Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
63e492b7 by Moritz Muehlenhoff at 2019-10-25T17:09:17Z
new qt issue
new libssh issue
new horde issues
collectd n/a
NFUs
libntlm, golang-1.[78] no-dsa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -298,7 +298,13 @@ CVE-2019-18283
 CVE-2019-18282
        RESERVED
 CVE-2019-18281 (An out-of-bounds memory access in the 
generateDirectionalRuns() functi ...)
-       TODO: check
+       - qtbase-opensource-src-gles <unfixed>
+       - qtbase-opensource-src <unfixed>
+       [buster] - qtbase-opensource-src <no-dsa> (Minor issue)
+       [stretch] - qtbase-opensource-src <not-affected> (Vulnerable code not 
present)
+       [jessie] - qtbase-opensource-src <not-affected> (Vulnerable code not 
present)
+       NOTE: 
https://github.com/qt/qtbase/commit/af6ac444c97ed2dc234f93fe457440c9da5482ea
+       NOTE: https://bugreports.qt.io/browse/QTBUG-77819
 CVE-2019-18280 (Sourcecodester Online Grading System 1.0 is affected by a 
Cross Site R ...)
        NOT-FOR-US: Sourcecodester Online Grading System
 CVE-2019-18279
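Review bot: the `[buster]` annotation covers only qtbase-opensource-src, while qtbase-opensource-src-gles is listed as `<unfixed>` with no per-release line; if the -gles source package is also shipped in buster (and stretch/jessie), it needs the same `<no-dsa>` / `<not-affected>` annotations, otherwise the tracker will show it as an open issue in those releases. The two NOTE lines (upstream commit af6ac444 and QTBUG-77819) are enough to locate the fix.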
@@ -448,9 +454,9 @@ CVE-2019-18215
 CVE-2019-18214 (The Video_Converter app 0.1.0 for Nextcloud allows denial of 
service ( ...)
        NOT-FOR-US: Video_Converter app for Nextcloud
 CVE-2019-18213 (XML Language Server (aka lsp4xml) before 0.9.1, as used in Red 
Hat XML ...)
-       TODO: check
+       NOT-FOR-US: XML Language Server (aka lsp4xml)
 CVE-2019-18212 (XMLLanguageService.java in XML Language Server (aka lsp4xml) 
before 0. ...)
-       TODO: check
+       NOT-FOR-US: XML Language Server (aka lsp4xml)
 CVE-2019-18211
        RESERVED
 CVE-2019-18210
@@ -2728,12 +2734,15 @@ CVE-2019-17596 (Go before 1.12.11 and 1.3.x before 
1.13.2 can panic upon an atte
        - golang-1.12 1.12.12-1 (bug #942629)
        - golang-1.11 <removed>
        - golang-1.8 <removed>
+       [stretch] - golang-1.8 <ignored> (Minor issue)
        - golang-1.7 <removed>
+       [stretch] - golang-1.7 <ignored> (Minor issue)
        - golang <removed>
        [jessie] - golang <ignored> (Minor issue)
        NOTE: https://golang.org/issue/34960
        NOTE: https://github.com/golang/go/issues/34962 (1.13 backport)
        NOTE: https://github.com/golang/go/issues/34961 (1.12 backport)
+       NOTE: 
https://groups.google.com/forum/#!msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ
 CVE-2019-17595 (There is a heap-based buffer over-read in the fmt_entry 
function in ti ...)
        - ncurses 6.1+20191019-1 (low; bug #942401)
        [buster] - ncurses <no-dsa> (Minor issue)
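Review bot: the commit message says `golang-1.[78] no-dsa`, but the added lines mark golang-1.8 and golang-1.7 in stretch as `<ignored>`; in the tracker `<ignored>` means the issue will not be fixed in that release at all, whereas `<no-dsa>` leaves room for a fix via a point release, so either the message or the data should be corrected so the two agree. Given both packages are already `<removed>` from unstable, `<ignored>` is defensible for a panic/DoS-class issue, but the intent should be stated consistently.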
@@ -3026,7 +3035,7 @@ CVE-2019-17528 (An issue was discovered in Bento4 
1.5.1.0. There is a SEGV in th
 CVE-2019-17527
        RESERVED
 CVE-2019-17526 (** DISPUTED ** An issue was discovered in SageMath Sage Cell 
Server th ...)
-       TODO: check
+       NOT-FOR-US: Sage Cell Server (not part of SafeMath as packaged in 
Debian)
 CVE-2019-17525
        RESERVED
 CVE-2019-17524
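Review bot: typo in the added NOT-FOR-US line: `SafeMath` should read `SageMath`, matching the CVE description (`SageMath Sage Cell Server`). The rationale itself (the Sage Cell Server is not part of SageMath as packaged in Debian) is clear.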
@@ -3088,7 +3097,9 @@ CVE-2019-17500
 CVE-2019-17499 (The setter.xml component of the Common Gateway Interface on 
Compal CH7 ...)
        NOT-FOR-US: Compal CH7465LG devices
 CVE-2019-17498 (In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT 
logic i ...)
-       TODO: check
+       - libssh <unfixed>
+       NOTE: 
https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c
+       NOTE: https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/
 CVE-2018-21028 (Boa through 0.94.14rc21 allows remote attackers to trigger a 
memory le ...)
        - boa <removed>
 CVE-2018-21027 (Boa through 0.94.14rc21 allows remote attackers to trigger an 
out-of-m ...)
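Review bot: the added entry names the wrong source package: the CVE description, the upstream commit (libssh2/libssh2) and the Semmle write-up all concern libssh2, but the line reads `- libssh <unfixed>`. Debian ships libssh (libssh.org) and libssh2 as separate source packages, so this should be `- libssh2 <unfixed>`; as written it opens a spurious issue against libssh and leaves libssh2 untracked. Once a BTS bug exists it should also carry a `(bug #NNNNNN)` reference (placeholder), and buster/stretch annotations as the other entries in this commit have.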
@@ -3218,6 +3229,8 @@ CVE-2019-17456
        RESERVED
 CVE-2019-17455 (Libntlm through 1.5 relies on a fixed buffer size for 
tSmbNtlmAuthRequ ...)
        - libntlm <unfixed> (bug #942145)
+       [buster] - libntlm <no-dsa> (Minor issue)
+       [stretch] - libntlm <no-dsa> (Minor issue)
        NOTE: https://gitlab.com/jas/libntlm/issues/2
 CVE-2019-17454 (Bento4 1.5.1.0 has a NULL pointer dereference in 
AP4_Descriptor::GetTa ...)
        NOT-FOR-US: Bento4
@@ -19451,9 +19464,11 @@ CVE-2019-12097 (Telerik Fiddler v5.0.20182.28034 
doesn't verify the hash of Enab
 CVE-2019-12096
        RESERVED
 CVE-2019-12095 (Horde Trean, as used in Horde Groupware Webmail Edition 
through 5.2.22 ...)
-       TODO: check
+       - php-horde-trean <unfixed>
+       NOTE: https://bugs.horde.org/ticket/14926
 CVE-2019-12094 (Horde Groupware Webmail Edition through 5.2.22 allows XSS via 
an admin ...)
-       TODO: check
+       - php-horde-groupware <unfixed>
+       NOTE: https://bugs.horde.org/ticket/14926
 CVE-2019-12093
        RESERVED
 CVE-2019-12092
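Review bot: both new Horde entries are `<unfixed>` with no `[buster]`/`[stretch]` annotations, so they will show as open in stable and oldstable; the other entries in this commit get `<no-dsa>` or `<not-affected>` lines and these two should be triaged the same way. Both CVEs point at the same upstream ticket (bugs.horde.org/ticket/14926); if that ticket covers only one of the two issues the other needs its own reference, and a link to the fixing upstream commit would make the backport status easier to verify.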
@@ -81867,7 +81882,7 @@ CVE-2018-XXXX [Multiple vulnerabilities in CiviCRM]
        - civicrm 4.7.30+dfsg-1 (bug #887330)
        NOTE: 
https://civicrm.org/blog/dev-team/security-release-civicrm-4726-and-4633-monthly-release-4727
 CVE-2017-18240 (The Gentoo app-admin/collectd package before 5.7.2-r1 sets the 
ownersh ...)
-       TODO: check
+       - collectd <not-affected> (Init scripts shipped by Debian are not 
affected)
 CVE-2018-8776
        RESERVED
 CVE-2018-8775



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/63e492b79ef7d091ffa71d84b302a3a41c1d6fe9

_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits