[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Tue Oct 1 09:10:25 BST 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c462bcb2 by security tracker role at 2019-10-01T08:10:12Z
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -424,6 +424,7 @@ CVE-2019-16871
CVE-2019-16870
RESERVED
CVE-2019-16869 (Netty before 4.1.42.Final mishandles whitespace before the colon in HT ...)
+ {DLA-1941-1}
- netty <unfixed> (bug #941266)
NOTE: https://github.com/netty/netty/issues/9571
CVE-2019-16868 (emlog through 6.0.0beta has an arbitrary file deletion vulnerability v ...)
@@ -724,8 +725,8 @@ CVE-2019-16762
RESERVED
CVE-2019-16761
RESERVED
-CVE-2019-16760
- RESERVED
+CVE-2019-16760 (Cargo prior to Rust 1.26.0 may download the wrong dependency if your p ...)
+ TODO: check
CVE-2019-16759 (vBulletin 5.x through 5.5.4 allows remote command execution via the wi ...)
NOT-FOR-US: vBulletin
CVE-2019-16758
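Review bot: the `TODO: check` left on CVE-2019-16760 should be turned into a triage line rather than shipped open, since Cargo is packaged in Debian (the `cargo` source package) and the description already gives the boundary ("Cargo prior to Rust 1.26.0") to compare against the packaged versions; a `- cargo <fixed-version>` or `<not-affected>` line with a NOTE pointing at the upstream advisory would close it.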
@@ -734,7 +735,7 @@ CVE-2019-16757
RESERVED
CVE-2019-16756
RESERVED
-CVE-2019-16755 (A vulnerability was discovered in BMC MyIT Digital Workplace DWP befor ...)
+CVE-2019-16755 (An unspecified vulnerability in both DWP and SmartIT components can pe ...)
NOT-FOR-US: BMC MyIT Digital Workplace DWP
CVE-2019-16754 (RIOT 2019.07 contains a NULL pointer dereference in the MQTT-SN implem ...)
NOT-FOR-US: RIOT RIOT-OS
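Review bot: the rewritten description for CVE-2019-16755 now names both the DWP and SmartIT components, but the unchanged `NOT-FOR-US: BMC MyIT Digital Workplace DWP` line only mentions DWP; widening it to cover SmartIT as well keeps the triage reason aligned with the new text.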
@@ -2947,6 +2948,7 @@ CVE-2018-21010 (OpenJPEG before 2.3.1 has a heap buffer overflow in color_apply_
- openjpeg2 <unfixed> (bug #939553)
NOTE: https://github.com/uclouvain/openjpeg/commit/2e5ab1d9987831c981ff05862e8ccf1381ed58ea
CVE-2018-21009 (Poppler before 0.66.0 has an integer overflow in Parser::makeStream in ...)
+ {DLA-1939-1}
- poppler 0.69.0-2
NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/0868c499a9f5f37f8df5c9fef03c37496b40fc8a
CVE-2018-21008 (An issue was discovered in the Linux kernel before 4.16.7. A use-after ...)
@@ -3034,7 +3036,7 @@ CVE-2019-15903 (In libexpat before 2.2.8, crafted XML input could fool the parse
NOTE: https://github.com/libexpat/libexpat/issues/317
NOTE: https://github.com/libexpat/libexpat/pull/318
CVE-2019-15902 (A backporting error was discovered in the Linux stable/longterm kernel ...)
- {DSA-4531-1}
+ {DSA-4531-1 DLA-1940-1}
- linux <unfixed>
[jessie] - linux <not-affected> (Bug never introduced)
NOTE: https://grsecurity.net/teardown_of_a_failed_linux_lts_spectre_fix.php
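Review bot: adding `DLA-1940-1` to CVE-2019-15902 sits oddly next to `[jessie] - linux <not-affected> (Bug never introduced)`, since a DLA reference implies a fix shipped for the LTS release. If the advisory fixed this in a different source package in jessie (such as the `linux-4.9` backport), that package needs its own entry line under this CVE so the tracker can attribute the fix; otherwise one of the two statements is wrong.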
@@ -4832,10 +4834,10 @@ CVE-2019-15292 (An issue was discovered in the Linux kernel before 5.0.9. There
CVE-2019-15291 (An issue was discovered in the Linux kernel through 5.2.9. There is a ...)
- linux <unfixed>
NOTE: https://www.openwall.com/lists/oss-security/2019/08/20/2
-CVE-2019-15290 (An issue was discovered in the Linux kernel through 5.2.9. There is a ...)
+CVE-2019-15290
+ REJECTED
- linux <unfixed>
NOTE: https://www.openwall.com/lists/oss-security/2019/08/20/2
- NOTE: Duplicate of CVE-2019-15098 and likely to be rejected.
CVE-2019-15239 (In the Linux kernel, a certain net/ipv4/tcp_output.c change, which was ...)
{DSA-4497-1 DLA-1884-1}
- linux 4.15.4-1
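Review bot: CVE-2019-15290 is now marked `REJECTED`, but the hunk keeps `- linux <unfixed>` and the oss-security NOTE beneath it, which leaves a rejected CVE listed as an open linux issue; those lines should go with the rejection. Dropping `NOTE: Duplicate of CVE-2019-15098 and likely to be rejected.` also loses the cross-reference; keeping a one-line NOTE such as "Rejected as duplicate of CVE-2019-15098" preserves the history for anyone who lands on this id.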
@@ -5283,11 +5285,11 @@ CVE-2019-15120 (The Kunena extension before 5.1.14 for Joomla! allows XSS via BB
CVE-2019-15119 (lib/install/install.go in cnlh nps through 0.23.2 uses 0777 permission ...)
NOT-FOR-US: cnlh nps
CVE-2019-15118 (check_input_term in sound/usb/mixer.c in the Linux kernel through 5.2. ...)
- {DSA-4531-1 DLA-1930-1}
+ {DSA-4531-1 DLA-1940-1 DLA-1930-1}
- linux 5.2.17-1
NOTE: Fixed by: https://git.kernel.org/linus/19bce474c45be69a284ecee660aa12d8f1e88f18
CVE-2019-15117 (parse_audio_mixer_unit in sound/usb/mixer.c in the Linux kernel throug ...)
- {DSA-4531-1 DLA-1930-1}
+ {DSA-4531-1 DLA-1940-1 DLA-1930-1}
- linux 5.2.17-1
NOTE: Fixed by: https://git.kernel.org/linus/daac07156b330b18eb5071aec4b3ddca1c377f2c
CVE-2019-15116 (The easy-digital-downloads plugin before 2.9.16 for WordPress has XSS ...)
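Review bot: style point on the advisory lists in this hunk (and the identical edits further down for CVE-2019-14835 and CVE-2019-14821): `{DSA-4531-1 DLA-1940-1 DLA-1930-1}` places the newer DLA before the older one. The tracker does not care about order, but the rest of the file lists advisories in ascending order, so `{DSA-4531-1 DLA-1930-1 DLA-1940-1}` would be consistent with neighbouring entries.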
@@ -6227,7 +6229,7 @@ CVE-2019-14837
CVE-2019-14836
RESERVED
CVE-2019-14835 (A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in ...)
- {DSA-4531-1 DLA-1930-1}
+ {DSA-4531-1 DLA-1940-1 DLA-1930-1}
- linux 5.2.17-1
NOTE: https://www.openwall.com/lists/oss-security/2019/09/17/1
NOTE: https://git.kernel.org/linus/060423bfdee3f8bc6e2c1bac97de24d5415e2bc4
@@ -6270,7 +6272,7 @@ CVE-2019-14822 [missing authorization flaw]
NOTE: https://launchpad.net/bugs/1844853
NOTE: https://github.com/ibus/ibus/issues/2137
CVE-2019-14821 (An out-of-bounds access issue was found in the Linux kernel, all versi ...)
- {DSA-4531-1 DLA-1930-1}
+ {DSA-4531-1 DLA-1940-1 DLA-1930-1}
- linux 5.2.17-1
NOTE: https://git.kernel.org/linus/b60fe990c6b07ef6d4df67bc0530c7c90a62623a
CVE-2019-14820
@@ -11538,7 +11540,8 @@ CVE-2019-13377 (The implementations of SAE and EAP-pwd in hostapd and wpa_suppli
CVE-2019-13376 (phpBB version 3.2.7 allows the stealing of an Administration Control P ...)
- phpbb3 <removed>
NOTE: https://github.com/phpbb/phpbb/commit/dc5a167c429a3813d66b0ae3d14242650466cac6
-CVE-2019-16993
+CVE-2019-16993 (In phpBB before 3.1.7-PL1, includes/acp/acp_bbcodes.php has improper v ...)
+ {DLA-1942-1}
- phpbb3 <removed>
NOTE: https://github.com/phpbb/phpbb/commit/18abef716ecf42a35416444f3f84f5459d573789
NOTE: https://github.com/phpbb/phpbb/commit/cdf4f5ef85f05c0f94eae1a9edb1c28d4ac3515f
@@ -12231,10 +12234,10 @@ CVE-2019-13126 (An integer overflow in NATS Server 2.0.0 allows a remote attacke
NOT-FOR-US: NATS Server
CVE-2019-13125 (HaboMalHunter through 2.0.0.3 in Tencent Habo allows attackers to evad ...)
NOT-FOR-US: Tencent
-CVE-2019-13124
- RESERVED
-CVE-2019-13123
- RESERVED
+CVE-2019-13124 (Foxit Reader 9.6.0.25114 and earlier has two unique RecursiveCall bugs ...)
+ TODO: check
+CVE-2019-13123 (Foxit Reader 9.6.0.25114 and earlier has two unique RecursiveCall bugs ...)
+ TODO: check
CVE-2019-13122 (A Cross Site Scripting (XSS) vulnerability exists in the template tag ...)
NOT-FOR-US: Patchwork
CVE-2019-13121 [SSRF Vulnerability in Project GitHub Integration]
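Review bot: the two `TODO: check` markers on CVE-2019-13124 and CVE-2019-13123 can be resolved immediately: Foxit Reader is proprietary software that is not packaged in Debian, so `NOT-FOR-US: Foxit Reader` matches how the surrounding entries (NATS Server, Tencent, Patchwork) are triaged.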
@@ -13893,6 +13896,7 @@ CVE-2019-12495 (An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0
CVE-2019-12494 (In Gardener before 0.20.0, incorrect access control in seed clusters a ...)
NOT-FOR-US: Gardener
CVE-2019-12493 (A stack-based buffer over-read exists in PostScriptFunction::transform ...)
+ {DLA-1939-1}
- xpdf <not-affected> (xpdf in Debian uses poppler, which is not affected or fixed)
- poppler 0.44.0-2
NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/37840827c4073dedfd37915a74eb8fe0c44843c3
@@ -37407,18 +37411,18 @@ CVE-2019-3735 (Dell SupportAssist for Business PCs version 2.0 and Dell SupportA
NOT-FOR-US: Dell SupportAssist
CVE-2019-3734 (Dell EMC Unity and UnityVSA versions prior to 5.0.0.0.5.116 contain an ...)
NOT-FOR-US: EMC
-CVE-2019-3733
- RESERVED
-CVE-2019-3732
- RESERVED
-CVE-2019-3731
- RESERVED
-CVE-2019-3730
- RESERVED
-CVE-2019-3729
- RESERVED
-CVE-2019-3728
- RESERVED
+CVE-2019-3733 (RSA BSAFE Crypto-C Micro Edition, all versions prior to 4.1.4, is vuln ...)
+ TODO: check
+CVE-2019-3732 (RSA BSAFE Crypto-C Micro Edition, versions prior to 4.0.5.3 (in 4.0.x) ...)
+ TODO: check
+CVE-2019-3731 (RSA BSAFE Crypto-C Micro Edition versions prior to 4.1.4 and RSA Micro ...)
+ TODO: check
+CVE-2019-3730 (RSA BSAFE Micro Edition Suite versions prior to 4.1.6.3 (in 4.1.x) and ...)
+ TODO: check
+CVE-2019-3729 (RSA BSAFE Micro Edition Suite versions prior to 4.4 (in 4.0.x, 4.1.x, ...)
+ TODO: check
+CVE-2019-3728 (RSA BSAFE Crypto-C Micro Edition versions prior to 4.0.5.4 (in 4.0.x) ...)
+ TODO: check
CVE-2019-3727 (Dell EMC RecoverPoint versions prior to 5.1.3 and RecoverPoint for VMs ...)
NOT-FOR-US: Dell EMC RecoverPoint
CVE-2019-3726 (An Uncontrolled Search Path Vulnerability is applicable to the followi ...)
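Review bot: all six `TODO: check` markers for CVE-2019-3728 through CVE-2019-3733 concern RSA BSAFE Crypto-C Micro Edition and Micro Edition Suite, proprietary libraries that are not in the Debian archive; `NOT-FOR-US: RSA BSAFE` would resolve them in line with the adjacent Dell EMC entries instead of leaving six open TODOs in one block.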
@@ -37954,6 +37958,7 @@ CVE-2018-20651 (A NULL pointer dereference was discovered in elf_link_add_object
NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=54025d5812ff100f5f0654eb7e1ffd50f2e37f5f
NOTE: binutils not covered by security support
CVE-2018-20650 (A reachable Object::dictLookup assertion in Poppler 0.72.0 allows atta ...)
+ {DLA-1939-1}
- poppler <unfixed> (low; bug #917974)
[buster] - poppler <ignored> (Minor issue)
[stretch] - poppler <ignored> (Minor issue)
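Review bot: the `{DLA-1939-1}` reference added to CVE-2018-20650 should be double-checked against the advisory text, because the entry otherwise says the issue is `<unfixed>` in unstable (low) and `<ignored> (Minor issue)` in both buster and stretch. That combination is only consistent if the LTS update deliberately included this minor fix alongside the other poppler CVEs in the same DLA; if it did not, the reference will wrongly show jessie as fixed.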
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c462bcb2b0825e2240e0e30f7470be9703b44827