[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Thu Jan 17 08:10:24 GMT 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
569788a6 by security tracker role at 2019-01-17T08:10:10Z
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,61 @@
+CVE-2019-6483
+ RESERVED
+CVE-2019-6482
+ RESERVED
+CVE-2019-6481
+ RESERVED
+CVE-2019-6480
+ RESERVED
+CVE-2019-6479
+ RESERVED
+CVE-2019-6478
+ RESERVED
+CVE-2019-6477
+ RESERVED
+CVE-2019-6476
+ RESERVED
+CVE-2019-6475
+ RESERVED
+CVE-2019-6474
+ RESERVED
+CVE-2019-6473
+ RESERVED
+CVE-2019-6472
+ RESERVED
+CVE-2019-6471
+ RESERVED
+CVE-2019-6470
+ RESERVED
+CVE-2019-6469
+ RESERVED
+CVE-2019-6468
+ RESERVED
+CVE-2019-6467
+ RESERVED
+CVE-2019-6466
+ RESERVED
+CVE-2019-6465
+ RESERVED
+CVE-2019-6464
+ RESERVED
+CVE-2019-6463
+ RESERVED
+CVE-2018-20733 (BI Web Services in SAS Web Infrastructure Platform before 9.4M6 allows ...)
+ TODO: check
+CVE-2018-20732 (SAS Web Infrastructure Platform before 9.4M6 allows remote attackers to ...)
+ TODO: check
+CVE-2018-20731 (A stored cross site scripting (XSS) vulnerability in NeDi before 1.7Cp3 ...)
+ TODO: check
+CVE-2018-20730 (A SQL injection vulnerability in NeDi before 1.7Cp3 allows any user to ...)
+ TODO: check
+CVE-2018-20729 (A reflected cross site scripting (XSS) vulnerability in NeDi before ...)
+ TODO: check
+CVE-2018-20728 (A cross site request forgery (CSRF) vulnerability in NeDi before 1.7Cp3 ...)
+ TODO: check
+CVE-2018-20727 (Multiple command injection vulnerabilities in NeDi before 1.7Cp3 allow ...)
+ TODO: check
+CVE-2015-9281 (Logon Manager in SAS Web Infrastructure Platform before 9.4M3 allows ...)
+ TODO: check
CVE-2019-6462 (An issue was discovered in cairo 1.16.0. There is an infinite loop in ...)
- cairo <unfixed>
NOTE: https://gitlab.freedesktop.org/cairo/cairo/issues/353
@@ -18266,12 +18324,12 @@ CVE-2018-18816
RESERVED
CVE-2018-18815
RESERVED
-CVE-2018-18814
- RESERVED
-CVE-2018-18813
- RESERVED
-CVE-2018-18812
- RESERVED
+CVE-2018-18814 (The TIBCO Spotfire authentication component of TIBCO Software Inc.'s ...)
+ TODO: check
+CVE-2018-18813 (The Spotfire web server component of TIBCO Software Inc.'s TIBCO ...)
+ TODO: check
+CVE-2018-18812 (The Spotfire Library component of TIBCO Software Inc.'s TIBCO Spotfire ...)
+ TODO: check
CVE-2018-18811
RESERVED
CVE-2018-18810 (The Administrator Service component of TIBCO Software Inc.'s TIBCO ...)
@@ -21773,6 +21831,7 @@ CVE-2018-17461 (An out of bounds read in PDFium in Google Chrome prior to 68.0.3
CVE-2018-17460
RESERVED
CVE-2018-17457 (An object lifecycle issue in Blink could lead to a use after free in ...)
+ {DSA-4289-1}
- chromium-browser 69.0.3497.81-1
[jessie] - chromium-browser <end-of-life> (End of life, see DSA 4020)
CVE-2018-17456 (Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x ...)
@@ -26119,8 +26178,8 @@ CVE-2018-15784
RESERVED
CVE-2018-15783
REJECTED
-CVE-2018-15782
- RESERVED
+CVE-2018-15782 (The Quick Setup component of RSA Authentication Manager versions prior ...)
+ TODO: check
CVE-2018-15781
RESERVED
CVE-2018-15780 (RSA Archer versions prior to 6.5.0.1 contain an improper access ...)
@@ -53796,40 +53855,34 @@ CVE-2018-5742 [Crash from assertion error when debug log level is 10 and log ent
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1655844
NOTE: https://bugs.centos.org/view.php?id=15528
NOTE: Introduced by https://bugzilla.redhat.com/show_bug.cgi?id=1452091
-CVE-2018-5741 [Update policies krb5-subdomain and ms-subdomain]
- RESERVED
+CVE-2018-5741 (To provide fine-grained controls over the ability to use Dynamic DNS ...)
- bind9 1:9.11.5+dfsg-1 (unimportant)
NOTE: https://kb.isc.org/docs/cve-2018-5741
NOTE: No code fix provided; Incorrect documentation of krb5-subdomain and ms-subdomain update policies.
NOTE: Will be adressed in 9.11.5, 9.12.3
-CVE-2018-5740 [A flaw in the "deny-answer-aliases" feature can cause an INSIST assertion failure in named]
- RESERVED
+CVE-2018-5740 ("deny-answer-aliases" is a little-used feature intended to help ...)
{DLA-1485-1}
- bind9 1:9.11.4.P1+dfsg-1 (bug #905743)
[stretch] - bind9 <postponed> (Can be fixed along in the next DSA)
NOTE: https://kb.isc.org/article/AA-01639/74/CVE-2018-5740
NOTE: https://gitlab.isc.org/isc-projects/bind9/merge_requests/607/commits
-CVE-2018-5739 [failure to release memory may exhaust system resources]
- RESERVED
+CVE-2018-5739 (An extension to hooks capabilities which debuted in Kea 1.4.0 ...)
- isc-kea <not-affected> (Vulnerable code introduced in Kea 1.4.0)
NOTE: https://kb.isc.org/article/AA-01626
NOTE: 1.4.0-1 was uploaded to experimental as https://tracker.debian.org/news/973011
NOTE: Tracking bug as #903729 with RC severity so this version does
NOTE: not enter unstable without fix.
-CVE-2018-5738 [Some versions of BIND can improperly permit recursive query service to unauthorized clients]
- RESERVED
+CVE-2018-5738 (Change #4777 (introduced in October 2017) introduced an unforeseen ...)
- bind9 1:9.11.3+dfsg-2 (bug #901483)
[stretch] - bind9 <not-affected> (Vulnerable code introduced later)
[jessie] - bind9 <not-affected> (Vulnerable code introduced later)
NOTE: Introduced by upstream change #4777
NOTE: Introduced by: https://gitlab.isc.org/isc-projects/bind9/commit/89636d8f305956ad42e95a988502c7345e85ffe1
NOTE: https://kb.isc.org/article/AA-01616/0/CVE-2018-5738
-CVE-2018-5737 [serve-stale implementation can cause an assertion failure in rbtdb.c or other undesirable behavior, even if serve-stale is not enabled.]
- RESERVED
+CVE-2018-5737 (A problem with the implementation of the new serve-stale feature in ...)
- bind9 <not-affected> (only affects 9.12, not yet packaged)
NOTE: https://kb.isc.org/article/AA-01606
-CVE-2018-5736 [Multiple transfers of a zone in quick succession can cause an assertion failure in rbtdb.c]
- RESERVED
+CVE-2018-5736 (An error in zone database reference counting can lead to an assertion ...)
- bind9 <not-affected> (only affects 9.12, not yet packaged)
NOTE: https://kb.isc.org/article/AA-01602
CVE-2018-5735 [assertion failure in validator.c:1858]
@@ -53840,12 +53893,10 @@ CVE-2018-5735 [assertion failure in validator.c:1858]
NOTE: Mark as fixed version the 1:9.9.3.dfsg.P2-1 as the related code was
NOTE: added upstream in 9.9.3b1. The issue though does not affect bind9 upstream
NOTE: and is only triggered as described in #889285.
-CVE-2018-5734 [A malformed request can trigger an assertion failure in badcache.c]
- RESERVED
+CVE-2018-5734 (While handling a particular type of malformed packet BIND erroneously ...)
- bind9 <not-affected> (Only affects Supported Preview Edition/Subscription Edition)
NOTE: https://kb.isc.org/article/AA-01562/74/CVE-2018-5734
-CVE-2018-5733 [A malicious client can overflow a reference counter in ISC dhcpd]
- RESERVED
+CVE-2018-5733 (A malicious client which is allowed to send very large amounts of ...)
{DSA-4133-1 DLA-1313-1}
- isc-dhcp 4.3.5-3.1 (bug #891785)
NOTE: https://kb.isc.org/article/AA-01567/75/CVE-2018-5733
@@ -67857,7 +67908,7 @@ CVE-2017-17199 (Huawei DP300 V500R002C00; RP200 V500R002C00; V600R006C00; TE30 .
CVE-2017-17198
RESERVED
CVE-2017-17197
- RESERVED
+ REJECTED
CVE-2017-17196
RESERVED
CVE-2017-17195
@@ -113494,15 +113545,13 @@ CVE-2017-3147
RESERVED
CVE-2017-3146
RESERVED
-CVE-2017-3145 [Improper fetch cleanup sequencing in the resolver can cause named to crash]
- RESERVED
+CVE-2017-3145 (BIND was improperly sequencing cleanup operations on upstream ...)
{DSA-4089-1 DLA-1255-1}
- bind9 1:9.11.2.P1-1
NOTE: https://kb.isc.org/article/AA-01542
NOTE: Fixed by (master): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=053b51c4dbd28f6e4de71ce4268a6f606025d76d
NOTE: Fixed by (9.10.6-P1): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=55baf7d7e25c0e6444cb7e415f14d9e0819b5508
-CVE-2017-3144 [dhcp: omapi code doesn't free socket descriptors when empty message is received allowing denial-of-service]
- RESERVED
+CVE-2017-3144 (A vulnerability stemming from failure to properly clean up closed ...)
{DSA-4133-1}
- isc-dhcp 4.3.5-3.1 (bug #887413)
[wheezy] - isc-dhcp <no-dsa> (Minor issue)
@@ -113510,24 +113559,20 @@ CVE-2017-3144 [dhcp: omapi code doesn't free socket descriptors when empty messa
NOTE: https://bugs.isc.org/Public/Bug/Display.html?id=46767
NOTE: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=1a6b62fe17a42b00fa234d06b6dfde3d03451894
NOTE: Fixes for 4.3.6p1: https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=99a25aedea02d9c259cb8fabf4be700fb32571a3
-CVE-2017-3143 [An error in TSIG authentication can permit unauthorized dynamic updates]
- RESERVED
+CVE-2017-3143 (An attacker who is able to send and receive messages to an ...)
{DSA-3904-1 DLA-1025-1}
- bind9 1:9.10.3.dfsg.P4-12.4 (bug #866564)
NOTE: https://kb.isc.org/article/AA-01503
NOTE: Fixed by (master): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=581c1526ab0f74a177980da9ff0514f795ed8669
-CVE-2017-3142 [An error in TSIG authentication can permit unauthorized zone transfers]
- RESERVED
+CVE-2017-3142 (An attacker who is able to send and receive messages to an ...)
{DSA-3904-1 DLA-1025-1}
- bind9 1:9.10.3.dfsg.P4-12.4 (bug #866564)
NOTE: https://kb.isc.org/article/AA-01504
NOTE: Fixed by (master): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=581c1526ab0f74a177980da9ff0514f795ed8669
-CVE-2017-3141
- RESERVED
+CVE-2017-3141 (The BIND installer on Windows uses an unquoted service path which can ...)
- bind9 <not-affected> (Affects only Windows systems)
NOTE: https://kb.isc.org/article/AA-01496
-CVE-2017-3140 [An error processing RPZ rules can cause named to loop endlessly after handling a query]
- RESERVED
+CVE-2017-3140 (If named is configured to use Response Policy Zones (RPZ) an error ...)
- bind9 <not-affected> (Upstream change #4377 not backported/included)
NOTE: https://kb.isc.org/article/AA-01495
NOTE: Fixed by (master): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=2648c49be78568ba9f4123d22122f2a649e2e1b7
@@ -113537,8 +113582,7 @@ CVE-2017-3140 [An error processing RPZ rules can cause named to loop endlessly a
CVE-2017-3139
RESERVED
- bind9 <not-affected> (RHEL6 specific)
-CVE-2017-3138 [named exits with a REQUIRE assertion failure if it receives a null command string on its control channel]
- RESERVED
+CVE-2017-3138 (named contains a feature which allows operators to issue commands to a ...)
{DSA-3854-1 DLA-957-1}
- bind9 1:9.10.3.dfsg.P4-12.3 (bug #860226)
NOTE: https://kb.isc.org/article/AA-01471
@@ -113548,8 +113592,7 @@ CVE-2017-3138 [named exits with a REQUIRE assertion failure if it receives a nul
NOTE: commands was added only in 9.11.0 and before existing commands permitted
NOTE: over the control channel were already be given to cause the server to stop.
NOTE: The CVE-2017-3138 is barely an issue in practice anyway.
-CVE-2017-3137 [A response packet can cause a resolver to terminate when processing an answer containing a CNAME or DNAME]
- RESERVED
+CVE-2017-3137 (Mistaken assumptions about the ordering of records in the answer ...)
{DSA-3854-1 DLA-957-1}
- bind9 1:9.10.3.dfsg.P4-12.3 (bug #860225)
NOTE: https://kb.isc.org/article/AA-01466
@@ -113557,14 +113600,12 @@ CVE-2017-3137 [A response packet can cause a resolver to terminate when processi
NOTE: Fixed by (9.10.x): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=69fd759b4aa02047e42e5cf4227f8257c4547988
NOTE: Fixed by (9.10.x): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=6841d7b854c15df9ec56cab38da201b315bbcabb (reimplentation)
NOTE: Fixed by (9.10.x): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=7ab9e8e00775782d474522a5b2bffba8daefefa5 (regression fix)
-CVE-2017-3136 [An error handling synthesized records could cause an assertion failure when using DNS64 with "break-dnssec yes;"]
- RESERVED
+CVE-2017-3136 (A query with a specific set of characteristics could cause a server ...)
{DSA-3854-1 DLA-957-1}
- bind9 1:9.10.3.dfsg.P4-12.3 (bug #860224)
NOTE: https://kb.isc.org/article/AA-01465
NOTE: Fixed by (9.10.x): https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commitdiff;h=764240ca07ab1b796226d5402ccd9fbfa77ec32a
-CVE-2017-3135 [Assertion failure when using DNS64 and RPZ can lead to crash]
- RESERVED
+CVE-2017-3135 (Under some conditions when using both DNS64 and RPZ to rewrite query ...)
{DSA-3795-1 DLA-843-1}
- bind9 1:9.10.3.dfsg.P4-12 (bug #855520)
NOTE: https://kb.isc.org/article/AA-01453
@@ -114044,8 +114085,7 @@ CVE-2016-9780
REJECTED
CVE-2016-9779
REJECTED
-CVE-2016-9778 [An error handling certain queries using the nxdomain-redirect feature could cause a REQUIRE assertion failure in db.c]
- RESERVED
+CVE-2016-9778 (An error in handling certain queries can cause an assertion failure ...)
- bind9 <not-affected> (Only Supported Preview Edition/Subscription Edition and 9.11.x)
NOTE: https://kb.isc.org/article/AA-01442/0
CVE-2016-9771
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/569788a63ffc07578efc2f62f60e7e7637103b58
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/569788a63ffc07578efc2f62f60e7e7637103b58
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190117/4851cf4c/attachment.html>
More information about the debian-security-tracker-commits
mailing list