[Git][security-tracker-team/security-tracker][master] 5 commits: Add bug reference for CVE-2018-20340
Salvatore Bonaccorso
carnil at debian.org
Fri Feb 8 15:19:28 GMT 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5da024c1 by Salvatore Bonaccorso at 2019-02-08T15:12:50Z
Add bug reference for CVE-2018-20340
- - - - -
0dfe6465 by Salvatore Bonaccorso at 2019-02-08T15:12:50Z
Add libu2f-host to dsa-needed list
- - - - -
5f12546b by Salvatore Bonaccorso at 2019-02-08T15:12:50Z
Adjust source package name for CVE-2019-1000014
- - - - -
13ddbedc by Salvatore Bonaccorso at 2019-02-08T15:12:50Z
Add note for mariadb-10.1 entry
- - - - -
32996a85 by Salvatore Bonaccorso at 2019-02-08T15:19:01Z
Process NFUs
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -3,7 +3,7 @@ CVE-2019-7634
CVE-2019-7633
RESERVED
CVE-2019-7632 (LifeSize Team, Room, Passport, and Networker 220 devices allow ...)
- TODO: check
+ NOT-FOR-US: LifeSize devices
CVE-2019-7631
RESERVED
CVE-2019-7630
@@ -193,15 +193,15 @@ CVE-2019-7548 (SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter c
- sqlalchemy <undetermined>
TODO: check
CVE-2019-7547 (An issue was discovered in SIDU 6.0. Because the database name is not ...)
- TODO: check
+ NOT-FOR-US: SIDU
CVE-2019-7546 (An issue was discovered in SIDU 6.0. The dbs parameter of the conn.php ...)
- TODO: check
+ NOT-FOR-US: SIDU
CVE-2019-7545 (In DbNinja 3.2.7, the Add Host function of the Manage Hosts pages has a ...)
- TODO: check
+ NOT-FOR-US: DbNinja
CVE-2019-7544 (An issue was discovered in MyWebSQL 3.7. The Add User function of the ...)
- TODO: check
+ NOT-FOR-US: MyWebSQL
CVE-2019-7543 (In KindEditor 4.1.11, the php/demo.php content1 parameter has a ...)
- TODO: check
+ NOT-FOR-US: KindEditor
CVE-2019-7542
RESERVED
CVE-2018-20763 (In GPAC through 0.7.2, gf_text_get_utf8_line in ...)
@@ -689,7 +689,7 @@ CVE-2019-1000016 (FFMPEG version 4.1 contains a CWE-129: Improper Validation of
CVE-2019-1000015 (Chamilo Chamilo-lms version 1.11.8 and earlier contains a Cross Site ...)
NOT-FOR-US: Chamilo Chamilo-lms
CVE-2019-1000014 (Erlang/OTP Rebar3 version 3.7.0 through 3.7.5 contains a Signing ...)
- - rebar2 <undetermined>
+ - rebar <undetermined>
CVE-2019-1000013 (Hex package manager hex_core version 0.3.0 and earlier contains a ...)
NOT-FOR-US: Hex package manager
CVE-2019-1000012 (Hex package manager version 0.14.0 through 0.18.2 contains a Signing ...)
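Review bot: On the CVE-2019-1000014 entry, the description names Rebar3 3.7.0 through 3.7.5, but the tracked package is now "rebar" and the status is still <undetermined>, with nothing recording how the two relate. Consider adding a NOTE line saying what has to be checked in the rebar source package (whether it ships the code the description refers to), so the next triager does not have to rediscover why this package name was chosen.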
@@ -3435,7 +3435,7 @@ CVE-2019-6244 (An issue was discovered in UsualToolCMS 8.0. ...)
CVE-2019-6243 (Frog CMS 0.9.5 allows XSS via the forgot password page (aka the ...)
NOT-FOR-US: Frog CMS
CVE-2019-6242 (** DISPUTED ** Kentico v10.0.42 allows Global Administrators to read ...)
- TODO: check
+ NOT-FOR-US: Kentico
CVE-2019-6241
RESERVED
CVE-2019-6240 [Arbitrary repo read in Gitlab project import]
@@ -3647,7 +3647,7 @@ CVE-2019-6141
CVE-2019-6140
RESERVED
CVE-2019-6139 (Forcepoint User ID (FUID) server versions up to 1.2 have a remote ...)
- TODO: check
+ NOT-FOR-US: Forcepoint User ID (FUID) server
CVE-2019-6138 (An issue has been found in libIEC61850 v1.3.1. Memory_malloc and ...)
NOT-FOR-US: libIEC61850
CVE-2019-6137 (An issue was discovered in lib60870 2.1.1. LinkLayer_setAddress in ...)
@@ -10433,7 +10433,7 @@ CVE-2018-20341
RESERVED
CVE-2018-20340 [buffer overflow]
RESERVED
- - libu2f-host <unfixed>
+ - libu2f-host <unfixed> (bug #921726)
NOTE: https://www.yubico.com/support/security-advisories/ysa-2019-01/
NOTE: https://github.com/Yubico/libu2f-host/commit/f526546bb29f2ef704ae9850f0f4b41fea7b62a4
NOTE: https://github.com/Yubico/libu2f-host/commit/e77a109f8cf60d9eafdf005ab5c851d5f576c01e
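Review bot: On the CVE-2018-20340 entry, the line "- libu2f-host <unfixed> (bug #921726)" now links the bug, but the NOTE lines list two upstream commits without saying which upstream release first contains them. A further NOTE naming the fixed upstream version, once known, would let the <unfixed> status be replaced with a version without re-reading both commits.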
@@ -15236,17 +15236,17 @@ CVE-2019-1682
CVE-2019-1681
RESERVED
CVE-2019-1680 (A vulnerability in Cisco Webex Business Suite could allow an ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1679 (A vulnerability in the web interface of Cisco TelePresence Conductor, ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1678 (A vulnerability in Cisco Meeting Server could allow an authenticated, ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1677 (A vulnerability in Cisco Webex Meetings for Android could allow an ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1676
RESERVED
CVE-2019-1675 (A vulnerability in the default configuration of the Cisco Aironet ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1674
RESERVED
CVE-2019-1673
@@ -15254,9 +15254,9 @@ CVE-2019-1673
CVE-2019-1672
RESERVED
CVE-2019-1671 (A vulnerability in the web-based management interface of Cisco ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1670 (A vulnerability in the web-based management interface of Cisco Unified ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1669 (A vulnerability in the data acquisition (DAQ) component of Cisco ...)
NOT-FOR-US: Cisco
CVE-2019-1668 (A vulnerability in the chat feed feature of Cisco SocialMiner could ...)
@@ -15274,9 +15274,9 @@ CVE-2019-1663
CVE-2019-1662
RESERVED
CVE-2019-1661 (A vulnerability in the web-based management interface of Cisco ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1660 (A vulnerability in the Simple Object Access Protocol (SOAP) of Cisco ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1659
RESERVED
CVE-2019-1658 (A vulnerability in the web-based management interface of Cisco Unified ...)
@@ -50092,11 +50092,11 @@ CVE-2018-7817 (A Use After Free (CWE-416) vulnerability exists in Zelio Soft 2 v
CVE-2018-7816
RESERVED
CVE-2018-7815 (A Type Confusion (CWE-843) vulnerability exists in Eurotherm by ...)
- TODO: check
+ NOT-FOR-US: Schneider Electric
CVE-2018-7814 (A Stack-based Buffer Overflow (CWE-121) vulnerability exists in ...)
- TODO: check
+ NOT-FOR-US: Schneider Electric
CVE-2018-7813 (A Type Confusion (CWE-843) vulnerability exists in Eurotherm by ...)
- TODO: check
+ NOT-FOR-US: Schneider Electric
CVE-2018-7812 (An Information Exposure through Discrepancy vulnerability exists in ...)
NOT-FOR-US: Schneider Electric
CVE-2018-7811 (An Unverified Password Change vulnerability exists in the embedded web ...)
=====================================
data/dsa-needed.txt
=====================================
@@ -27,6 +27,8 @@ glusterfs
--
graphicsmagick
--
+libu2f-host
+--
libidn
santiago proposed debdiffs for jessie and stretch
--
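Review bot: The new "libu2f-host" entry in data/dsa-needed.txt has no indented note line under it, unlike the libidn entry just below, which records who proposed debdiffs. A short note pointing at CVE-2018-20340 and bug #921726 would tell the person picking this up what the pending DSA is for.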
@@ -36,6 +38,7 @@ linux
Wait until more issues have piled up
--
mariadb-10.1
+ https://alioth-lists.debian.net/pipermail/pkg-mysql-maint/2019-February/012771.html
--
mbedtls
--
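Review bot: The note added under "mariadb-10.1" is a bare pipermail URL, so the file itself does not say what state the update is in. Adding a few words next to the link, in the style of the "Wait until more issues have piled up" note on the linux entry, would keep the list readable if the archive link stops resolving.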
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/399ca3f433566d955cac87e33e1b09b6b97e5a01...32996a859e120a75b4f5657e8a55809522188bc0