[Git][security-tracker-team/security-tracker][master] Add CVE-2019-17006/nss
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 82318f79 by Salvatore Bonaccorso at 2019-12-27T07:36:25Z Add CVE-2019-17006/nss - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15256,8 +15256,13 @@ CVE-2019-17007 [nss: Handling of Netscape Certificate Sequences in CERT_DecodeCe NOTE: https://hg.mozilla.org/projects/nss/rev/1473dd7efe2ce4f8722a33ebb03a3425e09887de NOTE: Fixed in 3.44 upstream (and there was an upload of 3.44 to unstable NOTE: but then reverted until the 2:3.45-1 upload). -CVE-2019-17006 +CVE-2019-17006 [Check length of inputs for cryptographic primitives] RESERVED + - nss 2:3.47-1 + NOTE: Fixed upstream in NSS 3.46. + NOTE: Upstream bug (currently non-public): https://bugzilla.mozilla.org/show_bug.cgi?id=1539788 + NOTE: https://hg.mozilla.org/projects/nss/rev/dfd6996fe7425eb0437346d11a01082f16fcfe34 + NOTE: https://hg.mozilla.org/projects/nss/rev/9d1f5e71773d4e3146524096d74cb96c8df51abe CVE-2019-17005 RESERVED {DSA-4585-1 DSA-4580-1 DLA-2036-1 DLA-2029-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/82318f791debeb4959b1b5ae17ae2573d62a8baf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/82318f791debeb4959b1b5ae17ae2573d62a8baf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
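Review bot: the added NOTE "Fixed upstream in NSS 3.46." sits next to a fixed Debian version of 2:3.47-1, so a reader will ask whether 3.46 was ever uploaded to unstable; the neighbouring CVE-2019-17007 entry documents exactly this kind of gap ("there was an upload of 3.44 to unstable but then reverted until the 2:3.45-1 upload"), and a matching one-line NOTE here would settle it. The "Upstream bug (currently non-public)" NOTE would also benefit from a date stamp, so it is obvious when to re-check whether the bugzilla entry has been opened.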
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: add tigervnc and claim it
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 381fe102 by Mike Gabriel at 2019-12-26T22:44:19Z data/dla-needed.txt: add tigervnc and claim it - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -121,6 +121,8 @@ sqlite3 (Thorsten Alteholz) squid3 NOTE: 20191210: Requires new API SBuf. -- +tigervnc (Mike Gabriel) +-- tomcat7 (Mike Gabriel) -- tomcat8 (Abhijith PA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/381fe102ab6c52517d98df44860914e62bd8d8fa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/381fe102ab6c52517d98df44860914e62bd8d8fa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
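Review bot: the new "tigervnc (Mike Gabriel)" entry carries no NOTE, whereas sibling entries in this file record a dated status line (for example "NOTE: 20191210: Requires new API SBuf." under squid3); adding a dated NOTE listing the CVE identifiers being addressed (the tigervnc entries elsewhere in this digest reference bug #947428) would let other LTS contributors see scope and progress without consulting the git log.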
[Git][security-tracker-team/security-tracker][master] Add information on CVE-2019-19882
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e8f8ff2a by Salvatore Bonaccorso at 2019-12-26T22:19:03Z Add information on CVE-2019-19882 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -532,7 +532,12 @@ CVE-2019-19884 CVE-2019-19883 RESERVED CVE-2019-19882 (shadow 4.8, in certain circumstances affecting at least Gentoo, Arch L ...) - TODO: check + - shadow (unimportant) + NOTE: https://github.com/shadow-maint/shadow/pull/199 + NOTE: https://bugs.archlinux.org/task/64836 + NOTE: https://bugs.gentoo.org/702252 + NOTE: Debian builds are compiled using -with-libpam and explicitly passing + NOTE: --disable-account-tools-setuid. CVE-2019-19881 RESERVED CVE-2019-19880 (exprListAppendList in window.c in SQLite 3.30.1 allows attackers to tr ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e8f8ff2ac9560f7eaa62ea17631d7b00cf36aaa4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e8f8ff2ac9560f7eaa62ea17631d7b00cf36aaa4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
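Review bot: the NOTE line "Debian builds are compiled using -with-libpam and explicitly passing" spells the configure option with a single dash, while the continuation line correctly uses "--disable-account-tools-setuid"; shadow's option is "--with-libpam", so the note should be corrected to avoid misleading anyone verifying the build configuration. Stating in one sentence why those two options make the issue "unimportant" for Debian would also save a future reader from reconstructing the reasoning from the upstream pull request.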
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-16789/waitress
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b87c62c by Salvatore Bonaccorso at 2019-12-26T21:34:40Z Add Debian bug reference for CVE-2019-16789/waitress - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15878,7 +15878,7 @@ CVE-2019-16791 CVE-2019-16790 RESERVED CVE-2019-16789 (In Waitress through version 1.4.0, if a proxy server is used in front ...) - - waitress + - waitress (bug #947433) [buster] - waitress (Minor issue) [stretch] - waitress (Minor issue) NOTE: https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4b87c62c49ef2aefc123f12361b183e9d8071292 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4b87c62c49ef2aefc123f12361b183e9d8071292 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-7621/kibana
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 08b69602 by Salvatore Bonaccorso at 2019-12-26T21:33:36Z Add CVE-2019-7621/kibana - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43980,7 +43980,7 @@ CVE-2019-7623 CVE-2019-7622 RESERVED CVE-2019-7621 (Kibana versions before 6.8.6 and 7.5.1 contain a cross site scripting ...) - TODO: check + - kibana (bug #700337) CVE-2019-7620 (Logstash versions before 7.4.1 and 6.8.4 contain a denial of service f ...) NOT-FOR-US: Logstash Beats CVE-2019-7619 (Elasticsearch versions 7.0.0-7.3.2 and 6.7.0-6.8.3 contain a username ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/08b696023ef5eddbbb921309c2d99ff9a88456c5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/08b696023ef5eddbbb921309c2d99ff9a88456c5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
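Review bot: the "(bug #700337)" reference on the new kibana line is far older than the other bug numbers in this batch (#946xxx and #947xxx) for a CVE published in late 2019, which suggests it is the packaging-request bug for kibana rather than a report about CVE-2019-7621; please confirm the reference, and if kibana is not in the archive the line should carry the tracker's "<itp>" marker so the entry is not read as an open issue in a shipped package.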
[Git][security-tracker-team/security-tracker][master] Process more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 30f75ae0 by Salvatore Bonaccorso at 2019-12-26T21:32:57Z Process more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5816,7 +5816,7 @@ CVE-2019-19400 CVE-2019-19399 RESERVED CVE-2019-19398 (M5 lite 10 with versions of 8.0.0.182(C00) have an insufficient input ...) - TODO: check + NOT-FOR-US: Huawei CVE-2019-19397 (There is a weak algorithm vulnerability in some Huawei products. The a ...) NOT-FOR-US: Huawei CVE-2019-19396 (illumos, as used in OmniOS Community Edition before r151030y, allows a ...) @@ -42491,7 +42491,7 @@ CVE-2019-8295 CVE-2019-8294 RESERVED CVE-2019-8293 (Due to a logic error in the code, upload-image-with-ajax v1.0 allows a ...) - TODO: check + NOT-FOR-US: upload-image-with-ajax CVE-2019-8292 (Online Store System v1.0 delete_product.php doesn't check to see if a ...) NOT-FOR-US: Online Store System CVE-2019-8291 (Online Store System v1.0 delete_file.php doesn't check to see if a use ...) @@ -42570,7 +42570,7 @@ CVE-2019-8257 CVE-2019-8256 (ColdFusion versions Update 6 and earlier have an insecure inherited pe ...) TODO: check CVE-2019-8255 (Brackets versions 1.14 and earlier have a command injection vulnerabil ...) - TODO: check + NOT-FOR-US: Adobe CVE-2019-8254 (Adobe Photoshop CC versions before 20.0.8 and 21.0.x before 21.0.2 hav ...) NOT-FOR-US: Adobe CVE-2019-8253 (Adobe Photoshop CC versions before 20.0.8 and 21.0.x before 21.0.2 hav ...) 
@@ -47610,7 +47610,7 @@ CVE-2019-6237 (Multiple memory corruption issues were addressed with improved me [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0003.html CVE-2019-6236 (A race condition existed during the installation of iCloud for Windows ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-6235 (A memory corruption issue was addressed with improved validation. This ...) NOT-FOR-US: Apple CVE-2019-6234 (A memory corruption issue was addressed with improved memory handling. ...) @@ -47620,7 +47620,7 @@ CVE-2019-6233 (A memory corruption issue was addressed with improved memory hand - webkit2gtk 2.22.4-1 (unimportant) NOTE: Not covered by security support CVE-2019-6232 (A race condition existed during the installation of iTunes for Windows ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-6231 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) NOT-FOR-US: Apple CVE-2019-6230 (A memory initialization issue was addressed with improved memory handl ...) @@ -47643,7 +47643,7 @@ CVE-2019-6224 (A buffer overflow issue was addressed with improved memory handli CVE-2019-6223 (A logic issue existed in the handling of Group FaceTime calls. The iss ...) NOT-FOR-US: Apple CVE-2019-6222 (A consistency issue was addressed with improved state handling. This i ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-6221 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) NOT-FOR-US: Apple CVE-2019-6220 (An out-of-bounds read was addressed with improved input validation. Th ...) 
@@ -47677,13 +47677,13 @@ CVE-2019-6209 (An out-of-bounds read issue existed that led to the disclosure of CVE-2019-6208 (A memory initialization issue was addressed with improved memory handl ...) NOT-FOR-US: Apple CVE-2019-6207 (An out-of-bounds read issue existed that led to the disclosure of kern ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-6206 (An issue existed with autofill resuming after it was canceled. The iss ...) NOT-FOR-US: autofill in iOS CVE-2019-6205 (A memory corruption issue was addressed with improved lock state check ...) NOT-FOR-US: Apple CVE-2019-6204 (A logic issue was addressed with improved validation. This issue is fi ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-6203 RESERVED CVE-2019-6202 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) @@ -47800,7 +47800,7 @@ CVE-2019-6149 (An unquoted search path vulnerability was identified in Lenovo Dy CVE-2019-6148 RESERVED CVE-2019-6147 (Forcepoint NGFW Security Management Center (SMC) versions lower than 6 ...) - TODO: check + NOT-FOR-US: Forcepoint NGFW Security Management Center CVE-2019-6146 RESERVED CVE-2019-6145 (Forcepoint VPN Client for Windows versions lower than 6.6.1 have an un ...) @@ -48110,17 +48110,17 @@ CVE-2019-6034 (a-blog cms versions prior to Ver.2.10.23 (Ver.2.10.x), Ver.2.9.26 CVE-2019-6033 (Cross-site scripting vulnerability in a-blog cms versions prior to Ver ...) NOT-FOR-US: a-blog cms CVE-2019-6032 (The NT
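Review bot: in the hunk at @@ -42570, the context lines "CVE-2019-8256 (ColdFusion versions Update 6 and earlier have an insecure inherited pe ...) TODO: check" are left open while the adjacent CVE-2019-8255 (Brackets) is resolved as "NOT-FOR-US: Adobe"; ColdFusion is likewise an Adobe product with no Debian package, so that TODO could be closed in the same pass. The remaining hunks are consistent: each "TODO: check" becomes a "NOT-FOR-US:" line naming the vendor or product.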
[Git][security-tracker-team/security-tracker][master] 3 commits: Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fcf0e0d7 by Salvatore Bonaccorso at 2019-12-26T21:16:34Z Process some NFUs - - - - - e2f879c1 by Salvatore Bonaccorso at 2019-12-26T21:16:57Z Add CVE-2019-16789/waitress - - - - - dbdba091 by Salvatore Bonaccorso at 2019-12-26T21:17:44Z Merge remote-tracking branch 'origin/master' - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7,9 +7,9 @@ CVE-2019-20001 CVE-2019-2 (The malware scan function in BullGuard Premium Protection 20.0.371.8 h ...) NOT-FOR-US: BullGuard Premium Protection CVE-2019-1 (Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) ...) - TODO: check + NOT-FOR-US: Halo CVE-2019-19998 (Xiuno BBS 4.0 allows XXE via plugin/xn_wechat_public/route/token.php. ...) - TODO: check + NOT-FOR-US: Xiuno BBS CVE-2019-19997 RESERVED CVE-2019-19996 (An issue was discovered on Intelbras IWR 3000N 1.8.7 devices. A malfor ...) @@ -3702,7 +3702,7 @@ CVE-2019-19683 (RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable t CVE-2019-19682 (nopCommerce through 4.20 allows XSS in the SaveStoreMappings of the co ...) NOT-FOR-US: nopCommerce CVE-2019-19681 (Pandora FMS 7.x suffers from remote code execution vulnerability. With ...) - TODO: check + NOT-FOR-US: Pandora FMS CVE-2019-19680 RESERVED CVE-2019-19679 (In "Xray Test Management for Jira" prior to version 3.5.5, remote auth ...) @@ -11240,7 +11240,7 @@ CVE-2019-18251 (In Omron CX-Supervisor, Versions 3.5 (12) and prior, Omron CX-Su CVE-2019-18250 (In all versions of ABB Power Generation Information Manager (PGIM) and ...) NOT-FOR-US: ABB CVE-2019-18249 (Reliable Controls MACH-ProWebCom/Sys, all versions prior to 2.15 (Firm ...) - TODO: check + NOT-FOR-US: Reliable Controls CVE-2019-18248 RESERVED CVE-2019-18247 (An attacker may use a specially crafted message to force Relion 650 se ...) 
@@ -15878,7 +15878,11 @@ CVE-2019-16791 CVE-2019-16790 RESERVED CVE-2019-16789 (In Waitress through version 1.4.0, if a proxy server is used in front ...) - TODO: check + - waitress + [buster] - waitress (Minor issue) + [stretch] - waitress (Minor issue) + NOTE: https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 + NOTE: https://github.com/Pylons/waitress/commit/11d9e138125ad46e951027184b13242a3c1de017 CVE-2019-16788 RESERVED CVE-2019-16786 (Waitress through version 1.3.1 would parse the Transfer-Encoding heade ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/13d399b4dc59c1f3d5294b821f1de8613de2106f...dbdba0910571cd02900dba25036165bfc98691e1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/13d399b4dc59c1f3d5294b821f1de8613de2106f...dbdba0910571cd02900dba25036165bfc98691e1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
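Review bot: in the hunk at @@ -15878 the new "- waitress" line carries no Debian bug reference, and no "[jessie]" assessment is recorded, while the related CVE-2019-16785 and CVE-2019-16786 entries elsewhere in this digest are marked "[jessie] - waitress (Minor issue)"; filing the bug and adding the jessie line would complete the entry and keep the three waitress advisories from the same upstream batch consistent.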
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2019-19952,imagemagick: Jessie is not affected.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 40aac991 by Markus Koschany at 2019-12-26T21:14:32Z CVE-2019-19952,imagemagick: Jessie is not affected. Instead of freeing mng_info, in Jessie an exception is thrown. - - - - - 13d399b4 by Markus Koschany at 2019-12-26T21:14:32Z Add imagemagick to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -120,6 +120,7 @@ CVE-2019-19952 (In ImageMagick 7.0.9-7 Q16, there is a use-after-free in the fun - imagemagick (low) [buster] - imagemagick (Minor issue) [stretch] - imagemagick (Minor issue) + [jessie] - imagemagick (vulnerable code is not present) NOTE: https://github.com/ImageMagick/ImageMagick/issues/1791 NOTE: https://github.com/ImageMagick/ImageMagick/commit/916d7bbd2c66a286d379dbd94bc6035c8fab937c (7.x) NOTE: https://github.com/ImageMagick/ImageMagick6/commit/7ef923841437bb57bd9b55fc0bf40ddc99b93c2b (6.x) = data/dla-needed.txt = @@ -31,6 +31,8 @@ ibus (Emilio) NOTE: 20191210: See https://bugs.debian.org/941018 NOTE: 20191210: See https://gitlab.gnome.org/GNOME/glib/merge_requests/1176 -- +imagemagick +-- intel-microcode (Markus Koschany) NOTE: 20191218: Should be based on DSA-4565-2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/f4934e12ab281de2d2830564583f4adf7ededf19...13d399b4dc59c1f3d5294b821f1de8613de2106f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/f4934e12ab281de2d2830564583f4adf7ededf19...13d399b4dc59c1f3d5294b821f1de8613de2106f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
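Review bot: the new "[jessie] - imagemagick (vulnerable code is not present)" line does not quite match the commit message's reasoning ("Instead of freeing mng_info, in Jessie an exception is thrown"), which describes a different code path rather than absent code; a NOTE in data/CVE/list recording that reasoning would let a later reviewer verify the jessie assessment without reading the git log.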
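Review bot: the "+imagemagick" line added to data/dla-needed.txt has no claimant and no dated NOTE, whereas the neighbouring entries (ibus, intel-microcode) record who is working on them and what the update should be based on; since this same push marks jessie as not affected by CVE-2019-19952, a NOTE naming the CVE(s) the DLA is meant to cover would avoid confusion about why the package is listed.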
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-5108/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f4934e12 by Salvatore Bonaccorso at 2019-12-26T20:59:55Z Add CVE-2019-5108/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -50391,7 +50391,8 @@ CVE-2019-5110 (Exploitable SQL injection vulnerabilities exist in the authentica CVE-2019-5109 (Exploitable SQL injection vulnerabilities exists in the authenticated ...) NOT-FOR-US: Forma LMS CVE-2019-5108 (An exploitable denial-of-service vulnerability exists in the Linux ker ...) - TODO: check + - linux + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0900 CVE-2019-5107 RESERVED CVE-2019-5106 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f4934e12ab281de2d2830564583f4adf7ededf19 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f4934e12ab281de2d2830564583f4adf7ededf19 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
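Review bot: the new "- linux" line records neither a fixed upstream version nor the affected kernel subsystem, and the only reference is the Talos report; once the upstream fix commit is known it should be added as a NOTE, and the entry given per-suite fixed versions as other kernel entries in this file have (for example "- linux 5.2.6-1" with a "[buster] - linux 4.19.67-1" line under CVE-2019-19543), so the entry can be resolved rather than left open-ended.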
[Git][security-tracker-team/security-tracker][master] Splitup temporary entry for Wordpress into two assigned CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8f24f42c by Salvatore Bonaccorso at 2019-12-26T20:53:09Z Splitup temporary entry for Wordpress into two assigned CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1074,10 +1074,17 @@ CVE-2019-19835 RESERVED CVE-2019-19834 RESERVED -CVE-2019- [several vulnerabilities fixed in WordPress 5.3.1] +CVE-2019-16781 - wordpress (bug #946905) + NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-pg4x-64rh-3c9v + NOTE: https://hackerone.com/reports/731301 + NOTE: https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/ +CVE-2019-16780 + - wordpress (bug #946905) + NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-x3wp-h3qx-9w94 + NOTE: https://github.com/WordPress/wordpress-develop/commit/505dd6a20b6fc3d06130018c1caeff764248c29e + NOTE: https://hackerone.com/reports/738644 NOTE: https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/ - TODO: asked maintainer to request CVEs with more insight CVE-2019-19833 (In Tautulli 2.1.9, CSRF in the /shutdown URI allows an attacker to shu ...) NOT-FOR-US: Tautulli CVE-2019-19832 (Xerox AltaLink C8035 printers allow CSRF. A request to add users is ma ...) 
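Review bot: the new CVE-2019-16781 block references the GHSA advisory, the HackerOne report and the 5.3.1 release announcement but no upstream fix commit, while the CVE-2019-16780 block directly below it does (wordpress-develop/commit/505dd6a20b6fc3d06130018c1caeff764248c29e); adding the corresponding commit for CVE-2019-16781 would make the buster and stretch backports easier to verify against bug #946905.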
@@ -15895,10 +15902,6 @@ CVE-2019-16782 (There's a possible information leak / session hijack vulnerabili - ruby-rack (bug #946983) NOTE: https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38 NOTE: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3 -CVE-2019-16781 (In WordPress before 5.3.1, authenticated users with lower privileges ( ...) - TODO: check -CVE-2019-16780 (WordPress users with lower privileges (like contributors) can inject J ...) - TODO: check CVE-2019-16779 (In RubyGem excon before 0.71.0, there was a race condition around pers ...) - ruby-excon (bug #946904) NOTE: https://github.com/excon/excon/security/advisories/GHSA-q58g-455p-8vw9 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8f24f42cfb25a867ad7e65a2f9a61b0427408189 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8f24f42cfb25a867ad7e65a2f9a61b0427408189 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2018-1311/xerces-c
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2514eacb by Salvatore Bonaccorso at 2019-12-26T20:46:54Z Add Debian bug reference for CVE-2018-1311/xerces-c - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -115359,7 +115359,7 @@ CVE-2018-1312 (In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest a - apache2 2.4.33-1 NOTE: http://www.openwall.com/lists/oss-security/2018/03/24/7 CVE-2018-1311 (The Apache Xerces-C 3.0.0 to 3.2.2 XML parser contains a use-after-fre ...) - - xerces-c + - xerces-c (bug #947431) NOTE: http://xerces.apache.org/xerces-c/secadv/CVE-2018-1311.txt NOTE: https://issues.apache.org/jira/browse/XERCESC-2188 CVE-2018-1310 (Apache NiFi JMS Deserialization issue because of ActiveMQ client vulne ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2514eacbd414abe47575cf4b3069af7b317aae5d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2514eacbd414abe47575cf4b3069af7b317aae5d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2019-16785,CVE-2019-16786,waitress: Mark as no-dsa for Jessie
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 358db1fc by Markus Koschany at 2019-12-26T20:45:14Z CVE-2019-16785,CVE-2019-16786,waitress: Mark as no-dsa for Jessie Minor issue - - - - - 12eab616 by Markus Koschany at 2019-12-26T20:45:14Z Claim sa-exim in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -15877,12 +15877,14 @@ CVE-2019-16786 (Waitress through version 1.3.1 would parse the Transfer-Encoding - waitress (bug #947306) [buster] - waitress (Minor issue) [stretch] - waitress (Minor issue) + [jessie] - waitress (Minor issue) NOTE: https://github.com/Pylons/waitress/security/advisories/GHSA-g2xc-35jw-c63p NOTE: https://github.com/Pylons/waitress/commit/f11093a6b3240fc26830b6111e826128af7771c3 CVE-2019-16785 (Waitress through version 1.3.1 implemented a "MAY" part of the RFC7230 ...) - waitress (bug #947306) [buster] - waitress (Minor issue) [stretch] - waitress (Minor issue) + [jessie] - waitress (Minor issue) NOTE: https://github.com/Pylons/waitress/security/advisories/GHSA-pg36-wpm5-g57p NOTE: https://github.com/Pylons/waitress/commit/8eba394ad75deaf9e5cd15b78a3d16b12e6b0eba CVE-2019-16784 = data/dla-needed.txt = 
@@ -107,6 +107,8 @@ ruby-rack ruby-rack-cors (Utkarsh Gupta) NOTE: 20191218: Debugging test failures. (utkarsh2102) -- +sa-exim (Markus Koschany) +-- slurm-llnl NOTE: 20191125: up for testing https://people.debian.org/~abhijith/upload/slurm-llnl_14.03.9-5+deb8u5.dsc NOTE: Regression found. (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/831fad91e62673b2bed39aad6639e27269edb938...12eab6161b0ea6821a39bd6e7a95db2aa6c339a0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/831fad91e62673b2bed39aad6639e27269edb938...12eab6161b0ea6821a39bd6e7a95db2aa6c339a0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-1569{1,2,3,4,5}/tigervnc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 831fad91 by Salvatore Bonaccorso at 2019-12-26T20:42:07Z Add Debian bug reference for CVE-2019-1569{1,2,3,4,5}/tigervnc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -18971,27 +18971,27 @@ CVE-2019-15697 CVE-2019-15696 RESERVED CVE-2019-15695 (TigerVNC version prior to 1.10.1 is vulnerable to stack buffer overflo ...) - - tigervnc + - tigervnc (bug #947428) NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2 NOTE: https://github.com/TigerVNC/tigervnc/commit/05e28490873a861379c943bf616614b78b558b89 (master) NOTE: https://github.com/TigerVNC/tigervnc/commit/6c47340e095258a959c95db9aa2a6c715d62bf7c (v1.10.1) CVE-2019-15694 (TigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow ...) - - tigervnc + - tigervnc (bug #947428) NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2 NOTE: https://github.com/TigerVNC/tigervnc/commit/0943c006c7d900dfc0281639e992791d6c567438 (master) NOTE: https://github.com/TigerVNC/tigervnc/commit/f287032d3643a6437f7de0ed35f4c45bb735522d (v1.10.1) CVE-2019-15693 (TigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow ...) - - tigervnc + - tigervnc (bug #947428) NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2 NOTE: https://github.com/TigerVNC/tigervnc/commit/b4ada8d0c6dac98c8b91fc64d112569a8ae5fb95 (master) NOTE: https://github.com/TigerVNC/tigervnc/commit/46c081926efd83c90a45c0a96b1b5bc1927e1346 (v1.10.1) CVE-2019-15692 (TigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow ...) - - tigervnc + - tigervnc (bug #947428) NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2 NOTE: https://github.com/TigerVNC/tigervnc/commit/996356b6c65ca165ee1ea46a571c32a1dc3c3821 (master) NOTE: https://github.com/TigerVNC/tigervnc/commit/ff08ca78b24b5a4ed5263245c7ce8744059ff4ad (v1.10.1) CVE-2019-15691 (TigerVNC version prior to 1.10.1 is vulnerable to stack use-after-retu ...) 
- - tigervnc + - tigervnc (bug #947428) NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2 NOTE: https://github.com/TigerVNC/tigervnc/commit/d61a767d6842b530ffb532ddd5a3d233119aad40 (master) NOTE: https://github.com/TigerVNC/tigervnc/commit/042de4642293df9b72a08189c249e2da79cbca91 (v1.10.1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/831fad91e62673b2bed39aad6639e27269edb938 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/831fad91e62673b2bed39aad6639e27269edb938 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2018-1311/xerces-c
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4090d1b7 by Salvatore Bonaccorso at 2019-12-26T20:35:40Z Add CVE-2018-1311/xerces-c - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -115357,7 +115357,9 @@ CVE-2018-1312 (In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest a - apache2 2.4.33-1 NOTE: http://www.openwall.com/lists/oss-security/2018/03/24/7 CVE-2018-1311 (The Apache Xerces-C 3.0.0 to 3.2.2 XML parser contains a use-after-fre ...) - TODO: check + - xerces-c + NOTE: http://xerces.apache.org/xerces-c/secadv/CVE-2018-1311.txt + NOTE: https://issues.apache.org/jira/browse/XERCESC-2188 CVE-2018-1310 (Apache NiFi JMS Deserialization issue because of ActiveMQ client vulne ...) NOT-FOR-US: Apache NiFi CVE-2018-1309 (Apache NiFi External XML Entity issue in SplitXML processor. Malicious ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4090d1b7b22742b9a717e11e4f84fda82bd28038 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4090d1b7b22742b9a717e11e4f84fda82bd28038 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
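Review bot: the new "- xerces-c" line has no fixed version and no NOTE on whether upstream has released a fix; the linked secadv text and XERCESC-2188 should answer that, and recording the answer (or explicitly "no upstream fix yet") would stop each suite assessment from re-deriving it. A Debian bug reference is also missing at this point; a later commit in this digest adds bug #947431.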
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 43102f71 by Salvatore Bonaccorso at 2019-12-26T20:32:21Z Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,9 +13,9 @@ CVE-2019-19998 (Xiuno BBS 4.0 allows XXE via plugin/xn_wechat_public/route/token CVE-2019-19997 RESERVED CVE-2019-19996 (An issue was discovered on Intelbras IWR 3000N 1.8.7 devices. A malfor ...) - TODO: check + NOT-FOR-US: Intelbras IWR 3000N devices CVE-2019-19995 (A CSRF issue was discovered on Intelbras IWR 3000N 1.8.7 devices, lead ...) - TODO: check + NOT-FOR-US: Intelbras IWR 3000N devices CVE-2019-19994 RESERVED CVE-2019-19993 @@ -17077,9 +17077,9 @@ CVE-2019-16329 CVE-2019-16328 (In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify ...) - rpyc CVE-2019-16327 (D-Link DIR-601 B1 2.00NA devices are vulnerable to authentication bypa ...) - TODO: check + NOT-FOR-US: D-Link CVE-2019-16326 (D-Link DIR-601 B1 2.00NA devices have CSRF because no anti-CSRF token ...) - TODO: check + NOT-FOR-US: D-Link CVE-2019-16325 RESERVED CVE-2019-16324 
@@ -41851,21 +41851,21 @@ CVE-2019-8535 (A memory corruption issue was addressed with improved state manag CVE-2019-8534 RESERVED CVE-2019-8533 (A lock handling issue was addressed with improved lock handling. This ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-8532 RESERVED CVE-2019-8531 RESERVED CVE-2019-8530 (This issue was addressed with improved checks. This issue is fixed in ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-8529 (A memory corruption issue was addressed with improved input validation ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-8528 RESERVED CVE-2019-8527 (A buffer overflow was addressed with improved size validation. This is ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-8526 (A use after free issue was addressed with improved memory management. ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-8525 RESERVED CVE-2019-8524 (Multiple memory corruption issues were addressed with improved memory ...) 
@@ -41879,59 +41879,59 @@ CVE-2019-8523 (Multiple memory corruption issues were addressed with improved me [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0002.html CVE-2019-8522 (A logic issue was addressed with improved state management. This issue ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-8521 (This issue was addressed with improved checks. This issue is fixed in ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-8520 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-8519 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-8518 (Multiple memory corruption issues were addressed with improved memory ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0002.html CVE-2019-8517 (An out-of-bounds read was addressed with improved bounds checking. Thi ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-8516 (A validation issue was addressed with improved logic. This issue is fi ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-8515 (A cross-origin issue existed with the fetch API. This was addressed wi ...) - webkit2gtk 2.24.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) [jessie] - webkit2gtk (Not covered by security support in jessie) NOTE: https://webkitgtk.org/security/WSA-2019-0002.html CVE-2019-8514 (A logic issue was addressed with improved state management. This issue ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-8513 (This issue was addressed with improved checks. This issue is fixed in ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-8512 (This issue was addressed with improved transparency. This issue is fix ...) 
- TODO: check + NOT-FOR-US: Apple CVE-2019-8511 (A buffer overflow issue was addressed with improved memory handling. T ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-8510 (An out-of-bounds read issue existed that led to the disclosure of kern ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-8509 RESERVED CVE-2019-8508 (A buffer overflow was addressed with improved bounds checking. This is ...) - TODO: check + NOT-FOR-US: Apple
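Review bot: CVE-2019-8510's description ("disclosure of kern...") identifies a kernel-memory disclosure, so NOT-FOR-US: Apple is clearly right for it, and the same holds for anything else in this hunk that is not a WebKit issue; the point to double-check is the cluster of entries with descriptions too generic to classify from the text alone (CVE-2019-8511 through 8514, 8516, 8517, 8519 through 8522, "improved state management", "improved checks"), which sit between three entries that are tracked against webkit2gtk 2.24.1-1. For the webkit2gtk entries, the stretch and jessie "Not covered by security support" tags plus the 2.24.1-1 fixed version leave buster implicitly fixed by version, which is consistent with how the rest of the file handles webkit2gtk.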
[Git][security-tracker-team/security-tracker][master] Process some NFUs for theme(s) for WordPress
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e97ec056 by Salvatore Bonaccorso at 2019-12-26T20:21:25Z Process some NFUs for theme(s) for WordPress - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5098,11 +5098,11 @@ CVE-2019-19545 (Norton Password Manager, prior to 6.6.2.5, may be susceptible to CVE-2019-19544 RESERVED CVE-2019-19542 (The ListingPro theme before v2.0.14.2 for WordPress has Persistent XSS ...) - TODO: check + NOT-FOR-US: ListingPro theme for WordPress CVE-2019-19541 (The ListingPro theme before v2.0.14.2 for WordPress has Persistent XSS ...) - TODO: check + NOT-FOR-US: ListingPro theme for WordPress CVE-2019-19540 (The ListingPro theme before v2.0.14.2 for WordPress has Reflected XSS ...) - TODO: check + NOT-FOR-US: ListingPro theme for WordPress CVE-2019-19543 (In the Linux kernel before 5.1.6, there is a use-after-free in serial_ ...) - linux 5.2.6-1 [buster] - linux 4.19.67-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e97ec056d1b7e28becef385cc80b0c5fe87d5b9d
[Git][security-tracker-team/security-tracker][master] Add CVE-2019-1569{1,2,3,4,5}/tigervnc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6183e432 by Salvatore Bonaccorso at 2019-12-26T20:18:17Z Add CVE-2019-1569{1,2,3,4,5}/tigervnc Note that the CVEs are specifically for TigerVNC. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -18971,15 +18971,30 @@ CVE-2019-15697 CVE-2019-15696 RESERVED CVE-2019-15695 (TigerVNC version prior to 1.10.1 is vulnerable to stack buffer overflo ...) - TODO: check + - tigervnc + NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2 + NOTE: https://github.com/TigerVNC/tigervnc/commit/05e28490873a861379c943bf616614b78b558b89 (master) + NOTE: https://github.com/TigerVNC/tigervnc/commit/6c47340e095258a959c95db9aa2a6c715d62bf7c (v1.10.1) CVE-2019-15694 (TigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow ...) - TODO: check + - tigervnc + NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2 + NOTE: https://github.com/TigerVNC/tigervnc/commit/0943c006c7d900dfc0281639e992791d6c567438 (master) + NOTE: https://github.com/TigerVNC/tigervnc/commit/f287032d3643a6437f7de0ed35f4c45bb735522d (v1.10.1) CVE-2019-15693 (TigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow ...) - TODO: check + - tigervnc + NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2 + NOTE: https://github.com/TigerVNC/tigervnc/commit/b4ada8d0c6dac98c8b91fc64d112569a8ae5fb95 (master) + NOTE: https://github.com/TigerVNC/tigervnc/commit/46c081926efd83c90a45c0a96b1b5bc1927e1346 (v1.10.1) CVE-2019-15692 (TigerVNC version prior to 1.10.1 is vulnerable to heap buffer overflow ...) - TODO: check + - tigervnc + NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2 + NOTE: https://github.com/TigerVNC/tigervnc/commit/996356b6c65ca165ee1ea46a571c32a1dc3c3821 (master) + NOTE: https://github.com/TigerVNC/tigervnc/commit/ff08ca78b24b5a4ed5263245c7ce8744059ff4ad (v1.10.1) CVE-2019-15691 (TigerVNC version prior to 1.10.1 is vulnerable to stack use-after-retu ...) 
- TODO: check + - tigervnc + NOTE: https://www.openwall.com/lists/oss-security/2019/12/20/2 + NOTE: https://github.com/TigerVNC/tigervnc/commit/d61a767d6842b530ffb532ddd5a3d233119aad40 (master) + NOTE: https://github.com/TigerVNC/tigervnc/commit/042de4642293df9b72a08189c249e2da79cbca91 (v1.10.1) CVE-2019-15690 RESERVED CVE-2019-15689 (Kaspersky Secure Connection, Kaspersky Internet Security, Kaspersky To ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6183e432bfe8cb1417a510e34b3b2800fa9a6462
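Review bot: all five entries get a bare "- tigervnc" source line with neither a fixed version nor a Debian bug reference, although each NOTE block already records both the master and the v1.10.1 fix commit and the descriptions say "prior to 1.10.1"; the unstable fixed version should be filled in as soon as 1.10.1 (or a cherry-pick of the five v1.10.1 commits) is uploaded, and a bug number would let the tracker and the maintainer follow it. The qualification in the commit message ("Note that the CVEs are specifically for TigerVNC") is not recorded in the data itself; a NOTE on at least one of the entries would preserve it for anyone re-triaging against other VNC packages later, since all five entries cite the same oss-security post (2019/12/20/2).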
[Git][security-tracker-team/security-tracker][master] Group source and NOTEs for CVE-2019-12422
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d26859f8 by Salvatore Bonaccorso at 2019-12-26T20:11:52Z Group source and NOTEs for CVE-2019-12422 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29873,9 +29873,9 @@ CVE-2019-12423 RESERVED CVE-2019-12422 (Apache Shiro before 1.4.2, when using the default "remember me" config ...) - shiro + [jessie] - shiro (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2019/11/18/1 NOTE: Fixed by https://github.com/apache/shiro/commit/44f6548b97610cdf661976969d5735c0be14a57b#diff-a8fc9cf5d6f24966aa18cdf0850a730e - [jessie] - shiro (Minor issue) CVE-2019-12421 (When using an authentication mechanism other than PKI, when the user c ...) NOT-FOR-US: Apache NiFi CVE-2019-12420 (In Apache SpamAssassin before 3.4.3, a message can be crafted in a way ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d26859f810dd1924fd04f20e2ca5c4776336
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7075a74d by security tracker role at 2019-12-26T20:10:25Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12,10 +12,10 @@ CVE-2019-19998 (Xiuno BBS 4.0 allows XXE via plugin/xn_wechat_public/route/token TODO: check CVE-2019-19997 RESERVED -CVE-2019-19996 - RESERVED -CVE-2019-19995 - RESERVED +CVE-2019-19996 (An issue was discovered on Intelbras IWR 3000N 1.8.7 devices. A malfor ...) + TODO: check +CVE-2019-19995 (A CSRF issue was discovered on Intelbras IWR 3000N 1.8.7 devices, lead ...) + TODO: check CVE-2019-19994 RESERVED CVE-2019-19993 @@ -3585,6 +3585,7 @@ CVE-2019-19711 CVE-2019-19710 RESERVED CVE-2019-19709 (MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklis ...) + {DSA-4592-1} - mediawiki 1:1.31.6-1 NOTE: https://gerrit.wikimedia.org/r/q/Ie54f366986056c876eade0fcad6c41f70b8b8de8 NOTE: https://phabricator.wikimedia.org/T239466 @@ -3692,8 +3693,8 @@ CVE-2019-19683 (RoxyFileman, as shipped with nopCommerce v4.2.0, is vulnerable t NOT-FOR-US: RoxyFileman in nopCommerce CVE-2019-19682 (nopCommerce through 4.20 allows XSS in the SaveStoreMappings of the co ...) NOT-FOR-US: nopCommerce -CVE-2019-19681 - RESERVED +CVE-2019-19681 (Pandora FMS 7.x suffers from remote code execution vulnerability. With ...) + TODO: check CVE-2019-19680 RESERVED CVE-2019-19679 (In "Xray Test Management for Jira" prior to version 3.5.5, remote auth ...) 
@@ -5096,12 +5097,12 @@ CVE-2019-19545 (Norton Password Manager, prior to 6.6.2.5, may be susceptible to NOT-FOR-US: Norton Password Manager CVE-2019-19544 RESERVED -CVE-2019-19542 - RESERVED -CVE-2019-19541 - RESERVED -CVE-2019-19540 - RESERVED +CVE-2019-19542 (The ListingPro theme before v2.0.14.2 for WordPress has Persistent XSS ...) + TODO: check +CVE-2019-19541 (The ListingPro theme before v2.0.14.2 for WordPress has Persistent XSS ...) + TODO: check +CVE-2019-19540 (The ListingPro theme before v2.0.14.2 for WordPress has Reflected XSS ...) + TODO: check CVE-2019-19543 (In the Linux kernel before 5.1.6, there is a use-after-free in serial_ ...) - linux 5.2.6-1 [buster] - linux 4.19.67-1 @@ -5806,8 +5807,8 @@ CVE-2019-19400 RESERVED CVE-2019-19399 RESERVED -CVE-2019-19398 - RESERVED +CVE-2019-19398 (M5 lite 10 with versions of 8.0.0.182(C00) have an insufficient input ...) + TODO: check CVE-2019-19397 (There is a weak algorithm vulnerability in some Huawei products. The a ...) NOT-FOR-US: Huawei CVE-2019-19396 (illumos, as used in OmniOS Community Edition before r151030y, allows a ...) @@ -15868,8 +15869,8 @@ CVE-2019-16791 RESERVED CVE-2019-16790 RESERVED -CVE-2019-16789 - RESERVED +CVE-2019-16789 (In Waitress through version 1.4.0, if a proxy server is used in front ...) + TODO: check CVE-2019-16788 RESERVED CVE-2019-16786 (Waitress through version 1.3.1 would parse the Transfer-Encoding heade ...) 
@@ -15892,10 +15893,10 @@ CVE-2019-16782 (There's a possible information leak / session hijack vulnerabili - ruby-rack (bug #946983) NOTE: https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38 NOTE: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3 -CVE-2019-16781 - RESERVED -CVE-2019-16780 - RESERVED +CVE-2019-16781 (In WordPress before 5.3.1, authenticated users with lower privileges ( ...) + TODO: check +CVE-2019-16780 (WordPress users with lower privileges (like contributors) can inject J ...) + TODO: check CVE-2019-16779 (In RubyGem excon before 0.71.0, there was a race condition around pers ...) - ruby-excon (bug #946904) NOTE: https://github.com/excon/excon/security/advisories/GHSA-q58g-455p-8vw9 @@ -17075,10 +17076,10 @@ CVE-2019-16329 RESERVED CVE-2019-16328 (In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify ...) - rpyc -CVE-2019-16327 - RESERVED -CVE-2019-16326 - RESERVED +CVE-2019-16327 (D-Link DIR-601 B1 2.00NA devices are vulnerable to authentication bypa ...) + TODO: check +CVE-2019-16326 (D-Link DIR-601 B1 2.00NA devices have CSRF because no anti-CSRF token ...) + TODO: check CVE-2019-16325 RESERVED CVE-2019-16324 @@ -18969,16 +18970,16 @@ CVE-2019-15697 RESERVED CVE-2019-15696 RESERVED -CVE-2019-15695 - RESERVED -CVE-2019-15694 - RESERVED -CVE-2019-15693 - RESERVED -CVE-2019-15692 - RESERVED -CVE-2019-15691 - RESERVED +CVE-2019-15695 (TigerVNC version prior to 1.10.1 is vulnerable to stack bu
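Review bot: among the entries this update moves from RESERVED to TODO: check, CVE-2019-16789 (Waitress) and CVE-2019-16780/CVE-2019-16781 (WordPress) concern software that is packaged in Debian (waitress, wordpress), so they need real triage with a source line and fixed version rather than the NOT-FOR-US that the Intelbras IWR 3000N, D-Link DIR-601, Huawei M5 lite and Pandora FMS entries will get; the same applies to CVE-2019-16786 (Waitress through 1.3.1), which is visible in the same hunk. The {DSA-4592-1} reference added to CVE-2019-19709 matches the mediawiki DSA list entry elsewhere in this digest, and the five TigerVNC entries that appear at the (truncated) end of the update are the ones filled in by the later "Add CVE-2019-1569{1,2,3,4,5}/tigervnc" commit.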
[Git][security-tracker-team/security-tracker][master] CVE-2019-12422,shiro: Mark as no-dsa for Jessie.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c834d957 by Markus Koschany at 2019-12-26T20:07:10Z CVE-2019-12422,shiro: Mark as no-dsa for Jessie. Minor issue. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29874,6 +29874,7 @@ CVE-2019-12422 (Apache Shiro before 1.4.2, when using the default "remember me" - shiro NOTE: https://www.openwall.com/lists/oss-security/2019/11/18/1 NOTE: Fixed by https://github.com/apache/shiro/commit/44f6548b97610cdf661976969d5735c0be14a57b#diff-a8fc9cf5d6f24966aa18cdf0850a730e + [jessie] - shiro (Minor issue) CVE-2019-12421 (When using an authentication mechanism other than PKI, when the user c ...) NOT-FOR-US: Apache NiFi CVE-2019-12420 (In Apache SpamAssassin before 3.4.3, a message can be crafted in a way ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c834d9570c3b06f6d20f300f3cf09f74f9dc5b62
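Review bot: the new "[jessie] - shiro (Minor issue)" line is appended after the two NOTE lines, whereas the convention visible elsewhere in this digest (the libyang and sudo entries) puts release tags directly under the source line, before any NOTE; it belongs immediately after "- shiro". The "Group source and NOTEs for CVE-2019-12422" commit that follows in the log does exactly that reorder.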
[Git][security-tracker-team/security-tracker][master] 2 commits: Reference advisory for CVE-2019-13611/python-engineio
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 789860f1 by Salvatore Bonaccorso at 2019-12-26T19:56:51Z Reference advisory for CVE-2019-13611/python-engineio - - - - - cfb0e797 by Salvatore Bonaccorso at 2019-12-26T19:57:46Z Add fixed version via unstable for CVE-2019-13611/python-engineio - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25644,8 +25644,9 @@ CVE-2019-13613 (CMD_FTEST_CONFIG in the TP-Link Device Debug protocol in TP-Link CVE-2019-13612 (MDaemon Email Server 19 skips SpamAssassin checks by default for e-mai ...) NOT-FOR-US: MDaemon Email Server CVE-2019-13611 (An issue was discovered in python-engineio through 3.8.2. There is a C ...) - - python-engineio (bug #932538) + - python-engineio 3.11.1-1 (bug #932538) NOTE: https://github.com/miguelgrinberg/python-engineio/issues/128 + NOTE: https://github.com/miguelgrinberg/python-engineio/security/advisories/GHSA-j3jp-gvr5-7hwq CVE-2019-13610 RESERVED CVE-2019-13609 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/bba0f7cf8345e380c329723575f6a652beb3d457...cfb0e7974d982478aff455ef88b019e8a33087ef
[Git][security-tracker-team/security-tracker][master] CVE-2019-12422,shiro: Link to fixing commit
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: bba0f7cf by Markus Koschany at 2019-12-26T18:59:06Z CVE-2019-12422,shiro: Link to fixing commit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29872,7 +29872,7 @@ CVE-2019-12423 CVE-2019-12422 (Apache Shiro before 1.4.2, when using the default "remember me" config ...) - shiro NOTE: https://www.openwall.com/lists/oss-security/2019/11/18/1 - TODO: check details on fix + NOTE: Fixed by https://github.com/apache/shiro/commit/44f6548b97610cdf661976969d5735c0be14a57b#diff-a8fc9cf5d6f24966aa18cdf0850a730e CVE-2019-12421 (When using an authentication mechanism other than PKI, when the user c ...) NOT-FOR-US: Apache NiFi CVE-2019-12420 (In Apache SpamAssassin before 3.4.3, a message can be crafted in a way ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bba0f7cf8345e380c329723575f6a652beb3d457
[Git][security-tracker-team/security-tracker][master] mediawiki DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: acd0f141 by Moritz Muehlenhoff at 2019-12-26T18:24:21Z mediawiki DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[26 Dec 2019] DSA-4592-1 mediawiki - security update + {CVE-2019-19709} + [stretch] - mediawiki 1:1.27.7-1~deb9u3 + [buster] - mediawiki 1:1.31.6-1~deb10u1 [20 Dec 2019] DSA-4591-1 cyrus-sasl2 - security update {CVE-2019-19906} [stretch] - cyrus-sasl2 2.1.27~101-g0780600+dfsg-3+deb9u1 = data/dsa-needed.txt = @@ -36,8 +36,6 @@ libopenmpt linux (carnil) Wait until more issues have piled up -- -mediawiki (jmm) --- mercurial/oldstable -- nodejs View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/acd0f141e2af307e8b1967059d1f1e9564c974ac
[Git][security-tracker-team/security-tracker][master] libyang fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ed4c3f6e by Moritz Muehlenhoff at 2019-12-26T18:00:21Z libyang fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6140,11 +6140,11 @@ CVE-2019-19335 RESERVED NOT-FOR-US: OpenShift CVE-2019-19334 (In all versions of libyang before 1.0-r5, a stack-based buffer overflo ...) - - libyang (bug #946217) + - libyang 0.16.105-2 (bug #946217) [buster] - libyang (Minor issue) NOTE: https://github.com/CESNET/libyang/commit/6980afae2ff9fcd6d67508b0a3f694d75fd059d6 CVE-2019-19333 (In all versions of libyang before 1.0-r5, a stack-based buffer overflo ...) - - libyang (bug #946217) + - libyang 0.16.105-2 (bug #946217) [buster] - libyang (Minor issue) NOTE: https://github.com/CESNET/libyang/commit/f6d684ade99dd37b21babaa8a856f64faa1e2e0d CVE-2019-19332 [KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ed4c3f6e221225d49e8472e7f4b0b242ba121bd2
[Git][security-tracker-team/security-tracker][master] CVE-2019-19232,CVE-2019-19234,sudo: Mark as no-dsa for Jessie.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 9fe07501 by Markus Koschany at 2019-12-26T17:42:21Z CVE-2019-19232,CVE-2019-19234,sudo: Mark as no-dsa for Jessie. Minor issue because attacker must have access to a Runas ALL account already. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6460,6 +6460,7 @@ CVE-2019-19234 (In Sudo through 1.8.29, the fact that a user has been blocked (e - sudo (bug #947225) [buster] - sudo (Minor issue) [stretch] - sudo (Minor issue) + [jessie] - sudo (Minor issue) NOTE: https://www.sudo.ws/devel.html#1.8.30b2 CVE-2019-19233 RESERVED @@ -6467,6 +6468,7 @@ CVE-2019-19232 (In Sudo through 1.8.29, an attacker with access to a Runas ALL s - sudo (bug #947225) [buster] - sudo (Minor issue) [stretch] - sudo (Minor issue) + [jessie] - sudo (Minor issue) NOTE: https://www.sudo.ws/devel.html#1.8.30b2 CVE-2019-19231 (An insecure file access vulnerability exists in CA Client Automation 1 ...) NOT-FOR-US: CA Client Automation View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9fe07501ee08ea88f6cd79b3863b92271656c5f3
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2019-19906/cyrus-sasl2 via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 49fc6cb1 by Salvatore Bonaccorso at 2019-12-26T16:22:49Z Add fixed version for CVE-2019-19906/cyrus-sasl2 via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -312,7 +312,7 @@ CVE-2019-19891 RESERVED CVE-2019-19906 (cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write leading ...) {DSA-4591-1 DLA-2044-1} - - cyrus-sasl2 (bug #947043) + - cyrus-sasl2 2.1.27+dfsg-2 (bug #947043) NOTE: https://github.com/cyrusimap/cyrus-sasl/issues/587 NOTE: https://www.openldap.org/its/index.cgi/Incoming?id=9123 CVE-2019-16787 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/49fc6cb150395fe54f1958ea2e38bdc7238b83e4
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2019-19794/golang-github-miekg-dns
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 942ada37 by Salvatore Bonaccorso at 2019-12-26T13:25:45Z Add Debian bug reference for CVE-2019-19794/golang-github-miekg-dns - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1169,7 +1169,7 @@ CVE-2019-19796 (Yabasic 2.86.2 has a heap-based buffer overflow in myformat in f CVE-2019-19795 (samurai 0.7 has a heap-based buffer overflow in canonpath in util.c vi ...) NOT-FOR-US: samurai CVE-2019-19794 (The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6. ...) - - golang-github-miekg-dns + - golang-github-miekg-dns (bug #947403) NOTE: https://github.com/coredns/coredns/issues/3519 NOTE: https://github.com/miekg/dns/commit/8ebf2e419df7857ac8919baa05248789a8ffbf33 NOTE: https://github.com/miekg/dns/issues/1043 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/942ada372fe16ca89672a9609020492e50baf6fe
[Git][security-tracker-team/security-tracker][master] Fix inconsistent leading indent before if statement
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 716bf276 by Brian May at 2019-12-26T13:21:01Z Fix inconsistent leading indent before if statement - - - - - 1 changed file: - lib/python/security_db.py Changes: = lib/python/security_db.py = @@ -1055,8 +1055,8 @@ class DB: UNION SELECT DISTINCT release, subrelease, archive, source_arch() as archs FROM source_packages) ORDER BY release_to_number(release), subrelease_to_number(subrelease), archive_to_number(archive)"""): - if "source" in archs: - sources=True +if "source" in archs: +sources=True else: sources=False (p_rel, p_subrel, p_archive, p_sources, p_archs) = result.pop() View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/716bf2761a1c30ee49d57a6278956eed0153ceb0
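Review bot: the extracted hunk has lost its leading whitespace, so the before/after indentation of the `if "source" in archs:` / `sources=True` pair cannot be verified from what is shown; given the commit message, the defect is most likely a tab/space mix, which Python 3 rejects at compile time with a TabError rather than at the point of use. A compile check of lib/python/security_db.py (python3 -m py_compile) on the resulting tree would confirm the fix, and the lines that follow as unchanged context (`else:`, `sources=False`, the `result.pop()` assignment) must end up at the same indentation level as the corrected `if`, since they are part of the same loop body.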
[Git][security-tracker-team/security-tracker][master] Track upstream commit for CVE-2019-19794/golang-github-miekg-dns
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 92ed7c25 by Salvatore Bonaccorso at 2019-12-26T13:11:18Z Track upstream commit for CVE-2019-19794/golang-github-miekg-dns - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1171,7 +1171,7 @@ CVE-2019-19795 (samurai 0.7 has a heap-based buffer overflow in canonpath in uti CVE-2019-19794 (The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6. ...) - golang-github-miekg-dns NOTE: https://github.com/coredns/coredns/issues/3519 - NOTE: https://github.com/miekg/dns/compare/v1.1.24...v1.1.25 + NOTE: https://github.com/miekg/dns/commit/8ebf2e419df7857ac8919baa05248789a8ffbf33 NOTE: https://github.com/miekg/dns/issues/1043 NOTE: https://github.com/miekg/dns/pull/1044 CVE-2019-19793 (In Cyxtera AppGate SDP Client 4.1.x through 4.3.x before 4.3.2 on Wind ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/92ed7c25c778018e35abcfdbc8af69feb1819e73
[Git][security-tracker-team/security-tracker][master] 3 commits: Reference upstream commit for CVE-2019-19647/radare2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0b3acc7b by Salvatore Bonaccorso at 2019-12-26T12:44:36Z Reference upstream commit for CVE-2019-19647/radare2 - - - - - a9b94d42 by Salvatore Bonaccorso at 2019-12-26T12:45:04Z Mark CVE-2019-19647/radare2 as no-dsa for buster and stretch - - - - - 46f8c7f1 by Salvatore Bonaccorso at 2019-12-26T12:52:54Z Add Debian bug reference for CVE-2019-19647/radare2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3762,8 +3762,11 @@ CVE-2019-19648 (In the macho_parse_file functionality in macho/macho.c of YARA 3 - yara NOTE: https://github.com/VirusTotal/yara/issues/1178 CVE-2019-19647 (radare2 through 4.0.0 lacks validation of the content variable in the ...) - - radare2 + - radare2 (bug #947402) + [buster] - radare2 (Minor issue) + [stretch] - radare2 (Minor issue) NOTE: https://github.com/radareorg/radare2/issues/15545 + NOTE: https://github.com/radareorg/radare2/commit/07b5e062f2d4a00403ff031302cb18dfa58e3805 (4.1.0) CVE-2019-19646 (pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_ ...) - sqlite3 (Generated column support added later) NOTE: https://github.com/sqlite/sqlite/commit/926f796e8feec15f3836aa0a060ed906f8ae04d3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/6b383ca766819eaa97b59d9f5ddbf74eb490bb2b...46f8c7f1f27bf031521757237d34d5829e1e4e25
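Review bot: the no-dsa tags for buster and stretch are added, but the unstable source line ("- radare2 (bug #947402)") still carries no fixed version even though the fix commit is annotated "(4.1.0)"; that leaves the entry open for unstable until radare2 4.1.0, or a cherry-pick of 07b5e062, is uploaded, which is acceptable only because the bug reference is now in place to track it. The three-commit split (reference, no-dsa, bug) is fine, but a single commit would have been easier to revert as a unit if the "Minor issue" assessment is revisited.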
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6b383ca7 by Salvatore Bonaccorso at 2019-12-26T08:18:46Z Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,7 +5,7 @@ CVE-2019-20002 CVE-2019-20001 RESERVED CVE-2019-2 (The malware scan function in BullGuard Premium Protection 20.0.371.8 h ...) - TODO: check + NOT-FOR-US: BullGuard Premium Protection CVE-2019-1 (Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) ...) TODO: check CVE-2019-19998 (Xiuno BBS 4.0 allows XXE via plugin/xn_wechat_public/route/token.php. ...) @@ -35,19 +35,19 @@ CVE-2019-19987 CVE-2019-19986 RESERVED CVE-2019-19985 (The WordPress plugin, Email Subscribers & Newsletters, before 4.2. ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2019-19984 (The WordPress plugin, Email Subscribers & Newsletters, before 4.2. ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2019-19983 (In the WordPress plugin, Fast Velocity Minify before 2.7.7, the full w ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2019-19982 (The WordPress plugin, Email Subscribers & Newsletters, before 4.2. ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2019-19981 (The WordPress plugin, Email Subscribers & Newsletters, before 4.2. ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2019-19980 (The WordPress plugin, Email Subscribers & Newsletters, before 4.2. ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2019-19979 (A flaw in the WordPress plugin, WP Maintenance before 5.0.6, allowed a ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2019-19978 RESERVED CVE-2019-19976 
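Review bot: the seven WordPress entries are closed with the uniform reason "NOT-FOR-US: WordPress plugin", which drops the plugin names that the descriptions carry (Email Subscribers & Newsletters, Fast Velocity Minify, WP Maintenance); naming the plugin in the NOT-FOR-US text, as the BullGuard entry in the first hunk does for its product, keeps the entry findable by a later grep for the plugin name. CVE-2019-1 (Halo SSTI) is left at TODO: check in the same hunk and still needs a decision.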
@@ -69,7 +69,7 @@ CVE-2019-19969 CVE-2019-19968 RESERVED CVE-2019-19967 (The Administration page on Connect Box EuroDOCSIS 3.0 Voice Gateway CH ...) - TODO: check + NOT-FOR-US: Connect Box EuroDOCSIS 3.0 Voice Gateway devices CVE-2019-19977 (libESMTP through 1.0.6 mishandles domain copying into a fixed-size buf ...) - libesmtp (unimportant) NOTE: https://github.com/Kirin-say/Vulnerabilities/blob/master/Stack_Overflow_in_libesmtp.md View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6b383ca766819eaa97b59d9f5ddbf74eb490bb2b
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 924b5d17 by security tracker role at 2019-12-26T08:10:15Z automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,4 +1,76 @@ -CVE-2019-19977 [stack-based buffer over-read] +CVE-2019-20003 + RESERVED +CVE-2019-20002 + RESERVED +CVE-2019-20001 + RESERVED +CVE-2019-2 (The malware scan function in BullGuard Premium Protection 20.0.371.8 h ...) + TODO: check +CVE-2019-1 (Halo before 1.2.0-beta.1 allows Server Side Template Injection (SSTI) ...) + TODO: check +CVE-2019-19998 (Xiuno BBS 4.0 allows XXE via plugin/xn_wechat_public/route/token.php. ...) + TODO: check +CVE-2019-19997 + RESERVED +CVE-2019-19996 + RESERVED +CVE-2019-19995 + RESERVED +CVE-2019-19994 + RESERVED +CVE-2019-19993 + RESERVED +CVE-2019-19992 + RESERVED +CVE-2019-19991 + RESERVED +CVE-2019-19990 + RESERVED +CVE-2019-19989 + RESERVED +CVE-2019-19988 + RESERVED +CVE-2019-19987 + RESERVED +CVE-2019-19986 + RESERVED +CVE-2019-19985 (The WordPress plugin, Email Subscribers & Newsletters, before 4.2. ...) + TODO: check +CVE-2019-19984 (The WordPress plugin, Email Subscribers & Newsletters, before 4.2. ...) + TODO: check +CVE-2019-19983 (In the WordPress plugin, Fast Velocity Minify before 2.7.7, the full w ...) + TODO: check +CVE-2019-19982 (The WordPress plugin, Email Subscribers & Newsletters, before 4.2. ...) + TODO: check +CVE-2019-19981 (The WordPress plugin, Email Subscribers & Newsletters, before 4.2. ...) + TODO: check +CVE-2019-19980 (The WordPress plugin, Email Subscribers & Newsletters, before 4.2. ...) + TODO: check +CVE-2019-19979 (A flaw in the WordPress plugin, WP Maintenance before 5.0.6, allowed a ...) + TODO: check +CVE-2019-19978 + RESERVED +CVE-2019-19976 + RESERVED +CVE-2019-19975 + RESERVED +CVE-2019-19974 + RESERVED +CVE-2019-19973 + RESERVED +CVE-2019-19972 + RESERVED +CVE-2019-19971 + RESERVED +CVE-2019-19970 + RESERVED +CVE-2019-19969 + RESERVED +CVE-2019-19968 + RESERVED +CVE-2019-19967 (The Administration page on Connect Box EuroDOCSIS 3.0 Voice Gateway CH ...) + TODO: check +CVE-2019-19977 (libESMTP through 1.0.6 mishandles domain copying into a fixed-size buf ...) 
- libesmtp (unimportant) NOTE: https://github.com/Kirin-say/Vulnerabilities/blob/master/Stack_Overflow_in_libesmtp.md NOTE: NTLM support not enabled in the Debian builds. @@ -68096,8 +68168,8 @@ CVE-2018-18290 (** DISPUTED ** An issue was discovered in nc-cms through 2017-03 NOT-FOR-US: nc-cms CVE-2018-18289 (The MESILAT Zabbix plugin before 1.1.15 for Atlassian Confluence allow ...) NOT-FOR-US: Zabbix Plugin for Confluence -CVE-2018-18288 - RESERVED +CVE-2018-18288 (CrushFTP through 8.3.0 is vulnerable to credentials theft via URL redi ...) + TODO: check CVE-2018-18287 (On ASUS RT-AC58U 3.0.0.4.380_6516 devices, remote attackers can discov ...) NOT-FOR-US: ASUS RT-AC58U devices CVE-2018-18286 (SQL injection vulnerabilities in CMG Suite 8.4 SP2 and earlier, could ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/924b5d17e500858dfb64f1240ae03617b2e3411e
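Review bot: the first hunk inserts the new block of IDs (CVE-2019-20003 down to CVE-2019-19967) above the existing CVE-2019-19977 entry, replacing its placeholder title "[stack-based buffer over-read]" with the published description while keeping its libesmtp source line and both NOTEs (including "NTLM support not enabled in the Debian builds") as unchanged context; the side effect is that 19977 now sits below 19967, out of the descending order the rest of the file keeps, and CVE-2019-2 and CVE-2019-1 land between 20001 and 19998, so the updater's placement is not purely numeric. Nothing is lost, but a manual reorder of 19977 into the 19978/19976 gap would stop it being overlooked by someone scanning by number. In the second hunk CVE-2018-18288 (CrushFTP) goes to TODO: check and will need the same NOT-FOR-US handling as the surrounding nc-cms, Zabbix plugin and ASUS entries.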