Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 569788a6 by security tracker role at 2019-01-17T08:10:10Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -1,3 +1,61 @@ +CVE-2019-6483 + RESERVED +CVE-2019-6482 + RESERVED +CVE-2019-6481 + RESERVED +CVE-2019-6480 + RESERVED +CVE-2019-6479 + RESERVED +CVE-2019-6478 + RESERVED +CVE-2019-6477 + RESERVED +CVE-2019-6476 + RESERVED +CVE-2019-6475 + RESERVED +CVE-2019-6474 + RESERVED +CVE-2019-6473 + RESERVED +CVE-2019-6472 + RESERVED +CVE-2019-6471 + RESERVED +CVE-2019-6470 + RESERVED +CVE-2019-6469 + RESERVED +CVE-2019-6468 + RESERVED +CVE-2019-6467 + RESERVED +CVE-2019-6466 + RESERVED +CVE-2019-6465 + RESERVED +CVE-2019-6464 + RESERVED +CVE-2019-6463 + RESERVED +CVE-2018-20733 (BI Web Services in SAS Web Infrastructure Platform before 9.4M6 allows ...) + TODO: check +CVE-2018-20732 (SAS Web Infrastructure Platform before 9.4M6 allows remote attackers to ...) + TODO: check +CVE-2018-20731 (A stored cross site scripting (XSS) vulnerability in NeDi before 1.7Cp3 ...) + TODO: check +CVE-2018-20730 (A SQL injection vulnerability in NeDi before 1.7Cp3 allows any user to ...) + TODO: check +CVE-2018-20729 (A reflected cross site scripting (XSS) vulnerability in NeDi before ...) + TODO: check +CVE-2018-20728 (A cross site request forgery (CSRF) vulnerability in NeDi before 1.7Cp3 ...) + TODO: check +CVE-2018-20727 (Multiple command injection vulnerabilities in NeDi before 1.7Cp3 allow ...) + TODO: check +CVE-2015-9281 (Logon Manager in SAS Web Infrastructure Platform before 9.4M3 allows ...) + TODO: check CVE-2019-6462 (An issue was discovered in cairo 1.16.0. There is an infinite loop in ...) - cairo <unfixed> NOTE: https://gitlab.freedesktop.org/cairo/cairo/issues/353 @@ -18266,12 +18324,12 @@ CVE-2018-18816 RESERVED CVE-2018-18815 RESERVED -CVE-2018-18814 - RESERVED -CVE-2018-18813 - RESERVED -CVE-2018-18812 - RESERVED +CVE-2018-18814 (The TIBCO Spotfire authentication component of TIBCO Software Inc.'s ...) + TODO: check +CVE-2018-18813 (The Spotfire web server component of TIBCO Software Inc.'s TIBCO ...) + TODO: check +CVE-2018-18812 (The Spotfire Library component of TIBCO Software Inc.'s TIBCO Spotfire ...) + TODO: check CVE-2018-18811 RESERVED CVE-2018-18810 (The Administrator Service component of TIBCO Software Inc.'s TIBCO ...) @@ -21773,6 +21831,7 @@ CVE-2018-17461 (An out of bounds read in PDFium in Google Chrome prior to 68.0.3 CVE-2018-17460 RESERVED CVE-2018-17457 (An object lifecycle issue in Blink could lead to a use after free in ...) + {DSA-4289-1} - chromium-browser 69.0.3497.81-1 [jessie] - chromium-browser <end-of-life> (End of life, see DSA 4020) CVE-2018-17456 (Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x ...) @@ -26119,8 +26178,8 @@ CVE-2018-15784 RESERVED CVE-2018-15783 REJECTED -CVE-2018-15782 - RESERVED +CVE-2018-15782 (The Quick Setup component of RSA Authentication Manager versions prior ...) + TODO: check CVE-2018-15781 RESERVED CVE-2018-15780 (RSA Archer versions prior to 6.5.0.1 contain an improper access ...) @@ -53796,40 +53855,34 @@ CVE-2018-5742 [Crash from assertion error when debug log level is 10 and log ent NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1655844 NOTE: https://bugs.centos.org/view.php?id=15528 NOTE: Introduced by https://bugzilla.redhat.com/show_bug.cgi?id=1452091 -CVE-2018-5741 [Update policies krb5-subdomain and ms-subdomain] - RESERVED +CVE-2018-5741 (To provide fine-grained controls over the ability to use Dynamic DNS ...) - bind9 1:9.11.5+dfsg-1 (unimportant) NOTE: https://kb.isc.org/docs/cve-2018-5741 NOTE: No code fix provided; Incorrect documentation of krb5-subdomain and ms-subdomain update policies. NOTE: Will be adressed in 9.11.5, 9.12.3 -CVE-2018-5740 [A flaw in the "deny-answer-aliases" feature can cause an INSIST assertion failure in named] - RESERVED +CVE-2018-5740 ("deny-answer-aliases" is a little-used feature intended to help ...) {DLA-1485-1} - bind9 1:9.11.4.P1+dfsg-1 (bug #905743) [stretch] - bind9 <postponed> (Can be fixed along in the next DSA) NOTE: https://kb.isc.org/article/AA-01639/74/CVE-2018-5740 NOTE: https://gitlab.isc.org/isc-projects/bind9/merge_requests/607/commits -CVE-2018-5739 [failure to release memory may exhaust system resources] - RESERVED +CVE-2018-5739 (An extension to hooks capabilities which debuted in Kea 1.4.0 ...) - isc-kea <not-affected> (Vulnerable code introduced in Kea 1.4.0) NOTE: https://kb.isc.org/article/AA-01626 NOTE: 1.4.0-1 was uploaded to experimental as https://tracker.debian.org/news/973011 NOTE: Tracking bug as #903729 with RC severity so this version does NOTE: not enter unstable without fix. -CVE-2018-5738 [Some versions of BIND can improperly permit recursive query service to unauthorized clients] - RESERVED +CVE-2018-5738 (Change #4777 (introduced in October 2017) introduced an unforeseen ...) - bind9 1:9.11.3+dfsg-2 (bug #901483) [stretch] - bind9 <not-affected> (Vulnerable code introduced later) [jessie] - bind9 <not-affected> (Vulnerable code introduced later) NOTE: Introduced by upstream change #4777 NOTE: Introduced by: https://gitlab.isc.org/isc-projects/bind9/commit/89636d8f305956ad42e95a988502c7345e85ffe1 NOTE: https://kb.isc.org/article/AA-01616/0/CVE-2018-5738 -CVE-2018-5737 [serve-stale implementation can cause an assertion failure in rbtdb.c or other undesirable behavior, even if serve-stale is not enabled.] - RESERVED +CVE-2018-5737 (A problem with the implementation of the new serve-stale feature in ...) - bind9 <not-affected> (only affects 9.12, not yet packaged) NOTE: https://kb.isc.org/article/AA-01606 -CVE-2018-5736 [Multiple transfers of a zone in quick succession can cause an assertion failure in rbtdb.c] - RESERVED +CVE-2018-5736 (An error in zone database reference counting can lead to an assertion ...) - bind9 <not-affected> (only affects 9.12, not yet packaged) NOTE: https://kb.isc.org/article/AA-01602 CVE-2018-5735 [assertion failure in validator.c:1858] @@ -53840,12 +53893,10 @@ CVE-2018-5735 [assertion failure in validator.c:1858] NOTE: Mark as fixed version the 1:9.9.3.dfsg.P2-1 as the related code was NOTE: added upstream in 9.9.3b1. The issue though does not affect bind9 upstream NOTE: and is only triggered as described in #889285. -CVE-2018-5734 [A malformed request can trigger an assertion failure in badcache.c] - RESERVED +CVE-2018-5734 (While handling a particular type of malformed packet BIND erroneously ...) - bind9 <not-affected> (Only affects Supported Preview Edition/Subscription Edition) NOTE: https://kb.isc.org/article/AA-01562/74/CVE-2018-5734 -CVE-2018-5733 [A malicious client can overflow a reference counter in ISC dhcpd] - RESERVED +CVE-2018-5733 (A malicious client which is allowed to send very large amounts of ...) {DSA-4133-1 DLA-1313-1} - isc-dhcp 4.3.5-3.1 (bug #891785) NOTE: https://kb.isc.org/article/AA-01567/75/CVE-2018-5733 @@ -67857,7 +67908,7 @@ CVE-2017-17199 (Huawei DP300 V500R002C00; RP200 V500R002C00; V600R006C00; TE30 . CVE-2017-17198 RESERVED CVE-2017-17197 - RESERVED + REJECTED CVE-2017-17196 RESERVED CVE-2017-17195 @@ -113494,15 +113545,13 @@ CVE-2017-3147 RESERVED CVE-2017-3146 RESERVED -CVE-2017-3145 [Improper fetch cleanup sequencing in the resolver can cause named to crash] - RESERVED +CVE-2017-3145 (BIND was improperly sequencing cleanup operations on upstream ...) {DSA-4089-1 DLA-1255-1} - bind9 1:9.11.2.P1-1 NOTE: https://kb.isc.org/article/AA-01542 NOTE: Fixed by (master): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=053b51c4dbd28f6e4de71ce4268a6f606025d76d NOTE: Fixed by (9.10.6-P1): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=55baf7d7e25c0e6444cb7e415f14d9e0819b5508 -CVE-2017-3144 [dhcp: omapi code doesn't free socket descriptors when empty message is received allowing denial-of-service] - RESERVED +CVE-2017-3144 (A vulnerability stemming from failure to properly clean up closed ...) {DSA-4133-1} - isc-dhcp 4.3.5-3.1 (bug #887413) [wheezy] - isc-dhcp <no-dsa> (Minor issue) @@ -113510,24 +113559,20 @@ CVE-2017-3144 [dhcp: omapi code doesn't free socket descriptors when empty messa NOTE: https://bugs.isc.org/Public/Bug/Display.html?id=46767 NOTE: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=1a6b62fe17a42b00fa234d06b6dfde3d03451894 NOTE: Fixes for 4.3.6p1: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=99a25aedea02d9c259cb8fabf4be700fb32571a3 -CVE-2017-3143 [An error in TSIG authentication can permit unauthorized dynamic updates] - RESERVED +CVE-2017-3143 (An attacker who is able to send and receive messages to an ...) {DSA-3904-1 DLA-1025-1} - bind9 1:9.10.3.dfsg.P4-12.4 (bug #866564) NOTE: https://kb.isc.org/article/AA-01503 NOTE: Fixed by (master): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=581c1526ab0f74a177980da9ff0514f795ed8669 -CVE-2017-3142 [An error in TSIG authentication can permit unauthorized zone transfers] - RESERVED +CVE-2017-3142 (An attacker who is able to send and receive messages to an ...) {DSA-3904-1 DLA-1025-1} - bind9 1:9.10.3.dfsg.P4-12.4 (bug #866564) NOTE: https://kb.isc.org/article/AA-01504 NOTE: Fixed by (master): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=581c1526ab0f74a177980da9ff0514f795ed8669 -CVE-2017-3141 - RESERVED +CVE-2017-3141 (The BIND installer on Windows uses an unquoted service path which can ...) - bind9 <not-affected> (Affects only Windows systems) NOTE: https://kb.isc.org/article/AA-01496 -CVE-2017-3140 [An error processing RPZ rules can cause named to loop endlessly after handling a query] - RESERVED +CVE-2017-3140 (If named is configured to use Response Policy Zones (RPZ) an error ...) - bind9 <not-affected> (Upstream change #4377 not backported/included) NOTE: https://kb.isc.org/article/AA-01495 NOTE: Fixed by (master): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=2648c49be78568ba9f4123d22122f2a649e2e1b7 @@ -113537,8 +113582,7 @@ CVE-2017-3140 [An error processing RPZ rules can cause named to loop endlessly a CVE-2017-3139 RESERVED - bind9 <not-affected> (RHEL6 specific) -CVE-2017-3138 [named exits with a REQUIRE assertion failure if it receives a null command string on its control channel] - RESERVED +CVE-2017-3138 (named contains a feature which allows operators to issue commands to a ...) {DSA-3854-1 DLA-957-1} - bind9 1:9.10.3.dfsg.P4-12.3 (bug #860226) NOTE: https://kb.isc.org/article/AA-01471 @@ -113548,8 +113592,7 @@ CVE-2017-3138 [named exits with a REQUIRE assertion failure if it receives a nul NOTE: commands was added only in 9.11.0 and before existing commands permitted NOTE: over the control channel were already be given to cause the server to stop. NOTE: The CVE-2017-3138 is barely an issue in practice anyway. -CVE-2017-3137 [A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME] - RESERVED +CVE-2017-3137 (Mistaken assumptions about the ordering of records in the answer ...) {DSA-3854-1 DLA-957-1} - bind9 1:9.10.3.dfsg.P4-12.3 (bug #860225) NOTE: https://kb.isc.org/article/AA-01466 @@ -113557,14 +113600,12 @@ CVE-2017-3137 [A response packet can cause a resolver to terminate when processi NOTE: Fixed by (9.10.x): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=69fd759b4aa02047e42e5cf4227f8257c4547988 NOTE: Fixed by (9.10.x): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=6841d7b854c15df9ec56cab38da201b315bbcabb (reimplentation) NOTE: Fixed by (9.10.x): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=7ab9e8e00775782d474522a5b2bffba8daefefa5 (regression fix) -CVE-2017-3136 [An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;"] - RESERVED +CVE-2017-3136 (A query with a specific set of characteristics could cause a server ...) {DSA-3854-1 DLA-957-1} - bind9 1:9.10.3.dfsg.P4-12.3 (bug #860224) NOTE: https://kb.isc.org/article/AA-01465 NOTE: Fixed by (9.10.x): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=764240ca07ab1b796226d5402ccd9fbfa77ec32a -CVE-2017-3135 [Assertion failure when using DNS64 and RPZ can lead to crash] - RESERVED +CVE-2017-3135 (Under some conditions when using both DNS64 and RPZ to rewrite query ...) {DSA-3795-1 DLA-843-1} - bind9 1:9.10.3.dfsg.P4-12 (bug #855520) NOTE: https://kb.isc.org/article/AA-01453 @@ -114044,8 +114085,7 @@ CVE-2016-9780 REJECTED CVE-2016-9779 REJECTED -CVE-2016-9778 [An error handling certain queries using the nxdomain-redirect feature could cause a REQUIRE assertion failure in db.c] - RESERVED +CVE-2016-9778 (An error in handling certain queries can cause an assertion failure ...) - bind9 <not-affected> (Only Supported Preview Edition/Subscription Edition and 9.11.x) NOTE: https://kb.isc.org/article/AA-01442/0 CVE-2016-9771 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/569788a63ffc07578efc2f62f60e7e7637103b58 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/569788a63ffc07578efc2f62f60e7e7637103b58 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits