[Git][security-tracker-team/security-tracker][master] new issues in sympa, triplea, ruby-json-jwt, gosa

Moritz Muehlenhoff jmm at debian.org
Thu Jun 28 18:08:07 BST 2018


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
709b4524 by Moritz Muehlenhoff at 2018-06-28T19:07:38+02:00
new issues in sympa, triplea, ruby-json-jwt, gosa
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -15,35 +15,35 @@ CVE-2018-12921
 CVE-2018-12920
 	RESERVED
 CVE-2018-12919 (In CraftedWeb through 2013-09-24, aasp_includes/pages/notice.php allows ...)
-	TODO: check
+	NOT-FOR-US: CraftedWeb
 CVE-2018-12918 (In libpbc.a in PBC through 2017-03-02, there is a Segmentation fault in ...)
-	TODO: check
+	NOT-FOR-US: PBC
 CVE-2018-12917 (In libpbc.a in PBC through 2017-03-02, there is a heap-based buffer ...)
-	TODO: check
+	NOT-FOR-US: PBC
 CVE-2018-12916 (In libpbc.a in PBC through 2017-03-02, there is a Segmentation fault in ...)
-	TODO: check
+	NOT-FOR-US: PBC
 CVE-2018-12915 (In libpbc.a in PBC through 2017-03-02, there is a buffer over-read in ...)
-	TODO: check
+	NOT-FOR-US: PBC
 CVE-2018-12914 (A remote code execution issue was discovered in PublicCMS ...)
-	TODO: check
+	NOT-FOR-US: PublicCMS
 CVE-2018-12913 (In Miniz 2.0.7, tinfl_decompress in miniz_tinfl.c has an infinite loop ...)
-	TODO: check
+	NOT-FOR-US: Miniz
 CVE-2018-12912 (An issue wan discovered in admin\controllers\database.php in HongCMS ...)
-	TODO: check
+	NOT-FOR-US: HongCMS
 CVE-2018-12911
 	RESERVED
 CVE-2018-12910
 	RESERVED
 CVE-2018-12909 (** DISPUTED ** Webgrind 1.5 relies on user input to display a file, ...)
-	TODO: check
+	NOT-FOR-US: Webgrind
 CVE-2018-12908 (Brynamics "Online Trade - Online trading and cryptocurrency investment ...)
-	TODO: check
+	NOT-FOR-US: Brynamics
 CVE-2018-12907 (In Rclone 1.42, use of "rclone sync" to migrate data between two ...)
-	TODO: check
+	NOT-FOR-US: Rclone
 CVE-2018-12906
 	RESERVED
 CVE-2018-12905 (joyplus-cms 1.6.0 has XSS in admin_player.php, related to ...)
-	TODO: check
+	NOT-FOR-US: joyplus-cms
 CVE-2017-18342 (In PyYAML before 4.1, the yaml.load() API could execute arbitrary code. ...)
 	- pyyaml <unfixed> (unimportant)
 	NOTE: This is a well-known design deficiency in pyyaml, various CVE IDs have been assigned
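Review bot: `NOT-FOR-US: Miniz` for CVE-2018-12913 would benefit from a quick embedded-copy check before it is closed, because a single-file decompressor like miniz is more often vendored into other source trees than shipped as a package of its own; a codesearch for `miniz_tinfl.c` (the file named in the description) settles whether any Debian source carries the affected `tinfl_decompress`.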
@@ -675,7 +675,8 @@ CVE-2018-1000557 (OCS Inventory OCS Inventory NG version ocsreports 2.4 contains
 	- ocsinventory-server 2.4.1+dfsg-1 (unimportant)
 	NOTE: Authentication is needed, only supported in trusted environments, see debtags
 CVE-2018-1000556 (WordPress version 4.8 + contains a Cross Site Scripting (XSS) ...)
-	TODO: check
+	NOT-FOR-US: WP Statistics plugin
+	NOTE: The CVE description is misleading, this is about a plugin, not Wordpress itself
 CVE-2018-1000555
 	REJECTED
 CVE-2018-1000554 (Trovebox version <= 4.0.0-rc6 contains a Unsafe password reset token ...)
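Review bot: the NOTE added for CVE-2018-1000556 spells the product as "Wordpress" while the CVE text on the line above uses "WordPress"; keep the upstream capitalization so the note matches the entry it annotates. The NOT-FOR-US plus an explanatory NOTE is otherwise the right shape for a CVE whose description misattributes a plugin issue to the core product.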
@@ -687,7 +688,8 @@ CVE-2018-1000552 (Trovebox version <= 4.0.0-rc6 contains a SQL Injection vuln
 CVE-2018-1000551 (Trovebox version <= 4.0.0-rc6 contains a PHP Type juggling ...)
 	NOT-FOR-US: Trovebox
 CVE-2018-1000550 (The Sympa Community Sympa version prior to version 6.2.32 contains a ...)
-	TODO: check
+	- sympa 6.2.32~dfsg-1
+	NOTE: https://sympa-community.github.io/security/2018-001.html
 CVE-2018-1000549 (Wekan version 1.04.0 contains a Email / Username Enumeration ...)
 	NOT-FOR-US: Wekan
 CVE-2018-1000548 (Umlet version < 14.3 contains a XML External Entity (XXE) ...)
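Review bot: the sympa entry for CVE-2018-1000550 records the unstable fix (6.2.32~dfsg-1) but carries no `[stretch]` line, so by the convention visible elsewhere in this commit (`[stretch] - triplea <no-dsa> (Minor issue)`) the stretch package stays listed as vulnerable with no decision recorded. Add either a `[stretch] - sympa <no-dsa> (...)` line or a NOTE that a DSA or point update is planned, and consider a severity tag since the description is truncated and the advisory URL alone does not convey impact.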
@@ -695,7 +697,10 @@ CVE-2018-1000548 (Umlet version < 14.3 contains a XML External Entity (XXE) .
 CVE-2018-1000547 (coreBOS version 7.0 and earlier contains a Incorrect Access Control ...)
 	NOT-FOR-US: CoreBOS
 CVE-2018-1000546 (Triplea version <= 1.9.0.0.10291 contains a XML External Entity (XXE) ...)
-	TODO: check
+	- triplea <unfixed> (low)
+	[stretch] - triplea <no-dsa> (Minor issue)
+	NOTE: https://0dd.zone/2018/05/31/TripleA-XXE/
+	NOTE: https://github.com/triplea-game/triplea/issues/3442
 CVE-2018-1000545
 	REJECTED
 CVE-2018-1000544 (rubyzip gem rubyzip version 1.2.1 and earlier contains a Directory ...)
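Review bot: the `- triplea <unfixed> (low)` entry for CVE-2018-1000546 has no Debian bug reference, while the other `<unfixed>` entries in this file carry one (for example `- node-lodash <unfixed> (unimportant; bug #890575)` further down in the same diff); file or locate the BTS bug and append `bug #NNNNNN` so the package maintainer is actually notified of the XXE rather than only the tracker.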
@@ -710,7 +715,9 @@ CVE-2018-1000541
 CVE-2018-1000540 (LoboEvolution version < 9b75694cedfa4825d4a2330abf2719d470c654cd ...)
 	NOT-FOR-US: LoboEvolution
 CVE-2018-1000539 (Nov json-jwt version >= 0.5.0 && < 1.9.4 contains a CWE-347: Improper ...)
-	TODO: check
+	- ruby-json-jwt <unfixed>
+	NOTE: https://github.com/nov/json-jwt/pull/62
+	NOTE: https://github.com/nov/json-jwt/commit/3393f394f271c87bd42ec23c300727b4437d1638
 CVE-2018-1000538 (Minio Inc. Minio S3 server version prior to ...)
 	NOT-FOR-US: Minion
 CVE-2018-1000537 (Marlin Firmware Marlin version 1.1.x and earlier contains a Buffer ...)
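Review bot: `- ruby-json-jwt <unfixed>` for CVE-2018-1000539 carries neither a severity nor a bug number, unlike the triplea and gosa entries in this same commit; a CWE-347 (improper verification of a cryptographic signature) issue in a JWT library merits an explicit severity decision rather than the implicit default, plus a BTS reference, and a `[stretch]` line if the package is in stable. Drive-by on the unchanged context: `NOT-FOR-US: Minion` for CVE-2018-1000538 is a typo for Minio.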
@@ -732,7 +739,9 @@ CVE-2018-1000530
 CVE-2018-1000529 (Grails Fields plugin version 2.2.7 contains a Cross Site Scripting ...)
 	TODO: check
 CVE-2018-1000528 (GONICUS GOsa version before commit ...)
-	TODO: check
+	- gosa <unfixed> (low)
+	NOTE: https://github.com/gosa-project/gosa-core/commit/56070d6289d47ba3f5918885954dcceb75606001
+	NOTE: https://github.com/gosa-project/gosa-core/issues/14
 CVE-2018-1000527 (Froxlor version <= 0.9.39.5 contains a PHP Object Injection ...)
 	NOT-FOR-US: Froxlor
 CVE-2018-1000526 (Openpsa contains a XML Injection vulnerability in RSS file upload ...)
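Review bot: the `- gosa <unfixed> (low)` entry for CVE-2018-1000528 has no `[stretch]` line and no bug reference; the triplea hunk in this commit shows the expected form (`[stretch] - triplea <no-dsa> (Minor issue)`), so either add the equivalent stretch decision or a NOTE on why stretch is unaffected, and reference the BTS bug. The neighbouring CVE-2018-1000529 (Grails Fields plugin) is left at `TODO: check` in the context lines; deferring is fine, but from its description it looks like a candidate for the same NOT-FOR-US pass.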
@@ -23507,7 +23516,7 @@ CVE-2018-4190 (An issue was discovered in certain Apple products. iOS before 11.
 CVE-2018-4189
 	RESERVED
 CVE-2018-4188 (An issue was discovered in certain Apple products. iOS before 11.4 is ...)
-	TODO: check
+	NOT-FOR-US: Safari
 CVE-2018-4187 (An issue was discovered in certain Apple products. iOS before 11.3.1 ...)
 	NOT-FOR-US: Apple (LinkPresentation component)
 CVE-2018-4186
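Review bot: `NOT-FOR-US: Safari` for CVE-2018-4188 breaks the labelling used by its neighbours, which is `NOT-FOR-US: Apple` or, where the component is known, `NOT-FOR-US: Apple (LinkPresentation component)` as on the context line for CVE-2018-4187; `NOT-FOR-US: Apple (Safari)` keeps the component information while staying consistent for grep-based tooling over the list.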
@@ -23541,7 +23550,7 @@ CVE-2018-4173 (An issue was discovered in certain Apple products. iOS before 11.
 CVE-2018-4172 (An issue was discovered in certain Apple products. iOS before 11.3 is ...)
 	NOT-FOR-US: Apple
 CVE-2018-4171 (An issue was discovered in certain Apple products. macOS before ...)
-	TODO: check
+	NOT-FOR-US: Apple
 CVE-2018-4170 (An issue was discovered in certain Apple products. macOS before ...)
 	NOT-FOR-US: Apple
 CVE-2018-4169
@@ -23573,7 +23582,7 @@ CVE-2018-4161 (An issue was discovered in certain Apple products. iOS before 11.
 CVE-2018-4160 (An issue was discovered in certain Apple products. macOS before ...)
 	NOT-FOR-US: Apple
 CVE-2018-4159 (An issue was discovered in certain Apple products. macOS before ...)
-	TODO: check
+	NOT-FOR-US: Apple
 CVE-2018-4158 (An issue was discovered in certain Apple products. iOS before 11.3 is ...)
 	NOT-FOR-US: Apple
 CVE-2018-4157 (An issue was discovered in certain Apple products. iOS before 11.3 is ...)
@@ -23611,7 +23620,7 @@ CVE-2018-4143 (An issue was discovered in certain Apple products. iOS before 11.
 CVE-2018-4142 (An issue was discovered in certain Apple products. iOS before 11.3 is ...)
 	NOT-FOR-US: Apple
 CVE-2018-4141 (An issue was discovered in certain Apple products. macOS before ...)
-	TODO: check
+	NOT-FOR-US: Apple
 CVE-2018-4140 (An issue was discovered in certain Apple products. iOS before 11.3 is ...)
 	NOT-FOR-US: Apple
 CVE-2018-4139 (An issue was discovered in certain Apple products. macOS before ...)
@@ -24262,9 +24271,9 @@ CVE-2018-3843 (An exploitable type confusion vulnerability exists in the way Fox
 CVE-2018-3842 (An exploitable use of an uninitialized pointer vulnerability exists in ...)
 	NOT-FOR-US: Foxit PDF Reader
 CVE-2018-3841 (A denial-of-service vulnerability exists in the Pixar Renderman IT ...)
-	TODO: check
+	NOT-FOR-US: Renderman
 CVE-2018-3840 (A denial-of-service vulnerability exists in the Pixar Renderman IT ...)
-	TODO: check
+	NOT-FOR-US: Renderman
 CVE-2018-3839 (An exploitable code execution vulnerability exists in the XCF image ...)
 	{DSA-4184-1 DSA-4177-1 DLA-1341-1}
 	- libsdl2-image 2.0.3+dfsg1-1
@@ -24742,7 +24751,7 @@ CVE-2018-3760 (There is an information leak vulnerability in Sprockets. Versions
 	NOTE: http://www.openwall.com/lists/oss-security/2018/06/19/2
 	NOTE: https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5f
 CVE-2018-3759 (private_address_check ruby gem before 0.5.0 is vulnerable to a ...)
-	TODO: check
+	NOT-FOR-US: private_address_check
 CVE-2018-3758 (Unrestricted file upload (RCE) in express-cart module before 1.1.7 ...)
 	NOT-FOR-US: express-cart
 CVE-2018-3757 (Command injection exists in pdf-image v2.0.0 due to an unescaped ...)
@@ -24825,24 +24834,24 @@ CVE-2018-3728 (hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from
 	NOTE: https://nodesecurity.io/advisories/566
 	NOTE: nodejs not covered by security support
 CVE-2018-3727 (626 node module suffers from a Path Traversal vulnerability due to ...)
-	TODO: check
+	NOT-FOR-US: 626 node module
 CVE-2018-3726 (crud-file-server node module before 0.8.0 suffers from a Cross-Site ...)
 	NOT-FOR-US: crud-file-server nodejs module
 CVE-2018-3725 (hekto node module suffers from a Path Traversal vulnerability due to ...)
 	NOT-FOR-US: hekto nodejs module
 CVE-2018-3724 (general-file-server node module suffers from a Path Traversal ...)
-	TODO: check
+	NOT-FOR-US: general-file-server node module
 CVE-2018-3723 (defaults-deep node module before 0.2.4 suffers from a Modification of ...)
-	TODO: check
+	NOT-FOR-US: defaults-deep node module
 CVE-2018-3722 (merge-deep node module before 3.0.1 suffers from a Modification of ...)
-	TODO: check
+	NOT-FOR-US: merge-deep node module
 CVE-2018-3721 (lodash node module before 4.17.5 suffers from a Modification of ...)
 	- node-lodash <unfixed> (unimportant; bug #890575)
 	NOTE: https://snyk.io/vuln/npm:lodash:20180130
 	NOTE: https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a
 	NOTE: nodejs not covered by security support
 CVE-2018-3720 (assign-deep node module before 0.4.7 suffers from a Modification of ...)
-	TODO: check
+	NOT-FOR-US: assign-deep node module
 CVE-2018-3719 (mixin-deep node module before 1.3.1 suffers from a Modification of ...)
 	- node-mixin-deep <unfixed> (unimportant; bug #898315)
 	NOTE: https://nodesecurity.io/advisories/578
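Review bot: the three new NOT-FOR-US entries for defaults-deep, merge-deep and assign-deep (CVE-2018-3723, CVE-2018-3722, CVE-2018-3720) deserve a check against the archive before they are closed, because two siblings from the same prototype-pollution batch in this very hunk are packaged (`node-lodash` and `node-mixin-deep`, both tracked `<unfixed>` with bug numbers); the description text alone does not establish absence from Debian. Minor style point: the added lines say "node module" while the unchanged neighbours (crud-file-server, hekto) say "nodejs module"; pick one spelling.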
@@ -25693,7 +25702,7 @@ CVE-2018-3578 (Type mismatch for ie_len can cause the WLAN driver to allocate le
 CVE-2018-3577
 	RESERVED
 CVE-2018-3576 (improper validation of array index in WiFi driver function ...)
-	TODO: check
+	NOT-FOR-US: Qualcomm components for Android
 CVE-2018-3575
 	RESERVED
 CVE-2018-3574
@@ -30358,7 +30367,7 @@ CVE-2018-1616
 CVE-2018-1615
 	RESERVED
 CVE-2018-1614 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 using ...)
-	TODO: check
+	NOT-FOR-US: IBM
 CVE-2018-1613
 	RESERVED
 CVE-2018-1612
@@ -30480,7 +30489,7 @@ CVE-2018-1555
 CVE-2018-1554
 	RESERVED
 CVE-2018-1553 (IBM WebSphere Application Server Liberty prior to 18.0.0.2 could allow ...)
-	TODO: check
+	NOT-FOR-US: IBM
 CVE-2018-1552
 	RESERVED
 CVE-2018-1551
@@ -30500,7 +30509,7 @@ CVE-2018-1545
 CVE-2018-1544 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...)
 	NOT-FOR-US: IBM
 CVE-2018-1543 (IBM WebSphere MQ 8.0 and 9.0 could allow a remote attacker to obtain ...)
-	TODO: check
+	NOT-FOR-US: IBM
 CVE-2018-1542
 	RESERVED
 CVE-2018-1541
@@ -30572,7 +30581,7 @@ CVE-2018-1509
 CVE-2018-1508
 	RESERVED
 CVE-2018-1507 (IBM DOORS Next Generation (DNG/RRC) 6.0.5 is vulnerable to cross-site ...)
-	TODO: check
+	NOT-FOR-US: IBM
 CVE-2018-1506
 	RESERVED
 CVE-2018-1505
@@ -30672,7 +30681,7 @@ CVE-2018-1459 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server)
 CVE-2018-1458
 	RESERVED
 CVE-2018-1457 (An undisclosed vulnerability in IBM Rational DOORS 9.5.1 through ...)
-	TODO: check
+	NOT-FOR-US: IBM
 CVE-2018-1456 (IBM Rhapsody DM 5.0 through 5.0.2 and 6.0 through 6.0.5 is vulnerable ...)
 	NOT-FOR-US: IBM
 CVE-2018-1455
@@ -30838,7 +30847,7 @@ CVE-2018-1376 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 is vulne
 CVE-2018-1375 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does not ...)
 	NOT-FOR-US: IBM
 CVE-2018-1374 (An IBM WebSphere MQ (Maintenance levels 7.1.0.0 - 7.1.0.9, 7.5.0.0 - ...)
-	TODO: check
+	NOT-FOR-US: IBM
 CVE-2018-1373 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 uses an ...)
 	NOT-FOR-US: IBM Security Guardium Big Data Intelligence
 CVE-2018-1372 (IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does not ...)
@@ -31201,9 +31210,9 @@ CVE-2018-1357
 CVE-2018-1356
 	RESERVED
 CVE-2018-1355 (An open redirect vulnerability in Fortinet FortiManager 6.0.0 and ...)
-	TODO: check
+	NOT-FOR-US: Fortinet
 CVE-2018-1354 (An improper access control vulnerability in Fortinet FortiManager ...)
-	TODO: check
+	NOT-FOR-US: Fortinet
 CVE-2018-1353
 	RESERVED
 CVE-2018-1352



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/709b45245e01e6f8b08f0151032be9cfdf0cae6e
