[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Thu Sep 26 21:10:30 BST 2019



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ceb093cc by security tracker role at 2019-09-26T20:10:21Z
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,45 @@
+CVE-2019-16916
+	RESERVED
+CVE-2019-16915 (An issue was discovered in pfSense through 2.4.4-p3. widgets/widgets/p ...)
+	TODO: check
+CVE-2019-16914 (An XSS issue was discovered in pfSense through 2.4.4-p3. In services_c ...)
+	TODO: check
+CVE-2019-16913
+	RESERVED
+CVE-2019-16912
+	RESERVED
+CVE-2019-16911
+	RESERVED
+CVE-2019-16910 (Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when dete ...)
+	TODO: check
+CVE-2019-16909
+	RESERVED
+CVE-2019-16908
+	RESERVED
+CVE-2019-16907
+	RESERVED
+CVE-2019-16906
+	RESERVED
+CVE-2019-16905
+	RESERVED
+CVE-2019-16904 (TeamPass 2.1.27.36 allows XSS by setting a crafted password for an ite ...)
+	TODO: check
+CVE-2019-16903 (Platinum UPnP SDK 1.2.0 allows Directory Traversal in Core/PltHttpServ ...)
+	TODO: check
+CVE-2015-9456
+	RESERVED
+CVE-2015-9455
+	RESERVED
+CVE-2015-9454
+	RESERVED
+CVE-2015-9453
+	RESERVED
+CVE-2015-9452
+	RESERVED
+CVE-2015-9451
+	RESERVED
+CVE-2015-9450
+	RESERVED
 CVE-2019-16902
 	RESERVED
 CVE-2019-16901 (Advantech WebAccess/HMI Designer 2.1.9.31 has Exception Handler Chain  ...)
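Review bot: CVE-2019-16910 (Arm Mbed TLS before 2.19.0 ...) is left at TODO: check, but mbedtls is a Debian source package, so this entry needs a real package line (fixed version, or <not-affected>/<no-dsa> with a rationale) plus a NOTE pointing at the upstream advisory rather than the placeholder. In the same hunk the two pfSense entries, CVE-2019-16915 and CVE-2019-16914, can go straight to NOT-FOR-US: pfSense, the way the other non-Debian products in this file are handled.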
@@ -13,9 +55,9 @@ CVE-2019-16897
 CVE-2019-16896
 	RESERVED
 CVE-2019-16895
-	RESERVED
-CVE-2019-16894
-	RESERVED
+	REJECTED
+CVE-2019-16894 (download.php in inoERP 4.15 allows SQL injection through insecure dese ...)
+	TODO: check
 CVE-2019-16893
 	RESERVED
 CVE-2019-16892 (In Rubyzip before 1.3.0, a crafted ZIP file can bypass application che ...)
@@ -71,8 +113,8 @@ CVE-2019-16871
 	RESERVED
 CVE-2019-16870
 	RESERVED
-CVE-2019-16869
-	RESERVED
+CVE-2019-16869 (Netty before 4.1.42.Final mishandles whitespace before the colon in HT ...)
+	TODO: check
 CVE-2019-16868 (emlog through 6.0.0beta has an arbitrary file deletion vulnerability v ...)
 	NOT-FOR-US: emlog
 CVE-2019-16867 (HongCMS 3.0.0 allows arbitrary file deletion via a ../ in the file par ...)
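Review bot: CVE-2019-16869 (Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers) should not stay at TODO: check. netty is packaged in Debian, and accepting whitespace before the header colon is the header-parsing laxness that makes HTTP request smuggling possible when a stricter front-end proxy sits in front of a Netty back-end, so the entry wants a netty package line with the fixed version and a NOTE linking the upstream fix commit.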
@@ -381,8 +423,8 @@ CVE-2019-16757
 	RESERVED
 CVE-2019-16756
 	RESERVED
-CVE-2019-16755
-	RESERVED
+CVE-2019-16755 (A vulnerability was discovered in BMC MyIT Digital Workplace DWP befor ...)
+	TODO: check
 CVE-2019-16754 (RIOT 2019.07 contains a NULL pointer dereference in the MQTT-SN implem ...)
 	NOT-FOR-US: RIOT RIOT-OS
 CVE-2019-16753
@@ -581,8 +623,8 @@ CVE-2019-16669 (The Reset Password feature in Pagekit 1.0.17 gives a different r
 	NOT-FOR-US: Pagekit CMS
 CVE-2019-16668
 	RESERVED
-CVE-2019-16667
-	RESERVED
+CVE-2019-16667 (diag_command.php in pfSense 2.4.4-p3 allows CSRF via the txtCommand or ...)
+	TODO: check
 CVE-2019-16666
 	RESERVED
 CVE-2019-16665 (An issue was discovered in ThinkSAAS 2.91. There is XSS via the conten ...)
@@ -941,8 +983,8 @@ CVE-2019-16534 (On DrayTek Vigor2925 devices with firmware 3.8.4.3, XSS exists v
 	NOT-FOR-US: DrayTek Vigor2925 devices
 CVE-2019-16533 (On DrayTek Vigor2925 devices with firmware 3.8.4.3, Incorrect Access C ...)
 	NOT-FOR-US: DrayTek Vigor2925 devices
-CVE-2019-16532
-	RESERVED
+CVE-2019-16532 (An HTTP Host header injection vulnerability exists in YzmCMS V5.3. A m ...)
+	TODO: check
 CVE-2019-16531 (LayerBB before 1.1.4 has multiple CSRF issues, as demonstrated by chan ...)
 	NOT-FOR-US: LayerBB
 CVE-2019-16530
@@ -957,8 +999,7 @@ CVE-2019-16526
 	RESERVED
 CVE-2019-16525 (An XSS issue was discovered in the checklist plugin before 1.1.9 for W ...)
 	NOT-FOR-US: checklist plugin for WordPress
-CVE-2019-16524
-	RESERVED
+CVE-2019-16524 (The easy-fancybox plugin before 1.8.18 for WordPress (aka Easy FancyBo ...)
 	NOT-FOR-US: Wordpress plugin
 CVE-2019-16523
 	RESERVED
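Review bot: the rationale kept under CVE-2019-16524 reads "NOT-FOR-US: Wordpress plugin" while the neighbouring CVE-2019-16525 uses "NOT-FOR-US: checklist plugin for WordPress"; now that the description names the plugin (easy-fancybox), use "NOT-FOR-US: easy-fancybox plugin for WordPress" so the two lines follow one convention and the product is searchable.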
@@ -1199,8 +1240,8 @@ CVE-2019-16410 (An issue was discovered in Suricata 4.1.4. By sending multiple f
 	[stretch] - suricata <no-dsa> (Minor issue)
 	[jessie] - suricata <no-dsa> (Minor issue)
 	NOTE: https://suricata-ids.org/2019/09/24/suricata-4-1-5-released/
-CVE-2019-16409
-	RESERVED
+CVE-2019-16409 (In the Versioned Files module through 2.0.3 for SilverStripe 3.x, unpu ...)
+	TODO: check
 CVE-2019-16408
 	RESERVED
 CVE-2019-16407
@@ -5826,8 +5867,7 @@ CVE-2019-14846
 	RESERVED
 CVE-2019-14845
 	RESERVED
-CVE-2019-14844 [reversed strlcpy() allows client to crash the KDC]
-	RESERVED
+CVE-2019-14844 (A flaw was found in, Fedora versions of krb5 from 1.16.1 to, including ...)
 	- krb5 <not-affected> (Vulnerable code not present; problematic commit not backported; not present in any MIT krb5 release)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1753589
 	NOTE: Introduced by: https://github.com/krb5/krb5/commit/a649279727490687d54becad91fde8cf7429d951
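Review bot: the new description for CVE-2019-14844 has MITRE's misplaced commas ("A flaw was found in, Fedora versions of krb5 from 1.16.1 to, including"); the tracker mirrors the feed text verbatim, so leave it. What matters is that the existing <not-affected> rationale (problematic commit not backported, not in any MIT krb5 release) agrees with the "Fedora versions of krb5" scoping in the new text, and it does.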
@@ -8044,10 +8084,10 @@ CVE-2019-14274 (MCPP 2.7.2 has a heap-based buffer overflow in the do_msg() func
 	[stretch] - mcpp <no-dsa> (Minor issue)
 	[jessie] - mcpp <no-dsa> (Minor issue)
 	NOTE: https://sourceforge.net/p/mcpp/bugs/13/
-CVE-2019-14273
-	RESERVED
-CVE-2019-14272
-	RESERVED
+CVE-2019-14273 (In SilverStripe assets 4.0, there is broken access control on files. ...)
+	TODO: check
+CVE-2019-14272 (In SilverStripe asset-admin 4.0, there is XSS in file titles managed t ...)
+	TODO: check
 CVE-2019-14271 (In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka ...)
 	{DSA-4521-1}
 	- docker.io 18.09.1+dfsg1-9
@@ -10760,8 +10800,8 @@ CVE-2019-13525
 	RESERVED
 CVE-2019-13524
 	RESERVED
-CVE-2019-13523
-	RESERVED
+CVE-2019-13523 (In Honeywell Performance IP Cameras and Performance NVRs, the integrat ...)
+	TODO: check
 CVE-2019-13522 (An attacker could use a specially crafted project file to corrupt the  ...)
 	NOT-FOR-US: EZ PLC Editor
 CVE-2019-13521
@@ -13187,8 +13227,8 @@ CVE-2019-12618 (HashiCorp Nomad 0.9.0 through 0.9.1 has Incorrect Access Control
 	- nomad <not-affected> (Vulnerability introduced in 0.9.0)
 	NOTE: https://www.hashicorp.com/blog/hashicorp-nomad-0-9-2
 	NOTE: https://github.com/hashicorp/nomad/issues/5783
-CVE-2019-12617
-	RESERVED
+CVE-2019-12617 (In SilverStripe through 4.3.3, there is access escalation for CMS user ...)
+	TODO: check
 CVE-2019-12616 (An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability wa ...)
 	{DLA-1821-1}
 	- phpmyadmin <unfixed> (bug #930017)
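Review bot: CVE-2019-12617 is the fourth SilverStripe entry in this update left at TODO: check, alongside CVE-2019-16409, CVE-2019-14273 and CVE-2019-14272 above; triage them together so all four get the same resolution and the same product naming in the NOT-FOR-US (or package) line.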
@@ -14627,8 +14667,8 @@ CVE-2019-12093
 	RESERVED
 CVE-2019-12092
 	RESERVED
-CVE-2019-12091
-	RESERVED
+CVE-2019-12091 (The Netskope client service, v57 before 57.2.0.219 and v60 before 60.2 ...)
+	TODO: check
 CVE-2019-12090
 	RESERVED
 CVE-2019-12089
@@ -16301,9 +16341,9 @@ CVE-2019-11498 (WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in Wav
 	[jessie] - wavpack <not-affected> (Vulnerable code not present, introduced in 5.0.0)
 	NOTE: https://github.com/dbry/WavPack/issues/67
 	NOTE: https://github.com/dbry/WavPack/commit/bc6cba3f552c44565f7f1e66dc1580189addb2b4
-CVE-2019-11497 (An issue was discovered in Couchbase Server 5.0.0. When creating a new ...)
+CVE-2019-11497 (In Couchbase Server 5.0.0, when an invalid Remote Cluster Certificate  ...)
 	NOT-FOR-US: Couchbase
-CVE-2019-11496 (An issue was discovered in Couchbase Server 5.0.0. Editing bucket sett ...)
+CVE-2019-11496 (In versions of Couchbase Server prior to 5.0, the bucket named "defaul ...)
 	NOT-FOR-US: Couchbase
 CVE-2019-11495 (Couchbase Server 5.1.1 generates insufficiently random numbers. The pr ...)
 	NOT-FOR-US: Couchbase
@@ -16420,13 +16460,13 @@ CVE-2019-11469 (Zoho ManageEngine Applications Manager 12 through 14 allows Faul
 	NOT-FOR-US: Zoho ManageEngine Applications Manager
 CVE-2019-11468
 	RESERVED
-CVE-2019-11467 (An issue was discovered in Couchbase Server 4.6.3 and 5.5.0. A JSON do ...)
+CVE-2019-11467 (In Couchbase Server 4.6.3 and 5.5.0, secondary indexing encodes the en ...)
 	NOT-FOR-US: Couchbase
-CVE-2019-11466 (An issue was discovered in Couchbase Server 5.5.0 and 6.0.0. The Event ...)
+CVE-2019-11466 (In Couchbase Server 6.0.0 and 5.5.0, the eventing service exposes syst ...)
 	NOT-FOR-US: Couchbase
 CVE-2019-11465 (An issue was discovered in Couchbase Server 5.5.x through 5.5.3 and 6. ...)
 	NOT-FOR-US: Couchbase
-CVE-2019-11464 (An issue was discovered in Couchbase Server 5.1.2 and 5.5.0. The http  ...)
+CVE-2019-11464 (Some enterprises require that REST API endpoints include security-rela ...)
 	NOT-FOR-US: Couchbase
 CVE-2019-11463 (A memory leak in archive_read_format_zip_cleanup in archive_read_suppo ...)
 	- libarchive <not-affected> (Vulnerable code not present)
@@ -17936,7 +17976,7 @@ CVE-2019-10894 (In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the GSS
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2019-14.html
 CVE-2019-10893 (CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open So ...)
 	NOT-FOR-US: CentOS-WebPanel.com
-CVE-2019-10892 (hnap_main in /htdocs/cgibin on D-link DIR-806 v1.0 devices has a stack ...)
+CVE-2019-10892 (An issue was discovered in D-Link DIR-806 devices.There is an stack ov ...)
 	NOT-FOR-US: D-Link
 CVE-2019-10891 (D-Link DIR-806 devices allow remote attackers to execute arbitrary she ...)
 	NOT-FOR-US: D-Link
@@ -17956,8 +17996,8 @@ CVE-2019-10884 (Uniqkey Password Manager 1.14 contains a vulnerability because i
 	NOT-FOR-US: Uniqkey Password Manager
 CVE-2019-10883 (Citrix SD-WAN Center 10.2.x before 10.2.1 and NetScaler SD-WAN Center  ...)
 	NOT-FOR-US: Citrix
-CVE-2019-10882
-	RESERVED
+CVE-2019-10882 (The Netskope client service, v57 before 57.2.0.219 and v60 before 60.2 ...)
+	TODO: check
 CVE-2019-10881
 	RESERVED
 CVE-2019-10880 (Within multiple XEROX products a vulnerability allows remote command e ...)
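Review bot: CVE-2019-10882 now carries the same truncated description as CVE-2019-12091 above ("The Netskope client service, v57 before 57.2.0.219 and v60 before 60.2 ..."); triage the two together and, if they are one issue published under two IDs, record that so both get the same resolution rather than independent TODO: check placeholders.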
@@ -20042,8 +20082,7 @@ CVE-2019-10098 (In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with
 	NOTE: Affects upstream versions 2.4.0 to 2.4.39
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-10098
 	NOTE: https://svn.apache.org/r1864192
-CVE-2019-10097 [mod_remoteip stack buffer overflow and NULL pointer dereference]
-	RESERVED
+CVE-2019-10097 (In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured  ...)
 	- apache2 2.4.41-1
 	[buster] - apache2 2.4.38-3+deb10u1
 	[stretch] - apache2 <not-affected> (PROXY protocol support in mod_remoteip added later)
@@ -20065,8 +20104,7 @@ CVE-2019-10093 (In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006m
 	[buster] - tika <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2019/08/02/3
 	NOTE: https://github.com/apache/tika/commit/81c21ab0aac6b3e4102a1a8906c8c7eab6f96dae
-CVE-2019-10092 [Limited cross-site scripting in mod_proxy]
-	RESERVED
+CVE-2019-10092 (In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting iss ...)
 	{DSA-4509-1 DLA-1900-1}
 	- apache2 2.4.41-1
 	NOTE: Affects upstream versions 2.4.0 to 2.4.39
@@ -20100,8 +20138,7 @@ CVE-2019-10084
 	RESERVED
 CVE-2019-10083
 	RESERVED
-CVE-2019-10082 [mod_http2, read-after-free in h2 connection shutdown]
-	RESERVED
+CVE-2019-10082 (In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the h ...)
 	{DSA-4509-1}
 	- apache2 2.4.41-1
 	[jessie] - apache2 <not-affected> (HTTP/2 support only available since version 2.4.17 and later)
@@ -31201,8 +31238,8 @@ CVE-2019-6177 (A vulnerability reported in Lenovo Solution Center version 03.12.
 	NOT-FOR-US: Lenovo
 CVE-2019-6176
 	RESERVED
-CVE-2019-6175
-	RESERVED
+CVE-2019-6175 (A denial of service vulnerability was reported in Lenovo System Update ...)
+	TODO: check
 CVE-2019-6174
 	RESERVED
 CVE-2019-6173
@@ -31229,8 +31266,8 @@ CVE-2019-6163 (A denial of service vulnerability was reported in Lenovo System U
 	NOT-FOR-US: Lenovo System Update
 CVE-2019-6162
 	RESERVED
-CVE-2019-6161
-	RESERVED
+CVE-2019-6161 (An internal product security audit discovered a session handling vulne ...)
+	TODO: check
 CVE-2019-6160 (A vulnerability in various versions of Iomega and LenovoEMC NAS produc ...)
 	NOT-FOR-US: Iomega and LenovoEMC NAS products
 CVE-2019-6159 (A stored cross-site scripting (XSS) vulnerability exists in various fi ...)
@@ -35403,8 +35440,8 @@ CVE-2019-4380
 	RESERVED
 CVE-2019-4379
 	RESERVED
-CVE-2019-4378
-	RESERVED
+CVE-2019-4378 (IBM MQ 7.5.0.0 - 7.5.0.9, 7.1.0.0 - 7.1.0.9, 8.0.0.0 - 8.0.0.12, 9.0.0 ...)
+	TODO: check
 CVE-2019-4377 (IBM Sterling B2B Integrator 6.0.0.0 and 6.0.0.1 reveals sensitive info ...)
 	NOT-FOR-US: IBM
 CVE-2019-4376
@@ -35635,8 +35672,8 @@ CVE-2019-4264 (IBM QRadar SIEM 7.2.8 WinCollect could allow an attacker to obtai
 	NOT-FOR-US: IBM
 CVE-2019-4263 (IBM Content Navigator 3.0CD is vulnerable to local file inclusion, all ...)
 	NOT-FOR-US: IBM
-CVE-2019-4262
-	RESERVED
+CVE-2019-4262 (IBM QRadar SIEM 7.2 and 7.3 is vulnerable to Server Side Request Forge ...)
+	TODO: check
 CVE-2019-4261 (IBM WebSphere MQ V7.1, 7.5, IBM MQ V8, IBM MQ V9.0LTS, IBM MQ V9.1 LTS ...)
 	NOT-FOR-US: IBM
 CVE-2019-4260 (IBM Daeja ViewONE Professional, Standard & Virtual 5.0 through 5.0 ...)
@@ -48578,8 +48615,7 @@ CVE-2019-0205
 	RESERVED
 CVE-2019-0204 (A specifically crafted Docker image running under the root user can ov ...)
 	- apache-mesos <itp> (bug #760315)
-CVE-2019-0203 [Remote unauthenticated denial-of-service in Subversion svnserve]
-	RESERVED
+CVE-2019-0203 (In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12 ...)
 	{DSA-4490-1 DLA-1903-1}
 	- subversion 1.10.6-1
 	NOTE: https://subversion.apache.org/security/CVE-2019-0203-advisory.txt
@@ -58187,7 +58223,7 @@ CVE-2018-15730 (An issue was discovered in STOPzilla AntiMalware 6.5.2.59. The d
 	NOT-FOR-US: STOPzilla
 CVE-2018-15729 (An issue was discovered in STOPzilla AntiMalware 6.5.2.59. The driver  ...)
 	NOT-FOR-US: STOPzilla
-CVE-2018-15728 (An issue was discovered in Couchbase Server. Authenticated users can s ...)
+CVE-2018-15728 (Couchbase Server exposed the '/diag/eval' endpoint which by default is ...)
 	NOT-FOR-US: Couchbase
 CVE-2018-15727 (Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows aut ...)
 	- grafana <removed> (bug #907590)
@@ -68548,8 +68584,7 @@ CVE-2018-11783 (sslheaders plugin extracts information from the client certifica
 	[stretch] - trafficserver <postponed> (Minor issue, experimental plugin, will be fixed along in next DSA)
 	NOTE: https://github.com/apache/trafficserver/pull/4701
 	NOTE: https://www.openwall.com/lists/oss-security/2019/02/13/6
-CVE-2018-11782 [Remotely triggerable DoS vulnerability in svnserve 'get-deleted-rev']
-	RESERVED
+CVE-2018-11782 (In Apache Subversion versions up to and including 1.9.10, 1.10.4, 1.12 ...)
 	{DSA-4490-1 DLA-1903-1}
 	- subversion 1.10.6-1
 	NOTE: https://subversion.apache.org/security/CVE-2018-11782-advisory.txt
@@ -98151,7 +98186,7 @@ CVE-2017-17520 (** DISPUTED ** tools/url_handler.pl in TIN 2.4.1 does not valida
 CVE-2017-17519 (batteriesConfig.mlp in OCaml Batteries Included (aka ocaml-batteries)  ...)
 	- ocaml-batteries <unfixed> (unimportant)
 	NOTE: https://sources.debian.org/src/ocaml-batteries/2.6.0-1/src/batteriesConfig.mlp/?hl=23#L23
-CVE-2017-17518 (swt/motif/browser.c in White_dune (aka whitedune) 0.30.10 does not val ...)
+CVE-2017-17518 (** DISPUTED ** swt/motif/browser.c in White_dune (aka whitedune) 0.30. ...)
 	- whitedune <unfixed> (unimportant)
 	NOTE: https://sources.debian.org/src/whitedune/0.30.10-2.1/src/swt/motif/browser.c/?hl=159#L214
 CVE-2017-17517 (libsylph/utils.c in Sylpheed through 3.6 does not validate strings bef ...)
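Review bot: the description of CVE-2017-17518 now carries the ** DISPUTED ** marker; the existing whitedune <unfixed> (unimportant) rating and the NOTE pointing at the source line already reflect that assessment, so no status change is needed, but it is worth adding a NOTE with the dispute reference so the "unimportant" rating is traceable.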



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ceb093cc99fcd9471aab0bde093e152a5e6a6d8b
