[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Mon Jun 24 21:10:27 BST 2019



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3c6f5367 by security tracker role at 2019-06-24T20:10:17Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,27 @@
+CVE-2019-12948
+	RESERVED
+CVE-2019-12947
+	RESERVED
+CVE-2019-12946
+	RESERVED
+CVE-2019-12945
+	RESERVED
+CVE-2019-12944
+	RESERVED
+CVE-2019-12943
+	RESERVED
+CVE-2019-12942
+	RESERVED
+CVE-2019-12941
+	RESERVED
+CVE-2019-12940 (LiveZilla Server before 8.0.1.1 is vulnerable to Denial Of Service (me ...)
+	TODO: check
+CVE-2019-12939 (LiveZilla Server before 8.0.1.1 is vulnerable to SQL Injection in serv ...)
+	TODO: check
+CVE-2019-12938 (The Roundcube component of Analogic Poste.io 2.1.6 uses .htaccess to p ...)
+	TODO: check
+CVE-2018-20843 (In libexpat in Expat before 2.2.7, XML input including XML names that  ...)
+	TODO: check
 CVE-2019-12937 (apps/gsudo.c in gsudo in ToaruOS through 1.10.9 has a buffer overflow  ...)
 	TODO: check
 CVE-2019-12936 (BlueStacks App Player 2, 3, and 4 before 4.90 allows DNS Rebinding for ...)
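Review bot: CVE-2018-20843 (libexpat in Expat before 2.2.7) is left at `TODO: check` alongside the proprietary-product entries, but expat is a core Debian library that many packages link against, so this one deserves prompt triage rather than waiting in the TODO queue. The description is truncated at "XML names that ...", so the full text needs to be fetched before a package line (for example `- expat <unfixed>` with the appropriate severity) replaces the TODO.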
@@ -14,10 +38,10 @@ CVE-2019-12931
 	RESERVED
 CVE-2019-12930
 	RESERVED
-CVE-2019-12929
-	RESERVED
-CVE-2019-12928
-	RESERVED
+CVE-2019-12929 (The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS co ...)
+	TODO: check
+CVE-2019-12928 (The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerabl ...)
+	TODO: check
 CVE-2019-12927
 	RESERVED
 CVE-2019-12926
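Review bot: the two QEMU entries (CVE-2019-12929, QMP `guest_exec`; CVE-2019-12928, QMP `migrate`) describe behaviour of QMP commands, and QMP is QEMU's privileged management interface intended for trusted callers, so triage should first establish whether the reported behaviour actually crosses a trust boundary before a `- qemu` package line is added. Whatever the outcome, record it with a `NOTE:` line so the reasoning is not lost if the entries end up marked as not an issue.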
@@ -119,8 +143,8 @@ CVE-2019-12882
 CVE-2019-12881 (i915_gem_userptr_get_pages in drivers/gpu/drm/i915/i915_gem_userptr.c  ...)
 	- linux <undetermined>
 	NOTE: https://gist.github.com/oxagast/472866fb2c3d439e10499d7141d0a520
-CVE-2019-12880
-	RESERVED
+CVE-2019-12880 (BCN Quark Quarking Password Manager 3.1.84 suffers from a clickjacking ...)
+	TODO: check
 CVE-2019-12879
 	RESERVED
 CVE-2019-12878
@@ -140,12 +164,12 @@ CVE-2019-12873
 	RESERVED
 CVE-2019-12872 (dotCMS before 5.1.6 is vulnerable to a SQL injection that can be explo ...)
 	NOT-FOR-US: dotCMS
-CVE-2019-12871
-	RESERVED
-CVE-2019-12870
-	RESERVED
-CVE-2019-12869
-	RESERVED
+CVE-2019-12871 (An issue was discovered in PHOENIX CONTACT PC Worx through 1.86, PC Wo ...)
+	TODO: check
+CVE-2019-12870 (An issue was discovered in PHOENIX CONTACT PC Worx through 1.86, PC Wo ...)
+	TODO: check
+CVE-2019-12869 (An issue was discovered in PHOENIX CONTACT PC Worx through 1.86, PC Wo ...)
+	TODO: check
 CVE-2019-12868 (app/Model/Server.php in MISP 2.4.109 allows remote command execution b ...)
 	NOT-FOR-US: MISP
 CVE-2019-12867
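Review bot: CVE-2019-12871, -12870 and -12869 carry byte-identical truncated descriptions ("An issue was discovered in PHOENIX CONTACT PC Worx through 1.86, PC Wo ..."), so nothing in this file distinguishes the three issues; the full advisory text must be consulted when resolving the `TODO: check` lines, and the resolution should be written per ID rather than copied across all three.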
@@ -1337,8 +1361,7 @@ CVE-2019-12386
 	RESERVED
 CVE-2019-12385
 	RESERVED
-CVE-2019-12384
-	RESERVED
+CVE-2019-12384 (FasterXML jackson-databind 2.x before 2.9.9 might allow attackers to h ...)
 	{DLA-1831-1}
 	- jackson-databind 2.9.8-3 (bug #930750)
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2334
@@ -1480,8 +1503,8 @@ CVE-2019-12325
 	RESERVED
 CVE-2019-12324
 	RESERVED
-CVE-2019-12323
-	RESERVED
+CVE-2019-12323 (The HC.Server service in Hosting Controller HC10 10.14 allows an Inval ...)
+	TODO: check
 CVE-2019-12322
 	RESERVED
 CVE-2019-12321
@@ -1585,8 +1608,8 @@ CVE-2019-12293 (In Poppler through 0.76.1, there is a heap-based buffer over-rea
 	- poppler 0.71.0-5 (bug #929423)
 	NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/768
 	NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/89a5367d49b2556a2635dbb6d48d6a6b182a2c6c
-CVE-2019-12292
-	RESERVED
+CVE-2019-12292 (Citrix AppDNA before 7 1906.1.0.472 has Incorrect Access Control. ...)
+	TODO: check
 CVE-2019-12291 (HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Key ...)
 	NOT-FOR-US: HashiCorp Consul
 CVE-2019-12290
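Review bot: the CVE-2019-12292 description reads "Citrix AppDNA before 7 1906.1.0.472", which looks like a mangled version string from the upstream feed; since this file mirrors the feed text, leave it as is, but the odd version should not be copied into any local `NOTE:` line without checking the vendor advisory. Given the adjacent entries, the likely resolution is `NOT-FOR-US: Citrix AppDNA`.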
@@ -3157,10 +3180,10 @@ CVE-2019-11650
 	RESERVED
 CVE-2019-11649 (Cross-Site Scripting vulnerability in Micro Focus Fortify Software Sec ...)
 	NOT-FOR-US: Micro Focus Fortify software security center server
-CVE-2019-11648
-	RESERVED
-CVE-2019-11647
-	RESERVED
+CVE-2019-11648 (An information leakage exists in Micro Focus NetIQ Self Service Passwo ...)
+	TODO: check
+CVE-2019-11647 (A potential XSS exists in Self Service Password Reset, in Micro Focus  ...)
+	TODO: check
 CVE-2019-11646 (Remote unauthorized command execution and unauthorized disclosure of i ...)
 	NOT-FOR-US: Micro Focus Service Manager
 CVE-2019-11645
@@ -6605,8 +6628,8 @@ CVE-2019-10273 (Information leakage vulnerability in the /mc login page in Manag
 	NOT-FOR-US: ManageEngine ServiceDesk Plus
 CVE-2019-10272 (An issue was discovered in Weaver e-cology 9.0. There is a CRLF Inject ...)
 	NOT-FOR-US: Weaver e-cology
-CVE-2019-10271
-	RESERVED
+CVE-2019-10271 (An issue was discovered in the Ultimate Member plugin 2.39 for WordPre ...)
+	TODO: check
 CVE-2019-10270 (An arbitrary password reset issue was discovered in the Ultimate Membe ...)
 	NOT-FOR-US: Ultimate Member plugin for WordPress
 CVE-2019-10269 (BWA (aka Burrow-Wheeler Aligner) before 2019-01-23 has a stack-based b ...)
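Review bot: CVE-2019-10271 is added as `TODO: check`, but the very next entry (CVE-2019-10270) for the same product is already resolved as `NOT-FOR-US: Ultimate Member plugin for WordPress`; unless the plugin has been packaged since, this entry should be resolved the same way in the same pass to keep the file consistent and the TODO queue short.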
@@ -6885,7 +6908,7 @@ CVE-2019-10168 [arbitrary command execution via virConnectBaselineHypervisorCPU
 	NOTE: https://libvirt.org/git/?p=libvirt.git;a=commit;h=bf6c2830b6c338b1f5699b095df36f374777b291
 CVE-2019-10167 [arbitrary command execution via virConnectGetDomainCapabilities API]
 	RESERVED
-	{DSA-4469-1}
+	{DSA-4469-1 DLA-1832-1}
 	- libvirt 5.0.0-4
 	NOTE: https://access.redhat.com/libvirt-privesc-vulnerabilities
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1720117
@@ -6921,7 +6944,7 @@ CVE-2019-10162 [Denial of service via crafted zone records]
 	NOTE: https://doc.powerdns.com/authoritative/security-advisories/powerdns-advisory-2019-04.html
 CVE-2019-10161 [arbitrary file read/exec via virDomainSaveImageGetXMLDesc API]
 	RESERVED
-	{DSA-4469-1}
+	{DSA-4469-1 DLA-1832-1}
 	- libvirt 5.0.0-4
 	NOTE: https://access.redhat.com/libvirt-privesc-vulnerabilities
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1720115
@@ -7477,10 +7500,10 @@ CVE-2019-9960 (The downloadZip function in application/controllers/admin/export.
 	- limesurvey <itp> (bug #472802)
 CVE-2019-9959
 	RESERVED
-CVE-2019-9958
-	RESERVED
-CVE-2019-9957
-	RESERVED
+CVE-2019-9958 (CSRF within the admin panel in Quadbase EspressReport ES (ERES) v7.0 u ...)
+	TODO: check
+CVE-2019-9957 (Stored XSS within Quadbase EspressReport ES (ERES) v7.0 update 7 allow ...)
+	TODO: check
 CVE-2019-9956 (In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in ...)
 	{DSA-4436-1 DLA-1785-1}
 	- imagemagick 8:6.9.10.23+dfsg-2.1 (bug #925395)
@@ -10542,8 +10565,7 @@ CVE-2019-9086 (HotelDruid before v2.3.1 has SQL Injection via the /visualizza_ta
 	- hoteldruid 2.3.2-1
 	[stretch] - hoteldruid <no-dsa> (Minor issue)
 	[jessie] - hoteldruid <no-dsa> (low popcon)
-CVE-2019-9085
-	RESERVED
+CVE-2019-9085 (Hoteldruid before v2.3.1 allows remote authenticated users to cause a  ...)
 	- hoteldruid 2.3.2-1
 	[stretch] - hoteldruid <no-dsa> (Minor issue)
 	[jessie] - hoteldruid <no-dsa> (low popcon)
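Review bot: CVE-2019-9085 now has its description ("allows remote authenticated users to cause a ..."), but the `[stretch] - hoteldruid <no-dsa> (Minor issue)` and `[jessie] - hoteldruid <no-dsa> (low popcon)` lines were entered while the entry was still RESERVED, evidently copied from CVE-2019-9086 above. The "Minor issue" rationale should be re-checked against the full description now that the impact is known, and the fixed version `2.3.2-1` confirmed to contain the upstream v2.3.1 fix.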
@@ -15246,14 +15268,14 @@ CVE-2019-7233 (In libdoc through 2019-01-28, doc2text in catdoc.c has a NULL poi
 	- catdoc <unfixed> (unimportant)
 	NOTE: https://github.com/uvoteam/libdoc/issues/6
 	NOTE: Crash in CLI tool, no security impact
-CVE-2019-7232
-	RESERVED
+CVE-2019-7232 (The ABB IDAL HTTP server is vulnerable to a buffer overflow when a lon ...)
+	TODO: check
 CVE-2019-7231
 	RESERVED
-CVE-2019-7230
-	RESERVED
-CVE-2019-7229
-	RESERVED
+CVE-2019-7230 (The ABB IDAL FTP server mishandles format strings in a username during ...)
+	TODO: check
+CVE-2019-7229 (The ABB CP635 HMI uses two different transmission methods to upgrade i ...)
+	TODO: check
 CVE-2019-7228
 	RESERVED
 CVE-2019-7227
@@ -51548,7 +51570,7 @@ CVE-2018-12906
 	RESERVED
 CVE-2018-12905 (joyplus-cms 1.6.0 has XSS in admin_player.php, related to manager/inde ...)
 	NOT-FOR-US: joyplus-cms
-CVE-2017-18342 (In PyYAML before 4.1, the yaml.load() API could execute arbitrary code ...)
+CVE-2017-18342 (In PyYAML before 5.1, the yaml.load() API could execute arbitrary code ...)
 	- pyyaml <unfixed> (unimportant; bug #902878)
 	NOTE: This is a well-known design deficiency in pyyaml, various CVE IDs have been assigned
 	NOTE: to applications misusing the API over the years. The CVE ID was assigned to raise
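Review bot: the description for CVE-2017-18342 changes the fixed upstream version from "before 4.1" to "before 5.1", yet the status line still reads `- pyyaml <unfixed> (unimportant; bug #902878)`. With a concrete upstream fix version now stated, the `<unfixed>` status should be re-evaluated against the pyyaml version in the archive; if a release with the safe-by-default `yaml.load()` behaviour is packaged, the entry should record that version instead. The existing NOTE lines explaining why this is rated unimportant remain accurate and should stay.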
@@ -78090,8 +78112,8 @@ CVE-2017-1000411 (OpenFlow Plugin and OpenDayLight Controller versions Nitrogen,
 	NOT-FOR-US: OpenDayLight
 CVE-2017-17946 (A buffer overflow in Handy Password 4.9.3 allows remote attackers to e ...)
 	NOT-FOR-US: Handy Password
-CVE-2017-17945
-	RESERVED
+CVE-2017-17945 (The ASUS HiVivo aspplication before 5.6.27 for ASUS Watch has Missing  ...)
+	TODO: check
 CVE-2017-17944 (The ASUS Vivobaby application before 1.1.09 for Android has Missing SS ...)
 	NOT-FOR-US: ASUS Vivobaby application
 CVE-2017-17943
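Review bot: the CVE-2017-17945 description contains the typo "aspplication"; that text comes from the upstream CVE feed and this file mirrors it, so it should not be corrected locally (the automatic update would only reintroduce it). The adjacent CVE-2017-17944 entry for the ASUS Vivobaby app is already `NOT-FOR-US`, so this mobile-app entry can be resolved the same way rather than left as `TODO: check`.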



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3c6f53676277fa3980b9729ab9489e2b1966d60b
