author: security tracker role <sectracker@soriano.debian.org> 2019-11-19 08:10:23 +0000
committer: security tracker role <sectracker@soriano.debian.org> 2019-11-19 08:10:23 +0000
commit: 8521a1b45514a26720e2cf5a7728f73e1ddb1c43 (patch)
tree: 29bad8ebe21b6c01cad43c94bf47f02974a27433 /data/CVE
parent: 8a57d35514e256353fbb4b53bf6cb5f620b06388 (diff)
automatic update
Diffstat (limited to 'data/CVE')
-rw-r--r-- data/CVE/2008.list | 3
-rw-r--r-- data/CVE/2010.list | 2
-rw-r--r-- data/CVE/2012.list | 12
-rw-r--r-- data/CVE/2014.list | 3
-rw-r--r-- data/CVE/2019.list | 56
5 files changed, 40 insertions, 36 deletions
diff --git a/data/CVE/2008.list b/data/CVE/2008.list
index 42afa18ac2..931efa05de 100644
--- a/data/CVE/2008.list
+++ b/data/CVE/2008.list
@@ -2692,8 +2692,7 @@ CVE-2008-6068 (SQL injection vulnerability in the JoomlaDate (com_joomladate) co
NOT-FOR-US: Joomla!
CVE-2008-7272 (FireGPG before 0.6 handle user&#8217;s passphrase and decrypted cleart ...)
- iceweasel-firegpg <removed> (bug #514386)
-CVE-2008-7273 [iceweasel-firegpg: Passphrase and Cleartext Recovery]
- RESERVED
+CVE-2008-7273 (A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure ...)
- iceweasel-firegpg <removed> (bug #514386)
CVE-2008-6067
REJECTED
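Review bot: CVE-2008-7273 now carries a real description (a symlink issue in Iceweasel-firegpg before 0.6) but keeps the package line `- iceweasel-firegpg <removed> (bug #514386)` that CVE-2008-7272 also uses, so one Debian bug is cited for two distinct CVEs; confirm that #514386 actually covers the symlink issue as well as the passphrase recovery, or reference a separate bug for it.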
diff --git a/data/CVE/2010.list b/data/CVE/2010.list
index d39c58fbab..caf308ed6b 100644
--- a/data/CVE/2010.list
+++ b/data/CVE/2010.list
@@ -3618,7 +3618,7 @@ CVE-2010-3847 (elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6)
CVE-2010-3846 (Array index error in the apply_rcs_change function in rcs.c in CVS 1.1 ...)
- cvs <not-affected> (vulnerable code not present)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3852
-CVE-2010-3844 (An unchecked sscanf() call in ettercap 0.7.3 allows an insecure tempor ...)
+CVE-2010-3844 (An unchecked sscanf() call in ettercap before 0.7.5 allows an insecure ...)
- ettercap 1:0.7.4-1 (unimportant; bug #600130)
NOTE: Very far-fetched attack vector
CVE-2010-3843
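Review bot: the updated description for CVE-2010-3844 changes the affected range from `ettercap 0.7.3` to `before 0.7.5`, yet the fixed version on the next line is still `ettercap 1:0.7.4-1`; re-check whether 1:0.7.4-1 really carries the fix, or update the fixed version (and the `unimportant` rating if needed) to match the new range.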
diff --git a/data/CVE/2012.list b/data/CVE/2012.list
index c1a454102b..e5c11574e7 100644
--- a/data/CVE/2012.list
+++ b/data/CVE/2012.list
@@ -5588,20 +5588,16 @@ CVE-2012-4443 (Monkey HTTP Daemon 0.9.3 uses a real UID of root and a real GID o
- monkey <removed> (unimportant; bug #688008)
CVE-2012-4442 (Monkey HTTP Daemon 0.9.3 retains the supplementary group IDs of the ro ...)
- monkey <removed> (unimportant; bug #688007)
-CVE-2012-4441 [jenkins XSS in CI game plugin]
- RESERVED
+CVE-2012-4441 (Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before ...)
- jenkins <not-affected> (Plugin not built in Debian source package)
NOTE: http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
-CVE-2012-4440 [jenkins XSS in Violations plugin]
- RESERVED
+CVE-2012-4440 (Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before ...)
- jenkins <not-affected> (Plugin not built in Debian source package)
NOTE: http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
-CVE-2012-4439 [jenkins XSS]
- RESERVED
+CVE-2012-4439 (Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before ...)
- jenkins 1.447.2+dfsg-2 (bug #688298)
NOTE: http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
-CVE-2012-4438 [jenkins remote code execution]
- RESERVED
+CVE-2012-4438 (Jenkins main before 1.482 and LTS before 1.466.2 allows remote attacke ...)
- jenkins 1.447.2+dfsg-2 (bug #688298)
NOTE: http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
CVE-2012-4437 (Cross-site scripting (XSS) vulnerability in the SmartyException class ...)
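Review bot: CVE-2012-4441 and CVE-2012-4440 were titled as XSS in the CI game and Violations plugins and are marked `jenkins <not-affected> (Plugin not built in Debian source package)`, but their new descriptions now read `Jenkins main before 1.482 and LTS before ...`; confirm the not-affected rationale still holds now that the description points at Jenkins core rather than a plugin (CVE-2012-4439 and CVE-2012-4438, with the same description prefix, are marked fixed in 1.447.2+dfsg-2 via bug #688298). The four NOTE lines also repeat the `http://web.archive.org/web/20130606043312/` prefix four times; a single prefix is enough.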
diff --git a/data/CVE/2014.list b/data/CVE/2014.list
index 4f33fe52a1..b10faeeb97 100644
--- a/data/CVE/2014.list
+++ b/data/CVE/2014.list
@@ -13911,8 +13911,7 @@ CVE-2014-5047
RESERVED
CVE-2014-5046
RESERVED
-CVE-2014-5118
- RESERVED
+CVE-2014-5118 (A Security Bypass Vulnerability exists in TBOOT before 1.8.2 in the bo ...)
NOT-FOR-US: tboot
CVE-2014-5117 (Tor before 0.2.4.23 and 0.2.5 before 0.2.5.6-alpha maintains a circuit ...)
{DSA-2993-1 DLA-17-1}
diff --git a/data/CVE/2019.list b/data/CVE/2019.list
index 3c3fe3b526..146f785ed0 100644
--- a/data/CVE/2019.list
+++ b/data/CVE/2019.list
@@ -1,3 +1,11 @@
+CVE-2019-19117 (/usr/lib/lua/luci/controller/admin/autoupgrade.lua on PHICOMM K2(PSG12 ...)
+ TODO: check
+CVE-2019-19116
+ RESERVED
+CVE-2019-19115
+ RESERVED
+CVE-2019-19114
+ RESERVED
CVE-2019-19113 (main/resources/mapper/NewBeeMallGoodsMapper.xml in newbee-mall (aka Ne ...)
NOT-FOR-US: newbee-mall
CVE-2019-19112
@@ -497,17 +505,20 @@ CVE-2019-18889 [Forbid serializing AbstractAdapter and TagAwareAdapter instances
NOTE: https://github.com/symfony/symfony/commit/8817d28fcaacb31fe01d267f6e19b44d8179395a
CVE-2019-18888 [Prevent argument injection in a MimeTypeGuesser]
RESERVED
+ {DSA-4573-1 DLA-1999-1}
- symfony 4.3.8+dfsg-1
NOTE: https://symfony.com/blog/cve-2019-18888-prevent-argument-injection-in-a-mimetypeguesser
NOTE: https://github.com/symfony/symfony/commit/691486e43ce0e4893cd703e221bafc10a871f365
NOTE: https://github.com/symfony/symfony/commit/77ddabf2e785ea85860d2720cc86f7c5d8967ed5
CVE-2019-18887 [Use constant time comparison in UriSigner]
RESERVED
+ {DSA-4573-1 DLA-1999-1}
- symfony 4.3.8+dfsg-1
NOTE: https://symfony.com/blog/cve-2019-18887-use-constant-time-comparison-in-urisigner
NOTE: https://github.com/symfony/symfony/commit/cccefe6a7f12e776df0665aeb77fe9294c285fbb
CVE-2019-18886 [Prevent user enumeration using switch user functionality]
RESERVED
+ {DLA-1999-1}
- symfony 4.3.8+dfsg-1
NOTE: https://symfony.com/blog/cve-2019-18886-prevent-user-enumeration-using-switch-user-functionality
NOTE: https://github.com/symfony/symfony/commit/7bd4a92fc9cc15d9a9fbb9eb1041e01b977f8332
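Review bot: DSA-4573-1 and DLA-1999-1 are added to CVE-2019-18888 and CVE-2019-18887, but CVE-2019-18886 only gets `{DLA-1999-1}`; if the DSA did not ship the user-enumeration fix that asymmetry is correct, otherwise the DSA reference is missing. All three entries also still read `RESERVED` under a bracketed working title even though the symfony.com advisory NOTEs are public, so the descriptions can be filled in on the next sync.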
@@ -1686,8 +1697,8 @@ CVE-2019-18375
RESERVED
CVE-2019-18374
RESERVED
-CVE-2019-18373
- RESERVED
+CVE-2019-18373 (Norton App Lock, prior to 1.4.0.503, may be susceptible to a bypass ex ...)
+ TODO: check
CVE-2019-18372 (Symantec Endpoint Protection, prior to 14.2 RU2, may be susceptible to ...)
NOT-FOR-US: Symantec Endpoint Protection
CVE-2019-18371 (An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-s ...)
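Review bot: CVE-2019-18373 (Norton App Lock) is left at `TODO: check`, while the neighbouring CVE-2019-18372 (Symantec Endpoint Protection) is already `NOT-FOR-US`; the same disposition looks likely here, so the TODO could be resolved in the same pass.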
@@ -2030,8 +2041,8 @@ CVE-2019-18217 (ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote
NOTE: https://github.com/proftpd/proftpd/issues/846
CVE-2019-18216 (** DISPUTED ** The BIOS configuration design on ASUS ROG Zephyrus M GM ...)
NOT-FOR-US: BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313
-CVE-2019-18215
- RESERVED
+CVE-2019-18215 (An issue was discovered in signmgr.dll 6.5.0.819 in Comodo Internet Se ...)
+ TODO: check
CVE-2019-18214 (The Video_Converter app 0.1.0 for Nextcloud allows denial of service ( ...)
NOT-FOR-US: Video_Converter app for Nextcloud
CVE-2019-18213 (XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML ...)
@@ -4470,8 +4481,8 @@ CVE-2019-17087
RESERVED
CVE-2019-17086
RESERVED
-CVE-2019-17085
- RESERVED
+CVE-2019-17085 (XXE attack vulnerability on Micro Focus Operations Agent, affected ver ...)
+ TODO: check
CVE-2019-17084
RESERVED
CVE-2019-17083
@@ -9251,8 +9262,8 @@ CVE-2019-15056
RESERVED
CVE-2019-15055 (MikroTik RouterOS through 6.44.5 and 6.45.x through 6.45.3 improperly ...)
NOT-FOR-US: MikroTik RouterOS
-CVE-2019-15054
- RESERVED
+CVE-2019-15054 (Multiple cross-site scripting (XSS) vulnerabilities in Mailbird before ...)
+ TODO: check
CVE-2019-15053 (The "HTML Include and replace macro" plugin before 1.5.0 for Confluenc ...)
NOT-FOR-US: "HTML Include and replace macro" plugin for Confluence Server
CVE-2019-15052 (The HTTP client in Gradle before 5.6 sends authentication credentials ...)
@@ -9671,7 +9682,7 @@ CVE-2019-14871
RESERVED
CVE-2019-14870
RESERVED
-CVE-2019-14869 (A flaw was found in all versions of ghostscript 9.x before 9.28, where ...)
+CVE-2019-14869 (A flaw was found in all versions of ghostscript 9.x before 9.50, where ...)
{DSA-4569-1 DLA-1992-1}
- ghostscript <unfixed> (bug #944760)
NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904772c5f0aa1140032746e5a0abfc40f4cef
@@ -9896,7 +9907,7 @@ CVE-2019-14818 (A flaw was found in all dpdk version 17.x.x before 17.11.8, 16.x
- dpdk 18.11.4-1
NOTE: http://mails.dpdk.org/archives/announce/2019-November/000293.html
NOTE: https://bugs.dpdk.org/show_bug.cgi?id=363
-CVE-2019-14817 (A flaw was found in, ghostscript versions prior to 9.28, in the .pdfex ...)
+CVE-2019-14817 (A flaw was found in, ghostscript versions prior to 9.50, in the .pdfex ...)
{DSA-4518-1 DLA-1915-1}
- ghostscript 9.28~~rc2~dfsg-1
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701450
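Review bot: the description of CVE-2019-14817 now says `versions prior to 9.50`, but the entry still marks `ghostscript 9.28~~rc2~dfsg-1` as the fixed version; confirm that the fix for upstream bug 701450 is indeed in the 9.28 release candidate packaged in Debian and that 9.50 in the description merely names the upstream release that first shipped it, otherwise the fixed version needs to move.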
@@ -9916,7 +9927,7 @@ CVE-2019-14815
CVE-2019-14814 (There is heap-based buffer overflow in Linux kernel, all versions up t ...)
{DLA-1930-1}
- linux 5.2.17-1
-CVE-2019-14813 (A flaw was found in ghostscript, versions 9.x before 9.28, in the sets ...)
+CVE-2019-14813 (A flaw was found in ghostscript, versions 9.x before 9.50, in the sets ...)
{DSA-4518-1 DLA-1915-1}
- ghostscript 9.28~~rc2~dfsg-1
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701443
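Review bot: CVE-2019-14813 raises the same fixed-version question as CVE-2019-14817: the description moves to `9.x before 9.50` while `ghostscript 9.28~~rc2~dfsg-1` stays as the fixed version, so verify that the fix for bug 701443 is in the 9.28 rc2 packaging.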
@@ -9935,7 +9946,7 @@ CVE-2019-14812
NOTE: For recent versions (9.28~~rc1~dfsg-1) the issue is mitigated starting
NOTE: from http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff
NOTE: which changed the access to file permissions.
-CVE-2019-14811 (A flaw was found in, ghostscript versions prior to 9.28, in the .pdf_h ...)
+CVE-2019-14811 (A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_h ...)
{DSA-4518-1 DLA-1915-1}
- ghostscript 9.28~~rc2~dfsg-1
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701445
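Review bot: for CVE-2019-14811 the description now reads `prior to 9.50` while the fixed version remains `ghostscript 9.28~~rc2~dfsg-1`; as with the other ghostscript entries in this update, check that the fix for bug 701445 is present in that 9.28 rc2 package before leaving the fixed version as is.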
@@ -15078,6 +15089,7 @@ CVE-2019-12840 (In Webmin through 1.910, any user authorized to the "Package Upd
CVE-2019-12839 (In OrangeHRM 4.3.1 and before, there is an input validation error with ...)
NOT-FOR-US: OrangeHRM
CVE-2019-12838 (SchedMD Slurm 17.11.x, 18.08.0 through 18.08.7, and 19.05.0 allows SQL ...)
+ {DSA-4572-1}
- slurm-llnl 19.05.3.2-1 (bug #931880)
[stretch] - slurm-llnl <no-dsa> (Too intrusive to backport)
NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2019/000025.html
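Review bot: `{DSA-4572-1}` is added to CVE-2019-12838 while `[stretch] - slurm-llnl <no-dsa> (Too intrusive to backport)` stays; that is consistent only if DSA-4572-1 covers buster alone, so confirm the stretch line is intentionally unchanged.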
@@ -16169,8 +16181,7 @@ CVE-2019-12424
RESERVED
CVE-2019-12423
RESERVED
-CVE-2019-12422 [weak cookie vulnerability]
- RESERVED
+CVE-2019-12422 (Apache Shiro before 1.4.2, when using the default "remember me" config ...)
- shiro <unfixed>
NOTE: https://www.openwall.com/lists/oss-security/2019/11/18/1
TODO: check details on fix
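Review bot: CVE-2019-12422 now has its public description (`Apache Shiro before 1.4.2, when using the default "remember me" config ...`) while `- shiro <unfixed>` and `TODO: check details on fix` remain; the description itself names 1.4.2 as the first fixed upstream release, which is the detail the TODO asks for, so it can be resolved by confirming that is the version to track for the Debian package.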
@@ -16198,8 +16209,8 @@ CVE-2019-12411
RESERVED
CVE-2019-12410 (While investigating UBSAN errors in https://github.com/apache/arrow/pu ...)
NOT-FOR-US: Apache Arrow
-CVE-2019-12409
- RESERVED
+CVE-2019-12409 (The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure settin ...)
+ TODO: check
CVE-2019-12408 (It was discovered that the C++ implementation (which underlies the R, ...)
NOT-FOR-US: Apache Arrow
CVE-2019-12407 (On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin ...)
@@ -16211,7 +16222,7 @@ CVE-2019-12405 (Improper authentication is possible in Apache Traffic Control ve
CVE-2019-12404 (On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin ...)
- jspwiki <removed>
CVE-2019-12403
- RESERVED
+ REJECTED
CVE-2019-12402 (The file name encoding algorithm used internally in Apache Commons Com ...)
- libcommons-compress-java 1.18-3 (low; bug #939610)
[buster] - libcommons-compress-java <no-dsa> (Minor issue)
@@ -20628,10 +20639,10 @@ CVE-2019-10766
RESERVED
CVE-2019-10765
RESERVED
-CVE-2019-10764
- RESERVED
-CVE-2019-10763
- RESERVED
+CVE-2019-10764 (In elliptic-php versions priot to 1.0.6, Timing attacks might be possi ...)
+ TODO: check
+CVE-2019-10763 (pimcore/pimcore before 6.3.0 is vulnerable to SQL Injection. An attack ...)
+ TODO: check
CVE-2019-10762 (columnQuote in medoo before 1.7.5 allows remote attackers to perform a ...)
NOT-FOR-US: medoo
CVE-2019-10761
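Review bot: the new description for CVE-2019-10764 contains the typo `priot` (for `prior`); since this commit is an automatic update, the text is presumably mirrored from the upstream CVE entry and should be corrected there rather than hand-edited in this list. Both CVE-2019-10764 (elliptic-php timing attack) and CVE-2019-10763 (pimcore SQL injection) are left at `TODO: check`.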
@@ -22558,8 +22569,7 @@ CVE-2019-10072 (The fix for CVE-2019-0199 was incomplete and did not address HTT
NOTE: https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3E
CVE-2019-10071 (The code which checks HMAC in form submissions used String.equals() fo ...)
NOT-FOR-US: Apache Tapestry
-CVE-2019-10070
- RESERVED
+CVE-2019-10070 (Apache Atlas versions 0.8.3 and 1.1.0 were found vulnerable to Stored ...)
NOT-FOR-US: Apache Atlas
CVE-2019-10069 (In Godot through 3.1, remote code execution is possible due to the des ...)
NOT-FOR-US: Godot