[Git][security-tracker-team/security-tracker][master] 3 commits: Triage CVE-2018-18520 (elfutils) in jessie LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 96b0b4d6 by Chris Lamb at 2018-10-20T01:54:38Z Triage CVE-2018-18520 (elfutils) in jessie LTS. - - - - - a8f3a38c by Chris Lamb at 2018-10-20T01:55:17Z Triage CVE-2018-18521 (elfutils) for jessie LTS. - - - - - 7cf9b14a by Chris Lamb at 2018-10-20T01:56:59Z data/dla-needed.txt: Triage imagemagick for jessie. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -15,11 +15,13 @@ CVE-2018-18522 CVE-2018-18521 (Divide-by-zero vulnerabilities in the function arlib_add_symbols() in ...) - elfutils (low; bug #911413) [stretch] - elfutils (Minor issue) + [jessie] - elfutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23786 NOTE: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00055.html CVE-2018-18520 (An Invalid Memory Address Dereference exists in the function elf_end in ...) - elfutils (low; bug #911414) [stretch] - elfutils (Minor issue) + [jessie] - elfutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23787 NOTE: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00057.html CVE-2018-18519 = data/dla-needed.txt = 
@@ -35,6 +35,8 @@ ghostscript (Markus Koschany) gnutls28 (Antoine Beaupre) NOTE: 20180824: Upstream patch is quite invasive, adding new options etc. (Chris Lamb) -- +imagemagick +-- libav (Hugo Lefeuvre) NOTE: 20180118: Diego Biurrun (from the libav team) was working on patches, but encountered personal issues and had to stop. NOTE: 20180118: It is unlikely that he will start again in the next weeks. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/7dd531e9ccf4e1abaea32533cb7383117a05f027...7cf9b14a27733f996e0659a020e6b303865c90ed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/7dd531e9ccf4e1abaea32533cb7383117a05f027...7cf9b14a27733f996e0659a020e6b303865c90ed You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
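Review bot: the `+imagemagick` line added to data/dla-needed.txt in the `@@ -35,6 +35,8 @@` hunk carries no NOTE recording which open CVEs motivate the jessie update, whereas the neighbouring gnutls28 and libav entries each keep a dated NOTE; a single `NOTE: 20181020: ...` line listing the CVEs in scope would let the next triager pick the package up without re-deriving the set from data/CVE/list. The two `+ [jessie] - elfutils (Minor issue)` lines in the first hunk match the existing stretch assessment for CVE-2018-18520 and CVE-2018-18521, so nothing further is needed there.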
[Git][security-tracker-team/security-tracker][master] Triage CVE-2018-18385 (asciidoctor) for jessie LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 7dd531e9 by Chris Lamb at 2018-10-20T01:53:15Z Triage CVE-2018-18385 (asciidoctor) for jessie LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -347,6 +347,7 @@ CVE-2018-18386 (drivers/tty/n_tty.c in the Linux kernel before 4.14.11 allows lo CVE-2018-18385 (Asciidoctor v1.5.7.1 allows remote attackers to cause a denial of ...) - asciidoctor (low) [stretch] - asciidoctor (Minor issue) + [wheezy] - asciidoctor (Minor issue) NOTE: https://github.com/asciidoctor/asciidoctor/issues/2888 CVE-2018-18384 (Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive ...) - unzip 6.0-11 (bug #741384) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7dd531e9ccf4e1abaea32533cb7383117a05f027 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7dd531e9ccf4e1abaea32533cb7383117a05f027 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
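Review bot: the added line in the `@@ -347,6 +347,7 @@` hunk reads `+ [wheezy] - asciidoctor (Minor issue)`, but the commit message triages CVE-2018-18385 for jessie LTS, and wheezy was no longer an LTS release in October 2018 (its LTS support ended on 31 May 2018); the intended line is almost certainly `[jessie] - asciidoctor (Minor issue)`, mirroring the stretch entry directly above it. As committed, jessie stays untriaged for this CVE and the tracker gains a stale wheezy annotation.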
[Git][security-tracker-team/security-tracker][master] stretch triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fdf7576b by Moritz Muehlenhoff at 2018-10-19T22:56:33Z stretch triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -13,11 +13,13 @@ CVE-2018-18523 CVE-2018-18522 RESERVED CVE-2018-18521 (Divide-by-zero vulnerabilities in the function arlib_add_symbols() in ...) - - elfutils (bug #911413) + - elfutils (low; bug #911413) + [stretch] - elfutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23786 NOTE: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00055.html CVE-2018-18520 (An Invalid Memory Address Dereference exists in the function elf_end in ...) - - elfutils (bug #911414) + - elfutils (low; bug #911414) + [stretch] - elfutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23787 NOTE: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00057.html CVE-2018-18519 @@ -288,8 +290,9 @@ CVE-2018-18411 CVE-2018-18410 RESERVED CVE-2018-18409 (A stack-based buffer over-read exists in setbit() at iptree.h of ...) - - tcpflow (bug #911263) + - tcpflow (unimportant; bug #911263) NOTE: https://github.com/simsong/tcpflow/issues/195 + NOTE: Crash in CLI tool, no security impact CVE-2018-18408 (A use-after-free was discovered in the tcpbridge binary of Tcpreplay ...) - tcpreplay NOTE: https://github.com/appneta/tcpreplay/issues/489 @@ -342,7 +345,8 @@ CVE-2018-18386 (drivers/tty/n_tty.c in the Linux kernel before 4.14.11 allows lo [jessie] - linux 3.16.56-1 NOTE: Fixed by: https://git.kernel.org/linus/966031f340185eddd05affcf72b740549f056348 CVE-2018-18385 (Asciidoctor v1.5.7.1 allows remote attackers to cause a denial of ...) - - asciidoctor + - asciidoctor (low) + [stretch] - asciidoctor (Minor issue) NOTE: https://github.com/asciidoctor/asciidoctor/issues/2888 CVE-2018-18384 (Info-ZIP UnZip 6.0 has a buffer overflow in list.c, when a ZIP archive ...) - unzip 6.0-11 (bug #741384) 
@@ -1323,6 +1327,7 @@ CVE-2018-18026 RESERVED CVE-2018-18025 (In ImageMagick 7.0.8-13 Q16, there is a heap-based buffer over-read in ...) - imagemagick + [stretch] - imagemagick (Fix along in next DSA) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1335 CVE-2018-18024 (In ImageMagick 7.0.8-13 Q16, there is an infinite loop in the ...) - imagemagick (low) @@ -9432,6 +9437,7 @@ CVE-2018-14636 (Live-migrated instances are briefly able to inspect traffic for [jessie] - neutron (Minor issue) CVE-2018-14635 (When using the Linux bridge ml2 driver, non-privileged tenants are ...) - neutron 2:13.0.0-1 + [stretch] - neutron (Minor issue) [jessie] - neutron (Minor issue) NOTE: https://bugs.launchpad.net/neutron/+bug/1757482 NOTE: https://git.openstack.org/cgit/openstack/neutron/commit/?id=54aa6e81cb17b33ce4d5d469cc11dec2869c762d = data/dsa-needed.txt = @@ -17,6 +17,8 @@ If needed, specify the release by adding a slash after the name of the source pa -- ceph -- +chromium-browser +-- ghostscript (carnil) Regression update: #909076, possibly #909929 (but see upstream issue), and #909957 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fdf7576b3ba1ef06ba079bfcc334c7444d223a43 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fdf7576b3ba1ef06ba079bfcc334c7444d223a43 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
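Review bot: in the `@@ -288,8 +290,9 @@` hunk the downgrade of CVE-2018-18409 to `unimportant` rests on `NOTE: Crash in CLI tool, no security impact`, which on its own does not establish the conclusion for tcpflow: the tool's input is live or captured TCP traffic, normally from untrusted peers, so "CLI tool" says nothing about whether the stack-based buffer over-read in setbit() is reachable from attacker-controlled packets. If the over-read is reachable only through a local command-line option, or is read-only and can at most crash an unprivileged process, record that reasoning in the NOTE (for example `NOTE: Read-only over-read, at most a crash of the unprivileged tool`). The remaining hunks (elfutils `low` plus `[stretch] ... (Minor issue)`, asciidoctor `low`, imagemagick `Fix along in next DSA`, neutron `[stretch] ... (Minor issue)`, `chromium-browser` in data/dsa-needed.txt) are consistent with the entries around them.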
[Git][security-tracker-team/security-tracker][master] 2 commits: List php-zend-db as removed from everywhere
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 661c2930 by Salvatore Bonaccorso at 2018-10-19T21:57:47Z List php-zend-db as removed from everywhere - - - - - bace08f8 by Salvatore Bonaccorso at 2018-10-19T22:00:54Z Add CVE-2018-4013/liblivemedia - - - - - 2 changed files: - data/CVE/list - data/packages/removed-packages Changes: = data/CVE/list = @@ -38578,7 +38578,9 @@ CVE-2018-4015 CVE-2018-4014 RESERVED CVE-2018-4013 (An exploitable code execution vulnerability exists in the HTTP ...) - TODO: check + - liblivemedia 2018.10.17-1 + NOTE: http://lists.live555.com/pipermail/live-devel/2018-October/021071.html + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2018-0684 CVE-2018-4012 RESERVED CVE-2018-4011 = data/packages/removed-packages = @@ -689,3 +689,4 @@ kdeadmin automake1.10 ctdb gcc-mozilla +php-zend-db View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/748f82f3294b0ac7f6234deccbd9c4ed242acdb0...bace08f8c70842bf6cba22a40f1de5d1533184c4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/748f82f3294b0ac7f6234deccbd9c4ed242acdb0...bace08f8c70842bf6cba22a40f1de5d1533184c4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
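Review bot: the CVE-2018-4013 hunk (`@@ -38578,7 +38578,9 @@`) records only the unstable fix `- liblivemedia 2018.10.17-1`, with no severity, no Debian bug reference and no `[stretch]`/`[jessie]` lines, even though the description is an exploitable code execution bug in the HTTP handling and a Talos report is linked; for an issue of that class the stable and oldstable status should be settled in the same pass (a fixed version, `<not-affected>` with a reason, or an entry in data/dsa-needed.txt / data/dla-needed.txt) rather than left as an implicit "affected, untriaged". The `+php-zend-db` addition to data/packages/removed-packages is fine as is.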
[Git][security-tracker-team/security-tracker][master] 2 commits: Add bug reference for CVE-2018-18521/elfutils
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a9e39437 by Salvatore Bonaccorso at 2018-10-19T21:52:22Z Add bug reference for CVE-2018-18521/elfutils - - - - - 748f82f3 by Salvatore Bonaccorso at 2018-10-19T21:55:35Z Add bug reference for CVE-2018-18520/elfutils - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,11 +13,11 @@ CVE-2018-18523 CVE-2018-18522 RESERVED CVE-2018-18521 (Divide-by-zero vulnerabilities in the function arlib_add_symbols() in ...) - - elfutils + - elfutils (bug #911413) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23786 NOTE: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00055.html CVE-2018-18520 (An Invalid Memory Address Dereference exists in the function elf_end in ...) - - elfutils + - elfutils (bug #911414) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23787 NOTE: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00057.html CVE-2018-18519 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/773b351584342c94885eab909330d12133309728...748f82f3294b0ac7f6234deccbd9c4ed242acdb0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/773b351584342c94885eab909330d12133309728...748f82f3294b0ac7f6234deccbd9c4ed242acdb0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Add CVE-2018-18521/elfutils
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cc343bd6 by Salvatore Bonaccorso at 2018-10-19T21:42:12Z Add CVE-2018-18521/elfutils - - - - - 773b3515 by Salvatore Bonaccorso at 2018-10-19T21:43:43Z Add CVE-2018-18520/elfutils - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,9 +13,13 @@ CVE-2018-18523 CVE-2018-18522 RESERVED CVE-2018-18521 (Divide-by-zero vulnerabilities in the function arlib_add_symbols() in ...) - TODO: check + - elfutils + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23786 + NOTE: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00055.html CVE-2018-18520 (An Invalid Memory Address Dereference exists in the function elf_end in ...) - TODO: check + - elfutils + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23787 + NOTE: https://sourceware.org/ml/elfutils-devel/2018-q4/msg00057.html CVE-2018-18519 RESERVED CVE-2018-18518 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/51edc77f90e5ef9a8e31643a027bcc0695d794cd...773b351584342c94885eab909330d12133309728 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/51edc77f90e5ef9a8e31643a027bcc0695d794cd...773b351584342c94885eab909330d12133309728 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Associate CVE-2018-14772 with ajaxplorer
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 51edc77f by Salvatore Bonaccorso at 2018-10-19T21:36:04Z Associate CVE-2018-14772 with ajaxplorer - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9044,7 +9044,7 @@ CVE-2018-14773 (An issue was discovered in Http Foundation in Symfony 2.7.0 thro - symfony 3.4.14+dfsg-1 NOTE: https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers CVE-2018-14772 (Pydio 4.2.1 through 8.2.1 has an authenticated remote code execution ...) - TODO: check + - ajaxplorer (bug #668381) CVE-2018-14771 (VIVOTEK FD8177 devices before XX-VVTK-xx06a allow remote attackers ...) NOT-FOR-US: VIVOTEK FD8177 devices CVE-2018-14770 (VIVOTEK FD8177 devices before XX-VVTK-xx06a allow remote attackers ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/51edc77f90e5ef9a8e31643a027bcc0695d794cd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/51edc77f90e5ef9a8e31643a027bcc0695d794cd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
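Review bot: `+ - ajaxplorer (bug #668381)` cites a bug number from the 2012 numbering range, which points to an old ITP/RFP rather than a report filed for CVE-2018-14772; as written the line reads as an unfixed issue in an archive package. If ajaxplorer has never been in the archive, the tracker convention is `- ajaxplorer <itp> (bug #668381)`, so that the entry does not show up as an open issue in any released suite.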
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d8fc103a by Salvatore Bonaccorso at 2018-10-19T21:35:20Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2018-18528 RESERVED CVE-2018-18527 (OwnTicket 2018-05-23 allows SQL Injection via the showTicketId or ...) - TODO: check + NOT-FOR-US: OwnTicket CVE-2018-18526 RESERVED CVE-2018-18525 @@ -313,19 +313,19 @@ CVE-2018-18398 CVE-2018-18397 RESERVED CVE-2018-18396 (Remote Code Execution in Moxa ThingsPro IIoT Gateway and Device ...) - TODO: check + NOT-FOR-US: Moxa CVE-2018-18395 (Hidden Token Access in Moxa ThingsPro IIoT Gateway and Device ...) - TODO: check + NOT-FOR-US: Moxa CVE-2018-18394 (Sensitive Information Stored in Clear Text in Moxa ThingsPro IIoT ...) - TODO: check + NOT-FOR-US: Moxa CVE-2018-18393 (Password Management Issue in Moxa ThingsPro IIoT Gateway and Device ...) - TODO: check + NOT-FOR-US: Moxa CVE-2018-18392 (Privilege Escalation via Broken Access Control in Moxa ThingsPro IIoT ...) - TODO: check + NOT-FOR-US: Moxa CVE-2018-18391 (User Privilege Escalation in Moxa ThingsPro IIoT Gateway and Device ...) - TODO: check + NOT-FOR-US: Moxa CVE-2018-18390 (User Enumeration in Moxa ThingsPro IIoT Gateway and Device Management ...) - TODO: check + NOT-FOR-US: Moxa CVE-2018-18389 (Due to incorrect access control in Neo4j Enterprise Database Server ...) NOT-FOR-US: Neo4J server CVE-2018-18388 
@@ -7841,15 +7841,15 @@ CVE-2018-15318 CVE-2018-15317 RESERVED CVE-2018-15316 (In F5 BIG-IP APM 13.0.0-13.1.1.1, APM Client 7.1.5-7.1.6, and/or Edge ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2018-15315 (On F5 BIG-IP 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, there is a reflected ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2018-15314 (On F5 BIG-IP AFM 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, there is a ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2018-15313 (On F5 BIG-IP AFM 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, there is a ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2018-15312 (On F5 BIG-IP 13.0.0-13.1.1.1 and 12.1.0-12.1.3.6, a reflected ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2018-15311 (When F5 BIG-IP 13.0.0-13.1.0.5, 12.1.0-12.1.3.5, 11.6.0-11.6.3.2, or ...) NOT-FOR-US: F5 BIG-IP CVE-2018-15310 (A vulnerability in BIG-IP APM portal access 11.5.1-11.5.7, ...) 
@@ -13875,27 +13875,27 @@ CVE-2018-12825 (Adobe Flash Player 30.0.0.134 and earlier have a security bypass CVE-2018-12824 (Adobe Flash Player 30.0.0.134 and earlier have an out-of-bounds read ...) NOT-FOR-US: Adobe CVE-2018-12823 (Adobe Digital Editions versions 4.5.8 and below have a heap overflow ...) - TODO: check + NOT-FOR-US: Adobe CVE-2018-12822 (Adobe Digital Editions versions 4.5.8 and below have an use after free ...) - TODO: check + NOT-FOR-US: Adobe CVE-2018-12821 (Adobe Digital Editions versions 4.5.8 and below have an out of bounds ...) - TODO: check + NOT-FOR-US: Adobe CVE-2018-12820 (Adobe Digital Editions versions 4.5.8 and below have an out of bounds ...) - TODO: check + NOT-FOR-US: Adobe CVE-2018-12819 (Adobe Digital Editions versions 4.5.8 and below have an out of bounds ...) - TODO: check + NOT-FOR-US: Adobe CVE-2018-12818 (Adobe Digital Editions versions 4.5.8 and below have an out of bounds ...) - TODO: check + NOT-FOR-US: Adobe CVE-2018-12817 RESERVED CVE-2018-12816 (Adobe Digital Editions versions 4.5.8 and below have an out of bounds ...) - TODO: check + NOT-FOR-US: Adobe CVE-2018-12815 (Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and ...) NOT-FOR-US: Adobe CVE-2018-12814 (Adobe Digital Editions versions 4.5.8 and below have a heap overflow ...) - TODO: check + NOT-FOR-US: Adobe CVE-2018-12813 (Adobe Digital Editions versions 4.5.8 and below have a heap overflow ...) - TODO: check + NOT-FOR-US: Adobe CVE-2018-12812 (Adobe Acrobat and Reader 2018.011.20038 and earlier, 2017.011.30079 and ...) NOT-FOR-US: Adobe CVE-2018-12811 (Adobe Photoshop CC 2018 before 19.1.6 and Photoshop CC 2017 before ...) 
@@ -18740,9 +18740,9 @@ CVE-2018-11082 (Cloud Foundry UAA, all versions prior to 4.20.0 and Cloud Foundr CVE-2018-11081 (Pivotal Operations Manager, versions 2.2.x prior to 2.2.1, 2.1.x prior ...) NOT-FOR-US: Pivotal CVE-2018-11080 (Dell EMC Secure Remote Services, versions prior to 3.32.00.08, ...) - TODO: check + NOT-FOR-US: EMC Secure Remote Services CVE-2018-11079 (Dell EMC Secure Remote Services, versions prior to 3.32.00.08, ...) -
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c7e147c1 by security tracker role at 2018-10-19T20:10:44Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,79 @@ +CVE-2018-18528 + RESERVED +CVE-2018-18527 (OwnTicket 2018-05-23 allows SQL Injection via the showTicketId or ...) + TODO: check +CVE-2018-18526 + RESERVED +CVE-2018-18525 + RESERVED +CVE-2018-18524 + RESERVED +CVE-2018-18523 + RESERVED +CVE-2018-18522 + RESERVED +CVE-2018-18521 (Divide-by-zero vulnerabilities in the function arlib_add_symbols() in ...) + TODO: check +CVE-2018-18520 (An Invalid Memory Address Dereference exists in the function elf_end in ...) + TODO: check +CVE-2018-18519 + RESERVED +CVE-2018-18518 + RESERVED +CVE-2018-18517 + RESERVED +CVE-2018-18516 + RESERVED +CVE-2018-18515 + RESERVED +CVE-2018-18514 + RESERVED +CVE-2018-18513 + RESERVED +CVE-2018-18512 + RESERVED +CVE-2018-18511 + RESERVED +CVE-2018-18510 + RESERVED +CVE-2018-18509 + RESERVED +CVE-2018-18508 + RESERVED +CVE-2018-18507 + RESERVED +CVE-2018-18506 + RESERVED +CVE-2018-18505 + RESERVED +CVE-2018-18504 + RESERVED +CVE-2018-18503 + RESERVED +CVE-2018-18502 + RESERVED +CVE-2018-18501 + RESERVED +CVE-2018-18500 + RESERVED +CVE-2018-18499 + RESERVED +CVE-2018-18498 + RESERVED +CVE-2018-18497 + RESERVED +CVE-2018-18496 + RESERVED +CVE-2018-18495 + RESERVED +CVE-2018-18494 + RESERVED +CVE-2018-18493 + RESERVED +CVE-2018-18492 + RESERVED +CVE-2018-18491 + RESERVED CVE-2018-18490 RESERVED CVE-2018-18489 
@@ -236,20 +312,20 @@ CVE-2018-18398 RESERVED CVE-2018-18397 RESERVED -CVE-2018-18396 - RESERVED -CVE-2018-18395 - RESERVED -CVE-2018-18394 - RESERVED -CVE-2018-18393 - RESERVED -CVE-2018-18392 - RESERVED -CVE-2018-18391 - RESERVED -CVE-2018-18390 - RESERVED +CVE-2018-18396 (Remote Code Execution in Moxa ThingsPro IIoT Gateway and Device ...) + TODO: check +CVE-2018-18395 (Hidden Token Access in Moxa ThingsPro IIoT Gateway and Device ...) + TODO: check +CVE-2018-18394 (Sensitive Information Stored in Clear Text in Moxa ThingsPro IIoT ...) + TODO: check +CVE-2018-18393 (Password Management Issue in Moxa ThingsPro IIoT Gateway and Device ...) + TODO: check +CVE-2018-18392 (Privilege Escalation via Broken Access Control in Moxa ThingsPro IIoT ...) + TODO: check +CVE-2018-18391 (User Privilege Escalation in Moxa ThingsPro IIoT Gateway and Device ...) + TODO: check +CVE-2018-18390 (User Enumeration in Moxa ThingsPro IIoT Gateway and Device Management ...) + TODO: check CVE-2018-18389 (Due to incorrect access control in Neo4j Enterprise Database Server ...) NOT-FOR-US: Neo4J server CVE-2018-18388 @@ -3737,7 +3813,7 @@ CVE-2018-16953 (The AjaxView::DisplayResponse() function of the portalpages.dll NOT-FOR-US: Oracle WebCenter Interaction Portal CVE-2018-16952 (The Oracle WebCenter Interaction Portal 10.3.3 does not implement ...) NOT-FOR-US: Oracle WebCenter Interaction Portal -CVE-2017-18348 +CVE-2017-18348 (Splunk Enterprise 6.6.x, when configured to run as root but drop ...) NOT-FOR-US: Splunk CVE-2017-18347 (Incorrect access control in RDP Level 1 on STMicroelectronics STM32F0 ...) NOT-FOR-US: STMicroelectronics STM32F0 series devices @@ -5338,7 +5414,7 @@ CVE-2018-16312 RESERVED CVE-2018-16311 RESERVED -CVE-2018-16310 (Technicolor TG588V V2 devices allow remote attackers to cause a denial ...) +CVE-2018-16310 (** DISPUTED ** Technicolor TG588V V2 devices allow remote attackers ...) NOT-FOR-US: Technicolor CVE-2018-16309 REJECTED 
@@ -6285,7 +6361,7 @@ CVE-2018-15908 (In Artifex Ghostscript 9.23 before 2018-08-23, attackers are abl NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=0d3901189f245232f0161addf215d7268c4d05a3 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699657 NOTE: https://www.kb.cert.org/vuls/id/332928 -CVE-2018-15907 (Technicolor (formerly RCA) TC8305C devices allow remote attackers to ...) +CVE-2018-15907 (** DISPUTED ** Technicolor (formerly RCA) TC8305C devices allow ...) NOT-FOR-US: Technicolor (formerly RCA) TC8305C devices CVE-2018-15906 RESERVED @@ -6524,7 +6600,7 @@ CVE-2018-15853 (Endless recursion exists in xkbcomp/expr.c in xkbcommon and ...) [jessie] - libxkbcommon (Minor issue) NOTE: https://github.com/xkbcommon/libxkbcommon/commit/1f9d1248c07cda8aaff762429c0dce146de8632a NOTE: https://lists.freedesktop.org/archives/wayland-devel/2018-August/039232.html
[Git][security-tracker-team/security-tracker][master] Add jessie entries for drupal7 until CVEs assigned
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c9abe0c4 by Salvatore Bonaccorso at 2018-10-19T18:26:21Z Add jessie entries for drupal7 until CVEs assigned - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -65,11 +65,13 @@ CVE-2018-18462 CVE-2018- [Injection in DefaultMailSystem::mail()] - drupal7 (bug #911337) [stretch] - drupal7 7.52-2+deb9u5 + [jessie] - drupal 7.32-1+deb8u13 NOTE: https://www.drupal.org/sa-core-2018-006 NOTE: http://cgit.drupalcode.org/drupal/commit/?id=ee301cf5ebff3534b59fcece583b3a0e4f094f15 CVE-2018- [External URL injection through URL aliases] - drupal7 (bug #911336) [stretch] - drupal7 7.52-2+deb9u5 + [jessie] - drupal 7.32-1+deb8u13 NOTE: https://www.drupal.org/sa-core-2018-006 NOTE: http://cgit.drupalcode.org/drupal/commit/?id=ee301cf5ebff3534b59fcece583b3a0e4f094f15 CVE-2018-18461 (The Arigato Autoresponder and Newsletter (aka bft-autoresponder) ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c9abe0c45fc3a0fb47a423615245f93dcf74486b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c9abe0c45fc3a0fb47a423615245f93dcf74486b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
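Review bot: both added `+ [jessie] - drupal 7.32-1+deb8u13` lines name the source package `drupal`, while the entries they belong to are keyed on `drupal7` (`- drupal7 (bug #911337)`, `[stretch] - drupal7 7.52-2+deb9u5`) and 7.32-1+deb8u13 is a drupal7 version string; the tracker matches release lines by source package name, so these should read `[jessie] - drupal7 7.32-1+deb8u13`, otherwise the jessie issue stays open after the DLA and the fixed version is attached to a package that does not exist in the suite. Note also that both pseudo-entries (`CVE-2018- [Injection in DefaultMailSystem::mail()]` and `CVE-2018- [External URL injection through URL aliases]`) reference the same upstream commit, so the release lines will need to move together when the CVE IDs are assigned.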
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1550-1 for drupal
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 77e9ef68 by Chris Lamb at 2018-10-19T14:55:47Z Reserve DLA-1550-1 for drupal - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[19 Oct 2018] DLA-1550-1 drupal - security update + [jessie] - drupal 7.32-1+deb8u13 [18 Oct 2018] DLA-1549-1 xen - security update {CVE-2017-14316 CVE-2017-14317 CVE-2017-14319 CVE-2017-15588 CVE-2017-15589 CVE-2017-15590 CVE-2017-15597 CVE-2017-17046 CVE-2017-17563 CVE-2017-17564 CVE-2017-17565 CVE-2017-17566 CVE-2018-10471 CVE-2018-10982} [jessie] - xen 4.4.4lts2-0+deb8u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/77e9ef6864aa3b8f7d7ed3d9f562a6780a11c3ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/77e9ef6864aa3b8f7d7ed3d9f562a6780a11c3ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
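Review bot: `+ [jessie] - drupal 7.32-1+deb8u13` under the reserved DLA-1550-1 names the source package `drupal`, but 7.32-1+deb8u13 is a version of the `drupal7` source package, which is also the name the CVE list entries for this advisory are filed against; both the header `DLA-1550-1 drupal - security update` and the jessie line should say `drupal7`, otherwise the DLA will not be associated with the drupal7 entries in data/CVE/list.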
[Git][security-tracker-team/security-tracker][master] 4 commits: Triage CVE-2018-18483 (binutils) for jessie LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: ffb4eed3 by Chris Lamb at 2018-10-19T12:38:59Z Triage CVE-2018-18483 (binutils) for jessie LTS. - - - - - 053fe2ee by Chris Lamb at 2018-10-19T12:39:10Z Triage CVE-2018-18484 (binutils) for jessie LTS. - - - - - 489eac22 by Chris Lamb at 2018-10-19T12:40:09Z data/dla-needed.txt: Triage drupal7 for jessie. - - - - - 3003d9b4 by Chris Lamb at 2018-10-19T12:40:53Z data/dla-needed.txt: Claim drupal7. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -13,10 +13,12 @@ CVE-2018-18485 (An issue was discovered in PHPSHE 1.7. admin.php?mod=dbact= CVE-2018-18484 (An issue was discovered in cp-demangle.c in GNU libiberty, as ...) - binutils [stretch] - binutils (Minor issue) + [jessie] - binutils (Minor issue) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636 CVE-2018-18483 (The get_count function in cplus-dem.c in GNU libiberty, as distributed ...) - binutils [stretch] - binutils (Minor issue) + [jessie] - binutils (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23767 CVE-2018-18482 (An issue was discovered in libpg_query 10-1.0.2. There is a memory leak ...) NOT-FOR-US: libpg_query = data/dla-needed.txt = 
@@ -15,6 +15,8 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues -- clamav -- +drupal7 (Chris Lamb) +-- enigmail NOTE: 20180926: see 871s9fps8e@curie.anarc.at before working on this (anarcat) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/aa58d758d3e3f05c89acda599627bc8cba0a0516...3003d9b46c33ccd88d5ba76a624ca27440ae4b4f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/aa58d758d3e3f05c89acda599627bc8cba0a0516...3003d9b46c33ccd88d5ba76a624ca27440ae4b4f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Add commit for CVE-2017-9935/tiff
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d2825dc6 by Salvatore Bonaccorso at 2018-10-19T10:48:43Z Add commit for CVE-2017-9935/tiff - - - - - aa58d758 by Salvatore Bonaccorso at 2018-10-19T10:48:44Z Update information on CVE-2018-17795/tiff - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1785,11 +1785,14 @@ CVE-2018-17797 (An issue was discovered in zzcms 8.3. user/zssave.php allows rem CVE-2018-17796 (An issue was discovered in MRCMS (aka mushroom) through 3.1.2. The ...) NOT-FOR-US: MRCMS CVE-2018-17795 (The function t2p_write_pdf in tiff2pdf.c in LibTIFF 4.0.9 allows remote ...) - - tiff - [jessie] - tiff (possibly a duplicate, can be revisited later) + - tiff 4.0.9-2 + [stretch] - tiff 4.0.8-2+deb9u2 + [jessie] - tiff 4.0.3-12.3+deb8u5 - tiff3 NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2816 - NOTE: Seems like duplicate. Waiting info from reporter + NOTE: Similar issue as CVE-2017-9935 but not considered the same, but adressed + NOTE: with same commit. + NOTE: https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940 CVE-2018-17794 (An issue was discovered in cplus-dem.c in GNU libiberty, as distributed ...) - binutils (low) [stretch] - binutils (Minor issue) 
@@ -70504,6 +70507,7 @@ CVE-2017-9935 (In LibTIFF 4.0.8, there is a heap-based buffer overflow in the .. - tiff3 [wheezy] - tiff3 (does not build vulnerable tiff2pdf) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2704 + NOTE: https://gitlab.com/libtiff/libtiff/commit/3dd8f6a357981a4090f126ab9025056c938b6940 CVE-2017-9934 (Missing CSRF token checks and improper input validation in Joomla! CMS ...) NOT-FOR-US: Joomla CVE-2017-9933 (Improper cache invalidation in Joomla! CMS 1.7.3 through 3.7.2 leads ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/57079f7f9d8e0d58a3d80145cc9d6360a4a831aa...aa58d758d3e3f05c89acda599627bc8cba0a0516 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/57079f7f9d8e0d58a3d80145cc9d6360a4a831aa...aa58d758d3e3f05c89acda599627bc8cba0a0516 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
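Review bot: in the CVE-2018-17795 hunk (`@@ -1785,11 +1785,14 @@`) the `- tiff3` line is kept without any annotation even though the issue is now recorded as fixed in tiff by the same commit as CVE-2017-9935, and CVE-2017-9935 carries `[wheezy] - tiff3 (does not build vulnerable tiff2pdf)` for what the new NOTE calls a similar issue in the same tiff2pdf.c; tiff3 most likely deserves the same does-not-build annotation here rather than standing as an open issue. Minor: `adressed` in the NOTE should be `addressed`, and "not considered the same, but adressed with same commit" reads more clearly as "not considered a duplicate, but fixed by the same commit".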
[Git][security-tracker-team/security-tracker][master] add commit for CVE-2018-12086 fix
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 57079f7f by Thorsten Alteholz at 2018-10-19T10:41:11Z add commit for CVE-2018-12086 fix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15942,6 +15942,7 @@ CVE-2018-12086 (Buffer overflow in OPC UA applications allows remote attackers t - wireshark 2.6.4-1 [stretch] - wireshark (Fix along in next DSA) NOTE: https://www.wireshark.org/security/wnpa-sec-2018-50.html + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=28a7a79cac425d1b1ecf06e73add41edd2241e49 CVE-2018-12085 (Liblouis 3.6.0 has a stack-based Buffer Overflow in the function ...) - liblouis 3.5.0-4 (bug #901202) [stretch] - liblouis 3.0.0-3+deb9u4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/57079f7f9d8e0d58a3d80145cc9d6360a4a831aa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/57079f7f9d8e0d58a3d80145cc9d6360a4a831aa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Add CVE-2018-18408/tcpreplay
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d3cf4811 by Salvatore Bonaccorso at 2018-10-19T10:34:37Z Add CVE-2018-18408/tcpreplay - - - - - cf72946d by Salvatore Bonaccorso at 2018-10-19T10:34:38Z Add CVE-2018-18407/tcpreplay - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -207,9 +207,11 @@ CVE-2018-18409 (A stack-based buffer over-read exists in setbit() at iptree.h of - tcpflow (bug #911263) NOTE: https://github.com/simsong/tcpflow/issues/195 CVE-2018-18408 (A use-after-free was discovered in the tcpbridge binary of Tcpreplay ...) - TODO: check + - tcpreplay + NOTE: https://github.com/appneta/tcpreplay/issues/489 CVE-2018-18407 (A heap-based buffer over-read was discovered in the tcpreplay-edit ...) - TODO: check + - tcpreplay + NOTE: https://github.com/appneta/tcpreplay/issues/488 CVE-2018-18406 RESERVED CVE-2018-18405 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/9e764643c640f4ef392fc11b856fcb74ca620e27...cf72946def94ef7249e2a2370f8235b5367a47f6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/9e764643c640f4ef392fc11b856fcb74ca620e27...cf72946def94ef7249e2a2370f8235b5367a47f6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] mark CVE-2018-18225 as not affected for Jessie
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker
Commits:
9e764643 by Thorsten Alteholz at 2018-10-19T10:26:12Z
mark CVE-2018-18225 as not affected for Jessie
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -778,6 +778,7 @@ CVE-2018-18226 (In Wireshark 2.6.0 to 2.6.3, the Steam IHS Discovery dissector c CVE-2018-18225 (In Wireshark 2.6.0 to 2.6.3, the CoAP dissector could crash. This was ...) - wireshark 2.6.4-1 [stretch] - wireshark (Fix along in next DSA) + [jessie] - wireshark (Vulnerable code not present, 2.31-continue-code added in v2.1.0) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15172 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=09a02cc1ea6de9f6c6cae75b3510a5477ef5f555 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-49.html
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9e764643c640f4ef392fc11b856fcb74ca620e27
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-18483/binutils
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c4b465f3 by Salvatore Bonaccorso at 2018-10-19T10:27:47Z
Add CVE-2018-18483/binutils
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -15,7 +15,9 @@ CVE-2018-18484 (An issue was discovered in cp-demangle.c in GNU libiberty, as .. [stretch] - binutils (Minor issue) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636 CVE-2018-18483 (The get_count function in cplus-dem.c in GNU libiberty, as distributed ...) - TODO: check + - binutils + [stretch] - binutils (Minor issue) + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23767 CVE-2018-18482 (An issue was discovered in libpg_query 10-1.0.2. There is a memory leak ...) NOT-FOR-US: libpg_query CVE-2018-18481 (A heap-based buffer over-read exists in libopencad 0.2.0 in the ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c4b465f37f122f6603decaf324e6dee2f5b159a6
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-18484/binutils
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8be4b379 by Salvatore Bonaccorso at 2018-10-19T10:26:55Z
Add CVE-2018-18484/binutils
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -11,7 +11,9 @@ CVE-2018-18486 (An issue was discovered in PHPSHE 1.7. SQL injection exists via CVE-2018-18485 (An issue was discovered in PHPSHE 1.7. admin.php?mod=dbact=del allows ...) NOT-FOR-US: PHPSHE CVE-2018-18484 (An issue was discovered in cp-demangle.c in GNU libiberty, as ...) - TODO: check + - binutils + [stretch] - binutils (Minor issue) + NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87636 CVE-2018-18483 (The get_count function in cplus-dem.c in GNU libiberty, as distributed ...) TODO: check CVE-2018-18482 (An issue was discovered in libpg_query 10-1.0.2. There is a memory leak ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8be4b379ccfd8d6d1b7f34b05a05f360c2d867ac
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
34f3435f by Salvatore Bonaccorso at 2018-10-19T10:25:37Z
Process NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -3,13 +3,13 @@ CVE-2018-18490 CVE-2018-18489 RESERVED CVE-2018-18488 (In \lib\admin\action\dataaction.class.php in Gxlcms v2.0, SQL Injection ...) - TODO: check + NOT-FOR-US: Gxlcms CVE-2018-18487 (In \lib\admin\action\dataaction.class.php in Gxlcms v2.0, the database ...) - TODO: check + NOT-FOR-US: Gxlcms CVE-2018-18486 (An issue was discovered in PHPSHE 1.7. SQL injection exists via the ...) - TODO: check + NOT-FOR-US: PHPSHE CVE-2018-18485 (An issue was discovered in PHPSHE 1.7. admin.php?mod=dbact=del allows ...) - TODO: check + NOT-FOR-US: PHPSHE CVE-2018-18484 (An issue was discovered in cp-demangle.c in GNU libiberty, as ...) TODO: check CVE-2018-18483 (The get_count function in cplus-dem.c in GNU libiberty, as distributed ...) @@ -1393,7 +1393,7 @@ CVE-2018-17965 (ImageMagick 7.0.7-28 has a memory leak vulnerability in WriteSGI - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1052 CVE-2018-17964 (Aryanic HighPortal 12.5 has XSS via an Add Tags action. ...) - TODO: check + NOT-FOR-US: Aryanic HighPortal CVE-2018-17963 (qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes ...) - qemu - qemu-kvm
@@ -6114,21 +6114,21 @@ CVE-2018-15978 CVE-2018-15977 RESERVED CVE-2018-15976 (Adobe Technical Communications Suite versions 1.0.5.1 and below have ...) - TODO: check + NOT-FOR-US: Adobe CVE-2018-15975 RESERVED CVE-2018-15974 (Adobe Framemaker versions 1.0.5.1 and below have an insecure library ...) - TODO: check + NOT-FOR-US: Adobe CVE-2018-15973 (Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a ...) - TODO: check + NOT-FOR-US: Adobe CVE-2018-15972 (Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a ...) - TODO: check + NOT-FOR-US: Adobe CVE-2018-15971 (Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a ...) - TODO: check + NOT-FOR-US: Adobe CVE-2018-15970 (Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a ...) - TODO: check + NOT-FOR-US: Adobe CVE-2018-15969 (Adobe Experience Manager versions 6.4, 6.3, 6.2, 6.1, and 6.0 have a ...) - TODO: check + NOT-FOR-US: Adobe CVE-2018-15968 (Adobe Acrobat and Reader versions 2018.011.20063 and earlier, ...) NOT-FOR-US: Adobe CVE-2018-15967 (Adobe Flash Player versions 30.0.0.154 and earlier have a privilege ...) @@ -6693,7 +6693,7 @@ CVE-2018-15767 CVE-2018-15766 (On install, Dell Encryption versions prior 10.0.1 and Dell Endpoint ...) NOT-FOR-US: Dell CVE-2018-15765 (Dell EMC Secure Remote Services, versions prior to 3.32.00.08, ...) - TODO: check + NOT-FOR-US: EMC Secure Remote Services CVE-2018-15764 (Dell EMC ESRS Policy Manager versions 6.8 and prior contain a remote ...) NOT-FOR-US: EMC ESRS Policy Manager CVE-2018-15763 (Pivotal Container Service, versions prior to 1.2.0, contains an ...) @@ -7011,7 +7011,7 @@ CVE-2018-15618 CVE-2018-15617 RESERVED CVE-2018-15616 (A vulnerability in the Web UI component of Avaya Aura System Platform ...) - TODO: check + NOT-FOR-US: Avaya Aura System Platform CVE-2018-15615 (A vulnerability in the Supervisor component of Avaya Call Management ...) NOT-FOR-US: Avaya CVE-2018-15614 
@@ -7394,7 +7394,7 @@ CVE-2018-15494 (In Dojo Toolkit before 1.14, there is unescaped string injection - dojo 1.14.1+dfsg1-1 (bug #906540) NOTE: https://github.com/dojo/dojox/pull/283 CVE-2018-15493 (vBulletin 5.4.3 has an Open Redirect. ...) - TODO: check + NOT-FOR-US: vBulletin CVE-2018-15492 (A vulnerability in the lservnt.exe component of Sentinel License ...) NOT-FOR-US: Sentinel License Manager CVE-2018-15491 (A vulnerability in the permission and encryption implementation of ...) @@ -7497,13 +7497,13 @@ CVE-2018-15440 CVE-2018-15439 RESERVED CVE-2018-15438 (A vulnerability in the web-based management interface of Cisco Prime ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-15437 RESERVED CVE-2018-15436 (A vulnerability in the web-based management interface of Cisco Webex ...) NOT-FOR-US: Cisco CVE-2018-15435 (A vulnerability in the web-based management interface of Cisco ...) - TODO: check + NOT-FOR-US: Cisco CVE-2018-15434 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2018-15433 (A vulnerability in the server backup function of
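Review bot: in the CVE-2018-15765 hunk the new label "NOT-FOR-US: EMC Secure Remote Services" sits between "NOT-FOR-US: Dell" (CVE-2018-15766) and "NOT-FOR-US: EMC ESRS Policy Manager" (CVE-2018-15764), three spellings for the same vendor's products; pick one vendor name per family, as the Cisco entries in the later hunk do, so the NOT-FOR-US entries group together when the list is searched.

Review bot: the same inconsistency appears in the CVE-2018-15616 hunk, where "NOT-FOR-US: Avaya Aura System Platform" is added directly above CVE-2018-15615's "NOT-FOR-US: Avaya"; either both entries should carry the product name or both just the vendor.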
[Git][security-tracker-team/security-tracker][master] mark CVE-2018-18227 as not affected for Jessie
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker
Commits:
373c306f by Thorsten Alteholz at 2018-10-19T09:42:07Z
mark CVE-2018-18227 as not affected for Jessie
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -760,6 +760,7 @@ CVE-2018-18228 CVE-2018-18227 (In Wireshark 2.6.0 to 2.6.3 and 2.4.0 to 2.4.9, the MS-WSP protocol ...) - wireshark 2.6.4-1 [stretch] - wireshark (Fix along in next DSA) + [jessie] - wireshark (Vulnerable code not present, mswsp support added in v1.99.9) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15119 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d443be449a52f95df5754adc39e1f3472fec2f03 NOTE: https://www.wireshark.org/security/wnpa-sec-2018-47.html
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/373c306fc26285dfbcdd7dfda29b503835badc78
[Git][security-tracker-team/security-tracker][master] gitlab fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
6e877ea1 by Moritz Muehlenhoff at 2018-10-19T09:16:13Z
gitlab fixed
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -9465,23 +9465,23 @@ CVE-2018-14598 (An issue was discovered in XListExtensions in ListExt.c in libX1 [wheezy] - libx11 (Minor issue) NOTE: https://gitlab.freedesktop.org/xorg/lib/libx11/commit/e83722768fd5c467ef61fa159e8c6278770b45c2 CVE-2018-14606 (An issue was discovered in GitLab Community and Enterprise Edition ...) - - gitlab + - gitlab 10.8.7+dfsg-1 [stretch] - gitlab (Only affects 10.6 and later) NOTE: https://about.gitlab.com/2018/07/26/security-release-gitlab-11-dot-1-dot-2-released/ CVE-2018-14605 (An issue was discovered in GitLab Community and Enterprise Edition ...) - - gitlab + - gitlab 10.8.7+dfsg-1 [stretch] - gitlab (Only affects 10.7 and later) NOTE: https://about.gitlab.com/2018/07/26/security-release-gitlab-11-dot-1-dot-2-released/ CVE-2018-14604 (An issue was discovered in GitLab Community and Enterprise Edition ...) - - gitlab + - gitlab 10.8.7+dfsg-1 [stretch] - gitlab (Only affects 10.7 and later) NOTE: https://about.gitlab.com/2018/07/26/security-release-gitlab-11-dot-1-dot-2-released/ CVE-2018-14603 (An issue was discovered in GitLab Community and Enterprise Edition ...) - - gitlab + - gitlab 10.8.7+dfsg-1 [stretch] - gitlab (Scheduled for removal in next point release) NOTE: https://about.gitlab.com/2018/07/26/security-release-gitlab-11-dot-1-dot-2-released/ CVE-2018-14602 (An issue was discovered in GitLab Community and Enterprise Edition ...) - - gitlab + - gitlab 10.8.7+dfsg-1 [stretch] - gitlab (Affects 9.0 and later only) NOTE: https://about.gitlab.com/2018/07/26/security-release-gitlab-11-dot-1-dot-2-released/ CVE-2018-14601 (An issue was discovered in GitLab Community and Enterprise Edition ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6e877ea16173603ba26aeaf20620807332ca3f6e
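Review bot: the fixed version 10.8.7+dfsg-1 recorded for CVE-2018-14602 through CVE-2018-14606 is lower than the 11.1.2 upstream release named in every entry's NOTE URL, so nothing in the hunk tells a reader where that Debian upload picked up the fixes; add a NOTE pointing at the upstream commits or the changelog entry of 10.8.7+dfsg-1 that carries the backport, which would also let the unchanged stretch annotations ("Only affects 10.6 and later", "Scheduled for removal in next point release") be re-checked against it.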
[Git][security-tracker-team/security-tracker][master] NFU
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5d00458d by Henri Salo at 2018-10-19T08:34:04Z
NFU
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -3722,6 +3722,8 @@ CVE-2018-16953 (The AjaxView::DisplayResponse() function of the portalpages.dll NOT-FOR-US: Oracle WebCenter Interaction Portal CVE-2018-16952 (The Oracle WebCenter Interaction Portal 10.3.3 does not implement ...) NOT-FOR-US: Oracle WebCenter Interaction Portal +CVE-2017-18348 + NOT-FOR-US: Splunk CVE-2017-18347 (Incorrect access control in RDP Level 1 on STMicroelectronics STM32F0 ...) NOT-FOR-US: STMicroelectronics STM32F0 series devices CVE-2018-16976 (Gitolite before 3.6.9 does not (in certain configurations involving ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5d00458d13dadeb300b6ffb5f365a636545e1b2b
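Review bot: the new CVE-2017-18348 entry is added without the parenthesised description that every neighbouring entry carries (compare CVE-2017-18347 and CVE-2018-16952 in the same hunk), so the entry cannot be found by a text search on the issue; add the description line in the same "CVE-... (summary ...)" form, or note that the next automatic update is expected to fill it in.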
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
4ca4f323 by security tracker role at 2018-10-19T08:10:18Z
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -1,3 +1,19 @@ +CVE-2018-18490 + RESERVED +CVE-2018-18489 + RESERVED +CVE-2018-18488 (In \lib\admin\action\dataaction.class.php in Gxlcms v2.0, SQL Injection ...) + TODO: check +CVE-2018-18487 (In \lib\admin\action\dataaction.class.php in Gxlcms v2.0, the database ...) + TODO: check +CVE-2018-18486 (An issue was discovered in PHPSHE 1.7. SQL injection exists via the ...) + TODO: check +CVE-2018-18485 (An issue was discovered in PHPSHE 1.7. admin.php?mod=dbact=del allows ...) + TODO: check +CVE-2018-18484 (An issue was discovered in cp-demangle.c in GNU libiberty, as ...) + TODO: check +CVE-2018-18483 (The get_count function in cplus-dem.c in GNU libiberty, as distributed ...) + TODO: check CVE-2018-18482 (An issue was discovered in libpg_query 10-1.0.2. There is a memory leak ...) NOT-FOR-US: libpg_query CVE-2018-18481 (A heap-based buffer over-read exists in libopencad 0.2.0 in the ...) @@ -6673,8 +6689,8 @@ CVE-2018-15767 RESERVED CVE-2018-15766 (On install, Dell Encryption versions prior 10.0.1 and Dell Endpoint ...) NOT-FOR-US: Dell -CVE-2018-15765 - RESERVED +CVE-2018-15765 (Dell EMC Secure Remote Services, versions prior to 3.32.00.08, ...) + TODO: check CVE-2018-15764 (Dell EMC ESRS Policy Manager versions 6.8 and prior contain a remote ...) NOT-FOR-US: EMC ESRS Policy Manager CVE-2018-15763 (Pivotal Container Service, versions prior to 1.2.0, contains an ...)
@@ -6687,12 +6703,12 @@ CVE-2018-15760 RESERVED CVE-2018-15759 RESERVED -CVE-2018-15758 - RESERVED +CVE-2018-15758 (Spring Security OAuth, versions 2.3 prior to 2.3.4, and 2.2 prior to ...) + TODO: check CVE-2018-15757 RESERVED -CVE-2018-15756 - RESERVED +CVE-2018-15756 (Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, ...) + TODO: check CVE-2018-15755 (Cloud Foundry CF Networking Release, versions 2.11.0 prior to 2.16.0, ...) NOT-FOR-US: Cloud Foundry CVE-2018-15754 @@ -8836,8 +8852,8 @@ CVE-2018-14809 (Fuji Electric V-Server 4.0.3.0 and prior, A use after free ...) NOT-FOR-US: Fuji Electric V-Server CVE-2018-14808 (Emerson AMS Device Manager v12.0 to v13.5. Non-administrative users ...) NOT-FOR-US: Emerson AMS Device Manager -CVE-2018-14807 - RESERVED +CVE-2018-14807 (A stack-based buffer overflow vulnerability in Opto 22 PAC Control ...) + TODO: check CVE-2018-14806 RESERVED CVE-2018-14805 (ABB eSOMS version 6.0.2 may allow unauthorized access to the system ...) @@ -18629,10 +18645,10 @@ CVE-2018-11082 (Cloud Foundry UAA, all versions prior to 4.20.0 and Cloud Foundr NOT-FOR-US: Cloud Foundry CVE-2018-11081 (Pivotal Operations Manager, versions 2.2.x prior to 2.2.1, 2.1.x prior ...) NOT-FOR-US: Pivotal -CVE-2018-11080 - RESERVED -CVE-2018-11079 - RESERVED +CVE-2018-11080 (Dell EMC Secure Remote Services, versions prior to 3.32.00.08, ...) + TODO: check +CVE-2018-11079 (Dell EMC Secure Remote Services, versions prior to 3.32.00.08, ...) + TODO: check CVE-2018-11078 (Dell EMC VPlex GeoSynchrony, versions prior to 6.1, contains an ...) NOT-FOR-US: EMC VPlex GeoSynchrony CVE-2018-11077 
@@ -143516,7 +143532,7 @@ CVE-2015-4644 (The php_pgsql_meta_data function in pgsql.c in the PostgreSQL (ak NOTE: https://bugs.php.net/bug.php?id=69667 NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=2cc4e69cc6d8dbc4b3568ad3dd583324a7c11d64 NOTE: http://www.openwall.com/lists/oss-security/2015/06/18/3 -CVE-2015-4639 (Multiple cross-site request forgery (CSRF) vulnerabilities in Koha ...) +CVE-2015-4639 (Cross-site scripting (XSS) vulnerability in opac-addbybiblionumber.pl ...) NOT-FOR-US: Koha CVE-2015-4638 (The FastL4 virtual server in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ...) NOT-FOR-US: FastL4 @@ -143531,14 +143547,14 @@ CVE-2015-4634 (SQL injection vulnerability in graphs.php in Cacti before 0.8.8e - cacti 0.8.8e+ds1-1 NOTE: http://bugs.cacti.net/view.php?id=2577 NOTE: http://svn.cacti.net/viewvc?view=rev=7731 -CVE-2015-4633 - RESERVED -CVE-2015-4632 - RESERVED -CVE-2015-4631 - RESERVED -CVE-2015-4630 - RESERVED +CVE-2015-4633 (Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, ...) + TODO: check +CVE-2015-4632 (Multiple directory traversal vulnerabilities in Koha 3.14.x before ...) + TODO: check +CVE-2015-4631 (Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x ...) + TODO: check +CVE-2015-4630
[Git][security-tracker-team/security-tracker][master] three unimportant gm issues fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a0d582e9 by Moritz Muehlenhoff at 2018-10-19T07:20:40Z
three unimportant gm issues fixed
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -61171,7 +61171,7 @@ CVE-2017-1002150 (python-fedora 0.8.0 and lower is vulnerable to an open redirec CVE-2017-13649 (UnrealIRCd 4.0.13 and earlier creates a PID file after dropping ...) - unrealircd (bug #515130) CVE-2017-13648 (In GraphicsMagick 1.3.26, a memory leak vulnerability was found in the ...) - - graphicsmagick (unimportant) + - graphicsmagick 1.3.27-1 (unimportant) NOTE: https://sourceforge.net/p/graphicsmagick/bugs/433/ CVE-2017-13647 RESERVED @@ -62198,7 +62198,7 @@ CVE-2017-13149 (An information disclosure vulnerability in the Android media fra CVE-2017-13148 (A denial of service vulnerability in the Android media framework ...) NOT-FOR-US: Android Media Framework CVE-2017-13147 (In GraphicsMagick 1.3.26, an allocation failure vulnerability was found ...) - - graphicsmagick (unimportant) + - graphicsmagick 1.3.27-1 (unimportant) NOTE: https://sourceforge.net/p/graphicsmagick/bugs/446/ CVE-2017-13146 (In ImageMagick before 6.9.8-5 and 7.x before 7.0.5-6, there is a memory ...) {DLA-1081-1}
@@ -62423,7 +62423,7 @@ CVE-2017-13068 (QNAP has already patched this vulnerability. This security conce CVE-2017-13067 (QNAP has patched a remote code execution vulnerability affecting the ...) NOT-FOR-US: QNAP CVE-2017-13066 (GraphicsMagick 1.3.26 has a memory leak vulnerability in the function ...) - - graphicsmagick (unimportant) + - graphicsmagick 1.3.27-1 (unimportant) NOTE: https://sourceforge.net/p/graphicsmagick/bugs/430/ CVE-2017-13065 (GraphicsMagick 1.3.26 has a NULL pointer dereference vulnerability in ...) {DSA-4321-1 DLA-1401-1 DLA-1082-1}
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a0d582e9cb97f8ac6710769548351646c01b5bac