[Git][security-tracker-team/security-tracker][master] NFUs

Moritz Muehlenhoff jmm at debian.org
Wed Jul 10 11:53:52 BST 2019



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
793e064f by Moritz Muehlenhoff at 2019-07-10T10:53:08Z
NFUs
new wordpress non-issue
new matrixssl issue
ffmpeg n/a

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,21 +1,21 @@
 CVE-2019-13478 (The Yoast SEO plugin before 11.6-RC5 for WordPress does not properly r ...)
-	TODO: check
+	NOT-FOR-US: Wordpress plugin
 CVE-2019-13477
 	RESERVED
 CVE-2019-13476
 	RESERVED
 CVE-2019-13475 (In MobaXterm 11.1, the mobaxterm: URI handler has an argument injectio ...)
-	TODO: check
+	NOT-FOR-US: MobaXterm
 CVE-2019-13474
 	RESERVED
 CVE-2019-13473
 	RESERVED
 CVE-2019-13472 (PHPWind 9.1.0 has XSS vulnerabilities in the c and m parameters of the ...)
-	TODO: check
+	NOT-FOR-US: PHPWind
 CVE-2019-13471
 	RESERVED
 CVE-2019-13470 (MatrixSSL before 4.2.1 has an out-of-bounds read during ASN.1 handling ...)
-	TODO: check
+	- matrixssl <removed>
 CVE-2019-13469
 	RESERVED
 CVE-2019-13468
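Review bot: the new matrixssl entry records `- matrixssl <removed>` without a NOTE giving the upstream reference for the 4.2.1 fix, unlike other entries in this file that carry upstream bug or patch links (see the libav and sdl-image1.2 entries further down); add a `NOTE:` line pointing at the upstream fix so the ASN.1 out-of-bounds read can be located later, and confirm that no supported suite still ships src:matrixssl, since a `<removed>` line alone says nothing about older suites and a `[suite]` annotation would be needed if one does. Minor style point: `NOT-FOR-US: Wordpress plugin` spells the project `WordPress` elsewhere in this file (CVE-2017-6514), so the casing is worth aligning.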
@@ -204,7 +204,7 @@ CVE-2019-13382
 CVE-2019-13381
 	RESERVED
 CVE-2019-13380 (KEYNTO Team Password Manager 1.5.0 allows XSS because data saved from  ...)
-	TODO: check
+	NOT-FOR-US: KEYNTO Team Password Manager
 CVE-2019-13379 (On AVTECH Room Alert 3E devices before 2.2.5, an attacker with access  ...)
 	NOT-FOR-US: AVTECH Room Alert
 CVE-2019-13378
@@ -295,9 +295,9 @@ CVE-2019-13340 (In MiniCMS V1.10, stored XSS was found in mc-admin/post-edit.php
 CVE-2019-13339 (In MiniCMS V1.10, stored XSS was found in mc-admin/page-edit.php (cont ...)
 	NOT-FOR-US: MiniCMS
 CVE-2019-13338 (In WESEEK GROWI before 3.5.0, a remote attacker can obtain the passwor ...)
-	TODO: check
+	NOT-FOR-US: WESEEK GROWI
 CVE-2019-13337 (In WESEEK GROWI before 3.5.0, the site-wide basic authentication can b ...)
-	TODO: check
+	NOT-FOR-US: WESEEK GROWI
 CVE-2019-13336
 	RESERVED
 CVE-2019-13335
@@ -463,7 +463,7 @@ CVE-2019-13279
 CVE-2019-13278
 	RESERVED
 CVE-2019-13277 (TRENDnet TEW-827DRU with firmware up to and including 2.04B03 allows a ...)
-	TODO: check
+	NOT-FOR-US: TRENDnet TEW-827DRU
 CVE-2019-13276
 	RESERVED
 CVE-2019-13275 (An issue was discovered in the VeronaLabs wp-statistics plugin before  ...)
@@ -4997,7 +4997,7 @@ CVE-2019-11514 (User/Command/ConfirmEmailHandler.php in Flarum before 0.1.0-beta
 CVE-2019-11513 (The File Manager in CMS Made Simple through 2.2.10 has Reflected XSS v ...)
 	NOT-FOR-US: CMS Made Simple
 CVE-2019-11512 (Contao 4.x allows SQL Injection. Fixed in Contao 4.4.39 and Contao 4.7 ...)
-	TODO: check
+	NOT-FOR-US: Contao
 CVE-2019-11511 (Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the ...)
 	NOT-FOR-US: Zoho ManageEngine ADSelfService Plus
 CVE-2019-11510 (In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before ...)
@@ -6304,9 +6304,9 @@ CVE-2019-11022
 CVE-2019-11021
 	RESERVED
 CVE-2019-11020 (Lack of authentication in file-viewing components in DDRT Dashcom Live ...)
-	TODO: check
+	NOT-FOR-US: DDRT Dashcom
 CVE-2019-11019 (Lack of authentication in case-exporting components in DDRT Dashcom Li ...)
-	TODO: check
+	NOT-FOR-US: DDRT Dashcom
 CVE-2019-11018 (application\admin\controller\User.php in ThinkAdmin V4.0 does not prev ...)
 	NOT-FOR-US: ThinkAdmin
 CVE-2019-11017 (On D-Link DI-524 V2.06RU devices, multiple Stored and Reflected XSS vu ...)
@@ -11920,13 +11920,13 @@ CVE-2019-9151 (An issue was discovered in the HDF HDF5 1.10.4 library. There is
 	NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul7
 	NOTE: issue in upstream bug tracker: https://jira.hdfgroup.org/browse/HDFFV-10718
 CVE-2019-9150 (Mailvelope prior to 3.3.0 does not require user interaction to import  ...)
-	TODO: check
+	NOT-FOR-US: Mailvelope
 CVE-2019-9149 (Mailvelope prior to 3.3.0 allows private key operations without user i ...)
-	TODO: check
+	NOT-FOR-US: Mailvelope
 CVE-2019-9148 (Mailvelope prior to 3.3.0 accepts or operates with invalid PGP public  ...)
-	TODO: check
+	NOT-FOR-US: Mailvelope
 CVE-2019-9147 (Mailvelope prior to 3.1.0 is vulnerable to a clickjacking attack again ...)
-	TODO: check
+	NOT-FOR-US: Mailvelope
 CVE-2019-9146 (Jamf Self Service 10.9.0 allows man-in-the-middle attackers to obtain  ...)
 	NOT-FOR-US: Jamf Self Service
 CVE-2019-9145 (An issue was discovered in Hsycms V1.1. There is an XSS vulnerability  ...)
@@ -22024,7 +22024,6 @@ CVE-2019-5051 (An exploitable heap-based buffer overflow vulnerability exists wh
 	[buster] - sdl-image1.2 <no-dsa> (Minor issue)
 	[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0820
-	TODO: isolate fixing commit
 CVE-2019-5050
 	RESERVED
 CVE-2019-5049
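Review bot: the `TODO: isolate fixing commit` line for CVE-2019-5051 is dropped without a replacement NOTE recording the commit, so the buster and stretch `<no-dsa>` entries still have no pointer to the upstream fix beyond the Talos report; either add a `NOTE: Fixed by: <commit>` line next to the TALOS-2019-0820 reference or keep the TODO until the commit has been identified. The commit message (NFUs, wordpress non-issue, matrixssl, ffmpeg) also does not mention this change, so a reviewer reading only the summary would miss it.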
@@ -48162,7 +48161,7 @@ CVE-2018-14835 (Subrion CMS v4.2.1 is vulnerable to Stored XSS because of no esc
 CVE-2018-14834
 	RESERVED
 CVE-2018-14833 (Intuit Lacerte 2017 has Incorrect Access Control. ...)
-	TODO: check
+	NOT-FOR-US: Intuit
 CVE-2018-14832
 	RESERVED
 CVE-2018-14831
@@ -122912,7 +122911,8 @@ CVE-2017-6516 (A Local Privilege Escalation Vulnerability in MagniComp's Sysinfo
 CVE-2017-6515
 	RESERVED
 CVE-2017-6514 (WordPress 4.7.2 mishandles listings of post authors, which allows remo ...)
-	TODO: check
+	- wordpress <unfixed> (unimportant)
+	NOTE: No security impact
 CVE-2017-6513 (The WHMCS Reseller Module V2 2.0.2 in Softaculous Virtualizor before 2 ...)
 	NOT-FOR-US: Softaculous Virtualizor
 CVE-2017-6512 (Race condition in the rmtree and remove_tree functions in the File-Pat ...)
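Review bot: `NOTE: No security impact` gives no reason why the mishandled listing of post authors in CVE-2017-6514 is considered a non-issue, and `<unfixed> (unimportant)` will keep the entry open indefinitely, so anyone re-triaging later has nothing to go on; expand the NOTE with the actual justification (why the exposed information is not considered exploitable) or a reference to the upstream position, as the other non-issue entries in this file do with their NOTE links.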
@@ -124698,9 +124698,9 @@ CVE-2017-5985 (lxc-user-nic in Linux Containers (LXC) allows local users with a
 CVE-2017-5984 (In libavcodec in Libav 9.21, ff_h264_execute_ref_pic_marking() has a h ...)
 	- libav <removed>
 	[jessie] - libav <not-affected> (Vulnerable code introduced later)
+	- ffmpeg <not-affected> (ffmpeg not affected)
 	NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1019
 	NOTE: https://patches.libav.org/patch/62534/
-	TODO: check if affects src:ffmpeg
 CVE-2017-5983 (The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3. ...)
 	NOT-FOR-US: JIRA Workflow Designer Plugin
 CVE-2017-5982 (Directory traversal vulnerability in the Chorus2 2.4.2 add-on for Kodi ...)
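Review bot: the rationale `(ffmpeg not affected)` on the new `- ffmpeg <not-affected>` line only restates the tag; record the reason instead, for example that the vulnerable code in ff_h264_execute_ref_pic_marking() differs in ffmpeg or that the libav patch linked in the NOTE does not apply, so the conclusion can be re-checked without redoing the comparison. Placing the ffmpeg line between the `[jessie] - libav` annotation and libav's NOTE lines also interleaves the two packages' records; grouping the ffmpeg line with the other package lines would keep the entry easier to scan.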



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/793e064f6b127303862b0776336ba2d7051fd048
