[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Sat Dec 1 08:10:27 GMT 2018 

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b7f0c2a3 by security tracker role at 2018-12-01T08:10:19Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,15 @@
+CVE-2018-19786
+	RESERVED
+CVE-2018-19785 (PHP-Proxy through 5.1.0 has Cross-Site Scripting (XSS) via the URL ...)
+	TODO: check
+CVE-2018-19784 (The str_rot_pass function in ...)
+	TODO: check
+CVE-2018-19783
+	RESERVED
+CVE-2018-19782
+	RESERVED
+CVE-2018-19781
+	RESERVED
 CVE-2018-19780
 	RESERVED
 CVE-2018-19779
@@ -5928,7 +5940,7 @@ CVE-2018-18559 (In the Linux kernel through 4.19, a use-after-free can occur due
 CVE-2018-18558
 	RESERVED
 CVE-2018-18557 (LibTIFF 4.0.9 (with JBIG enabled) decodes arbitrarily-sized JBIG into a ...)
-	{DLA-1557-1}
+	{DSA-4349-1 DLA-1557-1}
 	- tiff 4.0.9+git181026-1 (bug #911635)
 	- tiff3 <removed>
 	NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1697
@@ -7966,9 +7978,11 @@ CVE-2018-17794 (An issue was discovered in cplus-dem.c in GNU libiberty, as dist
 	[jessie] - binutils <ignored> (Minor issue)
 	NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87350
 CVE-2015-9268 (Nullsoft Scriptable Install System (NSIS) before 2.49 has unsafe ...)
+	{DLA-1602-1}
 	- nsis 2.50-1
 	NOTE: https://sourceforge.net/p/nsis/bugs/1125/
 CVE-2015-9267 (Nullsoft Scriptable Install System (NSIS) before 2.49 uses temporary ...)
+	{DLA-1602-1}
 	- nsis 2.50-1
 	NOTE: https://sourceforge.net/p/nsis/bugs/1125/
 CVE-2018-17793 (** DISPUTED ** Virtualenv 16.0.0 allows a sandbox escape via "python ...)
@@ -9574,7 +9588,7 @@ CVE-2018-17103 (** DISPUTED ** An issue was discovered in GetSimple CMS v3.3.13.
 CVE-2018-17102 (An issue was discovered in QuickAppsCMS (aka QACMS) through ...)
 	NOT-FOR-US: QuickAppsCMS
 CVE-2018-17101 (An issue was discovered in LibTIFF 4.0.9. There are two out-of-bounds ...)
-	{DLA-1557-1}
+	{DSA-4349-1 DLA-1557-1}
 	- tiff 4.0.9+git181026-1 (bug #909037)
 	- tiff3 <removed>
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2807
@@ -11570,6 +11584,7 @@ CVE-2018-16336 (Exiv2::Internal::PngChunk::parseTXTChunk in Exiv2 v0.26 allows r
 	NOTE: https://github.com/Exiv2/exiv2/issues/400
 	NOTE: https://github.com/Exiv2/exiv2/commit/35b3e596edacd2437c2c5d3dd2b5c9502626163d
 CVE-2018-16335 (newoffsets handling in ChopUpSingleUncompressedStrip in tif_dirread.c ...)
+	{DSA-4349-1}
 	- tiff 4.0.9-5 (bug #907795)
 	[jessie] - tiff 4.0.3-12.3+deb8u6
 	- tiff3 <removed>
@@ -13133,10 +13148,10 @@ CVE-2018-15718
 	RESERVED
 CVE-2018-15717
 	RESERVED
-CVE-2018-15716
-	RESERVED
-CVE-2018-15715
-	RESERVED
+CVE-2018-15716 (NUUO NVRMini2 version 3.10.0 and earlier is vulnerable to ...)
+	TODO: check
+CVE-2018-15715 (Zoom clients on Windows (before version 4.1.34814.1119), Mac OS ...)
+	TODO: check
 CVE-2018-15714 (Nagios XI 5.5.6 allows reflected cross site scripting from remote ...)
 	NOT-FOR-US: Nagios XI
 CVE-2018-15713 (Nagios XI 5.5.6 allows persistent cross site scripting from remote ...)
@@ -14334,6 +14349,7 @@ CVE-2018-15211
 CVE-2018-15210
 	RESERVED
 CVE-2018-15209 (ChopUpSingleUncompressedStrip in tif_dirread.c in LibTIFF 4.0.9 allows ...)
+	{DSA-4349-1}
 	- tiff 4.0.9-5 (bug #905798)
 	[jessie] - tiff <not-affected> (Cannot reproduce with crash file)
 	- tiff3 <removed>
@@ -25427,7 +25443,7 @@ CVE-2018-10965
 CVE-2018-10964
 	RESERVED
 CVE-2018-10963 (The TIFFWriteDirectorySec() function in tif_dirwrite.c in LibTIFF ...)
-	{DLA-1411-1}
+	{DSA-4349-1 DLA-1411-1}
 	- tiff 4.0.9-6 (bug #898348)
 	[stretch] - tiff <no-dsa> (Minor issue)
 	- tiff3 <removed>
@@ -30901,7 +30917,7 @@ CVE-2018-8907
 CVE-2018-8906 (dsmall v20180320 has XSS via a crafted street address to ...)
 	NOT-FOR-US: dsmall
 CVE-2018-8905 (In LibTIFF 4.0.9, a heap-based buffer overflow occurs in the function ...)
-	{DLA-1411-1 DLA-1378-1 DLA-1377-1}
+	{DSA-4349-1 DLA-1411-1 DLA-1378-1 DLA-1377-1}
 	- tiff 4.0.9-6 (bug #893806)
 	- tiff3 <removed>
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2780
@@ -34836,7 +34852,7 @@ CVE-2018-7458
 CVE-2018-7457
 	RESERVED
 CVE-2018-7456 (A NULL Pointer Dereference occurs in the function TIFFPrintDirectory in ...)
-	{DLA-1411-1 DLA-1347-1 DLA-1346-1}
+	{DSA-4349-1 DLA-1411-1 DLA-1347-1 DLA-1346-1}
 	- tiff 4.0.9-5 (bug #891288)
 	- tiff3 <removed>
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2778
@@ -40387,7 +40403,7 @@ CVE-2018-5785 (In OpenJPEG 2.3.0, there is an integer overflow caused by an ...)
 	NOTE: vulnerable code introduced in
 	NOTE: https://github.com/uclouvain/openjpeg/commit/33a0e66eb129c4e91b555a6b8dd9eab512fbfeb8
 CVE-2018-5784 (In LibTIFF 4.0.9, there is an uncontrolled resource consumption in the ...)
-	{DLA-1411-1 DLA-1391-1}
+	{DSA-4349-1 DLA-1411-1 DLA-1391-1}
 	- tiff 4.0.9-4 (bug #890441)
 	- tiff3 <removed>
 	[wheezy] - tiff3 <postponed> (Minor issue, revisit once fixed upstream)
@@ -41397,7 +41413,7 @@ CVE-2018-5409
 CVE-2018-5408
 	RESERVED
 CVE-2018-5407 (Simultaneous Multi-threading (SMT) in processors can enable local ...)
-	{DLA-1586-1}
+	{DSA-4348-1 DLA-1586-1}
 	- openssl 1.1.1~~pre9-1
 	- openssl1.0 1.0.2q-1
 	NOTE: https://www.openssl.org/news/secadv/20181112.txt
@@ -45171,12 +45187,12 @@ CVE-2018-3953 (Devices in the Linksys ESeries line of routers (Linksys E1200 Fir
 	NOT-FOR-US: Linksys
 CVE-2018-3952 (An exploitable code execution vulnerability exists in the connect ...)
 	NOT-FOR-US: NordVPN
-CVE-2018-3951
-	RESERVED
-CVE-2018-3950
-	RESERVED
-CVE-2018-3949
-	RESERVED
+CVE-2018-3951 (An exploitable remote code execution vulnerability exists in the HTTP ...)
+	TODO: check
+CVE-2018-3950 (An exploitable remote code execution vulnerability exists in the ping ...)
+	TODO: check
+CVE-2018-3949 (An exploitable information disclosure vulnerability exists in the HTTP ...)
+	TODO: check
 CVE-2018-3948 (An exploitable denial-of-service vulnerability exists in the ...)
 	NOT-FOR-US: TP-Link
 CVE-2018-3947 (An exploitable information disclosure vulnerability exists in the ...)
@@ -55464,6 +55480,7 @@ CVE-2017-17092 (wp-includes/functions.php in WordPress before 4.9.1 does not req
 	NOTE: https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
 	NOTE: https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
 CVE-2017-17095 (tools/pal2rgb.c in pal2rgb in LibTIFF 4.0.9 allows remote attackers to ...)
+	{DSA-4349-1}
 	- tiff 4.0.9-5 (unimportant; bug #883320)
 	- tiff3 <removed> (unimportant)
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2750
@@ -55526,7 +55543,7 @@ CVE-2018-0739 (Constructed ASN.1 types with a recursive definition (such as can
 CVE-2018-0738
 	RESERVED
 CVE-2018-0737 (The OpenSSL RSA Key generation algorithm has been shown to be ...)
-	{DLA-1449-1}
+	{DSA-4348-1 DLA-1449-1}
 	- openssl 1.1.0h-3 (low; bug #895844)
 	[wheezy] - openssl <postponed> (Can wait for next update)
 	- openssl1.0 1.0.2q-1 (low; bug #895845)
@@ -55538,13 +55555,14 @@ CVE-2018-0737 (The OpenSSL RSA Key generation algorithm has been shown to be ...
 CVE-2018-0736
 	RESERVED
 CVE-2018-0735 (The OpenSSL ECDSA signature algorithm has been shown to be vulnerable ...)
-	{DLA-1586-1}
+	{DSA-4348-1 DLA-1586-1}
 	- openssl 1.1.1a-1
 	- openssl1.0 <not-affected> (Vulnerable code never present in 1.0.2 series)
 	NOTE: https://www.openssl.org/news/secadv/20181029.txt
 	NOTE: OpenSSL_1_1_1-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=b1d6d55ece1c26fa2829e2b819b038d7b6d692b4
 	NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=56fb454d281a023b3f950d969693553d3f3ceea1
 CVE-2018-0734 (The OpenSSL DSA signature algorithm has been shown to be vulnerable to ...)
+	{DSA-4348-1}
 	- openssl 1.1.1a-1
 	[jessie] - openssl <postponed> (vulnerable code not present, but see note below)
 	- openssl1.0 1.0.2q-1
@@ -55567,7 +55585,7 @@ CVE-2018-0733 (Because of an implementation bug the PA-RISC CRYPTO_memcmp functi
 	NOTE: Issue specific to HP-UX
 	NOTE: https://www.openssl.org/news/secadv/20180327.txt
 CVE-2018-0732 (During key agreement in a TLS handshake using a DH(E) based ...)
-	{DLA-1449-1}
+	{DSA-4348-1 DLA-1449-1}
 	- openssl 1.1.1-1 (low)
 	- openssl1.0 1.0.2q-1 (low)
 	[stretch] - openssl1.0 <postponed> (Minor issue, can be fixed along with next OpenSSL security release)
@@ -73874,7 +73892,7 @@ CVE-2017-11615 (A sandbox escape in the Lua interface in Wube Factorio before 0.
 CVE-2017-11614 (MEDHOST Connex contains hard-coded credentials that are used for ...)
 	NOT-FOR-US: MEDHOST Connex
 CVE-2017-11613 (In LibTIFF 4.0.8, there is a denial of service vulnerability in the ...)
-	{DLA-1411-1 DLA-1391-1}
+	{DSA-4349-1 DLA-1411-1 DLA-1391-1}
 	- tiff 4.0.9-5 (low; bug #869823)
 	- tiff3 <removed>
 	[wheezy] - tiff3 <postponed> (Minor issue, revisit once fixed upstream)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b7f0c2a3769bd2143484cd0ddc1f151aacdad74e

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b7f0c2a3769bd2143484cd0ddc1f151aacdad74e
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20181201/00e7d462/attachment.html>

More information about the debian-security-tracker-commits mailing list