[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Fri Dec 13 20:10:34 GMT 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
6ff23843 by security tracker role at 2019-12-13T20:10:26Z
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,23 @@
+CVE-2019-19793 (In Cyxtera AppGate SDP Client 4.1.x through 4.3.x before 4.3.2 on Wind ...)
+ TODO: check
+CVE-2019-19792
+ RESERVED
+CVE-2019-19791
+ RESERVED
+CVE-2019-19790 (Path traversal in RadChart in Telerik UI for ASP.NET AJAX allows a rem ...)
+ TODO: check
+CVE-2019-19789
+ RESERVED
+CVE-2019-19788
+ RESERVED
+CVE-2019-19787 (ATasm 1.06 has a stack-based buffer overflow in the get_signed_express ...)
+ TODO: check
+CVE-2019-19786 (ATasm 1.06 has a stack-based buffer overflow in the parse_expr() funct ...)
+ TODO: check
+CVE-2019-19785 (ATasm 1.06 has a stack-based buffer overflow in the to_comma() functio ...)
+ TODO: check
+CVE-2019-19784
+ RESERVED
CVE-2019-19783
RESERVED
CVE-2019-19782 (The FTP client in AceaXe Plus 1.0 allows a buffer overflow via a long ...)
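Review bot: CVE-2019-19785, CVE-2019-19786 and CVE-2019-19787 (the three `+` ATasm 1.06 stack-based buffer overflow entries) describe the same upstream version and the same bug class in three different functions, so they should be triaged together with one shared decision rather than three independent `TODO: check` lines; CVE-2019-19793 (AppGate SDP Client 4.1.x through 4.3.x "on Wind ...") appears to concern a Windows client and looks like a `NOT-FOR-US` candidate once the truncated description is read in full.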
@@ -22,8 +42,8 @@ CVE-2019-19776
RESERVED
CVE-2019-19775
RESERVED
-CVE-2019-19774
- RESERVED
+CVE-2019-19774 (An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP ...)
+ TODO: check
CVE-2019-19773
RESERVED
CVE-2019-19772
@@ -1147,8 +1167,7 @@ CVE-2019-19724
RESERVED
CVE-2019-19723
RESERVED
-CVE-2019-19722
- RESERVED
+CVE-2019-19722 (In Dovecot before 2.3.9.2, an attacker can crash a push-notification d ...)
- dovecot <not-affected> (Only affects 2.3.9)
NOTE: https://www.openwall.com/lists/oss-security/2019/12/13/2
NOTE: https://github.com/dovecot/core/commit/1307766b6f5d97341a47376657d342bcefd10f1b
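Review bot: the new description for CVE-2019-19722 says "In Dovecot before 2.3.9.2", while the unchanged triage line below it says `dovecot <not-affected> (Only affects 2.3.9)`; the two ranges read as contradictory, so confirm against the oss-security post and upstream commit linked in the NOTE lines that only the 2.3.9 release was affected and, if so, expand the not-affected reason to say why earlier versions are out of scope, so a later reader does not re-open the entry on the strength of the CVE text alone.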
@@ -4161,8 +4180,8 @@ CVE-2019-19503
RESERVED
CVE-2019-19502 (pluginconfig.php in the Image Uploader and Browser plugin before 4.1.9 ...)
NOT-FOR-US: ckeditor plugin
-CVE-2019-19501
- RESERVED
+CVE-2019-19501 (VeraCrypt 1.24 allows Local Privilege Escalation during execution of V ...)
+ TODO: check
CVE-2019-19500
RESERVED
CVE-2019-19499
@@ -4597,8 +4616,8 @@ CVE-2019-19399
RESERVED
CVE-2019-19398
RESERVED
-CVE-2019-19397
- RESERVED
+CVE-2019-19397 (There is a weak algorithm vulnerability in some Huawei products. The a ...)
+ TODO: check
CVE-2019-19396 (illumos, as used in OmniOS Community Edition before r151030y, allows a ...)
NOT-FOR-US: illumos
CVE-2019-19395
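Review bot: CVE-2019-19397 is left as `TODO: check` although its description names "some Huawei products" and every other Huawei entry touched by this commit (CVE-2019-5292, CVE-2019-5289, CVE-2019-5247) is triaged `NOT-FOR-US: Huawei`; unless the weak-algorithm issue turns out to be in a component Debian ships, mark it `NOT-FOR-US: Huawei` to match.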
@@ -6233,8 +6252,7 @@ CVE-2019-18840 (In wolfSSL 4.1.0 through 4.2.0c, there are missing sanity checks
NOTE: https://github.com/wolfSSL/wolfssl/commit/52f28bd5149360f8e3bf8ca13d3fb9a77283df7c
CVE-2019-18839 (FUDForum 3.0.9 is vulnerable to Stored XSS via the nlogin parameter. T ...)
NOT-FOR-US: FUDForum
-CVE-2019-18838
- RESERVED
+CVE-2019-18838 (An issue was discovered in Envoy 1.12.0. Upon receipt of a malformed H ...)
NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651)
CVE-2019-18837 (An issue was discovered in crun before 0.10.5. With a crafted image, i ...)
- crun <not-affected> (Fixed in initial upload)
@@ -6343,11 +6361,9 @@ CVE-2019-18804 (DjVuLibre 3.5.27 has a NULL pointer dereference in the function
NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/c8bec6549c10ffaa2f2fbad8bbc629efdf0dd125/
CVE-2019-18803
RESERVED
-CVE-2019-18802
- RESERVED
+CVE-2019-18802 (An issue was discovered in Envoy 1.12.0. An untrusted remote client ma ...)
NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651)
-CVE-2019-18801
- RESERVED
+CVE-2019-18801 (An issue was discovered in Envoy 1.12.0. An untrusted remote client ma ...)
NOT-FOR-US: envoy proxy (not the same as itp'ed envoy, #758651)
CVE-2019-18800 (Viber through 11.7.0.5 allows a remote attacker who can capture a vict ...)
NOT-FOR-US: Viber
@@ -9772,16 +9788,19 @@ CVE-2019-18348 (An issue was discovered in urllib2 in Python 2.x through 2.7.17
NOTE: not the case in all suites, but the issue is minor in general and would
NOTE: tend to a no-dsa/ignored tag in those suites.
CVE-2019-18347 (A stored XSS issue was discovered in DAViCal through 1.1.8. It does no ...)
+ {DSA-4582-1}
- davical 1.1.9.2-1 (bug #946343)
NOTE: https://hackdefense.com/publications/cve-2019-18347-davical-caldav-server-vulnerability/
NOTE: https://gitlab.com/davical-project/davical/commit/86a8ec5302b705cd11f0373eefbe2168799b277b
NOTE: https://gitlab.com/davical-project/davical/commit/a3acb770ac6bc807feb2015b4eb10ab641322d19
CVE-2019-18346 (A CSRF issue was discovered in DAViCal through 1.1.8. If an authentica ...)
+ {DSA-4582-1}
- davical 1.1.9.2-1 (bug #946343)
NOTE: https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability/
NOTE: https://gitlab.com/davical-project/davical/commit/86a8ec5302b705cd11f0373eefbe2168799b277b
NOTE: https://gitlab.com/davical-project/davical/commit/a3acb770ac6bc807feb2015b4eb10ab641322d19
CVE-2019-18345 (A reflected XSS issue was discovered in DAViCal through 1.1.8. It echo ...)
+ {DSA-4582-1}
- davical 1.1.9.2-1 (bug #946343)
NOTE: https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability/
NOTE: https://gitlab.com/davical-project/davical/commit/86a8ec5302b705cd11f0373eefbe2168799b277b
@@ -12361,8 +12380,8 @@ CVE-2016-11014 (NETGEAR JNR1010 devices before 1.0.0.32 have Incorrect Access Co
NOT-FOR-US: NETGEAR
CVE-2019-17600 (Intelbras IWR 1000N 1.6.4 devices allow disclosure of the administrato ...)
NOT-FOR-US: Intelbras IWR 1000N devices
-CVE-2019-17599
- RESERVED
+CVE-2019-17599 (The quiz-master-next (aka Quiz And Survey Master) plugin before 6.3.5 ...)
+ TODO: check
CVE-2019-17598 (An issue was discovered in Lightbend Play Framework 2.5.x through 2.6. ...)
NOT-FOR-US: Lightbend Play Framework
CVE-2019-17597
@@ -13666,8 +13685,8 @@ CVE-2019-17125
RESERVED
CVE-2019-17124 (Kramer VIAware 2.5.0719.1034 has Incorrect Access Control. ...)
NOT-FOR-US: Kramer VIAware
-CVE-2019-17123
- RESERVED
+CVE-2019-17123 (The eGain Web Email API 11+ allows spoofed messages because the fromNa ...)
+ TODO: check
CVE-2019-17122
RESERVED
CVE-2019-17121 (REDCap before 9.3.4 has XSS on the Customize & Manage Locking/E-si ...)
@@ -22481,8 +22500,8 @@ CVE-2019-14346 (Internal/Views/config.php in Schben Adive 2.0.7 allows admin/con
NOT-FOR-US: Schben Adive
CVE-2019-14345 (TemaTres 3.0 allows remote unprivileged users to create an administrat ...)
NOT-FOR-US: TemaTres
-CVE-2019-14344
- RESERVED
+CVE-2019-14344 (TemaTres 3.0 has reflected XSS via the replace_string or search_string ...)
+ TODO: check
CVE-2019-14343 (TemaTres 3.0 has stored XSS via the value parameter to the vocab/admin ...)
NOT-FOR-US: TemaTres
CVE-2019-14342
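Review bot: CVE-2019-14344 (TemaTres 3.0 reflected XSS) is left as `TODO: check` while the context lines directly above and below (CVE-2019-14345, CVE-2019-14343) are both `NOT-FOR-US: TemaTres` for the same product and version; resolve it the same way rather than leaving a TODO between two already-triaged entries.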
@@ -25990,8 +26009,8 @@ CVE-2019-13349 (In Knowage through 6.1.1, an authenticated user that accesses th
NOT-FOR-US: Knowage
CVE-2019-13348 (In Knowage through 6.1.1, an authenticated user who accesses the datas ...)
NOT-FOR-US: Knowage
-CVE-2019-13347
- RESERVED
+CVE-2019-13347 (An issue was discovered in the SAML Single Sign On (SSO) plugin for se ...)
+ TODO: check
CVE-2019-13346 (In MyT 1.5.1, the User[username] parameter has XSS. ...)
NOT-FOR-US: MyT
CVE-2019-13345 (The cachemgr.cgi web module of Squid through 4.7 has XSS via the user_ ...)
@@ -48749,10 +48768,10 @@ CVE-2019-5293 (Some Huawei products have a memory leak vulnerability when handli
NOT-FOR-US: Huawei
CVE-2019-5292 (Honor 10 Lite, Honor 8A, Huawei Y6 mobile phones with the versions bef ...)
NOT-FOR-US: Huawei
-CVE-2019-5291
- RESERVED
-CVE-2019-5290
- RESERVED
+CVE-2019-5291 (Some Huawei products have an insufficient verification of data authent ...)
+ TODO: check
+CVE-2019-5290 (Huawei S5700 and S6700 have a DoS security vulnerability. Attackers wi ...)
+ TODO: check
CVE-2019-5289 (Gauss100 OLTP database in ManageOne with versions of 6.5.0 have an out ...)
NOT-FOR-US: Huawei
CVE-2019-5288 (P30 smart phones with versions earlier than ELLE-AL00B 9.1.0.193(C00E1 ...)
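Review bot: both new entries, CVE-2019-5291 ("Some Huawei products ...") and CVE-2019-5290 ("Huawei S5700 and S6700 ..."), name Huawei products, and the context lines on either side (CVE-2019-5292, CVE-2019-5289) are `NOT-FOR-US: Huawei`; replace the two `TODO: check` lines with `NOT-FOR-US: Huawei` to keep the block consistent.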
@@ -48829,14 +48848,14 @@ CVE-2019-5253
RESERVED
CVE-2019-5252
RESERVED
-CVE-2019-5251
- RESERVED
-CVE-2019-5250
- RESERVED
+CVE-2019-5251 (There is a path traversal vulnerability in several Huawei smartphones. ...)
+ TODO: check
+CVE-2019-5250 (Mate 20 Pro smartphones with versions earlier than 9.1.0.135(C00E133R3 ...)
+ TODO: check
CVE-2019-5249
RESERVED
-CVE-2019-5248
- RESERVED
+CVE-2019-5248 (CloudEngine 12800 has a DoS vulnerability. An attacker of a neighborin ...)
+ TODO: check
CVE-2019-5247 (Huawei Atlas 300, Atlas 500 have a buffer overflow vulnerability. A lo ...)
NOT-FOR-US: Huawei
CVE-2019-5246 (Smartphones with software of ELLE-AL00B 9.1.0.109(C00E106R1P21), 9.1.0 ...)
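Review bot: CVE-2019-5251 (Huawei smartphones), CVE-2019-5250 (Mate 20 Pro) and CVE-2019-5248 (CloudEngine 12800) are all Huawei device issues like the adjacent CVE-2019-5247 (`NOT-FOR-US: Huawei`), so the three `TODO: check` lines can be resolved as `NOT-FOR-US: Huawei` in the same way.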
@@ -50592,8 +50611,8 @@ CVE-2019-4428 (IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3
NOT-FOR-US: IBM
CVE-2019-4427
RESERVED
-CVE-2019-4426
- RESERVED
+CVE-2019-4426 (The Case Builder component shipped with 18.0.0.1 through 19.0.0.2 and ...)
+ TODO: check
CVE-2019-4425 (IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, and 18.0.0.2 coul ...)
NOT-FOR-US: IBM
CVE-2019-4424 (IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0. ...)
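Review bot: CVE-2019-4426 names only "The Case Builder component shipped with 18.0.0.1 through 19.0.0.2" and not the vendor, but that version range matches the IBM Business Automation Workflow entries directly below it (CVE-2019-4425 and CVE-2019-4424, both `NOT-FOR-US: IBM`); check the full description and, if it is the same product family, resolve the `TODO: check` as `NOT-FOR-US: IBM`.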
@@ -241117,8 +241136,7 @@ CVE-2014-3497 (Cross-site scripting (XSS) vulnerability in OpenStack Swift 1.11.
[wheezy] - swift <not-affected> (Only affects 1.11.0 to 1.13.1)
CVE-2014-3496 (cartridge_repository.rb in OpenShift Origin and Enterprise 1.2.8 throu ...)
NOT-FOR-US: OpenShift Origin
-CVE-2014-3495 [improper verification of SSL certificates]
- RESERVED
+CVE-2014-3495 (duplicity 0.6.24 has improper verification of SSL certificates ...)
- duplicity 0.6.21-1 (low; bug #751902)
[wheezy] - duplicity <no-dsa> (Minor issue)
NOTE: Since python-boto 2.6.0, cf. #751902, boto's default is now to enable
@@ -244438,8 +244456,7 @@ CVE-2013-7335 (Open redirect vulnerability in DotNetNuke (DNN) before 6.2.9 and
NOT-FOR-US: DotNetNuke
CVE-2013-7334 (Cross-site request forgery (CSRF) vulnerability in ImageCMS before 4.2 ...)
NOT-FOR-US: ImageCMS
-CVE-2014-2387 [pen: insecure temporary filename]
- RESERVED
+CVE-2014-2387 (Pen 0.18.0 has Insecure Temporary File Creation vulnerabilities ...)
- pen 0.22.1-1 (low; bug #741370)
[squeeze] - pen <no-dsa> (Minor issue)
[wheezy] - pen <no-dsa> (Minor issue)
@@ -245650,8 +245667,7 @@ CVE-2014-1881 (Apache Cordova 3.3.0 and earlier and Adobe PhoneGap 2.9.0 and ear
NOT-FOR-US: Apache Cordova
CVE-2014-1868 (Restlet Framework 2.1.x before 2.1.7 and 2.x.x before 2.2 RC1, when us ...)
- restlet <itp> (bug #596472)
-CVE-2014-1867
- RESERVED
+CVE-2014-1867 (suPHP before 0.7.2 source-highlighting feature allows security bypass ...)
- suphp <removed> (bug #736969)
[squeeze] - suphp <no-dsa> (Minor issue)
[wheezy] - suphp <no-dsa> (Minor issue)
@@ -250592,8 +250608,7 @@ CVE-2014-0242 (mod_wsgi module before 3.4 for Apache, when used in embedded mode
{DSA-2937-1}
- mod-wsgi 3.4-3
NOTE: https://github.com/GrahamDumpleton/mod_wsgi/commit/b0a149c1f5e569932325972e2e20176a42e43517
-CVE-2014-0241
- RESERVED
+CVE-2014-0241 (rubygem-hammer_cli_foreman: File /etc/hammer/cli.modules.d/foreman.yml ...)
NOT-FOR-US: hammer_cli_foreman ruby gem
CVE-2014-0240 (The mod_wsgi module before 3.5 for Apache, when daemon mode is enabled ...)
{DSA-2937-1}
@@ -250721,8 +250736,7 @@ CVE-2014-0213 (Multiple cross-site request forgery (CSRF) vulnerabilities in mod
- moodle 2.6.3-1
[squeeze] - moodle <not-affected> (Vulnerable code not present)
NOTE: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-44606
-CVE-2014-0212 [on-demand ACL policy loading enables a denial of service by consuming all available file descriptors]
- RESERVED
+CVE-2014-0212 (qpid-cpp: ACL policies only loaded if the acl-file option specified en ...)
- qpid-cpp <removed> (low; bug #772794)
[wheezy] - qpid-cpp <no-dsa> (Minor issue)
NOTE: Upstream issue: https://issues.apache.org/jira/browse/QPID-4938
@@ -250783,8 +250797,7 @@ CVE-2014-0198 (The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0
- openssl 1.0.1g-4 (bug #747432)
[squeeze] - openssl <not-affected> (vulnerable code not present)
NOTE: http://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3321
-CVE-2014-0197
- RESERVED
+CVE-2014-0197 (CFME: CSRF protection vulnerability via permissive check of the referr ...)
NOT-FOR-US: CloudForms Management Engine
CVE-2014-0196 (The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel th ...)
{DSA-2928-1 DSA-2926-1}
@@ -250863,8 +250876,7 @@ CVE-2014-0177 (The am function in lib/hub/commands.rb in hub before 1.12.1 allow
NOT-FOR-US: Github client
CVE-2014-0176 (Cross-site scripting (XSS) vulnerability in application/panel_control ...)
NOT-FOR-US: RedHat CloudForms Management Engine
-CVE-2014-0175 [default password set at install]
- RESERVED
+CVE-2014-0175 (mcollective has a default password set at install ...)
- mcollective <unfixed> (unimportant)
NOTE: Password rotation is documented in README.Debian
CVE-2014-0174 (Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6ff238430b318c99899b6e639b922b5437a97567