[Git][security-tracker-team/security-tracker][master] Add CVE-2019-951{2,4}/golang
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a149b30b by Salvatore Bonaccorso at 2019-08-15T06:35:09Z Add CVE-2019-951{2,4}/golang - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -16890,11 +16890,27 @@ CVE-2019-9516 (Some HTTP/2 implementations are vulnerable to a header leak, pote CVE-2019-9515 (Some HTTP/2 implementations are vulnerable to a settings flood, potent ...) TODO: check CVE-2019-9514 (Some HTTP/2 implementations are vulnerable to a reset flood, potential ...) - TODO: check + - golang-1.13 + - golang-1.12 1.12.8-1 + - golang-1.11 + - golang-1.8 + - golang-1.7 + - golang + NOTE: Issue: https://github.com/golang/go/issues/33606 + NOTE: https://github.com/golang/go/commit/e152b01a468a1c18a290bf9aec52ccea7693c7f2 (golang-1.11) + NOTE: https://github.com/golang/go/commit/7139b45d1410ded14e1e131151fd8dfc435ede6c (golang-1.12) CVE-2019-9513 (Some HTTP/2 implementations are vulnerable to resource loops, potentia ...) TODO: check CVE-2019-9512 (Some HTTP/2 implementations are vulnerable to ping floods, potentially ...) - TODO: check + - golang-1.13 + - golang-1.12 1.12.8-1 + - golang-1.11 + - golang-1.8 + - golang-1.7 + - golang + NOTE: Issue: https://github.com/golang/go/issues/33606 + NOTE: https://github.com/golang/go/commit/e152b01a468a1c18a290bf9aec52ccea7693c7f2 (golang-1.11) + NOTE: https://github.com/golang/go/commit/7139b45d1410ded14e1e131151fd8dfc435ede6c (golang-1.12) CVE-2019-9511 (Some HTTP/2 implementations are vulnerable to window size manipulation ...) TODO: check CVE-2019-9510 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a149b30bf8063bfef7adf780c28fed36817012d2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a149b30bf8063bfef7adf780c28fed36817012d2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
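Review bot: golang-1.11 is listed with no fixed version in both the CVE-2019-9514 and CVE-2019-9512 entries even though the NOTE line links the 1.11 branch fix (commit e152b01a...) and the golang-1.12 line directly above it already carries 1.12.8-1; add the 1.11 version as soon as it is known, or a NOTE that the upload is pending, otherwise the line reads as indefinitely unfixed. golang-1.13, golang-1.8 and golang-1.7 likewise carry neither a version nor an annotation, so a reader cannot tell whether they are affected-and-unfixed or simply untriaged. The context lines also show CVE-2019-9515 and CVE-2019-9513, from the same HTTP/2 family, still at `TODO: check`; if the Go issue linked here covers them too, recording that in the same pass avoids a second look at the same upstream ticket.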
[Git][security-tracker-team/security-tracker][master] Add wpa to dsa-needed list (needs check)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b5ff4185 by Salvatore Bonaccorso at 2019-08-15T13:26:39Z Add wpa to dsa-needed list (needs check) - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -64,5 +64,8 @@ teeworlds/oldstable -- wordpress -- +wpa + Maintainer proposed an update, actually need to check if we want to release DSA and ack/nack proposed debdiff +-- xen/oldstable -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b5ff41858ae1f8ec8afb40261a508cb46031cdab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b5ff41858ae1f8ec8afb40261a508cb46031cdab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
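Review bot: the new wpa entry records that the maintainer proposed an update but not which CVE(s) or Debian bug the proposed debdiff addresses, so whoever picks up the ack/nack has to rediscover the scope first; add the CVE ids or a bug link to the note. The 389-ds-base entry earlier in the same file (visible in the apache2 commit on this page) also names the person who proposed the update, which is worth mirroring here so the proposal can be traced.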
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1886-1 for openjdk-7
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 7554bec6 by Markus Koschany at 2019-08-15T12:57:57Z Reserve DLA-1886-1 for openjdk-7 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[15 Aug 2019] DLA-1886-1 openjdk-7 - security update + {CVE-2019-2745 CVE-2019-2762 CVE-2019-2769 CVE-2019-2816} + [jessie] - openjdk-7 7u231-2.6.19-1~deb8u1 [13 Aug 2019] DLA-1885-1 linux-4.9 - security update {CVE-2017-18509 CVE-2018-5995 CVE-2018-20836 CVE-2018-20856 CVE-2019-1125 CVE-2019-3882 CVE-2019-3900 CVE-2019-10207 CVE-2019-10638 CVE-2019-10639 CVE-2019-13631 CVE-2019-13648 CVE-2019-14283 CVE-2019-14284} [jessie] - linux-4.9 4.9.168-1+deb9u5~deb8u1 = data/dla-needed.txt = @@ -82,10 +82,6 @@ linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) -- -openjdk-7 (Markus Koschany) - NOTE: 20190804: The new OpenJDK 7 package needs more testing because this is - NOTE: the first package which we could not simply backport. --- python2.7 (Thorsten Alteholz) NOTE: 20190804: need to check fails with test suite unrelated to this patch -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7554bec6a26b9d9d3aa71f8a0960071472773d5c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7554bec6a26b9d9d3aa71f8a0960071472773d5c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
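Review bot: the dla-needed.txt hunk drops the 20190804 note that the new OpenJDK 7 package "needs more testing because this is the first package which we could not simply backport", but neither the commit message nor the new DLA/list entry records that the testing was completed; a sentence stating the outcome (what was exercised, on which jessie builds) would close that loop for anyone auditing DLA-1886-1 later. The DLA/list hunk itself follows the form of the DLA-1885-1 entry below it (date, id, source, CVE list, [jessie] version), so nothing to change there.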
[Git][security-tracker-team/security-tracker][master] Process one WordPress plugin issue as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6286e817 by Salvatore Bonaccorso at 2019-08-15T08:11:12Z Process one WordPress plugin issue as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2820,7 +2820,7 @@ CVE-2019-14218 CVE-2019-14217 RESERVED CVE-2019-14216 (An issue was discovered in the svg-vector-icon-plugin (aka WP SVG Icon ...) - TODO: check + NOT-FOR-US: svg-vector-icon-plugin (aka WP SVG Icons) plugin for WordPress CVE-2019-14215 (An issue was discovered in Foxit PhantomPDF before 8.3.11. The applica ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-14214 (An issue was discovered in Foxit PhantomPDF before 8.3.10. The applica ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6286e8172216e58e870f68ffbd2cb26f2d4b387c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6286e8172216e58e870f68ffbd2cb26f2d4b387c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dad8e755 by security tracker role at 2019-08-15T08:10:18Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,11 +1,27 @@ +CVE-2019-15063 + RESERVED +CVE-2019-15062 (An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an ...) + TODO: check +CVE-2019-15061 + RESERVED +CVE-2019-15060 + RESERVED +CVE-2019-15059 + RESERVED +CVE-2019-15058 (stb_image.h (aka the stb image loader) 2.23 has a heap-based buffer ov ...) + TODO: check +CVE-2019-15057 + RESERVED +CVE-2019-15056 + RESERVED CVE-2019-15055 RESERVED CVE-2019-15054 RESERVED CVE-2019-15053 (The "HTML Include and replace macro" plugin before 1.5.0 for Confluenc ...) TODO: check -CVE-2019-15052 - RESERVED +CVE-2019-15052 (The HTTP client in the Build tool in Gradle before 5.6 sends authentic ...) + TODO: check CVE-2019-15051 RESERVED CVE-2019-15050 (An issue was discovered in Bento4 1.5.1.0. There is a heap-based buffe ...) @@ -1362,10 +1378,10 @@ CVE-2019-14528 (GnuCOBOL 2.2 has a heap-based buffer overflow in read_literal in [stretch] - open-cobol (Minor issue) [jessie] - open-cobol (Minor issue) NOTE: https://sourceforge.net/p/open-cobol/bugs/583/ -CVE-2019-14527 - RESERVED -CVE-2019-14526 - RESERVED +CVE-2019-14527 (An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices befor ...) + TODO: check +CVE-2019-14526 (An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices befor ...) + TODO: check CVE-2019-14525 (In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019. ...) NOT-FOR-US: Octopus Deploy CVE-2019-14524 (An issue was discovered in Schism Tracker through 20190722. There is a ...) @@ -2190,8 +2206,8 @@ CVE-2019-14429 RESERVED CVE-2019-14428 RESERVED -CVE-2019-14427 - RESERVED +CVE-2019-14427 (XSS exists in WEB STUDIO Ultimate Loan Manager 2.0 by adding a branch ...) + TODO: check CVE-2019-14426 RESERVED CVE-2019-14425 
@@ -2803,8 +2819,8 @@ CVE-2019-14218 RESERVED CVE-2019-14217 RESERVED -CVE-2019-14216 - RESERVED +CVE-2019-14216 (An issue was discovered in the svg-vector-icon-plugin (aka WP SVG Icon ...) + TODO: check CVE-2019-14215 (An issue was discovered in Foxit PhantomPDF before 8.3.11. The applica ...) NOT-FOR-US: Foxit PhantomPDF CVE-2019-14214 (An issue was discovered in Foxit PhantomPDF before 8.3.10. The applica ...) @@ -6649,8 +6665,8 @@ CVE-2019-13032 (An issue was discovered in FlightCrew v0.9.2 and earlier. A NULL NOTE: https://github.com/Sigil-Ebook/flightcrew/commit/c75c100218ed5c0e7652947051e28b54a75212ae NOTE: https://github.com/Sigil-Ebook/flightcrew/commit/b4f4a70f604ddcb4e8e343aa0e690764fc46d780 NOTE: Negligible security impact -CVE-2019-13030 - RESERVED +CVE-2019-13030 (eQ-3 Homematic CCU3 AddOn 'Mediola NEO Server for Homematic CCU3' prio ...) + TODO: check CVE-2019-13029 (Multiple stored Cross-site scripting (XSS) issues in the admin panel a ...) NOT-FOR-US: REDCap CVE-2019-13028 (An incorrect implementation of a local web server in eID client (Windo ...) @@ -8666,8 +8682,8 @@ CVE-2019-12264 (Wind River VxWorks 6.6, 6.7, 6.8, 6.9.3, 6.9.4, and Vx7 has Inco NOT-FOR-US: Wind River VxWorks CVE-2019-12263 (Wind River VxWorks 6.9.4 and vx7 has a Buffer Overflow in the TCP comp ...) NOT-FOR-US: Wind River VxWorks -CVE-2019-12262 - RESERVED +CVE-2019-12262 (Wind River VxWorks 6.6, 6.7, 6.8, 6.9 and 7 has Incorrect Access Contr ...) + TODO: check CVE-2019-12261 (Wind River VxWorks 6.7 though 6.9 and vx7 has a Buffer Overflow in the ...) NOT-FOR-US: Wind River VxWorks CVE-2019-12260 (Wind River VxWorks 6.9 and vx7 has a Buffer Overflow in the TCP compon ...) 
@@ -9114,10 +9130,10 @@ CVE-2019-12106 (The updateDevice function in minissdpd.c in MiniUPnP MiniSSDPd 1 NOTE: https://github.com/miniupnp/miniupnp/commit/cd506a67e174a45c6a202eff182a712955ed6d6f CVE-2019-12105 RESERVED -CVE-2019-12104 - RESERVED -CVE-2019-12103 - RESERVED +CVE-2019-12104 (The web-based configuration interface of the TP-Link M7350 V3 with fir ...) + TODO: check +CVE-2019-12103 (The web-based configuration interface of the TP-Link M7350 V3 with fir ...) + TODO: check CVE-2019-12102 (** DISPUTED ** Kentico 11 through 12 lets attackers upload and explore ...) NOT-FOR-US: Kentico CVE-2019-12101 (coap_decode_option in coap.c in LibNyoci 0.07.00rc1 mishandles certain ...) @@ -16700,14 +16716,14 @@ CVE-2019-9587 (There is a stack consumption issue in md5Round1() located in Decr - xpdf (xpdf in Debian
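Review bot: this import is machine-generated, so the point is about what it leaves for triage rather than the hunks themselves: every newly described CVE lands as `TODO: check`, and the few that could plausibly touch Debian packages are easy to lose among the RESERVED placeholders. CVE-2019-15058 stands out: the description names `stb_image.h (aka the stb image loader)`, a single header file, so the check has to cover source packages that embed a copy of that header rather than look for a standalone package. CVE-2019-15052 (Gradle HTTP client sending authentication ...) and CVE-2019-15062 (Dolibarr) are the other non-plugin, non-appliance items in the first hunk. The mail is also cut off inside the last hunk (`@@ -16700,14 +16716,14 @@ ... - xpdf (xpdf in Debian`), so the xpdf change cannot be reviewed from this message.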
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-14809/golang
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ecf05d92 by Salvatore Bonaccorso at 2019-08-15T06:31:31Z Add CVE-2019-14809/golang - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -687,7 +687,13 @@ CVE-2019-14811 CVE-2019-14810 RESERVED CVE-2019-14809 (net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malfo ...) - TODO: check + - golang-1.13 + - golang-1.12 1.12.8-1 + - golang-1.11 + - golang + NOTE: Issue: https://github.com/golang/go/issues/29098 + NOTE: https://github.com/golang/go/commit/c1d9ca70995dc232a2145e3214f94e03409f6fcc (golang-1.11) + NOTE: https://github.com/golang/go/commit/3226f2d492963d361af9dfc6714ef141ba606713 (golang-1.12) CVE-2019-14808 RESERVED CVE-2019-14807 (In the MobileFrontend extension 1.31 through 1.33 for MediaWiki, XSS e ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ecf05d9273d60e86be9af6061001e67921e6017f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ecf05d9273d60e86be9af6061001e67921e6017f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
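Review bot: the description pins the fixed upstream releases ("before 1.11.13 and 1.12.x before 1.12.8"), yet only golang-1.12 gets a Debian fixed version (1.12.8-1); golang-1.11 is listed bare although the 1.11 branch fix (commit c1d9ca70...) is linked in the NOTE. If 1.11.13-1 has not been uploaded yet, say so in a NOTE rather than leaving the line ambiguous (a later commit on this page fills in 1.11.13-1). golang-1.13 is also listed with nothing to say why it is considered affected, since the description's version ranges do not mention 1.13; a short NOTE on its status (fixed in the 1.13 branch, or not yet released) would make the entry self-explaining.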
[Git][security-tracker-team/security-tracker][master] Add tracking for golang-1.8 and golang-1.7 as well
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 65bcf8e2 by Salvatore Bonaccorso at 2019-08-15T06:33:05Z Add tracking for golang-1.8 and golang-1.7 as well - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -690,6 +690,8 @@ CVE-2019-14809 (net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles - golang-1.13 - golang-1.12 1.12.8-1 - golang-1.11 + - golang-1.8 + - golang-1.7 - golang NOTE: Issue: https://github.com/golang/go/issues/29098 NOTE: https://github.com/golang/go/commit/c1d9ca70995dc232a2145e3214f94e03409f6fcc (golang-1.11) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/65bcf8e2914ce0abf007514a171dda85835f8871 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/65bcf8e2914ce0abf007514a171dda85835f8871 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
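Review bot: golang-1.8 and golang-1.7 are added as affected for CVE-2019-14809 without a fixed version, a Debian bug, or any NOTE on how they will be handled; the existing NOTEs link only the 1.11 and 1.12 branch commits, so it is not recorded whether a backport of the net/url fix is planned for the 1.8/1.7 packages or whether they will get a per-release annotation in the style the open-cobol entry elsewhere on this page uses (`[stretch] - open-cobol (Minor issue)`). One line stating the intended handling would keep these two from sitting open without an owner.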
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-15062/dolibarr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d90852fc by Salvatore Bonaccorso at 2019-08-15T18:11:24Z Add CVE-2019-15062/dolibarr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,8 @@ CVE-2019-15063 RESERVED CVE-2019-15062 (An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an ...) - TODO: check + - dolibarr + NOTE: https://github.com/Dolibarr/dolibarr/issues/11671 CVE-2019-15061 RESERVED CVE-2019-15060 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d90852fc30725db1617484ea0ee25a43cc22aa15 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d90852fc30725db1617484ea0ee25a43cc22aa15 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
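Review bot: the dolibarr entry records the upstream issue (#11671) but no fixed version, no upstream fix commit and no Debian bug number, whereas comparable entries on this page carry one (the tiff entry reads `- tiff 4.0.10+git190814-1 (bug #934780)`). Since the description only talks about Dolibarr 11.0.0-alpha, a NOTE on whether the version shipped in Debian contains the affected code would also tell the next reader why it is tracked as affected rather than as not-affected.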
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 09f269d8 by Salvatore Bonaccorso at 2019-08-15T18:13:05Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20,21 +20,21 @@ CVE-2019-15055 CVE-2019-15054 RESERVED CVE-2019-15053 (The "HTML Include and replace macro" plugin before 1.5.0 for Confluenc ...) - TODO: check + NOT-FOR-US: "HTML Include and replace macro" plugin for Confluence Server CVE-2019-15052 (The HTTP client in the Build tool in Gradle before 5.6 sends authentic ...) TODO: check CVE-2019-15051 RESERVED CVE-2019-15050 (An issue was discovered in Bento4 1.5.1.0. There is a heap-based buffe ...) - TODO: check + NOT-FOR-US: Bento4 CVE-2019-15049 (An issue was discovered in Bento4 1.5.1.0. There is a heap-based buffe ...) - TODO: check + NOT-FOR-US: Bento4 CVE-2019-15048 (An issue was discovered in Bento4 1.5.1.0. There is a heap-based buffe ...) - TODO: check + NOT-FOR-US: Bento4 CVE-2019-15047 (An issue was discovered in Bento4 1.5.1.0. There is a heap-based buffe ...) - TODO: check + NOT-FOR-US: Bento4 CVE-2019-15046 (Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthentica ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine ServiceDesk Plus CVE-2019-15045 RESERVED CVE-2019-15044 @@ -244,7 +244,7 @@ CVE-2019-14976 (iCMS 7.0.15 allows admincp.php?app=apps XSS via the keywords par CVE-2019-14975 (Artifex MuPDF before 1.16.0 has a heap-based buffer over-read in fz_ch ...) TODO: check CVE-2019-14974 (SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.h ...) - TODO: check + NOT-FOR-US: SugarCRM CVE-2019-14973 (_TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in LibTIFF through ...) - tiff 4.0.10+git190814-1 (bug #934780) - tiff3 
@@ -1380,9 +1380,9 @@ CVE-2019-14528 (GnuCOBOL 2.2 has a heap-based buffer overflow in read_literal in [jessie] - open-cobol (Minor issue) NOTE: https://sourceforge.net/p/open-cobol/bugs/583/ CVE-2019-14527 (An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices befor ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2019-14526 (An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices befor ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2019-14525 (In Octopus Deploy 2019.4.0 through 2019.6.x before 2019.6.6, and 2019. ...) NOT-FOR-US: Octopus Deploy CVE-2019-14524 (An issue was discovered in Schism Tracker through 20190722. There is a ...) @@ -2208,7 +2208,7 @@ CVE-2019-14429 CVE-2019-14428 RESERVED CVE-2019-14427 (XSS exists in WEB STUDIO Ultimate Loan Manager 2.0 by adding a branch ...) - TODO: check + NOT-FOR-US: WEB STUDIO Ultimate Loan Manager CVE-2019-14426 RESERVED CVE-2019-14425 @@ -6667,7 +6667,7 @@ CVE-2019-13032 (An issue was discovered in FlightCrew v0.9.2 and earlier. A NULL NOTE: https://github.com/Sigil-Ebook/flightcrew/commit/b4f4a70f604ddcb4e8e343aa0e690764fc46d780 NOTE: Negligible security impact CVE-2019-13030 (eQ-3 Homematic CCU3 AddOn 'Mediola NEO Server for Homematic CCU3' prio ...) - TODO: check + NOT-FOR-US: eQ-3 Homematic CCU3 CVE-2019-13029 (Multiple stored Cross-site scripting (XSS) issues in the admin panel a ...) NOT-FOR-US: REDCap CVE-2019-13028 (An incorrect implementation of a local web server in eID client (Windo ...) 
@@ -8684,7 +8684,7 @@ CVE-2019-12264 (Wind River VxWorks 6.6, 6.7, 6.8, 6.9.3, 6.9.4, and Vx7 has Inco CVE-2019-12263 (Wind River VxWorks 6.9.4 and vx7 has a Buffer Overflow in the TCP comp ...) NOT-FOR-US: Wind River VxWorks CVE-2019-12262 (Wind River VxWorks 6.6, 6.7, 6.8, 6.9 and 7 has Incorrect Access Contr ...) - TODO: check + NOT-FOR-US: Wind River VxWorks CVE-2019-12261 (Wind River VxWorks 6.7 though 6.9 and vx7 has a Buffer Overflow in the ...) NOT-FOR-US: Wind River VxWorks CVE-2019-12260 (Wind River VxWorks 6.9 and vx7 has a Buffer Overflow in the TCP compon ...) @@ -9132,9 +9132,9 @@ CVE-2019-12106 (The updateDevice function in minissdpd.c in MiniUPnP MiniSSDPd 1 CVE-2019-12105 RESERVED CVE-2019-12104 (The web-based configuration interface of the TP-Link M7350 V3 with fir ...) - TODO: check + NOT-FOR-US: TP-Link CVE-2019-12103 (The web-based configuration interface of the TP-Link M7350 V3 with fir ...) - TODO: check + NOT-FOR-US: TP-Link CVE-2019-12102 (** DISPUTED ** Kentico 11 through 12 lets attackers upload and explore ...) NOT-FOR-US: Kentico CVE-2019-12101 (coap_decode_option in coap.c in LibNyoci 0.07.00rc1 mishandles certain ...) @@ -16718,13 +16718,13 @@ CVE-2019-9587 (There is a stack consumption issue in
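Review bot: the NOT-FOR-US lines follow the established convention (product name after the tag, matching the neighbouring Foxit, Octopus Deploy and Kentico entries), so nothing to fix in the hunks themselves. One observation: CVE-2019-15052 (Gradle HTTP client) is the single entry in the first hunk left at `TODO: check` while everything around it is processed. If that is deliberate because gradle is packaged, a NOTE saying the check is pending stops someone from re-triaging it as NFU on the next pass; if it was simply missed, it belongs in this batch.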
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2019-14433/nova
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6fb25fd2 by Salvatore Bonaccorso at 2019-08-15T19:07:38Z Add fixed version for CVE-2019-14433/nova The prepared 2:19.0.1-2 was never uploaded so the first version really including the fix was actually really this new upstream version import. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2194,7 +2194,7 @@ CVE-2019-14435 CVE-2019-14434 RESERVED CVE-2019-14433 (An issue was discovered in OpenStack Nova before 17.0.12, 18.x before ...) - - nova (bug #934114) + - nova 2:19.0.2-1 (bug #934114) NOTE: https://security.openstack.org/ossa/OSSA-2019-003.html NOTE: https://launchpad.net/bugs/1837877 CVE-2019-14432 (Incorrect authentication of application WebSocket connections in Loom ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6fb25fd245f2ee9de20a06b6d74102f965e62b6f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6fb25fd245f2ee9de20a06b6d74102f965e62b6f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
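Review bot: the reasoning in the commit message (2:19.0.1-2 was prepared but never uploaded, so 2:19.0.2-1 is the first version containing the fix) is exactly what a later reader of data/CVE/list will need when the fixed version appears to skip the prepared one, but it lives only in git history; add it as a NOTE line under the entry next to the OSSA-2019-003 and launchpad links. The hunk also gives a fixed version for the unstable line only; whether stretch and buster need their own `[release] - nova ...` lines for CVE-2019-14433, in the form used by the open-cobol and libreoffice entries on this page, is not recorded.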
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1887-1 for freetype
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 3f70c8dc by Thorsten Alteholz at 2019-08-15T20:16:54Z Reserve DLA-1887-1 for freetype - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[15 Aug 2019] DLA-1887-1 freetype - security update + {CVE-2015-9290} + [jessie] - freetype 2.5.2-3+deb8u3 [15 Aug 2019] DLA-1886-1 openjdk-7 - security update {CVE-2019-2745 CVE-2019-2762 CVE-2019-2769 CVE-2019-2816} [jessie] - openjdk-7 7u231-2.6.19-1~deb8u1 = data/dla-needed.txt = @@ -27,8 +27,6 @@ freeimage NOTE: https://lists.debian.org/debian-lts/2019/05/msg00079.html NOTE: 20190707: maintainer is waiting for upstream https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929597 -- -freetype (Thorsten Alteholz) --- golang-go.crypto NOTE: 20190707: Check that an upload of this will not require reverse build-deps to also be recompiled (see previous golang uploads?). (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3f70c8dcd0a9960a10917fb9521d7d07196c444b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3f70c8dcd0a9960a10917fb9521d7d07196c444b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-10140/linux (not-affected)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 645eda5c by Salvatore Bonaccorso at 2019-08-15T18:31:34Z Add CVE-2019-10140/linux (not-affected) The vulnerability was introduced specific in Red Hat due to a human error in backporting process for a change in overlayfs. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14257,6 +14257,7 @@ CVE-2019-10141 (A vulnerability was found in openstack-ironic-inspector all vers NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1711722 CVE-2019-10140 RESERVED + - linux (Vulnerability introduce in Red Hat specific backport) CVE-2019-10139 (During HE deployment via cockpit-ovirt, cockpit-ovirt generates an ans ...) NOT-FOR-US: cockpit-ovirt CVE-2019-10138 (A flaw was discovered in the python-novajoin plugin, all versions up t ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/645eda5c3ab9ca0da62ee87eae1558ba172f87be -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/645eda5c3ab9ca0da62ee87eae1558ba172f87be You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
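Review bot: the commit title says not-affected, but the added line `- linux (Vulnerability introduce in Red Hat specific backport)` is a bare source-package line with no version and no `<not-affected>` marker, which in this file's format reads as an open, unfixed issue in linux, the opposite of what is meant; make the state explicit with the tracker's `<not-affected>` keyword rather than carrying it only in the parenthetical. The parenthetical also has a typo ("introduce" for "introduced"), and the explanation in the commit message (human error in the Red Hat overlayfs backport) would be more useful as a NOTE line with a reference than as free text inside the parentheses.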
[Git][security-tracker-team/security-tracker][master] Track for now a new sqlite3 issue (needs to be further checked)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e9e69eed by Salvatore Bonaccorso at 2019-08-15T19:48:01Z Track for now a new sqlite3 issue (needs to be further checked) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2019- [division by zero in the query planner] + - sqlite3 3.29.0-2 + NOTE: Fixed by: https://www.sqlite.org/src/info/d93508fc9913cfe6 + NOTE: Introduced by: https://www.sqlite.org/src/info/90e36676476e8db0 CVE-2019-15063 RESERVED CVE-2019-15062 (An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e9e69eed0be306000613faf32a006794707d6ab2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e9e69eed0be306000613faf32a006794707d6ab2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
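Review bot: the entry is created under a placeholder id (`CVE-2019- [division by zero in the query planner]`), which is the right way to track an issue without an assigned CVE, but the "needs to be further checked" from the commit title is not reflected in the entry itself: there is no TODO or NOTE saying what remains to be verified (which releases are affected, and whether the introducing check-in is present in the versions shipped in stable), so the data file presents 3.29.0-2 as a settled fixed version. The two NOTE lines linking the fixing and introducing sqlite check-ins are exactly what makes that verification possible; a third NOTE with the open question, and the CVE id once one is assigned, would complete it.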
[Git][security-tracker-team/security-tracker][master] Add apache2 to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dc5980d6 by Salvatore Bonaccorso at 2019-08-15T20:36:00Z Add apache2 to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -15,6 +15,8 @@ If needed, specify the release by adding a slash after the name of the source pa 389-ds-base (fw) Thorsten Alteholz proposed an update -- +apache2 +-- evince/oldstable -- faad2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dc5980d62bd30a613a5b8db34ee345ea18f44ec0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dc5980d62bd30a613a5b8db34ee345ea18f44ec0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
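Review bot: the apache2 entry is added to dsa-needed.txt with no note at all: no CVE ids, no owner, no pointer to the issues the DSA should cover, whereas the 389-ds-base entry just above it at least records who proposed the update. Add the CVE list the DSA is meant to address (and the release, if it is oldstable-only, following the `name/oldstable` convention the evince/oldstable entry uses) so whoever claims it does not have to reconstruct the scope from the tracker.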
[Git][security-tracker-team/security-tracker][master] Track fixes for three CVEs affecting golang-1.11
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c2998f9 by Salvatore Bonaccorso at 2019-08-15T19:50:06Z Track fixes for three CVEs affecting golang-1.11 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -710,7 +710,7 @@ CVE-2019-14810 CVE-2019-14809 (net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malfo ...) - golang-1.13 - golang-1.12 1.12.8-1 - - golang-1.11 + - golang-1.11 1.11.13-1 - golang-1.8 - golang-1.7 - golang @@ -16916,7 +16916,7 @@ CVE-2019-9515 (Some HTTP/2 implementations are vulnerable to a settings flood, p CVE-2019-9514 (Some HTTP/2 implementations are vulnerable to a reset flood, potential ...) - golang-1.13 - golang-1.12 1.12.8-1 - - golang-1.11 + - golang-1.11 1.11.13-1 - golang-1.8 - golang-1.7 - golang @@ -16928,7 +16928,7 @@ CVE-2019-9513 (Some HTTP/2 implementations are vulnerable to resource loops, pot CVE-2019-9512 (Some HTTP/2 implementations are vulnerable to ping floods, potentially ...) - golang-1.13 - golang-1.12 1.12.8-1 - - golang-1.11 + - golang-1.11 1.11.13-1 - golang-1.8 - golang-1.7 - golang View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9c2998f9eb2c2c6b59229bdee14fddecc04e05b9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9c2998f9eb2c2c6b59229bdee14fddecc04e05b9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
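Review bot: the golang-1.11 lines now carry 1.11.13-1 in all three entries, consistent with the "before 1.11.13" wording of the CVE-2019-14809 description; the remaining unversioned lines (golang-1.13, golang-1.8, golang-1.7 and the bare `golang`) are unchanged, so each entry still has four source packages with no fixed version and no annotation. Since these three CVEs are being edited in lockstep by hand, a single NOTE per entry stating the plan for those branches (fixed in the 1.13 branch, backport pending, or not to be fixed) would keep the three from drifting apart on the next update.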
[Git][security-tracker-team/security-tracker][master] libreoffice DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 74f546b3 by Moritz Muehlenhoff at 2019-08-15T19:59:57Z libreoffice DSA - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[15 Aug 2019] DSA-4501-1 libreoffice - security update + {CVE-2019-9850 CVE-2019-9851 CVE-2019-9852} + [stretch] - libreoffice 1:5.2.7-1+deb9u10 + [buster] - libreoffice 1:6.1.5-3+deb10u3 [12 Aug 2019] DSA-4500-1 chromium - security update {CVE-2019-5805 CVE-2019-5806 CVE-2019-5807 CVE-2019-5808 CVE-2019-5809 CVE-2019-5810 CVE-2019-5811 CVE-2019-5813 CVE-2019-5814 CVE-2019-5815 CVE-2019-5818 CVE-2019-5819 CVE-2019-5820 CVE-2019-5821 CVE-2019-5822 CVE-2019-5823 CVE-2019-5824 CVE-2019-5825 CVE-2019-5826 CVE-2019-5827 CVE-2019-5828 CVE-2019-5829 CVE-2019-5830 CVE-2019-5831 CVE-2019-5832 CVE-2019-5833 CVE-2019-5834 CVE-2019-5836 CVE-2019-5837 CVE-2019-5838 CVE-2019-5839 CVE-2019-5840 CVE-2019-5842 CVE-2019-5847 CVE-2019-5848 CVE-2019-5849 CVE-2019-5850 CVE-2019-5851 CVE-2019-5852 CVE-2019-5853 CVE-2019-5854 CVE-2019-5855 CVE-2019-5856 CVE-2019-5857 CVE-2019-5858 CVE-2019-5859 CVE-2019-5860 CVE-2019-5861 CVE-2019-5862 CVE-2019-5864 CVE-2019-5865 CVE-2019-5867 CVE-2019-5868} [buster] - chromium 76.0.3809.100-1~deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/74f546b36b1eab77797774b01eec4217c96e18d3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/74f546b36b1eab77797774b01eec4217c96e18d3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b95a0f9f by security tracker role at 2019-08-15T20:10:26Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,75 @@ +CVE-2019-15082 + RESERVED +CVE-2019-15081 (OpenCart 3.x, when the attacker has login access to the admin panel, a ...) + TODO: check +CVE-2019-15080 + RESERVED +CVE-2019-15079 + RESERVED +CVE-2019-15078 + RESERVED +CVE-2019-15077 + RESERVED +CVE-2019-15076 + RESERVED +CVE-2019-15075 + RESERVED +CVE-2019-15074 + RESERVED +CVE-2019-15073 + RESERVED +CVE-2019-15072 + RESERVED +CVE-2019-15071 + RESERVED +CVE-2019-15070 + RESERVED +CVE-2019-15069 + RESERVED +CVE-2019-15068 + RESERVED +CVE-2019-15067 + RESERVED +CVE-2019-15066 + RESERVED +CVE-2019-15065 + RESERVED +CVE-2019-15064 + RESERVED +CVE-2017-18525 + RESERVED +CVE-2017-18524 + RESERVED +CVE-2017-18523 + RESERVED +CVE-2017-18522 + RESERVED +CVE-2017-18521 + RESERVED +CVE-2017-18520 + RESERVED +CVE-2017-18519 + RESERVED +CVE-2017-18518 + RESERVED +CVE-2017-18517 + RESERVED +CVE-2017-18516 + RESERVED +CVE-2016-10893 + RESERVED +CVE-2016-10892 + RESERVED +CVE-2016-10891 + RESERVED +CVE-2016-10890 + RESERVED +CVE-2015-9319 + RESERVED +CVE-2015-9318 + RESERVED +CVE-2015-9317 + RESERVED CVE-2019- [division by zero in the query planner] - sqlite3 3.29.0-2 NOTE: Fixed by: https://www.sqlite.org/src/info/d93508fc9913cfe6 
@@ -739,8 +811,8 @@ CVE-2017-18486 (Jitbit Helpdesk before 9.0.3 allows remote attackers to escalate NOT-FOR-US: Jitbit Helpdesk CVE-2019-14801 (The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress ...) NOT-FOR-US: FV Flowplayer Video Player plugin for WordPress -CVE-2019-14800 - RESERVED +CVE-2019-14800 (The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress ...) + TODO: check CVE-2019-14799 (The FV Flowplayer Video Player plugin before 7.3.14.727 for WordPress ...) NOT-FOR-US: FV Flowplayer Video Player plugin for WordPress CVE-2019-14798 (The 10Web Photo Gallery plugin before 1.5.25 for WordPress has Authent ...) @@ -749,8 +821,8 @@ CVE-2019-14797 (The 10Web Photo Gallery plugin before 1.5.23 for WordPress has a NOT-FOR-US: 10Web Photo Gallery plugin for WordPress CVE-2019-14796 (The mq-woocommerce-products-price-bulk-edit (aka Woocommerce Products ...) NOT-FOR-US: mq-woocommerce-products-price-bulk-edit (aka Woocommerce Products Price Bulk Edit) plugin for WordPress -CVE-2019-14795 - RESERVED +CVE-2019-14795 (The toggle-the-title (aka Toggle The Title) plugin 1.4 for WordPress h ...) + TODO: check CVE-2019-14794 (The Meta Box plugin before 4.16.2 for WordPress mishandles the uploadi ...) NOT-FOR-US: Meta Box plugin for WordPress CVE-2019-14793 (The Meta Box plugin before 4.16.3 for WordPress allows file deletion v ...) 
@@ -759,20 +831,20 @@ CVE-2019-14792 (The WP Google Maps plugin before 7.11.35 for WordPress allows XS NOT-FOR-US: WP Google Maps plugin for WordPress CVE-2019-14791 (The Appointment Booking Calendar plugin 1.3.18 for WordPress allows XS ...) NOT-FOR-US: Appointment Booking Calendar plugin for WordPress -CVE-2019-14790 - RESERVED -CVE-2019-14789 - RESERVED -CVE-2019-14788 - RESERVED +CVE-2019-14790 (The limb-gallery (aka Limb Gallery) plugin 1.4.0 for WordPress has XSS ...) + TODO: check +CVE-2019-14789 (The Custom 404 Pro plugin 3.2.8 for WordPress has XSS via the wp-admin ...) + TODO: check +CVE-2019-14788 (wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribu ...) + TODO: check CVE-2019-14787 (The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XS ...) NOT-FOR-US: Tribulant Newsletters plugin for WordPress -CVE-2019-14786 - RESERVED +CVE-2019-14786 (The Rank Math SEO plugin 1.0.27 for WordPress allows non-admin users t ...) + TODO: check CVE-2019-14785 (The "CP Contact Form with PayPal" plugin before 1.2.99 for WordPress h ...) NOT-FOR-US: "CP Contact Form with PayPal" plugin for WordPress -CVE-2019-14784 - RESERVED +CVE-2019-14784 (The "CP Contact Form with PayPal" plugin before 1.2.98 for WordPress h ...) + TODO: check CVE-2019-14783 (On Samsung mobile devices with N(7.x), and O(8.x), P(9.0) software, Fo ...) NOT-FOR-US: Samsung CVE-2019-14782 @@ -840,8 +912,8 @@ CVE-2019-14757 RESERVED CVE-2019-14756 RESERVED -CVE-2019-14755 - RESERVED +CVE-2019-14755 (The profile photo upload feature in Leaf Admin 61.9.0212.10 f allows U ...) + TODO: check
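Review bot: the trailing context line of the first hunk (@@ -1,3 +1,75) shows an unnumbered entry, "CVE-2019- [division by zero in the query planner]" with a sqlite3 3.29.0-2 fixed version, now sitting directly below the freshly imported RESERVED block; an entry without a CVE id needs a clear rationale or it reads as an assigned issue, and commit ec3eff19 later in this batch reverts it as having negligible security impact. In the same hunk CVE-2019-15081 is left at "TODO: check" although the description names OpenCart, which the follow-up commit 6a7aa825 resolves as NOT-FOR-US: OpenCart.

Review bot: in the @@ -739,8 +811,8 hunk, CVE-2019-14800 and CVE-2019-14795 move from RESERVED to "TODO: check" even though their descriptions name WordPress plugins (FV Flowplayer Video Player, toggle-the-title) whose neighbouring entries already carry NOT-FOR-US; the CVE-2019-14800 text is word-for-word the CVE-2019-14801 text up to the truncation ("before 7.3.15.727"), so the two are worth a side-by-side glance when triaging. Commit 5a2aec6b later in this batch marks both NOT-FOR-US.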
[Git][security-tracker-team/security-tracker][master] Add golang-golang-x-net-dev for CVE-2019-951{2,4}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b2d6328e by Salvatore Bonaccorso at 2019-08-15T19:58:16Z Add golang-golang-x-net-dev for CVE-2019-951{2,4} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16920,6 +16920,7 @@ CVE-2019-9514 (Some HTTP/2 implementations are vulnerable to a reset flood, pote - golang-1.8 - golang-1.7 - golang + - golang-golang-x-net-dev NOTE: Issue: https://github.com/golang/go/issues/33606 NOTE: https://github.com/golang/go/commit/e152b01a468a1c18a290bf9aec52ccea7693c7f2 (golang-1.11) NOTE: https://github.com/golang/go/commit/7139b45d1410ded14e1e131151fd8dfc435ede6c (golang-1.12) @@ -16932,6 +16933,7 @@ CVE-2019-9512 (Some HTTP/2 implementations are vulnerable to ping floods, potent - golang-1.8 - golang-1.7 - golang + - golang-golang-x-net-dev NOTE: Issue: https://github.com/golang/go/issues/33606 NOTE: https://github.com/golang/go/commit/e152b01a468a1c18a290bf9aec52ccea7693c7f2 (golang-1.11) NOTE: https://github.com/golang/go/commit/7139b45d1410ded14e1e131151fd8dfc435ede6c (golang-1.12) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b2d6328e6720251fd3f3f49460b1dea244c0ad60
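Review bot: golang-golang-x-net-dev is added to both CVE-2019-9514 and CVE-2019-9512 without a fixed version and without a NOTE pointing at the corresponding fix in golang.org/x/net; the NOTE lines in both hunks cite only the golang/go issue and the golang-1.11/golang-1.12 commits, which do not tell a reader which x/net revision (and so which upload of golang-golang-x-net-dev) closes the issue. Record the x/net commit next to the two golang/go ones, or an explicit unfixed rationale, so the new package line is actionable.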
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6a7aa825 by Salvatore Bonaccorso at 2019-08-15T20:44:26Z Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2019-15082 RESERVED CVE-2019-15081 (OpenCart 3.x, when the attacker has login access to the admin panel, a ...) - TODO: check + NOT-FOR-US: OpenCart CVE-2019-15080 RESERVED CVE-2019-15079 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6a7aa8251ce33028b3ea510dfea1222edc00f195
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11733/firefox (mfsa2019-24)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c916a635 by Salvatore Bonaccorso at 2019-08-15T19:01:47Z Add CVE-2019-11733/firefox (mfsa2019-24) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9938,6 +9938,8 @@ CVE-2019-11734 RESERVED CVE-2019-11733 RESERVED + - firefox 68.0.2-1 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-24/#CVE-2019-11733 CVE-2019-11732 RESERVED CVE-2019-11731 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c916a63568553175516876bb7d63d47b140f9702
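Review bot: the CVE-2019-11733 entry keeps the bare RESERVED line while gaining a fixed version, so the tracker will list it with no description at all; the libreoffice commit 8b27cc3f in this same batch adds a bracketed title to RESERVED entries, and the same is wanted here, since the mfsa2019-24 anchor is currently the only hint at what the issue is. Also check whether a firefox-esr line is needed: the hunk lists only firefox 68.0.2-1.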
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2019-14274/mcpp
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6d3756c8 by Salvatore Bonaccorso at 2019-08-15T19:02:33Z Add fixed version for CVE-2019-14274/mcpp - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2664,7 +2664,7 @@ CVE-2019-14275 (Xfig fig2dev 3.2.7a has a stack-based buffer overflow in the cal NOTE: https://sourceforge.net/p/mcj/tickets/52/ NOTE: Crash in CLI tool, no security impact, hardening build CVE-2019-14274 (MCPP 2.7.2 has a heap-based buffer overflow in the do_msg() function i ...) - - mcpp (bug #933497) + - mcpp 2.7.2-5 (bug #933497) [buster] - mcpp (Minor issue) [stretch] - mcpp (Minor issue) [jessie] - mcpp (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6d3756c893cb3f9376e88aef8b52b0ec09ecfac5
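Review bot: the buster/stretch/jessie lines for CVE-2019-14274 say only "(Minor issue)" with no rationale of their own, and the one justification visible in context ("Crash in CLI tool, no security impact, hardening build") belongs to the neighbouring CVE-2019-14275 fig2dev entry, not to mcpp; a short NOTE under CVE-2019-14274 stating why the do_msg() heap overflow is minor would keep the two rationales from being conflated. The added 2.7.2-5 fixed version with the "(bug #933497)" reference is fine as is.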
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-985{0,1,2}/libreoffice information
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8b27cc3f by Salvatore Bonaccorso at 2019-08-15T20:17:34Z Add CVE-2019-985{0,1,2}/libreoffice information - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15885,15 +15885,21 @@ CVE-2019-9854 RESERVED CVE-2019-9853 RESERVED -CVE-2019-9852 +CVE-2019-9852 [Insufficient URL encoding flaw in allowed script location check] RESERVED {DSA-4501-1} -CVE-2019-9851 + - libreoffice 1:6.3.0-1 + NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2019-9852/ +CVE-2019-9851 [LibreLogo global-event script execution] RESERVED {DSA-4501-1} -CVE-2019-9850 + - libreoffice 1:6.3.0-1 + NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2019-9850/ +CVE-2019-9850 [Insufficient url validation allowing LibreLogo script execution] RESERVED {DSA-4501-1} + - libreoffice 1:6.3.0-1 + NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2019-9850/ CVE-2019-9849 (LibreOffice has a 'stealth mode' in which only documents from location ...) {DSA-4483-1} [experimental] - libreoffice 1:6.3.0~beta2-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8b27cc3f1daaba7acd3e78400d87be7751ecd816
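Review bot: the three new bracketed titles spell the same word two ways ("Insufficient URL encoding flaw" for CVE-2019-9852, "Insufficient url validation" for CVE-2019-9850); pick one form of URL. Otherwise the hunk is complete: each entry keeps its {DSA-4501-1} reference, gets the libreoffice 1:6.3.0-1 fixed version and links the matching upstream advisory page.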
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5a2aec6b by Salvatore Bonaccorso at 2019-08-15T20:24:28Z Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -812,7 +812,7 @@ CVE-2017-18486 (Jitbit Helpdesk before 9.0.3 allows remote attackers to escalate CVE-2019-14801 (The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress ...) NOT-FOR-US: FV Flowplayer Video Player plugin for WordPress CVE-2019-14800 (The FV Flowplayer Video Player plugin before 7.3.15.727 for WordPress ...) - TODO: check + NOT-FOR-US: FV Flowplayer Video Player plugin for WordPress CVE-2019-14799 (The FV Flowplayer Video Player plugin before 7.3.14.727 for WordPress ...) NOT-FOR-US: FV Flowplayer Video Player plugin for WordPress CVE-2019-14798 (The 10Web Photo Gallery plugin before 1.5.25 for WordPress has Authent ...) @@ -822,7 +822,7 @@ CVE-2019-14797 (The 10Web Photo Gallery plugin before 1.5.23 for WordPress has a CVE-2019-14796 (The mq-woocommerce-products-price-bulk-edit (aka Woocommerce Products ...) NOT-FOR-US: mq-woocommerce-products-price-bulk-edit (aka Woocommerce Products Price Bulk Edit) plugin for WordPress CVE-2019-14795 (The toggle-the-title (aka Toggle The Title) plugin 1.4 for WordPress h ...) - TODO: check + NOT-FOR-US: toggle-the-title (aka Toggle The Title) plugin for WordPress CVE-2019-14794 (The Meta Box plugin before 4.16.2 for WordPress mishandles the uploadi ...) NOT-FOR-US: Meta Box plugin for WordPress CVE-2019-14793 (The Meta Box plugin before 4.16.3 for WordPress allows file deletion v ...)
@@ -832,19 +832,19 @@ CVE-2019-14792 (The WP Google Maps plugin before 7.11.35 for WordPress allows XS CVE-2019-14791 (The Appointment Booking Calendar plugin 1.3.18 for WordPress allows XS ...) NOT-FOR-US: Appointment Booking Calendar plugin for WordPress CVE-2019-14790 (The limb-gallery (aka Limb Gallery) plugin 1.4.0 for WordPress has XSS ...) - TODO: check + NOT-FOR-US: limb-gallery (aka Limb Gallery) plugin for WordPress CVE-2019-14789 (The Custom 404 Pro plugin 3.2.8 for WordPress has XSS via the wp-admin ...) - TODO: check + NOT-FOR-US: Custom 404 Pro plugin for WordPress CVE-2019-14788 (wp-admin/admin-ajax.php?action=newsletters_exportmultiple in the Tribu ...) - TODO: check + NOT-FOR-US: Tribulant Newsletters plugin for WordPress CVE-2019-14787 (The Tribulant Newsletters plugin before 4.6.19 for WordPress allows XS ...) NOT-FOR-US: Tribulant Newsletters plugin for WordPress CVE-2019-14786 (The Rank Math SEO plugin 1.0.27 for WordPress allows non-admin users t ...) - TODO: check + NOT-FOR-US: Rank Math SEO plugin for WordPress CVE-2019-14785 (The "CP Contact Form with PayPal" plugin before 1.2.99 for WordPress h ...) NOT-FOR-US: "CP Contact Form with PayPal" plugin for WordPress CVE-2019-14784 (The "CP Contact Form with PayPal" plugin before 1.2.98 for WordPress h ...) - TODO: check + NOT-FOR-US: "CP Contact Form with PayPal" plugin for WordPress CVE-2019-14783 (On Samsung mobile devices with N(7.x), and O(8.x), P(9.0) software, Fo ...) NOT-FOR-US: Samsung CVE-2019-14782 
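Review bot: the NOT-FOR-US text for CVE-2019-14788 names the "Tribulant Newsletters plugin for WordPress", but the description visible in the hunk is cut at "in the Tribu ..."; the product name is being inferred from the adjacent CVE-2019-14787 entry and the newsletters_exportmultiple action name, so confirm it against the full CVE text before it is relied on for later lookups. The remaining five entries in this hunk copy the plugin name straight from their own descriptions and need no change.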
@@ -5311,7 +5311,7 @@ CVE-2019-13580 CVE-2019-13579 RESERVED CVE-2019-13578 (A SQL injection vulnerability exists in the Impress GiveWP Give plugin ...) - TODO: check + NOT-FOR-US: Impress GiveWP Give plugin for WordPress CVE-2019-13577 (SnmpAdm.exe in MAPLE WBT SNMP Administrator v2.0.195.15 has an Unauthe ...) NOT-FOR-US: SnmpAdm.exe in MAPLE WBT SNMP Administrator CVE-2018-20852 (http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5a2aec6b4027780b86de2dea18f8cb133749dcbd
[Git][security-tracker-team/security-tracker][master] Revert "Track for now a new sqlite3 issue (needs to be further checked)"
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ec3eff19 by Salvatore Bonaccorso at 2019-08-16T04:10:55Z Revert "Track for now a new sqlite3 issue (needs to be further checked)" This looks more like a bug with negligible security impact per se. This reverts commit e9e69eed0be306000613faf32a006794707d6ab2. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -70,10 +70,6 @@ CVE-2015-9318 RESERVED CVE-2015-9317 RESERVED -CVE-2019- [division by zero in the query planner] - - sqlite3 3.29.0-2 - NOTE: Fixed by: https://www.sqlite.org/src/info/d93508fc9913cfe6 - NOTE: Introduced by: https://www.sqlite.org/src/info/90e36676476e8db0 CVE-2019-15063 RESERVED CVE-2019-15062 (An issue was discovered in Dolibarr 11.0.0-alpha. A user can store an ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ec3eff19b776bd598c91ebe06280eed72fa5a02d
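Review bot: the revert drops the whole entry, including the two upstream check-in references (Fixed by d93508fc9913cfe6, Introduced by 90e36676476e8db0) and the 3.29.0-2 fixed version, so if a CVE is assigned for the query-planner division by zero after all, the research has to be redone; the commit message's reasoning ("negligible security impact per se") is only in the git log. Keeping that rationale where the tracker keeps such decisions, rather than discarding the entry outright, would make a later re-evaluation cheap.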
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-14975/mupdf
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6f691202 by Salvatore Bonaccorso at 2019-08-16T04:06:05Z Add CVE-2019-14975/mupdf - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -318,7 +318,10 @@ CVE-2019-14977 CVE-2019-14976 (iCMS 7.0.15 allows admincp.php?app=apps XSS via the keywords parameter ...) NOT-FOR-US: idreamsoft iCMS CVE-2019-14975 (Artifex MuPDF before 1.16.0 has a heap-based buffer over-read in fz_ch ...) - TODO: check + - mupdf (Vulnerable code introduced later) + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701292 + NOTE: Introduced by: http://git.ghostscript.com/?p=mupdf.git;a=commit;h=abcb3e68670ebc2e5127953462a026fe1a5dd321 (1.16.0-rc1) + NOTE: Fixed by: http://git.ghostscript.com/?p=mupdf.git;a=commit;h=97096297d409ec6f206298444ba00719607e8ba8 (1.16.0) CVE-2019-14974 (SugarCRM Enterprise 9.0.0 allows mobile/error-not-supported-platform.h ...) NOT-FOR-US: SugarCRM CVE-2019-14973 (_TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in LibTIFF through ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6f691202e228559b35401e0e15a122a42db330d3
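Review bot: the "Vulnerable code introduced later" rationale is well supported by the two upstream commits with their release tags (introduced in 1.16.0-rc1, fixed in 1.16.0), but the entry never records which Debian mupdf version was compared against; because the CVE text reads "Artifex MuPDF before 1.16.0", a reader needs the packaged version (below 1.16.0-rc1) stated in the rationale to see why the description's range does not apply to Debian.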
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-15099/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fd5155ff by Salvatore Bonaccorso at 2019-08-16T04:34:58Z Add CVE-2019-15099/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,6 @@ +CVE-2019-15099 [Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe] + - linux + NOTE: https://lore.kernel.org/linux-wireless/20190804003101.11541-1-benqu...@gmail.com/T/#u CVE-2019-15098 [Fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe] - linux NOTE: https://lore.kernel.org/linux-wireless/20190804002905.11292-1-benqu...@gmail.com/T/#u View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fd5155ff77783a0cab7d9b2a867ce9afea962f0e
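Review bot: both the new CVE-2019-15099 entry and the CVE-2019-15098 entry it is inserted above cite only the linux-wireless posting of the patch, with linux listed unversioned and no suite annotations; compared with CVE-2019-15090 in commit 2cc522e9, which records a "Fixed by: https://git.kernel.org/linus/..." commit and per-suite status, these two need a follow-up once the ath10k/ath6kl fixes land in mainline, and stretch/jessie lines saying whether the affected USB paths are present there.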
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-15098/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ab4f3e00 by Salvatore Bonaccorso at 2019-08-16T04:29:12Z Add CVE-2019-15098/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,6 @@ +CVE-2019-15098 [Fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe] + - linux + NOTE: https://lore.kernel.org/linux-wireless/20190804002905.11292-1-benqu...@gmail.com/T/#u CVE-2019-15090 [scsi: qedi: remove memset/memcpy to nfunc and use func instead] - linux 5.2.6-1 [stretch] - linux (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ab4f3e005dcffab5a8e6ebd3142e8509c7fc6b37
[Git][security-tracker-team/security-tracker][master] Add CVE-2016-10894/xtrlock
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5fbe7a98 by Salvatore Bonaccorso at 2019-08-16T04:16:10Z Add CVE-2016-10894/xtrlock - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -56,6 +56,8 @@ CVE-2017-18517 RESERVED CVE-2017-18516 RESERVED +CVE-2016-10894 [xtrlock does not block multitouch events] + - xtrlock (bug #830726) CVE-2016-10893 RESERVED CVE-2016-10892 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5fbe7a9875ea34a74bb2a169306f2f950a58aee7
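Review bot: the CVE-2016-10894 entry lists xtrlock with only the "(bug #830726)" reference, no fixed version, no suite annotations and no NOTE on upstream status, so it reads as open in every suite; if the bug already carries a fix or a maintainer decision, the fixed version (or a NOTE recording the status) belongs here now. The bracketed title also states only what xtrlock fails to block, not the consequence for a locked screen, which is what a triager scanning the list wants to see.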
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-15090/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2cc522e9 by Salvatore Bonaccorso at 2019-08-16T04:26:23Z Add CVE-2019-15090/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,8 @@ +CVE-2019-15090 [scsi: qedi: remove memset/memcpy to nfunc and use func instead] + - linux 5.2.6-1 + [stretch] - linux (Vulnerable code introduced later) + [jessie] - linux (Vulnerable code introduced later) + NOTE: Fixed by: https://git.kernel.org/linus/c09581a52765a85f19fc35340127396d5e3379cc CVE-2019-15082 RESERVED CVE-2019-15081 (OpenCart 3.x, when the attacker has login access to the admin panel, a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2cc522e998eef29e43a87d58cf4dba909298329c
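Review bot: stretch and jessie are annotated "Vulnerable code introduced later", but there is no [buster] line, so with only the unstable fix 5.2.6-1 recorded the entry leaves buster implicitly affected and unresolved; either add a [buster] annotation with a rationale or note that buster's kernel carries the qedi code and needs the c09581a5 fix backported. The "Fixed by:" git.kernel.org reference is the form the other linux entries in this batch should follow.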