Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
51cbb654 by security tracker role at 2019-10-31T20:10:30Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,21 @@
+CVE-2019-18657 (ClickHouse before 19.13.5.44 allows HTTP header injection via 
the url  ...)
+       TODO: check
+CVE-2019-18656 (Pimcore 6.2.3 has XSS in the translations grid because 
bundles/AdminBu ...)
+       TODO: check
+CVE-2019-18655
+       RESERVED
+CVE-2019-18654
+       RESERVED
+CVE-2019-18653
+       RESERVED
+CVE-2019-18652
+       RESERVED
+CVE-2019-18651
+       RESERVED
+CVE-2019-18650
+       RESERVED
+CVE-2018-21030 (Jupyter Notebook before 5.5.0 does not use a CSP header to 
treat serve ...)
+       TODO: check
 CVE-2019-18649
        RESERVED
 CVE-2019-18648
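Review bot: three of the new entries (CVE-2019-18657, CVE-2019-18656, CVE-2018-21030) are left at `TODO: check`, and because each description is truncated to one line the affected-package decision cannot be made from this file alone; every one needs a follow-up to either a package/version line (as `- openafs 1.8.5-1 (bug #943587)` further down) or a `NOT-FOR-US:` line. CVE-2018-21030 (Jupyter Notebook before 5.5.0) stands out because, unlike the vendor-specific products elsewhere in this diff, it names a widely packaged open-source project, so it should be checked against the archive rather than closed by analogy with the vendor entries.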
@@ -579,10 +597,10 @@ CVE-2019-18602 (OpenAFS before 1.6.24 and 1.8.x before 
1.8.5 is prone to an info
 CVE-2019-18603 (OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to 
information l ...)
        - openafs 1.8.5-1 (bug #943587)
        NOTE: http://openafs.org/pages/security/OPENAFS-SA-2019-001.txt
-CVE-2019-18465
-       RESERVED
-CVE-2019-18464
-       RESERVED
+CVE-2019-18465 (In Progress MOVEit Transfer 11.1 before 11.1.3, a 
vulnerability has be ...)
+       TODO: check
+CVE-2019-18464 (In Progress MOVEit Transfer 10.2 before 10.2.6 (2018.3), 11.0 
before 1 ...)
+       TODO: check
 CVE-2019-18463
        RESERVED
        [experimental] - gitlab 12.2.9-1
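Review bot: CVE-2019-18465 and CVE-2019-18464 both describe Progress MOVEit Transfer, a proprietary product, so the two `TODO: check` lines can most likely be resolved to a single `NOT-FOR-US: Progress MOVEit Transfer`, matching how vendor-only issues are handled elsewhere in the file (`NOT-FOR-US: Xiaomi`, `NOT-FOR-US: Samsung`). The unchanged context below also shows CVE-2019-18463 still marked RESERVED while already carrying `[experimental] - gitlab 12.2.9-1`; once MITRE publishes that description it should be updated the same way.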
@@ -712,28 +730,22 @@ CVE-2019-18427
        RESERVED
 CVE-2019-18426
        RESERVED
-CVE-2019-18425 [missing descriptor table limit checking in x86 PV emulation]
-       RESERVED
+CVE-2019-18425 (An issue was discovered in Xen through 4.12.x allowing 32-bit 
PV guest ...)
        - xen <unfixed>
        NOTE: https://xenbits.xen.org/xsa/advisory-298.html
-CVE-2019-18424 [passed through PCI devices may corrupt host memory after 
deassignment]
-       RESERVED
+CVE-2019-18424 (An issue was discovered in Xen through 4.12.x allowing 
attackers to ga ...)
        - xen <unfixed>
        NOTE: https://xenbits.xen.org/xsa/advisory-302.html
-CVE-2019-18423 [add-to-physmap can be abused to DoS Arm hosts]
-       RESERVED
+CVE-2019-18423 (An issue was discovered in Xen through 4.12.x allowing ARM 
guest OS us ...)
        - xen <unfixed>
        NOTE: https://xenbits.xen.org/xsa/advisory-301.html
-CVE-2019-18422 [ARM: Interrupts are unconditionally unmasked in exception 
handlers]
-       RESERVED
+CVE-2019-18422 (An issue was discovered in Xen through 4.12.x allowing ARM 
guest OS us ...)
        - xen <unfixed>
        NOTE: https://xenbits.xen.org/xsa/advisory-303.html
-CVE-2019-18421 [Issues with restartable PV type change operations]
-       RESERVED
+CVE-2019-18421 (An issue was discovered in Xen through 4.12.x allowing x86 PV 
guest OS ...)
        - xen <unfixed>
        NOTE: https://xenbits.xen.org/xsa/advisory-299.html
-CVE-2019-18420 [VCPUOP_initialise DoS]
-       RESERVED
+CVE-2019-18420 (An issue was discovered in Xen through 4.12.x allowing x86 PV 
guest OS ...)
        - xen <unfixed>
        NOTE: https://xenbits.xen.org/xsa/advisory-296.html
 CVE-2019-18419 (A cross-site scripting (XSS) vulnerability in index.php in 
ClonOS WEB  ...)
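Review bot: the six Xen entries lose their distinguishing internal titles (e.g. `[missing descriptor table limit checking in x86 PV emulation]`, `[VCPUOP_initialise DoS]`) in favour of MITRE texts that all begin `An issue was discovered in Xen through 4.12.x allowing ...` and are truncated before the distinguishing part, so the XSA `NOTE:` links are now the only way to tell them apart in this file. Consider carrying the old titles into a NOTE line (the file already uses free-text NOTE lines) so the per-issue summary survives. All six remain `- xen <unfixed>` with no severity or bug qualifier, which is worth revisiting once the XSA fixes land.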
@@ -839,26 +851,26 @@ CVE-2019-18371 (An issue was discovered on Xiaomi Mi WiFi 
R3G devices before 2.2
        NOT-FOR-US: Xiaomi
 CVE-2019-18370 (An issue was discovered on Xiaomi Mi WiFi R3G devices before 
2.28.23-s ...)
        NOT-FOR-US: Xiaomi
-CVE-2019-18369
-       RESERVED
-CVE-2019-18368
-       RESERVED
-CVE-2019-18367
-       RESERVED
-CVE-2019-18366
-       RESERVED
-CVE-2019-18365
-       RESERVED
-CVE-2019-18364
-       RESERVED
-CVE-2019-18363
-       RESERVED
-CVE-2019-18362
-       RESERVED
-CVE-2019-18361
-       RESERVED
-CVE-2019-18360
-       RESERVED
+CVE-2019-18369 (In JetBrains YouTrack before 2019.2.55152, removing tags from 
the issu ...)
+       TODO: check
+CVE-2019-18368 (In JetBrains Toolbox App before 1.15.5666 for Windows, 
privilege escal ...)
+       TODO: check
+CVE-2019-18367 (In JetBrains TeamCity before 2019.1.2, a non-destructive 
operation cou ...)
+       TODO: check
+CVE-2019-18366 (In JetBrains TeamCity before 2019.1.2, secure values could be 
exposed  ...)
+       TODO: check
+CVE-2019-18365 (In JetBrains TeamCity before 2019.1.4, reverse tabnabbing was 
possible ...)
+       TODO: check
+CVE-2019-18364 (In JetBrains TeamCity before 2019.1.4, insecure Java 
Deserialization c ...)
+       TODO: check
+CVE-2019-18363 (In JetBrains TeamCity before 2019.1.2, access could be gained 
to the h ...)
+       TODO: check
+CVE-2019-18362 (JetBrains MPS before 2019.2.2 exposed listening ports to the 
network. ...)
+       TODO: check
+CVE-2019-18361 (JetBrains IntelliJ IDEA before 2019.2 allows local user 
privilege esca ...)
+       TODO: check
+CVE-2019-18360 (In JetBrains Hub versions earlier than 2019.1.11738, username 
enumerat ...)
+       TODO: check
 CVE-2019-18359 (A buffer over-read was discovered in ReadMP3APETag in apetag.c 
in MP3G ...)
        - mp3gain <removed>
 CVE-2019-18358
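Review bot: all ten JetBrains entries are left at `TODO: check`, although CVE-2019-18368 is explicitly the Toolbox App for Windows and cannot affect Debian, and none of the other products named here (YouTrack, TeamCity, MPS, IntelliJ IDEA, Hub) is shipped as a Debian package; these look like candidates for `NOT-FOR-US: JetBrains` rather than open triage items.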
@@ -7056,8 +7068,8 @@ CVE-2019-16253 (The Text-to-speech Engine (aka 
SamsungTTS) application before 3.
        NOT-FOR-US: Samsung
 CVE-2019-16252
        RESERVED
-CVE-2019-16251
-       RESERVED
+CVE-2019-16251 (plugin-fw/lib/yit-plugin-panel-wc.php in the YIT Plugin 
Framework thro ...)
+       TODO: check
 CVE-2019-16250 (includes/wizard/wizard.php in the Ocean Extra plugin through 
1.5.8 for ...)
        NOT-FOR-US: Ocean Extra plugin for WordPress
 CVE-2019-16249 (OpenCV 4.1.1 has an out-of-bounds read in hal_baseline::v_load 
in core ...)
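Review bot: CVE-2019-16251 sits next to CVE-2019-16250, which is resolved as `NOT-FOR-US: Ocean Extra plugin for WordPress`; the `plugin-fw/lib/yit-plugin-panel-wc.php` path points to a WordPress/WooCommerce plugin framework, so the `TODO: check` here can most likely be closed the same way rather than left open.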
@@ -13293,8 +13305,8 @@ CVE-2019-14358
        RESERVED
 CVE-2019-14357 (** DISPUTED ** On Mooltipass Mini devices, a side channel for 
the row- ...)
        NOT-FOR-US: Mooltipass Mini devices
-CVE-2019-14356
-       RESERVED
+CVE-2019-14356 (** DISPUTED ** On Coldcard MK1 and MK2 devices, a side channel 
for the ...)
+       TODO: check
 CVE-2019-14355 (** DISPUTED ** On ShapeShift KeepKey devices, a side channel 
for the r ...)
        NOT-FOR-US: ShapeShift KeepKey devices
 CVE-2019-14354 (On Ledger Nano S and Nano X devices, a side channel for the 
row-based  ...)
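Review bot: CVE-2019-14356 belongs to the same run of `** DISPUTED **` row-based side-channel reports as CVE-2019-14357 (Mooltipass Mini), CVE-2019-14355 (KeepKey) and CVE-2019-14354 (Ledger), all of which are resolved `NOT-FOR-US` because they concern hardware-wallet devices; the Coldcard MK1/MK2 entry should get the same `NOT-FOR-US: Coldcard devices` resolution instead of `TODO: check`. The DISPUTED marker needs no change: it is part of the MITRE text and the file keeps it verbatim for the neighbours.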
@@ -18805,8 +18817,8 @@ CVE-2019-12616 (An issue was discovered in phpMyAdmin 
before 4.9.0. A vulnerabil
        NOTE: 
https://github.com/phpmyadmin/phpmyadmin/commit/015c404038c44279d95b6430ee5a0dddc97691ec
 CVE-2019-12613
        REJECTED
-CVE-2019-12612
-       RESERVED
+CVE-2019-12612 (An issue was discovered in Bitdefender BOX firmware versions 
before 2. ...)
+       TODO: check
 CVE-2019-12611 (An issue was discovered in Bitdefender BOX firmware versions 
before 2. ...)
        NOT-FOR-US: Bitdefender BOX firmware
 CVE-2019-12610
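Review bot: CVE-2019-12612 shares its opening text with CVE-2019-12611 directly below it (`An issue was discovered in Bitdefender BOX firmware versions before 2.`), and that entry is already `NOT-FOR-US: Bitdefender BOX firmware`; the new `TODO: check` should be resolved identically rather than left open.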
@@ -43583,12 +43595,12 @@ CVE-2019-3423
        RESERVED
 CVE-2019-3422
        RESERVED
-CVE-2019-3421
-       RESERVED
+CVE-2019-3421 (The 7520V3V1.0.0B09P27 version, and all earlier versions of ZTE 
produc ...)
+       TODO: check
 CVE-2019-3420
        RESERVED
-CVE-2019-3419
-       RESERVED
+CVE-2019-3419 (A security vulnerability exists in a management port in the 
version of ...)
+       TODO: check
 CVE-2019-3418 (All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are 
impacted  ...)
        NOT-FOR-US: ZTE
 CVE-2019-3417 (All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are 
impacted  ...)
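Review bot: CVE-2019-3421 names a ZTE product and sits in a block where CVE-2019-3418 and CVE-2019-3417 are both `NOT-FOR-US: ZTE`, so its `TODO: check` can be closed the same way. CVE-2019-3419 is less clear: its truncated description (`A security vulnerability exists in a management port in the version of ...`) does not name the vendor, so that one does need the full text before being resolved.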
@@ -255306,23 +255318,19 @@ CVE-2013-1936
 CVE-2013-1935 (A certain Red Hat patch to the KVM subsystem in the kernel 
package bef ...)
        - linux <not-affected> (RHEL-specific backport regression)
        - linux-2.6 <not-affected> (RHEL-specific backport regression)
-CVE-2013-1934 [mantis: XSS issue in adm_config_report.php when displaying 
complex value]
-       RESERVED
+CVE-2013-1934 (A cross-site scripting (XSS) vulnerability in the configuration 
report ...)
        {DSA-3120-1}
        - mantis <removed> (low; bug #717482)
        [squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts)
 CVE-2013-1933 (The extract_from_ocr function in lib/docsplit/text_extractor.rb 
in the ...)
        NOT-FOR-US: Karteek Docsplit Ruby Gem
-CVE-2013-1932 [mantis: XSS vulnerability on Configuration Report page]
-       RESERVED
+CVE-2013-1932 (A cross-site scripting (XSS) vulnerability in the configuration 
report ...)
        - mantis <not-affected> (affects Mantis 1.2.13 only)
        NOTE: http://www.openwall.com/lists/oss-security/2013/04/04/8
-CVE-2013-1931 [mantis: XSS vulnerability when deleting a version]
-       RESERVED
+CVE-2013-1931 (A cross-site scripting (XSS) vulnerability in MantisBT 1.2.14 
allows r ...)
        - mantis <not-affected> (affects Mantis 1.2.14 only)
        NOTE: http://www.openwall.com/lists/oss-security/2013/04/04/8
-CVE-2013-1930 [mantis: Close button available to users despite workflow 
restrictions]
-       RESERVED
+CVE-2013-1930 (MantisBT 1.2.12 before 1.2.15 allows authenticated users to by 
the wor ...)
        - mantis <not-affected> (affects only Mantis 1.2.12 and later)
        NOTE: http://www.openwall.com/lists/oss-security/2013/04/04/8
 CVE-2013-1929 (Heap-based buffer overflow in the tg3_read_vpd function in 
drivers/net ...)
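Review bot: the description now recorded for CVE-2013-1930 reads `allows authenticated users to by the wor ...`, which looks like a word dropped from the source sentence rather than plain truncation; the replaced title `[mantis: Close button available to users despite workflow restrictions]` gives the intended meaning, so the text should be checked against the MITRE entry before the old title is discarded. Separately, CVE-2013-1934 and CVE-2013-1932 now carry identical truncated descriptions (`A cross-site scripting (XSS) vulnerability in the configuration report ...`) where the old titles distinguished adm_config_report.php from the Configuration Report page; the status lines (`{DSA-3120-1}` versus `affects Mantis 1.2.13 only`) are now the only differentiator, so a NOTE line preserving the old title would help.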
@@ -255391,8 +255399,7 @@ CVE-2013-1912 (Buffer overflow in HAProxy 1.4 through 
1.4.22 and 1.5-dev through
        NOTE: http://git.1wt.eu/web?p=haproxy-1.4.git;a=commitdiff;h=dc80672211
 CVE-2013-1911 (lib/ldoce/word.rb in the ldoce 0.0.2 gem for Ruby allows remote 
attack ...)
        NOT-FOR-US: ldoce ruby gem
-CVE-2013-1910 [Not removing bad metadata and using it in next run]
-       RESERVED
+CVE-2013-1910 (yum does not properly handle bad metadata, which allows an 
attacker to ...)
        - yum <unfixed> (unimportant)
        NOTE: 
http://yum.baseurl.org/gitweb?p=yum.git;a=commitdiff;h=c148eb10b798270b3d15087433c8efb2a79a69d0
        NOTE: Only used for bootstraps of chroots, see README.Debian
@@ -298995,8 +299002,7 @@ CVE-2010-2491 (Cross-site scripting (XSS) 
vulnerability in cgi/client.py in Roun
        - roundup 1.4.13-3.1 (bug #590769)
        NOTE: http://bugs.gentoo.org/show_bug.cgi?id=326395
        NOTE: 
http://roundup.svn.sourceforge.net/viewvc/roundup?view=revision&revision=4486
-CVE-2010-2490 [murmur DoS via malformed client query]
-       RESERVED
+CVE-2010-2490 (Mumble: murmur-server has DoS due to malformed client query ...)
        - mumble 1.2.2-4 (bug #587713)
        [lenny] - mumble <no-dsa> (Minor issue)
        - qt4-x11 <not-affected> (low; bug #587713)
@@ -307182,8 +307188,7 @@ CVE-2009-4297 (Multiple cross-site request forgery 
(CSRF) vulnerabilities in Moo
        {DSA-1986-1}
        - moodle 1.8.2.dfsg-6 (bug #559531)
        NOTE: MSA-09-0022
-CVE-2009-5042 [docutils insecure usage of temporary files]
-       RESERVED
+CVE-2009-5042 (python-docutils allows insecure usage of temporary files ...)
        - python-docutils 0.6-2 (low; bug #560755)
        [etch] - python-docutils <not-affected> (vulnerable code introduced in 
0.5)
        [lenny] - python-docutils 0.5-2+lenny1
@@ -309420,8 +309425,7 @@ CVE-2009-3525 (The pyGrub boot loader in Xen 3.0.3, 
3.3.0, and Xen-3.3.1 does no
        NOTE: This is an enhancement, not a security issue.
        NOTE: A user must have access to a guest hard drive image in order to 
boot it,
        NOTE: so he can simply mount the drive and remove the password option.
-CVE-2009-5041 [buffer overflow in overkill]
-       RESERVED
+CVE-2009-5041 (overkill has buffer overflow via long player names that can 
corrupt da ...)
        - overkill 0.16-14.1 (bug #549310; low)
        [lenny] - overkill <no-dsa> (Minor issue)
        [etch] - overkill <no-dsa> (Minor issue)
@@ -311612,8 +311616,7 @@ CVE-2009-3369 (CgiUserConfigEdit in BackupPC 3.1.0, 
when SSH keys and Rsync are
        - backuppc 3.1.0-8 (low; bug #542218)
        [etch] - backuppc <not-affected> (No configuration GUI)
        [lenny] - backuppc 3.1.0-4lenny2
-CVE-2009-5043 [burn: Insecure escaping of file names]
-       RESERVED
+CVE-2009-5043 (burn allows file names to escape via mishandled quotation marks 
...)
        - burn 0.4.5-1 (low; bug #542329)
        [lenny] - burn 0.4.3-2.1+lenny1
        [etch] - burn <no-dsa> (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/51cbb6543f4a85d923761654ea842ca59cc6d565

_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits