[Git][security-tracker-team/security-tracker][master] new yarnpkg, netty issues

Moritz Muehlenhoff jmm at debian.org
Thu Sep 26 22:20:07 BST 2019



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4509b5dc by Moritz Muehlenhoff at 2019-09-26T21:19:39Z
new yarnpkg, netty issues
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -118,7 +118,8 @@ CVE-2019-16871
 CVE-2019-16870
 	RESERVED
 CVE-2019-16869 (Netty before 4.1.42.Final mishandles whitespace before the colon in HT ...)
-	TODO: check
+	- netty <unfixed>
+	NOTE: https://github.com/netty/netty/issues/9571
 CVE-2019-16868 (emlog through 6.0.0beta has an arbitrary file deletion vulnerability v ...)
 	NOT-FOR-US: emlog
 CVE-2019-16867 (HongCMS 3.0.0 allows arbitrary file deletion via a ../ in the file par ...)
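Review bot: the `- netty <unfixed>` line for CVE-2019-16869 records no upstream fix, although the description already states the issue is fixed in 4.1.42.Final; once the fixing commit is identified from the linked issue, add a `NOTE: Fixed by: ...` line and a Debian bug reference so the fixed version can be tracked rather than leaving only the issue URL.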
@@ -14684,7 +14685,7 @@ CVE-2019-12093
 CVE-2019-12092
 	RESERVED
 CVE-2019-12091 (The Netskope client service, v57 before 57.2.0.219 and v60 before 60.2 ...)
-	TODO: check
+	NOT-FOR-US: Netskope
 CVE-2019-12090
 	RESERVED
 CVE-2019-12089
@@ -18013,7 +18014,7 @@ CVE-2019-10884 (Uniqkey Password Manager 1.14 contains a vulnerability because i
 CVE-2019-10883 (Citrix SD-WAN Center 10.2.x before 10.2.1 and NetScaler SD-WAN Center  ...)
 	NOT-FOR-US: Citrix
 CVE-2019-10882 (The Netskope client service, v57 before 57.2.0.219 and v60 before 60.2 ...)
-	TODO: check
+	NOT-FOR-US: Netskope
 CVE-2019-10881
 	RESERVED
 CVE-2019-10880 (Within multiple XEROX products a vulnerability allows remote command e ...)
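Review bot: the CVE-2019-10882 description is the same Netskope client text as CVE-2019-12091 in the previous hunk, and both are now resolved as `NOT-FOR-US: Netskope`, which is consistent; nothing further needed beyond keeping the two entries in step if one is later revisited.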
@@ -18296,9 +18297,9 @@ CVE-2019-10757
 CVE-2019-10756
 	RESERVED
 CVE-2019-10755 (The SAML identifier generated within SAML2Utils.java was found to make ...)
-	TODO: check
+	NOT-FOR-US: SAML2Utils.java
 CVE-2019-10754 (Multiple classes used within Apereo CAS before release 6.1.0-RC5 makes ...)
-	TODO: check
+	NOT-FOR-US: Apereo Central Authentication Service
 CVE-2019-10753 (In all versions prior to version 3.9.6 for eclipse-wtp, all versions p ...)
 	NOT-FOR-US: eclipse-wtp
 CVE-2019-10752
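Review bot: `NOT-FOR-US: SAML2Utils.java` for CVE-2019-10755 names a Java source file rather than the affected project; the adjacent CVE-2019-10754 entry uses the product name (`Apereo Central Authentication Service`), so look up the full description and record the upstream project here too, otherwise a later reader cannot tell which software was assessed as not packaged.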
@@ -31292,7 +31293,7 @@ CVE-2019-6163 (A denial of service vulnerability was reported in Lenovo System U
 CVE-2019-6162
 	RESERVED
 CVE-2019-6161 (An internal product security audit discovered a session handling vulne ...)
-	TODO: check
+	NOT-FOR-US: Lenovo
 CVE-2019-6160 (A vulnerability in various versions of Iomega and LenovoEMC NAS produc ...)
 	NOT-FOR-US: Iomega and LenovoEMC NAS products
 CVE-2019-6159 (A stored cross-site scripting (XSS) vulnerability exists in various fi ...)
@@ -33178,11 +33179,11 @@ CVE-2019-5459 (An Integer underflow in VLC Media Player versions < 3.0.7 lead
 	[jessie] - vlc <end-of-life> (https://lists.debian.org/debian-security-announce/2018/msg00130.html)
 	NOTE: https://hackerone.com/reports/502816
 CVE-2019-5458 (Cross-site scripting (XSS) vulnerability in http-file-server (all vers ...)
-	TODO: check
+	NOT-FOR-US: http-file-server Node.js module
 CVE-2019-5457 (Cross-site scripting (XSS) vulnerability in min-http-server (all versi ...)
-	TODO: check
+	NOT-FOR-US: min-http-server Node module
 CVE-2019-5456 (SMTP MITM refers to a malicious actor setting up an SMTP proxy server  ...)
-	TODO: check
+	NOT-FOR-US: SMTP MITM
 CVE-2019-5455 (Bypassing lock protection exists in Nextcloud Android app 3.6.0 when c ...)
 	NOT-FOR-US: Nextcloud Android app
 CVE-2019-5454 (SQL Injection in the Nextcloud Android app prior to version 3.0.0 allo ...)
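Review bot: `NOT-FOR-US: SMTP MITM` for CVE-2019-5456 names the attack technique from the description rather than the affected software; the label should identify the product that was fixed so the assessment can be re-checked later. Also the wording `min-http-server Node module` for CVE-2019-5457 differs from `http-file-server Node.js module` used for CVE-2019-5458 (and for CVE-2019-5447 elsewhere in the file); use one form.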
@@ -33198,7 +33199,7 @@ CVE-2019-5450 (Improper sanitization of HTML in directory names in the Nextcloud
 CVE-2019-5449 (A missing check in the Nextcloud Server prior to version 15.0.1 causes ...)
 	- nextcloud <itp> (bug #835086)
 CVE-2019-5448 (Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Da ...)
-	TODO: check
+	- yarnpkg <unfixed>
 CVE-2019-5447 (A path traversal vulnerability in <= v0.2.6 of http-file-server npm ...)
 	NOT-FOR-US: http-file-server Node.js module
 CVE-2019-5446 (Command Injection in EdgeMAX EdgeSwitch prior to 1.8.2 allow an Admin  ...)
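Review bot: `- yarnpkg <unfixed>` for CVE-2019-5448 has no bug reference and no note of the upstream fix, although the description gives 1.17.3 as the first fixed version; add a `NOTE:` pointing at the upstream advisory or fixing commit and file a Debian bug for yarnpkg so the fix can be tracked through the package.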
@@ -33994,11 +33995,11 @@ CVE-2019-5069 (A code execution vulnerability exists in Epignosis eFront LMS v5.
 CVE-2019-5068
 	RESERVED
 CVE-2019-5067 (An uninitialized memory access vulnerability exists in the way Aspose. ...)
-	TODO: check
+	NOT-FOR-US: Aspose
 CVE-2019-5066 (An exploitable use-after-free vulnerability exists in the way LZW-comp ...)
-	TODO: check
+	NOT-FOR-US: Aspose
 CVE-2019-5065 (An exploitable information disclosure vulnerability exists in the pack ...)
-	TODO: check
+	NOT-FOR-US: Blynk
 CVE-2019-5064
 	RESERVED
 CVE-2019-5063
@@ -35466,7 +35467,7 @@ CVE-2019-4380
 CVE-2019-4379
 	RESERVED
 CVE-2019-4378 (IBM MQ 7.5.0.0 - 7.5.0.9, 7.1.0.0 - 7.1.0.9, 8.0.0.0 - 8.0.0.12, 9.0.0 ...)
-	TODO: check
+	NOT-FOR-US: IBM
 CVE-2019-4377 (IBM Sterling B2B Integrator 6.0.0.0 and 6.0.0.1 reveals sensitive info ...)
 	NOT-FOR-US: IBM
 CVE-2019-4376
@@ -35698,7 +35699,7 @@ CVE-2019-4264 (IBM QRadar SIEM 7.2.8 WinCollect could allow an attacker to obtai
 CVE-2019-4263 (IBM Content Navigator 3.0CD is vulnerable to local file inclusion, all ...)
 	NOT-FOR-US: IBM
 CVE-2019-4262 (IBM QRadar SIEM 7.2 and 7.3 is vulnerable to Server Side Request Forge ...)
-	TODO: check
+	NOT-FOR-US: IBM
 CVE-2019-4261 (IBM WebSphere MQ V7.1, 7.5, IBM MQ V8, IBM MQ V9.0LTS, IBM MQ V9.1 LTS ...)
 	NOT-FOR-US: IBM
 CVE-2019-4260 (IBM Daeja ViewONE Professional, Standard & Virtual 5.0 through 5.0 ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/4509b5dc94b280cef452225005f1c97eed06fc08





More information about the debian-security-tracker-commits mailing list