[Git][security-tracker-team/security-tracker][master] new go.crypto issue
Moritz Muehlenhoff
jmm at debian.org
Thu Jul 4 14:34:51 BST 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c6171032 by Moritz Muehlenhoff at 2019-07-04T13:34:23Z
new go.crypto issue
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -3338,7 +3338,7 @@ CVE-2019-11881 (A vulnerability exists in Rancher 2.1.4 in the login component,
CVE-2019-11880 (CommSy through 8.6.5 has SQL Injection via the cid parameter. This is ...)
NOT-FOR-US: CommSy
CVE-2019-11879 (** DISPUTED ** The WEBrick gem 1.4.2 for Ruby allows directory travers ...)
- TODO: check
+ NOT-FOR-US: Non issue in webrick gem
CVE-2019-11878 (An issue was discovered on XiongMai Besder IP20H1 V4.02.R12.00035520.1 ...)
NOT-FOR-US: XiongMai Besder IP20H1 cameras
CVE-2019-11877 (XSS on the PIX-Link Repeater/Router LV-WR09 with firmware v28K.MiniRou ...)
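Review bot: the rationale "Non issue in webrick gem" asserts the report is invalid, which is a different claim from NOT-FOR-US (software not shipped by Debian), and the hunk keeps the ** DISPUTED ** marker in the description; since WEBrick is bundled with the Ruby interpreter that Debian does ship, a NOTE: line pointing at the dispute rationale (the form used elsewhere in this file, e.g. the NOTE: lines under CVE-2018-18407) would let a later triager verify why this was closed rather than tracked as <not-affected>.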
@@ -3414,7 +3414,8 @@ CVE-2019-11844 (An HTML Injection vulnerability has been discovered on the RICOH
CVE-2019-11843
RESERVED
CVE-2019-11841 (A message-forgery issue was discovered in crypto/openpgp/clearsign/cle ...)
- TODO: check
+ - golang-go.crypto <unfixed>
+ NOTE: https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442
CVE-2019-11840 (An issue was discovered in supplementary Go cryptography libraries, ak ...)
{DLA-1840-1}
- golang-go.crypto <unfixed>
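Review bot: the new `- golang-go.crypto <unfixed>` line for CVE-2019-11841 carries no severity or Debian bug reference, unlike comparable entries further down such as `- libpodofo <unfixed> (low; bug #916167)`, and no [stretch]/[buster] annotations, while the neighbouring CVE-2019-11840 already has {DLA-1840-1}; filing a bug and recording it here would keep the two go.crypto issues tracked consistently. As a general point about Go packaging (not stated in the hunk), the library is statically linked into its reverse dependencies, so a NOTE: listing the binaries that embed the clearsign code would help when the fix is uploaded.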
@@ -29993,9 +29994,9 @@ CVE-2018-20016
CVE-2018-20015 (YzmCMS v5.2 has admin/role/add.html CSRF. ...)
NOT-FOR-US: YzmCMS
CVE-2018-20014 (In UrBackup 2.2.6, an attacker can send a malformed request to the cli ...)
- TODO: check
+ NOT-FOR-US: UrBackup
CVE-2018-20013 (In UrBackup 2.2.6, an attacker can send a malformed request to the cli ...)
- TODO: check
+ NOT-FOR-US: UrBackup
CVE-2018-20012 (PHPCMF 4.1.3 has XSS via the first input field to the index.php?s=memb ...)
NOT-FOR-US: PHPCMF
CVE-2018-20011 (DomainMOD 4.11.01 has XSS via the assets/add/category.php Category Nam ...)
@@ -35852,7 +35853,7 @@ CVE-2019-0159
CVE-2019-0158 (Insufficient path checking in the installation package for Intel(R) Gr ...)
NOT-FOR-US: Intel
CVE-2019-0157 (Insufficient input validation in the Intel(R) SGX driver for Linux may ...)
- TODO: check
+ NOT-FOR-US: Intel
CVE-2019-0156
RESERVED
CVE-2019-0155
@@ -35894,7 +35895,7 @@ CVE-2019-0138 (Improper directory permissions in Intel(R) ACU Wizard version 12.
CVE-2019-0137
RESERVED
CVE-2019-0136 (Insufficient access control in the Intel(R) PROSet/Wireless WiFi Softw ...)
- TODO: check
+ NOT-FOR-US: Intel
CVE-2019-0135 (Improper permissions in the installer for Intel(R) Accelerated Storage ...)
NOT-FOR-US: Intel
CVE-2019-0134
@@ -38179,7 +38180,7 @@ CVE-2018-18427 (s-cms 3.0 allows SQL Injection via the member/post.php 0_id para
CVE-2018-18426 (s-cms 3.0 allows remote attackers to execute arbitrary PHP code by pla ...)
NOT-FOR-US: s-cms
CVE-2018-18425 (The doAirdrop function of a smart contract implementation for Primeo ( ...)
- TODO: check
+ NOT-FOR-US: Primeo
CVE-2018-18424
RESERVED
CVE-2018-18423
@@ -38228,7 +38229,7 @@ CVE-2018-18407 (A heap-based buffer over-read was discovered in the tcpreplay-ed
NOTE: https://github.com/appneta/tcpreplay/issues/488
NOTE: https://github.com/appneta/tcpreplay/commit/1d7561a4d542842a1aeabf55bfd4aaf88b3a1071
CVE-2018-18406 (An issue was discovered in Tufin SecureTrack 18.1 with TufinOS 2.16 bu ...)
- TODO: check
+ NOT-FOR-US: Tufin SecureTrack
CVE-2018-18405
RESERVED
CVE-2018-18404
@@ -41705,7 +41706,7 @@ CVE-2018-17081 (e107 2.1.9 allows CSRF via e107_admin/wmessage.php?mode=&act
CVE-2018-17080
RESERVED
CVE-2018-17079 (An issue was discovered in ZRLOG 2.0.1. There is a Stored XSS vulnerab ...)
- TODO: check
+ NOT-FOR-US: ZRLOG
CVE-2018-17078
RESERVED
CVE-2018-17077 (An issue was discovered in yiqicms through 2016-11-20. There is stored ...)
@@ -42772,11 +42773,11 @@ CVE-2018-16720
CVE-2018-16719
RESERVED
CVE-2018-16718 (An XSS vulnerability exists in wwwblast.c in the 2.0.7 through 2.2.26 ...)
- TODO: check
+ NOT-FOR-US: NCBI ToolBox
CVE-2018-16717 (A heap-based buffer overflow exists in nph-viewgif.cgi in the 2.0.7 th ...)
- TODO: check
+ NOT-FOR-US: NCBI ToolBox
CVE-2018-16716 (A path traversal vulnerability exists in viewcgi.c in the 2.0.7 throug ...)
- TODO: check
+ NOT-FOR-US: NCBI ToolBox
CVE-2018-16715 (An issue was discovered in Absolute Software CTES Windows Agent throug ...)
NOT-FOR-US: Absolute Software CTES Windows Agent
CVE-2018-16714
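Review bot: before closing all three NCBI ToolBox CVEs as NOT-FOR-US, it is worth checking whether the files named in the descriptions (wwwblast.c, nph-viewgif.cgi, viewcgi.c) are present in the NCBI C Toolkit source that Debian ships as ncbi-tools6, since a NOT-FOR-US entry removes the CVE from package-level tracking; if they are absent, a short NOTE: saying so would document the decision.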
@@ -44761,7 +44762,7 @@ CVE-2018-15915
CVE-2018-15914
RESERVED
CVE-2018-15913 (An issue was discovered in Cloudera Manager 5.x through 5.15.0. One ty ...)
- TODO: check
+ NOT-FOR-US: Cloudera
CVE-2018-15912 (An issue was discovered in manjaro-update-system.sh in manjaro-system ...)
NOT-FOR-US: manjaro-update-system.sh in manjaro-system on Manjaro Linux
CVE-2018-15919 (Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 co ...)
@@ -44830,7 +44831,7 @@ CVE-2018-15892 (FreePBX 13 and 14 has SQL Injection in the DISA module via the h
CVE-2018-15891 (An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, ...)
NOT-FOR-US: FreePBX
CVE-2018-15890 (An issue was discovered in EthereumJ 1.8.2. There is Unsafe Deserializ ...)
- TODO: check
+ NOT-FOR-US: EthereumJ
CVE-2018-15889 (In podofo 0.9.6, the function PoDoFo::PdfParser::ReadObjects() in base ...)
- libpodofo <unfixed> (low; bug #916167)
[buster] - libpodofo <no-dsa> (Minor issue)
@@ -45269,7 +45270,7 @@ CVE-2018-15749 (The Pulse Secure Desktop (macOS) 5.3RX before 5.3R5 and 9.0R1 ha
CVE-2018-15748 (On Dell 2335dn printers with Printer Firmware Version 2.70.05.02, Engi ...)
NOT-FOR-US: Dell 2335dn printers
CVE-2018-15747 (The default configuration of glot-www through 2018-05-19 allows remote ...)
- TODO: check
+ NOT-FOR-US: glot-www
CVE-2018-15746 (qemu-seccomp.c in QEMU might allow local OS guest users to cause a den ...)
- qemu 1:3.1+dfsg-1 (low; bug #907500)
[stretch] - qemu <ignored> (Minor issue, too risky to backport, not enabled by default)
@@ -45475,7 +45476,7 @@ CVE-2018-15667 (An issue was discovered in Bloop Airmail 3 3.5.9 for macOS. It r
CVE-2018-15666
RESERVED
CVE-2018-15665 (An issue was discovered in Cloudera Data Science Workbench (CDSW) 1.2. ...)
- TODO: check
+ NOT-FOR-US: Cloudera
CVE-2018-15664 (In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker ...)
- docker.io 18.09.1+dfsg1-7.1 (bug #929662)
NOTE: https://www.openwall.com/lists/oss-security/2019/05/28/1
@@ -45940,7 +45941,7 @@ CVE-2018-15508 (Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control al
CVE-2018-15507
RESERVED
CVE-2018-15506 (In BubbleUPnP 0.9 update 30, the XML parsing engine for SSDP/UPnP func ...)
- TODO: check
+ NOT-FOR-US: BubbleUPnP
CVE-2018-15505 (An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb b ...)
NOT-FOR-US: Embedthis GoAhead
CVE-2018-15504 (An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb b ...)
@@ -47347,7 +47348,7 @@ CVE-2018-14868 (Incorrect access control in the Password Encryption module in Od
CVE-2018-14867 (Incorrect access control in the portal messaging system in Odoo Commun ...)
NOT-FOR-US: Odoo
CVE-2018-14866 (Incorrect access control in the TransientModel framework in Odoo Commu ...)
- TODO: check
+ NOT-FOR-US: Odoo
CVE-2018-14865 (Report engine in Odoo Community 9.0 through 11.0 and earlier and Odoo ...)
NOT-FOR-US: Odoo
CVE-2018-14864 (Incorrect access control in asset bundles in Odoo Community 9.0 throug ...)
@@ -53415,7 +53416,7 @@ CVE-2018-12558 (The parse() method in the Email::Address module through 1.909 fo
CVE-2018-12557 (An issue was discovered in Zuul 3.x before 3.1.0. If nodes become offl ...)
- zuul <itp> (bug #705844)
CVE-2018-12556 (The signature verification routine in install.sh in yarnpkg/website th ...)
- TODO: check
+ NOT-FOR-US: yarnpkg
CVE-2018-12555
REJECTED
CVE-2018-12554
@@ -56020,7 +56021,7 @@ CVE-2018-11688 (Ignite Realtime Openfire before 3.9.2 is vulnerable to cross-sit
CVE-2018-11687 (An integer overflow in the distributeBTR function of a smart contract ...)
NOT-FOR-US: smart contract implementation for Bitcoin Red (BTCR)
CVE-2018-11686 (The Publish Service in FlexPaper (later renamed FlowPaper) 2.3.6 allow ...)
- TODO: check
+ NOT-FOR-US: FlexPaper (later renamed FlowPaper)
CVE-2018-11685 (Liblouis 3.5.0 has a stack-based Buffer Overflow in the function compi ...)
- liblouis 3.5.0-3
[stretch] - liblouis 3.0.0-3+deb9u4
@@ -57346,7 +57347,7 @@ CVE-2018-11217
CVE-2018-11216
RESERVED
CVE-2018-11215 (Remote code execution is possible in Cloudera Data Science Workbench v ...)
- TODO: check
+ NOT-FOR-US: Cloudera
CVE-2018-11214 (An issue was discovered in libjpeg 9a. The get_text_rgb_row function i ...)
{DLA-1638-1}
- libjpeg9 1:9c-1 (low; bug #902176)
@@ -57890,7 +57891,7 @@ CVE-2018-10988 (An issue was discovered on Diqee Diqee360 devices. A firmware up
CVE-2018-10987 (An issue was discovered on Dongguan Diqee Diqee360 devices. The affect ...)
NOT-FOR-US: Diqee
CVE-2018-10986 (OX Guard 2.8.0 has CSRF. ...)
- TODO: check
+ NOT-FOR-US: Open-Xchange OX Guard
CVE-2018-10985
RESERVED
CVE-2018-10984
@@ -264652,7 +264653,7 @@ CVE-2011-3152 (DistUpgrade/DistUpgradeFetcherCore.py in Update Manager before 1:
- update-manager <not-affected> (ubuntu-specific issue)
NOTE: see bug #650307
CVE-2011-3151 (The Ubuntu SELinux initscript before version 1:0.10 used touch to crea ...)
- TODO: check
+ NOT-FOR-US: Historic Ubuntu init script issue
CVE-2011-3150 (Software Center in Ubuntu 11.10, 11.04 10.10 does not properly validat ...)
- software-center <not-affected> (ubuntu-specific issue)
NOTE: debian package does not contain the vulnerable purchaseview.py code, and probably won't ever as that's part of their commercial interface code
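Review bot: the two adjacent entries (CVE-2011-3152 and CVE-2011-3150) record the Ubuntu-only issues in the form `- <package> <not-affected> (ubuntu-specific issue)`, which keeps the package association; if the corresponding Debian package for the SELinux initscript is known, the same form would be more consistent here than the free-text "Historic Ubuntu init script issue".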
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c617103226b8b2af7a2c4e51530b1611b67e6d59