[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Tue Nov 19 08:10:35 GMT 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
cc126160 by security tracker role at 2019-11-19T08:10:23Z
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,11 @@
+CVE-2019-19117 (/usr/lib/lua/luci/controller/admin/autoupgrade.lua on PHICOMM K2(PSG12 ...)
+ TODO: check
+CVE-2019-19116
+ RESERVED
+CVE-2019-19115
+ RESERVED
+CVE-2019-19114
+ RESERVED
CVE-2019-19113 (main/resources/mapper/NewBeeMallGoodsMapper.xml in newbee-mall (aka Ne ...)
NOT-FOR-US: newbee-mall
CVE-2019-19112
@@ -503,17 +511,20 @@ CVE-2019-18889 [Forbid serializing AbstractAdapter and TagAwareAdapter instances
NOTE: https://github.com/symfony/symfony/commit/8817d28fcaacb31fe01d267f6e19b44d8179395a
CVE-2019-18888 [Prevent argument injection in a MimeTypeGuesser]
RESERVED
+ {DSA-4573-1 DLA-1999-1}
- symfony 4.3.8+dfsg-1
NOTE: https://symfony.com/blog/cve-2019-18888-prevent-argument-injection-in-a-mimetypeguesser
NOTE: https://github.com/symfony/symfony/commit/691486e43ce0e4893cd703e221bafc10a871f365
NOTE: https://github.com/symfony/symfony/commit/77ddabf2e785ea85860d2720cc86f7c5d8967ed5
CVE-2019-18887 [Use constant time comparison in UriSigner]
RESERVED
+ {DSA-4573-1 DLA-1999-1}
- symfony 4.3.8+dfsg-1
NOTE: https://symfony.com/blog/cve-2019-18887-use-constant-time-comparison-in-urisigner
NOTE: https://github.com/symfony/symfony/commit/cccefe6a7f12e776df0665aeb77fe9294c285fbb
CVE-2019-18886 [Prevent user enumeration using switch user functionality]
RESERVED
+ {DLA-1999-1}
- symfony 4.3.8+dfsg-1
NOTE: https://symfony.com/blog/cve-2019-18886-prevent-user-enumeration-using-switch-user-functionality
NOTE: https://github.com/symfony/symfony/commit/7bd4a92fc9cc15d9a9fbb9eb1041e01b977f8332
@@ -4081,8 +4092,8 @@ CVE-2019-18375
RESERVED
CVE-2019-18374
RESERVED
-CVE-2019-18373
- RESERVED
+CVE-2019-18373 (Norton App Lock, prior to 1.4.0.503, may be susceptible to a bypass ex ...)
+ TODO: check
CVE-2019-18372 (Symantec Endpoint Protection, prior to 14.2 RU2, may be susceptible to ...)
NOT-FOR-US: Symantec Endpoint Protection
CVE-2019-18371 (An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-s ...)
@@ -4425,8 +4436,8 @@ CVE-2019-18217 (ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote
NOTE: https://github.com/proftpd/proftpd/issues/846
CVE-2019-18216 (** DISPUTED ** The BIOS configuration design on ASUS ROG Zephyrus M GM ...)
NOT-FOR-US: BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313
-CVE-2019-18215
- RESERVED
+CVE-2019-18215 (An issue was discovered in signmgr.dll 6.5.0.819 in Comodo Internet Se ...)
+ TODO: check
CVE-2019-18214 (The Video_Converter app 0.1.0 for Nextcloud allows denial of service ( ...)
NOT-FOR-US: Video_Converter app for Nextcloud
CVE-2019-18213 (XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML ...)
@@ -8078,8 +8089,8 @@ CVE-2019-17087
RESERVED
CVE-2019-17086
RESERVED
-CVE-2019-17085
- RESERVED
+CVE-2019-17085 (XXE attack vulnerability on Micro Focus Operations Agent, affected ver ...)
+ TODO: check
CVE-2019-17084
RESERVED
CVE-2019-17083
@@ -13896,8 +13907,8 @@ CVE-2019-15056
RESERVED
CVE-2019-15055 (MikroTik RouterOS through 6.44.5 and 6.45.x through 6.45.3 improperly ...)
NOT-FOR-US: MikroTik RouterOS
-CVE-2019-15054
- RESERVED
+CVE-2019-15054 (Multiple cross-site scripting (XSS) vulnerabilities in Mailbird before ...)
+ TODO: check
CVE-2019-15053 (The "HTML Include and replace macro" plugin before 1.5.0 for Confluenc ...)
NOT-FOR-US: "HTML Include and replace macro" plugin for Confluence Server
CVE-2019-15052 (The HTTP client in Gradle before 5.6 sends authentication credentials ...)
@@ -14492,7 +14503,7 @@ CVE-2019-14871
RESERVED
CVE-2019-14870
RESERVED
-CVE-2019-14869 (A flaw was found in all versions of ghostscript 9.x before 9.28, where ...)
+CVE-2019-14869 (A flaw was found in all versions of ghostscript 9.x before 9.50, where ...)
{DSA-4569-1 DLA-1992-1}
- ghostscript <unfixed> (bug #944760)
NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904772c5f0aa1140032746e5a0abfc40f4cef
@@ -14717,7 +14728,7 @@ CVE-2019-14818 (A flaw was found in all dpdk version 17.x.x before 17.11.8, 16.x
- dpdk 18.11.4-1
NOTE: http://mails.dpdk.org/archives/announce/2019-November/000293.html
NOTE: https://bugs.dpdk.org/show_bug.cgi?id=363
-CVE-2019-14817 (A flaw was found in, ghostscript versions prior to 9.28, in the .pdfex ...)
+CVE-2019-14817 (A flaw was found in, ghostscript versions prior to 9.50, in the .pdfex ...)
{DSA-4518-1 DLA-1915-1}
- ghostscript 9.28~~rc2~dfsg-1
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701450
@@ -14737,7 +14748,7 @@ CVE-2019-14815
CVE-2019-14814 (There is heap-based buffer overflow in Linux kernel, all versions up t ...)
{DLA-1930-1}
- linux 5.2.17-1
-CVE-2019-14813 (A flaw was found in ghostscript, versions 9.x before 9.28, in the sets ...)
+CVE-2019-14813 (A flaw was found in ghostscript, versions 9.x before 9.50, in the sets ...)
{DSA-4518-1 DLA-1915-1}
- ghostscript 9.28~~rc2~dfsg-1
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701443
@@ -14756,7 +14767,7 @@ CVE-2019-14812
NOTE: For recent versions (9.28~~rc1~dfsg-1) the issue is mitigated starting
NOTE: from http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff
NOTE: which changed the access to file permissions.
-CVE-2019-14811 (A flaw was found in, ghostscript versions prior to 9.28, in the .pdf_h ...)
+CVE-2019-14811 (A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_h ...)
{DSA-4518-1 DLA-1915-1}
- ghostscript 9.28~~rc2~dfsg-1
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701445
@@ -21643,6 +21654,7 @@ CVE-2019-12839 (In OrangeHRM 4.3.1 and before, there is an input validation erro
CVE-2013-7472 (The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via t ...)
NOT-FOR-US: "Count per Day" plugin for WordPress
CVE-2019-12838 (SchedMD Slurm 17.11.x, 18.08.0 through 18.08.7, and 19.05.0 allows SQL ...)
+ {DSA-4572-1}
- slurm-llnl 19.05.3.2-1 (bug #931880)
[stretch] - slurm-llnl <no-dsa> (Too intrusive to backport)
NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2019/000025.html
@@ -22756,8 +22768,7 @@ CVE-2019-12424
RESERVED
CVE-2019-12423
RESERVED
-CVE-2019-12422 [weak cookie vulnerability]
- RESERVED
+CVE-2019-12422 (Apache Shiro before 1.4.2, when using the default "remember me" config ...)
- shiro <unfixed>
NOTE: https://www.openwall.com/lists/oss-security/2019/11/18/1
TODO: check details on fix
@@ -22785,8 +22796,8 @@ CVE-2019-12411
RESERVED
CVE-2019-12410 (While investigating UBSAN errors in https://github.com/apache/arrow/pu ...)
NOT-FOR-US: Apache Arrow
-CVE-2019-12409
- RESERVED
+CVE-2019-12409 (The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure settin ...)
+ TODO: check
CVE-2019-12408 (It was discovered that the C++ implementation (which underlies the R, ...)
NOT-FOR-US: Apache Arrow
CVE-2019-12407 (On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin ...)
@@ -22798,7 +22809,7 @@ CVE-2019-12405 (Improper authentication is possible in Apache Traffic Control ve
CVE-2019-12404 (On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin ...)
- jspwiki <removed>
CVE-2019-12403
- RESERVED
+ REJECTED
CVE-2019-12402 (The file name encoding algorithm used internally in Apache Commons Com ...)
- libcommons-compress-java 1.18-3 (low; bug #939610)
[buster] - libcommons-compress-java <no-dsa> (Minor issue)
@@ -27377,10 +27388,10 @@ CVE-2019-10766
RESERVED
CVE-2019-10765
RESERVED
-CVE-2019-10764
- RESERVED
-CVE-2019-10763
- RESERVED
+CVE-2019-10764 (In elliptic-php versions priot to 1.0.6, Timing attacks might be possi ...)
+ TODO: check
+CVE-2019-10763 (pimcore/pimcore before 6.3.0 is vulnerable to SQL Injection. An attack ...)
+ TODO: check
CVE-2019-10762 (columnQuote in medoo before 1.7.5 allows remote attackers to perform a ...)
NOT-FOR-US: medoo
CVE-2019-10761
@@ -29324,8 +29335,7 @@ CVE-2019-10072 (The fix for CVE-2019-0199 was incomplete and did not address HTT
NOTE: https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3E
CVE-2019-10071 (The code which checks HMAC in form submissions used String.equals() fo ...)
NOT-FOR-US: Apache Tapestry
-CVE-2019-10070
- RESERVED
+CVE-2019-10070 (Apache Atlas versions 0.8.3 and 1.1.0 were found vulnerable to Stored ...)
NOT-FOR-US: Apache Atlas
CVE-2019-10069 (In Godot through 3.1, remote code execution is possible due to the des ...)
NOT-FOR-US: Godot
@@ -231141,8 +231151,7 @@ CVE-2014-5047
RESERVED
CVE-2014-5046
RESERVED
-CVE-2014-5118
- RESERVED
+CVE-2014-5118 (A Security Bypass Vulnerability exists in TBOOT before 1.8.2 in the bo ...)
NOT-FOR-US: tboot
CVE-2014-5117 (Tor before 0.2.4.23 and 0.2.5 before 0.2.5.6-alpha maintains a circuit ...)
{DSA-2993-1 DLA-17-1}
@@ -270088,20 +270097,16 @@ CVE-2012-4443 (Monkey HTTP Daemon 0.9.3 uses a real UID of root and a real GID o
- monkey <removed> (unimportant; bug #688008)
CVE-2012-4442 (Monkey HTTP Daemon 0.9.3 retains the supplementary group IDs of the ro ...)
- monkey <removed> (unimportant; bug #688007)
-CVE-2012-4441 [jenkins XSS in CI game plugin]
- RESERVED
+CVE-2012-4441 (Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before ...)
- jenkins <not-affected> (Plugin not built in Debian source package)
NOTE: http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
-CVE-2012-4440 [jenkins XSS in Violations plugin]
- RESERVED
+CVE-2012-4440 (Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before ...)
- jenkins <not-affected> (Plugin not built in Debian source package)
NOTE: http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
-CVE-2012-4439 [jenkins XSS]
- RESERVED
+CVE-2012-4439 (Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before ...)
- jenkins 1.447.2+dfsg-2 (bug #688298)
NOTE: http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
-CVE-2012-4438 [jenkins remote code execution]
- RESERVED
+CVE-2012-4438 (Jenkins main before 1.482 and LTS before 1.466.2 allows remote attacke ...)
- jenkins 1.447.2+dfsg-2 (bug #688298)
NOTE: http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
CVE-2012-4437 (Cross-site scripting (XSS) vulnerability in the SmartyException class ...)
@@ -298624,7 +298629,7 @@ CVE-2010-3847 (elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6)
CVE-2010-3846 (Array index error in the apply_rcs_change function in rcs.c in CVS 1.1 ...)
- cvs <not-affected> (vulnerable code not present)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3852
-CVE-2010-3844 (An unchecked sscanf() call in ettercap 0.7.3 allows an insecure tempor ...)
+CVE-2010-3844 (An unchecked sscanf() call in ettercap before 0.7.5 allows an insecure ...)
- ettercap 1:0.7.4-1 (unimportant; bug #600130)
NOTE: Very far-fetched attack vector
CVE-2010-3843
@@ -323697,8 +323702,7 @@ CVE-2002-2427 (The security handler in GoAhead WebServer before 2.1.1 allows rem
NOT-FOR-US: GoAhead WebServer
CVE-2008-7272 (FireGPG before 0.6 handle user’s passphrase and decrypted cleart ...)
- iceweasel-firegpg <removed> (bug #514386)
-CVE-2008-7273 [iceweasel-firegpg: Passphrase and Cleartext Recovery]
- RESERVED
+CVE-2008-7273 (A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure ...)
- iceweasel-firegpg <removed> (bug #514386)
CVE-2009-0431 (SQL injection vulnerability in Default.asp in LinksPro Standard Editio ...)
NOT-FOR-US: LinksPro
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cc1261606d0622597baeb73d346faff4f95c36cb
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cc1261606d0622597baeb73d346faff4f95c36cb
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20191119/4e9ae79d/attachment-0001.html>
More information about the debian-security-tracker-commits
mailing list