Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
cc126160 by security tracker role at 2019-11-19T08:10:23Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,11 @@
+CVE-2019-19117 (/usr/lib/lua/luci/controller/admin/autoupgrade.lua on PHICOMM 
K2(PSG12 ...)
+       TODO: check
+CVE-2019-19116
+       RESERVED
+CVE-2019-19115
+       RESERVED
+CVE-2019-19114
+       RESERVED
 CVE-2019-19113 (main/resources/mapper/NewBeeMallGoodsMapper.xml in newbee-mall 
(aka Ne ...)
        NOT-FOR-US: newbee-mall
 CVE-2019-19112
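Review bot: the CVE-2019-19117 entry is left at "TODO: check", but the affected path (/usr/lib/lua/luci/controller/admin/autoupgrade.lua on a PHICOMM K2) points at a vendor router firmware image rather than anything built from the Debian archive; once that is confirmed the entry should become NOT-FOR-US with the product name, as done for newbee-mall two lines below.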
@@ -503,17 +511,20 @@ CVE-2019-18889 [Forbid serializing AbstractAdapter and 
TagAwareAdapter instances
        NOTE: 
https://github.com/symfony/symfony/commit/8817d28fcaacb31fe01d267f6e19b44d8179395a
 CVE-2019-18888 [Prevent argument injection in a MimeTypeGuesser]
        RESERVED
+       {DSA-4573-1 DLA-1999-1}
        - symfony 4.3.8+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2019-18888-prevent-argument-injection-in-a-mimetypeguesser
        NOTE: 
https://github.com/symfony/symfony/commit/691486e43ce0e4893cd703e221bafc10a871f365
        NOTE: 
https://github.com/symfony/symfony/commit/77ddabf2e785ea85860d2720cc86f7c5d8967ed5
 CVE-2019-18887 [Use constant time comparison in UriSigner]
        RESERVED
+       {DSA-4573-1 DLA-1999-1}
        - symfony 4.3.8+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2019-18887-use-constant-time-comparison-in-urisigner
        NOTE: 
https://github.com/symfony/symfony/commit/cccefe6a7f12e776df0665aeb77fe9294c285fbb
 CVE-2019-18886 [Prevent user enumeration using switch user functionality]
        RESERVED
+       {DLA-1999-1}
        - symfony 4.3.8+dfsg-1
        NOTE: 
https://symfony.com/blog/cve-2019-18886-prevent-user-enumeration-using-switch-user-functionality
        NOTE: 
https://github.com/symfony/symfony/commit/7bd4a92fc9cc15d9a9fbb9eb1041e01b977f8332
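Review bot: CVE-2019-18886 receives only {DLA-1999-1} while the two sibling entries get {DSA-4573-1 DLA-1999-1}; since all three share the same sid fix (symfony 4.3.8+dfsg-1) and the same stretch DLA, confirm whether DSA-4573-1 deliberately omits the switch-user enumeration issue for buster, and if buster is not affected by it, record that with a [buster] line so the asymmetry is documented rather than left implicit.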
@@ -4081,8 +4092,8 @@ CVE-2019-18375
        RESERVED
 CVE-2019-18374
        RESERVED
-CVE-2019-18373
-       RESERVED
+CVE-2019-18373 (Norton App Lock, prior to 1.4.0.503, may be susceptible to a 
bypass ex ...)
+       TODO: check
 CVE-2019-18372 (Symantec Endpoint Protection, prior to 14.2 RU2, may be 
susceptible to ...)
        NOT-FOR-US: Symantec Endpoint Protection
 CVE-2019-18371 (An issue was discovered on Xiaomi Mi WiFi R3G devices before 
2.28.23-s ...)
@@ -4425,8 +4436,8 @@ CVE-2019-18217 (ProFTPD before 1.3.6b and 1.3.7rc before 
1.3.7rc2 allows remote
        NOTE: https://github.com/proftpd/proftpd/issues/846
 CVE-2019-18216 (** DISPUTED ** The BIOS configuration design on ASUS ROG 
Zephyrus M GM ...)
        NOT-FOR-US: BIOS configuration design on ASUS ROG Zephyrus M GM501GS 
laptops with BIOS 313
-CVE-2019-18215
-       RESERVED
+CVE-2019-18215 (An issue was discovered in signmgr.dll 6.5.0.819 in Comodo 
Internet Se ...)
+       TODO: check
 CVE-2019-18214 (The Video_Converter app 0.1.0 for Nextcloud allows denial of 
service ( ...)
        NOT-FOR-US: Video_Converter app for Nextcloud
 CVE-2019-18213 (XML Language Server (aka lsp4xml) before 0.9.1, as used in Red 
Hat XML ...)
@@ -8078,8 +8089,8 @@ CVE-2019-17087
        RESERVED
 CVE-2019-17086
        RESERVED
-CVE-2019-17085
-       RESERVED
+CVE-2019-17085 (XXE attack vulnerability on Micro Focus Operations Agent, 
affected ver ...)
+       TODO: check
 CVE-2019-17084
        RESERVED
 CVE-2019-17083
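Review bot: CVE-2019-17085 (XXE in Micro Focus Operations Agent) is a proprietary monitoring agent with no Debian source package; the "TODO: check" is expected from the automatic update but should be closed out as NOT-FOR-US on review.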
@@ -13896,8 +13907,8 @@ CVE-2019-15056
        RESERVED
 CVE-2019-15055 (MikroTik RouterOS through 6.44.5 and 6.45.x through 6.45.3 
improperly  ...)
        NOT-FOR-US: MikroTik RouterOS
-CVE-2019-15054
-       RESERVED
+CVE-2019-15054 (Multiple cross-site scripting (XSS) vulnerabilities in 
Mailbird before ...)
+       TODO: check
 CVE-2019-15053 (The "HTML Include and replace macro" plugin before 1.5.0 for 
Confluenc ...)
        NOT-FOR-US: "HTML Include and replace macro" plugin for Confluence 
Server
 CVE-2019-15052 (The HTTP client in Gradle before 5.6 sends authentication 
credentials  ...)
@@ -14492,7 +14503,7 @@ CVE-2019-14871
        RESERVED
 CVE-2019-14870
        RESERVED
-CVE-2019-14869 (A flaw was found in all versions of ghostscript 9.x before 
9.28, where ...)
+CVE-2019-14869 (A flaw was found in all versions of ghostscript 9.x before 
9.50, where ...)
        {DSA-4569-1 DLA-1992-1}
        - ghostscript <unfixed> (bug #944760)
        NOTE: 
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904772c5f0aa1140032746e5a0abfc40f4cef
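Review bot: the description for CVE-2019-14869 now says "9.x before 9.50" while the package line still reads "ghostscript <unfixed> (bug #944760)" even though DSA-4569-1 and DLA-1992-1 are already recorded; check whether the sid upload closing #944760 has landed and replace <unfixed> with that version, and if 9.50 itself is still affected (the linked commit would decide that), add a NOTE saying so, because the new upstream bound reads as if 9.50 were fixed.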
@@ -14717,7 +14728,7 @@ CVE-2019-14818 (A flaw was found in all dpdk version 
17.x.x before 17.11.8, 16.x
        - dpdk 18.11.4-1
        NOTE: http://mails.dpdk.org/archives/announce/2019-November/000293.html
        NOTE: https://bugs.dpdk.org/show_bug.cgi?id=363
-CVE-2019-14817 (A flaw was found in, ghostscript versions prior to 9.28, in 
the .pdfex ...)
+CVE-2019-14817 (A flaw was found in, ghostscript versions prior to 9.50, in 
the .pdfex ...)
        {DSA-4518-1 DLA-1915-1}
        - ghostscript 9.28~~rc2~dfsg-1
        NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701450
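Review bot: the updated text for CVE-2019-14817 says "prior to 9.50" while the Debian fixed version stays at 9.28~~rc2~dfsg-1; the same pattern appears for CVE-2019-14813 and CVE-2019-14811 in the two hunks below. If the fixes from bugs 701450, 701443 and 701445 are in the 9.28 release candidates as the entries imply, add a NOTE on each stating that the fix predates 9.50 so the raised upstream bound is not read as a gap in the 9.28-based packages.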
@@ -14737,7 +14748,7 @@ CVE-2019-14815
 CVE-2019-14814 (There is heap-based buffer overflow in Linux kernel, all 
versions up t ...)
        {DLA-1930-1}
        - linux 5.2.17-1
-CVE-2019-14813 (A flaw was found in ghostscript, versions 9.x before 9.28, in 
the sets ...)
+CVE-2019-14813 (A flaw was found in ghostscript, versions 9.x before 9.50, in 
the sets ...)
        {DSA-4518-1 DLA-1915-1}
        - ghostscript 9.28~~rc2~dfsg-1
        NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701443
@@ -14756,7 +14767,7 @@ CVE-2019-14812
        NOTE: For recent versions (9.28~~rc1~dfsg-1) the issue is mitigated 
starting
        NOTE: from 
http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff
        NOTE: which changed the access to file permissions.
-CVE-2019-14811 (A flaw was found in, ghostscript versions prior to 9.28, in 
the .pdf_h ...)
+CVE-2019-14811 (A flaw was found in, ghostscript versions prior to 9.50, in 
the .pdf_h ...)
        {DSA-4518-1 DLA-1915-1}
        - ghostscript 9.28~~rc2~dfsg-1
        NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701445
@@ -21643,6 +21654,7 @@ CVE-2019-12839 (In OrangeHRM 4.3.1 and before, there is 
an input validation erro
 CVE-2013-7472 (The "Count per Day" plugin before 3.2.6 for WordPress allows 
XSS via t ...)
        NOT-FOR-US: "Count per Day" plugin for WordPress
 CVE-2019-12838 (SchedMD Slurm 17.11.x, 18.08.0 through 18.08.7, and 19.05.0 
allows SQL ...)
+       {DSA-4572-1}
        - slurm-llnl 19.05.3.2-1 (bug #931880)
        [stretch] - slurm-llnl <no-dsa> (Too intrusive to backport)
        NOTE: 
https://lists.schedmd.com/pipermail/slurm-announce/2019/000025.html
@@ -22756,8 +22768,7 @@ CVE-2019-12424
        RESERVED
 CVE-2019-12423
        RESERVED
-CVE-2019-12422 [weak cookie vulnerability]
-       RESERVED
+CVE-2019-12422 (Apache Shiro before 1.4.2, when using the default "remember 
me" config ...)
        - shiro <unfixed>
        NOTE: https://www.openwall.com/lists/oss-security/2019/11/18/1
        TODO: check details on fix
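Review bot: CVE-2019-12422 now carries the upstream description naming 1.4.2 as the fixed release, but the entry still has "shiro <unfixed>" with no Debian bug number and the only reference is the oss-security post; when the fix details are checked, add the bug reference and the upstream commit as NOTE lines so the <unfixed> state is actionable.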
@@ -22785,8 +22796,8 @@ CVE-2019-12411
        RESERVED
 CVE-2019-12410 (While investigating UBSAN errors in 
https://github.com/apache/arrow/pu ...)
        NOT-FOR-US: Apache Arrow
-CVE-2019-12409
-       RESERVED
+CVE-2019-12409 (The 8.1.1 and 8.2.0 releases of Apache Solr contain an 
insecure settin ...)
+       TODO: check
 CVE-2019-12408 (It was discovered that the C++ implementation (which underlies 
the R,  ...)
        NOT-FOR-US: Apache Arrow
 CVE-2019-12407 (On Apache JSPWiki, up to version 2.11.0.M4, a carefully 
crafted plugin ...)
@@ -22798,7 +22809,7 @@ CVE-2019-12405 (Improper authentication is possible in 
Apache Traffic Control ve
 CVE-2019-12404 (On Apache JSPWiki, up to version 2.11.0.M4, a carefully 
crafted plugin ...)
        - jspwiki <removed>
 CVE-2019-12403
-       RESERVED
+       REJECTED
 CVE-2019-12402 (The file name encoding algorithm used internally in Apache 
Commons Com ...)
        - libcommons-compress-java 1.18-3 (low; bug #939610)
        [buster] - libcommons-compress-java <no-dsa> (Minor issue)
@@ -27377,10 +27388,10 @@ CVE-2019-10766
        RESERVED
 CVE-2019-10765
        RESERVED
-CVE-2019-10764
-       RESERVED
-CVE-2019-10763
-       RESERVED
+CVE-2019-10764 (In elliptic-php versions priot to 1.0.6, Timing attacks might 
be possi ...)
+       TODO: check
+CVE-2019-10763 (pimcore/pimcore before 6.3.0 is vulnerable to SQL Injection. 
An attack ...)
+       TODO: check
 CVE-2019-10762 (columnQuote in medoo before 1.7.5 allows remote attackers to 
perform a ...)
        NOT-FOR-US: medoo
 CVE-2019-10761
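Review bot: CVE-2019-10764 (elliptic-php) and CVE-2019-10763 (pimcore) are both PHP projects without a Debian source package as far as the tracker shows; they should be resolved to NOT-FOR-US like the medoo entry below them. The spelling "priot" in the CVE-2019-10764 text is the upstream description as imported and should not be corrected locally.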
@@ -29324,8 +29335,7 @@ CVE-2019-10072 (The fix for CVE-2019-0199 was 
incomplete and did not address HTT
        NOTE: 
https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3E
 CVE-2019-10071 (The code which checks HMAC in form submissions used 
String.equals() fo ...)
        NOT-FOR-US: Apache Tapestry
-CVE-2019-10070
-       RESERVED
+CVE-2019-10070 (Apache Atlas versions 0.8.3 and 1.1.0 were found vulnerable to 
Stored  ...)
        NOT-FOR-US: Apache Atlas
 CVE-2019-10069 (In Godot through 3.1, remote code execution is possible due to 
the des ...)
        NOT-FOR-US: Godot
@@ -231141,8 +231151,7 @@ CVE-2014-5047
        RESERVED
 CVE-2014-5046
        RESERVED
-CVE-2014-5118
-       RESERVED
+CVE-2014-5118 (A Security Bypass Vulnerability exists in TBOOT before 1.8.2 in 
the bo ...)
        NOT-FOR-US: tboot
 CVE-2014-5117 (Tor before 0.2.4.23 and 0.2.5 before 0.2.5.6-alpha maintains a 
circuit ...)
        {DSA-2993-1 DLA-17-1}
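Review bot: the NOT-FOR-US: tboot marking on CVE-2014-5118 is carried over unchanged from the RESERVED entry; before keeping it, verify against the archive that no tboot source package exists, since the description now gives a concrete fix version (1.8.2) that would need a package line if tboot is shipped. Separately, this entry sits after CVE-2014-5046 instead of in descending order with the surrounding CVE-2014-50xx block; the position predates this change but is worth fixing while the entry is being touched.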
@@ -270088,20 +270097,16 @@ CVE-2012-4443 (Monkey HTTP Daemon 0.9.3 uses a real 
UID of root and a real GID o
        - monkey <removed> (unimportant; bug #688008)
 CVE-2012-4442 (Monkey HTTP Daemon 0.9.3 retains the supplementary group IDs of 
the ro ...)
        - monkey <removed> (unimportant; bug #688007)
-CVE-2012-4441 [jenkins XSS in CI game plugin]
-       RESERVED
+CVE-2012-4441 (Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS 
before ...)
        - jenkins <not-affected> (Plugin not built in Debian source package)
        NOTE: 
http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
-CVE-2012-4440 [jenkins XSS in Violations plugin]
-       RESERVED
+CVE-2012-4440 (Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS 
before ...)
        - jenkins <not-affected> (Plugin not built in Debian source package)
        NOTE: 
http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
-CVE-2012-4439 [jenkins XSS]
-       RESERVED
+CVE-2012-4439 (Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS 
before ...)
        - jenkins 1.447.2+dfsg-2 (bug #688298)
        NOTE: 
http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
-CVE-2012-4438 [jenkins remote code execution]
-       RESERVED
+CVE-2012-4438 (Jenkins main before 1.482 and LTS before 1.466.2 allows remote 
attacke ...)
        - jenkins 1.447.2+dfsg-2 (bug #688298)
        NOTE: 
http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
 CVE-2012-4437 (Cross-site scripting (XSS) vulnerability in the SmartyException 
class  ...)
@@ -298624,7 +298629,7 @@ CVE-2010-3847 (elf/dl-load.c in ld.so in the GNU C 
Library (aka glibc or libc6)
 CVE-2010-3846 (Array index error in the apply_rcs_change function in rcs.c in 
CVS 1.1 ...)
        - cvs <not-affected> (vulnerable code not present)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3852
-CVE-2010-3844 (An unchecked sscanf() call in ettercap 0.7.3 allows an insecure 
tempor ...)
+CVE-2010-3844 (An unchecked sscanf() call in ettercap before 0.7.5 allows an 
insecure ...)
        - ettercap 1:0.7.4-1 (unimportant; bug #600130)
        NOTE: Very far-fetched attack vector
 CVE-2010-3843
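Review bot: the description for CVE-2010-3844 changes from "ettercap 0.7.3" to "ettercap before 0.7.5", which now sits above the recorded Debian fix version 1:0.7.4-1; confirm from bug #600130 that 0.7.4 already contains the sscanf() fix (or a Debian patch for it), and either add a NOTE saying so or adjust the fixed version.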
@@ -323697,8 +323702,7 @@ CVE-2002-2427 (The security handler in GoAhead 
WebServer before 2.1.1 allows rem
        NOT-FOR-US: GoAhead WebServer
 CVE-2008-7272 (FireGPG before 0.6 handle user&#8217;s passphrase and decrypted 
cleart ...)
        - iceweasel-firegpg <removed> (bug #514386)
-CVE-2008-7273 [iceweasel-firegpg: Passphrase and Cleartext Recovery]
-       RESERVED
+CVE-2008-7273 (A symlink issue exists in Iceweasel-firegpg before 0.6 due to 
insecure ...)
        - iceweasel-firegpg <removed> (bug #514386)
 CVE-2009-0431 (SQL injection vulnerability in Default.asp in LinksPro Standard 
Editio ...)
        NOT-FOR-US: LinksPro
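Review bot: the old local title on CVE-2008-7273, "Passphrase and Cleartext Recovery", actually matches the description now shown for CVE-2008-7272, while 7273 turns out to be a separate symlink issue; both entries share bug #514386 and the <removed> status, which is fine, but a short NOTE distinguishing the two would avoid the impression that the same flaw was assigned two CVEs.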



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/cc1261606d0622597baeb73d346faff4f95c36cb

-- 
You're receiving this email because of your account on salsa.debian.org.


_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
