[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Tue Nov 5 20:10:36 GMT 2019



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d329f191 by security tracker role at 2019-11-05T20:10:23Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,5 @@
+CVE-2019-18780 (An arbitrary command injection vulnerability in the Cluster Server com ...)
+	TODO: check
 CVE-2020-1689
 	RESERVED
 CVE-2020-1688
@@ -2478,8 +2480,8 @@ CVE-2019-18633 (European Commission eIDAS-Node Integration Package before 2.3.1
 	NOT-FOR-US: European Commission eIDAS-Node Integration Package
 CVE-2019-18632 (European Commission eIDAS-Node Integration Package before 2.3.1 allows ...)
 	NOT-FOR-US: European Commission eIDAS-Node Integration Package
-CVE-2019-18631
-	RESERVED
+CVE-2019-18631 (The Windows component of Centrify Authentication and Privilege Elevati ...)
+	TODO: check
 CVE-2019-18630
 	RESERVED
 CVE-2019-18629
@@ -5801,6 +5803,7 @@ CVE-2019-17623
 CVE-2019-17622
 	RESERVED
 CVE-2019-17675 (WordPress before 5.2.4 does not properly consider type confusion durin ...)
+	{DLA-1980-1}
 	- wordpress 5.2.4+dfsg1-1 (bug #942459)
 	NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 	NOTE: https://core.trac.wordpress.org/changeset/46477
@@ -5822,17 +5825,20 @@ CVE-2019-17672 (WordPress before 5.2.4 is vulnerable to a stored XSS attack to i
 	NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 	NOTE: https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 CVE-2019-17671 (In WordPress before 5.2.4, unauthenticated viewing of certain content  ...)
+	{DLA-1980-1}
 	- wordpress 5.2.4+dfsg1-1 (bug #942459)
 	NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 	NOTE: https://core.trac.wordpress.org/changeset/46474
 	NOTE: https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308
 CVE-2019-17670 (WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulner ...)
+	{DLA-1980-1}
 	- wordpress 5.2.4+dfsg1-1 (bug #942459)
 	NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 	NOTE: https://core.trac.wordpress.org/changeset/46472
 	NOTE: https://github.com/WordPress/WordPress/commit/9db44754b9e4044690a6c32fd74b9d5fe26b07b2
 	NOTE: https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
 CVE-2019-17669 (WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulner ...)
+	{DLA-1980-1}
 	- wordpress 5.2.4+dfsg1-1 (bug #942459)
 	NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 	NOTE: https://core.trac.wordpress.org/changeset/46475
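Review bot: the `{DLA-1980-1}` tag is added to CVE-2019-17675, -17671, -17670 and -17669 in this and the previous hunk, but the entries that sit between them (CVE-2019-17672, whose NOTE lines appear as unchanged context at the top of this hunk, and the CVEs between 17675 and 17672) are not tagged in this commit. All of these are WordPress 5.2.4 fixes with the same `wordpress 5.2.4+dfsg1-1 (bug #942459)` resolution, so either the DLA text lists only these four and the split is intentional, or the remaining entries still need the tag; worth confirming against the advisory before the next automatic update overwrites nothing here.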
@@ -5890,8 +5896,8 @@ CVE-2019-17600 (Intelbras IWR 1000N 1.6.4 devices allows disclosure of the admin
 	NOT-FOR-US: Intelbras IWR 1000N devices
 CVE-2019-17599
 	RESERVED
-CVE-2019-17598
-	RESERVED
+CVE-2019-17598 (An issue was discovered in Lightbend Play Framework 2.5.x through 2.6. ...)
+	TODO: check
 CVE-2019-17597
 	RESERVED
 CVE-2017-1002201 (In haml versions prior to version 5.0.0.beta.2, when using user input  ...)
@@ -6957,8 +6963,8 @@ CVE-2019-17223 (There is HTML Injection in the Note field in Dolibarr ERP/CRM 10
 	- dolibarr <removed>
 CVE-2019-17222
 	RESERVED
-CVE-2019-17221
-	RESERVED
+CVE-2019-17221 (PhantomJS through 2.1.1 has an arbitrary file read vulnerability, as d ...)
+	TODO: check
 CVE-2019-17220 (Rocket.Chat before 2.1.0 allows XSS via a URL on a ![title] line. ...)
 	NOT-FOR-US: Rocket.Chat
 CVE-2019-17219 (An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ether ...)
@@ -6975,10 +6981,10 @@ CVE-2019-17214 (The WebARX plugin 1.3.0 for WordPress allows firewall bypass by
 	NOT-FOR-US: WebARX plugin for WordPress
 CVE-2019-17213 (The WebARX plugin 1.3.0 for WordPress has unauthenticated stored XSS v ...)
 	NOT-FOR-US: WebARX plugin for WordPress
-CVE-2019-17212
-	RESERVED
-CVE-2019-17211
-	RESERVED
+CVE-2019-17212 (Buffer overflows were discovered in the CoAP library in Arm Mbed OS 5. ...)
+	TODO: check
+CVE-2019-17211 (An integer overflow was discovered in the CoAP library in Arm Mbed OS  ...)
+	TODO: check
 CVE-2019-17210 (A denial-of-service issue was discovered in the MQTT library in Arm Mb ...)
 	NOT-FOR-US: Arm Mbed OS
 CVE-2019-17209
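Review bot: the two new Arm Mbed OS CoAP entries (CVE-2019-17212, CVE-2019-17211) are left as `TODO: check` while the adjacent CVE-2019-17210, for the MQTT library in the same Arm Mbed OS codebase, is already `NOT-FOR-US: Arm Mbed OS`. Unless Mbed OS has gained a Debian package since that entry was triaged, resolving these two the same way keeps the three consecutive entries consistent.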
@@ -7313,8 +7319,8 @@ CVE-2019-17064 (Catalog.cc in Xpdf 4.02 has a NULL pointer dereference because C
 	- xpdf <not-affected> (xpdf in Debian uses poppler, which is fixed)
 CVE-2019-17063 (In Snowtide PDFxStream before 3.7.1 (for Java), a crafted PDF file can ...)
 	NOT-FOR-US: Snowtide PDFxStream
-CVE-2019-17062
-	RESERVED
+CVE-2019-17062 (An issue was discovered in OXID eShop 6.x before 6.0.6 and 6.1.x befor ...)
+	TODO: check
 CVE-2019-17061
 	RESERVED
 CVE-2019-17060
@@ -10268,8 +10274,8 @@ CVE-2019-15968
 	RESERVED
 CVE-2019-15967
 	RESERVED
-CVE-2019-15966
-	RESERVED
+CVE-2019-15966 (A vulnerability in the web application of Cisco TelePresence Advanced  ...)
+	TODO: check
 CVE-2019-15965
 	RESERVED
 CVE-2019-15964
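Review bot: CVE-2019-15966 concerns the web application of a Cisco TelePresence product; elsewhere in this file Cisco product CVEs are consistently recorded as `NOT-FOR-US: Cisco` (see the CVE-2019-1791/1790 and CVE-2018-0179/0177 entries further down). The `TODO: check` placeholder is what the automatic update emits, but this one can be closed out as `NOT-FOR-US: Cisco` without further triage.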
@@ -13664,6 +13670,7 @@ CVE-2019-14867
 	RESERVED
 CVE-2019-14866 [improper input validation when writing tar header fields leads to unexpect tar generation]
 	RESERVED
+	{DLA-1981-1}
 	- cpio <unfixed> (low; bug #941412)
 	[buster] - cpio <no-dsa> (Minor issue)
 	[stretch] - cpio <no-dsa> (Minor issue)
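Review bot: the `{DLA-1981-1}` tag is placed after the `RESERVED` line and before the `cpio <unfixed>` line, which matches how other entries here carry a DLA reference (compare `{DLA-1953-1}` on CVE-2019-12625), so the layout is fine. Note, though, that this records a jessie LTS fix while unstable still reads `<unfixed>` and buster/stretch stay `<no-dsa> (Minor issue)`; when the upstream fix is uploaded to unstable the `<unfixed>` line must be replaced with the fixed version, or the tracker will keep reporting sid as vulnerable after the LTS suites are fixed. The bracketed placeholder description in the unchanged context line also reads "unexpect tar generation"; when the description is eventually replaced by the published CVE text this goes away, otherwise "unexpected" is intended.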
@@ -14017,8 +14024,7 @@ CVE-2019-14776 (A heap-based buffer over-read exists in DemuxInit() in demux/asf
 	NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-14775
 	RESERVED
-CVE-2019-12625 [clamav zip DoS]
-	RESERVED
+CVE-2019-12625 (ClamAV versions prior to 0.101.3 are susceptible to a zip bomb vulnera ...)
 	{DLA-1953-1}
 	- clamav 0.101.4+dfsg-1 (bug #934359)
 	[buster] - clamav 0.101.4+dfsg-0+deb10u1
@@ -27738,8 +27744,7 @@ CVE-2019-10224 [using dscreate in verbose mode results in information disclosure
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1677147
 	NOTE: https://pagure.io/389-ds-base/issue/50251
 	NOTE: https://pagure.io/389-ds-base/c/632ecb90d96ac0535656f5aaf67fd2be4b81d310
-CVE-2019-10223
-	RESERVED
+CVE-2019-10223 (A security issue was discovered in the kube-state-metrics versions v1. ...)
 	NOT-FOR-US: kube-state-metrics
 CVE-2019-10222 [unauthenticated clients can crash RGW]
 	RESERVED
@@ -45429,8 +45434,7 @@ CVE-2019-3687
 	RESERVED
 CVE-2019-3686
 	RESERVED
-CVE-2019-3685 [Fails to adequately verify TLS certificates allowing for a man in the middle attack]
-	RESERVED
+CVE-2019-3685 (Open Build Service before version 0.165.4 diddn't validate TLS certifi ...)
 	- osc <not-affected> (Affects 0.165.x only, bug #941667)
 CVE-2019-3684 (SUSE Manager until version 4.0.7 and Uyuni until commit 1b426ad5ed0a71 ...)
 	NOT-FOR-US: SUSE Manager
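Review bot: the imported description for CVE-2019-3685 says "Open Build Service before version 0.165.4", i.e. every earlier release, whereas the unchanged Debian line beneath it says `osc <not-affected> (Affects 0.165.x only, bug #941667)`. Those two statements do not obviously agree; the not-affected rationale should be re-checked against bug #941667 (and the upstream advisory) to confirm that the flaw was introduced in the 0.165 series rather than present in all earlier osc versions. The misspelling "diddn't" is in the upstream CVE text and is mirrored verbatim, so nothing to change there.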
@@ -51875,8 +51879,7 @@ CVE-2019-1791 (A vulnerability in the CLI of Cisco NX-OS Software could allow an
 	NOT-FOR-US: Cisco
 CVE-2019-1790 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...)
 	NOT-FOR-US: Cisco
-CVE-2019-1789 [An out-of-bounds heap read condition when scanning PE files]
-	RESERVED
+CVE-2019-1789 (ClamAV versions prior to 0.101.2 are susceptible to a denial of servic ...)
 	{DLA-1759-1}
 	- clamav 0.101.2+dfsg-1
 	[stretch] - clamav 0.100.3+dfsg-0+deb9u1
@@ -110952,7 +110955,7 @@ CVE-2018-0180 (Multiple vulnerabilities in the Login Enhancements (Login Block)
 CVE-2018-0179 (Multiple vulnerabilities in the Login Enhancements (Login Block) featu ...)
 	NOT-FOR-US: Cisco
 CVE-2018-0178
-	RESERVED
+	REJECTED
 CVE-2018-0177 (A vulnerability in the IP Version 4 (IPv4) processing code of Cisco IO ...)
 	NOT-FOR-US: Cisco
 CVE-2018-0176 (Multiple vulnerabilities in the CLI parser of Cisco IOS XE Software co ...)
@@ -175968,8 +175971,7 @@ CVE-2016-4456 (The "GNUTLS_KEYLOGFILE" environment variable in gnutls 3.4.12 all
 	[jessie] - gnutls28 <not-affected> (Introduced in 3.4.12)
 	NOTE: http://gnutls.org/security.html#GNUTLS-SA-2016-1
 	NOTE: http://www.openwall.com/lists/oss-security/2016/06/07/2
-CVE-2016-1000002
-	RESERVED
+CVE-2016-1000002 (gdm3 3.14.2 and possibly later has an information leak before screen l ...)
 	- gdm3 <unfixed> (low; bug #849432)
 	[buster] - gdm3 <ignored> (Minor issue)
 	[stretch] - gdm3 <ignored> (Minor issue)
@@ -245689,13 +245691,11 @@ CVE-2013-6463
 CVE-2013-6462 (Stack-based buffer overflow in the bdfReadCharacters function in bitma ...)
 	{DSA-2838-1}
 	- libxfont 1:1.4.7-1
-CVE-2013-6461 [DoS while parsing XML entities]
-	RESERVED
+CVE-2013-6461 (Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by fai ...)
 	- ruby-nokogiri <not-affected> (jruby implementation not shiped)
 	- libnokogiri-ruby <not-affected> (1.4 and earlier not affected)
 	NOTE: https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA
-CVE-2013-6460 [DoS while parsing XML documents]
-	RESERVED
+CVE-2013-6460 (Nokogiri gem 1.5.x has Denial of Service via infinite loop when parsin ...)
 	- ruby-nokogiri <not-affected> (jruby implementation not shiped)
 	- libnokogiri-ruby <not-affected> (1.4 and earlier not affected)
 	NOTE: https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA
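Review bot: the unchanged context lines under both CVE-2013-6461 and CVE-2013-6460 read `(jruby implementation not shiped)`; the word is "shipped". Not part of this automatic update, but it is a quick manual fix for whoever next touches these Nokogiri entries. Otherwise, replacing the bracketed placeholders and `RESERVED` lines with the published descriptions while keeping the existing `<not-affected>` resolutions is the expected shape for this file.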
@@ -246144,16 +246144,14 @@ CVE-2004-XXXX [base-passwd: sets valid shells for system services]
 	NOTE: Hardening, not a direct vulnerability
 CVE-2013-6366 (The Groovy script console in VMware Hyperic HQ 4.6.6 allows remote aut ...)
 	NOT-FOR-US: VMware Hyperic HQ
-CVE-2013-6365 [CSRF edit.php]
-	RESERVED
+CVE-2013-6365 (Horde Groupware Web mail 5.1.2 has CSRF with requests to change permis ...)
 	- php-horde 5.1.5+debian0-1 (bug #730110)
 	- php-horde-kronolith 4.1.4-1 (bug #730980)
 	- kronolith2 <not-affected> (Vulnerable code not present)
 	- horde3 <removed>
 	[squeeze] - horde3 <end-of-life> (Unsupported in squeeze-lts)
 	NOTE: https://github.com/horde/horde/commit/b79114d08ee8c8e43e74a179741749529f6d885c
-CVE-2013-6364 [XSS and CSRF search.php]
-	RESERVED
+CVE-2013-6364 (Horde Groupware Webmail Edition has CSRF and XSS when saving search as ...)
 	- php-horde <not-affected> (Vulnerable code in turba)
 	- php-horde-turba 4.1.3-1 (bug #730979)
 	- turba2 <removed>
@@ -246371,8 +246369,7 @@ CVE-2013-6288 (Unspecified vulnerability in the Apache Solr for TYPO3 (solr) ext
 	NOT-FOR-US: TYPO3 extension Apache Solr
 CVE-2013-6285 (The search component in the Treasurer application in Tyler Technologie ...)
 	NOT-FOR-US: Tyler Technologies TaxWeb
-CVE-2013-6275 [CSRF]
-	RESERVED
+CVE-2013-6275 (Multiple CSRF issues in Horde Groupware Webmail Edition 5.1.2 and earl ...)
 	- php-horde-ingo 3.1.3-1 (bug #727669)
 	- ingo1 <not-affected> (Affected code not present)
 CVE-2013-6242
@@ -247734,8 +247731,7 @@ CVE-2013-5663 (The App-ID cache feature in Palo Alto Networks PAN-OS before 4.0.
 	NOT-FOR-US: Palo Alto Networks PAN-OS
 CVE-2013-5662
 	RESERVED
-CVE-2013-5661 [DNS response rate limiting can simplify cache poisoning attacks]
-	RESERVED
+CVE-2013-5661 (Cache Poisoning issue exists in DNS Response Rate Limiting. ...)
 	NOTE: DNS protocol flaw
 	NOTE: http://www.certa.ssi.gouv.fr/site/CERTA-2013-AVI-506/index.html
 	NOTE: https://www.isc.org/blogs/cache-poisoning-gets-a-second-wind-from-rrl-probably-not/
@@ -252103,8 +252099,7 @@ CVE-2013-4112 (The DiagnosticsHandler in JGroup 3.0.x, 3.1.x, 3.2.x before 3.2.9
 	NOTE: libjgroups-java/2.12.2.Final-4 disables diagnostic probing by default
 CVE-2013-4111 (The Python client library for Glance (python-glanceclient) before 0.10 ...)
 	- python-glanceclient 1:0.9.0-2 (bug #718282)
-CVE-2013-4110
-	RESERVED
+CVE-2013-4110 (Cryptocat has an Unspecified Chat Participant User List Disclosure ...)
 	NOT-FOR-US: Cryptocat
 CVE-2013-4109
 	RESERVED
@@ -252112,8 +252107,7 @@ CVE-2013-4109
 CVE-2013-4108
 	RESERVED
 	NOT-FOR-US: Cryptocat
-CVE-2013-4107
-	RESERVED
+CVE-2013-4107 (Cryptocat before 2.0.22: cryptocat.js handlePresence() has cross site  ...)
 	NOT-FOR-US: Cryptocat
 CVE-2013-4106
 	RESERVED
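Review bot: CVE-2013-4107 and (in the previous hunk) CVE-2013-4110 pick up published Cryptocat descriptions, but the CVE-2013-4108 entry visible as unchanged context still carries both a `RESERVED` line and a `NOT-FOR-US: Cryptocat` line. Since these three CVEs come from the same Cryptocat disclosure, it is worth checking whether CVE-2013-4108 has also been published and only missed the automatic import; if it has, its `RESERVED` line should be dropped in the same way.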



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d329f1919fadb5fa6223fe2e25362b2bd1113b2d


