[Git][security-tracker-team/security-tracker][master] Try to resolve confusion in CVEs for xymon

Salvatore Bonaccorso carnil at debian.org
Wed Jul 24 19:14:25 BST 2019



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
dea3b531 by Salvatore Bonaccorso at 2019-07-24T18:12:18Z
Try to resolve confusion in CVEs for xymon

We have to assume that the new set is correct. Former communication
involved those CVEs which were used as well by the maintainer in the
debian/changelog file. But upstream used different CVEs (possibly
typoed) in the announce in https://lists.xymon.com/archive/2019-July/046570.html.

The correct set of CVEs should be thus

       - CVE-2019-13451: service overflows histlogfn in history.c.
       - CVE-2019-13452: service overflows histlogfn in reportlog.c.
       - CVE-2019-13273: srdb overflows dbfn in csvinfo.c.
       - CVE-2019-13274: reflected XSS in csvinfo.c.
       - CVE-2019-13455: htmlquoted(hostname) overflows msgline in
         acknowledge.c.
       - CVE-2019-13484: htmlquoted(xymondreq) overflows errtxt appfeed.c.
       - CVE-2019-13485: hostname overflows selfurl in history.c.
       - CVE-2019-13486: htmlquoted(xymondreq) overflows errtxt in
         svcstatus.c.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2619,12 +2619,8 @@ CVE-2019-13475 (In MobaXterm 11.1, the mobaxterm: URI handler has an argument in
 	NOT-FOR-US: MobaXterm
 CVE-2019-13474
 	RESERVED
-	- xymon 4.3.29-1
-	NOTE: https://lists.xymon.com/archive/2019-July/046570.html
 CVE-2019-13473
 	RESERVED
-	- xymon 4.3.29-1
-	NOTE: https://lists.xymon.com/archive/2019-July/046570.html
 CVE-2019-13472 (PHPWind 9.1.0 has XSS vulnerabilities in the c and m parameters of the ...)
 	NOT-FOR-US: PHPWind
 CVE-2019-13471
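Review bot: after the removal of the `- xymon 4.3.29-1` and `NOTE:` lines, CVE-2019-13474 and CVE-2019-13473 are left as bare `RESERVED` entries with no record of why the xymon attribution was dropped, even though the commit message says these IDs are still referenced by the maintainer in debian/changelog. Consider keeping a NOTE line under each (for example `NOTE: Previously attributed to xymon, but upstream announce uses CVE-2019-13273/CVE-2019-13274 instead; see https://lists.xymon.com/archive/2019-July/046570.html`) so the next person to cross-check the changelog against the tracker sees the reassignment rather than an unexplained gap. Also, the commit message lists eight CVEs for xymon 4.3.29-1 but this diff only moves two of them (13273 and 13274); if 13451, 13452, 13455, 13484, 13485 and 13486 are not already listed with the same fixed version, they need entries too.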
@@ -3105,8 +3101,12 @@ CVE-2019-13275 (An issue was discovered in the VeronaLabs wp-statistics plugin b
 	NOT-FOR-US: VeronaLabs wp-statistics plugin for WordPress
 CVE-2019-13274
 	RESERVED
+	- xymon 4.3.29-1
+	NOTE: https://lists.xymon.com/archive/2019-July/046570.html
 CVE-2019-13273
 	RESERVED
+	- xymon 4.3.29-1
+	NOTE: https://lists.xymon.com/archive/2019-July/046570.html
 CVE-2019-13272 (In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mish ...)
 	{DSA-4484-1 DLA-1863-1 DLA-1862-1}
 	- linux 4.19.37-6
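Review bot: the new `- xymon 4.3.29-1` entries under CVE-2019-13274 and CVE-2019-13273 sit on IDs that are still `RESERVED`, so the only description a reader gets is the archive URL in the NOTE line. Since the commit message already states what each ID covers, a short descriptive NOTE per entry (such as `NOTE: srdb overflows dbfn in csvinfo.c` for 13273 and `NOTE: reflected XSS in csvinfo.c` for 13274) would keep the tracker self-describing until MITRE publishes the descriptions. It would also be worth confirming that the 4.3.29-1 fixed version matches the upload whose debian/changelog references the other pair of IDs, so the two halves of this change agree on which upload closed the issues.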



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/dea3b53104e2c88d81c7df0b9bcb4c73453d571a


