[Git][security-tracker-team/security-tracker][master] new snakeyaml issue

[Moritz Muehlenhoff]

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c29ee215 by Moritz Muehlenhoff at 2019-12-12T11:09:19Z
new snakeyaml issue
opensc no-dsa
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -18,7 +18,7 @@ CVE-2019-19742
 CVE-2019-19741
 	RESERVED
 CVE-2019-19740 (Octeth Oempro 4.7 allows SQL injection. The parameter CampaignID in Ca ...)
-	TODO: check
+	NOT-FOR-US: Octeth Oempro
 CVE-2019-19739
 	RESERVED
 CVE-2019-19738
@@ -46,7 +46,8 @@ CVE-2019-19728
 CVE-2019-19727
 	RESERVED
 CVE-2017-18640 (The Alias feature in SnakeYAML 1.18 allows entity expansion during a l ...)
-	TODO: check
+	- snakeyaml <unfixed>
+	NOTE: https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion
 CVE-2019-19726 (OpenBSD through 6.6 allows local users to escalate to root because a c ...)
 	NOT-FOR-US: OpenBSD
 CVE-2019-19725 (sysstat through 12.2.0 has a double free in check_file_actlst in sa_co ...)
@@ -1265,7 +1266,7 @@ CVE-2019-19720 (Yabasic 2.86.1 has a heap-based buffer overflow in the yylex() f
 	- yabasic <unfixed>
 	NOTE: https://github.com/marcIhm/yabasic/issues/36
 CVE-2019-19719 (Tableau Server 10.3 through 2019.4 on Windows and Linux allows XSS via ...)
-	TODO: check
+	NOT-FOR-US: Tableau Server
 CVE-2019-19718
 	RESERVED
 CVE-2019-19717
@@ -1287,7 +1288,7 @@ CVE-2019-19710
 CVE-2019-19709 (MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklis ...)
 	TODO: check
 CVE-2019-19708 (The VisualEditor extension through 1.34 for MediaWiki allows XSS via p ...)
-	TODO: check
+	NOT-FOR-US: VisualEditor MediaWiki extension
 CVE-2019-19707 (On Moxa EDS-G508E, EDS-G512E, and EDS-G516E devices (with firmware thr ...)
 	NOT-FOR-US: Moxa
 CVE-2019-19706
@@ -1297,7 +1298,7 @@ CVE-2019-19705
 CVE-2019-19704
 	RESERVED
 CVE-2019-19703 (In Ktor through 1.2.6, the client resends data from the HTTP Authoriza ...)
-	TODO: check
+	NOT-FOR-US: Ktor
 CVE-2019-19702 (The modoboa-dmarc plugin 1.1.0 for Modoboa is vulnerable to an XML Ext ...)
 	NOT-FOR-US: Modoboa
 CVE-2018-21033
@@ -3123,6 +3124,8 @@ CVE-2019-19480 (An issue was discovered in OpenSC through 0.19.0 and 0.20.x thro
 	NOTE: free operation in sc_pkcs15_decode_prkdf_entry.
 CVE-2019-19479 (An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0. ...)
 	- opensc <unfixed>
+	[buster] - opensc <no-dsa> (Minor issue)
+	[stretch] - opensc <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18693
 	NOTE: https://github.com/OpenSC/OpenSC/commit/c3f23b836e5a1766c36617fe1da30d22f7b63de2
 CVE-2019-19478
@@ -3590,7 +3593,7 @@ CVE-2019-19376 (In Octopus Deploy before 2019.10.6, an authenticated user with T
 CVE-2019-19375 (In Octopus Deploy before 2019.10.7, in a configuration where SSL offlo ...)
 	NOT-FOR-US: Octopus Deploy
 CVE-2019-19374 (An issue was discovered in core/assets/form/form_question_types/form_q ...)
-	TODO: check
+	NOT-FOR-US: Squiz Matrix CMS
 CVE-2019-19373 (An issue was discovered in Squiz Matrix CMS 5.5.0 prior to 5.5.0.3, 5. ...)
 	NOT-FOR-US: Squiz Matrix CMS
 CVE-2019-19372 (** DISPUTED ** A downloadFile.php download_file path traversal vulnera ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c29ee215ae034890c4822c6f122a0041307a6756

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c29ee215ae034890c4822c6f122a0041307a6756
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20191212/7a764cee/attachment.html>