Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
e9bbf74f by security tracker role at 2019-12-10T20:10:21Z
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,97 @@
+CVE-2020-2509
+ RESERVED
+CVE-2020-2508
+ RESERVED
+CVE-2020-2507
+ RESERVED
+CVE-2020-2506
+ RESERVED
+CVE-2020-2505
+ RESERVED
+CVE-2020-2504
+ RESERVED
+CVE-2020-2503
+ RESERVED
+CVE-2020-2502
+ RESERVED
+CVE-2020-2501
+ RESERVED
+CVE-2020-2500
+ RESERVED
+CVE-2020-2499
+ RESERVED
+CVE-2020-2498
+ RESERVED
+CVE-2020-2497
+ RESERVED
+CVE-2020-2496
+ RESERVED
+CVE-2020-2495
+ RESERVED
+CVE-2020-2494
+ RESERVED
+CVE-2020-2493
+ RESERVED
+CVE-2020-2492
+ RESERVED
+CVE-2020-2491
+ RESERVED
+CVE-2020-2490
+ RESERVED
+CVE-2019-19701
+ RESERVED
+CVE-2019-19700
+ RESERVED
+CVE-2019-19699
+ RESERVED
+CVE-2019-19698 (marc-q libwav through 2017-04-20 has a NULL pointer
dereference in wav ...)
+ TODO: check
+CVE-2019-19697
+ RESERVED
+CVE-2019-19696
+ RESERVED
+CVE-2019-19695
+ RESERVED
+CVE-2019-19694
+ RESERVED
+CVE-2019-19693
+ RESERVED
+CVE-2019-19692
+ RESERVED
+CVE-2019-19691
+ RESERVED
+CVE-2019-19690
+ RESERVED
+CVE-2019-19689
+ RESERVED
+CVE-2019-19688
+ RESERVED
+CVE-2019-19687 (OpenStack Keystone 15.0.0 and 16.0.0 is affected by Data
Leakage in th ...)
+ TODO: check
+CVE-2019-19686
+ RESERVED
+CVE-2019-19685 (RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable
to CSRF ...)
+ TODO: check
+CVE-2019-19684 (nopCommerce v4.2.0 allows privilege escalation via file upload
in Pres ...)
+ TODO: check
+CVE-2019-19683 (RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable
to ../ ...)
+ TODO: check
+CVE-2019-19682 (nopCommerce through 4.20 allows XSS in the SaveStoreMappings
of the co ...)
+ TODO: check
+CVE-2019-19681
+ RESERVED
+CVE-2019-19680
+ RESERVED
+CVE-2019-19679 (In "Xray Test Management for Jira" prior to version 3.5.5,
remote auth ...)
+ TODO: check
+CVE-2019-19678 (In "Xray Test Management for Jira" prior to version 3.5.5,
remote auth ...)
+ TODO: check
+CVE-2019-19677
+ RESERVED
+CVE-2019-19676
+ RESERVED
+CVE-2019-19675
+ RESERVED
CVE-2019-19674
RESERVED
CVE-2019-19673
@@ -55,10 +149,10 @@ CVE-2019-19648 (In the macho_parse_file functionality in
macho/macho.c of YARA 3
NOTE: https://github.com/VirusTotal/yara/issues/1178
CVE-2019-19647 (radare2 through 4.0.0 lacks validation of the content variable
in the ...)
TODO: check
-CVE-2019-19646
- RESERVED
-CVE-2019-19645
- RESERVED
+CVE-2019-19646 (pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an
integrity_ ...)
+ TODO: check
+CVE-2019-19645 (alter.c in SQLite through 3.30.1 allows attackers to trigger
infinite ...)
+ TODO: check
CVE-2019-19644
RESERVED
CVE-2019-19643
@@ -100,6 +194,7 @@ CVE-2019-19632
CVE-2019-19631
RESERVED
CVE-2019-19630 (HTMLDOC 1.9.7 allows a stack-based buffer overflow in the
hd_strlcpy() ...)
+ {DLA-2026-1}
- htmldoc <unfixed> (low)
[buster] - htmldoc <no-dsa> (Minor issue)
[stretch] - htmldoc <no-dsa> (Minor issue)
@@ -173,8 +268,8 @@ CVE-2019-19604
NOTE: version for sake of robustness/hardening. In particular, the
server-side protection
NOTE: provided by the fsck is useful for protecting unpatched clients
that are affected
NOTE: by the bug.
-CVE-2019-19603
- RESERVED
+CVE-2019-19603 (SQLite 3.30.1, during handling of CREATE TABLE and CREATE VIEW
stateme ...)
+ TODO: check
CVE-2019-19601 (OpenDetex 2.8.5 has a Buffer Overflow in TexOpen in detex.l
because of ...)
- texlive-bin <undetermined>
NOTE: https://github.com/pkubowicz/opendetex/issues/60
@@ -2665,8 +2760,8 @@ CVE-2019-19252 (vcs_write in drivers/tty/vt/vc_screen.c
in the Linux kernel thro
[stretch] - linux <not-affected> (Vulnerability introduced later)
[jessie] - linux <not-affected> (Vulnerability introduced later)
NOTE:
https://lore.kernel.org/lkml/[email protected]/
-CVE-2019-19251
- RESERVED
+CVE-2019-19251 (The Last.fm desktop app (Last.fm Scrobbler) through 2.1.39 on
macOS ma ...)
+ TODO: check
CVE-2019-19250 (OpenTrade before 2019-11-23 allows SQL injection, related to
server/mo ...)
NOT-FOR-US: OpenTrade
CVE-2019-19249 (Controllers/InvitationsController.cs in QueryTree before
3.0.99-beta m ...)
@@ -2717,8 +2812,8 @@ CVE-2019-19232
RESERVED
CVE-2019-19231
RESERVED
-CVE-2019-19230
- RESERVED
+CVE-2019-19230 (An unsafe deserialization vulnerability exists in CA Release
Automatio ...)
+ TODO: check
CVE-2019-19229 (admincgi-bin/service.fcgi on Fronius Solar Inverter devices
before 3.1 ...)
NOT-FOR-US: Fronius Solar Inverter devices
CVE-2019-19228 (Fronius Solar Inverter devices before 3.14.1 (HM 1.12.1) allow
attacke ...)
@@ -6258,16 +6353,19 @@ CVE-2019-18680 (An issue was discovered in the Linux
kernel 4.4.x before 4.4.195
- linux <not-affected> (Vulnerable code not present)
NOTE: https://lkml.org/lkml/2019/9/18/337
CVE-2019-18679 (An issue was discovered in Squid 2.x, 3.x, and 4.x through
4.8. Due to ...)
+ {DLA-2028-1}
- squid 4.9-1
- squid3 <removed>
NOTE: Squid 4:
http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch
NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_11.txt
CVE-2019-18678 (An issue was discovered in Squid 3.x and 4.x through 4.8. It
allows at ...)
+ {DLA-2028-1}
- squid 4.9-1
- squid3 <removed>
NOTE: Squid 4:
http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch
NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_10.txt
CVE-2019-18677 (An issue was discovered in Squid 3.x and 4.x through 4.8 when
the appe ...)
+ {DLA-2028-1}
- squid 4.9-1
- squid3 <removed>
NOTE: Squid 4:
http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch
@@ -7162,8 +7260,8 @@ CVE-2019-18382 (An issue was discovered on AVStar PE204
3.10.70 IP camera device
NOT-FOR-US: AVStar PE204
CVE-2019-18381 (Norton Password Manager, prior to 6.6.2.5, may be susceptible
to a cro ...)
NOT-FOR-US: Norton Password Manager
-CVE-2019-18380
- RESERVED
+CVE-2019-18380 (Symantec Industrial Control System Protection (ICSP), versions
6.x.x, ...)
+ TODO: check
CVE-2019-18379
RESERVED
CVE-2019-18378
@@ -8596,8 +8694,8 @@ CVE-2019-18192 (GNU Guix 1.0.1 allows local users to gain
access to an arbitrary
NOTE: https://issues.guix.gnu.org/issue/37744
CVE-2019-18191
RESERVED
-CVE-2019-18190
- RESERVED
+CVE-2019-18190 (Trend Micro Security (Consumer) 2020 (v16.x) is affected by a
vulnerab ...)
+ TODO: check
CVE-2019-18189 (A directory traversal vulnerability in Trend Micro Apex One,
OfficeSca ...)
NOT-FOR-US: Trend Micro
CVE-2019-18188 (Trend Micro Apex One could be exploited by an attacker
utilizing a com ...)
@@ -10138,6 +10236,7 @@ CVE-2019-17533 (Mat_VarReadNextInfo4 in mat4.c in MATIO
1.5.17 omits a certain '
CVE-2019-17532 (An issue was discovered on Belkin Wemo Switch 28B
WW_2.00.11057.PVT-OW ...)
NOT-FOR-US: Belkin
CVE-2019-17531 (A Polymorphic Typing issue was discovered in FasterXML
jackson-databin ...)
+ {DLA-2030-1}
- jackson-databind <unfixed>
NOTE: https://github.com/FasterXML/jackson-databind/issues/2498
NOTE:
https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0
@@ -10808,6 +10907,7 @@ CVE-2019-17269 (Intellian Remote Access 3.18 allows
remote attackers to execute
CVE-2019-17268
RESERVED
CVE-2019-17267 (A Polymorphic Typing issue was discovered in FasterXML
jackson-databin ...)
+ {DLA-2030-1}
- jackson-databind 2.10.0-1
NOTE: https://github.com/FasterXML/jackson-databind/issues/2460
NOTE:
https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb
@@ -11398,6 +11498,7 @@ CVE-2019-17013
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17013
CVE-2019-17012
RESERVED
+ {DSA-4580-1 DLA-2029-1}
- firefox 71.0-1
- firefox-esr 68.3.0esr-1
- thunderbird 1:68.3.0-1
@@ -11406,6 +11507,7 @@ CVE-2019-17012
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-38/#CVE-2019-17012
CVE-2019-17011
RESERVED
+ {DSA-4580-1 DLA-2029-1}
- firefox 71.0-1
- firefox-esr 68.3.0esr-1
- thunderbird 1:68.3.0-1
@@ -11414,6 +11516,7 @@ CVE-2019-17011
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-38/#CVE-2019-17011
CVE-2019-17010
RESERVED
+ {DSA-4580-1 DLA-2029-1}
- firefox 71.0-1
- firefox-esr 68.3.0esr-1
- thunderbird 1:68.3.0-1
@@ -11430,6 +11533,7 @@ CVE-2019-17009
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-38/#CVE-2019-17009
CVE-2019-17008
RESERVED
+ {DSA-4580-1 DLA-2029-1}
- firefox 71.0-1
- firefox-esr 68.3.0esr-1
- thunderbird 1:68.3.0-1
@@ -11449,6 +11553,7 @@ CVE-2019-17006
RESERVED
CVE-2019-17005
RESERVED
+ {DSA-4580-1 DLA-2029-1}
- firefox 71.0-1
- firefox-esr 68.3.0esr-1
- thunderbird 1:68.3.0-1
@@ -13179,7 +13284,7 @@ CVE-2019-16350 (ffjpeg before 2019-08-18 has a NULL
pointer dereference in idct2
NOT-FOR-US: ffjpeg
CVE-2019-16349 (Bento4 1.5.1-628 has a NULL pointer dereference in
AP4_ByteStream::Rea ...)
NOT-FOR-US: Bento4
-CVE-2019-16348 (marc-q libwav through 2019-08-15 has a NULL pointer
dereference in gai ...)
+CVE-2019-16348 (marc-q libwav through 2017-04-20 has a NULL pointer
dereference in gai ...)
NOT-FOR-US: libwav
CVE-2019-16347 (ngiflib 0.4 has a heap-based buffer overflow in WritePixels()
in ngifl ...)
NOT-FOR-US: ngiflib
@@ -13531,7 +13636,7 @@ CVE-2016-10939 (The xtremelocator plugin 1.5 for
WordPress has SQL injection via
CVE-2016-10938 (The copy-me plugin 1.0.0 for WordPress has CSRF for copying
non-public ...)
NOT-FOR-US: Wordpress plugin
CVE-2019-16255 (Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through
2.6.4 allow ...)
- {DLA-2007-1}
+ {DLA-2027-1 DLA-2007-1}
- ruby2.5 2.5.7-1
- ruby2.3 <removed>
- ruby2.1 <removed>
@@ -13539,7 +13644,7 @@ CVE-2019-16255 (Ruby through 2.4.7, 2.5.x through
2.5.6, and 2.6.x through 2.6.4
NOTE:
https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
NOTE: ruby2.5:
https://github.com/ruby/ruby/commit/3af01ae1101e0b8815ae5a106be64b0e82a58640
CVE-2019-16254 (Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through
2.6.4 allow ...)
- {DLA-2007-1}
+ {DLA-2027-1 DLA-2007-1}
- ruby2.5 2.5.7-1
- ruby2.3 <removed>
- ruby2.1 <removed>
@@ -13721,7 +13826,7 @@ CVE-2019-16203
CVE-2019-16202 (MISP before 2.4.115 allows privilege escalation in certain
situations. ...)
NOT-FOR-US: MISP
CVE-2019-16201 (WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x
through 2.5 ...)
- {DLA-2007-1}
+ {DLA-2027-1 DLA-2007-1}
- ruby2.5 2.5.7-1
- ruby2.3 <removed>
- ruby2.1 <removed>
@@ -20233,8 +20338,8 @@ CVE-2019-14253 (An issue was discovered in
servletcontroller in the secure porta
NOT-FOR-US: Publisure
CVE-2019-14252 (An issue was discovered in the secure portal in Publisure
2.1.2. Once ...)
NOT-FOR-US: Publisure
-CVE-2019-14251
- RESERVED
+CVE-2019-14251 (An issue was discovered in T24 in TEMENOS Channels R15.01. The
login p ...)
+ TODO: check
CVE-2019-14250 (An issue was discovered in GNU libiberty, as distributed in
GNU Binuti ...)
- binutils 2.33-1 (unimportant)
NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90924
@@ -25645,6 +25750,7 @@ CVE-2019-12527 (An issue was discovered in Squid 4.0.23
through 4.7. When checki
NOTE: than the length of the target buffer, whilst in 4.x the entire
input is decoded
NOTE: without regard for the size of the target buffer.
CVE-2019-12526 (An issue was discovered in Squid before 4.9. URN response
handling in ...)
+ {DLA-2028-1}
- squid 4.9-1
- squid3 <removed>
NOTE: Squid 4:
http://www.squid-cache.org/Versions/v4/changesets/squid-4-7aa0184a720fd216191474e079f4fe87de7c4f5a.patch
@@ -25993,7 +26099,7 @@ CVE-2019-12426
CVE-2019-12425
RESERVED
CVE-2019-12424
- RESERVED
+ REJECTED
CVE-2019-12423
RESERVED
CVE-2019-12422 (Apache Shiro before 1.4.2, when using the default "remember
me" config ...)
@@ -26589,6 +26695,7 @@ CVE-2019-12214 (In FreeImage 3.18.0, an out-of-bounds
access occurs because of m
[stretch] - freeimage <postponed> (Revisit when upstream fixes are
available)
NOTE:
https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/
CVE-2019-12213 (When FreeImage 3.18.0 reads a special TIFF file, the
TIFFReadDirectory ...)
+ {DLA-2031-1}
- freeimage <unfixed> (bug #929597)
[buster] - freeimage <postponed> (Revisit when upstream fixes are
available)
[stretch] - freeimage <postponed> (Revisit when upstream fixes are
available)
@@ -26600,6 +26707,7 @@ CVE-2019-12212 (When FreeImage 3.18.0 reads a special
JXR file, the StreamCalcIF
[stretch] - freeimage <postponed> (Revisit when upstream fixes are
available)
NOTE:
https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/
CVE-2019-12211 (When FreeImage 3.18.0 reads a tiff file, it will be handed to
the Load ...)
+ {DLA-2031-1}
- freeimage <unfixed> (bug #929597)
[buster] - freeimage <postponed> (Revisit when upstream fixes are
available)
[stretch] - freeimage <postponed> (Revisit when upstream fixes are
available)
@@ -43877,8 +43985,8 @@ CVE-2019-6194
RESERVED
CVE-2019-6193
RESERVED
-CVE-2019-6192
- RESERVED
+CVE-2019-6192 (A potential vulnerability has been reported in Lenovo Power
Management ...)
+ TODO: check
CVE-2019-6191 (A potential vulnerability in the discontinued LenovoPaper
software ver ...)
NOT-FOR-US: Lenovo
CVE-2019-6190
@@ -43895,8 +44003,8 @@ CVE-2019-6185
RESERVED
CVE-2019-6184 (A potential vulnerability in the discontinued Customer
Engagement Serv ...)
NOT-FOR-US: Lenovo
-CVE-2019-6183
- RESERVED
+CVE-2019-6183 (A denial of service vulnerability has been reported in Lenovo
Energy M ...)
+ TODO: check
CVE-2019-6182 (A stored CSV Injection vulnerability was reported in Lenovo
XClarity A ...)
NOT-FOR-US: Lenovo
CVE-2019-6181 (A reflected cross-site scripting (XSS) vulnerability was
reported in L ...)
@@ -47554,8 +47662,8 @@ CVE-2019-4665
RESERVED
CVE-2019-4664
RESERVED
-CVE-2019-4663
- RESERVED
+CVE-2019-4663 (IBM WebSphere Application Server - Liberty is vulnerable to
cross-site ...)
+ TODO: check
CVE-2019-4662
RESERVED
CVE-2019-4661
@@ -47638,8 +47746,8 @@ CVE-2019-4623
RESERVED
CVE-2019-4622
RESERVED
-CVE-2019-4621
- RESERVED
+CVE-2019-4621 (IBM DataPower Gateway 7.6.0.0-7 throug 6.0.14 and 2018.4.1.0
through 2 ...)
+ TODO: check
CVE-2019-4620
RESERVED
CVE-2019-4619
@@ -47656,10 +47764,10 @@ CVE-2019-4614
RESERVED
CVE-2019-4613
RESERVED
-CVE-2019-4612
- RESERVED
-CVE-2019-4611
- RESERVED
+CVE-2019-4612 (IBM Planning Analytics 2.0 is vulnerable to malicious file
upload in t ...)
+ TODO: check
+CVE-2019-4611 (IBM Planning Analytics 2.0 is vulnerable to cross-site
scripting. This ...)
+ TODO: check
CVE-2019-4610
RESERVED
CVE-2019-4609
@@ -47838,8 +47946,8 @@ CVE-2019-4523 (IBM DB2 High Performance Unload load for
LUW 6.1 and 6.5 is vulne
NOT-FOR-US: IBM
CVE-2019-4522
RESERVED
-CVE-2019-4521
- RESERVED
+CVE-2019-4521 (Platform System Manager in IBM Cloud Pak System 2.3 is
potentially vul ...)
+ TODO: check
CVE-2019-4520 (IBM Security Directory Server 6.4.0 uses an inadequate account
lockout ...)
NOT-FOR-US: IBM
CVE-2019-4519
@@ -48024,8 +48132,8 @@ CVE-2019-4430 (IBM Maximo Asset Management 7.6 could
allow a remote attacker to
NOT-FOR-US: IBM
CVE-2019-4429
RESERVED
-CVE-2019-4428
- RESERVED
+CVE-2019-4428 (IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through
1.3.0 is ...)
+ TODO: check
CVE-2019-4427
RESERVED
CVE-2019-4426
@@ -48392,8 +48500,8 @@ CVE-2019-4246 (IBM Daeja ViewONE Virtual 5.0 through
5.0.6 could expose internal
NOT-FOR-US: IBM
CVE-2019-4245
RESERVED
-CVE-2019-4244
- RESERVED
+CVE-2019-4244 (IBM SmartCloud Analytics 1.3.1 through 1.3.5 could allow a
remote atta ...)
+ TODO: check
CVE-2019-4243 (IBM SmartCloud Analytics 1.3.1 through 1.3.5 allows
unauthorized discl ...)
NOT-FOR-US: IBM
CVE-2019-4242
@@ -48690,8 +48798,8 @@ CVE-2019-4097
RESERVED
CVE-2019-4096
RESERVED
-CVE-2019-4095
- RESERVED
+CVE-2019-4095 (IBM Cloud Pak System 2.3 is vulnerable to cross-site request
forgery w ...)
+ TODO: check
CVE-2019-4094 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect
Server) 9.7, ...)
NOT-FOR-US: IBM
CVE-2019-4093 (IBM Tivoli Storage Manager (IBM Spectrum Protect 8.1.7) could
allow a ...)
@@ -58100,6 +58208,7 @@ CVE-2019-1388 (An elevation of privilege vulnerability
exists in the Windows Cer
NOT-FOR-US: Microsoft
CVE-2019-1387
RESERVED
+ {DSA-4581-1}
- git 1:2.24.0-2
NOTE:
https://git.kernel.org/pub/scm/git/git.git/commit/?id=a8dee3ca610f5a1d403634492136c887f83b59d2
CVE-2019-1386
@@ -58173,10 +58282,12 @@ CVE-2019-1354
NOTE:
https://git.kernel.org/pub/scm/git/git.git/commit/?id=e1d911dd4c7b76a5a8cec0f5c8de15981e34da83
CVE-2019-1353
RESERVED
+ {DSA-4581-1}
- git 1:2.24.0-2
NOTE:
https://git.kernel.org/pub/scm/git/git.git/commit/?id=9102f958ee5254b10c0be72672aa3305bf4f4704
CVE-2019-1352
RESERVED
+ {DSA-4581-1}
- git 1:2.24.0-2
NOTE:
https://git.kernel.org/pub/scm/git/git.git/commit/?id=7c3745fc6185495d5765628b4dfe1bd2c25a2981
CVE-2019-1351
@@ -58191,10 +58302,12 @@ CVE-2019-1350
NOTE:
https://git.kernel.org/pub/scm/git/git.git/commit/?id=6d8684161ee9c03bed5cb69ae76dfdddb85a0003
CVE-2019-1349
RESERVED
+ {DSA-4581-1}
- git 1:2.24.0-2
NOTE:
https://git.kernel.org/pub/scm/git/git.git/commit/?id=0060fd1511b94c918928fa3708f69a3f33895a4a
CVE-2019-1348
RESERVED
+ {DSA-4581-1}
- git 1:2.24.0-2
NOTE:
https://git.kernel.org/pub/scm/git/git.git/commit/?id=68061e3470210703cb15594194718d35094afdc0
CVE-2019-1347 (A denial of service vulnerability exists when Windows
improperly handl ...)
@@ -67254,7 +67367,7 @@ CVE-2018-17187 (The Apache Qpid Proton-J transport
includes an optional wrapper
CVE-2018-17186 (An administrator with workflow definition entitlements can use
DTD to ...)
NOT-FOR-US: Apache Syncope
CVE-2018-17185
- RESERVED
+ REJECTED
CVE-2018-17184 (A malicious user with enough administration entitlements can
inject ht ...)
NOT-FOR-US: Apache Syncope
CVE-2018-17182 (An issue was discovered in the Linux kernel through 4.18.8.
The vmacac ...)
@@ -105549,7 +105662,7 @@ CVE-2017-17744 (A cross-site scripting (XSS)
vulnerability in the custom-map plu
CVE-2017-17743 (Improper input sanitization within the restricted
administration shell ...)
NOT-FOR-US: UCOPIA Wireless Appliance
CVE-2017-17742 (Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4,
2.5.x befo ...)
- {DSA-4259-1 DLA-1421-1 DLA-1359-1 DLA-1358-1}
+ {DSA-4259-1 DLA-2027-1 DLA-1421-1 DLA-1359-1 DLA-1358-1}
- ruby2.5 2.5.1-1
- ruby2.3 <removed>
- ruby2.1 <removed>
@@ -177156,8 +177269,7 @@ CVE-2016-1000110 (The CGIHandler class in Python
before 2.7.12 does not protect
CVE-2016-1000109
RESERVED
- hhvm 3.12.11+dfsg-1 (unimportant)
-CVE-2016-1000107
- RESERVED
+CVE-2016-1000107 (inets in Erlang possibly 22.1 and earlier follows RFC 3875
section 4.1 ...)
- erlang <unfixed> (unimportant)
NOTE: https://bugs.erlang.org/browse/ERL-198
NOTE: No part of Erlang does set HTTP_PROXY based on a Proxy: header,
just hardening
@@ -179745,8 +179857,7 @@ CVE-2016-1000111
NOTE:
https://github.com/twisted/twisted/commit/bcac75e6180c9eee4337322c109eb5d1cac51165
NOTE: No part of Twisted does set HTTP_PROXY based on a Proxy: header,
upstream plans
NOTE: to drop related CGI code in future release
-CVE-2016-1000108
- RESERVED
+CVE-2016-1000108 (yaws before 2.0.4 does not attempt to address RFC 3875
section 4.1.18 ...)
- yaws 2.0.3-2 (bug #832433)
[jessie] - yaws 1.98-4+deb8u1
[wheezy] - yaws <no-dsa> (Minor issue; can be fixed along with a future
DSA)
@@ -199551,8 +199662,8 @@ CVE-2015-7894 (The DCMProvider service in Samsung
LibQjpeg on a Samsung SM-G925V
NOT-FOR-US: Samsung
CVE-2015-7893 (SecEmailUI in Samsung Galaxy S6 does not sanitize HTML email
content, ...)
NOT-FOR-US: Samsung
-CVE-2015-7892
- RESERVED
+CVE-2015-7892 (Stack-based buffer overflow in the m2m1shot_compat_ioctl32
function in ...)
+ TODO: check
CVE-2015-7891 (Race condition in the ioctl implementation in the Samsung
Graphics 2D ...)
NOT-FOR-US: Samsung Graphics 2D driver on Samsung devices with Android
CVE-2015-7890
@@ -211994,10 +212105,10 @@ CVE-2015-3428
RESERVED
CVE-2015-3426
RESERVED
-CVE-2015-3425
- RESERVED
-CVE-2015-3424
- RESERVED
+CVE-2015-3425 (Cross-site scripting (XSS) vulnerability in Accentis Content
Resource ...)
+ TODO: check
+CVE-2015-3424 (SQL injection vulnerability in Accentis Content Resource
Management Sy ...)
+ TODO: check
CVE-2015-3423
RESERVED
CVE-2015-3422 (Cross-site scripting (XSS) vulnerability in SearchBlox before
8.2.1 al ...)
@@ -216942,8 +217053,7 @@ CVE-2015-1854 (389 Directory Server before 1.3.3.10
allows attackers to bypass i
{DLA-1428-1}
- 389-ds-base 1.3.3.10-1 (bug #783923)
NOTE: Patch applied to CentOS package:
https://git.centos.org/raw/rpms!389-ds-base.git!/309aa9ee631432d72c845f70df2ce6475055423b/SOURCES!0062-CVE-2015-1854-389ds-base-access-control-bypass-with-.patch
-CVE-2015-1853 [authentication doesn't protect symmetric associations against
DoS attacks]
- RESERVED
+CVE-2015-1853 (chrony before 1.31.1 does not properly protect state variables
in auth ...)
{DSA-3222-1 DLA-193-1}
- chrony 1.30-2 (bug #782160)
NOTE: Fix:
http://git.tuxfamily.org/chrony/chrony.git/commit/?h=1.31-security&id=d856bd34c4862398411d29200520e3a3b1d4569e
@@ -220718,8 +220828,7 @@ CVE-2015-0842 [SQL injection issues (potential auth
bypass)]
- yubiserver 0.6-1 (bug #796495)
[jessie] - yubiserver <no-dsa> (Minor issue)
[wheezy] - yubiserver <no-dsa> (Minor issue)
-CVE-2015-0841 [off-by-one buffer overflow in Listener::checkActivity in
libcapsinetwork/monopd]
- RESERVED
+CVE-2015-0841 (Off-by-one error in the readBuf function in listener.cpp in
libcapsine ...)
- libcapsinetwork <removed> (bug #781044; unimportant)
[experimental] - monopd 0.9.8-1
- monopd <unfixed> (bug #781043; unimportant)
@@ -237888,8 +237997,7 @@ CVE-2014-3657 (The virDomainListPopulate function in
conf/domain_conf.c in libvi
[squeeze] - libvirt <not-affected> (Vulnerable code introduced later)
NOTE: Upstream fix:
http://libvirt.org/git/?p=libvirt.git;a=commit;h=fc22b2e74890873848b43fffae43025d22053669
(v1.2.9)
NOTE: Introduced by:
libvirt.org/git/?p=libvirt.git;a=commit;h=2c6808044408fba9ff9547ad88bb8a0f44ee21a0
(v0.10.0-rc0)
-CVE-2014-3656
- RESERVED
+CVE-2014-3656 (JBoss KeyCloak: XSS in login-status-iframe.html ...)
NOT-FOR-US: JBoss KeyCloak
CVE-2014-3655 (JBoss KeyCloak is vulnerable to soft token deletion via CSRF
...)
NOT-FOR-US: JBoss KeyCloak
@@ -248020,8 +248128,7 @@ CVE-2014-0244 (The sys_recvfrom function in nmbd in
Samba 3.6.x before 3.6.24, 4
CVE-2014-0243 (Check_MK through 1.2.5i2p1 allows local users to read arbitrary
files ...)
- check-mk <not-affected> (Vulnerable code not present)
NOTE: https://www.lsexperts.de/advisories/lse-2014-05-21.txt
-CVE-2014-0242 [information disclosure via Content-Type response header]
- RESERVED
+CVE-2014-0242 (mod_wsgi module before 3.4 for Apache, when used in embedded
mode, mig ...)
{DSA-2937-1}
- mod-wsgi 3.4-3
NOTE:
https://github.com/GrahamDumpleton/mod_wsgi/commit/b0a149c1f5e569932325972e2e20176a42e43517
@@ -256252,8 +256359,7 @@ CVE-2013-4186
CVE-2013-4185 (Algorithmic complexity vulnerability in OpenStack Compute
(Nova) befor ...)
- nova 2013.1.2-3 (low; bug #718907)
[wheezy] - nova <no-dsa> (Minor issue)
-CVE-2013-4184 [symlink attacks]
- RESERVED
+CVE-2013-4184 (Perl module Data::UUID from CPAN version 1.219 vulnerable to
symlink a ...)
- libdata-uuid-perl <unfixed> (unimportant; bug #718949)
NOTE: https://github.com/rjbs/Data-UUID/issues/5
NOTE: Neutralised by kernel temp hardening
@@ -256431,8 +256537,7 @@ CVE-2013-4135 (The vos command in OpenAFS 1.6.x
before 1.6.5, when using the -en
CVE-2013-4134 (OpenAFS before 1.4.15, 1.6.x before 1.6.5, and 1.7.x before
1.7.26 use ...)
{DSA-2729-1}
- openafs 1.6.5-1
-CVE-2013-4133 [memory leak]
- RESERVED
+CVE-2013-4133 (kde-workspace before 4.10.5 has a memory leak in plasma desktop
...)
- kde-workspace 4:4.10.5-3 (unimportant; bug #717180)
NOTE: https://bugs.kde.org/show_bug.cgi?id=314919
NOTE: Plain bug, security implication rather far-fetched
@@ -256493,8 +256598,7 @@ CVE-2013-4122 (Cyrus SASL 2.1.23, 2.1.26, and earlier
does not properly handle w
NOTE: Was originally already fixed in 2.1.25.dfsg1-14 (cf. #716835)
CVE-2013-4121
REJECTED
-CVE-2013-4120
- RESERVED
+CVE-2013-4120 (Katello has a Denial of Service vulnerability in API OAuth
authenticat ...)
NOT-FOR-US: Katello
CVE-2013-4119 (FreeRDP before 1.1.0-beta+2013071101 allows remote attackers to
cause ...)
- freerdp <not-affected> (The server part is not build)
@@ -261343,8 +261447,7 @@ CVE-2013-2184 (Movable Type before 5.2.6 does not
properly use the Storable::tha
[squeeze] - movabletype-opensource <no-dsa> (Minor issue)
NOTE: http://seclists.org/oss-sec/2013/q2/568
NOTE:
http://www.movabletype.org/documentation/appendices/release-notes/movable-type-526-release-notes.html
-CVE-2013-2183
- RESERVED
+CVE-2013-2183 (Monkey HTTP Daemon has local security bypass ...)
- monkey <removed> (low)
[squeeze] - monkey <no-dsa> (Minor issue)
CVE-2013-2182 (The Mandril security plugin in Monkey HTTP Daemon (monkeyd)
before 1.5 ...)
@@ -261393,12 +261496,10 @@ CVE-2013-2168 (The _dbus_printf_string_upper_bound
function in dbus/dbus-sysdeps
{DSA-2707-1}
- dbus 1.6.12-1
[squeeze] - dbus <not-affected> (Introduced in 1.4.16)
-CVE-2013-2167 [middleware memcache signing bypass]
- RESERVED
+CVE-2013-2167 (python-keystoneclient version 0.2.3 to 0.2.5 has middleware
memcache s ...)
- python-keystoneclient 1:0.2.5-2 (bug #713819)
[wheezy] - python-keystoneclient <not-affected> (Vulnerable code not
present)
-CVE-2013-2166 [middleware memcache encryption bypass]
- RESERVED
+CVE-2013-2166 (python-keystoneclient version 0.2.3 to 0.2.5 has middleware
memcache e ...)
- python-keystoneclient 1:0.2.5-2 (bug #713819)
[wheezy] - python-keystoneclient <not-affected> (Vulnerable code not
present)
CVE-2013-2165 (ResourceBuilderImpl.java in the RichFaces 3.x through 5.x
implementati ...)
@@ -261421,8 +261522,7 @@ CVE-2013-2161 (XML injection vulnerability in
account/utils.py in OpenStack Swif
[wheezy] - swift 1.4.8-2+deb7u1
CVE-2013-2160 (The streaming XML parser in Apache CXF 2.5.x before 2.5.10,
2.6.x befo ...)
NOT-FOR-US: Apache CXF
-CVE-2013-2159 [monkey broken authentication]
- RESERVED
+CVE-2013-2159 (Monkey HTTP Daemon: broken user name authentication ...)
- monkey <removed>
[squeeze] - monkey <no-dsa> (Minor issue)
CVE-2013-2158 (Cross-site request forgery (CSRF) vulnerability in the Services
module ...)
@@ -261653,8 +261753,7 @@ CVE-2013-2097 [zPanel themes remote command execution
as root]
CVE-2013-2096 (OpenStack Compute (Nova) Folsom, Grizzly, and Havana does not
verify t ...)
- nova 2013.1.2-2 (low; bug #710157)
[wheezy] - nova <no-dsa> (Minor issue)
-CVE-2013-2095
- RESERVED
+CVE-2013-2095 (rubygem-openshift-origin-controller: API can be used to create
applica ...)
NOT-FOR-US: openshift-origin-controller Ruby Gem
CVE-2013-2094 (The perf_swevent_init function in kernel/events/core.c in the
Linux ke ...)
{DSA-2669-1}
@@ -262671,8 +262770,7 @@ CVE-2013-1795 (Integer overflow in ptserver in
OpenAFS before 1.6.2 allows remot
CVE-2013-1794 (Buffer overflow in certain client utilities in OpenAFS before
1.6.2 al ...)
{DSA-2638-1}
- openafs 1.6.1-3
-CVE-2013-1793
- RESERVED
+CVE-2013-1793 (openstack-utils openstack-db has insecure password creation ...)
NOT-FOR-US: openstack-utils
CVE-2013-1792 (Race condition in the install_user_keyrings function in
security/keys/ ...)
{DSA-2668-1}
@@ -263126,8 +263224,7 @@ CVE-2013-1690 (Mozilla Firefox before 22.0, Firefox
ESR 17.x before 17.0.7, Thun
- iceape <removed>
[squeeze] - iceape <end-of-life>
[wheezy] - iceape <end-of-life>
-CVE-2013-1689
- RESERVED
+CVE-2013-1689 (Mozilla Firefox 20.0a1 and earlier allows remote attackers to
cause a ...)
[wheezy] - iceape <end-of-life>
CVE-2013-1688 (The Profiler implementation in Mozilla Firefox before 22.0
parses untr ...)
- iceweasel <not-affected> (Only affects Firefox > 17)
@@ -267189,8 +267286,7 @@ CVE-2013-0343 (The ipv6_create_tempaddr function in
net/ipv6/addrconf.c in the L
- linux 3.10.11-1 (low)
[wheezy] - linux 3.2.51-1
- linux-2.6 <removed> (low)
-CVE-2013-0342 [CreateID() creates serialized packet IDs for RADIUS]
- RESERVED
+CVE-2013-0342 (The CreateID function in packet.py in pyrad before 2.1 uses
sequential ...)
- pyrad <unfixed> (low; bug #701151)
[buster] - pyrad <no-dsa> (Minor issue)
[stretch] - pyrad <no-dsa> (Minor issue)
@@ -267335,8 +267431,7 @@ CVE-2013-0294 [potentially predictable password
hashing]
- pyrad 2.0-2 (low; bug #700669)
[wheezy] - pyrad 1.2-1+deb7u2
[squeeze] - pyrad 1.2-1+deb6u1
-CVE-2013-0293 [Lock screen accepts F2 to drop to shell]
- RESERVED
+CVE-2013-0293 (oVirt Node: Lock screen accepts F2 to drop to shell causing
privilege ...)
- ovirt-node <itp> (bug #502024)
CVE-2013-0292 (The dbus_g_proxy_manager_filter function in dbus-gproxy in
Dbus-glib b ...)
- dbus-glib 0.100.1-1 (bug #700638; high)
@@ -270026,7 +270121,7 @@ CVE-2012-5621
(lib/engine/components/opal/opal-call.cpp in ekiga before 4.0.0 al
- ekiga 3.2.7-6 (bug #702282; low)
[squeeze] - ekiga <no-dsa> (Minor issue)
CVE-2012-5620
- RESERVED
+ REJECTED
NOT-FOR-US: Docecot non-issue, see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695138#15
CVE-2012-5619 (The Sleuth Kit (TSK) 4.0.1 does not properly handle "."
(dotfile) file ...)
- sleuthkit 4.1.2-1 (unimportant; bug #695097)
@@ -280725,8 +280820,7 @@ CVE-2012-1579 (The resource loader in MediaWiki
1.17.x before 1.17.3 and 1.18.x
- mediawiki <not-affected> (Vulnerable code not present, see bug
#666269)
CVE-2012-1578 (Multiple cross-site request forgery (CSRF) vulnerabilities in
MediaWik ...)
- mediawiki <not-affected> (Vulnerable code not present, see bug
#666269)
-CVE-2012-1577
- RESERVED
+CVE-2012-1577 (lib/libc/stdlib/random.c in OpenBSD returns 0 when seeded with
0. ...)
- dietlibc 0.33~cvs20120325-1 (unimportant)
CVE-2012-1576 (The myuser_delete function in libathemecore/account.c in Atheme
5.x be ...)
NOT-FOR-US: atheme
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/e9bbf74fc0a5a55b060fc1a22c17471ae0ebed22
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/e9bbf74fc0a5a55b060fc1a22c17471ae0ebed22
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
