Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
cc77c8d9 by security tracker role at 2019-02-21T08:10:17Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,68 @@
+CVE-2019-8980 (A memory leak in the kernel_read_file function in fs/exec.c in 
the ...)
+       TODO: check
+CVE-2019-8979 (Koseven through 3.3.9, and Kohana through 3.3.6, has SQL 
Injection when ...)
+       TODO: check
+CVE-2019-8978
+       RESERVED
+CVE-2019-8977
+       RESERVED
+CVE-2019-8976
+       RESERVED
+CVE-2019-8975
+       RESERVED
+CVE-2019-8974
+       RESERVED
+CVE-2019-8973
+       RESERVED
+CVE-2019-8972
+       RESERVED
+CVE-2019-8971
+       RESERVED
+CVE-2019-8970
+       RESERVED
+CVE-2019-8969
+       RESERVED
+CVE-2019-8968
+       RESERVED
+CVE-2019-8967
+       RESERVED
+CVE-2019-8966
+       RESERVED
+CVE-2019-8965
+       RESERVED
+CVE-2019-8964
+       RESERVED
+CVE-2019-8963
+       RESERVED
+CVE-2019-8962
+       RESERVED
+CVE-2019-8961
+       RESERVED
+CVE-2019-8960
+       RESERVED
+CVE-2019-8959
+       RESERVED
+CVE-2019-8958
+       RESERVED
+CVE-2019-8957
+       RESERVED
+CVE-2019-8956
+       RESERVED
+CVE-2019-1000049
+       REJECTED
+       TODO: check
+CVE-2019-1000048
+       REJECTED
+       TODO: check
+CVE-2019-1000047
+       REJECTED
+       TODO: check
+CVE-2019-1000041
+       REJECTED
+       TODO: check
+CVE-2019-1000030
+       REJECTED
+       TODO: check
 CVE-2019-8955
        RESERVED
 CVE-2019-8954 (In Indexhibit 2.1.5, remote attackers can execute arbitrary 
code via ...)
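Review bot: CVE-2019-8980 (memory leak in kernel_read_file in fs/exec.c) is left at TODO: check although the description points directly at src:linux; it should get a tracking line in the form used elsewhere in this file, e.g. `- linux <unfixed>`, with the upstream fixed version filled in once identified. CVE-2019-8979 (Koseven/Kohana SQL injection) is most likely NOT-FOR-US unless one of those frameworks is packaged. The five REJECTED entries (CVE-2019-1000049, -1000048, -1000047, -1000041, -1000030) each carry a `TODO: check` after the `REJECTED` line; a rejected ID needs no further triage, so those TODO lines should be dropped to keep them out of the triage queue.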
@@ -8,16 +73,16 @@ CVE-2019-8952
        RESERVED
 CVE-2019-8951
        RESERVED
-CVE-2019-1003028
-       RESERVED
-CVE-2019-1003027
-       RESERVED
-CVE-2019-1003026
-       RESERVED
-CVE-2019-1003025
-       RESERVED
-CVE-2019-1003024
-       RESERVED
+CVE-2019-1003028 (A server-side request forgery vulnerability exists in 
Jenkins JMS ...)
+       TODO: check
+CVE-2019-1003027 (A server-side request forgery vulnerability exists in 
Jenkins ...)
+       TODO: check
+CVE-2019-1003026 (A server-side request forgery vulnerability exists in 
Jenkins ...)
+       TODO: check
+CVE-2019-1003025 (A exposure of sensitive information vulnerability exists in 
Jenkins ...)
+       TODO: check
+CVE-2019-1003024 (A sandbox bypass vulnerability exists in Jenkins Script 
Security ...)
+       TODO: check
 CVE-2019-8950 (The backdoor account dnsekakf2$$ in /bin/login on DASAN H665 
devices ...)
        NOT-FOR-US: DASAN
 CVE-2019-8949
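Review bot: The five Jenkins entries (CVE-2019-1003024 through CVE-2019-1003028) move from RESERVED to TODO: check. Jenkins and its plugins are not packaged in Debian, so these can be resolved to `NOT-FOR-US: Jenkins` (or the specific plugin name, as the tracker does for other Jenkins plugin advisories) rather than left in the queue. The "A exposure" wording in CVE-2019-1003025 is upstream's description text and should not be edited here.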
@@ -97,7 +162,7 @@ CVE-2019-8914
        RESERVED
 CVE-2019-8913
        RESERVED
-CVE-2019-8912 (In the Linux kernel through 4.20.10, af_alg_release() in ...)
+CVE-2019-8912 (In the Linux kernel through 4.20.11, af_alg_release() in ...)
        - linux <unfixed>
 CVE-2019-8911 (An issue was discovered in WTCMS 1.0. It has stored XSS via the 
third ...)
        NOT-FOR-US: WTCMS
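Review bot: Only the upstream description changes for CVE-2019-8912 (affected range widened from "through 4.20.10" to "through 4.20.11"); the `- linux <unfixed>` line is untouched, which is correct since no fixed Debian upload exists yet. The widened range indicates 4.20.11 still lacks the fix, so the fixed version should be re-verified against upstream stable when this entry is next triaged rather than assumed from the previous description.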
@@ -1102,8 +1167,8 @@ CVE-2019-8415
        RESERVED
 CVE-2019-8414
        RESERVED
-CVE-2013-7469
-       RESERVED
+CVE-2013-7469 (Seafile through 6.2.11 always uses the same Initialization 
Vector (IV) ...)
+       TODO: check
 CVE-2019-8413 (On Xiaomi MIX 2 devices with the 4.4.78 kernel, a NULL pointer 
...)
        NOT-FOR-US: Xiaomi
 CVE-2019-8412 (FeiFeiCms 4.0.181010 on Windows allows remote attackers to read 
or ...)
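Review bot: CVE-2013-7469 carries a 2013 ID but describes a current Seafile issue (same IV reused, versions through 6.2.11); the year reflects when the ID was reserved, not when the bug was fixed, so it should be triaged like a 2019 entry and not skipped as historical. Confirm whether seafile is in the archive; if it is not, mark it `NOT-FOR-US: Seafile` so it does not stay at TODO: check.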
@@ -7551,8 +7616,8 @@ CVE-2019-5729
        RESERVED
 CVE-2019-5728
        RESERVED
-CVE-2019-5727
-       RESERVED
+CVE-2019-5727 (Splunk Web in Splunk Enterprise 6.5.x before 6.5.5, 6.4.x 
before 6.4.9, ...)
+       TODO: check
 CVE-2019-5726
        RESERVED
 CVE-2019-5725 (qibosoft through V7 allows remote attackers to read arbitrary 
files via ...)
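Review bot: CVE-2019-5727 concerns Splunk Web in Splunk Enterprise, which is not packaged in Debian; this should be resolved to `NOT-FOR-US: Splunk` rather than left at TODO: check.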
@@ -11259,8 +11324,8 @@ CVE-2019-3926
        RESERVED
 CVE-2019-3925
        RESERVED
-CVE-2019-3924
-       RESERVED
+CVE-2019-3924 (MikroTik RouterOS before 6.43.12 (stable) and 6.42.12 
(long-term) is ...)
+       TODO: check
 CVE-2019-3923 (Nessus versions 8.2.1 and earlier were found to contain a 
stored XSS ...)
        NOT-FOR-US: Nessus
 CVE-2019-3922
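Review bot: CVE-2019-3924 is a MikroTik RouterOS firmware issue and can be closed as `NOT-FOR-US: MikroTik`, consistent with the adjacent `NOT-FOR-US: Nessus` entry for CVE-2019-3923.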
@@ -12360,10 +12425,10 @@ CVE-2019-3477
        RESERVED
 CVE-2019-3476
        RESERVED
-CVE-2019-3475
-       RESERVED
-CVE-2019-3474
-       RESERVED
+CVE-2019-3475 (A local privilege escalation vulnerability in the famtd 
component of ...)
+       TODO: check
+CVE-2019-3474 (A path traversal vulnerability in the web application component 
of ...)
+       TODO: check
 CVE-2019-3473
        RESERVED
 CVE-2019-3472
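Review bot: The truncated descriptions for CVE-2019-3475 (local privilege escalation in the famtd component) and CVE-2019-3474 (path traversal in a web application component) do not name the product, so the full advisory text is needed before these can be triaged; neither component name corresponds to a Debian package, so the likely outcome is NOT-FOR-US with the vendor named once identified.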
@@ -16135,8 +16200,8 @@ CVE-2019-2396 (Vulnerability in the Oracle CRM 
Technical Foundation component of
        NOT-FOR-US: Oracle
 CVE-2019-2395 (Vulnerability in the Oracle WebLogic Server component of Oracle 
Fusion ...)
        NOT-FOR-US: Oracle
-CVE-2018-20146
-       RESERVED
+CVE-2018-20146 (An issue was discovered in Liquidware ProfileUnity before 
6.8.0 with ...)
+       TODO: check
 CVE-2018-20153 (In WordPress before 4.9.9 and 5.x before 5.0.1, contributors 
could ...)
        {DLA-1673-1}
        - wordpress 5.0.1+dfsg1-1 (bug #916403)
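Review bot: CVE-2018-20146 (Liquidware ProfileUnity) is proprietary Windows profile-management software not packaged in Debian; resolve to `NOT-FOR-US: Liquidware` instead of leaving it at TODO: check.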
@@ -33265,8 +33330,8 @@ CVE-2018-15382 (A vulnerability in Cisco HyperFlex 
Software could allow an ...)
        NOT-FOR-US: Cisco
 CVE-2018-15381 (A Java deserialization vulnerability in Cisco Unity Express 
(CUE) ...)
        NOT-FOR-US: Cisco
-CVE-2018-15380
-       RESERVED
+CVE-2018-15380 (A vulnerability in the cluster service manager of Cisco 
HyperFlex ...)
+       TODO: check
 CVE-2018-15379 (A vulnerability in which the HTTP web server for Cisco Prime 
...)
        NOT-FOR-US: Cisco
 CVE-2018-15378 (A vulnerability in ClamAV versions prior to 0.100.2 could 
allow an ...)
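Review bot: CVE-2018-15380 (Cisco HyperFlex cluster service manager) sits between two entries already marked `NOT-FOR-US: Cisco` and should get the same resolution; the TODO: check only adds noise to the queue.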
@@ -52581,7 +52646,7 @@ CVE-2018-8032 (Apache Axis 1.x up to and including 1.4 
is vulnerable to a cross-
        [jessie] - axis <no-dsa> (Minor issue)
        NOTE: https://issues.apache.org/jira/browse/AXIS-2924
        NOTE: https://svn.apache.org/r1831943
-CVE-2018-8031 (The TomEE console (tomee-webapp) has a XSS vulnerability which 
could ...)
+CVE-2018-8031 (The Apache TomEE console (tomee-webapp) has a XSS vulnerability 
which ...)
        NOT-FOR-US: Apache TomEE
 CVE-2018-8030 (A Denial of Service vulnerability was found in Apache Qpid 
Broker-J ...)
        - qpid-java <itp> (bug #840131)
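Review bot: CVE-2018-8031 and the remaining hunks below are description-only refreshes from the CVE feed (mostly adding the "Apache" project prefix or re-truncating the text); no tracking or status line changes, so nothing needs re-triage for these.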
@@ -52598,7 +52663,7 @@ CVE-2018-8026 (This vulnerability in Apache Solr 6.0.0 
to 6.6.4 and 7.0.0 to 7.3
        NOTE: https://issues.apache.org/jira/browse/SOLR-12450
 CVE-2018-8025 (CVE-2018-8025 describes an issue in Apache HBase that affects 
the ...)
        NOT-FOR-US: Apache HBase
-CVE-2018-8024 (In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's 
possible  ...)
+CVE-2018-8024 (In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's 
...)
        NOT-FOR-US: Apache Spark
 CVE-2018-8023 (Apache Mesos can be configured to require authentication to 
call the ...)
        - apache-mesos <itp> (bug #760315)
@@ -52619,7 +52684,7 @@ CVE-2018-8019 (When using an OCSP responder Apache 
Tomcat Native 1.2.0 to 1.2.16
        - tomcat-native 1.2.17-1
        [stretch] - tomcat-native 1.2.12-2+deb9u2
        NOTE: https://svn.apache.org/r1832832
-CVE-2018-8018 (In Apache Ignite before 2.4.8 and 2.5.x before 2.5.3, the 
serialization  ...)
+CVE-2018-8018 (In Apache Ignite before 2.4.8 and 2.5.x before 2.5.3, the ...)
        NOT-FOR-US: Apache Ignite
 CVE-2018-8017 (In Apache Tika 1.2 to 1.18, a carefully crafted file can 
trigger an ...)
        - tika 1.20-1 (bug #914643)
@@ -72489,7 +72554,7 @@ CVE-2018-1338 (A carefully crafted (or fuzzed) file can 
trigger an infinite loop
        - tika 1.18-1
        [jessie] - tika <not-affected> (BGP parser introduced in 1.7)
        NOTE: http://www.openwall.com/lists/oss-security/2018/04/25/6
-CVE-2018-1337 (In Apache LDAP API before 1.0.2, a bug in the way the SSL 
Filter was ...)
+CVE-2018-1337 (In Apache Directory LDAP API before 1.0.2, a bug in the way the 
SSL ...)
        NOT-FOR-US: Apache LDAP API
 CVE-2018-1336 (An improper handing of overflow in the UTF-8 decoder with ...)
        {DSA-4281-1 DLA-1491-1}
@@ -72662,7 +72727,7 @@ CVE-2018-1296 (In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 
2.9.0, 2.8.0 to 2.8.3, an
        - hadoop <itp> (bug #793644)
 CVE-2018-1295 (In Apache Ignite 2.3 or earlier, the serialization mechanism 
does not ...)
        NOT-FOR-US: Apache Ignite
-CVE-2018-1294 (If a user of Commons-Email (typically an application 
programmer) ...)
+CVE-2018-1294 (If a user of Apache Commons Email (typically an application ...)
        - commons-email <not-affected> (Fixed with first upload to Debian)
        NOTE: 
https://marc.info/?i=CAF8HOZ+J3NkaywfbHuQpHxK9ZXeT4=4vs9rowcdiudnt1qa...@mail.gmail.com
        NOTE: Fixed by: 
https://svn.apache.org/viewvc?view=revision&amp;revision=1777030
@@ -97073,7 +97138,7 @@ CVE-2017-9804 (In Apache Struts 2.3.7 through 2.3.33 
and 2.5 through 2.5.12, if
        [wheezy] - libstruts1.2-java <ignored> (Minor issue)
        NOTE: DOS class vulnerability and classified as low by upstream.
        NOTE: https://struts.apache.org/docs/s2-050.html
-CVE-2017-9803 (Solr's Kerberos plugin can be configured to use delegation 
tokens, ...)
+CVE-2017-9803 (Apache Solr's Kerberos plugin can be configured to use 
delegation ...)
        - lucene-solr <not-affected> (Introduced in 6.2)
 CVE-2017-9802 (The Javascript method Sling.evalString() in Apache Sling 
Servlets Post ...)
        NOT-FOR-US: Apache Sling
@@ -105558,7 +105623,7 @@ CVE-2017-7660 (Apache Solr uses a PKI based mechanism 
to secure inter-node ...)
        - lucene-solr <not-affected> (Vulnerable code introduced later)
        NOTE: https://issues.apache.org/jira/browse/SOLR-10624
        NOTE: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/2f5ecbcf
-CVE-2017-7659 (A maliciously constructed HTTP/2 request could cause mod_http2 
2.4.24, ...)
+CVE-2017-7659 (A maliciously constructed HTTP/2 request could cause mod_http2 
in ...)
        - apache2 2.4.25-4
        [stretch] - apache2 2.4.25-3+deb9u1
        [jessie] - apache2 <not-affected> (Vulnerable code not present)
@@ -129684,7 +129749,7 @@ CVE-2016-8753
        REJECTED
 CVE-2016-8752 (Apache Atlas versions 0.6.0 (incubating), 0.7.0 (incubating), 
and ...)
        NOT-FOR-US: Apache Atlas
-CVE-2016-8751 (Apache Ranger before 0.6.is vulnerable to a Stored Cross-Site 
...)
+CVE-2016-8751 (Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site 
...)
        NOT-FOR-US: Apache Ranger
 CVE-2016-8750 (Apache Karaf prior to 4.0.8 used the LDAPLoginModule to 
authenticate ...)
        - apache-karaf <itp> (bug #881297)
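Review bot: The CVE-2016-8751 description now reads "before 0.6.3 is vulnerable" instead of the garbled "before 0.6.is", which restores the affected Apache Ranger version; the `NOT-FOR-US: Apache Ranger` line is unchanged and remains correct.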
@@ -129742,9 +129807,9 @@ CVE-2016-8738 (In Apache Struts 2.5 through 2.5.5, if 
an application allows ente
        NOTE: https://struts.apache.org/docs/s2-044.html
 CVE-2016-8737 (In Apache Brooklyn before 0.10.0, the REST server is vulnerable 
to ...)
        NOT-FOR-US: Apache Brooklyn
-CVE-2016-8736 (Apache Openmeetings before 3.1.2 is vulnerable to Remote Code 
...)
+CVE-2016-8736 (Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code 
...)
        NOT-FOR-US: Apache OpenMeetings
-CVE-2016-8735 (Remote code execution is possible with Apache Tomcat before 
6.0.48, 7.x ...)
+CVE-2016-8735 (Remote code execution is possible with Apache Tomcat before 
6.0.48, ...)
        {DSA-3739-1 DSA-3738-1 DLA-729-1 DLA-728-1}
        - tomcat9 <not-affected> (Fixed before initial upload to Debian)
        - tomcat8 8.0.39-1
@@ -129755,7 +129820,7 @@ CVE-2016-8735 (Remote code execution is possible with 
Apache Tomcat before 6.0.4
        NOTE: Fixed by: http://svn.apache.org/r1767656 (8.0.x)
        NOTE: Fixed by: http://svn.apache.org/r1767676 (7.0.x)
        NOTE: Fixed by: http://svn.apache.org/r1767684 (6.0.x)
-CVE-2016-8734 (Subversion's mod_dontdothat module and HTTP clients 1.4.0 
through ...)
+CVE-2016-8734 (Apache Subversion's mod_dontdothat module and HTTP clients 
1.4.0 ...)
        - subversion 1.9.5-1 (low)
        [jessie] - subversion 1.8.10-6+deb8u5
        [wheezy] - subversion <no-dsa> (Minor issue, binary packages not 
affected since built against Neon as HTTP library)
@@ -135951,7 +136016,7 @@ CVE-2016-6801 (Cross-site request forgery (CSRF) 
vulnerability in the CSRF ...)
        NOTE: http://svn.apache.org/r1758791 (2.4.x)
        NOTE: http://svn.apache.org/r1758771 (2.6.x)
        NOTE: http://svn.apache.org/r1758764 (2.8.x)
-CVE-2016-6800 (The default configuration of the OFBiz framework offers a blog 
...)
+CVE-2016-6800 (The default configuration of the Apache OFBiz framework offers 
a blog ...)
        NOT-FOR-US: Apache OFBiz
 CVE-2016-6799 (Product: Apache Cordova Android 5.2.2 and earlier. The 
application ...)
        NOT-FOR-US: Apache Cordova



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/cc77c8d9c35ed1c504547ca127c4f75d614ac34d

_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
