[Git][security-tracker-team/security-tracker][master] Update CVE-2018-1785{0,1} information

2018-10-02 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f513b3fd by Salvatore Bonaccorso at 2018-10-03T05:38:54Z
Update CVE-2018-1785{0,1} information

MITRE confirmed the requested rejection and will update the CVE entries.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -79,14 +79,10 @@ CVE-2018-17853
RESERVED
 CVE-2018-17852 (A SQL injection was discovered in WUZHI CMS 4.1.0 in ...)
NOT-FOR-US: WUZHI CMS
-CVE-2018-17851 (An issue was discovered in JsonCpp 1.8.4. An unhandled 
exception ...)
-   - libjsoncpp 
-   [stretch] - libjsoncpp  (Minor issue)
-   NOTE: https://github.com/open-source-parsers/jsoncpp/issues/823
-CVE-2018-17850 (An issue was discovered in JsonCpp 1.8.4. An unhandled 
exception ...)
-   - libjsoncpp 
-   [stretch] - libjsoncpp  (Minor issue)
-   NOTE: https://github.com/open-source-parsers/jsoncpp/issues/824
+CVE-2018-17851
+   REJECTED
+CVE-2018-17850
+   REJECTED
 CVE-2018-17849
RESERVED
 CVE-2018-17848 (The html package (aka x/net/html) through 2018-09-25 in Go 
mishandles ...)
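
Review bot: The replacement entries for CVE-2018-17851 and CVE-2018-17850 keep nothing but REJECTED, so the links to jsoncpp issues 823 and 824 and the reason for the rejection are gone from data/CVE/list. The commit message says MITRE will update the entries, which means the feed can still carry the old descriptions for a while; a NOTE under each entry stating that the rejection was confirmed by MITRE would keep the next triager from re-adding the libjsoncpp lines.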



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f513b3fdd25f8be889af8cea1daba0b555ff2fdf

-- 
You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Add ignored tag for arm64/kvm issue for jessie

2018-10-02 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
20310109 by Salvatore Bonaccorso at 2018-10-03T05:21:50Z
Add ignored tag for arm64/kvm issue for jessie

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8,6 +8,7 @@ CVE-2018-17883
RESERVED
 CVE-2018- [arm64/kvm: Privilege escalation by taking control of the KVM 
hypervisor]
- linux 
+   [jessie] - linux  (arm64 not supported in jessie LTS)
NOTE: 
https://git.kernel.org/linus/d26c25a9d19b5976b319af528886f89cf455692d
NOTE: 
https://git.kernel.org/linus/2a3f93459d689d990b3ecfbe782fec89b97d3279
 CVE-2018-17884 (XSS exists in admin/gb-dashboard-widget.php in the Gwolle 
Guestbook ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/20310109c864ff911369bf327d4ab3fbb5e6aadb


[Git][security-tracker-team/security-tracker][master] Reserve DLA-1529-1 for linux

2018-10-02 Thread Ben Hutchings
Ben Hutchings pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8f8c350e by Ben Hutchings at 2018-10-03T03:36:50Z
Reserve DLA-1529-1 for linux

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[03 Oct 2018] DLA-1529-1 linux - security update
+   {CVE-2018-3620 CVE-2018-3639 CVE-2018-5391 CVE-2018-6554 CVE-2018-6555 
CVE-2018-7755 CVE-2018-9363 CVE-2018-9516 CVE-2018-10021 CVE-2018-10323 
CVE-2018-10876 CVE-2018-10877 CVE-2018-10878 CVE-2018-10879 CVE-2018-10880 
CVE-2018-10881 CVE-2018-10882 CVE-2018-10883 CVE-2018-10902 CVE-2018-13093 
CVE-2018-13094 CVE-2018-13405 CVE-2018-13406 CVE-2018-14609 CVE-2018-14617 
CVE-2018-14633 CVE-2018-14634 CVE-2018-14678 CVE-2018-14734 CVE-2018-15572 
CVE-2018-15594 CVE-2018-16276 CVE-2018-16658 CVE-2018-17182}
+   [jessie] - linux 3.16.59-1
 [02 Oct 2018] DLA-1528-1 strongswan - security update
{CVE-2018-17540}
[jessie] - strongswan 5.2.1-6+deb8u8
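
Review bot: The CVE set on the new DLA-1529-1 entry omits CVE-2018-10938 and CVE-2018-13099, both of which are in the DSA-4308-1 linux entry for stretch quoted elsewhere in this archive. Confirm that jessie's linux is recorded as not affected (or still open) for those two in data/CVE/list, so the difference between the two advisories is explained by the data and not by an omission here.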



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/8f8c350e720f04f023a9a0748676c99a138a4b1f


[Git][security-tracker-team/security-tracker][master] Add CVE-2018-1785{0,1}/libjsoncpp

2018-10-02 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
60e97442 by Salvatore Bonaccorso at 2018-10-02T21:24:00Z
Add CVE-2018-1785{0,1}/libjsoncpp

Not convinced that they are actually security issues, the library should
not use assertions in the first place. For now tracking them as such. In
case the CVEs are either REJECTED which means we can remove the source
package tracking, or disputed, where we then can possibly downgrade
severity to unimportant. For now leaving as such.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -79,9 +79,13 @@ CVE-2018-17853
 CVE-2018-17852 (A SQL injection was discovered in WUZHI CMS 4.1.0 in ...)
NOT-FOR-US: WUZHI CMS
 CVE-2018-17851 (An issue was discovered in JsonCpp 1.8.4. An unhandled 
exception ...)
-   TODO: check
+   - libjsoncpp 
+   [stretch] - libjsoncpp  (Minor issue)
+   NOTE: https://github.com/open-source-parsers/jsoncpp/issues/823
 CVE-2018-17850 (An issue was discovered in JsonCpp 1.8.4. An unhandled 
exception ...)
-   TODO: check
+   - libjsoncpp 
+   [stretch] - libjsoncpp  (Minor issue)
+   NOTE: https://github.com/open-source-parsers/jsoncpp/issues/824
 CVE-2018-17849
RESERVED
 CVE-2018-17848 (The html package (aka x/net/html) through 2018-09-25 in Go 
mishandles ...)
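
Review bot: The lines added under CVE-2018-17851 and CVE-2018-17850 give only "Minor issue" as the stretch rationale, while the real reasoning (doubt that an assertion failure in the library is a security issue, with the status to be revisited if the CVEs are REJECTED or disputed) exists only in the commit message. Put that in a NOTE under each entry so it is visible in data/CVE/list when the status is looked at again.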



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/60e974421d5f9a9a536ac675e95a7ed37b908d5f


[Git][security-tracker-team/security-tracker][master] 2 commits: Process several NFUs

2018-10-02 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
aeac497f by Salvatore Bonaccorso at 2018-10-02T20:23:12Z
Process several NFUs

- - - - -
2eb2dd8a by Salvatore Bonaccorso at 2018-10-02T20:37:23Z
Process more NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,7 @@
 CVE-2018-17887
RESERVED
 CVE-2018-17886 (An issue was discovered in JEESNS 1.3. The XSS filter in ...)
-   TODO: check
+   NOT-FOR-US: JEESNS
 CVE-2018-17885
RESERVED
 CVE-2018-17883
@@ -105,11 +105,11 @@ CVE-2018-17840
 CVE-2018-17839
RESERVED
 CVE-2018-17838 (An issue was discovered in JTBC(PHP) 3.0.1.6. Arbitrary file 
read ...)
-   TODO: check
+   NOT-FOR-US: JTBC
 CVE-2018-17837 (An issue was discovered in JTBC(PHP) 3.0.1.6. Arbitrary file 
deletion ...)
-   TODO: check
+   NOT-FOR-US: JTBC
 CVE-2018-17836 (An issue was discovered in JTBC(PHP) 3.0.1.6. It allows remote 
...)
-   TODO: check
+   NOT-FOR-US: JTBC
 CVE-2018-17835 (An issue was discovered in GetSimple CMS 3.3.15. An 
administrator can ...)
NOT-FOR-US: GetSimple CMS
 CVE-2018-17834
@@ -219,9 +219,9 @@ CVE-2018-17789
 CVE-2018-17788
RESERVED
 CVE-2018-17787 (On D-Link DIR-823G devices, the GoAhead configuration allows 
/HNAP1 ...)
-   TODO: check
+   NOT-FOR-US: D-Link DIR-823G devices
 CVE-2018-17786 (On D-Link DIR-823G devices, ExportSettings.sh, 
upload_settings.cgi, ...)
-   TODO: check
+   NOT-FOR-US: D-Link DIR-823G devices
 CVE-2018-17785 (In blynk-server in Blynk before 0.39.7, Directory Traversal 
exists via ...)
NOT-FOR-US: blynk-server in Blynk
 CVE-2018-17784
@@ -604,25 +604,25 @@ CVE-2018-17598
 CVE-2018-17597
RESERVED
 CVE-2018-17596 (In Zoho ManageEngine AssetExplorer, a Stored XSS vulnerability 
was ...)
-   TODO: check
+   NOT-FOR-US: Zoho ManageEngine AssetExplorer
 CVE-2018-17595 (In the 5.4.0 version of the Fork CMS software, HTML Injection 
and ...)
-   TODO: check
+   NOT-FOR-US: Fork CMS
 CVE-2018-17594 (AirTies Air 5443v2 devices with software 1.0.0.18 have XSS via 
the ...)
-   TODO: check
+   NOT-FOR-US: AirTies Air 5443v2 devices
 CVE-2018-17593 (AirTies Air 5453 devices with software 1.0.0.18 have XSS via 
the ...)
-   TODO: check
+   NOT-FOR-US: AirTies Air 5453 devices
 CVE-2018-17592
RESERVED
 CVE-2018-17591 (AirTies Air 5343v2 devices with software 1.0.0.18 have XSS via 
the ...)
-   TODO: check
+   NOT-FOR-US: AirTies Air 5343v2 devices
 CVE-2018-17590 (AirTies Air 5442 devices with software 1.0.0.18 have XSS via 
the ...)
-   TODO: check
+   NOT-FOR-US: AirTies Air 5442 devices
 CVE-2018-17589 (AirTies Air 5650 devices with software 1.0.0.18 have XSS via 
the ...)
-   TODO: check
+   NOT-FOR-US: AirTies Air 5650 devices
 CVE-2018-17588 (AirTies Air 5021 devices with software 1.0.0.18 have XSS via 
the ...)
-   TODO: check
+   NOT-FOR-US: AirTies Air 5021 devices
 CVE-2018-17587 (AirTies Air 5750 devices with software 1.0.0.18 have XSS via 
the ...)
-   TODO: check
+   NOT-FOR-US: AirTies Air 5750 devices
 CVE-2018-17586
RESERVED
 CVE-2018-17585
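
Review bot: The seven AirTies entries in this hunk (CVE-2018-17594 down to CVE-2018-17587) each get a model-specific NOT-FOR-US string such as "AirTies Air 5443v2 devices" or "AirTies Air 5453 devices". The vendor is what decides the classification, so one string, for example "NOT-FOR-US: AirTies devices", would keep the list searchable with a single pattern.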
@@ -971,7 +971,7 @@ CVE-2018-17429
 CVE-2018-17428
RESERVED
 CVE-2018-17427 (SIMDComp before 0.1.0 allows remote attackers to cause a 
denial of ...)
-   TODO: check
+   NOT-FOR-US: SIMDComp
 CVE-2018-17426
RESERVED
 CVE-2018-17425
@@ -5028,9 +5028,9 @@ CVE-2018-15755
 CVE-2018-15754
RESERVED
 CVE-2018-15753 (An issue was discovered in the MensaMax (aka 
com.breustedt.mensamax) ...)
-   TODO: check
+   NOT-FOR-US: MensaMax application for Android
 CVE-2018-15752 (An issue was discovered in the MensaMax (aka 
com.breustedt.mensamax) ...)
-   TODO: check
+   NOT-FOR-US: MensaMax application for Android
 CVE-2018-15751
RESERVED
 CVE-2018-15750
@@ -5149,11 +5149,11 @@ CVE-2018-15704
 CVE-2018-15703
RESERVED
 CVE-2018-15702 (The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is 
...)
-   TODO: check
+   NOT-FOR-US: TP-Link
 CVE-2018-15701 (The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is 
...)
-   TODO: check
+   NOT-FOR-US: TP-Link
 CVE-2018-15700 (The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is 
...)
-   TODO: check
+   NOT-FOR-US: TP-Link
 CVE-2018-15699 (ASUSTOR Data Master 3.1.5 and below makes an HTTP request for 
a ...)
NOT-FOR-US: ASUSTOR Data Master
 CVE-2018-15698 (ASUSTOR Data Master 3.1.5 and below allows authenticated 
remote ...)
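
Review bot: "NOT-FOR-US: TP-Link" on CVE-2018-15702, CVE-2018-15701 and CVE-2018-15700 names only the vendor, while the D-Link entries in the same commit use "D-Link DIR-823G devices". Pick one granularity for router firmware entries; the descriptions here already give the model (TL-WRN841N), so the string could follow the D-Link form.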
@@ -5556,7 +5556,7 @@ CVE-2018-15565 (An issue was discovered in daveismyname 
simple-cms through 2014-
 CVE-2018-15564 (An issue was discovered in daveismyname simple-cms through 
2014-03-11. ...)
NOT-FOR-US: simple-cms
 CVE-2018-15563 (_core/admin/pages/add/ in Subrion CMS 4.2.1 

[Git][security-tracker-team/security-tracker][master] CVE-2017-17781 got finally properly rejected

2018-10-02 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b33c701b by Salvatore Bonaccorso at 2018-10-02T20:11:41Z
CVE-2017-17781 got finally properly rejected

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -38698,10 +38698,6 @@ CVE-2017-17782 (In GraphicsMagick 1.3.27a, there is a 
heap-based buffer over-rea
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/530/
 CVE-2017-17781
REJECTED
-   - php-horde 
-   - php-horde-turba 
-   NOTE: http://code610.blogspot.com/2017/12/modus-operandi-horde-52x.html
-   NOTE: https://bugs.horde.org/ticket/14857
 CVE-2017-17780 (The Clockwork SMS clockwork-test-message.php component has XSS 
via a ...)
NOT-FOR-US: Clockwork SMS plugins for WordPress
 CVE-2017-17779 (Paid To Read Script 2.0.5 has SQL injection via the 
referrals.php id ...)
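
Review bot: Removing the php-horde and php-horde-turba lines under CVE-2017-17781 also removes the two NOTE lines, which were the only pointers to bugs.horde.org ticket 14857 and the write-up. If the ID was rejected because the issue is tracked under another CVE, move those references to that entry in the same commit so the Horde packages do not silently lose tracking.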



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b33c701bbcbfac2f1eb9235574218989b4684e98


[Git][security-tracker-team/security-tracker][master] automatic update

2018-10-02 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7529bba3 by security tracker role at 2018-10-02T20:10:33Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,8 +1,16 @@
+CVE-2018-17887
+   RESERVED
+CVE-2018-17886 (An issue was discovered in JEESNS 1.3. The XSS filter in ...)
+   TODO: check
+CVE-2018-17885
+   RESERVED
+CVE-2018-17883
+   RESERVED
 CVE-2018- [arm64/kvm: Privilege escalation by taking control of the KVM 
hypervisor]
- linux 
NOTE: 
https://git.kernel.org/linus/d26c25a9d19b5976b319af528886f89cf455692d
NOTE: 
https://git.kernel.org/linus/2a3f93459d689d990b3ecfbe782fec89b97d3279
-CVE-2018-17884
+CVE-2018-17884 (XSS exists in admin/gb-dashboard-widget.php in the Gwolle 
Guestbook ...)
NOT-FOR-US: WordPress plugin gwolle-gb
 CVE-2018-17882
RESERVED
@@ -210,10 +218,10 @@ CVE-2018-17789
RESERVED
 CVE-2018-17788
RESERVED
-CVE-2018-17787
-   RESERVED
-CVE-2018-17786
-   RESERVED
+CVE-2018-17787 (On D-Link DIR-823G devices, the GoAhead configuration allows 
/HNAP1 ...)
+   TODO: check
+CVE-2018-17786 (On D-Link DIR-823G devices, ExportSettings.sh, 
upload_settings.cgi, ...)
+   TODO: check
 CVE-2018-17785 (In blynk-server in Blynk before 0.39.7, Directory Traversal 
exists via ...)
NOT-FOR-US: blynk-server in Blynk
 CVE-2018-17784
@@ -595,26 +603,26 @@ CVE-2018-17598
RESERVED
 CVE-2018-17597
RESERVED
-CVE-2018-17596
-   RESERVED
-CVE-2018-17595
-   RESERVED
-CVE-2018-17594
-   RESERVED
-CVE-2018-17593
-   RESERVED
+CVE-2018-17596 (In Zoho ManageEngine AssetExplorer, a Stored XSS vulnerability 
was ...)
+   TODO: check
+CVE-2018-17595 (In the 5.4.0 version of the Fork CMS software, HTML Injection 
and ...)
+   TODO: check
+CVE-2018-17594 (AirTies Air 5443v2 devices with software 1.0.0.18 have XSS via 
the ...)
+   TODO: check
+CVE-2018-17593 (AirTies Air 5453 devices with software 1.0.0.18 have XSS via 
the ...)
+   TODO: check
 CVE-2018-17592
RESERVED
-CVE-2018-17591
-   RESERVED
-CVE-2018-17590
-   RESERVED
-CVE-2018-17589
-   RESERVED
-CVE-2018-17588
-   RESERVED
-CVE-2018-17587
-   RESERVED
+CVE-2018-17591 (AirTies Air 5343v2 devices with software 1.0.0.18 have XSS via 
the ...)
+   TODO: check
+CVE-2018-17590 (AirTies Air 5442 devices with software 1.0.0.18 have XSS via 
the ...)
+   TODO: check
+CVE-2018-17589 (AirTies Air 5650 devices with software 1.0.0.18 have XSS via 
the ...)
+   TODO: check
+CVE-2018-17588 (AirTies Air 5021 devices with software 1.0.0.18 have XSS via 
the ...)
+   TODO: check
+CVE-2018-17587 (AirTies Air 5750 devices with software 1.0.0.18 have XSS via 
the ...)
+   TODO: check
 CVE-2018-17586
RESERVED
 CVE-2018-17585
@@ -713,7 +721,7 @@ CVE-2018-17541
RESERVED
 CVE-2018-17540 [denial-of-service vulnerability in the gmp plugin]
RESERVED
-   {DSA-4309-1}
+   {DSA-4309-1 DLA-1528-1}
- strongswan 5.7.1-1
NOTE: 
https://www.strongswan.org/blog/2018/10/01/strongswan-vulnerability-(cve-2018-17540).html
 CVE-2018-17539
@@ -1979,8 +1987,7 @@ CVE-2018-16986
RESERVED
 CVE-2018-16985 (In Lizard (formerly LZ5) 2.0, use of an invalid memory address 
was ...)
NOT-FOR-US: Lizard
-CVE-2018-16984 [Password hash disclosure to "view only" admin users]
-   RESERVED
+CVE-2018-16984 (An issue was discovered in Django 2.1 before 2.1.2, in which 
...)
[experimental] - python-django 2:2.1.2-1
- python-django  (bug #910016; vulnerable code not 
present)
NOTE: https://www.djangoproject.com/weblog/2018/oct/01/security-release/
@@ -5020,10 +5027,10 @@ CVE-2018-15755
RESERVED
 CVE-2018-15754
RESERVED
-CVE-2018-15753
-   RESERVED
-CVE-2018-15752
-   RESERVED
+CVE-2018-15753 (An issue was discovered in the MensaMax (aka 
com.breustedt.mensamax) ...)
+   TODO: check
+CVE-2018-15752 (An issue was discovered in the MensaMax (aka 
com.breustedt.mensamax) ...)
+   TODO: check
 CVE-2018-15751
RESERVED
 CVE-2018-15750
@@ -5548,8 +,8 @@ CVE-2018-15565 (An issue was discovered in daveismyname 
simple-cms through 2014-
NOT-FOR-US: simple-cms
 CVE-2018-15564 (An issue was discovered in daveismyname simple-cms through 
2014-03-11. ...)
NOT-FOR-US: simple-cms
-CVE-2018-15563
-   RESERVED
+CVE-2018-15563 (_core/admin/pages/add/ in Subrion CMS 4.2.1 has XSS via the 
titles[en] ...)
+   TODO: check
 CVE-2018-15562 (CMS ISWEB 3.5.3 has XSS via the ordineRis, sezioneRicerca, or 
...)
NOT-FOR-US: CMS ISWEB
 CVE-2018-15561
@@ -13080,8 +13087,8 @@ CVE-2018-12475
RESERVED
 CVE-2018-12474
RESERVED
-CVE-2018-12473
-   RESERVED
+CVE-2018-12473 (A path traversal traversal 

[Git][security-tracker-team/security-tracker][master] NFU

2018-10-02 Thread Henri Salo
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker


Commits:
91d93203 by Henri Salo at 2018-10-02T19:37:36Z
NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2,6 +2,8 @@ CVE-2018- [arm64/kvm: Privilege escalation by taking 
control of the KVM hype
- linux 
NOTE: 
https://git.kernel.org/linus/d26c25a9d19b5976b319af528886f89cf455692d
NOTE: 
https://git.kernel.org/linus/2a3f93459d689d990b3ecfbe782fec89b97d3279
+CVE-2018-17884
+   NOT-FOR-US: WordPress plugin gwolle-gb
 CVE-2018-17882
RESERVED
 CVE-2018-17881
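
Review bot: CVE-2018-17884 is added with no description and no NOTE, so nothing in the entry shows where the gwolle-gb attribution comes from. A NOTE with the source reference would let the NOT-FOR-US call be checked before the feed description arrives, and the one-word commit message "NFU" does not supply it either.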



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/91d93203dff6462ea0701d880700d0169bbd7a9b


[Git][security-tracker-team/security-tracker][master] Add new linux issue

2018-10-02 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3d0d1218 by Salvatore Bonaccorso at 2018-10-02T18:31:50Z
Add new linux issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2018- [arm64/kvm: Privilege escalation by taking control of the KVM 
hypervisor]
+   - linux 
+   NOTE: 
https://git.kernel.org/linus/d26c25a9d19b5976b319af528886f89cf455692d
+   NOTE: 
https://git.kernel.org/linus/2a3f93459d689d990b3ecfbe782fec89b97d3279
 CVE-2018-17882
RESERVED
 CVE-2018-17881
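
Review bot: The new entry carries an incomplete ID ("CVE-2018-") and its "- linux" line has no bug reference, so the two git.kernel.org NOTE links are the only handle on the issue. Add a NOTE stating which kernel versions are affected; the title limits it to arm64/kvm, which is exactly what per-release triage for stretch and jessie will need.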



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3d0d121831b3c9c84245b7ae3a88e6359bdae957


[Git][security-tracker-team/security-tracker][master] Record version entering unstable

2018-10-02 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bf0cf258 by Salvatore Bonaccorso at 2018-10-02T15:42:50Z
Record version entering unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -24882,7 +24882,7 @@ CVE-2018-8002 (In PoDoFo 0.9.5, there exists an 
infinite loop vulnerability in .
NOTE: PoC https://bugzilla.redhat.com/show_bug.cgi?id=1548930
NOTE: Upstream bug: https://sourceforge.net/p/podofo/tickets/15/
 CVE-2018-8001 (In PoDoFo 0.9.5, there exists a heap-based buffer over-read ...)
-   - libpodofo 0.9.6~rc1+dfsg-1 (low; bug #892556)
+   - libpodofo 0.9.6+dfsg-3 (low; bug #892556)
[stretch] - libpodofo  (Minor issue)
[jessie] - libpodofo  (Minor issue)
[wheezy] - libpodofo  (Minor issue)
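
Review bot: For CVE-2018-8001 the fixed version moves from 0.9.6~rc1+dfsg-1 to 0.9.6+dfsg-3, which makes every version in between count as vulnerable. If the earlier upload carried the fix but went to experimental, keep it as an "[experimental] - libpodofo" line next to the unstable one, the way the python-django entry for CVE-2018-16984 does, instead of overwriting it. The same question applies to the other three libpodofo hunks in this commit.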
@@ -33481,7 +33481,7 @@ CVE-2018-5311 (The Easy Custom Auto Excerpt plugin 
2.4.6 for WordPress has XSS v
 CVE-2018-5310 (In the Media from FTP plugin before 9.85 for 
WordPress, Directory ...)
NOT-FOR-US: "Media from FTP" plugin for WordPress
 CVE-2018-5309 (In PoDoFo 0.9.5, there is an integer overflow in the ...)
-   - libpodofo 0.9.6~rc1+dfsg-1 (low)
+   - libpodofo 0.9.6+dfsg-3 (low)
[stretch] - libpodofo  (Minor issue)
[jessie] - libpodofo  (Minor issue)
[wheezy] - libpodofo  (Minor issue)
@@ -33559,7 +33559,7 @@ CVE-2018-5298 (In the Procter  Gamble Oral-B 
App (aka com.pg.or
 CVE-2018-5297
RESERVED
 CVE-2018-5296 (In PoDoFo 0.9.5, there is an uncontrolled memory allocation in 
the ...)
-   - libpodofo 0.9.6+dfsg-1 (low)
+   - libpodofo 0.9.6+dfsg-3 (low)
[stretch] - libpodofo  (Minor issue)
[jessie] - libpodofo  (Minor issue)
[wheezy] - libpodofo  (Minor issue)
@@ -76004,7 +76004,7 @@ CVE-2017-8054 (The function 
PdfPagesTree::GetPageNodeFromArray in PdfPageTree.cp
NOTE: ... and re-fixed in: https://sourceforge.net/p/podofo/code/1882
NOTE: and https://sourceforge.net/p/podofo/code/1883
 CVE-2017-8053 (PoDoFo 0.9.5 allows denial of service (infinite recursion and 
stack ...)
-   - libpodofo 0.9.6+dfsg-1 (bug #860994)
+   - libpodofo 0.9.6+dfsg-3 (bug #860994)
[stretch] - libpodofo  (Minor issue)
[jessie] - libpodofo  (Minor issue)
[wheezy] - libpodofo  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/bf0cf258f73cefebd23eb4df61f62b8c126df518


[Git][security-tracker-team/security-tracker][master] Reserve DLA-1528-1 for strongswan

2018-10-02 Thread Chris Lamb
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6720cb31 by Chris Lamb at 2018-10-02T09:58:32Z
Reserve DLA-1528-1 for strongswan

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[02 Oct 2018] DLA-1528-1 strongswan - security update
+   {CVE-2018-17540}
+   [jessie] - strongswan 5.2.1-6+deb8u8
 [01 Oct 2018] DLA-1527-2 ghostscript - regression update
[jessie] - ghostscript 9.06~dfsg-2+deb8u10
 [30 Sep 2018] DLA-1527-1 ghostscript - security update


=
data/dla-needed.txt
=
@@ -81,8 +81,6 @@ spamassassin
   NOTE: 20180925: wait for feedback (anarcat)
   NOTE: 20180925: 20180920021632.5ak6iznomgw5q...@ctrl.internal.morgul.net
 --
-strongswan (Chris Lamb)
---
 symfony (Thorsten Alteholz)
 --
 thunderbird



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/6720cb318e2d3532eefa34351712cb1b804923f3


[Git][security-tracker-team/security-tracker][master] Process NFUs

2018-10-02 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0a5e1bc3 by Salvatore Bonaccorso at 2018-10-02T08:35:52Z
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15,7 +15,7 @@ CVE-2018-17876
 CVE-2018-17875
RESERVED
 CVE-2018-17874 (ExpressionEngine before 4.3.5 has reflected XSS. ...)
-   TODO: check
+   NOT-FOR-US: ExpressionEngine
 CVE-2018-17873
RESERVED
 CVE-2018-17872
@@ -23,13 +23,13 @@ CVE-2018-17872
 CVE-2018-17871
RESERVED
 CVE-2018-17870 (An issue was discovered in BTITeam XBTIT 2.5.4. The 
returnto ...)
-   TODO: check
+   NOT-FOR-US: BTITeam XBTIT
 CVE-2018-17869 (DASAN H660GW devices do not implement any CSRF protection 
mechanism. ...)
-   TODO: check
+   NOT-FOR-US: DASAN H660GW devices
 CVE-2018-17868 (DASAN H660GW devices have Stored XSS in the Port Forwarding 
...)
-   TODO: check
+   NOT-FOR-US: DASAN H660GW devices
 CVE-2018-17867 (The Port Forwarding functionality on DASAN H660GW devices 
allows remote ...)
-   TODO: check
+   NOT-FOR-US: DASAN H660GW device
 CVE-2018-17866
RESERVED
 CVE-2018-17865
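
Review bot: CVE-2018-17867 gets "NOT-FOR-US: DASAN H660GW device" (singular) while CVE-2018-17869 and CVE-2018-17868 just above it use "DASAN H660GW devices". Use the same string for all three so a search for one finds them all.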
@@ -55,9 +55,9 @@ CVE-2018-17856
 CVE-2018-17855
RESERVED
 CVE-2015-9270 (XSS exists in the the-holiday-calendar plugin before 1.11.3 for 
...)
-   TODO: check
+   NOT-FOR-US: the-holiday-calendar plugin for WordPress
 CVE-2015-9269 (The export/content.php exportarticle feature in the ...)
-   TODO: check
+   NOT-FOR-US: wordpress-mobile-pack plugin for WordPress
 CVE-2018-17854 (SIMDComp before 0.1.1 allows remote attackers to cause a 
denial of ...)
NOT-FOR-US: SIMDComp
 CVE-2018-17853



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/0a5e1bc377cb21adac76fb591e99add7a26e40ce


[Git][security-tracker-team/security-tracker][master] automatic update

2018-10-02 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
20a1b7b9 by security tracker role at 2018-10-02T08:10:31Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,63 @@
+CVE-2018-17882
+   RESERVED
+CVE-2018-17881
+   RESERVED
+CVE-2018-17880
+   RESERVED
+CVE-2018-17879
+   RESERVED
+CVE-2018-17878
+   RESERVED
+CVE-2018-17877
+   RESERVED
+CVE-2018-17876
+   RESERVED
+CVE-2018-17875
+   RESERVED
+CVE-2018-17874 (ExpressionEngine before 4.3.5 has reflected XSS. ...)
+   TODO: check
+CVE-2018-17873
+   RESERVED
+CVE-2018-17872
+   RESERVED
+CVE-2018-17871
+   RESERVED
+CVE-2018-17870 (An issue was discovered in BTITeam XBTIT 2.5.4. The 
returnto ...)
+   TODO: check
+CVE-2018-17869 (DASAN H660GW devices do not implement any CSRF protection 
mechanism. ...)
+   TODO: check
+CVE-2018-17868 (DASAN H660GW devices have Stored XSS in the Port Forwarding 
...)
+   TODO: check
+CVE-2018-17867 (The Port Forwarding functionality on DASAN H660GW devices 
allows remote ...)
+   TODO: check
+CVE-2018-17866
+   RESERVED
+CVE-2018-17865
+   RESERVED
+CVE-2018-17864
+   RESERVED
+CVE-2018-17863
+   RESERVED
+CVE-2018-17862
+   RESERVED
+CVE-2018-17861
+   RESERVED
+CVE-2018-17860
+   RESERVED
+CVE-2018-17859
+   RESERVED
+CVE-2018-17858
+   RESERVED
+CVE-2018-17857
+   RESERVED
+CVE-2018-17856
+   RESERVED
+CVE-2018-17855
+   RESERVED
+CVE-2015-9270 (XSS exists in the the-holiday-calendar plugin before 1.11.3 for 
...)
+   TODO: check
+CVE-2015-9269 (The export/content.php exportarticle feature in the ...)
+   TODO: check
 CVE-2018-17854 (SIMDComp before 0.1.1 allows remote attackers to cause a 
denial of ...)
NOT-FOR-US: SIMDComp
 CVE-2018-17853
@@ -647,6 +707,7 @@ CVE-2018-17541
RESERVED
 CVE-2018-17540 [denial-of-service vulnerability in the gmp plugin]
RESERVED
+   {DSA-4309-1}
- strongswan 5.7.1-1
NOTE: 
https://www.strongswan.org/blog/2018/10/01/strongswan-vulnerability-(cve-2018-17540).html
 CVE-2018-17539
@@ -1956,7 +2017,7 @@ CVE-2018-16967
RESERVED
 CVE-2018-16966
RESERVED
-CVE-2018-16965 (In Zoho ManageEngine SupportCenter Plus 8.1.0, there is HTML 
Injection ...)
+CVE-2018-16965 (In Zoho ManageEngine SupportCenter Plus before 8.1 Build 8109, 
there ...)
NOT-FOR-US: Zoho
 CVE-2018-16964
RESERVED
@@ -3188,9 +3249,9 @@ CVE-2018-16439
 CVE-2018-16438 (An issue was discovered in the HDF HDF5 1.8.20 library. There 
is an out ...)
- hdf5 
NOTE: H5L_extern_query@H5Lexternal.c:498-10___out-of-bounds-read
-CVE-2018-16437 (Gxlcms 2.0 has Directory Traversal exploitable by an 
administrator. ...)
+CVE-2018-16437 (Gxlcms 2.0 before bug fix 20180915 has Directory Traversal 
exploitable ...)
NOT-FOR-US: Gxlcms
-CVE-2018-16436 (Gxlcms 2.0 has SQL Injection exploitable by an administrator. 
...)
+CVE-2018-16436 (Gxlcms 2.0 before bug fix 20180915 has SQL Injection 
exploitable by an ...)
NOT-FOR-US: Gxlcms
 CVE-2018-16435 (Little CMS (aka Little Color Management System) 2.9 has an 
integer ...)
{DSA-4289-1 DSA-4284-1 DLA-1496-1}
@@ -5074,12 +5135,12 @@ CVE-2018-15704
RESERVED
 CVE-2018-15703
RESERVED
-CVE-2018-15702
-   RESERVED
-CVE-2018-15701
-   RESERVED
-CVE-2018-15700
-   RESERVED
+CVE-2018-15702 (The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is 
...)
+   TODO: check
+CVE-2018-15701 (The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is 
...)
+   TODO: check
+CVE-2018-15700 (The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is 
...)
+   TODO: check
 CVE-2018-15699 (ASUSTOR Data Master 3.1.5 and below makes an HTTP request for 
a ...)
NOT-FOR-US: ASUSTOR Data Master
 CVE-2018-15698 (ASUSTOR Data Master 3.1.5 and below allows authenticated 
remote ...)
@@ -36707,14 +36768,14 @@ CVE-2018-4003
RESERVED
 CVE-2018-4002
RESERVED
-CVE-2018-4001
-   RESERVED
-CVE-2018-4000
-   RESERVED
-CVE-2018-3999
-   RESERVED
-CVE-2018-3998
-   RESERVED
+CVE-2018-4001 (An exploitable uninitialized pointer vulnerability exists in 
the ...)
+   TODO: check
+CVE-2018-4000 (An exploitable double-free vulnerability exists in the Office 
Open XML ...)
+   TODO: check
+CVE-2018-3999 (An exploitable stack-based buffer overflow vulnerability exists 
in the ...)
+   TODO: check
+CVE-2018-3998 (An exploitable heap-based buffer overflow vulnerability exists 
in the ...)
+   TODO: check
 CVE-2018-3997
RESERVED
 CVE-2018-3996
@@ -36741,26 +36802,26 @@ CVE-2018-3986
RESERVED
 CVE-2018-3985
RESERVED
-CVE-2018-3984
-   RESERVED
+CVE-2018-3984 (An exploitable uninitialized length vulnerability exists within 

[Git][security-tracker-team/security-tracker][master] Update information for CVE-2018-17581/exiv2

2018-10-02 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b395210e by Salvatore Bonaccorso at 2018-10-02T07:40:03Z
Update information for CVE-2018-17581/exiv2

Mark severity as low.

Add bug reference to #910060.

Mark as no-dsa for stretch.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -560,7 +560,8 @@ CVE-2018-17583
 CVE-2018-17582 (tcpreplay v4.3.0 contains a heap-based buffer over-read. The 
...)
TODO: check
 CVE-2018-17581 (CiffDirectory::readDirectory() at crwimage_int.cpp in Exiv2 
0.26 has ...)
-   - exiv2 
+   - exiv2  (low; bug #910060)
+   [stretch] - exiv2  (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/issues/460
 CVE-2018-17580 (A heap-based buffer over-read exists in the function 
fast_edit_packet() ...)
TODO: check
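Review bot: The added `[stretch] - exiv2 (Minor issue)` line gives no reason for the "Minor issue" call, and the CVE description is cut off at "has ...", so the impact cannot be read from the entry itself. A short NOTE stating the impact would let a later reader judge the stretch decision and the `low` rating without opening upstream issue 460.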



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b395210e6e860651630d0af47079b961ba7d3757


[Git][security-tracker-team/security-tracker][master] allocate DSA for strongSwan

2018-10-02 Thread Yves-Alexis Perez
Yves-Alexis Perez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2ebcf529 by Yves-Alexis Perez at 2018-10-02T07:32:24Z
allocate DSA for strongSwan

- - - - -


1 changed file:

- data/DSA/list


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[01 Oct 2018] DSA-4309-1 strongswan - security update
+   {CVE-2018-17540}
+   [stretch] - strongswan 5.5.1-4+deb9u4
 [01 Oct 2018] DSA-4308-1 linux - security update
{CVE-2018-6554 CVE-2018-6555 CVE-2018-7755 CVE-2018-9363 CVE-2018-9516 
CVE-2018-10902 CVE-2018-10938 CVE-2018-13099 CVE-2018-14609 CVE-2018-14617 
CVE-2018-14633 CVE-2018-14678 CVE-2018-14734 CVE-2018-15572 CVE-2018-15594 
CVE-2018-16276 CVE-2018-16658 CVE-2018-17182}
[stretch] - linux 4.9.110-3+deb9u5
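Review bot: The new DSA-4309-1 entry references CVE-2018-17540, but this commit changes only `data/DSA/list`. Check that CVE-2018-17540 already has a strongswan entry in `data/CVE/list`, so the advisory does not point at an ID that is still untriaged there.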



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2ebcf5294770e0e3a0c0facc8645cecc4eb34194


[Git][security-tracker-team/security-tracker][master] Add CVE-2018-17581/exiv2

2018-10-02 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8bda3137 by Salvatore Bonaccorso at 2018-10-02T07:19:40Z
Add CVE-2018-17581/exiv2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -560,7 +560,8 @@ CVE-2018-17583
 CVE-2018-17582 (tcpreplay v4.3.0 contains a heap-based buffer over-read. The 
...)
TODO: check
 CVE-2018-17581 (CiffDirectory::readDirectory() at crwimage_int.cpp in Exiv2 
0.26 has ...)
-   TODO: check
+   - exiv2 
+   NOTE: https://github.com/Exiv2/exiv2/issues/460
 CVE-2018-17580 (A heap-based buffer over-read exists in the function 
fast_edit_packet() ...)
TODO: check
 CVE-2018-17579
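Review bot: The replacement for `TODO: check` on CVE-2018-17581 is a bare `- exiv2` line plus the upstream issue link, with no severity and no Debian bug reference. Add both once a bug is filed, and record the stretch status, so the entry does not read as fully triaged while those fields are still open.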



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/8bda3137c8fac29b29b1182eba6719abcc3db42b


[Git][security-tracker-team/security-tracker][master] Add new gitlab issues

2018-10-02 Thread Salvatore Bonaccorso
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cdb50af9 by Salvatore Bonaccorso at 2018-10-02T06:09:13Z
Add new gitlab issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -651,10 +651,14 @@ CVE-2018-17539
RESERVED
 CVE-2018-17538 (** DISPUTED ** Axon (formerly TASER International) Evidence 
Sync ...)
NOT-FOR-US: Axon Evidence Sync
-CVE-2018-17537
+CVE-2018-17537 [Persistent XSS package.json]
RESERVED
-CVE-2018-17536
+   - gitlab 
+   NOTE: 
https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/
+CVE-2018-17536 [Persistent XSS merge request project import]
RESERVED
+   - gitlab 
+   NOTE: 
https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/
 CVE-2018-17535
RESERVED
 CVE-2018-17534
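Review bot: CVE-2018-17537 and CVE-2018-17536 keep their `RESERVED` line and gain a bare `- gitlab` line whose only reference is the release announcement. The URL names the 11.3.1 security release, so stating the fixed upstream version in a NOTE would make the entries usable before a fixed package version can be filled in.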
@@ -811,20 +815,34 @@ CVE-2018-17457
RESERVED
 CVE-2018-17456
RESERVED
-CVE-2018-17455
+CVE-2018-17455 [IDOR merge request approvals]
RESERVED
-CVE-2018-17454
+   - gitlab 
+   NOTE: 
https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/
+CVE-2018-17454 [Persistent XSS on issue details]
RESERVED
-CVE-2018-17453
+   - gitlab 
+   NOTE: 
https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/
+CVE-2018-17453 [GRPC::Unknown logging token disclosure]
RESERVED
-CVE-2018-17452
+   - gitlab 
+   NOTE: 
https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/
+CVE-2018-17452 [validate_localhost function in url_blocker.rb could be 
bypassed]
RESERVED
-CVE-2018-17451
+   - gitlab 
+   NOTE: 
https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/
+CVE-2018-17451 [Slack integration CSRF Oauth2]
RESERVED
-CVE-2018-17450
+   - gitlab 
+   NOTE: 
https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/
+CVE-2018-17450 [SSRF GCP access token disclosure]
RESERVED
-CVE-2018-17449
+   - gitlab 
+   NOTE: 
https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/
+CVE-2018-17449 [Confidential information disclosure in events API endpoint]
RESERVED
+   - gitlab 
+   NOTE: 
https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/
 CVE-2018-17448
RESERVED
 CVE-2018-17447
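Review bot: The seven entries from CVE-2018-17455 down to CVE-2018-17449 cover quite different issue classes (IDOR, persistent XSS, token disclosure in logs, a `validate_localhost` bypass in `url_blocker.rb`, CSRF, SSRF, information disclosure in the events API), yet all get the same `- gitlab` line and the same announcement URL, with no severity. Consider adding per-issue references and a severity where upstream gives one, starting with the two token-disclosure entries (CVE-2018-17453 and CVE-2018-17450).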
@@ -5650,8 +5668,10 @@ CVE-2018-15475
RESERVED
 CVE-2018-15474 (** DISPUTED ** CSV Injection (aka Excel Macro Injection or 
Formula ...)
TODO: check
-CVE-2018-15472
+CVE-2018-15472 [Diff formatter DoS in Sidekiq jobs]
RESERVED
+   - gitlab 
+   NOTE: 
https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/
 CVE-2018-15467
RESERVED
 CVE-2018-15466
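Review bot: CVE-2018-15472 comes from a different ID block than the other GitLab entries in this commit (CVE-2018-174xx and CVE-2018-175xx) but points at the same announcement. It is worth confirming the number against the announcement, since a typo here would attach the GitLab note to an unrelated reserved ID.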



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/cdb50af927384d75fef60244c5a6c732e2809f52
