[Git][security-tracker-team/security-tracker][master] new libarchive, onig, shib issues
Moritz Muehlenhoff
jmm at debian.org
Fri Nov 22 11:02:08 GMT 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3389667a by Moritz Muehlenhoff at 2019-11-22T11:01:38Z
new libarchive, onig, shib issues
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -9,7 +9,9 @@ CVE-2019-19223
CVE-2019-19222
RESERVED
CVE-2019-19221 (In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string ...)
- TODO: check
+ - libarchive <unfixed>
+ NOTE: https://github.com/libarchive/libarchive/commit/22b1db9d46654afc6f0c28f90af8cdc84a199f41
+ NOTE: https://github.com/libarchive/libarchive/issues/1276
CVE-2019-19220
RESERVED
CVE-2019-19219
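Review bot: the libarchive entry identifies the upstream fix commit (22b1db9d...) and the upstream issue but carries no severity marker and no Debian bug reference, so a maintainer reading the tracker has no pointer to act on; since the fix is already known, consider filing a bug against libarchive and recording its number on the `- libarchive <unfixed>` line, and adding a severity tag in the style of the `(unimportant)` markers used on the python3.x entries later in this file.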
@@ -37,17 +39,21 @@ CVE-2019-19209
CVE-2019-19208
RESERVED
CVE-2019-19207 (rConfig 3.9.2 allows devices.php?searchColumn= SQL injection. ...)
- TODO: check
+ NOT-FOR-US: rConfig
CVE-2019-19206
RESERVED
CVE-2019-19205
RESERVED
CVE-2019-19204 (An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the func ...)
- TODO: check
+ - libonig <unfixed>
+ NOTE: https://github.com/kkos/oniguruma/issues/162
+ NOTE: https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2
CVE-2019-19203 (An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the func ...)
- TODO: check
+ - libonig <unfixed>
+ NOTE: https://github.com/kkos/oniguruma/issues/163
+ NOTE: https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2
CVE-2019-19202 (In Vtiger 7.x before 7.2.0, the My Preferences saving functionality al ...)
- TODO: check
+ NOT-FOR-US: Vtiger CRM
CVE-2019-19201
RESERVED
CVE-2019-19200
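Review bot: the two Oniguruma entries (CVE-2019-19204 and CVE-2019-19203) link the upstream issues and the v6.9.4_rc2 release tag but not the individual fix commits, unlike the libarchive entry in the first hunk, so whoever backports for libonig has to dig the commits out of the tag; consider adding the fix commit URLs as further NOTE lines. Both entries also lack a severity marker.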
@@ -57,7 +63,7 @@ CVE-2019-19199
CVE-2019-19198
RESERVED
CVE-2019-19197 (IOCTL Handling in the kyrld.sys driver in Kyrol Internet Security 9.0. ...)
- TODO: check
+ NOT-FOR-US: Kyrol Internet Security
CVE-2019-19196
RESERVED
CVE-2019-19195
@@ -69,7 +75,9 @@ CVE-2019-19193
CVE-2019-19192
RESERVED
CVE-2019-19191 (Shibboleth Service Provider (SP) 3.x before 3.1.0 shipped a spec file ...)
- TODO: check
+ - shibboleth-sp <unfixed>
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1157471
+ NOTE: https://issues.shibboleth.net/jira/browse/SSPCPP-874
CVE-2019-19190
RESERVED
CVE-2019-19189
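Review bot: the Shibboleth entry is recorded as `- shibboleth-sp <unfixed>`, yet the description refers to a shipped spec file and the first NOTE points to a SUSE bugzilla, which reads like an RPM packaging issue; a NOTE should state whether the Debian shibboleth-sp packaging is actually affected (and how) before the package is tracked as unfixed, or the entry should be marked not-affected with the reason given.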
@@ -426,7 +434,7 @@ CVE-2019-19035 (jhead 3.03 is affected by: heap-based buffer over-read. The impa
CVE-2019-19034
RESERVED
CVE-2019-19033 (Jalios JCMS 10 allows attackers to access any part of the website and ...)
- TODO: check
+ NOT-FOR-US: Jalios JCMS
CVE-2019-19032
RESERVED
CVE-2019-19031
@@ -485,7 +493,7 @@ CVE-2019-19008
CVE-2019-19007
RESERVED
CVE-2019-19006 (Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197. ...)
- TODO: check
+ NOT-FOR-US: FreePBX
CVE-2019-19005
RESERVED
CVE-2019-19004
@@ -583,7 +591,7 @@ CVE-2019-18960
CVE-2019-18959
RESERVED
CVE-2019-18958 (Nitro Pro before 13.2 creates a debug.log file in the directory where ...)
- TODO: check
+ NOT-FOR-US: Nitro Pro
CVE-2019-18957 (Microstrategy Library in MicroStrategy before 2019 before 11.1.3 has r ...)
NOT-FOR-US: Microstrategy Library
CVE-2019-18956
@@ -637,7 +645,7 @@ CVE-2019-18934 (Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec
NOTE: Debian binary packages not built with --enable-ipsecmod
NOTE: https://nlnetlabs.nl/downloads/unbound/CVE-2019-18934.txt
CVE-2019-18933 (In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new ...)
- TODO: check
+ NOT-FOR-US: Zulip
CVE-2019-18932
RESERVED
CVE-2019-18931 (Western Digital My Cloud EX2 Ultra firmware 2.31.195 allows a Buffer O ...)
@@ -4375,7 +4383,7 @@ CVE-2019-18351
CVE-2019-18350 (In Ant Design Pro 4.0.0, reflected XSS in the user/login redirect GET ...)
NOT-FOR-US: Ant Design Pro
CVE-2019-18349 (HotkeyP through 4.9 r96 allows privilege escalation in the privilege f ...)
- TODO: check
+ NOT-FOR-US: HotkeyP
CVE-2019-18348 (An issue was discovered in urllib2 in Python 2.x through 2.7.17 and ur ...)
- python3.8 <unfixed> (unimportant)
- python3.7 <unfixed> (unimportant)
@@ -6806,7 +6814,7 @@ CVE-2019-17652
CVE-2019-17651
RESERVED
CVE-2019-17650 (An Improper Neutralization of Special Elements used in a Command vulne ...)
- TODO: check
+ NOT-FOR-US: Fortiguard
CVE-2019-17649
RESERVED
CVE-2019-17648
@@ -7608,7 +7616,7 @@ CVE-2019-17423
CVE-2019-17422
RESERVED
CVE-2019-17421 (Incorrect file permissions on the packaged Nipper executable file in Z ...)
- TODO: check
+ NOT-FOR-US: Zoho
CVE-2019-17420 (In OISF LibHTP before 0.5.31, as used in Suricata 4.1.4 and other prod ...)
- libhtp 1:0.5.31-1
NOTE: https://github.com/OISF/libhtp/pull/213
@@ -7914,7 +7922,7 @@ CVE-2019-17274
CVE-2019-17273
RESERVED
CVE-2019-17272 (All versions of ONTAP Select Deploy administration utility are suscept ...)
- TODO: check
+ NOT-FOR-US: ONTAP
CVE-2019-17271 (vBulletin 5.5.4 allows SQL Injection via the ajax/api/hook/getHookList ...)
NOT-FOR-US: vBulletin
CVE-2019-17270
@@ -9200,7 +9208,7 @@ CVE-2019-16760 (Cargo prior to Rust 1.26.0 may download the wrong dependency if
CVE-2019-16759 (vBulletin 5.x through 5.5.4 allows remote command execution via the wi ...)
NOT-FOR-US: vBulletin
CVE-2019-16758 (In Lexmark Services Monitor 2.27.4.0.39 (running on TCP port 2070), a ...)
- TODO: check
+ NOT-FOR-US: Lexmark
CVE-2019-16757
RESERVED
CVE-2019-16756
@@ -10053,9 +10061,9 @@ CVE-2019-16408
CVE-2019-16407 (JetBrains ReSharper installers for versions before 2019.2 had a DLL Hi ...)
NOT-FOR-US: JetBrains ReSharper installer
CVE-2019-16406 (Centreon Web 19.04.4 has weak permissions within the OVA (aka VMware v ...)
- TODO: check
+ NOT-FOR-US: Centreon web UI (not packaged in Debian)
CVE-2019-16405 (Centreon Web 19.04.4 allows Remote Code Execution by an administrator ...)
- TODO: check
+ NOT-FOR-US: Centreon web UI (not packaged in Debian)
CVE-2019-16404 (Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php ...)
NOT-FOR-US: OpenEMR
CVE-2019-16403 (In Webkul Bagisto before 0.1.5, the functionalities for customers to c ...)
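Review bot: the two Centreon entries use `NOT-FOR-US: Centreon web UI (not packaged in Debian)`, while every other NOT-FOR-US line in this diff carries only the product name; NOT-FOR-US already means the software is not packaged in Debian, so the parenthetical is redundant and a plain `NOT-FOR-US: Centreon` would match the file's style.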
@@ -10278,7 +10286,7 @@ CVE-2019-16342
CVE-2019-16341
RESERVED
CVE-2019-16340 (Belkin Linksys Velop 1.1.8.192419 devices allows remote attackers to d ...)
- TODO: check
+ NOT-FOR-US: Belkin
CVE-2019-16339
RESERVED
CVE-2019-16338
@@ -12174,7 +12182,7 @@ CVE-2019-15706
CVE-2019-15705
RESERVED
CVE-2019-15704 (A clear text storage of sensitive information vulnerability in FortiCl ...)
- TODO: check
+ NOT-FOR-US: Fortinet
CVE-2019-15703 (An Insufficient Entropy in PRNG vulnerability in Fortinet FortiOS 6.2. ...)
NOT-FOR-US: Fortinet
CVE-2019-15702 (In the TCP implementation (gnrc_tcp) in RIOT through 2019.07, the pars ...)
@@ -12703,7 +12711,7 @@ CVE-2019-15513 (An issue was discovered in OpenWrt libuci (aka Library for the U
CVE-2019-15512
RESERVED
CVE-2019-15511 (An exploitable local privilege escalation vulnerability exists in the ...)
- TODO: check
+ NOT-FOR-US: GOG Galaxy
CVE-2019-15510
RESERVED
CVE-2019-15509
@@ -21021,7 +21029,7 @@ CVE-2019-13159
CVE-2019-13158
RESERVED
CVE-2019-13157 (nsGreen.dll in Naver Vaccine 2.1.4 allows remote attackers to overwrit ...)
- TODO: check
+ NOT-FOR-US: Naver Vaccine
CVE-2019-13156 (NDrive(1.2.2).sys in Naver Cloud Explorer has a stack-based buffer ove ...)
NOT-FOR-US: Naver Cloud Explorer
CVE-2019-13155 (An issue was discovered in TRENDnet TEW-827DRU firmware before 2.05B11 ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3389667a8e4497138459b19d73351e1eaa36c2de