[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Thu Oct 3 21:10:44 BST 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
24e79e76 by security tracker role at 2019-10-03T20:10:24Z
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,27 @@
+CVE-2019-17109
+ RESERVED
+CVE-2019-17108
+ RESERVED
+CVE-2019-17107
+ RESERVED
+CVE-2019-17106
+ RESERVED
+CVE-2019-17105
+ RESERVED
+CVE-2019-17104
+ RESERVED
+CVE-2018-21025
+ RESERVED
+CVE-2018-21024
+ RESERVED
+CVE-2018-21023
+ RESERVED
+CVE-2018-21022
+ RESERVED
+CVE-2018-21021
+ RESERVED
+CVE-2018-21020
+ RESERVED
CVE-2019-17103
RESERVED
CVE-2019-17102
@@ -387,17 +411,17 @@ CVE-2019-16933
RESERVED
CVE-2019-16932 (A blind SSRF vulnerability exists in the Visualizer plugin before 3.3. ...)
NOT-FOR-US: Visualizer plugin for WordPress
-CVE-2019-16931
- RESERVED
+CVE-2019-16931 (A stored XSS vulnerability in the Visualizer plugin 3.3.0 for WordPres ...)
+ TODO: check
CVE-2019-16930 (Zcashd in Zcash before 2.0.7-3 allows discovery of the IP address of a ...)
NOT-FOR-US: Zcash
CVE-2019-16929
RESERVED
CVE-2019-16927 (Xpdf 4.01.01 has an out-of-bounds write in the vertProfile part of the ...)
- xpdf <not-affected> (xpdf in Debian uses poppler, which is fixed)
-CVE-2019-16926 (Flower 1.0.0 has XSS via a crafted worker name. ...)
+CVE-2019-16926 (Flower 0.9.3 has XSS via a crafted worker name. ...)
NOT-FOR-US: Flower
-CVE-2019-16925 (Flower 1.0.0 has XSS via the name parameter in an @app.task call. ...)
+CVE-2019-16925 (Flower 0.9.3 has XSS via the name parameter in an @app.task call. ...)
NOT-FOR-US: Flower
CVE-2019-16924 (The Nulock application 1.5.0 for mobile devices sends a cleartext pass ...)
NOT-FOR-US: Nulock
@@ -557,8 +581,8 @@ CVE-2019-16868 (emlog through 6.0.0beta has an arbitrary file deletion vulnerabi
NOT-FOR-US: emlog
CVE-2019-16867 (HongCMS 3.0.0 allows arbitrary file deletion via a ../ in the file par ...)
NOT-FOR-US: HongCMS
-CVE-2019-16866
- RESERVED
+CVE-2019-16866 (Unbound before 1.9.4 accesses uninitialized memory, which allows remot ...)
+ TODO: check
CVE-2015-9449 (The microblog-poster plugin before 1.6.2 for WordPress has SQL Injecti ...)
NOT-FOR-US: microblog-poster plugin for WordPress
CVE-2015-9448 (The sendpress plugin before 1.2 for WordPress has SQL Injection via th ...)
@@ -1934,6 +1958,7 @@ CVE-2019-16332 (In the api-bearer-auth plugin before 20190907 for WordPress, the
NOT-FOR-US: Wordpress plugin
CVE-2019-12412 [Remotely exploitable null pointer dereference bug]
RESERVED
+ {DLA-1944-1}
- libapreq2 2.13-6 (bug #939937)
NOTE: http://svn.apache.org/r1866760
CVE-2019-16331
@@ -3402,8 +3427,8 @@ CVE-2019-15811 (In DomainMOD through 4.13, the parameter daterange in the file r
NOT-FOR-US: DomainMOD
CVE-2019-15810 (Insufficient sanitization during device search in Netdisco 2.042010 al ...)
TODO: check
-CVE-2019-15809
- RESERVED
+CVE-2019-15809 (Smart cards from the Athena SCS manufacturer, based on the Atmel Toolb ...)
+ TODO: check
CVE-2019-15808
RESERVED
CVE-2019-15806 (CommScope ARRIS TR4400 devices with firmware through A1.00.004-180301 ...)
@@ -5246,18 +5271,18 @@ CVE-2019-15168
RESERVED
CVE-2019-15167
RESERVED
-CVE-2019-15166
- RESERVED
-CVE-2019-15165
- RESERVED
-CVE-2019-15164
- RESERVED
-CVE-2019-15163
- RESERVED
-CVE-2019-15162
- RESERVED
-CVE-2019-15161
- RESERVED
+CVE-2019-15166 (lmp_print_data_link_subobjs() in print-lmp.c in tcpdump before 4.9.3 l ...)
+ TODO: check
+CVE-2019-15165 (sf-pcapng.c in libpcap before 1.9.1 does not properly validate the PHB ...)
+ TODO: check
+CVE-2019-15164 (rpcapd/daemon.c in libpcap before 1.9.1 allows SSRF because a URL may ...)
+ TODO: check
+CVE-2019-15163 (rpcapd/daemon.c in libpcap before 1.9.1 allows attackers to cause a de ...)
+ TODO: check
+CVE-2019-15162 (rpcapd/daemon.c in libpcap before 1.9.1 on non-Windows platforms provi ...)
+ TODO: check
+CVE-2019-15161 (rpcapd/daemon.c in libpcap before 1.9.1 mishandles certain length valu ...)
+ TODO: check
CVE-2019-15160 (The SweetXml (aka sweet_xml) package through 0.6.6 for Erlang and Elix ...)
NOT-FOR-US: SweetXml (aka sweet_xml) package for Erlang and Elixir
CVE-2019-15159
@@ -10058,11 +10083,9 @@ CVE-2019-13631 (In parse_hid_report_descriptor in drivers/input/tablet/gtco.c in
NOTE: https://patchwork.kernel.org/patch/11040813/
CVE-2019-13630
RESERVED
-CVE-2019-13629
- RESERVED
+CVE-2019-13629 (MatrixSSL 4.2.1 and earlier contains a timing side channel in ECDSA si ...)
- matrixssl <removed>
-CVE-2019-13628
- RESERVED
+CVE-2019-13628 (wolfSSL and wolfCrypt 4.0.0 and earlier (when configured without --ena ...)
- wolfssl 4.1.0+dfsg-1
NOTE: https://github.com/wolfSSL/wolfssl/pull/2353
CVE-2019-13627 (It was discovered that there was a ECDSA timing attack in the libgcryp ...)
@@ -16830,7 +16853,7 @@ CVE-2019-11512 (Contao 4.x allows SQL Injection. Fixed in Contao 4.4.39 and Cont
NOT-FOR-US: Contao
CVE-2019-11511 (Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the ...)
NOT-FOR-US: Zoho ManageEngine ADSelfService Plus
-CVE-2019-11510 (In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before ...)
+CVE-2019-11510 (In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 be ...)
NOT-FOR-US: Pulse Secure Pulse Connect Secure
CVE-2019-11509 (In Pulse Secure Pulse Connect Secure (PCS) before 8.1R15.1, 8.2 before ...)
NOT-FOR-US: Pulse Secure Pulse Connect Secure
@@ -35904,8 +35927,8 @@ CVE-2019-4443
RESERVED
CVE-2019-4442 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9,0 could allow a ...)
NOT-FOR-US: IBM
-CVE-2019-4441
- RESERVED
+CVE-2019-4441 (IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and Liberty could ...)
+ TODO: check
CVE-2019-4440
RESERVED
CVE-2019-4439 (IBM Cloud Private 3.1.0, 3.1.1, and 3.1.2 does not invalidate session ...)
@@ -35942,8 +35965,8 @@ CVE-2019-4424 (IBM Business Automation Workflow 18.0.0.0, 18.0.0.1, 18.0.0.2, 19
NOT-FOR-US: IBM
CVE-2019-4423 (IBM Sterling File Gateway 2.2.0.0 through 6.0.1.0 could allow a remote ...)
NOT-FOR-US: IBM
-CVE-2019-4422
- RESERVED
+CVE-2019-4422 (IBM Security Guardium 9.0, 9.5, and 10.6 are vulnerable to a privilege ...)
+ TODO: check
CVE-2019-4421
RESERVED
CVE-2019-4420 (IBM Intelligent Operations Center V5.1.0 through V5.2.0 could disclose ...)
@@ -37311,8 +37334,7 @@ CVE-2019-3835 (It was found that the superexec operator was available in the int
NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=205591753126802da850ada6511a0ff8411aa287
NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d683d1e6450d74619e6277efeebfc222d9a5cb91 (needed dependency)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700585
-CVE-2019-3834
- RESERVED
+CVE-2019-3834 (It was found that the fix for CVE-2014-0114 had been reverted in JBoss ...)
NOT-FOR-US: JBoss Operations Network 3 (JON) specific CVE assignment
CVE-2019-3833 (Openwsman, versions up to and including 2.6.9, are vulnerable to infin ...)
- openwsman <itp> (bug #754501)
@@ -56961,10 +56983,10 @@ CVE-2018-16454 (PHP Scripts Mall Currency Converter Script 2.0.5 allows remote a
NOT-FOR-US: PHP Scripts Mall Olx Clone
CVE-2018-16453 (PHP Scripts Mall Domain Lookup Script 3.0.5 allows XSS in the search b ...)
NOT-FOR-US: PHP Scripts Mall Domain Lookup Script
-CVE-2018-16452
- RESERVED
-CVE-2018-16451
- RESERVED
+CVE-2018-16452 (The SMB parser in tcpdump before 4.9.3 has stack exhaustion in smbutil ...)
+ TODO: check
+CVE-2018-16451 (The SMB parser in tcpdump before 4.9.3 has buffer over-reads in print- ...)
+ TODO: check
CVE-2018-16450 (CraftedWeb through 2013-09-24 has reflected XSS via the p parameter. ...)
NOT-FOR-US: CraftedWeb
CVE-2018-16449 (OneThink 1.1.141212 allows CSRF for adding a page via admin.php?s=/Cha ...)
@@ -57400,10 +57422,10 @@ CVE-2018-16303 (PDF-XChange Editor through 7.0.326.1 allows remote attackers to
NOT-FOR-US: PDF-XChange Editor
CVE-2018-16302 (MediaComm Zip-n-Go before 4.95 has a Buffer Overflow via a crafted fil ...)
NOT-FOR-US: MediaComm Zip-n-Go
-CVE-2018-16301
- RESERVED
-CVE-2018-16300
- RESERVED
+CVE-2018-16301 (libpcap before 1.9.1, as used in tcpdump before 4.9.3, has a buffer ov ...)
+ TODO: check
+CVE-2018-16300 (The BGP parser in tcpdump before 4.9.3 allows stack consumption in pri ...)
+ TODO: check
CVE-2018-16299 (The Localize My Post plugin 1.0 for WordPress allows Directory Travers ...)
NOT-FOR-US: Wordpress plugin
CVE-2018-16298 (An issue was discovered in MiniCMS 1.10. There is an mc-admin/post.php ...)
@@ -57544,14 +57566,14 @@ CVE-2018-16232 (An authenticated command injection vulnerability exists in IPFir
NOT-FOR-US: IPFire
CVE-2018-16231 (Michael Roth Software Personal FTP Server (PFTP) through 8.4f allows r ...)
NOT-FOR-US: Michael Roth Software Personal FTP Server
-CVE-2018-16230
- RESERVED
-CVE-2018-16229
- RESERVED
-CVE-2018-16228
- RESERVED
-CVE-2018-16227
- RESERVED
+CVE-2018-16230 (The BGP parser in tcpdump before 4.9.3 has a buffer over-read in print ...)
+ TODO: check
+CVE-2018-16229 (The DCCP parser in tcpdump before 4.9.3 has a buffer over-read in prin ...)
+ TODO: check
+CVE-2018-16228 (The HNCP parser in tcpdump before 4.9.3 has a buffer over-read in prin ...)
+ TODO: check
+CVE-2018-16227 (The IEEE 802.11 parser in tcpdump before 4.9.3 has a buffer over-read ...)
+ TODO: check
CVE-2018-16226 (A vulnerability in the web admin component of Mitel MiVoice Office 400 ...)
NOT-FOR-US: Mitel
CVE-2018-16225 (The QBee MultiSensor Camera through 4.16.4 accepts unencrypted network ...)
@@ -60801,14 +60823,14 @@ CVE-2018-14883 (An issue was discovered in PHP before 5.6.37, 7.0.x before 7.0.3
- php5 <removed>
NOTE: Fixed in 5.6.37, 7.0.31, 7.1.20, 7.2.8
NOTE: PHP Bug: https://bugs.php.net/bug.php?id=76423
-CVE-2018-14882
- RESERVED
-CVE-2018-14881
- RESERVED
-CVE-2018-14880
- RESERVED
-CVE-2018-14879
- RESERVED
+CVE-2018-14882 (The ICMPv6 parser in tcpdump before 4.9.3 has a buffer over-read in pr ...)
+ TODO: check
+CVE-2018-14881 (The BGP parser in tcpdump before 4.9.3 has a buffer over-read in print ...)
+ TODO: check
+CVE-2018-14880 (The OSPFv3 parser in tcpdump before 4.9.3 has a buffer over-read in pr ...)
+ TODO: check
+CVE-2018-14879 (The command-line argument parser in tcpdump before 4.9.3 has a buffer ...)
+ TODO: check
CVE-2018-XXXX [DSA verification crashes OpenSSL on invalid combinations of key content]
- xml-security-c 2.0.2-2 (bug #913136)
[stretch] - xml-security-c <no-dsa> (Minor issue; can be fixed via point release)
@@ -62119,26 +62141,26 @@ CVE-2018-14472 (An issue was discovered in WUZHI CMS 4.1.0. The vulnerable file
NOT-FOR-US: WUZHI CMS
CVE-2018-14471 (dwg_obj_block_control_get_block_headers in dwg_api.c in GNU LibreDWG 0 ...)
- libredwg <itp> (bug #595191)
-CVE-2018-14470
- RESERVED
-CVE-2018-14469
- RESERVED
-CVE-2018-14468
- RESERVED
-CVE-2018-14467
- RESERVED
-CVE-2018-14466
- RESERVED
-CVE-2018-14465
- RESERVED
-CVE-2018-14464
- RESERVED
-CVE-2018-14463
- RESERVED
-CVE-2018-14462
- RESERVED
-CVE-2018-14461
- RESERVED
+CVE-2018-14470 (The Babel parser in tcpdump before 4.9.3 has a buffer over-read in pri ...)
+ TODO: check
+CVE-2018-14469 (The IKEv1 parser in tcpdump before 4.9.3 has a buffer over-read in pri ...)
+ TODO: check
+CVE-2018-14468 (The FRF.16 parser in tcpdump before 4.9.3 has a buffer over-read in pr ...)
+ TODO: check
+CVE-2018-14467 (The BGP parser in tcpdump before 4.9.3 has a buffer over-read in print ...)
+ TODO: check
+CVE-2018-14466 (The Rx parser in tcpdump before 4.9.3 has a buffer over-read in print- ...)
+ TODO: check
+CVE-2018-14465 (The RSVP parser in tcpdump before 4.9.3 has a buffer over-read in prin ...)
+ TODO: check
+CVE-2018-14464 (The LMP parser in tcpdump before 4.9.3 has a buffer over-read in print ...)
+ TODO: check
+CVE-2018-14463 (The VRRP parser in tcpdump before 4.9.3 has a buffer over-read in prin ...)
+ TODO: check
+CVE-2018-14462 (The ICMP parser in tcpdump before 4.9.3 has a buffer over-read in prin ...)
+ TODO: check
+CVE-2018-14461 (The LDP parser in tcpdump before 4.9.3 has a buffer over-read in print ...)
+ TODO: check
CVE-2018-14460 (An issue was discovered in the HDF HDF5 1.8.20 library. There is a hea ...)
- hdf5 <undetermined>
NOTE: https://github.com/TeamSeri0us/pocs/blob/master/hdf5/README3.md
@@ -73955,12 +73977,12 @@ CVE-2018-10107 (D-Link DIR-815 REV. B (with firmware through DIR-815_REVB_FIRMWA
NOT-FOR-US: D-Link
CVE-2018-10106 (D-Link DIR-815 REV. B (with firmware through DIR-815_REVB_FIRMWARE_PAT ...)
NOT-FOR-US: D-Link
-CVE-2018-10105
- RESERVED
+CVE-2018-10105 (tcpdump before 4.9.3 mishandles the printing of SMB data (issue 2 of 2 ...)
+ TODO: check
CVE-2018-10104
RESERVED
-CVE-2018-10103
- RESERVED
+CVE-2018-10103 (tcpdump before 4.9.3 mishandles the printing of SMB data (issue 1 of 2 ...)
+ TODO: check
CVE-2018-10099 (Google Monorail before 2018-04-04 has a Cross-Site Search (XS-Search) ...)
NOT-FOR-US: Google Monorail
CVE-2018-10098 (In MicroWorld eScan Internet Security Suite (ISS) for Business 14.0.14 ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/24e79e766ef9620f6d3d10bcf1ccb87da0f0f166
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/24e79e766ef9620f6d3d10bcf1ccb87da0f0f166
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20191003/1479b390/attachment.html>
More information about the debian-security-tracker-commits
mailing list