.9.3 for WordPress, the Local File Inclusion ...) NOT-FOR-US: Wordpress plugin CVE-2017-11657 (Dashlane might allow local users to gain privileges by placing a Troja ...) NOT-FOR-US: Dashlane CVE-2017-11656 RESERVED CVE-2017-11655 (A memory leak was found in the way SIPcrack 0.2 handled processing of ...) 
- sipcrack (unimportant; bug #869803) NOTE: https://www.openwall.com/lists/oss-security/2017/07/26/1 NOTE: Negligible security impact CVE-2017-11654 (An out-of-bounds read and write flaw was found in the way SIPcrack 0.2 ...) - sipcrack (unimportant; bug #869803) NOTE: https://www.openwall.com/lists/oss-security/2017/07/26/1 NOTE: Negligible security impact CVE-2017-11653 (Razer Synapse 2.20.15.1104 and earlier uses weak permissions for the D ...) NOT-FOR-US: Razer Synapse CVE-2017-11652 (Razer Synapse 2.20.15.1104 and earlier uses weak permissions for the C ...) NOT-FOR-US: Razer Synapse CVE-2017-11651 (NexusPHP V1.5 has XSS via a javascript: or data: URL in a UBBCode url ...) NOT-FOR-US: NexusPHP CVE-2017-11650 (Cross-site scripting (XSS) vulnerability in DrayTek Vigor AP910C devic ...) NOT-FOR-US: DrayTek CVE-2017-11649 (Cross-site request forgery (CSRF) vulnerability in DrayTek Vigor AP910 ...) NOT-FOR-US: DrayTek CVE-2017-11648 (Techroutes TR 1803-3G Wireless Cellular Router/Modem 2.4.25 devices do ...) NOT-FOR-US: Techroutes TR 1803-3G Wireless Cellular Router/Modem 2.4.25 devices CVE-2017-11647 (NetComm Wireless 4GT101W routers with Hardware: 0.01 / Software: V1.1. ...) NOT-FOR-US: NetComm Wireless 4GT101W routers CVE-2017-11646 (NetComm Wireless 4GT101W routers with Hardware: 0.01 / Software: V1.1. ...) NOT-FOR-US: NetComm Wireless 4GT101W routers CVE-2017-11645 (NetComm Wireless 4GT101W routers with Hardware: 0.01 / Software: V1.1. ...) NOT-FOR-US: NetComm Wireless 4GT101W routers CVE-2017-11644 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) 
{DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (unimportant; bug #870016) NOTE: https://github.com/ImageMagick/ImageMagick/issues/587 NOTE: https://github.com/ImageMagick/ImageMagick/commit/a6802e21d824e786d1e2a8440cf749a6e1a8d95f NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/418f88dd18af34b6cb64f709567c81b89865d7bc CVE-2017-11643 (GraphicsMagick 1.3.26 has a heap overflow in the WriteCMYKImage() func ...) {DSA-4321-1 DLA-1401-1 DLA-1045-1} - graphicsmagick 1.3.26-4 (bug #870157) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/d00b74315a71 CVE-2017-11642 (GraphicsMagick 1.3.26 has a NULL pointer dereference in the WriteMAPIm ...) {DSA-4321-1 DLA-1456-1 DLA-1045-1} - graphicsmagick 1.3.26-4 (bug #870156) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/29550606d8b9 CVE-2017-11641 (GraphicsMagick 1.3.26 has a Memory Leak in the PersistCache function i ...) {DSA-4321-1 DLA-1456-1 DLA-1045-1} - graphicsmagick 1.3.26-4 (bug #870155) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/db732abd9318 CVE-2017-11640 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) {DSA-4040-1 DSA-4019-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-15 (bug #870067) NOTE: https://github.com/ImageMagick/ImageMagick/issues/584 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1b811f7e7dad92b2992939f854201370a7d8084a NOTE: https://github.com/ImageMagick/ImageMagick/commit/1fcd0feb93b51b9363176097ee5f360c62687d86 CVE-2017-11639 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) 
{DSA-4204-1 DSA-4019-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-15 (bug #870065) NOTE: https://github.com/ImageMagick/ImageMagick/issues/588 NOTE: https://github.com/ImageMagick/ImageMagick/commit/65b7c57502bb2b6d22f607383e87cc3eaed94014 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/8ec8ca4c61b1199b727cf52e440f3db79a5b0d0a CVE-2017-11638 (GraphicsMagick 1.3.26 has a segmentation violation in the WriteMAPImag ...) {DSA-4321-1 DLA-1456-1 DLA-1045-1} - graphicsmagick 1.3.26-4 (bug #870154) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/29550606d8b9 CVE-2017-11637 (GraphicsMagick 1.3.26 has a NULL pointer dereference in the WritePCLIm ...) {DSA-4321-1 DLA-1456-1 DLA-1045-1} - graphicsmagick 1.3.26-4 (bug #870153) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/f3ffc5541257 CVE-2017-11636 (GraphicsMagick 1.3.26 has a heap overflow in the WriteRGBImage() funct ...) {DSA-4321-1 DLA-1401-1 DLA-1045-1} - graphicsmagick 1.3.26-4 (bug #870149) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/39961adf974c CVE-2017-11635 (An issue was discovered on Wireless IP Camera 360 devices. Attackers c ...) NOT-FOR-US: Wireless IP Camera 360 devices CVE-2017-11634 (An issue was discovered on Wireless IP Camera 360 devices. Remote atta ...) NOT-FOR-US: Wireless IP Camera 360 devices CVE-2017-11633 (An issue was discovered on Wireless IP Camera 360 devices. Remote atta ...) NOT-FOR-US: Wireless IP Camera 360 devices CVE-2017-11632 (An issue was discovered on Wireless IP Camera 360 devices. A root acco ...) NOT-FOR-US: Wireless IP Camera 360 devices CVE-2017-11631 (dapur/app/app_user/controller/status.php in Fiyo CMS 2.0.7 has SQL inj ...) NOT-FOR-US: Fiyo CMS CVE-2017-11630 (dapur\apps\app_config\controller\backuper.php in Fiyo CMS 2.0.7 allows ...) NOT-FOR-US: Fiyo CMS CVE-2017-11629 (dayrui FineCms through 5.0.10 has Cross Site Scripting (XSS) in contro ...) 
NOT-FOR-US: FineCMS CVE-2017-11628 (In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, a sta ...) {DSA-4081-1 DSA-4080-1 DLA-1066-1} - php7.1 7.1.8-1 (low) - php7.0 7.0.22-1 (low) - php5 (low) NOTE: https://bugs.php.net/bug.php?id=74603 NOTE: Fixed in 7.1.7, 7.0.21, 5.6.31 NOTE: Fixed by https://git.php.net/?p=php-src.git;a=commit;h=05255749139b3686c8a6a58ee01131ac0047465e CVE-2017-11627 (A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0, ...) [experimental] - qpdf 7.0~b1-1 - qpdf 7.0.0-1 (low; bug #871320) [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/issues/118 CVE-2017-11626 (A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0, ...) [experimental] - qpdf 7.0~b1-1 - qpdf 7.0.0-1 (low; bug #871320) [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/issues/119 CVE-2017-11625 (A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0, ...) [experimental] - qpdf 7.0~b1-1 - qpdf 7.0.0-1 (low; bug #871320) [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/issues/120 CVE-2017-11624 (A stack-consumption vulnerability was found in libqpdf in QPDF 6.0.0, ...) 
[experimental] - qpdf 7.0~b1-1 - qpdf 7.0.0-1 (low; bug #871320) [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: https://github.com/qpdf/qpdf/issues/117 CVE-2017-11623 RESERVED CVE-2017-11622 RESERVED CVE-2017-11621 RESERVED CVE-2017-11620 RESERVED CVE-2017-11619 RESERVED CVE-2017-XXXX [out-of-bounds read in eexec_line()] - t1utils 1.40-1 (bug #868134; unimportant) [jessie] - t1utils (Vulnerable code introduced in 1.39) [wheezy] - t1utils (Vulnerable code introduced in 1.39) NOTE: Crash in CLI tool, no security impact NOTE: https://github.com/kohler/t1utils/issues/6 CVE-2017-13144 (In ImageMagick before 6.9.7-10, there is a crash (rather than a "width ...) {DSA-4040-1 DSA-4019-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (bug #869728) NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31438 NOTE: https://github.com/ImageMagick/ImageMagick/commit/9b580ad0564aefd9beeccbcbb8d62ccd05795a84 CVE-2017-12430 (In ImageMagick 7.0.6-1, a memory exhaustion vulnerability was found in ...) {DLA-2366-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (low; bug #869727) NOTE: https://github.com/ImageMagick/ImageMagick/issues/546 NOTE: https://github.com/ImageMagick/ImageMagick/commit/98e5d0001cda195da0e8ea7650ab85c6f8333ff5 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/8d537f6d778675e08ef9d238606d05101bf471b9 CVE-2017-XXXX [memory leak in quantize] - imagemagick 8:6.9.7.4+dfsg-13 (unimportant; bug #869722) [wheezy] - imagemagick 8:6.7.7.10-5+deb7u16 NOTE: Workaround entry for DLA-1081-1 since no CVE assigned NOTE: https://github.com/ImageMagick/ImageMagick/issues/574 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7b604a554dfb6630fe32e739334fa57341dc6123 CVE-2017-12664 (ImageMagick 7.0.6-2 has a memory leak vulnerability in WritePALMImage ...) 
{DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (unimportant; bug #869721) NOTE: https://github.com/ImageMagick/ImageMagick/issues/574 NOTE: https://github.com/ImageMagick/ImageMagick/commit/db1ffb6cf44bcfe5c4d5fcf9d9109ded5617387f CVE-2017-12431 (In ImageMagick 7.0.6-1, a use-after-free vulnerability was found in th ...) {DSA-4040-1 DSA-4019-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (bug #869715) NOTE: https://github.com/ImageMagick/ImageMagick/issues/555 NOTE: https://github.com/ImageMagick/ImageMagick/commit/784fcac688161aeaea221e00b706c88b08196945 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/5660836f9197107e9c38f14f27a45c2d9f26afe2 CVE-2017-12428 (In ImageMagick 7.0.6-1, a memory leak vulnerability was found in the f ...) {DSA-4019-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (unimportant; bug #869713) NOTE: https://github.com/ImageMagick/ImageMagick/issues/544 NOTE: https://github.com/ImageMagick/ImageMagick/commit/b2b48d50300a9fbcd0aa0d9230fd6d7a08f7671e NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/f37d26336bf13737db45e556c25fc098f8a8b277 CVE-2017-11618 RESERVED CVE-2017-11617 (Cross-site scripting (XSS) vulnerability in atmail prior to version 7. ...) - atmailopen CVE-2017-11616 RESERVED CVE-2017-11615 (A sandbox escape in the Lua interface in Wube Factorio before 0.15.31 ...) NOT-FOR-US: Wube Factorio CVE-2017-11614 (MEDHOST Connex contains hard-coded credentials that are used for custo ...) NOT-FOR-US: MEDHOST Connex CVE-2017-11613 (In LibTIFF 4.0.8, there is a denial of service vulnerability in the TI ...) 
{DSA-4349-1 DLA-1411-1 DLA-1391-1} - tiff 4.0.9-5 (low; bug #869823) - tiff3 [wheezy] - tiff3 (Minor issue, revisit once fixed upstream) NOTE: https://gist.github.com/dazhouzhou/1a3b7400547f23fe316db303ab9b604f NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2724 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1475530 NOTE: Upstream fix 1/2: https://gitlab.com/libtiff/libtiff/commit/3719385a3fac5cfb20b487619a5f08abbf967cf8 NOTE: Upstream fix 2/2: https://gitlab.com/libtiff/libtiff/commit/7a092f8af2568d61993a8cc2e7a35a998d7d37be CVE-2017-11612 (In Joomla! before 3.7.4, inadequate filtering of potentially malicious ...) NOT-FOR-US: Joomla! CVE-2017-11611 (Wolf CMS 0.8.3.1 allows Cross-Site Scripting (XSS) attacks. The vulner ...) NOT-FOR-US: Wolf CMS CVE-2017-11610 (The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2 ...) {DSA-3942-1 DLA-1047-1} - supervisor 3.3.1-1.1 (bug #870187) NOTE: https://github.com/Supervisor/supervisor/issues/964 NOTE: 3.3.3 https://github.com/Supervisor/supervisor/commit/058f46141e346b18dee0497ba11203cb81ecb19e NOTE: 3.2.4 https://github.com/Supervisor/supervisor/commit/aac3c21893cab7361f5c35c8e20341b298f6462e NOTE: 3.1.4 https://github.com/Supervisor/supervisor/commit/dbe0f55871a122eac75760aef511efc3a8830b88 NOTE: 3.0.1 https://github.com/Supervisor/supervisor/commit/83060f3383ebd26add094398174f1de34cf7b7f0 CVE-2017-11609 RESERVED CVE-2017-11608 (There is a heap-based buffer over-read in the Sass::Prelexer::re_lineb ...) - libsass 3.4.6-1 (bug #870186) [stretch] - libsass (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1474276 NOTE: https://github.com/sass/libsass/commit/648f763ede97f9a2c2c843a0a18ac18bbde3507b (3.4.6) CVE-2017-11607 RESERVED CVE-2017-11606 RESERVED CVE-2017-11605 (There is a heap based buffer over-read in LibSass 3.4.5, related to ad ...) 
NOTE: Bogus report against historic libsass version CVE-2017-11604 RESERVED CVE-2017-11603 RESERVED CVE-2017-11602 RESERVED CVE-2017-11601 RESERVED CVE-2017-11600 (net/xfrm/xfrm_policy.c in the Linux kernel through 4.12.3, when CONFIG ...) {DSA-3981-1 DLA-1099-1} - linux 4.12.6-1 NOTE: http://seclists.org/bugtraq/2017/Jul/30 CVE-2017-11599 RESERVED CVE-2017-11598 RESERVED CVE-2017-11597 RESERVED CVE-2017-11596 RESERVED CVE-2017-11595 RESERVED CVE-2017-11594 (Cross-site scripting (XSS) vulnerability in the Markdown parser in Loo ...) - loomio (bug #756319) CVE-2017-11593 (Cross-site scripting (XSS) vulnerability in the Markdown Preview Plus ...) NOT-FOR-US: Chrome extension Markdown Preview Plus CVE-2017-11592 (There is a Mismatched Memory Management Routines vulnerability in the ...) - exiv2 (printTiffStructure introduced in 0.26; only affected experimental; bug #895568) NOTE: https://github.com/Exiv2/exiv2/issues/56 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1473889 CVE-2017-11591 (There is a Floating point exception in the Exiv2::ValueType function i ...) {DLA-1147-1} - exiv2 0.27.2-6 (low; bug #876893) [buster] - exiv2 (Minor issue) [stretch] - exiv2 (Minor issue) [jessie] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/55 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1473888 NOTE: Reproducible in wheezy/jessie/stretch/sid(0.25-3.1)/experimental(0.26-1). CVE-2017-11590 (There is a NULL pointer dereference in the caseless_hash function in g ...) {DLA-1054-1} - libgxps 0.3.0-1 (low; bug #870183) [stretch] - libgxps (Minor issue) [jessie] - libgxps (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1473167 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=785479 NOTE: Fixed by: https://git.gnome.org/browse/libgxps/commit/?id=9d5d2920 CVE-2017-11589 (On Cisco DDR2200 ADSL2+ Residential Gateway DDR2200B-NA-AnnexA-FCC-V00 ...) 
NOT-FOR-US: Cisco CVE-2017-11588 (On Cisco DDR2200 ADSL2+ Residential Gateway DDR2200B-NA-AnnexA-FCC-V00 ...) NOT-FOR-US: Cisco CVE-2017-11587 (On Cisco DDR2200 ADSL2+ Residential Gateway DDR2200B-NA-AnnexA-FCC-V00 ...) NOT-FOR-US: Cisco CVE-2017-11586 (dayrui FineCms 5.0.9 has URL Redirector Abuse via the url parameter in ...) NOT-FOR-US: FineCms CVE-2017-11585 (dayrui FineCms 5.0.9 has remote PHP code execution via the param param ...) NOT-FOR-US: FineCms CVE-2017-11584 (dayrui FineCms 5.0.9 has SQL Injection via the field parameter in an a ...) NOT-FOR-US: FineCms CVE-2017-11583 (dayrui FineCms 5.0.9 has SQL Injection via the catid parameter in an a ...) NOT-FOR-US: FineCms CVE-2017-11582 (dayrui FineCms 5.0.9 has SQL Injection via the num parameter in an act ...) NOT-FOR-US: FineCms CVE-2017-11581 (dayrui FineCms 5.0.9 has Cross Site Scripting (XSS) in admin/Login.php ...) NOT-FOR-US: FineCms CVE-2017-11580 (Blipcare Wifi blood pressure monitor BP700 10.1 devices allow memory c ...) NOT-FOR-US: Blipcare Wifi blood pressure monitor BP700 10.1 devices CVE-2017-11579 (In the most recent firmware for Blipcare, the device provides an open ...) NOT-FOR-US: Blipcare CVE-2017-11578 (It was discovered as a part of the research on IoT devices in the most ...) NOT-FOR-US: Blipcare CVE-2017-11577 (FontForge 20161012 is vulnerable to a buffer over-read in getsid (pars ...) {DSA-3958-1 DLA-1065-1} - fontforge 1:20170731~dfsg-1 (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3088 NOTE: https://github.com/fontforge/fontforge/commit/3245d354865def9d712bdffe61fa211ad6aa4081 CVE-2017-11576 (FontForge 20161012 does not ensure a positive size in a weight vector ...) 
{DSA-3958-1 DLA-1065-1} - fontforge 1:20170731~dfsg-1 (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3091 NOTE: https://github.com/fontforge/fontforge/commit/df349365630344ef3004a3c7934c7e7496692fb1 CVE-2017-11575 (FontForge 20161012 is vulnerable to a buffer over-read in strnmatch (c ...) {DSA-3958-1 DLA-1065-1} - fontforge 1:20170731~dfsg-1 (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3096 NOTE: https://github.com/fontforge/fontforge/commit/4de0c58a01e5e30610c200e9aea98bc7db12c7ac CVE-2017-11574 (FontForge 20161012 is vulnerable to a heap-based buffer overflow in re ...) {DSA-3958-1 DLA-1065-1} - fontforge 1:20170731~dfsg-1 (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3090 NOTE: https://github.com/fontforge/fontforge/commit/62b6433a81ee7ed6e0ac2d6b09ac85b885046ac3 CVE-2017-11573 (FontForge 20161012 is vulnerable to a buffer over-read in ValidatePost ...) - fontforge (unimportant; bug #873588) NOTE: https://github.com/fontforge/fontforge/issues/3098 NOTE: Crash in GUI tool/related desktop libs, no security impact CVE-2017-11572 (FontForge 20161012 is vulnerable to a heap-based buffer over-read in r ...) {DSA-3958-1 DLA-1065-1} - fontforge 1:20170731~dfsg-1 (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3092 CVE-2017-11571 (FontForge 20161012 is vulnerable to a stack-based buffer overflow in a ...) {DSA-3958-1 DLA-1065-1} - fontforge 1:20170731~dfsg-1 (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3087 NOTE: https://github.com/fontforge/fontforge/commit/5a0c6522682b0788fc478dd159dd6168cb5fa38b CVE-2017-11570 (FontForge 20161012 is vulnerable to a buffer over-read in umodenc (par ...) - fontforge (unimportant; bug #873587) NOTE: https://github.com/fontforge/fontforge/issues/3097 NOTE: Crash in GUI tool/related desktop libs, no security impact CVE-2017-11569 (FontForge 20161012 is vulnerable to a heap-based buffer over-read in r ...) 
{DSA-3958-1 DLA-1065-1} - fontforge 1:20170731~dfsg-1 (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3093 NOTE: https://github.com/fontforge/fontforge/commit/7bfec47910293bf149b8debe44c6f3f788506092 CVE-2017-11568 (FontForge 20161012 is vulnerable to a heap-based buffer over-read in P ...) {DSA-3958-1 DLA-1065-1} - fontforge 1:20170731~dfsg-1 (bug #869614) NOTE: https://github.com/fontforge/fontforge/issues/3089 CVE-2017-11567 (Cross-site request forgery (CSRF) vulnerability in Mongoose Web Server ...) NOT-FOR-US: Mongoose CVE-2017-11566 (AppUse 4.0 allows shell command injection via a proxy field. ...) NOT-FOR-US: AppUse CVE-2017-1002151 (Pagure 3.3.0 and earlier is vulnerable to loss of confidentially due t ...) - pagure (Fixed before initial upload to the archive) NOTE: https://pagure.io/pagure/pull-request/2426 CVE-2017-11564 (The D-Link EyeOn Baby Monitor (DCS-825L) 1.08.1 has multiple command i ...) NOT-FOR-US: D-Link CVE-2017-11563 (D-Link EyeOn Baby Monitor (DCS-825L) 1.08.1 has a remote code executio ...) NOT-FOR-US: D-Link CVE-2017-11562 (A Session Fixation Vulnerability exists in the MT4 Networks SenhaSegur ...) NOT-FOR-US: MT4 SenhaSegura CVE-2017-11561 (An issue was discovered in ZOHO ManageEngine OpManager 12.2. An authen ...) NOT-FOR-US: ZOHO ManageEngine OpManager CVE-2017-11560 (An issue was discovered in ZOHO ManageEngine OpManager 12.2. By adding ...) NOT-FOR-US: ZOHO ManageEngine OpManager CVE-2017-11559 (An issue was discovered in ZOHO ManageEngine OpManager 12.2. The 'apiK ...) NOT-FOR-US: ZOHO ManageEngine OpManager CVE-2017-11558 RESERVED CVE-2017-11557 (An issue was discovered in ZOHO ManageEngine Applications Manager 12.3 ...) NOT-FOR-US: ZOHO ManageEngine Applications Manager CVE-2017-11556 (There is a stack consumption vulnerability in the Parser::advanceToNex ...) 
- libsass 3.5.4-1 (bug #870182) [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2447 NOTE: https://github.com/sass/libsass/commit/7664114543757e932f5b1a2ff5295aa9b34f8623 CVE-2017-11555 (There is an illegal address access in the Eval::operator function in e ...) - libsass 3.5.4-1 (bug #870182) [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2446 NOTE: https://github.com/sass/libsass/commit/946ef4995bee1b19de581b69850e1eb841c06b12 CVE-2017-11554 (There is a stack consumption vulnerability in the lex function in pars ...) - libsass 3.5.4-1 (bug #870182) [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2445 NOTE: https://github.com/sass/libsass/commit/7664114543757e932f5b1a2ff5295aa9b34f8623 CVE-2017-11553 (There is an illegal address access in the extend_alias_table function ...) - exiv2 (Vulnerable code introduced after 0.25; only present in experimental; bug #888874) NOTE: https://github.com/Exiv2/exiv2/issues/54 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1471772 CVE-2017-11552 (mpg321.c in mpg321 0.3.2-1 does not properly manage memory for use wit ...) - mpg321 0.3.2-2 (bug #870406) [stretch] - mpg321 (Minor issue) [jessie] - mpg321 (Minor issue) [wheezy] - mpg321 (Minor issue) NOTE: CVE was originally assigned for libmad, but further analysis has shown NOTE: that the underlying issue is in src:mpg321 NOTE: Cf. https://bugs.debian.org/870406#25 for more details. NOTE: http://seclists.org/fulldisclosure/2017/Jul/94 CVE-2017-11551 (The id3_field_parse function in field.c in libid3tag 0.15.1b allows re ...) - libid3tag 0.15.1b-5 (bug #870333) NOTE: http://seclists.org/fulldisclosure/2017/Jul/85 NOTE: Same issue as #304913 CVE-2017-11550 (The id3_ucs4_length function in ucs4.c in libid3tag 0.15.1b allows rem ...) 
- libid3tag 0.15.1b-9 (bug #405801) NOTE: http://seclists.org/fulldisclosure/2017/Jul/85 NOTE: Addressed by the 11_unknown_encoding.dpatch patch CVE-2017-11549 (The play_midi function in playmidi.c in TiMidity++ 2.14.0 allows remot ...) - timidity (unimportant; bug #870338) NOTE: http://seclists.org/fulldisclosure/2017/Jul/83 NOTE: https://sourceforge.net/p/timidity/discussion/217458/thread/9a1c9620/ NOTE: Crash in CLI tool, no security impact CVE-2017-11548 (The _tokenize_matrix function in audio_out.c in Xiph.Org libao 1.2.0 a ...) - libao (unimportant; bug #870608) NOTE: http://seclists.org/fulldisclosure/2017/Jul/84 NOTE: Not a security issue in ao, needs to be validated in applications using it, see #870608 CVE-2017-11547 (The resample_gauss function in resample.c in TiMidity++ 2.14.0 allows ...) - timidity 2.14.0-4 (unimportant; bug #870338) NOTE: http://seclists.org/fulldisclosure/2017/Jul/83 NOTE: https://sourceforge.net/p/timidity/discussion/217458/thread/9a1c9620/ NOTE: Crash in CLI tool, no security impact CVE-2017-11546 (The insert_note_steps function in readmidi.c in TiMidity++ 2.14.0 allo ...) - timidity 2.14.0-4 (unimportant; bug #870338) NOTE: http://seclists.org/fulldisclosure/2017/Jul/83 NOTE: https://sourceforge.net/p/timidity/discussion/217458/thread/9a1c9620/ NOTE: Crash in CLI tool, no security impact CVE-2017-11545 REJECTED CVE-2017-11544 REJECTED CVE-2017-11543 (tcpdump 4.9.0 has a buffer overflow in the sliplink_print function in ...) {DSA-3971-1 DLA-1090-1} - tcpdump 4.9.1-3 (bug #873806) NOTE: Fixed by: https://github.com/the-tcpdump-group/tcpdump/commit/7039327875525278d17edee59720e29a3e76b7b3 NOTE: https://github.com/hackerlib/hackerlib-vul/tree/master/tcpdump-vul/global-overflow/print-sl CVE-2017-11542 (tcpdump 4.9.0 has a heap-based buffer over-read in the pimv1_print fun ...) 
{DSA-3971-1 DLA-1090-1} - tcpdump 4.9.1-3 (bug #873805) NOTE: Fixed by: https://github.com/the-tcpdump-group/tcpdump/commit/bed48062a64fca524156d7684af19f5b4a116fae NOTE: https://github.com/hackerlib/hackerlib-vul/tree/master/tcpdump-vul/heap-buffer-overflow/print-pim CVE-2017-11541 (tcpdump 4.9.0 has a heap-based buffer over-read in the lldp_print func ...) {DSA-3971-1 DLA-1090-1} - tcpdump 4.9.1-3 (bug #873804) NOTE: Fixed by: https://github.com/the-tcpdump-group/tcpdump/commit/21d702a136c5c16882e368af7c173df728242280 NOTE: https://github.com/hackerlib/hackerlib-vul/tree/master/tcpdump-vul/heap-buffer-overflow/util-print CVE-2017-11540 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) - imagemagick (Only affects ImageMagick-7 series) NOTE: https://github.com/ImageMagick/ImageMagick/issues/581 CVE-2017-11539 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-15 (unimportant; bug #870120) NOTE: https://github.com/ImageMagick/ImageMagick/issues/582 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/4e81160d66f02bf7b4f569669ca7dd80d416ba6e NOTE: ImageMagick-7: https://github.com/ImageMagick/ImageMagick/commit/36aad912d1f405a28a9a1204120b569e7da5898e CVE-2017-11538 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) - imagemagick (Vulnerable code introduced later, cf bug #870110) NOTE: https://github.com/ImageMagick/ImageMagick/issues/569 NOTE: https://github.com/ImageMagick/ImageMagick/commit/0a80c9e5f293a8de51011ac784ac52b96932c08f NOTE: Introduced after: https://github.com/ImageMagick/ImageMagick/commit/0bf18387ae1336475631284854b664d0e2d89697 CVE-2017-11537 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) 
{DSA-4019-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (low; bug #869712) NOTE: https://github.com/ImageMagick/ImageMagick/issues/560 NOTE: https://github.com/ImageMagick/ImageMagick/commit/2bbc1b96f0d9371df675fdf7b8fc9bd4a42ae9cd NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/bac384563f557d1ac7413d2eaec00dd59c3cc29b CVE-2017-11536 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) - imagemagick 8:6.9.7.4+dfsg-13 (unimportant; bug #869831) [wheezy] - imagemagick (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/567 NOTE: https://github.com/ImageMagick/ImageMagick/commit/167e1538ae9818d46c9462a4273082871e35a480 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/dba1ccfbcdf61c0eb599c7c308b42ed46dc92be6 CVE-2017-11535 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) {DSA-4204-1 DSA-4019-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (bug #869827) NOTE: https://github.com/ImageMagick/ImageMagick/issues/561 NOTE: https://github.com/ImageMagick/ImageMagick/commit/b8647f11ddfd6f85a6cc39654c7e78c2bc6412e4 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/bba95cfcc19fa8a261e12692f31279148ad42441 CVE-2017-11534 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (unimportant; bug #869711) NOTE: https://github.com/ImageMagick/ImageMagick/issues/564 NOTE: https://github.com/ImageMagick/ImageMagick/commit/3f21b17f06eacb40dab08738e0abf68fb0d58c90 CVE-2017-11533 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) 
{DSA-4204-1 DSA-4019-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (bug #869834) NOTE: https://github.com/ImageMagick/ImageMagick/issues/562 NOTE: https://github.com/ImageMagick/ImageMagick/commit/f0c29cc251578fe0ad8ec7b72f2487a77a1696b8 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/ed1fd69231ab21dc540167c63bc3b0fa3282ec59 CVE-2017-11532 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (unimportant; bug #869726) NOTE: https://github.com/ImageMagick/ImageMagick/issues/563 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/d60d705cddac7fa5d0e6596c183bbb9b46a57161 CVE-2017-11531 (When ImageMagick 7.0.6-1 processes a crafted file in convert, it can l ...) {DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (unimportant; bug #869725) NOTE: https://github.com/ImageMagick/ImageMagick/issues/566 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/c81594c6ee93581b97e8f8c743200b1366d83989 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1885ab1231e82f90d3f0e839555ee3e1a441bbf8 CVE-2017-11521 (The SdpContents::Session::Medium::parse function in resip/stack/SdpCon ...) {DLA-1439-1 DLA-1040-1} - resiprocate (low; bug #869404) [stretch] - resiprocate (Minor issue) NOTE: https://github.com/resiprocate/resiprocate/pull/88 NOTE: https://github.com/resiprocate/resiprocate/pull/88/commits/4b8ffa5afd3291a2701f8d39c31ada443f79a5c8 CVE-2017-11520 RESERVED CVE-2017-11519 (passwd_recovery.lua on the TP-Link Archer C9(UN)_V2_160517 allows an a ...) NOT-FOR-US: TP-Link CVE-2017-11518 RESERVED CVE-2017-11517 (Stack-based buffer overflow in GCoreServer.exe in the server in Geuteb ...) NOT-FOR-US: Geutebrueck Gcore CVE-2017-11516 (An XSS vulnerability exists in framework/views/errorHandler/exception. ...) 
NOT-FOR-US: Yii Framework CVE-2017-11515 RESERVED CVE-2017-11514 RESERVED CVE-2017-11513 RESERVED CVE-2017-11512 (The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file ...) NOT-FOR-US: ManageEngine ServiceDesk CVE-2017-11511 (The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file ...) NOT-FOR-US: ManageEngine ServiceDesk CVE-2017-11510 (An information leak exists in Wanscam's HW0021 network camera that all ...) NOT-FOR-US: Wanscam's HW0021 network camera CVE-2017-11509 (An authenticated remote attacker can execute arbitrary code in Firebir ...) {DLA-2129-1 DLA-1374-1} - firebird3.0 3.0.3.32900.ds4-3 [stretch] - firebird3.0 (Minor issue, can be fixed along in a future update) - firebird2.5 NOTE: https://www.tenable.com/security/research/tra-2017-36 NOTE: Firebird upstream responded to Tenable the issue is not intended to be addressed NOTE: in "any current release". NOTE: Issue addressed by disabling UDFs in firebird.conf, this is not a source code fix, NOTE: and might actually be considered more of a mitigation. NOTE: Steps to reproduce (partly) in: https://lists.debian.org/874lk9wyz5.fsf@curie.anarc.at CVE-2017-11508 (SecurityCenter versions 5.5.0, 5.5.1 and 5.5.2 contain a SQL Injection ...) NOT-FOR-US: SecurityCenter CVE-2017-11507 (A cross site scripting (XSS) vulnerability exists in Check_MK versions ...) - check-mk 1.2.8p26-1 [wheezy] - check-mk (Minor issue) NOTE: http://mathias-kettner.com/check_mk_werks.php?werk_id=7661 NOTE: https://www.tenable.com/security/research/tra-2017-20 CVE-2017-11506 (When linking a Nessus scanner or agent to Tenable.io or other manager, ...) NOT-FOR-US: Nessus CVE-2017-11565 (debian/tor.init in the Debian tor_0.2.9.11-1~deb9u1 package for Tor wa ...) 
- tor 0.3.1.7-1 (bug #869153) [stretch] - tor (Minor issue) [jessie] - tor (aa-exec in jessie is located in /usr/sbin/) [wheezy] - tor (aa-exec in jessie is located in /usr/sbin/) NOTE: https://twitter.com/pissquark/status/888142796414226432 CVE-2017-11523 (The ReadTXTImage function in coders/txt.c in ImageMagick through 6.9.9 ...) {DSA-4019-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-14 (low; bug #869210) NOTE: https://github.com/ImageMagick/ImageMagick/issues/591 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/83e0f8ffd7eeb7661b0ff83257da23d24ca7f078 NOTE: Fixed by (ImageMagick-6): https://github.com/ImageMagick/ImageMagick/commit/a8f9c2aabed37cd6a728532d1aed13ae0f3dfd78 CVE-2017-11522 (The WriteOnePNGImage function in coders/png.c in ImageMagick through 6 ...) - imagemagick (bug #869209; vulnerable code not present, ImageMagick-7 issue only) NOTE: https://github.com/ImageMagick/ImageMagick/issues/586 NOTE: https://github.com/ImageMagick/ImageMagick/commit/816ecab6c532ae086ff4186b3eaf4aa7092d536f CVE-2017-11504 RESERVED CVE-2017-11503 (PHPMailer 5.2.23 has XSS in the "From Email Address" and "To Email Add ...) - libphp-phpmailer 6.0.6-0.1 (unimportant) NOTE: code_generator.phps installed to examples CVE-2017-11502 (Technicolor DPC3928AD DOCSIS devices allow remote attackers to read ar ...) NOT-FOR-US: Technicolor CVE-2017-11501 (NixOS 17.03 and earlier has an unintended default absence of SSL Certi ...) NOT-FOR-US: NixOS CVE-2017-11500 (A directory traversal vulnerability exists in MetInfo 5.3.17. A remote ...) NOT-FOR-US: MetInfo CVE-2017-11499 (Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11. ...) - nodejs 4.8.4~dfsg-1 (bug #868162; unimportant) NOTE: https://nodejs.org/en/blog/release/v6.11.1/ NOTE: https://nodejs.org/en/blog/release/v4.8.4/ CVE-2017-11498 (Buffer overflow in hasplms in Gemalto ACC (Admin Control Center), all ...) 
NOT-FOR-US: Gemalto ACC CVE-2017-11497 (Stack buffer overflow in hasplms in Gemalto ACC (Admin Control Center) ...) NOT-FOR-US: Gemalto ACC CVE-2017-11496 (Stack buffer overflow in hasplms in Gemalto ACC (Admin Control Center) ...) NOT-FOR-US: Gemalto ACC CVE-2017-11495 (PHICOMM K2(PSG1218) devices V22.5.11.5 and earlier allow unauthenticat ...) NOT-FOR-US: PHICOMM CVE-2017-11494 (SQL injection vulnerability in SOL.Connect ISET-mpp meter 1.2.4.2 and ...) NOT-FOR-US: SOL.Connect ISET-mpp meter CVE-2017-11493 REJECTED CVE-2017-11492 REJECTED CVE-2017-11491 REJECTED CVE-2017-11490 REJECTED CVE-2017-11489 REJECTED CVE-2017-11488 REJECTED CVE-2017-11487 REJECTED CVE-2017-11486 REJECTED CVE-2017-11485 REJECTED CVE-2017-11484 REJECTED CVE-2017-11483 REJECTED CVE-2017-11482 (The Kibana fix for CVE-2017-8451 was found to be incomplete. With X-Pa ...) - kibana (bug #700337) CVE-2017-11481 (Kibana versions prior to 6.0.1 and 5.6.5 had a cross-site scripting (X ...) - kibana (bug #700337) CVE-2017-11480 (Packetbeat versions prior to 5.6.4 are affected by a denial of service ...) NOT-FOR-US: Packetbeat CVE-2017-11479 (Kibana versions prior to 5.6.1 had a cross-site scripting (XSS) vulner ...) - kibana (bug #700337) CVE-2017-11477 RESERVED CVE-2017-11476 RESERVED CVE-2017-11475 (GLPI before 9.1.5.1 has SQL Injection in the condition rule field, exp ...) - glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2017-11474 (GLPI before 9.1.5.1 has SQL Injection in the $crit variable in inc/com ...) - glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2017-11471 (IDERA Uptime Monitor 7.8 has SQL injection in /gadgets/definitions/upt ...) NOT-FOR-US: IDERA Uptime Monitor CVE-2017-11470 (IDERA Uptime Monitor 7.8 has SQL injection in /gadgets/definitions/upt ...) NOT-FOR-US: IDERA Uptime Monitor CVE-2017-11469 (get2post.php in IDERA Uptime Monitor 7.8 has directory traversal in th ...) 
NOT-FOR-US: IDERA Uptime Monitor CVE-2017-11468 (Docker Registry before 2.6.2 in Docker Distribution does not properly ...) - docker-registry 2.6.2~ds1-1 (bug #869242) CVE-2017-11467 (OrientDB through 2.2.22 does not enforce privilege requirements during ...) NOT-FOR-US: OrientDB CVE-2017-11465 (The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows a ...) - ruby2.3 (Specific to Ruby 2.4) - ruby2.1 (Specific to Ruby 2.4) CVE-2017-11464 (A SIGFPE is raised in the function box_blur_line of rsvg-filter.c in G ...) {DLA-2285-1} - librsvg 2.40.18-1 (bug #869129) [jessie] - librsvg (Vulnerable code introduced in 2.40.9) [wheezy] - librsvg (Vulnerable code introduced in 2.40.9) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=783835 NOTE: Introduced in: https://git.gnome.org/browse/librsvg/commit/?id=054807726db76558728e7a7513aabc4698b3dc95 (2.40.9) NOTE: Fixed by: https://git.gnome.org/browse/librsvg/commit/?id=ecf9267a24b2c3c0cd211dbdfa9ef2232511972a CVE-2017-11473 (Buffer overflow in the mp_override_legacy_irq() function in arch/x86/k ...) - linux 4.13.4-1 (unimportant) [stretch] - linux 4.9.47-1 [jessie] - linux 3.16.51-1 [wheezy] - linux 3.2.96-1 NOTE: Fixed by: https://git.kernel.org/linus/dad5ab0db8deac535d03e3fe3d8f2892173fa6a4 NOTE: Non-issue since ACPI tables are trusted CVE-2017-11472 (The acpi_ns_terminate() function in drivers/acpi/acpica/nsutils.c in t ...) - linux 4.12.6-1 (unimportant) NOTE: Fixed by: https://git.kernel.org/linus/3b2d69114fefa474fca542e51119036dceb4aa6f (4.12-rc1) NOTE: Non-issue since ACPI tables are trusted CVE-2017-11466 (Arbitrary file upload vulnerability in com/dotmarketing/servlets/AjaxF ...) NOT-FOR-US: dotCMS CVE-2017-11463 (In Ivanti Service Desk (formerly LANDESK Management Suite) versions be ...) NOT-FOR-US: LANDESK CVE-2017-11462 (Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attacker ...) 
- krb5 1.15.2-1 (low; bug #873563) [stretch] - krb5 (Minor issue, might lead to behaviour changes) [jessie] - krb5 (Minor issue, might lead to behaviour changes) [wheezy] - krb5 (Minor issue, might lead to behaviour changes) NOTE: Fixed by: https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf NOTE: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8598 CVE-2017-11461 (NetApp OnCommand Unified Manager for 7-mode (core package) versions pr ...) NOT-FOR-US: NetApp CVE-2017-11460 (Cross-site scripting (XSS) vulnerability in the DataArchivingService s ...) NOT-FOR-US: SAP CVE-2017-11459 (SAP TREX 7.10 allows remote attackers to (1) read arbitrary files via ...) NOT-FOR-US: SAP CVE-2017-11458 (Cross-site scripting (XSS) vulnerability in the ctcprotocol/Protocol s ...) NOT-FOR-US: SAP CVE-2017-11457 (XML external entity (XXE) vulnerability in com.sap.km.cm.ice in SAP Ne ...) NOT-FOR-US: SAP CVE-2017-11456 (Geneko GWR routers allow directory traversal sequences starting with a ...) NOT-FOR-US: Geneko GWR routers CVE-2017-11455 (diag.cgi in Pulse Connect Secure 8.2R1 through 8.2R5, 8.1R1 through 8. ...) NOT-FOR-US: Pulse Connect Secure CVE-2017-11454 RESERVED CVE-2017-11453 RESERVED CVE-2017-11452 RESERVED CVE-2017-11451 RESERVED CVE-2017-11450 (coders/jpeg.c in ImageMagick before 7.0.6-1 allows remote attackers to ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867894) NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 NOTE: https://github.com/ImageMagick/ImageMagick/commit/948356eec65aea91995d4b7cc487d197d2c5f602 CVE-2017-11449 (coders/mpc.c in ImageMagick before 7.0.6-1 does not enable seekable st ...) 
{DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867896) NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 NOTE: https://github.com/ImageMagick/ImageMagick/commit/b007dd3a048097d8f58949297f5b434612e1e1a3#diff-cdb21e3ad4d6e304030bd19bdc881fce NOTE: https://github.com/ImageMagick/ImageMagick/commit/529ff26b68febb2ac03062c58452ea0b4c6edbc1#diff-cdb21e3ad4d6e304030bd19bdc881fce CVE-2017-11448 (The ReadJPEGImage function in coders/jpeg.c in ImageMagick before 7.0. ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867893) NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1737ac82b335e53376382c07b9a500d73dd2aa11 CVE-2017-11447 (The ReadSCREENSHOTImage function in coders/screenshot.c in ImageMagick ...) {DSA-3914-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867897) [wheezy] - imagemagick (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/556 NOTE: https://github.com/ImageMagick/ImageMagick/commit/8c10b9247509c0484b55330458846115131ec2ae#diff-0a5dc34e461f3c458e758c199f2dc46d CVE-2017-11446 (The ReadPESImage function in coders\pes.c in ImageMagick 7.0.6-1 has a ...) {DSA-4019-1 DLA-1785-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-13 (low; bug #868950) NOTE: https://github.com/ImageMagick/ImageMagick/issues/537 NOTE: ImageMagick-7: https://github.com/ImageMagick/ImageMagick/commit/787ee25e9fb0e4e0509121342371d925fe5044f8 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/96182884778bfc43d6a9a0abd90cedb5d8cf8977 CVE-2017-11445 (Subrion CMS before 4.1.6 has a SQL injection vulnerability in /front/a ...) NOT-FOR-US: Subrion CMS CVE-2017-11444 (Subrion CMS before 4.1.5.10 has a SQL injection vulnerability in /fron ...) NOT-FOR-US: Subrion CMS CVE-2017-11443 RESERVED CVE-2017-11442 RESERVED CVE-2017-11441 (The WHM Upload Locale interface in cPanel before 56.0.51, 58.x before ...) 
NOT-FOR-US: WHM Upload Locale interface in cPanel CVE-2017-11440 (In Sitecore 8.2, there is absolute path traversal via the shell/Applic ...) NOT-FOR-US: Sitecore CVE-2017-11439 (In Sitecore 8.2, there is reflected XSS in the shell/Applications/Tool ...) NOT-FOR-US: Sitecore CVE-2017-11438 (GitLab Community Edition (CE) and Enterprise Edition (EE) before 9.0.1 ...) - gitlab (Only affects 8.5 onwards) NOTE: https://about.gitlab.com/2017/07/19/gitlab-9-dot-3-dot-8-released/ CVE-2017-11437 (GitLab Enterprise Edition (EE) before 8.17.7, 9.0.11, 9.1.8, 9.2.8, an ...) - gitlab (Only affects Enterprise Edition) NOTE: https://gitlab.com/gitlab-org/gitlab-ee/issues/2905 NOTE: https://about.gitlab.com/2017/07/19/gitlab-9-dot-3-dot-8-released/ CVE-2017-11436 (D-Link DIR-615 before v20.12PTb04 has a second admin account with a 0x ...) NOT-FOR-US: D-Link CVE-2017-11435 (The Humax Wi-Fi Router model HG100R-* 2.0.6 is prone to an authenticat ...) NOT-FOR-US: Humax Wi-Fi Router model HG100R-* CVE-2017-11434 (The dhcp_decode function in slirp/bootp.c in QEMU (aka Quick Emulator) ...) {DSA-3925-1 DLA-1497-1 DLA-1071-1 DLA-1070-1} - qemu 1:2.8+dfsg-7 (bug #869171) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg05001.html CVE-2017-11433 RESERVED CVE-2017-11432 RESERVED CVE-2017-11431 RESERVED CVE-2017-11430 (OmniAuth OmnitAuth-SAML 1.9.0 and earlier may incorrectly utilize the ...) - ruby-omniauth-saml (The actual vulnerability is in ruby-saml, which is used by the Debian package) NOTE: The change in 1.10.0 simply bumps the version requirement NOTE: https://github.com/omniauth/omniauth-saml/issues/156 NOTE: https://github.com/omniauth/omniauth-saml/pull/157 NOTE: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations NOTE: https://www.kb.cert.org/vuls/id/475445 CVE-2017-11429 (Clever saml2-js 2.0 and earlier may incorrectly utilize the results of ...) 
NOT-FOR-US: Clever saml2-js NOTE: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations NOTE: https://nodesecurity.io/advisories/567 NOTE: https://www.kb.cert.org/vuls/id/475445 CVE-2017-11428 (OneLogin Ruby-SAML 1.6.0 and earlier may incorrectly utilize the resul ...) - ruby-saml 1.7.2-1 (bug #892865) [stretch] - ruby-saml (Minor issue) NOTE: fixed in 1.7.0 NOTE: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations NOTE: https://www.kb.cert.org/vuls/id/475445 NOTE: https://github.com/onelogin/ruby-saml/commit/048a544730930f86e46804387a6b6fad50d8176f CVE-2017-11427 (OneLogin PythonSAML 2.3.0 and earlier may incorrectly utilize the resu ...) NOT-FOR-US: OneLogin python-saml NOTE: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations NOTE: https://www.kb.cert.org/vuls/id/475445 CVE-2017-11426 RESERVED CVE-2017-11425 RESERVED CVE-2017-11424 (In PyJWT 1.5.0 and below the `invalid_strings` check in `HMACAlgorithm ...) {DSA-3979-1} - pyjwt 1.4.2-1.1 (bug #873244) NOTE: https://github.com/jpadilla/pyjwt/pull/277 CVE-2017-11423 (The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha, ...) {DSA-3946-1 DLA-1279-1} - libmspack 0.6-1 (bug #868956) - clamav 0.99.3~beta1+dfsg-1 (unimportant) [stretch] - clamav 0.99.4+dfsg-1+deb9u1 NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11873 (not public) NOTE: https://github.com/kyz/libmspack/commit/17038206fcc384dcee6dd9e3a75f08fd3ddc6a38 NOTE: https://github.com/hackerlib/hackerlib-vul/tree/master/clamav-vul NOTE: ClamAV: https://github.com/vrtadmin/clamav-devel/commit/ffa31264a657618a0e40c51c01e4bfc32e244d13 NOTE: ClamAV: https://github.com/vrtadmin/clamav-devel/commit/ada5f94e5cfb04e1ac2a6f383f2184753f475b96 NOTE: ClamAV uses the libmspack system library when available. This is the NOTE: case starting from Debian Jessie.
Debian Wheezy does not have NOTE: libmspack and thus needs to have the fix as well in the src:clamav source package. CVE-2017-11422 (Statamic framework before 2.6.0 does not correctly check a session's p ...) NOT-FOR-US: Statamic CVE-2017-11420 (Stack-based buffer overflow in ASUS_Discovery.c in networkmap in Asusw ...) NOT-FOR-US: ASUS CVE-2017-11419 (Fiyo CMS 2.0.7 has SQL injection in /apps/app_article/controller/edito ...) NOT-FOR-US: Fiyo CMS CVE-2017-11418 (Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/ ...) NOT-FOR-US: Fiyo CMS CVE-2017-11417 (Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/ ...) NOT-FOR-US: Fiyo CMS CVE-2017-11416 (Fiyo CMS 2.0.7 has SQL injection in /apps/app_comment/controller/inser ...) NOT-FOR-US: Fiyo CMS CVE-2017-11415 (Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/sys_article ...) NOT-FOR-US: Fiyo CMS CVE-2017-11414 (Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_comment/sys_comment ...) NOT-FOR-US: Fiyo CMS CVE-2017-11413 (Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_article/controller/ ...) NOT-FOR-US: Fiyo CMS CVE-2017-11412 (Fiyo CMS 2.0.7 has SQL injection in dapur/apps/app_comment/controller/ ...) NOT-FOR-US: Fiyo CMS CVE-2017-11411 (In Wireshark through 2.0.13 and 2.2.x through 2.2.7, the openSAFETY di ...) - wireshark 2.4.0-1 (bug #870179) [stretch] - wireshark (Incomplete fix for CVE-2017-9350 not applied) [jessie] - wireshark (Incomplete fix for CVE-2017-9350 not applied) [wheezy] - wireshark (Incomplete fix for CVE-2017-9350 not applied) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13755 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a83a324acdfc07a0ca8b65e6ebaba3374ab19c76 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-28.html CVE-2017-11410 (In Wireshark through 2.0.13 and 2.2.x through 2.2.7, the WBXML dissect ...)
- wireshark 2.4.0-1 (bug #870180) [jessie] - wireshark (Incomplete fix for CVE-2017-7702 not applied) [wheezy] - wireshark (Incomplete fix for CVE-2017-7702 not applied) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13796 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=3c7168cc5f044b4da8747d35da0b2b204dabf398 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-13.html CVE-2017-11409 (In Wireshark 2.0.0 to 2.0.13, the GPRS LLC dissector could go into a l ...) {DLA-1634-1} - wireshark 2.2.0~rc1+g438c022-1 (low) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13603 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=57b83bbbd76f543eb8d108919f13b662910bff9a NOTE: https://www.wireshark.org/security/wnpa-sec-2017-37.html NOTE: Technically the 2.2.0~rc1+g438c022-1 is just the first version in unstable NOTE: after 2.1.0 from upstream. Upstream changed the types in llc_gprs_dissect_xid NOTE: in version 2.1.0. CVE-2017-11408 (In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the AMQP dissector co ...) {DSA-4060-1 DLA-1226-1} - wireshark 2.4.0-1 (bug #870172) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13780 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a102c172b0b2fe231fdb49f4f6694603f5b93b0c NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e57c86ef8e3b57b7f90c224f6053d1eacf20e1ba NOTE: https://www.wireshark.org/security/wnpa-sec-2017-34.html CVE-2017-11407 (In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the MQ dissector coul ...) 
{DLA-1634-1} - wireshark 2.4.0-1 (low; bug #870172) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13792 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=4e54dae7f0d7840836ee6d5ce1e688f152ab2978 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-35.html CVE-2017-11406 (In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the DOCSIS dissector ...) {DLA-1634-1} - wireshark 2.4.0-1 (bug #870172) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13797 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=250216263c3a3f2c651e80d9c6b3dc0adc53dc2c NOTE: https://www.wireshark.org/security/wnpa-sec-2017-36.html CVE-2017-11405 (In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators ...) NOT-FOR-US: CMS Made Simple CVE-2017-11404 (In CMS Made Simple (CMSMS) 2.2.2, remote authenticated administrators ...) NOT-FOR-US: CMS Made Simple CVE-2017-11403 (The ReadMNGImage function in coders/png.c in GraphicsMagick 1.3.26 has ...) {DSA-4321-1 DLA-1456-1 DLA-1045-1} - graphicsmagick 1.3.26-3 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/d0a76868ca37 NOTE: When fixing this CVE make sure to not make the fix incomplete and open the CVE-2017-14103 NOTE: issue. See: https://www.openwall.com/lists/oss-security/2017/09/01/6 NOTE: The additional required commit is: http://hg.code.sf.net/p/graphicsmagick/code/rev/98721124e51f CVE-2017-11402 (An issue has been discovered on the Belden Hirschmann Tofino Xenon Sec ...) NOT-FOR-US: Belden Hirschmann Tofino Xenon Security Appliance CVE-2017-11401 (An issue has been discovered on the Belden Hirschmann Tofino Xenon Sec ...) NOT-FOR-US: Belden Hirschmann Tofino Xenon Security Appliance CVE-2017-11400 (An issue has been discovered on the Belden Hirschmann Tofino Xenon Sec ...)
NOT-FOR-US: Belden Hirschmann Tofino Xenon Security Appliance CVE-2017-11421 (gnome-exe-thumbnailer before 0.9.5 is prone to a VBScript Injection wh ...) - gnome-exe-thumbnailer 0.9.5-1 (bug #868705) [stretch] - gnome-exe-thumbnailer 0.9.4-2+deb9u1 NOTE: http://news.dieweltistgarnichtso.net/posts/gnome-thumbnailer-msi-fail.html NOTE: https://github.com/gnome-exe-thumbnailer/gnome-exe-thumbnailer/commit/1d8e3102dd8fd23431ae6127d14a236da6b4a4a5 CVE-2017-11399 (Integer overflow in the ape_decode_frame function in libavcodec/apedec ...) {DSA-3957-1} - ffmpeg 7:3.3.3-1 NOTE: https://github.com/FFmpeg/FFmpeg/commit/ba4beaf6149f7241c8bd85fe853318c2f6837ad0 NOTE: Fixed in 3.2.7 CVE-2017-11398 (A session hijacking via log disclosure vulnerability in Trend Micro Sm ...) NOT-FOR-US: Trend Micro CVE-2017-11397 (A service DLL preloading vulnerability in Trend Micro Encryption for E ...) NOT-FOR-US: Trend Micro CVE-2017-11396 (Vulnerability issues with the web service inspection of input paramete ...) NOT-FOR-US: Trend Micro Web Security Virtual Appliance CVE-2017-11395 (Command injection vulnerability in Trend Micro Smart Protection Server ...) NOT-FOR-US: Trend Micro Smart Protection Server CVE-2017-11394 (Proxy command injection vulnerability in Trend Micro OfficeScan 11 and ...) NOT-FOR-US: Trend Micro CVE-2017-11393 (Proxy command injection vulnerability in Trend Micro OfficeScan 11 and ...) NOT-FOR-US: Trend Micro CVE-2017-11392 (Proxy command injection vulnerability in Trend Micro InterScan Messagi ...) NOT-FOR-US: Trend Micro CVE-2017-11391 (Proxy command injection vulnerability in Trend Micro InterScan Messagi ...) NOT-FOR-US: Trend Micro CVE-2017-11390 (XML external entity (XXE) processing vulnerability in Trend Micro Cont ...) NOT-FOR-US: Trend Micro Control Manager CVE-2017-11389 (Directory traversal vulnerability in Trend Micro Control Manager 6.0 a ...) 
NOT-FOR-US: Trend Micro Control Manager CVE-2017-11388 (SQL Injection in Trend Micro Control Manager 6.0 causes Remote Code Ex ...) NOT-FOR-US: Trend Micro Control Manager CVE-2017-11387 (Authentication Bypass in Trend Micro Control Manager 6.0 causes Inform ...) NOT-FOR-US: Trend Micro Control Manager CVE-2017-11386 (SQL Injection in Trend Micro Control Manager 6.0 causes Remote Code Ex ...) NOT-FOR-US: Trend Micro Control Manager CVE-2017-11385 (SQL Injection in Trend Micro Control Manager 6.0 causes Remote Code Ex ...) NOT-FOR-US: Trend Micro Control Manager CVE-2017-11384 (SQL Injection in Trend Micro Control Manager 6.0 causes Remote Code Ex ...) NOT-FOR-US: Trend Micro Control Manager CVE-2017-11383 (SQL Injection in Trend Micro Control Manager 6.0 causes Remote Code Ex ...) NOT-FOR-US: Trend Micro Control Manager CVE-2017-11382 (Denial of Service vulnerability in Trend Micro Deep Discovery Email In ...) NOT-FOR-US: Trend Micro CVE-2017-11381 (A command injection vulnerability exists in Trend Micro Deep Discovery ...) NOT-FOR-US: Trend Micro Deep Discovery Director CVE-2017-11380 (Backup archives were found to be encrypted with a static password acro ...) NOT-FOR-US: Trend Micro Deep Discovery Director CVE-2017-11379 (Configuration and database backup archives are not signed or validated ...) NOT-FOR-US: Trend Micro Deep Discovery Director CVE-2017-11378 RESERVED CVE-2017-11377 RESERVED CVE-2017-11376 RESERVED CVE-2017-11375 RESERVED CVE-2017-11374 RESERVED CVE-2017-11373 RESERVED CVE-2017-11372 RESERVED CVE-2017-11371 RESERVED CVE-2017-11370 RESERVED CVE-2017-11369 RESERVED CVE-2017-11368 (In MIT Kerberos 5 (aka krb5) 1.7 and later, an authenticated attacker ...) {DLA-1058-1} - krb5 1.15.1-2 (bug #869260) [stretch] - krb5 1.15-1+deb9u1 [jessie] - krb5 1.12.1+dfsg-19+deb8u3 NOTE: https://github.com/krb5/krb5/pull/678/commits/a860385dd8fbd239fdb31b347e07f4e6b2fbdcc2 CVE-2017-11367 (The shoco_decompress function in the API in shoco through 2017-07-17 a ...) 
NOT-FOR-US: shoco CVE-2017-11366 (components/filemanager/class.filemanager.php in Codiad before 2.8.4 is ...) NOT-FOR-US: Codiad CVE-2017-11365 (Certain Symfony products are affected by: Incorrect Access Control. Th ...) - symfony (introduced in versions that were never packaged in Debian) NOTE: https://symfony.com/blog/cve-2017-11365-empty-passwords-validation-issue CVE-2017-11364 (The CMS installer in Joomla! before 3.7.4 does not verify a user's own ...) NOT-FOR-US: Joomla! CVE-2017-11363 RESERVED CVE-2017-11362 (In PHP 7.x before 7.0.21 and 7.1.x before 7.1.7, ext/intl/msgformat/ms ...) - php7.1 7.1.8-1 (unimportant) - php7.0 7.0.22-1 (unimportant) - php5 (unimportant) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73473 NOTE: Fixed in 7.1.7, 7.0.21 NOTE: Only triggerable by malicious script CVE-2017-11361 (Inteno routers have a JUCI ACL misconfiguration that allows the "user" ...) NOT-FOR-US: Inteno routers CVE-2017-11360 (The ReadRLEImage function in coders\rle.c in ImageMagick 7.0.6-1 has a ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867808) NOTE: https://github.com/ImageMagick/ImageMagick/issues/518 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/224bc946b24824a77e8e8c52ee07e9bc65796e30 CVE-2017-11359 (The wavwritehdr function in wav.c in Sound eXchange (SoX) 14.4.2 allow ...) {DLA-1705-1 DLA-1197-1} - sox 14.4.2-2 (bug #870328) [stretch] - sox 14.4.1-5+deb9u2 NOTE: http://seclists.org/fulldisclosure/2017/Jul/81 NOTE: Upstream bug report https://sourceforge.net/p/sox/bugs/296/ NOTE: https://github.com/mansr/sox/commit/8b590b3a52f4ccc4eea3f41b4a067c38b3565b60 CVE-2017-11358 (The read_samples function in hcom.c in Sound eXchange (SoX) 14.4.2 all ...) 
{DLA-1705-1 DLA-1197-1} - sox 14.4.2-2 (bug #870328) [stretch] - sox 14.4.1-5+deb9u2 NOTE: http://seclists.org/fulldisclosure/2017/Jul/81 NOTE: Upstream bug report https://sourceforge.net/p/sox/bugs/296/ NOTE: https://github.com/mansr/sox/commit/6cb44a44b9eda6b321ccdbf6483348d4a9798b00 CVE-2017-11357 (Progress Telerik UI for ASP.NET AJAX before R2 2017 SP2 does not prope ...) NOT-FOR-US: Progress Telerik UI CVE-2017-11356 (The application distribution export functionality in PEGA Platform 7.2 ...) NOT-FOR-US: PEGA Platform CVE-2017-11355 (Multiple cross-site scripting (XSS) vulnerabilities in PEGA Platform 7 ...) NOT-FOR-US: PEGA Platform CVE-2017-11354 (Fiyo CMS v2.0.7 has an SQL injection vulnerability in dapur/apps/app_a ...) NOT-FOR-US: Fiyo CMS CVE-2017-11351 (Axesstel MU553S MU55XS-V1.14 devices have a default password of admin ...) NOT-FOR-US: Axesstel MU553S MU55XS-V1.14 CVE-2017-11350 (Cross-Site Request Forgery (CSRF) exists in cgi-bin/ConfigSet on Axess ...) NOT-FOR-US: Axesstel MU553S MU55XS-V1.14 CVE-2017-11349 (dataTaker DT8x dEX 1.72.007 allows remote attackers to compose program ...) NOT-FOR-US: dataTaker CVE-2017-11348 (In Octopus Deploy 3.x before 3.15.4, an authenticated user with Packag ...) NOT-FOR-US: Octopus Deploy CVE-2017-11347 (Authenticated Code Execution Vulnerability in MetInfo 5.3.17 allows a ...) NOT-FOR-US: MetInfo CVE-2017-11346 (Zoho ManageEngine Desktop Central before build 100092 allows remote at ...) NOT-FOR-US: Zoho ManageEngine Desktop Central CVE-2017-11345 (Stack buffer overflow in networkmap in Asuswrt-Merlin firmware for ASU ...) NOT-FOR-US: ASUS CVE-2017-11344 (Global buffer overflow in networkmap in Asuswrt-Merlin firmware for AS ...) NOT-FOR-US: ASUS CVE-2017-11353 (yadm (yet another dotfile manager) 1.10.0 has a race condition (relate ...) 
- yadm 1.11.1-1 (bug #868300) [stretch] - yadm 1.06-1+deb9u1 NOTE: https://github.com/TheLocehiliosan/yadm/issues/74 CVE-2017-11343 (Due to an incomplete fix for CVE-2012-6125, all versions of CHICKEN Sc ...) - chicken 4.12.0-0.2 (bug #870266) [stretch] - chicken (Minor issue) [jessie] - chicken (Minor issue) [wheezy] - chicken (Minor issue) NOTE: http://lists.nongnu.org/archive/html/chicken-announce/2017-07/msg00000.html CVE-2017-11342 (There is an illegal address access in ast.cpp of LibSass 3.4.5. A craf ...) NOTE: Bogus report against historic libsass version CVE-2017-11341 (There is a heap based buffer over-read in lexer.hpp of LibSass 3.4.5. ...) NOTE: Bogus report against historic libsass version CVE-2017-11340 (There is a Segmentation fault in the XmpParser::terminate() function i ...) - exiv2 (Vulnerable code introduced after 0.25; only affected experimental; bug #868578) NOTE: https://github.com/Exiv2/exiv2/issues/53 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470950 NOTE: Not reproducible in wheezy/jessie/stretch, I get "The file contains data of an unknown image type". NOTE: Reproducible with 0.26-1 (experimental) although I get another error "free(): invalid next size (fast)". CVE-2017-11339 (There is a heap-based buffer overflow in the Image::printIFDStructure ...) - exiv2 (Vulnerable code introduced after 0.25; only affected experimental; bug #868578) NOTE: https://github.com/Exiv2/exiv2/issues/52 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470946 NOTE: Not reproducible in wheezy/jessie/stretch, I get "The file contains data of an unknown image type". NOTE: Reproducible with 0.26-1 (experimental) although I get another error "free(): invalid next size (fast)". CVE-2017-11338 (There is an infinite loop in the Exiv2::Image::printIFDStructure funct ...) 
- exiv2 (Vulnerable code introduced after 0.25; only affected experimental; bug #868578) NOTE: https://github.com/Exiv2/exiv2/issues/51 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470913 NOTE: Not reproducible in wheezy/jessie/stretch, I get "No Exif data found in the file". NOTE: Reproducible with 0.26-1 (experimental). CVE-2017-11337 (There is an invalid free in the Action::TaskFactory::cleanup function ...) - exiv2 (Vulnerable code introduced after 0.25; only affected experimental; bug #868578) NOTE: https://github.com/Exiv2/exiv2/issues/50 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470737 NOTE: Not reproducible in wheezy/jessie/stretch (even with valgrind), I get "No Exif data found in the file". NOTE: Reproducible with 0.26-1 (experimental). NOTE: Action::TaskFactory::cleanup function is the same in all versions, so the problem is likely an earlier memory corruption. CVE-2017-11336 (There is a heap-based buffer over-read in the Image::printIFDStructure ...) - exiv2 (Vulnerable code introduced after 0.25; only affected experimental; bug #868578) NOTE: https://github.com/Exiv2/exiv2/issues/49 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470729 NOTE: Not reproducible in wheezy/jessie/stretch (even with valgrind). NOTE: Reproducible with 0.26-1 (experimental) although I get another error "free(): invalid next size (fast)". CVE-2017-11335 (There is a heap based buffer overflow in tools/tiff2pdf.c of LibTIFF 4 ...) {DSA-4100-1 DLA-1094-1 DLA-1093-1} - tiff 4.0.8-4 (bug #868513) [stretch] - tiff (Minor issue) [jessie] - tiff (Minor issue) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2715 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/69bfeec247899776b1b396651adb47436e5f1556 CVE-2017-11529 (The ReadMATImage function in coders/mat.c in ImageMagick before 6.9.9- ...) 
{DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867823) NOTE: https://github.com/ImageMagick/ImageMagick/issues/525 CVE-2017-11478 (The ReadOneDJVUImage function in coders/djvu.c in ImageMagick through ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867826) NOTE: https://github.com/ImageMagick/ImageMagick/issues/528 CVE-2017-11526 (The ReadOneMNGImage function in coders/png.c in ImageMagick before 6.9 ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867825) NOTE: https://github.com/ImageMagick/ImageMagick/issues/527 CVE-2017-11505 (The ReadOneJNGImage function in coders/png.c in ImageMagick through 6. ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867824) [jessie] - imagemagick (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/issues/526 CVE-2017-11530 (The ReadEPTImage function in coders/ept.c in ImageMagick before 6.9.9- ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867821) NOTE: https://github.com/ImageMagick/ImageMagick/issues/524 CVE-2017-11524 (The WriteBlob function in MagickCore/blob.c in ImageMagick before 6.9. ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867798) NOTE: https://github.com/ImageMagick/ImageMagick/issues/506 CVE-2017-11334 (The address_space_write_continue function in exec.c in QEMU (aka Quick ...) 
{DSA-3925-1} - qemu 1:2.8+dfsg-7 (bug #869173) [jessie] - qemu (Minor issue, root DoS, Xen regression, multiple refactorings after 2.5, no reproducer) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-07/msg03775.html NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=f5aa69bdc3418773f26747ca282c291519626ece NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=04bf2526ce87f21b32c9acba1c5518708c243ad0 NOTE: https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1752761 CVE-2017-11333 (The vorbis_analysis_wrote function in lib/block.c in Xiph.Org libvorbi ...) {DSA-4113-1 DLA-2039-1 DLA-1368-1} - libvorbis 1.3.5-4.1 (low; bug #870341) NOTE: http://seclists.org/fulldisclosure/2017/Jul/82 NOTE: https://gitlab.xiph.org/xiph/vorbis/issues/2332 NOTE: Fixed by: https://gitlab.xiph.org/xiph/vorbis/commit/a79ec216cd119069c68b8f3542c6a425a74ab993 CVE-2017-11332 (The startread function in wav.c in Sound eXchange (SoX) 14.4.2 allows ...) {DLA-1705-1 DLA-1197-1} - sox 14.4.2-2 (bug #870328) [stretch] - sox 14.4.1-5+deb9u2 NOTE: http://seclists.org/fulldisclosure/2017/Jul/81 NOTE: Upstream bug report https://sourceforge.net/p/sox/bugs/296/ NOTE: https://github.com/mansr/sox/commit/7405bcaacb1ded8c595cb751d407cf738cb26571 CVE-2017-11331 (The wav_open function in oggenc/audio.c in Xiph.Org vorbis-tools 1.4.0 ...) - vorbis-tools (unimportant) NOTE: The issue is "covered" by the fix applied in 0016-oggenc-validate-count-of-channels-in-the-header-CVE-.patch NOTE: still the return of malloc is not checked. NOTE: http://seclists.org/fulldisclosure/2017/Jul/80 NOTE: Crash in CLI tool only, negligible security impact CVE-2017-11330 (The DivFixppCore::avi_header_fix function in DivFix++Core.cpp in DivFi ...) NOT-FOR-US: DivFix++ CVE-2017-11329 (GLPI before 9.1.5 allows SQL injection via an ajax/getDropdownValue.ph ...) 
- glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2017-11328 (Heap buffer overflow in the yr_object_array_set_item() function in obj ...) - yara 3.6.3+dfsg-1 [stretch] - yara (Minor issue, too intrusive to backport) [jessie] - yara (Minor issue, too intrusive to backport) NOTE: Fixed by: https://github.com/VirusTotal/yara/commit/4a342f01e5439b9bb901aff1c6c23c536baeeb3f CVE-2017-11327 (An issue was discovered in Tilde CMS 1.0.1. It is possible to retrieve ...) NOT-FOR-US: Tilde CMS CVE-2017-11326 (An issue was discovered in Tilde CMS 1.0.1. It is possible to bypass t ...) NOT-FOR-US: Tilde CMS CVE-2017-11325 (An issue was discovered in Tilde CMS 1.0.1. Arbitrary files can be rea ...) NOT-FOR-US: Tilde CMS CVE-2017-11324 (An issue was discovered in Tilde CMS 1.0.1. Due to missing escaping of ...) NOT-FOR-US: Tilde CMS CVE-2017-11323 (Stack-based buffer overflow in ESTsoft ALZip 8.51 and earlier allows r ...) NOT-FOR-US: ESTsoft ALZip CVE-2017-11322 (The chroothole_client executable in UCOPIA Wireless Appliance before 5 ...) NOT-FOR-US: UCOPIA Wireless Appliance CVE-2017-11321 (The restricted shell interface in UCOPIA Wireless Appliance before 5.1 ...) NOT-FOR-US: UCOPIA Wireless Appliance CVE-2017-11320 (Persistent XSS through the SSID of nearby Wi-Fi devices on Technicolor ...) NOT-FOR-US: Technicolor TC7337 routers CVE-2017-11319 (Perspective ICM Investigation & Case 5.1.1.16 allows remote authen ...) NOT-FOR-US: Perspective ICM Investigation CVE-2017-11318 (Cobian Backup 11 client allows man-in-the-middle attackers to add and ...) NOT-FOR-US: Cobian CVE-2017-11317 (Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 ...) NOT-FOR-US: Progress Telerik UI CVE-2017-11316 RESERVED CVE-2017-11315 RESERVED CVE-2017-11314 RESERVED CVE-2017-11313 RESERVED CVE-2017-11312 RESERVED CVE-2017-11311 (soundlib/Load_psm.cpp in OpenMPT through 1.26.12.00 and libopenmpt bef ...)
- libopenmpt 0.2.8461~beta26-1 (bug #867579) [stretch] - libopenmpt 0.2.7386~beta20.3-3+deb9u2 CVE-2017-11310 (The read_user_chunk_callback function in coders\png.c in ImageMagick 7 ...) - imagemagick (Vulnerable code not present, Only affects ImageMagick-7) NOTE: https://github.com/ImageMagick/ImageMagick/issues/517 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/8ca35831e91c3db8c6d281d09b605001003bec08 CVE-2017-11309 (Buffer overflow in the SoftConsole client in Avaya IP Office before 10 ...) NOT-FOR-US: Avaya IP Office CVE-2017-11308 (Adobe Acrobat and Reader versions 2017.012.20098 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2017-11307 (Adobe Acrobat and Reader versions 2017.012.20098 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2017-11306 (Adobe Acrobat and Reader versions 2017.012.20098 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2017-11305 (A regression affecting Adobe Flash Player version 27.0.0.187 (and earl ...) NOT-FOR-US: Adobe CVE-2017-11304 (An issue was discovered in Adobe Photoshop 18.1.1 (2017.1.1) and earli ...) NOT-FOR-US: Adobe CVE-2017-11303 (An issue was discovered in Adobe Photoshop 18.1.1 (2017.1.1) and earli ...) NOT-FOR-US: Adobe CVE-2017-11302 (An issue was discovered in Adobe InDesign 12.1.0 and earlier versions. ...) NOT-FOR-US: Adobe CVE-2017-11301 (An issue was discovered in Adobe Digital Editions 4.5.6 and earlier ve ...) NOT-FOR-US: Adobe CVE-2017-11300 (An issue was discovered in Adobe Digital Editions 4.5.6 and earlier ve ...) NOT-FOR-US: Adobe CVE-2017-11299 (An issue was discovered in Adobe Digital Editions 4.5.6 and earlier ve ...) NOT-FOR-US: Adobe CVE-2017-11298 (An issue was discovered in Adobe Digital Editions 4.5.6 and earlier ve ...) NOT-FOR-US: Adobe CVE-2017-11297 (An issue was discovered in Adobe Digital Editions 4.5.6 and earlier ve ...) NOT-FOR-US: Adobe CVE-2017-11296 (An issue was discovered in Adobe Experience Manager 6.3, 6.2, 6.1, 6.0 ...) 
NOT-FOR-US: Adobe CVE-2017-11295 (An issue was discovered in Adobe DNG Converter 9.12.1 and earlier vers ...) NOT-FOR-US: Adobe CVE-2017-11294 (An issue was discovered in Adobe Shockwave 12.2.9.199 and earlier. An ...) NOT-FOR-US: Adobe CVE-2017-11293 (An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 an ...) NOT-FOR-US: Adobe CVE-2017-11292 (Adobe Flash Player version 27.0.0.159 and earlier has a flawed bytecod ...) NOT-FOR-US: Adobe Flash Player CVE-2017-11291 (An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A ...) NOT-FOR-US: Adobe CVE-2017-11290 (An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A ...) NOT-FOR-US: Adobe CVE-2017-11289 (An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A ...) NOT-FOR-US: Adobe CVE-2017-11288 (An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A ...) NOT-FOR-US: Adobe CVE-2017-11287 (An issue was discovered in Adobe Connect 9.6.2 and earlier versions. A ...) NOT-FOR-US: Adobe CVE-2017-11286 (Adobe ColdFusion has an XML external entity (XXE) injection vulnerabil ...) NOT-FOR-US: Adobe ColdFusion CVE-2017-11285 (Adobe ColdFusion has a cross-site scripting (XSS) vulnerability. This ...) NOT-FOR-US: Adobe ColdFusion CVE-2017-11284 (Adobe ColdFusion has an Untrusted Data Deserialization vulnerability. ...) NOT-FOR-US: Adobe ColdFusion CVE-2017-11283 (Adobe ColdFusion has an Untrusted Data Deserialization vulnerability. ...) NOT-FOR-US: Adobe ColdFusion CVE-2017-11282 (Adobe Flash Player has an exploitable memory corruption vulnerability ...) NOT-FOR-US: Adobe CVE-2017-11281 (Adobe Flash Player has an exploitable memory corruption vulnerability ...) NOT-FOR-US: Adobe CVE-2017-11280 (Adobe Digital Editions 4.5.4 and earlier has an exploitable memory cor ...) NOT-FOR-US: Adobe CVE-2017-11279 (Adobe Digital Editions 4.5.4 and earlier has an exploitable use after ...) 
NOT-FOR-US: Adobe CVE-2017-11278 (Adobe Digital Editions 4.5.4 and earlier has an exploitable memory cor ...) NOT-FOR-US: Adobe CVE-2017-11277 (Adobe Digital Editions 4.5.4 and earlier has an exploitable memory cor ...) NOT-FOR-US: Adobe CVE-2017-11276 (Adobe Digital Editions 4.5.4 and earlier has an exploitable memory cor ...) NOT-FOR-US: Adobe CVE-2017-11275 (Adobe Digital Editions 4.5.4 and earlier has an exploitable heap overf ...) NOT-FOR-US: Adobe CVE-2017-11274 (Adobe Digital Editions 4.5.4 and earlier has an exploitable use after ...) NOT-FOR-US: Adobe CVE-2017-11273 (An issue was discovered in Adobe Digital Editions 4.5.6 and earlier ve ...) NOT-FOR-US: Adobe CVE-2017-11272 (Adobe Digital Editions 4.5.4 and earlier has a security bypass vulnera ...) NOT-FOR-US: Adobe CVE-2017-11271 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11270 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11269 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11268 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11267 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11266 REJECTED CVE-2017-11265 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11264 REJECTED CVE-2017-11263 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11262 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11261 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) 
NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11260 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11259 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11258 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11257 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11256 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11255 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11254 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11253 (Adobe Acrobat and Reader versions 2017.012.20098 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2017-11252 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11251 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11250 (Adobe Acrobat and Reader versions 2017.012.20098 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2017-11249 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11248 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11247 REJECTED CVE-2017-11246 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11245 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11244 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) 
NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11243 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11242 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11241 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11240 (Adobe Acrobat and Reader versions 2017.012.20098 and earlier, 2017.011 ...) NOT-FOR-US: Adobe CVE-2017-11239 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11238 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11237 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11236 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11235 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11234 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11233 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11232 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11231 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11230 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11229 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11228 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) 
NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11227 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11226 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11225 (An issue was discovered in Adobe Flash Player 27.0.0.183 and earlier v ...) NOT-FOR-US: Adobe CVE-2017-11224 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11223 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11222 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11221 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11220 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11219 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11218 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11217 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11216 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11215 (An issue was discovered in Adobe Flash Player 27.0.0.183 and earlier v ...) NOT-FOR-US: Adobe CVE-2017-11214 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11213 (An issue was discovered in Adobe Flash Player 27.0.0.183 and earlier v ...) NOT-FOR-US: Adobe CVE-2017-11212 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) 
NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11211 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11210 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-11209 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-1000083 (backend/comics/comics-document.c (aka the comic book backend) in GNOME ...) {DSA-3916-1 DSA-3911-1 DLA-1031-1} - evince 3.22.1-4 - atril 1.16.1-2.1 (bug #868500) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=784630 CVE-2017-11208 RESERVED CVE-2017-11207 RESERVED CVE-2017-11206 RESERVED CVE-2017-11205 RESERVED CVE-2017-11204 RESERVED CVE-2017-11203 RESERVED CVE-2017-11202 (FineCMS through 2017-07-12 allows XSS in visitors.php because JavaScri ...) NOT-FOR-US: FineCMS CVE-2017-11201 (application/core/controller/images.php in FineCMS through 2017-07-12 a ...) NOT-FOR-US: FineCMS CVE-2017-11200 (SQL Injection exists in FineCMS through 2017-07-12 via the application ...) NOT-FOR-US: FineCMS CVE-2017-11199 RESERVED CVE-2017-11198 (Cross-site scripting (XSS) vulnerability in /application/lib/ajax/get_ ...) NOT-FOR-US: FineCMS CVE-2017-11197 RESERVED CVE-2017-12562 (Heap-based Buffer Overflow in the psf_binheader_writef function in com ...) {DLA-1049-1} - libsndfile 1.0.28-3 (bug #869166) [stretch] - libsndfile (Minor issue) [jessie] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/292 NOTE: https://github.com/erikd/libsndfile/commit/cf7a8182c2642c50f1cf90dddea9ce96a8bad2e8 CVE-2017-11196 (Pulse Connect Secure 8.3R1 has CSRF in logout.cgi. The logout function ...) NOT-FOR-US: Pulse Connect Secure CVE-2017-11195 (Pulse Connect Secure 8.3R1 has Reflected XSS in launchHelp.cgi. The he ...) NOT-FOR-US: Pulse Connect Secure CVE-2017-11194 (Pulse Connect Secure 8.3R1 has Reflected XSS in adminservercacertdetai ...) 
NOT-FOR-US: Pulse Connect Secure CVE-2017-11193 (Pulse Connect Secure 8.3R1 has CSRF in diag.cgi. In the panel, the dia ...) NOT-FOR-US: Pulse Connect Secure CVE-2017-11192 RESERVED CVE-2017-11191 (** DISPUTED ** FreeIPA 4.x with API version 2.213 allows a remote auth ...) NOTE: non-issue claimed for freeipa CVE-2017-11190 (unrarlib.c in unrar-free 0.0.1, when _DEBUG_LOG mode is enabled, might ...) - unrar-free (unimportant) NOTE: Affected debug code not enabled CVE-2017-11189 (unrarlib.c in unrar-free 0.0.1 might allow remote attackers to cause a ...) - unrar-free (unimportant) NOTE: Crash in CLI tool, no security impact CVE-2017-11187 (phpMyFAQ before 2.9.8 does not properly mitigate brute-force attacks t ...) NOT-FOR-US: phpMyFAQ CVE-2017-11186 RESERVED CVE-2017-11185 (The gmp plugin in strongSwan before 5.6.0 allows remote attackers to c ...) {DSA-3962-1 DLA-1059-1} - strongswan 5.6.0-1 (bug #872155) NOTE: https://www.strongswan.org/blog/2017/08/14/strongswan-vulnerability-(cve-2017-11185).html NOTE: https://git.strongswan.org/?p=strongswan.git;a=commit;h=ef5c37fcdf47273feea320091598135688df4ef7 CVE-2017-11184 (SQL injection exists in front/devicesoundcard.php in GLPI before 9.1.5 ...) - glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2017-11183 (front/backup.php in GLPI before 9.1.5 allows remote authenticated admi ...) - glpi (unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2017-11182 (In Rise Ultimate Project Manager v1.8, XSS vulnerabilities were found ...) NOT-FOR-US: Rise Ultimate Project Manager CVE-2017-11181 (In Rise Ultimate Project Manager v1.8, XSS vulnerabilities were found ...) NOT-FOR-US: Rise Ultimate Project Manager CVE-2017-11180 (FineCMS through 2017-07-11 has stored XSS in the logging functionality ...) NOT-FOR-US: FineCMS CVE-2017-11179 (FineCMS through 2017-07-11 has stored XSS in route=admin when modifyin ...)
NOT-FOR-US: FineCMS CVE-2017-11178 (In FineCMS through 2017-07-11, application/core/controller/style.php a ...) NOT-FOR-US: FineCMS CVE-2017-11177 (TRITON AP-EMAIL 8.2 before 8.2 IB does not properly restrict file acce ...) NOT-FOR-US: TRITON CVE-2017-11176 (The mq_notify function in the Linux kernel through 4.11.9 does not set ...) {DSA-3945-1 DSA-3927-1 DLA-1099-1} - linux 4.11.11-1 NOTE: Fixed by: https://git.kernel.org/linus/f991af3daabaecff34684fd51fac80319d1baad1 CVE-2017-11175 (In J2 Innovations FIN Stack 4.0, the authentication webform is vulnera ...) NOT-FOR-US: J2 Innovations FIN Stack CVE-2017-11174 (In install/page_dbsettings.php in the Core distribution of XOOPS 2.5.8 ...) NOT-FOR-US: XOOPS CVE-2017-11173 (Missing anchor in generated regex for rack-cors before 0.4.1 allows a ...) {DSA-3931-1} - ruby-rack-cors 0.4.1-1 [jessie] - ruby-rack-cors (Vulnerable code not present) CVE-2017-11172 RESERVED CVE-2017-1000096 (Arbitrary code execution due to incomplete sandbox protection: Constru ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000095 (The default whitelist included the following unsafe entries: DefaultGr ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000094 (Docker Commons Plugin provides a list of applicable credential IDs to ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000093 (Poll SCM Plugin was not requiring requests to its API be sent via POST ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000092 (Git Plugin connects to a user-specified Git repository as part of form ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000091 (GitHub Branch Source Plugin connects to a user-specified GitHub API UR ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000090 (Role-based Authorization Strategy Plugin was not requiring requests to ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000089 (Builds in Jenkins are associated with an authentication that controls ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000088 (The Sidebar Link plugin allows users able to configure jobs, views, an ...) 
NOT-FOR-US: Jenkins plugin CVE-2017-1000087 (GitHub Branch Source provides a list of applicable credential IDs to a ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000086 (The Periodic Backup Plugin did not perform any permission checks, allo ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000085 (Subversion Plugin connects to a user-specified Subversion repository a ...) NOT-FOR-US: Jenkins plugin CVE-2017-1000084 (Parameterized Trigger Plugin fails to check Item/Build permission: The ...) NOT-FOR-US: Jenkins plugin CVE-2017-11171 (Bad reference counting in the context of accept_ice_connection() in gs ...) - gnome-session 2.30.0-1 NOTE: https://github.com/GNOME/gnome-session/commit/b0dc999e0b45355314616321dbb6cb71e729fc9d CVE-2017-11170 (The ReadTGAImage function in coders\tga.c in ImageMagick 7.0.5-6 has a ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (low; bug #868184) NOTE: https://github.com/ImageMagick/ImageMagick/issues/472 CVE-2017-11169 (Privilege Escalation on iBall iB-WRA300N3GT iB-WRA300N3GT_1.1.1 device ...) NOT-FOR-US: iBall iB-WRA300N3GT iB-WRA300N3GT_1.1.1 devices CVE-2017-11168 RESERVED CVE-2017-11167 (FineCMS 2.1.0 allows remote attackers to execute arbitrary PHP code by ...) NOT-FOR-US: FineCMS CVE-2017-11166 (The ReadXWDImage function in coders\xwd.c in ImageMagick 7.0.5-6 has a ...) - imagemagick 8:6.9.7.4+dfsg-7 (unimportant; bug #868263) [wheezy] - imagemagick 8:6.7.7.10-5+deb7u14 NOTE: https://github.com/ImageMagick/ImageMagick/issues/471 CVE-2017-11165 (dataTaker DT80 dEX 1.50.012 allows remote attackers to obtain sensitiv ...) NOT-FOR-US: dataTaker CVE-2017-11164 (In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exe ...) - pcre3 (unimportant) NOTE: http://openwall.com/lists/oss-security/2017/07/11/3 CVE-2017-11163 (Cross-site scripting (XSS) vulnerability in aggregate_graphs.php in Ca ...) 
- cacti 1.1.12+ds1-1 (bug #868080) [stretch] - cacti (Vulnerable code introduced later) [jessie] - cacti (Vulnerable code introduced later) [wheezy] - cacti (Vulnerable code introduced later) NOTE: https://github.com/Cacti/cacti/issues/847 NOTE: aggregate_graphs.php not available in 0.8.8. NOTE: Upstream claims fix for CVE-2017-10970 also fixes this CVE NOTE: but produced this patch anyway: https://github.com/Cacti/cacti/commit/bf5b1309dcf68578c3bdc4db54112dfb2e8ec4f4 CVE-2017-11162 (Directory traversal vulnerability in synphotoio in Synology Photo Stat ...) NOT-FOR-US: Synology CVE-2017-11161 (Multiple SQL injection vulnerabilities in Synology Photo Station befor ...) NOT-FOR-US: Synology CVE-2017-11160 (Multiple untrusted search path vulnerabilities in installer in Synolog ...) NOT-FOR-US: Installer in Synology Assistant CVE-2017-11159 (Multiple untrusted search path vulnerabilities in installer in Synolog ...) NOT-FOR-US: Installer in Synology Photo Station Uploader CVE-2017-11158 (Multiple untrusted search path vulnerabilities in the installer in Syn ...) NOT-FOR-US: Synology Cloud Station Drive CVE-2017-11157 (Multiple untrusted search path vulnerabilities in the installer in Syn ...) NOT-FOR-US: Synology CVE-2017-11156 (Synology Download Station 3.8.x before 3.8.5-3475 and 3.x before 3.5-2 ...) NOT-FOR-US: Synology Download Station CVE-2017-11155 (An information exposure vulnerability in index.php in Synology Photo S ...) NOT-FOR-US: Synology Photo Station CVE-2017-11154 (Unrestricted file upload vulnerability in PixlrEditorHandler.php in Sy ...) NOT-FOR-US: Synology Photo Station CVE-2017-11153 (Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology ...) NOT-FOR-US: Synology Photo Station CVE-2017-11152 (Directory traversal vulnerability in PixlrEditorHandler.php in Synolog ...) NOT-FOR-US: Synology Photo Station CVE-2017-11151 (A vulnerability in synotheme_upload.php in Synology Photo Station befo ...) 
NOT-FOR-US: Synology Photo Station CVE-2017-11150 (Command injection vulnerability in Document.php in Synology Office 2.2 ...) NOT-FOR-US: Synology Office CVE-2017-11149 (Server-side request forgery (SSRF) vulnerability in Downloader in Syno ...) NOT-FOR-US: Synology Download Station CVE-2017-11148 (Server-side request forgery (SSRF) vulnerability in link preview in Sy ...) NOT-FOR-US: Synology Chat CVE-2017-11146 REJECTED CVE-2017-11145 (In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, an er ...) {DSA-4081-1 DSA-4080-1 DLA-1034-1} - php7.1 7.1.8-1 - php7.0 7.0.22-1 - php5 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74819 NOTE: Fixed in 7.1.7, 7.0.21, 5.6.31 NOTE: Fixed by: https://github.com/php/php-src/commit/e8b7698f5ee757ce2c8bd10a192a491a498f891c NOTE: http://openwall.com/lists/oss-security/2017/07/10/6 CVE-2017-1000362 (The re-key admin monitor was introduced in Jenkins 1.498 and re-encryp ...) - jenkins CVE-2017-1000081 (Linux foundation ONOS 1.9.0 is vulnerable to unauthenticated upload of ...) NOT-FOR-US: ONOS CVE-2017-1000080 (Linux foundation ONOS 1.9.0 allows unauthenticated use of websockets. ...) NOT-FOR-US: ONOS CVE-2017-1000079 (Linux foundation ONOS 1.9.0 is vulnerable to a DoS. ...) NOT-FOR-US: ONOS CVE-2017-1000078 (Linux foundation ONOS 1.9 is vulnerable to XSS in the device. registra ...) NOT-FOR-US: ONOS CVE-2017-1000077 REJECTED CVE-2017-1000076 REJECTED CVE-2017-1000075 (Creolabs Gravity version 1.0 is vulnerable to a stack overflow in the ...) NOT-FOR-US: Creolabs Gravity CVE-2017-1000074 (Creolabs Gravity version 1.0 is vulnerable to a stack overflow in the ...) NOT-FOR-US: Creolabs Gravity CVE-2017-1000073 (Creolabs Gravity version 1.0 is vulnerable to a heap overflow in an un ...) NOT-FOR-US: Creolabs Gravity CVE-2017-1000072 (Creolabs Gravity version 1.0 is vulnerable to a Double Free in gravity ...) 
NOT-FOR-US: Creolabs Gravity CVE-2017-1000071 (Jasig phpCAS version 1.3.4 is vulnerable to an authentication bypass i ...) - php-cas 1.3.6-1 (bug #868466) [stretch] - php-cas (Minor issue) [jessie] - php-cas (Minor issue) [wheezy] - php-cas (Minor issue, only works with old CAS server) NOTE: https://github.com/Jasig/phpCAS/issues/228 NOTE: Fixed by: https://github.com/apereo/phpCAS/commit/c9ba00327fd0ac8faecc62ce150c1986022856cd NOTE: The vulnerability only exists when the server is affected by NOTE: another very old vulnerability fixed in 2010. CVE-2017-1000070 (The Bitly oauth2_proxy in version 2.1 and earlier was affected by an o ...) NOT-FOR-US: Bitly oauth2_proxy CVE-2017-1000069 (CSRF in Bitly oauth2_proxy 2.1 during authentication flow ...) NOT-FOR-US: Bitly oauth2_proxy CVE-2017-1000068 (TestTrack Server versions 1.0 and earlier are vulnerable to an authent ...) NOT-FOR-US: TestTrack CVE-2017-1000067 (MODX Revolution version 2.x - 2.5.6 is vulnerable to blind SQL injecti ...) NOT-FOR-US: MODX Revolution CVE-2017-1000066 (The entry details view function in KeePass version 1.32 inadvertently ...) - keepass2 (Only affects 1.x) CVE-2017-1000065 (Multiple Cross-site scripting (XSS) vulnerabilities in rpc.php in Open ...) NOT-FOR-US: OpenMediaVault CVE-2017-1000064 (kittoframework kitto version 0.5.1 is vulnerable to memory exhaustion ...) NOT-FOR-US: kittoframework kitto CVE-2017-1000063 (kittoframework kitto version 0.5.1 is vulnerable to an XSS in the 404 ...) NOT-FOR-US: kittoframework kitto CVE-2017-1000062 (kittoframework kitto 0.5.1 is vulnerable to directory traversal in the ...) NOT-FOR-US: kittoframework kitto CVE-2017-1000061 (xmlsec 1.2.23 and before is vulnerable to XML External Entity Expansio ...) 
- xmlsec1 1.2.24-1 [stretch] - xmlsec1 (Minor issue) [jessie] - xmlsec1 (Minor issue) [wheezy] - xmlsec1 (Minor issue) NOTE: https://github.com/lsh123/xmlsec/issues/43 CVE-2017-1000060 (EyesOfNetwork (EON) 5.1 Unauthenticated SQL Injection in eonweb leadin ...) NOT-FOR-US: EyesOfNetwork (EON) CVE-2017-1000059 (Live Helper Chat version 2.06v and older is vulnerable to Cross-Site S ...) NOT-FOR-US: Live Helper Chat CVE-2017-1000058 (Stored XSS vulnerabilities in chevereto CMS before version 3.8.11, one ...) NOT-FOR-US: chevereto CMS CVE-2017-1000057 REJECTED CVE-2017-1000056 (Kubernetes version 1.5.0-1.5.4 is vulnerable to a privilege escalation ...) - kubernetes 1.5.5+dfsg-1 NOTE: https://github.com/kubernetes/kubernetes/issues/43459 CVE-2017-1000055 REJECTED CVE-2017-1000054 (Rocket.Chat version 0.8.0 and newer is vulnerable to XSS in the markdo ...) NOT-FOR-US: Rocket.Chat CVE-2017-1000053 (Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to ...) NOT-FOR-US: Elixir Plug CVE-2017-1000052 (Elixir Plug before v1.0.4, v1.1.7, v1.2.3 and v1.3.2 is vulnerable to ...) NOT-FOR-US: Elixir Plug CVE-2017-1000051 (Cross-site scripting (XSS) vulnerability in pad export in XWiki labs C ...) NOT-FOR-US: XWiki labs CVE-2017-1000049 REJECTED CVE-2017-1000048 (the web framework using ljharb's qs module older than v6.3.2, v6.2.3, ...) NOT-FOR-US: ljharb CVE-2017-1000047 (rbenv (all current versions) is vulnerable to Directory Traversal in t ...) - rbenv (bug #869702) [buster] - rbenv (Minor issue) [stretch] - rbenv (Minor issue) [jessie] - rbenv (Minor issue) [wheezy] - rbenv (Minor issue) NOTE: https://github.com/rbenv/rbenv/issues/977 NOTE: .ruby-version is .rbenv-version in wheezy CVE-2017-1000046 (Mautic 2.6.1 and earlier fails to set flags on session cookies ...) NOT-FOR-US: Mautic CVE-2017-1000045 REJECTED CVE-2017-1000043 (Mapbox.js versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 are vulne ...) 
NOT-FOR-US: Mapbox.js CVE-2017-1000042 (Mapbox.js versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 are vulne ...) NOT-FOR-US: Mapbox.js CVE-2017-1000039 (Framadate version 1.0 is vulnerable to Formula Injection in the CSV Ex ...) NOT-FOR-US: Framadate CVE-2017-1000038 (WordPress plugin Relevanssi version 3.5.7.1 is vulnerable to stored XS ...) NOT-FOR-US: WordPress plugin CVE-2017-1000037 (RVM automatically loads environment variables from files in $PWD resul ...) NOT-FOR-US: RVM CVE-2017-1000036 REJECTED CVE-2017-1000035 (Tiny Tiny RSS before 829d478f is vulnerable to XSS window.opener attac ...) - tt-rss 17.1+git20170410+dfsg-1 NOTE: https://git.tt-rss.org/git/tt-rss/commit/829d478f1b054c8ce1eeb4f15170dc4a1abb3e47 CVE-2017-1000034 (Akka versions <=2.4.16 and 2.5-M1 are vulnerable to a java deserial ...) NOT-FOR-US: Akka CVE-2017-1000033 (Wordpress Plugin Vospari Forms version < 1.4 is vulnerable to a ref ...) NOT-FOR-US: WordPress plugin CVE-2017-1000032 (Cross-Site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remot ...) - cacti 0.8.8b+dfsg-6 [wheezy] - cacti 0.8.8a+dfsg-5+deb7u3 NOTE: MITRE will not reject the entry, but the issue is already covered by the NOTE: patch as for CVE-2014-4002. See discussion in NOTE: https://github.com/distributedweaknessfiling/DWF-CVE-Database/issues/27 CVE-2017-1000031 (SQL injection vulnerability in graph_templates_inputs.php in Cacti 0.8 ...) - cacti 0.8.8e+ds1-1 [jessie] - cacti (Minor issue, can be mitigated with Web Application Firewalls) [wheezy] - cacti (Minor issue, can be mitigated with Web Application Firewalls) NOTE: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2016-007/?fid=7789 NOTE: MITRE disagrees that this CVE is a duplicate of CVE-2014-4002 and CVE-2016-3172. NOTE: MITRE believes that CVE-2017-1000031 is a different vulnerability than NOTE: CVE-2014-4002 and CVE-2016-3172. 
This is because they separate on vulnerability NOTE: type, so it cannot be a duplicate of CVE-2014-4002 despite sharing attack NOTE: vectors with this vulnerability, and covers different attack vectors than NOTE: CVE-2016-3172 despite sharing vulnerability type, and appears to be NOTE: independently fixable from said vulnerability based on the fix provided here: NOTE: https://github.com/Cacti/cacti/issues/866 NOTE: According to https://github.com/Cacti/cacti/issues/866#issuecomment-316865448 NOTE: the first issue was fixed by https://github.com/Cacti/cacti/commit/be800c9e552d2929106b576922e9693c83b4bd46 NOTE: whereas the second issue was fixed by https://github.com/Cacti/cacti/commit/4e4dd6784adfc07b6011da999809d86a06f0f4e5 NOTE: After the request to MITRE to reject this CVE, elbrus discovered that also NOTE: CVE-2015-4634 seems part of the duplication. Upstream commit 4e4dd67 was in the NOTE: preparation git tree for 1.x, its equivalent svn commit was used to fix NOTE: CVE-2015-4634 in Debian. CVE-2017-1000030 (Oracle, GlassFish Server Open Source Edition 3.0.1 (build 22) is vulne ...) - glassfish (Vulnerable code not included, see bug #853998) CVE-2017-1000029 (Oracle, GlassFish Server Open Source Edition 3.0.1 (build 22) is vulne ...) - glassfish (Vulnerable code not included, see bug #853998) CVE-2017-1000028 (Oracle, GlassFish Server Open Source Edition 4.1 is vulnerable to both ...) - glassfish (Vulnerable code not included, see bug #853998) CVE-2017-1000027 (Koozali Foundation SME Server versions 8.x, 9.x, 10.x are vulnerable t ...) NOT-FOR-US: Koozali Foundation SME Server CVE-2017-1000026 (Chef Software's mixlib-archive versions 0.3.0 and older are vulnerable ...)
{DSA-3915-1} - ruby-mixlib-archive 0.4.1-1 (bug #868572) NOTE: https://github.com/chef/mixlib-archive/pull/6 NOTE: https://github.com/chef/mixlib-archive/pull/6/commits/3a874a24aed6ee93fbccf97efe0ecc999bafe87d CVE-2017-1000025 (GNOME Web (Epiphany) 3.23 before 3.23.5, 3.22 before 3.22.6, 3.20 befo ...) - epiphany-browser 3.22.6-1 (unimportant) NOTE: webkit not covered by security support CVE-2017-1000024 (Shotwell version 0.24.4 or earlier and 0.25.3 or earlier is vulnerable ...) - shotwell 0.25.4+really0.24.5-0.1 (unimportant) CVE-2017-1000023 (LogicalDoc Community Edition 7.5.3 and prior is vulnerable to an XSS w ...) NOT-FOR-US: LogicalDoc Community Edition CVE-2017-1000022 (LogicalDoc Community Edition 7.5.3 and prior contain an Incorrect acce ...) NOT-FOR-US: LogicalDoc Community Edition CVE-2017-1000021 (LogicalDoc Community Edition 7.5.3 and prior is vulnerable to XXE when ...) NOT-FOR-US: LogicalDoc Community Edition CVE-2017-1000020 (SYN Flood or FIN Flood attack in ECos 1 and other versions embedded de ...) NOT-FOR-US: ECos CVE-2017-1000018 (phpMyAdmin 4.0, 4.4., and 4.6 are vulnerable to a DOS attack in the re ...) - phpmyadmin 4:4.6.6-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2017-7 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/afe84645f29f5acc9970f3ffa5673585bf2dee7d (4.0-branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/4549ebde5a044b42c36da50dbf1af76a88545352 (4.4-branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/96b4f13e54c9ebbebfd19d0690bfa0812b6818c1 (4.6-branch) CVE-2017-1000017 (phpMyAdmin 4.0, 4.4 and 4.6 are vulnerable to a weakness where a user ...) 
- phpmyadmin 4:4.6.6-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2017-6 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/f8ad5bd759156c8c00a1c3e0ef374660027a3bb4 (4.0-branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/ca8edbcd83fcd624701f43c99e7e675c1ab20387 (4.{4,6}-branch) CVE-2017-1000016 (A weakness was discovered where an attacker can inject arbitrary value ...) - phpmyadmin 4:4.6.6-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2017-5 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/3b6ed1f9ecaab86c488d106b1588d7683a6d53ef CVE-2017-1000015 (phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a CSS injection attack ...) - phpmyadmin 4:4.6.6-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2017-4 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/8a0816266cc1db9e9889829f9f0d88a19650c977 (4.0-branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/bd3677f161977bf0cc800cae82e65355bf49f342 (4.4-branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/3a6247674e653507294f23480b4c0e1c532badbe (4.6-branch) CVE-2017-1000014 (phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to a DOS weakness in the t ...) - phpmyadmin 4:4.6.6-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2017-3 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/3d230b6ab76ff018645f2090c2664169835f465b (4.{0,4,6}-branch) CVE-2017-1000013 (phpMyAdmin 4.0, 4.4, and 4.6 are vulnerable to an open redirect weakne ...) 
- phpmyadmin 4:4.6.6-1 (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2017-1 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/7fe97a1f3c4695f630e39d9433b8fa7539eee30e (4.0-branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/1e5c0ae5b44c58296e11b92497767c8677653cba (4.4-branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/4c84070ad6136c3158caa93286754ebbfbce61ab (4.6-branch) NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/e37bf40f44a3272a6709eb5b38feccac41658e3f (4.6-branch) CVE-2017-1000012 (MySQL Dumper version 1.24 is vulnerable to stored XSS when displaying ...) NOT-FOR-US: MySQL Dumper CVE-2017-1000011 (MyWebSQL version 3.6 is vulnerable to stored XSS in the database manag ...) NOT-FOR-US: MyWebSQL CVE-2017-1000010 (Audacity 2.1.2 through 2.3.2 is vulnerable to Dll HIjacking in the avf ...) - audacity (Specific to Windows packaging) CVE-2017-1000009 (Akeneo PIM CE and EE <1.6.6, <1.5.15, <1.4.28 are vulnerable ...) NOT-FOR-US: Akeneo PIM CVE-2017-1000008 (Chyrp Lite version 2016.04 is vulnerable to a CSRF in the user setting ...) NOT-FOR-US: Chyrp Lite CVE-2017-1000007 (txAWS (all current versions) fail to perform complete certificate veri ...) NOT-FOR-US: txAWS CVE-2017-1000006 (Plotly, Inc. plotly.js versions prior to 1.16.0 are vulnerable to an X ...) NOT-FOR-US: plotly.js (different from the plotly Python package) CVE-2017-1000005 (PHPMiniAdmin version 1.9.160630 is vulnerable to stored XSS in the nam ...) NOT-FOR-US: PHPMiniAdmin CVE-2017-1000004 (ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in ...) NOT-FOR-US: ATutor CVE-2017-1000003 (ATutor versions 2.2.1 and earlier are vulnerable to an incorrect acces ...) NOT-FOR-US: ATutor CVE-2017-1000002 (ATutor versions 2.2.1 and earlier are vulnerable to a directory traver ...) NOT-FOR-US: ATutor CVE-2017-1000001 (FedMsg 0.18.1 and older is vulnerable to a message validation flaw res ...) 
- fedmsg (bug #868508) [jessie] - fedmsg (Minor issue) NOTE: https://github.com/fedora-infra/fedmsg/commit/5c21cf88a CVE-2017-11141 (The ReadMATImage function in coders\mat.c in ImageMagick 7.0.5-6 has a ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (low; bug #868264) NOTE: https://github.com/ImageMagick/ImageMagick/issues/469 NOTE: https://github.com/ImageMagick/ImageMagick/commit/353b942bd83da7e1356ba99c942848bd1871ee9f CVE-2017-11140 (The ReadJPEGImage function in coders/jpeg.c in GraphicsMagick 1.3.26 c ...) {DSA-4321-1 DLA-1456-1 DLA-1045-1} - graphicsmagick 1.3.26-3 (low) NOTE: Fixed by: http://hg.code.sf.net/p/graphicsmagick/code/rev/b4139088b49a CVE-2017-11139 (GraphicsMagick 1.3.26 has double free vulnerabilities in the ReadOneJN ...) {DSA-4321-1} - graphicsmagick 1.3.26-2 (low) [jessie] - graphicsmagick (vulnerable code for CVE-2017-11102 not applied in Jessie) [wheezy] - graphicsmagick (vulnerable code for CVE-2017-11102 not applied in Wheezy) NOTE: Fixed by: http://hg.code.sf.net/p/graphicsmagick/code/rev/4d0baa77245b CVE-2017-11138 RESERVED CVE-2017-11137 RESERVED CVE-2017-11136 (An issue was discovered in heinekingmedia StashCat through 1.7.5 for A ...) NOT-FOR-US: heinekingmedia StashCat CVE-2017-11135 (An issue was discovered in heinekingmedia StashCat through 1.7.5 for A ...) NOT-FOR-US: heinekingmedia StashCat CVE-2017-11134 (An issue was discovered in heinekingmedia StashCat through 1.7.5 for A ...) NOT-FOR-US: heinekingmedia StashCat CVE-2017-11133 (An issue was discovered in heinekingmedia StashCat through 1.7.5 for A ...) NOT-FOR-US: heinekingmedia StashCat CVE-2017-11132 (An issue was discovered in heinekingmedia StashCat before 1.5.18 for A ...) NOT-FOR-US: heinekingmedia StashCat CVE-2017-11131 (An issue was discovered in heinekingmedia StashCat through 1.7.5 for A ...) NOT-FOR-US: heinekingmedia StashCat CVE-2017-11130 (An issue was discovered in heinekingmedia StashCat through 1.7.5 for A ...) 
NOT-FOR-US: heinekingmedia StashCat CVE-2017-11129 (An issue was discovered in heinekingmedia StashCat through 1.7.5 for A ...) NOT-FOR-US: heinekingmedia StashCat CVE-2017-11128 (Bolt CMS 3.2.14 allows stored XSS via text input, as demonstrated by t ...) NOT-FOR-US: Bolt CMS CVE-2017-11127 (Bolt CMS 3.2.14 allows stored XSS by uploading an SVG document with a ...) NOT-FOR-US: Bolt CMS CVE-2017-11126 (The III_i_stereo function in libmpg123/layer3.c in mpg123 through 1.25 ...) - mpg123 1.25.3-1 (unimportant) NOTE: no security impact CVE-2017-11125 (libxar.so in xar 1.6.1 has a NULL pointer dereference in the xar_get_p ...) - xar CVE-2017-11124 (libxar.so in xar 1.6.1 has a NULL pointer dereference in the xar_unser ...) - xar CVE-2017-11123 RESERVED CVE-2017-11122 (On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56, an attacker can t ...) NOT-FOR-US: Broadcom CVE-2017-11121 (On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, p ...) NOT-FOR-US: Broadcom CVE-2017-11120 (On Broadcom BCM4355C0 Wi-Fi chips 9.44.78.27.0.1.56 and other chips, a ...) NOT-FOR-US: Broadcom CVE-2017-11119 (The chk_mem_access function in cpu/nes6502/nes6502.c in libnosefart.a ...) - xine-lib-1.2 (it is built with --disable-nosefart) - xine-lib (it is built with --disable-nosefart) NOTE: https://sourceforge.net/p/nosefart/bugs/6/ CVE-2017-11118 (The ExifImageFile::readImage function in ExifImageFileRead.cpp in Open ...) NOT-FOR-US: OpenExif CVE-2017-11117 (The ExifImageFile::readDHT function in ExifImageFileRead.cpp in OpenEx ...) NOT-FOR-US: OpenExif CVE-2017-11116 (The ExifImageFile::readDQT function in ExifImageFileRead.cpp in OpenEx ...) NOT-FOR-US: OpenExif CVE-2017-11115 (The ExifJpegHUFFTable::deriveTable function in ExifHuffmanTable.cpp in ...) NOT-FOR-US: OpenExif CVE-2017-11114 (The put_chars function in html_r.c in Twibright Links 2.14 allows remo ...) 
- links2 2.14-3 (unimportant; bug #870299) NOTE: PoC: http://seclists.org/fulldisclosure/2017/Jul/76 CVE-2017-11527 (The ReadDPXImage function in coders/dpx.c in ImageMagick before 6.9.9- ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867812) NOTE: https://github.com/ImageMagick/ImageMagick/issues/523 CVE-2017-11528 (The ReadDIBImage function in coders/dib.c in ImageMagick before 6.9.9- ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867811) NOTE: https://github.com/ImageMagick/ImageMagick/issues/522 CVE-2017-11525 (The ReadCINImage function in coders/cin.c in ImageMagick before 6.9.9- ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867810) NOTE: https://github.com/ImageMagick/ImageMagick/issues/519 CVE-2017-11188 (The ReadDPXImage function in coders\dpx.c in ImageMagick 7.0.6-0 has a ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867806) NOTE: https://github.com/ImageMagick/ImageMagick/issues/509 CVE-2017-11113 (In ncurses 6.0, there is a NULL Pointer Dereference in the _nc_parse_e ...) - ncurses 6.0+20170701-1 [stretch] - ncurses 6.0+20161126-1+deb9u1 [jessie] - ncurses 5.9+20140913-1+deb8u1 [wheezy] - ncurses (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1464691 CVE-2017-11112 (In ncurses 6.0, there is an attempted 0xffffffffffffffff access in the ...) - ncurses 6.0+20170701-1 [stretch] - ncurses 6.0+20161126-1+deb9u1 [jessie] - ncurses 5.9+20140913-1+deb8u1 [wheezy] - ncurses (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1464686 CVE-2017-11111 (In Netwide Assembler (NASM) 2.14rc0, preproc.c allows remote attackers ...) {DLA-1041-1} - nasm 2.13.02-0.1 (bug #867988) [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392415 CVE-2017-11110 (The ole_init function in ole.c in catdoc 0.95 allows remote attackers ...) 
{DSA-3917-1 DLA-1037-1} - catdoc 1:0.95-3 (bug #867717) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1468471 CVE-2017-11109 (Vim 8.0 allows attackers to cause a denial of service (invalid free) o ...) {DLA-1871-1 DLA-1030-1} - vim 2:8.0.0197-5 (low; bug #867720) [stretch] - vim 2:8.0.0197-4+deb9u1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1468492 CVE-2017-11108 (tcpdump 4.9.0 allows remote attackers to cause a denial of service (he ...) {DSA-3971-1 DLA-1090-1} - tcpdump 4.9.1-1 (bug #867718) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1468504 NOTE: Proposed patch: https://github.com/the-tcpdump-group/tcpdump/pull/617 NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/d9e65de3d94698ec90dbca42962a30dd2f0680e1 (4.9.1) CVE-2017-11107 (phpLDAPadmin through 1.2.3 has XSS in htdocs/entry_chooser.php via the ...) {DLA-1561-1 DLA-1019-1} - phpldapadmin 1.2.2-6.2 (bug #867719) NOTE: https://github.com/leenooks/phpLDAPadmin/issues/50 NOTE: https://bugs.launchpad.net/ubuntu/+source/phpldapadmin/+bug/1701731 CVE-2017-11106 RESERVED CVE-2017-11105 (The OnePlus 2 Primary Bootloader (PBL) does not validate the SBL1 part ...) NOT-FOR-US: OnePlus CVE-2017-1000050 (JasPer 2.0.12 is vulnerable to a NULL pointer exception in the functio ...) - jasper (unimportant) NOTE: https://www.openwall.com/lists/oss-security/2017/03/06/1 NOTE: https://github.com/mdadams/jasper/issues/120 NOTE: Fixed by: https://github.com/mdadams/jasper/commit/58ba0365d911b9f9dd68e9abf826682c0b4f2293 CVE-2017-1002024 (Vulnerability in web application Kind Editor v4.1.12, kindeditor/php/u ...) NOT-FOR-US: kindeditor CVE-2017-11103 (Heimdal before 7.4 allows remote attackers to impersonate services wit ...) 
{DSA-3912-1 DSA-3909-1 DLA-1027-1} - heimdal 7.4.0.dfsg.1-1 (bug #868208) - samba 2:4.6.5+dfsg-4 (bug #868209) [wheezy] - samba (Heimdal is only used in 4.x, wheezy ships 3.6.6) - samba4 [wheezy] - samba4 (dynamically linked against system heimdal) NOTE: https://orpheus-lyre.info/ NOTE: https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea NOTE: samba's source package embeds heimdal but the binary is statically linked to src:heimdal NOTE: https://www.samba.org/samba/security/CVE-2017-11103.html NOTE: Upstream Samba Bug: https://bugzilla.samba.org/show_bug.cgi?id=12894 CVE-2017-11102 (The ReadOneJNGImage function in coders/png.c in GraphicsMagick 1.3.26 ...) {DSA-4321-1 DLA-1456-1 DLA-1045-1} - graphicsmagick 1.3.26-2 (bug #867746) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/d445af60a8d5 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/dea93a690fc1 NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/4d0baa77245b NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/e8f859704230 CVE-2017-11101 (When SWFTools 0.9.2 processes a crafted file in swfcombine, it can lea ...) - swftools (unimportant; bug #871022) NOTE: https://github.com/matthiaskramm/swftools/issues/26 CVE-2017-11100 (When SWFTools 0.9.2 processes a crafted file in swfextract, it can lea ...) - swftools (unimportant; bug #871024) NOTE: https://github.com/matthiaskramm/swftools/issues/27 CVE-2017-11099 (When SWFTools 0.9.2 processes a crafted file in wav2swf, it can lead t ...) - swftools (unimportant; bug #871018) NOTE: https://github.com/matthiaskramm/swftools/issues/31 CVE-2017-11098 (When SWFTools 0.9.2 processes a crafted file in png2swf, it can lead t ...) - swftools (unimportant; bug #871020) NOTE: https://github.com/matthiaskramm/swftools/issues/32 CVE-2017-11097 (When SWFTools 0.9.2 processes a crafted file in swfc, it can lead to a ...) 
- swftools (unimportant; bug #871025) NOTE: https://github.com/matthiaskramm/swftools/issues/24 CVE-2017-11096 (When SWFTools 0.9.2 processes a crafted file in swfcombine, it can lea ...) - swftools (unimportant; bug #871026) NOTE: https://github.com/matthiaskramm/swftools/issues/25 CVE-2017-11095 RESERVED CVE-2017-11094 RESERVED CVE-2017-11093 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11092 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11091 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11090 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11089 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) - linux 4.12.6-1 [stretch] - linux 4.9.47-1 [jessie] - linux 3.16.51-1 NOTE: Fixed by: https://git.kernel.org/linus/8feb69c7bd89513be80eb19198d48f154b254021 CVE-2017-11088 (Improper Input Validation in Linux io-prefetch in Snapdragon Mobile an ...) NOT-FOR-US: Snapdragon CVE-2017-11087 (libOmxVenc in Android for MSM, Firefox OS for MSM, and QRD Android cop ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-11086 RESERVED CVE-2017-11085 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11084 RESERVED CVE-2017-11083 RESERVED CVE-2017-11082 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11081 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11080 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) 
NOT-FOR-US: Qualcomm components for Android CVE-2017-11079 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11078 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11077 RESERVED CVE-2017-11076 RESERVED CVE-2017-11075 (In Qualcomm Android for MSM, Firefox OS for MSM, and QRD Android with ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11074 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11073 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11072 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: HTC component for Android CVE-2017-11071 RESERVED CVE-2017-11070 RESERVED CVE-2017-11069 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11068 RESERVED CVE-2017-11067 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11066 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11065 RESERVED CVE-2017-11064 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11063 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11062 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11061 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) 
NOT-FOR-US: Qualcomm components for Android CVE-2017-11060 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11059 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11058 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11057 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11056 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11055 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11054 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11053 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11052 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11051 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11050 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11049 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11048 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11047 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) 
NOT-FOR-US: Qualcomm components for Android CVE-2017-11046 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11045 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11044 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11043 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11042 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11041 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-11040 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-11039 RESERVED CVE-2017-11038 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11037 RESERVED CVE-2017-11036 RESERVED CVE-2017-11035 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11034 RESERVED CVE-2017-11033 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11032 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11031 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11030 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11029 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) 
NOT-FOR-US: Qualcomm components for Android CVE-2017-11028 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Android CVE-2017-11027 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11026 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11025 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11024 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11023 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11022 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11021 RESERVED CVE-2017-11020 RESERVED CVE-2017-11019 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11018 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11017 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11016 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11015 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11014 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11013 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) 
NOT-FOR-US: Qualcomm components for Android CVE-2017-11012 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11011 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11010 (In Android before 2018-01-05 on Qualcomm Snapdragon IoT, Snapdragon Mo ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11009 RESERVED CVE-2017-11008 REJECTED CVE-2017-11007 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11006 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm closed-source components for Android CVE-2017-11005 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm closed-source components for Android CVE-2017-11004 (A non-secure user may be able to access certain registers in snapdrago ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11003 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-11002 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-11001 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-11000 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-10999 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-10998 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-10997 (In all Qualcomm products with Android releases from CAF using the Linu ...) 
NOT-FOR-US: Qualcomm driver for Android CVE-2017-10996 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-10995 (The mng_get_long function in coders/png.c in ImageMagick 7.0.6-0 allow ...) {DSA-4204-1 DLA-1081-1} - imagemagick 8:6.9.6.2+dfsg-2 (bug #867748) NOTE: https://github.com/ImageMagick/ImageMagick/issues/538 NOTE: https://github.com/ImageMagick/ImageMagick/commit/24430226caf7eb468b4180f2883b2563e8cc1b23 NOTE: https://github.com/ImageMagick/ImageMagick/commit/1fdc09dc8f9522f07f5f501fe8453765ad82556c NOTE: The second commit is not security relevant, cf. NOTE: https://github.com/ImageMagick/ImageMagick/issues/538#issuecomment-317047977 CVE-2017-10994 (Foxit Reader before 8.3.1 and PhantomPDF before 8.3.1 have an Arbitrar ...) NOT-FOR-US: Foxit Reader CVE-2017-10993 (Contao before 3.5.28 and 4.x before 4.4.1 allows remote attackers to i ...) NOT-FOR-US: Contao CVE-2017-10992 (In HPE Storage Essentials 9.5.0.142, there is Unauthenticated Java Des ...) NOT-FOR-US: HPE CVE-2017-10991 (The WP Statistics plugin through 12.0.9 for WordPress has XSS in the r ...) NOT-FOR-US: WordPress plugin CVE-2017-10990 RESERVED CVE-2017-10989 (The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3 ...) {DLA-1633-1 DLA-1018-1} - sqlite3 3.19.3-3 (bug #867618) [stretch] - sqlite3 3.16.2-5+deb9u1 NOTE: https://sqlite.org/src/vpatch?from=0db20efe201736b3&to=66de6f4a9504ec26 NOTE: https://sqlite.org/src/info/66de6f4a NOTE: https://bugs.launchpad.net/ubuntu/+source/sqlite3/+bug/1700937 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2405 NOTE: http://marc.info/?l=sqlite-users&m=149933696214713&w=2 CVE-2017-10988 REJECTED CVE-2017-10987 (An FR-GV-304 issue in FreeRADIUS 3.x before 3.0.15 allows "DHCP - Buff ...)
- freeradius 3.0.15+dfsg-1 (bug #868765) [stretch] - freeradius 3.0.12+dfsg-5+deb9u1 [jessie] - freeradius (Only affects 3.x series) [wheezy] - freeradius (Only affects 3.x series) NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-304 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/19a18bf7c8af649c9e9742fb6a046f6aff639866 CVE-2017-10986 (An FR-GV-303 issue in FreeRADIUS 3.x before 3.0.15 allows "DHCP - Infi ...) - freeradius 3.0.15+dfsg-1 (bug #868765) [stretch] - freeradius 3.0.12+dfsg-5+deb9u1 [jessie] - freeradius (Only affects 3.x series) [wheezy] - freeradius (Only affects 3.x series) NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-303 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/21e2e95751bfb54c0fb0328392d06671a75c191c CVE-2017-10985 (An FR-GV-302 issue in FreeRADIUS 3.x before 3.0.15 allows "Infinite lo ...) - freeradius 3.0.15+dfsg-1 (bug #868765) [stretch] - freeradius 3.0.12+dfsg-5+deb9u1 [jessie] - freeradius (Only affects 3.x series) [wheezy] - freeradius (Only affects 3.x series) NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-302 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/6726c16549b131ed39f6f8886cdf5d9d922a9a97 CVE-2017-10984 (An FR-GV-301 issue in FreeRADIUS 3.x before 3.0.15 allows "Write overf ...) - freeradius 3.0.15+dfsg-1 (bug #868765) [stretch] - freeradius 3.0.12+dfsg-5+deb9u1 [jessie] - freeradius (Only affects 3.x series) [wheezy] - freeradius (Only affects 3.x series) NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-301 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/931850e5d2f65193520c2d9c9878148c0cdc16a6 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/4b059296e14b6ab75dc17163077490528a819806 CVE-2017-10983 (An FR-GV-206 issue in FreeRADIUS 2.x before 2.2.10 and 3.x before 3.0. ...) 
{DSA-3930-1 DLA-1064-1} - freeradius 3.0.15+dfsg-1 (bug #868765) NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-206 NOTE: 2.x: https://github.com/FreeRADIUS/freeradius-server/commit/ec08b30f87066f82073d02fab57e8ffeef81373d NOTE: 3.x: https://github.com/FreeRADIUS/freeradius-server/commit/5759b20af99af6d30924f0efd8da5eac2a17163d CVE-2017-10982 (An FR-GV-205 issue in FreeRADIUS 2.x before 2.2.10 allows "DHCP - Buff ...) {DLA-1064-1} - freeradius 3.0.12+dfsg-3 [jessie] - freeradius 2.2.5+dfsg-0.2+deb8u1 NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-205 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/10b6de9345c9e0d9d4d5e0426fa5c3d68d702875 NOTE: Mark as fixed in 3.0.12+dfsg-3 the first 3.x version in unstable NOTE: This is not fully technically correct, the issue affects only the 2.x NOTE: series but not 3.x. CVE-2017-10981 (An FR-GV-204 issue in FreeRADIUS 2.x before 2.2.10 allows "DHCP - Memo ...) {DLA-1064-1} - freeradius 3.0.12+dfsg-3 [jessie] - freeradius 2.2.5+dfsg-0.2+deb8u1 NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-204 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/812766e2150faa07b4c574e51393b014feaffe6c NOTE: Mark as fixed in 3.0.12+dfsg-3 the first 3.x version in unstable NOTE: This is not fully technically correct, the issue affects only the 2.x NOTE: series but not 3.x. CVE-2017-10980 (An FR-GV-203 issue in FreeRADIUS 2.x before 2.2.10 allows "DHCP - Memo ...) {DLA-1064-1} - freeradius 3.0.12+dfsg-3 [jessie] - freeradius 2.2.5+dfsg-0.2+deb8u1 NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-203 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/ef0727fc68e211a36637b5c4e4a6fa1326f0a029 NOTE: Mark as fixed in 3.0.12+dfsg-3 the first 3.x version in unstable NOTE: This is not fully technically correct, the issue affects only the 2.x NOTE: series but not 3.x. CVE-2017-10979 (An FR-GV-202 issue in FreeRADIUS 2.x before 2.2.10 allows "Write overf ...) 
{DLA-1064-1} - freeradius 3.0.12+dfsg-3 [jessie] - freeradius 2.2.5+dfsg-0.2+deb8u1 NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-202 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/ae3ba0011e7d299e92c45300e0137a56a650e8f5 NOTE: Mark as fixed in 3.0.12+dfsg-3 the first 3.x version in unstable NOTE: This is not fully technically correct, the issue affects only the 2.x NOTE: series but not 3.x. CVE-2017-10978 (An FR-GV-201 issue in FreeRADIUS 2.x before 2.2.10 and 3.x before 3.0. ...) {DSA-3930-1 DLA-1064-1} - freeradius 3.0.15+dfsg-1 (bug #868765) NOTE: http://freeradius.org/security/fuzzer-2017.html#FR-GV-201 NOTE: 2.x: https://github.com/FreeRADIUS/freeradius-server/commit/38ee90f2a5a28dc5887a30bdfdc98109c0418e68 NOTE: 3.x: https://github.com/FreeRADIUS/freeradius-server/commit/fc8662d7e827f630d515eaa0bddfa94754c8047f CVE-2017-1000082 (systemd v233 and earlier fails to safely parse usernames starting with ...) - systemd 234-1 (unimportant) [jessie] - systemd (Vulnerable code introduced in systemd-229) [wheezy] - systemd (Vulnerable code introduced in systemd-229) NOTE: https://github.com/systemd/systemd/issues/6237 NOTE: Fixed by: https://github.com/systemd/systemd/commit/bb28e68477a3a39796e4999a6cbc6ac6345a9159 NOTE: https://www.openwall.com/lists/oss-security/2017/07/02/1 CVE-2017-10977 RESERVED CVE-2017-10976 (When SWFTools 0.9.2 processes a crafted file in ttftool, it can lead t ...) - swftools (unimportant) NOTE: ttftool not shipped in Debian package CVE-2017-10975 (Cross-site scripting (XSS) vulnerability in Lutim before 0.8 might all ...) NOT-FOR-US: Lutim CVE-2017-10974 (Yaws 1.91 allows Unauthenticated Remote File Disclosure via HTTP Direc ...) - yaws 1.91-2 NOTE: Slightly different, additional CVE assignment which MITRE insists on, but fixed by the NOTE: original patch for CVE-2011-4350 CVE-2017-10973 (In FineCMS before 2017-07-06, application/lib/ajax/get_image_data.php ...) 
NOT-FOR-US: FineCMS CVE-2017-10970 (Cross-site scripting (XSS) vulnerability in link.php in Cacti 1.1.12 a ...) - cacti 1.1.12+ds1-1 (bug #867532) [stretch] - cacti (Vulnerable code introduced later) [jessie] - cacti (Vulnerable code introduced later) [wheezy] - cacti (Vulnerable code introduced later) NOTE: https://github.com/Cacti/cacti/issues/838 NOTE: https://github.com/Cacti/cacti/commit/3381cba6a9e36b01ed0ab0acfd41b00487966cb5 CVE-2017-11147 (In PHP before 5.6.30 and 7.x before 7.0.15, the PHAR archive handler c ...) {DLA-1034-1} - php7.1 7.1.1-1 - php7.0 7.0.15-1 - php5 [jessie] - php5 5.6.30+dfsg-0+deb8u1 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73773 NOTE: Fixed in 7.1.1, 7.0.15, 5.6.30 NOTE: https://git.php.net/?p=php-src.git;a=commitdiff;h=e5246580a85f031e1a3b8064edbaa55c1643a451 NOTE: http://openwall.com/lists/oss-security/2017/07/10/6 CVE-2017-11144 (In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the o ...) {DSA-4081-1 DSA-4080-1 DLA-1034-1} - php7.1 7.1.8-1 - php7.0 7.0.22-1 - php5 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74651 NOTE: Fixed in 7.1.7, 7.0.21, 5.6.31 NOTE: https://git.php.net/?p=php-src.git;a=commitdiff;h=89637c6b41b510c20d262c17483f582f115c66d6 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=73cabfedf519298e1a11192699f44d53c529315e NOTE: https://git.php.net/?p=php-src.git;a=commit;h=91826a311dd37f4c4e5d605fa7af331e80ddd4c3 NOTE: http://openwall.com/lists/oss-security/2017/07/10/6 CVE-2017-11143 (In PHP before 5.6.31, an invalid free in the WDDX deserialization of b ...) 
{DSA-4081-1 DLA-1034-1} - php7.1 (Only affected 5.6) - php7.0 (Only affected 5.6) - php5 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74145 NOTE: https://git.php.net/?p=php-src.git;a=commitdiff;h=2aae60461c2ff7b7fbcdd194c789ac841d0747d7 NOTE: https://git.php.net/?p=php-src.git;a=commitdiff;h=f269cdcd4f76accbecd03884f327cffb9a7f1ca9 NOTE: http://openwall.com/lists/oss-security/2017/07/10/6 CVE-2017-11142 (In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remot ...) {DSA-4081-1} - php7.1 7.1.3+-1 - php7.0 7.0.17-1 - php5 [wheezy] - php5 (vulnerable code not present) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73807 NOTE: Fixed in 7.1.3, 7.0.17, 5.6.31 NOTE: https://github.com/php/php-src/commit/a15bffd105ac28fd0dd9b596632dbf035238fda3 NOTE: https://github.com/php/php-src/commit/0f8cf3b8497dc45c010c44ed9e96518e11e19fc3 NOTE: http://openwall.com/lists/oss-security/2017/07/10/6 CVE-2017-10972 (Uninitialized data in endianness conversion in the XEvent handling of ...) {DSA-3905-1 DLA-1026-1} - xorg-server 2:1.19.3-2 (bug #867492) NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=05442de962d3dc624f79fc1a00eca3ffc5489ced NOTE: https://www.openwall.com/lists/oss-security/2017/07/06/6 CVE-2017-10971 (In the X.Org X server before 2017-06-19, a user authenticated to an X ...) {DSA-3905-1 DLA-1026-1} - xorg-server 2:1.19.3-2 (bug #867492) NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=ba336b24052122b136486961c82deac76bbde455 NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=8caed4df36b1f802b4992edcfd282cbeeec35d9d NOTE: https://cgit.freedesktop.org/xorg/xserver/commit/?id=215f894965df5fb0bb45b107d84524e700d2073c NOTE: https://www.openwall.com/lists/oss-security/2017/07/06/6 CVE-2017-10969 RESERVED CVE-2017-10968 (In FineCMS through 2017-07-07, application\core\controller\template.ph ...) NOT-FOR-US: FineCMS CVE-2017-10967 (In FineCMS before 2017-07-06, application\core\controller\config.php a ...) 
NOT-FOR-US: FineCMS CVE-2017-10966 (An issue was discovered in Irssi before 1.0.4. While updating the inte ...) {DLA-1089-1} - irssi 1.0.4-1 (low; bug #867598) [stretch] - irssi 1.0.2-1+deb9u2 [jessie] - irssi 0.8.17-1+deb8u5 NOTE: https://irssi.org/security/irssi_sa_2017_07.txt NOTE: https://github.com/irssi/irssi/commit/5e26325317c72a04c1610ad952974e206384d291 CVE-2017-10965 (An issue was discovered in Irssi before 1.0.4. When receiving messages ...) {DLA-1089-1} - irssi 1.0.4-1 (low; bug #867598) [stretch] - irssi 1.0.2-1+deb9u2 [jessie] - irssi 0.8.17-1+deb8u5 NOTE: https://irssi.org/security/irssi_sa_2017_07.txt NOTE: https://github.com/irssi/irssi/commit/5e26325317c72a04c1610ad952974e206384d291 CVE-2017-10964 RESERVED CVE-2017-10963 (In Knox SDS IAM (Identity Access Management) and EMM (Enterprise Mobil ...) NOT-FOR-US: Samsung CVE-2017-10962 (REDCap before 7.5.1 has XSS via the query string. ...) NOT-FOR-US: REDCap CVE-2017-10961 (REDCap before 7.5.1 has CSRF in the deletion feature of the File Repos ...) NOT-FOR-US: REDCap CVE-2017-10960 RESERVED CVE-2017-10959 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-10958 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-10957 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-10956 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-10955 (** DISPUTED ** This vulnerability allows remote attackers to execute a ...) NOT-FOR-US: EMC CVE-2017-10954 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Bitdefender Internet Security Internet Security 2018 CVE-2017-10953 (This vulnerability allows remote attackers to execute arbitrary code o ...) 
NOT-FOR-US: Foxit Reader CVE-2017-10952 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-10951 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-10950 (This vulnerability allows local attackers to execute arbitrary code on ...) NOT-FOR-US: Bitdefender Total Security CVE-2017-10949 (Directory Traversal in Dell Storage Manager 2016 R2.1 causes Informati ...) NOT-FOR-US: Dell Storage Manager CVE-2017-10948 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-10947 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-10946 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-10945 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-10944 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-10943 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-10942 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Foxit Reader CVE-2017-10941 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Foxit Reader CVE-2017-10940 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Joyent CVE-2017-10939 REJECTED CVE-2017-10938 REJECTED CVE-2017-10937 (SQL injection vulnerability in all versions prior to V2.01.05.09 of th ...) NOT-FOR-US: ZTE CVE-2017-10936 (SQL injection vulnerability in all versions prior to V4.01.01 of the Z ...) NOT-FOR-US: ZTE ZXCDN-SNS CVE-2017-10935 (All versions prior to ZSRV2 V3.00.40 of the ZTE ZXR10 1800-2S products ...) 
NOT-FOR-US: ZTE ZXR10 1800-2S products CVE-2017-10934 (All versions prior to V5.09.02.02T4 of the ZTE ZXIPTV-EPG product use ...) NOT-FOR-US: ZTE ZXIPTV-EPG product CVE-2017-10933 (All versions prior to V2.06.00.00 of ZTE ZXDT22 SF01, an monitoring sy ...) NOT-FOR-US: ZTE ZXDT22 SF01 CVE-2017-10932 (All versions prior to V12.17.20 of the ZTE Microwave NR8000 series pro ...) NOT-FOR-US: ZTE Microwave CVE-2017-10931 (The ZXR10 1800-2S before v3.00.40 incorrectly restricts the download o ...) NOT-FOR-US: ZXR10 1800-2S CVE-2017-10930 (The ZXR10 1800-2S before v3.00.40 incorrectly restricts access to a re ...) NOT-FOR-US: ZXR10 1800-2S CVE-2017-10929 (The grub_memmove function in shlr/grub/kern/misc.c in radare2 1.5.0 al ...) {DLA-1016-1} - radare2 1.6.0+dfsg-1 (low; bug #867369) [jessie] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/issues/7855 NOTE: https://github.com/radare/radare2/commit/c57997e76ec70862174a1b3b3aeb62a6f8570e85 CVE-2017-10928 (In ImageMagick 7.0.6-0, a heap-based buffer over-read in the GetNextTo ...) {DSA-3914-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #867367) NOTE: https://github.com/ImageMagick/ImageMagick/issues/539 CVE-2017-10927 RESERVED CVE-2017-10926 (IrfanView 4.44 (32bit) with FPX Plugin 4.47 might allow attackers to c ...) NOT-FOR-US: IrfanView CVE-2017-10925 (IrfanView 4.44 (32bit) with FPX Plugin 4.47 might allow attackers to c ...) NOT-FOR-US: IrfanView CVE-2017-10924 (IrfanView 4.44 (32bit) with FPX Plugin 4.47 allows attackers to execut ...) NOT-FOR-US: IrfanView CVE-2017-10910 (MQTT.js 2.x.x prior to 2.15.0 issue in handling PUBLISH tickets may le ...) - node-mqtt (Fixed before initial upload) CVE-2017-10909 (Untrusted search path vulnerability in Music Center for PC version 1.0 ...) NOT-FOR-US: Music Center for PC CVE-2017-10908 (H2O version 2.2.3 and earlier allows remote attackers to cause a denia ...) 
- h2o 2.2.4+dfsg-1 (medium) NOTE: https://github.com/h2o/h2o/issues/1544 CVE-2017-10907 (Directory traversal vulnerability in OneThird CMS Show Off v1.85 and e ...) NOT-FOR-US: OneThird CMS Show Off CVE-2017-10906 (Escape sequence injection vulnerability in Fluentd versions 0.12.29 th ...) NOT-FOR-US: Fluentd CVE-2017-10905 (A vulnerability in applications created using Qt for Android prior to ...) NOT-FOR-US: Qt for Android CVE-2017-10904 (Qt for Android prior to 5.9.0 allows remote attackers to execute arbit ...) NOT-FOR-US: Qt for Android CVE-2017-10903 (Improper authentication issue in PTW-WMS1 firmware version 2.000.012 a ...) NOT-FOR-US: PTW-WMS1 firmware CVE-2017-10902 (PTW-WMS1 firmware version 2.000.012 allows remote attackers to execute ...) NOT-FOR-US: PTW-WMS1 firmware CVE-2017-10901 (Buffer overflow in PTW-WMS1 firmware version 2.000.012 allows remote a ...) NOT-FOR-US: PTW-WMS1 firmware CVE-2017-10900 (PTW-WMS1 firmware version 2.000.012 allows remote attackers to bypass ...) NOT-FOR-US: PTW-WMS1 firmware CVE-2017-10899 (SQL injection vulnerability in the A-Reserve and A-Reserve for MT clou ...) NOT-FOR-US: A-Reserve CVE-2017-10898 (SQL injection vulnerability in the A-Member and A-Member for MT cloud ...) NOT-FOR-US: A-Member CVE-2017-10897 (Input validation issue in Buffalo BBR-4HG and BBR-4MG broadband ro ...) NOT-FOR-US: Buffalo BBR-4HG and BBR-4MG broadband routers CVE-2017-10896 (Cross-site scripting vulnerability in Buffalo BBR-4HG and BBR-4MG ...) NOT-FOR-US: Buffalo BBR-4HG and BBR-4MG broadband routers CVE-2017-10895 (sDNSProxy.exe ver1.1.0.0 and earlier allows remote attackers to cause ...) NOT-FOR-US: sDNSProxy CVE-2017-10894 (StreamRelay.NET.exe ver2.14.0.7 and earlier allows remote attackers to ...) NOT-FOR-US: StreamRelay.NET CVE-2017-10893 (Untrusted search path vulnerability in The Public Certification Servic ...)
NOT-FOR-US: The Public Certification Service for Individuals CVE-2017-10892 (Untrusted search path vulnerability in Music Center for PC version 1.0 ...) NOT-FOR-US: Music Center for PC CVE-2017-10891 (Untrusted search path vulnerability in Media Go version 3.2.0.191 and ...) NOT-FOR-US: Media Go CVE-2017-10890 (Session management issue in RX-V200 firmware versions prior to 09.87.1 ...) NOT-FOR-US: RX-V200 firmware CVE-2017-10889 (TablePress prior to version 1.8.1 allows an attacker to conduct XML Ex ...) NOT-FOR-US: TablePress CVE-2017-10888 (BOOK WALKER for Windows Ver.1.2.9 and earlier, BOOK WALKER for Mac Ver ...) NOT-FOR-US: BOOK WALKER CVE-2017-10887 (Untrusted search path vulnerability in BOOK WALKER for Windows Ver.1.2 ...) NOT-FOR-US: BOOK WALKER CVE-2017-10886 (Cross-site scripting vulnerability in CS-Cart Japanese Edition v4.3.10 ...) NOT-FOR-US: CS-Cart CVE-2017-10885 (Untrusted search path vulnerability in HYPER SBI Ver. 2.2 and earlier ...) NOT-FOR-US: HYPER SBI CVE-2017-10884 RESERVED CVE-2017-10883 RESERVED CVE-2017-10882 RESERVED CVE-2017-10881 RESERVED CVE-2017-10880 RESERVED CVE-2017-10879 RESERVED CVE-2017-10878 RESERVED CVE-2017-10877 RESERVED CVE-2017-10876 RESERVED CVE-2017-10875 (I-O DATA DEVICE LAN DISK Connect Ver2.02 and earlier allows an attacke ...) NOT-FOR-US: I-O DATA DEVICE LAN DISK Connect CVE-2017-10874 (PWR-Q200 does not use random values for source ports of DNS query pack ...) NOT-FOR-US: PWR-Q200 CVE-2017-10873 (OpenAM (Open Source Edition) allows an attacker to bypass authenticati ...) NOT-FOR-US: OpenAM CVE-2017-10872 (H2O version 2.2.3 and earlier allows remote attackers to cause a denia ...) - h2o 2.2.4+dfsg-1 (medium) NOTE: https://github.com/h2o/h2o/issues/1543 CVE-2017-10871 (Buffer overflow in NTT DOCOMO Wi-Fi STATION L-02F Software version L02 ...) NOT-FOR-US: NTT DOCOMO Wi-Fi STATION L-02F Software CVE-2017-10870 (Memory corruption vulnerability in Rakuraku Hagaki (Rakuraku Hagaki 20 ...) 
NOT-FOR-US: Rakuraku Hagaki CVE-2017-10869 (Buffer overflow in H2O version 2.2.2 and earlier allows remote attacke ...) - h2o 2.2.3+dfsg-1 (medium) NOTE: https://github.com/h2o/h2o/issues/1460 CVE-2017-10868 (H2O version 2.2.2 and earlier allows remote attackers to cause a denia ...) - h2o 2.2.3+dfsg-1 (medium) NOTE: https://github.com/h2o/h2o/issues/1459 CVE-2017-10867 RESERVED CVE-2017-10866 RESERVED CVE-2017-10865 (Untrusted search path vulnerability in HIBUN Confidential File Decrypt ...) NOT-FOR-US: HIBUN Confidential File Decryption CVE-2017-10864 (Untrusted search path vulnerability in Installer of HIBUN Confidential ...) NOT-FOR-US: HIBUN Confidential File Decryption CVE-2017-10863 (Untrusted search path vulnerability in HIBUN Confidential File Decrypt ...) NOT-FOR-US: HIBUN Confidential File Decryption CVE-2017-10862 (jwt-scala 1.2.2 and earlier fails to verify token signatures correctly ...) NOT-FOR-US: jwt-scala CVE-2017-10861 (Directory traversal vulnerability in QND Advance/Standard allows an at ...) NOT-FOR-US: QND Advance/Standard CVE-2017-10860 (Untrusted search path vulnerability in "i-filter 6.0 installer" timest ...) NOT-FOR-US: i-filter 6.0 installer CVE-2017-10859 (Untrusted search path vulnerability in "i-filter 6.0 installer" timest ...) NOT-FOR-US: i-filter 6.0 installer CVE-2017-10858 (Untrusted search path vulnerability in "i-filter 6.0 install program" ...) NOT-FOR-US: i-filter 6.0 install program CVE-2017-10857 (Cybozu Office 10.0.0 to 10.6.1 allows authenticated attackers to bypas ...) NOT-FOR-US: Cybozu CVE-2017-10856 (SEIL/X 4.60 to 5.72, SEIL/B1 4.60 to 5.72, SEIL/x86 3.20 to 5.72, SEIL ...) NOT-FOR-US: SEIL CVE-2017-10855 (Untrusted search path vulnerability in FENCE-Explorer for Windows V8.4 ...) NOT-FOR-US: FENCE-Explorer for Windows CVE-2017-10854 (Corega CG-WGR1200 firmware 2.20 and earlier allows an attacker to bypa ...) 
NOT-FOR-US: Corega CG-WGR1200 firmware CVE-2017-10853 (Buffer overflow in Corega CG-WGR1200 firmware 2.20 and earlier allows ...) NOT-FOR-US: Corega CG-WGR1200 firmware CVE-2017-10852 (Buffer overflow in Corega CG-WGR1200 firmware 2.20 and earlier allows ...) NOT-FOR-US: Corega CG-WGR1200 firmware CVE-2017-10851 (Untrusted search path vulnerability in Installer for ContentsBridge Ut ...) NOT-FOR-US: Installer for ContentsBridge Utility for Windows CVE-2017-10850 (Untrusted search path vulnerability in Installers of ART EX Driver for ...) NOT-FOR-US: Various installer for Drivers for ApeosPort-VI and DocuCentre-VI products CVE-2017-10849 (Untrusted search path vulnerability in Self-extracting document genera ...) NOT-FOR-US: DocuWorks CVE-2017-10848 (Untrusted search path vulnerability in Installers for DocuWorks 8.0.7 ...) NOT-FOR-US: Installers for DocuWorks CVE-2017-10847 RESERVED CVE-2017-10846 (Wi-Fi STATION L-02F Software version V10b and earlier allows remote at ...) NOT-FOR-US: Wi-Fi STATION L-02F Software CVE-2017-10845 (Wi-Fi STATION L-02F Software version V10g and earlier allows remote at ...) NOT-FOR-US: Wi-Fi STATION L-02F Software CVE-2017-10844 (baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows an attacker to e ...) NOT-FOR-US: baserCMS CVE-2017-10843 (baserCMS version 3.0.14 and earlier, 4.0.5 and earlier allows remote a ...) NOT-FOR-US: baserCMS CVE-2017-10842 (SQL injection vulnerability in the baserCMS 3.0.14 and earlier, 4.0.5 ...) NOT-FOR-US: baserCMS CVE-2017-10841 (Directory traversal vulnerability in WebCalendar 1.2.7 and earlier all ...) - webcalendar CVE-2017-10840 (Cross-site scripting vulnerability in WebCalendar 1.2.7 and earlier al ...) - webcalendar CVE-2017-10839 (SQL injection vulnerability in the SEO Panel prior to version 3.11.0 a ...) NOT-FOR-US: SEO Panel CVE-2017-10838 (Cross-site scripting vulnerability in SEO Panel prior to version 3.11. ...) 
NOT-FOR-US: SEO Panel CVE-2017-10837 (Cross-site scripting vulnerability in BackupGuard prior to version 1.1 ...) NOT-FOR-US: BackupGuard CVE-2017-10836 (Untrusted search path vulnerability in Optimal Guard 1.1.21 and earlie ...) NOT-FOR-US: Optimal Guard CVE-2017-10835 ("Dokodemo eye Smart HD" SCR02HD Firmware 1.0.3.1000 and earlier allows ...) NOT-FOR-US: "Dokodemo eye Smart HD" SCR02HD Firmware CVE-2017-10834 (Directory traversal vulnerability in "Dokodemo eye Smart HD" SCR02HD F ...) NOT-FOR-US: "Dokodemo eye Smart HD" SCR02HD Firmware CVE-2017-10833 ("Dokodemo eye Smart HD" SCR02HD Firmware 1.0.3.1000 and earlier allows ...) NOT-FOR-US: "Dokodemo eye Smart HD" SCR02HD Firmware CVE-2017-10832 ("Dokodemo eye Smart HD" SCR02HD Firmware 1.0.3.1000 and earlier allows ...) NOT-FOR-US: "Dokodemo eye Smart HD" SCR02HD Firmware CVE-2017-10831 (Untrusted search path vulnerability in The electronic authentication s ...) NOT-FOR-US: The CRCA user's Software system CVE-2017-10830 (Untrusted search path vulnerability in Security Setup Tool all version ...) NOT-FOR-US: Security Setup Tool CVE-2017-10829 (Untrusted search path vulnerability in Remote Support Tool (Enkaku Sup ...) NOT-FOR-US: Remote Support Tool (Enkaku Support Tool) CVE-2017-10828 (Untrusted search path vulnerability in Flets Install Tool all versions ...) NOT-FOR-US: Flets Install Tool CVE-2017-10827 (Untrusted search path vulnerability in Flets Azukeru for Windows Auto ...) NOT-FOR-US: Flets Azukeru for Windows Auto Backup Tool CVE-2017-10826 (Untrusted search path vulnerability in Security Kinou Mihariban v1.0.2 ...) NOT-FOR-US: Security Kinou Mihariban CVE-2017-10825 (Untrusted search path vulnerability in Installer of Flets Easy Setup T ...) NOT-FOR-US: Installer of Flets Easy Setup Tool CVE-2017-10824 (Untrusted search path vulnerability in TDB CA TypeA use software Versi ...) 
NOT-FOR-US: TDB CA TypeA use software CVE-2017-10823 (Untrusted search path vulnerability in Installer for Shin Kinkyuji Hou ...) NOT-FOR-US: Installer for Shin Kinkyuji Houkoku Data Nyuryoku Program CVE-2017-10822 (Untrusted search path vulnerability in Installer for Shin Sekiyu Yunyu ...) NOT-FOR-US: Installer for Shin Sekiyu Yunyu Chousa Houkoku Data Nyuryoku Program CVE-2017-10821 (Untrusted search path vulnerability in Installer for Shin Kikan Toukei ...) NOT-FOR-US: Installer for Shin Kikan Toukei Houkoku Data Nyuryokuyou Program CVE-2017-10820 (Untrusted search path vulnerability in Installer of IP Messenger for W ...) NOT-FOR-US: Installer of IP Messenger for Win CVE-2017-10819 (MaLion for Mac 4.3.0 to 5.2.1 does not properly validate certificates, ...) NOT-FOR-US: MaLion CVE-2017-10818 (MaLion for Windows and Mac versions 3.2.1 to 5.2.1 uses a hardcoded cr ...) NOT-FOR-US: MaLion CVE-2017-10817 (MaLion for Windows and Mac 5.0.0 to 5.2.1 allows remote attackers to b ...) NOT-FOR-US: MaLion CVE-2017-10816 (SQL injection vulnerability in the MaLion for Windows and Mac 5.0.0 to ...) NOT-FOR-US: MaLion CVE-2017-10815 (MaLion for Windows 5.2.1 and earlier (only when "Remote Control" is in ...) NOT-FOR-US: MaLion CVE-2017-10814 (Buffer overflow in CG-WLR300NM Firmware version 1.90 and earlier allow ...) NOT-FOR-US: CG-WLR300NM Firmware CVE-2017-10813 (CG-WLR300NM Firmware version 1.90 and earlier allows an attacker to ex ...) NOT-FOR-US: CG-WLR300NM Firmware CVE-2017-10812 (Untrusted search path vulnerability in Photo Collection PC Software Ve ...) NOT-FOR-US: Photo Collection PC Software CVE-2017-10811 (Buffalo WCR-1166DS devices with firmware 1.30 and earlier allow an att ...) NOT-FOR-US: Buffalo WCR-1166DS devices CVE-2017-10810 (Memory leak in the virtio_gpu_object_create function in drivers/gpu/dr ...) 
{DSA-3927-1} - linux 4.11.11-1 (low) [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/385aee965b4e4c36551c362a334378d2985b722a CVE-2017-10809 RESERVED CVE-2017-10808 RESERVED CVE-2017-10806 (Stack-based buffer overflow in hw/usb/redirect.c in QEMU (aka Quick Em ...) {DSA-3925-1 DLA-1497-1} - qemu 1:2.8+dfsg-7 (bug #867751) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-05/msg03087.html CVE-2017-10807 (JabberD 2.x (aka jabberd2) before 2.6.1 allows anyone to authenticate ...) {DSA-3902-1} - jabberd2 2.6.1-1 (bug #867032) NOTE: Fixed by: https://github.com/jabberd2/jabberd2/commit/8416ae54ecefa670534f27a31db71d048b9c7f16 NOTE: https://github.com/jabberd2/jabberd2/releases/tag/jabberd-2.6.1 CVE-2017-10805 (In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise ...) - odoo (Fixed before initial upload to Debian) NOTE: https://github.com/odoo/odoo/issues/17921 CVE-2017-10804 (In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise ...) - odoo (Fixed before initial upload to Debian) NOTE: https://github.com/odoo/odoo/issues/17914 CVE-2017-10803 (In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise ...) - odoo (Fixed before initial upload to Debian) NOTE: https://github.com/odoo/odoo/issues/17898 CVE-2017-10802 RESERVED CVE-2017-10801 (phpSocial (formerly phpDolphin) before 3.0.1 has XSS in the PATH_INFO ...) NOT-FOR-US: phpSocial CVE-2017-10800 (When GraphicsMagick 1.3.25 processes a MATLAB image in coders/mat.c, i ...) {DSA-4321-1} - graphicsmagick 1.3.26-1 (bug #867060) [jessie] - graphicsmagick (Minor issue) [wheezy] - graphicsmagick (Minor issue) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/e5761e3a2012 NOTE: The above commit unfortunately is not enough. 
There are more related NOTE: changes, and Bob Friesenhahn commented that it's not complete. All NOTE: the related changesets to mat.c since the one referenced should be NOTE: picked up. CVE-2017-10799 (When GraphicsMagick 1.3.25 processes a DPX image (with metadata indica ...) {DSA-4321-1 DLA-1755-1 DLA-1045-1} - graphicsmagick 1.3.26-1 (bug #867077) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/f10b9bb3ca62 CVE-2017-10798 (In ObjectPlanet Opinio before 7.6.4, there is XSS. ...) NOT-FOR-US: ObjectPlanet Opinio CVE-2017-10797 RESERVED CVE-2017-10796 (On TP-Link NC250 devices with firmware through 1.2.1 build 170515, any ...) NOT-FOR-US: TP-Link CVE-2017-10795 (Cross-site scripting (XSS) vulnerability in Subrion CMS 4.1.4 allows r ...) NOT-FOR-US: Subrion CMS CVE-2017-10794 (When GraphicsMagick 1.3.25 processes an RGB TIFF picture (with metadat ...) {DSA-4321-1} - graphicsmagick 1.3.26-1 (bug #867085) [jessie] - graphicsmagick (vulnerable code not present) [wheezy] - graphicsmagick (vulnerable code not present) NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/a20bee0a0ad2 CVE-2017-10793 (The AT&T U-verse 9.2.2h0d83 firmware for the Arris NVG589, NVG599, ...) NOT-FOR-US: Arris CVE-2017-10792 (There is a NULL Pointer Dereference in the function ll_insert() of the ...) - pspp 1.0.0-1 (unimportant; bug #866890) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1467005 NOTE: No security impact, crash in CLI tool CVE-2017-10791 (There is an Integer overflow in the hash_int function of the libpspp l ...) - pspp 1.0.0-1 (unimportant; bug #866890) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1467004 NOTE: No security impact as built in Debian CVE-2017-10790 (The _asn1_check_identifier function in GNU Libtasn1 through 4.12 cause ...) 
{DSA-4106-1 DLA-2255-1 DLA-1038-1} - libtasn1-6 4.12-2.1 (bug #867398) - libtasn1-3 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1464141 NOTE: Fixed by: https://gitlab.com/gnutls/libtasn1/commit/d8d805e1f2e6799bb2dff4871a8598dc83088a39 CVE-2017-10789 (The DBD::mysql module through 4.043 for Perl uses the mysql_ssl=1 sett ...) {DLA-1079-1} - libdbd-mysql-perl 4.046-1 (bug #866821) [stretch] - libdbd-mysql-perl (Minor issue, can be fixed via point release) [jessie] - libdbd-mysql-perl (Minor issue, can be fixed via point release) NOTE: https://github.com/perl5-dbi/DBD-mysql/issues/110 NOTE: https://github.com/perl5-dbi/DBD-mysql/pull/114 NOTE: Upstream 4.042 fixed this issue, but was reverted upstream in 4.043: NOTE: https://www.nntp.perl.org/group/perl.dbi.dev/2017/08/msg8037.html NOTE: No upstream-blessed patch available. CVE-2017-10788 (The DBD::mysql module through 4.043 for Perl allows remote attackers t ...) {DLA-1079-1} - libdbd-mysql-perl 4.046-1 (bug #866818) [stretch] - libdbd-mysql-perl (Minor issue, can be fixed via point release) [jessie] - libdbd-mysql-perl (Minor issue, can be fixed via point release) NOTE: http://seclists.org/oss-sec/2017/q2/443 NOTE: https://github.com/perl5-dbi/DBD-mysql/issues/120 NOTE: https://github.com/perl5-dbi/DBD-mysql/pull/142 CVE-2017-10787 RESERVED CVE-2017-10786 RESERVED CVE-2017-10785 RESERVED CVE-2017-10784 (The Basic authentication code in WEBrick library in Ruby before 2.2.8, ...) {DSA-4031-1 DLA-1421-1 DLA-1114-1 DLA-1113-1} - ruby2.3 2.3.5-1 (bug #875931) - ruby2.1 - ruby1.9.1 - ruby1.8 NOTE: https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/ NOTE: https://github.com/ruby/ruby/commit/6617c41292b7d1e097abb8fdb0cab9ddd83c77e7 NOTE: https://hackerone.com/reports/223363 CVE-2017-10783 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) 
NOT-FOR-US: XnView CVE-2017-10782 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10781 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10780 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10779 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10778 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10777 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10776 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10775 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10774 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10773 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10772 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10771 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10770 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10769 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10768 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10767 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10766 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10765 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) 
NOT-FOR-US: XnView CVE-2017-10764 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10763 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10762 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10761 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10760 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10759 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10758 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10757 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10756 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10755 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10754 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10753 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10752 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10751 (XnView Classic for Windows Version 2.40 might allow attackers to cause ...) NOT-FOR-US: XnView CVE-2017-10750 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10749 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10748 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10747 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) 
NOT-FOR-US: XnView CVE-2017-10746 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10745 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10744 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10743 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10742 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10741 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10740 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10739 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10738 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10737 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10736 (XnView Classic for Windows Version 2.40 allows attackers to execute ar ...) NOT-FOR-US: XnView CVE-2017-10735 (IrfanView version 4.44 (32bit) might allow attackers to cause a denial ...) NOT-FOR-US: IrfanView CVE-2017-10734 (IrfanView version 4.44 (32bit) might allow attackers to cause a denial ...) NOT-FOR-US: IrfanView CVE-2017-10733 (IrfanView version 4.44 (32bit) might allow attackers to cause a denial ...) NOT-FOR-US: IrfanView CVE-2017-10732 (IrfanView version 4.44 (32bit) might allow attackers to cause a denial ...) NOT-FOR-US: IrfanView CVE-2017-10731 (IrfanView version 4.44 (32bit) allows attackers to execute arbitrary c ...) NOT-FOR-US: IrfanView CVE-2017-10730 (IrfanView version 4.44 (32bit) allows attackers to execute arbitrary c ...) 
NOT-FOR-US: IrfanView CVE-2017-10729 (IrfanView version 4.44 (32bit) allows attackers to execute arbitrary c ...) NOT-FOR-US: IrfanView CVE-2017-10728 (Winamp 5.666 Build 3516(x86) might allow attackers to execute arbitrar ...) NOT-FOR-US: Winamp CVE-2017-10727 (Winamp 5.666 Build 3516(x86) might allow attackers to execute arbitrar ...) NOT-FOR-US: Winamp CVE-2017-10726 (Winamp 5.666 Build 3516(x86) might allow attackers to execute arbitrar ...) NOT-FOR-US: Winamp CVE-2017-10725 (Winamp 5.666 Build 3516(x86) allows attackers to execute arbitrary cod ...) NOT-FOR-US: Winamp CVE-2017-10724 (Recently it was discovered as a part of the research on IoT devices in ...) NOT-FOR-US: Shekar Endoscope CVE-2017-10723 (Recently it was discovered as a part of the research on IoT devices in ...) NOT-FOR-US: Shekar Endoscope CVE-2017-10722 (Recently it was discovered as a part of the research on IoT devices in ...) NOT-FOR-US: Shekar Endoscope CVE-2017-10721 (Recently it was discovered as a part of the research on IoT devices in ...) NOT-FOR-US: Shekar Endoscope CVE-2017-10720 (Recently it was discovered as a part of the research on IoT devices in ...) NOT-FOR-US: Shekar Endoscope CVE-2017-10719 (Recently it was discovered as a part of the research on IoT devices in ...) NOT-FOR-US: Shekar Endoscope CVE-2017-10718 (Recently it was discovered as a part of the research on IoT devices in ...) NOT-FOR-US: Shekar Endoscope CVE-2017-10717 RESERVED CVE-2017-10716 RESERVED CVE-2017-10715 RESERVED CVE-2017-10714 RESERVED CVE-2017-10713 RESERVED CVE-2017-10712 RESERVED CVE-2017-10711 (In SimpleRisk 20170614-001, a CSRF attack on reset.php (aka the Send P ...) NOT-FOR-US: SimpleRisk CVE-2017-10710 RESERVED CVE-2017-10709 (The lockscreen on Elephone P9000 devices (running Android 6.0) allows ...) NOT-FOR-US: Elephone P9000 devices CVE-2017-10708 (An issue was discovered in Apport through 2.20.x. In apport/report.py, ...) 
NOT-FOR-US: Apport CVE-2017-10707 RESERVED CVE-2017-10706 (When Antiy Antivirus Engine before 5.0.0.05171547 scans a special ZIP ...) NOT-FOR-US: When Antiy Antivirus Engine CVE-2017-10705 RESERVED CVE-2017-10704 RESERVED CVE-2017-10703 RESERVED CVE-2017-10702 RESERVED CVE-2017-10701 (Cross site scripting (XSS) vulnerability in SAP Enterprise Portal 7.50 ...) NOT-FOR-US: SAP Enterprise Portal CVE-2017-10700 (In the medialibrary component in QNAP NAS 4.3.3.0229, an un-authentica ...) NOT-FOR-US: QNAP CVE-2017-10699 (avcodec 2.2.x, as used in VideoLAN VLC media player 2.2.7-x before 201 ...) {DSA-4045-1} - vlc 2.2.6-3 [wheezy] - vlc (Not supported in wheezy LTS) NOTE: http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=6cc73bcad19da2cd2e95671173f2e0d203a57e9b NOTE: http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=a38a85db58c569cc592d9380cc07096757ef3d49 NOTE: https://trac.videolan.org/vlc/ticket/18467 CVE-2017-10698 RESERVED CVE-2017-10697 RESERVED CVE-2017-10696 RESERVED CVE-2017-10695 RESERVED CVE-2017-10694 RESERVED CVE-2017-10693 RESERVED CVE-2017-10692 RESERVED CVE-2017-10691 RESERVED CVE-2017-10690 (In previous versions of Puppet Agent it was possible for the agent to ...) - puppet (Only affects Puppet 5, only in experimental) NOTE: https://puppet.com/security/cve/CVE-2017-10690 NOTE: https://tickets.puppetlabs.com/browse/PUP-8225 NOTE: Fixed by: https://github.com/puppetlabs/puppet/commit/bd87bef2c3862d333f4c1f2b148b147d449a375b CVE-2017-10689 (In previous versions of Puppet Agent it was possible to install a modu ...) 
- puppet 5.4.0-1 (bug #890412) [stretch] - puppet (Minor issue) [jessie] - puppet (Minor issue) [wheezy] - puppet (vulnerable code not present) NOTE: https://puppet.com/security/cve/CVE-2017-10689 NOTE: https://tickets.puppetlabs.com/browse/PUP-7866 NOTE: https://github.com/puppetlabs/puppet/commit/17d9e02da3882e44c1876e2805cf9708481715ee NOTE: https://github.com/puppetlabs/puppet/commit/983154f7e29a2a50d416d889a6fed012b9b12399 CVE-2017-10688 (In LibTIFF 4.0.8, there is a assertion abort in the TIFFWriteDirectory ...) {DSA-3903-1 DLA-1022-1} - tiff 4.0.8-3 (bug #866611) - tiff3 [wheezy] - tiff3 (vulnerable code not present) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2712 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1 CVE-2017-10687 (In LibSass 3.4.5, there is a heap-based buffer over-read in the functi ...) NOTE: Bogus report against historic libsass version CVE-2017-10686 (In Netwide Assembler (NASM) 2.14rc0, there are multiple heap use after ...) {DLA-1041-1} - nasm 2.13.02-0.1 (bug #867988) [stretch] - nasm (Minor issue) [jessie] - nasm (Minor issue) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392414 CVE-2017-10685 (In ncurses 6.0, there is a format string vulnerability in the fmt_entr ...) - ncurses 6.0+20170701-1 [stretch] - ncurses 6.0+20161126-1+deb9u1 [jessie] - ncurses 5.9+20140913-1+deb8u1 [wheezy] - ncurses (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1464692 CVE-2017-10684 (In ncurses 6.0, there is a stack-based buffer overflow in the fmt_entr ...) - ncurses 6.0+20170708-1 [stretch] - ncurses 6.0+20161126-1+deb9u1 [jessie] - ncurses 5.9+20140913-1+deb8u1 [wheezy] - ncurses (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1464687 CVE-2017-10683 (In mpg123 1.25.0, there is a heap-based buffer over-read in the conver ...) 
{DLA-1017-1} - mpg123 1.25.1-1 (bug #866860) [stretch] - mpg123 (Minor issue) [jessie] - mpg123 (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1465819 NOTE: Duplicate of https://sourceforge.net/p/mpg123/bugs/252/ NOTE: Patch: http://scm.orgis.org/view/mpg123/trunk/src/libmpg123/id3.c?sortby=date&r1=4249&r2=4248&pathrev=4249 CVE-2017-10682 (SQL injection vulnerability in the administrative backend in Piwigo th ...) - piwigo CVE-2017-10681 (Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9. ...) - piwigo CVE-2017-10680 (Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9. ...) - piwigo CVE-2017-10679 (Piwigo through 2.9.1 allows remote attackers to obtain sensitive infor ...) - piwigo CVE-2017-10678 (Cross-site request forgery (CSRF) vulnerability in Piwigo through 2.9. ...) - piwigo CVE-2017-10677 (Cross-Site Request Forgery (CSRF) exists on Linksys EA4500 devices wit ...) NOT-FOR-US: Linksys EA4500 devices CVE-2017-10676 (On D-Link DIR-600M devices before C1_v3.05ENB01_beta_20170306, XSS was ...) NOT-FOR-US: D-Link CVE-2017-10675 RESERVED CVE-2017-10674 (Antiy Antivirus Engine 5.0.0.06281654 allows local users to cause a de ...) NOT-FOR-US: Antiy Antivirus Engine CVE-2017-10673 (admin/profile.php in GetSimple CMS 3.x has XSS in a name field. ...) NOT-FOR-US: GetSimple CMS CVE-2017-10672 (Use-after-free in the XML-LibXML module through 2.0129 for Perl allows ...) {DSA-4042-1 DLA-1171-1} - libxml-libxml-perl 2.0128+dfsg-5 (bug #866676) NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=122246 NOTE: Pull request: https://github.com/shlomif/perl-XML-LibXML/pull/8 CVE-2017-10671 (Heap-based Buffer Overflow in the de_dotdot function in libhttpd.c in ...) - thttpd CVE-2017-10670 (An XML External Entity (XXE) issue exists in OSCI-Transport 1.2 as use ...) NOT-FOR-US: OSCI-Transport CVE-2017-10669 (Signature Wrapping exists in OSCI-Transport 1.2 as used in OSCI Transp ...) 
NOT-FOR-US: OSCI-Transport CVE-2017-10668 (A Padding Oracle exists in OSCI-Transport 1.2 as used in OSCI Transpor ...) NOT-FOR-US: OSCI-Transport CVE-2017-10667 (In index.php in Zen Cart 1.6.0, the products_id parameter can cause XS ...) NOT-FOR-US: Zen Cart CVE-2017-10666 RESERVED CVE-2017-10665 (Directory traversal vulnerability in ajaxfileupload.php in Kayson Grou ...) NOT-FOR-US: Kayson Group Ltd. phpGrid CVE-2017-9998 (The _dwarf_decode_s_leb128_chk function in dwarf_leb.c in libdwarf thr ...) - dwarfutils 20170416-3 (bug #866968) [stretch] - dwarfutils 20161124-1+deb9u1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1465756 CVE-2017-9997 RESERVED CVE-2017-10664 (qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which a ...) {DSA-3920-1 DLA-1599-1 DLA-1071-1 DLA-1070-1} - qemu 1:2.8+dfsg-7 (bug #866674) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg02693.html NOTE: Fixed by (master): http://git.qemu.org/?p=qemu.git;a=commitdiff;h=041e32b8d9d076980b4e35317c0339e57ab888f1 CVE-2017-10663 (The sanity_check_ckpt function in fs/f2fs/super.c in the Linux kernel ...) - linux 4.12.6-1 [stretch] - linux 4.9.47-1 [jessie] - linux (Hard to backport and low priority outside of Android) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/15d3042a937c13f5d9244241c7a9c8416ff6e82a (v4.13-rc1) CVE-2017-10662 (The sanity_check_raw_super function in fs/f2fs/super.c in the Linux ke ...) - linux 4.9.30-1 [jessie] - linux (Hard to backport and low priority outside of Android) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/b9dd46188edc2f0d1f37328637860bb65a771124 (v4.12-rc1) CVE-2017-10661 (Race condition in fs/timerfd.c in the Linux kernel before 4.10.15 allo ...) 
{DLA-1099-1} - linux 4.9.30-1 [jessie] - linux 3.16.43-2+deb8u5 NOTE: Fixed by: https://git.kernel.org/linus/1e38da300e1e395a15048b0af1e5305bd91402f6 (v4.11-rc1) CVE-2017-10660 REJECTED CVE-2017-10659 REJECTED CVE-2017-10658 REJECTED CVE-2017-10657 REJECTED CVE-2017-10656 REJECTED CVE-2017-10655 REJECTED CVE-2017-10654 REJECTED CVE-2017-10653 REJECTED CVE-2017-10652 REJECTED CVE-2017-10651 REJECTED CVE-2017-10650 RESERVED CVE-2017-10649 RESERVED CVE-2017-10648 RESERVED CVE-2017-10647 RESERVED CVE-2017-10646 RESERVED CVE-2017-10645 RESERVED CVE-2017-10644 RESERVED CVE-2017-10643 RESERVED CVE-2017-10642 RESERVED CVE-2017-10641 RESERVED CVE-2017-10640 RESERVED CVE-2017-10639 RESERVED CVE-2017-10638 RESERVED CVE-2017-10637 RESERVED CVE-2017-10636 RESERVED CVE-2017-10635 RESERVED CVE-2017-10634 RESERVED CVE-2017-10633 RESERVED CVE-2017-10632 RESERVED CVE-2017-10631 RESERVED CVE-2017-10630 RESERVED CVE-2017-10629 RESERVED CVE-2017-10628 RESERVED CVE-2017-10627 RESERVED CVE-2017-10626 RESERVED CVE-2017-10625 RESERVED CVE-2017-10624 (Insufficient verification of node certificates in Juniper Networks Jun ...) NOT-FOR-US: Juniper CVE-2017-10623 (Lack of authentication and authorization of cluster messages in Junipe ...) NOT-FOR-US: Juniper CVE-2017-10622 (An authentication bypass vulnerability in Juniper Networks Junos Space ...) NOT-FOR-US: Juniper CVE-2017-10621 (A denial of service vulnerability in telnetd service on Juniper Networ ...) NOT-FOR-US: Juniper CVE-2017-10620 (Juniper Networks Junos OS on SRX series devices do not verify the HTTP ...) NOT-FOR-US: Juniper CVE-2017-10619 (When Express Path (formerly known as service offloading) is configured ...) NOT-FOR-US: Juniper CVE-2017-10618 (When the 'bgp-error-tolerance' feature — designed ...) NOT-FOR-US: Juniper CVE-2017-10617 (The ifmap service that comes bundled with Contrail has an XML External ...) 
NOT-FOR-US: Juniper CVE-2017-10616 (The ifmap service that comes bundled with Juniper Networks Contrail re ...) NOT-FOR-US: Juniper CVE-2017-10615 (A vulnerability in the pluggable authentication module (PAM) of Junipe ...) NOT-FOR-US: Juniper CVE-2017-10614 (A vulnerability in telnetd service on Junos OS allows a remote attacke ...) NOT-FOR-US: Juniper CVE-2017-10613 (A vulnerability in a specific loopback filter action command, processe ...) NOT-FOR-US: Juniper CVE-2017-10612 (A persistent site scripting vulnerability in Juniper Networks Junos Sp ...) NOT-FOR-US: Juniper CVE-2017-10611 (If extended statistics are enabled via 'set chassis extended-statistic ...) NOT-FOR-US: Juniper CVE-2017-10610 (On SRX Series devices, a crafted ICMP packet embedded within a NAT64 I ...) NOT-FOR-US: Juniper CVE-2017-10609 RESERVED CVE-2017-10608 (Any Juniper Networks SRX series device with one or more ALGs enabled m ...) NOT-FOR-US: Juniper CVE-2017-10607 (Juniper Networks Junos OS 16.1R1, and services releases based off of 1 ...) NOT-FOR-US: Juniper CVE-2017-10606 (Version 4.40 of the TPM (Trusted Platform Module) firmware on Juniper ...) NOT-FOR-US: Juniper CVE-2017-10605 (On all vSRX and SRX Series devices, when the DHCP or DHCP relay is con ...) NOT-FOR-US: Juniper CVE-2017-10604 (When the device is configured to perform account lockout with a define ...) NOT-FOR-US: Juniper CVE-2017-10603 (An XML injection vulnerability in Junos OS CLI can allow a locally aut ...) NOT-FOR-US: Juniper CVE-2017-10602 (A buffer overflow vulnerability in Junos OS CLI may allow a local auth ...) NOT-FOR-US: Juniper CVE-2017-10601 (A specific device configuration can result in a commit failure conditi ...) NOT-FOR-US: Juniper CVE-2017-10600 (ubuntu-image 1.0 before 2017-07-07, when invoked as non-root, creates ...) NOT-FOR-US: ubuntu-image CVE-2017-9996 (The cdxl_decode_frame function in libavcodec/cdxl.c in FFmpeg 2.8.x be ...) 
- ffmpeg 7:3.2.5-1 - libav (Vulnerable feature not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/1e42736b95065c69a7481d0cf55247024f54b660 NOTE: https://github.com/FFmpeg/FFmpeg/commit/e1b60aad77c27ed5d4dfc11e5e6a05a38c70489d NOTE: The bug affects FFmpeg's support for CHUNKY cdxl files, a feature that is NOTE: not present in Libav. Libav detects CHUNKY files and bails out early. CVE-2017-9995 (libavcodec/scpr.c in FFmpeg 3.3 before 3.3.1 does not properly validat ...) - ffmpeg (Vulnerable code not present) - libav (Vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/2171dfae8c065878a2e130390eb78cf2947a5b69 NOTE: https://github.com/FFmpeg/FFmpeg/commit/7ac5067146613997bb38442cb022d7f41321a706 CVE-2017-9994 (libavcodec/webp.c in FFmpeg before 2.8.12, 3.0.x before 3.0.8, 3.1.x b ...) {DLA-1630-1} - ffmpeg 7:3.2.5-1 - libav [wheezy] - libav (Vulnerable code not present, WebP decoder feature introduced in v10) NOTE: https://github.com/FFmpeg/FFmpeg/commit/6b5d3fb26fb4be48e4966e4b1d97c2165538d4ef CVE-2017-9993 (FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6 ...) {DSA-3957-1 DLA-1630-1} - ffmpeg 7:3.2.6-1 - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/189ff4219644532bdfa7bab28dfedaee4d6d4021 NOTE: https://github.com/FFmpeg/FFmpeg/commit/a5d849b149ca67ced2d271dc84db0bc95a548abb NOTE: Fixed in 3.2.6 NOTE: Jessie is only partially affected. Only the second commit is NOTE: relevant. HTTP Live Streaming filename extension code is not present. CVE-2017-9992 (Heap-based buffer overflow in the decode_dds1 function in libavcodec/d ...) {DSA-4012-1 DLA-1142-1} - ffmpeg 7:3.2.5-1 - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/f52fbf4f3ed02a7d872d8a102006f29b4421f360 NOTE: Fixed in 11.11 CVE-2017-9991 (Heap-based buffer overflow in the xwd_decode_frame function in libavco ...) 
- ffmpeg 7:3.2.5-1 - libav (Vulnerable feature not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/441026fcb13ac23aa10edc312bdacb6445a0ad06 NOTE: The error occurs in the support for 8bpp XWD images where bpp and image NOTE: depth are not checked thoroughly enough. Libav does not support 8bpp NOTE: images and bails out early -- Diego Biurrun (libav project) CVE-2017-9990 (Stack-based buffer overflow in the color_string_to_rgba function in li ...) - ffmpeg (Vulnerable code not present) - libav (Vulnerable code not present) NOTE: https://github.com/FFmpeg/FFmpeg/commit/cb243972b121b1ae6b60a78ff55a0506c69f3879 CVE-2017-9989 (util/outputtxt.c in libming 0.4.8 mishandles memory allocation. A craf ...) {DLA-1176-1} - ming NOTE: https://github.com/libming/libming/issues/86 CVE-2017-9988 (The readEncUInt30 function in util/read.c in libming 0.4.8 mishandles ...) {DLA-1176-1} - ming NOTE: https://github.com/libming/libming/issues/85 CVE-2017-9987 (There is a heap-based buffer overflow in the function hpel_motion in m ...) {DLA-1907-1} - libav NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1067 NOTE: Five different issues but only one POC instead of five attached. NOTE: Requires more information. CVE-2017-9986 (The intr function in sound/oss/msnd_pinnacle.c in the Linux kernel thr ...) - linux 4.15.4-1 (unimportant) NOTE: No security issue, only "exploitable" with malicious ISA cards CVE-2017-9985 (The snd_msndmidi_input_read function in sound/isa/msnd/msnd_midi.c in ...) - linux 4.13.4-1 (unimportant) [stretch] - linux 4.9.51-1 NOTE: No security issue, only "exploitable" with malicious ISA cards NOTE: Fixed by: https://git.kernel.org/linus/20e2b791796bd68816fa115f12be5320de2b8021 (v4.13-rc1) NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=196133 CVE-2017-9984 (The snd_msnd_interrupt function in sound/isa/msnd/msnd_pinnacle.c in t ...) 
- linux 4.13.4-1 (unimportant) [stretch] - linux 4.9.51-1 NOTE: No security issue, only "exploitable" with malicious ISA cards NOTE: Fixed by: https://git.kernel.org/linus/20e2b791796bd68816fa115f12be5320de2b8021 (v4.13-rc1) NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=196131 CVE-2017-9983 RESERVED CVE-2017-9982 (TeamSpeak Client 3.0.19 allows remote attackers to cause a denial of s ...) - teamspeak-client [wheezy] - teamspeak-client (non-free is not supported) CVE-2017-9981 RESERVED CVE-2017-9980 (In Green Packet DX-350 Firmware version v2.8.9.5-g1.4.8-atheeb, the "P ...) NOT-FOR-US: Green Packet CVE-2017-9979 (On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, if the RE ...) NOT-FOR-US: QuantaStor CVE-2017-9978 (On the OSNEXUS QuantaStor v4 virtual appliance before 4.3.1, a flaw wa ...) NOT-FOR-US: QuantaStor CVE-2017-9977 (AVG AntiVirus for MacOS with scan engine before 4668 might allow remot ...) NOT-FOR-US: AVG CVE-2017-9976 RESERVED CVE-2017-9975 REJECTED CVE-2017-9974 REJECTED CVE-2017-9973 REJECTED CVE-2017-9972 REJECTED CVE-2017-9971 REJECTED CVE-2017-9970 (A remote code execution vulnerability exists in Schneider Electric's S ...) NOT-FOR-US: Schneider Electric CVE-2017-9969 (An information disclosure vulnerability exists in Schneider Electric's ...) NOT-FOR-US: Schneider Electric CVE-2017-9968 (A security misconfiguration vulnerability exists in Schneider Electric ...) NOT-FOR-US: Schneider Electric CVE-2017-9967 (A security misconfiguration vulnerability exists in Schneider Electric ...) NOT-FOR-US: Schneider Electric CVE-2017-9966 (A privilege escalation vulnerability exists in Schneider Electric's Pe ...) NOT-FOR-US: Schneider Electric CVE-2017-9965 (An exposure of sensitive information vulnerability exists in Schneider ...) NOT-FOR-US: Schneider Electric CVE-2017-9964 (A Path Traversal issue was discovered in Schneider Electric Pelco Vide ...) 
NOT-FOR-US: Schneider Electric CVE-2017-9963 (A cross-site request forgery vulnerability exists on the Secure Gatewa ...) NOT-FOR-US: Schneider Electric CVE-2017-9962 (Schneider Electric's ClearSCADA versions released prior to August 2017 ...) NOT-FOR-US: Schneider Electric CVE-2017-9961 (A vulnerability exists in Schneider Electric's Pro-Face GP Pro EX vers ...) NOT-FOR-US: Schneider Electric CVE-2017-9960 (An information disclosure vulnerability exists in Schneider Electric's ...) NOT-FOR-US: Schneider Electric CVE-2017-9959 (A vulnerability exists in Schneider Electric's U.motion Builder softwa ...) NOT-FOR-US: Schneider Electric CVE-2017-9958 (An improper access control vulnerability exists in Schneider Electric' ...) NOT-FOR-US: Schneider Electric CVE-2017-9957 (A vulnerability exists in Schneider Electric's U.motion Builder softwa ...) NOT-FOR-US: Schneider Electric CVE-2017-9956 (An authentication bypass vulnerability exists in Schneider Electric's ...) NOT-FOR-US: Schneider Electric CVE-2017-9955 (The get_build_id function in opncls.c in the Binary File Descriptor (B ...) - binutils 2.29-1 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21665 CVE-2017-9954 (The getvalue function in tekhex.c in the Binary File Descriptor (BFD) ...) - binutils 2.29-1 [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21670 CVE-2017-9953 (There is an invalid free in Image::printIFDStructure that leads to a S ...) - exiv2 (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1465061 NOTE: Possibly introduced after https://github.com/Exiv2/exiv2/commit/fd5e983746c336336039e91cb6b656cf8eeccdea NOTE: which introduces printIFDStructure function and later restructured NOTE: again. Around that commit upstream source though does not build. 
CVE-2017-9952 RESERVED CVE-2017-9951 (The try_read_command function in memcached.c in memcached before 1.4.3 ...) {DSA-4218-1 DLA-1033-1} - memcached 1.5.0-1 (bug #868701) NOTE: https://www.twistlock.com/2017/07/13/cve-2017-9951-heap-overflow-memcached-server-1-4-38-twistlock-vulnerability-report/ NOTE: https://github.com/memcached/memcached/commit/328629445c71e6c17074f6e9e0e3ef585b58f167 CVE-2017-9950 RESERVED CVE-2017-9949 (The grub_memmove function in shlr/grub/kern/misc.c in radare2 1.5.0 al ...) - radare2 1.6.0+dfsg-1 (bug #866068) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/issues/7683 NOTE: https://github.com/radare/radare2/commit/796dd28aaa6b9fa76d99c42c4d5ff8b257cc2191 CVE-2017-9948 (A stack buffer overflow vulnerability has been discovered in Microsoft ...) NOT-FOR-US: Microsoft Skype CVE-2017-9947 (A vulnerability has been identified in Siemens APOGEE PXC and TALON TC ...) NOT-FOR-US: Siemens CVE-2017-9946 (A vulnerability has been identified in Siemens APOGEE PXC and TALON TC ...) NOT-FOR-US: Siemens CVE-2017-9945 (In the Siemens 7KM PAC Switched Ethernet PROFINET expansion module (Al ...) NOT-FOR-US: Siemens CVE-2017-9944 (A vulnerability has been identified in Siemens 7KT PAC1200 data manage ...) NOT-FOR-US: Siemens CVE-2017-9943 RESERVED CVE-2017-9942 (A vulnerability was discovered in Siemens SiPass integrated (All versi ...) NOT-FOR-US: Siemens CVE-2017-9941 (A vulnerability was discovered in Siemens SiPass integrated (All versi ...) NOT-FOR-US: Siemens CVE-2017-9940 (A vulnerability was discovered in Siemens SiPass integrated (All versi ...) NOT-FOR-US: Siemens CVE-2017-9939 (A vulnerability was discovered in Siemens SiPass integrated (All versi ...) NOT-FOR-US: Siemens CVE-2017-9938 (A vulnerability was discovered in Siemens SIMATIC Logon (All versions ...) NOT-FOR-US: Siemens CVE-2017-9937 (In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A cr ...) 
- jbigkit (unimportant; bug #869708) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2707 NOTE: The CVE was assigned for src:tiff by MITRE, but the issue actually lies NOTE: in jbigkit itself. CVE-2017-9936 (In LibTIFF 4.0.8, there is a memory leak in tif_jbig.c. A crafted TIFF ...) {DSA-3903-1 DLA-1023-1 DLA-1022-1} - tiff 4.0.8-3 (bug #866113) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2706 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/fe8d7165956b88df4837034a9161dc5fd20cf67a CVE-2017-9935 (In LibTIFF 4.0.8, there is a heap-based buffer overflow in the t2p_wri ...) {DSA-4100-1 DLA-1206-1} - tiff 4.0.9-2 (bug #866109) - tiff3 [wheezy] - tiff3 (does not build vulnerable tiff2pdf) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2704 NOTE: https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940 CVE-2017-9934 (Missing CSRF token checks and improper input validation in Joomla! CMS ...) NOT-FOR-US: Joomla! CVE-2017-9933 (Improper cache invalidation in Joomla! CMS 1.7.3 through 3.7.2 leads t ...) NOT-FOR-US: Joomla! CVE-2017-9932 (Green Packet DX-350 Firmware version v2.8.9.5-g1.4.8-atheeb has a defa ...) NOT-FOR-US: Green Packet CVE-2017-9931 (Cross-Site Scripting (XSS) exists in Green Packet DX-350 Firmware vers ...) NOT-FOR-US: Green Packet CVE-2017-9930 (Cross-Site Request Forgery (CSRF) exists in Green Packet DX-350 Firmwa ...) NOT-FOR-US: Green Packet CVE-2017-9929 (In lrzip 0.631, a stack buffer overflow was found in the function get_ ...) - lrzip 0.631+git180517-1 (bug #866020) [stretch] - lrzip (Minor issue) [jessie] - lrzip (Minor issue) [wheezy] - lrzip (Minor issue) NOTE: https://github.com/ckolivas/lrzip/issues/75 CVE-2017-9928 (In lrzip 0.631, a stack buffer overflow was found in the function get_ ...) 
- lrzip 0.631+git180517-1 (bug #866022) [stretch] - lrzip (Minor issue) [jessie] - lrzip (Minor issue) [wheezy] - lrzip (Minor issue) NOTE: https://github.com/ckolivas/lrzip/issues/74 CVE-2017-9927 (In SWFTools 2013-04-09-1007 on Windows, png2swf allows remote attacker ...) - swftools (unimportant) NOTE: No actionable information, just a crash report against a four year old release NOTE: https://github.com/matthiaskramm/swftools/issues/41 CVE-2017-9926 (In SWFTools 2013-04-09-1007 on Windows, png2swf allows remote attacker ...) - swftools (unimportant) NOTE: No actionable information, just a crash report against a four year old release NOTE: https://github.com/matthiaskramm/swftools/issues/41 CVE-2017-9925 (In SWFTools 2013-04-09-1007 on Windows, png2swf allows remote attacker ...) - swftools (unimportant) NOTE: No actionable information, just a crash report against a four year old release NOTE: https://github.com/matthiaskramm/swftools/issues/41 CVE-2017-9924 (In SWFTools 2013-04-09-1007 on Windows, png2swf allows remote attacker ...) - swftools (unimportant) NOTE: No actionable information, just a crash report against a four year old release NOTE: https://github.com/matthiaskramm/swftools/issues/41 CVE-2017-9923 (IrfanView version 4.44 (32bit) with TOOLS Plugin 4.50 might allow atta ...) NOT-FOR-US: IrfanView CVE-2017-9922 (IrfanView version 4.44 (32bit) with TOOLS Plugin 4.50 might allow atta ...) NOT-FOR-US: IrfanView CVE-2017-9921 (IrfanView version 4.44 (32bit) with TOOLS Plugin 4.50 might allow atta ...) NOT-FOR-US: IrfanView CVE-2017-9920 (IrfanView version 4.44 (32bit) with TOOLS Plugin 4.50 might allow atta ...) NOT-FOR-US: IrfanView CVE-2017-9919 (IrfanView version 4.44 (32bit) with TOOLS Plugin 4.50 might allow atta ...) NOT-FOR-US: IrfanView CVE-2017-9918 (IrfanView version 4.44 (32bit) with TOOLS Plugin 4.50 might allow atta ...) NOT-FOR-US: IrfanView CVE-2017-9917 (IrfanView version 4.44 (32bit) with TOOLS Plugin 4.50 might allow atta ...) 
NOT-FOR-US: IrfanView CVE-2017-9916 (IrfanView version 4.44 (32bit) with TOOLS Plugin 4.50 might allow atta ...) NOT-FOR-US: IrfanView CVE-2017-9915 (IrfanView version 4.44 (32bit) with TOOLS plugin 4.50 allows attackers ...) NOT-FOR-US: IrfanView CVE-2017-9914 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9913 (XnView Classic for Windows Version 2.40 allows remote attackers to cau ...) NOT-FOR-US: XnView CVE-2017-9912 (XnView Classic for Windows Version 2.40 allows remote attackers to cau ...) NOT-FOR-US: XnView CVE-2017-9911 (XnView Classic for Windows Version 2.40 allows remote attackers to cau ...) NOT-FOR-US: XnView CVE-2017-9910 (XnView Classic for Windows Version 2.40 allows remote attackers to cau ...) NOT-FOR-US: XnView CVE-2017-9909 (XnView Classic for Windows Version 2.40 allows remote attackers to cau ...) NOT-FOR-US: XnView CVE-2017-9908 (XnView Classic for Windows Version 2.40 allows remote attackers to cau ...) NOT-FOR-US: XnView CVE-2017-9907 (XnView Classic for Windows Version 2.40 allows remote attackers to cau ...) NOT-FOR-US: XnView CVE-2017-9906 (XnView Classic for Windows Version 2.40 allows remote attackers to cau ...) NOT-FOR-US: XnView CVE-2017-9905 (XnView Classic for Windows Version 2.40 allows remote attackers to cau ...) NOT-FOR-US: XnView CVE-2017-9904 (XnView Classic for Windows Version 2.40 allows remote attackers to cau ...) NOT-FOR-US: XnView CVE-2017-9903 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9902 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9901 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9900 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9899 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) 
NOT-FOR-US: XnView CVE-2017-9898 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9897 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9896 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9895 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9894 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9893 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9892 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9891 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9890 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9889 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9888 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9887 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9886 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9885 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9884 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9883 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9882 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) 
NOT-FOR-US: IrfanView CVE-2017-9881 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9880 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9879 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9878 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9877 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9876 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9875 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9874 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9873 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9872 (The III_dequantize_sample function in layer3.c in mpglib, as used in l ...) - lame 3.99.5+repack1-8 (bug #867725) [jessie] - lame 3.99.5+repack1-7+deb8u2 NOTE: https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_dequantize_sample-layer3-c/ NOTE: https://sourceforge.net/p/lame/bugs/482/ NOTE: Starting with 3.99.5+repack1-8 libsndfile is used to read the input file, marking that as the fixed NOTE: version, although the internal lame code was only fixed in 3.100 (strictly speaking that would be NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations CVE-2017-9871 (The III_i_stereo function in layer3.c in mpglib, as used in libmpgdeco ...) 
- lame 3.99.5+repack1-8 (bug #867725) [jessie] - lame 3.99.5+repack1-7+deb8u2 NOTE: https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_i_stereo-layer3-c/ NOTE: https://sourceforge.net/p/lame/bugs/483/ NOTE: Starting with 3.99.5+repack1-8 libsndfile is used to read the input file, marking that as the fixed NOTE: version, although the internal lame code was only fixed in 3.100 (strictly speaking that would be NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations CVE-2017-9870 (The III_i_stereo function in layer3.c in mpglib, as used in libmpgdeco ...) - lame 3.99.5+repack1-8 (bug #867725) [jessie] - lame 3.99.5+repack1-7+deb8u2 NOTE: https://blogs.gentoo.org/ago/2017/06/17/lame-global-buffer-overflow-in-iii_i_stereo-layer3-c/ NOTE: https://sourceforge.net/p/lame/bugs/481/ NOTE: Starting with 3.99.5+repack1-8 libsndfile is used to read the input file, marking that as the fixed NOTE: version, although the internal lame code was only fixed in 3.100 (strictly speaking that would be NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations CVE-2017-9869 (The II_step_one function in layer2.c in mpglib, as used in libmpgdecod ...) - lame 3.99.5+repack1-8 (bug #867725) [jessie] - lame 3.99.5+repack1-7+deb8u2 NOTE: https://blogs.gentoo.org/ago/2017/06/17/lame-global-buffer-overflow-in-ii_step_one-layer2-c/ NOTE: https://sourceforge.net/p/lame/bugs/475/ NOTE: Starting with 3.99.5+repack1-8 libsndfile is used to read the input file, marking that as the fixed NOTE: version, although the internal lame code was only fixed in 3.100 (strictly speaking that would be NOTE: severity:unimportant for stretch onwards, but we don't have suite-specific severity annotations CVE-2017-9868 (In Mosquitto through 1.4.12, mosquitto.db (aka the persistence file) i ...) 
{DLA-1525-1 DLA-1146-1} - mosquitto 1.4.14-1 (bug #865959) [stretch] - mosquitto 1.4.10-3+deb9u1 NOTE: https://github.com/eclipse/mosquitto/issues/468 NOTE: https://github.com/eclipse/mosquitto/commit/09cb1b61c8f48284d9c42bd911faa7525cc689c7 CVE-2017-9867 RESERVED CVE-2017-9866 RESERVED CVE-2017-9865 (The function GfxImageColorMap::getGray in GfxState.cc in Poppler 0.54. ...) {DSA-4079-1 DLA-1074-1} - poppler 0.57.0-2 (bug #867477) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=100774 NOTE: http://somevulnsofadlab.blogspot.com/2017/06/popplerstack-buffer-overflow-in.html NOTE: Fixed by: https://cgit.freedesktop.org/poppler/poppler/commit/?id=75fff6556eaf0ef3a6fcdef2c2229d0b6d1c58d9 CVE-2017-9864 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9863 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9862 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9861 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9860 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9859 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9858 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9857 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9856 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9855 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) 
NOT-FOR-US: SMA Solar Technology products CVE-2017-9854 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9853 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9852 (** DISPUTED ** An Incorrect Password Management issue was discovered i ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9851 (** DISPUTED ** An issue was discovered in SMA Solar Technology product ...) NOT-FOR-US: SMA Solar Technology products CVE-2017-9850 RESERVED CVE-2017-9849 RESERVED CVE-2017-9848 (SQL injection vulnerability in C_InfoService.asmx in WebServices in Ea ...) NOT-FOR-US: Easysite CVE-2017-9847 (The bdecode function in bdecode.cpp in libtorrent 1.1.3 allows remote ...) - libtorrent-rasterbar 1.1.4-1 (bug #865845) [stretch] - libtorrent-rasterbar (Minor issue) [jessie] - libtorrent-rasterbar (Minor issue) [wheezy] - libtorrent-rasterbar (new bdecode introduced in 1.1.0; vulnerable code not present) NOTE: https://github.com/arvidn/libtorrent/issues/2099 NOTE: Fixed by: https://github.com/arvidn/libtorrent/commit/ec30a5e9ec703afb8abefba757c6d401303b53db NOTE: Pre-1.1.0 versions possibly similarly affected in lazy_bdecode.cpp CVE-2017-9846 (Winmail Server 6.1 allows remote code execution by authenticated users ...) NOT-FOR-US: Winmail Server CVE-2017-9845 (disp+work 7400.12.21.30308 in SAP NetWeaver 7.40 allows remote attacke ...) NOT-FOR-US: SAP CVE-2017-9844 (SAP NetWeaver 7400.12.21.30308 allows remote attackers to cause a deni ...) NOT-FOR-US: SAP CVE-2017-9843 (SAP NetWeaver AS ABAP 7.40 allows remote authenticated users with cert ...) NOT-FOR-US: SAP CVE-2017-9842 RESERVED CVE-2017-9841 (Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 ...) 
- phpunit 5.4.6-2 (bug #866200) [stretch] - phpunit 5.4.6-2~deb9u1 [jessie] - phpunit (Issue introduced later; vulnerable code not present) [wheezy] - phpunit (Issue introduced later; vulnerable code not present) NOTE: https://github.com/sebastianbergmann/phpunit/pull/1956 NOTE: https://github.com/sebastianbergmann/phpunit/commit/284a69fb88a2d0845d23f42974a583d8f59bf5a5 NOTE: http://phpunit.vulnbusters.com/ CVE-2017-9840 (Dolibarr ERP/CRM 5.0.3 and prior allows low-privilege users to upload ...) - dolibarr (bug #867495) CVE-2017-9839 (Dolibarr ERP/CRM is affected by SQL injection in versions before 5.0.4 ...) - dolibarr CVE-2017-9838 (Dolibarr ERP/CRM is affected by multiple reflected Cross-Site Scriptin ...) - dolibarr CVE-2017-9837 REJECTED CVE-2017-9836 (Cross-site scripting (XSS) vulnerability in Piwigo 2.9.1 allows remote ...) - piwigo CVE-2017-9835 (The gs_alloc_ref_array function in psi/ialloc.c in Artifex Ghostscript ...) {DSA-3986-1 DLA-1048-1} [experimental] - ghostscript 9.22~~rc1~dfsg-1 - ghostscript 9.22~dfsg-1 (bug #869907) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697985 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=cfde94be1d4286bc47633c6e6eaf4e659bd78066 (ghostpdl-9.22rc1) CVE-2017-9834 (SQL injection vulnerability in the WatuPRO plugin before 5.5.3.7 for W ...) NOT-FOR-US: WatuPRO plugin for WordPress CVE-2017-9833 (/cgi-bin/wapopen in BOA Webserver 0.94.14rc21 allows the injection of ...) NOT-FOR-US: Undetermined product NOTE: /wapopen is not part of BOA, it's probably an insecure CGI NOTE: script used in some embedded product relying on BOA as webserver. NOTE: I asked Mitre to reject the CVE. -- Raphael Hertzog CVE-2017-9832 (An integer overflow vulnerability in ptp-pack.c (ptp_unpack_OPL functi ...) 
{DLA-2169-1 DLA-1029-1} - libmtp 1.1.13-1 NOTE: https://sourceforge.net/p/libmtp/mailman/message/35729062/ NOTE: https://sourceforge.net/p/libmtp/code/ci/aa7d91a789873a9d86969028e57f888a1241c085/ NOTE: reduced patchset: https://lists.debian.org/87lgnzvjvb.fsf@curie.anarc.at CVE-2017-9831 (An integer overflow vulnerability in the ptp_unpack_EOS_CustomFuncEx f ...) {DLA-2169-1 DLA-1029-1} - libmtp 1.1.13-1 NOTE: https://sourceforge.net/p/libmtp/mailman/message/35735992/ NOTE: https://sourceforge.net/p/libmtp/code/ci/aa7d91a789873a9d86969028e57f888a1241c085/ NOTE: reduced patchset: https://lists.debian.org/87lgnzvjvb.fsf@curie.anarc.at CVE-2017-9830 (Remote Code Execution is possible in Code42 CrashPlan 5.4.x via the or ...) NOT-FOR-US: Code42 CVE-2017-9829 ('/cgi-bin/admin/downloadMedias.cgi' of the web service in most of the ...) NOT-FOR-US: VIVOTEK Network Cameras CVE-2017-9828 ('/cgi-bin/admin/testserver.cgi' of the web service in most of the VIVO ...) NOT-FOR-US: VIVOTEK Network Cameras CVE-2017-9827 RESERVED CVE-2017-9826 RESERVED CVE-2017-11104 (Knot DNS before 2.4.5 and 2.5.x before 2.5.2 contains a flaw within th ...) {DSA-3910-1} - knot 2.5.3-1 (bug #865678) NOTE: https://lists.nic.cz/pipermail/knot-dns-users/2017-June/001144.html NOTE: http://www.synacktiv.ninja/ressources/Knot_DNS_TSIG_Signature_Forgery.pdf CVE-2017-9825 RESERVED CVE-2017-9824 RESERVED CVE-2017-9823 RESERVED CVE-2017-9822 (DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cook ...) NOT-FOR-US: DotNetNuke CVE-2017-9821 (The National Payments Corporation of India BHIM application 1.3 for An ...) NOT-FOR-US: India BHIM CVE-2017-9820 (The National Payments Corporation of India BHIM application 1.3 for An ...) NOT-FOR-US: India BHIM CVE-2017-9819 (The National Payments Corporation of India BHIM application 1.3 for An ...) NOT-FOR-US: India BHIM CVE-2017-9818 (The National Payments Corporation of India BHIM application 1.3 for An ...) 
NOT-FOR-US: India BHIM CVE-2017-9817 RESERVED CVE-2017-9816 (Cross-site scripting (XSS) vulnerability in Paessler PRTG Network Moni ...) NOT-FOR-US: Paessler PRTG Network Monitor CVE-2017-9815 (In LibTIFF 4.0.7, the TIFFReadDirEntryLong8Array function in libtiff/t ...) - tiff 4.0.8-1 [jessie] - tiff 4.0.3-12.3+deb8u4 [wheezy] - tiff 4.0.2-6+deb7u14 - tiff3 [wheezy] - tiff3 3.9.6-11+deb7u6 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2682 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/fb3dc46a2fcf6197ff3b93fc76f0c37fddc0333b NOTE: The issue is addressed with the same commit as for CVE-2017-9403 CVE-2017-9814 (cairo-truetype-subset.c in cairo 1.15.6 and earlier allows remote atta ...) - cairo (low; bug #868580) [bullseye] - cairo (Minor issue) [buster] - cairo (Minor issue) [stretch] - cairo (Minor issue) [jessie] - cairo (Minor issue) [wheezy] - cairo (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101547 NOTE: https://gitlab.freedesktop.org/cairo/cairo/issues/264 CVE-2017-9813 (In Kaspersky Anti-Virus for Linux File Server before Maintenance Pack ...) NOT-FOR-US: Kaspersky Anti-Virus CVE-2017-9812 (The reportId parameter of the getReportStatus action method can be abu ...) NOT-FOR-US: Kaspersky Anti-Virus CVE-2017-9811 (The kluser is able to interact with the kav4fs-control binary in Kaspe ...) NOT-FOR-US: Kaspersky Anti-Virus CVE-2017-9810 (There are no Anti-CSRF tokens in any forms on the web interface in Kas ...) NOT-FOR-US: Kaspersky Anti-Virus CVE-2017-9809 (OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Inform ...) NOT-FOR-US: OX Software GmbH OX App Suite CVE-2017-9808 (OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross ...) NOT-FOR-US: OX Software GmbH OX App Suite CVE-2017-9807 (An issue was discovered in the OpenWebif plugin through 1.2.4 for E2 o ...) NOT-FOR-US: OpenWebif plugin for E2 CVE-2017-9806 (A vulnerability in the OpenOffice Writer DOC file parser before 4.1.4, ...) 
	- libreoffice 1:3.4.3-1
	NOTE: https://www.talosintelligence.com/reports/TALOS-2017-0295
	NOTE: https://www.libreoffice.org/about-us/security/advisories/CVE-2017-9806
	NOTE: https://gerrit.libreoffice.org/gitweb?p=core.git;a=commitdiff_plain;h=bb494d6bd8c5868f34bd8f9444ed3eb401145f10
CVE-2017-9805 (The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and ...)
	- libstruts1.2-java
	[wheezy] - libstruts1.2-java (vulnerable code not present)
	NOTE: https://struts.apache.org/docs/s2-052.html
CVE-2017-9804 (In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an ap ...)
	- libstruts1.2-java
	[wheezy] - libstruts1.2-java (Minor issue)
	NOTE: DOS class vulnerability and classified as low by upstream.
	NOTE: https://struts.apache.org/docs/s2-050.html
CVE-2017-9803 (Apache Solr's Kerberos plugin can be configured to use delegation toke ...)
	- lucene-solr (Introduced in 6.2)
CVE-2017-9802 (The Javascript method Sling.evalString() in Apache Sling Servlets Post ...)
	NOT-FOR-US: Apache Sling
CVE-2017-9801 (When a call-site passes a subject for an email that contains line-brea ...)
	- commons-email (Fixed with first upload to Debian)
	NOTE: https://commons.apache.org/proper/commons-email/security-reports.html
	NOTE: Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1801385
	NOTE: Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1801388
	NOTE: Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1801389
CVE-2017-9800 (A maliciously constructed svn+ssh:// URL would cause Subversion client ...)
	{DSA-3932-1 DLA-1052-1}
	- subversion 1.9.7-1
	NOTE: Fixed by: http://svn.apache.org/viewvc?view=revision&sortby=rev&revision=1804691
	NOTE: http://subversion.apache.org/security/CVE-2017-9800-advisory.txt
CVE-2017-9799 (It was found that under some situations and configurations of Apache S ...)
	NOT-FOR-US: Apache Storm
CVE-2017-9798 (Apache httpd allows remote attackers to read secret data from process ...)
	{DSA-3980-1 DLA-1102-1}
	- apache2 2.4.27-6 (bug #876109)
	NOTE: https://blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html
	NOTE: https://github.com/hannob/optionsbleed
	NOTE: Patch: https://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/server/core.c?r1=1805223&r2=1807754&pathrev=1807754&view=patch
	NOTE: Patch backport for 2.2: https://blog.fuzzing-project.org/uploads/apache-2.2-optionsbleed-backport.patch
CVE-2017-9797 (When an Apache Geode cluster before v1.2.1 is operating in secure mode ...)
	NOT-FOR-US: Apache Geode
CVE-2017-9796 (When an Apache Geode cluster before v1.3.0 is operating in secure mode ...)
	NOT-FOR-US: Apache Geode
CVE-2017-9795 (When an Apache Geode cluster before v1.3.0 is operating in secure mode ...)
	NOT-FOR-US: Apache Geode
CVE-2017-9794 (When a cluster is operating in secure mode, a user with read privilege ...)
	NOT-FOR-US: Apache Geode
CVE-2017-9793 (The REST Plugin in Apache Struts 2.1.x, 2.3.7 through 2.3.33 and 2.5 t ...)
	- libstruts1.2-java
	[wheezy] - libstruts1.2-java (vulnerable code not present)
	NOTE: https://struts.apache.org/docs/s2-051.html
CVE-2017-9792 (In Apache Impala (incubating) before 2.10.0, a malicious user with "AL ...)
	NOT-FOR-US: Apache Impala
CVE-2017-9791 (The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remot ...)
	- libstruts1.2-java (Vulnerable code not present)
	NOTE: Issue is specific to Struts 2.x.
CVE-2017-9790 (When handling a libprocess message wrapped in an HTTP request, libproc ...)
	- apache-mesos (bug #760315)
CVE-2017-9789 (When under stress, closing many connections, the HTTP/2 handling code ...)
	- apache2 (Only affected 2.4.26)
	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#2.4.27
CVE-2017-9788 (In Apache httpd before 2.2.34 and 2.4.x before 2.4.27, the value place ...)
	{DSA-3913-1 DLA-1028-1}
	- apache2 2.4.27-1 (bug #868467)
	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#2.4.27
	NOTE: Fixed by (2.4.x): https://svn.apache.org/r1800955
	NOTE: 2.4.x: https://github.com/apache/httpd/commit/549ba6a39aa0df78a610025f74f3a06503a70f67
	NOTE: trunk: https://github.com/apache/httpd/commit/c5d3719133b9e5dab0d540c5aa03b2fdabc30395
CVE-2017-9787 (When using a Spring AOP functionality to secure Struts actions it is p ...)
	- libstruts1.2-java (Vulnerable code not present)
	NOTE: Issue is specific to Struts 2.x.
	NOTE: https://struts.apache.org/docs/s2-049.html
CVE-2017-9786 (Cross-site scripting (XSS) vulnerability in ProjectSend (formerly cFTP ...)
	NOT-FOR-US: ProjectSend
CVE-2017-9785 (Csrf.cs in NancyFX Nancy before 1.4.4 and 2.x before 2.0-dangermouse h ...)
	NOT-FOR-US: NancyFX Nancy
CVE-2017-9784
	RESERVED
CVE-2017-9783 (Cross-site scripting (XSS) vulnerability in ProjectSend (formerly cFTP ...)
	NOT-FOR-US: ProjectSend
CVE-2017-10599
	RESERVED
CVE-2017-10598
	RESERVED
CVE-2017-10597
	RESERVED
CVE-2017-10596
	RESERVED
CVE-2017-10595
	RESERVED
CVE-2017-10594
	RESERVED
CVE-2017-10593
	RESERVED
CVE-2017-10592
	RESERVED
CVE-2017-10591
	RESERVED
CVE-2017-10590
	RESERVED
CVE-2017-10589
	RESERVED
CVE-2017-10588
	RESERVED
CVE-2017-10587
	RESERVED
CVE-2017-10586
	RESERVED
CVE-2017-10585
	RESERVED
CVE-2017-10584
	RESERVED
CVE-2017-10583
	RESERVED
CVE-2017-10582
	RESERVED
CVE-2017-10581
	RESERVED
CVE-2017-10580
	RESERVED
CVE-2017-10579
	RESERVED
CVE-2017-10578
	RESERVED
CVE-2017-10577
	RESERVED
CVE-2017-10576
	RESERVED
CVE-2017-10575
	RESERVED
CVE-2017-10574
	RESERVED
CVE-2017-10573
	RESERVED
CVE-2017-10572
	RESERVED
CVE-2017-10571
	RESERVED
CVE-2017-10570
	RESERVED
CVE-2017-10569
	RESERVED
CVE-2017-10568
	RESERVED
CVE-2017-10567
	RESERVED
CVE-2017-10566
	RESERVED
CVE-2017-10565
	RESERVED
CVE-2017-10564
	RESERVED
CVE-2017-10563
	RESERVED
CVE-2017-10562
	RESERVED
CVE-2017-10561
	RESERVED
CVE-2017-10560
	RESERVED
CVE-2017-10559
	RESERVED
CVE-2017-10558
	RESERVED
CVE-2017-10557
	RESERVED
CVE-2017-10556
	RESERVED
CVE-2017-10555
	RESERVED
CVE-2017-10554
	RESERVED
CVE-2017-10553
	RESERVED
CVE-2017-10552
	RESERVED
CVE-2017-10551
	RESERVED
CVE-2017-10550
	RESERVED
CVE-2017-10549
	RESERVED
CVE-2017-10548
	RESERVED
CVE-2017-10547
	RESERVED
CVE-2017-10546
	RESERVED
CVE-2017-10545
	RESERVED
CVE-2017-10544
	RESERVED
CVE-2017-10543
	RESERVED
CVE-2017-10542
	RESERVED
CVE-2017-10541
	RESERVED
CVE-2017-10540
	RESERVED
CVE-2017-10539
	RESERVED
CVE-2017-10538
	RESERVED
CVE-2017-10537
	RESERVED
CVE-2017-10536
	RESERVED
CVE-2017-10535
	RESERVED
CVE-2017-10534
	RESERVED
CVE-2017-10533
	RESERVED
CVE-2017-10532
	RESERVED
CVE-2017-10531
	RESERVED
CVE-2017-10530
	RESERVED
CVE-2017-10529
	RESERVED
CVE-2017-10528
	RESERVED
CVE-2017-10527
	RESERVED
CVE-2017-10526
	RESERVED
CVE-2017-10525
	RESERVED
CVE-2017-10524
	RESERVED
CVE-2017-10523
	RESERVED
CVE-2017-10522
	RESERVED
CVE-2017-10521
	RESERVED
CVE-2017-10520
	RESERVED
CVE-2017-10519
	RESERVED
CVE-2017-10518
	RESERVED
CVE-2017-10517
	RESERVED
CVE-2017-10516
	RESERVED
CVE-2017-10515
	RESERVED
CVE-2017-10514
	RESERVED
CVE-2017-10513
	RESERVED
CVE-2017-10512
	RESERVED
CVE-2017-10511
	RESERVED
CVE-2017-10510
	RESERVED
CVE-2017-10509
	RESERVED
CVE-2017-10508
	RESERVED
CVE-2017-10507
	RESERVED
CVE-2017-10506
	RESERVED
CVE-2017-10505
	RESERVED
CVE-2017-10504
	RESERVED
CVE-2017-10503
	RESERVED
CVE-2017-10502
	RESERVED
CVE-2017-10501
	RESERVED
CVE-2017-10500
	RESERVED
CVE-2017-10499
	RESERVED
CVE-2017-10498
	RESERVED
CVE-2017-10497
	RESERVED
CVE-2017-10496
	RESERVED
CVE-2017-10495
	RESERVED
CVE-2017-10494
	RESERVED
CVE-2017-10493
	RESERVED
CVE-2017-10492
	RESERVED
CVE-2017-10491
	RESERVED
CVE-2017-10490
	RESERVED
CVE-2017-10489
	RESERVED
CVE-2017-10488
	RESERVED
CVE-2017-10487
	RESERVED
CVE-2017-10486
	RESERVED
CVE-2017-10485
	RESERVED
CVE-2017-10484
	RESERVED
CVE-2017-10483
	RESERVED
CVE-2017-10482
	RESERVED
CVE-2017-10481
	RESERVED
CVE-2017-10480
	RESERVED
CVE-2017-10479
	RESERVED
CVE-2017-10478
	RESERVED
CVE-2017-10477
	RESERVED
CVE-2017-10476
	RESERVED
CVE-2017-10475
	RESERVED
CVE-2017-10474
	RESERVED
CVE-2017-10473
	RESERVED
CVE-2017-10472
	RESERVED
CVE-2017-10471
	RESERVED
CVE-2017-10470
	RESERVED
CVE-2017-10469
	RESERVED
CVE-2017-10468
	RESERVED
CVE-2017-10467
	RESERVED
CVE-2017-10466
	RESERVED
CVE-2017-10465
	RESERVED
CVE-2017-10464
	RESERVED
CVE-2017-10463
	RESERVED
CVE-2017-10462
	RESERVED
CVE-2017-10461
	RESERVED
CVE-2017-10460
	RESERVED
CVE-2017-10459
	RESERVED
CVE-2017-10458
	RESERVED
CVE-2017-10457
	RESERVED
CVE-2017-10456
	RESERVED
CVE-2017-10455
	RESERVED
CVE-2017-10454
	RESERVED
CVE-2017-10453
	RESERVED
CVE-2017-10452
	RESERVED
CVE-2017-10451
	RESERVED
CVE-2017-10450
	RESERVED
CVE-2017-10449
	RESERVED
CVE-2017-10448
	RESERVED
CVE-2017-10447
	RESERVED
CVE-2017-10446
	RESERVED
CVE-2017-10445
	RESERVED
CVE-2017-10444
	RESERVED
CVE-2017-10443
	RESERVED
CVE-2017-10442
	RESERVED
CVE-2017-10441
	RESERVED
CVE-2017-10440
	RESERVED
CVE-2017-10439
	RESERVED
CVE-2017-10438
	RESERVED
CVE-2017-10437
	RESERVED
CVE-2017-10436
	RESERVED
CVE-2017-10435
	RESERVED
CVE-2017-10434
	RESERVED
CVE-2017-10433
	RESERVED
CVE-2017-10432
	RESERVED
CVE-2017-10431
	RESERVED
CVE-2017-10430
	RESERVED
CVE-2017-10429
	RESERVED
CVE-2017-10428 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...)
	- virtualbox 5.1.30-dfsg-1
	[jessie] - virtualbox (DSA-3699-1)
	[wheezy] - virtualbox (DSA 3454)
CVE-2017-10427 (Vulnerability in the Oracle Retail Xstore Point of Service component o ...)
	NOT-FOR-US: Oracle
CVE-2017-10426 (Vulnerability in the PeopleSoft Enterprise FSCM component of Oracle Pe ...)
	NOT-FOR-US: Oracle
CVE-2017-10425 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...)
	NOT-FOR-US: Oracle
CVE-2017-10424 (Vulnerability in the MySQL Enterprise Monitor component of Oracle MySQ ...)
	NOT-FOR-US: MySQL Enterprise Monitor component of Oracle MySQL
CVE-2017-10423 (Vulnerability in the Oracle Retail Back Office component of Oracle Ret ...)
	NOT-FOR-US: Oracle
CVE-2017-10422 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...)
	NOT-FOR-US: Oracle
CVE-2017-10421 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...)
	NOT-FOR-US: Oracle
CVE-2017-10420 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...)
	NOT-FOR-US: Oracle
CVE-2017-10419 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...)
	NOT-FOR-US: Oracle
CVE-2017-10418 (Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of ...)
	NOT-FOR-US: Oracle
CVE-2017-10417 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...)
	NOT-FOR-US: Oracle
CVE-2017-10416 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...)
	NOT-FOR-US: Oracle
CVE-2017-10415 (Vulnerability in the Oracle iSupport component of Oracle E-Business Su ...)
	NOT-FOR-US: Oracle
CVE-2017-10414 (Vulnerability in the Oracle iStore component of Oracle E-Business Suit ...)
	NOT-FOR-US: Oracle
CVE-2017-10413 (Vulnerability in the Oracle Mobile Field Service component of Oracle E ...)
	NOT-FOR-US: Oracle
CVE-2017-10412 (Vulnerability in the Oracle Knowledge Management component of Oracle E ...)
	NOT-FOR-US: Oracle
CVE-2017-10411 (Vulnerability in the Oracle Knowledge Management component of Oracle E ...)
	NOT-FOR-US: Oracle
CVE-2017-10410 (Vulnerability in the Oracle Knowledge Management component of Oracle E ...)
	NOT-FOR-US: Oracle
CVE-2017-10409 (Vulnerability in the Oracle iStore component of Oracle E-Business Suit ...)
	NOT-FOR-US: Oracle
CVE-2017-10408 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...)
	- virtualbox 5.1.30-dfsg-1
	[jessie] - virtualbox (DSA-3699-1)
	[wheezy] - virtualbox (DSA 3454)
CVE-2017-10407 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...)
	- virtualbox 5.1.30-dfsg-1
	[jessie] - virtualbox (DSA-3699-1)
	[wheezy] - virtualbox (DSA 3454)
CVE-2017-10406 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...)
	NOT-FOR-US: Oracle
CVE-2017-10405 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...)
	NOT-FOR-US: Oracle
CVE-2017-10404 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...)
	NOT-FOR-US: Oracle
CVE-2017-10403 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...)
	NOT-FOR-US: Oracle
CVE-2017-10402 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...)
	NOT-FOR-US: Oracle
CVE-2017-10401 (Vulnerability in the Oracle Hospitality Cruise Materials Management co ...)
	NOT-FOR-US: Oracle
CVE-2017-10400 (Vulnerability in the Oracle GlassFish Server component of Oracle Fusio ...)
	- glassfish (Vulnerable code not included, see bug #853998)
CVE-2017-10399 (Vulnerability in the Oracle Hospitality Cruise Fleet Management compon ...)
	NOT-FOR-US: Oracle
CVE-2017-10398 (Vulnerability in the Oracle Hospitality Cruise Fleet Management compon ...)
	NOT-FOR-US: Oracle
CVE-2017-10397 (Vulnerability in the Oracle Hospitality Cruise Fleet Management compon ...)
	NOT-FOR-US: Oracle
CVE-2017-10396 (Vulnerability in the Oracle Hospitality Cruise AffairWhere component o ...)
	NOT-FOR-US: Oracle
CVE-2017-10395 (Vulnerability in the Oracle Hospitality Cruise Fleet Management compon ...)
	NOT-FOR-US: Oracle
CVE-2017-10394 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...)
	NOT-FOR-US: Oracle
CVE-2017-10393 (Vulnerability in the Oracle GlassFish Server component of Oracle Fusio ...)
	- glassfish (Vulnerable code not included, see bug #853998)
CVE-2017-10392 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...)
	- virtualbox 5.1.30-dfsg-1
	[jessie] - virtualbox (DSA-3699-1)
	[wheezy] - virtualbox (DSA 3454)
CVE-2017-10391 (Vulnerability in the Oracle GlassFish Server component of Oracle Fusio ...)
	- glassfish (Vulnerable code not included, see bug #853998)
CVE-2017-10390
	RESERVED
CVE-2017-10389 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...)
	NOT-FOR-US: Oracle
CVE-2017-10388 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...)
	{DSA-4048-1 DSA-4015-1 DLA-1187-1}
	- openjdk-9 9.0.1+11-1
	- openjdk-8 8u151-b12-1
	[experimental] - openjdk-7 7u151-2.6.11-2
	- openjdk-7
	- openjdk-6
	[wheezy] - openjdk-6
CVE-2017-10387 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...)
	NOT-FOR-US: Oracle
CVE-2017-10386 (Vulnerability in the Java Advanced Management Console component of Ora ...)
	NOT-FOR-US: Java Advanced Management Console
CVE-2017-10385 (Vulnerability in the Oracle GlassFish Server component of Oracle Fusio ...)
	- glassfish (Vulnerable code not included, see bug #853998)
CVE-2017-10384 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
	{DSA-4002-1 DSA-3944-1 DLA-1141-1}
	- mariadb-10.2 (bug #884065)
	- mariadb-10.0
	- mysql-5.7 5.7.20-1 (bug #878398)
	- mysql-5.5 (bug #878402)
	NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
CVE-2017-10383 (Vulnerability in the Oracle Hospitality Guest Access component of Orac ...)
	NOT-FOR-US: Oracle
CVE-2017-10382 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...)
	NOT-FOR-US: Oracle
CVE-2017-10381 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...)
	NOT-FOR-US: Oracle
CVE-2017-10380 (Vulnerability in the Java Advanced Management Console component of Ora ...)
	NOT-FOR-US: Java Advanced Management Console
CVE-2017-10379 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
	{DSA-4002-1 DSA-3944-1 DLA-1141-1}
	- mariadb-10.2 (bug #884065)
	- mariadb-10.0
	- mysql-5.7 5.7.20-1 (bug #878398)
	- mysql-5.5 (bug #878402)
	NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
CVE-2017-10378 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
	{DSA-4341-1 DSA-4002-1 DLA-1407-1 DLA-1141-1}
	- mariadb-10.2 (bug #884065)
	- mariadb-10.1 10.1.29-1
	- mariadb-10.0
	- mysql-5.7 (Fixed before initial release to Debian, upstream 5.7.12)
	- mysql-5.5 (bug #878402)
	NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
	NOTE: https://jira.mariadb.org/browse/MDEV-13819
	NOTE: https://github.com/MariaDB/server/commit/b000e169562697aa072600695d4f0c0412f94f4f
CVE-2017-10377
	RESERVED
CVE-2017-10376
	RESERVED
CVE-2017-10375 (Vulnerability in the Oracle Hospitality Guest Access component of Orac ...)
	NOT-FOR-US: Oracle
CVE-2017-10374
	RESERVED
CVE-2017-10373 (Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of ...)
	NOT-FOR-US: Oracle
CVE-2017-10372 (Vulnerability in the Oracle Hospitality Guest Access component of Orac ...)
	NOT-FOR-US: Oracle
CVE-2017-10371
	RESERVED
CVE-2017-10370 (Vulnerability in the Oracle Hospitality Guest Access component of Orac ...)
	NOT-FOR-US: Oracle
CVE-2017-10369 (Vulnerability in the Oracle Virtual Directory component of Oracle Fusi ...)
	NOT-FOR-US: Oracle
CVE-2017-10368 (Vulnerability in the PeopleSoft Enterprise SCM eProcurement component ...)
	NOT-FOR-US: Oracle
CVE-2017-10367 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...)
	NOT-FOR-US: Oracle
CVE-2017-10366 (Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of ...)
	NOT-FOR-US: Oracle
CVE-2017-10365 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
	- mariadb-10.2 (bug #884065)
	- mysql-5.7 5.7.20-1 (bug #878398)
	- mysql-5.5 (Only affects MySQL 5.7)
	NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
CVE-2017-10364 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...)
	NOT-FOR-US: Oracle
CVE-2017-10363 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...)
	NOT-FOR-US: Oracle
CVE-2017-10362 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...)
	NOT-FOR-US: Oracle
CVE-2017-10361 (Vulnerability in the Oracle Hospitality Cruise Shipboard Property Mana ...)
	NOT-FOR-US: Oracle
CVE-2017-10360 (Vulnerability in the Oracle WebCenter Content component of Oracle Fusi ...)
	NOT-FOR-US: Oracle
CVE-2017-10359 (Vulnerability in the Oracle Hyperion BI+ component of Oracle Hyperion ...)
	NOT-FOR-US: Oracle
CVE-2017-10358 (Vulnerability in the Oracle Hyperion Financial Reporting component of ...)
	NOT-FOR-US: Oracle
CVE-2017-10357 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...)
	{DSA-4048-1 DSA-4015-1 DLA-1187-1}
	- openjdk-9 9.0.1+11-1
	- openjdk-8 8u151-b12-1
	[experimental] - openjdk-7 7u151-2.6.11-2
	- openjdk-7
	- openjdk-6
	[wheezy] - openjdk-6
CVE-2017-10356 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...)
	{DSA-4048-1 DSA-4015-1 DLA-1187-1}
	- openjdk-9 9.0.1+11-1
	- openjdk-8 8u151-b12-1
	[experimental] - openjdk-7 7u151-2.6.11-2
	- openjdk-7
	- openjdk-6
	[wheezy] - openjdk-6
CVE-2017-10355 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...)
	{DSA-4048-1 DSA-4015-1 DLA-1187-1}
	- openjdk-9 9.0.1+11-1
	- openjdk-8 8u151-b12-1
	[experimental] - openjdk-7 7u151-2.6.11-2
	- openjdk-7
	- openjdk-6
	[wheezy] - openjdk-6
CVE-2017-10354 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...)
	NOT-FOR-US: Oracle
CVE-2017-10353 (Vulnerability in the Oracle Hospitality Hotel Mobile component of Orac ...)
	NOT-FOR-US: Oracle
CVE-2017-10352 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...)
	NOT-FOR-US: Oracle
CVE-2017-10351 (Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of ...)
	NOT-FOR-US: Oracle
CVE-2017-10350 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...)
	{DSA-4048-1 DSA-4015-1 DLA-1187-1}
	- openjdk-9 9.0.1+11-1
	- openjdk-8 8u151-b12-1
	[experimental] - openjdk-7 7u151-2.6.11-2
	- openjdk-7
CVE-2017-10349 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...)
	{DSA-4048-1 DSA-4015-1 DLA-1187-1}
	- openjdk-9 9.0.1+11-1
	- openjdk-8 8u151-b12-1
	[experimental] - openjdk-7 7u151-2.6.11-2
	- openjdk-7
	- openjdk-6
	[wheezy] - openjdk-6
CVE-2017-10348 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...)
	{DSA-4048-1 DSA-4015-1 DLA-1187-1}
	- openjdk-9 9.0.1+11-1
	- openjdk-8 8u151-b12-1
	[experimental] - openjdk-7 7u151-2.6.11-2
	- openjdk-7
	- openjdk-6
	[wheezy] - openjdk-6
CVE-2017-10347 (Vulnerability in the Java SE, JRockit component of Oracle Java SE (sub ...)
	{DSA-4048-1 DSA-4015-1 DLA-1187-1}
	- openjdk-9 9.0.1+11-1
	- openjdk-8 8u151-b12-1
	[experimental] - openjdk-7 7u151-2.6.11-2
	- openjdk-7
	- openjdk-6
	[wheezy] - openjdk-6
CVE-2017-10346 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...)
	{DSA-4048-1 DSA-4015-1 DLA-1187-1}
	- openjdk-9 9.0.1+11-1
	- openjdk-8 8u151-b12-1
	[experimental] - openjdk-7 7u151-2.6.11-2
	- openjdk-7
	- openjdk-6
	[wheezy] - openjdk-6
CVE-2017-10345 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...)
	{DSA-4048-1 DSA-4015-1 DLA-1187-1}
	- openjdk-9 9.0.1+11-1
	- openjdk-8 8u151-b12-1
	[experimental] - openjdk-7 7u151-2.6.11-2
	- openjdk-7
	- openjdk-6
	[wheezy] - openjdk-6
CVE-2017-10344 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...)
	NOT-FOR-US: Oracle
CVE-2017-10343 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...)
	NOT-FOR-US: Oracle
CVE-2017-10342 (Vulnerability in the Java Advanced Management Console component of Ora ...)
	NOT-FOR-US: Java Advanced Management Console
CVE-2017-10341 (Vulnerability in the Java Advanced Management Console component of Ora ...)
	NOT-FOR-US: Java Advanced Management Console
CVE-2017-10340 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...)
	NOT-FOR-US: Oracle
CVE-2017-10339 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...)
	NOT-FOR-US: Oracle
CVE-2017-10338 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...)
	NOT-FOR-US: Oracle
CVE-2017-10337 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...)
	NOT-FOR-US: Oracle
CVE-2017-10336 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...)
	NOT-FOR-US: Oracle
CVE-2017-10335 (Vulnerability in the PeopleSoft Enterprise PT PeopleTools component of ...)
	NOT-FOR-US: Oracle
CVE-2017-10334 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...)
	NOT-FOR-US: Oracle
CVE-2017-10333 (Vulnerability in the Siebel UI Framework component of Oracle Siebel CR ...)
	NOT-FOR-US: Oracle
CVE-2017-10332 (Vulnerability in the Oracle Universal Work Queue component of Oracle E ...)
	NOT-FOR-US: Oracle
CVE-2017-10331 (Vulnerability in the Oracle Application Object Library component of Or ...)
	NOT-FOR-US: Oracle
CVE-2017-10330 (Vulnerability in the Oracle Common Applications component of Oracle E- ...)
	NOT-FOR-US: Oracle
CVE-2017-10329 (Vulnerability in the Oracle Global Order Promising component of Oracle ...)
	NOT-FOR-US: Oracle
CVE-2017-10328 (Vulnerability in the Oracle Application Object Library component of Or ...)
	NOT-FOR-US: Oracle
CVE-2017-10327 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...)
	NOT-FOR-US: Oracle
CVE-2017-10326 (Vulnerability in the Oracle Common Applications Calendar component of ...)
	NOT-FOR-US: Oracle
CVE-2017-10325 (Vulnerability in the Oracle Common Applications Calendar component of ...)
	NOT-FOR-US: Oracle
CVE-2017-10324 (Vulnerability in the Oracle Applications Technology Stack component of ...)
	NOT-FOR-US: Oracle
CVE-2017-10323 (Vulnerability in the Oracle Web Applications Desktop Integrator compon ...)
	NOT-FOR-US: Oracle
CVE-2017-10322 (Vulnerability in the Oracle Common Applications Calendar component of ...)
	NOT-FOR-US: Oracle
CVE-2017-10321 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...)
	NOT-FOR-US: Oracle
CVE-2017-10320 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
	- mariadb-10.2 (bug #884065)
	- mysql-5.7 5.7.20-1 (bug #878398)
	- mysql-5.5 (Only affects MySQL 5.7)
	NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
CVE-2017-10319 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...)
	NOT-FOR-US: Oracle
CVE-2017-10318 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...)
	NOT-FOR-US: Oracle
CVE-2017-10317 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...)
	NOT-FOR-US: Oracle
CVE-2017-10316 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...)
	NOT-FOR-US: Oracle
CVE-2017-10315 (Vulnerability in the Siebel UI Framework component of Oracle Siebel CR ...)
	NOT-FOR-US: Oracle
CVE-2017-10314 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
	- mysql-5.7 5.7.20-1 (bug #878398)
	- mysql-5.5 (Only affects MySQL 5.6 and 5.7)
	NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
CVE-2017-10313 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
	- mysql-5.7 5.7.20-1 (bug #878398)
	- mysql-5.5 (Only affects MySQL 5.7)
	NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
CVE-2017-10312 (Vulnerability in the Oracle Hyperion BI+ component of Oracle Hyperion ...)
	NOT-FOR-US: Oracle
CVE-2017-10311 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
	- mysql-5.7 5.7.20-1 (bug #878398)
	- mysql-5.5 (Only affects MySQL 5.7)
	NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
CVE-2017-10310 (Vulnerability in the Oracle Hyperion Financial Reporting component of ...)
	NOT-FOR-US: Oracle
CVE-2017-10309 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...)
	- openjdk-9 (Deployment components not part of OpenJDK, only present in Oracle Java)
	- openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java)
CVE-2017-10308 (Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain ...)
	NOT-FOR-US: Oracle
CVE-2017-10307
	RESERVED
CVE-2017-10306 (Vulnerability in the PeopleSoft Enterprise HCM component of Oracle Peo ...)
	NOT-FOR-US: Oracle
CVE-2017-10305
	RESERVED
CVE-2017-10304 (Vulnerability in the PeopleSoft Enterprise HCM component of Oracle Peo ...)
	NOT-FOR-US: Oracle
CVE-2017-10303 (Vulnerability in the Oracle Interaction Center Intelligence component ...)
	NOT-FOR-US: Oracle
CVE-2017-10302 (Vulnerability in the Siebel UI Framework component of Oracle Siebel CR ...)
	NOT-FOR-US: Oracle
CVE-2017-10301 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...)
	NOT-FOR-US: Oracle
CVE-2017-10300 (Vulnerability in the Siebel CRM Desktop component of Oracle Siebel CRM ...)
	NOT-FOR-US: Oracle
CVE-2017-10299 (Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain ...)
	NOT-FOR-US: Oracle
CVE-2017-10298
	RESERVED
CVE-2017-10297
	RESERVED
CVE-2017-10296 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
	- mysql-5.7 5.7.20-1 (bug #878398)
	- mysql-5.5 (Only affects MySQL 5.7)
	NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
CVE-2017-10295 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...)
	{DSA-4048-1 DSA-4015-1 DLA-1187-1}
	- openjdk-9 9.0.1+11-1
	- openjdk-8 8u151-b12-1
	[experimental] - openjdk-7 7u151-2.6.11-2
	- openjdk-7
	- openjdk-6
	[wheezy] - openjdk-6
CVE-2017-10294 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
	- mysql-5.7 5.7.20-1 (bug #878398)
	- mysql-5.5 (Only affects MySQL 5.6 and 5.7)
	NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
CVE-2017-10293 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...)
	- openjdk-8 (Seems to be specific to Oracle Java)
	- openjdk-7 (Seems to be specific to Oracle Java)
	- openjdk-6 (Seems to be specific to Oracle Java)
CVE-2017-10292 (Vulnerability in the RDBMS Security component of Oracle Database Serve ...)
	NOT-FOR-US: Oracle
CVE-2017-10291
	RESERVED
CVE-2017-10290
	RESERVED
CVE-2017-10289
	RESERVED
CVE-2017-10288
	RESERVED
CVE-2017-10287 (Vulnerability in the PeopleSoft Enterprise FSCM component of Oracle Pe ...)
	NOT-FOR-US: Oracle
CVE-2017-10286 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
	{DSA-3944-1}
	- mariadb-10.2 (bug #884065)
	- mariadb-10.0
	- mysql-5.7 5.7.20-1 (bug #878398)
	- mysql-5.5 (Only affects MySQL 5.6 and 5.7)
	NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
CVE-2017-10285 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...)
	{DSA-4048-1 DSA-4015-1 DLA-1187-1}
	- openjdk-9 9.0.1+11-1
	- openjdk-8 8u151-b12-1
	[experimental] - openjdk-7 7u151-2.6.11-2
	- openjdk-7
	- openjdk-6
	[wheezy] - openjdk-6
CVE-2017-10284 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
	- mysql-5.7 5.7.20-1 (bug #878398)
	- mysql-5.5 (Only affects MySQL 5.7)
	NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
CVE-2017-10283 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
	- mysql-5.7 5.7.20-1 (bug #878398)
	- mysql-5.5 (Only affects MySQL 5.6 and 5.7)
	NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
CVE-2017-10282 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...)
	NOT-FOR-US: Oracle
CVE-2017-10281 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...)
	{DSA-4048-1 DSA-4015-1 DLA-1187-1}
	- openjdk-9 9.0.1+11-1
	- openjdk-8 8u151-b12-1
	[experimental] - openjdk-7 7u151-2.6.11-2
	- openjdk-7
	- openjdk-6
	[wheezy] - openjdk-6
CVE-2017-10280 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...)
	NOT-FOR-US: Oracle
CVE-2017-10279 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
	- mysql-5.7 5.7.20-1 (bug #878398)
	- mysql-5.5 (Only affects MySQL 5.6 and 5.7)
	NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
CVE-2017-10278 (Vulnerability in the Oracle Tuxedo component of Oracle Fusion Middlewa ...)
	NOT-FOR-US: Oracle
CVE-2017-10277 (Vulnerability in the MySQL Connectors component of Oracle MySQL (subco ...)
	- mysql-connector-net (bug #883923)
	[stretch] - mysql-connector-net (Minor issue)
	[jessie] - mysql-connector-net (Minor issue)
	[wheezy] - mysql-connector-net (Minor issue)
CVE-2017-10276 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
	- mysql-5.7 5.7.20-1 (bug #878398)
	- mysql-5.5 (Only affects MySQL 5.6 and 5.7)
	NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
CVE-2017-10275 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...)
	NOT-FOR-US: Oracle
CVE-2017-10274 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...)
	{DSA-4048-1 DSA-4015-1 DLA-1187-1}
	- openjdk-9 9.0.1+11-1
	- openjdk-8 8u151-b12-1
	[experimental] - openjdk-7 7u151-2.6.11-2
	- openjdk-7
	- openjdk-6
	[wheezy] - openjdk-6
CVE-2017-10273 (Vulnerability in the Oracle JDeveloper component of Oracle Fusion Midd ...)
	NOT-FOR-US: Oracle
CVE-2017-10272 (Vulnerability in the Oracle Tuxedo component of Oracle Fusion Middlewa ...)
	NOT-FOR-US: Oracle
CVE-2017-10271 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...)
	NOT-FOR-US: Oracle
CVE-2017-10270 (Vulnerability in the Oracle Identity Manager Connector component of Or ...)
	NOT-FOR-US: Oracle
CVE-2017-10269 (Vulnerability in the Oracle Tuxedo component of Oracle Fusion Middlewa ...)
	NOT-FOR-US: Oracle
CVE-2017-10268 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
	{DSA-4341-1 DSA-4002-1 DLA-1407-1 DLA-1141-1}
	- mariadb-10.2 (bug #884065)
	- mariadb-10.1 10.1.29-1
	- mariadb-10.0
	- mysql-5.7 5.7.20-1 (bug #878398)
	- mysql-5.5 (bug #878402)
	NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL
CVE-2017-10267 (Vulnerability in the Oracle Tuxedo component of Oracle Fusion Middlewa ...)
	NOT-FOR-US: Oracle
CVE-2017-10266 (Vulnerability in the Oracle Tuxedo component of Oracle Fusion Middlewa ...)
	NOT-FOR-US: Oracle
CVE-2017-10265 (Vulnerability in the Oracle Integrated Lights Out Manager (ILOM) compo ...)
	NOT-FOR-US: Oracle
CVE-2017-10264 (Vulnerability in the Siebel UI Framework component of Oracle Siebel CR ...)
	NOT-FOR-US: Oracle
CVE-2017-10263 (Vulnerability in the Siebel UI Framework component of Oracle Siebel CR ...)
	NOT-FOR-US: Oracle
CVE-2017-10262 (Vulnerability in the Oracle Access Manager component of Oracle Fusion ...)
	NOT-FOR-US: Oracle
CVE-2017-10261 (Vulnerability in the XML Database component of Oracle Database Server. ...)
	NOT-FOR-US: Oracle
CVE-2017-10260 (Vulnerability in the Oracle Integrated Lights Out Manager (ILOM) compo ...)
NOT-FOR-US: Oracle CVE-2017-10259 (Vulnerability in the Oracle Access Manager component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10258 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: PeopleSoft CVE-2017-10257 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: PeopleSoft CVE-2017-10256 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: PeopleSoft CVE-2017-10255 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: PeopleSoft CVE-2017-10254 (Vulnerability in the PeopleSoft Enterprise FSCM component of Oracle Pe ...) NOT-FOR-US: PeopleSoft CVE-2017-10253 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: PeopleSoft CVE-2017-10252 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: PeopleSoft CVE-2017-10251 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: PeopleSoft CVE-2017-10250 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: PeopleSoft CVE-2017-10249 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: PeopleSoft CVE-2017-10248 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: PeopleSoft CVE-2017-10247 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: PeopleSoft CVE-2017-10246 (Vulnerability in the Oracle Application Object Library component of Or ...) NOT-FOR-US: Oracle CVE-2017-10245 (Vulnerability in the Oracle General Ledger component of Oracle E-Busin ...) NOT-FOR-US: Oracle CVE-2017-10244 (Vulnerability in the Oracle Application Object Library component of Or ...) NOT-FOR-US: Oracle CVE-2017-10243 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) 
{DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10242 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10241 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10240 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10239 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10238 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10237 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10236 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10235 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10234 (Vulnerability in the Solaris Cluster component of Oracle Sun Systems P ...) NOT-FOR-US: Oracle CVE-2017-10233 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) 
- virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10232 (Vulnerability in the Hospitality WebSuite8 Cloud Service component of ...) NOT-FOR-US: Oracle CVE-2017-10231 (Vulnerability in the Oracle Hospitality Cruise AffairWhere component o ...) NOT-FOR-US: Oracle CVE-2017-10230 (Vulnerability in the Oracle Hospitality Cruise Dining Room Management ...) NOT-FOR-US: Oracle CVE-2017-10229 (Vulnerability in the Oracle Hospitality Cruise Materials Management co ...) NOT-FOR-US: Oracle CVE-2017-10228 (Vulnerability in the Oracle Hospitality Cruise Shipboard Property Mana ...) NOT-FOR-US: Oracle CVE-2017-10227 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10226 (Vulnerability in the Oracle Hospitality Cruise Fleet Management compon ...) NOT-FOR-US: Oracle CVE-2017-10225 (Vulnerability in the Oracle Hospitality RES 3700 component of Oracle H ...) NOT-FOR-US: Oracle CVE-2017-10224 (Vulnerability in the Oracle Hospitality Inventory Management component ...) NOT-FOR-US: Oracle CVE-2017-10223 (Vulnerability in the Oracle Hospitality Materials Control component of ...) NOT-FOR-US: Oracle CVE-2017-10222 (Vulnerability in the Oracle Hospitality Materials Control component of ...) NOT-FOR-US: Oracle CVE-2017-10221 (Vulnerability in the Oracle Hospitality RES 3700 component of Oracle H ...) NOT-FOR-US: Oracle CVE-2017-10220 (Vulnerability in the Hospitality Property Interfaces component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10219 (Vulnerability in the Oracle Hospitality Guest Access component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10218 (Vulnerability in the Oracle Hospitality Guest Access component of Orac ...) 
NOT-FOR-US: Oracle CVE-2017-10217 (Vulnerability in the Oracle Hospitality Guest Access component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10216 (Vulnerability in the Hospitality Property Interfaces component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10215 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: PeopleSoft CVE-2017-10214 (Vulnerability in the Oracle Retail Xstore Point of Service component o ...) NOT-FOR-US: Oracle CVE-2017-10213 (Vulnerability in the Hospitality Suite8 component of Oracle Hospitalit ...) NOT-FOR-US: Oracle CVE-2017-10212 (Vulnerability in the Hospitality Suite8 component of Oracle Hospitalit ...) NOT-FOR-US: Oracle CVE-2017-10211 (Vulnerability in the Hospitality Suite8 component of Oracle Hospitalit ...) NOT-FOR-US: Oracle CVE-2017-10210 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10209 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10208 (Vulnerability in the Oracle Hospitality e7 component of Oracle Hospita ...) NOT-FOR-US: Oracle CVE-2017-10207 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2017-10206 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2017-10205 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2017-10204 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10203 (Vulnerability in the MySQL Connectors component of Oracle MySQL (subco ...) 
- mysql-connector-net (bug #883923) [stretch] - mysql-connector-net (Minor issue) [jessie] - mysql-connector-net (Minor issue) [wheezy] - mysql-connector-net (Minor issue) CVE-2017-10202 (Vulnerability in the OJVM component of Oracle Database Server. Support ...) NOT-FOR-US: Oracle CVE-2017-10201 (Vulnerability in the Oracle Hospitality e7 component of Oracle Hospita ...) NOT-FOR-US: Oracle CVE-2017-10200 (Vulnerability in the Oracle Hospitality e7 component of Oracle Hospita ...) NOT-FOR-US: Oracle CVE-2017-10199 (Vulnerability in the Oracle iLearning component of Oracle iLearning (s ...) NOT-FOR-US: Oracle CVE-2017-10198 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10197 (Vulnerability in the Oracle Hospitality OPERA 5 Property Services comp ...) NOT-FOR-US: Oracle CVE-2017-10196 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-10195 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2017-10194 (Vulnerability in the Oracle Integrated Lights Out Manager (ILOM) compo ...) NOT-FOR-US: Oracle CVE-2017-10193 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10192 (Vulnerability in the Oracle iStore component of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2017-10191 (Vulnerability in the Oracle Web Analytics component of Oracle E-Busine ...) NOT-FOR-US: Oracle CVE-2017-10190 (Vulnerability in the Java VM component of Oracle Database Server. Supp ...) NOT-FOR-US: Oracle CVE-2017-10189 (Vulnerability in the Hospitality Suite8 component of Oracle Hospitalit ...) NOT-FOR-US: Oracle CVE-2017-10188 (Vulnerability in the Hospitality Hotel Mobile component of Oracle Hosp ...) 
NOT-FOR-US: Oracle CVE-2017-10187 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10186 (Vulnerability in the Oracle iStore component of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2017-10185 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10184 (Vulnerability in the Oracle Field Service component of Oracle E-Busine ...) NOT-FOR-US: Oracle CVE-2017-10183 (Vulnerability in the Oracle Retail Xstore Point of Service component o ...) NOT-FOR-US: Oracle CVE-2017-10182 (Vulnerability in the Oracle Hospitality OPERA 5 Property Services comp ...) NOT-FOR-US: Oracle CVE-2017-10181 (Vulnerability in the Oracle FLEXCUBE Direct Banking component of Oracl ...) NOT-FOR-US: Oracle CVE-2017-10180 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10179 (Vulnerability in the Application Management Pack for Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2017-10178 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10177 (Vulnerability in the Oracle Application Object Library component of Or ...) NOT-FOR-US: Oracle CVE-2017-10176 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 CVE-2017-10175 (Vulnerability in the Oracle iSupport component of Oracle E-Business Su ...) NOT-FOR-US: Oracle CVE-2017-10174 (Vulnerability in the Oracle iSupport component of Oracle E-Business Su ...) NOT-FOR-US: Oracle CVE-2017-10173 (Vulnerability in the Oracle Retail Open Commerce Platform component of ...) NOT-FOR-US: Oracle CVE-2017-10172 (Vulnerability in the Oracle Retail Open Commerce Platform component of ...) 
NOT-FOR-US: Oracle CVE-2017-10171 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-10170 (Vulnerability in the Oracle Field Service component of Oracle E-Busine ...) NOT-FOR-US: Oracle CVE-2017-10169 (Vulnerability in the Oracle Hospitality 9700 component of Oracle Hospi ...) NOT-FOR-US: Oracle CVE-2017-10168 (Vulnerability in the Hospitality Hotel Mobile component of Oracle Hosp ...) NOT-FOR-US: Oracle CVE-2017-10167 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10166 (Vulnerability in the Oracle Security Service component of Oracle Fusio ...) NOT-FOR-US: Oracle CVE-2017-10165 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (Only affects MySQL 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10164 (Vulnerability in the PeopleSoft Enterprise FSCM component of Oracle Pe ...) NOT-FOR-US: Oracle CVE-2017-10163 (Vulnerability in the Oracle Business Intelligence Enterprise Edition c ...) NOT-FOR-US: Oracle CVE-2017-10162 (Vulnerability in the Siebel Core - Server Framework component of Oracl ...) NOT-FOR-US: Oracle CVE-2017-10161 (Vulnerability in the Oracle Engineering Data Management component of O ...) NOT-FOR-US: Oracle CVE-2017-10160 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Primavera CVE-2017-10159 (Vulnerability in the Oracle Communications Policy Management component ...) NOT-FOR-US: Oracle CVE-2017-10158 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10157 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) 
NOT-FOR-US: Oracle CVE-2017-10156 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2017-10155 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #878398) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) NOTE: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixMSQL CVE-2017-10154 (Vulnerability in the Oracle Access Manager component of Oracle Fusion ...) NOT-FOR-US: Java Advanced Management Console CVE-2017-10153 (Vulnerability in the Oracle Communications WebRTC Session Controller c ...) NOT-FOR-US: Oracle CVE-2017-10152 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10151 (Vulnerability in the Oracle Identity Manager component of Oracle Fusio ...) NOT-FOR-US: Oracle CVE-2017-10150 (Vulnerability in the Primavera Unifier component of Oracle Primavera P ...) NOT-FOR-US: Primavera CVE-2017-10149 (Vulnerability in the Primavera Unifier component of Oracle Primavera P ...) NOT-FOR-US: Primavera CVE-2017-10148 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10147 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10146 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10145 (Vulnerability in the Java Advanced Management Console component of Ora ...) NOT-FOR-US: Oracle CVE-2017-10144 (Vulnerability in the Oracle Applications Manager component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-10143 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10142 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2017-10141 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) 
NOT-FOR-US: Oracle CVE-2017-10140 (Postfix before 2.11.10, 3.0.x before 3.0.10, 3.1.x before 3.1.6, and 3 ...) {DLA-1137-1 DLA-1136-1 DLA-1135-1} - db5.3 5.3.28-13.1 (bug #872436) [stretch] - db5.3 5.3.28-12+deb9u1 [jessie] - db5.3 5.3.28-9+deb8u1 - db5.2 - db5.1 - db4.8 - db4.7 - db4.6 - db4.5 - db4.4 - db4.3 - db4.2 - db4.1 - db4.0 - db [jessie] - db 5.1.29-9+deb8u1 NOTE: https://www.openwall.com/lists/oss-security/2017/08/12/1 NOTE: Patch as used in Fedora: https://src.fedoraproject.org/rpms/libdb/raw/8047fa8580659fcae740c25e91b490539b8453eb/f/db-5.3.28-cwd-db_config.patch NOTE: and is acknowledged by libdb upstream, cf. https://bugzilla.redhat.com/show_bug.cgi?id=1464032#c9 CVE-2017-10139 RESERVED CVE-2017-10138 RESERVED CVE-2017-10137 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10136 (Vulnerability in the Oracle Hospitality Simphony component of Oracle H ...) NOT-FOR-US: Oracle CVE-2017-10135 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 NOTE: OpenJDK-8 upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/079cd6c5de27 CVE-2017-10134 (Vulnerability in the PeopleSoft Enterprise FSCM component of Oracle Pe ...) NOT-FOR-US: Oracle CVE-2017-10133 (Vulnerability in the Hospitality Hotel Mobile component of Oracle Hosp ...) NOT-FOR-US: Oracle CVE-2017-10132 (Vulnerability in the Hospitality Hotel Mobile component of Oracle Hosp ...) NOT-FOR-US: Oracle CVE-2017-10131 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2017-10130 (Vulnerability in the Oracle iStore component of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2017-10129 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) 
- virtualbox 5.1.24-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-10128 (Vulnerability in the Hospitality WebSuite8 Cloud Service component of ...) NOT-FOR-US: Oracle CVE-2017-10127 RESERVED CVE-2017-10126 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: Oracle CVE-2017-10125 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2017-10124 RESERVED CVE-2017-10123 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10122 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2017-10121 (Vulnerability in the Java Advanced Management Console component of Ora ...) NOT-FOR-US: Java Advanced Management Console CVE-2017-10120 (Vulnerability in the RDBMS Security component of Oracle Database Serve ...) NOT-FOR-US: Oracle CVE-2017-10119 (Vulnerability in the Oracle Service Bus component of Oracle Fusion Mid ...) NOT-FOR-US: Oracle CVE-2017-10118 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 CVE-2017-10117 (Vulnerability in the Java Advanced Management Console component of Ora ...) NOT-FOR-US: Java Advanced Management Console CVE-2017-10116 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10115 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) 
{DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10114 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) {DSA-4005-1} - openjfx 8u141-b14-1 (low; bug #870860) CVE-2017-10113 (Vulnerability in the Oracle Common Applications component of Oracle E- ...) NOT-FOR-US: Oracle CVE-2017-10112 (Vulnerability in the Oracle iStore component of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2017-10111 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3919-1} - openjdk-8 8u141-b15-1 CVE-2017-10110 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10109 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10108 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10107 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10106 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10105 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) 
- openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2017-10104 (Vulnerability in the Java Advanced Management Console component of Ora ...) NOT-FOR-US: Java Advanced Management Console CVE-2017-10103 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10102 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10101 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10100 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: Oracle CVE-2017-10099 (Vulnerability in the SPARC M7, T7, S7 based Servers component of Oracl ...) NOT-FOR-US: Oracle CVE-2017-10098 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-10097 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2017-10096 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10095 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2017-10094 (Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain ...) NOT-FOR-US: Oracle CVE-2017-10093 (Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain ...) 
NOT-FOR-US: Oracle CVE-2017-10092 (Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain ...) NOT-FOR-US: Oracle CVE-2017-10091 (Vulnerability in the Enterprise Manager Base Platform component of Ora ...) NOT-FOR-US: Oracle CVE-2017-10090 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 CVE-2017-10089 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10088 (Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain ...) NOT-FOR-US: Oracle CVE-2017-10087 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10086 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) {DSA-4005-1} - openjfx 8u141-b14-1 (low; bug #870860) CVE-2017-10085 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-10084 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-10083 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-10082 (Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain ...) NOT-FOR-US: Oracle CVE-2017-10081 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10080 (Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain ...) 
NOT-FOR-US: Oracle CVE-2017-10079 (Vulnerability in the Oracle Hospitality Suites Management component of ...) NOT-FOR-US: Oracle CVE-2017-10078 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) {DSA-3919-1} - openjdk-8 8u141-b15-1 CVE-2017-10077 (Vulnerability in the Oracle Applications DBA component of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2017-10076 (Vulnerability in the Oracle Hospitality Simphony First Edition Venue M ...) NOT-FOR-US: Oracle CVE-2017-10075 (Vulnerability in the Oracle WebCenter Content component of Oracle Fusi ...) NOT-FOR-US: Oracle CVE-2017-10074 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10073 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-10072 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-10071 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-10070 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: Oracle CVE-2017-10069 (Vulnerability in the Oracle Payment Interface component of Oracle Hosp ...) NOT-FOR-US: Oracle CVE-2017-10068 (Vulnerability in the Oracle Business Intelligence Enterprise Edition c ...) NOT-FOR-US: Oracle CVE-2017-10067 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10066 (Vulnerability in the Oracle Applications Technology Stack component of ...) NOT-FOR-US: Oracle CVE-2017-10065 (Vulnerability in the Oracle Retail Point-of-Service component of Oracl ...) 
NOT-FOR-US: Oracle CVE-2017-10064 (Vulnerability in the Hospitality WebSuite8 Cloud Service component of ...) NOT-FOR-US: Oracle CVE-2017-10063 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10062 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2017-10061 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10060 (Vulnerability in the Oracle Business Intelligence Enterprise Edition c ...) NOT-FOR-US: Oracle CVE-2017-10059 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2017-10058 (Vulnerability in the Oracle Business Intelligence Enterprise Edition c ...) NOT-FOR-US: Oracle CVE-2017-10057 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub compon ...) NOT-FOR-US: Oracle CVE-2017-10056 (Vulnerability in the Oracle Hospitality 9700 component of Oracle Hospi ...) NOT-FOR-US: Oracle CVE-2017-10055 (Vulnerability in the Oracle iPlanet Web Server component of Oracle Fus ...) NOT-FOR-US: Oracle CVE-2017-10054 (Vulnerability in the Oracle Hospitality Cruise Materials Management co ...) NOT-FOR-US: Oracle CVE-2017-10053 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3954-1 DSA-3919-1 DLA-1073-1} - openjdk-8 8u141-b15-1 [experimental] - openjdk-7 7u151-2.6.11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-10052 (Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain ...) NOT-FOR-US: Oracle CVE-2017-10051 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-10050 (Vulnerability in the Oracle Hospitality Suite8 component of Oracle Hos ...) NOT-FOR-US: Oracle CVE-2017-10049 (Vulnerability in the Siebel Core CRM component of Oracle Siebel CRM (s ...) 
NOT-FOR-US: Oracle CVE-2017-10048 (Vulnerability in the Oracle Enterprise Repository component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-10047 (Vulnerability in the MICROS BellaVita component of Oracle Hospitality ...) NOT-FOR-US: Oracle CVE-2017-10046 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2017-10045 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10044 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2017-10043 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2017-10042 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2017-10041 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2017-10040 (Vulnerability in the Oracle WebCenter Content component of Oracle Fusi ...) NOT-FOR-US: Oracle CVE-2017-10039 (Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain ...) NOT-FOR-US: Oracle CVE-2017-10038 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2017-10037 (Vulnerability in the Oracle BI Publisher component of Oracle Fusion Mi ...) NOT-FOR-US: Oracle CVE-2017-10036 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2017-10035 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2017-10034 (Vulnerability in the Oracle BI Publisher component of Oracle Fusion Mi ...) NOT-FOR-US: Oracle CVE-2017-10033 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-10032 (Vulnerability in the Oracle Transportation Management component of Ora ...) NOT-FOR-US: Oracle CVE-2017-10031 (Vulnerability in the Oracle Communications Convergence component of Or ...) 
NOT-FOR-US: Oracle CVE-2017-10030 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2017-10029 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2017-10028 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2017-10027 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10026 (Vulnerability in the Oracle SOA Suite component of Oracle Fusion Middl ...) NOT-FOR-US: Oracle CVE-2017-10025 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2017-10024 (Vulnerability in the BI Publisher component of Oracle Fusion Middlewar ...) NOT-FOR-US: Oracle CVE-2017-10023 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10022 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10021 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10020 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10019 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10018 (Vulnerability in the PeopleSoft Enterprise FSCM component of Oracle Pe ...) NOT-FOR-US: Oracle CVE-2017-10017 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10016 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Oracle CVE-2017-10015 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-10014 (Vulnerability in the Oracle Hospitality Hotel Mobile component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10013 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) 
NOT-FOR-US: Oracle CVE-2017-10012 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10011 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10010 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10009 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10008 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10007 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10006 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10005 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-10004 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2017-10003 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle CVE-2017-10002 (Vulnerability in the Oracle Hospitality Inventory Management component ...) NOT-FOR-US: Oracle CVE-2017-10001 (Vulnerability in the Oracle Hospitality Simphony First Edition compone ...) NOT-FOR-US: Oracle CVE-2017-10000 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...) NOT-FOR-US: Oracle CVE-2017-9782 (JasPer 2.0.12 allows remote attackers to cause a denial of service (he ...) - jasper [jessie] - jasper (Minor issue) [wheezy] - jasper (Minor issue) NOTE: https://github.com/mdadams/jasper/issues/140 CVE-2017-9781 (A cross site scripting (XSS) vulnerability exists in Check_MK versions ...) 
[experimental] - check-mk 1.4.0p9-1 - check-mk (bug #865497) [wheezy] - check-mk (Minor issue) NOTE: http://mathias-kettner.com/check_mk_werks.php?werk_id=4757 NOTE: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=c248f0b6ff7b15ced9f07a3df8a80fad656ea5b1 CVE-2017-9779 (OCaml compiler allows attackers to have unspecified impact via unknown ...) - ocaml 4.05.0-9 (bug #874700) [stretch] - ocaml (Minor issue) [jessie] - ocaml (Minor issue) [wheezy] - ocaml (Minor issue) NOTE: https://sympa.inria.fr/sympa/arc/caml-list/2017-06/msg00094.html NOTE: https://caml.inria.fr/mantis/view.php?id=7557 NOTE: Make sure any potential advisories are clear that any created suid NOTE: binaries using ocaml must be re-created once ocaml has been updated. CVE-2017-9778 (GNU Debugger (GDB) 8.0 and earlier fails to detect a negative length f ...) - gdb 8.3.1-1 (unimportant; bug #865607) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21600 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=723adb650a31859d7cc45832cb8adca0206455ed CVE-2017-9777 RESERVED CVE-2017-9776 (Integer overflow leading to Heap buffer overflow in JBIG2Stream.cc in ...) {DSA-4079-2 DSA-4079-1 DLA-1074-1} - poppler 0.57.0-2 (bug #865679) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101541 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/55db66c69fd56826b8523710046deab1a8d14ba2 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/22c4701d5f7be0010ee4519daa546fba5ab7ac13 CVE-2017-9775 (Stack buffer overflow in GfxState.cc in pdftocairo in Poppler before 0 ...) {DSA-4079-1 DLA-1074-1} - poppler 0.57.0-2 (bug #865680) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101540 NOTE: Fixed by: https://cgit.freedesktop.org/poppler/poppler/commit/?id=8f4ff8243a3d599ff2a6c08b1da389e606ba4fc9 CVE-2017-9774 (Remote Code Execution was found in Horde_Image 2.x before 2.5.0 via a ...) 
{DSA-4276-1 DLA-1395-1} - php-horde-image 2.5.1-1 (bug #865505) NOTE: https://lists.horde.org/archives/announce/2017/001234.html NOTE: https://github.com/horde/horde/commit/01a11ccd37149101d67e0b20261fa48ab07dae13 NOTE: Regression in upstream patch, fixing in https://github.com/horde/Image/pull/1 CVE-2017-9773 (Denial of Service was found in Horde_Image 2.x before 2.5.0 via a craf ...) {DSA-4276-1} - php-horde-image 2.5.1-1 (bug #865504) [jessie] - php-horde-image (Only Horde_Image above 2.3.0 affected) NOTE: https://lists.horde.org/archives/announce/2017/001234.html NOTE: https://github.com/horde/horde/commit/2b8a6fe1a5fc0fc662178145f853c65956985538 CVE-2017-9772 (Insufficient sanitisation in the OCaml compiler versions 4.04.0 and 4. ...) - ocaml (Only affects 4.04.0 and 4.04.1) NOTE: https://caml.inria.fr/mantis/view.php?id=7557 CVE-2017-9771 (install\save.php in WebsiteBaker v2.10.0 allows remote attackers to ex ...) NOT-FOR-US: WebsiteBaker CVE-2017-9770 (A specially crafted IOCTL can be issued to the rzpnk.sys driver in Raz ...) NOT-FOR-US: Razer Synapse CVE-2017-9769 (A specially crafted IOCTL can be issued to the rzpnk.sys driver in Raz ...) NOT-FOR-US: Razer Synapse CVE-2017-9768 RESERVED CVE-2017-9767 (Multiple cross-site scripting (XSS) vulnerabilities in Quali CloudShel ...) NOT-FOR-US: Quali CloudShell CVE-2017-9766 (In Wireshark 2.2.7, PROFINET IO data with a high recursion depth allow ...) {DLA-1634-1} - wireshark 2.4.0-1 (low; bug #870175) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13811 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d6e888400ba64de3147d1111a4c23edf389b0000 CVE-2017-9765 (Integer overflow in the soap_get function in Genivia gSOAP 2.7.x and 2 ...) 
{DLA-1036-1} - gsoap 2.8.48-1 [stretch] - gsoap 2.8.35-4+deb9u1 [jessie] - gsoap 2.8.17-1+deb8u1 - r-other-x4r 1.0.1+git20150806.c6bd9bd-2 NOTE: http://blog.senr.io/blog/devils-ivy-flaw-in-widely-used-third-party-code-impacts-millions NOTE: https://www.genivia.com/changelog.html#Version_2.8.48_upd_(06/21/2017) NOTE: SuSE patch: https://bugzilla.suse.com/attachment.cgi?id=733005 CVE-2017-9764 (Cross-site scripting (XSS) vulnerability in MetInfo 5.3.17 allows remo ...) NOT-FOR-US: MetInfo CVE-2017-9780 (In Flatpak before 0.8.7, a third-party app repository could include ma ...) {DSA-3895-1} - flatpak 0.8.7-1 (bug #865413) NOTE: https://github.com/flatpak/flatpak/issues/845 CVE-2017-10923 (Xen through 4.8.x does not validate a vCPU array index upon the sendin ...) - xen 4.8.1-1+deb9u3 [stretch] - xen 4.8.1-1+deb9u3 [jessie] - xen (Vulnerable code not present) [wheezy] - xen (Vulnerable code not present) NOTE: https://xenbits.xen.org/xsa/advisory-225.html CVE-2017-10922 (The grant-table feature in Xen through 4.8.x mishandles MMIO region gr ...) {DSA-3969-1 DLA-1132-1} - xen 4.8.1-1+deb9u3 NOTE: https://xenbits.xen.org/xsa/advisory-224.html CVE-2017-10921 (The grant-table feature in Xen through 4.8.x does not ensure sufficien ...) {DSA-3969-1 DLA-1132-1} - xen 4.8.1-1+deb9u3 NOTE: https://xenbits.xen.org/xsa/advisory-224.html CVE-2017-10920 (The grant-table feature in Xen through 4.8.x mishandles a GNTMAP_devic ...) {DSA-3969-1 DLA-1132-1} - xen 4.8.1-1+deb9u3 NOTE: https://xenbits.xen.org/xsa/advisory-224.html CVE-2017-10919 (Xen through 4.8.x mishandles virtual interrupt injection, which allows ...) - xen 4.8.1-1+deb9u3 [stretch] - xen 4.8.1-1+deb9u3 [jessie] - xen (No backport available, limited to arm) [wheezy] - xen (arm not supported) NOTE: https://xenbits.xen.org/xsa/advisory-223.html CVE-2017-10918 (Xen through 4.8.x does not validate memory allocations during certain ...) 
{DSA-3969-1 DLA-1132-1} - xen 4.8.1-1+deb9u3 NOTE: https://xenbits.xen.org/xsa/advisory-222.html CVE-2017-10917 (Xen through 4.8.x does not validate the port numbers of polled event c ...) {DSA-3969-1} - xen 4.8.1-1+deb9u3 [wheezy] - xen (Vulnerable code not present) NOTE: https://xenbits.xen.org/xsa/advisory-221.html CVE-2017-10916 (The vCPU context-switch implementation in Xen through 4.8.x improperly ...) - xen 4.8.1-1+deb9u3 [stretch] - xen 4.8.1-1+deb9u3 [jessie] - xen (Vulnerable code not present) [wheezy] - xen (Vulnerable code not present) NOTE: https://xenbits.xen.org/xsa/advisory-220.html CVE-2017-10915 (The shadow-paging feature in Xen through 4.8.x mismanages page referen ...) {DSA-3969-1 DLA-1132-1} - xen 4.8.1-1+deb9u3 NOTE: https://xenbits.xen.org/xsa/advisory-219.html CVE-2017-10914 (The grant-table feature in Xen through 4.8.x has a race condition lead ...) {DSA-3969-1 DLA-1132-1} - xen 4.8.1-1+deb9u3 NOTE: https://xenbits.xen.org/xsa/advisory-218.html CVE-2017-10913 (The grant-table feature in Xen through 4.8.x provides false mapping in ...) {DSA-3969-1 DLA-1132-1} - xen 4.8.1-1+deb9u3 NOTE: https://xenbits.xen.org/xsa/advisory-218.html CVE-2017-10912 (Xen through 4.8.x mishandles page transfer, which allows guest OS user ...) {DSA-3969-1 DLA-1132-1} - xen 4.8.1-1+deb9u3 NOTE: https://xenbits.xen.org/xsa/advisory-217.html CVE-2017-10911 (The make_response function in drivers/block/xen-blkback/blkback.c in t ...) {DSA-3945-1 DSA-3927-1 DSA-3920-1 DLA-1497-1 DLA-1099-1} - linux 4.11.11-1 - qemu 1:2.8+dfsg-7 (bug #869706) [wheezy] - qemu (Wheezy's xen uses an embedded qemu copy) - qemu-kvm [wheezy] - qemu-kvm (Wheezy's xen uses an embedded qemu copy) NOTE: https://xenbits.xen.org/xsa/advisory-216.html CVE-2017-1000381 (The c-ares function `ares_parse_naptr_reply()`, which is used for pars ...) 
{DLA-998-1} - c-ares 1.12.0-4 (bug #865360) [stretch] - c-ares 1.12.0-1+deb9u1 [jessie] - c-ares 1.10.0-2+deb8u2 NOTE: https://c-ares.haxx.se/adv_20170620.html NOTE: Patch: https://c-ares.haxx.se/CVE-2017-1000381.patch CVE-2017-9763 (The grub_ext2_read_block function in fs/ext2.c in GNU GRUB before 2013 ...) - grub2 2.02~beta2-8 (unimportant) - radare2 1.6.0+dfsg-1 (bug #869423) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/commit/65000a7fd9eea62359e6d6714f17b94a99a82edd NOTE: https://github.com/radare/radare2/issues/7723 NOTE: Not a security issue for Grub CVE-2017-9762 (The cmd_info function in libr/core/cmd_info.c in radare2 1.5.0 allows ...) - radare2 1.6.0+dfsg-1 (low; bug #869426) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/issues/7726 NOTE: https://github.com/radare/radare2/commit/f85bc674b2a2256a364fe796351bc1971e106005 CVE-2017-9761 (The find_eoq function in libr/core/cmd.c in radare2 1.5.0 allows remot ...) - radare2 1.6.0+dfsg-1 (low; bug #869428) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/commit/00e8f205475332d7842d0f0d1481eeab4e83017c NOTE: https://github.com/radare/radare2/issues/7727 CVE-2017-9760 RESERVED CVE-2017-9759 (SQL Injection exists in admin/index.php in Zenbership 1.0.8 via the fi ...) NOT-FOR-US: Zenbership CVE-2017-9758 (Savitech driver packages for Windows silently install a self-signed ce ...) NOT-FOR-US: Savitech driver packages for Windows CVE-2017-9757 (IPFire 2.19 has a Remote Command Injection vulnerability in ids.cgi vi ...) NOT-FOR-US: IPFire CVE-2017-1000375 (NetBSD maps the run-time link-editor ld.so directly below the stack re ...) NOT-FOR-US: NetBSD CVE-2017-1000374 (A flaw exists in NetBSD's implementation of the stack guard page that ...) 
NOT-FOR-US: NetBSD CVE-2017-1000373 (The OpenBSD qsort() function is recursive, and not randomized, an atta ...) NOT-FOR-US: OpenBSD CVE-2017-1000372 (A flaw exists in OpenBSD's implementation of the stack guard page that ...) NOT-FOR-US: OpenBSD CVE-2017-1000364 (An issue was discovered in the size of the stack guard page on Linux, ...) {DSA-3886-1 DLA-993-1} - linux 4.11.6-1 [stretch] - linux 4.9.30-2+deb9u1 NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt CVE-2017-1000365 (The Linux Kernel imposes a size restriction on the arguments and envir ...) {DSA-3945-1 DSA-3927-1 DLA-1099-1} - linux 4.11.11-1 NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt NOTE: Fixed by: https://git.kernel.org/linus/98da7d08850fb8bdeb395d6368ed15753304aa0c CVE-2017-1000366 (glibc contains a vulnerability that allows specially crafted LD_LIBRAR ...) {DSA-3887-1 DLA-992-1} - glibc 2.24-12 - eglibc NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt CVE-2017-1000369 (Exim supports the use of multiple "-p" command line arguments which ar ...) {DSA-3888-1 DLA-1001-1} - exim4 4.89-3 NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt CVE-2017-1000370 (The offset2lib patch as used in the Linux Kernel contains a vulnerabil ...) {DSA-3981-1} - linux 4.11.11-1 [wheezy] - linux (Memory layout is different) NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt CVE-2017-1000371 (The offset2lib patch as used by the Linux Kernel contains a vulnerabil ...) {DSA-3981-1} - linux 4.11.11-1 [wheezy] - linux (Memory layout is different) NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt CVE-2017-1000376 (libffi requests an executable stack allowing attackers to more easily ...) {DSA-3889-1 DLA-997-1} - libffi 3.2.1-4 NOTE: https://github.com/libffi/libffi/commit/978c9540154d320525488db1b7049277122f736d NOTE: and additionally cf. #751907 for the configure flag. 
NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt CVE-2017-1000377 (An issue was discovered in the size of the default stack guard page on ...) NOT-FOR-US: GRSecurity/PAX Linux specific assignment CVE-2017-9756 (The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21595 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=cd3ea7c69acc5045eb28f9bf80d923116e15e4f5 CVE-2017-9755 (opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number o ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21594 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=0d96e4df4812c3bad77c229dfef47a9bc115ac12 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8cac017d35ef374e65acc98818a17cf8a652cbd0 CVE-2017-9754 (The process_otr function in bfd/versados.c in the Binary File Descript ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21591 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=04f963fd489cae724a60140e13984415c205f4ac CVE-2017-9753 (The versados_mkobject function in bfd/versados.c in the Binary File De ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21591 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=04f963fd489cae724a60140e13984415c205f4ac CVE-2017-9752 (bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbf ...) 
- binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21589 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c53d2e6d744da000aaafe0237bced090aab62818 CVE-2017-9751 (opcodes/rl78-decode.opc in GNU Binutils 2.28 has an unbounded GETBYTE ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21588 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=63323b5b23bd83fa7b04ea00dff593c933e9b0e3 CVE-2017-9750 (opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for cer ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21587 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=db5fa770268baf8cc82cf9b141d69799fd485fe2 CVE-2017-9749 (The *regs* macros in opcodes/bfin-dis.c in GNU Binutils 2.28 allow rem ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21586 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=08c7881b814c546efc3996fd1decdf0877f7a779 CVE-2017-9748 (The ieee_object_p function in bfd/ieee.c in the Binary File Descriptor ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21582 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=63634bb4a107877dd08b6282e28e11cfd1a1649e CVE-2017-9747 (The ieee_archive_p function in bfd/ieee.c in the Binary File Descripto ...) 
- binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21581 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=62b76e4b6e0b4cb5b3e0053d1de4097b32577049 CVE-2017-9746 (The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allow ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21580 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ae87f7e73eba29bd38b3a9684a10b948ed715612 CVE-2017-9745 (The _bfd_vms_slurp_etir function in bfd/vms-alpha.c in the Binary File ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21579 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=76800cba595efc3fe95a446c2d664e42ae4ee869 CVE-2017-9744 (The sh_elf_set_mach_from_flags function in bfd/elf32-sh.c in the Binar ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21578 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f461bbd847f15657f3dd2f317c30c75a7520da1f CVE-2017-9743 (The print_insn_score32 function in opcodes/score7-dis.c:552 in GNU Bin ...) - binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21577 CVE-2017-9742 (The score_opcodes function in opcodes/score7-dis.c in GNU Binutils 2.2 ...) 
- binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21576 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e64519d1ed7fd8f990f05a5562d5b5c0c44b7d7e CVE-2017-9741 (install/make-config.php in ProjectSend r754 allows remote attackers to ...) NOT-FOR-US: ProjectSend CVE-2017-9740 (The xps_decode_font_char_imp function in xps/xpsfont.c in Artifex Ghos ...) - ghostscript 9.22~dfsg-1 (unimportant; bug #869879) [jessie] - ghostscript (Vulnerable code not present) [wheezy] - ghostscript (Vulnerable code not present) NOTE: The Debian binary package is not affected xps/ not used NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698064 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=961b10cdd71403072fb99401a45f3bef6ce53626 CVE-2017-9739 (The Ins_JMPR function in base/ttinterp.c in Artifex Ghostscript GhostX ...) {DSA-3986-1 DLA-1048-1} [experimental] - ghostscript 9.22~~rc1~dfsg-1 - ghostscript 9.22~dfsg-1 (bug #869910) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698063 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=c501a58f8d5650c8ba21d447c0d6f07eafcb0f15 (ghostpdl-9.22rc1) CVE-2017-9738 RESERVED CVE-2017-9737 RESERVED CVE-2017-9736 (SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell ...) {DSA-3890-1} - spip 3.1.4-3 (bug #864921) [jessie] - spip (Vulnerable code not present) [wheezy] - spip (Vulnerable code not present) NOTE: https://contrib.spip.net/CRITICAL-security-update-SPIP-3-1-6-and-SPIP-3-2-Beta NOTE: https://core.spip.net/projects/spip/repository/revisions/23593 NOTE: https://core.spip.net/projects/spip/repository/revisions/23594 CVE-2017-9734 RESERVED CVE-2017-9733 RESERVED CVE-2017-9732 (The read_packet function in knc (Kerberised NetCat) before 1.11-1 is v ...) 
NOT-FOR-US: knc (Kerberised NetCat) CVE-2017-9731 (In meta/classes/package_ipk.bbclass in Poky in poky-pyro 17.0.0 for Yo ...) NOT-FOR-US: Poky for Yocto Project CVE-2017-9730 (SQL injection vulnerability in rdr.php in nuevoMailer version 6.0 and ...) NOT-FOR-US: nuevoMailer CVE-2017-9729 (In uClibc 0.9.33.2, there is stack exhaustion (uncontrolled recursion) ...) - uclibc (unimportant) CVE-2017-9728 (In uClibc 0.9.33.2, there is an out-of-bounds read in the get_subexp f ...) - uclibc (unimportant) CVE-2017-9727 (The gx_ttfReader__Read function in base/gxttfb.c in Artifex Ghostscrip ...) {DSA-3986-1 DLA-1048-1} [experimental] - ghostscript 9.22~~rc1~dfsg-1 - ghostscript 9.22~dfsg-1 (bug #869913) NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=698056 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=937ccd17ac65935633b2ebc06cb7089b91e17e6b (ghostpdl-9.22rc1) CVE-2017-9726 (The Ins_MDRP function in base/ttinterp.c in Artifex Ghostscript GhostX ...) {DSA-3986-1 DLA-1048-1} [experimental] - ghostscript 9.22~~rc1~dfsg-1 - ghostscript 9.22~dfsg-1 (bug #869915) NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=698055 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=7755e67116e8973ee0e3b22d653df026a84fa01b (ghostpdl-9.22rc1) CVE-2017-9735 (Jetty through 9.4.x is prone to a timing channel in util/security/Pass ...) {DLA-1021-1 DLA-1020-1} - jetty9 9.2.22-1 (bug #864898) [stretch] - jetty9 (Harmless information leak) - jetty8 [jessie] - jetty8 (Minor issue) - jetty [jessie] - jetty (Minor issue) NOTE: https://github.com/eclipse/jetty.project/issues/1556 NOTE: https://github.com/eclipse/jetty.project/commit/042f325f1cd6e7891d72c7e668f5947b5457dc02 NOTE: https://github.com/eclipse/jetty.project/commit/f3751d70787fd8ab93932a51c60514c2eb37cb58 NOTE: https://github.com/eclipse/jetty.project/commit/2baa1abe4b1c380a30deacca1ed367466a1a62ea CVE-2017-9725 (In all Qualcomm products with Android releases from CAF using the Linu ...) 
- linux 4.3.1-1 NOTE: Fixed by: https://git.kernel.org/linus/67a2e213e7e937c41c52ab5bc46bf3f4de469f6e (4.3-rc7) CVE-2017-9724 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-9723 (The touchscreen driver synaptics_dsx in Android for MSM, Firefox OS fo ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-9722 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9721 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Android boot loader (aboot) CVE-2017-9720 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-9719 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9718 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9717 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9716 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: qbt1000 driver in Android CVE-2017-9715 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9714 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9713 RESERVED CVE-2017-9712 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9711 RESERVED CVE-2017-9710 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9709 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) 
NOT-FOR-US: Qualcomm components for Android CVE-2017-9708 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9707 RESERVED CVE-2017-9706 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9705 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9704 (In all android releases(Android for MSM, Firefox OS for MSM, QRD Andro ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9703 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9702 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9701 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9700 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9699 RESERVED CVE-2017-9698 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9697 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9696 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9695 RESERVED CVE-2017-9694 (While parsing Netlink attributes in QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID ...) NOT-FOR-US: Google drivers for Android CVE-2017-9693 (The length of attribute value for STA_EXT_CAPABILITY in __wlan_hdd_cha ...) NOT-FOR-US: Google drivers for Android CVE-2017-9692 (When an atomic commit is issued on a writeback panel with a NULL outpu ...) 
NOT-FOR-US: Google drivers for Android CVE-2017-9691 (There is a race condition in Android for MSM, Firefox OS for MSM, and ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-9690 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9689 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9688 REJECTED CVE-2017-9687 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9686 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9685 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-9684 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-9683 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-9682 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-9681 (In Android before 2017-08-05 on Qualcomm MSM, Firefox OS for MSM, QRD ...) NOT-FOR-US: Google drivers for Android CVE-2017-9680 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Google drivers for Android CVE-2017-9679 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Google drivers for Android CVE-2017-9678 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-9677 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-9676 (In all Qualcomm products with Android releases from CAF using the Linu ...) 
NOT-FOR-US: Qualcomm driver for Android CVE-2017-9675 (On D-Link DIR-605L devices, firmware before 2.08UIBetaB01.bin allows a ...) NOT-FOR-US: D-Link DIR-605L devices CVE-2017-9674 (In SimpleCE 2.3.0, an authenticated XSS vulnerability was found on ind ...) NOT-FOR-US: SimpleCE CVE-2017-9673 (In SimpleCE 2.3.0, a CSRF vulnerability can be exploited to add an adm ...) NOT-FOR-US: SimpleCE CVE-2017-9672 RESERVED CVE-2017-9671 (A heap overflow in apk (Alpine Linux's package manager) allows a remot ...) NOT-FOR-US: apk (Alpine's package manager) CVE-2017-9670 (An uninitialized stack variable vulnerability in load_tic_series() in ...) - gnuplot 5.0.5+dfsg1-7 (unimportant; bug #864901) [stretch] - gnuplot 5.0.5+dfsg1-6+deb9u1 [jessie] - gnuplot (Vulnerable code introduced later) [wheezy] - gnuplot (Vulnerable code introduced later) - gnuplot5 (unimportant; bug #864903) [jessie] - gnuplot5 (Vulnerable code introduced later) NOTE: https://sourceforge.net/p/gnuplot/bugs/1933/ NOTE: The specific CVE is for the uninitialized stack variable fixed via set.c NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1044638#c5 NOTE: Fixed by: https://github.com/gnuplot/gnuplot/commit/4e39b1d7b274c7d4a69cbaba85ff321264f4457e NOTE: Introduced by: https://github.com/gnuplot/gnuplot/commit/cd4b777389379598740fc02decff772b0e7bcbd6 NOTE: Crash in a CLI tool, no security impact CVE-2017-9669 (A heap overflow in apk (Alpine Linux's package manager) allows a remot ...) NOT-FOR-US: apk (Alpine's package manager) CVE-2017-9668 (In admin\addgroup.php in CMS Made Simple 2.1.6, when adding a user gro ...) NOT-FOR-US: CMS Made Simple CVE-2017-9667 RESERVED CVE-2017-9666 RESERVED CVE-2017-9665 RESERVED CVE-2017-9664 (In ABB SREA-01 revisions A, B, C: application versions up to 3.31.5, a ...) NOT-FOR-US: ABB CVE-2017-9663 (An Cleartext Storage of Sensitive Information issue was discovered in ...) 
NOT-FOR-US: General Motors (GM) and Shanghai OnStar (SOS) SOS iOS Client CVE-2017-9662 (An Improper Privilege Management issue was discovered in Fuji Electric ...) NOT-FOR-US: Fuji Electric Monitouch V-SFT CVE-2017-9661 (An Uncontrolled Search Path Element issue was discovered in SIMPlight ...) NOT-FOR-US: SIMPlight SCADA Software CVE-2017-9660 (A Heap-Based Buffer Overflow was discovered in Fuji Electric Monitouch ...) NOT-FOR-US: Fuji Electric Monitouch V-SFT CVE-2017-9659 (A Stack-Based Buffer Overflow issue was discovered in Fuji Electric Mo ...) NOT-FOR-US: Fuji Electric Monitouch V-SFT CVE-2017-9658 (Certain 802.11 network management messages have been determined to inv ...) NOT-FOR-US: Philips IntelliVue MX40 CVE-2017-9657 (Under specific 802.11 network conditions, a partial re-association of ...) NOT-FOR-US: Philips IntelliVue MX40 CVE-2017-9656 (The backend database of the Philips DoseWise Portal application versio ...) NOT-FOR-US: Philips DoseWise Portal CVE-2017-9655 (A Cross-Site Scripting issue was discovered in OSIsoft PI Integrator f ...) NOT-FOR-US: OSIsoft CVE-2017-9654 (The Philips DoseWise Portal web-based application versions 1.1.7.333 a ...) NOT-FOR-US: Philips DoseWise Portal CVE-2017-9653 (An Improper Authorization issue was discovered in OSIsoft PI Integrato ...) NOT-FOR-US: OSIsoft CVE-2017-9652 RESERVED CVE-2017-9651 RESERVED CVE-2017-9650 (An Unrestricted Upload of File with Dangerous Type issue was discovere ...) NOT-FOR-US: Automated Logic Corporation (ALC) CVE-2017-9649 (A Use of Hard-Coded Cryptographic Key issue was discovered in Mirion T ...) NOT-FOR-US: Mirion CVE-2017-9648 (An Uncontrolled Search Path Element issue was discovered in Solar Cont ...) NOT-FOR-US: Solar Controls WATTConfig M Software CVE-2017-9647 (A Stack-Based Buffer Overflow issue was discovered in the Continental ...) NOT-FOR-US: Continental AG Infineon S-Gold CVE-2017-9646 (An Uncontrolled Search Path Element issue was discovered in Solar Cont ...) 
NOT-FOR-US: Solar Controls Heating Control Downloader (HCDownloader) CVE-2017-9645 (An Inadequate Encryption Strength issue was discovered in Mirion Techn ...) NOT-FOR-US: Mirion CVE-2017-9644 (An Unquoted Search Path or Element issue was discovered in Automated L ...) NOT-FOR-US: Automated Logic Corporation (ALC) CVE-2017-9643 RESERVED CVE-2017-9642 RESERVED CVE-2017-9641 (PI Coresight 2016 R2 contains a cross-site request forgery vulnerabili ...) NOT-FOR-US: PI Coresight CVE-2017-9640 (A Path Traversal issue was discovered in Automated Logic Corporation ( ...) NOT-FOR-US: Automated Logic Corporation (ALC) CVE-2017-9639 (An issue was discovered in Fuji Electric V-Server Version 3.3.22.0 and ...) NOT-FOR-US: Fuji Electric V-Server CVE-2017-9638 (Mitsubishi E-Designer, Version 7.52 Build 344 contains six code sectio ...) NOT-FOR-US: Mitsubishi E-Designer CVE-2017-9637 (Schneider Electric Ampla MES 6.4 provides capability to interact with ...) NOT-FOR-US: Schneider Electric CVE-2017-9636 (Mitsubishi E-Designer, Version 7.52 Build 344 contains five code secti ...) NOT-FOR-US: Mitsubishi E-Designer CVE-2017-9635 (Schneider Electric Ampla MES 6.4 provides capability to configure user ...) NOT-FOR-US: Schneider Electric CVE-2017-9634 (Mitsubishi E-Designer, Version 7.52 Build 344 contains two code sectio ...) NOT-FOR-US: Mitsubishi E-Designer CVE-2017-9633 (An Improper Restriction of Operations within the Bounds of a Memory Bu ...) NOT-FOR-US: Continental AG Infineon S-Gold 2 CVE-2017-9632 (A Missing Encryption of Sensitive Data issue was discovered in PDQ Man ...) NOT-FOR-US: PDQ Manufacturing LaserWash CVE-2017-9631 (A Null Pointer Dereference issue was discovered in Schneider Electric ...) NOT-FOR-US: Schneider Electric CVE-2017-9630 (An Improper Authentication issue was discovered in PDQ Manufacturing L ...) NOT-FOR-US: PDQ Manufacturing LaserWash CVE-2017-9629 (A Stack-Based Buffer Overflow issue was discovered in Schneider Electr ...) 
NOT-FOR-US: Schneider Electric CVE-2017-9628 (An Information Exposure issue was discovered in Saia Burgess Controls ...) NOT-FOR-US: Saia Burgess Controls CVE-2017-9627 (An Uncontrolled Resource Consumption issue was discovered in Schneider ...) NOT-FOR-US: Schneider Electric CVE-2017-9626 (Systems using the Marel Food Processing Systems Pluto platform do not ...) NOT-FOR-US: Marel Food Processing Systems Pluto platform CVE-2017-9625 (An Improper Authentication issue was discovered in Envitech EnviDAS Ul ...) NOT-FOR-US: Envitech EnviDAS Ultimate CVE-2017-9624 (Multiple cross-site scripting (XSS) vulnerabilities in Telaxus/EPESI 1 ...) NOT-FOR-US: Telaxus/EPESI CVE-2017-9623 (Multiple cross-site scripting (XSS) vulnerabilities in Telaxus/EPESI 1 ...) NOT-FOR-US: Telaxus/EPESI CVE-2017-9622 (Multiple cross-site scripting (XSS) vulnerabilities in Telaxus/EPESI 1 ...) NOT-FOR-US: Telaxus/EPESI CVE-2017-9621 (Cross-site scripting (XSS) vulnerability in modules/Base/Lang/Administ ...) NOT-FOR-US: Telaxus/EPESI CVE-2017-9620 (The xps_select_font_encoding function in xps/xpsfont.c in Artifex Ghos ...) - ghostscript 9.22~dfsg-1 (unimportant; bug #869879) [jessie] - ghostscript (Vulnerable code not present) [wheezy] - ghostscript (Vulnerable code not present) NOTE: The Debian binary package is not affected xps/ not used NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698050 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3ee55637480d5e319a5de0481b01c3346855cbc9 CVE-2017-9619 (The xps_true_callback_glyph_name function in xps/xpsttf.c in Artifex G ...) 
- ghostscript 9.22~dfsg-1 (unimportant; bug #869879) [jessie] - ghostscript (Vulnerable code not present) [wheezy] - ghostscript (Vulnerable code not present) NOTE: The Debian binary package is not affected xps/ not used NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698042 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=c53183d4e7103e87368b7cfa15367a47d559e323 CVE-2017-9618 (The xps_load_sfnt_name function in xps/xpsfont.c in Artifex Ghostscrip ...) - ghostscript 9.22~dfsg-1 (unimportant; bug #869879) [jessie] - ghostscript (Vulnerable code not present) [wheezy] - ghostscript (Vulnerable code not present) NOTE: The Debian binary package is not affected xps/ not used NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698044 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3c2aebbedd37fab054e80f2e315de07d7e9b5bdb CVE-2017-9617 (In Wireshark 2.2.7, deeply nested DAAP data may cause stack exhaustion ...) - wireshark 2.4.0-1 (low; bug #870174) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13799 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=82fc557bed30b1aa69ca43a4291b64a9ce54c78a CVE-2017-9616 (In Wireshark 2.2.7, overly deep mp4 chunks may cause stack exhaustion ...) - wireshark 2.4.0-1 (low; bug #870173) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13777 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=620f69a74b18908e3424920c7bb01cb5e4cbd8b1 CVE-2017-9615 (Password exposure in Cognito Software Moneyworks 8.0.3 and earlier all ...) NOT-FOR-US: Cognito Software Moneyworks CVE-2017-9614 (The fill_input_buffer function in jdatasrc.c in libjpeg-turbo 1.5.1 al ...) 
NOT-FOR-US: Not a bug in libjpeg itself, but incorrect API usage NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/167 CVE-2017-9613 (Stored Cross-site scripting (XSS) vulnerability in SAP SuccessFactors ...) NOT-FOR-US: SAP SuccessFactors CVE-2017-9612 (The Ins_IP function in base/ttinterp.c in Artifex Ghostscript GhostXPS ...) {DSA-3986-1 DLA-1048-1} [experimental] - ghostscript 9.22~~rc1~dfsg-1 - ghostscript 9.22~dfsg-1 (bug #869916) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698026 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=98f6da60b9d463c617e631fc254cf6d66f2e8e3c (ghostpdl-9.22rc1) CVE-2017-9611 (The Ins_MIRP function in base/ttinterp.c in Artifex Ghostscript GhostX ...) {DSA-3986-1 DLA-1048-1} [experimental] - ghostscript 9.22~~rc1~dfsg-1 - ghostscript 9.22~dfsg-1 (bug #869917) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698024 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=c7c55972758a93350882c32147801a3485b010fe (ghostpdl-9.22rc1) CVE-2017-9610 (The xps_load_sfnt_name function in xps/xpsfont.c in Artifex Ghostscrip ...) - ghostscript 9.22~dfsg-1 (unimportant; bug #869879) [jessie] - ghostscript (Vulnerable code not present) [wheezy] - ghostscript (Vulnerable code not present) NOTE: The Debian binary package is not affected xps/ not used NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698025 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=d2ab84732936b6e7e5a461dc94344902965e9a06 CVE-2017-9609 (Cross-site scripting (XSS) vulnerability in Blackcat CMS 1.2 allows re ...) NOT-FOR-US: Blackcat CMS CVE-2017-9608 (The dnxhd decoder in FFmpeg before 3.2.6, and 3.3.x before 3.3.3 allow ...) 
{DSA-3957-1} - ffmpeg 7:3.3.3-1 NOTE: https://www.openwall.com/lists/oss-security/2017/08/14/1 NOTE: https://github.com/FFmpeg/FFmpeg/commit/611b35627488a8d0763e75c25ee0875c5b7987dd NOTE: https://github.com/FFmpeg/FFmpeg/commit/0a709e2a10b8288a0cc383547924ecfe285cef89 CVE-2017-9607 (The BL1 FWU SMC handling code in ARM Trusted Firmware before 1.4 might ...) NOT-FOR-US: ARM Trusted Firmware CVE-2017-9606 (Infotecs ViPNet Client and Coordinator before 4.3.2-42442 allow local ...) NOT-FOR-US: Infotecs ViPNet Client and Coordinator CVE-2017-9604 (KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in ...) - kdepim 4:16.04.3-4 (bug #864804) [stretch] - kdepim 4:16.04.3-4~deb9u1 [jessie] - kdepim 4:4.14.1-1+deb8u1 [wheezy] - kdepim (sendlater issue is not present in kdepim-4.4.11.1+l10n) - kf5-messagelib 4:16.04.3-3 (bug #864803) [stretch] - kf5-messagelib 4:16.04.3-3~deb9u1 NOTE: Fixed by (kmail): https://commits.kde.org/kmail/78c5552be2f00a4ac25bd77ca39386522fca70a8 NOTE: Fixed by (messagelib): https://commits.kde.org/messagelib/c54706e990bbd6498e7b1597ec7900bc809e8197 NOTE: https://www.kde.org/info/security/advisory-20170615-1.txt CVE-2017-1000379 (The Linux Kernel running on AMD64 systems will sometimes map the conte ...) - linux 4.11.6-1 [stretch] - linux 4.9.30-2+deb9u1 [jessie] - linux 3.16.43-2+deb8u1 NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt CVE-2017-1000378 (The NetBSD qsort() function is recursive, and not randomized, an attac ...) NOT-FOR-US: NetBSD CVE-2017-9605 (The vmw_gb_surface_define_ioctl function (accessible via DRM_IOCTL_VMW ...) {DSA-3945-1 DSA-3927-1} - linux 4.11.6-1 [wheezy] - linux (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2017/06/13/2 NOTE: Fixed by: https://git.kernel.org/linus/07678eca2cf9c9a18584e546c2b2a0d0c9a3150c (v4.12-rc5) CVE-2017-9603 (SQL injection vulnerability in the WP Jobs plugin before 1.5 for WordP ...) 
NOT-FOR-US: WP Jobs plugin for WordPress CVE-2017-9602 (KBVault Mysql Free Knowledge Base application package 0.16a comes with ...) NOT-FOR-US: KBVault Mysql Free Knowledge Base application CVE-2017-9601 (The "FNB Kemp Mobile Banking" by First National Bank of Kemp app 3.0.2 ...) NOT-FOR-US: "FNB Kemp Mobile Banking" by First National Bank of Kemp app CVE-2017-9600 (The "Peoples Bank Tulsa" by Peoples Bank - OK app 3.0.2 -- aka peoples ...) NOT-FOR-US: "Peoples Bank Tulsa" by Peoples Bank - OK app CVE-2017-9599 (The "Fountain Trust Mobile Banking" by FOUNTAIN TRUST COMPANY app befo ...) NOT-FOR-US: "Fountain Trust Mobile Banking" by FOUNTAIN TRUST COMPANY app CVE-2017-9598 (The "Morton Credit Union Mobile Banking" by Morton Credit Union app 3. ...) NOT-FOR-US: "Morton Credit Union Mobile Banking" by Morton Credit Union app CVE-2017-9597 (The "Blue Ridge Bank and Trust Co. Mobile Banking" by Blue Ridge Bank ...) NOT-FOR-US: "Blue Ridge Bank and Trust Co. Mobile Banking" app CVE-2017-9596 (The "CFB Mobile Banking" by Citizens First Bank Wisconsin app 3.0.1 -- ...) NOT-FOR-US: "CFB Mobile Banking" by Citizens First Bank Wisconsin app CVE-2017-9595 (The "First State Bank of Bigfork Mobile Banking" by First State Bank o ...) NOT-FOR-US: "First State Bank of Bigfork Mobile Banking" by First State Bank of Bigfork app CVE-2017-9594 (The "SVB Mobile" by Sauk Valley Bank Mobile Banking app 3.0.0 -- aka s ...) NOT-FOR-US: "SVB Mobile" by Sauk Valley Bank Mobile Banking app CVE-2017-9593 (The "Oculina Mobile Banking" by Oculina Bank app 3.0.0 -- aka oculina- ...) NOT-FOR-US: "Oculina Mobile Banking" by Oculina Bank app CVE-2017-9592 (The "Your Legacy Federal Credit Union Mobile Banking" by Your Legacy F ...) NOT-FOR-US: "Your Legacy Federal Credit Union Mobile Banking" by Your Legacy Federal Credit Union app CVE-2017-9591 (The "PCB Mobile" by Phelps County Bank app 3.0.2 -- aka pcb-mobile/id4 ...) 
NOT-FOR-US: "PCB Mobile" by Phelps County Bank app CVE-2017-9590 (The "State Bank of Waterloo Mobile Banking" by State Bank of Waterloo ...) NOT-FOR-US: "State Bank of Waterloo Mobile Banking" by State Bank of Waterloo app CVE-2017-9589 (The "SCSB Shelbyville IL Mobile Banking" by Shelby County State Bank a ...) NOT-FOR-US: "SCSB Shelbyville IL Mobile Banking" by Shelby County State Bank app CVE-2017-9588 (The "Oritani Mobile Banking" by Oritani Bank app 3.0.0 -- aka oritani- ...) NOT-FOR-US: "Oritani Mobile Banking" by Oritani Bank app CVE-2017-9587 (The "PCSB BANK Mobile" by PCSB Bank app 3.0.4 -- aka pcsb-bank-mobile/ ...) NOT-FOR-US: "PCSB BANK Mobile" by PCSB Bank app CVE-2017-9586 (The "FSBY Mobile Banking" by First State Bank of Yoakum TX app 3.0.0 - ...) NOT-FOR-US: "FSBY Mobile Banking" by First State Bank of Yoakum TX app CVE-2017-9585 (The "Community State Bank - Lamar Mobile Banking" by Community State B ...) NOT-FOR-US: "Community State Bank - Lamar Mobile Banking" by Community State Bank - Lamar app CVE-2017-9584 (The "HBO Mobile Banking" by Heritage Bank of Ozarks app 3.0.0 -- aka h ...) NOT-FOR-US: "HBO Mobile Banking" by Heritage Bank of Ozarks app CVE-2017-9583 (The "Charlevoix State Bank" by Charlevoix State Bank app 3.0.1 -- aka ...) NOT-FOR-US: "Charlevoix State Bank" by Charlevoix State Bank app CVE-2017-9582 (The "BNB Mobile Banking" by Brady National Bank app 3.0.0 -- aka bnb-m ...) NOT-FOR-US: "BNB Mobile Banking" by Brady National Bank app CVE-2017-9581 (The "Algonquin State Bank Mobile Banking" by Algonquin State Bank app ...) NOT-FOR-US: "Algonquin State Bank Mobile Banking" by Algonquin State Bank app CVE-2017-9580 (The "Pioneer Bank & Trust Mobile Banking" by PIONEER BANK AND TRUS ...) NOT-FOR-US: "Pioneer Bank & Trust Mobile Banking" by PIONEER BANK AND TRUST app CVE-2017-9579 (The "JMCU Mobile Banking" by Joplin Metro Credit Union app 3.0.0 -- ak ...) 
NOT-FOR-US: "JMCU Mobile Banking" by Joplin Metro Credit Union app CVE-2017-9578 (The "RVCB Mobile" by RVCB Mobile Banking app 3.0.0 -- aka rvcb-mobile/ ...) NOT-FOR-US: "RVCB Mobile" by RVCB Mobile Banking app CVE-2017-9577 (The "First Citizens Bank-Mobile Banking" by First Citizens Bank (AL) a ...) NOT-FOR-US: "First Citizens Bank-Mobile Banking" by First Citizens Bank (AL) app CVE-2017-9576 (The "Middleton Community Bank Mobile Banking" by Middleton Community B ...) NOT-FOR-US: "Middleton Community Bank Mobile Banking" by Middleton Community Bank app CVE-2017-9575 (The "FVB Mobile Banking" by First Volunteer Bank of Tennessee app 3.1. ...) NOT-FOR-US: "FVB Mobile Banking" by First Volunteer Bank of Tennessee app CVE-2017-9574 (The "KC Area Credit Union Mobile Banking" by K C Area Credit Union app ...) NOT-FOR-US: "KC Area Credit Union Mobile Banking" by K C Area Credit Union app CVE-2017-9573 (The North Adams State Bank (Ursa) nasb-mobile-banking/id980573797 app ...) NOT-FOR-US: North Adams State Bank (Ursa) nasb-mobile-banking/id980573797 app CVE-2017-9572 (The athens-state-bank-mobile-banking/id719748589 app 3.0.0 for iOS doe ...) NOT-FOR-US: athens-state-bank-mobile-banking/id719748589 app CVE-2017-9571 (The Citizens Community Bank (TN) ccb-mobile-banking/id610030469 app 3. ...) NOT-FOR-US: Citizens Community Bank (TN) ccb-mobile-banking/id610030469 app CVE-2017-9570 (The mount-vernon-bank-trust-mobile-banking/id542706679 app 3.0.0 for i ...) NOT-FOR-US: mount-vernon-bank-trust-mobile-banking/id542706679 app CVE-2017-9569 (The Citizens Bank (TX) cbtx-on-the-go/id892396102 app 3.0.0 for iOS do ...) NOT-FOR-US: Citizens Bank (TX) cbtx-on-the-go/id892396102 app CVE-2017-9568 (The financial-plus-mobile-banking/id731070564 app 3.0.3 for iOS does n ...) NOT-FOR-US: financial-plus-mobile-banking/id731070564 app CVE-2017-9567 (The avb-bank-mobile-banking/id592565443 app 3.0.0 for iOS does not ver ...) 
NOT-FOR-US: avb-bank-mobile-banking/id592565443 app CVE-2017-9566 (The fsb-dequeen-mobile-banking/id1091025340 app 3.0.1 for iOS does not ...) NOT-FOR-US: fsb-dequeen-mobile-banking/id1091025340 app CVE-2017-9565 (The first-security-bank-sleepy-eye-mobile/id870531890 app 3.0.0 for iO ...) NOT-FOR-US: first-security-bank-sleepy-eye-mobile/id870531890 app CVE-2017-9564 (The community-banks-cb2go/id445828071 app 3.1.3 for iOS does not verif ...) NOT-FOR-US: community-banks-cb2go/id445828071 app CVE-2017-9563 (The First Citizens Community Bank fccb/id809930960 app 3.0.1 for iOS d ...) NOT-FOR-US: First Citizens Community Bank fccb/id809930960 app CVE-2017-9562 (The Freedom First freedom-1st-credit-union-mobile-banking/id1085229458 ...) NOT-FOR-US: Freedom First freedom-1st-credit-union-mobile-banking/id1085229458 app CVE-2017-9561 (The Lee Bank & Trust lbtc-mobile/id1068984753 app 3.0.1 for iOS do ...) NOT-FOR-US: Lee Bank & Trust lbtc-mobile/id1068984753 app CVE-2017-9560 (The cayuga-lake-national-bank/id1151601539 app 4.0.1 for iOS does not ...) NOT-FOR-US: cayuga-lake-national-bank/id1151601539 app CVE-2017-9559 (The MEA Financial vision-bank/id420406345 app 3.0.1 for iOS does not v ...) NOT-FOR-US: MEA Financial vision-bank/id420406345 app CVE-2017-9558 (The wawa-employees-credit-union-mobile/id1158082793 app 4.0.1 for iOS ...) NOT-FOR-US: wawa-employees-credit-union-mobile/id1158082793 app CVE-2017-9557 (register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1 allo ...) NOT-FOR-US: EFS Software Easy Chat Server CVE-2017-9556 (Cross-site scripting (XSS) vulnerability in Video Metadata Editor in S ...) NOT-FOR-US: Synology Video Station CVE-2017-9555 (Cross-site scripting (XSS) vulnerability in PixlrEditorHandler.php in ...) NOT-FOR-US: Synology Photo Station CVE-2017-9554 (An information exposure vulnerability in forget_passwd.cgi in Synology ...) 
NOT-FOR-US: Synology DiskStation Manager CVE-2017-9553 (A design flaw in SYNO.API.Encryption in Synology DiskStation Manager ( ...) NOT-FOR-US: Synology DiskStation Manager CVE-2017-9552 (A design flaw in authentication in Synology Photo Station 6.0-2528 thr ...) NOT-FOR-US: Synology Photo Station CVE-2017-9551 (Mahara 15.04 before 15.04.14 and 16.04 before 16.04.8 and 16.10 before ...) - mahara CVE-2017-9550 RESERVED CVE-2017-9549 RESERVED CVE-2017-9548 (admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) v ...) NOT-FOR-US: BigTree CMS CVE-2017-9547 (admin.php in BigTree through 4.2.18 has a Cross-site Scripting (XSS) v ...) NOT-FOR-US: BigTree CMS CVE-2017-9546 (admin.php in BigTree through 4.2.18 allows remote authenticated users ...) NOT-FOR-US: BigTree CMS CVE-2017-9545 (The next_text function in src/libmpg123/id3.c in mpg123 1.24.0 allows ...) - mpg123 1.25.4-1 (low; bug #870799) [stretch] - mpg123 (Minor issue) [jessie] - mpg123 (Minor issue) [wheezy] - mpg123 (Minor issue) NOTE: http://seclists.org/fulldisclosure/2017/Jul/65 CVE-2017-9544 (There is a remote stack-based buffer overflow (SEH) in register.ghp in ...) NOT-FOR-US: EFS Software Easy Chat Server CVE-2017-9543 (register.ghp in EFS Software Easy Chat Server versions 2.0 to 3.1 allo ...) NOT-FOR-US: EFS Software Easy Chat Server CVE-2017-9542 (D-Link DIR-615 Wireless N 300 Router allows authentication bypass via ...) NOT-FOR-US: D-Link CVE-2017-9541 RESERVED CVE-2017-9540 RESERVED CVE-2017-9539 RESERVED CVE-2017-9538 (The 'Upload logo from external path' function of SolarWinds Network Pe ...) NOT-FOR-US: SolarWinds Network Performance Monitor CVE-2017-9537 (Persistent cross-site scripting (XSS) in the Add Node function of Sola ...) NOT-FOR-US: SolarWinds Network Performance Monitor CVE-2017-9536 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9535 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) 
NOT-FOR-US: IrfanView CVE-2017-9534 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9533 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9532 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9531 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows attackers t ...) NOT-FOR-US: IrfanView CVE-2017-9530 (IrfanView version 4.44 (32bit) might allow attackers to cause a denial ...) NOT-FOR-US: IrfanView CVE-2017-9529 (XnView Classic for Windows Version 2.40 allows remote attackers to exe ...) NOT-FOR-US: XnView CVE-2017-9528 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows remote atta ...) NOT-FOR-US: IrfanView CVE-2017-9527 (The mark_context_stack function in gc.c in mruby through 1.2.0 allows ...) [experimental] - mruby 1.2.0+20170601+git51e0e690-1 - mruby 1.3.0-1 (low; bug #865778) [stretch] - mruby (Minor issue) [jessie] - mruby (Minor issue) NOTE: https://github.com/mruby/mruby/issues/3486 NOTE: Fixed by: https://github.com/mruby/mruby/commit/5c114c91d4ff31859fcd84cf8bf349b737b90d99 CVE-2017-9526 (In Libgcrypt before 1.7.7, an attacker who learns the EdDSA session ke ...) {DSA-3880-1} - libgcrypt20 1.7.6-2 - libgcrypt11 (Curve Ed25519 signing and verification introduced in 1.6.0) NOTE: master: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=5a22de904a0a366ae79f03ff1e13a1232a89e26b NOTE: 1.7.x: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=f9494b3f258e01b6af8bd3941ce436bcc00afc56 NOTE: Curve Ed25519 signing and verification implemented in 1.6.0 with NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=bc5199a02abe428ad377443280b3eda60141a1d6 NOTE: and following refactorings. CVE-2017-9524 (The qemu-nbd server in QEMU (aka Quick Emulator), when built with the ...) 
{DSA-3925-1} - qemu 1:2.8+dfsg-7 (bug #865755) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-05/msg06240.html NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg02321.html CVE-2017-9525 (In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-1 ...) {DLA-1723-1} - cron 3.0pl1-129 (bug #864466) [stretch] - cron (Minor issue) [wheezy] - cron (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/06/08/3 CVE-2017-9523 (The Sophos Web Appliance before 4.3.2 has XSS in the FTP redirect page ...) NOT-FOR-US: Sophos CVE-2017-9522 (The Time Warner firmware on Technicolor TC8717T devices sets the defau ...) NOT-FOR-US: Time Warner firmware on Technicolor TC8717T devices CVE-2017-9521 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9520 (The r_config_set function in libr/config/config.c in radare2 1.5.0 all ...) - radare2 1.6.0+dfsg-1 (low; bug #864533) [jessie] - radare2 (Minor issue) [wheezy] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/commit/f85bc674b2a2256a364fe796351bc1971e106005 NOTE: https://github.com/radare/radare2/issues/7698 CVE-2017-9519 (atmail before 7.8.0.2 has CSRF, allowing an attacker to create a user ...) NOT-FOR-US: atmail CVE-2017-9518 (atmail before 7.8.0.2 has CSRF, allowing an attacker to change the SMT ...) NOT-FOR-US: atmail CVE-2017-9517 (atmail before 7.8.0.2 has CSRF, allowing an attacker to upload and imp ...) NOT-FOR-US: atmail CVE-2017-9516 (Craft CMS before 2.6.2982 allows for a potential XSS attack vector by ...) NOT-FOR-US: Craft CMS CVE-2017-9515 RESERVED CVE-2017-9514 (Bamboo before 6.0.5, 6.1.x before 6.1.4, and 6.2.x before 6.2.1 had a ...) 
NOT-FOR-US: Atlassian Bamboo CVE-2017-9513 (Several rest inline action resources of Atlassian Activity Streams bef ...) NOT-FOR-US: Atlassian Activity Streams CVE-2017-9512 (The mostActiveCommitters.do resource in Atlassian Fisheye and Crucible ...) NOT-FOR-US: Atlassian CVE-2017-9511 (The MultiPathResource class in Atlassian Fisheye and Crucible, before ...) NOT-FOR-US: Atlassian CVE-2017-9510 (The repository changelog resource in Atlassian Fisheye before version ...) NOT-FOR-US: Atlassian CVE-2017-9509 (The review file upload resource in Atlassian Crucible before version 4 ...) NOT-FOR-US: Atlassian CVE-2017-9508 (Various resources in Atlassian Fisheye and Crucible before version 4.4 ...) NOT-FOR-US: Atlassian CVE-2017-9507 (The review dashboard resource in Atlassian Crucible from version 4.1.0 ...) NOT-FOR-US: Atlassian CVE-2017-9506 (The IconUriServlet of the Atlassian OAuth Plugin from version 1.3.0 be ...) NOT-FOR-US: Atlassian CVE-2017-9505 (Atlassian Confluence starting with 4.3.0 before 6.2.1 did not check if ...) NOT-FOR-US: Atlassian Confluence CVE-2017-9504 REJECTED CVE-2017-9503 (QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host B ...) 
{DLA-2288-1 DLA-1497-1} - qemu 1:2.10.0-1 (low; bug #865754) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg01313.html NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg01309.html NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=87e459a810d7b1ec1638085b5a80ea3d9b43119a NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=b356807fcdfc45583c437f761fc579ab2a8eab11 NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=36c327a69d723571f02a7691631667cdb1865ee1 NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=5104fac8539eaf155fc6de93e164be43e1e62242 NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=24c0c77af515acbf0f9705e8096f33ef24d37430 NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=134550bf81a026e18cf58b81e2c2cceaf516f92e NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=660174fc1b346803b3f1d7c260e2a36329b66435 CVE-2017-9502 (In curl before 7.54.1 on Windows and DOS, libcurl's default protocol f ...) - curl (Windows only) CVE-2017-9501 (In ImageMagick 7.0.5-7 Q16, an assertion failure was found in the func ...) {DSA-3914-1 DLA-1081-1 DLA-1000-1} - imagemagick 8:6.9.7.4+dfsg-12 (low; bug #867721) NOTE: https://github.com/ImageMagick/ImageMagick/issues/491 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/01843366d6a7b96e22ad7bb67f3df7d9fd4d5d74 CVE-2017-9500 (In ImageMagick 7.0.5-8 Q16, an assertion failure was found in the func ...) 
{DSA-4019-1 DLA-1785-1 DLA-1000-1} - imagemagick 8:6.9.7.4+dfsg-13 (low; bug #867778) NOTE: https://github.com/ImageMagick/ImageMagick/issues/500 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/5d95b4c24a964114e2b1ae85c2b36769251ed11d NOTE: Fixed by (6.x): https://github.com/ImageMagick/ImageMagick/commit/837085e7725f6eb591eb019e299c1ddcf34b9a79 CVE-2017-9499 (In ImageMagick 7.0.5-7 Q16, an assertion failure was found in the func ...) - imagemagick (Vulnerable code introduced later, only affects ImageMagick 7.x) NOTE: https://github.com/ImageMagick/ImageMagick/issues/492 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/7fd419441bc7103398e313558171d342c6315f44 CVE-2017-9498 (The Comcast firmware on Motorola MX011ANM (firmware version MX011AN_2. ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9497 (The Comcast firmware on Motorola MX011ANM (firmware version MX011AN_2. ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9496 (The Comcast firmware on Motorola MX011ANM (firmware version MX011AN_2. ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9495 (The Comcast firmware on Motorola MX011ANM (firmware version MX011AN_2. ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9494 (The Comcast firmware on Motorola MX011ANM (firmware version MX011AN_2. ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9493 (The Comcast firmware on Motorola MX011ANM (firmware version MX011AN_2. ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9492 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9491 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9490 (The Comcast firmware on Arris TG1682G (eMTA&DOCSIS version 10.0.13 ...) 
NOT-FOR-US: Comcast firmware on various devices CVE-2017-9489 (The Comcast firmware on Cisco DPC3939B (firmware version dpc3939b-v303 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9488 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9487 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9486 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9485 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9484 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9483 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9482 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9481 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9480 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9479 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9478 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9477 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) NOT-FOR-US: Comcast firmware on various devices CVE-2017-9476 (The Comcast firmware on Cisco DPC3939 (firmware version dpc3939-P20-18 ...) 
NOT-FOR-US: Comcast firmware on various devices CVE-2017-9475 (Comcast XFINITY WiFi Home Hotspot devices allow remote attackers to sp ...) NOT-FOR-US: Comcast XFINITY WiFi Home Hotspot devices CVE-2017-9474 (In ytnef 1.9.2, the DecompressRTF function in lib/ytnef.c allows remot ...) - libytnef 1.9.3-1 (low; bug #870192) [stretch] - libytnef (Minor issue) [jessie] - libytnef (Minor issue) [wheezy] - libytnef (Minor issue) NOTE: https://github.com/Yeraze/ytnef/issues/40 NOTE: https://blogs.gentoo.org/ago/2017/05/24/ytnef-heap-based-buffer-overflow-in-decompressrtf-ytnef-c/ CVE-2017-9473 (In ytnef 1.9.2, the TNEFFillMapi function in lib/ytnef.c allows remote ...) - libytnef 1.9.3-1 (low; bug #870197) [stretch] - libytnef (Minor issue) [jessie] - libytnef (Minor issue) [wheezy] - libytnef (Minor issue) NOTE: https://github.com/Yeraze/ytnef/issues/42 NOTE: https://github.com/Yeraze/ytnef/commit/a341b7f1bf8a2c59ece89f2d6cdc09856d501cc0 NOTE: https://blogs.gentoo.org/ago/2017/05/24/ytnef-memory-allocation-failure-in-tneffillmapi-ytnef-c/ CVE-2017-9472 (In ytnef 1.9.2, the SwapDWord function in lib/ytnef.c allows remote at ...) - libytnef 1.9.3-1 (low; bug #870193) [stretch] - libytnef (Minor issue) [jessie] - libytnef (Minor issue) [wheezy] - libytnef (Minor issue) NOTE: https://github.com/Yeraze/ytnef/issues/41 NOTE: https://blogs.gentoo.org/ago/2017/05/24/ytnef-heap-based-buffer-overflow-in-swapdword-ytnef-c/ CVE-2017-9471 (In ytnef 1.9.2, the SwapWord function in lib/ytnef.c allows remote att ...) - libytnef 1.9.3-1 (low; bug #870194) [stretch] - libytnef (Minor issue) [jessie] - libytnef (Minor issue) [wheezy] - libytnef (Minor issue) NOTE: https://github.com/Yeraze/ytnef/issues/39 NOTE: https://blogs.gentoo.org/ago/2017/05/24/ytnef-heap-based-buffer-overflow-in-swapword-ytnef-c/ CVE-2017-9470 (In ytnef 1.9.2, the MAPIPrint function in lib/ytnef.c allows remote at ...) 
- libytnef 1.9.3-1 (low; bug #870196) [stretch] - libytnef (Minor issue) [jessie] - libytnef (Minor issue) [wheezy] - libytnef (Minor issue) NOTE: https://github.com/Yeraze/ytnef/issues/37 NOTE: https://blogs.gentoo.org/ago/2017/05/24/ytnef-null-pointer-dereference-in-mapiprint-ytnef-c/ CVE-2017-9469 (In Irssi before 1.0.3, when receiving certain incorrectly quoted DCC f ...) {DSA-3885-1 DLA-1088-1} - irssi 1.0.3-1 (bug #864400) NOTE: https://github.com/irssi/irssi/commit/30a92754bb650c3dedd507d41110443142899a65 NOTE: https://irssi.org/security/irssi_sa_2017_06.txt CVE-2017-9468 (In Irssi before 1.0.3, when receiving a DCC message without source nic ...) {DSA-3885-1 DLA-1088-1} - irssi 1.0.3-1 (bug #864400) NOTE: https://github.com/irssi/irssi/commit/528f51bfbe5c65c5b24546faa244009dd5b3c586 NOTE: https://irssi.org/security/irssi_sa_2017_06.txt CVE-2017-9467 (Cross-site scripting (XSS) vulnerability in the GlobalProtect external ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-9466 (The executable httpd on the TP-Link WR841N V8 router before TL-WR841N( ...) NOT-FOR-US: TP-Link CVE-2017-9465 (The yr_arena_write_data function in YARA 3.6.1 allows remote attackers ...) - yara 3.6.2+dfsg-1 (low; bug #864517) [stretch] - yara (Minor issue, too intrusive to backport) [jessie] - yara (Minor issue, too intrusive to backport) NOTE: https://github.com/VirusTotal/yara/issues/678 NOTE: https://github.com/VirusTotal/yara/commit/992480c30f75943e9cd6245bb2015c7737f9b661 CVE-2017-9464 (An open redirect vulnerability is present in Piwigo 2.9 and probably p ...) - piwigo CVE-2017-9463 (The application Piwigo is affected by a SQL injection vulnerability in ...) - piwigo CVE-2017-9460 RESERVED CVE-2017-9459 (Cross-site scripting (XSS) vulnerability in the management web interfa ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-9458 (XML external entity (XXE) vulnerability in the GlobalProtect internal ...) 
NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-9457 (Intense PC Phoenix SecureCore UEFI firmware does not perform capsule s ...) NOT-FOR-US: Intense PC (aka MintBox 2) Phoenix SecureCore UEFI firmware CVE-2017-9456 RESERVED CVE-2017-9455 RESERVED CVE-2017-9454 (Buffer overflow in the ares_parse_a_reply function in the embedded are ...) - resiprocate 1:1.11.0~beta4-1 (unimportant) NOTE: https://github.com/resiprocate/resiprocate/commit/d67a9ca6fd06ca65d23e313bdbad1ef4dd3aa0df NOTE: Fixed sourcewise in 1:1.11.0~beta4-1 but unimportant since uses the NOTE: system library. CVE-2017-9453 RESERVED CVE-2017-9452 (Cross-site scripting (XSS) vulnerability in admin.php in Piwigo 2.9.0 ...) - piwigo CVE-2017-9451 (Cross site scripting (XSS) vulnerability in pages.edit_form.php in fla ...) NOT-FOR-US: flatCore CMS CVE-2017-9450 (The Amazon Web Services (AWS) CloudFormation bootstrap tools package ( ...) NOT-FOR-US: Amazon Web Services (AWS) CloudFormation bootstrap tools package CVE-2017-9449 (SQL injection vulnerability in BigTree CMS through 4.2.18 allows remot ...) NOT-FOR-US: BigTree CMS CVE-2017-9448 (Cross-site scripting (XSS) vulnerabilities in BigTree CMS through 4.2. ...) NOT-FOR-US: BigTree CMS CVE-2017-9462 (In Mercurial before 4.1.3, "hg serve --stdio" allows remote authentica ...) {DLA-1414-1 DLA-1005-1} - mercurial 4.3.1-1 (bug #861243) [stretch] - mercurial 4.0-1+deb9u1 NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29 NOTE: https://www.mercurial-scm.org/repo/hg/rev/77eaf9539499 CVE-2017-9461 (smbd in Samba before 4.4.10 and 4.5.x before 4.5.6 has a denial of ser ...) {DLA-1754-1} - samba 2:4.5.6+dfsg-1 (bug #864291) [wheezy] - samba (Minor, non reproducible issue) NOTE: https://git.samba.org/?p=samba.git;a=commitdiff;h=10c3e3923022485c720f322ca4f0aca5d7501310 NOTE: https://bugzilla.samba.org/show_bug.cgi?id=12572 CVE-2017-9447 (In the web interface of Parallels Remote Application Server (RAS) 15.5 ...) 
NOT-FOR-US: Parallels Remote Application Server CVE-2017-9446 RESERVED CVE-2017-9445 (In systemd through 233, certain sizes passed to dns_packet_new in syst ...) - systemd 233-10 (bug #866147) [stretch] - systemd 232-25+deb9u1 [jessie] - systemd (Vulnerable code not present) [wheezy] - systemd (Vulnerable code not present) NOTE: Introduced by: https://github.com/systemd/systemd/commit/a0166609f782da91710dea9183d1bf138538db37 NOTE: https://www.openwall.com/lists/oss-security/2017/06/27/8 CVE-2017-9444 (BigTree CMS through 4.2.18 has CSRF related to the core\admin\modules\ ...) NOT-FOR-US: BigTree CMS CVE-2017-9443 (** DISPUTED ** BigTree CMS through 4.2.18 allows remote authenticated ...) NOT-FOR-US: BigTree CMS CVE-2017-9442 (** DISPUTED ** BigTree CMS through 4.2.18 allows remote authenticated ...) NOT-FOR-US: BigTree CMS CVE-2017-9441 (** DISPUTED ** Multiple cross-site scripting (XSS) vulnerabilities in ...) NOT-FOR-US: BigTree CMS CVE-2017-9440 (In ImageMagick 7.0.5-5, a memory leak was found in the function ReadPS ...) {DSA-3914-1} - imagemagick 8:6.9.7.4+dfsg-12 (low; bug #864273) [wheezy] - imagemagick (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/462 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/c2be129c25763680afeca59f4de5d6d4240ca2cf CVE-2017-9439 (In ImageMagick 7.0.5-5, a memory leak was found in the function ReadPD ...) {DSA-3914-1 DLA-1000-1} - imagemagick 8:6.9.7.4+dfsg-12 (low; bug #864274) NOTE: https://github.com/ImageMagick/ImageMagick/issues/460 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/6c6abed989ea4a3ef472db65ab487c1809a3a718 CVE-2017-9438 (libyara/re.c in the regexp module in YARA 3.5.0 allows remote attacker ...) 
- yara 3.6.1+dfsg-1 (low; bug #864518) [stretch] - yara (Minor issue, too intrusive to backport) [jessie] - yara (Minor issue, too intrusive to backport) NOTE: https://github.com/VirusTotal/yara/issues/674 NOTE: Fixed by: https://github.com/VirusTotal/yara/commit/10e8bd3071677dd1fa76beeef4bc2fc427cea5e7 CVE-2017-9437 (Openbravo Business Suite 3.0 is affected by SQL injection. This vulner ...) NOT-FOR-US: Openbravo Business Suite CVE-2017-9436 (TeamPass before 2.1.27.4 is vulnerable to a SQL injection in users.que ...) - teampass (bug #730180) CVE-2017-9435 (Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user ...) - dolibarr 5.0.4+dfsg3-1 (bug #864569) NOTE: https://github.com/Dolibarr/dolibarr/commit/70636cc59ffa1ffbc0ce3dba315d7d9b837aad04 CVE-2017-9434 (Crypto++ (aka cryptopp) through 5.6.5 contains an out-of-bounds read v ...) - libcrypto++ 5.6.4-7 (bug #864214) [jessie] - libcrypto++ (Minor issue) [wheezy] - libcrypto++ (Minor issue) NOTE: https://github.com/weidai11/cryptopp/issues/414 NOTE: https://github.com/weidai11/cryptopp/commit/07dbcc3d9644b18e05c1776db2a57fe04d780965 CVE-2017-9433 (Document Liberation Project libmwaw before 2017-04-08 has an out-of-bo ...) {DSA-3875-1} - libmwaw 0.3.9-2 (bug #864366) NOTE: https://sourceforge.net/p/libmwaw/libmwaw/ci/68b3b74569881248bfb6cbb4266177cc253b292f/ CVE-2017-9432 (Document Liberation Project libstaroffice before 2017-04-07 has an out ...) - libstaroffice 0.0.3-3 (bug #864207) CVE-2017-9431 (Google gRPC before 2017-04-05 has an out-of-bounds write caused by a h ...) - grpc 1.3.2-0.1 (bug #864210) NOTE: https://github.com/grpc/grpc/pull/10492 NOTE: Fixed by: https://github.com/grpc/grpc/commit/c6ec1155d026c91b1badb07ef1605bb747cff064 CVE-2017-9430 (Stack-based buffer overflow in dnstracer through 1.9 allows attackers ...) - dnstracer (unimportant) NOTE: Crash in CLI tool, disputable if any exposed service makes use of dnstrace. 
NOTE: One scenario would be to have a web application that launches dnstracer NOTE: with user-supplied name strings to evaluate. CVE-2017-9429 (SQL injection vulnerability in the Event List plugin 0.7.8 for WordPre ...) NOT-FOR-US: Event List plugin for WordPress CVE-2017-9428 (A directory traversal vulnerability exists in core\admin\ajax\develope ...) NOT-FOR-US: BigTree CMS CVE-2017-9427 (SQL injection vulnerability in BigTree CMS through 4.2.18 allows remot ...) NOT-FOR-US: BigTree CMS CVE-2017-9426 (ws.php in the Facetag extension 0.0.3 for Piwigo allows SQL injection ...) NOT-FOR-US: Piwigo extension CVE-2017-9425 (The Facetag extension 0.0.3 for Piwigo allows XSS via the name paramet ...) NOT-FOR-US: Piwigo extension CVE-2017-9424 (IdeaBlade Breeze Breeze.Server.NET before 1.6.5 allows remote attacker ...) NOT-FOR-US: IdeaBlade Breeze Breeze.Server.NET CVE-2017-9423 RESERVED CVE-2017-9422 REJECTED CVE-2017-9421 (Authentication Bypass vulnerability in Accellion kiteworks before 2017 ...) NOT-FOR-US: Accellion kiteworks CVE-2017-9420 (Cross site scripting (XSS) vulnerability in the Spiffy Calendar plugin ...) NOT-FOR-US: Spiffy Calendar plugin for WordPress CVE-2017-9419 (Cross-site scripting (XSS) vulnerability in the Webhammer WP Custom Fi ...) NOT-FOR-US: Webhammer WP Custom Fields Search plugin for WordPress CVE-2017-9418 (SQL injection vulnerability in the WP-Testimonials plugin 3.4.1 for Wo ...) NOT-FOR-US: WP-Testimonials plugin for WordPress CVE-2017-9417 (Broadcom BCM43xx Wi-Fi chips allow remote attackers to execute arbitra ...) 
{DLA-1573-1} - firmware-nonfree 20180518-1 (bug #869639) [stretch] - firmware-nonfree 20161130-4 [jessie] - firmware-nonfree (non-free not supported) [wheezy] - firmware-nonfree (non-free not supported) NOTE: https://www.blackhat.com/us-17/briefings/schedule/#broadpwn-remotely-compromising-android-and-ios-via-a-bug-in-broadcoms-wi-fi-chipsets-7603 NOTE: https://marc.info/?l=linux-wireless&m=150391055518346&w=2 CVE-2017-9416 (Directory traversal vulnerability in tools.file_open in Odoo 8.0, 9.0, ...) - odoo (Fixed before initial upload to Debian) NOTE: https://github.com/odoo/odoo/issues/17394 CVE-2017-9415 (Cross-site request forgery (CSRF) vulnerability in subsonic 6.1.1 allo ...) NOT-FOR-US: Subsonic CVE-2017-9414 (Cross-site request forgery (CSRF) vulnerability in the Subscribe to Po ...) NOT-FOR-US: Subsonic CVE-2017-9413 (Multiple cross-site request forgery (CSRF) vulnerabilities in the Podc ...) NOT-FOR-US: Subsonic CVE-2017-9412 (The unpack_read_samples function in frontend/get_audio.c in LAME 3.99. ...) - lame 3.99.5+repack1-7 [wheezy] - lame 3.99.5+repack1-3+deb7u1 NOTE: Fixed by the improved 0001-Add-check-for-invalid-input-sample-rate.patch in NOTE: 3.99.5+repack1-7, https://anonscm.debian.org/cgit/pkg-multimedia/lame.git/commit/debian/patches?id=1c7c62d3c5614443524b5ad170ba2713a14d4e09 NOTE: http://seclists.org/fulldisclosure/2017/Jul/63 NOTE: https://sourceforge.net/p/lame/bugs/463/ NOTE: Invalid read in command line tool so no CVE is needed. MITRE contacted by ago@gentoo CVE-2017-9411 REJECTED CVE-2017-9410 REJECTED CVE-2017-9409 (In ImageMagick 7.0.5-5, the ReadMPCImage function in mpc.c allows atta ...) {DLA-1000-1} - imagemagick 8:6.9.7.4+dfsg-11 (low; bug #864090) [jessie] - imagemagick 8:6.8.9.9-5+deb8u10 NOTE: https://github.com/ImageMagick/ImageMagick/issues/458 CVE-2017-9408 (In Poppler 0.54.0, a memory leak vulnerability was found in the functi ...) 
{DSA-4079-1} - poppler 0.57.0-2 (low; bug #864009) [wheezy] - poppler (Vulnerable code not present) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=100776 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=b21b041f7948680c03109f0c404400a9dbc4544c CVE-2017-9407 (In ImageMagick 7.0.5-5, the ReadPALMImage function in palm.c allows at ...) {DLA-1000-1} - imagemagick 8:6.9.7.4+dfsg-11 (low; bug #864089) [jessie] - imagemagick 8:6.8.9.9-5+deb8u10 NOTE: https://github.com/ImageMagick/ImageMagick/issues/459 CVE-2017-9406 (In Poppler 0.54.0, a memory leak vulnerability was found in the functi ...) {DSA-4079-1} - poppler 0.57.0-2 (low; bug #864010) [wheezy] - poppler (Vulnerable code not present) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=100775 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=278439531b13b0b047dbe3a75aa3f1b3407c8bd4 CVE-2017-9405 (In ImageMagick 7.0.5-5, the ReadICONImage function in icon.c:452 allow ...) {DLA-1000-1} - imagemagick 8:6.9.7.4+dfsg-11 (low; bug #864087) [jessie] - imagemagick 8:6.8.9.9-5+deb8u10 NOTE: https://github.com/ImageMagick/ImageMagick/issues/457 CVE-2017-9404 (In LibTIFF 4.0.7, a memory leak vulnerability was found in the functio ...) 
{DLA-984-1 DLA-983-1} - tiff 4.0.8-1 [jessie] - tiff 4.0.3-12.3+deb8u4 - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2688 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/2ea32f7372b65c24b2816f11c04bf59b5090d05b NOTE: Possibly sensible to add the other memory leaks fixes in OJPEGReadHeaderInfoSecTables NOTE: method from tif_ojpeg.c, i.e.: NOTE: https://github.com/vadz/libtiff/commit/e9bd1b06fe25219cf0873fca70e46f01843fd9f4 NOTE: https://github.com/vadz/libtiff/commit/8283e4d1b7e53340684d12932880cbcbaf23a8c1 NOTE: Reproducing the issue itself is "covered" after fixing https://github.com/vadz/libtiff/commit/5ed9fea523316c2f5cec4d393e4d5d671c2dbc33 NOTE: To verify 2ea32f7372b65c24b2816f11c04bf59b5090d05b fixes the issue build src:tiff NOTE: with ASAN with 5ed9fea523316c2f5cec4d393e4d5d671c2dbc33 reverted. Before the NOTE: 2ea32f7372b65c24b2816f11c04bf59b5090d05b commit the Direct leak of 73 byte NOTE: with backtrace following the methods in http://bugzilla.maptools.org/show_bug.cgi?id=2688 NOTE: is shown. CVE-2017-9403 (In LibTIFF 4.0.7, a memory leak vulnerability was found in the functio ...) {DLA-984-1 DLA-983-1} - tiff 4.0.8-1 [jessie] - tiff 4.0.3-12.3+deb8u4 - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2689 NOTE: Fixed by: https://github.com/vadz/libtiff/commit/fb3dc46a2fcf6197ff3b93fc76f0c37fddc0333b CVE-2017-9402 RESERVED CVE-2017-9401 RESERVED CVE-2017-9400 RESERVED CVE-2017-9399 RESERVED CVE-2017-9398 RESERVED CVE-2017-9397 RESERVED CVE-2017-9396 RESERVED CVE-2017-9395 RESERVED CVE-2017-9394 (A stored cross-site scripting vulnerability in CA Identity Governance ...) NOT-FOR-US: CA Identity Governance CVE-2017-9393 (CA Identity Manager r12.6 to r12.6 SP8, 14.0, and 14.1 allows remote a ...) NOT-FOR-US: CA Identity Manager CVE-2017-9392 (An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 d ...) NOT-FOR-US: Vera CVE-2017-9391 (An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 d ...) 
NOT-FOR-US: Vera CVE-2017-9390 (An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 d ...) NOT-FOR-US: Vera devices CVE-2017-9389 (An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 d ...) NOT-FOR-US: Vera CVE-2017-9388 (An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 d ...) NOT-FOR-US: Vera devices CVE-2017-9387 (An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 d ...) NOT-FOR-US: Vera CVE-2017-9386 (An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 d ...) NOT-FOR-US: Vera CVE-2017-9385 (An issue was discovered on Vera Veralite 1.7.481 devices. The device h ...) NOT-FOR-US: Vera CVE-2017-9384 (An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 d ...) NOT-FOR-US: Vera devices CVE-2017-9383 (An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 d ...) NOT-FOR-US: Vera CVE-2017-9382 (An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 d ...) NOT-FOR-US: Vera CVE-2017-9381 (An issue was discovered on Vera VeraEdge 1.7.19 and Veralite 1.7.481 d ...) NOT-FOR-US: Vera devices CVE-2017-9380 (OpenEMR 5.0.0 and prior allows low-privilege users to upload files of ...) NOT-FOR-US: OpenEMR CVE-2017-9379 (Multiple CSRF issues exist in BigTree CMS through 4.2.18 - the clear p ...) NOT-FOR-US: BigTree CMS CVE-2017-9378 (BigTree CMS through 4.2.18 does not prevent a user from deleting their ...) NOT-FOR-US: BigTree CMS CVE-2017-9377 (A command injection was identified on Barco ClickShare Base Unit devic ...) NOT-FOR-US: Barco ClickShare Base Unit device CVE-2017-9376 (ManageEngine ServiceDesk Plus before 9314 contains a local file inclus ...) NOT-FOR-US: ManageEngine ServiceDesk Plus CVE-2017-9375 (QEMU (aka Quick Emulator), when built with USB xHCI controller emulato ...) 
{DSA-3991-1 DLA-1927-1} - qemu 1:2.10.0-1 (bug #864219) [wheezy] - qemu (vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (vulnerable code not present) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=96d87bdda3919bb16f754b3d3fd1227e1f38f13c CVE-2017-9374 (Memory leak in QEMU (aka Quick Emulator), when built with USB EHCI Emu ...) {DSA-3920-1 DLA-1497-1} - qemu 1:2.8+dfsg-7 (bug #864568) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d710e1e7bd3d5bfc26b631f02ae87901ebe646b0 CVE-2017-9373 (Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI Emu ...) {DSA-3920-1 DLA-1497-1} - qemu 1:2.8+dfsg-7 (bug #864216) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d68f0f778e7f4fbd674627274267f269e40f0b04 CVE-2017-9371 (In BlackBerry QNX Software Development Platform (SDP) 6.6.0 and 6.5.0 ...) NOT-FOR-US: BlackBerry QNX Software Development Platform (SDP) CVE-2017-9370 (An information disclosure / elevation of privilege vulnerability in th ...) NOT-FOR-US: BlackBerry CVE-2017-9369 (In BlackBerry QNX Software Development Platform (SDP) 6.6.0 and 6.5.0 ...) NOT-FOR-US: BlackBerry QNX Software Development Platform (SDP) CVE-2017-9368 (An information disclosure vulnerability in the BlackBerry Workspaces S ...) NOT-FOR-US: BlackBerry Workspaces Server CVE-2017-9367 (A directory traversal vulnerability in the BlackBerry Workspaces Serve ...) NOT-FOR-US: BlackBerry Workspaces Server CVE-2017-9366 (Telaxus EPESI 1.8.2 and earlier has a Stored Cross-site Scripting (XSS ...) NOT-FOR-US: Telaxus EPESI CVE-2017-9365 (CSRF exists in BigTree CMS through 4.2.18 with the force parameter to ...) NOT-FOR-US: BigTree CMS CVE-2017-9364 (Unrestricted File Upload exists in BigTree CMS through 4.2.18: if an a ...) 
NOT-FOR-US: BigTree CMS CVE-2017-9363 (Untrusted Java serialization in Soffid IAM console before 1.7.5 allows ...) NOT-FOR-US: Soffid IAM console CVE-2017-9362 (ManageEngine ServiceDesk Plus before 9312 contains an XML injection at ...) NOT-FOR-US: ManageEngine ServiceDesk Plus CVE-2017-9361 (WebsiteBaker v2.10.0 has a stored XSS vulnerability in /account/detail ...) NOT-FOR-US: WebsiteBaker CVE-2017-9360 (WebsiteBaker v2.10.0 has a SQL injection vulnerability in /account/det ...) NOT-FOR-US: WebsiteBaker CVE-2017-9357 RESERVED CVE-2017-9356 (Sitecore.NET 7.1 through 7.2 has a Cross Site Scripting Vulnerability ...) NOT-FOR-US: Sitecore.NET CVE-2017-9358 (A memory exhaustion vulnerability exists in Asterisk Open Source 13.x ...) - asterisk 1:13.14.1~dfsg-2 (bug #863906) [jessie] - asterisk (11.x series not affected) [wheezy] - asterisk (Vulnerable code not present) NOTE: http://downloads.asterisk.org/pub/security/AST-2017-004.txt CVE-2017-9359 (The multi-part body parser in PJSIP, as used in Asterisk Open Source 1 ...) {DSA-3933-1} - pjproject 2.5.5~dfsg-6 (bug #863902) NOTE: http://downloads.asterisk.org/pub/security/AST-2017-003.txt NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-26939 CVE-2017-9372 (PJSIP, as used in Asterisk Open Source 13.x before 13.15.1 and 14.x be ...) {DSA-3933-1} - pjproject 2.5.5~dfsg-6 (bug #863901) NOTE: http://downloads.asterisk.org/pub/security/AST-2017-002.txt CVE-2017-9355 (XML external entity (XXE) vulnerability in the import playlist feature ...) NOT-FOR-US: Subsonic CVE-2017-9354 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the RGMP dissector co ...) 
- wireshark 2.2.7-1 (bug #864058) [jessie] - wireshark (vulnerable code introduced later) [wheezy] - wireshark (vulnerable code introduced later) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-32.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13646 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=5debcf56eda16064c10f4e22b3db326c8b53406b CVE-2017-9353 (In Wireshark 2.2.0 to 2.2.6, the IPv6 dissector could crash. This was ...) - wireshark 2.2.7-1 (low; bug #864058) [jessie] - wireshark (Only affects 2.2.x) [wheezy] - wireshark (Only affects 2.2.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-33.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13675 CVE-2017-9352 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the Bazaar dissector ...) - wireshark 2.2.7-1 (low; bug #864058) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-22.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13599 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d8d7690a59059821e2a2a84ac8d925aa5e70b7ba CVE-2017-9351 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DHCP dissector co ...) - wireshark 2.2.7-1 (low; bug #864058) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-24.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13628 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13609 CVE-2017-9350 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the openSAFETY dissec ...) 
- wireshark 2.2.7-1 (low; bug #864058) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-28.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13649 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f6431695049116176361ce4691dfd3c77ab19858 NOTE: When fixing this entry make sure to apply the complete fix, adding NOTE: the related commits from CVE-2017-11411. Otherwise those releases NOTE: are open to CVE-2017-11411, which exists because of an incomplete fix. CVE-2017-9349 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DICOM dissector h ...) {DLA-1729-1} - wireshark 2.2.7-1 (low; bug #864058) [wheezy] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-27.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13685 CVE-2017-9348 (In Wireshark 2.2.0 to 2.2.6, the DOF dissector could read past the end ...) - wireshark 2.2.7-1 (bug #864058) [jessie] - wireshark (Only affects 2.2.x) [wheezy] - wireshark (Only affects 2.2.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-23.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13608 CVE-2017-9347 (In Wireshark 2.2.0 to 2.2.6, the ROS dissector could crash with a NULL ...) - wireshark 2.2.7-1 (bug #864058) [stretch] - wireshark (Minor issue) [jessie] - wireshark (Only affects 2.2.x) [wheezy] - wireshark (Only affects 2.2.x) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-31.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13637 CVE-2017-9346 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the SoulSeek dissecto ...) 
- wireshark 2.2.7-1 (low; bug #864058) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-25.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13631 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=7eab596c0824e6fa20aad6932bcd2fdb94b86edf CVE-2017-9345 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the DNS dissector cou ...) - wireshark 2.2.7-1 (low; bug #864058) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-26.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13633 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f6408d6a8e842148f677a9f9413776ebaa150bb0 CVE-2017-9344 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the Bluetooth L2CAP d ...) {DLA-1729-1} - wireshark 2.2.7-1 (low; bug #864058) [wheezy] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-29.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13701 CVE-2017-9343 (In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the MSNIP dissector m ...) - wireshark 2.2.7-1 (low; bug #864058) [jessie] - wireshark (Minor issue) [wheezy] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2017-30.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13725 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=7c39a77e8b6ed204d7c1ec9afd712ef30ac2db26 CVE-2017-9342 RESERVED CVE-2017-9341 RESERVED CVE-2017-9340 (An attacker is logged in as a normal user and can somehow make admin t ...) - owncloud CVE-2017-9339 (A logical error in ownCloud Server before 10.0.2 caused disclosure of ...) - owncloud CVE-2017-9338 (Inadequate escaping lead to XSS vulnerability in the search module in ...) - owncloud CVE-2017-9337 (The Markdown on Save Improved plugin 2.5 for WordPress has a stored XS ...) 
NOT-FOR-US: WordPress plugin CVE-2017-9336 (The WP Editor.MD plugin 1.6 for WordPress has a stored XSS vulnerabili ...) NOT-FOR-US: WordPress plugin CVE-2017-9335 RESERVED CVE-2017-9333 (OpenWebif 1.2.5 allows remote code execution via a URL to the CallOPKG ...) NOT-FOR-US: OpenWebif CVE-2017-9332 (The smarty_self function in modules/module_smarty.php in PivotX 2.3.11 ...) NOT-FOR-US: PivotX CVE-2017-9331 (The Agenda component in Telaxus EPESI 1.8.2 and earlier has a Stored C ...) NOT-FOR-US: Telaxus EPESI CVE-2017-9329 RESERVED CVE-2017-9328 (Shell metacharacter injection vulnerability in /usr/www/include/ajax/G ...) NOT-FOR-US: TerraMaster TOS CVE-2017-9327 (Secret data of processes managed by CM is not secured by file permissi ...) NOT-FOR-US: Cloudera CVE-2017-9326 (The keystore password for the Spark History Server may be exposed in u ...) NOT-FOR-US: Cloudera CVE-2017-9325 (The provided secure solrconfig.xml sample configuration does not enfor ...) NOT-FOR-US: Cloudera CVE-2017-9334 (An incorrect "pair?" check in the Scheme "length" procedure results in ...) - chicken 4.12.0-0.2 (low; bug #863884) [stretch] - chicken (Minor issue) [jessie] - chicken (Minor issue) [wheezy] - chicken (Minor issue) NOTE: Original announcement: http://lists.nongnu.org/archive/html/chicken-announce/2017-05/msg00000.html NOTE: Patch: http://lists.nongnu.org/archive/html/chicken-hackers/2017-05/msg00099.html CVE-2017-9330 (QEMU (aka Quick Emulator) before 2.9.0, when built with the USB OHCI E ...) {DSA-3920-1 DLA-1497-1} - qemu 1:2.8+dfsg-7 (bug #863943) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present) NOTE: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=26f670a244982335cc08943fb1ec099a2c81e42d CVE-2017-9324 (In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through ...) 
{DSA-3876-1} - otrs2 5.0.20-1 (bug #864319) [stretch] - otrs2 5.0.16-1+deb9u1 [wheezy] - otrs2 (does not affect version 3.1.7) NOTE: https://www.otrs.com/security-advisory-2017-03-security-update-otrs-versions/ NOTE: https://github.com/OTRS/otrs/commit/45e05f854d2dc7c9fa7dd7467ea00cdcde350ac3 CVE-2017-9323 REJECTED CVE-2017-9322 REJECTED CVE-2017-9321 REJECTED CVE-2017-9320 RESERVED CVE-2017-9319 RESERVED CVE-2017-9318 RESERVED CVE-2017-9317 (Privilege escalation vulnerability found in some Dahua IP devices. Att ...) NOT-FOR-US: Dahua CVE-2017-9316 (Firmware upgrade authentication bypass vulnerability was found in Dahu ...) NOT-FOR-US: Dahua CVE-2017-9315 (Customer of Dahua IP camera or IP PTZ could submit relevant device inf ...) NOT-FOR-US: Dahua CVE-2017-9314 (Authentication vulnerability found in Dahua NVR models NVR50XX, NVR52X ...) NOT-FOR-US: Dahua NVR CVE-2017-9313 (Multiple Cross-site scripting (XSS) vulnerabilities in Webmin before 1 ...) - webmin CVE-2017-9312 (Improperly implemented option-field processing in the TCP/IP stack on ...) NOT-FOR-US: Allen-Bradley CVE-2017-9311 RESERVED CVE-2017-9309 RESERVED CVE-2017-9308 RESERVED CVE-2017-9307 (SSRF vulnerability in remotedownload.php in Allen Disk 1.6 allows remo ...) NOT-FOR-US: Allen Disk CVE-2017-9306 (inc/SP/Html/Html.class.php in sysPass 2.1.9 allows remote attackers to ...) NOT-FOR-US: sysPass CVE-2017-9305 (lib/core/TikiFilter/PreventXss.php in Tiki Wiki CMS Groupware 16.2 all ...) - tikiwiki CVE-2017-9304 (libyara/re.c in the regexp module in YARA 3.5.0 allows remote attacker ...) - yara 3.6.1+dfsg-1 (bug #863842) [stretch] - yara (Minor issue, too intrusive to backport) [jessie] - yara (Minor issue, too intrusive to backport) NOTE: https://github.com/VirusTotal/yara/issues/674 NOTE: https://github.com/VirusTotal/yara/commit/925bcf3c3b0a28b5b78e25d9efda5c0bf27ae699 CVE-2017-1000380 (sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to ...) 
{DSA-3981-1 DLA-1099-1} - linux 4.11.6-1 NOTE: Fixed by: https://git.kernel.org/linus/d11662f4f798b50d8c8743f433842c3e40fe3378 (v4.12-rc5) NOTE: Fixed by: https://git.kernel.org/linus/ba3021b2c79b2fa9114f92790a99deb27a65b728 (v4.12-rc5) CVE-2017-1000368 (Todd Miller's sudo version 1.8.20p1 and earlier is vulnerable to an in ...) {DLA-1011-1} - sudo 1.8.20p1-1.1 (bug #863897) [buster] - sudo 1.8.19p1-2.1 [stretch] - sudo 1.8.19p1-2.1 [jessie] - sudo 1.8.10p3-1+deb8u5 NOTE: https://www.openwall.com/lists/oss-security/2017/06/02/7 NOTE: https://www.sudo.ws/repos/sudo/raw-rev/15a46f4007dd CVE-2017-1000367 (Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an inpu ...) {DSA-3867-1 DLA-970-1} - sudo 1.8.20p1-1 (bug #863731) [buster] - sudo 1.8.19p1-2 [stretch] - sudo 1.8.19p1-2 NOTE: https://www.sudo.ws/alerts/linux_tty.html NOTE: https://www.openwall.com/lists/oss-security/2017/05/30/16 NOTE: https://www.sudo.ws/repos/sudo/raw-rev/b5460cbbb11b CVE-2017-9310 (QEMU (aka Quick Emulator), when built with the e1000e NIC emulation su ...) {DSA-3920-1} - qemu 1:2.8+dfsg-7 (bug #863840) [jessie] - qemu (Vulnerable code not present; e1000e introduced in 2.7.0-rc0) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4154c7e03fa55b4cf52509a83d50d6c09d743b77 CVE-2017-9303 (Laravel 5.4.x before 5.4.22 does not properly constrain the host porti ...) NOT-FOR-US: Laravel CVE-2017-9302 (RealPlayer 16.0.2.32 allows remote attackers to cause a denial of serv ...) NOT-FOR-US: RealPlayer CVE-2017-9301 (plugins\audio_filter\libmpgatofixed32_plugin.dll in VideoLAN VLC media ...) - vlc 2.2.5.1-1 [wheezy] - vlc (Not supported in wheezy LTS) CVE-2017-9300 (plugins\codec\libflac_plugin.dll in VideoLAN VLC media player 2.2.4 al ...) 
{DSA-4045-1} - vlc 2.2.6-3 [wheezy] - vlc (Not supported in wheezy LTS) NOTE: https://git.videolan.org/?p=vlc/vlc-2.2.git;a=commit;h=55a82442cfea9dab8b853f3a4610f2880c5fadf3 CVE-2017-9299 (Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=Age ...) NOTE: This report for OTRS is quite vague/unclear and upstream cannot NOTE: track the issue down to a specific fixed release; it claims, though, that NOTE: it should not be reproducible with versions later than 3.3.17. CVE-2017-9298 (Cross-site scripting vulnerability in Hitachi Device Manager before 8. ...) NOT-FOR-US: Hitachi Device Manager CVE-2017-9297 (Open Redirect vulnerability in Hitachi Device Manager before 8.5.2-01 ...) NOT-FOR-US: Hitachi Device Manager CVE-2017-9296 (Open Redirect vulnerability in Hitachi Device Manager before 8.5.2-01 ...) NOT-FOR-US: Hitachi Device Manager CVE-2017-9295 (XXE vulnerability in Hitachi Device Manager before 8.5.2-01 and Hitach ...) NOT-FOR-US: Hitachi Device Manager CVE-2017-9294 (RMI vulnerability in Hitachi Device Manager before 8.5.2-01 allows rem ...) NOT-FOR-US: Hitachi Device Manager CVE-2017-9293 RESERVED CVE-2017-9292 (Lansweeper before 6.0.0.65 has XSS in an image retrieval URI, aka Bug ...) NOT-FOR-US: Lansweeper CVE-2017-9291 RESERVED CVE-2017-9290 RESERVED CVE-2017-9289 (Bram Korsten Note through 1.2.0 is vulnerable to a reflected XSS in no ...) NOT-FOR-US: Bram Korsten Note CVE-2017-9288 (The Raygun4WP plugin 1.8.0 for WordPress is vulnerable to a reflected ...) NOT-FOR-US: WordPress plugin CVE-2017-9286 (The packaging of NextCloud in openSUSE used /srv/www/htdocs in an unsa ...) NOT-FOR-US: OpenSUSE specific packaging issue of NextCloud CVE-2017-9285 (NetIQ eDirectory before 9.0 SP4 did not enforce login restrictions whe ...) NOT-FOR-US: NetIQ eDirectory CVE-2017-9284 (IDM 4.6 Identity Applications prior to 4.6.2.1 may expose sensitive in ...) NOT-FOR-US: IDM CVE-2017-9283 (An out-of-bounds read (CWE-125) vulnerability exists in Micro Focus Vi ...) 
NOT-FOR-US: Micro Focus VisiBroker CVE-2017-9282 (An integer overflow (CWE-190) led to an out-of-bounds write (CWE-787) ...) NOT-FOR-US: Micro Focus VisiBroker CVE-2017-9281 (An integer overflow (CWE-190) potentially causing an out-of-bounds rea ...) NOT-FOR-US: Micro Focus VisiBroker CVE-2017-9280 (Some NetIQ Identity Manager Applications before Identity Manager 4.5.6 ...) NOT-FOR-US: NetIQ Identity Manager CVE-2017-9279 (NetIQ Identity Manager before 4.5.6.1 allowed uploading files with dou ...) NOT-FOR-US: NetIQ Identity Manager CVE-2017-9278 (The NetIQ Identity Manager Oracle EBS driver before 4.0.2.0 sent EBS l ...) NOT-FOR-US: NetIQ Identity Manager CVE-2017-9277 (The LDAP backend in Novell eDirectory before 9.0 SP4 when switched to ...) NOT-FOR-US: Novell eDirectory CVE-2017-9276 (Novell Access Manager iManager before 4.3.3 did not validate parameter ...) NOT-FOR-US: Novell Access Manager iManager CVE-2017-9275 (NetIQ Identity Reporting, in versions prior to 5.5 Service Pack 1, is ...) NOT-FOR-US: NetIQ Identity Reporting CVE-2017-9274 (A shell command injection in the obs-service-source_validator before 0 ...) - osc 0.162.1-1 (bug #887391) [stretch] - osc (Minor issue) [jessie] - osc (Minor issue) [wheezy] - osc (Minor issue) NOTE: Details in https://bugzilla.suse.com/show_bug.cgi?id=938556 NOTE: SUSE addressed the issue not only in the obs-service-source_validator NOTE: but also by adding a validation in 0.162.0 when using OBS 2.9, cf.: NOTE: https://github.com/openSUSE/osc/commit/f0325eb0b58c266eb0905ccf827dc7eb864378a1 CVE-2017-9273 (The Bi-directional driver in IDM 4.5 before 4.0.3.0 could be susceptib ...) NOT-FOR-US: IDM CVE-2017-9272 (The Bi-directional driver in IDM 4.5 before 4.0.3.0 could be susceptib ...) NOT-FOR-US: IDM CVE-2017-9271 (The commandline package update tool zypper writes HTTP proxy credentia ...) 
- zypper (low) [buster] - zypper (Minor issue) [jessie] - zypper (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1050625 CVE-2017-9270 (In cryptctl before version 2.0 a malicious server could send RPC reque ...) NOT-FOR-US: SuSE cryptctl CVE-2017-9269 (In libzypp before August 2018 GPG keys attached to YUM repositories we ...) - libzypp 17.3.1-1 (bug #899065) [jessie] - libzypp (Minor issue) CVE-2017-9268 (In the open build service before 201707022 the wipetrigger and rebuild ...) - open-build-service (low) [stretch] - open-build-service (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1045519 CVE-2017-9267 (In Novell eDirectory before 9.0.3.1 the LDAP interface was not strictl ...) NOT-FOR-US: Novell eDirectory CVE-2017-9266 RESERVED CVE-2017-9265 (In Open vSwitch (OvS) v2.7.0, there is a buffer over-read while parsin ...) [experimental] - openvswitch 2.8.1+dfsg1-1 - openvswitch 2.8.1+dfsg1-2 (unimportant; bug #863662) [jessie] - openvswitch (Vulnerable code not present) [wheezy] - openvswitch (Vulnerable code not present) NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2017-May/332965.html NOTE: OpenFlow 1.5 support still incomplete CVE-2017-9264 (In lib/conntrack.c in the firewall implementation in Open vSwitch (OvS ...) [experimental] - openvswitch 2.8.1+dfsg1-1 - openvswitch 2.8.1+dfsg1-2 (unimportant; bug #863661) [jessie] - openvswitch (Vulnerable code not present; connection tracking support introduced in 2.6.0) [wheezy] - openvswitch (Vulnerable code not present; connection tracking support introduced in 2.6.0) NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/329323.html NOTE: Userspace data path not enabled in Debian packaging CVE-2017-9263 (In Open vSwitch (OvS) 2.7.0, while parsing an OpenFlow role status mes ...) [experimental] - openvswitch 2.8.1+dfsg1-1 - openvswitch 2.8.1+dfsg1-2 (unimportant; bug #863655) [jessie] - openvswitch (No controllers implemented, cf. 
#863655) [wheezy] - openvswitch (No controllers implemented, cf. #863655) NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2017-May/332966.html NOTE: Controllers shipped in Debian not vulnerable, see #863655 CVE-2017-9262 (In ImageMagick 7.0.5-6 Q16, the ReadJNGImage function in coders/png.c ...) {DLA-1000-1} - imagemagick 8:6.9.7.4+dfsg-10 (low; bug #863834) [jessie] - imagemagick 8:6.8.9.9-5+deb8u10 NOTE: https://github.com/ImageMagick/ImageMagick/issues/475 NOTE: https://github.com/ImageMagick/ImageMagick/commit/4649578df8dcbfb2b08d8623d52486dc124da3a8 CVE-2017-9261 (In ImageMagick 7.0.5-6 Q16, the ReadMNGImage function in coders/png.c ...) {DLA-1000-1} - imagemagick 8:6.9.7.4+dfsg-10 (low; bug #863833) [jessie] - imagemagick 8:6.8.9.9-5+deb8u10 NOTE: https://github.com/ImageMagick/ImageMagick/issues/476 NOTE: https://github.com/ImageMagick/ImageMagick/commit/01d522e990aa57cbe67d222dd5e8f7196cc6d199 CVE-2017-9260 (The TDStretchSSE::calcCrossCorr function in source/SoundTouch/sse_opti ...) - soundtouch 1.9.2-3 (low; bug #870857) [stretch] - soundtouch 1.9.2-2+deb9u1 [jessie] - soundtouch 1.8.0-1+deb8u1 [wheezy] - soundtouch (Minor issue) CVE-2017-9259 (The TDStretch::acceptNewOverlapLength function in source/SoundTouch/TD ...) - soundtouch 1.9.2-3 (low; bug #870856) [stretch] - soundtouch 1.9.2-2+deb9u1 [jessie] - soundtouch 1.8.0-1+deb8u1 [wheezy] - soundtouch (Minor issue) CVE-2017-9258 (The TDStretch::processSamples function in source/SoundTouch/TDStretch. ...) - soundtouch 1.9.2-3 (low; bug #870854) [stretch] - soundtouch 1.9.2-2+deb9u1 [jessie] - soundtouch 1.8.0-1+deb8u1 [wheezy] - soundtouch (Minor issue) CVE-2017-9257 (The mp4ff_read_ctts function in common/mp4ff/mp4atom.c in Freeware Adv ...) {DLA-1077-1} - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1 [jessie] - faad2 2.7-8+deb8u1 CVE-2017-9256 (The mp4ff_read_stco function in common/mp4ff/mp4atom.c in Freeware Adv ...) 
{DLA-1077-1} - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1 [jessie] - faad2 2.7-8+deb8u1 CVE-2017-9255 (The mp4ff_read_stsc function in common/mp4ff/mp4atom.c in Freeware Adv ...) {DLA-1077-1} - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1 [jessie] - faad2 2.7-8+deb8u1 CVE-2017-9254 (The mp4ff_read_stts function in common/mp4ff/mp4atom.c in Freeware Adv ...) {DLA-1077-1} - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1 [jessie] - faad2 2.7-8+deb8u1 CVE-2017-9253 (The mp4ff_read_stsd function in common/mp4ff/mp4atom.c in Freeware Adv ...) {DLA-1077-1} - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1 [jessie] - faad2 2.7-8+deb8u1 CVE-2017-9287 (servers/slapd/back-mdb/search.c in OpenLDAP through 2.4.44 is prone to ...) {DSA-3868-1 DLA-972-1} - openldap 2.4.44+dfsg-5 (bug #863563) NOTE: http://www.openldap.org/its/?findid=8655 NOTE: https://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=0cee1ffb6021b1aae3fcc9581699da1c85a6dd6e CVE-2017-9252 (andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in ...) NOT-FOR-US: FineCMS CVE-2017-9251 (andrzuk/FineCMS through 2017-05-28 is vulnerable to a reflected XSS in ...) NOT-FOR-US: FineCMS CVE-2017-9250 (The lexer_process_char_literal function in jerry-core/parser/js/js-lex ...) NOT-FOR-US: jerryscript CVE-2017-9249 (Cross-site scripting (XSS) vulnerability in Allen Disk 1.6 allows remo ...) NOT-FOR-US: Allen Disk CVE-2017-9248 (Telerik.Web.UI.dll in Progress Telerik UI for ASP.NET AJAX before R2 2 ...) NOT-FOR-US: Progress Telerik UI for ASP.NET AJAX CVE-2017-9247 (Multiple unquoted service path vulnerabilities in Sierra Wireless Wind ...) NOT-FOR-US: Sierra Wireless Windows Mobile Broadband Driver Packages CVE-2017-9246 (New Relic .NET Agent before 6.3.123.0 adds SQL injection flaws to safe ...) 
NOT-FOR-US: New Relic .NET Agent CVE-2017-9245 (The Google News and Weather application before 3.3.1 for Android allow ...) NOT-FOR-US: Google News and Weather application for Android CVE-2017-9244 (Cross-site scripting (XSS) vulnerability in the Trello app before 4.0. ...) NOT-FOR-US: Trello CVE-2017-9243 (Aries QWR-1104 Wireless-N Router with Firmware Version WRC.253.2.0913 ...) NOT-FOR-US: Aries QWR-1104 Wireless-N Router CVE-2017-9242 (The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux k ...) {DSA-3886-1 DLA-993-1} - linux 4.9.30-1 NOTE: https://git.kernel.org/linus/232cd35d0804cc241eb887bb8d4d9b3b9881c64a CVE-2017-9241 RESERVED CVE-2017-9240 RESERVED CVE-2017-9239 (An issue was discovered in Exiv2 0.26. When the data structure of the ...) {DLA-963-1} - exiv2 0.25-3.1 (bug #863410) [jessie] - exiv2 (Minor issue) NOTE: http://dev.exiv2.org/issues/1296 NOTE: fix: https://github.com/Exiv2/exiv2/commit/2f8681e120d277e418941c4361c83b5028f67fd8 CVE-2017-9238 RESERVED CVE-2017-9237 RESERVED CVE-2017-9236 RESERVED CVE-2017-9235 RESERVED CVE-2017-9234 RESERVED CVE-2017-9233 (XML External Entity vulnerability in libexpat 2.2.0 and earlier (Expat ...) {DSA-3898-1 DLA-990-1} - expat 2.2.1-1 NOTE: https://libexpat.github.io/doc/cve-2017-9233/ NOTE: https://github.com/libexpat/libexpat/commit/c4bf96bb51dd2a1b0e185374362ee136fe2c9d7f CVE-2017-9232 (Juju before 1.25.12, 2.0.x before 2.0.4, and 2.1.x before 2.1.3 uses a ...) - juju CVE-2017-9231 (XML external entity (XXE) vulnerability in Citrix XenMobile Server 9.x ...) NOT-FOR-US: Citrix CVE-2017-9230 (** DISPUTED ** The Bitcoin Proof-of-Work algorithm does not consider a ...) NOT-FOR-US: Bitcoin Proof-of-Work algorithm CVE-2017-9229 (An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod i ...) 
{DLA-958-1} - libonig 6.1.3-2 (bug #863318) [jessie] - libonig 5.9.5-3.2+deb8u1 NOTE: https://github.com/kkos/oniguruma/issues/59 NOTE: https://github.com/kkos/oniguruma/commit/b690371bbf97794b4a1d3f295d4fb9a8b05d402d CVE-2017-9228 (An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod i ...) {DLA-958-1} - libonig 6.1.3-2 (bug #863316) [jessie] - libonig 5.9.5-3.2+deb8u1 NOTE: https://github.com/kkos/oniguruma/commit/3b63d12038c8d8fc278e81c942fa9bec7c704c8b NOTE: https://github.com/kkos/oniguruma/issues/60 CVE-2017-9227 (An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod i ...) {DLA-958-1} - libonig 6.1.3-2 (bug #863315) [jessie] - libonig 5.9.5-3.2+deb8u1 NOTE: https://github.com/kkos/oniguruma/commit/9690d3ab1f9bcd2db8cbe1fe3ee4a5da606b8814 NOTE: https://github.com/kkos/oniguruma/issues/58 CVE-2017-9226 (An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod i ...) {DLA-958-1} - libonig 6.1.3-2 (bug #863314) [jessie] - libonig 5.9.5-3.2+deb8u1 NOTE: https://github.com/kkos/oniguruma/commit/b4bf968ad52afe14e60a2dc8a95d3555c543353a NOTE: https://github.com/kkos/oniguruma/commit/f015fbdd95f76438cd86366467bb2b39870dd7c6 NOTE: https://github.com/kkos/oniguruma/issues/55 CVE-2017-9225 (An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod i ...) - libonig 6.1.3-2 (bug #863313) [jessie] - libonig (Vulnerable code introduced later) [wheezy] - libonig (Vulnerable code introduced later) NOTE: https://github.com/kkos/oniguruma/commit/166a6c3999bf06b4de0ab4ce6b088a468cc4029f NOTE: https://github.com/kkos/oniguruma/issues/56 CVE-2017-9224 (An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod i ...) 
{DLA-958-1} - libonig 6.1.3-2 (bug #863312) [jessie] - libonig 5.9.5-3.2+deb8u1 NOTE: https://github.com/kkos/oniguruma/commit/690313a061f7a4fa614ec5cc8368b4f2284e059b NOTE: https://github.com/kkos/oniguruma/issues/57 CVE-2017-9223 (The mp4ff_read_stts function in common/mp4ff/mp4atom.c in Freeware Adv ...) {DLA-1077-1} - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1 [jessie] - faad2 2.7-8+deb8u1 CVE-2017-9222 (The mp4ff_parse_tag function in common/mp4ff/mp4meta.c in Freeware Adv ...) {DLA-1077-1} - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1 [jessie] - faad2 2.7-8+deb8u1 CVE-2017-9221 (The mp4ff_read_mdhd function in common/mp4ff/mp4atom.c in Freeware Adv ...) {DLA-1077-1} - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1 [jessie] - faad2 2.7-8+deb8u1 CVE-2017-9220 (The mp4ff_read_stco function in common/mp4ff/mp4atom.c in Freeware Adv ...) {DLA-1077-1} - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1 [jessie] - faad2 2.7-8+deb8u1 CVE-2017-9219 (The mp4ff_read_stsc function in common/mp4ff/mp4atom.c in Freeware Adv ...) {DLA-1077-1} - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1 [jessie] - faad2 2.7-8+deb8u1 CVE-2017-9218 (The mp4ff_read_stsd function in common/mp4ff/mp4atom.c in Freeware Adv ...) {DLA-1077-1} - faad2 2.8.1-1 (low; bug #867724) [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1 [jessie] - faad2 2.7-8+deb8u1 CVE-2017-9217 (systemd-resolved through 233 allows remote attackers to cause a denial ...) [experimental] - systemd 233-8 - systemd 232-24 (bug #863277) [jessie] - systemd (vulnerable code introduced later) [wheezy] - systemd (vulnerable code introduced later) NOTE: https://github.com/systemd/systemd/pull/5998 CVE-2017-9216 (libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and Ghostscri ...) 
- jbig2dec 0.13-5 (bug #863279) [stretch] - jbig2dec (Minor issue) [jessie] - jbig2dec (Minor issue) [wheezy] - jbig2dec (Minor issue, can be fixed in a future update) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697934 NOTE: Fixed by: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=3ebffb1d96ba0cacec23016eccb4047dab365853 CVE-2017-9215 RESERVED CVE-2017-9214 (In Open vSwitch (OvS) 2.7.0, while parsing an OFPT_QUEUE_GET_CONFIG_RE ...) {DLA-2571-1} [experimental] - openvswitch 2.8.1+dfsg1-1 - openvswitch 2.8.1+dfsg1-2 (bug #863228) [jessie] - openvswitch (Vulnerable code not present) [wheezy] - openvswitch (Vulnerable code not present) NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2017-May/332711.html CVE-2017-9213 RESERVED CVE-2017-9212 (The Bluetooth stack on the BMW 330i 2011 allows a remote crash of the ...) NOT-FOR-US: Bluetooth stack on the BMW 330i 2011 CVE-2017-9211 (The crypto_skcipher_init_tfm function in crypto/skcipher.c in the Linu ...) - linux 4.9.30-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/9933e113c2e87a9f46a40fde8dafbf801dca1ab9 CVE-2017-9200 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9199 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9198 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9197 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9196 (libautotrace.a in AutoTrace 0.31.1 has a "negative-size-param" issue i ...) 
- autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9195 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer over-read i ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9194 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer over-read i ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9193 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer over-read i ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9192 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer overflow in ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9191 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer overflow in ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9190 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9189 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9188 (libautotrace.a in AutoTrace 0.31.1 has a "left shift ... cannot be rep ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9187 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9186 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9185 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9184 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9183 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) 
- autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9182 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9181 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9180 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9179 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9178 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9177 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9176 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9175 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9174 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9173 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer overflow in ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9172 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer overflow in ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9171 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer over-read i ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9170 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer overflow in ...) 
- autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9169 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer overflow in ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9168 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer overflow in ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9167 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer overflow in ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9166 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer over-read i ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9165 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer over-read i ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9164 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer over-read i ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9163 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9162 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9161 (libautotrace.a in AutoTrace 0.31.1 has a "cannot be represented in typ ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9160 (libautotrace.a in AutoTrace 0.31.1 has a stack-based buffer overflow i ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9159 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9158 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9157 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) 
- autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9156 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9155 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9154 (libautotrace.a in AutoTrace 0.31.1 allows remote attackers to cause a ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9153 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer overflow in ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9152 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer over-read i ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9151 (libautotrace.a in AutoTrace 0.31.1 has a heap-based buffer overflow in ...) - autotrace [wheezy] - autotrace (Not supported in wheezy LTS) CVE-2017-9150 (The do_check function in kernel/bpf/verifier.c in the Linux kernel bef ...) - linux 4.9.30-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/0d0e57697f162da4aa218b5feafe614fb666db07 CVE-2017-9210 (libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of s ...) [experimental] - qpdf 7.0~b1-1 - qpdf 7.0.0-1 (low; bug #863390) [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/05/23/10 NOTE: https://github.com/qpdf/qpdf/issues/101 CVE-2017-9209 (libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of s ...) 
[experimental] - qpdf 7.0~b1-1 - qpdf 7.0.0-1 (low; bug #863390) [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/05/23/10 NOTE: https://github.com/qpdf/qpdf/issues/100 CVE-2017-9208 (libqpdf.a in QPDF 6.0.0 allows remote attackers to cause a denial of s ...) [experimental] - qpdf 7.0~b1-1 - qpdf 7.0.0-1 (low; bug #863390) [stretch] - qpdf (Minor issue) [jessie] - qpdf (Minor issue) [wheezy] - qpdf (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/05/23/10 NOTE: https://github.com/qpdf/qpdf/issues/99 CVE-2017-9207 (The iw_get_ui16be function in imagew-util.c:422:24 in libimageworsener ...) NOT-FOR-US: ImageWorsener CVE-2017-9206 (The iw_get_ui16le function in imagew-util.c:405:23 in libimageworsener ...) NOT-FOR-US: ImageWorsener CVE-2017-9205 (The iw_get_ui16be function in imagew-util.c:422:24 in libimageworsener ...) NOT-FOR-US: ImageWorsener CVE-2017-9204 (The iw_get_ui16le function in imagew-util.c:405:23 in libimageworsener ...) NOT-FOR-US: ImageWorsener CVE-2017-9203 (imagew-main.c:960:12 in libimageworsener.a in ImageWorsener 1.3.1 allo ...) NOT-FOR-US: ImageWorsener CVE-2017-9202 (imagew-cmd.c:854:45 in libimageworsener.a in ImageWorsener 1.3.1 allow ...) NOT-FOR-US: ImageWorsener CVE-2017-9201 (imagew-cmd.c:850:46 in libimageworsener.a in ImageWorsener 1.3.1 allow ...) NOT-FOR-US: ImageWorsener CVE-2017-9148 (The TLS session cache in FreeRADIUS 2.1.1 through 2.1.7, 3.0.x before ...) {DLA-977-1} - freeradius 3.0.12+dfsg-5 (bug #863673) [jessie] - freeradius (Only affects 2.1.1 to 2.1.7 and 3.0 to 3.0.13) NOTE: https://www.openwall.com/lists/oss-security/2017/05/29/1 NOTE: http://freeradius.org/security.html#session-resumption-2017 NOTE: https://anonscm.debian.org/cgit/pkg-freeradius/freeradius.git/commit/?id=8d681449aa95ee4388b5e3c266bdb070a264f563 CVE-2017-9147 (LibTIFF 4.0.7 has an invalid read in the _TIFFVGetField function in ti ...) 
{DLA-984-1 DLA-983-1} - tiff 4.0.8-2 (bug #863185) [jessie] - tiff 4.0.3-12.3+deb8u4 - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2693 CVE-2017-9146 (The TNEFFillMapi function in lib/ytnef.c in libytnef in ytnef through ...) - libytnef 1.9.3-1 (bug #862707) [stretch] - libytnef (Minor issue, can be fixed via a point update) [jessie] - libytnef (Minor issue, can be fixed via a point update) [wheezy] - libytnef (Minor issue) NOTE: https://github.com/Yeraze/ytnef/issues/47 NOTE: https://github.com/Yeraze/ytnef/commit/c576639e7e6bd9c7de0a288b9f94590d34ac9215 CVE-2017-9145 (TikiFilter.php in Tiki Wiki CMS Groupware 12.x through 16.x does not p ...) - tikiwiki CVE-2017-11352 (In ImageMagick before 7.0.5-10, a crafted RLE image can trigger a cras ...) {DSA-4040-1 DLA-1081-1} - imagemagick 8:6.9.7.4+dfsg-12 (bug #868469) [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u1 NOTE: https://github.com/ImageMagick/ImageMagick/issues/502 NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/7f1f01b695e869c410ee10e2176f8fd764f09373 NOTE: ImageMagick-7: https://github.com/ImageMagick/ImageMagick/commit/86cb33143c5b21912187403860a7c26761a3cd23 CVE-2017-9144 (In ImageMagick 7.0.5-5, a crafted RLE image can trigger a crash becaus ...) {DSA-3863-1 DLA-1081-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-9 (bug #863126) NOTE: https://github.com/ImageMagick/ImageMagick/commit/7fdf9ea808caa3c81a0eb42656e5fafc59084198 CVE-2017-9142 (In ImageMagick 7.0.5-7 Q16, a crafted file could trigger an assertion ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-9 (bug #863125) NOTE: https://github.com/ImageMagick/ImageMagick/issues/490 NOTE: https://github.com/ImageMagick/ImageMagick/commit/72f5c8632bff2daf3c95005f9b4cf2982786b52a CVE-2017-9141 (In ImageMagick 7.0.5-7 Q16, a crafted file could trigger an assertion ...) 
{DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-9 (bug #863124) NOTE: https://github.com/ImageMagick/ImageMagick/issues/489 NOTE: https://github.com/ImageMagick/ImageMagick/commit/f5910e91b0778e03ded45b9022be8eb8f77942cd CVE-2017-9143 (In ImageMagick 7.0.5-5, the ReadARTImage function in coders/art.c allo ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-9 (bug #863123) NOTE: https://github.com/ImageMagick/ImageMagick/issues/456 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7b8c1df65b25d6671f113e2306982eded44ce3b4 CVE-2017-9140 (Cross-site scripting (XSS) vulnerability in Telerik.ReportViewer.WebFo ...) NOT-FOR-US: Telerik CVE-2017-9139 (There is a stack-based buffer overflow on some Tenda routers (FH1202/F ...) NOT-FOR-US: Tenda CVE-2017-9138 (There is a debug-interface vulnerability on some Tenda routers (FH1202 ...) NOT-FOR-US: Tenda CVE-2017-9137 (Ceragon FibeAir IP-10 wireless radios through 7.2.0 have a default pas ...) NOT-FOR-US: Ceragon FibeAir CVE-2017-9136 (An issue was discovered on Mimosa Client Radios before 2.2.3. In the d ...) NOT-FOR-US: Mimosa Client Radios CVE-2017-9135 (An issue was discovered on Mimosa Client Radios before 2.2.4 and Mimos ...) NOT-FOR-US: Mimosa Client Radios CVE-2017-9134 (An information-leakage issue was discovered on Mimosa Client Radios be ...) NOT-FOR-US: Mimosa Client Radios CVE-2017-9133 (An issue was discovered on Mimosa Client Radios before 2.2.3 and Mimos ...) NOT-FOR-US: Mimosa Client Radios CVE-2017-9132 (A hard-coded credentials issue was discovered on Mimosa Client Radios ...) NOT-FOR-US: Mimosa Client Radios CVE-2017-9131 (An issue was discovered on Mimosa Client Radios before 2.2.3 and Mimos ...) NOT-FOR-US: Mimosa Client Radios CVE-2017-9130 (The faacEncOpen function in libfaac/frame.c in Freeware Advanced Audio ...) 
- faac 1.29+git20170704-1 (bug #865909) [stretch] - faac (Non-free not supported) [jessie] - faac (Non-free not supported) NOTE: https://www.exploit-db.com/exploits/42207/ CVE-2017-9129 (The wav_open_read function in frontend/input.c in Freeware Advanced Au ...) - faac 1.29+git20170704-1 (bug #865909) [stretch] - faac (Non-free not supported) [jessie] - faac (Non-free not supported) NOTE: https://www.exploit-db.com/exploits/42207/ CVE-2017-9128 (The quicktime_video_width function in lqt_quicktime.c in libquicktime ...) {DLA-1042-1} - libquicktime 2:1.2.4-11 (low; bug #864664) [stretch] - libquicktime 2:1.2.4-10+deb9u1 [jessie] - libquicktime (Minor issue) CVE-2017-9127 (The quicktime_user_atoms_read_atom function in useratoms.c in libquick ...) {DLA-1042-1} - libquicktime 2:1.2.4-11 (low; bug #864664) [stretch] - libquicktime 2:1.2.4-10+deb9u1 [jessie] - libquicktime (Minor issue) CVE-2017-9126 (The quicktime_read_dref_table function in dref.c in libquicktime 1.2.4 ...) {DLA-1042-1} - libquicktime 2:1.2.4-11 (low; bug #864664) [stretch] - libquicktime 2:1.2.4-10+deb9u1 [jessie] - libquicktime (Minor issue) CVE-2017-9125 (The lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2 ...) {DLA-1042-1} - libquicktime 2:1.2.4-11 (low; bug #864664) [stretch] - libquicktime 2:1.2.4-10+deb9u1 [jessie] - libquicktime (Minor issue) CVE-2017-9124 (The quicktime_match_32 function in util.c in libquicktime 1.2.4 allows ...) {DLA-1042-1} - libquicktime 2:1.2.4-11 (low; bug #864664) [stretch] - libquicktime 2:1.2.4-10+deb9u1 [jessie] - libquicktime (Minor issue) CVE-2017-9123 (The lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2 ...) {DLA-1042-1} - libquicktime 2:1.2.4-11 (low; bug #864664) [stretch] - libquicktime 2:1.2.4-10+deb9u1 [jessie] - libquicktime (Minor issue) CVE-2017-9122 (The quicktime_read_moov function in moov.c in libquicktime 1.2.4 allow ...) 
{DLA-1042-1} - libquicktime 2:1.2.4-11 (low; bug #864664) [stretch] - libquicktime 2:1.2.4-10+deb9u1 [jessie] - libquicktime (Minor issue) CVE-2017-9121 RESERVED CVE-2017-9120 (PHP 7.x through 7.1.5 allows remote attackers to cause a denial of ser ...) - php7.2 (unimportant) - php7.1 (unimportant) - php7.0 (unimportant) - php5 (Not reproducible, vulnerable code not present.) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74544 NOTE: Not treated as a security issue by upstream CVE-2017-9119 (The i_zval_ptr_dtor function in Zend/zend_variables.h in PHP 7.1.5 all ...) - php7.1 (unimportant) - php7.0 (unimportant) - php5 (unimportant) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74593 NOTE: Only triggerable by malicious script CVE-2017-9118 (PHP 7.1.5 has an Out of bounds access in php_pcre_replace_impl via a c ...) - php7.2 (unimportant) - php7.1 (unimportant) - php7.0 (unimportant) - php5 (unimportant) NOTE: Check for Jessie again as soon as more information is available. NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74604 NOTE: Not treated as a security issue by upstream CVE-2017-9117 (In LibTIFF 4.0.7, the program processes BMP images without verifying t ...) - tiff (unimportant) - tiff3 (Does not ship libtiff-tools) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2690 NOTE: bmp2tiff utility removed in 4.0.6-3 and 4.0.3-12.3+deb8u2 CVE-2017-9116 (In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress function ...) {DLA-2358-1 DLA-1083-1} - openexr 2.2.0-11.1 (bug #864078) [jessie] - openexr (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/05/12/5 NOTE: https://github.com/openexr/openexr/issues/232 CVE-2017-9115 (In OpenEXR 2.2.0, an invalid write of size 2 in the = operator functio ...) 
{DSA-4755-1 DLA-2358-1} - openexr 2.5.3-2 (bug #873885) [jessie] - openexr (Minor issue) [wheezy] - openexr (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/05/12/5 NOTE: https://github.com/openexr/openexr/issues/232 CVE-2017-9114 (In OpenEXR 2.2.0, an invalid read of size 1 in the refill function in ...) {DSA-4755-1 DLA-2358-1} - openexr 2.5.3-2 (bug #873885) [jessie] - openexr (Minor issue) [wheezy] - openexr (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/05/12/5 NOTE: https://github.com/openexr/openexr/issues/232 CVE-2017-9113 (In OpenEXR 2.2.0, an invalid write of size 1 in the bufferedReadPixels ...) {DSA-4755-1 DLA-2358-1} - openexr 2.5.3-2 (low; bug #873885) [jessie] - openexr (Minor issue) [wheezy] - openexr (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/05/12/5 NOTE: https://github.com/openexr/openexr/issues/232 CVE-2017-9112 (In OpenEXR 2.2.0, an invalid read of size 1 in the getBits function in ...) {DLA-2358-1 DLA-1083-1} - openexr 2.2.0-11.1 (bug #864078) [jessie] - openexr (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/05/12/5 NOTE: https://github.com/openexr/openexr/issues/232 CVE-2017-9111 (In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function ...) {DSA-4755-1 DLA-2358-1} - openexr 2.5.3-2 (bug #873885) [jessie] - openexr (Minor issue) [wheezy] - openexr (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/05/12/5 NOTE: https://github.com/openexr/openexr/issues/232 CVE-2017-9110 (In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode function ...) {DLA-2358-1 DLA-1083-1} - openexr 2.2.0-11.1 (bug #864078) [jessie] - openexr (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/05/12/5 NOTE: https://github.com/openexr/openexr/issues/232 CVE-2017-9109 (An issue was discovered in adns before 1.5.2. It fails to ignore appar ...) 
- adns 1.6.0-2 (unimportant) NOTE: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git;a=commit;h=fcf2b4e1faf22accb6184cca595aaee602839868 NOTE: Stub resolver that should only be used with trusted recursors CVE-2017-9108 (An issue was discovered in adns before 1.5.2. adnshost mishandles a mi ...) - adns 1.6.0-2 (unimportant) NOTE: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git;a=commit;h=72c6bfd77dfdb34457a792874fd1c3030fca90ac NOTE: Stub resolver that should only be used with trusted recursors CVE-2017-9107 (An issue was discovered in adns before 1.5.2. It overruns reading a bu ...) - adns 1.6.0-2 (unimportant) NOTE: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git;a=commit;h=278f8eee581c4c4a0ddd0f98c4dc8c2974cf6b90 NOTE: Stub resolver that should only be used with trusted recursors CVE-2017-9106 (An issue was discovered in adns before 1.5.2. adns_rr_info mishandles ...) - adns 1.6.0-2 (unimportant) NOTE: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git;a=commit;h=37792aacaf7abbcdac6a02715a5ef794b5147f13 NOTE: Stub resolver that should only be used with trusted recursors CVE-2017-9105 (An issue was discovered in adns before 1.5.2. It corrupts a pointer wh ...) - adns 1.6.0-2 (unimportant) NOTE: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git;a=commit;h=17afb298d90c5aafed76bd3855a5fe7dcd58594c NOTE: Stub resolver that should only be used with trusted recursors CVE-2017-9104 (An issue was discovered in adns before 1.5.2. It hangs, eating CPU, if ...) - adns 1.6.0-2 (unimportant) NOTE: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git;a=commit;h=7ba7a232de0516d2cce934bdc91627b33b46ef47 NOTE: Stub resolver that should only be used with trusted recursors CVE-2017-9103 (An issue was discovered in adns before 1.5.2. pap_mailbox822 does not ...) 
- adns 1.6.0-2 (unimportant) NOTE: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=adns.git;a=commit;h=020d86e2eccc2dbdfa9dcca08ddb327cc7ca3ae2 NOTE: Stub resolver that should only be used with trusted recursors CVE-2017-9102 RESERVED CVE-2017-9101 (import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows re ...) NOT-FOR-US: PlaySMS CVE-2017-9100 (login.cgi on D-Link DIR-600M devices with firmware 3.04 allows remote ...) NOT-FOR-US: D-Link CVE-2017-9099 RESERVED CVE-2017-9098 (ImageMagick before 7.0.5-2 and GraphicsMagick before 1.3.24 use uninit ...) {DSA-3863-1 DLA-1456-1 DLA-960-1 DLA-953-1} - imagemagick 8:6.9.7.4+dfsg-9 (bug #862967) - graphicsmagick 1.3.24-1 NOTE: ImageMagick fix: https://github.com/ImageMagick/ImageMagick/commit/1c358ffe0049f768dd49a8a889c1cbf99ac9849b NOTE: GraphicsMagick fix: http://hg.code.sf.net/p/graphicsmagick/code/diff/0a5b75e019b6/coders/rle.c NOTE: https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html CVE-2017-9097 (In Anti-Web through 3.8.7, as used on NetBiter FGW200 devices through ...) NOT-FOR-US: Anti-Web CVE-2017-9096 (The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not dis ...) NOT-FOR-US: iText CVE-2017-9095 (XXE in Diving Log 6.0 allows attackers to remotely view local files th ...) NOT-FOR-US: Diving Log CVE-2017-9094 (The lzw_add_to_dict function in imagew-gif.c in libimageworsener.a in ...) NOT-FOR-US: ImageWorsener CVE-2017-9093 (The my_skip_input_data_fn function in imagew-jpeg.c in libimageworsene ...) NOT-FOR-US: ImageWorsener CVE-2017-9092 RESERVED CVE-2017-9091 (/admin/loginc.php in Allen Disk 1.6 doesn't check if isset($_SESSION[' ...) NOT-FOR-US: Allen Disk CVE-2017-9090 (reg.php in Allen Disk 1.6 doesn't check if isset($_SESSION['captcha'][ ...) 
NOT-FOR-US: Allen Disk CVE-2017-9089 RESERVED CVE-2017-9088 RESERVED CVE-2017-9087 RESERVED CVE-2017-9086 RESERVED CVE-2017-9085 (Multiple cross-site scripting (XSS) vulnerabilities in Kodak InSite 6. ...) NOT-FOR-US: Kodak InSite CVE-2017-9084 RESERVED CVE-2017-9083 (poppler 0.54.0, as used in Evince and other products, has a NULL point ...) - poppler (unimportant; bug #863016) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101084 NOTE: Does not use JPX decoder but openjpeg; affected only source wise CVE-2017-9082 RESERVED CVE-2017-9081 RESERVED CVE-2017-9080 (PlaySMS 1.4 allows remote code execution because PHP code in the name ...) NOT-FOR-US: PlaySMS CVE-2017-9079 (Dropbear before 2017.75 might allow local users to read certain files ...) {DSA-3859-1 DLA-948-1} - dropbear 2016.74-5 (bug #862970) NOTE: Patch: https://hg.ucc.asn.au/dropbear/rev/0d889b068123 CVE-2017-9078 (The server in Dropbear before 2017.75 might allow post-authentication ...) {DSA-3859-1} - dropbear 2016.74-5 (bug #862970) [wheezy] - dropbear (Vulnerable code not present) NOTE: Patch: https://hg.ucc.asn.au/dropbear/rev/c8114a48837c CVE-2017-9077 (The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux ...) {DSA-3886-1 DLA-993-1} - linux 4.9.30-1 NOTE: Fixed by: https://git.kernel.org/linus/83eaddab4378db256d00d295bda6ca997cd13a52 CVE-2017-9076 (The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux ...) {DSA-3886-1 DLA-993-1} - linux 4.9.30-1 NOTE: Fixed by: https://git.kernel.org/linus/83eaddab4378db256d00d295bda6ca997cd13a52 CVE-2017-9075 (The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux ...) {DSA-3886-1 DLA-993-1} - linux 4.9.30-1 NOTE: Fixed by: https://git.kernel.org/linus/fdcee2cbb8438702ea1b328fb6e0ac5e9a40c7f8 CVE-2017-9074 (The IPv6 fragmentation implementation in the Linux kernel through 4.11 ...) 
{DSA-3886-1 DLA-993-1} - linux 4.9.30-1 NOTE: Fixed by: https://git.kernel.org/linus/2423496af35d94a87156b063ea5cedffc10a70a1 CVE-2017-9073 REJECTED CVE-2017-9072 (Two CalendarXP products have XSS in common parts of HTML files. Calend ...) NOT-FOR-US: CalendarXP CVE-2017-9071 (In MODX Revolution before 2.5.7, an attacker might be able to trigger ...) NOT-FOR-US: MODX Revolution CVE-2017-9070 (In MODX Revolution before 2.5.7, a user with resource edit permissions ...) NOT-FOR-US: MODX Revolution CVE-2017-9069 (In MODX Revolution before 2.5.7, a user with file upload permissions i ...) NOT-FOR-US: MODX Revolution CVE-2017-9068 (In MODX Revolution before 2.5.7, an attacker is able to trigger Reflec ...) NOT-FOR-US: MODX Revolution CVE-2017-9067 (In MODX Revolution before 2.5.7, when PHP 5.3.3 is used, an attacker i ...) NOT-FOR-US: MODX Revolution CVE-2017-9060 (Memory leak in the virtio_gpu_set_scanout function in hw/display/virti ...) - qemu 1:2.10.0-1 (unimportant) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: Marked as unimportant, since 1:2.8+dfsg-2 reverted the support for NOTE: virtio gpu (virglrenderer) and opengl, but the affected code is NOTE: still present. NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=dd248ed7e204ee8a1873914e02b8b526e8f1b80d CVE-2017-9059 (The NFSv4 implementation in the Linux kernel through 4.11.1 allows loc ...) - linux 4.9.30-1 [jessie] - linux (Introduced in 4.9) [wheezy] - linux (Introduced in 4.9) CVE-2017-9057 RESERVED CVE-2017-9056 RESERVED CVE-2017-9055 (An issue, also known as DW201703-001, was discovered in libdwarf 2017- ...) 
- dwarfutils 20170416-2 (bug #864064) [stretch] - dwarfutils 20161124-1+deb9u1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://www.prevanders.net/dwarfbug.html#DW201703-001 CVE-2017-9054 (An issue, also known as DW201703-002, was discovered in libdwarf 2017- ...) - dwarfutils 20170416-2 (bug #864064) [stretch] - dwarfutils 20161124-1+deb9u1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://www.prevanders.net/dwarfbug.html#DW201703-002 CVE-2017-9053 (An issue, also known as DW201703-005, was discovered in libdwarf 2017- ...) - dwarfutils 20170416-2 (bug #864064) [stretch] - dwarfutils 20161124-1+deb9u1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://www.prevanders.net/dwarfbug.html#DW201703-005 CVE-2017-9052 (An issue, also known as DW201703-006, was discovered in libdwarf 2017- ...) - dwarfutils 20170416-2 (bug #864064) [stretch] - dwarfutils 20161124-1+deb9u1 [jessie] - dwarfutils (Minor issue) [wheezy] - dwarfutils (Minor issue) NOTE: https://www.prevanders.net/dwarfbug.html#DW201703-006 CVE-2017-9051 (libav before 12.1 is vulnerable to an invalid read of size 1 due to NU ...) - libav (low) [jessie] - libav (Tested with the original reproducer, 0.11 branch not vulnerable) [wheezy] - libav (Tested with the original reproducer, 0.8 branch not vulnerable) - ffmpeg 7:2.6.1-1 (low) NOTE: Fix in libav: https://github.com/libav/libav/commit/fe6eea99efac66839052af547426518efd970b24.patch NOTE: Fix in ffmpeg: https://github.com/FFmpeg/FFmpeg/commit/8d7ce5cdb707d4b22749f72d3f118e62e2b95cd3 NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1039 CVE-2017-9050 (libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buff ...) 
{DSA-3952-1 DLA-1008-1} - libxml2 2.9.4+dfsg1-3.1 (bug #863018) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=781361 (not public) NOTE: https://www.openwall.com/lists/oss-security/2017/05/15/1 NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3 CVE-2017-9049 (libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buff ...) {DSA-3952-1 DLA-1008-1} - libxml2 2.9.4+dfsg1-3.1 (bug #863019) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=781205 (not public) NOTE: https://www.openwall.com/lists/oss-security/2017/05/15/1 NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=e26630548e7d138d2c560844c43820b6767251e3 CVE-2017-9048 (libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a stack-based buf ...) {DSA-3952-1 DLA-1008-1} - libxml2 2.9.4+dfsg1-3.1 (bug #863021) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=781701 (not public) NOTE: https://www.openwall.com/lists/oss-security/2017/05/15/1 NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74 CVE-2017-9047 (A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g074180 ...) {DSA-3952-1 DLA-1008-1} - libxml2 2.9.4+dfsg1-3.1 (bug #863022) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=781333 (not public) NOTE: https://www.openwall.com/lists/oss-security/2017/05/15/1 NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=932cc9896ab41475d4aa429c27d9afd175959d74 CVE-2017-9046 (winpm-32.exe in Pegasus Mail (aka Pmail) v4.72 build 572 allows code e ...) NOT-FOR-US: Pegasus Mail CVE-2017-9045 (The Google I/O 2017 application before 5.1.4 for Android downloads mul ...) NOT-FOR-US: Google I/O 2017 application CVE-2017-9044 (The print_symbol_for_build_attribute function in readelf.c in GNU Binu ...) 
- binutils 2.29-1 (low) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) CVE-2017-9043 (readelf.c in GNU Binutils 2017-04-12 has a "shift exponent too large f ...) - binutils 2.29-1 (low; bug #863674) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ddef72cdc10d82ba011a7ff81cafbbd3466acf54 CVE-2017-9042 (readelf.c in GNU Binutils 2017-04-12 has a "cannot be represented in t ...) - binutils 2.29-1 (low; bug #863674) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf CVE-2017-9041 (GNU Binutils 2.28 allows remote attackers to cause a denial of service ...) - binutils 2.28-6 (low; bug #863674) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=75ec1fdbb797a389e4fe4aaf2e15358a070dcc19 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c4ab9505b53cdc899506ed421fddb7e1f8faf7a3 CVE-2017-9040 (GNU Binutils 2017-04-03 allows remote attackers to cause a denial of s ...) - binutils 2.29-1 (low; bug #863674) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7296a62a2a237f6b1ad8db8c38b090e9f592c8cf CVE-2017-9039 (GNU Binutils 2.28 allows remote attackers to cause a denial of service ...) 
- binutils 2.28-6 (low; bug #863674) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=82156ab704b08b124d319c0decdbd48b3ca2dac5 CVE-2017-9038 (GNU Binutils 2.28 allows remote attackers to cause a denial of service ...) - binutils 2.28-6 (low; bug #863674) [stretch] - binutils (Minor issue) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f32ba72991d2406b21ab17edc234a2f3fa7fb23d CVE-2017-9037 (Multiple cross-site scripting (XSS) vulnerabilities in Trend Micro Ser ...) NOT-FOR-US: Trend Micro CVE-2017-9036 (Trend Micro ServerProtect for Linux 3.0 before CP 1531 allows local us ...) NOT-FOR-US: Trend Micro CVE-2017-9035 (Trend Micro ServerProtect for Linux 3.0 before CP 1531 allows attacker ...) NOT-FOR-US: Trend Micro CVE-2017-9034 (Trend Micro ServerProtect for Linux 3.0 before CP 1531 allows attacker ...) NOT-FOR-US: Trend Micro CVE-2017-9033 (Cross-site request forgery (CSRF) vulnerability in Trend Micro ServerP ...) NOT-FOR-US: Trend Micro CVE-2017-9032 (Multiple cross-site scripting (XSS) vulnerabilities in Trend Micro Ser ...) NOT-FOR-US: Trend Micro CVE-2017-9058 (In libytnef in ytnef through 1.9.2, there is a heap-based buffer over- ...) - libytnef 1.9.2-2 (low; bug #862556) [jessie] - libytnef (Minor issue) [wheezy] - libytnef (Minor issue) NOTE: https://github.com/Yeraze/ytnef/issues/45 CVE-2017-9030 (The Codextrous B2J Contact (aka b2j_contact) extension before 2.1.13 f ...) NOT-FOR-US: Joomla extension CVE-2017-9029 RESERVED CVE-2017-9028 RESERVED CVE-2017-9027 RESERVED CVE-2017-9026 (Stack buffer overflow in vshttpd (aka ioos) in HooToo Trip Mate 6 (TM6 ...) NOT-FOR-US: HooHoo Trip Mate CVE-2017-9025 (Heap buffer overflow in vshttpd (aka ioos) in HooToo Trip Mate 6 (TM6) ...) 
NOT-FOR-US: HooHoo Trip Mate CVE-2017-9066 (In WordPress before 4.7.5, there is insufficient redirect validation i ...) {DLA-1075-1} - wordpress 4.7.5+dfsg-1 (bug #862816) [jessie] - wordpress 4.1+dfsg-1+deb8u16 NOTE: https://wordpress.org/news/2017/05/wordpress-4-7-5/ NOTE: https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11 CVE-2017-9065 (In WordPress before 4.7.5, there is a lack of capability checks for po ...) {DSA-3870-1 DLA-975-1} - wordpress 4.7.5+dfsg-1 (bug #862816) NOTE: https://wordpress.org/news/2017/05/wordpress-4-7-5/ NOTE: https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4 CVE-2017-9064 (In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnera ...) {DSA-3870-1 DLA-975-1} - wordpress 4.7.5+dfsg-1 (bug #862816) NOTE: https://wordpress.org/news/2017/05/wordpress-4-7-5/ NOTE: https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67 CVE-2017-9063 (In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability ...) {DSA-3870-1 DLA-975-1} - wordpress 4.7.5+dfsg-1 (bug #862816) NOTE: https://wordpress.org/news/2017/05/wordpress-4-7-5/ NOTE: https://github.com/WordPress/WordPress/commit/3d10fef22d788f29aed745b0f5ff6f6baea69af3 CVE-2017-9062 (In WordPress before 4.7.5, there is improper handling of post meta dat ...) {DSA-3870-1 DLA-975-1} - wordpress 4.7.5+dfsg-1 (bug #862816) NOTE: https://wordpress.org/news/2017/05/wordpress-4-7-5/ NOTE: https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381 CVE-2017-9061 (In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability ...) {DSA-3870-1 DLA-975-1} - wordpress 4.7.5+dfsg-1 (bug #862816) NOTE: https://wordpress.org/news/2017/05/wordpress-4-7-5/ NOTE: https://github.com/WordPress/WordPress/commit/8c7ea71edbbffca5d9766b7bea7c7f3722ffafa6 CVE-2017-9024 (Secure Bytes Cisco Configuration Manager, as bundled in Secure Bytes S ...) 
NOT-FOR-US: Secure Bytes Cisco Configuration Manager CVE-2017-9023 (The ASN.1 parser in strongSwan before 5.5.3 improperly handles CHOICE ...) {DSA-3866-1 DLA-973-1} - strongswan 5.5.1-4 NOTE: upstream fix https://git.strongswan.org/?p=strongswan.git;a=commit;h=407fcca200fdf6a41a04ac0885a770b6b53c5d23 CVE-2017-9022 (The gmp plugin in strongSwan before 5.5.3 does not properly validate R ...) {DSA-3866-1 DLA-973-1} - strongswan 5.5.1-4 NOTE: upstream fix https://git.strongswan.org/?p=strongswan.git;a=commit;h=6681d98d18d24b31410fc12c3d61f150107481b3 CVE-2017-9021 REJECTED CVE-2017-9020 RESERVED CVE-2017-9019 RESERVED CVE-2017-9018 REJECTED CVE-2017-9017 REJECTED CVE-2017-9016 REJECTED CVE-2017-9015 REJECTED CVE-2017-9014 REJECTED CVE-2017-9013 REJECTED CVE-2017-9012 REJECTED CVE-2017-9011 REJECTED CVE-2017-9010 REJECTED CVE-2017-9009 REJECTED CVE-2017-9008 REJECTED CVE-2017-9007 REJECTED CVE-2017-9006 REJECTED CVE-2017-9005 REJECTED CVE-2017-9004 REJECTED CVE-2017-9003 (Multiple memory corruption flaws are present in ArubaOS which could al ...) NOT-FOR-US: Aruba CVE-2017-9002 (All versions of Aruba ClearPass prior to 6.6.8 contain reflected cross ...) NOT-FOR-US: Aruba CVE-2017-9001 (Aruba ClearPass 6.6.3 and later includes a feature called "SSH Lockout ...) NOT-FOR-US: Aruba CVE-2017-9000 (ArubaOS, all versions prior to 6.3.1.25, 6.4 prior to 6.4.4.16, 6.5.x ...) NOT-FOR-US: Aruba CVE-2017-8999 REJECTED CVE-2017-8998 REJECTED CVE-2017-8997 REJECTED CVE-2017-8996 REJECTED CVE-2017-8995 REJECTED CVE-2017-8994 (A input validation vulnerability in HPE Operations Orchestration produ ...) NOT-FOR-US: HPE CVE-2017-8993 (A Remote Cross-Site Scripting vulnerability in HPE Project and Portfol ...) NOT-FOR-US: HPE Project and Portfolio Management CVE-2017-8992 (HPE has identified a remote privilege escalation vulnerability in HPE ...) NOT-FOR-US: HPE CVE-2017-8991 (HPE has identified a cross site scripting (XSS) vulnerability in HPE C ...) 
NOT-FOR-US: HPE CVE-2017-8990 (A remote code execution vulnerability was identified in HPE Intelligen ...) NOT-FOR-US: HPE CVE-2017-8989 (A security vulnerability in HPE IceWall SSO Dfw 10.0 and 11.0 on RHEL, ...) NOT-FOR-US: HPE CVE-2017-8988 (A Remote Bypass of Security Restrictions vulnerability was identified ...) NOT-FOR-US: HPE CVE-2017-8987 (A Unauthenticated Remote Denial of Service vulnerability was identifie ...) NOT-FOR-US: HPE CVE-2017-8986 REJECTED CVE-2017-8985 (HPE XP Storage using Hitachi Global Link Manager (HGLM) has a local au ...) NOT-FOR-US: HPE XP Storage CVE-2017-8984 (A remote code execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8983 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8982 (A Remote Authentication Restriction Bypass vulnerability in HPE Intell ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8981 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8980 (A Remote Disclosure of Information vulnerability in HPE Intelligent Ma ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8979 (Security vulnerabilities in the HPE Integrated Lights-Out 2 (iLO 2) fi ...) NOT-FOR-US: HPE Integrated Lights-Out 2 (iLO 2) firmware CVE-2017-8978 (A Remote Unauthorized Disclosure of Information vulnerability in HPE I ...) NOT-FOR-US: HPE IceWall Products CVE-2017-8977 (A Remote Denial of Service vulnerability in Hewlett Packard Enterprise ...) NOT-FOR-US: Hewlett Packard Enterprise Moonshot Provisioning Manager Appliance CVE-2017-8976 (A Remote Code Execution vulnerability in Hewlett Packard Enterprise Mo ...) NOT-FOR-US: Hewlett Packard Enterprise Moonshot Provisioning Manager Appliance CVE-2017-8975 (A Remote Code Execution vulnerability in Hewlett Packard Enterprise Mo ...) 
NOT-FOR-US: Hewlett Packard Enterprise Moonshot Provisioning Manager Appliance CVE-2017-8974 (A Local Authentication Restriction Bypass vulnerability in HPE NonStop ...) NOT-FOR-US: HPE NonStop Server CVE-2017-8973 (An improper input validation vulnerability in HPE Matrix Operating Env ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2017-8972 (A clickjacking vulnerability in HPE Matrix Operating Environment versi ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2017-8971 (A clickjacking vulnerability in HPE Matrix Operating Environment versi ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2017-8970 (A remote unauthenticated disclosure of information vulnerability in HP ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2017-8969 (An improper input validation vulnerability in HPE Insight Control vers ...) NOT-FOR-US: HPE Insight Control CVE-2017-8968 (A remote execution of arbitrary code vulnerability has been identified ...) NOT-FOR-US: HPE CVE-2017-8967 (A Deserialization of Untrusted Data vulnerability in Hewlett Packard E ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8966 (A Deserialization of Untrusted Data vulnerability in Hewlett Packard E ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8965 (A Deserialization of Untrusted Data vulnerability in Hewlett Packard E ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8964 (A Deserialization of Untrusted Data vulnerability in Hewlett Packard E ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8963 (A Deserialization of Untrusted Data vulnerability in Hewlett Packard E ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8962 (A Deserialization of Untrusted Data vulnerability in Hewlett Packard E ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8961 (A directory traversal vulnerability in HPE Intelligent Management Cent ...) 
NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8960 (An Authentication Bypass vulnerability in HPE MSA 1040 and MSA 2040 SA ...) NOT-FOR-US: HPE MSA CVE-2017-8959 (An Authentication Bypass vulnerability in HPE MSA 1040 and HPE MSA 204 ...) NOT-FOR-US: HPE MSA CVE-2017-8958 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8957 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8956 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8955 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8954 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-8953 (A Remote Cross-Site Scripting (XSS) vulnerability in HPE LoadRunner v1 ...) NOT-FOR-US: HPE LoadRunner CVE-2017-8952 (A Disclosure of Sensitive Information vulnerability in HPE SiteScope v ...) NOT-FOR-US: HPE SiteScope CVE-2017-8951 (A Disclosure of Sensitive Information vulnerability in HPE SiteScope v ...) NOT-FOR-US: HPE SiteScope CVE-2017-8950 (A Disclosure of Sensitive Information vulnerability in HPE SiteScope v ...) NOT-FOR-US: HPE SiteScope CVE-2017-8949 (A Disclosure of Sensitive Information vulnerability in HPE SiteScope v ...) NOT-FOR-US: HPE SiteScope CVE-2017-8948 (A Remote Bypass Security Restriction vulnerability in HPE Network Node ...) NOT-FOR-US: HPE Network Node Manager CVE-2017-8947 (A Remote Code Execution vulnerability in HPE UCMDB version v10.10, v10 ...) NOT-FOR-US: HPE UCMDB CVE-2017-8946 (A Remote Code Execution vulnerability in HPE Aruba AirWave Glass versi ...) NOT-FOR-US: HPE Aruba AirWave Glass CVE-2017-8945 (A Remote Unauthorized Disclosure of Information vulnerability in HPE I ...) 
NOT-FOR-US: HPE IceWall Federation Agent CVE-2017-8944 (A Remote Disclosure of Information vulnerability in HPE Cloud Optimize ...) NOT-FOR-US: HPE Cloud Optimizer CVE-2017-8943 (The PUMA PUMATRAC app 3.0.2 for iOS does not verify X.509 certificates ...) NOT-FOR-US: PUMA PUMATRAC app CVE-2017-8942 (The YottaMark ShopWell - Healthy Diet & Grocery Food Scanner app 5 ...) NOT-FOR-US: YottaMark ShopWell app CVE-2017-8941 (The Interval International app 3.3 through 3.5.1 for iOS does not veri ...) NOT-FOR-US: Interval International app CVE-2017-8940 (The Zipongo - Healthy Recipes and Grocery Deals app before 6.3 for iOS ...) NOT-FOR-US: Zipongo app CVE-2017-8939 (The Warner Bros. ellentube app 3.1.1 through 3.1.3 for iOS does not ve ...) NOT-FOR-US: ellentube app CVE-2017-8938 (The Radio Javan app 9.3.4 through 9.6.1 for iOS does not verify X.509 ...) NOT-FOR-US: Radio Javan app CVE-2017-8937 (The Life Before Us Yo app 2.5.8 for iOS does not verify X.509 certific ...) NOT-FOR-US: Life Before Us Yo app CVE-2017-8936 (The MoboTap Dolphin Web Browser - Fast Private Internet Search app 9.2 ...) NOT-FOR-US: MoboTap Dolphin Web Browser CVE-2017-8935 (The Quest Information Systems Indiana Voters app 1.1.24 for iOS does n ...) NOT-FOR-US: Quest Information Systems Indiana Voters app CVE-2017-8932 (A bug in the standard library ScalarMult implementation of curve P-256 ...) 
- golang-1.8 1.8.3-1 (bug #863307) [stretch] - golang-1.8 (Minor issue, would require builds of all go packages in stable) - golang-1.7 1.7.6-1 (bug #863308) [stretch] - golang-1.7 (Minor issue, would require builds of all go packages in stable) - golang [wheezy] - golang (Vulnerable code not present, no ASM implementation of the p256 elliptic curve) [jessie] - golang (Vulnerable code not present, no ASM implementation of the p256 elliptic curve) NOTE: Upstream issue: https://github.com/golang/go/issues/20040 NOTE: Upstream patch: https://golang.org/cl/41070 NOTE: Fix for 1.7: https://go-review.googlesource.com/c/43773 NOTE: Fix for 1.8: https://go-review.googlesource.com/c/43770 CVE-2017-8931 (Bitdefender GravityZone VMware appliance before 6.2.1-35 might allow a ...) NOT-FOR-US: Bitdefender CVE-2017-8930 (Multiple cross-site request forgery (CSRF) vulnerabilities in Simple I ...) NOT-FOR-US: Simple Invoices CVE-2017-8929 (The sized_string_cmp function in libyara/sizedstr.c in YARA 3.5.0 allo ...) - yara 3.6.0+dfsg-1 [stretch] - yara (Minor issue, too intrusive to backport) [jessie] - yara (Minor issue, too intrusive to backport) NOTE: https://github.com/VirusTotal/yara/issues/658 NOTE: https://github.com/VirusTotal/yara/commit/053e67e3ec81cc9268ce30eaf0d6663d8639ed1e CVE-2017-8928 (mailcow 0.14, as used in "mailcow: dockerized" and other products, has ...) NOT-FOR-US: mailcow CVE-2017-9031 (The WebUI component in Deluge before 1.3.15 contains a directory trave ...) {DSA-3856-1 DLA-943-1} - deluge 1.3.13+git20161130.48cedf63-3 (bug #862611) NOTE: http://dev.deluge-torrent.org/wiki/ReleaseNotes/1.3.15 NOTE: Fixed by: http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=41acade01ae88f7b7bbdba308a0886771aa582fd CVE-2017-8934 (PCManFM 1.2.5 insecurely uses /tmp for a socket file, allowing a local ...) 
- pcmanfm 1.2.5-3 (low; bug #862571) [jessie] - pcmanfm (Minor issue) [wheezy] - pcmanfm (Minor issue) NOTE: Fixed by: https://git.lxde.org/gitweb/?p=lxde/pcmanfm.git;a=commitdiff;h=bc8c3d871e9ecc67c47ff002b68cf049793faf08 CVE-2017-8933 (Libmenu-cache 1.0.2 insecurely uses /tmp for a socket file, allowing a ...) - menu-cache 1.0.2-3 (low; bug #862570) [jessie] - menu-cache (Minor issue) [wheezy] - menu-cache (Minor issue) NOTE: Fixed by: https://git.lxde.org/gitweb/?p=lxde/menu-cache.git;a=commitdiff;h=56f66684592abf257c4004e6e1fff041c64a12ce CVE-2017-8927 (Buffer overflow in Larson VizEx Reader 9.7.5 allows attackers to cause ...) NOT-FOR-US: Larson VizEx Reader CVE-2017-8926 (Buffer overflow in Halliburton LogView Pro 10.0.1 allows attackers to ...) NOT-FOR-US: Halliburton LogView Pro CVE-2017-8925 (The omninet_open function in drivers/usb/serial/omninet.c in the Linux ...) {DSA-3886-1 DLA-993-1} - linux 4.9.16-1 (low) NOTE: Fixed by: https://git.kernel.org/linus/30572418b445d85fcfe6c8fe84c947d2606767d8 CVE-2017-8924 (The edge_bulk_in_callback function in drivers/usb/serial/io_ti.c in th ...) {DSA-3886-1 DLA-993-1} - linux 4.9.16-1 (low) NOTE: Fixed by: https://git.kernel.org/linus/654b404f2a222f918af9b0cd18ad469d0c941a8e CVE-2017-8923 (The zend_string_extend function in Zend/zend_string.h in PHP through 7 ...) - php7.1 (bug #881539) - php7.0 (bug #881538) [stretch] - php7.0 (Minor issue) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74577 NOTE: (Duplicate of) PHP Bug: https://bugs.php.net/bug.php?id=73122 CVE-2017-8922 RESERVED CVE-2017-8921 (In FlightGear before 2017.2.1, the FGCommand interface allows overwrit ...) 
- flightgear 1:2016.4.4+dfsg-3 (bug #862689) [jessie] - flightgear 3.0.0-5+deb8u2 NOTE: Fixed by: https://sourceforge.net/p/flightgear/flightgear/ci/faf872e7f71ca14c567ac7080561fc785d8d2fd0/ (next) NOTE: Fixed by: https://sourceforge.net/p/flightgear/flightgear/ci/19ab09406e4249f2c6f8ac51938258d1c51eace0/ (2016.4) NOTE: Fixed by: https://sourceforge.net/p/flightgear/flightgear/ci/c8250b10bb9a116889f831d2299678b0ef70fec2/ (3.0.0) CVE-2017-8920 (irc.cgi in CGI:IRC before 0.5.12 reflects user-supplied input from the ...) - cgiirc CVE-2017-8919 (NetApp OnCommand API Services before 1.2P3 logs the LDAP BIND password ...) NOT-FOR-US: NetApp CVE-2017-8918 (XXE in Dive Assistant - Template Builder in Blackwave Dive Assistant - ...) NOT-FOR-US: Dive Assistant CVE-2017-8917 (SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attac ...) NOT-FOR-US: Joomla! CVE-2017-8916 (In Center for Internet Security CIS-CAT Pro Dashboard before 1.0.4, an ...) NOT-FOR-US: Center for Internet Security CIS-CAT Pro Dashboard CVE-2017-8915 (sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers ...) NOT-FOR-US: SAP CVE-2017-8914 (sinopia, as used in SAP HANA XS 1.00 and 2.00, allows remote attackers ...) NOT-FOR-US: SAP CVE-2017-8913 (The Visual Composer VC70RUNTIME component in SAP NetWeaver AS JAVA 7.5 ...) NOT-FOR-US: SAP CVE-2017-8912 (** DISPUTED ** CMS Made Simple (CMSMS) 2.1.6 allows remote authenticat ...) NOT-FOR-US: CMS Made Simple CVE-2017-8911 (An integer underflow has been identified in the unicode_to_utf8() func ...) {DSA-3869-1 DLA-962-1} - tnef 1.4.12-1.2 (bug #862442) NOTE: https://github.com/verdammelt/tnef/issues/23 NOTE: Fixed by: https://github.com/verdammelt/tnef/commit/a686971a1f124d9ae18946b1844dbc2c1f30df10 CVE-2017-8910 RESERVED CVE-2017-8909 RESERVED CVE-2017-8908 (The mark_line_tr function in gxscanc.c in Artifex Ghostscript 9.21 all ...) 
- ghostscript 9.22~dfsg-1 (unimportant) [jessie] - ghostscript (Vulnerable code not present) [wheezy] - ghostscript (Vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697810 NOTE: edgebuffer scan converter was made default only in: https://git.ghostscript.com/?p=ghostpdl.git;h=dd5da2cb3e08398ac6d86598b36b00994d058308 NOTE: But the vulnerable code via base/gxscan.c, a new scan converter introduced in 9.20 is present. CVE-2017-8907 (Atlassian Bamboo 5.x before 5.15.7 and 6.x before 6.0.1 did not correc ...) NOT-FOR-US: Atlassian Bamboo CVE-2017-8906 (An integer underflow vulnerability exists in pixel-a.asm, the x86 asse ...) - x265 (Affected code is not enabled) NOTE: https://bitbucket.org/multicoreware/x265/issues/345/integer-underflow-in-x265-source-common CVE-2017-8902 RESERVED CVE-2017-8901 RESERVED CVE-2017-8900 (LightDM through 1.22.0, when systemd is used in Ubuntu 16.10 and 17.x, ...) - lightdm (No guest account support in Debian, cf. #661230) CVE-2017-8899 (Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has ...) NOT-FOR-US: Invision Power Services CVE-2017-8898 (Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has ...) NOT-FOR-US: Invision Power Services CVE-2017-8897 (Invision Power Services (IPS) Community Suite 4.1.19.2 and earlier has ...) NOT-FOR-US: Invision Power Services CVE-2017-8896 (ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6 ...) - owncloud CVE-2017-8895 (In Veritas Backup Exec 2014 before build 14.1.1187.1126, 15 before bui ...) NOT-FOR-US: Veritas CVE-2017-8894 (AeroAdmin 4.1 uses an insecure protocol (HTTP) to perform software upd ...) NOT-FOR-US: AeroAdmin CVE-2017-8893 (AeroAdmin 4.1 uses a function to copy data between two pointers where ...) NOT-FOR-US: AeroAdmin CVE-2017-8892 (Cross-site scripting (XSS) vulnerability in OpenText Tempo Box 10.0.3 ...) 
	NOT-FOR-US: OpenText Tempo Box
CVE-2017-8891 (Dropbox Lepton 1.2.1 allows DoS (SEGV and application crash) via a mal ...)
	- lepton 1.2.1+20170405-1 (bug #862446)
	NOTE: https://github.com/dropbox/lepton/issues/87
	NOTE: https://github.com/dropbox/lepton/commit/82167c144a322cc956da45407f6dce8d4303d346
CVE-2017-8889
	RESERVED
CVE-2017-8888
	RESERVED
CVE-2017-8887
	RESERVED
CVE-2017-8886
	RESERVED
CVE-2017-8885
	RESERVED
CVE-2017-8884
	RESERVED
CVE-2017-8883
	RESERVED
CVE-2017-8882
	RESERVED
CVE-2017-8881
	RESERVED
CVE-2017-8880
	RESERVED
CVE-2017-8879 (Dolibarr ERP/CRM 4.0.4 allows password changes without supplying the c ...)
	- dolibarr 5.0.4+dfsg3-1 (bug #863544)
CVE-2017-8878 (ASUS RT-AC* and RT-N* devices with firmware before 3.0.0.4.380.7378 al ...)
	NOT-FOR-US: ASUS
CVE-2017-8877 (ASUS RT-AC* and RT-N* devices with firmware through 3.0.0.4.380.7378 a ...)
	NOT-FOR-US: ASUS
CVE-2017-8890 (The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in ...)
	{DSA-3886-1 DLA-993-1}
	- linux 4.9.30-1
	NOTE: Fixed by: https://git.kernel.org/linus/657831ffc38e30092a2d5f03d385d710eb88b09a
CVE-2017-8876 (Symphony 2 2.6.11 has XSS in the meta[navigation_group] parameter to c ...)
	NOT-FOR-US: Symphony CMS
CVE-2017-8875 (CSRF in the Clean Login plugin before 1.8 for WordPress allows remote ...)
	NOT-FOR-US: Wordpress addon
CVE-2017-8874 (Multiple cross-site request forgery (CSRF) vulnerabilities in Mautic 1 ...)
	NOT-FOR-US: Mautic
CVE-2017-8873
	RESERVED
CVE-2017-8872 (The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.4 all ...)
	{DLA-2369-1}
	- libxml2 2.9.4+dfsg1-6.1 (bug #862450)
	[jessie] - libxml2 (Minor issue)
	[wheezy] - libxml2 (Minor issue)
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=775200
	NOTE: https://gitlab.gnome.org/GNOME/libxml2/commit/123234f2cfcd9e9b9f83047eee1dc17b4c3f4407
CVE-2017-8871 (The cr_parser_parse_selector_core function in cr-parser.c in libcroco ...)
	- libcroco (bug #864666; low)
	[buster] - libcroco (Minor issue)
	[stretch] - libcroco (Minor issue)
	[jessie] - libcroco (Minor issue)
	[wheezy] - libcroco (Vulnerable code not present)
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=782649
CVE-2017-8870 (Buffer overflow in AudioCoder 0.8.46 allows remote attackers to execut ...)
	NOT-FOR-US: AudioCoder
CVE-2017-8869 (Buffer overflow in MediaCoder 0.8.48.5888 allows remote attackers to e ...)
	NOT-FOR-US: MediaCoder
CVE-2017-8868 (acp/core/files.browser.php in flatCore 1.4.7 allows file deletion via ...)
	NOT-FOR-US: flatCore
CVE-2017-8867 (Elemental Path's CogniToys Dino smart toys through firmware version 0. ...)
	NOT-FOR-US: Elemental Path's CogniToys Dino smart toys
CVE-2017-8866 (Elemental Path's CogniToys Dino smart toys through firmware version 0. ...)
	NOT-FOR-US: Elemental Path's CogniToys Dino smart toys
CVE-2017-8865 (Elemental Path's CogniToys Dino smart toys through firmware version 0. ...)
	NOT-FOR-US: Elemental Path's CogniToys Dino smart toys
CVE-2017-8864 (Client-side enforcement using JavaScript of server-side security optio ...)
	NOT-FOR-US: Cohu
CVE-2017-8863 (Information disclosure of .esp source code on the Cohu 3960 allows an ...)
	NOT-FOR-US: Cohu
CVE-2017-8862 (The webupgrade function on the Cohu 3960HD does not verify the firmwar ...)
	NOT-FOR-US: Cohu
CVE-2017-8861 (Missing authentication for the remote configuration port 1236/tcp on t ...)
	NOT-FOR-US: Cohu
CVE-2017-8860 (Information disclosure through directory listing on the Cohu 3960HD al ...)
	NOT-FOR-US: Cohu
CVE-2017-8859 (In Veritas NetBackup Appliance 3.0 and earlier, unauthenticated users ...)
	NOT-FOR-US: Veritas NetBackup
CVE-2017-8858 (In Veritas NetBackup 8.0 and earlier and NetBackup Appliance 3.0 and e ...)
	NOT-FOR-US: Veritas NetBackup
CVE-2017-8857 (In Veritas NetBackup 8.0 and earlier and NetBackup Appliance 3.0 and e ...)
	NOT-FOR-US: Veritas NetBackup
CVE-2017-8856 (In Veritas NetBackup 8.0 and earlier and NetBackup Appliance 3.0 and e ...)
	NOT-FOR-US: Veritas NetBackup
CVE-2017-1000044 (gtk-vnc 0.4.2 and older doesn't check framebuffer boundaries correctly ...)
	- gtk-vnc 0.4.3-1
	NOTE: Fixed by: https://git.gnome.org/browse/gtk-vnc/commit/?id=f3fc5e57a78d4be9872f1394f697b9929873a737 (release-0.4.3)
CVE-2017-8855 (wolfSSL before 3.11.0 does not prevent wc_DhAgree from accepting a mal ...)
	- wolfssl 3.12.0+dfsg-1 (bug #870170)
	NOTE: Fixed upstream in 3.11.0, https://github.com/wolfSSL/wolfssl/releases/tag/v3.11.0-stable
CVE-2017-8854 (wolfSSL before 3.10.2 has an out-of-bounds memory access with loading ...)
	- wolfssl 3.10.2+dfsg-1
CVE-2017-8853 (Fiyo CMS v2.0.7 has an arbitrary file delete vulnerability in dapur/ap ...)
	NOT-FOR-US: Fiyo CMS
CVE-2017-8852 (SAP SAPCAR 721.510 has a Heap Based Buffer Overflow Vulnerability. It ...)
	NOT-FOR-US: SAP
CVE-2017-8851 (An issue was discovered on OnePlus One and X devices. Due to a lenient ...)
	NOT-FOR-US: OnePlus One
CVE-2017-8850 (An issue was discovered on OnePlus One, X, 2, 3, and 3T devices. Due t ...)
	NOT-FOR-US: OnePlus One
CVE-2017-8849 (smb4k before 2.0.1 allows local users to gain root privileges by lever ...)
	{DSA-3951-1 DLA-1002-1}
	- smb4k 1.2.1-2 (bug #862505)
	NOTE: https://www.openwall.com/lists/oss-security/2017/05/10/3
	NOTE: https://www.kde.org/info/security/advisory-20170510-2.txt
	NOTE: https://github.com/stealth/plasmapulsar
	NOTE: smb4k 2.0.0: https://commits.kde.org/smb4k/a90289b0962663bc1d247bbbd31b9e65b2ca000e
	NOTE: smb4k 1.2.3: https://commits.kde.org/smb4k/71554140bdaede27b95dbe4c9b5a028a83c83cce
CVE-2017-8848 (Allen Disk 1.6 has CSRF in setpass.php with an impact of changing a pa ...)
	NOT-FOR-US: Allen Disk
CVE-2017-8847 (The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in lrz ...)
	- lrzip 0.631+git180517-1 (unimportant; bug #863145)
	NOTE: https://github.com/ckolivas/lrzip/issues/67
	NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-null-pointer-dereference-in-bufreadget-libzpaq-h/
	NOTE: Crash in CLI tool, no security implications
CVE-2017-8846 (The read_stream function in stream.c in liblrzip.so in lrzip 0.631 all ...)
	- lrzip 0.631+git180517-1 (bug #863150)
	[stretch] - lrzip (Minor issue)
	[jessie] - lrzip (Minor issue)
	[wheezy] - lrzip (Minor issue)
	NOTE: https://github.com/ckolivas/lrzip/issues/71
	NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-use-after-free-in-read_stream-stream-c/
CVE-2017-8845 (The lzo1x_decompress function in lzo1x_d.ch in LZO 2.08, as used in lr ...)
	- lrzip 0.631+git180517-1 (unimportant; bug #863151)
	NOTE: https://github.com/ckolivas/lrzip/issues/68
	NOTE: https://github.com/ckolivas/lrzip/commit/89d7b33e6a6450eed326b40084b547d42bad333f
	NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-invalid-memory-read-in-lzo_decompress_buf-stream-c/
	NOTE: Crash in CLI tool, no security implications
CVE-2017-8844 (The read_1g function in stream.c in liblrzip.so in lrzip 0.631 allows ...)
	- lrzip 0.631+git180517-1 (bug #863153)
	[stretch] - lrzip (Minor issue)
	[jessie] - lrzip (Minor issue)
	[wheezy] - lrzip (Minor issue)
	NOTE: https://github.com/ckolivas/lrzip/issues/70
	NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-heap-based-buffer-overflow-write-in-read_1g-stream-c/
CVE-2017-8843 (The join_pthread function in stream.c in liblrzip.so in lrzip 0.631 al ...)
	- lrzip 0.631+git180517-1 (unimportant; bug #863155)
	NOTE: https://github.com/ckolivas/lrzip/issues/69
	NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-null-pointer-dereference-in-join_pthread-stream-c/
	NOTE: Crash in CLI tool, no security implications
CVE-2017-8842 (The bufRead::get() function in libzpaq/libzpaq.h in liblrzip.so in lrz ...)
	- lrzip 0.631+git180517-1 (unimportant; bug #863156)
	NOTE: https://github.com/ckolivas/lrzip/issues/66
	NOTE: https://blogs.gentoo.org/ago/2017/05/07/lrzip-divide-by-zero-in-bufreadget-libzpaq-h/
	NOTE: Crash in CLI tool, no security implications
CVE-2017-8841 (Arbitrary file deletion exists on Peplink Balance 305, 380, 580, 710, ...)
	NOT-FOR-US: Peplink Balance devices
CVE-2017-8840 (Debug information disclosure exists on Peplink Balance 305, 380, 580, ...)
	NOT-FOR-US: Peplink Balance devices
CVE-2017-8839 (XSS via orig_url exists on Peplink Balance 305, 380, 580, 710, 1350, a ...)
	NOT-FOR-US: Peplink Balance devices
CVE-2017-8838 (XSS via syncid exists on Peplink Balance 305, 380, 580, 710, 1350, and ...)
	NOT-FOR-US: Peplink Balance devices
CVE-2017-8837 (Cleartext password storage exists on Peplink Balance 305, 380, 580, 71 ...)
	NOT-FOR-US: Peplink Balance devices
CVE-2017-8836 (CSRF exists on Peplink Balance 305, 380, 580, 710, 1350, and 2500 devi ...)
	NOT-FOR-US: Peplink Balance devices
CVE-2017-8835 (SQL injection exists on Peplink Balance 305, 380, 580, 710, 1350, and ...)
	NOT-FOR-US: Peplink Balance devices
CVE-2017-8834 (The cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 a ...)
	- libcroco (bug #864666; low)
	[buster] - libcroco (Minor issue)
	[stretch] - libcroco (Minor issue)
	[jessie] - libcroco (Minor issue)
	[wheezy] - libcroco (Vulnerable code not present)
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=782647
CVE-2017-8833 (Zen Cart 1.6.0 has XSS in the main_page parameter to index.php. NOTE: ...)
	NOT-FOR-US: Zen Cart
CVE-2017-8832 (Allen Disk 1.6 has XSS in the id parameter to downfile.php. ...)
	NOT-FOR-US: Allen Disk
CVE-2017-8831 (The saa7164_bus_get function in drivers/media/pci/saa7164/saa7164-bus. ...)
	{DLA-1200-1}
	- linux 4.12.6-1
	[stretch] - linux 4.9.47-1
	[jessie] - linux 3.16.51-1
	NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=195559
CVE-2017-8830 (In ImageMagick 7.0.5-6, the ReadBMPImage function in bmp.c:1379 allows ...)
	{DSA-3863-1 DLA-960-1}
	- imagemagick 8:6.9.7.4+dfsg-7 (low; bug #862637)
	NOTE: https://github.com/ImageMagick/ImageMagick/issues/467
CVE-2017-8828
	RESERVED
CVE-2017-8827 (forgotpassword.php in GeniXCMS 1.0.2 lacks a rate limit, which might a ...)
	NOT-FOR-US: GenixCMS
CVE-2017-8826 (FastStone Image Viewer 6.2 has a "User Mode Write AV" issue, possibly ...)
	NOT-FOR-US: FastStone Image Viewer
CVE-2017-8825 (A null dereference vulnerability has been found in the MIME handling c ...)
	- libetpan 1.6-3 (bug #862151)
	[jessie] - libetpan (Minor issue)
	[wheezy] - libetpan (Minor issue)
	NOTE: https://github.com/dinhviethoa/libetpan/commit/1fe8fbc032ccda1db9af66d93016b49c16c1f22d
	NOTE: https://github.com/dinhviethoa/libetpan/issues/274
CVE-2017-8824 (The dccp_disconnect function in net/dccp/proto.c in the Linux kernel t ...)
	{DSA-4082-1 DSA-4073-1 DLA-1200-1}
	- linux 4.14.7-1
	NOTE: http://lists.openwall.net/netdev/2017/12/04/224
	NOTE: Fixed by: https://git.kernel.org/linus/69c64866ce072dea1d1e59a0d61e0f66c0dffb76
CVE-2017-8823 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 bef ...)
	{DSA-4054-1}
	- tor 0.3.1.9-1
	[wheezy] - tor (Not supported in wheezy LTS)
	NOTE: https://bugs.torproject.org/24313
	NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
CVE-2017-8822 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 bef ...)
	{DSA-4054-1}
	- tor 0.3.1.9-1
	[wheezy] - tor (Not supported in wheezy LTS)
	NOTE: https://bugs.torproject.org/21534
	NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
CVE-2017-8821 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 bef ...)
	{DSA-4054-1}
	- tor 0.3.1.9-1
	[wheezy] - tor (Not supported in wheezy LTS)
	NOTE: https://bugs.torproject.org/24246
	NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
CVE-2017-8820 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 bef ...)
	{DSA-4054-1}
	- tor 0.3.1.9-1
	[wheezy] - tor (Not supported in wheezy LTS)
	NOTE: https://bugs.torproject.org/24245
	NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
CVE-2017-8819 (In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 bef ...)
	{DSA-4054-1}
	- tor 0.3.1.9-1
	[wheezy] - tor (Not supported in wheezy LTS)
	NOTE: https://bugs.torproject.org/24244
	NOTE: https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
CVE-2017-8818 (curl and libcurl before 7.57.0 on 32-bit platforms allow attackers to ...)
	- curl 7.57.0-1
	[stretch] - curl (Vulnerable code not present)
	[jessie] - curl (Vulnerable code not present)
	[wheezy] - curl (Vulnerable code not present)
	NOTE: https://curl.haxx.se/docs/adv_2017-af0a.html
	NOTE: https://curl.haxx.se/CVE-2017-8818.patch
CVE-2017-8817 (The FTP wildcard function in curl and libcurl before 7.57.0 allows rem ...)
	{DSA-4051-1 DLA-1195-1}
	- curl 7.57.0-1
	NOTE: https://curl.haxx.se/docs/adv_2017-ae72.html
	NOTE: https://curl.haxx.se/CVE-2017-8817.patch
CVE-2017-8816 (The NTLM authentication feature in curl and libcurl before 7.57.0 on 3 ...)
	{DSA-4051-1}
	- curl 7.57.0-1
	[wheezy] - curl (Vulnerable code not present, introduced in 7.36.0)
	NOTE: https://curl.haxx.se/docs/adv_2017-11e7.html
	NOTE: https://curl.haxx.se/CVE-2017-8816.patch
CVE-2017-8815 (The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28. ...)
	{DSA-4036-1}
	- mediawiki 1:1.27.4-1
	[wheezy] - mediawiki (Not supported in wheezy LTS)
	NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
	NOTE: https://phabricator.wikimedia.org/T119158
CVE-2017-8814 (The language converter in MediaWiki before 1.27.4, 1.28.x before 1.28. ...)
	{DSA-4036-1}
	- mediawiki 1:1.27.4-1
	[wheezy] - mediawiki (Not supported in wheezy LTS)
	NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
	NOTE: https://phabricator.wikimedia.org/T124404
CVE-2017-8813
	REJECTED
CVE-2017-8812 (MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29. ...)
	{DSA-4036-1}
	- mediawiki 1:1.27.4-1
	[wheezy] - mediawiki (Not supported in wheezy LTS)
	NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
	NOTE: https://phabricator.wikimedia.org/T125163
CVE-2017-8811 (The implementation of raw message parameter expansion in MediaWiki bef ...)
	{DSA-4036-1}
	- mediawiki 1:1.27.4-1
	[wheezy] - mediawiki (Not supported in wheezy LTS)
	NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
	NOTE: https://phabricator.wikimedia.org/T176247
CVE-2017-8810 (MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29. ...)
	{DSA-4036-1}
	- mediawiki 1:1.27.4-1
	[wheezy] - mediawiki (Not supported in wheezy LTS)
	NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
	NOTE: https://phabricator.wikimedia.org/T134100
CVE-2017-8809 (api.php in MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x b ...)
	{DSA-4036-1}
	- mediawiki 1:1.27.4-1
	[wheezy] - mediawiki (Not supported in wheezy LTS)
	NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
	NOTE: https://phabricator.wikimedia.org/T128209
CVE-2017-8808 (MediaWiki before 1.27.4, 1.28.x before 1.28.3, and 1.29.x before 1.29. ...)
	{DSA-4036-1}
	- mediawiki 1:1.27.4-1
	[wheezy] - mediawiki (Not supported in wheezy LTS)
	NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html
	NOTE: https://phabricator.wikimedia.org/T178451
CVE-2017-8807 (vbf_stp_error in bin/varnishd/cache/cache_fetch.c in Varnish HTTP Cach ...)
	{DSA-4034-1}
	- varnish 5.2.1-1 (bug #881808)
	[jessie] - varnish (Vulnerable code not present, issue introduced in 4.1.0)
	[wheezy] - varnish (Vulnerable code not present, issue introduced in 4.1.0)
	NOTE: http://varnish-cache.org/security/VSV00002.html
	NOTE: https://github.com/varnishcache/varnish-cache/pull/2429
	NOTE: Fixed by: https://github.com/varnishcache/varnish-cache/commit/176f8a075a
CVE-2017-8806 (The Debian pg_ctlcluster, pg_createcluster, and pg_upgradecluster scri ...)
	{DSA-4029-1 DLA-1169-1}
	- postgresql-common 188
CVE-2017-8805 (Debian ftpsync before 20171017 does not use the rsync --safe-links opt ...)
	- archvsync 20171017
	NOTE: https://www.openwall.com/lists/oss-security/2017/10/17/2
	NOTE: https://anonscm.debian.org/cgit/mirror/archvsync.git/commit/?id=d1ca2ab2210990b6dfb664cd6776a41b71c48016
CVE-2017-1000041
	REJECTED
CVE-2017-1000040
	REJECTED
CVE-2017-1000019
	REJECTED
CVE-2017-8829 (Deserialization vulnerability in lintian through 2.5.50.3 allows attac ...)
	- lintian 2.5.50.4 (bug #861958)
	[jessie] - lintian (upstream/metadata check introduced in 2.5.41; vulnerable code not present)
	[wheezy] - lintian (upstream/metadata check introduced in 2.5.41; vulnerable code not present)
CVE-2017-8804 (** DISPUTED ** The xdr_bytes and xdr_string functions in the GNU C Lib ...)
	NOTE: This is not a vulnerability in glibc, but a bug in the application, see
	NOTE: https://sourceware.org/ml/libc-alpha/2017-05/msg00128.html and
	NOTE: https://sourceware.org/ml/libc-alpha/2017-05/msg00129.html
	NOTE: https://www.openwall.com/lists/oss-security/2017/05/05/2
	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21461
CVE-2017-8803 (Notepad++ 7.3.3 (32-bit) with Hex Editor Plugin v0.9.5 might allow use ...)
	NOT-FOR-US: Notepad++
CVE-2017-8802 (Cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite ...)
	NOT-FOR-US: Zimbra
CVE-2017-8801 (Trend Micro OfficeScan 11.0 before SP1 CP 6325 (with Agent Module Buil ...)
	NOT-FOR-US: Trend Micro
CVE-2017-8800
	RESERVED
CVE-2017-8799 (Untrusted input execution via igetwild in all iRODS versions before 4. ...)
	NOT-FOR-US: iRODS
CVE-2017-8798 (Integer signedness error in MiniUPnP MiniUPnPc v1.4.20101221 through v ...)
	{DLA-2197-1 DLA-949-1}
	- miniupnpc 1.9.20140610-3 (bug #862273)
	NOTE: https://github.com/tintinweb/pub/blob/master/pocs/cve-2017-8798/Readme.md
	NOTE: Fixed by: https://github.com/miniupnp/miniupnp/commit/f0f1f4b22d6a98536377a1bb07e7c20e4703d229
CVE-2017-8797 (The NFSv4 server in the Linux kernel before 4.11.3 does not properly v ...)
	- linux 4.9.30-1
	[jessie] - linux (Vulnerable code not present)
	[wheezy] - linux (Vulnerable code not present)
	NOTE: Fixed by: https://git.kernel.org/linus/b550a32e60a4941994b437a8d662432a486235a5 (4.12-rc1)
	NOTE: Fixed by: https://git.kernel.org/linus/f961e3f2acae94b727380c0b74e2d3954d0edf79 (4.12-rc1)
CVE-2017-8796 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...)
	NOT-FOR-US: Accellion FTA devices
CVE-2017-8795 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...)
	NOT-FOR-US: Accellion FTA devices
CVE-2017-8794 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...)
	NOT-FOR-US: Accellion FTA devices
CVE-2017-8793 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...)
	NOT-FOR-US: Accellion FTA devices
CVE-2017-8792 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...)
	NOT-FOR-US: Accellion FTA devices
CVE-2017-8791 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...)
	NOT-FOR-US: Accellion FTA devices
CVE-2017-8790 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...)
	NOT-FOR-US: Accellion FTA devices
CVE-2017-8789 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...)
	NOT-FOR-US: Accellion FTA devices
CVE-2017-8788 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...)
	NOT-FOR-US: Accellion FTA devices
CVE-2017-8787 (The PoDoFo::PdfXRefStreamParserObject::ReadXRefStreamEntry function in ...)
	- libpodofo 0.9.5-7 (bug #861738)
	[stretch] - libpodofo (Minor issue)
	[jessie] - libpodofo (Minor issue)
	[wheezy] - libpodofo (Minor issue)
	NOTE: Possible unspecified impact. Needs further analysis.
	NOTE: Upstream commit: https://sourceforge.net/p/podofo/code/1851
CVE-2017-8786 (pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial o ...)
	- pcre2 10.31-1 (unimportant; bug #861873)
	NOTE: https://bugs.exim.org/show_bug.cgi?id=2079
	NOTE: https://blogs.gentoo.org/ago/2017/04/29/libpcre-heap-based-buffer-overflow-write-in-pcre2test-c/
	NOTE: https://vcs.pcre.org/pcre2/code/trunk/src/pcre2test.c?r1=692&r2=697
CVE-2017-8785 (FastStone Image Viewer 6.2 has a "Data from Faulting Address may be us ...)
	NOT-FOR-US: FastStone Image Viewer
CVE-2017-8784
	REJECTED
CVE-2017-8783 (Synacor Zimbra Collaboration Suite (ZCS) before 8.7.10 has Persistent ...)
	NOT-FOR-US: Zimbra
CVE-2017-8782 (The readString function in util/read.c and util/old/read.c in libming ...)
	{DLA-980-1}
	- ming
	NOTE: https://github.com/libming/libming/issues/70
CVE-2017-8781 (XnView Classic for Windows Version 2.40 allows user-assisted remote at ...)
	NOT-FOR-US: XnView
CVE-2017-8780 (GeniXCMS 1.0.2 has XSS triggered by a comment that is mishandled durin ...)
	NOT-FOR-US: GenixCMS
CVE-2017-8778 (GitLab before 8.14.9, 8.15.x before 8.15.6, and 8.16.x before 8.16.5 h ...)
	- gitlab (SVG rendering feature introduced later, cf. bug #861870)
	NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/27471
CVE-2017-8777 (Open-Xchange GmbH OX Cloud Plugins 1.4.0 and earlier is affected by: M ...)
	NOT-FOR-US: Open-Xchange GmbH OX Cloud Plugins
CVE-2017-8779 (rpcbind through 0.2.4, LIBTIRPC through 1.0.1 and 1.0.2-rc through 1.0 ...)
	{DSA-3845-1 DLA-937-1 DLA-936-1}
	- rpcbind 0.2.3-0.6 (bug #861835)
	- libtirpc 0.2.5-1.2 (bug #861834)
	- ntirpc 1.4.4-1 (bug #861836)
	NOTE: https://www.openwall.com/lists/oss-security/2017/05/04/1
	NOTE: https://github.com/guidovranken/rpcbomb/
CVE-2017-8776 (Quick Heal Internet Security 10.1.0.316, Quick Heal Total Security 10. ...)
	NOT-FOR-US: Quick Heal Internet Security
CVE-2017-8775 (Quick Heal Internet Security 10.1.0.316, Quick Heal Total Security 10. ...)
	NOT-FOR-US: Quick Heal Internet Security
CVE-2017-8774 (Quick Heal Internet Security 10.1.0.316, Quick Heal Total Security 10. ...)
	NOT-FOR-US: Quick Heal Internet Security
CVE-2017-8773 (Quick Heal Internet Security 10.1.0.316, Quick Heal Total Security 10. ...)
	NOT-FOR-US: Quick Heal Internet Security
CVE-2017-8772 (On BE126 WIFI repeater 1.0 devices, an attacker can log into telnet (w ...)
	NOT-FOR-US: BE126 WIFI repeater
CVE-2017-8771 (On BE126 WIFI repeater 1.0 devices, an attacker can log into telnet (w ...)
	NOT-FOR-US: BE126 WIFI repeater
CVE-2017-8770 (There is LFD (local file disclosure) on BE126 WIFI repeater 1.0 device ...)
	NOT-FOR-US: BE126 WIFI repeater
CVE-2017-8769 (** DISPUTED ** Facebook WhatsApp Messenger before 2.16.323 for Android ...)
	NOT-FOR-US: WhatsApp Messenger
CVE-2017-8768 (Atlassian SourceTree v2.5c and prior are affected by a command injecti ...)
	NOT-FOR-US: Atlassian SourceTree
CVE-2017-8767
	REJECTED
CVE-2017-8766 (IrfanView version 4.44 (32bit) allows remote attackers to execute code ...)
	NOT-FOR-US: IrfanView
CVE-2017-8765 (The function named ReadICONImage in coders\icon.c in ImageMagick 7.0.5 ...)
	{DSA-3863-1 DLA-960-1}
	- imagemagick 8:6.9.7.4+dfsg-7 (low; bug #862653)
	NOTE: https://github.com/ImageMagick/ImageMagick/issues/466
CVE-2017-8764
	RESERVED
CVE-2017-8763 (Cross-site scripting (XSS) vulnerability in modules/Base/Box/check_for ...)
	NOT-FOR-US: EPESI
CVE-2017-8762 (GeniXCMS 1.0.2 has XSS triggered by an authenticated user who submits ...)
	NOT-FOR-US: GenixCMS
CVE-2017-8761 [Swift tempurl middleware reveals signatures in the logfiles]
	RESERVED
	- swift 2.17.0-2
	[stretch] - swift (Minor issue)
	[jessie] - swift (Not supported in Jessie LTS)
	NOTE: https://bugs.launchpad.net/swift/+bug/1685798
CVE-2017-8760 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...)
	NOT-FOR-US: Accellion FTA devices
CVE-2017-8759 (Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and ...)
	NOT-FOR-US: Microsoft
CVE-2017-8758 (Microsoft Exchange Server 2016 allows an elevation of privilege vulner ...)
	NOT-FOR-US: Microsoft
CVE-2017-8757 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...)
	NOT-FOR-US: Microsoft
CVE-2017-8756 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...)
	NOT-FOR-US: Microsoft
CVE-2017-8755 (Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, and Windows S ...)
	NOT-FOR-US: Microsoft
CVE-2017-8754 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...)
	NOT-FOR-US: Microsoft
CVE-2017-8753 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...)
	NOT-FOR-US: Microsoft
CVE-2017-8752 (Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, and Windows S ...)
	NOT-FOR-US: Apache Atlas
CVE-2017-8751 (Microsoft Edge in Microsoft Windows 1703 allows an attacker to execute ...)
	NOT-FOR-US: Microsoft
CVE-2017-8750 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...)
	NOT-FOR-US: Microsoft
CVE-2017-8749 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...)
	NOT-FOR-US: Microsoft
CVE-2017-8748 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...)
	NOT-FOR-US: Microsoft
CVE-2017-8747 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...)
	NOT-FOR-US: Microsoft
CVE-2017-8746 (Windows Device Guard in Windows 10 1607, 1703, and Windows Server 2016 ...)
	NOT-FOR-US: Microsoft
CVE-2017-8745 (An elevation of privilege vulnerability exists in Microsoft SharePoint ...)
	NOT-FOR-US: Microsoft
CVE-2017-8744 (A remote code execution vulnerability exists in Excel Services, Micros ...)
	NOT-FOR-US: Microsoft
CVE-2017-8743 (A remote code execution vulnerability exists in Microsoft PowerPoint 2 ...)
	NOT-FOR-US: Microsoft
CVE-2017-8742 (A remote code execution vulnerability exists in Microsoft PowerPoint 2 ...)
	NOT-FOR-US: Microsoft
CVE-2017-8741 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...)
	NOT-FOR-US: Microsoft
CVE-2017-8740 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to exec ...)
	NOT-FOR-US: Microsoft
CVE-2017-8739 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to obta ...)
	NOT-FOR-US: Microsoft
CVE-2017-8738 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and Windows S ...)
	NOT-FOR-US: Microsoft
CVE-2017-8737 (Microsoft Windows PDF Library in Microsoft Windows 8.1 and Windows RT ...)
	NOT-FOR-US: Microsoft
CVE-2017-8736 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...)
	NOT-FOR-US: Microsoft
CVE-2017-8735 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...)
	NOT-FOR-US: Microsoft
CVE-2017-8734 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...)
	NOT-FOR-US: Microsoft
CVE-2017-8733 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...)
	NOT-FOR-US: Microsoft
CVE-2017-8732
	RESERVED
CVE-2017-8731 (Microsoft Edge in Microsoft Windows 10 1607 and Windows Server 2016 al ...)
	NOT-FOR-US: Microsoft
CVE-2017-8730
	RESERVED
CVE-2017-8729 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to exec ...)
	NOT-FOR-US: Microsoft
CVE-2017-8728 (Microsoft Windows PDF Library in Microsoft Windows 8.1 and Windows RT ...)
	NOT-FOR-US: Microsoft
CVE-2017-8727 (Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8 ...)
	NOT-FOR-US: Microsoft
CVE-2017-8726 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...)
	NOT-FOR-US: Microsoft
CVE-2017-8725 (A remote code execution vulnerability exists in Microsoft Publisher 20 ...)
	NOT-FOR-US: Microsoft
CVE-2017-8724 (Microsoft Edge in Microsoft Windows 10 Version 1703 allows an attacker ...)
	NOT-FOR-US: Microsoft
CVE-2017-8723 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...)
	NOT-FOR-US: Microsoft
CVE-2017-8722
	RESERVED
CVE-2017-8721
	RESERVED
CVE-2017-8720 (The Microsoft Windows graphics component on Microsoft Windows Server 2 ...)
	NOT-FOR-US: Microsoft
CVE-2017-8719 (The Windows kernel component on Microsoft Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2017-8718 (The Microsoft JET Database Engine in Windows Server 2008 SP2 and R2 SP ...)
	NOT-FOR-US: Microsoft
CVE-2017-8717 (The Microsoft JET Database Engine in Windows Server 2008 SP2 and R2 SP ...)
	NOT-FOR-US: Microsoft
CVE-2017-8716 (Windows Control Flow Guard in Microsoft Windows 10 Version 1703 allows ...)
	NOT-FOR-US: Microsoft
CVE-2017-8715 (The Microsoft Device Guard on Microsoft Windows 10 Gold, 1511, 1607, a ...)
	NOT-FOR-US: Microsoft
CVE-2017-8714 (The Windows Hyper-V component on Microsoft Windows 8.1, Windows Server ...)
	NOT-FOR-US: Microsoft
CVE-2017-8713 (The Windows Hyper-V component on Microsoft Windows Windows 8.1, Window ...)
	NOT-FOR-US: Microsoft
CVE-2017-8712 (The Windows Hyper-V component on Microsoft Windows 10 1607, 1703, and ...)
	NOT-FOR-US: Microsoft
CVE-2017-8711 (The Windows Hyper-V component on Microsoft Windows 10 1607 and Windows ...)
	NOT-FOR-US: Microsoft
CVE-2017-8710 (The Microsoft Common Console Document (.msc) in Microsoft Windows 7 SP ...)
	NOT-FOR-US: Microsoft
CVE-2017-8709 (The Windows kernel component on Microsoft Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2017-8708 (The Windows kernel component on Microsoft Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2017-8707 (The Windows Hyper-V component on Microsoft Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2017-8706 (The Windows Hyper-V component on Microsoft Windows 10 Gold, 1511, 1607 ...)
	NOT-FOR-US: Microsoft
CVE-2017-8705
	RESERVED
CVE-2017-8704 (The Windows Hyper-V component on Microsoft Windows 10 1607 and Windows ...)
	NOT-FOR-US: Microsoft
CVE-2017-8703 (The Microsoft Windows Subsystem for Linux on Microsoft Windows 10 1703 ...)
	NOT-FOR-US: Microsoft
CVE-2017-8702 (Windows Error Reporting (WER) in Microsoft Windows 10 Gold, 1511, and ...)
	NOT-FOR-US: Microsoft
CVE-2017-8701
	RESERVED
CVE-2017-8700 (ASP.NET Core 1.0, 1.1, and 2.0 allow an attacker to bypass Cross-origi ...)
	NOT-FOR-US: Microsoft
CVE-2017-8699 (Windows Shell in Microsoft Windows 7 SP1, Windows Server 2008 and R2 S ...)
	NOT-FOR-US: Microsoft
CVE-2017-8698
	RESERVED
CVE-2017-8697
	RESERVED
CVE-2017-8696 (Windows Uniscribe in Microsoft Windows Server 2008 SP2 and R2 SP1; Win ...)
	NOT-FOR-US: Microsoft
CVE-2017-8695 (Windows Uniscribe in Microsoft Windows Server 2008 SP2 and R2 SP1; Win ...)
	NOT-FOR-US: Microsoft
CVE-2017-8694 (The Microsoft Windows Kernel Mode Driver on Microsoft Windows Server 2 ...)
	NOT-FOR-US: Microsoft
CVE-2017-8693 (The Microsoft Graphics Component on Microsoft Windows 10 Gold, 1511, 1 ...)
	NOT-FOR-US: Microsoft
CVE-2017-8692 (The Windows Uniscribe component on Microsoft Windows 8.1, Windows Serv ...)
	NOT-FOR-US: Microsoft
CVE-2017-8691 (Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow an attacke ...)
	NOT-FOR-US: Microsoft Windows
CVE-2017-8690
	RESERVED
CVE-2017-8689 (The Microsoft Windows Kernel Mode Driver on Microsoft Windows Server 2 ...)
	NOT-FOR-US: Microsoft
CVE-2017-8688 (Windows GDI+ on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows ...)
	NOT-FOR-US: Microsoft
CVE-2017-8687 (The Windows kernel component on Microsoft Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2017-8686 (The Windows Server DHCP service in Windows Server 2012 Gold and R2, an ...)
	NOT-FOR-US: Microsoft
CVE-2017-8685 (Windows GDI+ on Microsoft Windows Server 2008 SP2 and R2 SP1, and Wind ...)
	NOT-FOR-US: Microsoft
CVE-2017-8684 (Windows GDI+ on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows ...)
	NOT-FOR-US: Microsoft
CVE-2017-8683 (Windows graphics on Microsoft Windows Server 2008 SP2 and R2 SP1, Wind ...)
	NOT-FOR-US: Microsoft
CVE-2017-8682 (Windows graphics on Microsoft Windows Server 2008 SP2 and R2 SP1, Wind ...)
	NOT-FOR-US: Microsoft
CVE-2017-8681 (The Windows kernel component on Microsoft Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2017-8680 (The Windows kernel component on Microsoft Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2017-8679 (The Windows kernel component on Microsoft Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2017-8678 (The Windows kernel component on Microsoft Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2017-8677 (The Windows GDI+ component on Microsoft Windows Server 2008 SP2 and R2 ...)
	NOT-FOR-US: Microsoft
CVE-2017-8676 (The Windows Graphics Device Interface (GDI) in Microsoft Windows Serve ...)
	NOT-FOR-US: Microsoft
CVE-2017-8675 (The Windows Kernel-Mode Drivers component on Microsoft Windows Server ...)
NOT-FOR-US: Microsoft CVE-2017-8674 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to exec ...) NOT-FOR-US: Microsoft CVE-2017-8673 (The Remote Desktop Protocol (RDP) implementation in Microsoft Windows ...) NOT-FOR-US: Microsoft CVE-2017-8672 (Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, and Windows S ...) NOT-FOR-US: Microsoft CVE-2017-8671 (Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, and Windows S ...) NOT-FOR-US: Microsoft CVE-2017-8670 (Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows Server ...) NOT-FOR-US: Microsoft CVE-2017-8669 (Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 2008 R2 ...) NOT-FOR-US: Microsoft CVE-2017-8668 (The Volume Manager Extension Driver in Microsoft Windows 7 SP1, Window ...) NOT-FOR-US: Microsoft CVE-2017-8667 RESERVED CVE-2017-8666 (Microsoft Win32k in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, ...) NOT-FOR-US: Microsoft CVE-2017-8665 (The Xamarin.iOS update component on systems running macOS allows an at ...) NOT-FOR-US: Xamarin.iOS CVE-2017-8664 (Windows Hyper-V in Windows 8.1, Windows Server 2012 Gold and R2, Windo ...) NOT-FOR-US: Microsoft CVE-2017-8663 (Microsoft Outlook 2007 SP3, Outlook 2010 SP2, Outlook 2013 SP1, Outloo ...) NOT-FOR-US: Microsoft CVE-2017-8662 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to disc ...) NOT-FOR-US: Microsoft CVE-2017-8661 (Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows Server ...) NOT-FOR-US: Microsoft CVE-2017-8660 (Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, and Windows S ...) NOT-FOR-US: Microsoft CVE-2017-8659 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to obta ...) NOT-FOR-US: Microsoft CVE-2017-8658 (A remote code execution vulnerability exists in the way that the Chakr ...) NOT-FOR-US: Microsoft CVE-2017-8657 (Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, and Windows S ...) 
NOT-FOR-US: Microsoft CVE-2017-8656 (Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows Server ...) NOT-FOR-US: Microsoft CVE-2017-8655 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...) NOT-FOR-US: Microsoft CVE-2017-8654 (Microsoft SharePoint Server 2010 Service Pack 2 allows a cross-site sc ...) NOT-FOR-US: Microsoft CVE-2017-8653 (Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-8652 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...) NOT-FOR-US: Microsoft CVE-2017-8651 (Internet Explorer in Microsoft Windows Server 2008 SP2 and Windows Ser ...) NOT-FOR-US: Microsoft CVE-2017-8650 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to expl ...) NOT-FOR-US: Microsoft CVE-2017-8649 (Microsoft Edge in Microsoft Windows 10 1607, 1703, and Windows Server ...) NOT-FOR-US: Microsoft CVE-2017-8648 (Microsoft Edge in Microsoft Windows Version 1703 allows an attacker to ...) NOT-FOR-US: Microsoft CVE-2017-8647 (Microsoft Edge in Windows 10 1703 allows an attacker to execute arbitr ...) NOT-FOR-US: Microsoft CVE-2017-8646 (Microsoft Edge in Windows 10 1511, 1607, 1703, and Windows Server 2016 ...) NOT-FOR-US: Microsoft CVE-2017-8645 (Microsoft Edge in Windows 10 1511, 1607, 1703, and Windows Server 2016 ...) NOT-FOR-US: Microsoft CVE-2017-8644 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...) NOT-FOR-US: Microsoft CVE-2017-8643 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Win ...) NOT-FOR-US: Microsoft CVE-2017-8642 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to elev ...) NOT-FOR-US: Microsoft CVE-2017-8641 (Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 2008 R2 ...) NOT-FOR-US: Microsoft CVE-2017-8640 (Microsoft Edge in Windows 10 Gold, 1511, 1607, 1703, and Windows Serve ...) 
NOT-FOR-US: Microsoft CVE-2017-8639 (Microsoft Edge in Windows 10 1607, 1703, and Windows Server 2016 allow ...) NOT-FOR-US: Microsoft CVE-2017-8638 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to exec ...) NOT-FOR-US: Microsoft CVE-2017-8637 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to bypa ...) NOT-FOR-US: Microsoft CVE-2017-8636 (Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 2008 R2 ...) NOT-FOR-US: Microsoft CVE-2017-8635 (Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 2008 R2 ...) NOT-FOR-US: Microsoft CVE-2017-8634 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to exec ...) NOT-FOR-US: Microsoft CVE-2017-8633 (Windows Error Reporting (WER) in Windows Server 2008 SP2 and R2 SP1, W ...) NOT-FOR-US: Microsoft CVE-2017-8632 (A remote code execution vulnerability exists in Microsoft Excel 2010 S ...) NOT-FOR-US: Microsoft CVE-2017-8631 (A remote code execution vulnerability exists in Excel Services, Micros ...) NOT-FOR-US: Microsoft CVE-2017-8630 (Microsoft Office 2016 allows a remote code execution vulnerability whe ...) NOT-FOR-US: Microsoft CVE-2017-8629 (Microsoft SharePoint Server 2013 Service Pack 1 allows an elevation of ...) NOT-FOR-US: Microsoft CVE-2017-8628 (Microsoft Bluetooth Driver in Windows Server 2008 SP2, Windows 7 SP1, ...) NOT-FOR-US: Microsoft Windows NOTE: https://www.armis.com/blueborne/ CVE-2017-8627 (Windows Subsystem for Linux in Windows 10 1703, allows a denial of ser ...) NOT-FOR-US: Microsoft CVE-2017-8626 RESERVED CVE-2017-8625 (Internet Explorer in Windows 10 Gold, 1511, 1607, 1703, and Windows Se ...) NOT-FOR-US: Microsoft CVE-2017-8624 (CLFS in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 ...) NOT-FOR-US: Microsoft CVE-2017-8623 (Windows Hyper-V in Windows 10 1607, 1703, and Windows Server 2016 allo ...) NOT-FOR-US: Microsoft CVE-2017-8622 (Windows Subsystem for Linux in Windows 10 1703 allows an elevation of ...)
NOT-FOR-US: Microsoft CVE-2017-8621 (Microsoft Exchange Server 2010 SP3, Exchange Server 2013 SP3, Exchange ...) NOT-FOR-US: Microsoft CVE-2017-8620 (Windows Search in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, W ...) NOT-FOR-US: Microsoft CVE-2017-8619 (Microsoft Edge on Windows 10 Gold, 1511, 1607, and 1703, and Windows S ...) NOT-FOR-US: Microsoft CVE-2017-8618 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...) NOT-FOR-US: Microsoft CVE-2017-8617 (Microsoft Edge in Windows 10 1703 Microsoft Edge allows a remote code ...) NOT-FOR-US: Microsoft CVE-2017-8616 RESERVED CVE-2017-8615 RESERVED CVE-2017-8614 RESERVED CVE-2017-8613 (Azure AD Connect Password writeback, if misconfigured during enablemen ...) NOT-FOR-US: Azure AD Connect Password writeback CVE-2017-8612 RESERVED CVE-2017-8611 (Microsoft Edge on Microsoft Windows 10 Gold, 1511, 1607, and 1703, and ...) NOT-FOR-US: Microsoft CVE-2017-8610 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to exec ...) NOT-FOR-US: Microsoft CVE-2017-8609 (Microsoft Internet Explorer in Microsoft Windows 10 Gold, 1511, 1607, ...) NOT-FOR-US: Microsoft CVE-2017-8608 (Microsoft browsers in Microsoft Windows Server 2008 and R2, Windows 8. ...) NOT-FOR-US: Microsoft CVE-2017-8607 (Microsoft browsers in Microsoft Windows 7, Windows Server 2008 and R2, ...) NOT-FOR-US: Microsoft CVE-2017-8606 (Microsoft browsers in Microsoft Windows 7, Windows Server 2008 and R2, ...) NOT-FOR-US: Microsoft CVE-2017-8605 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and ...) NOT-FOR-US: Microsoft CVE-2017-8604 (Microsoft Edge in Microsoft Windows 10 1511, 1607, and 1703, and Windo ...) NOT-FOR-US: Microsoft CVE-2017-8603 (Microsoft Edge in Microsoft Windows 10 1511, 1607, and 1703, and Windo ...) NOT-FOR-US: Microsoft CVE-2017-8602 (Microsoft browsers on Microsoft Windows 7 SP1, Windows Server 2008 R2 ...) 
NOT-FOR-US: Microsoft CVE-2017-8601 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and ...) NOT-FOR-US: Microsoft CVE-2017-8600 RESERVED CVE-2017-8599 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and ...) NOT-FOR-US: Microsoft CVE-2017-8598 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and ...) NOT-FOR-US: Microsoft CVE-2017-8597 (Microsoft Edge in Microsoft Windows 10 Version 1703 allows an attacker ...) NOT-FOR-US: Microsoft CVE-2017-8596 (Microsoft Edge in Microsoft Windows 10 1607, and 1703, and Windows Ser ...) NOT-FOR-US: Microsoft CVE-2017-8595 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and ...) NOT-FOR-US: Microsoft CVE-2017-8594 (Internet Explorer on Microsoft Windows 8.1 and Windows RT 8.1, and Win ...) NOT-FOR-US: Microsoft CVE-2017-8593 (Microsoft Win32k in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, ...) NOT-FOR-US: Microsoft CVE-2017-8592 (Microsoft browsers on when Microsoft Windows 7 SP1, Windows Server 200 ...) NOT-FOR-US: Microsoft CVE-2017-8591 (Windows Input Method Editor (IME) in Windows 8.1, Windows Server 2012 ...) NOT-FOR-US: Microsoft CVE-2017-8590 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-8589 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-8588 (Microsoft WordPad in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1 ...) NOT-FOR-US: Microsoft CVE-2017-8587 (Windows Explorer in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, ...) NOT-FOR-US: Microsoft CVE-2017-8586 RESERVED CVE-2017-8585 (Microsoft .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7 allow an attacker ...) NOT-FOR-US: Microsoft CVE-2017-8584 (Windows 10 1607 and Windows Server 2016 allow an attacker to execute c ...) NOT-FOR-US: Microsoft CVE-2017-8583 RESERVED CVE-2017-8582 (HTTP.sys in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP ...) 
NOT-FOR-US: Microsoft CVE-2017-8581 (Win32k in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, ...) NOT-FOR-US: Microsoft CVE-2017-8580 (Win32k in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, ...) NOT-FOR-US: Microsoft CVE-2017-8579 (The DirectX component in Microsoft Windows 10 Gold, 1511, 1607, 1703, ...) NOT-FOR-US: Microsoft CVE-2017-8578 (Win32k in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, ...) NOT-FOR-US: Microsoft CVE-2017-8577 (Win32k in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, ...) NOT-FOR-US: Microsoft CVE-2017-8576 (The graphics component in Microsoft Windows 10 Gold, 1511, 1607, 1703, ...) NOT-FOR-US: Microsoft CVE-2017-8575 (The kernel in Microsoft Windows 10 Gold, 1511, 1607, 1703, and Windows ...) NOT-FOR-US: Windows CVE-2017-8574 (Graphics in Microsoft Windows 10 1607, 1703, and Windows Server 2016 a ...) NOT-FOR-US: Microsoft CVE-2017-8573 (Graphics in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP ...) NOT-FOR-US: Microsoft CVE-2017-8572 (Microsoft Outlook 2007 SP3, Outlook 2010 SP2, Outlook 2013 SP1, Outloo ...) NOT-FOR-US: Microsoft CVE-2017-8571 (Microsoft Outlook 2007 SP3, Outlook 2010 SP2, Outlook 2013 SP1, Outloo ...) NOT-FOR-US: Microsoft CVE-2017-8570 (Microsoft Office allows a remote code execution vulnerability due to t ...) NOT-FOR-US: Microsoft CVE-2017-8569 (Microsoft SharePoint Server allows an elevation of privilege vulnerabi ...) NOT-FOR-US: Microsoft CVE-2017-8568 RESERVED CVE-2017-8567 (A remote code execution vulnerability exists in Microsoft Excel for Ma ...) NOT-FOR-US: Microsoft CVE-2017-8566 (Microsoft Windows 1607, 1703, and Windows Server 2016 allows an elevat ...) NOT-FOR-US: Microsoft CVE-2017-8565 (Windows PowerShell in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP ...) NOT-FOR-US: Microsoft CVE-2017-8564 (Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Window ...) 
NOT-FOR-US: Microsoft CVE-2017-8563 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-8562 (Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, ...) NOT-FOR-US: Microsoft CVE-2017-8561 (Windows kernel in Microsoft Windows 8.1, Windows Server 2012 Gold and ...) NOT-FOR-US: Microsoft CVE-2017-8560 (Microsoft Exchange Server 2010 SP3, Exchange Server 2013 SP3, Exchange ...) NOT-FOR-US: Microsoft CVE-2017-8559 (Microsoft Exchange Server 2010 SP3, Exchange Server 2013 SP3, Exchange ...) NOT-FOR-US: Microsoft CVE-2017-8558 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-8557 (Windows System Information Console in Windows Server 2008 SP2 and R2 S ...) NOT-FOR-US: Microsoft CVE-2017-8556 (Graphics in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP ...) NOT-FOR-US: Microsoft CVE-2017-8555 (Microsoft Edge in Microsoft Windows 10 1703 allows an attacker to tric ...) NOT-FOR-US: Microsoft CVE-2017-8554 (The kernel in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 ...) NOT-FOR-US: Microsoft CVE-2017-8553 (An information disclosure vulnerability exists in Microsoft Windows Se ...) NOT-FOR-US: Microsoft CVE-2017-8552 (A kernel-mode driver in Microsoft Windows XP SP3, Windows XP x64 XP2, ...) NOT-FOR-US: Microsoft CVE-2017-8551 (An elevation of privilege vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2017-8550 (A remote code execution vulnerability exists in Skype for Business whe ...) NOT-FOR-US: Microsoft CVE-2017-8549 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and ...) NOT-FOR-US: Microsoft CVE-2017-8548 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and ...) NOT-FOR-US: Microsoft CVE-2017-8547 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...) 
NOT-FOR-US: Microsoft CVE-2017-8546 RESERVED CVE-2017-8545 (A spoofing vulnerability exists in when Microsoft Outlook for Mac does ...) NOT-FOR-US: Microsoft CVE-2017-8544 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-8543 (Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, ...) NOT-FOR-US: Microsoft CVE-2017-8542 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-8541 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-8540 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-8539 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-8538 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-8537 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-8536 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-8535 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-8534 (Uniscribe in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Window ...) NOT-FOR-US: Microsoft CVE-2017-8533 (Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-8532 (Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-8531 (Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-8530 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and ...) NOT-FOR-US: Microsoft CVE-2017-8529 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 R2 S ...) 
NOT-FOR-US: Microsoft CVE-2017-8528 (Uniscribe in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Window ...) NOT-FOR-US: Microsoft CVE-2017-8527 (Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-8526 RESERVED CVE-2017-8525 RESERVED CVE-2017-8524 (Microsoft browsers in Microsoft Windows 7 SP1, Windows Server 2008 R2 ...) NOT-FOR-US: Microsoft CVE-2017-8523 (Microsoft Edge in Microsoft Windows 10 Gold, 1511, 1607, and 1703, and ...) NOT-FOR-US: Microsoft CVE-2017-8522 (Microsoft browsers in Microsoft Windows 8.1 and Windows RT 8.1, Window ...) NOT-FOR-US: Microsoft CVE-2017-8521 (Microsoft Edge in Windows 10 1703 allows an attacker to execute arbitr ...) NOT-FOR-US: Microsoft CVE-2017-8520 (Microsoft Edge in Windows 10 1703 allows an attacker to execute arbitr ...) NOT-FOR-US: Microsoft CVE-2017-8519 (Internet Explorer in Microsoft Windows 7 SP1, Windows Server 2008 and ...) NOT-FOR-US: Microsoft CVE-2017-8518 (Microsoft Edge allows a remote code execution vulnerability due to the ...) NOT-FOR-US: Microsoft CVE-2017-8517 (Microsoft browsers in Microsoft Windows Server 2008 SP2 and R2 SP1, Wi ...) NOT-FOR-US: Microsoft CVE-2017-8516 (Microsoft SQL Server Analysis Services in Microsoft SQL Server 2012, M ...) NOT-FOR-US: Microsoft CVE-2017-8515 (Microsoft Windows 10 1511, 1607, and 1703, and Windows Server 2016 all ...) NOT-FOR-US: Microsoft CVE-2017-8514 (An information disclosure vulnerability exists when Microsoft SharePoi ...) NOT-FOR-US: Microsoft CVE-2017-8513 (A remote code execution vulnerability exists in Microsoft PowerPoint w ...) NOT-FOR-US: Microsoft CVE-2017-8512 (A remote code execution vulnerability exists in Microsoft Office when ...) NOT-FOR-US: Microsoft CVE-2017-8511 (A remote code execution vulnerability exists in Microsoft Office when ...) NOT-FOR-US: Microsoft CVE-2017-8510 (A remote code execution vulnerability exists in Microsoft Office when ...) 
NOT-FOR-US: Microsoft CVE-2017-8509 (A remote code execution vulnerability exists in Microsoft Office when ...) NOT-FOR-US: Microsoft CVE-2017-8508 (A security feature bypass vulnerability exists in Microsoft Office sof ...) NOT-FOR-US: Microsoft CVE-2017-8507 (A remote code execution vulnerability exists in the way Microsoft Offi ...) NOT-FOR-US: Microsoft CVE-2017-8506 (A remote code execution vulnerability exists in Microsoft Office when ...) NOT-FOR-US: Microsoft CVE-2017-8505 RESERVED CVE-2017-8504 (Microsoft Edge in Windows 10 1607 and 1703, and Windows Server 2016 al ...) NOT-FOR-US: Microsoft CVE-2017-8503 (Microsoft Edge in Microsoft Windows 10 1511, 1607, 1703, and Windows S ...) NOT-FOR-US: Microsoft CVE-2017-8502 (Microsoft Office allows a remote code execution vulnerability due to t ...) NOT-FOR-US: Microsoft CVE-2017-8501 (Microsoft Office allows a remote code execution vulnerability due to t ...) NOT-FOR-US: Microsoft CVE-2017-8500 RESERVED CVE-2017-8499 (Microsoft Edge in Windows 10 1703 allows an attacker to execute arbitr ...) NOT-FOR-US: Microsoft CVE-2017-8498 (Microsoft Edge in Windows 10 1607 and 1703, and Windows Server 2016 al ...) NOT-FOR-US: Microsoft CVE-2017-8497 (Microsoft Edge in Windows 10 1607 and Windows Server 2016 allows an at ...) NOT-FOR-US: Microsoft CVE-2017-8496 (Microsoft Edge in Windows 10 1607 and Windows Server 2016 allows an at ...) NOT-FOR-US: Microsoft CVE-2017-8495 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-8494 (Microsoft Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 20 ...) NOT-FOR-US: Microsoft CVE-2017-8493 (Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, Wind ...) NOT-FOR-US: Microsoft CVE-2017-8492 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8491 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) 
NOT-FOR-US: Microsoft CVE-2017-8490 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8489 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8488 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8487 (Windows OLE in Windows XP and Windows Server 2003 allows an attacker t ...) NOT-FOR-US: Microsoft CVE-2017-8486 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-8485 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8484 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-8483 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8482 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8481 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8480 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8479 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8478 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8477 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-8476 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8475 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows S ...) NOT-FOR-US: Microsoft CVE-2017-8474 (The kernel in Microsoft Windows Server 2008 R2 SP1, Windows 7 SP1, Win ...) 
NOT-FOR-US: Microsoft CVE-2017-8473 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows S ...) NOT-FOR-US: Microsoft CVE-2017-8472 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, and Windo ...) NOT-FOR-US: Microsoft CVE-2017-8471 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-8470 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-8469 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8468 (Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, Wind ...) NOT-FOR-US: Microsoft CVE-2017-8467 (Graphics in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP ...) NOT-FOR-US: Microsoft CVE-2017-8466 (Windows Cursor in Windows 8.1, Windows Server 2012 Gold and R2, Window ...) NOT-FOR-US: Microsoft CVE-2017-8465 (Microsoft Windows 8.1 and Windows RT 8.1, Windows Server 2012 R2, Wind ...) NOT-FOR-US: Microsoft CVE-2017-8464 (Windows Shell in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-8463 (Windows Shell in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Wi ...) NOT-FOR-US: Microsoft CVE-2017-8462 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-8461 (Windows RPC with Routing and Remote Access enabled in Windows XP and W ...) NOT-FOR-US: Microsoft CVE-2017-8460 (Windows PDF in Windows 8.1, Windows Server 2012 Gold and R2, Windows R ...) NOT-FOR-US: Microsoft CVE-2017-8459 (** DISPUTED ** Brave 0.12.4 has a Status Bar Obfuscation issue in whic ...) - brave-browser (bug #864795) CVE-2017-8458 (Brave 0.12.4 has a URI Obfuscation issue in which a string such as htt ...) - brave-browser (bug #864795) CVE-2017-8457 RESERVED CVE-2017-8456 RESERVED CVE-2017-8455 (Foxit Reader before 8.2.1 and PhantomPDF before 8.2.1 have an out-of-b ...) 
NOT-FOR-US: Foxit Reader CVE-2017-8454 (Foxit Reader before 8.2.1 and PhantomPDF before 8.2.1 have an out-of-b ...) NOT-FOR-US: Foxit Reader CVE-2017-8453 (Foxit Reader before 8.2.1 and PhantomPDF before 8.2.1 have an out-of-b ...) NOT-FOR-US: Foxit Reader CVE-2017-8452 (Kibana versions prior to 5.2.1 configured for SSL client access, file ...) - kibana (bug #700337) CVE-2017-8451 (With X-Pack installed, Kibana versions before 5.3.1 have an open redir ...) NOT-FOR-US: Kibana addon CVE-2017-8450 (X-Pack 5.1.1 did not properly apply document and field level security ...) NOT-FOR-US: Kibana addon CVE-2017-8449 (X-Pack Security 5.2.x would allow access to more fields than the user ...) NOT-FOR-US: Kibana addon CVE-2017-8448 (An error was found in the permission model used by X-Pack Alerting 5.0 ...) - kibana (bug #700337) CVE-2017-8447 (An error was found in the X-Pack Security 5.3.0 to 5.5.2 privilege enf ...) NOT-FOR-US: X-Pack plugin for Kibana CVE-2017-8446 (The Reporting feature in X-Pack in versions prior to 5.5.2 and standal ...) NOT-FOR-US: X-Pack plugin for Kibana CVE-2017-8445 (An error was found in the X-Pack Security TLS trust manager for versio ...) NOT-FOR-US: X-Pack Security TLS trust manager plugin for Elasticsearch CVE-2017-8444 (The client-forwarder in Elastic Cloud Enterprise versions prior to 1.0 ...) NOT-FOR-US: Elastic Cloud Enterprise CVE-2017-8443 (In Kibana X-Pack security versions prior to 5.4.3 if a Kibana user ope ...) NOT-FOR-US: Kibana X-Pack Security CVE-2017-8442 (Elasticsearch X-Pack Security versions 5.0.0 to 5.4.3, when enabled, c ...) NOT-FOR-US: Elastic X-Pack Security CVE-2017-8441 (Elastic X-Pack Security versions prior to 5.4.1 and 5.3.3 did not alwa ...) NOT-FOR-US: Elastic X-Pack Security CVE-2017-8440 (Starting in version 5.3.0, Kibana had a cross-site scripting (XSS) vul ...) - kibana (bug #700337) CVE-2017-8439 (Kibana version 5.4.0 was affected by a Cross Site Scripting (XSS) bug ...)
- kibana (bug #700337) CVE-2017-8438 (Elastic X-Pack Security versions 5.0.0 to 5.4.0 contain a privilege es ...) NOT-FOR-US: Elastic X-Pack Security CVE-2017-8437 RESERVED CVE-2017-8436 RESERVED CVE-2017-8435 RESERVED CVE-2017-8434 RESERVED CVE-2017-8433 RESERVED CVE-2017-8432 RESERVED CVE-2017-8431 RESERVED CVE-2017-8430 RESERVED CVE-2017-8429 RESERVED CVE-2017-8428 RESERVED CVE-2017-8427 RESERVED CVE-2017-8426 RESERVED CVE-2017-8425 RESERVED CVE-2017-8424 RESERVED CVE-2017-8423 RESERVED CVE-2017-8422 (KDE kdelibs before 4.14.32 and KAuth before 5.34 allow local users to ...) {DSA-3849-1 DLA-952-1} - kauth 5.28.0-2 - kde4libs 4:4.14.26-2 NOTE: https://www.openwall.com/lists/oss-security/2017/05/10/3 NOTE: patch for kauth: https://github.com/KDE/kauth/commit/df875f725293af53399f5146362eb158b4f9216a NOTE: patch for kde4libs: https://github.com/KDE/kdelibs/commit/264e97625abe2e0334f97de17f6ffb52582888ab NOTE: https://www.kde.org/info/security/advisory-20170510-1.txt CVE-2017-8421 (The function coff_set_alignment_hook in coffcode.h in Binary File Desc ...) - binutils 2.28-5 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21440 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=39ff1b79f687b65f4144ddb379f22587003443fb CVE-2017-8420 (SWFTools 2013-04-09-1007 on Windows has a "Data from Faulting Address ...) - swftools (unimportant) NOTE: No actionable information, just a crash report against a four year old release NOTE: https://github.com/matthiaskramm/swftools/issues/41 CVE-2017-8419 (LAME through 3.99.5 relies on the signed integer data type for values ...) 
- lame 3.99.5+repack1-7 [wheezy] - lame 3.99.5+repack1-3+deb7u1 NOTE: https://sourceforge.net/p/lame/bugs/458/ NOTE: Issue addressed in Debian via: https://sources.debian.org/patches/lame/3.99.5%2Brepack1-9/0001-Add-check-for-invalid-input-sample-rate.patch/ NOTE: in the revised version as included in 3.99.5+repack1-7 CVE-2017-8905 (Xen through 4.6.x on 64-bit platforms mishandles a failsafe callback, ...) {DSA-3847-1 DLA-964-1} - xen 4.8.0~rc3-1 (bug #861662) NOTE: https://xenbits.xen.org/xsa/advisory-215.html CVE-2017-8904 (Xen through 4.8.x mishandles the "contains segment descriptors" proper ...) {DSA-3847-1 DLA-964-1} - xen 4.8.1-1+deb9u1 (bug #861660) NOTE: https://xenbits.xen.org/xsa/advisory-214.html CVE-2017-8903 (Xen through 4.8.x on 64-bit platforms mishandles page tables after an ...) {DSA-3847-1 DLA-964-1} - xen 4.8.1-1+deb9u1 (bug #861659) NOTE: https://xenbits.xen.org/xsa/advisory-213.html CVE-2017-8418 (RuboCop 0.48.1 and earlier does not use /tmp in safe way, allowing loc ...) - rubocop 0.49.1+dfsg-1 (bug #870852) NOTE: https://github.com/bbatsov/rubocop/issues/4336 NOTE: https://github.com/bbatsov/rubocop/commit/dcb258fabd5f2624c1ea0e1634763094590c09d7 CVE-2017-8417 (An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The d ...) NOT-FOR-US: D-Link CVE-2017-8416 (An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The d ...) NOT-FOR-US: D-Link CVE-2017-8415 (An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The d ...) NOT-FOR-US: D-Link CVE-2017-8414 (An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The b ...) NOT-FOR-US: D-Link CVE-2017-8413 (An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The d ...) NOT-FOR-US: D-Link CVE-2017-8412 (An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The d ...) NOT-FOR-US: D-Link CVE-2017-8411 (An issue was discovered on D-Link DCS-1130 devices. The device provide ...) 
NOT-FOR-US: D-Link CVE-2017-8410 (An issue was discovered on D-Link DCS-1100 and DCS-1130 devices. The b ...) NOT-FOR-US: D-Link CVE-2017-8409 (An issue was discovered on D-Link DCS-1130 devices. The device require ...) NOT-FOR-US: D-Link CVE-2017-8408 (An issue was discovered on D-Link DCS-1130 devices. The device provide ...) NOT-FOR-US: D-Link CVE-2017-8407 (An issue was discovered on D-Link DCS-1130 devices. The device provide ...) NOT-FOR-US: D-Link CVE-2017-8406 (An issue was discovered on D-Link DCS-1130 devices. The device provide ...) NOT-FOR-US: D-Link CVE-2017-8405 (An issue was discovered on D-Link DCS-1130 and DCS-1100 devices. The b ...) NOT-FOR-US: D-Link CVE-2017-8404 (An issue was discovered on D-Link DCS-1130 devices. The device provide ...) NOT-FOR-US: D-Link CVE-2017-8403 (360fly 4K cameras allow unauthenticated Wi-Fi password changes and com ...) NOT-FOR-US: 360fly CVE-2017-8402 (PivotX 2.3.11 allows remote authenticated users to execute arbitrary P ...) NOT-FOR-US: PivotX CVE-2017-8401 (In SWFTools 0.9.2, an out-of-bounds read of heap data can occur in the ...) {DLA-995-1} - swftools (unimportant; bug #861998) NOTE: https://github.com/matthiaskramm/swftools/issues/14 NOTE: https://github.com/matthiaskramm/swftools/commit/392fb1f3cd9a5b167787c551615c651c3f5326f2 NOTE: Crash in CLI tool not considered a security issue CVE-2017-8400 (In SWFTools 0.9.2, an out-of-bounds write of heap data can occur in th ...) {DLA-995-1} - swftools 0.9.2+git20130725-4.1 (bug #861693) [jessie] - swftools (Minor issue) NOTE: https://github.com/matthiaskramm/swftools/issues/13 NOTE: https://github.com/matthiaskramm/swftools/commit/7139f3cf7c8bc576bea1dbd07c58ce1ad92b774a CVE-2017-8399 (PCRE2 before 10.30 has an out-of-bounds write caused by a stack-based ...) 
- pcre2 (Did only affect revision after r670 upstream; not in a released version) NOTE: Fixed by: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=783 NOTE: https://vcs.pcre.org/pcre2?view=revision&revision=674 CVE-2017-8398 (dwarf.c in GNU Binutils 2.28 is vulnerable to an invalid read of size ...) - binutils 2.28-5 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21438 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=d949ff5607b9f595e0eed2ff15fbe5eb84eb3a34 CVE-2017-8397 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils 2.28-5 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21434 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=04b31182bf3f8a1a76e995bdfaaaab4c009b9cb2 CVE-2017-8396 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils 2.28-5 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21432 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a941291cab71b9ac356e1c03968c177c03e602ab CVE-2017-8395 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils 2.28-5 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21431 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e63d123268f23a4cbc45ee55fb6dbc7d84729da3 CVE-2017-8394 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) 
- binutils 2.28-5 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21414 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=7eacd66b086cabb1daab20890d5481894d4f56b2 CVE-2017-8393 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils 2.28-5 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21412 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=bce964aa6c777d236fbd641f2bc7bb931cfe4bf3 CVE-2017-8392 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils (Vulnerable code introduced later) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21409 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=97e83a100aa8250be783304bfe0429761c6e6b6b NOTE: Introduced by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=3239a4231ff79bf8b67b8faaf414b1667486167c CVE-2017-8391 (The OS Installation Management component in CA Client Automation r12.9 ...) NOT-FOR-US: OS Installation Management component in CA Client Automation CVE-2017-8390 (The DNS Proxy in Palo Alto Networks PAN-OS before 6.1.18, 7.x before 7 ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-8389 RESERVED CVE-2017-8388 (GeniXCMS 1.0.2 allows remote attackers to bypass the alertDanger MSG_U ...) NOT-FOR-US: GeniXCMS CVE-2017-8387 (STDU Viewer version 1.6.375 might allow user-assisted attackers to exe ...) NOT-FOR-US: STDU Viewer CVE-2017-8386 (git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7 ...) 
{DSA-3848-1 DLA-938-1} - git 1:2.11.0-3 NOTE: http://lkml.iu.edu/hypermail/linux/kernel/1705.1/01337.html NOTE: http://lkml.iu.edu/hypermail/linux/kernel/1705.1/01346.html NOTE: https://insinuator.net/2017/05/git-shell-bypass-by-abusing-less-cve-2017-8386/ NOTE: https://git.kernel.org/pub/scm/git/git.git/commit/?id=3ec804490a265f4c418a321428c12f3f18b7eff5 CVE-2017-8385 (Craft CMS before 2.6.2976 does not prevent modification of the URL in ...) NOT-FOR-US: Craft CMS CVE-2017-8384 (Craft CMS before 2.6.2976 allows XSS attacks because an array returned ...) NOT-FOR-US: Craft CMS CVE-2017-8383 (Craft CMS before 2.6.2976 does not properly restrict viewing the conte ...) NOT-FOR-US: Craft CMS CVE-2017-8382 (admidio 3.2.8 has CSRF in adm_program/modules/members/members_function ...) NOT-FOR-US: admidio CVE-2017-8381 (XnView Classic for Windows Version 2.40 allows user-assisted remote at ...) NOT-FOR-US: XnView Classic for Windows CVE-2017-8380 (Buffer overflow in the "megasas_mmio_write" function in Qemu 2.9.0 all ...) - qemu 1:2.8+dfsg-5 (bug #862282) [jessie] - qemu (Vulnerable code introduced later) [wheezy] - qemu (Vulnerable code introduced later) - qemu-kvm (Vulnerable code introduced later) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04147.html NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commit;h=e23d04984a78490d8aaa5c45724a3a334933331f (v2.2.0-rc0) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=24dfa9fa2f90a95ac33c7372de4f4f2c8a2c141f CVE-2017-8379 (Memory leak in the keyboard input event handlers support in QEMU (aka ...) {DLA-1497-1} - qemu 1:2.8+dfsg-5 (bug #862289) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=fa18f36a461984eae50ab957e47ec78dae3c14fc CVE-2017-8378 (Heap-based buffer overflow in the PdfParser::ReadObjects function in b ...) 
- libpodofo 0.9.5-9 (bug #861597) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: PoC: https://github.com/xiangxiaobo/poc_and_report/tree/master/podofo_heapoverflow_PdfParser.ReadObjects NOTE: Upstream commit: https://sourceforge.net/p/podofo/code/1833/ CVE-2017-8377 (GeniXCMS 1.0.2 has SQL Injection in inc/lib/Control/Backend/menus.cont ...) NOT-FOR-US: GeniXCMS CVE-2017-8376 (GeniXCMS 1.0.2 has XSS triggered by an authenticated comment that is m ...) NOT-FOR-US: GeniXCMS CVE-2017-8375 RESERVED CVE-2017-8374 (The mad_bit_skip function in bit.c in Underbit MAD libmad 0.15.1b allo ...) {DSA-4192-1 DLA-1380-1} - libmad 0.15.1b-9 NOTE: https://blogs.gentoo.org/ago/2017/04/30/libmad-heap-based-buffer-overflow-in-mad_bit_skip-bit-c/ NOTE: The patch from #508133 fixed things related to this, but did not fix this. NOTE: Patch in 0.15.1b-9: libmad-0.15.1b/debian/patches/length-check.patch CVE-2017-8373 (The mad_layer_III function in layer3.c in Underbit MAD libmad 0.15.1b ...) {DSA-4192-1 DLA-1380-1} - libmad 0.15.1b-9 (bug #287519) NOTE: https://blogs.gentoo.org/ago/2017/04/30/libmad-heap-based-buffer-overflow-in-mad_layer_iii-layer3-c/ NOTE: The patch from #508133 applied in 0.15.1b-4 only partially fixed it NOTE: "Duplicate with"/basically same as CVE-2017-8372 NOTE: Patch in 0.15.1b-9: libmad-0.15.1b/debian/patches/md_size.diff CVE-2017-8372 (The mad_layer_III function in layer3.c in Underbit MAD libmad 0.15.1b, ...) {DSA-4192-1 DLA-1380-1} - libmad 0.15.1b-9 (bug #287519) NOTE: https://blogs.gentoo.org/ago/2017/04/30/libmad-assertion-failure-in-layer3-c/ NOTE: The patch from #508133 applied in 0.15.1b-4 only partially fixed it NOTE: "Duplicate" with/basically same as CVE-2017-8373 NOTE: Patch in 0.15.1b-9: libmad-0.15.1b/debian/patches/md_size.diff CVE-2017-8371 (Schneider Electric StruxureWare Data Center Expert before 7.4.0 uses c ...) 
NOT-FOR-US: Schneider Electric CVE-2017-8370 (IrfanView version 4.44 (32bit) with FPX Plugin 4.45 allows remote atta ...) NOT-FOR-US: IrfanView CVE-2017-8369 (IrfanView version 4.44 (32bit) has a "Data from Faulting Address contr ...) NOT-FOR-US: IrfanView CVE-2017-8368 (Sublime Text 3 Build 3126 allows user-assisted attackers to cause a de ...) - sublime-text (bug #682158) CVE-2017-8367 (Buffer overflow in Ether Software Easy MOV Converter 1.4.24, Easy DVD ...) NOT-FOR-US: Ether Software CVE-2017-8366 (The strescape function in ec_strings.c in Ettercap 0.8.2 allows remote ...) {DSA-3874-1} - ettercap 1:0.8.2-5 (bug #861604) NOTE: https://github.com/Ettercap/ettercap/issues/792 NOTE: Fixed by: https://github.com/Ettercap/ettercap/commit/1083d604930ebb9f350126b83802ecd2cbc17f90 CVE-2017-8365 (The i2les_array function in pcm.c in libsndfile 1.0.28 allows remote a ...) {DLA-1618-1 DLA-956-1} - libsndfile 1.0.27-3 (bug #862202) NOTE: https://blogs.gentoo.org/ago/2017/04/29/libsndfile-global-buffer-overflow-in-i2les_array-pcm-c/ NOTE: https://github.com/erikd/libsndfile/issues/230 NOTE: Fixed by: https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3 CVE-2017-8364 (The read_buf function in stream.c in rzip 2.1 allows remote attackers ...) {DLA-2189-1 DLA-955-1} - rzip 2.1-4.1 (bug #861614) NOTE: https://blogs.gentoo.org/ago/2017/04/29/rzip-heap-based-buffer-overflow-in-read_buf-stream-c/ NOTE: Patch in http://download.opensuse.org/repositories/openSUSE:/Leap:/42.2:/Update/standard/src/rzip-2.1-151.3.1.src.rpm CVE-2017-8363 (The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows re ...) 
{DLA-1618-1 DLA-956-1} - libsndfile 1.0.27-3 (bug #862203) NOTE: https://blogs.gentoo.org/ago/2017/04/29/libsndfile-heap-based-buffer-overflow-in-flac_buffer_copy-flac-c/ NOTE: https://github.com/erikd/libsndfile/issues/233 NOTE: https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3 NOTE: https://github.com/erikd/libsndfile/commit/cd7da8dbf6ee4310d21d9e44b385d6797160d9e8 CVE-2017-8362 (The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows re ...) {DLA-1618-1 DLA-956-1} - libsndfile 1.0.27-3 (bug #862204) NOTE: https://blogs.gentoo.org/ago/2017/04/29/libsndfile-invalid-memory-read-in-flac_buffer_copy-flac-c/ NOTE: https://github.com/erikd/libsndfile/issues/231 NOTE: https://github.com/erikd/libsndfile/commit/ef1dbb2df1c0e741486646de40bd638a9c4cd808 CVE-2017-8361 (The flac_buffer_copy function in flac.c in libsndfile 1.0.28 allows re ...) {DLA-1618-1 DLA-956-1} - libsndfile 1.0.27-3 (bug #862205) NOTE: https://blogs.gentoo.org/ago/2017/04/29/libsndfile-global-buffer-overflow-in-flac_buffer_copy-flac-c/ NOTE: https://github.com/erikd/libsndfile/issues/232 NOTE: https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3 CVE-2017-8360 (Conexant Systems mictray64 task, as used on HP Elite, EliteBook, ProBo ...) NOT-FOR-US: Conexant Systems mictray64 task CVE-2017-8359 (Google gRPC before 2017-03-29 has an out-of-bounds write caused by a h ...) - grpc 1.3.2-0.1 NOTE: https://github.com/grpc/grpc/pull/10353 NOTE: Fixed by: https://github.com/grpc/grpc/commit/6544a2d5d9ecdb64214da1d228886a7d15bbf5c7 CVE-2017-8358 (LibreOffice before 2017-03-17 has an out-of-bounds write caused by a h ...) 
- libreoffice (Vulnerable code introduced on 2017-03-15; never in released version) NOTE: Fixed by: https://github.com/LibreOffice/core/commit/6e6e54f944a5ebb49e9110bdeff844d00a96c56c NOTE: Introduced by: https://github.com/LibreOffice/core/commit/ceb53ad9f34ae05d09f61845d581546eac0c6d60 CVE-2017-8357 (In ImageMagick 7.0.5-5, the ReadEPTImage function in ept.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862636) NOTE: https://github.com/ImageMagick/ImageMagick/issues/453 CVE-2017-8356 (In ImageMagick 7.0.5-5, the ReadSUNImage function in sun.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862635) NOTE: https://github.com/ImageMagick/ImageMagick/issues/449 CVE-2017-8355 (In ImageMagick 7.0.5-5, the ReadMTVImage function in mtv.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862634) NOTE: https://github.com/ImageMagick/ImageMagick/issues/450 CVE-2017-8354 (In ImageMagick 7.0.5-5, the ReadBMPImage function in bmp.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862633) NOTE: https://github.com/ImageMagick/ImageMagick/issues/451 CVE-2017-8353 (In ImageMagick 7.0.5-5, the ReadPICTImage function in pict.c allows at ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862632) NOTE: https://github.com/ImageMagick/ImageMagick/issues/454 CVE-2017-8352 (In ImageMagick 7.0.5-5, the ReadXWDImage function in xwd.c allows atta ...) {DSA-3863-1 DLA-1081-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862590) NOTE: https://github.com/ImageMagick/ImageMagick/issues/452 CVE-2017-8351 (In ImageMagick 7.0.5-5, the ReadPCDImage function in pcd.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862589) NOTE: https://github.com/ImageMagick/ImageMagick/issues/448 CVE-2017-8350 (In ImageMagick 7.0.5-5, the ReadJNGImage function in png.c allows atta ...) 
{DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862587) NOTE: https://github.com/ImageMagick/ImageMagick/issues/447 CVE-2017-8349 (In ImageMagick 7.0.5-5, the ReadSFWImage function in sfw.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862579) NOTE: https://github.com/ImageMagick/ImageMagick/issues/443 CVE-2017-8348 (In ImageMagick 7.0.5-5, the ReadMATImage function in mat.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862578) NOTE: https://github.com/ImageMagick/ImageMagick/issues/445 CVE-2017-8347 (In ImageMagick 7.0.5-5, the ReadEXRImage function in exr.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862577) NOTE: https://github.com/ImageMagick/ImageMagick/issues/441 CVE-2017-8346 (In ImageMagick 7.0.5-5, the ReadDCMImage function in dcm.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862575) NOTE: https://github.com/ImageMagick/ImageMagick/issues/440 CVE-2017-8345 (In ImageMagick 7.0.5-5, the ReadMNGImage function in png.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862573) NOTE: https://github.com/ImageMagick/ImageMagick/issues/442 CVE-2017-8344 (In ImageMagick 7.0.5-5, the ReadPCXImage function in pcx.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862574) NOTE: https://github.com/ImageMagick/ImageMagick/issues/446 CVE-2017-8343 (In ImageMagick 7.0.5-5, the ReadAAIImage function in aai.c allows atta ...) {DSA-3863-1 DLA-960-1} - imagemagick 8:6.9.7.4+dfsg-7 (bug #862572) NOTE: https://github.com/ImageMagick/ImageMagick/issues/444 CVE-2017-8341 (Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Conte ...) NOT-FOR-US: Open-Xchange GmbH OX App Suite CVE-2017-8340 (Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incor ...) 
NOT-FOR-US: Open-Xchange GmbH OX App Suite CVE-2017-8339 (PSKMAD.sys in Panda Free Antivirus 18.0 allows local users to cause a ...) NOT-FOR-US: Panda Free Antivirus CVE-2017-8338 (A vulnerability in MikroTik Version 6.38.5 could allow an unauthentica ...) NOT-FOR-US: MikroTik CVE-2017-8337 (An issue was discovered on Securifi Almond, Almond+, and Almond 2015 d ...) NOT-FOR-US: Securifi CVE-2017-8336 (An issue was discovered on Securifi Almond, Almond+, and Almond 2015 d ...) NOT-FOR-US: Securifi CVE-2017-8335 (An issue was discovered on Securifi Almond, Almond+, and Almond 2015 d ...) NOT-FOR-US: Securifi CVE-2017-8334 (An issue was discovered on Securifi Almond, Almond+, and Almond 2015 d ...) NOT-FOR-US: Securifi CVE-2017-8333 (An issue was discovered on Securifi Almond, Almond+, and Almond 2015 d ...) NOT-FOR-US: Securifi CVE-2017-8332 (An issue was discovered on Securifi Almond, Almond+, and Almond 2015 d ...) NOT-FOR-US: Securifi CVE-2017-8331 (An issue was discovered on Securifi Almond, Almond+, and Almond 2015 d ...) NOT-FOR-US: Securifi CVE-2017-8330 (An issue was discovered on Securifi Almond, Almond+, and Almond 2015 d ...) NOT-FOR-US: Securifi CVE-2017-8329 (An issue was discovered on Securifi Almond, Almond+, and Almond 2015 d ...) NOT-FOR-US: Securifi CVE-2017-8328 (An issue was discovered on Securifi Almond, Almond+, and Almond 2015 d ...) NOT-FOR-US: Securifi CVE-2017-8342 (Radicale before 1.1.2 and 2.x before 2.0.0rc2 is prone to timing oracl ...) {DLA-2187-1 DLA-934-1} - radicale 1.1.1+20160115-4 (bug #861514) NOTE: https://github.com/Kozea/Radicale/commit/190b1dd795f0c552a4992445a231da760211183b (1.1.x) NOTE: https://github.com/Kozea/Radicale/commit/059ba8dec1f22ccbeab837e288b3833a099cee2d (master) CVE-2017-8327 (The bmpr_read_uncompressed function in imagew-bmp.c in libimageworsene ...) NOT-FOR-US: ImageWorsener CVE-2017-8326 (libimageworsener.a in ImageWorsener before 1.3.1 has "left shift canno ...) 
NOT-FOR-US: ImageWorsener CVE-2017-8325 (The iw_process_cols_to_intermediate function in imagew-main.c in libim ...) NOT-FOR-US: ImageWorsener CVE-2017-8324 RESERVED CVE-2017-8323 RESERVED CVE-2017-8322 RESERVED CVE-2017-8321 RESERVED CVE-2017-8320 RESERVED CVE-2017-8319 RESERVED CVE-2017-8318 RESERVED CVE-2017-8317 RESERVED CVE-2017-8316 (IntelliJ IDEA XML parser was found vulnerable to XML External Entity a ...) NOT-FOR-US: IntelliJ IDEA XML parser CVE-2017-8315 (Eclipse XML parser for the Eclipse IDE versions 2017.2.5 and earlier w ...) - apktool 2.2.4-1 (low) [stretch] - apktool (Minor issue) NOTE: Upstream bug with details is restricted NOTE: According to Red Hat only eclipse-andmore was affected but it was NOTE: never shipped with Debian. Apktool is affected though. NOTE: Possible fixes: https://github.com/iBotPeaches/Apktool/commit/f19317d87c316ed254aafa0a27eddd024e25ec6c NOTE: https://github.com/iBotPeaches/Apktool/commit/657a44f5938b072898a0de913c03760210e0f4ed NOTE: https://github.com/iBotPeaches/Apktool/commit/dbb144f9af5478c780e59c8b65036ae882595063 CVE-2017-8314 (Directory Traversal in Zip Extraction built-in function in Kodi 17.1 a ...) {DLA-1243-1} - kodi 2:17.1+dfsg1-3 (bug #863230) - xbmc [jessie] - xbmc (Minor issue) NOTE: http://blog.checkpoint.com/2017/05/23/hacked-in-translation/ NOTE: https://kodi.tv/article/kodi-v172-minor-bug-fix-and-security-release NOTE: Fixed by https://github.com/xbmc/xbmc/commit/35cfe35608b15335ef21d798947fceab3f47c8d7 CVE-2017-8313 (Heap out-of-bound read in ParseJSS in VideoLAN VLC before 2.2.5 due to ...) {DSA-3899-1} - vlc 2.2.5-1 [wheezy] - vlc (Not supported in wheezy LTS) NOTE: http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=05b653355ce303ada3b5e0e645ae717fea39186c CVE-2017-8312 (Heap out-of-bound read in ParseJSS in VideoLAN VLC due to missing chec ...) 
{DSA-3899-1} - vlc 2.2.6-1~deb9u1 [wheezy] - vlc (Not supported in wheezy LTS) NOTE: http://git.videolan.org/?p=vlc.git;a=commitdiff;h=611398fc8d32f3fe4331f60b220c52ba3557beaa CVE-2017-8311 (Potential heap based buffer overflow in ParseJSS in VideoLAN VLC befor ...) {DSA-3899-1} - vlc 2.2.5-1 [wheezy] - vlc (Not supported in wheezy LTS) NOTE: http://git.videolan.org/?p=vlc.git;a=commitdiff;h=775de716add17322f24b476439f903a829446eb6 CVE-2017-8310 (Heap out-of-bound read in CreateHtmlSubtitle in VideoLAN VLC 2.2.x due ...) {DSA-3899-1} - vlc 2.2.5.1-1~deb9u1 [wheezy] - vlc (Not supported in wheezy LTS) NOTE: http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commit;h=7cac839692ab79dbfe5e4ebd4c4e37d9a8b1b328 CVE-2017-8309 (Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows r ...) {DLA-1497-1 DLA-1071-1 DLA-1070-1} - qemu 1:2.8+dfsg-5 (bug #862280) - qemu-kvm NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=3268a845f41253fb55852a8429c32b50f36f349a CVE-2017-8308 (In Avast Antivirus before v17, an unprivileged user (and thus malware ...) NOT-FOR-US: Avast Antivirus CVE-2017-8307 (In Avast Antivirus before v17, using the LPC interface API exposed by ...) NOT-FOR-US: Avast Antivirus CVE-2017-8306 RESERVED CVE-2017-8304 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...) NOT-FOR-US: Accellion FTA devices CVE-2017-8303 (An issue was discovered on Accellion FTA devices before FTA_9_12_180. ...) NOT-FOR-US: Accellion FTA devices CVE-2017-8302 (Mura CMS 7.0.6967 allows admin/?muraAction= XSS attacks, related to ad ...) NOT-FOR-US: Mura CMS CVE-2017-8300 RESERVED CVE-2017-8299 RESERVED CVE-2017-8298 (cnvs.io Canvas 3.3.0 has XSS in the title and content fields of a "Pos ...) NOT-FOR-US: cnvs.io Canvas CVE-2017-8297 (A path traversal vulnerability exists in simple-file-manager before 20 ...) NOT-FOR-US: simple-file-manager CVE-2017-8296 (kedpm 0.5 and 1.0 creates a history file in ~/.kedpm/history that is w ...) 
{DLA-925-1} - kedpm (bug #860817) [jessie] - kedpm 1.0+deb8u1 NOTE: patch in BTS gives workaround to always prompt for password and do not save NOTE: to database. NOTE: https://www.openwall.com/lists/oss-security/2017/04/25/9 CVE-2017-8295 (WordPress through 4.7.4 relies on the Host HTTP header for a password- ...) {DSA-3870-1 DLA-975-1} - wordpress 4.7.5+dfsg-2 (bug #862053) NOTE: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html NOTE: http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html NOTE: https://core.trac.wordpress.org/ticket/25239 NOTE: https://core.trac.wordpress.org/changeset/48601 (5.5) CVE-2017-8294 (libyara/re.c in the regex component in YARA 3.5.0 allows remote attack ...) - yara 3.6.0+dfsg-1 (bug #861590) [stretch] - yara (Minor issue, too intrusive to backport) [jessie] - yara (Minor issue, too intrusive to backport) NOTE: https://github.com/VirusTotal/yara/issues/646 NOTE: https://github.com/VirusTotal/yara/commit/83d799804648c2a0895d40a19835d9b757c6fa4e CVE-2017-8293 RESERVED CVE-2017-8292 RESERVED CVE-2017-8290 (A potential Buffer Overflow Vulnerability (from a BB Code handling iss ...) - teamspeak-server [wheezy] - teamspeak-server (non-free is not supported) CVE-2017-8289 (Stack-based buffer overflow in the ipv6_addr_from_str function in sys/ ...) NOT-FOR-US: RIOS OS CVE-2017-8288 (gnome-shell 3.22 through 3.24.1 mishandles extensions that fail to rel ...) - gnome-shell 3.22.3-3 [jessie] - gnome-shell (Minor issue) [wheezy] - gnome-shell (Minor issue) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=781728 NOTE: https://github.com/GNOME/gnome-shell/commit/ff425d1db7082e2755d2a405af53861552acf2a1 CVE-2017-8305 (The UDFclient (before 0.8.8) custom strlcpy implementation has a buffe ...) - udfclient 0.8.8-1 (bug #861347) CVE-2017-8301 (LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_ ...) 
- libressl (bug #754513) NOTE: https://www.openwall.com/lists/oss-security/2017/04/27/11 CVE-2017-8291 (Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remot ...) {DSA-3838-1 DLA-932-1} - ghostscript 9.20~dfsg-3.1 (bug #861295) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697808 (duplicate of 697799) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697799 (made private) NOTE: Full report viewable at: https://bugzilla.suse.com/show_bug.cgi?id=1036453 NOTE: Fixed by: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=04b37bbce174eed24edec7ad5b920eb93db4d47d NOTE: Fixed by: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3 CVE-2017-8287 (FreeType 2 before 2017-03-26 has an out-of-bounds write caused by a he ...) {DSA-3839-1 DLA-931-1} - freetype 2.6.3-3.2 (bug #861308) NOTE: Fixed by: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=3774fc08b502c3e685afca098b6e8a195aded6a0 CVE-2017-8286 RESERVED CVE-2017-8285 RESERVED CVE-2017-8284 (** DISPUTED ** The disas_insn function in target/i386/translate.c in Q ...) - qemu 1:2.10.0-1 (unimportant) - qemu-kvm (unimportant) NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=30663fd26c0307e414622c7a8607fbc04f92ec14 NOTE: qemu issue without security implication per upstream CVE-2017-8282 (XnView Classic for Windows Version 2.40 allows user-assisted remote at ...) NOT-FOR-US: XnView Classic for Windows CVE-2017-8281 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8280 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8279 (In android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-8278 (In all Qualcomm products with Android releases from CAF using the Linu ...) 
NOT-FOR-US: Qualcomm driver for Android CVE-2017-8277 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8276 (Improper authorization involving a fuse in TrustZone in snapdragon aut ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8275 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-8274 (In Android before security patch level 2018-04-05 on Qualcomm Snapdrag ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-8273 (In all Qualcomm products with Android release from CAF using the Linux ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8272 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8271 (Out of bound memory write can happen in the MDSS Rotator driver in all ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8270 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8269 (Userspace-controlled non null terminated parameter for IPA WAN ioctl i ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8268 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8267 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8266 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8265 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8264 (A userspace process can cause a Denial of Service in the camera driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8263 (In all Qualcomm products with Android releases from CAF using the Linu ...) 
NOT-FOR-US: Qualcomm driver for Android CVE-2017-8262 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8261 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8260 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8259 (In the service locator in all Qualcomm products with Android releases ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8258 (An array out-of-bounds access in all Qualcomm products with Android re ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8257 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8256 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8255 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8254 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8253 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8252 (Kernel can inject faults in computations during the execution of Trust ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8251 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8250 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8249 RESERVED CVE-2017-8248 (A buffer overflow may occur in the processing of a downlink NAS messag ...) NOT-FOR-US: Qualcomm Telephony CVE-2017-8247 (In all Qualcomm products with Android releases from CAF using the Linu ...) 
NOT-FOR-US: Qualcomm driver for Android CVE-2017-8246 (In function msm_pcm_playback_close() in all Android releases from CAF ...) - linux (Android-specific patch) CVE-2017-8245 (In all Android releases from CAF using the Linux kernel, while process ...) - linux (Android-specific patch) CVE-2017-8244 (In core_info_read and inst_info_read in all Android releases from CAF ...) - linux (Android-specific patch) CVE-2017-8243 (A buffer overflow can occur in all Qualcomm products with Android for ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-8242 (In all Android releases from CAF using the Linux kernel, a race condit ...) - linux (Android-specific patch) CVE-2017-8241 (In all Android releases from CAF using the Linux kernel, a buffer over ...) NOT-FOR-US: Android driver CVE-2017-8240 (In all Android releases from CAF using the Linux kernel, a kernel driv ...) - linux 4.0.2-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) CVE-2017-8239 (In all Android releases from CAF using the Linux kernel, userspace-con ...) NOT-FOR-US: Android driver CVE-2017-8238 (In all Android releases from CAF using the Linux kernel, a buffer over ...) NOT-FOR-US: Android driver CVE-2017-8237 (In all Android releases from CAF using the Linux kernel, a buffer over ...) NOT-FOR-US: Android driver CVE-2017-8236 (In all Android releases from CAF using the Linux kernel, a buffer over ...) NOT-FOR-US: Android driver CVE-2017-8235 (In all Android releases from CAF using the Linux kernel, a memory stru ...) NOT-FOR-US: Android driver CVE-2017-8234 (In all Android releases from CAF using the Linux kernel, an out of bou ...) NOT-FOR-US: Android driver CVE-2017-8233 (In a camera driver function in all Android releases from CAF using the ...) NOT-FOR-US: Android driver CVE-2017-8232 RESERVED CVE-2017-8231 RESERVED CVE-2017-8230 (On Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices, the users on th ...) 
NOT-FOR-US: Amcrest CVE-2017-8229 (Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices allow an unauthenti ...) NOT-FOR-US: Amcrest CVE-2017-8228 (Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices mishandle reboots w ...) NOT-FOR-US: Amcrest CVE-2017-8227 (Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices have a timeout poli ...) NOT-FOR-US: Amcrest CVE-2017-8226 (Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices have default creden ...) NOT-FOR-US: Amcrest CVE-2017-8283 (dpkg-source in dpkg 1.3.0 through 1.18.23 is able to use a non-GNU pat ...) - dpkg 1.18.24 (unimportant) NOTE: https://www.openwall.com/lists/oss-security/2017/04/20/2 CVE-2017-8225 (On Wireless IP Camera (P2P) WIFICAM devices, access to .ini files (con ...) NOT-FOR-US: Wireless IP Camera (P2P) WIFICAM devices CVE-2017-8224 (Wireless IP Camera (P2P) WIFICAM devices have a backdoor root account ...) NOT-FOR-US: Wireless IP Camera (P2P) WIFICAM devices CVE-2017-8223 (On Wireless IP Camera (P2P) WIFICAM devices, an attacker can use the R ...) NOT-FOR-US: Wireless IP Camera (P2P) WIFICAM devices CVE-2017-8222 (Wireless IP Camera (P2P) WIFICAM devices have an "Apple Production IOS ...) NOT-FOR-US: Wireless IP Camera (P2P) WIFICAM devices CVE-2017-8221 (Wireless IP Camera (P2P) WIFICAM devices rely on a cleartext UDP tunne ...) NOT-FOR-US: Wireless IP Camera (P2P) WIFICAM devices CVE-2017-8220 (TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 1 ...) NOT-FOR-US: TP-Link CVE-2017-8219 (TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 1 ...) NOT-FOR-US: TP-Link CVE-2017-8218 (vsftpd on TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032 ...) NOT-FOR-US: TP-Link CVE-2017-8217 (TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 1 ...) NOT-FOR-US: TP-Link CVE-2017-8216 (Warsaw Huawei Smart phones with software of versions earlier than Wars ...) 
NOT-FOR-US: Huawei CVE-2017-8215 (Honor 8,Honor V8,Honor 9,Honor V9,Nova 2,Nova 2 Plus,P9,P10 Plus,Toron ...) NOT-FOR-US: Huawei CVE-2017-8214 (Honor 8,Honor V8,Honor 9,Honor V9,Nova 2,Nova 2 Plus,P9,P10 Plus,Toron ...) NOT-FOR-US: Huawei CVE-2017-8213 (Huawei SMC2.0 with software of V100R003C10, V100R005C00SPC100, V100R00 ...) NOT-FOR-US: Huawei CVE-2017-8212 (The driver of honor 5C,honor 6x Huawei smart phones with software of v ...) NOT-FOR-US: Huawei CVE-2017-8211 (The driver of honor 5C,honor 6x Huawei smart phones with software of v ...) NOT-FOR-US: Huawei CVE-2017-8210 (The driver of honor 5C,honor 6x Huawei smart phones with software of v ...) NOT-FOR-US: Huawei CVE-2017-8209 (The driver of honor 5C,honor 6x Huawei smart phones with software of v ...) NOT-FOR-US: Huawei CVE-2017-8208 (The driver of honor 5C,honor 6x Huawei smart phones with software of v ...) NOT-FOR-US: Huawei CVE-2017-8207 (The driver of honor 5C, honor 6x Huawei smart phones with software of ...) NOT-FOR-US: Huawei CVE-2017-8206 (HONOR 7 Lite mobile phones with software of versions earlier than NEM- ...) NOT-FOR-US: Huawei CVE-2017-8205 (The Bastet driver of Honor 9 Huawei smart phones with software of vers ...) NOT-FOR-US: Huawei CVE-2017-8204 (The Bastet driver of Honor 9 Huawei smart phones with software of vers ...) NOT-FOR-US: Huawei CVE-2017-8203 (The Bastet Driver of Nova 2 Plus,Nova 2 Huawei smart phones with softw ...) NOT-FOR-US: Huawei CVE-2017-8202 (The CameraISP driver of some Huawei smart phones with software of vers ...) NOT-FOR-US: Huawei CVE-2017-8201 (MAX PRESENCE V100R001C00, TP3106 V100R002C00, TP3206 V100R002C00 have ...) NOT-FOR-US: Huawei CVE-2017-8200 (MAX PRESENCE V100R001C00, TP3106 V100R002C00, TP3206 V100R002C00 have ...) NOT-FOR-US: Huawei CVE-2017-8199 (MAX PRESENCE V100R001C00, TP3106 V100R002C00, TP3206 V100R002C00 have ...) NOT-FOR-US: Huawei CVE-2017-8198 (FusionSphere V100R006C00SPC102(NFV) has an SQL injection vulnerability ...) 
NOT-FOR-US: Huawei CVE-2017-8197 (FusionSphere V100R006C00SPC102(NFV) has a command injection vulnerabil ...) NOT-FOR-US: Huawei CVE-2017-8196 (FusionSphere V100R006C00SPC102(NFV) has an incorrect authorization vul ...) NOT-FOR-US: Huawei CVE-2017-8195 (The FusionSphere OpenStack V100R006C00SPC102(NFV) has an improper auth ...) NOT-FOR-US: Huawei CVE-2017-8194 (The FusionSphere OpenStack V100R006C00SPC102(NFV) has an improper auth ...) NOT-FOR-US: Huawei CVE-2017-8193 (The FusionSphere OpenStack V100R006C00SPC102(NFV) has a command inject ...) NOT-FOR-US: Huawei CVE-2017-8192 (FusionSphere OpenStack V100R006C00 has an improper authorization vulne ...) NOT-FOR-US: Huawei CVE-2017-8191 (FusionSphere OpenStack V100R006C00SPC102(NFV) has a weak cryptographic ...) NOT-FOR-US: Huawei CVE-2017-8190 (FusionSphere OpenStack V100R006C00SPC102(NFV) has an improper verificat ...) NOT-FOR-US: Huawei CVE-2017-8189 (FusionSphere OpenStack V100R006C00SPC102(NFV) has a path traversal vuln ...) NOT-FOR-US: Huawei CVE-2017-8188 (FusionSphere OpenStack V100R006C00SPC102(NFV) has a command injection v ...) NOT-FOR-US: Huawei CVE-2017-8187 (Huawei FusionSphere OpenStack V100R006C00SPC102(NFV) has a privilege e ...) NOT-FOR-US: Huawei CVE-2017-8186 (The Bastet of some Huawei mobile phones with software of earlier than ...) NOT-FOR-US: Huawei CVE-2017-8185 (ME906s-158 earlier than ME906S_Installer_13.1805.10.3 versions has a p ...) NOT-FOR-US: Huawei CVE-2017-8184 (MTK platform in Huawei smart phones with software of earlier than Nice ...) NOT-FOR-US: Huawei CVE-2017-8183 (MTK platform in Huawei smart phones with software of earlier than Nice ...) NOT-FOR-US: Huawei CVE-2017-8182 (MTK platform in Huawei smart phones with software of earlier than Nice ...) NOT-FOR-US: Huawei CVE-2017-8181 (The camera driver of MTK platform in Huawei smart phones with software ...) NOT-FOR-US: Huawei CVE-2017-8180 (The camera driver of MTK platform in Huawei smart phones with software ...)
NOT-FOR-US: Huawei CVE-2017-8179 (The camera driver of MTK platform in Huawei smart phones with software ...) NOT-FOR-US: Huawei CVE-2017-8178 (Huawei Email APP Vicky-AL00 smartphones with software of earlier than ...) NOT-FOR-US: Huawei CVE-2017-8177 (Huawei APP HiWallet earlier than 5.0.3.100 versions do not support sig ...) NOT-FOR-US: Huawei CVE-2017-8176 (Huawei IPTV STB with earlier than IPTV STB V100R003C01LMYTa6SPC001 ver ...) NOT-FOR-US: Huawei CVE-2017-8175 (The Bastet of some Huawei mobile phones with software earlier than Vic ...) NOT-FOR-US: Huawei CVE-2017-8174 (Huawei USG6300 V100R001C30SPC300 and USG6600 with software of V100R001 ...) NOT-FOR-US: Huawei CVE-2017-8173 (Maya-L02,VKY-L09,VTR-L29,Vicky-AL00A,Victoria-AL00A,Warsaw-AL00 smart ...) NOT-FOR-US: Huawei CVE-2017-8172 (Isub service in P10 Plus and P10 smart phones with earlier than VKY-AL ...) NOT-FOR-US: Huawei CVE-2017-8171 (Huawei smart phones with software earlier than Vicky-AL00AC00B172D ver ...) NOT-FOR-US: Huawei CVE-2017-8170 (Huawei smart phones with software earlier than VIE-L09C40B360 versions ...) NOT-FOR-US: Huawei CVE-2017-8169 (Huawei smart phones with software earlier than VIE-L09C40B360 versions ...) NOT-FOR-US: Huawei CVE-2017-8168 (FusionSphere OpenStack with software V100R006C00SPC102(NFV) and V100R0 ...) NOT-FOR-US: Huawei CVE-2017-8167 (Huawei firewall products USG9500 V500R001C50 has a DoS vulnerability.A ...) NOT-FOR-US: Huawei CVE-2017-8166 (Huawei mobile phones Honor V9 with the software versions before Duke-A ...) NOT-FOR-US: Huawei CVE-2017-8165 (Mate 9 Huawei smart phones with versions earlier than MHA-AL00BC00B233 ...) NOT-FOR-US: Huawei CVE-2017-8164 (Some Huawei smart phones with software EVA-L09C34B142; EVA-L09C40B196; ...) NOT-FOR-US: Huawei CVE-2017-8163 (AR120-S with software V200R006C10, V200R007C00, V200R008C20, V200R008C ...) NOT-FOR-US: Huawei CVE-2017-8162 (AR120-S with software V200R006C10, V200R007C00, V200R008C20, V200R008C ...) 
NOT-FOR-US: Huawei CVE-2017-8161 (EVA-L09 smartphones with software Earlier than EVA-L09C25B150CUSTC25D0 ...) NOT-FOR-US: Huawei CVE-2017-8160 (The Madapt Driver of some Huawei smart phones with software Earlier th ...) NOT-FOR-US: Huawei CVE-2017-8159 (Some Huawei smartphones with software AGS-L09C233B019,AGS-W09C233B019, ...) NOT-FOR-US: Huawei CVE-2017-8158 (FusionCompute V100R005C00 and V100R005C10 have an improper authorizati ...) NOT-FOR-US: Huawei CVE-2017-8157 (OceanStor 5800 V3 with software V300R002C00 and V300R002C10, OceanStor ...) NOT-FOR-US: Huawei CVE-2017-8156 (The outdoor unit of Customer Premise Equipment (CPE) product B2338-168 ...) NOT-FOR-US: Huawei CVE-2017-8155 (The outdoor unit of Customer Premise Equipment (CPE) product B2338-168 ...) NOT-FOR-US: Huawei CVE-2017-8154 (The Themes App Honor 8 Lite Huawei mobile phones with software of vers ...) NOT-FOR-US: Huawei CVE-2017-8153 (Huawei VMall (for Android) with the versions before 1.5.8.5 have a pri ...) NOT-FOR-US: Huawei CVE-2017-8152 (Huawei Honor 5S smart phones with software the versions before TAG-TL0 ...) NOT-FOR-US: Huawei CVE-2017-8151 (Huawei Honor 5S smart phones with software the versions before TAG-TL0 ...) NOT-FOR-US: Huawei CVE-2017-8150 (The boot loaders of P10 and P10 Plus Huawei mobile phones with softwar ...) NOT-FOR-US: Huawei CVE-2017-8149 (The boot loaders of P10 and P10 Plus Huawei mobile phones with softwar ...) NOT-FOR-US: Huawei CVE-2017-8148 (Audio driver in P9 smartphones with software The versions before EVA-A ...) NOT-FOR-US: Huawei CVE-2017-8147 (AC6005 V200R006C10SPC200,AC6605 V200R006C10SPC200,AR1200 with software ...) NOT-FOR-US: Huawei CVE-2017-8146 (The call module of P10 and P10 Plus smartphones with software versions ...) NOT-FOR-US: Huawei CVE-2017-8145 (The call module of P10 and P10 Plus smartphones with software versions ...) NOT-FOR-US: Huawei CVE-2017-8144 (Honor 5A,Honor 8 Lite,Mate9,Mate9 Pro,P10,P10 Plus Huawei smartphones ...) 
NOT-FOR-US: Huawei CVE-2017-8143 (Wi-Fi driver of Honor 5C and P9 Lite Huawei smart phones with software ...) NOT-FOR-US: Huawei CVE-2017-8142 (The Trusted Execution Environment (TEE) module driver of Mate 9 and Ma ...) NOT-FOR-US: Huawei CVE-2017-8141 (The Touch Panel (TP) driver in P10 Plus smart phones with software ver ...) NOT-FOR-US: Huawei CVE-2017-8140 (The soundtrigger driver in P9 Plus smart phones with software versions ...) NOT-FOR-US: Huawei CVE-2017-8139 (HedEx Earlier than V200R006C00 versions have the stored cross-site scr ...) NOT-FOR-US: Huawei CVE-2017-8138 (HedEx Earlier than V200R006C00 versions has a cross-site request forge ...) NOT-FOR-US: Huawei CVE-2017-8137 (HedEx Earlier than V200R006C00 versions has a dynamic link library (DL ...) NOT-FOR-US: Huawei CVE-2017-8136 (HedEx Earlier than V200R006C00 versions has an arbitrary file download ...) NOT-FOR-US: Huawei CVE-2017-8135 (The FusionSphere OpenStack with software V100R006C00 and V100R006C10 h ...) NOT-FOR-US: Huawei CVE-2017-8134 (The FusionSphere OpenStack with software V100R006C00 and V100R006C10 h ...) NOT-FOR-US: Huawei CVE-2017-8133 (Huawei iManager NetEco with software V600R008C00 and V600R008C10 has a ...) NOT-FOR-US: Huawei CVE-2017-8132 (The FusionSphere OpenStack with software V100R006C00 and V100R006C10 h ...) NOT-FOR-US: Huawei CVE-2017-8131 (The FusionSphere OpenStack with software V100R006C00 and V100R006C10 h ...) NOT-FOR-US: Huawei CVE-2017-8130 (The UMA product with software V200R001 and V300R001 has an information ...) NOT-FOR-US: Huawei CVE-2017-8129 (The UMA product with software V200R001 and V300R001 has a privilege el ...) NOT-FOR-US: Huawei CVE-2017-8128 (The UMA product with software V200R001 and V300R001 has a privilege el ...) NOT-FOR-US: Huawei CVE-2017-8127 (The UMA product with software V200R001 has a cross-site scripting (XSS ...) NOT-FOR-US: Huawei CVE-2017-8126 (The UMA product with software V200R001 has a privilege elevation vulne ...) 
NOT-FOR-US: Huawei CVE-2017-8125 (The UMA product with software V200R001 and V300R001 has a cross-site s ...) NOT-FOR-US: Huawei CVE-2017-8124 (The UMA product with software V200R001 has a privilege elevation vulne ...) NOT-FOR-US: Huawei CVE-2017-8123 (The UMA product with software V200R001 has a privilege elevation vulne ...) NOT-FOR-US: Huawei CVE-2017-8122 (The UMA product with software V200R001 has a privilege elevation vulne ...) NOT-FOR-US: Huawei CVE-2017-8121 (The UMA product with software V200R001 and V300R001 has an information ...) NOT-FOR-US: Huawei CVE-2017-8120 (The UMA product with software V200R001 and V300R001 has a privilege el ...) NOT-FOR-US: Huawei CVE-2017-8119 (The UMA product with software V200R001 and V300R001 has a privilege el ...) NOT-FOR-US: Huawei CVE-2017-8118 (The UMA product with software V200R001 and V300R001 has an information ...) NOT-FOR-US: Huawei CVE-2017-8117 (The UMA product with software V200R001 and V300R001 has a privilege el ...) NOT-FOR-US: Huawei CVE-2017-8116 (The management interface for the Teltonika RUT9XX routers (aka LuCI) w ...) NOT-FOR-US: Teltonika RUT9XX routers CVE-2017-8115 (Directory traversal in setup/processors/url_search.php (aka the search ...) NOT-FOR-US: MODX CVE-2017-8114 (Roundcube Webmail allows arbitrary password resets by authenticated us ...) 
{DLA-933-1} - roundcube 1.2.3+dfsg.1-4 (bug #861388) NOTE: https://github.com/roundcube/roundcubemail/releases/tag/1.2.5 NOTE: https://github.com/roundcube/roundcubemail/commit/6e054a37d13dc3772d0aa454a32d5dc3bdcc7003 (1.2.x) NOTE: https://github.com/roundcube/roundcubemail/releases/tag/1.1.9 NOTE: https://github.com/roundcube/roundcubemail/commit/10b227d70a03e33682aaaa0138e84f9256f3cd50 (1.1.x) NOTE: https://github.com/roundcube/roundcubemail/releases/tag/1.0.11 NOTE: https://github.com/roundcube/roundcubemail/commit/271426429bfbb5b63e6dec91b1e4780e8ef1c67e (1.0.x) CVE-2017-8113 RESERVED CVE-2017-8112 (hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest O ...) {DLA-1497-1} - qemu 1:2.8+dfsg-5 (bug #861351) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04578.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1445621 NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=f68826989cd4d1217797251339579c57b3c0934e CVE-2017-8111 RESERVED CVE-2017-8110 (www.modified-shop.org modified eCommerce Shopsoftware 2.0.2.2 rev 1069 ...) NOT-FOR-US: modified eCommerce Shopsoftware CVE-2017-8109 (The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 co ...) - salt 2016.11.5+ds-1 (bug #861219) [stretch] - salt 2016.11.2+ds-1+deb9u2 [jessie] - salt (Vulnerable code not present) NOTE: https://github.com/saltstack/salt/issues/40075 NOTE: https://github.com/saltstack/salt/pull/40609 NOTE: https://github.com/saltstack/salt/commit/8492cef7a5c8871a3978ffc2f6e48b3b960e0151 CVE-2017-8108 (Unspecified tests in Lynis before 2.5.0 allow local users to write to ...) - lynis 2.5.0-1 (unimportant) [wheezy] - lynis (Vulnerable code do not exist) NOTE: Neutralised by kernel hardening CVE-2017-8107 RESERVED CVE-2017-8106 (The handle_invept function in arch/x86/kvm/vmx.c in the Linux kernel 3 ...) 
- linux 3.16.2-1 [wheezy] - linux (Vulnerable code not present) NOTE: Introduced by: https://git.kernel.org/linus/bfd0a56b90005f8c8a004baf407ad90045c2b11e (3.12-rc1) NOTE: Fixed by: https://git.kernel.org/linus/4b855078601fc422dbac3059f2215e776f49780f (3.16-rc4) CVE-2017-8105 (FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a he ...) {DSA-3839-1 DLA-918-1} - freetype 2.6.3-3.2 (bug #861220) NOTE: Fixed by: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935 CVE-2017-8104 (In MyBB before 1.8.11, the smilie module allows Directory Traversal vi ...) NOT-FOR-US: MyBB CVE-2017-8103 (In MyBB before 1.8.11, the Email MyCode component allows XSS, as demon ...) NOT-FOR-US: MyBB CVE-2017-8102 (Stored XSS in Serendipity v2.1-rc1 allows an attacker to steal an admi ...) - serendipity CVE-2017-8101 (There is CSRF in Serendipity 2.0.5, allowing attackers to install any ...) - serendipity CVE-2017-8100 (There is CSRF in the CopySafe Web Protection plugin before 2.6 for Wor ...) NOT-FOR-US: CopySafe Web Protection plugin CVE-2017-8099 (There is CSRF in the WHIZZ plugin before 1.1.1 for WordPress, allowing ...) NOT-FOR-US: WHIZZ plugin for Wordpress CVE-2017-8098 (e107 2.1.4 is vulnerable to cross-site request forgery in plugin-insta ...) NOT-FOR-US: e107 CVE-2017-8097 RESERVED CVE-2017-8096 RESERVED CVE-2017-8095 RESERVED CVE-2017-8094 RESERVED CVE-2017-8093 RESERVED CVE-2017-8092 RESERVED CVE-2017-8091 RESERVED CVE-2017-8090 RESERVED CVE-2017-8089 RESERVED CVE-2017-8088 RESERVED CVE-2017-8087 (Information Leakage in PPPoE Packet Padding in AVM Fritz!Box 7490 with ...) NOT-FOR-US: AVM CVE-2017-8086 (Memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c in Q ...) 
{DLA-1497-1 DLA-1035-1 DLA-965-1} - qemu 1:2.8+dfsg-5 (bug #861348) - qemu-kvm NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=4ffcdef4277a91af15a3c09f7d16af072c29f3f2 (v2.9.0-rc4) NOTE: Introduced possibly by the fix d10142c11bdcecebe97fd834a834167053b7a05c to NOTE: partially fix CVE-2016-9602. CVE-2017-8085 (In Exponent CMS before 2.4.1 Patch #5, XSS in elFinder is possible in ...) NOT-FOR-US: Exponent CMS CVE-2017-1000363 (Linux drivers/char/lp.c Out-of-Bounds Write. Due to a missing bounds c ...) {DSA-3945-1 DLA-1099-1} - linux 4.9.30-1 (low) NOTE: Fixed by: https://git.kernel.org/linus/3e21f4af170bebf47c187c1ff8bf155583c9f3b1 (4.12-rc2) NOTE: https://alephsecurity.com/vulns/aleph-2017023 CVE-2017-1000361 (DOMRpcImplementationNotAvailableException when sending Port-Status pac ...) NOT-FOR-US: OpenDaylight CVE-2017-1000360 (StreamCorruptedException and NullPointerException in OpenDaylight odl- ...) NOT-FOR-US: OpenDaylight CVE-2017-1000359 (Java out of memory error and significant increase in resource consumpt ...) NOT-FOR-US: OpenDaylight CVE-2017-1000358 (Controller throws an exception and does not allow user to add subseque ...) NOT-FOR-US: OpenDaylight CVE-2017-1000357 (Denial of Service attack when the switch rejects to receive packets fr ...) NOT-FOR-US: OpenDaylight CVE-2017-1000356 (Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier ar ...) - jenkins CVE-2017-1000355 (Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier ar ...) - jenkins CVE-2017-1000354 (Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier ar ...) - jenkins CVE-2017-1000353 (Jenkins versions 2.56 and earlier as well as 2.46.1 LTS and earlier ar ...) - jenkins CVE-2017-8084 RESERVED CVE-2017-8083 (CompuLab Intense PC and MintBox 2 devices with BIOS before 2017-05-21 ...) NOT-FOR-US: CompuLab Intense PC and MintBox 2 devices CVE-2017-8082 (concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, whic ...) 
NOT-FOR-US: concrete5 CVE-2017-8081 (Poor cryptographic salt initialization in admin/inc/template_functions ...) NOT-FOR-US: GetSimple CMS CVE-2017-8080 (Atlassian Hipchat Server before 2.2.4 allows remote authenticated user ...) NOT-FOR-US: HipChat CVE-2017-8079 RESERVED CVE-2017-8078 (On the TP-Link TL-SG108E 1.0, the upgrade process can be requested rem ...) NOT-FOR-US: TP-Link CVE-2017-8077 (On the TP-Link TL-SG108E 1.0, there is a hard-coded ciphering key (a l ...) NOT-FOR-US: TP-Link CVE-2017-8076 (On the TP-Link TL-SG108E 1.0, admin network communications are RC4 enc ...) NOT-FOR-US: TP-Link CVE-2017-8075 (On the TP-Link TL-SG108E 1.0, a remote attacker could retrieve credent ...) NOT-FOR-US: TP-Link CVE-2017-8074 (On the TP-Link TL-SG108E 1.0, a remote attacker could retrieve credent ...) NOT-FOR-US: TP-Link CVE-2017-8073 (WeeChat before 1.7.1 allows a remote crash by sending a filename via D ...) {DSA-3836-1 DLA-919-1} - weechat 1.7-3 (bug #861121) [stretch] - weechat 1.6-1+deb9u1 NOTE: https://github.com/weechat/weechat/commit/2fb346f25f79e412cf0ed314fdf791763c19b70b CVE-2017-8072 (The cp2112_gpio_direction_input function in drivers/hid/hid-cp2112.c i ...) - linux 4.9.10-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/8e9faa15469ed7c7467423db4c62aeed3ff4cae3 CVE-2017-8071 (drivers/hid/hid-cp2112.c in the Linux kernel 4.9.x before 4.9.9 uses a ...) - linux 4.9.10-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/7a7b5df84b6b4e5d599c7289526eed96541a0654 CVE-2017-8070 (drivers/net/usb/catc.c in the Linux kernel 4.9.x before 4.9.11 interac ...) 
- linux 4.9.13-1 [jessie] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) [wheezy] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) NOTE: Fixed by: https://git.kernel.org/linus/2d6a0e9de03ee658a9adc3bfb2f0ca55dff1e478 CVE-2017-8069 (drivers/net/usb/rtl8150.c in the Linux kernel 4.9.x before 4.9.11 inte ...) - linux 4.9.13-1 [jessie] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) [wheezy] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) NOTE: Fixed by: https://git.kernel.org/linus/7926aff5c57b577ab0f43364ff0c59d968f6a414 CVE-2017-8068 (drivers/net/usb/pegasus.c in the Linux kernel 4.9.x before 4.9.11 inte ...) - linux 4.9.10-1 (bug #852556) [jessie] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) [wheezy] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) NOTE: Fixed by: https://git.kernel.org/linus/5593523f968bc86d42a035c6df47d5e0979b5ace CVE-2017-8067 (drivers/char/virtio_console.c in the Linux kernel 4.9.x and 4.10.x bef ...) - linux 4.9.25-1 [jessie] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) [wheezy] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) NOTE: Fixed by: https://git.kernel.org/linus/c4baad50297d84bde1a7ad45e50c73adae4a2192 CVE-2017-8066 (drivers/net/can/usb/gs_usb.c in the Linux kernel 4.9.x and 4.10.x befo ...) - linux 4.9.16-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/c919a3069c775c1c876bec55e00b2305d5125caa CVE-2017-8065 (crypto/ccm.c in the Linux kernel 4.9.x and 4.10.x through 4.10.12 inte ...) - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/3b30460c5b0ed762be75a004e924ec3f8711e032 CVE-2017-8064 (drivers/media/usb/dvb-usb-v2/dvb_usb_core.c in the Linux kernel 4.9.x ...) 
{DSA-3886-1} - linux 4.9.25-1 [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/005145378c9ad7575a01b6ce1ba118fb427f583a CVE-2017-8063 (drivers/media/usb/dvb-usb/cxusb.c in the Linux kernel 4.9.x and 4.10.x ...) - linux 4.9.25-1 [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/3f190e3aec212fc8c61e202c51400afa7384d4bc CVE-2017-8062 (drivers/media/usb/dvb-usb/dw2102.c in the Linux kernel 4.9.x and 4.10. ...) - linux 4.9.16-1 [jessie] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) [wheezy] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) NOTE: Fixed by: https://git.kernel.org/linus/606142af57dad981b78707234cfbd15f9f7b7125 CVE-2017-8061 (drivers/media/usb/dvb-usb/dvb-usb-firmware.c in the Linux kernel 4.9.x ...) - linux 4.9.25-1 [jessie] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) [wheezy] - linux (Introduced in 4.9-rc1 in combination with VMAP_STACK) NOTE: Fixed by: https://git.kernel.org/linus/67b0503db9c29b04eadfeede6bebbfe5ddad94ef CVE-2017-8060 (Acceptance of invalid/self-signed TLS certificates in "Panda Mobile Se ...) NOT-FOR-US: Panda CVE-2017-8059 (Acceptance of invalid/self-signed TLS certificates in "Foxit PDF - PDF ...) NOT-FOR-US: Foxit CVE-2017-8058 (Acceptance of invalid/self-signed TLS certificates in Atlassian HipCha ...) NOT-FOR-US: HipChat CVE-2017-8057 (In Joomla! 3.4.0 through 3.6.5 (fixed in 3.7.0), multiple files caused ...) NOT-FOR-US: Joomla! CVE-2017-8056 (WatchGuard Fireware v11.12.1 and earlier mishandles requests referring ...) NOT-FOR-US: WatchGuard CVE-2017-8055 (WatchGuard Fireware allows user enumeration, e.g., in the Firebox XML- ...) NOT-FOR-US: WatchGuard CVE-2017-8054 (The function PdfPagesTree::GetPageNodeFromArray in PdfPageTree.cpp:464 ...) 
- libpodofo 0.9.5-9 (bug #860995) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: The motivation for no-dsa in wheezy is that there are no known NOTE: services that use this library (apart from desktop applications) NOTE: and the worst case is a DoS. NOTE: http://qwertwwwe.github.io/2017/04/22/PoDoFo-0-9-5-allows-remote-attackers-to-cause-a-denial-of-service-infinit-loop/ NOTE: PoC: https://github.com/qwertwwwe/PoC/blob/master/podofo/PoC NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1872 NOTE: partially reverted in: https://sourceforge.net/p/podofo/code/1881 NOTE: ... and re-fixed in: https://sourceforge.net/p/podofo/code/1882 NOTE: and https://sourceforge.net/p/podofo/code/1883 CVE-2017-8053 (PoDoFo 0.9.5 allows denial of service (infinite recursion and stack co ...) - libpodofo 0.9.6+dfsg-3 (bug #860994) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: http://openwall.com/lists/oss-security/2017/04/22/1 NOTE: https://sourceforge.net/p/podofo/tickets/7/ NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1834 NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1924 CVE-2017-8052 (Craft CMS before 2.6.2974 allows XSS attacks. ...) NOT-FOR-US: Craft CMS CVE-2017-8051 (Tenable Appliance 3.5 - 4.4.0, and possibly prior versions, contains a ...) NOT-FOR-US: Tenable Appliance CVE-2017-8050 (Tenable Appliance 4.4.0, and possibly prior, contains a flaw in the We ...) NOT-FOR-US: Tenable Appliance CVE-2017-8049 REJECTED CVE-2017-8048 (In Cloud Foundry capi-release versions 1.33.0 and later, prior to 1.42 ...) NOT-FOR-US: Cloud Foundry CVE-2017-8047 (In Cloud Foundry router routing-release all versions prior to v0.163.0 ...) NOT-FOR-US: Cloud Foundry CVE-2017-8046 (Malicious PATCH requests submitted to servers using Spring Data REST v ...) 
NOT-FOR-US: Spring Data REST CVE-2017-8045 (In Pivotal Spring AMQP versions prior to 1.7.4, 1.6.11, and 1.5.7, an ...) NOT-FOR-US: Spring AMQP CVE-2017-8044 (In Pivotal Single Sign-On for PCF (1.3.x versions prior to 1.3.4 and 1 ...) NOT-FOR-US: Pivotal SSO CVE-2017-8043 REJECTED CVE-2017-8042 REJECTED CVE-2017-8041 (In Single Sign-On for Pivotal Cloud Foundry (PCF) 1.3.x versions prior ...) NOT-FOR-US: Pivotal CVE-2017-8040 (In Single Sign-On for Pivotal Cloud Foundry (PCF) 1.3.x versions prior ...) NOT-FOR-US: Pivotal CVE-2017-8039 (An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Appl ...) NOT-FOR-US: Spring Web Flow CVE-2017-8038 (In Cloud Foundry Foundation Credhub-release version 1.1.0, access cont ...) NOT-FOR-US: Cloud Foundry Foundation Credhub-release CVE-2017-8037 (In Cloud Foundry Foundation CAPI-release versions after v1.6.0 and pri ...) NOT-FOR-US: Cloud Foundry CVE-2017-8036 (An issue was discovered in the Cloud Controller API in Cloud Foundry F ...) NOT-FOR-US: Cloud Foundry CVE-2017-8035 (An issue was discovered in the Cloud Controller API in Cloud Foundry F ...) NOT-FOR-US: Cloud Foundry CVE-2017-8034 (The Cloud Controller and Router in Cloud Foundry (CAPI-release capi ve ...) NOT-FOR-US: Cloud Foundry CVE-2017-8033 (An issue was discovered in the Cloud Controller API in Cloud Foundry F ...) NOT-FOR-US: Cloud Foundry CVE-2017-8032 (In Cloud Foundry cf-release versions prior to v264; UAA release all ve ...) NOT-FOR-US: Cloud Foundry CVE-2017-8031 (An issue was discovered in Cloud Foundry Foundation cf-release (all ve ...) NOT-FOR-US: Cloud Foundry CVE-2017-8030 REJECTED CVE-2017-8029 REJECTED CVE-2017-8028 (In Pivotal Spring-LDAP versions 1.3.0 - 2.3.1, when connected to some ...) 
{DSA-4046-1 DLA-1180-1} - libspring-ldap-java NOTE: https://pivotal.io/security/cve-2017-8028 NOTE: https://github.com/spring-projects/spring-ldap/issues/430 CVE-2017-8027 REJECTED CVE-2017-8026 REJECTED CVE-2017-8025 (RSA Archer GRC Platform prior to 6.2.0.5 is affected by an arbitrary f ...) NOT-FOR-US: RSA Archer GRC Platform CVE-2017-8024 (EMC Isilon OneFS (versions prior to 8.1.0.1, versions prior to 8.0.1.2 ...) NOT-FOR-US: EMC CVE-2017-8023 (EMC NetWorker may potentially be vulnerable to an unauthenticated remo ...) NOT-FOR-US: EMC CVE-2017-8022 (An issue was discovered in EMC NetWorker (prior to 8.2.4.9, all suppor ...) NOT-FOR-US: EMC CVE-2017-8021 (EMC Elastic Cloud Storage (ECS) before 3.1 is affected by an undocumen ...) NOT-FOR-US: EMC Elastic Cloud Storage CVE-2017-8020 (An issue was discovered in EMC ScaleIO 2.0.1.x. A buffer overflow vuln ...) NOT-FOR-US: EMC CVE-2017-8019 (An issue was discovered in EMC ScaleIO 2.0.1.x. A vulnerability in mes ...) NOT-FOR-US: EMC CVE-2017-8018 (EMC AppSync host plug-in versions 3.5 and below (Windows platform only ...) NOT-FOR-US: EMC AppSync CVE-2017-8017 (EMC Network Configuration Manager (NCM) 9.3.x, 9.4.0.x, 9.4.1.x, and 9 ...) NOT-FOR-US: EMC Network Configuration Manager CVE-2017-8016 (RSA Archer GRC Platform prior to 6.2.0.5 is affected by stored cross-s ...) NOT-FOR-US: RSA Archer GRC Platform CVE-2017-8015 (EMC AppSync (all versions prior to 3.5) contains a SQL injection vulne ...) NOT-FOR-US: EMC CVE-2017-8014 REJECTED CVE-2017-8013 (EMC Data Protection Advisor 6.3.x before patch 67 and 6.4.x before pat ...) NOT-FOR-US: EMC Data Protection Adv CVE-2017-8012 (In EMC ViPR SRM, Storage M&R, VNX M&R, and M&R (Watch4Net) ...) NOT-FOR-US: EMC CVE-2017-8011 (EMC ViPR SRM, EMC Storage M&R, EMC VNX M&R, EMC M&R for SA ...) NOT-FOR-US: EMC CVE-2017-8010 REJECTED CVE-2017-8009 REJECTED CVE-2017-8008 REJECTED CVE-2017-8007 (In EMC ViPR SRM, Storage M&R, VNX M&R, and M&R (Watch4Net) ...) 
NOT-FOR-US: EMC CVE-2017-8006 (In EMC RSA Authentication Manager 8.2 SP1 Patch 1 and earlier, a malic ...) NOT-FOR-US: EMC CVE-2017-8005 (The EMC RSA Identity Governance and Lifecycle, RSA Via Lifecycle and G ...) NOT-FOR-US: EMC CVE-2017-8004 (The EMC RSA Identity Governance and Lifecycle, RSA Via Lifecycle and G ...) NOT-FOR-US: EMC CVE-2017-8003 (EMC Data Protection Advisor prior to 6.4 contains a path traversal vul ...) NOT-FOR-US: EMC Data Protection Advisor CVE-2017-8002 (EMC Data Protection Advisor prior to 6.4 contains multiple blind SQL i ...) NOT-FOR-US: EMC Data Protection Advisor CVE-2017-8001 (An issue was discovered in EMC ScaleIO 2.0.1.x. In a Linux environment ...) NOT-FOR-US: EMC CVE-2017-8000 (In EMC RSA Authentication Manager 8.2 SP1 and earlier, a malicious RSA ...) NOT-FOR-US: EMC CVE-2017-7999 (Atlassian Eucalyptus before 4.4.1, when in EDGE mode, allows remote au ...) NOT-FOR-US: Atlassian Eucalyptus CVE-2017-7998 (Multiple cross-site scripting (XSS) vulnerabilities in Gespage before ...) NOT-FOR-US: Gespage CVE-2017-7997 (Multiple SQL injection vulnerabilities in Gespage before 7.4.9 allow r ...) NOT-FOR-US: Gespage CVE-2017-7996 RESERVED CVE-2017-7995 (Xen PV guest before Xen 4.3 checked access permissions to MMIO ranges ...) {DLA-964-1} - xen 4.3.0-1 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1033948 CVE-2017-7994 (The function TextExtractor::ExtractText in TextExtractor.cpp:77 in PoD ...) - libpodofo 0.9.5-7 (bug #860930) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: https://github.com/icepng/PoC/tree/master/PoC1 NOTE: https://icepng.github.io/2017/04/21/PoDoFo-1/ NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1849 CVE-2017-7993 RESERVED CVE-2017-7992 (Heartland Payment Systems Payment Gateway PHP SDK hps/heartland-php v2 ...) 
NOT-FOR-US: Heartland Payment Systems Payment Gateway PHP SDK CVE-2017-7991 (Exponent CMS 2.4.1 and earlier has SQL injection via a base64 serializ ...) NOT-FOR-US: Exponent CMS CVE-2017-7990 (The Reporting Module 1.12.0 for OpenMRS allows CSRF attacks with resul ...) NOT-FOR-US: OpenMRS CVE-2017-7989 (In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate MIME type ...) NOT-FOR-US: Joomla! CVE-2017-7988 (In Joomla! 1.6.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering ...) NOT-FOR-US: Joomla! CVE-2017-7987 (In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate escaping o ...) NOT-FOR-US: Joomla! CVE-2017-7986 (In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering ...) NOT-FOR-US: Joomla! CVE-2017-7985 (In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering ...) NOT-FOR-US: Joomla! CVE-2017-7984 (In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate filtering ...) NOT-FOR-US: Joomla! CVE-2017-7983 (In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), mail sent using the J ...) NOT-FOR-US: Joomla! CVE-2017-7982 (Integer overflow in the plist_from_bin function in bplist.c in libimob ...) {DLA-2168-1} - libplist 1.12+git+1+e37ca00-0.3 (bug #860945) [wheezy] - libplist (Minor issue) NOTE: Fixed by: https://github.com/libimobiledevice/libplist/commit/fdebf8b319b9280cd0e9b4382f2c7cbf26ef9325 NOTE: https://github.com/libimobiledevice/libplist/issues/103 NOTE: The issue seems covered in prior versions of upstream dccd9290745345896e3a4a73154576a599fd8b7b NOTE: which is CVE-2017-6440. CVE-2017-7981 (Tuleap before 9.7 allows command injection via the PhpWiki 1.3.10 Synt ...) NOT-FOR-US: Enalean Tuleap CVE-2017-7980 (Heap-based buffer overflow in Cirrus CLGD 54xx VGA Emulator in Quick E ...) 
{DLA-1497-1 DLA-1035-1 DLA-939-1} - qemu 1:2.8+dfsg-4 - qemu-kvm NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=026aeffcb4752054830ba203020ed6eb05bcaba8 NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=ffaf857778286ca54e3804432a2369a279e73aa7 NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=f019722cbbb45aea153294fc8921fcc96a4d3fa2 CVE-2017-7978 (Samsung Android devices with L(5.0/5.1), M(6.0), and N(7.x) software a ...) NOT-FOR-US: Samsung CVE-2017-7979 (The cookie feature in the packet action API implementation in net/sche ...) - linux (Only affects 4.11-rc1 onwards) CVE-2017-7977 (The Screensavercc component in eLux RP before 5.5.0 allows attackers t ...) NOT-FOR-US: Screensavercc component in eLux RP CVE-2017-7976 (Artifex jbig2dec 0.13 allows out-of-bounds writes and reads because of ...) {DSA-3855-1 DLA-942-1} - jbig2dec 0.13-4.1 (bug #860787) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697683 NOTE: Fixed by: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=ed6c5133a1004ce8d CVE-2017-7975 (Artifex jbig2dec 0.13, as used in Ghostscript, allows out-of-bounds wr ...) {DSA-3855-1 DLA-942-1} - jbig2dec 0.13-4.1 (bug #860788) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697693 NOTE: Fixed by: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5e57e483298dae8b CVE-2017-7974 (A path traversal information disclosure vulnerability exists in Schnei ...) NOT-FOR-US: Schneider Electric CVE-2017-7973 (A SQL injection vulnerability exists in Schneider Electric's U.motion ...) NOT-FOR-US: Schneider Electric CVE-2017-7972 (A vulnerability exists in Schneider Electric's PowerSCADA Anywhere v1. ...) NOT-FOR-US: Schneider Electric CVE-2017-7971 (A vulnerability exists in Schneider Electric's PowerSCADA Anywhere v1. ...) NOT-FOR-US: Schneider Electric CVE-2017-7970 (A vulnerability exists in Schneider Electric's PowerSCADA Anywhere v1. ...) 
NOT-FOR-US: Schneider Electric CVE-2017-7969 (A cross-site request forgery vulnerability exists on the Secure Gatewa ...) NOT-FOR-US: Schneider Electric CVE-2017-7968 (An Incorrect Default Permissions issue was discovered in Schneider Ele ...) NOT-FOR-US: Schneider CVE-2017-7967 (All versions of VAMPSET software produced by Schneider Electric, prior ...) NOT-FOR-US: Schneider CVE-2017-7966 (A DLL Hijacking vulnerability in the programming software in Schneider ...) NOT-FOR-US: Schneider CVE-2017-7965 (A buffer overflow vulnerability exists in Programming Software executa ...) NOT-FOR-US: Schneider CVE-2017-7964 (Zyxel WRE6505 devices have a default TELNET password of 1234 for the r ...) NOT-FOR-US: Zyxel CVE-2017-7963 (** DISPUTED ** The GNU Multiple Precision Arithmetic Library (GMP) int ...) NOTE: PHP non-issue, might get rejected CVE-2017-7962 (The iwgif_read_image function in imagew-gif.c in libimageworsener.a in ...) NOT-FOR-US: ImageWorsener CVE-2017-7961 (** DISPUTED ** The cr_tknzr_parse_rgb function in cr-tknzr.c in libcro ...) {DLA-909-1} - libcroco 0.6.11-3 (bug #860961) [jessie] - libcroco (Minor issue; will be fixed via point release) NOTE: https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/ NOTE: https://git.gnome.org/browse/libcroco/commit/?id=9ad72875e9f08e4c519ef63d44cdbd94aa9504f7 CVE-2017-7960 (The cr_input_new_from_uri function in cr-input.c in libcroco 0.6.11 an ...) {DLA-909-1} - libcroco 0.6.11-3 (bug #860961) [jessie] - libcroco (Minor issue; will be fixed via point release) NOTE: https://blogs.gentoo.org/ago/2017/04/17/libcroco-heap-overflow-and-undefined-behavior/ NOTE: https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394 CVE-2017-7959 RESERVED CVE-2017-7958 RESERVED CVE-2017-7957 (XStream through 1.4.9, when a certain denyTypes workaround is not used ...) 
	{DSA-3841-1 DLA-930-1}
	- libxstream-java 1.4.9-2 (bug #861521)
	NOTE: https://x-stream.github.io/CVE-2017-7957.html
	NOTE: Fixed by: https://github.com/x-stream/xstream/commit/b3570be
CVE-2017-7956
	RESERVED
CVE-2017-7955
	RESERVED
CVE-2017-7954
	RESERVED
CVE-2017-7953 (INFOR EAM V11.0 Build 201410 has XSS via comment fields. ...)
	NOT-FOR-US: INFOR EAM
CVE-2017-7952 (INFOR EAM V11.0 Build 201410 has SQL injection via search fields, rela ...)
	NOT-FOR-US: INFOR EAM
CVE-2017-7951 (WonderCMS before 2.0.3 has CSRF because of lack of a token in an unspe ...)
	NOT-FOR-US: WonderCMS
CVE-2017-7950 (Nitro Pro 11.0.3 and earlier allows remote attackers to cause a denial ...)
	NOT-FOR-US: Nitro Pro
CVE-2017-7949
	RESERVED
CVE-2017-7948 (Integer overflow in the mark_curve function in Artifex Ghostscript 9.2 ...)
	- ghostscript 9.22~dfsg-1 (unimportant)
	[jessie] - ghostscript (Vulnerable code not present)
	[wheezy] - ghostscript (Vulnerable code not present)
	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697762
	NOTE: Fixed by: https://git.ghostscript.com/?p=ghostpdl.git;h=8210a2864372723b49c526e2b102fdc00c9c4699
	NOTE: edgebuffer scan converter was made default only in: https://git.ghostscript.com/?p=ghostpdl.git;h=dd5da2cb3e08398ac6d86598b36b00994d058308
	NOTE: But the vulnerable code via base/gxscan.c, a new scan converter introduced in 9.20 is present.
CVE-2017-7947 (NetApp Clustered Data ONTAP before 8.3.2P11, 9.0 before P4, and 9.1 be ...)
	NOT-FOR-US: NetApp
CVE-2017-7946 (The get_relocs_64 function in libr/bin/format/mach0/mach0.c in radare2 ...)
	- radare2 1.1.0+dfsg-5 (low; bug #860962)
	[jessie] - radare2 (Minor issue)
	[wheezy] - radare2 (Minor issue)
	NOTE: https://github.com/radare/radare2/issues/7301
	NOTE: https://github.com/radare/radare2/commit/d1e8ac62c6d978d4662f69116e30230d43033c92
CVE-2017-7945 (The GlobalProtect external interface in Palo Alto Networks PAN-OS befo ...)
	NOT-FOR-US: Palo Alto Networks PAN-OS
CVE-2017-7944 (XOOPS Core 2.5.8.1 has XSS due to unescaped HTML output of an Install ...)
	NOT-FOR-US: XOOPS
CVE-2017-7943 (The ReadSVGImage function in svg.c in ImageMagick 7.0.5-4 allows remot ...)
	{DSA-3863-1 DLA-960-1}
	- imagemagick 8:6.9.7.4+dfsg-6 (low; bug #860736)
	NOTE: https://github.com/ImageMagick/ImageMagick/issues/427
CVE-2017-7942 (The ReadAVSImage function in avs.c in ImageMagick 7.0.5-4 allows remot ...)
	- imagemagick 8:6.9.7.4+dfsg-6 (low; bug #860735)
	[jessie] - imagemagick (Vulnerable code not present, does not use pixel_info yet)
	[wheezy] - imagemagick (Vulnerable code not present, does not use pixel_info yet)
	NOTE: https://github.com/ImageMagick/ImageMagick/issues/429
CVE-2017-7941 (The ReadSGIImage function in sgi.c in ImageMagick 7.0.5-4 allows remot ...)
	{DSA-3863-1 DLA-960-1}
	- imagemagick 8:6.9.7.4+dfsg-6 (low; bug #860734)
	NOTE: https://github.com/ImageMagick/ImageMagick/issues/428
CVE-2017-7940 (The iw_read_gif_file function in imagew-gif.c in libimageworsener.a in ...)
	NOT-FOR-US: ImageWorsener
CVE-2017-7939 (The read_next_pam_token function in imagew-pnm.c in libimageworsener.a ...)
	NOT-FOR-US: ImageWorsener
CVE-2017-7938 (Stack-based buffer overflow in DMitry (Deepmagic Information Gathering ...)
	NOT-FOR-US: DMitry
CVE-2017-7937 (An Improper Authentication issue was discovered in Phoenix Contact Gmb ...)
	NOT-FOR-US: Phoenix Contact
CVE-2017-7936 (A stack-based buffer overflow issue was discovered in NXP i.MX 50, i.M ...)
	NOT-FOR-US: NXP i.MX devices
CVE-2017-7935 (A Resource Exhaustion issue was discovered in Phoenix Contact GmbH mGu ...)
	NOT-FOR-US: Phoenix Contact
CVE-2017-7934 (An Improper Authentication issue was discovered in OSIsoft PI Server 2 ...)
	NOT-FOR-US: OSIsoft
CVE-2017-7933 (In ABB IP GATEWAY 3.39 and prior, some configuration files contain pas ...)
	NOT-FOR-US: ABB
CVE-2017-7932 (An improper certificate validation issue was discovered in NXP i.MX 28 ...)
	NOT-FOR-US: NXP i.MX devices
CVE-2017-7931 (In ABB IP GATEWAY 3.39 and prior, by accessing a specific uniform reso ...)
	NOT-FOR-US: ABB
CVE-2017-7930 (An Improper Authentication issue was discovered in OSIsoft PI Server 2 ...)
	NOT-FOR-US: OSIsoft
CVE-2017-7929 (An Absolute Path Traversal issue was discovered in Advantech WebAccess ...)
	NOT-FOR-US: Advantech WebAccess
CVE-2017-7928 (An Improper Access Control issue was discovered in Schweitzer Engineer ...)
	NOT-FOR-US: Schweitzer Engineering Laboratories Security Gateway
CVE-2017-7927 (A Use of Password Hash Instead of Password for Authentication issue wa ...)
	NOT-FOR-US: Dahua
CVE-2017-7926 (A Cross-Site Request Forgery issue was discovered in OSIsoft PI Web AP ...)
	NOT-FOR-US: OSIsoft
CVE-2017-7925 (A Password in Configuration File issue was discovered in Dahua DH-IPC- ...)
	NOT-FOR-US: Dahua
CVE-2017-7924 (An Improper Input Validation issue was discovered in Rockwell Automati ...)
	NOT-FOR-US: Rockwell
CVE-2017-7923 (A Password in Configuration File issue was discovered in Hikvision DS- ...)
	NOT-FOR-US: Hikvision
CVE-2017-7922 (An Improper Privilege Management issue was discovered in Cambium Netwo ...)
	NOT-FOR-US: Cambium Networks ePMP
CVE-2017-7921 (An Improper Authentication issue was discovered in Hikvision DS-2CD2xx ...)
	NOT-FOR-US: Hikvision
CVE-2017-7920 (An Improper Authentication issue was discovered in ABB VSN300 WiFi Log ...)
	NOT-FOR-US: ABB WiFi Logger Card
CVE-2017-7919 (An Improper Authentication issue was discovered in Newport XPS-Cx and ...)
	NOT-FOR-US: Newport
CVE-2017-7918 (An Improper Access Control issue was discovered in Cambium Networks eP ...)
	NOT-FOR-US: Cambium Networks ePMP
CVE-2017-7917 (A Cross-Site Request Forgery issue was discovered in Moxa OnCell G3110 ...)
	NOT-FOR-US: Moxa
CVE-2017-7916 (A Permissions, Privileges, and Access Controls issue was discovered in ...)
	NOT-FOR-US: ABB WiFi Logger Card
CVE-2017-7915 (An Improper Restriction of Excessive Authentication Attempts issue was ...)
	NOT-FOR-US: Moxa
CVE-2017-7914 (A Missing Authorization issue was discovered in Rockwell Automation Pa ...)
	NOT-FOR-US: Rockwell PanelView Plus
CVE-2017-7913 (A Plaintext Storage of a Password issue was discovered in Moxa OnCell ...)
	NOT-FOR-US: Moxa
CVE-2017-7912 (Hanwha Techwin SRN-4000, SRN-4000 firmware versions prior to SRN4000_v ...)
	NOT-FOR-US: Hanwha Techwin firmware
CVE-2017-7911 (A Code Injection issue was discovered in CyberVision Kaa IoT Platform, ...)
	NOT-FOR-US: CyberVision Kaa IoT Platform
CVE-2017-7910 (A Stack-Based Buffer Overflow issue was discovered in Digital Canal St ...)
	NOT-FOR-US: Digital Canal Structural Wind Analysis
CVE-2017-7909 (A Use of Client-Side Authentication issue was discovered in Advantech ...)
	NOT-FOR-US: Advantech
CVE-2017-7908 (A heap-based buffer overflow exists in the third-party product Gigasof ...)
	NOT-FOR-US: Gigasoft
CVE-2017-7907 (An Improper XML Parser Configuration issue was discovered in Schneider ...)
	NOT-FOR-US: Schneider
CVE-2017-7906 (In ABB IP GATEWAY 3.39 and prior, the web server does not sufficiently ...)
	NOT-FOR-US: ABB
CVE-2017-7905 (A Weak Cryptography for Passwords issue was discovered in General Elec ...)
	NOT-FOR-US: General Electric
CVE-2017-7904
	RESERVED
CVE-2017-7903 (A Weak Password Requirements issue was discovered in Rockwell Automati ...)
	NOT-FOR-US: Rockwell Automation
CVE-2017-7902 (A "Reusing a Nonce, Key Pair in Encryption" issue was discovered in Ro ...)
	NOT-FOR-US: Rockwell Automation
CVE-2017-7901 (A Predictable Value Range from Previous Values issue was discovered in ...)
	NOT-FOR-US: Rockwell Automation
CVE-2017-7900
	RESERVED
CVE-2017-7899 (An Information Exposure issue was discovered in Rockwell Automation Al ...)
	NOT-FOR-US: Rockwell Automation
CVE-2017-7898 (An Improper Restriction of Excessive Authentication Attempts issue was ...)
	NOT-FOR-US: Rockwell Automation
CVE-2017-7897 (A cross-site scripting (XSS) vulnerability in the MantisBT (2.3.x befo ...)
	- mantis
	[wheezy] - mantis (Unsupported in Wheezy LTS)
CVE-2017-7896 (Trend Micro InterScan Messaging Security Virtual Appliance (IMSVA) 9.1 ...)
	NOT-FOR-US: Trend Micro
CVE-2017-7895 (The NFSv2 and NFSv3 server implementations in the Linux kernel through ...)
	{DSA-3886-1 DLA-993-1}
	- linux 4.9.25-1
	NOTE: Fixed by: https://git.kernel.org/linus/13bf9fbff0e5e099e2b6f003a0ab8ae145436309
CVE-2017-7894 (WinDjView 2.1 might allow user-assisted attackers to execute code via ...)
	NOT-FOR-US: WinDjView
CVE-2017-7893 (In SaltStack Salt before 2016.3.6, compromised salt-minions can impers ...)
	- salt 2016.11.5+ds-1
	[stretch] - salt (Minor issue)
	[jessie] - salt (Vulnerable code introduced later, but older versions did not verify master anyways)
	NOTE: https://docs.saltstack.com/en/2017.7/topics/releases/2016.3.6.html
	NOTE: https://github.com/saltstack/salt/issues/48939
	NOTE: https://patch-diff.githubusercontent.com/raw/saltstack/salt/pull/40159.patch
	NOTE: https://patch-diff.githubusercontent.com/raw/saltstack/salt/pull/40206.patch
	NOTE: The behaviour though was back off by default in a later commit again
	NOTE: cf. https://github.com/saltstack/salt/pull/40206
	NOTE: The fix is the second part of the #40159 PR, but the behaviour is turned
	NOTE: off by default and needs considerations of admins before enabling. We still
	NOTE: consider the issue as fixed starting with this change. Details in
	NOTE: https://github.com/saltstack/salt/issues/48939#issuecomment-410777638
CVE-2017-7892 (Sandstorm Cap'n Proto before 0.5.3.1 allows remote crashes related to ...)
	- capnproto 0.6.1-1 (unimportant; bug #860960)
	NOTE: https://github.com/sandstorm-io/capnproto/blob/master/security-advisories/2017-04-17-0-apple-clang-elides-bounds-check.md
	NOTE: Fixed by: https://github.com/sandstorm-io/capnproto/commit/52bc956459a5e83d7c31be95763ff6399e064ae4
	NOTE: So far only Apple's compiler has been shown to apply the problematic optimization, fixed in 0.5.3.1 upstream
CVE-2017-7891 (sourcebans-pp (SourceBans++) 1.5.4.7 has XSS in admin.comms.php via th ...)
	NOT-FOR-US: SourceBans++
CVE-2017-7890 (The GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.c in th ...)
	{DSA-3938-1 DLA-1055-1}
	- php7.1 7.1.8-1 (unimportant)
	- php7.0 7.0.22-1 (unimportant)
	- php5 (unimportant)
	NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74435
	NOTE: Fixed in 7.1.7, 7.0.21, 5.6.31
	- libgd2 2.2.5-1 (bug #869263)
	NOTE: https://github.com/libgd/libgd/issues/399
	NOTE: https://github.com/libgd/libgd/commit/c613bc169802bb4b639ee2e15c61b25b80a88424
CVE-2017-7888 (Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm, which ...)
	- dolibarr 5.0.4+dfsg3-1 (bug #863544)
	NOTE: https://www.openwall.com/lists/oss-security/2017/05/10/6
CVE-2017-7887 (Dolibarr ERP/CRM 4.0.4 has XSS in doli/societe/list.php via the sall p ...)
	- dolibarr 5.0.4+dfsg3-1 (bug #863544)
	NOTE: https://www.openwall.com/lists/oss-security/2017/05/10/6
CVE-2017-7886 (Dolibarr ERP/CRM 4.0.4 has SQL Injection in doli/theme/eldy/style.css. ...)
	- dolibarr 5.0.4+dfsg3-1 (bug #863544)
	NOTE: https://www.openwall.com/lists/oss-security/2017/05/10/6
CVE-2017-7885 (Artifex jbig2dec 0.13 has a heap-based buffer over-read leading to den ...)
	{DSA-3855-1 DLA-942-1}
	- jbig2dec 0.13-4.1 (bug #860460)
	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697703
	NOTE: Fixed by: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=b184e783702246e15
CVE-2017-7884 (In Adam Kropelin adk0212 APC UPS Daemon through 3.14.14, the default i ...)
	- apcupsd (Only APC UPS Daemon on Windows)
CVE-2017-7889 (The mm subsystem in the Linux kernel through 3.2 does not properly enf ...)
	{DSA-3945-1 DLA-1099-1}
	- linux 4.9.25-1
	NOTE: Fixed by: https://git.kernel.org/linus/a4866aa812518ed1a37d8ea0c881dc946409de94 (v4.11-rc7)
CVE-2017-7883
	RESERVED
CVE-2017-7882 (LibreOffice before 2017-03-14 has an out-of-bounds write related to th ...)
	- libreoffice (Vulnerable code not present in any release)
	NOTE: Fixed by: https://github.com/LibreOffice/core/commit/65dcd1d8195069c8c8acb3a188b8e5616c51029c
CVE-2017-7881 (BigTree CMS through 4.2.17 relies on a substring check for CSRF protec ...)
	NOT-FOR-US: BigTree CMS
CVE-2017-7880
	RESERVED
CVE-2017-7879 (SQL Injection vulnerability in flatCore version 1.4.6 allows an attack ...)
	NOT-FOR-US: flatCore
CVE-2017-7878 (SQL Injection vulnerability in flatCore version 1.4.6 allows an attack ...)
	NOT-FOR-US: flatCore
CVE-2017-7877 (CSRF vulnerability in flatCore version 1.4.6 allows remote attackers t ...)
	NOT-FOR-US: flatCore
CVE-2017-7876 (This command injection vulnerability in QTS allows attackers to run ar ...)
	NOT-FOR-US: QNAP QTS
CVE-2017-7875 (In wallpaper.c in feh before v2.18.3, if a malicious client pretends t ...)
	{DLA-2219-1 DLA-899-1}
	- feh 2.18-2 (low; bug #860367)
	NOTE: Fixed by: https://github.com/derf/feh/commit/f7a547b7ef8fc8ebdeaa4c28515c9d72e592fb6d
CVE-2017-7874
	REJECTED
CVE-2017-7873
	RESERVED
CVE-2017-7872
	RESERVED
CVE-2017-7871 (trollepierre/tdm before 2017-04-13 is vulnerable to a reflected XSS in ...)
	NOT-FOR-US: trollepierre/tdm
CVE-2017-7870 (LibreOffice before 2017-01-02 has an out-of-bounds write caused by a h ...)
	{DSA-3837-1 DLA-910-1}
	- libreoffice 1:5.2.5-1
	NOTE: Fixed by: https://github.com/LibreOffice/core/commit/62a97e6a561ce65e88d4c537a1b82c336f012722
CVE-2017-7869 (GnuTLS before 2017-02-20 has an out-of-bounds write caused by an integ ...)
	- gnutls28 3.5.8-4
	[jessie] - gnutls28 3.3.8-6+deb8u5
	- gnutls26
	[wheezy] - gnutls26 (Minor issue)
	NOTE: OpenPGP-related issue
	NOTE: https://gitlab.com/gnutls/gnutls/commit/51464af713d71802e3c6d5ac15f1a95132a354fe
	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=420
	NOTE: https://gnutls.org/security.html#GNUTLS-SA-2017-3
CVE-2017-7868 (International Components for Unicode (ICU) for C/C++ before 2017-02-13 ...)
	{DSA-3830-1 DLA-947-1}
	- icu 57.1-6 (bug #860314)
	NOTE: http://bugs.icu-project.org/trac/changeset/39671
	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=437
CVE-2017-7867 (International Components for Unicode (ICU) for C/C++ before 2017-02-13 ...)
	{DSA-3830-1 DLA-947-1}
	- icu 57.1-6 (bug #860314)
	NOTE: http://bugs.icu-project.org/trac/changeset/39671
	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=213
CVE-2017-7866 (FFmpeg before 2017-01-23 has an out-of-bounds write caused by a stack- ...)
	- ffmpeg 7:3.2.4-1
	- libav
	[jessie] - libav (vulnerable code not present)
	NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/e371f031b942d73e02c090170975561fabd5c264
CVE-2017-7865 (FFmpeg before 2017-01-24 has an out-of-bounds write caused by a heap-b ...)
	{DLA-1654-1}
	- ffmpeg 7:3.2.4-1
	- libav
	NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/2080bc33717955a0e4268e738acf8c1eeddbf8cb
CVE-2017-7864 (FreeType 2 before 2017-02-02 has an out-of-bounds write caused by a he ...)
	- freetype (Vulnerable code not present; CFF2 support introduced in 2.7.1, cf #860313)
	NOTE: Fixed by: https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=e6699596af5c5d6f0ae0ea06e19df87dce088df8
	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=509
CVE-2017-7863 (FFmpeg before 2017-02-04 has an out-of-bounds write caused by a heap-b ...)
	{DLA-1654-1}
	- ffmpeg 7:3.2.4-1
	- libav
	NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/e477f09d0b3619f3d29173b2cd593e17e2d1978e
	NOTE: libav in jessie only supports transparency with RGB palette, only parts of the upstream fix apply
CVE-2017-7862 (FFmpeg before 2017-02-07 has an out-of-bounds write caused by a heap-b ...)
	{DSA-4012-1 DLA-1142-1}
	- ffmpeg 7:3.2.4-1
	- libav
	NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/8c2ea3030af7b40a3c4275696fb5c76cdb80950a
	NOTE: Fixed in 11.11
CVE-2017-7861 (Google gRPC before 2017-02-22 has an out-of-bounds write related to th ...)
	- grpc 1.2.5-1+nmu0 (bug #860316)
CVE-2017-7860 (Google gRPC before 2017-02-22 has an out-of-bounds write caused by a h ...)
	- grpc 1.2.5-1+nmu0 (bug #860316)
CVE-2017-7859 (FFmpeg before 2017-03-05 has an out-of-bounds write caused by a heap-b ...)
	- ffmpeg (Only affected master, not present in a release)
	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1034183
	NOTE: https://github.com/FFmpeg/FFmpeg/commit/70ebc05bce51215cd0857194d6cabf1e4d1440fb
CVE-2017-7858 (FreeType 2 before 2017-03-07 has an out-of-bounds write related to the ...)
	- freetype (Vulnerable code introduced in 2.6.4)
	NOTE: Introduced after: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=813aca51d28704f7ffc470721167738fa8decb3d
	NOTE: Fixed by: https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=779309744222a736eba0f1731e8162fce6288d4e
	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=738
CVE-2017-7857 (FreeType 2 before 2017-03-08 has an out-of-bounds write caused by a he ...)
	- freetype (Vulnerable code introduced in 2.6.4)
	NOTE: Introduced after: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=813aca51d28704f7ffc470721167738fa8decb3d
	NOTE: Fixed by: http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=7bbb91fbf47fc0775cc9705673caf0c47a81f94b
	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=759
CVE-2017-7856 (LibreOffice before 2017-03-11 has an out-of-bounds write caused by a h ...)
	- libreoffice (Didn't affect any released version of LibreOffice)
CVE-2017-7855 (In the webmail component in IceWarp Server 11.3.1.5, there was an XSS ...)
	NOT-FOR-US: IceWarp
CVE-2017-7854 (The consume_init_expr function in wasm.c in radare2 1.3.0 allows remot ...)
	- radare2 (Vulnerable code introduced later)
CVE-2017-7853 (In libosip2 in GNU oSIP 4.1.0 and 5.0.0, a malformed SIP message can l ...)
	{DSA-3879-1 DLA-898-1}
	- libosip2 4.1.0-2.1 (bug #860287)
	NOTE: https://savannah.gnu.org/support/index.php?109265
	NOTE: Fixed by: https://git.savannah.gnu.org/cgit/osip.git/commit/?id=1ae06daf3b2375c34af23083394a6f010be24a45
CVE-2017-7852 (D-Link DCS cameras have a weak/insecure CrossDomain.XML file that allo ...)
	NOT-FOR-US: D-Link
CVE-2017-7851 (D-Link DCS-936L devices with firmware before 1.05.07 have an inadequat ...)
	NOT-FOR-US: D-Link
CVE-2017-7850 (Nessus 6.10.x before 6.10.5 was found to be vulnerable to a local priv ...)
	NOT-FOR-US: Nessus
CVE-2017-7849 (Nessus 6.10.x before 6.10.5 was found to be vulnerable to a local deni ...)
	NOT-FOR-US: Nessus
CVE-2017-7848 (RSS fields can inject new lines into the created email structure, modi ...)
	{DSA-4075-1 DLA-1223-1}
	- thunderbird 1:52.5.2-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7848
CVE-2017-7847 (Crafted CSS in an RSS feed can leak and reveal local path strings, whi ...)
	{DSA-4075-1 DLA-1223-1}
	- thunderbird 1:52.5.2-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7847
CVE-2017-7846 (It is possible to execute JavaScript in the parsed RSS feed when RSS f ...)
	{DSA-4075-1 DLA-1223-1}
	- thunderbird 1:52.5.2-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7846
CVE-2017-7845 (A buffer overflow occurs when drawing and validating elements using Di ...)
	- firefox (Only affects Firefox on Windows)
	- firefox-esr (Only affects Firefox on Windows)
	- thunderbird (Only affects Firefox on Windows)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-29/#CVE-2017-7845
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-28/#CVE-2017-7845
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7845
CVE-2017-7844 (A combination of an external SVG image referenced on a page and the co ...)
	- firefox 57.0.1-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-27/#CVE-2017-7844
CVE-2017-7843 (When Private Browsing mode is used, it is possible for a web worker to ...)
	{DSA-4062-1 DLA-1202-1}
	- firefox 57.0.1-1
	- firefox-esr 52.5.2esr-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-27/#CVE-2017-7843
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-28/#CVE-2017-7843
	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1410106
CVE-2017-7842 (If a document's Referrer Policy attribute is set to "no-referrer" some ...)
	- firefox 57.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7842
CVE-2017-7841
	RESERVED
CVE-2017-7840 (JavaScript can be injected into an exported bookmarks file by placing ...)
	- firefox 57.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7840
CVE-2017-7839 (Control characters prepended before "javascript:" URLs pasted in the a ...)
	- firefox 57.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7839
CVE-2017-7838 (Punycode format text will be displayed for entire qualified internatio ...)
	- firefox 57.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7838
CVE-2017-7837 (SVG loaded through "<img>" tags can use "<meta>" tags with ...)
	- firefox 57.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7837
CVE-2017-7836 (The "pingsender" executable used by the Firefox Health Report dynamica ...)
	- firefox 57.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7836
CVE-2017-7835 (Mixed content blocking of insecure (HTTP) sub-resources in a secure (H ...)
	- firefox 57.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7835
CVE-2017-7834 (A "data:" URL loaded in a new tab did not inherit the Content Security ...)
	- firefox 57.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7834
CVE-2017-7833 (Some Arabic and Indic vowel marker characters can be combined with Lat ...)
	- firefox 57.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7833
CVE-2017-7832 (The combined, single character, version of the letter 'i' with any of ...)
	- firefox 57.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7832
CVE-2017-7831 (A vulnerability where the security wrapper does not deny access to som ...)
	- firefox 57.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7831
CVE-2017-7830 (The Resource Timing API incorrectly revealed navigations in cross-orig ...)
	{DSA-4075-1 DSA-4061-1 DSA-4035-1 DLA-1199-1 DLA-1172-1}
	- firefox 57.0-1
	- firefox-esr 52.5.0esr-1
	- thunderbird 1:52.5.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7830
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/#CVE-2017-7830
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-26/#CVE-2017-7830
CVE-2017-7829 (It is possible to spoof the sender's email address and display an arbi ...)
	{DSA-4075-1 DLA-1223-1}
	- thunderbird 1:52.5.2-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7829
CVE-2017-7828 (A use-after-free vulnerability can occur when flushing and resizing la ...)
	{DSA-4075-1 DSA-4061-1 DSA-4035-1 DLA-1199-1 DLA-1172-1}
	- firefox 57.0-1
	- firefox-esr 52.5.0esr-1
	- thunderbird 1:52.5.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7828
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/#CVE-2017-7828
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-26/#CVE-2017-7828
CVE-2017-7827 (Memory safety bugs were reported in Firefox 56. Some of these bugs sho ...)
	- firefox 57.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7827
CVE-2017-7826 (Memory safety bugs were reported in Firefox 56 and Firefox ESR 52.4. S ...)
	{DSA-4075-1 DSA-4061-1 DSA-4035-1 DLA-1199-1 DLA-1172-1}
	- firefox 57.0-1
	- firefox-esr 52.5.0esr-1
	- thunderbird 1:52.5.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-24/#CVE-2017-7826
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/#CVE-2017-7826
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-26/#CVE-2017-7826
CVE-2017-7825 (Several fonts on OS X display some Tibetan and Arabic characters as wh ...)
	- firefox (Only affects Firefox on OS X)
	- firefox-esr (Only affects Firefox on OS X)
	- icedove (Only affects Thunderbird on OS X)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7825
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/#CVE-2017-7825
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7825
CVE-2017-7824 (A buffer overflow occurs when drawing and validating elements with the ...)
	{DSA-4014-1 DSA-3987-1 DLA-1153-1 DLA-1118-1}
	- firefox 56.0-1
	- firefox-esr 52.4.0esr-2
	- thunderbird 1:52.4.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7824
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/#CVE-2017-7824
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7824
CVE-2017-7823 (The content security policy (CSP) "sandbox" directive did not create a ...)
	{DSA-4014-1 DSA-3987-1 DLA-1153-1 DLA-1118-1}
	- firefox 56.0-1
	- firefox-esr 52.4.0esr-2
	- thunderbird 1:52.4.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7823
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/#CVE-2017-7823
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7823
CVE-2017-7822 (The AES-GCM implementation in WebCrypto API accepts 0-length IV when i ...)
	- firefox 56.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7822
CVE-2017-7821 (A vulnerability where WebExtensions can download and attempt to open a ...)
	- firefox 56.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7821
CVE-2017-7820 (The "instanceof" operator can bypass the Xray wrapper mechanism. When ...)
	- firefox 56.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7820
CVE-2017-7819 (A use-after-free vulnerability can occur in design mode when image obj ...)
	{DSA-4014-1 DSA-3987-1 DLA-1153-1 DLA-1118-1}
	- firefox 56.0-1
	- firefox-esr 52.4.0esr-2
	- thunderbird 1:52.4.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7819
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/#CVE-2017-7819
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7819
CVE-2017-7818 (A use-after-free vulnerability can occur when manipulating arrays of A ...)
	{DSA-4014-1 DSA-3987-1 DLA-1153-1 DLA-1118-1}
	- firefox 56.0-1
	- firefox-esr 52.4.0esr-2
	- thunderbird 1:52.4.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7818
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/#CVE-2017-7818
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7818
CVE-2017-7817 (A spoofing vulnerability can occur when a page switches to fullscreen ...)
	- firefox (Only affects Firefox on Android)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7817
CVE-2017-7816 (WebExtensions could use popups and panels in the extension UI to load ...)
	- firefox 56.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7816
CVE-2017-7815 (On pages containing an iframe, the "data:" protocol can be used to cre ...)
	- firefox 56.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7815
CVE-2017-7814 (File downloads encoded with "blob:" and "data:" URL elements bypassed ...)
	{DSA-4014-1 DSA-3987-1 DLA-1153-1 DLA-1118-1}
	- firefox 56.0-1
	- firefox-esr 52.4.0esr-2
	- thunderbird 1:52.4.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7814
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/#CVE-2017-7814
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7814
CVE-2017-7813 (Inside the JavaScript parser, a cast of an integer to a narrower type ...)
	- firefox 56.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7813
CVE-2017-7812 (If web content on a page is dragged onto portions of the browser UI, s ...)
	- firefox 56.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7812
CVE-2017-7811 (Memory safety bugs were reported in Firefox 55. Some of these bugs sho ...)
	- firefox 56.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7811
CVE-2017-7810 (Memory safety bugs were reported in Firefox 55 and Firefox ESR 52.3. S ...)
	{DSA-4014-1 DSA-3987-1 DLA-1153-1 DLA-1118-1}
	- firefox 56.0-1
	- firefox-esr 52.4.0esr-2
	- thunderbird 1:52.4.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7810
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/#CVE-2017-7810
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7810
CVE-2017-7809 (A use-after-free vulnerability can occur when an editor DOM node is de ...)
	{DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1}
	- firefox 55.0-1
	- firefox-esr 52.3.0esr-1
	- icedove 1:52.3.0-1 (bug #872834)
CVE-2017-7808 (A content security policy (CSP) "frame-ancestors" directive containing ...)
	- firefox 55.0-1
CVE-2017-7807 (A mechanism that uses AppCache to hijack a URL in a domain using fallb ...)
	{DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1}
	- firefox 55.0-1
	- firefox-esr 52.3.0esr-1
	- icedove 1:52.3.0-1 (bug #872834)
CVE-2017-7806 (A use-after-free vulnerability can occur when the layer manager is fre ...)
	- firefox 55.0-1
CVE-2017-7805 (During TLS 1.2 exchanges, handshake hashes are generated which point t ...)
	{DSA-4014-1 DSA-3998-1 DSA-3987-1 DLA-1153-1 DLA-1138-1 DLA-1118-1}
	- firefox 56.0-1
	- firefox-esr 52.4.0esr-2
	- thunderbird 1:52.4.0-1
	- nss 2:3.33-1
	NOTE: https://hg.mozilla.org/projects/nss/rev/839200ce0943166a079284bdf45dcc37bb672925
	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1377618 (not public)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7805
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/#CVE-2017-7805
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7805
CVE-2017-7804 (The destructor function for the "WindowsDllDetourPatcher" class can be ...)
	- firefox (Windows-specific)
	- firefox-esr (Windows-specific)
	- icedove (Windows-specific)
CVE-2017-7803 (When a page's content security policy (CSP) header contains a "sandbox ...)
	{DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1}
	- firefox 55.0-1
	- firefox-esr 52.3.0esr-1
	- icedove 1:52.3.0-1 (bug #872834)
CVE-2017-7802 (A use-after-free vulnerability can occur when manipulating the DOM dur ...)
	{DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1}
	- firefox 55.0-1
	- firefox-esr 52.3.0esr-1
	- icedove 1:52.3.0-1 (bug #872834)
CVE-2017-7801 (A use-after-free vulnerability can occur while re-computing layout for ...)
	{DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1}
	- firefox 55.0-1
	- firefox-esr 52.3.0esr-1
	- icedove 1:52.3.0-1 (bug #872834)
CVE-2017-7800 (A use-after-free vulnerability can occur in WebSockets when the object ...)
	{DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1}
	- firefox 55.0-1
	- firefox-esr 52.3.0esr-1
	- icedove 1:52.3.0-1 (bug #872834)
CVE-2017-7799 (JavaScript in the "about:webrtc" page is not sanitized properly being ...)
	- firefox 55.0-1
CVE-2017-7798 (The Developer Tools feature suffers from a XUL injection vulnerability ...)
	{DSA-3928-1 DLA-1053-1}
	- firefox 55.0-1
	- firefox-esr 52.3.0esr-1
CVE-2017-7797 (Response header name interning does not have same-origin protections a ...)
	- firefox 55.0-1
CVE-2017-7796 (On Windows systems, the logger run by the Windows updater deletes the ...)
	- firefox (Windows-specific)
CVE-2017-7795
	RESERVED
CVE-2017-7794 (On Linux systems, if the content process is compromised, the sandbox b ...)
	- firefox 55.0-1
CVE-2017-7793 (A use-after-free vulnerability can occur in the Fetch API when the wor ...)
	{DSA-4014-1 DSA-3987-1 DLA-1153-1 DLA-1118-1}
	- firefox 56.0-1
	- firefox-esr 52.4.0esr-2
	- thunderbird 1:52.4.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-21/#CVE-2017-7793
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/#CVE-2017-7793
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7793
CVE-2017-7792 (A buffer overflow will occur when viewing a certificate in the certifi ...)
	{DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1}
	- firefox 55.0-1
	- firefox-esr 52.3.0esr-1
	- icedove 1:52.3.0-1 (bug #872834)
CVE-2017-7791 (On pages containing an iframe, the "data:" protocol can be used to cre ...)
	{DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1}
	- firefox 55.0-1
	- firefox-esr 52.3.0esr-1
	- icedove 1:52.3.0-1 (bug #872834)
CVE-2017-7790 (On Windows systems, if non-null-terminated strings are copied into the ...)
	- firefox (Windows-specific)
CVE-2017-7789 (If a server sends two Strict-Transport-Security (STS) headers for a si ...)
	- firefox 55.0-1 (low)
	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1074642
CVE-2017-7788 (When an "iframe" has a "sandbox" attribute and its content is specifie ...)
	- firefox 55.0-1
CVE-2017-7787 (Same-origin policy protections can be bypassed on pages with embedded ...)
	{DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1}
	- firefox 55.0-1
	- firefox-esr 52.3.0esr-1
	- icedove 1:52.3.0-1 (bug #872834)
CVE-2017-7786 (A buffer overflow can occur when the image renderer attempts to paint ...)
	{DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1}
	- firefox 55.0-1
	- firefox-esr 52.3.0esr-1
	- icedove 1:52.3.0-1 (bug #872834)
CVE-2017-7785 (A buffer overflow can occur when manipulating Accessible Rich Internet ...)
	{DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1}
	- firefox 55.0-1
	- firefox-esr 52.3.0esr-1
	- icedove 1:52.3.0-1 (bug #872834)
CVE-2017-7784 (A use-after-free vulnerability can occur when reading an image observe ...)
	{DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1}
	- firefox 55.0-1
	- firefox-esr 52.3.0esr-1
	- icedove 1:52.3.0-1 (bug #872834)
CVE-2017-7783 (If a long user name is used in a username/password combination in a si ...)
	- firefox 55.0-1
CVE-2017-7782 (An error in the "WindowsDllDetourPatcher" where a RWX ("Read/Write/Exe ...)
	- firefox (Windows-specific)
	- firefox-esr (Windows-specific)
	- icedove (Windows-specific)
CVE-2017-7781 (An error occurs in the elliptic curve point addition algorithm that us ...)
	- firefox 55.0-1
CVE-2017-7780 (Memory safety bugs were reported in Firefox 54. Some of these bugs sho ...)
	- firefox 55.0-1
CVE-2017-7779 (Memory safety bugs were reported in Firefox 54, Firefox ESR 52.2, and ...)
	{DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1}
	- firefox 55.0-1
	- firefox-esr 52.3.0esr-1
	- icedove 1:52.3.0-1 (bug #872834)
CVE-2017-7778 (A number of security vulnerabilities in the Graphite 2 library includi ...)
	{DSA-3918-1 DSA-3894-1 DSA-3881-1 DLA-1013-1 DLA-1007-1 DLA-991-1}
	- graphite2 1.3.10-1
	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1349310
	- firefox 54.0-1
	- firefox-esr 52.2.0esr-1
	- icedove 1:52.2.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7778
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7778
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7778
CVE-2017-7777 (Use of uninitialized memory in Graphite2 library in Firefox before 54 ...)
	{DSA-3918-1 DSA-3894-1 DSA-3881-1 DLA-1013-1 DLA-1007-1 DLA-991-1}
	- graphite2 1.3.10-1
	- firefox 54.0-1
	- firefox-esr 52.2.0esr-1
	- icedove 1:52.2.0-1
	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1349310
	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1358551
CVE-2017-7776 (Heap-based Buffer Overflow read in Graphite2 library in Firefox before ...)
	{DSA-3918-1 DSA-3894-1 DSA-3881-1 DLA-1013-1 DLA-1007-1 DLA-991-1}
	- graphite2 1.3.10-1
	- firefox 54.0-1
	- firefox-esr 52.2.0esr-1
	- icedove 1:52.2.0-1
	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1356607
CVE-2017-7775
	REJECTED
CVE-2017-7774 (Out-of-bounds read in Graphite2 Library in Firefox before 54 in graphi ...)
	{DSA-3918-1 DSA-3894-1 DSA-3881-1 DLA-1013-1 DLA-1007-1 DLA-991-1}
	- graphite2 1.3.10-1
	- firefox 54.0-1
	- firefox-esr 52.2.0esr-1
	- icedove 1:52.2.0-1
	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1355174
CVE-2017-7773 (Heap-based Buffer Overflow write in Graphite2 library in Firefox befor ...)
	{DSA-3918-1 DSA-3894-1 DSA-3881-1 DLA-1013-1 DLA-1007-1 DLA-991-1}
	- graphite2 1.3.10-1
	- firefox 54.0-1
	- firefox-esr 52.2.0esr-1
	- icedove 1:52.2.0-1
	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1352747
CVE-2017-7772 (Heap-based Buffer Overflow in Graphite2 library in Firefox before 54 i ...)
	{DSA-3918-1 DSA-3894-1 DSA-3881-1 DLA-1013-1 DLA-1007-1 DLA-991-1}
	- graphite2 1.3.10-1
	- firefox 54.0-1
	- firefox-esr 52.2.0esr-1
	- icedove 1:52.2.0-1
	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1352745
CVE-2017-7771 (Out-of-bounds read in Graphite2 Library in Firefox before 54 in graphi ...)
	{DSA-3918-1 DSA-3894-1 DSA-3881-1 DLA-1013-1 DLA-1007-1 DLA-991-1}
	- graphite2 1.3.10-1
	- firefox 54.0-1
	- firefox-esr 52.2.0esr-1
	- icedove 1:52.2.0-1
	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1350047
CVE-2017-7770 (A mechanism where when a new tab is loaded through JavaScript events, ...)
	- firefox (Only Firefox on Android)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7770
CVE-2017-7769
	RESERVED
CVE-2017-7768 (The Mozilla Maintenance Service can be invoked by an unprivileged user ...)
	- firefox (Only Firefox on Windows)
	- firefox-esr (Only Firefox ESR on Windows)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7768
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7768
CVE-2017-7767 (The Mozilla Maintenance Service can be invoked by an unprivileged user ...)
	- firefox (Only Firefox on Windows)
	- firefox-esr (Only Firefox ESR on Windows)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7767
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7767
CVE-2017-7766 (An attack using manipulation of "updater.ini" contents, used by the Mo ...)
	- firefox (Only Firefox on Windows)
	- firefox-esr (Only Firefox ESR on Windows)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7766
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7766
CVE-2017-7765 (The "Mark of the Web" was not correctly saved on Windows when files wi ...)
	- firefox (Only Firefox on Windows)
	- firefox-esr (Only Firefox ESR on Windows)
	- icedove (Only Thunderbird on Windows)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7765
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7765
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7765
CVE-2017-7764 (Characters from the "Canadian Syllabics" unicode block can be mixed wi ...)
	{DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1}
	- firefox 54.0-1
	- firefox-esr 52.2.0esr-1
	- icedove 1:52.2.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7764
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7764
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7764
CVE-2017-7763 (Default fonts on OS X display some Tibetan characters as whitespace. W ...)
	- firefox (Only firefox on Mac OS X)
	- firefox-esr (Only Firefox ESR on Mac OS X)
	- icedove (Only Thunderbird on Mac OS X)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7763
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7763
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7763
CVE-2017-7762 (When entered directly, Reader Mode did not strip the username and pass ...)
	- firefox 54.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7762
CVE-2017-7761 (The Mozilla Maintenance Service "helper.exe" application creates a tem ...)
	- firefox (Only Firefox on Windows)
	- firefox-esr (Only Firefox ESR on Windows)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7761
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7761
CVE-2017-7760 (The Mozilla Windows updater modifies some files to be updated by readi ...)
	- firefox (Only Firefox on Windows)
	- firefox-esr (Only Firefox ESR on Windows)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7760
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7760
CVE-2017-7759 (Android intent URLs given to Firefox for Android can be used to naviga ...)
	- firefox (Only Firefox on Android)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7759
CVE-2017-7758 (An out-of-bounds read vulnerability with the Opus encoder when the num ...)
	{DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1}
	- firefox 54.0-1
	- firefox-esr 52.2.0esr-1
	- icedove 1:52.2.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7758
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7758
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7758
CVE-2017-7757 (A use-after-free vulnerability in IndexedDB when one of its objects is ...)
	{DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1}
	- firefox 54.0-1
	- firefox-esr 52.2.0esr-1
	- icedove 1:52.2.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7757
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7757
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7757
CVE-2017-7756 (A use-after-free and use-after-scope vulnerability when logging errors ...)
	{DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1}
	- firefox 54.0-1
	- firefox-esr 52.2.0esr-1
	- icedove 1:52.2.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7756
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7756
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7756
CVE-2017-7755 (The Firefox installer on Windows can be made to load malicious DLL fil ...)
	- firefox (Only Firefox on Windows)
	- firefox-esr (Only Firefox ESR on Windows)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7755
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7755
CVE-2017-7754 (An out-of-bounds read in WebGL with a maliciously crafted "ImageInfo" ...)
	{DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1}
	- firefox 54.0-1
	- firefox-esr 52.2.0esr-1
	- icedove 1:52.2.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7754
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7754
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7754
CVE-2017-7753 (An out-of-bounds read occurs when applying style rules to pseudo-eleme ...)
	{DSA-3968-1 DSA-3928-1 DLA-1087-1 DLA-1053-1}
	- firefox 55.0-1
	- firefox-esr 52.3.0esr-1
	- icedove 1:52.3.0-1 (bug #872834)
CVE-2017-7752 (A use-after-free vulnerability during specific user interactions with ...)
	{DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1}
	- firefox 54.0-1
	- firefox-esr 52.2.0esr-1
	- icedove 1:52.2.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7752
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7752
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7752
CVE-2017-7751 (A use-after-free vulnerability with content viewer listeners that resu ...)
	{DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1}
	- firefox 54.0-1
	- firefox-esr 52.2.0esr-1
	- icedove 1:52.2.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7751
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7751
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7751
CVE-2017-7750 (A use-after-free vulnerability during video control operations when a ...)
	{DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1}
	- firefox 54.0-1
	- firefox-esr 52.2.0esr-1
	- icedove 1:52.2.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7750
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7750
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7750
CVE-2017-7749 (A use-after-free vulnerability when using an incorrect URL during the ...)
	{DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1}
	- firefox 54.0-1
	- firefox-esr 52.2.0esr-1
	- icedove 1:52.2.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7749
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-7749
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7749
CVE-2017-7748 (In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the WSP dissector cou ...)
	- wireshark 2.2.6+g32dac6a-1 (low)
	[jessie] - wireshark (Vulnerable code introduced later)
	[wheezy] - wireshark (Vulnerable code introduced later)
	NOTE: https://www.wireshark.org/security/wnpa-sec-2017-21.html
	NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f55cbcde2c8f74b652add4450b0592082eb6acff
	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13581
CVE-2017-7747 (In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the PacketBB dissecto ...)
	{DLA-1634-1}
	- wireshark 2.2.6+g32dac6a-1
	[wheezy] - wireshark (Minor issue)
	NOTE: https://www.wireshark.org/security/wnpa-sec-2017-18.html
	NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=5cfd52d6629cf8a7ab67c6bacd3431a964f43584
	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13559
CVE-2017-7746 (In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the SLSK dissector co ...)
	{DLA-1634-1}
	- wireshark 2.2.6+g32dac6a-1 (low)
	[wheezy] - wireshark (Minor issue)
	NOTE: https://www.wireshark.org/security/wnpa-sec-2017-19.html
	NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=58e69cc769dea24b721abd8a29f9eedc11024b7e
	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13576
CVE-2017-7745 (In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the SIGCOMP dissector ...)
	- wireshark 2.2.6+g32dac6a-1
	[jessie] - wireshark (Vulnerable code not present)
	[wheezy] - wireshark (Vulnerable code not present)
	NOTE: https://www.wireshark.org/security/wnpa-sec-2017-20.html
	NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=acd8e1a9b17ad274bea1e01e10e4481508a1cbf0
	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13578
CVE-2017-7744
	RESERVED
CVE-2017-7743
	RESERVED
CVE-2017-7742 (In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" func ...)
	{DLA-928-1}
	- libsndfile 1.0.27-3 (bug #860255)
	[jessie] - libsndfile (Minor issue)
	NOTE: Fixed by: https://github.com/erikd/libsndfile/commit/60b234301adf258786d8b90be5c1d437fc8799e0
	NOTE: https://blogs.gentoo.org/ago/2017/04/11/libsndfile-invalid-memory-read-and-invalid-memory-write-in/
CVE-2017-7741 (In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" func ...)
	{DLA-928-1}
	- libsndfile 1.0.27-2
	[jessie] - libsndfile (Minor issue)
	NOTE: Fixed by: https://github.com/erikd/libsndfile/commit/60b234301adf258786d8b90be5c1d437fc8799e0
	NOTE: https://blogs.gentoo.org/ago/2017/04/11/libsndfile-invalid-memory-read-and-invalid-memory-write-in/
	NOTE: 1.0.27-2 in unstable contains fix_bufferoverflows.patch meant to address this issue
	NOTE: https://sources.debian.org/data/main/libs/libsndfile/1.0.27-2/debian/patches/fix_bufferoverflows.patch
CVE-2017-7740
	RESERVED
CVE-2017-7739 (A reflected Cross-site Scripting (XSS) vulnerability in web proxy disc ...)
	NOT-FOR-US: Fortinet FortiOS
CVE-2017-7738 (An Information Disclosure vulnerability in Fortinet FortiOS 5.6.0 to 5 ...)
	NOT-FOR-US: Fortinet FortiOS
CVE-2017-7737 (An information disclosure vulnerability in Fortinet FortiWeb 5.8.2 and ...)
	NOT-FOR-US: Fortinet
CVE-2017-7736 (A stored Cross-site Scripting (XSS) vulnerability in Fortinet FortiWeb ...)
	NOT-FOR-US: Fortinet
CVE-2017-7735 (A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.2. ...)
	NOT-FOR-US: Fortinet FortiOS
CVE-2017-7734 (A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.4. ...)
	NOT-FOR-US: Fortinet FortiOS
CVE-2017-7733 (A Cross-Site-Scripting (XSS) vulnerability in Fortinet FortiOS 5.4.0 t ...)
	NOT-FOR-US: Fortinet
CVE-2017-7732 (A reflected Cross-Site Scripting (XSS) vulnerability in Fortinet Forti ...)
	NOT-FOR-US: Fortinet
CVE-2017-7731 (A weak password recovery vulnerability in Fortinet FortiPortal version ...)
	NOT-FOR-US: Fortinet FortiPortal
CVE-2017-7730 (iSmartAlarm cube devices allow Denial of Service. Sending a SYN flood ...)
	NOT-FOR-US: iSmartAlarm
CVE-2017-7729 (On iSmartAlarm cube devices, there is Incorrect Access Control because ...)
	NOT-FOR-US: iSmartAlarm
CVE-2017-7728 (On iSmartAlarm cube devices, there is authentication bypass leading to ...)
	NOT-FOR-US: iSmartAlarm
CVE-2017-7727
	REJECTED
CVE-2017-7726 (iSmartAlarm cube devices have an SSL Certificate Validation Vulnerabil ...)
	NOT-FOR-US: iSmartAlarm
CVE-2017-7725 (concrete5 8.1.0 places incorrect trust in the HTTP Host header during ...)
	NOT-FOR-US: concrete5
CVE-2017-7724
	RESERVED
CVE-2017-7723 (XSS exists in Easy WP SMTP (before 1.2.5), a WordPress Plugin, via the ...)
	NOT-FOR-US: Easy WP SMTP WordPress plugin
CVE-2017-7722 (In SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4, a m ...)
	NOT-FOR-US: SolarWinds
CVE-2017-7721 (IrfanView version 4.44 (32bit) with FPX Plugin before 4.45 has an Acce ...)
	NOT-FOR-US: IrfanView
CVE-2017-7720 (Buffer overflow in PrivateTunnel 2.7 and 2.8 allows local attackers to ...)
	NOT-FOR-US: PrivateTunnel
CVE-2017-7719 (SQL injection in the Spider Event Calendar (aka spider-event-calendar) ...)
	NOT-FOR-US: Spider Event Calendar
CVE-2017-7718 (hw/display/cirrus_vga_rop.h in QEMU (aka Quick Emulator) allows local ...)
	{DLA-1497-1 DLA-1035-1 DLA-939-1}
	- qemu 1:2.8+dfsg-4
	- qemu-kvm
	NOTE: http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=215902d7b6fb50c6fc216fc74f770858278ed904
	NOTE: http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=3328c14e63f08fb07e8c6dec779c9d365e9e9864 (v2.8.1)
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1443441
CVE-2017-7717 (SQL injection vulnerability in the getUserUddiElements method in the E ...)
	NOT-FOR-US: SAP
CVE-2017-7716 (The read_u32_leb128 function in libr/util/uleb128.c in radare2 1.3.0 a ...)
	- radare2 (Vulnerable code introduced later)
	NOTE: https://github.com/radare/radare2/issues/7260
CVE-2017-7715
	RESERVED
CVE-2017-7714
	RESERVED
CVE-2017-7713
	RESERVED
CVE-2017-7712
	RESERVED
CVE-2017-7711
	RESERVED
CVE-2017-7710
	RESERVED
CVE-2017-7709
	RESERVED
CVE-2017-7708
	RESERVED
CVE-2017-7707
	RESERVED
CVE-2017-7706
	RESERVED
CVE-2017-7705 (In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the RPC over RDMA dis ...)
	- wireshark 2.2.6+g32dac6a-1
	[jessie] - wireshark (Vulnerable code not present)
	[wheezy] - wireshark (Vulnerable code not present)
	NOTE: https://www.wireshark.org/security/wnpa-sec-2017-15.html
	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13558
	NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=08d392bbecc8fb666bf979e70a34536007b83ea2
CVE-2017-7704 (In Wireshark 2.2.0 to 2.2.5, the DOF dissector could go into an infini ...)
	- wireshark 2.2.6+g32dac6a-1
	[jessie] - wireshark (Vulnerable code not present)
	[wheezy] - wireshark (Vulnerable code not present)
	NOTE: https://www.wireshark.org/security/wnpa-sec-2017-17.html
	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13453
	NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6032b0fe5fc1176ab77e03e20765f95fbd21b19e
	NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=da53a90b6895e47e03c5de05edf84bd99d535fd8
CVE-2017-7703 (In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the IMAP dissector co ...)
	{DLA-1634-1}
	- wireshark 2.2.6+g32dac6a-1 (low)
	[wheezy] - wireshark (Minor issue)
	NOTE: https://www.wireshark.org/security/wnpa-sec-2017-12.html
	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13466
	NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=671e32820ab29d41d712cc8a472eab9b672684d9
CVE-2017-7702 (In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the WBXML dissector c ...)
	- wireshark 2.2.6+g32dac6a-1 (low)
	[jessie] - wireshark (Minor issue)
	[wheezy] - wireshark (Minor issue)
	NOTE: https://www.wireshark.org/security/wnpa-sec-2017-13.html
	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13477
	NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2f322f66cbcca2fefdaa630494f9d6c97eb659b7
	NOTE: When fixing this entry for older releases, make sure to apply the
	NOTE: complete patch including https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2f322f66cbcca2fefdaa630494f9d6c97eb659b7
	NOTE: to not open CVE-2017-11410.
CVE-2017-7701 (In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the BGP dissector cou ...)
	- wireshark 2.2.6+g32dac6a-1
	[jessie] - wireshark (Vulnerable code not present)
	[wheezy] - wireshark (Vulnerable code not present)
	NOTE: https://www.wireshark.org/security/wnpa-sec-2017-16.html
	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13557
	NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=fa31f69b407436d0946f84baa0acdcc50962bf7a
CVE-2017-7700 (In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the NetScaler file pa ...)
	{DLA-1634-1 DLA-858-1}
	- wireshark 2.2.6+g32dac6a-1 (low)
	NOTE: https://www.wireshark.org/security/wnpa-sec-2017-14.html
	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13478
	NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=8fc0af859de4993951a915ad735be350221f3f53
CVE-2017-7699
	RESERVED
CVE-2017-7698 (A Use After Free in the pdf2swf part of swftools 0.9.2 and earlier all ...)
	- swftools 0.9.2+ds1-2
	NOTE: https://github.com/matthiaskramm/swftools/pull/19
	NOTE: Vulnerable code removed with the 0.9.2+dfs1-2 upload
CVE-2017-7697 (In libsamplerate before 0.1.9, a buffer over-read occurs in the calc_o ...)
	- libsamplerate 0.1.9-1 (bug #860159)
	[stretch] - libsamplerate (Minor issue)
	[jessie] - libsamplerate (Minor issue)
	[wheezy] - libsamplerate (Minor issue)
	NOTE: https://github.com/erikd/libsamplerate/issues/11
	NOTE: https://blogs.gentoo.org/ago/2017/04/11/libsamplerate-global-buffer-overflow-in-calc_output_single-src_sinc-c/
	NOTE: Fixed by: https://github.com/erikd/libsamplerate/commit/c3b66186656de44da18b7058aec099dbe782dd0b
CVE-2017-7696 (SAP AS JAVA SSO Authentication Library 2.0 through 3.0 allow remote at ...)
	NOT-FOR-US: SAP
CVE-2017-7695 (Unrestricted File Upload exists in BigTree CMS before 4.2.17: if an at ...)
	NOT-FOR-US: BigTree CMS
CVE-2017-7694 (Remote Code Execution vulnerability in symphony/content/content.bluepr ...)
	NOT-FOR-US: Symphony CMS
CVE-2017-7693 (Directory traversal vulnerability in viewer_script.jsp in Riverbed OPN ...)
	NOT-FOR-US: Riverbed OPNET App Response Xpert (ARX)
CVE-2017-7692 (SquirrelMail 1.4.22 (and other versions before 20170427_0200-SVN) allo ...)
	{DSA-3852-1 DLA-941-1}
	- squirrelmail
	NOTE: https://www.openwall.com/lists/oss-security/2017/04/19/6
	NOTE: https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html
CVE-2017-7691 (A code injection vulnerability exists in SAP TREX / Business Warehouse ...)
	NOT-FOR-US: SAP TREX
CVE-2017-7690 (Proxifier for Mac before 2.19.2, when first run, allows local users to ...)
	NOT-FOR-US: Proxifier for Mac
CVE-2017-7689 (A Command Injection vulnerability in Schneider Electric homeLYnk Contr ...)
	NOT-FOR-US: Schneider Electric
CVE-2017-7688 (Apache OpenMeetings 1.0.0 updates user password in insecure manner. ...)
	NOT-FOR-US: Apache OpenMeetings
CVE-2017-7687 (When handling a decoding failure for a malformed URL path of an HTTP r ...)
	- apache-mesos (bug #760315)
CVE-2017-7686 (Apache Ignite 1.0.0-RC3 to 2.0 uses an update notifier component to up ...)
	NOT-FOR-US: Apache Ignite
CVE-2017-7685 (Apache OpenMeetings 1.0.0 responds to the following insecure HTTP meth ...)
	NOT-FOR-US: Apache OpenMeetings
CVE-2017-7684 (Apache OpenMeetings 1.0.0 doesn't check contents of files being upload ...)
	NOT-FOR-US: Apache OpenMeetings
CVE-2017-7683 (Apache OpenMeetings 1.0.0 displays Tomcat version and detailed error s ...)
	NOT-FOR-US: Apache OpenMeetings
CVE-2017-7682 (Apache OpenMeetings 3.2.0 is vulnerable to parameter manipulation atta ...)
	NOT-FOR-US: Apache OpenMeetings
CVE-2017-7681 (Apache OpenMeetings 1.0.0 is vulnerable to SQL injection. This allows ...)
	NOT-FOR-US: Apache OpenMeetings
CVE-2017-7680 (Apache OpenMeetings 1.0.0 has an overly permissive crossdomain.xml fil ...)
	NOT-FOR-US: Apache OpenMeetings
CVE-2017-7679 (In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime ...)
	{DSA-3896-1 DLA-1009-1}
	- apache2 2.4.25-4
CVE-2017-7678 (In Apache Spark before 2.2.0, it is possible for an attacker to take a ...)
	- apache-spark (bug #802194)
CVE-2017-7677 (In environments that use external location for hive tables, Hive Autho ...)
	NOT-FOR-US: Apache Ranger
CVE-2017-7676 (Policy resource matcher in Apache Ranger before 0.7.1 ignores characte ...)
	NOT-FOR-US: Apache Ranger
CVE-2017-7675 (The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8 ...)
	- tomcat9 (Fixed before initial upload to Debian)
	- tomcat8 8.5.16-1
	[stretch] - tomcat8 8.5.14-1+deb9u2
	[jessie] - tomcat8 (Only affects 8.5.0 to 8.5.15)
	- tomcat7 (Only affects Tomcat 8.5.x and 9.x series; vulnerable code not present)
	- tomcat6 (Only affects Tomcat 8.5.x and 9.x series; vulnerable code not present)
	NOTE: Fixed by: http://svn.apache.org/r1796091 (8.5.x)
	NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=61120
CVE-2017-7674 (The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.1 ...)
	{DSA-3974-1 DLA-1400-1}
	- tomcat9 (Fixed before initial upload to Debian)
	- tomcat8 8.5.16-1
	- tomcat7 7.0.72-3
	[wheezy] - tomcat7 (Vulnerable code not present)
	NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API
	NOTE: Fixed by: http://svn.apache.org/r1795814 (8.5.x)
	NOTE: Fixed by: http://svn.apache.org/r1795815 (8.0.x)
	NOTE: Fixed by: http://svn.apache.org/r1795816 (7.0.x)
	NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=61101
CVE-2017-7673 (Apache OpenMeetings 1.0.0 uses not very strong cryptographic storage, ...)
	NOT-FOR-US: Apache OpenMeetings
CVE-2017-7672 (If an application allows enter an URL in a form field and built-in URL ...)
	- libstruts1.2-java (Vulnerable code not present)
	NOTE: Issue is specific to Struts 2.x.
CVE-2017-7671 (There is a DOS attack vulnerability in Apache Traffic Server (ATS) 5.2 ...)
	{DSA-4128-1}
	- trafficserver 7.1.2+ds-1
	[wheezy] - trafficserver (Vulnerable code not present)
	NOTE: https://github.com/apache/trafficserver/pull/1941
CVE-2017-7670 (The Traffic Router component of the incubating Apache Traffic Control ...)
	NOT-FOR-US: Apache Traffic Control
CVE-2017-7669 (In Apache Hadoop 2.8.0, 3.0.0-alpha1, and 3.0.0-alpha2, the LinuxConta ...)
	- hadoop (bug #793644)
CVE-2017-7668 (The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.2 ...)
	{DSA-3896-1 DLA-1009-1}
	- apache2 2.4.25-4
CVE-2017-7667 (Apache NiFi before 0.7.4 and 1.x before 1.3.0 need to establish the re ...)
	NOT-FOR-US: Apache NiFi
CVE-2017-7666 (Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery ...)
	NOT-FOR-US: Apache OpenMeetings
CVE-2017-7665 (In Apache NiFi before 0.7.4 and 1.x before 1.3.0, there are certain us ...)
	NOT-FOR-US: Apache NiFi
CVE-2017-7664 (Uploaded XML documents were not correctly validated in Apache OpenMeet ...)
	NOT-FOR-US: Apache OpenMeetings
CVE-2017-7663 (Both global and Room chat are vulnerable to XSS attack in Apache OpenM ...)
	NOT-FOR-US: Apache OpenMeetings
CVE-2017-7662 (Apache CXF Fediz ships with an OpenId Connect (OIDC) service which has ...)
	NOT-FOR-US: Apache CXF
CVE-2017-7661 (Apache CXF Fediz ships with a number of container-specific plugins to ...)
	NOT-FOR-US: Apache CXF
CVE-2017-7660 (Apache Solr uses a PKI based mechanism to secure inter-node communicat ...)
	- lucene-solr (Vulnerable code introduced later)
	NOTE: https://issues.apache.org/jira/browse/SOLR-10624
	NOTE: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/2f5ecbcf
CVE-2017-7659 (A maliciously constructed HTTP/2 request could cause mod_http2 in Apac ...)
	- apache2 2.4.25-4
	[stretch] - apache2 2.4.25-3+deb9u1
	[jessie] - apache2 (Vulnerable code not present)
	[wheezy] - apache2 (Vulnerable code not present)
	NOTE: HTTP/2 support introduced in 2.4.17
	NOTE: https://www.openwall.com/lists/oss-security/2017/06/19/5
CVE-2017-7658 (In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP ...)
	{DSA-4278-1}
	- jetty
	[jessie] - jetty (very hard to exploit, complex patch)
	- jetty8
	[jessie] - jetty8 (very hard to exploit, complex patch)
	- jetty9 9.2.25-1 (low; bug #902953)
	NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669
	NOTE: https://github.com/eclipse/jetty.project/commit/a285deea
	NOTE: Exploit very unlikely, needs a very particular intermediary behaviour.
CVE-2017-7657 (In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations) ...)
	{DSA-4278-1}
	- jetty
	[jessie] - jetty (very hard to exploit, complex patch)
	- jetty8
	[jessie] - jetty8 (very hard to exploit, complex patch)
	- jetty9 9.2.25-1 (low; bug #902953)
	NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668
	NOTE: https://github.com/eclipse/jetty.project/commit/a285deea
CVE-2017-7656 (In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations) ...)
	{DSA-4278-1}
	- jetty
	[jessie] - jetty (very hard to exploit, complex patch)
	- jetty8
	[jessie] - jetty8 (very hard to exploit, complex patch)
	- jetty9 9.2.25-1 (low; bug #902953)
	NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667
	NOTE: https://github.com/eclipse/jetty.project/commit/a285deea
CVE-2017-7655 (In Eclipse Mosquitto version from 1.0 to 1.4.15, a Null Dereference vu ...)
	{DLA-1972-1}
	- mosquitto 1.5.4-1 (low)
	[stretch] - mosquitto (Minor issue)
	NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=533775
	NOTE: https://github.com/eclipse/mosquitto/commit/79a7b36d207c9142468a7ea33695a14181a9fd24
CVE-2017-7654 (In Eclipse Mosquitto 1.4.15 and earlier, a Memory Leak vulnerability w ...)
	{DSA-4325-1 DLA-1525-1}
	- mosquitto 1.5.4-1 (bug #911265)
	NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=533493
	NOTE: https://github.com/eclipse/mosquitto/commit/51ec5601c2ec523bf2973fdc1eca77335eafb8de
CVE-2017-7653 (The Eclipse Mosquitto broker up to version 1.4.15 does not reject stri ...)
	{DSA-4325-1 DLA-1525-1}
	- mosquitto 1.5.4-1 (bug #911266)
	NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=532113
	NOTE: https://github.com/eclipse/mosquitto/commit/729a09310a7a56fbe5933b70b4588049da1a42b4
CVE-2017-7652 (In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running wi ...)
	{DSA-4325-1 DLA-1409-1 DLA-1334-1}
	- mosquitto 1.4.15-1
	NOTE: Patches: https://mosquitto.org/files/cve/2017-7652
	NOTE: http://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/
CVE-2017-7651 (In Eclipse Mosquitto 1.4.14, a user can shutdown the Mosquitto server ...)
	{DSA-4325-1 DLA-1409-1 DLA-1334-1}
	- mosquitto 1.4.15-1
	NOTE: Patches: https://mosquitto.org/files/cve/2017-7651
	NOTE: http://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/
CVE-2017-7650 (In Mosquitto before 1.4.12, pattern based ACLs can be bypassed by clie ...)
	{DSA-3865-1 DLA-961-1}
	- mosquitto 1.4.10-3
	NOTE: http://mosquitto.org/2017/05/security-advisory-cve-2017-7650/
	NOTE: Patches: https://mosquitto.org/files/cve/2017-7650/
CVE-2017-7649 (The network enabled distribution of Kura before 2.1.0 takes control ov ...)
	NOT-FOR-US: Kura
CVE-2017-7648 (Foscam networked devices use the same hardcoded SSL private key across ...)
	NOT-FOR-US: Foscam
CVE-2017-7647 (SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4 allows ...)
	NOT-FOR-US: SolarWinds
CVE-2017-7646 (SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4 allows ...)
	NOT-FOR-US: SolarWinds
CVE-2017-7645 (The NFSv2/NFSv3 server in the nfsd subsystem in the Linux kernel throu ...)
	{DSA-3886-1 DLA-993-1}
	- linux 4.9.25-1
	NOTE: Fixed by: https://git.kernel.org/linus/e6838a29ecb484c97e4efef9429643b9851fba6e
CVE-2017-7644 (The Management Web Interface in Palo Alto Networks PAN-OS before 6.1.1 ...)
	NOT-FOR-US: Management Web Interface in Palo Alto Networks PAN-OS
CVE-2017-7643 (Proxifier for Mac before 2.19 allows local users to gain privileges vi ...)
	NOT-FOR-US: Proxifier for Mac
CVE-2017-7642 (The sudo helper in the HashiCorp Vagrant VMware Fusion plugin (aka vag ...)
	NOT-FOR-US: HashiCorp Vagrant VMware Fusion plugin
CVE-2017-7641 (QNAP NAS application Media Streaming add-on version 421.1.0.2, 430.1.2 ...)
	NOT-FOR-US: QNAP NAS application Media Streaming add-on
CVE-2017-7640 (QNAP NAS application Media Streaming add-on version 421.1.0.2, 430.1.2 ...)
	NOT-FOR-US: QNAP NAS application Media Streaming add-on
CVE-2017-7639 (QNAP NAS application Proxy Server through version 1.2.0 does not authe ...)
	NOT-FOR-US: QNAP
CVE-2017-7638 (QNAP NAS application Media Streaming add-on version 421.1.0.2, 430.1.2 ...)
	NOT-FOR-US: QNAP NAS application Media Streaming add-on
CVE-2017-7637 (QNAP NAS application Proxy Server through version 1.2.0 allows remote ...)
	NOT-FOR-US: QNAP
CVE-2017-7636 (Cross-site scripting (XSS) vulnerability in QNAP NAS application Proxy ...)
	NOT-FOR-US: QNAP
CVE-2017-7635 (QNAP NAS application Proxy Server through version 1.2.0 does not utili ...)
	NOT-FOR-US: QNAP
CVE-2017-7634 (Cross-site scripting (XSS) vulnerability in QNAP NAS application Media ...)
	NOT-FOR-US: QNAP NAS application Media Streaming add-on
CVE-2017-7633 (QNAP Qfinder Pro 6.1.0.0317 and earlier may expose sensitive informati ...)
	NOT-FOR-US: QNAP
CVE-2017-7632 (Cross-site scripting (XSS) vulnerability in File Station of QNAP QTS 4 ...)
	NOT-FOR-US: File Station of QNAP QTS
CVE-2017-7631 (Cross-site scripting (XSS) vulnerability in the share link function of ...)
NOT-FOR-US: File Station of QNAP CVE-2017-7630 (QNAP QTS 4.2.6 build 20171026, QTS 4.3.3 build 20170727 and earlier al ...) NOT-FOR-US: QNAP CVE-2017-7629 (QNAP QTS before 4.2.6 build 20170517 has a flaw in the change password ...) NOT-FOR-US: QNAP QTS CVE-2017-7628 (The "Smart related articles" extension 1.1 for Joomla! has SQL injecti ...) NOT-FOR-US: Joomla extension CVE-2017-7627 (The "Smart related articles" extension 1.1 for Joomla! does not preven ...) NOT-FOR-US: Joomla extension CVE-2017-7626 (The "Smart related articles" extension 1.1 for Joomla! has XSS in dial ...) NOT-FOR-US: Joomla extension CVE-2017-7625 (In Fiyo CMS 2.x through 2.0.7, attackers may upload a webshell via the ...) NOT-FOR-US: Fiyo CMS CVE-2017-7624 (The iw_read_bmp_file function in imagew-bmp.c in libimageworsener.a in ...) NOT-FOR-US: ImageWorsener CVE-2017-7623 (The iwmiffr_convert_row32 function in imagew-miff.c in libimageworsene ...) NOT-FOR-US: ImageWorsener CVE-2017-7622 (dde-daemon, the daemon process of DDE (Deepin Desktop Environment) 15. ...) NOT-FOR-US: dde-daemon CVE-2017-7621 (Cross Site Scripting Vulnerability in core-eMLi in AuroMeera Technomet ...) NOT-FOR-US: core-eMLi CVE-2017-7620 (MantisBT before 1.3.11, 2.x before 2.3.3, and 2.4.x before 2.4.1 omits ...) - mantis [wheezy] - mantis (Not supported in Wheezy LTS) NOTE: https://mantisbt.org/bugs/view.php?id=22909 NOTE: https://mantisbt.org/bugs/view.php?id=22702 CVE-2017-7618 (crypto/ahash.c in the Linux kernel through 4.10.9 allows attackers to ...) {DLA-922-1} - linux 4.9.25-1 [jessie] - linux 3.16.43-1 NOTE: http://marc.info/?l=linux-crypto-vger&m=149181655623850&w=2 CVE-2017-7616 (Incorrect error handling in the set_mempolicy and mbind compat syscall ...) 
{DLA-922-1} - linux 4.9.25-1 [jessie] - linux 3.16.43-1 NOTE: Fixed by: https://git.kernel.org/linus/cf01fb9985e8deb25ccf0ea54d916b8871ae0e62 (4.11-rc6) NOTE: https://grsecurity.net/the_infoleak_that_mostly_wasnt.php CVE-2017-7615 (MantisBT through 2.3.0 allows arbitrary password reset and unauthentic ...) - mantis [wheezy] - mantis (Unsupported in Wheezy LTS) NOTE: https://www.openwall.com/lists/oss-security/2017/04/16/2 CVE-2017-7614 (elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as ...) - binutils 2.28-4 (low; bug #859989) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/04/05/binutils-two-null-pointer-dereference-in-elflink-c/ NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=ad32986fdf9da1c8748e47b8b45100398223dba8 CVE-2017-7613 (elflint.c in elfutils 0.168 does not validate the number of sections a ...) {DLA-1689-1} - elfutils 0.168-1 (bug #859990) [wheezy] - elfutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21312 NOTE: https://blogs.gentoo.org/ago/2017/04/03/elfutils-memory-allocation-failure-in-xcalloc-xmalloc-c/ NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=4314716cd498bb51639db717bd7ce6182de33322 CVE-2017-7612 (The check_sysv_hash function in elflint.c in elfutils 0.168 allows rem ...) {DLA-1689-1} - elfutils 0.168-1 (bug #859991) [wheezy] - elfutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21311 NOTE: https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_sysv_hash-elflint-c/ NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=61fe61898747f63eb35a81c2261f3590a3dab8fd CVE-2017-7611 (The check_symtab_shndx function in elflint.c in elfutils 0.168 allows ...) 
{DLA-1689-1} - elfutils 0.168-1 (bug #859992) [wheezy] - elfutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21310 NOTE: https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_symtab_shndx-elflint-c/ NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=9a0d9d314a6342b56e3277bd7ad7ecb6e73a7d38 CVE-2017-7610 (The check_group function in elflint.c in elfutils 0.168 allows remote ...) {DLA-1689-1} - elfutils 0.168-1 (bug #859993) [wheezy] - elfutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21320 NOTE: https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-check_group-elflint-c/ NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=fb6709f1a41b58a9557ea45b7f53ae678c660b21 CVE-2017-7609 (elf_compress.c in elfutils 0.168 does not validate the zlib compressio ...) - elfutils 0.168-1 (bug #859994) [jessie] - elfutils (Vulnerable code not present) [wheezy] - elfutils (Vulnerable code not present) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21301 NOTE: https://blogs.gentoo.org/ago/2017/04/03/elfutils-memory-allocation-failure-in-__libelf_decompress-elf_compress-c/ CVE-2017-7608 (The ebl_object_note_type_name function in eblobjnotetypename.c in elfu ...) {DLA-1689-1} - elfutils 0.168-1 (bug #859995) [wheezy] - elfutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21300 NOTE: https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-ebl_object_note_type_name-eblobjnotetypename-c/ NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=b0b58c5e0b34e54194aa042f2310af58ee7de603 CVE-2017-7607 (The handle_gnu_hash function in readelf.c in elfutils 0.168 allows rem ...) 
- elfutils 0.168-1 (bug #859996) [jessie] - elfutils (vulnerable code not present) [wheezy] - elfutils (vulnerable code not present) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21299 NOTE: https://blogs.gentoo.org/ago/2017/04/03/elfutils-heap-based-buffer-overflow-in-handle_gnu_hash-readelf-c/ CVE-2017-7605 (aacplusenc.c in HE-AAC+ Codec (aka libaacplus) 2.0.2 has an assertion ...) NOT-FOR-US: libaacplus CVE-2017-7604 (au_channel.h in HE-AAC+ Codec (aka libaacplus) 2.0.2 has a left-shift ...) NOT-FOR-US: libaacplus CVE-2017-7603 (au_channel.h in HE-AAC+ Codec (aka libaacplus) 2.0.2 has a signed inte ...) NOT-FOR-US: libaacplus CVE-2017-7602 (LibTIFF 4.0.7 has a signed integer overflow, which might allow remote ...) {DSA-3844-1 DLA-911-1} - tiff 4.0.7-6 - tiff3 [wheezy] - tiff3 (vulnerable code not present) NOTE: https://github.com/vadz/libtiff/commit/66e7bd59520996740e4df5495a830b42fae48bc4 NOTE: https://blogs.gentoo.org/ago/2017/04/01/libtiff-multiple-ubsan-crashes CVE-2017-7601 (LibTIFF 4.0.7 has a "shift exponent too large for 64-bit type long" un ...) {DSA-3844-1 DLA-912-1 DLA-911-1} - tiff 4.0.7-6 - tiff3 NOTE: https://github.com/vadz/libtiff/commit/0a76a8c765c7b8327c59646284fa78c3c27e5490 NOTE: https://blogs.gentoo.org/ago/2017/04/01/libtiff-multiple-ubsan-crashes CVE-2017-7600 (LibTIFF 4.0.7 has an "outside the range of representable values of typ ...) {DSA-3844-1 DLA-912-1 DLA-911-1} - tiff 4.0.7-6 - tiff3 NOTE: https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490 NOTE: https://blogs.gentoo.org/ago/2017/04/01/libtiff-multiple-ubsan-crashes CVE-2017-7599 (LibTIFF 4.0.7 has an "outside the range of representable values of typ ...) 
{DSA-3844-1 DLA-912-1 DLA-911-1} - tiff 4.0.7-6 - tiff3 NOTE: https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490 NOTE: https://blogs.gentoo.org/ago/2017/04/01/libtiff-multiple-ubsan-crashes CVE-2017-7598 (tif_dirread.c in LibTIFF 4.0.7 might allow remote attackers to cause a ...) {DSA-3844-1 DLA-911-1} - tiff 4.0.7-6 (low) - tiff3 [wheezy] - tiff3 (vulnerable code not present) NOTE: https://github.com/vadz/libtiff/commit/3cfd62d77c2a7e147a05bd678524c345fa9c2bb8 NOTE: https://blogs.gentoo.org/ago/2017/04/01/libtiff-multiple-ubsan-crashes CVE-2017-7597 (tif_dirread.c in LibTIFF 4.0.7 has an "outside the range of representa ...) {DSA-3844-1 DLA-912-1 DLA-911-1} - tiff 4.0.7-6 - tiff3 NOTE: https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490 NOTE: https://blogs.gentoo.org/ago/2017/04/01/libtiff-multiple-ubsan-crashes CVE-2017-7596 (LibTIFF 4.0.7 has an "outside the range of representable values of typ ...) {DSA-3844-1 DLA-912-1 DLA-911-1} - tiff 4.0.7-6 - tiff3 NOTE: https://blogs.gentoo.org/ago/2017/04/01/libtiff-multiple-ubsan-crashes NOTE: https://github.com/vadz/libtiff/commit/3144e57770c1e4d26520d8abee750f8ac8b75490 CVE-2017-7595 (The JPEGSetupEncode function in tiff_jpeg.c in LibTIFF 4.0.7 allows re ...) {DSA-3844-1 DLA-912-1 DLA-911-1} - tiff 4.0.7-6 (low; bug #860003) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2653 NOTE: https://blogs.gentoo.org/ago/2017/04/01/libtiff-divide-by-zero-in-jpegsetupencode-tiff_jpeg-c NOTE: https://github.com/vadz/libtiff/commit/47f2fb61a3a64667bce1a8398a8fcb1b348ff122 CVE-2017-7594 (The OJPEGReadHeaderInfoSecTablesDcTable function in tif_ojpeg.c in Lib ...) 
{DSA-3844-1 DLA-912-1 DLA-911-1} - tiff 4.0.7-6 (low; bug #860001) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2659 NOTE: https://github.com/vadz/libtiff/commit/2ea32f7372b65c24b2816f11c04bf59b5090d05b NOTE: https://github.com/vadz/libtiff/commit/8283e4d1b7e53340684d12932880cbcbaf23a8c1 CVE-2017-7593 (tif_read.c in LibTIFF 4.0.7 does not ensure that tif_rawdata is proper ...) {DSA-3844-1 DLA-912-1 DLA-911-1} - tiff 4.0.7-6 (bug #860000) - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2651 NOTE: https://github.com/vadz/libtiff/commit/d60332057b9575ada4f264489582b13e30137be1 CVE-2017-7592 (The putagreytile function in tif_getimage.c in LibTIFF 4.0.7 has a lef ...) {DSA-3844-1 DLA-911-1} - tiff 4.0.7-6 (bug #859998) - tiff3 [wheezy] - tiff3 (vulnerable code not present) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2658 NOTE: https://github.com/vadz/libtiff/commit/48780b4fcc425cddc4ef8ffdf536f96a0d1b313b CVE-2017-7617 (Remote code execution can occur in Asterisk Open Source 13.x before 13 ...) - asterisk 1:13.14.1~dfsg-1 (bug #859910) [jessie] - asterisk (Vulnerable code not present) [wheezy] - asterisk (Vulnerable code not present) NOTE: http://downloads.asterisk.org/pub/security/AST-2017-001.html CVE-2017-7619 (In ImageMagick 7.0.4-9, an infinite loop can occur because of a floati ...) {DSA-3863-1 DLA-902-1} - imagemagick 8:6.9.7.4+dfsg-4 (bug #859769) NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31506 NOTE: Fixed by: http://git.imagemagick.org/repos/ImageMagick/commit/63757068c803f692bd70304b06ce3406e0b67c7f CVE-2017-7606 (coders/rle.c in ImageMagick 7.0.5-4 has an "outside the range of repre ...) {DSA-3863-1 DLA-902-1} - imagemagick 8:6.9.7.4+dfsg-4 (bug #859771) NOTE: https://github.com/ImageMagick/ImageMagick/issues/415 NOTE: https://blogs.gentoo.org/ago/2017/04/02/imagemagick-undefined-behavior-in-codersrle-c/ CVE-2017-7591 (OpenIDM through 4.0.0 and 4.5.0 is vulnerable to reflected cross-site ...) 
NOT-FOR-US: ForgeRock OpenIDM CVE-2017-7590 (OpenIDM through 4.0.0 and 4.5.0 is vulnerable to persistent cross-site ...) NOT-FOR-US: ForgeRock OpenIDM CVE-2017-7589 (In OpenIDM through 4.0.0 before 4.5.0, the info endpoint may leak sens ...) NOT-FOR-US: ForgeRock OpenIDM CVE-2017-7588 (On certain Brother devices, authorization is mishandled by including a ...) NOT-FOR-US: Brother devices CVE-2017-7587 RESERVED CVE-2017-7586 (In libsndfile before 1.0.28, an error in the "header_read()" function ...) {DLA-928-1} - libsndfile 1.0.27-2 [jessie] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/commit/708e996c87c5fae77b104ccfeb8f6db784c32074 NOTE: https://github.com/erikd/libsndfile/commit/f457b7b5ecfe91697ed01cfc825772c4d8de1236 NOTE: 1.0.27-2 in unstable contains fix_bufferoverflows.patch meant to address this issue NOTE: https://sources.debian.org/data/main/libs/libsndfile/1.0.27-2/debian/patches/fix_bufferoverflows.patch CVE-2017-7585 (In libsndfile before 1.0.28, an error in the "flac_buffer_copy()" func ...) {DLA-928-1} - libsndfile 1.0.27-2 [jessie] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/commit/60b234301adf258786d8b90be5c1d437fc8799e0 NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-4/ NOTE: 1.0.27-2 in unstable contains fix_bufferoverflows.patch meant to address this issue NOTE: https://sources.debian.org/data/main/libs/libsndfile/1.0.27-2/debian/patches/fix_bufferoverflows.patch CVE-2017-7584 (Memory Corruption Vulnerability in Foxit PDF Toolkit before 2.1 allows ...) NOT-FOR-US: Foxit PDF Toolkit CVE-2017-7583 (ILIAS before 5.2.3 has XSS via SVG documents. ...) NOT-FOR-US: ILIAS CVE-2017-7582 RESERVED CVE-2017-7581 (SQL injection vulnerability in NewsController.php in the News module 5 ...) NOT-FOR-US: News module for TYPO3 CVE-2017-7580 RESERVED CVE-2017-7579 (inc/PMF/Faq.php in phpMyFAQ before 2.9.7 has XSS in the question field ...) 
NOT-FOR-US: phpMyFAQ CVE-2017-7577 (XiongMai uc-httpd has directory traversal allowing the reading of arbi ...) NOT-FOR-US: XiongMai uc-httpd CVE-2017-7576 (DragonWave Horizon 1.01.03 wireless radios have hardcoded login creden ...) NOT-FOR-US: DragonWave Horizon CVE-2017-7575 (Schneider Electric Modicon TM221CE16R 1.3.3.3 devices allow remote att ...) NOT-FOR-US: Schneider CVE-2017-7574 (Schneider Electric SoMachine Basic 1.4 SP1 and Schneider Electric Modi ...) NOT-FOR-US: Schneider CVE-2017-7573 RESERVED CVE-2017-7572 (The _checkPolkitPrivilege function in serviceHelper.py in Back In Time ...) - backintime 1.1.12-2 (bug #859815) [jessie] - backintime (Minor issue) [wheezy] - backintime (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2017/04/07/2 NOTE: https://github.com/bit-team/backintime/commit/7f208dc547f569b689c888103e3b593a48cd1869 CVE-2017-7571 (public/rolechangeadmin in Faveo 1.9.3 allows CSRF. The impact is obtai ...) NOT-FOR-US: Faveo CVE-2017-7570 (PivotX 2.3.11 allows remote authenticated Advanced users to execute ar ...) NOT-FOR-US: PivotX CVE-2017-7569 (In vBulletin before 5.3.0, remote attackers can bypass the CVE-2016-64 ...) NOT-FOR-US: vBulletin CVE-2017-7568 (NetApp OnCommand Unified Manager for 7-Mode (core package) versions pr ...) NOT-FOR-US: NetApp CVE-2017-7567 RESERVED CVE-2017-7566 (MyBB before 1.8.11 allows remote attackers to bypass an SSRF protectio ...) NOT-FOR-US: MyBB CVE-2017-7565 (Splunk Hadoop Connect App has a path traversal vulnerability that allo ...) NOT-FOR-US: Splunk Hadoop Connect App CVE-2017-7564 (In ARM Trusted Firmware through 1.3, the secure self-hosted invasive d ...) NOT-FOR-US: ARM CVE-2017-7563 (In ARM Trusted Firmware 1.3, RO memory is always executable at AArch64 ...) NOT-FOR-US: ARM CVE-2017-7578 (Multiple heap-based buffer overflows in parser.c in libming 0.4.7 allo ...) 
{DLA-890-1} - ming NOTE: https://www.openwall.com/lists/oss-security/2017/04/07/1 NOTE: https://github.com/libming/libming/issues/68 CVE-2017-7562 (An authentication bypass flaw was found in the way krb5's certauth int ...) - krb5 (Vulnerable code introduced later, cf. #873281) NOTE: https://github.com/krb5/krb5/pull/694 NOTE: https://github.com/krb5/krb5/pull/694/commits/50fe4074f188c2d4da0c421e96553acea8378db2 NOTE: https://github.com/krb5/krb5/pull/694/commits/1de6ca2f2eb1fdbab51f1549a25a6903aefcc196 NOTE: https://github.com/krb5/krb5/pull/694/commits/b7af544e50a4d8291524f590e20dd44430bf627d CVE-2017-7561 (Red Hat JBoss EAP version 3.0.7 through before 4.0.0.Beta1 is vulnerab ...) - resteasy 3.6.2-1 (bug #873392) [jessie] - resteasy (CORS Filter added in 3.0.7.Final) - resteasy3.0 3.0.26-1 (bug #908836) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1483823 NOTE: https://issues.jboss.org/projects/RESTEASY/issues/RESTEASY-1704 NOTE: Fixed by: https://github.com/resteasy/Resteasy/commit/517db971d8f7094124416bf72091fd0b45a13028 NOTE: Fixed in 4.0.0.Beta1, 3.0.25.Final, 3.5.0.CR1 CVE-2017-7560 (It was found that rhnsd PID files are created as world-writable that a ...) - rhnsd (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1480550 NOTE: Introduced by: https://github.com/spacewalkproject/spacewalk/commit/75d9c00b96ab430221c5c7668baebebc74ddd67e CVE-2017-7559 (In Undertow 2.x before 2.0.0.Alpha2, 1.4.x before 1.4.17.Final, and 1. ...) - undertow 1.4.23-1 (bug #885576) NOTE: CVE is for an incomplete fix of CVE-2017-2666 NOTE: Invalid characters were still allowed in the query string and path parameters. 
NOTE: https://issues.jboss.org/browse/UNDERTOW-1165 NOTE: https://issues.jboss.org/browse/UNDERTOW-1295 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1481665#c7 NOTE: Fixed by https://github.com/undertow-io/undertow/commit/3436b03eda8b0b62c1855698c4d7c358add836c2 CVE-2017-7558 (A kernel data leak due to an out-of-bound read was found in the Linux ...) - linux 4.12.13-1 [stretch] - linux 4.9.30-2+deb9u5 [jessie] - linux (Vulnerable code introduced later 4.7 and not backported) [wheezy] - linux (Vulnerable code introduced later 4.7 and not backported) CVE-2017-7557 (dnsdist version 1.1.0 is vulnerable to a flaw in authentication mechan ...) - dnsdist 1.2.0-1 (low; bug #872854) [stretch] - dnsdist 1.1.0-2+deb9u1 NOTE: https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2017-02.html NOTE: https://downloads.powerdns.com/patches/2017-02 CVE-2017-7556 (Hawtio versions up to and including 1.5.3 are vulnerable to CSRF vulne ...) NOT-FOR-US: hawtio CVE-2017-7555 (Augeas versions up to and including 1.8.0 are vulnerable to heap-based ...) {DSA-3949-1 DLA-1067-1} - augeas 1.8.1-1 (bug #872400) NOTE: https://github.com/hercules-team/augeas/pull/480 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1478373 CVE-2017-7554 (It was found that the App Studio component of RHMAP 4.4 executes javas ...) NOT-FOR-US: Red Hat Mobile Application Platform CVE-2017-7553 (The external_request api call in App Studio (millicore) allows server ...) NOT-FOR-US: Red Hat Mobile Application Platform CVE-2017-7552 (A flaw was discovered in the file editor of millicore, affecting versi ...) NOT-FOR-US: Red Hat Mobile Application Platform CVE-2017-7551 (389-ds-base version before 1.3.5.19 and 1.3.6.7 are vulnerable to pass ...) 
- 389-ds-base 1.3.6.7-1 (bug #870752) [stretch] - 389-ds-base (Minor issue) [jessie] - 389-ds-base (vulnerable code not present) NOTE: https://pagure.io/389-ds-base/issue/49336 CVE-2017-7550 (A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x bef ...) - ansible 2.4.2.0+dfsg-1 (unimportant) NOTE: https://github.com/ansible/ansible/issues/30874 NOTE: https://github.com/ansible/ansible/pull/30875 NOTE: Just an insecure example CVE-2017-7549 (A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat Op ...) NOT-FOR-US: instack-undercloud CVE-2017-7548 (PostgreSQL versions before 9.4.13, 9.5.8 and 9.6.4 are vulnerable to a ...) {DSA-3936-1 DSA-3935-1} - postgresql-9.6 9.6.4-1 - postgresql-9.4 - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) [wheezy] - postgresql-9.1 (Vulnerable code not present) - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl) NOTE: https://www.postgresql.org/about/news/1772/ CVE-2017-7547 (PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are ...) {DSA-3936-1 DSA-3935-1 DLA-1051-1} - postgresql-9.6 9.6.4-1 - postgresql-9.4 - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl) NOTE: https://www.postgresql.org/about/news/1772/ CVE-2017-7546 (PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are ...) {DSA-3936-1 DSA-3935-1 DLA-1051-1} - postgresql-9.6 9.6.4-1 - postgresql-9.4 - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) - postgresql-8.4 [wheezy] - postgresql-8.4 (postgresql-8.4 in wheezy only provides PL/Perl) NOTE: https://www.postgresql.org/about/news/1772/ CVE-2017-7545 (It was discovered that the XmlUtils class in jbpmmigration 6.5 perform ...) 
NOT-FOR-US: jbpm-designer / jBPM CVE-2017-7544 (libexif through 0.6.21 is vulnerable to out-of-bounds heap read vulner ...) {DLA-2214-1} - libexif 0.6.21-2.1 (bug #876466) [stretch] - libexif 0.6.21-2+deb9u2 [wheezy] - libexif (Minor issue) NOTE: https://sourceforge.net/p/libexif/bugs/130/ CVE-2017-7543 (A race-condition flaw was discovered in openstack-neutron before 7.2.0 ...) - neutron (Specific to Red Hat packaging) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1473792 CVE-2017-7542 (The ip6_find_1stfragopt function in net/ipv6/output_core.c in the Linu ...) {DSA-3945-1 DSA-3927-1 DLA-1099-1} - linux 4.12.6-1 NOTE: Fixed by: https://git.kernel.org/linus/6399f1fae4ec29fab5ec76070435555e256ca3a6 CVE-2017-7541 (The brcmf_cfg80211_mgmt_tx function in drivers/net/wireless/broadcom/b ...) {DSA-3945-1 DSA-3927-1} - linux 4.12.6-1 [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/8f44c9a41386729fea410e688959ddaa9d51be7c CVE-2017-7540 (rubygem-safemode, as used in Foreman, versions 1.3.2 and earlier are v ...) NOT-FOR-US: Safemode ruby gem CVE-2017-7539 (An assertion-failure flaw was found in Qemu before 2.10.1, in the Netw ...) - qemu (Vulnerable code introduced in v2.9.0-rc0) - qemu-kvm (Vulnerable code introduced in v2.9.0-rc0) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=2b0bbc4f8809c972bad134bc1a2570dbb01dea0b NOTE: Introduced by: http://git.qemu.org/?p=qemu.git;a=commitdiff;h=ff82911cd3f69f028f2537825c9720ff78bc3f19 CVE-2017-7538 (A cross-site scripting (XSS) flaw was found in how an organization nam ...) NOT-FOR-US: Red Hat Satellite CVE-2017-7537 (It was found that a mock CMC authentication plugin with a hardcoded se ...) - dogtag-pki 10.3.5+12-5 (bug #869261) NOTE: https://github.com/dogtagpki/pki/commit/876d13c6d20e7e1235b9 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470817 CVE-2017-7536 (In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it ...) 
- libhibernate-validator-java 4.3.3-4 (bug #885577) [stretch] - libhibernate-validator-java 4.3.3-1+deb9u1 [jessie] - libhibernate-validator-java (Vulnerable code introduced in 4.3) [wheezy] - libhibernate-validator-java (Vulnerable code introduced in 4.3) NOTE: https://github.com/hibernate/hibernate-validator/commit/0ed45f37c4680998167179e631113a2c9cb5d113 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1465573 CVE-2017-7535 (foreman before version 1.16.0 is vulnerable to a stored XSS in organiz ...) - foreman (bug #663101) CVE-2017-7534 (OpenShift Enterprise version 3.x is vulnerable to a stored XSS via the ...) NOT-FOR-US: OpenShift CVE-2017-7533 (Race condition in the fsnotify implementation in the Linux kernel thro ...) {DSA-3945-1 DSA-3927-1} - linux 4.12.6-1 [wheezy] - linux (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2017/08/03/2 NOTE: Fixed by: https://git.kernel.org/linus/49d31c2f389acfe83417083e1208422b4091cd9 (v4.13-rc1) CVE-2017-7532 (In Moodle 3.x, course creators are able to change system default setti ...) - moodle NOTE: https://moodle.org/mod/forum/discuss.php?d=355556 CVE-2017-7531 (In Moodle 3.3, the course overview block reveals activities in hidden ...) - moodle (Only affects 3.3) NOTE: https://moodle.org/mod/forum/discuss.php?d=355555 CVE-2017-7530 (In CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5 ...) NOT-FOR-US: Red Hat CloudForms Management Engine CVE-2017-7529 (Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable t ...) {DSA-3908-1 DLA-1024-1} - nginx 1.13.3-1 (bug #868109) NOTE: http://mailman.nginx.org/pipermail/nginx-announce/2017/000200.html NOTE: Fixed in 1.13.3, 1.12.1. CVE-2017-7528 (Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 i ...) NOT-FOR-US: Ansible Tower CVE-2017-7527 RESERVED CVE-2017-7526 (libgcrypt before version 1.7.8 is vulnerable to a cache side-channel a ...) 
{DSA-3960-1 DSA-3901-1 DLA-1080-1 DLA-1015-1} - libgcrypt20 1.7.8-1 - libgcrypt11 - gnupg2 (Uses system libgcrypt) - gnupg1 1.4.22-1 [stretch] - gnupg1 (Only affects the legacy packages) - gnupg NOTE: https://eprint.iacr.org/2017/627 NOTE: Fixes for RSA exponent blinding fixes (A): NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=a9f612def801c8145d551d995475e5d51a4c988c NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=aff5fd0f2650e24cf99efcd7b499627ea48782c3 NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=312101e1f266314b4391fcdbe11c03de5c147e38 NOTE: Fixes for mpi_powm itself (B): NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=0e6788517eac6f508fa32ec5d5c1cada7fb980bc NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=fbd10abc057453789017f11c7f1fc8e6c61b79a3 NOTE: For the particular attack to RSA, either (A) or (B) is enough. In NOTE: general cases, (A) plus (B) is needed. NOTE: For GnuPG: https://lists.gnupg.org/pipermail/gnupg-users/2017-July/058598.html NOTE: GnuPG: https://dev.gnupg.org/rC8725c99ffa41778f382ca97233183bcd687bb0ce NOTE: GnuPG1: https://dev.gnupg.org/D438 CVE-2017-7525 (A deserialization flaw was discovered in the jackson-databind, version ...) {DSA-4004-1 DLA-2342-1 DLA-2091-1} - jackson-databind 2.9.1-1 (bug #870848) - libjackson-json-java 1.9.13-2 NOTE: https://github.com/FasterXML/jackson-databind/issues/1599 NOTE: For libjackson-json-java: NOTE: https://github.com/FasterXML/jackson-1/commit/9ac68db819bce7b9546bc4bf1c44f82ca910fa31 CVE-2017-7524 (tpm2-tools versions before 1.1.1 are vulnerable to a password leak due ...) - tpm2-tools 2.1.0-1 (bug #866257) NOTE: https://github.com/01org/tpm2.0-tools/commit/c5d72beaab1cbbbe68271f4bc4b6670d69985157 CVE-2017-7523 (Cygwin versions 1.7.2 up to and including 1.8.0 are vulnerable to buff ...) 
NOT-FOR-US: Cygwin CVE-2017-7522 (OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to deni ...) - openvpn 2.4.3-1 (unimportant) [jessie] - openvpn (x509-track implemented in 2.4.0) [wheezy] - openvpn (x509-track implemented in 2.4.0) NOTE: Fixed by: https://github.com/OpenVPN/openvpn/commit/426392940c NOTE: https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243 NOTE: https://www.openwall.com/lists/oss-security/2017/06/21/6 NOTE: In Debian openvpn is compiled against OpenSSL, thus even affected NOTE: code present. CVE-2017-7521 (OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remo ...) {DSA-3900-1} - openvpn 2.4.3-1 (bug #865480) [wheezy] - openvpn (Vulnerable code not present) NOTE: Fixed by (master): https://github.com/OpenVPN/openvpn/commit/2d032c7fcdfd692c851ea2fa858b4c2d9ea7d52d NOTE: Fixed by (master): https://github.com/OpenVPN/openvpn/commit/cb4e35ece4a5b70b10ef9013be3bff263d82f32b NOTE: Fixed by (2.4.x): https://github.com/OpenVPN/openvpn/commit/2341f716198fa90193e040b3fdb16959a47c6c27 NOTE: Fixed by (2.4.x): https://github.com/OpenVPN/openvpn/commit/040084067119dd5a9e15eb3bcfc0079debaa3777 NOTE: Fixed by (2.3.x): https://github.com/OpenVPN/openvpn/commit/84e1775961de1c9d2ab32159fc03f758591f5238 NOTE: Fixed by (2.3.x): https://github.com/OpenVPN/openvpn/commit/1dde0cd6e5e6a0f2f45ec9969b7ff1b6537514ad NOTE: https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243 NOTE: https://www.openwall.com/lists/oss-security/2017/06/21/6 CVE-2017-7520 (OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to deni ...) 
{DSA-3900-1 DLA-999-1} - openvpn 2.4.3-1 (bug #865480) NOTE: Fixed by (master): https://github.com/OpenVPN/openvpn/commit/7718c8984f04b507c1885f363970e2124e3c6c77 NOTE: Fixed by (2.4.x): https://github.com/OpenVPN/openvpn/commit/043fe327878eba75efa13794c9845f85c3c629f2 NOTE: Fixed by (2.3.x): https://github.com/OpenVPN/openvpn/commit/f38a4a105979b87ebebe9be1c3d323116d3fb924 NOTE: https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243 NOTE: https://www.openwall.com/lists/oss-security/2017/06/21/6 CVE-2017-7519 (In Ceph, a format string flaw was found in the way libradosstriper par ...) {DSA-4339-1} - ceph 12.2.8+dfsg1-1 (bug #864535) [jessie] - ceph (Vulnerable code not present) NOTE: http://tracker.ceph.com/issues/20240 CVE-2017-7518 (A flaw was found in the Linux kernel before version 4.12 in the way th ...) {DSA-3981-1} - linux 4.11.11-1 [wheezy] - linux (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2017/06/23/5 NOTE: https://www.spinics.net/lists/kvm/msg151817.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1464473 NOTE: Fixed by: https://git.kernel.org/linus/c8401dda2f0a00cd25c0af6a95ed50e478d25de4 CVE-2017-7517 RESERVED NOT-FOR-US: OpenShift CVE-2017-7516 REJECTED CVE-2017-7515 (poppler through version 0.55.0 is vulnerable to an uncontrolled recurs ...) - poppler 0.57.0-2 (unimportant) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101208 NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=771c82623e8e1e0c92b8ca6f7c2b8a81ccbb60d3 NOTE: Crash in CLI tool, no security implications CVE-2017-7514 (A cross-site scripting (XSS) flaw was found in how the failed action e ...) NOT-FOR-US: Red Hat Satellite CVE-2017-7513 (It was found that Satellite 5 configured with SSL/TLS for the PostgreS ...) NOT-FOR-US: Red Hat Satellite CVE-2017-7512 (Red Hat 3scale (aka RH-3scale) API Management Platform (AMP) before 2. ...) 
NOT-FOR-US: Red Hat 3scale CVE-2017-7511 (poppler since version 0.17.3 has been vulnerable to NULL pointer deref ...) - poppler 0.57.0-2 (unimportant; bug #863759) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101149 NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101153 NOTE: Fixed by: https://cgit.freedesktop.org/poppler/poppler/commit/?id=5c9b08a875b07853be6c44e43ff5f7f059df666a NOTE: Crash in CLI tool, no security implications CVE-2017-7510 (In ovirt-engine 4.1, if a host was provisioned with cloud-init, the ro ...) NOT-FOR-US: ovirt-engine CVE-2017-7509 (An input validation error was found in Red Hat Certificate System's ha ...) NOT-FOR-US: Red Hat Certificate System CVE-2017-7508 (OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remo ...) {DSA-3900-1} - openvpn 2.4.3-1 (bug #865480) [wheezy] - openvpn (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2017/06/21/6 NOTE: https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243 NOTE: Fixed by (master): https://github.com/OpenVPN/openvpn/commit/c3f47077a7756de5929094569421a95aa66f2022 NOTE: Fixed by (2.4.x): https://github.com/OpenVPN/openvpn/commit/ed28cde3d8bf3f1459b2f42f0e27d64801009f92 NOTE: Fixed by (2.3.x): https://github.com/OpenVPN/openvpn/commit/fc61d1bda112ffc669dbde961fab19f60b3c7439 CVE-2017-7507 (GnuTLS version 3.5.12 and earlier is vulnerable to a NULL pointer dere ...) {DSA-3884-1} [experimental] - gnutls28 3.5.13-1 - gnutls28 3.5.8-6 (bug #864560) - gnutls26 [wheezy] - gnutls26 (Vulnerable code not present) NOTE: https://gnutls.org/security.html#GNUTLS-SA-2017-4 NOTE: https://gitlab.com/gnutls/gnutls/commit/4c4d35264fada08b6536425c051fb8e0b05ee86b NOTE: https://gitlab.com/gnutls/gnutls/commit/3efb6c5fd0e3822ec11879d5bcbea0e8d322cd03 NOTE: https://gitlab.com/gnutls/gnutls/commit/e1d6c59a7b0392fb3b8b75035614084a53e2c8c9 CVE-2017-7506 (spice versions though 0.13 are vulnerable to out-of-bounds memory acce ...) 
{DSA-3907-1} - spice 0.12.8-2.2 (bug #868083) [wheezy] - spice (Vulnerable code not introduced later) CVE-2017-7505 (Foreman since version 1.5 is vulnerable to an incorrect authorization ...) - foreman (bug #663101) CVE-2017-7504 (HTTPServerILServlet.java in JMS over HTTP Invocation Layer of the Jbos ...) NOT-FOR-US: Red Hat JBoss CVE-2017-7503 (It was found that the Red Hat JBoss EAP 7.0.5 implementation of javax. ...) NOT-FOR-US: Red Hat JBoss EAP implementation of javax.xml.transform.TransformerFactory CVE-2017-7502 (Null pointer dereference vulnerability in NSS since 3.24.0 was found w ...) {DSA-3872-1 DLA-971-1} [experimental] - nss 2:3.29-1 - nss 2:3.26.2-1.1 (bug #863839) NOTE: https://hg.mozilla.org/projects/nss/rev/55ea60effd0d CVE-2017-7501 (It was found that versions of rpm before 4.13.0.2 use temporary files ...) - rpm (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1452133 NOTE: Not supported for installations in Debian (and an unprivileged attacker would not have permissions for systems directories anyway) CVE-2017-7500 (It was found that rpm did not properly handle RPM installations when a ...) - rpm (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1450369 NOTE: Not supported for installations in Debian (and an unprivileged attacker would not have permissions for systems directories anyway) CVE-2017-7499 REJECTED CVE-2017-7498 REJECTED CVE-2017-7497 (The dialog for creating cloud volumes (cinder provider) in CloudForms ...) NOT-FOR-US: Red Hat CloudForms Management Engine CVE-2017-7496 (fedora-arm-installer up to and including 1.99.16 is vulnerable to loca ...) NOT-FOR-US: fedora-arm-installer CVE-2017-7495 (fs/ext4/inode.c in the Linux kernel before 4.6.2, when ext4 data=order ...) 
- linux 4.6.2-1 [jessie] - linux 3.16.39-1 [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/06bd3c36a733ac27962fea7d6f47168841376824 CVE-2017-7494 (Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulne ...) {DSA-3860-1 DLA-951-1} - samba 2:4.5.8+dfsg-2 NOTE: https://www.samba.org/samba/security/CVE-2017-7494.html CVE-2017-7493 (Quick Emulator (Qemu) built with the VirtFS, host directory sharing vi ...) {DLA-1497-1 DLA-1035-1 DLA-965-1} - qemu 1:2.8+dfsg-6 - qemu-kvm NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1451709 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-05/msg03663.html CVE-2017-7492 REJECTED CVE-2017-7491 (In Moodle 2.x and 3.x, a CSRF attack is possible that allows attackers ...) - moodle NOTE: https://moodle.org/mod/forum/discuss.php?d=352355 CVE-2017-7490 (In Moodle 2.x and 3.x, searching of arbitrary blogs is possible becaus ...) - moodle NOTE: https://moodle.org/mod/forum/discuss.php?d=352354 CVE-2017-7489 (In Moodle 2.x and 3.x, remote authenticated users can take ownership o ...) - moodle NOTE: https://moodle.org/mod/forum/discuss.php?d=352353 CVE-2017-7488 (Authconfig version 6.2.8 is vulnerable to an Information exposure whil ...) NOT-FOR-US: authconfig in Red Hat CVE-2017-7487 (The ipxitf_ioctl function in net/ipx/af_ipx.c in the Linux kernel thro ...) {DSA-3886-1 DLA-993-1} - linux 4.9.30-1 NOTE: Fixed by: https://git.kernel.org/linus/ee0d8d8482345ff97a75a7d747efc309f13b0d80 CVE-2017-7486 (PostgreSQL versions 8.4 - 9.6 are vulnerable to information leak in pg ...) 
{DSA-3851-1 DLA-1051-1} - postgresql-9.6 9.6.3-1 - postgresql-9.4 - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) - postgresql-8.4 (feature not present in 8.x) NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=c928addfccd7f9905472dddd94e9cd10bc3f6808 CVE-2017-7485 (In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9 ...) {DSA-3851-1} - postgresql-9.6 9.6.3-1 - postgresql-9.4 - postgresql-9.1 (bug introduced in 9.3) - postgresql-8.4 (bug introduced in 9.3) NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=aafbd1df969135c185947c596c46608fc9f4a67c CVE-2017-7484 (It was found that some selectivity estimation functions in PostgreSQL ...) {DSA-3851-1} - postgresql-9.6 9.6.3-1 - postgresql-9.4 - postgresql-9.1 [jessie] - postgresql-9.1 (postgresql-9.1 in jessie only provides PL/Perl) [wheezy] - postgresql-9.1 (Vulnerable code does not exist) - postgresql-8.4 [wheezy] - postgresql-8.4 (Vulnerable code does not exist) NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=c33c42362256382ed398df9dcda559cd547c68a7 NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cad15943225adbcadea51602b38b04d71d1183d2 NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=935e77d527a018b652f247c7374c558871210db6 CVE-2017-7483 (Rxvt 2.7.10 is vulnerable to a denial of service attack by passing the ...) - rxvt 1:2.7.10-7.1 (low; bug #861694) [stretch] - rxvt (Minor issue) [jessie] - rxvt (Minor issue) [wheezy] - rxvt (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/05/01/15 CVE-2017-7482 (In the Linux kernel before version 4.12, Kerberos 5 tickets decoded wh ...) {DSA-3945-1 DSA-3927-1 DLA-1099-1} - linux 4.11.11-1 NOTE: Fixed by: https://git.kernel.org/linus/5f2f97656ada8d811d3c1bef503ced266fcd53a0 CVE-2017-7481 (Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark loo ...) 
{DLA-2535-1} - ansible 2.3.1.0+dfsg-1 (bug #862666) [jessie] - ansible (vulnerable code introduced in version 2.x) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1450018 NOTE: Fixed by: https://github.com/ansible/ansible/commit/ed56f51f185a1ffd7ea57130d260098686fcc7c2 CVE-2017-7480 (rkhunter versions before 1.4.4 are vulnerable to file download over in ...) {DLA-1039-1} - rkhunter 1.4.4-1 (bug #866677) [stretch] - rkhunter 1.4.2-6+deb9u1 [jessie] - rkhunter 1.4.2-0.4+deb8u1 NOTE: https://www.openwall.com/lists/oss-security/2017/06/29/2 NOTE: http://rkhunter.cvs.sourceforge.net/viewvc/rkhunter/rkhunter/files/rkhunter?r1=1.549&r2=1.550&view=patch CVE-2017-7479 (OpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to reac ...) {DLA-944-1} - openvpn 2.4.0-5 (low) [jessie] - openvpn 2.3.4-5+deb8u2 NOTE: https://github.com/OpenVPN/openvpn/commit/e498cb0ea8d3a451b39eaf6f9b6a7488f18250b8 (master) NOTE: https://github.com/OpenVPN/openvpn/commit/591a4e574c43cb9e820950f15dcaabda261def78 (2.4.x) NOTE: https://github.com/OpenVPN/openvpn/commit/b727643cdf4e078f132a90e1c474a879a5760578 (2.3.x) NOTE: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14643.html (3 patches for 2.2.x) NOTE: https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits CVE-2017-7478 (OpenVPN version 2.3.12 and newer is vulnerable to unauthenticated Deni ...) 
- openvpn 2.4.0-5 [jessie] - openvpn (Vulnerable code introduced later) [wheezy] - openvpn (Vulnerable code introduced later) NOTE: https://github.com/OpenVPN/openvpn/commit/5774cf4c25e1d8bf4e544702db8f157f111c9d93 (master) NOTE: https://github.com/OpenVPN/openvpn/commit/66b99a0753352c5cc43e11e39835b6423112df98 (2.4.x) NOTE: https://github.com/OpenVPN/openvpn/commit/feb35ee5cac605edddd6e9dc62941e2c53f96fb3 (2.3.x) NOTE: Introduced in: https://github.com/OpenVPN/openvpn/commit/3c1b19e04745177185decd14da82c71458442b82 (2.4.0) NOTE: Introduced in (backported to 2.3.12): https://github.com/OpenVPN/openvpn/commit/358f513c008bf01fadb82759ac75ffb8613fc785 NOTE: https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits CVE-2017-7477 (Heap-based buffer overflow in drivers/net/macsec.c in the MACsec modul ...) - linux 4.9.25-1 [jessie] - linux (Introduced in 4.6) [wheezy] - linux (Introduced in 4.6) NOTE: https://www.openwall.com/lists/oss-security/2017/04/25/4 NOTE: Fixed by: https://git.kernel.org/linus/4d6fa57b4dab0d77f4d8e9d9c73d1e63f6fe8fee NOTE: Fixed by: https://git.kernel.org/linus/5294b83086cc1c35b4efeca03644cf9d12282e5b CVE-2017-7476 (Gnulib before 2017-04-26 has a heap-based buffer overflow with the TZ ...) - gnulib (Vulnerable code introduced later) NOTE: Fixed by: http://git.savannah.gnu.org/gitweb/?p=gnulib.git;a=commitdiff;h=94e01571 NOTE: Introduced with 4bc76593 and 4e6e16b3f. CVE-2017-7475 (Cairo version 1.15.4 is vulnerable to a NULL pointer dereference relat ...) - cairo (low; bug #870264) [bullseye] - cairo (Minor issue) [buster] - cairo (Minor issue) [stretch] - cairo (Minor issue) [jessie] - cairo (Minor issue) [wheezy] - cairo (Minor issue) NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=100763 NOTE: https://gitlab.freedesktop.org/cairo/cairo/issues/80 CVE-2017-7474 (It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handl ...) 
NOT-FOR-US: Keycloak CVE-2017-7473 REJECTED CVE-2017-7472 (The KEYS subsystem in the Linux kernel before 4.10.13 allows local use ...) {DLA-922-1} - linux 4.9.25-1 [jessie] - linux 3.16.43-1 NOTE: https://lkml.org/lkml/2017/4/1/235 NOTE: https://lkml.org/lkml/2017/4/3/724 CVE-2017-7471 (Quick Emulator (Qemu) built with the VirtFS, host directory sharing vi ...) {DLA-1035-1} - qemu 1:2.8+dfsg-5 (bug #860785) [jessie] - qemu (Vulnerable code introduced with fix for CVE-2016-9602) [wheezy] - qemu (Vulnerable code introduced with fix for CVE-2016-9602) - qemu-kvm (Vulnerable code introduced with fix for CVE-2016-9602) NOTE: Fixed by: http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=9c6b899f7a46893ab3b671e341a2234e9c0c060e NOTE: Fixed by (stable-2.8): http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=96bae145e27d4df62671b4eebd6c735f412016cf (v2.8.1.1) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1443401 NOTE: Introduced by: http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=acf22d2264a131ad2695b5a18746dabf0cc8b843 NOTE: which is part of the fix for CVE-2016-9602. CVE-2017-7470 (It was found that spacewalk-channel can be used by a non-admin user or ...) NOT-FOR-US: Red Hat / spacewalk-backend CVE-2017-7469 REJECTED CVE-2017-7468 (In curl and libcurl 7.52.0 to and including 7.53.1, libcurl would atte ...) - curl 7.52.1-5 [jessie] - curl (Only affects 7.52 and later) [wheezy] - curl (Only affects 7.52 and later) NOTE: https://curl.haxx.se/docs/adv_20170419.html CVE-2017-7467 (A buffer overflow flaw was found in the way minicom before version 2.7 ...) {DLA-914-1} - minicom 2.7-1.1 (bug #860940) [jessie] - minicom 2.7-1+deb8u1 NOTE: https://www.openwall.com/lists/oss-security/2017/04/18/5 CVE-2017-7466 (Ansible before version 2.3 has an input validation vulnerability in th ...) 
- ansible 2.2.1.0-2 [jessie] - ansible (Vulnerable code not present) NOTE: https://github.com/ansible/ansible/commit/0d418789a298561fded9bce977d34babc9097079 (v2.3.0.0-0.1.rc1) CVE-2017-7465 (It was found that the JAXP implementation used in JBoss EAP 7.0 for XS ...) NOT-FOR-US: JBoss JAXP CVE-2017-7464 (It was found that the JAXP implementation used in JBoss EAP 7.0 for SA ...) NOT-FOR-US: JBoss JAXP CVE-2017-7463 (JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a reflecte ...) NOT-FOR-US: Red Hat business central CVE-2017-7462 (Intellinet NFC-30ir IP Camera has a vendor backdoor that can allow a r ...) NOT-FOR-US: Intellinet NFC-30ir IP Camera CVE-2017-7461 (Directory traversal vulnerability in the web-based management site on ...) NOT-FOR-US: Intellinet NFC-30ir IP Camera CVE-2017-7460 RESERVED CVE-2017-7459 (ntopng before 3.0 allows HTTP Response Splitting. ...) - ntopng 2.4+dfsg1-4 (bug #866719) [stretch] - ntopng (Minor issue) [jessie] - ntopng (Minor issue) NOTE: https://github.com/ntop/ntopng/commit/9469e58f07e043da712e6d6c41244852a11bcaeb CVE-2017-7458 (The NetworkInterface::getHost function in NetworkInterface.cpp in ntop ...) - ntopng 2.4+dfsg1-4 (bug #866721) [stretch] - ntopng (Minor issue) [jessie] - ntopng (Minor issue) NOTE: https://github.com/ntop/ntopng/commit/01f47e04fd7c8d54399c9e465f823f0017069f8f CVE-2017-7457 (XML External Entity via ".AOP" files used by Moxa MX-AOPC Server 1.5 r ...) NOT-FOR-US: Moxa CVE-2017-7456 (Moxa MXView 2.8 allows remote attackers to cause a Denial of Service b ...) NOT-FOR-US: Moxa CVE-2017-7455 (Moxa MXView 2.8 allows remote attackers to read web server's private k ...) NOT-FOR-US: Moxa CVE-2017-7454 (The iwgif_record_pixel function in imagew-gif.c in libimageworsener.a ...) NOT-FOR-US: ImageWorsener CVE-2017-7453 (The iwgif_record_pixel function in imagew-gif.c in libimageworsener.a ...) NOT-FOR-US: ImageWorsener CVE-2017-7452 (The iwbmp_read_info_header function in imagew-bmp.c in libimageworsene ...) 
NOT-FOR-US: ImageWorsener CVE-2017-7451 RESERVED CVE-2017-7450 (AIRTAME HDMI dongle with firmware before 2.2.0 allows unauthenticated ...) NOT-FOR-US: AIRTAME HDMI dongle CVE-2017-7449 RESERVED CVE-2017-7448 (The allocate_channel_framebuffer function in uncompressed_components.h ...) - lepton 1.2.1-3 (bug #859714) NOTE: https://github.com/dropbox/lepton/issues/86 NOTE: https://github.com/dropbox/lepton/commit/7789d99ac156adfd7bbf66e7824bd3e948a74cf7 CVE-2017-7447 (HelpDEZk 1.1.1 has CSRF in admin/home#/logos/ with an impact of remote ...) NOT-FOR-US: HelpDEZk CVE-2017-7446 (HelpDEZk 1.1.1 has CSRF in admin/home#/person/ with an impact of obtai ...) NOT-FOR-US: HelpDEZk CVE-2017-7445 RESERVED CVE-2017-0887 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a bypass in the ...) - nextcloud (bug #835086) CVE-2017-7444 (In Veritas System Recovery before 16 SP1, there is a DLL hijacking vul ...) NOT-FOR-US: Veritas System Recovery CVE-2017-7442 (Nitro Pro 11.0.3.173 allows remote attackers to execute arbitrary code ...) NOT-FOR-US: Nitro Pro CVE-2017-7441 (In Sophos SurfRight HitmanPro before 3.7.20 Build 286 (included in the ...) NOT-FOR-US: Sophos CVE-2017-7440 (Kerio Connect 8.0.0 through 9.2.2, and Kerio Connect Client desktop ap ...) NOT-FOR-US: Kerio CVE-2017-7439 (NetApp OnCommand Unified Manager Core Package 5.x before 5.2.2P1 might ...) NOT-FOR-US: NetApp CVE-2017-7438 (NetIQ Privileged Account Manager before 3.1 Patch Update 3 allowed cro ...) NOT-FOR-US: NetIQ Privileged Account Manager CVE-2017-7437 (NetIQ Privileged Account Manager before 3.1 Patch Update 3 allowed cro ...) NOT-FOR-US: NetIQ Privileged Account Manager CVE-2017-7436 (In libzypp before 20170803 it was possible to retrieve unsigned packag ...) - libzypp 17.3.1-1 (bug #899065) [jessie] - libzypp (Minor issue) CVE-2017-7435 (In libzypp before 20170803 it was possible to add unsigned YUM reposit ...) 
- libzypp 17.3.1-1 (bug #899065) [jessie] - libzypp (Minor issue) CVE-2017-7434 (In the JDBC driver of NetIQ Identity Manager before 4.6 sending out in ...) NOT-FOR-US: NetIQ Identity Manager CVE-2017-7433 (An absolute path traversal vulnerability (CWE-36) in Micro Focus Vibe ...) NOT-FOR-US: Micro Focus Vibe CVE-2017-7432 (Novell iManager 2.7.x before 2.7 SP7 Patch 10 HF1 and NetIQ iManager 3 ...) NOT-FOR-US: Novell iManager and NetIQ iManager CVE-2017-7431 (Novell iManager 2.7.x before 2.7 SP7 Patch 10 HF1 and NetIQ iManager 3 ...) NOT-FOR-US: Novell iManager and NetIQ iManager CVE-2017-7430 (Novell iManager 2.7.x before 2.7 SP7 Patch 10 HF1 and NetIQ iManager 3 ...) NOT-FOR-US: Novell iManager and NetIQ iManager CVE-2017-7429 (The certificate upload in NetIQ eDirectory PKI plugin before 8.8.8 Pat ...) NOT-FOR-US: NetIQ eDirectory PKI plugin CVE-2017-7428 (NetIQ iManager 3.x before 3.0.3.1 has an issue in the renegotiation of ...) NOT-FOR-US: NetIQ iManager CVE-2017-7427 (Multiple cross site scripting attacks were found in the Identity Manag ...) NOT-FOR-US: NetIQ Identity Manager Plug-in CVE-2017-7426 (The NetIQ Identity Manager Plugins before 4.6.1 contained various XML ...) NOT-FOR-US: NetIQ Identity Manager Plugins CVE-2017-7425 (Multiple potential reflected XSS issues exist in NetIQ iManager versio ...) NOT-FOR-US: NetIQ CVE-2017-7424 (A Path Traversal (CWE-22) vulnerability in esfadmingui in Micro Focus ...) NOT-FOR-US: Micro Focus CVE-2017-7423 (A Cross-Site Request Forgery (CWE-352) vulnerability in esfadmingui in ...) NOT-FOR-US: Micro Focus CVE-2017-7422 (Reflected and stored Cross-Site Scripting (XSS, CWE-79) vulnerabilitie ...) NOT-FOR-US: Micro Focus CVE-2017-7421 (Reflected and stored Cross-Site Scripting (XSS, CWE-79) vulnerabilitie ...) NOT-FOR-US: Micro Focus CVE-2017-7420 (An Authentication Bypass (CWE-287) vulnerability in ESMAC (aka Enterpr ...) 
NOT-FOR-US: Micro Focus CVE-2017-7419 (A OAuth application in NetIQ Access Manager 4.3 before 4.3.2 and 4.2 b ...) NOT-FOR-US: NetIQ Access Manager CVE-2017-7418 (ProFTPD before 1.3.5e and 1.3.6 before 1.3.6rc5 controls whether the h ...) - proftpd-dfsg 1.3.5b-4 (low; bug #859592) [jessie] - proftpd-dfsg 1.3.5-1.1+deb8u2 [wheezy] - proftpd-dfsg (Minor issue) NOTE: http://bugs.proftpd.org/show_bug.cgi?id=4295 NOTE: https://github.com/proftpd/proftpd/commit/ecff21e0d0e84f35c299ef91d7fda088e516d4ed NOTE: https://github.com/proftpd/proftpd/commit/f59593e6ff730b832dbe8754916cb5c821db579f CVE-2017-7417 RESERVED CVE-2017-7416 (ntopng before 3.0 allows XSS because GET and POST parameters are impro ...) - ntopng 3.2+dfsg1-1 (bug #866722) [stretch] - ntopng (Minor issue) [jessie] - ntopng (Minor issue) CVE-2017-7415 (Atlassian Confluence 6.x before 6.0.7 allows remote attackers to bypas ...) NOT-FOR-US: Atlassian Confluence CVE-2017-7414 (In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Editio ...) {DLA-1398-1} - php-horde-crypt 2.7.5-2 (bug #859635) CVE-2017-7413 (In Horde_Crypt before 2.7.6, as used in Horde Groupware Webmail Editio ...) {DLA-1398-1} - php-horde-crypt 2.7.5-2 (bug #859635) CVE-2017-7412 (NixOS 17.03 before 17.03.887 has a world-writable Docker socket, which ...) NOT-FOR-US: NixOS specific Docker issue CVE-2017-7411 (An issue was discovered in Enalean Tuleap 9.6 and prior versions. The ...) NOT-FOR-US: Enalean Tuleap CVE-2017-7410 (Multiple SQL injection vulnerabilities in account/signup.php and accou ...) NOT-FOR-US: WebsiteBaker CVE-2017-7409 (Palo Alto Networks PAN-OS before 7.0.15 has XSS in the GlobalProtect e ...) NOT-FOR-US: Palo Alto Networks CVE-2017-7408 (Palo Alto Networks Traps ESM Console before 3.4.4 allows attackers to ...) NOT-FOR-US: Palo Alto Networks Traps ESM Console CVE-2017-7407 (The ourWriteOut function in tool_writeout.c in curl 7.53.1 might allow ...) 
{DLA-883-1} - curl 7.52.1-4 (unimportant; bug #859500) NOTE: https://github.com/curl/curl/commit/1890d59905414ab84a35892b2e45833654aa5c13 NOTE: Negligible security impact CVE-2017-7406 (The D-Link DIR-615 device before v20.12PTb04 doesn't use SSL for any o ...) NOT-FOR-US: D-Link CVE-2017-7405 (On the D-Link DIR-615 before v20.12PTb04, once authenticated, this dev ...) NOT-FOR-US: D-Link CVE-2017-7404 (On the D-Link DIR-615 before v20.12PTb04, if a victim logged in to the ...) NOT-FOR-US: D-Link CVE-2017-7403 RESERVED CVE-2017-7402 (Pixie 1.0.4 allows remote authenticated users to upload and execute ar ...) NOT-FOR-US: Pixie CMS CVE-2017-7401 (Incorrect interaction of the parse_packet() and parse_part_sign_sha256 ...) {DLA-884-1} - collectd 5.7.2-1 (bug #859494) [stretch] - collectd (Minor issue) [jessie] - collectd (Minor issue) NOTE: https://github.com/collectd/collectd/issues/2174 NOTE: https://github.com/collectd/collectd/commit/f6be4f9b49b949b379326c3d7002476e6ce4f211 CVE-2017-7400 (OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and 11.0.0 a ...) - horizon 3:10.0.1-1 (bug #859559) [jessie] - horizon (Vulnerable code not present) [wheezy] - horizon (Vulnerable code not present) NOTE: https://launchpad.net/bugs/1667086 CVE-2017-1001000 (The register_routes function in wp-includes/rest-api/endpoints/class-w ...) - wordpress 4.7.2+dfsg-1 [jessie] - wordpress (Vulnerable code introduced after 4.4) [wheezy] - wordpress (Vulnerable code not present) NOTE: https://github.com/WordPress/WordPress/commit/e357195ce303017d517aff944644a7a1232926f7 NOTE: rest-api introduced in 4.4 upstream CVE-2017-7399 (Cloudera Manager 5.8.x before 5.8.5, 5.9.x before 5.9.2, and 5.10.x be ...) NOT-FOR-US: Cloudera CVE-2017-7398 (D-Link DIR-615 HW: T1 FW:20.09 is vulnerable to Cross-Site Request For ...) NOT-FOR-US: D-Link CVE-2017-7397 (** DISPUTED ** BackBox Linux 4.6 allows remote attackers to cause a de ...) 
NOT-FOR-US: BackBox OS specific CVE assignment CVE-2017-7396 (In TigerVNC 1.7.1 (CConnection.cxx CConnection::CConnection), an unaut ...) - tigervnc 1.7.0+dfsg-7 (bug #859259) NOTE: https://github.com/TigerVNC/tigervnc/pull/436 NOTE: https://github.com/TigerVNC/tigervnc/pull/436/commits/dccb5f7d776e93863ae10bbff56a45c523c6eeb0 CVE-2017-7395 (In TigerVNC 1.7.1 (SMsgReader.cxx SMsgReader::readClientCutText), by c ...) - tigervnc 1.7.0+dfsg-7 (bug #859259) NOTE: https://github.com/TigerVNC/tigervnc/pull/436 NOTE: https://github.com/TigerVNC/tigervnc/pull/436/commits/bf3bdac082978ca32895a4b6a123016094905689 CVE-2017-7394 (In TigerVNC 1.7.1 (SSecurityPlain.cxx SSecurityPlain::processMsg), una ...) - tigervnc 1.7.0+dfsg-7 (bug #859259) NOTE: https://github.com/TigerVNC/tigervnc/pull/440 CVE-2017-7393 (In TigerVNC 1.7.1 (VNCSConnectionST.cxx VNCSConnectionST::fence), an a ...) - tigervnc 1.7.0+dfsg-7 (bug #859259) NOTE: https://github.com/TigerVNC/tigervnc/pull/438 CVE-2017-7392 (In TigerVNC 1.7.1 (SSecurityVeNCrypt.cxx SSecurityVeNCrypt::SSecurityV ...) - tigervnc 1.7.0+dfsg-7 (bug #859259) NOTE: https://github.com/TigerVNC/tigervnc/pull/441 CVE-2017-7391 (A Cross-Site Scripting (XSS) was discovered in 'Magmi 0.7.22'. The vul ...) NOT-FOR-US: Magmi CVE-2017-7390 (A Cross-Site Scripting (XSS) was discovered in 'SocialNetwork v1.2.1'. ...) NOT-FOR-US: SocialNetwork CVE-2017-7389 (Multiple Cross-Site Scripting (XSS) were discovered in 'openeclass Rel ...) NOT-FOR-US: The Open eClass Platform CVE-2017-7388 (A Cross-Site Scripting (XSS) was discovered in 'wallacepos v1.4.1'. Th ...) NOT-FOR-US: WallacePOS CVE-2017-7387 (TheFirstQuestion/HelpMeWatchWho before 2017-03-28 is vulnerable to a r ...) NOT-FOR-US: HelpMeWatchWho CVE-2017-7386 (citymont/symetrie v.0.9.6 is vulnerable to a reflected XSS in symetrie ...) NOT-FOR-US: symetrie CVE-2017-7385 RESERVED CVE-2017-7384 (Cross-site scripting (XSS) vulnerability in FlipBuilder Flip PDF allow ...) 
NOT-FOR-US: FlipBuilder Flip PDF CVE-2017-7383 (The PdfFontFactory.cpp:195:62 code in PoDoFo 0.9.5 allows remote attac ...) {DLA-968-1} - libpodofo 0.9.4-6 (bug #859329) [jessie] - libpodofo (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/04/01/3 NOTE: https://github.com/asarubbo/poc/blob/master/00252-podofo-nullptr4 NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1848 CVE-2017-7382 (The PdfFontFactory.cpp:200:88 code in PoDoFo 0.9.5 allows remote attac ...) {DLA-968-1} - libpodofo 0.9.4-6 (bug #859329) [jessie] - libpodofo (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/04/01/3 NOTE: https://github.com/asarubbo/poc/blob/master/00251-podofo-nullptr3 NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1848 CVE-2017-7381 (The doc/PdfPage.cpp:609:23 code in PoDoFo 0.9.5 allows remote attacker ...) {DLA-968-1} - libpodofo 0.9.4-6 (bug #859329) [jessie] - libpodofo (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/04/01/3 NOTE: https://github.com/asarubbo/poc/blob/master/00251-podofo-nullptr2 NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1848 CVE-2017-7380 (The doc/PdfPage.cpp:614:20 code in PoDoFo 0.9.5 allows remote attacker ...) {DLA-968-1} - libpodofo 0.9.4-6 (bug #859329) [jessie] - libpodofo (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/04/01/3 NOTE: https://github.com/asarubbo/poc/blob/master/00250-podofo-nullptr1 NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1848 CVE-2017-7379 (The PoDoFo::PdfSimpleEncoding::ConvertToEncoding function in PdfEncodi ...) {DLA-929-1} - libpodofo 0.9.4-5 (bug #859331) [jessie] - libpodofo (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/04/01/2 NOTE: upstream fix: https://sourceforge.net/p/podofo/code/1842/ CVE-2017-7378 (The PoDoFo::PdfPainter::ExpandTabs function in PdfPainter.cpp in PoDoF ...) 
{DLA-968-1} - libpodofo 0.9.4-6 (bug #859330) [jessie] - libpodofo (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/04/01/1 NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1847 CVE-2017-7377 (The (1) v9fs_create and (2) v9fs_lcreate functions in hw/9pfs/9p.c in ...) {DLA-1497-1 DLA-1035-1 DLA-965-1} - qemu 1:2.8+dfsg-4 (bug #859854) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-03/msg05449.html NOTE: http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=d63fb193e71644a073b77ff5ac6f1216f2f6cf6e NOTE: https://www.openwall.com/lists/oss-security/2017/04/03/2 NOTE: For older releases affected code is in hw/9pfs/virtio-9p.c CVE-2017-7376 (Buffer overflow in libxml2 allows remote attackers to execute arbitrar ...) {DSA-3952-1 DLA-1060-1} - libxml2 2.9.4+dfsg1-3.1 (bug #870865) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=780690 (not yet public) NOTE: Android patch: https://android.googlesource.com/platform/external/libxml2/+/51e0cb2e5ec18eaf6fb331bc573ff27b743898f4 NOTE: Fix upstream: https://git.gnome.org/browse/libxml2/commit/?id=5dca9eea1bd4263bfa4d037ab2443de1cd730f7e NOTE: The upstream patch has the slight consequence that some port values end up NOTE: negative when cast to a 32-bit int. A negative port though in the URL would NOTE: make the URL invalid. It is discussed if instead it would be best to prevent NOTE: the port from ever being negative. Upstream decided to leave the above patch. CVE-2017-7375 (A flaw in libxml2 allows remote XML entity inclusion with default pars ...) 
{DSA-3952-1 DLA-1008-1} - libxml2 2.9.4+dfsg1-3.1 (bug #870867) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=780691 (not yet public) NOTE: Android patch: https://android.googlesource.com/platform/external/libxml2/+/308396a55280f69ad4112d4f9892f4cbeff042aa NOTE: Fix upstream: https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e CVE-2017-7374 (Use-after-free vulnerability in fs/crypto/ in the Linux kernel before ...) - linux 4.9.25-1 [jessie] - linux (Vulnerable code not present; Introduced in 4.2-rc1) [wheezy] - linux (Vulnerable code not present; Introduced in 4.2-rc1) NOTE: Fixed by: https://git.kernel.org/linus/1b53cf9815bb4744958d41f3795d5d5a1d365e2d (4.11-rc4) CVE-2017-7373 (In all Android releases from CAF using the Linux kernel, a double free ...) NOT-FOR-US: Android display driver CVE-2017-7372 (In all Android releases from CAF using the Linux kernel, a race condit ...) NOT-FOR-US: Android CVE-2017-7371 (In all Android releases from CAF using the Linux kernel, a data pointe ...) NOT-FOR-US: Android CVE-2017-7370 (In all Android releases from CAF using the Linux kernel, a race condit ...) NOT-FOR-US: Android CVE-2017-7369 (In all Android releases from CAF using the Linux kernel, an array inde ...) - linux (Android-specific) CVE-2017-7368 (In all Android releases from CAF using the Linux kernel, a race condit ...) NOT-FOR-US: Android driver CVE-2017-7367 (In all Android releases from CAF using the Linux kernel, an integer un ...) NOT-FOR-US: Android CVE-2017-7366 (In all Android releases from CAF using the Linux kernel, a KGSL ioctl ...) NOT-FOR-US: Android driver CVE-2017-7365 (In all Android releases from CAF using the Linux kernel, a buffer over ...) NOT-FOR-US: Android CVE-2017-7364 (In all Qualcomm products with Android releases from CAF using the Linu ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-7363 (Pixie 1.0.4 allows an admin/index.php s=publish&m=module&x= XS ...) 
NOT-FOR-US: Pixie CMS CVE-2017-7362 (Pixie 1.0.4 allows an admin/index.php s=publish&m=dynamic&x= X ...) NOT-FOR-US: Pixie CMS CVE-2017-7361 (Pixie 1.0.4 allows an admin/index.php s=publish&m=static&x= XS ...) NOT-FOR-US: Pixie CMS CVE-2017-7360 (Pixie 1.0.4 allows an admin/index.php s=settings&x= XSS attack. ...) NOT-FOR-US: Pixie CMS CVE-2017-7359 (Pixie 1.0.4 allows an admin/index.php s=login&m= XSS attack. ...) NOT-FOR-US: Pixie CMS CVE-2017-7358 (In LightDM through 1.22.0, a directory traversal issue in debian/guest ...) - lightdm (Vulnerable code not present) NOTE: https://launchpad.net/bugs/1677924 NOTE: Specific script debian/guest-account.sh not merged from Ubuntu CVE-2017-7357 (Hipchat Server before 2.2.3 allows remote authenticated users with Ser ...) NOT-FOR-US: Hipchat Server CVE-2017-7356 RESERVED CVE-2017-7355 RESERVED CVE-2017-7354 RESERVED CVE-2017-7353 RESERVED CVE-2017-7352 (Stored Cross-site scripting (XSS) vulnerability in Pure Storage Purity ...) NOT-FOR-US: Pure Storage Purity CVE-2017-7351 (A SQL injection issue exists in a file upload handler in REDCap 7.x be ...) NOT-FOR-US: REDCap CVE-2017-7350 RESERVED CVE-2017-7349 RESERVED CVE-2017-7348 RESERVED CVE-2017-7347 RESERVED CVE-2017-7346 (The vmw_gb_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmw ...) {DSA-3945-1 DSA-3927-1} - linux 4.11.6-1 [wheezy] - linux (Vulnerable code introduced in 3.14) NOTE: Fixed by: https://git.kernel.org/linus/ee9c4e681ec4f58e42a83cb0c22a0289ade1aacf CVE-2017-7345 (NetApp OnCommand Performance Manager and OnCommand Unified Manager for ...) NOT-FOR-US: NetApp CVE-2017-7344 (A privilege escalation in Fortinet FortiClient Windows 5.4.3 and earli ...) NOT-FOR-US: Fortinet FortiClient Windows CVE-2017-7343 (An open redirect vulnerability in Fortinet FortiPortal 4.0.0 and below ...) NOT-FOR-US: Fortinet FortiPortal CVE-2017-7342 (A weak password recovery process vulnerability in Fortinet FortiPortal ...) 
NOT-FOR-US: Fortinet CVE-2017-7341 (An OS Command Injection vulnerability in Fortinet FortiWLC 6.1-2 throu ...) NOT-FOR-US: Fortinet CVE-2017-7340 (A Cross-Site Scripting vulnerability in Fortinet FortiPortal versions ...) NOT-FOR-US: Fortinet CVE-2017-7339 (A Cross-Site Scripting vulnerability in Fortinet FortiPortal versions ...) NOT-FOR-US: Fortinet FortiPortal CVE-2017-7338 (A password management vulnerability in Fortinet FortiPortal versions 4 ...) NOT-FOR-US: Fortinet FortiPortal CVE-2017-7337 (An improper Access Control vulnerability in Fortinet FortiPortal versi ...) NOT-FOR-US: Fortinet FortiPortal CVE-2017-7336 (A hard-coded account named 'upgrade' in Fortinet FortiWLM 8.3.0 and lo ...) NOT-FOR-US: Fortinet CVE-2017-7335 (A Cross-Site Scripting (XSS) vulnerability in Fortinet FortiWLC 6.1-x ...) NOT-FOR-US: Fortinet CVE-2017-7334 RESERVED CVE-2017-7333 RESERVED CVE-2017-7332 RESERVED CVE-2017-7331 RESERVED CVE-2017-7330 RESERVED CVE-2017-7329 RESERVED CVE-2017-7328 RESERVED CVE-2017-7327 (Yandex Browser installer for Desktop before 17.4.1 has a DLL Hijacking ...) NOT-FOR-US: Yandex Browser installer for Desktop CVE-2017-7326 (Race condition issue in Yandex Browser for Android before 17.4.0.16 al ...) NOT-FOR-US: Yandex Browser for Android CVE-2017-7325 (Yandex Browser before 16.9.0 allows remote attackers to spoof the addr ...) NOT-FOR-US: Yandex Browser CVE-2017-7324 (setup/templates/findcore.php in MODX Revolution 2.5.4-pl and earlier a ...) NOT-FOR-US: MODX Revolution CVE-2017-7323 (The (1) update and (2) package-installation features in MODX Revolutio ...) NOT-FOR-US: MODX Revolution CVE-2017-7322 (The (1) update and (2) package-installation features in MODX Revolutio ...) NOT-FOR-US: MODX Revolution CVE-2017-7321 (setup/controllers/welcome.php in MODX Revolution 2.5.4-pl and earlier ...) NOT-FOR-US: MODX Revolution CVE-2017-7320 (setup/controllers/language.php in MODX Revolution 2.5.4-pl and earlier ...) 
NOT-FOR-US: MODX Revolution CVE-2017-7319 REJECTED CVE-2017-7318 (Siklu EtherHaul devices before 7.4.0 are vulnerable to a remote comman ...) NOT-FOR-US: Siklu EtherHaul CVE-2017-7317 (An issue was discovered on Humax Digital HG100 2.0.6 devices. The atta ...) NOT-FOR-US: Humax Digital HG100 CVE-2017-7316 (An issue was discovered on Humax Digital HG100R 2.0.6 devices. There i ...) NOT-FOR-US: Humax Digital HG100R CVE-2017-7315 (An issue was discovered on Humax Digital HG100R 2.0.6 devices. To down ...) NOT-FOR-US: Humax Digital HG100R CVE-2017-7314 (An issue was discovered in Personify360 e-Business 7.5.2 through 7.6.1 ...) NOT-FOR-US: Personify360 e-Business CVE-2017-7313 (An issue was discovered in Personify360 e-Business 7.5.2 through 7.6.1 ...) NOT-FOR-US: Personify360 e-Business CVE-2017-7312 (An issue was discovered in Personify360 e-Business 7.5.2 through 7.6.1 ...) NOT-FOR-US: Personify360 e-Business CVE-2017-7311 RESERVED CVE-2017-7310 (A buffer overflow vulnerability in Import Command in SyncBreeze before ...) NOT-FOR-US: Sync Breeze Enterprise CVE-2017-7309 (A cross-site scripting (XSS) vulnerability in the MantisBT Configurati ...) - mantis [wheezy] - mantis (Unsupported in Wheezy LTS) NOTE: https://www.openwall.com/lists/oss-security/2017/03/30/4 CVE-2017-7307 (Riverbed RiOS before 9.0.1 does not properly restrict shell access in ...) NOT-FOR-US: Riverbed RiOS CVE-2017-7306 (** DISPUTED ** Riverbed RiOS through 9.6.0 has a weak default password ...) NOT-FOR-US: Riverbed RiOS CVE-2017-7305 (** DISPUTED ** Riverbed RiOS through 9.6.0 does not require a bootload ...) NOT-FOR-US: Riverbed RiOS CVE-2017-7304 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils 2.27.51.20161212-1 [jessie] - binutils (Minor issue) [wheezy] - binutils (vulnerable code not present) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20931 CVE-2017-7303 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) 
- binutils 2.27.51.20161212-1 [jessie] - binutils (Minor issue) [wheezy] - binutils (vulnerable code not present) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20922 CVE-2017-7302 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils 2.27.51.20161212-1 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20921 CVE-2017-7301 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils 2.27.51.20161212-1 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20924 CVE-2017-7300 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils 2.27.51.20161212-1 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20909 CVE-2017-7299 (The Binary File Descriptor (BFD) library (aka libbfd), as distributed ...) - binutils 2.27.51.20161220-1 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20908 CVE-2017-7308 (The packet_set_ring function in net/packet/af_packet.c in the Linux ke ...) {DLA-922-1} - linux 4.9.18-1 [jessie] - linux 3.16.43-1 NOTE: Fixed by: https://git.kernel.org/linus/2b6867c2ce76c596676bec7d2d525af525fdc6e2 NOTE: Fixed by: https://git.kernel.org/linus/8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b NOTE: Fixed by: https://git.kernel.org/linus/bcc5364bdcfe131e6379363f089e7b4108d35b70 NOTE: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html CVE-2017-7298 (In Moodle 3.2.2+, there is XSS in the Course summary filter of the "Ad ...) - moodle (unimportant) NOTE: http://www.daimacn.com/post/12.html NOTE: https://tracker.moodle.org/browse/MDL-52038 NOTE: Not considered a security issue/bug upstream, disputed that it got a CVE NOTE: assigned. Mark as unimportant as non-issue. 
CVE-2017-7297 (Rancher Labs rancher server 1.2.0+ is vulnerable to authenticated user ...) NOT-FOR-US: Rancher Labs rancher server CVE-2017-7296 (An issue was discovered in Contiki Operating System 3.0. A Persistent ...) NOT-FOR-US: Contiki Operating System CVE-2017-7295 (An issue was discovered in Contiki Operating System 3.0. A use-after-f ...) NOT-FOR-US: Contiki Operating System CVE-2017-7293 (The Dolby DAX2 and DAX3 API services are vulnerable to a privilege esc ...) NOT-FOR-US: Dolby CVE-2017-7294 (The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx ...) {DLA-922-1} - linux 4.9.18-1 [jessie] - linux 3.16.43-1 NOTE: Fixed by: https://git.kernel.org/linus/e7e11f99564222d82f0ce84bd521e57d78a6b678 CVE-2017-7292 RESERVED CVE-2017-7291 RESERVED CVE-2017-7290 (SQL injection vulnerability in XOOPS 2.5.7.2 and other versions before ...) NOT-FOR-US: XOOPS CVE-2017-7289 RESERVED CVE-2017-7288 (Cross-site scripting (XSS) vulnerability in Zimbra Collaboration Suite ...) NOT-FOR-US: Zimbra CVE-2017-7287 RESERVED CVE-2017-7286 REJECTED CVE-2017-7285 (A vulnerability in the network stack of MikroTik Version 6.38.5 releas ...) NOT-FOR-US: MikroTik CVE-2017-7284 (An attacker that has hijacked a Unitrends Enterprise Backup (before 9. ...) NOT-FOR-US: Unitrends Enterprise Backup CVE-2017-7283 (An authenticated user of Unitrends Enterprise Backup before 9.1.2 can ...) NOT-FOR-US: Unitrends Enterprise Backup CVE-2017-7282 (An issue was discovered in Unitrends Enterprise Backup before 9.1.1. T ...) NOT-FOR-US: Unitrends Enterprise Backup CVE-2017-7281 (An issue was discovered in Unitrends Enterprise Backup before 9.1.2. A ...) NOT-FOR-US: Unitrends Enterprise Backup CVE-2017-7280 (An issue was discovered in api/includes/systems.php in Unitrends Enter ...) NOT-FOR-US: Unitrends Enterprise Backup CVE-2017-7279 (An unprivileged user of the Unitrends Enterprise Backup before 9.0.0 w ...) 
NOT-FOR-US: Unitrends Enterprise Backup CVE-2017-7278 (Unspecified vulnerability in ASSA ABLOY APTUS Styra Porttelefonkort 44 ...) NOT-FOR-US: ASSA ABLOY APTUS Styra Porttelefonkort 4400 CVE-2017-7277 (The TCP stack in the Linux kernel through 4.10.6 mishandles the SCM_TI ...) - linux (Vulnerable code introduced in 4.10-rc1) CVE-2017-7276 (There is reflected XSS in TOPdesk before 5.7.6 and 6.x and 7.x before ...) NOT-FOR-US: TOPdesk CVE-2017-7275 (The ReadPCXImage function in coders/pcx.c in ImageMagick 7.0.4.9 allow ...) - imagemagick (unimportant; bug #859025) NOTE: https://blogs.gentoo.org/ago/2017/03/27/imagemagick-memory-allocation-failure-in-acquiremagickmemory-memory-c-incomplete-fix-for-cve-2016-8862-and-cve-2016-8866/ NOTE: https://github.com/ImageMagick/ImageMagick/issues/271 NOTE: Furthermore: upstream is not able to reproduce the problem as well NOTE: The problem results in a memory allocation issue when compiled with ASAN NOTE: but unreproducible from upstream. Since no more details can be provided NOTE: and the issue not addressed, treat this as "non-issue" (and thus marked NOTE: unimportant). If in future details can be elaborated by the reporter NOTE: we might re-evaluate this entry. CVE-2017-7274 (The r_pkcs7_parse_cms function in libr/util/r_pkcs7.c in radare2 1.3.0 ...) - radare2 (Vulnerable parsers introduced in 1.3.0-git, cf. #858873) NOTE: https://github.com/radare/radare2/commit/7ab66cca5bbdf6cb2d69339ef4f513d95e532dbf NOTE: https://github.com/radare/radare2/issues/7152 CVE-2017-7271 (Reflected Cross-site scripting (XSS) vulnerability in Yii Framework be ...) - yii (bug #597899) CVE-2017-7270 RESERVED CVE-2017-7273 (The cp_report_fixup function in drivers/hid/hid-cypress.c in the Linux ...) {DLA-922-1} - linux 4.9.6-1 [jessie] - linux 3.16.43-1 NOTE: Fixed by: https://git.kernel.org/linus/1ebb71143758f45dc0fa76e2f48429e13b16d110 CVE-2017-7272 (PHP through 7.1.11 enables potential SSRF in applications that accept ...)
{DLA-875-1} - php7.3 [buster] - php7.3 (Upstream patch breaks existing applications, was reverted again, revisit if a new approach has been identified) - php7.1 - php7.0 [stretch] - php7.0 (Upstream patch breaks existing applications, revisit if a new approach has been identified) - php5 [jessie] - php5 (Never applied to PHP 5 by upstream, breaks existing applications) NOTE: https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a NOTE: https://bugs.php.net/bug.php?id=74216 NOTE: Fixed in 7.1.4 and 7.0.18, but were later reverted: https://bugzilla.redhat.com/show_bug.cgi?id=1437837#c3 CVE-2017-7269 (Buffer overflow in the ScStoragePathFromUrl function in the WebDAV ser ...) NOT-FOR-US: Windows CVE-2017-7268 RESERVED CVE-2017-7267 RESERVED CVE-2017-7266 (Netflix Security Monkey before 0.8.0 has an Open Redirect. The logout ...) NOT-FOR-US: Netflix Security Monkey CVE-2017-7265 RESERVED CVE-2017-7264 (Use-after-free vulnerability in the fz_subsample_pixmap function in fi ...) {DSA-3797-1} - mupdf 1.9a+ds1-3 (bug #854734) [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697515 NOTE: Fix https://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 NOTE: https://blogs.gentoo.org/ago/2017/02/09/mupdf-use-after-free-in-fz_subsample_pixmap-pixmap-c/ NOTE: Related to CVE-2017-5896. But CVE-2017-7264 is for the use-after-free NOTE: vulnerability whereas CVE-2017-5896 is for the heap-based buffer overflow NOTE: in fz_subsample_pixmap. CVE-2017-7263 (The bm_readbody_bmp function in bitmap_io.c in Potrace 1.14 allows rem ...)
- potrace 1.15-1 (bug #858763) [stretch] - potrace (Minor issue) [jessie] - potrace (Minor issue) [wheezy] - potrace (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/03/03/potrace-heap-based-buffer-overflow-in-bm_readbody_bmp-bitmap_io-c-incomplete-fix-for-cve-2016-8698/ NOTE: Proposed patch: https://github.com/asarubbo/poc/blob/master/00219-potrace-heapoverflow-bm_readbody_bmp-PATCH NOTE: This CVE is for an incomplete fix of CVE-2016-8698 CVE-2017-7262 (The AMD Ryzen processor with AGESA microcode through 2017-01-27 allows ...) NOT-FOR-US: Hardware bug in AMD Ryzen CPUs, cannot be fixed via micro code updates, but only BIOS updates CVE-2017-7261 (The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx ...) {DLA-922-1} - linux 4.9.18-1 [jessie] - linux 3.16.43-1 NOTE: Fixed by: https://git.kernel.org/linus/36274ab8c596f1240c606bb514da329add2a1bcd CVE-2017-7260 RESERVED CVE-2017-7259 REJECTED CVE-2017-7258 (HTTP Exploit in eMLi Portal in AuroMeera Technometrix Pvt. Ltd. eMLi a ...) NOT-FOR-US: AuroMeera Technometrix CVE-2017-7257 (XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News--&g ...) NOT-FOR-US: CMS Made Simple CVE-2017-7256 (XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News--&g ...) NOT-FOR-US: CMS Made Simple CVE-2017-7255 (XSS exists in the CMS Made Simple (CMSMS) 2.1.6 "Content-->News--&g ...) NOT-FOR-US: CMS Made Simple CVE-2017-7254 RESERVED CVE-2017-7253 (Dahua IP Camera devices 3.200.0001.6 can be exploited via these steps: ...) NOT-FOR-US: Dahua IP Camera devices CVE-2017-7252 [Incorrect bcrypt computation] RESERVED - botan1.10 (Introduced in 1.11.0) NOTE: Bug introduced in 1.11.0, fixed in 2.1.0. CVE-2017-7251 (A Cross-Site Scripting (XSS) was discovered in pi-engine/pi 2.5.0. The ...) NOT-FOR-US: pi-engine CVE-2017-7250 (A Cross-Site Scripting (XSS) was discovered in Gazelle before 2017-03- ...) 
NOT-FOR-US: Gazelle torrent tracker CVE-2017-7249 (Multiple Cross-Site Scripting (XSS) were discovered in Gazelle before ...) NOT-FOR-US: Gazelle torrent tracker CVE-2017-7248 (A Cross-Site Scripting (XSS) was discovered in Gazelle before 2017-03- ...) NOT-FOR-US: Gazelle torrent tracker CVE-2017-7247 (Multiple Cross-Site Scripting (XSS) were discovered in Gazelle before ...) NOT-FOR-US: Gazelle torrent tracker CVE-2017-7246 (Stack-based buffer overflow in the pcre32_copy_substring function in p ...) - pcre3 (bug #858679; unimportant) [jessie] - pcre3 (Minor issue; 32bit character support not enabled) [wheezy] - pcre3 (Vulnerable code not present) NOTE: https://bugs.exim.org/show_bug.cgi?id=2057 NOTE: https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/ NOTE: pcre32 support enabled only in pcre3/1:8.35-4 NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1691 (8.41) CVE-2017-7245 (Stack-based buffer overflow in the pcre32_copy_substring function in p ...) - pcre3 (bug #858678; unimportant) [jessie] - pcre3 (Minor issue; 32bit character support not enabled) [wheezy] - pcre3 (Vulnerable code not present) NOTE: https://bugs.exim.org/show_bug.cgi?id=2055 NOTE: https://blogs.gentoo.org/ago/2017/03/20/libpcre-two-stack-based-buffer-overflow-write-in-pcre32_copy_substring-pcre_get-c/ NOTE: pcre32 support enabled only in pcre3/1:8.35-4 NOTE: Fixed by: http://vcs.pcre.org/pcre?view=revision&revision=1691 (8.41) CVE-2017-7244 (The _pcre32_xclass function in pcre_xclass.c in libpcre1 in PCRE 8.40 ...) 
- pcre3 2:8.39-3 (bug #858683) [jessie] - pcre3 (Minor issue; 32bit character support not enabled) [wheezy] - pcre3 (Vulnerable code not present) NOTE: https://bugs.exim.org/show_bug.cgi?id=2054 NOTE: https://blogs.gentoo.org/ago/2017/03/20/libpcre-invalid-memory-read-in-_pcre32_xclass-pcre_xclass-c/ NOTE: pcre32 support enabled only in pcre3/1:8.35-4 NOTE: Bisected and the following change addresses the issue for pcre3: NOTE: http://vcs.pcre.org/pcre?view=revision&revision=1688 (8.41) CVE-2017-7243 (Eclipse tinydtls 0.8.2 for Eclipse IoT allows remote attackers to caus ...) NOT-FOR-US: Eclipse tinydtls for Eclipse IoT CVE-2017-7242 (Multiple Cross-Site Scripting (XSS) were discovered in admin/modules c ...) NOT-FOR-US: SLiMS CVE-2017-7241 (A cross-site scripting (XSS) vulnerability in the MantisBT Move Attach ...) - mantis [wheezy] - mantis (Unsupported in Wheezy LTS) NOTE: https://www.openwall.com/lists/oss-security/2017/03/30/4 CVE-2017-7240 (An issue was discovered on Miele Professional PST10 devices. The corre ...) NOT-FOR-US: Miele Professional PG 8528 PST10 devices CVE-2017-7239 (Ninka before 1.3.2 might allow remote attackers to obtain sensitive in ...) - ninka (Fixed with the initial release to Debian) NOTE: https://github.com/dmgerman/ninka/commit/81f185261c8863c5b84344ee31192870be939faf CVE-2017-7238 RESERVED CVE-2017-7237 (The Spiceworks TFTP Server, as distributed with Spiceworks Inventory 7 ...) NOT-FOR-US: Spiceworks CVE-2017-7236 (SQL injection vulnerability in NetApp OnCommand Unified Manager Core P ...) NOT-FOR-US: NetApp CVE-2017-7235 (An issue was discovered in cloudflare-scrape 1.6.6 through 1.7.1. A ma ...) NOT-FOR-US: cloudflare-scrape CVE-2017-7234 (A maliciously crafted URL to a Django (1.10 before 1.10.7, 1.9 before ...) 
{DSA-3835-1 DLA-885-1} - python-django 1:1.10.7-1 (bug #859516) NOTE: https://www.djangoproject.com/weblog/2017/apr/04/security-releases/ NOTE: Fixed by (master): https://github.com/django/django/commit/a1f948b468b6621083a03b0d53432341b7a4d753 CVE-2017-7233 (Django 1.10 before 1.10.7, 1.9 before 1.9.13, and 1.8 before 1.8.18 re ...) {DSA-3835-1 DLA-885-1} - python-django 1:1.10.7-1 (bug #859515) NOTE: https://www.djangoproject.com/weblog/2017/apr/04/security-releases/ NOTE: Fixed by (master): https://github.com/django/django/commit/5ea48a70afac5e5684b504f09286e7defdd1a81a CVE-2017-7232 RESERVED CVE-2017-7231 (pngdefry through 2017-03-22 is prone to a heap-based buffer-overflow v ...) NOT-FOR-US: pngdefry CVE-2017-7230 (A buffer overflow vulnerability in Disk Sorter Enterprise 9.5.12 and e ...) NOT-FOR-US: Disk Sorter Enterprise CVE-2017-7229 (PGP/MIME encrypted messages injected into a Vaultive O365 (before 4.5. ...) NOT-FOR-US: Vaultive O365 CVE-2017-7228 (An issue (known as XSA-212) was discovered in Xen, with fixes availabl ...) {DSA-3847-1 DLA-907-1} - xen 4.8.1-1 (bug #859560) NOTE: https://xenbits.xen.org/xsa/advisory-212.html CVE-2017-7227 (GNU linker (ld) in GNU Binutils 2.28 is vulnerable to a heap-based buf ...) - binutils 2.27.51.20161212-1 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20906 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=406bd128dba2a59d0736839fc87a59bce319076c CVE-2017-7226 (The pe_ILF_object_p function in the Binary File Descriptor (BFD) libra ...) - binutils 2.27.51.20161212-1 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20905 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=fa6631b4eecfcca00c13b9594e6336dffd40982f CVE-2017-7225 (The find_nearest_line function in addr2line in GNU Binutils 2.28 does ...) 
- binutils 2.27.51.20161201-1 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20891 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=50455f1ab2935f7321215dfa681745c9b1cb5b19 CVE-2017-7224 (The find_nearest_line function in objdump in GNU Binutils 2.28 is vuln ...) - binutils 2.27.51.20161201-1 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20892 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e82ab856bb4689330c29fb9f1c57a8555b26380e CVE-2017-7223 (GNU assembler in GNU Binutils 2.28 is vulnerable to a global buffer ov ...) - binutils 2.27.51.20161212-1 [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20898 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=69ace2200106348a1b00d509a6a234337c104c17 CVE-2017-7222 (A cross-site scripting (XSS) vulnerability in MantisBT before 2.1.1 al ...) - mantis [wheezy] - mantis (Unsupported in Wheezy LTS) CVE-2017-7221 (OpenText Documentum Content Server has an inadequate protection mechan ...) NOT-FOR-US: OpenText Documentum Content Server CVE-2017-7220 (OpenText Documentum Content Server allows superuser access via sys_obj ...) NOT-FOR-US: OpenText Documentum Content Server CVE-2017-7219 (A heap overflow vulnerability in Citrix NetScaler Gateway versions 10. ...) NOT-FOR-US: Citrix CVE-2017-7218 (The Management Web Interface in Palo Alto Networks PAN-OS before 7.1.9 ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-7217 (The Management Web Interface in Palo Alto Networks PAN-OS before 7.0.1 ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-7216 (The Management Web Interface in Palo Alto Networks PAN-OS before 7.1.9 ...) NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2017-7215 (Cross site scripting in some view elements in the index filter tool in ...) 
NOT-FOR-US: MISP (Malware Information Sharing Platform and Threat Sharing) CVE-2017-7214 (An issue was discovered in exception_wrapper.py in OpenStack Nova 13.x ...) - nova 2:14.0.0-4 (bug #858568) [jessie] - nova (Vulnerable code not present) [wheezy] - nova (Not supported in Wheezy LTS) NOTE: https://bugs.launchpad.net/nova/+bug/1673569 CVE-2017-7213 (Zoho ManageEngine Desktop Central before build 100082 allows remote at ...) NOT-FOR-US: Zoho ManageEngine Desktop Central CVE-2017-7212 RESERVED CVE-2017-7211 RESERVED CVE-2017-7210 (objdump in GNU Binutils 2.28 is vulnerable to multiple heap-based buff ...) - binutils 2.28-3 (low; bug #858324) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21157 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a2dea0b20bc66a4c287c3c50002b8c3b3e9d953a CVE-2017-7209 (The dump_section_as_bytes function in readelf in GNU Binutils 2.28 acc ...) - binutils 2.28-3 (low; bug #858323) [jessie] - binutils (Vulnerable code introduced later) [wheezy] - binutils (Vulnerable code introduced later) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21135 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f055032e4e922f1e1a5e11026c7c2669fa2a7d19 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1835f746a7c7fff70a2cc03a051b14fdc6b3f73f CVE-2017-7208 (The decode_residual function in libavcodec in libav 9.21 allows remote ...) {DSA-4012-1 DLA-1142-1} - libav (low) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1000 NOTE: https://git.libav.org/?p=libav.git;a=commit;h=522d850e68ec4b77d3477b3c8f55b1ba00a9d69a CVE-2017-7207 (The mem_get_bits_rectangle function in Artifex Software, Inc. Ghostscr ...) 
{DSA-3838-1 DLA-1048-1} - ghostscript 9.20~dfsg-3 (bug #858350) NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=309eca4e0a31ea70dcc844812691439312dad091 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697676 CVE-2017-7206 (The ff_h2645_extract_rbsp function in libavcodec in libav 9.21 allows ...) - libav [jessie] - libav (Vulnerable code not present) - ffmpeg (bug #872517; Previous patches mitigated the issue) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1002 NOTE: https://git.libav.org/?p=libav.git;a=commit;h=83b2b34d06e74cc8775ba3d833f9782505e17539 CVE-2017-7205 (A Cross-Site Scripting (XSS) was discovered in GamePanelX-V3 3.0.12. T ...) NOT-FOR-US: GamePanelX-V3 CVE-2017-7204 (A Cross-Site Scripting (XSS) was discovered in imdbphp 5.1.1. The vuln ...) NOT-FOR-US: imdbphp CVE-2017-7203 (A Cross-Site Scripting (XSS) was discovered in ZoneMinder before 1.30. ...) - zoneminder 1.30.4+dfsg-1 (bug #858329) [wheezy] - zoneminder (Minor issue) NOTE: https://github.com/ZoneMinder/ZoneMinder/issues/1797 NOTE: Fixed in 1.30.2 upstream. CVE-2017-7202 (Multiple Cross-Site Scripting (XSS) were discovered in SLiMS 7 Cendana ...) NOT-FOR-US: SLiMS CVE-2017-7201 RESERVED CVE-2017-7199 (Nessus 6.6.2 - 6.10.3 contains a flaw related to insecure permissions ...) NOT-FOR-US: Nessus CVE-2017-7200 (An SSRF issue was discovered in OpenStack Glance before Newton. The 'c ...) 
- glance 2:13.0.0-1 [jessie] - glance (Minor issue, too intrusive to backport) [wheezy] - glance (Not supported in Wheezy LTS) NOTE: https://wiki.openstack.org/wiki/OSSN/OSSN-0078 NOTE: https://bugs.launchpad.net/ossn/+bug/1606495 NOTE: https://bugs.launchpad.net/ossn/+bug/1153614 NOTE: The only implemented solution is to move to the v2 API (deprecated in NOTE: 2:13.0.0-1, using that as the fixed version) CVE-2017-7198 RESERVED CVE-2017-7197 RESERVED CVE-2017-7196 RESERVED CVE-2017-7195 RESERVED CVE-2017-7194 RESERVED CVE-2017-7193 RESERVED CVE-2017-7192 (WebSocket.swift in Starscream before 2.0.4 allows an SSL Pinning bypas ...) NOT-FOR-US: Starscream CVE-2017-7190 RESERVED CVE-2017-7189 (main/streams/xp_socket.c in PHP 7.x before 2017-03-07 misparses fsocko ...) - php7.3 [buster] - php7.3 (Upstream patch breaks existing applications, was reverted again, revisit if a new approach has been identified) - php7.0 [stretch] - php7.0 (Upstream patch breaks existing applications, was reverted again, revisit if a new approach has been identified) - php5 [jessie] - php5 (Upstream patch breaks existing applications, was reverted again, revisit if a new approach has been identified) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=74192 NOTE: https://github.com/php/php-src/commit/bab0b99f376dac9170ac81382a5ed526938d595a NOTE: The commit was later on reverted again because of breaking some features. NOTE: See as well the related CVE-2017-7272. CVE-2017-7188 (Zurmo 3.1.1 Stable allows a Cross-Site Scripting (XSS) attack with a b ...) NOT-FOR-US: Zurmo CVE-2017-7187 (The sg_ioctl function in drivers/scsi/sg.c in the Linux kernel through ...) 
- linux 4.9.18-1 [jessie] - linux (Introduced in 3.17) [wheezy] - linux (Introduced in 3.17) NOTE: Fixed by: https://git.kernel.org/linus/bf33f87dd04c371ea33feb821b60d63d754e3124 (4.11-rc5) NOTE: Introduced by: https://git.kernel.org/linus/65c26a0f39695ba01d9693754f27ca76cc8a3ab5 (3.17-rc1) CVE-2017-7185 (Use-after-free vulnerability in the mg_http_multipart_wait_for_boundar ...) NOT-FOR-US: Mongoose CVE-2017-7183 (The TFTP server in ExtraPuTTY 0.30 and earlier allows remote attackers ...) NOT-FOR-US: ExtraPuTTY CVE-2017-7182 RESERVED CVE-2017-7181 RESERVED CVE-2017-7180 (Net Monitor for Employees Pro through 5.3.4 has an unquoted service pa ...) NOT-FOR-US: Net Monitor for Employees Pro CVE-2017-7179 RESERVED CVE-2017-7184 (The xfrm_replay_verify_len function in net/xfrm/xfrm_user.c in the Lin ...) {DLA-922-1} - linux 4.9.18-1 (low) [jessie] - linux 3.16.43-1 NOTE: Unprivileged user namespaces are disabled in Debian, this only affects NOTE: non-standard setups CVE-2017-7186 (libpcre1 in PCRE 8.40 and libpcre2 in PCRE2 10.23 allow remote attacke ...) - pcre3 2:8.39-3 (bug #858230) [jessie] - pcre3 (Minor issue; 32bit character support not enabled) [wheezy] - pcre3 (Vulnerable code not present) - pcre2 10.22-3 (bug #858233) NOTE: https://bugs.exim.org/show_bug.cgi?id=2052 NOTE: https://vcs.pcre.org/pcre/code/trunk/pcre_internal.h?r1=1649&r2=1688&sortby=date (for pcre3) NOTE: https://vcs.pcre.org/pcre/code/trunk/pcre_ucd.c?r1=1490&r2=1688&sortby=date (for pcre3) NOTE: https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_ucd.c?r1=316&r2=670&sortby=date (for pcre2) NOTE: https://vcs.pcre.org/pcre2/code/trunk/src/pcre2_internal.h?r1=600&r2=670&sortby=date (for pcre2) CVE-2017-7178 (CSRF was discovered in the web UI in Deluge before 1.3.14. The exploit ...) 
{DSA-3856-1 DLA-863-1} - deluge 1.3.13+git20161130.48cedf63-2 (bug #857903) NOTE: http://git.deluge-torrent.org/deluge/commit/?h=1.3-stable&id=318ab179865e0707d7945edc3a13a464a108d583 CVE-2017-9149 (Metadata Anonymisation Toolkit (MAT) 0.6 and 0.6.1 silently fails to p ...) - mat 0.6.1-4 (bug #858058) [jessie] - mat (Vulnerable code not present) [wheezy] - mat (Vulnerable code not present) NOTE: https://0xacab.org/mat/mat/issues/11527 NOTE: Fixed by: https://0xacab.org/mat/mat/commit/94ca62a429bb6a3a5f293de26053e54bbfeea9f9 NOTE: Fixed by: https://0xacab.org/mat/mat/commit/8f6303a1f26fe8dad83ba96ab8328dbdfa3af59a NOTE: Introduced by: https://0xacab.org/mat/mat/commit/0d1fe2555e90db35eeb531a1b6026ff64f1f5ae5 CVE-2017-7176 REJECTED CVE-2017-7175 (NfSen before 1.3.8 allows remote attackers to execute arbitrary OS com ...) NOT-FOR-US: NfSen CVE-2017-7174 (The user-account creation feature in Chef Manage 2.1.0 through 2.4.4 a ...) NOT-FOR-US: Chef Manage CVE-2017-7173 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-7172 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-7171 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-7170 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-7169 RESERVED CVE-2017-7168 RESERVED CVE-2017-7167 (An issue was discovered in certain Apple products. Xcode before 9.2 is ...) NOT-FOR-US: Apple CVE-2017-7166 RESERVED CVE-2017-7165 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - webkit2gtk 2.18.6-1 (unimportant) [stretch] - webkit2gtk 2.18.6-1~deb9u1 NOTE: https://webkitgtk.org/security/WSA-2018-0002.html NOTE: Not covered by security support CVE-2017-7164 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) 
NOT-FOR-US: Apple CVE-2017-7163 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Intel Graphics Driver on Apple / macOS CVE-2017-7162 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-7161 (An issue was discovered in certain Apple products. Safari before 11.0. ...) - webkit2gtk 2.18.6-1 (unimportant) [stretch] - webkit2gtk 2.18.6-1~deb9u1 NOTE: https://webkitgtk.org/security/WSA-2018-0002.html NOTE: Not covered by security support CVE-2017-7160 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - webkit2gtk 2.18.6-1 (unimportant) [stretch] - webkit2gtk 2.18.6-1~deb9u1 NOTE: https://webkitgtk.org/security/WSA-2018-0002.html NOTE: Not covered by security support CVE-2017-7159 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-7158 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-7157 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0010.html NOTE: Not covered by security support CVE-2017-7156 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) - webkit2gtk 2.18.4-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0010.html NOTE: Not covered by security support CVE-2017-7155 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Intel Graphics Driver on Apple / macOS CVE-2017-7154 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-7153 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) 
- webkit2gtk 2.18.6-1 (unimportant) [stretch] - webkit2gtk 2.18.6-1~deb9u1 NOTE: https://webkitgtk.org/security/WSA-2018-0002.html NOTE: Not covered by security support CVE-2017-7152 (An issue was discovered in certain Apple products. iOS before 11.2 is ...) NOT-FOR-US: Apple CVE-2017-7151 (A race condition was addressed with additional validation. This issue ...) NOT-FOR-US: Apple CVE-2017-7150 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-7149 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-7148 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7147 (An issue was discovered in certain Apple products. The Apple Support a ...) NOT-FOR-US: Apple CVE-2017-7146 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7145 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7144 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7143 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-7142 (An issue was discovered in certain Apple products. Safari before 11 is ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7141 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-7140 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7139 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7138 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-7137 (An issue was discovered in certain Apple products. Xcode before 9 is a ...) 
NOT-FOR-US: Apple CVE-2017-7136 (An issue was discovered in certain Apple products. Xcode before 9 is a ...) NOT-FOR-US: Apple CVE-2017-7135 (An issue was discovered in certain Apple products. Xcode before 9 is a ...) NOT-FOR-US: Apple CVE-2017-7134 (An issue was discovered in certain Apple products. Xcode before 9 is a ...) NOT-FOR-US: Apple CVE-2017-7133 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7132 (An issue was discovered in certain Apple products. macOS before 10.13. ...) NOT-FOR-US: Apple CVE-2017-7131 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7130 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7129 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7128 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7127 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7126 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7125 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7124 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7123 (An issue was discovered in certain Apple products. macOS before 10.13 ...) 
NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7122 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7121 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Potentially src:file, but Apple doesn't play by the rules CVE-2017-7120 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7119 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-7118 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7117 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7116 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7115 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7114 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7113 (An issue was discovered in certain Apple products. iOS before 11.1 is ...) NOT-FOR-US: Apple CVE-2017-7112 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7111 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7110 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7109 (An issue was discovered in certain Apple products. 
iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7108 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7107 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7106 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7105 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7104 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7103 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7102 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7101 RESERVED CVE-2017-7100 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7099 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7098 (An issue was discovered in certain Apple products. iOS before 11 is af ...) 
- webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7097 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7096 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7095 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7094 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7093 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7092 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7091 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7090 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7089 (An issue was discovered in certain Apple products. iOS before 11 is af ...) 
- webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7088 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7087 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7086 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7085 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7084 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-7083 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7082 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-7081 (An issue was discovered in certain Apple products. iOS before 11 is af ...) - webkit2gtk 2.18.1-1 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0008.html NOTE: Not covered by security support CVE-2017-7080 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7079 (An issue was discovered in certain Apple products. iTunes before 12.7 ...) NOT-FOR-US: Apple CVE-2017-7078 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7077 (An issue was discovered in certain Apple products. macOS before 10.13 ...) NOT-FOR-US: Apple CVE-2017-7076 (An issue was discovered in certain Apple products. Xcode before 9 is a ...) NOT-FOR-US: Apple CVE-2017-7075 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7074 (An issue was discovered in certain Apple products. macOS before 10.13 ...) 
NOT-FOR-US: Apple CVE-2017-7073 RESERVED CVE-2017-7072 (An issue was discovered in certain Apple products. iOS before 11 is af ...) NOT-FOR-US: Apple CVE-2017-7071 (An issue was discovered in certain Apple products. Safari before 10.1 ...) NOT-FOR-US: Apple CVE-2017-7070 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7069 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7068 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple / libarchive NOTE: Possibly Apple-specific, but no one really knows and Apple doesn't cooperate CVE-2017-7067 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7066 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7065 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-7064 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.6-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7063 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7062 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7061 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.6-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: Not covered by security support CVE-2017-7060 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7059 (A DOMParser XSS issue was discovered in certain Apple products. iOS be ...)
- webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-7058 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7057 RESERVED CVE-2017-7056 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.6-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: Not covered by security support CVE-2017-7055 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.6-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7054 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7053 (An issue was discovered in certain Apple products. iTunes before 12.6. ...) NOT-FOR-US: Apple CVE-2017-7052 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.4-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7051 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7050 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7049 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7048 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.6-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7047 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) 
NOT-FOR-US: Apple CVE-2017-7046 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.6-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7045 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7044 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7043 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7042 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7041 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7040 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7039 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.6-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7038 (A DOMParser XSS issue was discovered in certain Apple products. iOS be ...) - webkit2gtk 2.16.3-2 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7037 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) 
- webkit2gtk 2.16.6-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7036 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7035 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7034 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.6-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7033 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7032 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7031 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7030 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.6-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7029 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7028 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7027 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7026 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7025 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7024 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7023 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) 
NOT-FOR-US: Apple CVE-2017-7022 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7021 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7020 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7019 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7018 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.6-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7017 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7016 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7015 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7014 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-7013 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Possibly Apple-specific CVE ID for libxml2 CVE-2017-7012 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7011 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) 
- webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7010 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Possibly Apple-specific CVE ID for libxml2 CVE-2017-7009 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7008 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7007 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple CVE-2017-7006 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: https://webkitgtk.org/security/WSA-2017-0006.html NOTE: Not covered by security support CVE-2017-7005 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-7004 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-7003 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-7002 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7001 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Potentially src:sqlite, but Apple doesn't play by the rules CVE-2017-7000 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-6999 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-6998 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) 
NOT-FOR-US: Apple CVE-2017-6997 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-6996 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-6995 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-6994 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-6993 RESERVED CVE-2017-6992 RESERVED CVE-2017-6991 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOTE: Unspecified sqlite issue found by Apple, no further details available CVE-2017-6990 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-6989 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-6988 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-6987 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-6986 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-6985 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-6984 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-6983 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOTE: Unspecified sqlite issue found by Apple, no further details available CVE-2017-6982 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-6981 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-6980 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) 
- webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-6979 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-6978 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-6977 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-6976 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-6975 (Wi-Fi in Apple iOS before 10.3.1 does not prevent CVE-2017-6956 stack ...) NOT-FOR-US: Apple CVE-2017-6974 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-6973 (A cross-site scripting (XSS) vulnerability in the MantisBT Configurati ...) - mantis [wheezy] - mantis (Unsupported in Wheezy LTS) NOTE: https://www.openwall.com/lists/oss-security/2017/03/30/4 CVE-2017-6972 (AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 have an e ...) NOT-FOR-US: AlienVault CVE-2017-6971 (AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 allow rem ...) NOT-FOR-US: AlienVault CVE-2017-6970 (AlienVault USM and OSSIM before 5.3.7 and NfSen before 1.3.8 allow loc ...) NOT-FOR-US: AlienVault CVE-2017-6968 (GMV Checker ATM Security prior to 5.0.18 allows remote authenticated u ...) NOT-FOR-US: GMV Checker ATM Security CVE-2017-6969 (readelf in GNU Binutils 2.28 is vulnerable to a heap-based buffer over ...) - binutils 2.28-3 (bug #858256) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21156 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=b814a36d3440de95f2ac6eaa4fc7935c322ea456 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=43a444f9c5bfd44b4304eafd78338e21d54bea14 CVE-2017-6967 (xrdp 0.9.1 calls the PAM function auth_start_session() in an incorrect ...)
{DLA-872-1} [experimental] - xrdp 0.9.2~20170325-1~exp1 - xrdp 0.9.1-9 (bug #858143) [jessie] - xrdp (Minor issue) NOTE: https://bugs.launchpad.net/ubuntu/+source/xrdp/+bug/1672742 NOTE: https://github.com/neutrinolabs/xrdp/issues/350 NOTE: First attempt: https://github.com/neutrinolabs/xrdp/pull/694 NOTE: Followed by: https://github.com/neutrinolabs/xrdp/pull/696 NOTE: https://www.openwall.com/lists/oss-security/2017/03/18/1 NOTE: https://github.com/neutrinolabs/xrdp/pull/696/commits/44129acd210c803fc8bbcfaf1b0db05e5bb4034f CVE-2017-6966 (readelf in GNU Binutils 2.28 has a use-after-free (specifically read-a ...) - binutils 2.28-3 (bug #858263) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21139 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f84ce13b6708801ca1d6289b7c4003e2f5a6d7f9 CVE-2017-6965 (readelf in GNU Binutils 2.28 writes to illegal addresses while process ...) - binutils 2.28-3 (bug #858264) [jessie] - binutils (Minor issue) [wheezy] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=21137 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=03f7786e2f440b9892b1c34a58fb26222ce1b493 CVE-2017-6964 (dmcrypt-get-device, as shipped in the eject package of Debian and Ubun ...) {DSA-3823-1 DLA-876-1} - eject 2.1.5+deb1+cvs20081104-13.2 (bug #858872) NOTE: https://bugs.launchpad.net/ubuntu/+source/eject/+bug/1673627 CVE-2017-6963 RESERVED CVE-2017-6962 (An issue was discovered in apng2gif 1.7. There is an integer overflow ...) - apng2gif 1.8-0.1 (bug #854447) [stretch] - apng2gif (Minor issue; can be fixed via point release) [jessie] - apng2gif (Vulnerable code introduced later with refactoring) [wheezy] - apng2gif (Vulnerable code introduced later with refactoring) CVE-2017-6961 (An issue was discovered in apng2gif 1.7. There is improper sanitizatio ...) 
- apng2gif 1.8-0.1 (bug #854441) [stretch] - apng2gif (Minor issue; can be fixed via point release) [jessie] - apng2gif (Vulnerable code introduced later with refactoring) [wheezy] - apng2gif (Vulnerable code introduced later with refactoring) CVE-2017-6960 (An issue was discovered in apng2gif 1.7. There is an integer overflow ...) {DLA-2165-1 DLA-981-1} - apng2gif 1.8-0.1 (bug #854367) [stretch] - apng2gif (Minor issue; can be fixed via point release) CVE-2017-6959 REJECTED CVE-2017-6958 (An XSS vulnerability in the MantisBT Source Integration Plugin (before ...) NOT-FOR-US: MantisBT Source Integration Plugin CVE-2017-6957 (Stack-based buffer overflow in the firmware in Broadcom Wi-Fi HardMAC ...) NOT-FOR-US: Firmware on some Broadcom SoCs CVE-2017-6956 (On the Broadcom Wi-Fi HardMAC SoC with fbt firmware, a stack buffer ov ...) NOT-FOR-US: Firmware on some Broadcom SoCs CVE-2017-6955 (An issue was discovered in by-email/by-email.php in the Invite Anyone ...) NOT-FOR-US: wordpress Anyone plugin CVE-2017-6954 (An issue was discovered in includes/component.php in the BuddyPress Do ...) NOT-FOR-US: wordpress buddypress docs plugin CVE-2017-6953 (Gemalto SmartDiag Diagnosis Tool v2.5 has a stack-based Buffer Overflo ...) NOT-FOR-US: Gemalto SmartDiag Diagnosis Tool CVE-2017-6952 (Integer overflow in the cs_winkernel_malloc function in winkernel_mm.c ...) - capstone (Vulnerable code not present, in Windows specific distribution) CVE-2017-9999 REJECTED CVE-2017-6951 (The keyring_search_aux function in security/keys/keyring.c in the Linu ...) {DLA-922-1} - linux 4.0.2-1 [jessie] - linux 3.16.43-1 CVE-2017-6950 (SAP GUI 7.2 through 7.5 allows remote attackers to bypass intended sec ...) NOT-FOR-US: SAP CVE-2017-6949 (An issue was discovered in CHICKEN Scheme through 4.12.0. When using a ...) 
{DLA-908-1} - chicken 4.12.0-0.2 (bug #858057) [stretch] - chicken (Minor issue) [jessie] - chicken (Minor issue) NOTE: http://lists.gnu.org/archive/html/chicken-announce/2017-03/msg00000.html CVE-2017-6948 RESERVED CVE-2017-6947 RESERVED CVE-2017-6946 RESERVED CVE-2017-6945 RESERVED CVE-2017-6944 RESERVED CVE-2017-6943 RESERVED CVE-2017-6942 RESERVED CVE-2017-6941 RESERVED CVE-2017-6940 RESERVED CVE-2017-6939 RESERVED CVE-2017-6938 RESERVED CVE-2017-6937 RESERVED CVE-2017-6936 RESERVED CVE-2017-6935 RESERVED CVE-2017-6934 RESERVED CVE-2017-6933 RESERVED CVE-2017-6931 (In Drupal versions 8.4.x versions before 8.4.5 the Settings Tray modul ...) - drupal8 (bug #756305) NOTE: https://www.drupal.org/sa-core-2018-001 CVE-2017-6930 (In Drupal versions 8.4.x versions before 8.4.5 when using node access ...) - drupal8 (bug #756305) NOTE: https://www.drupal.org/sa-core-2018-001 CVE-2017-6926 (In Drupal versions 8.4.x versions before 8.4.5 users with permission t ...) - drupal8 (bug #756305) NOTE: https://www.drupal.org/sa-core-2018-001 CVE-2017-6925 (In versions of Drupal 8 core prior to 8.3.7; There is a vulnerability ...) - drupal8 (bug #756305) NOTE: https://www.drupal.org/SA-CORE-2017-004 CVE-2017-6924 (In Drupal 8 prior to 8.3.7; When using the REST API, users without the ...) - drupal8 (bug #756305) NOTE: https://www.drupal.org/SA-CORE-2017-004 CVE-2017-6923 (In Drupal 8.x prior to 8.3.7 When creating a view, you can optionally ...) - drupal8 (bug #756305) NOTE: https://www.drupal.org/SA-CORE-2017-004 CVE-2017-6922 (In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56; P ...) {DSA-3897-1 DLA-1004-1} - drupal8 (bug #756305) - drupal7 7.56-1 (bug #865498) NOTE: https://www.drupal.org/SA-CORE-2017-003 NOTE: http://cgit.drupalcode.org/drupal/diff/?h=7.x&id=600c1346ed976e6f35fc2b0f907a7837f0f7c145&id2=9eebe462d1e93e785e6c028dc6cf689623c4d936 CVE-2017-6921 (In Drupal 8 prior to 8.3.4; The file REST resource does not properly v ...) 
- drupal8 (bug #756305) NOTE: https://www.drupal.org/SA-CORE-2017-003 CVE-2017-6920 (Drupal core 8 before versions 8.3.4 allows remote attackers to execute ...) - drupal8 (bug #756305) NOTE: https://www.drupal.org/SA-CORE-2017-003 CVE-2017-6919 (Drupal 8 before 8.2.8 and 8.3 before 8.3.1 allows critical access bypa ...) - drupal8 (bug #756305) NOTE: https://www.drupal.org/SA-CORE-2017-002 CVE-2017-6918 (CSRF exists in BigTree CMS 4.2.16 with the value[#][*] parameter to th ...) NOT-FOR-US: BigTree CMS CVE-2017-6917 (CSRF exists in BigTree CMS 4.2.16 with the value parameter to the admi ...) NOT-FOR-US: BigTree CMS CVE-2017-6916 (CSRF exists in BigTree CMS 4.1.18 with the nav-social[#] parameter to ...) NOT-FOR-US: BigTree CMS CVE-2017-6915 (CSRF exists in BigTree CMS 4.1.18 with the colophon parameter to the a ...) NOT-FOR-US: BigTree CMS CVE-2017-6914 (CSRF exists in BigTree CMS 4.1.18 and 4.2.16 with the id parameter to ...) NOT-FOR-US: BigTree CMS CVE-2017-6913 (Cross-site scripting (XSS) vulnerability in the Open-Xchange webmail b ...) NOT-FOR-US: Open-Xchange CVE-2017-6912 (Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incor ...) NOT-FOR-US: Open-Xchange GmbH OX App Suite CVE-2017-6911 (USB Pratirodh is prone to sensitive information disclosure. It stores ...) NOT-FOR-US: USB Pratirodh CVE-2017-6910 (The HTTP and WebSocket engine components in the server in Kaazing Gate ...) NOT-FOR-US: Kaazing Gateway CVE-2017-6909 (An issue was discovered in Shimmie <= 2.5.1. The vulnerability exis ...) NOT-FOR-US: Shimmie CVE-2017-6908 (An issue was discovered in concrete5 <= 5.6.3.4. The vulnerability ...) NOT-FOR-US: concrete5 CVE-2017-6907 (An issue was discovered in Open.GL before 2017-03-13. The vulnerabilit ...) NOT-FOR-US: Open.GL CVE-2017-6906 (An issue was discovered in SiberianCMS before 4.10.0. The vulnerabili ...) NOT-FOR-US: SiberianCMS CVE-2017-6905 (An issue was discovered in concrete5 <= 5.6.3.4. The vulnerability ...) 
NOT-FOR-US: concrete5 CVE-2017-6904 RESERVED CVE-2017-6902 REJECTED CVE-2017-6901 RESERVED CVE-2017-6900 (An issue was discovered in Riello NetMan 204 14-2 and 15-2. The issue ...) NOT-FOR-US: Riello NetMan CVE-2017-6899 (The msm_bus_dbg_update_request_write function in drivers/platform/msm/ ...) NOT-FOR-US: android_kernel_huawei_msm8916 in LineageOS (and other kernels for MSM devices) CVE-2017-6898 RESERVED CVE-2017-6897 RESERVED CVE-2017-6896 (Privilege escalation vulnerability on the DIGISOL DG-HR1400 1.00.02 wi ...) NOT-FOR-US: DIGISOL DG-HR1400 1.00.02 wireless router CVE-2017-6895 (USB Pratirodh allows remote attackers to conduct XML External Entity ( ...) NOT-FOR-US: USB Pratirodh CVE-2017-6894 RESERVED CVE-2017-6893 RESERVED CVE-2017-6892 (In libsndfile version 1.0.28, an error in the "aiff_read_chanmap()" fu ...) {DLA-2418-1 DLA-985-1} - libsndfile 1.0.28-1 (bug #864704) [jessie] - libsndfile (Minor issue) NOTE: Fixed by: https://github.com/erikd/libsndfile/commit/f833c53cb596e9e1792949f762e0b33661822748 CVE-2017-6891 (Two errors in the "asn1_find_node()" function (lib/parser_aux.c) withi ...) {DSA-3861-1 DLA-950-1} - libtasn1-6 4.10-1.1 (bug #863186) - libtasn1-3 NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-11/ NOTE: https://gitlab.com/gnutls/libtasn1/commit/5520704d075802df25ce4ffccc010ba1641bd484 CVE-2017-6890 (A boundary error within the "foveon_load_camf()" function (dcraw_foveo ...) NOT-FOR-US: libraw demosaic extension (not packaged in Debian) CVE-2017-6889 (An integer overflow error within the "foveon_load_camf()" function (dc ...) NOT-FOR-US: libraw demosaic extension (not packaged in Debian) CVE-2017-6888 (An error in the "read_metadata_vorbiscomment_()" function (src/libFLAC ...) 
{DLA-2514-1} - flac 1.3.2-2 (low; bug #897015) [jessie] - flac (Minor issue) [wheezy] - flac (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-7/ NOTE: https://github.com/xiph/flac/commit/4f47b63e9c971e6391590caf00a0f2a5ed612e67 (1.3.3) NOTE: https://android.googlesource.com/platform/external/flac/+/4f47b63e9c971e6391590caf00a0f2a5ed612e67 CVE-2017-6887 (A boundary error within the "parse_tiff_ifd()" function (internal/dcra ...) {DSA-3950-1 DLA-1057-1} - libraw 0.18.2-2 (bug #864183) NOTE: https://github.com/LibRaw/LibRaw/commit/d7c3d2cb460be10a3ea7b32e9443a83c243b2251 CVE-2017-6886 (An error within the "parse_tiff_ifd()" function (internal/dcraw_common ...) {DSA-3950-1 DLA-1057-1} - libraw 0.18.2-2 (bug #864183) NOTE: https://github.com/LibRaw/LibRaw/commit/d7c3d2cb460be10a3ea7b32e9443a83c243b2251 CVE-2017-6885 (An error when handling certain external commands and services related ...) NOT-FOR-US: FlexNet CVE-2017-6903 (In ioquake3 before 2017-03-14, the auto-downloading feature has insuff ...) {DSA-3812-1} - ioquake3 1.36+u20161101+dfsg1-2 (bug #857699) [wheezy] - ioquake3 (Not supported in Wheezy LTS) - iortcw 1.50a+dfsg1-3 (bug #857714) NOTE: https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/ NOTE: Also affects openjk (only in experimental; bug #857715) CVE-2017-6884 (A command injection vulnerability was discovered on the Zyxel EMG2926 ...) NOT-FOR-US: Zyxel CVE-2017-6883 (The ConvertToPDF plugin in Foxit Reader before 8.2.1 and PhantomPDF be ...) NOT-FOR-US: Foxit CVE-2017-6882 RESERVED CVE-2017-6881 RESERVED CVE-2017-6880 (Buffer overflow in Cerberus FTP Server 8.0.10.3 allows remote attacker ...) NOT-FOR-US: Cerberus FTP Server CVE-2017-6879 RESERVED CVE-2017-6878 (Cross-site scripting (XSS) vulnerability in MetInfo 5.3.15 allows remo ...) NOT-FOR-US: MetInfo CVE-2017-6877 (Cross-site scripting (XSS) vulnerability in SVG file handling in Lutim ...) 
NOT-FOR-US: Lutim CVE-2017-6876 RESERVED CVE-2017-6875 RESERVED CVE-2017-6874 (Race condition in kernel/ucount.c in the Linux kernel through 4.10.2 a ...) - linux 4.9.16-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/040757f738e13caaa9c5078bca79aa97e11dde88 CVE-2017-6873 (A vulnerability was discovered in Siemens OZW672 (all versions) and OZ ...) NOT-FOR-US: Siemens CVE-2017-6872 (A vulnerability was discovered in Siemens OZW672 (all versions) and OZ ...) NOT-FOR-US: Siemens CVE-2017-6871 (A vulnerability was discovered in Siemens SIMATIC WinCC Sm@rtClient fo ...) NOT-FOR-US: Siemens CVE-2017-6870 (A vulnerability was discovered in Siemens SIMATIC WinCC Sm@rtClient fo ...) NOT-FOR-US: Siemens CVE-2017-6869 (A vulnerability was discovered in Siemens ViewPort for Web Office Port ...) NOT-FOR-US: Siemens CVE-2017-6868 (An Improper Authentication issue was discovered in Siemens SIMATIC CP ...) NOT-FOR-US: Siemens CVE-2017-6867 (A vulnerability was discovered in Siemens SIMATIC WinCC (V7.3 before U ...) NOT-FOR-US: Siemens CVE-2017-6866 (A vulnerability was discovered in Siemens XHQ server 4 and 5 (4 before ...) NOT-FOR-US: Siemens CVE-2017-6865 (A vulnerability has been identified in Primary Setup Tool (PST) (All v ...) NOT-FOR-US: Siemens CVE-2017-6864 (The integrated web server in Siemens RUGGEDCOM ROX I (all versions) at ...) NOT-FOR-US: Siemens CVE-2017-6863 RESERVED CVE-2017-6862 (NETGEAR WNR2000v3 devices before 1.1.2.14, WNR2000v4 devices before 1. ...) NOT-FOR-US: NETGEAR CVE-2017-6861 RESERVED CVE-2017-6860 RESERVED CVE-2017-6859 RESERVED CVE-2017-6858 RESERVED CVE-2017-6857 RESERVED CVE-2017-6856 RESERVED CVE-2017-6855 RESERVED CVE-2017-6854 RESERVED CVE-2017-6853 RESERVED CVE-2017-6839 (Integer overflow in modules/MSADPCM.cpp in Audio File Library (aka aud ...) 
{DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/ NOTE: https://github.com/mpruett/audiofile/issues/41 NOTE: https://github.com/antlarr/audiofile/commit/beacc44eb8cdf6d58717ec1a5103c5141f1b37f9 CVE-2017-6838 (Integer overflow in sfcommands/sfconvert.c in Audio File Library (aka ...) {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/ NOTE: https://github.com/mpruett/audiofile/issues/41 NOTE: https://github.com/antlarr/audiofile/commit/7d65f89defb092b63bcbc5d98349fb222ca73b3c NOTE: https://github.com/antlarr/audiofile/commit/ce536d707b8e2a26baca77320398c45238224ca7 CVE-2017-6837 (WAVE.cpp in Audio File Library (aka audiofile) 0.3.6 allows remote att ...) {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes/ NOTE: https://github.com/mpruett/audiofile/issues/41 NOTE: https://github.com/antlarr/audiofile/commit/c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 CVE-2017-6836 (Heap-based buffer overflow in the Expand3To4Module::run function in li ...) {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-expand3to4modulerun-simplemodule-h NOTE: https://github.com/mpruett/audiofile/issues/40 NOTE: https://github.com/mpruett/audiofile/commit/7d65f89defb092b63bcbc5d98349fb222ca73b3c NOTE: https://github.com/antlarr/audiofile/commit/ce536d707b8e2a26baca77320398c45238224ca7 CVE-2017-6835 (The reset1 function in libaudiofile/modules/BlockCodec.cpp in Audio Fi ...) 
{DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecreset1-blockcodec-cpp NOTE: https://github.com/mpruett/audiofile/issues/39 NOTE: https://github.com/mpruett/audiofile/commit/c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 CVE-2017-6834 (Heap-based buffer overflow in the ulaw2linear_buf function in G711.cpp ...) {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-ulaw2linear_buf-g711-cpp NOTE: https://github.com/mpruett/audiofile/issues/38 NOTE: https://github.com/mpruett/audiofile/commit/7d65f89defb092b63bcbc5d98349fb222ca73b3c NOTE: https://github.com/antlarr/audiofile/commit/ce536d707b8e2a26baca77320398c45238224ca7 CVE-2017-6833 (The runPull function in libaudiofile/modules/BlockCodec.cpp in Audio F ...) {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-divide-by-zero-in-blockcodecrunpull-blockcodec-cpp NOTE: https://github.com/mpruett/audiofile/issues/37 NOTE: https://github.com/mpruett/audiofile/commit/c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 CVE-2017-6832 (Heap-based buffer overflow in the decodeBlock in MSADPCM.cpp in Audio ...) {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcmdecodeblock-msadpcm-cpp NOTE: https://github.com/mpruett/audiofile/issues/36 NOTE: https://github.com/mpruett/audiofile/commit/c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 CVE-2017-6831 (Heap-based buffer overflow in the decodeBlockWAVE function in IMA.cpp ...) 
{DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-imadecodeblockwave-ima-cpp NOTE: https://github.com/mpruett/audiofile/issues/35 NOTE: https://github.com/antlarr/audiofile/commit/a2e9eab8ea87c4ffc494d839ebb4ea145eb9f2e6 CVE-2017-6830 (Heap-based buffer overflow in the alaw2linear_buf function in G711.cpp ...) {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-alaw2linear_buf-g711-cpp NOTE: https://github.com/mpruett/audiofile/issues/34 NOTE: https://github.com/mpruett/audiofile/commit/7d65f89defb092b63bcbc5d98349fb222ca73b3c NOTE: https://github.com/antlarr/audiofile/commit/ce536d707b8e2a26baca77320398c45238224ca7 CVE-2017-6829 (The decodeSample function in IMA.cpp in Audio File Library (aka audiof ...) {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://github.com/mpruett/audiofile/issues/33 NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-global-buffer-overflow-in-decodesample-ima-cpp NOTE: https://github.com/mpruett/audiofile/pull/43/commits/25eb00ce913452c2e614548d7df93070bf0d066f CVE-2017-6828 (Heap-based buffer overflow in the readValue function in FileHandle.cpp ...) {DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://github.com/mpruett/audiofile/issues/31 NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-readvalue-filehandle-cpp NOTE: https://github.com/mpruett/audiofile/commit/c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 CVE-2017-6827 (Heap-based buffer overflow in the MSADPCM::initializeCoefficients func ...) 
{DSA-3814-1 DLA-867-1} - audiofile 0.3.6-4 (bug #857651) NOTE: https://github.com/mpruett/audiofile/issues/32 NOTE: https://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-msadpcminitializecoefficients-msadpcm-cpp NOTE: https://github.com/mpruett/audiofile/commit/c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 CVE-2017-XXXX [Server certificates are not verified] - profanity 0.5.1-1 (bug #857546) [jessie] - profanity (Minor issue) NOTE: https://github.com/boothj5/profanity/issues/280 CVE-2017-7191 (The netjoin processing in Irssi 1.x before 1.0.2 allows attackers to c ...) - irssi 1.0.2-1 (bug #857502) [jessie] - irssi (Different code path caused the netjoins to be flushed prior to reaching use-after-free condition) [wheezy] - irssi (Different code path caused the netjoins to be flushed prior to reaching use-after-free condition) NOTE: https://irssi.org/security/irssi_sa_2017_03.txt NOTE: https://github.com/irssi/irssi/commit/77b2631c78461965bc9a7414aae206b5c514e1b3 CVE-2017-6826 RESERVED CVE-2017-6825 RESERVED CVE-2017-6824 RESERVED CVE-2017-6823 (Fiyo CMS 2.0.6.1 allows remote authenticated users to gain privileges ...) NOT-FOR-US: Fiyo CMS CVE-2017-6822 RESERVED CVE-2017-6821 (Directory traversal vulnerability in Zimbra Collaboration Suite (aka Z ...) NOT-FOR-US: Zimbra CVE-2017-6820 (rcube_utils.php in Roundcube before 1.1.8 and 1.2.x before 1.2.4 is su ...) {DLA-855-1} - roundcube 1.2.3+dfsg.1-3 (bug #857473) NOTE: https://github.com/roundcube/roundcubemail/commit/fa2824fdcd44af3f970b2797feb47652482c8305 NOTE: https://github.com/roundcube/roundcubemail/commit/cbd35626f7db7855f3b5e2db00d28ecc1554e9f4 NOTE: https://github.com/roundcube/roundcubemail/wiki/Changelog#release-124 NOTE: https://github.com/roundcube/roundcubemail/releases/tag/1.1.8 CVE-2017-6813 (A service provided by Zimbra Collaboration Suite (ZCS) before 8.7.6 fa ...) NOT-FOR-US: Zimbra CVE-2017-6812 (paintballrefjosh/MaNGOSWebV4 4.0.8 is vulnerable to a reflected XSS in ...) 
NOT-FOR-US: MaNGOSWebV4 CVE-2017-6811 (paintballrefjosh/MaNGOSWebV4 4.0.8 is vulnerable to a reflected XSS in ...) NOT-FOR-US: MaNGOSWebV4 CVE-2017-6810 (paintballrefjosh/MaNGOSWebV4 4.0.8 is vulnerable to a reflected XSS in ...) NOT-FOR-US: MaNGOSWebV4 CVE-2017-6809 (paintballrefjosh/MaNGOSWebV4 4.0.8 is vulnerable to a reflected XSS in ...) NOT-FOR-US: MaNGOSWebV4 CVE-2017-6808 (paintballrefjosh/MaNGOSWebV4 4.0.8 is vulnerable to a reflected XSS in ...) NOT-FOR-US: MaNGOSWebV4 CVE-2017-6807 (mod_auth_mellon before 0.13.1 is vulnerable to a Cross-Site Session Tr ...) - libapache2-mod-auth-mellon 0.12.0-2 [jessie] - libapache2-mod-auth-mellon (Minor issue) CVE-2017-6806 RESERVED CVE-2017-6805 (Directory traversal vulnerability in the TFTP server in MobaXterm Pers ...) NOT-FOR-US: MobaXterm CVE-2017-6804 REJECTED CVE-2017-6803 (Multiple cross-site request forgery (CSRF) vulnerabilities in the web ...) NOT-FOR-US: SolarWinds (formerly Serv-U) FTP Voyager CVE-2017-6798 (Trend Micro Endpoint Sensor 1.6 before b1290 has a DLL hijacking vulne ...) NOT-FOR-US: Trend Micro Endpoint Sensor CVE-2017-6802 (An issue was discovered in ytnef before 1.9.2. There is a potential he ...) {DSA-3846-1 DLA-878-1} - libytnef 1.9.2-1 NOTE: Fixed by: https://github.com/Yeraze/ytnef/commit/22f8346c8d4f0020a40d9f258fdb3bfc097359cc CVE-2017-6801 (An issue was discovered in ytnef before 1.9.2. There is a potential ou ...) {DSA-3846-1 DLA-878-1} - libytnef 1.9.2-1 NOTE: Fixed by: https://github.com/Yeraze/ytnef/commit/3cb0f914d6427073f262e1b2b5fd973e3043cdf7 CVE-2017-6800 (An issue was discovered in ytnef before 1.9.2. An invalid memory acces ...) {DSA-3846-1} - libytnef 1.9.2-1 [wheezy] - libytnef (vulnerable code not present) NOTE: Fixed by: https://github.com/Yeraze/ytnef/commit/f98f5d4adc1c4bd4033638f6167c1bb95d642f89 CVE-2017-6799 (A cross-site scripting (XSS) vulnerability in view_filters_page.php in ...) 
- mantis (Vulnerable versions only 2.1.0 through 2.2.0) [wheezy] - mantis (Unsupported in Wheezy LTS) NOTE: https://github.com/mantisbt/mantisbt/commit/1677251434b6e8b2be8f1d4376a3e78f7be14d95 NOTE: http://www.mantisbt.org/bugs/view.php?id=22497 CVE-2017-6797 (A cross-site scripting (XSS) vulnerability in bug_change_status_page.p ...) - mantis [wheezy] - mantis (Unsupported in Wheezy LTS) NOTE: https://github.com/mantisbt/mantisbt/commit/a2d90ecabf3bcf3aa22ed9dbbecfd3d37902956f NOTE: https://github.com/mantisbt/mantisbt/commit/c272c3f65da9677e505ff692b1f1e476b3afa56e NOTE: http://www.mantisbt.org/bugs/view.php?id=22486 CVE-2017-6796 (A vulnerability in the USB-modem code of Cisco IOS XE Software running ...) NOT-FOR-US: Cisco CVE-2017-6795 (A vulnerability in the USB-modem code of Cisco IOS XE Software running ...) NOT-FOR-US: Cisco CVE-2017-6794 (A vulnerability in the CLI command-parsing code of Cisco Meeting Serve ...) NOT-FOR-US: Cisco CVE-2017-6793 (A vulnerability in the Inventory Management feature of Cisco Prime Col ...) NOT-FOR-US: Cisco CVE-2017-6792 (A vulnerability in the batch provisioning feature in Cisco Prime Colla ...) NOT-FOR-US: Cisco CVE-2017-6791 (A vulnerability in the Trust Verification Service (TVS) of Cisco Unifi ...) NOT-FOR-US: Cisco CVE-2017-6790 (A vulnerability in the Session Initiation Protocol (SIP) on the Cisco ...) NOT-FOR-US: Cisco CVE-2017-6789 (A vulnerability in the Cisco Unified Intelligence Center web interface ...) NOT-FOR-US: Cisco CVE-2017-6788 (The WebLaunch functionality of Cisco AnyConnect Secure Mobility Client ...) NOT-FOR-US: Cisco CVE-2017-6787 RESERVED CVE-2017-6786 (A vulnerability in Cisco Elastic Services Controller could allow an au ...) NOT-FOR-US: Cisco CVE-2017-6785 (A vulnerability in configuration modification permissions validation f ...) NOT-FOR-US: Cisco CVE-2017-6784 (A vulnerability in the web interface of the Cisco RV340, RV345, and RV ...) 
NOT-FOR-US: Cisco CVE-2017-6783 (A vulnerability in SNMP polling for the Cisco Web Security Appliance ( ...) NOT-FOR-US: Cisco CVE-2017-6782 (A vulnerability in the administrative web interface of Cisco Prime Inf ...) NOT-FOR-US: Cisco CVE-2017-6781 (A vulnerability in the management of shell user accounts for Cisco Pol ...) NOT-FOR-US: Cisco CVE-2017-6780 (A vulnerability in the TCP throttling process for Cisco IoT Field Netw ...) NOT-FOR-US: Cisco CVE-2017-6779 (Multiple Cisco products are affected by a vulnerability in local file ...) NOT-FOR-US: Cisco CVE-2017-6778 (A vulnerability in the Elastic Services Controller (ESC) web interface ...) NOT-FOR-US: Cisco CVE-2017-6777 (A vulnerability in the ConfD server of the Cisco Elastic Services Cont ...) NOT-FOR-US: Cisco CVE-2017-6776 (A vulnerability in the web framework of Cisco Elastic Services Control ...) NOT-FOR-US: Cisco CVE-2017-6775 (A vulnerability in the CLI of Cisco ASR 5000 Series Aggregated Service ...) NOT-FOR-US: Cisco CVE-2017-6774 (A vulnerability in Cisco ASR 5000 Series Aggregated Services Routers r ...) NOT-FOR-US: Cisco CVE-2017-6773 (A vulnerability in the CLI of Cisco ASR 5000 Series Aggregated Service ...) NOT-FOR-US: Cisco CVE-2017-6772 (A vulnerability in Cisco Elastic Services Controller (ESC) could allow ...) NOT-FOR-US: Cisco CVE-2017-6771 (A vulnerability in the AutoVNF automation tool of the Cisco Ultra Serv ...) NOT-FOR-US: Cisco CVE-2017-6770 (Cisco IOS 12.0 through 15.6, Adaptive Security Appliance (ASA) Softwar ...) NOT-FOR-US: Cisco CVE-2017-6769 (A vulnerability in the web-based management interface of the Cisco Sec ...) NOT-FOR-US: Cisco CVE-2017-6768 (A vulnerability in the build procedure for certain executable system f ...) NOT-FOR-US: Cisco CVE-2017-6767 (A vulnerability in Cisco Application Policy Infrastructure Controller ...) NOT-FOR-US: Cisco CVE-2017-6766 (A vulnerability in the Secure Sockets Layer (SSL) Decryption and Inspe ...) 
NOT-FOR-US: Cisco CVE-2017-6765 (A vulnerability in the web-based management interface of Cisco Adaptiv ...) NOT-FOR-US: Cisco CVE-2017-6764 (A vulnerability in the web-based management interface of Cisco Adaptiv ...) NOT-FOR-US: Cisco CVE-2017-6763 (A vulnerability in the implementation of the H.264 protocol in Cisco M ...) NOT-FOR-US: Cisco CVE-2017-6762 (A vulnerability in the web-based management interface of Cisco Jabber ...) NOT-FOR-US: Cisco CVE-2017-6761 (A vulnerability in the web-based management interface of Cisco Finesse ...) NOT-FOR-US: Cisco CVE-2017-6760 RESERVED CVE-2017-6759 (A vulnerability in the UpgradeManager of the Cisco Prime Collaboration ...) NOT-FOR-US: Cisco CVE-2017-6758 (A vulnerability in the web framework of Cisco Unified Communications M ...) NOT-FOR-US: Cisco CVE-2017-6757 (A vulnerability in Cisco Unified Communications Manager 10.5(2.10000.5 ...) NOT-FOR-US: Cisco CVE-2017-6756 (A vulnerability in the Web UI Application of the Cisco Prime Collabora ...) NOT-FOR-US: Cisco CVE-2017-6755 (A vulnerability in the web portal of the Cisco Prime Collaboration Pro ...) NOT-FOR-US: Cisco CVE-2017-6754 (A vulnerability in the web-based management interface of the Cisco Sma ...) NOT-FOR-US: Cisco CVE-2017-6753 (A vulnerability in Cisco WebEx browser extensions for Google Chrome an ...) NOT-FOR-US: Cisco CVE-2017-6752 (A vulnerability in the web interface of the Cisco Adaptive Security Ap ...) NOT-FOR-US: Cisco CVE-2017-6751 (A vulnerability in the web proxy functionality of the Cisco Web Securi ...) NOT-FOR-US: Cisco CVE-2017-6750 (A vulnerability in AsyncOS for the Cisco Web Security Appliance (WSA) ...) NOT-FOR-US: Cisco CVE-2017-6749 (A vulnerability in the web-based management interface of Cisco Web Sec ...) NOT-FOR-US: Cisco CVE-2017-6748 (A vulnerability in the CLI parser of the Cisco Web Security Appliance ...) NOT-FOR-US: Cisco CVE-2017-6747 (A vulnerability in the authentication module of Cisco Identity Service ...) 
NOT-FOR-US: Cisco CVE-2017-6746 (A vulnerability in the web interface of the Cisco Web Security Applian ...) NOT-FOR-US: Cisco CVE-2017-6745 (A vulnerability in the cache server within Cisco Videoscape Distributi ...) NOT-FOR-US: Cisco CVE-2017-6744 (The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 1 ...) NOT-FOR-US: Cisco CVE-2017-6743 (The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 1 ...) NOT-FOR-US: Cisco CVE-2017-6742 (The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 1 ...) NOT-FOR-US: Cisco CVE-2017-6741 (The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 1 ...) NOT-FOR-US: Cisco CVE-2017-6740 (The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 1 ...) NOT-FOR-US: Cisco CVE-2017-6739 (The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 1 ...) NOT-FOR-US: Cisco CVE-2017-6738 (The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 1 ...) NOT-FOR-US: Cisco CVE-2017-6737 (The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 1 ...) NOT-FOR-US: Cisco CVE-2017-6736 (The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS 1 ...) NOT-FOR-US: Cisco CVE-2017-6735 (A vulnerability in the backup and restore functionality of Cisco FireS ...) NOT-FOR-US: Cisco CVE-2017-6734 (A vulnerability in the web-based management interface of Cisco Identit ...) NOT-FOR-US: Cisco CVE-2017-6733 (A vulnerability in the web-based application interface of the Cisco Id ...) NOT-FOR-US: Cisco CVE-2017-6732 (A vulnerability in the installation procedure for Cisco Prime Network ...) NOT-FOR-US: Cisco CVE-2017-6731 (A vulnerability in Multicast Source Discovery Protocol (MSDP) ingress ...) NOT-FOR-US: Cisco CVE-2017-6730 (A vulnerability in the web-based GUI of Cisco Wide Area Application Se ...) NOT-FOR-US: Cisco CVE-2017-6729 (A vulnerability in the Border Gateway Protocol (BGP) processing functi ...) 
NOT-FOR-US: Cisco CVE-2017-6728 (A vulnerability in the CLI of Cisco IOS XR Software could allow an aut ...) NOT-FOR-US: Cisco CVE-2017-6727 (A vulnerability in the Server Message Block (SMB) protocol of Cisco Wi ...) NOT-FOR-US: Cisco CVE-2017-6726 (A vulnerability in the CLI of the Cisco Prime Network Gateway could al ...) NOT-FOR-US: Cisco CVE-2017-6725 (A vulnerability in the web framework code of Cisco Prime Infrastructur ...) NOT-FOR-US: Cisco CVE-2017-6724 (A vulnerability in the web framework code of Cisco Prime Infrastructur ...) NOT-FOR-US: Cisco CVE-2017-6723 RESERVED CVE-2017-6722 (A vulnerability in the Extensible Messaging and Presence Protocol (XMP ...) NOT-FOR-US: Cisco CVE-2017-6721 (A vulnerability in the ingress processing of fragmented TCP packets by ...) NOT-FOR-US: Cisco CVE-2017-6720 (A vulnerability in the Secure Shell (SSH) subsystem of Cisco Small Bus ...) NOT-FOR-US: Cisco CVE-2017-6719 (A vulnerability in the CLI of Cisco IOS XR Software could allow an aut ...) NOT-FOR-US: Cisco CVE-2017-6718 (A vulnerability in the CLI of Cisco IOS XR Software could allow an aut ...) NOT-FOR-US: Cisco CVE-2017-6717 (A vulnerability in the web framework of Cisco Firepower Management Cen ...) NOT-FOR-US: Cisco CVE-2017-6716 (A vulnerability in the web framework code of Cisco Firepower Managemen ...) NOT-FOR-US: Cisco CVE-2017-6715 (A vulnerability in the web framework of Cisco Firepower Management Cen ...) NOT-FOR-US: Cisco CVE-2017-6714 (A vulnerability in the AutoIT service of Cisco Ultra Services Framewor ...) NOT-FOR-US: Cisco CVE-2017-6713 (A vulnerability in the Play Framework of Cisco Elastic Services Contro ...) NOT-FOR-US: Cisco CVE-2017-6712 (A vulnerability in certain commands of Cisco Elastic Services Controll ...) NOT-FOR-US: Cisco CVE-2017-6711 (A vulnerability in the Ultra Automation Service (UAS) of the Cisco Ult ...) NOT-FOR-US: Cisco CVE-2017-6710 (A vulnerability in the Cisco Virtual Network Function (VNF) Element Ma ...) 
NOT-FOR-US: Cisco CVE-2017-6709 (A vulnerability in the AutoVNF tool for the Cisco Ultra Services Frame ...) NOT-FOR-US: Cisco CVE-2017-6708 (A vulnerability in the symbolic link (symlink) creation functionality ...) NOT-FOR-US: Cisco CVE-2017-6707 (A vulnerability in the CLI command-parsing code of the Cisco StarOS op ...) NOT-FOR-US: Cisco CVE-2017-6706 (A vulnerability in the logging subsystem of the Cisco Prime Collaborat ...) NOT-FOR-US: Cisco CVE-2017-6705 (A vulnerability in the filesystem of the Cisco Prime Collaboration Pro ...) NOT-FOR-US: Cisco CVE-2017-6704 (A vulnerability in the web application in the Cisco Prime Collaboratio ...) NOT-FOR-US: Cisco CVE-2017-6703 (A vulnerability in the web application in the Cisco Prime Collaboratio ...) NOT-FOR-US: Cisco CVE-2017-6702 (A vulnerability in the web framework of Cisco SocialMiner could allow ...) NOT-FOR-US: Cisco CVE-2017-6701 (A vulnerability in the web application interface of the Cisco Identity ...) NOT-FOR-US: Cisco CVE-2017-6700 (A vulnerability in the web-based management interface of Cisco Prime I ...) NOT-FOR-US: Cisco CVE-2017-6699 (A vulnerability in the web-based management interface of Cisco Prime I ...) NOT-FOR-US: Cisco CVE-2017-6698 (A vulnerability in the Cisco Prime Infrastructure (PI) and Evolved Pro ...) NOT-FOR-US: Cisco CVE-2017-6697 (A vulnerability in the web interface of Cisco Elastic Services Control ...) NOT-FOR-US: Cisco CVE-2017-6696 (A vulnerability in the file system of Cisco Elastic Services Controlle ...) NOT-FOR-US: Cisco CVE-2017-6695 (A vulnerability in the ConfD server in Cisco Ultra Services Platform c ...) NOT-FOR-US: Cisco CVE-2017-6694 (A vulnerability in the Virtual Network Function Manager's (VNFM) loggi ...) NOT-FOR-US: Cisco CVE-2017-6693 (A vulnerability in the ConfD server component of Cisco Elastic Service ...) NOT-FOR-US: Cisco CVE-2017-6692 (A vulnerability in Cisco Ultra Services Framework Element Manager coul ...) 
NOT-FOR-US: Cisco CVE-2017-6691 (A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers ...) NOT-FOR-US: Cisco CVE-2017-6690 (A vulnerability in the file check operation of Cisco ASR 5000 Series A ...) NOT-FOR-US: Cisco CVE-2017-6689 (A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers ...) NOT-FOR-US: Cisco CVE-2017-6688 (A vulnerability in Cisco Elastic Services Controllers could allow an a ...) NOT-FOR-US: Cisco CVE-2017-6687 (A vulnerability in Cisco Ultra Services Framework Element Manager coul ...) NOT-FOR-US: Cisco CVE-2017-6686 (A vulnerability in Cisco Ultra Services Framework Element Manager coul ...) NOT-FOR-US: Cisco CVE-2017-6685 (A vulnerability in Cisco Ultra Services Framework Staging Server could ...) NOT-FOR-US: Cisco CVE-2017-6684 (A vulnerability in Cisco Elastic Services Controllers could allow an a ...) NOT-FOR-US: Cisco CVE-2017-6683 (A vulnerability in the esc_listener.py script of Cisco Elastic Service ...) NOT-FOR-US: Cisco CVE-2017-6682 (A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers ...) NOT-FOR-US: Cisco CVE-2017-6681 (A vulnerability in the AutoVNF VNFStagingView class of Cisco Ultra Ser ...) NOT-FOR-US: Cisco CVE-2017-6680 (A vulnerability in the AutoVNF logging function of Cisco Ultra Service ...) NOT-FOR-US: Cisco CVE-2017-6679 (The Cisco Umbrella Virtual Appliance Version 2.0.3 and prior contained ...) NOT-FOR-US: Cisco CVE-2017-6678 (A vulnerability in the ingress UDP packet processing functionality of ...) NOT-FOR-US: Cisco CVE-2017-6677 RESERVED CVE-2017-6676 RESERVED CVE-2017-6675 (A vulnerability in the web interface of Cisco Industrial Network Direc ...) NOT-FOR-US: Cisco CVE-2017-6674 (A vulnerability in the feature-license management functionality of Cis ...) NOT-FOR-US: Cisco CVE-2017-6673 (A vulnerability in Cisco Firepower Management Center could allow an au ...) 
NOT-FOR-US: Cisco CVE-2017-6672 (A vulnerability in certain filtering mechanisms of access control list ...) NOT-FOR-US: Cisco CVE-2017-6671 (A vulnerability in the email message scanning of Cisco AsyncOS Softwar ...) NOT-FOR-US: Cisco CVE-2017-6670 (A vulnerability in the web-based GUI of Cisco Unified Communications D ...) NOT-FOR-US: Cisco CVE-2017-6669 (Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Netw ...) NOT-FOR-US: Cisco CVE-2017-6668 (Vulnerabilities in the web-based GUI of Cisco Unified Communications D ...) NOT-FOR-US: Cisco CVE-2017-6667 (A vulnerability in the update process for the dynamic JAR file of the ...) NOT-FOR-US: Cisco CVE-2017-6666 (A vulnerability in the forwarding component of Cisco IOS XR Software f ...) NOT-FOR-US: Cisco CVE-2017-6665 (A vulnerability in the Autonomic Networking feature of Cisco IOS Softw ...) NOT-FOR-US: Cisco CVE-2017-6664 (A vulnerability in the Autonomic Networking feature of Cisco IOS XE So ...) NOT-FOR-US: Cisco CVE-2017-6663 (A vulnerability in the Autonomic Networking feature of Cisco IOS Softw ...) NOT-FOR-US: Cisco CVE-2017-6662 (A vulnerability in the web-based user interface of Cisco Prime Infrast ...) NOT-FOR-US: Cisco CVE-2017-6661 (A vulnerability in the web-based management interface of Cisco Email S ...) NOT-FOR-US: Cisco CVE-2017-6660 RESERVED CVE-2017-6659 (A vulnerability in the web-based management interface of Cisco Prime C ...) NOT-FOR-US: Cisco CVE-2017-6658 (Cisco Sourcefire Snort 3.0 before build 233 has a Buffer Overread rela ...) NOT-FOR-US: Cisco CVE-2017-6657 (Cisco Sourcefire Snort 3.0 before build 233 mishandles Ether Type Vali ...) NOT-FOR-US: Cisco CVE-2017-6656 (A vulnerability in Session Initiation Protocol (SIP) call handling of ...) NOT-FOR-US: Cisco CVE-2017-6655 (A vulnerability in the Fibre Channel over Ethernet (FCoE) protocol imp ...) NOT-FOR-US: Cisco CVE-2017-6654 (A vulnerability in the web-based management interface of Cisco Unified ...) 
NOT-FOR-US: Cisco CVE-2017-6653 (A vulnerability in the TCP throttling process for the GUI of the Cisco ...) NOT-FOR-US: Cisco CVE-2017-6652 (A vulnerability in the web framework of the Cisco TelePresence IX5000 ...) NOT-FOR-US: Cisco CVE-2017-6651 (A vulnerability in Cisco WebEx Meetings Server could allow unauthentic ...) NOT-FOR-US: Cisco CVE-2017-6650 (A vulnerability in the Telnet CLI command of Cisco NX-OS System Softwa ...) NOT-FOR-US: Cisco CVE-2017-6649 (A vulnerability in the CLI of Cisco NX-OS System Software 7.1 through ...) NOT-FOR-US: Cisco CVE-2017-6648 (A vulnerability in the Session Initiation Protocol (SIP) of the Cisco ...) NOT-FOR-US: Cisco CVE-2017-6647 (A vulnerability in the web interface of Cisco Remote Expert Manager So ...) NOT-FOR-US: Cisco CVE-2017-6646 (A vulnerability in the web interface of Cisco Remote Expert Manager So ...) NOT-FOR-US: Cisco CVE-2017-6645 (A vulnerability in the web interface of Cisco Remote Expert Manager So ...) NOT-FOR-US: Cisco CVE-2017-6644 (A vulnerability in the web interface of Cisco Remote Expert Manager So ...) NOT-FOR-US: Cisco CVE-2017-6643 (A vulnerability in the web interface of Cisco Remote Expert Manager So ...) NOT-FOR-US: Cisco CVE-2017-6642 (A vulnerability in the web interface of Cisco Remote Expert Manager So ...) NOT-FOR-US: Cisco CVE-2017-6641 (A vulnerability in the TCP connection handling functionality of Cisco ...) NOT-FOR-US: Cisco CVE-2017-6640 (A vulnerability in Cisco Prime Data Center Network Manager (DCNM) Soft ...) NOT-FOR-US: Cisco CVE-2017-6639 (A vulnerability in the role-based access control (RBAC) functionality ...) NOT-FOR-US: Cisco CVE-2017-6638 (A vulnerability in how DLL files are loaded with Cisco AnyConnect Secu ...) NOT-FOR-US: Cisco CVE-2017-6637 (A vulnerability in the web interface of Cisco Prime Collaboration Prov ...) NOT-FOR-US: Cisco CVE-2017-6636 (A vulnerability in the web interface of Cisco Prime Collaboration Prov ...) 
NOT-FOR-US: Cisco CVE-2017-6635 (A vulnerability in the web interface of Cisco Prime Collaboration Prov ...) NOT-FOR-US: Cisco CVE-2017-6634 (A vulnerability in the Device Manager web interface of Cisco Industria ...) NOT-FOR-US: Cisco CVE-2017-6633 (A vulnerability in the TCP throttling process of Cisco UCS C-Series Ra ...) NOT-FOR-US: Cisco CVE-2017-6632 (A vulnerability in the logging configuration of Secure Sockets Layer ( ...) NOT-FOR-US: Cisco CVE-2017-6631 (A vulnerability in the HTTP remote procedure call (RPC) service of set ...) NOT-FOR-US: Cisco CVE-2017-6630 (A vulnerability in the Session Initiation Protocol (SIP) implementatio ...) NOT-FOR-US: Cisco CVE-2017-6629 (A vulnerability in the ImageID parameter of Cisco Unity Connection 10. ...) NOT-FOR-US: Cisco CVE-2017-6628 (A vulnerability in SMART-SSL Accelerator functionality for Cisco Wide ...) NOT-FOR-US: Cisco CVE-2017-6627 (A vulnerability in the UDP processing code of Cisco IOS 15.1, 15.2, an ...) NOT-FOR-US: Cisco CVE-2017-6626 (A vulnerability in the Cisco Finesse Notification Service for Cisco Un ...) NOT-FOR-US: Cisco CVE-2017-6625 (A "Cisco Firepower Threat Defense 6.0.0 through 6.2.2 and Cisco ASA wi ...) NOT-FOR-US: Cisco CVE-2017-6624 (A vulnerability in Cisco IOS 15.5(3)M Software for Cisco CallManager E ...) NOT-FOR-US: Cisco CVE-2017-6623 (A vulnerability in a script file that is installed as part of the Cisc ...) NOT-FOR-US: Cisco CVE-2017-6622 (A vulnerability in the web interface for Cisco Prime Collaboration Pro ...) NOT-FOR-US: Cisco CVE-2017-6621 (A vulnerability in the web interface of Cisco Prime Collaboration Prov ...) NOT-FOR-US: Cisco CVE-2017-6620 (A vulnerability in the remote management access control list (ACL) fea ...) NOT-FOR-US: Cisco CVE-2017-6619 (A vulnerability in the web-based GUI of Cisco Integrated Management Co ...) NOT-FOR-US: Cisco CVE-2017-6618 (A vulnerability in the web-based GUI of Cisco Integrated Management Co ...) 
NOT-FOR-US: Cisco CVE-2017-6617 (A vulnerability in the session identification management functionality ...) NOT-FOR-US: Cisco CVE-2017-6616 (A vulnerability in the web-based GUI of Cisco Integrated Management Co ...) NOT-FOR-US: Cisco CVE-2017-6615 (A vulnerability in the Simple Network Management Protocol (SNMP) subsy ...) NOT-FOR-US: Cisco CVE-2017-6614 (A vulnerability in the file-download feature of the web user interface ...) NOT-FOR-US: Cisco CVE-2017-6613 (A vulnerability in the DNS input packet processor for Cisco Prime Netw ...) NOT-FOR-US: Cisco CVE-2017-6612 (A vulnerability in the gateway GPRS support node (GGSN) of Cisco ASR 5 ...) NOT-FOR-US: Cisco CVE-2017-6611 (A vulnerability in the web framework code of Cisco Prime Infrastructur ...) NOT-FOR-US: Cisco CVE-2017-6610 (A vulnerability in the Internet Key Exchange Version 1 (IKEv1) XAUTH c ...) NOT-FOR-US: Cisco CVE-2017-6609 (A vulnerability in the IPsec code of Cisco ASA Software could allow an ...) NOT-FOR-US: Cisco CVE-2017-6608 (A vulnerability in the Secure Sockets Layer (SSL) and Transport Layer ...) NOT-FOR-US: Cisco CVE-2017-6607 (A vulnerability in the DNS code of Cisco ASA Software could allow an u ...) NOT-FOR-US: Cisco CVE-2017-6606 (A vulnerability in a startup script of Cisco IOS XE Software could all ...) NOT-FOR-US: Cisco CVE-2017-6605 (A vulnerability in the web-based management interface of Cisco Identit ...) NOT-FOR-US: Cisco CVE-2017-6604 (A vulnerability in the web interface of Cisco Integrated Management Co ...) NOT-FOR-US: Cisco CVE-2017-6603 (A vulnerability in Cisco ASR 903 or ASR 920 Series Devices running wit ...) NOT-FOR-US: Cisco CVE-2017-6602 (A vulnerability in the CLI of Cisco Unified Computing System (UCS) Man ...) NOT-FOR-US: Cisco CVE-2017-6601 (A vulnerability in the CLI of the Cisco Unified Computing System (UCS) ...) NOT-FOR-US: Cisco CVE-2017-6600 (A vulnerability in the CLI of the Cisco Unified Computing System (UCS) ...) 
NOT-FOR-US: Cisco CVE-2017-6599 (A vulnerability in Google-defined remote procedure call (gRPC) handlin ...) NOT-FOR-US: Cisco CVE-2017-6598 (A vulnerability in the debug plug-in functionality of the Cisco Unifie ...) NOT-FOR-US: Cisco CVE-2017-6597 (A vulnerability in the local-mgmt CLI command of the Cisco Unified Com ...) NOT-FOR-US: Cisco CVE-2017-6596 (partclone.chkimg in partclone 0.2.89 is prone to a heap-based buffer o ...) {DLA-923-1} [experimental] - partclone 0.2.90-1 - partclone 0.2.89-3 (bug #857966) [jessie] - partclone (Minor issue) NOTE: https://github.com/insidej/Partclone_HeapOverFlow/blob/master/README.md NOTE: https://github.com/Thomas-Tsai/partclone/issues/91 NOTE: https://github.com/Thomas-Tsai/partclone/commit/2d6bcfd8016dc6090090934bab71c663d9a4d36d NOTE: https://github.com/Thomas-Tsai/partclone/commit/96401fb5b7221fc5f44df7079485c395f9c3a428 CVE-2017-6595 RESERVED CVE-2017-6594 (The transit path validation code in Heimdal before 7.3 might allow att ...) - heimdal 7.1.0+dfsg-12 [jessie] - heimdal (Minor issue) [wheezy] - heimdal (Minor issue) NOTE: https://github.com/heimdal/heimdal/commit/b1e699103f08d6a0ca46a122193c9da65f6cf837 NOTE: See https://lists.debian.org/debian-lts/2017/05/msg00010.html CVE-2017-6593 RESERVED CVE-2017-6592 RESERVED CVE-2017-6591 (There is a cross-site scripting vulnerability in django-epiceditor 0.2 ...) NOT-FOR-US: django-epiceditor CVE-2017-6590 (An issue was discovered in network-manager-applet (aka network-manager ...) - network-manager-applet (unimportant) NOTE: Marked as 'unimportant', since not exploitable in Debian, although the source NOTE: would be affected as well for Debian. NOTE: https://bugs.launchpad.net/ubuntu/+source/network-manager-applet/+bug/1668321 CVE-2017-6589 (EpicEditor through 0.2.3 has Cross-Site Scripting because of an insecu ...) 
NOT-FOR-US: django-epiceditor CVE-2017-6588 RESERVED CVE-2017-6587 RESERVED CVE-2017-6586 RESERVED CVE-2017-6585 RESERVED CVE-2017-6584 RESERVED CVE-2017-6583 RESERVED CVE-2017-6582 RESERVED CVE-2017-6581 RESERVED CVE-2017-6580 RESERVED CVE-2017-6579 RESERVED CVE-2017-6578 (A SQL injection issue is exploitable, with WordPress admin access, in ...) NOT-FOR-US: Mail Masta (aka mail-masta) plugin 1.0 for WordPress CVE-2017-6577 (A SQL injection issue is exploitable, with WordPress admin access, in ...) NOT-FOR-US: Mail Masta (aka mail-masta) plugin 1.0 for WordPress CVE-2017-6576 (A SQL injection issue is exploitable, with WordPress admin access, in ...) NOT-FOR-US: Mail Masta (aka mail-masta) plugin 1.0 for WordPress CVE-2017-6575 (A SQL injection issue is exploitable, with WordPress admin access, in ...) NOT-FOR-US: Mail Masta (aka mail-masta) plugin 1.0 for WordPress CVE-2017-6574 (A SQL injection issue is exploitable, with WordPress admin access, in ...) NOT-FOR-US: Mail Masta (aka mail-masta) plugin 1.0 for WordPress CVE-2017-6573 (A SQL injection issue is exploitable, with WordPress admin access, in ...) NOT-FOR-US: Mail Masta (aka mail-masta) plugin 1.0 for WordPress CVE-2017-6572 (A SQL injection issue is exploitable, with WordPress admin access, in ...) NOT-FOR-US: Mail Masta (aka mail-masta) plugin 1.0 for WordPress CVE-2017-6571 (A SQL injection issue is exploitable, with WordPress admin access, in ...) NOT-FOR-US: Mail Masta (aka mail-masta) plugin 1.0 for WordPress CVE-2017-6570 (A SQL injection issue is exploitable, with WordPress admin access, in ...) NOT-FOR-US: Mail Masta (aka mail-masta) plugin 1.0 for WordPress CVE-2017-6569 RESERVED CVE-2017-6568 RESERVED CVE-2017-6567 RESERVED CVE-2017-6566 RESERVED CVE-2017-6565 (On Franklin Fueling Systems TS-550 evo 2.3.0.7332 devices, the roleDia ...) NOT-FOR-US: Franklin Fueling Systems TS-550 evo CVE-2017-6564 (On Franklin Fueling Systems TS-550 evo 2.3.0.7332 devices, the Guest u ...) 
NOT-FOR-US: Franklin Fueling Systems TS-550 evo CVE-2017-6563 RESERVED CVE-2017-6562 (XSS in Agora-Project 3.2.2 exists with an index.php?ctrl=file&targ ...) NOT-FOR-US: Agora-Project CVE-2017-6561 (XSS in Agora-Project 3.2.2 exists with an index.php?ctrl=object&ac ...) NOT-FOR-US: Agora-Project CVE-2017-6560 (XSS in Agora-Project 3.2.2 exists with an index.php?ctrl=misc&acti ...) NOT-FOR-US: Agora-Project CVE-2017-6559 (XSS in Agora-Project 3.2.2 exists with an index.php?disconnect=1&m ...) NOT-FOR-US: Agora-Project CVE-2017-6558 (iball Baton 150M iB-WRA150N v1 00000001 1.2.6 build 110401 Rel.47776n ...) NOT-FOR-US: iball Baton CVE-2017-6557 (SQL injection vulnerability in ArrayOS before AG 9.4.0.135, when the p ...) NOT-FOR-US: ArrayOS CVE-2017-6556 (Cross-site scripting (XSS) vulnerability in CMS Made Simple (CMSMS) 2. ...) NOT-FOR-US: CMS Made Simple CVE-2017-6555 (Cross-site scripting (XSS) vulnerability in /admin/moduleinterface.php ...) NOT-FOR-US: CMS Made Simple CVE-2017-6554 (pmmasterd in Quest Privilege Manager before 6.0.0.061, when configured ...) NOT-FOR-US: Quest Privilege Manager CVE-2017-6553 (Buffer Overflow in Quest One Identity Privilege Manager for Unix befor ...) NOT-FOR-US: Quest One Identity Privilege Manager for Unix CVE-2017-6552 (Livebox 3 Sagemcom SG30_sip-fr-5.15.8.1 devices have an insufficiently ...) NOT-FOR-US: Livebox 3 Sagemcom CVE-2017-6551 (Pexip Infinity before 14.2 allows remote attackers to cause a denial o ...) NOT-FOR-US: Pexip Infinity CVE-2017-6550 (Multiple SQL injection vulnerabilities in Kinsey Infor-Lawson (formerl ...) NOT-FOR-US: Kinsey Infor-Lawson CVE-2017-6549 (Session hijack vulnerability in httpd on ASUS RT-N56U, RT-N66U, RT-AC6 ...) NOT-FOR-US: ASUS CVE-2017-6548 (Buffer overflows in networkmap on ASUS RT-N56U, RT-N66U, RT-AC66U, RT- ...) NOT-FOR-US: ASUS CVE-2017-6547 (Cross-site scripting (XSS) vulnerability in httpd on ASUS RT-N56U, RT- ...) 
NOT-FOR-US: ASUS CVE-2017-6546 RESERVED CVE-2017-6545 RESERVED CVE-2017-6544 (Gargaj/wuhu through 2017-03-08 is vulnerable to a reflected XSS in wuh ...) NOT-FOR-US: wuhu CVE-2017-6543 (Tenable Nessus before 6.10.2 (as used alone or in Tenable Appliance be ...) NOT-FOR-US: Nessus CVE-2017-6542 (The ssh_agent_channel_data function in PuTTY before 0.68 allows remote ...) - putty 0.67-3 (bug #857642) [jessie] - putty (Minor issue) [wheezy] - putty (Minor issue) NOTE: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-agent-fwd-overflow.html NOTE: Fixed by: https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=4ff22863d895cb7ebfced4cf923a012a614adaa8 (0.68) NOTE: Bug only exploitable if SSH agent forwarding is enabled (not the default) and if NOTE: the attacker is already able to connect to the Unix-domain socket NOTE: representing the forwarded agent connection. CVE-2017-6541 (Multiple Cross-Site Scripting (XSS) issues were discovered in webpaget ...) NOT-FOR-US: webpagetest CVE-2017-6540 (Multiple Cross-Site Scripting (XSS) issues were discovered in webpaget ...) NOT-FOR-US: webpagetest CVE-2017-6539 (Multiple Cross-Site Scripting (XSS) issues were discovered in webpaget ...) NOT-FOR-US: webpagetest CVE-2017-6538 (A Cross-Site Scripting (XSS) issue was discovered in webpagetest 3.0. ...) NOT-FOR-US: webpagetest CVE-2017-6537 (A Cross-Site Scripting (XSS) issue was discovered in webpagetest 3.0. ...) NOT-FOR-US: webpagetest CVE-2017-6536 (Multiple Cross-Site Scripting (XSS) issues were discovered in webpaget ...) NOT-FOR-US: webpagetest CVE-2017-6535 (Multiple Cross-Site Scripting (XSS) issues were discovered in webpaget ...) NOT-FOR-US: webpagetest CVE-2017-6534 (A Cross-Site Scripting (XSS) issue was discovered in webpagetest 3.0. ...) NOT-FOR-US: webpagetest CVE-2017-6533 (A Cross-Site Scripting (XSS) issue was discovered in webpagetest 3.0. ...) 
NOT-FOR-US: webpagetest CVE-2017-6532 (Televes COAXDATA GATEWAY 1Gbps devices doc-wifi-hgw_v1.02.0014 4.20 ha ...) NOT-FOR-US: Televes COAXDATA GATEWAY CVE-2017-6531 (On Televes COAXDATA GATEWAY 1Gbps devices doc-wifi-hgw_v1.02.0014 4.20 ...) NOT-FOR-US: Televes COAXDATA GATEWAY CVE-2017-6530 (Televes COAXDATA GATEWAY 1Gbps devices doc-wifi-hgw_v1.02.0014 4.20 do ...) NOT-FOR-US: Televes COAXDATA GATEWAY CVE-2017-6529 (An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vuln ...) NOT-FOR-US: dnaLIMS CVE-2017-6528 (An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is affe ...) NOT-FOR-US: dnaLIMS CVE-2017-6527 (An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vuln ...) NOT-FOR-US: dnaLIMS CVE-2017-6526 (An issue was discovered in dnaTools dnaLIMS 4-2015s13. dnaLIMS is vuln ...) NOT-FOR-US: dnaLIMS CVE-2017-6525 RESERVED CVE-2017-6524 RESERVED CVE-2017-6523 RESERVED CVE-2017-6522 RESERVED CVE-2017-6521 RESERVED CVE-2017-6520 (The Multicast DNS (mDNS) responder used in BOSE Soundtouch 30 inadvert ...) NOT-FOR-US: Multicast DNS (mDNS) responder used in BOSE Soundtouch 30 CVE-2017-6519 (avahi-daemon in Avahi through 0.6.32 and 0.7 inadvertently responds to ...) - avahi 0.7-5 (unimportant; bug #917047) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1426712 NOTE: https://github.com/lathiat/avahi/issues/203 NOTE: https://github.com/lathiat/avahi/commit/e111def44a7df4624a4aa3f85fe98054bffb6b4f CVE-2017-6518 (Cross-site scripting (XSS) vulnerability in /sanadata/seo/index.asp in ...) NOT-FOR-US: SanaCMS CVE-2017-6517 (Microsoft Skype 7.16.0.102 contains a vulnerability that could allow a ...) NOT-FOR-US: Microsoft CVE-2017-6516 (A Local Privilege Escalation Vulnerability in MagniComp's Sysinfo befo ...) NOT-FOR-US: MagniComp CVE-2017-6515 RESERVED CVE-2017-6514 (WordPress 4.7.2 mishandles listings of post authors, which allows remo ...) 
- wordpress (unimportant) NOTE: No security impact CVE-2017-6513 (The WHMCS Reseller Module V2 2.0.2 in Softaculous Virtualizor before 2 ...) NOT-FOR-US: Softaculous Virtualizor CVE-2017-6512 (Race condition in the rmtree and remove_tree functions in the File-Pat ...) {DSA-3873-1 DLA-978-1} - perl 5.24.1-3 (bug #863870) NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=121951 NOTE: https://github.com/jkeenan/File-Path/commit/e5ef95276ee8ad471c66ee574a5d42552b3a6af2 CVE-2017-6511 (andrzuk/FineCMS before 2017-03-06 is vulnerable to a reflected XSS in ...) NOT-FOR-US: FineCMS CVE-2017-6510 (Easy File Sharing FTP Server version 3.6 is vulnerable to a directory ...) NOT-FOR-US: Easy File Sharing FTP Server CVE-2017-6509 (Smith0r/burgundy-cms before 2017-03-06 is vulnerable to a reflected XS ...) NOT-FOR-US: burgundy-cms CVE-2017-6507 (An issue was discovered in AppArmor before 2.12. Incorrect handling of ...) - apparmor 2.11.0-3 (bug #858768) [jessie] - apparmor (Minor issue) [wheezy] - apparmor (Experimental/unsupported feature) NOTE: http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3647 NOTE: http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3648 NOTE: https://bugs.launchpad.net/apparmor/+bug/1668892 NOTE: affects only third-party rules, e.g. from Docker or LXC NOTE: LXC in wheezy doesn't support proper isolation CVE-2017-6814 (In WordPress before 4.7.3, there is authenticated Cross-Site Scripting ...) {DSA-3815-1 DLA-860-1} - wordpress 4.7.3+dfsg-1 (bug #857026) NOTE: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/ NOTE: https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7 CVE-2017-6815 (In WordPress before 4.7.3 (wp-includes/pluggable.php), control charact ...) 
{DSA-3815-1 DLA-860-1} - wordpress 4.7.3+dfsg-1 (bug #857026) NOTE: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/ NOTE: https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e CVE-2017-6816 (In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can ...) {DSA-3815-1 DLA-860-1} - wordpress 4.7.3+dfsg-1 (bug #857026) NOTE: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/ NOTE: https://github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663 CVE-2017-6817 (In WordPress before 4.7.3 (wp-includes/embed.php), there is authentica ...) {DSA-3815-1} - wordpress 4.7.3+dfsg-1 (bug #857026) [wheezy] - wordpress (vulnerable code was introduced later) NOTE: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/ NOTE: https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8 CVE-2017-6818 (In WordPress before 4.7.3 (wp-admin/js/tags-box.js), there is cross-si ...) - wordpress 4.7.3+dfsg-1 (bug #857026) [jessie] - wordpress (Only affects 4.7.x) [wheezy] - wordpress (Only affects 4.7.x) NOTE: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/ NOTE: https://github.com/WordPress/WordPress/commit/9092fd01e1f452f37c313d38b18f9fe6907541f9 CVE-2017-6819 (In WordPress before 4.7.3, there is cross-site request forgery (CSRF) ...) - wordpress 4.7.3+dfsg-1 (bug #857026) [jessie] - wordpress (Only affects 4.2 and later) [wheezy] - wordpress (Only affects 4.2 and later) NOTE: https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/ NOTE: https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829 CVE-2017-6508 (CRLF injection vulnerability in the url_parse function in url.c in Wge ...) 
{DLA-851-1} - wget 1.19.1-2 (bug #857073) [buster] - wget 1.18-5 [stretch] - wget 1.18-5 [jessie] - wget 1.16-1+deb8u2 NOTE: http://lists.gnu.org/archive/html/bug-wget/2017-03/msg00018.html NOTE: http://git.savannah.gnu.org/cgit/wget.git/commit/?id=4d729e322fae359a1aefaafec1144764a54e8ad4 CVE-2017-6506 (In Azure Data Expert Ultimate 2.2.16, the SMTP verification function s ...) NOT-FOR-US: Azure Data Expert Ultimate CVE-2017-6505 (The ohci_service_ed_list function in hw/usb/hcd-ohci.c in QEMU (aka Qu ...) {DLA-1497-1 DLA-1071-1 DLA-1070-1} - qemu 1:2.8+dfsg-4 (bug #856969) - qemu-kvm NOTE: Fixed by: http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=95ed56939eb2eaa4e2f349fe6dcd13ca4edfd8fb CVE-2017-6504 (WebUI in qBittorrent before 3.3.11 did not set the X-Frame-Options hea ...) {DLA-897-1} - qbittorrent 3.3.7-3 (low; bug #856978) [jessie] - qbittorrent (Minor issue) NOTE: https://github.com/qbittorrent/qBittorrent/commit/f5ad04766f4abaa78374ff03704316f8ce04627d NOTE: Fixed upstream in 3.3.11 CVE-2017-6503 (WebUI in qBittorrent before 3.3.11 did not escape many values, which c ...) {DLA-897-1} - qbittorrent 3.3.7-3 (low; bug #856977) [jessie] - qbittorrent (Minor issue) NOTE: https://github.com/qbittorrent/qBittorrent/commit/6ca3e4f094da0a0017cb2d483ec1db6176bb0b16 NOTE: Fixed upstream in 3.3.11 CVE-2017-6502 (An issue was discovered in ImageMagick 6.9.7. A specially crafted webp ...) - imagemagick 8:6.9.9.34+dfsg-3 (unimportant; bug #856883) NOTE: webp is disabled under Debian, cf. https://bugs.debian.org/856883#14 NOTE: https://github.com/ImageMagick/ImageMagick/commit/126c7c98ea788241922c30df4a5633ea692cf8df CVE-2017-6501 (An issue was discovered in ImageMagick 6.9.7. A specially crafted xcf ...) 
- imagemagick 8:6.9.7.4+dfsg-2 (bug #856881) [jessie] - imagemagick (Vulnerable code not present) [wheezy] - imagemagick (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/commit/d31fec57e9dfb0516deead2053a856e3c71e9751 CVE-2017-6500 (An issue was discovered in ImageMagick 6.9.7. A specially crafted sun ...) {DSA-3808-1 DLA-868-1} - imagemagick 8:6.9.7.4+dfsg-2 (bug #856879) NOTE: https://github.com/ImageMagick/ImageMagick/commit/3007531bfd326c5c1e29cd41d2cd80c166de8528 NOTE: https://github.com/ImageMagick/ImageMagick/issues/375 NOTE: https://github.com/ImageMagick/ImageMagick/issues/376 CVE-2017-6499 (An issue was discovered in Magick++ in ImageMagick 6.9.7. A specially ...) {DSA-3808-1} - imagemagick 8:6.9.7.4+dfsg-2 (bug #856880) [wheezy] - imagemagick (vulnerable code not present) NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=23&p=142634 NOTE: https://github.com/ImageMagick/ImageMagick/commit/3358f060fc182551822576b2c0a8850faab5d543 CVE-2017-6498 (An issue was discovered in ImageMagick 6.9.7. Incorrect TGA files coul ...) {DSA-3808-1 DLA-868-1} - imagemagick 8:6.9.7.4+dfsg-2 (bug #856878) NOTE: https://github.com/ImageMagick/ImageMagick/commit/65f75a32a93ae4044c528a987a68366ecd4b46b9 NOTE: https://github.com/ImageMagick/ImageMagick/pull/359 CVE-2017-6497 (An issue was discovered in ImageMagick 6.9.7. A specially crafted psd ...) - imagemagick 8:6.9.7.4+dfsg-2 (bug #856882) [jessie] - imagemagick (Vulnerable code not present) [wheezy] - imagemagick (vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/commit/7f2dc7a1afc067d0c89f12c82bcdec0445fb1b94 CVE-2017-6496 RESERVED CVE-2017-6495 RESERVED CVE-2017-6494 RESERVED CVE-2017-6493 RESERVED CVE-2017-6492 (SQL Injection was discovered in adm_program/modules/dates/dates_functi ...) NOT-FOR-US: Admidio CVE-2017-6491 (Multiple Cross-Site Scripting (XSS) issues were discovered in EPESI 1. ...) 
NOT-FOR-US: EPESI CVE-2017-6490 (Multiple Cross-Site Scripting (XSS) issues were discovered in EPESI 1. ...) NOT-FOR-US: EPESI CVE-2017-6489 (Multiple Cross-Site Scripting (XSS) issues were discovered in EPESI 1. ...) NOT-FOR-US: EPESI CVE-2017-6488 (Multiple Cross-Site Scripting (XSS) issues were discovered in EPESI 1. ...) NOT-FOR-US: EPESI CVE-2017-6487 (Multiple Cross-Site Scripting (XSS) issues were discovered in EPESI 1. ...) NOT-FOR-US: EPESI CVE-2017-6486 (A Cross-Site Scripting (XSS) issue was discovered in reasoncms before ...) NOT-FOR-US: reasoncms CVE-2017-6485 (A Cross-Site Scripting (XSS) issue was discovered in php-calendar befo ...) NOT-FOR-US: PHP-Calendar CVE-2017-6484 (Multiple Cross-Site Scripting (XSS) issues were discovered in INTER-Me ...) NOT-FOR-US: INTER-Mediator CVE-2017-6483 (Multiple Cross-Site Scripting (XSS) issues were discovered in ATutor 2 ...) NOT-FOR-US: ATutor CVE-2017-6482 REJECTED CVE-2017-6481 (Multiple Cross-Site Scripting (XSS) issues were discovered in phpipam ...) NOT-FOR-US: phpipam CVE-2017-6480 (groovel/cmsgroovel before 3.3.7-beta is vulnerable to a reflected XSS ...) NOT-FOR-US: cmsgroovel CVE-2017-6479 (FenixHosting/fenix-open-source before 2017-03-04 is vulnerable to a re ...) NOT-FOR-US: FenixHosting (different than fenix game engine) CVE-2017-6478 (paintballrefjosh/MaNGOSWebV4 before 4.0.8 is vulnerable to a reflected ...) NOT-FOR-US: MaNGOSWebV4 CVE-2017-6477 RESERVED CVE-2017-6476 RESERVED CVE-2017-6475 RESERVED CVE-2017-6474 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a NetScaler ...) {DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-07.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=a998c9195f183d85f5b0bbeebba21a2d4d303d47 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13429 CVE-2017-6473 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a K12 file p ...) 
{DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-09.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=7edc761a01cda8e1b37677f673985582330317d2 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13431 CVE-2017-6472 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an RTMPT dis ...) {DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-04.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2b3a0909beff8963b390034c594e0b6be6a4e531 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13347 CVE-2017-6471 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a WSP infini ...) {DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-05.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=62afef41277dfac37f515207ca73d33306e3302b NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13348 CVE-2017-6470 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an IAX2 infi ...) {DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-10.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=0b89174ef4c531a1917437fff586fe525ee7bf2d NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13432 CVE-2017-6469 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is an LDSS diss ...) {DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-03.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=4f753c127082d5e28abf482d6d175cbfee6661f7 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13346 CVE-2017-6468 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a NetScaler ...) 
{DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-08.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=9f3bc84b7e7e435c50b8b68f0fc526d0f5676cbf NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13430 CVE-2017-6467 (In Wireshark 2.2.0 to 2.2.4 and 2.0.0 to 2.0.10, there is a Netscaler ...) {DSA-3811-1 DLA-858-1} - wireshark 2.2.5+g440fd4d-2 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-11.html NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=284ad58d288722a8725401967bff0c4455488f0c NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12083 CVE-2017-6466 (F-Secure Software Updater 2.20, as distributed in several F-Secure pro ...) NOT-FOR-US: F-Secure CVE-2017-6465 (Remote Code Execution was discovered in FTPShell Client 6.53. By defau ...) NOT-FOR-US: FTPShell Client CVE-2017-6464 (NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote attackers to ...) - ntp 1:4.2.8p10+dfsg-1 (low) [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3389 NOTE: https://cure53.de/pentest-report_ntp.pdf CVE-2017-6463 (NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote authenticate ...) - ntp 1:4.2.8p10+dfsg-1 [jessie] - ntp (Minor issue) [wheezy] - ntp (Minor issue) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3387 NOTE: https://cure53.de/pentest-report_ntp.pdf CVE-2017-6462 (Buffer overflow in the legacy Datum Programmable Time Server (DPTS) re ...) - ntp 1:4.2.8p10+dfsg-1 (unimportant) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3388 NOTE: https://cure53.de/pentest-report_ntp.pdf NOTE: Obscure legacy feature, no real impact CVE-2017-6461 REJECTED CVE-2017-6460 (Stack-based buffer overflow in the reslist function in ntpq in NTP bef ...) 
- ntp 1:4.2.8p10+dfsg-1 [jessie] - ntp (Vulnerable code not present) [wheezy] - ntp (Vulnerable code not present) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3377 NOTE: https://cure53.de/pentest-report_ntp.pdf CVE-2017-6459 (The Windows installer for NTP before 4.2.8p10 and 4.3.x before 4.3.94 ...) - ntp (NTP on Windows) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3382 CVE-2017-6458 (Multiple buffer overflows in the ctl_put* functions in NTP before 4.2. ...) - ntp 1:4.2.8p10+dfsg-1 (unimportant) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3379 NOTE: https://cure53.de/pentest-report_ntp.pdf NOTE: This is not a vulnerability per se, but a weakness in an internal helper function CVE-2017-6457 REJECTED CVE-2017-6456 REJECTED CVE-2017-6455 (NTP before 4.2.8p10 and 4.3.x before 4.3.94, when using PPSAPI, allows ...) - ntp (NTP on Windows) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3384 CVE-2017-6454 REJECTED CVE-2017-6453 REJECTED CVE-2017-6452 (Stack-based buffer overflow in the Windows installer for NTP before 4. ...) - ntp (NTP on Windows) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3383 CVE-2017-6451 (The mx4200_send function in the legacy MX4200 refclock in NTP before 4 ...) - ntp (Vulnerable code not enabled at build time) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3378 CVE-2017-6450 RESERVED CVE-2017-6449 RESERVED CVE-2017-6448 (The dalvik_disassemble function in libr/asm/p/asm_dalvik.c in radare2 ...) {DLA-901-1} [experimental] - radare2 1.3.0+dfsg-1 - radare2 1.1.0+dfsg-4 (bug #859447) [jessie] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/commit/f41e941341e44aa86edd4483c4487ec09a074257 (1.3.0-git) NOTE: https://github.com/radare/radare2/issues/6885 CVE-2017-6447 RESERVED CVE-2017-6446 (XSS was discovered in Dotclear v2.11.2, affecting admin/blogs.php and ...) - dotclear CVE-2017-6445 (The auto-update feature of Open Embedded Linux Entertainment Center (O ...) 
NOT-FOR-US: OpenELEC CVE-2017-6444 (The MikroTik Router hAP Lite 6.25 has no protection mechanism for unso ...) NOT-FOR-US: MikroTik Router hAP Lite CVE-2017-6443 (Cross-site scripting (XSS) vulnerability in EPSON TMNet WebConfig 1.00 ...) NOT-FOR-US: EPSON TMNet WebConfig CVE-2017-XXXX [dns: out of bound memory read] - suricata 3.2.1-1 (bug #856648) [jessie] - suricata 2.0.7-2+deb8u3 [wheezy] - suricata (vulnerable code not present) NOTE: https://redmine.openinfosecfoundation.org/issues/2022 NOTE: Fixed by: https://github.com/inliniac/suricata/commit/20990f7a7eb7939946a275dfc9a95426b0080a19 (3.2.1) CVE-2017-7177 (Suricata before 3.2.1 has an IPv4 defragmentation evasion issue caused ...) {DLA-1603-1 DLA-865-1} - suricata 3.2.1-1 (bug #856649) NOTE: https://redmine.openinfosecfoundation.org/issues/2019 NOTE: Fixed by: https://github.com/inliniac/suricata/commit/4a04f814b15762eb446a5ead4d69d021512df6f8 (3.2.1) CVE-2017-6442 RESERVED CVE-2017-6441 (** DISPUTED ** The _zval_get_long_func_ex in Zend/zend_operators.c in ...) NOTE: PHP bug without security relevance CVE-2017-6440 (The parse_data_node function in bplist.c in libimobiledevice libplist ...) - libplist 1.12+git+1+e37ca00-0.2 (bug #858055) [jessie] - libplist (Minor issue) [wheezy] - libplist (vulnerable code not present) NOTE: https://github.com/libimobiledevice/libplist/issues/99 NOTE: Fixed by: https://github.com/libimobiledevice/libplist/commit/dccd9290745345896e3a4a73154576a599fd8b7b CVE-2017-6439 (Heap-based buffer overflow in the parse_string_node function in bplist ...) {DLA-2168-1 DLA-870-1} - libplist 1.12+git+1+e37ca00-0.1 NOTE: https://github.com/libimobiledevice/libplist/issues/95 NOTE: https://github.com/libimobiledevice/libplist/commit/32ee5213fe64f1e10ec76c1ee861ee6f233120dd CVE-2017-6438 (Heap-based buffer overflow in the parse_unicode_node function in bplis ...) 
- libplist 1.12+git+1+e37ca00-0.2 (bug #858786) [jessie] - libplist (Minor issue) [wheezy] - libplist (vulnerable code not present) NOTE: https://github.com/libimobiledevice/libplist/issues/98 NOTE: Fixed by: https://github.com/libimobiledevice/libplist/commit/dccd9290745345896e3a4a73154576a599fd8b7b CVE-2017-6437 (The base64encode function in base64.c in libimobiledevice libplist 1.1 ...) - libplist 1.12+git+1+e37ca00-0.2 (bug #858787) [jessie] - libplist (Minor issue) [wheezy] - libplist (vulnerable code not present) NOTE: https://github.com/libimobiledevice/libplist/issues/100 NOTE: Fixed by: https://github.com/libimobiledevice/libplist/commit/dccd9290745345896e3a4a73154576a599fd8b7b CVE-2017-6436 (The parse_string_node function in bplist.c in libimobiledevice libplis ...) {DLA-2168-1 DLA-870-1} - libplist 1.12+git+1+e37ca00-0.1 NOTE: https://github.com/libimobiledevice/libplist/issues/94 NOTE: https://github.com/libimobiledevice/libplist/commit/32ee5213fe64f1e10ec76c1ee861ee6f233120dd CVE-2017-6435 (The parse_string_node function in bplist.c in libimobiledevice libplis ...) {DLA-2168-1 DLA-870-1} - libplist 1.12+git+1+e37ca00-0.1 NOTE: https://github.com/libimobiledevice/libplist/issues/93 NOTE: https://github.com/libimobiledevice/libplist/commit/fbd8494d5e4e46bf2e90cb6116903e404374fb56 CVE-2017-6434 RESERVED CVE-2017-6433 RESERVED CVE-2017-6432 (An issue was discovered on Dahua DHI-HCVR7216A-S3 3.210.0001.10 build ...) NOT-FOR-US: Dahua DVR CVE-2017-6431 RESERVED CVE-2017-6430 (The compile_tree function in ef_compiler.c in the Etterfilter utility ...) {DSA-3874-1} - ettercap 1:0.8.2-4 (bug #857035) NOTE: https://github.com/Ettercap/ettercap/issues/782 NOTE: Patch: https://github.com/LocutusOfBorg/ettercap/commit/626dc56686f15f2dda13c48f78c2a666cb6d8506 CVE-2017-6429 (Buffer overflow in the tcpcapinfo utility in Tcpreplay before 4.2.0 Be ...) 
- tcpreplay (Vulnerable code not present) NOTE: https://github.com/appneta/tcpreplay/issues/278 NOTE: https://github.com/appneta/tcpreplay/commit/d689d14dbcd768c028eab2fb378d849e543dcfe9 CVE-2017-6428 RESERVED CVE-2017-6427 (A Buffer Overflow was discovered in EvoStream Media Server 1.7.1. A cr ...) NOT-FOR-US: EvoStream Media Server CVE-2017-6849 (The PoDoFo::PdfColorGray::~PdfColorGray function in PdfColor.cpp in Po ...) - libpodofo 0.9.5-9 (bug #861566) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/03/02/10 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcolorgraypdfcolorgray-pdfcolor-cpp NOTE: https://sourceforge.net/p/podofo/tickets/8/ NOTE: Same fix as for CVE-2017-6845 CVE-2017-6848 (The PoDoFo::PdfXObject::PdfXObject function in PdfXObject.cpp in PoDoF ...) {DLA-968-1} - libpodofo 0.9.4-6 (bug #861565) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/03/02/9 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfxobjectpdfxobject-pdfxobject-cpp NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1846 CVE-2017-6847 (The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo ...) {DLA-968-1} - libpodofo 0.9.4-6 (bug #861564) [jessie] - libpodofo (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/03/02/8 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfvariantdelayedload-pdfvariant-h NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1846 CVE-2017-6846 (The GraphicsStack::TGraphicsStackElement::SetNonStrokingColorSpace fun ...) 
- libpodofo 0.9.5-9 (bug #861563) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/03/02/7 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementsetnonstrokingcolorspace-graphicsstack-h/ NOTE: https://sourceforge.net/p/podofo/tickets/9/ NOTE: Same fix as for CVE-2017-6845 CVE-2017-6845 (The PoDoFo::PdfColor::operator function in PdfColor.cpp in PoDoFo 0.9. ...) - libpodofo 0.9.5-9 (bug #861562) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: The motivation for no-dsa in wheezy is that there are no known NOTE: services that use this library (apart from desktop applications) NOTE: and the worst case is a DoS. NOTE: https://www.openwall.com/lists/oss-security/2017/03/02/6 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-podofopdfcoloroperator-pdfcolor-cpp NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1892 CVE-2017-6844 (Buffer overflow in the PoDoFo::PdfParser::ReadXRefSubsection function ...) {DLA-929-1} - libpodofo 0.9.4-5 (bug #861561) [jessie] - libpodofo (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/03/02/5 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-global-buffer-overflow-in-podofopdfparserreadxrefsubsection-pdfparser-cpp NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1840/ CVE-2017-6843 (Heap-based buffer overflow in the PoDoFo::PdfVariant::DelayedLoad func ...) 
{DLA-968-1} - libpodofo 0.9.4-6 (bug #861560) [jessie] - libpodofo (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/03/02/4 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-heap-based-buffer-overflow-in-podofopdfvariantdelayedload-pdfvariant-h NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1844 NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1845 CVE-2017-6842 (The ColorChanger::GetColorFromStack function in colorchanger.cpp in Po ...) {DLA-968-1} - libpodofo 0.9.4-6 (bug #861559) [jessie] - libpodofo (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/03/02/3 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-colorchangergetcolorfromstack-colorchanger-cpp NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1844 NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1845 CVE-2017-6841 (The GraphicsStack::TGraphicsStackElement::~TGraphicsStackElement funct ...) - libpodofo 0.9.5-9 (bug #861558) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/03/02/2 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-null-pointer-dereference-in-graphicsstacktgraphicsstackelementtgraphicsstackelement-graphicsstack-h NOTE: https://sourceforge.net/p/podofo/tickets/10/ NOTE: Same fix as for CVE-2017-6845 CVE-2017-6840 (The ColorChanger::GetColorFromStack function in colorchanger.cpp in Po ...) {DLA-968-1} - libpodofo 0.9.4-6 (bug #861557) [jessie] - libpodofo (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/03/02/1 NOTE: https://blogs.gentoo.org/ago/2017/03/02/podofo-invalid-memory-read-in-colorchangergetcolorfromstack-colorchanger-cpp NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1844 NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1845 CVE-2017-6426 (An information disclosure vulnerability in the Qualcomm SPMI driver. 
P ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-6425 (An information disclosure vulnerability in the Qualcomm video driver. ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-6424 (An elevation of privilege vulnerability in the Qualcomm WiFi driver. P ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-6423 (An elevation of privilege vulnerability in the Qualcomm kyro L2 driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-6422 RESERVED CVE-2017-6421 (In the touch controller function in all Qualcomm products with Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-6420 (The wwunpack function in libclamav/wwunpack.c in ClamAV 0.99.2 allows ...) {DLA-1261-1 DLA-1105-1} - clamav 0.99.3~beta1+dfsg-1 [stretch] - clamav 0.99.2+dfsg-6+deb9u1 [jessie] - clamav 0.99.2+dfsg-0+deb8u3 NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11798 NOTE: https://github.com/vrtadmin/clamav-devel/commit/dfc00cd3301a42b571454b51a6102eecf58407bc NOTE: https://github.com/vrtadmin/clamav-devel/commit/60671e3deb1df6c626e5c7e13752c2eec1649f98 CVE-2017-6419 (mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, allows ...) {DSA-3946-1 DLA-1279-1} - libmspack 0.6-1 (bug #871263) - clamav 0.99.3~beta1+dfsg-1 (unimportant) [stretch] - clamav 0.99.4+dfsg-1+deb9u1 NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11701 NOTE: https://github.com/vrtadmin/clamav-devel/commit/a83773682e856ad6529ba6db8d1792e6d515d7f1 NOTE: ClamAV uses the libmspack system library when available. This is the NOTE: case starting from Debian Jessie. Debian Wheezy does not NOTE: have libmspack and thus needs to have the fix as well in the NOTE: src:clamav source package. NOTE: libmspack: https://github.com/kyz/libmspack/commit/6139a0b9e93fcb7fcf423e56aa825bc869e02229 CVE-2017-6418 (libclamav/message.c in ClamAV 0.99.2 allows remote attackers to cause ...) 
{DLA-1261-1 DLA-1105-1} - clamav 0.99.3~beta1+dfsg-1 [stretch] - clamav 0.99.2+dfsg-6+deb9u1 [jessie] - clamav 0.99.2+dfsg-0+deb8u3 NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11797 NOTE: https://github.com/vrtadmin/clamav-devel/commit/586a5180287262070637c8943f2f7efd652e4a2c CVE-2017-6417 (Code injection vulnerability in Avira Total Security Suite 15.0 (and e ...) NOT-FOR-US: Avira Total Security Suite CVE-2017-6416 (An issue was discovered in SysGauge 1.5.18. A buffer overflow vulnerab ...) NOT-FOR-US: SysGauge CVE-2017-6415 (The dex_parse_debug_item function in libr/bin/p/bin_dex.c in radare2 1 ...) - radare2 1.1.0+dfsg-3 (bug #856572) [jessie] - radare2 (Vulnerable code introduced in 1.1.0) [wheezy] - radare2 (Vulnerable code introduced in 1.1.0) NOTE: https://github.com/radare/radare2/issues/6872 NOTE: https://github.com/radare/radare2/commit/252afb1cff9676f3ae1f341a28448bf2c8b6e308 CVE-2017-6414 (Memory leak in the vcard_apdu_new function in card_7816.c in libcacard ...) - libcacard 1:2.5.0-3 (bug #856501) NOTE: Fixed by: https://cgit.freedesktop.org/spice/libcacard/commit/?id=9113dc6a303604a2d9812ac70c17d076ef11886c CVE-2017-6413 (The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka ...) - libapache2-mod-auth-openidc 2.1.6-1 [jessie] - libapache2-mod-auth-openidc (Minor issue) NOTE: https://github.com/pingidentity/mod_auth_openidc/commit/21e3728a825c41ab41efa75e664108051bb9665e CVE-2017-6412 (In Sophos Web Appliance (SWA) before 4.3.1.2, Session Fixation could o ...) NOT-FOR-US: Sophos CVE-2017-6411 (Cross Site Request Forgery (CSRF) on D-Link DSL-2730U C1 IN_1.00 devic ...) NOT-FOR-US: D-Link CVE-2017-6410 (kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 call ...) 
{DSA-3849-1 DLA-952-1} - kio 5.28.0-2 (bug #856889) - kde4libs 4:4.14.26-2 (bug #856890) NOTE: https://www.kde.org/info/security/advisory-20170228-1.txt NOTE: Patch for kio: https://commits.kde.org/kio/f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 NOTE: Patch for kde4libs: https://commits.kde.org/kdelibs/1804c2fde7bf4e432c6cf5bb8cce5701c7010559 CVE-2017-6409 (An issue was discovered in Veritas NetBackup 8.0 and earlier and NetBa ...) NOT-FOR-US: Veritas NetBackup CVE-2017-6408 (An issue was discovered in Veritas NetBackup 8.0 and earlier and NetBa ...) NOT-FOR-US: Veritas NetBackup CVE-2017-6407 (An issue was discovered in Veritas NetBackup Before 7.7.2 and NetBacku ...) NOT-FOR-US: Veritas NetBackup CVE-2017-6406 (An issue was discovered in Veritas NetBackup Before 7.7.2 and NetBacku ...) NOT-FOR-US: Veritas NetBackup CVE-2017-6405 (An issue was discovered in Veritas NetBackup 8.0 and earlier and NetBa ...) NOT-FOR-US: Veritas NetBackup CVE-2017-6404 (An issue was discovered in Veritas NetBackup Before 7.7 and NetBackup ...) NOT-FOR-US: Veritas NetBackup CVE-2017-6403 (An issue was discovered in Veritas NetBackup Before 8.0 and NetBackup ...) NOT-FOR-US: Veritas NetBackup CVE-2017-6402 (An issue was discovered in Veritas NetBackup 8.0 and earlier and NetBa ...) NOT-FOR-US: Veritas NetBackup CVE-2017-6401 (An issue was discovered in Veritas NetBackup before 8.0 and NetBackup ...) NOT-FOR-US: Veritas NetBackup CVE-2017-6400 (An issue was discovered in Veritas NetBackup Before 7.7.2 and NetBacku ...) NOT-FOR-US: Veritas NetBackup CVE-2017-6399 (An issue was discovered in Veritas NetBackup Before 7.7.2 and NetBacku ...) NOT-FOR-US: Veritas NetBackup CVE-2017-6398 (An issue was discovered in Trend Micro InterScan Messaging Security (V ...) NOT-FOR-US: Trend Micro CVE-2017-6397 (An issue was discovered in FlightAirMap v1.0-beta.10. The vulnerabilit ...) NOT-FOR-US: FlightAirMap CVE-2017-6396 (An issue was discovered in WPO-Foundation WebPageTest 3.0. The vulnera ...) 
NOT-FOR-US: WPO-Foundation WebPageTest CVE-2017-6395 (An issue was discovered in HashOver 2.0. The vulnerability exists due ...) NOT-FOR-US: HashOver CVE-2017-6394 (Multiple Cross-Site Scripting (XSS) issues were discovered in OpenEMR ...) NOT-FOR-US: OpenEMR CVE-2017-6393 (An issue was discovered in NagVis 1.9b12. The vulnerability exists due ...) - nagvis (Vulnerable code introduced in nagvis-1.8.0) NOTE: https://github.com/NagVis/nagvis/issues/91 CVE-2017-6392 (An issue was discovered in Kaltura server Lynx-12.11.0. The vulnerabil ...) NOT-FOR-US: Kaltura server CVE-2017-6391 (An issue was discovered in Kaltura server Lynx-12.11.0. The vulnerabil ...) NOT-FOR-US: Kaltura server CVE-2017-6390 (An issue was discovered in whatanime.ga before c334dd8499a681587dd4199 ...) NOT-FOR-US: whatanime.ga CVE-2017-6389 RESERVED CVE-2017-6388 RESERVED CVE-2017-6387 (The dex_loadcode function in libr/bin/p/bin_dex.c in radare2 1.2.1 all ...) - radare2 1.1.0+dfsg-3 (bug #856574) [jessie] - radare2 (Vulnerable code not present) [wheezy] - radare2 (Vulnerable code not present) NOTE: https://github.com/radare/radare2/commit/ead645853a63bf83d8386702cad0cf23b31d7eeb NOTE: https://github.com/radare/radare2/issues/6857 CVE-2017-6386 (Memory leak in the vrend_create_vertex_elements_state function in vren ...) - virglrenderer 0.6.0-2 (bug #858255; bug #872884) NOTE: Fixed by: https://cgit.freedesktop.org/virglrenderer/commit/?id=737c3350850ca4dbc5633b3bdb4118176ce59920 CVE-2017-6385 RESERVED CVE-2017-6383 REJECTED CVE-2017-6382 RESERVED CVE-2017-6381 (A 3rd party development library including with Drupal 8 development de ...) - drupal8 (bug #756305) NOTE: https://www.drupal.org/SA-2017-001 CVE-2017-6380 RESERVED CVE-2017-6379 (Some administrative paths in Drupal 8.2.x before 8.2.7 did not include ...) - drupal8 (bug #756305) NOTE: https://www.drupal.org/SA-2017-001 CVE-2017-6378 RESERVED CVE-2017-6377 (When adding a private file via the editor in Drupal 8.2.x before 8.2.7 ...) 
- drupal8 (bug #756305) NOTE: https://www.drupal.org/SA-2017-001 CVE-2017-6376 RESERVED CVE-2017-6375 RESERVED CVE-2017-6374 RESERVED CVE-2017-6373 RESERVED CVE-2017-6372 RESERVED CVE-2017-6371 (Synchronet BBS 3.16c for Windows allows remote attackers to cause a de ...) NOT-FOR-US: Synchronet BBS CVE-2017-6370 (TYPO3 7.6.15 sends an http request to an index.php?loginProvider URI i ...) NOT-FOR-US: TYPO3 CVE-2017-6369 (Insufficient checks in the UDF subsystem in Firebird 2.5.x before 2.5. ...) {DSA-3824-1 DLA-879-1} - firebird2.5 (bug #858641) - firebird3.0 3.0.1.32609.ds4-14 (bug #858644) NOTE: http://tracker.firebirdsql.org/browse/CORE-5474 NOTE: Fixed by: https://github.com/FirebirdSQL/firebird/commit/8b2a9cb44bf6055e15f016d70a6842b8ada60375 (3.0) NOTE: https://github.com/FirebirdSQL/firebird/commit/9d9b9e0c94e201da489d1da81f858c570d3ca6ef (2.5) NOTE: https://github.com/FirebirdSQL/firebird/commit/a802126cd501f641f00d6cda12d5d9ee3ecda6f5 (2.5) CVE-2017-6368 RESERVED CVE-2017-6367 (In Cerberus FTP Server 8.0.10.1, a crafted HTTP request causes the Win ...) NOT-FOR-US: Cerberus FTP Server CVE-2017-6366 (Cross-site request forgery (CSRF) vulnerability in NETGEAR DGN2200 rou ...) NOT-FOR-US: Netgear CVE-2017-6365 RESERVED CVE-2017-6364 RESERVED CVE-2017-6363 (** DISPUTED ** In the GD Graphics Library (aka LibGD) through 2.2.5, t ...) - libgd2 2.3.0-1 [buster] - libgd2 (Minor issue) [stretch] - libgd2 (Minor issue) [jessie] - libgd2 (Minor issue) NOTE: https://github.com/libgd/libgd/commit/0be86e1926939a98afbd2f3a23c673dfc4df2a7c NOTE: https://github.com/libgd/libgd/commit/2dbd8f6e66b73ed43d9b81a45350922b80f75397 NOTE: https://github.com/libgd/libgd/issues/383 CVE-2017-6362 (Double free vulnerability in the gdImagePngPtr function in libgd2 befo ...) 
{DSA-3961-1 DLA-1106-1} - libgd2 2.2.5-1 NOTE: https://github.com/libgd/libgd/issues/381 NOTE: https://github.com/libgd/libgd/commit/56ce6ef068b954ad28379e83cca04feefc51320c CVE-2017-6361 (QNAP QTS before 4.2.4 Build 20170313 allows attackers to execute arbit ...) NOT-FOR-US: QNAP CVE-2017-6360 (QNAP QTS before 4.2.4 Build 20170313 allows attackers to gain administ ...) NOT-FOR-US: QNAP CVE-2017-6359 (QNAP QTS before 4.2.4 Build 20170313 allows attackers to gain administ ...) NOT-FOR-US: QNAP CVE-2017-6358 RESERVED CVE-2017-6357 RESERVED CVE-2017-6356 (Palo Alto Networks Terminal Services (aka TS) Agent 6.0, 7.0, and 8.0 ...) NOT-FOR-US: Palo Alto Networks Terminal Services CVE-2017-6355 (Integer overflow in the vrend_create_shader function in vrend_renderer ...) - virglrenderer 0.6.0-1 (bug #858255) NOTE: Fixed by: https://cgit.freedesktop.org/virglrenderer/commit/?id=93761787b29f37fa627dea9082cdfc1a1ec608d6 (0.6.0) CVE-2017-6354 RESERVED CVE-2017-6352 RESERVED CVE-2017-6351 (The WePresent WiPG-1500 device with firmware 1.0.3.7 has a manufacture ...) NOT-FOR-US: WePresent WiPG-1500 CVE-2017-6350 (An integer overflow at an unserialize_uep memory allocation site would ...) {DLA-850-1} - vim 2:8.0.0197-3 (bug #856266) [jessie] - vim 2:7.4.488-7+deb8u3 - neovim 0.1.7-4 NOTE: Fixed by: https://github.com/vim/vim/commit/0c8485f0e4931463c0f7986e1ea84a7d79f10c75 CVE-2017-6349 (An integer overflow at a u_read_undo memory allocation site would occu ...) {DLA-850-1} - vim 2:8.0.0197-3 (bug #856266) [jessie] - vim 2:7.4.488-7+deb8u3 - neovim 0.1.7-4 NOTE: Fixed by: https://github.com/vim/vim/commit/3eb1637b1bba19519885dd6d377bd5596e91d22c CVE-2017-6344 (XML External Entity (XXE) vulnerability in Grails PDF Plugin 0.6 allow ...) NOT-FOR-US: Grails PDF plugin CVE-2017-6343 (The web interface on Dahua DHI-HCVR7216A-S3 devices with NVR Firmware ...) NOT-FOR-US: Dahua devices CVE-2017-6342 (An issue was discovered on Dahua DHI-HCVR7216A-S3 devices with NVR Fir ...) 
NOT-FOR-US: Dahua devices CVE-2017-6341 (Dahua DHI-HCVR7216A-S3 devices with NVR Firmware 3.210.0001.10 2016-06 ...) NOT-FOR-US: Dahua devices CVE-2017-6340 (Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 befor ...) NOT-FOR-US: Trend Micro CVE-2017-6339 (Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 befor ...) NOT-FOR-US: Trend Micro CVE-2017-6338 (Multiple Access Control issues in Trend Micro InterScan Web Security V ...) NOT-FOR-US: Trend Micro CVE-2017-6337 RESERVED CVE-2017-6336 RESERVED CVE-2017-6334 (dnslookup.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0. ...) NOT-FOR-US: NETGEAR CVE-2017-6333 RESERVED CVE-2017-6332 RESERVED CVE-2017-6331 (Prior to SEP 14 RU1 Symantec Endpoint Protection product can encounter ...) NOT-FOR-US: Symantec CVE-2017-6330 (Symantec Encryption Desktop before SED 10.4.1MP2 can allow remote atta ...) NOT-FOR-US: Symantec CVE-2017-6329 (Symantec VIP Access for Desktop prior to 2.2.4 can be susceptible to a ...) NOT-FOR-US: Symantec CVE-2017-6328 (The Symantec Messaging Gateway before 10.6.3-267 can encounter an issu ...) NOT-FOR-US: Symantec CVE-2017-6327 (The Symantec Messaging Gateway before 10.6.3-267 can encounter an issu ...) NOT-FOR-US: Symantec CVE-2017-6326 (The Symantec Messaging Gateway can encounter an issue of remote code e ...) NOT-FOR-US: Symantec CVE-2017-6325 (The Symantec Messaging Gateway can encounter a file inclusion vulnerab ...) NOT-FOR-US: Symantec CVE-2017-6324 (The Symantec Messaging Gateway, when processing a specific email attac ...) NOT-FOR-US: Symantec CVE-2017-6323 (The Symantec Management Console prior to ITMS 8.1 RU1, ITMS 8.0_POST_H ...) 
NOT-FOR-US: Symantec CVE-2017-6322 RESERVED CVE-2017-XXXX [scanelf: out of bounds read in scanelf_file_get_symtabs (scanelf.c)] - pax-utils 1.2.3-1 (unimportant; bug #856196) NOTE: https://blogs.gentoo.org/ago/2017/02/25/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c-2/ NOTE: https://github.com/gentoo/pax-utils/commit/e577c5b7e230c52e5fc4fa40e4e9014c634b3c1d NOTE: https://github.com/gentoo/pax-utils/commit/858939ea6ad63f1acb4ec74bba705c197a67d559 CVE-2017-6353 (net/sctp/socket.c in the Linux kernel through 4.10.1 does not properly ...) {DSA-3804-1 DLA-849-1} - linux 4.9.13-1 NOTE: https://marc.info/?l=linux-netdev&m=148785309416337&w=2 CVE-2017-6348 (The hashbin_delete function in net/irda/irqueue.c in the Linux kernel ...) {DSA-3804-1 DLA-849-1} - linux 4.9.13-1 NOTE: Fixed by: https://git.kernel.org/linus/4c03b862b12f980456f9de92db6d508a4999b788 CVE-2017-6347 (The ip_cmsg_recv_checksum function in net/ipv4/ip_sockglue.c in the Li ...) - linux 4.9.13-1 [jessie] - linux (Vulnerable code introduced in 4.0) [wheezy] - linux (Vulnerable code introduced in 4.0) NOTE: Fixed by: https://git.kernel.org/linus/ca4ef4574f1ee5252e2cd365f8f5d5bafd048f32 CVE-2017-6346 (Race condition in net/packet/af_packet.c in the Linux kernel before 4. ...) {DSA-3804-1 DLA-849-1} - linux 4.9.13-1 NOTE: Fixed by: https://git.kernel.org/linus/d199fab63c11998a602205f7ee7ff7c05c97164b CVE-2017-6345 (The LLC subsystem in the Linux kernel before 4.9.13 does not ensure th ...) {DSA-3804-1 DLA-849-1} - linux 4.9.13-1 NOTE: Fixed by: https://git.kernel.org/linus/8b74d439e1697110c5e5c600643e823eb1dd0762 CVE-2017-6321 RESERVED CVE-2017-6320 (A remote command injection vulnerability exists in the Barracuda Load ...) NOT-FOR-US: Barracuda CVE-2017-6319 (The dex_parse_debug_item function in libr/bin/p/bin_dex.c in radare2 1 ...) 
- radare2 1.1.0+dfsg-3 (bug #856579) [jessie] - radare2 (Vulnerable code introduced in 1.1.0) [wheezy] - radare2 (Vulnerable code introduced in 1.1.0) NOTE: https://github.com/radare/radare2/issues/6836 NOTE: https://github.com/radare/radare2/commit/ad55822430a03fe075221b543efb434567e9e431 CVE-2017-6318 (saned in sane-backends 1.0.25 allows remote attackers to obtain sensit ...) {DLA-940-1} - sane-backends 1.0.25-4 (low; bug #854804) [jessie] - sane-backends 1.0.24-8+deb8u2 NOTE: Upstream patch: https://anonscm.debian.org/cgit/sane/sane-backends.git/commit/frontend/saned.c?id=42896939822b44f44ecd1b6d35afdfa4473ed35d CVE-2017-6316 (Citrix NetScaler SD-WAN devices through v9.1.2.26.561201 allow remote ...) NOT-FOR-US: Citrix CVE-2017-6315 (Astaro Security Gateway (aka ASG) 7 allows remote attackers to execute ...) NOT-FOR-US: Astaro CVE-2017-6335 (The QuantumTransferMode function in coders/tiff.c in GraphicsMagick 1. ...) {DLA-1456-1} - graphicsmagick 1.3.25-8 [wheezy] - graphicsmagick (vulnerable code not present) NOTE: Fixed by: https://sourceforge.net/p/graphicsmagick/code/ci/6156b4c2992d855ece6079653b3b93c3229fc4b8/ CVE-2017-6317 (Memory leak in the add_shader_program function in vrend_renderer.c in ...) - virglrenderer 0.6.0-1 (bug #858255) NOTE: https://cgit.freedesktop.org/virglrenderer/commit/?id=a2f12a1b0f95b13b6f8dc3d05d7b74b4386394e4 (0.6.0) CVE-2017-6314 (The make_available_at_least function in io-tiff.c in gdk-pixbuf allows ...) {DLA-2043-1} - gdk-pixbuf 2.36.11-2 (low; bug #856448) [stretch] - gdk-pixbuf 2.36.5-2+deb9u2 [wheezy] - gdk-pixbuf (Minor issue, can be fixed in next update) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=779020 NOTE: http://mov.sx/2017/02/21/bug-hunting-gdk-pixbuf.html NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=1e513abdb55529f888233d3c96b27352d83aad5f CVE-2017-6313 (Integer underflow in the load_resources function in io-icns.c in gdk-p ...) 
{DLA-2043-1} - gdk-pixbuf 2.36.11-2 (low; bug #856445) [stretch] - gdk-pixbuf 2.36.5-2+deb9u2 [wheezy] - gdk-pixbuf (Minor issue, can be fixed in next update) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=779016 NOTE: http://mov.sx/2017/02/21/bug-hunting-gdk-pixbuf.html NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=210b16399a492d05efb209615a143920b24251f4 NOTE: Tests: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=4cc39d479356b6b09e3d62a0f3ab424db6c266d8 CVE-2017-6312 (Integer overflow in io-ico.c in gdk-pixbuf allows context-dependent at ...) {DLA-2043-1} - gdk-pixbuf 2.36.11-2 (low; bug #856444) [stretch] - gdk-pixbuf 2.36.5-2+deb9u2 [wheezy] - gdk-pixbuf (Minor issue, can be fixed in next update) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=779012 NOTE: http://mov.sx/2017/02/21/bug-hunting-gdk-pixbuf.html NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=dec9ca22d70c0f0d4492333b4e8147afb038afd2 NOTE: Tests: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=a6303ad765882555cf1b278a09be5f9e4cf3a39d CVE-2017-6311 (gdk-pixbuf-thumbnailer.c in gdk-pixbuf allows context-dependent attack ...) - gdk-pixbuf 2.36.10-1 (bug #858491; unimportant) [jessie] - gdk-pixbuf (Code introduced in 2.36.1) [wheezy] - gdk-pixbuf (Code introduced in 2.36.1) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=778204 NOTE: http://mov.sx/2017/02/21/bug-hunting-gdk-pixbuf.html NOTE: Upload of gdk-pixbuf 2.36.5-3 to experimental added a new binary package containing NOTE: the thumbnailer. NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=57362ed4c1f37c05723e25e136327e262f32d35f NOTE: Fixed by: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=758655315bc3760c2d646e1e935f7448847073af NOTE: Tests: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=67a02e1bfef1ae8f7fa50ca36f6d922c1b6d3ed6 CVE-2017-6310 (An issue was discovered in tnef before 1.4.13. Four type confusions ha ...) 
{DSA-3798-1 DLA-839-1} - tnef 1.4.12-1.1 (bug #856117) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-004-tnef/ NOTE: Fixed by: https://github.com/verdammelt/tnef/commit/8dccf79857ceeb7a6d3e42c1e762e7b865d5344d NOTE: regression fixed by: https://github.com/verdammelt/tnef/commit/9c4015433ecd3177976f820f7aa524c7e64c7c92 NOTE: regression fixed by: https://github.com/verdammelt/tnef/commit/c0b99164d14dcc61348a2ddffd47dfe31d087bad CVE-2017-6309 (An issue was discovered in tnef before 1.4.13. Two type confusions hav ...) {DSA-3798-1 DLA-839-1} - tnef 1.4.12-1.1 (bug #856117) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-004-tnef/ NOTE: Fixed by: https://github.com/verdammelt/tnef/commit/8dccf79857ceeb7a6d3e42c1e762e7b865d5344d CVE-2017-6308 (An issue was discovered in tnef before 1.4.13. Several Integer Overflo ...) {DSA-3798-1 DLA-839-1} - tnef 1.4.12-1.1 (bug #856117) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-004-tnef/ NOTE: Fixed by: https://github.com/verdammelt/tnef/commit/c5044689e50039635e7700fe2472fd632ac77176 CVE-2017-6307 (An issue was discovered in tnef before 1.4.13. Two OOB Writes have bee ...) {DSA-3798-1 DLA-839-1} - tnef 1.4.12-1.1 (bug #856117) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-004-tnef/ NOTE: Fixed by: https://github.com/verdammelt/tnef/commit/1a17af1ed0c791aec44dbdc9eab91218cc1e335a CVE-2017-6306 (An issue was discovered in ytnef before 1.9.1. This is related to a pa ...) {DSA-3846-1} - libytnef 1.9.1-1 [wheezy] - libytnef (vulnerable code not present) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/ NOTE: https://www.openwall.com/lists/oss-security/2017/02/15/4 NOTE: fixed in https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910 CVE-2017-6305 (An issue was discovered in ytnef before 1.9.1. This is related to a pa ...) 
{DSA-3846-1 DLA-878-1} - libytnef 1.9.1-1 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/ NOTE: https://www.openwall.com/lists/oss-security/2017/02/15/4 NOTE: fixed in https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910 CVE-2017-6304 (An issue was discovered in ytnef before 1.9.1. This is related to a pa ...) {DSA-3846-1 DLA-878-1} - libytnef 1.9.1-1 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/ NOTE: https://www.openwall.com/lists/oss-security/2017/02/15/4 NOTE: fixed in https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910 CVE-2017-6303 (An issue was discovered in ytnef before 1.9.1. This is related to a pa ...) {DSA-3846-1 DLA-878-1} - libytnef 1.9.1-1 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/ NOTE: https://www.openwall.com/lists/oss-security/2017/02/15/4 NOTE: fixed in https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910 CVE-2017-6302 (An issue was discovered in ytnef before 1.9.1. This is related to a pa ...) {DSA-3846-1 DLA-878-1} - libytnef 1.9.1-1 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/ NOTE: https://www.openwall.com/lists/oss-security/2017/02/15/4 NOTE: fixed in https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910 CVE-2017-6301 (An issue was discovered in ytnef before 1.9.1. This is related to a pa ...) {DSA-3846-1 DLA-878-1} - libytnef 1.9.1-1 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/ NOTE: https://www.openwall.com/lists/oss-security/2017/02/15/4 NOTE: fixed in https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910 CVE-2017-6300 (An issue was discovered in ytnef before 1.9.1. This is related to a pa ...) 
{DSA-3846-1 DLA-878-1} - libytnef 1.9.1-1 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/ NOTE: https://www.openwall.com/lists/oss-security/2017/02/15/4 NOTE: fixed in https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910 CVE-2017-6299 (An issue was discovered in ytnef before 1.9.1. This is related to a pa ...) {DSA-3846-1 DLA-878-1} - libytnef 1.9.1-1 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/ NOTE: https://www.openwall.com/lists/oss-security/2017/02/15/4 NOTE: fixed in https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910 CVE-2017-6298 (An issue was discovered in ytnef before 1.9.1. This is related to a pa ...) {DSA-3846-1 DLA-878-1} - libytnef 1.9.1-1 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-002-ytnef/ NOTE: https://www.openwall.com/lists/oss-security/2017/02/15/4 NOTE: fixed in https://github.com/Yeraze/ytnef/commit/b36d6b25b7a546fc28d6c3812124e487987a4910 CVE-2017-6297 (The L2TP Client in MikroTik RouterOS versions 6.83.3 and 6.37.4 does n ...) NOT-FOR-US: MikroTik RouterOS CVE-2017-6296 (NVIDIA TrustZone Software contains a TOCTOU issue in the DRM applicati ...) NOT-FOR-US: NVIDIA CVE-2017-6295 (NVIDIA TrustZone Software contains a vulnerability in the Keymaster im ...) NOT-FOR-US: NVIDIA CVE-2017-6294 (In Android before the 2018-06-05 security patch level, NVIDIA Tegra X1 ...) NOT-FOR-US: NVIDIA CVE-2017-6293 (In Android before the 2018-05-05 security patch level, NVIDIA Tegra X1 ...) NOT-FOR-US: Nvidia component for Android CVE-2017-6292 (In Android before the 2018-06-05 security patch level, NVIDIA TLZ Trus ...) NOT-FOR-US: NVIDIA CVE-2017-6291 RESERVED CVE-2017-6290 (In Android before the 2018-06-05 security patch level, NVIDIA TLK Trus ...) NOT-FOR-US: NVIDIA CVE-2017-6289 (In Android before the 2018-05-05 security patch level, NVIDIA Trusted ...) 
NOT-FOR-US: Nvidia component for Android CVE-2017-6288 (NVIDIA libnvrm contains a possible out of bounds read due to a missing ...) NOT-FOR-US: Nvidia component for Android CVE-2017-6287 (NVIDIA libnvrm contains a possible out of bounds read due to a missing ...) NOT-FOR-US: Nvidia component for Android CVE-2017-6286 (NVIDIA libnvomx contains a possible out of bounds write due to a missi ...) NOT-FOR-US: NVIDIA CVE-2017-6285 (NVIDIA libnvrm contains a possible out of bounds read due to a missing ...) NOT-FOR-US: Nvidia component for Android CVE-2017-6284 (NVIDIA Security Engine contains a vulnerability in the Deterministic R ...) NOT-FOR-US: NVIDIA CVE-2017-6283 (NVIDIA Security Engine contains a vulnerability in the RSA function wh ...) NOT-FOR-US: NVIDIA CVE-2017-6282 (NVIDIA Tegra kernel driver contains a vulnerability in NVMAP where an ...) NOT-FOR-US: NVIDIA CVE-2017-6281 (NVIDIA libnvomx contains a possible out of bounds write due to a impro ...) NOT-FOR-US: NVIDIA CVE-2017-6280 (NVIDIA driver contains a possible out-of-bounds read vulnerability due ...) NOT-FOR-US: Nvidia component for Android CVE-2017-6279 (NVIDIA libnvmmlite_audio.so contains an elevation of privilege vulnera ...) NOT-FOR-US: Nvidia component for Android CVE-2017-6278 (NVIDIA Tegra kernel contains a vulnerability in the CORE DVFS Thermal ...) NOT-FOR-US: NVIDIA Tegra CVE-2017-6277 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6276 (NVIDIA mediaserver contains a vulnerability where it is possible a use ...) NOT-FOR-US: NVIDIA CVE-2017-6275 (An information disclosure vulnerability exists in the Thermal Driver, ...) NOT-FOR-US: NVIDIA components for Android CVE-2017-6274 (An elevation of Privilege vulnerability exists in the Thermal Driver, ...) NOT-FOR-US: NVIDIA components for Android CVE-2017-6273 (NVIDIA ADSP Firmware contains a vulnerability in the ADSP Loader compo ...) 
NOT-FOR-US: NVIDIA ADSP Firmware CVE-2017-6272 (NVIDIA GPU Display Driver contains a vulnerability in the kernel mode ...) [experimental] - nvidia-graphics-drivers 384.90-1 - nvidia-graphics-drivers 384.98-2 (bug #876414) [stretch] - nvidia-graphics-drivers 384.130-1 [jessie] - nvidia-graphics-drivers (Non-free not supported) [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx [bullseye] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported, no updates provided by Nvidia for 340) [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported, no updates provided by Nvidia for 340) [stretch] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) - nvidia-graphics-drivers-legacy-304xx [stretch] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/4544 CVE-2017-6271 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6270 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6269 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6268 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6267 (NVIDIA GPU Display Driver contains a vulnerability in the kernel mode ...) 
[experimental] - nvidia-graphics-drivers 384.90-1 - nvidia-graphics-drivers 384.98-2 (bug #876414) [stretch] - nvidia-graphics-drivers 384.130-1 [jessie] - nvidia-graphics-drivers (Non-free not supported) [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx [bullseye] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported, no updates provided by Nvidia for 340) [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported, no updates provided by Nvidia for 340) [stretch] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) - nvidia-graphics-drivers-legacy-304xx [stretch] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/4544 CVE-2017-6266 (NVIDIA GPU Display Driver contains a vulnerability in the kernel mode ...) [experimental] - nvidia-graphics-drivers 384.90-1 - nvidia-graphics-drivers 384.98-2 (bug #876414) [stretch] - nvidia-graphics-drivers 384.130-1 [jessie] - nvidia-graphics-drivers (Non-free not supported) [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx [bullseye] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported, no updates provided by Nvidia for 340) [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported, no updates provided by Nvidia for 340) [stretch] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) - nvidia-graphics-drivers-legacy-304xx [stretch] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/4544 CVE-2017-6265 RESERVED CVE-2017-6264 (An elevation of privilege vulnerability exists in the NVIDIA GPU drive ...) 
NOT-FOR-US: NVIDIA components for Android CVE-2017-6263 (NVIDIA driver contains a vulnerability where it is possible a use afte ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-6262 (NVIDIA driver contains a vulnerability where it is possible a use afte ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-6261 (NVIDIA Vibrante Linux version 1.1, 2.0, and 2.2 contains a vulnerabili ...) NOT-FOR-US: NVIDIA Vibrante Linux CVE-2017-6260 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6259 (NVIDIA GPU Display Driver contains a vulnerability in the kernel mode ...) - nvidia-graphics-drivers 375.82-1 (bug #869783) [stretch] - nvidia-graphics-drivers 375.82-1~deb9u1 [jessie] - nvidia-graphics-drivers (Non-free not supported) [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (Limited to E384 and E375) - nvidia-graphics-drivers-legacy-304xx (Limited to E384 and E375) CVE-2017-6258 (NVIDIA libnvmmlite_audio.so contains an elevation of privilege vulnera ...) NOT-FOR-US: Nvidia component for Android CVE-2017-6257 (NVIDIA GPU Display Driver contains a vulnerability in the kernel mode ...) - nvidia-graphics-drivers 375.82-1 (bug #869783) [stretch] - nvidia-graphics-drivers 375.82-1~deb9u1 [jessie] - nvidia-graphics-drivers (Non-free not supported) [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (Limited to E384 and E375) - nvidia-graphics-drivers-legacy-304xx (Limited to E384 and E375) CVE-2017-6256 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6255 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6254 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) 
NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6253 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6252 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6251 (NVIDIA Windows GPU Display Driver contains a vulnerability in the kern ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver CVE-2017-6250 (NVIDIA GeForce Experience contains a vulnerability in NVIDIA Web Helpe ...) NOT-FOR-US: NVIDIA GeForce Experience CVE-2017-6249 (An elevation of privilege vulnerability in the NVIDIA sound driver cou ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-6248 (An elevation of privilege vulnerability in the NVIDIA sound driver cou ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-6247 (An elevation of privilege vulnerability in the NVIDIA sound driver cou ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-6246 RESERVED CVE-2017-6245 RESERVED CVE-2017-6244 RESERVED CVE-2017-6243 RESERVED CVE-2017-6242 RESERVED CVE-2017-6241 RESERVED CVE-2017-6240 RESERVED CVE-2017-6239 RESERVED CVE-2017-6238 RESERVED CVE-2017-6237 RESERVED CVE-2017-6236 RESERVED CVE-2017-6235 RESERVED CVE-2017-6234 RESERVED CVE-2017-6233 RESERVED CVE-2017-6232 RESERVED CVE-2017-6231 RESERVED CVE-2017-6230 (Ruckus Networks Solo APs firmware releases R110.x or before and Ruckus ...) NOT-FOR-US: Ruckus Networks firmware CVE-2017-6229 (Ruckus Networks Unleashed AP firmware releases before 200.6.10.1.x and ...) NOT-FOR-US: Ruckus Networks firmware CVE-2017-6228 RESERVED CVE-2017-6227 (A vulnerability in the IPv6 stack on Brocade Fibre Channel SAN product ...) NOT-FOR-US: Brocade CVE-2017-6226 RESERVED CVE-2017-6225 (Cross-site scripting (XSS) vulnerability in the web-based management i ...) NOT-FOR-US: Brocade CVE-2017-6224 (Ruckus Wireless Zone Director Controller firmware releases ZD9.x, ZD10 ...) 
NOT-FOR-US: Ruckus CVE-2017-6223 (Ruckus Wireless Zone Director Controller firmware releases ZD9.9.x, ZD ...) NOT-FOR-US: Ruckus CVE-2017-6222 RESERVED CVE-2017-6221 RESERVED CVE-2017-6220 RESERVED CVE-2017-6219 RESERVED CVE-2017-6218 RESERVED CVE-2017-6217 (paypal/adaptivepayments-sdk-php v3.9.2 is vulnerable to a reflected XS ...) NOT-FOR-US: paypal/adaptivepayments-sdk-php CVE-2017-6216 (novaksolutions/infusionsoft-php-sdk v2016-10-31 is vulnerable to a ref ...) NOT-FOR-US: novaksolutions/infusionsoft-php-sdk CVE-2017-6215 (paypal/permissions-sdk-php is vulnerable to reflected XSS in the sampl ...) NOT-FOR-US: PayPal permissions-sdk-php CVE-2017-6213 (paypal/invoice-sdk-php is vulnerable to reflected XSS in samples/permi ...) NOT-FOR-US: PayPal invoice-sdk-php CVE-2017-6212 REJECTED CVE-2017-6211 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) NOT-FOR-US: Qualcomm components for Android CVE-2017-6214 (The tcp_splice_read function in net/ipv4/tcp.c in the Linux kernel bef ...) {DSA-3804-1 DLA-849-1} - linux 4.9.13-1 NOTE: Fixed by: https://git.kernel.org/linus/ccf7abb93af09ad0868ae9033d1ca8108bdaec82 (v4.10-rc8) CVE-2017-6210 (The vrend_decode_reset function in vrend_decode.c in virglrenderer bef ...) - virglrenderer 0.6.0-1 (bug #858255) NOTE: Fixed by: https://cgit.freedesktop.org/virglrenderer/commit/?id=0a5dff15912207b83018485f83e067474e818bab (0.6.0) CVE-2017-6209 (Stack-based buffer overflow in the parse_identifier function in tgsi_t ...) - virglrenderer 0.6.0-1 (bug #858255) NOTE: Fixed by: https://cgit.freedesktop.org/virglrenderer/commit/?id=e534b51ca3c3cd25f3990589932a9ed711c59b27 (0.6.0) CVE-2017-6208 RESERVED CVE-2017-6207 REJECTED CVE-2017-6206 (D-Link DGS-1510-28XMP, DGS-1510-28X, DGS-1510-52X, DGS-1510-52, DGS-15 ...) NOT-FOR-US: D-Link CVE-2017-6205 (D-Link DGS-1510-28XMP, DGS-1510-28X, DGS-1510-52X, DGS-1510-52, DGS-15 ...) 
NOT-FOR-US: D-Link CVE-2017-6204 RESERVED CVE-2017-6203 RESERVED CVE-2017-6202 RESERVED CVE-2017-6201 (A Server Side Request Forgery vulnerability exists in the install app ...) NOT-FOR-US: Sandstorm CVE-2017-6200 (Sandstorm before build 0.203 allows remote attackers to read any speci ...) NOT-FOR-US: Sandstorm CVE-2017-6199 (A remote attacker could bypass the Sandstorm organization restriction ...) NOT-FOR-US: Sandstorm CVE-2017-6198 (The Supervisor in Sandstorm doesn't set and enforce the resource limit ...) NOT-FOR-US: Sandstorm CVE-2017-6197 (The r_read_* functions in libr/include/r_endian.h in radare2 1.2.1 all ...) {DLA-837-1} - radare2 1.1.0+dfsg-2 (bug #856063) [jessie] - radare2 (Minor issue) NOTE: https://github.com/radare/radare2/issues/6816 NOTE: Fixed by: https://github.com/radare/radare2/commit/1ea23bd6040441a21fbcfba69dce9a01af03f989 NOTE: Although the respective new versions were only introduced in 0.10.3 NOTE: The NULL pointer dereferences are still triggerable, via the shown NOTE: vector and seen under valgrind. It might be disputable if that is the NOTE: same vulnerability though. CVE-2017-6196 (Multiple use-after-free vulnerabilities in the gx_image_enum_begin fun ...) - ghostscript (Issue introduced later, cf. bug #856142) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697596 NOTE: Fixed by: https://git.ghostscript.com/?p=ghostpdl.git;h=ecceafe3abba2714ef9b432035fe0739d9b1a283 NOTE: Possibly introduced only after https://git.ghostscript.com/?p=ghostpdl.git;h=cffb5712bc10c2c2f46adf311fc74aaae74cb784 CVE-2017-6195 (Ipswitch MOVEit Transfer (formerly DMZ) allows pre-authentication blin ...) NOT-FOR-US: Ipswitch MOVEit Transfer CVE-2017-6194 (The relocs function in libr/bin/p/bin_bflt.c in radare2 1.2.1 allows r ...) 
[experimental] - radare2 1.3.0+dfsg-1 - radare2 1.1.0+dfsg-4 (bug #859448) [jessie] - radare2 (Vulnerable code not present) [wheezy] - radare2 (Vulnerable code not present) NOTE: https://github.com/radare/radare2/commit/72794dc3523bbd5bb370de3c5857cb736c387e18 (1.3.0-git) NOTE: https://github.com/radare/radare2/issues/6829 CVE-2017-6193 (Buffer overflow in APNGDis 2.8 and earlier allows remote attackers to ...) NOT-FOR-US: APNGDis CVE-2017-6192 (Buffer overflow in APNGDis 2.8 and earlier allows a remote attackers t ...) NOT-FOR-US: APNGDis CVE-2017-6191 (Buffer overflow in APNGDis 2.8 and below allows a remote attacker to e ...) NOT-FOR-US: APNGDis CVE-2017-6190 (Directory traversal vulnerability in the web interface on the D-Link D ...) NOT-FOR-US: D-Link CVE-2017-6189 (Untrusted search path vulnerability in Amazon Kindle for PC before 1.1 ...) NOT-FOR-US: Amazon Kindle CVE-2017-6187 (Buffer overflow in the built-in web server in DiskSavvy Enterprise 9.4 ...) NOT-FOR-US: DiskSavvy Enterprise CVE-2017-6186 (Code injection vulnerability in Bitdefender Total Security 12.0 (and e ...) NOT-FOR-US: Bitdefender CVE-2017-6185 RESERVED CVE-2017-6184 (In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine ...) NOT-FOR-US: Sophos CVE-2017-6183 (In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine ...) NOT-FOR-US: Sophos CVE-2017-6182 (In Sophos Web Appliance (SWA) before 4.3.1.2, a section of the machine ...) NOT-FOR-US: Sophos CVE-2017-6181 (The parse_char_class function in regparse.c in the Onigmo (aka Oniguru ...) - ruby2.3 (Introduced in v2_4_0_rc1) - ruby2.1 (Introduced in v2_4_0_rc1) NOTE: Introduced by: https://github.com/ruby/ruby/commit/2873edeafb6f6df1fc99bb9b1167591b99dd378c NOTE: Fixed by: https://github.com/ruby/ruby/commit/ea940cc4dcff8d6c345d7015eda0bf06671f87e9 NOTE: https://bugs.ruby-lang.org/issues/13234 CVE-2017-6180 (Keekoon KK002 devices 1.8.12 HD have a Cross Site Request Forgery Vuln ...) 
NOT-FOR-US: Keekoon KK002 devices CVE-2017-6179 RESERVED CVE-2017-6178 (The IofCallDriver function in USBPcap 1.1.0.0 allows local users to ga ...) NOT-FOR-US: USBPcap CVE-2017-6177 REJECTED CVE-2017-6176 REJECTED CVE-2017-6175 REJECTED CVE-2017-6174 REJECTED CVE-2017-6173 REJECTED CVE-2017-6172 REJECTED CVE-2017-6171 REJECTED CVE-2017-6170 REJECTED CVE-2017-6169 (In versions 13.0.0, 12.0.0-12.1.3, or 11.6.0-11.6.2, an F5 BIG-IP virt ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6168 (On BIG-IP versions 11.6.0-11.6.2 (fixed in 11.6.2 HF1), 12.0.0-12.1.2 ...) NOT-FOR-US: F5 BIG-IP NOTE: https://support.f5.com/csp/article/K21905460 NOTE: https://robotattack.org/ CVE-2017-6167 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6166 (In BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, PE ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6165 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Contro ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6164 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GT ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6163 (In F5 BIG-IP LTM, AAM, AFM, APM, ASM, Link Controller, PEM, PSM softwa ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6162 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GT ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6161 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GT ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6160 (In F5 BIG-IP AAM and PEM software version 12.0.0 to 12.1.1, 11.6.0 to ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6159 (F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Controlle ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6158 (In F5 BIG-IP 12.0.0-12.1.2, 11.6.0-11.6.1, 11.5.1-11.5.5, or 11.2.1 th ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6157 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Contro ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6156 (When the F5 BIG-IP 12.1.0-12.1.1, 11.6.0-11.6.1, 11.5.1-11.5.5, or 11. ...) 
NOT-FOR-US: F5 BIG-IP CVE-2017-6155 (On F5 BIG-IP 13.0.0, 12.0.0-12.1.3.1, 11.6.0-11.6.2, 11.4.1-11.5.5, or ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6154 (On F5 BIG-IP systems running 13.0.0, 12.1.0 - 12.1.3.1, or 11.6.1 - 11 ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6153 (Features in F5 BIG-IP 13.0.0-13.1.0.3, 12.1.0-12.1.3.1, 11.6.1-11.6.3. ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6152 (A local user on F5 BIG-IQ Centralized Management 5.1.0-5.2.0 with the ...) NOT-FOR-US: F5 BIG-IQ Centralized Management CVE-2017-6151 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GT ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6150 (Under certain conditions for F5 BIG-IP systems 13.0.0 or 12.1.0 - 12.1 ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6149 REJECTED CVE-2017-6148 (Responses to SOCKS proxy requests made through F5 BIG-IP version 13.0. ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6147 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6146 REJECTED CVE-2017-6145 (iControl REST in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Li ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6144 (In F5 BIG-IP PEM 12.1.0 through 12.1.2 when downloading the Type Alloc ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6143 (X509 certificate verification was not correctly implemented in the IP ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6142 (X509 certificate verification was not correctly implemented in the ear ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6141 (In F5 BIG-IP LTM, AAM, AFM, APM, ASM, Link Controller, PEM, and WebSaf ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6140 (On the BIG-IP 2000s, 2200s, 4000s, 4200v, i5600, i5800, i7600, i7800, ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6139 (In F5 BIG-IP APM software version 13.0.0 and 12.1.2, under rare condit ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6138 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Contro ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6137 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GT ...) 
NOT-FOR-US: F5 CVE-2017-6136 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Contro ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6135 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Contro ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6134 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Contro ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6133 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, Link Controller, ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6132 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Contro ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6131 (In some circumstances, an F5 BIG-IP version 12.0.0 to 12.1.2 and 13.0. ...) NOT-FOR-US: F5 CVE-2017-6130 (F5 SSL Intercept iApp 1.5.0 - 1.5.7 and SSL Orchestrator 2.0 is vulner ...) NOT-FOR-US: F5 CVE-2017-6129 (In F5 BIG-IP APM software version 13.0.0 and 12.1.2, in some circumsta ...) NOT-FOR-US: F5 BIG-IP CVE-2017-6128 (An attacker may be able to cause a denial-of-service (DoS) attack agai ...) NOT-FOR-US: F5 CVE-2017-6188 (Munin before 2.999.6 has a local file write vulnerability when CGI gra ...) {DSA-3794-1 DLA-836-1} - munin 2.0.31-1 (bug #855705) NOTE: https://github.com/munin-monitoring/munin/issues/721 CVE-2017-6127 (Multiple cross-site request forgery (CSRF) vulnerabilities in the acce ...) NOT-FOR-US: DIGISOL DG-HR1400 Wireless Router CVE-2017-6126 RESERVED CVE-2017-6125 RESERVED CVE-2017-6124 RESERVED CVE-2017-6123 RESERVED CVE-2017-6122 RESERVED CVE-2017-6121 RESERVED CVE-2017-6120 RESERVED CVE-2017-6119 RESERVED CVE-2017-6118 RESERVED CVE-2017-6117 RESERVED CVE-2017-6116 RESERVED CVE-2017-6115 RESERVED CVE-2017-6114 RESERVED CVE-2017-6113 RESERVED CVE-2017-6112 RESERVED CVE-2017-6111 RESERVED CVE-2017-6110 RESERVED CVE-2017-6109 RESERVED CVE-2017-6108 RESERVED CVE-2017-6107 RESERVED CVE-2017-6106 RESERVED CVE-2017-6105 RESERVED CVE-2017-6104 (Remote file upload vulnerability in Wordpress Plugin Mobile App Native ...) 
NOT-FOR-US: Wordpress plugin CVE-2017-6103 (Persistent XSS Vulnerability in Wordpress plugin AnyVar v0.1.1. ...) NOT-FOR-US: Wordpress plugin CVE-2017-6102 (Persistent XSS in wordpress plugin rockhoist-badges v1.2.2. ...) NOT-FOR-US: Wordpress plugin CVE-2017-6384 (Memory leak in the login_user function in saslserv/main.c in saslserv/ ...) - atheme-services 7.2.9-1 (bug #855588) [jessie] - atheme-services (versions prior to 7.2.7 not vulnerable) NOTE: 7.2.7 vulnerable, fixed in 7.2.8, but the fix introduced another DOS, fixed in 7.2.9 NOTE: (Possibly) introduced in https://github.com/atheme/atheme/commit/8ac7aa8d007331ae694f099c288e27f911e8cad1 (v7.2.7) CVE-2017-6101 RESERVED CVE-2017-6099 (Cross-site scripting (XSS) vulnerability in GetAuthDetails.html.php in ...) NOT-FOR-US: PayPal PHP Merchant SDK CVE-2017-6098 (A SQL injection issue was discovered in the Mail Masta (aka mail-masta ...) NOT-FOR-US: Mail Masta plugin for Wordpress CVE-2017-6097 (A SQL injection issue was discovered in the Mail Masta (aka mail-masta ...) NOT-FOR-US: Mail Masta plugin for Wordpress CVE-2017-6096 (A SQL injection issue was discovered in the Mail Masta (aka mail-masta ...) NOT-FOR-US: Mail Masta plugin for Wordpress CVE-2017-6095 (A SQL injection issue was discovered in the Mail Masta (aka mail-masta ...) NOT-FOR-US: Mail Masta plugin for Wordpress CVE-2017-6094 (CPEs used by subscribers on the access network receive their individua ...) NOT-FOR-US: Genexis GASP CVE-2017-6093 RESERVED CVE-2017-6092 RESERVED CVE-2017-6091 RESERVED CVE-2017-6090 (Unrestricted file upload vulnerability in clients/editclient.php in Ph ...) NOT-FOR-US: PhpCollab CVE-2017-6089 (SQL injection vulnerability in PhpCollab 2.5.1 and earlier allows remo ...) NOT-FOR-US: PhpCollab CVE-2017-6088 (Multiple SQL injection vulnerabilities in EyesOfNetwork (aka EON) 5.0 ...) NOT-FOR-US: EyesOfNetwork CVE-2017-6087 (EyesOfNetwork ("EON") 5.0 and earlier allows remote authenticated user ...) 
NOT-FOR-US: EyesOfNetwork CVE-2017-6086 (Multiple cross-site request forgery (CSRF) vulnerabilities in the addA ...) NOT-FOR-US: ViMbAdmin CVE-2017-6085 RESERVED CVE-2017-6084 RESERVED CVE-2017-6083 RESERVED CVE-2017-6082 RESERVED CVE-2017-6081 (A CSRF issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3 ...) - zammad (bug #841355) CVE-2017-6080 (An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, an ...) - zammad (bug #841355) CVE-2017-6079 (The HTTP web-management application on Edgewater Networks Edgemarc app ...) NOT-FOR-US: Edgewater CVE-2017-6078 (FastStone MaxView 3.0 and 3.1 allows user-assisted attackers to cause ...) NOT-FOR-US: FastStone MaxView CVE-2017-6077 (ping.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 al ...) NOT-FOR-US: NETGEAR CVE-2017-6076 (In versions of wolfSSL before 3.10.2 the function fp_mul_comba makes i ...) - wolfssl 3.10.2+dfsg-1 (bug #856114) NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v3.10.2-stable NOTE: https://github.com/wolfSSL/wolfssl/commit/345df93978c41da1ac8047a37f1fed5286883d8d CVE-2017-6075 RESERVED CVE-2017-6074 (The dccp_rcv_state_process function in net/dccp/input.c in the Linux k ...) {DSA-3791-1 DLA-833-1} - linux 4.9.13-1 NOTE: Fixed by: https://git.kernel.org/linus/5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4 CVE-2017-6073 RESERVED CVE-2017-6072 (CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows ...) NOT-FOR-US: CMS Made Simple CVE-2017-6071 (CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows ...) NOT-FOR-US: CMS Made Simple CVE-2017-6070 (CMS Made Simple version 1.x Form Builder before version 0.8.1.6 allows ...) NOT-FOR-US: CMS Made Simple CVE-2017-6069 (Subrion CMS 4.0.5 has CSRF in admin/blog/add/. The attacker can add an ...) NOT-FOR-US: Subrion CMS CVE-2017-6068 (Subrion CMS 4.0.5 has CSRF in admin/blocks/add/. The attacker can crea ...) 
NOT-FOR-US: Subrion CMS CVE-2017-6067 (Symphony 2.6.9 has XSS in publish/notes/edit/##/saved/ via the bottom ...) NOT-FOR-US: Symphony CMS CVE-2017-6066 (Subrion CMS 4.0.5 has CSRF in admin/languages/edit/1/. The attacker ca ...) NOT-FOR-US: Subrion CMS CVE-2017-6065 (SQL injection vulnerability in inc/lib/Control/Backend/menus.control.p ...) NOT-FOR-US: GenixCMS CVE-2017-6064 RESERVED CVE-2017-6063 RESERVED CVE-2017-6061 (Cross-site scripting (XSS) vulnerability in the help component of SAP ...) NOT-FOR-US: SAP CVE-2017-6060 (Stack-based buffer overflow in jstest_main.c in mujstest in Artifex So ...) - mupdf 1.12.0+ds1-1 (unimportant) [wheezy] - mupdf (Vulnerable code not present) NOTE: Although jstest_main.c compiled during build and mujstest is created NOTE: it is not included in the produced binary packages NOTE: https://www.openwall.com/lists/oss-security/2017/02/18/1 CVE-2017-6058 (Buffer overflow in NetRxPkt::ehdr_buf in hw/net/net_rx_pkt.c in QEMU ( ...) - qemu 1:2.8+dfsg-3 (bug #855616) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-02/msg03527.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1423358 CVE-2017-6057 RESERVED CVE-2017-6055 (XML external entity (XXE) vulnerability in eParakstitajs 3 before 1.3. ...) NOT-FOR-US: eParakstitajs and eParaksts Java lib CVE-2017-6054 (A Use of Hard-Coded Cryptographic Key issue was discovered in Hyundai ...) NOT-FOR-US: Hyundai CVE-2017-6053 (A Cross-Site Scripting issue was discovered in Trihedral VTScada Versi ...) NOT-FOR-US: Trihedral VTScada CVE-2017-6052 (A Man-in-the-Middle issue was discovered in Hyundai Motor America Blue ...) NOT-FOR-US: Hyundai CVE-2017-6051 (An Uncontrolled Search Path Element issue was discovered in BLF-Tech L ...) 
NOT-FOR-US: BLF-Tech LLC VisualView HMI CVE-2017-6050 (A SQL Injection issue was discovered in Ecava IntegraXor Versions 5.2. ...) NOT-FOR-US: Ecava IntegraXor CVE-2017-6049 (Detcon Sitewatch Gateway, all versions without cellular, an attacker c ...) NOT-FOR-US: Detcon Sitewatch Gateway CVE-2017-6048 (A Command Injection issue was discovered in Satel Iberia SenNet Data L ...) NOT-FOR-US: Satel Iberia SenNet Data Logger and Electricity Meters CVE-2017-6047 (Detcon Sitewatch Gateway, all versions without cellular, Passwords are ...) NOT-FOR-US: Detcon Sitewatch Gateway CVE-2017-6046 (An Insufficiently Protected Credentials issue was discovered in Sierra ...) NOT-FOR-US: Sierra Wireless AirLink Raven CVE-2017-6045 (An Information Exposure issue was discovered in Trihedral VTScada Vers ...) NOT-FOR-US: Trihedral VTScada CVE-2017-6044 (An Improper Authorization issue was discovered in Sierra Wireless AirL ...) NOT-FOR-US: Sierra Wireless AirLink Raven CVE-2017-6043 (A Resource Consumption issue was discovered in Trihedral VTScada Versi ...) NOT-FOR-US: Trihedral VTScada CVE-2017-6042 (A Cross-Site Request Forgery issue was discovered in Sierra Wireless A ...) NOT-FOR-US: Sierra Wireless AirLink Raven CVE-2017-6041 (An Unrestricted Upload issue was discovered in Marel Food Processing S ...) NOT-FOR-US: Marel CVE-2017-6040 (An Information Exposure issue was discovered in Belden Hirschmann GECK ...) NOT-FOR-US: Belden Hirschmann GECKO Lite Managed switch CVE-2017-6039 (A Use of Hard-Coded Password issue was discovered in Phoenix Broadband ...) NOT-FOR-US: Phoenix CVE-2017-6038 (A Cross-Site Request Forgery issue was discovered in Belden Hirschmann ...) NOT-FOR-US: Belden Hirschmann GECKO Lite Managed switch CVE-2017-6037 (A Heap-Based Buffer Overflow issue was discovered in Wecon Technologie ...) NOT-FOR-US: Wecon CVE-2017-6036 (A Server-Side Request Forgery issue was discovered in Belden Hirschman ...) 
NOT-FOR-US: Belden Hirschmann GECKO Lite Managed switch CVE-2017-6035 (A Stack-Based Buffer Overflow issue was discovered in Wecon Technologi ...) NOT-FOR-US: Wecon CVE-2017-6034 (An Authentication Bypass by Capture-Replay issue was discovered in Sch ...) NOT-FOR-US: Schneider Electric CVE-2017-6033 (A DLL Hijacking issue was discovered in Schneider Electric Interactive ...) NOT-FOR-US: Schneider Electric CVE-2017-6032 (A Violation of Secure Design Principles issue was discovered in Schnei ...) NOT-FOR-US: Schneider Electric CVE-2017-6031 (A Header Injection issue was discovered in Certec EDV GmbH atvise scad ...) NOT-FOR-US: Certec EDV GmbH atvise scada CVE-2017-6030 (A Predictable Value Range from Previous Values issue was discovered in ...) NOT-FOR-US: Schneider Electric CVE-2017-6029 (A Cross-Site Scripting issue was discovered in Certec EDV GmbH atvise ...) NOT-FOR-US: Certec EDV GmbH atvise scada CVE-2017-6028 (An Insufficiently Protected Credentials issue was discovered in Schnei ...) NOT-FOR-US: Schneider Electric CVE-2017-6027 (An Arbitrary File Upload issue was discovered in 3S-Smart Software Sol ...) NOT-FOR-US: 3S-Smart Software Solutions GmbH CODESYS Web Server CVE-2017-6026 (A Use of Insufficiently Random Values issue was discovered in Schneide ...) NOT-FOR-US: Schneider Electric CVE-2017-6025 (A Stack Buffer Overflow issue was discovered in 3S-Smart Software Solu ...) NOT-FOR-US: 3S-Smart Software Solutions GmbH CODESYS Web Server CVE-2017-6024 (A Resource Exhaustion issue was discovered in Rockwell Automation Cont ...) NOT-FOR-US: Rockwell CVE-2017-6023 (An issue was discovered in Fatek Automation PLC Ethernet Module. The a ...) NOT-FOR-US: Fatek CVE-2017-6022 (A hard-coded password issue was discovered in Becton, Dickinson and Co ...) NOT-FOR-US: BD's Kiestra PerformA and KLA Journal Service applications CVE-2017-6021 (In Schneider Electric ClearSCADA 2014 R1 (build 75.5210) and prior, 20 ...) 
NOT-FOR-US: Schneider CVE-2017-6020 (Leao Consultoria e Desenvolvimento de Sistemas (LCDS) LTDA ME LAquis S ...) NOT-FOR-US: Leao Consultoria e Desenvolvimento de Sistemas (LCDS) LTDA ME LAquis SCADA software CVE-2017-6019 (An issue was discovered in Schneider Electric Conext ComBox, model 865 ...) NOT-FOR-US: Schneider Electric CVE-2017-6018 (An open redirect issue was discovered in B. Braun Medical SpaceCom mod ...) NOT-FOR-US: SpaceCom / SpaceStation CVE-2017-6017 (A Resource Exhaustion issue was discovered in Schneider Electric Modic ...) NOT-FOR-US: Schneider Electric CVE-2017-6016 (An Improper Access Control issue was discovered in LCDS - Leao Consult ...) NOT-FOR-US: LCDS (Leao Consultoria e Desenvolvimento de Sistemas LTDA ME LAquis SCADA) CVE-2017-6015 (Without quotation marks, any whitespace in the file path for Rockwell ...) NOT-FOR-US: Rockwell CVE-2017-6014 (In Wireshark 2.2.4 and earlier, a crafted or malformed STANAG 4607 cap ...) {DSA-3811-1 DLA-826-1} - wireshark 2.2.5+g440fd4d-2 (bug #855408) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13416 CVE-2017-6013 (Subrion CMS 4.0.5.10 has SQL injection in admin/database/ via the quer ...) NOT-FOR-US: Subrion CMS CVE-2017-6012 RESERVED CVE-2017-6011 (An issue was discovered in icoutils 0.31.1. An out-of-bounds read lead ...) {DSA-3807-1 DLA-854-1} - icoutils 0.31.2-1 (bug #854054) NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=bf97b99109607d4367a4e57df9a37cbcac02e220 NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=45a0207225df4cd4b82f41eee636e21f11a7db74 NOTE: Proposed patch from Red Hat contributor: https://bugzilla.redhat.com/attachment.cgi?id=1256393 CVE-2017-6010 (An issue was discovered in icoutils 0.31.1. A buffer overflow was obse ...) 
{DSA-3807-1 DLA-854-1} - icoutils 0.31.2-1 (bug #854054) NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=bf97b99109607d4367a4e57df9a37cbcac02e220 NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=45a0207225df4cd4b82f41eee636e21f11a7db74 NOTE: Proposed patch from Red Hat contributor: https://bugzilla.redhat.com/attachment.cgi?id=1256393 CVE-2017-6009 (An issue was discovered in icoutils 0.31.1. A buffer overflow was obse ...) {DSA-3807-1 DLA-854-1} - icoutils 0.31.2-1 (bug #854050) NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=f148ae5af1c9eeb85610a5653a7f625dd6c3ac2e NOTE: Proposed patch from Red Hat contributor: https://bugzilla.redhat.com/attachment.cgi?id=1256407 CVE-2017-6008 (A kernel pool overflow in the driver hitmanpro37.sys in Sophos SurfRig ...) NOT-FOR-US: Sophos CVE-2017-6007 (A kernel pool overflow in the driver hitmanpro37.sys in Sophos SurfRig ...) NOT-FOR-US: Sophos CVE-2017-6006 REJECTED CVE-2017-6005 (Waves MaxxAudio, as installed on Dell laptops, adds a "WavesSysSvc" Wi ...) NOT-FOR-US: Waves MaxxAudio CVE-2017-6004 (The compile_bracket_matchingpath function in pcre_jit_compile.c in PCR ...) - pcre3 2:8.39-2.1 (bug #855405) [jessie] - pcre3 (Vulnerable code introduced later) [wheezy] - pcre3 (Vulnerable code introduced later) NOTE: https://vcs.pcre.org/pcre/code/trunk/pcre_jit_compile.c?r1=1676&r2=1680&view=patch NOTE: https://bugs.exim.org/show_bug.cgi?id=2035 CVE-2017-6003 (dotCMS 3.7.0 has XSS reachable from ext/languages_manager/edit_languag ...) NOT-FOR-US: dotCMS CVE-2017-6002 (Subrion CMS 4.0.5.10 has CSRF in admin/blog/add/. The attacker can add ...) NOT-FOR-US: Subrion CMS CVE-2017-6001 (Race condition in kernel/events/core.c in the Linux kernel before 4.9. ...) 
{DSA-3791-1 DLA-833-1} - linux 4.9.10-1 NOTE: Fixed by: https://git.kernel.org/linus/321027c1fe77f892f4ea07846aeae08cefbbb290 CVE-2017-6000 REJECTED CVE-2017-5999 (An issue was discovered in sysPass 2.x before 2.1, in which an algorit ...) NOT-FOR-US: sysPass CVE-2017-5998 (Cross-site scripting (XSS) vulnerability in InterSect Alliance SNARE E ...) NOT-FOR-US: InterSect Alliance SNARE Epilog CVE-2017-5997 (The SAP Message Server HTTP daemon in SAP KERNEL 7.21-7.49 allows remo ...) NOT-FOR-US: SAP Message Server CVE-2017-5996 (The agent in Bomgar Remote Support 15.2.x before 15.2.3, 16.1.x before ...) NOT-FOR-US: Bomgar Remote Support CVE-2017-5995 (The NetApp ONTAP Select Deploy administration utility 2.0 through 2.2. ...) NOT-FOR-US: NetApp ONTAP Select Deploy administration utility CVE-2017-14431 (Memory leak in Xen 3.3 through 4.8.x allows guest OS users to cause a ...) {DLA-1493-1} - xen 4.8.1-1 (bug #856229) [wheezy] - xen (Minor issue) NOTE: https://xenbits.xen.org/xsa/advisory-207.html CVE-2017-XXXX [XSA-206: xenstore denial of service via repeated update] - xen 4.8.1-1 (bug #860565) [jessie] - xen 4.4.4lts1-0+deb8u1 [wheezy] - xen (Too intrusive to backport) NOTE: https://xenbits.xen.org/xsa/advisory-206.html CVE-2017-5994 (Heap-based buffer overflow in the vrend_create_vertex_elements_state f ...) - virglrenderer 0.6.0-1 (bug #858255) NOTE: https://cgit.freedesktop.org/virglrenderer/commit/?id=114688c526fe45f341d75ccd1d85473c3b08f7a7 (0.6.0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1422452 CVE-2017-5993 (Memory leak in the vrend_renderer_init_blit_ctx function in vrend_blit ...) - virglrenderer 0.6.0-1 (bug #858255) NOTE: https://cgit.freedesktop.org/virglrenderer/commit/?id=6eb13f7a2dcf391ec9e19b4c2a79e68305f63c22 (0.6.0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1422438 CVE-2017-5991 (An issue was discovered in Artifex Software, Inc. MuPDF before 1912de5 ...) 
{DSA-3797-1} - mupdf 1.9a+ds1-4 (low) [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697500 NOTE: https://git.ghostscript.com/?p=mupdf.git;h=1912de5f08e90af1d9d0a9791f58ba3afdb9d465 CVE-2017-5990 (An issue was discovered in PhreeBooksERP before 2017-02-13. The vulner ...) NOT-FOR-US: PhreeBooksERP CVE-2017-5989 RESERVED CVE-2017-5988 (NetApp Clustered Data ONTAP 8.1 through 9.1P1, when NFS or SMB is enab ...) NOT-FOR-US: NetApp CVE-2017-5987 (The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU ...) {DLA-1497-1} - qemu 1:2.8+dfsg-3 (bug #855159) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg02776.html CVE-2017-5986 (Race condition in the sctp_wait_for_sndbuf function in net/sctp/socket ...) {DSA-3804-1 DLA-849-1} - linux 4.9.10-1 NOTE: Fixed by: https://git.kernel.org/linus/2dcab598484185dea7ec22219c76dcdd59e3cb90 CVE-2017-5985 (lxc-user-nic in Linux Containers (LXC) allows local users with a lxc-u ...) - lxc 1:2.0.7-2 (bug #857295) [jessie] - lxc 1:1.0.6-6+deb8u6 [wheezy] - lxc (vulnerable code not present) NOTE: https://lists.linuxcontainers.org/pipermail/lxc-users/2017-March/012925.html NOTE: https://launchpad.net/bugs/1654676 NOTE: master: https://github.com/lxc/lxc/commit/16af238036a5464ae8f2420ed3af214f0de875f9 NOTE: stable-2.0: https://github.com/lxc/lxc/commit/d512bd5efb0e407eba350c4e649c464a65b712a3 NOTE: stable-1.0: https://github.com/lxc/lxc/commit/c905f00ad78b78a5e9c0d67504b86e00dfe085ec CVE-2017-5984 (In libavcodec in Libav 9.21, ff_h264_execute_ref_pic_marking() has a h ...) - libav [jessie] - libav (Vulnerable code introduced later) - ffmpeg (ffmpeg not affected) NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1019 NOTE: https://patches.libav.org/patch/62534/ CVE-2017-5983 (The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3. ...) 
NOT-FOR-US: JIRA Workflow Designer Plugin CVE-2017-5982 (Directory traversal vulnerability in the Chorus2 2.4.2 add-on for Kodi ...) - kodi 2:18.6+dfsg1-1 (bug #855225) [buster] - kodi (Minor issue) [stretch] - kodi (Minor issue) [jessie] - kodi (Minor issue) - xbmc (bug #861274) [jessie] - xbmc (Minor issue) [wheezy] - xbmc (Minor issue) NOTE: http://seclists.org/fulldisclosure/2017/Feb/27 NOTE: http://trac.kodi.tv/ticket/17314 NOTE: https://lists.debian.org/debian-lts/2017/04/msg00025.html NOTE: https://lists.debian.org/debian-lts/2017/04/msg00055.html (and followups) NOTE: https://lists.debian.org/debian-lts/2017/05/msg00006.html CVE-2017-5681 (The RSA-CRT implementation in the Intel QuickAssist Technology (QAT) E ...) NOT-FOR-US: Intel QuickAssist Technology (QAT) Engine CVE-2017-6056 (It was discovered that a programming error in the processing of HTTPS ...) {DSA-3788-1 DSA-3787-1 DLA-823-1} - tomcat8 8.0.21-2 (bug #851304) - tomcat7 7.0.72-3 (bug #854551) NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=57544 CVE-2017-5981 (seeko.c in zziplib 0.13.62 allows remote attackers to cause a denial o ...) {DSA-3878-1 DLA-994-1} - zziplib 0.13.62-3.1 (bug #854727) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-assertion-failure-in-seeko-c/ CVE-2017-5980 (The zzip_mem_entry_new function in memdisk.c in zziplib 0.13.62 allows ...) {DSA-3878-1 DLA-994-1} - zziplib 0.13.62-3.1 (bug #854727) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-zzip_mem_entry_new-memdisk-c/ CVE-2017-5979 (The prescan_entry function in fseeko.c in zziplib 0.13.62 allows remot ...) {DSA-3878-1 DLA-994-1} - zziplib 0.13.62-3.1 (bug #854727) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-null-pointer-dereference-in-prescan_entry-fseeko-c/ CVE-2017-5978 (The zzip_mem_entry_new function in memdisk.c in zziplib 0.13.62 allows ...) 
{DSA-3878-1 DLA-994-1} - zziplib 0.13.62-3.1 (bug #854727) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-out-of-bounds-read-in-zzip_mem_entry_new-memdisk-c/ CVE-2017-5977 (The zzip_mem_entry_extra_block function in memdisk.c in zziplib 0.13.6 ...) {DSA-3878-1} - zziplib 0.13.62-3.1 (bug #864150; bug #854727) [jessie] - zziplib (Minor issue) [wheezy] - zziplib (Minor issue) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-invalid-memory-read-in-zzip_mem_entry_extra_block-memdisk-c/ CVE-2017-5976 (Heap-based buffer overflow in the zzip_mem_entry_extra_block function ...) {DSA-3878-1 DLA-994-1} - zziplib 0.13.62-3.1 (bug #854727) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-zzip_mem_entry_extra_block-memdisk-c/ CVE-2017-5975 (Heap-based buffer overflow in the __zzip_get64 function in fetch.c in ...) {DSA-3878-1 DLA-994-1} - zziplib 0.13.62-3.1 (bug #854727) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-__zzip_get64-fetch-c/ NOTE: https://github.com/gdraheim/zziplib/commit/33d6e9c52fcf1a8983896a512033994dc2ca5734 (v0.13.63) NOTE: https://github.com/gdraheim/zziplib/commit/64e745f8a3604ba1c444febed86b5e142ce03dd7 (v0.13.63) CVE-2017-5974 (Heap-based buffer overflow in the __zzip_get32 function in fetch.c in ...) {DSA-3878-1 DLA-994-1} - zziplib 0.13.62-3.1 (bug #854727) NOTE: http://blogs.gentoo.org/ago/2017/02/09/zziplib-heap-based-buffer-overflow-in-__zzip_get32-fetch-c/ CVE-2017-5973 (The xhci_kick_epctx function in hw/usb/hcd-xhci.c in QEMU (aka Quick E ...) {DLA-1497-1 DLA-845-1 DLA-842-1} - qemu 1:2.8+dfsg-3 (bug #855611) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg01101.html NOTE: https://www.openwall.com/lists/oss-security/2017/02/13/11 CVE-2017-5972 (The TCP stack in the Linux kernel 3.x does not properly implement a SY ...) 
- linux 4.4.2-1 [jessie] - linux (Known performance limitation) [wheezy] - linux (Known performance limitation) CVE-2017-5971 (SQL injection vulnerability in NewsBee CMS allow remote attackers to e ...) NOT-FOR-US: NewsBee CMS CVE-2017-5970 (The ipv4_pktinfo_prepare function in net/ipv4/ip_sockglue.c in the Lin ...) {DSA-3791-1 DLA-922-1} - linux 4.9.10-1 NOTE: Fixed by: https://github.com/torvalds/linux/commit/34b2cef20f19c87999fff3da4071e66937db9644 (v4.10-rc8) NOTE: Introduced by: https://github.com/torvalds/linux/commit/f84af32cbca70a3c6d30463dc08c7984af11c277 (v2.6.35-rc1) CVE-2017-5969 (** DISPUTED ** libxml2 2.9.4, when used in recover mode, allows remote ...) - libxml2 2.9.4+dfsg1-5.1 (bug #855001) [stretch] - libxml2 (Minor issue, only a denial-of-service when using recover mode) [jessie] - libxml2 (Minor issue, only a denial-of-service when using recover mode) [wheezy] - libxml2 (Minor issue, only a denial-of-service when using recover mode) NOTE: https://www.openwall.com/lists/oss-security/2016/11/05/3 NOTE: Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=778519 NOTE: Duplicate upstream bug (contains patch): https://bugzilla.gnome.org/show_bug.cgi?id=758422 NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=94691dc884d1a8ada39f073408b4bb92fe7fe882 CVE-2017-5968 RESERVED CVE-2017-5967 (The time subsystem in the Linux kernel through 4.9.9, when CONFIG_TIME ...) - linux 4.9.13-1 (low) CVE-2017-5966 (Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators ...) NOT-FOR-US: Sitecore CVE-2017-5965 (The package manager in Sitecore CRM 8.1 Rev 151207 allows remote authe ...) NOT-FOR-US: Sitecore CVE-2017-5964 (An issue was discovered in Emoncms through 9.8.0. The vulnerability ex ...) NOT-FOR-US: Emoncms CVE-2017-5963 (An issue was discovered in caddy (for TYPO3) before 7.2.10. The vulner ...) NOT-FOR-US: TYPO3 extension CVE-2017-5962 (An issue was discovered in contexts_wurfl (for TYPO3) before 0.4.2. Th ...) 
NOT-FOR-US: TYPO3 extension CVE-2017-5961 (An issue was discovered in ionize through 1.0.8. The vulnerability exi ...) NOT-FOR-US: ionize CVE-2017-5960 (An issue was discovered in Phalcon Eye through 0.4.1. The vulnerabilit ...) NOT-FOR-US: Phalcon Eye CVE-2017-5959 (CSRF token bypass in GeniXCMS before 1.0.2 could result in escalation ...) NOT-FOR-US: GenixCMS CVE-2017-5958 RESERVED CVE-2017-5957 (Stack-based buffer overflow in the vrend_decode_set_framebuffer_state ...) - virglrenderer 0.6.0-1 (bug #858255) NOTE: https://cgit.freedesktop.org/virglrenderer/commit/?id=926b9b3460a48f6454d8bbe9e44313d86a65447f (0.6.0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1421126 CVE-2017-5956 (The vrend_draw_vbo function in virglrenderer before 0.6.0 allows local ...) - virglrenderer 0.6.0-1 (bug #858255) NOTE: https://cgit.freedesktop.org/virglrenderer/commit/?id=a5ac49940c40ae415eac0cf912eac7070b4ba95d (0.6.0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1421073 NOTE: The original fix opens a memory leak: https://www.openwall.com/lists/oss-security/2017/02/24/2 NOTE: Additional patch required: https://bugzilla.suse.com/attachment.cgi?id=715395 CVE-2017-5955 RESERVED CVE-2017-5954 (An issue was discovered in the serialize-to-js package 0.5.0 for Node. ...) NOT-FOR-US: serialize-to-js Node package CVE-2017-5953 (vim before patch 8.0.0322 does not properly validate values for tree l ...) {DSA-3786-1 DLA-822-1} - vim 2:8.0.0197-2 (bug #854969) - neovim 0.1.7-4 NOTE: Fixed by https://github.com/vim/vim/commit/399c297aa93afe2c0a39e2a1b3f972aebba44c9d CVE-2017-5952 RESERVED CVE-2017-5951 (The mem_get_bits_rectangle function in base/gdevmem.c in Artifex Softw ...) 
{DSA-3838-1 DLA-905-1} - ghostscript 9.20~dfsg-3.1 (bug #859696) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697548 NOTE: Fixed by: https://git.ghostscript.com/?p=user/chrisl/ghostpdl.git;a=commitdiff;h=bfa6b2ecbe48edc69a7d9d22a12419aed25960b8 CVE-2017-5950 (The SingleDocParser::HandleNode function in yaml-cpp (aka LibYaml-C++) ...) - yaml-cpp 0.6.3-1 (low; bug #859891) [buster] - yaml-cpp (Minor issue) [stretch] - yaml-cpp (Minor issue) [jessie] - yaml-cpp (Minor issue) [wheezy] - yaml-cpp (Minor issue) - yaml-cpp0.3 (low; bug #859892) [stretch] - yaml-cpp0.3 (Minor issue) [jessie] - yaml-cpp0.3 (Minor issue) NOTE: https://github.com/jbeder/yaml-cpp/issues/459 NOTE: possible fix: https://github.com/jbeder/yaml-cpp/pull/489 CVE-2017-5949 (JavaScriptCore in WebKit, as distributed in Safari Technology Preview ...) - webkitgtk (unimportant) NOTE: Not covered by security support CVE-2017-5948 (An issue was discovered on OnePlus One, X, 2, 3, and 3T devices. Oxyge ...) NOT-FOR-US: OnePlus One CVE-2017-5947 (An issue was discovered in OnePlus One, X, 2, 3, 3T, and 5 devices wit ...) NOT-FOR-US: OnePlus One, X, 2, 3, 3T, and 5 devices with OxygenOS CVE-2017-5946 (The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a ...) {DSA-3801-1 DLA-846-1} - ruby-zip 1.2.0-1.1 (bug #856269) - libzip-ruby NOTE: https://github.com/rubyzip/rubyzip/issues/315 CVE-2017-5945 (An issue was discovered in the PoodLL Filter plugin through 3.0.20 for ...) NOT-FOR-US: Moodle plugin CVE-2017-5944 (The dashboard subscription interface in Request Tracker (RT) 4.x befor ...) {DSA-3882-1 DLA-987-1} - request-tracker4 4.4.1-4 CVE-2017-5943 (Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x ...) {DSA-3882-1 DLA-987-1} - request-tracker4 4.4.1-4 CVE-2017-5942 (An issue was discovered in the WP Mail plugin before 1.2 for WordPress ...) NOT-FOR-US: Wordpress plugin CVE-2017-5941 (An issue was discovered in the node-serialize package 0.0.4 for Node.j ...) 
NOT-FOR-US: node-serialize CVE-2017-5939 RESERVED CVE-2017-5936 (OpenStack Nova-LXD before 13.1.1 uses the wrong name for the veth pair ...) NOT-FOR-US: Nova-LXD CVE-2017-5937 (The util_format_is_pure_uint function in vrend_renderer.c in Virgil 3d ...) - virglrenderer 0.6.0-1 (bug #854728) NOTE: https://cgit.freedesktop.org/virglrenderer/commit/?id=48f67f60967f963b698ec8df57ec6912a43d6282 (0.6.0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1420246 CVE-2017-5935 RESERVED CVE-2017-5934 (Cross-site scripting (XSS) vulnerability in the link dialogue in GUI e ...) {DSA-4318-1 DLA-1546-1} - moin 1.9.9-1+deb9u1 (bug #910776) NOTE: https://github.com/moinwiki/moin-1.9/commit/70955a8eae091cc88fd9a6e510177e70289ec024 CVE-2017-5933 (Citrix NetScaler ADC and NetScaler Gateway 10.5 before Build 65.11, 11 ...) NOT-FOR-US: Citrix CVE-2017-5932 (The path autocompletion feature in Bash 4.4 allows local users to gain ...) - bash 4.4-3 [jessie] - bash (Introduced in 4.4) [wheezy] - bash (Introduced in 4.4) NOTE: https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf NOTE: Fix http://git.savannah.gnu.org/cgit/bash.git/commit/?id=4f747edc625815f449048579f6e65869914dd715 CVE-2017-5931 (Integer overflow in hw/virtio/virtio-crypto.c in QEMU (aka Quick Emula ...) - qemu 1:2.8+dfsg-3 (bug #854730) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-01/msg01368.html NOTE: https://www.openwall.com/lists/oss-security/2017/02/07/8 CVE-2017-5930 (The AliasHandler component in PostfixAdmin before 3.0.2 allows remote ...) 
- postfixadmin 3.0.2-1 (bug #854742) [jessie] - postfixadmin (Vulnerable code not present) [wheezy] - postfixadmin (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2017/02/07/6 CVE-2017-5929 (QOS.ch Logback before 1.2.0 has a serialization vulnerability affectin ...) {DLA-888-1} - logback 1:1.1.9-3 (bug #857343) [jessie] - logback 1:1.1.2-1+deb8u1 NOTE: https://github.com/qos-ch/logback/commit/f46044b805bca91efe5fd6afe52257cd02f775f8 NOTE: https://github.com/qos-ch/logback/commit/979b042cb1f0b4c1e5869ccc8912e68c39f769f9 NOTE: https://github.com/qos-ch/logback/commit/7fbea6127fa98fc48368ca5e8540eefe0e60cec5 NOTE: https://github.com/qos-ch/logback/commit/3b4f605454534b304770eeee3cb343521fcd6968 NOTE: Information asked about complete patchset to fix CVE-2017-5929: http://mailman.qos.ch/pipermail/logback-user/2017-March/004875.html CVE-2017-5928 (The W3C High Resolution Time API, as implemented in various web browse ...) NOT-FOR-US: Design limitation of W3C High Resolution Time API CVE-2017-5927 (Page table walks conducted by the MMU during virtual to physical addre ...) NOT-FOR-US: Hardware issue in some Intel CPUs CVE-2017-5926 (Page table walks conducted by the MMU during virtual to physical addre ...) NOT-FOR-US: Hardware issue in some Intel CPUs CVE-2017-5925 (Page table walks conducted by the MMU during virtual to physical addre ...) NOT-FOR-US: Hardware issue in some Intel CPUs CVE-2017-5924 (libyara/grammar.y in YARA 3.5.0 allows remote attackers to cause a den ...) - yara 3.5.0+dfsg-9 (bug #859821) [jessie] - yara 3.1.0-2+deb8u1 NOTE: https://github.com/VirusTotal/yara/issues/593 CVE-2017-5923 (libyara/grammar.y in YARA 3.5.0 allows remote attackers to cause a den ...) 
- yara 3.5.0+dfsg-9 (bug #859821) [jessie] - yara 3.1.0-2+deb8u1 NOTE: https://github.com/VirusTotal/yara/issues/597 CVE-2017-5922 RESERVED CVE-2017-5921 RESERVED CVE-2017-5920 RESERVED CVE-2017-5919 (The 21st Century Insurance app 10.0.0 for iOS does not verify X.509 ce ...) NOT-FOR-US: 21st Century Insurance app for iOS CVE-2017-5918 (The Banco de Costa Rica BCR Movil app 3.7 for iOS does not verify X.50 ...) NOT-FOR-US: Banco de Costa Rica BCR Movil app for iOS CVE-2017-5917 REJECTED CVE-2017-5916 (The America's First Federal Credit Union (FCU) Mobile Banking app 3.1. ...) NOT-FOR-US: America's First Federal Credit Union (FCU) Mobile Banking app CVE-2017-5915 (The Emirates NBD Bank P.J.S.C Emirates NBD KSA app 3.10.0 through 3.10 ...) NOT-FOR-US: Emirates NBD Bank P.J.S.C Emirates NBD KSA app CVE-2017-5914 (The DOT IT Banque Zitouna app 2.1 for iOS does not verify X.509 certif ...) NOT-FOR-US: DOT IT Banque Zitouna app CVE-2017-5913 (The TradeKing Forex for iPhone app 1.2.1 for iOS does not verify X.509 ...) NOT-FOR-US: TradeKing Forex for iPhone app CVE-2017-5912 (The FOREX.com FOREXTrader for iPhone app 2.9.12 through 2.9.14 for iOS ...) NOT-FOR-US: FOREX.com FOREXTrader for iPhone app CVE-2017-5911 (The Banco Santander Mexico SA Supermovil app 3.5 through 3.7 for iOS d ...) NOT-FOR-US: Banco Santander Mexico SA Supermovil app CVE-2017-5910 RESERVED CVE-2017-5909 (The Electronic Funds Source (EFS) Mobile Driver Source app 2.5 for iOS ...) NOT-FOR-US: Electronic Funds Source (EFS) Mobile Driver Source app CVE-2017-5908 REJECTED CVE-2017-5907 (The Great Southern Bank Great Southern Mobile Banking app before 4.0.4 ...) NOT-FOR-US: Great Southern Bank Great Southern Mobile Banking app CVE-2017-5906 (The Everyday Health Diabetes in Check: Blood Glucose & Carb Tracke ...) NOT-FOR-US: Everyday Health Diabetes in Check: Blood Glucose & Carb Tracker app CVE-2017-5905 (The Dollar Bank Mobile app 2.6.3 for iOS does not verify X.509 certifi ...) 
NOT-FOR-US: Dollar Bank Mobile app CVE-2017-5904 RESERVED CVE-2017-5903 RESERVED CVE-2017-5902 (The PayQuicker app 1.0.0 for iOS does not verify X.509 certificates fr ...) NOT-FOR-US: PayQuicker app CVE-2017-5901 (The State Bank of India State Bank Anywhere app 5.1.0 for iOS does not ...) NOT-FOR-US: State Bank of India State Bank Anywhere app CVE-2017-5900 (Cross-site scripting (XSS) vulnerability in the NetComm NB16WV-02 rout ...) NOT-FOR-US: NetComm CVE-2017-5896 (Heap-based buffer overflow in the fz_subsample_pixmap function in fitz ...) {DSA-3797-1} - mupdf 1.9a+ds1-3 (bug #854734) [wheezy] - mupdf (vulnerable code not present) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697515 NOTE: Fix https://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27 NOTE: https://blogs.gentoo.org/ago/2017/02/09/mupdf-use-after-free-in-fz_subsample_pixmap-pixmap-c/ NOTE: https://www.openwall.com/lists/oss-security/2017/02/10/1 CVE-2017-5895 RESERVED CVE-2017-5894 RESERVED CVE-2017-5893 RESERVED CVE-2017-5892 (ASUS RT-AC* and RT-N* devices with firmware before 3.0.0.4.380.7378 al ...) NOT-FOR-US: ASUS CVE-2017-5891 (ASUS RT-AC* and RT-N* devices with firmware before 3.0.0.4.380.7378 ha ...) NOT-FOR-US: ASUS CVE-2017-5898 (Integer overflow in the emulated_apdu_from_guest function in usb/dev-s ...) {DLA-845-1 DLA-842-1} - qemu 1:2.8+dfsg-3 (bug #854729) [jessie] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-02/msg01075.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1419699 NOTE: http://git.qemu-project.org/?p=qemu.git;a=commit;h=c7dfbf322595ded4e70b626bf83158a9f3807c6a CVE-2017-5897 (The ip6gre_err function in net/ipv6/ip6_gre.c in the Linux kernel allo ...) 
{DSA-3791-1} - linux 4.9.13-1 [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/cgit/linux/kernel/git/next/linux-next.git/commit/?id=7892032cfe67f4bde6fc2ee967e45a8fbaf33756 NOTE: Introduced by: https://github.com/torvalds/linux/commit/c12b395a46646bab69089ce7016ac78177f6001f (3.7-rc1) CVE-2017-5890 RESERVED CVE-2017-5889 RESERVED CVE-2017-5888 RESERVED CVE-2017-5887 (WebSocket.swift in Starscream before 2.0.4 allows an SSL Pinning bypas ...) NOT-FOR-US: Starscream CVE-2017-5885 (Multiple integer overflows in the (1) vnc_connection_server_message an ...) {DLA-831-1} - gtk-vnc 0.6.0-3 (bug #854450) [jessie] - gtk-vnc (Minor issue) NOTE: http://openwall.com/lists/oss-security/2017/02/05/5 CVE-2017-5884 (gtk-vnc before 0.7.0 does not properly check boundaries of subrectangl ...) {DLA-831-1} - gtk-vnc 0.6.0-3 (bug #854450) [jessie] - gtk-vnc (Minor issue) NOTE: Scope of the CVE is all of https://bugzilla.gnome.org/show_bug.cgi?id=778048#c1 NOTE: http://openwall.com/lists/oss-security/2017/02/05/5 CVE-2017-5883 RESERVED CVE-2017-5882 (Cross-site scripting (XSS) vulnerability in index.asp in SANADATA Sana ...) NOT-FOR-US: SanaCMS CVE-2017-5881 (GOM Player 2.3.10.5266 allows remote attackers to cause a denial of se ...) NOT-FOR-US: GOM Player CVE-2017-5880 (Splunk Web in Splunk Enterprise versions 6.5.x before 6.5.2, 6.4.x bef ...) NOT-FOR-US: Splunk CVE-2017-5879 (An issue was discovered in Exponent CMS 2.4.1. This is a blind SQL inj ...) NOT-FOR-US: Exponent CMS CVE-2017-5878 (The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restric ...) NOT-FOR-US: AMF unmarshallers in Red5 Media Server CVE-2017-5938 (Cross-site scripting (XSS) vulnerability in the nav_path function in l ...) 
{DSA-3784-1 DLA-820-1} - viewvc 1.1.26-1 (bug #854681) NOTE: https://www.openwall.com/lists/oss-security/2017/02/08/7 NOTE: https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad CVE-2017-5992 (Openpyxl 2.4.1 resolves external entities by default, which allows rem ...) - openpyxl 2.3.0-3 (bug #854442) [jessie] - openpyxl (vulnerable code not present) [wheezy] - openpyxl (vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2017/02/07/5 NOTE: https://bitbucket.org/openpyxl/openpyxl/issues/749 NOTE: https://bitbucket.org/openpyxl/openpyxl/commits/3b4905f428e1 CVE-2017-6059 (Mod_auth_openidc.c in the Ping Identity OpenID Connect authentication ...) - libapache2-mod-auth-openidc 2.1.5-1 [jessie] - libapache2-mod-auth-openidc (Minor issue) NOTE: https://github.com/pingidentity/mod_auth_openidc/issues/212 CVE-2017-6062 (The "OpenID Connect Relying Party and OAuth 2.0 Resource Server" (aka ...) - libapache2-mod-auth-openidc 2.1.5-1 [jessie] - libapache2-mod-auth-openidc (support for OIDCUnAuthAction added in 1.8.5rc1) NOTE: https://github.com/pingidentity/mod_auth_openidc/issues/222 CVE-2017-XXXX [irssi memory leak] - irssi 1.0.1-1 (bug #855108) [jessie] - irssi (support for sasl not present) [wheezy] - irssi (support for sasl not present) NOTE: Patch: https://github.com/irssi/irssi/commit/19c51789967a2f63da033e60f6ef08848b9cd144 NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2017/02/05/8 CVE-2017-XXXX [irssi missing null terminator] - irssi 1.0.1-1 (unimportant) NOTE: Patch: https://github.com/irssi/irssi/pull/619/commits/677fb1f55ca52d0e43c93f7d8361d333ff5bffd6 NOTE: CVE Request: https://www.openwall.com/lists/oss-security/2017/02/05/8 CVE-2017-5886 (Heap-based buffer overflow in the PoDoFo::PdfTokenizer::GetNextToken f ...) 
{DLA-929-1} - libpodofo 0.9.4-5 (bug #854604) [jessie] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/03/podofo-heap-based-buffer-overflow-in-podofopdftokenizergetnexttoken-pdftokenizer-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/1623824.EtgW9yDooZ%40blackgate/#msg35644693 NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1837 CVE-2017-5877 (XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack aga ...) NOT-FOR-US: dotCMS CVE-2017-5876 (XSS was discovered in dotCMS 3.7.0, with an unauthenticated attack aga ...) NOT-FOR-US: dotCMS CVE-2017-5875 (XSS was discovered in dotCMS 3.7.0, with an authenticated attack again ...) NOT-FOR-US: dotCMS CVE-2017-5874 (CSRF exists on D-Link DIR-600M Rev. Cx devices before v3.05ENB01_beta_ ...) NOT-FOR-US: D-Link CVE-2017-5873 (Unquoted Windows search path vulnerability in the guest service in Uni ...) NOT-FOR-US: Unisys CVE-2017-5872 (The TCP/IP networking module in Unisys ClearPath MCP systems with TCP- ...) NOT-FOR-US: Unisys ClearPath CVE-2017-5871 (Odoo Version <= 8.0-20160726 and Version 9 is affected by: CWE-601: ...) - odoo (Fixed before initial upload to Debian) CVE-2017-5870 (Multiple cross-site scripting (XSS) vulnerabilities in ViMbAdmin 3.0.1 ...) NOT-FOR-US: ViMbAdmin CVE-2017-5869 (Directory traversal vulnerability in the file import feature in Nuxeo ...) NOT-FOR-US: Nuxeo CVE-2017-5868 (CRLF injection vulnerability in the web interface in OpenVPN Access Se ...) NOT-FOR-US: OpenVPN Access Server CVE-2017-5867 (ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, ...) - owncloud CVE-2017-5866 (The autocomplete feature in the E-Mail share dialog in ownCloud Server ...) - owncloud CVE-2017-5865 (The password reset functionality in ownCloud Server before 8.1.11, 8.2 ...) - owncloud CVE-2017-5864 (Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Cross ...) 
NOT-FOR-US: Open-Xchange GmbH OX App Suite CVE-2017-5863 (Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Incor ...) NOT-FOR-US: Open-Xchange GmbH OX App Suite CVE-2017-5862 RESERVED CVE-2017-5861 REJECTED CVE-2017-5860 RESERVED CVE-2017-5859 (On Cambium Networks cnPilot R200/201 devices before 4.3, there is a vu ...) NOT-FOR-US: Cambium Networks cnPilot CVE-2017-5858 (An incorrect implementation of "XEP-0280: Message Carbons" in multiple ...) NOT-FOR-US: converse.js CVE-2017-5836 (The plist_free_data function in plist.c in libplist allows attackers t ...) - libplist 1.12+git+1+e37ca00-0.1 (bug #854000) [jessie] - libplist (Minor issue) [wheezy] - libplist (pointers are not incorrectly freed and non-string key nodes are officially allowed) NOTE: https://github.com/libimobiledevice/libplist/issues/86 NOTE: https://www.openwall.com/lists/oss-security/2017/01/31/6 CVE-2017-5835 (libplist allows attackers to cause a denial of service (large memory a ...) {DLA-2168-1 DLA-840-1} - libplist 1.12+git+1+e37ca00-0.1 (bug #854000) NOTE: https://github.com/libimobiledevice/libplist/issues/88 NOTE: https://www.openwall.com/lists/oss-security/2017/01/31/6 CVE-2017-5834 (The parse_dict_node function in bplist.c in libplist allows attackers ...) {DLA-2168-1 DLA-840-1} - libplist 1.12+git+1+e37ca00-0.1 (bug #854000) NOTE: https://github.com/libimobiledevice/libplist/issues/89 NOTE: https://www.openwall.com/lists/oss-security/2017/01/31/6 CVE-2017-5829 (An access restriction bypass vulnerability in HPE Aruba ClearPass Poli ...) NOT-FOR-US: HPE Aruba ClearPass Policy Manager CVE-2017-5828 (An arbitrary command execution vulnerability in HPE Aruba ClearPass Po ...) NOT-FOR-US: HPE Aruba ClearPass Policy Manager CVE-2017-5827 (A reflected cross site scripting vulnerability in HPE Aruba ClearPass ...) NOT-FOR-US: HPE Aruba ClearPass Policy Manager CVE-2017-5826 (An authenticated remote code execution vulnerability in HPE Aruba Clea ...) 
NOT-FOR-US: HPE Aruba ClearPass Policy Manager CVE-2017-5825 (A privilege escalation vulnerability in HPE Aruba ClearPass Policy Man ...) NOT-FOR-US: HPE Aruba ClearPass Policy Manager CVE-2017-5824 (An unauthenticated remote code execution vulnerability in HPE Aruba Cl ...) NOT-FOR-US: HPE Aruba ClearPass Policy Manager CVE-2017-5823 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5822 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5821 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5820 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5819 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5818 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5817 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5816 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5815 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5814 (A remote sql injection authentication bypass in HPE Network Automation ...) NOT-FOR-US: HPE CVE-2017-5813 (A remote unauthenticated access vulnerability in HPE Network Automatio ...) NOT-FOR-US: HPE CVE-2017-5812 (A remote sql information disclosure vulnerability in HPE Network Autom ...) NOT-FOR-US: HPE CVE-2017-5811 (A remote code execution vulnerability in HPE Network Automation versio ...) 
NOT-FOR-US: HPE CVE-2017-5810 (A remote sql injection vulnerability in HPE Network Automation version ...) NOT-FOR-US: HPE CVE-2017-5809 (A Remote Arbitrary Code Execution vulnerability in HPE Data Protector ...) NOT-FOR-US: HPE CVE-2017-5808 (A Remote Arbitrary Code Execution vulnerability in HPE Data Protector ...) NOT-FOR-US: HPE CVE-2017-5807 (A Remote Arbitrary Code Execution vulnerability in HPE Data Protector ...) NOT-FOR-US: HPE CVE-2017-5806 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5805 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5804 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5803 (A Remote Disclosure of Information vulnerability in HPE NonStop Server ...) NOT-FOR-US: HPE NonStop Servers CVE-2017-5802 (A Remote Gain Privileged Access vulnerability in HPE Vertica Analytics ...) NOT-FOR-US: HPE Vertica Analytics Platform CVE-2017-5801 (A Remote Unauthorized Access to Data vulnerability in HPE Business Pro ...) NOT-FOR-US: HPE Business Process Monitor CVE-2017-5800 (A Remote Cross-Site Scripting (XSS) vulnerability in HPE Operations Br ...) NOT-FOR-US: HPE Operations Bridge Analytics CVE-2017-5799 (A Remote Code Execution vulnerability in HPE OpenCall Media Platform ( ...) NOT-FOR-US: HPE OpenCall Media Platform CVE-2017-5798 (A Remote Code Execution vulnerability in HPE OpenCall Media Platform ( ...) NOT-FOR-US: HPE OpenCall Media Platform CVE-2017-5797 (A Remote Unauthenticated Disclosure of Information vulnerability in HP ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5796 (A Remote Cross Site Request Forgery (CSRF) vulnerability in HPE 2620 S ...) 
NOT-FOR-US: HPE 2620 Series Network Switches CVE-2017-5795 (A Local Arbitrary File Download vulnerability in HPE Intelligent Manag ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5794 (A Remote Arbitrary File Download vulnerability in HPE Intelligent Mana ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5793 (A Remote Arbitrary Code Execution vulnerability in HPE Intelligent Man ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5792 (A Remote Code Execution vulnerability in HPE Intelligent Management Ce ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5791 (The doFilter method in UrlAccessController in HPE Intelligent Manageme ...) NOT-FOR-US: HPE Intelligent Management Center NOTE: it appears that it was incorrectly used for an issue in JanTek JTC-200 CVE-2017-5790 (A remote deserialization of untrusted data vulnerability in HPE Intell ...) NOT-FOR-US: HPE Intelligent Management Center CVE-2017-5789 (HPE LoadRunner before 12.53 Patch 4 and HPE Performance Center before ...) NOT-FOR-US: HPE LoadRunner NOTE: it appears that it was incorrectly used for an issue in JanTek JTC-200 CVE-2017-5788 (A Local Disclosure of Sensitive Information vulnerability in HPE NonSt ...) NOT-FOR-US: HPE NonStop Software Essentials CVE-2017-5787 (A remote denial of service vulnerability in HPE Version Control Reposi ...) NOT-FOR-US: HPE Version Control Manager CVE-2017-5786 (A local Unauthorized Data Modification vulnerability in HPE OfficeConn ...) NOT-FOR-US: HPE OfficeConnect Network Switches CVE-2017-5785 (A remote information disclosure vulnerability in HPE Matrix Operating ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2017-5784 (A missing HSTS Header vulnerability in HPE Matrix Operating Environmen ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2017-5783 (A remote clickjacking vulnerability in HPE Matrix Operating Environmen ...) 
NOT-FOR-US: HPE Matrix Operating Environment CVE-2017-5782 (A missing HSTS Header vulnerability in HPE Matrix Operating Environmen ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2017-5781 (A CSRF vulnerability in HPE Matrix Operating Environment version v7.6 ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2017-5780 (A remote clickjacking vulnerability in HPE Matrix Operating Environmen ...) NOT-FOR-US: HPE Matrix Operating Environment CVE-2017-5779 RESERVED CVE-2017-5778 RESERVED CVE-2017-5777 RESERVED CVE-2017-5776 RESERVED CVE-2017-5775 RESERVED CVE-2017-5774 RESERVED CVE-2017-5773 RESERVED CVE-2017-5772 RESERVED CVE-2017-5771 RESERVED CVE-2017-5770 RESERVED CVE-2017-5769 RESERVED CVE-2017-5768 RESERVED CVE-2017-5767 RESERVED CVE-2017-5766 RESERVED CVE-2017-5765 RESERVED CVE-2017-5764 RESERVED CVE-2017-5763 RESERVED CVE-2017-5762 RESERVED CVE-2017-5761 RESERVED CVE-2017-5760 RESERVED CVE-2017-5759 RESERVED CVE-2017-5758 RESERVED CVE-2017-5757 RESERVED CVE-2017-5756 RESERVED CVE-2017-5755 RESERVED CVE-2017-5754 (Systems with microprocessors utilizing speculative execution and indir ...) 
{DSA-4120-1 DSA-4082-1 DSA-4078-1 DLA-1232-1} - linux 4.14.12-1 - nvidia-graphics-drivers 384.111-1 (bug #886852) [stretch] - nvidia-graphics-drivers 384.111-4~deb9u1 [jessie] - nvidia-graphics-drivers 340.106-1 [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx 340.106-1 [stretch] - nvidia-graphics-drivers-legacy-340xx 340.106-1~deb9u1 - nvidia-graphics-drivers-legacy-304xx [stretch] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) - linux-grsec - xen 4.11.1~pre+1.733450b39b-1 [stretch] - xen 4.8.3+comet2+shim4.10.0+comet3-1+deb9u4 [jessie] - xen (Too intrusive to backport) NOTE: https://meltdownattack.com/ NOTE: https://xenbits.xen.org/xsa/advisory-254.html NOTE: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html NOTE: http://blog.cyberus-technology.de/posts/2018-01-03-meltdown.html NOTE: Paper: https://meltdownattack.com/meltdown.pdf NOTE: https://01.org/security/advisories/intel-oss-10003 CVE-2017-5753 (Systems with microprocessors utilizing speculative execution and branc ...) 
{DSA-4188-1 DSA-4187-1 DLA-1731-1 DLA-1423-1 DLA-1422-1} - linux 4.15.11-1 - nvidia-graphics-drivers 384.111-1 (bug #886852) [stretch] - nvidia-graphics-drivers 384.111-4~deb9u1 [jessie] - nvidia-graphics-drivers 340.106-1 [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx 340.106-1 [stretch] - nvidia-graphics-drivers-legacy-340xx 340.106-1~deb9u1 - nvidia-graphics-drivers-legacy-304xx [stretch] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) - linux-grsec NOTE: https://spectreattack.com/ NOTE: https://xenbits.xen.org/xsa/advisory-254.html NOTE: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html NOTE: Paper: https://spectreattack.com/spectre.pdf NOTE: https://01.org/security/advisories/intel-oss-10002 CVE-2017-5752 RESERVED CVE-2017-5751 RESERVED CVE-2017-5750 RESERVED CVE-2017-5749 RESERVED CVE-2017-5748 RESERVED CVE-2017-5747 RESERVED CVE-2017-5746 RESERVED CVE-2017-5745 RESERVED CVE-2017-5744 RESERVED CVE-2017-5743 RESERVED CVE-2017-5742 RESERVED CVE-2017-5741 RESERVED CVE-2017-5740 RESERVED CVE-2017-5739 RESERVED CVE-2017-5738 (Escalation of privilege vulnerability in admin portal for Intel Unite ...) NOT-FOR-US: Intel Unite App CVE-2017-5737 RESERVED CVE-2017-5736 (An elevation of privilege in Intel Software Guard Extensions Platform ...) NOT-FOR-US: Intel CVE-2017-5735 REJECTED CVE-2017-5734 REJECTED CVE-2017-5733 REJECTED CVE-2017-5732 REJECTED CVE-2017-5731 (Bounds checking in Tianocompress before November 7, 2017 may allow an ...) NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=686 NOTE: https://bugzilla.tianocore.org/attachment.cgi?id=150 NOTE: https://edk2-docs.gitbooks.io/security-advisory/content/edk-ii-tianocompress-bounds-checking-issues.html CVE-2017-5730 RESERVED CVE-2017-5729 (Frame replay vulnerability in Wi-Fi subsystem in Intel Dual-Band and T ...) 
NOT-FOR-US: Intel CVE-2017-5728 RESERVED CVE-2017-5727 (Pointer dereference in subsystem in Intel Graphics Driver 15.40.x.x, 1 ...) NOT-FOR-US: Intel CVE-2017-5726 RESERVED CVE-2017-5725 RESERVED CVE-2017-5724 RESERVED CVE-2017-5723 RESERVED CVE-2017-5722 (Incorrect policy enforcement in system firmware for Intel NUC7i3BNK, N ...) NOT-FOR-US: Intel CVE-2017-5721 (Insufficient input validation in system firmware for Intel NUC7i3BNK, ...) NOT-FOR-US: Intel CVE-2017-5720 RESERVED CVE-2017-5719 (A vulnerability in the Intel Deep Learning Training Tool Beta 1 allows ...) NOT-FOR-US: Intel CVE-2017-5718 RESERVED CVE-2017-5717 (Type Confusion in Content Protection HECI Service in Intel Graphics Dr ...) NOT-FOR-US: Intel graphics driver CVE-2017-5716 REJECTED CVE-2017-5715 (Systems with microprocessors utilizing speculative execution and indir ...) {DSA-4213-1 DSA-4201-1 DSA-4188-1 DSA-4187-1 DLA-2148-1 DLA-1497-1 DLA-1422-1 DLA-1369-1} - linux 4.15.11-1 - intel-microcode 3.20180425.1 [stretch] - intel-microcode 3.20180425.1~deb9u1 [jessie] - intel-microcode 3.20180425.1~deb8u1 - amd64-microcode 3.20180515.1 [stretch] - amd64-microcode (Can be fixed via point release) NOTE: https://spectreattack.com/ NOTE: https://xenbits.xen.org/xsa/advisory-254.html NOTE: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html NOTE: Paper: https://spectreattack.com/spectre.pdf NOTE: https://www.suse.com/de-de/support/kb/doc/?id=7022512 NOTE: https://www.suse.com/support/update/announcement/2018/suse-su-20180009-1/ NOTE: For the required microcode updates in advance: NOTE: intel-microcode: https://bugs.debian.org/886367 NOTE: intel-microcode: Some microcode updates to partially address CVE-2017-5715 included in 3.20171215.1 NOTE: Further updates in 3.20180312.1 NOTE: amd64-microcode: https://bugs.debian.org/886382 NOTE: amd64-microcode updates in 3.20180515.1 - qemu 1:2.12~rc3+dfsg-1 (bug #886532) - qemu-kvm NOTE: Qemu patches: 
https://lists.nongnu.org/archive/html/qemu-devel/2018-01/msg00811.html NOTE: to pass through new MSR and CPUID flags from the host VM to the CPU, to NOTE: allow (future) enabling/disabling branch prediction features in the Intel NOTE: CPU. - virtualbox 5.2.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) - nvidia-graphics-drivers 384.111-1 (bug #886852) [stretch] - nvidia-graphics-drivers 384.111-4~deb9u1 [jessie] - nvidia-graphics-drivers 340.106-1 [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx 340.106-1 [stretch] - nvidia-graphics-drivers-legacy-340xx 340.106-1~deb9u1 - nvidia-graphics-drivers-legacy-304xx [stretch] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) - linux-grsec - xen 4.11.1~pre+1.733450b39b-1 [jessie] - xen (Too intrusive to backport) CVE-2017-5714 RESERVED CVE-2017-5713 RESERVED CVE-2017-5712 (Buffer overflow in Active Management Technology (AMT) in Intel Managea ...) NOT-FOR-US: Intel CVE-2017-5711 (Multiple buffer overflows in Active Management Technology (AMT) in Int ...) NOT-FOR-US: Intel CVE-2017-5710 (Multiple privilege escalations in kernel in Intel Trusted Execution En ...) NOT-FOR-US: Intel CVE-2017-5709 (Multiple privilege escalations in kernel in Intel Server Platform Serv ...) NOT-FOR-US: Intel CVE-2017-5708 (Multiple privilege escalations in kernel in Intel Manageability Engine ...) NOT-FOR-US: Intel CVE-2017-5707 (Multiple buffer overflows in kernel in Intel Trusted Execution Engine ...) NOT-FOR-US: Intel CVE-2017-5706 (Multiple buffer overflows in kernel in Intel Server Platform Services ...) NOT-FOR-US: Intel CVE-2017-5705 (Multiple buffer overflows in kernel in Intel Manageability Engine Firm ...) NOT-FOR-US: Intel CVE-2017-5704 (Platform sample code firmware included with 4th Gen Intel Core Process ...) 
NOT-FOR-US: Intel CVE-2017-5703 (Configuration of SPI Flash in platforms based on multiple Intel platfo ...) NOT-FOR-US: Intel CVE-2017-5702 RESERVED CVE-2017-5701 (Insecure platform configuration in system firmware for Intel NUC7i3BNK ...) NOT-FOR-US: Intel CVE-2017-5700 (Insufficient protection of password storage in system firmware for Int ...) NOT-FOR-US: Intel CVE-2017-5699 (Input validation error in Intel MinnowBoard 3 Firmware versions prior ...) NOT-FOR-US: Intel MinnowBoard 3 Firmware NOTE: https://edk2-docs.gitbooks.io/security-advisory/content/uefi-variable-deletioncorruption.html CVE-2017-5698 (Intel Active Management Technology, Intel Standard Manageability, and ...) NOT-FOR-US: Intel CVE-2017-5697 (Insufficient clickjacking protection in the Web User Interface of Inte ...) NOT-FOR-US: Intel CVE-2017-5696 (Untrusted search path in Intel Graphics Driver 15.40.x.x, 15.45.x.x, a ...) NOT-FOR-US: Intel CVE-2017-5695 (Data corruption vulnerability in firmware in Intel Solid-State Drive C ...) NOT-FOR-US: Intel CVE-2017-5694 (Data corruption vulnerability in firmware in Intel Solid-State Drive P ...) NOT-FOR-US: Intel CVE-2017-5693 (Firmware in the Intel Puma 5, 6, and 7 Series might experience resourc ...) NOT-FOR-US: Intel Puma CVE-2017-5692 (Out-of-bounds read condition in older versions of some Intel Graphics ...) NOT-FOR-US: Intel Graphics Driver for Windows CVE-2017-5691 (Incorrect check in Intel processors from 6th and 7th Generation Intel ...) NOT-FOR-US: Intel CPUs CVE-2017-5690 RESERVED CVE-2017-5689 (An unprivileged network attacker could gain system privileges to provi ...) NOT-FOR-US: Intel AMT CVE-2017-5688 (There is an escalation of privilege vulnerability in the Intel Solid S ...) NOT-FOR-US: Intel Solid State Drive Toolbox CVE-2017-5687 RESERVED CVE-2017-5686 (The BIOS in Intel NUC systems based on 6th Gen Intel Core processors p ...) 
NOT-FOR-US: BIOS in Intel NUC systems CVE-2017-5685 (The BIOS in Intel NUC systems based on 6th Gen Intel Core processors p ...) NOT-FOR-US: BIOS in Intel NUC systems CVE-2017-5684 (The BIOS in Intel Compute Stick systems based on 6th Gen Intel Core pr ...) NOT-FOR-US: BIOS in Intel NUC systems CVE-2017-5683 (Privilege escalation in IntelHAXM.sys driver in the Intel Hardware Acc ...) NOT-FOR-US: Intel Hardware Accelerated Execution Manager CVE-2017-5682 (Intel PSET Application Install wrapper of Intel Parallel Studio XE, In ...) NOT-FOR-US: Intel PSET CVE-2017-5680 RESERVED CVE-2017-5848 (The gst_ps_demux_parse_psm function in gst/mpegdemux/gstmpegdemux.c in ...) {DSA-3818-1 DLA-2164-1 DLA-830-1} - gst-plugins-bad1.0 1.10.4-1 (low) - gst-plugins-bad0.10 (low) NOTE: https://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777957 NOTE: Patch: https://bugzilla.gnome.org/show_bug.cgi?id=777957#c3 CVE-2017-5847 (The gst_asf_demux_process_ext_content_desc function in gst/asfdemux/gs ...) {DSA-3821-1 DLA-2226-1 DLA-829-1} - gst-plugins-ugly1.0 1.10.4-1 (low) - gst-plugins-ugly0.10 (low) NOTE: https://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777955 NOTE: https://github.com/GStreamer/gst-plugins-ugly/commit/d21017b52a585f145e8d62781bcc1c5fefc7ee37 CVE-2017-5846 (The gst_asf_demux_process_ext_stream_props function in gst/asfdemux/gs ...) {DSA-3821-1 DLA-2226-1 DLA-829-1} - gst-plugins-ugly1.0 1.10.3-1 (low) - gst-plugins-ugly0.10 (low) NOTE: https://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777937 CVE-2017-5845 (The gst_avi_demux_parse_ncdt function in gst/avi/gstavidemux.c in gst- ...) 
{DSA-3820-1} - gst-plugins-good1.0 1.10.3-1 (low) - gst-plugins-good0.10 (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777532 CVE-2017-5844 (The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-medi ...) {DSA-3819-1 DLA-2126-1 DLA-827-1} - gst-plugins-base1.0 1.10.3-1 (low) - gst-plugins-base0.10 (low) NOTE: https://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777525 CVE-2017-5843 (Multiple use-after-free vulnerabilities in the (1) gst_mini_object_unr ...) {DSA-3818-1 DLA-2164-1 DLA-830-1} - gst-plugins-bad1.0 1.10.3-1 - gst-plugins-bad0.10 (low) NOTE: https://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777503 CVE-2017-5842 (The html_context_handle_element function in gst/subparse/samiparse.c i ...) {DSA-3819-1} - gst-plugins-base1.0 1.10.3-1 - gst-plugins-base0.10 (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777502 CVE-2017-5841 (The gst_avi_demux_parse_ncdt function in gst/avi/gstavidemux.c in gst- ...) {DSA-3820-1} - gst-plugins-good1.0 1.10.3-1 (low) - gst-plugins-good0.10 (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777500 CVE-2017-5840 (The qtdemux_parse_samples function in gst/isomp4/qtdemux.c in gst-plug ...) {DSA-3820-1 DLA-2225-1 DLA-828-1} - gst-plugins-good1.0 1.10.3-1 (low) - gst-plugins-good0.10 (low) NOTE: https://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777469 CVE-2017-5839 (The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-medi ...) 
{DSA-3819-1} - gst-plugins-base1.0 1.10.3-1 - gst-plugins-base0.10 (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777265 CVE-2017-5838 (The gst_date_time_new_from_iso8601_string function in gst/gstdatetime. ...) {DSA-3822-1} - gstreamer1.0 1.10.3-1 (low) - gstreamer0.10 (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777263 CVE-2017-5837 (The gst_riff_create_audio_caps function in gst-libs/gst/riff/riff-medi ...) {DSA-3819-1 DLA-2126-1 DLA-827-1} - gst-plugins-base1.0 1.10.3-1 (low) - gst-plugins-base0.10 (low) NOTE: https://www.openwall.com/lists/oss-security/2017/02/01/7 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=777262 CVE-2017-5851 (The free_options function in options_manager.c in mp3splt 2.6.2 allows ...) - mp3splt (unimportant) NOTE: https://github.com/asarubbo/poc/blob/master/00127-mp3splt-nullptr-free_options NOTE: https://blogs.gentoo.org/ago/2017/02/01/mp3splt-null-pointer-dereference-in-free_options-options_manager-c NOTE: No security impact, crash in CLI tool CVE-2017-5679 RESERVED CVE-2017-5678 REJECTED CVE-2017-5677 (PEAR HTML_AJAX 0.3.0 through 0.5.7 has a PHP Object Injection Vulnerab ...) NOT-FOR-US: PEAR HTML_AJAX NOTE: http://karmainsecurity.com/KIS-2017-01 CVE-2017-5676 RESERVED CVE-2017-5857 (Memory leak in the virgl_cmd_resource_unref function in hw/display/vir ...) - qemu 1:2.8+dfsg-3 (bug #853996; unimportant) [jessie] - qemu (Vulnerable code not present) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm (Vulnerable code not present) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-01/msg04615.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1418382 NOTE: https://www.openwall.com/lists/oss-security/2017/02/01/21 CVE-2017-5856 (Memory leak in the megasas_handle_dcmd function in hw/scsi/megasas.c i ...) 
{DLA-1497-1} - qemu 1:2.8+dfsg-3 (bug #853996) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2017/02/01/19 NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=765a707000e838c30b18d712fe6cb3dd8e0435f3 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1418342 CVE-2017-5855 (The PoDoFo::PdfParser::ReadXRefSubsection function in PdfParser.cpp in ...) - libpodofo 0.9.4-6 (bug #854603) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-podofopdfparserreadxrefsubsection-pdfparser-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1843 CVE-2017-5854 (base/PdfOutputStream.cpp in PoDoFo 0.9.4 allows remote attackers to ca ...) - libpodofo 0.9.5-9 (bug #854602) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfoutputstream-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1870 NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1876 NOTE: duplicate CVE: CVE-2018-5308 CVE-2017-5853 (Integer overflow in base/PdfParser.cpp in PoDoFo 0.9.4 allows remote a ...) 
{DLA-929-1} - libpodofo 0.9.4-5 (bug #854601) [jessie] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-signed-integer-overflow-in-pdfparser-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 NOTE: Proposed fix: https://sourceforge.net/p/podofo/mailman/message/35692197/ NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1840/ CVE-2017-5852 (The PoDoFo::PdfPage::GetInheritedKeyFromObject function in base/PdfVar ...) {DLA-929-1} - libpodofo 0.9.5-7 (low; bug #854600) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-infinite-loop-in-podofopdfpagegetinheritedkeyfromobject-pdfpage-cpp NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936 NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1835 NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1838 NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1841 NOTE: further patch for ABI compatibility: https://sourceforge.net/p/podofo/mailman/message/36084628/ CVE-2017-5849 (tiffttopnm in netpbm 10.47.63 does not properly use the libtiff TIFFRG ...) - netpbm-free (vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2017/02/02/2 NOTE: Debian uses an unaffected fork: NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2654#c8 CVE-2017-5850 (httpd in OpenBSD allows remote attackers to cause a denial of service ...) NOT-FOR-US: OpenBSD httpd CVE-2017-5833 (Cross-site scripting (XSS) vulnerability in the invocation code genera ...) NOT-FOR-US: Revive Adserver CVE-2017-5832 (Cross-site scripting (XSS) vulnerability in Revive Adserver before 4.0 ...) NOT-FOR-US: Revive Adserver CVE-2017-5831 (Session fixation vulnerability in the forgot password mechanism in Rev ...) 
NOT-FOR-US: Revive Adserver CVE-2017-5830 (Revive Adserver before 4.0.1 allows remote attackers to execute arbitr ...) NOT-FOR-US: Revive Adserver CVE-2017-5675 (A command-injection vulnerability exists in a web application on a cus ...) NOT-FOR-US: GoAhead Web Server CVE-2017-5674 (A vulnerability in a custom-built GoAhead web server used on Foscam, V ...) NOT-FOR-US: GoAhead Web Server CVE-2017-5673 (In the Kunena extension 5.0.2 through 5.0.4 for Joomla!, the forum mes ...) NOT-FOR-US: Joomla extension CVE-2017-5672 (Kony Enterprise Mobile Management (EMM) before 4.2.5.2 has the vulnera ...) NOT-FOR-US: Kony Enterprise Mobile Management CVE-2017-5671 (Honeywell Intermec PM23, PM42, PM43, PC23, PC43, PD43, and PC42 indust ...) NOT-FOR-US: Honeywell CVE-2017-5670 (Riverbed RiOS through 9.6.0 deletes the secure vault with the rm progr ...) NOT-FOR-US: Riverbed RiOS CVE-2017-5669 (The do_shmat function in ipc/shm.c in the Linux kernel through 4.9.12 ...) {DSA-3804-1 DLA-849-1} - linux 4.9.13-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=192931 CVE-2017-5666 (The free_options function in options_manager.c in mp3splt 2.6.2 allows ...) - mp3splt (unimportant; bug #854278) NOTE: https://blogs.gentoo.org/ago/2017/01/29/mp3splt-invalid-free-in-free_options-options_manager-c NOTE: https://sourceforge.net/p/mp3splt/bugs/209/ NOTE: Negligible security impact CVE-2017-5665 (The splt_cue_export_to_file function in cue.c in libmp3splt 0.9.2 allo ...) - mp3splt (unimportant) NOTE: https://blogs.gentoo.org/ago/2017/01/29/mp3splt-null-pointer-dereference-in-splt_cue_export_to_file-cue-c NOTE: https://sourceforge.net/p/mp3splt/bugs/209/ NOTE: No security impact, crash in CLI tool CVE-2017-5664 (The error page mechanism of the Java Servlet Specification requires th ...) 
{DSA-3892-1 DSA-3891-1 DLA-996-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.5.14-2 (bug #864447) - tomcat7 7.0.72-3 NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API - tomcat6 6.0.41-3 NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie [wheezy] - tomcat6 (Not supported in Wheezy) NOTE: https://lists.apache.org/thread.html/a42c48e37398d76334e17089e43ccab945238b8b7896538478d76066@%3Cannounce.tomcat.apache.org%3E NOTE: Fixed by: http://svn.apache.org/r1793469 (8.5.x) NOTE: Fixed by: http://svn.apache.org/r1793488 (8.5.x) NOTE: Fixed by: http://svn.apache.org/r1793489 (8.0.x) NOTE: Fixed by: http://svn.apache.org/r1793470 (8.0.x) NOTE: Fixed by: http://svn.apache.org/r1793471 (7.0.x) NOTE: Fixed by: http://svn.apache.org/r1793491 (7.0.x) CVE-2017-5663 (In Apache Fineract 0.4.0-incubating, 0.5.0-incubating, and 0.6.0-incub ...) NOT-FOR-US: Apache Fineract CVE-2017-5662 (In Apache Batik before 1.9, files lying on the filesystem of the serve ...) {DSA-4215-1 DLA-926-1} - batik 1.9-1 (bug #860566) NOTE: https://www.openwall.com/lists/oss-security/2017/04/18/1 NOTE: Upstream bug: https://issues.apache.org/jira/browse/BATIK-1139 NOTE: Fixed by: http://svn.apache.org/r1743326 NOTE: Similar issue to CVE-2015-0250 CVE-2017-5661 (In Apache FOP before 2.2, files lying on the filesystem of the server ...) {DSA-3864-1 DLA-927-1} - fop 1:2.1-6 (bug #860567) NOTE: https://www.openwall.com/lists/oss-security/2017/04/18/2 NOTE: Upstream bug: https://issues.apache.org/jira/browse/FOP-2668 NOTE: Fixed by: http://svn.apache.org/r1769967 NOTE: Fixed by: http://svn.apache.org/r1769968 (fix for Java 6) CVE-2017-5660 (There is a vulnerability in Apache Traffic Server (ATS) 6.2.0 and prio ...) 
{DSA-4128-1} - trafficserver 7.1.2+ds-1 [wheezy] - trafficserver (Vulnerable code not present) NOTE: https://github.com/apache/trafficserver/pull/1657 NOTE: https://issues.apache.org/jira/browse/TS-4930 CVE-2017-5659 (Apache Traffic Server before 6.2.1 generates a coredump when there is ...) - trafficserver 7.0.0-1 [wheezy] - trafficserver (PoC doesn't crash the server, fix too hard to backport) NOTE: https://issues.apache.org/jira/browse/TS-4507 NOTE: reproducer in https://issues.apache.org/jira/browse/TS-4819 (dupe of above) NOTE: https://github.com/apache/trafficserver/pull/787/commits/85c021123fd94c4d97a6015484eb1d8054bec9eb NOTE: evaluate related backport to 6.2: https://github.com/apache/trafficserver/pull/1153 CVE-2017-5658 (The statistics generator in Apache Pony Mail 0.7 to 0.9 was found to b ...) NOT-FOR-US: Apache Pony Mail CVE-2017-5657 (Several REST service endpoints of Apache Archiva are not protected aga ...) NOT-FOR-US: Apache Archiva CVE-2017-5656 (Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of c ...) NOT-FOR-US: Apache CXF CVE-2017-5655 (In Ambari 2.2.2 through 2.4.2 and Ambari 2.5.0, sensitive data may be ...) NOT-FOR-US: Apache Ambari CVE-2017-5654 (In Ambari 2.4.x (before 2.4.3) and Ambari 2.5.0, an authorized user of ...) NOT-FOR-US: Apache Ambari CVE-2017-5653 (JAX-RS XML Security streaming clients in Apache CXF before 3.1.11 and ...) NOT-FOR-US: Apache CXF CVE-2017-5652 (During a routine security analysis, it was found that one of the ports ...) NOT-FOR-US: Impala CVE-2017-5651 (In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refact ...) - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.5.11-2 (bug #860071) [jessie] - tomcat8 (Only affects 8.5 and later) NOTE: https://www.openwall.com/lists/oss-security/2017/04/10/21 NOTE: Fixed by: http://svn.apache.org/r1788546 (8.5.x) CVE-2017-5650 (In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handli ...) 
- tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.5.11-2 (bug #860070) [jessie] - tomcat8 (Only affects 8.5 and later) NOTE: https://www.openwall.com/lists/oss-security/2017/04/10/22 NOTE: Fixed by: http://svn.apache.org/r1788480 (8.5.x) CVE-2017-5649 (Apache Geode before 1.1.1, when a cluster has enabled security by sett ...) NOT-FOR-US: Apache Geode CVE-2017-5648 (While investigating bug 60718, it was noticed that some calls to appli ...) {DSA-3843-1 DSA-3842-1 DLA-924-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.5.11-2 (bug #860069) - tomcat7 7.0.72-3 NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API - tomcat6 (Only affects 7.0 and later) NOTE: https://www.openwall.com/lists/oss-security/2017/04/10/23 NOTE: Fixed by: http://svn.apache.org/r1785775 (8.5.x) NOTE: Fixed by: http://svn.apache.org/r1785776 (8.0.x) NOTE: Fixed by: http://svn.apache.org/r1785777 (7.0.x) CVE-2017-5647 (A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0 ...) {DSA-3843-1 DSA-3842-1 DLA-924-1} - tomcat9 (Fixed before initial upload to Debian) - tomcat8 8.5.11-2 (bug #860068) - tomcat7 7.0.72-3 NOTE: Since 7.0.72-3, src:tomcat7 only builds the Servlet API - tomcat6 6.0.41-3 NOTE: Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie NOTE: https://www.openwall.com/lists/oss-security/2017/04/10/24 NOTE: Fixed by: http://svn.apache.org/r1788932 (8.5.x) NOTE: Fixed by: http://svn.apache.org/r1788999 (8.0.x) NOTE: Fixed by: http://svn.apache.org/r1789008 (7.0.x) NOTE: Fixed by: http://svn.apache.org/r1789024 (6.0.x) NOTE: Fixed by: http://svn.apache.org/r1789155 (6.0.x) NOTE: Fixed by: http://svn.apache.org/r1789856 (6.0.x) CVE-2017-5646 (For versions of Apache Knox from 0.2.0 to 0.11.0 - an authenticated us ...) NOT-FOR-US: Apache Knox CVE-2017-5645 (In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or ...) 
- apache-log4j2 2.7-2 (bug #860489) [jessie] - apache-log4j2 (Minor issue, no consumers of liblog4j2-java in Jessie) NOTE: https://issues.apache.org/jira/browse/LOG4J2-1863 NOTE: Fixed by: https://git-wip-us.apache.org/repos/asf?p=logging-log4j2.git;h=5dcc19215827db29c993d0305ee2b0d8dd05939d CVE-2017-5644 (Apache POI in versions prior to release 3.15 allows remote attackers t ...) - libapache-poi-java 3.17-1 (bug #858301) [stretch] - libapache-poi-java (Minor issue) [jessie] - libapache-poi-java (Minor issue) [wheezy] - libapache-poi-java (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2017/03/20/9 CVE-2017-5643 (Apache Camel's Validation Component is vulnerable against SSRF via rem ...) NOT-FOR-US: Apache Camel CVE-2017-5642 (During installation of Ambari 2.4.0 through 2.4.2, Ambari Server artif ...) NOT-FOR-US: Apache Ambari CVE-2017-5641 (Previous versions of Apache Flex BlazeDS (4.7.2 and earlier) did not r ...) NOT-FOR-US: Apache Flex BlazeDS CVE-2017-5640 (It was noticed that a malicious process impersonating an Impala daemon ...) NOT-FOR-US: Impala CVE-2017-5639 REJECTED CVE-2017-5638 (The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 an ...) - libstruts1.2-java (Only affects Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10) NOTE: https://cwiki.apache.org/confluence/display/WW/S2-045 CVE-2017-5637 (Two four letter word commands "wchp/wchc" are CPU intensive and could ...) {DSA-3871-1 DLA-986-1} - zookeeper 3.4.9-3 (bug #863811) NOTE: https://issues.apache.org/jira/browse/ZOOKEEPER-2693 CVE-2017-5636 (In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environm ...) NOT-FOR-US: Apache NiFi CVE-2017-5635 (In Apache NiFi before 0.7.2 and 1.x before 1.1.2 in a cluster environm ...) NOT-FOR-US: Apache NiFi CVE-2017-5634 (The Norwegian Air Shuttle (aka norwegian.com) airline kiosk allows phy ...) NOT-FOR-US: Norwegian CVE-2017-5633 (Multiple cross-site request forgery (CSRF) vulnerabilities on the D-Li ...) 
NOT-FOR-US: D-Link CVE-2017-5632 (An issue was discovered on the ASUS RT-N56U Wireless Router with Firmw ...) NOT-FOR-US: Asus router CVE-2017-5631 (An issue was discovered in KMCIS CaseAware. Reflected cross site scrip ...) NOT-FOR-US: KMCIS CaseAware CVE-2017-5630 (PECL in the download utility class in the Installer in PEAR Base Syste ...) - php5 (unimportant) - php-pear (unimportant) NOTE: https://pear.php.net/bugs/bug.php?id=21171 NOTE: pear performs no kind of authentication/integrity checks for downloads, so an attacker can MITM freely anyway CVE-2017-5629 RESERVED CVE-2017-5626 (OxygenOS before version 4.0.2, on OnePlus 3 and 3T, has two hidden fas ...) NOT-FOR-US: OxygenOS CVE-2017-5625 (In OxygenOS before 4.0.3 on OnePlus 3 and 3T devices, an unauthorized ...) NOT-FOR-US: OxygenOS CVE-2017-5624 (An issue was discovered in OxygenOS before 4.0.3 for OnePlus 3 and 3T. ...) NOT-FOR-US: OxygenOS CVE-2017-5623 (An issue was discovered in OxygenOS before 4.1.0 on OnePlus 3 and 3T d ...) NOT-FOR-US: OxygenOS CVE-2017-5622 (With OxygenOS before 4.0.3, when a charger is connected to a powered-o ...) NOT-FOR-US: OxygenOS CVE-2017-5621 (An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, an ...) - zammad (bug #841355) CVE-2017-5620 (An XSS issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3 ...) - zammad (bug #841355) CVE-2017-5619 (An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, an ...) - zammad (bug #841355) CVE-2017-5609 (SQL injection vulnerability in include/functions_entries.inc.php in Se ...) - serendipity CVE-2017-5607 (Splunk Enterprise 5.0.x before 5.0.18, 6.0.x before 6.0.14, 6.1.x befo ...) NOT-FOR-US: Splunk CVE-2017-5606 (An incorrect implementation of "XEP-0280: Message Carbons" in multiple ...) NOT-FOR-US: Xabber CVE-2017-5605 (An incorrect implementation of "XEP-0280: Message Carbons" in multiple ...) 
NOT-FOR-US: Movim CVE-2017-5604 (An incorrect implementation of "XEP-0280: Message Carbons" in multiple ...) - mcabber 1.0.4-1.1 (bug #854738) [jessie] - mcabber (XEP-0280: Message Carbons not implemented) [wheezy] - mcabber (XEP-0280: Message Carbons not implemented) CVE-2017-5603 (An incorrect implementation of "XEP-0280: Message Carbons" in multiple ...) - jitsi (bug #854737) CVE-2017-5602 (An incorrect implementation of "XEP-0280: Message Carbons" in multiple ...) - jappix (bug #619347) CVE-2017-5601 (An error in the lha_read_file_header_1() function (archive_read_suppor ...) {DLA-1600-1 DLA-810-1} - libarchive 3.2.1-6 (bug #853278) NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/98dcbbf0bf4854bf987557e55e55fff7abbf3ea9 NOTE: https://secunia.com/secunia_research/2017-3/ CVE-2017-5667 (The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU ...) {DLA-1497-1} - qemu 1:2.8+dfsg-3 (bug #853996) [wheezy] - qemu (Vulnerable code not present) - qemu-kvm [wheezy] - qemu-kvm (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-01/msg06191.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1417559 NOTE: https://www.openwall.com/lists/oss-security/2017/01/30/2 CVE-2017-5668 (bitlbee-libpurple before 3.5.1 allows remote attackers to cause a deni ...) - bitlbee 3.5.1-1 (bug #853282) [jessie] - bitlbee (Incomplete fix for CVE-2016-10189 not applied) [wheezy] - bitlbee (Incomplete fix for CVE-2016-10189 not applied) NOTE: https://bugs.bitlbee.org/ticket/1282 NOTE: Fixed by: https://github.com/bitlbee/bitlbee/commit/30d598ce7cd3f136ee9d7097f39fa9818a272441 (3.5.1) NOTE: https://www.openwall.com/lists/oss-security/2017/01/30/4 NOTE: This CVE exists because of an incomplete fix for CVE-2016-10189 CVE-2017-5940 (Firejail before 0.9.44.6 and 0.9.38.x LTS before 0.9.38.10 LTS does no ...) 
- firejail 0.9.44.6-1 NOTE: Changelog mentions the new fix for CVE-2017-5180 in RELNOTES for 0.9.44.6 NOTE: and needs a series of commits after 0.9.44.4 NOTE: https://github.com/netblue30/firejail/blob/0.9.44.6/RELNOTES NOTE: https://github.com/netblue30/firejail/commit/38d418505e9ee2d326557e5639e8da49c298858f (0.9.44.6) NOTE: https://github.com/netblue30/firejail/commit/b8a4ff9775318ca5e679183884a6a63f3da8f863 (0.9.44.6) NOTE: https://www.openwall.com/lists/oss-security/2017/01/29/4 CVE-2017-5899 (Directory traversal vulnerability in the setuid root helper binary in ...) - s-nail 14.8.16-1 (bug #852934) NOTE: https://www.mail-archive.com/s-nail-users@lists.sourceforge.net/msg00551.html NOTE: https://git.sdaoden.eu/cgit/s-nail.git/commit/?id=f797c27efecad45af191c518b7f87fda32ada160 NOTE: https://git.sdaoden.eu/cgit/s-nail.git/commit/?id=f2699449b66dd702a98925bd1b11153a6f7294bf NOTE: https://www.openwall.com/lists/oss-security/2017/01/27/7 CVE-2017-5628 (An issue was discovered in Artifex Software, Inc. MuJS before 8f62ea10 ...) - mujs (Fixed before initial upload to Debian) NOTE: http://git.ghostscript.com/?p=mujs.git;h=8f62ea10a0af68e56d5c00720523ebcba13c2e6a NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697496 CVE-2017-5627 (An issue was discovered in Artifex Software, Inc. MuJS before 4006739a ...) - mujs (Fixed before initial upload to Debian) NOTE: http://git.ghostscript.com/?p=mujs.git;h=4006739a28367c708dea19aeb19b8a1a9326ce08 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697497 CVE-2017-5617 (The SVG Salamander (aka svgSalamander) library, when used in a web app ...) {DSA-3781-1 DLA-816-1} - svgsalamander 1.1.1+dfsg-2 (bug #853134) NOTE: https://github.com/blackears/svgSalamander/issues/11 NOTE: https://www.openwall.com/lists/oss-security/2017/01/27/3 CVE-2017-5608 (Cross-site scripting (XSS) vulnerability in the image upload function ...) - piwigo CVE-2017-5600 (The Data Warehouse component in NetApp OnCommand Insight before 7.2.3 ...) 
NOT-FOR-US: NetApp OnCommand Insight CVE-2017-5599 (An issue was discovered in eClinicalWorks Patient Portal 7.0 build 13. ...) NOT-FOR-US: eClinicalWorks CVE-2017-5598 (An issue was discovered in eClinicalWorks healow@work 8.0 build 8. Thi ...) NOT-FOR-US: eClinicalWorks CVE-2017-5612 (Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp ...) {DSA-3779-1 DLA-813-1} - wordpress 4.7.2+dfsg-1 (bug #852767) NOTE: https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849 NOTE: https://www.openwall.com/lists/oss-security/2017/01/27/2 CVE-2017-5611 (SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Qu ...) {DSA-3779-1 DLA-813-1} - wordpress 4.7.2+dfsg-1 (bug #852767) NOTE: https://github.com/WordPress/WordPress/commit/85384297a60900004e27e417eac56d24267054cb NOTE: https://www.openwall.com/lists/oss-security/2017/01/27/2 CVE-2017-5610 (wp-admin/includes/class-wp-press-this.php in Press This in WordPress b ...) {DSA-3779-1 DLA-813-1} - wordpress 4.7.2+dfsg-1 (bug #852767) NOTE: https://github.com/WordPress/WordPress/commit/21264a31e0849e6ff793a06a17de877dd88ea454 NOTE: https://www.openwall.com/lists/oss-security/2017/01/27/2 CVE-2017-5595 (A file disclosure and inclusion vulnerability exists in web/views/file ...) {DLA-1145-1} - zoneminder 1.30.4+dfsg-1 (bug #854733) NOTE: Check https://github.com/ZoneMinder/ZoneMinder/commit/8b19fca9927cdec07cc9dd09bdcf2496a5ae69b3 CVE-2017-5594 (An issue was discovered in Pagekit CMS before 1.0.11. In this vulnerab ...) NOT-FOR-US: Pagekit CMS CVE-2017-5593 (An incorrect implementation of "XEP-0280: Message Carbons" in multiple ...) - psi-plus (vulnerable code not present, XEP-0280 not implemented) CVE-2017-5592 (An incorrect implementation of "XEP-0280: Message Carbons" in multiple ...) - profanity 0.5.1-1 (bug #854735) [jessie] - profanity (Vulnerable code not present) CVE-2017-5591 (An incorrect implementation of "XEP-0280: Message Carbons" in multiple ...) 
- sleekxmpp 1.3.1-6 (bug #854739) [jessie] - sleekxmpp (vulnerable code not present, XEP-0280 not implemented) [wheezy] - sleekxmpp (vulnerable code not present, XEP-0280 not implemented) - slixmpp 1.2.2-1.1 (bug #854740) CVE-2017-5590 (An incorrect implementation of "XEP-0280: Message Carbons" in multiple ...) NOT-FOR-US: ChatSecure / Zom CVE-2017-5589 (An incorrect implementation of "XEP-0280: Message Carbons" in multiple ...) NOT-FOR-US: yaxim / Bruno CVE-2017-5588 RESERVED CVE-2017-5587 RESERVED CVE-2017-5586 (OpenText Documentum D2 (formerly EMC Documentum D2) 4.x allows remote ...) NOT-FOR-US: OpenText Documentum D2 CVE-2017-5585 (OpenText Documentum Content Server (formerly EMC Documentum Content Se ...) NOT-FOR-US: OpenText Documentum Content Server CVE-2017-5584 (Cross-site scripting (XSS) vulnerability in the Management Web Interfa ...) NOT-FOR-US: Palo Alto Networks CVE-2017-5583 (The Management Web Interface in Palo Alto Networks PAN-OS before 6.1.1 ...) NOT-FOR-US: Palo Alto Networks CVE-2017-5582 RESERVED CVE-2017-6852 (Heap-based buffer overflow in the jpc_dec_decodepkt function in jpc_t2 ...) - jasper [jessie] - jasper (Minor issue) [wheezy] - jasper (Minor issue) NOTE: Upstream bug: https://github.com/mdadams/jasper/issues/114 NOTE: https://www.openwall.com/lists/oss-security/2017/01/25/10 NOTE: The POC only triggers an assertion failure but an overflow cannot be observed. CVE-2017-6850 (The jp2_cdef_destroy function in jp2_cod.c in JasPer before 2.0.13 all ...) - jasper (unimportant) NOTE: Upstream bug: https://github.com/mdadams/jasper/issues/112 NOTE: https://www.openwall.com/lists/oss-security/2017/01/25/8 NOTE: Not suitable for code injection, hardly denial of service CVE-2017-6851 (The jas_matrix_bindsub function in jas_seq.c in JasPer 2.0.10 allows r ...) 
- jasper (unimportant) NOTE: Upstream bug: https://github.com/mdadams/jasper/issues/113 NOTE: https://www.openwall.com/lists/oss-security/2017/01/25/9 NOTE: Not suitable for code injection, hardly denial of service CVE-2017-5618 (GNU screen before 4.5.1 allows local users to modify arbitrary files a ...) - screen 4.5.0-3 (bug #852484) [stretch] - screen (Vulnerable code not present/never migrated to stretch) [jessie] - screen (Vulnerable code not present) [wheezy] - screen (Vulnerable code not present) NOTE: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html NOTE: https://savannah.gnu.org/bugs/?50142 NOTE: Introduced in (screen-v4): http://git.savannah.gnu.org/cgit/screen.git/commit/?h=screen-v4&id=5460f5d28c01a9a58e021eb1dffef2965e629d58 NOTE: Introduced in (master): http://git.savannah.gnu.org/cgit/screen.git/commit/?id=c575c40c9bd7653470639da32e06faed0a9b2ec4 NOTE: https://www.openwall.com/lists/oss-security/2017/01/24/10 CVE-2017-5597 (In Wireshark 2.2.0 to 2.2.3 and 2.0.0 to 2.0.9, the DHCPv6 dissector c ...) {DSA-3811-1 DLA-858-1} - wireshark 2.2.4+gcc3dc1b-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-02.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13345 CVE-2017-5596 (In Wireshark 2.2.0 to 2.2.3 and 2.0.0 to 2.0.9, the ASTERIX dissector ...) {DSA-3811-1 DLA-858-1} - wireshark 2.2.4+gcc3dc1b-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2017-01.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13344 CVE-2017-5581 (Buffer overflow in the ModifiablePixelBuffer::fillRect function in Tig ...) - tigervnc 1.7.0+dfsg-3 (bug #852213) NOTE: https://github.com/TigerVNC/tigervnc/pull/399 NOTE: https://github.com/TigerVNC/tigervnc/commit/18c020124ff1b2441f714da2017f63dba50720ba CVE-2017-5580 (The parse_instruction function in gallium/auxiliary/tgsi/tgsi_text.c i ...) 
- virglrenderer 0.6.0-1 (bug #852604) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1415986 NOTE: https://cgit.freedesktop.org/virglrenderer/commit/?id=28894a30a17a84529be102b21118e55d6c9f23fa (0.6.0) NOTE: https://lists.freedesktop.org/archives/virglrenderer-devel/2017-January/000105.html CVE-2017-5579 (Memory leak in the serial_exit_core function in hw/char/serial.c in QE ...) {DLA-1497-1} - qemu 1:2.8+dfsg-3 (bug #853002) [wheezy] - qemu (Minor issue) - qemu-kvm [wheezy] - qemu-kvm (Minor issue) NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=8409dc884a201bf74b30a9d232b6bbdd00cb7e2b NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1416157 CVE-2017-5578 (Memory leak in the virtio_gpu_resource_attach_backing function in hw/d ...) - qemu 1:2.10.0-1 (unimportant) [jessie] - qemu (Vulnerable code introduced later) [wheezy] - qemu (Vulnerable code introduced later) - qemu-kvm (Vulnerable code introduced later) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=204f01b30975923c64006f8067f0937b91eea68b (v2.9.0-rc0) NOTE: Introduced after: http://git.qemu.org/?p=qemu.git;a=commit;h=62232bf48456bda4058ceae05851bc58c1032338 (v2.4.0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1415795 NOTE: Marked as unimportant, since 1:2.8+dfsg-2 upload reverts NOTE: enable virtio gpu (virglrenderer) and opengl support CVE-2017-5577 (The vc4_get_bcl function in drivers/gpu/drm/vc4/vc4_gem.c in the Video ...) - linux 4.9.6-1 [jessie] - linux (Vulnerable code introduced later) [wheezy] - linux (Vulnerable code introduced later) NOTE: Fixed by: https://git.kernel.org/linus/6b8ac63847bc2f958dd93c09edc941a0118992d9 NOTE: Introduced by: https://git.kernel.org/linus/d5b1a78a772f1e31a94f8babfa964152ec5e9aa5 (4.5-rc1) CVE-2017-5576 (Integer overflow in the vc4_get_bcl function in drivers/gpu/drm/vc4/vc ...) 
	- linux 4.9.6-1
	[jessie] - linux (Vulnerable code introduced later)
	[wheezy] - linux (Vulnerable code introduced later)
	NOTE: Fixed by: https://git.kernel.org/linus/0f2ff82e11c86c05d051cae32b58226392d33bbf
	NOTE: Introduced by: https://git.kernel.org/linus/d5b1a78a772f1e31a94f8babfa964152ec5e9aa5 (4.5-rc1)
CVE-2017-5575 (SQL injection vulnerability in inc/lib/Options.class.php in GeniXCMS b ...)
	NOT-FOR-US: GenixCMS
CVE-2017-5574 (SQL injection vulnerability in register.php in GeniXCMS before 1.0.0 a ...)
	NOT-FOR-US: GenixCMS
CVE-2017-5573 (An issue was discovered in Linux Foundation xapi in Citrix XenServer t ...)
	NOT-FOR-US: Citrix
CVE-2017-5572 (An issue was discovered in Linux Foundation xapi in Citrix XenServer t ...)
	NOT-FOR-US: Citrix
CVE-2017-5571 (Open redirect vulnerability in the lmadmin component in Flexera FlexNe ...)
	NOT-FOR-US: Flexera FlexNet Publisher
CVE-2017-5570 (An issue was discovered in eClinicalWorks Patient Portal 7.0 build 13. ...)
	NOT-FOR-US: eClinicalWorks
CVE-2017-5569 (An issue was discovered in eClinicalWorks Patient Portal 7.0 build 13. ...)
	NOT-FOR-US: eClinicalWorks
CVE-2017-5568
	RESERVED
CVE-2017-5567 (Code injection vulnerability in Avast Premier 12.3 (and earlier), Inte ...)
	NOT-FOR-US: Avast
CVE-2017-5566 (Code injection vulnerability in AVG Ultimate 17.1 (and earlier), AVG I ...)
	NOT-FOR-US: AVG
CVE-2017-5565 (Code injection vulnerability in Trend Micro Maximum Security 11.0 (and ...)
	NOT-FOR-US: Trend Micro
CVE-2017-5564
	RESERVED
CVE-2017-5563 (LibTIFF version 4.0.7 is vulnerable to a heap-based buffer over-read i ...)
	- tiff (unimportant)
	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2664
	NOTE: bmp2tiff utility removed in 4.0.6-3 and 4.0.3-12.3+deb8u2
CVE-2017-5562
	RESERVED
CVE-2017-5561
	RESERVED
CVE-2017-5560
	RESERVED
CVE-2017-5559
	RESERVED
CVE-2017-5558
	RESERVED
CVE-2017-5557
	RESERVED
CVE-2017-5556 (The ConvertToPDF plugin in Foxit Reader before 8.2 and PhantomPDF befo ...)
	NOT-FOR-US: Foxit Reader
CVE-2017-5555
	RESERVED
CVE-2017-5554 (An issue was discovered in ABOOT in OnePlus 3 and 3T OxygenOS before 4 ...)
	NOT-FOR-US: OnePlus 3 / 3T OxygenOS
CVE-2017-5553 (Cross-site scripting (XSS) vulnerability in plugins/markdown_plugin/_m ...)
	- b2evolution
CVE-2017-5545 (The main function in plistutil.c in libimobiledevice libplist through ...)
	{DLA-2168-1 DLA-811-1}
	- libplist 1.12+git+1+e37ca00-0.1 (low; bug #852385)
	NOTE: https://github.com/libimobiledevice/libplist/issues/87
	NOTE: Fixed by: https://github.com/libimobiledevice/libplist/commit/7391a506352c009fe044dead7baad9e22dd279ee
CVE-2017-5544 (An issue was discovered on FiberHome Fengine S5800 switches V210R240. ...)
	NOT-FOR-US: FiberHome switches
CVE-2017-5543 (includes/classes/ia.core.users.php in Subrion CMS 4.0.5 allows remote ...)
	NOT-FOR-US: Subrion CMS
CVE-2017-5542 (Cross-site scripting (XSS) vulnerability in template/usererror.missing ...)
	NOT-FOR-US: Symphony CMS
CVE-2017-5541 (Directory traversal vulnerability in template/usererror.missing_extens ...)
	NOT-FOR-US: Symphony CMS
CVE-2017-5540
	RESERVED
CVE-2017-5539 (The patch for directory traversal (CVE-2017-5480) in b2evolution versi ...)
	- b2evolution
CVE-2017-5536 (The GridServer Broker, and GridServer Director components of TIBCO Sof ...)
	NOT-FOR-US: TIBCO GridServer
CVE-2017-5535 (The GridServer Broker, GridServer Driver, and GridServer Engine compon ...)
	NOT-FOR-US: TIBCO GridServer
CVE-2017-5534 (The tibbr user profiles components of tibbr Community, and tibbr Enter ...)
	NOT-FOR-US: tibbr
CVE-2017-5533 (A vulnerability in the server content cache of TIBCO JasperReports Ser ...)
	- jasperreports (bug #884131)
	[jessie] - jasperreports (no detailed information available, only needed as build-dependency for Spring)
	[wheezy] - jasperreports (cannot be supported due to lack of information)
	NOTE: http://www.tibco.com/support/advisories/2017/11/tibco-security-advisory-november-15-2017-tibco-jasperreports-server-2017
CVE-2017-5532 (A vulnerability in the report renderer component of TIBCO JasperReport ...)
	- jasperreports (bug #884131)
	[jessie] - jasperreports (no detailed information available, only needed as build-dependency for Spring)
	[wheezy] - jasperreports (cannot be supported due to lack of information)
	NOTE: https://www.tibco.com/support/advisories/2017/11/tibco-security-advisory-november-15-2017-tibco-jasperreports-2017-5532
CVE-2017-5531 (Deployments of TIBCO Managed File Transfer Command Center versions 8.0 ...)
	NOT-FOR-US: TIBCO
CVE-2017-5530 (The tibbr web server components of tibbr Community, and tibbr Enterpri ...)
	NOT-FOR-US: tibbr
CVE-2017-5529 (JasperReports library components contain an information disclosure vul ...)
	- jasperreports (bug #880467)
	[jessie] - jasperreports (no detailed information available, only needed as build-dependency for Spring)
	[wheezy] - jasperreports (cannot be supported due to lack of information)
	NOTE: https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017-0
CVE-2017-5528 (Multiple JasperReports Server components contain vulnerabilities which ...)
	- jasperreports (bug #880467)
	[jessie] - jasperreports (no detailed information available, only needed as build-dependency for Spring)
	[wheezy] - jasperreports (cannot be supported due to lack of information)
	NOTE: https://www.tibco.com/support/advisories/2017/06/tibco-security-advisory-june-28-2017-tibco-jasperreports-server-2017
CVE-2017-5527 (TIBCO Spotfire Server 7.0.X before 7.0.2, 7.5.x before 7.5.1, 7.6.x be ...)
	NOT-FOR-US: TIBCO Spotfire Server
CVE-2017-5616 (Cross-site scripting (XSS) vulnerability in cgiemail and cgiecho allow ...)
	{DLA-869-1}
	- cgiemail (bug #852031)
	NOTE: https://www.openwall.com/lists/oss-security/2017/01/20/6
CVE-2017-5615 (cgiemail and cgiecho allow remote attackers to inject HTTP headers via ...)
	{DLA-869-1}
	- cgiemail (bug #852031)
	NOTE: https://www.openwall.com/lists/oss-security/2017/01/20/6
CVE-2017-5614 (Open redirect vulnerability in cgiemail and cgiecho allows remote atta ...)
	{DLA-869-1}
	- cgiemail (bug #852031)
	NOTE: https://www.openwall.com/lists/oss-security/2017/01/20/6
CVE-2017-5613 (Format string vulnerability in cgiemail and cgiecho allows remote atta ...)
	{DLA-869-1}
	- cgiemail (bug #852031)
	NOTE: https://www.openwall.com/lists/oss-security/2017/01/20/6
CVE-2017-5552 (Memory leak in the virgl_resource_attach_backing function in hw/displa ...)
	- qemu 1:2.10.0-1 (bug #852119; unimportant)
	[jessie] - qemu (Vulnerable code not present)
	[wheezy] - qemu (Vulnerable code not present)
	- qemu-kvm (Vulnerable code not present)
	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-01/msg00154.html
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1415281
	NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=33243031dad02d161225ba99d782616da133f689 (v2.9.0-rc0)
	NOTE: Marked as unimportant, since 1:2.8+dfsg-2 reverted the support for
	NOTE: virtio gpu (virglrenderer) and opengl, but the affected code is
	NOTE: still present.
CVE-2017-5551 (The simple_set_acl function in fs/posix_acl.c in the Linux kernel befo ...)
	{DSA-3791-1}
	- linux 4.9.6-1
	[wheezy] - linux 3.2.84-1
	NOTE: Backported fix for CVE-2016-7097 already covered this CVE for wheezy
	NOTE: Fixed by: https://git.kernel.org/linus/497de07d89c1410d76a15bec2bb41f24a2a89f31 (4.10-rc4)
CVE-2017-5550 (Off-by-one error in the pipe_advance function in lib/iov_iter.c in the ...)
	- linux 4.9.6-1
	[jessie] - linux (Introduced in 4.9)
	[wheezy] - linux (Introduced in 4.9)
	NOTE: Fixed by: https://git.kernel.org/linus/b9dc6f65bc5e232d1c05fe34b5daadc7e8bbf1fb (4.10-rc4)
	NOTE: Introduced by: https://github.com/torvalds/linux/commit/241699cd72a8489c9446ae3910ddd243e9b9061b (4.9-rc1)
CVE-2017-5549 (The klsi_105_get_line_state function in drivers/usb/serial/kl5kusb105. ...)
	{DSA-3791-1 DLA-833-1}
	- linux 4.9.6-1
	NOTE: Fixed by: https://git.kernel.org/linus/146cc8a17a3b4996f6805ee5c080e7101277c410 (4.10-rc4)
CVE-2017-5548 (drivers/net/ieee802154/atusb.c in the Linux kernel 4.9.x before 4.9.6 ...)
	- linux 4.9.6-1
	[jessie] - linux (Introduced in 4.9 in combination with VMAP_STACK)
	[wheezy] - linux (Introduced in 4.9 in combination with VMAP_STACK)
	NOTE: Fixed by: https://git.kernel.org/linus/05a974efa4bdf6e2a150e3f27dc6fcf0a9ad5655
CVE-2017-5547 (drivers/hid/hid-corsair.c in the Linux kernel 4.9.x before 4.9.6 inter ...)
	- linux 4.9.6-1
	[jessie] - linux (Vulnerable code introduced in v4.4-rc1)
	[wheezy] - linux (Vulnerable code introduced in v4.4-rc1)
	NOTE: Fixed by: https://git.kernel.org/linus/6d104af38b570d37aa32a5803b04c354f8ed513d
CVE-2017-5546 (The freelist-randomization feature in mm/slab.c in the Linux kernel 4. ...)
	- linux 4.9.6-1
	[jessie] - linux (freelist randomisation introduced in 4.7)
	[wheezy] - linux (freelist randomisation introduced in 4.7)
	NOTE: Fixed by: https://git.kernel.org/linus/c4e490cf148e85ead0d1b1c2caaba833f1d5b29f (v4.10-rc4)
CVE-2017-5538 (The kbase_dispatch function in arm/t7xx/r5p0/mali_kbase_core_linux.c i ...)
	NOT-FOR-US: Samsung Exynos
CVE-2017-5524 (Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers ...)
	NOT-FOR-US: Plone
CVE-2017-5537 (The password reset form in Weblate before 2.10.1 provides different er ...)
	- weblate (bug #745661)
	NOTE: https://www.openwall.com/lists/oss-security/2017/01/18/11
CVE-2017-5526 (Memory leak in hw/audio/es1370.c in QEMU (aka Quick Emulator) allows l ...)
	{DLA-1497-1}
	- qemu 1:2.8+dfsg-2 (bug #851910)
	[wheezy] - qemu (Minor issue)
	- qemu-kvm
	[wheezy] - qemu-kvm (Minor issue)
	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-01/msg01742.html
	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1414209
	NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=069eb7b2b8fc47c7cb52e5a4af23ea98d939e3da
	NOTE: Sound device hotplug not supported by libvirt
CVE-2017-5525 (Memory leak in hw/audio/ac97.c in QEMU (aka Quick Emulator) allows loc ...)
	{DLA-1497-1}
	- qemu 1:2.8+dfsg-2 (bug #852021)
	[wheezy] - qemu (Minor issue)
	- qemu-kvm
	[wheezy] - qemu-kvm (Minor issue)
	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2017-01/msg01740.html
	NOTE: http://git.qemu.org/?p=qemu.git;a=commit;h=12351a91da97b414eec8cdb09f1d9f41e535a401
	NOTE: Sound device hotplug not supported by libvirt
CVE-2017-5523
	RESERVED
CVE-2017-5522 (Stack-based buffer overflow in MapServer before 6.0.6, 6.2.x before 6. ...)
	{DSA-3766-1 DLA-790-1}
	- mapserver 7.0.4-1
	NOTE: https://lists.osgeo.org/pipermail/mapserver-dev/2017-January/015007.html
	NOTE: https://github.com/mapserver/mapserver/commit/e52a436c0e1c5e9f7ef13428dba83194a800f4df
CVE-2017-2578 (In Moodle 3.x, there is XSS in the assignment submission page. ...)
	- moodle 2.7.18+dfsg-1
	NOTE: https://moodle.org/mod/forum/discuss.php?d=345915
CVE-2017-2576 (In Moodle 2.x and 3.x, there is incorrect sanitization of attributes i ...)
	- moodle 2.7.18+dfsg-1
	NOTE: https://moodle.org/mod/forum/discuss.php?d=345912
CVE-2017-5521 (An issue was discovered on NETGEAR R8500, R8300, R7000, R6400, R7300, ...)
	NOT-FOR-US: NETGEAR
CVE-2017-5520 (The media rename feature in GeniXCMS through 0.0.8 does not consider a ...)
	NOT-FOR-US: GenixCMS
CVE-2017-5519 (SQL injection vulnerability in Posts.class.php in GeniXCMS through 0.0 ...)
	NOT-FOR-US: GenixCMS
CVE-2017-5518 (The media-file upload feature in GeniXCMS through 0.0.8 allows remote ...)
	NOT-FOR-US: GenixCMS
CVE-2017-5517 (SQL injection vulnerability in author.control.php in GeniXCMS through ...)
	NOT-FOR-US: GenixCMS
CVE-2017-5516 (Multiple cross-site scripting (XSS) vulnerabilities in the user forms ...)
	NOT-FOR-US: GenixCMS
CVE-2017-5515 (Cross-site scripting (XSS) vulnerability in the user prompt function i ...)
	NOT-FOR-US: GenixCMS
CVE-2017-5514
	RESERVED
CVE-2017-5513
	RESERVED
CVE-2017-5512
	RESERVED
CVE-2017-5497
	RESERVED
CVE-2017-5496 (Sawmill Enterprise 8.7.9 allows remote attackers to gain login access ...)
	NOT-FOR-US: Sawmill Enterprise
CVE-2017-5495 (All versions of Quagga, 0.93 through 1.1.0, are vulnerable to an unbou ...)
	- quagga 1.1.1-1 (bug #852454)
	[jessie] - quagga (Minor issue)
	[wheezy] - quagga (Minor issue)
	NOTE: http://savannah.nongnu.org/forum/forum.php?forum_id=8783
	NOTE: http://mirror.easyname.at/nongnu//quagga/quagga-1.1.1.changelog.txt
	NOTE: Fixed by: http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=b7ceefea77a246fe5c1dcd1b91bf6079d1b97c02
	NOTE: http://git.savannah.gnu.org/cgit/quagga.git/commit/?id=7d66284a5817a1613b1e4d64a0775ec04fdf8c01
CVE-2017-5494 (Multiple cross-site scripting (XSS) vulnerabilities in the file types ...)
	- b2evolution
CVE-2017-5486 (The ISO CLNS parser in tcpdump before 4.9.0 has a buffer overflow in p ...)
	{DSA-3775-1 DLA-809-1}
	- tcpdump 4.9.0-1
CVE-2017-5485 (The ISO CLNS parser in tcpdump before 4.9.0 has a buffer overflow in a ...)
	{DSA-3775-1 DLA-809-1}
	- tcpdump 4.9.0-1
CVE-2017-5484 (The ATM parser in tcpdump before 4.9.0 has a buffer overflow in print- ...)
	{DSA-3775-1 DLA-809-1}
	- tcpdump 4.9.0-1
CVE-2017-5483 (The SNMP parser in tcpdump before 4.9.0 has a buffer overflow in print ...)
	{DSA-3775-1 DLA-809-1}
	- tcpdump 4.9.0-1
CVE-2017-5482 (The Q.933 parser in tcpdump before 4.9.0 has a buffer overflow in prin ...)
	{DSA-3775-1 DLA-809-1}
	- tcpdump 4.9.0-1
CVE-2017-5481 (Trend Micro OfficeScan 11.0 before SP1 CP 6325 and XG before CP 1352 a ...)
	NOT-FOR-US: Trend Micro
CVE-2017-5480 (Directory traversal vulnerability in inc/files/files.ctrl.php in b2evo ...)
	- b2evolution
CVE-2017-5479
	RESERVED
CVE-2017-5478
	RESERVED
CVE-2017-5477
	RESERVED
CVE-2017-5476 (Serendipity through 2.0.5 allows CSRF for the installation of an event ...)
	- serendipity
CVE-2017-5475 (comment.php in Serendipity through 2.0.5 allows CSRF in deleting any c ...)
	- serendipity
CVE-2017-5474 (Open redirect vulnerability in comment.php in Serendipity through 2.0. ...)
	- serendipity
CVE-2017-5473 (Cross-site request forgery (CSRF) vulnerability in ntopng through 2.4 ...)
	- ntopng 2.4+dfsg1-3 (bug #852109)
	[jessie] - ntopng (Minor issue)
	NOTE: https://github.com/ntop/ntopng/commit/1b2ceac8f578a246af6351c4f476e3102cdf21b3
	NOTE: https://github.com/ntop/ntopng/commit/f91fbe3d94c8346884271838ae3406ae633f6f15
CVE-2017-5472 (A use-after-free vulnerability with the frameloader during tree recons ...)
	{DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1}
	- firefox 54.0-1
	- firefox-esr 52.2.0esr-1
	- icedove 1:52.2.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-5472
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-5472
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-5472
CVE-2017-5471 (Memory safety bugs were reported in Firefox 53. Some of these bugs sho ...)
	- firefox 54.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-5471
CVE-2017-5470 (Memory safety bugs were reported in Firefox 53 and Firefox ESR 52.1. S ...)
	{DSA-3918-1 DSA-3881-1 DLA-1007-1 DLA-991-1}
	- firefox 54.0-1
	- firefox-esr 52.2.0esr-1
	- icedove 1:52.2.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-5470
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/#CVE-2017-5470
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-5470
CVE-2017-5469 (Fixed potential buffer overflows in generated Firefox code due to CVE- ...)
	{DSA-3831-1 DLA-906-1}
	- firefox-esr 45.9.0esr-1
	- firefox 52.0.1-1
CVE-2017-5468 (An issue with incorrect ownership model of "privateBrowsing" informati ...)
	- firefox 52.0.1-1
CVE-2017-5467 (A potential memory corruption and crash when using Skia content when d ...)
	- firefox 52.0.1-1
CVE-2017-5466 (If a page is loaded from an original site through a hyperlink and cont ...)
	- firefox 52.0.1-1
CVE-2017-5465 (An out-of-bounds read while processing SVG content in "ConvolvePixel". ...)
	{DSA-3831-1 DLA-906-1}
	- firefox 52.0.1-1
	- firefox-esr 45.9.0esr-1
CVE-2017-5464 (During DOM manipulations of the accessibility tree through script, the ...)
	{DSA-3831-1 DLA-906-1}
	- firefox 52.0.1-1
	- firefox-esr 45.9.0esr-1
CVE-2017-5463 (Android intents can be used to launch Firefox for Android in reader mo ...)
	- firefox (Only affects Firefox on Android)
CVE-2017-5462 (A flaw in DRBG number generation within the Network Security Services ...)
	{DSA-3872-1 DSA-3831-1 DLA-946-1 DLA-906-1}
	- firefox 52.0.1-1
	- firefox-esr 45.9.0esr-1
	[experimental] - nss 2:3.30-1
	- nss 2:3.26.2-1.1 (bug #862958)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5462
	NOTE: https://hg.mozilla.org/projects/nss/rev/7248d38b76e5
CVE-2017-5461 (Mozilla Network Security Services (NSS) before 3.21.4, 3.22.x through ...)
	{DSA-3872-1 DSA-3831-1 DLA-946-1 DLA-906-1}
	- firefox 52.0.1-1
	- firefox-esr 45.9.0esr-1
	[experimental] - nss 2:3.30.1-1
	- nss 2:3.26.2-1.1 (bug #862958)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/#CVE-2017-5461
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-11/#CVE-2017-5461
	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1344380
	NOTE: https://hg.mozilla.org/projects/nss/rev/77a5bb81dbaa
CVE-2017-5460 (A use-after-free vulnerability in frame selection triggered by a combi ...)
	{DSA-3831-1 DLA-906-1}
	- firefox 52.0.1-1
	- firefox-esr 45.9.0esr-1
CVE-2017-5459 (A buffer overflow in WebGL triggerable by web content, resulting in a ...)
	{DSA-3831-1 DLA-906-1}
	- firefox 52.0.1-1
	- firefox-esr 45.9.0esr-1
CVE-2017-5458 (When a "javascript:" URL is drag and dropped by a user into the addres ...)
	- firefox 52.0.1-1
CVE-2017-5457
	RESERVED
CVE-2017-5456 (A mechanism to bypass file system access protections in the sandbox us ...)
	- firefox 52.0.1-1
CVE-2017-5455 (The internal feed reader APIs that crossed the sandbox barrier allowed ...)
	- firefox 52.0.1-1
CVE-2017-5454 (A mechanism to bypass file system access protections in the sandbox to ...)
	- firefox 52.0.1-1
CVE-2017-5453 (A mechanism to inject static HTML into the RSS reader preview page due ...)
	- firefox 52.0.1-1
CVE-2017-5452 (Malicious sites can display a spoofed addressbar on a page when the ex ...)
	- firefox (Only affects Firefox on Android)
CVE-2017-5451 (A mechanism to spoof the addressbar through the user interaction on th ...)
	- firefox 52.0.1-1
CVE-2017-5450 (A mechanism to spoof the Firefox for Android addressbar using a "javas ...)
	- firefox 52.0.1-1
CVE-2017-5449 (A possibly exploitable crash triggered during layout and manipulation ...)
	- firefox 52.0.1-1
CVE-2017-5448 (An out-of-bounds write in "ClearKeyDecryptor" while decrypting some Cl ...)
	{DSA-3831-1 DLA-906-1}
	- firefox 52.0.1-1
	- firefox-esr 45.9.0esr-1
CVE-2017-5447 (An out-of-bounds read during the processing of glyph widths during tex ...)
	{DSA-3831-1 DLA-906-1}
	- firefox 52.0.1-1
	- firefox-esr 45.9.0esr-1
CVE-2017-5446 (An out-of-bounds read when an HTTP/2 connection to a servers sends "DA ...)
	{DSA-3831-1 DLA-906-1}
	- firefox 52.0.1-1
	- firefox-esr 45.9.0esr-1
CVE-2017-5445 (A vulnerability while parsing "application/http-index-format" format c ...)
	{DSA-3831-1 DLA-906-1}
	- firefox 52.0.1-1
	- firefox-esr 45.9.0esr-1
CVE-2017-5444 (A buffer overflow vulnerability while parsing "application/http-index- ...)
	{DSA-3831-1 DLA-906-1}
	- firefox 52.0.1-1
	- firefox-esr 45.9.0esr-1
CVE-2017-5443 (An out-of-bounds write vulnerability while decoding improperly formed ...)
	{DSA-3831-1 DLA-906-1}
	- firefox 52.0.1-1
	- firefox-esr 45.9.0esr-1
CVE-2017-5442 (A use-after-free vulnerability during changes in style when manipulati ...)
	{DSA-3831-1 DLA-906-1}
	- firefox 52.0.1-1
	- firefox-esr 45.9.0esr-1
CVE-2017-5441 (A use-after-free vulnerability when holding a selection during scroll ...)
	{DSA-3831-1 DLA-906-1}
	- firefox 52.0.1-1
	- firefox-esr 45.9.0esr-1
CVE-2017-5440 (A use-after-free vulnerability during XSLT processing due to a failure ...)
	{DSA-3831-1 DLA-906-1}
	- firefox 52.0.1-1
	- firefox-esr 45.9.0esr-1
CVE-2017-5439 (A use-after-free vulnerability during XSLT processing due to poor hand ...)
	{DSA-3831-1 DLA-906-1}
	- firefox 52.0.1-1
	- firefox-esr 45.9.0esr-1
CVE-2017-5438 (A use-after-free vulnerability during XSLT processing due to the resul ...)
	{DSA-3831-1 DLA-906-1}
	- firefox 52.0.1-1
	- firefox-esr 45.9.0esr-1
CVE-2017-5437
	REJECTED
CVE-2017-5436 (An out-of-bounds write in the Graphite 2 library triggered with a mali ...)
	{DSA-3831-1 DLA-906-1}
	- firefox 52.0.1-1
	- firefox-esr 45.9.0esr-1
CVE-2017-5435 (A use-after-free vulnerability occurs during transaction processing in ...)
	{DSA-3831-1 DLA-906-1}
	- firefox 52.0.1-1
	- firefox-esr 45.9.0esr-1
CVE-2017-5434 (A use-after-free vulnerability occurs when redirecting focus handling ...)
	{DSA-3831-1 DLA-906-1}
	- firefox 52.0.1-1
	- firefox-esr 45.9.0esr-1
CVE-2017-5433 (A use-after-free vulnerability in SMIL animation functions occurs when ...)
	{DSA-3831-1 DLA-906-1}
	- firefox 52.0.1-1
	- firefox-esr 45.9.0esr-1
CVE-2017-5432 (A use-after-free vulnerability occurs during certain text input select ...)
	{DSA-3831-1 DLA-906-1}
	- firefox 52.0.1-1
	- firefox-esr 45.9.0esr-1
CVE-2017-5431
	RESERVED
CVE-2017-5430 (Memory safety bugs were reported in Firefox 52, Firefox ESR 52, and Th ...)
	- firefox 52.0.1-1
	- firefox-esr (Only affects ESR52 and Firefox)
CVE-2017-5429 (Memory safety bugs were reported in Firefox 52, Firefox ESR 45.8, Fire ...)
	{DSA-3831-1 DLA-906-1}
	- firefox-esr 45.9.0esr-1
	- firefox 52.0.1-1
CVE-2017-5428 (An integer overflow in "createImageBitmap()" was reported through the ...)
	- firefox-esr (Only affects 52 ESR, which isn't packaged yet except experimental where it's fixed)
	- firefox 52.0.1-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-08/#CVE-2017-5428
CVE-2017-5427 (A non-existent chrome.manifest file will attempt to be loaded during s ...)
	- firefox 52.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5427
CVE-2017-5426 (On Linux, if the secure computing mode BPF (seccomp-bpf) filter is run ...)
	- firefox 52.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5426
CVE-2017-5425 (The Gecko Media Plugin sandbox allows access to local files that match ...)
	- firefox (Only Firefox on OS X)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5425
CVE-2017-5424
	RESERVED
CVE-2017-5423
	RESERVED
CVE-2017-5422 (If a malicious site uses the "view-source:" protocol in a series withi ...)
	- firefox 52.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5422
CVE-2017-5421 (A malicious site could spoof the contents of the print preview window ...)
	- firefox 52.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5421
CVE-2017-5420 (A "javascript:" url loaded by a malicious page can obfuscate its locat ...)
	- firefox 52.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5420
CVE-2017-5419 (If a malicious site repeatedly triggers a modal authentication prompt, ...)
	- firefox 52.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5419
CVE-2017-5418 (An out of bounds read error occurs when parsing some HTTP digest autho ...)
	- firefox 52.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5418
CVE-2017-5417 (When dragging content from the primary browser pane to the addressbar ...)
	- firefox 52.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5417
CVE-2017-5416 (In certain circumstances a networking event listener can be prematurel ...)
	- firefox 52.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5416
CVE-2017-5415 (An attack can use a blob URL and script to spoof an arbitrary addressb ...)
	- firefox 52.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5415
CVE-2017-5414 (The file picker dialog can choose and display the wrong local default ...)
	- firefox 52.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5414
CVE-2017-5413 (A segmentation fault can occur during some bidirectional layout operat ...)
	- firefox 52.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5413
CVE-2017-5412 (A buffer overflow read during SVG filter color value operations, resul ...)
	- firefox 52.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5412
CVE-2017-5411 (A use-after-free can occur during buffer storage operations within the ...)
	- firefox (Only Firefox on Windows)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5411
CVE-2017-5410 (Memory corruption resulting in a potentially exploitable crash during ...)
	{DSA-3832-1 DSA-3805-1 DLA-896-1 DLA-852-1}
	- firefox 52.0-1
	- firefox-esr 45.8.0esr-1
	- icedove 1:45.8.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5410
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/#CVE-2017-5410
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5410
CVE-2017-5409 (The Mozilla Windows updater can be called by a non-privileged user to ...)
	- firefox (Only Firefox on Windows)
	- firefox-esr (Only Firefox on Windows)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5409
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/#CVE-2017-5409
CVE-2017-5408 (Video files loaded video captions cross-origin without checking for th ...)
	{DSA-3832-1 DSA-3805-1 DLA-896-1 DLA-852-1}
	- firefox 52.0-1
	- firefox-esr 45.8.0esr-1
	- icedove 1:45.8.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5408
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/#CVE-2017-5408
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5408
CVE-2017-5407 (Using SVG filters that don't use the fixed point math implementation o ...)
	{DSA-3832-1 DSA-3805-1 DLA-896-1 DLA-852-1}
	- firefox 52.0-1
	- firefox-esr 45.8.0esr-1
	- icedove 1:45.8.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5407
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/#CVE-2017-5407
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5407
CVE-2017-5406 (A segmentation fault can occur in the Skia graphics library during som ...)
	- firefox 52.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5406
CVE-2017-5405 (Certain response codes in FTP connections can result in the use of uni ...)
	{DSA-3832-1 DSA-3805-1 DLA-896-1 DLA-852-1}
	- firefox 52.0-1
	- firefox-esr 45.8.0esr-1
	- icedove 1:45.8.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5405
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/#CVE-2017-5405
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5405
CVE-2017-5404 (A use-after-free error can occur when manipulating ranges in selection ...)
	{DSA-3832-1 DSA-3805-1 DLA-896-1 DLA-852-1}
	- firefox 52.0-1
	- firefox-esr 45.8.0esr-1
	- icedove 1:45.8.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5404
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/#CVE-2017-5404
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5404
CVE-2017-5403 (When adding a range to an object in the DOM, it is possible to use "ad ...)
	- firefox 52.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5403
CVE-2017-5402 (A use-after-free can occur when events are fired for a "FontFace" obje ...)
	{DSA-3832-1 DSA-3805-1 DLA-896-1 DLA-852-1}
	- firefox 52.0-1
	- firefox-esr 45.8.0esr-1
	- icedove 1:45.8.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5402
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/#CVE-2017-5402
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5402
CVE-2017-5401 (A crash triggerable by web content in which an "ErrorResult" reference ...)
	{DSA-3832-1 DSA-3805-1 DLA-896-1 DLA-852-1}
	- firefox 52.0-1
	- firefox-esr 45.8.0esr-1
	- icedove 1:45.8.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5401
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/#CVE-2017-5401
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5401
CVE-2017-5400 (JIT-spray targeting asm.js combined with a heap spray allows for a byp ...)
	{DSA-3832-1 DSA-3805-1 DLA-896-1 DLA-852-1}
	- firefox 52.0-1
	- firefox-esr 45.8.0esr-1
	- icedove 1:45.8.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5400
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/#CVE-2017-5400
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5400
CVE-2017-5399 (Memory safety bugs were reported in Firefox 51. Some of these bugs sho ...)
	- firefox 52.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5399
CVE-2017-5398 (Memory safety bugs were reported in Thunderbird 45.7. Some of these bu ...)
	{DSA-3832-1 DSA-3805-1 DLA-896-1 DLA-852-1}
	- firefox 52.0-1
	- firefox-esr 45.8.0esr-1
	- icedove 1:45.8.0-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5398
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-06/#CVE-2017-5398
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5398
CVE-2017-5397 (The cache directory on the local file system is set to be world writab ...)
	- firefox (Firefox on Android)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-04/#CVE-2017-5397
CVE-2017-5396 (A use-after-free vulnerability in the Media Decoder when working with ...)
	{DSA-3832-1 DSA-3771-1 DLA-896-1 DLA-800-1}
	- firefox 51.0-1
	- firefox-esr 45.7.0esr-1
	- icedove 1:45.7.1-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5396
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/#CVE-2017-5396
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-03/#CVE-2017-5396
CVE-2017-5395 (Malicious sites can display a spoofed location bar on a subsequently l ...)
	- firefox (Firefox on Android)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5395
CVE-2017-5394 (A location bar spoofing attack where the location bar of loaded page w ...)
	- firefox (Firefox on Android)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5394
CVE-2017-5393 (The "mozAddonManager" allows for the installation of extensions from t ...)
	- firefox 51.0-1
	- firefox-esr (Does not affect Firefox ESR)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5393
CVE-2017-5392 (Weak proxy objects have weak references on multiple threads when they ...)
	- firefox (Firefox on Android)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5392
CVE-2017-5391 (Special "about:" pages used by web content, such as RSS feeds, can loa ...)
	- firefox 51.0-1
	- firefox-esr (Does not affect Firefox ESR)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5391
CVE-2017-5390 (The JSON viewer in the Developer Tools uses insecure methods to create ...)
	{DSA-3832-1 DSA-3771-1 DLA-896-1 DLA-800-1}
	- firefox 51.0-1
	- firefox-esr 45.7.0esr-1
	- icedove 1:45.7.1-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5390
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/#CVE-2017-5390
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-03/#CVE-2017-5390
CVE-2017-5389 (WebExtensions could use the "mozAddonManager" API by modifying the CSP ...)
	- firefox 51.0-1
	- firefox-esr (Does not affect Firefox ESR)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5389
CVE-2017-5388 (A STUN server in conjunction with a large number of "webkitRTCPeerConn ...)
	- firefox 51.0-1
	- firefox-esr (Does not affect Firefox ESR)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5388
CVE-2017-5387 (The existence of a specifically requested local file can be found due ...)
	- firefox 51.0-1
	- firefox-esr (Does not affect Firefox ESR)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5387
CVE-2017-5386 (WebExtension scripts can use the "data:" protocol to affect pages load ...)
	{DSA-3771-1 DLA-800-1}
	- firefox 51.0-1
	- firefox-esr 45.7.0esr-1
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5386
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/#CVE-2017-5386
CVE-2017-5385 (Data sent with in multipart channels, such as the multipart/x-mixed-re ...)
	- firefox 51.0-1
	- firefox-esr (Does not affect Firefox ESR)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5385
CVE-2017-5384 (Proxy Auto-Config (PAC) files can specify a JavaScript function called ...)
	- firefox 51.0-1
	- firefox-esr (Does not affect Firefox ESR)
	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5384
CVE-2017-5383 (URLs containing certain unicode glyphs for alternative hyphens and quo ...)
{DSA-3832-1 DSA-3771-1 DLA-896-1 DLA-800-1} - firefox 51.0-1 - firefox-esr 45.7.0esr-1 - icedove 1:45.7.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5383 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/#CVE-2017-5383 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-03/#CVE-2017-5383 CVE-2017-5382 (Feed preview for RSS feeds can be used to capture errors and exception ...) - firefox 51.0-1 - firefox-esr (Does not affect Firefox ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5382 CVE-2017-5381 (The "export" function in the Certificate Viewer can force local filesy ...) - firefox 51.0-1 - firefox-esr (Does not affect Firefox ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5381 CVE-2017-5380 (A potential use-after-free found through fuzzing during DOM manipulati ...) {DSA-3832-1 DSA-3771-1 DLA-896-1 DLA-800-1} - firefox 51.0-1 - firefox-esr 45.7.0esr-1 - icedove 1:45.7.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5380 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/#CVE-2017-5380 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-03/#CVE-2017-5380 CVE-2017-5379 (Use-after-free vulnerability in Web Animations when interacting with c ...) - firefox 51.0-1 - firefox-esr (Does not affect Firefox ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5379 CVE-2017-5378 (Hashed codes of JavaScript objects are shared between pages. This allo ...) 
{DSA-3832-1 DSA-3771-1 DLA-896-1 DLA-800-1} - firefox 51.0-1 - firefox-esr 45.7.0esr-1 - icedove 1:45.7.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5378 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/#CVE-2017-5378 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-03/#CVE-2017-5378 CVE-2017-5377 (A memory corruption vulnerability in Skia that can occur when using tr ...) - firefox 51.0-1 - firefox-esr (Does not affect Firefox ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5377 CVE-2017-5376 (Use-after-free while manipulating XSL in XSLT documents. This vulnerab ...) {DSA-3832-1 DSA-3771-1 DLA-896-1 DLA-800-1} - firefox 51.0-1 - firefox-esr 45.7.0esr-1 - icedove 1:45.7.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5376 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/#CVE-2017-5376 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-03/#CVE-2017-5376 CVE-2017-5375 (JIT code allocation can allow for a bypass of ASLR and DEP protections ...) {DSA-3832-1 DSA-3771-1 DLA-896-1 DLA-800-1} - firefox 51.0-1 - firefox-esr 45.7.0esr-1 - icedove 1:45.7.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5375 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/#CVE-2017-5375 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-03/#CVE-2017-5375 CVE-2017-5374 (Memory safety bugs were reported in Firefox 50.1. Some of these bugs s ...) - firefox 51.0-1 - firefox-esr (Does not affect Firefox ESR) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5374 CVE-2017-5373 (Memory safety bugs were reported in Firefox 50.1 and Firefox ESR 45.6. ...) 
{DSA-3832-1 DSA-3771-1 DLA-896-1 DLA-800-1} - firefox 51.0-1 - firefox-esr 45.7.0esr-1 - icedove 1:45.7.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5373 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/#CVE-2017-5373 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2017-03/#CVE-2017-5373 CVE-2017-5372 (The function msp (aka MSPRuntimeInterface) in the P4 SERVERCORE compon ...) NOT-FOR-US: SAP CVE-2017-5371 (Odata Server in SAP Adaptive Server Enterprise (ASE) 16 allows remote ...) NOT-FOR-US: SAP CVE-2017-5370 RESERVED CVE-2017-5369 RESERVED CVE-2017-5368 (ZoneMinder v1.30 and v1.29, an open-source CCTV server web application ...) - zoneminder 1.30.4+dfsg-1 (bug #854733) [wheezy] - zoneminder (Too intrusive to backport) NOTE: https://github.com/ZoneMinder/ZoneMinder/pull/1822 CVE-2017-5367 (Multiple reflected XSS vulnerabilities exist within form and link inpu ...) - zoneminder 1.30.4+dfsg-1 (bug #854733) [wheezy] - zoneminder (Minor issue) CVE-2017-5366 RESERVED CVE-2017-5365 RESERVED CVE-2017-5364 (Memory Corruption Vulnerability in Foxit PDF Toolkit v1.3 allows an at ...) NOT-FOR-US: Foxit PDF Toolkit CVE-2017-5363 RESERVED CVE-2017-5362 RESERVED CVE-2017-5361 (Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x ...) {DSA-3883-1 DSA-3882-1 DLA-988-1 DLA-987-1} - request-tracker4 4.4.1-4 - rt-authen-externalauth NOTE: https://github.com/bestpractical/rt-authen-externalauth/commit/436255c04b4881bb6d8eec9a57b8593033d863a9 CVE-2017-5360 RESERVED CVE-2017-5359 (EasyCom SQL iPlug allows remote attackers to cause a denial of service ...) NOT-FOR-US: EasyCom CVE-2017-5358 (Stack-based buffer overflows in php_Easycom5_3_0.dll in EasyCom for PH ...) NOT-FOR-US: EasyCom CVE-2017-5505 (The jas_matrix_asl function in jas_seq.c in JasPer 1.900.27 allows rem ...) 
- jasper (unimportant) NOTE: https://blogs.gentoo.org/ago/2017/01/16/jasper-invalid-memory-read-in-jas_matrix_asl-jas_seq-c NOTE: https://github.com/mdadams/jasper/issues/88 NOTE: Not suitable for code injection, hardly denial of service CVE-2017-5504 (The jpc_undo_roi function in libjasper/jpc/jpc_dec.c in JasPer 1.900.2 ...) - jasper (unimportant) NOTE: https://blogs.gentoo.org/ago/2017/01/16/jasper-invalid-memory-read-in-jpc_undo_roi-jpc_dec-c NOTE: https://github.com/mdadams/jasper/issues/89 NOTE: Not suitable for code injection, hardly denial of service CVE-2017-5503 (The dec_clnpass function in libjasper/jpc/jpc_t1dec.c in JasPer 1.900. ...) - jasper (Vulnerable code introduced later) NOTE: https://blogs.gentoo.org/ago/2017/01/16/jasper-invalid-memory-write-in-dec_clnpass-jpc_t1dec-c NOTE: https://github.com/mdadams/jasper/issues/90 CVE-2017-5502 (libjasper/jp2/jp2_dec.c in JasPer 1.900.17 allows remote attackers to ...) - jasper (unimportant) NOTE: Reproducer: https://github.com/asarubbo/poc/blob/master/00030-jasper-leftshift-jp2_dec_c NOTE: http://blogs.gentoo.org/ago/2017/01/16/jasper-multiple-crashes-with-ubsan/ NOTE: https://github.com/mdadams/jasper/issues/76 NOTE: Not suitable for code injection, hardly denial of service CVE-2017-5501 (Integer overflow in libjasper/jpc/jpc_tsfb.c in JasPer 1.900.17 allows ...) - jasper (unimportant) NOTE: Reproducer: https://github.com/asarubbo/poc/blob/master/00022-jasper-signedintoverflow-jpc_tsfb_c NOTE: http://blogs.gentoo.org/ago/2017/01/16/jasper-multiple-crashes-with-ubsan/ NOTE: https://github.com/mdadams/jasper/issues/70 NOTE: Only crashes with debug builds using ubsan CVE-2017-5500 (libjasper/jpc/jpc_dec.c in JasPer 1.900.17 allows remote attackers to ...) - jasper (unimportant) NOTE: Triggers an assert. 
Not suitable for code injection, hardly denial of service NOTE: Reproducer: https://github.com/asarubbo/poc/blob/master/00019-jasper-leftshift-jpc_dec_c NOTE: http://blogs.gentoo.org/ago/2017/01/16/jasper-multiple-crashes-with-ubsan/ NOTE: https://github.com/mdadams/jasper/issues/64 CVE-2017-5499 (Integer overflow in libjasper/jpc/jpc_dec.c in JasPer 1.900.17 allows ...) - jasper (unimportant) NOTE: Reproducer: https://github.com/asarubbo/poc/blob/master/00018-jasper-signedintoverflow-jpc_dec_c NOTE: http://blogs.gentoo.org/ago/2017/01/16/jasper-multiple-crashes-with-ubsan/ NOTE: https://github.com/mdadams/jasper/issues/63 NOTE: Triggers an assert. Not suitable for code injection, hardly denial of service CVE-2017-5498 (libjasper/include/jasper/jas_math.h in JasPer 1.900.17 allows remote a ...) - jasper (unimportant) NOTE: Triggers an assert. Not suitable for code injection, hardly denial of service NOTE: Reproducer: https://github.com/asarubbo/poc/blob/master/00017-jasper-leftshift-jas_math_h NOTE: http://blogs.gentoo.org/ago/2017/01/16/jasper-multiple-crashes-with-ubsan/ NOTE: https://github.com/mdadams/jasper/issues/62 CVE-2017-5506 (Double free vulnerability in magick/profile.c in ImageMagick allows re ...) {DSA-3799-1 DLA-807-1} - imagemagick 8:6.9.7.4+dfsg-1 (bug #851383) NOTE: https://github.com/ImageMagick/ImageMagick/issues/354 NOTE: https://www.openwall.com/lists/oss-security/2017/01/16/6 NOTE: https://github.com/ImageMagick/ImageMagick/commit/6235f1f7a9f7b0f83b197f6cd0073dbb6602d0fb CVE-2017-5507 (Memory leak in coders/mpc.c in ImageMagick before 6.9.7-4 and 7.x befo ...) {DSA-3799-1 DLA-807-1} - imagemagick 8:6.9.7.4+dfsg-1 (bug #851382) NOTE: https://github.com/ImageMagick/ImageMagick/commit/4493d9ca1124564da17f9b628ef9d0f1a6be9738 NOTE: https://www.openwall.com/lists/oss-security/2017/01/16/6 CVE-2017-5508 (Heap-based buffer overflow in the PushQuantumPixel function in ImageMa ...) 
{DSA-3799-1 DLA-807-1} - imagemagick 8:6.9.7.4+dfsg-1 (bug #851381) NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=31161 NOTE: https://www.openwall.com/lists/oss-security/2017/01/16/6 NOTE: https://github.com/ImageMagick/ImageMagick/commit/379e21cd32483df6e128147af3bc4ce1f82eb9c4 CVE-2017-5509 (coders/psd.c in ImageMagick allows remote attackers to have unspecifie ...) - imagemagick 8:6.9.7.4+dfsg-1 (bug #851377) [jessie] - imagemagick (Vulnerable code not present) [wheezy] - imagemagick (Vulnerable code not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/350 NOTE: https://www.openwall.com/lists/oss-security/2017/01/16/6 CVE-2017-5510 (coders/psd.c in ImageMagick allows remote attackers to have unspecifie ...) {DSA-3799-1 DLA-807-1} - imagemagick 8:6.9.7.4+dfsg-1 (bug #851376) NOTE: https://github.com/ImageMagick/ImageMagick/issues/348 NOTE: https://www.openwall.com/lists/oss-security/2017/01/16/6 NOTE: https://github.com/ImageMagick/ImageMagick/commit/e87af64b1ff1635a32d9b6162f1b0e260fb54ed9 CVE-2017-5511 (coders/psd.c in ImageMagick allows remote attackers to have unspecifie ...) {DSA-3799-1 DLA-807-1} - imagemagick 8:6.9.7.4+dfsg-1 (bug #851374) NOTE: https://github.com/ImageMagick/ImageMagick/issues/347 NOTE: https://www.openwall.com/lists/oss-security/2017/01/16/6 NOTE: https://github.com/ImageMagick/ImageMagick/commit/7d65a814ac76bd04760072c33e452371692ee790 CVE-2017-5487 (wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php in t ...) - wordpress 4.7.1+dfsg-1 (bug #851310) [jessie] - wordpress (vulnerable code not present) [wheezy] - wordpress (vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2017/01/14/1 NOTE: https://wpvulndb.com/vulnerabilities/8715 NOTE: https://github.com/WordPress/WordPress/commit/daf358983cc1ce0c77bf6d2de2ebbb43df2add60 CVE-2017-5488 (Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/update ...) 
{DSA-3779-1 DLA-813-1} - wordpress 4.7.1+dfsg-1 (bug #851310) NOTE: https://www.openwall.com/lists/oss-security/2017/01/14/1 NOTE: https://wpvulndb.com/vulnerabilities/8716 NOTE: https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php CVE-2017-5489 (Cross-site request forgery (CSRF) vulnerability in WordPress before 4. ...) {DSA-3779-1 DLA-813-1} - wordpress 4.7.1+dfsg-1 (bug #851310) NOTE: https://www.openwall.com/lists/oss-security/2017/01/14/1 NOTE: https://wpvulndb.com/vulnerabilities/8717 CVE-2017-5490 (Cross-site scripting (XSS) vulnerability in the theme-name fallback fu ...) {DSA-3779-1 DLA-813-1} - wordpress 4.7.1+dfsg-1 (bug #851310) NOTE: https://www.openwall.com/lists/oss-security/2017/01/14/1 NOTE: https://wpvulndb.com/vulnerabilities/8718 NOTE: https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359 CVE-2017-5491 (wp-mail.php in WordPress before 4.7.1 might allow remote attackers to ...) {DSA-3779-1 DLA-813-1} - wordpress 4.7.1+dfsg-1 (bug #851310) NOTE: https://www.openwall.com/lists/oss-security/2017/01/14/1 NOTE: https://wpvulndb.com/vulnerabilities/8719 NOTE: https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a CVE-2017-5492 (Cross-site request forgery (CSRF) vulnerability in the widget-editing ...) {DSA-3779-1 DLA-813-1} - wordpress 4.7.1+dfsg-1 (bug #851310) NOTE: https://www.openwall.com/lists/oss-security/2017/01/14/1 NOTE: https://wpvulndb.com/vulnerabilities/8720 NOTE: https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733 CVE-2017-5493 (wp-includes/ms-functions.php in the Multisite WordPress API in WordPre ...) 
{DSA-3779-1 DLA-813-1} - wordpress 4.7.1+dfsg-1 (bug #851310) NOTE: https://www.openwall.com/lists/oss-security/2017/01/14/1 NOTE: https://wpvulndb.com/vulnerabilities/8721 NOTE: https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4 CVE-2017-5356 (Irssi before 0.8.21 allows remote attackers to cause a denial of servi ...) {DLA-1217-1} - irssi 0.8.21-1 (low) [jessie] - irssi 0.8.17-1+deb8u3 NOTE: https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d NOTE: https://blog.fuzzing-project.org/55-Fuzzing-Irssi-with-Perl-Scripts.html NOTE: https://irssi.org/security/irssi_sa_2017_01.txt CVE-2017-5355 RESERVED CVE-2017-5354 RESERVED CVE-2017-5353 RESERVED CVE-2017-5352 RESERVED CVE-2017-5351 (Samsung Note devices with KK(4.4), L(5.0/5.1), and M(6.0) software all ...) NOT-FOR-US: Samsung CVE-2017-5350 (Samsung Note devices with L(5.0/5.1), M(6.0), and N(7.0) software allo ...) NOT-FOR-US: Samsung CVE-2017-5349 RESERVED CVE-2017-5348 RESERVED CVE-2017-5347 (SQL injection vulnerability in inc/mod/newsletter/options.php in GeniX ...) NOT-FOR-US: GeniXMS CVE-2017-5346 (SQL injection vulnerability in inc/lib/Control/Backend/posts.control.p ...) NOT-FOR-US: GeniXMS CVE-2017-5345 (SQL injection vulnerability in inc/lib/Control/Ajax/tags-ajax.control. ...) NOT-FOR-US: GeniXMS CVE-2017-5344 (An issue was discovered in dotCMS through 3.6.1. The findChildrenByFil ...) NOT-FOR-US: dotCMS CVE-2017-5343 RESERVED CVE-2017-5342 (In tcpdump before 4.9.0, a bug in multiple protocol parsers (Geneve, G ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2017-5341 (The OTV parser in tcpdump before 4.9.0 has a buffer overflow in print- ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2017-5357 (regex.c in GNU ed before 1.14.1 allows attackers to cause a denial of ...) 
- ed (Vulnerable code not present, cf #851159) NOTE: https://www.openwall.com/lists/oss-security/2017/01/12/5 NOTE: The issue is only present from 1.14 onwards, and prior to 1.14.1 since upstream NOTE: changed a malloc'ed buffer for a static one. NOTE: https://lists.gnu.org/archive/html/bug-ed/2017-01/msg00001.html CVE-2017-5329 (Palo Alto Networks Terminal Services Agent before 7.0.7 allows local u ...) NOT-FOR-US: Palo Alto Networks Terminal Services Agent CVE-2017-5328 (Palo Alto Networks Terminal Services Agent before 7.0.7 allows attacke ...) NOT-FOR-US: Palo Alto Networks Terminal Services Agent CVE-2017-5327 RESERVED CVE-2017-5326 RESERVED CVE-2017-5325 RESERVED CVE-2017-5324 RESERVED CVE-2017-5323 RESERVED CVE-2017-5322 RESERVED CVE-2017-5321 RESERVED CVE-2017-5320 RESERVED CVE-2017-5319 RESERVED CVE-2017-5318 RESERVED CVE-2017-5317 RESERVED CVE-2017-5316 RESERVED CVE-2017-5315 RESERVED CVE-2017-5314 RESERVED CVE-2017-5313 RESERVED CVE-2017-5312 RESERVED CVE-2017-5311 RESERVED CVE-2017-5310 RESERVED CVE-2017-5309 RESERVED CVE-2017-5308 RESERVED CVE-2017-5307 RESERVED CVE-2017-5306 RESERVED CVE-2017-5305 RESERVED CVE-2017-5304 RESERVED CVE-2017-5303 RESERVED CVE-2017-5302 RESERVED CVE-2017-5301 RESERVED CVE-2017-5300 RESERVED CVE-2017-5299 RESERVED CVE-2017-5298 RESERVED CVE-2017-5297 RESERVED CVE-2017-5296 RESERVED CVE-2017-5295 RESERVED CVE-2017-5294 RESERVED CVE-2017-5293 RESERVED CVE-2017-5292 RESERVED CVE-2017-5291 RESERVED CVE-2017-5290 RESERVED CVE-2017-5289 RESERVED CVE-2017-5288 RESERVED CVE-2017-5287 RESERVED CVE-2017-5286 RESERVED CVE-2017-5285 RESERVED CVE-2017-5284 RESERVED CVE-2017-5283 RESERVED CVE-2017-5282 RESERVED CVE-2017-5281 RESERVED CVE-2017-5280 RESERVED CVE-2017-5279 RESERVED CVE-2017-5278 RESERVED CVE-2017-5277 RESERVED CVE-2017-5276 RESERVED CVE-2017-5275 RESERVED CVE-2017-5274 RESERVED CVE-2017-5273 RESERVED CVE-2017-5272 RESERVED CVE-2017-5271 RESERVED CVE-2017-5270 RESERVED CVE-2017-5269 RESERVED CVE-2017-5268 RESERVED 
CVE-2017-5267 RESERVED CVE-2017-5266 RESERVED CVE-2017-5265 RESERVED CVE-2017-5264 (Versions of Nexpose prior to 6.4.66 fail to adequately validate the so ...) NOT-FOR-US: Nexpose CVE-2017-5263 (Versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware lack ...) NOT-FOR-US: Cambium Networks cnPilot firmware CVE-2017-5262 (In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, t ...) NOT-FOR-US: Cambium Networks cnPilot firmware CVE-2017-5261 (In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, t ...) NOT-FOR-US: Cambium Networks cnPilot firmware CVE-2017-5260 (In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, a ...) NOT-FOR-US: Cambium Networks cnPilot firmware CVE-2017-5259 (In versions 4.3.2-R4 and prior of Cambium Networks cnPilot firmware, a ...) NOT-FOR-US: Cambium Networks cnPilot firmware CVE-2017-5258 (In version 3.5 and prior of Cambium Networks ePMP firmware, an attacke ...) NOT-FOR-US: Cambium Networks ePMP firmware CVE-2017-5257 (In version 3.5 and prior of Cambium Networks ePMP firmware, an attacke ...) NOT-FOR-US: Cambium Networks ePMP firmware CVE-2017-5256 (In version 3.5 and prior of Cambium Networks ePMP firmware, all authen ...) NOT-FOR-US: Cambium Networks ePMP firmware CVE-2017-5255 (In version 3.5 and prior of Cambium Networks ePMP firmware, a lack of ...) NOT-FOR-US: Cambium Networks ePMP firmware CVE-2017-5254 (In version 3.5 and prior of Cambium Networks ePMP firmware, the non-ad ...) NOT-FOR-US: Cambium Networks ePMP firmware CVE-2017-5253 RESERVED CVE-2017-5252 RESERVED CVE-2017-5251 (In version 1012 and prior of Insteon's Insteon Hub, the radio transmis ...) NOT-FOR-US: Insteon CVE-2017-5250 (In version 1.9.7 and prior of Insteon's Insteon for Hub Android app, t ...) NOT-FOR-US: Insteon CVE-2017-5249 (In version 6.1.0.19 and prior of Wink Labs's Wink - Smart Home Android ...) 
NOT-FOR-US: Wink CVE-2017-5248 RESERVED CVE-2017-5247 (Biscom Secure File Transfer is vulnerable to cross-site scripting in t ...) NOT-FOR-US: Biscom Secure File Transfer CVE-2017-5246 (Biscom Secure File Transfer is vulnerable to AngularJS expression inje ...) NOT-FOR-US: Biscom Secure File Transfer CVE-2017-5245 REJECTED CVE-2017-5244 (Routes used to stop running Metasploit tasks (either particular ones o ...) NOT-FOR-US: Metasploit CVE-2017-5243 (The default SSH configuration in Rapid7 Nexpose hardware appliances sh ...) NOT-FOR-US: Rapid7 Nexpose hardware appliances CVE-2017-5242 RESERVED CVE-2017-5241 (Biscom Secure File Transfer versions 5.0.0.0 through 5.1.1024 are vulne ...) NOT-FOR-US: Biscom Secure File Transfer CVE-2017-5240 (Editions of Rapid7 AppSpider Pro prior to version 6.14.060 contain a h ...) NOT-FOR-US: Rapid7 AppSpider Pro CVE-2017-5239 (Due to a lack of standard encryption when transmitting sensitive infor ...) NOT-FOR-US: Eview GPS trackers CVE-2017-5238 (Due to a lack of bounds checking, several input configuration fields f ...) NOT-FOR-US: Eview GPS trackers CVE-2017-5237 (Due to a lack of authentication, an unauthenticated user who knows the ...) NOT-FOR-US: Eview GPS trackers CVE-2017-5236 (Editions of Rapid7 AppSpider Pro installers prior to version 6.14.060 ...) NOT-FOR-US: Rapid7 AppSpider Pro CVE-2017-5235 (Rapid7 Metasploit Pro installers prior to version 4.13.0-2017022101 co ...) NOT-FOR-US: Rapid7 CVE-2017-5234 (Rapid7 Insight Collector installers prior to version 1.0.16 contain a ...) NOT-FOR-US: Rapid7 CVE-2017-5233 (Rapid7 AppSpider Pro installers prior to version 6.14.053 contain a DL ...) NOT-FOR-US: Rapid7 CVE-2017-5232 (All editions of Rapid7 Nexpose installers prior to version 6.4.24 cont ...) NOT-FOR-US: Rapid7 CVE-2017-5231 (All editions of Rapid7 Metasploit prior to version 4.13.0-2017020701 c ...) NOT-FOR-US: Rapid7 CVE-2017-5230 (The Java keystore in all versions and editions of Rapid7 Nexpose prior ...) 
NOT-FOR-US: Rapid7 CVE-2017-5229 (All editions of Rapid7 Metasploit prior to version 4.13.0-2017020701 c ...) NOT-FOR-US: Rapid7 CVE-2017-5228 (All editions of Rapid7 Metasploit prior to version 4.13.0-2017020701 c ...) NOT-FOR-US: Rapid7 CVE-2017-5227 (QNAP QTS before 4.2.4 Build 20170313 allows local users to obtain sens ...) NOT-FOR-US: QNAP CVE-2017-5225 (LibTIFF version 4.0.7 is vulnerable to a heap buffer overflow in the t ...) {DSA-3844-1 DLA-795-1} - tiff 4.0.7-5 (bug #851297) NOTE: Fixed by: https://github.com/vadz/libtiff/commit/5c080298d59efa53264d7248bbe3a04660db6ef7 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2656 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2657 CVE-2017-5224 RESERVED CVE-2017-5223 (An issue was discovered in PHPMailer before 5.2.22. PHPMailer's msgHTM ...) {DLA-1591-1 DLA-817-1} - libphp-phpmailer 5.2.14+dfsg-2.3 (bug #853232) NOTE: Fixed by: https://github.com/PHPMailer/PHPMailer/commit/ad4cb09682682da2217799a0c521d4cdc6753402 (v5.2.22) NOTE: http://kalilinux.co/2017/01/12/phpmailer-cve-2017-5223-local-information-disclosure-vulnerability-analysis/ CVE-2017-5222 RESERVED CVE-2017-5221 RESERVED CVE-2017-5220 RESERVED CVE-2017-5219 (An issue was discovered in SageCRM 7.x before 7.3 SP3. The Component M ...) NOT-FOR-US: SageCRM CVE-2017-5218 (A SQL Injection issue was discovered in SageCRM 7.x before 7.3 SP3. Th ...) NOT-FOR-US: SageCRM CVE-2017-5217 (Installing a zero-permission Android application on certain Samsung An ...) NOT-FOR-US: Samsung CVE-2017-5216 (Stack-based buffer overflow vulnerability in Netop Remote Control vers ...) NOT-FOR-US: Netop Remote Control CVE-2017-5215 (The Codextrous B2J Contact (aka b2j_contact) extension before 2.1.13 f ...) NOT-FOR-US: Joomla extension CVE-2017-5214 (The Codextrous B2J Contact (aka b2j_contact) extension before 2.1.13 f ...) NOT-FOR-US: Joomla extension CVE-2017-5213 (Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Cross ...) 
NOT-FOR-US: Open-Xchange GmbH OX App Suite CVE-2017-5212 (Open-Xchange GmbH OX App Suite 7.8.3 is affected by: Incorrect Access ...) NOT-FOR-US: Open-Xchange GmbH OX App Suite CVE-2017-5211 (Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Conte ...) NOT-FOR-US: Open-Xchange GmbH OX App Suite CVE-2017-5210 (Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Infor ...) NOT-FOR-US: Open-Xchange GmbH OX App Suite CVE-2017-5209 (The base64decode function in base64.c in libimobiledevice libplist thr ...) {DLA-2168-1 DLA-811-1} - libplist 1.12+git+1+e37ca00-0.1 (low; bug #851196) NOTE: Upstream bug: https://github.com/libimobiledevice/libplist/issues/84 NOTE: https://github.com/libimobiledevice/libplist/commit/3a55ddd3c4c11ce75a86afbefd085d8d397ff957 CVE-2017-5205 (The ISAKMP parser in tcpdump before 4.9.0 has a buffer overflow in pri ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2017-5204 (The IPv6 parser in tcpdump before 4.9.0 has a buffer overflow in print ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2017-5203 (The BOOTP parser in tcpdump before 4.9.0 has a buffer overflow in prin ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2017-5202 (The ISO CLNS parser in tcpdump before 4.9.0 has a buffer overflow in p ...) {DSA-3775-1 DLA-809-1} - tcpdump 4.9.0-1 CVE-2017-5201 (NetApp Clustered Data ONTAP before 8.3.2P8 and 9.0 before P2 allow rem ...) NOT-FOR-US: NetApp CVE-2017-5200 (Salt-api in SaltStack Salt before 2015.8.13, 2016.3.x before 2016.3.5, ...) - salt 2016.11.2+ds-1 [jessie] - salt (Vulnerable code not present) NOTE: https://github.com/saltstack/salt/compare/c0e5a1171d7ce2ba8747a971c024632e0d96d848~1...97b0f64923bc5382531b931625267a3c30d2f17e CVE-2017-5339 REJECTED CVE-2017-5338 REJECTED CVE-2017-XXXX [multiple new security issues] - w3m 0.5.3-34 (bug #850432) [jessie] - w3m 0.5.3-19+deb8u2 [wheezy] - w3m (Minor issues) CVE-2017-5337 (Multiple heap-based buffer overflows in the read_attribute function in ...) 
- gnutls28 3.5.8-1 [jessie] - gnutls28 3.3.8-6+deb8u5 - gnutls26 [wheezy] - gnutls26 (Minor issue) NOTE: OpenPGP-related issue NOTE: https://gnutls.org/security.html#GNUTLS-SA-2017-2 NOTE: https://gitlab.com/gnutls/gnutls/commit/94fcf1645ea17223237aaf8d19132e004afddc1a CVE-2017-5336 (Stack-based buffer overflow in the cdk_pk_get_keyid function in lib/op ...) - gnutls28 3.5.8-1 [jessie] - gnutls28 3.3.8-6+deb8u5 - gnutls26 [wheezy] - gnutls26 (Minor issue) NOTE: OpenPGP-related issue NOTE: https://gnutls.org/security.html#GNUTLS-SA-2017-2 NOTE: https://gitlab.com/gnutls/gnutls/commit/5140422e0d7319a8e2fe07f02cbcafc4d6538732 CVE-2017-5335 (The stream reading functions in lib/opencdk/read-packet.c in GnuTLS be ...) - gnutls28 3.5.8-1 [jessie] - gnutls28 3.3.8-6+deb8u5 - gnutls26 [wheezy] - gnutls26 (Minor issue) NOTE: OpenPGP-related issue NOTE: https://gnutls.org/security.html#GNUTLS-SA-2017-2 NOTE: https://gitlab.com/gnutls/gnutls/commit/49be4f7b82eba2363bb8d4090950dad976a77a3a CVE-2017-5334 (Double free vulnerability in the gnutls_x509_ext_import_proxy function ...) - gnutls28 3.5.8-1 [jessie] - gnutls28 3.3.8-6+deb8u5 NOTE: https://gnutls.org/security.html#GNUTLS-SA-2017-1 NOTE: https://gitlab.com/gnutls/gnutls/commit/c5aaa488a3d6df712dc8dff23a049133cab5ec1b CVE-2017-5330 (ark before 16.12.1 might allow remote attackers to execute arbitrary c ...) - ark 4:16.08.3-2 (bug #850874) [jessie] - ark (Vulnerable code introduced later) [wheezy] - ark (Vulnerable code introduced later) NOTE: Fixed by: https://github.com/KDE/ark/commit/82fdfd24d46966a117fa625b68784735a40f9065 NOTE: "Open File" action introduced in https://github.com/KDE/ark/commit/f1cf10f25af245823f81b8ff457a04c7593dede7 (v15.11.80) CVE-2017-5226 (When executing a program via the bubblewrap sandbox, the nonpriv sessi ...) - bubblewrap 0.1.5-2 (bug #850702) NOTE: https://github.com/projectatomic/bubblewrap/issues/142 CVE-2017-5207 (Firejail before 0.9.44.4, when running a bandwidth command, allows loc ...) 
- firejail 0.9.44.4-1 (bug #850528) NOTE: https://github.com/netblue30/firejail/issues/1023 NOTE: Fixed by: https://github.com/netblue30/firejail/commit/5d43fdcd215203868d440ffc42036f5f5ffc89fc NOTE: https://www.openwall.com/lists/oss-security/2017/01/07/3 CVE-2017-5206 (Firejail before 0.9.44.4, when running on a Linux kernel before 4.8, a ...) - firejail 0.9.44.4-1 (bug #850558) NOTE: Fixed by: https://github.com/netblue30/firejail/commit/6b8dba29d73257311564ee7f27b9b14758cc693e CVE-2017-5199 (The editbanner feature in SolarWinds LEM (aka SIEM) through 6.3.1 allo ...) NOT-FOR-US: SolarWinds LEM CVE-2017-5198 (SolarWinds LEM (aka SIEM) before 6.3.1 has an incorrect sudo configura ...) NOT-FOR-US: SolarWinds LEM CVE-2017-5197 (There is XSS in SilverStripe CMS before 3.4.4 and 3.5.x before 3.5.2. ...) NOT-FOR-US: SilverStripe CVE-2017-5192 (When using the local_batch client from salt-api in SaltStack Salt befo ...) - salt 2016.11.2+ds-1 [jessie] - salt (Vulnerable code not present) CVE-2017-5191 (An XSS vulnerability on the /NAGErrors URI in NetIQ Access Manager 4.2 ...) NOT-FOR-US: NetIQ Access Manager CVE-2017-5190 (NetIQ Access Manager 4.2 before SP3 HF1 and 4.3 before SP1 HF1, when c ...) NOT-FOR-US: NetIQ Access Manager CVE-2017-5189 (NetIQ iManager before 3.0.3 delivered a SSL private key in a Java appl ...) NOT-FOR-US: NetIQ iManager CVE-2017-5188 (The bs_worker code in open build service before 20170320 followed rela ...) - open-build-service 2.7.4-3 (low; bug #900133) [stretch] - open-build-service (Minor issue) NOTE: Fixed by: https://github.com/openSUSE/open-build-service/commit/00ec3c6f4132422f00d5c15e854755c331ef1661 (2.7.x) NOTE: https://github.com/openSUSE/open-build-service/commit/8595d06570ded81d8514c8c5a147b250541bf388 (2.9.x) NOTE: A followup https://bugzilla.suse.com/show_bug.cgi?id=1029824 shows NOTE: it might be wise to disallow as well other types (devices, sockets, NOTE: directories, symlinks, ...) 
and needs: NOTE: https://github.com/openSUSE/open-build-service/commit/ba27c91351878bc297ec4baba0bd488a2f3b568d CVE-2017-5187 (A Cross-Site Request Forgery (CWE-352) vulnerability in Directory Serv ...) NOT-FOR-US: Micro Focus CVE-2017-5186 (Novell iManager 2.7 before SP7 Patch 9, NetIQ iManager 3.x before 3.0. ...) NOT-FOR-US: Novell iManager CVE-2017-5185 (A vulnerability was discovered in NetIQ Sentinel Server 8.0 before 8.0 ...) NOT-FOR-US: NetIQ Sentinel CVE-2017-5184 (A vulnerability was discovered in NetIQ Sentinel Server 8.0 before 8.0 ...) NOT-FOR-US: NetIQ Sentinel CVE-2017-5183 (NetIQ Access Manager 4.2.2 and 4.3.x before 4.3.1+, when configured as ...) NOT-FOR-US: NetIQ Access Manager CVE-2017-5182 (Remote Manager in Open Enterprise Server (OES) allows unauthenticated ...) NOT-FOR-US: Open Enterprise Server CVE-2017-5181 REJECTED CVE-2017-5196 (Irssi 0.8.18 before 0.8.21 allows remote attackers to cause a denial o ...) - irssi 0.8.21-1 (bug #850403) [jessie] - irssi (Affects only 0.8.18 and later) [wheezy] - irssi (Affects only 0.8.18 and later) NOTE: https://www.openwall.com/lists/oss-security/2017/01/05/2 NOTE: https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d NOTE: https://irssi.org/security/irssi_sa_2017_01.txt CVE-2017-5195 (Irssi 0.8.17 before 0.8.21 allows remote attackers to cause a denial o ...) - irssi 0.8.21-1 (bug #850403) [jessie] - irssi 0.8.17-1+deb8u3 [wheezy] - irssi (Affects only 0.8.17 and later) NOTE: https://www.openwall.com/lists/oss-security/2017/01/05/2 NOTE: https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d NOTE: https://irssi.org/security/irssi_sa_2017_01.txt CVE-2017-5194 (Use-after-free vulnerability in Irssi before 0.8.21 allows remote atta ...) 
{DLA-1217-1} - irssi 0.8.21-1 (bug #850403) [jessie] - irssi 0.8.17-1+deb8u3 NOTE: https://www.openwall.com/lists/oss-security/2017/01/05/2 NOTE: https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d NOTE: https://irssi.org/security/irssi_sa_2017_01.txt CVE-2017-5193 (The nickcmp function in Irssi before 0.8.21 allows remote attackers to ...) {DLA-1217-1} - irssi 0.8.21-1 (bug #850403) [jessie] - irssi 0.8.17-1+deb8u3 NOTE: https://www.openwall.com/lists/oss-security/2017/01/05/2 NOTE: https://github.com/irssi/irssi/commit/6c6c42e3d1b49d90aacc0b67f8540471cae02a1d NOTE: https://irssi.org/security/irssi_sa_2017_01.txt CVE-2017-5179 (Cross-site scripting (XSS) vulnerability in Tenable Nessus before 6.9. ...) NOT-FOR-US: Nessus CVE-2017-5178 (An issue was discovered in Schneider Electric Tableau Server/Desktop V ...) NOT-FOR-US: Schneider CVE-2017-5177 (A Stack Buffer Overflow issue was discovered in VIPA Controls WinPLC7 ...) NOT-FOR-US: VIPA Controls WinPLC7 CVE-2017-5176 (A DLL Hijack issue was discovered in Rockwell Automation Connected Com ...) NOT-FOR-US: Rockwell Automation Connected Components Workbench CVE-2017-5175 (Advantech WebAccess 8.1 and earlier contains a DLL hijacking vulnerabi ...) NOT-FOR-US: Advantech WebAccess CVE-2017-5174 (An Authentication Bypass issue was discovered in Geutebruck IP Camera ...) NOT-FOR-US: Geutebruck IP Camera G-Cam/EFD-2250 CVE-2017-5173 (An Improper Neutralization of Special Elements (in an OS command) issu ...) NOT-FOR-US: Geutebruck IP Camera G-Cam/EFD-2250 CVE-2017-5172 RESERVED CVE-2017-5171 RESERVED CVE-2017-5170 (An Uncontrolled Search Path Element issue was discovered in Moxa SoftN ...) NOT-FOR-US: Moxa CVE-2017-5169 (An issue was discovered in Hanwha Techwin Smart Security Manager Versi ...) NOT-FOR-US: Hanwha Techwin CVE-2017-5168 (An issue was discovered in Hanwha Techwin Smart Security Manager Versi ...) 
NOT-FOR-US: Hanwha Techwin CVE-2017-5167 (An issue was discovered in BINOM3 Universal Multifunctional Electric P ...) NOT-FOR-US: BINOM3 CVE-2017-5166 (An issue was discovered in BINOM3 Universal Multifunctional Electric P ...) NOT-FOR-US: BINOM3 CVE-2017-5165 (An issue was discovered in BINOM3 Universal Multifunctional Electric P ...) NOT-FOR-US: BINOM3 CVE-2017-5164 (An issue was discovered in BINOM3 Universal Multifunctional Electric P ...) NOT-FOR-US: BINOM3 CVE-2017-5163 (An issue was discovered in Belden Hirschmann GECKO Lite Managed switch ...) NOT-FOR-US: Belden Hirschmann CVE-2017-5162 (An issue was discovered in BINOM3 Universal Multifunctional Electric P ...) NOT-FOR-US: BINOM3 CVE-2017-5161 (An issue was discovered in Sielco Sistemi Winlog Lite SCADA Software, ...) NOT-FOR-US: Sielco Sistemi CVE-2017-5160 (An Inadequate Encryption Strength issue was discovered in Schneider El ...) NOT-FOR-US: Schneider Electric CVE-2017-5159 (An issue was discovered on Phoenix Contact mGuard devices that have be ...) NOT-FOR-US: Phoenix Contact mGuard CVE-2017-5158 (An Information Exposure issue was discovered in Schneider Electric Won ...) NOT-FOR-US: Schneider Electric CVE-2017-5157 (An issue was discovered in Schneider Electric homeLYnk Controller, LSS ...) NOT-FOR-US: Schneider CVE-2017-5156 (A Cross-Site Request Forgery issue was discovered in Schneider Electri ...) NOT-FOR-US: Schneider Electric CVE-2017-5155 (An issue was discovered in Schneider Electric Wonderware Historian 201 ...) NOT-FOR-US: Schneider CVE-2017-5154 (An issue was discovered in Advantech WebAccess Version 8.1. To be able ...) NOT-FOR-US: Advantech WebAccess CVE-2017-5153 (An issue was discovered in OSIsoft PI Coresight 2016 R2 and earlier ve ...) NOT-FOR-US: OSIsoft PI Coresight CVE-2017-5152 (An issue was discovered in Advantech WebAccess Version 8.1. By accessi ...) NOT-FOR-US: Advantech WebAccess CVE-2017-5151 (An issue was discovered in VideoInsight Web Client Version 6.3.5.11 an ...) 
NOT-FOR-US: VideoInsight Web Client CVE-2017-5150 RESERVED CVE-2017-5149 (An issue was discovered in St. Jude Medical Merlin@home, versions prio ...) NOT-FOR-US: St. Jude Medical Merlin@home CVE-2017-5148 RESERVED CVE-2017-5147 (An Uncontrolled Search Path Element issue was discovered in AzeoTech D ...) NOT-FOR-US: AzeoTech DAQFactory CVE-2017-5146 (An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Ve ...) NOT-FOR-US: Carlo Gavazzi CVE-2017-5145 (An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Ve ...) NOT-FOR-US: Carlo Gavazzi CVE-2017-5144 (An issue was discovered in Carlo Gavazzi VMU-C EM prior to firmware Ve ...) NOT-FOR-US: Carlo Gavazzi CVE-2017-5143 (An issue was discovered in Honeywell XL Web II controller XL1000C500 X ...) NOT-FOR-US: Honeywell CVE-2017-5142 (An issue was discovered in Honeywell XL Web II controller XL1000C500 X ...) NOT-FOR-US: Honeywell CVE-2017-5141 (An issue was discovered in Honeywell XL Web II controller XL1000C500 X ...) NOT-FOR-US: Honeywell CVE-2017-5140 (An issue was discovered in Honeywell XL Web II controller XL1000C500 X ...) NOT-FOR-US: Honeywell CVE-2017-5139 (An issue was discovered in Honeywell XL Web II controller XL1000C500 X ...) NOT-FOR-US: Honeywell CVE-2017-5138 RESERVED CVE-2017-5137 (An issue was discovered on SendQuick Entera and Avera devices before 2 ...) NOT-FOR-US: SendQuick Entera and Avera devices CVE-2017-5136 (An issue was discovered on SendQuick Entera and Avera devices before 2 ...) NOT-FOR-US: SendQuick Entera and Avera devices CVE-2017-5180 (Firejail before 0.9.44.4 and 0.9.38.x LTS before 0.9.38.8 LTS does not ...) - firejail 0.9.44.2-3 (bug #850160) NOTE: https://www.openwall.com/lists/oss-security/2017/01/04/1 NOTE: https://github.com/netblue30/firejail/issues/1020 CVE-2017-5135 (Certain Technicolor devices have an SNMP access-control bypass, possib ...) 
NOT-FOR-US: Technicolor CVE-2017-5134 RESERVED CVE-2017-5133 (Off-by-one read/write on the heap in Blink in Google Chrome prior to 6 ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5132 (Inappropriate implementation in V8 in Google Chrome prior to 62.0.3202 ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5131 (An integer overflow in Skia in Google Chrome prior to 62.0.3202.62 all ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5130 (An integer overflow in xmlmemory.c in libxml2 before 2.9.5, as used in ...) {DLA-1188-1} - libxml2 2.9.4+dfsg1-5.1 (bug #880000) [stretch] - libxml2 (Minor issue) [jessie] - libxml2 (Minor issue) - chromium-browser 62.0.3202.75-1 (unimportant) NOTE: chromium-browser uses system libxml2. NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=722079 (not public) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=783026 (not public) NOTE: xmlMemoryStrdup is only for debugging with exception in xmllint when invoked NOTE: with --maxmem. Similar issue for xmlMallocLoc and xmlReallocLoc. NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=897dffbae322b46b83f99a607d527058a72c51ed NOTE: Needs follow up: https://git.gnome.org/browse/libxml2/commit/?id=ed48d65b4d6c5cec7be035ad5eebeba873b4b955 CVE-2017-5129 (A use after free in WebAudio in Blink in Google Chrome prior to 62.0.3 ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5128 (Heap buffer overflow in Blink in Google Chrome prior to 62.0.3202.62 a ...) 
{DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5127 (Use after free in PDFium in Google Chrome prior to 62.0.3202.62 allowe ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5126 (A use after free in PDFium in Google Chrome prior to 62.0.3202.62 allo ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5125 (Heap buffer overflow in Skia in Google Chrome prior to 62.0.3202.62 al ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5124 (Incorrect application of sandboxing in Blink in Google Chrome prior to ...) {DSA-4020-1} - chromium-browser 62.0.3202.75-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5123 [waitid() not calling access_ok()] RESERVED - linux 4.13.4-2 [stretch] - linux (Vulnerable code not present) [jessie] - linux (Vulnerable code not present) [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/96ca579a1ecc943b75beba58bebb0356f6cc4b51 CVE-2017-5122 (Inappropriate use of table size handling in V8 in Google Chrome prior ...) {DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-5121 (Inappropriate use of JIT optimisation in V8 in Google Chrome prior to ...) 
{DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-5120 (Inappropriate use of www mismatch redirects in browser navigation in G ...) {DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5119 (Use of an uninitialized value in Skia in Google Chrome prior to 61.0.3 ...) {DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5118 (Blink in Google Chrome prior to 61.0.3163.79 for Mac, Windows, and Lin ...) {DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5117 (Use of an uninitialized value in Skia in Google Chrome prior to 61.0.3 ...) {DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5116 (Type confusion in V8 in Google Chrome prior to 61.0.3163.79 for Mac, W ...) {DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-5115 (Type confusion in V8 in Google Chrome prior to 61.0.3163.79 for Window ...) {DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-5114 (Inappropriate use of partition alloc in PDFium in Google Chrome prior ...) 
{DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5113 (Math overflow in Skia in Google Chrome prior to 61.0.3163.79 for Mac, ...) {DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5112 (Heap buffer overflow in WebGL in Google Chrome prior to 61.0.3163.79 f ...) {DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5111 (A use after free in PDFium in Google Chrome prior to 61.0.3163.79 for ...) {DSA-3985-1} - chromium-browser 61.0.3163.100-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5110 (Inappropriate implementation of the web payments API on blob: and data ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5109 (Inappropriate implementation of unload handler handling in permission ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5108 (Type confusion in PDFium in Google Chrome prior to 60.0.3112.78 for Ma ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5107 (A timing attack in SVG rendering in Google Chrome prior to 60.0.3112.7 ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5106 (Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 6 ...) 
{DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5105 (Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 6 ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5104 (Inappropriate implementation in interstitials in Google Chrome prior t ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5103 (Use of an uninitialized value in Skia in Google Chrome prior to 60.0.3 ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5102 (Use of an uninitialized value in Skia in Google Chrome prior to 60.0.3 ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5101 (Inappropriate implementation in Omnibox in Google Chrome prior to 60.0 ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5100 (A use after free in Apps in Google Chrome prior to 60.0.3112.78 for Wi ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5099 (Insufficient validation of untrusted input in PPAPI Plugins in Google ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5098 (A use after free in V8 in Google Chrome prior to 60.0.3112.78 for Mac, ...) 
{DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5097 (Insufficient validation of untrusted input in Skia in Google Chrome pr ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5096 (Insufficient policy enforcement during navigation between different sc ...) - chromium-browser (Android-specific) CVE-2017-5095 (Stack overflow in PDFium in Google Chrome prior to 60.0.3112.78 for Li ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5094 (Type confusion in extensions JavaScript bindings in Google Chrome prio ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5093 (Inappropriate implementation in modal dialog handling in Blink in Goog ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5092 (Insufficient validation of untrusted input in PPAPI Plugins in Google ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5091 (A use after free in IndexedDB in Google Chrome prior to 60.0.3112.78 f ...) {DSA-3926-1} - chromium-browser 60.0.3112.78-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5090 (Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 5 ...) - chromium-browser (Chrome on Mac) CVE-2017-5089 (Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 5 ...) 
{DSA-3926-1} - chromium-browser 59.0.3071.104-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5088 (Insufficient validation of untrusted input in V8 in Google Chrome prio ...) {DSA-3926-1} - chromium-browser 59.0.3071.104-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5087 (A use after free in Blink in Google Chrome prior to 59.0.3071.104 for ...) {DSA-3926-1} - chromium-browser 59.0.3071.104-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5086 (Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 5 ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5085 (Inappropriate implementation in Bookmarks in Google Chrome prior to 59 ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5084 (Inappropriate implementation in image-burner in Google Chrome OS prior ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5083 (Inappropriate implementation in Blink in Google Chrome prior to 59.0.3 ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5082 (Failure to take advantage of available mitigations in credit card auto ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5081 (Lack of verification of an extension's locale folder in Google Chrome ...) 
- chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5080 (A use after free in credit card autofill in Google Chrome prior to 59. ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5079 (Inappropriate implementation in Blink in Google Chrome prior to 59.0.3 ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5078 (Insufficient validation of untrusted input in Blink's mailto: handling ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5077 (Insufficient validation of untrusted input in Skia in Google Chrome pr ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5076 (Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 5 ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5075 (Inappropriate implementation in CSP reporting in Blink in Google Chrom ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5074 (A use after free in Chrome Apps in Google Chrome prior to 59.0.3071.86 ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5073 (Use after free in print preview in Blink in Google Chrome prior to 59. ...) 
- chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5072 (Inappropriate implementation in Omnibox in Google Chrome prior to 59.0 ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5071 (Insufficient validation of untrusted input in V8 in Google Chrome prio ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-5070 (Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, ...) - chromium-browser 59.0.3071.86-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-5069 (Incorrect MIME type of XSS-Protection reports in Blink in Google Chrom ...) - chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5068 (Incorrect handling of picture ID in WebRTC in Google Chrome prior to 5 ...) - chromium-browser 58.0.3029.96-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5067 (An insufficient watchdog timer in navigation in Google Chrome prior to ...) - chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5066 (Insufficient consistency checks in signature handling in the networkin ...) 
- chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5065 (Lack of an appropriate action on page navigation in Blink in Google Ch ...) - chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5064 (Incorrect handling of DOM changes in Blink in Google Chrome prior to 5 ...) - chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5063 (A numeric overflow in Skia in Google Chrome prior to 58.0.3029.81 for ...) - chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5062 (A use after free in Chrome Apps in Google Chrome prior to 58.0.3029.81 ...) - chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5061 (A race condition in navigation in Google Chrome prior to 58.0.3029.81 ...) - chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5060 (Insufficient Policy Enforcement in Omnibox in Google Chrome prior to 5 ...) - chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5059 (Type confusion in Blink in Google Chrome prior to 58.0.3029.81 for Lin ...) - chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5058 (A use after free in PrintPreview in Google Chrome prior to 58.0.3029.8 ...) 
- chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5057 (Type confusion in PDFium in Google Chrome prior to 58.0.3029.81 for Ma ...) - chromium-browser 58.0.3029.81-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5056 (A use after free in Blink in Google Chrome prior to 57.0.2987.133 for ...) - chromium-browser 57.0.2987.133-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5055 (A use after free in printing in Google Chrome prior to 57.0.2987.133 f ...) - chromium-browser 57.0.2987.133-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5054 (An out-of-bounds read in V8 in Google Chrome prior to 57.0.2987.133 fo ...) - chromium-browser 57.0.2987.133-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-5053 (An out-of-bounds read in V8 in Google Chrome prior to 57.0.2987.133 fo ...) - chromium-browser 57.0.2987.133-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-5052 (An incorrect assumption about block structure in Blink in Google Chrom ...) - chromium-browser 57.0.2987.133-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5051 (An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 f ...) 
- chromium-browser 57.0.2987.98-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) NOTE: https://codereview.chromium.org/2654913002 CVE-2017-5050 (An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 f ...) - chromium-browser 57.0.2987.98-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) NOTE: https://codereview.chromium.org/2654913002 CVE-2017-5049 (An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 f ...) - chromium-browser 57.0.2987.98-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) NOTE: https://codereview.chromium.org/2654913002 CVE-2017-5048 (An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 f ...) - chromium-browser 57.0.2987.98-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) NOTE: https://codereview.chromium.org/2654913002 CVE-2017-5047 (An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 f ...) - chromium-browser 57.0.2987.98-1 [jessie] - chromium-browser (End of life, see DSA 4020) [wheezy] - chromium-browser (Not supported in Wheezy) NOTE: https://codereview.chromium.org/2654913002 CVE-2017-5046 (V8 in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5045 (XSS Auditor in Google Chrome prior to 57.0.2987.98 for Mac, Windows, a ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5044 (Heap buffer overflow in filter processing in Skia in Google Chrome pri ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5043 (Chrome Apps in Google Chrome prior to 57.0.2987.98 for Linux, Windows, ...) 
{DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5042 (Cast in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linu ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5041 (Google Chrome prior to 57.0.2987.100 incorrectly handled back-forward ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5040 (V8 in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Linux ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-5039 (A use after free in PDFium in Google Chrome prior to 57.0.2987.98 for ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5038 (Chrome Apps in Google Chrome prior to 57.0.2987.98 for Linux, Windows, ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5037 (An integer overflow in FFmpeg in Google Chrome prior to 57.0.2987.98 f ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5036 (A use after free in PDFium in Google Chrome prior to 57.0.2987.98 for ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5035 (Google Chrome prior to 57.0.2987.98 for Windows and Mac had a race con ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5034 (A use after free in PDFium in Google Chrome prior to 57.0.2987.98 for ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5033 (Blink in Google Chrome prior to 57.0.2987.98 for Mac, Windows, and Lin ...) 
{DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5032 (PDFium in Google Chrome prior to 57.0.2987.98 for Windows could be mad ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5031 (A use after free in ANGLE in Google Chrome prior to 57.0.2987.98 for W ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5030 (Incorrect handling of complex species in V8 in Google Chrome prior to ...) {DSA-3810-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-5029 (The xsltAddTextString function in transform.c in libxslt 1.1.29, as us ...) {DSA-3810-1 DLA-866-1} - chromium-browser 57.0.2987.98-1 [wheezy] - chromium-browser (Not supported in Wheezy) - libxslt 1.1.29-2.1 (bug #858546) [jessie] - libxslt 1.1.28-2+deb8u3 NOTE: Upstream fix in libxslt: https://git.gnome.org/browse/libxslt/commit/?id=08ab2774b870de1c7b5a48693df75e8154addae5 CVE-2017-5028 (Insufficient data validation in V8 in Google Chrome prior to 56.0.2924 ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 CVE-2017-5027 (Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Ma ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5026 (Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, failed ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5025 (FFmpeg in Google Chrome prior to 56.0.2924.76 for Linux, Windows and M ...) {DSA-3776-1} - chromium-browser 44.0.2403.157-1 [wheezy] - chromium-browser (Not supported in Wheezy) - ffmpeg 7:3.2.4-1 CVE-2017-5024 (FFmpeg in Google Chrome prior to 56.0.2924.76 for Linux, Windows and M ...) 
{DSA-3776-1} - chromium-browser 44.0.2403.157-1 [wheezy] - chromium-browser (Not supported in Wheezy) - ffmpeg 7:3.2.4-1 CVE-2017-5023 (Type confusion in Histogram in Google Chrome prior to 56.0.2924.76 for ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5022 (Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Ma ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5021 (A use after free in Google Chrome prior to 56.0.2924.76 for Linux, Win ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5020 (Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56 ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5019 (A use after free in Google Chrome prior to 56.0.2924.76 for Linux, Win ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5018 (Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56 ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5017 (Interactions with the OS in Google Chrome prior to 56.0.2924.76 for Ma ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5016 (Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Ma ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5015 (Google Chrome prior to 56.0.2924.76 for Linux, Windows and Mac, and 56 ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5014 (Heap buffer overflow during image processing in Skia in Google Chrome ...) 
{DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5013 (Google Chrome prior to 56.0.2924.76 for Linux incorrectly handled new ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5012 (A heap buffer overflow in V8 in Google Chrome prior to 56.0.2924.76 fo ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) - libv8 (unimportant) NOTE: libv8 not covered by security support CVE-2017-5011 (Google Chrome prior to 56.0.2924.76 for Windows insufficiently sanitiz ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5010 (Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Ma ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5009 (WebRTC in Google Chrome prior to 56.0.2924.76 for Linux, Windows and M ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5008 (Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Ma ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5007 (Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Ma ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5006 (Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows and Ma ...) {DSA-3776-1} - chromium-browser 56.0.2924.76-3 [wheezy] - chromium-browser (Not supported in Wheezy) CVE-2017-5005 (Stack-based buffer overflow in Quick Heal Internet Security 10.1.0.316 ...) NOT-FOR-US: Quickheal CVE-2017-5333 (Integer overflow in the extract_group_icon_cursor_resource function in ...) 
{DSA-3765-1 DLA-789-1} - icoutils 0.31.1-1 NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1a108713ac26215c7568353f6e02e727e6d4b24a NOTE: CVE for "the separate vulnerability fixed by the introduction of the "size >= sizeof(uint16_t)*2" test in NOTE: 1a108713ac26215c7568353f6e02e727e6d4b24a" NOTE: http://seclists.org/oss-sec/2017/q1/56 CVE-2017-5332 (The extract_group_icon_cursor_resource in wrestool/extract.c in icouti ...) {DSA-3765-1 DLA-789-1} - icoutils 0.31.1-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1249276 NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=1a108713ac26215c7568353f6e02e727e6d4b24a NOTE: https://www.openwall.com/lists/oss-security/2017/01/10/4 NOTE: CVE for "all of 1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a and also the index correction in NOTE: 1a108713ac26215c7568353f6e02e727e6d4b24a." CVE-2017-5331 (Integer overflow in the check_offset function in b/wrestool/fileread.c ...) {DSA-3765-1 DLA-789-1} - icoutils 0.31.1-1 NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=4fbe9222fd79ee31b7ec031b0be070a9a400d1d3 NOTE: https://www.openwall.com/lists/oss-security/2017/01/10/4 CVE-2017-5208 (Integer overflow in the wrestool program in icoutils before 0.31.1 all ...) {DSA-3756-1 DLA-789-1} - icoutils 0.31.0-4 (bug #850017) NOTE: Fixed by: http://git.savannah.gnu.org/cgit/icoutils.git/commit/?id=0d569f458f306b88f60156d60c9cf058125cf173 NOTE: https://www.openwall.com/lists/oss-security/2017/01/08/1 CVE-2017-5340 (Zend/zend_hash.c in PHP before 7.0.15 and 7.1.x before 7.1.1 mishandle ...) - php7.1 7.1.1-1 (bug #852022) - php7.0 7.0.15-1 (bug #850158) NOTE: PHP Bug: https://bugs.php.net/bug.php?id=73832 NOTE: Fixed in PHP 7.1.1, 7.0.15 CVE-2017-5004 (EMC RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2 (all p ...) 
NOT-FOR-US: RSA Identity Governance and Lifecycle CVE-2017-5003 (EMC RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2 (all p ...) NOT-FOR-US: RSA Identity Governance and Lifecycle CVE-2017-5002 (EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is ...) NOT-FOR-US: EMC CVE-2017-5001 (EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is ...) NOT-FOR-US: EMC CVE-2017-5000 (EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is ...) NOT-FOR-US: EMC CVE-2017-4999 (EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is ...) NOT-FOR-US: EMC CVE-2017-4998 (EMC RSA Archer 5.4.1.3, 5.5.3.1, 5.5.2.3, 5.5.2, 5.5.1.3.1, 5.5.1.1 is ...) NOT-FOR-US: EMC CVE-2017-4997 (EMC VASA Provider Virtual Appliance versions 8.3.x and prior has an un ...) NOT-FOR-US: EMC CVE-2017-4996 REJECTED CVE-2017-4995 (An issue was discovered in Pivotal Spring Security 4.2.0.RELEASE throu ...) - libspring-security-java (bug #582181) NOTE: https://pivotal.io/security/cve-2017-4995 CVE-2017-4994 (An issue was discovered in Cloud Foundry Foundation cf-release version ...) NOT-FOR-US: Cloud Foundry CVE-2017-4993 REJECTED CVE-2017-4992 (An issue was discovered in Cloud Foundry Foundation cf-release version ...) NOT-FOR-US: Cloud Foundry CVE-2017-4991 (An issue was discovered in Cloud Foundry Foundation cf-release version ...) NOT-FOR-US: Cloud Foundry CVE-2017-4990 (In EMC Avamar Server Software 7.4.1-58, 7.4.0-242, 7.3.1-125, 7.3.0-23 ...) NOT-FOR-US: EMC CVE-2017-4989 (In EMC Avamar Server Software 7.3.1-125, 7.3.0-233, 7.3.0-226, 7.2.1-3 ...) NOT-FOR-US: EMC CVE-2017-4988 (EMC Isilon OneFS 8.0.1.0, 8.0.0 - 8.0.0.3, 7.2.0 - 7.2.1.4, 7.1.x is a ...) NOT-FOR-US: EMC CVE-2017-4987 (In EMC VNX2 versions prior to OE for File 8.1.9.211 and VNX1 versions ...) NOT-FOR-US: EMC CVE-2017-4986 (EMC ESRS VE 3.18 or earlier contains Authentication Bypass that could ...) 
NOT-FOR-US: EMC CVE-2017-4985 (In EMC VNX2 versions prior to OE for File 8.1.9.211 and VNX1 versions ...) NOT-FOR-US: EMC CVE-2017-4984 (In EMC VNX2 versions prior to OE for File 8.1.9.211 and VNX1 versions ...) NOT-FOR-US: EMC CVE-2017-4983 (EMC Data Domain OS 5.2 through 5.7 before 5.7.3.0 and 6.0 before 6.0.1 ...) NOT-FOR-US: EMC Data Domain OS CVE-2017-4982 (EMC Mainframe Enablers ResourcePak Base versions 7.6.0, 8.0.0, and 8.1 ...) NOT-FOR-US: EMC Mainframe CVE-2017-4981 (EMC RSA BSAFE Cert-C before 2.9.0.5 contains a potential improper cert ...) NOT-FOR-US: EMC CVE-2017-4980 (EMC Isilon OneFS is affected by a path traversal vulnerability that ma ...) NOT-FOR-US: EMC CVE-2017-4979 (EMC Isilon OneFS 8.0.1.0, OneFS 8.0.0.0 - 8.0.0.2, OneFS 7.2.1.0 - 7.2 ...) NOT-FOR-US: EMC CVE-2017-4978 (EMC RSA Adaptive Authentication (On-Premise) versions prior to 7.3 P2 ...) NOT-FOR-US: EMC CVE-2017-4977 (EMC RSA Archer Security Operations Management with RSA Unified Collect ...) NOT-FOR-US: EMC CVE-2017-4976 (EMC ESRS Policy Manager prior to 6.8 contains an undocumented account ...) NOT-FOR-US: EMC CVE-2017-4975 (An issue was discovered in Pivotal PCF Tile Generator versions prior t ...) NOT-FOR-US: Pivotal PCF Tile Generator CVE-2017-4974 (An issue was discovered in Cloud Foundry Foundation cf-release version ...) NOT-FOR-US: Cloud Foundry CVE-2017-4973 (An issue was discovered in Cloud Foundry Foundation cf-release version ...) NOT-FOR-US: Cloud Foundry CVE-2017-4972 (An issue was discovered in Cloud Foundry Foundation cf-release version ...) NOT-FOR-US: Cloud Foundry CVE-2017-4971 (An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Appl ...) NOT-FOR-US: Spring Web Flow CVE-2017-4970 (An issue was discovered in Cloud Foundry Foundation cf-release v255 an ...) NOT-FOR-US: Cloud Foundry CVE-2017-4969 (The Cloud Controller in Cloud Foundry cf-release versions prior to v25 ...) 
NOT-FOR-US: Cloud Foundry CVE-2017-4968 REJECTED CVE-2017-4967 (An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x ...) - rabbitmq-server 3.6.10-1 (low; bug #863586) [stretch] - rabbitmq-server (Minor issue) [jessie] - rabbitmq-server (Minor issue) [wheezy] - rabbitmq-server (Minor issue) CVE-2017-4966 (An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x ...) - rabbitmq-server 3.6.10-1 (low; bug #863586) [stretch] - rabbitmq-server (Minor issue) [jessie] - rabbitmq-server (Vulnerable code introduced later) [wheezy] - rabbitmq-server (Vulnerable code introduced later) NOTE: Fixed by: https://github.com/rabbitmq/rabbitmq-management/commit/2371633f99ad0d293899384f078872ff9e9f3e10 (rabbitmq_v3_6_9) NOTE: Introduced by: https://github.com/rabbitmq/rabbitmq-management/commit/ced47b0bdca862a58e8f31833643e948655f8368 (rabbitmq_v3_4_0) CVE-2017-4965 (An issue was discovered in these Pivotal RabbitMQ versions: all 3.4.x ...) - rabbitmq-server 3.6.10-1 (low; bug #863586) [stretch] - rabbitmq-server (Minor issue) [jessie] - rabbitmq-server (Minor issue) [wheezy] - rabbitmq-server (Minor issue) CVE-2017-4964 (Cloud Foundry Foundation BOSH Azure CPI v22 could potentially allow a ...) NOT-FOR-US: Cloud Foundry CVE-2017-4963 (An issue was discovered in Cloud Foundry Foundation Cloud Foundry rele ...) NOT-FOR-US: Cloud Foundry CVE-2017-4962 REJECTED CVE-2017-4961 (An issue was discovered in Cloud Foundry Foundation BOSH Release 261.x ...) NOT-FOR-US: Cloud Foundry CVE-2017-4960 (An issue was discovered in Cloud Foundry release v247 through v252, UA ...) NOT-FOR-US: Cloud Foundry CVE-2017-4959 (An issue was discovered in Pivotal PCF Elastic Runtime 1.8.x versions ...) NOT-FOR-US: Pivotal PCF Elastic Runtime CVE-2017-4958 REJECTED CVE-2017-4957 REJECTED CVE-2017-4956 REJECTED CVE-2017-4955 (An issue was discovered in Pivotal PCF Elastic Runtime 1.6.x versions ...) 
NOT-FOR-US: Pivotal PCF Elastic Runtime CVE-2017-4954 RESERVED CVE-2017-4953 RESERVED CVE-2017-4952 (VMware Xenon 1.x, prior to 1.5.4-CR7_1, 1.5.7_7, 1.5.4-CR6_2, 1.3.7-CR ...) NOT-FOR-US: VMware Xenon CVE-2017-4951 (VMware AirWatch Console (9.2.x before 9.2.2 and 9.1.x before 9.1.5) co ...) NOT-FOR-US: VMware AirWatch Console CVE-2017-4950 (VMware Workstation and Fusion contain an integer overflow vulnerabilit ...) NOT-FOR-US: VMware CVE-2017-4949 (VMware Workstation and Fusion contain a use-after-free vulnerability i ...) NOT-FOR-US: VMware CVE-2017-4948 (VMware Workstation (14.x before 14.1.0 and 12.x) and Horizon View Clie ...) NOT-FOR-US: VMware CVE-2017-4947 (VMware Realize Automation (7.3 and 7.2) and vSphere Integrated Contain ...) NOT-FOR-US: VMware Realize Automation CVE-2017-4946 (The VMware V4H and V4PA desktop agents (6.x before 6.5.1) contain a pr ...) NOT-FOR-US: VMware CVE-2017-4945 (VMware Workstation (14.x and 12.x) and Fusion (10.x and 8.x) contain a ...) NOT-FOR-US: VMware CVE-2017-4944 RESERVED CVE-2017-4943 (VMware vCenter Server Appliance (vCSA) (6.5 before 6.5 U1d) contains a ...) NOT-FOR-US: VMware CVE-2017-4942 (VMware AirWatch Console (AWC) contains a Broken Access Control vulnera ...) NOT-FOR-US: VMware CVE-2017-4941 (VMware ESXi (6.0 before ESXi600-201711101-SG, 5.5 ESXi550-201709101-SG ...) NOT-FOR-US: VMware CVE-2017-4940 (The ESXi Host Client in VMware ESXi (6.5 before ESXi650-201712103-SG, ...) NOT-FOR-US: VMware CVE-2017-4939 (VMware Workstation (12.x before 12.5.8) installer contains a DLL hijac ...) NOT-FOR-US: VMware CVE-2017-4938 (VMware Workstation (12.x before 12.5.8) and Fusion (8.x before 8.5.9) ...) NOT-FOR-US: VMware CVE-2017-4937 (VMware Workstation (12.x before 12.5.8) and Horizon View Client for Wi ...) NOT-FOR-US: VMware CVE-2017-4936 (VMware Workstation (12.x before 12.5.8) and Horizon View Client for Wi ...) NOT-FOR-US: VMware CVE-2017-4935 (VMware Workstation (12.x before 12.5.8) and Horizon View Client for Wi ...) 
NOT-FOR-US: VMware CVE-2017-4934 (VMware Workstation (12.x before 12.5.8) and Fusion (8.x before 8.5.9) ...) NOT-FOR-US: VMware CVE-2017-4933 (VMware ESXi (6.5 before ESXi650-201710401-BG), Workstation (12.x befor ...) NOT-FOR-US: VMware CVE-2017-4932 (VMware AirWatch Launcher for Android prior to 3.2.2 contains a vulnera ...) NOT-FOR-US: VMware CVE-2017-4931 (VMware AirWatch Console 9.x prior to 9.2.0 contains a vulnerability th ...) NOT-FOR-US: VMware CVE-2017-4930 (VMware AirWatch Console 9.x prior to 9.2.0 contains a vulnerability th ...) NOT-FOR-US: VMware CVE-2017-4929 (VMware NSX Edge (6.2.x before 6.2.9 and 6.3.x before 6.3.5) contains a ...) NOT-FOR-US: VMware CVE-2017-4928 (The flash-based vSphere Web Client (6.0 prior to 6.0 U3c and 5.5 prior ...) NOT-FOR-US: VMware CVE-2017-4927 (VMware vCenter Server (6.5 prior to 6.5 U1 and 6.0 prior to 6.0 U3c) d ...) NOT-FOR-US: VMware CVE-2017-4926 (VMware vCenter Server (6.5 prior to 6.5 U1) contains a vulnerability t ...) NOT-FOR-US: VMware CVE-2017-4925 (VMware ESXi 6.5 without patch ESXi650-201707101-SG, ESXi 6.0 without p ...) NOT-FOR-US: VMware CVE-2017-4924 (VMware ESXi (ESXi 6.5 without patch ESXi650-201707101-SG), Workstation ...) NOT-FOR-US: VMware CVE-2017-4923 (VMware vCenter Server (6.5 prior to 6.5 U1) contains an information di ...) NOT-FOR-US: VMware CVE-2017-4922 (VMware vCenter Server (6.5 prior to 6.5 U1) contains an information di ...) NOT-FOR-US: VMware CVE-2017-4921 (VMware vCenter Server (6.5 prior to 6.5 U1) contains an insecure libra ...) NOT-FOR-US: VMware CVE-2017-4920 (The implementation of the OSPF protocol in VMware NSX-V Edge 6.2.x pri ...) NOT-FOR-US: VMware CVE-2017-4919 (VMware vCenter Server 5.5, 6.0, 6.5 allows vSphere users with certain, ...) NOT-FOR-US: VMware vCenter Server CVE-2017-4918 (VMware Horizon View Client (2.x, 3.x and 4.x prior to 4.5.0) contains ...) NOT-FOR-US: VMware CVE-2017-4917 (VMware vSphere Data Protection (VDP) 6.1.x, 6.0.x, 5.8.x, and 5.5.x lo ...) 
NOT-FOR-US: VMware CVE-2017-4916 (VMware Workstation Pro/Player contains a NULL pointer dereference vuln ...) NOT-FOR-US: VMware CVE-2017-4915 (VMware Workstation Pro/Player contains an insecure library loading vul ...) NOT-FOR-US: VMware CVE-2017-4914 (VMware vSphere Data Protection (VDP) 6.1.x, 6.0.x, 5.8.x, and 5.5.x co ...) NOT-FOR-US: VMware CVE-2017-4913 (VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x ...) NOT-FOR-US: VMware CVE-2017-4912 (VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x ...) NOT-FOR-US: VMware CVE-2017-4911 (VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x ...) NOT-FOR-US: VMware CVE-2017-4910 (VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x ...) NOT-FOR-US: VMware CVE-2017-4909 (VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x ...) NOT-FOR-US: VMware CVE-2017-4908 (VMware Workstation (12.x prior to 12.5.3) and Horizon View Client (4.x ...) NOT-FOR-US: VMware CVE-2017-4907 (VMware Unified Access Gateway (2.5.x, 2.7.x, 2.8.x prior to 2.8.1) and ...) NOT-FOR-US: VMware CVE-2017-4906 RESERVED CVE-2017-4905 (VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without pat ...) NOT-FOR-US: VMware CVE-2017-4904 (The XHCI controller in VMware ESXi 6.5 without patch ESXi650-201703410 ...) NOT-FOR-US: VMware CVE-2017-4903 (VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without pat ...) NOT-FOR-US: VMware CVE-2017-4902 (VMware ESXi 6.5 without patch ESXi650-201703410-SG and 5.5 without pat ...) NOT-FOR-US: VMware CVE-2017-4901 (The drag-and-drop (DnD) function in VMware Workstation 12.x before ver ...) NOT-FOR-US: VMware CVE-2017-4900 (VMware Workstation Pro/Player 12.x before 12.5.3 contains a NULL point ...) NOT-FOR-US: VMware CVE-2017-4899 (VMware Workstation Pro/Player 12.x before 12.5.3 contains a security v ...) 
NOT-FOR-US: VMware CVE-2017-4898 (VMware Workstation Pro/Player 12.x before 12.5.3 contains a DLL loadin ...) NOT-FOR-US: VMware CVE-2017-4897 (VMware Horizon DaaS before 7.0.0 contains a vulnerability that exists ...) NOT-FOR-US: VMware Horizon DaaS CVE-2017-4896 (Airwatch Inbox for Android contains a vulnerability that may allow a r ...) NOT-FOR-US: Airwatch Inbox for Android CVE-2017-4895 (Airwatch Agent for Android contains a vulnerability that may allow a d ...) NOT-FOR-US: Airwatch Inbox for Android CVE-2017-4894 REJECTED CVE-2017-4893 REJECTED CVE-2017-4892 REJECTED CVE-2017-4891 REJECTED CVE-2017-4890 REJECTED CVE-2017-4889 REJECTED CVE-2017-4888 REJECTED CVE-2017-4887 REJECTED CVE-2017-4886 REJECTED CVE-2017-4885 REJECTED CVE-2017-4884 REJECTED CVE-2017-4883 REJECTED CVE-2017-4882 REJECTED CVE-2017-4881 REJECTED CVE-2017-4880 REJECTED CVE-2017-4879 REJECTED CVE-2017-4878 REJECTED CVE-2017-4877 REJECTED CVE-2017-4876 REJECTED CVE-2017-4875 REJECTED CVE-2017-4874 REJECTED CVE-2017-4873 REJECTED CVE-2017-4872 REJECTED CVE-2017-4871 REJECTED CVE-2017-4870 REJECTED CVE-2017-4869 REJECTED CVE-2017-4868 REJECTED CVE-2017-4867 REJECTED CVE-2017-4866 REJECTED CVE-2017-4865 REJECTED CVE-2017-4864 REJECTED CVE-2017-4863 REJECTED CVE-2017-4862 REJECTED CVE-2017-4861 REJECTED CVE-2017-4860 REJECTED CVE-2017-4859 REJECTED CVE-2017-4858 REJECTED CVE-2017-4857 REJECTED CVE-2017-4856 REJECTED CVE-2017-4855 REJECTED CVE-2017-4854 REJECTED CVE-2017-4853 REJECTED CVE-2017-4852 REJECTED CVE-2017-4851 REJECTED CVE-2017-4850 REJECTED CVE-2017-4849 REJECTED CVE-2017-4848 REJECTED CVE-2017-4847 REJECTED CVE-2017-4846 REJECTED CVE-2017-4845 REJECTED CVE-2017-4844 REJECTED CVE-2017-4843 REJECTED CVE-2017-4842 REJECTED CVE-2017-4841 REJECTED CVE-2017-4840 REJECTED CVE-2017-4839 REJECTED CVE-2017-4838 REJECTED CVE-2017-4837 REJECTED CVE-2017-4836 REJECTED CVE-2017-4835 REJECTED CVE-2017-4834 REJECTED CVE-2017-4833 REJECTED CVE-2017-4832 REJECTED CVE-2017-4831 REJECTED CVE-2017-4830 
REJECTED CVE-2017-4829 REJECTED CVE-2017-4828 REJECTED CVE-2017-4827 REJECTED CVE-2017-4826 REJECTED CVE-2017-4825 REJECTED CVE-2017-4824 REJECTED CVE-2017-4823 REJECTED CVE-2017-4822 REJECTED CVE-2017-4821 REJECTED CVE-2017-4820 REJECTED CVE-2017-4819 REJECTED CVE-2017-4818 REJECTED CVE-2017-4817 REJECTED CVE-2017-4816 REJECTED CVE-2017-4815 REJECTED CVE-2017-4814 REJECTED CVE-2017-4813 REJECTED CVE-2017-4812 REJECTED CVE-2017-4811 REJECTED CVE-2017-4810 REJECTED CVE-2017-4809 REJECTED CVE-2017-4808 REJECTED CVE-2017-4807 REJECTED CVE-2017-4806 REJECTED CVE-2017-4805 REJECTED CVE-2017-4804 REJECTED CVE-2017-4803 REJECTED CVE-2017-4802 REJECTED CVE-2017-4801 REJECTED CVE-2017-4800 REJECTED CVE-2017-4799 REJECTED CVE-2017-4798 REJECTED CVE-2017-4797 REJECTED CVE-2017-4796 REJECTED CVE-2017-4795 REJECTED CVE-2017-4794 REJECTED CVE-2017-4793 REJECTED CVE-2017-4792 REJECTED CVE-2017-4791 REJECTED CVE-2017-4790 REJECTED CVE-2017-4789 REJECTED CVE-2017-4788 REJECTED CVE-2017-4787 REJECTED CVE-2017-4786 REJECTED CVE-2017-4785 REJECTED CVE-2017-4784 REJECTED CVE-2017-4783 REJECTED CVE-2017-4782 REJECTED CVE-2017-4781 REJECTED CVE-2017-4780 REJECTED CVE-2017-4779 REJECTED CVE-2017-4778 REJECTED CVE-2017-4777 REJECTED CVE-2017-4776 REJECTED CVE-2017-4775 REJECTED CVE-2017-4774 REJECTED CVE-2017-4773 REJECTED CVE-2017-4772 REJECTED CVE-2017-4771 REJECTED CVE-2017-4770 REJECTED CVE-2017-4769 REJECTED CVE-2017-4768 REJECTED CVE-2017-4767 REJECTED CVE-2017-4766 REJECTED CVE-2017-4765 REJECTED CVE-2017-4764 REJECTED CVE-2017-4763 REJECTED CVE-2017-4762 REJECTED CVE-2017-4761 REJECTED CVE-2017-4760 REJECTED CVE-2017-4759 REJECTED CVE-2017-4758 REJECTED CVE-2017-4757 REJECTED CVE-2017-4756 REJECTED CVE-2017-4755 REJECTED CVE-2017-4754 REJECTED CVE-2017-4753 REJECTED CVE-2017-4752 REJECTED CVE-2017-4751 REJECTED CVE-2017-4750 REJECTED CVE-2017-4749 REJECTED CVE-2017-4748 REJECTED CVE-2017-4747 REJECTED CVE-2017-4746 REJECTED CVE-2017-4745 REJECTED CVE-2017-4744 REJECTED 
CVE-2017-4743 REJECTED CVE-2017-4742 REJECTED CVE-2017-4741 REJECTED CVE-2017-4740 REJECTED CVE-2017-4739 REJECTED CVE-2017-4738 REJECTED CVE-2017-4737 REJECTED CVE-2017-4736 REJECTED CVE-2017-4735 REJECTED CVE-2017-4734 REJECTED CVE-2017-4733 REJECTED CVE-2017-4732 REJECTED CVE-2017-4731 REJECTED CVE-2017-4730 REJECTED CVE-2017-4729 REJECTED CVE-2017-4728 REJECTED CVE-2017-4727 REJECTED CVE-2017-4726 REJECTED CVE-2017-4725 REJECTED CVE-2017-4724 REJECTED CVE-2017-4723 REJECTED CVE-2017-4722 REJECTED CVE-2017-4721 REJECTED CVE-2017-4720 REJECTED CVE-2017-4719 REJECTED CVE-2017-4718 REJECTED CVE-2017-4717 REJECTED CVE-2017-4716 REJECTED CVE-2017-4715 REJECTED CVE-2017-4714 REJECTED CVE-2017-4713 REJECTED CVE-2017-4712 REJECTED CVE-2017-4711 REJECTED CVE-2017-4710 REJECTED CVE-2017-4709 REJECTED CVE-2017-4708 REJECTED CVE-2017-4707 REJECTED CVE-2017-4706 REJECTED CVE-2017-4705 REJECTED CVE-2017-4704 REJECTED CVE-2017-4703 REJECTED CVE-2017-4702 REJECTED CVE-2017-4701 REJECTED CVE-2017-4700 REJECTED CVE-2017-4699 REJECTED CVE-2017-4698 REJECTED CVE-2017-4697 REJECTED CVE-2017-4696 REJECTED CVE-2017-4695 REJECTED CVE-2017-4694 REJECTED CVE-2017-4693 REJECTED CVE-2017-4692 REJECTED CVE-2017-4691 REJECTED CVE-2017-4690 REJECTED CVE-2017-4689 REJECTED CVE-2017-4688 REJECTED CVE-2017-4687 REJECTED CVE-2017-4686 REJECTED CVE-2017-4685 REJECTED CVE-2017-4684 REJECTED CVE-2017-4683 REJECTED CVE-2017-4682 REJECTED CVE-2017-4681 REJECTED CVE-2017-4680 REJECTED CVE-2017-4679 REJECTED CVE-2017-4678 REJECTED CVE-2017-4677 REJECTED CVE-2017-4676 REJECTED CVE-2017-4675 REJECTED CVE-2017-4674 REJECTED CVE-2017-4673 REJECTED CVE-2017-4672 REJECTED CVE-2017-4671 REJECTED CVE-2017-4670 REJECTED CVE-2017-4669 REJECTED CVE-2017-4668 REJECTED CVE-2017-4667 REJECTED CVE-2017-4666 REJECTED CVE-2017-4665 REJECTED CVE-2017-4664 REJECTED CVE-2017-4663 REJECTED CVE-2017-4662 REJECTED CVE-2017-4661 REJECTED CVE-2017-4660 REJECTED CVE-2017-4659 REJECTED CVE-2017-4658 REJECTED CVE-2017-4657 
REJECTED CVE-2017-4656 REJECTED CVE-2017-4655 REJECTED CVE-2017-4654 REJECTED CVE-2017-4653 REJECTED CVE-2017-4652 REJECTED CVE-2017-4651 REJECTED CVE-2017-4650 REJECTED CVE-2017-4649 REJECTED CVE-2017-4648 REJECTED CVE-2017-4647 REJECTED CVE-2017-4646 REJECTED CVE-2017-4645 REJECTED CVE-2017-4644 REJECTED CVE-2017-4643 REJECTED CVE-2017-4642 REJECTED CVE-2017-4641 REJECTED CVE-2017-4640 REJECTED CVE-2017-4639 REJECTED CVE-2017-4638 REJECTED CVE-2017-4637 REJECTED CVE-2017-4636 REJECTED CVE-2017-4635 REJECTED CVE-2017-4634 REJECTED CVE-2017-4633 REJECTED CVE-2017-4632 REJECTED CVE-2017-4631 REJECTED CVE-2017-4630 REJECTED CVE-2017-4629 REJECTED CVE-2017-4628 REJECTED CVE-2017-4627 REJECTED CVE-2017-4626 REJECTED CVE-2017-4625 REJECTED CVE-2017-4624 REJECTED CVE-2017-4623 REJECTED CVE-2017-4622 REJECTED CVE-2017-4621 REJECTED CVE-2017-4620 REJECTED CVE-2017-4619 REJECTED CVE-2017-4618 REJECTED CVE-2017-4617 REJECTED CVE-2017-4616 REJECTED CVE-2017-4615 REJECTED CVE-2017-4614 REJECTED CVE-2017-4613 REJECTED CVE-2017-4612 REJECTED CVE-2017-4611 REJECTED CVE-2017-4610 REJECTED CVE-2017-4609 REJECTED CVE-2017-4608 REJECTED CVE-2017-4607 REJECTED CVE-2017-4606 REJECTED CVE-2017-4605 REJECTED CVE-2017-4604 REJECTED CVE-2017-4603 REJECTED CVE-2017-4602 REJECTED CVE-2017-4601 REJECTED CVE-2017-4600 REJECTED CVE-2017-4599 REJECTED CVE-2017-4598 REJECTED CVE-2017-4597 REJECTED CVE-2017-4596 REJECTED CVE-2017-4595 REJECTED CVE-2017-4594 REJECTED CVE-2017-4593 REJECTED CVE-2017-4592 REJECTED CVE-2017-4591 REJECTED CVE-2017-4590 REJECTED CVE-2017-4589 REJECTED CVE-2017-4588 REJECTED CVE-2017-4587 REJECTED CVE-2017-4586 REJECTED CVE-2017-4585 REJECTED CVE-2017-4584 REJECTED CVE-2017-4583 REJECTED CVE-2017-4582 REJECTED CVE-2017-4581 REJECTED CVE-2017-4580 REJECTED CVE-2017-4579 REJECTED CVE-2017-4578 REJECTED CVE-2017-4577 REJECTED CVE-2017-4576 REJECTED CVE-2017-4575 REJECTED CVE-2017-4574 REJECTED CVE-2017-4573 REJECTED CVE-2017-4572 REJECTED CVE-2017-4571 REJECTED 
CVE-2017-4570 REJECTED CVE-2017-4569 REJECTED CVE-2017-4568 REJECTED CVE-2017-4567 REJECTED CVE-2017-4566 REJECTED CVE-2017-4565 REJECTED CVE-2017-4564 REJECTED CVE-2017-4563 REJECTED CVE-2017-4562 REJECTED CVE-2017-4561 REJECTED CVE-2017-4560 REJECTED CVE-2017-4559 REJECTED CVE-2017-4558 REJECTED CVE-2017-4557 REJECTED CVE-2017-4556 REJECTED CVE-2017-4555 REJECTED CVE-2017-4554 REJECTED CVE-2017-4553 REJECTED CVE-2017-4552 REJECTED CVE-2017-4551 REJECTED CVE-2017-4550 REJECTED CVE-2017-4549 REJECTED CVE-2017-4548 REJECTED CVE-2017-4547 REJECTED CVE-2017-4546 REJECTED CVE-2017-4545 REJECTED CVE-2017-4544 REJECTED CVE-2017-4543 REJECTED CVE-2017-4542 REJECTED CVE-2017-4541 REJECTED CVE-2017-4540 REJECTED CVE-2017-4539 REJECTED CVE-2017-4538 REJECTED CVE-2017-4537 REJECTED CVE-2017-4536 REJECTED CVE-2017-4535 REJECTED CVE-2017-4534 REJECTED CVE-2017-4533 REJECTED CVE-2017-4532 REJECTED CVE-2017-4531 REJECTED CVE-2017-4530 REJECTED CVE-2017-4529 REJECTED CVE-2017-4528 REJECTED CVE-2017-4527 REJECTED CVE-2017-4526 REJECTED CVE-2017-4525 REJECTED CVE-2017-4524 REJECTED CVE-2017-4523 REJECTED CVE-2017-4522 REJECTED CVE-2017-4521 REJECTED CVE-2017-4520 REJECTED CVE-2017-4519 REJECTED CVE-2017-4518 REJECTED CVE-2017-4517 REJECTED CVE-2017-4516 REJECTED CVE-2017-4515 REJECTED CVE-2017-4514 REJECTED CVE-2017-4513 REJECTED CVE-2017-4512 REJECTED CVE-2017-4511 REJECTED CVE-2017-4510 REJECTED CVE-2017-4509 REJECTED CVE-2017-4508 REJECTED CVE-2017-4507 REJECTED CVE-2017-4506 REJECTED CVE-2017-4505 REJECTED CVE-2017-4504 REJECTED CVE-2017-4503 REJECTED CVE-2017-4502 REJECTED CVE-2017-4501 REJECTED CVE-2017-4500 REJECTED CVE-2017-4499 REJECTED CVE-2017-4498 REJECTED CVE-2017-4497 REJECTED CVE-2017-4496 REJECTED CVE-2017-4495 REJECTED CVE-2017-4494 REJECTED CVE-2017-4493 REJECTED CVE-2017-4492 REJECTED CVE-2017-4491 REJECTED CVE-2017-4490 REJECTED CVE-2017-4489 REJECTED CVE-2017-4488 REJECTED CVE-2017-4487 REJECTED CVE-2017-4486 REJECTED CVE-2017-4485 REJECTED CVE-2017-4484 
REJECTED CVE-2017-4483 REJECTED CVE-2017-4482 REJECTED CVE-2017-4481 REJECTED CVE-2017-4480 REJECTED CVE-2017-4479 REJECTED CVE-2017-4478 REJECTED CVE-2017-4477 REJECTED CVE-2017-4476 REJECTED CVE-2017-4475 REJECTED CVE-2017-4474 REJECTED CVE-2017-4473 REJECTED CVE-2017-4472 REJECTED CVE-2017-4471 REJECTED CVE-2017-4470 REJECTED CVE-2017-4469 REJECTED CVE-2017-4468 REJECTED CVE-2017-4467 REJECTED CVE-2017-4466 REJECTED CVE-2017-4465 REJECTED CVE-2017-4464 REJECTED CVE-2017-4463 REJECTED CVE-2017-4462 REJECTED CVE-2017-4461 REJECTED CVE-2017-4460 REJECTED CVE-2017-4459 REJECTED CVE-2017-4458 REJECTED CVE-2017-4457 REJECTED CVE-2017-4456 REJECTED CVE-2017-4455 REJECTED CVE-2017-4454 REJECTED CVE-2017-4453 REJECTED CVE-2017-4452 REJECTED CVE-2017-4451 REJECTED CVE-2017-4450 REJECTED CVE-2017-4449 REJECTED CVE-2017-4448 REJECTED CVE-2017-4447 REJECTED CVE-2017-4446 REJECTED CVE-2017-4445 REJECTED CVE-2017-4444 REJECTED CVE-2017-4443 REJECTED CVE-2017-4442 REJECTED CVE-2017-4441 REJECTED CVE-2017-4440 REJECTED CVE-2017-4439 REJECTED CVE-2017-4438 REJECTED CVE-2017-4437 REJECTED CVE-2017-4436 REJECTED CVE-2017-4435 REJECTED CVE-2017-4434 REJECTED CVE-2017-4433 REJECTED CVE-2017-4432 REJECTED CVE-2017-4431 REJECTED CVE-2017-4430 REJECTED CVE-2017-4429 REJECTED CVE-2017-4428 REJECTED CVE-2017-4427 REJECTED CVE-2017-4426 REJECTED CVE-2017-4425 REJECTED CVE-2017-4424 REJECTED CVE-2017-4423 REJECTED CVE-2017-4422 REJECTED CVE-2017-4421 REJECTED CVE-2017-4420 REJECTED CVE-2017-4419 REJECTED CVE-2017-4418 REJECTED CVE-2017-4417 REJECTED CVE-2017-4416 REJECTED CVE-2017-4415 REJECTED CVE-2017-4414 REJECTED CVE-2017-4413 REJECTED CVE-2017-4412 REJECTED CVE-2017-4411 REJECTED CVE-2017-4410 REJECTED CVE-2017-4409 REJECTED CVE-2017-4408 REJECTED CVE-2017-4407 REJECTED CVE-2017-4406 REJECTED CVE-2017-4405 REJECTED CVE-2017-4404 REJECTED CVE-2017-4403 REJECTED CVE-2017-4402 REJECTED CVE-2017-4401 REJECTED CVE-2017-4400 REJECTED CVE-2017-4399 REJECTED CVE-2017-4398 REJECTED 
CVE-2017-4397 REJECTED CVE-2017-4396 REJECTED CVE-2017-4395 REJECTED CVE-2017-4394 REJECTED CVE-2017-4393 REJECTED CVE-2017-4392 REJECTED CVE-2017-4391 REJECTED CVE-2017-4390 REJECTED CVE-2017-4389 REJECTED CVE-2017-4388 REJECTED CVE-2017-4387 REJECTED CVE-2017-4386 REJECTED CVE-2017-4385 REJECTED CVE-2017-4384 REJECTED CVE-2017-4383 REJECTED CVE-2017-4382 REJECTED CVE-2017-4381 REJECTED CVE-2017-4380 REJECTED CVE-2017-4379 REJECTED CVE-2017-4378 REJECTED CVE-2017-4377 REJECTED CVE-2017-4376 REJECTED CVE-2017-4375 REJECTED CVE-2017-4374 REJECTED CVE-2017-4373 REJECTED CVE-2017-4372 REJECTED CVE-2017-4371 REJECTED CVE-2017-4370 REJECTED CVE-2017-4369 REJECTED CVE-2017-4368 REJECTED CVE-2017-4367 REJECTED CVE-2017-4366 REJECTED CVE-2017-4365 REJECTED CVE-2017-4364 REJECTED CVE-2017-4363 REJECTED CVE-2017-4362 REJECTED CVE-2017-4361 REJECTED CVE-2017-4360 REJECTED CVE-2017-4359 REJECTED CVE-2017-4358 REJECTED CVE-2017-4357 REJECTED CVE-2017-4356 REJECTED CVE-2017-4355 REJECTED CVE-2017-4354 REJECTED CVE-2017-4353 REJECTED CVE-2017-4352 REJECTED CVE-2017-4351 REJECTED CVE-2017-4350 REJECTED CVE-2017-4349 REJECTED CVE-2017-4348 REJECTED CVE-2017-4347 REJECTED CVE-2017-4346 REJECTED CVE-2017-4345 REJECTED CVE-2017-4344 REJECTED CVE-2017-4343 REJECTED CVE-2017-4342 REJECTED CVE-2017-4341 REJECTED CVE-2017-4340 REJECTED CVE-2017-4339 REJECTED CVE-2017-4338 REJECTED CVE-2017-4337 REJECTED CVE-2017-4336 REJECTED CVE-2017-4335 REJECTED CVE-2017-4334 REJECTED CVE-2017-4333 REJECTED CVE-2017-4332 REJECTED CVE-2017-4331 REJECTED CVE-2017-4330 REJECTED CVE-2017-4329 REJECTED CVE-2017-4328 REJECTED CVE-2017-4327 REJECTED CVE-2017-4326 REJECTED CVE-2017-4325 REJECTED CVE-2017-4324 REJECTED CVE-2017-4323 REJECTED CVE-2017-4322 REJECTED CVE-2017-4321 REJECTED CVE-2017-4320 REJECTED CVE-2017-4319 REJECTED CVE-2017-4318 REJECTED CVE-2017-4317 REJECTED CVE-2017-4316 REJECTED CVE-2017-4315 REJECTED CVE-2017-4314 REJECTED CVE-2017-4313 REJECTED CVE-2017-4312 REJECTED CVE-2017-4311 
REJECTED CVE-2017-4310 REJECTED CVE-2017-4309 REJECTED CVE-2017-4308 REJECTED CVE-2017-4307 REJECTED CVE-2017-4306 REJECTED CVE-2017-4305 REJECTED CVE-2017-4304 REJECTED CVE-2017-4303 REJECTED CVE-2017-4302 REJECTED CVE-2017-4301 REJECTED CVE-2017-4300 REJECTED CVE-2017-4299 REJECTED CVE-2017-4298 REJECTED CVE-2017-4297 REJECTED CVE-2017-4296 REJECTED CVE-2017-4295 REJECTED CVE-2017-4294 REJECTED CVE-2017-4293 REJECTED CVE-2017-4292 REJECTED CVE-2017-4291 REJECTED CVE-2017-4290 REJECTED CVE-2017-4289 REJECTED CVE-2017-4288 REJECTED CVE-2017-4287 REJECTED CVE-2017-4286 REJECTED CVE-2017-4285 REJECTED CVE-2017-4284 REJECTED CVE-2017-4283 REJECTED CVE-2017-4282 REJECTED CVE-2017-4281 REJECTED CVE-2017-4280 REJECTED CVE-2017-4279 REJECTED CVE-2017-4278 REJECTED CVE-2017-4277 REJECTED CVE-2017-4276 REJECTED CVE-2017-4275 REJECTED CVE-2017-4274 REJECTED CVE-2017-4273 REJECTED CVE-2017-4272 REJECTED CVE-2017-4271 REJECTED CVE-2017-4270 REJECTED CVE-2017-4269 REJECTED CVE-2017-4268 REJECTED CVE-2017-4267 REJECTED CVE-2017-4266 REJECTED CVE-2017-4265 REJECTED CVE-2017-4264 REJECTED CVE-2017-4263 REJECTED CVE-2017-4262 REJECTED CVE-2017-4261 REJECTED CVE-2017-4260 REJECTED CVE-2017-4259 REJECTED CVE-2017-4258 REJECTED CVE-2017-4257 REJECTED CVE-2017-4256 REJECTED CVE-2017-4255 REJECTED CVE-2017-4254 REJECTED CVE-2017-4253 REJECTED CVE-2017-4252 REJECTED CVE-2017-4251 REJECTED CVE-2017-4250 REJECTED CVE-2017-4249 REJECTED CVE-2017-4248 REJECTED CVE-2017-4247 REJECTED CVE-2017-4246 REJECTED CVE-2017-4245 REJECTED CVE-2017-4244 REJECTED CVE-2017-4243 REJECTED CVE-2017-4242 REJECTED CVE-2017-4241 REJECTED CVE-2017-4240 REJECTED CVE-2017-4239 REJECTED CVE-2017-4238 REJECTED CVE-2017-4237 REJECTED CVE-2017-4236 REJECTED CVE-2017-4235 REJECTED CVE-2017-4234 REJECTED CVE-2017-4233 REJECTED CVE-2017-4232 REJECTED CVE-2017-4231 REJECTED CVE-2017-4230 REJECTED CVE-2017-4229 REJECTED CVE-2017-4228 REJECTED CVE-2017-4227 REJECTED CVE-2017-4226 REJECTED CVE-2017-4225 REJECTED 
CVE-2017-4224 REJECTED CVE-2017-4223 REJECTED CVE-2017-4222 REJECTED CVE-2017-4221 REJECTED CVE-2017-4220 REJECTED CVE-2017-4219 REJECTED CVE-2017-4218 REJECTED CVE-2017-4217 REJECTED CVE-2017-4216 REJECTED CVE-2017-4215 REJECTED CVE-2017-4214 REJECTED CVE-2017-4213 REJECTED CVE-2017-4212 REJECTED CVE-2017-4211 REJECTED CVE-2017-4210 REJECTED CVE-2017-4209 REJECTED CVE-2017-4208 REJECTED CVE-2017-4207 REJECTED CVE-2017-4206 REJECTED CVE-2017-4205 REJECTED CVE-2017-4204 REJECTED CVE-2017-4203 REJECTED CVE-2017-4202 REJECTED CVE-2017-4201 REJECTED CVE-2017-4200 REJECTED CVE-2017-4199 REJECTED CVE-2017-4198 REJECTED CVE-2017-4197 REJECTED CVE-2017-4196 REJECTED CVE-2017-4195 REJECTED CVE-2017-4194 REJECTED CVE-2017-4193 REJECTED CVE-2017-4192 REJECTED CVE-2017-4191 REJECTED CVE-2017-4190 REJECTED CVE-2017-4189 REJECTED CVE-2017-4188 REJECTED CVE-2017-4187 REJECTED CVE-2017-4186 REJECTED CVE-2017-4185 REJECTED CVE-2017-4184 REJECTED CVE-2017-4183 REJECTED CVE-2017-4182 REJECTED CVE-2017-4181 REJECTED CVE-2017-4180 REJECTED CVE-2017-4179 REJECTED CVE-2017-4178 REJECTED CVE-2017-4177 REJECTED CVE-2017-4176 REJECTED CVE-2017-4175 REJECTED CVE-2017-4174 REJECTED CVE-2017-4173 REJECTED CVE-2017-4172 REJECTED CVE-2017-4171 REJECTED CVE-2017-4170 REJECTED CVE-2017-4169 REJECTED CVE-2017-4168 REJECTED CVE-2017-4167 REJECTED CVE-2017-4166 REJECTED CVE-2017-4165 REJECTED CVE-2017-4164 REJECTED CVE-2017-4163 REJECTED CVE-2017-4162 REJECTED CVE-2017-4161 REJECTED CVE-2017-4160 REJECTED CVE-2017-4159 REJECTED CVE-2017-4158 REJECTED CVE-2017-4157 REJECTED CVE-2017-4156 REJECTED CVE-2017-4155 REJECTED CVE-2017-4154 REJECTED CVE-2017-4153 REJECTED CVE-2017-4152 REJECTED CVE-2017-4151 REJECTED CVE-2017-4150 REJECTED CVE-2017-4149 REJECTED CVE-2017-4148 REJECTED CVE-2017-4147 REJECTED CVE-2017-4146 REJECTED CVE-2017-4145 REJECTED CVE-2017-4144 REJECTED CVE-2017-4143 REJECTED CVE-2017-4142 REJECTED CVE-2017-4141 REJECTED CVE-2017-4140 REJECTED CVE-2017-4139 REJECTED CVE-2017-4138 
REJECTED CVE-2017-4137 REJECTED CVE-2017-4136 REJECTED CVE-2017-4135 REJECTED CVE-2017-4134 REJECTED CVE-2017-4133 REJECTED CVE-2017-4132 REJECTED CVE-2017-4131 REJECTED CVE-2017-4130 REJECTED CVE-2017-4129 REJECTED CVE-2017-4128 REJECTED CVE-2017-4127 REJECTED CVE-2017-4126 REJECTED CVE-2017-4125 REJECTED CVE-2017-4124 REJECTED CVE-2017-4123 REJECTED CVE-2017-4122 REJECTED CVE-2017-4121 REJECTED CVE-2017-4120 REJECTED CVE-2017-4119 REJECTED CVE-2017-4118 REJECTED CVE-2017-4117 REJECTED CVE-2017-4116 REJECTED CVE-2017-4115 REJECTED CVE-2017-4114 REJECTED CVE-2017-4113 REJECTED CVE-2017-4112 REJECTED CVE-2017-4111 REJECTED CVE-2017-4110 REJECTED CVE-2017-4109 REJECTED CVE-2017-4108 REJECTED CVE-2017-4107 REJECTED CVE-2017-4106 REJECTED CVE-2017-4105 REJECTED CVE-2017-4104 REJECTED CVE-2017-4103 REJECTED CVE-2017-4102 REJECTED CVE-2017-4101 REJECTED CVE-2017-4100 REJECTED CVE-2017-4099 REJECTED CVE-2017-4098 REJECTED CVE-2017-4097 REJECTED CVE-2017-4096 REJECTED CVE-2017-4095 REJECTED CVE-2017-4094 REJECTED CVE-2017-4093 REJECTED CVE-2017-4092 REJECTED CVE-2017-4091 REJECTED CVE-2017-4090 REJECTED CVE-2017-4089 REJECTED CVE-2017-4088 REJECTED CVE-2017-4087 REJECTED CVE-2017-4086 REJECTED CVE-2017-4085 REJECTED CVE-2017-4084 REJECTED CVE-2017-4083 REJECTED CVE-2017-4082 REJECTED CVE-2017-4081 REJECTED CVE-2017-4080 REJECTED CVE-2017-4079 REJECTED CVE-2017-4078 REJECTED CVE-2017-4077 REJECTED CVE-2017-4076 REJECTED CVE-2017-4075 REJECTED CVE-2017-4074 REJECTED CVE-2017-4073 REJECTED CVE-2017-4072 REJECTED CVE-2017-4071 REJECTED CVE-2017-4070 REJECTED CVE-2017-4069 REJECTED CVE-2017-4068 REJECTED CVE-2017-4067 REJECTED CVE-2017-4066 REJECTED CVE-2017-4065 REJECTED CVE-2017-4064 REJECTED CVE-2017-4063 REJECTED CVE-2017-4062 REJECTED CVE-2017-4061 REJECTED CVE-2017-4060 REJECTED CVE-2017-4059 REJECTED CVE-2017-4058 REJECTED CVE-2017-4057 (Privilege Escalation vulnerability in the web interface in McAfee Adva ...) 
NOT-FOR-US: McAfee CVE-2017-4056 REJECTED CVE-2017-4055 (Exploitation of Authentication vulnerability in the web interface in M ...) NOT-FOR-US: McAfee CVE-2017-4054 (Command Injection vulnerability in the web interface in McAfee Advance ...) NOT-FOR-US: McAfee CVE-2017-4053 (Command Injection vulnerability in the web interface in McAfee Advance ...) NOT-FOR-US: McAfee CVE-2017-4052 (Authentication Bypass vulnerability in the web interface in McAfee Adv ...) NOT-FOR-US: McAfee CVE-2017-4051 RESERVED CVE-2017-4050 RESERVED CVE-2017-4049 REJECTED CVE-2017-4048 REJECTED CVE-2017-4047 REJECTED CVE-2017-4046 REJECTED CVE-2017-4045 REJECTED CVE-2017-4044 REJECTED CVE-2017-4043 REJECTED CVE-2017-4042 REJECTED CVE-2017-4041 REJECTED CVE-2017-4040 REJECTED CVE-2017-4039 REJECTED CVE-2017-4038 REJECTED CVE-2017-4037 REJECTED CVE-2017-4036 RESERVED CVE-2017-4035 REJECTED CVE-2017-4034 REJECTED CVE-2017-4033 REJECTED CVE-2017-4032 REJECTED CVE-2017-4031 REJECTED CVE-2017-4030 REJECTED CVE-2017-4029 REJECTED CVE-2017-4028 (Maliciously misconfigured registry vulnerability in all Microsoft Wind ...) NOT-FOR-US: McAfee CVE-2017-4027 REJECTED CVE-2017-4026 REJECTED CVE-2017-4025 REJECTED CVE-2017-4024 REJECTED CVE-2017-4023 REJECTED CVE-2017-4022 REJECTED CVE-2017-4021 REJECTED CVE-2017-4020 REJECTED CVE-2017-4019 REJECTED CVE-2017-4018 REJECTED CVE-2017-4017 (User Name Disclosure in the server in McAfee Network Data Loss Prevent ...) NOT-FOR-US: McAfee CVE-2017-4016 (Web Server method disclosure in the server in McAfee Network Data Loss ...) NOT-FOR-US: McAfee CVE-2017-4015 (Clickjacking vulnerability in the server in McAfee Network Data Loss P ...) NOT-FOR-US: McAfee CVE-2017-4014 (Session Side jacking vulnerability in the server in McAfee Network Dat ...) NOT-FOR-US: McAfee CVE-2017-4013 (Banner Disclosure in the server in McAfee Network Data Loss Prevention ...) NOT-FOR-US: McAfee CVE-2017-4012 (Privilege Escalation vulnerability in the server in McAfee Network Dat ...) 
NOT-FOR-US: McAfee CVE-2017-4011 (Embedding Script (XSS) in HTTP Headers vulnerability in the server in ...) NOT-FOR-US: McAfee CVE-2017-4010 REJECTED CVE-2017-4009 REJECTED CVE-2017-4008 REJECTED CVE-2017-4007 REJECTED CVE-2017-4006 REJECTED CVE-2017-4005 REJECTED CVE-2017-4004 REJECTED CVE-2017-4003 REJECTED CVE-2017-4002 REJECTED CVE-2017-4001 REJECTED CVE-2017-4000 REJECTED CVE-2017-3999 REJECTED CVE-2017-3998 REJECTED CVE-2017-3997 REJECTED CVE-2017-3996 RESERVED CVE-2017-3995 REJECTED CVE-2017-3994 REJECTED CVE-2017-3993 REJECTED CVE-2017-3992 REJECTED CVE-2017-3991 REJECTED CVE-2017-3990 REJECTED CVE-2017-3989 REJECTED CVE-2017-3988 RESERVED CVE-2017-3987 REJECTED CVE-2017-3986 REJECTED CVE-2017-3985 REJECTED CVE-2017-3984 REJECTED CVE-2017-3983 REJECTED CVE-2017-3982 REJECTED CVE-2017-3981 REJECTED CVE-2017-3980 (A directory traversal vulnerability in the ePO Extension in McAfee ePo ...) NOT-FOR-US: McAfee ePolicy Orchestrator CVE-2017-3979 REJECTED CVE-2017-3978 REJECTED CVE-2017-3977 REJECTED CVE-2017-3976 REJECTED CVE-2017-3975 REJECTED CVE-2017-3974 REJECTED CVE-2017-3973 REJECTED CVE-2017-3972 (Infrastructure-based foot printing vulnerability in the web interface ...) NOT-FOR-US: McAfee CVE-2017-3971 (Cryptanalysis vulnerability in the web interface in McAfee Network Sec ...) NOT-FOR-US: McAfee CVE-2017-3970 RESERVED CVE-2017-3969 (Abuse of communication channels vulnerability in the server in McAfee ...) NOT-FOR-US: McAfee CVE-2017-3968 (Session fixation vulnerability in the web interface in McAfee Network ...) NOT-FOR-US: McAfee CVE-2017-3967 (Target influence via framing vulnerability in the web interface in McA ...) NOT-FOR-US: McAfee CVE-2017-3966 (Exploitation of session variables, resource IDs and other trusted cred ...) NOT-FOR-US: McAfee CVE-2017-3965 (Cross-Site Request Forgery (CSRF) (aka Session Riding) vulnerability i ...) NOT-FOR-US: McAfee CVE-2017-3964 (Reflective Cross-Site Scripting (XSS) vulnerability in the web interfa ...) 
NOT-FOR-US: McAfee CVE-2017-3963 REJECTED CVE-2017-3962 (Password recovery exploitation vulnerability in the non-certificate-ba ...) NOT-FOR-US: McAfee CVE-2017-3961 (Cross-Site Scripting (XSS) vulnerability in the web interface in McAfe ...) NOT-FOR-US: McAfee CVE-2017-3960 (Exploitation of Authorization vulnerability in the web interface in Mc ...) NOT-FOR-US: McAfee CVE-2017-3959 REJECTED CVE-2017-3958 REJECTED CVE-2017-3957 REJECTED CVE-2017-3956 REJECTED CVE-2017-3955 REJECTED CVE-2017-3954 REJECTED CVE-2017-3953 REJECTED CVE-2017-3952 REJECTED CVE-2017-3951 REJECTED CVE-2017-3950 REJECTED CVE-2017-3949 REJECTED CVE-2017-3948 (Cross Site Scripting (XSS) in IMG Tags in the ePO extension in McAfee ...) NOT-FOR-US: McAfee CVE-2017-3947 REJECTED CVE-2017-3946 REJECTED CVE-2017-3945 REJECTED CVE-2017-3944 REJECTED CVE-2017-3943 REJECTED CVE-2017-3942 REJECTED CVE-2017-3941 REJECTED CVE-2017-3940 REJECTED CVE-2017-3939 REJECTED CVE-2017-3938 REJECTED CVE-2017-3937 RESERVED CVE-2017-3936 (OS Command Injection vulnerability in McAfee ePolicy Orchestrator (ePO ...) NOT-FOR-US: McAfee CVE-2017-3935 (Network Data Loss Prevention is vulnerable to MIME type sniffing which ...) NOT-FOR-US: McAfee Network Data Loss Prevention CVE-2017-3934 (Missing HTTP Strict Transport Security state information vulnerability ...) NOT-FOR-US: McAfee Network Data Loss Prevention CVE-2017-3933 (Embedding Script (XSS) in HTTP Headers vulnerability in McAfee Network ...) 
NOT-FOR-US: McAfee Network Data Loss Prevention CVE-2017-3932 RESERVED CVE-2017-3931 REJECTED CVE-2017-3930 REJECTED CVE-2017-3929 REJECTED CVE-2017-3928 RESERVED CVE-2017-3927 RESERVED CVE-2017-3926 RESERVED CVE-2017-3925 RESERVED CVE-2017-3924 RESERVED CVE-2017-3923 RESERVED CVE-2017-3922 RESERVED CVE-2017-3921 RESERVED CVE-2017-3920 RESERVED CVE-2017-3919 RESERVED CVE-2017-3918 RESERVED CVE-2017-3917 RESERVED CVE-2017-3916 RESERVED CVE-2017-3915 RESERVED CVE-2017-3914 RESERVED CVE-2017-3913 RESERVED CVE-2017-3912 (Bypassing password security vulnerability in McAfee Application and Ch ...) NOT-FOR-US: McAfee CVE-2017-3911 RESERVED CVE-2017-3910 RESERVED CVE-2017-3909 RESERVED CVE-2017-3908 RESERVED CVE-2017-3907 (Code Injection vulnerability in the ePolicy Orchestrator (ePO) extensi ...) NOT-FOR-US: McAfee CVE-2017-3906 RESERVED CVE-2017-3905 RESERVED CVE-2017-3904 RESERVED CVE-2017-3903 RESERVED CVE-2017-3902 (Cross-site scripting (XSS) vulnerability in the Web user interface (UI ...) NOT-FOR-US: Intel Security ePO CVE-2017-3901 RESERVED CVE-2017-3900 RESERVED CVE-2017-3899 (SQL injection vulnerability in Intel Security Advanced Threat Defense ...) NOT-FOR-US: Intel antivirus CVE-2017-3898 (A man-in-the-middle attack vulnerability in the non-certificate-based ...) NOT-FOR-US: McAfee CVE-2017-3897 (A Code Injection vulnerability in the non-certificate-based authentica ...) NOT-FOR-US: McAfee CVE-2017-3896 (Unvalidated parameter vulnerability in the remote log viewing capabili ...) NOT-FOR-US: Intel McAfee CVE-2017-3895 REJECTED CVE-2017-3894 (A stored cross site scripting vulnerability in the Management Console ...) NOT-FOR-US: BlackBerry CVE-2017-3893 (In BlackBerry QNX Software Development Platform (SDP) 6.6.0, the defau ...) NOT-FOR-US: BlackBerry QNX Software Development Platform (SDP) CVE-2017-3892 (In BlackBerry QNX Software Development Platform (SDP) 6.6.0, an inform ...) 
NOT-FOR-US: BlackBerry QNX Software Development Platform (SDP) CVE-2017-3891 (In BlackBerry QNX Software Development Platform (SDP) 6.6.0, an elevat ...) NOT-FOR-US: BlackBerry QNX Software Development Platform (SDP) CVE-2017-3890 (A reflected cross-site scripting vulnerability in the BlackBerry Watch ...) NOT-FOR-US: BlackBerry CVE-2017-3889 (A vulnerability in the web interface of the Cisco Registered Envelope ...) NOT-FOR-US: Cisco CVE-2017-3888 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2017-3887 (A vulnerability in the detection engine that handles Secure Sockets La ...) NOT-FOR-US: Cisco CVE-2017-3886 (A vulnerability in the Cisco Unified Communications Manager web interf ...) NOT-FOR-US: Cisco CVE-2017-3885 (A vulnerability in the detection engine reassembly of Secure Sockets L ...) NOT-FOR-US: Cisco CVE-2017-3884 (A vulnerability in the web interface of Cisco Prime Infrastructure and ...) NOT-FOR-US: Cisco CVE-2017-3883 (A vulnerability in the authentication, authorization, and accounting ( ...) NOT-FOR-US: Cisco CVE-2017-3882 (A vulnerability in the Universal Plug-and-Play (UPnP) implementation i ...) NOT-FOR-US: Cisco CVE-2017-3881 (A vulnerability in the Cisco Cluster Management Protocol (CMP) process ...) NOT-FOR-US: Cisco CVE-2017-3880 (An Authentication Bypass vulnerability in Cisco WebEx Meetings Server ...) NOT-FOR-US: Cisco CVE-2017-3879 (A Denial of Service vulnerability in the remote login functionality fo ...) NOT-FOR-US: Cisco CVE-2017-3878 (A Denial of Service vulnerability in the Telnet remote login functiona ...) NOT-FOR-US: Cisco CVE-2017-3877 (A vulnerability in the web framework of Cisco Unified Communications M ...) NOT-FOR-US: Cisco CVE-2017-3876 (A vulnerability in the Event Management Service daemon (emsd) of Cisco ...) NOT-FOR-US: Cisco CVE-2017-3875 (An Access-Control Filtering Mechanisms Bypass vulnerability in certain ...) 
NOT-FOR-US: Cisco CVE-2017-3874 (A vulnerability in the web framework of Cisco Unified Communications M ...) NOT-FOR-US: Cisco CVE-2017-3873 (A vulnerability in the Plug-and-Play (PnP) subsystem of the Cisco Airo ...) NOT-FOR-US: Cisco CVE-2017-3872 (A cross-site scripting (XSS) filter bypass vulnerability in the web-ba ...) NOT-FOR-US: Cisco CVE-2017-3871 (A RADIUS Secret Disclosure vulnerability in the web network management ...) NOT-FOR-US: Cisco CVE-2017-3870 (A vulnerability in the URL filtering feature of Cisco AsyncOS Software ...) NOT-FOR-US: Cisco CVE-2017-3869 (An API Credentials Management vulnerability in the APIs for Cisco Prim ...) NOT-FOR-US: Cisco CVE-2017-3868 (A vulnerability in the web-based management interface of Cisco UCS Dir ...) NOT-FOR-US: Cisco CVE-2017-3867 (A vulnerability in the Border Gateway Protocol (BGP) Bidirectional For ...) NOT-FOR-US: Cisco CVE-2017-3866 (A vulnerability in the web framework code of Cisco Prime Service Catal ...) NOT-FOR-US: Cisco CVE-2017-3865 (A vulnerability in the IPsec component of Cisco StarOS for Cisco ASR 5 ...) NOT-FOR-US: Cisco CVE-2017-3864 (A vulnerability in the DHCP client implementation of Cisco IOS (12.2, ...) NOT-FOR-US: Cisco CVE-2017-3863 (Multiple vulnerabilities in the EnergyWise module of Cisco IOS (12.2 a ...) NOT-FOR-US: Cisco CVE-2017-3862 (Multiple vulnerabilities in the EnergyWise module of Cisco IOS (12.2 a ...) NOT-FOR-US: Cisco CVE-2017-3861 (Multiple vulnerabilities in the EnergyWise module of Cisco IOS (12.2 a ...) NOT-FOR-US: Cisco CVE-2017-3860 (Multiple vulnerabilities in the EnergyWise module of Cisco IOS (12.2 a ...) NOT-FOR-US: Cisco CVE-2017-3859 (A vulnerability in the DHCP code for the Zero Touch Provisioning featu ...) NOT-FOR-US: Cisco CVE-2017-3858 (A vulnerability in the web framework of Cisco IOS XE Software could al ...) NOT-FOR-US: Cisco CVE-2017-3857 (A vulnerability in the Layer 2 Tunneling Protocol (L2TP) parsing funct ...) 
NOT-FOR-US: Cisco CVE-2017-3856 (A vulnerability in the web user interface of Cisco IOS XE 3.1 through ...) NOT-FOR-US: Cisco CVE-2017-3855 RESERVED CVE-2017-3854 (A vulnerability in the mesh code of Cisco Wireless LAN Controller (WLC ...) NOT-FOR-US: Cisco CVE-2017-3853 (A vulnerability in the Data-in-Motion (DMo) process installed with the ...) NOT-FOR-US: Cisco CVE-2017-3852 (A vulnerability in the Cisco application-hosting framework (CAF) compo ...) NOT-FOR-US: Cisco CVE-2017-3851 (A Directory Traversal vulnerability in the web framework code of the C ...) NOT-FOR-US: Cisco CVE-2017-3850 (A vulnerability in the Autonomic Networking Infrastructure (ANI) featu ...) NOT-FOR-US: Cisco CVE-2017-3849 (A vulnerability in the Autonomic Networking Infrastructure (ANI) regis ...) NOT-FOR-US: Cisco CVE-2017-3848 (A vulnerability in the HTTP web-based management interface of Cisco Pr ...) NOT-FOR-US: Cisco CVE-2017-3847 (A vulnerability in the web framework of Cisco Firepower Management Cen ...) NOT-FOR-US: Cisco CVE-2017-3846 (A vulnerability in the Client Manager Server of Cisco Workload Automat ...) NOT-FOR-US: Cisco CVE-2017-3845 (A vulnerability in the web-based management interface of Cisco Prime C ...) NOT-FOR-US: Cisco CVE-2017-3844 (A vulnerability in exporting functions of the user interface for Cisco ...) NOT-FOR-US: Cisco CVE-2017-3843 (A vulnerability in the file download functions for Cisco Prime Collabo ...) NOT-FOR-US: Cisco CVE-2017-3842 (A vulnerability in the web-based management interface of the Cisco Int ...) NOT-FOR-US: Cisco CVE-2017-3841 (A vulnerability in the web interface of the Cisco Secure Access Contro ...) NOT-FOR-US: Cisco CVE-2017-3840 (A vulnerability in the web interface of the Cisco Secure Access Contro ...) NOT-FOR-US: Cisco CVE-2017-3839 (An XML External Entity vulnerability in the web-based user interface o ...) NOT-FOR-US: Cisco CVE-2017-3838 (A vulnerability in Cisco Secure Access Control System (ACS) could allo ...) 
NOT-FOR-US: Cisco CVE-2017-3837 (An HTTP Packet Processing vulnerability in the Web Bridge interface of ...) NOT-FOR-US: Cisco CVE-2017-3836 (A vulnerability in the web framework Cisco Unified Communications Mana ...) NOT-FOR-US: Cisco CVE-2017-3835 (A vulnerability in the sponsor portal of Cisco Identity Services Engin ...) NOT-FOR-US: Cisco CVE-2017-3834 (A vulnerability in Cisco Aironet 1830 Series and Cisco Aironet 1850 Se ...) NOT-FOR-US: Cisco CVE-2017-3833 (A vulnerability in the web framework of Cisco Unified Communications M ...) NOT-FOR-US: Cisco CVE-2017-3832 (A vulnerability in the web management interface of Cisco Wireless LAN ...) NOT-FOR-US: Cisco CVE-2017-3831 (A vulnerability in the web-based GUI of Cisco Mobility Express 1800 Se ...) NOT-FOR-US: Cisco CVE-2017-3830 (A vulnerability in an internal API of the Cisco Meeting Server (CMS) c ...) NOT-FOR-US: Cisco CVE-2017-3829 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2017-3828 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2017-3827 (A vulnerability in the Multipurpose Internet Mail Extensions (MIME) sc ...) NOT-FOR-US: Cisco CVE-2017-3826 (A vulnerability in the Stream Control Transmission Protocol (SCTP) dec ...) NOT-FOR-US: Cisco CVE-2017-3825 (A vulnerability in the ICMP ingress packet processing of Cisco TelePre ...) NOT-FOR-US: Cisco CVE-2017-3824 (A vulnerability in the handling of list headers in Cisco cBR Series Co ...) NOT-FOR-US: Cisco CVE-2017-3823 (An issue was discovered in the Cisco WebEx Extension before 1.0.7 on G ...) NOT-FOR-US: Cisco CVE-2017-3822 (A vulnerability in the logging subsystem of the Cisco Firepower Threat ...) NOT-FOR-US: Cisco Firepower Threat Defense CVE-2017-3821 (A vulnerability in the serviceability page of Cisco Unified Communicat ...) NOT-FOR-US: Cisco CVE-2017-3820 (A vulnerability in Simple Network Management Protocol (SNMP) functions ...) 
NOT-FOR-US: Cisco IOS XE CVE-2017-3819 (A privilege escalation vulnerability in the Secure Shell (SSH) subsyst ...) NOT-FOR-US: Cisco CVE-2017-3818 (A vulnerability in the Multipurpose Internet Mail Extensions (MIME) sc ...) NOT-FOR-US: Cisco Email Security Appliances CVE-2017-3817 (A vulnerability in the role-based resource checking functionality of C ...) NOT-FOR-US: Cisco CVE-2017-3816 RESERVED CVE-2017-3815 (An API Privilege vulnerability in Cisco TelePresence Server Software c ...) NOT-FOR-US: Cisco CVE-2017-3814 (A vulnerability in Cisco Firepower System Software could allow an unau ...) NOT-FOR-US: Cisco Firepower System Software CVE-2017-3813 (A vulnerability in the Start Before Logon (SBL) module of Cisco AnyCon ...) NOT-FOR-US: Cisco CVE-2017-3812 (A vulnerability in the implementation of Common Industrial Protocol (C ...) NOT-FOR-US: Cisco Industrial Ethernet 2000 Series Switches CVE-2017-3811 (An XML External Entity vulnerability in Cisco WebEx Meetings Server co ...) NOT-FOR-US: Cisco CVE-2017-3810 (A vulnerability in the web framework of Cisco Prime Service Catalog co ...) NOT-FOR-US: Cisco Prime Service Catalog CVE-2017-3809 (A vulnerability in the Policy deployment module of the Cisco Firepower ...) NOT-FOR-US: Cisco Firepower Management Center CVE-2017-3808 (A vulnerability in the Session Initiation Protocol (SIP) UDP throttlin ...) NOT-FOR-US: Cisco CVE-2017-3807 (A vulnerability in Common Internet Filesystem (CIFS) code in the Clien ...) NOT-FOR-US: Cisco CVE-2017-3806 (A vulnerability in CLI command processing in the Cisco Firepower 4100 ...) NOT-FOR-US: Cisco Firepower CVE-2017-3805 (A vulnerability in the web-based management interface of Cisco IOS and ...) NOT-FOR-US: Cisco IOS CVE-2017-3804 (A vulnerability in Intermediate System-to-Intermediate System (IS-IS) ...) NOT-FOR-US: Cisco CVE-2017-3803 (A vulnerability in the Cisco IOS Software forwarding queue of Cisco 29 ...) 
NOT-FOR-US: Cisco CVE-2017-3802 (A vulnerability in Cisco Unified Communications Manager could allow an ...) NOT-FOR-US: Cisco CVE-2017-3801 (A vulnerability in the web-based GUI of Cisco UCS Director 6.0.0.0 and ...) NOT-FOR-US: Cisco CVE-2017-3800 (A vulnerability in the content scanning engine of Cisco AsyncOS Softwa ...) NOT-FOR-US: Cisco Email Security Appliance CVE-2017-3799 (A vulnerability in a URL parameter of Cisco WebEx Meeting Center could ...) NOT-FOR-US: Cisco CVE-2017-3798 (A cross-site scripting (XSS) filter bypass vulnerability in the web-ba ...) NOT-FOR-US: Cisco CVE-2017-3797 (A vulnerability in Cisco WebEx Meetings Server could allow an unauthen ...) NOT-FOR-US: Cisco CVE-2017-3796 (A vulnerability in Cisco WebEx Meetings Server could allow an authenti ...) NOT-FOR-US: Cisco CVE-2017-3795 (A vulnerability in Cisco WebEx Meetings Server could allow an authenti ...) NOT-FOR-US: Cisco CVE-2017-3794 (A vulnerability in Cisco WebEx Meetings Server could allow an unauthen ...) NOT-FOR-US: Cisco CVE-2017-3793 (A vulnerability in the TCP normalizer of Cisco Adaptive Security Appli ...) NOT-FOR-US: Cisco CVE-2017-3792 (A vulnerability in a proprietary device driver in the kernel of Cisco ...) NOT-FOR-US: Cisco TelePresence CVE-2017-3791 (A vulnerability in the web-based GUI of Cisco Prime Home could allow a ...) NOT-FOR-US: Cisco CVE-2017-3790 (A vulnerability in the received packet parser of Cisco Expressway Seri ...) NOT-FOR-US: Cisco Expressway CVE-2017-3789 REJECTED CVE-2017-3788 REJECTED CVE-2017-3787 REJECTED CVE-2017-3786 REJECTED CVE-2017-3785 REJECTED CVE-2017-3784 REJECTED CVE-2017-3783 REJECTED CVE-2017-3782 REJECTED CVE-2017-3781 REJECTED CVE-2017-3780 REJECTED CVE-2017-3779 REJECTED CVE-2017-3778 REJECTED CVE-2017-3777 REJECTED CVE-2017-3776 (Lenovo Help Android mobile app versions earlier than 6.1.2.0327 allowe ...) 
NOT-FOR-US: Lenovo Help Android mobile app CVE-2017-3775 (Some Lenovo System x server BIOS/UEFI versions, when Secure Boot mode ...) NOT-FOR-US: Lenovo CVE-2017-3774 (A stack overflow vulnerability was discovered within the web administr ...) NOT-FOR-US: IBM CVE-2017-3773 REJECTED CVE-2017-3772 RESERVED CVE-2017-3771 (System boot process is not adequately secured In Lenovo E95 and ThinkC ...) NOT-FOR-US: Lenovo CVE-2017-3770 (Privilege escalation vulnerability in LXCA versions earlier than 1.3.2 ...) NOT-FOR-US: Lenovo LXCA CVE-2017-3769 RESERVED CVE-2017-3768 (An unprivileged attacker with connectivity to the IMM2 could cause a d ...) NOT-FOR-US: IBM System x / IMM2 CVE-2017-3767 (A local privilege escalation vulnerability was identified in the Realt ...) NOT-FOR-US: Lenovo CVE-2017-3766 RESERVED CVE-2017-3765 (In Enterprise Networking Operating System (ENOS) in Lenovo and IBM Rac ...) NOT-FOR-US: IBM RackSwitch and BladeCenter products CVE-2017-3764 (A vulnerability was identified in Lenovo XClarity Administrator (LXCA) ...) NOT-FOR-US: Lenovo XClarity Administrator CVE-2017-3763 (An attacker who obtains access to the location where the LXCA file sys ...) NOT-FOR-US: Lenovo LXCA CVE-2017-3762 (Sensitive data stored by Lenovo Fingerprint Manager Pro, version 8.01. ...) NOT-FOR-US: Lenovo Fingerprint Manager Pro CVE-2017-3761 (The Lenovo Service Framework Android application executes some system ...) NOT-FOR-US: Lenovo CVE-2017-3760 (The Lenovo Service Framework Android application uses a set of nonsecu ...) NOT-FOR-US: Lenovo CVE-2017-3759 (The Lenovo Service Framework Android application accepts some response ...) NOT-FOR-US: Lenovo CVE-2017-3758 (Improper access controls on several Android components in the Lenovo S ...) NOT-FOR-US: Lenovo CVE-2017-3757 (An unquoted service path vulnerability was identified in the driver fo ...) NOT-FOR-US: Lenovo CVE-2017-3756 (A privilege escalation vulnerability was identified in Lenovo Active P ...) 
NOT-FOR-US: Lenovo CVE-2017-3755 RESERVED CVE-2017-3754 (Some Lenovo brand notebook systems do not have write protections prope ...) NOT-FOR-US: Lenovo CVE-2017-3753 (A vulnerability has been identified in some Lenovo products that use U ...) NOT-FOR-US: Lenovo CVE-2017-3752 (An industry-wide vulnerability has been identified in the implementati ...) NOT-FOR-US: Lenovo CVE-2017-3751 (An unquoted service path vulnerability was identified in the driver fo ...) NOT-FOR-US: driver for the ThinkPad Compact USB Keyboard with TrackPoint CVE-2017-3750 (On Lenovo VIBE mobile phones, the Lenovo Security Android application ...) NOT-FOR-US: Lenovo CVE-2017-3749 (On Lenovo VIBE mobile phones, the Idea Friend Android application allo ...) NOT-FOR-US: Lenovo CVE-2017-3748 (On Lenovo VIBE mobile phones, improper access controls on the nac_serv ...) NOT-FOR-US: Lenovo CVE-2017-3747 (Privilege escalation vulnerability in Lenovo Nerve Center for Windows ...) NOT-FOR-US: Lenovo CVE-2017-3746 (ThinkPad USB 3.0 Ethernet Adapter (part number 4X90E51405) driver, var ...) NOT-FOR-US: Lenovo CVE-2017-3745 (In Lenovo XClarity Administrator (LXCA) before 1.3.0, if service data ...) NOT-FOR-US: Lenovo CVE-2017-3744 (In the IMM2 firmware of Lenovo System x servers, remote commands issue ...) NOT-FOR-US: Lenovo CVE-2017-3743 (If multiple users are concurrently logged into a single system where o ...) NOT-FOR-US: Lenovo CVE-2017-3742 (In Lenovo Connect2 versions earlier than 4.2.5.4885 for Windows and 4. ...) NOT-FOR-US: Lenovo CVE-2017-3741 (In the Lenovo Power Management driver before 1.67.12.24, a local user ...) NOT-FOR-US: Lenovo CVE-2017-3740 (In Lenovo Active Protection System before 1.82.0.14, an attacker with ...) NOT-FOR-US: Lenovo CVE-2017-3739 REJECTED CVE-2017-3738 (There is an overflow bug in the AVX2 Montgomery multiplication procedu ...) 
{DSA-4065-1} - openssl 1.1.0h-1 (low) [stretch] - openssl 1.1.0f-3+deb9u2 [jessie] - openssl (Vulnerable code not present) [wheezy] - openssl (Vulnerable code not present) - openssl1.0 1.0.2n-1 (low) NOTE: https://www.openssl.org/news/secadv/20171207.txt NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=e502cc86df9dafded1694fceb3228ee34d11c11a NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=ca51bafc1a88d8b8348f5fd97adc5d6ca93f8e76 CVE-2017-3737 (OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error stat ...) {DSA-4065-1} - openssl 1.1.0b-2 [jessie] - openssl (Issue introduced in 1.0.2b) [wheezy] - openssl (Issue introduced in 1.0.2b) - openssl1.0 1.0.2n-1 NOTE: Not fully correct tracking, the issue just does not affect OpenSSL 1.1.0 NOTE: thus mark as fixed in the first 1.1.0 version which entered unstable. NOTE: https://www.openssl.org/news/secadv/20171207.txt NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=898fb884b706aaeb283de4812340bb0bde8476dc NOTE: 1.0.2b introduced a hardening mechanism designed to protect against bugs NOTE: in application code. This CVE applies to the hardening mechanism being NOTE: incomplete. OpenSSL versions older than 1.0.2b don't have the hardening NOTE: mechanism at all. NOTE: Hardening mechanism introduced in: NOTE: https://git.openssl.org/?p=openssl.git;a=commit;h=e4f77bf1833245d2b6aa4ce6a16c85e1cdf78589 CVE-2017-3736 (There is a carry propagating bug in the x86_64 Montgomery squaring pro ...) 
{DSA-4017-1} - openssl 1.1.0g-1 [stretch] - openssl 1.1.0f-3+deb9u1 [jessie] - openssl (Vulnerable code not present) [wheezy] - openssl (Vulnerable code not present) - openssl1.0 1.0.2m-1 NOTE: https://www.openssl.org/news/secadv/20171102.txt NOTE: Fix for 1.0.2: https://git.openssl.org/?p=openssl.git;a=commit;h=38d600147331d36e74174ebbd4008b63188b321b NOTE: Fix for 1.1.0: https://git.openssl.org/?p=openssl.git;a=commit;h=4443cf7aa0099e5ce615c18cee249fff77fb0871 CVE-2017-3735 (While parsing an IPAddressFamily extension in an X.509 certificate, it ...) {DSA-4018-1 DSA-4017-1 DLA-1157-1} - openssl 1.1.0g-1 - openssl1.0 1.0.2m-1 NOTE: Fix for 1.0.2: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=31c8b265591a0aaa462a1f3eb5770661aaac67db NOTE: Fix for 1.1.0: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=068b963bb7afc57f5bdd723de0dd15e7795d5822 CVE-2017-3734 REJECTED CVE-2017-3733 (During a renegotiation handshake if the Encrypt-Then-Mac extension is ...) - openssl 1.1.0e-1 [jessie] - openssl (Only affects 1.1) [wheezy] - openssl (Only affects 1.1) - openssl1.0 (Only affects 1.1) NOTE: https://www.openssl.org/news/secadv/20170216.txt CVE-2017-3732 (There is a carry propagating bug in the x86_64 Montgomery squaring pro ...) - openssl 1.1.0d-1 [jessie] - openssl (Only affects 1.0.2 and 1.1.0) [wheezy] - openssl (Only affects 1.0.2 and 1.1.0) - openssl1.0 1.0.2k-1 NOTE: https://www.openssl.org/news/secadv/20170126.txt CVE-2017-3731 (If an SSL/TLS server or client is running on a 32-bit host, and a spec ...) 
{DSA-3773-1 DLA-814-1} - openssl 1.1.0d-1 - openssl1.0 1.0.2k-1 NOTE: https://www.openssl.org/news/secadv/20170126.txt NOTE: Fix for 1.0.2: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=51d009043670a627d6abe66894126851cf3690e9 NOTE: Fix for 1.1.0: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=f3a7e57c92b2c9b87dc4b2997f2ebda6781300d0 NOTE: and https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=00d965474b22b54e4275232bc71ee0c699c5cd21 CVE-2017-3730 (In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad par ...) - openssl 1.1.0d-1 [jessie] - openssl (Only affects OpenSSL 1.1) [wheezy] - openssl (Only affects OpenSSL 1.1) - openssl1.0 (Only affects OpenSSL 1.1) NOTE: https://www.openssl.org/news/secadv/20170126.txt CVE-2017-3729 RESERVED CVE-2017-3728 RESERVED CVE-2017-3727 RESERVED CVE-2017-3726 RESERVED CVE-2017-3725 RESERVED CVE-2017-3724 RESERVED CVE-2017-3723 RESERVED CVE-2017-3722 RESERVED CVE-2017-3721 RESERVED CVE-2017-3720 RESERVED CVE-2017-3719 RESERVED CVE-2017-3718 (Improper setting of device configuration in system firmware for Intel( ...) 
NOT-FOR-US: Intel CVE-2017-3717 RESERVED CVE-2017-3716 RESERVED CVE-2017-3715 RESERVED CVE-2017-3714 RESERVED CVE-2017-3713 RESERVED CVE-2017-3712 RESERVED CVE-2017-3711 RESERVED CVE-2017-3710 RESERVED CVE-2017-3709 RESERVED CVE-2017-3708 RESERVED CVE-2017-3707 RESERVED CVE-2017-3706 RESERVED CVE-2017-3705 RESERVED CVE-2017-3704 RESERVED CVE-2017-3703 RESERVED CVE-2017-3702 RESERVED CVE-2017-3701 RESERVED CVE-2017-3700 RESERVED CVE-2017-3699 RESERVED CVE-2017-3698 RESERVED CVE-2017-3697 RESERVED CVE-2017-3696 RESERVED CVE-2017-3695 RESERVED CVE-2017-3694 RESERVED CVE-2017-3693 RESERVED CVE-2017-3692 RESERVED CVE-2017-3691 RESERVED CVE-2017-3690 RESERVED CVE-2017-3689 RESERVED CVE-2017-3688 RESERVED CVE-2017-3687 RESERVED CVE-2017-3686 RESERVED CVE-2017-3685 RESERVED CVE-2017-3684 RESERVED CVE-2017-3683 RESERVED CVE-2017-3682 RESERVED CVE-2017-3681 RESERVED CVE-2017-3680 RESERVED CVE-2017-3679 RESERVED CVE-2017-3678 RESERVED CVE-2017-3677 RESERVED CVE-2017-3676 RESERVED CVE-2017-3675 RESERVED CVE-2017-3674 RESERVED CVE-2017-3673 RESERVED CVE-2017-3672 RESERVED CVE-2017-3671 RESERVED CVE-2017-3670 RESERVED CVE-2017-3669 RESERVED CVE-2017-3668 RESERVED CVE-2017-3667 RESERVED CVE-2017-3666 RESERVED CVE-2017-3665 RESERVED CVE-2017-3664 RESERVED CVE-2017-3663 RESERVED CVE-2017-3662 RESERVED CVE-2017-3661 RESERVED CVE-2017-3660 RESERVED CVE-2017-3659 RESERVED CVE-2017-3658 RESERVED CVE-2017-3657 RESERVED CVE-2017-3656 RESERVED CVE-2017-3655 RESERVED CVE-2017-3654 RESERVED CVE-2017-3653 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3955-1 DSA-3944-1 DSA-3922-1 DLA-1043-1} - mariadb-10.2 (bug #884065) - mariadb-10.1 10.1.26-1 - mariadb-10.0 - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (bug #868788) CVE-2017-3652 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) 
{DSA-3922-1 DLA-1043-1} - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (bug #868788) CVE-2017-3651 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3922-1 DLA-1043-1} - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (bug #868788) CVE-2017-3650 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3649 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) CVE-2017-3648 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3922-1 DLA-1043-1} - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (bug #868788) CVE-2017-3647 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) CVE-2017-3646 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.17-1 - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3645 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3644 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3643 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3642 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3641 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) 
{DSA-3955-1 DSA-3944-1 DSA-3922-1 DLA-1043-1} - mariadb-10.2 (bug #884065) - mariadb-10.1 10.1.26-1 - mariadb-10.0 - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (bug #868788) CVE-2017-3640 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3639 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3638 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3637 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3636 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3955-1 DSA-3944-1 DSA-3922-1 DLA-1043-1} - mariadb-10.2 (bug #884065) - mariadb-10.1 10.1.26-1 - mariadb-10.0 - mysql-5.7 (Only affects MySQL 5.5 and 5.6) - mysql-5.5 (bug #868788) CVE-2017-3635 {DSA-3922-1 DLA-1043-1} - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (bug #868788) CVE-2017-3634 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) CVE-2017-3633 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) CVE-2017-3632 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Oracle Solaris CVE-2017-3631 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3630 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3629 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) 
NOT-FOR-US: Solaris CVE-2017-3628 RESERVED CVE-2017-3627 RESERVED CVE-2017-3626 (Vulnerability in the Oracle GlassFish Server component of Oracle Fusio ...) - glassfish (Only affects 3.x) CVE-2017-3625 (Vulnerability in the Oracle WebCenter Content component of Oracle Fusi ...) NOT-FOR-US: Oracle CVE-2017-3624 RESERVED CVE-2017-3623 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3622 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3621 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Solaris CVE-2017-3620 (Vulnerability in the Automatic Service Request (ASR) component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3619 (Vulnerability in the Automatic Service Request (ASR) component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3618 (Vulnerability in the Automatic Service Request (ASR) component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3617 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3616 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3615 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3614 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3613 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3612 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3611 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3610 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3609 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) 
NOT-FOR-US: Oracle CVE-2017-3608 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3607 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3606 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3605 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3604 (Vulnerability in the Data Store component of Oracle Berkeley DB. The s ...) NOT-FOR-US: Oracle CVE-2017-3603 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3602 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3601 (Vulnerability in the Oracle API Gateway component of Oracle Fusion Mid ...) NOT-FOR-US: Oracle CVE-2017-3600 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3834-1 DLA-916-1} - mariadb-10.1 (Fixed before initial upload to Debian) - mariadb-10.0 10.0.28-1 [jessie] - mariadb-10.0 10.0.28-0+deb8u1 - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (bug #860544) NOTE: https://blog.tarq.io/cve-2016-5483-backdooring-mysqldump-backups/ NOTE: Affected according to blogpost: MySQL all versions, MariaDB <= 5.5.52 and < 10.1 NOTE: Per MariaDB Security fixed with the following three commits: NOTE: https://github.com/MariaDB/server/commit/5a43a31ee81bc181eeb5ef2bf0704befa6e0594d NOTE: https://github.com/MariaDB/server/commit/01b39b7b0730102b88d8ea43ec719a75e9316a1e NOTE: https://github.com/MariaDB/server/commit/383007c75d6ef5043fa5781956a6a02b24e2b79e CVE-2017-3599 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) CVE-2017-3598 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) 
NOT-FOR-US: Oracle CVE-2017-3597 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3596 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3595 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3594 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3593 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3592 (Vulnerability in the Oracle Payables component of Oracle E-Business Su ...) NOT-FOR-US: Oracle CVE-2017-3591 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3590 (Vulnerability in the MySQL Connectors component of Oracle MySQL (subco ...) - mysql-connector-python 2.1.6-1 (bug #861511) [jessie] - mysql-connector-python (Minor issue) [wheezy] - mysql-connector-python (Minor issue, can be fixed along in a future update) CVE-2017-3589 (Vulnerability in the MySQL Connectors component of Oracle MySQL (subco ...) {DSA-3857-1 DLA-945-1} - mysql-connector-java 5.1.42-1 CVE-2017-3588 (Vulnerability in the Solaris Cluster component of Oracle Sun Systems P ...) NOT-FOR-US: Oracle CVE-2017-3587 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3586 (Vulnerability in the MySQL Connectors component of Oracle MySQL (subco ...) {DSA-3857-1 DLA-945-1} - mysql-connector-java 5.1.42-1 CVE-2017-3585 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Solaris CVE-2017-3584 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Solaris CVE-2017-3583 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) 
NOT-FOR-US: Oracle CVE-2017-3582 (Vulnerability in the Oracle SuperCluster Specific Software component o ...) NOT-FOR-US: Solaris CVE-2017-3581 (Vulnerability in the Automatic Service Request (ASR) component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3580 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Solaris CVE-2017-3579 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2017-3578 (Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of O ...) NOT-FOR-US: Solaris CVE-2017-3577 (Vulnerability in the PeopleSoft Enterprise CS Campus Community compone ...) NOT-FOR-US: Oracle CVE-2017-3576 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3575 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3574 (Vulnerability in the Oracle Hospitality OPERA 5 Property Services comp ...) NOT-FOR-US: Oracle CVE-2017-3573 (Vulnerability in the Oracle Hospitality OPERA 5 Property Services comp ...) NOT-FOR-US: Oracle CVE-2017-3572 (Vulnerability in the Oracle Commerce Guided Search / Oracle Commerce E ...) NOT-FOR-US: Oracle CVE-2017-3571 (Vulnerability in the PeopleSoft Enterprise SCM eBill Payment component ...) NOT-FOR-US: Oracle CVE-2017-3570 (Vulnerability in the PeopleSoft Enterprise FSCM component of Oracle Pe ...) NOT-FOR-US: Oracle CVE-2017-3569 (Vulnerability in the Oracle Hospitality OPERA 5 Property Services comp ...) NOT-FOR-US: Oracle CVE-2017-3568 (Vulnerability in the Oracle Hospitality OPERA 5 Property Services comp ...) NOT-FOR-US: Oracle CVE-2017-3567 (Vulnerability in the OJVM component of Oracle Database Server. Support ...) 
NOT-FOR-US: Oracle CVE-2017-3566 RESERVED CVE-2017-3565 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3564 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3563 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3562 (Vulnerability in the Oracle Applications DBA component of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2017-3561 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3560 (Vulnerability in the Oracle Hospitality OPERA 5 Property Services comp ...) NOT-FOR-US: Oracle CVE-2017-3559 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3558 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3557 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3556 (Vulnerability in the Oracle Application Object Library component of Or ...) NOT-FOR-US: Oracle CVE-2017-3555 (Vulnerability in the Oracle iReceivables component of Oracle E-Busines ...) NOT-FOR-US: Oracle CVE-2017-3554 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3553 (Vulnerability in the Oracle Identity Manager component of Oracle Fusio ...) NOT-FOR-US: Oracle CVE-2017-3552 (Vulnerability in the Oracle Hospitality OPERA 5 Property Services comp ...) NOT-FOR-US: Oracle CVE-2017-3551 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) 
NOT-FOR-US: Solaris CVE-2017-3550 (Vulnerability in the Oracle Customer Interaction History component of ...) NOT-FOR-US: Oracle CVE-2017-3549 (Vulnerability in the Oracle Scripting component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3548 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-3547 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-3546 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-3545 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3544 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3858-1 DLA-954-1} - openjdk-8 8u131-b11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3543 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3542 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3541 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3540 (Vulnerability in the Oracle WebCenter Sites component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3539 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3858-1 DLA-954-1} - openjdk-8 8u131-b11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3538 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.16-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3537 (Vulnerability in the Oracle Real-Time Scheduler component of Oracle Ut ...) NOT-FOR-US: Oracle CVE-2017-3536 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-3535 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) 
NOT-FOR-US: Oracle CVE-2017-3534 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-3533 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3858-1 DLA-954-1} - openjdk-8 8u131-b11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3532 (Vulnerability in the Oracle Retail Warehouse Management System compone ...) NOT-FOR-US: Oracle CVE-2017-3531 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3530 (Vulnerability in the Oracle Transportation Manager component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3529 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.20-1 (bug #868798) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3528 (Vulnerability in the Oracle Applications Framework component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3527 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-3526 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3858-1 DLA-954-1} - openjdk-8 8u131-b11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3525 (Vulnerability in the PeopleSoft Enterprise SCM Service Procurement com ...) NOT-FOR-US: Oracle CVE-2017-3524 (Vulnerability in the PeopleSoft Enterprise SCM Strategic Sourcing comp ...) NOT-FOR-US: Oracle CVE-2017-3523 (Vulnerability in the MySQL Connectors component of Oracle MySQL (subco ...) {DSA-3840-1 DLA-945-1} - mysql-connector-java 5.1.41-1 NOTE: https://www.computest.nl/advisories/CT-2017-0425_MySQL-Connector-J.txt CVE-2017-3522 (Vulnerability in the PeopleSoft Enterprise SCM eSupplier Connection co ...) NOT-FOR-US: Oracle CVE-2017-3521 (Vulnerability in the PeopleSoft Enterprise SCM Purchasing component of ...) NOT-FOR-US: Oracle CVE-2017-3520 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) 
NOT-FOR-US: Oracle CVE-2017-3519 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle CVE-2017-3518 (Vulnerability in the Enterprise Manager Base Platform component of Ora ...) NOT-FOR-US: Oracle CVE-2017-3517 (Vulnerability in the JD Edwards EnterpriseOne Tools component of Oracl ...) NOT-FOR-US: Oracle CVE-2017-3516 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3515 (Vulnerability in the Oracle User Management component of Oracle E-Busi ...) NOT-FOR-US: Oracle CVE-2017-3514 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-8 (Windows builds only) - openjdk-7 (Windows builds only) NOTE: Upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/95fd1952637b CVE-2017-3513 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.20-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3512 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-8 (MacOSX builds only) - openjdk-7 (MacOSX builds only) NOTE: Upstream commit: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/c878d0baff4a CVE-2017-3511 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3858-1 DLA-954-1} - openjdk-8 8u131-b11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3510 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3509 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3858-1 DLA-954-1} - openjdk-8 8u131-b11-1 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3508 (Vulnerability in the Primavera Gateway component of Oracle Primavera P ...) NOT-FOR-US: Oracle CVE-2017-3507 (Vulnerability in the Oracle Service Bus component of Oracle Fusion Mid ...) 
NOT-FOR-US: Oracle CVE-2017-3506 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3505 (Vulnerability in the Automatic Service Request (ASR) component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3504 (Vulnerability in the Automatic Service Request (ASR) component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3503 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2017-3502 (Vulnerability in the PeopleSoft Enterprise FIN Receivables component o ...) NOT-FOR-US: Oracle CVE-2017-3501 (Vulnerability in the Primavera Unifier component of Oracle Primavera P ...) NOT-FOR-US: Oracle CVE-2017-3500 (Vulnerability in the Primavera Gateway component of Oracle Primavera P ...) NOT-FOR-US: Oracle CVE-2017-3499 (Vulnerability in the Oracle Social Network component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3498 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3497 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3496 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle CVE-2017-3495 (Vulnerability in the Oracle FLEXCUBE Direct Banking component of Oracl ...) NOT-FOR-US: Oracle CVE-2017-3494 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-3493 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle CVE-2017-3492 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle CVE-2017-3491 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle CVE-2017-3490 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle CVE-2017-3489 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) 
NOT-FOR-US: Oracle CVE-2017-3488 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle CVE-2017-3487 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle CVE-2017-3486 (Vulnerability in the SQL*Plus component of Oracle Database Server. Sup ...) NOT-FOR-US: Oracle CVE-2017-3485 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-3484 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle CVE-2017-3483 (Vulnerability in the Oracle FLEXCUBE Enterprise Limits and Collateral ...) NOT-FOR-US: Oracle CVE-2017-3482 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-3481 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-3480 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle CVE-2017-3479 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3478 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3477 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3476 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3475 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3474 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3473 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3472 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3471 (Vulnerability in the Oracle FLEXCUBE Private Banking component of Orac ...) 
NOT-FOR-US: Oracle CVE-2017-3470 (Vulnerability in the Oracle Communications Security Gateway component ...) NOT-FOR-US: Oracle CVE-2017-3469 (Vulnerability in the MySQL Workbench component of Oracle MySQL (subcom ...) - mysql-workbench 6.3.10+dfsg-1 (low; bug #861487) [stretch] - mysql-workbench (Minor issue) [jessie] - mysql-workbench (Minor issue) [wheezy] - mysql-workbench (Minor issue) CVE-2017-3468 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3467 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3466 RESERVED CVE-2017-3465 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3464 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3944-1 DSA-3834-1 DLA-916-1} - mariadb-10.1 10.1.23-1 - mariadb-10.0 - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (bug #860544) CVE-2017-3463 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3834-1 DLA-916-1} - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (bug #860544) CVE-2017-3462 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3834-1 DLA-916-1} - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (bug #860544) CVE-2017-3461 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3834-1 DLA-916-1} - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (bug #860544) CVE-2017-3460 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3459 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) 
- mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3458 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3457 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3456 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3944-1 DSA-3834-1 DLA-916-1} - mariadb-10.1 10.1.23-1 - mariadb-10.0 - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (bug #860544) CVE-2017-3455 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3454 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3453 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3944-1 DSA-3834-1 DLA-916-1} - mariadb-10.1 10.1.23-1 - mariadb-10.0 - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (bug #860544) CVE-2017-3452 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 (Only affects MySQL 5.6) - mysql-5.5 (Only affects MySQL 5.6) CVE-2017-3451 (Vulnerability in the Oracle Retail Open Commerce Platform component of ...) NOT-FOR-US: Oracle CVE-2017-3450 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) CVE-2017-3449 RESERVED CVE-2017-3448 RESERVED CVE-2017-3447 REJECTED CVE-2017-3446 (Vulnerability in the Oracle Trade Management component of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2017-3445 (Vulnerability in the Oracle Trade Management component of Oracle E-Bus ...) 
NOT-FOR-US: Oracle CVE-2017-3444 (Vulnerability in the Oracle Trade Management component of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2017-3443 (Vulnerability in the Oracle Common Applications component of Oracle E- ...) NOT-FOR-US: Oracle CVE-2017-3442 (Vulnerability in the Oracle Customer Interaction History component of ...) NOT-FOR-US: Oracle CVE-2017-3441 (Vulnerability in the Oracle Customer Interaction History component of ...) NOT-FOR-US: Oracle CVE-2017-3440 (Vulnerability in the Oracle Customer Interaction History component of ...) NOT-FOR-US: Oracle CVE-2017-3439 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3438 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3437 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3436 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3435 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3434 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3433 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3432 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3431 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3430 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3429 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3428 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3427 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) 
NOT-FOR-US: Oracle CVE-2017-3426 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3425 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3424 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3423 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3422 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3421 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3420 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3419 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3418 (Vulnerability in the Oracle CRM Technical Foundation component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3417 (Vulnerability in the Oracle Universal Work Queue component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-3416 (Vulnerability in the Oracle Universal Work Queue component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-3415 (Vulnerability in the Oracle Universal Work Queue component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-3414 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3413 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3412 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3411 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3410 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3409 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) 
NOT-FOR-US: Oracle CVE-2017-3408 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3407 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3406 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3405 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3404 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3403 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3402 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3401 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3400 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3399 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3398 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3397 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3396 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3395 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3394 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3393 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3392 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3391 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) 
NOT-FOR-US: Oracle CVE-2017-3390 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3389 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3388 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3387 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3386 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3385 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3384 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3383 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3382 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3381 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3380 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3379 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3378 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3377 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3376 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3375 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3374 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) NOT-FOR-US: Oracle CVE-2017-3373 (Vulnerability in the Oracle Advanced Outbound Telephony component of O ...) 
NOT-FOR-US: Oracle CVE-2017-3372 (Vulnerability in the Oracle Interaction Blending component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-3371 (Vulnerability in the Oracle iSupport component of Oracle E-Business Su ...) NOT-FOR-US: Oracle CVE-2017-3370 (Vulnerability in the Oracle iSupport component of Oracle E-Business Su ...) NOT-FOR-US: Oracle CVE-2017-3369 (Vulnerability in the Oracle iSupport component of Oracle E-Business Su ...) NOT-FOR-US: Oracle CVE-2017-3368 (Vulnerability in the Oracle iStore component of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2017-3367 (Vulnerability in the Oracle Knowledge Management component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-3366 (Vulnerability in the Oracle Knowledge Management component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-3365 (Vulnerability in the Oracle Knowledge Management component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-3364 (Vulnerability in the Oracle Knowledge Management component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-3363 (Vulnerability in the Oracle Knowledge Management component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-3362 (Vulnerability in the Oracle Knowledge Management component of Oracle E ...) NOT-FOR-US: Oracle CVE-2017-3361 (Vulnerability in the Oracle Installed Base component of Oracle E-Busin ...) NOT-FOR-US: Oracle CVE-2017-3360 (Vulnerability in the Oracle Customer Intelligence component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3359 (Vulnerability in the Oracle Customer Intelligence component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3358 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3357 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3356 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3355 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) 
NOT-FOR-US: Oracle CVE-2017-3354 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3353 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3352 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3351 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3350 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3349 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3348 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3347 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3346 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3345 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3344 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3343 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3342 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3341 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3340 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3339 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3338 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3337 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) 
NOT-FOR-US: Oracle CVE-2017-3336 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3335 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3334 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3333 (Vulnerability in the Oracle Marketing component of Oracle E-Business S ...) NOT-FOR-US: Oracle CVE-2017-3332 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.14-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3331 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3330 (Vulnerability in the Siebel UI Framework component of Oracle Siebel CR ...) NOT-FOR-US: Oracle Siebel CVE-2017-3329 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3834-1 DLA-916-1} - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (bug #860544) CVE-2017-3328 (Vulnerability in the Oracle Common Applications component of Oracle E- ...) NOT-FOR-US: Oracle CVE-2017-3327 (Vulnerability in the Oracle Common Applications component of Oracle E- ...) NOT-FOR-US: Oracle CVE-2017-3326 (Vulnerability in the Oracle Common Applications component of Oracle E- ...) NOT-FOR-US: Oracle CVE-2017-3325 (Vulnerability in the Siebel UI Framework component of Oracle Siebel CR ...) NOT-FOR-US: Oracle Siebel CVE-2017-3324 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle Primavera CVE-2017-3323 (Vulnerability in the MySQL Cluster component of Oracle MySQL (subcompo ...) NOT-FOR-US: MySQL Cluster CVE-2017-3322 (Vulnerability in the MySQL Cluster component of Oracle MySQL (subcompo ...) NOT-FOR-US: MySQL Cluster CVE-2017-3321 (Vulnerability in the MySQL Cluster component of Oracle MySQL (subcompo ...) 
NOT-FOR-US: MySQL Cluster CVE-2017-3320 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3319 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3318 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3770-1 DSA-3767-1 DLA-797-1} - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (bug #851233) CVE-2017-3317 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3770-1 DSA-3767-1 DLA-797-1} - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (bug #851233) CVE-2017-3316 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.14-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3315 (Vulnerability in the PeopleSoft Enterprise HCM ePerformance component ...) NOT-FOR-US: Oracle PeopleSoft CVE-2017-3314 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2017-3313 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3809-1 DSA-3767-1 DLA-797-1} - mariadb-10.1 10.1.23-1 - mariadb-10.0 - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (bug #851233) CVE-2017-3312 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) 
{DSA-3770-1 DSA-3767-1 DLA-797-1} - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (bug #851233) CVE-2017-3311 (Vulnerability in the Application Testing Suite component of Oracle Ent ...) NOT-FOR-US: Oracle CVE-2017-3310 (Vulnerability in the OJVM component of Oracle Database Server. Support ...) NOT-FOR-US: Oracle CVE-2017-3309 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3944-1 DSA-3834-1 DLA-916-1} - mariadb-10.1 10.1.23-1 - mariadb-10.0 - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (bug #860544) CVE-2017-3308 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3944-1 DSA-3834-1 DLA-916-1} - mariadb-10.1 10.1.23-1 - mariadb-10.0 - mysql-5.7 5.7.18-1 (bug #860547) - mysql-5.5 (bug #860544) CVE-2017-3307 (Vulnerability in the MySQL Enterprise Monitor component of Oracle MySQ ...) NOT-FOR-US: MySQL Enterprise Monitor CVE-2017-3306 (Vulnerability in the MySQL Enterprise Monitor component of Oracle MySQ ...) NOT-FOR-US: MySQL Enterprise Monitor CVE-2017-3305 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3834-1 DLA-916-1} - mysql-5.7 (Fixed before the initial release to Debian) - mysql-5.5 (bug #860544) NOTE: The issue arises because of an improper fix for the issue known under NOTE: the name BACKRONYM. The CVE CVE-2015-3152 though is explicitly only NOTE: assigned for MariaDB and Percona, thus Oracle MySQL products are not NOTE: tracked below that CVE. Later, Oracle tried to address the corresponding NOTE: issue as well in 5.5 (in 5.5.49) and 5.6 (5.6.30) series resulting in NOTE: opening CVE-2017-3305. NOTE: Cf. https://bugzilla.redhat.com/show_bug.cgi?id=1217506#c22 NOTE: https://www.openwall.com/lists/oss-security/2017/03/17/4 CVE-2017-3304 (Vulnerability in the MySQL Cluster component of Oracle MySQL (subcompo ...) 
- mysql-cluster (bug #833356) CVE-2017-3303 (Vulnerability in the Oracle XML Gateway component of Oracle E-Business ...) NOT-FOR-US: Oracle CVE-2017-3302 (Crash in libmysqlclient.so in Oracle MySQL before 5.6.21 and 5.7.x bef ...) {DSA-3834-1 DSA-3809-1 DLA-916-1 DLA-819-1} - mariadb-10.1 10.1.23-1 - mariadb-10.0 - mysql-5.7 (Fixed before initial release in Debian) - mysql-5.6 (Fixed before initial release in Debian) - mysql-5.5 (bug #854713; bug #860544) NOTE: Fixed by: https://github.com/mysql/mysql-server/commit/4797ea0b772d5f4c5889bc552424132806f46e93 NOTE: Fixed in Oracle MySQL 5.6.21, 5.7.5 NOTE: https://bugs.mysql.com/bug.php?id=70429 NOTE: https://bugs.mysql.com/bug.php?id=63363 NOTE: https://www.openwall.com/lists/oss-security/2017/01/28/1 CVE-2017-3301 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3300 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle PeopleSoft CVE-2017-3299 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle PeopleSoft CVE-2017-3298 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) NOT-FOR-US: Oracle PeopleSoft CVE-2017-3297 (Vulnerability in the Oracle FLEXCUBE Direct Banking component of Oracl ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2017-3296 (Vulnerability in the Oracle Commerce Platform component of Oracle Comm ...) NOT-FOR-US: Oracle Commerce CVE-2017-3295 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3294 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3293 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3292 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of Or ...) 
NOT-FOR-US: Oracle PeopleSoft CVE-2017-3291 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3770-1 DSA-3767-1 DLA-797-1} - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (bug #851233) CVE-2017-3290 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 5.1.14-dfsg-1 [jessie] - virtualbox (DSA-3699-1) [wheezy] - virtualbox (DSA 3454) CVE-2017-3289 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3782-1 DLA-821-1} - openjdk-8 8u121-b13-1 [experimental] - openjdk-7 7u121-2.6.8-2 - openjdk-7 CVE-2017-3288 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...) NOT-FOR-US: Oracle CVE-2017-3287 (Vulnerability in the Oracle iStore component of Oracle E-Business Suit ...) NOT-FOR-US: Oracle CVE-2017-3286 (Vulnerability in the Oracle Applications DBA component of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2017-3285 (Vulnerability in the Oracle Service Fulfillment Manager component of O ...) NOT-FOR-US: Oracle CVE-2017-3284 (Vulnerability in the Oracle Service Fulfillment Manager component of O ...) NOT-FOR-US: Oracle CVE-2017-3283 (Vulnerability in the Oracle Partner Management component of Oracle E-B ...) NOT-FOR-US: Oracle CVE-2017-3282 (Vulnerability in the Oracle Partner Management component of Oracle E-B ...) NOT-FOR-US: Oracle CVE-2017-3281 (Vulnerability in the Oracle Partner Management component of Oracle E-B ...) NOT-FOR-US: Oracle CVE-2017-3280 (Vulnerability in the Oracle Partner Management component of Oracle E-B ...) NOT-FOR-US: Oracle CVE-2017-3279 (Vulnerability in the Oracle Leads Management component of Oracle E-Bus ...) NOT-FOR-US: Oracle CVE-2017-3278 (Vulnerability in the Oracle One-to-One Fulfillment component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3277 (Vulnerability in the Oracle Applications Manager component of Oracle E ...) 
NOT-FOR-US: Oracle CVE-2017-3276 (Vulnerability in the Solaris component of Oracle Sun Systems Products ...) NOT-FOR-US: Solaris CVE-2017-3275 (Vulnerability in the Oracle Email Center component of Oracle E-Busines ...) NOT-FOR-US: Oracle CVE-2017-3274 (Vulnerability in the Oracle Email Center component of Oracle E-Busines ...) NOT-FOR-US: Oracle CVE-2017-3273 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) CVE-2017-3272 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3782-1 DLA-821-1} - openjdk-8 8u121-b13-1 [experimental] - openjdk-7 7u121-2.6.8-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3271 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3270 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3269 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3268 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3267 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3266 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) NOT-FOR-US: Oracle CVE-2017-3265 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3770-1 DSA-3767-1 DLA-797-1} - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (bug #851233) CVE-2017-3264 (Vulnerability in the Siebel UI Framework component of Oracle Siebel CR ...) NOT-FOR-US: Oracle Siebel CVE-2017-3263 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) 
NOT-FOR-US: Oracle Primavera CVE-2017-3262 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-8 (specific to Oracle Java) CVE-2017-3261 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) {DSA-3782-1 DLA-821-1} - openjdk-8 8u121-b13-1 [experimental] - openjdk-7 7u121-2.6.8-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3260 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) {DSA-3782-1 DLA-821-1} - openjdk-8 8u121-b13-1 [experimental] - openjdk-7 7u121-2.6.8-2 - openjdk-7 CVE-2017-3259 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...) - openjdk-8 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-7 (Deployment components not part of OpenJDK, only present in Oracle Java) - openjdk-6 (Deployment components not part of OpenJDK, only present in Oracle Java) CVE-2017-3258 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3770-1 DSA-3767-1 DLA-797-1} - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (bug #851233) CVE-2017-3257 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3770-1} - mariadb-10.2 (bug #884065) - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (Only affects MySQL 5.6 and 5.7) CVE-2017-3256 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3255 (Vulnerability in the Oracle JDeveloper component of Oracle Fusion Midd ...) NOT-FOR-US: Oracle CVE-2017-3254 (Vulnerability in the Oracle Retail Invoice Matching component of Oracl ...) 
NOT-FOR-US: Oracle CVE-2017-3253 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3782-1 DLA-821-1} - openjdk-8 8u121-b13-1 [experimental] - openjdk-7 7u121-2.6.8-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3252 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3782-1 DLA-821-1} - openjdk-8 8u121-b13-1 [experimental] - openjdk-7 7u121-2.6.8-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3251 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 (Only affects MySQL 5.7) - mysql-5.5 (Only affects MySQL 5.7) CVE-2017-3250 (Vulnerability in the Oracle GlassFish Server component of Oracle Fusio ...) - glassfish (Vulnerable code not included, see bug #853998) CVE-2017-3249 (Vulnerability in the Oracle GlassFish Server component of Oracle Fusio ...) - glassfish (Vulnerable code not included, see bug #853998) CVE-2017-3248 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle CVE-2017-3247 (Vulnerability in the Oracle GlassFish Server component of Oracle Fusio ...) - glassfish (Vulnerable code not included, see bug #853998) CVE-2017-3246 (Vulnerability in the Oracle Application Object Library component of Or ...) NOT-FOR-US: Oracle CVE-2017-3245 (Vulnerability in the Oracle FLEXCUBE Direct Banking component of Oracl ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2017-3244 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3770-1 DSA-3767-1 DLA-797-1} - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (bug #851233) CVE-2017-3243 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) 
{DSA-3770-1 DSA-3767-1 DLA-797-1} - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 (Only affects MySQL 5.5) - mysql-5.6 (Only affects MySQL 5.5) - mysql-5.5 (bug #851233) CVE-2017-3242 (Vulnerability in the Oracle VM Server for Sparc component of Oracle Su ...) NOT-FOR-US: Solaris CVE-2017-3241 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of O ...) {DSA-3782-1 DLA-821-1} - openjdk-8 8u121-b13-1 [experimental] - openjdk-7 7u121-2.6.8-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3240 (Vulnerability in the RDBMS Security component of Oracle Database Serve ...) NOT-FOR-US: Oracle CVE-2017-3239 (Vulnerability in the Oracle GlassFish Server component of Oracle Fusio ...) - glassfish (Only affects 3.x) CVE-2017-3238 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...) {DSA-3770-1 DSA-3767-1 DLA-797-1} - mariadb-10.1 10.1.21-1 (bug #851759) - mariadb-10.0 (bug #851755) - mysql-5.7 5.7.17-1 (bug #851235) - mysql-5.6 5.6.35-1 (bug #851234) - mysql-5.5 (bug #851233) CVE-2017-3237 (Vulnerability in the Automatic Service Request (ASR) component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3236 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2017-3235 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...) NOT-FOR-US: Oracle FLEXCUBE CVE-2017-3234 (Vulnerability in the Automatic Service Request (ASR) component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3233 (Vulnerability in the Automatic Service Request (ASR) component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3232 (Vulnerability in the Automatic Service Request (ASR) component of Orac ...) NOT-FOR-US: Oracle CVE-2017-3231 (Vulnerability in the Java SE, Java SE Embedded component of Oracle Jav ...) 
{DSA-3782-1 DLA-821-1} - openjdk-8 8u121-b13-1 [experimental] - openjdk-7 7u121-2.6.8-2 - openjdk-7 - openjdk-6 [wheezy] - openjdk-6 CVE-2017-3230 (Vulnerability in the Oracle Fusion Middleware MapViewer component of O ...) NOT-FOR-US: Oracle CVE-2017-3229 REJECTED CVE-2017-3228 REJECTED CVE-2017-3227 RESERVED CVE-2017-3226 (Das U-Boot is a device bootloader that can read its configuration from ...) - u-boot (unimportant) [wheezy] - u-boot (Vulnerable code does not exist) NOTE: jessie+ no built targets use ENV_AES by default, but fw_printenv/fw_setenv NOTE: in u-boot-tools supports it. Upstream has deprecated it and plans to remove NOTE: it in future versions. NOTE: https://www.kb.cert.org/vuls/id/166743 NOTE: Negligible security impact CVE-2017-3225 (Das U-Boot is a device bootloader that can read its configuration from ...) - u-boot (unimportant) [wheezy] - u-boot (Vulnerable code does not exist) NOTE: jessie+ no built targets use ENV_AES by default, but fw_printenv/fw_setenv NOTE: in u-boot-tools supports it. Upstream has deprecated it and plans to remove NOTE: it in future versions. NOTE: https://www.kb.cert.org/vuls/id/166743 NOTE: Negligible security impact CVE-2017-3224 (Open Shortest Path First (OSPF) protocol implementations may improperl ...) - quagga (low; bug #871617) [buster] - quagga (Minor issue) [stretch] - quagga (Minor issue) [jessie] - quagga (Minor issue) [wheezy] - quagga (Minor issue) - frr (Fixed before initial upload to Debian) NOTE: http://www.kb.cert.org/vuls/id/793496 NOTE: https://github.com/FRRouting/frr/commit/7791d3deab8f4bbee2ccdd98ea596617536bc681 CVE-2017-3223 (Dahua IP camera products using firmware versions prior to V2.400.0000. ...) NOT-FOR-US: Dahua IP camera products CVE-2017-3222 (Hard-coded credentials in AmosConnect 8 allow remote attackers to gain ...) NOT-FOR-US: AmosConnect CVE-2017-3221 (Blind SQL injection in Inmarsat AmosConnect 8 login form allows remote ...) 
NOT-FOR-US: AmosConnect CVE-2017-3220 RESERVED CVE-2017-3219 (Acronis True Image up to and including version 2017 Build 8053 perform ...) NOT-FOR-US: Acronis True Image CVE-2017-3218 (Samsung Magician 5.0 fails to validate TLS certificates for HTTPS soft ...) NOT-FOR-US: Samsung CVE-2017-3217 (CalAmp LMU 3030 series OBD-II CDMA and GSM devices has an SMS (text me ...) NOT-FOR-US: CalAmp LMU 3030 series OBD-II CDMA and GSM devices CVE-2017-3216 (WiMAX routers based on the MediaTek SDK (libmtk) that use a custom htt ...) NOT-FOR-US: WiMAX routers CVE-2017-3215 (The Milwaukee ONE-KEY Android mobile application uses bearer tokens wi ...) NOT-FOR-US: Milwaukee ONE-KEY Android mobile application CVE-2017-3214 (The Milwaukee ONE-KEY Android mobile application stores the master tok ...) NOT-FOR-US: Milwaukee ONE-KEY Android mobile application CVE-2017-3213 (The Think Mutual Bank Mobile Banking app 3.1.5 for iOS does not verify ...) NOT-FOR-US: Think Mutual Bank Mobile Banking app CVE-2017-3212 (The Space Coast Credit Union Mobile app 2.2 for iOS and 2.1.0.1104 for ...) NOT-FOR-US: Space Coast Credit Union Mobile app CVE-2017-3211 (Yopify, an e-commerce notification plugin, up to April 06, 2017, leaks ...) NOT-FOR-US: Yopify (e-commerce notification plugin) CVE-2017-3210 (Applications developed using the Portrait Display SDK, versions 2.30 t ...) NOT-FOR-US: Portrait Display SDK CVE-2017-3209 (The DBPOWER U818A WIFI quadcopter drone provides FTP access over its o ...) NOT-FOR-US: DBPOWER U818A WIFI quadcopter drone CVE-2017-3208 (The Java implementation of AMF3 deserializers used by WebORB for Java ...) NOT-FOR-US: AMF3 deserialisers CVE-2017-3207 (The Java implementations of AMF3 deserializers in WebORB for Java by M ...) NOT-FOR-US: AMF3 deserialisers CVE-2017-3206 (The Java implementation of AMF3 deserializers used by Flamingo amf-ser ...) 
NOT-FOR-US: AMF3 deserialisers CVE-2017-3205 RESERVED CVE-2017-3204 (The Go SSH library (x/crypto/ssh) by default does not verify host keys ...) - golang-go.crypto 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1 (bug #859655) [jessie] - golang-go.crypto (In jessie no rdeps using SSH, that version doesn't even support host key validation) NOTE: https://github.com/golang/crypto/commit/e4e2799dd7aab89f583e1d898300d96367750991 NOTE: https://github.com/golang/go/issues/19767 CVE-2017-3203 (The Java implementations of AMF3 deserializers in Pivotal/Spring Sprin ...) NOT-FOR-US: AMF3 deserialisers CVE-2017-3202 (The Java implementation of AMF3 deserializers used in Flamingo amf-ser ...) NOT-FOR-US: AMF3 deserialisers CVE-2017-3201 (The Java implementation of AMF3 deserializers used in Flamingo amf-ser ...) NOT-FOR-US: AMF3 deserialisers CVE-2017-3200 (The Java implementation of AMF3 deserializers used in GraniteDS, versi ...) NOT-FOR-US: AMF3 deserialisers CVE-2017-3199 (The Java implementation of GraniteDS, version 3.1.1.GA, AMF3 deseriali ...) NOT-FOR-US: AMF3 deserialisers CVE-2017-3198 (GIGABYTE BRIX UEFI firmware does not cryptographically validate images ...) NOT-FOR-US: GIGABYTE CVE-2017-3197 (GIGABYTE BRIX UEFI firmware for the GB-BSi7H-6500 (version F6) and GB- ...) NOT-FOR-US: GIGABYTE CVE-2017-3196 (PCAUSA Rawether framework does not properly validate BPF data, allowin ...) NOT-FOR-US: PCAUSA Rawether CVE-2017-3195 (Commvault Edge Communication Service (cvd) prior to version 11 SP7 or ...) NOT-FOR-US: Commvault Edge Communication Service CVE-2017-3194 (Pandora iOS app prior to version 8.3.2 fails to properly validate SSL ...) NOT-FOR-US: Pandora iOS app CVE-2017-3193 (Multiple D-Link devices including the DIR-850L firmware versions 1.14B ...) NOT-FOR-US: D-Link CVE-2017-3192 (D-Link DIR-130 firmware version 1.23 and DIR-330 firmware version 1.12 ...) 
NOT-FOR-US: D-Link CVE-2017-3191 (D-Link DIR-130 firmware version 1.23 and DIR-330 firmware version 1.12 ...) NOT-FOR-US: D-Link CVE-2017-3190 (Flash Seats Mobile App for Android version 1.7.9 and earlier and for i ...) NOT-FOR-US: Flash Seats Mobile App CVE-2017-3189 (The dotCMS administration panel, versions 3.7.1 and earlier, "Push Pub ...) NOT-FOR-US: dotCMS CVE-2017-3188 (The dotCMS administration panel, versions 3.7.1 and earlier, "Push Pub ...) NOT-FOR-US: dotCMS CVE-2017-3187 (The dotCMS administration panel, versions 3.7.1 and earlier, are vulne ...) NOT-FOR-US: dotCMS CVE-2017-3186 (ACTi cameras including the D, B, I, and E series using firmware versio ...) NOT-FOR-US: ACTi cameras CVE-2017-3185 (ACTi cameras including the D, B, I, and E series using firmware versio ...) NOT-FOR-US: ACTi cameras CVE-2017-3184 (ACTi cameras including the D, B, I, and E series using firmware versio ...) NOT-FOR-US: ACTi cameras CVE-2017-3183 (Sage XRT Treasury, version 3, fails to properly restrict database acce ...) NOT-FOR-US: Sage XRT Treasury CVE-2017-3182 (On the iOS platform, the ThreatMetrix SDK versions prior to 3.2 fail t ...) NOT-FOR-US: ThreatMetrix SDK CVE-2017-3181 (Multiple TIBCO Products are prone to multiple unspecified SQL-injectio ...) NOT-FOR-US: TIBCO CVE-2017-3180 (Multiple TIBCO Products are prone to multiple unspecified cross-site s ...) NOT-FOR-US: TIBCO CVE-2017-3179 REJECTED CVE-2017-3178 REJECTED CVE-2017-3177 REJECTED CVE-2017-3176 REJECTED CVE-2017-3175 REJECTED CVE-2017-3174 REJECTED CVE-2017-3173 REJECTED CVE-2017-3172 REJECTED CVE-2017-3171 REJECTED CVE-2017-3170 REJECTED CVE-2017-3169 (In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl m ...) {DSA-3896-1 DLA-1009-1} - apache2 2.4.25-4 CVE-2017-3168 REJECTED CVE-2017-3167 (In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of th ...) 
{DSA-3896-1 DLA-1009-1} - apache2 2.4.25-4 CVE-2017-3166 (In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-al ...) - hadoop (bug #793644) CVE-2017-3165 (In Apache Brooklyn before 0.10.0, the REST server is vulnerable to cro ...) NOT-FOR-US: Apache Brooklyn CVE-2017-3164 (Server Side Request Forgery in Apache Solr, versions 1.3 until 7.6 (in ...) - lucene-solr (unimportant; bug #922242) NOTE: https://issues.apache.org/jira/browse/SOLR-12770 CVE-2017-3163 (When using the Index Replication feature, Apache Solr nodes can pull i ...) {DSA-4124-1 DLA-1046-1} - lucene-solr 3.6.2+dfsg-11 (bug #867712) NOTE: https://issues.apache.org/jira/browse/SOLR-10031 NOTE: https://github.com/apache/lucene-solr/commit/ae789c252687dc8a18bfdb677f2e6cd14570e4db CVE-2017-3162 (HDFS clients interact with a servlet on the DataNode to browse the HDF ...) - hadoop (bug #793644) CVE-2017-3161 (The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross ...) - hadoop (bug #793644) CVE-2017-3160 (After the Android platform is added to Cordova the first time, or afte ...) NOT-FOR-US: Apache Cordova CVE-2017-3159 (Apache Camel's camel-snakeyaml component is vulnerable to Java object ...) NOT-FOR-US: Apache Camel CVE-2017-3158 (A race condition in Guacamole's terminal emulator in versions 0.9.5 th ...) - guacamole-client (bug #891798) [stretch] - guacamole-client (Minor issue) [jessie] - guacamole-client (Minor issue) - guacamole [wheezy] - guacamole (Version not vulnerable) CVE-2017-3157 (By exploiting the way Apache OpenOffice before 4.1.4 renders embedded ...) {DSA-3792-1 DLA-910-1} - libreoffice 1:5.2.3-1 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2017-3157/ CVE-2017-3156 (The OAuth2 Hawk and JOSE MAC Validation code in Apache CXF prior to 3. ...) NOT-FOR-US: Apache CXF CVE-2017-3155 (Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found ...) 
NOT-FOR-US: Apache Atlas CVE-2017-3154 (Error responses from Apache Atlas versions 0.6.0-incubating and 0.7.0- ...) NOT-FOR-US: Apache Atlas CVE-2017-3153 (Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found ...) NOT-FOR-US: Apache Atlas CVE-2017-3152 (Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found ...) NOT-FOR-US: Apache Atlas CVE-2017-3151 (Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating were found ...) NOT-FOR-US: Apache Atlas CVE-2017-3150 (Apache Atlas versions 0.6.0-incubating and 0.7.0-incubating use cookie ...) NOT-FOR-US: Apache Atlas CVE-2017-3149 REJECTED CVE-2017-3148 REJECTED CVE-2017-3147 REJECTED CVE-2017-3146 REJECTED CVE-2017-3145 (BIND was improperly sequencing cleanup operations on upstream recursio ...) {DSA-4089-1 DLA-1255-1} - bind9 1:9.11.2.P1-1 NOTE: https://kb.isc.org/article/AA-01542 NOTE: Fixed by (master): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=053b51c4dbd28f6e4de71ce4268a6f606025d76d NOTE: Fixed by (9.10.6-P1): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=55baf7d7e25c0e6444cb7e415f14d9e0819b5508 CVE-2017-3144 (A vulnerability stemming from failure to properly clean up closed OMAP ...) {DSA-4133-1} - isc-dhcp 4.3.5-3.1 (bug #887413) [wheezy] - isc-dhcp (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1522918 NOTE: https://bugs.isc.org/Public/Bug/Display.html?id=46767 NOTE: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=1a6b62fe17a42b00fa234d06b6dfde3d03451894 NOTE: Fixes for 4.3.6p1: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=99a25aedea02d9c259cb8fabf4be700fb32571a3 CVE-2017-3143 (An attacker who is able to send and receive messages to an authoritati ...) 
{DSA-3904-1 DLA-1025-1} - bind9 1:9.10.3.dfsg.P4-12.4 (bug #866564) NOTE: https://kb.isc.org/article/AA-01503 NOTE: Fixed by (master): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=581c1526ab0f74a177980da9ff0514f795ed8669 CVE-2017-3142 (An attacker who is able to send and receive messages to an authoritati ...) {DSA-3904-1 DLA-1025-1} - bind9 1:9.10.3.dfsg.P4-12.4 (bug #866564) NOTE: https://kb.isc.org/article/AA-01504 NOTE: Fixed by (master): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=581c1526ab0f74a177980da9ff0514f795ed8669 CVE-2017-3141 (The BIND installer on Windows uses an unquoted service path which can ...) - bind9 (Affects only Windows systems) NOTE: https://kb.isc.org/article/AA-01496 CVE-2017-3140 (If named is configured to use Response Policy Zones (RPZ) an error pro ...) - bind9 (Upstream change #4377 not backported/included) NOTE: https://kb.isc.org/article/AA-01495 NOTE: Fixed by (master): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=2648c49be78568ba9f4123d22122f2a649e2e1b7 NOTE: Introduced by: https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=aabcb1fde0ca255ff30f0a5c10cbd39f798cc5b7 NOTE: CVE-2017-3140 is introduced by the upstream change #4377 NOTE: https://www.openwall.com/lists/oss-security/2017/06/14/4 CVE-2017-3139 (A denial of service flaw was found in the way BIND handled DNSSEC vali ...) - bind9 (RHEL6 specific) CVE-2017-3138 (named contains a feature which allows operators to issue commands to a ...) 
{DSA-3854-1 DLA-957-1} - bind9 1:9.10.3.dfsg.P4-12.3 (bug #860226) NOTE: https://kb.isc.org/article/AA-01471 NOTE: Fixed by (9.10.x): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=a636604b20cc0aaabc8edbb7595f7c1c820b7610 NOTE: In practice for any Debian version applying this commit is merely NOTE: hardening, since the feature to allow only a subset of "read only" NOTE: commands was added only in 9.11.0 and before existing commands permitted NOTE: over the control channel were already be given to cause the server to stop. NOTE: The CVE-2017-3138 is barely an issue in practice anyway. CVE-2017-3137 (Mistaken assumptions about the ordering of records in the answer secti ...) {DSA-3854-1 DLA-957-1} - bind9 1:9.10.3.dfsg.P4-12.3 (bug #860225) NOTE: https://kb.isc.org/article/AA-01466 NOTE: Additional information for backporting patch: https://www.openwall.com/lists/oss-security/2017/04/17/5 NOTE: Fixed by (9.10.x): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=69fd759b4aa02047e42e5cf4227f8257c4547988 NOTE: Fixed by (9.10.x): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=6841d7b854c15df9ec56cab38da201b315bbcabb (reimplementation) NOTE: Fixed by (9.10.x): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=7ab9e8e00775782d474522a5b2bffba8daefefa5 (regression fix) CVE-2017-3136 (A query with a specific set of characteristics could cause a server us ...) {DSA-3854-1 DLA-957-1} - bind9 1:9.10.3.dfsg.P4-12.3 (bug #860224) NOTE: https://kb.isc.org/article/AA-01465 NOTE: Fixed by (9.10.x): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=764240ca07ab1b796226d5402ccd9fbfa77ec32a CVE-2017-3135 (Under some conditions when using both DNS64 and RPZ to rewrite query r ...) 
{DSA-3795-1 DLA-843-1} - bind9 1:9.10.3.dfsg.P4-12 (bug #855520) NOTE: https://kb.isc.org/article/AA-01453 NOTE: Patch for 9.9.9-P6: ftp://ftp.isc.org/isc/bind9/9.9.9-P6/patches/rt44434 CVE-2017-3134 (An escalation of privilege vulnerability in Fortinet FortiWLC-SD versi ...) NOT-FOR-US: Fortinet FortiWLC-SD CVE-2017-3133 (A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6. ...) NOT-FOR-US: Fortinet FortiOS CVE-2017-3132 (A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.6. ...) NOT-FOR-US: Fortinet FortiOS CVE-2017-3131 (A Cross-Site Scripting vulnerability in Fortinet FortiOS versions 5.4. ...) NOT-FOR-US: Fortinet FortiOS CVE-2017-3130 (An information disclosure vulnerability in Fortinet FortiOS 5.6.0, 5.4 ...) NOT-FOR-US: Fortinet CVE-2017-3129 (A Cross-Site Scripting vulnerability in Fortinet FortiWeb versions 5.7 ...) NOT-FOR-US: Fortinet FortiWeb CVE-2017-3128 (A stored XSS (Cross-Site-Scripting) vulnerability in Fortinet FortiOS ...) NOT-FOR-US: Fortinet FortiOS CVE-2017-3127 (A Cross-Site Scripting vulnerability in Fortinet FortiGate 5.2.0 throu ...) NOT-FOR-US: Fortinet CVE-2017-3126 (An Open Redirect vulnerability in Fortinet FortiAnalyzer 5.4.0 through ...) NOT-FOR-US: Fortinet FortiAnalyzer CVE-2017-3125 (An unauthenticated XSS vulnerability with FortiMail 5.0.0 - 5.2.9 and ...) NOT-FOR-US: FortiMail CVE-2017-3124 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3123 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3122 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3121 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3120 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) 
NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3119 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3118 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3117 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3116 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3115 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3114 (An issue was discovered in Adobe Flash Player 27.0.0.183 and earlier v ...) NOT-FOR-US: Adobe CVE-2017-3113 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3112 (An issue was discovered in Adobe Flash Player 27.0.0.183 and earlier v ...) NOT-FOR-US: Adobe CVE-2017-3111 (An issue was discovered in Adobe Experience Manager 6.3, 6.2, 6.1, 6.0 ...) NOT-FOR-US: Adobe CVE-2017-3110 (Adobe Experience Manager 6.1 and earlier has a sensitive data exposure ...) NOT-FOR-US: Adobe CVE-2017-3109 (An issue was discovered in Adobe Experience Manager 6.3, 6.2, 6.1, 6.0 ...) NOT-FOR-US: Adobe CVE-2017-3108 (Adobe Experience Manager 6.2 and earlier has a malicious file executio ...) NOT-FOR-US: Adobe CVE-2017-3107 (Adobe Experience Manager 6.3 and earlier has a misconfiguration vulner ...) NOT-FOR-US: Adobe CVE-2017-3106 (Adobe Flash Player versions 26.0.0.137 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3105 (Adobe RoboHelp has an Open Redirect vulnerability. This affects versio ...) NOT-FOR-US: Adobe CVE-2017-3104 (Adobe RoboHelp has a cross-site scripting (XSS) vulnerability. This af ...) NOT-FOR-US: Adobe CVE-2017-3103 (Adobe Connect versions 9.6.1 and earlier have a stored cross-site scri ...) 
NOT-FOR-US: Adobe Connect CVE-2017-3102 (Adobe Connect versions 9.6.1 and earlier have a reflected cross-site s ...) NOT-FOR-US: Adobe Connect CVE-2017-3101 (Adobe Connect versions 9.6.1 and earlier have a clickjacking vulnerabi ...) NOT-FOR-US: Adobe Connect CVE-2017-3100 (Adobe Flash Player versions 26.0.0.131 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3099 (Adobe Flash Player versions 26.0.0.131 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3098 (Adobe Captivate versions 9 and earlier have a remote code execution vu ...) NOT-FOR-US: Adobe CVE-2017-3097 (Adobe Digital Editions versions 4.5.4 and earlier contain an insecure ...) NOT-FOR-US: Adobe CVE-2017-3096 (Adobe Digital Editions versions 4.5.4 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-3095 (Adobe Digital Editions versions 4.5.4 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-3094 (Adobe Digital Editions versions 4.5.4 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-3093 (Adobe Digital Editions versions 4.5.4 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-3092 (Adobe Digital Editions versions 4.5.4 and earlier contain an insecure ...) NOT-FOR-US: Adobe CVE-2017-3091 (Adobe Digital Editions 4.5.4 and earlier versions 4.5.4 and earlier ha ...) NOT-FOR-US: Adobe CVE-2017-3090 (Adobe Digital Editions versions 4.5.4 and earlier contain an insecure ...) NOT-FOR-US: Adobe CVE-2017-3089 (Adobe Digital Editions versions 4.5.4 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-3088 (Adobe Digital Editions versions 4.5.4 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-3087 (Adobe Captivate versions 9 and earlier have an information disclosure ...) NOT-FOR-US: Adobe CVE-2017-3086 (Adobe Shockwave versions 12.2.8.198 and earlier have an exploitable me ...) 
NOT-FOR-US: Adobe CVE-2017-3085 (Adobe Flash Player versions 26.0.0.137 and earlier have a security byp ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3084 (Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3083 (Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3082 (Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3081 (Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3080 (Adobe Flash Player versions 26.0.0.131 and earlier have a security byp ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3079 (Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3078 (Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3077 (Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3076 (Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3075 (Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3074 (Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3073 (Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3072 (Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3071 (Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3070 (Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable ...) 
NOT-FOR-US: Adobe Flash Player CVE-2017-3069 (Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3068 (Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3067 (Adobe Experience Manager Forms versions 6.2, 6.1, 6.0 have an informat ...) NOT-FOR-US: Adobe CVE-2017-3066 (Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 an ...) NOT-FOR-US: Adobe CVE-2017-3065 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3064 (Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3063 (Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3062 (Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3061 (Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3060 (Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3059 (Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3058 (Adobe Flash Player versions 25.0.0.127 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3057 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3056 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3055 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3054 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) 
NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3053 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3052 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3051 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3050 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3049 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3048 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3047 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3046 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3045 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3044 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3043 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3042 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3041 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3040 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3039 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3038 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) 
NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3037 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3036 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3035 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3034 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3033 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3032 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3031 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3030 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3029 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3028 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3027 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3026 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3025 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3024 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3023 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3022 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) 
NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3021 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3020 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3019 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3018 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3017 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3016 (Adobe Acrobat Reader 2017.009.20058 and earlier, 2017.008.30051 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3015 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3014 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3013 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3012 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3011 (Adobe Acrobat Reader versions 11.0.19 and earlier, 15.006.30280 and ea ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-3010 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe CVE-2017-3009 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe CVE-2017-3008 (Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 an ...) NOT-FOR-US: Adobe CVE-2017-3007 (Adobe Thor versions 3.9.5.353 and earlier have a vulnerability in the ...) NOT-FOR-US: Adobe Thor CVE-2017-3006 (Adobe Thor versions 3.9.5.353 and earlier have a vulnerability related ...) 
NOT-FOR-US: Adobe Thor CVE-2017-3005 (Adobe Photoshop versions CC 2017 (18.0.1) and earlier, CC 2015.5.1 (17 ...) NOT-FOR-US: Adobe Photoshop CVE-2017-3004 (Adobe Photoshop versions CC 2017 (18.0.1) and earlier, CC 2015.5.1 (17 ...) NOT-FOR-US: Adobe Photoshop CVE-2017-3003 (Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3002 (Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3001 (Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-3000 (Adobe Flash Player versions 24.0.0.221 and earlier have a vulnerabilit ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2999 (Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2998 (Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2997 (Adobe Flash Player versions 24.0.0.221 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2996 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2995 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2994 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2993 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2992 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2991 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2990 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) 
NOT-FOR-US: Adobe Flash Player CVE-2017-2989 (Adobe Campaign versions Build 8770 and earlier have an input validatio ...) NOT-FOR-US: Adobe CVE-2017-2988 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2987 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2986 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2985 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2984 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2983 (Adobe Shockwave versions 12.2.7.197 and earlier have an insecure libra ...) NOT-FOR-US: Adobe CVE-2017-2982 (Adobe Flash Player versions 24.0.0.194 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2981 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-2980 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-2979 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-2978 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-2977 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-2976 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-2975 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-2974 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) NOT-FOR-US: Adobe CVE-2017-2973 (Adobe Digital Editions versions 4.5.3 and earlier have an exploitable ...) 
NOT-FOR-US: Adobe CVE-2017-2972 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2971 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2970 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2969 (Adobe Campaign versions 16.4 Build 8724 and earlier have a cross-site ...) NOT-FOR-US: Adobe CVE-2017-2968 (Adobe Campaign versions 16.4 Build 8724 and earlier have a code inject ...) NOT-FOR-US: Adobe CVE-2017-2967 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2966 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2965 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2964 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2963 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2962 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2961 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2960 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2959 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2958 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2957 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) 
NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2956 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2955 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2954 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2953 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2952 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2951 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2950 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2949 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2948 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2947 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2946 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2945 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2944 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2943 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2942 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2941 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) 
NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2940 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2939 (Adobe Acrobat Reader versions 15.020.20042 and earlier, 15.006.30244 a ...) NOT-FOR-US: Adobe Acrobat Reader CVE-2017-2938 (Adobe Flash Player versions 24.0.0.186 and earlier have a security byp ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2937 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2936 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2935 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2934 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2933 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2932 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2931 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2930 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2929 (Adobe Acrobat Chrome extension version 15.1.0.3 and earlier have a DOM ...) NOT-FOR-US: Adobe Acrobat Chrome extension CVE-2017-2928 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2927 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2926 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) NOT-FOR-US: Adobe Flash Player CVE-2017-2925 (Adobe Flash Player versions 24.0.0.186 and earlier have an exploitable ...) 
NOT-FOR-US: Adobe Flash Player CVE-2017-2924 (An exploitable heap-based buffer overflow vulnerability exists in the ...) {DSA-3976-1 DLA-1098-1} - freexl 1.0.4-1 (bug #875691) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0431 NOTE: https://www.gaia-gis.it/fossil/freexl/ci/40c17539ea56f0d8 CVE-2017-2923 (An exploitable heap based buffer overflow vulnerability exists in the ...) {DSA-3976-1 DLA-1098-1} - freexl 1.0.4-1 (bug #875690) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0430 NOTE: https://www.gaia-gis.it/fossil/freexl/ci/40c17539ea56f0d8 CVE-2017-2922 (An exploitable memory corruption vulnerability exists in the Websocket ...) - smplayer 18.5.0~ds1-1 (bug #898943) [stretch] - smplayer (Vulnerable code not present) [jessie] - smplayer (Vulnerable code not present) [wheezy] - smplayer (Vulnerable code not present) NOTE: 18.5.0~ds1-1 isn't fixed on the source level, but no longer builds the Chromecast support CVE-2017-2921 (An exploitable memory corruption vulnerability exists in the Websocket ...) - smplayer 18.5.0~ds1-1 (bug #898943) [stretch] - smplayer (Vulnerable code not present) [jessie] - smplayer (Vulnerable code not present) [wheezy] - smplayer (Vulnerable code not present) NOTE: 18.5.0~ds1-1 isn't fixed on the source level, but no longer builds the Chromecast support CVE-2017-2920 (A memory corruption vulnerability exists in the .SVG parsing function ...) NOT-FOR-US: Computerinsel Photoline CVE-2017-2919 (An exploitable stack based buffer overflow vulnerability exists in the ...) {DSA-4173-1} - r-cran-readxl 1.0.0-2 (bug #895564) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0426 CVE-2017-2918 (An exploitable integer overflow exists in the Image loading functional ...) 
{DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0425 CVE-2017-2917 (An exploitable vulnerability exists in the notifications functionality ...) NOT-FOR-US: Circle with Disney CVE-2017-2916 (An exploitable vulnerability exists in the /api/CONFIG/restore functio ...) NOT-FOR-US: Circle with Disney CVE-2017-2915 (An exploitable vulnerability exists in the WiFi configuration function ...) NOT-FOR-US: Circle with Disney CVE-2017-2914 (An exploitable authentication bypass vulnerability exists in the API d ...) NOT-FOR-US: Circle with Disney CVE-2017-2913 (An exploitable vulnerability exists in the filtering functionality of ...) NOT-FOR-US: Circle with Disney CVE-2017-2912 (An exploitable vulnerability exists in the remote control functionalit ...) NOT-FOR-US: Circle with Disney CVE-2017-2911 (An exploitable vulnerability exists in the remote control functionalit ...) NOT-FOR-US: Circle with Disney CVE-2017-2910 (An exploitable Out-of-bounds Write vulnerability exists in the xls_add ...) - r-cran-readxl NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2017-0417 TODO: check CVE-2017-2909 (An infinite loop programming error exists in the DNS server functional ...) - smplayer 18.5.0~ds1-1 (bug #898943) [stretch] - smplayer (Vulnerable code not present) [jessie] - smplayer (Vulnerable code not present) [wheezy] - smplayer (Vulnerable code not present) NOTE: 18.5.0~ds1-1 isn't fixed on the source level, but no longer builds the Chromecast support CVE-2017-2908 (An exploitable integer overflow exists in the thumbnail functionality ...) 
{DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/07aed404cfb2759f97c60b9f64d8a9392dabaf1a NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0415 CVE-2017-2907 (An exploitable integer overflow exists in the animation playing functi ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0414 CVE-2017-2906 (An exploitable integer overflow exists in the animation playing functi ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0413 CVE-2017-2905 (An exploitable integer overflow exists in the bmp loading functionalit ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0412 CVE-2017-2904 (An exploitable integer overflow exists in the RADIANCE loading functio ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0411 CVE-2017-2903 (An exploitable integer overflow exists in the DPX loading functionalit ...) 
{DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0410 CVE-2017-2902 (An exploitable integer overflow exists in the DPX loading functionalit ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0409 CVE-2017-2901 (An exploitable integer overflow exists in the IRIS loading functionali ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/829916f4e57a2d1580ff3b625f6bb909b9144a20 NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0408 CVE-2017-2900 (An exploitable integer overflow exists in the PNG loading functionalit ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0407 CVE-2017-2899 (An exploitable integer overflow exists in the TIFF loading functionali ...) {DSA-4248-1 DLA-1465-1} - blender 2.79.a+dfsg0-1 [wheezy] - blender (Vulnerable but not ignored) NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0406 CVE-2017-2898 (An exploitable vulnerability exists in the signature verification of t ...) 
NOT-FOR-US: Circle with Disney CVE-2017-2897 (An exploitable out-of-bounds write vulnerability exists in the read_MS ...) {DSA-4173-1} - r-cran-readxl 1.0.0-2 (bug #895564) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0404 CVE-2017-2896 (An exploitable out-of-bounds write vulnerability exists in the xls_mer ...) {DSA-4173-1} - r-cran-readxl 1.0.0-2 (bug #895564) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0403 CVE-2017-2895 (An exploitable arbitrary memory read vulnerability exists in the MQTT ...) - smplayer 18.5.0~ds1-1 (bug #898943) [stretch] - smplayer (Vulnerable code not present) [jessie] - smplayer (Vulnerable code not present) [wheezy] - smplayer (Vulnerable code not present) NOTE: 18.5.0~ds1-1 isn't fixed on the source level, but no longer builds the Chromecast support CVE-2017-2894 (An exploitable stack buffer overflow vulnerability exists in the MQTT ...) - smplayer 18.5.0~ds1-1 (bug #898943) [stretch] - smplayer (Vulnerable code not present) [jessie] - smplayer (Vulnerable code not present) [wheezy] - smplayer (Vulnerable code not present) NOTE: 18.5.0~ds1-1 isn't fixed on the source level, but no longer builds the Chromecast support CVE-2017-2893 (An exploitable NULL pointer dereference vulnerability exists in the MQ ...) - smplayer 18.5.0~ds1-1 (bug #898943) [stretch] - smplayer (Vulnerable code not present) [jessie] - smplayer (Vulnerable code not present) [wheezy] - smplayer (Vulnerable code not present) NOTE: 18.5.0~ds1-1 isn't fixed on the source level, but no longer builds the Chromecast support CVE-2017-2892 (An exploitable arbitrary memory read vulnerability exists in the MQTT ...) 
- smplayer 18.5.0~ds1-1 (bug #898943) [stretch] - smplayer (Vulnerable code not present) [jessie] - smplayer (Vulnerable code not present) [wheezy] - smplayer (Vulnerable code not present) NOTE: 18.5.0~ds1-1 isn't fixed on the source level, but no longer builds the Chromecast support CVE-2017-2891 (An exploitable use-after-free vulnerability exists in the HTTP server ...) - smplayer 18.5.0~ds1-1 (bug #898943) [stretch] - smplayer (Vulnerable code not present) [jessie] - smplayer (Vulnerable code not present) [wheezy] - smplayer (Vulnerable code not present) NOTE: 18.5.0~ds1-1 isn't fixed on the source level, but no longer builds the Chromecast support CVE-2017-2890 (An exploitable vulnerability exists in the /api/CONFIG/restore functio ...) NOT-FOR-US: Circle with Disney CVE-2017-2889 (An exploitable Denial of Service vulnerability exists in the API daemo ...) NOT-FOR-US: Circle with Disney CVE-2017-2888 (An exploitable integer overflow vulnerability exists when creating a n ...) - libsdl2 2.0.6+dfsg1-4 (bug #878264) [stretch] - libsdl2 (Minor issue) [jessie] - libsdl2 (Minor issue) - libsdl1.2 (Issue not present, SDL_CreateRGBSurface contains further check for too large width or height) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0395 NOTE: https://hg.libsdl.org/SDL/rev/7e0f1498ddb5 NOTE: https://hg.libsdl.org/SDL/rev/81a4950907a0 CVE-2017-2887 (An exploitable buffer overflow vulnerability exists in the XCF propert ...) {DSA-4184-1 DSA-4177-1 DLA-1134-1} - libsdl2-image 2.0.1+dfsg-4 (bug #878266) - sdl-image1.2 1.2.12-7 (bug #878267) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0394 NOTE: https://hg.libsdl.org/SDL_image/rev/318484db0705 CVE-2017-2886 (A memory corruption vulnerability exists in the .PSD parsing functiona ...) NOT-FOR-US: ACDSee Ultimate CVE-2017-2885 (An exploitable stack based buffer overflow vulnerability exists in the ...) 
{DSA-3929-1} - libsoup2.4 2.56.1-1 (bug #871650) [wheezy] - libsoup2.4 (Vulnerable code not present) NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=785774 CVE-2017-2884 (An exploitable vulnerability exists in the user photo update functiona ...) NOT-FOR-US: Circle with Disney CVE-2017-2883 (An exploitable vulnerability exists in the database update functionali ...) NOT-FOR-US: Circle with Disney CVE-2017-2882 (An exploitable vulnerability exists in the servers update functionalit ...) NOT-FOR-US: Circle with Disney CVE-2017-2881 (An exploitable vulnerability exists in the torlist update functionalit ...) NOT-FOR-US: Circle with Disney CVE-2017-2880 (An memory corruption vulnerability exists in the .GIF parsing function ...) NOT-FOR-US: Computerinsel Photoline CVE-2017-2879 (An exploitable buffer overflow vulnerability exists in the UPnP implem ...) NOT-FOR-US: Foscam CVE-2017-2878 (An exploitable buffer overflow vulnerability exists in the web managem ...) NOT-FOR-US: Foscam CVE-2017-2877 (A missing error check exists in the Multi-Camera interface used by the ...) NOT-FOR-US: Foscam CVE-2017-2876 (An exploitable buffer overflow vulnerability exists in the Multi-Camer ...) NOT-FOR-US: Foscam CVE-2017-2875 (An exploitable buffer overflow vulnerability exists in the Multi-Camer ...) NOT-FOR-US: Foscam CVE-2017-2874 (An information disclosure vulnerability exists in the Multi-Camera int ...) NOT-FOR-US: Foscam CVE-2017-2873 (An exploitable command injection vulnerability exists in the web manag ...) NOT-FOR-US: Foscam CVE-2017-2872 (Insufficient security checks exist in the recovery procedure used by t ...) NOT-FOR-US: Foscam CVE-2017-2871 (Insufficient security checks exist in the recovery procedure used by t ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2870 (An exploitable integer overflow vulnerability exists in the tiff_image ...) 
{DLA-2043-1} - gdk-pixbuf 2.36.10-1 (unimportant; bug #873787) NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=31a6cff3dfc6944aad4612a9668b8ad39122e48b NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=770986 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=780269 NOTE: Built with GCC in Debian, which doesn't remove the check CVE-2017-2869 (An exploitable code execution vulnerability exists in the OpenProducer ...) NOT-FOR-US: Natus Xltek NeuroWorks CVE-2017-2868 (An exploitable code execution vulnerability exists in the NewProducerS ...) NOT-FOR-US: Natus Xltek NeuroWorks CVE-2017-2867 (An exploitable code execution vulnerability exists in the SavePatientM ...) NOT-FOR-US: Natus Xltek NeuroWorks CVE-2017-2866 (An exploitable vulnerability exists in the /api/CONFIG/backup function ...) NOT-FOR-US: Circle with Disney CVE-2017-2865 (An exploitable vulnerability exists in the firmware update functionali ...) NOT-FOR-US: Circle with Disney CVE-2017-2864 (An exploitable vulnerability exists in the generation of authenticatio ...) NOT-FOR-US: Circle with Disney CVE-2017-2863 (An out-of-bounds write vulnerability exists in the PDF parsing functio ...) NOT-FOR-US: Iceni Infix CVE-2017-2862 (An exploitable heap overflow vulnerability exists in the gdk_pixbuf__j ...) {DSA-3978-1 DLA-1100-1} - gdk-pixbuf 2.36.10-1 (bug #874552) NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=c2a40a92fe3df4111ed9da51fe3368c079b86926 NOTE: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=6dd89e126a277460faafc1f679db44ccf78446fb NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=784866 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0366 CVE-2017-2861 (An exploitable Denial of Service vulnerability exists in the use of a ...) NOT-FOR-US: Natus Xltek NeuroWorks CVE-2017-2860 (An exploitable denial-of-service vulnerability exists in the lookup en ...) 
NOT-FOR-US: Natus Xltek NeuroWorks CVE-2017-2859 REJECTED CVE-2017-2858 (An exploitable denial-of-service vulnerability exists in the traversal ...) NOT-FOR-US: Natus Xltek NeuroWorks CVE-2017-2857 (An exploitable buffer overflow vulnerability exists in the DDNS client ...) NOT-FOR-US: Foscam CVE-2017-2856 (An exploitable buffer overflow vulnerability exists in the DDNS client ...) NOT-FOR-US: Foscam CVE-2017-2855 (An exploitable buffer overflow vulnerability exists in the DDNS client ...) NOT-FOR-US: Foscam CVE-2017-2854 (An exploitable buffer overflow vulnerability exists in the DDNS client ...) NOT-FOR-US: Foscam CVE-2017-2853 (An exploitable Code Execution vulnerability exists in the RequestForPa ...) NOT-FOR-US: Natus Xltek NeuroWorks CVE-2017-2852 (An exploitable denial-of-service vulnerability exists in the unseriali ...) NOT-FOR-US: Natus Xltek NeuroWorks CVE-2017-2851 (In the web management interface in Foscam C1 Indoor HD cameras with ap ...) NOT-FOR-US: Foscam C1 Indoor HD cameras CVE-2017-2850 (In the web management interface in Foscam C1 Indoor HD cameras with ap ...) NOT-FOR-US: Foscam C1 Indoor HD cameras CVE-2017-2849 (In the web management interface in Foscam C1 Indoor HD cameras with ap ...) NOT-FOR-US: Foscam C1 Indoor HD cameras CVE-2017-2848 (In the web management interface in Foscam C1 Indoor HD cameras with ap ...) NOT-FOR-US: Foscam C1 Indoor HD cameras CVE-2017-2847 (In the web management interface in Foscam C1 Indoor HD cameras with ap ...) NOT-FOR-US: Foscam C1 Indoor HD cameras CVE-2017-2846 (In the web management interface in Foscam C1 Indoor HD cameras with ap ...) NOT-FOR-US: Foscam C1 Indoor HD cameras CVE-2017-2845 (An exploitable command injection vulnerability exists in the web manag ...) NOT-FOR-US: Foscam C1 Indoor HD cameras CVE-2017-2844 (In the web management interface in Foscam C1 Indoor HD cameras with ap ...) 
NOT-FOR-US: Foscam C1 Indoor HD cameras CVE-2017-2843 (In the web management interface in Foscam C1 Indoor HD Camera running ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2842 (In the web management interface in Foscam C1 Indoor HD Camera running ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2841 (An exploitable command injection vulnerability exists in the web manag ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2840 (A buffer overflow vulnerability exists in the ISO parsing functionalit ...) NOT-FOR-US: EZB Systems UltraISO CVE-2017-2839 (An exploitable denial of service vulnerability exists within the handl ...) {DSA-3923-1 DLA-1095-1} - freerdp 1.1.0~git20140921.1.440916e+dfsg1-14 (bug #869880) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0341 NOTE: http://blog.talosintelligence.com/2017/07/vulnerbility-spotlight-freerdp-multiple.html NOTE: https://github.com/FreeRDP/FreeRDP/commit/03ab68318966c3a22935a02838daaea7b7fbe96c (1.1) CVE-2017-2838 (An exploitable denial of service vulnerability exists within the handl ...) {DSA-3923-1 DLA-1095-1} - freerdp 1.1.0~git20140921.1.440916e+dfsg1-14 (bug #869880) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0340 NOTE: http://blog.talosintelligence.com/2017/07/vulnerbility-spotlight-freerdp-multiple.html NOTE: https://github.com/FreeRDP/FreeRDP/commit/03ab68318966c3a22935a02838daaea7b7fbe96c (1.1) CVE-2017-2837 (An exploitable denial of service vulnerability exists within the handl ...) {DSA-3923-1 DLA-1095-1} - freerdp 1.1.0~git20140921.1.440916e+dfsg1-14 (bug #869880) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0339 NOTE: http://blog.talosintelligence.com/2017/07/vulnerbility-spotlight-freerdp-multiple.html NOTE: https://github.com/FreeRDP/FreeRDP/commit/03ab68318966c3a22935a02838daaea7b7fbe96c (1.1) CVE-2017-2836 (An exploitable denial of service vulnerability exists within the readi ...) 
{DSA-3923-1 DLA-1095-1} - freerdp 1.1.0~git20140921.1.440916e+dfsg1-14 (bug #869880) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0338 NOTE: http://blog.talosintelligence.com/2017/07/vulnerbility-spotlight-freerdp-multiple.html NOTE: https://github.com/FreeRDP/FreeRDP/commit/03ab68318966c3a22935a02838daaea7b7fbe96c (1.1) CVE-2017-2835 (An exploitable code execution vulnerability exists in the RDP receive ...) {DSA-3923-1 DLA-1095-1} - freerdp 1.1.0~git20140921.1.440916e+dfsg1-14 (bug #869880) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0337 NOTE: http://blog.talosintelligence.com/2017/07/vulnerbility-spotlight-freerdp-multiple.html NOTE: https://github.com/FreeRDP/FreeRDP/commit/03ab68318966c3a22935a02838daaea7b7fbe96c (1.1) CVE-2017-2834 (An exploitable code execution vulnerability exists in the authenticati ...) {DSA-3923-1} - freerdp 1.1.0~git20140921.1.440916e+dfsg1-14 (bug #869880) [wheezy] - freerdp (vulnerable code not present) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0336 NOTE: http://blog.talosintelligence.com/2017/07/vulnerbility-spotlight-freerdp-multiple.html NOTE: https://github.com/FreeRDP/FreeRDP/commit/03ab68318966c3a22935a02838daaea7b7fbe96c (1.1) CVE-2017-2833 (An exploitable command injection vulnerability exists in the web manag ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2832 (An exploitable command injection vulnerability exists in the web manag ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2831 (An exploitable buffer overflow vulnerability exists in the web managem ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2830 (An exploitable buffer overflow vulnerability exists in the web managem ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2829 (An exploitable directory traversal vulnerability exists in the web man ...) 
NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2828 (An exploitable command injection vulnerability exists in the web manag ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2827 (An exploitable command injection vulnerability exists in the web manag ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2826 (An information disclosure vulnerability exists in the iConfig proxy re ...) - zabbix 1:4.0.0+dfsg-1 (low) [stretch] - zabbix (Minor issue, workaround exists) [jessie] - zabbix (Minor issue, workaround exists) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2017-0327 NOTE: Relates to the information disclosure as mentioned in (but is not the same issue) NOTE: https://support.zabbix.com/browse/ZBX-12076 NOTE: Workaround for Zabbix 3.0 exists: https://www.zabbix.com/documentation/3.0/manual/distributed_monitoring/proxies#configuration NOTE: using encrypted connections with the proxy. CVE-2017-2825 (In the trapper functionality of Zabbix Server 2.4.x, specifically craf ...) {DSA-3937-1} - zabbix 1:3.0.7+dfsg-3 (bug #863584) NOTE: http://www.talosintelligence.com/reports/TALOS-2017-0326/ NOTE: https://support.zabbix.com/browse/ZBX-12076 CVE-2017-2824 (An exploitable code execution vulnerability exists in the trapper comm ...) {DSA-3937-1} - zabbix 1:3.0.7+dfsg-3 (bug #863584) NOTE: http://www.talosintelligence.com/reports/TALOS-2017-0325/ NOTE: https://support.zabbix.com/browse/ZBX-12075 CVE-2017-2823 (A use-after-free vulnerability exists in the .ISO parsing functionalit ...) NOT-FOR-US: PowerISO CVE-2017-2822 (An exploitable code execution vulnerability exists in the image render ...) NOT-FOR-US: Lexmark CVE-2017-2821 (An exploitable use-after-free exists in the PDF parsing functionality ...) NOT-FOR-US: Lexmark CVE-2017-2820 (An exploitable integer overflow vulnerability exists in the JPEG 2000 ...) 
- poppler (unimportant) NOTE: Debian uses openjpeg for processing JPEG 2000 images, this advisory is NOTE: against Ubuntu, which disables openjpeg due to being in universe NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2017-0321 CVE-2017-2819 (An exploitable heap-based buffer overflow exists in the Hangul Word Pr ...) NOT-FOR-US: Hancom Thinkfree Office NEO CVE-2017-2818 (An exploitable heap overflow vulnerability exists in the image renderi ...) - poppler (unimportant) NOTE: Debian links against libjpeg which is unaffected NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2017-0319 CVE-2017-2817 (A stack buffer overflow vulnerability exists in the ISO parsing functi ...) NOT-FOR-US: PowerISO CVE-2017-2816 (An exploitable buffer overflow vulnerability exists in the tag parsing ...) {DLA-1192-1} - libofx 1:0.9.11-4 (bug #875801) [stretch] - libofx 1:0.9.10-2+deb9u1 [jessie] - libofx 1:0.9.10-1+deb8u1 NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0317 NOTE: https://github.com/libofx/libofx/commit/a70934eea95c76a7737b83773bffe8738935082d NOTE: https://github.com/libofx/libofx/issues/9 CVE-2017-2815 (An exploitable XML entity injection vulnerability exists in OpenFire U ...) NOT-FOR-US: OpenFire User Import Export Plugin CVE-2017-2814 (An exploitable heap overflow vulnerability exists in the image renderi ...) - poppler (unimportant) NOTE: Debian links against libjpeg which is unaffected NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2017-0319 CVE-2017-2813 (An exploitable integer overflow vulnerability exists in the JPEG 2000 ...) NOT-FOR-US: IrfanView CVE-2017-2812 (A code execution vulnerability exists in the kdu_buffered_expand funct ...) NOT-FOR-US: Kakadu CVE-2017-2811 (A code execution vulnerability exists in the Kakadu SDK 7.9's parsing ...) NOT-FOR-US: Kakadu CVE-2017-2810 (An exploitable vulnerability exists in the Databook loading functional ...) 
- python-tablib 0.9.11-3 (bug #864818) [stretch] - python-tablib 0.9.11-2+deb8u1 [jessie] - python-tablib 0.9.11-2+deb8u1 NOTE: Fixed by: https://github.com/kennethreitz/tablib/commit/69abfc3ada5d754cb152119c0b4777043657cb6e NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0307 CVE-2017-2809 (An exploitable vulnerability exists in the yaml loading functionality ...) NOT-FOR-US: Ansible Vault CVE-2017-2808 (An exploitable use-after-free vulnerability exists in the account pars ...) - ledger 3.1.2+dfsg1-1 (low; bug #876659) [stretch] - ledger (Minor issue) [jessie] - ledger (Minor issue) [wheezy] - ledger (Minor issue) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0304 NOTE: https://github.com/ledger/ledger/issues/1723 NOTE: https://github.com/ledger/ledger/commit/f3bad93db256db07b6cb831d4d24f47543f57e4a CVE-2017-2807 (An exploitable buffer overflow vulnerability exists in the tag parsing ...) - ledger 3.1.2+dfsg1-1 (low; bug #876660) [stretch] - ledger (Minor issue) [jessie] - ledger (Minor issue) [wheezy] - ledger (Minor issue) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0303 NOTE: https://github.com/ledger/ledger/issues/1722 NOTE: https://github.com/ledger/ledger/commit/5682f377aed5b0db6b6c4a44b1d8868103b7e9f7 CVE-2017-2806 (An exploitable arbitrary read exists in the XLS parsing of the Lexmark ...) NOT-FOR-US: Lexmark Perspective Document Filters conversion functionality CVE-2017-2805 (An exploitable stack-based buffer overflow vulnerability exists in the ...) NOT-FOR-US: Foscam C1 Indoor HD Camera CVE-2017-2804 (A remote out of bound write vulnerability exists in the TIFF parsing f ...) NOT-FOR-US: Core PHOTO-PAINT X8 CVE-2017-2803 (A remote out of bound write vulnerability exists in the TIFF parsing f ...) NOT-FOR-US: Core PHOTO-PAINT X8 CVE-2017-2802 (An exploitable dll hijacking vulnerability exists in the poaService.ex ...) 
NOT-FOR-US: Dell CVE-2017-2801 (A programming error exists in a way Randombit Botan cryptographic libr ...) {DSA-3939-1 DLA-915-1} - botan1.10 1.10.16-1 (bug #860072) NOTE: https://github.com/randombit/botan/commit/c927101675e5f63fc0bdd93c5a4825adc54323b4 (1.10.16) NOTE: Bug introduced in 1.6.0 or earlier, fixed in 2.1.0 and 1.10.16 CVE-2017-2800 (A specially crafted x509 certificate can cause a single out of bounds ...) - wolfssl 3.12.0+dfsg-1 (bug #862154) NOTE: http://www.talosintelligence.com/reports/TALOS-2017-0293/ CVE-2017-2799 (An exploitable heap corruption vulnerability exists in the AddSst func ...) NOT-FOR-US: Antenna House DMC HTMLFilter CVE-2017-2798 (An exploitable heap corruption vulnerability exists in the GetIndexArr ...) NOT-FOR-US: Antenna House DMC HTMLFilter CVE-2017-2797 (An exploitable heap overflow vulnerability exists in the ParseEnvironm ...) NOT-FOR-US: Antenna House CVE-2017-2796 RESERVED CVE-2017-2795 (An exploitable heap corruption vulnerability exists in the Txo functio ...) NOT-FOR-US: Antenna House CVE-2017-2794 (An exploitable stack-based buffer overflow vulnerability exists in the ...) NOT-FOR-US: Antenna House CVE-2017-2793 (An exploitable heap corruption vulnerability exists in the UnCompressU ...) NOT-FOR-US: Antenna House CVE-2017-2792 (An exploitable heap corruption vulnerability exists in the iBldDirInfo ...) NOT-FOR-US: Antenna House CVE-2017-2791 (JustSystems Ichitaro 2016 Trial contains a vulnerability that exists w ...) NOT-FOR-US: JustSystems Ichitaro 2016 Trial CVE-2017-2790 (When processing a record type of 0x3c from a Workbook stream from an E ...) NOT-FOR-US: JustSystems Ichitaro Office CVE-2017-2789 (When copying filedata into a buffer, JustSystems Ichitaro Office 2016 ...) NOT-FOR-US: JustSystems Ichitaro Office 2016 Trial CVE-2017-2788 (A buffer overflows exists in the psnotifyd application of the Pharos P ...) 
NOT-FOR-US: Pharos PopUp Printer Client CVE-2017-2787 (A buffer overflows exists in the psnotifyd application of the Pharos P ...) NOT-FOR-US: Pharos PopUp Printer Client CVE-2017-2786 (A denial of service vulnerability exists in the psnotifyd application ...) NOT-FOR-US: Pharos PopUp Printer Client CVE-2017-2785 (An exploitable buffer overflow exists in the psnotifyd application of ...) NOT-FOR-US: Pharos PopUp Printer Client CVE-2017-2784 (An exploitable free of a stack pointer vulnerability exists in the x50 ...) - mbedtls 2.4.2-1 (bug #857560) - polarssl (bug #857561) [jessie] - polarssl 1.3.9-2.1+deb8u2 [wheezy] - polarssl (Vulnerable code not present) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-01 NOTE: Wheezy do not have any elliptic curve functionality. Jessie is affected however. CVE-2017-2783 (An exploitable heap corruption vulnerability exists in the FillRowForm ...) NOT-FOR-US: AntennaHouse CVE-2017-2782 (An integer overflow vulnerability exists in the X509 certificate parsi ...) - matrixssl [wheezy] - matrixssl (not supported in Wheezy) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2017-0278 CVE-2017-2781 (An exploitable heap buffer overflow vulnerability exists in the X509 c ...) - matrixssl [wheezy] - matrixssl (not supported in Wheezy) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2017-0277 CVE-2017-2780 (An exploitable heap buffer overflow vulnerability exists in the X509 c ...) - matrixssl [wheezy] - matrixssl (not supported in Wheezy) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2017-0276 CVE-2017-2779 (An exploitable memory corruption vulnerability exists in the RSRC segm ...) NOT-FOR-US: Labview CVE-2017-2778 REJECTED CVE-2017-2777 (An exploitable heap overflow vulnerability exists in the ipStringCreat ...) NOT-FOR-US: Iceni Argus CVE-2017-2776 REJECTED CVE-2017-2775 (An exploitable memory corruption vulnerability exists in the LvVariant ...) 
NOT-FOR-US: Labview CVE-2017-2774 REJECTED CVE-2017-2773 (An issue was discovered in Pivotal PCF Elastic Runtime 1.6.x versions ...) NOT-FOR-US: Pivotal PCF Elastic Runtime CVE-2017-2772 REJECTED CVE-2017-2771 REJECTED CVE-2017-2770 REJECTED CVE-2017-2769 REJECTED CVE-2017-2768 (EMC Network Configuration Manager (NCM) 9.3.x, EMC Network Configurati ...) NOT-FOR-US: EMC Network Configuration Manager CVE-2017-2767 (EMC Network Configuration Manager (NCM) 9.3.x, EMC Network Configurati ...) NOT-FOR-US: EMC Network Configuration Manager CVE-2017-2766 (EMC Documentum eRoom version 7.4.4, EMC Documentum eRoom version 7.4.4 ...) NOT-FOR-US: EMC Documentum eRoom CVE-2017-2765 (EMC Isilon InsightIQ 4.1.0, 4.0.1, 4.0.0, 3.2.2, 3.2.1, 3.2.0, 3.1.1, ...) NOT-FOR-US: EMC Isilon InsightIQ CVE-2017-2764 RESERVED CVE-2017-2763 RESERVED CVE-2017-2762 RESERVED CVE-2017-2761 RESERVED CVE-2017-2760 RESERVED CVE-2017-2759 RESERVED CVE-2017-2758 RESERVED CVE-2017-2757 RESERVED CVE-2017-2756 RESERVED CVE-2017-2755 RESERVED CVE-2017-2754 RESERVED CVE-2017-2753 RESERVED CVE-2017-2752 (A potential security vulnerability caused by incomplete obfuscation of ...) NOT-FOR-US: Tommy Hilfiger TH24/7 Android app CVE-2017-2751 (A BIOS password extraction vulnerability has been reported on certain ...) NOT-FOR-US: firmware on HP notebooks CVE-2017-2750 (Insufficient Solution DLL Signature Validation allows potential execut ...) NOT-FOR-US: HP printers CVE-2017-2749 RESERVED CVE-2017-2748 (A potential security vulnerability caused by the use of insecure (http ...) NOT-FOR-US: Isaac Mizrahi Smartwatch mobile app CVE-2017-2747 (HP has identified a potential security vulnerability before IG_11_00_0 ...) NOT-FOR-US: HP printers CVE-2017-2746 (Potential security vulnerabilities have been identified with HP JetAdv ...) NOT-FOR-US: HP JetAdvantage Security Manager CVE-2017-2745 (Potential security vulnerabilities have been identified with HP JetAdv ...) 
NOT-FOR-US: HP JetAdvantage Security Manager CVE-2017-2744 (The vulnerability allows attacker to extract binaries into protected f ...) NOT-FOR-US: HP Support Assistant CVE-2017-2743 (HP has identified a potential security vulnerability with HP Enterpris ...) NOT-FOR-US: HP printers CVE-2017-2742 (A potential security vulnerability has been identified with HP Web Jet ...) NOT-FOR-US: HP Web JetAdmin CVE-2017-2741 (A potential security vulnerability has been identified with HP PageWid ...) NOT-FOR-US: HP printers CVE-2017-2740 (A potential security vulnerability has been identified with the comman ...) NOT-FOR-US: HP ThinPro CVE-2017-2739 (The upgrade package of Huawei Vmall APP Earlier than HwVmall 1.5.3.0 v ...) NOT-FOR-US: Huawei CVE-2017-2738 (VCM5010 with software versions earlier before V100R002C50SPC100 has an ...) NOT-FOR-US: Huawei CVE-2017-2737 (VCM5010 with software versions earlier before V100R002C50SPC100 has an ...) NOT-FOR-US: Huawei CVE-2017-2736 (VCM5010 with software versions earlier before V100R002C50SPC100 has a ...) NOT-FOR-US: Huawei CVE-2017-2735 (TIT-AL00 smartphones with software versions earlier before TIT-AL00C58 ...) NOT-FOR-US: Huawei CVE-2017-2734 (P9 Plus smartphones with software versions earlier before VIE-AL10BC00 ...) NOT-FOR-US: Huawei CVE-2017-2733 (Honor 6X smartphones with software versions earlier than BLN-AL10C00B3 ...) NOT-FOR-US: Huawei CVE-2017-2732 (Huawei Hilink APP Versions earlier before 5.0.25.306 has an informatio ...) NOT-FOR-US: Huawei CVE-2017-2731 (The vibrator service in P9 Plus smart phones with software versions ea ...) NOT-FOR-US: Huawei CVE-2017-2730 (HUAWEI HiLink APP (for IOS) versions earlier before 5.0.25.306 and HUA ...) NOT-FOR-US: Huawei CVE-2017-2729 (The boot loaders in Honor 5A smart phones with software Versions earli ...) NOT-FOR-US: Huawei CVE-2017-2728 (Some Huawei mobile phones Honor 6X Berlin-L22C636B150 and earlier vers ...) 
NOT-FOR-US: Huawei CVE-2017-2727 (Huawei P9 smart phones with software versions earlier before EVA-AL00C ...) NOT-FOR-US: Huawei CVE-2017-2726 (Bastet in P10 Plus and P10 smart phones with software earlier than VKY ...) NOT-FOR-US: Huawei CVE-2017-2725 (Bastet in P10 Plus and P10 smart phones with software earlier than VKY ...) NOT-FOR-US: Huawei CVE-2017-2724 (Bastet in P10 Plus and P10 smart phones with software earlier than VKY ...) NOT-FOR-US: Huawei CVE-2017-2723 (The Files APP 7.1.1.308 and earlier versions in some Huawei mobile pho ...) NOT-FOR-US: Huawei CVE-2017-2722 (DP300 V500R002C00,TE60 with software V100R001C01, V100R001C10, V100R00 ...) NOT-FOR-US: Huawei CVE-2017-2721 (Some Huawei smart phones with software Berlin-L21C10B130,Berlin-L21C18 ...) NOT-FOR-US: Huawei CVE-2017-2720 (FusionSphere OpenStack V100R006C00 has an information exposure vulnera ...) NOT-FOR-US: Huawei CVE-2017-2719 (FusionSphere OpenStack with software V100R006C00 and V100R006C10RC2 ha ...) NOT-FOR-US: Huawei CVE-2017-2718 (FusionSphere OpenStack with software V100R006C00 and V100R006C10RC2 ha ...) NOT-FOR-US: Huawei CVE-2017-2717 (honor 8 Pro with software Duke-L09C10B120 and earlier versions,Duke-L0 ...) NOT-FOR-US: Huawei CVE-2017-2716 (The camerafs driver in Mate 9 Versions earlier than MHA-AL00BC00B173 h ...) NOT-FOR-US: Huawei CVE-2017-2715 (The Files APP 7.1.1.309 and earlier versions in some Huawei mobile pho ...) NOT-FOR-US: Huawei CVE-2017-2714 (The GaussDB in FusionSphere OpenStack V100R005C10SPC705 and earlier ve ...) NOT-FOR-US: Huawei CVE-2017-2713 (HUAWEI P9 smartphones with software versions earlier before EVA-L09C43 ...) NOT-FOR-US: Huawei CVE-2017-2712 (S3300 V100R006C05 have an Ethernet in the First Mile (EFM) flapping vu ...) NOT-FOR-US: Huawei CVE-2017-2711 (P9 Plus smartphones with software earlier than VIE-AL10C00B352 version ...) NOT-FOR-US: Huawei CVE-2017-2710 (BTV-W09C229B002CUSTC229D005,BTV-W09C233B029, earlier than BTV-W09C100B ...) 
NOT-FOR-US: Huawei CVE-2017-2709 (HiGame with software earlier than 7.3.0 versions, SkyTone with softwar ...) NOT-FOR-US: Huawei CVE-2017-2708 (The 'Find Phone' function in Nice smartphones with software versions e ...) NOT-FOR-US: Huawei CVE-2017-2707 (Mate 9 smartphones with software MHA-AL00AC00B125 have a privilege esc ...) NOT-FOR-US: Huawei CVE-2017-2706 (Mate 9 smartphones with software MHA-AL00AC00B125 have a directory tra ...) NOT-FOR-US: Huawei CVE-2017-2705 (Huawei P9 smartphones with software versions earlier before EVA-AL10C0 ...) NOT-FOR-US: Huawei CVE-2017-2704 (Smarthome 1.0.2.364 and earlier versions,HiAPP 7.3.0.303 and earlier v ...) NOT-FOR-US: Huawei CVE-2017-2703 (Phone Finder in versions earlier before MHA-AL00BC00B156,Versions earl ...) NOT-FOR-US: Huawei CVE-2017-2702 (Phone Finder in versions earlier before MHA-AL00C00B170 can be bypass. ...) NOT-FOR-US: Huawei CVE-2017-2701 (Mate 9 with software MHA-AL00AC00B125 has a denial of service (DoS) vu ...) NOT-FOR-US: Huawei CVE-2017-2700 (AC6005 with software V200R006C10, AC6605 with software V200R006C10 hav ...) NOT-FOR-US: Huawei CVE-2017-2699 (The Huawei Themes APP in versions earlier than PLK-UL00C17B385, versio ...) NOT-FOR-US: Huawei CVE-2017-2698 (The ddr_devfreq driver in versions earlier than GRA-UL00C00B197 has bu ...) NOT-FOR-US: Huawei CVE-2017-2697 (The goldeneye driver in NMO-L31C432B120 and earlier versions,NEM-L21C4 ...) NOT-FOR-US: Huawei CVE-2017-2696 (The emerg_data driver in CAM-L21C10B130 and earlier versions, CAM-L21C ...) NOT-FOR-US: Huawei CVE-2017-2695 (TIT-AL00C583B211 has a directory traversal vulnerability which allows ...) NOT-FOR-US: Huawei CVE-2017-2694 (The AlarmService component in HwVmall with software earlier than 1.5.2 ...) NOT-FOR-US: Huawei CVE-2017-2693 (ALE-L02C635B140 and earlier versions,ALE-L02C636B140 and earlier versi ...) NOT-FOR-US: Huawei CVE-2017-2692 (The Keyguard application in ALE-L02C635B140 and earlier versions,ALE-L ...) 
NOT-FOR-US: Huawei CVE-2017-2691 (Huawei P9 versions earlier before EVA-AL10C00B373, versions earlier be ...) NOT-FOR-US: Huawei CVE-2017-2690 (SoftCo with software V200R003C20,eSpace U1910 with software V200R003C0 ...) NOT-FOR-US: Huawei CVE-2017-2689 (Siemens RUGGEDCOM ROX I (all versions) allow an authenticated user to ...) NOT-FOR-US: Siemens CVE-2017-2688 (The integrated web server in Siemens RUGGEDCOM ROX I (all versions) at ...) NOT-FOR-US: Siemens CVE-2017-2687 (Siemens RUGGEDCOM ROX I (all versions) contain a vulnerability in the ...) NOT-FOR-US: Siemens CVE-2017-2686 (Siemens RUGGEDCOM ROX I (all versions) contain a vulnerability that co ...) NOT-FOR-US: Siemens CVE-2017-2685 (Siemens SINUMERIK Integrate Operate Clients between 2.0.3.00.016 (incl ...) NOT-FOR-US: Siemens CVE-2017-2684 (Siemens SIMATIC Logon prior to V1.5 SP3 Update 2 could allow an attack ...) NOT-FOR-US: Siemens CVE-2017-2683 (A non-privileged user of the Siemens web application RUGGEDCOM NMS < ...) NOT-FOR-US: Siemens CVE-2017-2682 (The Siemens web application RUGGEDCOM NMS < V1.2 on port 8080/TCP a ...) NOT-FOR-US: Siemens CVE-2017-2681 (Specially crafted PROFINET DCP packets sent on a local Ethernet segmen ...) NOT-FOR-US: Siemens CVE-2017-2680 (Specially crafted PROFINET DCP broadcast packets could cause a Denial- ...) NOT-FOR-US: Siemens CVE-2017-2679 REJECTED CVE-2017-2678 REJECTED CVE-2017-2677 REJECTED CVE-2017-2676 REJECTED CVE-2017-2675 (Little Snitch version 3.0 through 3.7.3 suffer from a local privilege ...) NOT-FOR-US: Little Snitch CVE-2017-2674 (JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a stored X ...) NOT-FOR-US: Red Hat business central CVE-2017-2673 (An authorization-check flaw was discovered in federation configuration ...) 
- keystone 2:10.0.0-9 (bug #861189) [jessie] - keystone (Vulnerable code not present) [wheezy] - keystone (Vulnerable code not present) NOTE: https://bugs.launchpad.net/keystone/+bug/1677723 CVE-2017-2672 (A flaw was found in foreman before version 1.15 in the logging of addi ...) - foreman (bug #663101) CVE-2017-2671 (The ping_unhash function in net/ipv4/ping.c in the Linux kernel throug ...) {DLA-922-1} - linux 4.9.25-1 [jessie] - linux 3.16.43-1 NOTE: https://www.openwall.com/lists/oss-security/2017/03/24/6 NOTE: Fixed by: https://git.kernel.org/linus/43a6684519ab0a6c52024b5e25322476cabad893 CVE-2017-2670 (It was found in Undertow before 1.3.28 that with non-clean TCP close, ...) {DSA-3906-1} - undertow 1.4.18-1 (bug #864405) NOTE: Fixed by https://github.com/undertow-io/undertow/commit/9bfe9fbbb595d51157b61693f072895f7dbadd1d NOTE: https://issues.jboss.org/browse/UNDERTOW-1035 CVE-2017-2669 (Dovecot before version 2.2.29 is vulnerable to a denial of service. Wh ...) - dovecot 1:2.2.27-3 (bug #860049) [jessie] - dovecot (Vulnerable code not present) [wheezy] - dovecot (Vulnerable code not present) NOTE: Fixed by: https://github.com/dovecot/core/commit/000030feb7a30f193197f1aab8a7b04a26b42735 NOTE: Introduced by: https://github.com/dovecot/core/commit/a3783f8a3c9cd816b51e77a922f82301512fcf22 CVE-2017-2668 (389-ds-base before versions 1.3.5.17 and 1.3.6.10 is vulnerable to an ...) - 389-ds-base 1.3.5.17-1 (bug #860125) [jessie] - 389-ds-base (Vulnerable code not present) NOTE: CentOS fix: https://git.centos.org/raw/rpms!389-ds-base!/c9e5dad69e2b497f118efac56f43cc6c74b6a695/SOURCES!0072-fix-for-cve-2017-2668-simple-return-text-if-suffix-n.patch NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1436575 CVE-2017-2667 (Hammer CLI, a CLI utility for Foreman, before version 0.10.0, did not ...) - foreman (bug #663101) CVE-2017-2666 (It was discovered in Undertow that the code that parsed the HTTP reque ...) 
{DSA-3906-1} - undertow 1.4.18-1 (bug #864405) NOTE: https://issues.jboss.org/browse/UNDERTOW-1101 NOTE: Fixed by https://github.com/undertow-io/undertow/commit/1e72647818c9fb31b693a953b1ae595a6c82eb7f CVE-2017-2665 (The skyring-setup command creates random password for mongodb skyring ...) NOT-FOR-US: Red Hat Storage / skyring CVE-2017-2664 (CloudForms Management Engine (cfme) before 5.7.3 and 5.8.x before 5.8. ...) NOT-FOR-US: Red Hat CloudForms CVE-2017-2663 (It was found that subscription-manager's DBus interface before 1.19.4 ...) NOT-FOR-US: candlepin / subscription-manager CVE-2017-2662 (A flaw was found in Foreman's katello plugin version 3.4.5. After sett ...) - foreman (bug #663101) CVE-2017-2661 (ClusterLabs pcs before version 0.9.157 is vulnerable to a cross-site s ...) - pcs 0.9.155+dfsg-2 (bug #858379) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1428948 NOTE: https://github.com/ClusterLabs/pcs/commit/1874a769b5720ae5430f10c6cedd234430bc703f NOTE: https://www.openwall.com/lists/oss-security/2017/03/23/2 CVE-2017-2660 REJECTED CVE-2017-2659 (It was found that dropbear before version 2013.59 with GSSAPI leaks wh ...) - dropbear 2013.60-1 NOTE: https://hg.ucc.asn.au/dropbear/rev/d7784616409a#l1.86 CVE-2017-2658 (It was discovered that the Dashbuilder login page as used in Red Hat J ...) NOT-FOR-US: JBoss BPMS CVE-2017-2657 RESERVED CVE-2017-2656 REJECTED CVE-2017-2655 REJECTED CVE-2017-2654 (jenkins-email-ext before version 2.57.1 is vulnerable to an Informatio ...) NOT-FOR-US: jenkins-email-ext CVE-2017-2653 (A number of unused delete routes are present in CloudForms before 5.7. ...) NOT-FOR-US: Red Hat CloudForms CVE-2017-2652 (It was found that there were no permission checks performed in the Dis ...) NOT-FOR-US: Jenkins plugin CVE-2017-2651 (jenkins-mailer-plugin before version 1.20 is vulnerable to an informat ...) NOT-FOR-US: jenkins-mailer-plugin CVE-2017-2650 (It was found that the use of Pipeline: Classpath Step Jenkins plugin e ...) 
NOT-FOR-US: Jenkins plugin CVE-2017-2649 (It was found that the Active Directory Plugin for Jenkins up to and in ...) NOT-FOR-US: Jenkins plugin CVE-2017-2648 (It was found that jenkins-ssh-slaves-plugin before version 1.15 did no ...) NOT-FOR-US: jenkins-ssh-slaves-plugin CVE-2017-2647 (The KEYS subsystem in the Linux kernel before 3.18 allows local users ...) {DLA-922-1} - linux 4.0.2-1 [jessie] - linux 3.16.43-1 NOTE: Fixed by: https://git.kernel.org/linus/c06cfb08b88dfbe13be44a69ae2fdc3a7c902d81 (v3.18-rc1) CVE-2017-2646 (It was found that when Keycloak before 2.5.5 receives a Logout request ...) NOT-FOR-US: Keycloak CVE-2017-2645 (In Moodle 3.x, XSS can occur via attachments to evidence of prior lear ...) - moodle (Only affects 3.2 to 3.2.1 and 3.1 to 3.1.4) NOTE: https://tracker.moodle.org/browse/MDL-57597 NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57597 CVE-2017-2644 (In Moodle 3.x, XSS can occur via evidence of prior learning. ...) - moodle (Only affects 3.2 to 3.2.1 and 3.1 to 3.1.4) NOTE: https://tracker.moodle.org/browse/MDL-57596 NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-57596 CVE-2017-2643 (In Moodle 3.2.x, global search displays user names for unauthenticated ...) - moodle (Only affects 3.2 to 3.2.1) NOTE: https://tracker.moodle.org/browse/MDL-56526 NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-56526 CVE-2017-2642 (Moodle 3.x has user fullname disclosure on the user preferences page. ...) - moodle NOTE: https://moodle.org/mod/forum/discuss.php?d=355554 CVE-2017-2641 (In Moodle 2.x and 3.x, SQL injection can occur via user preferences. ...) - moodle 2.7.19+dfsg-1 NOTE: https://tracker.moodle.org/browse/MDL-58010 NOTE: https://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-58010 CVE-2017-2640 (An out-of-bounds write flaw was found in the way Pidgin before 2.12.0 ...) 
{DSA-3806-1 DLA-853-1} - pidgin 2.12.0-1 (bug #859159) NOTE: https://www.pidgin.im/news/security/?id=109 NOTE: https://bitbucket.org/pidgin/main/commits/b2fc9e774cb9 CVE-2017-2639 (It was found that CloudForms does not verify that the server hostname ...) NOT-FOR-US: Red Hat CloudForms Management Engine CVE-2017-2638 (It was found that the REST API in Infinispan before version 9.0.0 did ...) NOT-FOR-US: infinispan CVE-2017-2637 (A design flaw issue was found in the Red Hat OpenStack Platform direct ...) NOT-FOR-US: Red Hat OpenStack Platform director CVE-2017-2636 (Race condition in drivers/tty/n_hdlc.c in the Linux kernel through 4.1 ...) {DSA-3804-1 DLA-849-1} - linux 4.9.16-1 NOTE: https://www.openwall.com/lists/oss-security/2017/03/07/6 NOTE: Fixed by: https://git.kernel.org/linus/82f2341c94d270421f383641b7cd670e474db56b (v4.11-rc2) NOTE: https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html CVE-2017-2635 (A NULL pointer deference flaw was found in the way libvirt from 2.5.0 ...) - libvirt 3.0.0-3 (bug #856313) [jessie] - libvirt (Vulnerable code introduced later) [wheezy] - libvirt (Vulnerable code introduced later) NOTE: Introduced by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=c5f6151390ff0a8e65014172bb8c0a8d312c3353 (v3.0.0-rc1) NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=c3de387380f6057ee0e46cd9f2f0a092e8070875 (v3.1.0-rc1) CVE-2017-2634 (It was found that the Linux kernel's Datagram Congestion Control Proto ...) - linux (Fixed before initial rename to src:linux) NOTE: Fixed by: https://git.kernel.org/linus/f53dc67c5e7babafe239b93a11678b0e05bead51 (2.6.25-rc1) CVE-2017-2633 (An out-of-bounds memory access issue was found in Quick Emulator (QEMU ...) 
- qemu 2.1+dfsg-1 [wheezy] - qemu (Can be fixed along when more severe issues are being fixed) - qemu-kvm [wheezy] - qemu-kvm (Can be fixed along when more severe issues are being fixed) NOTE: Upstream patch: http://git.qemu-project.org/?p=qemu.git;a=commitdiff;h=bea60dd7679364493a0d7f5b54316c767cf894ef NOTE: Upstream patch: http://git.qemu-project.org/?p=qemu.git;a=commit;h=9f64916da20eea67121d544698676295bbb105a7 CVE-2017-2632 (A logic error in valid_role() in CloudForms role validation before 5.7 ...) NOT-FOR-US: Red Hat CloudForms Management Engine CVE-2017-2631 RESERVED CVE-2017-2630 (A stack buffer overflow flaw was found in the Quick Emulator (QEMU) be ...) - qemu 1:2.8+dfsg-3 (bug #855227) [jessie] - qemu (Vulnerable code introduced in v2.8.0-rc0) [wheezy] - qemu (Vulnerable code introduced in v2.8.0-rc0) - qemu-kvm (Vulnerable code introduced later) NOTE: Upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg01246.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1422415 CVE-2017-2629 (curl before 7.53.0 has an incorrect TLS Certificate Status Request ext ...) - curl 7.52.1-3 [jessie] - curl (Vulnerable code introduced later) [wheezy] - curl (Vulnerable code introduced later) NOTE: https://github.com/curl/curl/commit/ca6ea6d9be5102a2246dff6e17b3ee9ad4ec64d0 NOTE: Patch: https://curl.haxx.se/CVE-2017-2629.patch NOTE: https://curl.haxx.se/docs/adv_20170222.html CVE-2017-2628 (curl, as shipped in Red Hat Enterprise Linux 6 before version 7.19.7-5 ...) - curl (Red Hat specific backport issue) CVE-2017-2627 (A flaw was found in openstack-tripleo-common as shipped with Red Hat O ...) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1421917 NOT-FOR-US: RHEL packaging flaw for openstack CVE-2017-2626 (It was discovered that libICE before 1.0.9-8 used a weak entropy to ge ...) 
{DLA-2002-1} - libice 2:1.0.9-2 (bug #856400) [wheezy] - libice (Minor issue, can be fixed in a point update or next DSA) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/ CVE-2017-2625 (It was discovered that libXdmcp before 1.1.2 including used weak entro ...) {DLA-2006-1} - libxdmcp 1:1.1.2-2 (bug #856399) [wheezy] - libxdmcp (Minor issue, can be fixed in a point update or next DSA) NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/ CVE-2017-2624 (It was found that xorg-x11-server before 1.19.0 including uses memcmp( ...) {DLA-1186-1} - xorg-server 2:1.19.2-1 (low; bug #856398) [jessie] - xorg-server 2:1.16.4-1+deb8u2 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg/ CVE-2017-2623 (It was discovered that rpm-ostree and rpm-ostree-client before 2017.3 ...) NOT-FOR-US: Red Hat rpm-ostree CVE-2017-2622 (An accessibility flaw was found in the OpenStack Workflow (mistral) se ...) - mistral (Red Hat-specific) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1420992 NOTE: tracing the installation shows that mkdir -p /var/log/mistral NOTE: is executed, which depending on the umask might end in wrong NOTE: permissions. But for Debian the final permissions seem to end NOTE: to 0750, despite, owned by mistral:adm. Thus might need more NOTE: investigation to determine the affected status. CVE-2017-2621 (An access-control flaw was found in the OpenStack Orchestration (heat) ...) - heat (heat-common postinst chmod's 0750 /var/log/heat) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1420990 CVE-2017-2620 (Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA E ...) 
{DLA-1497-1 DLA-1270-1 DLA-845-1 DLA-842-1} - qemu 1:2.8+dfsg-3 (bug #855791) - qemu-kvm - xen 4.4.0-1 NOTE: Xen switched to qemu-system in 4.4.0-1 NOTE: https://xenbits.xen.org/xsa/advisory-209.html NOTE: Qemu upstream patch: https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg04700.html CVE-2017-2619 (Samba before versions 4.6.1, 4.5.7 and 4.4.11 are vulnerable to a mali ...) {DSA-3816-1 DLA-894-1} - samba 2:4.5.6+dfsg-2 NOTE: https://www.samba.org/samba/security/CVE-2017-2619.html CVE-2017-2618 (A flaw was found in the Linux kernel's handling of clearing SELinux at ...) {DSA-3791-1} - linux 4.9.10-1 [wheezy] - linux (Vulnerable code not present) NOTE: Fixed by: https://github.com/torvalds/linux/commit/0c461cb727d146c9ef2d3e86214f498b78b7d125 CVE-2017-2617 (hawtio before version 1.5.5 is vulnerable to remote code execution via ...) NOT-FOR-US: hawtio CVE-2017-2616 (A race condition was found in util-linux before 2.32.1 in the way su h ...) {DSA-3793-1 DLA-838-1} - shadow 1:4.4-4 (bug #855943) NOTE: https://github.com/shadow-maint/shadow/commit/08fd4b69e84364677a10e519ccb25b71710ee686 - util-linux 2.29.2-1 (unimportant) NOTE: https://github.com/karelzak/util-linux/commit/dffab154d29a288aa171ff50263ecc8f2e14a891 - coreutils 8.20-1 (unimportant) NOTE: Coreutils: Removed from source in https://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=928dd737 NOTE: and not installed by default since 2007. CVE-2017-2615 (Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator sup ...) {DLA-1497-1 DLA-845-1 DLA-842-1} - qemu 1:2.8+dfsg-3 (low; bug #854731) NOTE: Introduced with: http://git.qemu.org/?p=qemu.git;a=commit;h=d3532a0db02296e687711b8cdc7791924efccea0 (which was the fix for CVE-2014-8106) NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=62d4c6bd5263bb8413a06c80144fc678df6dfb64 CVE-2017-2614 (When updating a password in the rhvm database the ovirt-aaa-jdbc-tool ...) 
NOT-FOR-US: Red Hat ovirt-aaa-jdbc-tool tools CVE-2017-2613 (jenkins before versions 2.44, 2.32.2 is vulnerable to a user creation ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2612 (In Jenkins before versions 2.44, 2.32.2 low privilege users were able ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2611 (Jenkins before versions 2.44, 2.32.2 is vulnerable to an insufficient ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2610 (jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cros ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2609 (jenkins before versions 2.44, 2.32.2 is vulnerable to an information d ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2608 (Jenkins before versions 2.44, 2.32.2 is vulnerable to a remote code ex ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2607 (jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cros ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2606 (Jenkins before versions 2.44, 2.32.2 is vulnerable to an information e ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2605 REJECTED CVE-2017-2604 (In Jenkins before versions 2.44, 2.32.2 low privilege users were able ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2603 (Jenkins before versions 2.44, 2.32.2 is vulnerable to a user data leak ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2602 (jenkins before versions 2.44, 2.32.2 is vulnerable to an improper blac ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2601 (Jenkins before versions 2.44, 2.32.2 is vulnerable to a persisted cros ...) 
- jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2600 (In jenkins before versions 2.44, 2.32.2 node monitor data could be vie ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2599 (Jenkins before versions 2.44 and 2.32.2 is vulnerable to an insufficie ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2598 (Jenkins before versions 2.44, 2.32.2 uses AES ECB block cipher mode wi ...) - jenkins NOTE: https://jenkins.io/security/advisory/2017-02-01/ CVE-2017-2597 RESERVED CVE-2017-2596 (The nested_vmx_check_vmptr function in arch/x86/kvm/vmx.c in the Linux ...) {DSA-3791-1} - linux 4.9.13-1 [wheezy] - linux (Vulnerable code not present) NOTE: https://www.spinics.net/lists/kvm/msg144319.html NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1417812 CVE-2017-2595 (It was found that the log file viewer in Red Hat JBoss Enterprise Appl ...) - wildfly (bug #752018) CVE-2017-2594 (hawtio before versions 2.0-beta-1, 2.0-beta-2 2.0-m1, 2.0-m2, 2.0-m3, ...) NOT-FOR-US: hawtio CVE-2017-2593 RESERVED CVE-2017-2592 (python-oslo-middleware before versions 3.8.1, 3.19.1, 3.23.1 is vulner ...) - python-oslo.middleware 3.19.0-3 (bug #852742) NOTE: https://launchpad.net/bugs/1628031 CVE-2017-2591 (389-ds-base before version 1.3.6 is vulnerable to an improperly NULL t ...) - 389-ds-base 1.3.5.15-2 (bug #851769) [jessie] - 389-ds-base (Only affects 1.3.4.0 and later) NOTE: https://fedorahosted.org/389/changeset/ffda694dd622b31277da07be76d3469fad86150f/ CVE-2017-2590 (A vulnerability was found in ipa before 4.4. IdM's ca-del, ca-disable, ...) 
- freeipa (ca plugin introduced in 4.4) NOTE: https://pagure.io/freeipa/issue/6713 NOTE: Fixed by (master): https://pagure.io/freeipa/c/b81ac59640f0b76fa9f53cf8be441f085a7089c4?branch=master NOTE: Fixed by (ipa-4.4): https://pagure.io/freeipa/c/1aa314c79648c442473f19344387bfe11ec2141b?branch=ipa-4-4 CVE-2017-2589 (It was discovered that the hawtio servlet 1.4 uses a single HttpClient ...) NOT-FOR-US: hawtio CVE-2017-2588 RESERVED CVE-2017-2587 (A memory allocation vulnerability was found in netpbm before 10.61. A ...) - netpbm-free (vulnerable code not present) NOTE: Debian uses an old fork of netpbm NOTE: Fixed by http://pkgs.fedoraproject.org/cgit/rpms/netpbm.git/commit/?id=c16a8b893ed77fc3f6f2b382d0d47d03621ed328 CVE-2017-2586 (A null pointer dereference vulnerability was found in netpbm before 10 ...) - netpbm-free (vulnerable code not present) NOTE: Debian uses an old fork of netpbm NOTE: Fixed by http://pkgs.fedoraproject.org/cgit/rpms/netpbm.git/commit/?id=c16a8b893ed77fc3f6f2b382d0d47d03621ed328 CVE-2017-2585 (Red Hat Keycloak before version 2.5.1 has an implementation of HMAC ve ...) NOT-FOR-US: Keycloak CVE-2017-2584 (arch/x86/kvm/emulate.c in the Linux kernel through 4.9.3 allows local ...) {DSA-3791-1} - linux 4.9.6-1 [wheezy] - linux (Vulnerable code introduced in 3.6-rc1) NOTE: Upstream patch: https://www.spinics.net/lists/kvm/msg143571.html NOTE: Fixed by: https://git.kernel.org/linus/129a72a0d3c8e139a04512325384fe5ac119e74d CVE-2017-2583 (The load_segment_descriptor implementation in arch/x86/kvm/emulate.c i ...) {DSA-3791-1} - linux 4.9.6-1 [wheezy] - linux (Vulnerable code introduced in 3.6-rc1) NOTE: Fixed by: https://git.kernel.org/linus/33ab91103b3415e12457e3104f0e4517ce12d0f3 CVE-2017-2582 (It was found that while parsing the SAML messages the StaxParserUtil c ...) NOT-FOR-US: Keycloak CVE-2017-2581 (An out-of-bounds write vulnerability was found in netpbm before 10.61. ...) 
- netpbm-free (bug #854978) NOTE: Debian uses an old fork of netpbm NOTE: https://www.openwall.com/lists/oss-security/2017/02/05/7 NOTE: PoC+report attached to #854978 NOTE: Similar code path seems protected by earlier stricter size checks ("object too large") CVE-2017-2580 (An out-of-bounds write vulnerability was found in netpbm before 10.61. ...) - netpbm-free (bug #854978) [jessie] - netpbm-free (pnm/giftopnm.c and bpm/libpm.c rewritten, PoC triggers clean check "Zero byte allocation" missing in later versions) NOTE: Debian uses an old fork of netpbm NOTE: https://www.openwall.com/lists/oss-security/2017/02/05/7 NOTE: PoC+report attached to #854978 CVE-2017-2579 (An out-of-bounds read vulnerability was found in netpbm before 10.61. ...) - netpbm-free (bug #854978) [jessie] - netpbm-free (pnm/giftopnm.c rewritten, PoC triggers clean application error handling) NOTE: Debian uses an old fork of netpbm NOTE: https://www.openwall.com/lists/oss-security/2017/02/05/7 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1024288 (reproducer) CVE-2017-2577 REJECTED CVE-2017-2575 (A vulnerability was found while fuzzing libbpg 0.9.7. It is a NULL poi ...) NOT-FOR-US: libbpg CVE-2017-2574 RESERVED CVE-2017-2573 RESERVED CVE-2017-2572 RESERVED CVE-2017-2571 RESERVED CVE-2017-2570 RESERVED CVE-2017-2569 RESERVED CVE-2017-2568 RESERVED CVE-2017-2567 RESERVED CVE-2017-2566 RESERVED CVE-2017-2565 RESERVED CVE-2017-2564 RESERVED CVE-2017-2563 RESERVED CVE-2017-2562 RESERVED CVE-2017-2561 RESERVED CVE-2017-2560 RESERVED CVE-2017-2559 RESERVED CVE-2017-2558 RESERVED CVE-2017-2557 RESERVED CVE-2017-2556 RESERVED CVE-2017-2555 RESERVED CVE-2017-2554 RESERVED CVE-2017-2553 RESERVED CVE-2017-2552 RESERVED CVE-2017-2551 (Vulnerability in Wordpress plugin BackWPup before v3.4.2 allows possib ...) NOT-FOR-US: Wordpress plugin BackWPup CVE-2017-2550 (Vulnerability in Easy Joomla Backup v3.2.4. The software creates a cop ...) 
NOT-FOR-US: Easy Joomla Backup CVE-2017-2549 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2548 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2547 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2546 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2545 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2544 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2543 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2542 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2541 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2540 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2539 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-1 (unimportant) NOTE: Not covered by security support CVE-2017-2538 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.4-1 (unimportant) [stretch] - webkit2gtk 2.16.6-0+deb9u1 NOTE: Not covered by security support CVE-2017-2537 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2536 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2535 (An issue was discovered in certain Apple products. 
macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2534 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2533 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2532 RESERVED CVE-2017-2531 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2530 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2529 RESERVED CVE-2017-2528 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2527 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2526 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2525 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2524 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-2523 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-2522 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-2521 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2520 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) 
{DLA-1633-1} - sqlite3 3.16.2-1 [wheezy] - sqlite3 (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=384 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=5694101458518016 NOTE: Fixed by: https://www.sqlite.org/src/info/2dc7eeb5b4d2eaf1 CVE-2017-2519 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) {DLA-1633-1} - sqlite3 3.16.0-1 [wheezy] - sqlite3 (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=288 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=6739028850245632 NOTE: Fixed by: https://www.sqlite.org/src/info/d08b72c38ff6fae6 CVE-2017-2518 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) {DLA-1633-1} - sqlite3 3.15.2-1 [wheezy] - sqlite3 (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=199 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=4603622180519936 NOTE: Fixed by: https://www.sqlite.org/src/info/0a98c8d76ac86412 CVE-2017-2517 (An issue was discovered in certain Apple products. iOS before 10.3.3 i ...) NOT-FOR-US: Apple Safari CVE-2017-2516 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2515 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2514 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2513 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) 
- sqlite3 3.15.2-1 [jessie] - sqlite3 (Vulnerable code not present) [wheezy] - sqlite3 (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=171 NOTE: https://clusterfuzz-external.appspot.com/testcase?key=5770842466156544 NOTE: Fixed by: https://www.sqlite.org/src/info/c5dbc599b910c02a CVE-2017-2512 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2511 (An issue was discovered in certain Apple products. Safari before 10.1. ...) NOT-FOR-US: Apple Safari CVE-2017-2510 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-1 (unimportant) NOTE: Not covered by security support CVE-2017-2509 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2508 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2507 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-2506 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2505 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2504 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2503 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2502 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-2501 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-2500 (An issue was discovered in certain Apple products. 
Safari before 10.1. ...) NOT-FOR-US: Apple Safari CVE-2017-2499 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Webkit / if anything of this affects Chromium/webkitgtk, the Chrome sec team will know and fix CVE-2017-2498 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-2497 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple CVE-2017-2496 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) - webkit2gtk 2.16.3-1 (unimportant) NOTE: Not covered by security support CVE-2017-2495 (An issue was discovered in certain Apple products. iOS before 10.3.2 i ...) NOT-FOR-US: Apple Safari CVE-2017-2494 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2493 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2492 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2491 (Use after free vulnerability in the String.replace method JavaScriptCo ...) NOT-FOR-US: Apple Safari CVE-2017-2490 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving Kernel component CVE-2017-2489 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple involving Intel Graphics Driver CVE-2017-2488 RESERVED CVE-2017-2487 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving FontParser component CVE-2017-2486 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Webkit / if anything of this affects Chromium/webkitgtk, the Chrome sec team will know and fix CVE-2017-2485 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) 
NOT-FOR-US: Apple involving Security component CVE-2017-2484 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving Phone component CVE-2017-2483 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving Kernel component CVE-2017-2482 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving Kernel component CVE-2017-2481 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2480 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Webkit / if anything of this affects Chromium/webkitgtk, the Chrome sec team will know and fix CVE-2017-2479 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Webkit / if anything of this affects Chromium/webkitgtk, the Chrome sec team will know and fix CVE-2017-2478 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving Kernel component CVE-2017-2477 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Potentially src:libxslt, but Apple doesn't play by the rules CVE-2017-2476 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2475 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2474 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving Kernel component CVE-2017-2473 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving Kernel component CVE-2017-2472 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) 
NOT-FOR-US: Apple involving Kernel component CVE-2017-2471 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2470 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2469 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2468 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2467 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving ImageIO component CVE-2017-2466 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2465 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2464 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2463 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Webkit / if anything of this affects Chromium/webkitgtk, the Chrome sec team will know and fix CVE-2017-2462 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2461 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving CoreText component CVE-2017-2460 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) 
- webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2459 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2458 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2457 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2456 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2455 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2454 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2453 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple Safari CVE-2017-2452 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple Siri CVE-2017-2451 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving Security component CVE-2017-2450 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving CoreText component CVE-2017-2449 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple involving Bluetooth component CVE-2017-2448 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving Keychain component CVE-2017-2447 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2446 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) 
- webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2445 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2444 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving CoreGraphics component CVE-2017-2443 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple involving Intel Graphics Driver CVE-2017-2442 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2441 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple libc++abi component CVE-2017-2440 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving Kernel component CVE-2017-2439 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving FontParser component CVE-2017-2438 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple involving AppleRAID component CVE-2017-2437 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple involving IOFireWireAVC component CVE-2017-2436 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple involving IOFireWireAVC component CVE-2017-2435 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving CoreText component CVE-2017-2434 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving HomeKit component CVE-2017-2433 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) 
- webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2432 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple involving ImageIO component CVE-2017-2431 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2430 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2429 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2428 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2427 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2426 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2425 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2424 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2423 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2422 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2421 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2420 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2419 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2418 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2417 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) 
NOT-FOR-US: Apple CVE-2017-2416 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2415 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2414 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2413 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2412 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2411 (In iOS before 11.2, exchange rates were retrieved from HTTP rather tha ...) NOT-FOR-US: Apple CVE-2017-2410 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2409 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2408 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2407 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2406 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2405 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2404 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2403 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2402 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2401 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2400 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) 
NOT-FOR-US: Apple CVE-2017-2399 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2398 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2397 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2396 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2395 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2394 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2393 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2392 (An issue was discovered in certain Apple products. Safari before 10.1 ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2391 (An issue was discovered in certain Apple products. Pages before 6.1, N ...) NOT-FOR-US: Apple CVE-2017-2390 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple / libarchive NOTE: Possibly Apple-specific, but no one really knows and Apple doesn't cooperate CVE-2017-2389 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2388 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2387 (The Apple Music (aka com.apple.android.music) application before 2.0 f ...) NOT-FOR-US: Apple Music application for Android CVE-2017-2386 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) 
- webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2385 (An issue was discovered in certain Apple products. Safari before 10.1 ...) NOT-FOR-US: Apple CVE-2017-2384 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2383 (An issue was discovered in certain Apple products. iCloud before 6.2 o ...) NOT-FOR-US: Apple CVE-2017-2382 (An issue was discovered in certain Apple products. macOS Server before ...) NOT-FOR-US: Apple CVE-2017-2381 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple, that's likely just a broken sudo config CVE-2017-2380 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2379 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Apple CVE-2017-2378 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) NOT-FOR-US: Webkit / if anything of this affects Chromium/webkitgtk, the Chrome sec team will know and fix CVE-2017-2377 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2376 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkit2gtk 2.16.3-2 (unimportant) NOTE: Not covered by security support CVE-2017-2375 RESERVED CVE-2017-2374 (An issue was discovered in certain Apple products. GarageBand before 1 ...) NOT-FOR-US: Apple CVE-2017-2373 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) - webkit2gtk 2.14.4-1 (unimportant) NOTE: Not covered by security support CVE-2017-2372 (An issue was discovered in certain Apple products. GarageBand before 1 ...) NOT-FOR-US: Apple CVE-2017-2371 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) 
- webkit2gtk 2.14.4-1 (unimportant) NOTE: Not covered by security support CVE-2017-2370 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) NOT-FOR-US: Apple CVE-2017-2369 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) - webkit2gtk 2.14.4-1 (unimportant) NOTE: Not covered by security support CVE-2017-2368 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) NOT-FOR-US: Apple CVE-2017-2367 (An issue was discovered in certain Apple products. iOS before 10.3 is ...) - webkitgtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2366 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) - webkit2gtk 2.14.4-1 (unimportant) NOTE: Not covered by security support CVE-2017-2365 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) - webkit2gtk 2.14.4-1 (unimportant) NOTE: Not covered by security support CVE-2017-2364 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) - webkit2gtk 2.14.6-1 (unimportant) NOTE: Not covered by security support CVE-2017-2363 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) - webkit2gtk 2.14.4-1 (unimportant) NOTE: Not covered by security support CVE-2017-2362 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) - webkit2gtk 2.14.4-1 (unimportant) NOTE: Not covered by security support CVE-2017-2361 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2360 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) NOT-FOR-US: Apple CVE-2017-2359 (An issue was discovered in certain Apple products. Safari before 10.0. ...) NOT-FOR-US: Apple CVE-2017-2358 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2357 (An issue was discovered in certain Apple products. macOS before 10.12. ...) 
NOT-FOR-US: Apple CVE-2017-2356 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) - webkit2gtk 2.14.4-1 (unimportant) NOTE: Not covered by security support CVE-2017-2355 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) - webkit2gtk 2.14.4-1 (unimportant) NOTE: Not covered by security support CVE-2017-2354 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) - webkit2gtk 2.14.4-1 (unimportant) NOTE: Not covered by security support CVE-2017-2353 (An issue was discovered in certain Apple products. macOS before 10.12. ...) NOT-FOR-US: Apple CVE-2017-2352 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) NOT-FOR-US: Apple CVE-2017-2351 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) NOT-FOR-US: Apple CVE-2017-2350 (An issue was discovered in certain Apple products. iOS before 10.2.1 i ...) - webkit2gtk 2.14.4-1 (unimportant) NOTE: Not covered by security support CVE-2017-2349 (A command injection vulnerability in the IDP feature of Juniper Networ ...) NOT-FOR-US: Juniper CVE-2017-2348 (The Juniper Enhanced jdhcpd daemon may experience high CPU utilization ...) NOT-FOR-US: Juniper CVE-2017-2347 (A denial of service vulnerability in rpd daemon of Juniper Networks Ju ...) NOT-FOR-US: Juniper CVE-2017-2346 (An MS-MPC or MS-MIC Service PIC may crash when large fragmented packet ...) NOT-FOR-US: Juniper CVE-2017-2345 (On Junos OS devices with SNMP enabled, a network based attacker with u ...) NOT-FOR-US: Juniper CVE-2017-2344 (A routine within an internal Junos OS sockets library is vulnerable to ...) NOT-FOR-US: Juniper CVE-2017-2343 (The Integrated User Firewall (UserFW) feature was introduced in Junos ...) NOT-FOR-US: Juniper CVE-2017-2342 (MACsec feature on Juniper Networks Junos OS 15.1X49 prior to 15.1X49-D ...) NOT-FOR-US: Juniper CVE-2017-2341 (An insufficient authentication vulnerability on platforms where Junos ...) 
NOT-FOR-US: Juniper CVE-2017-2340 (On Juniper Networks Junos OS 15.1 releases from 15.1R3 to 15.1R4, 16.1 ...) NOT-FOR-US: Juniper CVE-2017-2339 (A persistent cross site scripting vulnerability in NetScreen WebUI of ...) NOT-FOR-US: Juniper CVE-2017-2338 (A persistent cross site scripting vulnerability in NetScreen WebUI of ...) NOT-FOR-US: Juniper CVE-2017-2337 (A persistent cross site scripting vulnerability in NetScreen WebUI of ...) NOT-FOR-US: Juniper CVE-2017-2336 (A reflected cross site scripting vulnerability in NetScreen WebUI of J ...) NOT-FOR-US: Juniper CVE-2017-2335 (A persistent cross site scripting vulnerability in NetScreen WebUI of ...) NOT-FOR-US: Juniper CVE-2017-2334 (An information leak vulnerability in Juniper Networks NorthStar Contro ...) NOT-FOR-US: Juniper CVE-2017-2333 (A persistent denial of service vulnerability in Juniper Networks North ...) NOT-FOR-US: Juniper CVE-2017-2332 (An insufficient authentication vulnerability in Juniper Networks North ...) NOT-FOR-US: Juniper CVE-2017-2331 (A firewall bypass vulnerability in Juniper Networks NorthStar Controll ...) NOT-FOR-US: Juniper CVE-2017-2330 (A denial of service vulnerability in Juniper Networks NorthStar Contro ...) NOT-FOR-US: Juniper CVE-2017-2329 (An insufficient authentication vulnerability in Juniper Networks North ...) NOT-FOR-US: Juniper CVE-2017-2328 (An information leak vulnerability in Juniper Networks NorthStar Contro ...) NOT-FOR-US: Juniper CVE-2017-2327 (A denial of service vulnerability in Juniper Networks NorthStar Contro ...) NOT-FOR-US: Juniper CVE-2017-2326 (An information disclosure vulnerability in Juniper Networks NorthStar ...) NOT-FOR-US: Juniper CVE-2017-2325 (A buffer overflow vulnerability in Juniper Networks NorthStar Controll ...) NOT-FOR-US: Juniper CVE-2017-2324 (A command injection vulnerability in Juniper Networks NorthStar Contro ...) NOT-FOR-US: Juniper CVE-2017-2323 (A denial of service vulnerability in Juniper Networks NorthStar Contro ...) 
NOT-FOR-US: Juniper CVE-2017-2322 (A denial of service vulnerability in Juniper Networks NorthStar Contro ...) NOT-FOR-US: Juniper CVE-2017-2321 (A vulnerability in Juniper Networks NorthStar Controller Application p ...) NOT-FOR-US: Juniper CVE-2017-2320 (A vulnerability in Juniper Networks NorthStar Controller Application p ...) NOT-FOR-US: Juniper CVE-2017-2319 (A vulnerability in Juniper Networks NorthStar Controller Application p ...) NOT-FOR-US: Juniper CVE-2017-2318 (A vulnerability in Juniper Networks NorthStar Controller Application p ...) NOT-FOR-US: Juniper CVE-2017-2317 (A denial of service vulnerability in Juniper Networks NorthStar Contro ...) NOT-FOR-US: Juniper CVE-2017-2316 (A buffer overflow vulnerability in Juniper Networks NorthStar Controll ...) NOT-FOR-US: Juniper CVE-2017-2315 (On Juniper Networks EX Series Ethernet Switches running affected Junos ...) NOT-FOR-US: Juniper CVE-2017-2314 (Receipt of a malformed BGP OPEN message may cause the routing protocol ...) NOT-FOR-US: Juniper CVE-2017-2313 (Juniper Networks devices running affected Junos OS versions may be imp ...) NOT-FOR-US: Juniper CVE-2017-2312 (On Juniper Networks devices running Junos OS affected versions and wit ...) NOT-FOR-US: Juniper CVE-2017-2311 (On Juniper Networks Junos Space versions prior to 16.1R1, an unauthent ...) NOT-FOR-US: Juniper CVE-2017-2310 (A firewall bypass vulnerability in the host based firewall of Juniper ...) NOT-FOR-US: Juniper CVE-2017-2309 (On Juniper Networks Junos Space versions prior to 16.1R1 when certific ...) NOT-FOR-US: Juniper CVE-2017-2308 (An XML External Entity Injection vulnerability in Juniper Networks Jun ...) NOT-FOR-US: Juniper CVE-2017-2307 (A reflected cross site scripting vulnerability in the administrative i ...) NOT-FOR-US: Juniper CVE-2017-2306 (On Juniper Networks Junos Space versions prior to 16.1R1, due to an in ...) NOT-FOR-US: Juniper CVE-2017-2305 (On Juniper Networks Junos Space versions prior to 16.1R1, due to an in ...) 
NOT-FOR-US: Juniper CVE-2017-2304 (Juniper Networks QFX3500, QFX3600, QFX5100, QFX5200, EX4300 and EX4600 ...) NOT-FOR-US: Juniper CVE-2017-2303 (On Juniper Networks products or platforms running Junos OS 12.1X46 pri ...) NOT-FOR-US: Juniper CVE-2017-2302 (On Juniper Networks products or platforms running Junos OS 12.1X46 pri ...) NOT-FOR-US: Juniper CVE-2017-2301 (On Juniper Networks products or platforms running Junos OS 11.4 prior ...) NOT-FOR-US: Juniper CVE-2017-2300 (On Juniper Networks SRX Series Services Gateways chassis clusters runn ...) NOT-FOR-US: Juniper CVE-2017-2299 (Versions of the puppetlabs-apache module prior to 1.11.1 and 2.1.0 mak ...) - puppet-module-puppetlabs-apache 3.0.0-1 (bug #875983) [stretch] - puppet-module-puppetlabs-apache (Minor issue) [jessie] - puppet-module-puppetlabs-apache (Minor issue) NOTE: https://puppet.com/security/cve/CVE-2017-2299 NOTE: https://github.com/puppetlabs/puppetlabs-apache/commit/7bb35c2293c12ce52329a4391fe1f20389efef06 CVE-2017-2298 (The mcollective-sshkey-security plugin before 0.5.1 for Puppet uses a ...) NOT-FOR-US: mcollective-sshkey-security plugin CVE-2017-2297 (Puppet Enterprise versions prior to 2016.4.5 and 2017.2.1 did not corr ...) - puppet (Specific to Puppet Enterprise) CVE-2017-2296 (In Puppet Enterprise 2017.1.x and 2017.2.1, using specially formatted ...) - puppet (Specific to Puppet Enterprise) CVE-2017-2295 (Versions of Puppet prior to 4.10.1 will deserialize data off the wire ...) {DSA-3862-1 DLA-1012-1} - puppet 4.8.2-5 (bug #863212) NOTE: https://puppet.com/security/cve/cve-2017-2295 NOTE: https://github.com/puppetlabs/puppet/commit/06d8c51367ca932b9da5d9b01958cfc0adf0f2ea CVE-2017-2294 (Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 failed to ...) - puppet (Doesn't affect Puppet as shipped in Debian) NOTE: Puppet as shipped in Debian doesn't provide puppetdb yet CVE-2017-2293 (Versions of Puppet Enterprise prior to 2016.4.5 or 2017.2.1 shipped wi ...) 
- puppet (Specific to Puppet Enterprise) CVE-2017-2292 (Versions of MCollective prior to 2.10.4 deserialized YAML from agents ...) - mcollective 2.12.0+dfsg-1 (bug #866711) [jessie] - mcollective (Minor issue) [wheezy] - mcollective (Minor issue) NOTE: https://puppet.com/security/cve/cve-2017-2292 NOTE: https://github.com/puppetlabs/marionette-collective/commit/e0e741889f5adeb8f75387037106b0d28a9099b0 CVE-2017-2291 RESERVED CVE-2017-2290 (On Windows installations of the mcollective-puppet-agent plugin, versi ...) NOT-FOR-US: mcollective-puppet-agent plugin on Windows CVE-2017-2289 (Untrusted search path vulnerability in Installer of Qua station connec ...) NOT-FOR-US: Installer of Qua station connection tool for Windows CVE-2017-2288 (Untrusted search path vulnerability in LhaForge Ver.1.6.5 and earlier ...) NOT-FOR-US: LhaForge CVE-2017-2287 (Untrusted search path vulnerability in NFC Port Software remover Ver.1 ...) NOT-FOR-US: NFC Port Software remover CVE-2017-2286 (Untrusted search path vulnerability in NFC Port Software Version 5.5.0 ...) NOT-FOR-US: NFC Port Software CVE-2017-2285 (Cross-site scripting vulnerability in Simple Custom CSS and JS prior t ...) NOT-FOR-US: Simple Custom CSS and JS CVE-2017-2284 (Cross-site scripting vulnerability in Popup Maker prior to version 1.6 ...) NOT-FOR-US: Popup Maker CVE-2017-2283 (WN-G300R3 firmware version 1.0.2 and earlier uses hardcoded credential ...) NOT-FOR-US: WN-G300R3 firmware CVE-2017-2282 (Buffer overflow in WN-AX1167GR firmware version 3.00 and earlier allow ...) NOT-FOR-US: WN-AX1167GR firmware CVE-2017-2281 (WN-AX1167GR firmware version 3.00 and earlier allows an attacker to ex ...) NOT-FOR-US: WN-AX1167GR firmware CVE-2017-2280 (WN-AX1167GR firmware version 3.00 and earlier uses hardcoded credentia ...) NOT-FOR-US: WN-AX1167GR firmware CVE-2017-2279 (Untrusted search path vulnerability in Tween Ver1.6.6.0 and earlier al ...) 
NOT-FOR-US: Tween CVE-2017-2278 (The RBB SPEED TEST App for Android version 2.0.3 and earlier, RBB SPEE ...) NOT-FOR-US: RBB SPEED TEST App CVE-2017-2277 (WG-C10 v3.0.79 and earlier allows an attacker to bypass access restric ...) NOT-FOR-US: WG-C10 CVE-2017-2276 (Buffer overflow in WG-C10 v3.0.79 and earlier allows an attacker to ex ...) NOT-FOR-US: WG-C10 CVE-2017-2275 (WG-C10 v3.0.79 and earlier allows an attacker to execute arbitrary OS ...) NOT-FOR-US: WG-C10 CVE-2017-2274 (Cross-site scripting vulnerability in WMR-433 firmware Ver.1.02 and ea ...) NOT-FOR-US: WMR-433* firmware CVE-2017-2273 (Cross-site request forgery (CSRF) vulnerability in WMR-433 firmware Ve ...) NOT-FOR-US: WMR-433* firmware CVE-2017-2272 (Untrusted search path vulnerability in Self-extracting encrypted files ...) NOT-FOR-US: AttacheCase CVE-2017-2271 (Untrusted search path vulnerability in Self-extracting encrypted files ...) NOT-FOR-US: AttacheCase CVE-2017-2270 (Untrusted search path vulnerability in Encrypted files in self-decrypt ...) NOT-FOR-US: FileCapsule Deluxe Portable CVE-2017-2269 (Untrusted search path vulnerability in FileCapsule Deluxe Portable Ver ...) NOT-FOR-US: FileCapsule Deluxe Portable CVE-2017-2268 (Untrusted search path vulnerability in Encrypted files in self-decrypt ...) NOT-FOR-US: FileCapsule Deluxe Portable CVE-2017-2267 (Untrusted search path vulnerability in FileCapsule Deluxe Portable Ver ...) NOT-FOR-US: FileCapsule Deluxe Portable CVE-2017-2266 (Untrusted search path vulnerability in Encrypted files in self-decrypt ...) NOT-FOR-US: FileCapsule Deluxe Portable CVE-2017-2265 (Untrusted search path vulnerability in FileCapsule Deluxe Portable Ver ...) NOT-FOR-US: FileCapsule Deluxe Portable CVE-2017-2264 RESERVED CVE-2017-2263 RESERVED CVE-2017-2262 RESERVED CVE-2017-2261 RESERVED CVE-2017-2260 RESERVED CVE-2017-2259 RESERVED CVE-2017-2258 (Directory traversal vulnerability in Cybozu Garoon 4.2.4 to 4.2.5 allo ...) 
NOT-FOR-US: Cybozu CVE-2017-2257 (Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 4.2.5 all ...) NOT-FOR-US: Cybozu CVE-2017-2256 (Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 4.2.5 all ...) NOT-FOR-US: Cybozu CVE-2017-2255 (Cross-site scripting vulnerability in Cybozu Garoon 3.7.0 to 4.2.5 all ...) NOT-FOR-US: Cybozu CVE-2017-2254 (Cybozu Garoon 3.5.0 to 4.2.5 allows an attacker to cause a denial of s ...) NOT-FOR-US: Cybozu CVE-2017-2253 (Untrusted search path vulnerability in Installer of Yahoo! Toolbar (fo ...) NOT-FOR-US: Installer of Yahoo! Toolbar (for Internet explorer) CVE-2017-2252 (Untrusted search path vulnerability in self-extracting archive files c ...) NOT-FOR-US: File Compact CVE-2017-2251 RESERVED CVE-2017-2250 RESERVED CVE-2017-2249 (Untrusted search path vulnerability in Self-extracting archive files c ...) NOT-FOR-US: Lhaz+ CVE-2017-2248 (Untrusted search path vulnerability in Installer of Lhaz+ version 3.4. ...) NOT-FOR-US: Lhaz+ CVE-2017-2247 (Untrusted search path vulnerability in Self-extracting archive files c ...) NOT-FOR-US: Lhaz CVE-2017-2246 (Untrusted search path vulnerability in Installer of Lhaz version 2.4.0 ...) NOT-FOR-US: Lhaz CVE-2017-2245 (Directory traversal vulnerability in Shortcodes Ultimate prior to vers ...) NOT-FOR-US: Shortcodes Ultimate CVE-2017-2244 (Cross-site request forgery (CSRF) vulnerability in MFC-J960DWN firmwar ...) NOT-FOR-US: MFC-J960DWN firmware CVE-2017-2243 (Cross-site scripting vulnerability in Responsive Lightbox prior to ver ...) NOT-FOR-US: Responsive Lightbox CVE-2017-2242 (Untrusted search path vulnerability in Flets Setsuzoku Tool for Window ...) NOT-FOR-US: Flets Setsuzoku Tool for Windows CVE-2017-2241 (SQL injection vulnerability in the AssetView for MacOS Ver.9.2.0 and e ...) NOT-FOR-US: AssetView for MacOS CVE-2017-2240 (Directory traversal vulnerability in AssetView for MacOS Ver.9.2.0 and ...) 
NOT-FOR-US: AssetView for MacOS CVE-2017-2239 (Marp versions v0.0.10 and earlier may allow an attacker to access loca ...) NOT-FOR-US: Marp CVE-2017-2238 (Cross-site request forgery (CSRF) vulnerability in Toshiba Home gatewa ...) NOT-FOR-US: Toshiba Home gateway HEM-GW16A CVE-2017-2237 (Toshiba Home gateway HEM-GW16A firmware HEM-GW16A-FW-V1.2.0 and earlie ...) NOT-FOR-US: Toshiba Home gateway HEM-GW16A firmware CVE-2017-2236 (Toshiba Home gateway HEM-GW16A firmware HEM-GW16A-FW-V1.2.0 and earlie ...) NOT-FOR-US: Toshiba Home gateway HEM-GW16A firmware CVE-2017-2235 (Toshiba Home gateway HEM-GW16A firmware HEM-GW16A-FW-V1.2.0 and earlie ...) NOT-FOR-US: Toshiba Home gateway HEM-GW16A firmware CVE-2017-2234 (Toshiba Home gateway HEM-GW16A firmware HEM-GW16A-FW-V1.2.0 and earlie ...) NOT-FOR-US: Toshiba Home gateway HEM-GW16A firmware CVE-2017-2233 (Untrusted search path vulnerability in Installer of PDF Digital Signat ...) NOT-FOR-US: PDF Digital Signature Plugin CVE-2017-2232 (Untrusted search path vulnerability in Installer of Shinseiyo Sogo Sof ...) NOT-FOR-US: Installer of Shinseiyo Sogo Soft CVE-2017-2231 (Untrusted search path vulnerability in The installer of MLIT DenshiSei ...) NOT-FOR-US: installer of MLIT DenshiSeikabutsuSakuseiShienKensa system CVE-2017-2230 (Untrusted search path vulnerability in Douro Kouji Kanseizutou Check P ...) NOT-FOR-US: Douro Kouji Kanseizutou Check Program CVE-2017-2229 (Untrusted search path vulnerability in Douroshisetu Kihon Data Sakusei ...) NOT-FOR-US: Douroshisetu Kihon Data Sakusei System CVE-2017-2228 (Untrusted search path vulnerability in Teikihoukokusho Sakuseishien To ...) NOT-FOR-US: Teikihoukokusho Sakuseishien Tool CVE-2017-2227 (Untrusted search path vulnerability in The installer of Charamin OMP V ...) NOT-FOR-US: installer of Charamin OMP CVE-2017-2226 (Untrusted search path vulnerability in Setup file of advance preparati ...) 
NOT-FOR-US: e-Tax CVE-2017-2225 (Untrusted search path vulnerability in EbidSettingChecker.exe (version ...) NOT-FOR-US: EbidSettingChecker.exe CVE-2017-2224 (Cross-site scripting vulnerability in Event Calendar WD prior to versi ...) NOT-FOR-US: Event Calendar WD CVE-2017-2223 (Cross-site request forgery (CSRF) vulnerability in TS-WPTCAM, TS-PTCAM ...) NOT-FOR-US: TS-WPTCAM CVE-2017-2222 (Cross-site scripting vulnerability in WP-Members prior to version 3.1. ...) NOT-FOR-US: WP-Members CVE-2017-2221 (Untrusted search path vulnerability in Installer of Baidu IME Ver3.6.1 ...) NOT-FOR-US: Installer of Baidu IME CVE-2017-2220 (Untrusted search path vulnerability in Installer of CASL II simulator ...) NOT-FOR-US: Installer of CASL II simulator CVE-2017-2219 (Untrusted search path vulnerability in the [Simeji for Windows] instal ...) NOT-FOR-US: Simeji CVE-2017-2218 (Untrusted search path vulnerability in Installer of QuickTime for Wind ...) NOT-FOR-US: Installer of QuickTime for Windows CVE-2017-2217 (Open redirect vulnerability in WordPress Download Manager prior to ver ...) NOT-FOR-US: WordPress Download Manager CVE-2017-2216 (Cross-site scripting vulnerability in WordPress Download Manager prior ...) NOT-FOR-US: WordPress Download Manager CVE-2017-2215 (Untrusted search path vulnerability in Installer of "Setup file of adv ...) NOT-FOR-US: Installer of "Setup file of advance preparation" CVE-2017-2214 (Untrusted search path vulnerability in AppCheck and AppCheck Pro prior ...) NOT-FOR-US: AppCheck CVE-2017-2213 (Untrusted search path vulnerability in SemiDynaEXE (SemiDynaEXE2008.EX ...) NOT-FOR-US: SemiDynaEXE CVE-2017-2212 (Untrusted search path vulnerability in TKY2JGD (TKY2JGD1379.EXE) ver. ...) NOT-FOR-US: TKY2JGD CVE-2017-2211 (Untrusted search path vulnerability in PatchJGD (Hyoko) (PatchJGDh101. ...) NOT-FOR-US: PatchJGD CVE-2017-2210 (Untrusted search path vulnerability in PatchJGD (PatchJGD101.EXE) ver. ...) 
NOT-FOR-US: PatchJGD CVE-2017-2209 (Untrusted search path vulnerability in the installer of Houkokusyo Sak ...) NOT-FOR-US: Houkokusyo Sakusei Shien Tool CVE-2017-2208 (Untrusted search path vulnerability in Installer of Electronic tenderi ...) NOT-FOR-US: Installer of Electronic tendering and bid opening system CVE-2017-2207 (Untrusted search path vulnerability in the installer of SaAT Personal ...) NOT-FOR-US: SaAT Personal CVE-2017-2206 (Untrusted search path vulnerability in the installer of SaAT Netizen v ...) NOT-FOR-US: SaAT Netizen CVE-2017-2205 RESERVED CVE-2017-2204 RESERVED CVE-2017-2203 RESERVED CVE-2017-2202 RESERVED CVE-2017-2201 RESERVED CVE-2017-2200 RESERVED CVE-2017-2199 RESERVED CVE-2017-2198 RESERVED CVE-2017-2197 RESERVED CVE-2017-2196 RESERVED CVE-2017-2195 (SQL injection vulnerability in the Multi Feed Reader prior to version ...) NOT-FOR-US: Multi Feed Reader plugin for wordpress CVE-2017-2194 (Cross-site scripting vulnerability in Source code security studying to ...) NOT-FOR-US: iCodeChecker CVE-2017-2193 (Untrusted search path vulnerability in the installer of Tera Term 4.94 ...) NOT-FOR-US: Tera Term CVE-2017-2192 (Untrusted search path vulnerability in RW-5100 tool to verify executio ...) NOT-FOR-US: RW5100 installer CVE-2017-2191 (Untrusted search path vulnerability in RW-5100 driver installer for Wi ...) NOT-FOR-US: RW5100 installer CVE-2017-2190 (Untrusted search path vulnerability in RW-4040 tool to verify executio ...) NOT-FOR-US: RW4040 CVE-2017-2189 (Untrusted search path vulnerability in RW-4040 driver installer for Wi ...) NOT-FOR-US: RW4040 CVE-2017-2188 (Untrusted search path vulnerability in Installer of Denshinouhin Check ...) NOT-FOR-US: Installer of Denshinouhin Check System CVE-2017-2187 (Cross-site scripting vulnerability in WP Live Chat Support prior to ve ...) NOT-FOR-US: WP Live Chat CVE-2017-2186 (HOME SPOT CUBE2 firmware V101 and earlier allows an attacker to bypass ...) 
NOT-FOR-US: HOME SPOT CUBE2 firmware CVE-2017-2185 (HOME SPOT CUBE2 firmware V101 and earlier allows authenticated attacke ...) NOT-FOR-US: HOME SPOT CUBE2 firmware CVE-2017-2184 (Buffer overflow in HOME SPOT CUBE2 firmware V101 and earlier allows an ...) NOT-FOR-US: HOME SPOT CUBE2 firmware CVE-2017-2183 (HOME SPOT CUBE2 firmware V101 and earlier allows authenticated attacke ...) NOT-FOR-US: HOME SPOT CUBE2 firmware CVE-2017-2182 (Hands-on Vulnerability Learning Tool "AppGoat" for Web Application V3. ...) NOT-FOR-US: Hands-on Vulnerability Learning Tool CVE-2017-2181 (Hands-on Vulnerability Learning Tool "AppGoat" for Web Application V3. ...) NOT-FOR-US: Hands-on Vulnerability Learning Tool CVE-2017-2180 (Hands-on Vulnerability Learning Tool "AppGoat" for Web Application V3. ...) NOT-FOR-US: Hands-on Vulnerability Learning Tool CVE-2017-2179 (Hands-on Vulnerability Learning Tool "AppGoat" for Web Application V3. ...) NOT-FOR-US: Hands-on Vulnerability Learning Tool CVE-2017-2178 (Untrusted search path vulnerability in Installer of electronic tenderi ...) NOT-FOR-US: electronic tendering and bid opening system CVE-2017-2177 (Untrusted search path vulnerability in Installer of Shogyo Touki Densh ...) NOT-FOR-US: Shogyo Touki Denshi Ninsho CVE-2017-2176 (Untrusted search path vulnerability in screensaver installers (jasdf_0 ...) NOT-FOR-US: screensaver installers for Windows CVE-2017-2175 (Untrusted search path vulnerability in Empirical Project Monitor - eXt ...) NOT-FOR-US: Empirical Project Monitor - eXtended CVE-2017-2174 (Cross-site scripting vulnerability in Empirical Project Monitor - eXte ...) NOT-FOR-US: Empirical Project Monitor - eXtended CVE-2017-2173 (Cross-site scripting vulnerability in Empirical Project Monitor - eXte ...) NOT-FOR-US: Empirical Project Monitor - eXtended CVE-2017-2172 (Cross-site scripting vulnerability in Cybozu KUNAI for Android 3.0.0 t ...) 
NOT-FOR-US: Cybozu CVE-2017-2171 (Cross-site scripting vulnerability in Captcha prior to version 4.3.0, ...) NOT-FOR-US: WordPress plugins provided by BestWebSoft CVE-2017-2170 RESERVED CVE-2017-2169 (Cross-site scripting vulnerability in MaxButtons prior to version 6.19 ...) NOT-FOR-US: MaxButtons plugin for WordPress CVE-2017-2168 (Cross-site scripting vulnerability in WP Booking System Free version p ...) NOT-FOR-US: WP Booking System CVE-2017-2167 (Untrusted search path vulnerability in Installer for PrimeDrive Deskto ...) NOT-FOR-US: PrimeDrive CVE-2017-2166 (Open redirect vulnerability in GroupSession version 4.7.0 and earlier ...) NOT-FOR-US: GroupSession CVE-2017-2165 (GroupSession versions 4.6.4 and earlier allows remote authenticated at ...) NOT-FOR-US: GroupSession CVE-2017-2164 (Cross-site scripting vulnerability in SOY CMS with installer 1.8.12 an ...) NOT-FOR-US: SOY CMS CVE-2017-2163 (Directory traversal vulnerability in SOY CMS Ver.1.8.1 to Ver.1.8.12 a ...) NOT-FOR-US: SOY CMS CVE-2017-2162 (FlashAirTM SDHC Memory Card (SD-WE Series <W-03>) V3.00.02 and e ...) NOT-FOR-US: FlashAirTM CVE-2017-2161 (FlashAirTM SDHC Memory Card (SD-WE Series <W-03>) V3.00.02 and e ...) NOT-FOR-US: FlashAirTM CVE-2017-2160 RESERVED CVE-2017-2159 RESERVED CVE-2017-2158 (Improper verification when expanding ZIP64 archives in Lhaplus version ...) NOT-FOR-US: Lhaplus CVE-2017-2157 (Untrusted search path vulnerability in installers for The Public Certi ...) NOT-FOR-US: The Public Certification Service CVE-2017-2156 (Untrusted search path vulnerability in Vivaldi installer for Windows p ...) NOT-FOR-US: Vivaldi installer Windows CVE-2017-2155 (Buffer overflow in Hoozin Viewer 2, 3, 4.1.5.15 and earlier, 5.1.2.13 ...) NOT-FOR-US: Hoozin Viewer CVE-2017-2154 (Untrusted search path vulnerability in Hanako 2017, Hanako 2016, Hanak ...) NOT-FOR-US: Booking Calendar CVE-2017-2153 (SEIL/x86 Fuji 1.70 to 5.62, SEIL/BPV4 5.00 to 5.62, SEIL/X1 1.30 to 5. ...) 
NOT-FOR-US: SEIL CVE-2017-2152 (WNC01WH firmware 1.0.0.9 and earlier allows authenticated attackers to ...) NOT-FOR-US: WNC01WH firmware CVE-2017-2151 (Cross-site scripting vulnerability in Booking Calendar version 7.1 and ...) NOT-FOR-US: Booking Calendar CVE-2017-2150 (Directory traversal vulnerability in Booking Calendar version 7.0 and ...) NOT-FOR-US: Booking Calendar CVE-2017-2149 (Untrusted search path vulnerability in installers of the software for ...) NOT-FOR-US: installers of the software for SDHC/SDXC Memory Cards CVE-2017-2148 (Cross-site scripting vulnerability in WN-AC1167GR firmware version 1.0 ...) NOT-FOR-US: WN-AC1167GR firmware CVE-2017-2147 (Cross-site scripting vulnerability in WP Statistics version 12.0.4 and ...) NOT-FOR-US: WP Statistics CVE-2017-2146 (Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 4.2.4 all ...) NOT-FOR-US: Cybozu Garoon CVE-2017-2145 (Session fixation vulnerability in Cybozu Garoon 4.0.0 to 4.2.4 allows ...) NOT-FOR-US: Cybozu Garoon CVE-2017-2144 (Cybozu Garoon 3.0.0 to 4.2.4 may allow an attacker to lock another use ...) NOT-FOR-US: Cybozu Garoon CVE-2017-2143 (CS-Cart Japanese Edition v4.3.10-jp-1 and earlier, CS-Cart Multivendor ...) NOT-FOR-US: CS-Cart CVE-2017-2142 (Buffer overflow in WN-G300R3 firmware Ver.1.03 and earlier allows remo ...) NOT-FOR-US: WN-G300R3 firmware CVE-2017-2141 (WN-G300R3 firmware 1.03 and earlier allows attackers with administrato ...) NOT-FOR-US: WN-G300R3 firmware CVE-2017-2140 (Tablacus Explorer 17.3.30 and earlier allows arbitrary scripts to be e ...) NOT-FOR-US: Tablacus Explorer CVE-2017-2139 (CS-Cart Japanese Edition v4.3.10 and earlier (excluding v2 and v3), CS ...) NOT-FOR-US: CS-Cart CVE-2017-2138 (Cross-site request forgery (CSRF) vulnerability in CS-Cart Japanese Ed ...) NOT-FOR-US: CS-Cart CVE-2017-2137 (ProSAFE Plus Configuration Utility prior to 2.3.29 allows remote attac ...) 
NOT-FOR-US: ProSAFE Plus Configuration Utility CVE-2017-2136 (Cross-site scripting vulnerability in WP Statistics version 12.0.4 and ...) NOT-FOR-US: WP Statistics CVE-2017-2135 (Cross-site scripting vulnerability in WP Statistics version 12.0.1 and ...) NOT-FOR-US: WP Statistics CVE-2017-2134 (Cross-site scripting vulnerability in ASSETBASE 8.0 and earlier allows ...) NOT-FOR-US: ASSETBASE CVE-2017-2133 (SQL injection vulnerability in Panasonic KX-HJB1000 Home unit devices ...) NOT-FOR-US: Panasonic KX-HJB1000 Home unit devices CVE-2017-2132 (Panasonic KX-HJB1000 Home unit devices with firmware GHX1YG 14.50 or H ...) NOT-FOR-US: Panasonic KX-HJB1000 Home unit devices CVE-2017-2131 (Panasonic KX-HJB1000 Home unit devices with firmware GHX1YG 14.50 or H ...) NOT-FOR-US: Panasonic KX-HJB1000 Home unit devices CVE-2017-2130 (Untrusted search path vulnerability in the installer of PhishWall Clie ...) NOT-FOR-US: installer of PhishWall Client Internet Explorer CVE-2017-2129 RESERVED CVE-2017-2128 (Security guide for website operators allows remote attackers to execut ...) NOT-FOR-US: Security guide for website operators CVE-2017-2127 (Cross-site scripting vulnerability in YOP Poll versions prior to 5.8.1 ...) NOT-FOR-US: YOP Poll CVE-2017-2126 (WAPM-1166D firmware Ver.1.2.7 and earlier, WAPM-APG600H firmware Ver.1 ...) NOT-FOR-US: WAPM-* firmware CVE-2017-2125 (Privilege escalation vulnerability in CentreCOM AR260S V2 remote authe ...) NOT-FOR-US: CentreCOM AR260S CVE-2017-2124 (Cross-site scripting vulnerability in OneThird CMS v1.73 Heaven's Door ...) NOT-FOR-US: OneThird CMS CVE-2017-2123 (Cross-site scripting vulnerability in OneThird CMS v1.73 Heaven's Door ...) NOT-FOR-US: OneThird CMS CVE-2017-2122 (Cross-site scripting vulnerability in Nessus versions 6.8.0, 6.8.1, 6. ...) NOT-FOR-US: Nessus CVE-2017-2121 RESERVED CVE-2017-2120 (SQL injection vulnerability in the WBCE CMS 1.1.10 and earlier allows ...) 
NOT-FOR-US: WBCE CMS CVE-2017-2119 (Directory traversal vulnerability in WBCE CMS 1.1.10 and earlier allow ...) NOT-FOR-US: WBCE CMS CVE-2017-2118 (Cross-site scripting vulnerability in WBCE CMS 1.1.10 and earlier allo ...) NOT-FOR-US: WBCE CMS CVE-2017-2117 (Directory traversal vulnerability in CubeCart versions prior to 6.1.5 ...) NOT-FOR-US: CubeCart CVE-2017-2116 (Cybozu Office 10.0.0 to 10.5.0 allows remote authenticated attackers t ...) NOT-FOR-US: Cybozu CVE-2017-2115 (Cybozu Office 10.0.0 to 10.5.0 allows remote authenticated attackers t ...) NOT-FOR-US: Cybozu CVE-2017-2114 (Cross-site scripting vulnerability in Cybozu Office 10.0.0 to 10.5.0 a ...) NOT-FOR-US: Cybozu CVE-2017-2113 (Buffer overflow in TS-WPTCAM firmware version 1.18 and earlier, TS-WPT ...) NOT-FOR-US: firmware in network cameras by I-O DATA CVE-2017-2112 (TS-WPTCAM firmware version 1.18 and earlier, TS-WPTCAM2 firmware versi ...) NOT-FOR-US: firmware in network cameras by I-O DATA CVE-2017-2111 (HTTP header injection vulnerability in TS-WPTCAM firmware version 1.18 ...) NOT-FOR-US: firmware in network cameras by I-O DATA CVE-2017-2110 (The Access CX App for Android prior to 2.0.0.1 and for iOS prior to 2. ...) NOT-FOR-US: CX App for Android CVE-2017-2109 (Cybozu KUNAI for Android 3.0.4 to 3.0.5.1 allow remote attackers to ob ...) NOT-FOR-US: Cybozu CVE-2017-2108 (Untrusted search path vulnerability in PrimeDrive Desktop Application ...) NOT-FOR-US: PrimeDrive Desktop Application CVE-2017-2107 (Untrusted search path vulnerability in Self-extracting archive files c ...) NOT-FOR-US: 7-ZIP32.DLL CVE-2017-2106 (Multiple cross-site scripting vulnerabilities in Webmin versions prior ...) - webmin CVE-2017-2105 (The TVer App for Android 3.2.7 and earlier does not verify X.509 certi ...) NOT-FOR-US: TVer App for Android CVE-2017-2104 (The Business LaLa Call App for Android 1.4.7 and earlier does not veri ...) 
NOT-FOR-US: Business LaLa Call App for Android CVE-2017-2103 (The LaLa Call App for Android 2.4.7 and earlier does not verify X.509 ...) NOT-FOR-US: LaLa Call App for Android CVE-2017-2102 (Cross-site request forgery (CSRF) vulnerability in Hands-on Vulnerabil ...) NOT-FOR-US: Hands-on Vulnerability Learning Tool "AppGoat" for Web Application CVE-2017-2101 (Hands-on Vulnerability Learning Tool "AppGoat" for Web Application V3. ...) NOT-FOR-US: Hands-on Vulnerability Learning Tool "AppGoat" for Web Application CVE-2017-2100 (Hands-on Vulnerability Learning Tool "AppGoat" for Web Application V3. ...) NOT-FOR-US: Hands-on Vulnerability Learning Tool "AppGoat" for Web Application CVE-2017-2099 (Hands-on Vulnerability Learning Tool "AppGoat" for Web Application V3. ...) NOT-FOR-US: Hands-on Vulnerability Learning Tool "AppGoat" for Web Application CVE-2017-2098 (Directory traversal vulnerability in CubeCart versions prior to 6.1.4 ...) NOT-FOR-US: CubeCart CVE-2017-2097 (Cross-site request forgery (CSRF) vulnerability in Knowledge versions ...) NOT-FOR-US: Knowledge CVE-2017-2096 (smalruby-editor v0.4.0 and earlier allows remote attackers to execute ...) NOT-FOR-US: smalruby-editor CVE-2017-2095 (Cybozu Garoon 3.0.0 to 4.2.3 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu CVE-2017-2094 (Cybozu Garoon 3.0.0 to 4.2.3 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu CVE-2017-2093 (Cybozu Garoon 3.0.0 to 4.2.3 allow remote attackers to obtain tokens u ...) NOT-FOR-US: Cybozu CVE-2017-2092 (Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 4.2.3 all ...) NOT-FOR-US: Cybozu CVE-2017-2091 (Cybozu Garoon 3.0.0 to 4.2.3 allows remote authenticated attackers to ...) NOT-FOR-US: Cybozu CVE-2017-2090 (Directory traversal vulnerability in CubeCart versions prior to 6.1.4 ...) 
NOT-FOR-US: CubeCart CVE-2017-2089 REJECTED CVE-2017-2088 REJECTED CVE-2017-2087 REJECTED CVE-2017-2086 REJECTED CVE-2017-2085 REJECTED CVE-2017-2084 REJECTED CVE-2017-2083 REJECTED CVE-2017-2082 REJECTED CVE-2017-2081 REJECTED CVE-2017-2080 REJECTED CVE-2017-2079 REJECTED CVE-2017-2078 REJECTED CVE-2017-2077 REJECTED CVE-2017-2076 REJECTED CVE-2017-2075 REJECTED CVE-2017-2074 REJECTED CVE-2017-2073 REJECTED CVE-2017-2072 REJECTED CVE-2017-2071 REJECTED CVE-2017-2070 REJECTED CVE-2017-2069 REJECTED CVE-2017-2068 REJECTED CVE-2017-2067 REJECTED CVE-2017-2066 REJECTED CVE-2017-2065 REJECTED CVE-2017-2064 REJECTED CVE-2017-2063 REJECTED CVE-2017-2062 REJECTED CVE-2017-2061 REJECTED CVE-2017-2060 REJECTED CVE-2017-2059 REJECTED CVE-2017-2058 REJECTED CVE-2017-2057 REJECTED CVE-2017-2056 REJECTED CVE-2017-2055 REJECTED CVE-2017-2054 REJECTED CVE-2017-2053 REJECTED CVE-2017-2052 REJECTED CVE-2017-2051 REJECTED CVE-2017-2050 REJECTED CVE-2017-2049 REJECTED CVE-2017-2048 REJECTED CVE-2017-2047 REJECTED CVE-2017-2046 REJECTED CVE-2017-2045 REJECTED CVE-2017-2044 REJECTED CVE-2017-2043 REJECTED CVE-2017-2042 REJECTED CVE-2017-2041 REJECTED CVE-2017-2040 REJECTED CVE-2017-2039 REJECTED CVE-2017-2038 REJECTED CVE-2017-2037 REJECTED CVE-2017-2036 REJECTED CVE-2017-2035 REJECTED CVE-2017-2034 REJECTED CVE-2017-2033 REJECTED CVE-2017-2032 REJECTED CVE-2017-2031 REJECTED CVE-2017-2030 REJECTED CVE-2017-2029 REJECTED CVE-2017-2028 REJECTED CVE-2017-2027 REJECTED CVE-2017-2026 REJECTED CVE-2017-2025 REJECTED CVE-2017-2024 REJECTED CVE-2017-2023 REJECTED CVE-2017-2022 REJECTED CVE-2017-2021 REJECTED CVE-2017-2020 REJECTED CVE-2017-2019 REJECTED CVE-2017-2018 REJECTED CVE-2017-2017 REJECTED CVE-2017-2016 REJECTED CVE-2017-2015 REJECTED CVE-2017-2014 REJECTED CVE-2017-2013 REJECTED CVE-2017-2012 REJECTED CVE-2017-2011 REJECTED CVE-2017-2010 REJECTED CVE-2017-2009 REJECTED CVE-2017-2008 REJECTED CVE-2017-2007 REJECTED CVE-2017-2006 REJECTED CVE-2017-2005 REJECTED CVE-2017-2004 REJECTED 
CVE-2017-2003 REJECTED CVE-2017-2002 REJECTED CVE-2017-2001 REJECTED CVE-2017-2000 REJECTED CVE-2017-1999 REJECTED CVE-2017-1998 REJECTED CVE-2017-1997 REJECTED CVE-2017-1996 REJECTED CVE-2017-1995 REJECTED CVE-2017-1994 REJECTED CVE-2017-1993 REJECTED CVE-2017-1992 REJECTED CVE-2017-1991 REJECTED CVE-2017-1990 REJECTED CVE-2017-1989 REJECTED CVE-2017-1988 REJECTED CVE-2017-1987 REJECTED CVE-2017-1986 REJECTED CVE-2017-1985 REJECTED CVE-2017-1984 REJECTED CVE-2017-1983 REJECTED CVE-2017-1982 REJECTED CVE-2017-1981 REJECTED CVE-2017-1980 REJECTED CVE-2017-1979 REJECTED CVE-2017-1978 REJECTED CVE-2017-1977 REJECTED CVE-2017-1976 REJECTED CVE-2017-1975 REJECTED CVE-2017-1974 REJECTED CVE-2017-1973 REJECTED CVE-2017-1972 REJECTED CVE-2017-1971 REJECTED CVE-2017-1970 REJECTED CVE-2017-1969 REJECTED CVE-2017-1968 REJECTED CVE-2017-1967 REJECTED CVE-2017-1966 REJECTED CVE-2017-1965 REJECTED CVE-2017-1964 REJECTED CVE-2017-1963 REJECTED CVE-2017-1962 REJECTED CVE-2017-1961 REJECTED CVE-2017-1960 REJECTED CVE-2017-1959 REJECTED CVE-2017-1958 REJECTED CVE-2017-1957 REJECTED CVE-2017-1956 REJECTED CVE-2017-1955 REJECTED CVE-2017-1954 REJECTED CVE-2017-1953 REJECTED CVE-2017-1952 REJECTED CVE-2017-1951 REJECTED CVE-2017-1950 REJECTED CVE-2017-1949 REJECTED CVE-2017-1948 REJECTED CVE-2017-1947 REJECTED CVE-2017-1946 REJECTED CVE-2017-1945 REJECTED CVE-2017-1944 REJECTED CVE-2017-1943 REJECTED CVE-2017-1942 REJECTED CVE-2017-1941 REJECTED CVE-2017-1940 REJECTED CVE-2017-1939 REJECTED CVE-2017-1938 REJECTED CVE-2017-1937 REJECTED CVE-2017-1936 REJECTED CVE-2017-1935 REJECTED CVE-2017-1934 REJECTED CVE-2017-1933 REJECTED CVE-2017-1932 REJECTED CVE-2017-1931 REJECTED CVE-2017-1930 REJECTED CVE-2017-1929 REJECTED CVE-2017-1928 REJECTED CVE-2017-1927 REJECTED CVE-2017-1926 REJECTED CVE-2017-1925 REJECTED CVE-2017-1924 REJECTED CVE-2017-1923 REJECTED CVE-2017-1922 REJECTED CVE-2017-1921 REJECTED CVE-2017-1920 REJECTED CVE-2017-1919 REJECTED CVE-2017-1918 REJECTED CVE-2017-1917 
REJECTED CVE-2017-1916 REJECTED CVE-2017-1915 REJECTED CVE-2017-1914 REJECTED CVE-2017-1913 REJECTED CVE-2017-1912 REJECTED CVE-2017-1911 REJECTED CVE-2017-1910 REJECTED CVE-2017-1909 REJECTED CVE-2017-1908 REJECTED CVE-2017-1907 REJECTED CVE-2017-1906 REJECTED CVE-2017-1905 REJECTED CVE-2017-1904 REJECTED CVE-2017-1903 REJECTED CVE-2017-1902 REJECTED CVE-2017-1901 REJECTED CVE-2017-1900 REJECTED CVE-2017-1899 REJECTED CVE-2017-1898 REJECTED CVE-2017-1897 REJECTED CVE-2017-1896 REJECTED CVE-2017-1895 REJECTED CVE-2017-1894 REJECTED CVE-2017-1893 REJECTED CVE-2017-1892 REJECTED CVE-2017-1891 REJECTED CVE-2017-1890 REJECTED CVE-2017-1889 REJECTED CVE-2017-1888 REJECTED CVE-2017-1887 REJECTED CVE-2017-1886 REJECTED CVE-2017-1885 REJECTED CVE-2017-1884 REJECTED CVE-2017-1883 REJECTED CVE-2017-1882 REJECTED CVE-2017-1881 REJECTED CVE-2017-1880 REJECTED CVE-2017-1879 REJECTED CVE-2017-1878 REJECTED CVE-2017-1877 REJECTED CVE-2017-1876 REJECTED CVE-2017-1875 REJECTED CVE-2017-1874 REJECTED CVE-2017-1873 REJECTED CVE-2017-1872 REJECTED CVE-2017-1871 REJECTED CVE-2017-1870 REJECTED CVE-2017-1869 REJECTED CVE-2017-1868 REJECTED CVE-2017-1867 REJECTED CVE-2017-1866 REJECTED CVE-2017-1865 REJECTED CVE-2017-1864 REJECTED CVE-2017-1863 REJECTED CVE-2017-1862 REJECTED CVE-2017-1861 REJECTED CVE-2017-1860 REJECTED CVE-2017-1859 REJECTED CVE-2017-1858 REJECTED CVE-2017-1857 REJECTED CVE-2017-1856 REJECTED CVE-2017-1855 REJECTED CVE-2017-1854 REJECTED CVE-2017-1853 REJECTED CVE-2017-1852 REJECTED CVE-2017-1851 REJECTED CVE-2017-1850 REJECTED CVE-2017-1849 REJECTED CVE-2017-1848 REJECTED CVE-2017-1847 REJECTED CVE-2017-1846 REJECTED CVE-2017-1845 REJECTED CVE-2017-1844 REJECTED CVE-2017-1843 REJECTED CVE-2017-1842 REJECTED CVE-2017-1841 REJECTED CVE-2017-1840 REJECTED CVE-2017-1839 REJECTED CVE-2017-1838 REJECTED CVE-2017-1837 REJECTED CVE-2017-1836 REJECTED CVE-2017-1835 REJECTED CVE-2017-1834 REJECTED CVE-2017-1833 REJECTED CVE-2017-1832 REJECTED CVE-2017-1831 REJECTED 
CVE-2017-1830 REJECTED CVE-2017-1829 REJECTED CVE-2017-1828 REJECTED CVE-2017-1827 REJECTED CVE-2017-1826 REJECTED CVE-2017-1825 REJECTED CVE-2017-1824 REJECTED CVE-2017-1823 REJECTED CVE-2017-1822 REJECTED CVE-2017-1821 REJECTED CVE-2017-1820 REJECTED CVE-2017-1819 REJECTED CVE-2017-1818 REJECTED CVE-2017-1817 REJECTED CVE-2017-1816 REJECTED CVE-2017-1815 REJECTED CVE-2017-1814 REJECTED CVE-2017-1813 REJECTED CVE-2017-1812 REJECTED CVE-2017-1811 REJECTED CVE-2017-1810 RESERVED CVE-2017-1809 RESERVED CVE-2017-1808 RESERVED CVE-2017-1807 RESERVED CVE-2017-1806 RESERVED CVE-2017-1805 RESERVED CVE-2017-1804 RESERVED CVE-2017-1803 RESERVED CVE-2017-1802 RESERVED CVE-2017-1801 RESERVED CVE-2017-1800 RESERVED CVE-2017-1799 RESERVED CVE-2017-1798 RESERVED CVE-2017-1797 RESERVED CVE-2017-1796 RESERVED CVE-2017-1795 (IBM WebSphere MQ 7.5, 8.0, and 9.0 through 9.0.4 could allow a local u ...) NOT-FOR-US: IBM WebSphere MQ CVE-2017-1794 (IBM Tivoli Monitoring 6.2.3 through 6.2.3.5 and 6.3.0 through 6.3.0.7 ...) NOT-FOR-US: IBM CVE-2017-1793 (IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 a ...) NOT-FOR-US: IBM CVE-2017-1792 (IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 a ...) NOT-FOR-US: IBM CVE-2017-1791 (IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 a ...) NOT-FOR-US: IBM CVE-2017-1790 (IBM DOORS Next Generation (DNG/RRC) 5.0, 5.0.1, 5.0.2, and 6.0 through ...) NOT-FOR-US: IBM DOORS Next Generation CVE-2017-1789 (IBM Tivoli Monitoring V6 6.2.3 and 6.3.0 could allow an unauthenticate ...) NOT-FOR-US: IBM CVE-2017-1788 (IBM WebSphere Application Server 9 installations using Form Login coul ...) NOT-FOR-US: IBM CVE-2017-1787 (IBM Publishing Engine 2.1.2 and 6.0.5 contains an undisclosed vulnerab ...) NOT-FOR-US: IBM Publishing Engine CVE-2017-1786 (IBM WebSphere MQ 8.0 through 8.0.0.8 and 9.0 through 9.0.4 under speci ...) 
NOT-FOR-US: IBM CVE-2017-1785 (IBM API Connect 5.0.7 and 5.0.8 could allow an authenticated remote us ...) NOT-FOR-US: IBM API Connect CVE-2017-1784 (IBM Cognos Analytics 11.0 could produce results in temporary files tha ...) NOT-FOR-US: IBM Cognos Analytics CVE-2017-1783 (IBM Cognos Analytics 11.0 could allow a local user to change parameter ...) NOT-FOR-US: IBM Cognos Analytics CVE-2017-1782 RESERVED CVE-2017-1781 RESERVED CVE-2017-1780 RESERVED CVE-2017-1779 (IBM Cognos Analytics 11.0 could store cached credentials locally that ...) NOT-FOR-US: IBM Cognos Analytics CVE-2017-1778 RESERVED CVE-2017-1777 RESERVED CVE-2017-1776 RESERVED CVE-2017-1775 RESERVED CVE-2017-1774 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 discloses sen ...) NOT-FOR-US: IBM Security Guardium Big Data Intelligence CVE-2017-1773 (IBM DataPower Gateways 7.1, 7.2, 7.5, and 7.6 could allow an attacker ...) NOT-FOR-US: IBM DataPower Gateways CVE-2017-1772 (IBM Worklight (IBM MobileFirst Platform Foundation 6.3, 7.0, 7.1, and ...) NOT-FOR-US: IBM CVE-2017-1771 RESERVED CVE-2017-1770 RESERVED CVE-2017-1769 (IBM Business Process Manager 8.6 is vulnerable to cross-site request f ...) NOT-FOR-US: IBM Business Process Manager CVE-2017-1768 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 generates an ...) NOT-FOR-US: IBM CVE-2017-1767 (IBM Business Process Manager 8.6 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM CVE-2017-1766 (Due to incorrect authorization in IBM Business Process Manager 8.6 an ...) NOT-FOR-US: IBM CVE-2017-1765 (IBM Business Process Manager 8.6 could allow an authenticated user wit ...) NOT-FOR-US: IBM CVE-2017-1764 (IBM Cognos Business Intelligence 10.2, 10.2.1, 10.2.1.1, and 10.2.2, u ...) NOT-FOR-US: IBM CVE-2017-1763 RESERVED CVE-2017-1762 (IBM Jazz Foundation (IBM Rational Collaborative Lifecycle Management 5 ...) NOT-FOR-US: IBM CVE-2017-1761 (IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-sit ...) 
NOT-FOR-US: IBM WebSphere Portal CVE-2017-1760 (IBM WebSphere MQ 7.5, 8.0, and 9.0 could allow a local user to crash t ...) NOT-FOR-US: IBM WebSphere MQ CVE-2017-1759 RESERVED CVE-2017-1758 (IBM Financial Transaction Manager for ACH Services for Multi-Platform ...) NOT-FOR-US: IBM Financial Transaction Manager for ACH Services for Multi-Platform CVE-2017-1757 (IBM Security Guardium 10.0 is vulnerable to SQL injection. A remote at ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1756 (IBM Business Process Manager 8.6 allows web pages to be stored locally ...) NOT-FOR-US: IBM CVE-2017-1755 (IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 ...) NOT-FOR-US: IBM CVE-2017-1754 RESERVED CVE-2017-1753 (Multiple IBM Rational products are vulnerable to HTML injection. A rem ...) NOT-FOR-US: IBM CVE-2017-1752 (IBM UrbanCode Deploy 6.1 and 6.2 could allow an authenticated privileg ...) NOT-FOR-US: IBM UrbanCode Deploy CVE-2017-1751 (IBM Robotic Process Automation with Automation Anywhere 10.0.0 is vuln ...) NOT-FOR-US: IBM Robotic Process Automation with Automation Anywhere CVE-2017-1750 (IBM Jazz Reporting Service (JRS) 5.0 through 5.0.2 and 6.0 through 6.0 ...) NOT-FOR-US: IBM Jazz Reporting Service CVE-2017-1749 (IBM UrbanCode Deploy 6.1 through 6.9.6.0 could allow a remote attacker ...) NOT-FOR-US: IBM UrbanCode Deploy CVE-2017-1748 (IBM Connections 5.0, 5.5, and 6.0 could allow a remote attacker to con ...) NOT-FOR-US: IBM CVE-2017-1747 (A specially crafted message could cause a denial of service in IBM Web ...) NOT-FOR-US: IBM CVE-2017-1746 (IBM Jazz for Service Management (IBM Tivoli Components 1.1.3) is vulne ...) NOT-FOR-US: IBM Jazz for Service Management CVE-2017-1745 RESERVED CVE-2017-1744 RESERVED CVE-2017-1743 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a ...) NOT-FOR-US: IBM CVE-2017-1742 RESERVED CVE-2017-1741 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a ...) 
NOT-FOR-US: IBM CVE-2017-1740 (IBM Curam Social Program Management 6.0.5, 6.1.1, 6.2.0, 7.0.1, and 7. ...) NOT-FOR-US: IBM Curam Social Program Management CVE-2017-1739 (IBM Curam Social Program Management 6.0.5, 6.1.1, 6.2.0, and 7.0.1 is ...) NOT-FOR-US: IBM Curam Social Program Management CVE-2017-1738 (IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 c ...) NOT-FOR-US: IBM CVE-2017-1737 RESERVED CVE-2017-1736 RESERVED CVE-2017-1735 RESERVED CVE-2017-1734 (IBM Jazz Team Server affecting the following IBM Rational Products: Co ...) NOT-FOR-US: IBM CVE-2017-1733 (IBM QRadar 7.3 stores potentially sensitive information in log files t ...) NOT-FOR-US: IBM CVE-2017-1732 (IBM Security Access Manager for Enterprise Single Sign-On 8.2.2 does n ...) NOT-FOR-US: IBM CVE-2017-1731 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could provide ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2017-1730 RESERVED CVE-2017-1729 (IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 a ...) NOT-FOR-US: IBM CVE-2017-1728 RESERVED CVE-2017-1727 (IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 discloses sensitive ...) NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2017-1726 RESERVED CVE-2017-1725 (IBM Jazz Team Server affecting the following IBM Rational Products: Co ...) NOT-FOR-US: IBM CVE-2017-1724 (IBM Security QRadar SIEM 7.2 and 7.3 is vulnerable to cross-site scrip ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2017-1723 (IBM Security QRadar SIEM 7.2 and 7.3 could allow a remote attacker to ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2017-1722 (IBM Security QRadar SIEM 7.2 and 7.3 is vulnerable to SQL injection. A ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2017-1721 (IBM Security QRadar SIEM 7.2 and 7.3 could allow an unauthenticated us ...) NOT-FOR-US: IBM Security QRadar SIEM CVE-2017-1720 (IBM Notes 8.5 and 9.0 could allow a local attacker to execute arbitrar ...) 
NOT-FOR-US: IBM Notes CVE-2017-1719 RESERVED CVE-2017-1718 RESERVED CVE-2017-1717 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1716 (IBM Tivoli Workload Scheduler 8.6.0, 9.1.0, and 9.2.0 could disclose s ...) NOT-FOR-US: IBM Tivoli Workload Scheduler CVE-2017-1715 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1714 (IBM Notes and Domino NSD 8.5 and 9.0 could allow an authenticated loca ...) NOT-FOR-US: IBM Notes and Domino NSD CVE-2017-1713 (IBM InfoSphere Streams 4.2.1 uses weaker than expected cryptographic a ...) NOT-FOR-US: IBM CVE-2017-1712 ("A vulnerability in the TLS protocol implementation of the Domino serv ...) NOT-FOR-US: IBM CVE-2017-1711 (IBM iNotes 8.5 and 9.0 SUService can be misguided into running malicio ...) NOT-FOR-US: IBM iNotes CVE-2017-1710 (A vulnerability in the Service Assistant GUI in IBM Storwize V7000 (20 ...) NOT-FOR-US: IBM CVE-2017-1709 RESERVED CVE-2017-1708 RESERVED CVE-2017-1707 RESERVED CVE-2017-1706 RESERVED CVE-2017-1705 (IBM Security Privileged Identity Manager 2.1.0 contains left-over, sen ...) NOT-FOR-US: IBM CVE-2017-1704 RESERVED CVE-2017-1703 RESERVED CVE-2017-1702 RESERVED CVE-2017-1701 (IBM Team Concert (RTC) 5.0, 5.0.1, 5.0.2, 6.0, 6.0.1, 6.0.2, 6.0.3, 6. ...) NOT-FOR-US: IBM CVE-2017-1700 (IBM Jazz Team Server affecting the following IBM Rational Products: Co ...) NOT-FOR-US: IBM CVE-2017-1699 (IBM MQ Managed File Transfer Agent 8.0 and 9.0 sets insecure permissio ...) NOT-FOR-US: IBM MQ Managed File Transfer Agent CVE-2017-1698 (IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 could reveal sensitive inf ...) NOT-FOR-US: IBM WebSphere Portal CVE-2017-1697 RESERVED CVE-2017-1696 (IBM QRadar 7.2 and 7.3 could allow a remote authenticated attacker to ...) NOT-FOR-US: IBM QRadar CVE-2017-1695 (IBM QRadar SIEM 7.2 and 7.3 uses weaker than expected cryptographic al ...) 
NOT-FOR-US: IBM CVE-2017-1694 (IBM Integration Bus 9.0 and 10.0 transmits user credentials in plain i ...) NOT-FOR-US: IBM Integration Bus CVE-2017-1693 (IBM Integration Bus 9.0 and 10.0 could allow an attacker that has capt ...) NOT-FOR-US: IBM Integration Bus CVE-2017-1692 (IBM AIX 5.3, 6.1, 7.1, and 7.2 contains an unspecified vulnerability t ...) NOT-FOR-US: IBM AIX CVE-2017-1691 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1690 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1689 (IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site sc ...) NOT-FOR-US: IBM CVE-2017-1688 (IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site sc ...) NOT-FOR-US: IBM CVE-2017-1687 RESERVED CVE-2017-1686 RESERVED CVE-2017-1685 RESERVED CVE-2017-1684 RESERVED CVE-2017-1683 (IBM Connections Engagement Center 6.0 is vulnerable to cross-site scri ...) NOT-FOR-US: IBM Connections Engagement Center CVE-2017-1682 (IBM Connections 4.0, 4.5, 5.0, 5.5, and 6.0 is vulnerable to cross-sit ...) NOT-FOR-US: IBM Connections CVE-2017-1681 (IBM WebSphere Application Server (IBM Liberty for Java for Bluemix 3.1 ...) NOT-FOR-US: IBM WebSphere Application Server CVE-2017-1680 RESERVED CVE-2017-1679 (IBM OpenPages GRC Platform 7.2, 7.3, 7.4, and 8.0 could allow an attac ...) NOT-FOR-US: IBM CVE-2017-1678 (IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1677 (IBM Data Server Driver for JDBC and SQLJ (IBM DB2 for Linux, UNIX and ...) NOT-FOR-US: IBM CVE-2017-1676 RESERVED CVE-2017-1675 RESERVED CVE-2017-1674 RESERVED CVE-2017-1673 (IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 is vulnerable to cr ...) NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2017-1672 (IBM Tivoli Key Lifecycle Manager 2.6 and 2.7 is vulnerable to cross-si ...) 
NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2017-1671 (IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 could allow a remot ...) NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2017-1670 (IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 is vulnerable to SQ ...) NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2017-1669 (IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 stores sensitive in ...) NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2017-1668 (IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 could allow a remot ...) NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2017-1667 RESERVED CVE-2017-1666 (IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 is vulnerable to a ...) NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2017-1665 (IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 uses weaker than ex ...) NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2017-1664 (IBM Tivoli Key Lifecycle Manager 2.5, 2.6, and 2.7 uses weaker than ex ...) NOT-FOR-US: IBM Tivoli Key Lifecycle Manager CVE-2017-1663 RESERVED CVE-2017-1662 RESERVED CVE-2017-1661 RESERVED CVE-2017-1660 RESERVED CVE-2017-1659 ("HCL iNotes is susceptible to a Cross-Site Scripting (XSS) Vulnerabili ...) NOT-FOR-US: HCL iNotes CVE-2017-1658 RESERVED CVE-2017-1657 RESERVED CVE-2017-1656 RESERVED CVE-2017-1655 (IBM Jazz Foundation (IBM Rational Collaborative Lifecycle Management 5 ...) NOT-FOR-US: IBM CVE-2017-1654 (IBM Spectrum Scale 4.1.1 and 4.2.0 - 4.2.3 could allow a local unprivi ...) NOT-FOR-US: IBM CVE-2017-1653 (IBM Jazz Foundation (IBM Rational Collaborative Lifecycle Management 6 ...) NOT-FOR-US: IBM Jazz Foundation CVE-2017-1652 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1651 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1650 (IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site sc ...) 
NOT-FOR-US: IBM CVE-2017-1649 (IBM Rational Quality Manager (RQM) 5.0 through 5.02 and 6.0 through 6. ...) NOT-FOR-US: IBM CVE-2017-1648 RESERVED CVE-2017-1647 RESERVED CVE-2017-1646 RESERVED CVE-2017-1645 RESERVED CVE-2017-1644 RESERVED CVE-2017-1643 RESERVED CVE-2017-1642 RESERVED CVE-2017-1641 RESERVED CVE-2017-1640 RESERVED CVE-2017-1639 RESERVED CVE-2017-1638 RESERVED CVE-2017-1637 RESERVED CVE-2017-1636 RESERVED CVE-2017-1635 (IBM Tivoli Monitoring V6 6.2.2.x could allow a remote attacker to exec ...) NOT-FOR-US: IBM Tivoli Monitoring CVE-2017-1634 RESERVED CVE-2017-1633 (IBM Sterling B2B Integrator 5.2 through 5.2.6 could allow an authentic ...) NOT-FOR-US: IBM CVE-2017-1632 (IBM Sterling File Gateway 2.2 is vulnerable to cross-site scripting. T ...) NOT-FOR-US: IBM Sterling File Gateway CVE-2017-1631 (IBM Jazz for Service Management (IBM Tivoli Components 1.1.3) is vulne ...) NOT-FOR-US: IBM Jazz for Service Management CVE-2017-1630 RESERVED CVE-2017-1629 (IBM Jazz Foundation (IBM Rational Collaborative Lifecycle Management 5 ...) NOT-FOR-US: IBM CVE-2017-1628 (IBM Business Process Manager 8.6.0.0 allows authenticated users to sto ...) NOT-FOR-US: IBM CVE-2017-1627 RESERVED CVE-2017-1626 RESERVED CVE-2017-1625 (IBM Pulse for QRadar 1.0.0 - 1.0.3 discloses sensitive information to ...) NOT-FOR-US: IBM CVE-2017-1624 (IBM QRadar 7.3 and 7.3.1 specifies permissions for a security-critical ...) NOT-FOR-US: IBM CVE-2017-1623 (IBM QRadar 7.2 and 7.3 is vulnerable to cross-site scripting. This vul ...) NOT-FOR-US: IBM QRadar CVE-2017-1622 (IBM QRadar SIEM 7.2.8 and 7.3 does not validate, or incorrectly valida ...) NOT-FOR-US: IBM CVE-2017-1621 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) 
NOT-FOR-US: IBM CVE-2017-1620 RESERVED CVE-2017-1619 RESERVED CVE-2017-1618 RESERVED CVE-2017-1617 RESERVED CVE-2017-1616 RESERVED CVE-2017-1615 RESERVED CVE-2017-1614 RESERVED CVE-2017-1613 (IBM Connections 6.0 could allow an unauthenticated remote attacker to ...) NOT-FOR-US: IBM Connections CVE-2017-1612 (IBM WebSphere MQ 7.0, 7.1, 7.5, 8.0, and 9.0 service trace module coul ...) NOT-FOR-US: IBM WebSphere MQ CVE-2017-1611 RESERVED CVE-2017-1610 RESERVED CVE-2017-1609 (IBM Quality Manager (RQM) 5.0 through 5.0.2 and 6.0 through 6.0.6 are ...) NOT-FOR-US: IBM CVE-2017-1608 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1607 (IBM DOORS Next Generation (DNG/RRC) 6.0 is vulnerable to cross-site sc ...) NOT-FOR-US: IBM CVE-2017-1606 (IBM Financial Transaction Manager (FTM) for Multi-Platform (MP) 3.0.0. ...) NOT-FOR-US: IBM Financial Transaction Manager CVE-2017-1605 RESERVED CVE-2017-1604 (IBM Maximo Anywhere 7.5 and 7.6 is vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM Maximo Anywhere CVE-2017-1603 RESERVED CVE-2017-1602 (IBM RSA DM (IBM Rational Collaborative Lifecycle Management 5.0 and 6. ...) NOT-FOR-US: IBM CVE-2017-1601 (IBM Security Guardium 10.0, 10.0.1, and 10.1 through 10.1.4 Database A ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1600 (IBM Security Guardium 10.0 Database Activity Monitor is vulnerable to ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1599 RESERVED CVE-2017-1598 (IBM Security Guardium 10.0 Database Activity Monitor uses weaker than ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1597 (IBM Security Guardium 10.0, 10.0.1, 10.1, 10.1.2, 10.1.3, 10.1.4, and ...) NOT-FOR-US: IBM CVE-2017-1596 (IBM Security Guardium 10.0 Database Activity Monitor could allow a loc ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1595 (IBM Security Guardium 10.0 Database Activity Monitor could allow a loc ...) 
NOT-FOR-US: IBM Security Guardium CVE-2017-1594 RESERVED CVE-2017-1593 (IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1592 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1591 (IBM WebSphere DataPower Appliances 7.0.0 through 7.6 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1590 RESERVED CVE-2017-1589 RESERVED CVE-2017-1588 RESERVED CVE-2017-1587 RESERVED CVE-2017-1586 RESERVED CVE-2017-1585 RESERVED CVE-2017-1584 RESERVED CVE-2017-1583 (IBM WebSphere Application Server (IBM Liberty for Java for Bluemix 3.1 ...) NOT-FOR-US: IBM CVE-2017-1582 RESERVED CVE-2017-1581 RESERVED CVE-2017-1580 RESERVED CVE-2017-1579 RESERVED CVE-2017-1578 RESERVED CVE-2017-1577 (IBM WebSphere Portal 7.0, 8.0, 8.5, and 9.0 could allow a remote attac ...) NOT-FOR-US: IBM CVE-2017-1576 RESERVED CVE-2017-1575 (IBM Sterling B2B Integrator Standard Edition (IBM Sterling File Gatewa ...) NOT-FOR-US: IBM CVE-2017-1574 RESERVED CVE-2017-1573 RESERVED CVE-2017-1572 RESERVED CVE-2017-1571 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2017-1570 (IBM Jazz Foundation products could allow an authenticated user to obta ...) NOT-FOR-US: IBM CVE-2017-1569 (IBM WebSphere Commerce 7.0 and 8.0 contains an unspecified vulnerabili ...) NOT-FOR-US: IBM CVE-2017-1568 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1567 (IBM Doors Web Access 9.5 and 9.6 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM Doors Web Access CVE-2017-1566 RESERVED CVE-2017-1565 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1564 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1563 (IBM Doors Web Access 9.5 and 9.6 is vulnerable to cross-site scripting ...) 
NOT-FOR-US: IBM Doors Web Access CVE-2017-1562 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1561 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1560 (IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1559 (Multiple IBM Rational products could disclose sensitive information by ...) NOT-FOR-US: IBM CVE-2017-1558 (IBM Maximo Asset Management 7.5 and 7.6 could allow a remote attacker ...) NOT-FOR-US: IBM Maximo Asset Management CVE-2017-1557 (IBM WebSphere MQ 8.0 and 9.0 could allow an authenticated user with au ...) NOT-FOR-US: IBM WebSphere MQ CVE-2017-1556 (IBM API Connect 5.0.7.0 through 5.0.7.2 is vulnerable to a regular exp ...) NOT-FOR-US: IBM CVE-2017-1555 (IBM API Connect 5.0.0.0 through 5.0.7.2 could allow an authenticated u ...) NOT-FOR-US: IBM CVE-2017-1554 (IBM Infosphere BigInsights 4.2.0 and 4.2.5 could allow a remote attack ...) NOT-FOR-US: IBM CVE-2017-1553 (IBM Infosphere BigInsights 4.2.0 and 4.2.5 is vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2017-1552 (IBM Infosphere BigInsights 4.2.0 and 4.2.5 is vulnerable to link injec ...) NOT-FOR-US: IBM CVE-2017-1551 (IBM API Connect 5.0.0.0 through 5.0.7.2 could allow a remote attacker ...) NOT-FOR-US: IBM CVE-2017-1550 (IBM Sterling File Gateway 2.2 could allow an authenticated user to cha ...) NOT-FOR-US: IBM Sterling File Gateway CVE-2017-1549 (IBM Sterling File Gateway 2.2 is vulnerable to cross-site scripting. T ...) NOT-FOR-US: IBM Sterling File Gateway CVE-2017-1548 (IBM Sterling File Gateway 2.2 could allow a remote attacker to travers ...) NOT-FOR-US: IBM Sterling File Gateway CVE-2017-1547 RESERVED CVE-2017-1546 (IBM DOORS Next Generation (DNG/RRC) 4.07, 5.0, and 6.0 is vulnerable t ...) NOT-FOR-US: IBM DOORS Next Generation CVE-2017-1545 (IBM Doors Web Access 9.5 and 9.6 could allow an attacker with physical ...) 
NOT-FOR-US: IBM Doors Web Access CVE-2017-1544 (IBM Sterling B2B Integrator Standard Edition (IBM Sterling File Gatewa ...) NOT-FOR-US: IBM CVE-2017-1543 RESERVED CVE-2017-1542 RESERVED CVE-2017-1541 (A flaw in the AIX 5.3, 6.1, 7.1, and 7.2 JRE/SDK installp and updatep ...) NOT-FOR-US: IBM CVE-2017-1540 (IBM Doors Web Access 9.5 and 9.6 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM Doors Web Access CVE-2017-1539 (IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to privil ...) NOT-FOR-US: IBM CVE-2017-1538 (IBM Financial Transaction Manager for ACH Services for Multi-Platform ...) NOT-FOR-US: IBM CVE-2017-1537 RESERVED CVE-2017-1536 (IBM Support Tools for Lotus WCM (IBM WebSphere Portal 7.0, 8.0, 8.5 an ...) NOT-FOR-US: IBM Support Tools for Lotus WCM CVE-2017-1535 (IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2017-1534 (IBM Security Access Manager Appliance 8.0.0 and 9.0.0 could allow a re ...) NOT-FOR-US: IBM Security Access Manager Appliance CVE-2017-1533 (IBM Security Access Manager Appliance 9.0.3 is vulnerable to cross-sit ...) NOT-FOR-US: IBM Security Access Manager Appliance CVE-2017-1532 (IBM DOORS 9.5 and 9.6 is vulnerable to cross-site scripting. This vuln ...) NOT-FOR-US: IBM DOORS CVE-2017-1531 (IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to cross- ...) NOT-FOR-US: IBM CVE-2017-1530 (IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to cross- ...) NOT-FOR-US: IBM CVE-2017-1529 RESERVED CVE-2017-1528 RESERVED CVE-2017-1527 (IBM Business Process Manager 7.5, 8.0, and 8.5 is vulnerable to a XML ...) NOT-FOR-US: IBM CVE-2017-1526 RESERVED CVE-2017-1525 RESERVED CVE-2017-1524 (IBM Jazz Foundation (IBM Rational Collaborative Lifecycle Management 5 ...) NOT-FOR-US: IBM CVE-2017-1523 (IBM InfoSphere Master Data Management - Collaborative Edition 11.5 cou ...) 
NOT-FOR-US: IBM CVE-2017-1522 (IBM Content Navigator & CMIS 2.0.3, 3.0.0, and 3.0.1 is vulnerable ...) NOT-FOR-US: IBM CVE-2017-1521 (IBM Tivoli Endpoint Manager (for Lifecycle/Power/Patch) Platform and A ...) NOT-FOR-US: IBM Tivoli Endpoint Manager CVE-2017-1520 (IBM DB2 9.7, 10,1, 10.5, and 11.1 is vulnerable to an unauthorized com ...) NOT-FOR-US: IBM CVE-2017-1519 (IBM DB2 10.5 and 11.1 contains a denial of service vulnerability. A re ...) NOT-FOR-US: IBM CVE-2017-1518 RESERVED CVE-2017-1517 RESERVED CVE-2017-1516 (IBM Doors Web Access 9.5 and 9.6 could allow a remote attacker to hija ...) NOT-FOR-US: IBM Doors Web Access CVE-2017-1515 (IBM Doors Web Access 9.5 and 9.6 could allow an authenticated user to ...) NOT-FOR-US: IBM Doors Web Access CVE-2017-1514 RESERVED CVE-2017-1513 RESERVED CVE-2017-1512 RESERVED CVE-2017-1511 RESERVED CVE-2017-1510 RESERVED CVE-2017-1509 (IBM Jazz Foundation products could allow an authenticated user to obta ...) NOT-FOR-US: IBM CVE-2017-1508 (IBM Informix Dynamic Server 12.1 could allow a local user logged in wi ...) NOT-FOR-US: IBM CVE-2017-1507 (IBM Jazz Foundation Products could disclose sensitive information duri ...) NOT-FOR-US: IBM Jazz Foundation Products CVE-2017-1506 (IBM Cognos TM1 10.2 and 10.2.2 is vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM Cognos TM1 CVE-2017-1505 RESERVED CVE-2017-1504 (IBM WebSphere Application Server version 9.0.0.4 could provide weaker ...) NOT-FOR-US: IBM CVE-2017-1503 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable ...) NOT-FOR-US: IBM CVE-2017-1502 (IBM Content Navigator & CMIS 2.0.3, 3.0.0, and 3.0.1 is vulnerable ...) NOT-FOR-US: IBM CVE-2017-1501 (IBM WebSphere Application Server 8.0, 8.5, and 9.0 could provide weake ...) NOT-FOR-US: IBM CVE-2017-1500 (A Reflected Cross Site Scripting (XSS) vulnerability exists in the aut ...) NOT-FOR-US: IBM CVE-2017-1499 (IBM Maximo Asset Management 7.5 and 7.6 could allow a remote attacker ...) 
NOT-FOR-US: IBM Maximo Asset Management CVE-2017-1498 (IBM Connections 5.5 is vulnerable to cross-site scripting. This vulner ...) NOT-FOR-US: IBM CVE-2017-1497 (IBM Sterling File Gateway 2.2 could allow an unauthorized user to view ...) NOT-FOR-US: IBM CVE-2017-1496 (IBM Sterling B2B Integrator Standard Edition 5.2.x is vulnerable to cr ...) NOT-FOR-US: IBM CVE-2017-1495 (IBM InfoSphere Information Server 9.1, 11.3, and 11.5 could allow a pr ...) NOT-FOR-US: IBM CVE-2017-1494 (IBM Business Process Manager 8.5 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM Business Process Manager CVE-2017-1493 (IBM UrbanCode Deploy (UCD) 6.1 and 6.2 could allow an authenticated us ...) NOT-FOR-US: IBM UrbanCode Deploy CVE-2017-1492 RESERVED CVE-2017-1491 (IBM QRadar Network Security 5.4 supports interaction between multiple ...) NOT-FOR-US: IBM CVE-2017-1490 (An unspecified vulnerability in the Lifecycle Query Engine of Jazz Rep ...) NOT-FOR-US: IBM CVE-2017-1489 (IBM Security Access Manager 6.1, 7.0, 8.0, and 9.0 e-community configu ...) NOT-FOR-US: IBM CVE-2017-1488 (An undisclosed vulnerability in Jazz common products exists with poten ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-1487 (IBM Sterling File Gateway 2.2 could allow an authenticated attacker to ...) NOT-FOR-US: IBM CVE-2017-1486 (IBM Cognos Business Intelligence 10.2, 10.2.1, 10.2.1.1, and 10.2.2 is ...) NOT-FOR-US: IBM CVE-2017-1485 (IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2017-1484 (IBM WebSphere Commerce Enterprise, Professional, Express, and Develope ...) NOT-FOR-US: IBM CVE-2017-1483 (IBM Security Identity Manager Adapters 6.0 and 7.0 does not perform an ...) NOT-FOR-US: IBM CVE-2017-1482 (IBM Sterling B2B Integrator Standard Edition 5.2 is vulnerable to cros ...) NOT-FOR-US: IBM CVE-2017-1481 (IBM Sterling B2B Integrator Standard Edition 5.2 allows a user to view ...) 
NOT-FOR-US: IBM CVE-2017-1480 (IBM Security Access Manager Appliance 8.0.0 through 8.0.1.6, and 9.0.0 ...) NOT-FOR-US: IBM Security Access Manager Appliance CVE-2017-1479 RESERVED CVE-2017-1478 (IBM Security Access Manager Appliance 9.0.0 allows web pages to be sto ...) NOT-FOR-US: IBM Security Access Manager Appliance CVE-2017-1477 (IBM Security Access Manager Appliance 9.0.3 is vulnerable to a XML Ext ...) NOT-FOR-US: IBM CVE-2017-1476 (IBM Security Access Manager Appliance 7.0.0, 8.0.0 through 8.0.1.6, an ...) NOT-FOR-US: IBM Security Access Manager Appliance CVE-2017-1475 RESERVED CVE-2017-1474 (IBM Security Access Manager Appliance 7.0.0, 8.0.0 through 8.0.1.6, an ...) NOT-FOR-US: IBM Security Access Manager Appliance CVE-2017-1473 (IBM Security Access Manager Appliance 8.0.0 through 8.0.1.6 and 9.0.0 ...) NOT-FOR-US: IBM CVE-2017-1472 RESERVED CVE-2017-1471 RESERVED CVE-2017-1470 RESERVED CVE-2017-1469 (IBM InfoSphere Information Server 9.1, 11.3, and 11.5 could allow a lo ...) NOT-FOR-US: IBM CVE-2017-1468 (IBM InfoSphere Information Server 9.1, 11.3, and 11.5 could allow a lo ...) NOT-FOR-US: IBM CVE-2017-1467 (A network layer security vulnerability in InfoSphere Information Serve ...) NOT-FOR-US: IBM CVE-2017-1466 RESERVED CVE-2017-1465 (IBM TRIRIGA 3.2, 3.3, 3.4, and 3.5 could allow a remote attacker to hi ...) NOT-FOR-US: IBM CVE-2017-1464 RESERVED CVE-2017-1463 RESERVED CVE-2017-1462 (IBM Rhapsody DM 5.0 and 6.0 is vulnerable to cross-site scripting. Thi ...) NOT-FOR-US: IBM Rhapsody DM CVE-2017-1461 (IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1460 (IBM i OSPF 6.1, 7.1, 7.2, and 7.3 is vulnerable when a rogue router sp ...) NOT-FOR-US: IBM CVE-2017-1459 (IBM Security Access Manager Appliance 8.0.0 and 9.0.0 specifies permis ...) NOT-FOR-US: IBM Security Access Manager Appliance CVE-2017-1458 (IBM QRadar Network Security 5.4 is vulnerable to a XML External Entity ...) 
NOT-FOR-US: IBM CVE-2017-1457 (IBM QRadar Network Security 5.4 is vulnerable to cross-site scripting. ...) NOT-FOR-US: IBM CVE-2017-1456 RESERVED CVE-2017-1455 RESERVED CVE-2017-1454 RESERVED CVE-2017-1453 (IBM Security Access Manager Appliance 9.0.3 could allow a remote authe ...) NOT-FOR-US: IBM CVE-2017-1452 (IBM DB2 for Linux, UNIX and Windows 9.7, 10,1, 10.5, and 11.1 (include ...) NOT-FOR-US: IBM CVE-2017-1451 (IBM DB2 for Linux, UNIX and Windows 9.7, 10,1, 10.5, and 11.1 (include ...) NOT-FOR-US: IBM CVE-2017-1450 (IBM Emptoris Sourcing 9.5 - 10.1.3 could allow a remote attacker to co ...) NOT-FOR-US: IBM CVE-2017-1449 (IBM Emptoris Sourcing 9.5 - 10.1.3 could allow a remote attacker to co ...) NOT-FOR-US: IBM CVE-2017-1448 (IBM Emptoris Supplier Lifecycle Management 10.0.x and 10.1.x could all ...) NOT-FOR-US: IBM CVE-2017-1447 (IBM Emptoris Sourcing 9.5 - 10.1.3 is vulnerable to cross-site scripti ...) NOT-FOR-US: IBM CVE-2017-1446 (IBM Emptoris Spend Analysis 9.5.0.0 through 10.1.1 is vulnerable to cr ...) NOT-FOR-US: IBM CVE-2017-1445 (IBM Emptoris Spend Analysis 9.5.0.0 through 10.1.1 is vulnerable to cr ...) NOT-FOR-US: IBM CVE-2017-1444 (IBM Emptoris Sourcing 9.5 - 10.1.3 is vulnerable to cross-site scripti ...) NOT-FOR-US: IBM CVE-2017-1443 (IBM Emptoris Services Procurement 10.0.0.5 is vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2017-1442 (IBM Emptoris Services Procurement 10.0.0.5 is vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2017-1441 (IBM Emptoris Services Procurement 10.0.0.5 could allow a local user to ...) NOT-FOR-US: IBM CVE-2017-1440 (IBM Emptoris Services Procurement 10.0.0.5 could allow a remote attack ...) NOT-FOR-US: IBM CVE-2017-1439 (IBM DB2 for Linux, UNIX and Windows 9.7, 10,1, 10.5, and 11.1 (include ...) NOT-FOR-US: IBM CVE-2017-1438 (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1 (include ...) 
NOT-FOR-US: IBM CVE-2017-1437 RESERVED CVE-2017-1436 RESERVED CVE-2017-1435 RESERVED CVE-2017-1434 (IBM DB2 for Linux, UNIX and Windows 11.1 (includes DB2 Connect Server) ...) NOT-FOR-US: IBM CVE-2017-1433 (IBM WebSphere MQ 7.5, 8.0, and 9.0 could allow an authenticated user t ...) NOT-FOR-US: IBM CVE-2017-1432 RESERVED CVE-2017-1431 (IBM InfoSphere Streams 4.0, 4.1, and 4.2 is vulnerable to cross-site s ...) NOT-FOR-US: IBM CVE-2017-1430 RESERVED CVE-2017-1429 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2017-1428 (IBM Cognos Analytics 11.0 could allow a remote attacker to hijack the ...) NOT-FOR-US: IBM CVE-2017-1427 (IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2017-1426 RESERVED CVE-2017-1425 (IBM Business Process Manager 8.0.1.1 and 8.5.7 is vulnerable to cross- ...) NOT-FOR-US: IBM CVE-2017-1424 (IBM Business Process Manager 8.5.7 is vulnerable to cross-site scripti ...) NOT-FOR-US: IBM CVE-2017-1423 (IBM WebSphere Portal 8.5 and 9.0 exposes backend server URLs that are ...) NOT-FOR-US: IBM WebSphere Portal CVE-2017-1422 (IBM MaaS360 DTM all versions up to 3.81 does not perform proper verifi ...) NOT-FOR-US: IBM CVE-2017-1421 (IBM iNotes is vulnerable to cross-site scripting. This vulnerability a ...) NOT-FOR-US: IBM iNotes CVE-2017-1420 RESERVED CVE-2017-1419 RESERVED CVE-2017-1418 (IBM Integration Bus 9.0.0.0, 9.0.0.11, 10.0.0.0, and 10.0.0.14 (includ ...) NOT-FOR-US: IBM CVE-2017-1417 RESERVED CVE-2017-1416 RESERVED CVE-2017-1415 RESERVED CVE-2017-1414 RESERVED CVE-2017-1413 RESERVED CVE-2017-1412 (IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 ...) NOT-FOR-US: IBM CVE-2017-1411 (IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 ...) NOT-FOR-US: IBM CVE-2017-1410 RESERVED CVE-2017-1409 (IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 ...) 
NOT-FOR-US: IBM CVE-2017-1408 RESERVED CVE-2017-1407 (IBM Security Identity Manager Virtual Appliance 6.0 and 7.0 could allo ...) NOT-FOR-US: IBM CVE-2017-1406 RESERVED CVE-2017-1405 (IBM Security Identity Manager Virtual Appliance 7.0 processes patches, ...) NOT-FOR-US: IBM Security Identity Manager Virtual Appliance CVE-2017-1404 RESERVED CVE-2017-1403 RESERVED CVE-2017-1402 RESERVED CVE-2017-1401 RESERVED CVE-2017-1400 RESERVED CVE-2017-1399 RESERVED CVE-2017-1398 (IBM WebSphere Commerce Enterprise, Professional, Express, and Develope ...) NOT-FOR-US: IBM CVE-2017-1397 RESERVED CVE-2017-1396 (IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 ...) NOT-FOR-US: IBM CVE-2017-1395 (IBM Security Identity Governance and Intelligence Virtual Appliance 5. ...) NOT-FOR-US: IBM CVE-2017-1394 RESERVED CVE-2017-1393 RESERVED CVE-2017-1392 RESERVED CVE-2017-1391 RESERVED CVE-2017-1390 RESERVED CVE-2017-1389 RESERVED CVE-2017-1388 RESERVED CVE-2017-1387 RESERVED CVE-2017-1386 (IBM API Connect 5.0.0.0 could allow a user to bypass policy restrictio ...) NOT-FOR-US: IBM CVE-2017-1385 RESERVED CVE-2017-1384 RESERVED CVE-2017-1383 (IBM InfoSphere Information Server 9.1, 11.3, and 11.5 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1382 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 might create f ...) NOT-FOR-US: IBM CVE-2017-1381 (IBM WebSphere Application Server Proxy Server or On-demand-router (ODR ...) NOT-FOR-US: IBM CVE-2017-1380 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable ...) NOT-FOR-US: IBM CVE-2017-1379 (IBM API Connect 5.0.0.0 could allow a remote attacker to obtain sensit ...) NOT-FOR-US: IBM CVE-2017-1378 (IBM Spectrum Protect 7.1 and 8.1 (formerly Tivoli Storage Manager) dis ...) NOT-FOR-US: IBM CVE-2017-1377 (IBM Runbook Automation reveals sensitive information in error messages ...) NOT-FOR-US: IBM CVE-2017-1376 (A flaw in the IBM J9 VM class verifier allows untrusted code to disabl ...) 
NOT-FOR-US: IBM JDK CVE-2017-1375 (IBM System Storage Storwize V7000 Unified (V7000U) 1.5 and 1.6 uses we ...) NOT-FOR-US: IBM CVE-2017-1374 (Sensitive data can be exposed in the IBM TRIRIGA Application Platform ...) NOT-FOR-US: IBM CVE-2017-1373 (Reports executed in the IBM TRIRIGA Application Platform 3.3, 3.4, and ...) NOT-FOR-US: IBM CVE-2017-1372 (IBM TRIRIGA Application Platform 3.3, 3.4, and 3.5 is vulnerable to cr ...) NOT-FOR-US: IBM CVE-2017-1371 (Builder tools running in the IBM TRIRIGA Application Platform 3.3, 3.4 ...) NOT-FOR-US: IBM CVE-2017-1370 (IBM Jazz Reporting Service (JRS) 5.0 and 6.0 could disclose sensitive ...) NOT-FOR-US: IBM CVE-2017-1369 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2017-1368 (IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 ...) NOT-FOR-US: IBM CVE-2017-1367 (IBM Security Identity Governance and Intelligence Virtual Appliance 5. ...) NOT-FOR-US: IBM CVE-2017-1366 (IBM Security Identity Governance Virtual Appliance 5.2 through 5.2.3.2 ...) NOT-FOR-US: IBM CVE-2017-1365 (IBM Team Concert (RTC including IBM Rational Collaborative Lifecycle M ...) NOT-FOR-US: IBM Team Concert CVE-2017-1364 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2017-1363 (IBM Team Concert (RTC) is vulnerable to cross-site scripting. This vul ...) NOT-FOR-US: IBM CVE-2017-1362 (IBM Security Identity Manager Adapters 6.0 and 7.0 stores user credent ...) NOT-FOR-US: IBM CVE-2017-1361 RESERVED CVE-2017-1360 RESERVED CVE-2017-1359 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2017-1358 RESERVED CVE-2017-1357 (IBM Maximo Asset Management 7.5 and 7.6 could allow an authenticated u ...) NOT-FOR-US: IBM CVE-2017-1356 (IBM Atlas eDiscovery Process Management 6.0.3 is vulnerable to SQL inj ...) 
NOT-FOR-US: IBM CVE-2017-1355 (IBM Atlas eDiscovery Process Management 6.0.3 stores sensitive informa ...) NOT-FOR-US: IBM CVE-2017-1354 (IBM Atlas eDiscovery Process Management 6.0.3 is vulnerable to cross-s ...) NOT-FOR-US: IBM CVE-2017-1353 (IBM Atlas eDiscovery Process Management 6.0.3 could allow an authentic ...) NOT-FOR-US: IBM CVE-2017-1352 (IBM Maximo Asset Management 7.5 and 7.6 could allow an authenticated u ...) NOT-FOR-US: IBM CVE-2017-1351 RESERVED CVE-2017-1350 (IBM InfoSphere Information Server 9.1, 11.3, 11.5, and 11.7 could allo ...) NOT-FOR-US: IBM InfoSphere Information Server CVE-2017-1349 (IBM Sterling B2B Integrator Standard Edition 5.2 stores potentially se ...) NOT-FOR-US: IBM CVE-2017-1348 (IBM Sterling B2B Integrator Standard Edition 5.2 is vulnerable to cros ...) NOT-FOR-US: IBM CVE-2017-1347 (IBM Sterling B2B Integrator Standard Edition 5.2 is vulnerable to SQL ...) NOT-FOR-US: IBM CVE-2017-1346 (IBM Business Process Manager 7.5, 8.0, and 8.5 temporarily stores file ...) NOT-FOR-US: IBM CVE-2017-1345 (IBM Insights Foundation for Energy 2.0 is vulnerable to cross-site scr ...) NOT-FOR-US: IBM CVE-2017-1344 RESERVED CVE-2017-1343 RESERVED CVE-2017-1342 (IBM Insights Foundation for Energy 2.0 could reveal sensitive informat ...) NOT-FOR-US: IBM CVE-2017-1341 (IBM WebSphere MQ 8.0 and 9.0 could allow, under special circumstances, ...) NOT-FOR-US: IBM CVE-2017-1340 (IBM Jazz Reporting Service (JRS) 6.0.4 could allow an authenticated us ...) NOT-FOR-US: IBM CVE-2017-1339 (IBM Spectrum Protect 7.1 and 8.1 (formerly Tivoli Storage Manager) Ser ...) NOT-FOR-US: IBM CVE-2017-1338 (IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0, and 6.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1337 (IBM WebSphere MQ 9.0.1 and 9.0.2 Java/JMS application can incorrectly ...) NOT-FOR-US: IBM CVE-2017-1336 (IBM Infosphere BigInsights 4.2.0 could allow an attacker to inject cod ...) 
NOT-FOR-US: IBM CVE-2017-1335 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2017-1334 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2017-1333 (IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 could allow an unauthenti ...) NOT-FOR-US: IBM CVE-2017-1332 (IBM iNotes 8.5 and 9.0 is vulnerable to cross-site scripting. This vul ...) NOT-FOR-US: IBM CVE-2017-1331 (IBM Content Navigator 2.0.3 and 3.0.0 is vulnerable to cross-site scri ...) NOT-FOR-US: IBM CVE-2017-1330 RESERVED CVE-2017-1329 (IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 are vulnerable t ...) NOT-FOR-US: IBM Quality Manager CVE-2017-1328 (IBM API Connect 5.0.0.0 - 5.0.6.0 could allow a remote attacker to byp ...) NOT-FOR-US: IBM CVE-2017-1327 (IBM iNotes 8.5 and 9.0 is vulnerable to cross-site scripting. This vul ...) NOT-FOR-US: IBM CVE-2017-1326 (IBM Sterling File Gateway does not properly restrict user requests bas ...) NOT-FOR-US: IBM CVE-2017-1325 (IBM iNotes 8.5 and 9.0 is vulnerable to cross-site scripting. This vul ...) NOT-FOR-US: IBM CVE-2017-1324 (IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This ...) NOT-FOR-US: IBM CVE-2017-1323 RESERVED CVE-2017-1322 (IBM API Connect 5.0.6.0 is vulnerable to an XML External Entity Inject ...) NOT-FOR-US: IBM CVE-2017-1321 (IBM InfoSphere Information Server 9.1, 11.3, and 11.5 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1320 (IBM Tivoli Federated Identity Manager 6.2 is vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2017-1319 (IBM Tivoli Federated Identity Manager 6.2 is affected by a vulnerabili ...) NOT-FOR-US: IBM CVE-2017-1318 (IBM MQ Appliance 8.0 and 9.0 could allow an authenticated messaging ad ...) NOT-FOR-US: IBM CVE-2017-1317 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1316 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) 
NOT-FOR-US: IBM CVE-2017-1315 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1314 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1313 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1312 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1311 (IBM Insights Foundation for Energy 2.0 is vulnerable to SQL injection. ...) NOT-FOR-US: IBM CVE-2017-1310 (IBM Informix Dynamic Server 12.1 could allow an authenticated user to ...) NOT-FOR-US: IBM CVE-2017-1309 (IBM InfoSphere Master Data Management Server 11.0 - 11.6 stores user c ...) NOT-FOR-US: IBM CVE-2017-1308 (IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5.1 and 5.0 ...) NOT-FOR-US: IBM CVE-2017-1307 RESERVED CVE-2017-1306 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1305 (IBM DOORS Next Generation (DNG/RRC) 6.0.2 and 6.0.3 is vulnerable to c ...) NOT-FOR-US: IBM CVE-2017-1304 (IBM has identified a vulnerability with IBM Spectrum Scale/GPFS utiliz ...) NOT-FOR-US: IBM CVE-2017-1303 (IBM WebSphere Portal and Web Content Manager 7.0, 8.0, 8.5, and 9.0 is ...) NOT-FOR-US: IBM CVE-2017-1302 (IBM Sterling B2B Integrator Standard Edition 5.2 could allow a local u ...) NOT-FOR-US: IBM CVE-2017-1301 (IBM Spectrum Protect 7.1 and 8.1 could allow a local attacker to launc ...) NOT-FOR-US: IBM CVE-2017-1300 (IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 is vulnerable to cross-si ...) NOT-FOR-US: IBM CVE-2017-1299 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1298 REJECTED CVE-2017-1297 (IBM DB2 for Linux, UNIX and Windows 9.2, 10.1, 10.5, and 11.1 (include ...) NOT-FOR-US: IBM CVE-2017-1296 RESERVED CVE-2017-1295 (IBM RSA DM contains unspecified vulnerability in CLM Applications with ...) 
NOT-FOR-US: IBM CVE-2017-1294 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1293 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1292 (IBM Maximo Asset Management 7.5 and 7.6 generates error messages that ...) NOT-FOR-US: IBM CVE-2017-1291 (IBM Maximo Asset Management 7.5 and 7.6 is vulnerable to HTTP response ...) NOT-FOR-US: IBM CVE-2017-1290 (IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 is vulnerable to cross-si ...) NOT-FOR-US: IBM CVE-2017-1289 (IBM SDK, Java Technology Edition is vulnerable XML External Entity Inj ...) NOT-FOR-US: IBM JDK CVE-2017-1288 RESERVED CVE-2017-1287 (IBM Rhapsody DM 5.0 and 6.0 could allow a remote attacker to conduct p ...) NOT-FOR-US: IBM CVE-2017-1286 (Sensitive information about the configuration of the IBM UrbanCode Dep ...) NOT-FOR-US: IBM UrbanCode Deploy CVE-2017-1285 (IBM WebSphere MQ 9.0.1 and 9.0.2 could allow an authenticated user wit ...) NOT-FOR-US: IBM CVE-2017-1284 (IBM WebSphere MQ 9.0.1 and 9.0.2 could allow a local user with ability ...) NOT-FOR-US: IBM CVE-2017-1283 (IBM WebSphere MQ 8.0 and 9.0 could allow an authenticated user to caus ...) NOT-FOR-US: IBM CVE-2017-1282 (IBM Content Navigator & CMIS 2.0 and 3.0 is vulnerable to cross-si ...) NOT-FOR-US: IBM CVE-2017-1281 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1280 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1279 (IBM Tealeaf Customer Experience 8.7, 8.8, and 9.0.2 could allow a remo ...) NOT-FOR-US: IBM Tealeaf Customer Experience CVE-2017-1278 (IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0 and 6.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1277 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1276 (IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0 and 6.0 is vulnerable to ...) 
NOT-FOR-US: IBM CVE-2017-1275 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1274 (IBM Domino 8.5.3, and 9.0 is vulnerable to a stack based overflow in t ...) NOT-FOR-US: IBM CVE-2017-1273 RESERVED CVE-2017-1272 (IBM Security Guardium 10.0 and 10.5 stores sensitive information in UR ...) NOT-FOR-US: IBM CVE-2017-1271 (IBM Security Guardium 9.0, 9.1, and 9.5 supports interaction between m ...) NOT-FOR-US: IBM CVE-2017-1270 (IBM Security Guardium 10.0 does not renew a session variable after a s ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1269 (IBM Security Guardium 10.0 and 10.1 is vulnerable to SQL injection. A ...) NOT-FOR-US: IBM CVE-2017-1268 (IBM Security Guardium 10 and 10.5 uses a one-way cryptographic hash ag ...) NOT-FOR-US: IBM CVE-2017-1267 (IBM Security Guardium 10.0 and 10.1 processes patches, image backups a ...) NOT-FOR-US: IBM CVE-2017-1266 (IBM Security Guardium 10.0 specifies permissions for a security-critic ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1265 (IBM Security Guardium 10.0, 10.0.1, 10.1, 10.1.2, 10.1.3, 10.1.4, and ...) NOT-FOR-US: IBM CVE-2017-1264 (IBM Security Guardium 10.0 does not prove or insufficiently proves tha ...) NOT-FOR-US: IBM CVE-2017-1263 RESERVED CVE-2017-1262 (IBM Security Guardium 10.0 is vulnerable to HTTP response splitting at ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1261 (IBM Security Guardium 10.0 stores potentially sensitive information in ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1260 RESERVED CVE-2017-1259 RESERVED CVE-2017-1258 (IBM Security Guardium 10.0 and 10.1 does not perform an authentication ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1257 (IBM Security Guardium 10.0 discloses sensitive information to unauthor ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1256 (IBM Security Guardium 10.0, 10.1 is vulnerable to cross-site scripting ...) 
NOT-FOR-US: IBM Security Guardium CVE-2017-1255 (IBM Security Guardium 10.0, 10.0.1, and 10.1 through 10.1.4 uses weake ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1254 (IBM Security Guardium 10.0 is vulnerable to a XML External Entity Inje ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1253 (IBM Security Guardium 10.0 could allow a remote authenticated attacker ...) NOT-FOR-US: IBM Security Guardium CVE-2017-1252 RESERVED CVE-2017-1251 (An undisclosed vulnerability in CLM applications may result in some ad ...) NOT-FOR-US: IBM CVE-2017-1250 (IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle ...) NOT-FOR-US: IBM CVE-2017-1249 (IBM Rhapsody DM 5.0 and 6.0 is vulnerable to cross-site scripting. Thi ...) NOT-FOR-US: IBM CVE-2017-1248 (IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 are vulnerable t ...) NOT-FOR-US: IBM Quality Manager CVE-2017-1247 (IBM DOORS Next Generation (DNG/RRC) 4.0, 5.0 and 6.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1246 RESERVED CVE-2017-1245 (IBM Rational Software Architect Design Manager 5.0 and 6.0 is vulnerab ...) NOT-FOR-US: IBM CVE-2017-1244 RESERVED CVE-2017-1243 RESERVED CVE-2017-1242 (IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 are vulnerable t ...) NOT-FOR-US: IBM Quality Manager CVE-2017-1241 (An unspecified vulnerability in IBM Jazz Foundation based applications ...) NOT-FOR-US: IBM CVE-2017-1240 (IBM Rhapsody DM products could reveal sensitive information in HTTP 50 ...) NOT-FOR-US: IBM CVE-2017-1239 (IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 could reveal sen ...) NOT-FOR-US: IBM Quality Manager CVE-2017-1238 (IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 are vulnerable t ...) NOT-FOR-US: IBM Quality Manager CVE-2017-1237 (IBM Jazz based applications are vulnerable to cross-site scripting. Th ...) NOT-FOR-US: IBM CVE-2017-1236 (IBM WebSphere MQ 9.0.2 could allow an authenticated user to potentiall ...) 
NOT-FOR-US: IBM CVE-2017-1235 (IBM WebSphere MQ 8.0 could allow an authenticated user to cause a prem ...) NOT-FOR-US: IBM CVE-2017-1234 (IBM QRadar 7.2 and 7.3 is vulnerable to cross-site scripting. This vul ...) NOT-FOR-US: IBM CVE-2017-1233 (IBM Remote Control v9 could allow a local user to use the component to ...) NOT-FOR-US: IBM Remote Control CVE-2017-1232 (IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) transmit ...) NOT-FOR-US: IBM Tivoli Endpoint Manager CVE-2017-1231 (IBM BigFix Platform 9.5 - 9.5.9 stores user credentials in plain in cl ...) NOT-FOR-US: IBM CVE-2017-1230 (IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) uses ins ...) NOT-FOR-US: IBM Tivoli Endpoint Manager CVE-2017-1229 (IBM Tivoli Endpoint Manager (IBM BigFix 9.2 and 9.5) could allow a rem ...) NOT-FOR-US: IBM CVE-2017-1228 (IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) could al ...) NOT-FOR-US: IBM Tivoli Endpoint Manager CVE-2017-1227 (IBM Tivoli Endpoint Manager could allow a unauthorized user to consume ...) NOT-FOR-US: IBM CVE-2017-1226 (IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) generate ...) NOT-FOR-US: IBM Tivoli Endpoint Manager CVE-2017-1225 (IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) stores s ...) NOT-FOR-US: IBM Tivoli Endpoint Manager CVE-2017-1224 (IBM Tivoli Endpoint Manager uses weaker than expected cryptographic al ...) NOT-FOR-US: IBM CVE-2017-1223 (IBM Tivoli Endpoint Manager could allow a remote attacker to conduct p ...) NOT-FOR-US: IBM CVE-2017-1222 (IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) does not ...) NOT-FOR-US: IBM Tivoli Endpoint Manager CVE-2017-1221 (IBM Tivoli Endpoint Manager (IBM BigFix 9.2 and 9.5) does not require ...) NOT-FOR-US: IBM CVE-2017-1220 (IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) disclose ...) 
NOT-FOR-US: IBM Tivoli Endpoint Manager CVE-2017-1219 (IBM Tivoli Endpoint Manager is vulnerable to a XML External Entity Inj ...) NOT-FOR-US: IBM CVE-2017-1218 (IBM Tivoli Endpoint Manager is vulnerable to cross-site request forger ...) NOT-FOR-US: IBM CVE-2017-1217 (IBM WebSphere Portal 8.5 and 9.0 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM CVE-2017-1216 RESERVED CVE-2017-1215 RESERVED CVE-2017-1214 (IBM iNotes 8.5 and 9.0 could allow a remote attacker to send a malform ...) NOT-FOR-US: IBM CVE-2017-1213 RESERVED CVE-2017-1212 (IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5.1 and 5.0 ...) NOT-FOR-US: IBM CVE-2017-1211 (IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5.1 and 5.0 ...) NOT-FOR-US: IBM CVE-2017-1210 (IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5.1 and 5.0 ...) NOT-FOR-US: IBM CVE-2017-1209 (IBM Daeja ViewONE Professional, Standard & Virtual 4.1.5.1 and 5.0 ...) NOT-FOR-US: IBM CVE-2017-1208 (IBM Maximo Asset Management 7.1, 7.5, and 7.6 is vulnerable to cross-s ...) NOT-FOR-US: IBM CVE-2017-1207 (IBM WebSphere Message Broker stores user credentials in plain in clear ...) NOT-FOR-US: IBM CVE-2017-1206 RESERVED CVE-2017-1205 (IBM Platform LSF 10.1 contains an unspecified vulnerability that could ...) NOT-FOR-US: IBM CVE-2017-1204 (IBM Tealeaf Customer Experience 8.7, 8.8, and 9.0.2 contains hard-code ...) NOT-FOR-US: IBM Tealeaf Customer Experience CVE-2017-1203 (IBM Tivoli Endpoint Manager (for Lifecycle/Power/Patch) Platform and A ...) NOT-FOR-US: IBM CVE-2017-1202 (IBM BigFix Compliance 1.7 through 1.9.91 (TEMA SUAv1 SCA SCM) is vulne ...) NOT-FOR-US: IBM CVE-2017-1201 (IBM BigFix Compliance Analytics 1.9.79 (TEMA SUAv1 SCA SCM) stores use ...) NOT-FOR-US: IBM CVE-2017-1200 (IBM BigFix Compliance 1.7 through 1.9.91 (TEMA SUAv1 SCA SCM) does not ...) NOT-FOR-US: IBM CVE-2017-1199 (IBM InfoSphere Master Data Management Server 10.0, 11.0, 11.3, 11.4, 1 ...) 
NOT-FOR-US: IBM CVE-2017-1198 (IBM BigFix Compliance 1.7 through 1.9.91 (TEMA SUAv1 SCA SCM) stores s ...) NOT-FOR-US: IBM CVE-2017-1197 (IBM BigFix Compliance (TEMA SUAv1 SCA SCM) uses an inadequate account ...) NOT-FOR-US: IBM CVE-2017-1196 (IBM BigFix Compliance (TEMA SUAv1 SCA SCM) 1.9.70 does not require tha ...) NOT-FOR-US: IBM CVE-2017-1195 (IBM Curam Social Program Management 6.0, 6.1, 6.2, and 7.0 could allow ...) NOT-FOR-US: IBM CVE-2017-1194 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable ...) NOT-FOR-US: IBM CVE-2017-1193 (IBM Sterling B2B Integrator Standard Edition 5.2 could allow user to o ...) NOT-FOR-US: IBM CVE-2017-1192 (IBM Sterling B2B Integrator 5.2 is vulnerable to an XML External Entit ...) NOT-FOR-US: IBM CVE-2017-1191 (An undisclosed vulnerability in CLM applications (including IBM Ration ...) NOT-FOR-US: IBM Rational Collaborative Lifecycle Management CVE-2017-1190 (IBM Emptoris Strategic Supply Management Platform 10.x and 10.1 could ...) NOT-FOR-US: IBM CVE-2017-1189 (IBM WebSphere Portal and Web Content Manager 6.1, 7.0, and 8.0 is vuln ...) NOT-FOR-US: IBM CVE-2017-1188 RESERVED CVE-2017-1187 RESERVED CVE-2017-1186 RESERVED CVE-2017-1185 RESERVED CVE-2017-1184 RESERVED CVE-2017-1183 (IBM Tivoli Monitoring Portal v6 could allow a local (network adjacent) ...) NOT-FOR-US: IBM CVE-2017-1182 (IBM Tivoli Monitoring Portal v6 could allow a local (network adjacent) ...) NOT-FOR-US: Oracle Primavera CVE-2017-1181 (IBM Tivoli Monitoring Portal V6 client could allow a local attacker to ...) NOT-FOR-US: IBM CVE-2017-1180 (The IBM TRIRIGA Document Manager contains a vulnerability that could a ...) NOT-FOR-US: IBM TRIRIGA Document Manager CVE-2017-1179 (IBM BigFix Compliance Analytics 1.9.79 uses weaker than expected crypt ...) NOT-FOR-US: IBM CVE-2017-1178 (IBM Endpoint Manager for Security and Compliance 1.9.70 is vulnerable ...) 
NOT-FOR-US: IBM CVE-2017-1177 (IBM BigFix Compliance 1.7 through 1.9.91 discloses sensitive informati ...) NOT-FOR-US: IBM CVE-2017-1176 (IBM Maximo Asset Management 7.1, 7.5, and 7.6 could allow a local user ...) NOT-FOR-US: IBM CVE-2017-1175 (IBM Maximo Asset Management 7.1, 7.5, and 7.6 is vulnerable to SQL inj ...) NOT-FOR-US: IBM CVE-2017-1174 (IBM Sterling B2B Integrator Standard Edition 5.2 is vulnerable to SQL ...) NOT-FOR-US: IBM CVE-2017-1173 RESERVED CVE-2017-1172 RESERVED CVE-2017-1171 (The IBM TRIRIGA Application Platform 3.3, 3,4, and 3,5 contain a vulne ...) NOT-FOR-US: IBM CVE-2017-1170 (IBM WebSphere Commerce Enterprise, Professional, Express, and Develope ...) NOT-FOR-US: IBM CVE-2017-1169 (IBM DOORS next Generation (DNG/RRC) is vulnerable to cross-site script ...) NOT-FOR-US: IBM CVE-2017-1168 (IBM Rational Engineering Lifecycle Manager 4.0, 5.0, and 6.0 is vulner ...) NOT-FOR-US: IBM CVE-2017-1167 RESERVED CVE-2017-1166 RESERVED CVE-2017-1165 RESERVED CVE-2017-1164 (IBM Jazz Foundation is vulnerable to cross-site scripting. This vulner ...) NOT-FOR-US: IBM CVE-2017-1163 RESERVED CVE-2017-1162 (IBM QRadar 7.2 and 7.3 discloses sensitive information to unauthorized ...) NOT-FOR-US: IBM CVE-2017-1161 (IBM API Connect 5.0.6.0 could allow a remote attacker to execute arbit ...) NOT-FOR-US: IBM CVE-2017-1160 (IBM Financial Transaction Manager for ACH Services for Multi-Platform ...) NOT-FOR-US: IBM CVE-2017-1159 (IBM Business Process Manager 8.0 and 8.5 could allow a remote attacker ...) NOT-FOR-US: IBM CVE-2017-1158 RESERVED CVE-2017-1157 (IBM Jazz Reporting Service (JRS) 5.0 and 6.0 could allow an authentica ...) NOT-FOR-US: IBM CVE-2017-1156 (IBM WebSphere Portal 8.5 and 9.0 could allow a remote attacker to cond ...) NOT-FOR-US: IBM CVE-2017-1155 (IBM Algorithmics One-Algo Risk Application 4.9.1, 5.0, and 5.1.0 could ...) NOT-FOR-US: IBM CVE-2017-1154 (IBM Algorithmics One-Algo Risk Application 4.9.1, 5.0, and 5.1.0 could ...) 
NOT-FOR-US: IBM CVE-2017-1153 (IBM TRIRIGA Report Manager 3.2 through 3.5 contains a vulnerability th ...) NOT-FOR-US: IBM CVE-2017-1152 (IBM Financial Transaction Manager 3.0.1 and 3.0.2 does not properly up ...) NOT-FOR-US: IBM CVE-2017-1151 (IBM WebSphere Application Server 8.0, 8.5, 8.5.5, and 9.0 using OpenID ...) NOT-FOR-US: IBM CVE-2017-1150 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.1 ...) NOT-FOR-US: IBM CVE-2017-1149 (IBM UrbanCode Deploy (UCD) 6.0, 6.1, and 6.2 is vulnerable to a denial ...) NOT-FOR-US: IBM CVE-2017-1148 (IBM OpenPages GRC Platform 7.2 and 7.3 with OpenPages Loss Event Entry ...) NOT-FOR-US: IBM CVE-2017-1147 (IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 is vulnerable to cross-si ...) NOT-FOR-US: IBM CVE-2017-1146 (IBM Content Navigator 2.0.3 and 3.0.0 are vulnerable to cross-site scr ...) NOT-FOR-US: IBM CVE-2017-1145 (IBM WebSphere MQ 8.0.0.6 does not properly terminate channel agents wh ...) NOT-FOR-US: IBM CVE-2017-1144 (IBM WebSphere Message Broker could allow a local user with specialized ...) NOT-FOR-US: IBM CVE-2017-1143 (IBM Kenexa LCMS Premier on Cloud 9.x and 10.0 could allow a remote att ...) NOT-FOR-US: IBM CVE-2017-1142 (IBM Kenexa LCMS Premier on Cloud 9.x and 10.0 could allow a remote att ...) NOT-FOR-US: IBM CVE-2017-1141 (IBM Insights Foundation for Energy 1.0, 1.5, and 1.6 could allow an au ...) NOT-FOR-US: IBM CVE-2017-1140 (IBM Business Process Manager 8.0 and 8.5 are vulnerable to cross-site ...) NOT-FOR-US: IBM CVE-2017-1139 RESERVED CVE-2017-1138 RESERVED CVE-2017-1137 (IBM WebSphere Application Server 8.0 and 8.5.5 could provide weaker th ...) NOT-FOR-US: IBM CVE-2017-1136 RESERVED CVE-2017-1135 RESERVED CVE-2017-1134 (IBM Reliable Scalable Cluster Technology could allow a local user to e ...) NOT-FOR-US: IBM CVE-2017-1133 (IBM QRadar 7.2 is vulnerable to cross-site scripting. This vulnerabili ...) 
NOT-FOR-US: IBM CVE-2017-1132 (IBM Sterling B2B Integrator Standard Edition 5.2 is vulnerable to cros ...) NOT-FOR-US: IBM CVE-2017-1131 (IBM Sterling B2B Integrator Standard Edition 5.2 could allow an authen ...) NOT-FOR-US: IBM CVE-2017-1130 (IBM Notes 8.5 and 9.0 is vulnerable to a denial of service. If a user ...) NOT-FOR-US: IBM CVE-2017-1129 (IBM Notes 8.5 and 9.0 is vulnerable to a denial of service. If a user ...) NOT-FOR-US: IBM CVE-2017-1128 (IBM Rational DOORS Next Generation 4.0, 5.0, and 6.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1127 (IBM Rational DOORS Next Generation 4.0, 5.0 and 6.0 is vulnerable to c ...) NOT-FOR-US: IBM CVE-2017-1126 (IBM WebSphere Message Broker (IBM Integration Bus 9.0 and 10.0) could ...) NOT-FOR-US: IBM CVE-2017-1125 (IBM Cognos Analytics 10.1 and 10.2 could allow a local user to craft a ...) NOT-FOR-US: IBM CVE-2017-1124 (IBM Maximo Asset Management 7.1, 7.5, and 7.6 could allow a local atta ...) NOT-FOR-US: IBM CVE-2017-1123 RESERVED CVE-2017-1122 (IBM Security Guardium 8.2, 9.0, and 10.0 contains a vulnerability that ...) NOT-FOR-US: IBM CVE-2017-1121 (IBM WebSphere Application Server 7.0, 8.0, and 9.0 is vulnerable to cr ...) NOT-FOR-US: IBM CVE-2017-1120 (IBM WebSphere Portal 8.5 and 9.0 is vulnerable to cross-site scripting ...) NOT-FOR-US: IBM CVE-2017-1119 (IBM Marketing Operations 9.1.0, 9.1.2, and 10.1 could allow a remote a ...) NOT-FOR-US: IBM CVE-2017-1118 (IBM WebSphere MQ Internet Pass-Thru 2.0 and 2.1 could allow n attacker ...) NOT-FOR-US: IBM CVE-2017-1117 (IBM WebSphere MQ 8.0 and 9.0 could allow an authenticated user to caus ...) NOT-FOR-US: IBM CVE-2017-1116 (IBM Campaign 8.6, 9.0, 9.1, 9.1.1, 9.1.2, and 10.0 contains excessive ...) NOT-FOR-US: IBM CVE-2017-1115 (IBM Campaign 9.1, 9.1.2, and 10 is vulnerable to HTML injection. A rem ...) NOT-FOR-US: IBM CVE-2017-1114 (IBM Campaign 9.1, 9.1.2, and 10 is vulnerable to cross-site scripting. ...) 
NOT-FOR-US: IBM CVE-2017-1113 (IBM Rational Team Concert (RTC) 4.0, 5.0 and 6.0 is vulnerable to cros ...) NOT-FOR-US: IBM CVE-2017-1112 RESERVED CVE-2017-1111 RESERVED CVE-2017-1110 (IBM Curam Social Program Management 6.0, 6.1, 6.2, and 7.0 contains an ...) NOT-FOR-US: IBM CVE-2017-1109 RESERVED CVE-2017-1108 RESERVED CVE-2017-1107 (IBM Marketing Platform 9.1.0, 9.1.2, 10.0, and 10.1 exposes sensitive ...) NOT-FOR-US: IBM CVE-2017-1106 (IBM Curam Social Program Management 5.2, 6.0, and 7.0 is vulnerable to ...) NOT-FOR-US: IBM CVE-2017-1105 (IBM DB2 for Linux, UNIX and Windows 9.2, 10.1, 10.5, and 11.1 (include ...) NOT-FOR-US: IBM CVE-2017-1104 (IBM Quality Manager (RQM) 4.0, 5.0, and 6.0 is vulnerable to cross-sit ...) NOT-FOR-US: IBM CVE-2017-1103 (IBM Team Concert (RTC) is vulnerable to a denial of service, caused by ...) NOT-FOR-US: IBM CVE-2017-1102 (IBM Quality Manager (RQM) 4.0, 5.0, and 6.0 is vulnerable to cross-sit ...) NOT-FOR-US: IBM CVE-2017-1101 (IBM Quality Manager (RQM) 4.0, 5.0, and 6.0 is vulnerable to cross-sit ...) NOT-FOR-US: IBM CVE-2017-1100 (IBM Quality Manager (RQM) 4.0, 5.0, and 6.0 is vulnerable to cross-sit ...) NOT-FOR-US: IBM CVE-2017-1099 (IBM Jazz Foundation could expose potentially sensitive information to ...) NOT-FOR-US: IBM CVE-2017-1098 (IBM Emptoris Supplier Lifecycle Management 10.1.0.x is vulnerable to c ...) NOT-FOR-US: IBM CVE-2017-1097 (IBM Emptoris Strategic Supply Management Platform 10.0.0.x through 10. ...) NOT-FOR-US: IBM CVE-2017-1096 (IBM Jazz Reporting Service (JRS) 5.0 and 6.0 is vulnerable to cross-si ...) NOT-FOR-US: IBM CVE-2017-1095 RESERVED CVE-2017-1094 RESERVED CVE-2017-1093 (IBM AIX 6.1, 7.1, and 7.2 could allow a local user to exploit a vulner ...) NOT-FOR-US: IBM AIX CVE-2017-1092 (IBM Informix Open Admin Tool 11.5, 11.7, and 12.1 could allow an unaut ...) 
NOT-FOR-US: IBM CVE-2017-1091 RESERVED CVE-2017-1090 REJECTED CVE-2017-1089 REJECTED CVE-2017-1088 (In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p4, 11.0-RELEASE-p15, 10.4 ...) - kfreebsd-10 (unimportant) NOTE: kfreebsd not covered by security support CVE-2017-1087 (In FreeBSD 10.x before 10.4-STABLE, 10.4-RELEASE-p3, and 10.3-RELEASE- ...) - kfreebsd-10 (unimportant) NOTE: kfreebsd not covered by security support CVE-2017-1086 (In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p4, 11.0-RELEASE-p15, 10.4 ...) - kfreebsd-10 (unimportant) NOTE: kfreebsd not covered by security support CVE-2017-1085 (In FreeBSD before 11.2-RELEASE, an application which calls setrlimit() ...) - kfreebsd-10 (unimportant) NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt NOTE: kfreebsd not covered by security support CVE-2017-1084 (In FreeBSD before 11.2-RELEASE, multiple issues with the implementatio ...) - kfreebsd-10 (unimportant) NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt NOTE: kfreebsd not covered by security support CVE-2017-1083 (In FreeBSD before 11.2-RELEASE, a stack guard-page is available but is ...) - kfreebsd-10 (unimportant) NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt NOTE: kfreebsd not covered by security support CVE-2017-1082 (In FreeBSD 11.x before 11.1-RELEASE and 10.x before 10.4-RELEASE, the ...) - kfreebsd-10 (unimportant) NOTE: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt NOTE: kfreebsd not covered by security support CVE-2017-1081 (In FreeBSD before 11.0-STABLE, 11.0-RELEASE-p10, 10.3-STABLE, and 10.3 ...) 
- kfreebsd-10 (unimportant) NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-17:04.ipfilter.asc NOTE: kfreebsd not covered by security support CVE-2017-1080 RESERVED CVE-2017-1079 RESERVED CVE-2017-1078 RESERVED CVE-2017-1077 RESERVED CVE-2017-1076 RESERVED CVE-2017-1075 RESERVED CVE-2017-1074 RESERVED CVE-2017-1073 RESERVED CVE-2017-1072 RESERVED CVE-2017-1071 RESERVED CVE-2017-1070 RESERVED CVE-2017-1069 RESERVED CVE-2017-1068 RESERVED CVE-2017-1067 RESERVED CVE-2017-1066 RESERVED CVE-2017-1065 RESERVED CVE-2017-1064 RESERVED CVE-2017-1063 RESERVED CVE-2017-1062 RESERVED CVE-2017-1061 RESERVED CVE-2017-1060 RESERVED CVE-2017-1059 RESERVED CVE-2017-1058 RESERVED CVE-2017-1057 RESERVED CVE-2017-1056 RESERVED CVE-2017-1055 RESERVED CVE-2017-1054 RESERVED CVE-2017-1053 RESERVED CVE-2017-1052 RESERVED CVE-2017-1051 RESERVED CVE-2017-1050 RESERVED CVE-2017-1049 RESERVED CVE-2017-1048 RESERVED CVE-2017-1047 RESERVED CVE-2017-1046 RESERVED CVE-2017-1045 RESERVED CVE-2017-1044 RESERVED CVE-2017-1043 RESERVED CVE-2017-1042 RESERVED CVE-2017-1041 RESERVED CVE-2017-1040 RESERVED CVE-2017-1039 RESERVED CVE-2017-1038 RESERVED CVE-2017-1037 RESERVED CVE-2017-1036 RESERVED CVE-2017-1035 RESERVED CVE-2017-1034 RESERVED CVE-2017-1033 RESERVED CVE-2017-1032 RESERVED CVE-2017-1031 RESERVED CVE-2017-1030 RESERVED CVE-2017-1029 RESERVED CVE-2017-1028 RESERVED CVE-2017-1027 RESERVED CVE-2017-1026 RESERVED CVE-2017-1025 RESERVED CVE-2017-1024 RESERVED CVE-2017-1023 RESERVED CVE-2017-1022 RESERVED CVE-2017-1021 RESERVED CVE-2017-1020 RESERVED CVE-2017-1019 RESERVED CVE-2017-1018 RESERVED CVE-2017-1017 RESERVED CVE-2017-1016 RESERVED CVE-2017-1015 RESERVED CVE-2017-1014 RESERVED CVE-2017-1013 RESERVED CVE-2017-1012 RESERVED CVE-2017-1011 RESERVED CVE-2017-1010 RESERVED CVE-2017-1009 RESERVED CVE-2017-1008 RESERVED CVE-2017-1007 RESERVED CVE-2017-1006 RESERVED CVE-2017-1005 RESERVED CVE-2017-1004 RESERVED CVE-2017-1003 RESERVED CVE-2017-1002 RESERVED CVE-2017-1001 RESERVED 
CVE-2017-1000 RESERVED - linux 4.12.6-1 [stretch] - linux 4.9.30-2+deb9u4 [jessie] - linux 3.16.43-2+deb8u4 NOTE: https://git.kernel.org/linus/85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa NOTE: Same commit as for CVE-2017-1000112 and thus probably should be treated NOTE: as duplicate. Defer decision to MITRE. CVE-2017-0999 RESERVED CVE-2017-0998 RESERVED CVE-2017-0997 RESERVED CVE-2017-0996 RESERVED CVE-2017-0995 RESERVED CVE-2017-0994 RESERVED CVE-2017-0993 RESERVED CVE-2017-0992 RESERVED CVE-2017-0991 RESERVED CVE-2017-0990 RESERVED CVE-2017-0989 RESERVED CVE-2017-0988 RESERVED CVE-2017-0987 RESERVED CVE-2017-0986 RESERVED CVE-2017-0985 RESERVED CVE-2017-0984 RESERVED CVE-2017-0983 RESERVED CVE-2017-0982 RESERVED CVE-2017-0981 RESERVED CVE-2017-0980 RESERVED CVE-2017-0979 RESERVED CVE-2017-0978 RESERVED CVE-2017-0977 RESERVED CVE-2017-0976 RESERVED CVE-2017-0975 RESERVED CVE-2017-0974 RESERVED CVE-2017-0973 RESERVED CVE-2017-0972 RESERVED CVE-2017-0971 RESERVED CVE-2017-0970 RESERVED CVE-2017-0969 RESERVED CVE-2017-0968 RESERVED CVE-2017-0967 RESERVED CVE-2017-0966 RESERVED CVE-2017-0965 RESERVED CVE-2017-0964 RESERVED CVE-2017-0963 RESERVED CVE-2017-0962 RESERVED CVE-2017-0961 RESERVED CVE-2017-0960 RESERVED CVE-2017-0959 RESERVED CVE-2017-0958 RESERVED CVE-2017-0957 RESERVED CVE-2017-0956 RESERVED CVE-2017-0955 RESERVED CVE-2017-0954 RESERVED CVE-2017-0953 RESERVED CVE-2017-0952 RESERVED CVE-2017-0951 RESERVED CVE-2017-0950 RESERVED CVE-2017-0949 RESERVED CVE-2017-0948 RESERVED CVE-2017-0947 RESERVED CVE-2017-0946 RESERVED CVE-2017-0945 RESERVED CVE-2017-0944 RESERVED CVE-2017-0943 RESERVED CVE-2017-0942 RESERVED CVE-2017-0941 RESERVED CVE-2017-0940 RESERVED CVE-2017-0939 RESERVED CVE-2017-0938 (Denial of Service attack in airMAX < 8.3.2 , airMAX < 6.0.7 and ...) NOT-FOR-US: airMAX CVE-2017-0937 RESERVED CVE-2017-0936 (Nextcloud Server before 11.0.7 and 12.0.5 suffers from an Authorizatio ...) 
- nextcloud (bug #835086) CVE-2017-0935 (Ubiquiti Networks EdgeOS version 1.9.1.1 and prior suffer from an Impr ...) NOT-FOR-US: Ubiquiti Networks EdgeOS CVE-2017-0934 (Ubiquiti Networks EdgeOS version 1.9.1 and prior suffer from an Improp ...) NOT-FOR-US: Ubiquiti Networks EdgeOS CVE-2017-0933 (Ubiquiti Networks EdgeOS version 1.9.1 and prior suffer from a Cross-S ...) NOT-FOR-US: Ubiquiti Networks EdgeOS CVE-2017-0932 (Ubiquiti Networks EdgeOS version 1.9.1.1 and prior suffer from an Impr ...) NOT-FOR-US: Ubiquiti Networks EdgeOS CVE-2017-0931 (html-janitor node module suffers from a Cross-Site Scripting (XSS) vul ...) NOT-FOR-US: html-janitor node module CVE-2017-0930 (augustine node module suffers from a Path Traversal vulnerability due ...) NOT-FOR-US: augustine node module CVE-2017-0929 (DNN (aka DotNetNuke) before 9.2.0 suffers from a Server-Side Request F ...) NOT-FOR-US: DNN (aka DotNetNuke) CVE-2017-0928 (html-janitor node module suffers from an External Control of Critical ...) NOT-FOR-US: html-janitor node module CVE-2017-0927 (Gitlab Community Edition version 10.3 is vulnerable to an improper aut ...) - gitlab 10.5.5+dfsg-1 (bug #888508) [stretch] - gitlab (Doesn't affect 8.x) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ CVE-2017-0926 (Gitlab Community Edition version 10.3 is vulnerable to an improper aut ...) {DSA-4145-1} - gitlab 10.5.5+dfsg-1 (bug #888508) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ CVE-2017-0925 (Gitlab Enterprise Edition version 10.1.0 is vulnerable to an insuffici ...) {DSA-4145-1} - gitlab 10.5.5+dfsg-1 (bug #888508) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ CVE-2017-0924 (Gitlab Community Edition version 10.2.4 is vulnerable to lack of input ...) 
- gitlab 10.5.5+dfsg-1 [stretch] - gitlab (Only affects 9.0 and later) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ CVE-2017-0923 (Gitlab Community Edition version 9.1 is vulnerable to lack of input va ...) - gitlab 10.5.5+dfsg-1 (bug #888508) [stretch] - gitlab (Doesn't affect 8.x) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ CVE-2017-0922 (Gitlab Enterprise Edition version 10.3 is vulnerable to an authorizati ...) - gitlab 10.5.5+dfsg-1 [stretch] - gitlab (Only affects 9.1 and later) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ CVE-2017-0920 (GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10 ...) {DSA-4206-1} - gitlab 10.5.5+dfsg-1 NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ CVE-2017-0919 (GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and 10 ...) - gitlab 10.5.5+dfsg-1 NOTE: https://hackerone.com/reports/301137 NOTE: Fixed in 10.1.6, 10.2.6, and 10.3.4 CVE-2017-0918 (Gitlab Community Edition version 10.3 is vulnerable to a path traversa ...) {DSA-4145-1} - gitlab 10.5.5+dfsg-1 (bug #888508) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ CVE-2017-0917 (Gitlab Community Edition version 10.2.4 is vulnerable to lack of input ...) {DSA-4145-1} - gitlab 10.5.5+dfsg-1 (bug #888508) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ CVE-2017-0916 (Gitlab Community Edition version 10.3 is vulnerable to a lack of input ...) {DSA-4145-1} - gitlab 10.5.5+dfsg-1 (bug #888508) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ NOTE: https://gitlab.com/gitlab-org/gitlab-ce/commit/7fc0a6fc096768a5604d6dd24d7d952e53300c82 CVE-2017-0915 (Gitlab Community Edition version 10.2.4 is vulnerable to a lack of inp ...) 
{DSA-4145-1} - gitlab 10.5.5+dfsg-1 (bug #888508) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ CVE-2017-0914 (Gitlab Community and Enterprise Editions version 10.1, 10.2, and 10.2. ...) - gitlab 10.5.5+dfsg-1 [stretch] - gitlab (Only affects 9.4 and later) NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ CVE-2017-0913 (Ubiquiti UCRM versions 2.3.0 to 2.7.7 allow an authenticated user to r ...) NOT-FOR-US: Ubiquiti UCRM CVE-2017-0912 (Ubiquiti UCRM versions 2.5.0 to 2.7.7 are vulnerable to Stored Cross-s ...) NOT-FOR-US: Ubiquiti UCRM CVE-2017-0911 (Twitter Kit for iOS versions 3.0 to 3.2.1 is vulnerable to a callback ...) NOT-FOR-US: Twitter Kit for iOS CVE-2017-0910 (In Zulip Server before 1.7.1, on a server with multiple realms, a vuln ...) - zulip-server (bug #800052) CVE-2017-0909 (The private_address_check ruby gem before 0.4.1 is vulnerable to a byp ...) NOT-FOR-US: private_address_check ruby gem CVE-2017-0908 REJECTED CVE-2017-0907 (The Recurly Client .NET Library before 1.0.1, 1.1.10, 1.2.8, 1.3.2, 1. ...) NOT-FOR-US: Recurly Client .NET Library CVE-2017-0906 (The Recurly Client Python Library before 2.0.5, 2.1.16, 2.2.22, 2.3.1, ...) NOT-FOR-US: Recurly Client Python Library CVE-2017-0905 (The Recurly Client Ruby Library before 2.0.13, 2.1.11, 2.2.5, 2.3.10, ...) NOT-FOR-US: Recurly Client Ruby Library CVE-2017-0904 (The private_address_check ruby gem before 0.4.0 is vulnerable to a byp ...) NOT-FOR-US: private_address_check ruby gem CVE-2017-0903 (RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possibl ...) 
{DSA-4031-1 DLA-1421-1} - ruby2.3 2.3.5-1 (bug #879231) - ruby2.1 - ruby1.9.1 [wheezy] - ruby1.9.1 (Vulnerable code introduced later) - rubygems 3.2.0~rc.1-1 [wheezy] - rubygems (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2017/10/10/2 NOTE: https://justi.cz/security/2017/10/07/rubygems-org-rce.html NOTE: Fixed by: https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49 CVE-2017-0902 (RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking v ...) {DSA-3966-1 DLA-1421-1} - ruby2.3 2.3.3-1+deb9u1 (bug #873802) - ruby2.1 - ruby1.9.1 [wheezy] - ruby1.9.1 (Vulnerable code introduced later) - rubygems 3.2.0~rc.1-1 [wheezy] - rubygems (Vulnerable code introduced later) NOTE: https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/ NOTE: http://blog.rubygems.org/2017/08/27/2.6.13-released.html NOTE: For Ruby 2.3.4: https://bugs.ruby-lang.org/attachments/download/6691/rubygems-2613-ruby23.patch NOTE: For Ruby 2.2.7: https://bugs.ruby-lang.org/attachments/download/6690/rubygems-2613-ruby22.patch CVE-2017-0901 (RubyGems version 2.6.12 and earlier fails to validate specification na ...) {DSA-3966-1 DLA-1421-1 DLA-1114-1 DLA-1112-1} - ruby2.3 2.3.3-1+deb9u1 (bug #873802) - ruby2.1 - ruby1.9.1 - rubygems 3.2.0~rc.1-1 NOTE: https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/ NOTE: http://blog.rubygems.org/2017/08/27/2.6.13-released.html NOTE: For Ruby 2.3.4: https://bugs.ruby-lang.org/attachments/download/6691/rubygems-2613-ruby23.patch NOTE: For Ruby 2.2.7: https://bugs.ruby-lang.org/attachments/download/6690/rubygems-2613-ruby22.patch CVE-2017-0900 (RubyGems version 2.6.12 and earlier is vulnerable to maliciously craft ...) 
{DSA-3966-1 DLA-1421-1 DLA-1114-1 DLA-1112-1} - ruby2.3 2.3.3-1+deb9u1 (bug #873802) - ruby2.1 - ruby1.9.1 - rubygems 3.2.0~rc.1-1 NOTE: https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/ NOTE: http://blog.rubygems.org/2017/08/27/2.6.13-released.html NOTE: For Ruby 2.3.4: https://bugs.ruby-lang.org/attachments/download/6691/rubygems-2613-ruby23.patch NOTE: For Ruby 2.2.7: https://bugs.ruby-lang.org/attachments/download/6690/rubygems-2613-ruby22.patch CVE-2017-0899 (RubyGems version 2.6.12 and earlier is vulnerable to maliciously craft ...) {DSA-3966-1 DLA-1421-1 DLA-1114-1} - ruby2.3 2.3.3-1+deb9u1 (unimportant; bug #873802) - ruby2.1 (unimportant) - ruby1.9.1 (unimportant) - rubygems 3.2.0~rc.1-1 (unimportant) NOTE: https://www.ruby-lang.org/en/news/2017/08/29/multiple-vulnerabilities-in-rubygems/ NOTE: http://blog.rubygems.org/2017/08/27/2.6.13-released.html NOTE: For Ruby 2.3.4: https://bugs.ruby-lang.org/attachments/download/6691/rubygems-2613-ruby23.patch NOTE: For Ruby 2.2.7: https://bugs.ruby-lang.org/attachments/download/6690/rubygems-2613-ruby22.patch NOTE: Not considered a vulnerability per se, if this affects a terminal emulator it's a bug there CVE-2017-0898 (Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious forma ...) {DSA-4031-1 DLA-1421-1 DLA-1114-1 DLA-1113-1} - ruby2.3 2.3.5-1 (bug #875936) - ruby2.1 - ruby1.9.1 - ruby1.8 NOTE: https://github.com/mruby/mruby/issues/3722 NOTE: https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/ NOTE: https://bugs.ruby-lang.org/issues/13499 CVE-2017-0897 (ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 cr ...) NOT-FOR-US: ExpressionEngine CVE-2017-0896 (Zulip Server 1.5.1 and below suffer from an error in the implementatio ...) - zulip-server (bug #800052) CVE-2017-0895 (Nextcloud Server before 10.0.4 and 11.0.2 are vulnerable to disclosure ...) 
- nextcloud (bug #835086) CVE-2017-0894 (Nextcloud Server before 11.0.3 is vulnerable to disclosure of valid sh ...) - nextcloud (bug #835086) CVE-2017-0893 (Nextcloud Server before 9.0.58 and 10.0.5 and 11.0.3 are shipping a vu ...) - nextcloud (bug #835086) CVE-2017-0892 (Nextcloud Server before 11.0.3 is vulnerable to an improper session ha ...) - nextcloud (bug #835086) CVE-2017-0891 (Nextcloud Server before 9.0.58 and 10.0.5 and 11.0.3 are vulnerable to ...) - nextcloud (bug #835086) CVE-2017-0890 (Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping ...) - nextcloud (bug #835086) CVE-2017-0889 (Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde ...) NOT-FOR-US: paperclip ruby gem CVE-2017-0888 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Content-Spoof ...) - nextcloud (bug #835086) CVE-2017-0886 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Denial of Ser ...) - nextcloud (bug #835086) CVE-2017-0885 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a error message ...) - nextcloud (bug #835086) CVE-2017-0884 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a creation of f ...) - nextcloud (bug #835086) CVE-2017-0883 (Nextcloud Server before 9.0.55 and 10.0.2 suffers from a permission in ...) - nextcloud (bug #835086) CVE-2017-0882 (Multiple versions of GitLab expose sensitive user credentials when ass ...) - gitlab 8.13.11+dfsg-7 (bug #858410) NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/29661 NOTE: https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/ CVE-2017-0881 (An error in the implementation of an autosubscribe feature in the chec ...) NOT-FOR-US: Zulip CVE-2017-0880 (A denial of service vulnerability in the Android media framework (libs ...) - skia (bug #818180) CVE-2017-0879 (An information disclosure vulnerability in the Android media framework ...) 
NOT-FOR-US: Android Media Framework CVE-2017-0878 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android Media Framework CVE-2017-0877 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android Media Framework CVE-2017-0876 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android Media Framework CVE-2017-0875 RESERVED CVE-2017-0874 (A denial of service vulnerability in the Android media framework (liba ...) NOT-FOR-US: Android Media Framework CVE-2017-0873 (A denial of service vulnerability in the Android media framework (libm ...) NOT-FOR-US: Android Media Framework CVE-2017-0872 (A remote code execution vulnerability in the Android media framework ( ...) NOT-FOR-US: Android Media Framework CVE-2017-0871 (An elevation of privilege vulnerability in the Android framework (fram ...) NOT-FOR-US: Android CVE-2017-0870 (An elevation of privilege vulnerability in the Android framework (libm ...) NOT-FOR-US: Android CVE-2017-0869 (NVIDIA driver contains an integer overflow vulnerability which could c ...) NOT-FOR-US: NVIDIA components for Android CVE-2017-0868 RESERVED CVE-2017-0867 RESERVED CVE-2017-0866 (An elevation of privilege vulnerability in the Direct rendering infras ...) NOT-FOR-US: NVIDIA components for Android CVE-2017-0865 (An elevation of privilege vulnerability in the MediaTek soc driver. Pr ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0864 (An elevation of privilege vulnerability in the MediaTek ioctl (flashli ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0863 (An elevation of privilege vulnerability in the Upstream kernel video d ...) NOT-FOR-US: Android driver (proprietary, not part of upstream kernel) CVE-2017-0862 (An elevation of privilege vulnerability in the Upstream kernel kernel. ...) 
NOT-FOR-US: Android driver (proprietary, not part of upstream kernel) CVE-2017-0861 (Use-after-free vulnerability in the snd_pcm_info function in the ALSA ...) {DSA-4187-1 DLA-1369-1} - linux 4.13.4-1 [stretch] - linux 4.9.80-1 NOTE: https://git.kernel.org/linus/362bca57f5d78220f8b5907b875961af9436e229 NOTE: UAF actually already removed in https://git.kernel.org/linus/e11f0f90a626f93899687b1cc909ee37dd6c5809 CVE-2017-0860 (An elevation of privilege vulnerability in the Android system (inputdi ...) NOT-FOR-US: Android CVE-2017-0859 (Another vulnerability in the Android media framework (n/a). Product: A ...) NOT-FOR-US: Android media framework CVE-2017-0858 (Another vulnerability in the Android media framework (n/a). Product: A ...) NOT-FOR-US: Android media framework CVE-2017-0857 (Another vulnerability in the Android media framework (n/a). Product: A ...) NOT-FOR-US: Android media framework CVE-2017-0856 RESERVED CVE-2017-0855 (In MPEG4Extractor.cpp, there are several places where functions return ...) NOT-FOR-US: Android media framework CVE-2017-0854 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0853 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0852 (A denial of service vulnerability in the Android media framework (libh ...) NOT-FOR-US: Android media framework CVE-2017-0851 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0850 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0849 (An information disclosure vulnerability in the Android media framework ...) NOT-FOR-US: Android media framework CVE-2017-0848 (An information disclosure vulnerability in the Android media framework ...) 
	NOT-FOR-US: Android media framework
CVE-2017-0847 (An elevation of privilege vulnerability in the Android media framework ...)
	NOT-FOR-US: Android media framework
CVE-2017-0846 (An information disclosure vulnerability in the Android framework (clip ...)
	NOT-FOR-US: Android
CVE-2017-0845 (A denial of service vulnerability in the Android framework (syncstorag ...)
	NOT-FOR-US: Android
CVE-2017-0844
	RESERVED
CVE-2017-0843 (An elevation of privilege vulnerability in the MediaTek ccci. Product: ...)
	NOT-FOR-US: MediaTek component for Android
CVE-2017-0842 (An elevation of privilege vulnerability in the Android system (bluetoo ...)
	NOT-FOR-US: Fluoride Bluetooth stack in Android
CVE-2017-0841 (A remote code execution vulnerability in the Android system (libutils) ...)
	- android-platform-system-core (unimportant)
	NOTE: Fixed by https://android.googlesource.com/platform/system/core/+/47efc676c849e3abf32001d66e2d6eb887e83c48%5E!/
CVE-2017-0840 (An information disclosure vulnerability in the Android media framework ...)
	NOT-FOR-US: Android media framework
CVE-2017-0839 (An information disclosure vulnerability in the Android media framework ...)
	NOT-FOR-US: Android media framework
CVE-2017-0838 (An elevation of privilege vulnerability in the Android media framework ...)
	NOT-FOR-US: Android media framework
CVE-2017-0837 (An elevation of privilege vulnerability in the Android media framework ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0836 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android media framework
CVE-2017-0835 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android media framework
CVE-2017-0834 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android media framework
CVE-2017-0833 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android media framework
CVE-2017-0832 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android media framework
CVE-2017-0831 (An elevation of privilege vulnerability in the Android framework (wind ...)
	NOT-FOR-US: Android
CVE-2017-0830 (An elevation of privilege vulnerability in the Android framework (devi ...)
	NOT-FOR-US: Android
CVE-2017-0829 (An elevation of privilege vulnerability in the Motorola bootloader. Pr ...)
	NOT-FOR-US: Motorola bootloader
CVE-2017-0828 (An elevation of privilege vulnerability in the Huawei bootloader. Prod ...)
	NOT-FOR-US: Huawei bootloader
CVE-2017-0827 (An elevation of privilege vulnerability in the MediaTek soc driver. Pr ...)
	NOT-FOR-US: MediaTek driver for Android
CVE-2017-0826 (An elevation of privilege vulnerability in the HTC bootloader. Product ...)
	NOT-FOR-US: HTC bootloader
CVE-2017-0825 (An information disclosure vulnerability in the Broadcom wifi driver. P ...)
	NOT-FOR-US: Broadcom driver for Android
CVE-2017-0824 (An elevation of privilege vulnerability in the Broadcom wifi driver. P ...)
	NOT-FOR-US: Broadcom driver for Android
CVE-2017-0823 (An information disclosure vulnerability in the Android system (rild). ...)
	NOT-FOR-US: Android (rild)
CVE-2017-0822 (An elevation of privilege vulnerability in the Android system (camera) ...)
	- android-framework-23 (unimportant)
	NOTE: Fixed by https://android.googlesource.com/platform/frameworks/base/+/c574568aaede7f652432deb7707f20ae54bbdf9a
CVE-2017-0821
	RESERVED
CVE-2017-0820 (A vulnerability in the Android media framework (n/a). Product: Android ...)
	NOT-FOR-US: Android media framework
CVE-2017-0819 (A vulnerability in the Android media framework (n/a). Product: Android ...)
	NOT-FOR-US: Android media framework
CVE-2017-0818 (A vulnerability in the Android media framework (n/a). Product: Android ...)
	NOT-FOR-US: Android media framework
CVE-2017-0817 (An information disclosure vulnerability in the Android media framework ...)
	NOT-FOR-US: Android media framework
CVE-2017-0816 (An information disclosure vulnerability in the Android media framework ...)
	NOT-FOR-US: Android media framework
CVE-2017-0815 (An information disclosure vulnerability in the Android media framework ...)
	NOT-FOR-US: Android media framework
CVE-2017-0814 (An information disclosure vulnerability in the Android media framework ...)
	NOT-FOR-US: Android media framework
CVE-2017-0813 (A denial of service vulnerability in the Android media framework (libs ...)
	NOT-FOR-US: Android media framework
CVE-2017-0812 (An elevation of privilege vulnerability in the Android media framework ...)
	NOT-FOR-US: Android media framework
CVE-2017-0811 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android media framework
CVE-2017-0810 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android media framework
CVE-2017-0809 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android media framework
CVE-2017-0808 (An information disclosure vulnerability in the Android framework (file ...)
	NOT-FOR-US: Android
CVE-2017-0807 (An elevation of privilege vulnerability in the Android framework (ui f ...)
	NOT-FOR-US: Android
CVE-2017-0806 (An elevation of privilege vulnerability in the Android framework (gate ...)
	NOT-FOR-US: Android
CVE-2017-0805 (A elevation of privilege vulnerability in the Android media framework ...)
	NOT-FOR-US: Android media framework
CVE-2017-0804 (A elevation of privilege vulnerability in the MediaTek mmc driver. Pro ...)
	NOT-FOR-US: Mediatek driver for Android
CVE-2017-0803 (A elevation of privilege vulnerability in the MediaTek accessory detec ...)
	NOT-FOR-US: Mediatek driver for Android
CVE-2017-0802 (A elevation of privilege vulnerability in the MediaTek kernel. Product ...)
	NOT-FOR-US: Mediatek driver for Android
CVE-2017-0801 (A elevation of privilege vulnerability in the MediaTek libmtkomxvdec. ...)
	NOT-FOR-US: Mediatek driver for Android
CVE-2017-0800 (A elevation of privilege vulnerability in the MediaTek teei. Product: ...)
	NOT-FOR-US: Mediatek driver for Android
CVE-2017-0799 (A elevation of privilege vulnerability in the MediaTek lastbus. Produc ...)
	NOT-FOR-US: Mediatek driver for Android
CVE-2017-0798 (A elevation of privilege vulnerability in the MediaTek kernel. Product ...)
	NOT-FOR-US: Mediatek driver for Android
CVE-2017-0797 (A elevation of privilege vulnerability in the MediaTek accessory detec ...)
	NOT-FOR-US: Mediatek driver for Android
CVE-2017-0796 (A elevation of privilege vulnerability in the MediaTek auxadc driver. ...)
	NOT-FOR-US: Mediatek driver for Android
CVE-2017-0795 (A elevation of privilege vulnerability in the MediaTek accessory detec ...)
	NOT-FOR-US: Mediatek driver for Android
CVE-2017-0794 (A elevation of privilege vulnerability in the Upstream kernel scsi dri ...)
	NOT-FOR-US: Android kernel on Nexus (probably)
	NOTE: https://source.android.com/security/bulletin/2017-09-01 doesn't link a public patch, so probably related to some binary-only component on Nexus
CVE-2017-0793 (A information disclosure vulnerability in the N/A memory subsystem. Pr ...)
	NOT-FOR-US: Imagetech driver for Android
CVE-2017-0792 (A information disclosure vulnerability in the Broadcom wi-fi driver. P ...)
	NOT-FOR-US: Broadcom driver for Android
CVE-2017-0791 (A elevation of privilege vulnerability in the Broadcom wi-fi driver. P ...)
	NOT-FOR-US: Broadcom driver for Android
CVE-2017-0790 (A elevation of privilege vulnerability in the Broadcom wi-fi driver. P ...)
	NOT-FOR-US: Broadcom driver for Android
CVE-2017-0789 (A elevation of privilege vulnerability in the Broadcom wi-fi driver. P ...)
	NOT-FOR-US: Broadcom driver for Android
CVE-2017-0788 (A elevation of privilege vulnerability in the Broadcom wi-fi driver. P ...)
	NOT-FOR-US: Broadcom driver for Android
CVE-2017-0787 (A elevation of privilege vulnerability in the Broadcom wi-fi driver. P ...)
	NOT-FOR-US: Broadcom driver for Android
CVE-2017-0786 (A elevation of privilege vulnerability in the Broadcom wi-fi driver. P ...)
	- linux 4.13.4-2
	[stretch] - linux 4.9.65-1
	[jessie] - linux 3.16.51-1
	[wheezy] - linux (Vulnerable code not present)
	NOTE: Fixed by: https://git.kernel.org/linus/17df6453d4be17910456e99c5a85025aa1b7a246 (v4.14-rc4)
CVE-2017-0785 (A information disclosure vulnerability in the Android system (bluetoot ...)
	NOT-FOR-US: Android
	NOTE: https://www.armis.com/blueborne/
CVE-2017-0784 (A elevation of privilege vulnerability in the Android system (nfc). Pr ...)
	NOT-FOR-US: Android
CVE-2017-0783 (A information disclosure vulnerability in the Android system (bluetoot ...)
	NOT-FOR-US: Android
	NOTE: https://www.armis.com/blueborne/
CVE-2017-0782 (A remote code execution vulnerability in the Android system (bluetooth ...)
	NOT-FOR-US: Android
	NOTE: https://www.armis.com/blueborne/
CVE-2017-0781 (A remote code execution vulnerability in the Android system (bluetooth ...)
	NOT-FOR-US: Android
	NOTE: https://www.armis.com/blueborne/
CVE-2017-0780 (A denial of service vulnerability in the Android runtime (android mess ...)
	NOT-FOR-US: Android messaging
CVE-2017-0779 (A information disclosure vulnerability in the Android media framework ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0778 (A information disclosure vulnerability in the Android media framework ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0777 (A information disclosure vulnerability in the Android media framework ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0776 (A information disclosure vulnerability in the Android media framework ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0775 (A denial of service vulnerability in the Android media framework (libs ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0774 (A denial of service vulnerability in the Android media framework (libs ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0773 (A denial of service vulnerability in the Android media framework (libh ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0772 (A denial of service vulnerability in the Android media framework (liba ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0771 (A denial of service vulnerability in the Android media framework (libs ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0770 (A elevation of privilege vulnerability in the Android media framework ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0769 (A elevation of privilege vulnerability in the Android media framework ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0768 (A elevation of privilege vulnerability in the Android media framework ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0767 (A elevation of privilege vulnerability in the Android media framework ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0766 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0765 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0764 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0763 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0762 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0761 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0760 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0759 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0758 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0757 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0756 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android Media Framework
CVE-2017-0755 (A elevation of privilege vulnerability in the Android libraries (libmi ...)
	NOT-FOR-US: Android
CVE-2017-0754
	RESERVED
CVE-2017-0753 (A remote code execution vulnerability in the Android libraries (libgdx ...)
	NOT-FOR-US: Android (libgdx)
CVE-2017-0752 (A elevation of privilege vulnerability in the Android framework (windo ...)
	- android-framework-23 (unimportant)
	NOTE: Fixed by https://android.googlesource.com/platform/frameworks/base/+/6ca2eccdbbd4f11698bd5312812b4d171ff3c8ce%5E%21/
CVE-2017-0751 (An elevation of privilege vulnerability in the Qualcomm QCE driver. Pr ...)
	NOT-FOR-US: Google drivers for Android
CVE-2017-0750 (A elevation of privilege vulnerability in the Upstream Linux file syst ...)
	- linux (Android-specific change)
	NOTE: https://source.android.com/security/bulletin/2017-08-01
CVE-2017-0749 (A elevation of privilege vulnerability in the Upstream Linux linux ker ...)
	- linux (Android-specific change)
	NOTE: https://source.android.com/security/bulletin/2017-08-01
CVE-2017-0748 (An information disclosure vulnerability in the Qualcomm audio driver. ...)
	NOT-FOR-US: Google drivers for Android
CVE-2017-0747 (A elevation of privilege vulnerability in the Qualcomm proprietary com ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0746 (A elevation of privilege vulnerability in the Qualcomm ipa driver. Pro ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0745 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: libstagefright
CVE-2017-0744 (An elevation of privilege vulnerability in the NVIDIA firmware process ...)
	NOT-FOR-US: Google drivers for Android
CVE-2017-0743
	RESERVED
CVE-2017-0742 (A elevation of privilege vulnerability in the MediaTek video driver. P ...)
	NOT-FOR-US: Mediatek driver for Android
CVE-2017-0741 (A elevation of privilege vulnerability in the MediaTek gpu driver. Pro ...)
	NOT-FOR-US: Mediatek driver for Android
CVE-2017-0740 (A remote code execution vulnerability in the Broadcom networking drive ...)
	NOT-FOR-US: Broadcom driver for Android
CVE-2017-0739 (A information disclosure vulnerability in the Android media framework ...)
	NOT-FOR-US: Android media framework
CVE-2017-0738 (A information disclosure vulnerability in the Android media framework ...)
	NOT-FOR-US: Android media framework
CVE-2017-0737 (A elevation of privilege vulnerability in the Android media framework ...)
	NOT-FOR-US: libstagefright
CVE-2017-0736 (A denial of service vulnerability in the Android media framework (liba ...)
	NOT-FOR-US: Android media framework
CVE-2017-0735 (A denial of service vulnerability in the Android media framework (liba ...)
	NOT-FOR-US: Android media framework
CVE-2017-0734 (A denial of service vulnerability in the Android media framework (liba ...)
	NOT-FOR-US: Android media framework
CVE-2017-0733 (A denial of service vulnerability in the Android media framework (libm ...)
	NOT-FOR-US: Android media framework
CVE-2017-0732 (A elevation of privilege vulnerability in the Android media framework ...)
	NOT-FOR-US: libstagefright
CVE-2017-0731 (A elevation of privilege vulnerability in the Android media framework ...)
	NOT-FOR-US: libstagefright
CVE-2017-0730 (A denial of service vulnerability in the Android media framework (h264 ...)
	NOT-FOR-US: Android media framework
CVE-2017-0729 (A elevation of privilege vulnerability in the Android media framework ...)
	NOT-FOR-US: Android media framework
CVE-2017-0728 (A denial of service vulnerability in the Android media framework (hevc ...)
	NOT-FOR-US: Android media framework
CVE-2017-0727 (A elevation of privilege vulnerability in the Android media framework ...)
	NOT-FOR-US: Android media framework
CVE-2017-0726 (A denial of service vulnerability in the Android media framework (libs ...)
	NOT-FOR-US: libstagefright
CVE-2017-0725 (A denial of service vulnerability in the Android media framework (libs ...)
	NOT-FOR-US: Android media framework
CVE-2017-0724 (A denial of service vulnerability in the Android media framework (libm ...)
	NOT-FOR-US: Android media framework
CVE-2017-0723 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android media framework
CVE-2017-0722 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: libstagefright
CVE-2017-0721 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android media framework
CVE-2017-0720 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android media framework
CVE-2017-0719 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android media framework
CVE-2017-0718 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android media framework
CVE-2017-0717
	RESERVED
CVE-2017-0716 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android media framework
CVE-2017-0715 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android media framework
CVE-2017-0714 (A remote code execution vulnerability in the Android media framework ( ...)
	NOT-FOR-US: Android media framework
CVE-2017-0713 (A remote code execution vulnerability in the Android libraries (sfntly ...)
	NOT-FOR-US: Android
CVE-2017-0712 (A elevation of privilege vulnerability in the Android framework (wi-fi ...)
	NOT-FOR-US: Android
CVE-2017-0711 (A elevation of privilege vulnerability in the MediaTek networking driv ...)
	NOT-FOR-US: MediaTek driver for Android
CVE-2017-0710 (A elevation of privilege vulnerability in the Upstream Linux tcb. Prod ...)
	NOT-FOR-US: Android Trusted Computing Base
CVE-2017-0709 (A information disclosure vulnerability in the HTC sensor hub driver. P ...)
	NOT-FOR-US: HTC driver for Android
CVE-2017-0708 (A information disclosure vulnerability in the HTC sound driver. Produc ...)
	NOT-FOR-US: HTC driver for Android
CVE-2017-0707 (A elevation of privilege vulnerability in the HTC led driver. Product: ...)
	NOT-FOR-US: HTC driver for Android
CVE-2017-0706 (A elevation of privilege vulnerability in the Broadcom wi-fi driver. P ...)
	NOT-FOR-US: Broadcom driver for Android
CVE-2017-0705 (A elevation of privilege vulnerability in the Broadcom wi-fi driver. P ...)
	NOT-FOR-US: Broadcom driver for Android
CVE-2017-0704 (A elevation of privilege vulnerability in the Android system ui. Produ ...)
	NOT-FOR-US: Android
CVE-2017-0703 (A elevation of privilege vulnerability in the Android system ui. Produ ...)
	NOT-FOR-US: Android
CVE-2017-0702 (A remote code execution vulnerability in the Android system ui. Produc ...)
	NOT-FOR-US: Android
CVE-2017-0701 (A remote code execution vulnerability in the Android system ui. Produc ...)
	NOT-FOR-US: Android
CVE-2017-0700 (A remote code execution vulnerability in the Android system ui. Produc ...)
	NOT-FOR-US: Android
CVE-2017-0699 (A information disclosure vulnerability in the Android media framework. ...)
	NOT-FOR-US: Android media framework
CVE-2017-0698 (A information disclosure vulnerability in the Android media framework. ...)
	NOT-FOR-US: Android media framework
CVE-2017-0697 (A denial of service vulnerability in the Android media framework. Prod ...)
	NOT-FOR-US: Android media framework
CVE-2017-0696 (A denial of service vulnerability in the Android media framework. Prod ...)
	NOT-FOR-US: Android media framework
CVE-2017-0695 (A denial of service vulnerability in the Android media framework. Prod ...)
	NOT-FOR-US: Android media framework
CVE-2017-0694 (A denial of service vulnerability in the Android media framework. Prod ...)
	NOT-FOR-US: Android media framework
CVE-2017-0693 (A denial of service vulnerability in the Android media framework. Prod ...)
	NOT-FOR-US: Android media framework
CVE-2017-0692 (A denial of service vulnerability in the Android media framework. Prod ...)
	NOT-FOR-US: Android media framework
CVE-2017-0691 (A denial of service vulnerability in the Android media framework. Prod ...)
	NOT-FOR-US: Android media framework
CVE-2017-0690 (A denial of service vulnerability in the Android media framework. Prod ...)
	NOT-FOR-US: Android media framework
CVE-2017-0689 (A denial of service vulnerability in the Android media framework. Prod ...)
	NOT-FOR-US: Android media framework
CVE-2017-0688 (A denial of service vulnerability in the Android media framework. Prod ...)
	NOT-FOR-US: Android media framework
CVE-2017-0687 (A denial of service vulnerability in the Android media framework (liba ...)
	NOT-FOR-US: Android media framework
CVE-2017-0686 (A denial of service vulnerability in the Android media framework. Prod ...)
	NOT-FOR-US: Android media framework
CVE-2017-0685 (A denial of service vulnerability in the Android media framework. Prod ...)
	NOT-FOR-US: Android media framework
CVE-2017-0684 (A elevation of privilege vulnerability in the Android media framework. ...)
	NOT-FOR-US: Android media framework
CVE-2017-0683 (A remote code execution vulnerability in the Android media framework. ...)
	NOT-FOR-US: Android media framework
CVE-2017-0682 (A remote code execution vulnerability in the Android media framework. ...)
	NOT-FOR-US: Android media framework
CVE-2017-0681 (A remote code execution vulnerability in the Android media framework. ...)
	NOT-FOR-US: Android media framework
CVE-2017-0680 (A remote code execution vulnerability in the Android media framework. ...)
	NOT-FOR-US: Android media framework
CVE-2017-0679 (A remote code execution vulnerability in the Android media framework. ...)
	NOT-FOR-US: Android media framework
CVE-2017-0678 (A remote code execution vulnerability in the Android media framework. ...)
	NOT-FOR-US: Android media framework
CVE-2017-0677 (A remote code execution vulnerability in the Android media framework. ...)
	NOT-FOR-US: Android media framework
CVE-2017-0676 (A remote code execution vulnerability in the Android media framework. ...)
	NOT-FOR-US: Android media framework
CVE-2017-0675 (A remote code execution vulnerability in the Android media framework. ...)
	NOT-FOR-US: Android media framework
CVE-2017-0674 (A remote code execution vulnerability in the Android media framework. ...)
	NOT-FOR-US: Android media framework
CVE-2017-0673 (A remote code execution vulnerability in the Android media framework. ...)
	NOT-FOR-US: Android media framework
CVE-2017-0672 (A denial of service vulnerability in the Android libraries. Product: A ...)
	NOT-FOR-US: Android
CVE-2017-0671 (A remote code execution vulnerability in the Android libraries. Produc ...)
	NOT-FOR-US: Android
	NOTE: Not publicly available
CVE-2017-0670 (A denial of service vulnerability in the Android framework. Product: A ...)
	NOT-FOR-US: Android
CVE-2017-0669 (A information disclosure vulnerability in the Android framework. Produ ...)
	NOT-FOR-US: Android
CVE-2017-0668 (A information disclosure vulnerability in the Android framework. Produ ...)
	NOT-FOR-US: Android
CVE-2017-0667 (A elevation of privilege vulnerability in the Android framework. Produ ...)
	NOT-FOR-US: Android
CVE-2017-0666 (A elevation of privilege vulnerability in the Android framework. Produ ...)
	NOT-FOR-US: Android
CVE-2017-0665 (A elevation of privilege vulnerability in the Android framework. Produ ...)
	NOT-FOR-US: Android
CVE-2017-0664 (A elevation of privilege vulnerability in the Android framework. Produ ...)
	NOT-FOR-US: Android
CVE-2017-0663 (A remote code execution vulnerability in libxml2 could enable an attac ...)
	{DSA-3952-1 DLA-1060-1}
	- libxml2 2.9.4+dfsg1-3.1 (bug #870870)
	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=780228 (not yet public)
	NOTE: https://android.googlesource.com/platform/external/libxml2/+/521b88fbb6d18312923f0df653d045384b500ffc
	NOTE: Fixed by: https://git.gnome.org/browse/libxml2/commit/?id=92b9e8c8b3787068565a1820ba575d042f9eec66
CVE-2017-0662
	RESERVED
CVE-2017-0661
	RESERVED
CVE-2017-0660
	RESERVED
CVE-2017-0659
	RESERVED
CVE-2017-0658
	RESERVED
CVE-2017-0657
	RESERVED
CVE-2017-0656
	RESERVED
CVE-2017-0655
	RESERVED
CVE-2017-0654
	RESERVED
CVE-2017-0653
	RESERVED
CVE-2017-0652
	RESERVED
CVE-2017-0651 (An information disclosure vulnerability in the kernel ION subsystem co ...)
	NOT-FOR-US: Android
CVE-2017-0650 (An information disclosure vulnerability in the Synaptics touchscreen d ...)
	NOT-FOR-US: Synaptics driver for Android
CVE-2017-0649 (An elevation of privilege vulnerability in the MediaTek sound driver c ...)
	NOT-FOR-US: MediaTek driver for Android
CVE-2017-0648 (An elevation of privilege vulnerability in the kernel FIQ debugger cou ...)
	NOT-FOR-US: Android
CVE-2017-0647 (An information disclosure vulnerability in libziparchive could enable ...)
	- android-platform-system-core 1:7.0.0+r33-2 (unimportant; bug #867229)
	[jessie] - android-platform-system-core (Vulnerable code not present)
	NOTE: No impact on SDK usage
CVE-2017-0646 (An information disclosure vulnerability in Bluetooth component could e ...)
	NOT-FOR-US: Android
CVE-2017-0645 (An elevation of privilege vulnerability in Bluetooth could enable a lo ...)
	NOT-FOR-US: Android
CVE-2017-0644 (A remote denial of service vulnerability in Mediaserver could enable a ...)
	NOT-FOR-US: Android Mediaserver
CVE-2017-0643 (A remote denial of service vulnerability in Mediaserver could enable a ...)
	NOT-FOR-US: Android Mediaserver
CVE-2017-0642 (A remote denial of service vulnerability in libhevc in Mediaserver cou ...)
	NOT-FOR-US: Android Mediaserver
CVE-2017-0641 (A remote denial of service vulnerability in libvpx in Mediaserver coul ...)
	- libvpx (unimportant; bug #871931)
	NOTE: https://android.googlesource.com/platform/external/libvpx/+/698796fc930baecf5c3fdebef17e73d5d9a58bcb
	NOTE: Debian builds configures with --size-limit=16384x16384, Android lowered
	NOTE: the limit to something more aligned for smart phones
CVE-2017-0640 (A remote denial of service vulnerability in Mediaserver could enable a ...)
	NOT-FOR-US: Android Mediaserver
CVE-2017-0639 (An information disclosure vulnerability in Bluetooth component could e ...)
	NOT-FOR-US: Android
CVE-2017-0638 (A remote code execution vulnerability in System UI component could ena ...)
	NOT-FOR-US: Android
CVE-2017-0637 (A remote code execution vulnerability in libhevc in Mediaserver could ...)
	NOT-FOR-US: Android Mediaserver
CVE-2017-0636 (An elevation of privilege vulnerability in the MediaTek command queue ...)
	NOT-FOR-US: MediaTek driver for Android
CVE-2017-0635 (A remote denial of service vulnerability in HevcUtils.cpp in libstagef ...)
	NOT-FOR-US: libstagefright
CVE-2017-0634 (An information disclosure vulnerability in the Synaptics touchscreen d ...)
	NOT-FOR-US: Synaptics driver for Android
CVE-2017-0633 (An information disclosure vulnerability in the Broadcom Wi-Fi driver c ...)
	NOT-FOR-US: Broadcom driver for Android
CVE-2017-0632 (An information disclosure vulnerability in the Qualcomm sound codec dr ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0631 (An information disclosure vulnerability in the Qualcomm camera driver ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0630 (An information disclosure vulnerability in the kernel trace subsystem ...)
	- linux
	NOTE: https://lore.kernel.org/lkml/20180725202238.165314-1-salyzyn@android.com/
CVE-2017-0629 (An information disclosure vulnerability in the Qualcomm camera driver ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0628 (An information disclosure vulnerability in the Qualcomm camera driver ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0627 (An information disclosure vulnerability in the kernel UVC driver could ...)
	NOT-FOR-US: Android kernel
CVE-2017-0626 (An information disclosure vulnerability in the Qualcomm crypto engine ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0625 (An information disclosure vulnerability in the MediaTek command queue ...)
	NOT-FOR-US: Mediatek driver for Android
CVE-2017-0624 (An information disclosure vulnerability in the Qualcomm Wi-Fi driver c ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0623 (An elevation of privilege vulnerability in the HTC bootloader could en ...)
	NOT-FOR-US: HTC driver for Android
CVE-2017-0622 (An elevation of privilege vulnerability in the Goodix touchscreen driv ...)
	NOT-FOR-US: Goodix driver for Android
CVE-2017-0621 (An elevation of privilege vulnerability in the Qualcomm camera driver ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0620 (An elevation of privilege vulnerability in the Qualcomm Secure Channel ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0619 (An elevation of privilege vulnerability in the Qualcomm pin controller ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0618 (An elevation of privilege vulnerability in the MediaTek command queue ...)
	NOT-FOR-US: Mediatek driver for Android
CVE-2017-0617 (An elevation of privilege vulnerability in the MediaTek video driver c ...)
	NOT-FOR-US: Mediatek driver for Android
CVE-2017-0616 (An elevation of privilege vulnerability in the MediaTek system managem ...)
	NOT-FOR-US: Mediatek driver for Android
CVE-2017-0615 (An elevation of privilege vulnerability in the MediaTek power driver c ...)
	NOT-FOR-US: Mediatek driver for Android
CVE-2017-0614 (An elevation of privilege vulnerability in the Qualcomm Secure Executi ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0613 (An elevation of privilege vulnerability in the Qualcomm Secure Executi ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0612 (An elevation of privilege vulnerability in the Qualcomm Secure Executi ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0611 (An elevation of privilege vulnerability in the Qualcomm sound driver c ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0610 (An elevation of privilege vulnerability in the Qualcomm sound driver c ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0609 (An elevation of privilege vulnerability in the Qualcomm sound driver c ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0608 (An elevation of privilege vulnerability in the Qualcomm sound driver c ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0607 (An elevation of privilege vulnerability in the Qualcomm sound driver c ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0606 (An elevation of privilege vulnerability in the Qualcomm sound driver c ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0605
	REJECTED
CVE-2017-0604 (An elevation of privilege vulnerability in the kernel Qualcomm power d ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0603 (A denial of service vulnerability in libstagefright in Mediaserver cou ...)
	NOT-FOR-US: libstagefright
CVE-2017-0602 (An information disclosure vulnerability in Bluetooth could allow a loc ...)
	NOT-FOR-US: Android
CVE-2017-0601 (An Elevation of Privilege vulnerability in Bluetooth could potentially ...)
	NOT-FOR-US: Android
CVE-2017-0600 (A remote denial of service vulnerability in libstagefright in Mediaser ...)
	NOT-FOR-US: libstagefright
CVE-2017-0599 (A remote denial of service vulnerability in libhevc in Mediaserver cou ...)
	NOT-FOR-US: Android Mediaserver
CVE-2017-0598 (An information disclosure vulnerability in the Framework APIs could en ...)
	NOT-FOR-US: Android
CVE-2017-0597 (An elevation of privilege vulnerability in Audioserver could enable a ...)
	NOT-FOR-US: Android Audioserver
CVE-2017-0596 (An elevation of privilege vulnerability in libstagefright in Mediaserv ...)
	NOT-FOR-US: libstagefright
CVE-2017-0595 (An elevation of privilege vulnerability in libstagefright in Mediaserv ...)
	NOT-FOR-US: libstagefright
CVE-2017-0594 (An elevation of privilege vulnerability in codecs/aacenc/SoftAACEncode ...)
	NOT-FOR-US: libstagefright
CVE-2017-0593 (An elevation of privilege vulnerability in the Framework APIs could en ...)
	NOT-FOR-US: Android
CVE-2017-0592 (A remote code execution vulnerability in FLACExtractor.cpp in libstage ...)
	NOT-FOR-US: Android
CVE-2017-0591 (A remote code execution vulnerability in libavc in Mediaserver could e ...)
	NOT-FOR-US: Android Mediaserver
CVE-2017-0590 (A remote code execution vulnerability in libhevc in Mediaserver could ...)
	NOT-FOR-US: Android Mediaserver
CVE-2017-0589 (A remote code execution vulnerability in libhevc in Mediaserver could ...)
	NOT-FOR-US: Android Mediaserver
CVE-2017-0588 (A remote code execution vulnerability in id3/ID3.cpp in libstagefright ...)
	NOT-FOR-US: libstagefright
CVE-2017-0587 (A remote code execution vulnerability in libmpeg2 in Mediaserver could ...)
	NOT-FOR-US: libstagefright
CVE-2017-0586 (An information disclosure vulnerability in the Qualcomm sound driver c ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0585 (An information disclosure vulnerability in the Broadcom Wi-Fi driver c ...)
	NOT-FOR-US: Broadcom driver for Android
CVE-2017-0584 (An information disclosure vulnerability in the Qualcomm Wi-Fi driver c ...)
	NOT-FOR-US: Qualcomm driver for Android
CVE-2017-0583 (An elevation of privilege vulnerability in the Qualcomm CP access driv ...)
NOT-FOR-US: Qualcomm driver for Android CVE-2017-0582 (An elevation of privilege vulnerability in the HTC OEM fastboot comman ...) NOT-FOR-US: HTC driver for Android CVE-2017-0581 (An elevation of privilege vulnerability in the Synaptics Touchscreen d ...) NOT-FOR-US: Synaptics driver for Android CVE-2017-0580 (An elevation of privilege vulnerability in the Synaptics Touchscreen d ...) NOT-FOR-US: Synaptics driver for Android CVE-2017-0579 (An elevation of privilege vulnerability in the Qualcomm video driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0578 (An elevation of privilege vulnerability in the DTS sound driver could ...) NOT-FOR-US: DTS driver for Android CVE-2017-0577 (An elevation of privilege vulnerability in the HTC touchscreen driver ...) NOT-FOR-US: HTC driver for Android CVE-2017-0576 (An elevation of privilege vulnerability in the Qualcomm crypto engine ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0575 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0574 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0573 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0572 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0571 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0570 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0569 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0568 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) 
NOT-FOR-US: Broadcom driver for Android CVE-2017-0567 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0566 (An elevation of privilege vulnerability in the MediaTek camera driver ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0565 (An elevation of privilege vulnerability in the MediaTek thermal driver ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0564 (An elevation of privilege vulnerability in the kernel ION subsystem co ...) NOT-FOR-US: Android ION subsystem NOTE: Linux mainline contains a copy in drivers/staging/android/ion, but since no NOTE: patch has been made available it's likely some closed-source addon CVE-2017-0563 (An elevation of privilege vulnerability in the HTC touchscreen driver ...) NOT-FOR-US: HTC driver for Android CVE-2017-0562 (An elevation of privilege vulnerability in the MediaTek touchscreen dr ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0561 (A remote code execution vulnerability in the Broadcom Wi-Fi firmware c ...) {DLA-1573-1} - firmware-nonfree 20180518-1 (bug #869639) [stretch] - firmware-nonfree 20161130-4 [jessie] - firmware-nonfree (non-free not supported) CVE-2017-0560 (An information disclosure vulnerability in the factory reset process c ...) NOT-FOR-US: Android CVE-2017-0559 (An information disclosure vulnerability in libskia could enable a loca ...) - skia (bug #818180) CVE-2017-0558 (An information disclosure vulnerability in Mediaserver could enable a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0557 (An information disclosure vulnerability in libmpeg2 in Mediaserver cou ...) NOT-FOR-US: Android Mediaserver CVE-2017-0556 (An information disclosure vulnerability in libmpeg2 in Mediaserver cou ...) NOT-FOR-US: Android Mediaserver CVE-2017-0555 (An information disclosure vulnerability in libavc in Mediaserver could ...) 
NOT-FOR-US: Android Mediaserver/ libavc CVE-2017-0554 (An elevation of privilege vulnerability in the Telephony component cou ...) NOT-FOR-US: Android CVE-2017-0553 (An elevation of privilege vulnerability in libnl could enable a local ...) {DLA-892-1 DLA-891-1} - libnl3 3.2.27-2 (unimportant; bug #859948) - libnl (unimportant) NOTE: Fixed by: http://git.infradead.org/users/tgr/libnl.git/commit/3e18948f17148e6a3c4255bdeaaf01ef6081ceeb NOTE: Fix via Android: https://android.googlesource.com/platform/external/libnl/+/f83d9c1c67b6be69a96995e384f50b572b667df0 NOTE: Not a security issue by itself, the upstream patch protects against API misuse, NOTE: this still requires missing input validation in the application using libnl CVE-2017-0552 (A remote denial of service vulnerability in libavc in Mediaserver coul ...) NOT-FOR-US: Android Mediaserver / libavc CVE-2017-0551 (A remote denial of service vulnerability in libavc in Mediaserver coul ...) NOT-FOR-US: Android Mediaserver / libavc CVE-2017-0550 (A remote denial of service vulnerability in libavc in Mediaserver coul ...) NOT-FOR-US: Android Mediaserver / libavc CVE-2017-0549 (A remote denial of service vulnerability in libavc in Mediaserver coul ...) NOT-FOR-US: Android Mediaserver / libavc CVE-2017-0548 (A remote denial of service vulnerability in libskia could enable an at ...) - skia (bug #818180) CVE-2017-0547 (An information disclosure vulnerability in libmedia in Mediaserver cou ...) NOT-FOR-US: Android Mediaserver CVE-2017-0546 (An elevation of privilege vulnerability in SurfaceFlinger could enable ...) NOT-FOR-US: Android CVE-2017-0545 (An elevation of privilege vulnerability in Audioserver could enable a ...) NOT-FOR-US: Android CVE-2017-0544 (An elevation of privilege vulnerability in CameraBase could enable a l ...) NOT-FOR-US: Android CVE-2017-0543 (A remote code execution vulnerability in libavc in Mediaserver could e ...) 
NOT-FOR-US: Android Mediaserver/ libavc CVE-2017-0542 (A remote code execution vulnerability in libavc in Mediaserver could e ...) NOT-FOR-US: Android Mediaserver/ libavc CVE-2017-0541 (A remote code execution vulnerability in sonivox in Mediaserver could ...) NOT-FOR-US: Android Mediaserver CVE-2017-0540 (A remote code execution vulnerability in libhevc in Mediaserver could ...) NOT-FOR-US: Android Mediaserver CVE-2017-0539 (A remote code execution vulnerability in libhevc in Mediaserver could ...) NOT-FOR-US: Android Mediaserver CVE-2017-0538 (A remote code execution vulnerability in libavc in Mediaserver could e ...) NOT-FOR-US: Android Mediaserver / libavc CVE-2017-0537 (An information disclosure vulnerability in the kernel USB gadget drive ...) NOT-FOR-US: Nvidia driver for Android NOTE: https://source.android.com/security/bulletin/2017-03-01.html NOTE: Android bulletin lists as affecting only Pixel C (Tegra X1) and Tegra USB gadget mode is not in mainline Linux CVE-2017-0536 (An information disclosure vulnerability in the Synaptics touchscreen d ...) NOT-FOR-US: Synaptics driver for Android CVE-2017-0535 (An information disclosure vulnerability in the HTC sound codec driver ...) NOT-FOR-US: HTC driver for Android CVE-2017-0534 (An information disclosure vulnerability in the Qualcomm video driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0533 (An information disclosure vulnerability in the Qualcomm video driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0532 (An information disclosure vulnerability in the MediaTek video codec dr ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0531 (An information disclosure vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0530 RESERVED CVE-2017-0529 (An information disclosure vulnerability in the MediaTek driver could e ...) 
NOT-FOR-US: MediaTek driver for Android CVE-2017-0528 (An elevation of privilege vulnerability in the kernel security subsyst ...) NOT-FOR-US: Android bulletin lists as affecting only Pixel and Pixel XL (Qualcomm Snapdragon) so probably relates to Qualcomm driver NOTE: https://source.android.com/security/bulletin/2017-03-01.html CVE-2017-0527 (An elevation of privilege vulnerability in the HTC Sensor Hub Driver c ...) NOT-FOR-US: HTC driver for Android CVE-2017-0526 (An elevation of privilege vulnerability in the HTC Sensor Hub Driver c ...) NOT-FOR-US: HTC driver for Android CVE-2017-0525 (An elevation of privilege vulnerability in the Qualcomm IPA driver cou ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0524 (An elevation of privilege vulnerability in the Synaptics touchscreen d ...) NOT-FOR-US: Synaptics driver for Android CVE-2017-0523 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0522 (An elevation of privilege vulnerability in a MediaTek APK could enable ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0521 (An elevation of privilege vulnerability in the Qualcomm camera driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0520 (An elevation of privilege vulnerability in the Qualcomm crypto engine ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0519 (An elevation of privilege vulnerability in the Qualcomm fingerprint se ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0518 (An elevation of privilege vulnerability in the Qualcomm fingerprint se ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0517 (An elevation of privilege vulnerability in the MediaTek hardware senso ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0516 (An elevation of privilege vulnerability in the Qualcomm input hardware ...) 
NOT-FOR-US: Qualcomm driver for Android CVE-2017-0515 RESERVED CVE-2017-0514 RESERVED CVE-2017-0513 RESERVED CVE-2017-0512 RESERVED CVE-2017-0511 RESERVED CVE-2017-0510 (An elevation of privilege vulnerability in the kernel FIQ debugger cou ...) - linux (Android-specific patch) CVE-2017-0509 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0508 (An elevation of privilege vulnerability in the kernel ION subsystem co ...) NOT-FOR-US: Android ION subsystem NOTE: Linux mainline contains a copy in drivers/staging/android/ion, but since no NOTE: patch has been made available it's likely some closed-source addon CVE-2017-0507 (An elevation of privilege vulnerability in the kernel ION subsystem co ...) NOT-FOR-US: Android ION subsystem NOTE: Linux mainline contains a copy in drivers/staging/android/ion, but since no NOTE: patch has been made available it's likely some closed-source addon CVE-2017-0506 (An elevation of privilege vulnerability in MediaTek components, includ ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0505 (An elevation of privilege vulnerability in MediaTek components, includ ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0504 (An elevation of privilege vulnerability in MediaTek components, includ ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0503 (An elevation of privilege vulnerability in MediaTek components, includ ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0502 (An elevation of privilege vulnerability in MediaTek components, includ ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0501 (An elevation of privilege vulnerability in MediaTek components, includ ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0500 (An elevation of privilege vulnerability in MediaTek components, includ ...) NOT-FOR-US: MediaTek driver for Android CVE-2017-0499 (A denial of service vulnerability in Audioserver could enable a local ...) 
NOT-FOR-US: Android Audioserver CVE-2017-0498 (A denial of service vulnerability in Setup Wizard could allow a local ...) NOT-FOR-US: Android CVE-2017-0497 (A denial of service vulnerability in Mediaserver could enable an attac ...) NOT-FOR-US: Android Mediaserver CVE-2017-0496 (A denial of service vulnerability in Setup Wizard could allow a local ...) NOT-FOR-US: Android CVE-2017-0495 (An information disclosure vulnerability in Mediaserver could enable a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0494 (An information disclosure vulnerability in AOSP Messaging could enable ...) NOT-FOR-US: Android CVE-2017-0493 (An information disclosure vulnerability in File-Based Encryption could ...) NOT-FOR-US: Android CVE-2017-0492 (An elevation of privilege vulnerability in the System UI could enable ...) NOT-FOR-US: Android CVE-2017-0491 (An elevation of privilege vulnerability in Package Manager could enabl ...) NOT-FOR-US: Android CVE-2017-0490 (An elevation of privilege vulnerability in Wi-Fi could enable a local ...) NOT-FOR-US: Android CVE-2017-0489 (An elevation of privilege vulnerability in Location Manager could enab ...) NOT-FOR-US: Android CVE-2017-0488 (A denial of service vulnerability in Mediaserver could enable an attac ...) NOT-FOR-US: Android Mediaserver CVE-2017-0487 (A denial of service vulnerability in Mediaserver could enable an attac ...) NOT-FOR-US: Android Mediaserver CVE-2017-0486 (A denial of service vulnerability in Mediaserver could enable an attac ...) NOT-FOR-US: Android Mediaserver CVE-2017-0485 (A denial of service vulnerability in Mediaserver could enable an attac ...) NOT-FOR-US: Android Mediaserver CVE-2017-0484 (A denial of service vulnerability in Mediaserver could enable an attac ...) NOT-FOR-US: Android Mediaserver CVE-2017-0483 (A denial of service vulnerability in Mediaserver could enable an attac ...) NOT-FOR-US: Android Mediaserver CVE-2017-0482 (A denial of service vulnerability in Mediaserver could enable an attac ...) 
NOT-FOR-US: Android Mediaserver CVE-2017-0481 (An elevation of privilege vulnerability in NFC could enable a proximat ...) NOT-FOR-US: Android CVE-2017-0480 (An elevation of privilege vulnerability in Audioserver could enable a ...) NOT-FOR-US: Android Audioserver CVE-2017-0479 (An elevation of privilege vulnerability in Audioserver could enable a ...) NOT-FOR-US: Android Audioserver CVE-2017-0478 (A remote code execution vulnerability in the Framesequence library cou ...) NOT-FOR-US: Framesequence library CVE-2017-0477 (A remote code execution vulnerability in libgdx could enable an attack ...) - libgdx (bug #686673) CVE-2017-0476 (A remote code execution vulnerability in AOSP Messaging could enable a ...) NOT-FOR-US: Android CVE-2017-0475 (An elevation of privilege vulnerability in the recovery verifier could ...) NOT-FOR-US: Android CVE-2017-0474 (A remote code execution vulnerability in Mediaserver could enable an a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0473 (A remote code execution vulnerability in Mediaserver could enable an a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0472 (A remote code execution vulnerability in Mediaserver could enable an a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0471 (A remote code execution vulnerability in Mediaserver could enable an a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0470 (A remote code execution vulnerability in Mediaserver could enable an a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0469 (A remote code execution vulnerability in Mediaserver could enable an a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0468 (A remote code execution vulnerability in Mediaserver could enable an a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0467 (A remote code execution vulnerability in Mediaserver could enable an a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0466 (A remote code execution vulnerability in Mediaserver could enable an a ...) 
NOT-FOR-US: Android Mediaserver CVE-2017-0465 (An elevation of privilege vulnerability in the Qualcomm ADSPRPC driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0464 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0463 (An elevation of privilege vulnerability in the Qualcomm networking dri ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0462 (An elevation of privilege vulnerability in the Qualcomm Seemp driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0461 (An information disclosure vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0460 (An elevation of privilege vulnerability in the Qualcomm networking dri ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0459 (An information disclosure vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0458 (An elevation of privilege vulnerability in the Qualcomm camera driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0457 (An elevation of privilege vulnerability in the Qualcomm ADSPRPC driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0456 (An elevation of privilege vulnerability in the Qualcomm IPA driver cou ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0455 (An information disclosure vulnerability in the Qualcomm bootloader cou ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0454 (An elevation of privilege vulnerability in the Qualcomm audio driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0453 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0452 (An information disclosure vulnerability in the Qualcomm camera driver ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0451 (An information disclosure vulnerability in the Qualcomm sound driver c ...) 
NOT-FOR-US: Qualcomm driver for Android CVE-2017-0450 (An elevation of privilege vulnerability in Audioserver could enable a ...) NOT-FOR-US: Android Audioserver CVE-2017-0449 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0448 (An information disclosure vulnerability in the NVIDIA video driver cou ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0447 (An elevation of privilege vulnerability in the HTC touchscreen driver ...) NOT-FOR-US: HTC driver for Android CVE-2017-0446 (An elevation of privilege vulnerability in the HTC touchscreen driver ...) NOT-FOR-US: HTC driver for Android CVE-2017-0445 (An elevation of privilege vulnerability in the HTC touchscreen driver ...) NOT-FOR-US: HTC driver for Android CVE-2017-0444 (An elevation of privilege vulnerability in the Realtek sound driver co ...) NOT-FOR-US: Realtek driver for Android CVE-2017-0443 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0442 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0441 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0440 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0439 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0438 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0437 (An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0436 (An elevation of privilege vulnerability in the Qualcomm sound driver c ...) 
NOT-FOR-US: Qualcomm driver for Android CVE-2017-0435 (An elevation of privilege vulnerability in the Qualcomm sound driver c ...) NOT-FOR-US: Qualcomm driver for Android CVE-2017-0434 (An elevation of privilege vulnerability in the Synaptics touchscreen d ...) NOT-FOR-US: Synaptics driver for Android CVE-2017-0433 (An elevation of privilege vulnerability in the Synaptics touchscreen d ...) NOT-FOR-US: Synaptics driver for Android CVE-2017-0432 (An elevation of privilege vulnerability in the MediaTek driver could e ...) NOT-FOR-US: Mediatek driver for Android CVE-2017-0431 (An elevation of privilege vulnerability in Qualcomm closed source comp ...) NOT-FOR-US: Qualcomm component for Android CVE-2017-0430 (An elevation of privilege vulnerability in the Broadcom Wi-Fi driver c ...) NOT-FOR-US: Broadcom driver for Android CVE-2017-0429 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0428 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0427 (An elevation of privilege vulnerability in the kernel file system coul ...) NOT-FOR-US: Unspecified Android filesystem, apparently not in mainline NOTE: https://source.android.com/security/bulletin/2017-02-01.html NOTE: Android bulletin lists all recent devices as affected. NOTE: No source patch available, so may relate to Apache-licensed sdcardfs. CVE-2017-0426 (An information disclosure vulnerability in the Filesystem could enable ...) NOT-FOR-US: Android filesystem layout CVE-2017-0425 (An information disclosure vulnerability in Audioserver could enable a ...) NOT-FOR-US: Android Audioserver CVE-2017-0424 (An information disclosure vulnerability in AOSP Messaging could enable ...) NOT-FOR-US: Android CVE-2017-0423 (An elevation of privilege vulnerability in Bluetooth could enable a pr ...) 
NOT-FOR-US: Android CVE-2017-0422 (A denial of service vulnerability in Bionic DNS could enable a remote ...) NOT-FOR-US: Android CVE-2017-0421 (An information disclosure vulnerability in the Framework APIs could en ...) NOT-FOR-US: Android CVE-2017-0420 (An information disclosure vulnerability in AOSP Mail could enable a lo ...) NOT-FOR-US: Android CVE-2017-0419 (An elevation of privilege vulnerability in Audioserver could enable a ...) NOT-FOR-US: Android Audioserver CVE-2017-0418 (An elevation of privilege vulnerability in Audioserver could enable a ...) NOT-FOR-US: Android Audioserver CVE-2017-0417 (An elevation of privilege vulnerability in Audioserver could enable a ...) NOT-FOR-US: Android Audioserver CVE-2017-0416 (An elevation of privilege vulnerability in Audioserver could enable a ...) NOT-FOR-US: Android Audioserver CVE-2017-0415 (An elevation of privilege vulnerability in Mediaserver could enable a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0414 (An information disclosure vulnerability in AOSP Messaging could enable ...) NOT-FOR-US: Android CVE-2017-0413 (An information disclosure vulnerability in AOSP Messaging could enable ...) NOT-FOR-US: Android CVE-2017-0412 (An elevation of privilege vulnerability in the Framework APIs could en ...) NOT-FOR-US: Android CVE-2017-0411 (An elevation of privilege vulnerability in the Framework APIs could en ...) NOT-FOR-US: Android CVE-2017-0410 (An elevation of privilege vulnerability in the Framework APIs could en ...) NOT-FOR-US: Android CVE-2017-0409 (A remote code execution vulnerability in libstagefright could enable a ...) NOT-FOR-US: libstagefright CVE-2017-0408 (A remote code execution vulnerability in libgdx could enable an attack ...) - libgdx (bug #686673) CVE-2017-0407 (A remote code execution vulnerability in Mediaserver could enable an a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0406 (A remote code execution vulnerability in Mediaserver could enable an a ...) 
NOT-FOR-US: Android Mediaserver CVE-2017-0405 (A remote code execution vulnerability in Surfaceflinger could enable a ...) NOT-FOR-US: Android CVE-2017-0404 (An elevation of privilege vulnerability in the kernel sound subsystem ...) - linux (Android-specific sound system) CVE-2017-0403 (An elevation of privilege vulnerability in the kernel performance subs ...) - linux (Android-specific performance subsystem) CVE-2017-0402 (An information disclosure vulnerability in lvm/wrapper/Bundle/EffectBu ...) NOT-FOR-US: Android Audioserver CVE-2017-0401 (An information disclosure vulnerability in lvm/wrapper/Bundle/EffectBu ...) NOT-FOR-US: Android Qualcomm audio post processor CVE-2017-0400 (An information disclosure vulnerability in lvm/wrapper/Bundle/EffectBu ...) NOT-FOR-US: Android Audioserver CVE-2017-0399 (An information disclosure vulnerability in lvm/wrapper/Bundle/EffectBu ...) NOT-FOR-US: Android Qualcomm audio post processor CVE-2017-0398 (An information disclosure vulnerability in Audioserver could enable a ...) NOT-FOR-US: Android Audioserver CVE-2017-0397 (An information disclosure vulnerability in id3/ID3.cpp in libstagefrig ...) NOT-FOR-US: Android Mediaserver CVE-2017-0396 (An information disclosure vulnerability in visualizer/EffectVisualizer ...) NOT-FOR-US: Android Mediaserver CVE-2017-0395 (An elevation of privilege vulnerability in Contacts could enable a loc ...) NOT-FOR-US: Android Contacts CVE-2017-0394 (A denial of service vulnerability in Telephony could enable a remote a ...) NOT-FOR-US: Android Telephony CVE-2017-0393 (A denial of service vulnerability in libvpx in Mediaserver could enabl ...) - libvpx 1.6.1-1 [jessie] - libvpx (Minor issue) [wheezy] - libvpx (Minor issue) NOTE: probably fixed earlier, but this was the version checked NOTE: The wheezy source is confirmed (by code inspection) to be vulnerable. 
NOTE: https://android.googlesource.com/platform/external/libvpx/+/6886e8e0a9db2dbad723dc37a548233e004b33bc CVE-2017-0392 (A denial of service vulnerability in VBRISeeker.cpp in libstagefright ...) NOT-FOR-US: libstagefright CVE-2017-0391 (A denial of service vulnerability in decoder/ihevcd_decode.c in libhev ...) NOT-FOR-US: Android Mediaserver CVE-2017-0390 (A denial of service vulnerability in Tremolo/dpen.s in Mediaserver cou ...) NOT-FOR-US: Android Mediaserver CVE-2017-0389 (A denial of service vulnerability in core networking could enable a re ...) NOT-FOR-US: Android CVE-2017-0388 (An elevation of privilege vulnerability in the External Storage Provid ...) NOT-FOR-US: Android CVE-2017-0387 (An elevation of privilege vulnerability in Mediaserver could enable a ...) NOT-FOR-US: Android Mediaserver CVE-2017-0386 (An elevation of privilege vulnerability in the libnl library could ena ...) - libnl3 (Specific to Android's use of libnl) NOTE: https://github.com/thom311/libnl/issues/124 CVE-2017-0385 (An elevation of privilege vulnerability in Audioserver could enable a ...) NOT-FOR-US: Android Audioserver CVE-2017-0384 (An elevation of privilege vulnerability in lvm/wrapper/Bundle/EffectBu ...) NOT-FOR-US: Android Audioserver CVE-2017-0383 (An elevation of privilege vulnerability in the Framework APIs could en ...) NOT-FOR-US: Android CVE-2017-0382 (A remote code execution vulnerability in the Framesequence library cou ...) NOT-FOR-US: Android CVE-2017-0381 (An information disclosure vulnerability in silk/NLSF_stabilize.c in li ...) {DLA-793-1} - opus 1.2~alpha2-1 (bug #851612) [jessie] - opus (Minor issue, https://bugs.debian.org/851612#10) NOTE: Fixed by: https://github.com/xiph/opus/commit/79e8f527b0344b0897a65be35e77f7885bd99409 (v1.2-alpha) NOTE: https://github.com/xiph/opus/commit/70a3d641b760b3d313b6025f82aed93a460720e5 CVE-2017-0380 (The rend_service_intro_established function in or/rendservice.c in Tor ...) 
{DSA-3993-1} - tor 0.3.1.7-1 (bug #876221) [jessie] - tor (Issue introduced in 0.2.7.2-alpha) [wheezy] - tor (Issue introduced in 0.2.7.2-alpha) NOTE: https://trac.torproject.org/projects/tor/ticket/23490 NOTE: https://gitweb.torproject.org/tor.git/commit/?id=09ea89764a4d3a907808ed7d4fe42abfe64bd486 CVE-2017-0379 (Libgcrypt before 1.8.1 does not properly consider Curve25519 side-chan ...) {DSA-3959-1} - libgcrypt20 1.7.9-1 (bug #873383) [jessie] - libgcrypt20 (Vulnerable code not present, no Curve25519 support) - libgcrypt11 (Vulnerable code not present, no Curve25519 support) NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=da780c8183cccc8f533c8ace8211ac2cb2bdee7b NOTE: https://eprint.iacr.org/2017/806 CVE-2017-0378 (XSS exists in the login_form function in views/helpers.php in Phamm be ...) - phamm 0.6.8-1 (bug #868988) [stretch] - phamm (Minor issue) [jessie] - phamm (Minor issue) [wheezy] - phamm (Minor issue) NOTE: https://github.com/lota/phamm/issues/21 NOTE: https://github.com/lota/phamm/commit/331bdbf0e79632385495fa62e087a6b4cf78857e CVE-2017-0377 (Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only con ...) - tor (Affects only 0.3.x series) NOTE: https://trac.torproject.org/projects/tor/ticket/22753 NOTE: https://blog.torproject.org/blog/tor-0309-released-security-update-clients CVE-2017-0376 (The hidden-service feature in Tor before 0.3.0.8 allows a denial of se ...) {DSA-3877-1 DLA-982-1} - tor 0.2.9.11-1 (bug #864424) NOTE: https://trac.torproject.org/22494 NOTE: Fixed by: https://gitweb.torproject.org/tor.git/commit/?id=56a7c5bc15e0447203a491c1ee37de9939ad1dcd NOTE: Introduced in 0.2.2.1-alpha; fixed in 0.2.4.29, 0.2.5.14, 0.2.6.12, 0.2.7.8, 0.2.8.14, 0.2.9.11 0.3.0.8, 0.3.1.3-alpha CVE-2017-0375 (The hidden-service feature in Tor before 0.3.0.8 allows a denial of se ...) 
- tor (Introduced in 0.3.0.1-alpha) NOTE: https://trac.torproject.org/22493 NOTE: Fixed by: https://gitweb.torproject.org/tor.git/commit/?id=79b59a2dfcb68897ee89d98587d09e55f07e68d7 NOTE: Introduced in 0.3.0.1-alpha; fixed in 0.3.0.8, 0.3.1.3-alpha CVE-2017-0374 (lib/Config/Model.pm in Config-Model (aka libconfig-model-perl) before ...) - libconfig-model-perl 2.097-2 [jessie] - libconfig-model-perl (Minor issue) [wheezy] - libconfig-model-perl (Minor issue. Perl itself has to fix this and this can not be done easily) NOTE: https://anonscm.debian.org/cgit/pkg-perl/packages/libconfig-model-perl.git/commit/?h=stretch&id=0de8471e5a8958ad37446dfcd0362a269e3ec573 CVE-2017-0373 (The gen_class_pod implementation in lib/Config/Model/Utils/GenClassPod ...) - libconfig-model-perl 2.097-2 [jessie] - libconfig-model-perl (Minor issue) [wheezy] - libconfig-model-perl (Vulnerable code do not exist) NOTE: https://anonscm.debian.org/cgit/pkg-perl/packages/libconfig-model-perl.git/commit/?h=stretch&id=e7e5dd1a650939a0e021d1d5b311dbb3c4884773 CVE-2017-0372 (Parameters injection in the SyntaxHighlight extension of Mediawiki bef ...) - mediawiki 1:1.27.3-1 (bug #861585) [wheezy] - mediawiki (Not supported in Wheezy LTS) NOTE: https://phabricator.wikimedia.org/T158689 NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000209.html CVE-2017-0371 RESERVED - mediawiki 1:1.27.2-1 [wheezy] - mediawiki (Not supported in Wheezy LTS) NOTE: https://phabricator.wikimedia.org/T68404 CVE-2017-0370 (Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw were Spam b ...) - mediawiki 1:1.27.2-1 [wheezy] - mediawiki (Not supported in Wheezy LTS) NOTE: https://phabricator.wikimedia.org/T48143 NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html CVE-2017-0369 (Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw, allowing a ...) 
- mediawiki 1:1.27.2-1 [wheezy] - mediawiki (Not supported in Wheezy LTS) NOTE: https://phabricator.wikimedia.org/T108138 NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html CVE-2017-0368 (Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw making rawH ...) - mediawiki 1:1.27.2-1 [wheezy] - mediawiki (Not supported in Wheezy LTS) NOTE: https://phabricator.wikimedia.org/T156184 NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html CVE-2017-0367 (Mediawiki before 1.28.1 / 1.27.2 contains an unsafe use of temporary d ...) - mediawiki 1:1.27.2-1 [wheezy] - mediawiki (Vulnerable code not present) NOTE: https://phabricator.wikimedia.org/T161453 NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html CVE-2017-0366 (Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw allowing to ...) - mediawiki 1:1.27.2-1 [wheezy] - mediawiki (Not supported in Wheezy LTS) NOTE: https://phabricator.wikimedia.org/T151735 NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html CVE-2017-0365 (Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a XSS vulnerabilit ...) - mediawiki 1:1.27.2-1 [wheezy] - mediawiki (Not supported in Wheezy LTS) NOTE: https://phabricator.wikimedia.org/T144845 NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html CVE-2017-0364 (Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where Speci ...) - mediawiki 1:1.27.2-1 [wheezy] - mediawiki (Not supported in Wheezy LTS) NOTE: https://phabricator.wikimedia.org/T122209 NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html CVE-2017-0363 (Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 has a flaw where Special:Us ...) 
- mediawiki 1:1.27.2-1 [wheezy] - mediawiki (Not supported in Wheezy LTS) NOTE: https://phabricator.wikimedia.org/T109140 NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html CVE-2017-0362 (Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains a flaw where the " ...) - mediawiki 1:1.27.2-1 [wheezy] - mediawiki (Not supported in Wheezy LTS) NOTE: https://phabricator.wikimedia.org/T150044 NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html CVE-2017-0361 (Mediawiki before 1.28.1 / 1.27.2 / 1.23.16 contains an information dis ...) - mediawiki 1:1.27.2-1 [wheezy] - mediawiki (Not supported in Wheezy LTS) NOTE: https://phabricator.wikimedia.org/T125177 NOTE: https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-April/000207.html CVE-2017-0360 (file_open in Tryton 3.x and 4.x through 4.2.2 allows remote authentica ...) {DSA-3826-1 DLA-882-1} - tryton-server 4.2.1-2 NOTE: Fixed by: http://hg.tryton.org/trytond?cmd=changeset;node=472510fdc6f8 (4.2.x) CVE-2017-0359 (diffoscope before 77 writes to arbitrary locations on disk based on th ...) - diffoscope 77 (bug #854723) CVE-2017-0358 (Jann Horn of Google Project Zero discovered that NTFS-3G, a read-write ...) {DSA-3780-1 DLA-815-1} - ntfs-3g 1:2016.2.22AR.1-4 NOTE: PoC https://www.openwall.com/lists/oss-security/2017/02/04/1 CVE-2017-0357 (A heap-overflow flaw exists in the -tr loader of iucode-tool starting ...) - iucode-tool 2.1.1-1 [jessie] - iucode-tool (Vulnerable code not present) [wheezy] - iucode-tool (Vulnerable code not present) NOTE: https://gitlab.com/iucode-tool/iucode-tool/issues/3 CVE-2017-0356 (A flaw, similar to CVE-2016-9646, exists in ikiwiki before 3.201701 ...) {DSA-3760-1 DLA-812-1} - ikiwiki 3.20170111 NOTE: https://ikiwiki.info/security/#cve-2017-0356 CVE-2017-0355 (All versions of the NVIDIA Windows GPU Display Driver contain a vulner ...)
NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0354 (All versions of the NVIDIA Windows GPU Display Driver contain a vulner ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0353 (All versions of the NVIDIA GPU Display Driver contain a vulnerability ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0352 (All versions of the NVIDIA GPU Display Driver contain a vulnerability ...) - nvidia-graphics-drivers 375.66-1 (bug #863515) [jessie] - nvidia-graphics-drivers (Non-free not supported) [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (Only affects later driver series) - nvidia-graphics-drivers-legacy-304xx (Only affects later driver series) CVE-2017-0351 (All versions of the NVIDIA GPU Display Driver contain a vulnerability ...) - nvidia-graphics-drivers 375.66-1 (bug #863515) [jessie] - nvidia-graphics-drivers (Non-free not supported) [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (Only affects later driver series) - nvidia-graphics-drivers-legacy-304xx (Only affects later driver series) CVE-2017-0350 (All versions of the NVIDIA GPU Display Driver contain a vulnerability ...) - nvidia-graphics-drivers 375.66-1 (bug #863515) [jessie] - nvidia-graphics-drivers (Non-free not supported) [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx (Only affects later driver series) - nvidia-graphics-drivers-legacy-304xx (Only affects later driver series) CVE-2017-0349 (All versions of the NVIDIA Windows GPU Display Driver contain a vulner ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0348 (All versions of the NVIDIA Windows GPU Display Driver contain a vulner ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0347 (All versions of the NVIDIA Windows GPU Display Driver contain a vulner ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0346 (All versions of the NVIDIA Windows GPU Display Driver contain a vulner ...) 
NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0345 (All versions of the NVIDIA Windows GPU Display Driver contain a vulner ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0344 (All versions of the NVIDIA Windows GPU Display Driver contain a vulner ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0343 (All versions of the NVIDIA Windows GPU Display Driver contain a vulner ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0342 (All versions of the NVIDIA Windows GPU Display Driver contain a vulner ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0341 (All versions of the NVIDIA Windows GPU Display Driver contain a vulner ...) NOT-FOR-US: NVIDIA Windows drivers CVE-2017-0340 (An elevation of privilege vulnerability in the NVIDIA Libnvparser comp ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0339 (An elevation of privilege vulnerability in the NVIDIA crypto driver co ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0338 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0337 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0336 (An information disclosure vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0335 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0334 (An information disclosure vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0333 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0332 (An elevation of privilege vulnerability in the NVIDIA crypto driver co ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0331 (An elevation of privilege vulnerability in the NVIDIA video driver cou ...) 
NOT-FOR-US: NVIDIA driver for Android CVE-2017-0330 (An information disclosure vulnerability in the NVIDIA crypto driver co ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0329 (An elevation of privilege vulnerability in the NVIDIA boot and power m ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0328 (An information disclosure vulnerability in the NVIDIA crypto driver co ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0327 (An elevation of privilege vulnerability in the NVIDIA crypto driver co ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0326 (An information disclosure vulnerability in the NVIDIA Video Driver due ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0325 (An elevation of privilege vulnerability in the NVIDIA I2C HID driver c ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0324 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2017-0323 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2017-0322 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2017-0321 (All versions of NVIDIA GPU Display Driver contain a vulnerability in t ...) - nvidia-graphics-drivers 375.39-1 (bug #855277) [jessie] - nvidia-graphics-drivers 340.102-1 [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx 340.102-1 (bug #855278) - nvidia-graphics-drivers-legacy-304xx 304.135-2 (bug #855279) [jessie] - nvidia-graphics-drivers-legacy-304xx 304.135-1 CVE-2017-0320 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2017-0319 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2017-0318 (All versions of NVIDIA Linux GPU Display Driver contain a vulnerabilit ...) 
- nvidia-graphics-drivers 375.39-1 (bug #855277) [jessie] - nvidia-graphics-drivers 340.102-1 [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx 340.102-1 (bug #855278) - nvidia-graphics-drivers-legacy-304xx 304.135-2 (bug #855279) [jessie] - nvidia-graphics-drivers-legacy-304xx 304.135-1 CVE-2017-0317 (All versions of NVIDIA GPU and GeForce Experience installer contain a ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2017-0316 (In GeForce Experience (GFE) 3.x before 3.10.0.55, NVIDIA Installer Fra ...) NOT-FOR-US: NVIDIA Installer Framework CVE-2017-0315 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2017-0314 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2017-0313 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2017-0312 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2017-0311 (NVIDIA GPU Display Driver R378 contains a vulnerability in the kernel ...) - nvidia-graphics-drivers 375.39-1 (bug #855277) [jessie] - nvidia-graphics-drivers 340.102-1 [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx 340.102-1 (bug #855278) - nvidia-graphics-drivers-legacy-304xx 304.135-2 (bug #855279) [jessie] - nvidia-graphics-drivers-legacy-304xx 304.135-1 CVE-2017-0310 (All versions of NVIDIA GPU Display Driver contain a vulnerability in t ...) 
- nvidia-graphics-drivers 375.39-1 (bug #855277) [jessie] - nvidia-graphics-drivers 340.102-1 [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx 340.102-1 (bug #855278) - nvidia-graphics-drivers-legacy-304xx 304.135-2 (bug #855279) [jessie] - nvidia-graphics-drivers-legacy-304xx 304.135-1 CVE-2017-0309 (All versions of NVIDIA GPU Display Driver contain a vulnerability in t ...) - nvidia-graphics-drivers 375.39-1 (bug #855277) [jessie] - nvidia-graphics-drivers 340.102-1 [wheezy] - nvidia-graphics-drivers (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx 340.102-1 (bug #855278) - nvidia-graphics-drivers-legacy-304xx 304.135-2 (bug #855279) [jessie] - nvidia-graphics-drivers-legacy-304xx 304.135-1 CVE-2017-0308 (All versions of NVIDIA Windows GPU Display Driver contain a vulnerabil ...) NOT-FOR-US: NVIDIA drivers for Windows CVE-2017-0307 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0306 (An elevation of privilege vulnerability in the NVIDIA GPU driver could ...) NOT-FOR-US: NVIDIA driver for Android CVE-2017-0305 (F5 SSL Intercept iApp version 1.5.0 - 1.5.7 is vulnerable to an unauth ...) NOT-FOR-US: F5 CVE-2017-0304 (A SQL injection vulnerability exists in the BIG-IP AFM management UI o ...) NOT-FOR-US: F5 BIG-IP CVE-2017-0303 (In F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, DNS, GTM, Link Contro ...) NOT-FOR-US: F5 CVE-2017-0302 (In F5 BIG-IP APM 12.0.0 through 12.1.2 and 13.0.0, an authenticated us ...) NOT-FOR-US: F5 CVE-2017-0301 (In F5 BIG-IP APM software versions 11.5.0, 11.5.1, 11.5.2, 11.5.3, 11. ...) NOT-FOR-US: F5 BIG-IP CVE-2017-1000245 (The SSH Plugin stores credentials which allow jobs to access remote se ...) NOT-FOR-US: Jenkins SSH plugin CVE-2017-0300 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) 
NOT-FOR-US: Microsoft CVE-2017-0299 (The kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-0298 (A DCOM object in Helppane.exe in Microsoft Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0297 (The kernel in Microsoft Windows Server 2008 R2 SP1, Windows 7 SP1, Win ...) NOT-FOR-US: Microsoft CVE-2017-0296 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-0295 (Microsoft Windows 10 1607 and 1703, and Windows Server 2016 allow an a ...) NOT-FOR-US: Microsoft CVE-2017-0294 (Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-0293 (Microsoft Windows PDF Library in Windows Server 2008 R2 SP1, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-0292 (Windows PDF in Windows 8.1, Windows Server 2012 Gold and R2, Windows R ...) NOT-FOR-US: Microsoft CVE-2017-0291 (Windows PDF in Windows 8.1, Windows Server 2012 Gold and R2, Windows R ...) NOT-FOR-US: Microsoft CVE-2017-0290 (The Microsoft Malware Protection Engine running on Microsoft Forefront ...) NOT-FOR-US: Microsoft CVE-2017-0289 (Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-0288 (Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-0287 (Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-0286 (Graphics in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-0285 (Uniscribe in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Window ...) NOT-FOR-US: Microsoft CVE-2017-0284 (Uniscribe in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Window ...) NOT-FOR-US: Microsoft CVE-2017-0283 (Uniscribe in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Window ...) 
NOT-FOR-US: Microsoft CVE-2017-0282 (Uniscribe in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Window ...) NOT-FOR-US: Microsoft CVE-2017-0281 (Microsoft Office 2007 SP3, Office 2010 SP2, Office 2013 SP1, Office 20 ...) NOT-FOR-US: Microsoft CVE-2017-0280 (The Microsoft Server Message Block 1.0 (SMBv1) allows denial of servic ...) NOT-FOR-US: Microsoft CVE-2017-0279 (The Microsoft Server Message Block 1.0 (SMBv1) server on Microsoft Win ...) NOT-FOR-US: Microsoft CVE-2017-0278 (The Microsoft Server Message Block 1.0 (SMBv1) server on Microsoft Win ...) NOT-FOR-US: Microsoft CVE-2017-0277 (The Microsoft Server Message Block 1.0 (SMBv1) server on Microsoft Win ...) NOT-FOR-US: Microsoft CVE-2017-0276 (Microsoft Server Message Block 1.0 (SMBv1) allows an information discl ...) NOT-FOR-US: Microsoft CVE-2017-0275 (Microsoft Server Message Block 1.0 (SMBv1) allows an information discl ...) NOT-FOR-US: Microsoft CVE-2017-0274 (Microsoft Server Message Block 1.0 (SMBv1) allows an information discl ...) NOT-FOR-US: Microsoft CVE-2017-0273 (The Microsoft Server Message Block 1.0 (SMBv1) allows denial of servic ...) NOT-FOR-US: Microsoft CVE-2017-0272 (The Microsoft Server Message Block 1.0 (SMBv1) server on Microsoft Win ...) NOT-FOR-US: Microsoft CVE-2017-0271 (Microsoft Server Message Block 1.0 (SMBv1) allows an information discl ...) NOT-FOR-US: Microsoft CVE-2017-0270 (Microsoft Server Message Block 1.0 (SMBv1) allows an information discl ...) NOT-FOR-US: Microsoft CVE-2017-0269 (The Microsoft Server Message Block 1.0 (SMBv1) allows denial of servic ...) NOT-FOR-US: Microsoft CVE-2017-0268 (Microsoft Server Message Block 1.0 (SMBv1) allows an information discl ...) NOT-FOR-US: Microsoft CVE-2017-0267 (Microsoft Server Message Block 1.0 (SMBv1) allows an information discl ...) NOT-FOR-US: Microsoft CVE-2017-0266 (A remote code execution vulnerability exists in Microsoft Edge in the ...) 
NOT-FOR-US: Microsoft CVE-2017-0265 (Microsoft PowerPoint for Mac 2011 allows a remote code execution vulne ...) NOT-FOR-US: Microsoft CVE-2017-0264 (Microsoft PowerPoint for Mac 2011 allows a remote code execution vulne ...) NOT-FOR-US: Microsoft CVE-2017-0263 (The kernel-mode drivers in Microsoft Windows Server 2008 SP2 and R2 SP ...) NOT-FOR-US: Microsoft CVE-2017-0262 (Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a re ...) NOT-FOR-US: Microsoft CVE-2017-0261 (Microsoft Office 2010 SP2, Office 2013 SP1, and Office 2016 allow a re ...) NOT-FOR-US: Microsoft CVE-2017-0260 (A remote code execution vulnerability exists in Microsoft Office when ...) NOT-FOR-US: Microsoft CVE-2017-0259 (The Windows kernel in Microsoft Windows 8.1, Windows Server 2012 R2, W ...) NOT-FOR-US: Microsoft CVE-2017-0258 (The Windows kernel in Microsoft Windows Server 2008 SP2 and R2 SP1, Wi ...) NOT-FOR-US: Microsoft CVE-2017-0257 RESERVED CVE-2017-0256 (A spoofing vulnerability exists when the ASP.NET Core fails to properl ...) NOT-FOR-US: Microsoft CVE-2017-0255 (Microsoft SharePoint Foundation 2013 SP1 allows an elevation of privil ...) NOT-FOR-US: Microsoft CVE-2017-0254 (Microsoft Word 2007, Office 2010 SP2, Word 2010 SP2, Office Compatibil ...) NOT-FOR-US: Microsoft CVE-2017-0253 RESERVED CVE-2017-0252 (A remote code execution vulnerability exists in Microsoft Chakra Core ...) NOT-FOR-US: Microsoft CVE-2017-0251 RESERVED CVE-2017-0250 (Microsoft JET Database Engine in Windows Server 2008 SP2 and R2 SP1, W ...) NOT-FOR-US: Microsoft CVE-2017-0249 (An elevation of privilege vulnerability exists when the ASP.NET Core f ...) NOT-FOR-US: Microsoft CVE-2017-0248 (Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and ...) NOT-FOR-US: Microsoft CVE-2017-0247 (A denial of service vulnerability exists when the ASP.NET Core fails t ...) NOT-FOR-US: Microsoft CVE-2017-0246 (The Graphics Component in the kernel-mode drivers in Windows Server 20 ...) 
NOT-FOR-US: Microsoft CVE-2017-0245 (The kernel-mode drivers in Windows Server 2008 SP2 and R2 SP1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-0244 (The kernel in Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 al ...) NOT-FOR-US: Microsoft CVE-2017-0243 (Microsoft Office allows a remote code execution vulnerability due to t ...) NOT-FOR-US: Microsoft CVE-2017-0242 (An information disclosure vulnerability exists in the way some ActiveX ...) NOT-FOR-US: Microsoft CVE-2017-0241 (An elevation of privilege vulnerability exists when Microsoft Edge ren ...) NOT-FOR-US: Microsoft CVE-2017-0240 (A remote code execution vulnerability exists in Microsoft Edge in the ...) NOT-FOR-US: Microsoft CVE-2017-0239 RESERVED CVE-2017-0238 (A remote code execution vulnerability exists in Microsoft browsers in ...) NOT-FOR-US: Microsoft CVE-2017-0237 RESERVED CVE-2017-0236 (A remote code execution vulnerability exists in Microsoft Edge in the ...) NOT-FOR-US: Microsoft CVE-2017-0235 (A remote code execution vulnerability exists in Microsoft Edge in the ...) NOT-FOR-US: Microsoft CVE-2017-0234 (A remote code execution vulnerability exists in Microsoft Edge in the ...) NOT-FOR-US: Microsoft CVE-2017-0233 (An elevation of privilege vulnerability exists in Microsoft Edge that ...) NOT-FOR-US: Microsoft CVE-2017-0232 RESERVED CVE-2017-0231 (A spoofing vulnerability exists when Microsoft browsers render SmartSc ...) NOT-FOR-US: Microsoft CVE-2017-0230 (A remote code execution vulnerability exists in Microsoft Edge in the ...) NOT-FOR-US: Microsoft CVE-2017-0229 (A remote code execution vulnerability exists in Microsoft Edge in the ...) NOT-FOR-US: Microsoft CVE-2017-0228 (A remote code execution vulnerability exists in Microsoft browsers in ...) NOT-FOR-US: Microsoft CVE-2017-0227 (A remote code execution vulnerability exists in Microsoft Edge in the ...) NOT-FOR-US: Microsoft CVE-2017-0226 (A remote code execution vulnerability exists when Internet Explorer im ...) 
NOT-FOR-US: Microsoft CVE-2017-0225 RESERVED CVE-2017-0224 (A remote code execution vulnerability exists in the way JavaScript eng ...) NOT-FOR-US: Microsoft CVE-2017-0223 (A remote code execution vulnerability exists in Microsoft Chakra Core ...) NOT-FOR-US: Microsoft CVE-2017-0222 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2017-0221 (A vulnerability exists when Microsoft Edge improperly accesses objects ...) NOT-FOR-US: Microsoft CVE-2017-0220 (The Windows kernel in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP ...) NOT-FOR-US: Microsoft CVE-2017-0219 (Microsoft Windows 10 Gold, Windows 10 1511, Windows 10 1607, and Windo ...) NOT-FOR-US: Microsoft CVE-2017-0218 (Microsoft Windows 10 Gold, Windows 10 1511, Windows 10 1607, and Windo ...) NOT-FOR-US: Microsoft CVE-2017-0217 RESERVED CVE-2017-0216 (Microsoft Windows 10 1511, Windows 10 1607, and Windows Server 2016 al ...) NOT-FOR-US: Microsoft CVE-2017-0215 (Microsoft Windows 10 1607 and Windows Server 2016 allow an attacker to ...) NOT-FOR-US: Microsoft CVE-2017-0214 (Windows COM in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-0213 (Windows COM Aggregate Marshaler in Microsoft Windows Server 2008 SP2 a ...) NOT-FOR-US: Microsoft CVE-2017-0212 (Windows Hyper-V allows an elevation of privilege vulnerability when Mi ...) NOT-FOR-US: Microsoft CVE-2017-0211 (An elevation of privilege vulnerability exists in Windows 10, Windows ...) NOT-FOR-US: Microsoft CVE-2017-0210 (An elevation of privilege vulnerability exists when Internet Explorer ...) NOT-FOR-US: Microsoft CVE-2017-0209 RESERVED CVE-2017-0208 (An information disclosure vulnerability exists in Microsoft Edge when ...) NOT-FOR-US: Microsoft CVE-2017-0207 (Microsoft Outlook for Mac 2011 allows remote attackers to spoof web co ...) 
NOT-FOR-US: Microsoft CVE-2017-0206 RESERVED CVE-2017-0205 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2017-0204 (Microsoft Outlook 2007 SP3, Microsoft Outlook 2010 SP2, Microsoft Outl ...) NOT-FOR-US: Microsoft CVE-2017-0203 (A vulnerability exists in Microsoft Edge when the Edge Content Securit ...) NOT-FOR-US: Microsoft CVE-2017-0202 (A remote code execution vulnerability exists when Internet Explorer im ...) NOT-FOR-US: Microsoft CVE-2017-0201 (A remote code execution vulnerability exists in Internet Explorer in t ...) NOT-FOR-US: Microsoft CVE-2017-0200 (A remote code execution vulnerability exists when Microsoft Edge impro ...) NOT-FOR-US: Microsoft CVE-2017-0199 (Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office ...) NOT-FOR-US: Microsoft CVE-2017-0198 RESERVED CVE-2017-0197 (Microsoft OneNote 2007 SP3 and Microsoft OneNote 2010 SP2 allow remote ...) NOT-FOR-US: Microsoft CVE-2017-0196 (An information disclosure vulnerability in Microsoft scripting engine ...) NOT-FOR-US: Microsoft CVE-2017-0195 (Microsoft Excel Services on Microsoft SharePoint Server 2010 SP1 and S ...) NOT-FOR-US: Microsoft CVE-2017-0194 (Microsoft Excel 2007 SP3, Microsoft Excel 2010 SP2, and Office Compati ...) NOT-FOR-US: Microsoft CVE-2017-0193 (Windows Hyper-V in Microsoft Windows Server 2008 SP2 and R2 SP1, Windo ...) NOT-FOR-US: Microsoft CVE-2017-0192 (The Adobe Type Manager Font Driver (ATMFD.dll) in Microsoft Windows Vi ...) NOT-FOR-US: Microsoft CVE-2017-0191 (A denial of service vulnerability exists in the way that Windows 7, Wi ...) NOT-FOR-US: Microsoft CVE-2017-0190 (The GDI component in Microsoft Windows Server 2008 SP2 and R2 SP1, Win ...) NOT-FOR-US: Microsoft CVE-2017-0189 (An elevation of privilege vulnerability exists in Windows 10 when the ...) NOT-FOR-US: Microsoft CVE-2017-0188 (A Win32k information disclosure vulnerability exists in Windows 8.1, W ...) 
NOT-FOR-US: Microsoft CVE-2017-0187 RESERVED CVE-2017-0186 (A denial of service vulnerability exists when Microsoft Hyper-V Networ ...) NOT-FOR-US: Microsoft CVE-2017-0185 (A denial of service vulnerability exists when Microsoft Hyper-V Networ ...) NOT-FOR-US: Microsoft CVE-2017-0184 (A denial of service vulnerability exists when Microsoft Hyper-V runnin ...) NOT-FOR-US: Microsoft CVE-2017-0183 (A denial of service vulnerability exists when Microsoft Hyper-V Networ ...) NOT-FOR-US: Microsoft CVE-2017-0182 (A denial of service vulnerability exists when Microsoft Hyper-V Networ ...) NOT-FOR-US: Microsoft CVE-2017-0181 (A remote code execution vulnerability exists when Windows Hyper-V Netw ...) NOT-FOR-US: Microsoft CVE-2017-0180 (A remote code execution vulnerability exists when Windows Hyper-V Netw ...) NOT-FOR-US: Microsoft CVE-2017-0179 (A denial of service vulnerability exists when Microsoft Hyper-V runnin ...) NOT-FOR-US: Microsoft CVE-2017-0178 (A denial of service vulnerability exists when Microsoft Hyper-V runnin ...) NOT-FOR-US: Microsoft CVE-2017-0177 RESERVED CVE-2017-0176 (A buffer overflow in Smart Card authentication code in gpkcsp.dll in M ...) NOT-FOR-US: Microsoft CVE-2017-0175 (The Windows kernel in Windows Server 2008 SP2 and R2 SP1, and Windows ...) NOT-FOR-US: Microsoft CVE-2017-0174 (Windows NetBIOS in Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, ...) NOT-FOR-US: Microsoft CVE-2017-0173 (Microsoft Windows 10 1607 and Windows Server 2016 allow an attacker to ...) NOT-FOR-US: Microsoft CVE-2017-0172 RESERVED CVE-2017-0171 (Windows DNS Server allows a denial of service vulnerability when Micro ...) NOT-FOR-US: Microsoft CVE-2017-0170 (Windows Performance Monitor in Windows Server 2008 SP2 and R2 SP1, Win ...) NOT-FOR-US: Microsoft CVE-2017-0169 (An information disclosure vulnerability exists when Windows Hyper-V ru ...) NOT-FOR-US: Microsoft CVE-2017-0168 (An information disclosure vulnerability exists when the Windows Hyper- ...) 
NOT-FOR-US: Microsoft CVE-2017-0167 (An information disclosure vulnerability exists in Windows 8.1, Windows ...) NOT-FOR-US: Microsoft CVE-2017-0166 (An elevation of privilege vulnerability exists in Windows when LDAP re ...) NOT-FOR-US: Microsoft CVE-2017-0165 (An elevation of privilege vulnerability exists when Microsoft Windows ...) NOT-FOR-US: Microsoft CVE-2017-0164 (A denial of service vulnerability exists in Windows 10 1607 and Window ...) NOT-FOR-US: Microsoft CVE-2017-0163 (A remote code execution vulnerability exists when Windows Hyper-V Netw ...) NOT-FOR-US: Microsoft CVE-2017-0162 (A remote code execution vulnerability exists when Windows Hyper-V Netw ...) NOT-FOR-US: Microsoft CVE-2017-0161 (The Windows NetBT Session Services component on Microsoft Windows Serv ...) NOT-FOR-US: Microsoft CVE-2017-0160 (Microsoft .NET Framework 2.0, 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 al ...) NOT-FOR-US: Microsoft CVE-2017-0159 (A security feature bypass vulnerability exists in Windows 10 1607, Win ...) NOT-FOR-US: Microsoft CVE-2017-0158 (An elevation of privilege vulnerability exists when Microsoft Windows ...) NOT-FOR-US: Microsoft CVE-2017-0157 RESERVED CVE-2017-0156 (An elevation of privilege vulnerability exists in Windows 7, Windows 8 ...) NOT-FOR-US: Microsoft CVE-2017-0155 (The Graphics component in the kernel in Microsoft Windows Vista SP2; W ...) NOT-FOR-US: Microsoft CVE-2017-0154 (Microsoft Internet Explorer 11 on Windows 10, 1511, and 1606 and Windo ...) NOT-FOR-US: Microsoft CVE-2017-0153 RESERVED CVE-2017-0152 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0151 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0150 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0149 (Microsoft Internet Explorer 9 through 11 allow remote attackers to exe ...) 
NOT-FOR-US: Microsoft CVE-2017-0148 (The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 S ...) NOT-FOR-US: Microsoft CVE-2017-0147 (The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 S ...) NOT-FOR-US: Microsoft CVE-2017-0146 (The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 S ...) NOT-FOR-US: Microsoft CVE-2017-0145 (The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 S ...) NOT-FOR-US: Microsoft CVE-2017-0144 (The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 S ...) NOT-FOR-US: Microsoft CVE-2017-0143 (The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 S ...) NOT-FOR-US: Microsoft CVE-2017-0142 RESERVED CVE-2017-0141 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0140 (Microsoft Edge allows remote attackers to bypass the Same Origin Polic ...) NOT-FOR-US: Microsoft CVE-2017-0139 RESERVED CVE-2017-0138 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0137 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0136 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0135 (Microsoft Edge allows remote attackers to bypass the Same Origin Polic ...) NOT-FOR-US: Microsoft CVE-2017-0134 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0133 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0132 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0131 (A remote code execution vulnerability exists in the way affected Micro ...) NOT-FOR-US: Microsoft CVE-2017-0130 (The scripting engine in Microsoft Internet Explorer 9 through 11 allow ...) 
NOT-FOR-US: Microsoft CVE-2017-0129 (Microsoft Lync for Mac 2011 fails to properly validate certificates, a ...) NOT-FOR-US: Microsoft CVE-2017-0128 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0127 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0126 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0125 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0124 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0123 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0122 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0121 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0120 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0119 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0118 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0117 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0116 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0115 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0114 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0113 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) 
NOT-FOR-US: Microsoft CVE-2017-0112 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0111 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...) NOT-FOR-US: Microsoft CVE-2017-0110 (Cross-site scripting (XSS) vulnerability in Microsoft Exchange Outlook ...) NOT-FOR-US: Microsoft CVE-2017-0109 (Hyper-V in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 ...) NOT-FOR-US: Microsoft CVE-2017-0108 (The Windows Graphics Component in Microsoft Office 2007 SP3; 2010 SP2; ...) NOT-FOR-US: Microsoft CVE-2017-0107 (Microsoft SharePoint Server fails to sanitize crafted web requests, al ...) NOT-FOR-US: Microsoft CVE-2017-0106 (Microsoft Excel 2007 SP3, Microsoft Outlook 2010 SP2, Microsoft Outloo ...) NOT-FOR-US: Microsoft CVE-2017-0105 (Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word for Mac ...) NOT-FOR-US: Microsoft CVE-2017-0104 (The iSNS Server service in Microsoft Windows Server 2008 SP2 and R2, W ...) NOT-FOR-US: Microsoft CVE-2017-0103 (The kernel API in Microsoft Windows Vista SP2, Windows Server 2008 SP2 ...) NOT-FOR-US: Microsoft CVE-2017-0102 (Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2; Windows 7 ...) NOT-FOR-US: Microsoft CVE-2017-0101 (The kernel-mode drivers in Transaction Manager in Microsoft Windows Vi ...) NOT-FOR-US: Microsoft CVE-2017-0100 (A DCOM object in Helppane.exe in Microsoft Windows 7 SP1; Windows Serv ...) NOT-FOR-US: Microsoft CVE-2017-0099 (Hyper-V in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and 20 ...) NOT-FOR-US: Microsoft CVE-2017-0098 (Hyper-V in Microsoft Windows 10 Gold, 1511, and 1607; and Windows Serv ...) NOT-FOR-US: Microsoft CVE-2017-0097 (Hyper-V in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and 20 ...) NOT-FOR-US: Microsoft CVE-2017-0096 (Hyper-V in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 ...) 
	NOT-FOR-US: Microsoft
CVE-2017-0095 (Hyper-V in Microsoft Windows 10 Gold, 1511, and 1607 and Windows Serve ...)
	NOT-FOR-US: Microsoft
CVE-2017-0094 (A remote code execution vulnerability exists in the way affected Micro ...)
	NOT-FOR-US: Microsoft
CVE-2017-0093 (A remote code execution vulnerability in Microsoft Edge exists in the ...)
	NOT-FOR-US: Microsoft
CVE-2017-0092 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2017-0091 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2017-0090 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2017-0089 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2017-0088 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2017-0087 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2017-0086 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2017-0085 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2017-0084 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2017-0083 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2017-0082 (The kernel-mode drivers in Microsoft Windows 10 Gold and 1511 allow lo ...)
	NOT-FOR-US: Microsoft
CVE-2017-0081 (The kernel-mode drivers in Microsoft Windows 8.1; Windows Server 2012 ...)
	NOT-FOR-US: Microsoft
CVE-2017-0080 (The kernel-mode drivers in Microsoft Windows 10 Gold, 1511, and 1607 a ...)
	NOT-FOR-US: Microsoft
CVE-2017-0079 (The kernel-mode drivers in Windows 8.1; Windows Server 2012 R2; Window ...)
	NOT-FOR-US: Microsoft
CVE-2017-0078 (The kernel-mode drivers in Microsoft Windows 8.1; Windows Server 2012 ...)
	NOT-FOR-US: Microsoft
CVE-2017-0077 (The kernel-mode drivers in Windows Server 2008 SP2 and R2 SP1, Windows ...)
	NOT-FOR-US: Microsoft
CVE-2017-0076 (Hyper-V in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and 20 ...)
	NOT-FOR-US: Microsoft
CVE-2017-0075 (Hyper-V in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 ...)
	NOT-FOR-US: Microsoft
CVE-2017-0074 (Hyper-V in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and 20 ...)
	NOT-FOR-US: Microsoft
CVE-2017-0073 (The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Wi ...)
	NOT-FOR-US: Microsoft
CVE-2017-0072 (Uniscribe in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and ...)
	NOT-FOR-US: Microsoft
CVE-2017-0071 (A remote code execution vulnerability exists in the way affected Micro ...)
	NOT-FOR-US: Microsoft
CVE-2017-0070 (A remote code execution vulnerability exists in the way affected Micro ...)
	NOT-FOR-US: Microsoft
CVE-2017-0069 (Microsoft Edge allows remote attackers to spoof web content via a craf ...)
	NOT-FOR-US: Microsoft
CVE-2017-0068 (Browsers in Microsoft Edge allow remote attackers to obtain sensitive ...)
	NOT-FOR-US: Microsoft
CVE-2017-0067 (A remote code execution vulnerability exists in the way affected Micro ...)
	NOT-FOR-US: Microsoft
CVE-2017-0066 (Microsoft Edge allows remote attackers to bypass the Same Origin Polic ...)
	NOT-FOR-US: Microsoft
CVE-2017-0065 (Microsoft Edge allows remote attackers to obtain sensitive information ...)
	NOT-FOR-US: Microsoft
CVE-2017-0064 (A security feature bypass vulnerability exists in Internet Explorer th ...)
	NOT-FOR-US: Microsoft
CVE-2017-0063 (The Color Management Module (ICM32.dll) memory handling functionality ...)
	NOT-FOR-US: Microsoft
CVE-2017-0062 (The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Wi ...)
	NOT-FOR-US: Microsoft
CVE-2017-0061 (The Color Management Module (ICM32.dll) memory handling functionality ...)
	NOT-FOR-US: Microsoft
CVE-2017-0060 (The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Wi ...)
	NOT-FOR-US: Microsoft
CVE-2017-0059 (Microsoft Internet Explorer 9 through 11 allow remote attackers to obt ...)
	NOT-FOR-US: Microsoft
CVE-2017-0058 (A Win32k information disclosure vulnerability exists in Microsoft Wind ...)
	NOT-FOR-US: Microsoft
CVE-2017-0057 (DNS client in Microsoft Windows 8.1; Windows Server 2012 R2, Windows R ...)
	NOT-FOR-US: Microsoft
CVE-2017-0056 (The kernel-mode drivers in Microsoft Windows Vista SP2; Windows Server ...)
	NOT-FOR-US: Microsoft
CVE-2017-0055 (Microsoft Internet Information Server (IIS) in Windows Vista SP2; Wind ...)
	NOT-FOR-US: Microsoft
CVE-2017-0054
	RESERVED
CVE-2017-0053 (Microsoft Office 2010 SP2, Office Compatibility Pack SP3, Word 2007 SP ...)
	NOT-FOR-US: Microsoft
CVE-2017-0052 (Microsoft Office Compatibility Pack SP3, Excel 2007 SP3, Excel Viewer, ...)
	NOT-FOR-US: Microsoft
CVE-2017-0051 (Microsoft Windows 10 1607 and Windows Server 2016 allow remote attacke ...)
	NOT-FOR-US: Microsoft
CVE-2017-0050 (The kernel API in Microsoft Windows Vista SP2; Windows Server 2008 SP2 ...)
	NOT-FOR-US: Microsoft
CVE-2017-0049 (The VBScript engine in Microsoft Internet Explorer 11 allows remote at ...)
	NOT-FOR-US: Microsoft
CVE-2017-0048
	RESERVED
CVE-2017-0047 (The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Wi ...)
	NOT-FOR-US: Microsoft
CVE-2017-0046
	RESERVED
CVE-2017-0045 (Windows DVD Maker in Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1 ...)
	NOT-FOR-US: Microsoft
CVE-2017-0044
	RESERVED
CVE-2017-0043 (Active Directory Federation Services in Microsoft Windows 10 1607, Win ...)
	NOT-FOR-US: Microsoft
CVE-2017-0042 (Windows Media Player in Microsoft Windows 8.1; Windows Server 2012 R2; ...)
	NOT-FOR-US: Microsoft
CVE-2017-0041
	RESERVED
CVE-2017-0040 (The scripting engine in Microsoft Internet Explorer 9 through 11 allow ...)
	NOT-FOR-US: Microsoft
CVE-2017-0039 (Microsoft Windows Vista SP2 and Server 2008 SP2 mishandle dynamic link ...)
	NOT-FOR-US: Microsoft
CVE-2017-0038 (gdi32.dll in Graphics Device Interface (GDI) in Microsoft Windows Vist ...)
	NOT-FOR-US: Microsoft
CVE-2017-0037 (Microsoft Internet Explorer 10 and 11 and Microsoft Edge have a type c ...)
	NOT-FOR-US: Microsoft
CVE-2017-0036
	RESERVED
CVE-2017-0035 (A remote code execution vulnerability exists in the way affected Micro ...)
	NOT-FOR-US: Microsoft
CVE-2017-0034 (A remote code execution vulnerability exists when Microsoft Edge impro ...)
	NOT-FOR-US: Microsoft
CVE-2017-0033 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...)
	NOT-FOR-US: Microsoft
CVE-2017-0032 (A remote code execution vulnerability exists in the way affected Micro ...)
	NOT-FOR-US: Microsoft
CVE-2017-0031 (Microsoft Office 2010 SP2, Office Compatibility Pack SP3, Word 2007 SP ...)
	NOT-FOR-US: Microsoft
CVE-2017-0030 (Microsoft Office 2010 SP2, Office Compatibility Pack SP3, Office Web A ...)
	NOT-FOR-US: Microsoft
CVE-2017-0029 (Microsoft Office 2010 SP2, Word 2010 SP2, Word 2013 RT SP1, and Word 2 ...)
	NOT-FOR-US: Microsoft
CVE-2017-0028 (A remote code execution vulnerability exists when Microsoft scripting ...)
	NOT-FOR-US: Microsoft
CVE-2017-0027 (Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 RT SP1, Excel 201 ...)
	NOT-FOR-US: Microsoft
CVE-2017-0026 (The kernel-mode drivers in Microsoft Windows 10 Gold, 1511, and 1607 a ...)
	NOT-FOR-US: Microsoft
CVE-2017-0025 (The kernel-mode drivers in Microsoft Windows Vista; Windows Server 200 ...)
	NOT-FOR-US: Microsoft
CVE-2017-0024 (The kernel-mode drivers in Microsoft Windows 10 1607 and Windows Serve ...)
	NOT-FOR-US: Microsoft
CVE-2017-0023 (The PDF library in Microsoft Edge; Windows 8.1; Windows Server 2012 an ...)
	NOT-FOR-US: Microsoft
CVE-2017-0022 (Microsoft XML Core Services (MSXML) in Windows 10 Gold, 1511, and 1607 ...)
	NOT-FOR-US: Microsoft
CVE-2017-0021 (Hyper-V in Microsoft Windows 10 1607 and Windows Server 2016 does not ...)
	NOT-FOR-US: Microsoft
CVE-2017-0020 (Microsoft Excel 2016, Excel 2010 SP2, Excel 2013 RT SP1, and Office We ...)
	NOT-FOR-US: Microsoft
CVE-2017-0019 (Microsoft Word 2016 allows remote attackers to execute arbitrary code ...)
	NOT-FOR-US: Microsoft
CVE-2017-0018 (Microsoft Internet Explorer 10 and 11 allow remote attackers to execut ...)
	NOT-FOR-US: Microsoft
CVE-2017-0017 (The RegEx class in the XSS filter in Microsoft Edge allows remote atta ...)
	NOT-FOR-US: Microsoft
CVE-2017-0016 (Microsoft Windows 10 Gold, 1511, and 1607; Windows 8.1; Windows RT 8.1 ...)
	NOT-FOR-US: Microsoft
CVE-2017-0015 (A remote code execution vulnerability exists in the way affected Micro ...)
	NOT-FOR-US: Microsoft
CVE-2017-0014 (The Windows Graphics Component in Microsoft Office 2010 SP2; Windows S ...)
	NOT-FOR-US: Microsoft
CVE-2017-0013
	RESERVED
CVE-2017-0012 (Microsoft Internet Explorer 11 and Microsoft Edge allow remote attacke ...)
	NOT-FOR-US: Microsoft
CVE-2017-0011 (Microsoft Edge allows remote attackers to obtain sensitive information ...)
	NOT-FOR-US: Microsoft
CVE-2017-0010 (A remote code execution vulnerability exists in the way affected Micro ...)
	NOT-FOR-US: Microsoft
CVE-2017-0009 (Microsoft Internet Explorer 9 through 11 allow remote attackers to obt ...)
	NOT-FOR-US: Microsoft
CVE-2017-0008 (Microsoft Internet Explorer 9 through 11 allow remote attackers to obt ...)
	NOT-FOR-US: Microsoft
CVE-2017-0007 (Device Guard in Microsoft Windows 10 Gold, 1511, 1607, and Windows Ser ...)
	NOT-FOR-US: Microsoft
CVE-2017-0006 (Microsoft Excel 2007 SP3, Office Compatibility Pack SP3, Excel Viewer, ...)
	NOT-FOR-US: Microsoft
CVE-2017-0005 (The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Wi ...)
	NOT-FOR-US: Microsoft
CVE-2017-0004 (The Local Security Authority Subsystem Service (LSASS) in Microsoft Wi ...)
	NOT-FOR-US: Microsoft
CVE-2017-0003 (Microsoft Word 2016 and SharePoint Enterprise Server 2016 allow remote ...)
	NOT-FOR-US: Microsoft
CVE-2017-0002 (Microsoft Edge allows remote attackers to bypass the Same Origin Polic ...)
	NOT-FOR-US: Microsoft
CVE-2017-0001 (The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Wi ...)
	NOT-FOR-US: Microsoft
CVE-2017-7443 (apt-cacher before 1.7.15 and apt-cacher-ng before 3.4 allow HTTP respo ...)
	{DLA-873-1}
	- apt-cacher-ng 3-1 (bug #858833)
	[buster] - apt-cacher-ng 2-2
	[stretch] - apt-cacher-ng 2-2
	[jessie] - apt-cacher-ng (Minor issue)
	[wheezy] - apt-cacher-ng (Minor issue)
	- apt-cacher 1.7.15 (bug #858739)
	[buster] - apt-cacher 1.7.13+deb9u1
	[stretch] - apt-cacher 1.7.13+deb9u1
	[jessie] - apt-cacher 1.7.10+deb8u1
CVE-2017-6100 (tcpdf before 6.2.0 uploads files from the server generating PDF-files ...)
	- tcpdf 6.2.12+dfsg2-1 (bug #814030)
	[jessie] - tcpdf 6.0.093+dfsg-1+deb8u1
	NOTE: https://sourceforge.net/p/tcpdf/bugs/1005/