Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1b6bfdfa by security tracker role at 2019-05-30T20:10:22Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,14 +1,54 @@
+CVE-2019-12475
+       RESERVED
+CVE-2019-12474
+       RESERVED
+CVE-2019-12473
+       RESERVED
+CVE-2019-12472
+       RESERVED
+CVE-2019-12471
+       RESERVED
+CVE-2019-12470
+       RESERVED
+CVE-2019-12469
+       RESERVED
+CVE-2019-12468
+       RESERVED
+CVE-2019-12467
+       RESERVED
+CVE-2019-12466
+       RESERVED
+CVE-2019-12465
+       RESERVED
+CVE-2019-12464
+       RESERVED
+CVE-2019-12463
+       RESERVED
+CVE-2019-12462
+       RESERVED
+CVE-2019-12461 (Web Port 1.19.1 allows XSS via the /log type parameter. ...)
+       TODO: check
+CVE-2019-12460 (Web Port 1.19.1 allows XSS via the /access/setup type 
parameter. ...)
+       TODO: check
+CVE-2019-12459 (FileRun 2019.05.21 allows customizables/plugins/audio_player 
Directory ...)
+       TODO: check
+CVE-2019-12458 (FileRun 2019.05.21 allows css/ext-ux Directory Listing. ...)
+       TODO: check
+CVE-2019-12457 (FileRun 2019.05.21 allows images/extjs Directory Listing. ...)
+       TODO: check
+CVE-2018-20840 (An unhandled exception vulnerability exists during Google 
Sign-In with ...)
+       TODO: check
 CVE-2019-XXXX [binary can be truncated by root under certain conditions]
        - firejail 0.9.58.2-2 (bug #929733)
        NOTE: https://github.com/netblue30/firejail/issues/2401
 CVE-2019-XXXX [seccomp bypass when joining jails]
        - firejail 0.9.58.2-2 (bug #929732)
        NOTE: https://github.com/netblue30/firejail/issues/2718
-CVE-2019-12456 [scsi: mpt3sas_ctl: fix double-fetch bug in _ctl_ioctl_main()]
+CVE-2019-12456 (An issue was discovered in the MPT3COMMAND case in 
_ctl_ioctl_main in  ...)
        - linux <unfixed>
-CVE-2019-12455 [clk-sunxi: fix a missing-check bug in sunxi_divs_clk_setup()]
+CVE-2019-12455 (An issue was discovered in sunxi_divs_clk_setup in 
drivers/clk/sunxi/c ...)
        - linux <unfixed>
-CVE-2019-12454 [wcd9335: fix a incorrect use of kstrndup()]
+CVE-2019-12454 (An issue was discovered in wcd9335_codec_enable_dec in 
sound/soc/codec ...)
        - linux <not-affected> (Vulnerable code not present, introduced in 
5.1-rc1)
 CVE-2019-12453
        RESERVED
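Review bot: the six new entries from CVE-2019-12461 down to CVE-2018-20840 land with only "TODO: check"; each still needs a package line or a NOT-FOR-US line, as this file does for e.g. "NOT-FOR-US: Webbukkit Dynmap" a few lines further down. The swap of the bracketed working titles on CVE-2019-12456, CVE-2019-12455 and CVE-2019-12454 for the published descriptions leaves the existing linux triage lines (including the "<not-affected> (Vulnerable code not present, introduced in 5.1-rc1)" on the last one) intact, which is the desired outcome.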
@@ -127,7 +167,8 @@ CVE-2019-12398
        RESERVED
 CVE-2019-12397
        RESERVED
-CVE-2019-12396 (An issue was discovered in Revive Adserver before 4.2.1. In 
lib/OA/Dal ...)
+CVE-2019-12396
+       REJECTED
        NOT-FOR-US: Revive Adserver
 CVE-2019-12395 (In Webbukkit Dynmap 3.0-beta-3, with Spigot 1.13.2, due to a 
missing l ...)
        NOT-FOR-US: Webbukkit Dynmap
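Review bot: CVE-2019-12396 is switched to "REJECTED" but the "NOT-FOR-US: Revive Adserver" line below it is left in place; confirm whether that triage line should remain on a rejected entry or be dropped so the entry reads like the other two-line stubs in this file.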
@@ -467,7 +508,7 @@ CVE-2019-12249
        RESERVED
 CVE-2019-12248
        RESERVED
-CVE-2019-12247 (QEMU 3.0.0 has an Integer Overflow because the qga/commands*.c 
files d ...)
+CVE-2019-12247 (** DISPUTED ** QEMU 3.0.0 has an Integer Overflow because the 
qga/comm ...)
        - qemu <unfixed> (unimportant; bug #929365)
        - qemu-kvm <removed> (unimportant)
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2019-05/msg04596.html
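Review bot: CVE-2019-12247's description now carries a "** DISPUTED **" marker; the existing "unimportant" severity and bug #929365 are consistent with that, but a NOTE stating why it is disputed (the linked qemu-devel thread is the obvious reference) would save the next reader a trip to the list archive.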
@@ -700,6 +741,7 @@ CVE-2019-12157
 CVE-2019-12156
        RESERVED
 CVE-2019-12155 (interface_release_resource in hw/display/qxl.c in QEMU 4.0.0 
has a NUL ...)
+       {DSA-4454-1}
        - qemu 1:3.1+dfsg-8 (bug #929353)
        - qemu-kvm <removed>
        NOTE: https://www.openwall.com/lists/oss-security/2019/05/22/1
@@ -800,20 +842,25 @@ CVE-2019-12113
 CVE-2019-12112
        RESERVED
 CVE-2019-12111 (A Denial Of Service vulnerability in MiniUPnP MiniUPnPd 
through 2.1 ex ...)
+       {DLA-1811-1}
        - miniupnpd <unfixed>
        NOTE: 
https://github.com/miniupnp/miniupnp/commit/cb8a02af7a5677cf608e86d57ab04241cf34e24f
 CVE-2019-12110 (An AddPortMapping Denial Of Service vulnerability in MiniUPnP 
MiniUPnP ...)
+       {DLA-1811-1}
        - miniupnpd <unfixed>
        NOTE: 
https://github.com/miniupnp/miniupnp/commit/f321c2066b96d18afa5158dfa2d2873a2957ef38
 CVE-2019-12109 (A Denial Of Service vulnerability in MiniUPnP MiniUPnPd 
through 2.1 ex ...)
+       {DLA-1811-1}
        - miniupnpd <unfixed>
        NOTE: 
https://github.com/miniupnp/miniupnp/commit/13585f15c7f7dc28bbbba1661efb280d530d114c
        NOTE: 
https://github.com/miniupnp/miniupnp/commit/86030db849260dd8fb2ed975b9890aef1b62b692
 CVE-2019-12108 (A Denial Of Service vulnerability in MiniUPnP MiniUPnPd 
through 2.1 ex ...)
+       {DLA-1811-1}
        - miniupnpd <unfixed>
        NOTE: 
https://github.com/miniupnp/miniupnp/commit/13585f15c7f7dc28bbbba1661efb280d530d114c
        NOTE: 
https://github.com/miniupnp/miniupnp/commit/86030db849260dd8fb2ed975b9890aef1b62b692
 CVE-2019-12107 (The upnp_event_prepare function in upnpevents.c in MiniUPnP 
MiniUPnPd  ...)
+       {DLA-1811-1}
        - miniupnpd <unfixed>
        NOTE: 
https://github.com/miniupnp/miniupnp/commit/bec6ccec63cadc95655721bc0e1dd49dac759d94
        TODO: check, might affect minidlna
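Review bot: DLA-1811-1 is added to CVE-2019-12107 through CVE-2019-12111, but every one of them still reads "- miniupnpd <unfixed>" for unstable, and CVE-2019-12107 keeps its "TODO: check, might affect minidlna"; the DLA reference settles the jessie side only, so the unstable fix version and the minidlna question remain open and should not be read as resolved.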
@@ -1245,18 +1292,18 @@ CVE-2019-11898
        RESERVED
 CVE-2019-11897
        RESERVED
-CVE-2019-11896
-       RESERVED
-CVE-2019-11895
-       RESERVED
-CVE-2019-11894
-       RESERVED
-CVE-2019-11893
-       RESERVED
-CVE-2019-11892
-       RESERVED
-CVE-2019-11891
-       RESERVED
+CVE-2019-11896 (A potential incorrect privilege assignment vulnerability 
exists in the ...)
+       TODO: check
+CVE-2019-11895 (A potential improper access control vulnerability exists in 
the JSON-R ...)
+       TODO: check
+CVE-2019-11894 (A potential improper access control vulnerability exists in 
the backup ...)
+       TODO: check
+CVE-2019-11893 (A potential incorrect privilege assignment vulnerability 
exists in the ...)
+       TODO: check
+CVE-2019-11892 (A potential improper access control vulnerability exists in 
the JSON-R ...)
+       TODO: check
+CVE-2019-11891 (A potential incorrect privilege assignment vulnerability 
exists in the ...)
+       TODO: check
 CVE-2019-12046 (LemonLDAP::NG -2.0.3 has Incorrect Access Control. ...)
        {DSA-4446-1 DLA-1790-1}
        - lemonldap-ng 2.0.2+ds-7+deb10u1 (bug #928944)
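Review bot: CVE-2019-11891 through CVE-2019-11896 arrive as three pairs of near-identical truncated descriptions ("incorrect privilege assignment" / "improper access control" / "the JSON-R"), which suggests a single vendor batch; triage them together so all six end up with the same package or NOT-FOR-US line rather than being picked off one at a time.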
@@ -3240,8 +3287,7 @@ CVE-2019-11093 (Unquoted service path in the installer 
for the Intel(R) SCS Disc
        NOT-FOR-US: Intel(R) SCS Discovery Utility
 CVE-2019-11092
        RESERVED
-CVE-2019-11091 [MDSUM  Microarchitectural Data Sampling Uncacheable Memory]
-       RESERVED
+CVE-2019-11091 (Microarchitectural Data Sampling Uncacheable Memory (MDSUM): 
Uncacheab ...)
        {DSA-4447-1 DSA-4444-1 DLA-1799-1 DLA-1789-1 DLA-1787-1}
        - intel-microcode 3.20190514.1
        - linux 4.19.37-2
@@ -7061,7 +7107,7 @@ CVE-2019-9825 (FeiFeiCMS 4.1.190209 allows remote 
attackers to upload and execut
        NOT-FOR-US: FeiFeiCMS
 CVE-2019-9824
        RESERVED
-       {DLA-1781-1}
+       {DSA-4454-1 DLA-1781-1}
        - qemu 1:3.1+dfsg-6
        - qemu-kvm <removed>
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2019-03/msg01871.html
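Review bot: CVE-2019-9824 still has "RESERVED" as its header line while now carrying "{DSA-4454-1 DLA-1781-1}" and a fixed qemu version; an entry that has shipped in a DSA should get a bracketed working description on that line, as the CVE-2019-XXXX firejail entries near the top of this file do, so the tracker does not present an advisory for a CVE with no description.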
@@ -7455,8 +7501,8 @@ CVE-2019-9725 (The Web manager (aka Commander) on Korenix 
JetPort 5601 and 5601f
        NOT-FOR-US: Korenix JetPort devices
 CVE-2019-9724 (aquaverde Aquarius CMS through 4.3.5 allows Information 
Exposure throu ...)
        NOT-FOR-US: aquaverde Aquarius CMS
-CVE-2019-9723
-       RESERVED
+CVE-2019-9723 (LogicalDOC Community Edition 8.x before 8.2.1 has a path 
traversal vul ...)
+       TODO: check
 CVE-2019-9722
        RESERVED
 CVE-2019-9721 (A denial of service in the subtitle decoder in FFmpeg 4.1 
allows attac ...)
@@ -7586,8 +7632,8 @@ CVE-2019-9672
        RESERVED
 CVE-2019-9671
        RESERVED
-CVE-2019-9670
-       RESERVED
+CVE-2019-9670 (mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x 
before  ...)
+       TODO: check
 CVE-2019-9669 (The Wordfence plugin 7.2.3 for WordPress allows XSS via a 
unique attac ...)
        NOT-FOR-US: Wordfence plugin for WordPress
 CVE-2019-9668
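Review bot: CVE-2019-9670 is added with "TODO: check", as are the other Zimbra Collaboration Suite entries in this patch (CVE-2019-6981, CVE-2019-6980, CVE-2018-20160, CVE-2018-18631, CVE-2018-15131, CVE-2018-10948); this file already triages Zimbra as "NOT-FOR-US: Zimbra" (CVE-2018-14013 in this same patch, and CVE-2018-10950 / CVE-2018-10949 in context), so these can be closed out the same way unless the full descriptions show otherwise.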
@@ -7954,7 +8000,7 @@ CVE-2019-9550 (DhCms through 2017-09-18 has 
admin.php?r=admin/Index/index XSS. .
        NOT-FOR-US: DhCms
 CVE-2019-9549 (An issue was discovered in PopojiCMS v2.0.1. It has CSRF via 
the po-ad ...)
        NOT-FOR-US: PopojiCMS
-CVE-2019-12439 [insecure use of /tmp]
+CVE-2019-12439 (bubblewrap.c in Bubblewrap before 0.3.3 misuses temporary 
directories  ...)
        - bubblewrap 0.3.1-3 (unimportant; bug #923557)
        NOTE: https://github.com/projectatomic/bubblewrap/issues/304
        NOTE: Negligable security impact
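Review bot: the unchanged context line "NOTE: Negligable security impact" under CVE-2019-12439 has a typo ("Negligible"); worth correcting in a follow-up since this update touches the entry anyway.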
@@ -10707,8 +10753,8 @@ CVE-2019-8459
        RESERVED
 CVE-2019-8458
        RESERVED
-CVE-2019-8457
-       RESERVED
+CVE-2019-8457 (SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to 
heap out-o ...)
+       TODO: check
 CVE-2019-8456 (Check Point IKEv2 IPsec VPN up to R80.30, in some less common 
conditio ...)
        NOT-FOR-US: Check Point
 CVE-2019-8455 (A hard-link created from the log file of Check Point ZoneAlarm 
up to 1 ...)
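Review bot: CVE-2019-8457 (SQLite3 3.6.0 through 3.27.2, heap out-of-bounds) is the one new "TODO: check" in this patch that names a widely embedded library rather than a standalone web application, so it should be resolved ahead of the others with a package line and a severity.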
@@ -14332,10 +14378,10 @@ CVE-2019-6983 (An issue was discovered in Foxit 3D 
Plugin Beta before 9.4.0.1680
        NOT-FOR-US: Foxit Reader
 CVE-2019-6982 (An issue was discovered in Foxit 3D Plugin Beta before 
9.4.0.16807 for ...)
        NOT-FOR-US: Foxit Reader
-CVE-2019-6981
-       RESERVED
-CVE-2019-6980
-       RESERVED
+CVE-2019-6981 (Zimbra Collaboration Suite 8.7.x through 8.8.11 allows Blind 
SSRF in t ...)
+       TODO: check
+CVE-2019-6980 (Synacor Zimbra Collaboration Suite 8.7.x through 8.8.11 allows 
insecur ...)
+       TODO: check
 CVE-2019-6979 (An issue was discovered in the User IP History Logs (aka 
IP_History_Lo ...)
        NOT-FOR-US: IP History Logs plugin for MyBB
 CVE-2018-20745 (Yii 2.x through 2.0.15.1 actively converts a wildcard CORS 
policy into ...)
@@ -14823,7 +14869,7 @@ CVE-2017-18359 (PostGIS 2.x before 2.3.3, as used with 
PostgreSQL, allows remote
 CVE-2019-6779 (Cscms 4.1.8 allows admin.php/links/save CSRF to add, modify, or 
delete ...)
        NOT-FOR-US: Cscms
 CVE-2019-6778 (In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based 
buffer ove ...)
-       {DLA-1694-1}
+       {DSA-4454-1 DLA-1694-1}
        - qemu 1:3.1+dfsg-3 (bug #921525)
        - qemu-kvm <removed>
        - slirp4netns 0.2.1-1
@@ -15926,10 +15972,10 @@ CVE-2019-6324
        RESERVED
 CVE-2019-6323
        RESERVED
-CVE-2019-6322
-       RESERVED
-CVE-2019-6321
-       RESERVED
+CVE-2019-6322 (HP has identified a security vulnerability with some versions 
of Works ...)
+       TODO: check
+CVE-2019-6321 (HP has identified a security vulnerability with some versions 
of Works ...)
+       TODO: check
 CVE-2019-6320
        RESERVED
 CVE-2019-6319
@@ -21739,6 +21785,7 @@ CVE-2019-3813 (Spice, versions 0.5.2 through 0.14.1, 
are vulnerable to an out-of
        NOTE: https://www.openwall.com/lists/oss-security/2019/01/28/2
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1665371
 CVE-2019-3812 (QEMU, through version 2.10 and through version 3.1.0, is 
vulnerable to ...)
+       {DSA-4454-1}
        - qemu 1:3.1+dfsg-5 (bug #922635)
        [jessie] - qemu <not-affected> (vulnerable code introduced later)
        - qemu-kvm <removed>
@@ -24032,7 +24079,7 @@ CVE-2018-20241 (The Edit upload resource for a review 
in Atlassian Fisheye and C
        NOT-FOR-US: Atlassian
 CVE-2018-20240 (The administrative linker functionality in Atlassian Fisheye 
and Cruci ...)
        NOT-FOR-US: Atlassian
-CVE-2018-20239 (Application Links before version 3.4.3, 4.6.x before 4.7.0, 
5.0.x befo ...)
+CVE-2018-20239 (Application Links before version 5.0.11, from version 5.1.0 
before 5.2 ...)
        NOT-FOR-US: Atlassian
 CVE-2018-20238 (Various rest resources in Atlassian Crowd before version 3.2.7 
and fro ...)
        NOT-FOR-US: Atlassian
@@ -24298,8 +24345,8 @@ CVE-2018-20162 (Digi TransPort LR54 4.4.0.26 and 
possible earlier devices have I
        NOT-FOR-US: Digi TransPort
 CVE-2018-20161 (A design flaw in the BlinkForHome (aka Blink For Home) Sync 
Module 2.1 ...)
        NOT-FOR-US: BlinkForHome (aka Blink For Home) Sync Module
-CVE-2018-20160
-       RESERVED
+CVE-2018-20160 (ZxChat (aka ZeXtras Chat), as used for zimbra-chat and 
zimbra-talk in  ...)
+       TODO: check
 CVE-2018-20159 (i-doit open 1.11.2 allows Remote Code Execution because ZIP 
archives a ...)
        NOT-FOR-US: i-doit
 CVE-2018-20158
@@ -25709,7 +25756,7 @@ CVE-2019-2700 (Vulnerability in the PeopleSoft 
Enterprise ELM component of Oracl
 CVE-2019-2699 (Vulnerability in the Java SE component of Oracle Java SE 
(subcomponent ...)
        - openjdk-8 <not-affected> (Windows-specific)
 CVE-2019-2698 (Vulnerability in the Java SE component of Oracle Java SE 
(subcomponent ...)
-       {DLA-1782-1}
+       {DSA-4453-1 DLA-1782-1}
        - openjdk-7 <removed> (low)
        - openjdk-8 8u212-b03-1 (low)
        - openjdk-11 11.0.3+7-1 (low)
@@ -25745,7 +25792,7 @@ CVE-2019-2686 (Vulnerability in the MySQL Server 
component of Oracle MySQL (subc
 CVE-2019-2685 (Vulnerability in the MySQL Server component of Oracle MySQL 
(subcompon ...)
        - mysql-5.7 <not-affected> (Only affects MySQL 8)
 CVE-2019-2684 (Vulnerability in the Java SE, Java SE Embedded component of 
Oracle Jav ...)
-       {DLA-1782-1}
+       {DSA-4453-1 DLA-1782-1}
        - openjdk-7 <removed>
        - openjdk-8 8u212-b03-1
        - openjdk-11 11.0.3+7-1
@@ -25936,7 +25983,7 @@ CVE-2019-2604 (Vulnerability in the Oracle Marketing 
component of Oracle E-Busin
 CVE-2019-2603 (Vulnerability in the Oracle One-to-One Fulfillment component of 
Oracle ...)
        NOT-FOR-US: Oracle
 CVE-2019-2602 (Vulnerability in the Java SE, Java SE Embedded component of 
Oracle Jav ...)
-       {DLA-1782-1}
+       {DSA-4453-1 DLA-1782-1}
        - openjdk-7 <removed>
        - openjdk-8 8u212-b03-1
        - openjdk-11 11.0.3+7-1
@@ -32681,7 +32728,7 @@ CVE-2018-19490 (An issue was discovered in datafile.c 
in Gnuplot 5.2.5. This iss
        NOTE: No security impact, gnuplot can execute arbitrary commands and 
need to come from a trusted source,
        NOTE: see README.Debian.security (added in 5.2.6)
 CVE-2018-19489 (v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS users to 
cause a de ...)
-       {DLA-1646-1}
+       {DSA-4454-1 DLA-1646-1}
        - qemu 1:3.1+dfsg-1 (bug #914727)
        - qemu-kvm <removed>
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg04489.html
@@ -33038,7 +33085,7 @@ CVE-2018-19366
 CVE-2018-19365 (The REST API in Wowza Streaming Engine 4.7.4.01 allows 
traversal of th ...)
        NOT-FOR-US: Wowza Streaming Engine
 CVE-2018-19364 (hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an fid 
path while ...)
-       {DLA-1646-1}
+       {DSA-4454-1 DLA-1646-1}
        - qemu 1:3.1+dfsg-1 (bug #914599)
        - qemu-kvm <removed>
        NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=5b76ef50f62079a2389ba28cacaf6cce68b1a0ed
@@ -33314,6 +33361,7 @@ CVE-2019-0222 (In Apache ActiveMQ 5.0.0 - 5.15.8, 
unmarshalling corrupt MQTT fra
        [jessie] - activemq <not-affected> (MQTT support not enabled)
        NOTE: 
http://activemq.apache.org/security-advisories.data/CVE-2019-0222-announcement.txt
 CVE-2019-0221 (The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 
8.5.0  ...)
+       {DLA-1810-1}
        - tomcat9 <unfixed>
        - tomcat8 <removed>
        - tomcat7 <removed>
@@ -34450,6 +34498,7 @@ CVE-2018-18955 (In the Linux kernel 4.15.x through 
4.19.x before 4.19.2, map_wri
        NOTE: Introduced in https://git.kernel.org/linus/6397fac4915a
        NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
 CVE-2018-18954 (The pnv_lpc_do_eccb function in hw/ppc/pnv_lpc.c in Qemu 
before 3.1 al ...)
+       {DSA-4454-1}
        - qemu 1:3.1+dfsg-1 (low; bug #914604)
        [jessie] - qemu <not-affected> (Vulnerable code not present. ppc/pnv 
lpc was added in 2.7)
        - qemu-kvm <removed>
@@ -34681,7 +34730,7 @@ CVE-2018-18851
 CVE-2018-18850 (In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, 
an authen ...)
        NOT-FOR-US: Octopus Deploy
 CVE-2018-18849 (In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows 
out-of-boun ...)
-       {DLA-1781-1}
+       {DSA-4454-1 DLA-1781-1}
        - qemu 1:3.1+dfsg-1 (bug #912535)
        - qemu-kvm <removed>
        NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=e58ccf039650065a9442de43c9816f81e88f27f6
@@ -35225,8 +35274,8 @@ CVE-2018-18883 (An issue was discovered in Xen 4.9.x 
through 4.11.x, on Intel x8
        [stretch] - xen <not-affected> (Only affects 4.9 and later)
        [jessie] - xen <not-affected> (Only affects 4.9 and later)
        NOTE: https://xenbits.xen.org/xsa/advisory-278.txt
-CVE-2018-18631
-       RESERVED
+CVE-2018-18631 (mailboxd component in Synacor Zimbra Collaboration Suite 8.6, 
8.7 befo ...)
+       TODO: check
 CVE-2018-18630
        RESERVED
 CVE-2018-18629 (An issue was discovered in the Keybase command-line client 
before 2.8. ...)
@@ -37209,7 +37258,7 @@ CVE-2018-17960 (CKEditor 4.x before 4.11.0 allows 
user-assisted XSS involving a
 CVE-2018-17959
        RESERVED
 CVE-2018-17958 (Qemu has a Buffer Overflow in rtl8139_do_receive in 
hw/net/rtl8139.c b ...)
-       {DLA-1646-1}
+       {DSA-4454-1 DLA-1646-1}
        - qemu 1:3.1+dfsg-1 (bug #911499)
        - qemu-kvm <removed>
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2018-09/msg03269.html
@@ -39872,7 +39921,7 @@ CVE-2018-16873 (In Go before 1.10.6 and 1.11.x before 
1.11.3, the "go get" comma
        NOTE: 
https://github.com/golang/go/commit/7ef6ee2c5727f0d11206b4d1866c18e6ab4785be 
(1.10.6)
        TODO: check other versions
 CVE-2018-16872 (A flaw was found in qemu Media Transfer Protocol (MTP). The 
code openi ...)
-       {DLA-1694-1}
+       {DSA-4454-1 DLA-1694-1}
        - qemu 1:3.1+dfsg-2 (bug #916397)
        - qemu-kvm <removed>
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg03135.html
@@ -44379,8 +44428,8 @@ CVE-2018-15132 (An issue was discovered in 
ext/standard/link_win32.c in PHP befo
        NOTE: Fixed in 5.6.37, 7.0.31, 7.1.20, 7.2.8
        NOTE: PHP Bug: https://bugs.php.net/bug.php?id=76459
        NOTE: 
https://github.com/php/php-src/commit/f151e048ed27f6f4eef729f3310d053ab5da71d4
-CVE-2018-15131
-       RESERVED
+CVE-2018-15131 (An issue was discovered in Synacor Zimbra Collaboration Suite 
8.6.x be ...)
+       TODO: check
 CVE-2018-15130 (ThinkSAAS through 2018-07-25 has XSS via the 
index.php?app=group&amp;a ...)
        NOT-FOR-US: ThinkSAAS
 CVE-2013-7464 (In csrf-magic before 1.0.4, if $GLOBALS['csrf']['secret'] is 
not confi ...)
@@ -46376,8 +46425,8 @@ CVE-2018-14427
        RESERVED
 CVE-2018-14426
        RESERVED
-CVE-2018-14425
-       RESERVED
+CVE-2018-14425 (There is a Persistent XSS vulnerability in the briefcase 
component of  ...)
+       TODO: check
 CVE-2017-18343 (** DISPUTED ** The debug handler in Symfony before v2.7.33, 
2.8.x befo ...)
        - symfony 3.4.0+dfsg-1 (unimportant)
        NOTE: 
https://github.com/symfony/debug/pull/7/commits/e48bda29143bd1a83001780b4a78e483822d985c
@@ -47502,8 +47551,7 @@ CVE-2018-14015 (The sdb_set_internal function in sdb.c 
in radare2 2.7.0 allows r
        NOTE: https://github.com/radare/radare2/issues/10465
 CVE-2018-14014 (In waimai Super Cms 20150505, there is a CSRF vulnerability 
that can a ...)
        NOT-FOR-US: waimai Super Cms
-CVE-2018-14013
-       RESERVED
+CVE-2018-14013 (Synacor Zimbra Collaboration Suite Collaboration before 8.8.11 
has XSS ...)
        NOT-FOR-US: Zimbra
 CVE-2018-14012 (WolfSight CMS 3.2 allows SQL injection via the PATH_INFO to 
the defaul ...)
        NOT-FOR-US: WolfSight CMS
@@ -48923,14 +48971,14 @@ CVE-2018-13370
        RESERVED
 CVE-2018-13369
        RESERVED
-CVE-2018-13368
-       RESERVED
+CVE-2018-13368 (A local privilege escalation in Fortinet FortiClient for 
Windows 6.0.4 ...)
+       TODO: check
 CVE-2018-13367
        RESERVED
 CVE-2018-13366 (An information disclosure vulnerability in Fortinet FortiOS 
6.0.1, 5.6 ...)
        NOT-FOR-US: Fortinet FortiOS
-CVE-2018-13365
-       RESERVED
+CVE-2018-13365 (An Information Exposure vulnerability in Fortinet FortiOS 
6.0.1, 5.6.5 ...)
+       TODO: check
 CVE-2018-13364
        RESERVED
 CVE-2018-13363
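Review bot: CVE-2018-13368 and CVE-2018-13365 land as "TODO: check" (as do CVE-2018-9193 and CVE-2018-9191 later in this patch), while the neighbouring Fortinet entries CVE-2018-13366 and CVE-2018-9194 are already "NOT-FOR-US: Fortinet FortiOS"; the FortiClient for Windows and FortiOS descriptions fit the same pattern and can be triaged consistently.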
@@ -50843,7 +50891,7 @@ CVE-2018-12619
 CVE-2018-12618
        RESERVED
 CVE-2018-12617 (qmp_guest_file_read in qga/commands-posix.c and 
qga/commands-win32.c i ...)
-       {DLA-1694-1}
+       {DSA-4454-1 DLA-1694-1}
        - qemu 1:3.1+dfsg-1 (low; bug #902725)
        NOTE: 
https://gist.github.com/fakhrizulkifli/c7740d28efa07dafee66d4da5d857ef6
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg03385.html
@@ -52354,8 +52402,7 @@ CVE-2018-12132
        RESERVED
 CVE-2018-12131 (Permissions in the driver pack installers for Intel NVMe 
before versio ...)
        NOT-FOR-US: Intel
-CVE-2018-12130 [MFBDS  Microarchitectural Fill Buffer Data Sampling]
-       RESERVED
+CVE-2018-12130 (Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill 
buffers on  ...)
        {DSA-4447-1 DSA-4444-1 DLA-1799-1 DLA-1789-1 DLA-1787-1}
        - intel-microcode 3.20190514.1
        - linux 4.19.37-2
@@ -52370,8 +52417,7 @@ CVE-2018-12129
        RESERVED
 CVE-2018-12128
        RESERVED
-CVE-2018-12127 [MLPDS  Microarchitectural Load Port Data Sampling]
-       RESERVED
+CVE-2018-12127 (Microarchitectural Load Port Data Sampling (MLPDS): Load ports 
on some ...)
        {DSA-4447-1 DSA-4444-1 DLA-1799-1 DLA-1789-1 DLA-1787-1}
        - intel-microcode 3.20190514.1
        - linux 4.19.37-2
@@ -52382,8 +52428,7 @@ CVE-2018-12127 [MLPDS  Microarchitectural Load Port 
Data Sampling]
        NOTE: libvirt support for md-clear CPUID bit:
        NOTE: 
https://libvirt.org/git/?p=libvirt.git;a=commit;h=538d873571d7a682852dc1d70e5f4478f4d64e85
        NOTE: qemu and libvirt need updates to passthrough md-clear, see 
#929067 for qemu and #929154 for libvirt
-CVE-2018-12126 [MSBDS  Microarchitectural Store Buffer Data Sampling]
-       RESERVED
+CVE-2018-12126 (Microarchitectural Store Buffer Data Sampling (MSBDS): Store 
buffers o ...)
        {DSA-4447-1 DSA-4444-1 DLA-1799-1 DLA-1789-1 DLA-1787-1}
        - intel-microcode 3.20190514.1
        - linux 4.19.37-2
@@ -53185,7 +53230,7 @@ CVE-2018-11808 (Incorrect Access Control in 
CustomFieldsFeedServlet in Zoho Mana
 CVE-2018-11807
        RESERVED
 CVE-2018-11806 (m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow 
via inc ...)
-       {DLA-1781-1}
+       {DSA-4454-1 DLA-1781-1}
        - qemu 1:3.1+dfsg-1 (bug #901017)
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2018-06/msg01012.html
        NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=864036e251f54c99d31df124aad7f34f01f5344c
@@ -55627,8 +55672,8 @@ CVE-2018-10950 (mailboxd in Zimbra Collaboration Suite 
8.8 before 8.8.8; 8.7 bef
        NOT-FOR-US: Zimbra
 CVE-2018-10949 (mailboxd in Zimbra Collaboration Suite 8.8 before 8.8.8; 8.7 
before 8. ...)
        NOT-FOR-US: Zimbra
-CVE-2018-10948
-       RESERVED
+CVE-2018-10948 (Synacor Zimbra Admin UI in Zimbra Collaboration Suite before 
8.8.0 bet ...)
+       TODO: check
 CVE-2018-10947
        RESERVED
 CVE-2018-10946
@@ -60337,12 +60382,12 @@ CVE-2018-9195
        RESERVED
 CVE-2018-9194 (A plaintext recovery of encrypted messages or a 
Man-in-the-middle (MiT ...)
        NOT-FOR-US: Fortinet FortiOS
-CVE-2018-9193
-       RESERVED
+CVE-2018-9193 (A local privilege escalation in Fortinet FortiClient for 
Windows 6.0.4 ...)
+       TODO: check
 CVE-2018-9192 (A plaintext recovery of encrypted messages or a 
Man-in-the-middle (MiT ...)
        NOT-FOR-US: Fortinet FortiOS
-CVE-2018-9191
-       RESERVED
+CVE-2018-9191 (A local privilege escalation in Fortinet FortiClient for 
Windows 6.0.4 ...)
+       TODO: check
 CVE-2018-9190 (A null pointer dereference vulnerability in Fortinet 
FortiClientWindow ...)
        NOT-FOR-US: Fortinet
 CVE-2018-9189
@@ -63259,8 +63304,7 @@ CVE-2018-8031 (The Apache TomEE console (tomee-webapp) 
has a XSS vulnerability w
        NOT-FOR-US: Apache TomEE
 CVE-2018-8030 (A Denial of Service vulnerability was found in Apache Qpid 
Broker-J ve ...)
        - qpid-java <itp> (bug #840131)
-CVE-2018-8029
-       RESERVED
+CVE-2018-8029 (In Apache Hadoop versions 3.0.0-alpha1 to 3.1.0, 2.9.0 to 
2.9.1, and 2 ...)
        - hadoop <itp> (bug #793644)
 CVE-2018-8028 (An authenticated user can execute ALTER TABLE EXCHANGE 
PARTITIONS with ...)
        NOT-FOR-US: Apache Sentry
@@ -73218,6 +73262,7 @@ CVE-2017-1000496 (Commsy version 9.0.0 is vulnerable to 
XXE attacks in the confi
 CVE-2017-1000495 (QuickApps CMS version 2.0.0 is vulnerable to Stored 
Cross-site Scripti ...)
        NOT-FOR-US: QuickApps CMS
 CVE-2017-1000494 (Uninitialized stack variable vulnerability in 
NameValueParserEndElt (u ...)
+       {DLA-1811-1}
        - miniupnpd 2.0.20171212-1 (bug #887129)
        [stretch] - miniupnpd 1.8.20140523-4.1+deb9u1
        - miniupnpc 2.0.20171212-3 (unimportant)
@@ -75125,8 +75170,8 @@ CVE-2018-4050 (An exploitable local privilege 
escalation vulnerability exists in
        NOT-FOR-US: GOG Galaxy's Games for MacOS
 CVE-2018-4049 (An exploitable local privilege elevation vulnerability exists 
in the f ...)
        NOT-FOR-US: GOG Galaxy's Games for Windows
-CVE-2018-4048
-       RESERVED
+CVE-2018-4048 (An exploitable local privilege elevation vulnerability exists 
in the f ...)
+       TODO: check
 CVE-2018-4047 (An exploitable privilege escalation vulnerability exists in the 
helper ...)
        NOT-FOR-US: Clean My Mac X
 CVE-2018-4046 (An exploitable denial-of-service vulnerability exists in the 
helper se ...)
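Review bot: CVE-2018-4048's description ("An exploitable local privilege elevation vulnerability exists in the f ...") is truncated identically to the adjacent CVE-2018-4049, which is already "NOT-FOR-US: GOG Galaxy's Games for Windows"; triage this one the same way once the full text confirms the product.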



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/1b6bfdfa5182abd3fcaf95d5e4716da123f1dd84
