[Git][security-tracker-team/security-tracker][master] Update status for CVE-2019-14288 and CVE-2019-14289
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ab31c37 by Salvatore Bonaccorso at 2019-09-26T05:25:30Z Update status for CVE-2019-14288 and CVE-2019-14289 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -7894,17 +7894,15 @@ CVE-2019-14290 (An issue was discovered in Xpdf 4.01.01. There is an out of boun - xpdf (xpdf in Debian uses poppler, which is fixed) NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/44cd46a6e04a87bd702dab4a662042f69f16c4ad CVE-2019-14289 (An issue was discovered in Xpdf 4.01.01. There is an integer overflow ...) - - poppler 0.57.0-2 - [stretch] - poppler 0.48.0-2+deb9u1 - [jessie] - poppler 0.26.5-2+deb8u4 + - xpdf (xpdf in Debian uses poppler, which is fixed) NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/55db66c69fd56826b8523710046deab1a8d14ba2 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/22c4701d5f7be0010ee4519daa546fba5ab7ac13 + NOTE: Issue correspond to CVE-2017-9776 for src:poppler CVE-2019-14288 (An issue was discovered in Xpdf 4.01.01. There is an Integer overflow ...) - - poppler 0.57.0-2 - [stretch] - poppler 0.48.0-2+deb9u1 - [jessie] - poppler 0.26.5-2+deb8u4 + - xpdf (xpdf in Debian uses poppler, which is fixed) NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/55db66c69fd56826b8523710046deab1a8d14ba2 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/22c4701d5f7be0010ee4519daa546fba5ab7ac13 + NOTE: Issue correspond to CVE-2017-9776 for src:poppler CVE-2019-14287 RESERVED CVE-2019-14286 (In app/webroot/js/event-graph.js in MISP 2.4.111, a stored XSS vulnera ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7ab31c37ec6b45d81004659171aa24d34a6ba829 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7ab31c37ec6b45d81004659171aa24d34a6ba829 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
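Review bot: the NOTE line added under both CVE-2019-14289 and CVE-2019-14288 has a grammar slip; "NOTE: Issue correspond to CVE-2017-9776 for src:poppler" should read "NOTE: Issue corresponds to CVE-2017-9776 for src:poppler". Because the hunk drops the poppler version lines (0.57.0-2, stretch 0.48.0-2+deb9u1, jessie 0.26.5-2+deb8u4) from these two entries, that cross-reference is now the only pointer to where the fix is tracked, so it is worth keeping it in both entries with the wording corrected.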
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-10747/node-set-value
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 20331c7b by Salvatore Bonaccorso at 2019-09-26T05:15:41Z Add Debian bug reference for CVE-2019-10747/node-set-value - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18210,7 +18210,7 @@ CVE-2019-10749 CVE-2019-10748 RESERVED CVE-2019-10747 (set-value is vulnerable to Prototype Pollution in versions lower than ...) - - node-set-value + - node-set-value (bug #941189) [stretch] - node-mixin-deep (Nodejs in stretch not covered by security support) NOTE: https://snyk.io/vuln/SNYK-JS-SETVALUE-450213 CVE-2019-10746 (mixin-deep is vulnerable to Prototype Pollution in versions before 1.3 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/20331c7bd0065591268271a1a6bf66c21320de10 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/20331c7bd0065591268271a1a6bf66c21320de10 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
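Review bot: in the hunk for CVE-2019-10747 the [stretch] line reads "- node-mixin-deep (Nodejs in stretch not covered by security support)" although the entry is for node-set-value; this looks like a leftover from the neighbouring CVE-2019-10746 (mixin-deep) entry and should probably name node-set-value, or be dropped if node-set-value is not in stretch. The added bug reference itself, "node-set-value (bug #941189)", is fine.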
[Git][security-tracker-team/security-tracker][master] Add Debian bug report reference for CVE-2019-15052/gradle
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 903c6ce6 by Salvatore Bonaccorso at 2019-09-26T05:08:11Z Add Debian bug report reference for CVE-2019-15052/gradle - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5139,7 +5139,7 @@ CVE-2019-15054 CVE-2019-15053 (The "HTML Include and replace macro" plugin before 1.5.0 for Confluenc ...) NOT-FOR-US: "HTML Include and replace macro" plugin for Confluence Server CVE-2019-15052 (The HTTP client in Gradle before 5.6 sends authentication credentials ...) - - gradle (low) + - gradle (low; bug #941187) NOTE: https://github.com/gradle/gradle/issues/10278 NOTE: https://github.com/gradle/gradle/pull/10176 NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-4cwg-f7qc-6r95 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/903c6ce68af9de75f856fc650fe3faaf7c1f27a1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/903c6ce68af9de75f856fc650fe3faaf7c1f27a1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-16370/gradle
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 637484ae by Salvatore Bonaccorso at 2019-09-26T05:04:12Z Add Debian bug reference for CVE-2019-16370/gradle - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1306,7 +1306,7 @@ CVE-2019-16372 CVE-2019-16371 (LogMeIn LastPass before 4.33.0 allows attackers to construct a crafted ...) NOT-FOR-US: LogMeIn LastPass CVE-2019-16370 (The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algori ...) - - gradle (low) + - gradle (low; bug #941186) NOTE: https://github.com/gradle/gradle/commit/425b2b7a50cd84106a77cdf1ab665c89c6b14d2f CVE-2019-16369 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/637484ae524917268ab8ea230c1b5c3f3a362e92 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/637484ae524917268ab8ea230c1b5c3f3a362e92 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-16707/hunspell
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cf7860de by Salvatore Bonaccorso at 2019-09-26T04:46:38Z Add Debian bug reference for CVE-2019-16707/hunspell - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -452,7 +452,7 @@ CVE-2019-16708 (ImageMagick 7.0.8-35 has a memory leak in magick/xwindow.c, rela - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1531 CVE-2019-16707 (Hunspell 1.7.0 has an invalid read operation in SuggestMgr::leftcommon ...) - - hunspell (unimportant) + - hunspell (unimportant; bug #941185) NOTE: Negligible security impact NOTE: https://github.com/butterflyhack/hunspell-crash CVE-2019-16706 (kkcms v1.3 has a CSRF vulnerablity that can add an user account via ad ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cf7860defceee2fea2fa9b3aa40e332f32f701c4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cf7860defceee2fea2fa9b3aa40e332f32f701c4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add file-roller to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fbc021bf by Salvatore Bonaccorso at 2019-09-26T04:25:13Z Add file-roller to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -28,6 +28,8 @@ e2fsprogs (carnil) -- evince/oldstable -- +file-roller (carnil) +-- freeimage -- glusterfs/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fbc021bf7e32fe209f50b92fec96f903670c17e7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fbc021bf7e32fe209f50b92fec96f903670c17e7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Take e2fsprogs as prepared by maintainer for DSA
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 07dac3e3 by Salvatore Bonaccorso at 2019-09-26T04:19:59Z Take e2fsprogs as prepared by maintainer for DSA - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -23,7 +23,7 @@ chromium -- curl (ghedo) -- -e2fsprogs +e2fsprogs (carnil) https://lists.debian.org/debian-security/2019/09/msg7.html -- evince/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/07dac3e398a980c2a5587e74148d8952511fb4ae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/07dac3e398a980c2a5587e74148d8952511fb4ae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: Add Debian bug reference for CVE-2019-5094/e2fsprogs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 19b9b34e by Salvatore Bonaccorso at 2019-09-25T15:52:14Z Add Debian bug reference for CVE-2019-5094/e2fsprogs - - - - - 25104d8d by Salvatore Bonaccorso at 2019-09-25T15:54:08Z CVE-2016-10937/imapfilter fixed in unstable - - - - - b890bc22 by Salvatore Bonaccorso at 2019-09-26T03:46:42Z Merge remote-tracking branch origin/master - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33822,7 +33822,7 @@ CVE-2019-5096 CVE-2019-5095 RESERVED CVE-2019-5094 (An exploitable code execution vulnerability exists in the quota file f ...) - - e2fsprogs 1.45.4-1 + - e2fsprogs 1.45.4-1 (bug #941139) NOTE: https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?h=maint=8dbe7b475ec5e91ed767239f0e85880f416fc384 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887 CVE-2019-5093 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/86ef5b9c4aeca36bd44a5ef25d441bbb7d44f2bf...b890bc22c68c5c01854c2a953538f786cdf386d0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/86ef5b9c4aeca36bd44a5ef25d441bbb7d44f2bf...b890bc22c68c5c01854c2a953538f786cdf386d0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
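Review bot: the notification lists three commits, including 25104d8d "CVE-2016-10937/imapfilter fixed in unstable", but the compare diff contains only the CVE-2019-5094 hunk (e2fsprogs 1.45.4-1 gaining "bug #941139"); the imapfilter change is not visible here, presumably because the merge b890bc22 resolved it against de04efb2, which already records imapfilter 1:2.6.13-1 as fixed. Nothing to change in the hunk, but the commit list and the diff do not match one to one, which is worth knowing when reading the history.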
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1933-1 for ruby-nokogiri
Brian May pushed to branch master at Debian Security Tracker / security-tracker Commits: 86ef5b9c by Brian May at 2019-09-26T00:54:43Z Reserve DLA-1933-1 for ruby-nokogiri - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[26 Sep 2019] DLA-1933-1 ruby-nokogiri - security update + {CVE-2019-5477} + [jessie] - ruby-nokogiri 1.6.3.1+ds-1+deb8u1 [25 Sep 2019] DLA-1932-1 openssl - security update {CVE-2019-1547 CVE-2019-1563} [jessie] - openssl 1.0.1t-1+deb8u12 = data/dla-needed.txt = @@ -121,9 +121,6 @@ radare2 ruby-mini-magick NOTE: 20190818: backporting patch -- -ruby-nokogiri (Brian May) - NOTE: 20190830: https://lists.debian.org/debian-lts/2019/08/msg00076.html (sunweaver) --- ruby-openid NOTE: 20190628: In discussion with upstream/rubygems maintainer regarding what the issue actually *is*. (lamby) NOTE: 20190701: Pinged bug (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/86ef5b9c4aeca36bd44a5ef25d441bbb7d44f2bf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/86ef5b9c4aeca36bd44a5ef25d441bbb7d44f2bf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] imapfilter fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: de04efb2 by Moritz Muehlenhoff at 2019-09-25T21:51:42Z imapfilter fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2134,7 +2134,7 @@ CVE-2019-16098 (The driver in Micro-Star MSI Afterburner 4.6.2.15658 (aka RTCore CVE-2019-16097 (core/api/user.go in Harbor 1.7.0 through 1.8.2 allows non-admin users ...) NOT-FOR-US: Harbor CVE-2016-10937 (IMAPFilter through 2.6.12 does not validate the hostname in an SSL cer ...) - - imapfilter (bug #939702) + - imapfilter 1:2.6.13-1 (bug #939702) [buster] - imapfilter (Minor issue) [stretch] - imapfilter (Minor issue) NOTE: https://github.com/lefcha/imapfilter/issues/142 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/de04efb278707814d9d58cf4c31177a631302635 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/de04efb278707814d9d58cf4c31177a631302635 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new mongodb issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 23febc50 by Moritz Muehlenhoff at 2019-09-25T21:45:20Z new mongodb issue NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31558,13 +31558,13 @@ CVE-2019-6012 CVE-2019-6011 RESERVED CVE-2019-6010 (Integer overflow vulnerability in LINE(Android) from 4.4.0 to the vers ...) - TODO: check + NOT-FOR-US: LINE(Android) CVE-2019-6009 (Open redirect vulnerability in SHIRASAGI v1.7.0 and earlier allows rem ...) NOT-FOR-US: SHIRASAGI CVE-2019-6008 RESERVED CVE-2019-6007 (Integer overflow vulnerability in apng-drawable 1.0.0 to 1.6.0 allows ...) - TODO: check + NOT-FOR-US: apng-drawable CVE-2019-6006 RESERVED CVE-2019-6005 (Smart TV Box firmware version prior to 1300 allows remote attackers to ...) @@ -32951,11 +32951,11 @@ CVE-2019-5487 CVE-2019-5486 RESERVED CVE-2019-5485 (NPM package gitlabhook version 0.0.17 is vulnerable to a Command Injec ...) - TODO: check + NOT-FOR-US: node gitlabhook CVE-2019-5484 (Bower before 1.8.8 has a path traversal vulnerability permitting file ...) - TODO: check + NOT-FOR-US: Bower CVE-2019-5483 (Seneca 3.9.0 contains a vulnerability that could lead to exposing ...) - TODO: check + NOT-FOR-US: Seneca CVE-2019-5482 (Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7. ...) {DLA-1917-1} - curl 7.66.0-1 (bug #940010) 
@@ -32969,9 +32969,9 @@ CVE-2019-5481 (Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 NOTE: Introduced by: https://github.com/curl/curl/commit/0649433da53c7165f839e24e889e131e2894dd32 (curl-7_52_0) NOTE: Fixed by: https://github.com/curl/curl/commit/9069838b30fb3b48af0123e39f664cea683254a5 (curl-7_66_0) CVE-2019-5480 (A path traversal vulnerability in = v0.9.7 of statichttpserver npm ...) - TODO: check + NOT-FOR-US: Node statichttpserver CVE-2019-5479 (An unintended require vulnerability in v0.5.5 larvitbase-api may a ...) - TODO: check + NOT-FOR-US: Node larvitbase-api CVE-2019-5478 (A weakness was found in Encrypt Only boot mode in Zynq UltraScale+ dev ...) NOT-FOR-US: Encrypt Only boot mode in Zynq UltraScale+ devices CVE-2019-5477 (A command injection vulnerability in Nokogiri v1.10.3 and earlier allo ...) @@ -33981,7 +33981,7 @@ CVE-2019-5044 CVE-2019-5043 RESERVED CVE-2019-5042 (An exploitable Use-After-Free vulnerability exists in the way Function ...) - TODO: check + NOT-FOR-US: Aspose CVE-2019-5041 (An exploitable Stack Based Buffer Overflow vulnerability exists in the ...) NOT-FOR-US: Aspose CVE-2019-5040 (An exploitable information disclosure vulnerability exists in the Weav ...) 
@@ -36864,21 +36864,21 @@ CVE-2019-3765 CVE-2019-3764 RESERVED CVE-2019-3763 (The RSA Identity Governance and Lifecycle software and RSA Via Lifecyc ...) - TODO: check + NOT-FOR-US: RSA CVE-2019-3762 RESERVED CVE-2019-3761 (The RSA Identity Governance and Lifecycle software and RSA Via Lifecyc ...) - TODO: check + NOT-FOR-US: RSA CVE-2019-3760 (The RSA Identity Governance and Lifecycle software and RSA Via Lifecyc ...) - TODO: check + NOT-FOR-US: RSA CVE-2019-3759 (The RSA Identity Governance and Lifecycle software and RSA Via Lifecyc ...) - TODO: check + NOT-FOR-US: RSA CVE-2019-3758 (RSA Archer, versions prior to 6.6 P2 (6.6.0.2), contain an improper au ...) - TODO: check + NOT-FOR-US: RSA CVE-2019-3757 RESERVED CVE-2019-3756 (RSA Archer, versions prior to 6.6 P3 (6.6.0.3), contain an information ...) - TODO: check + NOT-FOR-US: RSA CVE-2019-3755 RESERVED CVE-2019-3754 (Dell EMC Unity Operating Environment versions prior to 5.0.0.0.5.116, ...) @@ -37697,7 +37697,7 @@ CVE-2019-3418 (All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impa CVE-2019-3417 (All versions up to V1.1.10P3T18 of ZTE ZXHN F670 product are impacted ...) NOT-FOR-US: ZTE CVE-2019-3416 (All versions up to V81511329.1008 of ZTE ZXV10 B860A products are impa ...) - TODO: check + NOT-FOR-US: ZTE CVE-2019-3415 (ZTE MW NR8000V2.4.4.03 and NR8000V2.4.4.04 are impacted by path traver ...) NOT-FOR-US: ZTE CVE-2019-3414 (All versions up to V1.19.20.02 of ZTE OTCP product are impacted by XSS ...) @@ -38634,7 +38634,7 @@ CVE-2018-20337 (There is a stack-based buffer overflow in the parse_makernote fu [jessie] - libraw (Vulnerable code not present) NOTE: https://github.com/LibRaw/LibRaw/issues/192 CVE-2018-20336 (An issue was discovered in ASUSWRT 3.0.0.4.384.20308. There is a stack ...) - TODO: check + NOT-FOR-US: ASUSWRT CVE-2018-20335 RESERVED
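Review bot: the NOT-FOR-US labels for the npm packages in this patch use inconsistent capitalisation: CVE-2019-5485 gets "NOT-FOR-US: node gitlabhook" while CVE-2019-5480 and CVE-2019-5479 get "NOT-FOR-US: Node statichttpserver" and "NOT-FOR-US: Node larvitbase-api". Picking one form makes grepping data/CVE/list for Node.js items reliable.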
[Git][security-tracker-team/security-tracker][master] new node-set-value issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d6e2b85 by Moritz Muehlenhoff at 2019-09-25T21:34:21Z new node-set-value issue new libav issues NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16252,11 +16252,11 @@ CVE-2019-11498 (WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in Wav NOTE: https://github.com/dbry/WavPack/issues/67 NOTE: https://github.com/dbry/WavPack/commit/bc6cba3f552c44565f7f1e66dc1580189addb2b4 CVE-2019-11497 (An issue was discovered in Couchbase Server 5.0.0. When creating a new ...) - TODO: check + NOT-FOR-US: Couchbase CVE-2019-11496 (An issue was discovered in Couchbase Server 5.0.0. Editing bucket sett ...) - TODO: check + NOT-FOR-US: Couchbase CVE-2019-11495 (Couchbase Server 5.1.1 generates insufficiently random numbers. The pr ...) - TODO: check + NOT-FOR-US: Couchbase CVE-2019-11494 (In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submission-lo ...) - dovecot 1:2.3.4.1-5 (bug #928235) [stretch] - dovecot (Vulnerable code not present, introduced in 2.3) @@ -16310,7 +16310,7 @@ CVE-2019-11477 (Jonathan Looney discovered that the TCP_SKB_CB(skb)-tcp_gso_ {DSA-4465-1 DLA-1824-1 DLA-1823-1} - linux 4.19.37-4 CVE-2019-11476 (An integer overflow in whoopsie before versions 0.2.52.5ubuntu0.1, 0.2 ...) - TODO: check + NOT-FOR-US: whoopsie CVE-2019-11475 RESERVED CVE-2019-11474 (coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause a deni ...) 
@@ -16412,7 +16412,7 @@ CVE-2019-11458 (An issue was discovered in SmtpTransport in CakePHP 3.7.6. An un NOTE: https://github.com/cakephp/cakephp/commit/1a74e798309192a9895c9cedabd714ceee345f4e NOTE: https://github.com/cakephp/cakephp/pull/13153 CVE-2019-11457 (Multiple CSRF issues exist in MicroPyramid Django CRM 0.2.1 via /chang ...) - TODO: check + NOT-FOR-US: MicroPyramid Django CRM CVE-2019-11456 (Gila CMS 1.10.1 allows fm/save CSRF for executing arbitrary PHP code. ...) NOT-FOR-US: Gila CMS CVE-2019-11455 (A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit bef ...) @@ -16628,9 +16628,9 @@ CVE-2019-11368 (Stored XSS was discovered in AUO Solar Data Recorder before 1.3. CVE-2019-11367 (An issue was discovered in AUO Solar Data Recorder before 1.3.0. The w ...) NOT-FOR-US: AUO Solar Data Recorder CVE-2019-11364 (An OS Command Injection vulnerability in Snare Central before 7.4.5 al ...) - TODO: check + NOT-FOR-US: Snare Central CVE-2019-11363 (A SQL injection vulnerability in Snare Central before 7.4.5 allows rem ...) - TODO: check + NOT-FOR-US: Snare Central CVE-2019-11362 (app/controllers/frontend/PostController.php in ROCBOSS V2.2.1 has SQL ...) NOT-FOR-US: ROCBOSS CVE-2019-11361 @@ -16735,9 +16735,9 @@ CVE-2019-11328 (An issue was discovered in Singularity 3.1.0 to 3.2.0-rc2, a mal - singularity-container (No released Debian version contains the issue, cf bug #929042) NOTE: https://www.openwall.com/lists/oss-security/2019/05/16/1 CVE-2019-11327 (An issue was discovered on Topcon Positioning Net-G5 GNSS Receiver dev ...) - TODO: check + NOT-FOR-US: Topcon Positioning Net-G5 GNSS Receiver CVE-2019-11326 (An issue was discovered on Topcon Positioning Net-G5 GNSS Receiver dev ...) - TODO: check + NOT-FOR-US: Topcon Positioning Net-G5 GNSS Receiver CVE-2019-11325 RESERVED CVE-2019-11323 (HAProxy before 1.9.7 mishandles a reload with rotated keys, which trig ...) 
@@ -16834,15 +16834,15 @@ CVE-2019-11282 CVE-2019-11281 RESERVED CVE-2019-11280 (Pivotal Apps Manager, included in Pivotal Application Service versions ...) - TODO: check + NOT-FOR-US: Pivotal CVE-2019-11279 RESERVED CVE-2019-11278 RESERVED CVE-2019-11277 (Cloud Foundry NFS Volume Service, 1.7.x versions prior to 1.7.11 and 2 ...) - TODO: check + NOT-FOR-US: Cloud Foundry CVE-2019-11276 (Pivotal Apps Manager, included in Pivotal Application Service versions ...) - TODO: check + NOT-FOR-US: Pivotal CVE-2019-11275 RESERVED CVE-2019-11274 (Cloud Foundry UAA, versions prior to 74.0.0, is vulnerable to an XSS a ...) @@ -17021,11 +17021,11 @@ CVE-2019-11213 (In Pulse Secure Pulse Desktop Client and Network Connect, an att CVE-2019-11212 RESERVED CVE-2019-11211 (The server component of TIBCO Software Inc.'s TIBCO Enterprise Runtime ...) - TODO: check + NOT-FOR-US: TIBCO CVE-2019-11210 (The server component of TIBCO Software Inc.'s TIBCO Enterprise Runtime ...) - TODO: check + NOT-FOR-US: TIBCO CVE-2019-11209 (The realm configuration component of TIBCO Software Inc.'s TIBCO FTL C ...) - TODO:
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 35a2cea6 by Moritz Muehlenhoff at 2019-09-25T21:09:59Z NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -19008,65 +19008,65 @@ CVE-2019-10432 CVE-2019-10431 RESERVED CVE-2019-10430 (Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10429 (Jenkins GitLab Logo Plugin stores credentials unencrypted in its globa ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10428 (Jenkins Aqua Security Scanner Plugin 3.0.17 and earlier transmitted co ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10427 (Jenkins Aqua MicroScanner Plugin 1.0.7 and earlier transmitted configu ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10426 (Jenkins Gem Publisher Plugin stores credentials unencrypted in its glo ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10425 (Jenkins Google Calendar Plugin stores credentials unencrypted in job c ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10424 (Jenkins elOyente Plugin stores credentials unencrypted in its global c ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10423 (Jenkins CodeScan Plugin stores credentials unencrypted in its global c ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10422 (Jenkins Call Remote Job Plugin stores credentials unencrypted in job c ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10421 (Jenkins Azure Event Grid Build Notifier Plugin stores credentials unen ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10420 (Jenkins Assembla Plugin stores credentials unencrypted in its global c ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10419 (Jenkins vFabric Application Director Plugin stores credentials unencry ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10418 (Jenkins Kubernetes :: Pipeline :: Arquillian Steps Plugin provides a c ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10417 (Jenkins Kubernetes :: Pipeline :: Kubernetes Steps Plugin provides a c ...) 
- TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10416 (Jenkins Violation Comments to GitLab Plugin 2.28 and earlier stored cr ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10415 (Jenkins Violation Comments to GitLab Plugin 2.28 and earlier stored cr ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10414 (Jenkins Git Changelog Plugin 2.17 and earlier stored credentials unenc ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10413 (Jenkins Data Theorem: CI/CD Plugin 1.3 and earlier stored credentials ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10412 (Jenkins Inedo ProGet Plugin 1.2 and earlier transmitted configured cre ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10411 (Jenkins Inedo BuildMaster Plugin 2.4.0 and earlier transmitted configu ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10410 (Jenkins Log Parser Plugin 2.0 and earlier did not escape an error mess ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10409 (A missing permission check in Jenkins Project Inheritance Plugin 2.0.0 ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10408 (A cross-site request forgery vulnerability in Jenkins Project Inherita ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10407 (Jenkins Project Inheritance Plugin 2.0.0 and earlier displayed a list ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2019-10406 (Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or ...) - TODO: check + NOT-FOR-US: Jenkins CVE-2019-10405 (Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value o ...) - TODO: check + NOT-FOR-US: Jenkins CVE-2019-10404 (Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the ...) - TODO: check + NOT-FOR-US: Jenkins CVE-2019-10403 (Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the ...) - TODO: check + NOT-FOR-US: Jenkins CVE-2019-10402 (In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox ...) 
- TODO: check + NOT-FOR-US: Jenkins CVE-2019-10401 (In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandabl ...) - TODO: check + NOT-FOR-US: Jenkins CVE-2019-10400 (A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 ...) NOT-FOR-US: Jenkins plugin CVE-2019-10399 (A sandbox bypass vulnerability in
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5a583797 by Moritz Muehlenhoff at 2019-09-25T21:00:56Z NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10701,9 +10701,9 @@ CVE-2019-13530 (Philips IntelliVue WLAN, portable patient monitors, WLAN Version CVE-2019-13529 RESERVED CVE-2019-13528 (A specific utility may allow an attacker to gain read access to privil ...) - TODO: check + NOT-FOR-US: Niagara CVE-2019-13527 (In Rockwell Automation Arena Simulation Software Cat. 9502-Ax, Version ...) - TODO: check + NOT-FOR-US: Rockwell CVE-2019-13526 (Datalogic AV7000 Linear barcode scanner all versions prior to 4.6.0.0 ...) NOT-FOR-US: Datalogic AV7000 Linear barcode scanner CVE-2019-13525 @@ -10830,7 +10830,7 @@ CVE-2019-13476 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.837, XSS CVE-2019-13475 (In MobaXterm 11.1, the mobaxterm: URI handler has an argument injectio ...) NOT-FOR-US: MobaXterm CVE-2019-13474 (TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110 ...) - TODO: check + NOT-FOR-US: TELESTAR CVE-2019-13473 (TELESTAR Bobs Rock Radio, Dabman D10, Dabman i30 Stereo, Imperial i110 ...) NOT-FOR-US: TELESTAR CVE-2019-13472 (PHPWind 9.1.0 has XSS vulnerabilities in the c and m parameters of the ...) @@ -10881,7 +10881,6 @@ CVE-2019-13456 NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/a99746c93b8b3ae3be367af0e46f0d6a9626f566 (master) NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/85497b5ff37ccb656895b826b88585898c209586 (3.0.x) NOTE: Issue seems to be treated as different issue than CVE-2019-11234 and CVE-2019-11235 - TODO: double check assessment and classification CVE-2019-13455 (In Xymon through 4.3.28, a stack-based buffer overflow vulnerability e ...) {DLA-1898-1} - xymon 4.3.29-1 
@@ -7,11 +6,11 @@ CVE-2019-13359 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.836, a c CVE-2019-13358 (lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows ...) NOT-FOR-US: OpenCats CVE-2019-13357 (In Total Defense Anti-virus 9.0.0.773, resource acquisition from the u ...) - TODO: check + NOT-FOR-US: Total Defense Anti-virus CVE-2019-13356 (In Total Defense Anti-virus 9.0.0.773, insecure access control for the ...) - TODO: check + NOT-FOR-US: Total Defense Anti-virus CVE-2019-13355 (In Total Defense Anti-virus 9.0.0.773, insecure access control for the ...) - TODO: check + NOT-FOR-US: Total Defense Anti-virus CVE-2019-13354 (The strong_password gem 0.0.7 for Ruby, as distributed on RubyGems.org ...) NOT-FOR-US: strong_password gem CVE-2019-13353 @@ -11587,7 +11586,7 @@ CVE-2019-13193 CVE-2019-13192 RESERVED CVE-2019-13191 (A SQL injection vulnerability in IntraMaps MapControl 8 allows attacke ...) - TODO: check + NOT-FOR-US: IntraMaps MapControl CVE-2019-13190 (In Knowage through 6.1.1, the sign up page does not invalidate a valid ...) NOT-FOR-US: Knowage CVE-2019-13189 (In Knowage through 6.1.1, there is XSS via the start_url or user_id fi ...) @@ -11595,7 +11594,7 @@ CVE-2019-13189 (In Knowage through 6.1.1, there is XSS via the start_url or user CVE-2019-13188 (In Knowage through 6.1.1, an unauthenticated user can bypass access co ...) NOT-FOR-US: Knowage CVE-2019-13187 (The Rich Text Formatter (Redactor) extension through v1.1.1 for Sympho ...) - TODO: check + NOT-FOR-US: Symphony CMS addon CVE-2019-13186 (In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php via t ...) NOT-FOR-US: MiniCMS CVE-2019-13185 
@@ -11720,7 +11719,7 @@ CVE-2019-13142 (The RzSurroundVADStreamingService (RzSurroundVADStreamingService CVE-2019-13141 RESERVED CVE-2019-13140 (Inteno EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 routers have a JUCI ...) - TODO: check + NOT-FOR-US: Inteno CVE-2019-13139 (In Docker before 18.09.4, an attacker who is capable of supplying or m ...) {DSA-4521-1} [experimental] - docker.io 18.09.5+dfsg1-1 @@ -11973,7 +11972,7 @@ CVE-2019-13065 CVE-2019-13064 RESERVED CVE-2019-13063 (Within Sahi Pro 8.0.0, an attacker can send a specially crafted URL to ...) - TODO: check + NOT-FOR-US: Sahi Pro CVE-2019-13062 RESERVED CVE-2019-13061 @@ -13131,7 +13130,7 @@ CVE-2019-12622 (A vulnerability in Cisco RoomOS Software could allow an authenti CVE-2019-12621 (A vulnerability in Cisco HyperFlex Software could allow an unauthentic ...) NOT-FOR-US: Cisco CVE-2019-12620 (A vulnerability in the statistics collection service of Cisco HyperFle ...) - TODO: check + NOT-FOR-US: Cisco CVE-2019-12619
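Review bot: the `@@ -10881,7 +10881,6 @@` hunk removes "TODO: double check assessment and classification" from CVE-2019-13456 without recording the outcome, and the remaining NOTE still hedges ("Issue seems to be treated as different issue than CVE-2019-11234 and CVE-2019-11235"). If the check was done, a short NOTE stating the conclusion (distinct issue, or duplicate of one of those CVEs) would keep the entry self-explanatory; if it was not, the TODO should stay.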
[Git][security-tracker-team/security-tracker][master] new runc issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a7496e0b by Moritz Muehlenhoff at 2019-09-25T20:54:29Z new runc issue new gradle issues NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7,7 +7,8 @@ CVE-2019-16886 CVE-2019-16885 RESERVED CVE-2019-16884 (runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other ...) - TODO: check + - runc + NOTE: https://github.com/opencontainers/runc/issues/2128 CVE-2019-16883 RESERVED CVE-2019-16882 (An issue was discovered in the string-interner crate before 0.7.1 for ...) @@ -1305,7 +1306,8 @@ CVE-2019-16372 CVE-2019-16371 (LogMeIn LastPass before 4.33.0 allows attackers to construct a crafted ...) NOT-FOR-US: LogMeIn LastPass CVE-2019-16370 (The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algori ...) - TODO: check + - gradle (low) + NOTE: https://github.com/gradle/gradle/commit/425b2b7a50cd84106a77cdf1ab665c89c6b14d2f CVE-2019-16369 RESERVED CVE-2019-16368 @@ -4803,7 +4805,7 @@ CVE-2019-15140 (coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers CVE-2019-15139 (The XWD image (X Window System window dumping file) parsing component ...) TODO: check CVE-2019-15138 (The html-pdf package 2.2.0 for Node.js has an arbitrary file read vuln ...) - TODO: check + NOT-FOR-US: node html-pdf CVE-2019-15137 (The Access Control plugin in eProsima Fast RTPS through 1.9.0 allows f ...) NOT-FOR-US: eProsima Fast RTPS CVE-2019-15136 (The Access Control plugin in eProsima Fast RTPS through 1.9.0 does not ...) 
@@ -5137,7 +5139,10 @@ CVE-2019-15054 CVE-2019-15053 (The "HTML Include and replace macro" plugin before 1.5.0 for Confluenc ...) NOT-FOR-US: "HTML Include and replace macro" plugin for Confluence Server CVE-2019-15052 (The HTTP client in Gradle before 5.6 sends authentication credentials ...) - TODO: check + - gradle (low) + NOTE: https://github.com/gradle/gradle/issues/10278 + NOTE: https://github.com/gradle/gradle/pull/10176 + NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-4cwg-f7qc-6r95 CVE-2019-15051 RESERVED CVE-2019-15050 (An issue was discovered in Bento4 1.5.1.0. There is a heap-based buffe ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a7496e0b55d58e1ddeca888d66ec4942e667ae18
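Review bot: The new CVE-2019-16884 entry in the first hunk ("- runc" plus the upstream issue link) records neither a fixed version nor a severity, and the description says the flaw is in runc "as used in Docker through 19.03.2-ce"; since src:docker.io is tracked separately in this file (see the CVE-2019-13139 entry), the entry should state whether docker.io in Debian uses src:runc or carries its own copy, and gain a "- docker.io" line if it does, so the issue is not closed for Debian when only runc is fixed.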
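Review bot: In the CVE-2019-15140 hunk only CVE-2019-15138 is triaged while the adjacent CVE-2019-15139 ("The XWD image (X Window System window dumping file) parsing component ...") is left at "TODO: check"; the hunk header's neighbour CVE-2019-15140 is an ImageMagick coders/ issue and imagemagick is a tracked source package elsewhere in this file, so CVE-2019-15139 should be checked against src:imagemagick in the same pass rather than left behind.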
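Review bot: The CVE-2019-15052 entry in the last hunk ("- gradle (low)") gives three upstream references but no fixed version, although the description pins the affected range as "Gradle before 5.6"; record the upstream fixed version in a NOTE (or the Debian version once the fix is uploaded) so that "(low)" is not the only thing distinguishing this from an open issue with no known fix. The same applies to the CVE-2019-16370 entry in the earlier hunk, which only links the fixing commit.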
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 14c6455c by Moritz Muehlenhoff at 2019-09-25T20:49:01Z NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2019-16888 RESERVED CVE-2019-16887 (In IrfanView 4.53, Data from a Faulting Address controls a subsequent ...) - TODO: check + NOT-FOR-US: IrfanView CVE-2019-16886 RESERVED CVE-2019-16885 @@ -11,11 +11,11 @@ CVE-2019-16884 (runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and CVE-2019-16883 RESERVED CVE-2019-16882 (An issue was discovered in the string-interner crate before 0.7.1 for ...) - TODO: check + NOT-FOR-US: Rust string-interner crate CVE-2019-16881 (An issue was discovered in the portaudio-rs crate through 0.3.1 for Ru ...) - TODO: check + NOT-FOR-US: Rustportaudio-rs crate CVE-2019-16880 (An issue was discovered in the linea crate through 0.9.4 for Rust. The ...) - TODO: check + NOT-FOR-US: Rust linea crate CVE-2019-16879 RESERVED CVE-2019-16878 @@ -39,9 +39,9 @@ CVE-2019-16870 CVE-2019-16869 RESERVED CVE-2019-16868 (emlog through 6.0.0beta has an arbitrary file deletion vulnerability v ...) - TODO: check + NOT-FOR-US: emlog CVE-2019-16867 (HongCMS 3.0.0 allows arbitrary file deletion via a ../ in the file par ...) - TODO: check + NOT-FOR-US: HongCMS CVE-2019-16866 RESERVED CVE-2015-9449 @@ -125,7 +125,7 @@ CVE-2015-9411 CVE-2015-9410 RESERVED CVE-2015-9409 (The alo-easymail plugin before 2.6.01 for WordPress has CSRF with resu ...) - TODO: check + NOT-FOR-US: Wordpress plugin CVE-2019-16865 RESERVED CVE-2019-16864 @@ -475,7 +475,7 @@ CVE-2019-16703 (admin/infolist_add.php in PHPMyWind 5.6 has stored XSS. ...) CVE-2019-16702 (Integard Pro 2.2.0.9026 allows remote attackers to execute arbitrary c ...) NOT-FOR-US: Integard Pro CVE-2019-16701 (pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection vi ...) - TODO: check + NOT-FOR-US: pfSense CVE-2019-16700 RESERVED CVE-2019-16699 
@@ -1271,7 +1271,7 @@ CVE-2016-10975 (The fluid-responsive-slideshow plugin before 2.2.7 for WordPress CVE-2016-10974 (The fluid-responsive-slideshow plugin before 2.2.7 for WordPress has f ...) NOT-FOR-US: fluid-responsive-slideshow plugin for WordPress CVE-2019-16377 (The makandra consul gem through 1.0.2 for Ruby has Incorrect Access Co ...) - TODO: check + NOT-FOR-US: makandra consul gem CVE-2019-16376 RESERVED CVE-2019-16375 @@ -1862,7 +1862,7 @@ CVE-2019-16196 CVE-2019-16195 RESERVED CVE-2019-16194 (SQL injection vulnerabilities in Centreon through 19.04 allow attacks ...) - TODO: check + NOT-FOR-US: Centreon web UI (not packaged in Debian) CVE-2019-16193 (In ArcGIS Enterprise 10.6.1, a crafted IFRAME element can be used to t ...) NOT-FOR-US: ArcGIS Enterprise CVE-2019-16192 (upload_model() in /admini/controllers/system/managemodel.php in DocCms ...) @@ -1874,7 +1874,7 @@ CVE-2019-16190 (SharePort Web Access on D-Link DIR-868L REVB through 2.03, DIR-8 CVE-2019-16189 RESERVED CVE-2019-16188 (HCL AppScan Source before 9.03.13 is susceptible to XML External Entit ...) - TODO: check + NOT-FOR-US: HCL AppScan Source CVE-2017-18611 (The magic-fields plugin before 1.7.2 for WordPress has XSS via the RCC ...) NOT-FOR-US: magic-fields plugin for WordPress CVE-2017-18610 (The magic-fields plugin before 1.7.2 for WordPress has XSS via the RCC ...) @@ -3394,7 +3394,7 @@ CVE-2019-15637 (Numerous Tableau products are vulnerable to XXE via a malicious CVE-2019-15636 RESERVED CVE-2019-15635 (An issue was discovered in Grafana 5.4.0. Passwords for data sources u ...) - TODO: check + - grafana CVE-2019-15634 RESERVED CVE-2019-15633 
@@ -5064,11 +5064,11 @@ CVE-2019-15071 CVE-2019-15070 RESERVED CVE-2019-15069 (An unsafe authentication interface was discovered in Smart Battery A4, ...) - TODO: check + NOT-FOR-US: Smart Battery CVE-2019-15068 (A broken access control vulnerability in Smart Battery A4, a multifunc ...) - TODO: check + NOT-FOR-US: Smart Battery CVE-2019-15067 (An authentication bypass vulnerability discovered in Smart Battery A2- ...) - TODO: check + NOT-FOR-US: Smart Battery CVE-2019-15066 RESERVED CVE-2019-15065 @@ -10668,7 +10668,7 @@ CVE-2019-13544 (Delta Electronics TPEditor, Versions 1.94 and prior. Multiple ou CVE-2019-13543 RESERVED CVE-2019-13542 (3S-Smart Software Solutions GmbH CODESYS V3 OPC UA Server, all version ...) - TODO: check + NOT-FOR-US: 3S-Smart CVE-2019-13541 RESERVED CVE-2019-13540 (Delta Electronics TPEditor,
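Review bot: Typo in the second hunk of the first region: the CVE-2019-16881 line reads "NOT-FOR-US: Rustportaudio-rs crate" and is missing the space ("Rust portaudio-rs crate"), which also breaks consistency with the neighbouring "Rust string-interner crate" and "Rust linea crate" lines.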
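Review bot: "NOT-FOR-US: Wordpress plugin" for CVE-2015-9409 drops the plugin name that the description gives (alo-easymail); the file's convention, visible in the later hunks ("fluid-responsive-slideshow plugin for WordPress", "magic-fields plugin for WordPress"), is "<plugin> plugin for WordPress", and the product is spelled WordPress.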
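Review bot: The CVE-2019-15635 entry is changed to a bare "- grafana" with no NOTE, no severity and no fixed version, unlike the other package entries touched in this series, which carry an upstream reference; add the upstream issue or fix URL and the version that fixes it (the description only pins "Grafana 5.4.0" as affected), otherwise the next person has to redo the triage from scratch.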
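Review bot: Style point in the last hunk: "NOT-FOR-US: 3S-Smart" for CVE-2019-13542 keeps the vendor but drops the product; the description names "CODESYS V3 OPC UA Server", so "3S-Smart CODESYS" would match how the rest of this batch names the affected product.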
[Git][security-tracker-team/security-tracker][master] suricata fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: aa50c9ac by Moritz Muehlenhoff at 2019-09-25T20:33:04Z suricata fixed exiv n/a NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1153,9 +1153,15 @@ CVE-2019-16413 (An issue was discovered in the Linux kernel before 5.0.4. The 9p CVE-2019-16412 (In goform/setSysTools on Tenda N301 wireless routers, attackers can tr ...) NOT-FOR-US: Tenda CVE-2019-16411 (An issue was discovered in Suricata 4.1.4. By sending multiple IPv4 pa ...) - TODO: check + - suricata 1:4.1.5-1 (low) + [buster] - suricata (Minor issue) + [stretch] - suricata (Minor issue) + NOTE: https://suricata-ids.org/2019/09/24/suricata-4-1-5-released/ CVE-2019-16410 (An issue was discovered in Suricata 4.1.4. By sending multiple fragmen ...) - TODO: check + - suricata 1:4.1.5-1 (low) + [buster] - suricata (Minor issue) + [stretch] - suricata (Minor issue) + NOTE: https://suricata-ids.org/2019/09/24/suricata-4-1-5-released/ CVE-2019-16409 RESERVED CVE-2019-16408 @@ -3199,7 +3205,10 @@ CVE-2019-15701 (components/Modals/HelpModal.jsx in BloodHound 2.2.0 allows remot CVE-2019-15700 (public/js/frappe/form/footer/timeline.js in Frappe Framework 12 throug ...) NOT-FOR-US: Frappe Framework CVE-2019-15699 (An issue was discovered in app-layer-ssl.c in Suricata 4.1.4. Upon rec ...) - TODO: check + - suricata 1:4.1.5-1 (low) + [buster] - suricata (Minor issue) + [stretch] - suricata (Minor issue) + NOTE: https://suricata-ids.org/2019/09/24/suricata-4-1-5-released/ CVE-2019-15698 (In Octopus Deploy 2019.7.3 through 2019.7.9, in certain circumstances, ...) NOT-FOR-US: Octopus Deploy CVE-2019-15697 
@@ -4274,7 +4283,7 @@ CVE-2019-15303 CVE-2019-15302 (The pad management logic in XWiki labs CryptPad before 3.0.0 allows a ...) NOT-FOR-US: CryptPad CVE-2019-15301 (A SQL injection vulnerability in the method Terrasoft.Core.DB.Column.C ...) - TODO: check + NOT-FOR-US: Terrasoft Bpm'online CRM-System SDK CVE-2019-15300 RESERVED CVE-2019-15299 @@ -4911,7 +4920,7 @@ CVE-2019-15087 (An issue was discovered in PRiSE adAS 1.7.0. An authenticated us CVE-2019-15086 (An issue was discovered in PRiSE adAS 1.7.0. The newentityID parameter ...) NOT-FOR-US: PRiSE adAS CVE-2019-15085 (An issue was discovered in PRiSE adAS 1.7.0. The current database pass ...) - TODO: check + NOT-FOR-US: PRiSE adAS CVE-2019-15084 (Realtek Waves MaxxAudio driver 1.6.2.0, as used on Dell laptops, insta ...) NOT-FOR-US: Realtek CVE-2019-15083 @@ -5341,7 +5350,9 @@ CVE-2019-14984 (eQ-3 Homematic CCU2 and CCU3 with the XML-API through 1.2.0 AddO CVE-2019-14983 RESERVED CVE-2019-14982 (In Exiv2 before v0.27.2, there is an integer overflow vulnerability in ...) - TODO: check + - exiv2 (Vulnerable code not present) + NOTE: https://github.com/Exiv2/exiv2/issues/960 + NOTE: https://github.com/Exiv2/exiv2/pull/962/commits/e925bc5addd881543fa503470c8a859e112cca62 CVE-2019-14981 (In ImageMagick 7.x before 7.0.8-41 and 6.x before 6.9.10-41, there is ...) - imagemagick [jessie] - imagemagick (can be fixed along with more important issues) 
@@ -8068,9 +8079,9 @@ CVE-2019-14241 (HAProxy through 2.0.2 allows attackers to cause a denial of serv CVE-2019-14240 (WCMS v0.3.2 has a CSRF vulnerability, with resultant directory travers ...) NOT-FOR-US: WCMS CVE-2019-14239 (On NXP Kinetis KV1x, Kinetis KV3x, and Kinetis K8x devices, Flash Acce ...) - TODO: check + NOT-FOR-US: NXP Kinetis CVE-2019-14238 (On STMicroelectronics STM32F7 devices, Proprietary Code Read Out Prote ...) - TODO: check + NOT-FOR-US: STMicroelectronics CVE-2019-14237 (On NXP Kinetis KV1x, Kinetis KV3x, and Kinetis K8x devices, Flash Acce ...) NOT-FOR-US: NXP Kinetis KV1x, Kinetis KV3x, and Kinetis K8x devices CVE-2019-14236 (On STMicroelectronics STM32L0, STM32L1, STM32L4, STM32F4, STM32F7, and ...) @@ -8124,7 +8135,7 @@ CVE-2019-14222 (An issue was discovered in Alfresco Community Edition versions 6 CVE-2019-14221 (1CRM On-Premise Software 8.5.7 allows XSS via a payload that is mishan ...) NOT-FOR-US: 1CRM On-Premise Software CVE-2019-14220 (An issue was discovered in BlueStacks 4.110 and below on macOS and on ...) - TODO: check + NOT-FOR-US: BlueStacks CVE-2019-14219 RESERVED CVE-2019-14218 @@ -10625,11 +10636,11 @@ CVE-2019-13560 (D-Link DIR-655 C devices before 3.02B05 BETA03 allow remote atta CVE-2019-13559 RESERVED CVE-2019-13558 (In WebAccess versions 8.4.1 and prior, an exploit executed over the ne ...) - TODO: check + NOT-FOR-US: WebAccess CVE-2019-13557
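Review bot: The three suricata entries in the first region (CVE-2019-16411, CVE-2019-16410, CVE-2019-15699) cite only the 4.1.5 release announcement; a NOTE pointing at the per-issue upstream ticket or commit would let the "(Minor issue)" no-DSA decision for buster and stretch be re-checked later without reading the whole release.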
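Review bot: "- exiv2 (Vulnerable code not present)" for CVE-2019-14982 sits uneasily next to a description that says "Exiv2 before v0.27.2" is affected; since an unversioned not-affected marker covers every suite at once, the NOTE should say which file or function from the linked fix commit was checked and in which Debian versions it is absent.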
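Review bot: Style point in the CVE-2019-14241 hunk: "NOT-FOR-US: NXP Kinetis" for CVE-2019-14239 is a different form from the unchanged CVE-2019-14237 line right below it ("NOT-FOR-US: NXP Kinetis KV1x, Kinetis KV3x, and Kinetis K8x devices") although both descriptions name the same device list; pick one form for both.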
[Git][security-tracker-team/security-tracker][master] lemonldap-ng DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 09d0d637 by Moritz Muehlenhoff at 2019-09-25T20:29:31Z lemonldap-ng DSA - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[25 Sep 2019] DSA-4533-1 lemonldap-ng - security update + {CVE-2019-15941} + [buster] - lemonldap-ng 2.0.2+ds-7+deb10u2 [25 Sep 2019] DSA-4532-1 spip - security update {CVE-2019-16391 CVE-2019-16392 CVE-2019-16393 CVE-2019-16394} [stretch] - spip 3.1.4-4~deb9u3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/09d0d6376f6631cb307e1d95910b856f048767d0
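Review bot: The DSA-4533-1 entry lists only a buster version (2.0.2+ds-7+deb10u2) for CVE-2019-15941, whereas the DSA-4532-1 entry right below it carries a [stretch] line; if stretch's lemonldap-ng is not affected or is being handled separately, the CVE-2019-15941 entry in data/CVE/list should record that, so the stretch status is unambiguous rather than inferred from the DSA's silence.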
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c8bc0812 by security tracker role at 2019-09-25T20:10:19Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,131 @@ +CVE-2019-16888 + RESERVED +CVE-2019-16887 (In IrfanView 4.53, Data from a Faulting Address controls a subsequent ...) + TODO: check +CVE-2019-16886 + RESERVED +CVE-2019-16885 + RESERVED +CVE-2019-16884 (runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other ...) + TODO: check +CVE-2019-16883 + RESERVED +CVE-2019-16882 (An issue was discovered in the string-interner crate before 0.7.1 for ...) + TODO: check +CVE-2019-16881 (An issue was discovered in the portaudio-rs crate through 0.3.1 for Ru ...) + TODO: check +CVE-2019-16880 (An issue was discovered in the linea crate through 0.9.4 for Rust. The ...) + TODO: check +CVE-2019-16879 + RESERVED +CVE-2019-16878 + RESERVED +CVE-2019-16877 + RESERVED +CVE-2019-16876 + RESERVED +CVE-2019-16875 + RESERVED +CVE-2019-16874 + RESERVED +CVE-2019-16873 + RESERVED +CVE-2019-16872 + RESERVED +CVE-2019-16871 + RESERVED +CVE-2019-16870 + RESERVED +CVE-2019-16869 + RESERVED +CVE-2019-16868 (emlog through 6.0.0beta has an arbitrary file deletion vulnerability v ...) + TODO: check +CVE-2019-16867 (HongCMS 3.0.0 allows arbitrary file deletion via a ../ in the file par ...) 
+ TODO: check +CVE-2019-16866 + RESERVED +CVE-2015-9449 + RESERVED +CVE-2015-9448 + RESERVED +CVE-2015-9447 + RESERVED +CVE-2015-9446 + RESERVED +CVE-2015-9445 + RESERVED +CVE-2015-9444 + RESERVED +CVE-2015-9443 + RESERVED +CVE-2015-9442 + RESERVED +CVE-2015-9441 + RESERVED +CVE-2015-9440 + RESERVED +CVE-2015-9439 + RESERVED +CVE-2015-9438 + RESERVED +CVE-2015-9437 + RESERVED +CVE-2015-9436 + RESERVED +CVE-2015-9435 + RESERVED +CVE-2015-9434 + RESERVED +CVE-2015-9433 + RESERVED +CVE-2015-9432 + RESERVED +CVE-2015-9431 + RESERVED +CVE-2015-9430 + RESERVED +CVE-2015-9429 + RESERVED +CVE-2015-9428 + RESERVED +CVE-2015-9427 + RESERVED +CVE-2015-9426 + RESERVED +CVE-2015-9425 + RESERVED +CVE-2015-9424 + RESERVED +CVE-2015-9423 + RESERVED +CVE-2015-9422 + RESERVED +CVE-2015-9421 + RESERVED +CVE-2015-9420 + RESERVED +CVE-2015-9419 + RESERVED +CVE-2015-9418 + RESERVED +CVE-2015-9417 + RESERVED +CVE-2015-9416 + RESERVED +CVE-2015-9415 + RESERVED +CVE-2015-9414 + RESERVED +CVE-2015-9413 + RESERVED +CVE-2015-9412 + RESERVED +CVE-2015-9411 + RESERVED +CVE-2015-9410 + RESERVED +CVE-2015-9409 (The alo-easymail plugin before 2.6.01 for WordPress has CSRF with resu ...) + TODO: check CVE-2019-16865 RESERVED CVE-2019-16864 @@ -346,8 +474,8 @@ CVE-2019-16703 (admin/infolist_add.php in PHPMyWind 5.6 has stored XSS. ...) NOT-FOR-US: PHPMyWind CVE-2019-16702 (Integard Pro 2.2.0.9026 allows remote attackers to execute arbitrary c ...) NOT-FOR-US: Integard Pro -CVE-2019-16701 - RESERVED +CVE-2019-16701 (pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection vi ...) + TODO: check CVE-2019-16700 RESERVED CVE-2019-16699 
@@ -1727,8 +1855,8 @@ CVE-2019-16196 RESERVED CVE-2019-16195 RESERVED -CVE-2019-16194 - RESERVED +CVE-2019-16194 (SQL injection vulnerabilities in Centreon through 19.04 allow attacks ...) + TODO: check CVE-2019-16193 (In ArcGIS Enterprise 10.6.1, a crafted IFRAME element can be used to t ...) NOT-FOR-US: ArcGIS Enterprise CVE-2019-16192 (upload_model() in /admini/controllers/system/managemodel.php in DocCms ...) @@ -1739,8 +1867,8 @@ CVE-2019-16190 (SharePort Web Access on D-Link DIR-868L REVB through 2.03, DIR-8 NOT-FOR-US: D-Link CVE-2019-16189 RESERVED -CVE-2019-16188 - RESERVED +CVE-2019-16188 (HCL AppScan Source before 9.03.13 is susceptible to XML External Entit ...) + TODO: check CVE-2017-18611 (The magic-fields plugin before 1.7.2 for WordPress has XSS via the RCC ...) NOT-FOR-US: magic-fields plugin for WordPress CVE-2017-18610 (The magic-fields plugin before 1.7.2 for WordPress has XSS via the RCC ...) @@ -4926,12 +5054,12 @@ CVE-2019-15071 RESERVED CVE-2019-15070 RESERVED -CVE-2019-15069 - RESERVED -CVE-2019-15068 - RESERVED -CVE-2019-15067 - RESERVED +CVE-2019-15069 (An unsafe authentication interface was discovered in Smart Battery A4, ...) + TODO: check +CVE-2019-15068 (A broken access control vulnerability in Smart Battery A4, a multifunc ...) + TODO: check
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1932-1 for openssl
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f03a2068 by Markus Koschany at 2019-09-25T19:27:48Z Reserve DLA-1932-1 for openssl - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[25 Sep 2019] DLA-1932-1 openssl - security update + {CVE-2019-1547 CVE-2019-1563} + [jessie] - openssl 1.0.1t-1+deb8u12 [24 Sep 2019] DLA-1931-1 libgcrypt20 - security update {CVE-2019-13627} [jessie] - libgcrypt20 1.6.3-2+deb8u6 = data/dla-needed.txt = @@ -106,8 +106,6 @@ opendmarc (Thorsten Alteholz) -- openjpeg2 -- -openssl (Markus Koschany) --- pam-python -- poppler (Thorsten Alteholz) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f03a206849a1d9f9b1a4a80a414ebd0ff8b3bbae
[Git][security-tracker-team/security-tracker][master] new hunspell issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ae33de2 by Moritz Muehlenhoff at 2019-09-25T14:23:53Z new hunspell issue NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -323,7 +323,9 @@ CVE-2019-16708 (ImageMagick 7.0.8-35 has a memory leak in magick/xwindow.c, rela - imagemagick (unimportant) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1531 CVE-2019-16707 (Hunspell 1.7.0 has an invalid read operation in SuggestMgr::leftcommon ...) - TODO: check + - hunspell (unimportant) + NOTE: Negligible security impact + NOTE: https://github.com/butterflyhack/hunspell-crash CVE-2019-16706 (kkcms v1.3 has a CSRF vulnerablity that can add an user account via ad ...) NOT-FOR-US: kkcms CVE-2018-21019 (Home Assistant before 0.67.0 was vulnerable to an information disclosu ...) @@ -794,6 +796,7 @@ CVE-2019-16525 (An XSS issue was discovered in the checklist plugin before 1.1.9 NOT-FOR-US: checklist plugin for WordPress CVE-2019-16524 RESERVED + NOT-FOR-US: Wordpress plugin CVE-2019-16523 RESERVED CVE-2019-16522 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1ae33de20c111d6ece2c1183f81e097fce26a63a
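Review bot: In the CVE-2019-16707 hunk the only reference is a third-party crash-reproducer repository (github.com/butterflyhack/hunspell-crash) and the NOTE "Negligible security impact" gives no reason; add the upstream hunspell bug or fixing commit, or at least state what input triggers the invalid read in SuggestMgr::leftcommon... and why that input is not a security boundary, so the "(unimportant)" rating can be verified later.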
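Review bot: The second hunk adds "NOT-FOR-US: Wordpress plugin" under CVE-2019-16524, which is still RESERVED and has no description in the file, so the verdict cannot be checked from the entry itself; add a NOTE naming the plugin (the adjacent CVE-2019-16525 is the checklist plugin for WordPress) or the source of the information, and use the "WordPress" spelling the neighbouring line uses.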
[Git][security-tracker-team/security-tracker][master] Ignore XSA-297 for jessie
Bastian Blank pushed to branch master at Debian Security Tracker / security-tracker Commits: 0cea2fc8 by Bastian Blank at 2019-09-25T10:50:06Z Ignore XSA-297 for jessie - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17130,6 +17130,7 @@ CVE-2019-11091 (Microarchitectural Data Sampling Uncacheable Memory (MDSUM): Unc - intel-microcode 3.20190514.1 - linux 4.19.37-2 - xen 4.11.1+92-g6c33308a8d-1 (bug #929129) + [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) NOTE: https://git.kernel.org/linus/fa4bff165070dc40a3de35b78e4f8da8e8d85ec5 NOTE: https://software.intel.com/security-software-guidance/software-guidance/microarchitectural-data-sampling NOTE: https://xenbits.xen.org/xsa/advisory-297.html @@ -67394,6 +67395,7 @@ CVE-2018-12130 (Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffe - intel-microcode 3.20190514.1 - linux 4.19.37-2 - xen 4.11.1+92-g6c33308a8d-1 (bug #929129) + [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) NOTE: https://git.kernel.org/linus/fa4bff165070dc40a3de35b78e4f8da8e8d85ec5 NOTE: https://software.intel.com/security-software-guidance/software-guidance/microarchitectural-data-sampling NOTE: https://xenbits.xen.org/xsa/advisory-297.html @@ -67409,6 +67411,7 @@ CVE-2018-12127 (Microarchitectural Load Port Data Sampling (MLPDS): Load ports o - intel-microcode 3.20190514.1 - linux 4.19.37-2 - xen 4.11.1+92-g6c33308a8d-1 (bug #929129) + [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) NOTE: https://git.kernel.org/linus/fa4bff165070dc40a3de35b78e4f8da8e8d85ec5 NOTE: https://software.intel.com/security-software-guidance/software-guidance/microarchitectural-data-sampling NOTE: https://xenbits.xen.org/xsa/advisory-297.html 
@@ -67420,6 +67423,7 @@ CVE-2018-12126 (Microarchitectural Store Buffer Data Sampling (MSBDS): Store buf - intel-microcode 3.20190514.1 - linux 4.19.37-2 - xen 4.11.1+92-g6c33308a8d-1 (bug #929129) + [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) NOTE: https://git.kernel.org/linus/fa4bff165070dc40a3de35b78e4f8da8e8d85ec5 NOTE: https://software.intel.com/security-software-guidance/software-guidance/microarchitectural-data-sampling NOTE: https://xenbits.xen.org/xsa/advisory-297.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0cea2fc8f87059c0bcde0ad94bf910497f80ea29
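Review bot: The commit message says "Ignore XSA-297 for jessie", but each of the four added lines ("[jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)") carries no <ignored> marker, so as written they record jessie's xen as unfixed with an explanatory comment rather than as an ignored issue; if the intent is to drop the jessie fix, the lines should read "[jessie] - xen <ignored> (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)". The rationale is fine, but it would also help to say whether those three prerequisite CVEs are themselves ignored for jessie xen, since depending on a fix that will not land is the same decision.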
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2376fbcc by Moritz Muehlenhoff at 2019-09-25T08:59:14Z NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4772,13 +4772,13 @@ CVE-2019-15092 (The webtoffee "WordPress Users WooCommerce Customers Impor CVE-2019-15091 (filemgr.php in Artica Integria IMS 5.0.86 allows index.php?sec=wiki ...) NOT-FOR-US: Artica Integria IMS CVE-2019-15089 (An issue was discovered in PRiSE adAS 1.7.0. Forms have no CSRF protec ...) - TODO: check + NOT-FOR-US: PRiSE adAS CVE-2019-15088 (An issue was discovered in PRiSE adAS 1.7.0. Password hashes are compa ...) - TODO: check + NOT-FOR-US: PRiSE adAS CVE-2019-15087 (An issue was discovered in PRiSE adAS 1.7.0. An authenticated user can ...) - TODO: check + NOT-FOR-US: PRiSE adAS CVE-2019-15086 (An issue was discovered in PRiSE adAS 1.7.0. The newentityID parameter ...) - TODO: check + NOT-FOR-US: PRiSE adAS CVE-2019-15085 (An issue was discovered in PRiSE adAS 1.7.0. The current database pass ...) TODO: check CVE-2019-15084 (Realtek Waves MaxxAudio driver 1.6.2.0, as used on Dell laptops, insta ...) @@ -5172,9 +5172,9 @@ CVE-2019-15003 CVE-2019-15002 RESERVED CVE-2019-15001 (The Jira Importers Plugin in Atlassian Jira Server and Data Cente from ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2019-15000 (The commit diff rest endpoint in Bitbucket Server and Data Center befo ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2019-14999 (The Uninstall REST endpoint in Atlassian Universal Plugin Manager befo ...) NOT-FOR-US: Atlassian CVE-2019-14998 (The Webwork action Cross-Site Request Forgery (CSRF) protection implem ...) 
@@ -5186,7 +5186,7 @@ CVE-2019-14996 (The FilterPickerPopup.jspa resource in Jira before version 7.13. CVE-2019-14995 (The /rest/api/1.0/render resource in Jira before version 8.4.0 allows ...) NOT-FOR-US: Atlassian Jira CVE-2019-14994 (The Customer Context Filter in Atlassian Jira Service Desk Server and ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2019-14993 (Istio before 1.1.13 and 1.2.x before 1.2.4 mishandles regular expressi ...) NOT-FOR-US: Istio CVE-2019-14992 @@ -5488,17 +5488,17 @@ CVE-2019-14918 CVE-2019-14917 RESERVED CVE-2019-14916 (An issue was discovered in PRiSE adAS 1.7.0. A file's format is not pr ...) - TODO: check + NOT-FOR-US: PRiSE adAS CVE-2019-14915 (An issue was discovered in PRiSE adAS 1.7.0. Certificate data are not ...) - TODO: check + NOT-FOR-US: PRiSE adAS CVE-2019-14914 (An issue was discovered in PRiSE adAS 1.7.0. The path is not properly ...) - TODO: check + NOT-FOR-US: PRiSE adAS CVE-2019-14913 (An issue was discovered in PRiSE adAS 1.7.0. Log data are not properly ...) - TODO: check + NOT-FOR-US: PRiSE adAS CVE-2019-14912 (An issue was discovered in PRiSE adAS 1.7.0. The OPENSSO module does n ...) - TODO: check + NOT-FOR-US: PRiSE adAS CVE-2019-14911 (An issue was discovered in PRiSE adAS 1.7.0. The OPENSSO module does n ...) - TODO: check + NOT-FOR-US: PRiSE adAS CVE-2019-14910 RESERVED CVE-2019-14909 @@ -5907,7 +5907,7 @@ CVE-2019-14754 (Open-School 3.0, and Community Edition 2.3, allows SQL Injection CVE-2018-20962 (The Backpack\CRUD Backpack component before 3.4.9 for Laravel allows X ...) NOT-FOR-US: Backpack\CRUD Backpack CVE-2019-14753 (SICK FX0-GPNT0 and FX0-GENT0 devices through 3.4.0 have a Buff ...) - TODO: check + NOT-FOR-US: SICK FX0-GPNT0 and FX0-GENT0 devices CVE-2019-14752 RESERVED CVE-2019-14751 (NLTK Downloader before 3.4.5 is vulnerable to a directory traversal, a ...) 
@@ -6711,7 +6711,7 @@ CVE-2019-14459 (nfdump 1.6.17 and earlier is affected by an integer overflow in NOTE: https://github.com/phaag/nfdump/issues/171 NOTE: https://github.com/phaag/nfdump/commit/3b006ededaf351f1723aea6c727c9edd1b1fff9b CVE-2019-14458 (VIVOTEK IP Camera devices with firmware before 0x20x allow a denial of ...) - TODO: check + NOT-FOR-US: VIVOTEK IP Camera devices CVE-2019-14457 (VIVOTEK IP Camera devices with firmware before 0x20x have a stack-base ...) NOT-FOR-US: VIVOTEK IP Camera devices CVE-2019-14456 (Opengear console server firmware releases prior to 4.5.0 have a stored ...) @@ -7894,11 +7894,11 @@ CVE-2019-14256 CVE-2019-14255 (A Server Side Request Forgery (SSRF) vulnerability in go-camo up to ve ...) NOT-FOR-US: go-camo CVE-2019-14254 (An issue was discovered in the secure portal in Publisure 2.1.2. Becau ...) - TODO: check + NOT-FOR-US: Publisure CVE-2019-14253 (An issue was discovered in servletcontroller in the secure portal in
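Review bot: The first hunk marks CVE-2019-15089 through CVE-2019-15086 as "NOT-FOR-US: PRiSE adAS" but leaves the adjacent CVE-2019-15085, with the same "An issue was discovered in PRiSE adAS 1.7.0" description, at "TODO: check"; when a run of IDs for one product is triaged, the whole run should be done in one pass (the later commit aa50c9ac had to come back for that one entry).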
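Review bot: "NOT-FOR-US: Atlassian" for CVE-2019-15001, CVE-2019-15000 and CVE-2019-14994 is less specific than the unchanged "NOT-FOR-US: Atlassian Jira" line next to them; the descriptions name the product (Jira Importers Plugin, Bitbucket Server, Jira Service Desk), so carry it into the NFU text as the neighbouring entries do.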
[Git][security-tracker-team/security-tracker][master] new dompurify issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 317bbbe9 by Moritz Muehlenhoff at 2019-09-25T08:26:34Z new dompurify issue NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -211,7 +211,7 @@ CVE-2019-16761 CVE-2019-16760 RESERVED CVE-2019-16759 (vBulletin 5.x through 5.5.4 allows remote command execution via the wi ...) - TODO: check + NOT-FOR-US: vBulletin CVE-2019-16758 RESERVED CVE-2019-16757 @@ -227,7 +227,7 @@ CVE-2019-16753 CVE-2019-16752 RESERVED CVE-2019-16751 (An issue was discovered in Devise Token Auth through 1.1.2. The omniau ...) - TODO: check + NOT-FOR-US: Devise Token Auth CVE-2019-16750 RESERVED CVE-2019-16749 @@ -270,7 +270,8 @@ CVE-2019-16731 CVE-2019-16730 RESERVED CVE-2019-16728 (DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (m ...) - TODO: check + - dompurify.js + NOTE: https://research.securitum.com/dompurify-bypass-using-mxss/ CVE-2019-16746 (An issue was discovered in net/wireless/nl80211.c in the Linux kernel ...) - linux NOTE: https://marc.info/?l=linux-wireless=156901391225058=2 @@ -279,9 +280,9 @@ CVE-2019-16727 CVE-2019-16726 RESERVED CVE-2019-16725 (In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks ...) - TODO: check + NOT-FOR-US: Joomla! CVE-2019-16724 (File Sharing Wizard 1.5.0 allows a remote attacker to obtain arbitrary ...) - TODO: check + NOT-FOR-US: File Sharing Wizard CVE-2019-16723 (In Cacti through 1.2.6, authenticated users may bypass authorization c ...) - cacti (bug #941036) NOTE: https://github.com/Cacti/cacti/issues/2964 
@@ -326,7 +327,7 @@ CVE-2019-16707 (Hunspell 1.7.0 has an invalid read operation in SuggestMgr::left CVE-2019-16706 (kkcms v1.3 has a CSRF vulnerablity that can add an user account via ad ...) NOT-FOR-US: kkcms CVE-2018-21019 (Home Assistant before 0.67.0 was vulnerable to an information disclosu ...) - TODO: check + NOT-FOR-US: Home Assistant CVE-2019-16729 (pam-python before 1.0.7-1 has an issue in regard to the default enviro ...) - pam-python 1.0.7-1 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1150510#c1 @@ -338,11 +339,11 @@ CVE-2019-16705 (Ming (aka libming) 0.4.8 has an out of bounds read vulnerability - ming NOTE: https://github.com/libming/libming/issues/178 CVE-2019-16704 (admin/infoclass_update.php in PHPMyWind 5.6 has stored XSS. ...) - TODO: check + NOT-FOR-US: PHPMyWind CVE-2019-16703 (admin/infolist_add.php in PHPMyWind 5.6 has stored XSS. ...) - TODO: check + NOT-FOR-US: PHPMyWind CVE-2019-16702 (Integard Pro 2.2.0.9026 allows remote attackers to execute arbitrary c ...) - TODO: check + NOT-FOR-US: Integard Pro CVE-2019-16701 RESERVED CVE-2019-16700 @@ -384,9 +385,9 @@ CVE-2019-16683 CVE-2019-16682 RESERVED CVE-2018-21018 (Mastodon before 2.6.3 mishandles timeouts of incompletely established ...) - TODO: check + NOT-FOR-US: Mastodon CVE-2019-16681 (The Traveloka application 3.14.0 for Android exports com.traveloka.and ...) - TODO: check + NOT-FOR-US: Traveloka CVE-2019-16680 (An issue was discovered in GNOME file-roller before 3.29.91. It allows ...) - file-roller 3.30.0-1 NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=794337 @@ -804,7 +805,7 @@ CVE-2019-16520 CVE-2019-16519 RESERVED CVE-2019-16518 (An issue was discovered on Swell Kit Mod devices that use the Vandy Va ...) - TODO: check + NOT-FOR-US: Swell Kit Mod devices CVE-2019-16517 RESERVED CVE-2019-16516 
@@ -1079,7 +1080,7 @@ CVE-2019-16385 CVE-2019-16384 RESERVED CVE-2019-16383 (MOVEit.DMZ.WebApi.dll in Progress MOVEit Transfer 2018 SP2 before 10.2 ...) - TODO: check + NOT-FOR-US: Progress MOVEit Transfer CVE-2019-16382 RESERVED CVE-2019-16381 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/317bbbe9cb1abc5e7341a1d8bbdb461840770ed8
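Review bot: The CVE-2019-16728 entry in the first region ("- dompurify.js" plus the securitum write-up) has no fixed version or severity although the description pins the fix at "DOMPurify before 2.0.1"; record the upstream fixed version in a NOTE, and since DOMPurify is the kind of JavaScript library other packages ship as an embedded copy, check whether any other source package bundles it and needs its own line.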
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 03695937 by security tracker role at 2019-09-25T08:10:32Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,219 @@ +CVE-2019-16865 + RESERVED +CVE-2019-16864 + RESERVED +CVE-2019-16863 + RESERVED +CVE-2019-16862 + RESERVED +CVE-2019-16861 + RESERVED +CVE-2019-16860 + RESERVED +CVE-2019-16859 + RESERVED +CVE-2019-16858 + RESERVED +CVE-2019-16857 + RESERVED +CVE-2019-16856 + RESERVED +CVE-2019-16855 + RESERVED +CVE-2019-16854 + RESERVED +CVE-2019-16853 + RESERVED +CVE-2019-16852 + RESERVED +CVE-2019-16851 + RESERVED +CVE-2019-16850 + RESERVED +CVE-2019-16849 + RESERVED +CVE-2019-16848 + RESERVED +CVE-2019-16847 + RESERVED +CVE-2019-16846 + RESERVED +CVE-2019-16845 + RESERVED +CVE-2019-16844 + RESERVED +CVE-2019-16843 + RESERVED +CVE-2019-16842 + RESERVED +CVE-2019-16841 + RESERVED +CVE-2019-16840 + RESERVED +CVE-2019-16839 + RESERVED +CVE-2019-16838 + RESERVED +CVE-2019-16837 + RESERVED +CVE-2019-16836 + RESERVED +CVE-2019-16835 + RESERVED +CVE-2019-16834 + RESERVED +CVE-2019-16833 + RESERVED +CVE-2019-16832 + RESERVED +CVE-2019-16831 + RESERVED +CVE-2019-16830 + RESERVED +CVE-2019-16829 + RESERVED +CVE-2019-16828 + RESERVED +CVE-2019-16827 + RESERVED +CVE-2019-16826 + RESERVED +CVE-2019-16825 + RESERVED +CVE-2019-16824 + RESERVED +CVE-2019-16823 + RESERVED +CVE-2019-16822 + RESERVED +CVE-2019-16821 + RESERVED +CVE-2019-16820 + RESERVED +CVE-2019-16819 + RESERVED +CVE-2019-16818 + RESERVED +CVE-2019-16817 + RESERVED +CVE-2019-16816 + RESERVED +CVE-2019-16815 + RESERVED +CVE-2019-16814 + RESERVED +CVE-2019-16813 + RESERVED +CVE-2019-16812 + RESERVED +CVE-2019-16811 + RESERVED +CVE-2019-16810 + RESERVED +CVE-2019-16809 + RESERVED +CVE-2019-16808 + RESERVED +CVE-2019-16807 + RESERVED +CVE-2019-16806 + RESERVED +CVE-2019-16805 + RESERVED +CVE-2019-16804 + RESERVED +CVE-2019-16803 + RESERVED +CVE-2019-16802 + RESERVED +CVE-2019-16801 + RESERVED +CVE-2019-16800 + RESERVED +CVE-2019-16799 + RESERVED +CVE-2019-16798 + RESERVED +CVE-2019-16797 + RESERVED +CVE-2019-16796 + RESERVED +CVE-2019-16795 + RESERVED +CVE-2019-16794 + RESERVED +CVE-2019-16793 + RESERVED 
+CVE-2019-16792 + RESERVED +CVE-2019-16791 + RESERVED +CVE-2019-16790 + RESERVED +CVE-2019-16789 + RESERVED +CVE-2019-16788 + RESERVED +CVE-2019-16787 + RESERVED +CVE-2019-16786 + RESERVED +CVE-2019-16785 + RESERVED +CVE-2019-16784 + RESERVED +CVE-2019-16783 + RESERVED +CVE-2019-16782 + RESERVED +CVE-2019-16781 + RESERVED +CVE-2019-16780 + RESERVED +CVE-2019-16779 + RESERVED +CVE-2019-16778 + RESERVED +CVE-2019-16777 + RESERVED +CVE-2019-16776 + RESERVED +CVE-2019-16775 + RESERVED +CVE-2019-16774 + RESERVED +CVE-2019-16773 + RESERVED +CVE-2019-16772 + RESERVED +CVE-2019-16771 + RESERVED +CVE-2019-16770 + RESERVED +CVE-2019-16769 + RESERVED +CVE-2019-16768 + RESERVED +CVE-2019-16767 + RESERVED +CVE-2019-16766 + RESERVED +CVE-2019-16765 + RESERVED +CVE-2019-16764 + RESERVED +CVE-2019-16763 + RESERVED +CVE-2019-16762 + RESERVED +CVE-2019-16761 + RESERVED +CVE-2019-16760 + RESERVED +CVE-2019-16759 (vBulletin 5.x through 5.5.4 allows remote command execution via the wi ...) + TODO: check +CVE-2019-16758 + RESERVED CVE-2019-16757 RESERVED CVE-2019-16756 @@ -62,10 +278,10 @@ CVE-2019-16727 RESERVED CVE-2019-16726 RESERVED -CVE-2019-16725 - RESERVED -CVE-2019-16724 - RESERVED +CVE-2019-16725 (In Joomla! 3.x before 3.9.12, inadequate escaping allowed XSS attacks ...) + TODO: check +CVE-2019-16724 (File Sharing Wizard 1.5.0 allows a remote attacker to obtain arbitrary ...) + TODO: check CVE-2019-16723 (In Cacti through 1.2.6, authenticated users may bypass authorization c ...) - cacti (bug #941036) NOTE: https://github.com/Cacti/cacti/issues/2964 @@ -804,10 +1020,10 @@ CVE-2019-16413 (An issue was discovered in the Linux kernel before 5.0.4. The 9p NOTE: https://git.kernel.org/linus/5e3cc1ee1405a7eb3487ed24f786dec01b4cbe1f CVE-2019-16412 (In goform/setSysTools on Tenda N301 wireless routers, attackers can tr ...) NOT-FOR-US: Tenda -CVE-2019-16411 - RESERVED -CVE-2019-16410 - RESERVED +CVE-2019-16411 (An
[Git][security-tracker-team/security-tracker][master] Set state to ignored for CVE-2017-575{3,4}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a9a8358e by Salvatore Bonaccorso at 2019-09-25T07:59:17Z Set state to ignored for CVE-2017-575{3,4} As probably wanted to merge in cfc83a8703cb7ddfa9b0e9932c95b9eef806ad60. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -137139,7 +137139,7 @@ CVE-2017-5754 (Systems with microprocessors utilizing speculative execution and - linux-grsec - xen 4.11.1~pre+1.733450b39b-1 [stretch] - xen 4.8.3+comet2+shim4.10.0+comet3-1+deb9u4 - [jessie] - xen (Too intrusive to backport) + [jessie] - xen (Too intrusive to backport) NOTE: https://meltdownattack.com/ NOTE: https://xenbits.xen.org/xsa/advisory-254.html NOTE: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html @@ -137160,7 +137160,7 @@ CVE-2017-5753 (Systems with microprocessors utilizing speculative execution and [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) - linux-grsec - xen 4.11.1~pre+1.733450b39b-1 - [jessie] - xen (Too intrusive to backport) + [jessie] - xen (Too intrusive to backport) NOTE: https://spectreattack.com/ NOTE: https://xenbits.xen.org/xsa/advisory-254.html NOTE: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a9a8358e8d36e7660e393b20d4960a154db9c40d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a9a8358e8d36e7660e393b20d4960a154db9c40d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
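Review bot: In both hunks (@@ -137139 for CVE-2017-5754 and @@ -137160 for CVE-2017-5753) the removed and the added '[jessie] - xen (Too intrusive to backport)' lines read identically here, so the state change the commit message announces is not visible; the tracker's pseudo-version token between the package name and the parenthesised reason (the ignored marker) has evidently been dropped by the message rendering, so check the raw commit to confirm the old line carried the previous state and the new one the ignored one. The unchanged context also shows each record with a single [jessie] xen line next to '- xen 4.11.1~pre+1.733450b39b-1', which is the grouping the 56135ce2/1545a1b8 clean-up restored after cfc83a87 had added a duplicate.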
[Git][security-tracker-team/security-tracker][master] 2 commits: Keep style of grouping source package entries, rearrange entries
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 56135ce2 by Salvatore Bonaccorso at 2019-09-25T07:54:33Z Keep style of grouping source package entries, rearrange entries Please do keep the stile and group entries via source packages. - - - - - 1545a1b8 by Salvatore Bonaccorso at 2019-09-25T07:55:14Z Remove doubled added information - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -47795,8 +47795,8 @@ CVE-2018-19966 (An issue was discovered in Xen through 4.11.x allowing x86 PV gu CVE-2018-19965 (An issue was discovered in Xen through 4.11.x allowing 64-bit PV guest ...) {DSA-4369-1} - xen 4.11.1-1 - NOTE: https://xenbits.xen.org/xsa/advisory-279.txt [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) + NOTE: https://xenbits.xen.org/xsa/advisory-279.txt CVE-2018-19964 (An issue was discovered in Xen 4.11.x allowing x86 guest OS users to c ...) - xen 4.11.1-1 [stretch] - xen (Only affects 4.11) @@ -91112,11 +91112,11 @@ CVE-2018-3665 (System software utilizing Lazy FP state restore technique on syst {DSA-4232-1 DLA-1422-1} - linux 4.6.1-1 - xen 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u8 + [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) NOTE: https://xenbits.xen.org/xsa/advisory-267.html NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html NOTE: Default eagerfpu=on on all CPUs: https://git.kernel.org/linus/58122bf1d856a4ea9581d62a07c557d997d46a19 NOTE: Hard-disable lazy FPU mode: https://git.kernel.org/linus/ca6938a1cd8a1c5e861a99b67f84ac166fc2b9e7 - [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) CVE-2018-3664 RESERVED CVE-2018-3663 (Escalation of privilege in Intel Saffron MemoryBase before 11.4 allows ...) 
@@ -91158,6 +91158,7 @@ CVE-2018-3646 (Systems with microprocessors utilizing speculative execution and - linux 4.17.15-1 [jessie] - linux (Too invasive and risky to apply) - xen 4.11.1~pre.20180911.5acdd26fdc+dfsg-2 + [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) - intel-microcode 3.20180703.1 NOTE: https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault NOTE: https://foreshadowattack.eu/ @@ -91166,7 +91167,6 @@ CVE-2018-3646 (Systems with microprocessors utilizing speculative execution and NOTE: Updates were already shipped with 20180703 release, but only disclosed later, see #906158 NOTE: The 3.20180703.1 release for intel-microcode was the first batch of updates which targeted NOTE: most server type CPUs, additional models were supported in the 3.20180807a.1 release - [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) CVE-2018-3645 (Escalation of privilege in all versions of the Intel Remote Keyboard a ...) NOT-FOR-US: Intel CVE-2018-3644 @@ -91192,6 +91192,7 @@ CVE-2018-3639 (Systems with microprocessors utilizing speculative execution and [stretch] - linux 4.9.107-1 [wheezy] - linux (Too much work to backport) - xen 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u7 + [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) NOTE: https://xenbits.xen.org/xsa/advisory-263.html NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1528 NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html 
@@ -91202,7 +91203,6 @@ CVE-2018-3639 (Systems with microprocessors utilizing speculative execution and NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=d19d1f965904a533998739698020ff4ee8a103da NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=cfeea0c021db6234c154dbc723730e81553924ff NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=403503b162ffc33fb64cfefdf7b880acf41772cd - [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) CVE-2018-3638 (Escalation of privilege in all versions of the Intel Remote Keyboard a ...) NOT-FOR-US: Intel CVE-2018-3637 @@ -91246,6 +91246,7 @@ CVE-2018-3620 (Systems with microprocessors utilizing speculative execution and {DSA-4279-1 DSA-4274-1 DLA-1529-1 DLA-1481-1} - linux 4.17.15-1 - xen 4.11.1~pre.20180911.5acdd26fdc+dfsg-2 + [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) - intel-microcode 3.20180703.1 NOTE: Updates were already shipped with 20180703 release, but only disclosed later, see #906158 NOTE:
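Review bot: The hunk at @@ -91246 for CVE-2018-3620 adds '[jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)' under '- xen 4.11.1~pre.20180911.5acdd26fdc+dfsg-2', but the matching removal of the old copy at the end of that record is cut off in this message; confirm it was dropped as it was for CVE-2018-3665, CVE-2018-3646 and CVE-2018-3639, otherwise the record keeps two [jessie] xen notes, which is the situation update-db could not parse after cfc83a87 (mergeNotes calls notes[key].merge(n) and PackageNoteNoDSA has no 'merge'). For CVE-2018-19965 the move places the [jessie] line directly after '- xen 4.11.1-1' with the XSA-279 NOTE following it, consistent with the other records.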
Processing cfc83a8703cb7ddfa9b0e9932c95b9eef806ad60 failed
The error message was:

Traceback (most recent call last):
  File "bin/update-db", line 41, in
    warnings = db.readBugs(cursor, 'data')
  File "/srv/security-tracker.debian.org/website/security-tracker/lib/python/security_db.py", line 967, in readBugs
    read_one(cls(path + srcpath))
  File "/srv/security-tracker.debian.org/website/security-tracker/lib/python/security_db.py", line 958, in read_one
    do_parse(source)
  File "/srv/security-tracker.debian.org/website/security-tracker/lib/python/security_db.py", line 914, in do_parse
    for bug in source:
  File "/srv/security-tracker.debian.org/website/security-tracker/lib/python/bugs.py", line 740, in __iter__
    is_extend=self.is_extend))
  File "/srv/security-tracker.debian.org/website/security-tracker/lib/python/bugs.py", line 780, in finishBug
    bug.mergeNotes()
  File "/srv/security-tracker.debian.org/website/security-tracker/lib/python/bugs.py", line 286, in mergeNotes
    notes[key].merge(n)
AttributeError: PackageNoteNoDSA instance has no attribute 'merge'
Makefile:34: recipe for target 'all' failed
make: *** [all] Error 1

___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Update xen infos
Bastian Blank pushed to branch master at Debian Security Tracker / security-tracker Commits: cfc83a87 by Bastian Blank at 2019-09-25T07:43:44Z Update xen infos - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -47796,6 +47796,7 @@ CVE-2018-19965 (An issue was discovered in Xen through 4.11.x allowing 64-bit PV {DSA-4369-1} - xen 4.11.1-1 NOTE: https://xenbits.xen.org/xsa/advisory-279.txt + [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) CVE-2018-19964 (An issue was discovered in Xen 4.11.x allowing x86 guest OS users to c ...) - xen 4.11.1-1 [stretch] - xen (Only affects 4.11) @@ -91115,6 +91116,7 @@ CVE-2018-3665 (System software utilizing Lazy FP state restore technique on syst NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html NOTE: Default eagerfpu=on on all CPUs: https://git.kernel.org/linus/58122bf1d856a4ea9581d62a07c557d997d46a19 NOTE: Hard-disable lazy FPU mode: https://git.kernel.org/linus/ca6938a1cd8a1c5e861a99b67f84ac166fc2b9e7 + [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) CVE-2018-3664 RESERVED CVE-2018-3663 (Escalation of privilege in Intel Saffron MemoryBase before 11.4 allows ...) @@ -91164,6 +91166,7 @@ CVE-2018-3646 (Systems with microprocessors utilizing speculative execution and NOTE: Updates were already shipped with 20180703 release, but only disclosed later, see #906158 NOTE: The 3.20180703.1 release for intel-microcode was the first batch of updates which targeted NOTE: most server type CPUs, additional models were supported in the 3.20180807a.1 release + [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) CVE-2018-3645 (Escalation of privilege in all versions of the Intel Remote Keyboard a ...) NOT-FOR-US: Intel CVE-2018-3644 
@@ -91199,6 +91202,7 @@ CVE-2018-3639 (Systems with microprocessors utilizing speculative execution and NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=d19d1f965904a533998739698020ff4ee8a103da NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=cfeea0c021db6234c154dbc723730e81553924ff NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=403503b162ffc33fb64cfefdf7b880acf41772cd + [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) CVE-2018-3638 (Escalation of privilege in all versions of the Intel Remote Keyboard a ...) NOT-FOR-US: Intel CVE-2018-3637 @@ -91250,6 +91254,7 @@ CVE-2018-3620 (Systems with microprocessors utilizing speculative execution and NOTE: https://xenbits.xen.org/xsa/advisory-273.html NOTE: The 3.20180703.1 release for intel-microcode was the first batch of updates which targeted NOTE: most server type CPUs, additional models were supported in the 3.20180807a.1 release + [jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754) CVE-2018-3619 (Information disclosure vulnerability in storage media in systems with ...) NOT-FOR-US: Intel CVE-2018-3618 @@ -137141,6 +137146,9 @@ CVE-2017-5754 (Systems with microprocessors utilizing speculative execution and NOTE: http://blog.cyberus-technology.de/posts/2018-01-03-meltdown.html NOTE: Paper: https://meltdownattack.com/meltdown.pdf NOTE: https://01.org/security/advisories/intel-oss-10003 + - linux-grsec + [jessie] - xen (Too intrusive to backport) + NOTE: https://xenbits.xen.org/xsa/advisory-254.html CVE-2017-5753 (Systems with microprocessors utilizing speculative execution and branc ...) {DSA-4188-1 DSA-4187-1 DLA-1731-1 DLA-1423-1 DLA-1422-1} - linux 4.15.11-1 
@@ -137161,6 +137169,9 @@ CVE-2017-5753 (Systems with microprocessors utilizing speculative execution and NOTE: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html NOTE: Paper: https://spectreattack.com/spectre.pdf NOTE: https://01.org/security/advisories/intel-oss-10002 + - linux-grsec + [jessie] - xen (Too intrusive to backport) + NOTE: https://xenbits.xen.org/xsa/advisory-254.html CVE-2017-5752 RESERVED CVE-2017-5751 @@ -137288,7 +137299,8 @@ CVE-2017-5715 (Systems with microprocessors utilizing speculative execution and [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) - linux-grsec - xen 4.11.1~pre+1.733450b39b-1 - [jessie] - xen (Too intrusive to backport) + [jessie] - xen (Too intrusive to backport) + NOTE: https://xenbits.xen.org/xsa/advisory-254.html CVE-2017-5714 RESERVED CVE-2017-5713 View it on GitLab:
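Review bot: The hunks at @@ -137141 (CVE-2017-5754) and @@ -137161 (CVE-2017-5753) append '- linux-grsec', '[jessie] - xen (Too intrusive to backport)' and the XSA-254 NOTE to records that already contain those lines (see the unchanged context in the later a9a8358e hunks: '- linux-grsec - xen 4.11.1~pre+1.733450b39b-1 [stretch] - xen ... [jessie] - xen (Too intrusive to backport)'), so the change introduces duplicate package notes; that is the likely cause of the update-db failure reported for this commit (mergeNotes calls notes[key].merge(n) and PackageNoteNoDSA has no 'merge'), and it is what 1545a1b8 ('Remove doubled added information') and a9a8358e then undid. The remaining hunks add each '[jessie] - xen (Depends on fix for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)' line after the NOTE lines rather than directly under the '- xen' entry it qualifies; keep the per-source-package grouping used elsewhere in the file ('- xen ...' followed by its [release] lines, then the NOTEs), which is what 56135ce2 had to restore.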
[Git][security-tracker-team/security-tracker][master] Add reference for CVE-2019-5094/e2fsprogs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c7debab by Salvatore Bonaccorso at 2019-09-25T06:31:12Z Add reference for CVE-2019-5094/e2fsprogs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33458,6 +33458,7 @@ CVE-2019-5094 [A maliciously corrupted file systems can trigger buffer overruns RESERVED - e2fsprogs 1.45.4-1 NOTE: https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?h=maint=8dbe7b475ec5e91ed767239f0e85880f416fc384 + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0887 CVE-2019-5093 RESERVED CVE-2019-5092 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7c7debab9a9ad168e7a53d6231a6168231c761e6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7c7debab9a9ad168e7a53d6231a6168231c761e6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
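Review bot: The existing NOTE in the context line, 'https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/?h=maint=8dbe7b475ec5e91ed767239f0e85880f416fc384', is not a valid cgit query as shown, since the commit hash needs its own parameter ('?h=maint&id=' followed by the hash); if the line reads this way in data/CVE/list rather than being an artefact of the message rendering, fix it alongside the new TALOS-2019-0887 reference. The entry staying RESERVED with a bracketed local description is the expected form while the CVE text is not yet public.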
[Git][security-tracker-team/security-tracker][master] Reserve DSA-4532-1 for spip (CVE-2019-1639[1-4])
Sebastien Delafond pushed to branch master at Debian Security Tracker / security-tracker Commits: 4843f5fa by Sébastien Delafond at 2019-09-25T06:23:21Z Reserve DSA-4532-1 for spip (CVE-2019-1639[1-4]) - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[25 Sep 2019] DSA-4532-1 spip - security update + {CVE-2019-16391 CVE-2019-16392 CVE-2019-16393 CVE-2019-16394} + [stretch] - spip 3.1.4-4~deb9u3 + [buster] - spip 3.2.4-1+deb10u1 [25 Sep 2019] DSA-4531-1 linux - security update {CVE-2019-14821 CVE-2019-14835 CVE-2019-15117 CVE-2019-15118 CVE-2019-15902} [stretch] - linux 4.9.189-3+deb9u1 = data/dsa-needed.txt = @@ -72,9 +72,6 @@ slurm-llnl (jmm) -- smarty3/oldstable -- -spip (seb) - Maintainer prepared updates for review + ack --- squid3/oldstable -- sssd View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4843f5fac2d133e29f3c2727cfbc4e4dde2e186d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4843f5fac2d133e29f3c2727cfbc4e4dde2e186d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] References for exiv2 vulns
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: 43c8c054 by Henri Salo at 2019-09-25T06:09:30Z References for exiv2 vulns - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7319,8 +7319,12 @@ CVE-2019-14371 (An issue was discovered in Libav 12.3. There is an infinite loop - libav NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1163 CVE-2019-14370 (In Exiv2 0.27.99.0, there is an out-of-bounds read in Exiv2::MrwImage: ...) + - exiv2 + NOTE: https://github.com/Exiv2/exiv2/issues/954 TODO: check CVE-2019-14369 (Exiv2::PngImage::readMetadata() in pngimage.cpp in Exiv2 0.27.99.0 all ...) + - exiv2 + NOTE: https://github.com/Exiv2/exiv2/issues/953 TODO: check CVE-2019-14368 (Exiv2 0.27.99.0 has a heap-based buffer over-read in Exiv2::RafImage:: ...) TODO: check View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/43c8c0544697abf317812b9da94557abe0b6045b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/43c8c0544697abf317812b9da94557abe0b6045b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
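Review bot: The two touched entries (CVE-2019-14370, CVE-2019-14369) now carry both a package line ('- exiv2', whose version or state token is not visible in this rendering) and the 'TODO: check' placeholder; TODO: check marks untriaged entries, so either drop it now that the source package and upstream issues (Exiv2/exiv2 #954 and #953) are recorded, or state what remains to be checked (the affected versions in the archive and whether a fix exists upstream). The adjacent CVE-2019-14368, also against Exiv2 0.27.99.0, is left at TODO: check without a package line.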