[Git][security-tracker-team/security-tracker][master] NFUs (and some <removed> entries no longer present in any suite)

Moritz Muehlenhoff jmm at debian.org
Wed Jan 16 19:39:20 GMT 2019


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ea6e94de by Moritz Muehlenhoff at 2019-01-16T19:38:13Z
NFUs (and some <removed> entries no longer present in any suite)
new libsass issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -262,7 +262,7 @@ CVE-2018-20720 (ABB Relion 630 devices 1.1 before 1.1.0.C0, 1.2 before 1.2.0.B3,
 CVE-2016-10738 (Zenbership v107 has CSRF via admin/cp-functions/event-add.php. ...)
 	NOT-FOR-US: Zenbership
 CVE-2016-10737 (Serendipity 2.0.4 has XSS via the serendipity_admin.php ...)
-	TODO: check
+	- serendipity <removed>
 CVE-2019-XXXX [instability and crash due to crafted message flooding]
 	- mumble 1.3.0~git20190114.9fcc588+dfsg-1 (bug #919249)
 	NOTE: https://github.com/mumble-voip/mumble/issues/3505
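Review bot: the new `- serendipity <removed>` line for CVE-2016-10737 carries no NOTE reference, unlike the neighbouring entries (the mumble entry right below cites its upstream issue). A <removed> entry still shows up in the tracker's public view, so consider adding a NOTE with the upstream fix or advisory, so a later triager can confirm which Serendipity release closed the XSS without redoing the check.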
@@ -361,7 +361,9 @@ CVE-2019-6288
 CVE-2019-6287
 	RESERVED
 CVE-2019-6286 (In LibSass 3.5.5, a heap-based buffer over-read exists in ...)
-	TODO: check
+	- libsass <unfixed> (low)
+	[stretch] - libsass <no-dsa> (Minor issue)
+	NOTE: https://github.com/sass/libsass/issues/2815
 CVE-2019-6285 (The SingleDocParser::HandleFlowSequence function in yaml-cpp (aka ...)
 	- yaml-cpp <unfixed> (bug #919432)
 	[stretch] - yaml-cpp <no-dsa> (Minor issue)
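Review bot: CVE-2019-6286 is marked `libsass <unfixed> (low)` but, unlike the yaml-cpp entry directly below it (`- yaml-cpp <unfixed> (bug #919432)`), no Debian bug number is recorded on the unfixed line. If a bug has been or will be filed against libsass, add `(bug #...)` there so the tracker links the two; otherwise the stretch no-dsa line on its own gives the package maintainer nothing to act on.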
@@ -369,9 +371,13 @@ CVE-2019-6285 (The SingleDocParser::HandleFlowSequence function in yaml-cpp (aka
 	[stretch] - yaml-cpp0.3 <no-dsa> (Minor issue)
 	NOTE: https://github.com/jbeder/yaml-cpp/issues/660
 CVE-2019-6284 (In LibSass 3.5.5, a heap-based buffer over-read exists in ...)
-	TODO: check
+	- libsass <unfixed> (low)
+	[stretch] - libsass <no-dsa> (Minor issue)
+	NOTE: https://github.com/sass/libsass/issues/2816
 CVE-2019-6283 (In LibSass 3.5.5, a heap-based buffer over-read exists in ...)
-	TODO: check
+	- libsass <unfixed> (low)
+	[stretch] - libsass <no-dsa> (Minor issue)
+	NOTE: https://github.com/sass/libsass/issues/2814
 CVE-2019-6282
 	RESERVED
 CVE-2019-6281
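Review bot: the three libsass entries touched in this commit (CVE-2019-6286, CVE-2019-6284, CVE-2019-6283) have identical truncated descriptions and are mapped to upstream issues 2815, 2816 and 2814 respectively; the mapping is not monotonic (6284 points at 2816, 6283 at 2814), so please double-check each NOTE URL against the full CVE text before merging, since a swapped link sends the maintainer to the wrong reproducer. The same remark as for CVE-2019-6286 applies here about the missing `(bug #...)` reference on the unfixed lines.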
@@ -422,13 +428,13 @@ CVE-2019-6266
 CVE-2019-6265
 	RESERVED
 CVE-2019-6264 (An issue was discovered in Joomla! before 3.9.2. Inadequate escaping in ...)
-	TODO: check
+	NOT-FOR-US: Joomla
 CVE-2019-6263 (An issue was discovered in Joomla! before 3.9.2. Inadequate checks of ...)
-	TODO: check
+	NOT-FOR-US: Joomla
 CVE-2019-6262 (An issue was discovered in Joomla! before 3.9.2. Inadequate checks of ...)
-	TODO: check
+	NOT-FOR-US: Joomla
 CVE-2019-6261 (An issue was discovered in Joomla! before 3.9.2. Inadequate escaping in ...)
-	TODO: check
+	NOT-FOR-US: Joomla
 CVE-2019-6260
 	RESERVED
 CVE-2019-6259 (An issue was discovered in idreamsoft iCMS V7.0.13. There is SQL ...)
@@ -6133,13 +6139,13 @@ CVE-2019-3559
 CVE-2019-3558
 	RESERVED
 CVE-2019-3557 (The implementations of streams for bz2 and php://output improperly ...)
-	TODO: check
+	 - hhvm <removed>
 CVE-2019-3556
 	RESERVED
 CVE-2019-3555
 	RESERVED
 CVE-2019-3554 (Wangle's AcceptRoutingHandler incorrectly casts a socket when ...)
-	TODO: check
+	NOT-FOR-US: Facebook Wangle
 CVE-2019-3553
 	RESERVED
 CVE-2019-3552
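Review bot: the hhvm line is written as `\t - hhvm <removed>` with a stray space between the tab and the dash, whereas every other package line in this file uses `\t- package`; drop the space so the line is parsed and grepped like the rest. CVE-2019-3557 also gets a <removed> state without a NOTE pointing at the upstream fix; consider adding one, as was done for the libsass entries in this same commit.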
@@ -19773,65 +19779,65 @@ CVE-2019-0032
 CVE-2019-0031
 	RESERVED
 CVE-2019-0030 (Juniper ATP uses DES and a hardcoded salt for password hashing, ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0029 (Juniper ATP Series Splunk credentials are logged in a file readable by ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0028
 	RESERVED
 CVE-2019-0027 (A persistent cross-site scripting (XSS) vulnerability in the Snort ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0026 (A persistent cross-site scripting (XSS) vulnerability in the Zone ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0025 (A persistent cross-site scripting (XSS) vulnerability in RADIUS ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0024 (A persistent cross-site scripting (XSS) vulnerability in the Email ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0023 (A persistent cross-site scripting (XSS) vulnerability in the Golden VM ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0022 (Juniper ATP ships with hard coded credentials in the Cyphort Core ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0021 (On Juniper ATP, secret passphrase CLI inputs, such as "set mcm", are ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0020 (Juniper ATP ships with hard coded credentials in the Web Collector ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0019
 	RESERVED
 CVE-2019-0018 (A persistent cross-site scripting (XSS) vulnerability in the file ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0017 (The Junos Space application, which allows Device Image files to be ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0016 (A malicious authenticated user may be able to delete a device from the ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0015 (A vulnerability in the SRX Series Service Gateway allows deleted ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0014 (On QFX and PTX Series, receipt of a malformed packet for J-Flow ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0013 (The routing protocol daemon (RPD) process will crash and restart when ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0012 (A Denial of Service (DoS) vulnerability in BGP in Juniper Networks ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0011 (The Junos OS kernel crashes after processing a specific incoming ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0010 (An SRX Series Service Gateway configured for Unified Threat Management ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0009 (On EX2300 and EX3400 series, high disk I/O operations may disrupt the ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0008
 	RESERVED
 CVE-2019-0007 (The vMX Series software uses a predictable IP ID Sequence Number. This ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0006 (A certain crafted HTTP packet can trigger an uninitialized function ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0005 (On EX2300, EX3400, EX4600, QFX3K and QFX5K series, firewall filter ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0004 (On Juniper ATP, the API key and the device key are logged in a file ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0003 (When a specific BGP flowspec configuration is enabled and upon receipt ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0002 (On EX2300 and EX3400 series, stateless firewall filter configuration ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2019-0001 (Receipt of a malformed packet on MX Series devices with dynamic vlan ...)
-	TODO: check
+	NOT-FOR-US: Juniper
 CVE-2018-18250 (Icinga Web 2 before 2.6.2 allows parameters that break navigation ...)
 	- icingaweb2 2.6.2-1
 	NOTE: https://herolab.usd.de/wp-content/uploads/sites/4/2018/12/usd20180030.txt
@@ -24962,7 +24968,7 @@ CVE-2018-16208
 CVE-2018-16207
 	RESERVED
 CVE-2018-16206 (Cross-site scripting vulnerability in WordPress plugin spam-byebye ...)
-	TODO: check
+	NOT-FOR-US: Wordpress plugin
 CVE-2018-16205 (Cross-site scripting vulnerability in GROWI v3.2.3 and earlier allows ...)
 	NOT-FOR-US: GROWI
 CVE-2018-16204 (Cross-site scripting vulnerability in Google XML Sitemaps Version ...)
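Review bot: `NOT-FOR-US: Wordpress plugin` for CVE-2018-16206 should use the product's own spelling and name the plugin, i.e. `NOT-FOR-US: WordPress plugin spam-byebye`, in line with the neighbouring entries that name the affected product (GROWI, Google XML Sitemaps), so that a later search by plugin name finds the entry.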
@@ -24982,7 +24988,7 @@ CVE-2018-16198 (Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home g
 CVE-2018-16197 (Toshiba Home gateway HEM-GW16A 1.2.9 and earlier, Toshiba Home gateway ...)
 	NOT-FOR-US: Toshiba
 CVE-2018-16196 (Multiple Yokogawa products that contain Vnet/IP Open Communication ...)
-	TODO: check
+	NOT-FOR-US: Yokogawa
 CVE-2018-16195 (Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware Ver1.1.1 ...)
 	NOT-FOR-US: Aterm firmware
 CVE-2018-16194 (Aterm WF1200CR and Aterm WG1200CR (Aterm WF1200CR firmware Ver1.1.1 ...)
@@ -25012,23 +25018,23 @@ CVE-2018-16183 (An unquoted search path vulnerability in some pre-installed ...)
 CVE-2018-16182 (Untrusted search path vulnerability in the installer of MARKET SPEED ...)
 	NOT-FOR-US: MARKET SPEED
 CVE-2018-16181 (HTTP header injection vulnerability in i-FILTER Ver.9.50R05 and ...)
-	TODO: check
+	NOT-FOR-US: i-FILTER
 CVE-2018-16180 (Cross-site scripting vulnerability in i-FILTER Ver.9.50R05 and earlier ...)
-	TODO: check
+	NOT-FOR-US: i-FILTER
 CVE-2018-16179 (The Mizuho Direct App for Android version 3.13.0 and earlier does not ...)
 	NOT-FOR-US: Mizuho Direct App for Android
 CVE-2018-16178 (Cybozu Garoon 3.0.0 to 4.10.0 allows remote attackers to bypass access ...)
 	NOT-FOR-US: Cybozu Garoon
 CVE-2018-16177 (Untrusted search path vulnerability in The installer of Windows10 Fall ...)
-	TODO: check
+	NOT-FOR-US: Random Windows installer
 CVE-2018-16176 (Untrusted search path vulnerability in Installer of Mapping Tool ...)
-	TODO: check
+	NOT-FOR-US: Random Windows installer
 CVE-2018-16175 (SQL injection vulnerability in the LearnPress prior to version 3.1.0 ...)
-	TODO: check
+	NOT-FOR-US: LearnPress
 CVE-2018-16174 (Open redirect vulnerability in LearnPress prior to version 3.1.0 ...)
-	TODO: check
+	NOT-FOR-US: LearnPress
 CVE-2018-16173 (Cross-site scripting vulnerability in LearnPress prior to version ...)
-	TODO: check
+	NOT-FOR-US: LearnPress
 CVE-2018-16172 (Improper countermeasure against clickjacking attack in client ...)
 	NOT-FOR-US: Cybozu Remote Service
 CVE-2018-16171 (Directory traversal vulnerability in Cybozu Remote Service 3.0.0 to ...)
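Review bot: `NOT-FOR-US: Random Windows installer` for CVE-2018-16177 and CVE-2018-16176 is less specific than the file's convention of naming the affected product (compare `NOT-FOR-US: MARKET SPEED` a few lines above for the same class of untrusted-search-path installer bug). Use the product named in each CVE description (the installer from the Windows10 Fall description and the Mapping Tool installer) so lookups by product name match.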
@@ -25038,15 +25044,15 @@ CVE-2018-16170 (Directory traversal vulnerability in Cybozu Remote Service 3.0.0
 CVE-2018-16169 (Cybozu Remote Service 3.0.0 to 3.1.0 allows remote authenticated ...)
 	NOT-FOR-US: Cybozu Remote Service
 CVE-2018-16168 (LogonTracer 1.2.0 and earlier allows remote attackers to conduct ...)
-	TODO: check
+	NOT-FOR-US: LogonTracer
 CVE-2018-16167 (LogonTracer 1.2.0 and earlier allows remote attackers to execute ...)
-	TODO: check
+	NOT-FOR-US: LogonTracer
 CVE-2018-16166 (LogonTracer 1.2.0 and earlier allows remote attackers to conduct XML ...)
-	TODO: check
+	NOT-FOR-US: LogonTracer
 CVE-2018-16165 (Cross-site scripting vulnerability in LogonTracer 1.2.0 and earlier ...)
-	TODO: check
+	NOT-FOR-US: LogonTracer
 CVE-2018-16164 (Cross-site scripting vulnerability in Event Calendar WD version 1.1.21 ...)
-	TODO: check
+	NOT-FOR-US: Event Calendar WD
 CVE-2018-16163 (OpenDolphin 2.7.0 and earlier allows authenticated attackers to bypass ...)
 	NOT-FOR-US: OpenDolphin
 CVE-2018-16162 (OpenDolphin 2.7.0 and earlier allows authenticated attackers to obtain ...)
@@ -26892,7 +26898,7 @@ CVE-2018-15465 (A vulnerability in the authorization subsystem of Cisco Adaptive
 CVE-2018-15464 (A vulnerability in Cisco 900 Series Aggregation Services Router (ASR) ...)
 	NOT-FOR-US: Cisco
 CVE-2018-15463 (A vulnerability in the web-based management interface of Cisco ...)
-	TODO: check
+	NOT-FOR-US: Cisco
 CVE-2018-15462
 	RESERVED
 CVE-2018-15461 (A vulnerability in the MyWebex component of Cisco Webex Business Suite ...)
@@ -26938,7 +26944,7 @@ CVE-2018-15442 (A vulnerability in the update service of Cisco Webex Meetings De
 CVE-2018-15441 (A vulnerability in the web framework code of Cisco Prime License ...)
 	NOT-FOR-US: Cisco
 CVE-2018-15440 (A vulnerability in the web-based management interface of Cisco ...)
-	TODO: check
+	NOT-FOR-US: Cisco
 CVE-2018-15439 (A vulnerability in the Cisco Small Business Switches software could ...)
 	NOT-FOR-US: Cisco
 CVE-2018-15438 (A vulnerability in the web-based management interface of Cisco Prime ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ea6e94de470bbd64eccdfb721e6f11f35bc0a258
