Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
696c4a8d by Moritz Muehlenhoff at 2019-07-02T11:12:03Z
xpdf triage
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -247,7 +247,7 @@ CVE-2019-13052 (Logitech Unifying devices allow live 
decryption if the pairing o
 CVE-2019-13051
        RESERVED
 CVE-2019-13050 (Interaction between the sks-keyserver code through 1.2.0 of 
the SKS ke ...)
-       TODO: check
+       NOT-FOR-US: Conceptual weakness in PGP keyserver design
 CVE-2019-13049 (An integer wrap in kernel/sys/syscall.c in ToaruOS 1.10.10 
allows user ...)
        NOT-FOR-US: ToaruOS
 CVE-2019-13048 (kernel/sys/syscall.c in ToaruOS through 1.10.9 allows a denial 
of serv ...)
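Review bot: the CVE-2019-13050 tag "NOT-FOR-US: Conceptual weakness in PGP keyserver design" puts a rationale where every other NOT-FOR-US in this commit puts a product name, and the description itself names the sks-keyserver code through 1.2.0. If that code is shipped as a Debian source package, the right shape is a package line (for example `- sks <unfixed>` or `<no-dsa>`/`<unimportant>` with this sentence as the parenthesised reason) plus a NOTE, not NOT-FOR-US, which removes the CVE from every per-package view; if it is not packaged, name the software in the tag and keep the design remark as a NOTE line.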
@@ -307,7 +307,7 @@ CVE-2019-13026
 CVE-2019-13025
        RESERVED
 CVE-2019-13024 (Centreon V19.04 allows the attacker to execute arbitrary 
system comman ...)
-       TODO: check
+       NOT-FOR-US: Centreon
 CVE-2019-13023
        RESERVED
 CVE-2019-13022
@@ -439,7 +439,7 @@ CVE-2019-12970 (XSS was discovered in SquirrelMail through 
1.4.22 and 1.5.x thro
 CVE-2019-12969
        RESERVED
 CVE-2019-12968 (A vulnerability was found in the Sonic Robo Blast 2 (SRB2) 
plugin (EP_ ...)
-       TODO: check
+       NOT-FOR-US: Sonic Robo Blast 2
 CVE-2019-12967
        RESERVED
 CVE-2019-12966 (FeHelper through 2019-06-19 allows arbitrary code execution 
during a J ...)
@@ -482,9 +482,12 @@ CVE-2019-12960 (LiveZilla Server before 8.0.1.1 is 
vulnerable to SQL Injection i
 CVE-2019-12959
        RESERVED
 CVE-2019-12958 (In Xpdf 4.01.01, a heap-based buffer over-read could be 
triggered in F ...)
-       TODO: check
+       - xpdf <not-affected> (xpdf in Debian uses poppler, which is fixed)
+       NOTE: CVE-2017-14976 in poppler
 CVE-2019-12957 (In Xpdf 4.01.01, a buffer over-read could be triggered in 
FoFiType1C:: ...)
-       TODO: check
+       - xpdf <not-affected> (xpdf in Debian uses poppler, which is fixed)
+       - poppler 0.22.5-4
+       NOTE: poppler fix: 
https://gitlab.freedesktop.org/poppler/poppler/commit/96931732f343d2bbda9af9488b485da031866c3b
 CVE-2019-12956
        RESERVED
 CVE-2019-12955
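Review bot: the CVE-2019-12958 entry asserts that poppler "is fixed" but records no poppler line, whereas CVE-2019-12957 directly below gets `- poppler 0.22.5-4` and an upstream commit. If the poppler side of 12958 is the same bug as CVE-2017-14976, put that on a package line the tracker can act on, e.g. `- poppler <not-affected> (Duplicate of CVE-2017-14976)`, and keep the NOTE for the cross-reference; free text alone is not visible to the per-package or per-suite views. Separately, the xpdf <not-affected> rationale conflates two facts: xpdf in Debian is built against poppler (so it does not contain the Xpdf 4.01.01 code) and poppler is fixed; "xpdf in Debian uses poppler, tracked there" would state the actual reason.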
@@ -496,7 +499,8 @@ CVE-2019-12953
 CVE-2019-12952
        RESERVED
 CVE-2019-12951 (An issue was discovered in Mongoose before 6.15. The 
parse_mqtt() func ...)
-       TODO: check
+       NOT-FOR-US: Cesanta Mongoose
+       NOTE: smplayer embeds a copy, which is unused in any released version 
and disabled since 18.5.0~ds1-1
 CVE-2019-12950
        RESERVED
 CVE-2019-12949 (In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick 
an authen ...)
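Review bot: the NOTE on CVE-2019-12951 records that a Debian source package (smplayer) ships an embedded copy of Mongoose, which is exactly the situation the tracker normally records as a package line rather than prose, e.g. `- smplayer <not-affected> (embedded copy unused in released versions, disabled since 18.5.0~ds1-1)` or `<unimportant>` with the same reason. With NOT-FOR-US the embedded copy drops out of smplayer's package view entirely, so anyone re-enabling the code later would not see this CVE.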
@@ -1518,7 +1522,8 @@ CVE-2019-12517
 CVE-2019-12516
        RESERVED
 CVE-2019-12515 (There is an out-of-bounds read vulnerability in the function 
FlateStre ...)
-       TODO: check
+       - xpdf <not-affected> (xpdf in Debian uses poppler, which is not 
affected or fixed)
+       NOTE: 
https://github.com/PanguL4b/pocs/tree/master/xpdf/out-of-bounds-read-in-FlateStream__getChar
 CVE-2019-12514
        RESERVED
 CVE-2019-12513
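Review bot: "poppler, which is not affected or fixed" on CVE-2019-12515 leaves open which of the two applies, and unlike the other xpdf entries in this commit no poppler line and no upstream commit is recorded; the NOTE only links a PoC repository. Suggest checking poppler's FlateStream::getChar and recording either `- poppler <not-affected>` with the reason, or a fixed version plus the poppler commit, so the xpdf <not-affected> rationale rests on something the tracker can verify.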
@@ -1571,7 +1576,9 @@ CVE-2019-12495 (An issue was discovered in Tiny C 
Compiler (aka TinyCC or TCC) 0
 CVE-2019-12494 (In Gardener before 0.20.0, incorrect access control in seed 
clusters a ...)
        NOT-FOR-US: Gardener
 CVE-2019-12493 (A stack-based buffer over-read exists in 
PostScriptFunction::transform ...)
-       TODO: check
+       - xpdf <not-affected> (xpdf in Debian uses poppler, which is not 
affected or fixed)
+       - poppler 0.44.0-2
+       NOTE: 
https://gitlab.freedesktop.org/poppler/poppler/commit/37840827c4073dedfd37915a74eb8fe0c44843c3
 CVE-2019-12492 (Gallagher Command Centre before 7.80.939, 7.90.x before 
7.90.961, and  ...)
        NOT-FOR-US: Gallagher Command Centre
 CVE-2019-12491 (OnApp before 5.0.0-88, 5.5.0-93, and 6.0.0-196 allows an 
attacker to r ...)
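Review bot: the xpdf rationale on CVE-2019-12493 hedges with "not affected or fixed" while the very next line states a concrete poppler fixed version (0.44.0-2) and the NOTE links the fixing commit; drop the hedge and write "which is fixed" as the CVE-2019-12957 entry does. Since the tracker treats 0.44.0-2 as the fixed boundary for every suite, it is also worth confirming that this is the first Debian upload containing commit 37840827c4073dedfd37915a74eb8fe0c44843c3 rather than the version current at the time of the commit.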
@@ -3372,7 +3379,7 @@ CVE-2019-11772
 CVE-2019-11771
        RESERVED
 CVE-2019-11770 (In Eclipse Buildship versions prior to 3.1.1, the build files 
indicate ...)
-       TODO: check
+       NOT-FOR-US: Eclipse Buildship
 CVE-2019-11769
        RESERVED
 CVE-2019-11768 (An issue was discovered in phpMyAdmin before 4.9.0.1. A 
vulnerability  ...)
@@ -5499,7 +5506,7 @@ CVE-2019-10981 (In Vijeo Citect 7.30 and 7.40, and 
CitectSCADA 7.30 and 7.40, a
 CVE-2019-10980
        RESERVED
 CVE-2019-10979 (SICK MSC800 all versions prior to Version 4.0, the affected 
firmware v ...)
-       TODO: check
+       NOT-FOR-US: SICK MSC800
 CVE-2019-10978
        RESERVED
 CVE-2019-10977 (In Mitsubishi Electric MELSEC-Q series Ethernet module 
QJ71E71-100 ser ...)
@@ -9507,7 +9514,7 @@ CVE-2019-9725 (The Web manager (aka Commander) on Korenix 
JetPort 5601 and 5601f
 CVE-2019-9724 (aquaverde Aquarius CMS through 4.3.5 allows Information 
Exposure throu ...)
        NOT-FOR-US: aquaverde Aquarius CMS
 CVE-2019-9723 (LogicalDOC Community Edition 8.x before 8.2.1 has a path 
traversal vul ...)
-       TODO: check
+       NOT-FOR-US: LogicalDOC
 CVE-2019-9722
        RESERVED
 CVE-2019-9721 (A denial of service in the subtitle decoder in FFmpeg 4.1 
allows attac ...)
@@ -9564,9 +9571,9 @@ CVE-2019-9704 (Vixie Cron before the 3.0pl1-133 Debian 
package allows local user
        [stretch] - cron <no-dsa> (Minor issue, will be fixed via point update)
        NOTE: Fixed by: https://salsa.debian.org/debian/cron/commit/f2525567
 CVE-2019-9703 (Symantec Endpoint Encryption, prior to SEE 11.3.0, may be 
susceptible  ...)
-       TODO: check
+       NOT-FOR-US: Symantec
 CVE-2019-9702 (Symantec Endpoint Encryption, prior to SEE 11.3.0, may be 
susceptible  ...)
-       TODO: check
+       NOT-FOR-US: Symantec
 CVE-2019-9701 (DLP 15.5 MP1 and all prior versions may be susceptible to a 
cross-site ...)
        NOT-FOR-US: DLP (Symantec)
 CVE-2019-9700
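Review bot: "NOT-FOR-US: Symantec" on CVE-2019-9703 and CVE-2019-9702 names the vendor, while the neighbouring CVE-2019-9701 line names the product ("DLP (Symantec)"); both descriptions name Symantec Endpoint Encryption, so "NOT-FOR-US: Symantec Endpoint Encryption" would match the convention used elsewhere in this commit and keep grep-based triage of later SEE CVEs consistent.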
@@ -14519,15 +14526,15 @@ CVE-2019-7672 (Prima Systems FlexAir devices have 
Hard-coded Credentials. ...)
 CVE-2019-7671 (Prima Systems FlexAir devices allow Authenticated Stored XSS. 
...)
        NOT-FOR-US: Prima Systems FlexAir devices
 CVE-2019-7670 (Prima Systems FlexAir devices allow Authenticated Command 
Injection re ...)
-       TODO: check
+       NOT-FOR-US: Prima Systems FlexAir devices
 CVE-2019-7669 (Prima Systems FlexAir devices allow Unauthenticated Command 
Injection  ...)
-       TODO: check
+       NOT-FOR-US: Prima Systems FlexAir devices
 CVE-2019-7668 (Prima Systems FlexAir devices have Default Credentials. ...)
-       TODO: check
+       NOT-FOR-US: Prima Systems FlexAir devices
 CVE-2019-7667 (Prima Systems FlexAir devices allow unauthenticated download of 
the da ...)
-       TODO: check
+       NOT-FOR-US: Prima Systems FlexAir devices
 CVE-2019-7666 (Prima Systems FlexAir devices allow authentication with MD5 
hashes dir ...)
-       TODO: check
+       NOT-FOR-US: Prima Systems FlexAir devices
 CVE-2019-7665 (In elfutils 0.175, a heap-based buffer over-read was discovered 
in the ...)
        {DLA-1689-1}
        - elfutils 0.176-1 (low; bug #921880)
@@ -15723,27 +15730,27 @@ CVE-2019-7285
 CVE-2019-7284
        RESERVED
 CVE-2019-7281 (Prima Systems FlexAir devices allow Cross-Site Request Forgery 
(CSRF). ...)
-       TODO: check
+       NOT-FOR-US: Prima Systems FlexAir
 CVE-2019-7280 (Prima Systems FlexAir devices have an Insufficient Session-ID 
Length. ...)
-       TODO: check
+       NOT-FOR-US: Prima Systems FlexAir
 CVE-2019-7279 (Optergy Proton/Enterprise devices have Hard-coded Credentials. 
...)
-       TODO: check
+       NOT-FOR-US: Optergy Proton
 CVE-2019-7278 (Optergy Proton/Enterprise devices have an Unauthenticated SMS 
Sending  ...)
-       TODO: check
+       NOT-FOR-US: Optergy Proton
 CVE-2019-7277 (Optergy Proton/Enterprise devices allow Unauthenticated 
Internal Netwo ...)
-       TODO: check
+       NOT-FOR-US: Optergy Proton
 CVE-2019-7276 (Optergy Proton/Enterprise devices allow Remote Root Code 
Execution via ...)
-       TODO: check
+       NOT-FOR-US: Optergy Proton
 CVE-2019-7275 (Optergy Proton/Enterprise devices allow Open Redirect. ...)
-       TODO: check
+       NOT-FOR-US: Optergy Proton
 CVE-2019-7274 (Optergy Proton/Enterprise devices allow Authenticated File 
Upload with ...)
-       TODO: check
+       NOT-FOR-US: Optergy Proton
 CVE-2019-7273 (Optergy Proton/Enterprise devices allow Cross-Site Request 
Forgery (CS ...)
-       TODO: check
+       NOT-FOR-US: Optergy Proton
 CVE-2019-7272 (Optergy Proton/Enterprise devices allow Username Disclosure. 
...)
-       TODO: check
+       NOT-FOR-US: Optergy Proton
 CVE-2019-7271 (Nortek Linear eMerge 50P/5000P devices have Default 
Credentials. ...)
-       TODO: check
+       NOT-FOR-US: Nortek Linear
 CVE-2019-7270
        RESERVED
 CVE-2019-7269
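Review bot: product names in this hunk diverge from the ones used earlier in the same commit and from the descriptions: "Prima Systems FlexAir" here versus "Prima Systems FlexAir devices" in the CVE-2019-766x hunk, and "Optergy Proton" / "Nortek Linear" where the descriptions read "Optergy Proton/Enterprise devices" and "Nortek Linear eMerge 50P/5000P". Pick one spelling per product so NOT-FOR-US entries group correctly when searched.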
@@ -15876,7 +15883,7 @@ CVE-2019-7217 (Citrix ShareFile through 19.1 allows 
User Enumeration. It is poss
 CVE-2019-7216 (An issue was discovered in FileChucker 4.99e-free-e02. 
filechucker.cgi ...)
        NOT-FOR-US: FileChucker
 CVE-2019-7215 (Progress Sitefinity 10.1.6536 does not invalidate session 
cookies upon ...)
-       TODO: check
+       NOT-FOR-US: Progress Sitefinity
 CVE-2019-7214 (SmarterTools SmarterMail 16.x before build 6985 allows 
deserialization ...)
        NOT-FOR-US: SmarterTools SmarterMail
 CVE-2019-7213 (SmarterTools SmarterMail 16.x before build 6985 allows 
directory trave ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/696c4a8d34e28b0f4f6ca9011f00b812f8d46f32



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
