[Git][security-tracker-team/security-tracker][master] new binutils, u-boot, kfreebsd issues

Moritz Muehlenhoff jmm at debian.org
Tue Aug 6 07:58:20 BST 2019



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8a0e3a94 by Moritz Muehlenhoff at 2019-08-06T06:57:46Z
new binutils, u-boot, kfreebsd issues
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -5346,7 +5346,10 @@ CVE-2019-13105
 CVE-2019-13104
 	RESERVED
 CVE-2019-13103 (A crafted self-referential DOS partition table will cause all Das U-Bo ...)
-	TODO: check
+	- u-boot <unfixed> (low)
+	[buster] - u-boot <no-dsa> (Minor issue)
+	[stretch] - u-boot <no-dsa> (Minor issue)
+	NOTE: https://lists.denx.de/pipermail/u-boot/2019-July/375512.html
 CVE-2019-13102
 	RESERVED
 CVE-2019-13101
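Review bot: the CVE-2019-13103 u-boot entry cites only the patch-submission thread on lists.denx.de, so `<unfixed>` cannot later be resolved to a version from this record alone; add a NOTE with the upstream commit (or the merged release) once it lands, alongside the existing `NOTE: https://lists.denx.de/pipermail/u-boot/2019-July/375512.html`.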
@@ -8349,7 +8352,7 @@ CVE-2019-11922 (A race condition in the one-pass compression functions of Zstand
 	- libzstd 1.3.8+dfsg-2
 	NOTE: https://github.com/facebook/zstd/commit/3e5cdf1b6a85843e991d7d10f6a2567c15580da0
 CVE-2019-11921 (An out of bounds write is possible via a specially crafted packet in c ...)
-	TODO: check
+	NOT-FOR-US: Proxygen
 CVE-2019-11920
 	RESERVED
 CVE-2019-11919
@@ -8680,7 +8683,7 @@ CVE-2019-11777
 CVE-2019-11776
 	RESERVED
 CVE-2019-11775 (All builds of Eclipse OpenJ9 prior to 0.15 contain a bug where the loo ...)
-	TODO: check
+	NOT-FOR-US: Eclipse OpenJ9
 CVE-2019-11774
 	RESERVED
 CVE-2019-11773
@@ -14089,7 +14092,9 @@ CVE-2019-1010182 (yaml-rust 0.4.0 and earlier is affected by: Uncontrolled Recur
 CVE-2019-1010181
 	RESERVED
 CVE-2019-1010180 (GNU gdb All versions is affected by: Buffer Overflow - Out of bound me ...)
-	TODO: check
+	- binutils <unfixed> (unimportant)
+	NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8ff71a9c80cfcf64c54d4ae938c644b1b1ea19fb
+	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23657
 CVE-2019-1010179 (PHKP including commit 88fd9cfdf14ea4b6ac3e3967feea7bcaabb6f03b is affe ...)
 	NOT-FOR-US: PHKP
 CVE-2019-1010178 (Fred MODX Revolution < 1.0.0-beta5 is affected by: Incorrect Access ...)
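Review bot: the CVE-2019-1010180 description names "GNU gdb", but the added line tracks only `binutils <unfixed> (unimportant)`; since the referenced fix lives in the shared binutils-gdb.git tree, state whether the gdb source package is affected as well, either by adding a gdb line or by a NOTE explaining why only binutils is listed.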
@@ -20292,7 +20297,7 @@ CVE-2019-7617
 CVE-2019-7616 (Kibana versions before 6.8.2 and 7.2.1 contain a server side request f ...)
 	- kibana <itp> (bug #700337)
 CVE-2019-7615 (A TLS certificate validation flaw was found in Elastic APM agent for R ...)
-	TODO: check
+	NOT-FOR-US: Elastic
 CVE-2019-7614 (A race condition flaw was found in the response headers Elasticsearch  ...)
 	- elasticsearch <removed>
 CVE-2019-7613 (Winlogbeat versions before 5.6.16 and 6.6.2 had an insufficient loggin ...)
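Review bot: for CVE-2019-7615 the reason `NOT-FOR-US: Elastic` is broader than the product in the description (Elastic APM agent); the other entries in this change name the specific product (`Eclipse OpenJ9`, `Microsoft .NET`, `PrinterOn Central Print Services`), so `NOT-FOR-US: Elastic APM agent` would match that convention and make the triage decision self-explaining.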
@@ -25518,15 +25523,18 @@ CVE-2019-5609
 CVE-2019-5608
 	RESERVED
 CVE-2019-5607 (In FreeBSD 12.0-STABLE before r350222, 12.0-RELEASE before 12.0-RELEAS ...)
-	TODO: check
+	NOT-FOR-US: FreeBSD userspace
 CVE-2019-5606 (In FreeBSD 12.0-STABLE before r349805, 12.0-RELEASE before 12.0-RELEAS ...)
-	TODO: check
+	- kfreebsd-10 <unfixed> (unimportant)
+	NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-19:13.pts.asc
 CVE-2019-5605 (In FreeBSD 11.3-STABLE before r350217, 11.3-RELEASE before 11.3-RELEAS ...)
-	TODO: check
+	- kfreebsd-10 <unfixed> (unimportant)
+	NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-19:14.freebsd32.asc
 CVE-2019-5604 (In FreeBSD 12.0-STABLE before r350246, 12.0-RELEASE before 12.0-RELEAS ...)
-	TODO: check
+	NOT-FOR-US: bhyve
 CVE-2019-5603 (In FreeBSD 12.0-STABLE before r350261, 12.0-RELEASE before 12.0-RELEAS ...)
-	TODO: check
+	- kfreebsd-10 <unfixed> (unimportant)
+	NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-19:15.mqueuefs.asc
 CVE-2019-5602 (In FreeBSD 12.0-STABLE before r349628, 12.0-RELEASE before 12.0-RELEAS ...)
 	- kfreebsd-10 <unfixed> (unimportant)
 	NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-19:11.cd_ioctl.asc
@@ -25882,7 +25890,7 @@ CVE-2019-5451 (Bypass lock protection in the Nextcloud Android app prior to vers
 CVE-2019-5450 (Improper sanitization of HTML in directory names in the Nextcloud Andr ...)
 	NOT-FOR-US: Nextcloud Android app
 CVE-2019-5449 (A missing check in the Nextcloud Server prior to version 15.0.1 causes ...)
-	TODO: check
+	- nextcloud <itp> (bug #835086)
 CVE-2019-5448 (Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Da ...)
 	TODO: check
 CVE-2019-5447 (A path traversal vulnerability in <= v0.2.6 of http-file-server npm ...)
@@ -33161,13 +33169,13 @@ CVE-2019-2873 (Vulnerability in the Oracle VM VirtualBox component of Oracle Vir
 CVE-2019-2872
 	RESERVED
 CVE-2019-2871 (Vulnerability in the Data Store component of Oracle Berkeley DB. Suppo ...)
-	TODO: check
+	NOT-FOR-US: Oracle
 CVE-2019-2870 (Vulnerability in the Data Store component of Oracle Berkeley DB. Suppo ...)
-	TODO: check
+	NOT-FOR-US: Oracle
 CVE-2019-2869 (Vulnerability in the Data Store component of Oracle Berkeley DB. Suppo ...)
-	TODO: check
+	NOT-FOR-US: Oracle
 CVE-2019-2868 (Vulnerability in the Data Store component of Oracle Berkeley DB. Suppo ...)
-	TODO: check
+	NOT-FOR-US: Oracle
 CVE-2019-2867 (Vulnerability in the Oracle VM VirtualBox component of Oracle Virtuali ...)
 	- virtualbox 6.0.10-dfsg-1
 	[jessie] - virtualbox <end-of-life> (DSA-3699-1)
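Review bot: CVE-2019-2868 through CVE-2019-2871 are dismissed as `NOT-FOR-US: Oracle` purely by vendor, yet the descriptions place them in the Data Store component of Oracle Berkeley DB, which is itself packaged in Debian (the db5.3 source package); record why they do not apply to the packaged version rather than by vendor name, or track them against that package if they do.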
@@ -33327,7 +33335,7 @@ CVE-2019-2801 (Vulnerability in the MySQL Server component of Oracle MySQL (subc
 CVE-2019-2800 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
 	- mysql-5.7 <not-affected> (Only affects MySQL 8)
 CVE-2019-2799 (Vulnerability in the Oracle ODBC Driver component of Oracle Database S ...)
-	TODO: check
+	NOT-FOR-US: Oracle
 CVE-2019-2798 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
 	- mysql-5.7 <not-affected> (Only affects MySQL 8)
 CVE-2019-2797 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
@@ -33423,7 +33431,7 @@ CVE-2019-2762 (Vulnerability in the Java SE, Java SE Embedded component of Oracl
 CVE-2019-2761 (Vulnerability in the Oracle Application Object Library component of Or ...)
 	NOT-FOR-US: Oracle
 CVE-2019-2760 (Vulnerability in the Data Store component of Oracle Berkeley DB. Suppo ...)
-	TODO: check
+	NOT-FOR-US: Oracle
 CVE-2019-2759 (Vulnerability in the Oracle Outside In Technology component of Oracle  ...)
 	NOT-FOR-US: Oracle
 CVE-2019-2758 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
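Review bot: CVE-2019-2760 is another Oracle Berkeley DB Data Store issue marked `NOT-FOR-US: Oracle`; Berkeley DB is shipped in Debian as the db5.3 source package, so the entry should say why the packaged version is unaffected instead of relying on the vendor label.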
@@ -38402,7 +38410,7 @@ CVE-2019-1128 (A remote code execution vulnerability exists in the way that Dire
 CVE-2019-1127 (A remote code execution vulnerability exists in the way that DirectWri ...)
 	NOT-FOR-US: Microsoft
 CVE-2019-1126 (A security feature bypass vulnerability exists in Active Directory Fed ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2019-1125
 	RESERVED
 CVE-2019-1124 (A remote code execution vulnerability exists in the way that DirectWri ...)
@@ -38428,7 +38436,7 @@ CVE-2019-1115
 CVE-2019-1114
 	RESERVED
 CVE-2019-1113 (A remote code execution vulnerability exists in .NET software when the ...)
-	TODO: check
+	NOT-FOR-US: Microsoft .NET
 CVE-2019-1112 (An information disclosure vulnerability exists when Microsoft Excel im ...)
 	NOT-FOR-US: Microsoft
 CVE-2019-1111 (A remote code execution vulnerability exists in Microsoft Excel softwa ...)
@@ -38504,7 +38512,7 @@ CVE-2019-1077 (An elevation of privilege vulnerability exists when the Visual St
 CVE-2019-1076 (A Cross-site Scripting (XSS) vulnerability exists when Team Foundation ...)
 	NOT-FOR-US: Microsoft
 CVE-2019-1075 (A spoofing vulnerability exists in ASP.NET Core that could lead to an  ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2019-1074 (An elevation of privilege vulnerability exists in Microsoft Windows wh ...)
 	NOT-FOR-US: Microsoft
 CVE-2019-1073 (An information disclosure vulnerability exists when the Windows kernel ...)
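Review bot: CVE-2019-1075 concerns ASP.NET Core but is labelled plain `NOT-FOR-US: Microsoft`, whereas the .NET entry for CVE-2019-1113 in this same change uses `NOT-FOR-US: Microsoft .NET`; use the same, more specific label here so the two related entries are triaged consistently.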
@@ -43238,7 +43246,7 @@ CVE-2018-18572
 CVE-2018-18571 (An Incorrect Access Control vulnerability has been identified in Citri ...)
 	NOT-FOR-US: Citrix
 CVE-2018-18570 (Planon before Live Build 41 has XSS. ...)
-	TODO: check
+	NOT-FOR-US: Planon
 CVE-2018-18569 (The Dundas BI server before 5.0.1.1010 is vulnerable to a Server-Side  ...)
 	NOT-FOR-US: Dundas BI
 CVE-2018-18568 (Polycom VVX 500 and 601 devices 5.8.0.12848 and earlier allows man-in- ...)
@@ -46853,11 +46861,11 @@ CVE-2018-17215 (An information-disclosure issue was discovered in Postman throug
 CVE-2018-17214
 	RESERVED
 CVE-2018-17213 (An issue was discovered in PrinterOn Central Print Services (CPS) thro ...)
-	TODO: check
+	NOT-FOR-US: PrinterOn Central Print Services
 CVE-2018-17212
 	RESERVED
 CVE-2018-17211 (An issue was discovered in PrinterOn Central Print Services (CPS) thro ...)
-	TODO: check
+	NOT-FOR-US: PrinterOn Central Print Services
 CVE-2018-17210 (An issue was discovered in PrinterOn Central Print Services (CPS) thro ...)
 	NOT-FOR-US: PrinterOn Central Print Services
 CVE-2018-17209



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8a0e3a94549f3b57e3c7f1a5b978bca62e62800b
