[Git][security-tracker-team/security-tracker][master] 3 commits: Process NFUs
Salvatore Bonaccorso
carnil at debian.org
Thu Jun 20 21:33:14 BST 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
dfe1f23d by Salvatore Bonaccorso at 2019-06-20T20:32:29Z
Process NFUs
- - - - -
bcacaae1 by Salvatore Bonaccorso at 2019-06-20T20:32:29Z
Add CVE-2018-1883{6,7,8,9}/netdata
- - - - -
acb7d59b by Salvatore Bonaccorso at 2019-06-20T20:32:30Z
Add CVE-2018-16514/mantis
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,9 +1,9 @@
CVE-2019-12921
RESERVED
CVE-2019-12920 (On Shenzhen Cylan Clever Dog Smart Camera DOG-2W and DOG-2W-V4 devices ...)
- TODO: check
+ NOT-FOR-US: Shenzhen Cylan Clever Dog Smart Cameraa DOG-2W and DOG-2W-V4 devices
CVE-2019-12919 (On Shenzhen Cylan Clever Dog Smart Camera DOG-2W and DOG-2W-V4 devices ...)
- TODO: check
+ NOT-FOR-US: Shenzhen Cylan Clever Dog Smart Camera DOG-2W and DOG-2W-V4 devices
CVE-2019-12918
RESERVED
CVE-2019-12917
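Review bot: typo in the new NOT-FOR-US line for CVE-2019-12920, "Smart Cameraa" should read "Smart Camera", matching the sibling entry for CVE-2019-12919 two lines below; suggest `+ NOT-FOR-US: Shenzhen Cylan Clever Dog Smart Camera DOG-2W and DOG-2W-V4 devices` so both entries carry the same product string.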
@@ -49,19 +49,19 @@ CVE-2019-12900 (BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out
NOTE: https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc
TODO: check details
CVE-2019-12899 (Delta Electronics DeviceNet Builder 2.04 has a User Mode Write AV star ...)
- TODO: check
+ NOT-FOR-US: Delta Electronics DeviceNet Builder
CVE-2019-12898 (Delta Electronics DeviceNet Builder 2.04 has a User Mode Write AV star ...)
- TODO: check
+ NOT-FOR-US: Delta Electronics DeviceNet Builder
CVE-2019-12897 (Edraw Max 7.9.3 has a Read Access Violation at the Instruction Pointer ...)
TODO: check
CVE-2019-12896 (Edraw Max 7.9.3 has Heap Corruption starting at ntdll!RtlpNtMakeTempor ...)
TODO: check
CVE-2019-12895 (In Alternate Pic View 2.600, the Exception Handler Chain is Corrupted ...)
- TODO: check
+ NOT-FOR-US: Alternate Pic View
CVE-2019-12894 (Alternate Pic View 2.600 has a Read Access Violation at the Instructio ...)
- TODO: check
+ NOT-FOR-US: Alternate Pic View
CVE-2019-12893 (Alternate Pic View 2.600 has a User Mode Write AV starting at PicViewe ...)
- TODO: check
+ NOT-FOR-US: Alternate Pic View
CVE-2019-12892
RESERVED
CVE-2019-12891
@@ -444,9 +444,9 @@ CVE-2019-12747
CVE-2019-12746
RESERVED
CVE-2019-12745 (out/out.UsrMgr.php in SeedDMS before 5.1.11 allows Stored Cross-Site S ...)
- TODO: check
+ NOT-FOR-US: SeedDMS
CVE-2019-12744 (SeedDMS before 5.1.11 allows Remote Command Execution (RCE) because of ...)
- TODO: check
+ NOT-FOR-US: SeedDMS
CVE-2019-12743
RESERVED
CVE-2019-12742 (Bludit prior to 3.9.1 allows a non-privileged user to change the passw ...)
@@ -8690,7 +8690,7 @@ CVE-2019-9765 (In Blog_mini 1.0, XSS exists via the author name of a comment rep
CVE-2019-9764 (HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to ...)
NOT-FOR-US: HashiCorp Consul
CVE-2019-9763 (An issue was discovered in Openfind Mail2000 v6 Webmail. XSS can occur ...)
- TODO: check
+ NOT-FOR-US: Openfind Mail2000 Webmail
CVE-2019-9762 (A SQL Injection was discovered in PHPSHE 1.7 in include/plugin/payment ...)
NOT-FOR-US: PHPSHE
CVE-2019-9761 (An XXE issue was discovered in PHPSHE 1.7, which can be used to read a ...)
@@ -12075,9 +12075,9 @@ CVE-2019-8461
CVE-2019-8460
RESERVED
CVE-2019-8459 (Check Point Endpoint Security Client for Windows, with the VPN blade, ...)
- TODO: check
+ NOT-FOR-US: Check Point Endpoint Security Client for Windows
CVE-2019-8458 (Check Point Endpoint Security Client for Windows, with Anti-Malware bl ...)
- TODO: check
+ NOT-FOR-US: Check Point Endpoint Security Client for Windows
CVE-2019-8457 (SQLite3 from 3.6.0 to and including 3.27.2 is vulnerable to heap out-o ...)
- sqlite3 3.27.2-3 (bug #929775)
NOTE: https://www.sqlite.org/src/info/90acdbfce9c08858
@@ -23343,7 +23343,7 @@ CVE-2019-3739
CVE-2019-3738
RESERVED
CVE-2019-3737 (Dell EMC Avamar ADMe Web Interface 1.0.50 and 1.0.51 are affected by a ...)
- TODO: check
+ NOT-FOR-US: Dell EMC Avamar ADMe Web Interface
CVE-2019-3736
RESERVED
CVE-2019-3735
@@ -27077,7 +27077,7 @@ CVE-2019-2731
CVE-2019-2730
RESERVED
CVE-2019-2729 (Vulnerability in the Oracle WebLogic Server component of Oracle Fusion ...)
- TODO: check
+ NOT-FOR-US: Oracle
CVE-2019-2728
RESERVED
CVE-2019-2727
@@ -29457,13 +29457,13 @@ CVE-2019-1908
CVE-2019-1907
RESERVED
CVE-2019-1906 (A vulnerability in the Virtual Domain system of Cisco Prime Infrastruc ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1905 (A vulnerability in the GZIP decompression engine of Cisco AsyncOS Soft ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1904
RESERVED
CVE-2019-1903 (A vulnerability in Cisco Security Manager could allow an unauthenticat ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1902
RESERVED
CVE-2019-1901
@@ -29471,11 +29471,11 @@ CVE-2019-1901
CVE-2019-1900
RESERVED
CVE-2019-1899 (A vulnerability in the web interface of Cisco RV110W, RV130W, and RV21 ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1898 (A vulnerability in the web-based management interface of Cisco RV110W, ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1897 (A vulnerability in the web-based management interface of Cisco RV110W, ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1896
RESERVED
CVE-2019-1895
@@ -29511,17 +29511,17 @@ CVE-2019-1881 (A vulnerability in the web-based management interface of Cisco In
CVE-2019-1880 (A vulnerability in the BIOS upgrade utility of Cisco Unified Computing ...)
NOT-FOR-US: Cisco
CVE-2019-1879 (A vulnerability in the CLI of Cisco Integrated Management Controller ( ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1878 (A vulnerability in the Cisco Discovery Protocol (CDP) implementation f ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1877
RESERVED
CVE-2019-1876 (A vulnerability in the HTTPS proxy feature of Cisco Wide Area Applicat ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1875 (A vulnerability in the web-based management interface of Cisco Prime S ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1874 (A vulnerability in the web-based management interface of Cisco Prime S ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1873
RESERVED
CVE-2019-1872 (A vulnerability in Cisco TelePresence Video Communication Server (VCS) ...)
@@ -29531,7 +29531,7 @@ CVE-2019-1871
CVE-2019-1870 (A vulnerability in the web-based management interface of Cisco Enterpr ...)
NOT-FOR-US: Cisco
CVE-2019-1869 (A vulnerability in the internal packet-processing functionality of the ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1868 (A vulnerability in the web-based management interface of Cisco Webex M ...)
NOT-FOR-US: Cisco
CVE-2019-1867 (A vulnerability in the REST API of Cisco Elastic Services Controller ( ...)
@@ -29573,7 +29573,7 @@ CVE-2019-1850
CVE-2019-1849 (A vulnerability in the Border Gateway Patrol (BGP) Multiprotocol Label ...)
NOT-FOR-US: Cisco
CVE-2019-1848 (A vulnerability in Cisco Digital Network Architecture (DNA) Center cou ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1847
RESERVED
CVE-2019-1846 (A vulnerability in the Multiprotocol Label Switching (MPLS) Operations ...)
@@ -29583,7 +29583,7 @@ CVE-2019-1845 (A vulnerability in the authentication service of the Cisco Unifie
CVE-2019-1844 (A vulnerability in certain attachment detection mechanisms of the Cisc ...)
NOT-FOR-US: Cisco
CVE-2019-1843 (A vulnerability in the web-based management interface of the Cisco RV1 ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1842 (A vulnerability in the Secure Shell (SSH) authentication function of C ...)
NOT-FOR-US: Cisco
CVE-2019-1841 (A vulnerability in the Software Image Management feature of Cisco DNA ...)
@@ -30030,25 +30030,25 @@ CVE-2019-1634
CVE-2019-1633
RESERVED
CVE-2019-1632 (A vulnerability in the web-based management interface of Cisco Integra ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1631 (A vulnerability in the web-based management interface of Cisco Integra ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1630 (A vulnerability in the firmware signature checking program of Cisco In ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1629 (A vulnerability in the configuration import utility of Cisco Integrate ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1628 (A vulnerability in the web server of Cisco Integrated Management Contr ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1627 (A vulnerability in the Server Utilities of Cisco Integrated Management ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1626 (A vulnerability in the vManage web-based UI (Web UI) of the Cisco SD-W ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1625 (A vulnerability in the CLI of Cisco SD-WAN Solution could allow an aut ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1624 (A vulnerability in the vManage web-based UI (Web UI) in the Cisco SD-W ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1623 (A vulnerability in the CLI configuration shell of Cisco Meeting Server ...)
- TODO: check
+ NOT-FOR-US: Cisco
CVE-2019-1622
RESERVED
CVE-2019-1621
@@ -36077,7 +36077,7 @@ CVE-2018-18865 (The Royal browser extensions TS before 4.3.60728 (Release Date 2
CVE-2018-18864 (Loadbalancer.org Enterprise VA MAX before 8.3.3 has XSS because Apache ...)
NOT-FOR-US: Loadbalancer.org Enterprise VA MAX
CVE-2018-18863 (NGA ResourceLink 20.0.2.1 allows local file inclusion. ...)
- TODO: check
+ NOT-FOR-US: NGA ResourceLink
CVE-2018-18862 (BMC Remedy Mid-Tier 7.1.00 and 9.1.02.003 for BMC Remedy AR System has ...)
NOT-FOR-US: BMC
CVE-2018-18861 (Buffer overflow in PCMan FTP Server 2.0.7 allows for remote code execu ...)
@@ -36099,7 +36099,7 @@ CVE-2018-18854 (Lightbend Spray spray-json through 1.3.4 allows remote attackers
CVE-2018-18853 (Lightbend Spray spray-json through 1.3.4 allows remote attackers to ca ...)
NOT-FOR-US: Lightbend Spray spray-json
CVE-2018-18852 (Cerio DT-300N 1.1.6 through 1.1.12 devices allow OS command injection ...)
- TODO: check
+ NOT-FOR-US: Cerio devices
CVE-2018-18851
RESERVED
CVE-2018-18850 (In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authen ...)
@@ -36130,13 +36130,21 @@ CVE-2018-18841 (XSS was discovered in SEMCMS PHP V3.4 via the SEMCMS_SeoAndTag.p
CVE-2018-18840 (XSS was discovered in SEMCMS PHP V3.4 via the SEMCMS_SeoAndTag.php?Cla ...)
NOT-FOR-US: SEMCMS PHP
CVE-2018-18839 (** DISPUTED ** An issue was discovered in Netdata 1.10.0. Full Path Di ...)
- TODO: check
+ - netdata 1.11.1+dfsg-1
+ NOTE: https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca
+ NOTE: https://github.com/netdata/netdata/pull/4521
CVE-2018-18838 (An issue was discovered in Netdata 1.10.0. Log Injection (or Log Forge ...)
- TODO: check
+ - netdata 1.11.1+dfsg-1
+ NOTE: https://github.com/netdata/netdata/pull/4521
+ NOTE: https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca
CVE-2018-18837 (An issue was discovered in Netdata 1.10.0. HTTP Header Injection exist ...)
- TODO: check
+ - netdata 1.11.1+dfsg-1
+ NOTE: https://github.com/netdata/netdata/pull/4521
+ NOTE: https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca
CVE-2018-18836 (An issue was discovered in Netdata 1.10.0. JSON injection exists via t ...)
- TODO: check
+ - netdata 1.11.1+dfsg-1
+ NOTE: https://github.com/netdata/netdata/pull/4521
+ NOTE: https://github.com/netdata/netdata/commit/92327c9ec211bd1616315abcb255861b130b97ca
CVE-2018-18835 (upload_template() in system/changeskin.php in DocCms 2016.5.12 allows ...)
NOT-FOR-US: DocCms
CVE-2018-18834 (An issue has been found in libIEC61850 v1.3. It is a heap-based buffer ...)
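Review bot: CVE-2018-18839 is tagged ** DISPUTED ** in its description yet is closed with the same fixed version (netdata 1.11.1+dfsg-1) and the same upstream commit and pull request as the three undisputed Netdata entries; a short NOTE recording why the disputed issue is treated as fixed (for example that the referenced change addresses it regardless of the dispute) would keep the reasoning recoverable later. Minor: the two NOTE lines are ordered commit-then-PR for CVE-2018-18839 and PR-then-commit for CVE-2018-18838, CVE-2018-18837 and CVE-2018-18836; picking one order makes the four entries easier to compare.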
@@ -36232,7 +36240,7 @@ CVE-2018-18804 (Bakeshop Inventory System 1.0 has SQL injection via the login sc
CVE-2018-18803 (Curriculum Evaluation System 1.0 allows SQL Injection via the login sc ...)
NOT-FOR-US: Curriculum Evaluation System
CVE-2018-18802 (The Tubigan "Welcome to our Resort" 1.0 software allows CSRF via admin ...)
- TODO: check
+ NOT-FOR-US: Tubigan "Welcome to our Resort" software
CVE-2018-18801 (The BSEN Ordering software 1.0 has SQL Injection via student/index.php ...)
NOT-FOR-US: BSEN Ordering software
CVE-2018-18800 (The Tubigan "Welcome to our Resort" 1.0 software allows SQL Injection ...)
@@ -37119,7 +37127,7 @@ CVE-2018-18473 (A hidden backdoor on PATLITE NBM-D88N, NHL-3FB1, and NHL-3FV1N d
CVE-2018-18472 (Western Digital WD My Book Live (all versions) has a root Remote Comma ...)
NOT-FOR-US: Western Digital WD My Book Live
CVE-2018-18471 (/api/2.0/rest/aggregator/xml in Axentra firmware, used by NETGEAR Stor ...)
- TODO: check
+ NOT-FOR-US: Axentra firmware
CVE-2018-18470
RESERVED
CVE-2018-18469
@@ -42293,7 +42301,7 @@ CVE-2017-1000600 (WordPress version <4.9 contains a CWE-20 Input Validation v
NOTE: vulnerable module installed on the site as well. Due to an incomplete fix
NOTE: in 4.9 there exists CVE-2018-1000773.
CVE-2018-16553 (In Jspxcms 9.0.0, a vulnerable URL routing implementation allows remot ...)
- TODO: check
+ NOT-FOR-US: Jspxcms
CVE-2018-16552 (MicroPyramid Django-CRM 0.2 allows CSRF for /users/create/, /users/##/ ...)
NOT-FOR-US: MicroPyramid Django-CRM
CVE-2018-16551 (LavaLite 5.5 has XSS via a /edit URI, as demonstrated by client/job/jo ...)
@@ -42369,7 +42377,8 @@ CVE-2018-16517 (asm/labels.c in Netwide Assembler (NASM) is prone to NULL Pointe
CVE-2018-16516 (helpers.py in Flask-Admin 1.5.2 has Reflected XSS via a crafted URL. ...)
- python-flask-admin <itp> (bug #765509)
CVE-2018-16514 (A cross-site scripting (XSS) vulnerability in the View Filters page (v ...)
- TODO: check
+ - mantis <removed>
+ NOTE: https://mantisbt.org/bugs/view.php?id=24731
CVE-2018-17088 (The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may al ...)
- jhead 1:3.00-8 (bug #907925)
[stretch] - jhead 1:3.00-4+deb9u1
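Review bot: the new `- mantis <removed>` line for CVE-2018-16514 carries no per-suite annotation, whereas the neighbouring fixed entries (jhead in this hunk, sqlite3 earlier in the diff) record the affected releases; if any still-supported release ships mantis, a suite line is needed, so it is worth confirming that the removal covers every supported suite before closing the entry on `<removed>` alone.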
@@ -43071,15 +43080,15 @@ CVE-2018-16253 (In sig_verify() in x509.c in axTLS version 2.1.3 and before, the
CVE-2018-16252 (FsPro Labs Event Log Explorer 4.6.1.2115 has ".elx" FileType XML Exter ...)
NOT-FOR-US: FsPro Labs Event Log Explorer
CVE-2018-16251 (A "search for user discovery" injection issue exists in Creatiwity wit ...)
- TODO: check
+ NOT-FOR-US: Creatiwity wityCMS
CVE-2018-16250 (The "utilisateur" menu in Creatiwity wityCMS 0.6.2 modifies the presen ...)
- TODO: check
+ NOT-FOR-US: Creatiwity wityCMS
CVE-2018-16249 (In Symphony before 3.3.0, there is XSS in the Title under Post. The ID ...)
TODO: check
CVE-2018-16248 (b3log Solo 2.9.3 has XSS in the Input page under the "Publish Articles ...)
TODO: check
CVE-2018-16247 (YzmCMS 5.1 has XSS via the admin/system_manage/user_config_add.html ti ...)
- TODO: check
+ NOT-FOR-US: YzmCMS
CVE-2018-16246
RESERVED
CVE-2018-16245
@@ -43370,13 +43379,13 @@ CVE-2018-16121
CVE-2018-16120
RESERVED
CVE-2018-16119 (Stack-based buffer overflow in the httpd server of TP-Link WR1043nd (F ...)
- TODO: check
+ NOT-FOR-US: TP-Link
CVE-2018-16118 (A shell escape vulnerability in /webconsole/APIController in the API C ...)
- TODO: check
+ NOT-FOR-US: Sophos
CVE-2018-16117 (A shell escape vulnerability in /webconsole/Controller in Admin Portal ...)
- TODO: check
+ NOT-FOR-US: Sophos
CVE-2018-16116 (SQL injection vulnerability in AccountStatus.jsp in Admin Portal of So ...)
- TODO: check
+ NOT-FOR-US: Sophos
CVE-2018-16115 (Lightbend Akka 2.5.x before 2.5.16 allows message disclosure and modif ...)
NOT-FOR-US: Lightbend Akka
CVE-2018-16114
@@ -43907,9 +43916,9 @@ CVE-2018-15894 (A SQL injection was discovered in /coreframe/app/admin/pay/admin
CVE-2018-15893 (A SQL injection was discovered in /coreframe/app/admin/copyfrom.php in ...)
NOT-FOR-US: WUZHI CMS
CVE-2018-15892 (FreePBX 13 and 14 has SQL Injection in the DISA module via the hangup ...)
- TODO: check
+ NOT-FOR-US: FreePBX
CVE-2018-15891 (An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, ...)
- TODO: check
+ NOT-FOR-US: FreePBX
CVE-2018-15890 (An issue was discovered in EthereumJ 1.8.2. There is Unsafe Deserializ ...)
TODO: check
CVE-2018-15889 (In podofo 0.9.6, the function PoDoFo::PdfParser::ReadObjects() in base ...)
@@ -77978,7 +77987,7 @@ CVE-2017-17946 (A buffer overflow in Handy Password 4.9.3 allows remote attacker
CVE-2017-17945
RESERVED
CVE-2017-17944 (The ASUS Vivobaby application before 1.1.09 for Android has Missing SS ...)
- TODO: check
+ NOT-FOR-US: ASUS Vivobaby application
CVE-2017-17943
RESERVED
CVE-2017-17942 (In LibTIFF 4.0.9, there is a heap-based buffer over-read in the functi ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d2b7cee5129f41e9eef13dfebdd5e6d1fcb42ad3...acb7d59bc6553b4fa21841c4b49ee491adac7bce