[Git][security-tracker-team/security-tracker][master] new catdoc non issue

Tue Feb 5 22:15:18 GMT 2019

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
90b74669 by Moritz Muehlenhoff at 2019-02-05T22:14:52Z
new catdoc non issue
new openjpeg issue
new node-lodash issue
libsolv no-dsa
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -507,7 +507,8 @@ CVE-2019-7235 (An issue was discovered in idreamsoft iCMS 7.0.13. ...)
 CVE-2019-7234 (An issue was discovered in idreamsoft iCMS 7.0.13. ...)
 	NOT-FOR-US: idreamsoft iCMS
 CVE-2019-7233 (In libdoc through 2019-01-28, doc2text in catdoc.c has a NULL pointer ...)
-	TODO: check
+	- catdoc <unfixed> (unimportant)
+	NOTE: Crash in CLI tool, no security impact
 CVE-2019-7232
 	RESERVED
 CVE-2019-7231
@@ -1061,7 +1062,9 @@ CVE-2019-1000018 (rssh version 2.3.4 contains a CWE-77: Improper Neutralization
 CVE-2019-6989
 	RESERVED
 CVE-2019-6988 (An issue was discovered in OpenJPEG 2.3.0. It allows remote attackers ...)
-	TODO: check
+	- openjpeg2 <unfixed> (low)
+	[stretch] - openjpeg2 <ignored> (Minor issue)
+	NOTE: https://github.com/uclouvain/openjpeg/issues/1178
 CVE-2019-6987
 	RESERVED
 CVE-2019-6986 (SPARQL Injection in VIVO Vitro v1.10.0 allows a remote attacker to ...)
@@ -9316,20 +9319,20 @@ CVE-2018-20535 (There is a use-after-free at asm/preproc.c (function pp_getline)
 	[jessie] - nasm <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392530
 CVE-2018-20534 (There is an illegal address access at src/pool.h (function ...)
-	- libsolv <unfixed>
+	- libsolv <unfixed> (low)
+	[stretch] - libsolv <ignored> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652604
 	NOTE: https://github.com/openSUSE/libsolv/pull/291
-	TODO: further check on affected versions
 CVE-2018-20533 (There is a NULL pointer dereference at ext/testcase.c (function ...)
-	- libsolv <unfixed>
+	- libsolv <unfixed> (low)
+	[stretch] - libsolv <ignored> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652599
 	NOTE: https://github.com/openSUSE/libsolv/pull/291
-	TODO: further check on affected versions
 CVE-2018-20532 (There is a NULL pointer dereference at ext/testcase.c (function ...)
-	- libsolv <unfixed>
+	- libsolv <unfixed> (low)
+	[stretch] - libsolv <ignored> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652605
 	NOTE: https://github.com/openSUSE/libsolv/pull/291
-	TODO: further check on affected versions
 CVE-2018-20531
 	RESERVED
 CVE-2018-20530 (PHP Scripts Mall Website Seller Script 2.0.5 has XSS via a Profile ...)
@@ -26815,7 +26818,7 @@ CVE-2018-16495
 CVE-2018-16494
 	RESERVED
 CVE-2018-16493 (A path traversal vulnerability was found in module ...)
-	TODO: check
+	NOT-FOR-US: node static-resource-server
 CVE-2018-16492 (A prototype pollution vulnerability was found in module extend <2.0.2, ...)
 	- node-extend 3.0.2-1 (unimportant)
 	NOTE: https://snyk.io/vuln/npm:extend:20180424
@@ -26827,29 +26830,31 @@ CVE-2018-16491 (A prototype pollution vulnerability was found in node.extend &lt
 	NOTE: https://hackerone.com/reports/430831
 	NOTE: nodejs not covered by security support
 CVE-2018-16490 (A prototype pollution vulnerability was found in module mpath <0.5.1 ...)
-	TODO: check
+	NOT-FOR-US: node mpath
 CVE-2018-16489 (A prototype pollution vulnerability was found in just-extend <4.0.0 ...)
-	TODO: check
+	NOT-FOR-US: node just-extend
 CVE-2018-16488
 	RESERVED
 CVE-2018-16487 (A prototype pollution vulnerability was found in lodash <4.17.11 where ...)
-	TODO: check
+	- node-lodash 4.17.11+dfsg-1 (unimportant)
+	NOTE: https://hackerone.com/reports/380873
+	NOTE: nodejs not covered by security support
 CVE-2018-16486 (A prototype pollution vulnerability was found in defaults-deep <=0.2.4 ...)
-	TODO: check
+	NOT-FOR-US: node defaults-deep
 CVE-2018-16485 (Path Traversal vulnerability in module m-server <1.4.1 allows ...)
-	TODO: check
+	NOT-FOR-US: node m-server
 CVE-2018-16484 (A XSS vulnerability was found in module m-server <1.4.2 that allows ...)
-	TODO: check
+	NOT-FOR-US: node m-server
 CVE-2018-16483 (A deficiency in the access control in module express-cart <=1.1.5 ...)
-	TODO: check
+	NOT-FOR-US: node express-cart
 CVE-2018-16482 (A server directory traversal vulnerability was found on node module ...)
-	TODO: check
+	NOT-FOR-US: node mcstatic
 CVE-2018-16481 (A XSS vulnerability was found in html-page <=2.1.1 that allows ...)
-	TODO: check
+	NOT-FOR-US: node html-page
 CVE-2018-16480 (A XSS vulnerability was found in module public <0.1.4 that allows ...)
-	TODO: check
+	NOT-FOR-US: node public
 CVE-2018-16479 (Path traversal vulnerability in http-live-simulator <1.0.7 causes ...)
-	TODO: check
+	NOT-FOR-US: node http-live-simulator
 CVE-2018-16478 (A Path Traversal in simplehttpserver versions <=0.2.1 allows to list ...)
 	NOT-FOR-US: simplehttpserver
 CVE-2018-16477 (A bypass vulnerability in Active Storage >= 5.2.0 for Google Cloud ...)
@@ -29044,7 +29049,7 @@ CVE-2018-15619
 CVE-2018-15618
 	RESERVED
 CVE-2018-15617 (A vulnerability in the "capro" (Call Processor) process component of ...)
-	TODO: check
+	NOT-FOR-US: Avaya
 CVE-2018-15616 (A vulnerability in the Web UI component of Avaya Aura System Platform ...)
 	NOT-FOR-US: Avaya Aura System Platform
 CVE-2018-15615 (A vulnerability in the Supervisor component of Avaya Call Management ...)
@@ -36844,7 +36849,7 @@ CVE-2018-12550
 CVE-2018-12549
 	RESERVED
 CVE-2018-12548 (In OpenJDK + Eclipse OpenJ9 version 0.11.0 builds, the public ...)
-	TODO: check
+	NOT-FOR-US: OpenJDK + Eclipse OpenJ9
 CVE-2018-12547
 	RESERVED
 CVE-2018-12546
@@ -56880,7 +56885,7 @@ CVE-2018-5562
 CVE-2018-5561
 	RESERVED
 CVE-2018-5560 (A reliance on a static, hard-coded credential in the design of the ...)
-	TODO: check
+	NOT-FOR-US: Guardzilla
 CVE-2018-5559 (In Rapid7 Komand version 0.41.0 and prior, certain endpoints that are ...)
 	NOT-FOR-US: Rapid7 Komand
 CVE-2018-5558
@@ -60993,7 +60998,7 @@ CVE-2018-3958 (A use-after-free vulnerability exists in the JavaScript engine of
 CVE-2018-3957 (A use-after-free vulnerability exists in the JavaScript engine of ...)
 	NOT-FOR-US: Foxit Software's Foxit PDF Reader
 CVE-2018-3956 (An exploitable out-of-bounds read vulnerability exists in the handling ...)
-	TODO: check
+	NOT-FOR-US: Foxit
 CVE-2018-3955 (An exploitable operating system command injection exists in the ...)
 	NOT-FOR-US: Linksys
 CVE-2018-3954 (Devices in the Linksys ESeries line of routers (Linksys E1200 Firmware ...)
@@ -71534,7 +71539,7 @@ CVE-2018-0724 (Cross-site scripting (XSS) vulnerability in Q'center Virtual Appl
 CVE-2018-0723 (Cross-site scripting (XSS) vulnerability in Q'center Virtual Appliance ...)
 	NOT-FOR-US: Q'center Virtual Appliance
 CVE-2018-0722 (Path Traversal vulnerability in Photo Station versions: 5.7.2 and ...)
-	TODO: check
+	NOT-FOR-US: QNAP
 CVE-2018-0721 (Buffer Overflow vulnerability in QNAP QTS 4.2.6 build 20180711 and ...)
 	NOT-FOR-US: QNAP QTS
 CVE-2018-0720



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/90b74669902211c9fed0b9d87fdb187801ee8228

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/90b74669902211c9fed0b9d87fdb187801ee8228
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190205/37a8cba5/attachment.html>
