From 78835ceb9daea409b3153280658f9f8d246ed2e3 Mon Sep 17 00:00:00 2001
From: CVE Team <cve-request@mitre.org>
Date: Mon, 17 Sep 2018 10:04:47 -0400
Subject: [PATCH] - Synchronized data.

---
 2017/15xxx/CVE-2017-15705.json |  4 ++-
 2018/11xxx/CVE-2018-11780.json |  4 ++-
 2018/11xxx/CVE-2018-11781.json |  4 ++-
 2018/17xxx/CVE-2018-17141.json | 18 ++++++++++
 2018/17xxx/CVE-2018-17142.json | 62 ++++++++++++++++++++++++++++++++++
 2018/17xxx/CVE-2018-17143.json | 62 ++++++++++++++++++++++++++++++++++
 2018/8xxx/CVE-2018-8041.json   |  9 ++++-
 7 files changed, 159 insertions(+), 4 deletions(-)
 create mode 100644 2018/17xxx/CVE-2018-17141.json
 create mode 100644 2018/17xxx/CVE-2018-17142.json
 create mode 100644 2018/17xxx/CVE-2018-17143.json

diff --git a/2017/15xxx/CVE-2017-15705.json b/2017/15xxx/CVE-2017-15705.json
index 2b03969b9a9..a05f5ca146c 100644
--- a/2017/15xxx/CVE-2017-15705.json
+++ b/2017/15xxx/CVE-2017-15705.json
@@ -35,7 +35,7 @@
       "description_data" : [
          {
             "lang" : "eng",
-            "value" : "A denial of service vulnerability was identified that exists in all modern versions of Apache SpamAssassin. The vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly leading to scan timeouts. In Apache SpamAssassin, using HTML::Parser, we setup an object and hook into the begin and end tag event handlers In both cases, the \"open\" event is immediately followed by a \"close\" event - even if the tag *does not* close in the HTML being parsed. Because of this, we are missing the \"text\" event to deal with the object normally. This can cause carefully crafted emails that might take more scan time than expected leading to a Denial of Service. The issue is possibly a bug or design decision in HTML::Parser that specifically impacts the way Apache SpamAssassin uses the module with poorly formed html. The exploit has been seen in the wild but not believed to have been purposefully part of a Denial of Service attempt. We are concerned that there may be attempts to abuse the vulnerability in the future. Therefore, we strongly recommend all users of these versions upgrade to Apache SpamAssassin 3.4.2 as soon as possible."
+            "value" : "A denial of service vulnerability was identified that exists in Apache SpamAssassin before 3.4.2. The vulnerability arises with certain unclosed tags in emails that cause markup to be handled incorrectly leading to scan timeouts. In Apache SpamAssassin, using HTML::Parser, we setup an object and hook into the begin and end tag event handlers In both cases, the \"open\" event is immediately followed by a \"close\" event - even if the tag *does not* close in the HTML being parsed. Because of this, we are missing the \"text\" event to deal with the object normally. This can cause carefully crafted emails that might take more scan time than expected leading to a Denial of Service. The issue is possibly a bug or design decision in HTML::Parser that specifically impacts the way Apache SpamAssassin uses the module with poorly formed html. The exploit has been seen in the wild but not believed to have been purposefully part of a Denial of Service attempt. We are concerned that there may be attempts to abuse the vulnerability in the future."
          }
       ]
    },
@@ -54,6 +54,8 @@
    "references" : {
       "reference_data" : [
          {
+            "name" : "[announce] 20180916 [SECURITY] Apache SpamAssassin 3.4.2 resolves CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781",
+            "refsource" : "MLIST",
             "url" : "https://lists.apache.org/thread.html/7f6a16bc0fd0fd5e67c7fd95bd655069a2ac7d1f88e42d3c853e601c@%3Cannounce.apache.org%3E"
          }
       ]
diff --git a/2018/11xxx/CVE-2018-11780.json b/2018/11xxx/CVE-2018-11780.json
index 2fbc34a893a..97569bbd735 100644
--- a/2018/11xxx/CVE-2018-11780.json
+++ b/2018/11xxx/CVE-2018-11780.json
@@ -35,7 +35,7 @@
       "description_data" : [
          {
             "lang" : "eng",
-            "value" : "We identified a potential Remote Code Execution bug with the PDFInfo plugin. Thanks to cPanel Security Team for their report of this issue."
+            "value" : "A potential Remote Code Execution bug exists with the PDFInfo plugin in Apache SpamAssassin before 3.4.2."
          }
       ]
    },
@@ -54,6 +54,8 @@
    "references" : {
       "reference_data" : [
          {
+            "name" : "[announce] 20180916 [SECURITY] Apache SpamAssassin 3.4.2 resolves CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781",
+            "refsource" : "MLIST",
             "url" : "https://lists.apache.org/thread.html/7f6a16bc0fd0fd5e67c7fd95bd655069a2ac7d1f88e42d3c853e601c@%3Cannounce.apache.org%3E"
          }
       ]
diff --git a/2018/11xxx/CVE-2018-11781.json b/2018/11xxx/CVE-2018-11781.json
index 0a7eced3719..29975e14bff 100644
--- a/2018/11xxx/CVE-2018-11781.json
+++ b/2018/11xxx/CVE-2018-11781.json
@@ -35,7 +35,7 @@
       "description_data" : [
          {
             "lang" : "eng",
-            "value" : "This release fixes a local user code injection in the meta rule syntax. Thanks again to cPanel Security Team for their report of this issue. Upgrading to 3.4.2 is highly recommended."
+            "value" : "Apache SpamAssassin 3.4.2 fixes a local user code injection in the meta rule syntax."
          }
       ]
    },
@@ -54,6 +54,8 @@
    "references" : {
       "reference_data" : [
          {
+            "name" : "[announce] 20180916 [SECURITY] Apache SpamAssassin 3.4.2 resolves CVE-2017-15705, CVE-2016-1238, CVE-2018-11780 & CVE-2018-11781",
+            "refsource" : "MLIST",
             "url" : "https://lists.apache.org/thread.html/7f6a16bc0fd0fd5e67c7fd95bd655069a2ac7d1f88e42d3c853e601c@%3Cannounce.apache.org%3E"
          }
       ]
diff --git a/2018/17xxx/CVE-2018-17141.json b/2018/17xxx/CVE-2018-17141.json
new file mode 100644
index 00000000000..8000ef937b5
--- /dev/null
+++ b/2018/17xxx/CVE-2018-17141.json
@@ -0,0 +1,18 @@
+{
+   "CVE_data_meta" : {
+      "ASSIGNER" : "cve@mitre.org",
+      "ID" : "CVE-2018-17141",
+      "STATE" : "RESERVED"
+   },
+   "data_format" : "MITRE",
+   "data_type" : "CVE",
+   "data_version" : "4.0",
+   "description" : {
+      "description_data" : [
+         {
+            "lang" : "eng",
+            "value" : "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem.  When the candidate has been publicized, the details for this candidate will be provided."
+         }
+      ]
+   }
+}
diff --git a/2018/17xxx/CVE-2018-17142.json b/2018/17xxx/CVE-2018-17142.json
new file mode 100644
index 00000000000..8aa52954c9d
--- /dev/null
+++ b/2018/17xxx/CVE-2018-17142.json
@@ -0,0 +1,62 @@
+{
+   "CVE_data_meta" : {
+      "ASSIGNER" : "cve@mitre.org",
+      "ID" : "CVE-2018-17142",
+      "STATE" : "PUBLIC"
+   },
+   "affects" : {
+      "vendor" : {
+         "vendor_data" : [
+            {
+               "product" : {
+                  "product_data" : [
+                     {
+                        "product_name" : "n/a",
+                        "version" : {
+                           "version_data" : [
+                              {
+                                 "version_value" : "n/a"
+                              }
+                           ]
+                        }
+                     }
+                  ]
+               },
+               "vendor_name" : "n/a"
+            }
+         ]
+      }
+   },
+   "data_format" : "MITRE",
+   "data_type" : "CVE",
+   "data_version" : "4.0",
+   "description" : {
+      "description_data" : [
+         {
+            "lang" : "eng",
+            "value" : "The html package (aka x/net/html) through 2018-09-17 in Go mishandles <math><template><mo><template>, leading to a \"panic: runtime error\" in parseCurrentToken in parse.go during an html.Parse call."
+         }
+      ]
+   },
+   "problemtype" : {
+      "problemtype_data" : [
+         {
+            "description" : [
+               {
+                  "lang" : "eng",
+                  "value" : "n/a"
+               }
+            ]
+         }
+      ]
+   },
+   "references" : {
+      "reference_data" : [
+         {
+            "name" : "https://github.com/golang/go/issues/27702",
+            "refsource" : "MISC",
+            "url" : "https://github.com/golang/go/issues/27702"
+         }
+      ]
+   }
+}
diff --git a/2018/17xxx/CVE-2018-17143.json b/2018/17xxx/CVE-2018-17143.json
new file mode 100644
index 00000000000..c2e998ad79e
--- /dev/null
+++ b/2018/17xxx/CVE-2018-17143.json
@@ -0,0 +1,62 @@
+{
+   "CVE_data_meta" : {
+      "ASSIGNER" : "cve@mitre.org",
+      "ID" : "CVE-2018-17143",
+      "STATE" : "PUBLIC"
+   },
+   "affects" : {
+      "vendor" : {
+         "vendor_data" : [
+            {
+               "product" : {
+                  "product_data" : [
+                     {
+                        "product_name" : "n/a",
+                        "version" : {
+                           "version_data" : [
+                              {
+                                 "version_value" : "n/a"
+                              }
+                           ]
+                        }
+                     }
+                  ]
+               },
+               "vendor_name" : "n/a"
+            }
+         ]
+      }
+   },
+   "data_format" : "MITRE",
+   "data_type" : "CVE",
+   "data_version" : "4.0",
+   "description" : {
+      "description_data" : [
+         {
+            "lang" : "eng",
+            "value" : "The html package (aka x/net/html) through 2018-09-17 in Go mishandles <template><tBody><isindex/action=0>, leading to a \"panic: runtime error\" in inBodyIM in parse.go during an html.Parse call."
+         }
+      ]
+   },
+   "problemtype" : {
+      "problemtype_data" : [
+         {
+            "description" : [
+               {
+                  "lang" : "eng",
+                  "value" : "n/a"
+               }
+            ]
+         }
+      ]
+   },
+   "references" : {
+      "reference_data" : [
+         {
+            "name" : "https://github.com/golang/go/issues/27704",
+            "refsource" : "MISC",
+            "url" : "https://github.com/golang/go/issues/27704"
+         }
+      ]
+   }
+}
diff --git a/2018/8xxx/CVE-2018-8041.json b/2018/8xxx/CVE-2018-8041.json
index 056091c13ac..3de4e2c5f3f 100644
--- a/2018/8xxx/CVE-2018-8041.json
+++ b/2018/8xxx/CVE-2018-8041.json
@@ -35,7 +35,7 @@
       "description_data" : [
          {
             "lang" : "eng",
-            "value" : "Apache Camel's Mail is vulnerable to path traversal"
+            "value" : "Apache Camel's Mail 2.20.0 through 2.20.3, 2.21.0 through 2.21.1 and 2.22.0 is vulnerable to path traversal."
          }
       ]
    },
@@ -54,7 +54,14 @@
    "references" : {
       "reference_data" : [
          {
+            "name" : "http://camel.apache.org/security-advisories.data/CVE-2018-8041.txt.asc?version=1&modificationDate=1536746339000&api=v2",
+            "refsource" : "CONFIRM",
             "url" : "http://camel.apache.org/security-advisories.data/CVE-2018-8041.txt.asc?version=1&modificationDate=1536746339000&api=v2"
+         },
+         {
+            "name" : "https://issues.apache.org/jira/browse/CAMEL-12630",
+            "refsource" : "CONFIRM",
+            "url" : "https://issues.apache.org/jira/browse/CAMEL-12630"
          }
       ]
    }