[Git][security-tracker-team/security-tracker][master] Add upstream commit reference for 1.9.x branch for CVE-2018-1002100/kubernetes
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 59dbabd0 by Salvatore Bonaccorso at 2019-05-19T15:23:14Z Add upstream commit reference for 1.9.x branch for CVE-2018-1002100/kubernetes - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -57160,6 +57160,7 @@ CVE-2018-1000171 CVE-2018-1002100 (In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to versio ...) - kubernetes NOTE: https://github.com/kubernetes/kubernetes/issues/61297 + NOTE: https://github.com/kubernetes/kubernetes/commit/f180c969ccd47b9d00dbaf5cbd5b37eb8b49ae08 (1.9.x) CVE-2018-1000170 (A cross-site scripting vulnerability exists in Jenkins 2.115 and older ...) - jenkins CVE-2018-1000169 (An exposure of sensitive information vulnerability exists in Jenkins 2 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/59dbabd040978c746c81874ed50dd60a54397561 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/59dbabd040978c746c81874ed50dd60a54397561 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
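Review bot: the `- kubernetes` line under CVE-2018-1002100 still carries neither a fixed version nor a bug reference, so the newly added 1.9.x commit note has no Debian-side fix to anchor to; other unfixed entries in the file record the pending work as `- package (bug #NNNNNN)` once a bug is filed. Tagging the commit with `(1.9.x)` is useful, because the description covers 1.5.x through 1.8.x as well and a reader could otherwise assume the commit applies cleanly to those branches.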
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2018-1002101/kubernetes
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 314a5e2c by Salvatore Bonaccorso at 2019-05-19T15:31:36Z Update status for CVE-2018-1002101/kubernetes - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -52635,7 +52635,7 @@ CVE-2018-11709 (wpforo_get_request_uri in wpf-includes/functions.php in the wpFo CVE-2018-11708 RESERVED CVE-2018-1002101 (In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, ...) - - kubernetes + - kubernetes (Vulnerable code introduced later; Windows specific) NOTE: https://github.com/kubernetes/kubernetes/issues/65750 CVE-2016-1000343 (In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key ...) {DLA-1418-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/314a5e2c6e445bbbd48e71304595c0e31585cfbe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/314a5e2c6e445bbbd48e71304595c0e31585cfbe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
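Review bot: the parenthetical on the `- kubernetes` line gives two independent justifications, `Vulnerable code introduced later` and `Windows specific`; the first one alone decides the not-affected status, yet the entry does not say which Debian version was compared against the 1.9.0 lower bound in the description, so a later re-triage cannot verify it. Suggest recording the checked Debian version in a NOTE and keeping `Windows specific` as the secondary reason.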
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2018-1002100/kubernetes
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: abe5b5d0 by Salvatore Bonaccorso at 2019-05-19T15:33:07Z Add Debian bug reference for CVE-2018-1002100/kubernetes - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -57158,7 +57158,7 @@ CVE-2018-10097 (XSS exists in Domain Trader 2.5.3 via the recoverlogin.php email CVE-2018-1000171 REJECTED CVE-2018-1002100 (In Kubernetes versions 1.5.x, 1.6.x, 1.7.x, 1.8.x, and prior to versio ...) - - kubernetes + - kubernetes (bug #929225) NOTE: https://github.com/kubernetes/kubernetes/issues/61297 NOTE: https://github.com/kubernetes/kubernetes/commit/f180c969ccd47b9d00dbaf5cbd5b37eb8b49ae08 (1.9.x) CVE-2018-1000170 (A cross-site scripting vulnerability exists in Jenkins 2.115 and older ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/abe5b5d0a5647647f75470185379518652def479 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/abe5b5d0a5647647f75470185379518652def479 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
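Review bot: `- kubernetes (bug #929225)` records the bug but no severity, while comparable unfixed entries in this file use the `(low; bug #928104)` form seen on the dhcpcd5 entries; adding the severity here would let the no-dsa decision for stable be read directly from the line. Placing the bug reference on the package line rather than in a NOTE is correct.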
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2018-18443/openexr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ed0b370f by Salvatore Bonaccorso at 2019-05-19T15:54:42Z Update status for CVE-2018-18443/openexr The issue as in CVE-2018-18443 is actually not a heap-based buffer overflow but rather a minor memory leak. Mark the issue as unimportant mentioning in the note the reason for severity unimportant. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -34823,11 +34823,9 @@ CVE-2018-18444 (makeMultiView.cpp in exrmultiview in OpenEXR 2.3.0 has an out-of - openexr (unimportant) NOTE: Issue in exrmultiview which is not installed in the binary package. CVE-2018-18443 (OpenEXR 2.3.0 has a memory leak in ThreadPool in IlmBase/IlmThread/Ilm ...) - - openexr (low) - [buster] - openexr (Minor issue) - [stretch] - openexr (Minor issue) - [jessie] - openexr (Minor issue) + - openexr (unimportant) NOTE: https://github.com/openexr/openexr/issues/350 + NOTE: Memory leak with overall negligible security impact CVE-2018-18442 (D-Link DCS-825L devices with firmware 1.08 do not employ a suitable me ...) NOT-FOR-US: D-Link CVE-2018-18441 (D-Link DCS series Wi-Fi cameras expose sensitive information regarding ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ed0b370f94a8287f4a3d4aeec11743d9e23b3be4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ed0b370f94a8287f4a3d4aeec11743d9e23b3be4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
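Review bot: replacing `(low)` plus three per-suite `Minor issue` lines with a single `(unimportant)` is consistent, since an unimportant severity on the main line applies to every suite and the suite tags would be redundant. The added NOTE `Memory leak with overall negligible security impact` should say why the impact is negligible (for instance whether the ThreadPool leak is reachable from untrusted input at all), because the CVE text still calls it a memory leak in ThreadPool and a later triager will otherwise have to redo the analysis from issue #350.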
[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-11766/dhcpcd5 as no-dsa for stretch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2937055a by Salvatore Bonaccorso at 2019-05-19T19:59:08Z Mark CVE-2019-11766/dhcpcd5 as no-dsa for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -862,6 +862,7 @@ CVE-2019-11767 (Server side request forgery (SSRF) in phpBB before 3.2.6 allows NOTE: https://www.phpbb.com/community/viewtopic.php?f=14&t=2509941 CVE-2019-11766 (dhcp6.c in dhcpcd before 6.11.7 and 7.x before 7.2.2 has a buffer over ...) - dhcpcd5 7.1.0-2 (bug #928440) + [stretch] - dhcpcd5 (Minor issue) [jessie] - dhcpcd5 (Vulnerable code not present; D6_OPTION_PD_EXCLUDE support added later) NOTE: https://roy.marples.name/cgit/dhcpcd.git/commit/?&id=c1ebeaafeb324bac997984abdcee2d4e8b61a8a8 NOTE: https://roy.marples.name/cgit/dhcpcd.git/commit/?&id=896ef4a54b0578985e5e1360b141593f1d62837b View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2937055ab87a0131a0241563371d3e37a542a42d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2937055ab87a0131a0241563371d3e37a542a42d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
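Review bot: the new `[stretch] - dhcpcd5 (Minor issue)` tag is fine, but the unstable line `- dhcpcd5 7.1.0-2 (bug #928440)` still lacks a severity, whereas the sibling CVE-2019-11579 entry is written `- dhcpcd5 7.1.0-2 (low; bug #928104)`; add `low` here so the two dhcpcd5 buffer overflows are recorded the same way. The jessie line already explains non-affectedness via the missing D6_OPTION_PD_EXCLUDE support, so no further note is needed there.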
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-1007{6,7,8}/jspwiki
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d84ff549 by Salvatore Bonaccorso at 2019-05-19T20:04:28Z Add CVE-2019-1007{6,7,8}/jspwiki - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4976,10 +4976,13 @@ CVE-2019-10079 RESERVED CVE-2019-10078 RESERVED + - jspwiki CVE-2019-10077 RESERVED + - jspwiki CVE-2019-10076 RESERVED + - jspwiki CVE-2019-10075 RESERVED CVE-2019-10074 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d84ff549c74bcf9d72ebd6532cdc0077f9e58e6e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d84ff549c74bcf9d72ebd6532cdc0077f9e58e6e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
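Review bot: the three RESERVED entries CVE-2019-10076, -10077 and -10078 gain a `- jspwiki` package line but no NOTE pointing at the upstream advisory or report the assignment came from, and no bracketed title of the kind used for `CVE-2019-0201 [Information disclosure vulnerability]` elsewhere in the file; without either, nobody re-triaging these entries can tell what issue they refer to until the description is published. Suggest a NOTE with the source URL and a short title on each.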
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dc6cd07a by security tracker role at 2019-05-19T20:10:35Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,21 @@ +CVE-2019-12184 (There is XSS in browser/components/MarkdownPreview.js in BoostIO Boost ...) + TODO: check +CVE-2019-12183 + RESERVED +CVE-2019-12182 + RESERVED +CVE-2019-12181 + RESERVED +CVE-2019-12180 + RESERVED +CVE-2019-12179 + RESERVED +CVE-2019-12178 + RESERVED +CVE-2019-12177 + RESERVED +CVE-2019-12176 + RESERVED CVE-2019-12175 RESERVED CVE-2019-12174 @@ -1325,6 +1343,7 @@ CVE-2019-11577 (dhcpcd before 7.2.1 contains a buffer overflow in dhcp6_findna i [jessie] - dhcpcd5 (Vulnerable code not present) NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=8d11b33f6c60e2db257130fa383ba76b6018bcf6 CVE-2019-11579 (dhcp.c in dhcpcd before 7.2.1 contains a 1-byte read overflow with DHO ...) + {DLA-1793-1} - dhcpcd5 7.1.0-2 (low; bug #928104) [stretch] - dhcpcd5 (Minor issue) NOTE: https://roy.marples.name/git/dhcpcd.git/commit/?id=4b67f6f1038fd4ad5ca7734eaaeba1b2ec4816b8 @@ -20667,7 +20686,7 @@ CVE-2019-3840 (A NULL pointer dereference flaw was discovered in libvirt before NOTE: https://www.redhat.com/archives/libvir-list/2019-January/msg00241.html NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=7cfd1fbb1332ae5df678b9f41a62156cb2e88c73 CVE-2019-3839 (It was found that in ghostscript some privileged operators remained ac ...) - {DSA-4442-1} + {DSA-4442-1 DLA-1792-1} - ghostscript 9.27~dfsg-1 NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=4ec9ca74bed49f2a82acb4bf430eae0d8b3b75c9 NOTE: To prevent pdf2dsc regression additionally: 
@@ -22589,6 +22608,7 @@ CVE-2018-20363 (LibRaw::raw2image in libraw_cxx.cpp in LibRaw 0.19.1 has a NULL NOTE: Additionally needed: https://github.com/LibRaw/LibRaw/commit/a7c17cb6bbec1e79f058d84511f9c3b142cbdfa7 NOTE: CVE-2018-20363, CVE-2018-20364 and CVE-2018-20365 have same root cause CVE-2018-20362 (A NULL pointer dereference was discovered in ifilter_bank of libfaad/f ...) + {DLA-1791-1} - faad2 2.8.8-2 (low) [stretch] - faad2 (Minor issue) NOTE: https://github.com/knik0/faad2/issues/26 @@ -23199,12 +23219,14 @@ CVE-2018-20199 (A NULL pointer dereference was discovered in ifilter_bank of lib [stretch] - faad2 (Minor issue) NOTE: https://github.com/knik0/faad2/issues/24 CVE-2018-20198 (A NULL pointer dereference was discovered in ifilter_bank of libfaad/f ...) + {DLA-1791-1} - faad2 2.8.8-2 (low) [stretch] - faad2 (Minor issue) NOTE: https://github.com/knik0/faad2/issues/23 NOTE: same underlying issue as CVE-2018-20362, same fix: NOTE: https://github.com/knik0/faad2/commit/466b01d504d7e45 CVE-2018-20197 (There is a stack-based buffer underflow in the third instance of the c ...) + {DLA-1791-1} - faad2 2.8.8-2 NOTE: https://github.com/knik0/faad2/issues/20 NOTE: very similar to CVE-2018-20194, same fix: 
@@ -23218,6 +23240,7 @@ CVE-2018-20195 (A NULL pointer dereference was discovered in ic_predict of libfa [stretch] - faad2 (Minor issue) NOTE: https://github.com/knik0/faad2/issues/25 CVE-2018-20194 (There is a stack-based buffer underflow in the third instance of the c ...) + {DLA-1791-1} - faad2 2.8.8-2 NOTE: https://github.com/knik0/faad2/issues/21 NOTE: https://github.com/knik0/faad2/commit/6b4a7cde30f2e2c View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dc6cd07afb75335719c506dfa9bf2cc480713562 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dc6cd07afb75335719c506dfa9bf2cc480713562 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
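Review bot: the `{DLA-1791-1}` references added to CVE-2018-20362, -20198, -20197 and -20194 match the NOTE lines saying these faad2 issues share root causes and fixes, but CVE-2018-20197 and CVE-2018-20194 still carry `- faad2 2.8.8-2` with no severity while the neighbouring entries say `(low)`; if they are the same class of bug the severity should match. The newly imported CVE-2019-12184 entry is left at `TODO: check`, which is expected for an automatic update but needs manual triage before the next sync.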
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4dc64674 by Salvatore Bonaccorso at 2019-05-19T20:34:33Z Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2019-12184 (There is XSS in browser/components/MarkdownPreview.js in BoostIO Boost ...) - TODO: check + NOT-FOR-US: Boostnote CVE-2019-12183 RESERVED CVE-2019-12182 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4dc64674c8a66d0f36524220a529cfb527985996 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4dc64674c8a66d0f36524220a529cfb527985996 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reference upstream commit for CVE-2019-11833/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 48e8aec9 by Salvatore Bonaccorso at 2019-05-19T20:47:20Z Reference upstream commit for CVE-2019-11833/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -735,6 +735,7 @@ CVE-2019-11834 (cJSON before 1.7.11 allows out-of-bounds access, related to \x00 NOTE: https://github.com/DaveGamble/cJSON/issues/337 CVE-2019-11833 (fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zero out ...) - linux + NOTE: Fixed by: https://git.kernel.org/linus/592acbf16821288ecdc4192c47e3774a4c48bb64 CVE-2019-11832 (TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 allows remote code execut ...) NOT-FOR-US: Typo3 CVE-2019-11831 (The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/48e8aec9c724c1a7a39e2d2c8d921be74411dfe6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/48e8aec9c724c1a7a39e2d2c8d921be74411dfe6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
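Review bot: `- linux` under CVE-2019-11833 still has no fixed version even though the fix commit is now referenced; the file's convention, visible in the CVE-2019-11810 entry, is `- linux 4.19.37-1` with a `[stretch] - linux 4.9.168-1` line once the fix is uploaded, so the upload that backports 592acbf16821 should update both. A severity would also help once the impact of the non-zeroed extents data has been assessed.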
[Git][security-tracker-team/security-tracker][master] Track proposed update for mariadb-10.1 via stretch-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7a689170 by Salvatore Bonaccorso at 2019-05-20T07:33:07Z Track proposed update for mariadb-10.1 via stretch-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -75,3 +75,7 @@ CVE-2018-1320 [stretch] - libthrift-java 0.9.1-2.1~deb9u1 CVE-2019-11675 [stretch] - groonga 6.1.5-1+deb9u1 +CVE-2019-2627 + [stretch] - mariadb-10.1 10.1.40-0+deb9u1 +CVE-2019-2614 + [stretch] - mariadb-10.1 10.1.40-0+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7a689170774ed0d8578e0f6d84c3429e3f03c85e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7a689170774ed0d8578e0f6d84c3429e3f03c85e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c15e48ea by security tracker role at 2019-05-20T08:10:14Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,41 @@ +CVE-2019-12203 + RESERVED +CVE-2019-12202 + RESERVED +CVE-2019-12201 + RESERVED +CVE-2019-12200 + RESERVED +CVE-2019-12199 + RESERVED +CVE-2019-12198 (In GoHttp through 2017-07-25, there is a stack-based buffer over-read ...) + TODO: check +CVE-2019-12197 + RESERVED +CVE-2019-12196 + RESERVED +CVE-2019-12195 + RESERVED +CVE-2019-12194 + RESERVED +CVE-2019-12193 + RESERVED +CVE-2019-12192 + RESERVED +CVE-2019-12191 + RESERVED +CVE-2019-12190 + RESERVED +CVE-2019-12189 + RESERVED +CVE-2019-12188 + RESERVED +CVE-2019-12187 + RESERVED +CVE-2019-12186 + RESERVED +CVE-2019-12185 (eLabFTW 1.8.5 is vulnerable to arbitrary file uploads via the /app/con ...) + TODO: check CVE-2019-12184 (There is XSS in browser/components/MarkdownPreview.js in BoostIO Boost ...) NOT-FOR-US: Boostnote CVE-2019-12183 @@ -20887,6 +20925,7 @@ CVE-2019-3797 (This affects Spring Data JPA in versions up to and including 2.1. CVE-2019-3796 RESERVED CVE-2019-3795 (Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, ...) + {DLA-1794-1} - libspring-security-2.0-java NOTE: https://github.com/spring-projects/spring-security/commit/6f02f690ac65ccf99d8df47ac3d730a68f87c569 CVE-2019-3794 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c15e48ea1212b386e9be9e13621913eeb53847c1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c15e48ea1212b386e9be9e13621913eeb53847c1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
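Review bot: `{DLA-1794-1}` is now recorded for CVE-2019-3795, but the package line `- libspring-security-2.0-java` still has no fixed version or suite tag for unstable and stretch, so the entry reads as fixed only in jessie while open everywhere else; check whether an upload or a `[stretch]` tag is due. The two new `TODO: check` entries (GoHttp, eLabFTW) need manual triage, which the automatic import cannot do.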
[Git][security-tracker-team/security-tracker][master] Remove some no-dsa tagged entries which got an update in DLA-1796-1
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 09f9a290 by Salvatore Bonaccorso at 2019-05-20T12:03:31Z Remove some no-dsa tagged entries which got an update in DLA-1796-1 One got an update in the same DLA but was previously marked as not-affected. Assuming that triage was wrong and the inclusion of the fix is correct, drop the previous entry as well in the same run. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10204,7 +10204,6 @@ CVE-2019-8323 [Escape sequence injection vulnerability in API response handling] - ruby2.1 - rubygems - jruby (bug #925987) - [jessie] - jruby (Vulnerable code introduced later) NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/ NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html NOTE: https://github.com/rubygems/rubygems/commit/56c0bbb69e4506bda7ef7f447dfec5db820df20b @@ -64805,7 +64804,6 @@ CVE-2018-178 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 - ruby1.9.1 - rubygems - jruby 9.1.17.0-1 (bug #895778) - [jessie] - jruby (See DSA-4219-1) NOTE: https://github.com/rubygems/rubygems/commit/66a28b9275551384fdab45f3591a82d6b59952cb NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ CVE-2018-177 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: ...) @@ -64816,7 +64814,6 @@ CVE-2018-177 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 - ruby1.9.1 - rubygems - jruby 9.1.17.0-1 (bug #895778) - [jessie] - jruby (See DSA-4219-1) NOTE: https://github.com/rubygems/rubygems/commit/feadefc2d351dcb95d6492f5ad17ebca546eb964 NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ CVE-2018-176 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: ...) 
@@ -64827,7 +64824,6 @@ CVE-2018-176 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 - ruby1.9.1 - rubygems - jruby 9.1.17.0-1 (bug #895778) - [jessie] - jruby (See DSA-4219-1) NOTE: https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693 NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ CVE-2018-175 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: ...) @@ -64838,7 +64834,6 @@ CVE-2018-175 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 - ruby1.9.1 - rubygems - jruby 9.1.17.0-1 (bug #895778) - [jessie] - jruby (See DSA-4219-1) NOTE: https://github.com/rubygems/rubygems/commit/92e98bf8f810bd812f919120d4832df51bc25d83 NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ CVE-2018-174 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: ...) @@ -64851,7 +64846,6 @@ CVE-2018-174 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 - rubygems [wheezy] - rubygems (Minor issue) - jruby 9.1.17.0-1 (bug #895778) - [jessie] - jruby (See DSA-4219-1) NOTE: https://github.com/rubygems/rubygems/commit/254e3d0ee873c008c0b74e8b8abcbdab4caa0a6d NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/ CVE-2018-173 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/09f9a290dd3d8ad2e7894ef01f253643f579ff94 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/09f9a290dd3d8ad2e7894ef01f253643f579ff94 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
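Review bot: the hunks only delete the `[jessie] - jruby ...` lines; they do not add `{DLA-1796-1}` to the affected entries, so unless that reference arrives through a separate automatic update from the DLA data, jessie will show as neither not-affected nor fixed for these CVEs. More importantly, the commit message admits the CVE-2019-8323 deletion rests on an assumption (`Assuming that triage was wrong`); if the earlier `Vulnerable code introduced later` finding was correct, the DLA change for that CVE was a no-op and the line should stay. Record the outcome of that check in a NOTE rather than dropping the line silently.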
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c6d8cd22 by Salvatore Bonaccorso at 2019-05-20T12:26:10Z Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,7 +9,7 @@ CVE-2019-12200 CVE-2019-12199 RESERVED CVE-2019-12198 (In GoHttp through 2017-07-25, there is a stack-based buffer over-read ...) - TODO: check + NOT-FOR-US: GoHttp CVE-2019-12197 RESERVED CVE-2019-12196 @@ -35,7 +35,7 @@ CVE-2019-12187 CVE-2019-12186 RESERVED CVE-2019-12185 (eLabFTW 1.8.5 is vulnerable to arbitrary file uploads via the /app/con ...) - TODO: check + NOT-FOR-US: eLabFTW CVE-2019-12184 (There is XSS in browser/components/MarkdownPreview.js in BoostIO Boost ...) NOT-FOR-US: Boostnote CVE-2019-12183 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c6d8cd22b3b04d140f6c8280e6c37be50005a032 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c6d8cd22b3b04d140f6c8280e6c37be50005a032 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2018-20839/systemd as no-dsa for stretch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 842186ac by Salvatore Bonaccorso at 2019-05-20T12:52:12Z Mark CVE-2018-20839/systemd as no-dsa for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -108,6 +108,7 @@ CVE-2019-12150 RESERVED CVE-2018-20839 (systemd 242 changes the VT1 mode upon a logout, which allows attackers ...) - systemd 241-4 (bug #929116) + [stretch] - systemd (Minor issue) NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993 NOTE: https://github.com/systemd/systemd/commit/9725f1a10f80f5e0ae7d9b60547458622aeb322f NOTE: https://github.com/systemd/systemd/pull/12378 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/842186aca574cb0ccb2827757876c6480b3bb3f0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/842186aca574cb0ccb2827757876c6480b3bb3f0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
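Review bot: the `[stretch] - systemd (Minor issue)` tag presumes stretch's systemd contains the VT1 mode change; the description names systemd 242 and the fix landed in 241-4, so if the stretch version predates that code the correct tag is a `Vulnerable code not present` not-affected marker rather than no-dsa. A NOTE stating which stretch version was inspected would settle this.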
[Git][security-tracker-team/security-tracker][master] Fix for CVE-2018-19105/librecad proposed for stretch-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 47acd3fa by Salvatore Bonaccorso at 2019-05-20T16:24:05Z Fix for CVE-2018-19105/librecad proposed for stretch-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -79,3 +79,5 @@ CVE-2019-2627 [stretch] - mariadb-10.1 10.1.40-0+deb9u1 CVE-2019-2614 [stretch] - mariadb-10.1 10.1.40-0+deb9u1 +CVE-2018-19105 + [stretch] - librecad 2.1.2-1+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/47acd3fa87f468c8ce11b5c778b036b2c54581ae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/47acd3fa87f468c8ce11b5c778b036b2c54581ae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Fix typo in note related to mc-clear passthrough for qemu + libvirt
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f94de95 by Salvatore Bonaccorso at 2019-05-20T19:41:09Z Fix typo in note related to mc-clear passthrough for qemu + libvirt - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2554,7 +2554,7 @@ CVE-2019-11091 [MDSUM Microarchitectural Data Sampling Uncacheable Memory] NOTE: https://xenbits.xen.org/xsa/advisory-297.html NOTE: libvirt support for md-clear CPUID bit: NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=538d873571d7a682852dc1d70e5f4478f4d64e85 - NOTE: qemu and libvirt need updates to passthrough md-clear, see #929067 for qemu adnd #929154 for libvirt + NOTE: qemu and libvirt need updates to passthrough md-clear, see #929067 for qemu and #929154 for libvirt CVE-2019-11090 RESERVED CVE-2019-11089 @@ -51476,7 +51476,7 @@ CVE-2018-12130 [MFBDS Microarchitectural Fill Buffer Data Sampling] NOTE: https://xenbits.xen.org/xsa/advisory-297.html NOTE: libvirt support for md-clear CPUID bit: NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=538d873571d7a682852dc1d70e5f4478f4d64e85 - NOTE: qemu and libvirt need updates to passthrough md-clear, see #929067 for qemu adnd #929154 for libvirt + NOTE: qemu and libvirt need updates to passthrough md-clear, see #929067 for qemu and #929154 for libvirt CVE-2018-12129 RESERVED CVE-2018-12128 
@@ -51492,7 +51492,7 @@ CVE-2018-12127 [MLPDS Microarchitectural Load Port Data Sampling] NOTE: https://xenbits.xen.org/xsa/advisory-297.html NOTE: libvirt support for md-clear CPUID bit: NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=538d873571d7a682852dc1d70e5f4478f4d64e85 - NOTE: qemu and libvirt need updates to passthrough md-clear, see #929067 for qemu adnd #929154 for libvirt + NOTE: qemu and libvirt need updates to passthrough md-clear, see #929067 for qemu and #929154 for libvirt CVE-2018-12126 [MSBDS Microarchitectural Store Buffer Data Sampling] RESERVED {DSA-4447-1 DSA--1 DLA-1789-1 DLA-1787-1} @@ -51504,7 +51504,7 @@ CVE-2018-12126 [MSBDS Microarchitectural Store Buffer Data Sampling] NOTE: https://xenbits.xen.org/xsa/advisory-297.html NOTE: libvirt support for md-clear CPUID bit: NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=538d873571d7a682852dc1d70e5f4478f4d64e85 - NOTE: qemu and libvirt need updates to passthrough md-clear, see #929067 for qemu adnd #929154 for libvirt + NOTE: qemu and libvirt need updates to passthrough md-clear, see #929067 for qemu and #929154 for libvirt CVE-2018-12125 RESERVED CVE-2018-12124 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9f94de9528a67ee9024c57e310d6da1b345024a1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9f94de9528a67ee9024c57e310d6da1b345024a1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
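Review bot: the same NOTE is duplicated verbatim across the four MDS entries (CVE-2019-11091, CVE-2018-12130, -12127 and -12126), which is why a one-word typo had to be fixed in four places; a single NOTE on one entry with cross-references from the others would avoid drift. Separately, the unchanged context line for CVE-2018-12126 shows `{DSA-4447-1 DSA--1 DLA-1789-1 DLA-1787-1}`, where `DSA--1` is a malformed advisory id missing its number and should be corrected or removed.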
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-0201/zookeeper
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: de86434c by Salvatore Bonaccorso at 2019-05-20T20:00:31Z Add CVE-2019-0201/zookeeper - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32501,8 +32501,10 @@ CVE-2019-0203 RESERVED CVE-2019-0202 RESERVED -CVE-2019-0201 +CVE-2019-0201 [Information disclosure vulnerability] RESERVED + - zookeeper + NOTE: https://issues.apache.org/jira/browse/ZOOKEEPER-1392 CVE-2019-0200 (A Denial of Service vulnerability was found in Apache Qpid Broker-J ve ...) - qpid-java (bug #840131) CVE-2019-0199 (The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/de86434cbfbee264315ffd7d52ac71cc418da58f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/de86434cbfbee264315ffd7d52ac71cc418da58f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
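Review bot: CVE-2019-0201 stays `RESERVED` while gaining a bracketed title, a `- zookeeper` line and the ZOOKEEPER-1392 link, which is the right way to track an issue whose description is not yet public; the package line has no severity or bug reference yet, so once the upstream fix is available a Debian bug and the fixed version should be added, as on the other tracked entries.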
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 690a5d4e by security tracker role at 2019-05-20T20:10:21Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,73 @@ +CVE-2019-12238 + RESERVED +CVE-2019-12237 + RESERVED +CVE-2019-12236 + RESERVED +CVE-2019-12235 + RESERVED +CVE-2019-12234 + RESERVED +CVE-2019-12233 + RESERVED +CVE-2019-12232 + RESERVED +CVE-2019-12231 + RESERVED +CVE-2019-12230 + RESERVED +CVE-2019-12229 + RESERVED +CVE-2019-12228 + RESERVED +CVE-2019-12227 + RESERVED +CVE-2019-12226 + RESERVED +CVE-2019-12225 + RESERVED +CVE-2019-12224 + RESERVED +CVE-2019-12223 + RESERVED +CVE-2019-1 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) + TODO: check +CVE-2019-12221 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) + TODO: check +CVE-2019-12220 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) + TODO: check +CVE-2019-12219 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) + TODO: check +CVE-2019-12218 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) + TODO: check +CVE-2019-12217 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) + TODO: check +CVE-2019-12216 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) + TODO: check +CVE-2019-12215 (** DISPUTED ** A full path disclosure vulnerability was discovered in ...) + TODO: check +CVE-2019-12214 (In FreeImage 3.18.0, an out-of-bounds access occurs because of mishand ...) + TODO: check +CVE-2019-12213 (When FreeImage 3.18.0 reads a special TIFF file, the TIFFReadDirectory ...) + TODO: check +CVE-2019-12212 (When FreeImage 3.18.0 reads a special JXR file, the StreamCalcIFDSize ...) + TODO: check +CVE-2019-12211 (When FreeImage 3.18.0 reads a tiff file, it will be handed to the Load ...) + TODO: check +CVE-2019-12210 + RESERVED +CVE-2019-12209 + RESERVED +CVE-2019-12208 (njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in ...) + TODO: check +CVE-2019-12207 (njs through 0.3.1, used in NGINX, has a heap-based buffer over-read in ...) 
+ TODO: check +CVE-2019-12206 (njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in ...) + TODO: check +CVE-2019-12205 + RESERVED +CVE-2019-12204 + RESERVED CVE-2019-12203 RESERVED CVE-2019-12202 @@ -779,7 +849,7 @@ CVE-2019-11833 (fs/ext4/extents.c in the Linux kernel through 5.1.2 does not zer CVE-2019-11832 (TYPO3 8.x before 8.7.25 and 9.x before 9.5.6 allows remote code execut ...) NOT-FOR-US: Typo3 CVE-2019-11831 (The PharStreamWrapper (aka phar-stream-wrapper) package 2.x before 2.1 ...) - {DSA-4445-1} + {DSA-4445-1 DLA-1797-1} - drupal7 (bug #928688) NOTE: https://www.drupal.org/SA-CORE-2019-007 CVE-2019-11830 (PharMetaDataInterceptor in the PharStreamWrapper (aka phar-stream-wrap ...) @@ -828,8 +898,8 @@ CVE-2019-11810 (An issue was discovered in the Linux kernel before 5.0.7. A NULL - linux 4.19.37-1 [stretch] - linux 4.9.168-1 NOTE: Fixed by: https://git.kernel.org/linus/bcf3b67d16a4c8ffae0aa79de5853435e683945c -CVE-2019-11809 - RESERVED +CVE-2019-11809 (An issue was discovered in Joomla! before 3.9.6. The debug views of co ...) + TODO: check CVE-2018-20836 (An issue was discovered in the Linux kernel before 4.20. There is a ra ...) - linux NOTE: Fixed by: https://git.kernel.org/linus/b90cd6f2b905905fb42671009dc0e27c310a16ae 
@@ -1548,10 +1618,12 @@ CVE-2019-11508 (In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 CVE-2019-11507 (In Pulse Secure Pulse Connect Secure (PCS) 8.3.x before 8.3R7.1 and 9. ...) NOT-FOR-US: Pulse Secure Pulse Connect Secure CVE-2019-11506 (In GraphicsMagick from version 1.3.30 to 1.4 snapshot-20190403 Q8, the ...) + {DLA-1795-1} - graphicsmagick 1.4~hg15968-1 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/57ac0ae85e2a NOTE: https://sourceforge.net/p/graphicsmagick/bugs/604/ CVE-2019-11505 (In GraphicsMagick from version 1.3.8 to 1.4 snapshot-20190403 Q8, ther ...) + {DLA-1795-1} - graphicsmagick 1.4~hg15968-1 NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/85f5bdcd246a NOTE: https://sourceforge.net/p/graphicsmagick/bugs/605/ @@ -1640,11 +1712,13 @@ CVE-2019-11476 CVE-2019-11475 RESERVED CVE-2019-11474 (coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause a deni ...) + {DLA-1795-1} - graphicsmagick 1.4~hg15976-1
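Review bot: truncated identifier in the @@ -1,3 +1,73 @@ hunk: the added entry "CVE-2019-1 (An issue was discovered in libSDL2.a ...)" sits between CVE-2019-12223 and CVE-2019-12221 and carries the same libSDL2.a description as its neighbours, so the id as written is incomplete. The full identifier should be confirmed against the CVE feed before the entry is acted on, since an id outside the normal numbering can neither be cross-referenced with upstream nor matched by anything consuming data/CVE/list.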
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-0201/zookeeper
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 15899e23 by Salvatore Bonaccorso at 2019-05-20T20:11:00Z Add Debian bug reference for CVE-2019-0201/zookeeper - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32577,7 +32577,7 @@ CVE-2019-0202 RESERVED CVE-2019-0201 [Information disclosure vulnerability] RESERVED - - zookeeper + - zookeeper (bug #929283) NOTE: https://issues.apache.org/jira/browse/ZOOKEEPER-1392 CVE-2019-0200 (A Denial of Service vulnerability was found in Apache Qpid Broker-J ve ...) - qpid-java (bug #840131) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/15899e23aaaf65c551947dab1dffa1fd6ab1d8df You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Add CVE-2019-12215/matomo
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0918b884 by Salvatore Bonaccorso at 2019-05-20T20:15:01Z Add CVE-2019-12215/matomo - - - - - 83f7157e by Salvatore Bonaccorso at 2019-05-20T20:16:20Z Update two references for piwik to matomo Apparently the upstream project was renamed (again) as Matomo. Make all ITP bug references to #448532 conform to one planned source package name. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -45,7 +45,7 @@ CVE-2019-12217 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer CVE-2019-12216 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) TODO: check CVE-2019-12215 (** DISPUTED ** A full path disclosure vulnerability was discovered in ...) - TODO: check + - matomo (bug #448532) CVE-2019-12214 (In FreeImage 3.18.0, an out-of-bounds access occurs because of mishand ...) TODO: check CVE-2019-12213 (When FreeImage 3.18.0 reads a special TIFF file, the TIFFReadDirectory ...) 
@@ -170715,9 +170715,9 @@ CVE-2015-7818 (The administration-panel web service in IBM System Networking Swi CVE-2015-7817 (Race condition in the administration-panel web service in IBM System N ...) NOT-FOR-US: IBM CVE-2015-7816 (The DisplayTopKeywords function in plugins/Referrers/Controller.php in ...) - - piwik (bug #448532) + - matomo (bug #448532) CVE-2015-7815 (Directory traversal vulnerability in core/ViewDataTable/Factory.php in ...) - - piwik (bug #448532) + - matomo (bug #448532) CVE-2015-7814 (Race condition in the relinquish_memory function in arch/arm/domain.c ...) {DSA-3414-1} - xen 4.6.0-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/15899e23aaaf65c551947dab1dffa1fd6ab1d8df...83f7157e5c34cdd63683854c0792cc716d5dd2e6
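Review bot: in the @@ -45,7 +45,7 @@ hunk CVE-2019-12215 is still flagged "** DISPUTED **" in its description, yet the replacement line "- matomo (bug #448532)" tracks it as affecting matomo without any NOTE recording why the dispute is being set aside. A NOTE line pointing at the upstream discussion (or a not-affected or low-severity marking if the dispute holds) would keep the decision reviewable when the entry is revisited, rather than leaving a disputed full-path-disclosure report open against the package with no stated rationale.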
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-1221{1,2,3,4}/freeimage
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5947e5ab by Salvatore Bonaccorso at 2019-05-20T20:25:06Z Add CVE-2019-1221{1,2,3,4}/freeimage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -47,13 +47,17 @@ CVE-2019-12216 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer CVE-2019-12215 (** DISPUTED ** A full path disclosure vulnerability was discovered in ...) - matomo (bug #448532) CVE-2019-12214 (In FreeImage 3.18.0, an out-of-bounds access occurs because of mishand ...) - TODO: check + - freeimage + NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/ CVE-2019-12213 (When FreeImage 3.18.0 reads a special TIFF file, the TIFFReadDirectory ...) - TODO: check + - freeimage + NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/ CVE-2019-12212 (When FreeImage 3.18.0 reads a special JXR file, the StreamCalcIFDSize ...) - TODO: check + - freeimage + NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/ CVE-2019-12211 (When FreeImage 3.18.0 reads a tiff file, it will be handed to the Load ...) - TODO: check + - freeimage + NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/ CVE-2019-12210 RESERVED CVE-2019-12209 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5947e5ab6ada93aa134f413ef88ed33ad2061cbc
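Review bot: the four FreeImage entries in this hunk (CVE-2019-12211 through CVE-2019-12214) move from "TODO: check" to a bare "- freeimage" line whose only NOTE is a sourceforge discussion thread; no fixed version, Debian bug reference or upstream fix commit is recorded, so they will sit as open unfixed issues with nothing pointing at a patch. Filing a Debian bug and adding "(bug #...)" to each line, as done for zookeeper and ironic-inspector elsewhere in this series, and appending a NOTE with the fix reference once the thread yields one, would make the entries actionable for the package maintainer.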
[Git][security-tracker-team/security-tracker][master] Process three NFUs for njs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fba4db74 by Salvatore Bonaccorso at 2019-05-20T20:27:21Z Process three NFUs for njs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -63,11 +63,11 @@ CVE-2019-12210 CVE-2019-12209 RESERVED CVE-2019-12208 (njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in ...) - TODO: check + NOT-FOR-US: njs CVE-2019-12207 (njs through 0.3.1, used in NGINX, has a heap-based buffer over-read in ...) - TODO: check + NOT-FOR-US: njs CVE-2019-12206 (njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in ...) - TODO: check + NOT-FOR-US: njs CVE-2019-12205 RESERVED CVE-2019-12204 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fba4db745a4649d166bf9122c7c5eca6c5add86b
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 132a1a68 by Salvatore Bonaccorso at 2019-05-20T20:34:10Z Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -903,7 +903,7 @@ CVE-2019-11810 (An issue was discovered in the Linux kernel before 5.0.7. A NULL [stretch] - linux 4.9.168-1 NOTE: Fixed by: https://git.kernel.org/linus/bcf3b67d16a4c8ffae0aa79de5853435e683945c CVE-2019-11809 (An issue was discovered in Joomla! before 3.9.6. The debug views of co ...) - TODO: check + NOT-FOR-US: Joomla! CVE-2018-20836 (An issue was discovered in the Linux kernel before 4.20. There is a ra ...) - linux NOTE: Fixed by: https://git.kernel.org/linus/b90cd6f2b905905fb42671009dc0e27c310a16ae @@ -10193,7 +10193,7 @@ CVE-2019-8354 (An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_d CVE-2019-8353 RESERVED CVE-2019-8352 (By default, BMC PATROL Agent through 11.3.01 uses a static encryption ...) - TODO: check + NOT-FOR-US: BMC PATROL Agent CVE-2019-8351 (Heimdal Thor Agent 2.5.17x before 2.5.173 does not verify X.509 certif ...) NOT-FOR-US: Heimdal Thor Agent CVE-2019-8350 (The Simple - Better Banking application 2.45.0 through 2.45.3 (fixed i ...) @@ -19756,7 +19756,7 @@ CVE-2019-4295 CVE-2019-4294 RESERVED CVE-2019-4293 (IBM Storwize V7000 Unified (2073) 1.6 configuration may allow an attac ...) - TODO: check + NOT-FOR-US: IBM CVE-2019-4292 RESERVED CVE-2019-4291 @@ -20226,7 +20226,7 @@ CVE-2019-4060 CVE-2019-4059 (IBM Rational ClearCase 1.0.0.0 GIT connector does not sufficiently pro ...) NOT-FOR-US: IBM CVE-2019-4058 (IBM BigFix Platform 9.2 and 9.5 could allow a low-privilege user to ma ...) - TODO: check + NOT-FOR-US: IBM CVE-2019-4057 RESERVED CVE-2019-4056 
@@ -20320,7 +20320,7 @@ CVE-2019-4013 (IBM BigFix Platform 9.5 could allow any authenticated user to upl CVE-2019-4012 (IBM BigFix WebUI Profile Management 6 and Software Distribution 23 is ...) NOT-FOR-US: IBM CVE-2019-4011 (IBM BigFix Platform 9.2 and 9.5 is vulnerable to cross-site scripting. ...) - TODO: check + NOT-FOR-US: IBM CVE-2019-4010 RESERVED CVE-2019-4009 @@ -29980,7 +29980,7 @@ CVE-2019-1010 CVE-2019-1009 RESERVED CVE-2019-1008 (A security feature bypass vulnerability exists in Dynamics On Premise, ...) - TODO: check + NOT-FOR-US: Microsoft Dynamics On-Premise CVE-2019-1007 RESERVED CVE-2019-1006 @@ -51204,7 +51204,7 @@ CVE-2018-12272 (xowl/request.php in Ximdex 4.0 has XSS via the content parameter CVE-2018-12271 (** DISPUTED ** An issue was discovered in the com.getdropbox.Dropbox a ...) NOT-FOR-US: com.getdropbox.Dropbox app for IOS CVE-2018-12270 (In Valve Steam 1528829181 BETA, it is possible to perform a homograph ...) - TODO: check + NOT-FOR-US: Valve Steam CVE-2018-12269 RESERVED CVE-2018-12268 (acccheck.pl in acccheck 0.2.1 allows Command Injection via shell metac ...) 
@@ -80351,7 +80351,7 @@ CVE-2018-2007 (IBM API Connect 2018.1 and 2018.4.1.2 uses weaker than expected c CVE-2018-2006 (IBM Robotic Process Automation with Automation Anywhere 11 could allow ...) NOT-FOR-US: IBM CVE-2018-2005 (IBM BigFix Platform 9.2 and 9.5 stores potentially sensitive informati ...) - TODO: check + NOT-FOR-US: IBM CVE-2018-2004 (IBM Jazz Reporting Service (JRS) 6.0 through 6.0.6 is vulnerable to cr ...) NOT-FOR-US: IBM CVE-2018-2003 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/132a1a688deaaa55a74479f0e77f772fe4d79ea8
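Review bot: in the @@ -51204,7 +51204,7 @@ hunk CVE-2018-12270 ("In Valve Steam 1528829181 BETA, it is possible to perform a homograph ...") is marked "NOT-FOR-US: Valve Steam" on the strength of the product name alone, but unlike the IBM, BMC and Microsoft entries in the same commit this one names a product for which Debian carries packaging, so a NOT-FOR-US here removes an issue from tracking that may still touch the archive. Leave it at "TODO: check" until it is established which component the homograph issue lives in and whether any Debian source package ships it.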
[Git][security-tracker-team/security-tracker][master] Revert CVE-2018-12270 back to check
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0134df9d by Salvatore Bonaccorso at 2019-05-20T21:00:17Z Revert CVE-2018-12270 back to check Marking it as NFU as per "Valve Steam" was definitively premature; there is for instance src:steam in the archive which might be impacted by the issue. The CVE description and references are unfortunately not enlightening regarding whether src:steam might be affected. Cf. https://github.com/VixusFoxy/CVE/wiki/CVE-2018-12270 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -51272,7 +51272,7 @@ CVE-2018-12272 (xowl/request.php in Ximdex 4.0 has XSS via the content parameter CVE-2018-12271 (** DISPUTED ** An issue was discovered in the com.getdropbox.Dropbox a ...) NOT-FOR-US: com.getdropbox.Dropbox app for IOS CVE-2018-12270 (In Valve Steam 1528829181 BETA, it is possible to perform a homograph ...) - NOT-FOR-US: Valve Steam + TODO: check CVE-2018-12269 RESERVED CVE-2018-12268 (acccheck.pl in acccheck 0.2.1 allows Command Injection via shell metac ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0134df9d68d2c5618361d488590fe2737327fd6d
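Review bot: the reasoning for this revert (src:steam exists in the archive; the reference https://github.com/VixusFoxy/CVE/wiki/CVE-2018-12270 does not settle whether it is affected) lives only in the commit message, while the hunk merely flips the line back to "TODO: check". Adding that URL as a NOTE line on the CVE-2018-12270 entry, and a short NOTE naming src:steam as the package to evaluate, keeps the context next to the data so the next triager does not repeat the same premature NOT-FOR-US.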
[Git][security-tracker-team/security-tracker][master] Add initial tracking of some new SDL issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 92b2bf8d by Salvatore Bonaccorso at 2019-05-20T21:18:08Z Add initial tracking of some new SDL issues Please make sure first that the tracking is correct; the bug reports are at the stage of just being dropped in upstream's bugzilla and not yet acknowledged by upstream. The source package name tracking might not be 100% correct at this stage and might need to be adjusted when details become clear. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list =
@@ -31,19 +31,40 @@ CVE-2019-12224 CVE-2019-12223 RESERVED CVE-2019-1 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) - TODO: check + - libsdl2 + - libsdl1.2 + NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4621 + TODO: check details and correct vulnerability location CVE-2019-12221 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) - TODO: check + - libsdl2 + - libsdl1.2 + NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4628 + TODO: check details and correct vulnerability location CVE-2019-12220 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) - TODO: check + - libsdl2 + - libsdl1.2 + NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4627 + TODO: check details and correct vulnerability location CVE-2019-12219 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) - TODO: check + - libsdl2 + - libsdl1.2 + NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4625 + TODO: check details and correct vulnerability location CVE-2019-12218 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) - TODO: check + - libsdl2-image + - sdl-image1.2 + NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4620 + TODO: check details and correct vulnerability location CVE-2019-12217 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) - TODO: check + - libsdl2 + - libsdl1.2 + NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4626 + TODO: check details and correct vulnerability location CVE-2019-12216 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) - TODO: check + - libsdl2-image + - sdl-image1.2 + NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4619 + TODO: check details and correct vulnerability location CVE-2019-12215 (** DISPUTED ** A full path disclosure vulnerability was discovered in ...) 
- matomo (bug #448532) CVE-2019-12214 (In FreeImage 3.18.0, an out-of-bounds access occurs because of mishand ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/92b2bf8d6e2d194cc3e39a45c9c27d38378c5d03
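Review bot: the first entry in the @@ -31,19 +31,40 @@ hunk still carries the truncated identifier "CVE-2019-1" on its context line (between CVE-2019-12223 and CVE-2019-12221), so the new libsdl2 and libsdl1.2 lines and the bugzilla reference 4621 are being attached to an id that cannot be matched against the CVE feed; confirm the full identifier before relying on this entry. Separately, every one of the seven entries lists libsdl1.2 (or sdl-image1.2) next to the SDL2 package although each description names libSDL2.a; the added "TODO: check details and correct vulnerability location" already covers this, so consider listing the 1.2 packages only once the bugzilla reports confirm the older branch is affected, otherwise the tracker reports two open issues per CVE where there may be one.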
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e21fd778 by security tracker role at 2019-05-21T08:10:20Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,19 @@ +CVE-2019-12246 + RESERVED +CVE-2019-12245 + RESERVED +CVE-2019-12244 + RESERVED +CVE-2019-12243 + RESERVED +CVE-2019-12242 + RESERVED +CVE-2019-12241 (The Carts Guru plugin 1.4.5 for WordPress allows Insecure Deserializat ...) + TODO: check +CVE-2019-12240 (The Virim plugin 0.4 for WordPress allows Insecure Deserialization via ...) + TODO: check +CVE-2019-12239 (The WP Booking System plugin 1.5.1 for WordPress has no CSRF protectio ...) + TODO: check CVE-2019-12238 RESERVED CVE-2019-12237 @@ -905,8 +921,8 @@ CVE-2019-11818 (Alkacon OpenCMS v10.5.4 and before is affected by stored cross s NOT-FOR-US: Alkacon OpenCMS CVE-2019-11817 RESERVED -CVE-2019-11816 - RESERVED +CVE-2019-11816 (Incorrect access control in the WebUI in OPNsense before version 19.1. ...) + TODO: check CVE-2019-11814 (An issue was discovered in app/webroot/js/misp.js in MISP before 2.4.1 ...) NOT-FOR-US: MISP CVE-2019-11813 (An issue was discovered in app/View/Elements/Events/View/value_field.c ...) @@ -5134,14 +5150,11 @@ CVE-2019-10080 RESERVED CVE-2019-10079 RESERVED -CVE-2019-10078 - RESERVED +CVE-2019-10078 (A carefully crafted plugin link invocation could trigger an XSS vulner ...) - jspwiki -CVE-2019-10077 - RESERVED +CVE-2019-10077 (A carefully crafted InterWiki link could trigger an XSS vulnerability ...) - jspwiki -CVE-2019-10076 - RESERVED +CVE-2019-10076 (A carefully crafted malicious attachment could trigger an XSS vulnerab ...) - jspwiki CVE-2019-10075 RESERVED 
@@ -28402,7 +28415,7 @@ CVE-2018-19827 (In LibSass 3.5.5, a use-after-free vulnerability exists in the S - libsass [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2782 -CVE-2018-19826 (In inspect.cpp in LibSass 3.5.5, a high memory footprint caused by an ...) +CVE-2018-19826 (** DISPUTED ** In inspect.cpp in LibSass 3.5.5, a high memory footprin ...) - libsass [stretch] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/2781 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e21fd778dd372eb52b3753ccaef71844aa45ab62
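Review bot: in the @@ -5134,14 +5150,11 @@ hunk the three jspwiki entries (CVE-2019-10076, CVE-2019-10077, CVE-2019-10078) gain their XSS descriptions but keep a bare "- jspwiki" line with no fixed version, Debian bug reference or NOTE pointing at the upstream advisory, so they now read as open, unfixed XSS issues against the package with nothing for the maintainer to act on. A bug reference and the upstream advisory URL should be added on the next manual pass; the same applies to CVE-2019-11816 (OPNsense), which moves from RESERVED to "TODO: check" in the @@ -905,8 hunk and needs a triage decision.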
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-10132/libvirt
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e5cce126 by Salvatore Bonaccorso at 2019-05-21T19:45:15Z Add CVE-2019-10132/libvirt - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4996,8 +4996,10 @@ CVE-2019-10134 RESERVED CVE-2019-10133 RESERVED -CVE-2019-10132 +CVE-2019-10132 [Insecure permissions for systemd socket for virtlockd/virtlogd] RESERVED + - libvirt + NOTE: https://security.libvirt.org/2019/0003.html CVE-2019-10131 (An off-by-one read vulnerability was discovered in ImageMagick before ...) [experimental] - imagemagick 8:6.9.10.2+dfsg-1 - imagemagick 8:6.9.10.2+dfsg-2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e5cce1263c6605ee3cb2d5b7a84b7f87d8a47f41
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-10141/ironic-inspector
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ac0a7f7 by Salvatore Bonaccorso at 2019-05-21T19:46:55Z Add Debian bug reference for CVE-2019-10141/ironic-inspector - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4977,7 +4977,7 @@ CVE-2019-10142 RESERVED CVE-2019-10141 RESERVED - - ironic-inspector + - ironic-inspector (bug #929332) NOTE: https://review.opendev.org/#/c/660234/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1711722 CVE-2019-10140 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1ac0a7f7fc9f159855343b9b9022e0dd236f3f57
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-10132/libvirt
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3183fd22 by Salvatore Bonaccorso at 2019-05-21T20:02:36Z Add Debian bug reference for CVE-2019-10132/libvirt - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4998,7 +4998,7 @@ CVE-2019-10133 RESERVED CVE-2019-10132 [Insecure permissions for systemd socket for virtlockd/virtlogd] RESERVED - - libvirt + - libvirt (bug #929334) NOTE: https://security.libvirt.org/2019/0003.html CVE-2019-10131 (An off-by-one read vulnerability was discovered in ImageMagick before ...) [experimental] - imagemagick 8:6.9.10.2+dfsg-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3183fd223af7456756815712e323d210c4d74bfd
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 05e7b420 by security tracker role at 2019-05-21T20:10:26Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,41 @@ +CVE-2019-12265 + RESERVED +CVE-2019-12264 + RESERVED +CVE-2019-12263 + RESERVED +CVE-2019-12262 + RESERVED +CVE-2019-12261 + RESERVED +CVE-2019-12260 + RESERVED +CVE-2019-12259 + RESERVED +CVE-2019-12258 + RESERVED +CVE-2019-12257 + RESERVED +CVE-2019-12256 + RESERVED +CVE-2019-12255 + RESERVED +CVE-2019-12254 + RESERVED +CVE-2019-12253 (my little forum before 2.4.20 allows CSRF to delete posts, as demonstr ...) + TODO: check +CVE-2019-12252 (In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the low ...) + TODO: check +CVE-2019-12251 (sadmin/ceditpost.php in UCMS 1.4.7 allows SQL Injection via the index. ...) + TODO: check +CVE-2019-12250 (IdentityServer IdentityServer4 through 2.4 has stored XSS via the http ...) + TODO: check +CVE-2019-12249 + RESERVED +CVE-2019-12248 + RESERVED +CVE-2019-12247 + RESERVED CVE-2019-12246 RESERVED CVE-2019-12245 @@ -135,10 +173,10 @@ CVE-2019-12192 RESERVED CVE-2019-12191 RESERVED -CVE-2019-12190 - RESERVED -CVE-2019-12189 - RESERVED +CVE-2019-12190 (XSS was discovered in CentOS-WebPanel.com (aka CWP) CentOS Web Panel t ...) + TODO: check +CVE-2019-12189 (An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. The ...) + TODO: check CVE-2019-12188 RESERVED CVE-2019-12187 @@ -364,6 +402,7 @@ CVE-2019-12088 CVE-2019-12087 (** DISPUTED ** Samsung S9+, S10, and XCover 4 P(9.0) devices can becom ...) NOT-FOR-US: Samsung devices CVE-2019-12086 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) + {DLA-1798-1} - jackson-databind 2.9.8-2 (bug #929177) NOTE: https://github.com/FasterXML/jackson-databind/issues/2326 CVE-2019-12085 
@@ -4550,11 +4589,9 @@ CVE-2019-10322 RESERVED CVE-2019-10321 RESERVED -CVE-2019-10320 - RESERVED +CVE-2019-10320 (Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permi ...) NOT-FOR-US: Jenkins plugin -CVE-2019-10319 - RESERVED +CVE-2019-10319 (A missing permission check in Jenkins PAM Authentication Plugin 1.5 an ...) NOT-FOR-US: Jenkins plugin CVE-2019-10318 (Jenkins Azure AD Plugin 0.3.3 and earlier stored the client secret une ...) NOT-FOR-US: Jenkins Azure AD Plugin View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/05e7b420d30cfee69eaf2040ac8054108df76f2b
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8f7209e4 by Salvatore Bonaccorso at 2019-05-21T20:28:11Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23,11 +23,11 @@ CVE-2019-12255 CVE-2019-12254 RESERVED CVE-2019-12253 (my little forum before 2.4.20 allows CSRF to delete posts, as demonstr ...) - TODO: check + NOT-FOR-US: my little forum CVE-2019-12252 (In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the low ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine ServiceDesk Plus CVE-2019-12251 (sadmin/ceditpost.php in UCMS 1.4.7 allows SQL Injection via the index. ...) - TODO: check + NOT-FOR-US: UCMS CVE-2019-12250 (IdentityServer IdentityServer4 through 2.4 has stored XSS via the http ...) TODO: check CVE-2019-12249 @@ -174,9 +174,9 @@ CVE-2019-12192 CVE-2019-12191 RESERVED CVE-2019-12190 (XSS was discovered in CentOS-WebPanel.com (aka CWP) CentOS Web Panel t ...) - TODO: check + NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel CVE-2019-12189 (An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. The ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine ServiceDesk Plus CVE-2019-12188 RESERVED CVE-2019-12187 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8f7209e4fee1be864a91b9e098a8e6aa8cfbd50f
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2019-10132/libvirt
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9a10e048 by Salvatore Bonaccorso at 2019-05-21T20:29:22Z Update status for CVE-2019-10132/libvirt - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5036,6 +5036,8 @@ CVE-2019-10133 CVE-2019-10132 [Insecure permissions for systemd socket for virtlockd/virtlogd] RESERVED - libvirt (bug #929334) + [stretch] - libvirt (Vulnerable code introduced in 4.1.0-rc1) + [jessie] - libvirt (Vulnerable code introduced in 4.1.0-rc1) NOTE: https://security.libvirt.org/2019/0003.html CVE-2019-10131 (An off-by-one read vulnerability was discovered in ImageMagick before ...) [experimental] - imagemagick 8:6.9.10.2+dfsg-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9a10e048b1d565e087150d97126d613244bbd645
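Review bot: the two added release lines "[stretch] - libvirt (Vulnerable code introduced in 4.1.0-rc1)" and "[jessie] - libvirt (Vulnerable code introduced in 4.1.0-rc1)" carry only a free-text reason; as they appear here, with no status marker between the package name and the parenthesised comment, they read as "affected and unfixed in stretch and jessie", which is the opposite of what the comment says. Confirm that the not-affected marker is present on both lines in the committed file (it may simply have been lost in this mail rendering), since a missing marker would keep CVE-2019-10132 open against both stable releases even though the vulnerable virtlockd/virtlogd socket code only arrived in 4.1.0-rc1.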
[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2019-5421/ruby-devise
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c30eceea by Salvatore Bonaccorso at 2019-05-21T21:25:41Z Add fixed version via unstable for CVE-2019-5421/ruby-devise - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17604,7 +17604,7 @@ CVE-2019-5423 (Path traversal vulnerability in http-live-simulator npm package v CVE-2019-5422 (XSS in buttle npm package version 0.2.0 causes execution of attacker-p ...) NOT-FOR-US: buttle node module CVE-2019-5421 (Plataformatec Devise version 4.5.0 and earlier, using the lockable mod ...) - - ruby-devise (bug #926348) + - ruby-devise 4.5.0-3 (bug #926348) [stretch] - ruby-devise (Minor issue) NOTE: https://github.com/plataformatec/devise/issues/4981 NOTE: https://github.com/plataformatec/devise/pull/4996 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c30eceea10acfba8546d9d8c82414d8bd3dc0b5e
[Git][security-tracker-team/security-tracker][master] Add new firefox issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 79b3b518 by Salvatore Bonaccorso at 2019-05-21T21:58:01Z Add new firefox issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1205,35 +1205,57 @@ CVE-2019-11702 RESERVED CVE-2019-11701 RESERVED + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11701 CVE-2019-11700 RESERVED + - firefox (Windows-specific) + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11700 CVE-2019-11699 RESERVED + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11699 CVE-2019-11698 RESERVED + - firefox - firefox-esr + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11698 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-11698 CVE-2019-11697 RESERVED + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11697 CVE-2019-11696 RESERVED + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11696 CVE-2019-11695 RESERVED + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11695 CVE-2019-11694 RESERVED + - firefox (Windows-specific) - firefox-esr (Windows-specific) + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11694 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-11694 CVE-2019-11693 RESERVED + - firefox - firefox-esr + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11693 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-11693 CVE-2019-11692 RESERVED + - firefox - firefox-esr + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11692 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-11692 CVE-2019-11691 RESERVED + - firefox - firefox-esr + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11691 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-11691 CVE-2019-11690 (gen_rand_uuid in lib/uuid.c in Das U-Boot 
v2014.04 through v2019.04 la ...) - u-boot 2019.01+dfsg-6 (low; bug #928557) @@ -6528,32 +6550,48 @@ CVE-2019-9822 RESERVED CVE-2019-9821 RESERVED + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9821 CVE-2019-9820 RESERVED + - firefox - firefox-esr + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9820 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9820 CVE-2019-9819 RESERVED + - firefox - firefox-esr + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9819 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9819 CVE-2019-9818 RESERVED + - firefox (Windows-specific) - firefox-esr (Windows-specific) + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9818 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9818 CVE-2019-9817 RESERVED + - firefox - firefox-esr + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9817 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9817 CVE-2019-9816 RESERVED + - firefox - firefox-esr + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9816 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9816 CVE-2019-9815 RESERVED + - firefox (MacOS-specific) - firefox-esr (MacOS-specific) + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9815 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9815 CVE-2019-9814 RESERVED + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9814 CVE-2019-9813 (Incorrect handling of __proto__ mutations may lead to type confusion i ...) {DSA-4417-1 DLA-1727-1} - firefox 66.0.1-1 @@ -6603,7 +6641,9 @@ CVE-2019-9801 (Firefox will accept any registered Program ID as an external prot NOTE
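Review bot: the third hunk (@@ -6603,7 +6641,9 @@ CVE-2019-9801) is cut off after 'NOTE' in this notification, so the two lines it adds cannot be reviewed from the mail. The rest is consistent: every new '- firefox' line for an issue that already had a firefox-esr entry carries the same platform qualifier ('Windows-specific' for CVE-2019-11694 and CVE-2019-9818, 'MacOS-specific' for CVE-2019-9815), and each gets the matching mfsa2019-13 NOTE next to the existing mfsa2019-14 one.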
[Git][security-tracker-team/security-tracker][master] Fixes for mfsa2019-14/firefox-esr addressed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bcb5eacc by Salvatore Bonaccorso at 2019-05-22T07:31:11Z Fixes for mfsa2019-14/firefox-esr addressed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1218,7 +1218,7 @@ CVE-2019-11699 CVE-2019-11698 RESERVED - firefox - - firefox-esr + - firefox-esr 60.7.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11698 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-11698 CVE-2019-11697 @@ -1242,19 +1242,19 @@ CVE-2019-11694 CVE-2019-11693 RESERVED - firefox - - firefox-esr + - firefox-esr 60.7.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11693 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-11693 CVE-2019-11692 RESERVED - firefox - - firefox-esr + - firefox-esr 60.7.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11692 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-11692 CVE-2019-11691 RESERVED - firefox - - firefox-esr + - firefox-esr 60.7.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11691 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-11691 CVE-2019-11690 (gen_rand_uuid in lib/uuid.c in Das U-Boot v2014.04 through v2019.04 la ...) @@ -6555,13 +6555,13 @@ CVE-2019-9821 CVE-2019-9820 RESERVED - firefox - - firefox-esr + - firefox-esr 60.7.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9820 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9820 CVE-2019-9819 RESERVED - firefox - - firefox-esr + - firefox-esr 60.7.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9819 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9819 CVE-2019-9818 
@@ -6573,13 +6573,13 @@ CVE-2019-9818 CVE-2019-9817 RESERVED - firefox - - firefox-esr + - firefox-esr 60.7.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9817 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9817 CVE-2019-9816 RESERVED - firefox - - firefox-esr + - firefox-esr 60.7.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9816 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9816 CVE-2019-9815 @@ -6642,7 +6642,7 @@ CVE-2019-9801 (Firefox will accept any registered Program ID as an external prot CVE-2019-9800 RESERVED - firefox - - firefox-esr + - firefox-esr 60.7.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9800 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9800 CVE-2019-9799 (Insufficient bounds checking of data during inter-process communicatio ...) @@ -6653,7 +6653,7 @@ CVE-2019-9798 (On Android systems, Firefox can load a library from APITRACE_LIB, NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9798 CVE-2019-9797 (Cross-origin images can be read in violation of the same-origin policy ...) - firefox 66.0-1 - - firefox-esr + - firefox-esr 60.7.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9797 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9797 CVE-2019-9796 (A use-after-free vulnerability can occur when the SMIL animation contr ...) @@ -12949,7 +12949,7 @@ CVE-2019-7317 (png_image_free in png.c in libpng 1.6.36 has a use-after-free bec {DSA-4435-1} - libpng1.6 1.6.36-4 (bug #921355) - firefox - - firefox-esr + - firefox-esr 60.7.0esr-1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12803 NOTE: https://github.com/glennrp/libpng/issues/275 NOTE: https://github.com/glennrp/libpng/commit/9c0d5c77bf5bf2d7c1e11f388de40a70e0191550 
@@ -16670,7 +16670,7 @@ CVE-2019-5798 RESERVED {DSA-4421-1} - chromium 73.0.3683.75-1 - - firefox-esr + - firefox-esr 60.7.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-5798 CVE-2019-5797 RESERVED @@ -34965,8 +34965,10 @@ CVE-2018-18512 (A use-after-free vulnerability can occur while
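Review bot: the last hunk (@@ -34965,8 +34965,10 @@ CVE-2018-18512) ends right after its header in this notification, so the two lines it adds are not reviewable here. In the CVE-2019-7317 (libpng) hunk only the '- firefox-esr' line gains 60.7.0esr-1 while '- firefox' stays without a version; if the bundled libpng fix also landed in the non-ESR package, that line should be updated in the same pass.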
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-5436/curl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b1b79c8 by Salvatore Bonaccorso at 2019-05-22T07:36:40Z Add CVE-2019-5436/curl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17636,8 +17636,12 @@ CVE-2019-5438 (Path traversal using symlink in npm harp module versions <= 0. TODO: check CVE-2019-5437 (Information exposure through the directory listing in npm's harp modul ...) TODO: check -CVE-2019-5436 +CVE-2019-5436 [TFTP receive buffer overflow] RESERVED + - curl + NOTE: https://curl.haxx.se/docs/CVE-2019-5436.html + NOTE: Introduced by: https://github.com/curl/curl/commit/0516ce7786e95 + NOTE: Fixed by: https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275 CVE-2019-5435 RESERVED CVE-2019-5434 (An attacker could send a specifically crafted payload to the XML-RPC i ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5b1b79c829286fc4da81cef9c6f4307a69e0f3a3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5b1b79c829286fc4da81cef9c6f4307a69e0f3a3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
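Review bot: the 'Introduced by:' hash 0516ce7786e95 is abbreviated while the 'Fixed by:' hash is given in full; use the full 40-character commit id in NOTE lines so the reference stays unambiguous as the curl history grows.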
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-5435/curl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9aef66ae by Salvatore Bonaccorso at 2019-05-22T07:41:15Z Add CVE-2019-5435/curl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17642,8 +17642,12 @@ CVE-2019-5436 [TFTP receive buffer overflow] NOTE: https://curl.haxx.se/docs/CVE-2019-5436.html NOTE: Introduced by: https://github.com/curl/curl/commit/0516ce7786e95 NOTE: Fixed by: https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275 -CVE-2019-5435 +CVE-2019-5435 [Integer overflows in curl_url_set] RESERVED + - curl + NOTE: https://curl.haxx.se/docs/CVE-2019-5435.html + NOTE: Introduced by: https://github.com/curl/curl/commit/fb30ac5a2d63773c52 + NOTE: Fixed by: https://github.com/curl/curl/commit/5fc28510a4664f4 CVE-2019-5434 (An attacker could send a specifically crafted payload to the XML-RPC i ...) NOT-FOR-US: Revive Adserver CVE-2019-5433 (A user having access to the UI of a Revive Adserver instance could be ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9aef66aefaee891faa7321f86c8132c5b62eda62 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9aef66aefaee891faa7321f86c8132c5b62eda62 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
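Review bot: both commit references in the NOTE lines are abbreviated (fb30ac5a2d63773c52 and 5fc28510a4664f4); use full commit ids. The title names curl_url_set, an API that only exists in recent curl releases, so the stable-suite status for stretch and jessie is worth settling in the same change rather than in a follow-up.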
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-5436/curl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0eee76f0 by Salvatore Bonaccorso at 2019-05-22T07:44:36Z Add Debian bug reference for CVE-2019-5436/curl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17638,7 +17638,7 @@ CVE-2019-5437 (Information exposure through the directory listing in npm's harp TODO: check CVE-2019-5436 [TFTP receive buffer overflow] RESERVED - - curl + - curl (bug #929351) NOTE: https://curl.haxx.se/docs/CVE-2019-5436.html NOTE: Introduced by: https://github.com/curl/curl/commit/0516ce7786e95 NOTE: Fixed by: https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0eee76f0a2ff716d19cf7d0caf69dc5577ac84c0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0eee76f0a2ff716d19cf7d0caf69dc5577ac84c0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-5435/curl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3ac6e5b7 by Salvatore Bonaccorso at 2019-05-22T07:46:19Z Add Debian bug reference for CVE-2019-5435/curl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17644,7 +17644,7 @@ CVE-2019-5436 [TFTP receive buffer overflow] NOTE: Fixed by: https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275 CVE-2019-5435 [Integer overflows in curl_url_set] RESERVED - - curl + - curl (bug #929352) NOTE: https://curl.haxx.se/docs/CVE-2019-5435.html NOTE: Introduced by: https://github.com/curl/curl/commit/fb30ac5a2d63773c52 NOTE: Fixed by: https://github.com/curl/curl/commit/5fc28510a4664f4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3ac6e5b7c89c664d6d991ae4f8ff6a22c3b81e52 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3ac6e5b7c89c664d6d991ae4f8ff6a22c3b81e52 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-12155/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3f93f274 by Salvatore Bonaccorso at 2019-05-22T07:57:15Z Add CVE-2019-12155/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -243,8 +243,12 @@ CVE-2019-12157 RESERVED CVE-2019-12156 RESERVED -CVE-2019-12155 +CVE-2019-12155 [qxl: null pointer dereference while releasing spice resources] RESERVED + - qemu + - qemu-kvm + NOTE: https://www.openwall.com/lists/oss-security/2019/05/22/1 + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=d52680fc932efb8a2f334cc6993e705ed1e31e99 CVE-2019-12154 RESERVED CVE-2019-12153 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3f93f2747ea03a9022be2aec5f6ce1254a50b064 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3f93f2747ea03a9022be2aec5f6ce1254a50b064 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
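Review bot: the new '- qemu-kvm' line has no status next to it, unlike the qemu line it sits beside; either it is fixed together with qemu or it needs a suite qualifier, and leaving it bare defers the question to a later commit.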
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ad3b2b34 by security tracker role at 2019-05-22T08:10:24Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,21 @@ +CVE-2019-12274 + RESERVED +CVE-2019-12273 + RESERVED +CVE-2019-12272 + RESERVED +CVE-2019-12271 + RESERVED +CVE-2019-12270 (OpenText Brava! Enterprise and Brava! Server 7.5 through 16.4 configur ...) + TODO: check +CVE-2019-12269 (Enigmail before 2.0.11 allows PGP signature spoofing: for an inline PG ...) + TODO: check +CVE-2019-12268 + RESERVED +CVE-2019-12267 + RESERVED +CVE-2019-12266 + RESERVED CVE-2019-12265 RESERVED CVE-2019-12264 @@ -5264,8 +5282,7 @@ CVE-2019-10069 RESERVED CVE-2019-10068 (An issue was discovered in Kentico before 12.0.15. Due to a failure to ...) NOT-FOR-US: Kentico -CVE-2019-10067 [OSA-2019-05] - RESERVED +CVE-2019-10067 (An issue was discovered in Open Ticket Request System (OTRS) 7.x throu ...) - otrs2 6.0.18-1 [buster] - otrs2 6.0.16-2 [stretch] - otrs2 (Non-free not supported) @@ -5273,8 +5290,7 @@ CVE-2019-10067 [OSA-2019-05] NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/8a489236336ddc82e745c27abb32dfa1ceefb0f4 NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/67158d8b08309859572c795982ecc7c52484ab0e NOTE: https://community.otrs.com/security-advisory-2019-05-security-update-for-otrs-framework/ -CVE-2019-10066 [OSA-2019-06] - RESERVED +CVE-2019-10066 (An issue was discovered in Open Ticket Request System (OTRS) 7.x throu ...) - otrs2 6.0.18-1 [buster] - otrs2 6.0.16-2 [stretch] - otrs2 (Vulnerable code introduced later) 
@@ -5714,8 +5730,7 @@ CVE-2019-9894 (A remotely triggerable memory overwrite in RSA key exchange in Pu - putty 0.70-6 NOTE: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-rsa-kex-integer-overflow.html NOTE: https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=d82854999516046122501b2e145099740ed0284f -CVE-2019-9892 [OSA-2019-04] - RESERVED +CVE-2019-9892 (An issue was discovered in Open Ticket Request System (OTRS) 5.x throu ...) {DLA-1774-1} - otrs2 6.0.18-1 [buster] - otrs2 6.0.16-2 @@ -14845,8 +14860,8 @@ CVE-2019-6515 (An issue was discovered in WSO2 API Manager 2.6.0. Uploaded docum NOT-FOR-US: WSO2 CVE-2019-6514 (An issue was discovered in WSO2 Dashboard Server 2.0.0. It is possible ...) NOT-FOR-US: WSO2 -CVE-2019-6513 - RESERVED +CVE-2019-6513 (An issue was discovered in WSO2 API Manager 2.6.0. It is possible for ...) + TODO: check CVE-2019-6512 (An issue was discovered in WSO2 API Manager 2.6.0. It is possible to f ...) NOT-FOR-US: WSO2 CVE-2019-6511 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ad3b2b34989386f9a9461ae86e9b18f0b984b73a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ad3b2b34989386f9a9461ae86e9b18f0b984b73a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
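Review bot: replacing the bracketed working titles with the MITRE description drops the OTRS advisory identifiers OSA-2019-04, OSA-2019-05 and OSA-2019-06 from CVE-2019-9892, CVE-2019-10067 and CVE-2019-10066; the surviving NOTE lines link the fixing commits and the advisory page but no longer name the OSA id, so a NOTE preserving it would keep that cross-reference.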
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-12155/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 75eb9fa4 by Salvatore Bonaccorso at 2019-05-22T08:12:59Z Add Debian bug reference for CVE-2019-12155/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -263,7 +263,7 @@ CVE-2019-12156 RESERVED CVE-2019-12155 [qxl: null pointer dereference while releasing spice resources] RESERVED - - qemu + - qemu (bug #929353) - qemu-kvm NOTE: https://www.openwall.com/lists/oss-security/2019/05/22/1 NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=d52680fc932efb8a2f334cc6993e705ed1e31e99 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/75eb9fa4c98a1529e6189aa2815309a6034ca734 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/75eb9fa4c98a1529e6189aa2815309a6034ca734 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-12269/enigmail
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 999620c2 by Salvatore Bonaccorso at 2019-05-22T08:17:09Z Add CVE-2019-12269/enigmail - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,7 +9,8 @@ CVE-2019-12271 CVE-2019-12270 (OpenText Brava! Enterprise and Brava! Server 7.5 through 16.4 configur ...) TODO: check CVE-2019-12269 (Enigmail before 2.0.11 allows PGP signature spoofing: for an inline PG ...) - TODO: check + - enigmail + NOTE: https://sourceforge.net/p/enigmail/bugs/983/ CVE-2019-12268 RESERVED CVE-2019-12267 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/999620c2e5609eed4f2223abdc2d59eb252c18bb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/999620c2e5609eed4f2223abdc2d59eb252c18bb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-12269/enigmail
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a90ebbae by Salvatore Bonaccorso at 2019-05-22T12:32:05Z Add Debian bug reference for CVE-2019-12269/enigmail - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,7 +9,7 @@ CVE-2019-12271 CVE-2019-12270 (OpenText Brava! Enterprise and Brava! Server 7.5 through 16.4 configur ...) TODO: check CVE-2019-12269 (Enigmail before 2.0.11 allows PGP signature spoofing: for an inline PG ...) - - enigmail + - enigmail (bug #929363) NOTE: https://sourceforge.net/p/enigmail/bugs/983/ CVE-2019-12268 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a90ebbae72a68a2b63d6be93f001284885f50ff2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a90ebbae72a68a2b63d6be93f001284885f50ff2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-12247/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b3b2def6 by Salvatore Bonaccorso at 2019-05-22T12:37:06Z Add CVE-2019-12247/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -53,8 +53,11 @@ CVE-2019-12249 RESERVED CVE-2019-12248 RESERVED -CVE-2019-12247 +CVE-2019-12247 [qemu-guest-agent: integer overflow while running guest-exec command] RESERVED + - qemu + - qemu-kvm + NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-05/msg04596.html CVE-2019-12246 RESERVED CVE-2019-12245 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b3b2def6ba22b86f862c09b6b02fee1205dcb55a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b3b2def6ba22b86f862c09b6b02fee1205dcb55a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
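Review bot: the only reference is the qemu-devel posting of the patch; once it is applied upstream, add the git.qemu.org commit reference as was done for CVE-2019-12155, and resolve the bare '- qemu-kvm' line at the same time.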
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-12247/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e7035e9 by Salvatore Bonaccorso at 2019-05-22T12:48:00Z Add Debian bug reference for CVE-2019-12247/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -55,7 +55,7 @@ CVE-2019-12248 RESERVED CVE-2019-12247 [qemu-guest-agent: integer overflow while running guest-exec command] RESERVED - - qemu + - qemu (bug #929365) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-05/msg04596.html CVE-2019-12246 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9e7035e9af66d7e551714dccdc9f3871ba6ed6ec -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9e7035e9af66d7e551714dccdc9f3871ba6ed6ec You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2019-5435/curl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6105 by Salvatore Bonaccorso at 2019-05-22T13:09:49Z Update information for CVE-2019-5435/curl curl_url_set function introduced in later versions, in 7.62.0 only. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17698,6 +17698,8 @@ CVE-2019-5436 [TFTP receive buffer overflow] CVE-2019-5435 [Integer overflows in curl_url_set] RESERVED - curl (bug #929352) + [stretch] - curl (Vulnerable code introduced later) + [jessie] - curl (Vulnerable code introduced later) NOTE: https://curl.haxx.se/docs/CVE-2019-5435.html NOTE: Introduced by: https://github.com/curl/curl/commit/fb30ac5a2d63773c52 NOTE: Fixed by: https://github.com/curl/curl/commit/5fc28510a4664f4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6105f423ace84ac9ad9e220db875a1ba0d24 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6105f423ace84ac9ad9e220db875a1ba0d24 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
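Review bot: the [stretch]/[jessie] lines say only 'Vulnerable code introduced later' while the commit message records the precise fact, that curl_url_set exists from 7.62.0 onwards; putting the version into the qualifier, as the libvirt entry does ('Vulnerable code introduced in 4.1.0-rc1'), keeps that reasoning with the entry.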
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8e1632e0 by security tracker role at 2019-05-22T20:10:24Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,31 @@ +CVE-2019-12287 + RESERVED +CVE-2019-12286 + RESERVED +CVE-2019-12285 + RESERVED +CVE-2019-12284 + RESERVED +CVE-2019-12283 + RESERVED +CVE-2019-12282 + RESERVED +CVE-2019-12281 + RESERVED +CVE-2019-12280 + RESERVED +CVE-2019-12279 (Nagios XI 5.6.1 allows SQL injection via the username parameter to log ...) + TODO: check +CVE-2019-12278 + RESERVED +CVE-2019-12277 (Blogifier 2.3 before 2019-05-11 does not properly restrict APIs, as de ...) + TODO: check +CVE-2019-12276 + RESERVED +CVE-2019-12275 + RESERVED +CVE-2016-10750 (In Hazelcast before 3.11, the cluster join procedure is vulnerable to ...) + TODO: check CVE-2019-12274 RESERVED CVE-2019-12273 @@ -53,8 +81,7 @@ CVE-2019-12249 RESERVED CVE-2019-12248 RESERVED -CVE-2019-12247 [qemu-guest-agent: integer overflow while running guest-exec command] - RESERVED +CVE-2019-12247 (QEMU 3.0.0 has an Integer Overflow because the qga/commands*.c files d ...) - qemu (bug #929365) - qemu-kvm NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-05/msg04596.html @@ -241,8 +268,8 @@ CVE-2019-12169 RESERVED CVE-2019-12168 (Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code ...) NOT-FOR-US: Four-Faith Wireless Mobile Router F3x24 devices -CVE-2019-12167 - RESERVED +CVE-2019-12167 (httpGetSet/httpGet.htm on Emerson Network Power Liebert Challenger 5.1 ...) + TODO: check CVE-2019-12166 RESERVED CVE-2019-12165 @@ -391,8 +418,8 @@ CVE-2019-12104 RESERVED CVE-2019-12103 RESERVED -CVE-2019-12102 - RESERVED +CVE-2019-12102 (Kentico 11 through 12 lets attackers upload and explore files without ...) + TODO: check CVE-2019-12101 (coap_decode_option in coap.c in LibNyoci 0.07.00rc1 mishandles certain ...) NOT-FOR-US: LibNyoci CVE-2019-12100 
@@ -512,8 +539,8 @@ CVE-2019-12047 (Gridea v0.8.0 has an XSS vulnerability through which the Nodejs NOT-FOR-US: Gridea CVE-2019-12045 RESERVED -CVE-2019-12044 - RESERVED +CVE-2019-12044 (A Buffer Overflow exists in Citrix NetScaler Gateway 10.5.x before 10. ...) + TODO: check CVE-2019-12043 (In remarkable 1.7.1, lib/parser_inline.js mishandles URL filtering, wh ...) NOT-FOR-US: remarkable CVE-2019-12042 @@ -820,8 +847,7 @@ CVE-2019-11892 RESERVED CVE-2019-11891 RESERVED -CVE-2019-12046 [lemonldap-ng tokens allows anonymous session when stored in session DB] - RESERVED +CVE-2019-12046 (LemonLDAP::NG -2.0.3 has Incorrect Access Control. ...) {DSA-4446-1 DLA-1790-1} - lemonldap-ng 2.0.2+ds-7+deb10u1 (bug #928944) NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1742 @@ -850,8 +876,8 @@ CVE-2019-11882 RESERVED CVE-2019-11881 RESERVED -CVE-2019-11880 - RESERVED +CVE-2019-11880 (CommSy through 8.6.5 has SQL Injection via the cid parameter. This is ...) + TODO: check CVE-2019-11879 (** DISPUTED ** The WEBrick gem 1.4.2 for Ruby allows directory travers ...) TODO: check CVE-2019-11878 (An issue was discovered on XiongMai Besder IP20H1 V4.02.R12.00035520.1 ...) @@ -928,8 +954,8 @@ CVE-2019-11844 (An HTML Injection vulnerability has been discovered on the RICOH NOT-FOR-US: RICOH CVE-2019-11843 RESERVED -CVE-2019-11841 - RESERVED +CVE-2019-11841 (A message-forgery issue was discovered in crypto/openpgp/clearsign/cle ...) + TODO: check CVE-2019-11840 (An issue was discovered in supplementary Go cryptography libraries, ak ...) TODO: check CVE-2019-11839 (njs through 0.3.1, used in NGINX, has a heap-based buffer overflow in ...) @@ -1243,6 +1269,7 @@ CVE-2019-11699 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11699 CVE-2019-11698 RESERVED + {DSA-4448-1} - firefox - firefox-esr 60.7.0esr-1 - thunderbird 
@@ -1271,6 +1298,7 @@ CVE-2019-11694 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11694 CVE-2019-11693 RESERVED + {DSA-4448-1} - firefox - firefox-esr 60.7.0esr-1 - thunderbird @@ -1279,6 +1307,7 @@ CVE-2019-11693 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11693 CVE-2019-11692 RESERVED + {DSA-4448-1} - firefox - firefox-esr 60.7.0esr-1 - thunderbird @@ -1287,6 +1316,7 @@ CVE-2019-11692 NOTE: https://www.mozilla.org/en-US/security
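Review bot: CVE-2019-12046 sits between CVE-2019-11891 and CVE-2019-11882 (hunk @@ -820,8 +847,7 @@) rather than in numeric order between CVE-2019-12047 and CVE-2019-12045, where the earlier hunk shows the gap; the automatic update kept it in place, so move it to keep the list sorted. The last hunk (@@ -1287,6 +1316,7 @@ CVE-2019-11692) is truncated in this notification.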
[Git][security-tracker-team/security-tracker][master] Process several NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 43648f71 by Salvatore Bonaccorso at 2019-05-22T20:23:34Z Process several NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11593,7 +11593,7 @@ CVE-2019-7843 CVE-2019-7842 (Adobe Media Encoder version 13.0.2 has a use-after-free vulnerability. ...) TODO: check CVE-2019-7841 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7840 RESERVED CVE-2019-7839 
@@ -11603,163 +11603,163 @@ CVE-2019-7838 CVE-2019-7837 (Adobe Flash Player versions 32.0.0.171 and earlier, 32.0.0.171 and ear ...) NOT-FOR-US: Adobe CVE-2019-7836 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7835 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7834 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7833 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7832 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7831 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7830 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7829 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7828 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7827 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7826 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7825 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7824 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7823 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7822 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) 
- TODO: check + NOT-FOR-US: Adobe CVE-2019-7821 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7820 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7819 RESERVED CVE-2019-7818 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7817 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7816 RESERVED CVE-2019-7815 RESERVED CVE-2019-7814 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7813 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7812 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7811 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7810 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7809 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7808 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7807 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7806 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7805 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7804 (Adobe Acrobat and Reader
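Review bot: the hunk at @@ -11593 resolves CVE-2019-7841 to NOT-FOR-US: Adobe but its context lines leave the neighbouring CVE-2019-7842 (Adobe Media Encoder 13.0.2 use-after-free) at "TODO: check"; it is the same vendor and the same triage decision, so it should get a "NOT-FOR-US: Adobe" line in this pass rather than being left for a follow-up commit.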
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9d234294 by Salvatore Bonaccorso at 2019-05-22T20:36:44Z Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15,11 +15,11 @@ CVE-2019-12281 CVE-2019-12280 RESERVED CVE-2019-12279 (Nagios XI 5.6.1 allows SQL injection via the username parameter to log ...) - TODO: check + NOT-FOR-US: Nagios XI CVE-2019-12278 RESERVED CVE-2019-12277 (Blogifier 2.3 before 2019-05-11 does not properly restrict APIs, as de ...) - TODO: check + NOT-FOR-US: Blogifier CVE-2019-12276 RESERVED CVE-2019-12275 @@ -35,7 +35,7 @@ CVE-2019-12272 CVE-2019-12271 RESERVED CVE-2019-12270 (OpenText Brava! Enterprise and Brava! Server 7.5 through 16.4 configur ...) - TODO: check + NOT-FOR-US: OpenText Brava! CVE-2019-12269 (Enigmail before 2.0.11 allows PGP signature spoofing: for an inline PG ...) - enigmail (bug #929363) NOTE: https://sourceforge.net/p/enigmail/bugs/983/ @@ -269,7 +269,7 @@ CVE-2019-12169 CVE-2019-12168 (Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code ...) NOT-FOR-US: Four-Faith Wireless Mobile Router F3x24 devices CVE-2019-12167 (httpGetSet/httpGet.htm on Emerson Network Power Liebert Challenger 5.1 ...) - TODO: check + NOT-FOR-US: Emerson Network Power Liebert Challenger CVE-2019-12166 RESERVED CVE-2019-12165 @@ -419,7 +419,7 @@ CVE-2019-12104 CVE-2019-12103 RESERVED CVE-2019-12102 (Kentico 11 through 12 lets attackers upload and explore files without ...) - TODO: check + NOT-FOR-US: Kentico CVE-2019-12101 (coap_decode_option in coap.c in LibNyoci 0.07.00rc1 mishandles certain ...) NOT-FOR-US: LibNyoci CVE-2019-12100 
@@ -540,7 +540,7 @@ CVE-2019-12047 (Gridea v0.8.0 has an XSS vulnerability through which the Nodejs CVE-2019-12045 RESERVED CVE-2019-12044 (A Buffer Overflow exists in Citrix NetScaler Gateway 10.5.x before 10. ...) - TODO: check + NOT-FOR-US: Citrix NetScaler Gateway CVE-2019-12043 (In remarkable 1.7.1, lib/parser_inline.js mishandles URL filtering, wh ...) NOT-FOR-US: remarkable CVE-2019-12042 @@ -877,7 +877,7 @@ CVE-2019-11882 CVE-2019-11881 RESERVED CVE-2019-11880 (CommSy through 8.6.5 has SQL Injection via the cid parameter. This is ...) - TODO: check + NOT-FOR-US: CommSy CVE-2019-11879 (** DISPUTED ** The WEBrick gem 1.4.2 for Ruby allows directory travers ...) TODO: check CVE-2019-11878 (An issue was discovered on XiongMai Besder IP20H1 V4.02.R12.00035520.1 ...) @@ -1460,7 +1460,7 @@ CVE-2019-11636 (Zcash 2.x allows an inexpensive approach to "fill all transactio CVE-2019-11635 RESERVED CVE-2019-11634 (Citrix Workspace App before 1904 for Windows has Incorrect Access Cont ...) - TODO: check + NOT-FOR-US: Citrix Workspace App CVE-2019-11633 (HoneyPress through 2016-09-27 can be fingerprinted by attackers becaus ...) NOT-FOR-US: HoneyPress CVE-2019-11632 (In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019. ...) @@ -1734,7 +1734,7 @@ CVE-2019-11538 (In Pulse Secure Pulse Connect Secure version 9.0RX before 9.0R3. CVE-2019-11537 (In osTicket before 1.12, XSS exists via /upload/file.php, /upload/scp/ ...) NOT-FOR-US: osTicket CVE-2019-11536 (Kalki Kalkitech SYNC3000 Substation DCU GPC v2.22.6, 2.23.0, 2.24.0, 3 ...) - TODO: check + NOT-FOR-US: Kalki Kalkitech CVE-2019-11535 RESERVED CVE-2019-11534 @@ -2512,7 +2512,7 @@ CVE-2019-11233 CVE-2019-11232 RESERVED CVE-2019-11231 (An issue was discovered in GetSimple CMS through 3.3.15. insufficient ...) - TODO: check + NOT-FOR-US: GetSimple CMS CVE-2019-11230 RESERVED CVE-2019-11229 (models/repo_mirror.go in Gitea before 1.7.6 and 1.8.x before 1.8-RC3 m ...) 
@@ -10271,9 +10271,9 @@ CVE-2019-8445 CVE-2019-8444 RESERVED CVE-2019-8443 (The ViewUpgrades resource in Jira before version 7.13.4, from version ...) - TODO: check + NOT-FOR-US: Atlassian Jira CVE-2019-8442 (The CachingResourceDownloadRewriteRule class in Jira before version 7. ...) - TODO: check + NOT-FOR-US: Atlassian Jira CVE-2019-8441 RESERVED CVE-2019-8440 (An issue was discovered in DiliCMS 2.4.0. There is a Stored XSS Vulner ...) @@ -11587,11 +11587,11 @@ CVE-2019-7846 CVE-2019-7845 RESERVED CVE-2019-7844 (Adobe Media Encoder version 13.0.2 has an out-of-bounds read vulnerabi ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7843 RESERVED CVE-2019-7842 (Adobe Media Encoder version 13.0.2 has a use-after-free vulnerability. ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7841 (Adobe Acrobat and Reader ver
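Review bot: in the hunk at @@ -877, CVE-2019-11879 (the WEBrick gem for Ruby, marked ** DISPUTED **) is correctly not swept into the NOT-FOR-US batch, since WEBrick ships as part of Ruby, which Debian packages; it is still left at "TODO: check", though, so it needs an actual triage line (affected package and version, not-affected, or a note on why the dispute makes it unimportant) so it does not sit unresolved among the NFUs.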
[Git][security-tracker-team/security-tracker][master] Add CVE-2016-10750/hazelcast (itp'ed)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a959abe6 by Salvatore Bonaccorso at 2019-05-22T20:37:46Z Add CVE-2016-10750/hazelcast (itp'ed) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25,7 +25,7 @@ CVE-2019-12276 CVE-2019-12275 RESERVED CVE-2016-10750 (In Hazelcast before 3.11, the cluster join procedure is vulnerable to ...) - TODO: check + - hazelcast (bug #745640) CVE-2019-12274 RESERVED CVE-2019-12273 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a959abe681c77e516c44d39f09f5b1a74c1250cf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a959abe681c77e516c44d39f09f5b1a74c1250cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
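Review bot: the commit message says hazelcast is only ITP'ed, but the added line "- hazelcast (bug #745640)" carries no <itp> marker, so the tracker will read it as an existing source package with an open, unfixed issue; the tracker's convention for packages that are not yet in the archive is "- hazelcast <itp> (bug #745640)", which records the ITP bug without generating a bogus open issue.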
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-10142/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0128a457 by Salvatore Bonaccorso at 2019-05-22T21:09:25Z Add CVE-2019-10142/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5118,8 +5118,11 @@ CVE-2019-10144 RESERVED CVE-2019-10143 RESERVED -CVE-2019-10142 +CVE-2019-10142 [drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl] RESERVED + - linux (unimportant) + NOTE: Fixed by: https://git.kernel.org/linus/6a024330650e24556b8a18cc654ad00cfecf6c6c + NOTE: CONFIG_FSL_HV_MANAGER not enabled in kernel builds in Debian. CVE-2019-10141 RESERVED - ironic-inspector 8.0.0-3 (bug #929332) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0128a457281d32a84d0b50ed5c780b4ca29b4fbe
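Review bot: the "Fixed by:" NOTE in the hunk at @@ -5118 records the upstream commit but not the kernel release it landed in, which other linux entries in this file put in parentheses after the commit URL (compare "(5.1-rc1)" and "(4.8-rc5)" in the automatic update further down); adding that tag lets the next person evaluating a linux upload see at a glance whether the fix is already in. The CONFIG_FSL_HV_MANAGER justification is what makes the "unimportant" rating defensible and is good to have recorded explicitly.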
[Git][security-tracker-team/security-tracker][master] Update status for wpa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 01fb53c5 by Salvatore Bonaccorso at 2019-05-22T21:34:50Z Update status for wpa - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -61,7 +61,7 @@ thunderbird (jmm) wordpress -- wpa - Maintainer prepared an update, needs review and ack + Maintainer prepared an update -- xen -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/01fb53c5e12d34a3a9aca766aba09f5b861604ad
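Review bot: dropping "needs review and ack" from the wpa line in dsa-needed.txt leaves just "Maintainer prepared an update", which no longer says what the next action is; if the review and ack have happened, the line should say the update is ready for release (and who is handling it), and if they have not, the waiting state should stay recorded, because dsa-needed.txt is the queue the team works from and an entry with no pending action reads as stalled.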
[Git][security-tracker-team/security-tracker][master] Track fix for firefox via experimental
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bf00fd56 by Salvatore Bonaccorso at 2019-05-23T08:05:52Z Track fix for firefox via experimental The upload went to experimental actually given cbindgen is not available in unstable, so we won't see updates to unstable probably for firefox until buster release. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1277,6 +1277,7 @@ CVE-2019-11702 RESERVED CVE-2019-11701 RESERVED + [experimental] - firefox 67.0-1 - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11701 CVE-2019-11700 @@ -1285,11 +1286,13 @@ CVE-2019-11700 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11700 CVE-2019-11699 RESERVED + [experimental] - firefox 67.0-1 - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11699 CVE-2019-11698 RESERVED {DSA-4448-1} + [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 - thunderbird @@ -1298,14 +1301,17 @@ CVE-2019-11698 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11698 CVE-2019-11697 RESERVED + [experimental] - firefox 67.0-1 - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11697 CVE-2019-11696 RESERVED + [experimental] - firefox 67.0-1 - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11696 CVE-2019-11695 RESERVED + [experimental] - firefox 67.0-1 - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11695 CVE-2019-11694 @@ -1319,6 +1325,7 @@ CVE-2019-11694 CVE-2019-11693 RESERVED {DSA-4448-1} + [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 - thunderbird @@ -1328,6 +1335,7 @@ CVE-2019-11693 CVE-2019-11692 RESERVED {DSA-4448-1} + [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 - thunderbird 
@@ -1337,6 +1345,7 @@ CVE-2019-11692 CVE-2019-11691 RESERVED {DSA-4448-1} + [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 - thunderbird @@ -6648,11 +6657,13 @@ CVE-2019-9822 RESERVED CVE-2019-9821 RESERVED + [experimental] - firefox 67.0-1 - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9821 CVE-2019-9820 RESERVED {DSA-4448-1} + [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 - thunderbird @@ -6662,6 +6673,7 @@ CVE-2019-9820 CVE-2019-9819 RESERVED {DSA-4448-1} + [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 - thunderbird @@ -6679,6 +6691,7 @@ CVE-2019-9818 CVE-2019-9817 RESERVED {DSA-4448-1} + [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 - thunderbird @@ -6688,6 +6701,7 @@ CVE-2019-9817 CVE-2019-9816 RESERVED {DSA-4448-1} + [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 - thunderbird @@ -6704,6 +6718,7 @@ CVE-2019-9815 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9815 CVE-2019-9814 RESERVED + [experimental] - firefox 67.0-1 - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9814 CVE-2019-9813 (Incorrect handling of __proto__ mutations may lead to type confusion i ...) @@ -6756,6 +6771,7 @@ CVE-2019-9801 (Firefox will accept any registered Program ID as an external prot CVE-2019-9800 RESERVED {DSA-4448-1} + [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 - thunderbird 
@@ -13069,6 +13085,7 @@ CVE-2019-7318 CVE-2019-7317 (png_image_free in png.c in libpng 1.6.36 has a use-after-free because ...) {DSA-4448-1 DSA-4435-1} - libpng1.6 1.6.36-4 (bug #921355) + [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 - thunderbird View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bf00fd56eba86d61c705aa2814e9e276f010ff88
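Review bot: every hunk adds "[experimental] - firefox 67.0-1" above an unversioned "- firefox" line, so unstable correctly stays marked as vulnerable; the reason for that (cbindgen is not in unstable, so no sid upload is expected before the buster release) exists only in the commit message, and a single NOTE line on one of these entries would give later triagers that context without a trip through git history. For CVE-2019-7317 at @@ -13069, which is a libpng issue already tracked against libpng1.6 1.6.36-4, the experimental firefox line implies that firefox 67.0-1 ships a fixed copy of its bundled libpng; that is worth confirming rather than inferring from it being the first experimental upload.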
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0f6dc995 by security tracker role at 2019-05-23T08:10:15Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,17 @@ +CVE-2019-12294 + RESERVED +CVE-2019-12293 (In Poppler through 0.76.1, there is a heap-based buffer over-read in J ...) + TODO: check +CVE-2019-12292 + RESERVED +CVE-2019-12291 + RESERVED +CVE-2019-12290 + RESERVED +CVE-2019-12289 + RESERVED +CVE-2019-12288 + RESERVED CVE-2019-12287 RESERVED CVE-2019-12286 @@ -1594,6 +1608,7 @@ CVE-2019-11627 (gpg-key2ps in signing-party 1.1.x and 2.x before 2.10-1 contains [stretch] - signing-party (Will be fixed via point release) NOTE: https://salsa.debian.org/signing-party-team/signing-party/commit/cd69b6c0426a6160ef3de03fce9c7f112166d5a8 CVE-2019-11599 (The coredump implementation in the Linux kernel before 5.0.10 does not ...) + {DLA-1799-1} - linux 4.19.37-1 NOTE: https://marc.info/?l=linux-mm&m=155355419911404&w=2 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1790 @@ -1891,6 +1906,7 @@ CVE-2019-11487 (The Linux kernel before 5.1-rc5 allows page->_refcount refere NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1752 NOTE: https://lwn.net/Articles/786044/ CVE-2019-11486 (The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in t ...) + {DLA-1799-1} - linux 4.19.37-1 NOTE: https://git.kernel.org/linus/c7084edc3f6d67750f50d4183134c4fb5712a5c8 NOTE: Upstream commits marks driver as BROKEN and can be considered fixed starting 
@@ -2299,6 +2315,7 @@ CVE-2019-11339 (The studio profile decoder in libavcodec/mpeg4videodec.c in FFmp NOTE: https://github.com/FFmpeg/FFmpeg/commit/1f686d023b95219db933394a7704ad9aa5f01cbb NOTE: https://github.com/FFmpeg/FFmpeg/commit/d227ed5d598340e719eff7156b1aa0a4469e9a6a CVE-2019-11338 (libavcodec/hevcdec.c in FFmpeg 4.1.2 mishandles detection of duplicate ...) + {DSA-4449-1} - ffmpeg 7:4.1.3-1 - libav NOTE: https://github.com/FFmpeg/FFmpeg/commit/54655623a82632e7624714d7b2a3e039dc5faa7e @@ -2640,6 +2657,7 @@ CVE-2019-11191 (The Linux kernel through 5.0.7, when CONFIG_IA32_AOUT is enabled - linux (unimportant) NOTE: https://www.openwall.com/lists/oss-security/2019/04/03/4 CVE-2019-11190 (The Linux kernel before 4.8 allows local users to bypass ASLR on setui ...) + {DLA-1799-1} - linux 4.8.5-1 NOTE: https://git.kernel.org/linus/9f834ec18defc369d73ccf9e87a2790bfa05bf46 (4.8-rc5) NOTE: https://www.openwall.com/lists/oss-security/2019/04/03/4 @@ -2839,7 +2857,7 @@ CVE-2019-11092 RESERVED CVE-2019-11091 [MDSUM Microarchitectural Data Sampling Uncacheable Memory] RESERVED - {DSA-4447-1 DSA--1 DLA-1789-1 DLA-1787-1} + {DSA-4447-1 DSA--1 DLA-1799-1 DLA-1789-1 DLA-1787-1} - intel-microcode 3.20190514.1 - linux 4.19.37-2 - xen (bug #929129) @@ -7053,6 +7071,7 @@ CVE-2019-9720 CVE-2019-9719 RESERVED CVE-2019-9718 (In FFmpeg 4.1, a denial of service in the subtitle decoder allows atta ...) + {DSA-4449-1} - ffmpeg 7:4.1.3-1 (low; bug #92) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/1f00c97bc3475c477f3c468cf2d924d5761d0982 - libav @@ -7641,6 +7660,7 @@ CVE-2019-9504 RESERVED CVE-2019-9503 [brcmfmac: add subtype check for event handling in data path] RESERVED + {DLA-1799-1} - linux NOTE: https://git.kernel.org/linus/a4176ec356c73a46c07c181c6d04039fafa34a9f (5.1-rc1) CVE-2019-9502 
@@ -14265,38 +14285,38 @@ CVE-2019-6823 RESERVED CVE-2019-6822 RESERVED -CVE-2019-6821 - RESERVED -CVE-2019-6820 - RESERVED -CVE-2019-6819 - RESERVED +CVE-2019-6821 (CWE-330: Use of Insufficiently Random Values vulnerability, which coul ...) + TODO: check +CVE-2019-6820 (A CWE-306: Missing Authentication for Critical Function vulnerability ...) + TODO: check +CVE-2019-6819 (A CWE-754: Improper Check for Unusual or Exceptional Conditions vulner ...) + TODO: check CVE-2019-6818 RESERVED CVE-2019-6817 RESERVED -CVE-2019-6816 - RESERVED -CVE-2019-6815 - RESERVED -CVE-2019-6814 - RESERVED +CVE-2019-6816 (In Modicon Quantum all firmware versions, a CWE-94: Code Injection vul ...) + TODO: check +CVE-2019-6815 (In Modicon Quantum all firmware versions, CWE-264: Permissions, Privil ...) + TODO: check +CVE-2019-6814 (An Improper Access Control: CWE-284 vulnerability exists in the NET55X ...) + TODO: check CVE-2019-6813 RESERVED -CVE-2019-6812 - RESERVED +CVE-2
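Review bot: the hunk at @@ -2839 for CVE-2019-11091 keeps the malformed advisory reference "DSA--1" inside the braces ({DSA-4447-1 DSA--1 DLA-1799-1 DLA-1789-1 DLA-1787-1}); it predates this change, but an advisory id with no number cannot be cross-referenced and will trip up anything that parses the brace list, so it should be replaced with the real DSA number or removed by hand, since an automatic update will not correct it. The ffmpeg line at @@ -7053, "(low; bug #92)", likewise does not look like a complete Debian bug number and should be checked against the BTS.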
[Git][security-tracker-team/security-tracker][master] Process several NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 24f14056 by Salvatore Bonaccorso at 2019-05-23T08:20:35Z Process several NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14286,25 +14286,25 @@ CVE-2019-6823 CVE-2019-6822 RESERVED CVE-2019-6821 (CWE-330: Use of Insufficiently Random Values vulnerability, which coul ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2019-6820 (A CWE-306: Missing Authentication for Critical Function vulnerability ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2019-6819 (A CWE-754: Improper Check for Unusual or Exceptional Conditions vulner ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2019-6818 RESERVED CVE-2019-6817 RESERVED CVE-2019-6816 (In Modicon Quantum all firmware versions, a CWE-94: Code Injection vul ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2019-6815 (In Modicon Quantum all firmware versions, CWE-264: Permissions, Privil ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2019-6814 (An Improper Access Control: CWE-284 vulnerability exists in the NET55X ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2019-6813 RESERVED CVE-2019-6812 (A CWE-798 use of hardcoded credentials vulnerability exists in BMX-NOR ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2019-6811 RESERVED CVE-2019-6810 
@@ -14312,11 +14312,11 @@ CVE-2019-6810 CVE-2019-6809 RESERVED CVE-2019-6808 (A CWE-284: Improper Access Control vulnerability exists in all version ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2019-6807 (A CWE-248: Uncaught Exception vulnerability exists in all versions of ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2019-6806 (A CWE-200: Information Exposure vulnerability exists in all versions o ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2019-6805 (SQL Injection was found in S-CMS version V3.0 via the alipay/alipayapi ...) NOT-FOR-US: S-CMS CVE-2019-6804 (An XSS issue was discovered on the Job Edit page in Rundeck Community ...) @@ -44967,7 +44967,7 @@ CVE-2018-14731 (An issue was discovered in HMRServer.js in Parcel parcel-bundler CVE-2018-14730 (An issue was discovered in Browserify-HMR. Attackers are able to steal ...) NOT-FOR-US: Browserify-HMR CVE-2018-14729 (The database backup feature in upload/source/admincp/admincp_db.php in ...) - TODO: check + NOT-FOR-US: Discuz! CVE-2018-14728 (upload.php in Responsive FileManager 9.13.1 allows SSRF via the url pa ...) NOT-FOR-US: Responsive FileManager CVE-2018-14727 
@@ -63372,41 +63372,41 @@ CVE-2018-7858 (Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx V [wheezy] - qemu-kvm (Vulnerable code not present) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2018-03/msg02174.html CVE-2018-7857 (A CWE-248: Uncaught Exception vulnerability exists in all versions of ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2018-7856 (A CWE-248: Uncaught Exception vulnerability exists in all versions of ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2018-7855 (A CWE-248 Uncaught Exception vulnerability exists in all versions of t ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2018-7854 (A CWE-248 Uncaught Exception vulnerability exists in all versions of t ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2018-7853 (A CWE-248: Uncaught Exception vulnerability exists in all versions of ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2018-7852 (A CWE-248: Uncaught Exception vulnerability exists in all versions of ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2018-7851 (CWE-119: Buffer errors vulnerability exists in Modicon M580 with firmw ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2018-7850 (A CWE-807: Reliance on Untrusted Inputs in a Security Decision vulnera ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2018-7849 (A CWE-248: Uncaught Exception vulnerability exists in all versions of ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2018-7848 (A CWE-200: Information Exposure vulnerability exists in all versions o ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2018-7847 (A CWE-284: Improper Access Control vulnerability exists in all version ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2018-7846 (A CWE-501: Trust Boundary Violation vulnerability on connection to the ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2018-7845 (A CWE-125: Out-of-bounds
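Review bot: the hunks at @@ -14286, @@ -14312 and @@ -63372 use the bare vendor name "NOT-FOR-US: Schneider Electric" for every entry, while neighbouring NFU lines name the product (e.g. "NOT-FOR-US: Citrix NetScaler Gateway"); the descriptions already name Modicon Quantum, Modicon M580, BMX-NOR and NET55X, so carrying the product into the line (e.g. "NOT-FOR-US: Schneider Electric Modicon") keeps grep-based triage of the list useful when the next batch of Schneider advisories arrives.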
[Git][security-tracker-team/security-tracker][master] Add CVE-2017-5984/libav
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 72572f25 by Salvatore Bonaccorso at 2019-05-23T08:23:02Z Add CVE-2017-5984/libav - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -121214,7 +121214,10 @@ CVE-2017-5985 (lxc-user-nic in Linux Containers (LXC) allows local users with a NOTE: stable-2.0: https://github.com/lxc/lxc/commit/d512bd5efb0e407eba350c4e649c464a65b712a3 NOTE: stable-1.0: https://github.com/lxc/lxc/commit/c905f00ad78b78a5e9c0d67504b86e00dfe085ec CVE-2017-5984 (In libavcodec in Libav 9.21, ff_h264_execute_ref_pic_marking() has a h ...) - TODO: check + - libav + NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1019 + NOTE: https://patches.libav.org/patch/62534/ + TODO: check if affects src:ffmpeg CVE-2017-5983 (The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3. ...) NOT-FOR-US: JIRA Workflow Designer Plugin CVE-2017-5982 (Directory traversal vulnerability in the Chorus2 2.4.2 add-on for Kodi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/72572f2581b270c8acfe7102148d022d8738f63a
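Review bot: the new NOTE at @@ -121214 points at https://patches.libav.org/patch/62534/, a submitted patch rather than a merged commit, so the entry does not say whether the fix ever landed in a libav release; recording the upstream commit (or stating that the patch was never applied) is needed before the unversioned "- libav" line can be resolved. Keeping "TODO: check if affects src:ffmpeg" is the right follow-up, since ff_h264_execute_ref_pic_marking() lives in the libavcodec tree that ffmpeg and libav share.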
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-12293/poppler
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c5a42f3e by Salvatore Bonaccorso at 2019-05-23T08:29:11Z Add CVE-2019-12293/poppler - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,6 +1,8 @@ CVE-2019-12294 RESERVED CVE-2019-12293 (In Poppler through 0.76.1, there is a heap-based buffer over-read in J ...) + - poppler + NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/768 TODO: check CVE-2019-12292 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c5a42f3eaaa64002f3d80c68fea49f3995224b87
[Git][security-tracker-team/security-tracker][master] Add reference to upstream commit for CVE-2019-12293/poppler
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3fd9b70b by Salvatore Bonaccorso at 2019-05-23T08:33:19Z Add reference to upstream commit for CVE-2019-12293/poppler - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,7 @@ CVE-2019-12294 CVE-2019-12293 (In Poppler through 0.76.1, there is a heap-based buffer over-read in J ...) - poppler NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/768 - TODO: check + NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/89a5367d49b2556a2635dbb6d48d6a6b182a2c6c CVE-2019-12292 RESERVED CVE-2019-12291 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3fd9b70b4828edcef28a35428e9954594af01369
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-12293/poppler
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b4792ee8 by Salvatore Bonaccorso at 2019-05-23T08:54:57Z Add Debian bug reference for CVE-2019-12293/poppler - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2019-12294 RESERVED CVE-2019-12293 (In Poppler through 0.76.1, there is a heap-based buffer over-read in J ...) - - poppler + - poppler (bug #929423) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/768 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/89a5367d49b2556a2635dbb6d48d6a6b182a2c6c CVE-2019-12292 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b4792ee8f21382b75c884b685fa2259ed6dce264
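Review bot: after these three commits the CVE-2019-12293 entry carries the package, the Debian bug, the upstream issue and the fix commit, but no stable assessment; the description says "Poppler through 0.76.1" is affected, which covers the stretch version, and the file's convention (see the "[stretch] - signing-party (Will be fixed via point release)" line on CVE-2019-11627 in the automatic update above) is to record that decision explicitly once it is made, with a severity tag if it is to be deferred to a point release.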
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-12295/wireshark
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 93fa by Salvatore Bonaccorso at 2019-05-23T14:38:37Z Add CVE-2019-12295/wireshark - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,8 @@ +CVE-2019-12295 [dissection engine crash] + - wireshark + NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15778 + NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=7b6e197da4c497e229ed3ebf6952bae5c426a820 + NOTE: https://www.wireshark.org/security/wnpa-sec-2019-19.html CVE-2019-12294 RESERVED CVE-2019-12293 (In Poppler through 0.76.1, there is a heap-based buffer over-read in J ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/93fad78ef451c26879a220033b631c96e89e
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2018-20509
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1f6ca385 by Salvatore Bonaccorso at 2019-05-23T16:28:45Z Add fixed version for CVE-2018-20509 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22685,7 +22685,7 @@ CVE-2018-20510 (The print_binder_transaction_ilocked function in drivers/android - linux 4.16.5-1 NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8ca86f1639ec5890d400fff9211aca22d0a392eb CVE-2018-20509 (The print_binder_ref_olocked function in drivers/android/binder.c in t ...) - - linux + - linux 4.14.2-1 NOTE: https://security.netapp.com/advisory/ntap-20190517-0002/ CVE-2018-20508 (CrashFix 1.0.4 has SQL Injection via the User[status] parameter. This ...) NOT-FOR-US: CrashFix View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1f6ca385a2ffd520874d7b6b061ad847190ac2cf
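Review bot: the fixed version "linux 4.14.2-1" added at @@ -22685 is backed only by a NetApp advisory NOTE, whereas the neighbouring CVE-2018-20510 entry cites the upstream commit on git.kernel.org; adding the upstream commit URL for CVE-2018-20509, with the release it landed in, would make the 4.14.2-1 claim verifiable from the entry itself instead of from a third-party advisory.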
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-12295/wireshark
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 71a470d8 by Salvatore Bonaccorso at 2019-05-23T18:02:43Z Add Debian bug reference for CVE-2019-12295/wireshark - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2019-12295 [dissection engine crash] - - wireshark + - wireshark (bug #929446) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15778 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=7b6e197da4c497e229ed3ebf6952bae5c426a820 NOTE: https://www.wireshark.org/security/wnpa-sec-2019-19.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/71a470d8dc75df0d5a38a182ca7bb4757031f01b
[Git][security-tracker-team/security-tracker][master] thunderbird issues fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d464583 by Salvatore Bonaccorso at 2019-05-23T19:35:19Z thunderbird issues fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1317,7 +1317,7 @@ CVE-2019-11698 [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 - - thunderbird + - thunderbird 1:60.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11698 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-11698 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11698 @@ -1350,7 +1350,7 @@ CVE-2019-11693 [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 - - thunderbird + - thunderbird 1:60.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11693 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-11693 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11693 @@ -1360,7 +1360,7 @@ CVE-2019-11692 [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 - - thunderbird + - thunderbird 1:60.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11692 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-11692 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11692 @@ -1370,7 +1370,7 @@ CVE-2019-11691 [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 - - thunderbird + - thunderbird 1:60.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11691 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-11691 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11691 
@@ -6691,7 +6691,7 @@ CVE-2019-9820 [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 - - thunderbird + - thunderbird 1:60.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9820 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9820 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9820 @@ -6701,7 +6701,7 @@ CVE-2019-9819 [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 - - thunderbird + - thunderbird 1:60.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9819 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9819 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9819 @@ -6719,7 +6719,7 @@ CVE-2019-9817 [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 - - thunderbird + - thunderbird 1:60.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9817 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9817 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9817 @@ -6729,7 +6729,7 @@ CVE-2019-9816 [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 - - thunderbird + - thunderbird 1:60.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9816 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9816 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9816 @@ -6799,7 +6799,7 @@ CVE-2019-9800 [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 - - thunderbird + - thunderbird 1:60.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9800 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9800 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9800 
@@ -6813,7 +6813,7 @@ CVE-2019-9797 (Cross-origin images can be read in violation of the same-origin p {DSA-4448-1} - firefox 66.0-1 - firefox-esr 60.7.0esr-1 - - thunderbird + - thunderbird 1:60.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9797 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-14/#CVE-2019-9797 NOTE: https://www.mozilla.org/en-US/security
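Review bot: the visible hunks all apply the same version 1:60.7.0-1 to the `- thunderbird` line of entries that carry the mfsa2019-13/14/15 NOTEs, but the patch as shown is cut off inside the CVE-2019-9797 hunk, so completeness cannot be checked from this message; a grep of data/CVE/list for bare `- thunderbird` lines in entries with those three NOTEs would confirm none were missed. The epoch-prefixed thunderbird version beside the un-prefixed `firefox-esr 60.7.0esr-1` is the expected packaging difference, not an inconsistency.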
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8373080c by security tracker role at 2019-05-23T20:10:18Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,4 +1,30 @@ -CVE-2019-12295 [dissection engine crash] +CVE-2019-12308 + RESERVED +CVE-2019-12307 + RESERVED +CVE-2019-12306 + RESERVED +CVE-2019-12305 + RESERVED +CVE-2019-12304 + RESERVED +CVE-2019-12303 + RESERVED +CVE-2019-12302 + RESERVED +CVE-2019-12301 (The Percona Server 5.6.44-85.0-1 packages for Debian and Ubuntu suffer ...) + TODO: check +CVE-2019-12300 (Buildbot before 1.8.2 and 2.x before 2.3.1 accepts a user-submitted au ...) + TODO: check +CVE-2019-12299 + RESERVED +CVE-2019-12298 (Leanify 0.4.3 allows remote attackers to trigger an out-of-bounds writ ...) + TODO: check +CVE-2019-12297 (An issue was discovered in scopd on Motorola routers CX2 1.01 and M2 1 ...) + TODO: check +CVE-2019-12296 + RESERVED +CVE-2019-12295 (In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14, the ...) - wireshark (bug #929446) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15778 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=7b6e197da4c497e229ed3ebf6952bae5c426a820 @@ -15,10 +41,10 @@ CVE-2019-12291 RESERVED CVE-2019-12290 RESERVED -CVE-2019-12289 - RESERVED -CVE-2019-12288 - RESERVED +CVE-2019-12289 (An issue was discovered in upgrade_firmware.cgi on VStarcam 100T (C782 ...) + TODO: check +CVE-2019-12288 (An issue was discovered in upgrade_htmls.cgi on VStarcam 100T (C7824WI ...) + TODO: check CVE-2019-12287 RESERVED CVE-2019-12286 @@ -51,8 +77,8 @@ CVE-2019-12274 RESERVED CVE-2019-12273 RESERVED -CVE-2019-12272 - RESERVED +CVE-2019-12272 (In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/band ...) + TODO: check CVE-2019-12271 RESERVED CVE-2019-12270 (OpenText Brava! Enterprise and Brava! Server 7.5 through 16.4 configur ...) 
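Review bot: among the new `TODO: check` items in the first hunk, CVE-2019-12300 (Buildbot) concerns software that is packaged in Debian (src:buildbot), so it should be triaged against the archive version rather than left on the automatic placeholder, and CVE-2019-12301 describes Percona Server packages published "for Debian and Ubuntu", which are Percona's own packages and need a check of whether anything in the archive is actually affected before an NFU is recorded. The replacement of the hand-written `[dissection engine crash]` header on CVE-2019-12295 by the MITRE text keeps the `- wireshark (bug #929446)` line and its NOTEs intact, which is the intended merge.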
@@ -585,8 +611,8 @@ CVE-2019-12044 (A Buffer Overflow exists in Citrix NetScaler Gateway 10.5.x befo NOT-FOR-US: Citrix NetScaler Gateway CVE-2019-12043 (In remarkable 1.7.1, lib/parser_inline.js mishandles URL filtering, wh ...) NOT-FOR-US: remarkable -CVE-2019-12042 - RESERVED +CVE-2019-12042 (Insecure permissions of the section object Global\PandaDevicesAgentSha ...) + TODO: check CVE-2019-12041 (lib/common/html_re.js in remarkable 1.7.1 allows Regular Expression De ...) NOT-FOR-US: remarkable CVE-2019-12040 @@ -932,8 +958,8 @@ CVE-2019-11875 RESERVED CVE-2019-11874 RESERVED -CVE-2019-11873 - RESERVED +CVE-2019-11873 (wolfSSL 4.0.0 has a Buffer Overflow in DoPreSharedKeys in tls13.c when ...) + TODO: check CVE-2019-11872 RESERVED CVE-2019-11871 (The Custom Field Suite plugin before 2.5.15 for WordPress has XSS for ...) @@ -1313,7 +1339,7 @@ CVE-2019-11699 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11699 CVE-2019-11698 RESERVED - {DSA-4448-1} + {DSA-4448-1 DLA-1800-1} [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 @@ -1346,7 +1372,7 @@ CVE-2019-11694 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11694 CVE-2019-11693 RESERVED - {DSA-4448-1} + {DSA-4448-1 DLA-1800-1} [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 @@ -1356,7 +1382,7 @@ CVE-2019-11693 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11693 CVE-2019-11692 RESERVED - {DSA-4448-1} + {DSA-4448-1 DLA-1800-1} [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 @@ -1366,7 +1392,7 @@ CVE-2019-11692 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11692 CVE-2019-11691 RESERVED - {DSA-4448-1} + {DSA-4448-1 DLA-1800-1} [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 
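Review bot: CVE-2019-11873 lands as `TODO: check` although the description names wolfSSL, which is packaged in Debian (src:wolfssl), so it needs a package line and triage rather than the placeholder; CVE-2019-12042, an insecure `Global\` section object in Panda's agent, is Windows-only and can be closed as NOT-FOR-US on the next pass. The `DLA-1800-1` additions to the `{DSA-4448-1}` lines on the four firefox entries are the advisory import and need no change.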
@@ -3192,8 +3218,8 @@ CVE-2019-10979 RESERVED CVE-2019-10978 RESERVED -CVE-2019-10977 - RESERVED +CVE-2019-10977 (In Mitsubishi Electric MELSEC-Q series Ethernet module QJ71E71-100 ser ...) + TODO: check CVE-2019-10976 RESERVED CVE-2019-10975 @@ -3514,8 +3540,8 @@ CVE-2019-10869 (Path Traversal and Unrestricted File Upload exists in the Ninja NOT-FOR-US: Ninja Forms plugin for WordPress CVE-2019-10867 (An issue was discovered in Pimcore before 5.7.1. An attacker with clas ...) NOT-FOR-US: Pimcore -CVE-2019-10866 - RESERVED
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 22a93a32 by Salvatore Bonaccorso at 2019-05-24T06:49:17Z Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -13618,89 +13618,89 @@ CVE-2019-7140 (Adobe Acrobat and Reader versions 2019.010.20100 and earlier, 201 CVE-2019-7139 (An unauthenticated user can execute arbitrary code through an SQL inje ...) NOT-FOR-US: Magento CVE-2019-7138 (Adobe Bridge CC versions 9.0.2 have an out-of-bounds read vulnerabilit ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7137 (Adobe Bridge CC versions 9.0.2 have a memory corruption vulnerability. ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7136 (Adobe Bridge CC versions 9.0.2 have an use after free vulnerability. S ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7135 (Adobe Bridge CC versions 9.0.2 have an out-of-bounds read vulnerabilit ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7134 (Adobe Bridge CC versions 9.0.2 have an out-of-bounds read vulnerabilit ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7133 (Adobe Bridge CC versions 9.0.2 have an out-of-bounds read vulnerabilit ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7132 (Adobe Bridge CC versions 9.0.2 have an out-of-bounds write vulnerabili ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7131 RESERVED CVE-2019-7130 (Adobe Bridge CC versions 9.0.2 have a heap overflow vulnerability. Suc ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7129 RESERVED CVE-2019-7128 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7127 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7126 RESERVED CVE-2019-7125 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) NOT-FOR-US: Adobe CVE-2019-7124 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7123 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7122 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) 
- TODO: check + NOT-FOR-US: Adobe CVE-2019-7121 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7120 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7119 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7118 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7117 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7116 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7115 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7114 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7113 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7112 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7111 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7110 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7109 (Adobe Acrobat and Reader versions 2019.010.20098 and earlier, 2019.010 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7108 (Adobe Flash Player versions 32.0.0.156 and earlier, 32.0.0.156 and ear ...) NOT-FOR-US: Adobe Flash Player CVE-2019-7107 (Adobe InDesign versions 14.0.1 and below have an unsafe hyperlink proc ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7106 (Adobe XD versions 16.0 and earlier have a path traversal vulnerability ...) 
- TODO: check + NOT-FOR-US: Adobe CVE-2019-7105 (Adobe XD versions 16.0 and earlier have a path traversal vulnerability ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-7104 (Adobe Shockwave Player versions 12.3.4.204 and
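Review bot: every line in this hunk becomes `NOT-FOR-US: Adobe`, while the adjacent CVE-2019-7108 reads `NOT-FOR-US: Adobe Flash Player`; since the hunk spans Bridge CC, Acrobat and Reader, InDesign and XD, naming the product in each note keeps the list greppable by product and matches the Flash Player line (the pre-existing CVE-2019-7125 line could be brought into line at the same time). This is a style point only; the NOT-FOR-US determination for these proprietary desktop products is correct.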
[Git][security-tracker-team/security-tracker][master] Add fixed version for advancecomp issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3ab92d0c by Salvatore Bonaccorso at 2019-05-24T06:50:41Z Add fixed version for advancecomp issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10505,7 +10505,7 @@ CVE-2019-8385 CVE-2019-8384 RESERVED CVE-2019-8383 (An issue was discovered in AdvanceCOMP through 2.1. An invalid memory ...) - - advancecomp (bug #928730) + - advancecomp 2.1-2.1 (bug #928730) [stretch] - advancecomp (Minor issue) [jessie] - advancecomp (Minor issue) NOTE: https://sourceforge.net/p/advancemame/bugs/272/ @@ -10519,7 +10519,7 @@ CVE-2019-8381 (An issue was discovered in Tcpreplay 4.3.1. An invalid memory acc CVE-2019-8380 (An issue was discovered in Bento4 1.5.1-628. A NULL pointer dereferenc ...) NOT-FOR-US: Bento4 CVE-2019-8379 (An issue was discovered in AdvanceCOMP through 2.1. A NULL pointer der ...) - - advancecomp (bug #928729) + - advancecomp 2.1-2.1 (bug #928729) [stretch] - advancecomp (Minor issue) [jessie] - advancecomp (Minor issue) NOTE: https://sourceforge.net/p/advancemame/bugs/271/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3ab92d0c2edc924f28556f48eb20cfc96e2e374d
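Review bot: the Debian revision 2.1-2.1 is an NMU-style version (a `.1` appended to the maintainer's `-2`), so both hunks should only record it once that non-maintainer upload has actually been accepted into unstable; if it has, pointing both bugs #928730 and #928729 at the same upload is right. The unchanged `[stretch]`/`[jessie]` `(Minor issue)` lines are consistent with no-dsa handling for an invalid memory access and a NULL pointer dereference in a compression tool.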
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-10143/freeradius
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c574ebce by Salvatore Bonaccorso at 2019-05-24T06:54:08Z Add CVE-2019-10143/freeradius - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5199,8 +5199,10 @@ CVE-2019-10145 RESERVED CVE-2019-10144 RESERVED -CVE-2019-10143 +CVE-2019-10143 [privilege escalation due to insecure logration] RESERVED + - freeradius + NOTE: https://github.com/FreeRADIUS/freeradius-server/pull/2666 CVE-2019-10142 [drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl] RESERVED - linux (unimportant) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c574ebcebbaeb2447bc448a2e8c60ac2c79b100b
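Review bot: the bracketed header `[privilege escalation due to insecure logration]` has a typo (presumably `log rotation`); while the CVE is still RESERVED that header is the only searchable description of the issue, so it is worth correcting in a follow-up. The hunk also adds the package line without a `(bug #...)` reference, which the tracker normally carries next to `- freeradius` for an open issue in unstable.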
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cae35133 by Salvatore Bonaccorso at 2019-05-24T07:05:54Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21,7 +21,7 @@ CVE-2019-12299 CVE-2019-12298 (Leanify 0.4.3 allows remote attackers to trigger an out-of-bounds writ ...) TODO: check CVE-2019-12297 (An issue was discovered in scopd on Motorola routers CX2 1.01 and M2 1 ...) - TODO: check + NOT-FOR-US: Motorola CVE-2019-12296 RESERVED CVE-2019-12295 (In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14, the ...) @@ -42,9 +42,9 @@ CVE-2019-12291 CVE-2019-12290 RESERVED CVE-2019-12289 (An issue was discovered in upgrade_firmware.cgi on VStarcam 100T (C782 ...) - TODO: check + NOT-FOR-US: VStarcam CVE-2019-12288 (An issue was discovered in upgrade_htmls.cgi on VStarcam 100T (C7824WI ...) - TODO: check + NOT-FOR-US: VStarcam CVE-2019-12287 RESERVED CVE-2019-12286 @@ -78,7 +78,7 @@ CVE-2019-12274 CVE-2019-12273 RESERVED CVE-2019-12272 (In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/band ...) - TODO: check + NOT-FOR-US: OpenWrt LuCI CVE-2019-12271 RESERVED CVE-2019-12270 (OpenText Brava! Enterprise and Brava! Server 7.5 through 16.4 configur ...) @@ -3219,7 +3219,7 @@ CVE-2019-10979 CVE-2019-10978 RESERVED CVE-2019-10977 (In Mitsubishi Electric MELSEC-Q series Ethernet module QJ71E71-100 ser ...) - TODO: check + NOT-FOR-US: Mitsubishi CVE-2019-10976 RESERVED CVE-2019-10975 @@ -3541,7 +3541,7 @@ CVE-2019-10869 (Path Traversal and Unrestricted File Upload exists in the Ninja CVE-2019-10867 (An issue was discovered in Pimcore before 5.7.1. An attacker with clas ...) NOT-FOR-US: Pimcore CVE-2019-10866 (In the Form Maker plugin before 1.13.3 for WordPress, it's possible to ...) - TODO: check + NOT-FOR-US: Form Maker plugin for WordPress CVE-2019-10865 RESERVED CVE-2019-10864 (The WP Statistics plugin through 12.6.2 for WordPress has XSS, allowin ...) 
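Review bot: `NOT-FOR-US: Mitsubishi` on CVE-2019-10977 is less specific than the other notes in this patch (`Computrols CBAS`, `Form Maker plugin for WordPress`, `OpenWrt LuCI`, `VStarcam`); the description names the product, so `Mitsubishi Electric MELSEC-Q` would follow the convention used in the same hunk set and keep the entry greppable by product.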
@@ -3565,19 +3565,19 @@ CVE-2019-10856 (In Jupyter Notebook before 5.7.8, an open redirect can occur via NOTE: https://blog.jupyter.org/open-redirect-vulnerability-in-jupyter-jupyterhub-adf43583f1e4 NOTE: https://github.com/jupyter/notebook/commit/979e0bd15e794ceb00cc63737fcd5fd9addc4a99 CVE-2019-10855 (Computrols CBAS 18.0.0 mishandles password hashes. The approach is MD5 ...) - TODO: check + NOT-FOR-US: Computrols CBAS CVE-2019-10854 (Computrols CBAS 18.0.0 allows Authenticated Command Injection. ...) - TODO: check + NOT-FOR-US: Computrols CBAS CVE-2019-10853 (Computrols CBAS 18.0.0 allows Authentication Bypass. ...) - TODO: check + NOT-FOR-US: Computrols CBAS CVE-2019-10852 (Computrols CBAS 18.0.0 allows Authenticated Blind SQL Injection via th ...) - TODO: check + NOT-FOR-US: Computrols CBAS CVE-2019-10851 (Computrols CBAS 18.0.0 has hard-coded encryption keys. ...) - TODO: check + NOT-FOR-US: Computrols CBAS CVE-2019-10850 (Computrols CBAS 18.0.0 has Default Credentials. ...) - TODO: check + NOT-FOR-US: Computrols CBAS CVE-2019-10849 (Computrols CBAS 18.0.0 allows unprotected Subversion (SVN) directory / ...) - TODO: check + NOT-FOR-US: Computrols CBAS CVE-2019-10848 RESERVED CVE-2019-10847 @@ -5684,7 +5684,7 @@ CVE-2019-9951 (Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultr CVE-2019-9950 (Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultra, My ...) NOT-FOR-US: Western Digital CVE-2019-9949 (Western Digital My Cloud Cloud, Mirror Gen2, EX2 Ultra, EX2100, EX4100 ...) - TODO: check + NOT-FOR-US: Western Digital CVE-2019-9948 (urllib in Python 2.x through 2.7.16 supports the local_file: scheme, w ...) - python2.7 2.7.16-2 NOTE: https://bugs.python.org/issue35907 
@@ -65633,9 +65633,9 @@ CVE-2018-7204 (inc/logger.php in the Giribaz File Manager plugin before 5.0.2 fo CVE-2018-7203 (Cross-site scripting (XSS) vulnerability in Twonky Server 7.0.11 throu ...) NOT-FOR-US: Twonky Server CVE-2018-7202 (An issue was discovered in ProjectSend before r1053. XSS exists in the ...) - TODO: check + NOT-FOR-US: ProjectSend CVE-2018-7201 (CSV Injection was discovered in ProjectSend before r1053, affecting vi ...) - TODO: check + NOT-FOR-US: ProjectSend CVE-2018-7200 RESERVED CVE-2018-7199 @@ -85471,9 +85471,9 @@ CVE-2017-17063 CVE-2017-17062 (The backend component in Open-Xchange OX App Suite before 7.6.3-rev35, ...) NOT-FOR-US: Open-Xchange CVE-2017-17061 (OX Software GmbH OX App Suite 7.8.4 and earlier is affected by: Cross ...) -
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-10143/freeradius
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4de580bc by Salvatore Bonaccorso at 2019-05-24T07:06:43Z Add Debian bug reference for CVE-2019-10143/freeradius - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5201,7 +5201,7 @@ CVE-2019-10144 RESERVED CVE-2019-10143 [privilege escalation due to insecure logration] RESERVED - - freeradius + - freeradius (bug #929466) NOTE: https://github.com/FreeRADIUS/freeradius-server/pull/2666 CVE-2019-10142 [drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl] RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4de580bce91dfc4e9b2e0aca8cb9182f90efc066
[Git][security-tracker-team/security-tracker][master] Add CVE-2016-8901/b2evolution
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9b890d60 by Salvatore Bonaccorso at 2019-05-24T07:08:15Z Add CVE-2016-8901/b2evolution - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -139674,7 +139674,7 @@ CVE-2016-8903 (SQL injection vulnerability in the "Site Browser > Templates p CVE-2016-8902 (SQL injection vulnerability in the categoriesServlet servlet in dotCMS ...) NOT-FOR-US: dotCMS CVE-2016-8901 (b2evolution 6.7.6 suffer from an Object Injection vulnerability in /ht ...) - TODO: check + - b2evolution CVE-2016-8900 RESERVED CVE-2016-8899 (Exponent CMS version 2.3.9 suffers from a Object Injection vulnerabili ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9b890d60ee0bac17a3a4ad5635cb547a7e84c7dc
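Review bot: replacing `TODO: check` with a bare `- b2evolution` marks the package as affected and unfixed in every suite, yet the hunk adds no NOTE pointing at an upstream fix or advisory, no `(bug #...)` reference and no severity or suite annotation; for a 2016 object-injection issue against 6.7.6 the reader needs either a fixed Debian version (if the packaged release is already past the upstream fix) or the bug reference and a `[stretch]`/`[jessie]` decision that an open entry normally carries.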
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11873/wolfssl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 98421ab1 by Salvatore Bonaccorso at 2019-05-24T07:07:49Z Add CVE-2019-11873/wolfssl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -959,7 +959,7 @@ CVE-2019-11875 CVE-2019-11874 RESERVED CVE-2019-11873 (wolfSSL 4.0.0 has a Buffer Overflow in DoPreSharedKeys in tls13.c when ...) - TODO: check + - wolfssl CVE-2019-11872 RESERVED CVE-2019-11871 (The Custom Field Suite plugin before 2.5.15 for WordPress has XSS for ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/98421ab1bbf373a8a250ce99cce21aba5f491a03
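Review bot: the new `- wolfssl` line flags the package as affected in all suites with no upstream reference and no fixed version; the description places the overflow in `DoPreSharedKeys` in `tls13.c`, so the triage should cite the upstream fix in a NOTE and state whether the Debian build of wolfssl enables TLS 1.3 at all, since a build without it would not contain that code path and the affected suites could then be marked `<not-affected>` with that rationale instead of being left as an open issue.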
[Git][security-tracker-team/security-tracker][master] Add CVE-2017-15652/ghostscript
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: abd2b58e by Salvatore Bonaccorso at 2019-05-24T07:15:21Z Add CVE-2017-15652/ghostscript - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -91442,7 +91442,11 @@ CVE-2017-15654 (Highly predictable session tokens in the HTTPd server in all cur CVE-2017-15653 (Improper administrator IP validation after his login in the HTTPd serv ...) NOT-FOR-US: HTTPd server in Asus asuswrt CVE-2017-15652 (Artifex Ghostscript 9.22 is affected by: Obtain Information. The impac ...) - TODO: check + - ghostscript 9.25~dfsg-1 + [stretch] - ghostscript 9.25~dfsg-0+deb9u1 + [jessie] - ghostscript 9.26a~dfsg-0+deb8u1 + NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2fc463d0e + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698676 CVE-2017-15651 (PRTG Network Monitor 17.3.33.2830 allows remote authenticated administ ...) NOT-FOR-US: PRTG Network Monitor CVE-2017-15649 (net/packet/af_packet.c in the Linux kernel before 4.13.6 allows local ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/abd2b58e47cfa48cbd5be82df6bc8647c08e9f49
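Review bot: the unstable fix 9.25~dfsg-1 and the stretch and jessie uploads 9.25~dfsg-0+deb9u1 and 9.26a~dfsg-0+deb8u1 are recorded without any `{DSA-... DLA-...}` tag, so this reads as a CVE retroactively matched to uploads that predate it; a NOTE saying so, or naming the advisory that shipped those versions, would stop a later reader from treating the missing tag as an oversight. The upstream commit is cited by abbreviated hash `2fc463d0e`; the full hash, or the upstream release the commit first appeared in, would make the reference stable and let the three fixed versions be checked against it.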
[Git][security-tracker-team/security-tracker][master] Add tag information for CVE-2017-15652/ghostscript
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f469bd4 by Salvatore Bonaccorso at 2019-05-24T07:16:47Z Add tag information for CVE-2017-15652/ghostscript - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -91445,7 +91445,7 @@ CVE-2017-15652 (Artifex Ghostscript 9.22 is affected by: Obtain Information. The - ghostscript 9.25~dfsg-1 [stretch] - ghostscript 9.25~dfsg-0+deb9u1 [jessie] - ghostscript 9.26a~dfsg-0+deb8u1 - NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2fc463d0e + NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=2fc463d0e (ghostpdl-9.23rc1) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698676 CVE-2017-15651 (PRTG Network Monitor 17.3.33.2830 allows remote authenticated administ ...) NOT-FOR-US: PRTG Network Monitor View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9f469bd418dada6bad6007f1ea4826d8b6d97a00
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-11873
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 478c0956 by Salvatore Bonaccorso at 2019-05-24T07:42:39Z Add Debian bug reference for CVE-2019-11873 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -960,7 +960,7 @@ CVE-2019-11875 CVE-2019-11874 RESERVED CVE-2019-11873 (wolfSSL 4.0.0 has a Buffer Overflow in DoPreSharedKeys in tls13.c when ...) - - wolfssl + - wolfssl (bug #929468) CVE-2019-11872 RESERVED CVE-2019-11871 (The Custom Field Suite plugin before 2.5.15 for WordPress has XSS for ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/478c095699051ab936e6dc061db2b58ccdadddad
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2019-12269/enigmail
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b6ff63ee by Salvatore Bonaccorso at 2019-05-24T07:50:27Z Add fixed version for CVE-2019-12269/enigmail - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -84,7 +84,7 @@ CVE-2019-12271 CVE-2019-12270 (OpenText Brava! Enterprise and Brava! Server 7.5 through 16.4 configur ...) NOT-FOR-US: OpenText Brava! CVE-2019-12269 (Enigmail before 2.0.11 allows PGP signature spoofing: for an inline PG ...) - - enigmail (bug #929363) + - enigmail 2:2.0.11+ds1-1 (bug #929363) [jessie] - enigmail (see https://lists.debian.org/debian-lts-announce/2019/02/msg2.html) NOTE: https://sourceforge.net/p/enigmail/bugs/983/ CVE-2019-12268 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b6ff63ee5c9ae10cd5104dabf974011c060fb7a1
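Review bot: with 2:2.0.11+ds1-1 now recorded for unstable and a `[jessie]` line pointing at the LTS announcement, the entry has no `[stretch]` line at all, which the tracker reads as stretch still vulnerable with no decision taken; for a PGP signature-spoofing issue a `[stretch]` line (a DSA reference, `<no-dsa>` with a rationale, or `<not-affected>`) is needed to close that gap. The jessie line's URL ends in `msg2.html`, which does not look like a complete archive message name; worth checking that it resolves.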
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d0dd2b79 by security tracker role at 2019-05-24T08:10:29Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2019-12311 + RESERVED +CVE-2019-12310 + RESERVED +CVE-2019-12309 (dotCMS before 5.1.0 has a path traversal vulnerability exploitable by ...) + TODO: check CVE-2019-12308 RESERVED CVE-2019-12307 @@ -3584,8 +3590,8 @@ CVE-2019-10848 RESERVED CVE-2019-10847 RESERVED -CVE-2019-10846 - RESERVED +CVE-2019-10846 (Computrols CBAS 18.0.0 allows Unauthenticated Reflected Cross-Site Scr ...) + TODO: check CVE-2019-10845 (An issue was discovered in Uniqkey Password Manager 1.14. When enterin ...) NOT-FOR-US: Uniqkey Password Manager CVE-2019-10844 (nbla/logger.cpp in libnnabla.a in Sony Neural Network Libraries (aka n ...) 
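Review bot: CVE-2019-10846 arrives as `TODO: check`, but its description is the same Computrols CBAS 18.0.0 product whose sibling CVEs were already closed as `NOT-FOR-US: Computrols CBAS`, so it can be closed the same way on the next NFU pass rather than triaged afresh; CVE-2019-12309 (dotCMS) likewise matches the existing `NOT-FOR-US: dotCMS` convention used on CVE-2016-8902.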
@@ -16840,30 +16846,23 @@ CVE-2019-5806 CVE-2019-5805 RESERVED - chromium 74.0.3729.108-1 -CVE-2019-5804 - RESERVED +CVE-2019-5804 (Incorrect command line processing in Chrome in Google Chrome prior to ...) - chromium (Windows-specific) -CVE-2019-5803 - RESERVED +CVE-2019-5803 (Insufficient policy enforcement in Content Security Policy in Google C ...) {DSA-4421-1} - chromium 73.0.3683.75-1 -CVE-2019-5802 - RESERVED +CVE-2019-5802 (Incorrect handling of download origins in Navigation in Google Chrome ...) {DSA-4421-1} - chromium 73.0.3683.75-1 -CVE-2019-5801 - RESERVED +CVE-2019-5801 (Incorrect eliding of URLs in Omnibox in Google Chrome on iOS prior to ...) - chromium (iOS specific) -CVE-2019-5800 - RESERVED +CVE-2019-5800 (Insufficient policy enforcement in Blink in Google Chrome prior to 73. ...) {DSA-4421-1} - chromium 73.0.3683.75-1 -CVE-2019-5799 - RESERVED +CVE-2019-5799 (Incorrect inheritance of a new document's policy in Content Security P ...) {DSA-4421-1} - chromium 73.0.3683.75-1 -CVE-2019-5798 - RESERVED +CVE-2019-5798 (Lack of correct bounds checking in Skia in Google Chrome prior to 73.0 ...) {DSA-4448-1 DSA-4421-1 DLA-1800-1} - chromium 73.0.3683.75-1 - firefox-esr 60.7.0esr-1 
@@ -16874,44 +16873,34 @@ CVE-2019-5797 RESERVED {DSA-4421-1} - chromium 73.0.3683.75-1 -CVE-2019-5796 - RESERVED +CVE-2019-5796 (Data race in extensions guest view in Google Chrome prior to 73.0.3683 ...) {DSA-4421-1} - chromium 73.0.3683.75-1 -CVE-2019-5795 - RESERVED +CVE-2019-5795 (Integer overflow in PDFium in Google Chrome prior to 73.0.3683.75 allo ...) {DSA-4421-1} - chromium 73.0.3683.75-1 -CVE-2019-5794 - RESERVED +CVE-2019-5794 (Incorrect handling of cancelled requests in Navigation in Google Chrom ...) {DSA-4421-1} - chromium 73.0.3683.75-1 -CVE-2019-5793 - RESERVED +CVE-2019-5793 (Insufficient policy enforcement in extensions in Google Chrome prior t ...) {DSA-4421-1} - chromium 73.0.3683.75-1 -CVE-2019-5792 - RESERVED +CVE-2019-5792 (Integer overflow in PDFium in Google Chrome prior to 73.0.3683.75 allo ...) {DSA-4421-1} - chromium 73.0.3683.75-1 -CVE-2019-5791 - RESERVED +CVE-2019-5791 (Inappropriate optimization in V8 in Google Chrome prior to 73.0.3683.7 ...) {DSA-4421-1} - chromium 73.0.3683.75-1 -CVE-2019-5790 - RESERVED +CVE-2019-5790 (An integer overflow leading to an incorrect capacity of a buffer in Ja ...) {DSA-4421-1} - chromium 73.0.3683.75-1 -CVE-2019-5789 - RESERVED +CVE-2019-5789 (An integer overflow that leads to a use-after-free in WebMIDI in Googl ...) {DSA-4421-1} - chromium 73.0.3683.75-1 -CVE-2019-5788 - RESERVED +CVE-2019-5788 (An integer overflow that leads to a use-after-free in Blink Storage in ...) {DSA-4421-1} - chromium 73.0.3683.75-1 -CVE-2019-5787 - RESERVED +CVE-2019-5787 (Use-after-garbage-collection in Blink in Google Chrome prior to 73.0.3 ...) {DSA-4421-1} - chromium 73.0.3683.75-1 CVE-2019-5786 
@@ -29349,8 +29338,8 @@ CVE-2018-19616 (An issue was discovered in Rockwell Automation Allen-Bradley Pow NOT-FOR-US: Rockwell Automation Allen-Bradley PowerMonitor 1000 CVE-2018-19615 (Rockwell Automation Allen-Bradley PowerMonitor 1000 all versions. A re ...) NOT-FOR-US: Rockwell Automation Allen-Bradley PowerMonitor 1000 -CVE-2018-19614 - RESERVED +CVE-2018-19614 (XSS exists in the /cmdexec/cmdexe?cmd= function in Westermo DR-250 Pre ...) + TODO: check CVE-2018-19613 RESERVED CVE-2018-19612 @@ -33023,6 +33012,7 @@ CVE-2019-0203 CVE-2019-0202 RESERVED CVE-2019-0201 (An iss
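Review bot: the platform annotations in the chromium region are spelled two ways in the same hunk: "- chromium (Windows-specific)" under CVE-2019-5804 but "- chromium (iOS specific)" under CVE-2019-5801. Pick one form for both so that anyone grepping the list for "-specific" annotations finds all of them; the rest of the region is consistent (every DSA-4421-1 entry carries the same "- chromium 73.0.3683.75-1" line).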
[Git][security-tracker-team/security-tracker][master] Remove one ignored status for buster for poppler
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: adbe661a by Salvatore Bonaccorso at 2019-05-24T12:41:34Z Remove one ignored status for buster for poppler poppler got an unblock thus the issue is going to be addressed in testing/buster. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3527,7 +3527,6 @@ CVE-2019-10874 (Cross Site Request Forgery (CSRF) in the bolt/upload File Upload NOT-FOR-US: Bolt CMS CVE-2019-10873 (An issue was discovered in Poppler 0.74.0. There is a NULL pointer der ...) - poppler 0.71.0-4 (low; bug #926532) - [buster] - poppler (Minor issue) [stretch] - poppler (Minor issue) [jessie] - poppler (vulnerable code is not present) NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/748 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/adbe661a710359ca37b2934d9c69fc2cc8e4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/adbe661a710359ca37b2934d9c69fc2cc8e4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
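Review bot: the reason for dropping the "[buster] - poppler (Minor issue)" line lives only in the commit message; nothing in the entry records the unblock. Consider adding a NOTE with the unblock bug number beside "NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/748" so the buster status can be verified later without reading the git log. Leaving the [stretch] and [jessie] lines untouched is consistent, since the 0.71.0-4 fix only reaches buster through the unblock.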
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1f007459 by Salvatore Bonaccorso at 2019-05-24T12:47:57Z Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,7 @@ CVE-2019-12311 CVE-2019-12310 RESERVED CVE-2019-12309 (dotCMS before 5.1.0 has a path traversal vulnerability exploitable by ...) - TODO: check + NOT-FOR-US: dotCMS CVE-2019-12308 RESERVED CVE-2019-12307 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1f0074590ecb0b41ca6663d0d52b21e37abe79af
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f334f8e4 by Salvatore Bonaccorso at 2019-05-24T14:34:47Z Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33059,6 +33059,7 @@ CVE-2019-0189 RESERVED CVE-2019-0188 RESERVED + NOT-FOR-US: Apache Camel CVE-2019-0187 (Unauthenticated RCE is possible when JMeter is used in distributed mod ...) - jakarta-jmeter [stretch] - jakarta-jmeter (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f334f8e4e8bf0f32cbfc07c8bb2189456581dab1
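Review bot: the new "+ NOT-FOR-US: Apache Camel" line is attached to an entry that is still RESERVED, so the product attribution cannot be checked against a CVE description in this hunk. A NOTE with the upstream advisory or mailing-list post that tied CVE-2019-0188 to Camel would let the next automatic update be reconciled against the description once MITRE publishes it, and would stop the marker from being taken as a guess.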
[Git][security-tracker-team/security-tracker][master] 2 commits: Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c98a3831 by Salvatore Bonaccorso at 2019-05-24T15:30:53Z Process some NFUs - - - - - c1f0cd0c by Salvatore Bonaccorso at 2019-05-24T15:34:24Z Add CVE-2016-7151/capstone - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25,7 +25,7 @@ CVE-2019-12300 (Buildbot before 1.8.2 and 2.x before 2.3.1 accepts a user-submit CVE-2019-12299 RESERVED CVE-2019-12298 (Leanify 0.4.3 allows remote attackers to trigger an out-of-bounds writ ...) - TODO: check + NOT-FOR-US: Leanify CVE-2019-12297 (An issue was discovered in scopd on Motorola routers CX2 1.01 and M2 1 ...) NOT-FOR-US: Motorola CVE-2019-12296 @@ -619,7 +619,7 @@ CVE-2019-12044 (A Buffer Overflow exists in Citrix NetScaler Gateway 10.5.x befo CVE-2019-12043 (In remarkable 1.7.1, lib/parser_inline.js mishandles URL filtering, wh ...) NOT-FOR-US: remarkable CVE-2019-12042 (Insecure permissions of the section object Global\PandaDevicesAgentSha ...) - TODO: check + NOT-FOR-US: Panda products CVE-2019-12041 (lib/common/html_re.js in remarkable 1.7.1 allows Regular Expression De ...) NOT-FOR-US: remarkable CVE-2019-12040 @@ -3590,7 +3590,7 @@ CVE-2019-10848 CVE-2019-10847 RESERVED CVE-2019-10846 (Computrols CBAS 18.0.0 allows Unauthenticated Reflected Cross-Site Scr ...) - TODO: check + NOT-FOR-US: Computrols CBAS CVE-2019-10845 (An issue was discovered in Uniqkey Password Manager 1.14. When enterin ...) NOT-FOR-US: Uniqkey Password Manager CVE-2019-10844 (nbla/logger.cpp in libnnabla.a in Sony Neural Network Libraries (aka n ...) 
@@ -29338,7 +29338,7 @@ CVE-2018-19616 (An issue was discovered in Rockwell Automation Allen-Bradley Pow CVE-2018-19615 (Rockwell Automation Allen-Bradley PowerMonitor 1000 all versions. A re ...) NOT-FOR-US: Rockwell Automation Allen-Bradley PowerMonitor 1000 CVE-2018-19614 (XSS exists in the /cmdexec/cmdexe?cmd= function in Westermo DR-250 Pre ...) - TODO: check + NOT-FOR-US: Westermo routers CVE-2018-19613 RESERVED CVE-2018-19612 @@ -121734,7 +121734,7 @@ CVE-2017-5873 (Unquoted Windows search path vulnerability in the guest service i CVE-2017-5872 (The TCP/IP networking module in Unisys ClearPath MCP systems with TCP- ...) NOT-FOR-US: Unisys ClearPath CVE-2017-5871 (Odoo Version <= 8.0-20160726 and Version 9 is affected by: CWE-601: ...) - TODO: check + NOT-FOR-US: Odoo CVE-2017-5870 (Multiple cross-site scripting (XSS) vulnerabilities in ViMbAdmin 3.0.1 ...) NOT-FOR-US: ViMbAdmin CVE-2017-5869 (Directory traversal vulnerability in the file import feature in Nuxeo ...) 
@@ -145137,7 +145137,9 @@ CVE-2016-7153 (The HTTP/2 protocol does not consider the role of the TCP congest CVE-2016-7152 (The HTTPS protocol does not consider the role of the TCP congestion wi ...) NOTE: CVE assigned for the HTTP/2 protocol issue CVE-2016-7151 (Capstone 3.0.4 has an out-of-bounds vulnerability (SEGV caused by a re ...) - TODO: check + - capstone + NOTE: https://github.com/aquynh/capstone/commit/87a25bb543c8e4c09b48d4b4a6c7db31ce58df06 (4.0-alpha4) + NOTE: https://github.com/aquynh/capstone/pull/725 CVE-2016-7150 (Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earl ...) NOT-FOR-US: b2evolution CVE-2016-7149 (Cross-site scripting (XSS) vulnerability in b2evolution 6.7.5 and earl ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/f334f8e4e8bf0f32cbfc07c8bb2189456581dab1...c1f0cd0ccc54ba6ab14de55ad06a1473b5145ea1
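Review bot: the new "+ - capstone" line carries neither a fixed version nor a bug number, so every suite is now shown as vulnerable even though the referenced upstream fix is tagged "(4.0-alpha4)". If the packaged capstone already contains commit 87a25bb543c8e4c09b48d4b4a6c7db31ce58df06, record the Debian version that first shipped it on that line; if it does not, open a bug and add "(bug #...)" so the entry does not sit open with no owner. Suite annotations for stretch and jessie would also be needed, as the description names Capstone 3.0.4 as affected.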
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 15819380 by security tracker role at 2019-05-24T20:10:25Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,43 @@ +CVE-2019-12321 + RESERVED +CVE-2019-12320 + RESERVED +CVE-2019-12319 + RESERVED +CVE-2019-12318 + RESERVED +CVE-2019-12317 + RESERVED +CVE-2019-12316 + RESERVED +CVE-2019-12315 (Samsung SCX-824 printers allow a reflected Cross-Site-Scripting (XSS) ...) + TODO: check +CVE-2019-12314 (Deltek Maconomy 2.2.5 is prone to local file inclusion via absolute pa ...) + TODO: check +CVE-2019-12313 (XSS exists in Shave before 2.5.3 because output encoding is mishandled ...) + TODO: check +CVE-2019-12312 (In Libreswan before 3.28, an assertion failure can lead to a pluto IKE ...) + TODO: check +CVE-2017-18375 (Ampache 3.8.3 allows PHP Object Instantiation via democratic.ajax.php ...) + TODO: check +CVE-2016-10759 (The Xinha plugin in Precurio 2.1 allows Directory Traversal, with resu ...) + TODO: check +CVE-2016-10758 (PHPKIT 1.6.6 allows arbitrary File Upload, as demonstrated by a .php f ...) + TODO: check +CVE-2016-10757 (In Redaxo 5.2.0, the cron management of the admin panel suffers from C ...) + TODO: check +CVE-2016-10756 (Kliqqi 3.0.0.5 allows CSRF with resultant Arbitrary File Upload becaus ...) + TODO: check +CVE-2016-10755 (AbanteCart 1.2.8 allows SQL Injection via the source_language paramete ...) + TODO: check +CVE-2016-10754 (modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection ...) + TODO: check +CVE-2016-10753 (e107 2.1.2 allows PHP Object Injection with resultant SQL injection, b ...) + TODO: check +CVE-2016-10752 (serendipity_moveMediaDirectory in Serendipity 2.0.3 allows remote atta ...) + TODO: check +CVE-2016-10751 (osClass 3.6.1 allows oc-admin/plugins.php Directory Traversal via the ...) + TODO: check CVE-2019-12311 RESERVED CVE-2019-12310 
@@ -286,8 +326,8 @@ CVE-2019-12197 RESERVED CVE-2019-12196 RESERVED -CVE-2019-12195 - RESERVED +CVE-2019-12195 (TP-Link TL-WR840N v5 0005 devices allow XSS via the network name. ...) + TODO: check CVE-2019-12194 RESERVED CVE-2019-12193 @@ -366,8 +406,7 @@ CVE-2019-12157 RESERVED CVE-2019-12156 RESERVED -CVE-2019-12155 [qxl: null pointer dereference while releasing spice resources] - RESERVED +CVE-2019-12155 (interface_release_resource in hw/display/qxl.c in QEMU 4.0.0 has a NUL ...) - qemu (bug #929353) - qemu-kvm NOTE: https://www.openwall.com/lists/oss-security/2019/05/22/1 @@ -380,8 +419,8 @@ CVE-2019-12152 RESERVED CVE-2019-12151 RESERVED -CVE-2019-12150 - RESERVED +CVE-2019-12150 (Karamasoft UltimateEditor 1 does not ensure that an uploaded file is a ...) + TODO: check CVE-2018-20839 (systemd 242 changes the VT1 mode upon a logout, which allows attackers ...) - systemd 241-4 (bug #929116) [stretch] - systemd (Minor issue) @@ -959,10 +998,10 @@ CVE-2019-11878 (An issue was discovered on XiongMai Besder IP20H1 V4.02.R12.0003 NOT-FOR-US: XiongMai Besder IP20H1 cameras CVE-2019-11877 RESERVED -CVE-2019-11876 - RESERVED -CVE-2019-11875 - RESERVED +CVE-2019-11876 (In PrestaShop 1.7.5.2, the shop_country parameter in the install/index ...) + TODO: check +CVE-2019-11875 (In AutomateAppCore.dll in Blue Prism Robotic Process Automation 6.4.0. ...) + TODO: check CVE-2019-11874 RESERVED CVE-2019-11873 (wolfSSL 4.0.0 has a Buffer Overflow in DoPreSharedKeys in tls13.c when ...) @@ -1603,8 +1642,8 @@ CVE-2019-11606 (doorGets 7.0 has a sensitive information disclosure vulnerabilit NOT-FOR-US: doorGets CVE-2019-11605 RESERVED -CVE-2019-11604 - RESERVED +CVE-2019-11604 (An issue was discovered in Quest KACE Systems Management Appliance bef ...) + TODO: check CVE-2019-11603 RESERVED CVE-2019-11602 
@@ -2331,6 +2370,7 @@ CVE-2019-11347 CVE-2018-20817 (SV_SteamAuthClient in various Activision Infinity Ward Call of Duty ga ...) NOT-FOR-US: Activision CVE-2019-11555 (The EAP-pwd implementation in hostapd (EAP server) before 2.8 and wpa_ ...) + {DSA-4450-1} - wpa 2:2.7+git20190128+0c1e29f-5 (bug #927463) NOTE: https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-with-unexpected-fragment.txt NOTE: Patches: https://w1.fi/security/2019-5/ @@ -3407,6 +3447,7 @@ CVE-2019-10904 (Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi NOTE: https://issues.roundup-tracker.org/issue2551035 NOTE: https://bitbucket.org/python/roundup/commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b35b316f by Salvatore Bonaccorso at 2019-05-24T20:41:17Z Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,7 +13,7 @@ CVE-2019-12316 CVE-2019-12315 (Samsung SCX-824 printers allow a reflected Cross-Site-Scripting (XSS) ...) TODO: check CVE-2019-12314 (Deltek Maconomy 2.2.5 is prone to local file inclusion via absolute pa ...) - TODO: check + NOT-FOR-US: Deltek Maconomy CVE-2019-12313 (XSS exists in Shave before 2.5.3 because output encoding is mishandled ...) TODO: check CVE-2019-12312 (In Libreswan before 3.28, an assertion failure can lead to a pluto IKE ...) @@ -23,7 +23,7 @@ CVE-2017-18375 (Ampache 3.8.3 allows PHP Object Instantiation via democratic.aja CVE-2016-10759 (The Xinha plugin in Precurio 2.1 allows Directory Traversal, with resu ...) TODO: check CVE-2016-10758 (PHPKIT 1.6.6 allows arbitrary File Upload, as demonstrated by a .php f ...) - TODO: check + NOT-FOR-US: PHPKIT CVE-2016-10757 (In Redaxo 5.2.0, the cron management of the admin panel suffers from C ...) TODO: check CVE-2016-10756 (Kliqqi 3.0.0.5 allows CSRF with resultant Arbitrary File Upload becaus ...) 
@@ -31,9 +31,9 @@ CVE-2016-10756 (Kliqqi 3.0.0.5 allows CSRF with resultant Arbitrary File Upload CVE-2016-10755 (AbanteCart 1.2.8 allows SQL Injection via the source_language paramete ...) TODO: check CVE-2016-10754 (modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL injection ...) - TODO: check + NOT-FOR-US: Vtiger CRM CVE-2016-10753 (e107 2.1.2 allows PHP Object Injection with resultant SQL injection, b ...) - TODO: check + NOT-FOR-US: e107 CVE-2016-10752 (serendipity_moveMediaDirectory in Serendipity 2.0.3 allows remote atta ...) TODO: check CVE-2016-10751 (osClass 3.6.1 allows oc-admin/plugins.php Directory Traversal via the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b35b316f5ac05d05f2394c29e976b143b520f215
[Git][security-tracker-team/security-tracker][master] Add CVE-2017-18375/ampache
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8654763f by Salvatore Bonaccorso at 2019-05-24T20:44:08Z Add CVE-2017-18375/ampache - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19,7 +19,7 @@ CVE-2019-12313 (XSS exists in Shave before 2.5.3 because output encoding is mish CVE-2019-12312 (In Libreswan before 3.28, an assertion failure can lead to a pluto IKE ...) TODO: check CVE-2017-18375 (Ampache 3.8.3 allows PHP Object Instantiation via democratic.ajax.php ...) - TODO: check + - ampache CVE-2016-10759 (The Xinha plugin in Precurio 2.1 allows Directory Traversal, with resu ...) TODO: check CVE-2016-10758 (PHPKIT 1.6.6 allows arbitrary File Upload, as demonstrated by a .php f ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8654763f239bc362995ffeed92105cb96a419ae1
[Git][security-tracker-team/security-tracker][master] Add CVE-2016-10752/serendipity
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7aeaa7c8 by Salvatore Bonaccorso at 2019-05-24T20:44:44Z Add CVE-2016-10752/serendipity - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -35,7 +35,7 @@ CVE-2016-10754 (modules/Calendar/Activity.php in Vtiger CRM 6.5.0 allows SQL inj CVE-2016-10753 (e107 2.1.2 allows PHP Object Injection with resultant SQL injection, b ...) NOT-FOR-US: e107 CVE-2016-10752 (serendipity_moveMediaDirectory in Serendipity 2.0.3 allows remote atta ...) - TODO: check + - serendipity CVE-2016-10751 (osClass 3.6.1 allows oc-admin/plugins.php Directory Traversal via the ...) TODO: check CVE-2019-12311 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7aeaa7c8cd7b6618a7e55763cef5da0659fb7ddb
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-12312/libreswan
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e7e49cf by Salvatore Bonaccorso at 2019-05-24T20:59:44Z Add CVE-2019-12312/libreswan - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17,7 +17,9 @@ CVE-2019-12314 (Deltek Maconomy 2.2.5 is prone to local file inclusion via absol CVE-2019-12313 (XSS exists in Shave before 2.5.3 because output encoding is mishandled ...) TODO: check CVE-2019-12312 (In Libreswan before 3.28, an assertion failure can lead to a pluto IKE ...) - TODO: check + - libreswan + NOTE: https://github.com/libreswan/libreswan/issues/246 + NOTE: https://github.com/libreswan/libreswan/commit/7142d2c37d58cf024595a7549f0fb0d3946682f8 CVE-2017-18375 (Ampache 3.8.3 allows PHP Object Instantiation via democratic.ajax.php ...) - ampache CVE-2016-10759 (The Xinha plugin in Precurio 2.1 allows Directory Traversal, with resu ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9e7e49cfdbcdbcb64d3234de686a47eac8712c53
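Review bot: the upstream issue and fix commit are recorded, but "+ - libreswan" has no Debian bug number and there are no [stretch] or [jessie] annotations, so the entry reads as an unowned open issue in every suite. Since the description says the assertion failure is fixed in 3.28, add "(bug #...)" once a bug is filed and state per suite whether the pluto crash is reachable there (the same "(Minor issue)" or "(Vulnerable code not present)" form used for the other entries in this file), so the stable security team can triage it without re-reading the upstream commit.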
[Git][security-tracker-team/security-tracker][master] Unmark CVE-2018-20839/systemd
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 224d75ff by Salvatore Bonaccorso at 2019-05-25T07:40:29Z Unmark CVE-2018-20839/systemd - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -424,12 +424,13 @@ CVE-2019-12151 CVE-2019-12150 (Karamasoft UltimateEditor 1 does not ensure that an uploaded file is a ...) TODO: check CVE-2018-20839 (systemd 242 changes the VT1 mode upon a logout, which allows attackers ...) - - systemd 241-4 (bug #929116) + - systemd (bug #929116) [stretch] - systemd (Minor issue) NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993 NOTE: https://github.com/systemd/systemd/commit/9725f1a10f80f5e0ae7d9b60547458622aeb322f NOTE: https://github.com/systemd/systemd/pull/12378 - NOTE: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929229 (regression) + NOTE: The fix introduced a regression, cf. https://bugs.debian.org/929229 + NOTE: Issue was originally fixed for unstable in 241-4 but was reverted in 241-5 CVE-2019-12149 RESERVED CVE-2019-12148 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/224d75ff32b62e31b930bf20fbe9ac96088c10e7
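Review bot: dropping the version from "- systemd 241-4 (bug #929116)" correctly reopens the issue for unstable, and the two new NOTE lines explain why, but the entry still only carries "[stretch] - systemd (Minor issue)". With the fix reverted in 241-5, testing is now shown as vulnerable with no annotation at all; either add a [buster] line in the same form the file uses elsewhere, or extend the second NOTE to say whether the 241-5 revert is what buster is expected to ship, so the release status is not left implicit.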
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 21fb7d50 by security tracker role at 2019-05-25T08:10:19Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -571,7 +571,7 @@ CVE-2019-12088 CVE-2019-12087 (** DISPUTED ** Samsung S9+, S10, and XCover 4 P(9.0) devices can becom ...) NOT-FOR-US: Samsung devices CVE-2019-12086 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) - {DLA-1798-1} + {DSA-4452-1 DLA-1798-1} - jackson-databind 2.9.8-2 (bug #929177) NOTE: https://github.com/FasterXML/jackson-databind/issues/2326 NOTE: https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024 @@ -1388,7 +1388,7 @@ CVE-2019-11699 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-11699 CVE-2019-11698 RESERVED - {DSA-4448-1 DLA-1800-1} + {DSA-4451-1 DSA-4448-1 DLA-1800-1} [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 @@ -1421,7 +1421,7 @@ CVE-2019-11694 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11694 CVE-2019-11693 RESERVED - {DSA-4448-1 DLA-1800-1} + {DSA-4451-1 DSA-4448-1 DLA-1800-1} [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 @@ -1431,7 +1431,7 @@ CVE-2019-11693 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11693 CVE-2019-11692 RESERVED - {DSA-4448-1 DLA-1800-1} + {DSA-4451-1 DSA-4448-1 DLA-1800-1} [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 @@ -1441,7 +1441,7 @@ CVE-2019-11692 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-11692 CVE-2019-11691 RESERVED - {DSA-4448-1 DLA-1800-1} + {DSA-4451-1 DSA-4448-1 DLA-1800-1} [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 
@@ -6771,7 +6771,7 @@ CVE-2019-9821 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-13/#CVE-2019-9821 CVE-2019-9820 RESERVED - {DSA-4448-1 DLA-1800-1} + {DSA-4451-1 DSA-4448-1 DLA-1800-1} [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 @@ -6781,7 +6781,7 @@ CVE-2019-9820 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9820 CVE-2019-9819 RESERVED - {DSA-4448-1 DLA-1800-1} + {DSA-4451-1 DSA-4448-1 DLA-1800-1} [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 @@ -6799,7 +6799,7 @@ CVE-2019-9818 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9818 CVE-2019-9817 RESERVED - {DSA-4448-1 DLA-1800-1} + {DSA-4451-1 DSA-4448-1 DLA-1800-1} [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 @@ -6809,7 +6809,7 @@ CVE-2019-9817 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-15/#CVE-2019-9817 CVE-2019-9816 RESERVED - {DSA-4448-1 DLA-1800-1} + {DSA-4451-1 DSA-4448-1 DLA-1800-1} [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 @@ -6879,7 +6879,7 @@ CVE-2019-9801 (Firefox will accept any registered Program ID as an external prot NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-11/#CVE-2019-9801 CVE-2019-9800 RESERVED - {DSA-4448-1 DLA-1800-1} + {DSA-4451-1 DSA-4448-1 DLA-1800-1} [experimental] - firefox 67.0-1 - firefox - firefox-esr 60.7.0esr-1 @@ -6894,7 +6894,7 @@ CVE-2019-9798 (On Android systems, Firefox can load a library from APITRACE_LIB, - firefox (Android-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9798 CVE-2019-9797 (Cross-origin images can be read in violation of the same-origin policy ...) - {DSA-4448-1 DLA-1800-1} + {DSA-4451-1 DSA-4448-1 DLA-1800-1} - firefox 66.0-1 - firefox-esr 60.7.0esr-1 - thunderbird 1:60.7.0-1 
@@ -13194,7 +13194,7 @@ CVE-2019-7319 CVE-2019-7318 RESERVED CVE-2019-7317 (png_image_free in png.c in libpng 1.6.36 has a use-after-free because ...) - {DSA-4448-1 DSA-4435-1 DLA-1800-1} + {DSA-4451-1 DSA-4448-1 DSA-4435-1 DLA-1800-1} - libpng1.6 1.6.36-4 (bug #921355) [experimental] - firefox 67.0-1 - firefox @@ -16908,7 +16908,7 @@ CVE-2019-5799 (Incorrect inheritance of a new document's policy in Content Secur {DSA-4421-1} - chromium 73.0.3683.75-1 CVE-2019-5798 (Lack of correct bounds checking in Skia in Google Chrome
[Git][security-tracker-team/security-tracker][master] Correct source package tracking for CVE-2019-12221
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fae85ac1 by Salvatore Bonaccorso at 2019-05-25T12:50:22Z Correct source package tracking for CVE-2019-12221 After further investigation Hugo Lefeuvre found the root cause for the CVE and can be associated with libsdl2-image and sdl-image1.2. Thus the explicitly added TODO item can be dropped and source packages adjusted accordingly. Details in https://bugzilla.libsdl.org/show_bug.cgi?id=4628#c2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -242,14 +242,13 @@ CVE-2019-1 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4621 TODO: check details and correct vulnerability location CVE-2019-12221 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) - - libsdl2 - [stretch] - libsdl2 (Minor issue) - [jessie] - libsdl2 (Minor issue) - - libsdl1.2 - [stretch] - libsdl1.2 (Minor issue) - [jessie] - libsdl1.2 (Minor issue) + - libsdl2-image + [stretch] - libsdl2-image (Minor issue) + [jessie] - libsdl2-image (Minor issue) + - sdl-image1.2 + [stretch] - sdl-image1.2 (Minor issue) + [jessie] - sdl-image1.2 (Minor issue) NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4628 - NOTE: affects libsdl2-image/sdl-image1.2, not libsdl2/libsdl1.2 CVE-2019-12220 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...) - libsdl2 [stretch] - libsdl2 (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fae85ac1d5d2f7a9c765f900a3543cbad8b72e33
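Review bot: removing "- NOTE: affects libsdl2-image/sdl-image1.2, not libsdl2/libsdl1.2" takes away the only hint in the entry that the package lines deliberately disagree with the CVE description, which still says "libSDL2.a". The neighbouring CVE-2019-12220 keeps "- libsdl2", so a reader comparing the two entries will be tempted to "correct" this one back. Keep a one-line NOTE, pointing at comment 2 of bug 4628 as the commit message does, so the mismatch with the description is documented in the file rather than only in the git history.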
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2019-11811/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d4ddab3d by Salvatore Bonaccorso at 2019-05-25T19:25:44Z Update status for CVE-2019-11811/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1144,6 +1144,8 @@ CVE-2019-11815 (An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in NOTE: Fixed by: https://git.kernel.org/linus/cb66ddd156203daefb8d71158036b27b0e2caf63 CVE-2019-11811 (An issue was discovered in the Linux kernel before 5.0.4. There is a u ...) - linux 4.19.37-1 + [stretch] - linux (Vulnerable code not present) + [jessie] - linux (Vulnerable code not present) NOTE: Fixed by: https://git.kernel.org/linus/401e7e88d4ef80188ffa07095ac00456f901b8c4 CVE-2019-11810 (An issue was discovered in the Linux kernel before 5.0.7. A NULL point ...) - linux 4.19.37-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d4ddab3daba9f0dfb660ece02329d936233b3d4d
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2018-20510
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cd43949d by Salvatore Bonaccorso at 2019-05-25T19:37:19Z Update information for CVE-2018-20510 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22750,6 +22750,7 @@ CVE-2018-20512 (EPON CPE-WiFi devices 2.0.4-X000 are vulnerable to escalation of NOT-FOR-US: EPON CPE-WiFi devices CVE-2018-20510 (The print_binder_transaction_ilocked function in drivers/android/binde ...) - linux 4.16.5-1 + [jessie] - linux 3.16.57-1 NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8ca86f1639ec5890d400fff9211aca22d0a392eb CVE-2018-20509 (The print_binder_ref_olocked function in drivers/android/binder.c in t ...) - linux 4.14.2-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cd43949ddef8ae2f9bd7bd918ae3ede613543a6e
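Review bot: the hunk adds "+ [jessie] - linux 3.16.57-1" but leaves stretch with no annotation, so stretch inherits the unstable status and is shown as fixed only by 4.16.5-1, a version it never shipped. If the 4.9 stable series picked up commit 8ca86f1639ec5890d400fff9211aca22d0a392eb, add the matching "[stretch] - linux <version>" line next to the jessie one; if it did not, mark stretch explicitly so that the entry does not look fixed there by accident.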
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6ae76b13 by security tracker role at 2019-05-25T20:10:23Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3105,6 +3105,7 @@ CVE-2019-11037 (In PHP imagick extension in versions between 3.3.0 and 3.4.4, wr NOTE: https://bugs.php.net/bug.php?id=77791 NOTE: https://github.com/mkoppanen/imagick/commits/bugfix_77791 CVE-2019-11036 (When processing certain files, PHP EXIF extension in versions 7.1.x be ...) + {DLA-1803-1} - php7.3 (bug #928421) - php7.0 [stretch] - php7.0 (Fix along in future update) @@ -3112,6 +3113,7 @@ CVE-2019-11036 (When processing certain files, PHP EXIF extension in versions 7. NOTE: Fixed in 7.1.29, 7.2.18, 7.3.5 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77950 CVE-2019-11035 (When processing certain files, PHP EXIF extension in versions 7.1.x be ...) + {DLA-1803-1} - php7.3 7.3.4-1 - php7.0 [stretch] - php7.0 (Fix along in future update) @@ -3119,6 +3121,7 @@ CVE-2019-11035 (When processing certain files, PHP EXIF extension in versions 7. NOTE: Fixed in 7.1.28, 7.2.17, 7.3.4 NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77831 CVE-2019-11034 (When processing certain files, PHP EXIF extension in versions 7.1.x be ...) + {DLA-1803-1} - php7.3 7.3.4-1 - php7.0 [stretch] - php7.0 (Fix along in future update) 
@@ -17874,6 +17877,7 @@ CVE-2019-5437 (Information exposure through the directory listing in npm's harp NOT-FOR-US: npm harp module CVE-2019-5436 [TFTP receive buffer overflow] RESERVED + {DLA-1804-1} - curl (bug #929351) NOTE: https://curl.haxx.se/docs/CVE-2019-5436.html NOTE: Introduced by: https://github.com/curl/curl/commit/0516ce7786e95 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6ae76b1370ddc372cc65d6d3c4e5c07696016ccf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6ae76b1370ddc372cc65d6d3c4e5c07696016ccf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
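Review bot: CVE-2019-5436 gains {DLA-1804-1}, but the "- curl (bug #929351)" line still carries no fixed version for unstable, so the tracker keeps reporting unstable and stretch as vulnerable; when the upload closing bug #929351 lands, the version belongs on that line. The description line still reads RESERVED, which is expected until the CVE text is published; the bracketed title keeps the entry identifiable in the meantime, so nothing to change there.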
[Git][security-tracker-team/security-tracker][master] Add upstream commit for CVE-2019-10143/freeradius
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c9752b83 by Salvatore Bonaccorso at 2019-05-26T14:45:19Z Add upstream commit for CVE-2019-10143/freeradius - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5266,6 +5266,7 @@ CVE-2019-10144 CVE-2019-10143 (It was discovered freeradius up to and including version 3.0.19 does n ...) - freeradius (unimportant; bug #929466) NOTE: https://github.com/FreeRADIUS/freeradius-server/pull/2666 + NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/1f233773962bf1a9c2d228a180eacddb9db2d574 NOTE: This is not a security issue per se CVE-2019-10142 [drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl] RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c9752b83a773e6ad65866e48a818463a628be355 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c9752b83a773e6ad65866e48a818463a628be355 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
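Review bot: the new commit NOTE sits between the pull request link and the "not a security issue per se" note without a "Fixed by:" label. Since the entry is already marked unimportant, labelling the line ("NOTE: Fixed by: https://github.com/FreeRADIUS/freeradius-server/commit/1f233773962bf1a9c2d228a180eacddb9db2d574") makes clear whether the commit is the merged fix for pull request 2666 rather than further discussion.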
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-12886/gcc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 425e885c by Salvatore Bonaccorso at 2019-05-26T18:51:31Z Add CVE-2018-12886/gcc This defintively is not DSA material thus go and mark directly any source affecting stable as ignored already as backporting the fix will be quite intrusive. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -49750,7 +49750,14 @@ CVE-2018-12888 CVE-2018-12887 RESERVED CVE-2018-12886 (stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in fu ...) - TODO: check + - gcc-snapshot + - gcc-8 + - gcc-7 + - gcc-6 + [stretch] - gcc-6 (Too intrusive to backport) + - gcc-4.9 + - gcc-4.8 + NOTE: https://gcc.gnu.org/viewcvs/gcc/trunk/gcc/config/arm/arm-protos.h?revision=266379&view=markup CVE-2018-12885 (The randMod() function of the smart contract implementation for MyCryp ...) NOT-FOR-US: MyCryptoChamp CVE-2018-12884 (In Octopus Deploy 3.0 onwards (before 2018.6.7), an authenticated user ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/425e885c945d222ae1ad77f444ddbc88f53daed9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/425e885c945d222ae1ad77f444ddbc88f53daed9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
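Review bot: gcc-4.9 and gcc-4.8 are added with no release annotation, so unlike gcc-6, which gets "[stretch] - gcc-6 (Too intrusive to backport)", they stay open for the releases that ship them; if the commit message's "too intrusive" reasoning applies to the older branches as well, the same annotation should be added, otherwise a TODO for the LTS team would make the intent explicit. The NOTE also links a viewcvs file view of arm-protos.h at revision 266379 rather than the revision that fixed the issue; a link to the fixing changeset would be more useful to anyone evaluating a backport.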
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 44f76234 by security tracker role at 2019-05-27T08:10:19Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -529,6 +529,7 @@ CVE-2019-12107 (The upnp_event_prepare function in upnpevents.c in MiniUPnP Mini NOTE: https://github.com/miniupnp/miniupnp/commit/bec6ccec63cadc95655721bc0e1dd49dac759d94 TODO: check, might affect minidlna CVE-2019-12106 (The updateDevice function in minissdpd.c in MiniUPnP MiniSSDPd 1.4 and ...) + {DLA-1805-1} - minissdpd 1.5.20190210-1 (bug #929297) NOTE: https://github.com/miniupnp/miniupnp/commit/cd506a67e174a45c6a202eff182a712955ed6d6f CVE-2019-12105 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/44f762345732b0fba06d3e29a67ecb1de175bba6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/44f762345732b0fba06d3e29a67ecb1de175bba6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add bug reference for freeimage issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dff56a0b by Salvatore Bonaccorso at 2019-05-27T10:28:31Z Add bug reference for freeimage issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -290,16 +290,16 @@ CVE-2019-12216 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer CVE-2019-12215 (** DISPUTED ** A full path disclosure vulnerability was discovered in ...) - matomo (bug #448532) CVE-2019-12214 (In FreeImage 3.18.0, an out-of-bounds access occurs because of mishand ...) - - freeimage + - freeimage (bug #929597) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/ CVE-2019-12213 (When FreeImage 3.18.0 reads a special TIFF file, the TIFFReadDirectory ...) - - freeimage + - freeimage (bug #929597) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/ CVE-2019-12212 (When FreeImage 3.18.0 reads a special JXR file, the StreamCalcIFDSize ...) - - freeimage + - freeimage (bug #929597) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/ CVE-2019-12211 (When FreeImage 3.18.0 reads a tiff file, it will be handed to the Load ...) - - freeimage + - freeimage (bug #929597) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/e06734bed5/ CVE-2019-12210 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dff56a0b50da52ac54c171a3715f7c284dc5366b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dff56a0b50da52ac54c171a3715f7c284dc5366b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Mark CVE-2019-12106/minissdpd as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b4fe260 by Salvatore Bonaccorso at 2019-05-27T12:12:19Z Mark CVE-2019-12106/minissdpd as no-dsa - - - - - ca4a034a by Salvatore Bonaccorso at 2019-05-27T12:12:19Z Track proposed fix for CVE-2019-12106 via stretch-pu - - - - - 2 changed files: - data/CVE/list - data/next-point-update.txt Changes: = data/CVE/list = @@ -532,6 +532,7 @@ CVE-2019-12107 (The upnp_event_prepare function in upnpevents.c in MiniUPnP Mini CVE-2019-12106 (The updateDevice function in minissdpd.c in MiniUPnP MiniSSDPd 1.4 and ...) {DLA-1805-1} - minissdpd 1.5.20190210-1 (bug #929297) + [stretch] - minissdpd (Minor issue) NOTE: https://github.com/miniupnp/miniupnp/commit/cd506a67e174a45c6a202eff182a712955ed6d6f CVE-2019-12105 RESERVED = data/next-point-update.txt = @@ -81,3 +81,5 @@ CVE-2019-2614 [stretch] - mariadb-10.1 10.1.40-0+deb9u1 CVE-2018-19105 [stretch] - librecad 2.1.2-1+deb9u1 +CVE-2019-12106 + [stretch] - minissdpd 1.2.20130907-4.1+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/6a7cb531fab0a2106dd0375c8ecc25634c454909...ca4a034a0e012b218db8ff387b886ab1523d10c0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/6a7cb531fab0a2106dd0375c8ecc25634c454909...ca4a034a0e012b218db8ff387b886ab1523d10c0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2017-15365: group source package entries
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 34155b2b by Salvatore Bonaccorso at 2019-05-27T15:06:20Z CVE-2017-15365: group source package entries - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -92326,8 +92326,8 @@ CVE-2017-15365 (sql/event_data_objects.cc in MariaDB before 10.1.30 and 10.2.x b - mariadb-10.2 (bug #884065) - mariadb-10.1 1:10.1.34-1 (bug #885345) - mariadb-10.0 - - percona-xtrabackup [jessie] - mariadb-10.0 (vulnerable code not present) + - percona-xtrabackup [jessie] - percona-xtrabackup (vulnerable code not present) - mysql-5.7 - mysql-5.5 (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/34155b2b8ef5844af81665dc11e07ef41b364955 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/34155b2b8ef5844af81665dc11e07ef41b364955 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
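Review bot: the moved jessie line keeps "vulnerable code not present" in lowercase while the mysql-5.5 line two lines below uses "Vulnerable code not present"; since this commit already touches the line, capitalising consistently would avoid a second cosmetic commit. The regrouping itself is fine: each [jessie] annotation now directly follows the source package it refers to, matching the rest of the entry.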
[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2019-12295/wireshark
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9351ed2b by Salvatore Bonaccorso at 2019-05-27T15:07:50Z Add fixed version via unstable for CVE-2019-12295/wireshark - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -76,7 +76,7 @@ CVE-2019-12297 (An issue was discovered in scopd on Motorola routers CX2 1.01 an CVE-2019-12296 RESERVED CVE-2019-12295 (In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14, the ...) - - wireshark (low; bug #929446) + - wireshark 2.6.8-1.1 (low; bug #929446) [stretch] - wireshark (Minor issue) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15778 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=7b6e197da4c497e229ed3ebf6952bae5c426a820 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9351ed2b7b0baf6536d948b464b0a1911d93accc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9351ed2b7b0baf6536d948b464b0a1911d93accc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reference fix for CVE-2018-11802 from the branch_6_6
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 19067384 by Salvatore Bonaccorso at 2019-05-27T18:32:16Z Reference fix for CVE-2018-11802 from the branch_6_6 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -52946,6 +52946,7 @@ CVE-2018-11802 [Rule-base Authorization plugin skips authorization if querying n - lucene-solr [jessie] - lucene-solr (Vulnerable code is not present) NOTE: https://issues.apache.org/jira/browse/SOLR-12514 + NOTE: Fixed by: https://github.com/apache/lucene-solr/commit/add003f217806afb4e1604f697cdb0a5a7115895 (releases/lucene-solr/6.6.6) CVE-2018-11801 RESERVED NOT-FOR-US: Apache Fineract View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/190673842f35dd1c0aef15045e26d8f0154915eb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/190673842f35dd1c0aef15045e26d8f0154915eb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits