[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Fri Nov 8 08:10:31 GMT 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a3d5962a by security tracker role at 2019-11-08T08:10:18Z
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,41 @@
+CVE-2019-18836
+ RESERVED
+CVE-2019-18835 (Matrix Synapse before 1.5.0 mishandles signature checking on some fede ...)
+ TODO: check
+CVE-2019-18834
+ RESERVED
+CVE-2019-18833
+ RESERVED
+CVE-2019-18832
+ RESERVED
+CVE-2019-18831
+ RESERVED
+CVE-2019-18830
+ RESERVED
+CVE-2019-18829
+ RESERVED
+CVE-2019-18828
+ RESERVED
+CVE-2019-18827
+ RESERVED
+CVE-2019-18826
+ RESERVED
+CVE-2019-18825
+ RESERVED
+CVE-2019-18824
+ RESERVED
+CVE-2019-18823
+ RESERVED
+CVE-2019-18822
+ RESERVED
+CVE-2019-18821 (Eximious Logo Designer 3.82 has a User Mode Write AV starting at ExiCu ...)
+ TODO: check
+CVE-2019-18820 (Eximious Logo Designer 3.82 has Heap Corruption starting at ntdll!Rtlp ...)
+ TODO: check
+CVE-2019-18819 (Eximious Logo Designer 3.82 has a User Mode Write AV starting at ExiVe ...)
+ TODO: check
+CVE-2019-18818 (strapi before 3.0.0-beta.17.5 mishandles password resets within packag ...)
+ TODO: check
CVE-2019-18817
RESERVED
CVE-2019-18816 (po-admin/route.php?mod=post&act=edit in PopojiCMS 2.0.1 allows pos ...)
@@ -5,7 +43,7 @@ CVE-2019-18816 (po-admin/route.php?mod=post&act=edit in PopojiCMS 2.0.1 allo
CVE-2019-18815 (PopojiCMS 2.0.1 allows refer= Open Redirection. ...)
NOT-FOR-US: PopojiCMS
CVE-2019-18814 (An issue was discovered in the Linux kernel through 5.3.9. There is a ...)
- - linux <unfixed>
+ - linux <unfixed>
NOTE: https://lore.kernel.org/patchwork/patch/1142523/
CVE-2019-18813 (A memory leak in the dwc3_pci_probe() function in drivers/usb/dwc3/dwc ...)
- linux <unfixed>
@@ -3322,6 +3360,7 @@ CVE-2019-18398
RESERVED
CVE-2019-18397
RESERVED
+ {DSA-4561-1}
- fribidi <unfixed> (bug #944327)
[stretch] - fribidi <not-affected> (Vulnerable code not present)
[jessie] - fribidi <not-affected> (Vulnerable code not present)
@@ -13346,8 +13385,8 @@ CVE-2019-15007
RESERVED
CVE-2019-15006
RESERVED
-CVE-2019-15005
- RESERVED
+CVE-2019-15005 (The Atlassian Troubleshooting and Support Tools plugin prior to versio ...)
+ TODO: check
CVE-2019-15004 (The Customer Context Filter in Atlassian Jira Service Desk Server and ...)
NOT-FOR-US: Atlassian
CVE-2019-15003 (The Customer Context Filter in Atlassian Jira Service Desk Server and ...)
@@ -46116,8 +46155,7 @@ CVE-2019-3467
RESERVED
CVE-2019-3466
RESERVED
-CVE-2019-3465
- RESERVED
+CVE-2019-3465 (Rob Richards XmlSecLibs, all versions prior to v3.0.3, as used for exa ...)
{DSA-4560-1 DLA-1983-1}
- simplesamlphp 1.17.6-2 (bug #944107)
NOTE: https://groups.google.com/forum/#!msg/simplesamlphp-announce/2odMqz63z7k/6zQQeM91EwAJ
@@ -46220,8 +46258,8 @@ CVE-2019-3424
RESERVED
CVE-2019-3423
RESERVED
-CVE-2019-3422
- RESERVED
+CVE-2019-3422 (Security researcher Shen Ying from the Sec Consult Security Lab report ...)
+ TODO: check
CVE-2019-3421 (The 7520V3V1.0.0B09P27 version, and all earlier versions of ZTE produc ...)
NOT-FOR-US: ZTE
CVE-2019-3420
@@ -58941,8 +58979,8 @@ CVE-2018-18676 (GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject
NOT-FOR-US: GNU Board
CVE-2018-18675 (GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbit ...)
NOT-FOR-US: GNU Board
-CVE-2018-18674
- RESERVED
+CVE-2018-18674 (GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbit ...)
+ TODO: check
CVE-2018-18673 (GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbit ...)
NOT-FOR-US: GNU Board
CVE-2018-18672 (GNUBOARD5 5.3.1.9 has XSS that allows remote attackers to inject arbit ...)
@@ -258370,15 +258408,13 @@ CVE-2013-1812 (The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID pr
- ruby-openid 2.1.8debian-6 (bug #702217)
- libopenid-ruby <removed> (bug #702217)
[squeeze] - libopenid-ruby 2.1.8debian-1+squeeze1
-CVE-2013-1811 [Reporter can change issue status to 'new']
- RESERVED
+CVE-2013-1811 (An access control issue in MantisBT before 1.2.13 allows users with "R ...)
{DSA-3120-1}
- mantis <removed> (low; bug #698481)
[squeeze] - mantis <end-of-life> (Unsupported in squeeze-lts)
CVE-2013-1810 (Multiple cross-site scripting (XSS) vulnerabilities in core/summary_ap ...)
- mantis <not-affected> (only affects MantisBT 1.2.12)
-CVE-2013-1809 [Gambas creates hijackable directory in /tmp]
- RESERVED
+CVE-2013-1809 (Gambas before 3.4.0 allows remote attackers to move or manipulate dire ...)
- gambas3 3.5.1-1 (low; bug #702184)
- gambas2 <removed>
[wheezy] - gambas3 <no-dsa> (Minor issue)
@@ -258486,8 +258522,7 @@ CVE-2013-1773 (Buffer overflow in the VFAT filesystem implementation in the Linu
CVE-2013-1772 (The log_prefix function in kernel/printk.c in the Linux kernel 3.x bef ...)
- linux 3.2.39-1
- linux-2.6 <not-affected> (Vulnerability exposed since 3.0)
-CVE-2013-1771 [monkey: world-readable logdir]
- RESERVED
+CVE-2013-1771 (The web server Monkeyd produces a world-readable log (/var/log/monkeyd ...)
- monkey <removed> (low)
[squeeze] - monkey <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2013/02/24/5
@@ -258558,8 +258593,7 @@ CVE-2013-1753
NOTE: preliminary patch: http://bugs.python.org/file28796/xmlrpc_gzip_27.patch
CVE-2013-1752
REJECTED
-CVE-2013-1751
- RESERVED
+CVE-2013-1751 (TWiki before 5.1.4 allows remote attackers to execute arbitrary shell ...)
- twiki <removed>
NOTE: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2013-1751
CVE-2013-1750 (Heap-based buffer overflow in RealNetworks RealPlayer before 16.0.1.18 ...)
@@ -259819,8 +259853,7 @@ CVE-2013-1430 (An issue was discovered in xrdp before 0.9.1. When successfully l
NOTE: ~/.vnc/sesman_${username}_passwd is created. Its content is the
NOTE: equivalent of the users clear text password, DES encrypted with a known
NOTE: key.
-CVE-2013-1429 [Lintian unsafe symlinks]
- RESERVED
+CVE-2013-1429 (Lintian before 2.5.12 allows remote attackers to gather information ab ...)
- lintian 2.5.10.5 (bug #705553; unimportant)
CVE-2013-1428 (Stack-based buffer overflow in the receive_tcppacket function in net_p ...)
{DSA-2663-1}
@@ -259828,14 +259861,12 @@ CVE-2013-1428 (Stack-based buffer overflow in the receive_tcppacket function in
CVE-2013-1427 (The configuration file for the FastCGI PHP support for lighttpd before ...)
{DSA-2649-1}
- lighttpd 1.4.31-4
-CVE-2013-1426 [mahara: stored XSS in tinyMCE editor]
- RESERVED
+CVE-2013-1426 (Cross-site Scripting (XSS) in Mahara before 1.5.9 and 1.6.x before 1.6 ...)
- mahara <removed> (low)
[wheezy] - mahara <no-dsa> (Minor issue)
[squeeze] - mahara <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/mahara/+bug/1153423
-CVE-2013-1425 [ldap-git-backup: Incorrect directory permissions exposes password hashes]
- RESERVED
+CVE-2013-1425 (ldap-git-backup before 1.0.4 exposes password hashes due to incorrect ...)
- ldap-git-backup 1.0.4-1 (bug #699227)
CVE-2013-1424 [matplotlib buffer overrun]
RESERVED
@@ -280583,8 +280614,7 @@ CVE-2007-6746 (telepathy-idle before 0.1.15 does not verify (1) that the issuer
- telepathy-idle 0.1.15-1 (low; bug #706094)
[wheezy] - telepathy-idle <no-dsa> (Minor issue)
[squeeze] - telepathy-idle <no-dsa> (Minor issue)
-CVE-2007-6745 [clamav floating point exception in OLE2 scanner DoS]
- RESERVED
+CVE-2007-6745 (clamav 0.91.2 suffers from a floating point exception when using ScanO ...)
- clamav 0.91.2-1~volatile1
[etch] - clamav <not-affected> (Vulnerable code not present)
[sarge] - clamav <not-affected> (Vulnerable code not present)
@@ -301630,8 +301660,7 @@ CVE-2010-2474 (JBoss Enterprise Service Bus (ESB) before 4.7 CP02 in JBoss Enter
- jbossas4 <not-affected> (Only builds a few libraries, not the full application server, #581226)
CVE-2010-2470 (Install/Filesystem.pm in Bugzilla 3.5.1 through 3.6.1 and 3.7 through ...)
- bugzilla <not-affected> (Only affects 3.5 to 3.7)
-CVE-2010-2476 [syscp open_basedir bypassing]
- RESERVED
+CVE-2010-2476 (syscp 1.4.2.1 allows attackers to add arbitrary paths via the document ...)
- syscp <removed> (bug #587481)
CVE-2010-2469 (The Linear eMerge 50 and 5000 uses a default password of eMerge for th ...)
NOT-FOR-US: Linear eMerge
@@ -304124,8 +304153,7 @@ CVE-2009-4812 (Wolfram Research webMathematica allows remote attackers to obtain
NOT-FOR-US: Wolfram Research webMathematica
CVE-2009-4811 (VMware Authentication Daemon 1.0 in vmware-authd.exe in the VMware Aut ...)
NOT-FOR-US: VMware
-CVE-2010-2447 [gitolite "not filtering src/ or hooks/ from pathnames"]
- RESERVED
+CVE-2010-2447 (gitolite before 1.4.1 does not filter src/ or hooks/ from path names. ...)
- gitolite 1.4.2-1 (low)
NOTE: http://secunia.com/advisories/39587/
CVE-2010-2448 (znc.cpp in ZNC before 0.092 allows remote authenticated users to cause ...)
@@ -304823,8 +304851,7 @@ CVE-2010-1373 (Cross-site scripting (XSS) vulnerability in Help Viewer in Apple
CVE-2010-1423 (Argument injection vulnerability in the URI handler in (a) Java NPAPI ...)
- sun-java6 6.20-1 (high)
[lenny] - sun-java6 6-20-0lenny1
-CVE-2010-2449 [gource: predictable log file located in /tmp]
- RESERVED
+CVE-2010-2449 (Gource through 0.26 logs to a predictable file name (/tmp/gource-$UID. ...)
- gource 0.26-2 (low; bug #577958)
CVE-2010-1564
REJECTED
@@ -306474,8 +306501,7 @@ CVE-2010-XXXX [esmtp: world-readable config file]
NOTE: Documentation advises against adding password data to the respective config file
CVE-2010-XXXX [irssi emote leak]
- irssi-plugin-otr 1.0.0~alpha2-1 (unimportant; bug #569506)
-CVE-2010-2450 [shibboleth-sp2: world-readable key]
- RESERVED
+CVE-2010-2450 (The keygen.sh script in Shibboleth SP 2.0 (located in /usr/local/etc/s ...)
- shibboleth-sp2 2.3.1+dfsg-2 (low; bug #571631)
[lenny] - shibboleth-sp2 <no-dsa> (Minor issue)
- shibboleth-sp <not-affected> (Vulnerable code not present)
@@ -314830,8 +314856,7 @@ CVE-2009-2762 (wp-login.php in WordPress 2.8.3 and earlier allows remote attacke
[lenny] - wordpress <not-affected> (Vulnerable code not present)
[etch] - wordpress <not-affected> (Vulnerable code not present)
NOTE: not really a security issue in my opinion, just an annoying bug
-CVE-2008-7291 [gri: insecure temp file generation]
- RESERVED
+CVE-2008-7291 (gri before 2.12.18 generates temporary files in an insecure way. ...)
- gri 2.12.18-1 (low)
[etch] - gri <no-dsa> (Minor issue)
[lenny] - gri <no-dsa> (Minor issue)
@@ -322796,8 +322821,7 @@ CVE-2002-2428 (webs.c in GoAhead WebServer before 2.1.4 allows remote attackers
NOT-FOR-US: GoAhead WebServer
CVE-2002-2427 (The security handler in GoAhead WebServer before 2.1.1 allows remote a ...)
NOT-FOR-US: GoAhead WebServer
-CVE-2008-7272 [iceweasel-firegpg: Passphrase and Cleartext Recovery]
- RESERVED
+CVE-2008-7272 (FireGPG before 0.6 handle user’s passphrase and decrypted cleart ...)
- iceweasel-firegpg <removed> (bug #514386)
CVE-2008-7273 [iceweasel-firegpg: Passphrase and Cleartext Recovery]
RESERVED
@@ -326333,8 +326357,7 @@ CVE-2008-5085
RESERVED
CVE-2008-5084
RESERVED
-CVE-2008-5083
- RESERVED
+CVE-2008-5083 (In JON 2.1.x before 2.1.2 SP1, users can obtain unauthorized security ...)
NOT-FOR-US: Red Hat JBoss Operations Network
CVE-2008-5082 (The verifyProof function in the Token Processing System (TPS) componen ...)
NOT-FOR-US: Red Hat Certificate System
@@ -330731,8 +330754,7 @@ CVE-2008-3280
RESERVED
CVE-2008-3279 (Untrusted search path vulnerability in libbrlttybba.so in brltty 3.7.2 ...)
- brltty <not-affected> (RedHat-specific)
-CVE-2008-3278
- RESERVED
+CVE-2008-3278 (frysk packages through 2008-08-05 as shipped in Red Hat Enterprise Lin ...)
- frysk <removed>
CVE-2008-3277 (Untrusted search path vulnerability in a certain Red Hat build script ...)
- ibutils <not-affected> (RedHat-specific)
@@ -340933,8 +340955,7 @@ CVE-2007-5745 (Multiple heap-based buffer overflows in OpenOffice.org before 2.4
- openoffice.org 2.4.0~ooh680m5-1
CVE-2007-5744
RESERVED
-CVE-2007-5743
- RESERVED
+CVE-2007-5743 (viewvc 1.0.3 allows improper access control to files in a repository w ...)
- viewvc 1.0.3-2.1 (bug #416696)
CVE-2007-5742 (Directory traversal vulnerability in the WML engine preprocessor for W ...)
{DSA-1421-1 DTSA-90-1}
@@ -346236,8 +346257,7 @@ CVE-2007-3916 (The main function in skkdic-expr.c in SKK Tools 1.2 allows local
- skktools 1.2+0.20061004-3 (low)
[sarge] - skktools <no-dsa> (Minor issue)
[etch] - skktools <no-dsa> (Minor issue)
-CVE-2007-3915 [mondo insecure handling of temporary files]
- RESERVED
+CVE-2007-3915 (Mondo 2.24 has insecure handling of temporary files. ...)
- mondo 2.24-2 (low)
CVE-2007-3914
RESERVED
@@ -346698,8 +346718,7 @@ CVE-2007-3734 (Multiple unspecified vulnerabilities in the browser engine in Moz
NOTE: MFSA2007-18
CVE-2007-3733
RESERVED
-CVE-2007-3732
- RESERVED
+CVE-2007-3732 (In Linux 2.6 before 2.6.23, the TRACE_IRQS_ON function in iret_exc cal ...)
- linux-2.6 2.6.23-1
NOTE: Upstream fix: https://git.kernel.org/linus/a10d9a71bafd3a283da240d2868e71346d2aef6f (v2.6.23-rc1)
CVE-2007-3731 (The Linux kernel 2.6.20 and 2.6.21 does not properly handle an invalid ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a3d5962a7c31e8a13a8ab9238e54730390cc3c4d
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a3d5962a7c31e8a13a8ab9238e54730390cc3c4d
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20191108/fdf8d3b8/attachment.html>
More information about the debian-security-tracker-commits
mailing list