[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2019-18218: reference embedded copy in php7.0

Sylvain Beucler (@beuc) beuc at debian.org
Wed Jul 7 17:52:17 BST 2021



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5ded8e10 by Sylvain Beucler at 2021-07-07T18:51:44+02:00
CVE-2019-18218: reference embedded copy in php7.0

- - - - -
1ce82024 by Sylvain Beucler at 2021-07-07T18:51:45+02:00
CVE-2019-6977/php: reference fixed version

- - - - -
f7ec335c by Sylvain Beucler at 2021-07-07T18:51:47+02:00
CVE-2019-13224: reference embedded copy in php7.0

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/DSA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -122096,8 +122096,10 @@ CVE-2019-18219 (Sitemagic CMS 4.4.1 is affected by a Cross-Site-Scripting (XSS)
 CVE-2019-18218 (cdf_read_property_info in cdf.c in file through 5.37 does not restrict ...)
 	{DSA-4550-1 DLA-1969-1}
 	- file 1:5.37-6 (bug #942830)
+	- php7.0 <removed>
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780
 	NOTE: https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84
+	NOTE: https://github.com/php/php-src/commit/469820048df558040f6dec7c39471ad11e2a7cfb (php-7.2.25RC1)
 CVE-2019-18217 (ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauth ...)
 	{DSA-4559-1 DLA-1974-1}
 	- proftpd-dfsg 1.3.6a-2 (bug #942831)
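Review bot: the new NOTE tags the php-src fix as `(php-7.2.25RC1)`, but the only package line added is `- php7.0 <removed>`; if php7.3 (the buster package credited in DSA-4527-1 further down in this push) carries the same embedded copy of file/libmagic, it needs its own line under CVE-2019-18218 too, otherwise the entry implies only the removed php7.0 was affected.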
@@ -139225,6 +139227,7 @@ CVE-2019-13224 (A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6
 	{DLA-2431-1 DLA-1854-1}
 	- libonig 6.9.2-1 (low; bug #931878)
 	[buster] - libonig <no-dsa> (Minor issue)
+	- php7.0 <removed>
 	NOTE: https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55
 CVE-2019-13223 (A reachable assertion in the lookup1_values function in stb_vorbis thr ...)
 	- libstb 0.0~git20190817.1.052dce1-1 (bug #934966)
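Review bot: the data/DSA/list hunk in this same push adds CVE-2019-13224 to DSA-4527-1 (php7.3 7.3.9-1~deb10u1), yet this entry only gains `- php7.0 <removed>` and keeps `[buster] - libonig <no-dsa> (Minor issue)` as its sole buster line; a `- php7.3 7.3.9-1~deb10u1` line (or whatever version the DSA fixed) should be added here so the package list matches the advisory.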
@@ -157569,7 +157572,7 @@ CVE-2019-6977 (gdImageColorMatch in gd_color_match.c in the GD Graphics Library
 	- php5 <removed> (unimportant)
 	NOTE: Fixed in 5.6.40, 7.1.26, 7.2.14, 7.3.1
 	NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77270
-	NOTE: Proposed patch: https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced
+	NOTE: https://github.com/php/php-src/commit/7a12dad4dd6c370835b13afae214b240082c7538
 CVE-2019-6976 (libvips before 8.7.4 generates output images from uninitialized memory ...)
 	- vips 8.7.4-1 (low)
 	[stretch] - vips 8.4.5-1+deb9u1
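Review bot: swapping the gist URL for the php-src commit is the right call, but the `{...}` advisory cross-reference line for CVE-2019-6977 sits above the hunk context, so it cannot be seen here whether DLA-1679-1 (added in data/DLA/list below) is listed on it; please confirm that line was updated too, since `- php5 <removed> (unimportant)` alone does not record the jessie fix.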


=====================================
data/DLA/list
=====================================
@@ -3160,7 +3160,7 @@
 	{CVE-2018-17000 CVE-2018-19210 CVE-2019-7663}
 	[jessie] - tiff 4.0.3-12.3+deb8u8
 [16 Feb 2019] DLA-1679-1 php5 - security update
-	{CVE-2019-9020 CVE-2019-9021 CVE-2019-9023 CVE-2019-9024}
+	{CVE-2019-6977 CVE-2019-9020 CVE-2019-9021 CVE-2019-9023 CVE-2019-9024}
 	[jessie] - php5 5.6.40+dfsg-0+deb8u1
 [16 Feb 2019] DLA-1678-1 thunderbird - security update
 	{CVE-2018-18356 CVE-2018-18500 CVE-2018-18501 CVE-2018-18505 CVE-2018-18509 CVE-2018-18512 CVE-2018-18513 CVE-2019-5785}


=====================================
data/DSA/list
=====================================
@@ -1360,7 +1360,7 @@
 	[stretch] - bird 1.6.3-2+deb9u1
 	[buster] - bird 1.6.6-1+deb10u1
 [19 Sep 2019] DSA-4527-1 php7.3 - security update
-	{CVE-2019-11036 CVE-2019-11039 CVE-2019-11040 CVE-2019-11041 CVE-2019-11042}
+	{CVE-2019-11036 CVE-2019-11039 CVE-2019-11040 CVE-2019-11041 CVE-2019-11042 CVE-2019-13224}
 	[buster] - php7.3 7.3.9-1~deb10u1
 [19 Sep 2019] DSA-4526-1 opendmarc - security update
 	{CVE-2019-16378}
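Review bot: adding CVE-2019-13224 to DSA-4527-1 makes the CVE entry's cross-reference line inconsistent, as the data/CVE/list hunk still shows `{DLA-2431-1 DLA-1854-1}` for that CVE; add DSA-4527-1 there so the two files agree.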



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5404b63922fddc3225c51f24cfa473d4d3fff0f8...f7ec335c3f41a57b670d79689ad9b95df78fb5bc
