[Git][security-tracker-team/security-tracker][master] two libonig issues
Moritz Muehlenhoff
jmm at debian.org
Thu Jul 11 12:15:23 BST 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d9c52c2c by Moritz Muehlenhoff at 2019-07-11T11:14:35Z
two libonig issues
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,7 +1,8 @@
CVE-2019-13504 (There is an out-of-bounds read in Exiv2::MrwImage::readMetadata in mrw ...)
TODO: check
CVE-2019-13503 (mq_parse_http in mongoose.c in Mongoose 6.15 has a heap-based buffer o ...)
- TODO: check
+ NOT-FOR-US: Cesanta Mongoose
+ NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
CVE-2019-13502
RESERVED
CVE-2019-13501
@@ -29,9 +30,9 @@ CVE-2019-13491
CVE-2019-13490
RESERVED
CVE-2019-13489 (Trape through 2019-05-08 has SQL injection via the data[2] variable in ...)
- TODO: check
+ NOT-FOR-US: Trape
CVE-2019-13488 (A cross-site scripting (XSS) vulnerability in static/js/trape.js in Tr ...)
- TODO: check
+ NOT-FOR-US: Trape
CVE-2019-13487
RESERVED
CVE-2019-13486
@@ -43,9 +44,9 @@ CVE-2019-13484
CVE-2019-13483
RESERVED
CVE-2019-13482 (An issue was discovered on D-Link DIR-818LW devices with firmware 2.06 ...)
- TODO: check
+ NOT-FOR-US: D-Link
CVE-2019-13481 (An issue was discovered on D-Link DIR-818LW devices with firmware 2.06 ...)
- TODO: check
+ NOT-FOR-US: D-Link
CVE-2019-13480
RESERVED
CVE-2019-13479
@@ -222,7 +223,7 @@ CVE-2019-13398 (Dynacolor FCM-MB40 v1.2.0.0 devices allow remote attackers to ex
CVE-2019-13397 (Unauthenticated Stored XSS in osTicket 1.10.1 allows a remote attacker ...)
NOT-FOR-US: osTicket
CVE-2019-13396 (FlightPath 4.x and 5.0-x allows directory traversal and Local File Inc ...)
- TODO: check
+ NOT-FOR-US: FlightPath
CVE-2019-13395
RESERVED
CVE-2019-13394
@@ -641,9 +642,15 @@ CVE-2019-13233 (In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, th
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1879
NOTE: Fixed by: https://git.kernel.org/linus/de9f869616dd95e95c00bdd6b0fcd3421e8a4323
CVE-2019-13225 (A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9 ...)
- TODO: check
+ - libonig <unfixed> (low)
+ [buster] - libonig <no-dsa> (Minor issue)
+ [stretch] - libonig <no-dsa> (Minor issue)
+ NOTE: https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c
CVE-2019-13224 (A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 a ...)
- TODO: check
+ - libonig <unfixed> (low)
+ [buster] - libonig <no-dsa> (Minor issue)
+ [stretch] - libonig <no-dsa> (Minor issue)
+ NOTE: https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55
CVE-2019-13223
RESERVED
CVE-2019-13222
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d9c52c2c21b4c3bed1996b7f9abaa85c9ede152b
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d9c52c2c21b4c3bed1996b7f9abaa85c9ede152b
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190711/7cc1f175/attachment.html>
More information about the debian-security-tracker-commits
mailing list