[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Mon Apr 1 21:12:43 BST 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
daadf5f9 by security tracker role at 2019-04-01T20:11:04Z
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,11 +1,27 @@
+CVE-2019-10686 (An SSRF vulnerability was found in an API from Ctrip Apollo through 1. ...)
+ TODO: check
+CVE-2019-10685
+ RESERVED
+CVE-2019-10684 (Application/Admin/Controller/ConfigController.class.php in 74cms v5.0. ...)
+ TODO: check
+CVE-2019-10683
+ RESERVED
+CVE-2019-10682
+ RESERVED
+CVE-2019-10681
+ RESERVED
+CVE-2019-10680
+ RESERVED
+CVE-2019-10679
+ RESERVED
CVE-2019-10678 (Domoticz before 4.10579 neglects to categorize \n and \r as insecure a ...)
- domoticz <itp> (bug #899058)
CVE-2019-10677
RESERVED
CVE-2019-10676
RESERVED
-CVE-2019-10675 (** DISPUTED ** WordPress 5.1.1 allows remote authenticated authors to ...)
- TODO: check
+CVE-2019-10675
+ REJECTED
CVE-2019-10674
RESERVED
CVE-2019-10673
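Review bot: the two new live entries in this hunk, CVE-2019-10686 (Ctrip Apollo SSRF) and CVE-2019-10684 (74cms ConfigController), come in as "TODO: check" and still need a triage line (a source package or NOT-FOR-US) in a follow-up; nothing else in the hunk tells the triager which way to go, so the decision has to come from looking at the products. The CVE-2019-10675 change is internally consistent: the disputed WordPress description and its "TODO: check" are dropped together once the entry becomes REJECTED.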
@@ -849,7 +865,7 @@ CVE-2019-10262 (A SQL Injection issue was discovered in BlueCMS 1.6. The variabl
NOT-FOR-US: BlueCMS
CVE-2019-1002162
- skopeo <itp> (bug #880199)
-CVE-2019-1002101 [Mishandling of symlinks allows for arbitrary file write via `kubectl cp`]
+CVE-2019-1002101 (The kubectl cp command allows copying files between containers and the ...)
- kubernetes <not-affected> (Vulnerable code introduced later)
NOTE: Introduced by: https://github.com/kubernetes/kubernetes/commit/b1f85e2dfec6e64d8e1bc272251277df0058ab20
NOTE: Upstream patch: https://github.com/kubernetes/kubernetes/pull/75037
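Review bot: replacing the hand-written bracket summary on the old CVE-2019-1002101 line loses the only mention that the issue is symlink mishandling in `kubectl cp`, because the imported description is cut off at "between containers and the ...". Consider carrying that wording over as a NOTE line next to the two existing NOTE links, so the "<not-affected> (Vulnerable code introduced later)" reasoning can be checked against the "Introduced by" commit without opening the upstream PR.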
@@ -2345,7 +2361,7 @@ CVE-2019-1010002
CVE-2019-1010001
RESERVED
CVE-2019-6341 (In Drupal 7 versions prior to 7.65; Drupal 8.6 versions prior to 8.6.1 ...)
- {DSA-4412-1}
+ {DSA-4412-1 DLA-1746-1}
- drupal7 <removed> (bug #925176)
NOTE: https://www.drupal.org/SA-CORE-2019-004
CVE-2019-9893 (libseccomp before 2.4.0 did not correctly generate 64-bit syscall argu ...)
@@ -2619,7 +2635,7 @@ CVE-2019-9797
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9797
CVE-2019-9796
RESERVED
- {DSA-4420-1 DSA-4411-1 DLA-1722-1}
+ {DSA-4420-1 DSA-4411-1 DLA-1743-1 DLA-1722-1}
- firefox-esr 60.6.0esr-1
- firefox 66.0-1
- thunderbird 1:60.6.1-1
@@ -2628,7 +2644,7 @@ CVE-2019-9796
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-11/#CVE-2019-9796
CVE-2019-9795
RESERVED
- {DSA-4420-1 DSA-4411-1 DLA-1722-1}
+ {DSA-4420-1 DSA-4411-1 DLA-1743-1 DLA-1722-1}
- firefox-esr 60.6.0esr-1
- firefox 66.0-1
- thunderbird 1:60.6.1-1
@@ -2645,7 +2661,7 @@ CVE-2019-9794
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-11/#CVE-2019-9794
CVE-2019-9793
RESERVED
- {DSA-4420-1 DSA-4411-1 DLA-1722-1}
+ {DSA-4420-1 DSA-4411-1 DLA-1743-1 DLA-1722-1}
- firefox-esr 60.6.0esr-1
- firefox 66.0-1
- thunderbird 1:60.6.1-1
@@ -2654,7 +2670,7 @@ CVE-2019-9793
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-11/#CVE-2019-9793
CVE-2019-9792
RESERVED
- {DSA-4420-1 DSA-4411-1 DLA-1722-1}
+ {DSA-4420-1 DSA-4411-1 DLA-1743-1 DLA-1722-1}
- firefox-esr 60.6.0esr-1
- firefox 66.0-1
- thunderbird 1:60.6.1-1
@@ -2663,7 +2679,7 @@ CVE-2019-9792
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-11/#CVE-2019-9792
CVE-2019-9791
RESERVED
- {DSA-4420-1 DSA-4411-1 DLA-1722-1}
+ {DSA-4420-1 DSA-4411-1 DLA-1743-1 DLA-1722-1}
- firefox-esr 60.6.0esr-1
- firefox 66.0-1
- thunderbird 1:60.6.1-1
@@ -2672,7 +2688,7 @@ CVE-2019-9791
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-11/#CVE-2019-9791
CVE-2019-9790
RESERVED
- {DSA-4420-1 DSA-4411-1 DLA-1722-1}
+ {DSA-4420-1 DSA-4411-1 DLA-1743-1 DLA-1722-1}
- firefox-esr 60.6.0esr-1
- firefox 66.0-1
- thunderbird 1:60.6.1-1
@@ -2685,7 +2701,7 @@ CVE-2019-9789
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-07/#CVE-2019-9789
CVE-2019-9788
RESERVED
- {DSA-4420-1 DSA-4411-1 DLA-1722-1}
+ {DSA-4420-1 DSA-4411-1 DLA-1743-1 DLA-1722-1}
- firefox-esr 60.6.0esr-1
- firefox 66.0-1
- thunderbird 1:60.6.1-1
@@ -3359,7 +3375,7 @@ CVE-2019-XXXX [insecure use of /tmp]
- bubblewrap 0.3.1-3 (unimportant; bug #923557)
NOTE: https://github.com/projectatomic/bubblewrap/issues/304
NOTE: Negligable security impact
-CVE-2019-1002100 [kube-apiserver: DoS with crafted patch of type json-patch]
+CVE-2019-1002100 (In all Kubernetes versions prior to v1.11.8, v1.12.6, and v1.13.4, use ...)
- kubernetes <unfixed> (bug #923686)
NOTE: https://github.com/kubernetes/kubernetes/issues/74534
NOTE: https://github.com/kubernetes/kubernetes/pull/74000
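Review bot: same pattern as the CVE-2019-1002101 change: the bracket summary "kube-apiserver: DoS with crafted patch of type json-patch" is dropped in favour of a description truncated at "use ...", and since this entry is still "kubernetes <unfixed> (bug #923686)" the component and attack class are exactly what whoever picks up the bug will want to see at a glance. A one-line NOTE preserving the old summary beside the issue and PR links would keep that.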
@@ -4342,8 +4358,8 @@ CVE-2019-9134
RESERVED
CVE-2019-9133
RESERVED
-CVE-2019-9132
- RESERVED
+CVE-2019-9132 (Remote code execution vulnerability exists in KaKaoTalk PC messenger w ...)
+ TODO: check
CVE-2019-9131
RESERVED
CVE-2019-9130
@@ -4889,8 +4905,7 @@ CVE-2019-8958
RESERVED
CVE-2019-8957
RESERVED
-CVE-2019-8956
- RESERVED
+CVE-2019-8956 (In the Linux Kernel before versions 4.20.8 and 4.19.21 a use-after-fre ...)
- linux 4.19.28-1
[stretch] - linux <not-affected> (Vulnerable code not present)
[jessie] - linux <not-affected> (Vulnerable code not present)
@@ -7743,7 +7758,7 @@ CVE-2019-7654
RESERVED
CVE-2019-7652
RESERVED
-CVE-2019-7651 (EPP.sys in Emsisoft Anti-Malware 2018.8.1.8923 allows an attacker to b ...)
+CVE-2019-7651 (EPP.sys in Emsisoft Anti-Malware prior to version 2018.12 allows an at ...)
NOT-FOR-US: Emsisoft Anti-Malware
CVE-2019-7650
RESERVED
@@ -10158,8 +10173,8 @@ CVE-2019-6717
RESERVED
CVE-2019-6716 (An unauthenticated Insecure Direct Object Reference (IDOR) in Wicket C ...)
NOT-FOR-US: LogonBox Nervepoint Access Manager
-CVE-2019-6715
- RESERVED
+CVE-2019-6715 (pub/sns.php in the W3 Total Cache plugin before 0.9.4 for WordPress al ...)
+ TODO: check
CVE-2019-6714 (An issue was discovered in BlogEngine.NET through 3.3.6.0. A path trav ...)
NOT-FOR-US: BlogEngine.NET
CVE-2019-6713 (app\admin\controller\RouteController.php in ThinkCMF 5.0.190111 allows ...)
@@ -12187,14 +12202,14 @@ CVE-2019-5893 (Nelson Open Source ERP v6.3.1 allows SQL Injection via the db/uti
NOT-FOR-US: Nelson Open Source ERP
CVE-2019-5892 (bgpd in FRRouting FRR (aka Free Range Routing) 2.x and 3.x before 3.0. ...)
- frr <not-affected> (Fixed before initial upload)
-CVE-2019-5891
- RESERVED
-CVE-2019-5890
- RESERVED
-CVE-2019-5889
- RESERVED
-CVE-2019-5888
- RESERVED
+CVE-2019-5891 (An issue was discovered in OverIT Geocall 6.3 before build 2:346977. A ...)
+ TODO: check
+CVE-2019-5890 (An issue was discovered in OverIT Geocall 6.3 before build 2:346977. W ...)
+ TODO: check
+CVE-2019-5889 (An log-management directory traversal issue was discovered in OverIT G ...)
+ TODO: check
+CVE-2019-5888 (Multiple XSS vulnerabilities were discovered in OverIT Geocall 6.3 bef ...)
+ TODO: check
CVE-2019-5887 (An issue was discovered in ShopXO 1.2.0. In the UnlinkDir method of th ...)
NOT-FOR-US: ShopXO
CVE-2019-5886 (An issue was discovered in ShopXO 1.2.0. In the application\install\co ...)
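Review bot: CVE-2019-5888 through CVE-2019-5891 are four entries for one product and build (OverIT Geocall 6.3 before build 2:346977) and all land as "TODO: check"; they can be triaged as a group in the follow-up rather than one by one, and whichever line is chosen should be applied to all four for consistency.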
@@ -13173,8 +13188,8 @@ CVE-2019-5525
RESERVED
CVE-2019-5524
RESERVED
-CVE-2019-5523
- RESERVED
+CVE-2019-5523 (VMware vCloud Director for Service Providers 9.5.x prior to 9.5.0.3 up ...)
+ TODO: check
CVE-2019-5522
RESERVED
CVE-2019-5521
@@ -16522,8 +16537,8 @@ CVE-2019-3877 (A vulnerability was found in mod_auth_mellon before v0.14.2. An o
- libapache2-mod-auth-mellon 0.14.2-1
[jessie] - libapache2-mod-auth-mellon <no-dsa> (Open redirect protection not present in the first place)
NOTE: https://github.com/Uninett/mod_auth_mellon/commit/62041428a32de402e0be6ba45fe12df6a83bedb8
-CVE-2019-3876
- RESERVED
+CVE-2019-3876 (A flaw was found in the /oauth/token/request custom endpoint of the Op ...)
+ TODO: check
CVE-2019-3875
RESERVED
CVE-2019-3874 (The SCTP socket buffer used by a userspace application is not accounte ...)
@@ -16654,8 +16669,7 @@ CVE-2019-3838 (It was found that the forceput operator could be extracted from t
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700576
CVE-2019-3837
RESERVED
-CVE-2019-3836
- RESERVED
+CVE-2019-3836 (It was discovered in gnutls before version 3.6.7 upstream that there i ...)
[experimental] - gnutls28 3.6.7-1
- gnutls28 3.6.7-2
[jessie] - gnutls28 <not-affected> (vulnerable code was introduced later)
@@ -23744,8 +23758,8 @@ CVE-2019-1574
RESERVED
CVE-2019-1573
RESERVED
-CVE-2019-1572
- REJECTED
+CVE-2019-1572 (PAN-OS 9.0.0 may allow an unauthenticated remote user to access php fi ...)
+ TODO: check
CVE-2019-1571 (The Expedition Migration tool 1.1.8 and earlier may allow an authentic ...)
TODO: check
CVE-2019-1570 (The Expedition Migration tool 1.1.8 and earlier may allow an authentic ...)
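Review bot: CVE-2019-1572 flips from REJECTED to a live PAN-OS description with "TODO: check", which is unusual for an automatic import; it is worth confirming against the MITRE record that the rejection was actually withdrawn rather than a transient feed artifact before the entry is triaged. If it stands, the neighbouring Palo Alto entries CVE-2019-1571 and CVE-2019-1570 are also still "TODO: check" in the context lines, so the three can be handled together.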
@@ -30422,7 +30436,7 @@ CVE-2018-18508 [NULL pointer dereference in several CMS functions resulting in a
CVE-2018-18507
RESERVED
CVE-2018-18506 (When proxy auto-detection is enabled, if a web server serves a Proxy A ...)
- {DSA-4420-1 DSA-4411-1 DLA-1722-1}
+ {DSA-4420-1 DSA-4411-1 DLA-1743-1 DLA-1722-1}
- firefox 65.0-1
- firefox-esr 60.6.0esr-1
- thunderbird 1:60.6.1-1
@@ -43905,40 +43919,40 @@ CVE-2018-13300 (In FFmpeg 4.0.1, an improper argument (AVCodecParameters) passed
[jessie] - libav <not-affected> (vulnerable code is not present)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/95556e27e2c1d56d9e18f5db34d6f756f3011148
NOTE: Fixed in 3.2.11
-CVE-2018-13299
- RESERVED
-CVE-2018-13298
- RESERVED
-CVE-2018-13297
- RESERVED
-CVE-2018-13296
- RESERVED
-CVE-2018-13295
- RESERVED
-CVE-2018-13294
- RESERVED
-CVE-2018-13293
- RESERVED
-CVE-2018-13292
- RESERVED
-CVE-2018-13291
- RESERVED
-CVE-2018-13290
- RESERVED
-CVE-2018-13289
- RESERVED
-CVE-2018-13288
- RESERVED
-CVE-2018-13287
- RESERVED
-CVE-2018-13286
- RESERVED
-CVE-2018-13285
- RESERVED
-CVE-2018-13284
- RESERVED
-CVE-2018-13283
- RESERVED
+CVE-2018-13299 (Relative path traversal vulnerability in Attachment Uploader in Synolo ...)
+ TODO: check
+CVE-2018-13298 (Channel accessible by non-endpoint vulnerability in privacy page in Sy ...)
+ TODO: check
+CVE-2018-13297 (Information exposure vulnerability in SYNO.SynologyDrive.Files in Syno ...)
+ TODO: check
+CVE-2018-13296 (Uncontrolled resource consumption vulnerability in TLS configuration i ...)
+ TODO: check
+CVE-2018-13295 (Information exposure vulnerability in SYNO.Personal.Application.Info i ...)
+ TODO: check
+CVE-2018-13294 (Information exposure vulnerability in SYNO.Personal.Profile in Synolog ...)
+ TODO: check
+CVE-2018-13293 (Cross-site scripting (XSS) vulnerability in Control Panel SSO Settings ...)
+ TODO: check
+CVE-2018-13292 (Information exposure vulnerability in /usr/syno/etc/mount.conf in Syno ...)
+ TODO: check
+CVE-2018-13291 (Information exposure vulnerability in /usr/syno/etc/mount.conf in Syno ...)
+ TODO: check
+CVE-2018-13290 (Information exposure vulnerability in SYNO.Core.ACL in Synology Router ...)
+ TODO: check
+CVE-2018-13289 (Information exposure vulnerability in SYNO.FolderSharing.List in Synol ...)
+ TODO: check
+CVE-2018-13288 (Information exposure vulnerability in SYNO.FolderSharing.List in Synol ...)
+ TODO: check
+CVE-2018-13287 (Incorrect default permissions vulnerability in synouser.conf in Synolo ...)
+ TODO: check
+CVE-2018-13286 (Incorrect default permissions vulnerability in synouser.conf in Synolo ...)
+ TODO: check
+CVE-2018-13285 (Command injection vulnerability in ftpd in Synology Router Manager (SR ...)
+ TODO: check
+CVE-2018-13284 (Command injection vulnerability in ftpd in Synology Diskstation Manage ...)
+ TODO: check
+CVE-2018-13283 (Lack of administrator control over security vulnerability in client.cg ...)
+ TODO: check
CVE-2018-13282 (Session fixation vulnerability in SYNO.PhotoStation.Auth in Synology P ...)
NOT-FOR-US: Synology Photo Station
CVE-2018-13281 (Information exposure vulnerability in SYNO.Core.ACL in Synology DiskSt ...)
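Review bot: the seventeen new Synology entries (CVE-2018-13283 through CVE-2018-13299) all arrive as "TODO: check", while the adjacent context lines CVE-2018-13282 and CVE-2018-13281 are already "NOT-FOR-US: Synology ...". Unless one of them turns out to touch software Debian ships, the follow-up triage can mark the whole batch NOT-FOR-US consistently with its neighbours; the two ftpd command-injection entries (CVE-2018-13285, CVE-2018-13284) are described as being in Synology Router Manager and Diskstation Manager components, so they belong to the same vendor triage rather than to a Debian ftpd package.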
@@ -55827,8 +55841,8 @@ CVE-2018-8915 (Cross-site scripting (XSS) vulnerability in Notification Center i
NOT-FOR-US: Synology
CVE-2018-8914 (SQL injection vulnerability in UPnP DMA in Synology Media Server befor ...)
NOT-FOR-US: Synology Media Server
-CVE-2018-8913
- RESERVED
+CVE-2018-8913 (Missing custom error page vulnerability in Synology Web Station before ...)
+ TODO: check
CVE-2018-8912 (Cross-site scripting (XSS) vulnerability in SYNO.NoteStation.Note in S ...)
NOT-FOR-US: Synology Note Station
CVE-2018-8911 (Cross-site scripting (XSS) vulnerability in Attachment Preview in Syno ...)
@@ -65424,8 +65438,8 @@ CVE-2018-5759 (jsparse.c in Artifex MuJS through 1.0.2 does not properly maintai
NOT-FOR-US: MuJS
CVE-2018-5758 (The Upload File functionality in upload.jspa in Aurea Jive Jive-n 9.0. ...)
NOT-FOR-US: Aurea Jive Jive-n
-CVE-2018-5757
- RESERVED
+CVE-2018-5757 (An issue was discovered on AudioCodes 450HD IP Phone devices with firm ...)
+ TODO: check
CVE-2018-5756 (The backend component in Open-Xchange OX App Suite before 7.6.3-rev36, ...)
NOT-FOR-US: Open-Xchange
CVE-2018-5755 (Absolute path traversal vulnerability in the readerengine component in ...)
@@ -69917,8 +69931,8 @@ CVE-2018-4052
RESERVED
CVE-2018-4051
RESERVED
-CVE-2018-4050
- RESERVED
+CVE-2018-4050 (An exploitable local privilege escalation vulnerability exists in the ...)
+ TODO: check
CVE-2018-4049
RESERVED
CVE-2018-4048
@@ -83325,10 +83339,10 @@ CVE-2017-16777 (If HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fu
NOT-FOR-US: HashiCorp Vagrant VMware Fusion plugin
CVE-2017-16776 (Security researchers discovered an authentication bypass vulnerability ...)
NOT-FOR-US: Conserus Workflow Intelligence
-CVE-2017-16775
- RESERVED
-CVE-2017-16774
- RESERVED
+CVE-2017-16775 (Improper restriction of rendered UI layers or frames vulnerability in ...)
+ TODO: check
+CVE-2017-16774 (Cross-site scripting (XSS) vulnerability in SYNO.Core.PersonalNotifica ...)
+ TODO: check
CVE-2017-16773 (Improper authorization vulnerability in Highlight Preview in Synology ...)
NOT-FOR-US: Synology
CVE-2017-16772 (Improper input validation vulnerability in SYNOPHOTO_Flickr_MultiUploa ...)
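Review bot: CVE-2017-16775 and CVE-2017-16774 are both Synology (SYNO.Core.PersonalNotification, rendered UI layers) and sit directly above CVE-2017-16773 and CVE-2017-16772, which are already "NOT-FOR-US: Synology" in the context lines; the "TODO: check" on both is expected to resolve the same way, so they can be cleared in the same triage pass as the other Synology entries this update introduces.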
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/daadf5f9576e96dd8a40cd45b07bfda111b60a4f