[Git][security-tracker-team/security-tracker][master] new linux issues

Thu May 23 16:25:49 BST 2019


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
916f3786 by Moritz Muehlenhoff at 2019-05-23T15:25:28Z
new linux issues
new sysdig issue
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -97,7 +97,7 @@ CVE-2019-12252 (In Zoho ManageEngine ServiceDesk Plus through 10.5, users with t
 CVE-2019-12251 (sadmin/ceditpost.php in UCMS 1.4.7 allows SQL Injection via the index. ...)
 	NOT-FOR-US: UCMS
 CVE-2019-12250 (IdentityServer IdentityServer4 through 2.4 has stored XSS via the http ...)
-	TODO: check
+	NOT-FOR-US: IdentityServer
 CVE-2019-12249
 	RESERVED
 CVE-2019-12248
@@ -499,6 +499,7 @@ CVE-2019-12086 (A Polymorphic Typing issue was discovered in FasterXML jackson-d
 	{DLA-1798-1}
 	- jackson-databind 2.9.8-2 (bug #929177)
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2326
+	NOTE: https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024
 CVE-2019-12085
 	RESERVED
 CVE-2019-12084
@@ -2032,7 +2033,6 @@ CVE-2019-11458 (An issue was discovered in SmtpTransport in CakePHP 3.7.6. An un
 	- cakephp <not-affected> (Vulnerable code introduced in 3.0.0)
 	NOTE: https://github.com/cakephp/cakephp/commit/1a74e798309192a9895c9cedabd714ceee345f4e
 	NOTE: https://github.com/cakephp/cakephp/pull/13153
-	TODO: check, possibly introduced in later version than present in unstable 2.10.11
 CVE-2019-11457
 	RESERVED
 CVE-2019-11456 (Gila CMS 1.10.1 allows fm/save CSRF for executing arbitrary PHP code. ...)
@@ -10597,7 +10597,7 @@ CVE-2019-8341 (An issue was discovered in Jinja2 2.10. The from_string function
 CVE-2019-8340
 	RESERVED
 CVE-2019-8339 (An issue was discovered in Sysdig through 0.24.2, as used in Falco thr ...)
-	TODO: check
+	- sysdig <unfixed>
 CVE-2019-8338 (The signature verification routine in the Airmail GPG-PGP Plugin, vers ...)
 	NOT-FOR-US: Airmail
 CVE-2019-8336 (HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a c ...)
@@ -14981,7 +14981,7 @@ CVE-2019-6515 (An issue was discovered in WSO2 API Manager 2.6.0. Uploaded docum
 CVE-2019-6514 (An issue was discovered in WSO2 Dashboard Server 2.0.0. It is possible ...)
 	NOT-FOR-US: WSO2
 CVE-2019-6513 (An issue was discovered in WSO2 API Manager 2.6.0. It is possible for  ...)
-	TODO: check
+	NOT-FOR-US: WSO2
 CVE-2019-6512 (An issue was discovered in WSO2 API Manager 2.6.0. It is possible to f ...)
 	NOT-FOR-US: WSO2
 CVE-2019-6511
@@ -17802,9 +17802,9 @@ CVE-2019-5440
 CVE-2019-5439
 	RESERVED
 CVE-2019-5438 (Path traversal using symlink in npm harp module versions <= 0.29.0. ...)
-	TODO: check
+	NOT-FOR-US: npm harp module
 CVE-2019-5437 (Information exposure through the directory listing in npm's harp modul ...)
-	TODO: check
+	NOT-FOR-US: npm harp module
 CVE-2019-5436 [TFTP receive buffer overflow]
 	RESERVED
 	- curl <unfixed> (bug #929351)
@@ -21898,9 +21898,9 @@ CVE-2019-3567
 CVE-2019-3566 (A bug in WhatsApp for Android's messaging logic would potentially allo ...)
 	NOT-FOR-US: WhatsApp for Android
 CVE-2019-3565 (Legacy C++ Facebook Thrift servers (using cpp instead of cpp2) would n ...)
-	TODO: check
+	NOT-FOR-US: Thrift servers
 CVE-2019-3564 (Go Facebook Thrift servers would not error upon receiving messages wit ...)
-	TODO: check
+	NOT-FOR-US: Thrift servers
 CVE-2019-3563 (Wangle's LineBasedFrameDecoder contains logic for identifying newlines ...)
 	NOT-FOR-US: Facebook Wangle
 CVE-2019-3562 (A remote web page could inject arbitrary HTML code into the Oculus Bro ...)
@@ -21910,9 +21910,9 @@ CVE-2019-3561 (Insufficient boundary checks for the strrpos and strripos functio
 CVE-2019-3560 (An improperly performed length calculation on a buffer in PlaintextRec ...)
 	NOT-FOR-US: Fizz
 CVE-2019-3559 (Java Facebook Thrift servers would not error upon receiving messages w ...)
-	TODO: check
+	NOT-FOR-US: Thrift servers
 CVE-2019-3558 (Python Facebook Thrift servers would not error upon receiving messages ...)
-	TODO: check
+	NOT-FOR-US: Thrift servers
 CVE-2019-3557 (The implementations of streams for bz2 and php://output improperly imp ...)
 	- hhvm <removed>
 CVE-2019-3556
@@ -21924,7 +21924,7 @@ CVE-2019-3554 (Wangle's AcceptRoutingHandler incorrectly casts a socket when acc
 CVE-2019-3553
 	RESERVED
 CVE-2019-3552 (C++ Facebook Thrift servers (using cpp2) would not error upon receivin ...)
-	TODO: check
+	NOT-FOR-US: Thrift servers
 CVE-2019-3551
 	RESERVED
 CVE-2019-3550
@@ -22682,9 +22682,11 @@ CVE-2018-20513
 CVE-2018-20512 (EPON CPE-WiFi devices 2.0.4-X000 are vulnerable to escalation of privi ...)
 	NOT-FOR-US: EPON CPE-WiFi devices
 CVE-2018-20510 (The print_binder_transaction_ilocked function in drivers/android/binde ...)
-	TODO: check
+	- linux 4.16.5-1
+	NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8ca86f1639ec5890d400fff9211aca22d0a392eb
 CVE-2018-20509 (The print_binder_ref_olocked function in drivers/android/binder.c in t ...)
-	TODO: check
+	- linux <unfixed>
+	NOTE: https://security.netapp.com/advisory/ntap-20190517-0002/
 CVE-2018-20508 (CrashFix 1.0.4 has SQL Injection via the User[status] parameter. This  ...)
 	NOT-FOR-US: CrashFix
 CVE-2018-1000890 (FrontAccounting 2.4.5 contains a Time Based Blind SQL Injection vulner ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/916f3786ce8440461bd259743415206bd33f4afb

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/916f3786ce8440461bd259743415206bd33f4afb
You're receiving this email because of your account on salsa.debian.org.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190523/40f4d7b0/attachment.html>
