[Git][security-tracker-team/security-tracker][master] new qt issue
Moritz Muehlenhoff
jmm at debian.org
Fri Oct 25 18:09:35 BST 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
63e492b7 by Moritz Muehlenhoff at 2019-10-25T17:09:17Z
new qt issue
new libssh issue
new horde issues
collectd n/a
NFUs
libntlm, golang-1.[78] no-dsa
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -298,7 +298,13 @@ CVE-2019-18283
CVE-2019-18282
RESERVED
CVE-2019-18281 (An out-of-bounds memory access in the generateDirectionalRuns() functi ...)
- TODO: check
+ - qtbase-opensource-src-gles <unfixed>
+ - qtbase-opensource-src <unfixed>
+ [buster] - qtbase-opensource-src <no-dsa> (Minor issue)
+ [stretch] - qtbase-opensource-src <not-affected> (Vulnerable code not present)
+ [jessie] - qtbase-opensource-src <not-affected> (Vulnerable code not present)
+ NOTE: https://github.com/qt/qtbase/commit/af6ac444c97ed2dc234f93fe457440c9da5482ea
+ NOTE: https://bugreports.qt.io/browse/QTBUG-77819
CVE-2019-18280 (Sourcecodester Online Grading System 1.0 is affected by a Cross Site R ...)
NOT-FOR-US: Sourcecodester Online Grading System
CVE-2019-18279
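Review bot: the per-suite annotations in this hunk cover only qtbase-opensource-src; qtbase-opensource-src-gles is marked `<unfixed>` on the line above but gets no `[buster]`, `[stretch]` or `[jessie]` line. If the -gles source package is present in any of those suites it needs matching entries (e.g. `[buster] - qtbase-opensource-src-gles <no-dsa> (Minor issue)` and the corresponding `<not-affected>` lines), otherwise the tracker will report the issue as open for it in every suite.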
@@ -448,9 +454,9 @@ CVE-2019-18215
CVE-2019-18214 (The Video_Converter app 0.1.0 for Nextcloud allows denial of service ( ...)
NOT-FOR-US: Video_Converter app for Nextcloud
CVE-2019-18213 (XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML ...)
- TODO: check
+ NOT-FOR-US: XML Language Server (aka lsp4xml)
CVE-2019-18212 (XMLLanguageService.java in XML Language Server (aka lsp4xml) before 0. ...)
- TODO: check
+ NOT-FOR-US: XML Language Server (aka lsp4xml)
CVE-2019-18211
RESERVED
CVE-2019-18210
@@ -2728,12 +2734,15 @@ CVE-2019-17596 (Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an atte
- golang-1.12 1.12.12-1 (bug #942629)
- golang-1.11 <removed>
- golang-1.8 <removed>
+ [stretch] - golang-1.8 <ignored> (Minor issue)
- golang-1.7 <removed>
+ [stretch] - golang-1.7 <ignored> (Minor issue)
- golang <removed>
[jessie] - golang <ignored> (Minor issue)
NOTE: https://golang.org/issue/34960
NOTE: https://github.com/golang/go/issues/34962 (1.13 backport)
NOTE: https://github.com/golang/go/issues/34961 (1.12 backport)
+ NOTE: https://groups.google.com/forum/#!msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ
CVE-2019-17595 (There is a heap-based buffer over-read in the fmt_entry function in ti ...)
- ncurses 6.1+20191019-1 (low; bug #942401)
[buster] - ncurses <no-dsa> (Minor issue)
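Review bot: the new `[stretch]` lines mark golang-1.8 and golang-1.7 as `<ignored> (Minor issue)`, while the commit message says `golang-1.[78] no-dsa`; these are two different tracker states, so either the state in the hunk or the commit message should be adjusted so they agree. The existing `[jessie] - golang <ignored> (Minor issue)` line in the same hunk suggests `<ignored>` may be the intended one.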
@@ -3026,7 +3035,7 @@ CVE-2019-17528 (An issue was discovered in Bento4 1.5.1.0. There is a SEGV in th
CVE-2019-17527
RESERVED
CVE-2019-17526 (** DISPUTED ** An issue was discovered in SageMath Sage Cell Server th ...)
- TODO: check
+ NOT-FOR-US: Sage Cell Server (not part of SafeMath as packaged in Debian)
CVE-2019-17525
RESERVED
CVE-2019-17524
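Review bot: typo in the added NOT-FOR-US line: `SafeMath` should be `SageMath`, matching the project name used in the CVE description two lines above (`SageMath Sage Cell Server`).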
@@ -3088,7 +3097,9 @@ CVE-2019-17500
CVE-2019-17499 (The setter.xml component of the Common Gateway Interface on Compal CH7 ...)
NOT-FOR-US: Compal CH7465LG devices
CVE-2019-17498 (In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic i ...)
- TODO: check
+ - libssh <unfixed>
+ NOTE: https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c
+ NOTE: https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/
CVE-2018-21028 (Boa through 0.94.14rc21 allows remote attackers to trigger a memory le ...)
- boa <removed>
CVE-2018-21027 (Boa through 0.94.14rc21 allows remote attackers to trigger an out-of-m ...)
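Review bot: the package name in the added line looks wrong: the CVE description and the linked upstream commit both refer to libssh2 (`github.com/libssh2/libssh2`), but the entry reads `- libssh <unfixed>`. libssh is a different code base from libssh2, so this should be `- libssh2 <unfixed>` unless libssh is independently affected; the commit message ("new libssh issue") carries the same mix-up.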
@@ -3218,6 +3229,8 @@ CVE-2019-17456
RESERVED
CVE-2019-17455 (Libntlm through 1.5 relies on a fixed buffer size for tSmbNtlmAuthRequ ...)
- libntlm <unfixed> (bug #942145)
+ [buster] - libntlm <no-dsa> (Minor issue)
+ [stretch] - libntlm <no-dsa> (Minor issue)
NOTE: https://gitlab.com/jas/libntlm/issues/2
CVE-2019-17454 (Bento4 1.5.1.0 has a NULL pointer dereference in AP4_Descriptor::GetTa ...)
NOT-FOR-US: Bento4
@@ -19451,9 +19464,11 @@ CVE-2019-12097 (Telerik Fiddler v5.0.20182.28034 doesn't verify the hash of Enab
CVE-2019-12096
RESERVED
CVE-2019-12095 (Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 ...)
- TODO: check
+ - php-horde-trean <unfixed>
+ NOTE: https://bugs.horde.org/ticket/14926
CVE-2019-12094 (Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin ...)
- TODO: check
+ - php-horde-groupware <unfixed>
+ NOTE: https://bugs.horde.org/ticket/14926
CVE-2019-12093
RESERVED
CVE-2019-12092
@@ -81867,7 +81882,7 @@ CVE-2018-XXXX [Multiple vulnerabilities in CiviCRM]
- civicrm 4.7.30+dfsg-1 (bug #887330)
NOTE: https://civicrm.org/blog/dev-team/security-release-civicrm-4726-and-4633-monthly-release-4727
CVE-2017-18240 (The Gentoo app-admin/collectd package before 5.7.2-r1 sets the ownersh ...)
- TODO: check
+ - collectd <not-affected> (Init scripts shipped by Debian are not affected)
CVE-2018-8776
RESERVED
CVE-2018-8775
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/63e492b79ef7d091ffa71d84b302a3a41c1d6fe9