[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Tue Nov 19 20:10:43 GMT 2019



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7158540c by security tracker role at 2019-11-19T20:10:27Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,7 @@
+CVE-2019-19119
+	RESERVED
+CVE-2019-19118
+	RESERVED
 CVE-2019-19117 (/usr/lib/lua/luci/controller/admin/autoupgrade.lua on PHICOMM K2(PSG12 ...)
 	NOT-FOR-US: PHICOMM K2(PSG1218) devices
 CVE-2019-19116
@@ -161,7 +165,7 @@ CVE-2019-19051 (A memory leak in the i2400m_op_rfkill_sw_toggle() function in dr
 	NOTE: https://git.kernel.org/linus/6f3ef5c25cc762687a7341c18cbea5af54461407
 CVE-2019-19050 (A memory leak in the crypto_reportstat() function in crypto/crypto_use ...)
 	- linux <unfixed>
-CVE-2019-19049 (A memory leak in the unittest_data_add() function in drivers/of/unitte ...)
+CVE-2019-19049 (** DISPUTED ** A memory leak in the unittest_data_add() function in dr ...)
 	- linux <unfixed>
 	NOTE: https://git.kernel.org/linus/e13de8fe0d6a51341671bbe384826d527afe8d44
 CVE-2019-19048 (A memory leak in the crypto_reportstat() function in drivers/virt/vbox ...)
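Review bot: the CVE-2019-19049 description now carries the "** DISPUTED **" marker, but the entry below it is unchanged and still tracks `- linux <unfixed>` with only the upstream commit link as a NOTE. If the dispute means the leak is not considered a security issue, the entry should say so, for example by adding a severity tag such as `(unimportant)` on the `- linux <unfixed>` line together with a NOTE stating why; otherwise the entry keeps looking like an open, unrated kernel issue.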
@@ -405,8 +409,7 @@ CVE-2019-18936
 	RESERVED
 CVE-2019-18935
 	RESERVED
-CVE-2019-18934 [Vulnerability in IPSEC module]
-	RESERVED
+CVE-2019-18934 (Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec modul ...)
 	- unbound <unfixed> (unimportant)
 	[stretch] - unbound <not-affected> (ipsecmod module introduced later)
 	[jessie] - unbound <not-affected> (ipsecmod module introduced later)
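Review bot: the `- unbound <unfixed> (unimportant)` line for CVE-2019-18934 has no NOTE explaining the rating, while the two `<not-affected>` lines for stretch and jessie do carry a rationale ("ipsecmod module introduced later"). Now that the description states the affected range (1.6.4 through 1.9.4) it would help future triage to add a NOTE line recording why the issue is rated unimportant for the unstable package, in the same way the suite-specific lines are annotated.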
@@ -501,6 +504,7 @@ CVE-2019-18891
 	RESERVED
 CVE-2019-18890 [SQL injection]
 	RESERVED
+	{DSA-4574-1}
 	- redmine 3.4.2-1
 	NOTE: https://www.redmine.org/news/125
 	NOTE: https://www.redmine.org/projects/redmine/repository/revisions/16196
@@ -7363,6 +7367,7 @@ CVE-2015-9457 (The pretty-link plugin before 1.6.8 for WordPress has PrliLinksCo
 CVE-2019-17428
 	RESERVED
 CVE-2019-17427 (In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists ...)
+	{DSA-4574-1}
 	- redmine 4.0.4-1
 	NOTE: Fixed in 3.4.11 and 4.0.4
 	NOTE: https://github.com/redmine/redmine/commit/899fc2e0cd2bcb4f5f9333b612b160bb9c6e803b
@@ -8759,10 +8764,10 @@ CVE-2019-16863 (STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 a
 	NOT-FOR-US: STMicroelectronics
 CVE-2019-16862 (Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 5.x befor ...)
 	NOT-FOR-US: OpenEMR
-CVE-2019-16861
-	RESERVED
-CVE-2019-16860
-	RESERVED
+CVE-2019-16861 (Code42 server through 7.0.2 for Windows has an Untrusted Search Path.  ...)
+	TODO: check
+CVE-2019-16860 (Code42 app through version 7.0.2 for Windows has an Untrusted Search P ...)
+	TODO: check
 CVE-2019-16859
 	RESERVED
 CVE-2019-16858
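Review bot: both new Code42 entries (CVE-2019-16861 and CVE-2019-16860) are left as `TODO: check`, yet their descriptions already say "for Windows" and describe an Untrusted Search Path in a Windows server and app. Unless Code42 ships in the archive, these can be resolved directly as `NOT-FOR-US: Code42`, matching how the neighbouring OpenEMR and STMicroelectronics entries in this hunk are handled, rather than leaving two open TODO items.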
@@ -25997,8 +26002,8 @@ CVE-2019-11291
 	RESERVED
 CVE-2019-11290
 	RESERVED
-CVE-2019-11289
-	RESERVED
+CVE-2019-11289 (Cloud Foundry Routing, all versions before 0.193.0, does not properly  ...)
+	TODO: check
 CVE-2019-11288
 	RESERVED
 CVE-2019-11287
@@ -166927,8 +166932,7 @@ CVE-2016-1000238
 	RESERVED
 CVE-2016-1000237
 	RESERVED
-CVE-2016-1000236
-	RESERVED
+CVE-2016-1000236 (Node-cookie-signature before 1.0.6 is affected by a timing attack due  ...)
 	- node-cookie-signature 1.1.0-1 (unimportant; bug #838618)
 	NOTE: https://nodesecurity.io/advisories/134
 	NOTE: https://github.com/tj/node-cookie-signature/commit/39791081692e9e14aa62855369e1c7f80fbfd50e
@@ -174152,8 +174156,7 @@ CVE-2016-1000100
 	REJECTED
 CVE-2016-1000008
 	RESERVED
-CVE-2016-1000006
-	RESERVED
+CVE-2016-1000006 (hhvm before 3.12.11 has a use-after-free in the serialize_memoize_para ...)
 	- hhvm 3.12.11+dfsg-1
 CVE-2016-1000005
 	RESERVED
@@ -230105,8 +230108,7 @@ CVE-2014-5441 (Multiple cross-site scripting (XSS) vulnerabilities in app/views/
 	NOT-FOR-US: Fat Free CRM
 CVE-2014-5440 (SQL injection vulnerability in Login.aspx in MPEX Business Solutions M ...)
 	NOT-FOR-US: MX-SmartTimer
-CVE-2014-5439
-	RESERVED
+CVE-2014-5439 (sniffit 0.3.7 and prior: A configuration file can be leveraged to exec ...)
 	{DLA-713-1}
 	- sniffit 0.3.7.beta-20 (bug #845122)
 	[jessie] - sniffit 0.3.7.beta-17+deb8u1
@@ -265107,8 +265109,7 @@ CVE-2012-6137 (rhn-migrate-classic-to-rhsm tool in Red Hat subscription-manager
 CVE-2012-6136
 	RESERVED
 	- tuned <not-affected> (Fixed before initial release to Debian)
-CVE-2012-6135
-	RESERVED
+CVE-2012-6135 (RubyGems passenger 4.0.0 betas 1 and 2 allows remote attackers to dele ...)
 	- ruby-passenger <not-affected> (Vulnerable code not present; bug #702219)
 	NOTE: 4.0.0 betas only
 CVE-2012-6134 (Cross-site request forgery (CSRF) vulnerability in the omniauth-oauth2 ...)
@@ -265361,12 +265362,10 @@ CVE-2012-6072 (CRLF injection vulnerability in Jenkins before 1.491, Jenkins LTS
 	- jenkins-winstone 0.9.10-jenkins-37+dfsg-2 (bug #696974)
 	NOTE: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-11-20
 	NOTE: http://www.openwall.com/lists/oss-security/2012/12/28/1
-CVE-2012-6071 [libnusoap-php: Curl insecure usage]
-	RESERVED
+CVE-2012-6071 (nuSOAP before 0.7.3-5 does not properly check the hostname of a cert. ...)
 	- nusoap 0.7.3-5 (low; bug #696707)
 	[squeeze] - nusoap <no-dsa> (Minor issue)
-CVE-2012-6070 [falconpl: Curl insecure usage]
-	RESERVED
+CVE-2012-6070 (Falconpl before 0.9.6.9-git20120606 misuses the libcurl API which may  ...)
 	- falconpl 0.9.6.9-git20120606-2 (bug #696681)
 CVE-2011-5250
 	RESERVED
@@ -279289,12 +279288,10 @@ CVE-2012-0845 (SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.
 CVE-2012-0844
 	RESERVED
 	- netsurf 2.8-2 (bug #659376)
-CVE-2012-0843
-	RESERVED
+CVE-2012-0843 (uzbl: Information disclosure via world-readable cookies storage file ...)
 	- uzbl 0.0.0~git.20111128-2 (bug #659379)
 	[squeeze] - uzbl <no-dsa> (Minor issue)
-CVE-2012-0842 [surf info leak]
-	RESERVED
+CVE-2012-0842 (surf: cookie jar has read access from other local user ...)
 	- surf 0.4.1-6 (bug #659296)
 CVE-2012-0841 (libxml2 before 2.8.0 computes hash values without restricting the abil ...)
 	{DSA-2417-1}
@@ -279345,8 +279342,7 @@ CVE-2012-0825 (Drupal 6.x before 6.23 and 7.x before 7.11 does not verify that A
 	{DSA-2776-1}
 	- drupal7 7.11-1
 	- drupal6 6.26-1
-CVE-2012-0824
-	RESERVED
+CVE-2012-0824 (gnusound 0.7.5 has format string issue ...)
 	- gnusound <removed> (low; bug #654270)
 	[squeeze] - gnusound 0.7.5-3+squeeze1
 CVE-2012-0823 (VP8 Codec SDK (libvpx) before 1.0.0 "Duclair" allows remote attackers  ...)
@@ -281092,16 +281088,14 @@ CVE-2011-4969 (Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3,
 	[squeeze] - jquery <no-dsa> (Minor issue)
 	NOTE: http://blog.jquery.com/2011/09/01/jquery-1-6-3-released/
 	NOTE: https://github.com/jquery/jquery/commit/db9e023e62c1ff5d8f21ed9868ab6878da2005e9
-CVE-2011-4968 [nginx http proxy module does not verify peer identity of https origin server]
-	RESERVED
+CVE-2011-4968 (nginx http proxy module does not verify peer identity of https origin  ...)
 	- nginx 1.9.1-1 (low; bug #697940)
 	[jessie] - nginx <no-dsa> (Minor issue)
 	[squeeze] - nginx <no-dsa> (Minor issue)
 	[wheezy] - nginx <no-dsa> (Minor issue)
 	NOTE: http://trac.nginx.org/nginx/ticket/13
 	NOTE: Upstream commit: http://trac.nginx.org/nginx/changeset/060c2e692b96a150b584b8e30d596be1f2defa9c/nginx
-CVE-2011-4967
-	RESERVED
+CVE-2011-4967 (tog-Pegasus has a package hash collision DoS vulnerability ...)
 	NOT-FOR-US: OpenPegasus
 CVE-2011-4966 (modules/rlm_unix/rlm_unix.c in FreeRADIUS before 2.2.0, when unix mode ...)
 	- freeradius 2.1.12+dfsg-1.2 (low; bug #694407)
@@ -281135,13 +281129,11 @@ CVE-2011-4956 (Cross-site scripting (XSS) vulnerability in WordPress before 3.1.
 	- wordpress 3.2.1+dfsg-1
 CVE-2011-4955 (Multiple cross-site scripting (XSS) vulnerabilities in ui_stats.php in ...)
 	NOT-FOR-US: wordpress bsuite plugin
-CVE-2011-4954
-	RESERVED
+CVE-2011-4954 (cobbler has local privilege escalation via the use of insecure locatio ...)
 	- cobbler <not-affected> (Fixed before initial upload)
 CVE-2011-4953 (The set_mgmt_parameters function in item.py in cobbler before 2.2.2 al ...)
 	- cobbler <not-affected> (Fixed before initial upload)
-CVE-2011-4952
-	RESERVED
+CVE-2011-4952 (cobbler: Web interface lacks CSRF protection when using Django framewo ...)
 	- cobbler <not-affected> (Fixed before initial upload)
 CVE-2011-4951 (Open redirect vulnerability in phpgwapi/ntlm/index.php in EGroupware E ...)
 	NOT-FOR-US: EGroupware
@@ -281239,8 +281231,7 @@ CVE-2011-4921 (SQL injection vulnerability in usersettings.php in e107 0.7.26, a
 	NOT-FOR-US: e107
 CVE-2011-4920 (Multiple cross-site scripting (XSS) vulnerabilities in e107 0.7.26, an ...)
 	NOT-FOR-US: e107
-CVE-2011-4919 [mpack info disclosure]
-	RESERVED
+CVE-2011-4919 (mpack 1.6 has information disclosure via eavesdropping on mails sent b ...)
 	- mpack 1.6-8 (low; bug #655971)
 	[squeeze] - mpack <no-dsa> (Minor issue)
 	NOTE: http://openwall.com/lists/oss-security/2011/12/31/1
@@ -287938,11 +287929,9 @@ CVE-2011-2923
 	RESERVED
 	- foomatic-filters <unfixed> (unimportant)
 	NOTE: debug mode-only
-CVE-2011-2922
-	RESERVED
+CVE-2011-2922 (ktsuss versions 1.4 and prior spawns the GTK interface to run as root. ...)
 	- ktsuss <removed>
-CVE-2011-2921
-	RESERVED
+CVE-2011-2921 (ktsuss versions 1.4 and prior has the uid set to root and does not dro ...)
 	- ktsuss <removed>
 CVE-2011-2920 (Multiple cross-site scripting (XSS) vulnerabilities in Spacewalk 1.6,  ...)
 	NOT-FOR-US: Red Hat Network Satellite server
@@ -291662,7 +291651,7 @@ CVE-2011-1590 (The X.509if dissector in Wireshark 1.2.x before 1.2.16 and 1.4.x
 CVE-2011-1589 (Directory traversal vulnerability in Path.pm in Mojolicious before 1.1 ...)
 	{DSA-2221-1}
 	- libmojolicious-perl 1.16-1
-CVE-2011-1588 (Thunar 1.2 through 1.2.1 could crash when copy and pasting a file name ...)
+CVE-2011-1588 (Thunar before 1.3.1 could crash when copy and pasting a file name with ...)
 	- thunar <not-affected> (Introduced in 1.2, only in experimental)
 	NOTE: http://git.xfce.org/xfce/thunar/diff/?id=03dd312e157d4fa8a11d5fa402706ae5b05806fa
 CVE-2011-1587 (Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.4, w ...)
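Review bot: the CVE-2011-1588 description changes the affected range from "Thunar 1.2 through 1.2.1" to "Thunar before 1.3.1", but the Debian line `- thunar <not-affected> (Introduced in 1.2, only in experimental)` is untouched. The wider upstream range is not by itself a contradiction, since the rationale claims the bug was introduced in 1.2, but it is worth re-checking against the linked xfce.org diff in the NOTE that no pre-1.2 Thunar in a stable suite is affected, and updating the rationale if the "introduced in 1.2" claim no longer holds.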



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7158540c01cd12b403e2b35d01a027a57caea78f


