[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Thu Jun 6 21:10:31 BST 2019



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6f348849 by security tracker role at 2019-06-06T20:10:20Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,39 @@
+CVE-2019-12761 (A code injection issue was discovered in PyXDG before 0.26 via crafted ...)
+	TODO: check
+CVE-2019-12760 (A deserialization vulnerability exists in the way parso through 0.4.0  ...)
+	TODO: check
+CVE-2019-12759
+	RESERVED
+CVE-2019-12758
+	RESERVED
+CVE-2019-12757
+	RESERVED
+CVE-2019-12756
+	RESERVED
+CVE-2019-12755
+	RESERVED
+CVE-2019-12754
+	RESERVED
+CVE-2019-12753
+	RESERVED
+CVE-2019-12752
+	RESERVED
+CVE-2019-12751
+	RESERVED
+CVE-2019-12750
+	RESERVED
+CVE-2019-12749
+	RESERVED
+CVE-2019-12748
+	RESERVED
+CVE-2019-12747
+	RESERVED
+CVE-2019-12746
+	RESERVED
+CVE-2019-12745
+	RESERVED
+CVE-2019-12744
+	RESERVED
 CVE-2019-12743
 	RESERVED
 CVE-2019-12742 (Bludit prior to 3.9.1 allows a non-privileged user to change the passw ...)
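Review bot: the two new non-RESERVED entries at the top of this hunk, CVE-2019-12761 (PyXDG code injection, before 0.26) and CVE-2019-12760 (parso deserialization, through 0.4.0), are Python libraries rather than the appliance or proprietary-product CVEs that make up most of the other TODO: check entries in this commit, and both have Debian source packages (pyxdg and python-parso). They deserve a real triage line (affected package and fixed version, or <not-affected> with a reason) rather than sitting at "TODO: check" behind sixteen RESERVED placeholders.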
@@ -24,8 +60,8 @@ CVE-2019-12735 (getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows
 	NOTE: https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md
 	NOTE: vim patches: https://github.com/vim/vim/commit/5357552
 	NOTE: neovim pull request: https://github.com/neovim/neovim/pull/10082
-CVE-2019-12732
-	RESERVED
+CVE-2019-12732 (The Chartkick gem through 3.1.0 for Ruby allows XSS. ...)
+	TODO: check
 CVE-2019-12731
 	RESERVED
 CVE-2019-12730 (aa_read_header in libavformat/aadec.c in FFmpeg before 3.2.14 does not ...)
@@ -882,6 +918,7 @@ CVE-2019-12362 (EmpireCMS 7.5.0 has XSS via the HTTP Referer header to e/member/
 CVE-2019-12361 (EmpireCMS 7.5.0 has XSS via the from parameter to e/member/doaction.ph ...)
 	NOT-FOR-US: EmpireCMS
 CVE-2019-12360 (A stack-based buffer over-read exists in FoFiTrueType::dumpString in f ...)
+	{DLA-1815-1}
 	- xpdf <not-affected> (xpdf in Debian uses poppler, which is not affected or fixed)
 	- poppler 0.38.0-2
 	NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=41801
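Review bot: adding {DLA-1815-1} to CVE-2019-12360 makes the xpdf rationale on the line below it inconsistent. That line says poppler "is not affected or fixed", which reads as an open question, while the DLA reference and the "poppler 0.38.0-2" fixed version both say poppler was affected and has been fixed. Suggest tightening the parenthetical to something like "(xpdf in Debian uses poppler, fixed separately)" so the not-affected marking for xpdf is unambiguous.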
@@ -983,7 +1020,7 @@ CVE-2019-12314 (Deltek Maconomy 2.2.5 is prone to local file inclusion via absol
 	NOT-FOR-US: Deltek Maconomy
 CVE-2019-12313 (XSS exists in Shave before 2.5.3 because output encoding is mishandled ...)
 	NOT-FOR-US: Shave
-CVE-2019-12312 (In Libreswan before 3.28, an assertion failure can lead to a pluto IKE ...)
+CVE-2019-12312 (In Libreswan 3.27 an assertion failure can lead to a pluto IKE daemon  ...)
 	[experimental] - libreswan 3.28-1
 	- libreswan 3.27-5 (bug #929916)
 	NOTE: https://github.com/libreswan/libreswan/issues/246
@@ -1033,8 +1070,8 @@ CVE-2019-12305
 	RESERVED
 CVE-2019-12304
 	RESERVED
-CVE-2019-12303
-	RESERVED
+CVE-2019-12303 (In Rancher 2 through 2.2.3, Project owners can inject additional fluen ...)
+	TODO: check
 CVE-2019-12302
 	RESERVED
 CVE-2019-12301 (The Percona Server 5.6.44-85.0-1 packages for Debian and Ubuntu suffer ...)
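Review bot: CVE-2019-12303 is filed against Rancher 2 (through 2.2.3), which is not a Debian source package, so "TODO: check" should resolve to a NOT-FOR-US: Rancher line like the neighbouring proprietary-product entries. The same applies to CVE-2019-12274 (Rancher 1 and 2 through 2.2.3) in a later hunk of this commit; triage both together so they do not drift apart.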
@@ -1062,13 +1099,14 @@ CVE-2019-12295 (In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14
 CVE-2019-12294
 	RESERVED
 CVE-2019-12293 (In Poppler through 0.76.1, there is a heap-based buffer over-read in J ...)
+	{DLA-1815-1}
 	- poppler 0.71.0-5 (bug #929423)
 	NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/768
 	NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/89a5367d49b2556a2635dbb6d48d6a6b182a2c6c
 CVE-2019-12292
 	RESERVED
-CVE-2019-12291
-	RESERVED
+CVE-2019-12291 (HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Key ...)
+	TODO: check
 CVE-2019-12290
 	RESERVED
 CVE-2019-12289 (An issue was discovered in upgrade_firmware.cgi on VStarcam 100T (C782 ...)
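Review bot: CVE-2019-12291 (HashiCorp Consul 1.4.0 through 1.5.0, Incorrect Access Control) is left at "TODO: check", but consul is a Debian source package, so this needs a package line with the version range checked against the archive rather than a placeholder. The {DLA-1815-1} addition to CVE-2019-12293 above it is fine and matches the other poppler entries updated in this commit.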
@@ -1103,8 +1141,8 @@ CVE-2019-12275
 	RESERVED
 CVE-2016-10750 (In Hazelcast before 3.11, the cluster join procedure is vulnerable to  ...)
 	- hazelcast <itp> (bug #745640)
-CVE-2019-12274
-	RESERVED
+CVE-2019-12274 (In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to de ...)
+	TODO: check
 CVE-2019-12273
 	RESERVED
 CVE-2019-12272 (In OpenWrt LuCI through 0.10, the endpoints admin/status/realtime/band ...)
@@ -1459,10 +1497,10 @@ CVE-2019-12137 (Typora 0.9.9.24.6 on macOS allows directory traversal, for execu
 	NOT-FOR-US: Typora
 CVE-2019-12136 (There is XSS in BoostIO Boostnote 0.11.15 via a label named mermaid, a ...)
 	NOT-FOR-US: Boostnote
-CVE-2019-12135
-	RESERVED
-CVE-2019-12134
-	RESERVED
+CVE-2019-12135 (An unspecified vulnerability in the application server in PaperCut MF  ...)
+	TODO: check
+CVE-2019-12134 (CSV Injection (aka Excel Macro Injection or Formula Injection) exists  ...)
+	TODO: check
 CVE-2019-12133
 	RESERVED
 CVE-2019-12132
@@ -4002,8 +4040,8 @@ CVE-2019-11082 (core/api/datasets/internal/actions/Explode.java in the Dataset A
 	NOT-FOR-US: DKPro Core
 CVE-2019-11081 (A default username and password in Dentsply Sirona Sidexis 4.2 and pos ...)
 	NOT-FOR-US: Dentsply Sirona Sidexis
-CVE-2019-11080
-	RESERVED
+CVE-2019-11080 (Sitecore Experience Platform (XP) prior to 9.1.1 is vulnerable to remo ...)
+	TODO: check
 CVE-2019-11079
 	RESERVED
 CVE-2019-11078 (MKCMS V5.0 has a CSRF vulnerability to add a new admin user via the uc ...)
@@ -4633,6 +4671,7 @@ CVE-2019-10873 (An issue was discovered in Poppler 0.74.0. There is a NULL point
 	NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/748
 	NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/8dbe2e6c480405dab9347075cf4be626f90f1d05
 CVE-2019-10872 (An issue was discovered in Poppler 0.74.0. There is a heap-based buffe ...)
+	{DLA-1815-1}
 	- poppler 0.71.0-5 (low; bug #926530)
 	[stretch] - poppler <postponed> (Revisit when fixed upstream)
 	NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/750
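Review bot: {DLA-1815-1} is added to CVE-2019-10872 while the stretch line directly below it still reads "<postponed> (Revisit when fixed upstream)". If the LTS team shipped a fix for jessie in DLA-1815-1, the upstream fix evidently exists, so the stretch status should be revisited in the same change (either a stretch fixed version or an updated reason), otherwise the entry claims a fix for the older suite and none for the newer one.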
@@ -5884,7 +5923,7 @@ CVE-2019-10325 (A cross-site scripting vulnerability in Jenkins Warnings NG Plug
 	NOT-FOR-US: Jenkins plugin
 CVE-2019-10324 (A cross-site request forgery vulnerability in Jenkins Artifactory Plug ...)
 	NOT-FOR-US: Jenkins plugin
-CVE-2019-10323 (A missing permission check in Jenkins Artifactory Plugin 3.2.2 and ear ...)
+CVE-2019-10323 (A missing permission check in Jenkins Artifactory Plugin 3.2.3 and ear ...)
 	NOT-FOR-US: Jenkins plugin
 CVE-2019-10322 (A missing permission check in Jenkins Artifactory Plugin 3.2.2 and ear ...)
 	NOT-FOR-US: Jenkins plugin
@@ -6887,8 +6926,8 @@ CVE-2019-9931
 	RESERVED
 CVE-2019-9930
 	RESERVED
-CVE-2019-9929
-	RESERVED
+CVE-2019-9929 (Northern.tech CFEngine Enterprise 3.12.1 has Insecure Permissions. ...)
+	TODO: check
 CVE-2019-9928 (GStreamer before 1.16.0 has a heap-based buffer overflow in the RTSP c ...)
 	{DSA-4437-1 DLA-1770-1 DLA-1769-1}
 	[experimental] - gst-plugins-base1.0 1.15.90-1
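Review bot: CVE-2019-9929 is described as an Insecure Permissions issue in "Northern.tech CFEngine Enterprise 3.12.1". Debian ships cfengine3 (the community edition), so this should not be closed as NOT-FOR-US automatically: check whether the affected code is Enterprise-only before deciding, and record the reason either way instead of leaving "TODO: check".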
@@ -11862,8 +11901,7 @@ CVE-2019-8321 [Escape sequence injection vulnerability in verbose]
 	NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
 	NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
 	NOTE: https://github.com/rubygems/rubygems/commit/56c0bbb69e4506bda7ef7f447dfec5db820df20b
-CVE-2019-8320 [Delete directory using symlink when decompressing tar]
-	RESERVED
+CVE-2019-8320 (A Directory Traversal issue was discovered in RubyGems 2.7.6 and later ...)
 	{DSA-4433-1 DLA-1735-1}
 	- ruby2.5 2.5.5-1
 	- ruby2.3 <removed>
@@ -13589,12 +13627,12 @@ CVE-2019-7556
 	RESERVED
 CVE-2019-7555
 	RESERVED
-CVE-2019-7554
-	RESERVED
-CVE-2019-7553
-	RESERVED
-CVE-2019-7552
-	RESERVED
+CVE-2019-7554 (An issue was discovered in PHP Scripts Mall API Based Travel Booking 3 ...)
+	TODO: check
+CVE-2019-7553 (PHP Scripts Mall Chartered Accountant : Auditor Website 2.0.1 has Stor ...)
+	TODO: check
+CVE-2019-7552 (An issue was discovered in PHP Scripts Mall Investment MLM Software 2. ...)
+	TODO: check
 CVE-2019-7551 (Cantemo Portal before 3.2.13, 3.3.x before 3.3.8, and 3.4.x before 3.4 ...)
 	NOT-FOR-US: Cantemo Portal
 CVE-2019-7550 (In JForum 2.1.8, an unauthenticated, remote attacker can enumerate whe ...)
@@ -14318,8 +14356,8 @@ CVE-2019-7313 (www/resource.py in Buildbot before 1.8.1 allows CRLF injection in
 	NOTE: https://github.com/buildbot/buildbot/pull/4584/files#diff-a2e7e3ee5f6a1d3cd9c6abf0328c21e0
 CVE-2019-7312 (Limited plaintext disclosure exists in PRIMX Zed Entreprise for Window ...)
 	NOT-FOR-US: PRIMX Zed Enterprise
-CVE-2019-7311
-	RESERVED
+CVE-2019-7311 (An issue was discovered on Linksys WRT1900ACS 1.0.3.187766 devices. A  ...)
+	TODO: check
 CVE-2019-7310 (In Poppler 0.73.0, a heap-based buffer over-read (due to an integer si ...)
 	{DLA-1706-1}
 	- poppler 0.71.0-4 (bug #921215)
@@ -14556,8 +14594,8 @@ CVE-2019-7221 (The KVM implementation in the Linux kernel through 4.20.5 has a U
 	[stretch] - linux 4.9.161-1
 	NOTE: https://git.kernel.org/linus/ecec76885bcfe3294685dc363fd1273df0d5d65f
 	NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1760
-CVE-2019-7220
-	RESERVED
+CVE-2019-7220 (X-Cart V5 is vulnerable to XSS via the CategoryFilter2 parameter. ...)
+	TODO: check
 CVE-2019-7219 (Unauthenticated reflected cross-site scripting (XSS) exists in Zarafa  ...)
 	- zarafa <itp> (bug #658433)
 CVE-2019-7218 (Citrix ShareFile through 19.1 allows a downgrade from two-factor authe ...)
@@ -14566,8 +14604,8 @@ CVE-2019-7217 (Citrix ShareFile through 19.1 allows User Enumeration. It is poss
 	NOT-FOR-US: Citrix ShareFile
 CVE-2019-7216 (An issue was discovered in FileChucker 4.99e-free-e02. filechucker.cgi ...)
 	NOT-FOR-US: FileChucker
-CVE-2019-7215
-	RESERVED
+CVE-2019-7215 (Progress Sitefinity 10.1.6536 does not invalidate session cookies upon ...)
+	TODO: check
 CVE-2019-7214 (SmarterTools SmarterMail 16.x before build 6985 allows deserialization ...)
 	NOT-FOR-US: SmarterTools SmarterMail
 CVE-2019-7213 (SmarterTools SmarterMail 16.x before build 6985 allows directory trave ...)
@@ -15091,8 +15129,8 @@ CVE-2019-1000018 (rssh version 2.3.4 contains a CWE-77: Improper Neutralization
 	{DSA-4377-1 DLA-1650-1}
 	- rssh 2.3.4-9 (bug #919623)
 	NOTE: https://sourceforge.net/p/rssh/mailman/message/36519118/
-CVE-2019-6989
-	RESERVED
+CVE-2019-6989 (TP-Link TL-WR940N is vulnerable to a stack-based buffer overflow, caus ...)
+	TODO: check
 CVE-2019-6988 (An issue was discovered in OpenJPEG 2.3.0. It allows remote attackers  ...)
 	- openjpeg2 <unfixed> (low; bug #922648)
 	[buster] - openjpeg2 <ignored> (Minor issue)
@@ -16396,10 +16434,10 @@ CVE-2019-6454 (An issue was discovered in sd-bus in systemd 239. bus_process_obj
 	NOTE: https://github.com/systemd/systemd/commit/f519a19bcd5afe674a9b8fc462cd77d8bad403c1
 CVE-2019-6453 (mIRC before 7.55 allows remote command execution by using argument inj ...)
 	NOT-FOR-US: mIRC
-CVE-2019-6452
-	RESERVED
-CVE-2019-6451
-	RESERVED
+CVE-2019-6452 (Kyocera Command Center RX TASKalfa4501i and TASKalfa5052ci allows remo ...)
+	TODO: check
+CVE-2019-6451 (On SOYAL AR-727H and AR-829Ev5 devices, all CGI programs allow unauthe ...)
+	TODO: check
 CVE-2019-6450
 	RESERVED
 CVE-2019-6449
@@ -18787,14 +18825,14 @@ CVE-2019-5527
 	RESERVED
 CVE-2019-5526 (VMware Workstation (15.x before 15.1.0) contains a DLL hijacking issue ...)
 	NOT-FOR-US: VMware
-CVE-2019-5525
-	RESERVED
+CVE-2019-5525 (VMware Workstation (15.x before 15.1.0) contains a use-after-free vuln ...)
+	TODO: check
 CVE-2019-5524 (VMware Workstation (14.x before 14.1.6) and Fusion (10.x before 10.1.6 ...)
 	NOT-FOR-US: VMware
 CVE-2019-5523 (VMware vCloud Director for Service Providers 9.5.x prior to 9.5.0.3 up ...)
 	NOT-FOR-US: VMware vCloud Director for Service Providers
-CVE-2019-5522
-	RESERVED
+CVE-2019-5522 (VMware Tools for Windows (10.x before 10.3.10) update addresses an out ...)
+	TODO: check
 CVE-2019-5521
 	RESERVED
 CVE-2019-5520 (VMware ESXi (6.7 before ESXi670-201904101-SG and 6.5 before ESXi650-20 ...)
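Review bot: CVE-2019-5525 (VMware Workstation 15.x before 15.1.0) and CVE-2019-5522 (VMware Tools for Windows 10.x before 10.3.10) are left at "TODO: check", while the surrounding VMware entries in the same hunk, CVE-2019-5526, CVE-2019-5524 and CVE-2019-5523, are already marked NOT-FOR-US: VMware. Use the same marking for consistency; a Workstation or Windows-only Tools issue has no Debian package to track.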
@@ -19258,8 +19296,8 @@ CVE-2019-5307 (Some Huawei 4G LTE devices, P30 versions before ELE-AL00 9.1.0.16
 	TODO: check
 CVE-2019-5306 (There is a Factory Reset Protection (FRP) bypass security vulnerabilit ...)
 	TODO: check
-CVE-2019-5305
-	RESERVED
+CVE-2019-5305 (The image processing module of some Huawei Mate 10 smartphones version ...)
+	TODO: check
 CVE-2019-5304
 	RESERVED
 CVE-2019-5303
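Review bot: CVE-2019-5305 joins a run of Huawei device CVEs (CVE-2019-5307 and CVE-2019-5306 immediately above, and the further Huawei hunks below) that all stay at "TODO: check". These are smartphone and PCManager firmware issues with no Debian package, so the backlog should be cleared as NOT-FOR-US: Huawei in one pass rather than accumulating placeholders with each automatic update.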
@@ -19278,8 +19316,8 @@ CVE-2019-5297 (Emily-L29C Huawei phones versions earlier than 9.0.0.159 (C185E2R
 	TODO: check
 CVE-2019-5296 (Mate20 Huawei smartphones versions earlier than HMA-AL00C00B175 have a ...)
 	TODO: check
-CVE-2019-5295
-	RESERVED
+CVE-2019-5295 (Huawei Honor V10 smartphones versions earlier than Berkeley-AL20 9.0.0 ...)
+	TODO: check
 CVE-2019-5294
 	RESERVED
 CVE-2019-5293
@@ -19384,10 +19422,10 @@ CVE-2019-5244 (Mate 9 Pro Huawei smartphones earlier than LON-L29C 8.0.0.361(C63
 	TODO: check
 CVE-2019-5243
 	RESERVED
-CVE-2019-5242
-	RESERVED
-CVE-2019-5241
-	RESERVED
+CVE-2019-5242 (There is a code execution vulnerability in Huawei PCManager versions e ...)
+	TODO: check
+CVE-2019-5241 (There is a privilege escalation vulnerability in Huawei PCManager vers ...)
+	TODO: check
 CVE-2019-5240
 	RESERVED
 CVE-2019-5239
@@ -19430,18 +19468,18 @@ CVE-2019-5221
 	RESERVED
 CVE-2019-5220
 	RESERVED
-CVE-2019-5219
-	RESERVED
+CVE-2019-5219 (There is a double free vulnerability on certain drivers of Huawei Mate ...)
+	TODO: check
 CVE-2019-5218
 	RESERVED
 CVE-2019-5217 (There is an information disclosure vulnerability on Mate 9 Pro Huawei  ...)
 	TODO: check
-CVE-2019-5216
-	RESERVED
+CVE-2019-5216 (There is a race condition vulnerability on Huawei Honor V10 smartphone ...)
+	TODO: check
 CVE-2019-5215 (There is a man-in-the-middle (MITM) vulnerability on Huawei P30 smartp ...)
 	TODO: check
-CVE-2019-5214
-	RESERVED
+CVE-2019-5214 (There is a use after free vulnerability on certain driver component in ...)
+	TODO: check
 CVE-2019-5213
 	RESERVED
 CVE-2019-5212
@@ -23025,10 +23063,10 @@ CVE-2018-20662 (In Poppler 0.72.0, PDFDoc::setup in PDFDoc.cc allows attackers t
 	NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/7b4e372deeb716eb3fe3a54b31ed41af759224f9
 CVE-2019-3580 (OpenRefine through 3.1 allows arbitrary file write because Directory T ...)
 	NOT-FOR-US: OpenRefine
-CVE-2019-3579
-	RESERVED
-CVE-2019-3578
-	RESERVED
+CVE-2019-3579 (MyBB 1.8.19 allows remote attackers to obtain sensitive information be ...)
+	TODO: check
+CVE-2019-3578 (MyBB 1.8.19 has XSS in the resetpassword function. ...)
+	TODO: check
 CVE-2019-3577 (An issue was discovered in Waimai Super Cms 20150505. web/Lib/Action/P ...)
 	NOT-FOR-US: Waimai Super Cms
 CVE-2019-3576 (inxedu through 2018-12-24 has a SQL Injection vulnerability that can l ...)
@@ -59521,8 +59559,8 @@ CVE-2018-9841 (The export function in libavfilter/vf_signature.c in FFmpeg throu
 	NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commit;h=35eeff30caf34df835206f1c12bcf4b7c2bd6758
 CVE-2018-9840 (The Open Whisper Signal app before 2.23.2 for iOS allows physically pr ...)
 	NOT-FOR-US: Open Whisper Signal app for iOS
-CVE-2018-9839
-	RESERVED
+CVE-2018-9839 (An issue was discovered in MantisBT through 1.3.14, and 2.0.0. Using a ...)
+	TODO: check
 CVE-2018-1000164 (gunicorn version 19.4.5 contains a CWE-113: Improper Neutralization of ...)
 	{DSA-4186-1 DLA-1357-1}
 	- gunicorn 19.5.0-1 (bug #896548)
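Review bot: CVE-2018-9839 (MantisBT through 1.3.14, and 2.0.0) should be checked against the archive history before being marked. Mantis has been in Debian in the past as src:mantis, so the correct outcome is either a package line with the appropriate <removed> marking, consistent with how other MantisBT entries in this file are handled, or NOT-FOR-US if no version was ever affected; "TODO: check" is not a resting state for a year-old CVE.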
@@ -63991,8 +64029,8 @@ CVE-2018-8048 (In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML at
 	NOTE: https://github.com/flavorjones/loofah/issues/144
 	NOTE: https://github.com/flavorjones/loofah/commit/4a08c25a603654f2fc505a7d2bf0c35a39870ad7
 	NOTE: https://github.com/flavorjones/loofah/commit/56e95a6696b1e17a242eb8ebbbab64d613c4f1fe
-CVE-2018-8047
-	RESERVED
+CVE-2018-8047 (vtiger CRM 7.0.1 is affected by one reflected Cross-Site Scripting (XS ...)
+	TODO: check
 CVE-2018-8046 (The getTip() method of Action Columns of Sencha Ext JS 4 to 6 before 6 ...)
 	NOT-FOR-US: Sencha
 CVE-2018-8045 (In Joomla! 3.5.0 through 3.8.5, the lack of type casting of a variable ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6f348849227c265b5822f9de672fdfb4a9d07624
