Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7158540c by security tracker role at 2019-11-19T20:10:27Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,7 @@
+CVE-2019-19119
+       RESERVED
+CVE-2019-19118
+       RESERVED
 CVE-2019-19117 (/usr/lib/lua/luci/controller/admin/autoupgrade.lua on PHICOMM 
K2(PSG12 ...)
        NOT-FOR-US: PHICOMM K2(PSG1218) devices
 CVE-2019-19116
@@ -161,7 +165,7 @@ CVE-2019-19051 (A memory leak in the 
i2400m_op_rfkill_sw_toggle() function in dr
        NOTE: 
https://git.kernel.org/linus/6f3ef5c25cc762687a7341c18cbea5af54461407
 CVE-2019-19050 (A memory leak in the crypto_reportstat() function in 
crypto/crypto_use ...)
        - linux <unfixed>
-CVE-2019-19049 (A memory leak in the unittest_data_add() function in 
drivers/of/unitte ...)
+CVE-2019-19049 (** DISPUTED ** A memory leak in the unittest_data_add() 
function in dr ...)
        - linux <unfixed>
        NOTE: 
https://git.kernel.org/linus/e13de8fe0d6a51341671bbe384826d527afe8d44
 CVE-2019-19048 (A memory leak in the crypto_reportstat() function in 
drivers/virt/vbox ...)
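Review bot: the description for CVE-2019-19049 now carries the ** DISPUTED ** marker, but the tracked state below it is unchanged: `- linux <unfixed>` with a NOTE pointing at upstream commit e13de8fe0d6a51341671bbe384826d527afe8d44. A disputed description should be matched by a NOTE recording why the issue is disputed and whether the entry's severity or fixed-status should change, so that the package line and the description do not tell different stories to anyone triaging the kernel entries.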
@@ -405,8 +409,7 @@ CVE-2019-18936
        RESERVED
 CVE-2019-18935
        RESERVED
-CVE-2019-18934 [Vulnerability in IPSEC module]
-       RESERVED
+CVE-2019-18934 (Unbound 1.6.4 through 1.9.4 contain a vulnerability in the 
ipsec modul ...)
        - unbound <unfixed> (unimportant)
        [stretch] - unbound <not-affected> (ipsecmod module introduced later)
        [jessie] - unbound <not-affected> (ipsecmod module introduced later)
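Review bot: `- unbound <unfixed> (unimportant)` states a severity rating without a NOTE explaining it, while the stretch and jessie lines in the same entry do give their reason (ipsecmod module introduced later). Add a NOTE with the justification for `unimportant` (for example, whether the ipsecmod module is built or enabled in the Debian package) so that a later reviewer can verify the rating rather than re-derive it.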
@@ -501,6 +504,7 @@ CVE-2019-18891
        RESERVED
 CVE-2019-18890 [SQL injection]
        RESERVED
+       {DSA-4574-1}
        - redmine 3.4.2-1
        NOTE: https://www.redmine.org/news/125
        NOTE: 
https://www.redmine.org/projects/redmine/repository/revisions/16196
@@ -7363,6 +7367,7 @@ CVE-2015-9457 (The pretty-link plugin before 1.6.8 for 
WordPress has PrliLinksCo
 CVE-2019-17428
        RESERVED
 CVE-2019-17427 (In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent 
XSS exists ...)
+       {DSA-4574-1}
        - redmine 4.0.4-1
        NOTE: Fixed in 3.4.11 and 4.0.4
        NOTE: 
https://github.com/redmine/redmine/commit/899fc2e0cd2bcb4f5f9333b612b160bb9c6e803b
@@ -8759,10 +8764,10 @@ CVE-2019-16863 (STMicroelectronics ST33TPHF2ESPI TPM 
devices before 2019-09-12 a
        NOT-FOR-US: STMicroelectronics
 CVE-2019-16862 (Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 
5.x befor ...)
        NOT-FOR-US: OpenEMR
-CVE-2019-16861
-       RESERVED
-CVE-2019-16860
-       RESERVED
+CVE-2019-16861 (Code42 server through 7.0.2 for Windows has an Untrusted 
Search Path.  ...)
+       TODO: check
+CVE-2019-16860 (Code42 app through version 7.0.2 for Windows has an Untrusted 
Search P ...)
+       TODO: check
 CVE-2019-16859
        RESERVED
 CVE-2019-16858
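Review bot: both new descriptions (CVE-2019-16861 and CVE-2019-16860) name Code42 server and app "for Windows" with an Untrusted Search Path, so the two `TODO: check` lines are likely to resolve to NOT-FOR-US in the same way as the OpenEMR and STMicroelectronics entries earlier in this hunk; confirm that no Debian source package ships this software before closing the TODOs.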
@@ -25997,8 +26002,8 @@ CVE-2019-11291
        RESERVED
 CVE-2019-11290
        RESERVED
-CVE-2019-11289
-       RESERVED
+CVE-2019-11289 (Cloud Foundry Routing, all versions before 0.193.0, does not 
properly  ...)
+       TODO: check
 CVE-2019-11288
        RESERVED
 CVE-2019-11287
@@ -166927,8 +166932,7 @@ CVE-2016-1000238
        RESERVED
 CVE-2016-1000237
        RESERVED
-CVE-2016-1000236
-       RESERVED
+CVE-2016-1000236 (Node-cookie-signature before 1.0.6 is affected by a timing 
attack due  ...)
        - node-cookie-signature 1.1.0-1 (unimportant; bug #838618)
        NOTE: https://nodesecurity.io/advisories/134
        NOTE: 
https://github.com/tj/node-cookie-signature/commit/39791081692e9e14aa62855369e1c7f80fbfd50e
@@ -174152,8 +174156,7 @@ CVE-2016-1000100
        REJECTED
 CVE-2016-1000008
        RESERVED
-CVE-2016-1000006
-       RESERVED
+CVE-2016-1000006 (hhvm before 3.12.11 has a use-after-free in the 
serialize_memoize_para ...)
        - hhvm 3.12.11+dfsg-1
 CVE-2016-1000005
        RESERVED
@@ -230105,8 +230108,7 @@ CVE-2014-5441 (Multiple cross-site scripting (XSS) 
vulnerabilities in app/views/
        NOT-FOR-US: Fat Free CRM
 CVE-2014-5440 (SQL injection vulnerability in Login.aspx in MPEX Business 
Solutions M ...)
        NOT-FOR-US: MX-SmartTimer
-CVE-2014-5439
-       RESERVED
+CVE-2014-5439 (sniffit 0.3.7 and prior: A configuration file can be leveraged 
to exec ...)
        {DLA-713-1}
        - sniffit 0.3.7.beta-20 (bug #845122)
        [jessie] - sniffit 0.3.7.beta-17+deb8u1
@@ -265107,8 +265109,7 @@ CVE-2012-6137 (rhn-migrate-classic-to-rhsm tool in 
Red Hat subscription-manager
 CVE-2012-6136
        RESERVED
        - tuned <not-affected> (Fixed before initial release to Debian)
-CVE-2012-6135
-       RESERVED
+CVE-2012-6135 (RubyGems passenger 4.0.0 betas 1 and 2 allows remote attackers 
to dele ...)
        - ruby-passenger <not-affected> (Vulnerable code not present; bug 
#702219)
        NOTE: 4.0.0 betas only
 CVE-2012-6134 (Cross-site request forgery (CSRF) vulnerability in the 
omniauth-oauth2 ...)
@@ -265361,12 +265362,10 @@ CVE-2012-6072 (CRLF injection vulnerability in 
Jenkins before 1.491, Jenkins LTS
        - jenkins-winstone 0.9.10-jenkins-37+dfsg-2 (bug #696974)
        NOTE: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-11-20
        NOTE: http://www.openwall.com/lists/oss-security/2012/12/28/1
-CVE-2012-6071 [libnusoap-php: Curl insecure usage]
-       RESERVED
+CVE-2012-6071 (nuSOAP before 0.7.3-5 does not properly check the hostname of a 
cert. ...)
        - nusoap 0.7.3-5 (low; bug #696707)
        [squeeze] - nusoap <no-dsa> (Minor issue)
-CVE-2012-6070 [falconpl: Curl insecure usage]
-       RESERVED
+CVE-2012-6070 (Falconpl before 0.9.6.9-git20120606 misuses the libcurl API 
which may  ...)
        - falconpl 0.9.6.9-git20120606-2 (bug #696681)
 CVE-2011-5250
        RESERVED
@@ -279289,12 +279288,10 @@ CVE-2012-0845 (SimpleXMLRPCServer.py in 
SimpleXMLRPCServer in Python before 2.6.
 CVE-2012-0844
        RESERVED
        - netsurf 2.8-2 (bug #659376)
-CVE-2012-0843
-       RESERVED
+CVE-2012-0843 (uzbl: Information disclosure via world-readable cookies storage 
file ...)
        - uzbl 0.0.0~git.20111128-2 (bug #659379)
        [squeeze] - uzbl <no-dsa> (Minor issue)
-CVE-2012-0842 [surf info leak]
-       RESERVED
+CVE-2012-0842 (surf: cookie jar has read access from other local user ...)
        - surf 0.4.1-6 (bug #659296)
 CVE-2012-0841 (libxml2 before 2.8.0 computes hash values without restricting 
the abil ...)
        {DSA-2417-1}
@@ -279345,8 +279342,7 @@ CVE-2012-0825 (Drupal 6.x before 6.23 and 7.x before 
7.11 does not verify that A
        {DSA-2776-1}
        - drupal7 7.11-1
        - drupal6 6.26-1
-CVE-2012-0824
-       RESERVED
+CVE-2012-0824 (gnusound 0.7.5 has format string issue ...)
        - gnusound <removed> (low; bug #654270)
        [squeeze] - gnusound 0.7.5-3+squeeze1
 CVE-2012-0823 (VP8 Codec SDK (libvpx) before 1.0.0 "Duclair" allows remote 
attackers  ...)
@@ -281092,16 +281088,14 @@ CVE-2011-4969 (Cross-site scripting (XSS) 
vulnerability in jQuery before 1.6.3,
        [squeeze] - jquery <no-dsa> (Minor issue)
        NOTE: http://blog.jquery.com/2011/09/01/jquery-1-6-3-released/
        NOTE: 
https://github.com/jquery/jquery/commit/db9e023e62c1ff5d8f21ed9868ab6878da2005e9
-CVE-2011-4968 [nginx http proxy module does not verify peer identity of https 
origin server]
-       RESERVED
+CVE-2011-4968 (nginx http proxy module does not verify peer identity of https 
origin  ...)
        - nginx 1.9.1-1 (low; bug #697940)
        [jessie] - nginx <no-dsa> (Minor issue)
        [squeeze] - nginx <no-dsa> (Minor issue)
        [wheezy] - nginx <no-dsa> (Minor issue)
        NOTE: http://trac.nginx.org/nginx/ticket/13
        NOTE: Upstream commit: 
http://trac.nginx.org/nginx/changeset/060c2e692b96a150b584b8e30d596be1f2defa9c/nginx
-CVE-2011-4967
-       RESERVED
+CVE-2011-4967 (tog-Pegasus has a package hash collision DoS vulnerability ...)
        NOT-FOR-US: OpenPegasus
 CVE-2011-4966 (modules/rlm_unix/rlm_unix.c in FreeRADIUS before 2.2.0, when 
unix mode ...)
        - freeradius 2.1.12+dfsg-1.2 (low; bug #694407)
@@ -281135,13 +281129,11 @@ CVE-2011-4956 (Cross-site scripting (XSS) 
vulnerability in WordPress before 3.1.
        - wordpress 3.2.1+dfsg-1
 CVE-2011-4955 (Multiple cross-site scripting (XSS) vulnerabilities in 
ui_stats.php in ...)
        NOT-FOR-US: wordpress bsuite plugin
-CVE-2011-4954
-       RESERVED
+CVE-2011-4954 (cobbler has local privilege escalation via the use of insecure 
locatio ...)
        - cobbler <not-affected> (Fixed before initial upload)
 CVE-2011-4953 (The set_mgmt_parameters function in item.py in cobbler before 
2.2.2 al ...)
        - cobbler <not-affected> (Fixed before initial upload)
-CVE-2011-4952
-       RESERVED
+CVE-2011-4952 (cobbler: Web interface lacks CSRF protection when using Django 
framewo ...)
        - cobbler <not-affected> (Fixed before initial upload)
 CVE-2011-4951 (Open redirect vulnerability in phpgwapi/ntlm/index.php in 
EGroupware E ...)
        NOT-FOR-US: EGroupware
@@ -281239,8 +281231,7 @@ CVE-2011-4921 (SQL injection vulnerability in 
usersettings.php in e107 0.7.26, a
        NOT-FOR-US: e107
 CVE-2011-4920 (Multiple cross-site scripting (XSS) vulnerabilities in e107 
0.7.26, an ...)
        NOT-FOR-US: e107
-CVE-2011-4919 [mpack info disclosure]
-       RESERVED
+CVE-2011-4919 (mpack 1.6 has information disclosure via eavesdropping on mails 
sent b ...)
        - mpack 1.6-8 (low; bug #655971)
        [squeeze] - mpack <no-dsa> (Minor issue)
        NOTE: http://openwall.com/lists/oss-security/2011/12/31/1
@@ -287938,11 +287929,9 @@ CVE-2011-2923
        RESERVED
        - foomatic-filters <unfixed> (unimportant)
        NOTE: debug mode-only
-CVE-2011-2922
-       RESERVED
+CVE-2011-2922 (ktsuss versions 1.4 and prior spawns the GTK interface to run 
as root. ...)
        - ktsuss <removed>
-CVE-2011-2921
-       RESERVED
+CVE-2011-2921 (ktsuss versions 1.4 and prior has the uid set to root and does 
not dro ...)
        - ktsuss <removed>
 CVE-2011-2920 (Multiple cross-site scripting (XSS) vulnerabilities in 
Spacewalk 1.6,  ...)
        NOT-FOR-US: Red Hat Network Satellite server
@@ -291662,7 +291651,7 @@ CVE-2011-1590 (The X.509if dissector in Wireshark 
1.2.x before 1.2.16 and 1.4.x
 CVE-2011-1589 (Directory traversal vulnerability in Path.pm in Mojolicious 
before 1.1 ...)
        {DSA-2221-1}
        - libmojolicious-perl 1.16-1
-CVE-2011-1588 (Thunar 1.2 through 1.2.1 could crash when copy and pasting a 
file name ...)
+CVE-2011-1588 (Thunar before 1.3.1 could crash when copy and pasting a file 
name with ...)
        - thunar <not-affected> (Introduced in 1.2, only in experimental)
        NOTE: 
http://git.xfce.org/xfce/thunar/diff/?id=03dd312e157d4fa8a11d5fa402706ae5b05806fa
 CVE-2011-1587 (Cross-site scripting (XSS) vulnerability in MediaWiki before 
1.16.4, w ...)
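Review bot: the affected range for CVE-2011-1588 changes from "Thunar 1.2 through 1.2.1" to "Thunar before 1.3.1", which widens the upstream range, but the package line still reads `- thunar <not-affected> (Introduced in 1.2, only in experimental)`. That not-affected rationale rests on the bug having been introduced in 1.2, which the new description no longer states; check against the linked xfce commit 03dd312e157d4fa8a11d5fa402706ae5b05806fa that the rationale still holds, or update the parenthetical to match the new range.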



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7158540c01cd12b403e2b35d01a027a57caea78f

_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits