Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ea6e94de by Moritz Muehlenhoff at 2019-01-16T19:38:13Z
NFUs (and some <removed> entries no longer present in any suite)
new libsass issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -262,7 +262,7 @@ CVE-2018-20720 (ABB Relion 630 devices 1.1 before 1.1.0.C0, 
1.2 before 1.2.0.B3,
 CVE-2016-10738 (Zenbership v107 has CSRF via admin/cp-functions/event-add.php. 
...)
        NOT-FOR-US: Zenbership
 CVE-2016-10737 (Serendipity 2.0.4 has XSS via the serendipity_admin.php ...)
-       TODO: check
+       - serendipity <removed>
 CVE-2019-XXXX [instability and crash due to crafted message flooding]
        - mumble 1.3.0~git20190114.9fcc588+dfsg-1 (bug #919249)
        NOTE: https://github.com/mumble-voip/mumble/issues/3505
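Review bot: the serendipity line records `<removed>` for CVE-2016-10737 without a NOTE giving a reference for the XSS fix or for the removal, whereas the mumble entry directly below it carries both a bug number and an upstream issue link; since a `<removed>` package can be reintroduced later, a NOTE pointing at the upstream fix (or the bug tracking the removal) would tell whoever re-adds the package that this CVE still needs a fixed version.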
@@ -361,7 +361,9 @@ CVE-2019-6288
 CVE-2019-6287
        RESERVED
 CVE-2019-6286 (In LibSass 3.5.5, a heap-based buffer over-read exists in ...)
-       TODO: check
+       - libsass <unfixed> (low)
+       [stretch] - libsass <no-dsa> (Minor issue)
+       NOTE: https://github.com/sass/libsass/issues/2815
 CVE-2019-6285 (The SingleDocParser::HandleFlowSequence function in yaml-cpp 
(aka ...)
        - yaml-cpp <unfixed> (bug #919432)
        [stretch] - yaml-cpp <no-dsa> (Minor issue)
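Review bot: the new libsass entry for CVE-2019-6286 has no Debian bug reference, while the neighbouring yaml-cpp entry with the same triage (`<unfixed>` plus `[stretch] - ... <no-dsa> (Minor issue)`) carries `(bug #919432)`; filing a bug and adding it here keeps the `<unfixed>` state visible to the package maintainer, which a `<no-dsa>` annotation alone does not.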
@@ -369,9 +371,13 @@ CVE-2019-6285 (The SingleDocParser::HandleFlowSequence 
function in yaml-cpp (aka
        [stretch] - yaml-cpp0.3 <no-dsa> (Minor issue)
        NOTE: https://github.com/jbeder/yaml-cpp/issues/660
 CVE-2019-6284 (In LibSass 3.5.5, a heap-based buffer over-read exists in ...)
-       TODO: check
+       - libsass <unfixed> (low)
+       [stretch] - libsass <no-dsa> (Minor issue)
+       NOTE: https://github.com/sass/libsass/issues/2816
 CVE-2019-6283 (In LibSass 3.5.5, a heap-based buffer over-read exists in ...)
-       TODO: check
+       - libsass <unfixed> (low)
+       [stretch] - libsass <no-dsa> (Minor issue)
+       NOTE: https://github.com/sass/libsass/issues/2814
 CVE-2019-6282
        RESERVED
 CVE-2019-6281
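Review bot: CVE-2019-6284 and CVE-2019-6283 are triaged identically to CVE-2019-6286 and likewise lack a bug reference; if one bug is filed for the three LibSass heap-based buffer over-reads, the same `(bug #NNN)` belongs on each of these `<unfixed>` lines so the tracker links all three entries to it.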
@@ -422,13 +428,13 @@ CVE-2019-6266
 CVE-2019-6265
        RESERVED
 CVE-2019-6264 (An issue was discovered in Joomla! before 3.9.2. Inadequate 
escaping in ...)
-       TODO: check
+       NOT-FOR-US: Joomla
 CVE-2019-6263 (An issue was discovered in Joomla! before 3.9.2. Inadequate 
checks of ...)
-       TODO: check
+       NOT-FOR-US: Joomla
 CVE-2019-6262 (An issue was discovered in Joomla! before 3.9.2. Inadequate 
checks of ...)
-       TODO: check
+       NOT-FOR-US: Joomla
 CVE-2019-6261 (An issue was discovered in Joomla! before 3.9.2. Inadequate 
escaping in ...)
-       TODO: check
+       NOT-FOR-US: Joomla
 CVE-2019-6260
        RESERVED
 CVE-2019-6259 (An issue was discovered in idreamsoft iCMS V7.0.13. There is 
SQL ...)
@@ -6133,13 +6139,13 @@ CVE-2019-3559
 CVE-2019-3558
        RESERVED
 CVE-2019-3557 (The implementations of streams for bz2 and php://output 
improperly ...)
-       TODO: check
+        - hhvm <removed>
 CVE-2019-3556
        RESERVED
 CVE-2019-3555
        RESERVED
 CVE-2019-3554 (Wangle's AcceptRoutingHandler incorrectly casts a socket when 
...)
-       TODO: check
+       NOT-FOR-US: Facebook Wangle
 CVE-2019-3553
        RESERVED
 CVE-2019-3552
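Review bot: the hhvm line `+        - hhvm <removed>` is indented one space deeper than the other new entries in this commit (compare `+       - serendipity <removed>` and `+       NOT-FOR-US: Facebook Wangle`); align it with the rest, since data/CVE/list is parsed by the tracker scripts and stray leading whitespace is easy to miss in later diffs.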
@@ -19773,65 +19779,65 @@ CVE-2019-0032
 CVE-2019-0031
        RESERVED
 CVE-2019-0030 (Juniper ATP uses DES and a hardcoded salt for password hashing, 
...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0029 (Juniper ATP Series Splunk credentials are logged in a file 
readable by ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0028
        RESERVED
 CVE-2019-0027 (A persistent cross-site scripting (XSS) vulnerability in the 
Snort ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0026 (A persistent cross-site scripting (XSS) vulnerability in the 
Zone ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0025 (A persistent cross-site scripting (XSS) vulnerability in RADIUS 
...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0024 (A persistent cross-site scripting (XSS) vulnerability in the 
Email ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0023 (A persistent cross-site scripting (XSS) vulnerability in the 
Golden VM ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0022 (Juniper ATP ships with hard coded credentials in the Cyphort 
Core ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0021 (On Juniper ATP, secret passphrase CLI inputs, such as &quot;set 
mcm&quot;, are ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0020 (Juniper ATP ships with hard coded credentials in the Web 
Collector ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0019
        RESERVED
 CVE-2019-0018 (A persistent cross-site scripting (XSS) vulnerability in the 
file ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0017 (The Junos Space application, which allows Device Image files to 
be ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0016 (A malicious authenticated user may be able to delete a device 
from the ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0015 (A vulnerability in the SRX Series Service Gateway allows 
deleted ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0014 (On QFX and PTX Series, receipt of a malformed packet for J-Flow 
...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0013 (The routing protocol daemon (RPD) process will crash and 
restart when ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0012 (A Denial of Service (DoS) vulnerability in BGP in Juniper 
Networks ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0011 (The Junos OS kernel crashes after processing a specific 
incoming ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0010 (An SRX Series Service Gateway configured for Unified Threat 
Management ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0009 (On EX2300 and EX3400 series, high disk I/O operations may 
disrupt the ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0008
        RESERVED
 CVE-2019-0007 (The vMX Series software uses a predictable IP ID Sequence 
Number. This ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0006 (A certain crafted HTTP packet can trigger an uninitialized 
function ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0005 (On EX2300, EX3400, EX4600, QFX3K and QFX5K series, firewall 
filter ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0004 (On Juniper ATP, the API key and the device key are logged in a 
file ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0003 (When a specific BGP flowspec configuration is enabled and upon 
receipt ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0002 (On EX2300 and EX3400 series, stateless firewall filter 
configuration ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2019-0001 (Receipt of a malformed packet on MX Series devices with dynamic 
vlan ...)
-       TODO: check
+       NOT-FOR-US: Juniper
 CVE-2018-18250 (Icinga Web 2 before 2.6.2 allows parameters that break 
navigation ...)
        - icingaweb2 2.6.2-1
        NOTE: 
https://herolab.usd.de/wp-content/uploads/sites/4/2018/12/usd20180030.txt
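Review bot: the CVE-2019-0021 description context line reads `&quot;set mcm&quot;`; check whether the file itself contains the HTML entity rather than literal double quotes, since the entity would be an import artifact and not the CVE text. The Juniper entries are otherwise consistent NOT-FOR-US markings for products that are not packaged in Debian.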
@@ -24962,7 +24968,7 @@ CVE-2018-16208
 CVE-2018-16207
        RESERVED
 CVE-2018-16206 (Cross-site scripting vulnerability in WordPress plugin 
spam-byebye ...)
-       TODO: check
+       NOT-FOR-US: Wordpress plugin
 CVE-2018-16205 (Cross-site scripting vulnerability in GROWI v3.2.3 and earlier 
allows ...)
        NOT-FOR-US: GROWI
 CVE-2018-16204 (Cross-site scripting vulnerability in Google XML Sitemaps 
Version ...)
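Review bot: `NOT-FOR-US: Wordpress plugin` spells the project name differently from the description line (`WordPress plugin spam-byebye`); naming the plugin as well, for example `NOT-FOR-US: WordPress plugin spam-byebye`, keeps the spelling consistent and makes later grep-based triage of plugin CVEs easier.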
@@ -24982,7 +24988,7 @@ CVE-2018-16198 (Toshiba Home gateway HEM-GW16A 1.2.9 
and earlier, Toshiba Home g
 CVE-2018-16197 (Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home 
gateway ...)
        NOT-FOR-US: Toshiba
 CVE-2018-16196 (Multiple Yokogawa products that contain Vnet/IP Open 
Communication ...)
-       TODO: check
+       NOT-FOR-US: Yokogawa
 CVE-2018-16195 (Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware 
Ver1.1.1 ...)
        NOT-FOR-US: Aterm firmware
 CVE-2018-16194 (Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware 
Ver1.1.1 ...)
@@ -25012,23 +25018,23 @@ CVE-2018-16183 (An unquoted search path vulnerability 
in some pre-installed ...)
 CVE-2018-16182 (Untrusted search path vulnerability in the installer of MARKET 
SPEED ...)
        NOT-FOR-US: MARKET SPEED
 CVE-2018-16181 (HTTP header injection vulnerability in i-FILTER Ver.9.50R05 
and ...)
-       TODO: check
+       NOT-FOR-US: i-FILTER
 CVE-2018-16180 (Cross-site scripting vulnerability in i-FILTER Ver.9.50R05 and 
earlier ...)
-       TODO: check
+       NOT-FOR-US: i-FILTER
 CVE-2018-16179 (The Mizuho Direct App for Android version 3.13.0 and earlier 
does not ...)
        NOT-FOR-US: Mizuho Direct App for Android
 CVE-2018-16178 (Cybozu Garoon 3.0.0 to 4.10.0 allows remote attackers to 
bypass access ...)
        NOT-FOR-US: Cybozu Garoon
 CVE-2018-16177 (Untrusted search path vulnerability in The installer of 
Windows10 Fall ...)
-       TODO: check
+       NOT-FOR-US: Random Windows installer
 CVE-2018-16176 (Untrusted search path vulnerability in Installer of Mapping 
Tool ...)
-       TODO: check
+       NOT-FOR-US: Random Windows installer
 CVE-2018-16175 (SQL injection vulnerability in the LearnPress prior to version 
3.1.0 ...)
-       TODO: check
+       NOT-FOR-US: LearnPress
 CVE-2018-16174 (Open redirect vulnerability in LearnPress prior to version 
3.1.0 ...)
-       TODO: check
+       NOT-FOR-US: LearnPress
 CVE-2018-16173 (Cross-site scripting vulnerability in LearnPress prior to 
version ...)
-       TODO: check
+       NOT-FOR-US: LearnPress
 CVE-2018-16172 (Improper countermeasure against clickjacking attack in client 
...)
        NOT-FOR-US: Cybozu Remote Service
 CVE-2018-16171 (Directory traversal vulnerability in Cybozu Remote Service 
3.0.0 to ...)
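Review bot: `NOT-FOR-US: Random Windows installer` for CVE-2018-16177 and CVE-2018-16176 drops the product names that the description lines give (the installer named in each description), while the neighbouring entries name the product (MARKET SPEED, Mizuho Direct App for Android); use the product name in the NOT-FOR-US reason so it stays searchable.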
@@ -25038,15 +25044,15 @@ CVE-2018-16170 (Directory traversal vulnerability in 
Cybozu Remote Service 3.0.0
 CVE-2018-16169 (Cybozu Remote Service 3.0.0 to 3.1.0 allows remote 
authenticated ...)
        NOT-FOR-US: Cybozu Remote Service
 CVE-2018-16168 (LogonTracer 1.2.0 and earlier allows remote attackers to 
conduct ...)
-       TODO: check
+       NOT-FOR-US: LogonTracer
 CVE-2018-16167 (LogonTracer 1.2.0 and earlier allows remote attackers to 
execute ...)
-       TODO: check
+       NOT-FOR-US: LogonTracer
 CVE-2018-16166 (LogonTracer 1.2.0 and earlier allows remote attackers to 
conduct XML ...)
-       TODO: check
+       NOT-FOR-US: LogonTracer
 CVE-2018-16165 (Cross-site scripting vulnerability in LogonTracer 1.2.0 and 
earlier ...)
-       TODO: check
+       NOT-FOR-US: LogonTracer
 CVE-2018-16164 (Cross-site scripting vulnerability in Event Calendar WD 
version 1.1.21 ...)
-       TODO: check
+       NOT-FOR-US: Event Calendar WD
 CVE-2018-16163 (OpenDolphin 2.7.0 and earlier allows authenticated attackers 
to bypass ...)
        NOT-FOR-US: OpenDolphin
 CVE-2018-16162 (OpenDolphin 2.7.0 and earlier allows authenticated attackers 
to obtain ...)
@@ -26892,7 +26898,7 @@ CVE-2018-15465 (A vulnerability in the authorization 
subsystem of Cisco Adaptive
 CVE-2018-15464 (A vulnerability in Cisco 900 Series Aggregation Services 
Router (ASR) ...)
        NOT-FOR-US: Cisco
 CVE-2018-15463 (A vulnerability in the web-based management interface of Cisco 
...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2018-15462
        RESERVED
 CVE-2018-15461 (A vulnerability in the MyWebex component of Cisco Webex 
Business Suite ...)
@@ -26938,7 +26944,7 @@ CVE-2018-15442 (A vulnerability in the update service 
of Cisco Webex Meetings De
 CVE-2018-15441 (A vulnerability in the web framework code of Cisco Prime 
License ...)
        NOT-FOR-US: Cisco
 CVE-2018-15440 (A vulnerability in the web-based management interface of Cisco 
...)
-       TODO: check
+       NOT-FOR-US: Cisco
 CVE-2018-15439 (A vulnerability in the Cisco Small Business Switches software 
could ...)
        NOT-FOR-US: Cisco
 CVE-2018-15438 (A vulnerability in the web-based management interface of Cisco 
Prime ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ea6e94de470bbd64eccdfb721e6f11f35bc0a258

_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
