Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
191c92be by security tracker role at 2019-11-01T20:10:23Z
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -6,10 +6,10 @@ CVE-2019-18656 (Pimcore 6.2.3 has XSS in the translations
grid because bundles/A
NOT-FOR-US: Pimcore
CVE-2019-18655
RESERVED
-CVE-2019-18654
- RESERVED
-CVE-2019-18653
- RESERVED
+CVE-2019-18654 (A Cross Site Scripting (XSS) issue exists in AVG AntiVirus
(Internet S ...)
+ TODO: check
+CVE-2019-18653 (A Cross Site Scripting (XSS) issue exists in Avast AntiVirus
(Free, In ...)
+ TODO: check
CVE-2019-18652
RESERVED
CVE-2019-18651
@@ -44,8 +44,8 @@ CVE-2019-18638
RESERVED
CVE-2019-18637
RESERVED
-CVE-2019-18636
- RESERVED
+CVE-2019-18636 (A cross-site scripting (XSS) vulnerability in Jitbit .NET
Forum (aka A ...)
+ TODO: check
CVE-2019-18635 (An issue was discovered in Mooltipass Moolticute through
v0.42.1 and v ...)
NOT-FOR-US: Mooltipass Moolticute
CVE-2019-18634
@@ -5240,10 +5240,10 @@ CVE-2019-16910 (Arm Mbed TLS before 2.19.0 and Arm Mbed
Crypto before 2.0.0, whe
NOTE:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10
NOTE:
https://github.com/ARMmbed/mbedtls/commit/298a43a77ec0ed2c19a8c924ddd8571ef3e65dfd
(2.7.12)
NOTE:
https://github.com/ARMmbed/mbedtls/commit/33f66ba6fd234114aa37f0209dac031bb2870a9b
(2.16.3)
-CVE-2019-16909
- RESERVED
-CVE-2019-16908
- RESERVED
+CVE-2019-16909 (An issue was discovered in the Infosysta "In-App & Desktop
Notific ...)
+ TODO: check
+CVE-2019-16908 (An issue was discovered in the Infosysta "In-App & Desktop
Notific ...)
+ TODO: check
CVE-2019-16907 (An issue was discovered in the Infosysta "In-App & Desktop
Notific ...)
NOT-FOR-US: Infosysta
CVE-2019-16906 (An issue was discovered in the Infosysta "In-App & Desktop
Notific ...)
@@ -8919,8 +8919,8 @@ CVE-2019-15590
RESERVED
CVE-2019-15589
RESERVED
-CVE-2019-15588
- RESERVED
+CVE-2019-15588 (There is an OS Command Injection in Nexus Repository Manager
<= 2.1 ...)
+ TODO: check
CVE-2019-15587 (In the Loofah gem for Ruby through v2.3.0 unsanitized
JavaScript may o ...)
{DSA-4554-1}
- ruby-loofah 2.3.1+dfsg-1 (bug #942894)
@@ -18526,8 +18526,8 @@ CVE-2019-12754 (Symantec My VIP portal, previous
version which has already been
NOT-FOR-US: Symantec My VIP portal
CVE-2019-12753 (An information disclosure vulnerability in Symantec Reporter
web UI 10 ...)
NOT-FOR-US: Symantec
-CVE-2019-12752
- RESERVED
+CVE-2019-12752 (The Symantec SONAR component, prior to 12.0.2, may be
susceptible to a ...)
+ TODO: check
CVE-2019-12751 (Symantec Messaging Gateway, prior to 10.7.1, may be
susceptible to a p ...)
NOT-FOR-US: Symantec
CVE-2019-12750 (Symantec Endpoint Protection, prior to 14.2 RU1 & 12.1 RU6
MP10 an ...)
@@ -25336,7 +25336,7 @@ CVE-2019-10209 (Postgresql, versions 11.x before 11.5,
is vulnerable to a memory
- postgresql-9.6 <not-affected> (Only affects PostgreSQL 11)
- postgresql-9.4 <not-affected> (Only affects PostgreSQL 11)
NOTE: https://www.postgresql.org/about/news/1960/
-CVE-2019-10208 (A flaw was discovered in postgresql where arbitrary SQL
statements can ...)
+CVE-2019-10208 (A flaw was discovered in postgresql versions 9.4.x before
9.4.24, 9.5. ...)
{DSA-4493-1 DSA-4492-1 DLA-1874-1}
- postgresql-11 11.5-1
- postgresql-9.6 <removed>
@@ -30447,6 +30447,7 @@ CVE-2019-8764
RESERVED
CVE-2019-8763
RESERVED
+ {DSA-4515-1}
- webkit2gtk 2.24.4-1
[stretch] - webkit2gtk <ignored> (Not covered by security support in
stretch)
[jessie] - webkit2gtk <ignored> (Not covered by security support in
jessie)
@@ -30515,6 +30516,7 @@ CVE-2019-8734
RESERVED
CVE-2019-8733
RESERVED
+ {DSA-4515-1}
- webkit2gtk 2.24.4-1
[stretch] - webkit2gtk <ignored> (Not covered by security support in
stretch)
[jessie] - webkit2gtk <ignored> (Not covered by security support in
jessie)
@@ -30555,6 +30557,7 @@ CVE-2019-8720
NOTE: https://webkitgtk.org/security/WSA-2019-0005.html
CVE-2019-8719
RESERVED
+ {DSA-4515-1}
- webkit2gtk 2.24.4-1
[stretch] - webkit2gtk <ignored> (Not covered by security support in
stretch)
[jessie] - webkit2gtk <ignored> (Not covered by security support in
jessie)
@@ -30583,6 +30586,7 @@ CVE-2019-8708
RESERVED
CVE-2019-8707
RESERVED
+ {DSA-4515-1}
- webkit2gtk 2.24.4-1
[stretch] - webkit2gtk <ignored> (Not covered by security support in
stretch)
[jessie] - webkit2gtk <ignored> (Not covered by security support in
jessie)
@@ -30728,6 +30732,7 @@ CVE-2019-8675 [stack-buffer-overflow in libcups's
asn1_get_type function]
NOTE:
https://github.com/apple/cups/commit/f24e6cf6a39300ad0c3726a41a4aab51ad54c109
CVE-2019-8674
RESERVED
+ {DSA-4515-1}
- webkit2gtk 2.24.4-1
[stretch] - webkit2gtk <ignored> (Not covered by security support in
stretch)
[jessie] - webkit2gtk <ignored> (Not covered by security support in
jessie)
@@ -35761,10 +35766,10 @@ CVE-2019-6660
RESERVED
CVE-2019-6659
RESERVED
-CVE-2019-6658
- RESERVED
-CVE-2019-6657
- RESERVED
+CVE-2019-6658 (On BIG-IP AFM 15.0.0-15.0.1, 14.0.0-14.1.2, 13.1.0-13.1.3.1,
and 12.1. ...)
+ TODO: check
+CVE-2019-6657 (On BIG-IP 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.2-11.6.5.1,
a refle ...)
+ TODO: check
CVE-2019-6656 (BIG-IP APM Edge Client before version 7.1.8 (7180.2019.508.705)
logs t ...)
NOT-FOR-US: F5
CVE-2019-6655 (On versions 13.0.0-13.1.0.1, 12.1.0-12.1.4.1, 11.6.1-11.6.4,
and 11.5. ...)
@@ -247427,8 +247432,7 @@ CVE-2013-4753 (Multiple cross-site scripting (XSS)
vulnerabilities in Claroline
CVE-2013-4752
RESERVED
NOT-FOR-US: Symfony HttpFoundation component
-CVE-2013-4751
- RESERVED
+CVE-2013-4751 (php-symfony2-Validator has loss of information during
serialization ...)
NOT-FOR-US: Symfony Validator component
CVE-2013-4750
RESERVED
@@ -248693,8 +248697,7 @@ CVE-2013-4368 (The outs instruction emulation in Xen
3.1.x, 4.2.x, 4.3.x, and ea
{DSA-3006-1}
- xen 4.4.0-1
[squeeze] - xen <end-of-life> (Unsupported in squeeze-lts)
-CVE-2013-4367
- RESERVED
+CVE-2013-4367 (ovirt-engine 3.2 running on Linux kernel 3.1 and newer creates
certain ...)
NOT-FOR-US: ovirt
CVE-2013-4366 (http/impl/client/HttpClientBuilder.java in Apache HttpClient
4.3.x bef ...)
- httpcomponents-client 4.3.2-1
@@ -250555,8 +250558,7 @@ CVE-2013-3720 (Cross-site scripting (XSS)
vulnerability in widget_remove.php in
NOT-FOR-US: Wordpress plugin Feedweb
CVE-2013-3719 (Cross-site scripting (XSS) vulnerability in the aiContactSafe
componen ...)
NOT-FOR-US: Joomla!
-CVE-2013-3718 [evince missing check on number of pages]
- RESERVED
+CVE-2013-3718 (evince is missing a check on number of pages which can lead to
a segme ...)
- evince 3.10.0-1
[wheezy] - evince <not-affected>
[squeeze] - evince <not-affected> (Vulnerable code not present)
@@ -252893,13 +252895,11 @@ CVE-2013-2741 (importbuddy.php in the BackupBuddy
plugin 1.3.4, 2.1.4, 2.2.25, 2
NOT-FOR-US: BackupBuddy plugin for WordPress
CVE-2013-2740
RESERVED
-CVE-2013-2739 [heap-based buffer overflow]
- RESERVED
+CVE-2013-2739 (MiniDLNA has heap-based buffer overflow ...)
- minidlna 1.1.2+dfsg-1 (low; bug #717131)
[wheezy] - minidlna <no-dsa> (Minor issue, DLNA only used in a trusted
context)
NOTE: http://www.securityfocus.com/archive/1/527299/30/0
-CVE-2013-2738 [SQL Injection]
- RESERVED
+CVE-2013-2738 (minidlna has SQL Injection that may allow retrieval of
arbitrary files ...)
- minidlna 1.1.2+dfsg-1 (low; bug #717131)
NOTE: http://www.securityfocus.com/archive/1/527299/30/0
[wheezy] - minidlna <no-dsa> (Minor issue, DLNA only used in a trusted
context)
@@ -253201,8 +253201,7 @@ CVE-2013-2602 (Multiple array index errors in the
MyHeritage SEQueryObject Activ
NOT-FOR-US: MyHeritage SEQueryObject ActiveX control
CVE-2013-2601 (The NDVM in Citrix XenClient XT before 2.1.3 and 3.x before
3.1.4 allo ...)
NOT-FOR-US: Citrix XenClient XT
-CVE-2013-2600 [MiniUPnPd information disclosure]
- RESERVED
+CVE-2013-2600 (MiniUPnPd has information disclosure use of snprintf() ...)
- miniupnpd 1.8.20130730-1 (bug #716936)
CVE-2013-2599 (A certain Qualcomm Innovation Center (QuIC) patch to the
NativeDaemonC ...)
NOT-FOR-US: Qualcomm (Android)
@@ -254209,8 +254208,7 @@ CVE-2013-2257
CVE-2013-2256 (OpenStack Compute (Nova) before 2013.1.3 and Havana before
havana-2 do ...)
- nova 2013.1.2-3 (bug #718905)
[wheezy] - nova <not-affected> (Affected code not present)
-CVE-2013-2255 [Inconsistent and non-validating HTTPS client]
- RESERVED
+CVE-2013-2255 (HTTPSConnections in OpenStack Keystone 2013, OpenStack Compute
2013.1, ...)
- keystone 2014.1-1
[wheezy] - keystone <no-dsa> (Minor issue)
- swift <not-affected> (See
https://bugs.launchpad.net/keystone/+bug/1188189/comments/5)
@@ -254297,8 +254295,7 @@ CVE-2013-2228 [RSA exponent of 1]
RESERVED
- salt 0.15.1-1
NOTE:
https://github.com/saltstack/salt/commit/e8ce66cf688b43aeb3e716e78b1af3a08e9940e3
-CVE-2013-2227 [local file inclusion]
- RESERVED
+CVE-2013-2227 (GLPI 0.83.7 has Local File Inclusion in common.tabs.php. ...)
- glpi 0.83.91-1 (bug #714720; unimportant)
NOTE: Only supported behind an authenticated HTTP zone
CVE-2013-2226 (Multiple SQL injection vulnerabilities in GLPI before 0.83.9
allow rem ...)
@@ -256416,8 +256413,7 @@ CVE-2013-1667 (The rehash mechanism in Perl 5.8.2
through 5.16.x allows context-
{DSA-2641-1}
- perl 5.14.2-19 (bug #702296)
NOTE:
http://www.nntp.perl.org/group/perl.perl5.porters/2013/03/msg199755.html
-CVE-2013-1666
- RESERVED
+CVE-2013-1666 (Foswiki before 1.1.8 contains a code injection vulnerability in
the MA ...)
- foswiki <itp> (bug #509864)
CVE-2013-1665 (The XML libraries for Python 3.4, 3.3, 3.2, 3.1, 2.7, and 2.6,
as used ...)
{DSA-2634-1}
@@ -260835,8 +260831,7 @@ CVE-2013-0191 (libpam-pgsql (aka pam_pgsql) 0.7 does
not properly handle a NULL
NOTE: bugreport: https://sourceforge.net/p/pam-pgsql/bugs/13/
CVE-2013-0187 (Foreman before 1.1 allows remote authenticated users to gain
privilege ...)
- foreman <itp> (bug #663101)
-CVE-2013-0186
- RESERVED
+CVE-2013-0186 (Multiple cross-site scripting (XSS) vulnerabilities in ManageIQ
EVM al ...)
NOT-FOR-US: ManageIQ EVM (CloudForms)
CVE-2013-0185 (Cross-site request forgery (CSRF) vulnerability in ManageIQ
Enterprise ...)
NOT-FOR-US: ManageIQ EVM (CloudForms)
@@ -260855,16 +260850,15 @@ CVE-2013-0182 (The Payment module 7.x-1.x before
7.x-1.3 for Drupal does not pro
NOT-FOR-US: Drupal module Payment
CVE-2013-0181 (Cross-site scripting (XSS) vulnerability in Views in the Search
API (s ...)
NOT-FOR-US: Drupal module search_api
-CVE-2013-0180
- RESERVED
+CVE-2013-0180 (Insecure temporary file vulnerability in Redis 2.6 related to
/tmp/red ...)
+ TODO: check
CVE-2013-0179 (The process_bin_delete function in memcached.c in memcached
1.4.4 and ...)
- memcached 1.4.13-0.2 (low; bug #698231)
[squeeze] - memcached 1.4.5-1+deb6u1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=895054
NOTE: https://code.google.com/p/memcached/issues/detail?id=306
NOTE:
https://code.google.com/p/memcached/issues/attachmentText?id=306&aid=3060004000&name=0001-Fix-buffer-overrun-when-logging-key-to-delete-in-bin.patch
-CVE-2013-0178 [redis 2.4: Insecure temporary flaw use for redis service's vm
swap file]
- RESERVED
+CVE-2013-0178 (Insecure temporary file vulnerability in Redis before 2.6
related to / ...)
- redis 2:2.6.0-1 (low)
[squeeze] - redis <no-dsa> (Minor issue)
[wheezy] - redis <no-dsa> (Minor issue)
@@ -260923,8 +260917,7 @@ CVE-2013-0167 (VDSM in Red Hat Enterprise
Virtualization 3 and 3.2 allows privil
CVE-2013-0166 (OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before
1.0.1d do ...)
{DSA-2621-1}
- openssl 1.0.1e-1 (bug #699889)
-CVE-2013-0165
- RESERVED
+CVE-2013-0165
(cartridges/openshift-origin-cartridge-mongodb-2.2/info/bin/dump.sh in ...)
NOT-FOR-US: OpenShift
CVE-2013-0164 (The lockwrap function in
port-proxy/bin/openshift-port-proxy-cfg in Re ...)
NOT-FOR-US: OpenShift
@@ -270240,8 +270233,7 @@ CVE-2012-2981 (Webmin 1.590 and earlier allows remote
authenticated users to exe
- webmin <removed>
CVE-2012-2980 (The Samsung and HTC onTouchEvent method implementation for
Android on ...)
NOT-FOR-US: Samsung and HTC Android
-CVE-2012-2979 [VU#517036: NSD 3.2.13 emergency release]
- RESERVED
+CVE-2012-2979 (FreeBSD NSD before 3.2.13 allows remote attackers to crash a
NSD child ...)
- nsd3 <not-affected> (Debian version not affected)
CVE-2012-2978 (query.c in NSD 3.0.x through 3.0.8, 3.1.x through 3.1.1, and
3.2.x bef ...)
{DSA-2515-1}
@@ -277193,7 +277185,7 @@ CVE-2003-1599 (PHP remote file inclusion
vulnerability in wp-links/links.all.php
NOT-FOR-US: WordPress plugin wp-links
CVE-2003-1598 (SQL injection vulnerability in log.header.php in WordPress 0.7
and ear ...)
- wordpress 1.0.1-1
-CVE-2002-2444 (Snoopy 2.0.0-1 has a security hole in exec cURL ...)
+CVE-2002-2444 (Snoopy before 2.0.0 has a security hole in exec cURL ...)
- libphp-snoopy <not-affected> (affected version never was in the repo)
NOTE: http://www.openwall.com/lists/oss-security/2014/07/18/2
NOTE: http://sourceforge.net/p/snoopy/bugs/13/
@@ -281298,8 +281290,7 @@ CVE-2011-3925 (Use-after-free vulnerability in the
Safe Browsing feature in Goog
CVE-2011-3924 (Use-after-free vulnerability in Google Chrome before
16.0.912.77 allow ...)
- chromium-browser 16.0.912.77~r118311-1
[squeeze] - chromium-browser <end-of-life>
-CVE-2011-3923 [struts ParameterInterceptor remote code execution]
- RESERVED
+CVE-2011-3923 (Apache Struts before 2.3.1.2 allows remote attackers to bypass
securit ...)
- libstruts1.2-java <not-affected> (Only affects 2.x)
NOTE: https://cwiki.apache.org/confluence/display/WW/S2-009
NOTE: http://blog.o0o.nu/2012/01/cve-2011-3923-yet-another-struts2.html
@@ -294093,7 +294084,7 @@ CVE-2010-4247 (The do_block_io_op function in (1)
drivers/xen/blkback/blkback.c
- linux-2.6 <not-affected> (changes included since introduction of dom0
support)
CVE-2010-4246 (Multiple cross-site scripting (XSS) vulnerabilities in
graph.php in pf ...)
NOT-FOR-US: pfSense
-CVE-2010-4245 (pootle 2.0.5-0.2 has XSS via 'match_names' parameter ...)
+CVE-2010-4245 (pootle 2.0.5 has XSS via 'match_names' parameter ...)
- pootle 2.0.5-0.3 (low; bug #604060)
[lenny] - pootle <not-affected> (Vulnerable code not present)
CVE-2010-4244
@@ -295784,12 +295775,10 @@ CVE-2010-3609 (The extension parser in
slp_v2message.c in OpenSLP 1.2.1, and oth
CVE-2010-3659 (Multiple cross-site scripting (XSS) vulnerabilities in TYPO3
CMS 4.1.x ...)
{DSA-2098-1}
- typo3-src 4.3.5-1 (bug #590719)
-CVE-2010-3660 [Multiple security issues]
- RESERVED
+CVE-2010-3660 (TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4
and 4.4.x ...)
{DSA-2098-1}
- typo3-src 4.3.5-1 (bug #590719)
-CVE-2010-3661 [Multiple security issues]
- RESERVED
+CVE-2010-3661 (TYPO3 before 4.1.14, 4.2.x before 4.2.13, 4.3.x before 4.3.4
and 4.4.x ...)
{DSA-2098-1}
- typo3-src 4.3.5-1 (bug #590719)
CVE-2010-3662 [Multiple security issues]
@@ -299464,10 +299453,10 @@ CVE-2010-2295 (page/EventHandler.cpp in WebCore in
WebKit in Google Chrome befor
[lenny] - webkit <no-dsa> (Unmaintained in Lenny, only affects fringe
apps)
- chromium-browser 5.0.375.55~r47796-1
NOTE: http://trac.webkit.org/changeset/58829
-CVE-2009-4900 (pixelpost 1.7.1-5 has XSS ...)
+CVE-2009-4900 (pixelpost 1.7.1 has XSS ...)
- pixelpost <removed> (bug #597224)
NOTE:
http://www.pixelpost.org/blog/2009/09/02/pixelpost-173-security-update/
-CVE-2009-4899 (pixelpost 1.7.1-5 has SQL injection ...)
+CVE-2009-4899 (pixelpost 1.7.1 has SQL injection ...)
- pixelpost <removed> (bug #597224)
NOTE:
http://www.pixelpost.org/blog/2009/09/02/pixelpost-173-security-update/
CVE-2009-4898 (Cross-site request forgery (CSRF) vulnerability in TWiki before
4.3.2 ...)
@@ -374472,8 +374461,7 @@ CVE-2005-3058 (Interpretation conflict in Fortinet
FortiGate 2.8, running FortiO
NOT-FOR-US: FortiGate
CVE-2005-3057 (The FTP component in FortiGate 2.8 running FortiOS 2.8MR10 and
v3beta, ...)
NOT-FOR-US: FortiGate
-CVE-2005-3056 [TWiki INCLUDE function allows arbitrary shell command execution
]
- RESERVED
+CVE-2005-3056 (TWiki allows arbitrary shell command execution via the Include
functio ...)
- twiki 20040902-2 (bug #330733; high)
CVE-2005-3055 (Linux kernel 2.6.8 to 2.6.14-rc2 allows local users to cause a
denial ...)
{DSA-1017-1}
@@ -379367,10 +379355,9 @@ CVE-2005-1841 (The control for Adobe Reader 5.0.9
and 5.0.10 on Linux, Solaris,
CVE-2005-1858 (FUSE 2.x before 2.3.0 does not properly clear previously used
memory f ...)
{DSA-744-1}
- fuse 2.3.0-1
-CVE-2005-2349 (Zoo 2.10-27 has Directory traversal ...)
+CVE-2005-2349 (Zoo 2.10 has Directory traversal ...)
- zoo 2.10-4 (low; bug #309594)
-CVE-2005-2350 [Cross Site Scripting in websieve]
- RESERVED
+CVE-2005-2350 (Cross-site scripting (XSS) vulnerability in websieve v0.62
allows remo ...)
- websieve <removed> (bug #311838; low)
CVE-2005-1840 (Directory traversal vulnerability in class.layout_phpcms.php in
phpCMS ...)
NOT-FOR-US: phpCMS
@@ -379672,8 +379659,7 @@ CVE-2002-1664 (Yahoo! Messenger before February 2002
allows remote attackers to
NOT-FOR-US: Yahoo Messenger
CVE-2005-XXXX [Unspecified issue in moodle's admin/delete.php]
- moodle 1.4.4.dfsg.1-3
-CVE-2005-2351 [Minor DoS condition in mutt due to preditable tempfiles]
- RESERVED
+CVE-2005-2351 (Mutt before 1.5.20 patch 7 allows an attacker to cause a denial
of ser ...)
- mutt 1.5.20-7 (bug #311296; unimportant)
[sarge] - mutt <no-dsa> (Minor annoyance, not a real DoS)
NOTE: An "attacker" could achieve the same by simply filling up /tmp
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/191c92be7b3caaec54c7eff589585b65ac107175
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/191c92be7b3caaec54c7eff589585b65ac107175
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
