[Git][security-tracker-team/security-tracker][master] new file issue
Moritz Muehlenhoff
jmm at debian.org
Mon Oct 21 17:11:43 BST 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
9dbb3ce0 by Moritz Muehlenhoff at 2019-10-21T16:11:15Z
new file issue
new proftpd issue
new rpyc issue
new vaguish gridengine issue
new rabbitserver issue
exiv2 n/a
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,7 +1,11 @@
CVE-2019-18218 (cdf_read_property_info in cdf.c in file through 5.37 does not restrict ...)
- TODO: check
+ - file <unfixed>
+ NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780
+ NOTE: https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84
CVE-2019-18217 (ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauth ...)
- TODO: check
+ - proftpd-dfsg <unfixed>
+ NOTE: https://github.com/proftpd/proftpd/commit/13fe9462787b9a551152162f46f1641d65fe4df4
+ NOTE: https://github.com/proftpd/proftpd/issues/846
CVE-2019-18216 (** DISPUTED ** The BIOS configuration design on ASUS ROG Zephyrus M GM ...)
NOT-FOR-US: BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313
CVE-2019-18215
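Review bot: the `file <unfixed>` entry links the oss-fuzz report and the upstream fix commit but carries no severity, whereas `rabbitmq-server 3.7.18-1 (low)` later in this same commit does; since the description of CVE-2019-18218 is truncated here ("does not restrict ..."), a severity tag on the `- file <unfixed>` line would record the assessment for the stable-update decision. For CVE-2019-18217 the fix commit and issue #846 are linked, but the fixed upstream versions named in the description (1.3.6b and 1.3.7rc2) are not mapped to a Debian version, so a later triager cannot tell from `- proftpd-dfsg <unfixed>` alone whether an upload containing the fix is already expected.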
@@ -2928,7 +2932,7 @@ CVE-2019-17411
CVE-2019-17410
RESERVED
CVE-2019-17409 (Reflected XSS exists in interface/forms/eye_mag/view.php in OpenEMR 5. ...)
- TODO: check
+ NOT-FOR-US: OpenEMR
CVE-2019-17408 (parserIfLabel in inc/zzz_template.php in ZZZCMS zzzphp 1.7.3 allows re ...)
NOT-FOR-US: ZZZCMS
CVE-2019-17407
@@ -4252,7 +4256,7 @@ CVE-2019-16864
CVE-2019-16863
RESERVED
CVE-2019-16862 (Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 5.x befor ...)
- TODO: check
+ NOT-FOR-US: OpenEMR
CVE-2019-16861
RESERVED
CVE-2019-16860
@@ -5569,7 +5573,7 @@ CVE-2019-16330 (In NCH Express Accounts Accounting v7.02, persistent cross site
CVE-2019-16329
RESERVED
CVE-2019-16328 (In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify ...)
- TODO: check
+ - rpyc <removed>
CVE-2019-16327
RESERVED
CVE-2019-16326
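Review bot: `- rpyc <removed>` is the only package resolution in this commit with no accompanying NOTE; `<removed>` only records that the package left the archive, so a NOTE with the upstream advisory or fix commit for the 4.1.x issue, in the style of the file and proftpd entries above, would let anyone reintroducing rpyc see which version carries the fix.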
@@ -11793,7 +11797,7 @@ CVE-2019-14439 (A Polymorphic Typing issue was discovered in FasterXML jackson-d
NOTE: https://github.com/FasterXML/jackson-databind/issues/2389
NOTE: https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b
CVE-2018-20871 (In Univa Grid Engine before 8.6.3, when configured for Docker jobs and ...)
- TODO: check, might affect src:gridengine as well
+ - gridengine <undetermined>
CVE-2015-9290 (In FreeType before 2.6.1, a buffer over-read occurs in type1/t1parse.c ...)
{DLA-1887-1}
- freetype 2.6.1-0.1
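Review bot: replacing `TODO: check, might affect src:gridengine as well` with `- gridengine <undetermined>` drops the reason the status is open. The description ties the issue to Univa Grid Engine before 8.6.3 "when configured for Docker jobs", and the commit message itself calls this a "vaguish" issue, so a NOTE stating what remains to be verified (whether src:gridengine contains the Docker job code path at all) would keep that context in the file rather than only in git history.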
@@ -12019,7 +12023,7 @@ CVE-2019-14369 (Exiv2::PngImage::readMetadata() in pngimage.cpp in Exiv2 0.27.99
NOTE: fixed through CVE-2019-13504
NOTE: https://github.com/Exiv2/exiv2/commit/bd0afe0390439b2c424d881c8c6eb0c5624e31d9
CVE-2019-14368 (Exiv2 0.27.99.0 has a heap-based buffer over-read in Exiv2::RafImage:: ...)
- TODO: check
+ - exiv2 <not-affected> (Doesn't seem to affect 0.25)
CVE-2019-14367
RESERVED
CVE-2019-14366
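Review bot: the `<not-affected>` justification `(Doesn't seem to affect 0.25)` is hedged; a not-affected claim should say what was checked, for example that the `Exiv2::RafImage::` code named in the description is absent or different in 0.25, and a NOTE with the upstream issue or fix commit, as the neighbouring CVE-2019-14369 entry has, would make the check reproducible.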
@@ -21204,13 +21208,14 @@ CVE-2019-11286
CVE-2019-11285
RESERVED
CVE-2019-11284 (Pivotal Reactor Netty, versions prior to 0.8.11, passes headers throug ...)
- TODO: check
+ NOT-FOR-US: Pivotal
CVE-2019-11283
RESERVED
CVE-2019-11282
RESERVED
CVE-2019-11281 (Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, ver ...)
- TODO: check
+ - rabbitmq-server 3.7.18-1 (low)
+ NOTE: https://pivotal.io/security/cve-2019-11281
CVE-2019-11280 (Pivotal Apps Manager, included in Pivotal Application Service versions ...)
NOT-FOR-US: Pivotal
CVE-2019-11279 (CF UAA versions prior to 74.1.0 can request scopes for a client that s ...)
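Review bot: `- rabbitmq-server 3.7.18-1 (low)` records the unstable fix and a severity but no reason for the `low`; a short justification in parentheses, as `(Doesn't seem to affect 0.25)` does elsewhere in this commit, and a per-suite line in the form used for linux further down (`[jessie] - linux <not-affected> (...)`) would record whether the stable suites get an update or are left as is.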
@@ -22801,9 +22806,9 @@ CVE-2019-10718 (BlogEngine.NET 3.3.7.0 and earlier allows XML External Entity Bl
CVE-2019-10717 (BlogEngine.NET 3.3.7.0 allows /api/filemanager Directory Traversal via ...)
NOT-FOR-US: BlogEngine.NET
CVE-2019-10716 (An Information Disclosure issue in Verodin Director 3.5.3.1 and earlie ...)
- TODO: check
+ NOT-FOR-US: Verodin Director
CVE-2019-10715 (There is Stored XSS in Verodin Director before 3.5.4.0 via input field ...)
- TODO: check
+ NOT-FOR-US: Verodin Director
CVE-2019-10714 (LocaleLowercase in MagickCore/locale.c in ImageMagick before 7.0.8-32 ...)
- imagemagick <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1495
@@ -46834,15 +46839,15 @@ CVE-2019-2189 (In the Easel driver, there is possible memory corruption due to r
CVE-2019-2188 (In the Easel driver, there is possible memory corruption due to race c ...)
NOT-FOR-US: Android
CVE-2019-2187 (In nfc_ncif_decode_rf_params of nfc_ncif.cc, there is a possible out o ...)
- TODO: check
+ NOT-FOR-US: Android
CVE-2019-2186 (In GetMBheader of combined_decode.cpp, there is a possible out of boun ...)
- TODO: check
+ NOT-FOR-US: Android Media Framework
CVE-2019-2185 (In VlcDequantH263IntraBlock_SH of vlc_dequant.cpp, there is a possible ...)
- TODO: check
+ NOT-FOR-US: Android Media Framework
CVE-2019-2184 (In PV_DecodePredictedIntraDC of dec_pred_intra_dc.cpp, there is a poss ...)
- TODO: check
+ NOT-FOR-US: Android Media Framework
CVE-2019-2183 (In generateServicesMap of RegisteredServicesCache.java, there is a pos ...)
- TODO: check
+ NOT-FOR-US: Android
CVE-2019-2182 (In the Android kernel in the kernel MMU code there is a possible execu ...)
- linux 4.16.5-1
[jessie] - linux <not-affected> (Vulnerable code not present)
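Review bot: style point on the new `NOT-FOR-US: Android Media Framework` lines for CVE-2019-2186, CVE-2019-2185 and CVE-2019-2184: the existing entry for CVE-2019-2109 further down uses `NOT-FOR-US: Android media framework` in lowercase; pick one spelling so tooling that groups NOT-FOR-US annotations by label treats these entries consistently.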
@@ -46873,7 +46878,7 @@ CVE-2019-2175 (In checkAccess of SliceManagerService.java in Android 9, there is
CVE-2019-2174 (In SensorManager::assertStateLocked of SensorManager.cpp in Android 7. ...)
NOT-FOR-US: Android
CVE-2019-2173 (In startActivityMayWait of ActivityStarter.java, there is a possible i ...)
- TODO: check
+ NOT-FOR-US: Android
CVE-2019-2172 (In libxaac there is a possible information disclosure due to uninitial ...)
NOT-FOR-US: Android
CVE-2019-2171 (In libxaac there is a possible information disclosure due to uninitial ...)
@@ -46991,7 +46996,7 @@ CVE-2019-2116 (In save_attr_seq of sdp_discovery.cc, there is a possible out-of-
CVE-2019-2115 (In GateKeeper::MintAuthToken of gatekeeper.cpp in Android 7.1.1, 7.1.2 ...)
NOT-FOR-US: Android
CVE-2019-2114 (In the default privileges of NFC, there is a possible local bypass of ...)
- TODO: check
+ NOT-FOR-US: Android
CVE-2019-2113 (In setup wizard there is a bypass of some checks when wifi connection ...)
NOT-FOR-US: Android
CVE-2019-2112 (In several functions of alarm.cc, there is possible memory corruption ...)
@@ -46999,7 +47004,7 @@ CVE-2019-2112 (In several functions of alarm.cc, there is possible memory corrup
CVE-2019-2111 (In loop of DnsTlsSocket.cpp, there is a possible heap memory corruptio ...)
NOT-FOR-US: Android
CVE-2019-2110 (In ScreenRotationAnimation of ScreenRotationAnimation.java, there is a ...)
- TODO: check
+ NOT-FOR-US: Android
CVE-2019-2109 (In MakeMPEG4VideoCodecSpecificData of AVIExtractor.cpp, there is a pos ...)
NOT-FOR-US: Android media framework
CVE-2019-2108 (In ihevcd_ref_list of ihevcd_ref_list.c in Android 10, there is a poss ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9dbb3ce0e60455c8959603e5e25fb9247c31c7f6