[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-11470/imagemagick
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 894b7786 by Salvatore Bonaccorso at 2019-04-23T20:58:07Z Add Debian bug reference for CVE-2019-11470/imagemagick - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -37,7 +37,7 @@ CVE-2019-11471 (libheif 1.4.0 has a use-after-free in heif::HeifContext::Image:: NOTE: https://github.com/strukturag/libheif/commit/995a4283d8ed2d0d2c1ceb1a577b993df2f0e014 NOTE: https://github.com/strukturag/libheif/issues/123 CVE-2019-11470 (The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attack ...) - - imagemagick + - imagemagick (bug #927830) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1472 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/a0473b29add9521ffd4c74f6f623b418811762b0 CVE-2018-20822 (LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrol ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/894b7786b7c55f3b9f19d00be029677bd53f4c32 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/894b7786b7c55f3b9f19d00be029677bd53f4c32 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
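Review bot: the second NOTE on the CVE-2019-11470 entry points at an ImageMagick6 commit without saying what it is, while the entry is otherwise unversioned; prefixing it "NOTE: Fixed by:" (the convention used for the evince and linux entries elsewhere in this file) would make clear that a0473b29 is the fix to look for when versioning imagemagick, rather than just a related reference.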
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11470/imagemagick
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4f0330c0 by Salvatore Bonaccorso at 2019-04-23T20:51:28Z Add CVE-2019-11470/imagemagick - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -37,7 +37,9 @@ CVE-2019-11471 (libheif 1.4.0 has a use-after-free in heif::HeifContext::Image:: NOTE: https://github.com/strukturag/libheif/commit/995a4283d8ed2d0d2c1ceb1a577b993df2f0e014 NOTE: https://github.com/strukturag/libheif/issues/123 CVE-2019-11470 (The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attack ...) - TODO: check + - imagemagick + NOTE: https://github.com/ImageMagick/ImageMagick/issues/1472 + NOTE: https://github.com/ImageMagick/ImageMagick6/commit/a0473b29add9521ffd4c74f6f623b418811762b0 CVE-2018-20822 (LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrol ...) TODO: check CVE-2018-20821 (The parsing component in LibSass through 3.5.5 allows attackers to cau ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4f0330c040ab4fedd9035baa8c5c4782a6464d6d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4f0330c040ab4fedd9035baa8c5c4782a6464d6d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
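Review bot: the added "- imagemagick" line marks the package vulnerable with no version and no sub-state, but the CVE text names ImageMagick 7.0.8-26 while the only fix reference is an ImageMagick6 commit; a NOTE recording that the 6.x branch is confirmed affected (which is what the ImageMagick6 commit implies) would justify the unconditional vulnerable mark, and a "Fixed by:" prefix on that commit NOTE would match the convention used for CVE-2019-11459 in the same file.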
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-11472/imagemagick
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 193e9178 by Salvatore Bonaccorso at 2019-04-23T20:38:11Z Add Debian bug reference for CVE-2019-11472/imagemagick - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29,7 +29,7 @@ CVE-2019-11473 (coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/5402c5cbd8bd NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/944dcbc457f8 CVE-2019-11472 (ReadXWDImage in coders/xwd.c in the XWD image parsing component of Ima ...) - - imagemagick + - imagemagick (bug #927828) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1546 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/f663dfb8431c97d95682a2b533cca1c8233d21b4 CVE-2019-11471 (libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_al ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/193e9178724dca532ad5233de4a4cffea4d5c2ee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/193e9178724dca532ad5233de4a4cffea4d5c2ee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
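Review bot: adding "(bug #927828)" to the CVE-2019-11472 entry is fine, but the entry still has no fixed version and no [stretch] or [jessie] sub-state, so every suite stays flagged; if the XWD coder issue has not yet been assessed for the stable branches, a "[stretch] - imagemagick (...)" line with the rationale, or a severity tag in the parentheses alongside the bug number, would keep the bug reference from being read as a completed triage.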
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11471/libheif
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: db437a62 by Salvatore Bonaccorso at 2019-04-23T20:36:04Z Add CVE-2019-11471/libheif - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33,7 +33,9 @@ CVE-2019-11472 (ReadXWDImage in coders/xwd.c in the XWD image parsing component NOTE: https://github.com/ImageMagick/ImageMagick/issues/1546 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/f663dfb8431c97d95682a2b533cca1c8233d21b4 CVE-2019-11471 (libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_al ...) - TODO: check + - libheif + NOTE: https://github.com/strukturag/libheif/commit/995a4283d8ed2d0d2c1ceb1a577b993df2f0e014 + NOTE: https://github.com/strukturag/libheif/issues/123 CVE-2019-11470 (The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attack ...) TODO: check CVE-2018-20822 (LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrol ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/db437a6256b812188d093eb9737c4cb0bddefa6b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/db437a6256b812188d093eb9737c4cb0bddefa6b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
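Review bot: the new "- libheif" line gives no fixed version even though the hunk links the upstream fix commit 995a4283; since the CVE text pins the issue to libheif 1.4.0, the next step is to check whether the packaged libheif already contains that commit and, if so, record the version, and if not, add the Debian bug number in parentheses as done for the imagemagick entries above. A "Fixed by:" prefix on the commit NOTE would also distinguish it from the issue link that follows.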
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11472/imagemagick
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f7499da by Salvatore Bonaccorso at 2019-04-23T20:28:07Z Add CVE-2019-11472/imagemagick - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29,7 +29,9 @@ CVE-2019-11473 (coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/5402c5cbd8bd NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/944dcbc457f8 CVE-2019-11472 (ReadXWDImage in coders/xwd.c in the XWD image parsing component of Ima ...) - TODO: check + - imagemagick + NOTE: https://github.com/ImageMagick/ImageMagick/issues/1546 + NOTE: https://github.com/ImageMagick/ImageMagick6/commit/f663dfb8431c97d95682a2b533cca1c8233d21b4 CVE-2019-11471 (libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_al ...) TODO: check CVE-2019-11470 (The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attack ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9f7499da59a2c25abd6407ed9aa62f97ac370803 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9f7499da59a2c25abd6407ed9aa62f97ac370803 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
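Review bot: CVE-2019-11472 is described as ReadXWDImage in coders/xwd.c, and the surrounding context shows CVE-2019-11473 and CVE-2019-11474 are both coders/xwd.c issues in GraphicsMagick with their own fix revisions; a NOTE cross-referencing those entries would help whoever versions imagemagick later, since the same coder is involved. The entry also lacks a bug reference and sub-states, so it currently reads as open in every suite.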
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11473/graphicsmagick
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cb2bc45e by Salvatore Bonaccorso at 2019-04-23T20:20:47Z Add CVE-2019-11473/graphicsmagick - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25,7 +25,9 @@ CVE-2019-11474 (coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/5402c5cbd8bd NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/944dcbc457f8 CVE-2019-11473 (coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause a deni ...) - TODO: check + - graphicsmagick 1.4~hg15976-1 + NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/5402c5cbd8bd + NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/944dcbc457f8 CVE-2019-11472 (ReadXWDImage in coders/xwd.c in the XWD image parsing component of Ima ...) TODO: check CVE-2019-11471 (libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_al ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cb2bc45e079d6a5fa7f56c42cee0e0e3b940f950 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cb2bc45e079d6a5fa7f56c42cee0e0e3b940f950 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
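Review bot: the hunk records CVE-2019-11473 as fixed in graphicsmagick 1.4~hg15976-1 and cites two hg revisions, but nothing states that snapshot hg15976 includes revs 5402c5cbd8bd and 944dcbc457f8, and the same two revisions are already listed under CVE-2019-11474 in the context lines; a NOTE confirming the snapshot contains both changesets, plus [stretch] and [jessie] lines for the 1.3.x packages the CVE text (1.3.31) covers, would make the fixed-version claim checkable.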
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3f74a79e by Moritz Muehlenhoff at 2019-04-23T20:19:27Z NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -901,7 +901,7 @@ CVE-2019-11078 (MKCMS V5.0 has a CSRF vulnerability to add a new admin user via CVE-2019-11077 (FastAdmin V1.0.0.20190111_beta has a CSRF vulnerability to add a new a ...) NOT-FOR-US: FastAdmin CVE-2019-11076 (Cribl UI 1.5.0 allows remote attackers to run arbitrary commands via a ...) - TODO: check + NOT-FOR-US: Cribl UI CVE-2019-11075 RESERVED CVE-2019-11074 @@ -1488,7 +1488,7 @@ CVE-2019-10866 CVE-2019-10865 RESERVED CVE-2019-10864 (The WP Statistics plugin through 12.6.2 for WordPress has XSS, allowin ...) - TODO: check + NOT-FOR-US: Wordpress plugin CVE-2019-10863 (A command injection vulnerability exists in TeemIp versions before 2.4 ...) NOT-FOR-US: TeemIp IPAM CVE-2019-10862 @@ -2899,7 +2899,7 @@ CVE-2019-1003040 (A sandbox bypass vulnerability in Jenkins Script Security Plug CVE-2019-10249 RESERVED CVE-2019-10248 (Eclipse Vorto versions prior to 0.11 resolved Maven build artifacts fo ...) - TODO: check + NOT-FOR-US: Eclipse Vorto CVE-2019-10247 (In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, ...) TODO: check CVE-2019-10246 (In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server runnin ...) @@ -9657,7 +9657,7 @@ CVE-2019-7729 (An issue was discovered in the Bosch Smart Camera App before 1.3. CVE-2019-7728 (An issue was discovered in the Bosch Smart Camera App before 1.3.1 for ...) NOT-FOR-US: Bosch Smart Camera App CVE-2019-7727 (In NICE Engage through 6.5, the default configuration binds an unauthe ...) - TODO: check + NOT-FOR-US: NICE Engage CVE-2019-7726 RESERVED CVE-2019-7725 
@@ -13718,11 +13718,11 @@ CVE-2019-6159 CVE-2019-6158 RESERVED CVE-2019-6157 (In various firmware versions of Lenovo System x, the integrated manage ...) - TODO: check + NOT-FOR-US: Lenovo CVE-2019-6156 (In Lenovo systems, SMM BIOS Write Protection is used to prevent writes ...) NOT-FOR-US: Lenovo CVE-2019-6155 (A potential vulnerability was found in an SMI handler in various BIOS ...) - TODO: check + NOT-FOR-US: Lenovo CVE-2019-6154 (A DLL search path vulnerability was reported in Lenovo Bootable Genera ...) NOT-FOR-US: Lenovo CVE-2019-6153 @@ -22895,9 +22895,9 @@ CVE-2019-2721 (Vulnerability in the Oracle VM VirtualBox component of Oracle Vir - virtualbox 6.0.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2720 (Vulnerability in the Oracle Data Integrator component of Oracle Fusion ...) - TODO: check + NOT-FOR-US: Oracle CVE-2019-2719 (Vulnerability in the Oracle Knowledge component of Oracle Siebel CRM ( ...) - TODO: check + NOT-FOR-US: Oracle CVE-2019-2718 RESERVED CVE-2019-2717 
@@ -22909,34 +22909,34 @@ CVE-2019-2715 CVE-2019-2714 RESERVED CVE-2019-2713 (Vulnerability in the Oracle Commerce Merchandising component of Oracle ...) - TODO: check + NOT-FOR-US: Oracle CVE-2019-2712 (Vulnerability in the Oracle Commerce Platform component of Oracle Comm ...) - TODO: check + NOT-FOR-US: Oracle CVE-2019-2711 RESERVED CVE-2019-2710 RESERVED CVE-2019-2709 (Vulnerability in the Oracle Transportation Management component of Ora ...) - TODO: check + NOT-FOR-US: Oracle CVE-2019-2708 (Vulnerability in the Data Store component of Oracle Berkeley DB. Suppo ...) - TODO: check + NOT-FOR-US: Oracle CVE-2019-2707 (Vulnerability in the PeopleSoft Enterprise ELM Enterprise Learning Man ...) - TODO: check + NOT-FOR-US: Oracle CVE-2019-2706 (Vulnerability in the Oracle Business Process Management Suite componen ...) - TODO: check + NOT-FOR-US: Oracle CVE-2019-2705 (Vulnerability in the Oracle Outside In Technology component of Oracle ...) - TODO: check + NOT-FOR-US: Oracle CVE-2019-2704 (Vulnerability in the Oracle Solaris component of Oracle Sun Systems Pr ...) - TODO: check + NOT-FOR-US: Oracle CVE-2019-2703 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...) - virtualbox 6.0.6-dfsg-1 [jessie] - virtualbox (DSA-3699-1) CVE-2019-2702 (Vulnerability in the Oracle Hospitality Cruise Dining Room Management ...) - TODO: check + NOT-FOR-US: Oracle CVE-2019-2701 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) - TODO: check + NOT-FOR-US: Oracle CVE-2019-2700 (Vulnerability in the PeopleSoft Enterprise ELM component of Oracle Peo ...) - TODO: check + NOT-FOR-US: Oracle CVE-2019-2699
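Review bot: in the CVE-2019-10864 hunk, "NOT-FOR-US: Wordpress plugin" is both generic and misspelled relative to the CVE text ("WP Statistics plugin ... for WordPress"); the file's own convention, visible on CVE-2018-20231 ("NOT-FOR-US: two-factor-authentication plugin for WordPress"), names the specific plugin, so "NOT-FOR-US: WP Statistics plugin for WordPress" would be the consistent form.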
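Review bot: in the Oracle hunks, CVE-2019-2708 is closed as "NOT-FOR-US: Oracle" on the same footing as the hosted Fusion, PeopleSoft and Commerce products, but its CVE text places it in the Data Store component of Oracle Berkeley DB, a library rather than a hosted service; it is worth confirming that no packaged Berkeley DB version is affected before the entry is marked not-for-us, and recording that check in a NOTE if the result stands.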
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d0c0018 by security tracker role at 2019-04-23T20:10:24Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,43 @@ +CVE-2019-11485 + RESERVED +CVE-2019-11484 + RESERVED +CVE-2019-11483 + RESERVED +CVE-2019-11482 + RESERVED +CVE-2019-11481 + RESERVED +CVE-2019-11480 + RESERVED +CVE-2019-11479 + RESERVED +CVE-2019-11478 + RESERVED +CVE-2019-11477 + RESERVED +CVE-2019-11476 + RESERVED +CVE-2019-11475 + RESERVED +CVE-2019-11474 (coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause a deni ...) + TODO: check +CVE-2019-11473 (coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause a deni ...) + TODO: check +CVE-2019-11472 (ReadXWDImage in coders/xwd.c in the XWD image parsing component of Ima ...) + TODO: check +CVE-2019-11471 (libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_al ...) + TODO: check +CVE-2019-11470 (The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attack ...) + TODO: check +CVE-2018-20822 (LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrol ...) + TODO: check +CVE-2018-20821 (The parsing component in LibSass through 3.5.5 allows attackers to cau ...) + TODO: check +CVE-2018-20820 (read_ujpg in jpgcoder.cc in Dropbox Lepton 1.2.1 allows attackers to c ...) + TODO: check +CVE-2018-20819 (io/ZlibCompression.cc in the decompression component in Dropbox Lepton ...) + TODO: check CVE-2019-11469 (Zoho ManageEngine Applications Manager 12 through 14 allows FaultTempl ...) NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2019-11468 
@@ -858,8 +898,8 @@ CVE-2019-11078 (MKCMS V5.0 has a CSRF vulnerability to add a new admin user via NOT-FOR-US: MKCMS CVE-2019-11077 (FastAdmin V1.0.0.20190111_beta has a CSRF vulnerability to add a new a ...) NOT-FOR-US: FastAdmin -CVE-2019-11076 - RESERVED +CVE-2019-11076 (Cribl UI 1.5.0 allows remote attackers to run arbitrary commands via a ...) + TODO: check CVE-2019-11075 RESERVED CVE-2019-11074 @@ -1445,8 +1485,8 @@ CVE-2019-10866 RESERVED CVE-2019-10865 RESERVED -CVE-2019-10864 - RESERVED +CVE-2019-10864 (The WP Statistics plugin through 12.6.2 for WordPress has XSS, allowin ...) + TODO: check CVE-2019-10863 (A command injection vulnerability exists in TeemIp versions before 2.4 ...) NOT-FOR-US: TeemIp IPAM CVE-2019-10862 @@ -1877,8 +1917,8 @@ CVE-2019-10712 RESERVED CVE-2019-10711 RESERVED -CVE-2019-10710 - RESERVED +CVE-2019-10710 (Insecure permissions in the Web management portal on all IP cameras ba ...) + TODO: check CVE-2019-10709 RESERVED CVE-2019-10708 (S-CMS PHP v1.0 has SQL injection via the 4/js/scms.php?action=unlike i ...) @@ -9614,8 +9654,8 @@ CVE-2019-7729 (An issue was discovered in the Bosch Smart Camera App before 1.3. NOT-FOR-US: Bosch Smart Camera App CVE-2019-7728 (An issue was discovered in the Bosch Smart Camera App before 1.3.1 for ...) NOT-FOR-US: Bosch Smart Camera App -CVE-2019-7727 - RESERVED +CVE-2019-7727 (In NICE Engage through 6.5, the default configuration binds an unauthe ...) + TODO: check CVE-2019-7726 RESERVED CVE-2019-7725 
@@ -10869,14 +10909,13 @@ CVE-2019-7305 [extplorer exposes /usr and /etc/extplorer over HTTP] RESERVED - extplorer NOTE: https://bugs.launchpad.net/ubuntu/+source/extplorer/+bug/1822013 -CVE-2019-7304 [Local privilege escalation via snapd socket] - RESERVED +CVE-2019-7304 (Canonical snapd before version 2.37.1 incorrectly performed socket own ...) - snapd 2.37.1-1 [stretch] - snapd (Vulnerable code introduced later) NOTE: https://bugs.launchpad.net/snapd/+bug/1813365 NOTE: Introduced in 2.28, fixed in 2.37.1 -CVE-2019-7303 - RESERVED +CVE-2019-7303 (A vulnerability in the seccomp filters of Canonical snapd before versi ...) + TODO: check CVE-2019-7302 RESERVED CVE-2019-7301 (Zen Load Balancer 3.10.1 allows remote authenticated admin users to ex ...) @@ -18807,7 +18846,7 @@ CVE-2019-3840 (A NULL pointer dereference flaw was discovered in libvirt before CVE-2019-3839 RESERVED CVE-2019-3838 (It was found that the forceput operator could be extracted from the De ...) - {DSA-4432-1} + {DSA-4432-1 DLA-1761-1} [experimental] - ghostscript 9.27~~dc1~dfsg-1 - ghostscript 9.27~dfsg-1 (bug #925257) NOTE: https://www.openwall.com/lists/oss-security/2019/03/21/1 @@ -18827,7 +18866,7 @@ CVE-2019-3836 (It was discovered in gnutls before version 3.6.7 upstream that th NOTE:
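Review bot: in the snapd hunk, CVE-2019-7303 ("seccomp filters of Canonical snapd before versi ...") is left at "TODO: check" while its sibling CVE-2019-7304 directly above already carries "snapd 2.37.1-1" with the "Introduced in 2.28, fixed in 2.37.1" note; the two should be triaged together, and if the same version range applies, the 7303 entry can take the same snapd line and sub-state instead of a TODO.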
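Review bot: in the first hunk, CVE-2019-11473 and CVE-2019-11474 arrive with identical truncated descriptions ("coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause a deni ...") and both get "TODO: check"; whoever triages them needs the full CVE text to tell the two apart, so a NOTE distinguishing the two xwd.c defects (or their respective fix revisions) should be added when the TODO is resolved rather than relying on the truncated summary.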
[Git][security-tracker-team/security-tracker][master] Add Debian bug references for CVE-2019-11459/{atril,evince}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 691615c2 by Salvatore Bonaccorso at 2019-04-23T19:59:10Z Add Debian bug references for CVE-2019-11459/{atril,evince} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27,8 +27,8 @@ CVE-2019-11460 (An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3 [jessie] - gnome-desktop3 (Vulnerable embedded gnome-desktop thumbnail script introduced later) NOTE: https://gitlab.gnome.org/GNOME/gnome-desktop/issues/112 CVE-2019-11459 (The tiff_document_render() and tiff_document_get_thumbnail() functions ...) - - atril - - evince + - atril (bug #927821) + - evince (bug #927820) NOTE: https://gitlab.gnome.org/GNOME/evince/issues/1129 NOTE: Fixed by: https://gitlab.gnome.org/GNOME/evince/commit/3e38d5ad724a042eebadcba8c2d57b0f48b7a8c7 CVE-2013-7470 (cipso_v4_validate in include/net/cipso_ipv4.h in the Linux kernel befo ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/691615c2f98f8032d29f6c96370d7e8cd3c56012 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/691615c2f98f8032d29f6c96370d7e8cd3c56012 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
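Review bot: the atril entry now has its own bug (#927821) but the only fix reference in the entry is the evince commit 3e38d5ad; nothing records whether that patch applies to atril as-is or whether atril needs a separate fix, so a NOTE stating which of the two it is would save the next editor from re-deriving it when versioning atril.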
[Git][security-tracker-team/security-tracker][master] CVE-2019-11358/node-jquery fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1fce5445 by Salvatore Bonaccorso at 2019-04-23T19:03:59Z CVE-2019-11358/node-jquery fixed in unstable Thanks: Xavier Guimard y...@debian.org - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -453,7 +453,7 @@ CVE-2019-11358 (jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other {DSA-4434-1} - drupal7 (bug #927330) - jquery 3.3.1~dfsg-2 (bug #927385) - - node-jquery (bug #927466) + - node-jquery 2.2.4+dfsg-4 (bug #927466) [stretch] - jquery (Minor issue; can be fixed via point release) NOTE: https://www.drupal.org/sa-core-2019-006 NOTE: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1fce544568f898019f6f966b695032497b24c3b7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1fce544568f898019f6f966b695032497b24c3b7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
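Review bot: the hunk sets node-jquery 2.2.4+dfsg-4 as fixed in unstable, but the only [stretch] sub-state in the entry covers jquery ("Minor issue; can be fixed via point release"); node-jquery has no [stretch] line, so it now reads as vulnerable in stretch with no assessment. Either add a matching "[stretch] - node-jquery (...)" line or a NOTE that node-jquery is not shipped in stretch, whichever applies.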
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11459/{atril,evince}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: defbecde by Salvatore Bonaccorso at 2019-04-23T17:25:46Z Add CVE-2019-11459/{atril,evince} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27,7 +27,10 @@ CVE-2019-11460 (An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3 [jessie] - gnome-desktop3 (Vulnerable embedded gnome-desktop thumbnail script introduced later) NOTE: https://gitlab.gnome.org/GNOME/gnome-desktop/issues/112 CVE-2019-11459 (The tiff_document_render() and tiff_document_get_thumbnail() functions ...) - TODO: check + - atril + - evince + NOTE: https://gitlab.gnome.org/GNOME/evince/issues/1129 + NOTE: Fixed by: https://gitlab.gnome.org/GNOME/evince/commit/3e38d5ad724a042eebadcba8c2d57b0f48b7a8c7 CVE-2013-7470 (cipso_v4_validate in include/net/cipso_ipv4.h in the Linux kernel befo ...) - linux 3.11.7-1 NOTE: Fixed by: https://git.kernel.org/linus/f2e5ddcc0d12f9c4c7b254358ad245c9dddce13b View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/defbecdef0c47f445000fbf6ee2e7e3e71764fd3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/defbecdef0c47f445000fbf6ee2e7e3e71764fd3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
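Review bot: the new atril and evince lines carry no version, bug reference or [stretch]/[jessie] sub-state, so both packages are flagged in every suite with no record of whether the TIFF thumbnail code named in the CVE text exists in the stable versions; adding the sub-states (or a severity in parentheses) once checked would complete the entry, and the "NOTE: Fixed by:" form used here is the one the other entries in this file should follow.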
[Git][security-tracker-team/security-tracker][master] Update notes on evolution in data/dla-needed.txt
Jonas Meurer pushed to branch master at Debian Security Tracker / security-tracker Commits: ec0ae80b by Jonas Meurer at 2019-04-23T15:18:25Z Update notes on evolution in data/dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,7 +23,8 @@ claws-mail NOTE: 20190408: patch not yet available -- evolution (Jonas Meurer) - NOTE: 20190418: working on it, but needs more debugging + NOTE: 20190423: I have a fixed version ready for upload, but futher debugging + NOTE: 20190423: is required for evolution-data-server. -- evolution-data-server (Jonas Meurer) NOTE: 20190418: working on it, but needs more debugging View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ec0ae80b441d84b19ad5120f7e95fb6d01d97d4e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ec0ae80b441d84b19ad5120f7e95fb6d01d97d4e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
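Review bot: typo in the first added NOTE line, "futher" should be "further". Stylistically, the continuation line repeats the "20190423:" date prefix; the existing entries in this file use one dated NOTE per status update, so a single NOTE line (or a continuation without the date) would be more consistent, but that is minor.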
[Git][security-tracker-team/security-tracker][master] CVE-2018-20230/pspp fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f51e487 by Salvatore Bonaccorso at 2019-04-23T13:58:40Z CVE-2018-20230/pspp fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21245,7 +21245,7 @@ CVE-2018-20232 (The labels widget gadget in Atlassian Jira before version 7.6.11 CVE-2018-20231 (Cross Site Request Forgery (CSRF) in the two-factor-authentication plu ...) NOT-FOR-US: two-factor-authentication plugin for WordPress CVE-2018-20230 (An issue was discovered in PSPP 1.2.0. There is a heap-based buffer ov ...) - - pspp (bug #916902) + - pspp 1.2.0-3 (bug #916902) [stretch] - pspp (Minor issue) [jessie] - pspp (Crash cannot be observed under normal conditions) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1660318 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2f51e487cb1401e30f4f32bfd3c063add0f2fbc3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2f51e487cb1401e30f4f32bfd3c063add0f2fbc3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
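Review bot: with pspp 1.2.0-3 now recorded as the fix in unstable, the two stable sub-states on this entry give different rationales for not fixing the same heap overflow: "[stretch] - pspp (Minor issue)" versus "[jessie] - pspp (Crash cannot be observed under normal conditions)"; aligning both on one rationale (or noting why they differ) would make the no-DSA decision easier to audit later.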
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11460/gnome-desktop3
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bae6e217 by Salvatore Bonaccorso at 2019-04-23T13:58:03Z Add CVE-2019-11460/gnome-desktop3 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22,7 +22,10 @@ CVE-2019-11461 (An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 a [jessie] - nautilus (Vulnerable embedded gnome-desktop thumbnail script introduced later) NOTE: https://gitlab.gnome.org/GNOME/nautilus/issues/987 CVE-2019-11460 (An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3.30 pr ...) - TODO: check + - gnome-desktop3 + [stretch] - gnome-desktop3 (Vulnerable embedded gnome-desktop thumbnail script introduced later) + [jessie] - gnome-desktop3 (Vulnerable embedded gnome-desktop thumbnail script introduced later) + NOTE: https://gitlab.gnome.org/GNOME/gnome-desktop/issues/112 CVE-2019-11459 (The tiff_document_render() and tiff_document_get_thumbnail() functions ...) TODO: check CVE-2013-7470 (cipso_v4_validate in include/net/cipso_ipv4.h in the Linux kernel befo ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bae6e217d8d0e5e32e398c260c9ccb45e252dd4f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bae6e217d8d0e5e32e398c260c9ccb45e252dd4f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
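Review bot: the [stretch] and [jessie] sub-state text "Vulnerable embedded gnome-desktop thumbnail script introduced later" is copied from the nautilus entry, where "embedded" describes nautilus carrying a copy of the script; for gnome-desktop3 itself the script is not embedded, it is the package's own code, so "Vulnerable thumbnail script introduced later" would be the accurate wording here.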
[Git][security-tracker-team/security-tracker][master] Reserve DLA-1761-1 for ghostscript
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 2be8de89 by Sylvain Beucler at 2019-04-23T11:46:46Z Reserve DLA-1761-1 for ghostscript - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[23 Apr 2019] DLA-1761-1 ghostscript - security update + {CVE-2019-3835 CVE-2019-3838} + [jessie] - ghostscript 9.26a~dfsg-0+deb8u2 [22 Apr 2019] DLA-1760-1 wget - security update {CVE-2019-5953} [jessie] - wget 1.16-1+deb8u6 = data/dla-needed.txt = @@ -35,10 +35,6 @@ faad2 (Hugo Lefeuvre) NOTE: need to check which other issues have been addressed by these fixes + one more NOTE: patch and we will be fit for upload. -- -ghostscript (Sylvain Beucler) - NOTE: 20190327: https://lists.debian.org/debian-lts/2019/03/msg00122.html - NOTE: 20190409: will backport 9.27 following stable-security (cf. dsa-needed.txt) --- gpac (Thorsten Alteholz) -- gradle View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2be8de89fe602e1b144492f1c9478fd299952235 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2be8de89fe602e1b144492f1c9478fd299952235 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
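Review bot: the new DLA-1761-1 entry records the jessie fix as ghostscript 9.26a~dfsg-0+deb8u2, while the dla-needed.txt note being removed in the same commit said "will backport 9.27 following stable-security"; the plan changed from a 9.27 rebase to a 9.26a-based update, and that decision is visible only by diffing this commit, so it deserves a line in the commit message or a NOTE on the affected CVE entries (CVE-2019-3835 and CVE-2019-3838).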
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2019-11461/nautilus
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a23c6a2b by Salvatore Bonaccorso at 2019-04-23T11:28:27Z Update status for CVE-2019-11461/nautilus To be checked if it is used in buster and above actually. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18,6 +18,8 @@ CVE-2019-11462 RESERVED CVE-2019-11461 (An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 and 3.3 ...) - nautilus + [stretch] - nautilus (Vulnerable embedded gnome-desktop thumbnail script introduced later) + [jessie] - nautilus (Vulnerable embedded gnome-desktop thumbnail script introduced later) NOTE: https://gitlab.gnome.org/GNOME/nautilus/issues/987 CVE-2019-11460 (An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3.30 pr ...) TODO: check View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a23c6a2bef36def825e2021fea48067bf1d66c76 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a23c6a2bef36def825e2021fea48067bf1d66c76 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
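Review bot: the commit message says "To be checked if it is used in buster and above actually", but that open question is not recorded in the data file; the unstable line "- nautilus" stays versionless and unconditional while the new [stretch] and [jessie] lines explain why those suites are unaffected, so a "NOTE: TODO: confirm the embedded thumbnail script is used in buster/sid" next to the issue URL would keep the pending check visible to other editors.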
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1f9df40e by Moritz Muehlenhoff at 2019-04-23T11:26:03Z NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -80345,6 +80345,7 @@ CVE-2018-1329 REJECTED CVE-2018-1328 RESERVED + NOT-FOR-US: Apache Zeppelin CVE-2018-1327 (The Apache Struts REST Plugin is using XStream library which is vulner ...) - libstruts1.2-java (Specific to 2.x) NOTE: https://cwiki.apache.org/confluence/display/WW/S2-056 @@ -80383,6 +80384,7 @@ CVE-2018-1318 (Adding method ACLs in remap.config can cause a segfault when the NOTE: https://github.com/apache/trafficserver/commit/e6dfda305acf85250861ecfa14a7bd6bb2fad5c3 CVE-2018-1317 RESERVED + NOT-FOR-US: Apache Zeppelin CVE-2018-1316 (The ODE process deployment web service was sensible to deployment mess ...) NOT-FOR-US: Apache ODE CVE-2018-1315 (In Apache Hive 2.1.0 to 2.3.2, when 'COPY FROM FTP' statement is run u ...) @@ -98407,6 +98409,7 @@ CVE-2017-12620 (When loading models or dictionaries that contain XML it is possi NOT-FOR-US: Apache OpenNLP CVE-2017-12619 RESERVED + NOT-FOR-US: Apache Zeppelin CVE-2017-12618 (Apache Portable Runtime Utility (APR-util) 1.6.0 and prior fail to val ...) {DLA-1163-1} - apr-util 1.6.1-1 (low; bug #879996) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1f9df40e616020879e7df5f21672f2a49c4b5cae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1f9df40e616020879e7df5f21672f2a49c4b5cae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
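Review bot: all three hunks add "NOT-FOR-US: Apache Zeppelin" under entries that are still "RESERVED" with no CVE description, so the file gives no basis for the attribution; since the RESERVED line normally means the text is unpublished, a NOTE with the Zeppelin advisory or announcement that assigns these ids (CVE-2018-1328, CVE-2018-1317, CVE-2017-12619) would make the classification verifiable once the descriptions land in a later automatic update.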
[Git][security-tracker-team/security-tracker][master] ncurses/CVE-2018-19217: already fixed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: a7b3b7ba by Sylvain Beucler at 2019-04-23T09:31:12Z ncurses/CVE-2018-19217: already fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30957,10 +30957,11 @@ CVE-2018-19218 (In LibSass 3.5-stable, there is an illegal address access at Sas - libsass NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1643758 CVE-2018-19217 (** DISPUTED ** In ncurses, possibly a 6.x version, there is a NULL poi ...) - - ncurses (unimportant) + - ncurses 6.0+20170701-1 + [stretch] - ncurses 6.0+20161126-1+deb9u1 + [jessie] - ncurses 5.9+20140913-1+deb8u1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1643753 - NOTE: not reproduced, no reporter feedback, upstream considers invalid, minor potential severity (local DoS) - NOTE: https://lists.gnu.org/archive/html/bug-ncurses/2019-04/msg7.html + NOTE: https://lists.gnu.org/archive/html/bug-ncurses/2019-04/msg00020.html CVE-2018-19216 (Netwide Assembler (NASM) before 2.13.02 has a use-after-free in detoke ...) - nasm 2.13.02-0.1 [stretch] - nasm (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a7b3b7ba6683dbcd1ff817e90f5a91d9161df450 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a7b3b7ba6683dbcd1ff817e90f5a91d9161df450 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
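Review bot: the hunk removes the NOTE "not reproduced, no reporter feedback, upstream considers invalid, minor potential severity (local DoS)" while the CVE text still reads "** DISPUTED **", so the entry now shows fixed versions for an issue the description calls disputed without saying what was fixed or why the assessment changed. Suggest keeping a one-line NOTE that states what the new bug-ncurses thread (msg00020.html) establishes and which change in 6.0+20170701-1 addresses it; the stretch and jessie lines (6.0+20161126-1+deb9u1, 5.9+20140913-1+deb8u1) also carry no DSA/DLA reference or changelog pointer, so a reader cannot see which update shipped the fix.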
[Git][security-tracker-team/security-tracker][master] Add CVE-2013-7470/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 473e11a2 by Salvatore Bonaccorso at 2019-04-23T09:18:08Z Add CVE-2013-7470/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24,7 +24,8 @@ CVE-2019-11460 (An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3 CVE-2019-11459 (The tiff_document_render() and tiff_document_get_thumbnail() functions ...) TODO: check CVE-2013-7470 (cipso_v4_validate in include/net/cipso_ipv4.h in the Linux kernel befo ...) - TODO: check + - linux 3.11.7-1 + NOTE: Fixed by: https://git.kernel.org/linus/f2e5ddcc0d12f9c4c7b254358ad245c9dddce13b CVE-2019-11458 RESERVED CVE-2019-11457 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/473e11a22f87516fd527485d6bcbd685b5c503c8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/473e11a22f87516fd527485d6bcbd685b5c503c8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
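Review bot: style: the reference is labelled "NOTE: Fixed by: <url>", whereas the libarchive entry committed the same day uses "NOTE: Fix: <url>" and most entries in this file use a bare "NOTE: <url>"; settling on one label keeps the file greppable for fix references.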
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11461/nautilus
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 62b107c4 by Salvatore Bonaccorso at 2019-04-23T09:15:05Z Add CVE-2019-11461/nautilus - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17,7 +17,8 @@ CVE-2019-11463 (A memory leak in archive_read_format_zip_cleanup in archive_read CVE-2019-11462 RESERVED CVE-2019-11461 (An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 and 3.3 ...) - TODO: check + - nautilus + NOTE: https://gitlab.gnome.org/GNOME/nautilus/issues/987 CVE-2019-11460 (An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3.30 pr ...) TODO: check CVE-2019-11459 (The tiff_document_render() and tiff_document_get_thumbnail() functions ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/62b107c47368209ce616e74a47183fe596df0ab7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/62b107c47368209ce616e74a47183fe596df0ab7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
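Review bot: the entry gets a bare "- nautilus" with no fixed version and no suite annotations, although the description itself names the upstream fix release (3.30.6, with a second series cut off in the text). Without the Debian version that contains the fix, or an explicit TODO for the stable suites, the line reads as "unfixed everywhere" and the stretch/jessie status cannot be told apart from not having been looked at yet. Suggest recording the fixed Debian version once known and adding "[stretch]"/"[jessie]" lines, or keeping a TODO line beside the NOTE until that is checked.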
[Git][security-tracker-team/security-tracker][master] 2 commits: Add note for CVE-2019-5428/jquery
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a5d5d0e4 by Salvatore Bonaccorso at 2019-04-23T09:13:55Z Add note for CVE-2019-5428/jquery Already in contact with MITRE CNA to resolve the issue. This seems to be a duplicate of CVE-2019-11358 but maybe there is a strict CNA rules reasoning for the two CVEs. As such we might then just track the fixed versions for src:jquery accordingly. - - - - - e25e1b30 by Salvatore Bonaccorso at 2019-04-23T09:13:55Z Wrap note - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5178,7 +5178,8 @@ CVE-2019-9619 [not enabled pam_systemd for non-interactive sessions] [jessie] - systemd (Too intrusive change for a stable release) NOTE: https://bugs.launchpad.net/bugs/1812316 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1756 - NOTE: for a stable release, activating pam_systemd for non-interactive sessions will likely have all sorts of unexpected/unwanted side-effects, so CAVE + NOTE: For a stable release, activating pam_systemd for non-interactive sessions will + NOTE: likely have all sorts of unexpected/unwanted side-effects. CVE-2019-9618 RESERVED CVE-2019-9617 (An issue was discovered in OFCMS before 1.1.3. Remote attackers can ex ...)
@@ -15459,7 +15460,8 @@ CVE-2019-5430 CVE-2019-5429 RESERVED CVE-2019-5428 (A prototype pollution vulnerability exists in jQuery versions 3.4 ...) - TODO: check + NOTE: Duplicate of CVE-2019-11358 + TODO: check (MITRE already contacted) CVE-2019-5427 (c3p0 version 0.9.5.4 may be exploited by a billion laughs attack ...) TODO: check CVE-2019-5426 (In Ubiquiti Networks EdgeSwitch X v1.1.0 and prior, an unauthenticated ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/ea484be4170b36da89bec294a5d2c1b299560535...e25e1b30ca7ce81c09878a9d21223bdc3707053a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/ea484be4170b36da89bec294a5d2c1b299560535...e25e1b30ca7ce81c09878a9d21223bdc3707053a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
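Review bot: the added line "NOTE: Duplicate of CVE-2019-11358" states the duplication as settled, while the commit message says it only seems to be a duplicate and that MITRE has been contacted because a CNA rule may justify two ids; the "TODO: check (MITRE already contacted)" line in the same hunk also shows it is unresolved. Suggest wording the NOTE to match, e.g. "NOTE: Possibly a duplicate of CVE-2019-11358, clarification requested from MITRE", so the entry is not read as a final verdict if the TODO is later dropped.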
[Git][security-tracker-team/security-tracker][master] libarchive n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ea484be4 by Moritz Muehlenhoff at 2019-04-23T09:07:31Z libarchive n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11,7 +11,9 @@ CVE-2019-11465 CVE-2019-11464 RESERVED CVE-2019-11463 (A memory leak in archive_read_format_zip_cleanup in archive_read_suppo ...) - TODO: check + - libarchive (Vulnerable code not present) + NOTE: Introduced in https://github.com/libarchive/libarchive/commit/121035c83e18b70d3128e9ac966109ebedb7e516 + NOTE: Fix: https://github.com/libarchive/libarchive/commit/ba641f73f3d758d9032b3f0e5597a9c6e593a505 CVE-2019-11462 RESERVED CVE-2019-11461 (An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 and 3.3 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ea484be4170b36da89bec294a5d2c1b299560535 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ea484be4170b36da89bec294a5d2c1b299560535 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
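Review bot: "- libarchive (Vulnerable code not present)" with no version marks every suite as unaffected, yet the NOTE directly below points at the commit that introduced the bug (121035c8...), so the verdict depends on which upstream version that commit first shipped in, and that version is not recorded. Suggest stating it in the parenthetical or a NOTE, for example "Vulnerable code introduced in <upstream version>, not in any Debian suite", so the entry can be re-checked when libarchive is next updated in unstable.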
[Git][security-tracker-team/security-tracker][master] data/CVE/list: Update metadata on currently open systemd issues.
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: a2a94b11 by Mike Gabriel at 2019-04-23T08:54:06Z data/CVE/list: Update metadata on currently open systemd issues. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5173,8 +5173,10 @@ CVE-2019-9619 [not enabled pam_systemd for non-interactive sessions] - systemd [buster] - systemd (Too intrusive change for a stable release) [stretch] - systemd (Too intrusive change for a stable release) + [jessie] - systemd (Too intrusive change for a stable release) NOTE: https://bugs.launchpad.net/bugs/1812316 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1756 + NOTE: for a stable release, activating pam_systemd for non-interactive sessions will likely have all sorts of unexpected/unwanted side-effects, so CAVE CVE-2019-9618 RESERVED CVE-2019-9617 (An issue was discovered in OFCMS before 1.1.3. Remote attackers can ex ...) 
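Review bot: the added NOTE "for a stable release, activating pam_systemd for non-interactive sessions will likely have all sorts of unexpected/unwanted side-effects, so CAVE" is a single very long line ending in an abbreviation, while the surrounding NOTE lines hold one reference each; the next commit on this page exists only to wrap it. Suggest wrapping at the sentence boundary when adding it ("NOTE: For a stable release, activating pam_systemd for non-interactive sessions will" / "NOTE: likely have all sorts of unexpected/unwanted side-effects.") and dropping "so CAVE", since the "Too intrusive change for a stable release" annotations on the buster/stretch/jessie lines already carry that warning.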
@@ -36953,7 +36955,7 @@ CVE-2018-16889 (Ceph does not properly sanitize encryption keys in debug logging CVE-2018-16888 (It was discovered systemd does not correctly check the content of PIDF ...) - systemd 237-1 (low) [stretch] - systemd (Minor issue, too intrusive to backport) - [jessie] - systemd (low priority because this is inherently a bug in the PID file logic) + [jessie] - systemd (low priority because this is inherently a bug in the PID file logic, too intrusive to backport) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1662867 NOTE: Upstream issue: https://github.com/systemd/systemd/issues/6632 NOTE: Upstream patches: https://github.com/systemd/systemd/pull/7816 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a2a94b119157e98368b79a2684764f4824db9369 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a2a94b119157e98368b79a2684764f4824db9369 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
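Review bot: the jessie line now combines two different rationales in one parenthetical, "low priority because this is inherently a bug in the PID file logic, too intrusive to backport", while the stretch line above it reads "(Minor issue, too intrusive to backport)". Suggest using the same short form for jessie and moving the PID-file reasoning to a NOTE line if it should be kept, so the per-suite status stays scannable.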
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 59a81271 by Salvatore Bonaccorso at 2019-04-23T08:50:16Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2019-11469 (Zoho ManageEngine Applications Manager 12 through 14 allows FaultTempl ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine Applications Manager CVE-2019-11468 RESERVED CVE-2019-11467 @@ -181,9 +181,9 @@ CVE-2019-11386 CVE-2019-11385 RESERVED CVE-2019-11384 (The Zalora application 6.15.1 for Android stores confidential informat ...) - TODO: check + NOT-FOR-US: Zalora application for Android CVE-2019-11383 (An issue was discovered in the Medha WiFi FTP Server application 1.8.3 ...) - TODO: check + NOT-FOR-US: Medha WiFi FTP Server application for Android CVE-2019-11382 RESERVED CVE-2019-11381 @@ -3491,7 +3491,7 @@ CVE-2019-9956 (In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overfl NOTE: https://github.com/ImageMagick/ImageMagick/commit/34a6a5a45e83a4af852090b4e43f168a380df979 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/90401e430840c5ff31ad870f4370bbda1318ac94 CVE-2019-9955 (On Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2019-9954 RESERVED CVE-2019-9953 
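Review bot: "NOT-FOR-US: Zyxel" in the CVE-2019-9955 hunk names only the vendor, while the other hunks in this commit name the product ("Zalora application for Android", "Medha WiFi FTP Server application for Android", "Check Point ZoneAlarm"). The description lists the affected devices (ATP200, ATP500, ATP800, USG20-VPN, USG40 and others), so "NOT-FOR-US: Zyxel ATP/USG devices" would be consistent with the rest of the commit and easier to grep.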
@@ -8033,7 +8033,7 @@ CVE-2019-8454 CVE-2019-8453 (Some of the DLLs loaded by Check Point ZoneAlarm up to 15.4.062 are ta ...) NOT-FOR-US: Check Point ZoneAlarm CVE-2019-8452 (A hard-link created from log file archive of Check Point ZoneAlarm up ...) - TODO: check + NOT-FOR-US: Check Point ZoneAlarm CVE-2019-8451 RESERVED CVE-2019-8450 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/59a812711bb2d5649d0e1f068929c98b9f787c12 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/59a812711bb2d5649d0e1f068929c98b9f787c12 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add projectzero issue references for CVE-2019-{3842,9619}/systemd
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 09bfb4b6 by Salvatore Bonaccorso at 2019-04-23T08:26:02Z Add projectzero issue references for CVE-2019-{3842,9619}/systemd - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5174,6 +5174,7 @@ CVE-2019-9619 [not enabled pam_systemd for non-interactive sessions] [buster] - systemd (Too intrusive change for a stable release) [stretch] - systemd (Too intrusive change for a stable release) NOTE: https://bugs.launchpad.net/bugs/1812316 + NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1756 CVE-2019-9618 RESERVED CVE-2019-9617 (An issue was discovered in OFCMS before 1.1.3. Remote attackers can ex ...) @@ -18775,6 +18776,7 @@ CVE-2019-3843 CVE-2019-3842 (In systemd before v242-rc4, it was discovered that pam_systemd does no ...) {DSA-4428-1} - systemd 241-3 + NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1756 NOTE: https://bugs.launchpad.net/bugs/1812316 NOTE: https://github.com/systemd/systemd/commit/83d4ab55336ff8a0643c6aa627b31e351a24040a CVE-2019-3841 (Kubevirt/virt-cdi-importer, versions 1.4.0 to 1.5.3 inclusive, were re ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/09bfb4b649717174817706c0e59455883c1c47c5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/09bfb4b649717174817706c0e59455883c1c47c5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
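Review bot: both hunks add the identical project-zero reference (issues/detail?id=1756) under two different CVE ids without a cross-reference, so a reader of either entry cannot tell how they relate (the CVE-2019-9619 header reads "not enabled pam_systemd for non-interactive sessions" and CVE-2019-3842 also concerns pam_systemd) or whether the duplicate link is a copy-paste. Suggest a "NOTE: Related to CVE-2019-3842" line under CVE-2019-9619 and the inverse under CVE-2019-3842; also, the first hunk appends the new NOTE after the launchpad link while the second inserts it before, so the two entries order the same references differently.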
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d20b38ca by security tracker role at 2019-04-23T08:10:15Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,27 @@ +CVE-2019-11469 (Zoho ManageEngine Applications Manager 12 through 14 allows FaultTempl ...) + TODO: check +CVE-2019-11468 + RESERVED +CVE-2019-11467 + RESERVED +CVE-2019-11466 + RESERVED +CVE-2019-11465 + RESERVED +CVE-2019-11464 + RESERVED +CVE-2019-11463 (A memory leak in archive_read_format_zip_cleanup in archive_read_suppo ...) + TODO: check +CVE-2019-11462 + RESERVED +CVE-2019-11461 (An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 and 3.3 ...) + TODO: check +CVE-2019-11460 (An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 3.30 pr ...) + TODO: check +CVE-2019-11459 (The tiff_document_render() and tiff_document_get_thumbnail() functions ...) + TODO: check +CVE-2013-7470 (cipso_v4_validate in include/net/cipso_ipv4.h in the Linux kernel befo ...) + TODO: check CVE-2019-11458 RESERVED CVE-2019-11457 @@ -156,10 +180,10 @@ CVE-2019-11386 RESERVED CVE-2019-11385 RESERVED -CVE-2019-11384 - RESERVED -CVE-2019-11383 - RESERVED +CVE-2019-11384 (The Zalora application 6.15.1 for Android stores confidential informat ...) + TODO: check +CVE-2019-11383 (An issue was discovered in the Medha WiFi FTP Server application 1.8.3 ...) + TODO: check CVE-2019-11382 RESERVED CVE-2019-11381 
@@ -2820,12 +2844,12 @@ CVE-2019-1003040 (A sandbox bypass vulnerability in Jenkins Script Security Plug NOT-FOR-US: Jenkins plugin CVE-2019-10249 RESERVED -CVE-2019-10248 - RESERVED -CVE-2019-10247 - RESERVED -CVE-2019-10246 - RESERVED +CVE-2019-10248 (Eclipse Vorto versions prior to 0.11 resolved Maven build artifacts fo ...) + TODO: check +CVE-2019-10247 (In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, ...) + TODO: check +CVE-2019-10246 (In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server runnin ...) + TODO: check CVE-2019-10245 (In Eclipse OpenJ9 prior to the 0.14.0 release, the Java bytecode verif ...) NOT-FOR-US: Eclipse OpenJ9 CVE-2019-10244 (In Eclipse Kura versions up to 4.0.0, the Web UI package and component ...) @@ -2834,8 +2858,8 @@ CVE-2019-10243 (In Eclipse Kura versions up to 4.0.0, Kura exposes the underlyin NOT-FOR-US: Eclipse Kura CVE-2019-10242 (In Eclipse Kura versions up to 4.0.0, the SkinServlet did not checked ...) NOT-FOR-US: Eclipse Kura -CVE-2019-10241 - RESERVED +CVE-2019-10241 (In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.1 ...) + TODO: check CVE-2019-10240 (Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifac ...) NOT-FOR-US: Eclipse hawkBit CVE-2017-18365 (The Management Console in GitHub Enterprise 2.8.x before 2.8.7 has a d ...) @@ -3466,8 +3490,8 @@ CVE-2019-9956 (In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overfl NOTE: https://github.com/ImageMagick/ImageMagick/issues/1523 NOTE: https://github.com/ImageMagick/ImageMagick/commit/34a6a5a45e83a4af852090b4e43f168a380df979 NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/90401e430840c5ff31ad870f4370bbda1318ac94 -CVE-2019-9955 - RESERVED +CVE-2019-9955 (On Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, ...) + TODO: check CVE-2019-9954 RESERVED CVE-2019-9953 
@@ -8007,8 +8031,8 @@ CVE-2019-8454 RESERVED CVE-2019-8453 (Some of the DLLs loaded by Check Point ZoneAlarm up to 15.4.062 are ta ...) NOT-FOR-US: Check Point ZoneAlarm -CVE-2019-8452 - RESERVED +CVE-2019-8452 (A hard-link created from log file archive of Check Point ZoneAlarm up ...) + TODO: check CVE-2019-8451 RESERVED CVE-2019-8450 @@ -14123,7 +14147,7 @@ CVE-2019-5954 RESERVED CVE-2019-5953 [Buffer overflow vulnerability] RESERVED - {DSA-4425-1} + {DSA-4425-1 DLA-1760-1} - wget 1.20.1-1.1 (bug #926389) NOTE: https://jvn.jp/en/jp/JVN25261088/ NOTE: https://lists.gnu.org/archive/html/bug-wget/2019-04/msg1.html @@ -15429,10 +15453,10 @@ CVE-2019-5430 RESERVED CVE-2019-5429 RESERVED -CVE-2019-5428 - RESERVED -CVE-2019-5427 - RESERVED +CVE-2019-5428 (A prototype pollution vulnerability exists in jQuery versions 3.4 ...) + TODO: check +CVE-2019-5427 (c3p0 version 0.9.5.4 may be exploited by a billion laughs attack ...) + TODO: check CVE-2019-5426 (In Ubiquiti Networks EdgeSwitch X v1.1.0 and prior, an unauthenticated ...) NOT-FOR-US: Ubiquiti CVE-2019-5425
[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-11445 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 934d1071 by Salvatore Bonaccorso at 2019-04-23T07:45:16Z Mark CVE-2019-11445 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28,7 +28,7 @@ CVE-2019-11447 (An issue was discovered in CutePHP CuteNews 2.1.2. An attacker c CVE-2019-11446 (An issue was discovered in ATutor through 2.2.4. It allows the user to ...) NOT-FOR-US: ATutor CVE-2019-11445 (OpenKM 6.3.2 through 6.3.7 allows an attacker to upload a malicious JS ...) - TODO: check + NOT-FOR-US: OpenKM CVE-2019-11444 (An issue was discovered in Liferay Portal CE 7.1.2 GA3. An attacker ca ...) NOT-FOR-US: Liferay Portal CE CVE-2019-11443 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/934d1071ade09e6f1611a9801809b9c3be4843fd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/934d1071ade09e6f1611a9801809b9c3be4843fd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits