[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Tue Nov 5 20:10:36 GMT 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d329f191 by security tracker role at 2019-11-05T20:10:23Z
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,5 @@
+CVE-2019-18780 (An arbitrary command injection vulnerability in the Cluster Server com ...)
+ TODO: check
CVE-2020-1689
RESERVED
CVE-2020-1688
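Review bot: the new CVE-2019-18780 entry lands with the "TODO: check" triage marker rather than a package line or NOT-FOR-US, and the truncated description only says "Cluster Server com ...", so the triager will need the full description text to decide whether any Debian package ships the affected component.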
@@ -2478,8 +2480,8 @@ CVE-2019-18633 (European Commission eIDAS-Node Integration Package before 2.3.1
NOT-FOR-US: European Commission eIDAS-Node Integration Package
CVE-2019-18632 (European Commission eIDAS-Node Integration Package before 2.3.1 allows ...)
NOT-FOR-US: European Commission eIDAS-Node Integration Package
-CVE-2019-18631
- RESERVED
+CVE-2019-18631 (The Windows component of Centrify Authentication and Privilege Elevati ...)
+ TODO: check
CVE-2019-18630
RESERVED
CVE-2019-18629
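Review bot: the CVE-2019-18631 description names "The Windows component of Centrify Authentication and Privilege Elevati ...", which points at a Windows-only product; the "TODO: check" marker is correct for an automatic update, but triage can probably resolve it quickly along the lines of the NOT-FOR-US entries used elsewhere in this file.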
@@ -5801,6 +5803,7 @@ CVE-2019-17623
CVE-2019-17622
RESERVED
CVE-2019-17675 (WordPress before 5.2.4 does not properly consider type confusion durin ...)
+ {DLA-1980-1}
- wordpress 5.2.4+dfsg1-1 (bug #942459)
NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
NOTE: https://core.trac.wordpress.org/changeset/46477
@@ -5822,17 +5825,20 @@ CVE-2019-17672 (WordPress before 5.2.4 is vulnerable to a stored XSS attack to i
NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
NOTE: https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
CVE-2019-17671 (In WordPress before 5.2.4, unauthenticated viewing of certain content ...)
+ {DLA-1980-1}
- wordpress 5.2.4+dfsg1-1 (bug #942459)
NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
NOTE: https://core.trac.wordpress.org/changeset/46474
NOTE: https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308
CVE-2019-17670 (WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulner ...)
+ {DLA-1980-1}
- wordpress 5.2.4+dfsg1-1 (bug #942459)
NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
NOTE: https://core.trac.wordpress.org/changeset/46472
NOTE: https://github.com/WordPress/WordPress/commit/9db44754b9e4044690a6c32fd74b9d5fe26b07b2
NOTE: https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
CVE-2019-17669 (WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulner ...)
+ {DLA-1980-1}
- wordpress 5.2.4+dfsg1-1 (bug #942459)
NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
NOTE: https://core.trac.wordpress.org/changeset/46475
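Review bot: CVE-2019-17672, visible as context at the top of this hunk with the same "WordPress before 5.2.4" description and the same 5.2.4 fix, does not receive a {DLA-1980-1} line in this diff while 17675, 17671, 17670 and 17669 do; worth confirming whether the DLA covers it too or whether it was intentionally left out.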
@@ -5890,8 +5896,8 @@ CVE-2019-17600 (Intelbras IWR 1000N 1.6.4 devices allows disclosure of the admin
NOT-FOR-US: Intelbras IWR 1000N devices
CVE-2019-17599
RESERVED
-CVE-2019-17598
- RESERVED
+CVE-2019-17598 (An issue was discovered in Lightbend Play Framework 2.5.x through 2.6. ...)
+ TODO: check
CVE-2019-17597
RESERVED
CVE-2017-1002201 (In haml versions prior to version 5.0.0.beta.2, when using user input ...)
@@ -6957,8 +6963,8 @@ CVE-2019-17223 (There is HTML Injection in the Note field in Dolibarr ERP/CRM 10
- dolibarr <removed>
CVE-2019-17222
RESERVED
-CVE-2019-17221
- RESERVED
+CVE-2019-17221 (PhantomJS through 2.1.1 has an arbitrary file read vulnerability, as d ...)
+ TODO: check
CVE-2019-17220 (Rocket.Chat before 2.1.0 allows XSS via a URL on a ![title] line. ...)
NOT-FOR-US: Rocket.Chat
CVE-2019-17219 (An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ether ...)
@@ -6975,10 +6981,10 @@ CVE-2019-17214 (The WebARX plugin 1.3.0 for WordPress allows firewall bypass by
NOT-FOR-US: WebARX plugin for WordPress
CVE-2019-17213 (The WebARX plugin 1.3.0 for WordPress has unauthenticated stored XSS v ...)
NOT-FOR-US: WebARX plugin for WordPress
-CVE-2019-17212
- RESERVED
-CVE-2019-17211
- RESERVED
+CVE-2019-17212 (Buffer overflows were discovered in the CoAP library in Arm Mbed OS 5. ...)
+ TODO: check
+CVE-2019-17211 (An integer overflow was discovered in the CoAP library in Arm Mbed OS ...)
+ TODO: check
CVE-2019-17210 (A denial-of-service issue was discovered in the MQTT library in Arm Mb ...)
NOT-FOR-US: Arm Mbed OS
CVE-2019-17209
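Review bot: the two new entries CVE-2019-17212 and CVE-2019-17211 both describe the CoAP library in Arm Mbed OS, and the unchanged neighbour CVE-2019-17210 (MQTT library in Arm Mbed OS) is already marked "NOT-FOR-US: Arm Mbed OS"; triage of the two "TODO: check" markers should likely follow that existing decision unless a Debian package embeds the library.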
@@ -7313,8 +7319,8 @@ CVE-2019-17064 (Catalog.cc in Xpdf 4.02 has a NULL pointer dereference because C
- xpdf <not-affected> (xpdf in Debian uses poppler, which is fixed)
CVE-2019-17063 (In Snowtide PDFxStream before 3.7.1 (for Java), a crafted PDF file can ...)
NOT-FOR-US: Snowtide PDFxStream
-CVE-2019-17062
- RESERVED
+CVE-2019-17062 (An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x befor ...)
+ TODO: check
CVE-2019-17061
RESERVED
CVE-2019-17060
@@ -10268,8 +10274,8 @@ CVE-2019-15968
RESERVED
CVE-2019-15967
RESERVED
-CVE-2019-15966
- RESERVED
+CVE-2019-15966 (A vulnerability in the web application of Cisco TelePresence Advanced ...)
+ TODO: check
CVE-2019-15965
RESERVED
CVE-2019-15964
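Review bot: CVE-2019-15966 describes "the web application of Cisco TelePresence Advanced ..."; other Cisco product entries in this same diff (for example CVE-2019-1791 and CVE-2019-1790) carry "NOT-FOR-US: Cisco", so the "TODO: check" placeholder here is expected to resolve the same way.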
@@ -13664,6 +13670,7 @@ CVE-2019-14867
RESERVED
CVE-2019-14866 [improper input validation when writing tar header fields leads to unexpect tar generation]
RESERVED
+ {DLA-1981-1}
- cpio <unfixed> (low; bug #941412)
[buster] - cpio <no-dsa> (Minor issue)
[stretch] - cpio <no-dsa> (Minor issue)
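Review bot: the bracketed placeholder description for CVE-2019-14866 still reads "leads to unexpect tar generation" (presumably "unexpected"); more importantly, now that {DLA-1981-1} is recorded as shipping a fix, the unstable entry remains "cpio <unfixed>" with no NOTE pointing at the patch the DLA used, so a follow-up adding that reference would help close the unstable side.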
@@ -14017,8 +14024,7 @@ CVE-2019-14776 (A heap-based buffer over-read exists in DemuxInit() in demux/asf
NOTE: https://www.videolan.org/security/sb-vlc308.html
CVE-2019-14775
RESERVED
-CVE-2019-12625 [clamav zip DoS]
- RESERVED
+CVE-2019-12625 (ClamAV versions prior to 0.101.3 are susceptible to a zip bomb vulnera ...)
{DLA-1953-1}
- clamav 0.101.4+dfsg-1 (bug #934359)
[buster] - clamav 0.101.4+dfsg-0+deb10u1
@@ -27738,8 +27744,7 @@ CVE-2019-10224 [using dscreate in verbose mode results in information disclosure
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1677147
NOTE: https://pagure.io/389-ds-base/issue/50251
NOTE: https://pagure.io/389-ds-base/c/632ecb90d96ac0535656f5aaf67fd2be4b81d310
-CVE-2019-10223
- RESERVED
+CVE-2019-10223 (A security issue was discovered in the kube-state-metrics versions v1. ...)
NOT-FOR-US: kube-state-metrics
CVE-2019-10222 [unauthenticated clients can crash RGW]
RESERVED
@@ -45429,8 +45434,7 @@ CVE-2019-3687
RESERVED
CVE-2019-3686
RESERVED
-CVE-2019-3685 [Fails to adequately verify TLS certificates allowing for a man in the middle attack]
- RESERVED
+CVE-2019-3685 (Open Build Service before version 0.165.4 diddn't validate TLS certifi ...)
- osc <not-affected> (Affects 0.165.x only, bug #941667)
CVE-2019-3684 (SUSE Manager until version 4.0.7 and Uyuni until commit 1b426ad5ed0a71 ...)
NOT-FOR-US: SUSE Manager
@@ -51875,8 +51879,7 @@ CVE-2019-1791 (A vulnerability in the CLI of Cisco NX-OS Software could allow an
NOT-FOR-US: Cisco
CVE-2019-1790 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...)
NOT-FOR-US: Cisco
-CVE-2019-1789 [An out-of-bounds heap read condition when scanning PE files]
- RESERVED
+CVE-2019-1789 (ClamAV versions prior to 0.101.2 are susceptible to a denial of servic ...)
{DLA-1759-1}
- clamav 0.101.2+dfsg-1
[stretch] - clamav 0.100.3+dfsg-0+deb9u1
@@ -110952,7 +110955,7 @@ CVE-2018-0180 (Multiple vulnerabilities in the Login Enhancements (Login Block)
CVE-2018-0179 (Multiple vulnerabilities in the Login Enhancements (Login Block) featu ...)
NOT-FOR-US: Cisco
CVE-2018-0178
- RESERVED
+ REJECTED
CVE-2018-0177 (A vulnerability in the IP Version 4 (IPv4) processing code of Cisco IO ...)
NOT-FOR-US: Cisco
CVE-2018-0176 (Multiple vulnerabilities in the CLI parser of Cisco IOS XE Software co ...)
@@ -175968,8 +175971,7 @@ CVE-2016-4456 (The "GNUTLS_KEYLOGFILE" environment variable in gnutls 3.4.12 all
[jessie] - gnutls28 <not-affected> (Introduced in 3.4.12)
NOTE: http://gnutls.org/security.html#GNUTLS-SA-2016-1
NOTE: http://www.openwall.com/lists/oss-security/2016/06/07/2
-CVE-2016-1000002
- RESERVED
+CVE-2016-1000002 (gdm3 3.14.2 and possibly later has an information leak before screen l ...)
- gdm3 <unfixed> (low; bug #849432)
[buster] - gdm3 <ignored> (Minor issue)
[stretch] - gdm3 <ignored> (Minor issue)
@@ -245689,13 +245691,11 @@ CVE-2013-6463
CVE-2013-6462 (Stack-based buffer overflow in the bdfReadCharacters function in bitma ...)
{DSA-2838-1}
- libxfont 1:1.4.7-1
-CVE-2013-6461 [DoS while parsing XML entities]
- RESERVED
+CVE-2013-6461 (Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by fai ...)
- ruby-nokogiri <not-affected> (jruby implementation not shiped)
- libnokogiri-ruby <not-affected> (1.4 and earlier not affected)
NOTE: https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA
-CVE-2013-6460 [DoS while parsing XML documents]
- RESERVED
+CVE-2013-6460 (Nokogiri gem 1.5.x has Denial of Service via infinite loop when parsin ...)
- ruby-nokogiri <not-affected> (jruby implementation not shiped)
- libnokogiri-ruby <not-affected> (1.4 and earlier not affected)
NOTE: https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA
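Review bot: the replacement of the bracketed summaries for CVE-2013-6461 and CVE-2013-6460 with the published Nokogiri descriptions is fine; the unchanged context lines "jruby implementation not shiped" under both entries carry a typo ("shipped") that is unrelated to this automatic update but could be corrected in a manual follow-up.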
@@ -246144,16 +246144,14 @@ CVE-2004-XXXX [base-passwd: sets valid shells for system services]
NOTE: Hardening, not a direct vulnerability
CVE-2013-6366 (The Groovy script console in VMware Hyperic HQ 4.6.6 allows remote aut ...)
NOT-FOR-US: VMware Hyperic HQ
-CVE-2013-6365 [CSRF edit.php]
- RESERVED
+CVE-2013-6365 (Horde Groupware Web mail 5.1.2 has CSRF with requests to change permis ...)
- php-horde 5.1.5+debian0-1 (bug #730110)
- php-horde-kronolith 4.1.4-1 (bug #730980)
- kronolith2 <not-affected> (Vulnerable code not present)
- horde3 <removed>
[squeeze] - horde3 <end-of-life> (Unsupported in squeeze-lts)
NOTE: https://github.com/horde/horde/commit/b79114d08ee8c8e43e74a179741749529f6d885c
-CVE-2013-6364 [XSS and CSRF search.php]
- RESERVED
+CVE-2013-6364 (Horde Groupware Webmail Edition has CSRF and XSS when saving search as ...)
- php-horde <not-affected> (Vulnerable code in turba)
- php-horde-turba 4.1.3-1 (bug #730979)
- turba2 <removed>
@@ -246371,8 +246369,7 @@ CVE-2013-6288 (Unspecified vulnerability in the Apache Solr for TYPO3 (solr) ext
NOT-FOR-US: TYPO3 extension Apache Solr
CVE-2013-6285 (The search component in the Treasurer application in Tyler Technologie ...)
NOT-FOR-US: Tyler Technologies TaxWeb
-CVE-2013-6275 [CSRF]
- RESERVED
+CVE-2013-6275 (Multiple CSRF issues in Horde Groupware Webmail Edition 5.1.2 and earl ...)
- php-horde-ingo 3.1.3-1 (bug #727669)
- ingo1 <not-affected> (Affected code not present)
CVE-2013-6242
@@ -247734,8 +247731,7 @@ CVE-2013-5663 (The App-ID cache feature in Palo Alto Networks PAN-OS before 4.0.
NOT-FOR-US: Palo Alto Networks PAN-OS
CVE-2013-5662
RESERVED
-CVE-2013-5661 [DNS response rate limiting can simplify cache poisoning attacks]
- RESERVED
+CVE-2013-5661 (Cache Poisoning issue exists in DNS Response Rate Limiting. ...)
NOTE: DNS protocol flaw
NOTE: http://www.certa.ssi.gouv.fr/site/CERTA-2013-AVI-506/index.html
NOTE: https://www.isc.org/blogs/cache-poisoning-gets-a-second-wind-from-rrl-probably-not/
@@ -252103,8 +252099,7 @@ CVE-2013-4112 (The DiagnosticsHandler in JGroup 3.0.x, 3.1.x, 3.2.x before 3.2.9
NOTE: libjgroups-java/2.12.2.Final-4 disables diagnostic probing by default
CVE-2013-4111 (The Python client library for Glance (python-glanceclient) before 0.10 ...)
- python-glanceclient 1:0.9.0-2 (bug #718282)
-CVE-2013-4110
- RESERVED
+CVE-2013-4110 (Cryptocat has an Unspecified Chat Participant User List Disclosure ...)
NOT-FOR-US: Cryptocat
CVE-2013-4109
RESERVED
@@ -252112,8 +252107,7 @@ CVE-2013-4109
CVE-2013-4108
RESERVED
NOT-FOR-US: Cryptocat
-CVE-2013-4107
- RESERVED
+CVE-2013-4107 (Cryptocat before 2.0.22: cryptocat.js handlePresence() has cross site ...)
NOT-FOR-US: Cryptocat
CVE-2013-4106
RESERVED
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d329f1919fadb5fa6223fe2e25362b2bd1113b2d