[Git][security-tracker-team/security-tracker][master] number of consul issues (older issues need to be checked in more detail)

Sun Feb 2 21:07:35 GMT 2020


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d698cdb2 by Moritz Muehlenhoff at 2020-02-02T22:06:51+01:00
number of consul issues (older issues need to be checked in more detail)
some exiv2 updates

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1222,7 +1222,7 @@ CVE-2020-7956 (HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly val
 	- nomad 0.10.3+dfsg1-1
 	NOTE: https://github.com/hashicorp/nomad/issues/7003
 CVE-2020-7955 (HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uni ...)
-	TODO: check
+	- consul <unfixed>
 CVE-2020-7954
 	RESERVED
 CVE-2020-7953
@@ -2836,7 +2836,7 @@ CVE-2020-7221
 CVE-2020-7220 (HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain circ ...)
 	NOT-FOR-US: HashiCorp Vault
 CVE-2020-7219 (HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services a ...)
-	TODO: check
+	- consul <unfixed>
 CVE-2020-7218 (HashiCorp Nomad and Nomad Enterprise before 0.10.3 allow unbounded res ...)
 	- nomad 0.10.3+dfsg1-1
 	NOTE: https://github.com/hashicorp/nomad/issues/7002
@@ -41358,7 +41358,7 @@ CVE-2019-12293 (In Poppler through 0.76.1, there is a heap-based buffer over-rea
 CVE-2019-12292 (Citrix AppDNA before 7 1906.1.0.472 has Incorrect Access Control. ...)
 	NOT-FOR-US: Citrix AppDNA
 CVE-2019-12291 (HashiCorp Consul 1.4.0 through 1.5.0 has Incorrect Access Control. Key ...)
-	NOT-FOR-US: HashiCorp Consul
+	- consul <unfixed>
 CVE-2019-12290 (GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specifi ...)
 	- libidn2 2.2.0-1
 	[buster] - libidn2 <no-dsa> (Minor issue; intrusive to backport)
@@ -49414,7 +49414,7 @@ CVE-2019-9766 (Stack-based buffer overflow in Free MP3 CD Ripper 2.6, when conve
 CVE-2019-9765 (In Blog_mini 1.0, XSS exists via the author name of a comment reply in ...)
 	NOT-FOR-US: Blog_mini
 CVE-2019-9764 (HashiCorp Consul 1.4.3 lacks server hostname verification for agent-to ...)
-	NOT-FOR-US: HashiCorp Consul
+	- consul <unfixed>
 CVE-2019-9763 (An issue was discovered in Openfind Mail2000 6.0 and 7.0 Webmail. XSS  ...)
 	NOT-FOR-US: Openfind Mail2000 Webmail
 CVE-2019-9762 (A SQL Injection was discovered in PHPSHE 1.7 in include/plugin/payment ...)
@@ -53485,7 +53485,7 @@ CVE-2019-8339 (An issue was discovered in Falco through 0.14.0. A missing indica
 CVE-2019-8338 (The signature verification routine in the Airmail GPG-PGP Plugin, vers ...)
 	NOT-FOR-US: Airmail
 CVE-2019-8336 (HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a c ...)
-	NOT-FOR-US: HashiCorp Consul
+	- consul <unfixed>
 CVE-2019-8335 (An issue was discovered in SchoolCMS 2.3.1. There is an XSS vulnerabil ...)
 	NOT-FOR-US: SchoolCMS
 CVE-2019-8334 (An issue was discovered in SchoolCMS 2.3.1. There is an XSS vulnerabil ...)
@@ -72600,7 +72600,7 @@ CVE-2018-19655 (A stack-based buffer overflow in the find_green() function of dc
 CVE-2018-19654 (An issue was discovered in Sales & Company Management System (SCMS ...)
 	NOT-FOR-US: Sales & Company Management System (SCMS)
 CVE-2018-19653 (HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent  ...)
-	NOT-FOR-US: HashiCorp Consul
+	- consul <unfixed>
 CVE-2018-19652
 	RESERVED
 CVE-2018-19651 (admin/functions/remote.php in Interspire Email Marketer through 6.1.6  ...)
@@ -77236,7 +77236,7 @@ CVE-2018-19108 (In Exiv2 0.26, Exiv2::PsdImage::readMetadata in psdimage.cpp in
 	NOTE: https://github.com/Exiv2/exiv2/commit/b7c71f3ad0386cd7af3b73443c0615ada073f0d5
 CVE-2018-19107 (In Exiv2 0.26, Exiv2::IptcParser::decode in iptc.cpp (called from psdi ...)
 	{DLA-1691-1}
-	- exiv2 0.27.2-6 (bug #913273)
+	- exiv2 0.27.2-6 (low; bug #913273)
 	[buster] - exiv2 <ignored> (Minor issue)
 	[stretch] - exiv2 <ignored> (Minor issue)
 	NOTE: https://github.com/Exiv2/exiv2/issues/427
@@ -98757,9 +98757,9 @@ CVE-2017-18268 (Symantec IntelligenceCenter 3.3 is vulnerable to the Return of t
 CVE-2018-11038
 	RESERVED
 CVE-2018-11037 (In Exiv2 0.26, the Exiv2::PngImage::printStructure function in pngimag ...)
-	- exiv2 0.27.2-6
-	[buster] - exiv2 <no-dsa> (Minor issue)
-	[stretch] - exiv2 <no-dsa> (Minor issue)
+	- exiv2 0.27.2-6 (low)
+	[buster] - exiv2 <ignored> (Minor issue)
+	[stretch] - exiv2 <ignored> (Minor issue)
 	[jessie] - exiv2 <not-affected> (Jessie doesn't have '-pS', not reproducible, closed upstream)
 	NOTE: https://github.com/Exiv2/exiv2/issues/307
 CVE-2018-11036 (Ruckus SmartZone (formerly Virtual SmartCell Gateway or vSCG) 3.5.0, 3 ...)
@@ -104216,7 +104216,7 @@ CVE-2018-8979 (Open-AudIT Professional 2.1 has CSRF, as demonstrated by modifyin
 CVE-2018-8978 (Open-AudIT Professional 2.1 has XSS via a crafted src attribute of an  ...)
 	NOT-FOR-US: Open-AudIT Professional
 CVE-2018-8977 (In Exiv2 0.26, the Exiv2::Internal::printCsLensFFFF function in canonm ...)
-	- exiv2 <not-affected> (Vulnerable code introduced after 0.25; only affected experimental, bug #)
+	- exiv2 <not-affected> (Vulnerable code introduced after 0.25; only affected experimental, bug #894179)
 	NOTE: https://github.com/Exiv2/exiv2/issues/247
 CVE-2018-8976 (In Exiv2 0.26, jpgimage.cpp allows remote attackers to cause a denial  ...)
 	- exiv2 0.27.2-6 (low; bug #903813)
@@ -137689,7 +137689,7 @@ CVE-2017-14865 (There is a heap-based buffer overflow in the Exiv2::us2Data func
 	NOTE: Patch: https://github.com/Exiv2/exiv2/commit/d3c2b9938583440f87ce9115de5a7e8cd8f8db57
 CVE-2017-14864 (An Invalid memory address dereference was discovered in Exiv2::getULon ...)
 	{DLA-1147-1}
-	- exiv2 0.27.2-6
+	- exiv2 0.27.2-6 (low)
 	[buster] - exiv2 <ignored> (Minor issue)
 	[stretch] - exiv2 <ignored> (Minor issue)
 	[jessie] - exiv2 <ignored> (Minor issue)
@@ -137703,7 +137703,7 @@ CVE-2017-14863 (A NULL pointer dereference was discovered in Exiv2::Image::print
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1494443
 CVE-2017-14862 (An Invalid memory address dereference was discovered in Exiv2::DataVal ...)
 	{DLA-1147-1}
-	- exiv2 0.27.2-6
+	- exiv2 0.27.2-6 (low)
 	[buster] - exiv2 <ignored> (Minor issue)
 	[stretch] - exiv2 <ignored> (Minor issue)
 	[jessie] - exiv2 <ignored> (Minor issue)
@@ -137722,7 +137722,7 @@ CVE-2017-14860 (There is a heap-based buffer over-read in the Exiv2::Jp2Image::r
 	NOTE: Patch: https://github.com/Exiv2/exiv2/pull/108
 CVE-2017-14859 (An Invalid memory address dereference was discovered in Exiv2::StringV ...)
 	{DLA-1147-1}
-	- exiv2 0.27.2-6
+	- exiv2 0.27.2-6 (low)
 	[buster] - exiv2 <ignored> (Minor issue)
 	[stretch] - exiv2 <ignored> (Minor issue)
 	[jessie] - exiv2 <ignored> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d698cdb2984a01f09f208acd12bbb5202655df93

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d698cdb2984a01f09f208acd12bbb5202655df93
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200202/19247887/attachment.html>
