[Git][security-tracker-team/security-tracker][master] Update CVE-2018-1785{0,1} information
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f513b3fd by Salvatore Bonaccorso at 2018-10-03T05:38:54Z Update CVE-2018-1785{0,1} information MITRE confirmed asked rejection and will update the CVE entries. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -79,14 +79,10 @@ CVE-2018-17853 RESERVED CVE-2018-17852 (A SQL injection was discovered in WUZHI CMS 4.1.0 in ...) NOT-FOR-US: WUZHI CMS -CVE-2018-17851 (An issue was discovered in JsonCpp 1.8.4. An unhandled exception ...) - - libjsoncpp - [stretch] - libjsoncpp (Minor issue) - NOTE: https://github.com/open-source-parsers/jsoncpp/issues/823 -CVE-2018-17850 (An issue was discovered in JsonCpp 1.8.4. An unhandled exception ...) - - libjsoncpp - [stretch] - libjsoncpp (Minor issue) - NOTE: https://github.com/open-source-parsers/jsoncpp/issues/824 +CVE-2018-17851 + REJECTED +CVE-2018-17850 + REJECTED CVE-2018-17849 RESERVED CVE-2018-17848 (The html package (aka x/net/html) through 2018-09-25 in Go mishandles ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f513b3fdd25f8be889af8cea1daba0b555ff2fdf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f513b3fdd25f8be889af8cea1daba0b555ff2fdf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
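Review bot: the switch to REJECTED for CVE-2018-17851 and CVE-2018-17850 drops the two NOTE links to upstream issues 823 and 824 along with the libjsoncpp lines, while the commit message says MITRE has only agreed to reject and has not yet updated the entries; until the rejection is visible upstream, nothing in the file records why these entries were dropped. Suggest keeping a short NOTE under each REJECTED line (e.g. `NOTE: https://github.com/open-source-parsers/jsoncpp/issues/823`, rejection requested from MITRE) so the reasoning survives.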
[Git][security-tracker-team/security-tracker][master] Add ignored tag for arm64/kvm issue for jessie
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 20310109 by Salvatore Bonaccorso at 2018-10-03T05:21:50Z Add ignored tag for arm64/kvm issue for jessie - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8,6 +8,7 @@ CVE-2018-17883 RESERVED CVE-2018- [arm64/kvm: Privilege escalation by taking control of the KVM hypervisor] - linux + [jessie] - linux (arm64 not supported in jessie LTS) NOTE: https://git.kernel.org/linus/d26c25a9d19b5976b319af528886f89cf455692d NOTE: https://git.kernel.org/linus/2a3f93459d689d990b3ecfbe782fec89b97d3279 CVE-2018-17884 (XSS exists in admin/gb-dashboard-widget.php in the Gwolle Guestbook ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/20310109c864ff911369bf327d4ab3fbb5e6aadb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/20310109c864ff911369bf327d4ab3fbb5e6aadb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
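Review bot: the new `[jessie] - linux (arm64 not supported in jessie LTS)` line is attached to a placeholder entry that still has no CVE number (`CVE-2018- [arm64/kvm: ...]`), so when the real id is assigned and the automatic update adds the numbered entry, this hand-written entry and its ignored tag will have to be merged by hand. Suggest a NOTE saying the jessie tag is to be carried over, so the decision is not lost in that merge.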
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1529-1 for linux
Ben Hutchings pushed to branch master at Debian Security Tracker / security-tracker Commits: 8f8c350e by Ben Hutchings at 2018-10-03T03:36:50Z Reserve DLA-1529-1 for linux - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[03 Oct 2018] DLA-1529-1 linux - security update + {CVE-2018-3620 CVE-2018-3639 CVE-2018-5391 CVE-2018-6554 CVE-2018-6555 CVE-2018-7755 CVE-2018-9363 CVE-2018-9516 CVE-2018-10021 CVE-2018-10323 CVE-2018-10876 CVE-2018-10877 CVE-2018-10878 CVE-2018-10879 CVE-2018-10880 CVE-2018-10881 CVE-2018-10882 CVE-2018-10883 CVE-2018-10902 CVE-2018-13093 CVE-2018-13094 CVE-2018-13405 CVE-2018-13406 CVE-2018-14609 CVE-2018-14617 CVE-2018-14633 CVE-2018-14634 CVE-2018-14678 CVE-2018-14734 CVE-2018-15572 CVE-2018-15594 CVE-2018-16276 CVE-2018-16658 CVE-2018-17182} + [jessie] - linux 3.16.59-1 [02 Oct 2018] DLA-1528-1 strongswan - security update {CVE-2018-17540} [jessie] - strongswan 5.2.1-6+deb8u8 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8f8c350e720f04f023a9a0748676c99a138a4b1f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8f8c350e720f04f023a9a0748676c99a138a4b1f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
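Review bot: the DLA-1529-1 reservation touches only data/DLA/list; unlike the DLA-1528-1 reservation for strongswan (commit 6720cb31), which also removed the package from data/dla-needed.txt in the same commit, nothing here drops linux from dla-needed.txt. If linux is listed there, it should be removed together with the reservation so the file does not advertise work that is already done.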
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-1785{0,1}/libjsoncpp
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 60e97442 by Salvatore Bonaccorso at 2018-10-02T21:24:00Z Add CVE-2018-1785{0,1}/libjsoncpp Not convinced that they are actually security issues, the library should not use assertions in the first place. For now tracking them as such. In case the CVEs are either REJECTED which means we can remove the source package tracking, or disputed, where we then can possibly downgrade severity to unimportant. For now leaving as such. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -79,9 +79,13 @@ CVE-2018-17853 CVE-2018-17852 (A SQL injection was discovered in WUZHI CMS 4.1.0 in ...) NOT-FOR-US: WUZHI CMS CVE-2018-17851 (An issue was discovered in JsonCpp 1.8.4. An unhandled exception ...) - TODO: check + - libjsoncpp + [stretch] - libjsoncpp (Minor issue) + NOTE: https://github.com/open-source-parsers/jsoncpp/issues/823 CVE-2018-17850 (An issue was discovered in JsonCpp 1.8.4. An unhandled exception ...) - TODO: check + - libjsoncpp + [stretch] - libjsoncpp (Minor issue) + NOTE: https://github.com/open-source-parsers/jsoncpp/issues/824 CVE-2018-17849 RESERVED CVE-2018-17848 (The html package (aka x/net/html) through 2018-09-25 in Go mishandles ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/60e974421d5f9a9a536ac675e95a7ed37b908d5f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/60e974421d5f9a9a536ac675e95a7ed37b908d5f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
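Review bot: the new `- libjsoncpp` lines carry no severity marker even though the commit message doubts these are security issues at all and stretch is tagged `(Minor issue)`; compare the exiv2 entry in b395210e, which records `- exiv2 (low; bug #910060)`. Suggest `- libjsoncpp (low)` (or `(unimportant)` once the dispute is settled) so the severity is visible to consumers of the tracker, and a matching `[jessie]` line, since only stretch is tagged here.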
[Git][security-tracker-team/security-tracker][master] 2 commits: Process several NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: aeac497f by Salvatore Bonaccorso at 2018-10-02T20:23:12Z Process several NFUs - - - - - 2eb2dd8a by Salvatore Bonaccorso at 2018-10-02T20:37:23Z Process more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2018-17887 RESERVED CVE-2018-17886 (An issue was discovered in JEESNS 1.3. The XSS filter in ...) - TODO: check + NOT-FOR-US: JEESNS CVE-2018-17885 RESERVED CVE-2018-17883 @@ -105,11 +105,11 @@ CVE-2018-17840 CVE-2018-17839 RESERVED CVE-2018-17838 (An issue was discovered in JTBC(PHP) 3.0.1.6. Arbitrary file read ...) - TODO: check + NOT-FOR-US: JTBC CVE-2018-17837 (An issue was discovered in JTBC(PHP) 3.0.1.6. Arbitrary file deletion ...) - TODO: check + NOT-FOR-US: JTBC CVE-2018-17836 (An issue was discovered in JTBC(PHP) 3.0.1.6. It allows remote ...) - TODO: check + NOT-FOR-US: JTBC CVE-2018-17835 (An issue was discovered in GetSimple CMS 3.3.15. An administrator can ...) NOT-FOR-US: GetSimple CMS CVE-2018-17834 @@ -219,9 +219,9 @@ CVE-2018-17789 CVE-2018-17788 RESERVED CVE-2018-17787 (On D-Link DIR-823G devices, the GoAhead configuration allows /HNAP1 ...) - TODO: check + NOT-FOR-US: D-Link DIR-823G devices CVE-2018-17786 (On D-Link DIR-823G devices, ExportSettings.sh, upload_settings.cgi, ...) - TODO: check + NOT-FOR-US: D-Link DIR-823G devices CVE-2018-17785 (In blynk-server in Blynk before 0.39.7, Directory Traversal exists via ...) NOT-FOR-US: blynk-server in Blynk CVE-2018-17784 
@@ -604,25 +604,25 @@ CVE-2018-17598 CVE-2018-17597 RESERVED CVE-2018-17596 (In Zoho ManageEngine AssetExplorer, a Stored XSS vulnerability was ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine AssetExplorer CVE-2018-17595 (In the 5.4.0 version of the Fork CMS software, HTML Injection and ...) - TODO: check + NOT-FOR-US: Fork CMS CVE-2018-17594 (AirTies Air 5443v2 devices with software 1.0.0.18 have XSS via the ...) - TODO: check + NOT-FOR-US: AirTies Air 5443v2 devices CVE-2018-17593 (AirTies Air 5453 devices with software 1.0.0.18 have XSS via the ...) - TODO: check + NOT-FOR-US: AirTies Air 5453 devices CVE-2018-17592 RESERVED CVE-2018-17591 (AirTies Air 5343v2 devices with software 1.0.0.18 have XSS via the ...) - TODO: check + NOT-FOR-US: AirTies Air 5343v2 devices CVE-2018-17590 (AirTies Air 5442 devices with software 1.0.0.18 have XSS via the ...) - TODO: check + NOT-FOR-US: AirTies Air 5442 devices CVE-2018-17589 (AirTies Air 5650 devices with software 1.0.0.18 have XSS via the ...) - TODO: check + NOT-FOR-US: AirTies Air 5650 devices CVE-2018-17588 (AirTies Air 5021 devices with software 1.0.0.18 have XSS via the ...) - TODO: check + NOT-FOR-US: AirTies Air 5021 devices CVE-2018-17587 (AirTies Air 5750 devices with software 1.0.0.18 have XSS via the ...) - TODO: check + NOT-FOR-US: AirTies Air 5750 devices CVE-2018-17586 RESERVED CVE-2018-17585 @@ -971,7 +971,7 @@ CVE-2018-17429 CVE-2018-17428 RESERVED CVE-2018-17427 (SIMDComp before 0.1.0 allows remote attackers to cause a denial of ...) - TODO: check + NOT-FOR-US: SIMDComp CVE-2018-17426 RESERVED CVE-2018-17425 
@@ -5028,9 +5028,9 @@ CVE-2018-15755 CVE-2018-15754 RESERVED CVE-2018-15753 (An issue was discovered in the MensaMax (aka com.breustedt.mensamax) ...) - TODO: check + NOT-FOR-US: MensaMax application for Android CVE-2018-15752 (An issue was discovered in the MensaMax (aka com.breustedt.mensamax) ...) - TODO: check + NOT-FOR-US: MensaMax application for Android CVE-2018-15751 RESERVED CVE-2018-15750 @@ -5149,11 +5149,11 @@ CVE-2018-15704 CVE-2018-15703 RESERVED CVE-2018-15702 (The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is ...) - TODO: check + NOT-FOR-US: TP-Link CVE-2018-15701 (The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is ...) - TODO: check + NOT-FOR-US: TP-Link CVE-2018-15700 (The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is ...) - TODO: check + NOT-FOR-US: TP-Link CVE-2018-15699 (ASUSTOR Data Master 3.1.5 and below makes an HTTP request for a ...) NOT-FOR-US: ASUSTOR Data Master CVE-2018-15698 (ASUSTOR Data Master 3.1.5 and below allows authenticated remote ...) @@ -5556,7 +5556,7 @@ CVE-2018-15565 (An issue was discovered in daveismyname simple-cms through 2014- CVE-2018-15564 (An issue was discovered in daveismyname simple-cms through 2014-03-11. ...) NOT-FOR-US: simple-cms CVE-2018-15563 (_core/admin/pages/add/ in Subrion CMS 4.2.1
[Git][security-tracker-team/security-tracker][master] CVE-2017-17781 got finally properly rejected
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b33c701b by Salvatore Bonaccorso at 2018-10-02T20:11:41Z CVE-2017-17781 got finally properly rejected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -38698,10 +38698,6 @@ CVE-2017-17782 (In GraphicsMagick 1.3.27a, there is a heap-based buffer over-rea NOTE: https://sourceforge.net/p/graphicsmagick/bugs/530/ CVE-2017-17781 REJECTED - - php-horde - - php-horde-turba - NOTE: http://code610.blogspot.com/2017/12/modus-operandi-horde-52x.html - NOTE: https://bugs.horde.org/ticket/14857 CVE-2017-17780 (The Clockwork SMS clockwork-test-message.php component has XSS via a ...) NOT-FOR-US: Clockwork SMS plugins for WordPress CVE-2017-17779 (Paid To Read Script 2.0.5 has SQL injection via the referrals.php id ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b33c701bbcbfac2f1eb9235574218989b4684e98 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b33c701bbcbfac2f1eb9235574218989b4684e98 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7529bba3 by security tracker role at 2018-10-02T20:10:33Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,8 +1,16 @@ +CVE-2018-17887 + RESERVED +CVE-2018-17886 (An issue was discovered in JEESNS 1.3. The XSS filter in ...) + TODO: check +CVE-2018-17885 + RESERVED +CVE-2018-17883 + RESERVED CVE-2018- [arm64/kvm: Privilege escalation by taking control of the KVM hypervisor] - linux NOTE: https://git.kernel.org/linus/d26c25a9d19b5976b319af528886f89cf455692d NOTE: https://git.kernel.org/linus/2a3f93459d689d990b3ecfbe782fec89b97d3279 -CVE-2018-17884 +CVE-2018-17884 (XSS exists in admin/gb-dashboard-widget.php in the Gwolle Guestbook ...) NOT-FOR-US: WordPress plugin gwolle-gb CVE-2018-17882 RESERVED @@ -210,10 +218,10 @@ CVE-2018-17789 RESERVED CVE-2018-17788 RESERVED -CVE-2018-17787 - RESERVED -CVE-2018-17786 - RESERVED +CVE-2018-17787 (On D-Link DIR-823G devices, the GoAhead configuration allows /HNAP1 ...) + TODO: check +CVE-2018-17786 (On D-Link DIR-823G devices, ExportSettings.sh, upload_settings.cgi, ...) + TODO: check CVE-2018-17785 (In blynk-server in Blynk before 0.39.7, Directory Traversal exists via ...) NOT-FOR-US: blynk-server in Blynk CVE-2018-17784 
@@ -595,26 +603,26 @@ CVE-2018-17598 RESERVED CVE-2018-17597 RESERVED -CVE-2018-17596 - RESERVED -CVE-2018-17595 - RESERVED -CVE-2018-17594 - RESERVED -CVE-2018-17593 - RESERVED +CVE-2018-17596 (In Zoho ManageEngine AssetExplorer, a Stored XSS vulnerability was ...) + TODO: check +CVE-2018-17595 (In the 5.4.0 version of the Fork CMS software, HTML Injection and ...) + TODO: check +CVE-2018-17594 (AirTies Air 5443v2 devices with software 1.0.0.18 have XSS via the ...) + TODO: check +CVE-2018-17593 (AirTies Air 5453 devices with software 1.0.0.18 have XSS via the ...) + TODO: check CVE-2018-17592 RESERVED -CVE-2018-17591 - RESERVED -CVE-2018-17590 - RESERVED -CVE-2018-17589 - RESERVED -CVE-2018-17588 - RESERVED -CVE-2018-17587 - RESERVED +CVE-2018-17591 (AirTies Air 5343v2 devices with software 1.0.0.18 have XSS via the ...) + TODO: check +CVE-2018-17590 (AirTies Air 5442 devices with software 1.0.0.18 have XSS via the ...) + TODO: check +CVE-2018-17589 (AirTies Air 5650 devices with software 1.0.0.18 have XSS via the ...) + TODO: check +CVE-2018-17588 (AirTies Air 5021 devices with software 1.0.0.18 have XSS via the ...) + TODO: check +CVE-2018-17587 (AirTies Air 5750 devices with software 1.0.0.18 have XSS via the ...) + TODO: check CVE-2018-17586 RESERVED CVE-2018-17585 @@ -713,7 +721,7 @@ CVE-2018-17541 RESERVED CVE-2018-17540 [denial-of-service vulnerability in the gmp plugin] RESERVED - {DSA-4309-1} + {DSA-4309-1 DLA-1528-1} - strongswan 5.7.1-1 NOTE: https://www.strongswan.org/blog/2018/10/01/strongswan-vulnerability-(cve-2018-17540).html CVE-2018-17539 
@@ -1979,8 +1987,7 @@ CVE-2018-16986 RESERVED CVE-2018-16985 (In Lizard (formerly LZ5) 2.0, use of an invalid memory address was ...) NOT-FOR-US: Lizard -CVE-2018-16984 [Password hash disclosure to "view only" admin users] - RESERVED +CVE-2018-16984 (An issue was discovered in Django 2.1 before 2.1.2, in which ...) [experimental] - python-django 2:2.1.2-1 - python-django (bug #910016; vulnerable code not present) NOTE: https://www.djangoproject.com/weblog/2018/oct/01/security-release/ @@ -5020,10 +5027,10 @@ CVE-2018-15755 RESERVED CVE-2018-15754 RESERVED -CVE-2018-15753 - RESERVED -CVE-2018-15752 - RESERVED +CVE-2018-15753 (An issue was discovered in the MensaMax (aka com.breustedt.mensamax) ...) + TODO: check +CVE-2018-15752 (An issue was discovered in the MensaMax (aka com.breustedt.mensamax) ...) + TODO: check CVE-2018-15751 RESERVED CVE-2018-15750 @@ -5548,8 +,8 @@ CVE-2018-15565 (An issue was discovered in daveismyname simple-cms through 2014- NOT-FOR-US: simple-cms CVE-2018-15564 (An issue was discovered in daveismyname simple-cms through 2014-03-11. ...) NOT-FOR-US: simple-cms -CVE-2018-15563 - RESERVED +CVE-2018-15563 (_core/admin/pages/add/ in Subrion CMS 4.2.1 has XSS via the titles[en] ...) + TODO: check CVE-2018-15562 (CMS ISWEB 3.5.3 has XSS via the ordineRis, sezioneRicerca, or ...) NOT-FOR-US: CMS ISWEB CVE-2018-15561 @@ -13080,8 +13087,8 @@ CVE-2018-12475 RESERVED CVE-2018-12474 RESERVED -CVE-2018-12473 - RESERVED +CVE-2018-12473 (A path traversal traversal
[Git][security-tracker-team/security-tracker][master] NFU
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: 91d93203 by Henri Salo at 2018-10-02T19:37:36Z NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2,6 +2,8 @@ CVE-2018- [arm64/kvm: Privilege escalation by taking control of the KVM hype - linux NOTE: https://git.kernel.org/linus/d26c25a9d19b5976b319af528886f89cf455692d NOTE: https://git.kernel.org/linus/2a3f93459d689d990b3ecfbe782fec89b97d3279 +CVE-2018-17884 + NOT-FOR-US: WordPress plugin gwolle-gb CVE-2018-17882 RESERVED CVE-2018-17881 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/91d93203dff6462ea0701d880700d0169bbd7a9b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/91d93203dff6462ea0701d880700d0169bbd7a9b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add new linux issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3d0d1218 by Salvatore Bonaccorso at 2018-10-02T18:31:50Z Add new linux issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2018- [arm64/kvm: Privilege escalation by taking control of the KVM hypervisor] + - linux + NOTE: https://git.kernel.org/linus/d26c25a9d19b5976b319af528886f89cf455692d + NOTE: https://git.kernel.org/linus/2a3f93459d689d990b3ecfbe782fec89b97d3279 CVE-2018-17882 RESERVED CVE-2018-17881 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3d0d121831b3c9c84245b7ae3a88e6359bdae957 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3d0d121831b3c9c84245b7ae3a88e6359bdae957 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
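Review bot: the placeholder entry `CVE-2018- [arm64/kvm: ...]` lists `- linux` with no fixed version and no severity, and the two NOTE lines point at upstream commits d26c25a9d19b and 2a3f93459d68 without saying which release contains them, so the entry reads as unfixed in every suite. Suggest recording the first upstream release that carries both commits (or the Debian upload that will) as soon as it is known.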
[Git][security-tracker-team/security-tracker][master] Record version entering unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bf0cf258 by Salvatore Bonaccorso at 2018-10-02T15:42:50Z Record version entering unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24882,7 +24882,7 @@ CVE-2018-8002 (In PoDoFo 0.9.5, there exists an infinite loop vulnerability in . NOTE: PoC https://bugzilla.redhat.com/show_bug.cgi?id=1548930 NOTE: Upstream bug: https://sourceforge.net/p/podofo/tickets/15/ CVE-2018-8001 (In PoDoFo 0.9.5, there exists a heap-based buffer over-read ...) - - libpodofo 0.9.6~rc1+dfsg-1 (low; bug #892556) + - libpodofo 0.9.6+dfsg-3 (low; bug #892556) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) @@ -33481,7 +33481,7 @@ CVE-2018-5311 (The Easy Custom Auto Excerpt plugin 2.4.6 for WordPress has XSS v CVE-2018-5310 (In the Media from FTP plugin before 9.85 for WordPress, Directory ...) NOT-FOR-US: "Media from FTP" plugin for WordPress CVE-2018-5309 (In PoDoFo 0.9.5, there is an integer overflow in the ...) - - libpodofo 0.9.6~rc1+dfsg-1 (low) + - libpodofo 0.9.6+dfsg-3 (low) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) @@ -33559,7 +33559,7 @@ CVE-2018-5298 (In the Procter Gamble Oral-B App (aka com.pg.or CVE-2018-5297 RESERVED CVE-2018-5296 (In PoDoFo 0.9.5, there is an uncontrolled memory allocation in the ...) - - libpodofo 0.9.6+dfsg-1 (low) + - libpodofo 0.9.6+dfsg-3 (low) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) 
@@ -76004,7 +76004,7 @@ CVE-2017-8054 (The function PdfPagesTree::GetPageNodeFromArray in PdfPageTree.cp NOTE: ... and re-fixed in: https://sourceforge.net/p/podofo/code/1882 NOTE: and https://sourceforge.net/p/podofo/code/1883 CVE-2017-8053 (PoDoFo 0.9.5 allows denial of service (infinite recursion and stack ...) - - libpodofo 0.9.6+dfsg-1 (bug #860994) + - libpodofo 0.9.6+dfsg-3 (bug #860994) [stretch] - libpodofo (Minor issue) [jessie] - libpodofo (Minor issue) [wheezy] - libpodofo (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bf0cf258f73cefebd23eb4df61f62b8c126df518 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bf0cf258f73cefebd23eb4df61f62b8c126df518 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
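Review bot: the libpodofo fixed versions for CVE-2018-8001, CVE-2018-5309, CVE-2018-5296 and CVE-2017-8053 are bumped from 0.9.6~rc1+dfsg-1 / 0.9.6+dfsg-1 to 0.9.6+dfsg-3, which marks the earlier 0.9.6 uploads as vulnerable even though the entries previously recorded them as fixed, and the commit message only says "Record version entering unstable". If the earlier uploads only ever reached experimental, consider keeping them as `[experimental] - libpodofo 0.9.6~rc1+dfsg-1` lines (as done for python-django in 7529bba3) and stating in the commit message that the fix itself is unchanged.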
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1528-1 for strongswan
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 6720cb31 by Chris Lamb at 2018-10-02T09:58:32Z Reserve DLA-1528-1 for strongswan - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[02 Oct 2018] DLA-1528-1 strongswan - security update + {CVE-2018-17540} + [jessie] - strongswan 5.2.1-6+deb8u8 [01 Oct 2018] DLA-1527-2 ghostscript - regression update [jessie] - ghostscript 9.06~dfsg-2+deb8u10 [30 Sep 2018] DLA-1527-1 ghostscript - security update = data/dla-needed.txt = @@ -81,8 +81,6 @@ spamassassin NOTE: 20180925: wait for feedback (anarcat) NOTE: 20180925: 20180920021632.5ak6iznomgw5q...@ctrl.internal.morgul.net -- -strongswan (Chris Lamb) --- symfony (Thorsten Alteholz) -- thunderbird View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6720cb318e2d3532eefa34351712cb1b804923f3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6720cb318e2d3532eefa34351712cb1b804923f3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0a5e1bc3 by Salvatore Bonaccorso at 2018-10-02T08:35:52Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15,7 +15,7 @@ CVE-2018-17876 CVE-2018-17875 RESERVED CVE-2018-17874 (ExpressionEngine before 4.3.5 has reflected XSS. ...) - TODO: check + NOT-FOR-US: ExpressionEngine CVE-2018-17873 RESERVED CVE-2018-17872 @@ -23,13 +23,13 @@ CVE-2018-17872 CVE-2018-17871 RESERVED CVE-2018-17870 (An issue was discovered in BTITeam XBTIT 2.5.4. The returnto ...) - TODO: check + NOT-FOR-US: BTITeam XBTIT CVE-2018-17869 (DASAN H660GW devices do not implement any CSRF protection mechanism. ...) - TODO: check + NOT-FOR-US: DASAN H660GW devices CVE-2018-17868 (DASAN H660GW devices have Stored XSS in the Port Forwarding ...) - TODO: check + NOT-FOR-US: DASAN H660GW devices CVE-2018-17867 (The Port Forwarding functionality on DASAN H660GW devices allows remote ...) - TODO: check + NOT-FOR-US: DASAN H660GW device CVE-2018-17866 RESERVED CVE-2018-17865 
@@ -55,9 +55,9 @@ CVE-2018-17856 CVE-2018-17855 RESERVED CVE-2015-9270 (XSS exists in the the-holiday-calendar plugin before 1.11.3 for ...) - TODO: check + NOT-FOR-US: the-holiday-calendar plugin for WordPress CVE-2015-9269 (The export/content.php exportarticle feature in the ...) - TODO: check + NOT-FOR-US: wordpress-mobile-pack plugin for WordPress CVE-2018-17854 (SIMDComp before 0.1.1 allows remote attackers to cause a denial of ...) NOT-FOR-US: SIMDComp CVE-2018-17853 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0a5e1bc377cb21adac76fb591e99add7a26e40ce -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0a5e1bc377cb21adac76fb591e99add7a26e40ce You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
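Review bot: the DASAN entries in the second hunk are tagged inconsistently: CVE-2018-17869 and CVE-2018-17868 get `NOT-FOR-US: DASAN H660GW devices` while CVE-2018-17867 gets `NOT-FOR-US: DASAN H660GW device` (singular). Suggest using the same string for all three so the entries group together when searched.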
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 20a1b7b9 by security tracker role at 2018-10-02T08:10:31Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,63 @@ +CVE-2018-17882 + RESERVED +CVE-2018-17881 + RESERVED +CVE-2018-17880 + RESERVED +CVE-2018-17879 + RESERVED +CVE-2018-17878 + RESERVED +CVE-2018-17877 + RESERVED +CVE-2018-17876 + RESERVED +CVE-2018-17875 + RESERVED +CVE-2018-17874 (ExpressionEngine before 4.3.5 has reflected XSS. ...) + TODO: check +CVE-2018-17873 + RESERVED +CVE-2018-17872 + RESERVED +CVE-2018-17871 + RESERVED +CVE-2018-17870 (An issue was discovered in BTITeam XBTIT 2.5.4. The returnto ...) + TODO: check +CVE-2018-17869 (DASAN H660GW devices do not implement any CSRF protection mechanism. ...) + TODO: check +CVE-2018-17868 (DASAN H660GW devices have Stored XSS in the Port Forwarding ...) + TODO: check +CVE-2018-17867 (The Port Forwarding functionality on DASAN H660GW devices allows remote ...) + TODO: check +CVE-2018-17866 + RESERVED +CVE-2018-17865 + RESERVED +CVE-2018-17864 + RESERVED +CVE-2018-17863 + RESERVED +CVE-2018-17862 + RESERVED +CVE-2018-17861 + RESERVED +CVE-2018-17860 + RESERVED +CVE-2018-17859 + RESERVED +CVE-2018-17858 + RESERVED +CVE-2018-17857 + RESERVED +CVE-2018-17856 + RESERVED +CVE-2018-17855 + RESERVED +CVE-2015-9270 (XSS exists in the the-holiday-calendar plugin before 1.11.3 for ...) + TODO: check +CVE-2015-9269 (The export/content.php exportarticle feature in the ...) + TODO: check CVE-2018-17854 (SIMDComp before 0.1.1 allows remote attackers to cause a denial of ...) NOT-FOR-US: SIMDComp CVE-2018-17853 @@ -647,6 +707,7 @@ CVE-2018-17541 RESERVED CVE-2018-17540 [denial-of-service vulnerability in the gmp plugin] RESERVED + {DSA-4309-1} - strongswan 5.7.1-1 NOTE: https://www.strongswan.org/blog/2018/10/01/strongswan-vulnerability-(cve-2018-17540).html CVE-2018-17539 
@@ -1956,7 +2017,7 @@ CVE-2018-16967 RESERVED CVE-2018-16966 RESERVED -CVE-2018-16965 (In Zoho ManageEngine SupportCenter Plus 8.1.0, there is HTML Injection ...) +CVE-2018-16965 (In Zoho ManageEngine SupportCenter Plus before 8.1 Build 8109, there ...) NOT-FOR-US: Zoho CVE-2018-16964 RESERVED @@ -3188,9 +3249,9 @@ CVE-2018-16439 CVE-2018-16438 (An issue was discovered in the HDF HDF5 1.8.20 library. There is an out ...) - hdf5 NOTE: H5L_extern_query@H5Lexternal.c:498-10___out-of-bounds-read -CVE-2018-16437 (Gxlcms 2.0 has Directory Traversal exploitable by an administrator. ...) +CVE-2018-16437 (Gxlcms 2.0 before bug fix 20180915 has Directory Traversal exploitable ...) NOT-FOR-US: Gxlcms -CVE-2018-16436 (Gxlcms 2.0 has SQL Injection exploitable by an administrator. ...) +CVE-2018-16436 (Gxlcms 2.0 before bug fix 20180915 has SQL Injection exploitable by an ...) NOT-FOR-US: Gxlcms CVE-2018-16435 (Little CMS (aka Little Color Management System) 2.9 has an integer ...) {DSA-4289-1 DSA-4284-1 DLA-1496-1} @@ -5074,12 +5135,12 @@ CVE-2018-15704 RESERVED CVE-2018-15703 RESERVED -CVE-2018-15702 - RESERVED -CVE-2018-15701 - RESERVED -CVE-2018-15700 - RESERVED +CVE-2018-15702 (The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is ...) + TODO: check +CVE-2018-15701 (The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is ...) + TODO: check +CVE-2018-15700 (The web interface in TP-Link TL-WRN841N 0.9.1 4.16 v0348.0 is ...) + TODO: check CVE-2018-15699 (ASUSTOR Data Master 3.1.5 and below makes an HTTP request for a ...) NOT-FOR-US: ASUSTOR Data Master CVE-2018-15698 (ASUSTOR Data Master 3.1.5 and below allows authenticated remote ...) 
@@ -36707,14 +36768,14 @@ CVE-2018-4003 RESERVED CVE-2018-4002 RESERVED -CVE-2018-4001 - RESERVED -CVE-2018-4000 - RESERVED -CVE-2018-3999 - RESERVED -CVE-2018-3998 - RESERVED +CVE-2018-4001 (An exploitable uninitialized pointer vulnerability exists in the ...) + TODO: check +CVE-2018-4000 (An exploitable double-free vulnerability exists in the Office Open XML ...) + TODO: check +CVE-2018-3999 (An exploitable stack-based buffer overflow vulnerability exists in the ...) + TODO: check +CVE-2018-3998 (An exploitable heap-based buffer overflow vulnerability exists in the ...) + TODO: check CVE-2018-3997 RESERVED CVE-2018-3996 @@ -36741,26 +36802,26 @@ CVE-2018-3986 RESERVED CVE-2018-3985 RESERVED -CVE-2018-3984 - RESERVED +CVE-2018-3984 (An exploitable uninitialized length vulnerability exists within
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2018-17581/exiv2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b395210e by Salvatore Bonaccorso at 2018-10-02T07:40:03Z Update information for CVE-2018-17581/exiv2 Mark severity as low. Add bug reference to #910060. Mark as no-dsa for stretch. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -560,7 +560,8 @@ CVE-2018-17583 CVE-2018-17582 (tcpreplay v4.3.0 contains a heap-based buffer over-read. The ...) TODO: check CVE-2018-17581 (CiffDirectory::readDirectory() at crwimage_int.cpp in Exiv2 0.26 has ...) - - exiv2 + - exiv2 (low; bug #910060) + [stretch] - exiv2 (Minor issue) NOTE: https://github.com/Exiv2/exiv2/issues/460 CVE-2018-17580 (A heap-based buffer over-read exists in the function fast_edit_packet() ...) TODO: check View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b395210e6e860651630d0af47079b961ba7d3757 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b395210e6e860651630d0af47079b961ba7d3757 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
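Review bot: CVE-2018-17581 now has `- exiv2 (low; bug #910060)` and `[stretch] - exiv2 (Minor issue)` but no `[jessie]` line, so jessie is still shown as open for an issue judged too minor for a stretch DSA; compare the libpodofo entries in bf0cf258, which tag stretch, jessie and wheezy alike. Suggest adding `[jessie] - exiv2 (Minor issue)` unless jessie is meant to be handled via dla-needed.txt.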
[Git][security-tracker-team/security-tracker][master] allocate DSA for strongSwan
Yves-Alexis Perez pushed to branch master at Debian Security Tracker / security-tracker Commits: 2ebcf529 by Yves-Alexis Perez at 2018-10-02T07:32:24Z allocate DSA for strongSwan - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[01 Oct 2018] DSA-4309-1 strongswan - security update + {CVE-2018-17540} + [stretch] - strongswan 5.5.1-4+deb9u4 [01 Oct 2018] DSA-4308-1 linux - security update {CVE-2018-6554 CVE-2018-6555 CVE-2018-7755 CVE-2018-9363 CVE-2018-9516 CVE-2018-10902 CVE-2018-10938 CVE-2018-13099 CVE-2018-14609 CVE-2018-14617 CVE-2018-14633 CVE-2018-14678 CVE-2018-14734 CVE-2018-15572 CVE-2018-15594 CVE-2018-16276 CVE-2018-16658 CVE-2018-17182} [stretch] - linux 4.9.110-3+deb9u5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2ebcf5294770e0e3a0c0facc8645cecc4eb34194 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2ebcf5294770e0e3a0c0facc8645cecc4eb34194 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-17581/exiv2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8bda3137 by Salvatore Bonaccorso at 2018-10-02T07:19:40Z Add CVE-2018-17581/exiv2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -560,7 +560,8 @@ CVE-2018-17583 CVE-2018-17582 (tcpreplay v4.3.0 contains a heap-based buffer over-read. The ...) TODO: check CVE-2018-17581 (CiffDirectory::readDirectory() at crwimage_int.cpp in Exiv2 0.26 has ...) - TODO: check + - exiv2 + NOTE: https://github.com/Exiv2/exiv2/issues/460 CVE-2018-17580 (A heap-based buffer over-read exists in the function fast_edit_packet() ...) TODO: check CVE-2018-17579 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8bda3137c8fac29b29b1182eba6719abcc3db42b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8bda3137c8fac29b29b1182eba6719abcc3db42b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
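Review bot: the hunk replaces "TODO: check" with the package assignment and the upstream issue link but records no severity, no Debian bug and no stretch status, so for the twenty minutes between this commit and b395210e above the entry reads as an untriaged open issue for every suite; the follow-up commit fills in "(low; bug #910060)" and the stretch no-dsa tag, and folding both into one change would have kept the entry consistent at every point in history. The NOTE is the right single reference until an upstream fix commit exists.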
[Git][security-tracker-team/security-tracker][master] Add new gitlab issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cdb50af9 by Salvatore Bonaccorso at 2018-10-02T06:09:13Z Add new gitlab issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -651,10 +651,14 @@ CVE-2018-17539 RESERVED CVE-2018-17538 (** DISPUTED ** Axon (formerly TASER International) Evidence Sync ...) NOT-FOR-US: Axon Evidence Sync -CVE-2018-17537 +CVE-2018-17537 [Persistent XSS package.json] RESERVED -CVE-2018-17536 + - gitlab + NOTE: https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/ +CVE-2018-17536 [Persistent XSS merge request project import] RESERVED + - gitlab + NOTE: https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/ CVE-2018-17535 RESERVED CVE-2018-17534 
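Review bot: both entries get "- gitlab" plus the same NOTE URL (the GitLab 11.3.1 security release announcement) but no fixed version, so the tracker will list them as open for every suite until an upload is recorded; add the fixed version once a package based on 11.3.1 is uploaded, or a per-suite tag where the Debian package does not ship the affected code. Keeping the lines as RESERVED with a bracketed one-line description is the correct way to leave a readable placeholder while MITRE has not published text for the CVE.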
@@ -811,20 +815,34 @@ CVE-2018-17457 RESERVED CVE-2018-17456 RESERVED -CVE-2018-17455 +CVE-2018-17455 [IDOR merge request approvals] RESERVED -CVE-2018-17454 + - gitlab + NOTE: https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/ +CVE-2018-17454 [Persistent XSS on issue details] RESERVED -CVE-2018-17453 + - gitlab + NOTE: https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/ +CVE-2018-17453 [GRPC::Unknown logging token disclosure] RESERVED -CVE-2018-17452 + - gitlab + NOTE: https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/ +CVE-2018-17452 [validate_localhost function in url_blocker.rb could be bypassed] RESERVED -CVE-2018-17451 + - gitlab + NOTE: https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/ +CVE-2018-17451 [Slack integration CSRF Oauth2] RESERVED -CVE-2018-17450 + - gitlab + NOTE: https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/ +CVE-2018-17450 [SSRF GCP access token disclosure] RESERVED -CVE-2018-17449 + - gitlab + NOTE: https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/ +CVE-2018-17449 [Confidential information disclosure in events API endpoint] RESERVED + - gitlab + NOTE: https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/ CVE-2018-17448 RESERVED CVE-2018-17447 
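Review bot: the eight entries in this hunk receive an identical block (package line and announcement NOTE) although the bracketed descriptions range from persistent XSS to credential exposure (CVE-2018-17453 logging token disclosure, CVE-2018-17450 SSRF GCP access token disclosure, CVE-2018-17452 url_blocker.rb validate_localhost bypass); none carries a severity marker yet, so a triage pass assigning severities per issue rather than per announcement would help prioritisation. As with the previous hunk, no fixed gitlab version is recorded, and the announcement URL alone does not tell the tracker which Debian versions are fixed.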
@@ -5650,8 +5668,10 @@ CVE-2018-15475 RESERVED CVE-2018-15474 (** DISPUTED ** CSV Injection (aka Excel Macro Injection or Formula ...) TODO: check -CVE-2018-15472 +CVE-2018-15472 [Diff formatter DoS in Sidekiq jobs] RESERVED + - gitlab + NOTE: https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/ CVE-2018-15467 RESERVED CVE-2018-15466 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cdb50af927384d75fef60244c5a6c732e2809f52 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cdb50af927384d75fef60244c5a6c732e2809f52 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
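Review bot: CVE-2018-15472 is tracked in a different region of the file from the CVE-2018-174xx block but gets the same package line and NOTE, which is correct since the same announcement covers it; the context line shows CVE-2018-15474 still marked "TODO: check", which is unrelated and correctly left untouched. Since the description identifies this as a DoS in background Sidekiq jobs, consider recording a severity the way the exiv2 entry above does ("(low; bug #...)") once a Debian bug is filed, so that the entry is distinguishable from the XSS and disclosure issues added in the same commit.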