Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ae59d95a by security tracker role at 2019-11-22T08:10:20Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,61 @@
+CVE-2019-19226
+       RESERVED
+CVE-2019-19225
+       RESERVED
+CVE-2019-19224
+       RESERVED
+CVE-2019-19223
+       RESERVED
+CVE-2019-19222
+       RESERVED
+CVE-2019-19221 (In Libarchive 3.4.0, archive_wstring_append_from_mbs in 
archive_string ...)
+       TODO: check
+CVE-2019-19220
+       RESERVED
+CVE-2019-19219
+       RESERVED
+CVE-2019-19218
+       RESERVED
+CVE-2019-19217
+       RESERVED
+CVE-2019-19216
+       RESERVED
+CVE-2019-19215
+       RESERVED
+CVE-2019-19214
+       RESERVED
+CVE-2019-19213
+       RESERVED
+CVE-2019-19212
+       RESERVED
+CVE-2019-19211
+       RESERVED
+CVE-2019-19210
+       RESERVED
+CVE-2019-19209
+       RESERVED
+CVE-2019-19208
+       RESERVED
+CVE-2019-19207 (rConfig 3.9.2 allows devices.php?searchColumn= SQL injection. 
...)
+       TODO: check
+CVE-2019-19206
+       RESERVED
+CVE-2019-19205
+       RESERVED
+CVE-2019-19204 (An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In 
the func ...)
+       TODO: check
+CVE-2019-19203 (An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In 
the func ...)
+       TODO: check
+CVE-2019-19202 (In Vtiger 7.x before 7.2.0, the My Preferences saving 
functionality al ...)
+       TODO: check
+CVE-2019-19201
+       RESERVED
+CVE-2019-19200
+       RESERVED
+CVE-2019-19199
+       RESERVED
+CVE-2019-19198
+       RESERVED
 CVE-2019-19197 (IOCTL Handling in the kyrld.sys driver in Kyrol Internet 
Security 9.0. ...)
        TODO: check
 CVE-2019-19196
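Review bot: two of the new TODO: check placeholders, CVE-2019-19204 and CVE-2019-19203, carry the identical truncated description "An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the func ...", so the list alone cannot tell them apart; the triager should pull the full description for each before recording a fixed version or a not-affected status. The same care applies to CVE-2019-19221, which names archive_wstring_append_from_mbs in Libarchive 3.4.0 and should be checked against the packaged source rather than marked from the summary, while the rConfig and Vtiger entries look like NOT-FOR-US candidates if those products are not packaged.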
@@ -578,8 +636,8 @@ CVE-2019-18934 (Unbound 1.6.4 through 1.9.4 contain a 
vulnerability in the ipsec
        [jessie] - unbound <not-affected> (ipsecmod module introduced later)
        NOTE: Debian binary packages not built with --enable-ipsecmod
        NOTE: https://nlnetlabs.nl/downloads/unbound/CVE-2019-18934.txt
-CVE-2019-18933
-       RESERVED
+CVE-2019-18933 (In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in 
the new  ...)
+       TODO: check
 CVE-2019-18932
        RESERVED
 CVE-2019-18931 (Western Digital My Cloud EX2 Ultra firmware 2.31.195 allows a 
Buffer O ...)
@@ -675,23 +733,20 @@ CVE-2019-18890 (A SQL injection vulnerability in Redmine 
through 3.2.9 and 3.3.x
        NOTE: 
https://www.redmine.org/projects/redmine/repository/revisions/16196
        NOTE: https://www.redmine.org/issues/32374
        NOTE: 
https://github.com/redmine/redmine/commit/04d4a1a191c46e4595ed455372e86c66cf3f6ed7#diff-72469d98e80a60152ebcfa998306b5ecL581-R584
-CVE-2019-18889 [Forbid serializing AbstractAdapter and TagAwareAdapter 
instances]
-       RESERVED
+CVE-2019-18889 (An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 
through ...)
        - symfony 4.3.8+dfsg-1
        [buster] - symfony 3.4.22+dfsg-2+deb10u1
        [stretch] - symfony <not-affected> (Vulnerable code not present)
        [jessie] - symfony <not-affected> (Vulnerable code not present)
        NOTE: 
https://symfony.com/blog/cve-2019-18889-forbid-serializing-abstractadapter-and-tagawareadapter-instances
        NOTE: 
https://github.com/symfony/symfony/commit/8817d28fcaacb31fe01d267f6e19b44d8179395a
-CVE-2019-18888 [Prevent argument injection in a MimeTypeGuesser]
-       RESERVED
+CVE-2019-18888 (An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 
through ...)
        {DSA-4573-1 DLA-1999-1}
        - symfony 4.3.8+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2019-18888-prevent-argument-injection-in-a-mimetypeguesser
        NOTE: 
https://github.com/symfony/symfony/commit/691486e43ce0e4893cd703e221bafc10a871f365
        NOTE: 
https://github.com/symfony/symfony/commit/77ddabf2e785ea85860d2720cc86f7c5d8967ed5
-CVE-2019-18887 [Use constant time comparison in UriSigner]
-       RESERVED
+CVE-2019-18887 (An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 
through ...)
        {DSA-4573-1 DLA-1999-1}
        - symfony 4.3.8+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2019-18887-use-constant-time-comparison-in-urisigner
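Review bot: CVE-2019-18889 lists a buster fix, "[buster] - symfony 3.4.22+dfsg-2+deb10u1", but no advisory reference, whereas the neighbouring CVE-2019-18888 and CVE-2019-18887 both carry {DSA-4573-1 DLA-1999-1}; if that deb10u1 upload shipped under the same DSA the reference belongs here too, and if it did not, a NOTE saying why would save the next reader the question. Separately, replacing the bracketed working titles ("Forbid serializing AbstractAdapter and TagAwareAdapter instances" and the two others) with descriptions cut off mid version range ("3.4.0 through ...") loses the one-line summary; the symfony.com URLs in the NOTE lines still encode the titles, but keeping the title in a NOTE would make the entries readable without following a link.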
@@ -20965,8 +21020,8 @@ CVE-2019-13159
        RESERVED
 CVE-2019-13158
        RESERVED
-CVE-2019-13157
-       RESERVED
+CVE-2019-13157 (nsGreen.dll in Naver Vaccine 2.1.4 allows remote attackers to 
overwrit ...)
+       TODO: check
 CVE-2019-13156 (NDrive(1.2.2).sys in Naver Cloud Explorer has a stack-based 
buffer ove ...)
        NOT-FOR-US: Naver Cloud Explorer
 CVE-2019-13155 (An issue was discovered in TRENDnet TEW-827DRU firmware before 
2.05B11 ...)
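Review bot: the new TODO: check on CVE-2019-13157 (nsGreen.dll in Naver Vaccine) can be closed by following the entry directly below it, CVE-2019-13156, which is already marked NOT-FOR-US: Naver Cloud Explorer; nsGreen.dll is a Windows component of another Naver product, so NOT-FOR-US: Naver Vaccine is the expected resolution unless the triager finds it packaged.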
@@ -26127,8 +26182,7 @@ CVE-2019-11327 (An issue was discovered on Topcon 
Positioning Net-G5 GNSS Receiv
        NOT-FOR-US: Topcon Positioning Net-G5 GNSS Receiver
 CVE-2019-11326 (An issue was discovered on Topcon Positioning Net-G5 GNSS 
Receiver dev ...)
        NOT-FOR-US: Topcon Positioning Net-G5 GNSS Receiver
-CVE-2019-11325 [Fix escaping of strings in VarExporter]
-       RESERVED
+CVE-2019-11325 (An issue was discovered in Symfony before 4.2.12 and 4.3.x 
before 4.3. ...)
        - symfony 4.3.8+dfsg-1
        [buster] - symfony <not-affected> (Vulnerable code not present)
        [stretch] - symfony <not-affected> (Vulnerable code not present)
@@ -42380,10 +42434,10 @@ CVE-2019-5639
        RESERVED
 CVE-2019-5638 (Rapid7 Nexpose versions 6.5.50 and prior suffer from 
insufficient sess ...)
        NOT-FOR-US: Rapid7 Nexpose
-CVE-2019-5637
-       RESERVED
-CVE-2019-5636
-       RESERVED
+CVE-2019-5637 (When Beckhoff TwinCAT is configured to use the Profinet driver, 
a deni ...)
+       TODO: check
+CVE-2019-5636 (When a Beckhoff TwinCAT Runtime receives a malformed UDP 
packet, the A ...)
+       TODO: check
 CVE-2019-5635 (A cleartext transmission of sensitive information vulnerability 
is pre ...)
        NOT-FOR-US: Hickory
 CVE-2019-5634 (An inclusion of sensitive information in log files 
vulnerability is pr ...)
@@ -209993,8 +210047,8 @@ CVE-2015-3142 (The kernel-invoked coredump processor 
in Automatic Bug Reporting
        NOT-FOR-US: abrt is Red Hat / Fedora specific
 CVE-2015-3141 (Multiple cross-site request forgery (CSRF) vulnerabilities in 
Synametr ...)
        NOT-FOR-US: Synametrics Technologies Xeams
-CVE-2015-3140
-       RESERVED
+CVE-2015-3140 (Multiple cross-site request forgery (CSRF) vulnerabilities in 
Synametr ...)
+       TODO: check
 CVE-2015-3139
        RESERVED
 CVE-2015-3138 (print-wb.c in tcpdump before 4.7.4 allows remote attackers to 
cause a  ...)
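Review bot: the description now attached to CVE-2015-3140, "Multiple cross-site request forgery (CSRF) vulnerabilities in Synametr ...", is word-for-word the same truncated text as CVE-2015-3141 two lines above, which is already marked NOT-FOR-US: Synametrics Technologies Xeams; the TODO: check placeholder can be replaced with that same NOT-FOR-US line, since Xeams is not a Debian package.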
@@ -211064,8 +211118,7 @@ CVE-2015-XXXX [crashes found with afl]
        - hp2xx 3.4.4-10 (low)
        [wheezy] - hp2xx 3.4.4-8+deb7u1
        [squeeze] - hp2xx <no-dsa> (Minor issue)
-CVE-2015-2793 [cross-site scripting via openid_identifier]
-       RESERVED
+CVE-2015-2793 (Cross-site scripting (XSS) vulnerability in 
templates/openid-selector. ...)
        - ikiwiki 3.20141016.2 (bug #781483)
        [wheezy] - ikiwiki 3.20120629.2
        [squeeze] - ikiwiki <no-dsa> (Minor issue)
@@ -223305,8 +223358,7 @@ CVE-2014-8358 (Huawei EC156, EC176, and EC177 USB 
Modem products with software b
        NOT-FOR-US: Huawei
 CVE-2014-8357 (backupsettings.html in the web administrative portal in Zhone 
zNID GPO ...)
        NOT-FOR-US: ZHONE Router
-CVE-2014-8356
-       RESERVED
+CVE-2014-8356 (The web administrative portal in Zhone zNID 2426A before 
S3.0.501 allo ...)
        NOT-FOR-US: ZHONE Router
 CVE-2014-8353
        RESERVED
@@ -230890,12 +230942,10 @@ CVE-2014-5269 (Plack::App::File in Plack before 
1.0031 removes trailing slash ch
        - libplack-perl 1.0031-1
        [wheezy] - libplack-perl 0.9989-1+deb7u1
        NOTE: https://github.com/plack/Plack/issues/405
-CVE-2014-5255 [Insecure use of temporary file related to the 
/tmp/get_infos_dvd.sh]
-       RESERVED
+CVE-2014-5255 (xcfa before 5.0.1 creates temporary files insecurely which 
could allow ...)
        - xcfa 5.0.1-1 (unimportant; bug #756600)
        NOTE: Neutralised by kernel temp hardening
-CVE-2014-5254 [Symlink following issues]
-       RESERVED
+CVE-2014-5254 (xcfa before 5.0.1 creates temporary files insecurely which 
could allow ...)
        - xcfa 5.0.1-1 (unimportant; bug #756600)
        NOTE: Not exploitable with kernel hardening since wheezy
 CVE-2014-XXXX [Enforce use of HTTPS for MathJax in IPython]
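Review bot: after this change CVE-2014-5255 and CVE-2014-5254 have the identical truncated description "xcfa before 5.0.1 creates temporary files insecurely which could allow ...", the same fixed version and the same bug reference, while the bracketed titles that distinguished them ("Insecure use of temporary file related to the /tmp/get_infos_dvd.sh" versus "Symlink following issues") are dropped; consider carrying those titles into a NOTE so the two records stay distinguishable. The two NOTE lines also describe what looks like the same mitigation in different words ("Neutralised by kernel temp hardening" and "Not exploitable with kernel hardening since wheezy"); harmonising them, ideally naming the kernel setting relied on, would make the unimportant rating easier to audit.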
@@ -237218,8 +237268,7 @@ CVE-2014-2983 (Drupal 6.x before 6.31 and 7.x before 
7.27 does not properly isol
        - drupal7 7.27-1
        - drupal6 <removed>
        NOTE: https://drupal.org/SA-CORE-2014-002
-CVE-2014-2904
-       RESERVED
+CVE-2014-2904 (wolfssl before 3.2.0 has a server certificate that is not 
properly aut ...)
        - cyassl <removed> (bug #770229)
        - wolfssl 3.4.8+dfsg-1 (bug #792646)
        NOTE: wolfssl actually fixed with the initial upload to unstable after 
the rename
@@ -237229,14 +237278,12 @@ CVE-2014-2903 (CyaSSL does not check the key usage 
extension in leaf certificate
        - wolfssl 3.4.8+dfsg-1 (bug #792646)
        NOTE: wolfssl actually fixed with the initial upload to unstable after 
the rename
        NOTE: according to maintainer addressed in 3.2.0 upstream
-CVE-2014-2902
-       RESERVED
+CVE-2014-2902 (wolfssl before 3.2.0 does not properly authorize CA certificate 
for si ...)
        - cyassl <removed> (bug #770229)
        - wolfssl 3.4.8+dfsg-1 (bug #792646)
        NOTE: wolfssl actually fixed with the initial upload to unstable after 
the rename
        NOTE: according to maintainer addressed in 3.2.0 upstream
-CVE-2014-2901
-       RESERVED
+CVE-2014-2901 (wolfssl before 3.2.0 does not properly issue certificates for a 
server ...)
        - cyassl <removed> (bug #770229)
        - wolfssl 3.4.8+dfsg-1 (bug #792646)
        NOTE: wolfssl actually fixed with the initial upload to unstable after 
the rename
@@ -255303,14 +255350,14 @@ CVE-2013-3316
        RESERVED
 CVE-2013-3315 (The server in TIBCO Silver Mobile 1.1.0 does not properly 
verify acces ...)
        NOT-FOR-US: TIBCO
-CVE-2013-3314
-       RESERVED
-CVE-2013-3313
-       RESERVED
-CVE-2013-3312
-       RESERVED
-CVE-2013-3311
-       RESERVED
+CVE-2013-3314 (The Loftek Nexus 543 IP Camera allows remote attackers to 
obtain (1) I ...)
+       TODO: check
+CVE-2013-3313 (The Loftek Nexus 543 IP Camera stores passwords in cleartext, 
which al ...)
+       TODO: check
+CVE-2013-3312 (Multiple cross-site request forgery (CSRF) vulnerabilities in 
the Loft ...)
+       TODO: check
+CVE-2013-3311 (Directory traversal vulnerability in the Loftek Nexus 543 IP 
Camera al ...)
+       TODO: check
 CVE-2013-3310
        RESERVED
 CVE-2009-5135 (The Java XML parser in Echo before 2.1.1 and 3.x before 3.0.b6 
allows  ...)
@@ -276488,11 +276535,9 @@ CVE-2012-2081 (The Organic Groups (OG) module 
6.x-2.x before 6.x-2.3 for Drupal
        NOT-FOR-US: Drupal addon module not packaged in Debian
 CVE-2012-2080 (Cross-site request forgery (CSRF) vulnerability in the Node 
Limit Numb ...)
        NOT-FOR-US: Drupal addon module not packaged in Debian
-CVE-2012-2079
-       RESERVED
+CVE-2012-2079 (A cross-site request forgery (CSRF) vulnerability in the 
Activity modu ...)
        NOT-FOR-US: Drupal addon module not packaged in Debian
-CVE-2012-2078
-       RESERVED
+CVE-2012-2078 (Cross-site scripting (XSS) vulnerability in the Activity module 
6.x-1. ...)
        NOT-FOR-US: Drupal addon module not packaged in Debian
 CVE-2012-2077 (Cross-site request forgery (CSRF) vulnerability in the 
ShareThis modul ...)
        NOT-FOR-US: Drupal addon module not packaged in Debian
@@ -277579,8 +277624,7 @@ CVE-2012-1639 (Multiple cross-site scripting (XSS) 
vulnerabilities in product/co
        NOT-FOR-US: Drupal addon module not packaged in Debian
 CVE-2012-1638 (SQL injection vulnerability in the Search Autocomplete module 
before 7 ...)
        NOT-FOR-US: Drupal addon module not packaged in Debian
-CVE-2012-1637
-       RESERVED
+CVE-2012-1637 (Cross-site scripting vulnerability (XSS) in the Quick Tabs 
module 6.x- ...)
        NOT-FOR-US: Drupal addon module not packaged in Debian
 CVE-2012-1636 (Cross-site request forgery (CSRF) vulnerability in the 
stickynote modu ...)
        NOT-FOR-US: Drupal addon module not packaged in Debian
@@ -279073,8 +279117,8 @@ CVE-2002-2483
        - linux-2.6 2.4.20
 CVE-2012-1002 (SQL injection vulnerability in author/edit.php in OpenConf 4.x 
before  ...)
        NOT-FOR-US: OpenConf
-CVE-2012-1001
-       RESERVED
+CVE-2012-1001 (Multiple cross-site scripting (XSS) vulnerabilities in Chyrp 
before 2. ...)
+       TODO: check
 CVE-2012-1000 (Multiple cross-site scripting (XSS) vulnerabilities in LEPTON 
1.1.3 an ...)
        NOT-FOR-US: LEPTON
 CVE-2012-0999 (SQL injection vulnerability in modules/news/rss.php in LEPTON 
before 1 ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ae59d95a6aec91c2a7aacf0440196531e838411c



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
