[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-11470/imagemagick

2019-04-23 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
894b7786 by Salvatore Bonaccorso at 2019-04-23T20:58:07Z
Add Debian bug reference for CVE-2019-11470/imagemagick

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -37,7 +37,7 @@ CVE-2019-11471 (libheif 1.4.0 has a use-after-free in 
heif::HeifContext::Image::
NOTE: 
https://github.com/strukturag/libheif/commit/995a4283d8ed2d0d2c1ceb1a577b993df2f0e014
NOTE: https://github.com/strukturag/libheif/issues/123
 CVE-2019-11470 (The cineon parsing component in ImageMagick 7.0.8-26 Q16 
allows attack ...)
-   - imagemagick 
+   - imagemagick  (bug #927830)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1472
NOTE: 
https://github.com/ImageMagick/ImageMagick6/commit/a0473b29add9521ffd4c74f6f623b418811762b0
 CVE-2018-20822 (LibSass 3.5.4 allows attackers to cause a denial-of-service 
(uncontrol ...)
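
Review bot: the bug reference is added but the package line still has no fixed version, so imagemagick stays listed as affected in unstable until the upload closing #927830 is recorded here. Note also that the double space in "- imagemagick  (bug #927830)" is where the tracker's status marker sits (<unfixed> for an entry without a version); that marker has been dropped in this rendering of the diff, and the same loss affects the [stretch]/[jessie] annotations elsewhere on this page, so read those lines with the missing token in mind.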



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/894b7786b7c55f3b9f19d00be029677bd53f4c32

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/894b7786b7c55f3b9f19d00be029677bd53f4c32
You're receiving this email because of your account on salsa.debian.org.

___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11470/imagemagick

2019-04-23 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4f0330c0 by Salvatore Bonaccorso at 2019-04-23T20:51:28Z
Add CVE-2019-11470/imagemagick

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -37,7 +37,9 @@ CVE-2019-11471 (libheif 1.4.0 has a use-after-free in 
heif::HeifContext::Image::
NOTE: 
https://github.com/strukturag/libheif/commit/995a4283d8ed2d0d2c1ceb1a577b993df2f0e014
NOTE: https://github.com/strukturag/libheif/issues/123
 CVE-2019-11470 (The cineon parsing component in ImageMagick 7.0.8-26 Q16 
allows attack ...)
-   TODO: check
+   - imagemagick 
+   NOTE: https://github.com/ImageMagick/ImageMagick/issues/1472
+   NOTE: 
https://github.com/ImageMagick/ImageMagick6/commit/a0473b29add9521ffd4c74f6f623b418811762b0
 CVE-2018-20822 (LibSass 3.5.4 allows attackers to cause a denial-of-service 
(uncontrol ...)
TODO: check
 CVE-2018-20821 (The parsing component in LibSass through 3.5.5 allows 
attackers to cau ...)
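
Review bot: the new "- imagemagick " line carries neither a fixed version nor a Debian bug reference; the bug number (#927830) arrives in the follow-up commit 894b7786 shown above, but the entry would be easier to act on if the ImageMagick6 commit a0473b29 were tagged as the fix ("NOTE: Fixed by:" as the evince and kernel entries on this page do) and it were spelled out that the 6.x branch is the one Debian's imagemagick package is based on, since the CVE text only names ImageMagick 7.0.8-26 Q16.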



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/4f0330c040ab4fedd9035baa8c5c4782a6464d6d


[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-11472/imagemagick

2019-04-23 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
193e9178 by Salvatore Bonaccorso at 2019-04-23T20:38:11Z
Add Debian bug reference for CVE-2019-11472/imagemagick

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -29,7 +29,7 @@ CVE-2019-11473 (coders/xwd.c in GraphicsMagick 1.3.31 allows 
attackers to cause
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/5402c5cbd8bd
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/944dcbc457f8
 CVE-2019-11472 (ReadXWDImage in coders/xwd.c in the XWD image parsing 
component of Ima ...)
-   - imagemagick 
+   - imagemagick  (bug #927828)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1546
NOTE: 
https://github.com/ImageMagick/ImageMagick6/commit/f663dfb8431c97d95682a2b533cca1c8233d21b4
 CVE-2019-11471 (libheif 1.4.0 has a use-after-free in 
heif::HeifContext::Image::set_al ...)
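
Review bot: bug #927828 is now referenced, but there is still no [stretch] or [jessie] line for CVE-2019-11472, so both stable suites are listed as affected by default. The GraphicsMagick entry in the context above (CVE-2019-11473, also coders/xwd.c) already carries the upstream revisions 5402c5cbd8bd and 944dcbc457f8, which are a useful second reference when backporting the ImageMagick6 commit f663dfb8 to the stable branches.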



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/193e9178724dca532ad5233de4a4cffea4d5c2ee


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11471/libheif

2019-04-23 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
db437a62 by Salvatore Bonaccorso at 2019-04-23T20:36:04Z
Add CVE-2019-11471/libheif

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -33,7 +33,9 @@ CVE-2019-11472 (ReadXWDImage in coders/xwd.c in the XWD image 
parsing component
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1546
NOTE: 
https://github.com/ImageMagick/ImageMagick6/commit/f663dfb8431c97d95682a2b533cca1c8233d21b4
 CVE-2019-11471 (libheif 1.4.0 has a use-after-free in 
heif::HeifContext::Image::set_al ...)
-   TODO: check
+   - libheif 
+   NOTE: 
https://github.com/strukturag/libheif/commit/995a4283d8ed2d0d2c1ceb1a577b993df2f0e014
+   NOTE: https://github.com/strukturag/libheif/issues/123
 CVE-2019-11470 (The cineon parsing component in ImageMagick 7.0.8-26 Q16 
allows attack ...)
TODO: check
 CVE-2018-20822 (LibSass 3.5.4 allows attackers to cause a denial-of-service 
(uncontrol ...)
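
Review bot: the libheif line has no fixed version, no bug reference and no [stretch]/[jessie] annotation, and the upstream commit 995a4283 is listed as a bare NOTE rather than with the "Fixed by:" prefix used for the evince and kernel entries on this page; marking it as the fix and adding the bug number once filed (as was done for the imagemagick entries above) would bring the entry in line with the rest of the day's triage.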



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/db437a6256b812188d093eb9737c4cb0bddefa6b


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11472/imagemagick

2019-04-23 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9f7499da by Salvatore Bonaccorso at 2019-04-23T20:28:07Z
Add CVE-2019-11472/imagemagick

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -29,7 +29,9 @@ CVE-2019-11473 (coders/xwd.c in GraphicsMagick 1.3.31 allows 
attackers to cause
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/5402c5cbd8bd
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/944dcbc457f8
 CVE-2019-11472 (ReadXWDImage in coders/xwd.c in the XWD image parsing 
component of Ima ...)
-   TODO: check
+   - imagemagick 
+   NOTE: https://github.com/ImageMagick/ImageMagick/issues/1546
+   NOTE: 
https://github.com/ImageMagick/ImageMagick6/commit/f663dfb8431c97d95682a2b533cca1c8233d21b4
 CVE-2019-11471 (libheif 1.4.0 has a use-after-free in 
heif::HeifContext::Image::set_al ...)
TODO: check
 CVE-2019-11470 (The cineon parsing component in ImageMagick 7.0.8-26 Q16 
allows attack ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9f7499da59a2c25abd6407ed9aa62f97ac370803


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11473/graphicsmagick

2019-04-23 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cb2bc45e by Salvatore Bonaccorso at 2019-04-23T20:20:47Z
Add CVE-2019-11473/graphicsmagick

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25,7 +25,9 @@ CVE-2019-11474 (coders/xwd.c in GraphicsMagick 1.3.31 allows 
attackers to cause
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/5402c5cbd8bd
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/944dcbc457f8
 CVE-2019-11473 (coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to 
cause a deni ...)
-   TODO: check
+   - graphicsmagick 1.4~hg15976-1
+   NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/5402c5cbd8bd
+   NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/944dcbc457f8
 CVE-2019-11472 (ReadXWDImage in coders/xwd.c in the XWD image parsing 
component of Ima ...)
TODO: check
 CVE-2019-11471 (libheif 1.4.0 has a use-after-free in 
heif::HeifContext::Image::set_al ...)
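
Review bot: 1.4~hg15976-1 is recorded as the fixed version without a bug reference and without [stretch]/[jessie] lines; because 1.4~hg15976 sorts above any 1.3.x release in dpkg version ordering, every stable suite shipping a 1.3.x graphicsmagick will be listed as affected, so the entry needs either a no-dsa/not-affected annotation for those suites or a matching dla-needed/dsa-needed entry. The two hg revisions duplicate the NOTE lines already present on CVE-2019-11474 in the context above, which is expected if both IDs were addressed by the same upstream changes.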



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/cb2bc45e079d6a5fa7f56c42cee0e0e3b940f950


[Git][security-tracker-team/security-tracker][master] NFUs

2019-04-23 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3f74a79e by Moritz Muehlenhoff at 2019-04-23T20:19:27Z
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -901,7 +901,7 @@ CVE-2019-11078 (MKCMS V5.0 has a CSRF vulnerability to add 
a new admin user via
 CVE-2019-11077 (FastAdmin V1.0.0.20190111_beta has a CSRF vulnerability to add 
a new a ...)
NOT-FOR-US: FastAdmin
 CVE-2019-11076 (Cribl UI 1.5.0 allows remote attackers to run arbitrary 
commands via a ...)
-   TODO: check
+   NOT-FOR-US: Cribl UI
 CVE-2019-11075
RESERVED
 CVE-2019-11074
@@ -1488,7 +1488,7 @@ CVE-2019-10866
 CVE-2019-10865
RESERVED
 CVE-2019-10864 (The WP Statistics plugin through 12.6.2 for WordPress has XSS, 
allowin ...)
-   TODO: check
+   NOT-FOR-US: Wordpress plugin
 CVE-2019-10863 (A command injection vulnerability exists in TeemIp versions 
before 2.4 ...)
NOT-FOR-US: TeemIp IPAM
 CVE-2019-10862
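
Review bot: "NOT-FOR-US: Wordpress plugin" is less specific than the convention used elsewhere in the file (compare "NOT-FOR-US: two-factor-authentication plugin for WordPress" on CVE-2018-20231 further down this page); "NOT-FOR-US: WP Statistics plugin for WordPress" would keep the entry greppable for anyone searching for the plugin name later.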
@@ -2899,7 +2899,7 @@ CVE-2019-1003040 (A sandbox bypass vulnerability in 
Jenkins Script Security Plug
 CVE-2019-10249
RESERVED
 CVE-2019-10248 (Eclipse Vorto versions prior to 0.11 resolved Maven build 
artifacts fo ...)
-   TODO: check
+   NOT-FOR-US: Eclipse Vorto
 CVE-2019-10247 (In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 
and older, ...)
TODO: check
 CVE-2019-10246 (In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the 
server runnin ...)
@@ -9657,7 +9657,7 @@ CVE-2019-7729 (An issue was discovered in the Bosch Smart 
Camera App before 1.3.
 CVE-2019-7728 (An issue was discovered in the Bosch Smart Camera App before 
1.3.1 for ...)
NOT-FOR-US: Bosch Smart Camera App
 CVE-2019-7727 (In NICE Engage through 6.5, the default configuration binds an 
unauthe ...)
-   TODO: check
+   NOT-FOR-US: NICE Engage
 CVE-2019-7726
RESERVED
 CVE-2019-7725
@@ -13718,11 +13718,11 @@ CVE-2019-6159
 CVE-2019-6158
RESERVED
 CVE-2019-6157 (In various firmware versions of Lenovo System x, the integrated 
manage ...)
-   TODO: check
+   NOT-FOR-US: Lenovo
 CVE-2019-6156 (In Lenovo systems, SMM BIOS Write Protection is used to prevent 
writes ...)
NOT-FOR-US: Lenovo
 CVE-2019-6155 (A potential vulnerability was found in an SMI handler in 
various BIOS  ...)
-   TODO: check
+   NOT-FOR-US: Lenovo
 CVE-2019-6154 (A DLL search path vulnerability was reported in Lenovo Bootable 
Genera ...)
NOT-FOR-US: Lenovo
 CVE-2019-6153
@@ -22895,9 +22895,9 @@ CVE-2019-2721 (Vulnerability in the Oracle VM 
VirtualBox component of Oracle Vir
- virtualbox 6.0.6-dfsg-1
[jessie] - virtualbox  (DSA-3699-1)
 CVE-2019-2720 (Vulnerability in the Oracle Data Integrator component of Oracle 
Fusion ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2019-2719 (Vulnerability in the Oracle Knowledge component of Oracle 
Siebel CRM ( ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2019-2718
RESERVED
 CVE-2019-2717
@@ -22909,34 +22909,34 @@ CVE-2019-2715
 CVE-2019-2714
RESERVED
 CVE-2019-2713 (Vulnerability in the Oracle Commerce Merchandising component of 
Oracle ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2019-2712 (Vulnerability in the Oracle Commerce Platform component of 
Oracle Comm ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2019-2711
RESERVED
 CVE-2019-2710
RESERVED
 CVE-2019-2709 (Vulnerability in the Oracle Transportation Management component 
of Ora ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2019-2708 (Vulnerability in the Data Store component of Oracle Berkeley 
DB. Suppo ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2019-2707 (Vulnerability in the PeopleSoft Enterprise ELM Enterprise 
Learning Man ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2019-2706 (Vulnerability in the Oracle Business Process Management Suite 
componen ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2019-2705 (Vulnerability in the Oracle Outside In Technology component of 
Oracle  ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2019-2704 (Vulnerability in the Oracle Solaris component of Oracle Sun 
Systems Pr ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2019-2703 (Vulnerability in the Oracle VM VirtualBox component of Oracle 
Virtuali ...)
- virtualbox 6.0.6-dfsg-1
[jessie] - virtualbox  (DSA-3699-1)
 CVE-2019-2702 (Vulnerability in the Oracle Hospitality Cruise Dining Room 
Management  ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2019-2701 (Vulnerability in the Primavera P6 Enterprise Project Portfolio 
Managem ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2019-2700 (Vulnerability in the PeopleSoft Enterprise ELM component of 
Oracle Peo ...)
-   TODO: check
+   NOT-FOR-US: Oracle
 CVE-2019-2699 
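
Review bot: CVE-2019-2708 should not be batched with the other Oracle entries: its description names the Data Store component of Oracle Berkeley DB, which Debian ships as src:db5.3 (and the older db source packages), so "NOT-FOR-US: Oracle" is likely wrong here and the issue needs checking against the Berkeley DB versions in the archive before being closed. The remaining IDs in this hunk (Commerce, Transportation Management, PeopleSoft, BPM Suite, Outside In, Solaris, Hospitality Cruise, Primavera) are proprietary Oracle products with no Debian package, so the blanket marking is fine for those.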

[Git][security-tracker-team/security-tracker][master] automatic update

2019-04-23 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7d0c0018 by security tracker role at 2019-04-23T20:10:24Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,43 @@
+CVE-2019-11485
+   RESERVED
+CVE-2019-11484
+   RESERVED
+CVE-2019-11483
+   RESERVED
+CVE-2019-11482
+   RESERVED
+CVE-2019-11481
+   RESERVED
+CVE-2019-11480
+   RESERVED
+CVE-2019-11479
+   RESERVED
+CVE-2019-11478
+   RESERVED
+CVE-2019-11477
+   RESERVED
+CVE-2019-11476
+   RESERVED
+CVE-2019-11475
+   RESERVED
+CVE-2019-11474 (coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to 
cause a deni ...)
+   TODO: check
+CVE-2019-11473 (coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to 
cause a deni ...)
+   TODO: check
+CVE-2019-11472 (ReadXWDImage in coders/xwd.c in the XWD image parsing 
component of Ima ...)
+   TODO: check
+CVE-2019-11471 (libheif 1.4.0 has a use-after-free in 
heif::HeifContext::Image::set_al ...)
+   TODO: check
+CVE-2019-11470 (The cineon parsing component in ImageMagick 7.0.8-26 Q16 
allows attack ...)
+   TODO: check
+CVE-2018-20822 (LibSass 3.5.4 allows attackers to cause a denial-of-service 
(uncontrol ...)
+   TODO: check
+CVE-2018-20821 (The parsing component in LibSass through 3.5.5 allows 
attackers to cau ...)
+   TODO: check
+CVE-2018-20820 (read_ujpg in jpgcoder.cc in Dropbox Lepton 1.2.1 allows 
attackers to c ...)
+   TODO: check
+CVE-2018-20819 (io/ZlibCompression.cc in the decompression component in 
Dropbox Lepton ...)
+   TODO: check
 CVE-2019-11469 (Zoho ManageEngine Applications Manager 12 through 14 allows 
FaultTempl ...)
NOT-FOR-US: Zoho ManageEngine Applications Manager
 CVE-2019-11468
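
Review bot: of the newly imported IDs, CVE-2019-11470 to CVE-2019-11473 are triaged by the later commits on this page, but CVE-2018-20821 and CVE-2018-20822 (LibSass) stay at "TODO: check" although libsass is packaged in Debian, so those two need a package line rather than a place in the triage queue. CVE-2019-11474 shows up in the context of commit cb2bc45e already carrying the GraphicsMagick hg references, so it was handled in a commit not included here; the Dropbox Lepton IDs CVE-2018-20819/CVE-2018-20820 are not touched by anything shown.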
@@ -858,8 +898,8 @@ CVE-2019-11078 (MKCMS V5.0 has a CSRF vulnerability to add 
a new admin user via
NOT-FOR-US: MKCMS
 CVE-2019-11077 (FastAdmin V1.0.0.20190111_beta has a CSRF vulnerability to add 
a new a ...)
NOT-FOR-US: FastAdmin
-CVE-2019-11076
-   RESERVED
+CVE-2019-11076 (Cribl UI 1.5.0 allows remote attackers to run arbitrary 
commands via a ...)
+   TODO: check
 CVE-2019-11075
RESERVED
 CVE-2019-11074
@@ -1445,8 +1485,8 @@ CVE-2019-10866
RESERVED
 CVE-2019-10865
RESERVED
-CVE-2019-10864
-   RESERVED
+CVE-2019-10864 (The WP Statistics plugin through 12.6.2 for WordPress has XSS, 
allowin ...)
+   TODO: check
 CVE-2019-10863 (A command injection vulnerability exists in TeemIp versions 
before 2.4 ...)
NOT-FOR-US: TeemIp IPAM
 CVE-2019-10862
@@ -1877,8 +1917,8 @@ CVE-2019-10712
RESERVED
 CVE-2019-10711
RESERVED
-CVE-2019-10710
-   RESERVED
+CVE-2019-10710 (Insecure permissions in the Web management portal on all IP 
cameras ba ...)
+   TODO: check
 CVE-2019-10709
RESERVED
 CVE-2019-10708 (S-CMS PHP v1.0 has SQL injection via the 
4/js/scms.php?action=unlike i ...)
@@ -9614,8 +9654,8 @@ CVE-2019-7729 (An issue was discovered in the Bosch Smart 
Camera App before 1.3.
NOT-FOR-US: Bosch Smart Camera App
 CVE-2019-7728 (An issue was discovered in the Bosch Smart Camera App before 
1.3.1 for ...)
NOT-FOR-US: Bosch Smart Camera App
-CVE-2019-7727
-   RESERVED
+CVE-2019-7727 (In NICE Engage through 6.5, the default configuration binds an 
unauthe ...)
+   TODO: check
 CVE-2019-7726
RESERVED
 CVE-2019-7725
@@ -10869,14 +10909,13 @@ CVE-2019-7305 [extplorer exposes /usr and 
/etc/extplorer over HTTP]
RESERVED
- extplorer 
NOTE: https://bugs.launchpad.net/ubuntu/+source/extplorer/+bug/1822013
-CVE-2019-7304 [Local privilege escalation via snapd socket]
-   RESERVED
+CVE-2019-7304 (Canonical snapd before version 2.37.1 incorrectly performed 
socket own ...)
- snapd 2.37.1-1
[stretch] - snapd  (Vulnerable code introduced later)
NOTE: https://bugs.launchpad.net/snapd/+bug/1813365
NOTE: Introduced in 2.28, fixed in 2.37.1
-CVE-2019-7303
-   RESERVED
+CVE-2019-7303 (A vulnerability in the seccomp filters of Canonical snapd 
before versi ...)
+   TODO: check
 CVE-2019-7302
RESERVED
 CVE-2019-7301 (Zen Load Balancer 3.10.1 allows remote authenticated admin 
users to ex ...)
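
Review bot: CVE-2019-7303 is left at "TODO: check" even though its description names the same package as the entry directly above it (the seccomp filters of Canonical snapd); it should get a "- snapd" line with the fixed version, and the stretch/jessie status needs the same "introduced later" check that CVE-2019-7304 received (NOTE: Introduced in 2.28, fixed in 2.37.1), since the affected code may differ between the two issues.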
@@ -18807,7 +18846,7 @@ CVE-2019-3840 (A NULL pointer dereference flaw was 
discovered in libvirt before
 CVE-2019-3839
RESERVED
 CVE-2019-3838 (It was found that the forceput operator could be extracted from 
the De ...)
-   {DSA-4432-1}
+   {DSA-4432-1 DLA-1761-1}
[experimental] - ghostscript 9.27~~dc1~dfsg-1
- ghostscript 9.27~dfsg-1 (bug #925257)
NOTE: https://www.openwall.com/lists/oss-security/2019/03/21/1
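
Review bot: the {DLA-1761-1} cross-reference added here follows the DLA reservation in data/DLA/list (commit 2be8de89 on this page), which lists CVE-2019-3835 together with CVE-2019-3838; the following hunk is cut off in this message, so it is worth confirming that CVE-2019-3835 received the same {DLA-1761-1} addition.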
@@ -18827,7 +18866,7 @@ CVE-2019-3836 (It was discovered in gnutls before 
version 3.6.7 upstream that th
NOTE: 

[Git][security-tracker-team/security-tracker][master] Add Debian bug references for CVE-2019-11459/{atril,evince}

2019-04-23 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
691615c2 by Salvatore Bonaccorso at 2019-04-23T19:59:10Z
Add Debian bug references for CVE-2019-11459/{atril,evince}

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -27,8 +27,8 @@ CVE-2019-11460 (An issue was discovered in GNOME 
gnome-desktop 3.26, 3.28, and 3
[jessie] - gnome-desktop3  (Vulnerable embedded 
gnome-desktop thumbnail script introduced later)
NOTE: https://gitlab.gnome.org/GNOME/gnome-desktop/issues/112
 CVE-2019-11459 (The tiff_document_render() and tiff_document_get_thumbnail() 
functions ...)
-   - atril 
-   - evince 
+   - atril  (bug #927821)
+   - evince  (bug #927820)
NOTE: https://gitlab.gnome.org/GNOME/evince/issues/1129
NOTE: Fixed by: 
https://gitlab.gnome.org/GNOME/evince/commit/3e38d5ad724a042eebadcba8c2d57b0f48b7a8c7
 CVE-2013-7470 (cipso_v4_validate in include/net/cipso_ipv4.h in the Linux 
kernel befo ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/691615c2f98f8032d29f6c96370d7e8cd3c56012


[Git][security-tracker-team/security-tracker][master] CVE-2019-11358/node-jquery fixed in unstable

2019-04-23 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1fce5445 by Salvatore Bonaccorso at 2019-04-23T19:03:59Z
CVE-2019-11358/node-jquery fixed in unstable

Thanks: Xavier Guimard y...@debian.org

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -453,7 +453,7 @@ CVE-2019-11358 (jQuery before 3.4.0, as used in Drupal, 
Backdrop CMS, and other
{DSA-4434-1}
- drupal7  (bug #927330)
- jquery 3.3.1~dfsg-2 (bug #927385)
-   - node-jquery  (bug #927466)
+   - node-jquery 2.2.4+dfsg-4 (bug #927466)
[stretch] - jquery  (Minor issue; can be fixed via point 
release)
NOTE: https://www.drupal.org/sa-core-2019-006
NOTE: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
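
Review bot: the fixed version 2.2.4+dfsg-4 is far below jQuery 3.4.0, the first upstream release the description calls fixed, so this must be a backported patch; a NOTE pointing at the patch applied in that upload would help whoever handles the [stretch] jquery entry, which is marked as fixable via a point release and will need the same backport.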



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/1fce544568f898019f6f966b695032497b24c3b7


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11459/{atril,evince}

2019-04-23 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
defbecde by Salvatore Bonaccorso at 2019-04-23T17:25:46Z
Add CVE-2019-11459/{atril,evince}

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -27,7 +27,10 @@ CVE-2019-11460 (An issue was discovered in GNOME 
gnome-desktop 3.26, 3.28, and 3
[jessie] - gnome-desktop3  (Vulnerable embedded 
gnome-desktop thumbnail script introduced later)
NOTE: https://gitlab.gnome.org/GNOME/gnome-desktop/issues/112
 CVE-2019-11459 (The tiff_document_render() and tiff_document_get_thumbnail() 
functions ...)
-   TODO: check
+   - atril 
+   - evince 
+   NOTE: https://gitlab.gnome.org/GNOME/evince/issues/1129
+   NOTE: Fixed by: 
https://gitlab.gnome.org/GNOME/evince/commit/3e38d5ad724a042eebadcba8c2d57b0f48b7a8c7
 CVE-2013-7470 (cipso_v4_validate in include/net/cipso_ipv4.h in the Linux 
kernel befo ...)
- linux 3.11.7-1
NOTE: Fixed by: 
https://git.kernel.org/linus/f2e5ddcc0d12f9c4c7b254358ad245c9dddce13b
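
Review bot: atril is MATE's fork of evince and carries its own copy of the TIFF backend, so the evince commit 3e38d5ad given as "Fixed by:" does not fix atril on its own; the atril line needs its own fix reference once the change is ported, and both package lines are still without a fixed version or bug number (the bug references are added in the follow-up commit 691615c2 shown above).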



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/defbecdef0c47f445000fbf6ee2e7e3e71764fd3


[Git][security-tracker-team/security-tracker][master] Update notes on evolution in data/dla-needed.txt

2019-04-23 Thread Jonas Meurer


Jonas Meurer pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ec0ae80b by Jonas Meurer at 2019-04-23T15:18:25Z
Update notes on evolution in data/dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -23,7 +23,8 @@ claws-mail
   NOTE: 20190408: patch not yet available
 --
 evolution (Jonas Meurer)
-  NOTE: 20190418: working on it, but needs more debugging
+  NOTE: 20190423: I have a fixed version ready for upload, but futher debugging
+  NOTE: 20190423: is required for evolution-data-server.
 --
 evolution-data-server (Jonas Meurer)
   NOTE: 20190418: working on it, but needs more debugging
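
Review bot: typo in the added NOTE line: "futher" should read "further".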



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ec0ae80b441d84b19ad5120f7e95fb6d01d97d4e


[Git][security-tracker-team/security-tracker][master] CVE-2018-20230/pspp fixed in unstable

2019-04-23 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2f51e487 by Salvatore Bonaccorso at 2019-04-23T13:58:40Z
CVE-2018-20230/pspp fixed in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21245,7 +21245,7 @@ CVE-2018-20232 (The labels widget gadget in Atlassian 
Jira before version 7.6.11
 CVE-2018-20231 (Cross Site Request Forgery (CSRF) in the 
two-factor-authentication plu ...)
NOT-FOR-US: two-factor-authentication plugin for WordPress
 CVE-2018-20230 (An issue was discovered in PSPP 1.2.0. There is a heap-based 
buffer ov ...)
-   - pspp  (bug #916902)
+   - pspp 1.2.0-3 (bug #916902)
[stretch] - pspp  (Minor issue)
[jessie] - pspp  (Crash cannot be observed under normal 
conditions)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1660318



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2f51e487cb1401e30f4f32bfd3c063add0f2fbc3


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11460/gnome-desktop3

2019-04-23 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bae6e217 by Salvatore Bonaccorso at 2019-04-23T13:58:03Z
Add CVE-2019-11460/gnome-desktop3

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -22,7 +22,10 @@ CVE-2019-11461 (An issue was discovered in GNOME Nautilus 
3.30 prior to 3.30.6 a
[jessie] - nautilus  (Vulnerable embedded gnome-desktop 
thumbnail script introduced later)
NOTE: https://gitlab.gnome.org/GNOME/nautilus/issues/987
 CVE-2019-11460 (An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 
3.30 pr ...)
-   TODO: check
+   - gnome-desktop3 
+   [stretch] - gnome-desktop3  (Vulnerable embedded 
gnome-desktop thumbnail script introduced later)
+   [jessie] - gnome-desktop3  (Vulnerable embedded 
gnome-desktop thumbnail script introduced later)
+   NOTE: https://gitlab.gnome.org/GNOME/gnome-desktop/issues/112
 CVE-2019-11459 (The tiff_document_render() and tiff_document_get_thumbnail() 
functions ...)
TODO: check
 CVE-2013-7470 (cipso_v4_validate in include/net/cipso_ipv4.h in the Linux 
kernel befo ...)
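
Review bot: the [stretch] and [jessie] annotations reuse the wording of the nautilus entry in the context ("Vulnerable embedded gnome-desktop thumbnail script introduced later"), but the nautilus commit a23c6a2b on this page says it still has to be checked whether that script is used in buster and above, so the same open question applies to this gnome-desktop3 entry, whose unstable line is also left without a fixed version or bug reference.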



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/bae6e217d8d0e5e32e398c260c9ccb45e252dd4f


[Git][security-tracker-team/security-tracker][master] Reserve DLA-1761-1 for ghostscript

2019-04-23 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2be8de89 by Sylvain Beucler at 2019-04-23T11:46:46Z
Reserve DLA-1761-1 for ghostscript

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[23 Apr 2019] DLA-1761-1 ghostscript - security update
+   {CVE-2019-3835 CVE-2019-3838}
+   [jessie] - ghostscript 9.26a~dfsg-0+deb8u2
 [22 Apr 2019] DLA-1760-1 wget - security update
{CVE-2019-5953}
[jessie] - wget 1.16-1+deb8u6


=
data/dla-needed.txt
=
@@ -35,10 +35,6 @@ faad2 (Hugo Lefeuvre)
   NOTE: need to check which other issues have been addressed by these fixes + 
one more
   NOTE: patch and we will be fit for upload.
 --
-ghostscript (Sylvain Beucler)
-  NOTE: 20190327: https://lists.debian.org/debian-lts/2019/03/msg00122.html
-  NOTE: 20190409: will backport 9.27 following stable-security (cf. 
dsa-needed.txt)
---
 gpac (Thorsten Alteholz)
 --
 gradle
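
Review bot: the removed dla-needed note said the plan was to backport 9.27 following stable-security, while the reserved DLA records jessie as fixed in 9.26a~dfsg-0+deb8u2, i.e. a patched 9.26a rather than a 9.27 backport; the DLA text (and the entries for CVE-2019-3835 and CVE-2019-3838) should state which approach was taken so the version string can be matched against the fix that was actually applied.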



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2be8de89fe602e1b144492f1c9478fd299952235


[Git][security-tracker-team/security-tracker][master] Update status for CVE-2019-11461/nautilus

2019-04-23 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a23c6a2b by Salvatore Bonaccorso at 2019-04-23T11:28:27Z
Update status for CVE-2019-11461/nautilus

To be checked if it is used in buster and above actually.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -18,6 +18,8 @@ CVE-2019-11462
RESERVED
 CVE-2019-11461 (An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 
and 3.3 ...)
- nautilus 
+   [stretch] - nautilus  (Vulnerable embedded gnome-desktop 
thumbnail script introduced later)
+   [jessie] - nautilus  (Vulnerable embedded gnome-desktop 
thumbnail script introduced later)
NOTE: https://gitlab.gnome.org/GNOME/nautilus/issues/987
 CVE-2019-11460 (An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 
3.30 pr ...)
TODO: check
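
Review bot: the commit message records that it still needs to be checked whether the embedded gnome-desktop thumbnail script is actually used in buster and above, but that caveat does not reach the file: the unstable line has no fixed version, no bug reference and no NOTE about the open question, so a NOTE line stating what was checked and what remains would keep the triage state in data/CVE/list rather than only in the git log.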



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a23c6a2bef36def825e2021fea48067bf1d66c76


[Git][security-tracker-team/security-tracker][master] NFUs

2019-04-23 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1f9df40e by Moritz Muehlenhoff at 2019-04-23T11:26:03Z
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -80345,6 +80345,7 @@ CVE-2018-1329
REJECTED
 CVE-2018-1328
RESERVED
+   NOT-FOR-US: Apache Zeppelin
 CVE-2018-1327 (The Apache Struts REST Plugin is using XStream library which is 
vulner ...)
- libstruts1.2-java  (Specific to 2.x)
NOTE: https://cwiki.apache.org/confluence/display/WW/S2-056
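
Review bot: the added `NOT-FOR-US: Apache Zeppelin` line for CVE-2018-1328 (and the two identical lines for CVE-2018-1317 and CVE-2017-12619 later in this commit) carries no reference for where the Zeppelin attribution comes from; a `NOTE:` with the upstream advisory or release announcement that assigned the CVE would let the NFU decision be re-checked if a Zeppelin package ever enters the archive.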
@@ -80383,6 +80384,7 @@ CVE-2018-1318 (Adding method ACLs in remap.config can 
cause a segfault when the
NOTE: 
https://github.com/apache/trafficserver/commit/e6dfda305acf85250861ecfa14a7bd6bb2fad5c3
 CVE-2018-1317
RESERVED
+   NOT-FOR-US: Apache Zeppelin
 CVE-2018-1316 (The ODE process deployment web service was sensible to 
deployment mess ...)
NOT-FOR-US: Apache ODE
 CVE-2018-1315 (In Apache Hive 2.1.0 to 2.3.2, when 'COPY FROM FTP' statement 
is run u ...)
@@ -98407,6 +98409,7 @@ CVE-2017-12620 (When loading models or dictionaries 
that contain XML it is possi
NOT-FOR-US: Apache OpenNLP
 CVE-2017-12619
RESERVED
+   NOT-FOR-US: Apache Zeppelin
 CVE-2017-12618 (Apache Portable Runtime Utility (APR-util) 1.6.0 and prior 
fail to val ...)
{DLA-1163-1}
- apr-util 1.6.1-1 (low; bug #879996)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/1f9df40e616020879e7df5f21672f2a49c4b5cae


[Git][security-tracker-team/security-tracker][master] ncurses/CVE-2018-19217: already fixed

2019-04-23 Thread Sylvain Beucler


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a7b3b7ba by Sylvain Beucler at 2019-04-23T09:31:12Z
ncurses/CVE-2018-19217: already fixed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -30957,10 +30957,11 @@ CVE-2018-19218 (In LibSass 3.5-stable, there is an 
illegal address access at Sas
- libsass 
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1643758
 CVE-2018-19217 (** DISPUTED ** In ncurses, possibly a 6.x version, there is a 
NULL poi ...)
-   - ncurses  (unimportant)
+   - ncurses 6.0+20170701-1
+   [stretch] - ncurses 6.0+20161126-1+deb9u1
+   [jessie] - ncurses 5.9+20140913-1+deb8u1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1643753
-   NOTE: not reproduced, no reporter feedback, upstream considers invalid, 
minor potential severity (local DoS)
-   NOTE: 
https://lists.gnu.org/archive/html/bug-ncurses/2019-04/msg7.html
+   NOTE: 
https://lists.gnu.org/archive/html/bug-ncurses/2019-04/msg00020.html
 CVE-2018-19216 (Netwide Assembler (NASM) before 2.13.02 has a use-after-free 
in detoke ...)
- nasm 2.13.02-0.1
[stretch] - nasm  (Minor issue)
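
Review bot: the removed `NOTE:` was the only record of why this DISPUTED issue had been rated unimportant, and the new fixed versions (including the `+deb9u1` and `+deb8u1` stable uploads) come without a `{DSA/DLA}` reference or a note saying which ncurses change resolves the NULL pointer dereference, so a reader cannot tell whether those uploads targeted this CVE or fixed it incidentally. Suggest keeping a one-line `NOTE:` naming the upstream patch level or commit that fixes it, and adding the advisory ids if the stable uploads were security updates. The corrected list URL (`msg00020.html` instead of `msg7.html`) looks right.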



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a7b3b7ba6683dbcd1ff817e90f5a91d9161df450


[Git][security-tracker-team/security-tracker][master] Add CVE-2013-7470/linux

2019-04-23 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
473e11a2 by Salvatore Bonaccorso at 2019-04-23T09:18:08Z
Add CVE-2013-7470/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -24,7 +24,8 @@ CVE-2019-11460 (An issue was discovered in GNOME 
gnome-desktop 3.26, 3.28, and 3
 CVE-2019-11459 (The tiff_document_render() and tiff_document_get_thumbnail() 
functions ...)
TODO: check
 CVE-2013-7470 (cipso_v4_validate in include/net/cipso_ipv4.h in the Linux 
kernel befo ...)
-   TODO: check
+   - linux 3.11.7-1
+   NOTE: Fixed by: 
https://git.kernel.org/linus/f2e5ddcc0d12f9c4c7b254358ad245c9dddce13b
 CVE-2019-11458
RESERVED
 CVE-2019-11457



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/473e11a22f87516fd527485d6bcbd685b5c503c8


[Git][security-tracker-team/security-tracker][master] Add CVE-2019-11461/nautilus

2019-04-23 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
62b107c4 by Salvatore Bonaccorso at 2019-04-23T09:15:05Z
Add CVE-2019-11461/nautilus

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17,7 +17,8 @@ CVE-2019-11463 (A memory leak in 
archive_read_format_zip_cleanup in archive_read
 CVE-2019-11462
RESERVED
 CVE-2019-11461 (An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 
and 3.3 ...)
-   TODO: check
+   - nautilus 
+   NOTE: https://gitlab.gnome.org/GNOME/nautilus/issues/987
 CVE-2019-11460 (An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 
3.30 pr ...)
TODO: check
 CVE-2019-11459 (The tiff_document_render() and tiff_document_get_thumbnail() 
functions ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/62b107c47368209ce616e74a47183fe596df0ab7


[Git][security-tracker-team/security-tracker][master] 2 commits: Add note for CVE-2019-5428/jquery

2019-04-23 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a5d5d0e4 by Salvatore Bonaccorso at 2019-04-23T09:13:55Z
Add note for CVE-2019-5428/jquery

Already in contact with MITRE CNA to resolve the issue. This seems to be
a duplicate of CVE-2019-11358 but maybe there is a scrict CNA rules
reasoning for the two CVEs.

As such we might then just track the fixed versions for src:jquery
accordingly.

- - - - -
e25e1b30 by Salvatore Bonaccorso at 2019-04-23T09:13:55Z
Wrap note

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5178,7 +5178,8 @@ CVE-2019-9619 [not enabled pam_systemd for 
non-interactive sessions]
[jessie] - systemd  (Too intrusive change for a stable release)
NOTE: https://bugs.launchpad.net/bugs/1812316
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1756
-   NOTE: for a stable release, activating pam_systemd for non-interactive 
sessions will likely have all sorts of unexpected/unwanted side-effects, so CAVE
+   NOTE: For a stable release, activating pam_systemd for non-interactive 
sessions will
+   NOTE: likely have all sorts of unexpected/unwanted side-effects.
 CVE-2019-9618
RESERVED
 CVE-2019-9617 (An issue was discovered in OFCMS before 1.1.3. Remote attackers 
can ex ...)
@@ -15459,7 +15460,8 @@ CVE-2019-5430
 CVE-2019-5429
RESERVED
 CVE-2019-5428 (A prototype pollution vulnerability exists in jQuery versions 
 3.4 ...)
-   TODO: check
+   NOTE: Duplicate of CVE-2019-11358   
+   TODO: check (MITRE already contacted)
 CVE-2019-5427 (c3p0 version  0.9.5.4 may be exploited by a billion laughs 
attack  ...)
TODO: check
 CVE-2019-5426 (In Ubiquiti Networks EdgeSwitch X v1.1.0 and prior, an 
unauthenticated ...)
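
Review bot: `NOTE: Duplicate of CVE-2019-11358` states the duplication as fact, while the commit message only says it "seems to be" a duplicate and that MITRE has been contacted; suggest `NOTE: Possibly a duplicate of CVE-2019-11358 (MITRE CNA contacted)` until the CNA answers, so the fixed versions for src:jquery are not copied across on an unconfirmed assumption. The added line also carries trailing whitespace that should be dropped.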



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/ea484be4170b36da89bec294a5d2c1b299560535...e25e1b30ca7ce81c09878a9d21223bdc3707053a


[Git][security-tracker-team/security-tracker][master] libarchive n/a

2019-04-23 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ea484be4 by Moritz Muehlenhoff at 2019-04-23T09:07:31Z
libarchive n/a

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -11,7 +11,9 @@ CVE-2019-11465
 CVE-2019-11464
RESERVED
 CVE-2019-11463 (A memory leak in archive_read_format_zip_cleanup in 
archive_read_suppo ...)
-   TODO: check
+   - libarchive  (Vulnerable code not present)
+   NOTE: Introduced in 
https://github.com/libarchive/libarchive/commit/121035c83e18b70d3128e9ac966109ebedb7e516
+   NOTE: Fix: 
https://github.com/libarchive/libarchive/commit/ba641f73f3d758d9032b3f0e5597a9c6e593a505
 CVE-2019-11462
RESERVED
 CVE-2019-11461 (An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 
and 3.3 ...)
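
Review bot: `(Vulnerable code not present)` is only verifiable if the reader knows which libarchive release first shipped the introducing commit; suggest extending the `NOTE: Introduced in` line with the upstream version that first contains commit 121035c8 (for example `NOTE: Introduced in <upstream version> by <commit URL>`), so the not-affected status can be revisited when the Debian package moves past that version rather than silently staying marked not-affected.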



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ea484be4170b36da89bec294a5d2c1b299560535


[Git][security-tracker-team/security-tracker][master] data/CVE/list: Update metadata on currently open systemd issues.

2019-04-23 Thread Mike Gabriel


Mike Gabriel pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a2a94b11 by Mike Gabriel at 2019-04-23T08:54:06Z
data/CVE/list: Update metadata on currently open systemd issues.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5173,8 +5173,10 @@ CVE-2019-9619 [not enabled pam_systemd for 
non-interactive sessions]
- systemd 
[buster] - systemd  (Too intrusive change for a stable release)
[stretch] - systemd  (Too intrusive change for a stable 
release)
+   [jessie] - systemd  (Too intrusive change for a stable release)
NOTE: https://bugs.launchpad.net/bugs/1812316
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1756
+   NOTE: for a stable release, activating pam_systemd for non-interactive 
sessions will likely have all sorts of unexpected/unwanted side-effects, so CAVE
 CVE-2019-9618
RESERVED
 CVE-2019-9617 (An issue was discovered in OFCMS before 1.1.3. Remote attackers 
can ex ...)
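
Review bot: the new `NOTE:` line ends in `so CAVE`, which is ambiguous, and the unwrapped text is hard to read in the list; suggest wrapping it over two `NOTE:` lines and spelling out what `CAVE` is meant to warn about, e.g. that the change should not be backported to a stable release. The added `[jessie]` line matches the existing `[buster]`/`[stretch]` wording, which is fine.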
@@ -36953,7 +36955,7 @@ CVE-2018-16889 (Ceph does not properly sanitize 
encryption keys in debug logging
 CVE-2018-16888 (It was discovered systemd does not correctly check the content 
of PIDF ...)
- systemd 237-1 (low)
[stretch] - systemd  (Minor issue, too intrusive to backport)
-   [jessie] - systemd  (low priority because this is inherently a 
bug in the PID file logic)
+   [jessie] - systemd  (low priority because this is inherently a 
bug in the PID file logic, too intrusive to backport)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1662867
NOTE: Upstream issue: https://github.com/systemd/systemd/issues/6632
NOTE: Upstream patches: https://github.com/systemd/systemd/pull/7816



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a2a94b119157e98368b79a2684764f4824db9369


[Git][security-tracker-team/security-tracker][master] Process NFUs

2019-04-23 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
59a81271 by Salvatore Bonaccorso at 2019-04-23T08:50:16Z
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,5 @@
 CVE-2019-11469 (Zoho ManageEngine Applications Manager 12 through 14 allows 
FaultTempl ...)
-   TODO: check
+   NOT-FOR-US: Zoho ManageEngine Applications Manager
 CVE-2019-11468
RESERVED
 CVE-2019-11467
@@ -181,9 +181,9 @@ CVE-2019-11386
 CVE-2019-11385
RESERVED
 CVE-2019-11384 (The Zalora application 6.15.1 for Android stores confidential 
informat ...)
-   TODO: check
+   NOT-FOR-US: Zalora application for Android
 CVE-2019-11383 (An issue was discovered in the Medha WiFi FTP Server 
application 1.8.3 ...)
-   TODO: check
+   NOT-FOR-US: Medha WiFi FTP Server application for Android
 CVE-2019-11382
RESERVED
 CVE-2019-11381
@@ -3491,7 +3491,7 @@ CVE-2019-9956 (In ImageMagick 7.0.8-35 Q16, there is a 
stack-based buffer overfl
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/34a6a5a45e83a4af852090b4e43f168a380df979
NOTE: ImageMagick6: 
https://github.com/ImageMagick/ImageMagick6/commit/90401e430840c5ff31ad870f4370bbda1318ac94
 CVE-2019-9955 (On Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, 
USG40W, ...)
-   TODO: check
+   NOT-FOR-US: Zyxel
 CVE-2019-9954
RESERVED
 CVE-2019-9953
@@ -8033,7 +8033,7 @@ CVE-2019-8454
 CVE-2019-8453 (Some of the DLLs loaded by Check Point ZoneAlarm up to 15.4.062 
are ta ...)
NOT-FOR-US: Check Point ZoneAlarm
 CVE-2019-8452 (A hard-link created from log file archive of Check Point 
ZoneAlarm up  ...)
-   TODO: check
+   NOT-FOR-US: Check Point ZoneAlarm
 CVE-2019-8451
RESERVED
 CVE-2019-8450



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/59a812711bb2d5649d0e1f068929c98b9f787c12


[Git][security-tracker-team/security-tracker][master] Add projectzero issue references for CVE-2019-{3842,9619}/systemd

2019-04-23 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
09bfb4b6 by Salvatore Bonaccorso at 2019-04-23T08:26:02Z
Add projectzero issue references for CVE-2019-{3842,9619}/systemd

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5174,6 +5174,7 @@ CVE-2019-9619 [not enabled pam_systemd for 
non-interactive sessions]
[buster] - systemd  (Too intrusive change for a stable release)
[stretch] - systemd  (Too intrusive change for a stable 
release)
NOTE: https://bugs.launchpad.net/bugs/1812316
+   NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1756
 CVE-2019-9618
RESERVED
 CVE-2019-9617 (An issue was discovered in OFCMS before 1.1.3. Remote attackers 
can ex ...)
@@ -18775,6 +18776,7 @@ CVE-2019-3843
 CVE-2019-3842 (In systemd before v242-rc4, it was discovered that pam_systemd 
does no ...)
{DSA-4428-1}
- systemd 241-3
+   NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1756
NOTE: https://bugs.launchpad.net/bugs/1812316
NOTE: 
https://github.com/systemd/systemd/commit/83d4ab55336ff8a0643c6aa627b31e351a24040a
 CVE-2019-3841 (Kubevirt/virt-cdi-importer, versions 1.4.0 to 1.5.3 inclusive, 
were re ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/09bfb4b649717174817706c0e59455883c1c47c5


[Git][security-tracker-team/security-tracker][master] automatic update

2019-04-23 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d20b38ca by security tracker role at 2019-04-23T08:10:15Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,27 @@
+CVE-2019-11469 (Zoho ManageEngine Applications Manager 12 through 14 allows 
FaultTempl ...)
+   TODO: check
+CVE-2019-11468
+   RESERVED
+CVE-2019-11467
+   RESERVED
+CVE-2019-11466
+   RESERVED
+CVE-2019-11465
+   RESERVED
+CVE-2019-11464
+   RESERVED
+CVE-2019-11463 (A memory leak in archive_read_format_zip_cleanup in 
archive_read_suppo ...)
+   TODO: check
+CVE-2019-11462
+   RESERVED
+CVE-2019-11461 (An issue was discovered in GNOME Nautilus 3.30 prior to 3.30.6 
and 3.3 ...)
+   TODO: check
+CVE-2019-11460 (An issue was discovered in GNOME gnome-desktop 3.26, 3.28, and 
3.30 pr ...)
+   TODO: check
+CVE-2019-11459 (The tiff_document_render() and tiff_document_get_thumbnail() 
functions ...)
+   TODO: check
+CVE-2013-7470 (cipso_v4_validate in include/net/cipso_ipv4.h in the Linux 
kernel befo ...)
+   TODO: check
 CVE-2019-11458
RESERVED
 CVE-2019-11457
@@ -156,10 +180,10 @@ CVE-2019-11386
RESERVED
 CVE-2019-11385
RESERVED
-CVE-2019-11384
-   RESERVED
-CVE-2019-11383
-   RESERVED
+CVE-2019-11384 (The Zalora application 6.15.1 for Android stores confidential 
informat ...)
+   TODO: check
+CVE-2019-11383 (An issue was discovered in the Medha WiFi FTP Server 
application 1.8.3 ...)
+   TODO: check
 CVE-2019-11382
RESERVED
 CVE-2019-11381
@@ -2820,12 +2844,12 @@ CVE-2019-1003040 (A sandbox bypass vulnerability in 
Jenkins Script Security Plug
NOT-FOR-US: Jenkins plugin
 CVE-2019-10249
RESERVED
-CVE-2019-10248
-   RESERVED
-CVE-2019-10247
-   RESERVED
-CVE-2019-10246
-   RESERVED
+CVE-2019-10248 (Eclipse Vorto versions prior to 0.11 resolved Maven build 
artifacts fo ...)
+   TODO: check
+CVE-2019-10247 (In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 
and older, ...)
+   TODO: check
+CVE-2019-10246 (In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the 
server runnin ...)
+   TODO: check
 CVE-2019-10245 (In Eclipse OpenJ9 prior to the 0.14.0 release, the Java 
bytecode verif ...)
NOT-FOR-US: Eclipse OpenJ9
 CVE-2019-10244 (In Eclipse Kura versions up to 4.0.0, the Web UI package and 
component ...)
@@ -2834,8 +2858,8 @@ CVE-2019-10243 (In Eclipse Kura versions up to 4.0.0, 
Kura exposes the underlyin
NOT-FOR-US: Eclipse Kura
 CVE-2019-10242 (In Eclipse Kura versions up to 4.0.0, the SkinServlet did not 
checked  ...)
NOT-FOR-US: Eclipse Kura
-CVE-2019-10241
-   RESERVED
+CVE-2019-10241 (In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, 
and 9.4.1 ...)
+   TODO: check
 CVE-2019-10240 (Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build 
artifac ...)
NOT-FOR-US: Eclipse hawkBit
 CVE-2017-18365 (The Management Console in GitHub Enterprise 2.8.x before 2.8.7 
has a d ...)
@@ -3466,8 +3490,8 @@ CVE-2019-9956 (In ImageMagick 7.0.8-35 Q16, there is a 
stack-based buffer overfl
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1523
NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/34a6a5a45e83a4af852090b4e43f168a380df979
NOTE: ImageMagick6: 
https://github.com/ImageMagick/ImageMagick6/commit/90401e430840c5ff31ad870f4370bbda1318ac94
-CVE-2019-9955
-   RESERVED
+CVE-2019-9955 (On Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, 
USG40W, ...)
+   TODO: check
 CVE-2019-9954
RESERVED
 CVE-2019-9953
@@ -8007,8 +8031,8 @@ CVE-2019-8454
RESERVED
 CVE-2019-8453 (Some of the DLLs loaded by Check Point ZoneAlarm up to 15.4.062 
are ta ...)
NOT-FOR-US: Check Point ZoneAlarm
-CVE-2019-8452
-   RESERVED
+CVE-2019-8452 (A hard-link created from log file archive of Check Point 
ZoneAlarm up  ...)
+   TODO: check
 CVE-2019-8451
RESERVED
 CVE-2019-8450
@@ -14123,7 +14147,7 @@ CVE-2019-5954
RESERVED
 CVE-2019-5953 [Buffer overflow vulnerability]
RESERVED
-   {DSA-4425-1}
+   {DSA-4425-1 DLA-1760-1}
- wget 1.20.1-1.1 (bug #926389)
NOTE: https://jvn.jp/en/jp/JVN25261088/
NOTE: https://lists.gnu.org/archive/html/bug-wget/2019-04/msg1.html
@@ -15429,10 +15453,10 @@ CVE-2019-5430
RESERVED
 CVE-2019-5429
RESERVED
-CVE-2019-5428
-   RESERVED
-CVE-2019-5427
-   RESERVED
+CVE-2019-5428 (A prototype pollution vulnerability exists in jQuery versions 
 3.4 ...)
+   TODO: check
+CVE-2019-5427 (c3p0 version  0.9.5.4 may be exploited by a billion laughs 
attack  ...)
+   TODO: check
 CVE-2019-5426 (In Ubiquiti Networks EdgeSwitch X v1.1.0 and prior, an 
unauthenticated ...)
NOT-FOR-US: Ubiquiti
 CVE-2019-5425 

[Git][security-tracker-team/security-tracker][master] Mark CVE-2019-11445 as NFU

2019-04-23 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
934d1071 by Salvatore Bonaccorso at 2019-04-23T07:45:16Z
Mark CVE-2019-11445 as NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -28,7 +28,7 @@ CVE-2019-11447 (An issue was discovered in CutePHP CuteNews 
2.1.2. An attacker c
 CVE-2019-11446 (An issue was discovered in ATutor through 2.2.4. It allows the 
user to ...)
NOT-FOR-US: ATutor
 CVE-2019-11445 (OpenKM 6.3.2 through 6.3.7 allows an attacker to upload a 
malicious JS ...)
-   TODO: check
+   NOT-FOR-US: OpenKM
 CVE-2019-11444 (An issue was discovered in Liferay Portal CE 7.1.2 GA3. An 
attacker ca ...)
NOT-FOR-US: Liferay Portal CE
 CVE-2019-11443



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/934d1071ade09e6f1611a9801809b9c3be4843fd
