Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
66956b59 by security tracker role at 2019-10-09T20:10:20Z
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,81 @@
+CVE-2019-17406
+ RESERVED
+CVE-2019-17405
+ RESERVED
+CVE-2019-17404
+ RESERVED
+CVE-2019-17403
+ RESERVED
+CVE-2019-17402 (Exiv2 0.27.2 allows attackers to trigger a crash in
Exiv2::getULong in ...)
+ TODO: check
+CVE-2019-17401 (libyal liblnk 20191006 has a heap-based buffer over-read in
the networ ...)
+ TODO: check
+CVE-2019-17400
+ RESERVED
+CVE-2019-17399 (The Shack Forms Pro extension before 4.0.32 for Joomla! allows
path tr ...)
+ TODO: check
+CVE-2019-17398
+ RESERVED
+CVE-2019-17397
+ RESERVED
+CVE-2019-17396
+ RESERVED
+CVE-2019-17395
+ RESERVED
+CVE-2019-17394
+ RESERVED
+CVE-2019-17393
+ RESERVED
+CVE-2019-17392
+ RESERVED
+CVE-2019-17391
+ RESERVED
+CVE-2019-17390
+ RESERVED
+CVE-2019-17389 (In RIOT 2019.07, the MQTT-SN implementation (asymcute)
mishandles erro ...)
+ TODO: check
+CVE-2019-17388
+ RESERVED
+CVE-2019-17387
+ RESERVED
+CVE-2019-17386
+ RESERVED
+CVE-2019-17385 (The animate-it plugin before 2.3.5 for WordPress has XSS. ...)
+ TODO: check
+CVE-2019-17384 (The animate-it plugin before 2.3.4 for WordPress has XSS. ...)
+ TODO: check
+CVE-2019-17383 (The netaddr gem before 2.0.4 for Ruby has misconfigured file
permissio ...)
+ TODO: check
+CVE-2019-17382 (An issue was discovered in
zabbix.php?action=dashboard.view&dashbo ...)
+ TODO: check
+CVE-2019-17381
+ RESERVED
+CVE-2019-17380 (cPanel before 82.0.15 allows self XSS in the WHM Update
Preferences in ...)
+ TODO: check
+CVE-2019-17379 (cPanel before 82.0.15 allows self stored XSS in the WHM SSL
Storage Ma ...)
+ TODO: check
+CVE-2019-17378 (cPanel before 82.0.15 allows self XSS in the SSL Key Delete
interface ...)
+ TODO: check
+CVE-2019-17377 (cPanel before 82.0.15 allows self XSS in LiveAPI example
scripts (SEC- ...)
+ TODO: check
+CVE-2019-17376 (cPanel before 82.0.15 allows self XSS in the SSL Certificate
Upload in ...)
+ TODO: check
+CVE-2019-17375 (cPanel before 82.0.15 allows API token credentials to persist
after an ...)
+ TODO: check
+CVE-2019-17374
+ RESERVED
+CVE-2019-17373 (Certain NETGEAR devices allow unauthenticated access to
critical .cgi ...)
+ TODO: check
+CVE-2019-17372 (Certain NETGEAR devices allow remote attackers to disable all
authenti ...)
+ TODO: check
+CVE-2019-17371 (libpng 1.6.37 has memory leaks in png_malloc_warn and
png_create_info_ ...)
+ TODO: check
+CVE-2019-17370 (OTCMS v3.85 allows arbitrary PHP Code Execution because
admin/sysCheck ...)
+ TODO: check
+CVE-2019-17369 (OTCMS v3.85 has CSRF in the admin/member_deal.php Admin Panel
page, le ...)
+ TODO: check
+CVE-2019-17368 (S-CMS v1.5 has XSS in tpl.php via the member/member_login.php
from par ...)
+ TODO: check
CVE-2019-17367
RESERVED
CVE-2019-17366
@@ -30,10 +108,10 @@ CVE-2019-17356
RESERVED
CVE-2019-17355
RESERVED
-CVE-2019-17354
- RESERVED
-CVE-2019-17353
- RESERVED
+CVE-2019-17354 (wan.htm page on Zyxel NBG-418N v2 with firmware version
V1.00(AARP.9)C ...)
+ TODO: check
+CVE-2019-17353 (An issue discovered on D-Link DIR-615 devices with firmware
version 20 ...)
+ TODO: check
CVE-2019-17352 (In JFinal cos before 2019-08-13, as used in JFinal 4.4, there
is a vul ...)
TODO: check
CVE-2019-17339
@@ -184,7 +262,7 @@ CVE-2019-17267 (A Polymorphic Typing issue was discovered
in FasterXML jackson-d
- jackson-databind 2.10.0-1
NOTE: https://github.com/FasterXML/jackson-databind/issues/2460
NOTE:
https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb
-CVE-2019-17266 (libsoup through 2.68.1 has a heap-based buffer over-read
because soup_ ...)
+CVE-2019-17266 (libsoup from versions 2.65.1 until 2.68.1 have a heap-based
buffer ove ...)
- libsoup2.4 2.68.2-1 (bug #941912)
[buster] - libsoup2.4 <not-affected> (Vulnerable code introduced in
2.65.1)
[stretch] - libsoup2.4 <not-affected> (Vulnerable code introduced in
2.65.1)
@@ -479,16 +557,16 @@ CVE-2019-17133 (In the Linux kernel through 5.3.2,
cfg80211_mgd_wext_giwessid in
NOTE: https://marc.info/?l=linux-wireless&m=157018270915487&w=2
CVE-2019-17129
RESERVED
-CVE-2019-17128
- RESERVED
+CVE-2019-17128 (Netreo OmniCenter through 12.1.1 allows unauthenticated SQL
Injection ...)
+ TODO: check
CVE-2019-17127
RESERVED
CVE-2019-17126
RESERVED
CVE-2019-17125
RESERVED
-CVE-2019-17124
- RESERVED
+CVE-2019-17124 (Kramer VIAware 2.5.0719.1034 has Incorrect Access Control. ...)
+ TODO: check
CVE-2019-17123
RESERVED
CVE-2019-17122
@@ -566,8 +644,8 @@ CVE-2019-17094
RESERVED
CVE-2019-17093
RESERVED
-CVE-2019-17092
- RESERVED
+CVE-2019-17092 (An XSS vulnerability in project list in OpenProject before
9.0.4 and 1 ...)
+ TODO: check
CVE-2019-17091 (faces/context/PartialViewContextImpl.java in Eclipse Mojarra,
as used ...)
TODO: check
CVE-2019-17090
@@ -1002,8 +1080,8 @@ CVE-2019-16907
RESERVED
CVE-2019-16906
RESERVED
-CVE-2019-16905
- RESERVED
+CVE-2019-16905 (OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with
an expe ...)
+ TODO: check
CVE-2019-16904 (TeamPass 2.1.27.36 allows Stored XSS by setting a crafted
password for ...)
- teampass <itp> (bug #730180)
CVE-2019-16903 (Platinum UPnP SDK 1.2.0 allows Directory Traversal in
Core/PltHttpServ ...)
@@ -3850,8 +3928,8 @@ CVE-2019-15861
RESERVED
CVE-2019-15860 (Xpdf 2.00 allows a SIGSEGV in XRef::constructXRef in XRef.cc.
NOTE: 2. ...)
- xpdf <not-affected> (xpdf in Debian uses poppler, which is fixed)
-CVE-2019-15859
- RESERVED
+CVE-2019-15859 (Password disclosure in the web interface on socomec DIRIS A-40
devices ...)
+ TODO: check
CVE-2019-15858 (admin/includes/class.import.snippet.php in the "Woody ad
snippets" plu ...)
NOT-FOR-US: "Woody ad snippets" plugin for WordPress
CVE-2019-15857
@@ -4211,8 +4289,8 @@ CVE-2019-15721 (An issue was discovered in GitLab
Community and Enterprise Editi
NOTE:
https://about.gitlab.com/2019/08/29/security-release-gitlab-12-dot-2-dot-3-released/
CVE-2019-15720 (CloudBerry Backup v6.1.2.34 allows local privilege escalation
via a Pr ...)
NOT-FOR-US: CloudBerry Backup
-CVE-2019-15719
- RESERVED
+CVE-2019-15719 (Altair PBS Professional through 19.1.2 allows Privilege
Escalation bec ...)
+ TODO: check
CVE-2019-15718 (In systemd 240, bus_open_system_watch_bind_with_description in
shared/ ...)
- systemd 242-7 (bug #939353)
[buster] - systemd <no-dsa> (Minor issue; systemd-resolved not enabled
by default)
@@ -5578,8 +5656,8 @@ CVE-2019-15228 (FUEL CMS 1.4.4 has XSS in the Create
Blocks section of the Admin
NOT-FOR-US: FUEL CMS
CVE-2019-15227 (FlightPath 4.8.3 has XSS in the Content, Edit urgent message,
and User ...)
NOT-FOR-US: FlightPath
-CVE-2019-15226
- RESERVED
+CVE-2019-15226 (Upon receiving each incoming request header data, Envoy will
iterate o ...)
+ TODO: check
CVE-2019-15225 (In Envoy through 1.11.1, users may configure a route to match
incoming ...)
NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651)
CVE-2019-15224 (The rest-client gem 1.6.10 through 1.6.13 for Ruby, as
distributed on ...)
@@ -7105,8 +7183,8 @@ CVE-2019-14809 (net/url in Go before 1.11.13 and 1.12.x
before 1.12.8 mishandles
NOTE: Issue: https://github.com/golang/go/issues/29098
NOTE:
https://github.com/golang/go/commit/c1d9ca70995dc232a2145e3214f94e03409f6fcc
(golang-1.11)
NOTE:
https://github.com/golang/go/commit/3226f2d492963d361af9dfc6714ef141ba606713
(golang-1.12)
-CVE-2019-14808
- RESERVED
+CVE-2019-14808 (An issue was discovered in the RENPHO application 3.0.0 for
iOS. It tr ...)
+ TODO: check
CVE-2019-14807 (In the MobileFrontend extension 1.31 through 1.33 for
MediaWiki, XSS e ...)
NOT-FOR-US: MobileFrontend extension for MediaWiki
CVE-2019-14806 (Pallets Werkzeug before 0.15.3, when used with Docker, has
insufficien ...)
@@ -9137,9 +9215,9 @@ CVE-2019-14283 (In the Linux kernel before 5.2.3,
set_geometry in drivers/block/
NOTE: Fixed by:
https://git.kernel.org/linus/da99466ac243f15fbba65bd261bfc75ffa1532b6
CVE-2019-1020019 (invenio-previewer before 1.0.0a12 allows XSS. ...)
NOT-FOR-US: invenio-previewer
-CVE-2019-1020018 (Discourse before v2.4.0.beta2 lacks a confirmation screen
when logging ...)
+CVE-2019-1020018 (Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a
confirmati ...)
NOT-FOR-US: Discourse
-CVE-2019-1020017 (Discourse before v2.4.0.beta2 lacks a confirmation screen
when logging ...)
+CVE-2019-1020017 (Discourse before 2.3.0 and 2.4.x before 2.4.0.beta3 lacks a
confirmati ...)
NOT-FOR-US: Discourse
CVE-2019-1020016 (ASH-AIO before 2.0.0.3 allows an open redirect. ...)
NOT-FOR-US: ASH-AIO
@@ -11938,8 +12016,8 @@ CVE-2019-13531
RESERVED
CVE-2019-13530 (Philips IntelliVue WLAN, portable patient monitors, WLAN
Version A, Fi ...)
NOT-FOR-US: Philips
-CVE-2019-13529
- RESERVED
+CVE-2019-13529 (An attacker could send a malicious link to an authenticated
operator, ...)
+ TODO: check
CVE-2019-13528 (A specific utility may allow an attacker to gain read access
to privil ...)
NOT-FOR-US: Niagara
CVE-2019-13527 (In Rockwell Automation Arena Simulation Software Cat. 9502-Ax,
Version ...)
@@ -13253,8 +13331,8 @@ CVE-2019-13053 (Logitech Unifying devices allow
keystroke injection, bypassing e
NOT-FOR-US: Logitech
CVE-2019-13052 (Logitech Unifying devices allow live decryption if the pairing
of a ke ...)
NOT-FOR-US: Logitech
-CVE-2019-13051
- RESERVED
+CVE-2019-13051 (Pi-Hole 4.3 allows Command Injection. ...)
+ TODO: check
CVE-2019-13050 (Interaction between the sks-keyserver code through 1.2.0 of
the SKS ke ...)
NOT-FOR-US: Conceptual weakness in PGP keyserver design
CVE-2019-13049 (An integer wrap in kernel/sys/syscall.c in ToaruOS 1.10.10
allows user ...)
@@ -17947,8 +18025,8 @@ CVE-2019-11343
RESERVED
CVE-2019-11342
RESERVED
-CVE-2019-11341
- RESERVED
+CVE-2019-11341 (On certain Samsung P(9.0) phones, an attacker with physical
access can ...)
+ TODO: check
CVE-2019-11340 (util/emailutils.py in Matrix Sydent before 1.0.2 mishandles
registrati ...)
NOT-FOR-US: Matrix Sydent
CVE-2019-11339 (The studio profile decoder in libavcodec/mpeg4videodec.c in
FFmpeg 4.0 ...)
@@ -18269,8 +18347,8 @@ CVE-2019-11214
RESERVED
CVE-2019-11213 (In Pulse Secure Pulse Desktop Client and Network Connect, an
attacker ...)
NOT-FOR-US: Pulse Secure Pulse Desktop Client and Network Connect
-CVE-2019-11212
- RESERVED
+CVE-2019-11212 (The MDM server component of TIBCO Software Inc's TIBCO MDM
contains mu ...)
+ TODO: check
CVE-2019-11211 (The server component of TIBCO Software Inc.'s TIBCO Enterprise
Runtime ...)
NOT-FOR-US: TIBCO
CVE-2019-11210 (The server component of TIBCO Software Inc.'s TIBCO Enterprise
Runtime ...)
@@ -31600,8 +31678,7 @@ CVE-2019-6472 [A packet containing a malformed DUID can
cause the kea-dhcp6 serv
- isc-kea <unfixed> (bug #936040)
[stretch] - isc-kea <no-dsa> (Minor issue)
NOTE: https://kb.isc.org/docs/cve-2019-6472
-CVE-2019-6471 [A race condition when discarding malformed packets can cause
BIND to exit with an assertion failure]
- RESERVED
+CVE-2019-6471 (A race condition which may occur when discarding malformed
packets can ...)
- bind9 1:9.11.5.P4+dfsg-5.1 (bug #930746)
[stretch] - bind9 <not-affected> (Only affects 9.11 and later)
[jessie] - bind9 <not-affected> (Only affects 9.11 and later)
@@ -31620,22 +31697,18 @@ CVE-2019-6470 [DHCPv6 server crashes regularly]
NOTE: isc-dhcp builds against system bind library, and commit for
upstream
NOTE: issue 4829 is first introduced in 9.11.3+dfsg-1. The underlying
issue
NOTE: is only uncovered when build gainst versions >= 9.11.3.
-CVE-2019-6469
- RESERVED
+CVE-2019-6469 (An error in the EDNS Client Subnet (ECS) feature for recursive
resolve ...)
- bind9 <not-affected> (Only affects Supported Preview
Edition/Subscription Edition)
NOTE: https://kb.isc.org/docs/cve-2019-6469
-CVE-2019-6468
- RESERVED
+CVE-2019-6468 (In BIND Supported Preview Edition, an error in the
nxdomain-redirect f ...)
- bind9 <not-affected> (Only affects Supported Preview
Edition/Subscription Edition)
NOTE: https://kb.isc.org/docs/cve-2019-6468
-CVE-2019-6467 [An error in the nxdomain redirect feature can cause BIND to
exit with an INSIST assertion failure in query.c]
- RESERVED
+CVE-2019-6467 (A programming error in the nxdomain-redirect feature can cause
an asse ...)
- bind9 <not-affected> (Vulnerable code only present in 9.12 onwards)
NOTE: https://kb.isc.org/docs/cve-2019-6467
CVE-2019-6466
RESERVED
-CVE-2019-6465 [Zone transfer controls for writable DLZ zones were not
effective]
- RESERVED
+CVE-2019-6465 (Controls for zone transfers may not be properly applied to
Dynamically ...)
{DSA-4440-1 DLA-1697-1}
- bind9 1:9.11.5.P4+dfsg-1 (low; bug #922955)
NOTE: https://kb.isc.org/docs/cve-2019-6465
@@ -34210,10 +34283,10 @@ CVE-2019-5509
RESERVED
CVE-2019-5508
RESERVED
-CVE-2019-5507
- RESERVED
-CVE-2019-5506
- RESERVED
+CVE-2019-5507 (SnapManager for Oracle prior to version 3.4.2P1 are susceptible
to a v ...)
+ TODO: check
+CVE-2019-5506 (Clustered Data ONTAP versions 9.0 and higher do not enforce
hostname v ...)
+ TODO: check
CVE-2019-5505 (ONTAP Select Deploy administration utility versions 2.2 through
2.12.1 ...)
NOT-FOR-US: ONTAP
CVE-2019-5504 (ONTAP Select Deploy administration utility versions 2.12 &
2.12.1 ...)
@@ -36301,8 +36374,8 @@ CVE-2019-4560
RESERVED
CVE-2019-4559
RESERVED
-CVE-2019-4558
- RESERVED
+CVE-2019-4558 (A security vulnerability has been identified in all levels of
IBM Spec ...)
+ TODO: check
CVE-2019-4557
RESERVED
CVE-2019-4556
@@ -36393,8 +36466,8 @@ CVE-2019-4514 (IBM Security Key Lifecycle Manager 2.6,
2.7, 3.0, and 3.0.1 discl
NOT-FOR-US: IBM
CVE-2019-4513 (IBM Security Access Manager for Enterprise Single Sign-On 8.2.2
is vul ...)
NOT-FOR-US: IBM
-CVE-2019-4512
- RESERVED
+CVE-2019-4512 (IBM Maximo Asset Management 7.6.1.1 generates an error message
that in ...)
+ TODO: check
CVE-2019-4511
RESERVED
CVE-2019-4510
@@ -38404,10 +38477,10 @@ CVE-2019-3655
RESERVED
CVE-2019-3654
RESERVED
-CVE-2019-3653
- RESERVED
-CVE-2019-3652
- RESERVED
+CVE-2019-3653 (Improper access control vulnerability in Configuration tool in
McAfee ...)
+ TODO: check
+CVE-2019-3652 (Code Injection vulnerability in EPSetup.exe in McAfee Endpoint
Securit ...)
+ TODO: check
CVE-2019-3651
RESERVED
CVE-2019-3650
@@ -87233,8 +87306,7 @@ CVE-2018-5747 (In Long Range Zip (aka lrzip) 0.631,
there is a use-after-free in
NOTE: https://github.com/ckolivas/lrzip/issues/90
CVE-2018-5746
RESERVED
-CVE-2018-5745 [An assertion failure can occur if a trust anchor rolls over to
an unsupported key algorithm when using managed-keys]
- RESERVED
+CVE-2018-5745 ("managed-keys" is a feature which allows a BIND resolver to
automatica ...)
{DSA-4440-1 DLA-1697-1}
- bind9 1:9.11.5.P4+dfsg-1 (low; bug #922954)
NOTE: https://kb.isc.org/docs/cve-2018-5745
@@ -87242,16 +87314,14 @@ CVE-2018-5745 [An assertion failure can occur if a
trust anchor rolls over to an
NOTE:
https://gitlab.isc.org/isc-projects/bind9/commit/38c2bdba0a5b785ef9f2da2329838b931754b3e4
(test)
NOTE:
https://gitlab.isc.org/isc-projects/bind9/commit/f09352d20a9d360e50683cd1d2fc52ccedcd77a0
NOTE:
https://gitlab.isc.org/isc-projects/bind9/commit/3022633d795bc9f04103ac9a354c026ce9b4eea3
(test)
-CVE-2018-5744 [A specially crafted packet can cause named to leak memory]
- RESERVED
+CVE-2018-5744 (A failure to free memory can occur when processing messages
having a s ...)
- bind9 1:9.11.5.P4+dfsg-1 (bug #922953)
[stretch] - bind9 <not-affected> (Vulnerable code introduced later; in
.9.10 branch in 9.10.7 only)
[jessie] - bind9 <not-affected> (Vulnerable code introduced later)
NOTE: https://kb.isc.org/docs/cve-2018-5744
NOTE:
https://gitlab.isc.org/isc-projects/bind9/commit/35025b6e88b726ae89caacbb312d1b40e5c20b4d
NOTE: Test:
https://gitlab.isc.org/isc-projects/bind9/commit/fe4810f1f8f75a4d5a96542fc6085109c94a3ee5
-CVE-2018-5743 [Limiting simultaneous TCP clients is ineffective]
- RESERVED
+CVE-2018-5743 (By design, BIND is intended to limit the number of TCP clients
that ca ...)
{DSA-4440-1 DLA-1859-1}
- bind9 1:9.11.5.P4+dfsg-4 (bug #927932)
NOTE: https://kb.isc.org/docs/cve-2018-5743
@@ -87318,8 +87388,7 @@ CVE-2018-5733 (A malicious client which is allowed to
send very large amounts of
NOTE: https://bugs.isc.org/Public/Bug/Display.html?id=47140
NOTE:
https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=197b26f25309f947b97a83b8fdfc414b767798f8
(4.4.1)
NOTE: Fixes for 4.3.6p1:
https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=99a25aedea02d9c259cb8fabf4be700fb32571a3
-CVE-2018-5732 [A specially constructed response from a malicious server can
cause a buffer overflow in dhclient]
- RESERVED
+CVE-2018-5732 (Failure to properly bounds-check a buffer used for processing
DHCP opt ...)
{DSA-4133-1 DLA-1313-1}
- isc-dhcp 4.3.5-3.1 (bug #891786)
NOTE: https://kb.isc.org/article/AA-01565/75/CVE-2018-5732
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/66956b59e7c16c2c74b666e6f5ba18e1efb9034e
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/66956b59e7c16c2c74b666e6f5ba18e1efb9034e
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
