[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Tue Oct 29 20:10:38 GMT 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f6514c76 by security tracker role at 2019-10-29T20:10:27Z
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,107 @@
+CVE-2019-18625
+ RESERVED
+CVE-2019-18624 (Opera Mini for Android allows attackers to bypass intended restriction ...)
+ TODO: check
+CVE-2019-18623
+ RESERVED
+CVE-2019-18622
+ RESERVED
+CVE-2019-18621
+ RESERVED
+CVE-2019-18620
+ RESERVED
+CVE-2019-18619
+ RESERVED
+CVE-2019-18618
+ RESERVED
+CVE-2019-18617
+ RESERVED
+CVE-2019-18616
+ RESERVED
+CVE-2019-18615
+ RESERVED
+CVE-2019-18614
+ RESERVED
+CVE-2019-18613
+ RESERVED
+CVE-2019-18612 (An issue was discovered in the AbuseFilter extension through 1.34 for ...)
+ TODO: check
+CVE-2019-18611 (An issue was discovered in the CheckUser extension through 1.34 for Me ...)
+ TODO: check
+CVE-2019-18610
+ RESERVED
+CVE-2019-18609
+ RESERVED
+CVE-2019-18608 (Cezerin v0.33.0 allows unauthorized order-information modification bec ...)
+ TODO: check
+CVE-2019-18607
+ RESERVED
+CVE-2019-18606
+ RESERVED
+CVE-2019-18605
+ RESERVED
+CVE-2019-18604 (In axohelp.c before 1.3 in axohelp in axodraw2 before 2.1.1b, as distr ...)
+ TODO: check
+CVE-2019-18600
+ RESERVED
+CVE-2019-18599
+ RESERVED
+CVE-2019-18598
+ RESERVED
+CVE-2019-18597
+ RESERVED
+CVE-2019-18596
+ RESERVED
+CVE-2019-18595
+ RESERVED
+CVE-2019-18594
+ RESERVED
+CVE-2019-18593
+ RESERVED
+CVE-2019-18592
+ RESERVED
+CVE-2019-18591
+ RESERVED
+CVE-2019-18590
+ RESERVED
+CVE-2019-18589
+ RESERVED
+CVE-2019-18588
+ RESERVED
+CVE-2019-18587
+ RESERVED
+CVE-2019-18586
+ RESERVED
+CVE-2019-18585
+ RESERVED
+CVE-2019-18584
+ RESERVED
+CVE-2019-18583
+ RESERVED
+CVE-2019-18582
+ RESERVED
+CVE-2019-18581
+ RESERVED
+CVE-2019-18580
+ RESERVED
+CVE-2019-18579
+ RESERVED
+CVE-2019-18578
+ RESERVED
+CVE-2019-18577
+ RESERVED
+CVE-2019-18576
+ RESERVED
+CVE-2019-18575
+ RESERVED
+CVE-2019-18574
+ RESERVED
+CVE-2019-18573
+ RESERVED
+CVE-2019-18572
+ RESERVED
+CVE-2019-18571
+ RESERVED
CVE-2020-0600
RESERVED
CVE-2020-0599
@@ -408,13 +512,13 @@ CVE-2019-18467
REJECTED
CVE-2019-18466 (An issue was discovered in Podman in libpod before 1.6.0. It resolves ...)
NOT-FOR-US: libpod (podman library used to create container pods)
-CVE-2019-18601 [database server crash from unserialized data access]
+CVE-2019-18601 (OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to denial of ser ...)
- openafs 1.8.5-1 (bug #943587)
NOTE: http://openafs.org/pages/security/OPENAFS-SA-2019-003.txt
-CVE-2019-18602 [information leakage from uninitialized scalars]
+CVE-2019-18602 (OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to an informatio ...)
- openafs 1.8.5-1 (bug #943587)
NOTE: http://openafs.org/pages/security/OPENAFS-SA-2019-002.txt
-CVE-2019-18603 [information leakage in failed RPC output]
+CVE-2019-18603 (OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to information l ...)
- openafs 1.8.5-1 (bug #943587)
NOTE: http://openafs.org/pages/security/OPENAFS-SA-2019-001.txt
CVE-2019-18465
@@ -5691,8 +5795,8 @@ CVE-2019-16649 (On Supermicro H11, H12, M11, X9, X10, and X11 products, a combin
NOT-FOR-US: Supermicro
CVE-2019-16648
RESERVED
-CVE-2019-16647
- RESERVED
+CVE-2019-16647 (Unquoted Search Path in Maxthon 5.1.0 to 5.2.7 Browser for Windows. ...)
+ TODO: check
CVE-2019-16646
RESERVED
CVE-2019-16645 (An issue was discovered in Embedthis GoAhead 2.5.0. Certain pages (suc ...)
@@ -8410,18 +8514,18 @@ CVE-2019-15685
RESERVED
CVE-2019-15684
RESERVED
-CVE-2019-15683
- RESERVED
+CVE-2019-15683 (TurboVNC server code contains stack buffer overflow vulnerability in c ...)
+ TODO: check
CVE-2019-15682
RESERVED
-CVE-2019-15681
- RESERVED
-CVE-2019-15680
- RESERVED
-CVE-2019-15679
- RESERVED
-CVE-2019-15678
- RESERVED
+CVE-2019-15681 (LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains ...)
+ TODO: check
+CVE-2019-15680 (TightVNC code version 1.3.10 contains null pointer dereference in Hand ...)
+ TODO: check
+CVE-2019-15679 (TightVNC code version 1.3.10 contains heap buffer overflow in Initiali ...)
+ TODO: check
+CVE-2019-15678 (TightVNC code version 1.3.10 contains heap buffer overflow in rfbServe ...)
+ TODO: check
CVE-2019-15677
RESERVED
CVE-2019-15676
@@ -17365,8 +17469,8 @@ CVE-2019-13068 (public/app/features/panel/panel_ctrl.ts in Grafana before 6.2.5
NOTE: https://github.com/grafana/grafana/issues/17718
CVE-2019-13067 (njs through 0.3.3, used in NGINX, has a buffer over-read in nxt_utf8_d ...)
NOT-FOR-US: njs
-CVE-2019-13066
- RESERVED
+CVE-2019-13066 (Sahi Pro 8.0.0 has a script manager arena located at _s_/dyn/pro/DBRep ...)
+ TODO: check
CVE-2019-13065
RESERVED
CVE-2019-13064
@@ -23014,7 +23118,7 @@ CVE-2019-11023 (The agroot() function in cgraph\obj.c in libcgraph.a in Graphviz
NOTE: Crash in CLI tool, no security impact
CVE-2019-11022
RESERVED
-CVE-2019-11021 (admin/app/mediamanager in Schlix CMS 2.1.8-7 allows Authenticated Unre ...)
+CVE-2019-11021 (** DISPUTED ** admin/app/mediamanager in Schlix CMS 2.1.8-7 allows Aut ...)
NOT-FOR-US: Schlix CMS
CVE-2019-11020 (Lack of authentication in file-viewing components in DDRT Dashcom Live ...)
NOT-FOR-US: DDRT Dashcom
@@ -23695,8 +23799,8 @@ CVE-2019-10751 (All versions of the HTTPie package prior to version 1.0.3 are vu
NOTE: https://github.com/jakubroztocil/httpie/commit/df36d6255df5793129b02ac82f1010171bd8a0a8
CVE-2019-10750 (deeply is vulnerable to Prototype Pollution in versions before 3.1.0. ...)
NOT-FOR-US: deeply
-CVE-2019-10749
- RESERVED
+CVE-2019-10749 (sequelize before version 3.35.1 allows attackers to perform a SQL Inje ...)
+ TODO: check
CVE-2019-10748 (Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are vulnera ...)
NOT-FOR-US: sequelize
CVE-2019-10747 (set-value is vulnerable to Prototype Pollution in versions lower than ...)
@@ -23722,7 +23826,7 @@ CVE-2019-10744 (Versions of lodash lower than 4.17.12 are vulnerable to Prototyp
NOTE: https://snyk.io/vuln/SNYK-JS-LODASH-450202
NOTE: https://github.com/lodash/lodash/issues/4348
NOTE: https://github.com/lodash/lodash/pull/4336
-CVE-2019-10743 (github.com/mholt/archiver/cmd/arc package versions 3.0.0 and later are ...)
+CVE-2019-10743 (All versions of archiver allow attacker to perform a Zip Slip attack v ...)
NOT-FOR-US: archiver
CVE-2019-10742 (Axios up to and including 0.18.0 allows attackers to cause a denial of ...)
- node-axios 0.17.1+dfsg-2 (bug #928624)
@@ -25051,21 +25155,17 @@ CVE-2019-10212 (A flaw was found in, all under 2.0.20, in the Undertow DEBUG log
- undertow 2.0.27-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1731984
NOTE: https://github.com/undertow-io/undertow/pull/815
-CVE-2019-10211
- RESERVED
+CVE-2019-10211 (Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5. ...)
NOT-FOR-US: EnterpriseDB Windows installer
-CVE-2019-10210
- RESERVED
+CVE-2019-10210 (Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5. ...)
NOT-FOR-US: EnterpriseDB Windows installer
-CVE-2019-10209 [postgres: Fix execution of hashed subplans that require cross-type comparison]
- RESERVED
+CVE-2019-10209 (Postgresql, versions 11.x before 11.5, is vulnerable to a memory discl ...)
{DSA-4493-1}
- postgresql-11 11.5-1
- postgresql-9.6 <not-affected> (Only affects PostgreSQL 11)
- postgresql-9.4 <not-affected> (Only affects PostgreSQL 11)
NOTE: https://www.postgresql.org/about/news/1960/
-CVE-2019-10208 [postgres: Require schema qualification to cast to a temporary type when using functional cast syntax]
- RESERVED
+CVE-2019-10208 (A flaw was discovered in postgresql where arbitrary SQL statements can ...)
{DSA-4493-1 DSA-4492-1 DLA-1874-1}
- postgresql-11 11.5-1
- postgresql-9.6 <removed>
@@ -26008,8 +26108,8 @@ CVE-2019-9928 (GStreamer before 1.16.0 has a heap-based buffer overflow in the R
NOTE: https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/commit/f672277509705c4034bc92a141eefee4524d15aa (1.15.90)
CVE-2019-9927 (Caret before 2019-02-22 allows Remote Code Execution. ...)
NOT-FOR-US: Caret editor
-CVE-2019-9926
- RESERVED
+CVE-2019-9926 (An issue was discovered in LabKey Server 19.1.0. It is possible to for ...)
+ TODO: check
CVE-2019-9925 (S-CMS PHP v1.0 has XSS in 4.edu.php via the S_id parameter. ...)
NOT-FOR-US: S-CMS PHP
CVE-2019-9924 (rbash in Bash before 4.4-beta2 did not prevent the shell user from mod ...)
@@ -27380,7 +27480,7 @@ CVE-2019-9765 (In Blog_mini 1.0, XSS exists via the author name of a comment rep
NOT-FOR-US: Blog_mini
CVE-2019-9764 (HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to ...)
NOT-FOR-US: HashiCorp Consul
-CVE-2019-9763 (An issue was discovered in Openfind Mail2000 v6 Webmail. XSS can occur ...)
+CVE-2019-9763 (An issue was discovered in Openfind Mail2000 6.0 and 7.0 Webmail. XSS ...)
NOT-FOR-US: Openfind Mail2000 Webmail
CVE-2019-9762 (A SQL Injection was discovered in PHPSHE 1.7 in include/plugin/payment ...)
NOT-FOR-US: PHPSHE
@@ -27390,10 +27490,10 @@ CVE-2019-9760 (FTPGetter Standard v.5.97.0.177 allows remote code execution when
NOT-FOR-US: FTPGetter
CVE-2019-9759 (An issue was discovered in TONGDA Office Anywhere 10.18.190121. There ...)
NOT-FOR-US: TONGDA Office Anywhere
-CVE-2019-9758
- RESERVED
-CVE-2019-9757
- RESERVED
+CVE-2019-9758 (An issue was discovered in LabKey Server 19.1.0. The display name of a ...)
+ TODO: check
+CVE-2019-9757 (An issue was discovered in LabKey Server 19.1.0. Sending an SVG contai ...)
+ TODO: check
CVE-2019-9756 (An issue was discovered in GitLab Community and Enterprise Edition 10. ...)
[experimental] - gitlab 11.8.2-1
- gitlab 11.8.2-2 (bug #924447)
@@ -31482,8 +31582,8 @@ CVE-2019-8289 (Vulnerability in Online Store v1.0, stored XSS in admin/user_view
NOT-FOR-US: Online Store System
CVE-2019-8288 (Vulnerability in Online Store v1.0, Stored XSS in user_view.php where ...)
NOT-FOR-US: Online Store System
-CVE-2019-8287
- RESERVED
+CVE-2019-8287 (TightVNC code version 1.3.10 contains global buffer overflow in Handle ...)
+ TODO: check
CVE-2019-8286 (Information Disclosure in Kaspersky Anti-Virus, Kaspersky Internet Sec ...)
NOT-FOR-US: Kaspersky
CVE-2019-8285 (Kaspersky Lab Antivirus Engine version before 04.apr.2019 has a heap-b ...)
@@ -34994,28 +35094,28 @@ CVE-2019-6853
RESERVED
CVE-2019-6852
RESERVED
-CVE-2019-6851
- RESERVED
-CVE-2019-6850
- RESERVED
-CVE-2019-6849
- RESERVED
-CVE-2019-6848
- RESERVED
-CVE-2019-6847
- RESERVED
-CVE-2019-6846
- RESERVED
-CVE-2019-6845
- RESERVED
-CVE-2019-6844
- RESERVED
-CVE-2019-6843
- RESERVED
-CVE-2019-6842
- RESERVED
-CVE-2019-6841
- RESERVED
+CVE-2019-6851 (A CWE-538: File and Directory Information Exposure vulnerability exist ...)
+ TODO: check
+CVE-2019-6850 (A CWE-200: Information Exposure vulnerability exists in Modicon M580, ...)
+ TODO: check
+CVE-2019-6849 (A CWE-200: Information Exposure vulnerability exists in Modicon M580, ...)
+ TODO: check
+CVE-2019-6848 (A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Mo ...)
+ TODO: check
+CVE-2019-6847 (A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Mo ...)
+ TODO: check
+CVE-2019-6846 (A CWE-319: Cleartext Transmission of Sensitive Information vulnerabili ...)
+ TODO: check
+CVE-2019-6845 (A CWE-319: Cleartext Transmission of Sensitive Information vulnerabili ...)
+ TODO: check
+CVE-2019-6844 (A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Mo ...)
+ TODO: check
+CVE-2019-6843 (A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Mo ...)
+ TODO: check
+CVE-2019-6842 (A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Mo ...)
+ TODO: check
+CVE-2019-6841 (A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Mo ...)
+ TODO: check
CVE-2019-6840 (A Format String: CWE-134 vulnerability exists in U.motion Server (MEG6 ...)
NOT-FOR-US: Schneider
CVE-2019-6839 (An Improper Access Control: CWE-284 vulnerability exists in U.motion S ...)
@@ -77398,8 +77498,8 @@ CVE-2018-10729 (All Phoenix Contact managed FL SWITCH 3xxx, 4xxx, 48xx products
NOT-FOR-US: Phoenix Contact managed FL SWITCH 3xxx, 4xxx, 48xx products
CVE-2018-10728 (All Phoenix Contact managed FL SWITCH 3xxx, 4xxx, 48xx products runnin ...)
NOT-FOR-US: Phoenix Contact managed FL SWITCH 3xxx, 4xxx, 48xx products
-CVE-2018-10727
- RESERVED
+CVE-2018-10727 (Reflected Cross-Site Scripting (XSS) vulnerability in the fabrik_refer ...)
+ TODO: check
CVE-2018-10726 (** DISPUTED ** A stored XSS vulnerability was found in Datenstrom Yell ...)
NOT-FOR-US: Datenstrom Yellow
CVE-2018-10725
@@ -176503,8 +176603,8 @@ CVE-2016-4291 (When opening a Hangul HShow Document (.hpt) and processing a stru
NOT-FOR-US: Hancom Office
CVE-2016-4290 (When opening a Hangul HShow Document (.hpt) and processing a structure ...)
NOT-FOR-US: Hancom Office
-CVE-2016-4289
- RESERVED
+CVE-2016-4289 (A stack based buffer overflow vulnerability exists in the method recei ...)
+ TODO: check
CVE-2016-4288 (A local privilege escalation vulnerability exists in BlueStacks App Pl ...)
NOT-FOR-US: BlueStacks
CVE-2016-4287 (Integer overflow in Adobe Flash Player before 18.0.0.375 and 19.x thro ...)
@@ -274432,8 +274532,7 @@ CVE-2012-1189 (Stack-based buffer overflow in modules/graphic/ssgraph/grsound.cp
- speed-dreams <itp> (bug #599884)
CVE-2012-1188 (Multiple cross-site scripting (XSS) vulnerabilities in Fork CMS before ...)
NOT-FOR-US: Fork CMS
-CVE-2012-1187
- RESERVED
+CVE-2012-1187 (Bitlbee does not drop extra group privileges correctly in unix.c ...)
- bitlbee 3.0.4+bzr855-1 (low)
[squeeze] - bitlbee <no-dsa> (Minor issue)
CVE-2012-1186 (Integer overflow in the SyncImageProfiles function in profile.c in Ima ...)
@@ -277281,8 +277380,7 @@ CVE-2011-4933
REJECTED
CVE-2011-4932 (Eval injection vulnerability in ip_cms/modules/standard/content_manage ...)
NOT-FOR-US: ImpressPages CMS not in Debian
-CVE-2011-4931
- RESERVED
+CVE-2011-4931 (gpw generates shorter passwords than required ...)
- gpw <unfixed> (unimportant; bug #651510)
NOTE: This has only marginal security impact
CVE-2011-4930 (Multiple format string vulnerabilities in Condor 7.2.0 through 7.6.4, ...)
@@ -278446,8 +278544,7 @@ CVE-2012-0048 (OpenTTD 0.3.5 through 1.1.4 allows remote attackers to cause a de
NOTE: contacted MITRE, will be rejected
CVE-2012-0047 (Cross-site scripting (XSS) vulnerability in Apache Wicket 1.4.x before ...)
NOT-FOR-US: Apache Wicket
-CVE-2012-0046 [mediawiki info leak]
- RESERVED
+CVE-2012-0046 (mediawiki allows deleted text to be exposed ...)
- mediawiki 1:1.15.5-6 (low; bug #655694)
[squeeze] - mediawiki 1:1.15.5-2squeeze3
[lenny] - mediawiki <not-affected> (Vulnerable code not present)
@@ -291316,8 +291413,7 @@ CVE-2011-0430 (Double free vulnerability in the Rx server process in OpenAFS 1.4
- openafs 1.4.14+dfsg-1
CVE-2011-0429
RESERVED
-CVE-2011-0428
- RESERVED
+CVE-2011-0428 (Cross Site Scripting (XSS) in ikiwiki before 3.20110122 could allow re ...)
- ikiwiki 3.20110122
[squeeze] - ikiwiki 3.20100815.5
[lenny] - ikiwiki <not-affected> (Vulnerable code not present)
@@ -294815,8 +294911,7 @@ CVE-2009-5004
CVE-2010-3845 (libapache-authenhook-perl 2.00-04 stores usernames and passwords in pl ...)
- libapache-authenhook-perl 2.00-04+pristine-2 (low; bug #599712)
[lenny] - libapache-authenhook-perl 2.00-04+pristine-1+lenny1
-CVE-2010-4237
- RESERVED
+CVE-2010-4237 (Mercurial before 1.6.4 fails to verify the Common Name field of SSL ce ...)
- mercurial 1.6.4-1 (low; bug #598841)
[lenny] - mercurial <no-dsa> (Minor issue)
CVE-2010-3840 (The Gis_line_string::init_from_wkb function in sql/spatial.cc in MySQL ...)
@@ -296155,14 +296250,12 @@ CVE-2010-3377 (The (1) runSalome, (2) runTestMedCorba, (3) runLightSalome, and (
CVE-2010-3376 (The (1) proofserv, (2) xrdcp, (3) xrdpwdadmin, and (4) xrd scripts in ...)
- root-system 5.34.00-1 (bug #598420; bug #598419)
[lenny] - root-system <no-dsa> (minor issue)
-CVE-2010-3375
- RESERVED
+CVE-2010-3375 (qtparted has insecure library loading which may allow arbitrary code e ...)
- qtparted 0.4.5-8 (low; bug #598301)
[lenny] - qtparted <no-dsa> (Minor issue)
CVE-2010-3374 (Qt Creator before 2.0.1 places a zero-length directory name in the LD_ ...)
- qtcreator 1.3.1-3 (bug #598300)
-CVE-2010-3373
- RESERVED
+CVE-2010-3373 (paxtest handles temporary files insecurely ...)
- paxtest 1:0.9.9-1 (unimportant; bug #598413)
CVE-2010-3372 (Untrusted search path vulnerability in NorduGrid Advanced Resource Con ...)
- nordugrid-arc-nox 1.1.0~rc6-2.1 (bug #606151)
@@ -307890,8 +307983,7 @@ CVE-2009-3889 (The dbg_lvl file for the megaraid_sas driver in the Linux kernel
CVE-2009-3888 (The do_mmap_pgoff function in mm/nommu.c in the Linux kernel before 2. ...)
- linux-2.6 <not-affected> (Vulnerable code not built)
- linux-2.6.24 <not-affected> (Vulnerable code not built)
-CVE-2009-3887 [ytnef path traversal]
- RESERVED
+CVE-2009-3887 (ytnef has directory traversal ...)
- ytnef <removed> (bug #567631)
[lenny] - ytnef <no-dsa> (Minor issue)
NOTE: http://www.ocert.org/advisories/ocert-2009-013.html
@@ -308428,8 +308520,7 @@ CVE-2009-3725 (The connector layer in the Linux kernel before 2.6.31.5 does not
CVE-2009-3724
RESERVED
NOT-FOR-US: python-markdown2 (not our markdown, different code base)
-CVE-2009-3723 [Unauthorized calls allowed on prohibited networks in asterisk]
- RESERVED
+CVE-2009-3723 (asterisk allows calls on prohibited networks ...)
[etch] - asterisk <not-affected>
[lenny] - asterisk <not-affected>
- asterisk 1:1.6.2.0~rc3-2 (medium; bug #552756)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f6514c76b4606ab662ebda94e80433504d645097
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f6514c76b4606ab662ebda94e80433504d645097
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20191029/2dbd876e/attachment.html>
More information about the debian-security-tracker-commits
mailing list