Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: a0099270 by security tracker role at 2019-10-30T20:10:33Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -1107,14 +1107,14 @@ CVE-2019-18209 (templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the brows - etherpad-lite <itp> (bug #576998) CVE-2019-18208 RESERVED -CVE-2019-18207 - RESERVED -CVE-2019-18206 - RESERVED -CVE-2019-18205 - RESERVED -CVE-2019-18204 - RESERVED +CVE-2019-18207 (In Zucchetti InfoBusiness before and including 4.4.1, an authenticated ...) + TODO: check +CVE-2019-18206 (A cross-site request forgery (CSRF) vulnerability in Zucchetti InfoBus ...) + TODO: check +CVE-2019-18205 (Multiple Reflected Cross-site Scripting (XSS) vulnerabilities exist in ...) + TODO: check +CVE-2019-18204 (Zucchetti InfoBusiness before and including 4.4.1 allows any authentic ...) + TODO: check CVE-2019-18203 (On the RICOH MP 501 printer, HTML Injection and Stored XSS vulnerabili ...) NOT-FOR-US: Ricoh CVE-2019-18202 (Information Disclosure is possible on WAGO Series PFC100 and PFC200 de ...) @@ -7428,6 +7428,7 @@ CVE-2019-16098 (The driver in Micro-Star MSI Afterburner 4.6.2.15658 (aka RTCore CVE-2019-16097 (core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users ...) NOT-FOR-US: Harbor CVE-2016-10937 (IMAPFilter through 2.6.12 does not validate the hostname in an SSL cer ...) + {DLA-1976-1} - imapfilter 1:2.6.13-1 (bug #939702) [buster] - imapfilter <no-dsa> (Minor issue) [stretch] - imapfilter <no-dsa> (Minor issue) @@ -8563,9 +8564,10 @@ CVE-2019-15684 RESERVED CVE-2019-15683 (TurboVNC server code contains stack buffer overflow vulnerability in c ...) TODO: check -CVE-2019-15682 - RESERVED +CVE-2019-15682 (RDesktop version 1.8.4 contains multiple out-of-bound access read vuln ...) + TODO: check CVE-2019-15681 (LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains ...) + {DLA-1977-1} - libvncserver <unfixed> (bug #943793) NOTE: https://github.com/LibVNC/libvncserver/commit/d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a CVE-2019-15680 (TightVNC code version 1.3.10 contains null pointer dereference in Hand ...) @@ -11143,6 +11145,7 @@ CVE-2019-14860 NOT-FOR-US: Syndesis CVE-2019-14859 [DER encoding is not being verified in signatures] RESERVED + {DLA-1978-1} - python-ecdsa 0.13.3-1 NOTE: https://github.com/warner/python-ecdsa/issues/114 NOTE: Upstream patches: @@ -11167,6 +11170,7 @@ CVE-2019-14854 NOT-FOR-US: OpenShift CVE-2019-14853 RESERVED + {DLA-1978-1} - python-ecdsa 0.13.3-1 NOTE: https://github.com/warner/python-ecdsa/issues/114 NOTE: Upstream patches: @@ -26829,9 +26833,9 @@ CVE-2019-1010098 RESERVED CVE-2019-1010097 RESERVED -CVE-2019-1010096 (domainmod(https://domainmod.org/) domainmod v4.10.0 is affected by: Cr ...) +CVE-2019-1010096 (DomainMOD v4.10.0 is affected by: Cross Site Request Forgery (CSRF). T ...) NOT-FOR-US: domainmod -CVE-2019-1010095 (domainmod(https://domainmod.org/) domainmod v4.10.0 is affected by: Cr ...) +CVE-2019-1010095 (DomainMOD v4.10.0 is affected by: Cross Site Request Forgery (CSRF). T ...) NOT-FOR-US: domainmod CVE-2019-1010094 (domainmod v4.10.0 is affected by: Cross Site Request Forgery (CSRF). T ...) NOT-FOR-US: domainmod @@ -30310,6 +30314,7 @@ CVE-2019-8773 CVE-2019-8772 RESERVED CVE-2019-8771 + RESERVED - webkit2gtk 2.26.0-1 [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) [jessie] - webkit2gtk <ignored> (Not covered by security support in jessie) @@ -30317,11 +30322,13 @@ CVE-2019-8771 CVE-2019-8770 RESERVED CVE-2019-8769 + RESERVED - webkit2gtk 2.26.0-1 [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) [jessie] - webkit2gtk <ignored> (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0005.html CVE-2019-8768 + RESERVED - webkit2gtk 2.24.0-1 [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) [jessie] - webkit2gtk <ignored> (Not covered by security support in jessie) @@ -30335,6 +30342,7 @@ CVE-2019-8765 CVE-2019-8764 RESERVED CVE-2019-8763 + RESERVED - webkit2gtk 2.24.4-1 [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) [jessie] - webkit2gtk <ignored> (Not covered by security support in jessie) @@ -30394,6 +30402,7 @@ CVE-2019-8737 CVE-2019-8736 RESERVED CVE-2019-8735 + RESERVED - webkit2gtk 2.24.2-1 [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) [jessie] - webkit2gtk <ignored> (Not covered by security support in jessie) @@ -30401,6 +30410,7 @@ CVE-2019-8735 CVE-2019-8734 RESERVED CVE-2019-8733 + RESERVED - webkit2gtk 2.24.4-1 [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) [jessie] - webkit2gtk <ignored> (Not covered by security support in jessie) @@ -30418,6 +30428,7 @@ CVE-2019-8728 CVE-2019-8727 RESERVED CVE-2019-8726 + RESERVED - webkit2gtk 2.24.3-1 [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) [jessie] - webkit2gtk <ignored> (Not covered by security support in jessie) @@ -30433,11 +30444,13 @@ CVE-2019-8722 CVE-2019-8721 RESERVED CVE-2019-8720 + RESERVED - webkit2gtk 2.26.0-1 [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) [jessie] - webkit2gtk <ignored> (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0005.html CVE-2019-8719 + RESERVED - webkit2gtk 2.24.4-1 [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) [jessie] - webkit2gtk <ignored> (Not covered by security support in jessie) @@ -30465,6 +30478,7 @@ CVE-2019-8709 CVE-2019-8708 RESERVED CVE-2019-8707 + RESERVED - webkit2gtk 2.24.4-1 [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) [jessie] - webkit2gtk <ignored> (Not covered by security support in jessie) @@ -30609,6 +30623,7 @@ CVE-2019-8675 [stack-buffer-overflow in libcups's asn1_get_type function] [stretch] - cups 2.2.1-8+deb9u4 NOTE: https://github.com/apple/cups/commit/f24e6cf6a39300ad0c3726a41a4aab51ad54c109 CVE-2019-8674 + RESERVED - webkit2gtk 2.24.4-1 [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) [jessie] - webkit2gtk <ignored> (Not covered by security support in jessie) @@ -30750,6 +30765,7 @@ CVE-2019-8627 CVE-2019-8626 RESERVED CVE-2019-8625 + RESERVED - webkit2gtk 2.26.0-1 [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) [jessie] - webkit2gtk <ignored> (Not covered by security support in jessie) @@ -33162,11 +33178,9 @@ CVE-2019-7622 RESERVED CVE-2019-7621 RESERVED -CVE-2019-7620 - RESERVED +CVE-2019-7620 (Logstash versions before 7.4.1 and 6.8.4 contain a denial of service f ...) NOT-FOR-US: Logstash Beats -CVE-2019-7619 - RESERVED +CVE-2019-7619 (Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username ...) - elasticsearch <removed> CVE-2019-7618 (A local file disclosure flaw was found in Elastic Code versions 7.3.0, ...) NOT-FOR-US: Elastic Code @@ -56147,8 +56161,8 @@ CVE-2018-18680 RESERVED CVE-2018-18679 RESERVED -CVE-2018-18678 - RESERVED +CVE-2018-18678 (GNUBOARD5 before 5.3.2.0 has XSS that allows remote attackers to injec ...) + TODO: check CVE-2018-18677 RESERVED CVE-2018-18676 (GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbit ...) @@ -62301,8 +62315,8 @@ CVE-2018-16418 (A buffer overflow when handling string concatenation in util_acl [stretch] - opensc 0.16.0-3+deb9u1 NOTE: https://github.com/OpenSC/OpenSC/commit/360e95d45ac4123255a4c796db96337f332160ad#diff-628c8445c4e7ae92bbc4be08ba11a4c3 NOTE: https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/ -CVE-2018-16417 - RESERVED +CVE-2018-16417 (Aruba Instant 4.x prior to 6.4.4.8-4.2.4.12, 6.5.x prior to 6.5.4.11, ...) + TODO: check CVE-2018-16416 (Cross-site request forgery (CSRF) vulnerability in my_profile/edit?inl ...) NOT-FOR-US: FUEL CMS CVE-2018-16415 @@ -91864,8 +91878,7 @@ CVE-2018-5743 (By design, BIND is intended to limit the number of TCP clients th NOTE: https://gitlab.isc.org/isc-projects/bind9/commit/d01023aaac35543daffbdf48464e320150235d41 NOTE: Additionally: https://lists.isc.org/pipermail/bind-users/2019-April/101673.html NOTE: https://gitlab.isc.org/isc-projects/bind9/merge_requests/1864.patch -CVE-2018-5742 [Crash from assertion error when debug log level is 10 and log entries meet buffer boundary] - RESERVED +CVE-2018-5742 (While backporting a feature for a newer branch of BIND9, RedHat introd ...) - bind9 <not-affected> (Introduced via RedHat specific backport of Negative Trust Anchor (NTA) feature) NOTE: https://www.openwall.com/lists/oss-security/2018/12/19/6 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1655844 @@ -91901,8 +91914,7 @@ CVE-2018-5737 (A problem with the implementation of the new serve-stale feature CVE-2018-5736 (An error in zone database reference counting can lead to an assertion ...) - bind9 <not-affected> (only affects 9.12, not yet packaged) NOTE: https://kb.isc.org/article/AA-01602 -CVE-2018-5735 [assertion failure in validator.c:1858] - RESERVED +CVE-2018-5735 (The Debian backport of the fix for CVE-2017-3137 leads to assertion fa ...) {DLA-1285-1} - bind9 1:9.9.3.dfsg.P2-1 (bug #889285) NOTE: Issue similar/closely related to the CVE-2017-3139 issue in Red Hat. @@ -96172,19 +96184,19 @@ CVE-2018-4082 (An issue was discovered in certain Apple products. iOS before 11. CVE-2018-4081 RESERVED CVE-2018-4080 - RESERVED + REJECTED CVE-2018-4079 - RESERVED + REJECTED CVE-2018-4078 - RESERVED + REJECTED CVE-2018-4077 - RESERVED + REJECTED CVE-2018-4076 - RESERVED + REJECTED CVE-2018-4075 - RESERVED + REJECTED CVE-2018-4074 - RESERVED + REJECTED CVE-2018-4073 (An exploitable Permission Assignment vulnerability exists in the ACEMa ...) NOT-FOR-US: Sierra Wireless AirLink ES450 firmware CVE-2018-4072 (An exploitable Permission Assignment vulnerability exists in the ACEMa ...) @@ -96212,7 +96224,7 @@ CVE-2018-4062 (A hard-coded credentials vulnerability exists in the snmpd functi CVE-2018-4061 (An exploitable command injection vulnerability exists in the ACEManage ...) NOT-FOR-US: Sierra Wireless AirLink ES450 firmware CVE-2018-4060 - RESERVED + REJECTED CVE-2018-4059 (An exploitable unsafe default configuration vulnerability exists in th ...) {DSA-4373-1 DLA-1671-1} - coturn 4.5.1.0-1 @@ -96617,7 +96629,7 @@ CVE-2018-3871 (An exploitable out-of-bounds write exists in the PCX parsing func CVE-2018-3870 (An exploitable out-of-bounds write exists in the PCX parsing functiona ...) NOT-FOR-US: Canvas Draw CVE-2018-3869 - RESERVED + REJECTED CVE-2018-3868 (A specially crafted TIFF image processed via the application can lead ...) NOT-FOR-US: Computerinsel Photoline CVE-2018-3867 (An exploitable stack-based buffer overflow vulnerability exists in the ...) @@ -108529,65 +108541,65 @@ CVE-2017-16994 (The walk_hugetlb_range function in mm/pagewalk.c in the Linux ke [wheezy] - linux <not-affected> (Vulnerable code introduced in 4.0) NOTE: Fixed by: https://git.kernel.org/linus/373c4557d2aa362702c4c2d41288fb1e54990b7c (4.15-rc1) CVE-2017-16993 - RESERVED + REJECTED CVE-2017-16992 - RESERVED + REJECTED CVE-2017-16991 - RESERVED + REJECTED CVE-2017-16990 - RESERVED + REJECTED CVE-2017-16989 - RESERVED + REJECTED CVE-2017-16988 - RESERVED + REJECTED CVE-2017-16987 - RESERVED + REJECTED CVE-2017-16986 - RESERVED + REJECTED CVE-2017-16985 - RESERVED + REJECTED CVE-2017-16984 - RESERVED + REJECTED CVE-2017-16983 - RESERVED + REJECTED CVE-2017-16982 - RESERVED + REJECTED CVE-2017-16981 - RESERVED + REJECTED CVE-2017-16980 - RESERVED + REJECTED CVE-2017-16979 - RESERVED + REJECTED CVE-2017-16978 - RESERVED + REJECTED CVE-2017-16977 - RESERVED + REJECTED CVE-2017-16976 - RESERVED + REJECTED CVE-2017-16975 - RESERVED + REJECTED CVE-2017-16974 - RESERVED + REJECTED CVE-2017-16973 - RESERVED + REJECTED CVE-2017-16972 - RESERVED + REJECTED CVE-2017-16971 - RESERVED + REJECTED CVE-2017-16970 - RESERVED + REJECTED CVE-2017-16969 - RESERVED + REJECTED CVE-2017-16968 - RESERVED + REJECTED CVE-2017-16967 - RESERVED + REJECTED CVE-2017-16966 - RESERVED + REJECTED CVE-2017-16965 - RESERVED + REJECTED CVE-2017-16964 - RESERVED + REJECTED CVE-2017-16963 RESERVED CVE-2017-16962 (The WebMail components (Crystal, pronto, and pronto4) in CommuniGate P ...) @@ -110823,9 +110835,9 @@ CVE-2017-1000243 (Jenkins Favorite Plugin 2.1.4 and older does not perform permi CVE-2017-1000242 (Jenkins Git Client Plugin 2.4.2 and earlier creates temporary file wit ...) NOT-FOR-US: Jenkins plugin CVE-2017-16351 - RESERVED + REJECTED CVE-2017-16350 - RESERVED + REJECTED CVE-2017-16349 (An exploitable XML external entity vulnerability exists in the reporti ...) NOT-FOR-US: SAP CVE-2017-16348 (An exploitable denial of service vulnerability exists in Insteon Hub r ...) @@ -116739,7 +116751,7 @@ CVE-2017-14458 (An exploitable use-after-free vulnerability exists in the JavaSc CVE-2017-14457 (An exploitable information leak/denial of service vulnerability exists ...) - cpp-etherum <itp> (bug #860434) CVE-2017-14456 - RESERVED + REJECTED CVE-2017-14455 (On Insteon Hub 2245-222 devices with firmware version 1012, specially ...) NOT-FOR-US: Insteon Hub CVE-2017-14454 @@ -152582,7 +152594,7 @@ CVE-2017-2861 (An exploitable Denial of Service vulnerability exists in the use CVE-2017-2860 (An exploitable denial-of-service vulnerability exists in the lookup en ...) NOT-FOR-US: Natus Xltek NeuroWorks CVE-2017-2859 - RESERVED + REJECTED CVE-2017-2858 (An exploitable denial-of-service vulnerability exists in the traversal ...) NOT-FOR-US: Natus Xltek NeuroWorks CVE-2017-2857 (An exploitable buffer overflow vulnerability exists in the DDNS client ...) @@ -152827,11 +152839,11 @@ CVE-2017-2780 (An exploitable heap buffer overflow vulnerability exists in the X CVE-2017-2779 (An exploitable memory corruption vulnerability exists in the RSRC segm ...) NOT-FOR-US: Labview CVE-2017-2778 - RESERVED + REJECTED CVE-2017-2777 (An exploitable heap overflow vulnerability exists in the ipStringCreat ...) NOT-FOR-US: Iceni Argus CVE-2017-2776 - RESERVED + REJECTED CVE-2017-2775 (An exploitable memory corruption vulnerability exists in the LvVariant ...) NOT-FOR-US: Labview CVE-2017-2774 @@ -160839,9 +160851,9 @@ CVE-2016-9049 (An exploitable denial-of-service vulnerability exists in the fabr CVE-2016-9048 (Multiple exploitable SQL Injection vulnerabilities exists in ProcessMa ...) NOT-FOR-US: ProcessMaker Enterprise Core CVE-2016-9047 - RESERVED + REJECTED CVE-2016-9046 - RESERVED + REJECTED CVE-2016-9045 (A code execution vulnerability exists in ProcessMaker Enterprise Core ...) NOT-FOR-US: ProcessMaker Enterprise Core CVE-2016-9044 (An exploitable command execution vulnerability exists in Information B ...) @@ -162856,7 +162868,7 @@ CVE-2016-8383 (An exploitable heap corruption vulnerability exists in the Doc_Ge CVE-2016-8382 (An exploitable heap corruption vulnerability exists in the Doc_SetSumm ...) NOT-FOR-US: AntennaHouse CVE-2016-8381 - RESERVED + REJECTED CVE-2016-8380 (The web server in Phoenix Contact ILC PLCs allows access to read and w ...) NOT-FOR-US: web server in Phoenix Contact ILC PLCs CVE-2016-8379 (An issue was discovered in Moxa ioLogik E1210, firmware Version V2.4 a ...) @@ -286293,7 +286305,7 @@ CVE-2011-2187 - xscreensaver 5.14-1 (bug #627382) [squeeze] - xscreensaver <not-affected> (introduced in 5.13) CVE-2011-2186 - RESERVED + REJECTED NOTE: Disputed gitweb non-issue: https://bugzilla.redhat.com/show_bug.cgi?id=713298 CVE-2011-2181 (Multiple SQL injection vulnerabilities in A Really Simple Chat (ARSC) ...) NOT-FOR-US: A Really Simple Chat View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a0099270af077cce58fc32faea6cca0d7d2abb3a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a0099270af077cce58fc32faea6cca0d7d2abb3a You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits