[Git][security-tracker-team/security-tracker][master] xpdf triage
Moritz Muehlenhoff
jmm at debian.org
Tue Jul 2 12:12:33 BST 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
696c4a8d by Moritz Muehlenhoff at 2019-07-02T11:12:03Z
xpdf triage
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -247,7 +247,7 @@ CVE-2019-13052 (Logitech Unifying devices allow live decryption if the pairing o
CVE-2019-13051
RESERVED
CVE-2019-13050 (Interaction between the sks-keyserver code through 1.2.0 of the SKS ke ...)
- TODO: check
+ NOT-FOR-US: Conceptual weakness in PGP keyserver design
CVE-2019-13049 (An integer wrap in kernel/sys/syscall.c in ToaruOS 1.10.10 allows user ...)
NOT-FOR-US: ToaruOS
CVE-2019-13048 (kernel/sys/syscall.c in ToaruOS through 1.10.9 allows a denial of serv ...)
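Review bot: the NOT-FOR-US rationale for CVE-2019-13050 (`+ NOT-FOR-US: Conceptual weakness in PGP keyserver design`) does not record which Debian packages were considered; the description names sks-keyserver code through 1.2.0 (packaged in Debian as sks), so if the issue is judged a design limitation rather than a fixable packaging bug the entry would be clearer as a package line with a tag and reason (e.g. `- sks <unimportant> (design weakness of the keyserver model, no upstream fix)`) or at least a NOTE stating that assessment, so the triage can be re-checked if upstream mitigations appear.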
@@ -307,7 +307,7 @@ CVE-2019-13026
CVE-2019-13025
RESERVED
CVE-2019-13024 (Centreon V19.04 allows the attacker to execute arbitrary system comman ...)
- TODO: check
+ NOT-FOR-US: Centreon
CVE-2019-13023
RESERVED
CVE-2019-13022
@@ -439,7 +439,7 @@ CVE-2019-12970 (XSS was discovered in SquirrelMail through 1.4.22 and 1.5.x thro
CVE-2019-12969
RESERVED
CVE-2019-12968 (A vulnerability was found in the Sonic Robo Blast 2 (SRB2) plugin (EP_ ...)
- TODO: check
+ NOT-FOR-US: Sonic Robo Blast 2
CVE-2019-12967
RESERVED
CVE-2019-12966 (FeHelper through 2019-06-19 allows arbitrary code execution during a J ...)
@@ -482,9 +482,12 @@ CVE-2019-12960 (LiveZilla Server before 8.0.1.1 is vulnerable to SQL Injection i
CVE-2019-12959
RESERVED
CVE-2019-12958 (In Xpdf 4.01.01, a heap-based buffer over-read could be triggered in F ...)
- TODO: check
+ - xpdf <not-affected> (xpdf in Debian uses poppler, which is fixed)
+ NOTE: CVE-2017-14976 in poppler
CVE-2019-12957 (In Xpdf 4.01.01, a buffer over-read could be triggered in FoFiType1C:: ...)
- TODO: check
+ - xpdf <not-affected> (xpdf in Debian uses poppler, which is fixed)
+ - poppler 0.22.5-4
+ NOTE: poppler fix: https://gitlab.freedesktop.org/poppler/poppler/commit/96931732f343d2bbda9af9488b485da031866c3b
CVE-2019-12956
RESERVED
CVE-2019-12955
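Review bot: CVE-2019-12958 ends up with no poppler line: the xpdf entry says poppler "is fixed" and the NOTE points at CVE-2017-14976, but nothing records poppler's status for this CVE itself. If it is the same bug, add a poppler line that says so, mirroring the CVE-2019-12957 entry directly below (`- poppler 0.22.5-4` plus the fix-commit NOTE), e.g. `- poppler <not-affected> (Same issue as CVE-2017-14976)` or the version that fixed it, so the cross-reference is tracked per package rather than only in a NOTE.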
@@ -496,7 +499,8 @@ CVE-2019-12953
CVE-2019-12952
RESERVED
CVE-2019-12951 (An issue was discovered in Mongoose before 6.15. The parse_mqtt() func ...)
- TODO: check
+ NOT-FOR-US: Cesanta Mongoose
+ NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
CVE-2019-12950
RESERVED
CVE-2019-12949 (In pfSense 2.4.4-p2 and 2.4.4-p3, if it is possible to trick an authen ...)
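Review bot: NOT-FOR-US does not fit an issue with a known embedded copy: the NOTE itself says smplayer carries the Mongoose code and only disabled it in 18.5.0~ds1-1, so older smplayer source still contains it. Record that as a package line with rationale (e.g. `- smplayer <unimportant> (embedded copy not built/used)`) instead of NOT-FOR-US, so the embedded copy stays visible to the tracker and gets revisited if smplayer ever builds it.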
@@ -1518,7 +1522,8 @@ CVE-2019-12517
CVE-2019-12516
RESERVED
CVE-2019-12515 (There is an out-of-bounds read vulnerability in the function FlateStre ...)
- TODO: check
+ - xpdf <not-affected> (xpdf in Debian uses poppler, which is not affected or fixed)
+ NOTE: https://github.com/PanguL4b/pocs/tree/master/xpdf/out-of-bounds-read-in-FlateStream__getChar
CVE-2019-12514
RESERVED
CVE-2019-12513
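Review bot: the rationale `(xpdf in Debian uses poppler, which is not affected or fixed)` hedges between two different states, and the entry carries no poppler line at all; decide which applies and record it, as the CVE-2019-12493 hunk does with `- poppler 0.44.0-2` and a fix-commit NOTE. The NOTE here links only a PoC tree, which documents the crash but not poppler's status; a pointer to the poppler FlateStream code or commit that was checked would make the not-affected claim verifiable later.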
@@ -1571,7 +1576,9 @@ CVE-2019-12495 (An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0
CVE-2019-12494 (In Gardener before 0.20.0, incorrect access control in seed clusters a ...)
NOT-FOR-US: Gardener
CVE-2019-12493 (A stack-based buffer over-read exists in PostScriptFunction::transform ...)
- TODO: check
+ - xpdf <not-affected> (xpdf in Debian uses poppler, which is not affected or fixed)
+ - poppler 0.44.0-2
+ NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/37840827c4073dedfd37915a74eb8fe0c44843c3
CVE-2019-12492 (Gallagher Command Centre before 7.80.939, 7.90.x before 7.90.961, and ...)
NOT-FOR-US: Gallagher Command Centre
CVE-2019-12491 (OnApp before 5.0.0-88, 5.5.0-93, and 6.0.0-196 allows an attacker to r ...)
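Review bot: the xpdf rationale here also reads `not affected or fixed` although the next line records the poppler fix (`- poppler 0.44.0-2` with the commit NOTE); change the parenthetical to `which is fixed` so it agrees with the poppler line, matching the wording used for CVE-2019-12957.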
@@ -3372,7 +3379,7 @@ CVE-2019-11772
CVE-2019-11771
RESERVED
CVE-2019-11770 (In Eclipse Buildship versions prior to 3.1.1, the build files indicate ...)
- TODO: check
+ NOT-FOR-US: Eclipse Buildship
CVE-2019-11769
RESERVED
CVE-2019-11768 (An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability ...)
@@ -5499,7 +5506,7 @@ CVE-2019-10981 (In Vijeo Citect 7.30 and 7.40, and CitectSCADA 7.30 and 7.40, a
CVE-2019-10980
RESERVED
CVE-2019-10979 (SICK MSC800 all versions prior to Version 4.0, the affected firmware v ...)
- TODO: check
+ NOT-FOR-US: SICK MSC800
CVE-2019-10978
RESERVED
CVE-2019-10977 (In Mitsubishi Electric MELSEC-Q series Ethernet module QJ71E71-100 ser ...)
@@ -9507,7 +9514,7 @@ CVE-2019-9725 (The Web manager (aka Commander) on Korenix JetPort 5601 and 5601f
CVE-2019-9724 (aquaverde Aquarius CMS through 4.3.5 allows Information Exposure throu ...)
NOT-FOR-US: aquaverde Aquarius CMS
CVE-2019-9723 (LogicalDOC Community Edition 8.x before 8.2.1 has a path traversal vul ...)
- TODO: check
+ NOT-FOR-US: LogicalDOC
CVE-2019-9722
RESERVED
CVE-2019-9721 (A denial of service in the subtitle decoder in FFmpeg 4.1 allows attac ...)
@@ -9564,9 +9571,9 @@ CVE-2019-9704 (Vixie Cron before the 3.0pl1-133 Debian package allows local user
[stretch] - cron <no-dsa> (Minor issue, will be fixed via point update)
NOTE: Fixed by: https://salsa.debian.org/debian/cron/commit/f2525567
CVE-2019-9703 (Symantec Endpoint Encryption, prior to SEE 11.3.0, may be susceptible ...)
- TODO: check
+ NOT-FOR-US: Symantec
CVE-2019-9702 (Symantec Endpoint Encryption, prior to SEE 11.3.0, may be susceptible ...)
- TODO: check
+ NOT-FOR-US: Symantec
CVE-2019-9701 (DLP 15.5 MP1 and all prior versions may be susceptible to a cross-site ...)
NOT-FOR-US: DLP (Symantec)
CVE-2019-9700
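Review bot: naming consistency: the two new lines say `NOT-FOR-US: Symantec` while the neighbouring CVE-2019-9701 entry names the product (`NOT-FOR-US: DLP (Symantec)`); since NOT-FOR-US strings are what later triagers grep for, prefer `NOT-FOR-US: Symantec Endpoint Encryption`, as in the descriptions.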
@@ -14519,15 +14526,15 @@ CVE-2019-7672 (Prima Systems FlexAir devices have Hard-coded Credentials. ...)
CVE-2019-7671 (Prima Systems FlexAir devices allow Authenticated Stored XSS. ...)
NOT-FOR-US: Prima Systems FlexAir devices
CVE-2019-7670 (Prima Systems FlexAir devices allow Authenticated Command Injection re ...)
- TODO: check
+ NOT-FOR-US: Prima Systems FlexAir devices
CVE-2019-7669 (Prima Systems FlexAir devices allow Unauthenticated Command Injection ...)
- TODO: check
+ NOT-FOR-US: Prima Systems FlexAir devices
CVE-2019-7668 (Prima Systems FlexAir devices have Default Credentials. ...)
- TODO: check
+ NOT-FOR-US: Prima Systems FlexAir devices
CVE-2019-7667 (Prima Systems FlexAir devices allow unauthenticated download of the da ...)
- TODO: check
+ NOT-FOR-US: Prima Systems FlexAir devices
CVE-2019-7666 (Prima Systems FlexAir devices allow authentication with MD5 hashes dir ...)
- TODO: check
+ NOT-FOR-US: Prima Systems FlexAir devices
CVE-2019-7665 (In elfutils 0.175, a heap-based buffer over-read was discovered in the ...)
{DLA-1689-1}
- elfutils 0.176-1 (low; bug #921880)
@@ -15723,27 +15730,27 @@ CVE-2019-7285
CVE-2019-7284
RESERVED
CVE-2019-7281 (Prima Systems FlexAir devices allow Cross-Site Request Forgery (CSRF). ...)
- TODO: check
+ NOT-FOR-US: Prima Systems FlexAir
CVE-2019-7280 (Prima Systems FlexAir devices have an Insufficient Session-ID Length. ...)
- TODO: check
+ NOT-FOR-US: Prima Systems FlexAir
CVE-2019-7279 (Optergy Proton/Enterprise devices have Hard-coded Credentials. ...)
- TODO: check
+ NOT-FOR-US: Optergy Proton
CVE-2019-7278 (Optergy Proton/Enterprise devices have an Unauthenticated SMS Sending ...)
- TODO: check
+ NOT-FOR-US: Optergy Proton
CVE-2019-7277 (Optergy Proton/Enterprise devices allow Unauthenticated Internal Netwo ...)
- TODO: check
+ NOT-FOR-US: Optergy Proton
CVE-2019-7276 (Optergy Proton/Enterprise devices allow Remote Root Code Execution via ...)
- TODO: check
+ NOT-FOR-US: Optergy Proton
CVE-2019-7275 (Optergy Proton/Enterprise devices allow Open Redirect. ...)
- TODO: check
+ NOT-FOR-US: Optergy Proton
CVE-2019-7274 (Optergy Proton/Enterprise devices allow Authenticated File Upload with ...)
- TODO: check
+ NOT-FOR-US: Optergy Proton
CVE-2019-7273 (Optergy Proton/Enterprise devices allow Cross-Site Request Forgery (CS ...)
- TODO: check
+ NOT-FOR-US: Optergy Proton
CVE-2019-7272 (Optergy Proton/Enterprise devices allow Username Disclosure. ...)
- TODO: check
+ NOT-FOR-US: Optergy Proton
CVE-2019-7271 (Nortek Linear eMerge 50P/5000P devices have Default Credentials. ...)
- TODO: check
+ NOT-FOR-US: Nortek Linear
CVE-2019-7270
RESERVED
CVE-2019-7269
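Review bot: product strings in this hunk drift from the earlier ones: `NOT-FOR-US: Prima Systems FlexAir` here versus `NOT-FOR-US: Prima Systems FlexAir devices` in the CVE-2019-7670 to CVE-2019-7666 hunk, and `Optergy Proton` / `Nortek Linear` truncate the names given in the descriptions (`Optergy Proton/Enterprise`, `Nortek Linear eMerge 50P/5000P`). Pick one string per vendor so the entries sort and grep together.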
@@ -15876,7 +15883,7 @@ CVE-2019-7217 (Citrix ShareFile through 19.1 allows User Enumeration. It is poss
CVE-2019-7216 (An issue was discovered in FileChucker 4.99e-free-e02. filechucker.cgi ...)
NOT-FOR-US: FileChucker
CVE-2019-7215 (Progress Sitefinity 10.1.6536 does not invalidate session cookies upon ...)
- TODO: check
+ NOT-FOR-US: Progress Sitefinity
CVE-2019-7214 (SmarterTools SmarterMail 16.x before build 6985 allows deserialization ...)
NOT-FOR-US: SmarterTools SmarterMail
CVE-2019-7213 (SmarterTools SmarterMail 16.x before build 6985 allows directory trave ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/696c4a8d34e28b0f4f6ca9011f00b812f8d46f32