Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: cc77c8d9 by security tracker role at 2019-02-21T08:10:17Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -1,3 +1,68 @@ +CVE-2019-8980 (A memory leak in the kernel_read_file function in fs/exec.c in the ...) + TODO: check +CVE-2019-8979 (Koseven through 3.3.9, and Kohana through 3.3.6, has SQL Injection when ...) + TODO: check +CVE-2019-8978 + RESERVED +CVE-2019-8977 + RESERVED +CVE-2019-8976 + RESERVED +CVE-2019-8975 + RESERVED +CVE-2019-8974 + RESERVED +CVE-2019-8973 + RESERVED +CVE-2019-8972 + RESERVED +CVE-2019-8971 + RESERVED +CVE-2019-8970 + RESERVED +CVE-2019-8969 + RESERVED +CVE-2019-8968 + RESERVED +CVE-2019-8967 + RESERVED +CVE-2019-8966 + RESERVED +CVE-2019-8965 + RESERVED +CVE-2019-8964 + RESERVED +CVE-2019-8963 + RESERVED +CVE-2019-8962 + RESERVED +CVE-2019-8961 + RESERVED +CVE-2019-8960 + RESERVED +CVE-2019-8959 + RESERVED +CVE-2019-8958 + RESERVED +CVE-2019-8957 + RESERVED +CVE-2019-8956 + RESERVED +CVE-2019-1000049 + REJECTED + TODO: check +CVE-2019-1000048 + REJECTED + TODO: check +CVE-2019-1000047 + REJECTED + TODO: check +CVE-2019-1000041 + REJECTED + TODO: check +CVE-2019-1000030 + REJECTED + TODO: check CVE-2019-8955 RESERVED CVE-2019-8954 (In Indexhibit 2.1.5, remote attackers can execute arbitrary code via ...) 
@@ -8,16 +73,16 @@ CVE-2019-8952 RESERVED CVE-2019-8951 RESERVED -CVE-2019-1003028 - RESERVED -CVE-2019-1003027 - RESERVED -CVE-2019-1003026 - RESERVED -CVE-2019-1003025 - RESERVED -CVE-2019-1003024 - RESERVED +CVE-2019-1003028 (A server-side request forgery vulnerability exists in Jenkins JMS ...) + TODO: check +CVE-2019-1003027 (A server-side request forgery vulnerability exists in Jenkins ...) + TODO: check +CVE-2019-1003026 (A server-side request forgery vulnerability exists in Jenkins ...) + TODO: check +CVE-2019-1003025 (A exposure of sensitive information vulnerability exists in Jenkins ...) + TODO: check +CVE-2019-1003024 (A sandbox bypass vulnerability exists in Jenkins Script Security ...) + TODO: check CVE-2019-8950 (The backdoor account dnsekakf2$$ in /bin/login on DASAN H665 devices ...) NOT-FOR-US: DASAN CVE-2019-8949 @@ -97,7 +162,7 @@ CVE-2019-8914 RESERVED CVE-2019-8913 RESERVED -CVE-2019-8912 (In the Linux kernel through 4.20.10, af_alg_release() in ...) +CVE-2019-8912 (In the Linux kernel through 4.20.11, af_alg_release() in ...) - linux <unfixed> CVE-2019-8911 (An issue was discovered in WTCMS 1.0. It has stored XSS via the third ...) NOT-FOR-US: WTCMS @@ -1102,8 +1167,8 @@ CVE-2019-8415 RESERVED CVE-2019-8414 RESERVED -CVE-2013-7469 - RESERVED +CVE-2013-7469 (Seafile through 6.2.11 always uses the same Initialization Vector (IV) ...) + TODO: check CVE-2019-8413 (On Xiaomi MIX 2 devices with the 4.4.78 kernel, a NULL pointer ...) NOT-FOR-US: Xiaomi CVE-2019-8412 (FeiFeiCms 4.0.181010 on Windows allows remote attackers to read or ...) @@ -7551,8 +7616,8 @@ CVE-2019-5729 RESERVED CVE-2019-5728 RESERVED -CVE-2019-5727 - RESERVED +CVE-2019-5727 (Splunk Web in Splunk Enterprise 6.5.x before 6.5.5, 6.4.x before 6.4.9, ...) + TODO: check CVE-2019-5726 RESERVED CVE-2019-5725 (qibosoft through V7 allows remote attackers to read arbitrary files via ...) 
@@ -11259,8 +11324,8 @@ CVE-2019-3926 RESERVED CVE-2019-3925 RESERVED -CVE-2019-3924 - RESERVED +CVE-2019-3924 (MikroTik RouterOS before 6.43.12 (stable) and 6.42.12 (long-term) is ...) + TODO: check CVE-2019-3923 (Nessus versions 8.2.1 and earlier were found to contain a stored XSS ...) NOT-FOR-US: Nessus CVE-2019-3922 @@ -12360,10 +12425,10 @@ CVE-2019-3477 RESERVED CVE-2019-3476 RESERVED -CVE-2019-3475 - RESERVED -CVE-2019-3474 - RESERVED +CVE-2019-3475 (A local privilege escalation vulnerability in the famtd component of ...) + TODO: check +CVE-2019-3474 (A path traversal vulnerability in the web application component of ...) + TODO: check CVE-2019-3473 RESERVED CVE-2019-3472 @@ -16135,8 +16200,8 @@ CVE-2019-2396 (Vulnerability in the Oracle CRM Technical Foundation component of NOT-FOR-US: Oracle CVE-2019-2395 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...) NOT-FOR-US: Oracle -CVE-2018-20146 - RESERVED +CVE-2018-20146 (An issue was discovered in Liquidware ProfileUnity before 6.8.0 with ...) + TODO: check CVE-2018-20153 (In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could ...) {DLA-1673-1} - wordpress 5.0.1+dfsg1-1 (bug #916403) @@ -33265,8 +33330,8 @@ CVE-2018-15382 (A vulnerability in Cisco HyperFlex Software could allow an ...) NOT-FOR-US: Cisco CVE-2018-15381 (A Java deserialization vulnerability in Cisco Unity Express (CUE) ...) NOT-FOR-US: Cisco -CVE-2018-15380 - RESERVED +CVE-2018-15380 (A vulnerability in the cluster service manager of Cisco HyperFlex ...) + TODO: check CVE-2018-15379 (A vulnerability in which the HTTP web server for Cisco Prime ...) NOT-FOR-US: Cisco CVE-2018-15378 (A vulnerability in ClamAV versions prior to 0.100.2 could allow an ...) 
@@ -52581,7 +52646,7 @@ CVE-2018-8032 (Apache Axis 1.x up to and including 1.4 is vulnerable to a cross- [jessie] - axis <no-dsa> (Minor issue) NOTE: https://issues.apache.org/jira/browse/AXIS-2924 NOTE: https://svn.apache.org/r1831943 -CVE-2018-8031 (The TomEE console (tomee-webapp) has a XSS vulnerability which could ...) +CVE-2018-8031 (The Apache TomEE console (tomee-webapp) has a XSS vulnerability which ...) NOT-FOR-US: Apache TomEE CVE-2018-8030 (A Denial of Service vulnerability was found in Apache Qpid Broker-J ...) - qpid-java <itp> (bug #840131) @@ -52598,7 +52663,7 @@ CVE-2018-8026 (This vulnerability in Apache Solr 6.0.0 to 6.6.4 and 7.0.0 to 7.3 NOTE: https://issues.apache.org/jira/browse/SOLR-12450 CVE-2018-8025 (CVE-2018-8025 describes an issue in Apache HBase that affects the ...) NOT-FOR-US: Apache HBase -CVE-2018-8024 (In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible ...) +CVE-2018-8024 (In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's ...) NOT-FOR-US: Apache Spark CVE-2018-8023 (Apache Mesos can be configured to require authentication to call the ...) - apache-mesos <itp> (bug #760315) @@ -52619,7 +52684,7 @@ CVE-2018-8019 (When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 - tomcat-native 1.2.17-1 [stretch] - tomcat-native 1.2.12-2+deb9u2 NOTE: https://svn.apache.org/r1832832 -CVE-2018-8018 (In Apache Ignite before 2.4.8 and 2.5.x before 2.5.3, the serialization ...) +CVE-2018-8018 (In Apache Ignite before 2.4.8 and 2.5.x before 2.5.3, the ...) NOT-FOR-US: Apache Ignite CVE-2018-8017 (In Apache Tika 1.2 to 1.18, a carefully crafted file can trigger an ...) - tika 1.20-1 (bug #914643) 
@@ -72489,7 +72554,7 @@ CVE-2018-1338 (A carefully crafted (or fuzzed) file can trigger an infinite loop - tika 1.18-1 [jessie] - tika <not-affected> (BGP parser introduced in 1.7) NOTE: http://www.openwall.com/lists/oss-security/2018/04/25/6 -CVE-2018-1337 (In Apache LDAP API before 1.0.2, a bug in the way the SSL Filter was ...) +CVE-2018-1337 (In Apache Directory LDAP API before 1.0.2, a bug in the way the SSL ...) NOT-FOR-US: Apache LDAP API CVE-2018-1336 (An improper handing of overflow in the UTF-8 decoder with ...) {DSA-4281-1 DLA-1491-1} @@ -72662,7 +72727,7 @@ CVE-2018-1296 (In Apache Hadoop 3.0.0-alpha1 to 3.0.0, 2.9.0, 2.8.0 to 2.8.3, an - hadoop <itp> (bug #793644) CVE-2018-1295 (In Apache Ignite 2.3 or earlier, the serialization mechanism does not ...) NOT-FOR-US: Apache Ignite -CVE-2018-1294 (If a user of Commons-Email (typically an application programmer) ...) +CVE-2018-1294 (If a user of Apache Commons Email (typically an application ...) - commons-email <not-affected> (Fixed with first upload to Debian) NOTE: https://marc.info/?i=CAF8HOZ+J3NkaywfbHuQpHxK9ZXeT4=4vs9rowcdiudnt1qa...@mail.gmail.com NOTE: Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1777030 @@ -97073,7 +97138,7 @@ CVE-2017-9804 (In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if [wheezy] - libstruts1.2-java <ignored> (Minor issue) NOTE: DOS class vulnerability and classified as low by upstream. NOTE: https://struts.apache.org/docs/s2-050.html -CVE-2017-9803 (Solr's Kerberos plugin can be configured to use delegation tokens, ...) +CVE-2017-9803 (Apache Solr's Kerberos plugin can be configured to use delegation ...) - lucene-solr <not-affected> (Introduced in 6.2) CVE-2017-9802 (The Javascript method Sling.evalString() in Apache Sling Servlets Post ...) NOT-FOR-US: Apache Sling 
@@ -105558,7 +105623,7 @@ CVE-2017-7660 (Apache Solr uses a PKI based mechanism to secure inter-node ...) - lucene-solr <not-affected> (Vulnerable code introduced later) NOTE: https://issues.apache.org/jira/browse/SOLR-10624 NOTE: http://git-wip-us.apache.org/repos/asf/lucene-solr/commit/2f5ecbcf -CVE-2017-7659 (A maliciously constructed HTTP/2 request could cause mod_http2 2.4.24, ...) +CVE-2017-7659 (A maliciously constructed HTTP/2 request could cause mod_http2 in ...) - apache2 2.4.25-4 [stretch] - apache2 2.4.25-3+deb9u1 [jessie] - apache2 <not-affected> (Vulnerable code not present) @@ -129684,7 +129749,7 @@ CVE-2016-8753 REJECTED CVE-2016-8752 (Apache Atlas versions 0.6.0 (incubating), 0.7.0 (incubating), and ...) NOT-FOR-US: Apache Atlas -CVE-2016-8751 (Apache Ranger before 0.6.is vulnerable to a Stored Cross-Site ...) +CVE-2016-8751 (Apache Ranger before 0.6.3 is vulnerable to a Stored Cross-Site ...) NOT-FOR-US: Apache Ranger CVE-2016-8750 (Apache Karaf prior to 4.0.8 used the LDAPLoginModule to authenticate ...) - apache-karaf <itp> (bug #881297) @@ -129742,9 +129807,9 @@ CVE-2016-8738 (In Apache Struts 2.5 through 2.5.5, if an application allows ente NOTE: https://struts.apache.org/docs/s2-044.html CVE-2016-8737 (In Apache Brooklyn before 0.10.0, the REST server is vulnerable to ...) NOT-FOR-US: Apache Brooklyn -CVE-2016-8736 (Apache Openmeetings before 3.1.2 is vulnerable to Remote Code ...) +CVE-2016-8736 (Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code ...) NOT-FOR-US: Apache OpenMeetings -CVE-2016-8735 (Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x ...) +CVE-2016-8735 (Remote code execution is possible with Apache Tomcat before 6.0.48, ...) {DSA-3739-1 DSA-3738-1 DLA-729-1 DLA-728-1} - tomcat9 <not-affected> (Fixed before initial upload to Debian) - tomcat8 8.0.39-1 
@@ -129755,7 +129820,7 @@ CVE-2016-8735 (Remote code execution is possible with Apache Tomcat before 6.0.4 NOTE: Fixed by: http://svn.apache.org/r1767656 (8.0.x) NOTE: Fixed by: http://svn.apache.org/r1767676 (7.0.x) NOTE: Fixed by: http://svn.apache.org/r1767684 (6.0.x) -CVE-2016-8734 (Subversion's mod_dontdothat module and HTTP clients 1.4.0 through ...) +CVE-2016-8734 (Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 ...) - subversion 1.9.5-1 (low) [jessie] - subversion 1.8.10-6+deb8u5 [wheezy] - subversion <no-dsa> (Minor issue, binary packages not affected since built against Neon as HTTP library) @@ -135951,7 +136016,7 @@ CVE-2016-6801 (Cross-site request forgery (CSRF) vulnerability in the CSRF ...) NOTE: http://svn.apache.org/r1758791 (2.4.x) NOTE: http://svn.apache.org/r1758771 (2.6.x) NOTE: http://svn.apache.org/r1758764 (2.8.x) -CVE-2016-6800 (The default configuration of the OFBiz framework offers a blog ...) +CVE-2016-6800 (The default configuration of the Apache OFBiz framework offers a blog ...) NOT-FOR-US: Apache OFBiz CVE-2016-6799 (Product: Apache Cordova Android 5.2.2 and earlier. The application ...) NOT-FOR-US: Apache Cordova
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cc77c8d9c35ed1c504547ca127c4f75d614ac34d
You're receiving this email because of your account on salsa.debian.org.
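Review bot: in the first hunk (@@ -1,3 +1,68 @@), CVE-2019-8980 (memory leak in kernel_read_file in fs/exec.c) is added with only "TODO: check" although it is a Linux kernel issue; the same patch records CVE-2019-8912 as "- linux <unfixed>", so this entry should get a linux package line in that form once the affected versions are confirmed. The five REJECTED entries in the same hunk (CVE-2019-1000049 down to CVE-2019-1000030) also carry "TODO: check"; a rejected ID needs no package triage, so that marker can be dropped from them after confirming the rejection.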
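Review bot: in the hunk @@ -8,16 +73,16 @@, the five Jenkins plugin entries (CVE-2019-1003024 through CVE-2019-1003028) move from RESERVED to "TODO: check" without a package or NOT-FOR-US line; when triaging, CVE-2019-1003024 (sandbox bypass in Jenkins Script Security) is the one to look at first, since the other four are SSRF and information-exposure issues in individual plugins.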
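Review bot: in the hunk @@ -7551,8 +7616,8 @@, CVE-2019-5727 (Splunk Web in Splunk Enterprise) is left at "TODO: check"; Splunk Enterprise is proprietary software that Debian does not package, so by the convention used for Nessus in this same patch ("NOT-FOR-US: Nessus") this resolves to "NOT-FOR-US: Splunk" rather than a package line.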
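Review bot: in the hunk @@ -33265,8 +33330,8 @@, CVE-2018-15380 is now described as an issue in the cluster service manager of Cisco HyperFlex but stays at "TODO: check", while its neighbours CVE-2018-15382, CVE-2018-15381 and CVE-2018-15379 are all "NOT-FOR-US: Cisco"; it should be marked the same way.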
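Review bot: in the hunk @@ -129684,7 +129749,7 @@, the old description of CVE-2016-8751 had a garbled fix version ("before 0.6.is") and the new text restores it as "before 0.6.3"; the "NOT-FOR-US: Apache Ranger" line below it is unchanged and remains correct. The other description-only hunks from CVE-2018-8031 onward just normalise product names to the "Apache ..." form and change no Debian status line, so they need no follow-up.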
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits