[Git][security-tracker-team/security-tracker][master] Track source package for CVE-2019-17402/exiv2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a46e4580 by Salvatore Bonaccorso at 2019-11-27T07:01:19Z Track source package for CVE-2019-17402/exiv2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7851,6 +7851,11 @@ CVE-2019-17404 (Nokia IMPACT 18A: allows full path disclosure ...) CVE-2019-17403 (Nokia IMPACT 18A: An unrestricted File Upload vulnerability was f ...) NOT-FOR-US: Nokia CVE-2019-17402 (Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getULong in ...) + - exiv2 + NOTE: https://github.com/Exiv2/exiv2/issues/1019 + NOTE: https://github.com/Exiv2/exiv2/commit/88054239e3c914862d13f6ac89a19a104fa2c076 (master) + NOTE: https://github.com/Exiv2/exiv2/commit/50e9dd964a439da357798344ed1dd86edcadf0ec (0.27-branch) + NOTE: Follow-up: https://github.com/Exiv2/exiv2/issues/1026 TODO: check CVE-2019-17401 (** DISPUTED ** libyal liblnk 20191006 has a heap-based buffer over-rea ...) - liblnk (low) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a46e458064b72980c3f34cdfcd1292bc6bb450f4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a46e458064b72980c3f34cdfcd1292bc6bb450f4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
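Review bot: the `TODO: check` line that follows the five added lines is unchanged context belonging to CVE-2019-17402 (the hunk grows from 6 to 11 lines, so nothing was removed), which leaves the entry with both a `- exiv2` package line and a stale TODO marker; drop `TODO: check` in the same change. The new `- exiv2` line also gives no fixed version although both the master and 0.27-branch fix commits are referenced in the NOTEs, so a reader cannot tell whether the unfixed state is intentional; add the fixed Debian version once uploaded, or a NOTE saying the fix is not yet in any Debian upload.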
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2019-14869/ghostscript
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a05c348 by Salvatore Bonaccorso at 2019-11-27T06:36:22Z Add fixed version for CVE-2019-14869/ghostscript - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14999,7 +14999,7 @@ CVE-2019-14870 RESERVED CVE-2019-14869 (A flaw was found in all versions of ghostscript 9.x before 9.50, where ...) {DSA-4569-1 DLA-1992-1} - - ghostscript (bug #944760) + - ghostscript 9.50~dfsg-3 (bug #944760) NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904772c5f0aa1140032746e5a0abfc40f4cef NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701841 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1768911 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4a05c3482e1c491c871f0b275c130ac09182adbb
[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2019-14824/389-ds-base
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8237a7ec by Salvatore Bonaccorso at 2019-11-27T06:34:54Z Add fixed version via unstable for CVE-2019-14824/389-ds-base - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15194,7 +15194,7 @@ CVE-2019-14825 (A cleartext password storage issue was discovered in Katello, ve NOT-FOR-US: Katello CVE-2019-14824 (A flaw was found in the 'deref' plugin of 389-ds-base where it could u ...) {DLA-2004-1} - - 389-ds-base (bug #944150) + - 389-ds-base 1.4.2.4-1 (bug #944150) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1747448 NOTE: https://pagure.io/freeipa/issue/8050 CVE-2019-14823 (A flaw was found in the "Leaf and Chain" OCSP policy implementation in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8237a7ecdd0396f440af48db20f3d177e079e810
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2012-1 for libvpx
Dylan Aïssi pushed to branch master at Debian Security Tracker / security-tracker Commits: 4af6eda8 by Dylan Aïssi at 2019-11-26T21:44:38Z Reserve DLA-2012-1 for libvpx - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[26 Nov 2019] DLA-2012-1 libvpx - security update + {CVE-2019-9232 CVE-2019-9433} + [jessie] - libvpx 1.3.0-3+deb8u2 [26 Nov 2019] DLA-2011-1 xmlrpc-epi - security update {CVE-2016-6296} [jessie] - xmlrpc-epi 0.54.2-1.1+deb8u1 = data/dla-needed.txt = @@ -73,9 +73,6 @@ libmatio (Adrian Bunk) libonig (Sylvain Beucler) 20191122: 2 new CVEs piled-up -- -libvpx (Dylan Aïssi) - NOTE: 20191125: WIP. (daissi) --- linux (Ben Hutchings) -- linux-4.9 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4af6eda8dad1ab557c97d4ea8fd4fef164712b95
[Git][security-tracker-team/security-tracker][master] 2 commits: the time for an upload has come
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: ac46afd9 by Thorsten Alteholz at 2019-11-26T21:30:26Z the time for an upload has come - - - - - 953083da by Thorsten Alteholz at 2019-11-26T21:30:52Z Reserve DLA-2011-1 for xmlrpc-epi - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -173818,7 +173818,6 @@ CVE-2016-6296 (Integer signedness error in the simplestring_addn function in sim NOTE: http://git.php.net/?p=php-src.git;a=commit;h=e6c48213c22ed50b2b987b479fcc1ac709394caa NOTE: Fixed in 7.0.9, 5.6.24, 5.5.38 - xmlrpc-epi 0.54.2-1.2 (bug #832959) - [jessie] - xmlrpc-epi (Can be fixed via point release, nothing depending on it in stable) NOTE: In stretch/sid php7.0 is using the system library not the embedded one. CVE-2016-6295 (ext/snmp/snmp.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x bef ...) {DSA-3631-1 DLA-628-1} = data/DLA/list = @@ -1,3 +1,6 @@ +[26 Nov 2019] DLA-2011-1 xmlrpc-epi - security update + {CVE-2016-6296} + [jessie] - xmlrpc-epi 0.54.2-1.1+deb8u1 [26 Nov 2019] DLA-2010-1 bsdiff - security update {CVE-2014-9862} [jessie] - bsdiff 4.3-15+deb8u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/c0f8eb03ce4bfdc25a88e452a0c16c4490c745da...953083dabea317f5a6249e8b832100a239a39df6
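Review bot: in the data/CVE/list hunk the `[jessie] - xmlrpc-epi (Can be fixed via point release, ...)` line is removed, but the CVE-2016-6296 entry gets no `{DLA-2011-1}` reference, whereas the neighbouring CVE-2016-6295 context line shows the expected `{DSA-3631-1 DLA-628-1}` form; add the reference to the entry, or state that it is filled in when the DLA is published, so the jessie fix recorded in data/DLA/list (0.54.2-1.1+deb8u1) is linked to the CVE. The first commit's title (`the time for an upload has come`) also does not name the package, unlike the second commit's.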
[Git][security-tracker-team/security-tracker][master] 2 commits: the time for an upload has come
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 6229cfb6 by Thorsten Alteholz at 2019-11-26T21:26:19Z the time for an upload has come - - - - - c0f8eb03 by Thorsten Alteholz at 2019-11-26T21:26:57Z Reserve DLA-2010-1 for bsdiff - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -176967,7 +176967,6 @@ CVE-2016-5339 CVE-2014-9862 (Integer signedness error in bspatch.c in bspatch in bsdiff, as used in ...) {DLA-697-1} - bsdiff 4.3-17 - [jessie] - bsdiff (Minor issue; can be fixed via point release) NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=372525 CVE-2016-5361 (programs/pluto/ikev1.c in libreswan before 3.17 retransmits in initial ...) - libreswan (Fixed before initial upload to Debian) = data/DLA/list = @@ -1,3 +1,6 @@ +[26 Nov 2019] DLA-2010-1 bsdiff - security update + {CVE-2014-9862} + [jessie] - bsdiff 4.3-15+deb8u1 [26 Nov 2019] DLA-2009-1 tiff - security update {CVE-2017-17095 CVE-2018-12900 CVE-2018-18661 CVE-2019-6128 CVE-2019-17546} [jessie] - tiff 4.0.3-12.3+deb8u10 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/ef9c6552915fb1d6d6507b3c898d0c7907c04786...c0f8eb03ce4bfdc25a88e452a0c16c4490c745da
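Review bot: the data/CVE/list hunk removes the `[jessie] - bsdiff (Minor issue; can be fixed via point release)` line but leaves the reference line at `{DLA-697-1}` only, so DLA-2010-1, which the data/DLA/list hunk reserves for exactly this CVE, is not recorded on the CVE-2014-9862 entry; extend the braces to `{DLA-697-1 DLA-2010-1}` or note where that link is made.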
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2009-1 for tiff
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: ef9c6552 by Thorsten Alteholz at 2019-11-26T21:21:56Z Reserve DLA-2009-1 for tiff - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[26 Nov 2019] DLA-2009-1 tiff - security update + {CVE-2017-17095 CVE-2018-12900 CVE-2018-18661 CVE-2019-6128 CVE-2019-17546} + [jessie] - tiff 4.0.3-12.3+deb8u10 [25 Nov 2019] DLA-2008-1 nss - security update {CVE-2019-11745} [jessie] - nss 2:3.26-1+debu8u7 = data/dla-needed.txt = @@ -118,9 +118,6 @@ slurm-llnl (Abhijith PA) -- squid3 (Markus Koschany) -- -tiff (Thorsten Alteholz) - NOTE: 20191020: Time to fix the postponed CVE as well? (apo) --- tightvnc (Mike Gabriel) NOTE: 20191030: has open issues on its own and NOTE: 20191030: contains non-security-maintained code from libvncserver (sunweaver) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ef9c6552915fb1d6d6507b3c898d0c7907c04786
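Review bot: the unchanged context line for DLA-2008-1 in data/DLA/list reads `[jessie] - nss 2:3.26-1+debu8u7`; `+debu8u7` looks like a typo for the `+deb8u7` revision suffix (compare the `+deb8u10` on the new tiff line), and a version string that does not match the uploaded package would make the tracker's comparison for nss in jessie wrong. Not part of this change, but worth a follow-up fix.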
[Git][security-tracker-team/security-tracker][master] Reference upstream commit for CVE-2019-10195/freeipa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2701b323 by Salvatore Bonaccorso at 2019-11-26T21:05:03Z Reference upstream commit for CVE-2019-10195/freeipa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29329,6 +29329,7 @@ CVE-2019-10196 CVE-2019-10195 RESERVED - freeipa 4.8.3-1 + NOTE: https://pagure.io/freeipa/c/02ce407f5e10e670d4788778037892b58f80adc0 CVE-2019-10194 (Sensitive passwords used in deployment and configuration of oVirt Metr ...) NOT-FOR-US: ovirt-engine-metrics CVE-2019-10193 (A stack-buffer overflow vulnerability was found in the Redis hyperlogl ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2701b32348c21d37a0f1d3688e6ed5adde3538a4
[Git][security-tracker-team/security-tracker][master] Reference upstream commit for CVE-2019-14867/freeipa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ea31fa76 by Salvatore Bonaccorso at 2019-11-26T21:02:00Z Reference upstream commit for CVE-2019-14867/freeipa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15011,6 +15011,7 @@ CVE-2019-14868 CVE-2019-14867 RESERVED - freeipa 4.8.3-1 + NOTE: https://pagure.io/freeipa/c/4abd2f76d76c4c1a1ec5087ec447f4515b63c2c6 CVE-2019-14866 [improper input validation when writing tar header fields leads to unexpect tar generation] RESERVED {DLA-1981-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ea31fa76784e97abd33c28c83af51efc66d3d9c8
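Review bot: CVE-2019-14867 remains a bare `RESERVED` entry, while the neighbouring CVE-2019-14866 context line shows the `[short description]` form the file uses for reserved IDs whose details are known. Now that the upstream fix commit is public and referenced in the new NOTE, a bracketed one-line summary taken from that commit would make the entry searchable; the same applies to the CVE-2019-10195 entry handled in the sibling commit.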
[Git][security-tracker-team/security-tracker][master] Track two new freeipa issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f0a195bb by Salvatore Bonaccorso at 2019-11-26T20:56:22Z Track two new freeipa issues Unfortunately the respective Red Hat Bugzilla entries are kept private at https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14867 and https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10195 but for the fixed version via unstable trusting here the maintainer to have got it right. Thus start tracking those two new CVEs and search for details. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15010,6 +15010,7 @@ CVE-2019-14868 RESERVED CVE-2019-14867 RESERVED + - freeipa 4.8.3-1 CVE-2019-14866 [improper input validation when writing tar header fields leads to unexpect tar generation] RESERVED {DLA-1981-1} @@ -29326,6 +29327,7 @@ CVE-2019-10196 NOT-FOR-US: nodejs-http-proxy-agent CVE-2019-10195 RESERVED + - freeipa 4.8.3-1 CVE-2019-10194 (Sensitive passwords used in deployment and configuration of oVirt Metr ...) NOT-FOR-US: ovirt-engine-metrics CVE-2019-10193 (A stack-buffer overflow vulnerability was found in the Redis hyperlogl ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f0a195bb7425c80a29a7044db3feaf485a9959d1
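Review bot: both hunks add `- freeipa 4.8.3-1` under a bare `RESERVED` entry with no NOTE, so the data file itself gives no hint where the fixed version comes from; since the commit message says the Red Hat Bugzilla entries are private and the version is taken on trust from the maintainer, add a NOTE pointing at the source used (for example the freeipa 4.8.3-1 changelog entry) so a later reader can re-check it without digging through the commit history.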
[Git][security-tracker-team/security-tracker][master] Track assigned CVE for CVE-2019-14842/libnbd (#942215)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 456bed6c by Salvatore Bonaccorso at 2019-11-26T20:43:18Z Track assigned CVE for CVE-2019-14842/libnbd (#942215) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7837,7 +7837,7 @@ CVE-2019-17408 (parserIfLabel in inc/zzz_template.php in ZZZCMS zzzphp 1.7.3 all NOT-FOR-US: ZZZCMS CVE-2019-17407 RESERVED -CVE-2019- [Remote code execution vulnerability] +CVE-2019-14842 [Remote code execution vulnerability] - libnbd 1.0.3-1 (bug #942215) NOTE: https://www.redhat.com/archives/libguestfs/2019-October/msg00060.html NOTE: https://github.com/libguestfs/libnbd/commit/f75f602a6361c0c5f42debfeea6980f698ce7f09 (1.1.4) @@ -15145,8 +15145,6 @@ CVE-2019-14844 (A flaw was found in, Fedora versions of krb5 from 1.16.1 to, inc CVE-2019-14843 RESERVED - wildfly (bug #752018) -CVE-2019-14842 (Structured reply is a feature of the newstyle NBD protocol allowing th ...) - TODO: check CVE-2019-14841 RESERVED CVE-2019-14840 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/456bed6c2c3158f180631df5f0bb675e5179b955
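Review bot: the second hunk deletes the CVE-2019-14842 entry together with its official description (`Structured reply is a feature of the newstyle NBD protocol allowing th ...`), while the first hunk keeps the provisional `[Remote code execution vulnerability]` text on the renamed entry; carry the official description over to the retained entry (unless the automatic update is known to restore it) so the file keeps the MITRE wording rather than the bracketed placeholder.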
[Git][security-tracker-team/security-tracker][master] Replace occurrences of NFU for Centreon web UI with the ITP entry
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f40503be by Salvatore Bonaccorso at 2019-11-26T20:38:14Z Replace occurrences of NFU for Centreon web UI with the ITP entry - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7536,7 +7536,7 @@ CVE-2019-17503 (An issue was discovered in Kirona Dynamic Resource Scheduling (D CVE-2019-17502 (Hydra through 0.1.8 has a NULL pointer dereference and daemon crash wh ...) NOT-FOR-US: Hydra (different from src:hydra) CVE-2019-17501 (Centreon 19.04 allows attackers to execute arbitrary OS commands via t ...) - NOT-FOR-US: Centreon web UI (not packaged in Debian) + - centreon-web (bug #913903) CVE-2019-17500 RESERVED CVE-2019-17499 (The setter.xml component of the Common Gateway Interface on Compal CH7 ...) 
@@ -8474,27 +8474,27 @@ CVE-2019-17109 (Koji through 1.18.0 allows remote Directory Traversal, with resu NOTE: https://docs.pagure.org/koji/CVE-2019-17109/ NOTE: https://pagure.io/koji/issue/1634 CVE-2019-17108 (Local file inclusion in brokerPerformance.php in Centreon Web before 2 ...) - NOT-FOR-US: Centreon web UI (not packaged in Debian) + - centreon-web (bug #913903) CVE-2019-17107 (minPlayCommand.php in Centreon Web before 2.8.27 allows authenticated ...) - NOT-FOR-US: Centreon web UI (not packaged in Debian) + - centreon-web (bug #913903) CVE-2019-17106 (In Centreon Web through 2.8.29, disclosure of external components' pas ...) - NOT-FOR-US: Centreon web UI (not packaged in Debian) + - centreon-web (bug #913903) CVE-2019-17105 (The token generator in index.php in Centreon Web before 2.8.27 is pred ...) - NOT-FOR-US: Centreon web UI (not packaged in Debian) + - centreon-web (bug #913903) CVE-2019-17104 (In Centreon VM through 19.04.3, the cookie configuration within the Ap ...) - NOT-FOR-US: Centreon web UI (not packaged in Debian) + - centreon-web (bug #913903) CVE-2018-21025 (In Centreon VM through 19.04.3, centreon-backup.pl allows attackers to ...) - NOT-FOR-US: Centreon web UI (not packaged in Debian) + - centreon-web (bug #913903) CVE-2018-21024 (licenseUpload.php in Centreon Web before 2.8.27 allows attackers to up ...) - NOT-FOR-US: Centreon web UI (not packaged in Debian) + - centreon-web (bug #913903) CVE-2018-21023 (getStats.php in Centreon Web before 2.8.28 allows authenticated attack ...) - NOT-FOR-US: Centreon web UI (not packaged in Debian) + - centreon-web (bug #913903) CVE-2018-21022 (makeXML_ListServices.php in Centreon Web before 2.8.28 allows attacker ...) - NOT-FOR-US: Centreon web UI (not packaged in Debian) + - centreon-web (bug #913903) CVE-2018-21021 (img_gantt.php in Centreon Web before 2.8.27 allows attackers to perfor ...) 
- NOT-FOR-US: Centreon web UI (not packaged in Debian) + - centreon-web (bug #913903) CVE-2018-21020 (In very rare cases, a PHP type juggling vulnerability in centreonAuth. ...) - NOT-FOR-US: Centreon web UI (not packaged in Debian) + - centreon-web (bug #913903) CVE-2019-17103 RESERVED CVE-2019-17102 @@ -10253,9 +10253,9 @@ CVE-2019-16408 CVE-2019-16407 (JetBrains ReSharper installers for versions before 2019.2 had a DLL Hi ...) NOT-FOR-US: JetBrains ReSharper installer CVE-2019-16406 (Centreon Web 19.04.4 has weak permissions within the OVA (aka VMware v ...) - NOT-FOR-US: Centreon web UI (not packaged in Debian) + - centreon-web (bug #913903) CVE-2019-16405 (Centreon Web 19.04.4 allows Remote Code Execution by an administrator ...) - NOT-FOR-US: Centreon web UI (not packaged in Debian) + - centreon-web (bug #913903) CVE-2019-16404 (Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php ...) NOT-FOR-US: OpenEMR CVE-2019-16403 (In Webkul Bagisto before 0.1.5, the functionalities for customers to c ...) @@ -11003,7 +11003,7 @@ CVE-2019-16196 CVE-2019-16195 (Centreon before 2.8.30, 18.x before 18.10.8, and 19.x before 19.04.5 a ...) - centreon-web (bug #913903) CVE-2019-16194 (SQL injection vulnerabilities in Centreon through 19.04 allow attacks ...) - NOT-FOR-US: Centreon web UI (not packaged in Debian) + - centreon-web (bug #913903) CVE-2019-16193 (In ArcGIS Enterprise 10.6.1, a crafted IFRAME element can be used to t ...) NOT-FOR-US: ArcGIS Enterprise CVE-2019-16192 (upload_model() in /admini/controllers/system/managemodel.php in DocCms ...) @@ -21583,7 +21583,7 @@ CVE-2019-13026 (OXID eShop 6.0.x before 6.0.5 and 6.1.x before 6.1.4 allows SQL CVE-2019-13025 (Compal CH7465LG CH7465LG-NCIP-6.12.18.24-5p8-NOSH devices have Incorre ...) NOT-FOR-US: Compal CH7465LG CH7465LG-NCIP-6.12.18.24-5p8-NOSH devices CVE-2019-13024
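Review bot: every replaced line now reads `- centreon-web (bug #913903)`, the ITP bug, which marks each issue as open against a source package that is not yet in the archive; that is what the commit title intends. Three of the entries do not obviously belong to that package, though: CVE-2019-17104 and CVE-2018-21025 are described as `Centreon VM through 19.04.3` issues (the Apache cookie configuration and `centreon-backup.pl` in the appliance) and CVE-2019-16406 as weak permissions within the OVA; if the ITP covers only the web application, those three should stay `NOT-FOR-US` with a note saying why.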
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-16195/centreon-web (itp'ed)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d50a81bc by Salvatore Bonaccorso at 2019-11-26T20:35:07Z Add CVE-2019-16195/centreon-web (itped) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11001,7 +11001,7 @@ CVE-2019-16197 (In htdocs/societe/card.php in Dolibarr 10.0.1, the value of the CVE-2019-16196 RESERVED CVE-2019-16195 (Centreon before 2.8.30, 18.x before 18.10.8, and 19.x before 19.04.5 a ...) - TODO: check + - centreon-web (bug #913903) CVE-2019-16194 (SQL injection vulnerabilities in Centreon through 19.04 allow attacks ...) NOT-FOR-US: Centreon web UI (not packaged in Debian) CVE-2019-16193 (In ArcGIS Enterprise 10.6.1, a crafted IFRAME element can be used to t ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d50a81bc8aea895bc89f532ea14640f954968919
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8faf8e23 by Salvatore Bonaccorso at 2019-11-26T20:34:40Z Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -396,7 +396,7 @@ CVE-2019-19131 CVE-2019-19130 RESERVED CVE-2019-19129 (Afterlogic WebMail Pro 8.3.11, and WebMail in Afterlogic Aurora 8.3.11 ...) - TODO: check + NOT-FOR-US: Afterlogic CVE-2019-19128 RESERVED CVE-2019-19127 @@ -7878,7 +7878,7 @@ CVE-2019-17394 (In the Seesaw Parent and Family application 6.2.5 for Android, t CVE-2019-17393 (The Customer's Tomedo Server in Version 1.7.3 communicates to the Vend ...) NOT-FOR-US: Tomedo Server CVE-2019-17392 (Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a ...) - TODO: check + NOT-FOR-US: Progress Sitefinity CVE-2019-17391 (An issue was discovered in the Espressif ESP32 mask ROM code 2016-06-0 ...) NOT-FOR-US: Espressif ESP32 CVE-2019-17390 @@ -10291,11 +10291,11 @@ CVE-2019-16390 CVE-2019-16389 RESERVED CVE-2019-16388 (PEGA Platform 8.3.0 is vulnerable to Information disclosure via a dire ...) - TODO: check + NOT-FOR-US: PEGA Platform CVE-2019-16387 (PEGA Platform 8.3.0 is vulnerable to a direct prweb/sso/random_token/! ...) - TODO: check + NOT-FOR-US: PEGA Platform CVE-2019-16386 (PEGA Platform 7.x and 8.x is vulnerable to Information disclosure via ...) - TODO: check + NOT-FOR-US: PEGA Platform CVE-2019-16385 RESERVED CVE-2019-16384 
@@ -10833,11 +10833,11 @@ CVE-2019-16245 CVE-2019-16244 RESERVED CVE-2019-16243 (On TCL Alcatel Cingular Flip 2 B9HUAH1 devices, there is an undocument ...) - TODO: check + NOT-FOR-US: TCL Alcatel Cingular Flip 2 B9HUAH1 devices CVE-2019-16242 (On TCL Alcatel Cingular Flip 2 B9HUAH1 devices, there is an engineerin ...) - TODO: check + NOT-FOR-US: TCL Alcatel Cingular Flip 2 B9HUAH1 devices CVE-2019-16241 (On TCL Alcatel Cingular Flip 2 B9HUAH1 devices, PIN authentication can ...) - TODO: check + NOT-FOR-US: TCL Alcatel Cingular Flip 2 B9HUAH1 devices CVE-2019-16240 RESERVED CVE-2019-16239 (process_http_response in OpenConnect before 8.05 has a Buffer Overflow ...) @@ -12415,13 +12415,13 @@ CVE-2019-15690 CVE-2019-15689 RESERVED CVE-2019-15688 (Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Sec ...) - TODO: check + NOT-FOR-US: Kaspersky CVE-2019-15687 (Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Sec ...) - TODO: check + NOT-FOR-US: Kaspersky CVE-2019-15686 (Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Sec ...) - TODO: check + NOT-FOR-US: Kaspersky CVE-2019-15685 (Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Total Sec ...) - TODO: check + NOT-FOR-US: Kaspersky CVE-2019-15684 (Kaspersky Protection extension for web browser Google Chrome prior to ...) NOT-FOR-US: Kaspersky Protection extension for web browser Google Chrome CVE-2019-15683 (TurboVNC server code contains stack buffer overflow vulnerability in c ...) @@ -16841,7 +16841,7 @@ CVE-2019-14451 (RepetierServer.exe in Repetier-Server 0.8 through 0.91 does not CVE-2019-14450 (A directory traversal vulnerability was discovered in RepetierServer.e ...) NOT-FOR-US: Repetier-Server CVE-2019-14449 (An issue was discovered in Cloudera Manager 5.x before 5.16.2, 6.0.x b ...) - TODO: check + NOT-FOR-US: Cloudera CVE-2019-14448 RESERVED CVE-2019-14447 
@@ -22970,7 +22970,7 @@ CVE-2019-12491 (OnApp before 5.0.0-88, 5.5.0-93, and 6.0.0-196 allows an attacke CVE-2019-12490 RESERVED CVE-2019-12489 (An issue was discovered on Fastweb Askey RTV1907VW 0.00.81_FW_200_Aske ...) - TODO: check + NOT-FOR-US: Fastweb Askey RTV1907VW devices CVE-2019-12488 RESERVED CVE-2019-12487 @@ -38251,7 +38251,7 @@ CVE-2018-20751 (An issue was discovered in crop_page in PoDoFo 0.9.6. For a craf NOTE: https://sourceforge.net/p/podofo/tickets/33/ NOTE: https://sourceforge.net/p/podofo/code/1954 CVE-2019-7319 (An issue was discovered in Cloudera Hue 6.0.0 through 6.1.0. When usin ...) - TODO: check + NOT-FOR-US: Cloudera CVE-2019-7318 RESERVED CVE-2019-7317 (png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after- ...) @@ -39792,7 +39792,7 @@ CVE-2019-6677 CVE-2019-6676 RESERVED CVE-2019-6675 (BIG-IP configurations using Active Directory, LDAP, or Client Certific ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2019-6674 RESERVED CVE-2019-6673 @@ -51759,7 +51759,7 @@ CVE-2018-20092 (PTC ThingWorx Platform through 8.3.0 is vulnerable to a director CVE-2018-20091 (An
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-19206/dolibarr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7b06f326 by Salvatore Bonaccorso at 2019-11-26T20:33:27Z Add CVE-2019-19206/dolibarr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -233,7 +233,7 @@ CVE-2019-19208 CVE-2019-19207 (rConfig 3.9.2 allows devices.php?searchColumn= SQL injection. ...) NOT-FOR-US: rConfig CVE-2019-19206 (Dolibarr CRM/ERP 10.0.3 allows viewimage.php?file= Stored XSS due to J ...) - TODO: check + - dolibarr CVE-2019-19205 RESERVED CVE-2019-19204 (An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the func ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7b06f3262cf8a56834ee672b4e93119031640713
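Review bot: `- dolibarr` is added with no fixed version, no `(bug #...)` reference and no NOTE, which marks every suite as affected while giving nobody a pointer to the upstream fix or a Debian bug to follow; the other package lines in this series carry at least a bug number or a NOTE with the upstream reference, so add one here, or a NOTE stating that no fix is known yet and a severity marker so the unfixed state is visibly deliberate.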
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8fdeae9f by Salvatore Bonaccorso at 2019-11-26T20:26:28Z Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,7 @@ CVE-2019-19308 CVE-2019-19307 (An integer overflow in parse_mqtt in mongoose.c in Cesanta Mongoose 6. ...) TODO: check CVE-2019-19306 (The Zoho CRM Lead Magnet plugin 1.6.9.1 for WordPress allows XSS via m ...) - TODO: check + NOT-FOR-US: Zoho CRM Lead Magnet plugin for WordPress CVE-2019-19305 RESERVED CVE-2019-19304 @@ -71,11 +71,11 @@ CVE-2019-19274 (typed_ast 1.3.0 and 1.3.1 has a handle_keywordonly_args out-of-b CVE-2019-19273 RESERVED CVE-2015-9539 (The Fast Secure Contact Form plugin before 4.0.38 for WordPress allows ...) - TODO: check + NOT-FOR-US: Fast Secure Contact Form plugin for WordPress CVE-2015-9538 (The NextGEN Gallery plugin before 2.1.15 for WordPress allows ../ Dire ...) - TODO: check + NOT-FOR-US: NextGEN Gallery plugin for WordPress CVE-2015-9537 (The NextGEN Gallery plugin before 2.1.10 for WordPress has multiple XS ...) - TODO: check + NOT-FOR-US: NextGEN Gallery plugin for WordPress CVE-2019-19272 (An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. Dir ...) - proftpd-dfsg 1.3.6-1 [stretch] - proftpd-dfsg (Minor issue) @@ -3851,7 +3851,7 @@ CVE-2019-18582 CVE-2019-18581 RESERVED CVE-2019-18580 (Dell EMC Storage Monitoring and Reporting version 4.3.1 contains a Jav ...) - TODO: check + NOT-FOR-US: EMC CVE-2019-18579 RESERVED CVE-2019-18578 
@@ -45294,7 +45294,7 @@ CVE-2019-4389 CVE-2019-4388 RESERVED CVE-2019-4387 (IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.2.0 i ...) - TODO: check + NOT-FOR-US: IBM CVE-2019-4386 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1 ...) NOT-FOR-US: IBM CVE-2019-4385 (IBM Spectrum Protect Plus 10.1.2 may display the vSnap CIFS password i ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8fdeae9f52c182090e9f48cc43fe7958218ed52c
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2019-19271/proftpd-dfsg
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bb6536a2 by Salvatore Bonaccorso at 2019-11-26T20:20:01Z Add fixed version for CVE-2019-19271/proftpd-dfsg The issue was fixed in 1.3.6 (and verified between 1.3.5e-1 and 1.3.6-1 versions in Debian). As such the fix is as well already present in buster, thus removing the no-dsa tagged entry. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -82,8 +82,7 @@ CVE-2019-19272 (An issue was discovered in tls_verify_crl in ProFTPD before 1.3. [stretch] - proftpd-dfsg (Minor issue) NOTE: https://github.com/proftpd/proftpd/issues/858 CVE-2019-19271 (An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. A w ...) - - proftpd-dfsg - [buster] - proftpd-dfsg (Minor issue) + - proftpd-dfsg 1.3.6-1 [stretch] - proftpd-dfsg (Minor issue) NOTE: https://github.com/proftpd/proftpd/issues/860 CVE-2019-19270 (An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. F ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bb6536a2081507a85ea4bc8c5c18ee5d5a479ed7
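Review bot: the hunk records the fix as `1.3.6-1` and drops the `[buster]` no-dsa line, but the entry's only reference stays the proftpd issue #860; since the commit message says the fix was verified by comparing 1.3.5e-1 and 1.3.6-1, add a NOTE with the upstream commit that was identified during that comparison, so the fixed version can be re-checked later without repeating the source diff.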
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 647c9483 by security tracker role at 2019-11-26T20:10:19Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,81 @@ +CVE-2019-19308 + RESERVED +CVE-2019-19307 (An integer overflow in parse_mqtt in mongoose.c in Cesanta Mongoose 6. ...) + TODO: check +CVE-2019-19306 (The Zoho CRM Lead Magnet plugin 1.6.9.1 for WordPress allows XSS via m ...) + TODO: check +CVE-2019-19305 + RESERVED +CVE-2019-19304 + RESERVED +CVE-2019-19303 + RESERVED +CVE-2019-19302 + RESERVED +CVE-2019-19301 + RESERVED +CVE-2019-19300 + RESERVED +CVE-2019-19299 + RESERVED +CVE-2019-19298 + RESERVED +CVE-2019-19297 + RESERVED +CVE-2019-19296 + RESERVED +CVE-2019-19295 + RESERVED +CVE-2019-19294 + RESERVED +CVE-2019-19293 + RESERVED +CVE-2019-19292 + RESERVED +CVE-2019-19291 + RESERVED +CVE-2019-19290 + RESERVED +CVE-2019-19289 + RESERVED +CVE-2019-19288 + RESERVED +CVE-2019-19287 + RESERVED +CVE-2019-19286 + RESERVED +CVE-2019-19285 + RESERVED +CVE-2019-19284 + RESERVED +CVE-2019-19283 + RESERVED +CVE-2019-19282 + RESERVED +CVE-2019-19281 + RESERVED +CVE-2019-19280 + RESERVED +CVE-2019-19279 + RESERVED +CVE-2019-19278 + RESERVED +CVE-2019-19277 + RESERVED +CVE-2019-19276 + RESERVED +CVE-2019-19275 (typed_ast 1.3.0 and 1.3.1 has an ast_for_arguments out-of-bounds read. ...) + TODO: check +CVE-2019-19274 (typed_ast 1.3.0 and 1.3.1 has a handle_keywordonly_args out-of-bounds ...) + TODO: check +CVE-2019-19273 + RESERVED +CVE-2015-9539 (The Fast Secure Contact Form plugin before 4.0.38 for WordPress allows ...) + TODO: check +CVE-2015-9538 (The NextGEN Gallery plugin before 2.1.15 for WordPress allows ../ Dire ...) + TODO: check +CVE-2015-9537 (The NextGEN Gallery plugin before 2.1.10 for WordPress has multiple XS ...) + TODO: check CVE-2019-19272 (An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. Dir ...) - proftpd-dfsg [buster] - proftpd-dfsg (Minor issue) 
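Review bot: of the new TODO: check entries, CVE-2019-19307 (Mongoose parse_mqtt integer overflow) and CVE-2019-19275/CVE-2019-19274 (typed_ast out-of-bounds reads) name libraries rather than hosted products, so they need a source-package lookup before they can be closed, whereas the four WordPress plugin entries (CVE-2019-19306, CVE-2015-9539, CVE-2015-9538, CVE-2015-9537) can follow the NOT-FOR-US: Wordpress plugin tag used elsewhere in this file. The remaining added lines are RESERVED placeholders and need no action.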
@@ -156,8 +234,8 @@ CVE-2019-19208 RESERVED CVE-2019-19207 (rConfig 3.9.2 allows devices.php?searchColumn= SQL injection. ...) NOT-FOR-US: rConfig -CVE-2019-19206 - RESERVED +CVE-2019-19206 (Dolibarr CRM/ERP 10.0.3 allows viewimage.php?file= Stored XSS due to J ...) + TODO: check CVE-2019-19205 RESERVED CVE-2019-19204 (An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the func ...) @@ -319,8 +397,8 @@ CVE-2019-19131 RESERVED CVE-2019-19130 RESERVED -CVE-2019-19129 - RESERVED +CVE-2019-19129 (Afterlogic WebMail Pro 8.3.11, and WebMail in Afterlogic Aurora 8.3.11 ...) + TODO: check CVE-2019-19128 RESERVED CVE-2019-19127 
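Review bot: both hunks here only swap a RESERVED placeholder for the now-public description plus TODO: check, which is the expected output of the automatic update, so the review action is on the follow-up triage rather than on the diff. CVE-2019-19206 (Dolibarr stored XSS via viewimage.php?file=) and CVE-2019-19129 (Afterlogic WebMail Pro / Aurora) both describe web applications; check whether either is packaged before tagging rather than assuming NOT-FOR-US from the product name.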
@@ -3543,27 +3621,23 @@ CVE-2019-18681 CVE-2019-18680 (An issue was discovered in the Linux kernel 4.4.x before 4.4.195. Ther ...) - linux (Vulnerable code not present) NOTE: https://lkml.org/lkml/2019/9/18/337 -CVE-2019-18679 [Information Disclosure issue in HTTP Digest Authentication] - RESERVED +CVE-2019-18679 (An issue was discovered in Squid 2.x, 3.x, and 4.x through 4.8. Due to ...) - squid 4.9-1 - squid3 NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_11.txt -CVE-2019-18678 [HTTP Request Splitting issue in HTTP message processing] - RESERVED +CVE-2019-18678 (An issue was discovered in Squid 3.x and 4.x through 4.8. It allows at ...) - squid 4.9-1 - squid3 NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-671ba97abe929156dc4c717ee52ad22fba0f7443.patch NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_10.txt -CVE-2019-18677 [Cross-Site Request Forgery issue in HTTP Request processing] - RESERVED +CVE-2019-18677 (An issue was discovered in Squid 3.x and 4.x through 4.8 when the appe ...) - squid 4.9-1 - squid3 NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-36492033ea4097821a4f7ff3ddcb971fbd1e8ba0.patch NOTE: Squid 3.5: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-e5f1813a674848dde570f7920873e1071f96e0b4.patch NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_9.txt -CVE-2019-18676 [Multiple issues in URI processing] - RESERVED +CVE-2019-18676 (An issue was discovered in Squid 3.x and 4.x through 4.8. Due to incor ...) - squid 4.9-1 - squid3 NOTE: http://www.squid-cache.org/Advisories/SQUID-2019_8.txt
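Review bot: CVE-2019-18676 is the only one of the four Squid entries without an upstream changeset NOTE (only the SQUID-2019_8 advisory is recorded), so anyone backporting to squid3 has no patch pointer; add the corresponding changeset URL(s) next to the advisory as was done for CVE-2019-18677. CVE-2019-18679 and CVE-2019-18678 reference the identical squid-4 changeset (671ba97a...), which is fine if one commit fixes both but is worth confirming against the two advisories. The four "- squid3" lines still carry neither a fixed version nor a stretch/jessie status, so that source package shows as open in every suite until they are filled in.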
[Git][security-tracker-team/security-tracker][master] Add upstream commit references for CVE-2019-192{69,70}/proftpd-dfsg
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 45e3b426 by Salvatore Bonaccorso at 2019-11-26T20:04:16Z Add upstream commit references for CVE-2019-192{69,70}/proftpd-dfsg - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,11 +13,15 @@ CVE-2019-19270 (An issue was discovered in tls_verify_crl in ProFTPD through 1.3 [buster] - proftpd-dfsg (Minor issue) [stretch] - proftpd-dfsg (Minor issue) NOTE: https://github.com/proftpd/proftpd/issues/859 + NOTE: https://github.com/proftpd/proftpd/commit/81cc5dce4fc0285629a1b08a07a109af10c208dd (master) + NOTE: https://github.com/proftpd/proftpd/commit/be8e1687819cb665359bd62b4c896ff4b1a09c3f (1.3.6 branch) CVE-2019-19269 (An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A ...) - proftpd-dfsg [buster] - proftpd-dfsg (Minor issue) [stretch] - proftpd-dfsg (Minor issue) NOTE: https://github.com/proftpd/proftpd/issues/861 + NOTE: https://github.com/proftpd/proftpd/commit/81cc5dce4fc0285629a1b08a07a109af10c208dd (master) + NOTE: https://github.com/proftpd/proftpd/commit/be8e1687819cb665359bd62b4c896ff4b1a09c3f (1.3.6 branch) CVE-2019-19268 RESERVED CVE-2019-19267 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/45e3b426c93ca95de6020aa675697126d2d1b7e4
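Review bot: the same master commit (81cc5dce...) and 1.3.6-branch commit (be8e1687...) are recorded for both CVE-2019-19270 and CVE-2019-19269 even though they track two different upstream issues (859 and 861); if a single commit really covers both, a short NOTE saying so would spare the next reader a trip to GitHub, and if it does not, one of the two entries points at the wrong fix. Both entries still have no fixed version, which is consistent with their "through 1.3.6b" descriptions.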
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-19244/sqlite3
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dce0559d by Salvatore Bonaccorso at 2019-11-26T20:00:33Z Add CVE-2019-19244/sqlite3 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -71,7 +71,8 @@ CVE-2019-19246 (Oniguruma through 6.9.3, as used in PHP 7.3.x and other products CVE-2019-19245 RESERVED CVE-2019-19244 (sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-sel ...) - TODO: check + - sqlite3 + NOTE: https://github.com/sqlite/sqlite/commit/e59c562b3f6894f84c715772c4b116d7b5c01348 CVE-2019-19243 RESERVED CVE-2019-19242 (SQLite 3.30.1 mishandles pExpr-y.pTab, as demonstrated by the TK_C ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dce0559dadb1ee88121e2118788e5a609ec299e0
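Review bot: the new "- sqlite3" line has neither a fixed version nor a severity qualifier, so the package now shows as openly vulnerable in every suite on the strength of a crash description ("allows a crash if a sub-sel ..."); record the severity and the Debian bug once filed, in the "(low; bug #NNNNNN)" form used for ansible elsewhere in this file, so the entry does not read like an unhandled release-critical issue. The upstream commit reference is the right thing to add and is enough for a backport.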
[Git][security-tracker-team/security-tracker][master] dla-needed: Take yard
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 6477d1c2 by Adrian Bunk at 2019-11-26T14:41:12Z dla-needed: Take yard - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -135,7 +135,7 @@ xcftools (hle) -- xen -- -yard +yard (Adrian Bunk) NOTE: 20190830: second reviewer / triager needed. The security announcement states that the fix NOTE: 20190830: was done between 0.9.19 and 0.9.20. Meaningful commits are NOTE: 20190830: https://github.com/lsegal/yard/commit/225ded9ef38c6d2be5a3b0fc7effbc7d6644768d View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6477d1c23b3079504d9ba77fa337c7e5a3c57b6a
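Review bot: the claim line changes but the NOTE block beneath it still opens with "20190830: second reviewer / triager needed", which is stale now that the package has been taken; either reword that note or append a dated NOTE with the current status, following the "20191126: ..." convention used for the php-horde entries in this same file, so the next reader does not think the triage request is still open.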
[Git][security-tracker-team/security-tracker][master] embedded-code-copies: reference php7.0 and php7.3 bugs
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 38ad8b3e by Sylvain Beucler at 2019-11-26T14:31:32Z embedded-code-copies: reference php7.0 and php7.3 bugs - - - - - 1 changed file: - data/embedded-code-copies Changes: = data/embedded-code-copies = @@ -2203,8 +2203,8 @@ libmbfl (itp: #570708) libonig - php5 5.3.2-1 (embed) - - php7.0 (embed) - - php7.3 (embed) + - php7.0 (embed; bug #945525) + - php7.3 (embed; bug #945526) xmlrpc-epi - php5 (embed) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/38ad8b3efc741d39eb6c8cd26bab04bc55a159ec
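Review bot: the php7.0 and php7.3 lines gain a bug reference but, unlike the php5 entry directly above them ("php5 5.3.2-1 (embed)"), still record no version, so the file cannot tell a reader whether every php7.0/php7.3 upload embeds libonig or only those from a given version on; if the embedding is unconditional for these branches, a version or a short note to that effect would make the entry self-explanatory. Keeping the marker and the bug reference together in one "(embed; bug #N)" parenthesis is fine.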
[Git][security-tracker-team/security-tracker][master] LTS/php-horde, php-horde-trean status updates
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: dcd56d33 by Roberto C. Sánchez at 2019-11-26T14:21:10Z LTS/php-horde, php-horde-trean status updates - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -90,9 +90,11 @@ otrs2 (Abhijith PA) NOTE: otrs2 is in jessie/main so it should be taken care off -- php-horde (Roberto C. Sánchez) + NOTE: 20191126: Corresponding with security team regarding CVE assignments. (roberto) -- -php-horde-trean +php-horde-trean (Roberto C. Sánchez) NOTE: 20191118: Upstream closed the ticket related to CVE-2019-12095, indicating that it is low priority for them. (roberto) + NOTE: 20191126: Corresponding with security team regarding CVE assignments. (roberto) -- python-reportlab (Hugo Lefeuvre) NOTE: 20191123: still no upstream fix View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dcd56d3345e06f704b79a2e5d137ef05706a0356
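Review bot: the two new "20191126" notes are identical word for word; if the CVE-assignment correspondence covers php-horde and php-horde-trean together, say so once and cross-reference the other entry, otherwise later readers will assume two separate requests are in flight. Keeping the 20191118 note about upstream closing the CVE-2019-12095 ticket is right, since it still explains why the fix is not simply backported.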
[Git][security-tracker-team/security-tracker][master] CVE-2018-12900 will be fixed soon
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 9a019faa by Thorsten Alteholz at 2019-11-26T14:06:09Z CVE-2018-12900 will be fixed soon - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -75329,7 +75329,6 @@ CVE-2018-12901 (A vulnerability in the conferencing component of Mitel ST 14.2, CVE-2018-12900 (Heap-based buffer overflow in the cpSeparateBufToContigBuf function in ...) - tiff 4.0.10-4 (bug #902718) [stretch] - tiff (Minor issue, can be fixed along in future DSA) - [jessie] - tiff (Minor issue, can be fixed along in future DLA) NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2798 NOTE: https://gitlab.com/libtiff/libtiff/merge_requests/60 CVE-2018-12899 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9a019faadc308e7a157fc7448626c5e15991beeb
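Review bot: dropping "[jessie] - tiff (Minor issue, can be fixed along in future DLA)" leaves CVE-2018-12900 with no jessie status at all, so until the DLA is actually published the entry reads as an open, unscheduled jessie issue rather than one being prepared; the safer sequence is to keep the no-dsa line until the {DLA-NNNN-1} marker can be added in the same commit as the announcement. The stretch line is correctly left alone, since this commit only concerns the jessie update.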
[Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0f072e44 by Moritz Muehlenhoff at 2019-11-26T12:24:43Z NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14900,7 +14900,7 @@ CVE-2019-14892 CVE-2019-14891 (A flaw was found in cri-o, as a result of all pod-related processes be ...) NOT-FOR-US: Kubernetes CRI-O CVE-2019-14890 (An attacker with low privilege could retrieve usernames and passwords ...) - TODO: check + NOT-FOR-US: Ansible Tower CVE-2019-14889 RESERVED CVE-2019-14888 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0f072e44cbcc9364889053cd0c00d2e5f3d21315
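Review bot: NOT-FOR-US: Ansible Tower is the right tag only if the credential-disclosure flaw lives in the Tower product and not in the ansible engine that is tracked as a Debian source package elsewhere in this file ("- ansible (low; bug #943768)" under CVE-2019-14864); since the truncated description gives no product name, a triager reading just this hunk has to take that distinction on trust, so a NOTE pointing at the upstream advisory would close the gap.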
[Git][security-tracker-team/security-tracker][master] new n/a grub issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ee65c6a1 by Moritz Muehlenhoff at 2019-11-26T11:20:28Z new n/a grub issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14965,6 +14965,10 @@ CVE-2019-14866 [improper input validation when writing tar header fields leads t NOTE: http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=7554e3e42cd72f6f8304410c47fe6f8918e9bfd7 CVE-2019-14865 RESERVED + - grub2 (Red Hat-specific patch) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1764925 + NOTE: https://seclists.org/oss-sec/2019/q4/101 + NOTE: Red Hat-specific patch, get added as 0131-Add-grub-set-bootflag-utility.patch in their SRPM CVE-2019-14864 RESERVED - ansible (low; bug #943768) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ee65c6a138528c784a2369232146180305a66038
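Review bot: the commit message calls this a not-affected (n/a) issue, but the added line "- grub2 (Red Hat-specific patch)" carries no version or marker, so in the tracker's syntax it reads as an open, unfixed issue in grub2 rather than a not-affected one; the reason text belongs in parentheses after the tracker's <not-affected> marker. Two smaller points: the NOTE reads "get added as 0131-Add-grub-set-bootflag-utility.patch" and should say "gets added", and since CVE-2019-14865 is still RESERVED, a bracketed working title (as CVE-2019-14866 just above it has) would tell readers what the issue is without following the links.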
[Git][security-tracker-team/security-tracker][master] new proftpd issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a895beca by Moritz Muehlenhoff at 2019-11-26T10:43:22Z new proftpd issues NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,11 +1,23 @@ CVE-2019-19272 (An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. Dir ...) - TODO: check + - proftpd-dfsg + [buster] - proftpd-dfsg (Minor issue) + [stretch] - proftpd-dfsg (Minor issue) + NOTE: https://github.com/proftpd/proftpd/issues/858 CVE-2019-19271 (An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. A w ...) - TODO: check + - proftpd-dfsg + [buster] - proftpd-dfsg (Minor issue) + [stretch] - proftpd-dfsg (Minor issue) + NOTE: https://github.com/proftpd/proftpd/issues/860 CVE-2019-19270 (An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. F ...) - TODO: check + - proftpd-dfsg + [buster] - proftpd-dfsg (Minor issue) + [stretch] - proftpd-dfsg (Minor issue) + NOTE: https://github.com/proftpd/proftpd/issues/859 CVE-2019-19269 (An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A ...) - TODO: check + - proftpd-dfsg + [buster] - proftpd-dfsg (Minor issue) + [stretch] - proftpd-dfsg (Minor issue) + NOTE: https://github.com/proftpd/proftpd/issues/861 CVE-2019-19268 RESERVED CVE-2019-19267 @@ -4719,9 +4731,9 @@ CVE-2019-18253 CVE-2019-18252 RESERVED CVE-2019-18251 (In Omron CX-Supervisor, Versions 3.5 (12) and prior, Omron CX-Supervis ...) - TODO: check + NOT-FOR-US: Omron CVE-2019-18250 (In all versions of ABB Power Generation Information Manager (PGIM) and ...) - TODO: check + NOT-FOR-US: ABB CVE-2019-18249 RESERVED CVE-2019-18248 @@ -4739,7 +4751,7 @@ CVE-2019-18243 CVE-2019-18242 RESERVED CVE-2019-18241 (In Philips IntelliBridge EC40 and EC80, IntelliBridge EC40 Hub all ver ...) - TODO: check + NOT-FOR-US: Philips CVE-2019-18240 (In Fuji Electric V-Server 4.0.6 and prior, several heap-based buffer o ...) NOT-FOR-US: Fuji CVE-2019-18239 
@@ -11429,23 +11441,23 @@ CVE-2019-16004 CVE-2019-16003 RESERVED CVE-2019-16002 (A vulnerability in the vManage web-based UI (web UI) of the Cisco SD-W ...) - TODO: check + NOT-FOR-US: Cisco CVE-2019-16001 (A vulnerability in the loading mechanism of specific dynamic link libr ...) - TODO: check + NOT-FOR-US: Cisco CVE-2019-16000 RESERVED CVE-2019-15999 RESERVED CVE-2019-15998 (A vulnerability in the access-control logic of the NETCONF over Secure ...) - TODO: check + NOT-FOR-US: Cisco CVE-2019-15997 (A vulnerability in Cisco DNA Spaces: Connector could allow an authenti ...) - TODO: check + NOT-FOR-US: Cisco CVE-2019-15996 (A vulnerability in Cisco DNA Spaces: Connector could allow an authenti ...) - TODO: check + NOT-FOR-US: Cisco CVE-2019-15995 (A vulnerability in the web UI of Cisco DNA Spaces: Connector could all ...) - TODO: check + NOT-FOR-US: Cisco CVE-2019-15994 (A vulnerability in the web-based management interface of Cisco Stealth ...) - TODO: check + NOT-FOR-US: Cisco CVE-2019-15993 RESERVED CVE-2019-15992 @@ -11453,15 +11465,15 @@ CVE-2019-15992 CVE-2019-15991 RESERVED CVE-2019-15990 (A vulnerability in the web-based management interface of certain Cisco ...) - TODO: check + NOT-FOR-US: Cisco CVE-2019-15989 RESERVED CVE-2019-15988 (A vulnerability in the antispam protection mechanisms of Cisco AsyncOS ...) - TODO: check + NOT-FOR-US: Cisco CVE-2019-15987 (A vulnerability in web interface of the Cisco Webex Event Center, Cisc ...) - TODO: check + NOT-FOR-US: Cisco CVE-2019-15986 (A vulnerability in the CLI of Cisco Unity Express could allow an authe ...) - TODO: check + NOT-FOR-US: Cisco CVE-2019-15985 RESERVED CVE-2019-15984 
@@ -11487,19 +11499,19 @@ CVE-2019-15975 CVE-2019-15974 RESERVED CVE-2019-15973 (A vulnerability in the web-based management interface of Cisco Industr ...) - TODO: check + NOT-FOR-US: Cisco CVE-2019-15972 (A vulnerability in the web-based management interface of Cisco Unified ...) - TODO: check + NOT-FOR-US: Cisco CVE-2019-15971 (A vulnerability in the MP3 detection engine of Cisco AsyncOS Software ...) - TODO: check + NOT-FOR-US: Cisco CVE-2019-15970 RESERVED CVE-2019-15969 RESERVED CVE-2019-15968 (A vulnerability in the web-based management interface of Cisco Unified ...) - TODO: check + NOT-FOR-US: Cisco CVE-2019-15967 (A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoin ...) -
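Review bot: the four new proftpd-dfsg entries all get "(Minor issue)" for buster and stretch, but two of them (CVE-2019-19272 and CVE-2019-19271) describe ProFTPD "before 1.3.6" while the other two (CVE-2019-19270, CVE-2019-19269) say "through 1.3.6b"; that wording difference suggests the first pair may already be fixed in the 1.3.6 series, in which case they need a fixed version rather than a buster no-dsa line, so compare the 1.3.6 branch before leaving all four marked the same. The Omron, ABB, Philips and Cisco NOT-FOR-US tags match the product names in their descriptions and need no further action; the last Cisco entry (CVE-2019-15967) is cut off in this notification, so its new tag cannot be confirmed from what is visible here.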
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 209092d6 by security tracker role at 2019-11-26T08:10:13Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,21 @@ +CVE-2019-19272 (An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. Dir ...) + TODO: check +CVE-2019-19271 (An issue was discovered in tls_verify_crl in ProFTPD before 1.3.6. A w ...) + TODO: check +CVE-2019-19270 (An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. F ...) + TODO: check +CVE-2019-19269 (An issue was discovered in tls_verify_crl in ProFTPD through 1.3.6b. A ...) + TODO: check +CVE-2019-19268 + RESERVED +CVE-2019-19267 + RESERVED +CVE-2019-19266 + RESERVED +CVE-2019-19265 + RESERVED +CVE-2019-19264 + RESERVED CVE-2019-19263 RESERVED CVE-2019-19262 @@ -40,8 +58,8 @@ CVE-2019-19246 (Oniguruma through 6.9.3, as used in PHP 7.3.x and other products NOTE: https://github.com/kkos/oniguruma/commit/d3e402928b6eb3327f8f7d59a9edfa622fec557b CVE-2019-19245 RESERVED -CVE-2019-19244 - RESERVED +CVE-2019-19244 (sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-sel ...) + TODO: check CVE-2019-19243 RESERVED CVE-2019-19242 (SQLite 3.30.1 mishandles pExpr-y.pTab, as demonstrated by the TK_C ...) @@ -4700,10 +4718,10 @@ CVE-2019-18253 RESERVED CVE-2019-18252 RESERVED -CVE-2019-18251 - RESERVED -CVE-2019-18250 - RESERVED +CVE-2019-18251 (In Omron CX-Supervisor, Versions 3.5 (12) and prior, Omron CX-Supervis ...) + TODO: check +CVE-2019-18250 (In all versions of ABB Power Generation Information Manager (PGIM) and ...) + TODO: check CVE-2019-18249 RESERVED CVE-2019-18248 
@@ -4720,8 +4738,8 @@ CVE-2019-18243 RESERVED CVE-2019-18242 RESERVED -CVE-2019-18241 - RESERVED +CVE-2019-18241 (In Philips IntelliBridge EC40 and EC80, IntelliBridge EC40 Hub all ver ...) + TODO: check CVE-2019-18240 (In Fuji Electric V-Server 4.0.6 and prior, several heap-based buffer o ...) NOT-FOR-US: Fuji CVE-2019-18239 @@ -6951,8 +6969,8 @@ CVE-2019-17634 RESERVED CVE-2019-17633 RESERVED -CVE-2019-17632 - RESERVED +CVE-2019-17632 (In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4. ...) + TODO: check CVE-2019-17631 (From Eclipse OpenJ9 0.15 to 0.16, access to diagnostic operations such ...) NOT-FOR-US: Eclipse OpenJ9 CVE-2019-17630 (CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a cra ...) @@ -10705,6 +10723,7 @@ CVE-2016-10938 (The copy-me plugin 1.0.0 for WordPress has CSRF for copying non- NOT-FOR-US: Wordpress plugin CVE-2019-16255 [A code injection vulnerability of Shell#[] and Shell#test] RESERVED + {DLA-2007-1} - ruby2.5 2.5.7-1 - ruby2.3 - ruby2.1 @@ -10713,6 +10732,7 @@ CVE-2019-16255 [A code injection vulnerability of Shell#[] and Shell#test] NOTE: ruby2.5: https://github.com/ruby/ruby/commit/3af01ae1101e0b8815ae5a106be64b0e82a58640 CVE-2019-16254 [HTTP response splitting in WEBrick (Additional fix)] RESERVED + {DLA-2007-1} - ruby2.5 2.5.7-1 - ruby2.3 - ruby2.1 @@ -10895,6 +10915,7 @@ CVE-2019-16202 (MISP before 2.4.115 allows privilege escalation in certain situa NOT-FOR-US: MISP CVE-2019-16201 [Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication] RESERVED + {DLA-2007-1} - ruby2.5 2.5.7-1 - ruby2.3 - ruby2.1 
@@ -11407,40 +11428,40 @@ CVE-2019-16004 RESERVED CVE-2019-16003 RESERVED -CVE-2019-16002 - RESERVED -CVE-2019-16001 - RESERVED +CVE-2019-16002 (A vulnerability in the vManage web-based UI (web UI) of the Cisco SD-W ...) + TODO: check +CVE-2019-16001 (A vulnerability in the loading mechanism of specific dynamic link libr ...) + TODO: check CVE-2019-16000 RESERVED CVE-2019-15999 RESERVED -CVE-2019-15998 - RESERVED -CVE-2019-15997 - RESERVED -CVE-2019-15996 - RESERVED -CVE-2019-15995 - RESERVED -CVE-2019-15994 - RESERVED +CVE-2019-15998 (A vulnerability in the access-control logic of the NETCONF over Secure ...) + TODO: check +CVE-2019-15997 (A vulnerability in Cisco DNA Spaces: Connector could allow an authenti ...) + TODO: check +CVE-2019-15996 (A vulnerability in Cisco DNA Spaces: Connector could allow an authenti ...) + TODO: check +CVE-2019-15995 (A vulnerability in the web UI of Cisco DNA Spaces: Connector could all ...) + TODO: check +CVE-2019-15994 (A vulnerability in the web-based management interface of Cisco Stealth ...) + TODO: check
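Review bot: CVE-2019-17632 (Eclipse Jetty) is left at TODO: check right next to the OpenJ9 entry that is already NOT-FOR-US, and Jetty, unlike OpenJ9, is a server library that distributions commonly package, so it should be checked against the archive rather than closed by analogy with its neighbour. The {DLA-2007-1} markers added to CVE-2019-16255, CVE-2019-16254 and CVE-2019-16201 sit correctly above the "- ruby2.5 2.5.7-1" lines and record the LTS advisory for the ruby2.1 entries that otherwise have no version. The trailing Cisco hunk is cut off in this notification after CVE-2019-15994, so the rest of that block cannot be reviewed here.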