[Git][security-tracker-team/security-tracker][master] Slightly detangle CVE list

Salvatore Bonaccorso carnil at debian.org
Wed May 6 07:55:40 BST 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
221201ac by Salvatore Bonaccorso at 2020-05-06T08:51:09+02:00
Slightly detangle CVE list

Some were fixed only in stretch or buster, or for buster in an earlier
DSA already. To pinpoint in the tracker the exact fixing version
detangle the list slightly as otherwise the fixes will be cross-merged from
the data/DSA/list up to the mentioned version.

- - - - -


2 changed files:

- data/CVE/list
- data/DSA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -23444,6 +23444,7 @@ CVE-2019-19834 (Directory Traversal in ruckus_cli2 in Ruckus Wireless Unleashed
 CVE-2019-20043 (In in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.ph ...)
 	{DSA-4599-1}
 	- wordpress 5.3.2+dfsg1-1 (bug #946905)
+	[stretch] - wordpress 4.7.5+dfsg-2+deb9u6
 	[jessie] - wordpress <not-affected> (Vulnerable REST API introduced in 4.4)
 	NOTE: https://core.trac.wordpress.org/changeset/46893/trunk
 	NOTE: https://github.com/WordPress/wordpress-develop/commit/1d1d5be7aa94608c04516cac4238e8c22b93c1d9
@@ -23459,6 +23460,7 @@ CVE-2019-20042 (In wp-includes/formatting.php in WordPress 3.7 to 5.3.0, the fun
 CVE-2019-20041 (wp_kses_bad_protocol in wp-includes/kses.php in WordPress before 5.3.1 ...)
 	{DSA-4599-1 DLA-2067-1}
 	- wordpress 5.3.2+dfsg1-1 (bug #946905)
+	[stretch] - wordpress 4.7.5+dfsg-2+deb9u6
 	NOTE: https://github.com/WordPress/wordpress-develop/commit/b1975463dd995da19bb40d3fa0786498717e3c53
 	NOTE: https://wordpress.org/news/2019/12/wordpress-5-3-1-security-and-maintenance-release/
 CVE-2019-16781 (In WordPress before 5.3.1, authenticated users with lower privileges ( ...)
@@ -36669,6 +36671,7 @@ CVE-2019-17622
 CVE-2019-17675 (WordPress before 5.2.4 does not properly consider type confusion durin ...)
 	{DSA-4599-1 DLA-1980-1}
 	- wordpress 5.2.4+dfsg1-1 (bug #942459)
+	[stretch] - wordpress 4.7.5+dfsg-2+deb9u6
 	NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 	NOTE: https://core.trac.wordpress.org/changeset/46477
 	NOTE: https://github.com/WordPress/WordPress/commit/b183fd1cca0b44a92f0264823dd9f22d2fd8b8d0
@@ -36676,6 +36679,7 @@ CVE-2019-17675 (WordPress before 5.2.4 does not properly consider type confusion
 CVE-2019-17674 (WordPress before 5.2.4 is vulnerable to stored XSS (cross-site scripti ...)
 	{DSA-4599-1}
 	- wordpress 5.2.4+dfsg1-1 (bug #942459)
+	[stretch] - wordpress 4.7.5+dfsg-2+deb9u6
 	[jessie] - wordpress <postponed> (officially fixed in 4.1.28 but no related fix was identified)
 	NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 	NOTE: https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
@@ -36684,6 +36688,7 @@ CVE-2019-17674 (WordPress before 5.2.4 is vulnerable to stored XSS (cross-site s
 CVE-2019-17673 (WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON ...)
 	{DSA-4599-1}
 	- wordpress 5.2.4+dfsg1-1 (bug #942459)
+	[stretch] - wordpress 4.7.5+dfsg-2+deb9u6
 	[jessie] - wordpress <not-affected> (vulnerable code not present)
 	NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 	NOTE: https://core.trac.wordpress.org/changeset/46478
@@ -36692,6 +36697,7 @@ CVE-2019-17673 (WordPress before 5.2.4 is vulnerable to poisoning of the cache o
 CVE-2019-17672 (WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject  ...)
 	{DSA-4599-1}
 	- wordpress 5.2.4+dfsg1-1 (bug #942459)
+	[stretch] - wordpress 4.7.5+dfsg-2+deb9u6
 	[jessie] - wordpress <postponed> (officially fixed in 4.1.28 but no related fix was identified)
 	NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 	NOTE: https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
@@ -36700,6 +36706,7 @@ CVE-2019-17672 (WordPress before 5.2.4 is vulnerable to a stored XSS attack to i
 CVE-2019-17671 (In WordPress before 5.2.4, unauthenticated viewing of certain content  ...)
 	{DSA-4599-1 DLA-1980-1}
 	- wordpress 5.2.4+dfsg1-1 (bug #942459)
+	[stretch] - wordpress 4.7.5+dfsg-2+deb9u6
 	NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 	NOTE: https://core.trac.wordpress.org/changeset/46474
 	NOTE: https://github.com/WordPress/WordPress/commit/f82ed753cf00329a5e41f2cb6dc521085136f308
@@ -36715,6 +36722,7 @@ CVE-2019-17670 (WordPress before 5.2.4 has a Server Side Request Forgery (SSRF)
 CVE-2019-17669 (WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulner ...)
 	{DSA-4599-1 DLA-1980-1}
 	- wordpress 5.2.4+dfsg1-1 (bug #942459)
+	[stretch] - wordpress 4.7.5+dfsg-2+deb9u6
 	NOTE: https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html
 	NOTE: https://core.trac.wordpress.org/changeset/46475
 	NOTE: https://github.com/WordPress/WordPress/commit/608d39faed63ea212b6c6cdf9fe2bef92e2120ea
@@ -40784,28 +40792,35 @@ CVE-2019-16224 (An issue was discovered in py-lmdb 0.97. For certain values of m
 CVE-2019-16223 (WordPress before 5.2.3 allows XSS in post previews by authenticated us ...)
 	{DSA-4599-1 DLA-1960-1}
 	- wordpress 5.2.3+dfsg1-1 (bug #939543)
+	[stretch] - wordpress 4.7.5+dfsg-2+deb9u6
 CVE-2019-16222 (WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_b ...)
 	{DSA-4599-1 DLA-1960-1}
 	- wordpress 5.2.3+dfsg1-1 (bug #939543)
+	[stretch] - wordpress 4.7.5+dfsg-2+deb9u6
 	NOTE: https://core.trac.wordpress.org/changeset/45997
 	NOTE: https://github.com/WordPress/WordPress/commit/30ac67579559fe42251b5a9f887211bf61a8ed68
 CVE-2019-16221 (WordPress before 5.2.3 allows reflected XSS in the dashboard. ...)
 	{DSA-4599-1 DLA-1960-1}
 	- wordpress 5.2.3+dfsg1-1 (bug #939543)
+	[stretch] - wordpress 4.7.5+dfsg-2+deb9u6
 CVE-2019-16220 (In WordPress before 5.2.3, validation and sanitization of a URL in wp_ ...)
 	{DSA-4599-1 DLA-1960-1}
 	- wordpress 5.2.3+dfsg1-1 (bug #939543)
+	[stretch] - wordpress 4.7.5+dfsg-2+deb9u6
 	NOTE: https://core.trac.wordpress.org/changeset/45971
 	NOTE: https://github.com/WordPress/WordPress/commit/c86ee39ff4c1a79b93c967eb88522f5c09614a28
 CVE-2019-16219 (WordPress before 5.2.3 allows XSS in shortcode previews. ...)
 	{DSA-4599-1 DLA-1960-1}
 	- wordpress 5.2.3+dfsg1-1 (bug #939543)
+	[stretch] - wordpress 4.7.5+dfsg-2+deb9u6
 CVE-2019-16218 (WordPress before 5.2.3 allows XSS in stored comments. ...)
 	{DSA-4599-1 DLA-1960-1}
 	- wordpress 5.2.3+dfsg1-1 (bug #939543)
+	[stretch] - wordpress 4.7.5+dfsg-2+deb9u6
 CVE-2019-16217 (WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upl ...)
 	{DSA-4599-1 DLA-1960-1}
 	- wordpress 5.2.3+dfsg1-1 (bug #939543)
+	[stretch] - wordpress 4.7.5+dfsg-2+deb9u6
 	NOTE: https://core.trac.wordpress.org/changeset/45936
 CVE-2019-16216 (Zulip server before 2.0.5 incompletely validated the MIME types of upl ...)
 	- zulip-server <itp> (bug #800052)
@@ -62020,6 +62035,7 @@ CVE-2019-9787 (WordPress before 5.1.1 does not properly filter comment content,
 	{DLA-1742-1}
 	- wordpress 5.1.1+dfsg1-1 (bug #924546)
 	[buster] - wordpress 5.0.4+dfsg1-1
+	[stretch] - wordpress 4.7.5+dfsg-2+deb9u6
 	NOTE: https://blog.ripstech.com/2019/wordpress-csrf-to-rce/
 	NOTE: Fixed by: https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b
 CVE-2019-9779 (An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a N ...)
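Review bot: On CVE-2019-9787 the added [stretch] line records the fixed version, but with this CVE removed from the DSA-4677-1 list in data/DSA/list, the only advisory named in the entry's braces is DLA-1742-1. Consider adding a NOTE line stating that the stretch fix shipped with DSA-4677-1, so the advisory stays discoverable from the CVE entry. The same applies to the other entries in this file that get the identical [stretch] line.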


=====================================
data/DSA/list
=====================================
@@ -1,5 +1,5 @@
 [06 May 2020] DSA-4677-1 wordpress - security update
-	{CVE-2019-9787 CVE-2019-16217 CVE-2019-16218 CVE-2019-16219 CVE-2019-16220 CVE-2019-16221 CVE-2019-16222 CVE-2019-16223 CVE-2019-16780 CVE-2019-16781 CVE-2019-17669 CVE-2019-17671 CVE-2019-17672 CVE-2019-17673 CVE-2019-17674 CVE-2019-17675 CVE-2019-20041 CVE-2019-20042 CVE-2019-20043 CVE-2020-11025 CVE-2020-11026 CVE-2020-11027 CVE-2020-11028 CVE-2020-11029 CVE-2020-11030}
+	{CVE-2020-11025 CVE-2020-11026 CVE-2020-11027 CVE-2020-11028 CVE-2020-11029}
 	[stretch] - wordpress 4.7.5+dfsg-2+deb9u6
 	[buster] - wordpress 5.0.4+dfsg1-1+deb10u2
 [06 May 2020] DSA-4676-1 salt - security update
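Review bot: The new brace list for DSA-4677-1 also drops CVE-2019-16780, CVE-2019-16781, CVE-2019-20042 and CVE-2020-11030, yet none of the data/CVE/list hunks in this commit adds a [stretch] or [buster] line for those four (CVE-2019-16781 and CVE-2019-20042 appear only as unchanged context). If their per-release entries already exist in data/CVE/list, or this upload does not fix them, say so in the commit message. Otherwise add the matching lines so the fixed version is still recorded once the cross-merge from data/DSA/list no longer covers them.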



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/221201ac089b1e83097ca9050351e8b4737d6a42



More information about the debian-security-tracker-commits mailing list