[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Thu Dec 5 20:10:41 GMT 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a23a2bc7 by security tracker role at 2019-12-05T20:10:29Z
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,4 +1,22 @@
-CVE-2019-19602 [x86/fpu: Don't cache access to fpu_fpregs_owner_ctx]
+CVE-2019-19608
+ RESERVED
+CVE-2019-19607
+ RESERVED
+CVE-2019-19606
+ RESERVED
+CVE-2019-19605
+ RESERVED
+CVE-2019-19604
+ RESERVED
+CVE-2019-19603
+ RESERVED
+CVE-2019-19601 (OpenDetex 2.8.5 has a Buffer Overflow in TexOpen in detex.l because of ...)
+ TODO: check
+CVE-2019-19600
+ RESERVED
+CVE-2019-19599
+ RESERVED
+CVE-2019-19602 (fpregs_state_valid in arch/x86/include/asm/fpu/internal.h in the Linux ...)
- linux <unfixed>
[buster] - linux <not-affected> (Vulnerable code introduced later)
[stretch] - linux <not-affected> (Vulnerable code introduced later)
@@ -1040,10 +1058,10 @@ CVE-2019-19597 (D-Link DAP-1860 devices before v1.04b03 Beta allow arbitrary rem
NOT-FOR-US: D-Link
CVE-2019-19596 (GitBook through 2.6.9 allows XSS via a local .md file. ...)
TODO: check
-CVE-2019-19595
- RESERVED
-CVE-2019-19594
- RESERVED
+CVE-2019-19595 (reset/modules/advanced_form_maker_edit/multiupload/upload.php in the R ...)
+ TODO: check
+CVE-2019-19594 (reset/modules/fotoliaFoto/multi_upload.php in the RESET.PRO Adobe Stoc ...)
+ TODO: check
CVE-2019-19593
RESERVED
CVE-2019-19592
@@ -1171,10 +1189,10 @@ CVE-2019-19548
RESERVED
CVE-2019-19547
RESERVED
-CVE-2019-19546
- RESERVED
-CVE-2019-19545
- RESERVED
+CVE-2019-19546 (Norton Password Manager, prior to 6.6.2.5, may be susceptible to an in ...)
+ TODO: check
+CVE-2019-19545 (Norton Password Manager, prior to 6.6.2.5, may be susceptible to a cro ...)
+ TODO: check
CVE-2019-19544
RESERVED
CVE-2019-19542
@@ -1731,8 +1749,8 @@ CVE-2020-1786
RESERVED
CVE-2020-1785
RESERVED
-CVE-2019-19466
- RESERVED
+CVE-2019-19466 (SCEditor 2.1.3 allows XSS. ...)
+ TODO: check
CVE-2019-19465
RESERVED
CVE-2019-19464 (The CBC Gem application before 9.24.1 for Android and before 9.26.0 fo ...)
@@ -2238,8 +2256,8 @@ CVE-2019-19319 (In the Linux kernel 5.0.21, a setxattr operation, after a mount
- linux <unfixed>
CVE-2019-19318 (In the Linux kernel 5.3.11, mounting a crafted btrfs image twice can c ...)
- linux <unfixed>
-CVE-2019-19317
- RESERVED
+CVE-2019-19317 (lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed b ...)
+ TODO: check
CVE-2019-19316 (When using the Azure backend with a shared access signature (SAS), Ter ...)
NOT-FOR-US: Terraform
CVE-2019-19315
@@ -3098,9 +3116,9 @@ CVE-2019-19010 (Eval injection in the Math plugin of Limnoria (before 2019.11.09
CVE-2019-19009
RESERVED
CVE-2019-19008
- RESERVED
-CVE-2019-19007
- RESERVED
+ REJECTED
+CVE-2019-19007 (Intelbras IWR 3000N 1.8.7 devices allow disclosure of the administrato ...)
+ TODO: check
CVE-2019-19006 (Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197. ...)
NOT-FOR-US: FreePBX
CVE-2019-19005
@@ -6946,8 +6964,8 @@ CVE-2019-18383 (An issue was discovered on TerraMaster FS-210 4.0.19 devices. On
NOT-FOR-US: TerraMaster
CVE-2019-18382 (An issue was discovered on AVStar PE204 3.10.70 IP camera devices. A d ...)
NOT-FOR-US: AVStar PE204
-CVE-2019-18381
- RESERVED
+CVE-2019-18381 (Norton Password Manager, prior to 6.6.2.5, may be susceptible to a cro ...)
+ TODO: check
CVE-2019-18380
RESERVED
CVE-2019-18379
@@ -8396,8 +8414,7 @@ CVE-2019-18182
RESERVED
CVE-2019-18181
RESERVED
-CVE-2019-18180
- RESERVED
+CVE-2019-18180 (Improper Check for filenames with overly long extensions in PostMaster ...)
- otrs2 <unfixed> (bug #945251)
[buster] - otrs2 <no-dsa> (Non-free not supported)
[stretch] - otrs2 <no-dsa> (Non-free not supported)
@@ -9862,6 +9879,7 @@ CVE-2019-17543 (LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32
NOTE: https://github.com/lz4/lz4/pull/756
NOTE: https://github.com/lz4/lz4/pull/760
CVE-2019-17542 (FFmpeg before 4.2 has a heap-based buffer overflow in vqa_decode_chunk ...)
+ {DLA-2021-1}
- ffmpeg 7:4.2.1-1
[buster] - ffmpeg <postponed> (Minor issue, wait until fixed in 4.1.x branch)
[stretch] - ffmpeg <postponed> (Minor issue, wait until fixed in 3.2.x branch)
@@ -10179,8 +10197,8 @@ CVE-2019-17439
RESERVED
CVE-2019-17438
RESERVED
-CVE-2019-17437
- RESERVED
+CVE-2019-17437 (An improper authentication check in Palo Alto Networks PAN-OS may allo ...)
+ TODO: check
CVE-2019-17436 (A Local Privilege Escalation vulnerability exists in GlobalProtect Age ...)
NOT-FOR-US: GlobalProtect Agent
CVE-2019-17435 (A Local Privilege Escalation vulnerability exists in the GlobalProtect ...)
@@ -10348,10 +10366,10 @@ CVE-2019-17390
RESERVED
CVE-2019-17389 (In RIOT 2019.07, the MQTT-SN implementation (asymcute) mishandles erro ...)
NOT-FOR-US: RIOT RIOT-OS
-CVE-2019-17388
- RESERVED
-CVE-2019-17387
- RESERVED
+CVE-2019-17388 (Weak file permissions applied to the Aviatrix VPN Client through 2.2.1 ...)
+ TODO: check
+CVE-2019-17387 (An authentication flaw in the AVPNC_RP service in Aviatrix VPN Client ...)
+ TODO: check
CVE-2019-17386 (The animate-it plugin before 2.3.6 for WordPress has CSRF in edsanimat ...)
NOT-FOR-US: Wordpress plugin
CVE-2019-17385 (The animate-it plugin before 2.3.5 for WordPress has XSS. ...)
@@ -11874,8 +11892,8 @@ CVE-2019-16771
RESERVED
CVE-2019-16770
RESERVED
-CVE-2019-16769
- RESERVED
+CVE-2019-16769 (Affected versions of this package are vulnerable to Cross-site Scripti ...)
+ TODO: check
CVE-2019-16768
RESERVED
CVE-2019-16767 (The admin sys mode is now conditional and dedicated for the special ca ...)
@@ -14302,8 +14320,8 @@ CVE-2019-15899
RESERVED
CVE-2019-15898 (Nagios Log Server before 2.0.8 allows Reflected XSS via the username o ...)
NOT-FOR-US: Nagios Log Server
-CVE-2019-15897
- RESERVED
+CVE-2019-15897 (beegfs-ctl in ThinkParQ BeeGFS through 7.1.3 allows Authentication Byp ...)
+ TODO: check
CVE-2019-15896 (An issue was discovered in the LifterLMS plugin through 3.34.5 for Wor ...)
NOT-FOR-US: LifterLMS plugin for WordPress
CVE-2019-15895 (search-exclude.php in the "Search Exclude" plugin before 1.2.4 for Wor ...)
@@ -17399,8 +17417,7 @@ CVE-2019-14912 (An issue was discovered in PRiSE adAS 1.7.0. The OPENSSO module
NOT-FOR-US: PRiSE adAS
CVE-2019-14911 (An issue was discovered in PRiSE adAS 1.7.0. The OPENSSO module does n ...)
NOT-FOR-US: PRiSE adAS
-CVE-2019-14910
- RESERVED
+CVE-2019-14910 (A vulnerability was found in keycloak 7.x, when keycloak is configured ...)
NOT-FOR-US: Keycloak
CVE-2019-14909 (A vulnerability was found in Keycloak 7.x where the user federation LD ...)
NOT-FOR-US: Keycloak
@@ -19371,6 +19388,7 @@ CVE-2019-14444 (apply_relocations in readelf.c in GNU Binutils 2.32 contains an
NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=e17869db99195849826eaaf5d2d0eb2cfdd7a2a7
NOTE: binutils not covered by security support
CVE-2019-14443 (An issue was discovered in Libav 12.3. Division by zero in range_decod ...)
+ {DLA-2021-1}
- libav <removed>
NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1161#c1
CVE-2019-14442 (In mpc8_read_header in libavformat/mpc8.c in Libav 12.3, an input file ...)
@@ -29065,8 +29083,7 @@ CVE-2019-11257
RESERVED
CVE-2019-11256
RESERVED
-CVE-2019-11255
- RESERVED
+CVE-2019-11255 (Improper input validation in Kubernetes CSI sidecar containers for ext ...)
NOT-FOR-US: kubernetes-csi
CVE-2019-11254
RESERVED
@@ -41122,14 +41139,14 @@ CVE-2019-7197 (A stored cross-site scripting (XSS) vulnerability has been report
TODO: check
CVE-2019-7196
RESERVED
-CVE-2019-7195
- RESERVED
-CVE-2019-7194
- RESERVED
-CVE-2019-7193
- RESERVED
-CVE-2019-7192
- RESERVED
+CVE-2019-7195 (This external control of file name or path vulnerability allows remote ...)
+ TODO: check
+CVE-2019-7194 (This external control of file name or path vulnerability allows remote ...)
+ TODO: check
+CVE-2019-7193 (This improper input validation vulnerability allows remote attackers t ...)
+ TODO: check
+CVE-2019-7192 (This improper access control vulnerability allows remote attackers to ...)
+ TODO: check
CVE-2019-7191
RESERVED
CVE-2019-7190
@@ -41142,12 +41159,12 @@ CVE-2019-7187
RESERVED
CVE-2019-7186
RESERVED
-CVE-2019-7185
- RESERVED
-CVE-2019-7184
- RESERVED
-CVE-2019-7183
- RESERVED
+CVE-2019-7185 (This cross-site scripting (XSS) vulnerability in Music Station allows ...)
+ TODO: check
+CVE-2019-7184 (This cross-site scripting (XSS) vulnerability in Video Station allows ...)
+ TODO: check
+CVE-2019-7183 (This improper link resolution vulnerability allows remote attackers to ...)
+ TODO: check
CVE-2019-7182
RESERVED
CVE-2019-7181 (Buffer Overflow vulnerability in myQNAPcloud Connect 1.3.3.0925 and ea ...)
@@ -46323,8 +46340,8 @@ CVE-2019-5100 (An exploitable integer overflow vulnerability exists in the BMP h
NOT-FOR-US: LEADTOOLS
CVE-2019-5099 (An exploitable integer underflow vulnerability exists in the CMP-parsi ...)
NOT-FOR-US: LEADTOOLS
-CVE-2019-5098
- RESERVED
+CVE-2019-5098 (An exploitable out-of-bounds read vulnerability exists in AMD ATIDXX64 ...)
+ TODO: check
CVE-2019-5097 (A denial-of-service vulnerability exists in the processing of multi-pa ...)
NOT-FOR-US: GoAhead
CVE-2019-5096 (An exploitable code execution vulnerability exists in the processing o ...)
@@ -49538,8 +49555,8 @@ CVE-2019-3692
RESERVED
CVE-2019-3691
RESERVED
-CVE-2019-3690
- RESERVED
+CVE-2019-3690 (The chkstat tool in the permissions package followed symlinks before c ...)
+ TODO: check
CVE-2019-3689 (The nfs-utils package in SUSE Linux Enterprise Server 12 before and in ...)
{DLA-1965-1}
- nfs-utils <unfixed> (bug #940848)
@@ -56530,7 +56547,7 @@ CVE-2019-1583 (Escalation of privilege vulnerability in the Palo Alto Networks T
NOT-FOR-US: Palo Alto Networks
CVE-2019-1582 (Memory corruption in PAN-OS 8.1.9 and earlier, and PAN-OS 9.0.3 and ea ...)
NOT-FOR-US: PAN-OS
-CVE-2019-1581 (Mitigation bypass in PAN-OS 7.1.24 and earlier, PAN-OS 8.0.19 and earl ...)
+CVE-2019-1581 (A remote code execution vulnerability in the PAN-OS SSH device managem ...)
NOT-FOR-US: PAN-OS
CVE-2019-1580 (Memory corruption in PAN-OS 7.1.24 and earlier, PAN-OS 8.0.19 and earl ...)
NOT-FOR-US: PAN-OS
@@ -56684,8 +56701,8 @@ CVE-2018-1002104
RESERVED
CVE-2018-1002103 (In Minikube versions 0.3.0-0.29.0, minikube exposes the Kubernetes Das ...)
NOT-FOR-US: minikube
-CVE-2018-1002102
- RESERVED
+CVE-2018-1002102 (Improper validation of URL redirection in the Kubernetes API server in ...)
+ TODO: check
CVE-2018-19875
RESERVED
CVE-2018-19874
@@ -61829,6 +61846,7 @@ CVE-2018-19134 (In Artifex Ghostscript through 9.25, the setpattern operator did
CVE-2018-19133 (In Flarum Core 0.1.0-beta.7.1, a serious leak can get everyone's email ...)
NOT-FOR-US: Flarum Core
CVE-2018-19130 (** DISPUTED ** In Libav 12.3, there is an invalid memory access in vc1 ...)
+ {DLA-2021-1}
- libav <removed>
NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1139
NOTE: Duplicate of CVE-2017-17127
@@ -61838,6 +61856,7 @@ CVE-2018-19129 (In Libav 12.3, a NULL pointer dereference (RIP points to zero) i
NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1138
NOTE: Duplicate of CVE-2019-14441
CVE-2018-19128 (In Libav 12.3, there is a heap-based buffer over-read in decode_frame ...)
+ {DLA-2021-1}
- libav <removed>
NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1137
CVE-2018-19127 (A code injection vulnerability in /type.php in PHPCMS 2008 allows atta ...)
@@ -88955,6 +88974,7 @@ CVE-2017-18246 (The pcm_encode_frame function in libavcodec/pcm.c in Libav 12.2
[jessie] - libav <ignored> (Minor issue, oob read, not reproducible with 11.12, no patch)
NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1095
CVE-2017-18245 (The mpc8_probe function in libavformat/mpc8.c in Libav 12.2 allows rem ...)
+ {DLA-2021-1}
- libav <removed>
NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1094
NOTE: new 2019 PoC crash with non-null, non-asan segfault, 32-bit only
@@ -112891,6 +112911,7 @@ CVE-2017-17128 (The h264_slice_init function in libavcodec/h264_slice.c in Libav
[jessie] - libav <not-affected> (Unable to reproduce on i386 and amd64 with current version and upstream Git; upstream bug also closed WORKSFORME)
NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1104
CVE-2017-17127 (The vc1_decode_frame function in libavcodec/vc1dec.c in Libav 12.2 all ...)
+ {DLA-2021-1}
- libav <removed>
[wheezy] - libav <ignored> (Minor issue)
NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1099
@@ -263893,8 +263914,7 @@ CVE-2013-1400
RESERVED
CVE-2009-5134 (Buffer overflow in the "create torrent dialog" functionality in uTorre ...)
NOT-FOR-US: uTorrent
-CVE-2013-0243 [Basic constraints vulnerability]
- RESERVED
+CVE-2013-0243 (haskell-tls-extra before 0.6.1 has Basic Constraints attribute vulnera ...)
- haskell-tls-extra 0.4.6.1-1 (bug #698545)
CVE-2013-1399 (Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) ...)
- puppet <not-affected> (Only affects Puppet Enterprise)
@@ -266958,8 +266978,7 @@ CVE-2013-0328 (Cross-site scripting (XSS) vulnerability in Jenkins before 1.502
- jenkins 1.480.3+dfsg-1 (bug #700761)
CVE-2013-0327 (Cross-site request forgery (CSRF) vulnerability in Jenkins master in J ...)
- jenkins 1.480.3+dfsg-1 (bug #700761)
-CVE-2013-0326 [_base images permissions world readable]
- RESERVED
+CVE-2013-0326 (OpenStack nova base images permissions are world readable ...)
- nova <unfixed> (unimportant)
NOTE: Unfixed upstream, typical installation not multi-user anyway
CVE-2013-0325 (Multiple cross-site scripting (XSS) vulnerabilities in the Varnish mod ...)
@@ -267075,8 +267094,7 @@ CVE-2013-0285 (The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x be
NOT-FOR-US: nori Ruby gem
CVE-2013-0284 (Ruby agent 3.2.0 through 3.5.2 serializes sensitive data when communic ...)
NOT-FOR-US: newrelic_rpm Ruby gem
-CVE-2013-0283
- RESERVED
+CVE-2013-0283 (Katello: Username in Notification page has cross site scripting ...)
NOT-FOR-US: Red Hat CloudForms
CVE-2013-0282 (OpenStack Keystone Grizzly before 2013.1, Folsom 2012.1.3 and earlier, ...)
- keystone 2012.1.1-13 (bug #700947)
@@ -267493,8 +267511,7 @@ CVE-2013-0165 (cartridges/openshift-origin-cartridge-mongodb-2.2/info/bin/dump.s
NOT-FOR-US: OpenShift
CVE-2013-0164 (The lockwrap function in port-proxy/bin/openshift-port-proxy-cfg in Re ...)
NOT-FOR-US: OpenShift
-CVE-2013-0163
- RESERVED
+CVE-2013-0163 (OpenShift haproxy cartridge: predictable /tmp in set-proxy connection ...)
NOT-FOR-US: OpenShift haproxy cartridge
CVE-2013-0162 (The diff_pp function in lib/gauntlet_rubyparser.rb in the ruby_parser ...)
- ruby-parser 2.3.1-2 (bug #701637)
@@ -281528,14 +281545,12 @@ CVE-2012-1107 (The analyzeCurrent function in ape/apeproperties.cpp in TagLib 1.
[squeeze] - taglib <no-dsa> (Minor issue)
CVE-2012-1106 (The C handler plug-in in Automatic Bug Reporting Tool (ABRT), possibly ...)
NOT-FOR-US: abrt is Red Hat / Fedora specific
-CVE-2012-1105
- RESERVED
+CVE-2012-1105 (An Information Disclosure vulnerability exists in the Jasig Project ph ...)
- moodle 2.2.7.dfsg-1 (low; bug #662945)
[squeeze] - moodle <no-dsa> (Minor issue)
- glpi 0.80.7-2 (unimportant; bug #662944)
NOTE: Only supported behind an authenticated HTTP zone
-CVE-2012-1104
- RESERVED
+CVE-2012-1104 (A Security Bypass vulnerability exists in the phpCAS 1.2.2 library fro ...)
- moodle 2.2.7.dfsg-1 (low; bug #662945)
[squeeze] - moodle <no-dsa> (Minor issue)
- glpi 0.80.7-2 (unimportant; bug #662944)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a23a2bc7ada75c3f63fc048d39d4558b15ea6688
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a23a2bc7ada75c3f63fc048d39d4558b15ea6688
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20191205/eab912af/attachment.html>
More information about the debian-security-tracker-commits
mailing list