Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
569788a6 by security tracker role at 2019-01-17T08:10:10Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,61 @@
+CVE-2019-6483
+       RESERVED
+CVE-2019-6482
+       RESERVED
+CVE-2019-6481
+       RESERVED
+CVE-2019-6480
+       RESERVED
+CVE-2019-6479
+       RESERVED
+CVE-2019-6478
+       RESERVED
+CVE-2019-6477
+       RESERVED
+CVE-2019-6476
+       RESERVED
+CVE-2019-6475
+       RESERVED
+CVE-2019-6474
+       RESERVED
+CVE-2019-6473
+       RESERVED
+CVE-2019-6472
+       RESERVED
+CVE-2019-6471
+       RESERVED
+CVE-2019-6470
+       RESERVED
+CVE-2019-6469
+       RESERVED
+CVE-2019-6468
+       RESERVED
+CVE-2019-6467
+       RESERVED
+CVE-2019-6466
+       RESERVED
+CVE-2019-6465
+       RESERVED
+CVE-2019-6464
+       RESERVED
+CVE-2019-6463
+       RESERVED
+CVE-2018-20733 (BI Web Services in SAS Web Infrastructure Platform before 
9.4M6 allows ...)
+       TODO: check
+CVE-2018-20732 (SAS Web Infrastructure Platform before 9.4M6 allows remote 
attackers to ...)
+       TODO: check
+CVE-2018-20731 (A stored cross site scripting (XSS) vulnerability in NeDi 
before 1.7Cp3 ...)
+       TODO: check
+CVE-2018-20730 (A SQL injection vulnerability in NeDi before 1.7Cp3 allows any 
user to ...)
+       TODO: check
+CVE-2018-20729 (A reflected cross site scripting (XSS) vulnerability in NeDi 
before ...)
+       TODO: check
+CVE-2018-20728 (A cross site request forgery (CSRF) vulnerability in NeDi 
before 1.7Cp3 ...)
+       TODO: check
+CVE-2018-20727 (Multiple command injection vulnerabilities in NeDi before 
1.7Cp3 allow ...)
+       TODO: check
+CVE-2015-9281 (Logon Manager in SAS Web Infrastructure Platform before 9.4M3 
allows ...)
+       TODO: check
 CVE-2019-6462 (An issue was discovered in cairo 1.16.0. There is an infinite 
loop in ...)
        - cairo <unfixed>
        NOTE: https://gitlab.freedesktop.org/cairo/cairo/issues/353
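Review bot: the eight new entries left at `TODO: check` (CVE-2018-20733 through CVE-2018-20727 and CVE-2015-9281) still need triage before this hunk is useful; each should end up either with a source package line carrying a fixed or `<unfixed>` version, as `- cairo <unfixed>` does for CVE-2019-6462 just below, or with a note that the affected software (SAS Web Infrastructure Platform, NeDi) is not packaged. CVE-2015-9281 is an old identifier only now published, so it should not be skipped as already handled.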
@@ -18266,12 +18324,12 @@ CVE-2018-18816
        RESERVED
 CVE-2018-18815
        RESERVED
-CVE-2018-18814
-       RESERVED
-CVE-2018-18813
-       RESERVED
-CVE-2018-18812
-       RESERVED
+CVE-2018-18814 (The TIBCO Spotfire authentication component of TIBCO Software 
Inc.'s ...)
+       TODO: check
+CVE-2018-18813 (The Spotfire web server component of TIBCO Software Inc.'s 
TIBCO ...)
+       TODO: check
+CVE-2018-18812 (The Spotfire Library component of TIBCO Software Inc.'s TIBCO 
Spotfire ...)
+       TODO: check
 CVE-2018-18811
        RESERVED
 CVE-2018-18810 (The Administrator Service component of TIBCO Software Inc.'s 
TIBCO ...)
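Review bot: the three new TIBCO Spotfire entries (CVE-2018-18814, CVE-2018-18813, CVE-2018-18812) are left at `TODO: check`, while the adjacent CVE-2018-18810, another TIBCO component, already has its published description in context; triage the three the same way so the block stays consistent.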
@@ -21773,6 +21831,7 @@ CVE-2018-17461 (An out of bounds read in PDFium in 
Google Chrome prior to 68.0.3
 CVE-2018-17460
        RESERVED
 CVE-2018-17457 (An object lifecycle issue in Blink could lead to a use after 
free in ...)
+       {DSA-4289-1}
        - chromium-browser 69.0.3497.81-1
        [jessie] - chromium-browser <end-of-life> (End of life, see DSA 4020)
 CVE-2018-17456 (Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 
2.17.x ...)
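Review bot: `{DSA-4289-1}` is placed before the `- chromium-browser 69.0.3497.81-1` line, matching the ordering used for DSA/DLA references elsewhere in this file; worth confirming that advisory text actually lists CVE-2018-17457, since the jessie line below still cites DSA 4020 for its end-of-life status.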
@@ -26119,8 +26178,8 @@ CVE-2018-15784
        RESERVED
 CVE-2018-15783
        REJECTED
-CVE-2018-15782
-       RESERVED
+CVE-2018-15782 (The Quick Setup component of RSA Authentication Manager 
versions prior ...)
+       TODO: check
 CVE-2018-15781
        RESERVED
 CVE-2018-15780 (RSA Archer versions prior to 6.5.0.1 contain an improper 
access ...)
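Review bot: CVE-2018-15782 (RSA Authentication Manager) is marked `TODO: check`; the neighbouring CVE-2018-15780 (RSA Archer) already has its description in context, so this entry can be triaged alongside it rather than left open.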
@@ -53796,40 +53855,34 @@ CVE-2018-5742 [Crash from assertion error when debug 
log level is 10 and log ent
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1655844
        NOTE: https://bugs.centos.org/view.php?id=15528
        NOTE: Introduced by https://bugzilla.redhat.com/show_bug.cgi?id=1452091
-CVE-2018-5741 [Update policies krb5-subdomain and ms-subdomain]
-       RESERVED
+CVE-2018-5741 (To provide fine-grained controls over the ability to use 
Dynamic DNS ...)
        - bind9 1:9.11.5+dfsg-1 (unimportant)
        NOTE: https://kb.isc.org/docs/cve-2018-5741
        NOTE: No code fix provided; Incorrect documentation of krb5-subdomain 
and ms-subdomain update policies.
        NOTE: Will be adressed in 9.11.5, 9.12.3
-CVE-2018-5740 [A flaw in the "deny-answer-aliases" feature can cause an INSIST 
assertion failure in named]
-       RESERVED
+CVE-2018-5740 (&quot;deny-answer-aliases&quot; is a little-used feature 
intended to help ...)
        {DLA-1485-1}
        - bind9 1:9.11.4.P1+dfsg-1 (bug #905743)
        [stretch] - bind9 <postponed> (Can be fixed along in the next DSA)
        NOTE: https://kb.isc.org/article/AA-01639/74/CVE-2018-5740
        NOTE: 
https://gitlab.isc.org/isc-projects/bind9/merge_requests/607/commits
-CVE-2018-5739 [failure to release memory may exhaust system resources]
-       RESERVED
+CVE-2018-5739 (An extension to hooks capabilities which debuted in Kea 1.4.0 
...)
        - isc-kea <not-affected> (Vulnerable code introduced in Kea 1.4.0)
        NOTE: https://kb.isc.org/article/AA-01626
        NOTE: 1.4.0-1 was uploaded to experimental as 
https://tracker.debian.org/news/973011
        NOTE: Tracking bug as #903729 with RC severity so this version does
        NOTE: not enter unstable without fix.
-CVE-2018-5738 [Some versions of BIND can improperly permit recursive query 
service to unauthorized clients]
-       RESERVED
+CVE-2018-5738 (Change #4777 (introduced in October 2017) introduced an 
unforeseen ...)
        - bind9 1:9.11.3+dfsg-2 (bug #901483)
        [stretch] - bind9 <not-affected> (Vulnerable code introduced later)
        [jessie] - bind9 <not-affected> (Vulnerable code introduced later)
        NOTE: Introduced by upstream change #4777
        NOTE: Introduced by: 
https://gitlab.isc.org/isc-projects/bind9/commit/89636d8f305956ad42e95a988502c7345e85ffe1
        NOTE: https://kb.isc.org/article/AA-01616/0/CVE-2018-5738
-CVE-2018-5737 [serve-stale implementation can cause an assertion failure in 
rbtdb.c or other undesirable behavior, even if serve-stale is not enabled.]
-       RESERVED
+CVE-2018-5737 (A problem with the implementation of the new serve-stale 
feature in ...)
        - bind9 <not-affected> (only affects 9.12, not yet packaged)
        NOTE: https://kb.isc.org/article/AA-01606
-CVE-2018-5736 [Multiple transfers of a zone in quick succession can cause an 
assertion failure in rbtdb.c]
-       RESERVED
+CVE-2018-5736 (An error in zone database reference counting can lead to an 
assertion ...)
        - bind9 <not-affected> (only affects 9.12, not yet packaged)
        NOTE: https://kb.isc.org/article/AA-01602
 CVE-2018-5735 [assertion failure in validator.c:1858]
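Review bot: the new description for CVE-2018-5740 carries HTML-escaped quotes (`&quot;deny-answer-aliases&quot;`), so the feed text was imported without decoding entities; it should read `"deny-answer-aliases"` like the bracketed title it replaces. Two smaller points in the context lines: `NOTE: Will be adressed in 9.11.5, 9.12.3` under CVE-2018-5741 has a typo ("addressed") and now reads as stale next to the recorded fixed version `bind9 1:9.11.5+dfsg-1`. Dropping the `RESERVED` lines is correct once the official descriptions are in.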
@@ -53840,12 +53893,10 @@ CVE-2018-5735 [assertion failure in validator.c:1858]
        NOTE: Mark as fixed version the 1:9.9.3.dfsg.P2-1 as the related code 
was
        NOTE: added upstream in 9.9.3b1. The issue though does not affect bind9 
upstream
        NOTE: and is only triggered as described in #889285.
-CVE-2018-5734 [A malformed request can trigger an assertion failure in 
badcache.c]
-       RESERVED
+CVE-2018-5734 (While handling a particular type of malformed packet BIND 
erroneously ...)
        - bind9 <not-affected> (Only affects Supported Preview 
Edition/Subscription Edition)
        NOTE: https://kb.isc.org/article/AA-01562/74/CVE-2018-5734
-CVE-2018-5733 [A malicious client can overflow a reference counter in ISC 
dhcpd]
-       RESERVED
+CVE-2018-5733 (A malicious client which is allowed to send very large amounts 
of ...)
        {DSA-4133-1 DLA-1313-1}
        - isc-dhcp 4.3.5-3.1 (bug #891785)
        NOTE: https://kb.isc.org/article/AA-01567/75/CVE-2018-5733
@@ -67857,7 +67908,7 @@ CVE-2017-17199 (Huawei DP300 V500R002C00; RP200 
V500R002C00; V600R006C00; TE30 .
 CVE-2017-17198
        RESERVED
 CVE-2017-17197
-       RESERVED
+       REJECTED
 CVE-2017-17196
        RESERVED
 CVE-2017-17195
@@ -113494,15 +113545,13 @@ CVE-2017-3147
        RESERVED
 CVE-2017-3146
        RESERVED
-CVE-2017-3145 [Improper fetch cleanup sequencing in the resolver can cause 
named to crash]
-       RESERVED
+CVE-2017-3145 (BIND was improperly sequencing cleanup operations on upstream 
...)
        {DSA-4089-1 DLA-1255-1}
        - bind9 1:9.11.2.P1-1
        NOTE: https://kb.isc.org/article/AA-01542
        NOTE: Fixed by (master): 
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=053b51c4dbd28f6e4de71ce4268a6f606025d76d
        NOTE: Fixed by (9.10.6-P1): 
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=55baf7d7e25c0e6444cb7e415f14d9e0819b5508
-CVE-2017-3144 [dhcp: omapi code doesn't free socket descriptors when empty 
message is received allowing denial-of-service]
-       RESERVED
+CVE-2017-3144 (A vulnerability stemming from failure to properly clean up 
closed ...)
        {DSA-4133-1}
        - isc-dhcp 4.3.5-3.1 (bug #887413)
        [wheezy] - isc-dhcp <no-dsa> (Minor issue)
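Review bot: the bracketed title removed for CVE-2017-3144 named the component (omapi socket descriptors) while the truncated official text `A vulnerability stemming from failure to properly clean up closed ...` does not; the NOTE lines linking the ISC bug and commits keep it traceable, but a short NOTE naming omapi would keep the list greppable.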
@@ -113510,24 +113559,20 @@ CVE-2017-3144 [dhcp: omapi code doesn't free socket 
descriptors when empty messa
        NOTE: https://bugs.isc.org/Public/Bug/Display.html?id=46767
        NOTE: 
https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=1a6b62fe17a42b00fa234d06b6dfde3d03451894
        NOTE: Fixes for 4.3.6p1: 
https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=99a25aedea02d9c259cb8fabf4be700fb32571a3
-CVE-2017-3143 [An error in TSIG authentication can permit unauthorized dynamic 
updates]
-       RESERVED
+CVE-2017-3143 (An attacker who is able to send and receive messages to an ...)
        {DSA-3904-1 DLA-1025-1}
        - bind9 1:9.10.3.dfsg.P4-12.4 (bug #866564)
        NOTE: https://kb.isc.org/article/AA-01503
        NOTE: Fixed by (master): 
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=581c1526ab0f74a177980da9ff0514f795ed8669
-CVE-2017-3142 [An error in TSIG authentication can permit unauthorized zone 
transfers]
-       RESERVED
+CVE-2017-3142 (An attacker who is able to send and receive messages to an ...)
        {DSA-3904-1 DLA-1025-1}
        - bind9 1:9.10.3.dfsg.P4-12.4 (bug #866564)
        NOTE: https://kb.isc.org/article/AA-01504
        NOTE: Fixed by (master): 
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=581c1526ab0f74a177980da9ff0514f795ed8669
-CVE-2017-3141
-       RESERVED
+CVE-2017-3141 (The BIND installer on Windows uses an unquoted service path 
which can ...)
        - bind9 <not-affected> (Affects only Windows systems)
        NOTE: https://kb.isc.org/article/AA-01496
-CVE-2017-3140 [An error processing RPZ rules can cause named to loop endlessly 
after handling a query]
-       RESERVED
+CVE-2017-3140 (If named is configured to use Response Policy Zones (RPZ) an 
error ...)
        - bind9 <not-affected> (Upstream change #4377 not backported/included)
        NOTE: https://kb.isc.org/article/AA-01495
        NOTE: Fixed by (master): 
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=2648c49be78568ba9f4123d22122f2a649e2e1b7
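Review bot: CVE-2017-3143 and CVE-2017-3142 now carry the identical truncated description `An attacker who is able to send and receive messages to an ...`, so the two entries can no longer be told apart from the list alone; the removed bracketed titles distinguished unauthorized dynamic updates from unauthorized zone transfers. The differing KB links (AA-01503 vs AA-01504) still disambiguate them, but a NOTE restating which is which would help. The `<not-affected>` reasoning for CVE-2017-3141 (Windows-only unquoted service path) and CVE-2017-3140 (change #4377 not included) still matches the new descriptions.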
@@ -113537,8 +113582,7 @@ CVE-2017-3140 [An error processing RPZ rules can 
cause named to loop endlessly a
 CVE-2017-3139
        RESERVED
        - bind9 <not-affected> (RHEL6 specific)
-CVE-2017-3138 [named exits with a REQUIRE assertion failure if it receives a 
null command string on its control channel]
-       RESERVED
+CVE-2017-3138 (named contains a feature which allows operators to issue 
commands to a ...)
        {DSA-3854-1 DLA-957-1}
        - bind9 1:9.10.3.dfsg.P4-12.3 (bug #860226)
        NOTE: https://kb.isc.org/article/AA-01471
@@ -113548,8 +113592,7 @@ CVE-2017-3138 [named exits with a REQUIRE assertion 
failure if it receives a nul
        NOTE: commands was added only in 9.11.0 and before existing commands 
permitted
        NOTE: over the control channel were already be given to cause the 
server to stop.
        NOTE: The CVE-2017-3138 is barely an issue in practice anyway.
-CVE-2017-3137 [A response packet can cause a resolver to terminate when 
processing an answer containing a CNAME or DNAME]
-       RESERVED
+CVE-2017-3137 (Mistaken assumptions about the ordering of records in the 
answer ...)
        {DSA-3854-1 DLA-957-1}
        - bind9 1:9.10.3.dfsg.P4-12.3 (bug #860225)
        NOTE: https://kb.isc.org/article/AA-01466
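Review bot: the context NOTE `over the control channel were already be given to cause the server to stop.` under CVE-2017-3138 has a grammar slip (`could already be given`); not part of this change, but worth fixing while the entry is being touched.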
@@ -113557,14 +113600,12 @@ CVE-2017-3137 [A response packet can cause a 
resolver to terminate when processi
        NOTE: Fixed by (9.10.x): 
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=69fd759b4aa02047e42e5cf4227f8257c4547988
        NOTE: Fixed by (9.10.x): 
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=6841d7b854c15df9ec56cab38da201b315bbcabb
 (reimplentation)
        NOTE: Fixed by (9.10.x): 
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=7ab9e8e00775782d474522a5b2bffba8daefefa5
 (regression fix)
-CVE-2017-3136 [An error handling synthesized records could cause an assertion 
failure when using DNS64 with "break-dnssec yes;"]
-       RESERVED
+CVE-2017-3136 (A query with a specific set of characteristics could cause a 
server ...)
        {DSA-3854-1 DLA-957-1}
        - bind9 1:9.10.3.dfsg.P4-12.3 (bug #860224)
        NOTE: https://kb.isc.org/article/AA-01465
        NOTE: Fixed by (9.10.x): 
https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=764240ca07ab1b796226d5402ccd9fbfa77ec32a
-CVE-2017-3135 [Assertion failure when using DNS64 and RPZ can lead to crash]
-       RESERVED
+CVE-2017-3135 (Under some conditions when using both DNS64 and RPZ to rewrite 
query ...)
        {DSA-3795-1 DLA-843-1}
        - bind9 1:9.10.3.dfsg.P4-12 (bug #855520)
        NOTE: https://kb.isc.org/article/AA-01453
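Review bot: the context line `(reimplentation)` under CVE-2017-3137 is a typo for `(reimplementation)`; pre-existing, but easy to clean up in the same pass.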
@@ -114044,8 +114085,7 @@ CVE-2016-9780
        REJECTED
 CVE-2016-9779
        REJECTED
-CVE-2016-9778 [An error handling certain queries using the nxdomain-redirect 
feature could cause a REQUIRE assertion failure in db.c]
-       RESERVED
+CVE-2016-9778 (An error in handling certain queries can cause an assertion 
failure ...)
        - bind9 <not-affected> (Only Supported Preview Edition/Subscription 
Edition and 9.11.x)
        NOTE: https://kb.isc.org/article/AA-01442/0
 CVE-2016-9771
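Review bot: the `<not-affected>` reason for CVE-2016-9778 lists 9.11.x among the affected versions, yet this same file now records `bind9 1:9.11.5+dfsg-1` as a fixed version (CVE-2018-5741 hunk above), so 9.11 is packaged and the reason no longer by itself implies Debian is unaffected; re-check which 9.11 releases were affected before keeping the status.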



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/569788a63ffc07578efc2f62f60e7e7637103b58

debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits