| author | security tracker role <sectracker@soriano.debian.org> | 2019-11-19 08:10:23 +0000 |
|---|---|---|
| committer | security tracker role <sectracker@soriano.debian.org> | 2019-11-19 08:10:23 +0000 |
| commit | 8521a1b45514a26720e2cf5a7728f73e1ddb1c43 | |
| tree | 29bad8ebe21b6c01cad43c94bf47f02974a27433 /data/CVE | |
| parent | 8a57d35514e256353fbb4b53bf6cb5f620b06388 | |
automatic update
Diffstat (limited to 'data/CVE')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | data/CVE/2008.list | 3 |
| -rw-r--r-- | data/CVE/2010.list | 2 |
| -rw-r--r-- | data/CVE/2012.list | 12 |
| -rw-r--r-- | data/CVE/2014.list | 3 |
| -rw-r--r-- | data/CVE/2019.list | 56 |

5 files changed, 40 insertions, 36 deletions
diff --git a/data/CVE/2008.list b/data/CVE/2008.list index 42afa18ac2..931efa05de 100644 --- a/data/CVE/2008.list +++ b/data/CVE/2008.list @@ -2692,8 +2692,7 @@ CVE-2008-6068 (SQL injection vulnerability in the JoomlaDate (com_joomladate) co NOT-FOR-US: Joomla! CVE-2008-7272 (FireGPG before 0.6 handle user’s passphrase and decrypted cleart ...) - iceweasel-firegpg <removed> (bug #514386) -CVE-2008-7273 [iceweasel-firegpg: Passphrase and Cleartext Recovery] - RESERVED +CVE-2008-7273 (A symlink issue exists in Iceweasel-firegpg before 0.6 due to insecure ...) - iceweasel-firegpg <removed> (bug #514386) CVE-2008-6067 REJECTED diff --git a/data/CVE/2010.list b/data/CVE/2010.list index d39c58fbab..caf308ed6b 100644 --- a/data/CVE/2010.list +++ b/data/CVE/2010.list @@ -3618,7 +3618,7 @@ CVE-2010-3847 (elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) CVE-2010-3846 (Array index error in the apply_rcs_change function in rcs.c in CVS 1.1 ...) - cvs <not-affected> (vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3852 -CVE-2010-3844 (An unchecked sscanf() call in ettercap 0.7.3 allows an insecure tempor ...) +CVE-2010-3844 (An unchecked sscanf() call in ettercap before 0.7.5 allows an insecure ...) - ettercap 1:0.7.4-1 (unimportant; bug #600130) NOTE: Very far-fetched attack vector CVE-2010-3843 diff --git a/data/CVE/2012.list b/data/CVE/2012.list index c1a454102b..e5c11574e7 100644 --- a/data/CVE/2012.list +++ b/data/CVE/2012.list 
@@ -5588,20 +5588,16 @@ CVE-2012-4443 (Monkey HTTP Daemon 0.9.3 uses a real UID of root and a real GID o - monkey <removed> (unimportant; bug #688008) CVE-2012-4442 (Monkey HTTP Daemon 0.9.3 retains the supplementary group IDs of the ro ...) - monkey <removed> (unimportant; bug #688007) -CVE-2012-4441 [jenkins XSS in CI game plugin] - RESERVED +CVE-2012-4441 (Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before ...) - jenkins <not-affected> (Plugin not built in Debian source package) NOTE: http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb -CVE-2012-4440 [jenkins XSS in Violations plugin] - RESERVED +CVE-2012-4440 (Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before ...) - jenkins <not-affected> (Plugin not built in Debian source package) NOTE: http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb -CVE-2012-4439 [jenkins XSS] - RESERVED +CVE-2012-4439 (Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before ...) - jenkins 1.447.2+dfsg-2 (bug #688298) NOTE: http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb -CVE-2012-4438 [jenkins remote code execution] - RESERVED +CVE-2012-4438 (Jenkins main before 1.482 and LTS before 1.466.2 allows remote attacke ...) 
- jenkins 1.447.2+dfsg-2 (bug #688298) NOTE: http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://web.archive.org/web/20130606043312/http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb CVE-2012-4437 (Cross-site scripting (XSS) vulnerability in the SmartyException class ...) diff --git a/data/CVE/2014.list b/data/CVE/2014.list index 4f33fe52a1..b10faeeb97 100644 --- a/data/CVE/2014.list +++ b/data/CVE/2014.list @@ -13911,8 +13911,7 @@ CVE-2014-5047 RESERVED CVE-2014-5046 RESERVED -CVE-2014-5118 - RESERVED +CVE-2014-5118 (A Security Bypass Vulnerability exists in TBOOT before 1.8.2 in the bo ...) NOT-FOR-US: tboot CVE-2014-5117 (Tor before 0.2.4.23 and 0.2.5 before 0.2.5.6-alpha maintains a circuit ...) {DSA-2993-1 DLA-17-1} diff --git a/data/CVE/2019.list b/data/CVE/2019.list index 3c3fe3b526..146f785ed0 100644 --- a/data/CVE/2019.list +++ b/data/CVE/2019.list @@ -1,3 +1,11 @@ +CVE-2019-19117 (/usr/lib/lua/luci/controller/admin/autoupgrade.lua on PHICOMM K2(PSG12 ...) + TODO: check +CVE-2019-19116 + RESERVED +CVE-2019-19115 + RESERVED +CVE-2019-19114 + RESERVED CVE-2019-19113 (main/resources/mapper/NewBeeMallGoodsMapper.xml in newbee-mall (aka Ne ...) NOT-FOR-US: newbee-mall CVE-2019-19112 
@@ -497,17 +505,20 @@ CVE-2019-18889 [Forbid serializing AbstractAdapter and TagAwareAdapter instances NOTE: https://github.com/symfony/symfony/commit/8817d28fcaacb31fe01d267f6e19b44d8179395a CVE-2019-18888 [Prevent argument injection in a MimeTypeGuesser] RESERVED + {DSA-4573-1 DLA-1999-1} - symfony 4.3.8+dfsg-1 NOTE: https://symfony.com/blog/cve-2019-18888-prevent-argument-injection-in-a-mimetypeguesser NOTE: https://github.com/symfony/symfony/commit/691486e43ce0e4893cd703e221bafc10a871f365 NOTE: https://github.com/symfony/symfony/commit/77ddabf2e785ea85860d2720cc86f7c5d8967ed5 CVE-2019-18887 [Use constant time comparison in UriSigner] RESERVED + {DSA-4573-1 DLA-1999-1} - symfony 4.3.8+dfsg-1 NOTE: https://symfony.com/blog/cve-2019-18887-use-constant-time-comparison-in-urisigner NOTE: https://github.com/symfony/symfony/commit/cccefe6a7f12e776df0665aeb77fe9294c285fbb CVE-2019-18886 [Prevent user enumeration using switch user functionality] RESERVED + {DLA-1999-1} - symfony 4.3.8+dfsg-1 NOTE: https://symfony.com/blog/cve-2019-18886-prevent-user-enumeration-using-switch-user-functionality NOTE: https://github.com/symfony/symfony/commit/7bd4a92fc9cc15d9a9fbb9eb1041e01b977f8332 @@ -1686,8 +1697,8 @@ CVE-2019-18375 RESERVED CVE-2019-18374 RESERVED -CVE-2019-18373 - RESERVED +CVE-2019-18373 (Norton App Lock, prior to 1.4.0.503, may be susceptible to a bypass ex ...) + TODO: check CVE-2019-18372 (Symantec Endpoint Protection, prior to 14.2 RU2, may be susceptible to ...) NOT-FOR-US: Symantec Endpoint Protection CVE-2019-18371 (An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-s ...) 
@@ -2030,8 +2041,8 @@ CVE-2019-18217 (ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote NOTE: https://github.com/proftpd/proftpd/issues/846 CVE-2019-18216 (** DISPUTED ** The BIOS configuration design on ASUS ROG Zephyrus M GM ...) NOT-FOR-US: BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313 -CVE-2019-18215 - RESERVED +CVE-2019-18215 (An issue was discovered in signmgr.dll 6.5.0.819 in Comodo Internet Se ...) + TODO: check CVE-2019-18214 (The Video_Converter app 0.1.0 for Nextcloud allows denial of service ( ...) NOT-FOR-US: Video_Converter app for Nextcloud CVE-2019-18213 (XML Language Server (aka lsp4xml) before 0.9.1, as used in Red Hat XML ...) @@ -4470,8 +4481,8 @@ CVE-2019-17087 RESERVED CVE-2019-17086 RESERVED -CVE-2019-17085 - RESERVED +CVE-2019-17085 (XXE attack vulnerability on Micro Focus Operations Agent, affected ver ...) + TODO: check CVE-2019-17084 RESERVED CVE-2019-17083 @@ -9251,8 +9262,8 @@ CVE-2019-15056 RESERVED CVE-2019-15055 (MikroTik RouterOS through 6.44.5 and 6.45.x through 6.45.3 improperly ...) NOT-FOR-US: MikroTik RouterOS -CVE-2019-15054 - RESERVED +CVE-2019-15054 (Multiple cross-site scripting (XSS) vulnerabilities in Mailbird before ...) + TODO: check CVE-2019-15053 (The "HTML Include and replace macro" plugin before 1.5.0 for Confluenc ...) NOT-FOR-US: "HTML Include and replace macro" plugin for Confluence Server CVE-2019-15052 (The HTTP client in Gradle before 5.6 sends authentication credentials ...) @@ -9671,7 +9682,7 @@ CVE-2019-14871 RESERVED CVE-2019-14870 RESERVED -CVE-2019-14869 (A flaw was found in all versions of ghostscript 9.x before 9.28, where ...) +CVE-2019-14869 (A flaw was found in all versions of ghostscript 9.x before 9.50, where ...) {DSA-4569-1 DLA-1992-1} - ghostscript <unfixed> (bug #944760) NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=485904772c5f0aa1140032746e5a0abfc40f4cef 
@@ -9896,7 +9907,7 @@ CVE-2019-14818 (A flaw was found in all dpdk version 17.x.x before 17.11.8, 16.x - dpdk 18.11.4-1 NOTE: http://mails.dpdk.org/archives/announce/2019-November/000293.html NOTE: https://bugs.dpdk.org/show_bug.cgi?id=363 -CVE-2019-14817 (A flaw was found in, ghostscript versions prior to 9.28, in the .pdfex ...) +CVE-2019-14817 (A flaw was found in, ghostscript versions prior to 9.50, in the .pdfex ...) {DSA-4518-1 DLA-1915-1} - ghostscript 9.28~~rc2~dfsg-1 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701450 @@ -9916,7 +9927,7 @@ CVE-2019-14815 CVE-2019-14814 (There is heap-based buffer overflow in Linux kernel, all versions up t ...) {DLA-1930-1} - linux 5.2.17-1 -CVE-2019-14813 (A flaw was found in ghostscript, versions 9.x before 9.28, in the sets ...) +CVE-2019-14813 (A flaw was found in ghostscript, versions 9.x before 9.50, in the sets ...) {DSA-4518-1 DLA-1915-1} - ghostscript 9.28~~rc2~dfsg-1 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701443 @@ -9935,7 +9946,7 @@ CVE-2019-14812 NOTE: For recent versions (9.28~~rc1~dfsg-1) the issue is mitigated starting NOTE: from http://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=7ecbfda92b4c8dbf6f6c2bf8fc82020a29219eff NOTE: which changed the access to file permissions. -CVE-2019-14811 (A flaw was found in, ghostscript versions prior to 9.28, in the .pdf_h ...) +CVE-2019-14811 (A flaw was found in, ghostscript versions prior to 9.50, in the .pdf_h ...) {DSA-4518-1 DLA-1915-1} - ghostscript 9.28~~rc2~dfsg-1 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=701445 
@@ -15078,6 +15089,7 @@ CVE-2019-12840 (In Webmin through 1.910, any user authorized to the "Package Upd CVE-2019-12839 (In OrangeHRM 4.3.1 and before, there is an input validation error with ...) NOT-FOR-US: OrangeHRM CVE-2019-12838 (SchedMD Slurm 17.11.x, 18.08.0 through 18.08.7, and 19.05.0 allows SQL ...) + {DSA-4572-1} - slurm-llnl 19.05.3.2-1 (bug #931880) [stretch] - slurm-llnl <no-dsa> (Too intrusive to backport) NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2019/000025.html @@ -16169,8 +16181,7 @@ CVE-2019-12424 RESERVED CVE-2019-12423 RESERVED -CVE-2019-12422 [weak cookie vulnerability] - RESERVED +CVE-2019-12422 (Apache Shiro before 1.4.2, when using the default "remember me" config ...) - shiro <unfixed> NOTE: https://www.openwall.com/lists/oss-security/2019/11/18/1 TODO: check details on fix @@ -16198,8 +16209,8 @@ CVE-2019-12411 RESERVED CVE-2019-12410 (While investigating UBSAN errors in https://github.com/apache/arrow/pu ...) NOT-FOR-US: Apache Arrow -CVE-2019-12409 - RESERVED +CVE-2019-12409 (The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure settin ...) + TODO: check CVE-2019-12408 (It was discovered that the C++ implementation (which underlies the R, ...) NOT-FOR-US: Apache Arrow CVE-2019-12407 (On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin ...) @@ -16211,7 +16222,7 @@ CVE-2019-12405 (Improper authentication is possible in Apache Traffic Control ve CVE-2019-12404 (On Apache JSPWiki, up to version 2.11.0.M4, a carefully crafted plugin ...) - jspwiki <removed> CVE-2019-12403 - RESERVED + REJECTED CVE-2019-12402 (The file name encoding algorithm used internally in Apache Commons Com ...) - libcommons-compress-java 1.18-3 (low; bug #939610) [buster] - libcommons-compress-java <no-dsa> (Minor issue) 
@@ -20628,10 +20639,10 @@ CVE-2019-10766 RESERVED CVE-2019-10765 RESERVED -CVE-2019-10764 - RESERVED -CVE-2019-10763 - RESERVED +CVE-2019-10764 (In elliptic-php versions priot to 1.0.6, Timing attacks might be possi ...) + TODO: check +CVE-2019-10763 (pimcore/pimcore before 6.3.0 is vulnerable to SQL Injection. An attack ...) + TODO: check CVE-2019-10762 (columnQuote in medoo before 1.7.5 allows remote attackers to perform a ...) NOT-FOR-US: medoo CVE-2019-10761 @@ -22558,8 +22569,7 @@ CVE-2019-10072 (The fix for CVE-2019-0199 was incomplete and did not address HTT NOTE: https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3E CVE-2019-10071 (The code which checks HMAC in form submissions used String.equals() fo ...) NOT-FOR-US: Apache Tapestry -CVE-2019-10070 - RESERVED +CVE-2019-10070 (Apache Atlas versions 0.8.3 and 1.1.0 were found vulnerable to Stored ...) NOT-FOR-US: Apache Atlas CVE-2019-10069 (In Godot through 3.1, remote code execution is possible due to the des ...) NOT-FOR-US: Godot |
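Review bot: in the 2008.list hunk, CVE-2008-7273 moves from a bracketed title with RESERVED to a published description (a symlink issue in Iceweasel-firegpg before 0.6) and is given the same Debian reference, iceweasel-firegpg <removed> (bug #514386), as the neighbouring CVE-2008-7272. Confirm that bug #514386 actually covers both the passphrase/cleartext recovery and the symlink issue; if it only tracks one of them, the second entry should point at its own bug or carry a NOTE explaining the shared reference.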
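Review bot: in the 2010.list hunk, the description of CVE-2010-3844 changes from "ettercap 0.7.3" to "ettercap before 0.7.5", yet the entry still records the Debian fix as ettercap 1:0.7.4-1 (unimportant; bug #600130). Either 1:0.7.4-1 carries the fix despite the upstream version range (in which case a NOTE stating that would stop the next reader from re-raising it), or the fixed version needs to move to a 0.7.5-based upload; as the lines stand, the tracker claims a fix in a version upstream now lists as affected.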
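Review bot: in the 2012.list hunk, the new descriptions for CVE-2012-4441 and CVE-2012-4440 read "Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before ..." while both entries keep the rationale "jenkins <not-affected> (Plugin not built in Debian source package)" that was written for the old bracketed titles "[jenkins XSS in CI game plugin]" and "[jenkins XSS in Violations plugin]". If the vulnerable code is in Jenkins core rather than in those plugins, the two entries should be tracked the way CVE-2012-4439 and CVE-2012-4438 are, against jenkins 1.447.2+dfsg-2 (bug #688298); if the plugin attribution is still correct, a NOTE saying so would reconcile the description with the not-affected marker. Separately, the four NOTE URLs in this hunk repeat the web.archive.org/web/20130606043312/ prefix four times in a row; a single prefix in front of the cloudbees.com advisory URL is enough.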
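Review bot: in the Symfony hunk of 2019.list (CVE-2019-18888, CVE-2019-18887, CVE-2019-18886), all three entries gain the same fixed version, symfony 4.3.8+dfsg-1, but the first two are annotated {DSA-4573-1 DLA-1999-1} while CVE-2019-18886 gets {DLA-1999-1} only. If DSA-4573-1 deliberately does not cover CVE-2019-18886, a NOTE recording that would keep a later update from "correcting" the asymmetry; if it does cover it, DSA-4573-1 should be added to that entry as well. All three also keep their bracketed title plus RESERVED line above the new advisory lines, which is the tracker's convention while MITRE has not published a description, so no change is needed there.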
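Review bot: the ghostscript hunks in 2019.list change "before 9.28" to "before 9.50" in the descriptions of CVE-2019-14869, CVE-2019-14817, CVE-2019-14813 and CVE-2019-14811 without touching the Debian fixed versions, which is correct for an upstream-text update, but it leaves a visible gap: CVE-2019-14817, -14813 and -14811 are recorded as fixed in ghostscript 9.28~~rc2~dfsg-1, so a reader will now ask whether 9.28 was a complete fix. The existing NOTEs only link the ghostscript bug entries (701450, 701443, 701445); adding a NOTE that names the upstream fix commit included in 9.28~~rc2~dfsg-1, as CVE-2019-14812 does, would answer that. CVE-2019-14869 carries {DSA-4569-1 DLA-1992-1} while unstable is still ghostscript <unfixed> (bug #944760); a TODO line there would make the pending unstable upload explicit.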
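Review bot: in the Apache hunks of 2019.list, CVE-2019-12422 now has a published description naming Apache Shiro before 1.4.2, but the entry is left at "shiro <unfixed>" with "TODO: check details on fix" and a NOTE pointing at the oss-security post; since the description now gives the upstream fixed version, the TODO should be resolved by recording the fixing upload or the upstream fix reference rather than left open indefinitely. CVE-2019-12403 moving from RESERVED to REJECTED matches the usual handling of withdrawn IDs, and CVE-2019-12409 (Apache Solr), like the other newly described IDs in this commit (CVE-2019-18373, -18215, -17085, -15054, -10764, -10763, -19117), is correctly parked with "TODO: check" until the Debian triage is done.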