[Git][security-tracker-team/security-tracker][master] new sqlite, tar, bash, graphviz issues
Moritz Muehlenhoff
jmm at debian.org
Fri Mar 22 09:40:10 GMT 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
6d5f4061 by Moritz Muehlenhoff at 2019-03-22T09:39:41Z
new sqlite, tar, bash, graphviz issues
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -3,9 +3,13 @@ CVE-2019-9939 (The SHAREit application before 4.0.36 for Android allows a remote
CVE-2019-9938 (The SHAREit application before 4.0.42 for Android allows a remote atta ...)
NOT-FOR-US: SHAREit
CVE-2019-9937 (In SQLite 3.27.2, interleaving reads and writes in a single transactio ...)
- TODO: check
+ - sqlite3 <unfixed> (low)
+ [stretch] - sqlite3 <no-dsa> (Minor issue)
+ NOTE: https://sqlite.org/src/info/45c73deb440496e8
CVE-2019-9936 (In SQLite 3.27.2, running fts5 prefix queries inside a transaction cou ...)
- TODO: check
+ - sqlite3 <unfixed> (low)
+ [stretch] - sqlite3 <no-dsa> (Minor issue)
+ NOTE: https://sqlite.org/src/info/b3fa58dd7403dbd4
CVE-2019-9935
RESERVED
CVE-2019-9934
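Review bot: On the two sqlite3 entries (CVE-2019-9937 and CVE-2019-9936), each NOTE is a bare sqlite.org check-in URL that does not say whether it points to the upstream fix or to the report. Both entries are `<unfixed>`, so labelling the URL with what it is (for example "Fixed by:") would tell whoever later sets the fixed version which upstream change to look for.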
@@ -23,15 +27,20 @@ CVE-2019-9929
CVE-2019-9928
RESERVED
CVE-2019-9927 (Caret before 2019-02-22 allows Remote Code Execution. ...)
- TODO: check
+ NOT-FOR-US: Caret editor
CVE-2019-9926
RESERVED
CVE-2019-9925 (S-CMS PHP v1.0 has XSS in 4.edu.php via the S_id parameter. ...)
NOT-FOR-US: S-CMS PHP
CVE-2019-9924 (rbash in Bash before 4.4-beta2 did not prevent the shell user from mod ...)
- TODO: check
+ - bash 4.4-1 (low)
+ NOTE: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1803441
CVE-2019-9923 (pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointe ...)
- TODO: check
+ - tar <unfixed> (unimportant)
+ NOTE: http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120
+ NOTE: http://savannah.gnu.org/bugs/?55369 (private)
+ NOTE: https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241
+ NOTE: Crash in CLI tool, no security impact
CVE-2019-9922
RESERVED
CVE-2019-9921
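Review bot: In the CVE-2019-9924 entry, `- bash 4.4-1 (low)` records a fixed version, but the only NOTE is a Launchpad bug link while the description speaks of "before 4.4-beta2". A NOTE naming the upstream change, or stating why 4.4-1 is the first fixed upload, would make the version checkable. In the CVE-2019-9923 entry, one of the three references is marked `(private)`, so marking the savannah cgit commit as the fix would show readers which link is usable.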
@@ -69,7 +78,9 @@ CVE-2019-9906
CVE-2019-9905
RESERVED
CVE-2019-9904 (An issue was discovered in lib\cdt\dttree.c in libcdt.a in graphviz 2. ...)
- TODO: check
+ - graphviz <unfixed> (low)
+ [stretch] - graphviz <no-dsa> (Minor issue)
+ NOTE: https://gitlab.com/graphviz/graphviz/issues/1512
CVE-2019-9903 (PDFDoc::markObject in PDFDoc.cc in Poppler 0.74.0 mishandles dict mark ...)
- poppler <unfixed> (bug #925264)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/741
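Review bot: `- graphviz <unfixed> (low)` for CVE-2019-9904 has no Debian bug reference, while the poppler entry directly below it carries `(bug #925264)`. If a bug has been filed for graphviz, adding its number keeps the unfixed entry trackable. The NOTE could also say that the GitLab link is the upstream issue.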
@@ -1163,9 +1174,9 @@ CVE-2019-9750 (In IoTivity through 1.3.1, the CoAP server interface can be used
CVE-2019-9749 (An issue was discovered in the MQTT input plugin in Fluent Bit through ...)
NOT-FOR-US: Fluent Bit
CVE-2019-9748 (In tinysvcmdns through 2018-01-16, an mDNS server processing a crafted ...)
- TODO: check
+ NOT-FOR-US: tinysvcmdns
CVE-2019-9747 (In tinysvcmdns through 2018-01-16, a maliciously crafted mDNS (Multica ...)
- TODO: check
+ NOT-FOR-US: tinysvcmdns
CVE-2019-9746 (In libwebm before 2019-03-08, a NULL pointer dereference caused by the ...)
NOT-FOR-US: libwebm
NOTE: Chromium and qtwebengine bundle the library, but not a security issue there
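Review bot: CVE-2019-9748 and CVE-2019-9747 are both set to `NOT-FOR-US: tinysvcmdns` with no further NOTE. The libwebm entry just below records that bundled copies were considered (`NOTE: Chromium and qtwebengine bundle the library, but not a security issue there`). If embedded copies of tinysvcmdns were checked for, a one-line NOTE saying so would document the triage.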
@@ -4540,7 +4551,7 @@ CVE-2019-8353
CVE-2019-8352
RESERVED
CVE-2019-8351 (Heimdal Thor Agent 2.5.17x before 2.5.173 does not verify X.509 certif ...)
- TODO: check
+ NOT-FOR-US: Heimdal Thor Agent
CVE-2019-8350
RESERVED
CVE-2019-8349
@@ -6370,7 +6381,7 @@ CVE-2019-7541
CVE-2019-7540
RESERVED
CVE-2019-7539 (A code injection issue was discovered in ipycache through 2016-05-31. ...)
- TODO: check
+ NOT-FOR-US: ipycache
CVE-2019-7538
RESERVED
CVE-2019-7537 (An issue was discovered in Donfig 0.3.0. There is a vulnerability in t ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6d5f4061a68dd2b7a5f205e112657552c54c08bc