[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Mon Apr 22 21:10:25 BST 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
aa7feb43 by security tracker role at 2019-04-22T20:10:15Z
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,23 @@
+CVE-2019-11458
+ RESERVED
+CVE-2019-11457
+ RESERVED
+CVE-2019-11456 (Gila CMS 1.10.1 allows fm/save CSRF for executing arbitrary PHP code. ...)
+ TODO: check
+CVE-2019-11455 (A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit bef ...)
+ TODO: check
+CVE-2019-11454 (Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash ...)
+ TODO: check
+CVE-2019-11453
+ RESERVED
+CVE-2019-11452 (whatsns 4.0 allows index.php?admin_category/remove.html cid[] SQL inje ...)
+ TODO: check
+CVE-2019-11451 (whatsns 4.0 allows index.php?inform/add.html qid SQL injection. ...)
+ TODO: check
+CVE-2019-11450 (whatsns 4.0 allows index.php?question/ajaxadd.html title SQL injection ...)
+ TODO: check
+CVE-2019-11449 (I, Librarian 4.10 has XSS via the notes.php notes parameter. ...)
+ TODO: check
CVE-2019-11448 (An issue was discovered in Zoho ManageEngine Applications Manager 11.0 ...)
NOT-FOR-US: Zoho ManageEngine Applications Manager
CVE-2019-11447 (An issue was discovered in CutePHP CuteNews 2.1.2. An attacker can inf ...)
@@ -446,10 +466,10 @@ CVE-2019-11246
RESERVED
CVE-2019-11245
RESERVED
-CVE-2019-11244
- RESERVED
-CVE-2019-11243
- RESERVED
+CVE-2019-11244 (In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the ...)
+ TODO: check
+CVE-2019-11243 (In Kubernetes v1.12.0-v1.12.4 and v1.13.0, the rest.AnonymousClientCon ...)
+ TODO: check
CVE-2019-11242
RESERVED
CVE-2019-11241
@@ -13613,12 +13633,12 @@ CVE-2019-6159
RESERVED
CVE-2019-6158
RESERVED
-CVE-2019-6157
- RESERVED
+CVE-2019-6157 (In various firmware versions of Lenovo System x, the integrated manage ...)
+ TODO: check
CVE-2019-6156 (In Lenovo systems, SMM BIOS Write Protection is used to prevent writes ...)
NOT-FOR-US: Lenovo
-CVE-2019-6155
- RESERVED
+CVE-2019-6155 (A potential vulnerability was found in an SMI handler in various BIOS ...)
+ TODO: check
CVE-2019-6154 (A DLL search path vulnerability was reported in Lenovo Bootable Genera ...)
NOT-FOR-US: Lenovo
CVE-2019-6153
@@ -18515,19 +18535,16 @@ CVE-2019-3904
RESERVED
CVE-2019-3903
RESERVED
-CVE-2019-3902 [path-checking logic bypass vie symlinks and subrepositories]
- RESERVED
+CVE-2019-3902 (A flaw was found in Mercurial before 4.9. It was possible to use symli ...)
- mercurial 4.9-1 (bug #927674)
NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29
-CVE-2019-3901 [perf_event_open() and execve() race in setuid programs allows a data leak]
- RESERVED
+CVE-2019-3901 (A race condition in perf_event_open() allows local attackers to leak s ...)
- linux 4.6.1-1
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=807
NOTE: Fixed by: https://git.kernel.org/linus/79c9ce57eb2d5f1497546a3946b4ae21b6fdc438
CVE-2019-3900
RESERVED
-CVE-2019-3899
- RESERVED
+CVE-2019-3899 (It was found that default configuration of Heketi does not require any ...)
- heketi <itp> (bug #903384)
CVE-2019-3898
RESERVED
@@ -25448,14 +25465,17 @@ CVE-2019-1790
RESERVED
CVE-2019-1789 [An out-of-bounds heap read condition when scanning PE files]
RESERVED
+ {DLA-1759-1}
- clamav 0.101.2+dfsg-1
[stretch] - clamav <no-dsa> (Already fixed via SUA, pending inclusion in next point release)
NOTE: https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
CVE-2019-1788 (A vulnerability in the Object Linking & Embedding (OLE2) file scan ...)
+ {DLA-1759-1}
- clamav 0.101.2+dfsg-1
[stretch] - clamav <no-dsa> (Already fixed via SUA, pending inclusion in next point release)
NOTE: https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
CVE-2019-1787 (A vulnerability in the Portable Document Format (PDF) scanning functio ...)
+ {DLA-1759-1}
- clamav 0.101.2+dfsg-1
[stretch] - clamav <no-dsa> (Already fixed via SUA, pending inclusion in next point release)
NOTE: https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
@@ -161437,14 +161457,14 @@ CVE-2016-1589
REJECTED
CVE-2016-1588
REJECTED
-CVE-2016-1587
- RESERVED
-CVE-2016-1586
- RESERVED
-CVE-2016-1585
- RESERVED
-CVE-2016-1584
- RESERVED
+CVE-2016-1587 (The Snapweb interface before version 0.21.2 was exposing controls to i ...)
+ TODO: check
+CVE-2016-1586 (A malicious webview could install long-lived unload handlers that re-u ...)
+ TODO: check
+CVE-2016-1585 (In all versions of AppArmor mount rules are accidentally widened when ...)
+ TODO: check
+CVE-2016-1584 (In all versions of Unity8 a running but not active application on a la ...)
+ TODO: check
CVE-2016-1583 (The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the ...)
{DSA-3607-1 DLA-516-1}
- linux 4.6.2-1
@@ -161454,8 +161474,8 @@ CVE-2016-1581 (LXD before 2.0.2 uses world-readable permissions for /var/lib/lxd
- lxd <itp> (bug #768073)
CVE-2016-1580 (The setup_snappy_os_mounts function in the ubuntu-core-launcher packag ...)
NOT-FOR-US: ubuntu-core-launcher
-CVE-2016-1579
- RESERVED
+CVE-2016-1579 (UDM provides support for running commands after a download is complete ...)
+ TODO: check
CVE-2016-1578 (Use-after-free vulnerability in Oxide allows remote attackers to cause ...)
NOT-FOR-US: Oxide
CVE-2016-1577 (Double free vulnerability in the jas_iccattrval_destroy function in Ja ...)
@@ -161480,8 +161500,8 @@ CVE-2016-1575 (The overlayfs implementation in the Linux kernel through 4.5.2 do
NOTE: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9f57ebcba563e0cd532926cab83c92bb4d79360
CVE-2016-1574
REJECTED
-CVE-2016-1573
- RESERVED
+CVE-2016-1573 (Versions of Unity8 before 8.11+16.04.20160122-0ubuntu1 file plugins/Da ...)
+ TODO: check
CVE-2016-1572 (mount.ecryptfs_private.c in eCryptfs-utils does not validate mount des ...)
{DSA-3450-1 DLA-397-1}
- ecryptfs-utils 106-2
@@ -187517,15 +187537,15 @@ CVE-2015-1347 (Cross-site scripting (XSS) vulnerability in client.inc.php in osT
CVE-2015-1344 (The do_write_pids function in lxcfs.c in LXCFS before 0.12 does not pr ...)
- lxcfs <not-affected> (Fixed before initial upload to the archive)
NOTE: https://bugs.launchpad.net/ubuntu/+source/lxcfs/+bug/1512854
-CVE-2015-1343
- RESERVED
+CVE-2015-1343 (All versions of unity-scope-gdrive logs search terms to syslog. ...)
+ TODO: check
CVE-2015-1342 (LXCFS before 0.12 does not properly enforce directory escapes, which m ...)
- lxcfs <not-affected> (Fixed before initial upload to the archive)
NOTE: https://bugs.launchpad.net/ubuntu/+source/lxcfs/+bug/1508481
-CVE-2015-1341
- RESERVED
-CVE-2015-1340
- RESERVED
+CVE-2015-1341 (Any Python module in sys.path can be imported if the command line of t ...)
+ TODO: check
+CVE-2015-1340 (LXD before version 0.19-0ubuntu5 doUidshiftIntoContainer() has an unsa ...)
+ TODO: check
CVE-2015-1339 (Memory leak in the cuse_channel_release function in fs/fuse/cuse.c in ...)
- linux 4.4.2-1
[jessie] - linux <not-affected> (Vulnerable code introduced in v4.2-rc1)
@@ -187583,10 +187603,9 @@ CVE-2015-1328 (The overlayfs implementation in the linux (aka Linux kernel) pack
NOTE: http://seclists.org/oss-sec/2015/q2/717
NOTE: https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html
NOTE: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/vivid/commit/?id=78ec4549
-CVE-2015-1327
- RESERVED
-CVE-2015-1326 [arbitrary code execution or file overwrite when templates are loaded from /tmp]
- RESERVED
+CVE-2015-1327 (Content Hub before version 0.0+15.04.20150331-0ubuntu1.0 DBUS API only ...)
+ TODO: check
+CVE-2015-1326 (python-dbusmock before version 0.15.1 AddTemplate() D-Bus method call ...)
- python-dbusmock 0.15.1-1 (bug #786858)
[jessie] - python-dbusmock 0.11.4-1+deb8u1
NOTE: https://bugs.launchpad.net/python-dbusmock/+bug/1453815
@@ -187606,8 +187625,8 @@ CVE-2015-1322 (Directory traversal vulnerability in the Ubuntu network-manager p
NOTE: https://bazaar.launchpad.net/~phablet-team/network-manager/ofono-format-cleanup/view/head:/debian/patches/add_ofono_settings_support.patch
CVE-2015-1321 (Use-after-free vulnerability in the file picker implementation in Oxid ...)
NOT-FOR-US: Oxide
-CVE-2015-1320
- RESERVED
+CVE-2015-1320 (The SeaMicro provisioning of Ubuntu MAAS logs credentials, including u ...)
+ TODO: check
CVE-2015-1319 (The Unity Settings Daemon before 14.04.0+14.04.20150825-0ubuntu2 and 1 ...)
- unity <itp> (bug #609278)
CVE-2015-1318 (The crash reporting feature in Apport 2.13 through 2.17.x before 2.17. ...)
@@ -187616,8 +187635,8 @@ CVE-2015-1318 (The crash reporting feature in Apport 2.13 through 2.17.x before
NOTE: add it, as we have an explicit (bug) reference for apport
CVE-2015-1317 (Use-after-free vulnerability in Oxide before 1.5.6 and 1.6.x before 1. ...)
NOT-FOR-US: Oxide
-CVE-2015-1316
- RESERVED
+CVE-2015-1316 (Juju Core's Joyent provider before version 1.25.5 uploads the user's p ...)
+ TODO: check
CVE-2015-1315 (Buffer overflow in the charset_to_intern function in unix/unix.c in In ...)
- unzip <not-affected> (*-unzip60-alt-iconv-utf8 patch not applied in Debian)
CVE-2015-1314 (The USAA Mobile Banking application before 7.10.1 for Android displays ...)
@@ -213568,12 +213587,12 @@ CVE-2014-1430
REJECTED
CVE-2014-1429
REJECTED
-CVE-2014-1428
- RESERVED
-CVE-2014-1427
- RESERVED
-CVE-2014-1426
- RESERVED
+CVE-2014-1428 (A vulnerability in generate_filestorage_key of Ubuntu MAAS allows an a ...)
+ TODO: check
+CVE-2014-1427 (A vulnerability in the REST API of Ubuntu MAAS allows an attacker to c ...)
+ TODO: check
+CVE-2014-1426 (A vulnerability in maasserver.api.get_file_by_name of Ubuntu MAAS allo ...)
+ TODO: check
CVE-2014-1425 (cmanager 0.32 does not properly enforce nesting when modifying cgroup ...)
- cgmanager 0.33-3
[jessie] - cgmanager 0.33-2+deb8u1
@@ -259440,8 +259459,8 @@ CVE-2011-3153 (dmrc.c in Light Display Manager (aka LightDM) before 1.1.1 allows
CVE-2011-3152 (DistUpgrade/DistUpgradeFetcherCore.py in Update Manager before 1:0.87. ...)
- update-manager <not-affected> (ubuntu-specific issue)
NOTE: see bug #650307
-CVE-2011-3151
- RESERVED
+CVE-2011-3151 (The Ubuntu SELinux initscript before version 1:0.10 used touch to crea ...)
+ TODO: check
CVE-2011-3150 (Software Center in Ubuntu 11.10, 11.04 10.10 does not properly validat ...)
- software-center <not-affected> (ubuntu-specific issue)
NOTE: debian package does not contain the vulnerable purchaseview.py code, and probably won't ever as that's part of their commercial interface code
@@ -259453,15 +259472,14 @@ CVE-2011-3148 (Stack-based buffer overflow in the _assemble_line function in mod
{DSA-2326-1}
- pam 1.1.3-5
[lenny] - pam <not-affected> (user_env parsing not yet available)
-CVE-2011-3147
- RESERVED
+CVE-2011-3147 (Versions of nova before 2012.1 could expose hypervisor host files to a ...)
+ TODO: check
CVE-2011-3146 (librsvg before 2.34.1 uses the node name to identify the type of node, ...)
- librsvg 2.34.1-1
[squeeze] - librsvg <no-dsa> (Minor issue)
NOTE: http://git.gnome.org/browse/librsvg/commit/?id=34c95743ca692ea0e44778e41a7c0a129363de84
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=658014
-CVE-2011-3145
- RESERVED
+CVE-2011-3145 (When mount.ecrpytfs_private before version 87-0ubuntu1.2 calls setreui ...)
{DSA-2382-1}
- ecryptfs-utils 92-1
[lenny] - ecryptfs-utils <not-affected> (Vulnerable code not present)
@@ -263261,8 +263279,8 @@ CVE-2011-1832 (utils/mount.ecryptfs_private.c in ecryptfs-utils before 90 does n
CVE-2011-1831 (utils/mount.ecryptfs_private.c in ecryptfs-utils before 90 does not pr ...)
{DSA-2382-1}
- ecryptfs-utils 92-1
-CVE-2011-1830
- RESERVED
+CVE-2011-1830 (Ekiga versions before 3.3.0 attempted to load a module from /tmp/ekiga ...)
+ TODO: check
CVE-2011-1829 (APT before 0.8.15.2 does not properly validate inline GPG signatures, ...)
- apt 0.8.15.2
[squeeze] - apt <not-affected> (Vulnerable code not present)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/aa7feb4368b6cde5b5f779cd1e77d0f5a09eca17
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/aa7feb4368b6cde5b5f779cd1e77d0f5a09eca17
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190422/339a69ff/attachment.html>
More information about the debian-security-tracker-commits
mailing list