[Git][security-tracker-team/security-tracker][master] new non-issues in gnuchess, binaryen

Moritz Muehlenhoff jmm at debian.org
Thu Aug 29 09:57:32 BST 2019



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
eae60c5c by Moritz Muehlenhoff at 2019-08-29T08:56:49Z
new non-issues in gnuchess, binaryen
new issues in rust-smallvec, rust-memoffset, rust-libflate
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -41,7 +41,9 @@ CVE-2019-15769
 CVE-2019-15768
 	RESERVED
 CVE-2019-15767 (In GNU Chess 6.2.5, there is a stack-based buffer overflow in the cmd_ ...)
-	TODO: check
+	- gnuchess <unfixed> (unimportant; bug #936023)
+	NOTE: https://lists.gnu.org/archive/html/bug-gnu-chess/2019-08/msg00004.html
+	NOTE: Neutralised by toolchain hardening, no security impact
 CVE-2019-15766
 	RESERVED
 CVE-2019-15765
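Review bot: the justification at CVE-2019-15767, "Neutralised by toolchain hardening, no security impact", does not say which hardening feature stops the overflow; naming it in the NOTE would let the unimportant rating be re-checked if the package's build flags ever change.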
@@ -57,11 +59,15 @@ CVE-2019-15761
 CVE-2019-15760
 	RESERVED
 CVE-2019-15759 (An issue was discovered in Binaryen 1.38.32. Two visitors in ir/Expres ...)
-	TODO: check
+	- binaryen <unfixed> (unimportant; bug #936024)
+	NOTE: https://github.com/WebAssembly/binaryen/issues/2288
+	NOTE: Crash in CLI tool, no security impact
 CVE-2019-15758 (An issue was discovered in Binaryen 1.38.32. Missing validation rules  ...)
-	TODO: check
+	- binaryen <unfixed> (unimportant; bug #936024)
+	NOTE: https://github.com/WebAssembly/binaryen/issues/2288
+	NOTE: Crash in CLI tool, no security impact
 CVE-2019-15757 (libMirage 3.2.2 in CDemu has a NULL pointer dereference in the NRG par ...)
-	TODO: check
+	NOT-FOR-US: libMirage
 CVE-2019-15756
 	RESERVED
 CVE-2019-15755
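Review bot: the NOT-FOR-US closing the hunk, for CVE-2019-15757, gives only "libMirage" as rationale while the description places the issue "in CDemu"; a short note that the CDemu components were checked against the archive would make that triage as reproducible as the neighbouring binaryen entries, which carry a bug number and upstream reference.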
@@ -139,7 +145,7 @@ CVE-2019-15722
 CVE-2019-15721
 	RESERVED
 CVE-2019-15720 (CloudBerry Backup v6.1.2.34 allows local privilege escalation via a Pr ...)
-	TODO: check
+	NOT-FOR-US: CloudBerry Backup
 CVE-2019-15719
 	RESERVED
 CVE-2019-15718
@@ -151,45 +157,45 @@ CVE-2019-15716 (WTF before 0.19.0 does not set the permissions of config.yml, wh
 CVE-2019-15715
 	RESERVED
 CVE-2019-15714 (cli/lib/main.js in Entropic before 2019-06-13 does not reject / and \  ...)
-	TODO: check
+	NOT-FOR-US: Entropic
 CVE-2019-15713 (The my-calendar plugin before 3.1.10 for WordPress has XSS. ...)
 	NOT-FOR-US: my-calendar plugin for WordPress
 CVE-2017-18593 (The updraftplus plugin before 1.13.5 for WordPress has XSS in rare cas ...)
 	NOT-FOR-US: updraftplus plugin for WordPress
 CVE-2015-9379 (iThemes Builder Style Manager before 0.7.7 for WordPress has XSS via a ...)
-	TODO: check
+	NOT-FOR-US: Wordpress plugin
 CVE-2015-9378 (iThemes Builder Theme Market before 5.1.27 for WordPress has XSS via a ...)
-	TODO: check
+	NOT-FOR-US: Wordpress plugin
 CVE-2015-9377 (iThemes Builder Theme Depot before 5.0.30 for WordPress has XSS via ad ...)
-	TODO: check
+	NOT-FOR-US: Wordpress plugin
 CVE-2015-9376 (iThemes Mobile before 1.2.8 for WordPress has XSS via add_query_arg()  ...)
-	TODO: check
+	NOT-FOR-US: Wordpress plugin
 CVE-2015-9375 (Table Rate Shipping Add-on for iThemes Exchange before 1.1.0 for WordP ...)
-	TODO: check
+	NOT-FOR-US: Wordpress plugin
 CVE-2015-9374 (Stripe Add-on for iThemes Exchange before 1.2.0 for WordPress has XSS  ...)
-	TODO: check
+	NOT-FOR-US: Wordpress plugin
 CVE-2015-9373 (PayPal Pro Add-on for iThemes Exchange before 1.1.0 for WordPress has  ...)
-	TODO: check
+	NOT-FOR-US: Wordpress plugin
 CVE-2015-9372 (Membership Add-on for iThemes Exchange before 1.3.0 for WordPress has  ...)
-	TODO: check
+	NOT-FOR-US: Wordpress plugin
 CVE-2015-9371 (Manual Purchases Add-on for iThemes Exchange before 1.1.0 for WordPres ...)
-	TODO: check
+	NOT-FOR-US: Wordpress plugin
 CVE-2015-9370 (Invoices Add-on for iThemes Exchange before 1.4.0 for WordPress has XS ...)
-	TODO: check
+	NOT-FOR-US: Wordpress plugin
 CVE-2015-9369 (Easy US Sales Taxes Add-on for iThemes Exchange before 1.1.0 for WordP ...)
-	TODO: check
+	NOT-FOR-US: Wordpress plugin
 CVE-2015-9368 (Easy EU Value Added (VAT) Taxes Add-on for iThemes Exchange before 1.2 ...)
-	TODO: check
+	NOT-FOR-US: Wordpress plugin
 CVE-2015-9367 (Easy Canadian Sales Taxes Add-on for iThemes Exchange before 1.1.0 for ...)
-	TODO: check
+	NOT-FOR-US: Wordpress plugin
 CVE-2015-9366 (Custom URL Tracking Add-on for iThemes Exchange before 1.1.0 for WordP ...)
-	TODO: check
+	NOT-FOR-US: Wordpress plugin
 CVE-2015-9365 (Authorize.net Add-on for iThemes Exchange before 1.1.0 for WordPress h ...)
-	TODO: check
+	NOT-FOR-US: Wordpress plugin
 CVE-2015-9364 (2Checkout Add-on for iThemes Exchange before 1.1.0 for WordPress has X ...)
-	TODO: check
+	NOT-FOR-US: Wordpress plugin
 CVE-2015-9363 (iThemes Exchange before 1.12.0 for WordPress has XSS via add_query_arg ...)
-	TODO: check
+	NOT-FOR-US: Wordpress plugin
 CVE-2015-9362 (The Post Connector plugin before 1.0.4 for WordPress has XSS via add_q ...)
 	NOT-FOR-US: Post Connector plugin for WordPress
 CVE-2015-9361 (The Related Posts plugin before 1.8.2 for WordPress has XSS via add_qu ...)
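Review bot: the seventeen new entries from CVE-2015-9379 to CVE-2015-9363 use "NOT-FOR-US: Wordpress plugin", which misspells WordPress and drops the plugin name, while the existing entries in the same hunk (CVE-2019-15713, CVE-2017-18593, CVE-2015-9362) follow the form "NOT-FOR-US: <name> plugin for WordPress"; suggest e.g. "NOT-FOR-US: iThemes Exchange add-on for WordPress" so a later search for the plugin name finds them.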
@@ -546,21 +552,21 @@ CVE-2019-15576
 CVE-2019-15575
 	RESERVED
 CVE-2019-15574 (Gesior-AAC before 2019-05-01 allows serviceID SQL injection in account ...)
-	TODO: check
+	NOT-FOR-US: Gesior-AAC
 CVE-2019-15573 (Gesior-AAC before 2019-05-01 allows SQL injection in tankyou.php. ...)
-	TODO: check
+	NOT-FOR-US: Gesior-AAC
 CVE-2019-15572 (Gesior-AAC before 2019-05-01 allows ServiceCategoryID SQL injection in ...)
-	TODO: check
+	NOT-FOR-US: Gesior-AAC
 CVE-2019-15571 (The WEB control panel before 2019-04-30 for ClonOS allows SQL injectio ...)
 	NOT-FOR-US: WEB control panel for ClonOS
 CVE-2019-15570 (BEdita through 4.0.0-RC2 allows SQL injection during a save operation  ...)
-	TODO: check
+	NOT-FOR-US: BEdita
 CVE-2019-15569 (HM Courts & Tribunals ccd-data-store-api before 2019-06-10 allows  ...)
-	TODO: check
+	NOT-FOR-US: HM Courts
 CVE-2019-15568 (idseq-web before 2019-07-01 in Infectious Disease Sequencing Platform  ...)
-	TODO: check
+	NOT-FOR-US: idseq-web
 CVE-2019-15567 (OpenForis Arena before 2019-05-07 allows SQL injection in the sorting  ...)
-	TODO: check
+	NOT-FOR-US: OpenForis Arena
 CVE-2019-15566 (The Alfresco application before 1.8.7 for Android allows SQL injection ...)
 	NOT-FOR-US: Alfresco application for Android
 CVE-2019-15565 (The ICOMMKT connector before 1.0.7 for PrestaShop allows SQL injection ...)
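Review bot: "NOT-FOR-US: HM Courts" for CVE-2019-15569 names the organisation rather than the software; the description identifies the component as ccd-data-store-api, so "NOT-FOR-US: HM Courts & Tribunals ccd-data-store-api" would match the pattern of the other entries in this hunk.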
@@ -568,29 +574,33 @@ CVE-2019-15565 (The ICOMMKT connector before 1.0.7 for PrestaShop allows SQL inj
 CVE-2019-15564 (The Compassion Switzerland addons 10.01.4 for Odoo allow SQL injection ...)
 	NOT-FOR-US: Compassion Switzerland addons for Odoo
 CVE-2019-15563 (Observational Health Data Sciences and Informatics (OHDSI) WebAPI befo ...)
-	TODO: check
+	NOT-FOR-US: Observational Health Data Sciences and Informatics
 CVE-2019-15562 (GORM before 1.9.10 allows SQL injection via incomplete parentheses. ...)
-	TODO: check
+	NOT-FOR-US: GORM
 CVE-2019-15561 (FlashLingo before 2019-06-12 allows SQL injection, related to flashlin ...)
-	TODO: check
+	NOT-FOR-US: FlashLingo
 CVE-2019-15560 (The Reviews Module before 2019-06-14 for OpenSource Table allows SQL i ...)
-	TODO: check
+	NOT-FOR-US: OpenSource Table addon
 CVE-2019-15559 (DianoxDragon Hawn before 2019-07-10 allows SQL injection. ...)
-	TODO: check
+	NOT-FOR-US: DianoxDragon Hawn
 CVE-2019-15558 (XM^online 2 Common Utils and Endpoints 0.2.1 allows SQL injection, rel ...)
-	TODO: check
+	NOT-FOR-US: XM^online 2
 CVE-2019-15557 (XM^online 2 User Account and Authentication server 1.0.0 allows SQL in ...)
-	TODO: check
+	NOT-FOR-US: XM^online 2
 CVE-2019-15556 (Pvanloon1983 social_network before 2019-07-03 allows SQL injection in  ...)
-	TODO: check
+	NOT-FOR-US: Pvanloon1983
 CVE-2019-15555 (FredReinink Wellness-app before 2019-06-19 allows SQL injection, relat ...)
-	TODO: check
+	NOT-FOR-US: FredReinink Wellness-app
 CVE-2019-15554 (An issue was discovered in the smallvec crate before 0.6.10 for Rust.  ...)
-	TODO: check
+	- rust-smallvec 0.6.10-1
 CVE-2019-15553 (An issue was discovered in the memoffset crate before 0.5.0 for Rust.  ...)
-	TODO: check
+	- rust-memoffset <unfixed> (bug #936025)
+	NOTE: https://github.com/Gilnaa/memoffset/issues/9#issuecomment-505461490
+	NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0011.html
 CVE-2019-15552 (An issue was discovered in the libflate crate before 0.1.25 for Rust.  ...)
-	TODO: check
+	- rust-libflate 0.1.25-1
+	NOTE: https://github.com/sile/libflate/issues/35
+	NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0010.html
 CVE-2019-15551 (An issue was discovered in the smallvec crate before 0.6.10 for Rust.  ...)
 	TODO: check
 CVE-2019-15550 (An issue was discovered in the simd-json crate before 0.1.15 for Rust. ...)
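Review bot: CVE-2019-15551 at the end of the hunk is left as "TODO: check" although its description is the same smallvec-before-0.6.10 text as CVE-2019-15554, which this hunk resolves with "- rust-smallvec 0.6.10-1"; the two should be triaged together. The rust-smallvec entry also carries no NOTE, whereas the rust-memoffset and rust-libflate entries cite their upstream issue and RustSec advisory, so adding the matching reference would keep the Rust entries consistent.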
@@ -602,11 +612,11 @@ CVE-2019-15548 (An issue was discovered in the ncurses crate through 5.99.0 for
 CVE-2019-15547 (An issue was discovered in the ncurses crate through 5.99.0 for Rust.  ...)
 	TODO: check
 CVE-2019-15546 (An issue was discovered in the pancurses crate through 0.16.1 for Rust ...)
-	TODO: check
+	NOT-FOR-US: Rust crate pancurses
 CVE-2019-15545 (An issue was discovered in the libp2p-core crate before 0.8.1 for Rust ...)
-	TODO: check
+	NOT-FOR-US: Rust crate libp2p-core
 CVE-2019-15544 (An issue was discovered in the protobuf crate before 2.6.0 for Rust. A ...)
-	TODO: check
+	NOT-FOR-US: Rust crate protobuf
 CVE-2019-15543 (An issue was discovered in the slice-deque crate before 0.2.0 for Rust ...)
 	TODO: check
 CVE-2019-15542 (An issue was discovered in the ammonia crate before 2.1.0 for Rust. Th ...)
@@ -15757,7 +15767,7 @@ CVE-2019-10392
 CVE-2019-10391 (Jenkins IBM Application Security on Cloud Plugin 1.2.4 and earlier tra ...)
 	NOT-FOR-US: IBM
 CVE-2019-10390 (A sandbox bypass vulnerability in Jenkins Splunk Plugin 1.7.4 and earl ...)
-	TODO: check
+	NOT-FOR-US: Jenkins plugin
 CVE-2019-10389 (A missing permission check in Jenkins Relution Enterprise Appstore Pub ...)
 	NOT-FOR-US: Jenkins plugin
 CVE-2019-10388 (A cross-site request forgery vulnerability in Jenkins Relution Enterpr ...)
@@ -15769,9 +15779,9 @@ CVE-2019-10386 (A cross-site request forgery vulnerability in Jenkins XL TestVie
 CVE-2019-10385 (Jenkins eggPlant Plugin 2.2 and earlier stores credentials unencrypted ...)
 	NOT-FOR-US: Jenkins plugin
 CVE-2019-10384 (Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to ob ...)
-	TODO: check
+	NOT-FOR-US: Jenkins
 CVE-2019-10383 (A stored cross-site scripting vulnerability in Jenkins 2.191 and earli ...)
-	TODO: check
+	NOT-FOR-US: Jenkins
 CVE-2019-10382 (Jenkins VMware Lab Manager Slaves Plugin 0.2.8 and earlier disables SS ...)
 	NOT-FOR-US: Jenkins plugin
 CVE-2019-10381 (Jenkins Codefresh Integration Plugin 1.8 and earlier disables SSL/TLS  ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/eae60c5cec9c93164173029a1d565d2af238dbc6




