Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: ea6e94de by Moritz Muehlenhoff at 2019-01-16T19:38:13Z NFUs (and some <removed> entries no longer present in any suite) new libsass issues - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -262,7 +262,7 @@ CVE-2018-20720 (ABB Relion 630 devices 1.1 before 1.1.0.C0, 1.2 before 1.2.0.B3, CVE-2016-10738 (Zenbership v107 has CSRF via admin/cp-functions/event-add.php. ...) NOT-FOR-US: Zenbership CVE-2016-10737 (Serendipity 2.0.4 has XSS via the serendipity_admin.php ...) - TODO: check + - serendipity <removed> CVE-2019-XXXX [instability and crash due to crafted message flooding] - mumble 1.3.0~git20190114.9fcc588+dfsg-1 (bug #919249) NOTE: https://github.com/mumble-voip/mumble/issues/3505 @@ -361,7 +361,9 @@ CVE-2019-6288 CVE-2019-6287 RESERVED CVE-2019-6286 (In LibSass 3.5.5, a heap-based buffer over-read exists in ...) - TODO: check + - libsass <unfixed> (low) + [stretch] - libsass <no-dsa> (Minor issue) + NOTE: https://github.com/sass/libsass/issues/2815 CVE-2019-6285 (The SingleDocParser::HandleFlowSequence function in yaml-cpp (aka ...) - yaml-cpp <unfixed> (bug #919432) [stretch] - yaml-cpp <no-dsa> (Minor issue) @@ -369,9 +371,13 @@ CVE-2019-6285 (The SingleDocParser::HandleFlowSequence function in yaml-cpp (aka [stretch] - yaml-cpp0.3 <no-dsa> (Minor issue) NOTE: https://github.com/jbeder/yaml-cpp/issues/660 CVE-2019-6284 (In LibSass 3.5.5, a heap-based buffer over-read exists in ...) - TODO: check + - libsass <unfixed> (low) + [stretch] - libsass <no-dsa> (Minor issue) + NOTE: https://github.com/sass/libsass/issues/2816 CVE-2019-6283 (In LibSass 3.5.5, a heap-based buffer over-read exists in ...) - TODO: check + - libsass <unfixed> (low) + [stretch] - libsass <no-dsa> (Minor issue) + NOTE: https://github.com/sass/libsass/issues/2814 CVE-2019-6282 RESERVED CVE-2019-6281 
@@ -422,13 +428,13 @@ CVE-2019-6266 CVE-2019-6265 RESERVED CVE-2019-6264 (An issue was discovered in Joomla! before 3.9.2. Inadequate escaping in ...) - TODO: check + NOT-FOR-US: Joomla CVE-2019-6263 (An issue was discovered in Joomla! before 3.9.2. Inadequate checks of ...) - TODO: check + NOT-FOR-US: Joomla CVE-2019-6262 (An issue was discovered in Joomla! before 3.9.2. Inadequate checks of ...) - TODO: check + NOT-FOR-US: Joomla CVE-2019-6261 (An issue was discovered in Joomla! before 3.9.2. Inadequate escaping in ...) - TODO: check + NOT-FOR-US: Joomla CVE-2019-6260 RESERVED CVE-2019-6259 (An issue was discovered in idreamsoft iCMS V7.0.13. There is SQL ...) @@ -6133,13 +6139,13 @@ CVE-2019-3559 CVE-2019-3558 RESERVED CVE-2019-3557 (The implementations of streams for bz2 and php://output improperly ...) - TODO: check + - hhvm <removed> CVE-2019-3556 RESERVED CVE-2019-3555 RESERVED CVE-2019-3554 (Wangle's AcceptRoutingHandler incorrectly casts a socket when ...) - TODO: check + NOT-FOR-US: Facebook Wangle CVE-2019-3553 RESERVED CVE-2019-3552 
@@ -19773,65 +19779,65 @@ CVE-2019-0032 CVE-2019-0031 RESERVED CVE-2019-0030 (Juniper ATP uses DES and a hardcoded salt for password hashing, ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0029 (Juniper ATP Series Splunk credentials are logged in a file readable by ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0028 RESERVED CVE-2019-0027 (A persistent cross-site scripting (XSS) vulnerability in the Snort ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0026 (A persistent cross-site scripting (XSS) vulnerability in the Zone ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0025 (A persistent cross-site scripting (XSS) vulnerability in RADIUS ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0024 (A persistent cross-site scripting (XSS) vulnerability in the Email ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0023 (A persistent cross-site scripting (XSS) vulnerability in the Golden VM ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0022 (Juniper ATP ships with hard coded credentials in the Cyphort Core ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0021 (On Juniper ATP, secret passphrase CLI inputs, such as "set mcm", are ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0020 (Juniper ATP ships with hard coded credentials in the Web Collector ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0019 RESERVED CVE-2019-0018 (A persistent cross-site scripting (XSS) vulnerability in the file ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0017 (The Junos Space application, which allows Device Image files to be ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0016 (A malicious authenticated user may be able to delete a device from the ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0015 (A vulnerability in the SRX Series Service Gateway allows deleted ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0014 (On QFX and PTX Series, receipt of a malformed packet for J-Flow ...) 
- TODO: check + NOT-FOR-US: Juniper CVE-2019-0013 (The routing protocol daemon (RPD) process will crash and restart when ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0012 (A Denial of Service (DoS) vulnerability in BGP in Juniper Networks ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0011 (The Junos OS kernel crashes after processing a specific incoming ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0010 (An SRX Series Service Gateway configured for Unified Threat Management ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0009 (On EX2300 and EX3400 series, high disk I/O operations may disrupt the ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0008 RESERVED CVE-2019-0007 (The vMX Series software uses a predictable IP ID Sequence Number. This ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0006 (A certain crafted HTTP packet can trigger an uninitialized function ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0005 (On EX2300, EX3400, EX4600, QFX3K and QFX5K series, firewall filter ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0004 (On Juniper ATP, the API key and the device key are logged in a file ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0003 (When a specific BGP flowspec configuration is enabled and upon receipt ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0002 (On EX2300 and EX3400 series, stateless firewall filter configuration ...) - TODO: check + NOT-FOR-US: Juniper CVE-2019-0001 (Receipt of a malformed packet on MX Series devices with dynamic vlan ...) - TODO: check + NOT-FOR-US: Juniper CVE-2018-18250 (Icinga Web 2 before 2.6.2 allows parameters that break navigation ...) - icingaweb2 2.6.2-1 NOTE: https://herolab.usd.de/wp-content/uploads/sites/4/2018/12/usd20180030.txt 
@@ -24962,7 +24968,7 @@ CVE-2018-16208 CVE-2018-16207 RESERVED CVE-2018-16206 (Cross-site scripting vulnerability in WordPress plugin spam-byebye ...) - TODO: check + NOT-FOR-US: Wordpress plugin CVE-2018-16205 (Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows ...) NOT-FOR-US: GROWI CVE-2018-16204 (Cross-site scripting vulnerability in Google XML Sitemaps Version ...) @@ -24982,7 +24988,7 @@ CVE-2018-16198 (Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home g CVE-2018-16197 (Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home gateway ...) NOT-FOR-US: Toshiba CVE-2018-16196 (Multiple Yokogawa products that contain Vnet/IP Open Communication ...) - TODO: check + NOT-FOR-US: Yokogawa CVE-2018-16195 (Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware Ver1.1.1 ...) NOT-FOR-US: Aterm firmware CVE-2018-16194 (Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware Ver1.1.1 ...) 
@@ -25012,23 +25018,23 @@ CVE-2018-16183 (An unquoted search path vulnerability in some pre-installed ...) CVE-2018-16182 (Untrusted search path vulnerability in the installer of MARKET SPEED ...) NOT-FOR-US: MARKET SPEED CVE-2018-16181 (HTTP header injection vulnerability in i-FILTER Ver.9.50R05 and ...) - TODO: check + NOT-FOR-US: i-FILTER CVE-2018-16180 (Cross-site scripting vulnerability in i-FILTER Ver.9.50R05 and earlier ...) - TODO: check + NOT-FOR-US: i-FILTER CVE-2018-16179 (The Mizuho Direct App for Android version 3.13.0 and earlier does not ...) NOT-FOR-US: Mizuho Direct App for Android CVE-2018-16178 (Cybozu Garoon 3.0.0 to 4.10.0 allows remote attackers to bypass access ...) NOT-FOR-US: Cybozu Garoon CVE-2018-16177 (Untrusted search path vulnerability in The installer of Windows10 Fall ...) - TODO: check + NOT-FOR-US: Random Windows installer CVE-2018-16176 (Untrusted search path vulnerability in Installer of Mapping Tool ...) - TODO: check + NOT-FOR-US: Random Windows installer CVE-2018-16175 (SQL injection vulnerability in the LearnPress prior to version 3.1.0 ...) - TODO: check + NOT-FOR-US: LearnPress CVE-2018-16174 (Open redirect vulnerability in LearnPress prior to version 3.1.0 ...) - TODO: check + NOT-FOR-US: LearnPress CVE-2018-16173 (Cross-site scripting vulnerability in LearnPress prior to version ...) - TODO: check + NOT-FOR-US: LearnPress CVE-2018-16172 (Improper countermeasure against clickjacking attack in client ...) NOT-FOR-US: Cybozu Remote Service CVE-2018-16171 (Directory traversal vulnerability in Cybozu Remote Service 3.0.0 to ...) 
@@ -25038,15 +25044,15 @@ CVE-2018-16170 (Directory traversal vulnerability in Cybozu Remote Service 3.0.0 CVE-2018-16169 (Cybozu Remote Service 3.0.0 to 3.1.0 allows remote authenticated ...) NOT-FOR-US: Cybozu Remote Service CVE-2018-16168 (LogonTracer 1.2.0 and earlier allows remote attackers to conduct ...) - TODO: check + NOT-FOR-US: LogonTracer CVE-2018-16167 (LogonTracer 1.2.0 and earlier allows remote attackers to execute ...) - TODO: check + NOT-FOR-US: LogonTracer CVE-2018-16166 (LogonTracer 1.2.0 and earlier allows remote attackers to conduct XML ...) - TODO: check + NOT-FOR-US: LogonTracer CVE-2018-16165 (Cross-site scripting vulnerability in LogonTracer 1.2.0 and earlier ...) - TODO: check + NOT-FOR-US: LogonTracer CVE-2018-16164 (Cross-site scripting vulnerability in Event Calendar WD version 1.1.21 ...) - TODO: check + NOT-FOR-US: Event Calendar WD CVE-2018-16163 (OpenDolphin 2.7.0 and earlier allows authenticated attackers to bypass ...) NOT-FOR-US: OpenDolphin CVE-2018-16162 (OpenDolphin 2.7.0 and earlier allows authenticated attackers to obtain ...) @@ -26892,7 +26898,7 @@ CVE-2018-15465 (A vulnerability in the authorization subsystem of Cisco Adaptive CVE-2018-15464 (A vulnerability in Cisco 900 Series Aggregation Services Router (ASR) ...) NOT-FOR-US: Cisco CVE-2018-15463 (A vulnerability in the web-based management interface of Cisco ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-15462 RESERVED CVE-2018-15461 (A vulnerability in the MyWebex component of Cisco Webex Business Suite ...) 
@@ -26938,7 +26944,7 @@ CVE-2018-15442 (A vulnerability in the update service of Cisco Webex Meetings De CVE-2018-15441 (A vulnerability in the web framework code of Cisco Prime License ...) NOT-FOR-US: Cisco CVE-2018-15440 (A vulnerability in the web-based management interface of Cisco ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-15439 (A vulnerability in the Cisco Small Business Switches software could ...) NOT-FOR-US: Cisco CVE-2018-15438 (A vulnerability in the web-based management interface of Cisco Prime ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ea6e94de470bbd64eccdfb721e6f11f35bc0a258
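Review bot: the two new `<removed>` entries (serendipity under CVE-2016-10737 in the first hunk, hhvm under CVE-2019-3557 in the @@ -6133 hunk) carry no NOTE line, while the other package entries touched by this patch (mumble, yaml-cpp, libsass) each reference an upstream issue or a Debian bug. Consider adding a NOTE with the upstream report so the reference is preserved alongside the removed status.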
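Review bot: the three libsass entries (CVE-2019-6286, CVE-2019-6284 and CVE-2019-6283 in the @@ -361 and @@ -369 hunks) are marked `- libsass <unfixed> (low)` without a Debian bug reference, whereas the neighbouring yaml-cpp entry records `(bug #919432)` and the mumble entry `(bug #919249)`. Since the three descriptions are identical up to the truncation ("In LibSass 3.5.5, a heap-based buffer over-read exists in ..."), the NOTE URL is the only thing telling them apart; consider filing a bug (one covering all three would do) and adding `(bug #NNNNNN)` as a placeholder to be filled so the unfixed state is tracked in the BTS.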
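Review bot: in the @@ -25012 hunk, CVE-2018-16177 and CVE-2018-16176 are resolved as `NOT-FOR-US: Random Windows installer`, which names no product, unlike the surrounding entries (`NOT-FOR-US: MARKET SPEED`, `NOT-FOR-US: Mizuho Direct App for Android`, `NOT-FOR-US: LearnPress`). The descriptions identify the affected software ("The installer of Windows10 Fall ..." and "Installer of Mapping Tool ..."); consider using those names so the entries stay searchable.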
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits