[Git][security-tracker-team/security-tracker][master] xymon spu/ospu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fca37c42 by Moritz Muehlenhoff at 2019-08-23T05:30:02Z xymon spu/ospu - - - - - 2 changed files: - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -200,3 +200,19 @@ CVE-2017-11358 [stretch] - sox 14.4.1-5+deb9u2 CVE-2017-11332 [stretch] - sox 14.4.1-5+deb9u2 +CVE-2019-13486 + [stretch] - xymon 4.3.28-2+deb9u1 +CVE-2019-13485 + [stretch] - xymon 4.3.28-2+deb9u1 +CVE-2019-13484 + [stretch] - xymon 4.3.28-2+deb9u1 +CVE-2019-13455 + [stretch] - xymon 4.3.28-2+deb9u1 +CVE-2019-13273 + [stretch] - xymon 4.3.28-2+deb9u1 +CVE-2019-13274 + [stretch] - xymon 4.3.28-2+deb9u1 +CVE-2019-13451 + [stretch] - xymon 4.3.28-2+deb9u1 +CVE-2019-13452 + [stretch] - xymon 4.3.28-2+deb9u1 = data/next-point-update.txt = @@ -103,3 +103,19 @@ CVE-2019-3900 [buster] - linux 4.19.67-1 CVE-2019-9506 [buster] - linux 4.19.67-1 +CVE-2019-13486 + [buster] - xymon 4.3.28-5+deb10u1 +CVE-2019-13485 + [buster] - xymon 4.3.28-5+deb10u1 +CVE-2019-13484 + [buster] - xymon 4.3.28-5+deb10u1 +CVE-2019-13455 + [buster] - xymon 4.3.28-5+deb10u1 +CVE-2019-13273 + [buster] - xymon 4.3.28-5+deb10u1 +CVE-2019-13274 + [buster] - xymon 4.3.28-5+deb10u1 +CVE-2019-13451 + [buster] - xymon 4.3.28-5+deb10u1 +CVE-2019-13452 + [buster] - xymon 4.3.28-5+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fca37c4207e67ddf0c04d5746accfa906c4ae30f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fca37c4207e67ddf0c04d5746accfa906c4ae30f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track some more CVE fixes for src:linux with stretch-pu upload
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c286ed95 by Salvatore Bonaccorso at 2019-08-23T04:28:03Z Track some more CVE fixes for src:linux with stretch-pu upload One CVE was fixed already in the 4.9.185-1 upload (back then no CVE assigned) and three more in versions between 4.9.185 and 4.9.189 as uploaded and thus included as well in 4.9.189-1. - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -109,6 +109,14 @@ CVE-2019-10142 [stretch] - linux 4.9.184-1 CVE-2019-15221 [stretch] - linux 4.9.185-1 +CVE-2019-9506 + [stretch] - linux 4.9.185-1 +CVE-2019-15220 + [stretch] - linux 4.9.189-1 +CVE-2019-15211 + [stretch] - linux 4.9.189-1 +CVE-2019-15215 + [stretch] - linux 4.9.189-1 CVE-2019-10153 [stretch] - fence-agents 4.0.25-1+deb9u1 CVE-2016-10711 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c286ed95f6c2778f616c5f1e8ead9881102b23d5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c286ed95f6c2778f616c5f1e8ead9881102b23d5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] sox opsu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ae0453fa by Moritz Muehlenhoff at 2019-08-22T21:06:30Z sox opsu - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -166,3 +166,29 @@ CVE-2019-8675 [stretch] - cups 2.2.1-8+deb9u4 CVE-2019-14275 [stretch] - fig2dev 1:3.2.6a-2+deb9u2 +CVE-2019-8354 + [stretch] - sox 14.4.1-5+deb9u2 +CVE-2019-8355 + [stretch] - sox 14.4.1-5+deb9u2 +CVE-2019-8356 + [stretch] - sox 14.4.1-5+deb9u2 +CVE-2019-8357 + [stretch] - sox 14.4.1-5+deb9u2 +CVE-2019-1010004 + [stretch] - sox 14.4.1-5+deb9u2 +CVE-2017-18189 + [stretch] - sox 14.4.1-5+deb9u2 +CVE-2017-15642 + [stretch] - sox 14.4.1-5+deb9u2 +CVE-2017-15372 + [stretch] - sox 14.4.1-5+deb9u2 +CVE-2017-15371 + [stretch] - sox 14.4.1-5+deb9u2 +CVE-2017-15370 + [stretch] - sox 14.4.1-5+deb9u2 +CVE-2017-11359 + [stretch] - sox 14.4.1-5+deb9u2 +CVE-2017-11358 + [stretch] - sox 14.4.1-5+deb9u2 +CVE-2017-11332 + [stretch] - sox 14.4.1-5+deb9u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ae0453fa69ffd7a702b184484d60c7a66baf68cd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ae0453fa69ffd7a702b184484d60c7a66baf68cd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: add djvulibre
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: e2354555 by Thorsten Alteholz at 2019-08-22T20:38:20Z add djvulibre - - - - - 8d166c49 by Thorsten Alteholz at 2019-08-22T20:42:07Z add adplug - - - - - 38a2cb15 by Thorsten Alteholz at 2019-08-22T20:50:36Z add cimg - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -9,9 +9,14 @@ To pick an issue, simply add your name behind it. To learn more about how this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues +-- +adplug -- apache2 (Markus Koschany) -- +cimg + NOTE: inline function load_network_external is affected, variable filename +-- clamav (Hugo Lefeuvre) NOTE: wait for definitive patch to be available, then upgrade to latest upstream NOTE: release (follow stretch changes) (hle) @@ -21,6 +26,8 @@ clamav (Hugo Lefeuvre) -- dnsmasq (Mike Gabriel) -- +djvulibre (Thorsten Alteholz) +-- faad2 (Hugo Lefeuvre) NOTE: 20190820: Last PR pending review: https://github.com/knik0/faad2/pull/38 NOTE: Upload with recent patches will happen soon. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/1e37e5d9935a07b83b359724166921bb7af2acbe...38a2cb157755c287167dd8220b0da034d324c316 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/1e37e5d9935a07b83b359724166921bb7af2acbe...38a2cb157755c287167dd8220b0da034d324c316 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
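Review bot: the cimg NOTE in the first hunk ("inline function load_network_external is affected, variable filename") names the affected function but not which issue it belongs to; adding the CVE id or a link to the upstream report on that NOTE line would spare the next triager a lookup, and the new adplug entry has no NOTE at all.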
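Review bot: the djvulibre entry in the second hunk of data/dla-needed.txt is inserted after dnsmasq, but the file is kept in alphabetical order and "dj" sorts before "dn", so it belongs between the clamav and dnsmasq entries; the first hunk gets this right for adplug (before apache2) and cimg (before clamav).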
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1893-1 for cups
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 1e37e5d9 by Thorsten Alteholz at 2019-08-22T20:30:09Z Reserve DLA-1893-1 for cups - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[22 Aug 2019] DLA-1893-1 cups - security update + {CVE-2019-8675 CVE-2019-8696} + [jessie] - cups 1.7.5-11+deb8u5 [21 Aug 2019] DLA-1886-2 openjdk-7 - regression update [jessie] - openjdk-7 7u231-2.6.19-1~deb8u2 [20 Aug 2019] DLA-1892-1 flask - security update = data/dla-needed.txt = @@ -19,8 +19,6 @@ clamav (Hugo Lefeuvre) NOTE: 20190822: upstream has released 0.101.4, wait for stretch update (see bug NOTE: report) (hle) -- -cups (Thorsten Alteholz) --- dnsmasq (Mike Gabriel) -- faad2 (Hugo Lefeuvre) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1e37e5d9935a07b83b359724166921bb7af2acbe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1e37e5d9935a07b83b359724166921bb7af2acbe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-1238{5,6}/ampache
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1e089f2b by Salvatore Bonaccorso at 2019-08-22T20:38:27Z Add CVE-2019-1238{5,6}/ampache - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9462,9 +9462,9 @@ CVE-2019-12387 (In Twisted before 19.2.1, twisted.web did not validate or saniti [jessie] - twisted (Minor issue) NOTE: https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2 CVE-2019-12386 (An issue was discovered in Ampache through 3.9.1. A stored XSS exists ...) - TODO: check + - ampache CVE-2019-12385 (An issue was discovered in Ampache through 3.9.1. The search engine is ...) - TODO: check + - ampache CVE-2019-12384 (FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to ...) {DLA-1831-1} - jackson-databind 2.9.8-3 (bug #930750) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1e089f2bf3fcefd67759aea82c2adf6333d0278c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1e089f2bf3fcefd67759aea82c2adf6333d0278c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
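Review bot: both ampache entries change from "TODO: check" to a bare "- ampache", i.e. unfixed, with no bug reference and no severity tag; the neighbouring jackson-databind entry carries "(bug #930750)", and a "(bug #...)" reference or a tag such as "(Minor issue)" would record why these stay open and who is expected to act.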
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-15314/tikiwiki
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 050b9ed9 by Salvatore Bonaccorso at 2019-08-22T20:37:37Z Add CVE-2019-15314/tikiwiki - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -181,7 +181,7 @@ CVE-2009-5158 (The google-analyticator plugin before 5.2.1 for WordPress has ins CVE-2008-7321 (The tubepress plugin before 1.6.5 for WordPress has XSS. ...) NOT-FOR-US: tubepress plugin for WordPress CVE-2019-15314 (tiki/tiki-upload_file.php in Tiki 18.4 allows remote attackers to uplo ...) - TODO: check + - tikiwiki CVE-2019-15313 RESERVED CVE-2019-15312 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/050b9ed94dd360fc98329d9ac082e6a84f6aa76b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/050b9ed94dd360fc98329d9ac082e6a84f6aa76b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
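Review bot: the tikiwiki entry becomes a bare "- tikiwiki" with no fixed version, bug reference or severity tag; a NOTE pointing at the upstream fix for the Tiki 18.4 upload issue, or a "(bug #...)" reference once filed, would document the state of the package rather than just clearing the TODO.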
[Git][security-tracker-team/security-tracker][master] Process more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 78de003a by Salvatore Bonaccorso at 2019-08-22T20:24:21Z Process more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -63,9 +63,9 @@ CVE-2019-15318 (The yikes-inc-easy-mailchimp-extender plugin before 6.5.3 for Wo CVE-2019-15317 (The give plugin before 2.4.7 for WordPress has XSS via a donor name. ...) NOT-FOR-US: give plugin for WordPress CVE-2019-15316 (Valve Steam Client for Windows through 2019-08-20 has weak folder perm ...) - TODO: check + NOT-FOR-US: Valve Steam Client for Windows CVE-2019-15315 (Valve Steam Client for Windows through 2019-08-16 allows privilege esc ...) - TODO: check + NOT-FOR-US: Valve Steam Client for Windows CVE-2018-20986 RESERVED CVE-2018-20985 (The wp-payeezy-pay plugin before 2.98 for WordPress has local file inc ...) @@ -133,7 +133,7 @@ CVE-2016-10922 (The woocommerce-store-toolkit plugin before 1.5.7 for WordPress CVE-2016-10921 (The gallery-photo-gallery plugin before 1.0.1 for WordPress has SQL in ...) NOT-FOR-US: gallery-photo-gallery plugin for WordPress CVE-2016-10920 (The gnucommerce plugin before 0.5.7-BETA for WordPress has XSS. ...) - TODO: check + NOT-FOR-US: gnucommerce plugin for WordPress CVE-2016-10919 (The wassup plugin before 1.9.1 for WordPress has XSS via the Top stats ...) NOT-FOR-US: wassup plugin for WordPress CVE-2016-10918 (The gallery-by-supsystic plugin before 1.8.6 for WordPress has CSRF. ...) @@ -997,7 +997,7 @@ CVE-2019-15062 (An issue was discovered in Dolibarr 11.0.0-alpha. A user can sto CVE-2019-15061 RESERVED CVE-2019-15060 (The traceroute function on the TP-Link TL-WR840N v4 router with firmwa ...) - TODO: check + NOT-FOR-US: TP-Link CVE-2019-15059 RESERVED CVE-2019-15058 (stb_image.h (aka the stb image loader) 2.23 has a heap-based buffer ov ...) 
@@ -2559,7 +2559,7 @@ CVE-2019-14471 (TestLink 1.9.19 has XSS via the error.php message parameter. ... CVE-2019-14470 RESERVED CVE-2019-14469 (In Nexus Repository Manager before 3.18.0, users with elevated privile ...) - TODO: check + NOT-FOR-US: Nexus Repository Manager CVE-2019-14468 (GnuCOBOL 2.2 has a buffer overflow in cb_push_op in cobc/field.c via c ...) - gnucobol (bug #933884) [buster] - gnucobol (Minor issue) @@ -8164,7 +8164,7 @@ CVE-2019-12891 CVE-2019-12890 (RedwoodHQ 2.5.5 does not require any authentication for database opera ...) NOT-FOR-US: RedwoodHQ CVE-2019-12889 (An unauthenticated privilege escalation exists in SailPoint Desktop Pa ...) - TODO: check + NOT-FOR-US: SailPoint Desktop Password Reset CVE-2019-12888 REJECTED CVE-2019-12887 (KeyIdentity LinOTP before 2.10.5.3 has Incorrect Access Control (issue ...) @@ -13037,11 +13037,11 @@ CVE-2019-11033 (Applaud HCM 4.0.42+ uses HTML tag fields for HTML inputs in a fo CVE-2019-11032 (In EasyToRecruit (E2R) before 2.11, the upload feature and the Candida ...) NOT-FOR-US: EasyToRecruit CVE-2019-11031 (Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the auto-up ...) - TODO: check + NOT-FOR-US: Mirasys VMS CVE-2019-11030 (Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the Mirasys ...) - TODO: check + NOT-FOR-US: Mirasys VMS CVE-2019-11029 (Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the Downloa ...) - TODO: check + NOT-FOR-US: Mirasys VMS CVE-2019-11028 (GAT-Ship Web Module before 1.40 suffers from a vulnerability allowing ...) NOT-FOR-US: GAT-Ship Web Module CVE-2015-9284 (The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site ...) 
@@ -13220,7 +13220,7 @@ CVE-2019-10962 (BD Alaris Gateway versions, 1.0.13,1.1.3 Build 10,1.1.3 MR Build CVE-2019-10961 (In Advantech WebAccess HMI Designer Version 2.1.9.23 and prior, proces ...) NOT-FOR-US: Advantech WebAccess HMI Designer CVE-2019-10960 (Zebra Industrial Printers All Versions, Zebra printers are shipped wit ...) - TODO: check + NOT-FOR-US: Zebra Industrial Printers CVE-2019-10959 (BD Alaris Gateway Workstation Versions, 1.1.3 Build 10, 1.1.3 MR Build ...) NOT-FOR-US: BD Alaris Gateway CVE-2019-10958 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/78de003aa262cc45d13bc87a7cdbe88926afe6f0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/78de003aa262cc45d13bc87a7cdbe88926afe6f0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net
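Review bot: in the hunk at @@ -997,7 +997,7 @@ the new tag "NOT-FOR-US: TP-Link" names only the vendor, whereas every other tag in this change names the product ("NOT-FOR-US: Valve Steam Client for Windows", "NOT-FOR-US: Mirasys VMS", "NOT-FOR-US: Zebra Industrial Printers"); "NOT-FOR-US: TP-Link TL-WR840N" would match the description and the convention used in the rest of the patch.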
[Git][security-tracker-team/security-tracker][master] Process several NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6e12a7bb by Salvatore Bonaccorso at 2019-08-22T20:18:02Z Process several NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2019-15331 (The wp-support-plus-responsive-ticket-system plugin before 9.1.2 for W ...) - TODO: check + NOT-FOR-US: wp-support-plus-responsive-ticket-system plugin for WordPress CVE-2019-15330 (The webp-express plugin before 0.14.11 for WordPress has insufficient ...) - TODO: check + NOT-FOR-US: webp-express plugin for WordPress CVE-2019-15329 RESERVED CVE-2019-15328 
@@ -13,55 +13,55 @@ CVE-2019-15326 CVE-2019-15325 RESERVED CVE-2018-20988 (The wpgform plugin before 0.94 for WordPress has eval injection in the ...) - TODO: check + NOT-FOR-US: wpgform plugin for WordPress CVE-2018-20987 (The newsletters-lite plugin before 4.6.8.6 for WordPress has PHP objec ...) - TODO: check + NOT-FOR-US: newsletters-lite plugin for WordPress CVE-2017-18586 (The insert-pages plugin before 3.2.4 for WordPress has directory trave ...) - TODO: check + NOT-FOR-US: insert-pages plugin for WordPress CVE-2016-10930 (The wp-support-plus-responsive-ticket-system plugin before 7.1.0 for W ...) - TODO: check + NOT-FOR-US: wp-support-plus-responsive-ticket-system plugin for WordPress CVE-2015-9341 (The wp-file-upload plugin before 3.4.1 for WordPress has insufficient ...) - TODO: check + NOT-FOR-US: wp-file-upload plugin for WordPress CVE-2015-9340 (The wp-file-upload plugin before 3.0.0 for WordPress has insufficient ...) - TODO: check + NOT-FOR-US: wp-file-upload plugin for WordPress CVE-2015-9339 (The wp-file-upload plugin before 2.7.1 for WordPress has insufficient ...) - TODO: check + NOT-FOR-US: wp-file-upload plugin for WordPress CVE-2015-9338 (The wp-file-upload plugin before 2.5.0 for WordPress has insufficient ...) - TODO: check + NOT-FOR-US: wp-file-upload plugin for WordPress CVE-2014-10394 (The rich-counter plugin before 1.2.0 for WordPress has JavaScript inje ...) - TODO: check + NOT-FOR-US: rich-counter plugin for WordPress CVE-2014-10393 RESERVED CVE-2014-10392 (The cforms2 plugin before 10.2 for WordPress has XSS. ...) - TODO: check + NOT-FOR-US: cforms2 plugin for WordPress CVE-2014-10391 (The wp-support-plus-responsive-ticket-system plugin before 4.1 for Wor ...) - TODO: check + NOT-FOR-US: wp-support-plus-responsive-ticket-system plugin for WordPress CVE-2014-10390 (The wp-support-plus-responsive-ticket-system plugin before 4.2 for Wor ...) 
- TODO: check + NOT-FOR-US: wp-support-plus-responsive-ticket-system plugin for WordPress CVE-2014-10389 (The wp-support-plus-responsive-ticket-system plugin before 4.2 for Wor ...) - TODO: check + NOT-FOR-US: wp-support-plus-responsive-ticket-system plugin for WordPress CVE-2014-10388 (The wp-support-plus-responsive-ticket-system plugin before 4.2 for Wor ...) - TODO: check + NOT-FOR-US: wp-support-plus-responsive-ticket-system plugin for WordPress CVE-2014-10387 (The wp-support-plus-responsive-ticket-system plugin before 4.2 for Wor ...) - TODO: check + NOT-FOR-US: wp-support-plus-responsive-ticket-system plugin for WordPress CVE-2014-10386 (The wp-live-chat-support plugin before 4.1.0 for WordPress has JavaScr ...) - TODO: check + NOT-FOR-US: wp-live-chat-support plugin for WordPress CVE-2019-15324 (The ad-inserter plugin before 2.4.22 for WordPress has remote code exe ...) - TODO: check + NOT-FOR-US: ad-inserter plugin for WordPress CVE-2019-15323 (The ad-inserter plugin before 2.4.20 for WordPress has path traversal. ...) - TODO: check + NOT-FOR-US: ad-inserter plugin for WordPress CVE-2019-15322 (The shortcode-factory plugin before 2.8 for WordPress has Local File I ...) - TODO: check + NOT-FOR-US: shortcode-factory plugin for WordPress CVE-2019-15321 (The option-tree plugin before 2.7.3 for WordPress has Object Injection ...) - TODO: check + NOT-FOR-US: option-tree plugin for WordPress CVE-2019-15320 (The option-tree plugin before 2.7.3 for WordPress has Object Injection ...) - TODO: check + NOT-FOR-US: option-tree plugin for WordPress CVE-2019-15319 (The option-tree plugin before 2.7.0 for WordPress has Object Injection ...) - TODO: check + NOT-FOR-US: option-tree plugin for WordPress CVE-2019-15318 (The yikes-inc-easy-mailchimp-extender plugin before 6.5.3 for WordPres ...) - TODO: check + NOT-FOR-US: yikes-inc-easy-mailchimp-extender plugin for WordPress CVE-2019-15317 (The give plugin before 2.4.7 for WordPress has XSS via a donor name.
[Git][security-tracker-team/security-tracker][master] Cleanup one REJECTED entry
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: acb34e4b by Salvatore Bonaccorso at 2019-08-22T20:12:34Z Cleanup one REJECTED entry - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -360,7 +360,6 @@ CVE-2019-15232 (Live555 before 2019.08.16 has a Use-After-Free because GenericMe NOTE: Fixed upstream in 2019.08.16 according to available information. CVE-2019-15231 REJECTED - - webmin CVE-2019-15230 RESERVED CVE-2019-15229 (FUEL CMS 1.4.4 has CSRF in the blocks/create/ Create Blocks section of ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/acb34e4b3920818bf4756c1411c171c2e6a4991c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/acb34e4b3920818bf4756c1411c171c2e6a4991c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c31b7a4 by security tracker role at 2019-08-22T20:10:30Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,139 +1,187 @@ -CVE-2019-15324 - RESERVED -CVE-2019-15323 - RESERVED -CVE-2019-15322 +CVE-2019-15331 (The wp-support-plus-responsive-ticket-system plugin before 9.1.2 for W ...) + TODO: check +CVE-2019-15330 (The webp-express plugin before 0.14.11 for WordPress has insufficient ...) + TODO: check +CVE-2019-15329 RESERVED -CVE-2019-15321 +CVE-2019-15328 RESERVED -CVE-2019-15320 +CVE-2019-15327 RESERVED -CVE-2019-15319 +CVE-2019-15326 RESERVED -CVE-2019-15318 +CVE-2019-15325 RESERVED -CVE-2019-15317 +CVE-2018-20988 (The wpgform plugin before 0.94 for WordPress has eval injection in the ...) + TODO: check +CVE-2018-20987 (The newsletters-lite plugin before 4.6.8.6 for WordPress has PHP objec ...) + TODO: check +CVE-2017-18586 (The insert-pages plugin before 3.2.4 for WordPress has directory trave ...) + TODO: check +CVE-2016-10930 (The wp-support-plus-responsive-ticket-system plugin before 7.1.0 for W ...) + TODO: check +CVE-2015-9341 (The wp-file-upload plugin before 3.4.1 for WordPress has insufficient ...) + TODO: check +CVE-2015-9340 (The wp-file-upload plugin before 3.0.0 for WordPress has insufficient ...) + TODO: check +CVE-2015-9339 (The wp-file-upload plugin before 2.7.1 for WordPress has insufficient ...) + TODO: check +CVE-2015-9338 (The wp-file-upload plugin before 2.5.0 for WordPress has insufficient ...) + TODO: check +CVE-2014-10394 (The rich-counter plugin before 1.2.0 for WordPress has JavaScript inje ...) + TODO: check +CVE-2014-10393 RESERVED +CVE-2014-10392 (The cforms2 plugin before 10.2 for WordPress has XSS. ...) + TODO: check +CVE-2014-10391 (The wp-support-plus-responsive-ticket-system plugin before 4.1 for Wor ...) + TODO: check +CVE-2014-10390 (The wp-support-plus-responsive-ticket-system plugin before 4.2 for Wor ...) + TODO: check +CVE-2014-10389 (The wp-support-plus-responsive-ticket-system plugin before 4.2 for Wor ...) + TODO: check +CVE-2014-10388 (The wp-support-plus-responsive-ticket-system plugin before 4.2 for Wor ...) 
+ TODO: check +CVE-2014-10387 (The wp-support-plus-responsive-ticket-system plugin before 4.2 for Wor ...) + TODO: check +CVE-2014-10386 (The wp-live-chat-support plugin before 4.1.0 for WordPress has JavaScr ...) + TODO: check +CVE-2019-15324 (The ad-inserter plugin before 2.4.22 for WordPress has remote code exe ...) + TODO: check +CVE-2019-15323 (The ad-inserter plugin before 2.4.20 for WordPress has path traversal. ...) + TODO: check +CVE-2019-15322 (The shortcode-factory plugin before 2.8 for WordPress has Local File I ...) + TODO: check +CVE-2019-15321 (The option-tree plugin before 2.7.3 for WordPress has Object Injection ...) + TODO: check +CVE-2019-15320 (The option-tree plugin before 2.7.3 for WordPress has Object Injection ...) + TODO: check +CVE-2019-15319 (The option-tree plugin before 2.7.0 for WordPress has Object Injection ...) + TODO: check +CVE-2019-15318 (The yikes-inc-easy-mailchimp-extender plugin before 6.5.3 for WordPres ...) + TODO: check +CVE-2019-15317 (The give plugin before 2.4.7 for WordPress has XSS via a donor name. ...) + TODO: check CVE-2019-15316 (Valve Steam Client for Windows through 2019-08-20 has weak folder perm ...) TODO: check CVE-2019-15315 (Valve Steam Client for Windows through 2019-08-16 allows privilege esc ...) TODO: check CVE-2018-20986 RESERVED -CVE-2018-20985 - RESERVED -CVE-2018-20984 - RESERVED -CVE-2018-20983 - RESERVED -CVE-2018-20982 - RESERVED -CVE-2018-20981 - RESERVED -CVE-2018-20980 - RESERVED -CVE-2018-20979 - RESERVED +CVE-2018-20985 (The wp-payeezy-pay plugin before 2.98 for WordPress has local file inc ...) + TODO: check +CVE-2018-20984 (The patreon-connect plugin before 1.2.2 for WordPress has Object Injec ...) + TODO: check +CVE-2018-20983 (The wp-retina-2x plugin before 5.2.3 for WordPress has XSS. ...) + TODO: check +CVE-2018-20982 (The media-library-assistant plugin before 2.74 for WordPress has XSS v ...) 
+ TODO: check +CVE-2018-20981 (The ninja-forms plugin before 3.3.9 for WordPress has insufficient res ...) + TODO: check +CVE-2018-20980 (The ninja-forms plugin before 3.2.15 for WordPress has parameter tampe ...) + TODO: check +CVE-2018-20979 (The contact-form-7 plugin before 5.0.4 for WordPress has privilege esc ...) + TODO: check CVE-2017-18585 RESERVED -CVE-2017-18584 - RESERVED
[Git][security-tracker-team/security-tracker][master] CVE-2019-6956/faad2: add upstream bug report
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: a498aff5 by Hugo Lefeuvre at 2019-08-22T19:42:30Z CVE-2019-6956/faad2: add upstream bug report - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24496,6 +24496,7 @@ CVE-2019-6956 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FAA [buster] - faad2 (Minor issue) [stretch] - faad2 (Minor issue) NOTE: https://sourceforge.net/p/faac/bugs/240/ + NOTE: https://github.com/knik0/faad2/issues/39 CVE-2019-6955 RESERVED CVE-2019-6954 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a498aff5dead8297f65c25b6f3f83e17b7f0b1eb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a498aff5dead8297f65c25b6f3f83e17b7f0b1eb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla-needed: update clamav entry
Hugo Lefeuvre pushed to branch master at Debian Security Tracker / security-tracker Commits: 03c9de45 by Hugo Lefeuvre at 2019-08-22T19:39:54Z dla-needed: update clamav entry - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -16,8 +16,8 @@ clamav (Hugo Lefeuvre) NOTE: wait for definitive patch to be available, then upgrade to latest upstream NOTE: release (follow stretch changes) (hle) NOTE: https://lists.debian.org/debian-lts/2019/08/msg00023.html - NOTE: 20190818: upstream has released a new patch, waiting for the final - NOTE: release to come out (hle) + NOTE: 20190822: upstream has released 0.101.4, wait for stretch update (see bug + NOTE: report) (hle) -- cups (Thorsten Alteholz) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/03c9de45a02287c3ed4d25e09ceb54a84df1c5df -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/03c9de45a02287c3ed4d25e09ceb54a84df1c5df You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
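Review bot: the updated clamav NOTE says "wait for stretch update (see bug report)" without giving the bug number; the preceding NOTE line cites the debian-lts thread by URL, so citing the bug the same way would let the next triager find it without searching.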
[Git][security-tracker-team/security-tracker][master] nginx DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c5bfeec9 by Moritz Muehlenhoff at 2019-08-22T19:34:58Z nginx DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[22 Aug 2019] DSA-4505-1 nginx - security update + {CVE-2019-9511 CVE-2019-9513 CVE-2019-9516} + [stretch] - nginx 1.10.3-1+deb9u3 + [buster] - nginx 1.14.2-2+deb10u1 [20 Aug 2019] DSA-4504-1 vlc - security update {CVE-2019-13602 CVE-2019-13962 CVE-2019-14437 CVE-2019-14438 CVE-2019-14498 CVE-2019-14533 CVE-2019-14534 CVE-2019-14535 CVE-2019-14776 CVE-2019-14777 CVE-2019-14778 CVE-2019-14970} [stretch] - vlc 3.0.8-0+deb9u1 = data/dsa-needed.txt = @@ -38,9 +38,6 @@ linux (carnil) -- mercurial/oldstable -- -nginx - Maintainer proposed debdiffs, needs to be reviewed --- nodejs -- nss (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c5bfeec9920e79bca38bad137c3db7d11818fefb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c5bfeec9920e79bca38bad137c3db7d11818fefb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Adjust fixed version for CVE-2019-14444/binutils
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 148fb0a8 by Salvatore Bonaccorso at 2019-08-22T19:14:40Z Adjust fixed version for CVE-2019-1/binutils The fix is already included in the upload to unstable as 2.32.51.20190813-1. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3149,7 +3149,7 @@ CVE-2007-6763 (SAS Drug Development (SDD) before 32DRG02 mishandles logout actio CVE-2019-14445 RESERVED CVE-2019-1 (apply_relocations in readelf.c in GNU Binutils 2.32 contains an intege ...) - - binutils 2.32.51.20190821-1 (unimportant) + - binutils 2.32.51.20190813-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24829 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e17869db99195849826eaaf5d2d0eb2cfdd7a2a7 NOTE: binutils not covered by security support View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/148fb0a85f82ff875a1cee24d0d7cb5d47cc5d85 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/148fb0a85f82ff875a1cee24d0d7cb5d47cc5d85 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
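Review bot: the CVE identifier is inconsistent within this mail: the subject reads CVE-2019-14444 while the commit message ("Adjust fixed version for CVE-2019-1/binutils") and the hunk context line ("CVE-2019-1 (apply_relocations in readelf.c ...") read CVE-2019-1; the entry in data/CVE/list and the commit message should carry the full identifier from the subject.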
[Git][security-tracker-team/security-tracker][master] CVE-2019-384{3,4}/systemd fixed with the upload to unstable of v242
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ad06eba0 by Salvatore Bonaccorso at 2019-08-22T18:53:01Z CVE-2019-384{3,4}/systemd fixed with the upload to unstable of v242 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31822,7 +31822,7 @@ CVE-2019-3845 (A lack of access control was found in the message queues maintain NOT-FOR-US: qpid dispatch router CVE-2019-3844 (It was discovered that a systemd service that uses DynamicUser propert ...) [experimental] - systemd 242-1 - - systemd (bug #928102) + - systemd 242-4 (bug #928102) [buster] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) [stretch] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) [jessie] - systemd (Vulnerable code introduced later) 
@@ -31832,7 +31832,7 @@ CVE-2019-3844 (It was discovered that a systemd service that uses DynamicUser pr NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1814596 CVE-2019-3843 (It was discovered that a systemd service that uses DynamicUser propert ...) [experimental] - systemd 242-1 - - systemd (bug #928102) + - systemd 242-4 (bug #928102) [buster] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) [stretch] - systemd (Minor issue; exploit vector needs control both of the service and a helper outside) [jessie] - systemd (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ad06eba0eb8e0574f2b78a3a8ae6bca40d4a4f27 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ad06eba0eb8e0574f2b78a3a8ae6bca40d4a4f27 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
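Review bot: the commit subject says the issues are 'fixed with the upload to unstable of v242' while both hunks record 242-4 and the [experimental] lines keep 242-1; that is only consistent if 242-1 through 242-3 never reached unstable, so stating in the message that 242-4 is the first unstable upload of the 242 series would spare readers a changelog lookup. The two hunks are otherwise identical and correct for CVE-2019-3843 and CVE-2019-3844, including leaving the [jessie] 'Vulnerable code introduced later' line untouched.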
[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Add note for xtrlock.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 897c6ded by Chris Lamb at 2019-08-22T16:06:27Z data/dla-needed.txt: Add note for xtrlock. - - - - - 0fbaa8f2 by Chris Lamb at 2019-08-22T16:07:46Z data/dla-needed.txt: Add attribution to notes. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -27,7 +27,7 @@ faad2 (Hugo Lefeuvre) NOTE: 20190820: Last PR pending review: https://github.com/knik0/faad2/pull/38 NOTE: Upload with recent patches will happen soon. NOTE: Still many open duplicates, currently triaging. - NOTE: Requested CVE number for temporary entry. + NOTE: Requested CVE number for temporary entry. (hpe) -- freeimage NOTE: Maintainer will take care of the update. @@ -121,9 +121,10 @@ wordpress NOTE: 20190614: No upstream fix yet. (apo) -- xen - NOTE: 20190629: Contacted credativ support and asked for a status update + NOTE: 20190629: Contacted credativ support and asked for a status update (apo) -- xtrlock (Chris Lamb) + NOTE: 20190822: WIP on #830726 (lamby) -- xymon (Hugo Lefeuvre) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/1d4d1c7cab819722e849707b643bc1d1a59d04f1...0fbaa8f27aad4f4d4dfef96beebdae6a21949375 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/1d4d1c7cab819722e849707b643bc1d1a59d04f1...0fbaa8f27aad4f4d4dfef96beebdae6a21949375 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
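Review bot: the faad2 note being edited ('Requested CVE number for temporary entry. (hpe)') gains an attribution but still lacks the YYYYMMDD prefix that the other dated notes in this file use (20190820, 20190614, 20190629, 20190822); adding the date while touching the line would keep the triage timeline readable. The xen and xtrlock hunks follow the existing '(initials)' convention; the new xtrlock note gives only the bug number (#830726), and a few words on what the work in progress covers would help the next DLA worker picking it up.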
[Git][security-tracker-team/security-tracker][master] 3 commits: mark vlc as EOL in Jessie
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: bc6f4160 by Thorsten Alteholz at 2019-08-22T13:03:58Z mark vlc as EOL in Jessie - - - - - db2474d0 by Thorsten Alteholz at 2019-08-22T13:06:42Z mark CVE-2014-10375 as no-dsa for Jessie - - - - - 1d4d1c7c by Thorsten Alteholz at 2019-08-22T13:08:01Z mark CVE-2019-13990 as no-dsa for Jessie - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1082,6 +1082,7 @@ CVE-2014-10375 (handle_messages in eXtl_tls.c in eXosip before 5.0.0 mishandles - libexosip2 (bug #934766) [buster] - libexosip2 (Minor issue) [stretch] - libexosip2 (Minor issue) + [jessie] - libexosip2 (Minor issue) NOTE: http://git.savannah.nongnu.org/cgit/exosip.git/commit/?id=2549e421c14aff886629b8482c14af800f411070 CVE-2013-7476 (The simple-fields plugin before 1.2 for WordPress has CSRF in the admi ...) NOT-FOR-US: simple-fields plugin for WordPress @@ -1209,6 +1210,7 @@ CVE-2019-14970 RESERVED {DSA-4504-1} - vlc 3.0.8-1 + [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14969 (Netwrix Auditor before 9.8 has insecure permissions on %PROGRAMDATA%\N ...) NOT-FOR-US: Netwrix Auditor @@ -1742,16 +1744,19 @@ CVE-2019-14778 RESERVED {DSA-4504-1} - vlc 3.0.8-1 + [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14777 RESERVED {DSA-4504-1} - vlc 3.0.8-1 + [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14776 RESERVED {DSA-4504-1} - vlc 3.0.8-1 + [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14775 RESERVED 
@@ -2329,16 +2334,19 @@ CVE-2019-14535 RESERVED {DSA-4504-1} - vlc 3.0.8-1 + [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14534 RESERVED {DSA-4504-1} - vlc 3.0.8-1 + [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14533 RESERVED {DSA-4504-1} - vlc 3.0.8-1 + [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14532 (An issue was discovered in The Sleuth Kit (TSK) 4.6.6. There is an off ...) - sleuthkit (unimportant) @@ -2431,6 +2439,7 @@ CVE-2019-14498 RESERVED {DSA-4504-1} - vlc 3.0.8-1 + [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14497 (ModuleEditor::convertInstrument in tracker/ModuleEditor.cpp in MilkyTr ...) - milkytracker (bug #933964) @@ -3171,11 +3180,13 @@ CVE-2019-14438 RESERVED {DSA-4504-1} - vlc 3.0.8-1 + [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14437 RESERVED {DSA-4504-1} - vlc 3.0.8-1 + [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14436 RESERVED 
@@ -4321,6 +4332,7 @@ CVE-2019-13990 (initDocumentParser in xml/XMLSchedulingDataProcessor.java in Ter - libquartz-java (bug #933169) [buster] - libquartz-java (Minor issue) [stretch] - libquartz-java (Minor issue) + [jessie] - libquartz-java (Minor issue) - libquartz2-java (bug #933170) [buster] - libquartz2-java (Minor issue) [stretch] - libquartz2-java (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/fc993a944ff22cd5f642189e04a6e975bce0b14e...1d4d1c7cab819722e849707b643bc1d1a59d04f1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/fc993a944ff22cd5f642189e04a6e975bce0b14e...1d4d1c7cab819722e849707b643bc1d1a59d04f1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list
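Review bot: the libquartz-java hunk adds '[jessie] - libquartz-java (Minor issue)' but the libquartz2-java block directly below it, which carries the same [buster] and [stretch] 'Minor issue' lines, gets no [jessie] line, so 'mark CVE-2019-13990 as no-dsa for Jessie' is only half applied unless libquartz2-java is absent from jessie; add the line or note why it is not needed. Across all hunks the status marker that normally sits between the package name and the parenthesised note (such as <no-dsa> or <end-of-life>) is not visible in this rendering, most likely stripped as an HTML-like token by the mail-to-web extraction; the new [jessie] vlc lines show only the 2018 announce URL, so the EOL marker should be verified in the repository rather than from this page.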
[Git][security-tracker-team/security-tracker][master] binutils fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fc993a94 by Moritz Muehlenhoff at 2019-08-22T09:58:22Z binutils fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3140,7 +3140,7 @@ CVE-2007-6763 (SAS Drug Development (SDD) before 32DRG02 mishandles logout actio CVE-2019-14445 RESERVED CVE-2019-1 (apply_relocations in readelf.c in GNU Binutils 2.32 contains an intege ...) - - binutils (unimportant) + - binutils 2.32.51.20190821-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24829 NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e17869db99195849826eaaf5d2d0eb2cfdd7a2a7 NOTE: binutils not covered by security support View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fc993a944ff22cd5f642189e04a6e975bce0b14e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fc993a944ff22cd5f642189e04a6e975bce0b14e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
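Review bot: the fixed version recorded here, 2.32.51.20190821-1, is corrected to 2.32.51.20190813-1 by the later commit 148fb0a8 on this page because the upstream fix was already in the earlier snapshot; for snapshot-versioned packages like binutils, take the fixed version from the first upload that contains the referenced upstream commit (e17869db...) rather than from the most recent upload, otherwise the tracker flags the intermediate unstable versions as still vulnerable. Keeping 'unimportant' and the 'binutils not covered by security support' NOTE is consistent with the rest of the entry.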
[Git][security-tracker-team/security-tracker][master] bro fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e06214e3 by Moritz Muehlenhoff at 2019-08-22T09:00:36Z bro fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -49845,9 +49845,9 @@ CVE-2018-17021 (Cross-site scripting (XSS) vulnerability on ASUS GT-AC5300 devic CVE-2018-17020 (ASUS GT-AC5300 devices with firmware through 3.0.0.4.384_32738 allow r ...) NOT-FOR-US: ASUS GT-AC5300 devices CVE-2018-17019 (In Bro through 2.5.5, there is a DoS in IRC protocol names command par ...) - - bro (bug #908779) + - bro 2.6.1+ds1-1 (bug #908779) [buster] - bro 2.5.5-1+deb10u1 - [stretch] - bro (Minor issue) + [stretch] - bro (Minor issue) NOTE: https://github.com/bro/bro/commit/c2b18849f8bb833253538f5dfedb4ed1dc176a30 CVE-2018-17018 (An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7 ...) NOT-FOR-US: TP-Link 
@@ -50556,9 +50556,9 @@ CVE-2018-16808 (An issue was discovered in Dolibarr through 7.0.0. There is Stor - dolibarr NOTE: https://github.com/Dolibarr/dolibarr/issues/9449 CVE-2018-16807 (In Bro through 2.5.5, there is a memory leak potentially leading to Do ...) - - bro (low; bug #908614) + - bro 2.6.1+ds1-1 (low; bug #908614) [buster] - bro 2.5.5-1+deb10u1 - [stretch] - bro (Minor issue) + [stretch] - bro (Minor issue) NOTE: https://github.com/bro/bro/commit/34d0cf886ca16c665f673a299e295b2a2bc14533 CVE-2018-16806 (A Pektron Passive Keyless Entry and Start (PKES) system, as used on th ...) NOT-FOR-US: Tesla View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e06214e3ab5f4e119434f9a7ddbb86592c6d3ecf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e06214e3ab5f4e119434f9a7ddbb86592c6d3ecf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
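Review bot: in both hunks the '[stretch] - bro (Minor issue)' line is shown removed and re-added with no visible difference, so either the change is whitespace-only or the status marker between 'bro' and the note (for example <no-dsa> or <ignored>) was stripped by the rendering; the latter is the more likely reading, but either way the diff as shown cannot confirm what the stretch status became, and the commit message 'bro fixed' says nothing about stretch. The unstable fixed version 2.6.1+ds1-1 alongside buster's 2.5.5-1+deb10u1 is consistent with the upstream commit links kept in the NOTE lines.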
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f8f310d2 by security tracker role at 2019-08-22T08:10:21Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,137 @@ +CVE-2019-15324 + RESERVED +CVE-2019-15323 + RESERVED +CVE-2019-15322 + RESERVED +CVE-2019-15321 + RESERVED +CVE-2019-15320 + RESERVED +CVE-2019-15319 + RESERVED +CVE-2019-15318 + RESERVED +CVE-2019-15317 + RESERVED +CVE-2019-15316 (Valve Steam Client for Windows through 2019-08-20 has weak folder perm ...) + TODO: check +CVE-2019-15315 (Valve Steam Client for Windows through 2019-08-16 allows privilege esc ...) + TODO: check +CVE-2018-20986 + RESERVED +CVE-2018-20985 + RESERVED +CVE-2018-20984 + RESERVED +CVE-2018-20983 + RESERVED +CVE-2018-20982 + RESERVED +CVE-2018-20981 + RESERVED +CVE-2018-20980 + RESERVED +CVE-2018-20979 + RESERVED +CVE-2017-18585 + RESERVED +CVE-2017-18584 + RESERVED +CVE-2017-18583 + RESERVED +CVE-2017-18582 + RESERVED +CVE-2017-18581 + RESERVED +CVE-2017-18580 + RESERVED +CVE-2017-18579 + RESERVED +CVE-2017-18578 + RESERVED +CVE-2017-18577 + RESERVED +CVE-2017-18576 + RESERVED +CVE-2017-18575 + RESERVED +CVE-2017-18574 + RESERVED +CVE-2017-18573 + RESERVED +CVE-2017-18572 + RESERVED +CVE-2017-18571 + RESERVED +CVE-2017-18570 + RESERVED +CVE-2016-10929 + RESERVED +CVE-2016-10928 + RESERVED +CVE-2016-10927 + RESERVED +CVE-2016-10926 + RESERVED +CVE-2016-10925 + RESERVED +CVE-2016-10924 + RESERVED +CVE-2016-10923 + RESERVED +CVE-2016-10922 + RESERVED +CVE-2016-10921 + RESERVED +CVE-2016-10920 + RESERVED +CVE-2016-10919 + RESERVED +CVE-2016-10918 + RESERVED +CVE-2016-10917 + RESERVED +CVE-2016-10916 + RESERVED +CVE-2015-9337 + RESERVED +CVE-2015-9336 + RESERVED +CVE-2015-9335 + RESERVED +CVE-2015-9334 + RESERVED +CVE-2015-9333 + RESERVED +CVE-2014-10385 + RESERVED +CVE-2014-10384 + RESERVED +CVE-2014-10383 + RESERVED +CVE-2014-10382 + RESERVED +CVE-2013-7483 + RESERVED +CVE-2013-7482 + RESERVED +CVE-2013-7481 + RESERVED +CVE-2013-7480 + RESERVED +CVE-2013-7479 + RESERVED +CVE-2013-7478 + RESERVED +CVE-2013-7477 + RESERVED +CVE-2012-6716 + RESERVED +CVE-2009-5158 + RESERVED +CVE-2008-7321 + RESERVED CVE-2019-15314 RESERVED 
CVE-2019-15313 @@ -1620,6 +1754,7 @@ CVE-2019-14776 CVE-2019-14775 RESERVED CVE-2019-12625 [clamav zip DoS] + RESERVED - clamav (bug #934359) [buster] - clamav (ClamAV is updated via -updates) [stretch] - clamav (ClamAV is updated via -updates) @@ -1831,10 +1966,10 @@ CVE-2019-14688 RESERVED CVE-2019-14687 (A DLL hijacking vulnerability exists in Trend Micro Password Manager 5 ...) NOT-FOR-US: Trend Micro -CVE-2019-14686 - RESERVED -CVE-2019-14685 - RESERVED +CVE-2019-14686 (A DLL hijacking vulnerability exists in the Trend Micro Security's 201 ...) + TODO: check +CVE-2019-14685 (A local privilege escalation vulnerability exists in Trend Micro Secur ...) + TODO: check CVE-2019-14684 (A DLL hijacking vulnerability exists in Trend Micro Password Manager 5 ...) NOT-FOR-US: Trend Micro CVE-2019-14683 (The codection "Import users from CSV with meta" plugin before 1.14.2.2 ...) @@ -11282,12 +11417,12 @@ CVE-2019-11605 RESERVED CVE-2019-11604 (An issue was discovered in Quest KACE Systems Management Appliance bef ...) NOT-FOR-US: Quest KACE Systems Management Appliance -CVE-2019-11603 - RESERVED -CVE-2019-11602 - RESERVED -CVE-2019-11601 - RESERVED +CVE-2019-11603 (A HTTP Traversal Attack in earlier versions than ProSyst mBS SDK 8.2.6 ...) + TODO: check +CVE-2019-11602 (Leakage of stack traces in remote access to backup restore in ea ...) + TODO: check +CVE-2019-11601 (A directory traversal vulnerability in remote access to backup r ...) + TODO: check CVE-2019-11600 (A SQL injection vulnerability in the activities API in OpenProject bef ...) NOT-FOR-US: OpenProject CVE-2018-20835 (A vulnerability was found in tar-fs before 1.16.2. An Arbitrary File O ...) 
@@ -13824,8 +13959,8 @@ CVE-2019-10689 (VVX products using UCS software version 5.9.2 and earlier with B NOT-FOR-US: VVX products using UCS software CVE-2019-10688 (VVX products with software versions including and prior to, UCS 5.9.2 ...) NOT-FOR-US: VVX products using UCS -CVE-2019-10687 - RESERVED +CVE-2019-10687 (KBPublisher 6.0.2.1 has SQL Injection via the
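Review bot: the hunk at CVE-2019-12625 inserts a 'RESERVED' line directly under 'CVE-2019-12625 [clamav zip DoS]' while the entry keeps its '- clamav (bug #934359)' and [buster]/[stretch] lines, so the entry is now both reserved and tracked; this is the automated import re-applying MITRE's RESERVED state to an id that commit 92814fdd on this page had just attached to a manually created entry, and it needs a manual follow-up that drops the RESERVED line. The rest of the patch is routine: new RESERVED ids at the top and 'TODO: check' on entries whose descriptions were filled in (Valve Steam Client, Trend Micro, ProSyst mBS SDK, KBPublisher), all awaiting triage. The final hunk is cut off in this rendering after 'CVE-2019-10687 (KBPublisher 6.0.2.1 has SQL Injection via the', so the remainder of the automatic update is not reviewable here.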
[Git][security-tracker-team/security-tracker][master] ruby-rest-client n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 85c1b08b by Moritz Muehlenhoff at 2019-08-22T07:34:59Z ruby-rest-client n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -191,7 +191,7 @@ CVE-2019-15226 CVE-2019-15225 (In Envoy through 1.11.1, users may configure a route to match incoming ...) NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651) CVE-2019-15224 (The rest-client gem 1.6.13 for Ruby, as distributed on RubyGems.org, i ...) - TODO: check + - ruby-rest-client (Backdoored version not uploaded to Debian) CVE-2019-15223 (An issue was discovered in the Linux kernel before 5.1.8. There is a N ...) - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/0b074ab7fc0d575247b9cc9f93bb7e007ca38840 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/85c1b08b919d9c3340c2b63a23f197b1b91a2407 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/85c1b08b919d9c3340c2b63a23f197b1b91a2407 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
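Review bot: '- ruby-rest-client (Backdoored version not uploaded to Debian)' replaces the TODO with a free-text reason, but this rendering shows no status marker between the package name and the note; if the intended marker is <not-affected>, the note would be easier to verify if it also recorded the version Debian ships, so the claim can be checked against the backdoored 1.6.13 named in the description.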
[Git][security-tracker-team/security-tracker][master] pump removed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 687aaa22 by Moritz Muehlenhoff at 2019-08-22T06:28:28Z pump removed libzstd n/a for oldstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1935,7 +1935,7 @@ CVE-2019-14654 (In Joomla! 3.9.7 and 3.9.8, inadequate filtering allows users au CVE-2018-20954 (The "Security and Privacy" Encryption feature in Mailpile before 1.0.0 ...) NOT-FOR-US: Mailpile CVE-2019- [Buffer overflow during processing of large server replies] - - pump (bug #933674) + - pump (bug #933674) CVE-2019-14653 (pandao Editor.md 1.5.0 allows XSS via an attribute of an ABBR or SUP e ...) NOT-FOR-US: pandao Editor.md CVE-2019-14652 @@ -10407,6 +10407,7 @@ CVE-2019-11923 RESERVED CVE-2019-11922 (A race condition in the one-pass compression functions of Zstandard pr ...) - libzstd 1.3.8+dfsg-2 + [stretch] - libzstd (Vulnerable code not present) NOTE: https://github.com/facebook/zstd/commit/3e5cdf1b6a85843e991d7d10f6a2567c15580da0 CVE-2019-11921 (An out of bounds write is possible via a specially crafted packet in c ...) NOT-FOR-US: Proxygen View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/687aaa22994a5d13c34cac66ac213da0bb6a6dd5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/687aaa22994a5d13c34cac66ac213da0bb6a6dd5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
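Review bot: the pump hunk removes and re-adds '- pump (bug #933674)' with no visible change while the commit message says 'pump removed', so the real edit is almost certainly the status marker between 'pump' and the bug reference (<unfixed> to <removed>) that this rendering dropped; the same applies to the new '[stretch] - libzstd (Vulnerable code not present)' line, which would normally carry <not-affected>. Separately, the pump entry still has the placeholder id 'CVE-2019-' with only a bracketed description and no NOTE pointing at an upstream report, so it cannot yet be matched to a public id.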
[Git][security-tracker-team/security-tracker][master] Add reference to VLC VideoLAN-SB-VLC-308 bulletin
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f977e145 by Salvatore Bonaccorso at 2019-08-22T06:17:07Z Add reference to VLC VideoLAN-SB-VLC-308 bulletin - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1073,6 +1073,7 @@ CVE-2019-14970 RESERVED {DSA-4504-1} - vlc 3.0.8-1 + NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14969 (Netwrix Auditor before 9.8 has insecure permissions on %PROGRAMDATA%\N ...) NOT-FOR-US: Netwrix Auditor CVE-2019-14968 (An issue was discovered in imcat 4.9. There is SQL Injection via the i ...) @@ -1605,14 +1606,17 @@ CVE-2019-14778 RESERVED {DSA-4504-1} - vlc 3.0.8-1 + NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14777 RESERVED {DSA-4504-1} - vlc 3.0.8-1 + NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14776 RESERVED {DSA-4504-1} - vlc 3.0.8-1 + NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14775 RESERVED CVE-2019-12625 [clamav zip DoS] @@ -2188,14 +2192,17 @@ CVE-2019-14535 RESERVED {DSA-4504-1} - vlc 3.0.8-1 + NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14534 RESERVED {DSA-4504-1} - vlc 3.0.8-1 + NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14533 RESERVED {DSA-4504-1} - vlc 3.0.8-1 + NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14532 (An issue was discovered in The Sleuth Kit (TSK) 4.6.6. There is an off ...) - sleuthkit (unimportant) NOTE: https://github.com/sleuthkit/sleuthkit/issues/1575 @@ -2287,6 +2294,7 @@ CVE-2019-14498 RESERVED {DSA-4504-1} - vlc 3.0.8-1 + NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14497 (ModuleEditor::convertInstrument in tracker/ModuleEditor.cpp in MilkyTr ...) - milkytracker (bug #933964) NOTE: https://github.com/milkytracker/MilkyTracker/issues/182 
@@ -3026,10 +3034,12 @@ CVE-2019-14438 RESERVED {DSA-4504-1} - vlc 3.0.8-1 + NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14437 RESERVED {DSA-4504-1} - vlc 3.0.8-1 + NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14436 RESERVED CVE-2019-14435 @@ -4238,6 +4248,7 @@ CVE-2019-13962 (lavc_CopyPicture in modules/codec/avcodec/video.c in VideoLAN VL [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: http://git.videolan.org/?p=vlc/vlc-3.0.git;a=commit;h=2b4f9d0b0e0861f262c90e9b9b94e7d53b864509 NOTE: https://trac.videolan.org/vlc/ticket/22240 + NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-13961 (A CSRF vulnerability was found in flatCore before 1.5, leading to the ...) NOT-FOR-US: flatCore CVE-2019-13960 (** DISPUTED ** In libjpeg-turbo 2.0.2, a large amount of memory can be ...) @@ -6038,6 +6049,7 @@ CVE-2019-13602 (An Integer Underflow in MP4_EIA608_Convert() in modules/demux/mp [jessie] - vlc (https://lists.debian.org/debian-security-announce/2018/msg00130.html) NOTE: https://git.videolan.org/?p=vlc.git;a=commit;h=8e8e0d72447f8378244f5b4a3dcde036dbeb1491 NOTE: https://git.videolan.org/?p=vlc.git;a=commit;h=b2b157076d9e94df34502dd8df0787deb940e938 + NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-13601 RESERVED CVE-2019-13600 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f977e145fc9670cb717506b7dbd0d9f2e90063e3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f977e145fc9670cb717506b7dbd0d9f2e90063e3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track assigned CVE for clamav issue (CVE-2019-12625)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 92814fdd by Salvatore Bonaccorso at 2019-08-22T06:05:44Z Track assigned CVE for clamav issue (CVE-2019-12625) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1615,13 +1615,14 @@ CVE-2019-14776 - vlc 3.0.8-1 CVE-2019-14775 RESERVED -CVE-2019- [clamav zip DoS] +CVE-2019-12625 [clamav zip DoS] - clamav (bug #934359) [buster] - clamav (ClamAV is updated via -updates) [stretch] - clamav (ClamAV is updated via -updates) NOTE: https://www.openwall.com/lists/oss-security/2019/08/06/3 NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=12356 NOTE: Partially adressed already in 0.101.2+dfsg-3 but incomplete. + NOTE: https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html CVE-2019-14774 (The woo-variation-swatches (aka Variation Swatches for WooCommerce) pl ...) NOT-FOR-US: Wordpress plugin CVE-2019-14773 (admin/includes/class.actions.snippet.php in the "Woody ad snippets" pl ...) @@ -8613,8 +8614,6 @@ CVE-2019-12627 (A vulnerability in the application policy configuration of the C TODO: check CVE-2019-12626 (A vulnerability in the web-based management interface of Cisco Unified ...) TODO: check -CVE-2019-12625 - RESERVED CVE-2019-12624 (A vulnerability in the web-based management interface of Cisco IOS XE ...) TODO: check CVE-2019-12623 (A vulnerability in the web server functionality of Cisco Enterprise Ne ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/92814fdd3810e68ac15c7cbdec829a11db028420 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/92814fdd3810e68ac15c7cbdec829a11db028420 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
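Review bot: the entry now carries the assigned id CVE-2019-12625 and the 0.101.4 release blog post, but the package line stays '- clamav (bug #934359)' with no fixed version even though the NOTE says the issue was partially addressed in 0.101.2+dfsg-3; once the complete fix is uploaded the version should be recorded here, since the [buster]/[stretch] '-updates' notes presume an unstable fix exists. The NOTE 'Partially adressed already' has a typo ('addressed') worth fixing while the entry is being touched. Dropping the stand-alone 'CVE-2019-12625 RESERVED' entry in the second hunk is the right counterpart to giving the tracked entry its id.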
[Git][security-tracker-team/security-tracker][master] Take apache2 from dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1e00868e by Salvatore Bonaccorso at 2019-08-22T06:00:41Z Take apache2 from dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -15,7 +15,7 @@ If needed, specify the release by adding a slash after the name of the source pa 389-ds-base (fw) Thorsten Alteholz proposed an update -- -apache2 +apache2 (carnil) -- evince/oldstable -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1e00868ed7e6562b632e3f5fc390257433007dd0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1e00868ed7e6562b632e3f5fc390257433007dd0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits