[Git][security-tracker-team/security-tracker][master] Add CVE-2019-1125/linux

2019-08-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
715cc3ba by Salvatore Bonaccorso at 2019-08-07T04:28:27Z
Add CVE-2019-1125/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -38527,8 +38527,10 @@ CVE-2019-1127 (A remote code execution vulnerability 
exists in the way that Dire
NOT-FOR-US: Microsoft
 CVE-2019-1126 (A security feature bypass vulnerability exists in Active 
Directory Fed ...)
NOT-FOR-US: Microsoft
-CVE-2019-1125
+CVE-2019-1125 [Spectre v1 SWAPGS]
RESERVED
+   - linux 
+   NOTE: https://access.redhat.com/articles/4329821
 CVE-2019-1124 (A remote code execution vulnerability exists in the way that 
DirectWri ...)
NOT-FOR-US: Microsoft
 CVE-2019-1123 (A remote code execution vulnerability exists in the way that 
DirectWri ...)
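Review bot: the added package line `- linux ` has nothing after the package name, but data/CVE/list requires either a fixed Debian version or one of the angle-bracket pseudo-versions (`<unfixed>`, `<not-affected>`, ...) in that position; this mail rendering appears to drop angle-bracketed tokens (compare the `- teampass  (bug #730180)` lines elsewhere in this digest), so the marker is most likely `<unfixed>` in the committed file, but it is worth confirming before the entry is relied on. Keeping the entry at RESERVED with the bracketed title `[Spectre v1 SWAPGS]` is the right shape until the description is published; once the upstream kernel fix is known, a second NOTE pointing at it next to the Red Hat article would let per-suite fixed versions be filled in without re-reading the vendor write-up.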



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/715cc3ba771f3ff7134fa71521901bd42d531340

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/715cc3ba771f3ff7134fa71521901bd42d531340
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Reassociate some NFUs for TeamPass to src:teampass and itp'ed

2019-08-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ab635994 by Salvatore Bonaccorso at 2019-08-06T21:09:53Z
Reassociate some NFUs for TeamPass to src:teampass and itp'ed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5880,7 +5880,7 @@ CVE-2019-12951 (An issue was discovered in Mongoose 
before 6.15. The parse_mqtt(
NOT-FOR-US: Cesanta Mongoose
NOTE: smplayer embeds a copy, which is unused in any released version 
and disabled since 18.5.0~ds1-1
 CVE-2019-12950 (An issue was discovered in TeamPass 2.1.27.35. From the 
sources/items. ...)
-   NOT-FOR-US: TeamPass
+   - teampass  (bug #730180)
 CVE-2019-12949 (In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick 
an authen ...)
NOT-FOR-US: pfSense
 CVE-2019-12948 (A vulnerability in the web-based management interface of VVX, 
Trio, So ...)
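Review bot: the replacement line `- teampass  (bug #730180)` shows a double space where the version marker belongs; the commit message says the package is ITP'ed, so the expected form is `- teampass <itp> (bug #730180)`, and the missing token is most likely stripped by this mail rendering rather than absent from the commit, but a glance at the committed file would settle it, since the same applies to every teampass line in the remaining hunks. The NOT-FOR-US lines being dropped were the only record that these issues are fixed upstream; the descriptions visible here already carry the affected or fixed upstream versions (for example "before 2.1.27.4" on CVE-2017-9436 and "2.1.24 and earlier" on CVE-2015-7564), so when teampass is uploaded the fixed Debian version can be set directly from those without further research.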
@@ -21167,7 +21167,7 @@ CVE-2019-102 (Gitea version 1.6.2 and earlier 
contains a Incorrect Access Co
- gitea 
NOTE: https://github.com/go-gitea/gitea/pull/5631
 CVE-2019-101 (TeamPass version 2.1.27 and earlier contains a Storing 
Passwords in a  ...)
-   NOT-FOR-US: TeamPass
+   - teampass  (bug #730180)
 CVE-2018-20753 (Kaseya VSA RMM before R9.3 9.3.0.35, R9.4 before 9.4.0.36, and 
R9.5 be ...)
NOT-FOR-US: Kaseya VSA RMM
 CVE-2018-20752 (An issue was discovered in Recon-ng before 4.9.5. Lack of 
validation i ...)
@@ -100875,7 +100875,7 @@ CVE-2017-15280 (XML external entity (XXE) 
vulnerability in Umbraco CMS before 7.
 CVE-2017-15279 (Cross-site scripting (XSS) vulnerability in Umbraco CMS before 
7.7.3 a ...)
NOT-FOR-US: Umbraco CMS
 CVE-2017-15278 (Cross-Site Scripting (XSS) was discovered in TeamPass before 
2.1.27.9. ...)
-   NOT-FOR-US: TeamPass
+   - teampass  (bug #730180)
 CVE-2017-15277 (ReadGIFImage in coders/gif.c in ImageMagick 7.0.6-1 and 
GraphicsMagick ...)
{DSA-4321-1 DSA-4040-1 DSA-4032-1 DLA-1456-1 DLA-1140-1 DLA-1139-1}
- imagemagick 8:6.9.9.34+dfsg-3 (bug #878578)
@@ -118489,7 +118489,7 @@ CVE-2017-9438 (libyara/re.c in the regexp module in 
YARA 3.5.0 allows remote att
 CVE-2017-9437 (Openbravo Business Suite 3.0 is affected by SQL injection. This 
vulner ...)
NOT-FOR-US: Openbravo Business Suite
 CVE-2017-9436 (TeamPass before 2.1.27.4 is vulnerable to a SQL injection in 
users.que ...)
-   NOT-FOR-US: TeamPass
+   - teampass  (bug #730180)
 CVE-2017-9435 (Dolibarr ERP/CRM before 5.0.3 is vulnerable to a SQL injection 
in user ...)
- dolibarr 5.0.4+dfsg3-1 (bug #864569)
NOTE: 
https://github.com/Dolibarr/dolibarr/commit/70636cc59ffa1ffbc0ce3dba315d7d9b837aad04
@@ -180358,11 +180358,11 @@ CVE-2015-7566 (The clie_5_attach function in 
drivers/usb/serial/visor.c in the L
 CVE-2015-7565 (Cross-site scripting (XSS) vulnerability in Ember.js 1.8.x 
through 1.1 ...)
NOT-FOR-US: ember.js
 CVE-2015-7564 (Multiple SQL injection vulnerabilities in TeamPass 2.1.24 and 
earlier  ...)
-   NOT-FOR-US: TeamPass
+   - teampass  (bug #730180)
 CVE-2015-7563 (Cross-site request forgery (CSRF) vulnerability in TeamPass 
2.1.24 and ...)
-   NOT-FOR-US: TeamPass
+   - teampass  (bug #730180)
 CVE-2015-7562 (Multiple cross-site scripting (XSS) vulnerabilities in TeamPass 
2.1.24 ...)
-   NOT-FOR-US: TeamPass
+   - teampass  (bug #730180)
 CVE-2015-7561 (Kubernetes in OpenShift3 allows remote authenticated users to 
use the  ...)
NOT-FOR-US: OpenShift
 CVE-2015-7560 (The SMB1 implementation in smbd in Samba 3.x and 4.x before 
4.1.23, 4. ...)
@@ -259036,7 +259036,7 @@ CVE-2012-2236 (SQL injection vulnerability in 
users.php in PHP Gift Registry 1.5
 CVE-2012-2235 (Cross-site scripting (XSS) vulnerability in Support Incident 
Tracker ( ...)
NOT-FOR-US: Support Incident Tracker
 CVE-2012-2234 (Cross-site scripting (XSS) vulnerability in 
sources/users.queries.php  ...)
-   NOT-FOR-US: TeamPass.net
+   - teampass  (bug #730180)
 CVE-2012-2233
RESERVED
 CVE-2012-2232



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ab635994dfee3ac5cc6149499cfc7547b26ecb38


[Git][security-tracker-team/security-tracker][master] dla: claim tomcat8 + more explanations + last CVE was not-affected

2019-08-06 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e45c62f2 by Sylvain Beucler at 2019-08-06T20:45:52Z
dla: claim tomcat8 + more explanations + last CVE was not-affected

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -132,11 +132,13 @@ subversion
 --
 tika
 --
-tomcat8
+tomcat8 (Sylvain Beucler)
   NOTE: 20190522: FTBFS
   NOTE: Test SSL certificate expired, see 
https://bz.apache.org/bugzilla/show_bug.cgi?id=57655
   NOTE: Attempt to solve this by using certificates from latest tomcat8 
package failed (Brian).
-  NOTE: 20190701: New CVE just piled up.
+  NOTE: 20190806: Abhijith says no: 
https://lists.debian.org/debian-lts/2019/07/msg00053.html
+  NOTE: 20190806: tomcat8 has an history of unexplained FTBFS: 
https://lists.debian.org/debian-lts/2018/07/msg00103.html
+  NOTE: 20190806: certificate updated in 8.0.14-1+deb8u12 expired 2019-02-27 
indeed (Beuc)
 --
 wireshark (Thorsten Alteholz)
 --
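Review bot: the three new NOTE lines establish that copying the certificates from the latest tomcat8 package could not help because the certificate shipped in 8.0.14-1+deb8u12 itself expired on 2019-02-27, but they stop short of stating the next step; regenerating the test certificates with a long validity, or skipping the expiry-dependent tests, in the jessie packaging is the obvious fix, and the linked Apache bug already tracks the expired test certificate upstream. A dated NOTE saying which of the two blockers listed (the 20190522 FTBFS and the expired certificate) is now believed to be the only one left would make the entry easier for the next person to pick up. Minor: `has an history` should read `has a history`.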



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/e45c62f2729055aedab1c73c49652ec386e54a66


[Git][security-tracker-team/security-tracker][master] Process some NFUs

2019-08-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
848d51b0 by Salvatore Bonaccorso at 2019-08-06T20:37:56Z
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25,7 +25,7 @@ CVE-2019-14699
 CVE-2019-14698
RESERVED
 CVE-2019-14696 (Open-School 3.0, and Community Edition 2.3, allows XSS via the 
osv/ind ...)
-   TODO: check
+   NOT-FOR-US: Open-School
 CVE-2019-14695 (A SQL injection vulnerability exists in the Sygnoos Popup 
Builder plug ...)
NOT-FOR-US: Sygnoos Popup Builder plugin for WordPress
 CVE-2019-14694
@@ -552,7 +552,7 @@ CVE-2019-14475 (eQ-3 Homematic CCU2 2.47.15 and prior and 
CCU3 3.47.15 and prior
 CVE-2019-14474
RESERVED
 CVE-2019-14473 (eQ-3 Homematic CCU2 and CCU3 use session IDs for 
authentication but la ...)
-   TODO: check
+   NOT-FOR-US: eQ-3 Homematic CCU2 and CCU3
 CVE-2019-14472 (Zurmo 3.2.7-2 has XSS via the app/index.php/zurmo/default 
PATH_INFO. ...)
NOT-FOR-US: Zumo
 CVE-2019-14471 (TestLink 1.9.19 has XSS via the error.php message parameter. 
...)
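Review bot: the unchanged context line `NOT-FOR-US: Zumo` under CVE-2019-14472 misspells the product; the description line above it says Zurmo. Not part of this change, but worth correcting in a follow-up so a search for the product name in data/CVE/list finds the entry.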
@@ -1455,9 +1455,9 @@ CVE-2019-14349 (EspoCRM version 5.6.4 is vulnerable to 
stored XSS due to lack of
 CVE-2019-14348 (The BearDev JoomSport plugin 3.3 for WordPress allows SQL 
injection to ...)
NOT-FOR-US: BearDev JoomSport plugin for WordPress
 CVE-2019-14347 (Internal/Views/addUsers.php in Schben Adive 2.0.7 allows 
remote unpriv ...)
-   TODO: check
+   NOT-FOR-US: Schben Adive
 CVE-2019-14346 (Internal/Views/config.php in Schben Adive 2.0.7 allows 
admin/config CS ...)
-   TODO: check
+   NOT-FOR-US: Schben Adive
 CVE-2019-14345
RESERVED
 CVE-2019-14344
@@ -5299,7 +5299,7 @@ CVE-2019-13145
 CVE-2019-13144
REJECTED
 CVE-2019-13143 (An HTTP parameter pollution issue was discovered on Shenzhen 
Dragon Br ...)
-   TODO: check
+   NOT-FOR-US: Shenzhen Dragon Brothers Fingerprint Bluetooth Round 
Padlock FB50
 CVE-2019-13142 (The RzSurroundVADStreamingService 
(RzSurroundVADStreamingService.exe)  ...)
NOT-FOR-US: Razer Surround
 CVE-2019-13141
@@ -5880,7 +5880,7 @@ CVE-2019-12951 (An issue was discovered in Mongoose 
before 6.15. The parse_mqtt(
NOT-FOR-US: Cesanta Mongoose
NOTE: smplayer embeds a copy, which is unused in any released version 
and disabled since 18.5.0~ds1-1
 CVE-2019-12950 (An issue was discovered in TeamPass 2.1.27.35. From the 
sources/items. ...)
-   TODO: check
+   NOT-FOR-US: TeamPass
 CVE-2019-12949 (In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick 
an authen ...)
NOT-FOR-US: pfSense
 CVE-2019-12948 (A vulnerability in the web-based management interface of VVX, 
Trio, So ...)
@@ -24588,21 +24588,21 @@ CVE-2019-6003
 CVE-2019-6002 (Cross-site scripting vulnerability in Central Dogma 0.17.0 to 
0.40.1 a ...)
NOT-FOR-US: Central Dogma
 CVE-2019-6001 (Buffer overflow in PTP (Picture Transfer Protocol) of EOS 
series digit ...)
-   TODO: check
+   NOT-FOR-US: Canon
 CVE-2019-6000 (Buffer overflow in PTP (Picture Transfer Protocol) of EOS 
series digit ...)
-   TODO: check
+   NOT-FOR-US: Canon
 CVE-2019-5999 (Buffer overflow in PTP (Picture Transfer Protocol) of EOS 
series digit ...)
-   TODO: check
+   NOT-FOR-US: Canon
 CVE-2019-5998 (Buffer overflow in PTP (Picture Transfer Protocol) of EOS 
series digit ...)
-   TODO: check
+   NOT-FOR-US: Canon
 CVE-2019-5997
RESERVED
 CVE-2019-5996
RESERVED
 CVE-2019-5995 (Missing authorization vulnerability exists in EOS series 
digital camer ...)
-   TODO: check
+   NOT-FOR-US: Canon
 CVE-2019-5994 (Buffer overflow in PTP (Picture Transfer Protocol) of EOS 
series digit ...)
-   TODO: check
+   NOT-FOR-US: Canon
 CVE-2019-5993
RESERVED
 CVE-2019-5992



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/848d51b09de77c0f3f9145b904c99c09d8811489


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-1469{1,2,3}/adplug issues

2019-08-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
af349777 by Salvatore Bonaccorso at 2019-08-06T20:25:02Z
Add CVE-2019-1469{1,2,3}/adplug issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -33,11 +33,14 @@ CVE-2019-14694
 CVE-2019-14693
RESERVED
 CVE-2019-14692 (AdPlug 2.3.1 has a heap-based buffer overflow in 
CmkjPlayer::load() in ...)
-   TODO: check
+   - adplug 
+   NOTE: https://github.com/adplug/adplug/issues/87
 CVE-2019-14691 (AdPlug 2.3.1 has a heap-based buffer overflow in 
CdtmLoader::load() in ...)
-   TODO: check
+   - adplug 
+   NOTE: https://github.com/adplug/adplug/issues/86
 CVE-2019-14690 (AdPlug 2.3.1 has a heap-based buffer overflow in 
CxadbmfPlayer::__bmf_ ...)
-   TODO: check
+   - adplug 
+   NOTE: https://github.com/adplug/adplug/issues/85
 CVE-2019-14697 (musl libc through 1.1.23 has an x87 floating-point stack 
adjustment im ...)
- musl 1.1.23-2
NOTE: 
https://git.musl-libc.org/cgit/musl/patch/?id=f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441
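Review bot: each of the three adplug entries gets `- adplug ` with nothing after the package name and a NOTE pointing at the upstream issue; as with the other package lines in this digest the `<unfixed>` marker is presumably dropped in rendering, so confirm it is present in the commit. The upstream issues are the only references and the descriptions name 2.3.1 only, so no fixed upstream version is known yet; when the fix commits land upstream, adding them as further NOTE lines next to the issue links would give whoever prepares the Debian update something concrete to backport.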



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/af3497770714145e72b2345600c24306611f9ff7


[Git][security-tracker-team/security-tracker][master] Process NFUs

2019-08-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ec18a486 by Salvatore Bonaccorso at 2019-08-06T20:18:01Z
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -27,7 +27,7 @@ CVE-2019-14698
 CVE-2019-14696 (Open-School 3.0, and Community Edition 2.3, allows XSS via the 
osv/ind ...)
TODO: check
 CVE-2019-14695 (A SQL injection vulnerability exists in the Sygnoos Popup 
Builder plug ...)
-   TODO: check
+   NOT-FOR-US: Sygnoos Popup Builder plugin for WordPress
 CVE-2019-14694
RESERVED
 CVE-2019-14693
@@ -1107,49 +1107,49 @@ CVE-2016-10799
 CVE-2016-10798
RESERVED
 CVE-2016-10797 (cPanel before 58.0.4 allows WHM "Purchase and Install an SSL 
Certifica ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2016-10796 (cPanel before 58.0.4 initially uses weak permissions for 
Apache HTTP S ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2016-10795 (cPanel before 59..145 allows stored XSS in the WHM 
tail_upcp2.cgi  ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2016-10794 (cPanel before 59..145 allows arbitrary file-read 
operations becaus ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2016-10793 (cPanel before 59..145 allows arbitrary code execution due 
to an in ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2016-10792 (cPanel before 59..145 allows code execution in the context 
of othe ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2016-10791 (cPanel before 60.0.15 does not ensure that system accounts 
lack a vali ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2016-10790 (cPanel before 60.0.25 does not use TLS for HTTP POSTs to 
listinput.cpa ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2016-10789 (cPanel before 60.0.25 allows code execution via the cpsrvd 403 
error r ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2016-10788 (cPanel before 60.0.25 allows arbitrary code execution via 
Maketext in  ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2016-10787 (The Host Access Control feature in cPanel before 60.0.25 
mishandles ac ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2016-10786 (cPanel before 60.0.25 allows members of the nobody group to 
read Apach ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2016-10785 (cPanel before 60.0.25 allows attackers to discover file 
contents durin ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2016-10784 (cPanel before 60.0.25 allows self XSS in the alias upload 
interface (S ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2016-10783 (cPanel before 60.0.25 allows self stored XSS in SSL_listkeys 
(SEC-182) ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2016-10782 (cPanel before 60.0.25 allows self stored XSS in postgres API1 
listdbs  ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2016-10781 (cPanel before 60.0.25 allows self XSS in the UI_confirm API 
(SEC-180). ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2016-10780 (cPanel before 60.0.25 allows stored XSS in the ftp_sessions 
API (SEC-1 ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2016-10779 (cPanel before 60.0.25 allows stored XSS in 
api1_listautoresponders (SE ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2016-10778 (cPanel before 60.0.25 allows self stored XSS in the 
listftpstable API  ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2016-10777 (cPanel before 60.0.25 allows self XSS in WHM Tweak Settings 
for autodi ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2016-10776 (cPanel before 60.0.25 allows stored XSS during the homedir 
removal pha ...)
-   TODO: check
+   NOT-FOR-US: cPanel
 CVE-2016-10775 (cPanel before 60.0.25 allows arbitrary file-chown operations 
via reass ...)
NOT-FOR-US: cPanel
 CVE-2016-10774 (cPanel before 60.0.25 allows self XSS in the 
tail_ea4_migration.cgi in ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ec18a486122114d91596684966ec47c872c7f3ac


[Git][security-tracker-team/security-tracker][master] automatic update

2019-08-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0b0620f3 by security tracker role at 2019-08-06T20:10:32Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,4 +1,44 @@
-CVE-2019-14697 [x87 float stack imbalance]
+CVE-2019-14710
+   RESERVED
+CVE-2019-14709
+   RESERVED
+CVE-2019-14708
+   RESERVED
+CVE-2019-14707
+   RESERVED
+CVE-2019-14706
+   RESERVED
+CVE-2019-14705
+   RESERVED
+CVE-2019-14704
+   RESERVED
+CVE-2019-14703
+   RESERVED
+CVE-2019-14702
+   RESERVED
+CVE-2019-14701
+   RESERVED
+CVE-2019-14700
+   RESERVED
+CVE-2019-14699
+   RESERVED
+CVE-2019-14698
+   RESERVED
+CVE-2019-14696 (Open-School 3.0, and Community Edition 2.3, allows XSS via the 
osv/ind ...)
+   TODO: check
+CVE-2019-14695 (A SQL injection vulnerability exists in the Sygnoos Popup 
Builder plug ...)
+   TODO: check
+CVE-2019-14694
+   RESERVED
+CVE-2019-14693
+   RESERVED
+CVE-2019-14692 (AdPlug 2.3.1 has a heap-based buffer overflow in 
CmkjPlayer::load() in ...)
+   TODO: check
+CVE-2019-14691 (AdPlug 2.3.1 has a heap-based buffer overflow in 
CdtmLoader::load() in ...)
+   TODO: check
+CVE-2019-14690 (AdPlug 2.3.1 has a heap-based buffer overflow in 
CxadbmfPlayer::__bmf_ ...)
+   TODO: check
+CVE-2019-14697 (musl libc through 1.1.23 has an x87 floating-point stack 
adjustment im ...)
- musl 1.1.23-2
NOTE: 
https://git.musl-libc.org/cgit/musl/patch/?id=f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441
NOTE: 
https://git.musl-libc.org/cgit/musl/patch/?id=6818c31c9bc4bbad5357f1de14bedf781e5b349e
@@ -508,8 +548,8 @@ CVE-2019-14475 (eQ-3 Homematic CCU2 2.47.15 and prior and 
CCU3 3.47.15 and prior
NOT-FOR-US: eQ-3 Homematic CCU2 and CCU3
 CVE-2019-14474
RESERVED
-CVE-2019-14473
-   RESERVED
+CVE-2019-14473 (eQ-3 Homematic CCU2 and CCU3 use session IDs for 
authentication but la ...)
+   TODO: check
 CVE-2019-14472 (Zurmo 3.2.7-2 has XSS via the app/index.php/zurmo/default 
PATH_INFO. ...)
NOT-FOR-US: Zumo
 CVE-2019-14471 (TestLink 1.9.19 has XSS via the error.php message parameter. 
...)
@@ -1066,50 +1106,50 @@ CVE-2016-10799
RESERVED
 CVE-2016-10798
RESERVED
-CVE-2016-10797
-   RESERVED
-CVE-2016-10796
-   RESERVED
-CVE-2016-10795
-   RESERVED
-CVE-2016-10794
-   RESERVED
-CVE-2016-10793
-   RESERVED
-CVE-2016-10792
-   RESERVED
-CVE-2016-10791
-   RESERVED
-CVE-2016-10790
-   RESERVED
-CVE-2016-10789
-   RESERVED
-CVE-2016-10788
-   RESERVED
-CVE-2016-10787
-   RESERVED
-CVE-2016-10786
-   RESERVED
-CVE-2016-10785
-   RESERVED
-CVE-2016-10784
-   RESERVED
-CVE-2016-10783
-   RESERVED
-CVE-2016-10782
-   RESERVED
-CVE-2016-10781
-   RESERVED
-CVE-2016-10780
-   RESERVED
-CVE-2016-10779
-   RESERVED
-CVE-2016-10778
-   RESERVED
-CVE-2016-10777
-   RESERVED
-CVE-2016-10776
-   RESERVED
+CVE-2016-10797 (cPanel before 58.0.4 allows WHM "Purchase and Install an SSL 
Certifica ...)
+   TODO: check
+CVE-2016-10796 (cPanel before 58.0.4 initially uses weak permissions for 
Apache HTTP S ...)
+   TODO: check
+CVE-2016-10795 (cPanel before 59..145 allows stored XSS in the WHM 
tail_upcp2.cgi  ...)
+   TODO: check
+CVE-2016-10794 (cPanel before 59..145 allows arbitrary file-read 
operations becaus ...)
+   TODO: check
+CVE-2016-10793 (cPanel before 59..145 allows arbitrary code execution due 
to an in ...)
+   TODO: check
+CVE-2016-10792 (cPanel before 59..145 allows code execution in the context 
of othe ...)
+   TODO: check
+CVE-2016-10791 (cPanel before 60.0.15 does not ensure that system accounts 
lack a vali ...)
+   TODO: check
+CVE-2016-10790 (cPanel before 60.0.25 does not use TLS for HTTP POSTs to 
listinput.cpa ...)
+   TODO: check
+CVE-2016-10789 (cPanel before 60.0.25 allows code execution via the cpsrvd 403 
error r ...)
+   TODO: check
+CVE-2016-10788 (cPanel before 60.0.25 allows arbitrary code execution via 
Maketext in  ...)
+   TODO: check
+CVE-2016-10787 (The Host Access Control feature in cPanel before 60.0.25 
mishandles ac ...)
+   TODO: check
+CVE-2016-10786 (cPanel before 60.0.25 allows members of the nobody group to 
read Apach ...)
+   TODO: check
+CVE-2016-10785 (cPanel before 60.0.25 allows attackers to discover file 
contents durin ...)
+   TODO: check
+CVE-2016-10784 (cPanel before 60.0.25 allows self XSS in the alias upload 
interface (S ...)
+   TODO: check
+CVE-2016-10783 (cPanel before 60.0.25 allows self stored XSS in SSL_listkeys 
(SEC-182) ...)
+   TODO: check
+CVE-2016-10782 (cPanel before 60.0.25 allows self stored XSS in postgres API1 
listdbs  ...)
+   TODO: check
+CVE-2016-10781 (cPanel before 60.0.25 allows self X

[Git][security-tracker-team/security-tracker][master] Add CVE-2019-14697/musl

2019-08-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b5cd796b by Salvatore Bonaccorso at 2019-08-06T19:26:57Z
Add CVE-2019-14697/musl

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,8 @@
+CVE-2019-14697 [x87 float stack imbalance]
+   - musl 1.1.23-2
+   NOTE: 
https://git.musl-libc.org/cgit/musl/patch/?id=f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441
+   NOTE: 
https://git.musl-libc.org/cgit/musl/patch/?id=6818c31c9bc4bbad5357f1de14bedf781e5b349e
+   NOTE: https://www.openwall.com/lists/oss-security/2019/08/06/1
 CVE-2019-14689
RESERVED
 CVE-2019-14688



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b5cd796b5ff803bbb0e04380f402fa25288461ad


[Git][security-tracker-team/security-tracker][master] Process CVE-2019-14475 as NFU

2019-08-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
45a1b4c8 by Salvatore Bonaccorso at 2019-08-06T19:15:08Z
Process CVE-2019-14475 as NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -500,7 +500,7 @@ CVE-2019-14477
 CVE-2019-14476
RESERVED
 CVE-2019-14475 (eQ-3 Homematic CCU2 2.47.15 and prior and CCU3 3.47.15 and 
prior use s ...)
-   TODO: check
+   NOT-FOR-US: eQ-3 Homematic CCU2 and CCU3
 CVE-2019-14474
RESERVED
 CVE-2019-14473



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/45a1b4c8ab736240c7d034af4ac43e0f675704bf


[Git][security-tracker-team/security-tracker][master] Process one NFU

2019-08-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d9f3ed30 by Salvatore Bonaccorso at 2019-08-06T14:53:01Z
Process one NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -392,7 +392,7 @@ CVE-2019-14523 (An issue was discovered in Schism Tracker 
through 20190722. Ther
 CVE-2019-14522
RESERVED
 CVE-2019-14521 (The api/admin/logoupload Logo File upload feature in EMCA 
Energy Logse ...)
-   TODO: check
+   NOT-FOR-US: EMCA Energy Logserver
 CVE-2019-14520
RESERVED
 CVE-2019-14519



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d9f3ed305726c6d513e8df85890b691b0c045792


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-14664/enigmail

2019-08-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f25561ed by Salvatore Bonaccorso at 2019-08-06T14:40:31Z
Add CVE-2019-14664/enigmail

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -52,7 +52,8 @@ CVE-2019-14665 (Brandy 1.20.1 has a heap-based buffer 
overflow in define_array i
- brandy  (bug #933996)
NOTE: https://sourceforge.net/p/brandy/bugs/8/
 CVE-2019-14664 (In Enigmail below 2.1, an attacker in possession of PGP 
encrypted emai ...)
-   TODO: check
+   - enigmail 
+   NOTE: https://sourceforge.net/p/enigmail/bugs/984/
 CVE-2019-14663 (Brandy 1.20.1 has a stack-based buffer overflow in 
fileio_openin in fi ...)
- brandy  (bug #933996)
NOTE: https://sourceforge.net/p/brandy/bugs/6/



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f25561ed9523053c4d05fddd1d9e03a3dc27e656


[Git][security-tracker-team/security-tracker][master] Remove note for CVE-2019-12933, this was found to be a duplicate

2019-08-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
94385c42 by Salvatore Bonaccorso at 2019-08-06T14:35:06Z
Remove note for CVE-2019-12933, this was found to be a duplicate

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5874,7 +5874,6 @@ CVE-2019-12935 (Shopware before 5.5.8 has XSS via the 
Query String to the backen
NOT-FOR-US: Shopware
 CVE-2019-12933
REJECTED
-   NOT-FOR-US: PIX-Link Repeater/Router LV-WR09
 CVE-2019-12932 (A stored XSS vulnerability was found in SeedDMS 5.1.11 due to 
poorly e ...)
NOT-FOR-US: SeedDMS
 CVE-2019-12931
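Review bot: removing the NOT-FOR-US line leaves the REJECTED entry bare, which is the usual shape for a rejected identifier, but the commit message is now the only place recording why (it was found to be a duplicate); a `NOTE: duplicate of CVE-...` line naming the surviving identifier would keep that reasoning in the data file where the next person looking at CVE-2019-12933 will find it.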



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/94385c42e174038dec6d68f0b5b2736d13e33100


[Git][security-tracker-team/security-tracker][master] Four python-django issues fixed in unstable

2019-08-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
928c309b by Salvatore Bonaccorso at 2019-08-06T12:20:20Z
Four python-django issues fixed in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1741,25 +1741,25 @@ CVE-2019-14237
 CVE-2019-14236
RESERVED
 CVE-2019-14235 (An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x 
before  ...)
-   - python-django  (bug #934026)
+   - python-django 2:2.2.4-1 (bug #934026)
[jessie] - python-django  (Vulnerable code not present)
NOTE: 
https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
NOTE: 
https://github.com/django/django/commit/cf694e6852b0da7799f8b53f1fb2f7d20cf17534
 (2.2.x)
NOTE: 
https://github.com/django/django/commit/869b34e9b3be3a4cfcb3a145f218ffd3f5e3fd79
 (1.11.x)
 CVE-2019-14234 [SQL injection possibility in key and index lookups for 
JSONField/HStoreField]
RESERVED
-   - python-django  (bug #934026)
+   - python-django 2:2.2.4-1 (bug #934026)
[jessie] - python-django  (Vulnerable code not present)
NOTE: 
https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
NOTE: 
https://github.com/django/django/commit/4f5b58f5cd3c57fee9972ab074f8dc6895d8f387
 (2.2.x)
NOTE: 
https://github.com/django/django/commit/ed682a24fca774818542757651bfba576c3fc3ef
 (1.11.x)
 CVE-2019-14233 (An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x 
before  ...)
-   - python-django  (bug #934026)
+   - python-django 2:2.2.4-1 (bug #934026)
NOTE: 
https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
NOTE: 
https://github.com/django/django/commit/e34f3c0e9ee5fc9022428fe91640638bafd4cda7
 (2.2.x)
NOTE: 
https://github.com/django/django/commit/52479acce792ad80bb0f915f20b835f919993c72
 (1.11.x)
 CVE-2019-14232 (An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x 
before  ...)
-   - python-django  (bug #934026)
+   - python-django 2:2.2.4-1 (bug #934026)
NOTE: 
https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
NOTE: 
https://github.com/django/django/commit/c3289717c6f21a8cf23daff1c78c0c014b94041f
 (2.2.x)
NOTE: 
https://github.com/django/django/commit/42a66e969023c00536256469f0e8b8a099ef109d
 (1.11.x)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/928c309b9314b77fa463d98f81f90495a690a1be

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/928c309b9314b77fa463d98f81f90495a690a1be
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Reserve DLA-1872-1 for python-django

2019-08-06 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
12a95a17 by Chris Lamb at 2019-08-06T09:53:56Z
Reserve DLA-1872-1 for python-django

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[06 Aug 2019] DLA-1872-1 python-django - security update
+   {CVE-2019-14232 CVE-2019-14233}
+   [jessie] - python-django 1.7.11-1+deb8u7
 [06 Aug 2019] DLA-1866-2 glib2.0 - regression update
{CVE-2019-13012}
[jessie] - glib2.0 2.42.1-1+deb8u3


=
data/dla-needed.txt
=
@@ -88,8 +88,6 @@ proftpd-dfsg (Markus Koschany)
   NOTE: 20190804: The update is ready but I waited for a maintainer reaction.
   NOTE: Stable update was released today.
 --
-python-django (Chris Lamb)
---
 python2.7 (Thorsten Alteholz)
   NOTE: 20190804: need to check fails with test suite unrelated to this patch
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/12a95a17d3a36739d0e89fe35abc1dea7f9417d0


[Git][security-tracker-team/security-tracker][master] python-django in jessie LTS is not vulnerable to CVE-2019-14234

2019-08-06 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2dc2c871 by Chris Lamb at 2019-08-06T09:25:18Z
python-django in jessie LTS is not vulnerable to CVE-2019-14234

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1749,6 +1749,7 @@ CVE-2019-14235 (An issue was discovered in Django 1.11.x 
before 1.11.23, 2.1.x b
 CVE-2019-14234 [SQL injection possibility in key and index lookups for 
JSONField/HStoreField]
RESERVED
- python-django  (bug #934026)
+   [jessie] - python-django  (Vulnerable code not present)
NOTE: 
https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
NOTE: 
https://github.com/django/django/commit/4f5b58f5cd3c57fee9972ab074f8dc6895d8f387
 (2.2.x)
NOTE: 
https://github.com/django/django/commit/ed682a24fca774818542757651bfba576c3fc3ef
 (1.11.x)
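Review bot: The new [jessie] line records the triage result but not its basis; jessie ships python-django 1.7.11 (see the DLA-1872-1 entry elsewhere in this digest), whereas the two referenced fix commits target the 1.11.x and 2.2.x branches, so nothing on the entry itself lets a reader check the claim. Suggest adding a NOTE naming which part of the affected code (the key and index lookups on JSONField/HStoreField from the title) is absent from 1.7, so the not-affected decision stays auditable later.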



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2dc2c87112b7f9adbb1abf2ba15089e78ab49580


[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Triage python-django for jessie.

2019-08-06 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f82c3ebd by Chris Lamb at 2019-08-06T09:18:11Z
data/dla-needed.txt: Triage python-django for jessie.

- - - - -
98604709 by Chris Lamb at 2019-08-06T09:20:28Z
data/dla-needed.txt: Claim python-django.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -88,6 +88,8 @@ proftpd-dfsg (Markus Koschany)
   NOTE: 20190804: The update is ready but I waited for a maintainer reaction.
   NOTE: Stable update was released today.
 --
+python-django (Chris Lamb)
+--
 python2.7 (Thorsten Alteholz)
   NOTE: 20190804: need to check fails with test suite unrelated to this patch
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/684829d7190a15e1f467e7955135fd09df01bef4...986047094a2bdca39dad28e29759f37709f6af5a


[Git][security-tracker-team/security-tracker][master] 2 commits: Add bug number for recent Django CVEs.

2019-08-06 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
37046140 by Chris Lamb at 2019-08-06T09:15:26Z
Add bug number for recent Django CVEs.

- - - - -
684829d7 by Chris Lamb at 2019-08-06T09:15:27Z
python-django in jessie LTS is not vulnerable to CVE-2019-14235.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1741,23 +1741,24 @@ CVE-2019-14237
 CVE-2019-14236
RESERVED
 CVE-2019-14235 (An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x 
before  ...)
-   - python-django 
+   - python-django  (bug #934026)
+   [jessie] - python-django  (Vulnerable code not present)
NOTE: 
https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
NOTE: 
https://github.com/django/django/commit/cf694e6852b0da7799f8b53f1fb2f7d20cf17534
 (2.2.x)
NOTE: 
https://github.com/django/django/commit/869b34e9b3be3a4cfcb3a145f218ffd3f5e3fd79
 (1.11.x)
 CVE-2019-14234 [SQL injection possibility in key and index lookups for 
JSONField/HStoreField]
RESERVED
-   - python-django 
+   - python-django  (bug #934026)
NOTE: 
https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
NOTE: 
https://github.com/django/django/commit/4f5b58f5cd3c57fee9972ab074f8dc6895d8f387
 (2.2.x)
NOTE: 
https://github.com/django/django/commit/ed682a24fca774818542757651bfba576c3fc3ef
 (1.11.x)
 CVE-2019-14233 (An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x 
before  ...)
-   - python-django 
+   - python-django  (bug #934026)
NOTE: 
https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
NOTE: 
https://github.com/django/django/commit/e34f3c0e9ee5fc9022428fe91640638bafd4cda7
 (2.2.x)
NOTE: 
https://github.com/django/django/commit/52479acce792ad80bb0f915f20b835f919993c72
 (1.11.x)
 CVE-2019-14232 (An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x 
before  ...)
-   - python-django 
+   - python-django  (bug #934026)
NOTE: 
https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
NOTE: 
https://github.com/django/django/commit/c3289717c6f21a8cf23daff1c78c0c014b94041f
 (2.2.x)
NOTE: 
https://github.com/django/django/commit/42a66e969023c00536256469f0e8b8a099ef109d
 (1.11.x)
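Review bot: The [jessie] not-affected line is added for CVE-2019-14235 only, while its sibling CVE-2019-14234 in the same hunk, which carries the same 1.11.x and 2.2.x fix references, is left at the plain package line; the follow-up commit 2dc2c871 in this digest then adds the matching jessie line for 14234 a few minutes later. Triaging both in one commit, each with a short NOTE on why the 1.7.11 code is unaffected, would make the jessie status easier to review. Attaching the single bug #934026 to all four CVEs is fine, as it tracks the one upload.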



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/b1ecf63ba6e52a6aea4f87cf07239ce8820b11a0...684829d7190a15e1f467e7955135fd09df01bef4


[Git][security-tracker-team/security-tracker][master] Add oss-security reference for CVE-2019-13232 issue

2019-08-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b1ecf63b by Salvatore Bonaccorso at 2019-08-06T09:06:54Z
Add oss-security reference for CVE-2019-13232 issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5015,6 +5015,7 @@ CVE-2019-13232 (Info-ZIP UnZip 6.0 mishandles the 
overlapping of files inside a
NOTE: Further commit needed: 
https://github.com/madler/unzip/commit/6d351831be705cc26d897db44f878a978f4138fc
NOTE: No security impact, crash in CLI tool, any server implementing 
automatic extraction needs
NOTE: to apply resource limits anyway
+   NOTE: https://www.openwall.com/lists/oss-security/2019/08/06/3
 CVE-2019-13231
RESERVED
 CVE-2019-13230
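Review bot: The added NOTE is a bare oss-security URL beneath NOTEs that already argue "No security impact, crash in CLI tool"; say what the thread contributes (whether it supports or contests that assessment, or just carries the second upstream commit), since a reader otherwise cannot tell whether the link changes the triage without following it.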



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b1ecf63ba6e52a6aea4f87cf07239ce8820b11a0


[Git][security-tracker-team/security-tracker][master] Process some NFUs

2019-08-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
dd2bbf18 by Salvatore Bonaccorso at 2019-08-06T08:54:38Z
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -33,17 +33,17 @@ CVE-2019-14674
 CVE-2019-14673
RESERVED
 CVE-2019-14672 (Firefly III 4.7.17.5 is vulnerable to stored XSS due to the 
lack of fi ...)
-   TODO: check
+   NOT-FOR-US: Firefly
 CVE-2019-14671 (Firefly III 4.7.17.3 is vulnerable to local file enumeration. 
An attac ...)
-   TODO: check
+   NOT-FOR-US: Firefly
 CVE-2019-14670 (Firefly III 4.7.17.3 is vulnerable to stored XSS due to the 
lack of fi ...)
-   TODO: check
+   NOT-FOR-US: Firefly
 CVE-2019-14669 (Firefly III 4.7.17.3 is vulnerable to stored XSS due to the 
lack of fi ...)
-   TODO: check
+   NOT-FOR-US: Firefly
 CVE-2019-14668 (Firefly III 4.7.17.3 is vulnerable to stored XSS due to the 
lack of fi ...)
-   TODO: check
+   NOT-FOR-US: Firefly
 CVE-2019-14667 (Firefly III 4.7.17.4 is vulnerable to multiple stored XSS 
issues due t ...)
-   TODO: check
+   NOT-FOR-US: Firefly
 CVE-2015-9292
RESERVED
 CVE-2019-14666



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/dd2bbf1890e2e01879e36f5806e5e666ba5d6d72


[Git][security-tracker-team/security-tracker][master] Add three additional u-boot issues (CVE-2019-1310{4,5,6})

2019-08-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3949e480 by Salvatore Bonaccorso at 2019-08-06T08:47:49Z
Add three additional u-boot issues (CVE-2019-1310{4,5,6})

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5393,17 +5393,28 @@ CVE-2019-13107 (Multiple integer overflows exist in 
MATIO before 1.5.16, related
NOTE: Several commits between 1.5.15..1.5.16: 
https://github.com/tbeu/matio/compare/f8cd397...fabac6c
 CVE-2019-13106
RESERVED
+   - u-boot  (low)
+   [buster] - u-boot  (Minor issue)
+   [stretch] - u-boot  (Minor issue)
+   NOTE: https://lists.denx.de/pipermail/u-boot/2019-July/375516.html
 CVE-2019-13105
RESERVED
+   - u-boot  (low)
+   [buster] - u-boot  (Minor issue)
+   [stretch] - u-boot  (Minor issue)
+   NOTE: https://lists.denx.de/pipermail/u-boot/2019-July/375513.html
 CVE-2019-13104
RESERVED
+   - u-boot  (low)
+   [buster] - u-boot  (Minor issue)
+   [stretch] - u-boot  (Minor issue)
+   NOTE: https://lists.denx.de/pipermail/u-boot/2019-July/375514.html
 CVE-2019-13103 (A crafted self-referential DOS partition table will cause all 
Das U-Bo ...)
- u-boot  (low)
[buster] - u-boot  (Minor issue)
[stretch] - u-boot  (Minor issue)
[jessie] - u-boot  (Minor issue)
NOTE: https://lists.denx.de/pipermail/u-boot/2019-July/375512.html
-   NOTE: There are other (possibly-incoming) fixes in the same thread.
 CVE-2019-13102
RESERVED
 CVE-2019-13101
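Review bot: The three new entries (CVE-2019-13104, 13105, 13106) get [buster] and [stretch] "Minor issue" lines but no [jessie] line, while CVE-2019-13103 immediately below, from the same u-boot thread, already carries a [jessie] "Minor issue" line. Either add the jessie line for the three as well, or leave them visibly untriaged so they surface in the LTS queue rather than silently lacking a jessie status. Dropping the "other (possibly-incoming) fixes" NOTE from 13103 is right now that those fixes have their own entries with their own list references.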



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3949e480c341dc1535db1d742258f2cce3b00fcc


[Git][security-tracker-team/security-tracker][master] Triage open-cobol for jessie LTS.

2019-08-06 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4396cef3 by Chris Lamb at 2019-08-06T08:19:37Z
Triage open-cobol for jessie LTS.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -331,6 +331,7 @@ CVE-2019-14541 (GnuCOBOL 2.2 has a stack-based buffer 
overflow in cb_encode_prog
[buster] - gnucobol  (Minor issue)
- open-cobol 
[stretch] - open-cobol  (Minor issue)
+   [jessie] - open-cobol  (Minor issue)
NOTE: https://sourceforge.net/p/open-cobol/bugs/584/
 CVE-2019-14540
RESERVED
@@ -371,6 +372,7 @@ CVE-2019-14528 (GnuCOBOL 2.2 has a heap-based buffer 
overflow in read_literal in
[buster] - gnucobol  (Minor issue)
- open-cobol 
[stretch] - open-cobol  (Minor issue)
+   [jessie] - open-cobol  (Minor issue)
NOTE: https://sourceforge.net/p/open-cobol/bugs/583/
 CVE-2019-14527
RESERVED
@@ -474,6 +476,7 @@ CVE-2019-14486 (GnuCOBOL 2.2 has a buffer overflow in 
cb_evaluate_expr in cobc/f
[buster] - gnucobol  (Minor issue)
- open-cobol 
[stretch] - open-cobol  (Minor issue)
+   [jessie] - open-cobol  (Minor issue)
NOTE: https://sourceforge.net/p/open-cobol/bugs/582/
 CVE-2019-14485
RESERVED
@@ -514,6 +517,7 @@ CVE-2019-14468 (GnuCOBOL 2.2 has a buffer overflow in 
cb_push_op in cobc/field.c
[buster] - gnucobol  (Minor issue)
- open-cobol 
[stretch] - open-cobol  (Minor issue)
+   [jessie] - open-cobol  (Minor issue)
NOTE: https://sourceforge.net/p/open-cobol/bugs/581/
 CVE-2019-14467
RESERVED



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/4396cef3ee8ebb1103aa38b14912b1e073e4101a


[Git][security-tracker-team/security-tracker][master] Triage u-boot for jessie LTS and add a note about other fixes.

2019-08-06 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5564b73d by Chris Lamb at 2019-08-06T08:18:24Z
Triage u-boot for jessie LTS and add a note about other fixes.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5397,7 +5397,9 @@ CVE-2019-13103 (A crafted self-referential DOS partition 
table will cause all Da
- u-boot  (low)
[buster] - u-boot  (Minor issue)
[stretch] - u-boot  (Minor issue)
+   [jessie] - u-boot  (Minor issue)
NOTE: https://lists.denx.de/pipermail/u-boot/2019-July/375512.html
+   NOTE: There are other (possibly-incoming) fixes in the same thread.
 CVE-2019-13102
RESERVED
 CVE-2019-13101
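Review bot: The NOTE "There are other (possibly-incoming) fixes in the same thread" is a useful reminder but hangs off CVE-2019-13103 rather than the issues it refers to; commit 3949e480 earlier in this digest shows it was superseded the same morning once CVE-2019-1310{4,5,6} received their own entries and list references. A TODO line, or naming the CVE IDs as soon as they are known, would make such reminders easier to find and to retire.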



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/5564b73ddd9b943f2c5b9e145fb687908ba9c8ab


[Git][security-tracker-team/security-tracker][master] automatic update

2019-08-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3fc25561 by security tracker role at 2019-08-06T08:10:22Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,10 +1,58 @@
+CVE-2019-14689
+   RESERVED
+CVE-2019-14688
+   RESERVED
+CVE-2019-14687
+   RESERVED
+CVE-2019-14686
+   RESERVED
+CVE-2019-14685
+   RESERVED
+CVE-2019-14684
+   RESERVED
+CVE-2019-14683
+   RESERVED
+CVE-2019-14682
+   RESERVED
+CVE-2019-14681
+   RESERVED
+CVE-2019-14680
+   RESERVED
+CVE-2019-14679
+   RESERVED
+CVE-2019-14678
+   RESERVED
+CVE-2019-14677
+   RESERVED
+CVE-2019-14676
+   RESERVED
+CVE-2019-14675
+   RESERVED
+CVE-2019-14674
+   RESERVED
+CVE-2019-14673
+   RESERVED
+CVE-2019-14672 (Firefly III 4.7.17.5 is vulnerable to stored XSS due to the 
lack of fi ...)
+   TODO: check
+CVE-2019-14671 (Firefly III 4.7.17.3 is vulnerable to local file enumeration. 
An attac ...)
+   TODO: check
+CVE-2019-14670 (Firefly III 4.7.17.3 is vulnerable to stored XSS due to the 
lack of fi ...)
+   TODO: check
+CVE-2019-14669 (Firefly III 4.7.17.3 is vulnerable to stored XSS due to the 
lack of fi ...)
+   TODO: check
+CVE-2019-14668 (Firefly III 4.7.17.3 is vulnerable to stored XSS due to the 
lack of fi ...)
+   TODO: check
+CVE-2019-14667 (Firefly III 4.7.17.4 is vulnerable to multiple stored XSS 
issues due t ...)
+   TODO: check
+CVE-2015-9292
+   RESERVED
 CVE-2019-14666
RESERVED
 CVE-2019-14665 (Brandy 1.20.1 has a heap-based buffer overflow in define_array 
in vari ...)
- brandy  (bug #933996)
NOTE: https://sourceforge.net/p/brandy/bugs/8/
-CVE-2019-14664
-   RESERVED
+CVE-2019-14664 (In Enigmail below 2.1, an attacker in possession of PGP 
encrypted emai ...)
+   TODO: check
 CVE-2019-14663 (Brandy 1.20.1 has a stack-based buffer overflow in 
fileio_openin in fi ...)
- brandy  (bug #933996)
NOTE: https://sourceforge.net/p/brandy/bugs/6/
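Review bot: CVE-2015-9292 is inserted among the CVE-2019-146xx entries (between 14667 and 14666), breaking the descending-ID order the surrounding lines follow; if the updater places newly published IDs at the top regardless of year this is expected, but it is worth confirming, since an entry filed in the wrong year's block is easy to overlook during triage. The six Firefly III "TODO: check" entries introduced here are resolved as NOT-FOR-US by commit dd2bbf18 in this digest.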
@@ -447,8 +495,8 @@ CVE-2019-14477
RESERVED
 CVE-2019-14476
RESERVED
-CVE-2019-14475
-   RESERVED
+CVE-2019-14475 (eQ-3 Homematic CCU2 2.47.15 and prior and CCU3 3.47.15 and 
prior use s ...)
+   TODO: check
 CVE-2019-14474
RESERVED
 CVE-2019-14473
@@ -5804,7 +5852,8 @@ CVE-2019-12934 (An issue was discovered in the 
wp-code-highlightjs plugin throug
NOT-FOR-US: wp-code-highlightjs plugin for WordPress
 CVE-2019-12935 (Shopware before 5.5.8 has XSS via the Query String to the 
backend/Logi ...)
NOT-FOR-US: Shopware
-CVE-2019-12933 (An XSS issue on the PIX-Link Repeater/Router LV-WR09 with 
firmware v28 ...)
+CVE-2019-12933
+   REJECTED
NOT-FOR-US: PIX-Link Repeater/Router LV-WR09
 CVE-2019-12932 (A stored XSS vulnerability was found in SeedDMS 5.1.11 due to 
poorly e ...)
NOT-FOR-US: SeedDMS
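Review bot: CVE-2019-12933 is switched to REJECTED but keeps its "NOT-FOR-US: PIX-Link Repeater/Router LV-WR09" line; REJECTED is the terminal state and the NOT-FOR-US line is now redundant, so drop it unless the updater is expected to leave manual annotations untouched for a human to clean up. The context also shows CVE-2019-12935 sitting between 12934 and 12933, another out-of-order entry worth a look.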
@@ -7027,7 +7076,7 @@ CVE-2019-12452 (types/types.go in Containous Traefik 
1.7.x through 1.7.11, when
 CVE-2019-12451
RESERVED
 CVE-2019-13012 (The keyfile settings backend in GNOME GLib (aka glib2.0) 
before 2.60.0 ...)
-   {DLA-1866-1}
+   {DLA-1866-2 DLA-1866-1}
[experimental] - glib2.0 2.60.0-1
- glib2.0 2.60.5-1 (bug #931234)
[buster] - glib2.0  (Minor issue)
@@ -14436,7 +14485,7 @@ CVE-2019-1010027
RESERVED
 CVE-2019-1010026
RESERVED
-CVE-2019-1010025 (GNU Libc current is affected by: Mitigation bypass. The 
impact is: Att ...)
+CVE-2019-1010025 (** DISPUTED ** GNU Libc current is affected by: Mitigation 
bypass. The ...)
- glibc  (unimportant)
NOTE: Not treated as a security issue by upstream
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22853



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3fc25561532264c8f0b02fd8b4efae1a24fa8620


[Git][security-tracker-team/security-tracker][master] Three libxslt issues fixed in unstable

2019-08-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c2a881a3 by Salvatore Bonaccorso at 2019-08-06T07:46:14Z
Three libxslt issues fixed in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5264,7 +5264,7 @@ CVE-2019-13119
RESERVED
 CVE-2019-13118 (In numbers.c in libxslt 1.1.33, a type holding grouping 
characters of  ...)
{DLA-1860-1}
-   - libxslt  (low; bug #931320; bug #933743)
+   - libxslt 1.1.32-2.1 (low; bug #931320; bug #933743)
[buster] - libxslt  (Minor issue)
[stretch] - libxslt  (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15069
@@ -5272,7 +5272,7 @@ CVE-2019-13118 (In numbers.c in libxslt 1.1.33, a type 
holding grouping characte
NOTE: https://oss-fuzz.com/testcase-detail/5197371471822848
 CVE-2019-13117 (In numbers.c in libxslt 1.1.33, an xsl:number with certain 
format stri ...)
{DLA-1860-1}
-   - libxslt  (low; bug #931321; bug #933743)
+   - libxslt 1.1.32-2.1 (low; bug #931321; bug #933743)
[buster] - libxslt  (Minor issue)
[stretch] - libxslt  (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14471
@@ -10613,7 +10613,7 @@ CVE-2019-11069 (Sequelize version 5 before 5.3.0 does 
not properly ensure that s
NOT-FOR-US: Sequelize
 CVE-2019-11068 (libxslt through 1.1.33 allows bypass of a protection mechanism 
because ...)
{DLA-1756-1}
-   - libxslt  (bug #926895; bug #933743)
+   - libxslt 1.1.32-2.1 (bug #926895; bug #933743)
[buster] - libxslt  (Minor issue)
[stretch] - libxslt  (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libxslt/issues/12



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c2a881a3b9bf03eed80888faa350ddf61c159bcb
