[Git][security-tracker-team/security-tracker][master] Slightly detangle CVE list
Salvatore Bonaccorso
carnil at debian.org
Wed May 6 07:55:40 BST 2020
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
221201ac by Salvatore Bonaccorso at 2020-05-06T08:51:09+02:00
Slightly detangle CVE list
Some were fixed only in stretch or buster, or for buster in an earlier
DSA already. To pinpoint in the tracker the exact fixing version,
detangle the list slightly, as otherwise the fixes will be cross-merged from
the data/DSA/list up to the mentioned version.
- - - - -
2 changed files:
- data/CVE/list
- data/DSA/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -23444,6 +23444,7 @@ CVE-2019-19834 (Directory Traversal in ruckus_cli2 in Ruckus Wireless Unleashed
CVE-2019-20043 (In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.ph ...)
{DSA-4599-1}
- wordpress 5.3.2+dfsg1-1 (bug #946905)
+ [stretch] - wordpress 4.7.5+dfsg-2+deb9u6
[jessie] - wordpress <not-affected> (Vulnerable REST API introduced in 4.4)
NOTE: https://core.trac.wordpress.org/changeset/46893/trunk
NOTE: https://github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9
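Review bot: only a [stretch] pin is added here while the data/DSA/list change in this same commit drops CVE-2019-20043 from the DSA-4677-1 set, so buster's state for this CVE now rests solely on `{DSA-4599-1}` cross-merging a buster version out of data/DSA/list. Please confirm DSA-4599-1 actually carries a [buster] entry there; if it does not, buster will show as unfixed for this CVE although the original DSA-4677-1 entry claimed 5.0.4+dfsg1-1+deb10u2 for it, and an explicit `[buster] - wordpress ...` pin alongside the new stretch line would make the record independent of the cross-merge.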
@@ -23459,6 +23460,7 @@ CVE-2019-20042 (In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the fun
CVE-2019-20041 (wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 ...)
{DSA-4599-1 DLA-2067-1}
- wordpress 5.3.2+dfsg1-1 (bug #946905)
+ [stretch] - wordpress 4.7.5+dfsg-2+deb9u6
NOTE: https://github.com/WordPress/wordpress-develop/commit/b1975463dd995da19bb40d3fa0786498717e3c53
NOTE: https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
CVE-2019-16781 (In WordPress before 5.3.1, authenticated users with lower privileges ( ...)
@@ -36669,6 +36671,7 @@ CVE-2019-17622
CVE-2019-17675 (WordPress before 5.2.4 does not properly consider type confusion durin ...)
{DSA-4599-1 DLA-1980-1}
- wordpress 5.2.4+dfsg1-1 (bug #942459)
+ [stretch] - wordpress 4.7.5+dfsg-2+deb9u6
NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
NOTE: https://core.trac.wordpress.org/changeset/46477
NOTE: https://github.com/WordPress/WordPress/commit/b183fd1cca0b44a92f0264823dd9f22d2fd8b8d0
@@ -36676,6 +36679,7 @@ CVE-2019-17675 (WordPress before 5.2.4 does not properly consider type confusion
CVE-2019-17674 (WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripti ...)
{DSA-4599-1}
- wordpress 5.2.4+dfsg1-1 (bug #942459)
+ [stretch] - wordpress 4.7.5+dfsg-2+deb9u6
[jessie] - wordpress <postponed> (officially fixed in 4.1.28 but no related fix was identified)
NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
NOTE: https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
@@ -36684,6 +36688,7 @@ CVE-2019-17674 (WordPress before 5.2.4 is vulnerable to stored XSS (cross-site s
CVE-2019-17673 (WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON ...)
{DSA-4599-1}
- wordpress 5.2.4+dfsg1-1 (bug #942459)
+ [stretch] - wordpress 4.7.5+dfsg-2+deb9u6
[jessie] - wordpress <not-affected> (vulnerable code not present)
NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
NOTE: https://core.trac.wordpress.org/changeset/46478
@@ -36692,6 +36697,7 @@ CVE-2019-17673 (WordPress before 5.2.4 is vulnerable to poisoning of the cache o
CVE-2019-17672 (WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject ...)
{DSA-4599-1}
- wordpress 5.2.4+dfsg1-1 (bug #942459)
+ [stretch] - wordpress 4.7.5+dfsg-2+deb9u6
[jessie] - wordpress <postponed> (officially fixed in 4.1.28 but no related fix was identified)
NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
NOTE: https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
@@ -36700,6 +36706,7 @@ CVE-2019-17672 (WordPress before 5.2.4 is vulnerable to a stored XSS attack to i
CVE-2019-17671 (In WordPress before 5.2.4, unauthenticated viewing of certain content ...)
{DSA-4599-1 DLA-1980-1}
- wordpress 5.2.4+dfsg1-1 (bug #942459)
+ [stretch] - wordpress 4.7.5+dfsg-2+deb9u6
NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
NOTE: https://core.trac.wordpress.org/changeset/46474
NOTE: https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308
@@ -36715,6 +36722,7 @@ CVE-2019-17670 (WordPress before 5.2.4 has a Server Side Request Forgery (SSRF)
CVE-2019-17669 (WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulner ...)
{DSA-4599-1 DLA-1980-1}
- wordpress 5.2.4+dfsg1-1 (bug #942459)
+ [stretch] - wordpress 4.7.5+dfsg-2+deb9u6
NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
NOTE: https://core.trac.wordpress.org/changeset/46475
NOTE: https://github.com/WordPress/WordPress/commit/608d39faed63ea212b6c6cdf9fe2bef92e2120ea
@@ -40784,28 +40792,35 @@ CVE-2019-16224 (An issue was discovered in py-lmdb 0.97. For certain values of m
CVE-2019-16223 (WordPress before 5.2.3 allows XSS in post previews by authenticated us ...)
{DSA-4599-1 DLA-1960-1}
- wordpress 5.2.3+dfsg1-1 (bug #939543)
+ [stretch] - wordpress 4.7.5+dfsg-2+deb9u6
CVE-2019-16222 (WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_b ...)
{DSA-4599-1 DLA-1960-1}
- wordpress 5.2.3+dfsg1-1 (bug #939543)
+ [stretch] - wordpress 4.7.5+dfsg-2+deb9u6
NOTE: https://core.trac.wordpress.org/changeset/45997
NOTE: https://github.com/WordPress/WordPress/commit/30ac67579559fe42251b5a9f887211bf61a8ed68
CVE-2019-16221 (WordPress before 5.2.3 allows reflected XSS in the dashboard. ...)
{DSA-4599-1 DLA-1960-1}
- wordpress 5.2.3+dfsg1-1 (bug #939543)
+ [stretch] - wordpress 4.7.5+dfsg-2+deb9u6
CVE-2019-16220 (In WordPress before 5.2.3, validation and sanitization of a URL in wp_ ...)
{DSA-4599-1 DLA-1960-1}
- wordpress 5.2.3+dfsg1-1 (bug #939543)
+ [stretch] - wordpress 4.7.5+dfsg-2+deb9u6
NOTE: https://core.trac.wordpress.org/changeset/45971
NOTE: https://github.com/WordPress/WordPress/commit/c86ee39ff4c1a79b93c967eb88522f5c09614a28
CVE-2019-16219 (WordPress before 5.2.3 allows XSS in shortcode previews. ...)
{DSA-4599-1 DLA-1960-1}
- wordpress 5.2.3+dfsg1-1 (bug #939543)
+ [stretch] - wordpress 4.7.5+dfsg-2+deb9u6
CVE-2019-16218 (WordPress before 5.2.3 allows XSS in stored comments. ...)
{DSA-4599-1 DLA-1960-1}
- wordpress 5.2.3+dfsg1-1 (bug #939543)
+ [stretch] - wordpress 4.7.5+dfsg-2+deb9u6
CVE-2019-16217 (WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upl ...)
{DSA-4599-1 DLA-1960-1}
- wordpress 5.2.3+dfsg1-1 (bug #939543)
+ [stretch] - wordpress 4.7.5+dfsg-2+deb9u6
NOTE: https://core.trac.wordpress.org/changeset/45936
CVE-2019-16216 (Zulip server before 2.0.5 incompletely validated the MIME types of upl ...)
- zulip-server <itp> (bug #800052)
@@ -62020,6 +62035,7 @@ CVE-2019-9787 (WordPress before 5.1.1 does not properly filter comment content,
{DLA-1742-1}
- wordpress 5.1.1+dfsg1-1 (bug #924546)
[buster] - wordpress 5.0.4+dfsg1-1
+ [stretch] - wordpress 4.7.5+dfsg-2+deb9u6
NOTE: https://blog.ripstech.com/2019/wordpress-csrf-to-rce/
NOTE: Fixed by: https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b
CVE-2019-9779 (An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a N ...)
=====================================
data/DSA/list
=====================================
@@ -1,5 +1,5 @@
[06 May 2020] DSA-4677-1 wordpress - security update
- {CVE-2019-9787 CVE-2019-16217 CVE-2019-16218 CVE-2019-16219 CVE-2019-16220 CVE-2019-16221 CVE-2019-16222 CVE-2019-16223 CVE-2019-16780 CVE-2019-16781 CVE-2019-17669 CVE-2019-17671 CVE-2019-17672 CVE-2019-17673 CVE-2019-17674 CVE-2019-17675 CVE-2019-20041 CVE-2019-20042 CVE-2019-20043 CVE-2020-11025 CVE-2020-11026 CVE-2020-11027 CVE-2020-11028 CVE-2020-11029 CVE-2020-11030}
+ {CVE-2020-11025 CVE-2020-11026 CVE-2020-11027 CVE-2020-11028 CVE-2020-11029}
[stretch] - wordpress 4.7.5+dfsg-2+deb9u6
[buster] - wordpress 5.0.4+dfsg1-1+deb10u2
[06 May 2020] DSA-4676-1 salt - security update
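Review bot: four CVEs dropped from the DSA-4677-1 set (CVE-2019-16780, CVE-2019-16781, CVE-2019-17670, CVE-2019-20042) get no corresponding change in data/CVE/list in this patch; CVE-2019-16781, CVE-2019-17670 and CVE-2019-20042 appear above only as unchanged context. Their stretch and buster status therefore comes entirely from whatever their existing entries already say, so please check each one carries a resolution for both suites (an explicit pin, `<not-affected>`, or an earlier DSA/DLA cross-reference), otherwise the detangling leaves them open in the tracker for suites the original DSA-4677-1 line claimed as fixed. The five remaining CVE-2020-1102x entries are consistent with the unchanged [stretch] and [buster] version lines.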
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/221201ac089b1e83097ca9050351e8b4737d6a42