[Git][security-tracker-team/security-tracker][master] Add CVE-2019-1125/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 715cc3ba by Salvatore Bonaccorso at 2019-08-07T04:28:27Z Add CVE-2019-1125/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -38527,8 +38527,10 @@ CVE-2019-1127 (A remote code execution vulnerability exists in the way that Dire NOT-FOR-US: Microsoft CVE-2019-1126 (A security feature bypass vulnerability exists in Active Directory Fed ...) NOT-FOR-US: Microsoft -CVE-2019-1125 +CVE-2019-1125 [Spectre v1 SWAPGS] RESERVED + - linux + NOTE: https://access.redhat.com/articles/4329821 CVE-2019-1124 (A remote code execution vulnerability exists in the way that DirectWri ...) NOT-FOR-US: Microsoft CVE-2019-1123 (A remote code execution vulnerability exists in the way that DirectWri ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/715cc3ba771f3ff7134fa71521901bd42d531340 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/715cc3ba771f3ff7134fa71521901bd42d531340 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
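Review bot: the hunk turns CVE-2019-1125 into an affected entry for linux with no fixed version, so the tracker will show it as unfixed in every suite, which is the right state for a freshly published issue; the only reference added is the Red Hat knowledge-base article, so once the upstream kernel commit for the SWAPGS mitigation is public, a second `NOTE:` line with that commit would let the fixed version be verified against the Debian kernel packages rather than against a vendor write-up. The `[Spectre v1 SWAPGS]` tag alongside `RESERVED` follows the usual convention for issues whose MITRE description is not yet published.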
[Git][security-tracker-team/security-tracker][master] Reassociate some NFUs for TeamPass to src:teampass and itp'ed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ab635994 by Salvatore Bonaccorso at 2019-08-06T21:09:53Z Reassociate some NFUs for TeamPass to src:teampass and itp'ed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5880,7 +5880,7 @@ CVE-2019-12951 (An issue was discovered in Mongoose before 6.15. The parse_mqtt( NOT-FOR-US: Cesanta Mongoose NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1 CVE-2019-12950 (An issue was discovered in TeamPass 2.1.27.35. From the sources/items. ...) - NOT-FOR-US: TeamPass + - teampass (bug #730180) CVE-2019-12949 (In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick an authen ...) NOT-FOR-US: pfSense CVE-2019-12948 (A vulnerability in the web-based management interface of VVX, Trio, So ...) @@ -21167,7 +21167,7 @@ CVE-2019-102 (Gitea version 1.6.2 and earlier contains a Incorrect Access Co - gitea NOTE: https://github.com/go-gitea/gitea/pull/5631 CVE-2019-101 (TeamPass version 2.1.27 and earlier contains a Storing Passwords in a ...) - NOT-FOR-US: TeamPass + - teampass (bug #730180) CVE-2018-20753 (Kaseya VSA RMM before R9.3 9.3.0.35, R9.4 before 9.4.0.36, and R9.5 be ...) NOT-FOR-US: Kaseya VSA RMM CVE-2018-20752 (An issue was discovered in Recon-ng before 4.9.5. Lack of validation i ...) @@ -100875,7 +100875,7 @@ CVE-2017-15280 (XML external entity (XXE) vulnerability in Umbraco CMS before 7. CVE-2017-15279 (Cross-site scripting (XSS) vulnerability in Umbraco CMS before 7.7.3 a ...) NOT-FOR-US: Umbraco CMS CVE-2017-15278 (Cross-Site Scripting (XSS) was discovered in TeamPass before 2.1.27.9. ...) - NOT-FOR-US: TeamPass + - teampass (bug #730180) CVE-2017-15277 (ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and GraphicsMagick ...) {DSA-4321-1 DSA-4040-1 DSA-4032-1 DLA-1456-1 DLA-1140-1 DLA-1139-1} - imagemagick 8:6.9.9.34+dfsg-3 (bug #878578) 
@@ -118489,7 +118489,7 @@ CVE-2017-9438 (libyara/re.c in the regexp module in YARA 3.5.0 allows remote att CVE-2017-9437 (Openbravo Business Suite 3.0 is affected by SQL injection. This vulner ...) NOT-FOR-US: Openbravo Business Suite CVE-2017-9436 (TeamPass before 2.1.27.4 is vulnerable to a SQL injection in users.que ...) - NOT-FOR-US: TeamPass + - teampass (bug #730180) CVE-2017-9435 (Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection in user ...) - dolibarr 5.0.4+dfsg3-1 (bug #864569) NOTE: https://github.com/Dolibarr/dolibarr/commit/70636cc59ffa1ffbc0ce3dba315d7d9b837aad04 @@ -180358,11 +180358,11 @@ CVE-2015-7566 (The clie_5_attach function in drivers/usb/serial/visor.c in the L CVE-2015-7565 (Cross-site scripting (XSS) vulnerability in Ember.js 1.8.x through 1.1 ...) NOT-FOR-US: ember.js CVE-2015-7564 (Multiple SQL injection vulnerabilities in TeamPass 2.1.24 and earlier ...) - NOT-FOR-US: TeamPass + - teampass (bug #730180) CVE-2015-7563 (Cross-site request forgery (CSRF) vulnerability in TeamPass 2.1.24 and ...) - NOT-FOR-US: TeamPass + - teampass (bug #730180) CVE-2015-7562 (Multiple cross-site scripting (XSS) vulnerabilities in TeamPass 2.1.24 ...) - NOT-FOR-US: TeamPass + - teampass (bug #730180) CVE-2015-7561 (Kubernetes in OpenShift3 allows remote authenticated users to use the ...) NOT-FOR-US: OpenShift CVE-2015-7560 (The SMB1 implementation in smbd in Samba 3.x and 4.x before 4.1.23, 4. ...) 
@@ -259036,7 +259036,7 @@ CVE-2012-2236 (SQL injection vulnerability in users.php in PHP Gift Registry 1.5 CVE-2012-2235 (Cross-site scripting (XSS) vulnerability in Support Incident Tracker ( ...) NOT-FOR-US: Support Incident Tracker CVE-2012-2234 (Cross-site scripting (XSS) vulnerability in sources/users.queries.php ...) - NOT-FOR-US: TeamPass.net + - teampass (bug #730180) CVE-2012-2233 RESERVED CVE-2012-2232 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ab635994dfee3ac5cc6149499cfc7547b26ecb38 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ab635994dfee3ac5cc6149499cfc7547b26ecb38 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
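Review bot: every hunk in this change replaces `NOT-FOR-US: TeamPass` with `- teampass (bug #730180)` and no version, which marks the package as affected and unfixed; since #730180 is the ITP and the package is not yet in the archive, all seven entries will stay open until it is uploaded, at which point each CVE needs the first fixed version (or a `<not-affected>` marker with a reason) filled in rather than the shared ITP reference. The last hunk also replaces the odd `NOT-FOR-US: TeamPass.net` spelling on CVE-2012-2234 in passing, so the entries are now consistent with each other.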
[Git][security-tracker-team/security-tracker][master] dla: claim tomcat8 + more explanations + last CVE was not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: e45c62f2 by Sylvain Beucler at 2019-08-06T20:45:52Z dla: claim tomcat8 + more explanations + last CVE was not-affected - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -132,11 +132,13 @@ subversion -- tika -- -tomcat8 +tomcat8 (Sylvain Beucler) NOTE: 20190522: FTBFS NOTE: Test SSL certificate expired, see https://bz.apache.org/bugzilla/show_bug.cgi?id=57655 NOTE: Attempt to solve this by using certificates from latest tomcat8 package failed (Brian). - NOTE: 20190701: New CVE just piled up. + NOTE: 20190806: Abhijith says no: https://lists.debian.org/debian-lts/2019/07/msg00053.html + NOTE: 20190806: tomcat8 has an history of unexplained FTBFS: https://lists.debian.org/debian-lts/2018/07/msg00103.html + NOTE: 20190806: certificate updated in 8.0.14-1+deb8u12 expired 2019-02-27 indeed (Beuc) -- wireshark (Thorsten Alteholz) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e45c62f2729055aedab1c73c49652ec386e54a66 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e45c62f2729055aedab1c73c49652ec386e54a66 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
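Review bot: typo in the second added NOTE line, "tomcat8 has an history of unexplained FTBFS" should read "has a history"; the three new notes also repeat the date `20190806` three times, so a single dated NOTE carrying the three facts (the "no" from Abhijith, the FTBFS history link, the expired certificate in 8.0.14-1+deb8u12) would read more easily. Replacing the stale "New CVE just piled up" note with dated findings is the right call, and the claim line `tomcat8 (Sylvain Beucler)` matches the convention used for wireshark just below.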
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 848d51b0 by Salvatore Bonaccorso at 2019-08-06T20:37:56Z Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25,7 +25,7 @@ CVE-2019-14699 CVE-2019-14698 RESERVED CVE-2019-14696 (Open-School 3.0, and Community Edition 2.3, allows XSS via the osv/ind ...) - TODO: check + NOT-FOR-US: Open-School CVE-2019-14695 (A SQL injection vulnerability exists in the Sygnoos Popup Builder plug ...) NOT-FOR-US: Sygnoos Popup Builder plugin for WordPress CVE-2019-14694 @@ -552,7 +552,7 @@ CVE-2019-14475 (eQ-3 Homematic CCU2 2.47.15 and prior and CCU3 3.47.15 and prior CVE-2019-14474 RESERVED CVE-2019-14473 (eQ-3 Homematic CCU2 and CCU3 use session IDs for authentication but la ...) - TODO: check + NOT-FOR-US: eQ-3 Homematic CCU2 and CCU3 CVE-2019-14472 (Zurmo 3.2.7-2 has XSS via the app/index.php/zurmo/default PATH_INFO. ...) NOT-FOR-US: Zumo CVE-2019-14471 (TestLink 1.9.19 has XSS via the error.php message parameter. ...) @@ -1455,9 +1455,9 @@ CVE-2019-14349 (EspoCRM version 5.6.4 is vulnerable to stored XSS due to lack of CVE-2019-14348 (The BearDev JoomSport plugin 3.3 for WordPress allows SQL injection to ...) NOT-FOR-US: BearDev JoomSport plugin for WordPress CVE-2019-14347 (Internal/Views/addUsers.php in Schben Adive 2.0.7 allows remote unpriv ...) - TODO: check + NOT-FOR-US: Schben Adive CVE-2019-14346 (Internal/Views/config.php in Schben Adive 2.0.7 allows admin/config CS ...) - TODO: check + NOT-FOR-US: Schben Adive CVE-2019-14345 RESERVED CVE-2019-14344 @@ -5299,7 +5299,7 @@ CVE-2019-13145 CVE-2019-13144 REJECTED CVE-2019-13143 (An HTTP parameter pollution issue was discovered on Shenzhen Dragon Br ...) - TODO: check + NOT-FOR-US: Shenzhen Dragon Brothers Fingerprint Bluetooth Round Padlock FB50 CVE-2019-13142 (The RzSurroundVADStreamingService (RzSurroundVADStreamingService.exe) ...) NOT-FOR-US: Razer Surround CVE-2019-13141 
@@ -5880,7 +5880,7 @@ CVE-2019-12951 (An issue was discovered in Mongoose before 6.15. The parse_mqtt( NOT-FOR-US: Cesanta Mongoose NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1 CVE-2019-12950 (An issue was discovered in TeamPass 2.1.27.35. From the sources/items. ...) - TODO: check + NOT-FOR-US: TeamPass CVE-2019-12949 (In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick an authen ...) NOT-FOR-US: pfSense CVE-2019-12948 (A vulnerability in the web-based management interface of VVX, Trio, So ...) 
@@ -24588,21 +24588,21 @@ CVE-2019-6003 CVE-2019-6002 (Cross-site scripting vulnerability in Central Dogma 0.17.0 to 0.40.1 a ...) NOT-FOR-US: Central Dogma CVE-2019-6001 (Buffer overflow in PTP (Picture Transfer Protocol) of EOS series digit ...) - TODO: check + NOT-FOR-US: Canon CVE-2019-6000 (Buffer overflow in PTP (Picture Transfer Protocol) of EOS series digit ...) - TODO: check + NOT-FOR-US: Canon CVE-2019-5999 (Buffer overflow in PTP (Picture Transfer Protocol) of EOS series digit ...) - TODO: check + NOT-FOR-US: Canon CVE-2019-5998 (Buffer overflow in PTP (Picture Transfer Protocol) of EOS series digit ...) - TODO: check + NOT-FOR-US: Canon CVE-2019-5997 RESERVED CVE-2019-5996 RESERVED CVE-2019-5995 (Missing authorization vulnerability exists in EOS series digital camer ...) - TODO: check + NOT-FOR-US: Canon CVE-2019-5994 (Buffer overflow in PTP (Picture Transfer Protocol) of EOS series digit ...) - TODO: check + NOT-FOR-US: Canon CVE-2019-5993 RESERVED CVE-2019-5992 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/848d51b09de77c0f3f9145b904c99c09d8811489 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/848d51b09de77c0f3f9145b904c99c09d8811489 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
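Review bot: in the hunk at line 552 the context line `NOT-FOR-US: Zumo` for CVE-2019-14472 is a typo for Zurmo, the product named in the description; it is unchanged here but worth fixing while this region is being touched. The remaining hunks consistently replace `TODO: check` with `NOT-FOR-US` for products not packaged in Debian; note that the `NOT-FOR-US: TeamPass` result for CVE-2019-12950 in the hunk at line 5880 is superseded by the later reassociation of the TeamPass entries to src:teampass in this digest.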
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-1469{1,2,3}/adplug issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: af349777 by Salvatore Bonaccorso at 2019-08-06T20:25:02Z Add CVE-2019-1469{1,2,3}/adplug issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33,11 +33,14 @@ CVE-2019-14694 CVE-2019-14693 RESERVED CVE-2019-14692 (AdPlug 2.3.1 has a heap-based buffer overflow in CmkjPlayer::load() in ...) - TODO: check + - adplug + NOTE: https://github.com/adplug/adplug/issues/87 CVE-2019-14691 (AdPlug 2.3.1 has a heap-based buffer overflow in CdtmLoader::load() in ...) - TODO: check + - adplug + NOTE: https://github.com/adplug/adplug/issues/86 CVE-2019-14690 (AdPlug 2.3.1 has a heap-based buffer overflow in CxadbmfPlayer::__bmf_ ...) - TODO: check + - adplug + NOTE: https://github.com/adplug/adplug/issues/85 CVE-2019-14697 (musl libc through 1.1.23 has an x87 floating-point stack adjustment im ...) - musl 1.1.23-2 NOTE: https://git.musl-libc.org/cgit/musl/patch/?id=f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/af3497770714145e72b2345600c24306611f9ff7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/af3497770714145e72b2345600c24306611f9ff7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
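Review bot: the three adplug entries are recorded as affected with no fixed version and only the upstream GitHub issues as references; no Debian bug is attached, so consider filing one and recording it as `- adplug (bug #NNNNNN)` (NNNNNN being the bug number once filed) so the three heap-based buffer overflows in the loaders stay visible to the maintainer, and add the fixed version once upstream closes the issues.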
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ec18a486 by Salvatore Bonaccorso at 2019-08-06T20:18:01Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27,7 +27,7 @@ CVE-2019-14698 CVE-2019-14696 (Open-School 3.0, and Community Edition 2.3, allows XSS via the osv/ind ...) TODO: check CVE-2019-14695 (A SQL injection vulnerability exists in the Sygnoos Popup Builder plug ...) - TODO: check + NOT-FOR-US: Sygnoos Popup Builder plugin for WordPress CVE-2019-14694 RESERVED CVE-2019-14693 
@@ -1107,49 +1107,49 @@ CVE-2016-10799 CVE-2016-10798 RESERVED CVE-2016-10797 (cPanel before 58.0.4 allows WHM "Purchase and Install an SSL Certifica ...) - TODO: check + NOT-FOR-US: cPanel CVE-2016-10796 (cPanel before 58.0.4 initially uses weak permissions for Apache HTTP S ...) - TODO: check + NOT-FOR-US: cPanel CVE-2016-10795 (cPanel before 59..145 allows stored XSS in the WHM tail_upcp2.cgi ...) - TODO: check + NOT-FOR-US: cPanel CVE-2016-10794 (cPanel before 59..145 allows arbitrary file-read operations becaus ...) - TODO: check + NOT-FOR-US: cPanel CVE-2016-10793 (cPanel before 59..145 allows arbitrary code execution due to an in ...) - TODO: check + NOT-FOR-US: cPanel CVE-2016-10792 (cPanel before 59..145 allows code execution in the context of othe ...) - TODO: check + NOT-FOR-US: cPanel CVE-2016-10791 (cPanel before 60.0.15 does not ensure that system accounts lack a vali ...) - TODO: check + NOT-FOR-US: cPanel CVE-2016-10790 (cPanel before 60.0.25 does not use TLS for HTTP POSTs to listinput.cpa ...) - TODO: check + NOT-FOR-US: cPanel CVE-2016-10789 (cPanel before 60.0.25 allows code execution via the cpsrvd 403 error r ...) - TODO: check + NOT-FOR-US: cPanel CVE-2016-10788 (cPanel before 60.0.25 allows arbitrary code execution via Maketext in ...) - TODO: check + NOT-FOR-US: cPanel CVE-2016-10787 (The Host Access Control feature in cPanel before 60.0.25 mishandles ac ...) - TODO: check + NOT-FOR-US: cPanel CVE-2016-10786 (cPanel before 60.0.25 allows members of the nobody group to read Apach ...) - TODO: check + NOT-FOR-US: cPanel CVE-2016-10785 (cPanel before 60.0.25 allows attackers to discover file contents durin ...) - TODO: check + NOT-FOR-US: cPanel CVE-2016-10784 (cPanel before 60.0.25 allows self XSS in the alias upload interface (S ...) - TODO: check + NOT-FOR-US: cPanel CVE-2016-10783 (cPanel before 60.0.25 allows self stored XSS in SSL_listkeys (SEC-182) ...) 
- TODO: check + NOT-FOR-US: cPanel CVE-2016-10782 (cPanel before 60.0.25 allows self stored XSS in postgres API1 listdbs ...) - TODO: check + NOT-FOR-US: cPanel CVE-2016-10781 (cPanel before 60.0.25 allows self XSS in the UI_confirm API (SEC-180). ...) - TODO: check + NOT-FOR-US: cPanel CVE-2016-10780 (cPanel before 60.0.25 allows stored XSS in the ftp_sessions API (SEC-1 ...) - TODO: check + NOT-FOR-US: cPanel CVE-2016-10779 (cPanel before 60.0.25 allows stored XSS in api1_listautoresponders (SE ...) - TODO: check + NOT-FOR-US: cPanel CVE-2016-10778 (cPanel before 60.0.25 allows self stored XSS in the listftpstable API ...) - TODO: check + NOT-FOR-US: cPanel CVE-2016-10777 (cPanel before 60.0.25 allows self XSS in WHM Tweak Settings for autodi ...) - TODO: check + NOT-FOR-US: cPanel CVE-2016-10776 (cPanel before 60.0.25 allows stored XSS during the homedir removal pha ...) - TODO: check + NOT-FOR-US: cPanel CVE-2016-10775 (cPanel before 60.0.25 allows arbitrary file-chown operations via reass ...) NOT-FOR-US: cPanel CVE-2016-10774 (cPanel before 60.0.25 allows self XSS in the tail_ea4_migration.cgi in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ec18a486122114d91596684966ec47c872c7f3ac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ec18a486122114d91596684966ec47c872c7f3ac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0b0620f3 by security tracker role at 2019-08-06T20:10:32Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,4 +1,44 @@ -CVE-2019-14697 [x87 float stack imbalance] +CVE-2019-14710 + RESERVED +CVE-2019-14709 + RESERVED +CVE-2019-14708 + RESERVED +CVE-2019-14707 + RESERVED +CVE-2019-14706 + RESERVED +CVE-2019-14705 + RESERVED +CVE-2019-14704 + RESERVED +CVE-2019-14703 + RESERVED +CVE-2019-14702 + RESERVED +CVE-2019-14701 + RESERVED +CVE-2019-14700 + RESERVED +CVE-2019-14699 + RESERVED +CVE-2019-14698 + RESERVED +CVE-2019-14696 (Open-School 3.0, and Community Edition 2.3, allows XSS via the osv/ind ...) + TODO: check +CVE-2019-14695 (A SQL injection vulnerability exists in the Sygnoos Popup Builder plug ...) + TODO: check +CVE-2019-14694 + RESERVED +CVE-2019-14693 + RESERVED +CVE-2019-14692 (AdPlug 2.3.1 has a heap-based buffer overflow in CmkjPlayer::load() in ...) + TODO: check +CVE-2019-14691 (AdPlug 2.3.1 has a heap-based buffer overflow in CdtmLoader::load() in ...) + TODO: check +CVE-2019-14690 (AdPlug 2.3.1 has a heap-based buffer overflow in CxadbmfPlayer::__bmf_ ...) + TODO: check +CVE-2019-14697 (musl libc through 1.1.23 has an x87 floating-point stack adjustment im ...) - musl 1.1.23-2 NOTE: https://git.musl-libc.org/cgit/musl/patch/?id=f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441 NOTE: https://git.musl-libc.org/cgit/musl/patch/?id=6818c31c9bc4bbad5357f1de14bedf781e5b349e 
@@ -508,8 +548,8 @@ CVE-2019-14475 (eQ-3 Homematic CCU2 2.47.15 and prior and CCU3 3.47.15 and prior NOT-FOR-US: eQ-3 Homematic CCU2 and CCU3 CVE-2019-14474 RESERVED -CVE-2019-14473 - RESERVED +CVE-2019-14473 (eQ-3 Homematic CCU2 and CCU3 use session IDs for authentication but la ...) + TODO: check CVE-2019-14472 (Zurmo 3.2.7-2 has XSS via the app/index.php/zurmo/default PATH_INFO. ...) NOT-FOR-US: Zumo CVE-2019-14471 (TestLink 1.9.19 has XSS via the error.php message parameter. ...) 
@@ -1066,50 +1106,50 @@ CVE-2016-10799 RESERVED CVE-2016-10798 RESERVED -CVE-2016-10797 - RESERVED -CVE-2016-10796 - RESERVED -CVE-2016-10795 - RESERVED -CVE-2016-10794 - RESERVED -CVE-2016-10793 - RESERVED -CVE-2016-10792 - RESERVED -CVE-2016-10791 - RESERVED -CVE-2016-10790 - RESERVED -CVE-2016-10789 - RESERVED -CVE-2016-10788 - RESERVED -CVE-2016-10787 - RESERVED -CVE-2016-10786 - RESERVED -CVE-2016-10785 - RESERVED -CVE-2016-10784 - RESERVED -CVE-2016-10783 - RESERVED -CVE-2016-10782 - RESERVED -CVE-2016-10781 - RESERVED -CVE-2016-10780 - RESERVED -CVE-2016-10779 - RESERVED -CVE-2016-10778 - RESERVED -CVE-2016-10777 - RESERVED -CVE-2016-10776 - RESERVED +CVE-2016-10797 (cPanel before 58.0.4 allows WHM "Purchase and Install an SSL Certifica ...) + TODO: check +CVE-2016-10796 (cPanel before 58.0.4 initially uses weak permissions for Apache HTTP S ...) + TODO: check +CVE-2016-10795 (cPanel before 59..145 allows stored XSS in the WHM tail_upcp2.cgi ...) + TODO: check +CVE-2016-10794 (cPanel before 59..145 allows arbitrary file-read operations becaus ...) + TODO: check +CVE-2016-10793 (cPanel before 59..145 allows arbitrary code execution due to an in ...) + TODO: check +CVE-2016-10792 (cPanel before 59..145 allows code execution in the context of othe ...) + TODO: check +CVE-2016-10791 (cPanel before 60.0.15 does not ensure that system accounts lack a vali ...) + TODO: check +CVE-2016-10790 (cPanel before 60.0.25 does not use TLS for HTTP POSTs to listinput.cpa ...) + TODO: check +CVE-2016-10789 (cPanel before 60.0.25 allows code execution via the cpsrvd 403 error r ...) + TODO: check +CVE-2016-10788 (cPanel before 60.0.25 allows arbitrary code execution via Maketext in ...) + TODO: check +CVE-2016-10787 (The Host Access Control feature in cPanel before 60.0.25 mishandles ac ...) + TODO: check +CVE-2016-10786 (cPanel before 60.0.25 allows members of the nobody group to read Apach ...) 
+ TODO: check +CVE-2016-10785 (cPanel before 60.0.25 allows attackers to discover file contents durin ...) + TODO: check +CVE-2016-10784 (cPanel before 60.0.25 allows self XSS in the alias upload interface (S ...) + TODO: check +CVE-2016-10783 (cPanel before 60.0.25 allows self stored XSS in SSL_listkeys (SEC-182) ...) + TODO: check +CVE-2016-10782 (cPanel before 60.0.25 allows self stored XSS in postgres API1 listdbs ...) + TODO: check +CVE-2016-10781 (cPanel before 60.0.25 allows self X
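Review bot: the first hunk drops the manually added `[x87 float stack imbalance]` tag on CVE-2019-14697 in favour of the published MITRE description, which is the expected effect of the automatic update; the musl fixed version and the two NOTE lines below it are preserved. The hunk at line 1066 converts a block of RESERVED cPanel entries into `TODO: check` placeholders, but the diff is cut off mid-entry at CVE-2016-10781 in this message, so the remainder of that hunk is not visible for review.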
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-14697/musl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b5cd796b by Salvatore Bonaccorso at 2019-08-06T19:26:57Z Add CVE-2019-14697/musl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,8 @@ +CVE-2019-14697 [x87 float stack imbalance] + - musl 1.1.23-2 + NOTE: https://git.musl-libc.org/cgit/musl/patch/?id=f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441 + NOTE: https://git.musl-libc.org/cgit/musl/patch/?id=6818c31c9bc4bbad5357f1de14bedf781e5b349e + NOTE: https://www.openwall.com/lists/oss-security/2019/08/06/1 CVE-2019-14689 RESERVED CVE-2019-14688 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b5cd796b5ff803bbb0e04380f402fa25288461ad -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b5cd796b5ff803bbb0e04380f402fa25288461ad You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
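Review bot: the musl entry records the fix only as `musl 1.1.23-2`, i.e. for unstable; the stable and oldstable suites carry no annotation, so until a `[buster]` or `[stretch]` line is added (a fixed version, `<no-dsa>` with a reason, or `<not-affected>`) the tracker will list them as open. The two upstream patch links and the oss-security post are the right references for checking a backport.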
[Git][security-tracker-team/security-tracker][master] Process CVE-2019-14475 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 45a1b4c8 by Salvatore Bonaccorso at 2019-08-06T19:15:08Z Process CVE-2019-14475 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -500,7 +500,7 @@ CVE-2019-14477 CVE-2019-14476 RESERVED CVE-2019-14475 (eQ-3 Homematic CCU2 2.47.15 and prior and CCU3 3.47.15 and prior use s ...) - TODO: check + NOT-FOR-US: eQ-3 Homematic CCU2 and CCU3 CVE-2019-14474 RESERVED CVE-2019-14473 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/45a1b4c8ab736240c7d034af4ac43e0f675704bf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/45a1b4c8ab736240c7d034af4ac43e0f675704bf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d9f3ed30 by Salvatore Bonaccorso at 2019-08-06T14:53:01Z Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -392,7 +392,7 @@ CVE-2019-14523 (An issue was discovered in Schism Tracker through 20190722. Ther CVE-2019-14522 RESERVED CVE-2019-14521 (The api/admin/logoupload Logo File upload feature in EMCA Energy Logse ...) - TODO: check + NOT-FOR-US: EMCA Energy Logserver CVE-2019-14520 RESERVED CVE-2019-14519 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d9f3ed305726c6d513e8df85890b691b0c045792 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d9f3ed305726c6d513e8df85890b691b0c045792 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-14664/enigmail
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f25561ed by Salvatore Bonaccorso at 2019-08-06T14:40:31Z Add CVE-2019-14664/enigmail - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -52,7 +52,8 @@ CVE-2019-14665 (Brandy 1.20.1 has a heap-based buffer overflow in define_array i - brandy (bug #933996) NOTE: https://sourceforge.net/p/brandy/bugs/8/ CVE-2019-14664 (In Enigmail below 2.1, an attacker in possession of PGP encrypted emai ...) - TODO: check + - enigmail + NOTE: https://sourceforge.net/p/enigmail/bugs/984/ CVE-2019-14663 (Brandy 1.20.1 has a stack-based buffer overflow in fileio_openin in fi ...) - brandy (bug #933996) NOTE: https://sourceforge.net/p/brandy/bugs/6/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f25561ed9523053c4d05fddd1d9e03a3dc27e656 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f25561ed9523053c4d05fddd1d9e03a3dc27e656 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
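Review bot: CVE-2019-14664 for enigmail is recorded as affected with no fixed version and no Debian bug reference, only the upstream SourceForge ticket; the description says the issue affects Enigmail below 2.1, so noting the fixed upstream version and adding a severity marker would help decide whether the stable suites need an update or a `<no-dsa>` annotation.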
[Git][security-tracker-team/security-tracker][master] Remove note for CVE-2019-12933, this was found to be a duplicate
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 94385c42 by Salvatore Bonaccorso at 2019-08-06T14:35:06Z Remove note for CVE-2019-12933, this was found to be a duplicate - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5874,7 +5874,6 @@ CVE-2019-12935 (Shopware before 5.5.8 has XSS via the Query String to the backen NOT-FOR-US: Shopware CVE-2019-12933 REJECTED - NOT-FOR-US: PIX-Link Repeater/Router LV-WR09 CVE-2019-12932 (A stored XSS vulnerability was found in SeedDMS 5.1.11 due to poorly e ...) NOT-FOR-US: SeedDMS CVE-2019-12931 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/94385c42e174038dec6d68f0b5b2736d13e33100 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/94385c42e174038dec6d68f0b5b2736d13e33100 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Four python-django issues fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 928c309b by Salvatore Bonaccorso at 2019-08-06T12:20:20Z Four python-django issues fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1741,25 +1741,25 @@ CVE-2019-14237 CVE-2019-14236 RESERVED CVE-2019-14235 (An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before ...) - - python-django (bug #934026) + - python-django 2:2.2.4-1 (bug #934026) [jessie] - python-django (Vulnerable code not present) NOTE: https://www.djangoproject.com/weblog/2019/aug/01/security-releases/ NOTE: https://github.com/django/django/commit/cf694e6852b0da7799f8b53f1fb2f7d20cf17534 (2.2.x) NOTE: https://github.com/django/django/commit/869b34e9b3be3a4cfcb3a145f218ffd3f5e3fd79 (1.11.x) CVE-2019-14234 [SQL injection possibility in key and index lookups for JSONField/HStoreField] RESERVED - - python-django (bug #934026) + - python-django 2:2.2.4-1 (bug #934026) [jessie] - python-django (Vulnerable code not present) NOTE: https://www.djangoproject.com/weblog/2019/aug/01/security-releases/ NOTE: https://github.com/django/django/commit/4f5b58f5cd3c57fee9972ab074f8dc6895d8f387 (2.2.x) NOTE: https://github.com/django/django/commit/ed682a24fca774818542757651bfba576c3fc3ef (1.11.x) CVE-2019-14233 (An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before ...) - - python-django (bug #934026) + - python-django 2:2.2.4-1 (bug #934026) NOTE: https://www.djangoproject.com/weblog/2019/aug/01/security-releases/ NOTE: https://github.com/django/django/commit/e34f3c0e9ee5fc9022428fe91640638bafd4cda7 (2.2.x) NOTE: https://github.com/django/django/commit/52479acce792ad80bb0f915f20b835f919993c72 (1.11.x) CVE-2019-14232 (An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before ...) 
- - python-django (bug #934026) + - python-django 2:2.2.4-1 (bug #934026) NOTE: https://www.djangoproject.com/weblog/2019/aug/01/security-releases/ NOTE: https://github.com/django/django/commit/c3289717c6f21a8cf23daff1c78c0c014b94041f (2.2.x) NOTE: https://github.com/django/django/commit/42a66e969023c00536256469f0e8b8a099ef109d (1.11.x) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/928c309b9314b77fa463d98f81f90495a690a1be -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/928c309b9314b77fa463d98f81f90495a690a1be You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
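Review bot: the four hunks add the unstable fixed version `2:2.2.4-1` to the python-django entries while keeping the `(bug #934026)` reference, which is fine while that bug stays open; buster and stretch still have no annotation for any of CVE-2019-14232 through CVE-2019-14235, so they remain listed as open. The two `[jessie] - python-django (Vulnerable code not present)` lines cover only CVE-2019-14235 and CVE-2019-14234, which matches the DLA-1872-1 reservation for CVE-2019-14232 and CVE-2019-14233 elsewhere in this digest.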
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1872-1 for python-django
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 12a95a17 by Chris Lamb at 2019-08-06T09:53:56Z Reserve DLA-1872-1 for python-django - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[06 Aug 2019] DLA-1872-1 python-django - security update + {CVE-2019-14232 CVE-2019-14233} + [jessie] - python-django 1.7.11-1+deb8u7 [06 Aug 2019] DLA-1866-2 glib2.0 - regression update {CVE-2019-13012} [jessie] - glib2.0 2.42.1-1+deb8u3 = data/dla-needed.txt = @@ -88,8 +88,6 @@ proftpd-dfsg (Markus Koschany) NOTE: 20190804: The update is ready but I waited for a maintainer reaction. NOTE: Stable update was released today. -- -python-django (Chris Lamb) --- python2.7 (Thorsten Alteholz) NOTE: 20190804: need to check fails with test suite unrelated to this patch -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/12a95a17d3a36739d0e89fe35abc1dea7f9417d0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/12a95a17d3a36739d0e89fe35abc1dea7f9417d0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] python-django in jessie LTS is not vulnerable to CVE-2019-14234
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 2dc2c871 by Chris Lamb at 2019-08-06T09:25:18Z python-django in jessie LTS is not vulnerable to CVE-2019-14234 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1749,6 +1749,7 @@ CVE-2019-14235 (An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x b CVE-2019-14234 [SQL injection possibility in key and index lookups for JSONField/HStoreField] RESERVED - python-django (bug #934026) + [jessie] - python-django (Vulnerable code not present) NOTE: https://www.djangoproject.com/weblog/2019/aug/01/security-releases/ NOTE: https://github.com/django/django/commit/4f5b58f5cd3c57fee9972ab074f8dc6895d8f387 (2.2.x) NOTE: https://github.com/django/django/commit/ed682a24fca774818542757651bfba576c3fc3ef (1.11.x) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2dc2c87112b7f9adbb1abf2ba15089e78ab49580 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2dc2c87112b7f9adbb1abf2ba15089e78ab49580 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
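Review bot: the new "[jessie] - python-django (Vulnerable code not present)" line is a triage decision without a recorded rationale; the bracketed title places the issue in key and index lookups for JSONField/HStoreField, so a NOTE stating why that code is absent from jessie's python-django 1.7.11 (the version visible in the DLA-1872-1 entry on this page) would make the entry auditable later. The unstable line keeps "bug #934026" without a fixed version, matching the state set in commit 684829d7.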
[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Triage python-django for jessie.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: f82c3ebd by Chris Lamb at 2019-08-06T09:18:11Z data/dla-needed.txt: Triage python-django for jessie. - - - - - 98604709 by Chris Lamb at 2019-08-06T09:20:28Z data/dla-needed.txt: Claim python-django. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -88,6 +88,8 @@ proftpd-dfsg (Markus Koschany) NOTE: 20190804: The update is ready but I waited for a maintainer reaction. NOTE: Stable update was released today. -- +python-django (Chris Lamb) +-- python2.7 (Thorsten Alteholz) NOTE: 20190804: need to check fails with test suite unrelated to this patch -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/684829d7190a15e1f467e7955135fd09df01bef4...986047094a2bdca39dad28e29759f37709f6af5a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/684829d7190a15e1f467e7955135fd09df01bef4...986047094a2bdca39dad28e29759f37709f6af5a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
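Review bot: the compare view squashes the triage commit (f82c3ebd) and the claim commit (98604709), so the hunk shows only the final "python-django (Chris Lamb)" entry and its "--" separator. Unlike the neighbouring proftpd-dfsg and python2.7 entries it carries no NOTE line; a NOTE naming the CVEs the jessie update is meant to address (CVE-2019-14232 and CVE-2019-14233, given the "Vulnerable code not present" triage of the other two elsewhere on this page) would help whoever reviews the resulting DLA.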
[Git][security-tracker-team/security-tracker][master] 2 commits: Add bug number for recent Django CVEs.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 37046140 by Chris Lamb at 2019-08-06T09:15:26Z Add bug number for recent Django CVEs. - - - - - 684829d7 by Chris Lamb at 2019-08-06T09:15:27Z python-django in jessie LTS is not vulnerable to CVE-2019-14235. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1741,23 +1741,24 @@ CVE-2019-14237 CVE-2019-14236 RESERVED CVE-2019-14235 (An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before ...) - - python-django + - python-django (bug #934026) + [jessie] - python-django (Vulnerable code not present) NOTE: https://www.djangoproject.com/weblog/2019/aug/01/security-releases/ NOTE: https://github.com/django/django/commit/cf694e6852b0da7799f8b53f1fb2f7d20cf17534 (2.2.x) NOTE: https://github.com/django/django/commit/869b34e9b3be3a4cfcb3a145f218ffd3f5e3fd79 (1.11.x) CVE-2019-14234 [SQL injection possibility in key and index lookups for JSONField/HStoreField] RESERVED - - python-django + - python-django (bug #934026) NOTE: https://www.djangoproject.com/weblog/2019/aug/01/security-releases/ NOTE: https://github.com/django/django/commit/4f5b58f5cd3c57fee9972ab074f8dc6895d8f387 (2.2.x) NOTE: https://github.com/django/django/commit/ed682a24fca774818542757651bfba576c3fc3ef (1.11.x) CVE-2019-14233 (An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before ...) - - python-django + - python-django (bug #934026) NOTE: https://www.djangoproject.com/weblog/2019/aug/01/security-releases/ NOTE: https://github.com/django/django/commit/e34f3c0e9ee5fc9022428fe91640638bafd4cda7 (2.2.x) NOTE: https://github.com/django/django/commit/52479acce792ad80bb0f915f20b835f919993c72 (1.11.x) CVE-2019-14232 (An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before ...) 
- - python-django + - python-django (bug #934026) NOTE: https://www.djangoproject.com/weblog/2019/aug/01/security-releases/ NOTE: https://github.com/django/django/commit/c3289717c6f21a8cf23daff1c78c0c014b94041f (2.2.x) NOTE: https://github.com/django/django/commit/42a66e969023c00536256469f0e8b8a099ef109d (1.11.x) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/b1ecf63ba6e52a6aea4f87cf07239ce8820b11a0...684829d7190a15e1f467e7955135fd09df01bef4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/b1ecf63ba6e52a6aea4f87cf07239ce8820b11a0...684829d7190a15e1f467e7955135fd09df01bef4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
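Review bot: the four entries now share bug #934026, and the "[jessie] - python-django (Vulnerable code not present)" line is added for CVE-2019-14235 only; CVE-2019-14232 and CVE-2019-14233 get no jessie line here and so stay open for jessie, which matches the DLA-1872-1 reserved elsewhere on this page for exactly those two. CVE-2019-14234 is still without a jessie annotation in this hunk and is handled in the follow-up commit 2dc2c871. As with that follow-up, a NOTE recording why the vulnerable code is absent from jessie's 1.7.11 series would make the 14235 decision auditable.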
[Git][security-tracker-team/security-tracker][master] Add oss-security reference for CVE-2019-13232 issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b1ecf63b by Salvatore Bonaccorso at 2019-08-06T09:06:54Z Add oss-security reference for CVE-2019-13232 issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5015,6 +5015,7 @@ CVE-2019-13232 (Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a NOTE: Further commit needed: https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc NOTE: No security impact, crash in CLI tool, any server implementing automatic extraction needs NOTE: to apply resource limits anyway + NOTE: https://www.openwall.com/lists/oss-security/2019/08/06/3 CVE-2019-13231 RESERVED CVE-2019-13230 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b1ecf63ba6e52a6aea4f87cf07239ce8820b11a0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b1ecf63ba6e52a6aea4f87cf07239ce8820b11a0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
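Review bot: the appended oss-security NOTE follows the rationale lines ("No security impact, crash in CLI tool ..."), but nothing says whether the thread confirms or revisits that assessment or the "Further commit needed" reference to madler/unzip commit 6d351831; a few words of qualifier on the new NOTE (for instance that it is the upstream discussion of the fix) would keep the entry self-explanatory.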
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dd2bbf18 by Salvatore Bonaccorso at 2019-08-06T08:54:38Z Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33,17 +33,17 @@ CVE-2019-14674 CVE-2019-14673 RESERVED CVE-2019-14672 (Firefly III 4.7.17.5 is vulnerable to stored XSS due to the lack of fi ...) - TODO: check + NOT-FOR-US: Firefly CVE-2019-14671 (Firefly III 4.7.17.3 is vulnerable to local file enumeration. An attac ...) - TODO: check + NOT-FOR-US: Firefly CVE-2019-14670 (Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of fi ...) - TODO: check + NOT-FOR-US: Firefly CVE-2019-14669 (Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of fi ...) - TODO: check + NOT-FOR-US: Firefly CVE-2019-14668 (Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of fi ...) - TODO: check + NOT-FOR-US: Firefly CVE-2019-14667 (Firefly III 4.7.17.4 is vulnerable to multiple stored XSS issues due t ...) - TODO: check + NOT-FOR-US: Firefly CVE-2015-9292 RESERVED CVE-2019-14666 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dd2bbf1890e2e01879e36f5806e5e666ba5d6d72 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dd2bbf1890e2e01879e36f5806e5e666ba5d6d72 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
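Review bot: the six NOT-FOR-US tags read "Firefly" while every CVE description in the hunk names the product "Firefly III"; using the full name in the NOT-FOR-US line keeps the tag greppable against the descriptions and avoids ambiguity with other projects called Firefly. Resolving all six "TODO: check" items introduced by the automatic update (commit 3fc25561 on this page) in one step is otherwise fine.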
[Git][security-tracker-team/security-tracker][master] Add three additional u-boot issues (CVE-2019-1310{4,5,6})
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3949e480 by Salvatore Bonaccorso at 2019-08-06T08:47:49Z Add three additional u-boot issues (CVE-2019-1310{4,5,6}) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5393,17 +5393,28 @@ CVE-2019-13107 (Multiple integer overflows exist in MATIO before 1.5.16, related NOTE: Several commits between 1.5.15..1.5.16: https://github.com/tbeu/matio/compare/f8cd397...fabac6c CVE-2019-13106 RESERVED + - u-boot (low) + [buster] - u-boot (Minor issue) + [stretch] - u-boot (Minor issue) + NOTE: https://lists.denx.de/pipermail/u-boot/2019-July/375516.html CVE-2019-13105 RESERVED + - u-boot (low) + [buster] - u-boot (Minor issue) + [stretch] - u-boot (Minor issue) + NOTE: https://lists.denx.de/pipermail/u-boot/2019-July/375513.html CVE-2019-13104 RESERVED + - u-boot (low) + [buster] - u-boot (Minor issue) + [stretch] - u-boot (Minor issue) + NOTE: https://lists.denx.de/pipermail/u-boot/2019-July/375514.html CVE-2019-13103 (A crafted self-referential DOS partition table will cause all Das U-Bo ...) - u-boot (low) [buster] - u-boot (Minor issue) [stretch] - u-boot (Minor issue) [jessie] - u-boot (Minor issue) NOTE: https://lists.denx.de/pipermail/u-boot/2019-July/375512.html - NOTE: There are other (possibly-incoming) fixes in the same thread. CVE-2019-13102 RESERVED CVE-2019-13101 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3949e480c341dc1535db1d742258f2cce3b00fcc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3949e480c341dc1535db1d742258f2cce3b00fcc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
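Review bot: the three new entries for CVE-2019-13104, 13105 and 13106 carry [buster] and [stretch] "Minor issue" lines but no [jessie] line, whereas the CVE-2019-13103 entry in the same hunk has "[jessie] - u-boot (Minor issue)"; if jessie is equally affected, the same annotation should be added so that LTS triage is not left implicit. Dropping the "There are other (possibly-incoming) fixes in the same thread" NOTE from 13103 is the right follow-through now that those fixes have entries of their own.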
[Git][security-tracker-team/security-tracker][master] Triage open-cobol for jessie LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 4396cef3 by Chris Lamb at 2019-08-06T08:19:37Z Triage open-cobol for jessie LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -331,6 +331,7 @@ CVE-2019-14541 (GnuCOBOL 2.2 has a stack-based buffer overflow in cb_encode_prog [buster] - gnucobol (Minor issue) - open-cobol [stretch] - open-cobol (Minor issue) + [jessie] - open-cobol (Minor issue) NOTE: https://sourceforge.net/p/open-cobol/bugs/584/ CVE-2019-14540 RESERVED @@ -371,6 +372,7 @@ CVE-2019-14528 (GnuCOBOL 2.2 has a heap-based buffer overflow in read_literal in [buster] - gnucobol (Minor issue) - open-cobol [stretch] - open-cobol (Minor issue) + [jessie] - open-cobol (Minor issue) NOTE: https://sourceforge.net/p/open-cobol/bugs/583/ CVE-2019-14527 RESERVED @@ -474,6 +476,7 @@ CVE-2019-14486 (GnuCOBOL 2.2 has a buffer overflow in cb_evaluate_expr in cobc/f [buster] - gnucobol (Minor issue) - open-cobol [stretch] - open-cobol (Minor issue) + [jessie] - open-cobol (Minor issue) NOTE: https://sourceforge.net/p/open-cobol/bugs/582/ CVE-2019-14485 RESERVED @@ -514,6 +517,7 @@ CVE-2019-14468 (GnuCOBOL 2.2 has a buffer overflow in cb_push_op in cobc/field.c [buster] - gnucobol (Minor issue) - open-cobol [stretch] - open-cobol (Minor issue) + [jessie] - open-cobol (Minor issue) NOTE: https://sourceforge.net/p/open-cobol/bugs/581/ CVE-2019-14467 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4396cef3ee8ebb1103aa38b14912b1e073e4101a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4396cef3ee8ebb1103aa38b14912b1e073e4101a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
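Review bot: all four hunks add "[jessie] - open-cobol (Minor issue)" without a rationale NOTE; the descriptions place each overflow in the compiler front end (cb_encode_prog, read_literal, cb_evaluate_expr and cb_push_op in cobc/field.c), so a single NOTE recording why the issues are considered minor across all suites would document the reasoning once instead of leaving it to be re-derived for each CVE. The placement of the jessie line after the stretch line matches the existing entries.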
[Git][security-tracker-team/security-tracker][master] Triage u-boot for jessie LTS and add a note about other fixes.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 5564b73d by Chris Lamb at 2019-08-06T08:18:24Z Triage u-boot for jessie LTS and add a note about other fixes. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5397,7 +5397,9 @@ CVE-2019-13103 (A crafted self-referential DOS partition table will cause all Da - u-boot (low) [buster] - u-boot (Minor issue) [stretch] - u-boot (Minor issue) + [jessie] - u-boot (Minor issue) NOTE: https://lists.denx.de/pipermail/u-boot/2019-July/375512.html + NOTE: There are other (possibly-incoming) fixes in the same thread. CVE-2019-13102 RESERVED CVE-2019-13101 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5564b73ddd9b943f2c5b9e145fb687908ba9c8ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5564b73ddd9b943f2c5b9e145fb687908ba9c8ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
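Review bot: the new NOTE "There are other (possibly-incoming) fixes in the same thread" is a placeholder rather than a tracked reference; the better resolution is to give those fixes their own CVE entries, which commit 3949e480 on this page does for CVE-2019-13104 to 13106 while removing this NOTE again. The "[jessie] - u-boot (Minor issue)" line is consistent with the buster and stretch lines above it.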
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3fc25561 by security tracker role at 2019-08-06T08:10:22Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,10 +1,58 @@ +CVE-2019-14689 + RESERVED +CVE-2019-14688 + RESERVED +CVE-2019-14687 + RESERVED +CVE-2019-14686 + RESERVED +CVE-2019-14685 + RESERVED +CVE-2019-14684 + RESERVED +CVE-2019-14683 + RESERVED +CVE-2019-14682 + RESERVED +CVE-2019-14681 + RESERVED +CVE-2019-14680 + RESERVED +CVE-2019-14679 + RESERVED +CVE-2019-14678 + RESERVED +CVE-2019-14677 + RESERVED +CVE-2019-14676 + RESERVED +CVE-2019-14675 + RESERVED +CVE-2019-14674 + RESERVED +CVE-2019-14673 + RESERVED +CVE-2019-14672 (Firefly III 4.7.17.5 is vulnerable to stored XSS due to the lack of fi ...) + TODO: check +CVE-2019-14671 (Firefly III 4.7.17.3 is vulnerable to local file enumeration. An attac ...) + TODO: check +CVE-2019-14670 (Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of fi ...) + TODO: check +CVE-2019-14669 (Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of fi ...) + TODO: check +CVE-2019-14668 (Firefly III 4.7.17.3 is vulnerable to stored XSS due to the lack of fi ...) + TODO: check +CVE-2019-14667 (Firefly III 4.7.17.4 is vulnerable to multiple stored XSS issues due t ...) + TODO: check +CVE-2015-9292 + RESERVED CVE-2019-14666 RESERVED CVE-2019-14665 (Brandy 1.20.1 has a heap-based buffer overflow in define_array in vari ...) - brandy (bug #933996) NOTE: https://sourceforge.net/p/brandy/bugs/8/ -CVE-2019-14664 - RESERVED +CVE-2019-14664 (In Enigmail below 2.1, an attacker in possession of PGP encrypted emai ...) + TODO: check CVE-2019-14663 (Brandy 1.20.1 has a stack-based buffer overflow in fileio_openin in fi ...) - brandy (bug #933996) NOTE: https://sourceforge.net/p/brandy/bugs/6/ 
@@ -447,8 +495,8 @@ CVE-2019-14477 RESERVED CVE-2019-14476 RESERVED -CVE-2019-14475 - RESERVED +CVE-2019-14475 (eQ-3 Homematic CCU2 2.47.15 and prior and CCU3 3.47.15 and prior use s ...) + TODO: check CVE-2019-14474 RESERVED CVE-2019-14473 @@ -5804,7 +5852,8 @@ CVE-2019-12934 (An issue was discovered in the wp-code-highlightjs plugin throug NOT-FOR-US: wp-code-highlightjs plugin for WordPress CVE-2019-12935 (Shopware before 5.5.8 has XSS via the Query String to the backend/Logi ...) NOT-FOR-US: Shopware -CVE-2019-12933 (An XSS issue on the PIX-Link Repeater/Router LV-WR09 with firmware v28 ...) +CVE-2019-12933 + REJECTED NOT-FOR-US: PIX-Link Repeater/Router LV-WR09 CVE-2019-12932 (A stored XSS vulnerability was found in SeedDMS 5.1.11 due to poorly e ...) NOT-FOR-US: SeedDMS @@ -7027,7 +7076,7 @@ CVE-2019-12452 (types/types.go in Containous Traefik 1.7.x through 1.7.11, when CVE-2019-12451 RESERVED CVE-2019-13012 (The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 ...) - {DLA-1866-1} + {DLA-1866-2 DLA-1866-1} [experimental] - glib2.0 2.60.0-1 - glib2.0 2.60.5-1 (bug #931234) [buster] - glib2.0 (Minor issue) 
@@ -14436,7 +14485,7 @@ CVE-2019-1010027 RESERVED CVE-2019-1010026 RESERVED -CVE-2019-1010025 (GNU Libc current is affected by: Mitigation bypass. The impact is: Att ...) +CVE-2019-1010025 (** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The ...) - glibc (unimportant) NOTE: Not treated as a security issue by upstream NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22853 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3fc25561532264c8f0b02fd8b4efae1a24fa8620 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3fc25561532264c8f0b02fd8b4efae1a24fa8620 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
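Review bot: in the first hunk, CVE-2019-14664 (Enigmail) moves from RESERVED to a description with "TODO: check"; unlike the six Firefly III "TODO: check" items, which commit dd2bbf18 on this page turns into NOT-FOR-US, this one is not resolved anywhere on the page and remains an open triage item. The block of new CVE-2019-14667 to 14689 entries follows the usual automatic-update layout.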
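Review bot: in the CVE-2019-12933 hunk the description is replaced by "REJECTED", but the following "NOT-FOR-US: PIX-Link Repeater/Router LV-WR09" line remains as unchanged context; a rejected identifier needs no package assignment, so that line is now redundant and could be dropped in a manual follow-up to avoid a REJECTED entry that still looks triaged.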
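Review bot: the CVE-2019-13012 hunk extends the braces to "{DLA-1866-2 DLA-1866-1}", which matches the "[06 Aug 2019] DLA-1866-2 glib2.0 - regression update" entry visible in the data/DLA/list context of commit 12a95a17 on this page; the experimental, unstable and buster lines are untouched, as expected for a jessie regression update.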
[Git][security-tracker-team/security-tracker][master] Three libxslt issues fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c2a881a3 by Salvatore Bonaccorso at 2019-08-06T07:46:14Z Three libxslt issues fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5264,7 +5264,7 @@ CVE-2019-13119 RESERVED CVE-2019-13118 (In numbers.c in libxslt 1.1.33, a type holding grouping characters of ...) {DLA-1860-1} - - libxslt (low; bug #931320; bug #933743) + - libxslt 1.1.32-2.1 (low; bug #931320; bug #933743) [buster] - libxslt (Minor issue) [stretch] - libxslt (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15069 @@ -5272,7 +5272,7 @@ CVE-2019-13118 (In numbers.c in libxslt 1.1.33, a type holding grouping characte NOTE: https://oss-fuzz.com/testcase-detail/5197371471822848 CVE-2019-13117 (In numbers.c in libxslt 1.1.33, an xsl:number with certain format stri ...) {DLA-1860-1} - - libxslt (low; bug #931321; bug #933743) + - libxslt 1.1.32-2.1 (low; bug #931321; bug #933743) [buster] - libxslt (Minor issue) [stretch] - libxslt (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14471 
@@ -10613,7 +10613,7 @@ CVE-2019-11069 (Sequelize version 5 before 5.3.0 does not properly ensure that s NOT-FOR-US: Sequelize CVE-2019-11068 (libxslt through 1.1.33 allows bypass of a protection mechanism because ...) {DLA-1756-1} - - libxslt (bug #926895; bug #933743) + - libxslt 1.1.32-2.1 (bug #926895; bug #933743) [buster] - libxslt (Minor issue) [stretch] - libxslt (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/libxslt/issues/12 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c2a881a3b9bf03eed80888faa350ddf61c159bcb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c2a881a3b9bf03eed80888faa350ddf61c159bcb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
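Review bot: all three libxslt entries (CVE-2019-13118, 13117 and 11068) now record the same fixed version 1.1.32-2.1 and already share bug #933743, so a single upload closed all three; the [buster] and [stretch] lines stay "Minor issue", meaning the stable suites are intentionally left without a DSA rather than pending, which is consistent with the "low" severity retained on 13118 and 13117. Jessie is covered by the DLA references kept in braces ({DLA-1860-1} and {DLA-1756-1}), so no suite annotation is missing here.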