[Git][security-tracker-team/security-tracker][master] new nsd issue

Moritz Muehlenhoff jmm at debian.org
Thu Jul 4 12:10:12 BST 2019



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a2d14aed by Moritz Muehlenhoff at 2019-07-04T11:09:40Z
new nsd issue
new spring security issue
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -35,7 +35,12 @@ CVE-2019-13209
 CVE-2019-13208 (WavesSysSvc in Waves MAXX Audio allows privilege escalation because th ...)
 	NOT-FOR-US: Waves MAXX Audio
 CVE-2019-13207 (nsd-checkzone in NLnet Labs NSD 4.2.0 has a Stack-based Buffer Overflo ...)
-	TODO: check
+	- nsd <unfixed> (low)
+	[buster] - nsd <no-dsa> (Minor issue)
+	[stretch] - nsd <no-dsa> (Minor issue)
+	- nsd3 <removed>
+	NOTE: https://github.com/NLnetLabs/nsd/issues/20
+	NOTE: https://github.com/NLnetLabs/nsd/commit/91102da24d5949ccfec8fdab5bae2d01c4cabab5
 CVE-2019-13206
 	RESERVED
 CVE-2019-13205
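Review bot: the nsd entry cites the upstream fix commit but records the package as `- nsd <unfixed> (low)` with no target version, so the fixed version should replace `<unfixed>` once the upstream commit is carried into a Debian upload; until then the triage reads as consistent with the description, since nsd-checkzone is the command-line zone checker rather than the daemon, which supports the (low) rating and the no-dsa markers for buster and stretch.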
@@ -4942,7 +4947,7 @@ CVE-2019-11274
 CVE-2019-11273
 	RESERVED
 CVE-2019-11272 (Spring Security, versions 4.2.x up to 4.2.12, and older unsupported ve ...)
-	TODO: check
+	- libspring-security-2.0-java <removed>
 CVE-2019-11271 (Cloud Foundry BOSH 270.x versions prior to v270.1.1, contain a BOSH Di ...)
 	NOT-FOR-US: Cloud Foundry
 CVE-2019-11270
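Review bot: the Spring Security entry records only `- libspring-security-2.0-java <removed>` and carries no NOTE line, unlike the nsd entry earlier in this patch which cites its upstream issue and fix commit; adding a NOTE with the upstream advisory reference would document why the removed 2.0 package falls under the "older unsupported versions" in the CVE description and make the entry easier to revisit.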
@@ -9297,7 +9302,7 @@ CVE-2019-9829 (Maccms 10 allows remote attackers to execute arbitrary PHP code b
 CVE-2019-9828
 	RESERVED
 CVE-2019-9827 (Hawt Hawtio through 2.5.0 is vulnerable to SSRF, allowing a remote att ...)
-	TODO: check
+	NOT-FOR-US: Hawtio
 CVE-2019-9826 (The fulltext search component in phpBB before 3.2.6 allows Denial of S ...)
 	{DLA-1775-1}
 	- phpbb3 <removed>
@@ -24071,7 +24076,7 @@ CVE-2019-3804 (It was found that cockpit before version 184 used glib's base64 d
 CVE-2019-3803 (Pivotal Concourse, all versions prior to 4.2.2, puts the user access t ...)
 	NOT-FOR-US: Pivotal Concourse
 CVE-2019-3802 (This affects Spring Data JPA in versions up to and including 2.1.6, 2. ...)
-	TODO: check
+	NOT-FOR-US: Pivotal Spring Data JPA
 CVE-2019-3801 (Cloud Foundry cf-deployment, versions prior to 7.9.0, contain java com ...)
 	NOT-FOR-US: Cloud Foundry
 CVE-2019-3800
@@ -24569,7 +24574,7 @@ CVE-2019-3569 (HHVM, when used with FastCGI, would bind by default to all availa
 CVE-2019-3568 (A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote  ...)
 	NOT-FOR-US: Whatsapp
 CVE-2019-3567 (In some configurations an attacker can inject a new executable path in ...)
-	TODO: check
+	NOT-FOR-US: osquery
 CVE-2019-3566 (A bug in WhatsApp for Android's messaging logic would potentially allo ...)
 	NOT-FOR-US: WhatsApp for Android
 CVE-2019-3565 (Legacy C++ Facebook Thrift servers (using cpp instead of cpp2) would n ...)
@@ -25848,15 +25853,20 @@ CVE-2018-20357 (A NULL pointer dereference was discovered in sbr_process_channel
 	[stretch] - faad2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/knik0/faad2/issues/28
 CVE-2018-20356 (An invalid read of 8 bytes due to a use-after-free vulnerability in th ...)
-	TODO: check
+	NOT-FOR-US: Cesanta Mongoose
+	NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
 CVE-2018-20355 (An invalid write of 8 bytes due to a use-after-free vulnerability in t ...)
-	TODO: check
+	NOT-FOR-US: Cesanta Mongoose
+	NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
 CVE-2018-20354 (An invalid read of 8 bytes due to a use-after-free vulnerability durin ...)
-	TODO: check
+	NOT-FOR-US: Cesanta Mongoose
+	NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
 CVE-2018-20353 (An invalid read of 8 bytes due to a use-after-free vulnerability durin ...)
-	TODO: check
+	NOT-FOR-US: Cesanta Mongoose
+	NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
 CVE-2018-20352 (Use-after-free vulnerability in the mg_cgi_ev_handler function in mong ...)
-	TODO: check
+	NOT-FOR-US: Cesanta Mongoose
+	NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
 CVE-2018-20351 (The Markdown component in Evernote (Chinese) before 8.3.2 on macOS all ...)
 	NOT-FOR-US: Evernote
 CVE-2018-20350
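Review bot: the smplayer NOTE is repeated verbatim on all five Mongoose entries, and since each is closed as NOT-FOR-US the embedded copy is recorded only in free text. If the tracker should reflect that smplayer ships a (disabled) copy of Mongoose, a line such as `- smplayer <not-affected> (embedded copy unused and disabled since 18.5.0~ds1-1)` on each entry would record it in the machine-readable package field; otherwise the NOTE as written is sufficient, but it is worth stating which convention is intended so later embedded-copy findings are handled the same way.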
@@ -26592,7 +26602,7 @@ CVE-2018-20162 (Digi TransPort LR54 4.4.0.26 and possible earlier devices have I
 CVE-2018-20161 (A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.1 ...)
 	NOT-FOR-US: BlinkForHome (aka Blink For Home) Sync Module
 CVE-2018-20160 (ZxChat (aka ZeXtras Chat), as used for zimbra-chat and zimbra-talk in  ...)
-	TODO: check
+	NOT-FOR-US: ZxChat
 CVE-2018-20159 (i-doit open 1.11.2 allows Remote Code Execution because ZIP archives a ...)
 	NOT-FOR-US: i-doit
 CVE-2018-20158
@@ -29668,7 +29678,7 @@ CVE-2019-2104
 CVE-2019-2103
 	RESERVED
 CVE-2019-2102 (In the Bluetooth Low Energy (BLE) specification, there is a provided e ...)
-	TODO: check
+	NOT-FOR-US: Android
 CVE-2019-2101 (In uvc_parse_standard_control of uvc_driver.c, there is a possible out ...)
 	- linux <undetermined>
 	NOTE: https://source.android.com/security/bulletin/2019-06-01
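Review bot: CVE-2019-2102 is closed as NOT-FOR-US: Android, but its description attributes the issue to the Bluetooth Low Energy specification rather than to Android-specific code. A specification-level weakness can be reproduced by other BLE implementations, so it is worth confirming that Debian's Bluetooth packages are not affected before this is settled as NOT-FOR-US, and recording that check in a NOTE line as the neighbouring CVE-2019-2101 entry does.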
@@ -29676,25 +29686,25 @@ CVE-2019-2101 (In uvc_parse_standard_control of uvc_driver.c, there is a possibl
 CVE-2019-2100
 	RESERVED
 CVE-2019-2099 (In nfa_rw_store_ndef_rx_buf of nfa_rw_act.cc, there is a possible out- ...)
-	TODO: check
+	NOT-FOR-US: Android
 CVE-2019-2098 (In areNotificationsEnabledForPackage of NotificationManagerService.jav ...)
-	TODO: check
+	NOT-FOR-US: Android
 CVE-2019-2097 (In HAliasAnalyzer.Query of hydrogen-alias-analysis.h, there is possibl ...)
-	TODO: check
+	NOT-FOR-US: Android
 CVE-2019-2096 (In EffectRelease of EffectBundle.cpp, there is a possible memory corru ...)
-	TODO: check
+	NOT-FOR-US: Android
 CVE-2019-2095 (In callGenIDChangeListeners and related functions of SkPixelRef.cpp, t ...)
-	TODO: check
+	NOT-FOR-US: Android
 CVE-2019-2094 (In parseMPEGCCData of NuPlayerCCDecoder.cpp, there is a possible out o ...)
-	TODO: check
+	NOT-FOR-US: Android
 CVE-2019-2093 (In huff_dec_1D of nlc_dec.cpp, there is a possible out of bounds write ...)
-	TODO: check
+	NOT-FOR-US: Android
 CVE-2019-2092 (In isSeparateProfileChallengeAllowed of DevicePolicyManagerService.jav ...)
-	TODO: check
+	NOT-FOR-US: Android
 CVE-2019-2091 (In GetPermittedAccessibilityServicesForUser of DevicePolicyManagerServ ...)
-	TODO: check
+	NOT-FOR-US: Android
 CVE-2019-2090 (In isPackageDeviceAdminOnAnyUser of PackageManagerService.java, there  ...)
-	TODO: check
+	NOT-FOR-US: Android
 CVE-2019-2089
 	RESERVED
 CVE-2019-2088
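Review bot: all ten entries in this hunk are closed as NOT-FOR-US: Android on the strength of the June Android bulletin, but several descriptions name source files from components that also ship outside Android (hydrogen-alias-analysis.h and SkPixelRef.cpp, for example) rather than Android framework code such as DevicePolicyManagerService.java. A quick check that no Debian package carries the same code would back the blanket NOT-FOR-US, and a NOTE pointing at the bulletin, as the CVE-2019-2101 entry already has, would make the basis for the triage visible.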



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a2d14aed41a289ba2e8630d4d29033268b6b58ce
