[Git][security-tracker-team/security-tracker][master] new radare issue

[Moritz Muehlenhoff]

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3a49c93b by Moritz Muehlenhoff at 2019-12-13T11:01:04Z
new radare issue
new potential kopano/cups issues
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2547,7 +2547,8 @@ CVE-2019-19648 (In the macho_parse_file functionality in macho/macho.c of YARA 3
 	- yara <unfixed>
 	NOTE: https://github.com/VirusTotal/yara/issues/1178
 CVE-2019-19647 (radare2 through 4.0.0 lacks validation of the content variable in the  ...)
-	TODO: check
+	- radare2 <unfixed>
+	NOTE: https://github.com/radareorg/radare2/issues/15545
 CVE-2019-19646 (pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an integrity_ ...)
 	- sqlite3 <not-affected> (Generated column support added later)
 	NOTE: https://github.com/sqlite/sqlite/commit/926f796e8feec15f3836aa0a060ed906f8ae04d3
@@ -14642,11 +14643,13 @@ CVE-2019-16775 (Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arb
 	NOTE: https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx
 	NOTE: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
 CVE-2019-16774 (In phpfastcache before 5.1.3, there is a possible object injection vul ...)
-	TODO: check
+	- kopano-webapp-plugin-files <undetermined>
+	TODO: kopano-webapp-plugin-files embeds phpfastcache, needs verification whether
+	TODO: actually vulnerable
 CVE-2019-16773
 	RESERVED
 CVE-2019-16772 (The serialize-to-js NPM package before version 3.0.1 is vulnerable to  ...)
-	TODO: check
+	NOT-FOR-US: serialize-to-js Node package
 CVE-2019-16771 (Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable ...)
 	NOT-FOR-US: Armeria
 CVE-2019-16770 (In Puma before version 4.3.2, a poorly-behaved client could use keepal ...)
@@ -14656,7 +14659,7 @@ CVE-2019-16770 (In Puma before version 4.3.2, a poorly-behaved client could use
 	NOTE: https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
 	NOTE: https://github.com/puma/puma/commit/06053e60908074bb38293d4449ea261cb009b53e
 CVE-2019-16769 (The serialize-javascript npm package before version 2.1.1 is vulnerabl ...)
-	TODO: check
+	NOT-FOR-US: serialize-javascript Node package
 CVE-2019-16768 (In affected versions of Sylius, exception messages from internal excep ...)
 	NOT-FOR-US: Sylius
 CVE-2019-16767 (The admin sys mode is now conditional and dedicated for the special ca ...)
@@ -51530,7 +51533,7 @@ CVE-2019-3953 (Stack-based buffer overflow in Advantech WebAccess/SCADA 8.4.0 al
 CVE-2019-3952
 	RESERVED
 CVE-2019-3951 (Advantech WebAccess before 8.4.3 allows unauthenticated remote attacke ...)
-	TODO: check
+	NOT-FOR-US: Advantech WebAccess
 CVE-2019-3950 (Arlo Basestation firmware 1.12.0.1_27940 and prior contain a hardcoded ...)
 	NOT-FOR-US: Arlo Basestation firmware
 CVE-2019-3949 (Arlo Basestation firmware 1.12.0.1_27940 and prior firmware contain a  ...)
@@ -57612,17 +57615,18 @@ CVE-2019-2234
 CVE-2019-2233 (In getUserCount and getCount of UserSwitcherController.java, there is  ...)
 	NOT-FOR-US: Android
 CVE-2019-2232 (In handleRun of TextLine.java, there is a possible application crash d ...)
-	TODO: check
+	NOT-FOR-US: Android
 CVE-2019-2231 (In Blob::Blob of blob.cpp, there is a possible unencrypted master key  ...)
-	TODO: check
+	NOT-FOR-US: Android
 CVE-2019-2230 (In nfcManager_routeAid and nfcManager_unrouteAid of NativeNfcManager.c ...)
-	TODO: check
+	NOT-FOR-US: Android
 CVE-2019-2229 (In updateWidget of BaseWidgetProvider.java, there is a possible leak o ...)
-	TODO: check
+	NOT-FOR-US: Android
 CVE-2019-2228 (In array_find of array.c, there is a possible out-of-bounds read due t ...)
-	TODO: check
+	- cups <unfixed>
+	TODO: Might affect cups, needs clarification
 CVE-2019-2227 (In DeepCopy of btif_av.cc, there is a possible out of bounds read due  ...)
-	TODO: check
+	NOT-FOR-US: Android
 CVE-2019-2226 (In device_class_to_int of device_class.cc, there is a possible out of  ...)
 	TODO: check
 CVE-2019-2225 (When pairing with a Bluetooth device, it may be possible to pair a mal ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3a49c93b5d32b4fc01778b8765613f7f48284fc6

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3a49c93b5d32b4fc01778b8765613f7f48284fc6
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20191213/23c99bdd/attachment-0001.html>