summaryrefslogtreecommitdiffstats
path: root/data/CVE/2019.list
diff options
context:
space:
mode:
Diffstat (limited to 'data/CVE/2019.list')
-rw-r--r--data/CVE/2019.list3903
1 files changed, 2231 insertions, 1672 deletions
diff --git a/data/CVE/2019.list b/data/CVE/2019.list
index 758ee66943..5458ea22b4 100644
--- a/data/CVE/2019.list
+++ b/data/CVE/2019.list
@@ -1,6 +1,269 @@
+CVE-2019-25057 (In Corda before 4.1, the meaning of serialized data can be modified vi ...)
+ NOT-FOR-US: Corda
+CVE-2019-25056 (In Bromite through 78.0.3904.130, there are adblock rules in the relea ...)
+ NOT-FOR-US: Bromite
+CVE-2019-25055 (An issue was discovered in the libpulse-binding crate before 2.6.0 for ...)
+ NOT-FOR-US: Rust crate libpulse-binding
+CVE-2019-25054 (An issue was discovered in the pnet crate before 0.27.2 for Rust. Ther ...)
+ NOT-FOR-US: Rust crate pnet
+CVE-2019-25053
+ RESERVED
+CVE-2019-25052 (In Linaro OP-TEE before 3.7.0, by using inconsistent or malformed data ...)
+ NOT-FOR-US: Linaro/OP-TEE OP-TEE
+CVE-2019-25051 (objstack in GNU Aspell 0.60.8 has a heap-based buffer overflow in acom ...)
+ {DSA-4948-1 DLA-2720-1}
+ - aspell 0.60.8-3 (bug #991307)
+ NOTE: https://github.com/gnuaspell/aspell/commit/0718b375425aad8e54e1150313b862e4c6fd324a
+ NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/aspell/OSV-2020-521.yaml
+ NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18462
+CVE-2019-25050 (netCDF in GDAL 2.4.2 through 3.0.4 has a stack-based buffer overflow i ...)
+ - gdal 3.1.0+dfsg-1
+ [buster] - gdal <no-dsa> (Minor issue)
+ [stretch] - gdal <not-affected> (Vulnerable code not present)
+ NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/gdal/OSV-2020-420.yaml
+ NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/gdal/OSV-2020-392.yaml
+ NOTE: https://github.com/OSGeo/gdal/commit/767e3a56144f676ca738ef8f700e0e56035bd05a (v3.1.0RC1)
+ NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15143
+ NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15156
+CVE-2019-25049 (LibreSSL 2.9.1 through 3.2.1 has an out-of-bounds read in asn1_item_pr ...)
+ - libressl <itp> (bug #754513)
+CVE-2019-25048 (LibreSSL 2.9.1 through 3.2.1 has a heap-based buffer over-read in do_p ...)
+ - libressl <itp> (bug #754513)
+CVE-2019-25047 (Greenbone Security Assistant (GSA) before 8.0.2 and Greenbone OS (GOS) ...)
+ NOT-FOR-US: Greenbone Security Assistant
+CVE-2019-25046 (The Web Client in Cerberus FTP Server Enterprise before 10.0.19 and 11 ...)
+ NOT-FOR-US: Cerberus FTP Server Enterprise
+CVE-2019-25045 (An issue was discovered in the Linux kernel before 5.0.19. The XFRM su ...)
+ - linux 5.2.6-1
+ [buster] - linux 4.19.67-1
+ [stretch] - linux 4.9.210-1
+ NOTE: https://git.kernel.org/linus/dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399
+CVE-2019-25044 (The block subsystem in the Linux kernel before 5.2 has a use-after-fre ...)
+ - linux <not-affected> (Vulnerable code only between 5.2-rc3 and 5.2-rc4)
+CVE-2019-25043 (ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as dem ...)
+ - modsecurity 3.0.4-1
+ [buster] - modsecurity <no-dsa> (Minor issue)
+ NOTE: https://github.com/SpiderLabs/ModSecurity/issues/2566
+ NOTE: https://github.com/SpiderLabs/ModSecurity/commit/9cac167fafd180902c2aa5dc6141aae874127199
+CVE-2019-25042 (** DISPUTED ** Unbound before 1.9.5 allows an out-of-bounds write via ...)
+ {DLA-2652-1}
+ - unbound 1.9.6-1 (unimportant)
+ [stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
+ NOTE: https://github.com/NLnetLabs/unbound/commit/6c3a0b54ed8ace93d5b5ca7b8078dc87e75cd640
+ NOTE: Not deemed an exploitable vulnerability by upstream
+CVE-2019-25041 (** DISPUTED ** Unbound before 1.9.5 allows an assertion failure via a ...)
+ {DLA-2652-1}
+ - unbound 1.9.6-1 (unimportant)
+ [stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
+ NOTE: https://github.com/NLnetLabs/unbound/commit/2d444a5037acff6024630b88092d9188f2f5d8fe
+ NOTE: Not deemed an exploitable vulnerability by upstream
+CVE-2019-25040 (** DISPUTED ** Unbound before 1.9.5 allows an infinite loop via a comp ...)
+ {DLA-2652-1}
+ - unbound 1.9.6-1 (unimportant)
+ [stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
+ NOTE: https://github.com/NLnetLabs/unbound/commit/2d444a5037acff6024630b88092d9188f2f5d8fe
+ NOTE: Not deemed an exploitable vulnerability by upstream
+CVE-2019-25039 (** DISPUTED ** Unbound before 1.9.5 allows an integer overflow in a si ...)
+ {DLA-2652-1}
+ - unbound 1.9.6-1 (unimportant)
+ [stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
+ NOTE: https://github.com/NLnetLabs/unbound/commit/02080f6b180232f43b77f403d0c038e9360a460f
+ NOTE: Not deemed an exploitable vulnerability by upstream
+CVE-2019-25038 (** DISPUTED ** Unbound before 1.9.5 allows an integer overflow in a si ...)
+ {DLA-2652-1}
+ - unbound 1.9.6-1 (unimportant)
+ [stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
+ NOTE: https://github.com/NLnetLabs/unbound/commit/02080f6b180232f43b77f403d0c038e9360a460f
+ NOTE: Not deemed an exploitable vulnerability by upstream
+CVE-2019-25037 (** DISPUTED ** Unbound before 1.9.5 allows an assertion failure and de ...)
+ {DLA-2652-1}
+ - unbound 1.9.6-1 (unimportant)
+ [stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
+ NOTE: https://github.com/NLnetLabs/unbound/commit/d2eb78e871153f22332d30c6647f3815148f21e5
+ NOTE: Not deemed an exploitable vulnerability by upstream
+CVE-2019-25036 (** DISPUTED ** Unbound before 1.9.5 allows an assertion failure and de ...)
+ {DLA-2652-1}
+ - unbound 1.9.6-1 (unimportant)
+ [stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
+ NOTE: https://github.com/NLnetLabs/unbound/commit/f5e06689d193619c57c33270c83f5e40781a261d
+ NOTE: Not deemed an exploitable vulnerability by upstream
+CVE-2019-25035 (** DISPUTED ** Unbound before 1.9.5 allows an out-of-bounds write in s ...)
+ {DLA-2652-1}
+ - unbound 1.9.6-1 (unimportant)
+ [stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
+ NOTE: https://github.com/NLnetLabs/unbound/commit/fa23ee8f31ba9a018c720ea822faaee639dc7a9c
+ NOTE: Not deemed an exploitable vulnerability by upstream
+CVE-2019-25034 (** DISPUTED ** Unbound before 1.9.5 allows an integer overflow in sldn ...)
+ {DLA-2652-1}
+ - unbound 1.9.6-1 (unimportant)
+ [stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
+ NOTE: https://github.com/NLnetLabs/unbound/commit/a3545867fcdec50307c776ce0af28d07046a52dd
+ NOTE: Not deemed an exploitable vulnerability by upstream
+CVE-2019-25033 (** DISPUTED ** Unbound before 1.9.5 allows an integer overflow in the ...)
+ {DLA-2652-1}
+ - unbound 1.9.6-1 (unimportant)
+ [stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
+ NOTE: https://github.com/NLnetLabs/unbound/commit/226298bbd36f1f0fd9608e98c2ae85988b7bbdb8
+ NOTE: Not deemed an exploitable vulnerability by upstream
+CVE-2019-25032 (** DISPUTED ** Unbound before 1.9.5 allows an integer overflow in the ...)
+ {DLA-2652-1}
+ - unbound 1.9.6-1 (unimportant)
+ [stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
+ NOTE: https://github.com/NLnetLabs/unbound/commit/226298bbd36f1f0fd9608e98c2ae85988b7bbdb8
+ NOTE: Not deemed an exploitable vulnerability by upstream
+CVE-2019-25031 (** DISPUTED ** Unbound before 1.9.5 allows configuration injection in ...)
+ {DLA-2652-1}
+ - unbound 1.9.6-1 (unimportant)
+ [stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
+ NOTE: https://github.com/NLnetLabs/unbound/commit/f887552763477a606a9608b0f6b498685e0f6587
+ NOTE: Not deemed an exploitable vulnerability by upstream
+CVE-2019-25030 (In Versa Director, Versa Analytics and VOS, Passwords are not hashed u ...)
+ NOT-FOR-US: Versa
+CVE-2019-25029 (In Versa Director, the command injection is an attack in which the goa ...)
+ NOT-FOR-US: Versa
+CVE-2019-25028 (Missing variable sanitization in Grid component in com.vaadin:vaadin-s ...)
+ NOT-FOR-US: Vaadin
+CVE-2019-25027 (Missing output sanitization in default RouteNotFoundError view in com. ...)
+ NOT-FOR-US: Vaadin
+CVE-2019-25026 (Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup data duri ...)
+ {DLA-2658-1}
+ - redmine 4.0.6-1
+CVE-2019-25025 (The activerecord-session_store (aka Active Record Session Store) compo ...)
+ - ruby-activerecord-session-store <removed>
+ [stretch] - ruby-activerecord-session-store <ignored> (No reverse dependencies)
+ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1935724
+ NOTE: https://github.com/rails/activerecord-session_store/pull/151
+CVE-2019-10102 (JetBrains Ktor framework (created using the Kotlin IDE template) versi ...)
+ NOT-FOR-US: JetBrains Ktor
+CVE-2019-25024 (OpenRepeater (ORP) before 2.2 allows unauthenticated command injection ...)
+ NOT-FOR-US: OpenRepeater (ORP)
+CVE-2019-25023 (An issue was discovered in Scytl sVote 2.1. Because the IP address fro ...)
+ NOT-FOR-US: Scytl sVote
+CVE-2019-25022 (An issue was discovered in Scytl sVote 2.1. An attacker can inject cod ...)
+ NOT-FOR-US: Scytl sVote
+CVE-2019-25021 (An issue was discovered in Scytl sVote 2.1. Due to the implementation ...)
+ NOT-FOR-US: Scytl sVote
+CVE-2019-25020 (An issue was discovered in Scytl sVote 2.1. Because the sdm-ws-rest AP ...)
+ NOT-FOR-US: Scytl sVote
+CVE-2019-25019 (LimeSurvey before 4.0.0-RC4 allows SQL injection via the participant m ...)
+ - limesurvey <itp> (bug #472802)
+CVE-2019-25018 (In the rcp client in MIT krb5-appl through 1.0.3, malicious servers co ...)
+ - krb5-appl <removed>
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1131109
+CVE-2019-25017 (An issue was discovered in rcp in MIT krb5-appl through 1.0.3. Due to ...)
+ - krb5-appl <removed>
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1131109
+CVE-2019-25016 (In OpenDoas from 6.6 to 6.8 the users PATH variable was incorrectly in ...)
+ - doas <not-affected> (Fixed with initial upload to Debian)
+ NOTE: Introduced in: https://github.com/Duncaen/OpenDoas/commit/01c658f8c45cb92a343be5f32aa6da70b2032168 (v6.6)
+ NOTE: Fixed by: https://github.com/Duncaen/OpenDoas/commit/d5acd52e2a15c36a8e06f9103d35622933aa422d (v6.8.1)
+ NOTE: https://github.com/Duncaen/OpenDoas/issues/45
+CVE-2019-25015 (LuCI in OpenWrt 18.06.0 through 18.06.4 allows stored XSS via a crafte ...)
+ NOT-FOR-US: LuCI in OpenWrt
+CVE-2019-25014 (A NULL pointer dereference was found in pkg/proxy/envoy/v2/debug.go ge ...)
+ NOT-FOR-US: Istio
+CVE-2019-25013 (The iconv feature in the GNU C Library (aka glibc or libc6) through 2. ...)
+ - glibc 2.31-9 (bug #979273)
+ [buster] - glibc <no-dsa> (Minor issue)
+ [stretch] - glibc <postponed> (Minor issue; can be fixed in next update)
+ NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24973
+ NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=ee7a3144c9922808181009b7b3e50e852fb4999b
+CVE-2019-25012 (The Webform Report project 7.x-1.x-dev for Drupal allows remote attack ...)
+ NOT-FOR-US: Webform Report project for Drupal
+CVE-2019-25011 (NetBox through 2.6.2 allows an Authenticated User to conduct an XSS at ...)
+ NOT-FOR-US: NetBox
+CVE-2019-25010 (An issue was discovered in the failure crate through 2019-11-13 for Ru ...)
+ - rust-failure <unfixed>
+ [bullseye] - rust-failure <no-dsa> (Minor issue, unmaintained/deprecated upstream)
+ [buster] - rust-failure <no-dsa> (Minor issue, unmaintained/deprecated upstream)
+ NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0036.html
+CVE-2019-25009 (An issue was discovered in the http crate before 0.1.20 for Rust. The ...)
+ - rust-http <unfixed> (bug #988945)
+ [buster] - rust-http <no-dsa> (Minor issue)
+ NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0034.html
+ NOTE: https://github.com/hyperium/http/commit/82d53dbdfdb1ffbeb0323200a0bbd30b5f895fa7
+ NOTE: https://github.com/hyperium/http/commit/8ffe094df1431321d450860cc56a22dd53175f5e
+CVE-2019-25008
+ REJECTED
+CVE-2019-25007 (An issue was discovered in the streebog crate before 0.8.0 for Rust. T ...)
+ NOT-FOR-US: streebog rust crate
+CVE-2019-25006 (An issue was discovered in the streebog crate before 0.8.0 for Rust. T ...)
+ NOT-FOR-US: streebog rust crate
+CVE-2019-25005 (An issue was discovered in the chacha20 crate before 0.2.3 for Rust. A ...)
+ NOT-FOR-US: Rust chacha20
+CVE-2019-25004 (An issue was discovered in the flatbuffers crate before 0.6.1 for Rust ...)
+ NOT-FOR-US: flatbuffers rust crate
+CVE-2019-25003 (An issue was discovered in the libsecp256k1 crate before 0.3.1 for Rus ...)
+ NOT-FOR-US: libsecp256k1 rust crate
+CVE-2019-25002 (An issue was discovered in the sodiumoxide crate before 0.2.5 for Rust ...)
+ NOT-FOR-US: sodiumoxide rust crate
+CVE-2019-25001 (An issue was discovered in the serde_cbor crate before 0.10.2 for Rust ...)
+ - rust-serde-cbor <not-affected> (Fixed before initial upload to Debian)
+ NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0025.html
+CVE-2019-20934 (An issue was discovered in the Linux kernel before 5.2.6. On NUMA syst ...)
+ - linux 5.2.6-1
+ [buster] - linux 4.19.67-1
+ [stretch] - linux 4.9.189-1
+ NOTE: https://git.kernel.org/linus/16d51a590a8ce3befb1308e0e7ab77f3b661af33
+ NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1913
+CVE-2019-20933 (InfluxDB before 1.7.6 has an authentication bypass vulnerability in th ...)
+ {DSA-4823-1 DLA-2501-1}
+ - influxdb 1.6.7~rc0-1 (bug #978087)
+ NOTE: https://github.com/influxdata/influxdb/commit/761b557315ff9c1642cf3b0e5797cd3d983a24c0
+ NOTE: https://github.com/influxdata/influxdb/issues/12927
+CVE-2019-20932
+ RESERVED
+CVE-2019-20931
+ RESERVED
+CVE-2019-20930
+ RESERVED
+CVE-2019-20929
+ RESERVED
+CVE-2019-20928
+ RESERVED
+CVE-2019-20927
+ RESERVED
+CVE-2019-20926
+ RESERVED
+CVE-2019-20925 (An unauthenticated client can trigger denial of service by issuing spe ...)
+ - mongodb <removed>
+ [stretch] - mongodb <not-affected> (Vulnerable code introduced later)
+ NOTE: https://jira.mongodb.org/browse/SERVER-43751
+ NOTE: https://github.com/mongodb/mongo/commit/c1a956e084d39e6da75cd347e63d0064ed9151a8 (3.4.24, AGPL)
+ NOTE: Introduced by: https://github.com/mongodb/mongo/commit/91800fc61913358350b658406065c5d893d2ba2c (v3.3.11)
+CVE-2019-20924 (A user authorized to perform database queries may trigger denial of se ...)
+ - mongodb <removed>
+ [stretch] - mongodb <not-affected> (Vulnerable code introduced later)
+ NOTE: https://jira.mongodb.org/browse/SERVER-44377
+ NOTE: https://github.com/mongodb/mongo/commit/e4338fa6e876e61e47f68e7f573ead7bcfbd06fc (v4.2.2, SSPL)
+ NOTE: Introduced by: https://github.com/mongodb/mongo/commit/34a1ce6a681e2637d3c29a49a9412efe63821178 (v4.1.9)
+CVE-2019-20923 (A user authorized to perform database queries may trigger denial of se ...)
+ - mongodb <removed>
+ [stretch] - mongodb <not-affected> (Vulnerable code introduced later)
+ NOTE: https://jira.mongodb.org/browse/SERVER-39481
+ NOTE: https://github.com/mongodb/mongo/commit/c9dd94ca1a571f9d145eaa9029d8ce905a86f933 (v4.0.7, SSPL)
+ NOTE: Introduced by: https://github.com/mongodb/mongo/commit/1c629fb3e0cfdf218a6cdb20882806e3b7dd9e9c (v3.7.1)
+CVE-2019-20922 (Handlebars before 4.4.5 allows Regular Expression Denial of Service (R ...)
+ - node-handlebars <not-affected> (Introduced in 4.4.4 and fixed in 4.4.5, no vulnerable version uploaded)
+ - libjs-handlebars <not-affected> (Introduced in 4.4.4 and fixed in 4.4.5, no vulnerable version uploaded)
+ NOTE: https://github.com/handlebars-lang/handlebars.js/issues/1579
+ NOTE: https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b
+ NOTE: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388
+ NOTE: https://www.npmjs.com/advisories/1300
+CVE-2019-20921 (bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS). It d ...)
+ NOT-FOR-US: bootstrap-select
+CVE-2019-20920 (Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrar ...)
+ - node-handlebars 3:4.5.3-1
+ [buster] - node-handlebars 3:4.1.0-1+deb10u3
+ - libjs-handlebars <removed>
+ [stretch] - libjs-handlebars <ignored> (Only reverse depends was diaspora which not in stretch and too intrusive to backport)
+ NOTE: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478
+ NOTE: https://www.npmjs.com/advisories/1316
+ NOTE: https://www.npmjs.com/advisories/1324
CVE-2019-20919 (An issue was discovered in the DBI module before 1.643 for Perl. The h ...)
+ {DLA-2386-1}
- libdbi-perl 1.643-1
- [buster] - libdbi-perl <no-dsa> (Minor issue)
+ [buster] - libdbi-perl 1.642-1+deb10u1
NOTE: https://github.com/perl5-dbi/dbi/commit/eca7d7c8f43d96f6277e86d1000e842eb4cc67ff
CVE-2019-20918 (An issue was discovered in InspIRCd 3 before 3.1.0. The silence module ...)
- inspircd <not-affected> (Only affected 3.0.0 and 3.0.1)
@@ -40,14 +303,13 @@ CVE-2019-20908 (An issue was discovered in drivers/firmware/efi/efi.c in the Lin
NOTE: https://www.openwall.com/lists/oss-security/2020/06/14/1
NOTE: Fixed by: https://git.kernel.org/linus/1957a85b0032a81e6482ca4aab883643b8dae06e
CVE-2019-20907 (In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craf ...)
- {DLA-2337-1}
+ {DLA-2456-1 DLA-2337-1}
- python3.9 3.9.0~b5-1 (low)
- python3.8 3.8.5-1 (low)
- python3.7 <removed> (low)
[buster] - python3.7 3.7.3-2+deb10u2
- python3.5 <removed> (low)
- [stretch] - python3.5 <postponed> (Minor issue, can be fixed in next DLA)
- - python2.7 <unfixed> (low; bug #970099)
+ - python2.7 2.7.18-2 (low; bug #970099)
[buster] - python2.7 <no-dsa> (Minor issue)
[stretch] - python2.7 <postponed> (Minor issue, can be fixed in next DLA)
NOTE: https://bugs.python.org/issue39017
@@ -63,10 +325,10 @@ CVE-2019-20905
RESERVED
CVE-2019-20904
RESERVED
-CVE-2019-20903
- RESERVED
-CVE-2019-20902
- RESERVED
+CVE-2019-20903 (The hyperlinks functionality in atlaskit/editor-core in before version ...)
+ NOT-FOR-US: Atlassian
+CVE-2019-20902 (Upgrading Crowd via XML Data Transfer can reactivate a disabled user f ...)
+ NOT-FOR-US: Atlassian
CVE-2019-20901 (The login.jsp resource in Jira before version 8.5.2, and from version ...)
NOT-FOR-US: Atlassian
CVE-2019-20900 (Affected versions of Atlassian Jira Server and Data Center allow remot ...)
@@ -103,79 +365,79 @@ CVE-2019-20892 (net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStat
CVE-2019-20891 (WooCommerce before 3.6.5, when it handles CSV imports of products, has ...)
NOT-FOR-US: WooCommerce
CVE-2019-20890 (An issue was discovered in Mattermost Server before 5.7. It allows a b ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20889 (An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20888 (An issue was discovered in Mattermost Server before 5.7, 5.6.3, 5.5.2, ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20887 (An issue was discovered in Mattermost Server before 5.7.1, 5.6.4, 5.5. ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20886 (An issue was discovered in Mattermost Server before 5.8.0. The first u ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20885 (An issue was discovered in Mattermost Server before 5.8.0. It does not ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20884 (An issue was discovered in Mattermost Server before 5.8.0. It allows a ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20883 (An issue was discovered in Mattermost Server before 5.8.0, when Town S ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20882 (An issue was discovered in Mattermost Server before 5.8.0. It does not ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20881 (An issue was discovered in Mattermost Server before 5.8.0. It mishandl ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20880 (An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6. ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20879 (An issue was discovered in Mattermost Server before 5.8.0, 5.7.2, 5.6. ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20878 (An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7. ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20877 (An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7. ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20876 (An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7. ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20875 (An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7. ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20874 (An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7. ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20873 (An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7. ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20872 (An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7. ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20871 (An issue was discovered in Mattermost Server before 5.9.0, 5.8.1, 5.7. ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20870 (An issue was discovered in Mattermost Server before 5.10.0. An attacke ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20869 (An issue was discovered in Mattermost Server before 5.10.0, 5.9.1, 5.8 ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20868 (An issue was discovered in Mattermost Server before 5.11.0. Invite IDs ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20867 (An issue was discovered in Mattermost Server before 5.11.0. An attacke ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20866 (An issue was discovered in Mattermost Server before 5.12.0. Use of a P ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20865 (An issue was discovered in Mattermost Server before 5.12.0, 5.11.1, 5. ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20864 (An issue was discovered in Mattermost Plugins before 5.13.0. The GitHu ...)
NOT-FOR-US: Mattermost
CVE-2019-20863 (An issue was discovered in Mattermost Server before 5.13.0. Incoming w ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20862 (An issue was discovered in Mattermost Server before 5.13.0. Non-member ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20861 (An issue was discovered in Mattermost Desktop App before 4.2.2. It all ...)
- NOT-FOR-US: Mattermost
+ - mattermost-desktop <itp> (bug #831861)
CVE-2019-20860 (An issue was discovered in Mattermost Server before 5.14.0, 5.13.3, 5. ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20859 (An issue was discovered in Mattermost Server before 5.15.0. Login acce ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20858 (An issue was discovered in Mattermost Server before 5.15.0. It allows ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20857 (An issue was discovered in Mattermost Server before 5.16.0. It allows ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20856 (An issue was discovered in Mattermost Desktop App before 4.3.0 on macO ...)
- NOT-FOR-US: Mattermost
+ - mattermost-desktop <itp> (bug #831861)
CVE-2019-20855 (An issue was discovered in Mattermost Server before 5.16.1, 5.15.2, 5. ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20854 (An issue was discovered in Mattermost Server before 5.17.0. It allows ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20853 (An issue was discovered in Mattermost Packages before 5.16.3. A Drople ...)
NOT-FOR-US: Mattermost
CVE-2019-20852 (An issue was discovered in Mattermost Mobile Apps before 1.26.0. Local ...)
@@ -189,19 +451,19 @@ CVE-2019-20849 (An issue was discovered in Mattermost Mobile Apps before 1.26.0.
CVE-2019-20848 (An issue was discovered in Mattermost Mobile Apps before 1.26.0. The Q ...)
NOT-FOR-US: Mattermost
CVE-2019-20847 (An issue was discovered in Mattermost Server before 5.18.0. An attacke ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20846 (An issue was discovered in Mattermost Server before 5.18.0. It has wea ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20845 (An issue was discovered in Mattermost Server before 5.18.0. It allows ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20844 (An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5. ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20843 (An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5. ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20842 (An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5. ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20841 (An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5. ...)
- NOT-FOR-US: Mattermost
+ - mattermost-server <itp> (bug #823556)
CVE-2019-20840 (An issue was discovered in LibVNCServer before 0.9.13. libvncserver/ws ...)
- libvncserver 0.9.13+dfsg-1
[buster] - libvncserver <not-affected> (Vulnerable code not present)
@@ -212,7 +474,7 @@ CVE-2019-20840 (An issue was discovered in LibVNCServer before 0.9.13. libvncser
CVE-2019-20839 (libvncclient/sockets.c in LibVNCServer before 0.9.13 has a buffer over ...)
{DLA-2347-1 DLA-2264-1}
- libvncserver 0.9.13+dfsg-1
- [buster] - libvncserver <no-dsa> (Minor issue; will be fixed via point release)
+ [buster] - libvncserver 0.9.11+dfsg-1.3+deb10u4
NOTE: https://github.com/LibVNC/libvncserver/commit/3fd03977c9b35800d73a865f167338cb4d05b0c1
CVE-2019-20838 (libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT w ...)
- pcre3 <unfixed> (unimportant)
@@ -286,17 +548,16 @@ CVE-2019-20810 (go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the
NOTE: https://git.kernel.org/linus/9453264ef58638ce8976121ac44c07a3ef375983
CVE-2019-20809 (The price oracle in PriceOracle.sol in Compound Finance Compound Price ...)
NOT-FOR-US: Compound Finance Compound Price Oracle
-CVE-2019-20808 [out-of-bounds read in ati_cursor_define() function in hw/display/ati.c leads to DoS]
- RESERVED
+CVE-2019-20808 (In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI VGA imp ...)
- qemu 1:4.2-1
[buster] - qemu <not-affected> (Vulnerable code introduced later)
[stretch] - qemu <not-affected> (Vulnerable code introduced later)
[jessie] - qemu <not-affected> (Vulnerable code introduced later)
NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=aab0e2a661b2b6bf7915c0aefe807fb60d6d9d13 (v4.2.0-rc0)
CVE-2019-20807 (In Vim before 8.1.0881, users can circumvent the rvim restricted mode ...)
+ {DLA-2876-1}
- vim 2:8.1.2136-1
[buster] - vim <no-dsa> (Minor issue)
- [stretch] - vim <no-dsa> (Minor issue)
[jessie] - vim <no-dsa> (Minor issue)
NOTE: https://github.com/vim/vim/commit/8c62a08faf89663e5633dc5036cd8695c80f1075
CVE-2019-20806 (An issue was discovered in the Linux kernel before 5.2. There is a NUL ...)
@@ -342,23 +603,31 @@ CVE-2019-20795 (iproute2 before 5.1.0 has a use-after-free in get_netnsid_from_n
NOTE: Introduced in: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=86bf43c7c2fdc33d7c021b4a1add1c8facbca51c (v4.15.0)
CVE-2019-20794 (An issue was discovered in the Linux kernel 4.18 through 5.6.11 when u ...)
- linux <unfixed>
+ [bullseye] - linux <postponed> (Minor issue, revisit when fixed upstream)
+ [buster] - linux <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://sourceforge.net/p/fuse/mailman/message/36598753/
CVE-2019-20793
RESERVED
CVE-2019-20792 (OpenSC before 0.20.0 has a double free in coolkey_free_private_data be ...)
- opensc 0.20.0-1 (low)
[buster] - opensc <no-dsa> (Minor issue)
- [stretch] - opensc <no-dsa> (Minor issue)
+ [stretch] - opensc <not-affected> (Coolkey driver added in 0.17.0)
[jessie] - opensc <postponed> (Minor issue but can be worth fixing later)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19208
NOTE: https://github.com/OpenSC/OpenSC/commit/c246f6f69a749d4f68626b40795a4f69168008f4
CVE-2019-20791 (OpenThread before 2019-12-13 has a stack-based buffer overflow in Mesh ...)
NOT-FOR-US: OpenThread
CVE-2019-20790 (OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf 2.0.2, ...)
- - opendmarc <unfixed>
+ - opendmarc 1.4.0~beta1+dfsg-4 (bug #977766)
+ [buster] - opendmarc <no-dsa> (Minor issue)
+ [stretch] - opendmarc <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/pypolicyd-spf/+bug/1838816
NOTE: https://sourceforge.net/p/opendmarc/tickets/235/
NOTE: https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf
+ NOTE: Issue is disputed upstream and considered "work as designed" (wontfix)
+ NOTE: https://github.com/trusteddomainproject/OpenDMARC/blob/develop/SECURITY/CVE-2019-20790
+ NOTE: Upstream reconsidering position:
+ NOTE: https://github.com/trusteddomainproject/OpenDMARC/issues/158
CVE-2019-20789 (Croogo before 3.0.7 allows XSS via the title to admin/menus/menus or a ...)
NOT-FOR-US: Croogo
CVE-2019-20788 (libvncclient/cursor.c in LibVNCServer through 0.9.12 has a HandleCurso ...)
@@ -691,35 +960,36 @@ CVE-2019-20633 (GNU patch through 2.7.6 contains a free(p_line[p_end]) Double Fr
- patch <not-affected> (Incomplete fix for CVE-2018-6952 not applied)
NOTE: https://savannah.gnu.org/bugs/index.php?56683
CVE-2019-20632 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...)
- - gpac <unfixed>
+ - gpac 1.0.1+dfsg1-2 (bug #972053)
[buster] - gpac <no-dsa> (Minor issue)
[stretch] - gpac <no-dsa> (Minor issue)
[jessie] - gpac <ignored> (Minor issue)
NOTE: https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090
NOTE: https://github.com/gpac/gpac/issues/1271
CVE-2019-20631 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...)
- - gpac <unfixed>
+ - gpac 1.0.1+dfsg1-2 (bug #972053)
[buster] - gpac <no-dsa> (Minor issue)
[stretch] - gpac <no-dsa> (Minor issue)
[jessie] - gpac <ignored> (Minor issue)
NOTE: https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090
NOTE: https://github.com/gpac/gpac/issues/1270
CVE-2019-20630 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...)
- - gpac <unfixed>
+ - gpac 1.0.1+dfsg1-2 (bug #972053)
[buster] - gpac <no-dsa> (Minor issue)
[stretch] - gpac <no-dsa> (Minor issue)
[jessie] - gpac <ignored> (Minor issue)
NOTE: https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090
NOTE: https://github.com/gpac/gpac/issues/1268
CVE-2019-20629 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...)
- - gpac <unfixed>
- [buster] - gpac <no-dsa> (Minor issue)
- [stretch] - gpac <no-dsa> (Minor issue)
+ - gpac 1.0.1+dfsg1-2 (bug #972053)
+ [buster] - gpac <not-affected> (Vulnerable code introduced later, in version 0.8.0)
+ [stretch] - gpac <not-affected> (Vulnerable code introduced later, in version 0.8.0)
[jessie] - gpac <ignored> (Minor issue)
- NOTE: https://github.com/gpac/gpac/commit/2320eb73afba753b39b7147be91f7be7afc0eeb7
NOTE: https://github.com/gpac/gpac/issues/1264
+ NOTE: Introduced by: https://github.com/gpac/gpac/commit/bb002ad4f92d216f8ab7c8466102279ef8af6f88 (v0.8.0)
+ NOTE: Fixed by: qhttps://github.com/gpac/gpac/commit/2320eb73afba753b39b7147be91f7be7afc0eeb7 (v0.9.0-preview)
CVE-2019-20628 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...)
- - gpac <unfixed>
+ - gpac 1.0.1+dfsg1-2 (bug #972053)
[buster] - gpac <no-dsa> (Minor issue)
[stretch] - gpac <no-dsa> (Minor issue)
[jessie] - gpac <ignored> (Minor issue)
@@ -1028,10 +1298,10 @@ CVE-2019-20485 (qemu/qemu_driver.c in libvirt before 6.0.0 mishandles the holdin
[stretch] - libvirt <no-dsa> (Minor issue)
[jessie] - libvirt <not-affected> (Vulnerable code not present)
NOTE: https://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=a663a860819287e041c3de672aad1d8543098ecc (v6.0.0-rc1)
-CVE-2019-20484
- RESERVED
-CVE-2019-20483
- RESERVED
+CVE-2019-20484 (An issue was discovered in Viki Vera 4.9.1.26180. A user without acces ...)
+ NOT-FOR-US: Viki Vera
+CVE-2019-20483 (An issue was discovered in Viki Vera 4.9.1.26180. An attacker could se ...)
+ NOT-FOR-US: Viki Vera
CVE-2019-20482
RESERVED
CVE-2019-20481 (In MIELE XGW 3000 ZigBee Gateway before 2.4.0, the Password Change Fun ...)
@@ -1061,28 +1331,28 @@ CVE-2019-20475
RESERVED
CVE-2019-20474 (An issue was discovered in Zoho ManageEngine Remote Access Plus 10.0.4 ...)
NOT-FOR-US: Zoho ManageEngine Remote Access Plus
-CVE-2019-20473
- RESERVED
+CVE-2019-20473 (An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.865 ...)
+ NOT-FOR-US: TK-Star Q90 Junior GPS horloge
CVE-2019-20472
RESERVED
-CVE-2019-20471
- RESERVED
-CVE-2019-20470
- RESERVED
+CVE-2019-20471 (An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.865 ...)
+ NOT-FOR-US: TK-Star Q90 Junior GPS horloge
+CVE-2019-20470 (An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.865 ...)
+ NOT-FOR-US: TK-Star Q90 Junior GPS horloge
CVE-2019-20469
RESERVED
-CVE-2019-20468
- RESERVED
-CVE-2019-20467
- RESERVED
-CVE-2019-20466
- RESERVED
-CVE-2019-20465
- RESERVED
-CVE-2019-20464
- RESERVED
-CVE-2019-20463
- RESERVED
+CVE-2019-20468 (An issue was discovered in SeTracker2 for TK-Star Q90 Junior GPS horlo ...)
+ NOT-FOR-US: TK-Star Q90 Junior GPS horloge
+CVE-2019-20467 (An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 ...)
+ NOT-FOR-US: Sannce
+CVE-2019-20466 (An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 ...)
+ NOT-FOR-US: Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices
+CVE-2019-20465 (An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 ...)
+ NOT-FOR-US: Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices
+CVE-2019-20464 (An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 ...)
+ NOT-FOR-US: Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices
+CVE-2019-20463 (An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 ...)
+ NOT-FOR-US: Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices
CVE-2019-20462
RESERVED
CVE-2019-20461
@@ -1129,7 +1399,7 @@ CVE-2019-20446 (In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file wit
NOTE: https://gitlab.gnome.org/GNOME/librsvg/issues/515
NOTE: https://gitlab.gnome.org/GNOME/librsvg/commit/572f95f739529b865e2717664d6fefcef9493135
CVE-2019-20445 (HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length ...)
- {DLA-2365-1 DLA-2364-1 DLA-2110-1 DLA-2109-1}
+ {DSA-4885-1 DLA-2365-1 DLA-2364-1 DLA-2110-1 DLA-2109-1}
- netty 1:4.1.45-1 (bug #950967)
- netty-3.9 <removed>
NOTE: https://github.com/netty/netty/issues/9861
@@ -1137,7 +1407,7 @@ CVE-2019-20445 (HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-L
NOTE: https://github.com/netty/netty/commit/629034624626b722128e0fcc6b3ec9d406cb3706 (4.1)
NOTE: https://github.com/netty/netty/commit/5f68897880467c00f29495b0aa46ed19bf7a873c (tests)
CVE-2019-20444 (HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header th ...)
- {DLA-2365-1 DLA-2364-1 DLA-2110-1 DLA-2109-1}
+ {DSA-4885-1 DLA-2365-1 DLA-2364-1 DLA-2110-1 DLA-2109-1}
- netty 1:4.1.45-1 (bug #950966)
- netty-3.9 <removed>
NOTE: https://github.com/netty/netty/issues/9866
@@ -1194,9 +1464,8 @@ CVE-2019-20422 (In the Linux kernel before 5.3.4, fib6_rule_lookup in net/ipv6/i
- linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/7b09c2d052db4b4ad0b27b97918b46a7746966fa
CVE-2019-20421 (In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input ...)
+ {DSA-4958-1 DLA-2750-1}
- exiv2 0.27.2-8 (low; bug #950183)
- [buster] - exiv2 <ignored> (Minor issue)
- [stretch] - exiv2 <ignored> (Minor issue)
[jessie] - exiv2 <ignored> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/commit/a82098f4f90cd86297131b5663c3dec6a34470e8
NOTE: https://github.com/Exiv2/exiv2/issues/1011
@@ -1306,7 +1575,7 @@ CVE-2019-20389 (An XSS issue was identified on the Subrion CMS 4.2.1 /panel/conf
CVE-2019-20388 (xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaV ...)
{DLA-2369-1}
- libxml2 2.9.10+dfsg-2.1 (bug #949583)
- [buster] - libxml2 <no-dsa> (Minor issue)
+ [buster] - libxml2 2.9.4+dfsg1-7+deb10u1
[jessie] - libxml2 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libxml2/commit/7ffcd44d7e6c46704f8af0321d9314cd26e0e18a
CVE-2019-20387 (repodata_schema2id in repodata.c in libsolv before 0.7.6 has a heap-ba ...)
@@ -1374,9 +1643,9 @@ CVE-2019-20369
CVE-2019-20368
RESERVED
CVE-2019-20367 (nlist.c in libbsd before 0.10.0 has an out-of-bounds read during a com ...)
+ {DLA-2566-1}
- libbsd 0.10.0-1
- [buster] - libbsd <no-dsa> (Minor issue)
- [stretch] - libbsd <no-dsa> (Minor issue)
+ [buster] - libbsd 0.9.1-2+deb10u1
[jessie] - libbsd <no-dsa> (Minor issue)
NOTE: https://lists.freedesktop.org/archives/libbsd/2019-August/000229.html
NOTE: https://gitlab.freedesktop.org/libbsd/libbsd/commit/9d917aad37778a9f4a96ba358415f077f3f36f3b (0.10.0)
@@ -1409,9 +1678,10 @@ CVE-2019-20354 (The web application component of piSignage before 2.6.4 allows a
CVE-2019-20353
RESERVED
CVE-2019-20352 (In Netwide Assembler (NASM) 2.15rc0, a heap-based buffer over-read occ ...)
- - nasm <unfixed> (unimportant)
+ - nasm 2.15.04-1 (unimportant)
NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392636
NOTE: Crash in CLI tool, no security impact
+ NOTE: https://github.com/netwide-assembler/nasm/commit/7c88289e222dc5ef9f53f9e86ecaab1924744b88 (nasm-2.15.04rc6)
CVE-2019-20351
RESERVED
CVE-2019-20350
@@ -1671,10 +1941,9 @@ CVE-2019-20227
CVE-2019-20226
REJECTED
CVE-2019-20326 (A heap-based buffer overflow in _cairo_image_surface_create_from_jpeg( ...)
- {DLA-2066-1}
- - gthumb <unfixed> (bug #948197)
- [buster] - gthumb <no-dsa> (Minor issue)
- [stretch] - gthumb <no-dsa> (Minor issue)
+ {DLA-2749-1 DLA-2066-1}
+ - gthumb 3:3.8.3-0.1 (bug #948197)
+ [buster] - gthumb 3:3.6.2-4+deb10u1
NOTE: https://gitlab.gnome.org/GNOME/gthumb/commit/14860321ce3235d420498c4f81f21003d1fb78f4 (3.8.3)
NOTE: https://gitlab.gnome.org/GNOME/gthumb/commit/4faa5ce2358812d23a1147953ee76f59631590ad (master)
CVE-2019-20225 (MyBB before 1.8.22 allows an open redirect on login. ...)
@@ -1692,9 +1961,9 @@ CVE-2019-20220 (In Support Incident Tracker (SiT!) 3.67, the search_id parameter
CVE-2019-20219 (ngiflib 0.4 has a heap-based buffer over-read in GifIndexToTrueColor i ...)
NOT-FOR-US: ngiflib
CVE-2019-20218 (selectExpander in select.c in SQLite 3.30.1 proceeds with WITH stack u ...)
- {DLA-2340-1}
+ {DLA-2340-2}
- sqlite3 3.30.1+fossil191229-1
- [buster] - sqlite3 <no-dsa> (Minor issue)
+ [buster] - sqlite3 3.27.2-3+deb10u1
[jessie] - sqlite3 <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/sqlite/sqlite/commit/a6c1a71cde082e09750465d5675699062922e387
CVE-2019-20217 (D-Link DIR-859 1.05 and 1.06B01 Beta01 devices allow remote attackers ...)
@@ -1717,9 +1986,12 @@ CVE-2019-20209 (The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and E
NOT-FOR-US: themes for WordPress
CVE-2019-20208 (dimC_Read in isomedia/box_code_3gpp.c in GPAC 0.8.0 has a stack-based ...)
{DLA-2072-1}
- - gpac <unfixed>
+ - gpac 1.0.1+dfsg1-2 (bug #972053)
[buster] - gpac <no-dsa> (Minor issue)
[stretch] - gpac <no-dsa> (Minor issue)
+ - ccextractor 0.93+ds2-1 (bug #994746)
+ [bullseye] - ccextractor <no-dsa> (Minor issue)
+ [buster] - ccextractor <no-dsa> (Minor issue)
NOTE: https://github.com/gpac/gpac/issues/1348
NOTE: https://github.com/gpac/gpac/commit/bcfcb3e90476692fe0d2bb532ea8deeb2a77580e (chunk #1)
CVE-2019-20207
@@ -1738,15 +2010,90 @@ CVE-2019-20204 (The Postie plugin 1.9.40 for WordPress allows XSS, as demonstrat
CVE-2019-20203 (The Authorized Addresses feature in the Postie plugin 1.9.40 for WordP ...)
NOT-FOR-US: Authorized Addresses feature in the Postie plugin for WordPress
CVE-2019-20202 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezx ...)
- NOT-FOR-US: ezXML
+ - mapcache <unfixed> (bug #989363)
+ [bullseye] - mapcache <no-dsa> (Minor issue)
+ [buster] - mapcache <no-dsa> (Minor issue)
+ [stretch] - mapcache <no-dsa> (Minor issue)
+ - scilab <unfixed> (bug #989364)
+ [bullseye] - scilab <no-dsa> (Minor issue)
+ [buster] - scilab <no-dsa> (Minor issue)
+ [stretch] - scilab <no-dsa> (Minor issue)
+ - netcdf <unfixed> (bug #989360)
+ [bullseye] - netcdf <no-dsa> (Minor issue)
+ [buster] - netcdf <no-dsa> (Minor issue)
+ [stretch] - netcdf <not-affected> (vulnerable code not present)
+ - netcdf-parallel <unfixed> (bug #989361)
+ [bullseye] - netcdf-parallel <no-dsa> (Minor issue)
+ [buster] - netcdf-parallel <no-dsa> (Minor issue)
+ NOTE: https://sourceforge.net/p/ezxml/bugs/17/
CVE-2019-20201 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The ezxml_parse_ ...)
- NOT-FOR-US: ezXML
+ - mapcache <unfixed> (bug #989363)
+ [bullseye] - mapcache <no-dsa> (Minor issue)
+ [buster] - mapcache <no-dsa> (Minor issue)
+ [stretch] - mapcache <no-dsa> (Minor issue)
+ - scilab <unfixed> (bug #989364)
+ [bullseye] - scilab <no-dsa> (Minor issue)
+ [buster] - scilab <no-dsa> (Minor issue)
+ [stretch] - scilab <no-dsa> (Minor issue)
+ - netcdf <unfixed> (bug #989360)
+ [bullseye] - netcdf <no-dsa> (Minor issue)
+ [buster] - netcdf <no-dsa> (Minor issue)
+ [stretch] - netcdf <not-affected> (vulnerable code not present)
+ - netcdf-parallel <unfixed> (bug #989361)
+ [bullseye] - netcdf-parallel <no-dsa> (Minor issue)
+ [buster] - netcdf-parallel <no-dsa> (Minor issue)
+ NOTE: https://sourceforge.net/p/ezxml/bugs/16/
CVE-2019-20200 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezx ...)
- NOT-FOR-US: ezXML
+ - mapcache <unfixed> (bug #989363)
+ [bullseye] - mapcache <no-dsa> (Minor issue)
+ [buster] - mapcache <no-dsa> (Minor issue)
+ [stretch] - mapcache <no-dsa> (Minor issue)
+ - scilab <unfixed> (bug #989364)
+ [bullseye] - scilab <no-dsa> (Minor issue)
+ [buster] - scilab <no-dsa> (Minor issue)
+ [stretch] - scilab <no-dsa> (Minor issue)
+ - netcdf <unfixed> (bug #989360)
+ [bullseye] - netcdf <no-dsa> (Minor issue)
+ [buster] - netcdf <no-dsa> (Minor issue)
+ [stretch] - netcdf <not-affected> (vulnerable code not present)
+ - netcdf-parallel <unfixed> (bug #989361)
+ [bullseye] - netcdf-parallel <no-dsa> (Minor issue)
+ [buster] - netcdf-parallel <no-dsa> (Minor issue)
+ NOTE: https://sourceforge.net/p/ezxml/bugs/19/
CVE-2019-20199 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezx ...)
- NOT-FOR-US: ezXML
+ - mapcache <unfixed> (bug #989363)
+ [bullseye] - mapcache <no-dsa> (Minor issue)
+ [buster] - mapcache <no-dsa> (Minor issue)
+ [stretch] - mapcache <no-dsa> (Minor issue)
+ - scilab <unfixed> (bug #989364)
+ [bullseye] - scilab <no-dsa> (Minor issue)
+ [buster] - scilab <no-dsa> (Minor issue)
+ [stretch] - scilab <no-dsa> (Minor issue)
+ - netcdf <unfixed> (bug #989360)
+ [bullseye] - netcdf <no-dsa> (Minor issue)
+ [buster] - netcdf <no-dsa> (Minor issue)
+ [stretch] - netcdf <not-affected> (vulnerable code not present)
+ - netcdf-parallel <unfixed> (bug #989361)
+ [bullseye] - netcdf-parallel <no-dsa> (Minor issue)
+ [buster] - netcdf-parallel <no-dsa> (Minor issue)
+ NOTE: https://sourceforge.net/p/ezxml/bugs/18/
CVE-2019-20198 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezx ...)
- NOT-FOR-US: ezXML
+ - mapcache <unfixed> (bug #989363)
+ [bullseye] - mapcache <no-dsa> (Minor issue)
+ [buster] - mapcache <no-dsa> (Minor issue)
+ [stretch] - mapcache <no-dsa> (Minor issue)
+ - scilab <unfixed> (bug #989364)
+ [bullseye] - scilab <no-dsa> (Minor issue)
+ [buster] - scilab <no-dsa> (Minor issue)
+ [stretch] - scilab <no-dsa> (Minor issue)
+ - netcdf <unfixed> (bug #989360)
+ [bullseye] - netcdf <no-dsa> (Minor issue)
+ [buster] - netcdf <no-dsa> (Minor issue)
+ [stretch] - netcdf <not-affected> (vulnerable code not present)
+ - netcdf-parallel <unfixed> (bug #989361)
+ [bullseye] - netcdf-parallel <no-dsa> (Minor issue)
+ [buster] - netcdf-parallel <no-dsa> (Minor issue)
+ NOTE: https://sourceforge.net/p/ezxml/bugs/20/
CVE-2019-20197 (In Nagios XI 5.6.9, an authenticated user is able to execute arbitrary ...)
NOT-FOR-US: Nagios XI
CVE-2019-20196
@@ -1813,17 +2160,23 @@ CVE-2019-20172 (Kernel/VM/MemoryManager.cpp in SerenityOS before 2019-12-30 does
NOT-FOR-US: SerenityOS
CVE-2019-20171 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
{DLA-2072-1}
- - gpac <unfixed> (low)
+ - gpac 1.0.1+dfsg1-2 (low)
[buster] - gpac <no-dsa> (Minor issue)
[stretch] - gpac <no-dsa> (Minor issue)
+ - ccextractor 0.93+ds2-1 (bug #994746)
+ [bullseye] - ccextractor <no-dsa> (Minor issue)
+ [buster] - ccextractor <no-dsa> (Minor issue)
NOTE: https://github.com/gpac/gpac/issues/1337
NOTE: https://github.com/gpac/gpac/commit/72cdc5048dead86bb1df7d21e0b9975e49cf2d97
NOTE: https://github.com/gpac/gpac/commit/2bcca3f1d4605100bb27d3ed7be25b53cddbc75c
CVE-2019-20170 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
{DLA-2072-1}
- - gpac <unfixed> (low)
+ - gpac 1.0.1+dfsg1-2 (bug #972053)
[buster] - gpac <no-dsa> (Minor issue)
[stretch] - gpac <no-dsa> (Minor issue)
+ - ccextractor 0.93+ds2-1 (bug #994746)
+ [bullseye] - ccextractor <no-dsa> (Minor issue)
+ [buster] - ccextractor <no-dsa> (Minor issue)
NOTE: https://github.com/gpac/gpac/issues/1328
NOTE: https://github.com/gpac/gpac/commit/16856430287cc10f495eb241910b4dc45b193e03
CVE-2019-20169 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
@@ -1847,34 +2200,41 @@ CVE-2019-20166 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-developm
NOTE: https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 (chunk #2)
CVE-2019-20165 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
{DLA-2072-1}
- - gpac <unfixed> (low)
- [buster] - gpac <no-dsa> (Minor issue)
- [stretch] - gpac <no-dsa> (Minor issue)
+ - gpac 1.0.1+dfsg1-2 (bug #972053)
+ [buster] - gpac <not-affected> (Vulnerable code introduced later, in version 0.8.0)
+ [stretch] - gpac <not-affected> (Vulnerable code introduced later, in version 0.8.0)
NOTE: https://github.com/gpac/gpac/issues/1338
NOTE: https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 (chunk #1)
+ NOTE: Introduced by https://github.com/gpac/gpac/commit/86d072b6a13baa1a4a90168098a0f8354c24d8cf
CVE-2019-20164 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
- gpac <not-affected> (Vulnerable code introduced in 0.7.0)
NOTE: https://github.com/gpac/gpac/issues/1332
NOTE: https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 (chunk #2)
CVE-2019-20163 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
{DLA-2072-1}
- - gpac <unfixed> (low)
+ - gpac 1.0.1+dfsg1-2 (bug #972053)
[buster] - gpac <no-dsa> (Minor issue)
[stretch] - gpac <no-dsa> (Minor issue)
NOTE: https://github.com/gpac/gpac/issues/1335
NOTE: https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 (chunk #4)
CVE-2019-20162 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
{DLA-2072-1}
- - gpac <unfixed>
+ - gpac 1.0.1+dfsg1-2 (bug #972053)
[buster] - gpac <no-dsa> (Minor issue)
[stretch] - gpac <no-dsa> (Minor issue)
+ - ccextractor 0.93+ds2-1 (bug #994746)
+ [bullseye] - ccextractor <no-dsa> (Minor issue)
+ [buster] - ccextractor <no-dsa> (Minor issue)
NOTE: https://github.com/gpac/gpac/issues/1327
NOTE: https://github.com/gpac/gpac/commit/3c0ba42546c8148c51169c3908e845c308746c77
CVE-2019-20161 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
{DLA-2072-1}
- - gpac <unfixed>
+ - gpac 1.0.1+dfsg1-2 (bug #972053)
[buster] - gpac <no-dsa> (Minor issue)
[stretch] - gpac <no-dsa> (Minor issue)
+ - ccextractor 0.93+ds2-1 (bug #994746)
+ [bullseye] - ccextractor <no-dsa> (Minor issue)
+ [buster] - ccextractor <no-dsa> (Minor issue)
NOTE: https://github.com/gpac/gpac/issues/1320
NOTE: https://github.com/gpac/gpac/commit/7a09732d4978586e6284e84caa9c301b2fa5e956
CVE-2019-20160 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
@@ -2022,8 +2382,8 @@ CVE-2019-20103
RESERVED
CVE-2019-20102 (The attachment-uploading feature in Atlassian Confluence Server from v ...)
NOT-FOR-US: Atlassian
-CVE-2019-20101
- RESERVED
+CVE-2019-20101 (Affected versions of Atlassian Jira Server and Data Center allow anony ...)
+ NOT-FOR-US: Atlassian
CVE-2019-20100 (The Atlassian Application Links plugin is vulnerable to cross-site req ...)
NOT-FOR-US: Atlassian Application Links plugin
CVE-2019-20099 (The VerifyPopServerConnection!add.jspa component in Atlassian Jira Ser ...)
@@ -2053,8 +2413,9 @@ CVE-2019-20094 (An issue was discovered in libsixel 1.8.4. There is a heap-based
NOTE: https://github.com/saitoha/libsixel/issues/125
NOTE: https://github.com/saitoha/libsixel/commit/a18b3789cfd147028403c17fe79a43b169d8f034
CVE-2019-20093 (The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo ...)
- - libpodofo <unfixed>
- [buster] - libpodofo <no-dsa> (Minor issue)
+ - libpodofo <unfixed> (bug #977302)
+ [bullseye] - libpodofo <ignored> (Minor issue)
+ [buster] - libpodofo <ignored> (Minor issue)
[stretch] - libpodofo <no-dsa> (Minor issue)
[jessie] - libpodofo <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/podofo/tickets/75/
@@ -2078,19 +2439,20 @@ CVE-2019-20084
RESERVED
CVE-2019-20083
RESERVED
-CVE-2019-20082
- RESERVED
+CVE-2019-20082 (ASUS RT-N53 3.0.0.4.376.3754 devices have a buffer overflow via a long ...)
+ NOT-FOR-US: ASUS
CVE-2019-20081
RESERVED
CVE-2019-20080
RESERVED
CVE-2019-20079 (The autocmd feature in window.c in Vim before 8.1.2136 accesses freed ...)
- vim 2:8.1.2136-1
- [buster] - vim <no-dsa> (Minor issue)
+ [buster] - vim <not-affected> (Vulnerable code introduced later)
[stretch] - vim <not-affected> (Vulnerable code introduced later)
[jessie] - vim <not-affected> (vulnerable code was introduced later)
NOTE: https://github.com/vim/vim/issues/5041
- NOTE: https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421
+ NOTE: Introduced with: https://github.com/vim/vim/commit/a27e1dcddc9e3914ab34b164f71c51b72903b00b (v8.1.2121)
+ NOTE: Fixed by: https://github.com/vim/vim/commit/ec66c41d84e574baf8009dbc0bd088d2bc5b2421 (v8.1.2136)
CVE-2019-20078
RESERVED
CVE-2019-20077 (The Typesetter CMS 5.1 logout functionality is affected by a CSRF vuln ...)
@@ -2144,10 +2506,12 @@ CVE-2019-20056 (stb_image.h (aka the stb image loader) 2.23, as used in libsixel
[stretch] - libsixel <no-dsa> (Minor issue)
[jessie] - libsixel <no-dsa> (Minor issue)
- libstb <unfixed> (low)
+ [bullseye] - libstb <no-dsa> (Minor issue)
[buster] - libstb <no-dsa> (Minor issue)
NOTE: libsixel PR: https://github.com/saitoha/libsixel/issues/126
NOTE: libsixel patch: https://github.com/saitoha/libsixel/commit/814f831555ea2492d442e784ab5d594f6a8e2e8d
NOTE: libstb PR: https://github.com/nothings/stb/issues/886
+ NOTE: libstb patch: https://github.com/nothings/stb/commit/bfaccab17a648b315543d366c63aee575a0756b7
CVE-2019-20055 (LuquidPixels LiquiFire OS 4.8.0 allows SSRF via the call%3Durl substri ...)
NOT-FOR-US: LuquidPixels LiquiFire OS
CVE-2019-20053 (An invalid memory address dereference was discovered in the canUnpack ...)
@@ -2180,10 +2544,9 @@ CVE-2019-20046 (The Synergy Systems &amp; Solutions PLC &amp; RTU system has a v
CVE-2019-20045 (The Synergy Systems &amp; Solutions PLC &amp; RTU system has a vulnera ...)
NOT-FOR-US: Synergy Systems & Solutions PLC & RTU system
CVE-2019-20044 (In Zsh before 5.8, attackers able to execute commands can regain privi ...)
- {DLA-2117-1}
+ {DLA-2470-1 DLA-2117-1}
- zsh 5.8-1 (bug #951458)
[buster] - zsh <no-dsa> (Minor issue)
- [stretch] - zsh <no-dsa> (Minor issue)
NOTE: https://www.zsh.org/mla/zsh-announce/141
NOTE: https://sourceforge.net/p/zsh/code/ci/24e993db62cf146fb76ebcf677a4a7aa3766fc74/
NOTE: https://sourceforge.net/p/zsh/code/ci/8250c5c168f07549ed646e6848e6dda118271e23/
@@ -2248,25 +2611,29 @@ CVE-2019-20021 (A heap-based buffer over-read was discovered in canUnpack in p_m
NOTE: https://github.com/upx/upx/issues/315
NOTE: https://github.com/upx/upx/commit/819c33fee2b2c33b96bef27a13cb20f2589819aa
CVE-2019-20020 (A stack-based buffer over-read was discovered in ReadNextStructField i ...)
- - libmatio <unfixed>
+ [experimental] - libmatio 1.5.18-1
+ - libmatio 1.5.19-2
[buster] - libmatio <no-dsa> (Minor issue)
[stretch] - libmatio <no-dsa> (Minor issue)
[jessie] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/128
CVE-2019-20019 (An attempted excessive memory allocation was discovered in Mat_VarRead ...)
- libmatio <unfixed>
+ [bullseye] - libmatio <no-dsa> (Minor issue)
[buster] - libmatio <no-dsa> (Minor issue)
[stretch] - libmatio <no-dsa> (Minor issue)
[jessie] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/130
CVE-2019-20018 (A stack-based buffer over-read was discovered in ReadNextCell in mat5. ...)
- - libmatio <unfixed>
+ [experimental] - libmatio 1.5.18-1
+ - libmatio 1.5.19-2
[buster] - libmatio <no-dsa> (Minor issue)
[stretch] - libmatio <no-dsa> (Minor issue)
[jessie] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/129
CVE-2019-20017 (A stack-based buffer over-read was discovered in Mat_VarReadNextInfo5 ...)
- - libmatio <unfixed>
+ [experimental] - libmatio 1.5.18-1
+ - libmatio 1.5.19-2
[buster] - libmatio <no-dsa> (Minor issue)
[stretch] - libmatio <no-dsa> (Minor issue)
[jessie] - libmatio <no-dsa> (Minor issue)
@@ -2294,11 +2661,56 @@ CVE-2019-20009 (An issue was discovered in GNU LibreDWG before 0.93. Crafted inp
CVE-2019-20008 (In Archery before 1.3, inserting an XSS payload into a project name (e ...)
NOT-FOR-US: Archery
CVE-2019-20007 (An issue was discovered in ezXML 0.8.2 through 0.8.6. The function ezx ...)
- NOT-FOR-US: ezXML
+ - mapcache <unfixed> (bug #989363)
+ [bullseye] - mapcache <no-dsa> (Minor issue)
+ [buster] - mapcache <no-dsa> (Minor issue)
+ [stretch] - mapcache <no-dsa> (Minor issue)
+ - scilab <unfixed> (bug #989364)
+ [bullseye] - scilab <no-dsa> (Minor issue)
+ [buster] - scilab <no-dsa> (Minor issue)
+ [stretch] - scilab <no-dsa> (Minor issue)
+ - netcdf <unfixed> (bug #989360)
+ [bullseye] - netcdf <no-dsa> (Minor issue)
+ [buster] - netcdf <no-dsa> (Minor issue)
+ [stretch] - netcdf <not-affected> (vulnerable code not present)
+ - netcdf-parallel <unfixed> (bug #989361)
+ [bullseye] - netcdf-parallel <no-dsa> (Minor issue)
+ [buster] - netcdf-parallel <no-dsa> (Minor issue)
+ NOTE: https://sourceforge.net/p/ezxml/bugs/13/
CVE-2019-20006 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezx ...)
- NOT-FOR-US: ezXML
+ - mapcache <unfixed> (bug #989363)
+ [bullseye] - mapcache <no-dsa> (Minor issue)
+ [buster] - mapcache <no-dsa> (Minor issue)
+ [stretch] - mapcache <no-dsa> (Minor issue)
+ - scilab <unfixed> (bug #989364)
+ [bullseye] - scilab <no-dsa> (Minor issue)
+ [buster] - scilab <no-dsa> (Minor issue)
+ [stretch] - scilab <no-dsa> (Minor issue)
+ - netcdf <unfixed> (bug #989360)
+ [bullseye] - netcdf <no-dsa> (Minor issue)
+ [buster] - netcdf <no-dsa> (Minor issue)
+ [stretch] - netcdf <not-affected> (vulnerable code not present)
+ - netcdf-parallel <unfixed> (bug #989361)
+ [bullseye] - netcdf-parallel <no-dsa> (Minor issue)
+ [buster] - netcdf-parallel <no-dsa> (Minor issue)
+ NOTE: https://sourceforge.net/p/ezxml/bugs/15/
CVE-2019-20005 (An issue was discovered in ezXML 0.8.3 through 0.8.6. The function ezx ...)
- NOT-FOR-US: ezXML
+ - mapcache <unfixed> (bug #989363)
+ [bullseye] - mapcache <no-dsa> (Minor issue)
+ [buster] - mapcache <no-dsa> (Minor issue)
+ [stretch] - mapcache <no-dsa> (Minor issue)
+ - scilab <unfixed> (bug #989364)
+ [bullseye] - scilab <no-dsa> (Minor issue)
+ [buster] - scilab <no-dsa> (Minor issue)
+ [stretch] - scilab <no-dsa> (Minor issue)
+ - netcdf <unfixed> (bug #989360)
+ [bullseye] - netcdf <no-dsa> (Minor issue)
+ [buster] - netcdf <no-dsa> (Minor issue)
+ [stretch] - netcdf <not-affected> (vulnerable code not present)
+ - netcdf-parallel <unfixed> (bug #989361)
+ [bullseye] - netcdf-parallel <no-dsa> (Minor issue)
+ [buster] - netcdf-parallel <no-dsa> (Minor issue)
+ NOTE: https://sourceforge.net/p/ezxml/bugs/14/
CVE-2019-20004 (An issue was discovered on Intelbras IWR 3000N 1.8.7 devices. When the ...)
NOT-FOR-US: Intelbras
CVE-2019-20003 (Feldtech easescreen Crystal 9.0 Web-Services 9.0.1.16265 allows Stored ...)
@@ -2404,7 +2816,7 @@ CVE-2019-19960 (In wolfSSL before 4.3.0, wc_ecc_mulmod_ex does not properly resi
NOTE: https://github.com/wolfSSL/wolfssl/commit/5ee9f9c7a23f8ed093fe1e42bc540727e96cebb8 (v4.3.0-stable)
CVE-2019-19959 (ext/misc/zipfile.c in SQLite 3.30.1 mishandles certain uses of INSERT ...)
- sqlite3 3.30.1+fossil191229-1
- [buster] - sqlite3 <no-dsa> (Minor issue)
+ [buster] - sqlite3 3.27.2-3+deb10u1
[stretch] - sqlite3 <not-affected> (Vulnerable code introduced later)
[jessie] - sqlite3 <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/sqlite/sqlite/commit/1e490c4ca6b43a9cf8637d695907888349f69bec
@@ -2417,7 +2829,7 @@ CVE-2019-19956 (xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before
{DLA-2369-1 DLA-2048-1}
[experimental] - libxml2 2.9.10+dfsg-1
- libxml2 2.9.10+dfsg-2
- [buster] - libxml2 <no-dsa> (Minor issue)
+ [buster] - libxml2 2.9.4+dfsg1-7+deb10u1
NOTE: https://gitlab.gnome.org/GNOME/libxml2/issues/82
NOTE: https://gitlab.gnome.org/GNOME/libxml2/commit/5a02583c7e683896d84878bd90641d8d9b0d0549 (v2.9.10-rc1)
CVE-2019-19955
@@ -2485,7 +2897,7 @@ CVE-2019-19937 (In JFrog Artifactory before 6.18, it is not possible to restrict
NOT-FOR-US: JFrog Artifactory
CVE-2019-19936
RESERVED
-CVE-2019-19935 (Froala Editor before 3.0.6 allows XSS. ...)
+CVE-2019-19935 (Froala Editor before 3.2.3 allows XSS. ...)
NOT-FOR-US: Froala Editor
CVE-2019-19934
RESERVED
@@ -2515,7 +2927,7 @@ CVE-2019-19926 (multiSelect in select.c in SQLite 3.30.1 mishandles certain erro
CVE-2019-19925 (zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles a NULL ...)
{DSA-4638-1}
- sqlite3 3.30.1+fossil191229-1
- [buster] - sqlite3 <no-dsa> (Minor issue)
+ [buster] - sqlite3 3.27.2-3+deb10u1
[stretch] - sqlite3 <not-affected> (Vulnerable code introduced later)
[jessie] - sqlite3 <not-affected> (Vulnerable code introduced later)
- chromium 80.0.3987.106-1
@@ -2523,14 +2935,14 @@ CVE-2019-19925 (zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles
NOTE: https://github.com/sqlite/sqlite/commit/54d501092d88c0cf89bec4279951f548fb0b8618
CVE-2019-19924 (SQLite 3.30.1 mishandles certain parser-tree rewriting, related to exp ...)
- sqlite3 3.30.1+fossil191229-1
- [buster] - sqlite3 <no-dsa> (Minor issue)
+ [buster] - sqlite3 <ignored> (Minor issue)
[stretch] - sqlite3 <not-affected> (Vulnerable code introduced later)
[jessie] - sqlite3 <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/sqlite/sqlite/commit/8654186b0236d556aa85528c2573ee0b6ab71be3
CVE-2019-19923 (flattenSubquery in select.c in SQLite 3.30.1 mishandles certain uses o ...)
{DSA-4638-1}
- sqlite3 3.30.1+fossil191229-1
- [buster] - sqlite3 <no-dsa> (Minor issue)
+ [buster] - sqlite3 3.27.2-3+deb10u1
[stretch] - sqlite3 <not-affected> (Vulnerable code introduced later)
[jessie] - sqlite3 <not-affected> (Vulnerable code introduced later)
- chromium 80.0.3987.106-1
@@ -2553,13 +2965,13 @@ CVE-2019-19919 (Versions of handlebars prior to 4.3.0 are vulnerable to Prototyp
[buster] - node-handlebars 3:4.1.0-1+deb10u1
NOTE: https://www.npmjs.com/advisories/1164
CVE-2019-19918 (Lout 3.40 has a heap-based buffer overflow in the srcnext() function i ...)
- - lout <unfixed> (bug #947113)
+ - lout <removed> (bug #947113)
[buster] - lout <no-dsa> (Minor issue)
[stretch] - lout <no-dsa> (Minor issue)
[jessie] - lout <ignored> (Minor issue)
NOTE: https://lists.gnu.org/archive/html/lout-users/2019-12/msg00001.html
CVE-2019-19917 (Lout 3.40 has a buffer overflow in the StringQuotedWord() function in ...)
- - lout <unfixed> (bug #947113)
+ - lout <removed> (bug #947113)
[buster] - lout <no-dsa> (Minor issue)
[stretch] - lout <no-dsa> (Minor issue)
[jessie] - lout <ignored> (Minor issue)
@@ -2642,8 +3054,8 @@ CVE-2019-19886 (Trustwave ModSecurity 3.0.0 through 3.0.3 allows an attacker to
[buster] - modsecurity 3.0.3-1+deb10u1
NOTE: https://github.com/SpiderLabs/ModSecurity/pull/2202
NOTE: https://github.com/SpiderLabs/ModSecurity/commit/7ba77631f9a37e0680d23ee57c455c6a35c65cb9
-CVE-2019-19885
- RESERVED
+CVE-2019-19885 (In Bender COMTRAXX, user authorization is validated for most, but not ...)
+ NOT-FOR-US: Bender COMTRAXX
CVE-2019-19884
RESERVED
CVE-2019-19883
@@ -2672,26 +3084,26 @@ CVE-2019-19880 (exprListAppendList in window.c in SQLite 3.30.1 allows attackers
NOTE: to not open CVE-2019-19926.
CVE-2019-19879 (HashiCorp Sentinel up to 0.10.1 incorrectly parsed negation in certain ...)
NOT-FOR-US: HashiCorp Sentinel (different from Redis Sentinel)
-CVE-2019-19878
- RESERVED
-CVE-2019-19877
- RESERVED
-CVE-2019-19876
- RESERVED
-CVE-2019-19875
- RESERVED
-CVE-2019-19874
- RESERVED
-CVE-2019-19873
- RESERVED
-CVE-2019-19872
- RESERVED
+CVE-2019-19878 (An issue was discovered in B&amp;R Industrial Automation APROL before ...)
+ NOT-FOR-US: B&R Industrial Automation APROL
+CVE-2019-19877 (An issue was discovered in B&amp;R Industrial Automation APROL before ...)
+ NOT-FOR-US: B&R Industrial Automation APROL
+CVE-2019-19876 (An issue was discovered in B&amp;R Industrial Automation APROL before ...)
+ NOT-FOR-US: B&R Industrial Automation APROL
+CVE-2019-19875 (An issue was discovered in B&amp;R Industrial Automation APROL before ...)
+ NOT-FOR-US: B&R Industrial Automation APROL
+CVE-2019-19874 (An issue was discovered in B&amp;R Industrial Automation APROL before ...)
+ NOT-FOR-US: B&R Industrial Automation APROL
+CVE-2019-19873 (An issue was discovered in B&amp;R Industrial Automation APROL before ...)
+ NOT-FOR-US: B&R Industrial Automation APROL
+CVE-2019-19872 (An issue was discovered in B&amp;R Industrial Automation APROL before ...)
+ NOT-FOR-US: B&R Industrial Automation APROL
CVE-2019-19871
RESERVED
CVE-2019-19870
RESERVED
-CVE-2019-19869
- RESERVED
+CVE-2019-19869 (An issue was discovered in B&amp;R Industrial Automation APROL before ...)
+ NOT-FOR-US: B&R Industrial Automation APROL
CVE-2019-19868
RESERVED
CVE-2019-19867
@@ -2844,21 +3256,29 @@ CVE-2019-19818 (The JBIG2Decode library in npdf.dll in Nitro Free PDF Reader 12.
CVE-2019-19817 (The JBIG2Decode library in npdf.dll in Nitro Free PDF Reader 12.0.0.11 ...)
NOT-FOR-US: JBIG2Globals library in npdf.dll in Nitro Free PDF Reader
CVE-2019-19816 (In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image ...)
+ {DLA-2586-1 DLA-2483-1 DLA-2385-1}
- linux 5.2.6-1
+ [buster] - linux 4.19.160-1
NOTE: https://git.kernel.org/linus/6bf9e4bd6a277840d3fe8c5d5d530a1fbd3db592
CVE-2019-19815 (In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image c ...)
- linux 5.3.7-1
+ [buster] - linux 4.19.67-1
+ [stretch] - linux 4.9.184-1
CVE-2019-19814 (In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image c ...)
- linux <unfixed>
+ [bullseye] - linux <no-dsa> (Minor issue)
+ [buster] - linux <no-dsa> (Minor issue)
CVE-2019-19813 (In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, ...)
+ {DLA-2586-1 DLA-2385-1}
- linux 5.2.6-1
+ [buster] - linux 4.19.146-1
NOTE: https://git.kernel.org/linus/6bf9e4bd6a277840d3fe8c5d5d530a1fbd3db592
CVE-2019-19812
RESERVED
CVE-2019-19811
RESERVED
-CVE-2019-19810
- RESERVED
+CVE-2019-19810 (Zoom Call Recording 6.3.1 from Eleveo is vulnerable to Java Deserializ ...)
+ NOT-FOR-US: Zoom
CVE-2019-19809
RESERVED
CVE-2019-3467 (Debian-edu-config all versions &lt; 2.11.10, a set of configuration fi ...)
@@ -2888,9 +3308,9 @@ CVE-2019-19799 (Zoho ManageEngine Applications Manager before 14600 allows a rem
CVE-2019-19798
RESERVED
CVE-2019-19797 (read_colordef in read.c in Xfig fig2dev 3.2.7b has an out-of-bounds wr ...)
+ {DLA-2778-1}
- fig2dev 1:3.2.7b-3 (bug #946866)
[buster] - fig2dev 1:3.2.7a-5+deb10u3
- [stretch] - fig2dev <no-dsa> (Minor issue)
- transfig <removed>
[jessie] - transfig <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/mcj/tickets/67/
@@ -2983,7 +3403,9 @@ CVE-2019-19830 (_core_/plugins/medias in SPIP 3.2.x before 3.2.7 allows remote a
[stretch] - spip <not-affected> (Vulnerable code not present)
[jessie] - spip <not-affected> (Vulnerable code not present)
CVE-2019-19770 (** DISPUTED ** In the Linux kernel 4.19.83, there is a use-after-free ...)
+ {DLA-2483-1}
- linux 5.7.17-1
+ [buster] - linux 4.19.160-1
[stretch] - linux <not-affected> (Vulnerability introduced later)
NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=205713
CVE-2019-19769 (In the Linux kernel 5.3.10, there is a use-after-free (read) in the pe ...)
@@ -3085,13 +3507,16 @@ CVE-2019-19730
CVE-2019-19729 (An issue was discovered in the BSON ObjectID (aka bson-objectid) packa ...)
NOT-FOR-US: bsjon-objectid node module
CVE-2019-19728 (SchedMD Slurm before 18.08.9 and 19.x before 19.05.5 executes srun --u ...)
+ {DSA-4841-1}
- slurm-llnl 19.05.5-1
- [buster] - slurm-llnl <no-dsa> (Minor issue)
- [stretch] - slurm-llnl <no-dsa> (Minor issue)
+ [stretch] - slurm-llnl <ignored> (Minor issue, fix introduces regression, upstream refuses access to bug tracker)
[jessie] - slurm-llnl <ignored> (Minor issue, fix introduces regression, upstream refuses access to bug tracker)
NOTE: https://github.com/SchedMD/slurm/commit/5ac031b2ef5462f6e8e47dad0247bd474614c118
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1159692
+ NOTE: https://bugs.schedmd.com/show_bug.cgi?id=8084
NOTE: Fixed upstream in 18.08.9, 19.05.5
+ NOTE: regression: running 'srun --uid ...' can lock the node 'alloc' state, requiring manually reset
+ NOTE: (with 'nobody' in stretch, with all users in jessie)
CVE-2019-19727 (SchedMD Slurm before 18.08.9 and 19.x before 19.05.5 has weak slurmdbd ...)
- slurm-llnl 19.05.5-1 (unimportant)
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1155784
@@ -3278,11 +3703,9 @@ CVE-2019-19650 (Zoho ManageEngine Applications Manager before 13640 allows a rem
CVE-2019-19649 (Zoho ManageEngine Applications Manager before 13620 allows a remote un ...)
NOT-FOR-US: Zoho ManageEngine Applications Manager
CVE-2019-19648 (In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, ...)
- - yara <unfixed>
- [buster] - yara <no-dsa> (Minor issue)
- [stretch] - yara <no-dsa> (Minor issue)
- [jessie] - yara <no-dsa> (Minor issue)
+ - yara <unfixed> (unimportant)
NOTE: https://github.com/VirusTotal/yara/issues/1178
+ NOTE: Negligible security impact
CVE-2019-19647 (radare2 through 4.0.0 lacks validation of the content variable in the ...)
- radare2 4.2.1+dfsg-1 (bug #947402)
[jessie] - radare2 <no-dsa> (Minor issue)
@@ -3294,7 +3717,7 @@ CVE-2019-19646 (pragma.c in SQLite through 3.30.1 mishandles NOT NULL in an inte
NOTE: https://github.com/sqlite/sqlite/commit/ebd70eedd5d6e6a890a670b5ee874a5eae86b4dd
CVE-2019-19645 (alter.c in SQLite through 3.30.1 allows attackers to trigger infinite ...)
- sqlite3 3.30.1+fossil191229-1 (bug #946612)
- [buster] - sqlite3 <no-dsa> (Minor issue)
+ [buster] - sqlite3 <ignored> (Minor issue, too intrusive to backport)
[stretch] - sqlite3 <not-affected> (Vulnerable code introduced later)
[jessie] - sqlite3 <no-dsa> (Minor issue)
NOTE: https://github.com/sqlite/sqlite/commit/38096961c7cd109110ac21d3ed7dad7e0cb0ae06
@@ -3343,12 +3766,12 @@ CVE-2019-19632 (An issue was discovered in Big Switch Big Monitoring Fabric 6.2
CVE-2019-19631 (An issue was discovered in Big Switch Big Monitoring Fabric 6.2 throug ...)
NOT-FOR-US: Big Switch Networks
CVE-2019-19630 (HTMLDOC 1.9.7 allows a stack-based buffer overflow in the hd_strlcpy() ...)
- {DLA-2026-1}
- - htmldoc 1.9.7-1 (low)
- [buster] - htmldoc <no-dsa> (Minor issue)
- [stretch] - htmldoc <no-dsa> (Minor issue)
+ {DLA-2700-1 DLA-2026-1}
+ - htmldoc 1.9.7-1 (unimportant; bug #988289)
+ [buster] - htmldoc 1.9.3-1+deb10u1
NOTE: https://github.com/michaelrsweet/htmldoc/issues/370
NOTE: https://github.com/michaelrsweet/htmldoc/commit/8a129c520e90fc967351f3e165f967128a88f09c
+ NOTE: Crash in CLI tool, no security impact
CVE-2019-19629 (In GitLab EE 10.5 through 12.5.3, 12.4.5, and 12.3.8, when transferrin ...)
- gitlab <not-affected> (Only affects Gitlab EE)
NOTE: https://about.gitlab.com/blog/2019/12/10/critical-security-release-gitlab-12-5-4-released/
@@ -3381,9 +3804,8 @@ CVE-2019-19619 (domain/section/markdown/markdown.go in Documize before 3.5.1 mis
CVE-2019-19618
RESERVED
CVE-2019-19617 (phpMyAdmin before 4.9.2 does not escape certain Git information, relat ...)
- {DLA-2024-1}
+ {DLA-2413-1 DLA-2024-1}
- phpmyadmin 4:4.9.2+dfsg1-1
- [stretch] - phpmyadmin <no-dsa> (Minor issue)
NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/1119de642b136d20e810bb20f545069a01dd7cc9
CVE-2019-19616 (An Insecure Direct Object Reference (IDOR) vulnerability in the Xtivia ...)
NOT-FOR-US: Microsoft Dynamics NAV
@@ -3419,13 +3841,13 @@ CVE-2019-19604 (Arbitrary command execution is possible in Git before 2.20.2, 2.
NOTE: https://git.kernel.org/pub/scm/git/git.git/commit/?id=c1547450748fcbac21675f2681506d2d80351a19
NOTE: Upstream did backport fixes for CVE-2019-19604 to older versions as the introducing
NOTE: version for sake of robustness/hardening. In particular, the server-side protection
- NOTE: provided by the fsck is useful for protecting unpatched clients that are affected
+ NOTE: provided by the fsck is useful for protecting unpatched clients that are affected
NOTE: by the bug.
NOTE: https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodule/advisory.md
NOTE: https://www.openwall.com/lists/oss-security/2019/12/13/1
CVE-2019-19603 (SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent ...)
- sqlite3 3.30.1+fossil191229-1
- [buster] - sqlite3 <no-dsa> (Minor issue)
+ [buster] - sqlite3 <ignored> (Minor issue, too intrusive to backport)
[stretch] - sqlite3 <not-affected> (vulnerable code not present)
[jessie] - sqlite3 <no-dsa> (Minor issue)
NOTE: https://github.com/sqlite/sqlite/commit/527cbd4a104cb93bf3994b3dd3619a6299a78b13
@@ -3464,7 +3886,7 @@ CVE-2019-19590 (In radare2 through 4.0, there is an integer overflow for the var
[jessie] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radareorg/radare2/issues/15543
NOTE: https://github.com/radareorg/radare2/commit/9bbc63ffa0e93aa054e262cdfb973326935a2d70
-CVE-2019-19589 (The Lever PDF Embedder plugin 4.4 for WordPress does not block the dis ...)
+CVE-2019-19589 (** DISPUTED ** The Lever PDF Embedder plugin 4.4 for WordPress does no ...)
NOT-FOR-US: Lever PDF Embedder plugin for WordPress
CVE-2019-19588 (The validators package 0.12.2 through 0.12.5 for Python enters an infi ...)
NOT-FOR-US: validators Python package
@@ -3537,22 +3959,22 @@ CVE-2019-19565
RESERVED
CVE-2019-19564
RESERVED
-CVE-2019-19563
- RESERVED
-CVE-2019-19562
- RESERVED
-CVE-2019-19561
- RESERVED
-CVE-2019-19560
- RESERVED
+CVE-2019-19563 (A misconfiguration in the debug interface in Mercedes-Benz HERMES 2.1 ...)
+ NOT-FOR-US: Mercedes-Benz HERMES
+CVE-2019-19562 (An authentication bypass in the debug interface in Mercedes-Benz HERME ...)
+ NOT-FOR-US: Mercedes-Benz HERMES
+CVE-2019-19561 (A misconfiguration in the debug interface in Mercedes-Benz HERMES 1.5 ...)
+ NOT-FOR-US: Mercedes-Benz HERMES
+CVE-2019-19560 (An authentication bypass in the debug interface in Mercedes-Benz HERME ...)
+ NOT-FOR-US: Mercedes-Benz HERMES
CVE-2019-19559
RESERVED
CVE-2019-19558
RESERVED
-CVE-2019-19557
- RESERVED
-CVE-2019-19556
- RESERVED
+CVE-2019-19557 (A misconfiguration in the debug interface in Mercedes-Benz HERMES 1 al ...)
+ NOT-FOR-US: Mercedes-Benz HERMES
+CVE-2019-19556 (An authentication bypass in the debug interface in Mercedes-Benz HERME ...)
+ NOT-FOR-US: Mercedes-Benz HERMES
CVE-2019-19555 (read_textobject in read.c in Xfig fig2dev 3.2.7b has a stack-based buf ...)
{DLA-2073-1}
- fig2dev 1:3.2.7b-2 (unimportant; bug #946176)
@@ -3565,9 +3987,9 @@ CVE-2019-19555 (read_textobject in read.c in Xfig fig2dev 3.2.7b has a stack-bas
CVE-2019-19554
RESERVED
CVE-2019-19553 (In Wireshark 3.0.0 to 3.0.6 and 2.6.0 to 2.6.12, the CMS dissector cou ...)
+ {DLA-2547-1}
- wireshark 3.0.7-1 (low)
- [buster] - wireshark <postponed> (Can be fixed along in next 3.0.x DSA)
- [stretch] - wireshark <postponed> (Can be fixed along in next 2.6.x DSA)
+ [buster] - wireshark 2.6.20-0+deb10u1
[jessie] - wireshark <postponed> (Can be fixed along in next 1.12.x DLA)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15961
NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=34d2e0d5318d0a7e9889498c721639e5cbf4ce45
@@ -3717,8 +4139,8 @@ CVE-2019-19515 (Ayision Ays-WR01 v28K.RPT.20161224 devices allow stored XSS in w
NOT-FOR-US: Ayision
CVE-2019-19514 (Ayision Ays-WR01 v28K.RPT.20161224 devices allow stored XSS in basic r ...)
NOT-FOR-US: Ayision
-CVE-2019-19513
- RESERVED
+CVE-2019-19513 (The BASSMIDI plugin 2.4.12.1 for Un4seen BASS Audio Library on Windows ...)
+ NOT-FOR-US: BASS Audio Library
CVE-2019-19512
RESERVED
CVE-2019-19511
@@ -3802,10 +4224,9 @@ CVE-2019-19480 (An issue was discovered in OpenSC through 0.19.0 and 0.20.x thro
NOTE: fixes are not related "directly" to the CVE assignment for the incorrect
NOTE: free operation in sc_pkcs15_decode_prkdf_entry.
CVE-2019-19479 (An issue was discovered in OpenSC through 0.19.0 and 0.20.x through 0. ...)
- {DLA-2046-1}
+ {DLA-2832-1 DLA-2046-1}
- opensc 0.20.0-1 (bug #947383)
[buster] - opensc <no-dsa> (Minor issue)
- [stretch] - opensc <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18693
NOTE: https://github.com/OpenSC/OpenSC/commit/c3f23b836e5a1766c36617fe1da30d22f7b63de2
CVE-2019-19478
@@ -3839,7 +4260,7 @@ CVE-2019-19465
CVE-2019-19464 (The CBC Gem application before 9.24.1 for Android and before 9.26.0 fo ...)
NOT-FOR-US: CBC Gem application for Android
CVE-2019-19463 (The Anhui Huami Mi Fit application before 4.0.11 for Android has an Un ...)
- NOT-FOR-US: Anhui Huami Mi Fit application for Android
+ NOT-FOR-US: Anhui Huami Mi Fit application for Android
CVE-2019-19462 (relay_open in kernel/relay.c in the Linux kernel through 5.4.1 allows ...)
{DSA-4699-1 DSA-4698-1 DLA-2242-1}
- linux 5.6.14-2
@@ -3874,9 +4295,13 @@ CVE-2019-19450
RESERVED
CVE-2019-19449 (In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image c ...)
- linux <unfixed>
+ [bullseye] - linux <postponed> (Minor issue, revisit once fixed upstream)
+ [buster] - linux <postponed> (Minor issue, revisit once fixed upstream)
NOTE: https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19449
CVE-2019-19448 (In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesy ...)
+ {DLA-2420-1 DLA-2385-1}
- linux 5.7.17-1
+ [buster] - linux 4.19.146-1
NOTE: https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19448
CVE-2019-19447 (In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, ...)
{DLA-2241-1 DLA-2114-1}
@@ -3991,12 +4416,12 @@ CVE-2019-19395
RESERVED
CVE-2019-19394 (Northern.tech CFEngine Enterprise before 3.10.7, 3.11.x and 3.12.x bef ...)
NOT-FOR-US: CFEngine Enterprise
-CVE-2019-19393
- RESERVED
+CVE-2019-19393 (The Web application on Rittal CMC PU III 7030.000 V3.00 V3.11.00_2 to ...)
+ NOT-FOR-US: Rittal
CVE-2019-19392 (The forDNN.UsersExportImport module before 1.2.0 for DNN (formerly Dot ...)
NOT-FOR-US: forDNN.UsersExportImport module for DNN
CVE-2019-19391 (** DISPUTED ** In LuaJIT through 2.0.5, as used in Moonjit before 2.1. ...)
- - luajit <unfixed> (bug #946053; unimportant)
+ - luajit 2.1.0~beta3+git20210112+dfsg-2 (bug #946053; unimportant)
NOTE: https://github.com/LuaJIT/LuaJIT/pull/526
NOTE: Negligible security impact. The debug library is unsafe per se and one is
NOTE: not supposed to release an application with the debug library.
@@ -4026,8 +4451,12 @@ CVE-2019-19379 (In app/Controller/TagsController.php in MISP 2.4.118, users can
NOT-FOR-US: MISP
CVE-2019-19378 (In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image ...)
- linux <unfixed>
+ [bullseye] - linux <no-dsa> (Minor issue)
+ [buster] - linux <no-dsa> (Minor issue)
CVE-2019-19377 (In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, ...)
+ {DLA-2483-1}
- linux 5.6.7-1
+ [buster] - linux 4.19.160-1
NOTE: https://git.kernel.org/linus/b3ff8f1d380e65dddd772542aa9bff6c86bf715a
CVE-2019-19376 (In Octopus Deploy before 2019.10.6, an authenticated user with TeamEdi ...)
NOT-FOR-US: Octopus Deploy
@@ -4073,22 +4502,17 @@ CVE-2019-19356 (Netis WF2419 is vulnerable to authenticated Remote Code Executio
NOT-FOR-US: Netis WF2419
CVE-2019-19355 (An insecure modification vulnerability in the /etc/passwd file was fou ...)
NOT-FOR-US: openshift
-CVE-2019-19354
- RESERVED
+CVE-2019-19354 (An insecure modification vulnerability in the /etc/passwd file was fou ...)
NOT-FOR-US: openshift
-CVE-2019-19353
- RESERVED
+CVE-2019-19353 (An insecure modification vulnerability in the /etc/passwd file was fou ...)
NOT-FOR-US: openshift
-CVE-2019-19352
- RESERVED
+CVE-2019-19352 (An insecure modification vulnerability in the /etc/passwd file was fou ...)
NOT-FOR-US: openshift
CVE-2019-19351 (An insecure modification vulnerability in the /etc/passwd file was fou ...)
NOT-FOR-US: openshift
-CVE-2019-19350
- RESERVED
+CVE-2019-19350 (An insecure modification vulnerability in the /etc/passwd file was fou ...)
NOT-FOR-US: openshift
-CVE-2019-19349
- RESERVED
+CVE-2019-19349 (An insecure modification vulnerability in the /etc/passwd file was fou ...)
NOT-FOR-US: openshift
CVE-2019-19348 (An insecure modification vulnerability in the /etc/passwd file was fou ...)
NOT-FOR-US: openshift
@@ -4104,8 +4528,7 @@ CVE-2019-19344 (There is a use-after-free issue in all samba 4.9.x versions befo
[stretch] - samba <not-affected> (Only affects Samba 4.9 onwards)
[jessie] - samba <not-affected> (Only affects Samba 4.9 onwards)
NOTE: https://www.samba.org/samba/security/CVE-2019-19344.html
-CVE-2019-19343
- RESERVED
+CVE-2019-19343 (A flaw was found in Undertow when using Remoting as shipped in Red Hat ...)
- undertow <unfixed> (bug #948024; unimportant)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1780445
NOTE: Issue affects both Undertow and rmeoting, but for adressing the immediate
@@ -4145,6 +4568,7 @@ CVE-2019-19332 (An out-of-bounds memory write issue was found in the Linux Kerne
NOTE: https://git.kernel.org/linus/433f4ba1904100da65a311033f17a9bf586b287e
CVE-2019-19331 (knot-resolver before version 4.3.0 is vulnerable to denial of service ...)
- knot-resolver 5.0.1-1 (bug #946181)
+ [buster] - knot-resolver <no-dsa> (Minor issue; can be fixed via point release)
NOTE: https://www.openwall.com/lists/oss-security/2019/12/04/4
CVE-2019-19329 (In Wikibase Wikidata Query Service GUI before 0.3.6-SNAPSHOT 2019-11-0 ...)
NOT-FOR-US: Wikibase Wikidata Query Service GUI
@@ -4166,12 +4590,15 @@ CVE-2019-19321
RESERVED
CVE-2019-19320
RESERVED
-CVE-2019-19319 (In the Linux kernel 5.0.21, a setxattr operation, after a mount of a c ...)
+CVE-2019-19319 (In the Linux kernel before 5.2, a setxattr operation, after a mount of ...)
{DSA-4698-1 DLA-2242-1 DLA-2241-1}
- linux 5.2.6-1
[buster] - linux 4.19.87-1
CVE-2019-19318 (In the Linux kernel 5.3.11, mounting a crafted btrfs image twice can c ...)
+ {DLA-2586-1}
- linux 5.4.6-1
+ [buster] - linux 4.19.146-1
+ NOTE: https://git.kernel.org/linus/9f7fec0ba89108b9385f1b9fb167861224912a4a
CVE-2019-19317 (lookupName in resolve.c in SQLite 3.30.1 omits bits from the colUsed b ...)
- sqlite3 <not-affected> (Generated column support was added with SQLite version 3.31.0)
NOTE: Fixed by: https://github.com/sqlite/sqlite/commit/522ebfa7cee96fb325a22ea3a2464a63485886a8
@@ -4224,44 +4651,44 @@ CVE-2019-19303
RESERVED
CVE-2019-19302
RESERVED
-CVE-2019-19301 (A vulnerability has been identified in SCALANCE S602 (All versions), S ...)
+CVE-2019-19301 (A vulnerability has been identified in SCALANCE X-200 switch family (i ...)
NOT-FOR-US: Siemens
-CVE-2019-19300 (A vulnerability has been identified in KTK ATE530S (All versions), SID ...)
+CVE-2019-19300 (A vulnerability has been identified in Development/Evaluation Kits for ...)
NOT-FOR-US: Siemens
-CVE-2019-19299 (A vulnerability has been identified in SiNVR 3 Central Control Server ...)
+CVE-2019-19299 (A vulnerability has been identified in SiNVR/SiVMS Video Server (All v ...)
NOT-FOR-US: SiNVR 3 Central Control Server (CCS)
-CVE-2019-19298 (A vulnerability has been identified in SiNVR 3 Central Control Server ...)
+CVE-2019-19298 (A vulnerability has been identified in SiNVR/SiVMS Video Server (All v ...)
NOT-FOR-US: SiNVR 3 Central Control Server (CCS)
-CVE-2019-19297 (A vulnerability has been identified in SiNVR 3 Central Control Server ...)
+CVE-2019-19297 (A vulnerability has been identified in SiNVR/SiVMS Video Server (All v ...)
NOT-FOR-US: SiNVR 3 Central Control Server (CCS)
-CVE-2019-19296 (A vulnerability has been identified in SiNVR 3 Central Control Server ...)
+CVE-2019-19296 (A vulnerability has been identified in SiNVR/SiVMS Video Server (All v ...)
NOT-FOR-US: SiNVR 3 Central Control Server (CCS)
-CVE-2019-19295 (A vulnerability has been identified in SiNVR 3 Central Control Server ...)
+CVE-2019-19295 (A vulnerability has been identified in Control Center Server (CCS) (Al ...)
NOT-FOR-US: SiNVR 3 Central Control Server (CCS)
-CVE-2019-19294 (A vulnerability has been identified in SiNVR 3 Central Control Server ...)
+CVE-2019-19294 (A vulnerability has been identified in Control Center Server (CCS) (Al ...)
NOT-FOR-US: SiNVR 3 Central Control Server (CCS)
-CVE-2019-19293 (A vulnerability has been identified in SiNVR 3 Central Control Server ...)
+CVE-2019-19293 (A vulnerability has been identified in Control Center Server (CCS) (Al ...)
NOT-FOR-US: SiNVR 3 Central Control Server (CCS)
-CVE-2019-19292 (A vulnerability has been identified in SiNVR 3 Central Control Server ...)
+CVE-2019-19292 (A vulnerability has been identified in Control Center Server (CCS) (Al ...)
NOT-FOR-US: SiNVR 3 Central Control Server (CCS)
-CVE-2019-19291 (A vulnerability has been identified in SiNVR 3 Central Control Server ...)
+CVE-2019-19291 (A vulnerability has been identified in Control Center Server (CCS) (Al ...)
NOT-FOR-US: SiNVR 3 Central Control Server (CCS)
-CVE-2019-19290 (A vulnerability has been identified in SiNVR 3 Central Control Server ...)
+CVE-2019-19290 (A vulnerability has been identified in Control Center Server (CCS) (Al ...)
NOT-FOR-US: SiNVR 3 Central Control Server (CCS)
-CVE-2019-19289
- RESERVED
-CVE-2019-19288
- RESERVED
-CVE-2019-19287
- RESERVED
-CVE-2019-19286
- RESERVED
-CVE-2019-19285
- RESERVED
-CVE-2019-19284
- RESERVED
-CVE-2019-19283
- RESERVED
+CVE-2019-19289 (A vulnerability has been identified in XHQ (All Versions &lt; 6.1). Th ...)
+ NOT-FOR-US: XHQ
+CVE-2019-19288 (A vulnerability has been identified in XHQ (All Versions &lt; 6.1). Th ...)
+ NOT-FOR-US: XHQ
+CVE-2019-19287 (A vulnerability has been identified in XHQ (All Versions &lt; 6.1). Th ...)
+ NOT-FOR-US: XHQ
+CVE-2019-19286 (A vulnerability has been identified in XHQ (All Versions &lt; 6.1). Th ...)
+ NOT-FOR-US: XHQ
+CVE-2019-19285 (A vulnerability has been identified in XHQ (All Versions &lt; 6.1). Th ...)
+ NOT-FOR-US: XHQ
+CVE-2019-19284 (A vulnerability has been identified in XHQ (All Versions &lt; 6.1). Th ...)
+ NOT-FOR-US: XHQ
+CVE-2019-19283 (A vulnerability has been identified in XHQ (All Versions &lt; 6.1). Th ...)
+ NOT-FOR-US: XHQ
CVE-2019-19282 (A vulnerability has been identified in OpenPCS 7 V8.1 (All versions), ...)
NOT-FOR-US: Siemens
CVE-2019-19281 (A vulnerability has been identified in SIMATIC ET 200SP Open Controlle ...)
@@ -4274,8 +4701,8 @@ CVE-2019-19278 (A vulnerability has been identified in SINAMICS PERFECT HARMONY
NOT-FOR-US: SINAMICS
CVE-2019-19277 (A vulnerability has been identified in SIPORT MP (All versions &lt; 3. ...)
NOT-FOR-US: Siemens
-CVE-2019-19276
- RESERVED
+CVE-2019-19276 (A vulnerability has been identified in SIMATIC HMI Comfort Panels 1st ...)
+ NOT-FOR-US: Siemens
CVE-2019-19275 (typed_ast 1.3.0 and 1.3.1 has an ast_for_arguments out-of-bounds read. ...)
- python3-typed-ast 1.4.0-1 (low)
[buster] - python3-typed-ast <no-dsa> (Minor issue)
@@ -4348,7 +4775,6 @@ CVE-2019-19260 (GitLab Community Edition (CE) and Enterprise Edition (EE) throug
[buster] - gitlab-workhorse <ignored> (Minor issue)
[stretch] - gitlab-workhorse <ignored> (Minor issue)
[experimental] - gitaly 1.65.2+dfsg-1
- - gitaly <unfixed>
NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
CVE-2019-19259 (GitLab Enterprise Edition (EE) 11.3 and later through 12.5 allows an I ...)
- gitlab <not-affected> (Only affects Gitlab EE)
@@ -4390,25 +4816,24 @@ CVE-2019-19248 (Electronic Arts Origin through 10.5.x allows Elevation of Privil
CVE-2019-19247 (Electronic Arts Origin through 10.5.x allows Elevation of Privilege (i ...)
NOT-FOR-US: Electronic Arts Origin
CVE-2019-19246 (Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has ...)
- {DLA-2020-1}
+ {DLA-2431-1 DLA-2020-1}
- libonig 6.9.4-1 (low; bug #946344)
[buster] - libonig <no-dsa> (Minor issue)
- [stretch] - libonig <no-dsa> (Minor issue)
NOTE: https://bugs.php.net/bug.php?id=78559
NOTE: https://github.com/kkos/oniguruma/commit/d3e402928b6eb3327f8f7d59a9edfa622fec557b
CVE-2019-19245 (NAPC Xinet Elegant 6 Asset Library 6.1.655 allows Pre-Authentication S ...)
NOT-FOR-US: NAPC Xinet Elegant 6 Asset Library
CVE-2019-19244 (sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-sel ...)
- - sqlite3 3.30.1+fossil191229-1 (bug #946656)
- [buster] - sqlite3 <no-dsa> (Minor issue)
+ - sqlite3 3.30.1+fossil191229-1 (unimportant; bug #946656)
[stretch] - sqlite3 <not-affected> (Vulnerable code introduced later)
[jessie] - sqlite3 <not-affected> (Vulnerable code, i.e. window functions, not present)
NOTE: https://github.com/sqlite/sqlite/commit/e59c562b3f6894f84c715772c4b116d7b5c01348
+ NOTE: Only triggerable with SQLITE_DEBUG, which Debian builds don't use
CVE-2019-19243
RESERVED
CVE-2019-19242 (SQLite 3.30.1 mishandles pExpr-&gt;y.pTab, as demonstrated by the TK_C ...)
- sqlite3 3.30.1+fossil191229-1
- [buster] - sqlite3 <no-dsa> (Minor issue)
+ [buster] - sqlite3 <not-affected> (Vulnerable code not present)
[stretch] - sqlite3 <not-affected> (Vulnerable code introduced later)
[jessie] - sqlite3 <not-affected> (Vulnerable code not present)
NOTE: https://github.com/sqlite/sqlite/commit/57f7ece78410a8aae86aa4625fb7556897db384c
@@ -4507,17 +4932,16 @@ CVE-2019-19206 (Dolibarr CRM/ERP 10.0.3 allows viewimage.php?file= Stored XSS du
CVE-2019-19205
RESERVED
CVE-2019-19204 (An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the func ...)
- {DLA-2020-1}
+ {DLA-2431-1 DLA-2020-1}
- libonig 6.9.4-1 (low; bug #945313)
[buster] - libonig <no-dsa> (Minor issue)
- [stretch] - libonig <no-dsa> (Minor issue)
NOTE: https://github.com/kkos/oniguruma/issues/162
NOTE: https://github.com/kkos/oniguruma/commit/6eb4aca6a7f2f60f473580576d86686ed6a6ebec (v6.9.4_rc2)
NOTE: Only exploitable with attacker-provided pattern
CVE-2019-19203 (An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the func ...)
+ {DLA-2431-1}
- libonig 6.9.4-1 (low; bug #945312)
[buster] - libonig <no-dsa> (Minor issue)
- [stretch] - libonig <no-dsa> (Minor issue)
[jessie] - libonig <ignored> (Minor issue, not reproducible, non-trivial backport)
NOTE: https://github.com/kkos/oniguruma/issues/163
NOTE: https://github.com/kkos/oniguruma/commit/aa0188eaedc056dca8374ac03d0177429b495515 (v6.9.4_rc2)
@@ -4526,10 +4950,10 @@ CVE-2019-19202 (In Vtiger 7.x before 7.2.0, the My Preferences saving functional
NOT-FOR-US: Vtiger CRM
CVE-2019-19201
RESERVED
-CVE-2019-19200
- RESERVED
-CVE-2019-19199
- RESERVED
+CVE-2019-19200 (REDDOXX MailDepot 2032 2.2.1242 allows authenticated users to access t ...)
+ NOT-FOR-US: REDDOXX MailDepot
+CVE-2019-19199 (REDDOXX MailDepot 2032 SP2 2.2.1242 has Insufficient Session Expiratio ...)
+ NOT-FOR-US: REDDOXX MailDepot
CVE-2019-19198 (The Scoutnet Kalender plugin 1.1.0 for WordPress allows XSS. ...)
NOT-FOR-US: Scoutnet Kalender plugin for WordPress
CVE-2019-19197 (IOCTL Handling in the kyrld.sys driver in Kyrol Internet Security 9.0. ...)
@@ -4655,8 +5079,8 @@ CVE-2019-19140
RESERVED
CVE-2019-19139
RESERVED
-CVE-2019-19138
- RESERVED
+CVE-2019-19138 (Ivanti Workspace Control before 10.4.50.0 allows attackers to degrade ...)
+ NOT-FOR-US: Ivanti
CVE-2019-19137
RESERVED
CVE-2019-19136
@@ -4716,8 +5140,8 @@ CVE-2019-19117 (/usr/lib/lua/luci/controller/admin/autoupgrade.lua on PHICOMM K2
NOT-FOR-US: PHICOMM K2(PSG1218) devices
CVE-2019-19116
RESERVED
-CVE-2019-19115
- RESERVED
+CVE-2019-19115 (An escalation of privilege vulnerability in Nahimic APO Software Compo ...)
+ NOT-FOR-US: Nahimic APO Software Component Driver
CVE-2019-19114
RESERVED
CVE-2019-19113 (main/resources/mapper/NewBeeMallGoodsMapper.xml in newbee-mall (aka Ne ...)
@@ -4790,6 +5214,7 @@ CVE-2019-19083 (Memory leaks in *clock_source_create() functions under drivers/g
NOTE: https://git.kernel.org/linus/055e547478a11a6360c7ce05e2afc3e366968a12
CVE-2019-19082 (Memory leaks in *create_resource_pool() functions under drivers/gpu/dr ...)
- linux 5.4.6-1
+ [buster] - linux 4.19.146-1
[stretch] - linux <not-affected> (Vulnerable code not present)
[jessie] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/104c307147ad379617472dd91a5bcb368d72bd6d
@@ -4833,13 +5258,18 @@ CVE-2019-19075 (A memory leak in the ca8210_probe() function in drivers/net/ieee
[buster] - linux 4.19.87-1
NOTE: https://git.kernel.org/linus/6402939ec86eaf226c8b8ae00ed983936b164908
CVE-2019-19074 (A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ ...)
+ {DLA-2420-1}
- linux 5.4.6-1
+ [buster] - linux 4.19.146-1
NOTE: https://git.kernel.org/linus/728c1e2a05e4b5fc52fab3421dce772a806612a2
CVE-2019-19073 (Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux ...)
+ {DLA-2420-1}
- linux 5.4.6-1
+ [buster] - linux 4.19.146-1
NOTE: https://git.kernel.org/linus/853acf7caf10b828102d92d05b5c101666a6142b
CVE-2019-19072 (A memory leak in the predicate_parse() function in kernel/trace/trace_ ...)
- linux 5.4.6-1
+ [buster] - linux 4.19.146-1
[stretch] - linux <not-affected> (Vulnerable code not present)
[jessie] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/96c5c6e6a5b6db592acae039fed54b5c8844cd35
@@ -4864,6 +5294,7 @@ CVE-2019-19068 (A memory leak in the rtl8xxxu_submit_int_urb() function in drive
[jessie] - linux <not-affected> (Vulnerable code not present)
CVE-2019-19067 (** DISPUTED ** Four memory leaks in the acp_hw_init() function in driv ...)
- linux 5.3.9-1 (unimportant)
+ [buster] - linux 4.19.146-1
NOTE: https://git.kernel.org/linus/57be09c6e8747bf48704136d9e3f92bfb93f5725
CVE-2019-19066 (A memory leak in the bfad_im_get_stats() function in drivers/scsi/bfa/ ...)
{DLA-2114-1 DLA-2068-1}
@@ -4889,6 +5320,7 @@ CVE-2019-19062 (A memory leak in the crypto_report() function in crypto/crypto_u
[stretch] - linux 4.9.210-1
CVE-2019-19061 (A memory leak in the adis_update_scan_mode_burst() function in drivers ...)
- linux 5.3.9-1 (unimportant)
+ [buster] - linux 4.19.146-1
NOTE: https://git.kernel.org/linus/9c0530e898f384c5d279bfcebd8bb17af1105873
CVE-2019-19060 (A memory leak in the adis_update_scan_mode() function in drivers/iio/i ...)
- linux 5.3.9-1 (unimportant)
@@ -4924,6 +5356,7 @@ CVE-2019-19055 (** DISPUTED ** A memory leak in the nl80211_get_ftm_responder_st
NOTE: https://git.kernel.org/linus/1399c59fa92984836db90538cf92397fe7caaa57
CVE-2019-19054 (A memory leak in the cx23888_ir_probe() function in drivers/media/pci/ ...)
- linux 5.5.13-1 (unimportant)
+ [buster] - linux 4.19.146-1
NOTE: Memory leak on probe only.
CVE-2019-19053 (A memory leak in the rpmsg_eptdev_write_iter() function in drivers/rpm ...)
- linux 5.4.13-1
@@ -4993,7 +5426,9 @@ CVE-2019-19041 (An issue was discovered in Xorux Lpar2RRD 6.11 and Stor2RRD 2.61
CVE-2019-19040 (KairosDB through 1.2.2 has XSS in view.html because of showErrorMessag ...)
NOT-FOR-US: KairosDB
CVE-2019-19039 (** DISPUTED ** __btrfs_free_extent in fs/btrfs/extent-tree.c in the Li ...)
+ {DLA-2483-1}
- linux 5.6.7-1
+ [buster] - linux 4.19.160-1
NOTE: https://git.kernel.org/linus/b3ff8f1d380e65dddd772542aa9bff6c86bf715a
CVE-2019-19038
RESERVED
@@ -5056,10 +5491,9 @@ CVE-2019-19014 (An issue was discovered in TitanHQ WebTitan before 5.18. It has
CVE-2019-19013 (A CSRF vulnerability in Pagekit 1.0.17 allows an attacker to upload an ...)
NOT-FOR-US: Pagekit CMS
CVE-2019-19012 (An integer overflow in the search_in_range function in regexec.c in On ...)
- {DLA-2020-1}
+ {DLA-2431-1 DLA-2020-1}
- libonig 6.9.4-1 (low; bug #944959)
[buster] - libonig <no-dsa> (Minor issue)
- [stretch] - libonig <no-dsa> (Minor issue)
NOTE: https://github.com/kkos/oniguruma/issues/164
NOTE: https://github.com/kkos/oniguruma/commit/0463e21432515631a9bc925ce5eb95b097c73719
NOTE: https://github.com/kkos/oniguruma/commit/778a43dd56925ed58bbe26e3a7bb8202d72c3f3f
@@ -5082,10 +5516,12 @@ CVE-2019-19007 (Intelbras IWR 3000N 1.8.7 devices allow disclosure of the admini
NOT-FOR-US: Intelbras IWR 3000N 1.8.7 devices
CVE-2019-19006 (Sangoma FreePBX 115.0.16.26 and below, 14.0.13.11 and below, 13.0.197. ...)
NOT-FOR-US: FreePBX
-CVE-2019-19005
- RESERVED
-CVE-2019-19004
- RESERVED
+CVE-2019-19005 (A bitmap double free in main.c in autotrace 0.31.1 allows attackers to ...)
+ - autotrace <removed>
+ NOTE: https://github.com/autotrace/autotrace/pull/40
+CVE-2019-19004 (A biWidth*biBitCnt integer overflow in input-bmp.c in autotrace 0.31.1 ...)
+ - autotrace <removed>
+ NOTE: https://github.com/autotrace/autotrace/pull/40
CVE-2019-19003 (For ABB eSOMS versions 4.0 to 6.0.2, the HTTPOnly flag is not set. Thi ...)
NOT-FOR-US: ABB eSOMS
CVE-2019-19002 (For ABB eSOMS versions 4.0 to 6.0.2, the X-XSS-Protection HTTP respons ...)
@@ -5110,12 +5546,12 @@ CVE-2019-18993 (OpenWrt 18.06.4 allows XSS via the "New port forward" Name field
NOT-FOR-US: OpenWrt
CVE-2019-18992 (OpenWrt 18.06.4 allows XSS via these Name fields to the cgi-bin/luci/a ...)
NOT-FOR-US: OpenWrt
-CVE-2019-18991
- RESERVED
-CVE-2019-18990
- RESERVED
-CVE-2019-18989
- RESERVED
+CVE-2019-18991 (A partial authentication bypass vulnerability exists on Atheros AR9132 ...)
+ NOT-FOR-US: Atheros devices
+CVE-2019-18990 (A partial authentication bypass vulnerability exists on Realtek RTL881 ...)
+ NOT-FOR-US: Realtek devices
+CVE-2019-18989 (A partial authentication bypass vulnerability exists on Mediatek MT762 ...)
+ NOT-FOR-US: Mediatek devices
CVE-2019-18988 (TeamViewer Desktop through 14.7.1965 allows a bypass of remote-login a ...)
NOT-FOR-US: TeamViewer
CVE-2019-18987 (An issue was discovered in the AbuseFilter extension through 1.34 for ...)
@@ -5137,7 +5573,7 @@ CVE-2019-18980 (On Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb 9
CVE-2019-18979 (Adaware antivirus 12.6.1005.11662 and 12.7.1055.0 has a quarantine fla ...)
NOT-FOR-US: Adaware
CVE-2019-18978 (An issue was discovered in the rack-cors (aka Rack CORS Middleware) ge ...)
- {DLA-2096-1}
+ {DSA-4918-1 DLA-2389-1 DLA-2096-1}
- ruby-rack-cors 1.1.1-1 (bug #944849)
NOTE: https://github.com/cyu/rack-cors/commit/e4d4fc362a4315808927011cbe5afcfe5486f17d
NOTE: https://github.com/cyu/rack-cors/compare/v1.0.3...v1.0.4
@@ -5206,18 +5642,18 @@ CVE-2019-18949 (SnowHaze before 2.6.6 is sometimes too late to honor a per-site
NOT-FOR-US: SnowHaze
CVE-2019-18948 (An issue was found in Arista EOS. Specific malformed ARP packets can i ...)
NOT-FOR-US: Arista
-CVE-2019-18947
- RESERVED
-CVE-2019-18946
- RESERVED
-CVE-2019-18945
- RESERVED
-CVE-2019-18944
- RESERVED
-CVE-2019-18943
- RESERVED
-CVE-2019-18942
- RESERVED
+CVE-2019-18947 (Micro Focus Solutions Business Manager Application Repository versions ...)
+ NOT-FOR-US: Micro Focus
+CVE-2019-18946 (Micro Focus Solutions Business Manager Application Repository versions ...)
+ NOT-FOR-US: Micro Focus
+CVE-2019-18945 (Micro Focus Solutions Business Manager Application Repository versions ...)
+ NOT-FOR-US: Micro Focus
+CVE-2019-18944 (Micro Focus Solutions Business Manager Application Repository versions ...)
+ NOT-FOR-US: Micro Focus
+CVE-2019-18943 (Micro Focus Solutions Business Manager versions prior to 11.7.1 are vu ...)
+ NOT-FOR-US: Micro Focus
+CVE-2019-18942 (Micro Focus Solutions Business Manager versions prior to 11.7.1 are vu ...)
+ NOT-FOR-US: Micro Focus
CVE-2019-18941
RESERVED
CVE-2019-18940
@@ -5237,11 +5673,13 @@ CVE-2019-18936 (UniValue::read() in UniValue before 1.0.5 allow attackers to cau
CVE-2019-18935 (Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .N ...)
NOT-FOR-US: Progress Telerik UI for ASP.NET AJAX
CVE-2019-18934 (Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec modul ...)
- - unbound <unfixed> (unimportant)
+ - unbound 1.9.6-1 (unimportant)
[stretch] - unbound <not-affected> (ipsecmod module introduced later)
[jessie] - unbound <not-affected> (ipsecmod module introduced later)
NOTE: Debian binary packages not built with --enable-ipsecmod
NOTE: https://nlnetlabs.nl/downloads/unbound/CVE-2019-18934.txt
+ NOTE: https://github.com/NLnetLabs/unbound/commit/09845779d5f2c96e3064ff398cad65c08357cfbf
+ NOTE: https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/
CVE-2019-18933 (In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new ...)
- zulip-server <itp> (bug #800052)
CVE-2019-18932 (log.c in Squid Analysis Report Generator (sarg) through 2.3.11 allows ...)
@@ -5285,16 +5723,16 @@ CVE-2019-18918
RESERVED
CVE-2019-18917 (A potential security vulnerability has been identified for certain HP ...)
NOT-FOR-US: HP
-CVE-2019-18916
- RESERVED
+CVE-2019-18916 (A potential security vulnerability has been identified for HP LaserJet ...)
+ NOT-FOR-US: HP
CVE-2019-18915 (A potential security vulnerability has been identified with certain ve ...)
NOT-FOR-US: HP System Event Utility
-CVE-2019-18914
- RESERVED
+CVE-2019-18914 (A potential security vulnerability has been identified for certain HP ...)
+ NOT-FOR-US: HP
CVE-2019-18913 (A potential security vulnerability with pre-boot DMA may allow unautho ...)
NOT-FOR-US: Generic UEFI hardware/software issue
-CVE-2019-18912
- RESERVED
+CVE-2019-18912 (A potential security vulnerability has been identified for certain HP ...)
+ NOT-FOR-US: HP
CVE-2019-18911
RESERVED
CVE-2019-18910 (The Citrix Receiver wrapper function does not safely handle user suppl ...)
@@ -5305,8 +5743,8 @@ CVE-2019-18908
RESERVED
CVE-2019-18907
RESERVED
-CVE-2019-18906
- RESERVED
+CVE-2019-18906 (A Use of Password Hash Instead of Password for Authentication vulnerab ...)
+ NOT-FOR-US: SAP
CVE-2019-18905 (A Insufficient Verification of Data Authenticity vulnerability in auto ...)
NOT-FOR-US: autoyast2
CVE-2019-18904 (A Uncontrolled Resource Consumption vulnerability in rmt of SUSE Linux ...)
@@ -5319,7 +5757,8 @@ CVE-2019-18901 (A UNIX Symbolic Link (Symlink) Following vulnerability in the my
NOT-FOR-US: SuSE-specific mysqld-systemd-helper
CVE-2019-18900 (: Incorrect Default Permissions vulnerability in libzypp of SUSE CaaS ...)
{DLA-2132-1}
- - libzypp <unfixed> (bug #953362)
+ [experimental] - libzypp 17.25.5-1
+ - libzypp 17.25.5-2 (bug #953362)
[buster] - libzypp <no-dsa> (Minor issue)
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1158763
NOTE: https://github.com/openSUSE/libzypp/pull/196
@@ -5469,13 +5908,14 @@ CVE-2019-18851
CVE-2019-18850 (TrevorC2 v1.1/v1.2 fails to prevent fingerprinting primarily via a dis ...)
NOT-FOR-US: TrevorC2
CVE-2019-18849 (In tnef before 1.4.18, an attacker may be able to write to the victim' ...)
- {DLA-2005-1}
+ {DLA-2748-1 DLA-2005-1}
- tnef 1.4.18-1 (bug #944851)
- [buster] - tnef <no-dsa> (Minor issue; can be fixed via point release)
- [stretch] - tnef <no-dsa> (Minor issue; can be fixed via point release)
+ [buster] - tnef 1.4.12-1.2+deb10u1
NOTE: https://github.com/verdammelt/tnef/pull/40
CVE-2019-18848 (The json-jwt gem before 1.11.0 for Ruby lacks an element count during ...)
+ {DLA-2390-1}
- ruby-json-jwt 1.11.0-1 (bug #944850)
+ [buster] - ruby-json-jwt <no-dsa> (Minor issue)
NOTE: https://github.com/nov/json-jwt/commit/ada16e772906efdd035e3df49cb2ae372f0f948a
CVE-2019-18847 (Enterprise Access Client Auto-Updater allows for Remote Code Execution ...)
NOT-FOR-US: Akamai / Enterprise Access Client Auto-Updater
@@ -5531,9 +5971,8 @@ CVE-2019-18825 (Barco ClickShare Huddle CS-100 devices before 1.9.0 and CSE-200
CVE-2019-18824 (Barco ClickShare Button R9861500D01 devices before 1.10.0.13 have Miss ...)
NOT-FOR-US: Barco ClickShare Button R9861500D01 devices
CVE-2019-18823 (HTCondor up to and including stable series 8.8.6 and development serie ...)
+ {DLA-2724-1}
- condor <unfixed> (bug #963777)
- NOTE: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0001.html
- NOTE: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0002.html
NOTE: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0003.html
NOTE: https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html
NOTE: https://github.com/htcondor/htcondor/commit/95eaee86e7ad3852c17df46a1b8b193dabd1fd14
@@ -5597,6 +6036,7 @@ CVE-2019-18809 (A memory leak in the af9005_identify_state() function in drivers
[jessie] - linux <not-affected> (Bug introduced later)
CVE-2019-18808 (A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ ...)
- linux 5.5.13-1 (unimportant)
+ [buster] - linux 4.19.146-1
NOTE: Not a valid issue
CVE-2019-18807 (Two memory leaks in the sja1105_static_config_upload() function in dri ...)
- linux 5.3.7-1
@@ -5617,10 +6057,8 @@ CVE-2019-18805 (An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Lin
[jessie] - linux <not-affected> (Vulnerable code introduced later)
NOTE: https://git.kernel.org/linus/19fad20d15a6494f47f85d869f00b11343ee5c78
CVE-2019-18804 (DjVuLibre 3.5.27 has a NULL pointer dereference in the function DJVU:: ...)
- {DLA-1985-1}
+ {DSA-5032-1 DLA-2667-1 DLA-1985-1}
- djvulibre 3.5.27.1-14 (bug #945114)
- [buster] - djvulibre <no-dsa> (Minor issue)
- [stretch] - djvulibre <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/djvu/bugs/309/
NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/c8bec6549c10ffaa2f2fbad8bbc629efdf0dd125/
CVE-2019-18803
@@ -5632,26 +6070,29 @@ CVE-2019-18801 (An issue was discovered in Envoy 1.12.0. An untrusted remote cli
CVE-2019-18800 (Viber through 11.7.0.5 allows a remote attacker who can capture a vict ...)
NOT-FOR-US: Viber
CVE-2019-18799 (LibSass before 3.6.3 allows a NULL pointer dereference in Sass::Parser ...)
- - libsass <unfixed> (low)
+ - libsass 3.6.3-1 (low)
[buster] - libsass <no-dsa> (Minor issue)
[stretch] - libsass <no-dsa> (Minor issue)
NOTE: https://github.com/sass/libsass/issues/3001
+ NOTE: https://github.com/mgreter/libsass/commit/994695c669085058c4a500f295a0531893eff77a
CVE-2019-18798 (LibSass before 3.6.3 allows a heap-based buffer over-read in Sass::wea ...)
- - libsass <unfixed> (low)
+ - libsass 3.6.3-1 (low)
[buster] - libsass <no-dsa> (Minor issue)
[stretch] - libsass <no-dsa> (Minor issue)
NOTE: https://github.com/sass/libsass/issues/2999
+ NOTE: https://github.com/mgreter/libsass/commit/0b721e0f37fc69ab197ec956a923e036e3b05ca6
CVE-2019-18797 (LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator()(Sas ...)
- - libsass <unfixed> (low)
+ - libsass <unfixed> (unimportant)
[buster] - libsass <no-dsa> (Minor issue)
[stretch] - libsass <no-dsa> (Minor issue)
NOTE: https://github.com/sass/libsass/issues/3000
-CVE-2019-18796
- RESERVED
-CVE-2019-18795
- RESERVED
-CVE-2019-18794
- RESERVED
+ NOTE: Not considered a security issue be upstream
+CVE-2019-18796 (The BASS Audio Library 2.4.14 under Windows is prone to a BASS_StreamC ...)
+ NOT-FOR-US: BASS Audio Library
+CVE-2019-18795 (The BASS Audio Library 2.4.14 under Windows is prone to a BASS_StreamC ...)
+ NOT-FOR-US: BASS Audio Library
+CVE-2019-18794 (The BASS Audio Library 2.4.14 under Windows is prone to a BASS_StreamC ...)
+ NOT-FOR-US: BASS Audio Library
CVE-2019-18793 (Parallels Plesk Panel 9.5 allows XSS in target/locales/tr-TR/help/inde ...)
NOT-FOR-US: Parallels Plesk Panel
CVE-2019-18792 (An issue was discovered in Suricata 5.0.0. It is possible to bypass/ev ...)
@@ -5669,7 +6110,7 @@ CVE-2019-18791 (Lexmark printer MS812 and multiple older generation Lexmark devi
CVE-2019-18790 (An issue was discovered in channels/chan_sip.c in Sangoma Asterisk 13. ...)
{DLA-2017-1}
- asterisk 1:16.10.0~dfsg-1 (bug #947381)
- [buster] - asterisk <no-dsa> (Minor issue)
+ [buster] - asterisk 1:16.2.1~dfsg-1+deb10u2
[stretch] - asterisk <no-dsa> (Minor issue)
NOTE: https://downloads.asterisk.org/pub/security/AST-2019-006.html
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-28589
@@ -6001,10 +6442,10 @@ CVE-2019-18645 (The quarantine restoration function in Total Defense Anti-virus
NOT-FOR-US: Total Defense Anti-virus
CVE-2019-18644 (The malware scan function in Total Defense Anti-virus 11.5.2.28 is vul ...)
NOT-FOR-US: Total Defense Anti-virus
-CVE-2019-18643
- RESERVED
-CVE-2019-18642
- RESERVED
+CVE-2019-18643 (Rock RMS versions before 8.10 and versions 9.0 through 9.3 fails to pr ...)
+ NOT-FOR-US: Rock RMS
+CVE-2019-18642 (Rock RMS version before 8.6 is vulnerable to account takeover by tampe ...)
+ NOT-FOR-US: Rock RMS
CVE-2019-18641 (Rock RMS before 1.8.6 mishandles vCard access control within the Peopl ...)
NOT-FOR-US: Rock RMS
CVE-2019-18640
@@ -6040,12 +6481,12 @@ CVE-2019-18632 (European Commission eIDAS-Node Integration Package before 2.3.1
NOT-FOR-US: European Commission eIDAS-Node Integration Package
CVE-2019-18631 (The Windows component of Centrify Authentication and Privilege Elevati ...)
NOT-FOR-US: Centrify Authentication and Privilege Elevation Services
-CVE-2019-18630
- RESERVED
-CVE-2019-18629
- RESERVED
-CVE-2019-18628
- RESERVED
+CVE-2019-18630 (On Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/ ...)
+ NOT-FOR-US: Xerox
+CVE-2019-18629 (Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C80 ...)
+ NOT-FOR-US: Xerox
+CVE-2019-18628 (Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C80 ...)
+ NOT-FOR-US: Xerox
CVE-2019-18627
RESERVED
CVE-2019-18626 (Harris Ormed Self Service before 2019.1.4 allows an authenticated user ...)
@@ -6096,7 +6537,7 @@ CVE-2019-18611 (An issue was discovered in the CheckUser extension through 1.34
CVE-2019-18610 (An issue was discovered in manager.c in Sangoma Asterisk through 13.x, ...)
{DLA-2017-1}
- asterisk 1:16.10.0~dfsg-1 (bug #947377)
- [buster] - asterisk <no-dsa> (Minor issue)
+ [buster] - asterisk 1:16.2.1~dfsg-1+deb10u2
[stretch] - asterisk <no-dsa> (Minor issue)
NOTE: https://downloads.asterisk.org/pub/security/AST-2019-007.html
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-28580
@@ -6693,11 +7134,12 @@ CVE-2019-18362 (JetBrains MPS before 2019.2.2 exposed listening ports to the net
NOT-FOR-US: JetBrains
CVE-2019-18361 (JetBrains IntelliJ IDEA before 2019.2 allows local user privilege esca ...)
- intellij-idea <itp> (bug #747616)
- - intellij-community-idea <undetermined>
CVE-2019-18360 (In JetBrains Hub versions earlier than 2019.1.11738, username enumerat ...)
NOT-FOR-US: JetBrains
CVE-2019-18359 (A buffer over-read was discovered in ReadMP3APETag in apetag.c in MP3G ...)
- - mp3gain <removed>
+ - mp3gain 1.6.2-2 (bug #973932)
+ NOTE: SuSE fix: https://build.opensuse.org/package/view_file/openSUSE:Maintenance:12304/mp3gain.openSUSE_Leap_15.1_Update/0001-fix-security-bugs.patch?rev=0db47562b2545871d0be3fc88083e0cd
+ NOTE: Caught by ASAN according to CVE. mp3gain is compiled with ASAN on: amd64 i386 armel armhf powerpc
CVE-2019-18358
RESERVED
CVE-2019-18357 (An XSS issue was discovered in Thycotic Secret Server before 10.7 (iss ...)
@@ -6713,7 +7155,7 @@ CVE-2019-18353
CVE-2019-18352 (Improper access control exists on PHOENIX CONTACT FL NAT 2208 devices ...)
NOT-FOR-US: PHOENIX CONTACT FL NAT 2208 devices
CVE-2019-18351
- RESERVED
+ REJECTED
CVE-2019-18350 (In Ant Design Pro 4.0.0, reflected XSS in the user/login redirect GET ...)
NOT-FOR-US: Ant Design Pro
CVE-2019-18349 (HotkeyP through 4.9 r96 allows privilege escalation in the privilege f ...)
@@ -6756,17 +7198,17 @@ CVE-2019-18344 (Sourcecodester Online Grading System 1.0 is vulnerable to unauth
NOT-FOR-US: Sourcecodester Online Grading System
CVE-2019-18343
RESERVED
-CVE-2019-18342 (A vulnerability has been identified in SiNVR 3 Central Control Server ...)
+CVE-2019-18342 (A vulnerability has been identified in Control Center Server (CCS) (Al ...)
NOT-FOR-US: Siemens
-CVE-2019-18341 (A vulnerability has been identified in SiNVR 3 Central Control Server ...)
+CVE-2019-18341 (A vulnerability has been identified in Control Center Server (CCS) (Al ...)
NOT-FOR-US: Siemens
-CVE-2019-18340 (A vulnerability has been identified in SiNVR 3 Central Control Server ...)
+CVE-2019-18340 (A vulnerability has been identified in Control Center Server (CCS) (Al ...)
NOT-FOR-US: Siemens
-CVE-2019-18339 (A vulnerability has been identified in SiNVR 3 Central Control Server ...)
+CVE-2019-18339 (A vulnerability has been identified in SiNVR/SiVMS Video Server (All v ...)
NOT-FOR-US: Siemens
-CVE-2019-18338 (A vulnerability has been identified in SiNVR 3 Central Control Server ...)
+CVE-2019-18338 (A vulnerability has been identified in Control Center Server (CCS) (Al ...)
NOT-FOR-US: Siemens
-CVE-2019-18337 (A vulnerability has been identified in SiNVR 3 Central Control Server ...)
+CVE-2019-18337 (A vulnerability has been identified in Control Center Server (CCS) (Al ...)
NOT-FOR-US: Siemens
CVE-2019-18336 (A vulnerability has been identified in SIMATIC S7-300 CPU family (incl ...)
NOT-FOR-US: Siemens
@@ -6900,13 +7342,13 @@ CVE-2019-18278 (When executing VideoLAN VLC media player 3.0.8 with libqt on Win
NOT-FOR-US: VLC on Windows
CVE-2019-18277 (A flaw was found in HAProxy before 2.0.6. In legacy mode, messages fea ...)
- haproxy 2.0.6-1
- [buster] - haproxy <no-dsa> (Minor issue)
+ [buster] - haproxy 1.8.19-1+deb10u3
[stretch] - haproxy <no-dsa> (Minor issue)
[jessie] - haproxy <no-dsa> (Minor issue)
NOTE: https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=196a7df44d8129d1adc795da020b722614d6a581
NOTE: https://nathandavison.com/blog/haproxy-http-request-smuggling
CVE-2019-18276 (An issue was discovered in disable_priv_mode in shell.c in GNU Bash th ...)
- - bash <unfixed> (unimportant)
+ - bash 5.1~rc1-2 (unimportant)
NOTE: https://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=951bdaad7a18cc0dc1036bba86b18b90874d39ff
NOTE: https://savannah.gnu.org/patch/?9822
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1158028
@@ -6951,8 +7393,8 @@ CVE-2019-18257 (In Advantech DiagAnywhere Server, Versions 3.07.11 and prior, mu
NOT-FOR-US: Advantech
CVE-2019-18256 (BIOTRONIK CardioMessenger II, The affected products use individual per ...)
NOT-FOR-US: BIOTRONIK CardioMessenge
-CVE-2019-18255
- RESERVED
+CVE-2019-18255 (HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated u ...)
+ NOT-FOR-US: HMI/SCADA iFIX
CVE-2019-18254 (BIOTRONIK CardioMessenger II, The affected products do not encrypt sen ...)
NOT-FOR-US: BIOTRONIK CardioMessenge
CVE-2019-18253 (An attacker could use specially crafted paths in a specific request to ...)
@@ -6975,8 +7417,8 @@ CVE-2019-18245 (Reliable Controls LicenseManager versions 3.4 and prior may allo
NOT-FOR-US: Reliable Controls LicenseManager
CVE-2019-18244 (In OSIsoft PI System multiple products and versions, a local attacker ...)
NOT-FOR-US: OSIsoft
-CVE-2019-18243
- RESERVED
+CVE-2019-18243 (HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated u ...)
+ NOT-FOR-US: HMI/SCADA iFIX
CVE-2019-18242 (In Moxa ioLogik 2500 series firmware, Version 3.0 or lower, and IOxpre ...)
NOT-FOR-US: Moxa
CVE-2019-18241 (In Philips IntelliBridge EC40 and EC80, IntelliBridge EC40 Hub all ver ...)
@@ -6991,16 +7433,16 @@ CVE-2019-18237
RESERVED
CVE-2019-18236 (Multiple buffer overflow vulnerabilities exist when the PLC Editor Ver ...)
NOT-FOR-US: PLC Editor
-CVE-2019-18235
- RESERVED
+CVE-2019-18235 (Advantech Spectre RT ERT351 Versions 5.1.3 and prior has insufficient ...)
+ NOT-FOR-US: Advantech Spectre RT ERT351
CVE-2019-18234 (Equinox Control Expert all versions, is vulnerable to an SQL injection ...)
NOT-FOR-US: Equinox Control Expert
-CVE-2019-18233
- RESERVED
+CVE-2019-18233 (In Advantech Spectre RT Industrial Routers ERT351 5.1.3 and prior, the ...)
+ NOT-FOR-US: Advantech Spectre RT Industrial Routers ERT351
CVE-2019-18232 (SafeNet Sentinel LDK License Manager, all versions prior to 7.101(only ...)
NOT-FOR-US: SafeNet Sentinel LDK License Manager
-CVE-2019-18231
- RESERVED
+CVE-2019-18231 (Advantech Spectre RT ERT351 Versions 5.1.3 and prior logins and passwo ...)
+ NOT-FOR-US: Advantech Spectre RT ERT351
CVE-2019-18230 (Honeywell equIP and Performance series IP cameras, multiple versions, ...)
NOT-FOR-US: Honeywell
CVE-2019-18229 (Advantech WISE-PaaS/RMM, Versions 3.3.29 and prior. Lack of sanitizati ...)
@@ -7034,10 +7476,12 @@ CVE-2019-18220 (Sitemagic CMS 4.4.1 is affected by a Cross-Site-Request-Forgery
CVE-2019-18219 (Sitemagic CMS 4.4.1 is affected by a Cross-Site-Scripting (XSS) vulner ...)
NOT-FOR-US: Sitemagic CMS
CVE-2019-18218 (cdf_read_property_info in cdf.c in file through 5.37 does not restrict ...)
- {DSA-4550-1 DLA-1969-1}
+ {DSA-4550-1 DLA-2708-1 DLA-1969-1}
- file 1:5.37-6 (bug #942830)
+ - php7.0 <removed>
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16780
NOTE: https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84
+ NOTE: https://github.com/php/php-src/commit/469820048df558040f6dec7c39471ad11e2a7cfb (php-7.2.25RC1)
CVE-2019-18217 (ProFTPD before 1.3.6b and 1.3.7rc before 1.3.7rc2 allows remote unauth ...)
{DSA-4559-1 DLA-1974-1}
- proftpd-dfsg 1.3.6a-2 (bug #942831)
@@ -7101,8 +7545,9 @@ CVE-2019-18194 (TotalAV 2020 4.14.31 has a quarantine flaw that allows privilege
CVE-2019-18193 (In Unisys Stealth (core) 3.4.108.0, 3.4.209.x, 4.0.027.x and 4.0.114, ...)
NOT-FOR-US: Unisys Stealth
CVE-2019-18192 (GNU Guix 1.0.1 allows local users to gain access to an arbitrary user' ...)
- - guix <itp> (bug #850644)
+ - guix <not-affected> (Fixed before initial upload to Debian)
NOTE: https://issues.guix.gnu.org/issue/37744
+ NOTE: https://git.savannah.gnu.org/cgit/guix.git/commit/?id=81c580c8664bfeeb767e2c47ea343004e88223c7 (v1.1.0rc1)
CVE-2019-18191 (A privilege escalation vulnerability in the Trend Micro Deep Security ...)
NOT-FOR-US: Trend Micro
CVE-2019-18190 (Trend Micro Security (Consumer) 2020 (v16.x) is affected by a vulnerab ...)
@@ -7127,15 +7572,15 @@ CVE-2019-18181 (In CloudVision Portal all releases in the 2018.1 and 2018.2 Code
NOT-FOR-US: CloudVision Portal
CVE-2019-18180 (Improper Check for filenames with overly long extensions in PostMaster ...)
- otrs2 6.0.24-1 (bug #945251)
- [buster] - otrs2 <no-dsa> (Non-free not supported)
- [stretch] - otrs2 <no-dsa> (Non-free not supported)
+ [buster] - otrs2 <ignored> (Non-free not supported)
+ [stretch] - otrs2 <ignored> (Non-free not supported)
[jessie] - otrs2 <not-affected> (vulnerable code not present)
NOTE: https://community.otrs.com/security-advisory-2019-15-security-update-for-otrs-framework/
CVE-2019-18179 (An issue was discovered in Open Ticket Request System (OTRS) 7.0.x thr ...)
{DLA-2053-1}
- otrs2 6.0.24-1 (bug #945251)
- [buster] - otrs2 <no-dsa> (Non-free not supported)
- [stretch] - otrs2 <no-dsa> (Non-free not supported)
+ [buster] - otrs2 <ignored> (Non-free not supported)
+ [stretch] - otrs2 <ignored> (Non-free not supported)
NOTE: https://community.otrs.com/security-advisory-2019-14-security-update-for-otrs-framework/
CVE-2019-18178 (Real Time Engineers FreeRTOS+FAT 160919a has a use after free. The fun ...)
NOT-FOR-US: FreeRTOS+FAT
@@ -8171,8 +8616,8 @@ CVE-2019-17658 (An unquoted service path vulnerability in the FortiClient FortiT
NOT-FOR-US: Fortiguard
CVE-2019-17657 (An Uncontrolled Resource Consumption vulnerability in Fortinet FortiSw ...)
NOT-FOR-US: Fortiguard
-CVE-2019-17656
- RESERVED
+CVE-2019-17656 (A Stack-based Buffer Overflow vulnerability in the HTTPD daemon of For ...)
+ NOT-FOR-US: Fortiguard
CVE-2019-17655 (A cleartext storage in a file or on disk (CWE-313) vulnerability in Fo ...)
NOT-FOR-US: Fortiguard
CVE-2019-17654 (An Insufficient Verification of Data Authenticity vulnerability in For ...)
@@ -8203,8 +8648,8 @@ CVE-2019-17642 (An issue was discovered in Centreon before 18.10.8, 19.10.1, and
- centreon-web <itp> (bug #913903)
CVE-2019-17641
RESERVED
-CVE-2019-17640
- RESERVED
+CVE-2019-17640 (In Eclipse Vert.x 3.4.x up to 3.9.4, 4.0.0.milestone1, 4.0.0.milestone ...)
+ NOT-FOR-US: Eclipse Vert.x
CVE-2019-17639 (In Eclipse OpenJ9 prior to version 0.21 on Power platforms, calling th ...)
NOT-FOR-US: IBM JDK specific issue on on AIX and Linux on the Power platform
CVE-2019-17638 (In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in ca ...)
@@ -8214,6 +8659,7 @@ CVE-2019-17638 (In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521,
NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=564984
NOTE: https://github.com/eclipse/jetty.project/issues/4936
CVE-2019-17637 (In all versions of Eclipse Web Tools Platform through release 3.18 (20 ...)
+ {DLA-2404-1}
- eclipse-wtp 3.18-1
NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=458571
NOTE: http://git.eclipse.org/c/sourceediting/webtools.sourceediting.git/commit/?id=9644d4217cd6e3be367d654a8320104d88ddfd6b
@@ -8229,13 +8675,15 @@ CVE-2019-17633 (For Eclipse Che versions 6.16 to 7.3.0, with both authentication
NOT-FOR-US: Eclipse Che
CVE-2019-17632 (In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4. ...)
- jetty9 9.4.26-1
- [buster] - jetty9 <no-dsa> (Minor issue)
- [stretch] - jetty9 <no-dsa> (Minor issue)
+ [buster] - jetty9 <not-affected> (vulnerable code introduced later)
+ [stretch] - jetty9 <not-affected> (vulnerable code introduced later)
- jetty8 <removed>
[jessie] - jetty8 <not-affected> (vulnerable code introduced later)
- jetty <removed>
[jessie] - jetty <not-affected> (vulnerable code introduced later)
NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=553443
+ NOTE: https://github.com/eclipse/jetty.project/issues/4334
+ NOTE: Introduced by https://github.com/eclipse/jetty.project/commit/bde86467f4e5df595773ab11ed5e80c615b741f3 (jetty-9.4.21.v20190926)
CVE-2019-17631 (From Eclipse OpenJ9 0.15 to 0.16, access to diagnostic operations such ...)
NOT-FOR-US: Eclipse OpenJ9
CVE-2019-17630 (CMS Made Simple (CMSMS) 2.2.11 allows stored XSS by an admin via a cra ...)
@@ -8370,14 +8818,12 @@ CVE-2019-17598 (An issue was discovered in Lightbend Play Framework 2.5.x throug
CVE-2019-17597
RESERVED
CVE-2019-17596 (Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to ...)
- {DSA-4551-1}
+ {DSA-4551-1 DLA-2592-1 DLA-2591-1}
- golang-1.13 1.13.3-1 (bug #942628)
- golang-1.12 1.12.12-1 (bug #942629)
- golang-1.11 <removed>
- golang-1.8 <removed>
- [stretch] - golang-1.8 <ignored> (Minor issue)
- golang-1.7 <removed>
- [stretch] - golang-1.7 <ignored> (Minor issue)
- golang <removed>
[jessie] - golang <ignored> (Minor issue)
NOTE: https://golang.org/issue/34960
@@ -8420,8 +8866,12 @@ CVE-2019-17584 (The Meinberg SyncBox/PTP/PTPv2 devices have default SSH keys whi
NOT-FOR-US: Meinberg SyncBox/PTP/PTPv2 devices
CVE-2019-17583 (idreamsoft iCMS 7.0.15 allows remote attackers to cause a denial of se ...)
NOT-FOR-US: idreamsoft iCMS
-CVE-2019-17582
- RESERVED
+CVE-2019-17582 (A use-after-free in the _zip_dirent_read function of zip_dirent.c in l ...)
+ - libzip <not-affected> (Vulnerable code introduced later; and never in a released version in Debian)
+ NOTE: Introduced after: https://github.com/nih-at/libzip/commit/796c5968ad679220db3fb65ec6f48c66e554e5d5 (rel-1-2-0)
+ NOTE: Fixed by: https://github.com/nih-at/libzip/commit/2217022b7d1142738656d891e00b3d2d9179b796 (rel-1-3-0)
+ NOTE: Same fixing commit as CVE-2017-12858 apparently, but CVE assignment for
+ NOTE: two different use-after-free issues.
CVE-2019-17581 (tonyy dormsystem through 1.3 allows DOM XSS. ...)
NOT-FOR-US: tonyy dormsystem
CVE-2019-17580 (tonyy dormsystem through 1.3 allows SQL Injection in admin.php. ...)
@@ -8468,10 +8918,14 @@ CVE-2019-17569 (The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.4
NOTE: https://github.com/apache/tomcat/commit/b191a0d9cf06f4e04257c221bfe41d2b108a9cc8 (7.0.100)
CVE-2019-17568
REJECTED
-CVE-2019-17567
- RESERVED
-CVE-2019-17566 [SSRF vulnerability]
- RESERVED
+CVE-2019-17567 (Apache HTTP Server versions 2.4.6 to 2.4.46 mod_proxy_wstunnel configu ...)
+ [experimental] - apache2 2.4.48-1
+ - apache2 2.4.48-2
+ [buster] - apache2 <ignored> (Intrusive and risky backport)
+ [stretch] - apache2 <ignored> (Intrusive and risky backport)
+ NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-17567
+ NOTE: https://svn.apache.org/r1885605
+CVE-2019-17566 (Apache Batik is vulnerable to server-side request forgery, caused by i ...)
- batik 1.12-1.1 (bug #964510)
[buster] - batik 1.10-2+deb10u1
[stretch] - batik 1.8-4+deb9u2
@@ -8497,11 +8951,11 @@ CVE-2019-17563 (When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.
CVE-2019-17562 (A buffer overflow vulnerability has been found in the baremetal compon ...)
NOT-FOR-US: Apache CloudStack
CVE-2019-17561 (The "Apache NetBeans" autoupdate system does not fully validate code s ...)
- - netbeans <unfixed> (unimportant)
- NOTE: Debian packages updated via apt
+ - netbeans 12.1-1 (unimportant)
+ NOTE: Debian packages updated via apt, starting with 12.1 only some classes are shipped
CVE-2019-17560 (The "Apache NetBeans" autoupdate system does not validate SSL certific ...)
- - netbeans <unfixed> (unimportant)
- NOTE: Debian packages updated via apt
+ - netbeans 12.1-1 (unimportant)
+ NOTE: Debian packages updated via apt, starting with 12.1 only some classes are shipped
CVE-2019-17559 (There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0. ...)
{DSA-4672-1}
- trafficserver 8.0.6+ds-1
@@ -8544,17 +8998,14 @@ CVE-2019-17546 (tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL throug
NOTE: https://gitlab.com/libtiff/libtiff/commit/4bb584a35f87af42d6cf09d15e9ce8909a839145
NOTE: gdal uses system libtiff libraries since 2.0.1+dfsg-1~exp1 (#684233)
CVE-2019-17545 (GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ...)
- {DLA-1984-1}
+ {DLA-2877-1 DLA-1984-1}
- gdal 2.4.2+dfsg-2 (low)
[buster] - gdal <no-dsa> (Minor issue)
- [stretch] - gdal <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16178
NOTE: https://github.com/OSGeo/gdal/commit/148115fcc40f1651a5d15fa34c9a8c528e7147bb
CVE-2019-17544 (libaspell.a in GNU Aspell before 0.60.8 has a stack-based buffer over- ...)
- {DLA-1966-1}
+ {DSA-4948-1 DLA-2720-1 DLA-1966-1}
- aspell 0.60.8-1 (low)
- [buster] - aspell <no-dsa> (Minor issue)
- [stretch] - aspell <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16109
NOTE: https://github.com/GNUAspell/aspell/commit/80fa26c74279fced8d778351cff19d1d8f44fe4e
CVE-2019-17543 (LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (rela ...)
@@ -8593,9 +9044,8 @@ CVE-2019-17540 (ImageMagick before 7.0.8-54 has a heap-based buffer overflow in
NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/41399a3414069870071e47680b0bbbe0a283db5d
NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/4ba4dc73b7e38bb66c57d457f17ab4aeb9b6bbdc
CVE-2019-17539 (In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c allows a NUL ...)
- {DSA-4722-1}
+ {DSA-4722-1 DLA-2537-1}
- ffmpeg 7:4.2.1-1 (low)
- [stretch] - ffmpeg <postponed> (Minor issue, wait until fixed in 3.2.x branch)
- libav <removed> (low)
[jessie] - libav <not-affected> (Vulnerable code introduced in v12.x)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/8df6884832ec413cf032dfaa45c23b1c7876670c
@@ -8695,12 +9145,11 @@ CVE-2019-17500
CVE-2019-17499 (The setter.xml component of the Common Gateway Interface on Compal CH7 ...)
NOT-FOR-US: Compal CH7465LG devices
CVE-2019-17498 (In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic i ...)
- {DLA-1991-1}
- - libssh2 <unfixed> (low; bug #943562)
+ {DLA-2848-1 DLA-1991-1}
+ - libssh2 1.9.0-1 (low; bug #943562)
[buster] - libssh2 <no-dsa> (Minor issue)
- [stretch] - libssh2 <no-dsa> (Minor issue)
NOTE: https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c
- NOTE: https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/
+ NOTE: https://securitylab.github.com/research/libssh2-integer-overflow-CVE-2019-17498/
NOTE: Backported SUSE patch for versions <= 1.8.0 (including struct string_buf,
NOTE: and the functions _libssh2_check_length(), _libssh2_get_u32() and
NOTE: libssh2_get_string(), forming part of the fix):
@@ -8792,10 +9241,9 @@ CVE-2019-17457
CVE-2019-17456
RESERVED
CVE-2019-17455 (Libntlm through 1.5 relies on a fixed buffer size for tSmbNtlmAuthRequ ...)
- {DLA-2207-1}
+ {DLA-2831-1 DLA-2207-1}
- libntlm 1.6-1 (bug #942145)
[buster] - libntlm 1.5-1+deb10u1
- [stretch] - libntlm <no-dsa> (Minor issue)
NOTE: https://gitlab.com/jas/libntlm/issues/2
NOTE: https://gitlab.com/jas/libntlm/-/commit/b967886873fcf19f816b9c0868465f2d9e5df85e
CVE-2019-17454 (Bento4 1.5.1.0 has a NULL pointer dereference in AP4_Descriptor::GetTa ...)
@@ -8805,12 +9253,12 @@ CVE-2019-17453 (Bento4 1.5.1.0 has a NULL pointer dereference in AP4_DescriptorL
CVE-2019-17452 (Bento4 1.5.1.0 has a NULL pointer dereference in AP4_DescriptorListIns ...)
NOT-FOR-US: Bento4
CVE-2019-17451 (An issue was discovered in the Binary File Descriptor (BFD) library (a ...)
- - binutils <unfixed> (unimportant)
+ - binutils 2.34-1 (unimportant)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25070
NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=336bfbeb1848f4b9558456fdcf283ee8a32d7fd1
NOTE: binutils not covered by security support
CVE-2019-17450 (find_abstract_instance in dwarf2.c in the Binary File Descriptor (BFD) ...)
- - binutils <unfixed> (unimportant)
+ - binutils 2.34-1 (unimportant)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25078
NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=063c511bd79281f33fd33f0964541a73511b9e2b
NOTE: binutils not covered by security support
@@ -8824,8 +9272,8 @@ CVE-2019-17446 (An issue was discovered in Eracent EPA Agent through 10.2.26. Th
NOT-FOR-US: Eracent EPA Agent
CVE-2019-17445 (An issue was discovered in Eracent EDA, EPA, EPM, EUA, FLW, and SUM Ag ...)
NOT-FOR-US: Eracent EDA, EPA, EPM, EUA, FLW, and SUM Agent
-CVE-2019-17444
- RESERVED
+CVE-2019-17444 (Jfrog Artifactory uses default passwords (such as "password") for admi ...)
+ NOT-FOR-US: JFrog Artifactory
CVE-2019-17443
RESERVED
CVE-2019-17442
@@ -8972,9 +9420,9 @@ CVE-2019-17384 (The animate-it plugin before 2.3.4 for WordPress has XSS. ...)
CVE-2019-17383 (The netaddr gem before 2.0.4 for Ruby has misconfigured file permissio ...)
- ruby-netaddr <not-affected> (Upstream packaging issue)
CVE-2019-17382 (An issue was discovered in zabbix.php?action=dashboard.view&amp;dashbo ...)
- - zabbix <unfixed>
+ - zabbix 1:5.0.0+dfsg-1
[buster] - zabbix <no-dsa> (Minor issue)
- [stretch] - zabbix <no-dsa> (Minor issue)
+ [stretch] - zabbix <ignored> (Minor issue, no patch, guest accounts can be disabled)
[jessie] - zabbix <no-dsa> (Minor issue, guest accounts can be disabled)
NOTE: https://support.zabbix.com/browse/ZBX-16789
NOTE: Disputed by upstream, closed as not a security bug.
@@ -9410,6 +9858,7 @@ CVE-2019-17178 (HuffmanTree_makeFromFrequencies in lodepng.c in LodePNG through
- freerdp2 2.0.0~git20190204.1.2693389a+dfsg1-2
[buster] - freerdp2 2.0.0~git20190204.1.2693389a+dfsg1-1+deb10u1
- freerdp <removed>
+ [stretch] - freerdp <postponed> (Minor issue, can be fixed along with next DLA)
NOTE: https://github.com/FreeRDP/FreeRDP/issues/5645
NOTE: https://github.com/akallabeth/FreeRDP/commit/fc80ab45621bd966f70594c0b7393ec005a94007
NOTE: Multiple source packages embed a copy of lodepng (openscad, tbb, mame, passage,
@@ -9590,8 +10039,8 @@ CVE-2019-17100 (An Untrusted Search Path vulnerability in bdserviceshost.exe as
NOT-FOR-US: Bitdefender Total Security
CVE-2019-17099 (An Untrusted Search Path vulnerability in EPSecurityService.exe as use ...)
NOT-FOR-US: Bitdefender Endpoint Security Tools
-CVE-2019-17098
- RESERVED
+CVE-2019-17098 (Use of hard-coded cryptographic key vulnerability in August Connect Wi ...)
+ NOT-FOR-US: August Connect Wi-Fi Bridge App
CVE-2019-17097
RESERVED
CVE-2019-17096 (A OS Command Injection vulnerability in the bootstrap stage of Bitdefe ...)
@@ -9738,16 +10187,14 @@ CVE-2019-17044 (An issue was discovered in BMC Patrol Agent 9.0.10i. Weak execut
CVE-2019-17043 (An issue was discovered in BMC Patrol Agent 9.0.10i. Weak execution pe ...)
NOT-FOR-US: BMC Patrol Agent
CVE-2019-17042 (An issue was discovered in Rsyslog v8.1908.0. contrib/pmcisconames/pmc ...)
- {DLA-1952-1}
+ {DLA-2835-1 DLA-1952-1}
- rsyslog 8.1910.0-1 (bug #942065)
[buster] - rsyslog <no-dsa> (Minor issue, pmcisconames module not loaded by default)
- [stretch] - rsyslog <no-dsa> (Minor issue, pmcisconames module not loaded by default)
NOTE: https://github.com/rsyslog/rsyslog/pull/3883
CVE-2019-17041 (An issue was discovered in Rsyslog v8.1908.0. contrib/pmaixforwardedfr ...)
- {DLA-1952-1}
+ {DLA-2835-1 DLA-1952-1}
- rsyslog 8.1910.0-1 (bug #942067)
[buster] - rsyslog <no-dsa> (Minor issue, pmaixforwardedfrom module not loaded by default)
- [stretch] - rsyslog <no-dsa> (Minor issue, pmaixforwardedfrom module not loaded by default)
NOTE: https://github.com/rsyslog/rsyslog/pull/3884
CVE-2019-17040 (contrib/pmdb2diag/pmdb2diag.c in Rsyslog v8.1908.0 allows out-of-bound ...)
- rsyslog 8.1910.0-1 (unimportant)
@@ -9901,18 +10348,16 @@ CVE-2019-17008 (When using nested workers, a use-after-free could occur during w
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17008
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-37/#CVE-2019-17008
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-38/#CVE-2019-17008
-CVE-2019-17007 [nss: Handling of Netscape Certificate Sequences in CERT_DecodeCertPackage() may crash with a NULL deref leading to DoS]
- RESERVED
- {DSA-4579-1 DLA-2015-1}
+CVE-2019-17007 (In Network Security Services before 3.44, a malformed Netscape Certifi ...)
+ {DSA-4579-1 DLA-2388-1 DLA-2015-1}
- nss 2:3.45-1
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1798
NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1533216
NOTE: https://hg.mozilla.org/projects/nss/rev/1473dd7efe2ce4f8722a33ebb03a3425e09887de
NOTE: Fixed in 3.44 upstream (and there was an upload of 3.44 to unstable
NOTE: but then reverted until the 2:3.45-1 upload).
-CVE-2019-17006 [Check length of inputs for cryptographic primitives]
- RESERVED
- {DSA-4726-1 DLA-2058-1}
+CVE-2019-17006 (In Network Security Services (NSS) before 3.46, several cryptographic ...)
+ {DSA-4726-1 DLA-2388-1 DLA-2058-1}
- nss 2:3.47-1
NOTE: Fixed upstream in NSS 3.46.
NOTE: Upstream bug (currently non-public): https://bugzilla.mozilla.org/show_bug.cgi?id=1539788
@@ -10017,24 +10462,24 @@ CVE-2019-16964 (app/call_centers/cmd.php in the Call Center Queue Module in Fusi
NOT-FOR-US: FusionPBX
CVE-2019-16963
RESERVED
-CVE-2019-16962
- RESERVED
-CVE-2019-16961
- RESERVED
-CVE-2019-16960
- RESERVED
-CVE-2019-16959
- RESERVED
-CVE-2019-16958
- RESERVED
-CVE-2019-16957
- RESERVED
-CVE-2019-16956
- RESERVED
-CVE-2019-16955
- RESERVED
-CVE-2019-16954
- RESERVED
+CVE-2019-16962 (Zoho ManageEngine Desktop Central 10.0.430 allows HTML injection via a ...)
+ NOT-FOR-US: Zoho ManageEngine Desktop Central
+CVE-2019-16961 (SolarWinds Web Help Desk 12.7.0 allows XSS via a Schedule Name. ...)
+ NOT-FOR-US: SolarWinds
+CVE-2019-16960 (SolarWinds Web Help Desk 12.7.0 allows XSS via a CSV template file wit ...)
+ NOT-FOR-US: SolarWinds
+CVE-2019-16959 (SolarWinds Web Help Desk 12.7.0 allows CSV Injection, also known as Fo ...)
+ NOT-FOR-US: SolarWinds
+CVE-2019-16958 (Cross-site Scripting (XSS) vulnerability in SolarWinds Web Help Desk 1 ...)
+ NOT-FOR-US: SolarWinds Web Help Desk
+CVE-2019-16957 (SolarWinds Web Help Desk 12.7.0 allows XSS via the First Name field of ...)
+ NOT-FOR-US: SolarWinds
+CVE-2019-16956 (SolarWinds Web Help Desk 12.7.0 allows XSS via the Request Type parame ...)
+ NOT-FOR-US: SolarWinds
+CVE-2019-16955 (SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG documen ...)
+ NOT-FOR-US: SolarWinds
+CVE-2019-16954 (SolarWinds Web Help Desk 12.7.0 allows HTML injection via a Comment in ...)
+ NOT-FOR-US: SolarWinds
CVE-2019-16953
RESERVED
CVE-2019-16952
@@ -10076,7 +10521,7 @@ CVE-2019-16937
CVE-2019-16936
RESERVED
CVE-2019-16935 (The documentation XML-RPC server in Python through 2.7.16, 3.x through ...)
- {DLA-2280-1}
+ {DLA-2628-1 DLA-2280-1}
- python3.8 3.8.0~rc1-1
- python3.7 3.7.5~rc1-1
[buster] - python3.7 3.7.3-2+deb10u1
@@ -10085,14 +10530,14 @@ CVE-2019-16935 (The documentation XML-RPC server in Python through 2.7.16, 3.x t
[jessie] - python3.4 <ignored> (Minor Issue, XSS in an unlikely use-case)
- python2.7 2.7.17~rc1-1
[buster] - python2.7 2.7.16-2+deb10u1
- [stretch] - python2.7 <no-dsa> (Minor issue)
[jessie] - python2.7 <ignored> (Minor Issue, XSS in an unlikely use-case)
- jython <unfixed>
+ [bullseye] - jython <ignored> (Minor Issue)
[buster] - jython <ignored> (Minor Issue)
[stretch] - jython <ignored> (Minor Issue)
[jessie] - jython <ignored> (Minor Issue, XSS in an unlikely use-case)
- - pypy <unfixed> (low)
- [buster] - pypy <no-dsa> (Minor issue)
+ - pypy 7.3.2+dfsg-1 (low)
+ [buster] - pypy <ignored> (Minor issue)
[stretch] - pypy <no-dsa> (Minor issue)
[jessie] - pypy <postponed> (Minor Issue, XSS in an unlikely use-case)
NOTE: https://bugs.python.org/issue38243
@@ -10231,6 +10676,7 @@ CVE-2019-16884 (runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and
[buster] - runc <no-dsa> (Minor issue)
[stretch] - runc <no-dsa> (Minor issue)
- golang-github-opencontainers-selinux 1.3.0-2 (bug #942027)
+ [buster] - golang-github-opencontainers-selinux <no-dsa> (Minor issue)
NOTE: https://github.com/opencontainers/runc/issues/2128
CVE-2019-16883
RESERVED
@@ -10277,6 +10723,8 @@ CVE-2019-16866 (Unbound before 1.9.4 accesses uninitialized memory, which allows
[jessie] - unbound <not-affected> (Vulnerable code introduced in 1.7.1)
NOTE: https://nlnetlabs.nl/downloads/unbound/CVE-2019-16866.txt
NOTE: Patch: https://nlnetlabs.nl/downloads/unbound/patch_cve_2019-16866.diff
+ NOTE: https://github.com/NLnetLabs/unbound/commit/b60c4a472c856f0a98120b7259e991b3a6507eb5
+ NOTE: https://ostif.org/our-audit-of-unbound-dns-by-x41-d-sec-full-results/
CVE-2019-16865 (An issue was discovered in Pillow before 6.2.0. When reading specially ...)
- pillow 6.2.0-1 (low)
[buster] - pillow 5.4.1-2+deb10u1
@@ -10287,8 +10735,8 @@ CVE-2019-16865 (An issue was discovered in Pillow before 6.2.0. When reading spe
NOTE: https://github.com/python-pillow/Pillow/commit/f228d0ccbf6bf9392d7fcd51356ef2cfda80c75a
NOTE: https://github.com/python-pillow/Pillow/commit/b9693a51c99c260bd66d1affeeab4a226cf7e5a5
NOTE: https://github.com/python-pillow/Pillow/commit/cc16025e234b7a7a4dd3a86d2fdc0980698db9cc
-CVE-2019-16864
- RESERVED
+CVE-2019-16864 (CompleteFTPService.exe in the server in EnterpriseDT CompleteFTP befor ...)
+ NOT-FOR-US: EnterpriseDT CompleteFTP
CVE-2019-16863 (STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow a ...)
NOT-FOR-US: STMicroelectronics
CVE-2019-16862 (Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 5.x befor ...)
@@ -10525,6 +10973,8 @@ CVE-2019-16770 (In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved clien
[stretch] - puma <no-dsa> (Minor issue)
NOTE: https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
NOTE: https://github.com/puma/puma/commit/06053e60908074bb38293d4449ea261cb009b53e
+ NOTE: This is an incomplete fix. When fixing this issue make sure to also apply
+ NOTE: the fix for CVE-2021-29509 to not open that CVE.
CVE-2019-16769 (The serialize-javascript npm package before version 2.1.1 is vulnerabl ...)
NOT-FOR-US: serialize-javascript Node package
CVE-2019-16768 (In affected versions of Sylius, exception messages from internal excep ...)
@@ -10571,8 +11021,9 @@ CVE-2019-16749
CVE-2019-16748 (In wolfSSL through 4.1.0, there is a missing sanity check of memory ac ...)
- wolfssl 4.2.0+dfsg-1
NOTE: https://github.com/wolfSSL/wolfssl/issues/2459
-CVE-2019-16747
- RESERVED
+CVE-2019-16747 (In MatrixSSL before 4.2.2 Open, the DTLS server can encounter an inval ...)
+ - matrixssl <removed>
+ NOTE: https://github.com/matrixssl/matrixssl/issues/33
CVE-2019-16745 (eBrigade before 5.0 has evenement_choice.php chxCal SQL Injection. ...)
NOT-FOR-US: eBrigade
CVE-2019-16744 (eBrigade before 5.0 has evenements.php cid SQL Injection. ...)
@@ -10608,8 +11059,8 @@ CVE-2019-16731 (The udpServerSys service in Petwant PF-103 firmware 4.22.2.42 an
CVE-2019-16730 (processCommandUpgrade() in libcommon.so in Petwant PF-103 firmware 4.2 ...)
NOT-FOR-US: Petwant PF-103 and Petalk AI
CVE-2019-16728 (DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (m ...)
+ {DLA-2419-1}
- dompurify.js <removed>
- [stretch] - dompurify.js <ignored> (Minor issue)
NOTE: https://research.securitum.com/dompurify-bypass-using-mxss/
CVE-2019-16746 (An issue was discovered in net/wireless/nl80211.c in the Linux kernel ...)
{DLA-2114-1 DLA-2068-1}
@@ -10824,8 +11275,8 @@ CVE-2019-16653 (An application plugin in Genius Bytes Genius Server (Genius CDDS
NOT-FOR-US: Genius Bytes Genius Server (Genius CDDS)
CVE-2019-16652 (The BPM component in Genius Bytes Genius Server (Genius CDDS) 3.2.2 al ...)
NOT-FOR-US: Genius Bytes Genius Server (Genius CDDS)
-CVE-2019-16651
- RESERVED
+CVE-2019-16651 (An issue was discovered on Virgin Media Super Hub 3 (based on ARRIS TG ...)
+ NOT-FOR-US: Virgin Media Super Hub
CVE-2019-16650 (On Supermicro X10 and X11 products, a client's access privileges may b ...)
NOT-FOR-US: Supermicro
CVE-2019-16649 (On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination ...)
@@ -11351,7 +11802,7 @@ CVE-2019-16396 (GnuCOBOL 2.2 has a use-after-free in the end_scope_of_program_na
- open-cobol <removed>
[stretch] - open-cobol <ignored> (Minor issue)
[jessie] - open-cobol <no-dsa> (Minor issue)
- NOTE: https://sourceforge.net/p/open-cobol/bugs/587/
+ NOTE: https://sourceforge.net/p/gnucobol/bugs/587/
NOTE: Fixed by: https://sourceforge.net/p/open-cobol/code/3347/
CVE-2019-16395 (GnuCOBOL 2.2 has a stack-based buffer overflow in the cb_name() functi ...)
- gnucobol 4.0~early~20200606-1 (low; bug #940949)
@@ -11359,7 +11810,7 @@ CVE-2019-16395 (GnuCOBOL 2.2 has a stack-based buffer overflow in the cb_name()
- open-cobol <removed>
[stretch] - open-cobol <ignored> (Minor issue)
[jessie] - open-cobol <no-dsa> (Minor issue)
- NOTE: https://sourceforge.net/p/open-cobol/bugs/586/
+ NOTE: https://sourceforge.net/p/gnucobol/bugs/586/
NOTE: Fixed by: https://sourceforge.net/p/open-cobol/code/3346/
CVE-2019-16390
RESERVED
@@ -11391,8 +11842,8 @@ CVE-2019-16376
RESERVED
CVE-2019-16375 (An issue was discovered in Open Ticket Request System (OTRS) 7.0.x thr ...)
- otrs2 6.0.23-1
- [buster] - otrs2 <no-dsa> (Non-free not supported)
- [stretch] - otrs2 <no-dsa> (Non-free not supported)
+ [buster] - otrs2 <ignored> (Non-free not supported)
+ [stretch] - otrs2 <ignored> (Non-free not supported)
[jessie] - otrs2 <no-dsa> (Minor issue)
NOTE: https://community.otrs.com/security-advisory-2019-13-security-update-for-otrs-framework/
NOTE: https://github.com/OTRS/otrs/commit/aeb33d800716e2a6653597aa86314c4cbdadb678 (6.x)
@@ -11427,7 +11878,8 @@ CVE-2019-16371 (LogMeIn LastPass before 4.33.0 allows attackers to construct a c
NOT-FOR-US: LogMeIn LastPass
CVE-2019-16370 (The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algori ...)
- gradle <unfixed> (low; bug #941186)
- [buster] - gradle <no-dsa> (Minor issue)
+ [bullseye] - gradle <ignored> (Minor issue)
+ [buster] - gradle <ignored> (Minor issue)
[stretch] - gradle <no-dsa> (Minor issue)
[jessie] - gradle <postponed> (Minor issue, old gradle mainly used for building Debian packages with apt signatures)
NOTE: https://github.com/gradle/gradle/commit/425b2b7a50cd84106a77cdf1ab665c89c6b14d2f
@@ -11510,8 +11962,7 @@ CVE-2019-16333 (GetSimple CMS v3.3.15 has Persistent Cross-Site Scripting (XSS)
NOT-FOR-US: GetSimple CMS
CVE-2019-16332 (In the api-bearer-auth plugin before 20190907 for WordPress, the serve ...)
NOT-FOR-US: Wordpress plugin
-CVE-2019-12412 [Remotely exploitable null pointer dereference bug]
- RESERVED
+CVE-2019-12412 (A flaw in the libapreq2 v2.07 to v2.13 multipart parser can deference ...)
{DSA-4541-1 DLA-1944-1}
- libapreq2 2.13-6 (bug #939937)
NOTE: https://svn.apache.org/r1866760
@@ -11522,7 +11973,9 @@ CVE-2019-16330 (In NCH Express Accounts Accounting v7.02, persistent cross site
CVE-2019-16329
RESERVED
CVE-2019-16328 (In RPyC 4.1.x through 4.1.1, a remote attacker can dynamically modify ...)
- - rpyc <removed>
+ - rpyc <not-affected> (Vulnerable code newer in a released Debian version)
+ NOTE: Issue only affected 4.1.0 and 4.1.1 upstream and fixed in 4.1.2
+ NOTE: https://rpyc.readthedocs.io/en/latest/docs/security.html#security
CVE-2019-16327 (D-Link DIR-601 B1 2.00NA devices are vulnerable to authentication bypa ...)
NOT-FOR-US: D-Link
CVE-2019-16326 (D-Link DIR-601 B1 2.00NA devices have CSRF because no anti-CSRF token ...)
@@ -11613,8 +12066,8 @@ CVE-2019-16283
RESERVED
CVE-2019-16282 (In NCH Express Invoice v7.12, persistent cross site scripting (XSS) ex ...)
NOT-FOR-US: NCH Express Invoice
-CVE-2019-16281
- RESERVED
+CVE-2019-16281 (Ptarmigan before 0.2.3 lacks API token validation, e.g., an "if (token ...)
+ NOT-FOR-US: Ptarmigan
CVE-2019-16280
RESERVED
CVE-2019-16279 (A memory error in the function SSL_accept in nostromo nhttpd through 1 ...)
@@ -11624,24 +12077,22 @@ CVE-2019-16278 (Directory Traversal in the function http_verify in nostromo nhtt
CVE-2019-16277 (PicoC 2.1 has a heap-based buffer overflow in StringStrcpy in cstdlib/ ...)
NOT-FOR-US: PicoC
CVE-2019-16319 (In Wireshark 3.0.0 to 3.0.3 and 2.6.0 to 2.6.10, the Gryphon dissector ...)
+ {DLA-2547-1}
- wireshark 3.0.4-1 (low)
- [buster] - wireshark <postponed> (Can be fixed along in next 3.0.x DSA)
- [stretch] - wireshark <postponed> (Can be fixed along in next 2.6.x DSA)
+ [buster] - wireshark 2.6.20-0+deb10u1
[jessie] - wireshark <not-affected> (Vulnerable code not present)
NOTE: https://www.wireshark.org/security/wnpa-sec-2019-21.html
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16020
NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=02ddd49885c6a09e936a76aceb726ed06539704a
CVE-2019-16276 (Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smugglin ...)
- {DSA-4534-1}
+ {DSA-4534-1 DLA-2592-1 DLA-2591-1}
- golang-1.13 1.13.1-1
- golang-1.12 1.12.10-1 (bug #941173)
- golang-1.11 <removed>
- golang-1.8 <removed>
- [stretch] - golang-1.8 <ignored> (Minor issue)
- golang-1.7 <removed>
- [stretch] - golang-1.7 <ignored> (Minor issue)
- golang <removed>
- [jessie] - golang <ignored> (does not makes sense to fix in jessie if not in later dists)
+ [jessie] - golang <ignored> (Minor issue)
NOTE: https://groups.google.com/forum/m/#!topic/golang-announce/cszieYyuL9Q
NOTE: https://golang.org/issue/34540
NOTE: https://github.com/golang/go/commit/5a6ab1ec3e678640befebeb3318b746a64ad986c (golang-1.13)
@@ -11658,8 +12109,8 @@ CVE-2019-16270
RESERVED
CVE-2019-16269
RESERVED
-CVE-2019-16268
- RESERVED
+CVE-2019-16268 (Zoho ManageEngine Remote Access Plus 10.0.259 allows HTML injection vi ...)
+ NOT-FOR-US: Zoho ManageEngine Remote Access Plus
CVE-2019-16267
RESERVED
CVE-2019-16266
@@ -11689,7 +12140,8 @@ CVE-2019-16255 (Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4
- ruby2.5 2.5.7-1
- ruby2.3 <removed>
- ruby2.1 <removed>
- - jruby <unfixed>
+ - jruby <unfixed> (bug #972230)
+ [buster] - jruby <no-dsa> (Minor issue)
NOTE: https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
NOTE: ruby2.5: https://github.com/ruby/ruby/commit/3af01ae1101e0b8815ae5a106be64b0e82a58640
CVE-2019-16254 (Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allow ...)
@@ -11697,7 +12149,8 @@ CVE-2019-16254 (Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4
- ruby2.5 2.5.7-1
- ruby2.3 <removed>
- ruby2.1 <removed>
- - jruby <unfixed>
+ - jruby <unfixed> (bug #972230)
+ [buster] - jruby <no-dsa> (Minor issue)
NOTE: https://github.com/ruby/ruby/commit/3ce238b5f9795581eb84114dcfbdf4aa086bfecc
NOTE: https://hackerone.com/reports/331984
NOTE: https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
@@ -11731,8 +12184,8 @@ CVE-2019-16242 (On TCL Alcatel Cingular Flip 2 B9HUAH1 devices, there is an engi
NOT-FOR-US: TCL Alcatel Cingular Flip 2 B9HUAH1 devices
CVE-2019-16241 (On TCL Alcatel Cingular Flip 2 B9HUAH1 devices, PIN authentication can ...)
NOT-FOR-US: TCL Alcatel Cingular Flip 2 B9HUAH1 devices
-CVE-2019-16240
- RESERVED
+CVE-2019-16240 (A Buffer Overflow and Information Disclosure issue exists in HP Office ...)
+ NOT-FOR-US: HP
CVE-2019-16239 (process_http_response in OpenConnect before 8.05 has a Buffer Overflow ...)
{DSA-4607-1 DLA-1945-1}
- openconnect 8.02-1.1 (bug #940871)
@@ -11861,10 +12314,10 @@ CVE-2019-16214 (Libra Core before 2019-09-03 has an erroneous regular expression
NOT-FOR-US: Libra
CVE-2019-16213 (Tenda PA6 Wi-Fi Powerline extender 1.0.1.21 could allow a remote authe ...)
NOT-FOR-US: Tenda PA6 Wi-Fi Powerline extender
-CVE-2019-16212
- RESERVED
-CVE-2019-16211
- RESERVED
+CVE-2019-16212 (A vulnerability in Brocade SANnav versions before v2.1.0 could allow a ...)
+ NOT-FOR-US: Brocade SANnav
+CVE-2019-16211 (Brocade SANnav versions before v2.1.0, contain a Plaintext Password St ...)
+ NOT-FOR-US: Brocade SANnav
CVE-2019-16210 (Brocade SANnav versions before v2.0, logs plain text database connecti ...)
NOT-FOR-US: Brocade
CVE-2019-16209 (A vulnerability, in The ReportsTrustManager class of Brocade SANnav ve ...)
@@ -11888,7 +12341,8 @@ CVE-2019-16201 (WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x throu
- ruby2.5 2.5.7-1
- ruby2.3 <removed>
- ruby2.1 <removed>
- - jruby <unfixed>
+ - jruby <unfixed> (bug #972230)
+ [buster] - jruby <no-dsa> (Minor issue)
NOTE: https://github.com/ruby/ruby/commit/36e057e26ef2104bc2349799d6c52d22bb1c7d03
NOTE: https://hackerone.com/reports/661722
NOTE: https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
@@ -11967,28 +12421,29 @@ CVE-2019-16167 (sysstat before 12.1.6 has memory corruption due to an Integer Ov
NOTE: Introduced after: https://github.com/sysstat/sysstat/commit/65ac30359e49ee717397e39950d7c24a6610d57c (v11.7.1)
NOTE: Fixed by: https://github.com/sysstat/sysstat/commit/edbf507678bf10914e9804ff8a06737fdcb2e781
CVE-2019-16166 (GNU cflow through 1.6 has a heap-based buffer over-read in the nexttok ...)
- - cflow <unfixed> (unimportant; bug #939916)
+ - cflow 1:1.6-6 (unimportant; bug #939916)
NOTE: https://lists.gnu.org/archive/html/bug-cflow/2019-04/msg00000.html
+ NOTE: https://git.savannah.gnu.org/cgit/cflow.git/commit/?id=b9a7cd5e9d4efb54141dd0d11c319bb97a4600c6
NOTE: Crash in CLI tool, no security impact
CVE-2019-16165 (GNU cflow through 1.6 has a use-after-free in the reference function i ...)
- - cflow <unfixed> (unimportant; bug #939915)
+ - cflow 1:1.6-6 (unimportant; bug #939915)
NOTE: https://lists.gnu.org/archive/html/bug-cflow/2019-04/msg00001.html
+ NOTE: https://git.savannah.gnu.org/cgit/cflow.git/commit/?id=b9a7cd5e9d4efb54141dd0d11c319bb97a4600c6
NOTE: Crash in CLI tool, no security impact
CVE-2019-16164 (MyHTML through 4.0.5 has a NULL pointer dereference in myhtml_tree_nod ...)
NOT-FOR-US: MyHTML
CVE-2019-16163 (Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of ...)
- {DLA-1918-1}
+ {DLA-2431-1 DLA-1918-1}
- libonig 6.9.4-1 (low; bug #939988)
[buster] - libonig <no-dsa> (Minor issue)
- [stretch] - libonig <no-dsa> (Minor issue)
NOTE: https://github.com/kkos/oniguruma/issues/147
NOTE: https://github.com/kkos/oniguruma/commit/4097828d7cc87589864fecf452f2cd46c5f37180
CVE-2019-16162 (Onigmo through 6.2.0 has an out-of-bounds read in parse_char_class bec ...)
NOT-FOR-US: Onigmo (fork of Oniguruma)
CVE-2019-16161 (Onigmo through 6.2.0 has a NULL pointer dereference in onig_error_code ...)
NOT-FOR-US: Onigmo (fork of Oniguruma)
-CVE-2019-16160
- RESERVED
+CVE-2019-16160 (An integer underflow in the SMB server of MikroTik RouterOS before 6.4 ...)
+ NOT-FOR-US: MikroTik RouterOS
CVE-2019-16159 (BIRD Internet Routing Daemon 1.6.x through 1.6.7 and 2.x through 2.0.5 ...)
- bird 1.6.8-1 (bug #939990)
[buster] - bird 1.6.6-1+deb10u1
@@ -12020,12 +12475,13 @@ CVE-2019-16149
CVE-2019-16168 (In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can cras ...)
{DLA-2340-1}
- sqlite3 3.29.0-2
- [buster] - sqlite3 <no-dsa> (Minor issue)
+ [buster] - sqlite3 3.27.2-3+deb10u1
[jessie] - sqlite3 <no-dsa> (Minor issue)
NOTE: https://www.mail-archive.com/sqlite-users@mailinglists.sqlite.org/msg116312.html
NOTE: https://www.sqlite.org/src/info/e4598ecbdd18bd82945f6029013296690e719a62
NOTE: Fixed by: https://www.sqlite.org/src/info/d93508fc9913cfe6
NOTE: Introduced by: https://www.sqlite.org/src/info/90e36676476e8db0
+ NOTE: https://github.com/sqlite/sqlite/commit/725dd72400872da94dcfb6af48128905b93d57fe
CVE-2019-16148 (Sakai through 12.6 allows XSS via a chat user name. ...)
NOT-FOR-US: Sakai
CVE-2019-16147 (Liferay Portal through 7.2.0 GA1 allows XSS via a journal article titl ...)
@@ -12068,12 +12524,12 @@ CVE-2019-16131 (framework/admin/modulec_control.php in OKLite v1.2.25 has an Arb
NOT-FOR-US: OKLite
CVE-2019-16130 (YII2-CMS v1.0 has XSS in protected\core\modules\home\models\Contact.ph ...)
NOT-FOR-US: YII2-CMS
-CVE-2019-16129
- RESERVED
-CVE-2019-16128
- RESERVED
-CVE-2019-16127
- RESERVED
+CVE-2019-16129 (Microchip CryptoAuthentication Library CryptoAuthLib prior to 20191122 ...)
+ NOT-FOR-US: Microchip CryptoAuthentication Library CryptoAuthLib
+CVE-2019-16128 (Microchip CryptoAuthentication Library CryptoAuthLib prior to 20191122 ...)
+ NOT-FOR-US: Microchip CryptoAuthentication Library CryptoAuthLib
+CVE-2019-16127 (Atmel Advanced Software Framework (ASF) 4 has an Integer Overflow. ...)
+ NOT-FOR-US: Atmel Advanced Software Framework (ASF) 4
CVE-2019-16126 (Grav through 1.6.15 allows (Stored) Cross-Site Scripting due to JavaSc ...)
NOT-FOR-US: Grav CMS
CVE-2019-16125 (In Jobberbase 2.0, the parameter category is not sanitized in public/p ...)
@@ -12211,6 +12667,8 @@ CVE-2019-16061 (A number of files on the NETSAS Enigma NMS server 65.0.0 and pri
NOT-FOR-US: NETSAS Enigma NMS
CVE-2019-16089 (An issue was discovered in the Linux kernel through 5.2.13. nbd_genl_s ...)
- linux <unfixed>
+ [bullseye] - linux <postponed> (Minor issue, revisit when fixed upstream)
+ [buster] - linux <postponed> (Minor issue, revisit when fixed upstream)
[stretch] - linux <not-affected> (Vulnerable code not present)
[jessie] - linux <not-affected> (Vulnerable code not present)
CVE-2019-16060 (The Airbrake Ruby notifier 4.2.3 for Airbrake mishandles the blacklist ...)
@@ -12296,30 +12754,30 @@ CVE-2019-16030
RESERVED
CVE-2019-16029 (A vulnerability in the application programming interface (API) of Cisc ...)
NOT-FOR-US: Cisco
-CVE-2019-16028
- RESERVED
+CVE-2019-16028 (A vulnerability in the web-based management interface of Cisco Firepow ...)
+ NOT-FOR-US: Cisco
CVE-2019-16027 (A vulnerability in the implementation of the Intermediate System&amp;n ...)
NOT-FOR-US: Cisco
CVE-2019-16026 (A vulnerability in the implementation of the Stream Control Transmissi ...)
NOT-FOR-US: Cisco
-CVE-2019-16025
- RESERVED
+CVE-2019-16025 (A vulnerability in the web framework of Cisco Emergency Responder coul ...)
+ NOT-FOR-US: Cisco
CVE-2019-16024 (A vulnerability in the web-based management interface of Cisco Crosswo ...)
NOT-FOR-US: Cisco
-CVE-2019-16023
- RESERVED
+CVE-2019-16023 (Multiple vulnerabilities in the implementation of Border Gateway Proto ...)
+ NOT-FOR-US: Cisco
CVE-2019-16022 (Multiple vulnerabilities in the implementation of Border Gateway Proto ...)
NOT-FOR-US: Cisco
-CVE-2019-16021
- RESERVED
+CVE-2019-16021 (Multiple vulnerabilities in the implementation of Border Gateway Proto ...)
+ NOT-FOR-US: Cisco
CVE-2019-16020 (Multiple vulnerabilities in the implementation of Border Gateway Proto ...)
NOT-FOR-US: Cisco
-CVE-2019-16019
- RESERVED
+CVE-2019-16019 (Multiple vulnerabilities in the implementation of Border Gateway Proto ...)
+ NOT-FOR-US: Cisco
CVE-2019-16018 (A vulnerability in the implementation of Border Gateway Protocol (BGP) ...)
NOT-FOR-US: Cisco
-CVE-2019-16017
- RESERVED
+CVE-2019-16017 (A vulnerability in the Operations, Administration, Maintenance and Pro ...)
+ NOT-FOR-US: Cisco
CVE-2019-16016
RESERVED
CVE-2019-16015 (A vulnerability in the web-based management interface of the Cisco Dat ...)
@@ -12334,26 +12792,26 @@ CVE-2019-16011 (A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could
NOT-FOR-US: Cisco
CVE-2019-16010 (A vulnerability in the web UI of the Cisco SD-WAN vManage software cou ...)
NOT-FOR-US: Cisco
-CVE-2019-16009
- RESERVED
+CVE-2019-16009 (A vulnerability in the web UI of Cisco IOS and Cisco IOS XE Software c ...)
+ NOT-FOR-US: Cisco
CVE-2019-16008 (A vulnerability in the web-based GUI of Cisco IP Phone 6800, 7800, and ...)
NOT-FOR-US: Cisco
-CVE-2019-16007
- RESERVED
+CVE-2019-16007 (A vulnerability in the inter-service communication of Cisco AnyConnect ...)
+ NOT-FOR-US: Cisco
CVE-2019-16006
RESERVED
CVE-2019-16005 (A vulnerability in the web-based management interface of Cisco Webex V ...)
NOT-FOR-US: Cisco
-CVE-2019-16004
- RESERVED
+CVE-2019-16004 (A vulnerability in the REST API endpoint of Cisco Vision Dynamic Signa ...)
+ NOT-FOR-US: Cisco
CVE-2019-16003 (A vulnerability in the web-based management interface of Cisco UCS Dir ...)
NOT-FOR-US: Cisco
CVE-2019-16002 (A vulnerability in the vManage web-based UI (web UI) of the Cisco SD-W ...)
NOT-FOR-US: Cisco
CVE-2019-16001 (A vulnerability in the loading mechanism of specific dynamic link libr ...)
NOT-FOR-US: Cisco
-CVE-2019-16000
- RESERVED
+CVE-2019-16000 (A vulnerability in the automatic update process of Cisco Umbrella Roam ...)
+ NOT-FOR-US: Cisco
CVE-2019-15999 (A vulnerability in the application environment of Cisco Data Center Ne ...)
NOT-FOR-US: Cisco
CVE-2019-15998 (A vulnerability in the access-control logic of the NETCONF over Secure ...)
@@ -12366,10 +12824,10 @@ CVE-2019-15995 (A vulnerability in the web UI of Cisco DNA Spaces: Connector cou
NOT-FOR-US: Cisco
CVE-2019-15994 (A vulnerability in the web-based management interface of Cisco Stealth ...)
NOT-FOR-US: Cisco
-CVE-2019-15993
- RESERVED
-CVE-2019-15992
- RESERVED
+CVE-2019-15993 (A vulnerability in the web UI of Cisco Small Business Switches could a ...)
+ NOT-FOR-US: Cisco
+CVE-2019-15992 (A vulnerability in the implementation of the Lua interpreter integrate ...)
+ NOT-FOR-US: Cisco
CVE-2019-15991
RESERVED
CVE-2019-15990 (A vulnerability in the web-based management interface of certain Cisco ...)
@@ -12404,8 +12862,8 @@ CVE-2019-15976 (Multiple vulnerabilities in the authentication mechanisms of Cis
NOT-FOR-US: Cisco
CVE-2019-15975 (Multiple vulnerabilities in the authentication mechanisms of Cisco Dat ...)
NOT-FOR-US: Cisco
-CVE-2019-15974
- RESERVED
+CVE-2019-15974 (A vulnerability in the web interface of Cisco Managed Services Acceler ...)
+ NOT-FOR-US: Cisco
CVE-2019-15973 (A vulnerability in the web-based management interface of Cisco Industr ...)
NOT-FOR-US: Cisco
CVE-2019-15972 (A vulnerability in the web-based management interface of Cisco Unified ...)
@@ -12414,8 +12872,8 @@ CVE-2019-15971 (A vulnerability in the MP3 detection engine of Cisco AsyncOS Sof
NOT-FOR-US: Cisco
CVE-2019-15970
RESERVED
-CVE-2019-15969
- RESERVED
+CVE-2019-15969 (A vulnerability in the web-based management interface of Cisco Web Sec ...)
+ NOT-FOR-US: Cisco
CVE-2019-15968 (A vulnerability in the web-based management interface of Cisco Unified ...)
NOT-FOR-US: Cisco
CVE-2019-15967 (A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoin ...)
@@ -12426,8 +12884,8 @@ CVE-2019-15965
RESERVED
CVE-2019-15964
RESERVED
-CVE-2019-15963
- RESERVED
+CVE-2019-15963 (A vulnerability in the web-based management interface of Cisco Unified ...)
+ NOT-FOR-US: Cisco
CVE-2019-15962 (A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoin ...)
NOT-FOR-US: Cisco
CVE-2019-15961 (A vulnerability in the email parsing module Clam AntiVirus (ClamAV) So ...)
@@ -12438,12 +12896,12 @@ CVE-2019-15961 (A vulnerability in the email parsing module Clam AntiVirus (Clam
NOTE: https://blog.clamav.net/2019/11/clamav-01021-and-01015-patches-have.html
CVE-2019-15960 (A vulnerability in the Webex Network Recording Admin page of Cisco Web ...)
NOT-FOR-US: Cisco
-CVE-2019-15959
- RESERVED
+CVE-2019-15959 (A vulnerability in Cisco Small Business SPA500 Series IP Phones could ...)
+ NOT-FOR-US: Cisco
CVE-2019-15958 (A vulnerability in the REST API of Cisco Prime Infrastructure (PI) and ...)
NOT-FOR-US: Cisco
-CVE-2019-15957
- RESERVED
+CVE-2019-15957 (A vulnerability in the web-based management interface of certain Cisco ...)
+ NOT-FOR-US: Cisco
CVE-2019-15956 (A vulnerability in the web management interface of Cisco AsyncOS Softw ...)
NOT-FOR-US: Cisco
CVE-2019-15955 (An issue was discovered in Total.js CMS 12.0.0. A low privilege user c ...)
@@ -12463,18 +12921,16 @@ CVE-2019-15949 (Nagios XI before 5.6.6 allows remote command execution as root.
CVE-2019-15948 (Texas Instruments CC256x and WL18xx dual-mode Bluetooth controller dev ...)
NOT-FOR-US: Texas Instruments CC256x and WL18xx dual-mode Bluetooth controller devices
CVE-2019-15947 (In Bitcoin Core 0.18.0, bitcoin-qt stores wallet.dat data unencrypted ...)
- - bitcoin <unfixed> (bug #939608)
+ - bitcoin 0.20.1~dfsg-1 (bug #939608)
CVE-2019-15946 (OpenSC before 0.20.0-rc1 has an out-of-bounds access of an ASN.1 Octet ...)
- {DLA-1916-1}
+ {DLA-2832-1 DLA-1916-1}
- opensc 0.20.0-1 (bug #939669)
[buster] - opensc <no-dsa> (Minor issue)
- [stretch] - opensc <no-dsa> (Minor issue)
NOTE: https://github.com/OpenSC/OpenSC/commit/a3fc7693f3a035a8a7921cffb98432944bb42740
CVE-2019-15945 (OpenSC before 0.20.0-rc1 has an out-of-bounds access of an ASN.1 Bitst ...)
- {DLA-1916-1}
+ {DLA-2832-1 DLA-1916-1}
- opensc 0.20.0-1 (bug #939668)
[buster] - opensc <no-dsa> (Minor issue)
- [stretch] - opensc <no-dsa> (Minor issue)
NOTE: https://github.com/OpenSC/OpenSC/commit/412a6142c27a5973c61ba540e33cdc22d5608e68
CVE-2019-15944 (In Counter-Strike: Global Offensive before 8/29/2019, community game s ...)
NOT-FOR-US: Counter-Strike: Global Offensive
@@ -12482,7 +12938,7 @@ CVE-2019-15943 (vphysics.dll in Counter-Strike: Global Offensive before 1.37.1.1
NOT-FOR-US: Counter-Strike: Global Offensive
CVE-2019-15942 (FFmpeg through 4.2 has a "Conditional jump or move depends on uninitia ...)
- ffmpeg <not-affected> (Only affects 4.2)
- NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=af70bfbeadc0c9b9215cf045ff2a6a31e8ac3a71
+ NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=af70bfbeadc0c9b9215cf045ff2a6a31e8ac3a71
CVE-2019-15941 (OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may allow an ...)
{DSA-4533-1}
- lemonldap-ng 2.0.6+ds-1
@@ -12494,9 +12950,9 @@ CVE-2019-15941 (OpenID Connect Issuer in LemonLDAP::NG 2.x through 2.0.5 may all
CVE-2019-15940 (Victure PC530 devices allow unauthenticated TELNET access as root. ...)
NOT-FOR-US: Victure PC530 devices
CVE-2019-15939 (An issue was discovered in OpenCV 4.1.0. There is a divide-by-zero err ...)
+ {DLA-2799-1}
- opencv 4.1.2+dfsg-3
[buster] - opencv <no-dsa> (Minor issue)
- [stretch] - opencv <no-dsa> (Minor issue)
[jessie] - opencv <no-dsa> (Minor issue)
NOTE: https://github.com/OpenCV/opencv/issues/15287
NOTE: https://github.com/opencv/opencv/pull/15382
@@ -12658,6 +13114,7 @@ CVE-2019-15890 (libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in i
NOTE: https://www.openwall.com/lists/oss-security/2019/09/06/3
NOTE: https://gitlab.freedesktop.org/slirp/libslirp/commit/c59279437eda91841b9d26079c70b8a540d41204
NOTE: 1:4.1-2 switched to system libslirp, marking that version as fixed
+ NOTE: https://github.com/rootless-containers/slirp4netns/security/advisories/GHSA-jx98-2j5v-w265
CVE-2019-15889 (The download-manager plugin before 2.9.94 for WordPress has XSS via th ...)
NOT-FOR-US: download-manager plugin for WordPress
CVE-2019-15888
@@ -12760,9 +13217,9 @@ CVE-2019-15849 (eQ-3 HomeMatic CCU3 firmware 3.41.11 allows session fixation. An
CVE-2019-15848 (JetBrains TeamCity 2019.1 and 2019.1.1 allows cross-site scripting (XS ...)
NOT-FOR-US: JetBrains TeamCity
CVE-2019-15847 (The POWER9 backend in GNU Compiler Collection (GCC) before version 10 ...)
- - gcc-7 <unfixed>
+ - gcc-7 7.4.0-12
[buster] - gcc-7 <ignored> (minor issue, affects only POWER9 binaries)
- - gcc-8 <unfixed>
+ - gcc-8 8.3.0-22
[buster] - gcc-8 <ignored> (minor issue, affects only POWER9 binaries)
- gcc-9 9.2.1-7 (low)
NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=91481
@@ -12952,7 +13409,7 @@ CVE-2019-15769 (The handl-utm-grabber plugin before 2.6.5 for WordPress has CSRF
CVE-2019-15768
RESERVED
CVE-2019-15767 (In GNU Chess 6.2.5, there is a stack-based buffer overflow in the cmd_ ...)
- - gnuchess <unfixed> (unimportant; bug #936023)
+ - gnuchess 6.2.7-1 (unimportant; bug #936023)
NOTE: https://lists.gnu.org/archive/html/bug-gnu-chess/2019-08/msg00004.html
NOTE: Neutralised by toolchain hardening, no security impact
CVE-2019-15766 (The KSLABS KSWEB (aka ru.kslabs.ksweb) application 3.93 for Android al ...)
@@ -13422,9 +13879,8 @@ CVE-2019-15605 (HTTP request smuggling in Node.js 10, 12, and 13 causes maliciou
- nodejs 10.19.0~dfsg-1
[stretch] - nodejs <ignored> (Nodejs in stretch not covered by security support)
[jessie] - nodejs <end-of-life> (Nodejs in jessie not covered by security support)
- [experimental] - http-parser 2.9.3-1
- - http-parser <unfixed>
- [buster] - http-parser <no-dsa> (Minor issue)
+ - http-parser 2.9.4-2 (bug #977467)
+ [buster] - http-parser 2.8.1-1+deb10u1
[stretch] - http-parser <ignored> (Invasive patch, requires prior content-length support and public struct changes that break ABI)
[jessie] - http-parser <ignored> (Invasive patch, requires prior content-length support and public struct changes that break ABI)
NOTE: https://hackerone.com/reports/735748
@@ -13549,7 +14005,7 @@ CVE-2019-15564 (The Compassion Switzerland addons 10.01.4 for Odoo allow SQL inj
NOT-FOR-US: Compassion Switzerland addons for Odoo
CVE-2019-15563 (Observational Health Data Sciences and Informatics (OHDSI) WebAPI befo ...)
NOT-FOR-US: Observational Health Data Sciences and Informatics
-CVE-2019-15562 (GORM before 1.9.10 allows SQL injection via incomplete parentheses. ...)
+CVE-2019-15562 (** DISPUTED ** GORM before 1.9.10 allows SQL injection via incomplete ...)
NOT-FOR-US: GORM
CVE-2019-15561 (FlashLingo before 2019-06-12 allows SQL injection, related to flashlin ...)
NOT-FOR-US: FlashLingo
@@ -13567,12 +14023,12 @@ CVE-2019-15555 (FredReinink Wellness-app before 2019-06-19 allows SQL injection,
NOT-FOR-US: FredReinink Wellness-app
CVE-2019-15554 (An issue was discovered in the smallvec crate before 0.6.10 for Rust. ...)
- rust-smallvec 0.6.10-1
- [buster] - rust-smallvec <no-dsa> (Minor issue)
+ [buster] - rust-smallvec <ignored> (Minor issue)
NOTE: https://github.com/servo/rust-smallvec/issues/149
NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0012.html
CVE-2019-15553 (An issue was discovered in the memoffset crate before 0.5.0 for Rust. ...)
- rust-memoffset 0.5.1-1 (bug #936025)
- [buster] - rust-memoffset <no-dsa> (Minor issue)
+ [buster] - rust-memoffset <ignored> (Minor issue)
NOTE: https://github.com/Gilnaa/memoffset/issues/9#issuecomment-505461490
NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0011.html
CVE-2019-15552 (An issue was discovered in the libflate crate before 0.1.25 for Rust. ...)
@@ -13582,7 +14038,7 @@ CVE-2019-15552 (An issue was discovered in the libflate crate before 0.1.25 for
NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0010.html
CVE-2019-15551 (An issue was discovered in the smallvec crate before 0.6.10 for Rust. ...)
- rust-smallvec 0.6.10-1
- [buster] - rust-smallvec <no-dsa> (Minor issue)
+ [buster] - rust-smallvec <ignored> (Minor issue)
NOTE: https://github.com/servo/rust-smallvec/issues/148
NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0009.html
CVE-2019-15550 (An issue was discovered in the simd-json crate before 0.1.15 for Rust. ...)
@@ -13590,10 +14046,10 @@ CVE-2019-15550 (An issue was discovered in the simd-json crate before 0.1.15 for
CVE-2019-15549 (An issue was discovered in the asn1_der crate before 0.6.2 for Rust. A ...)
NOT-FOR-US: Rust crate asn1_der
CVE-2019-15548 (An issue was discovered in the ncurses crate through 5.99.0 for Rust. ...)
- - rust-ncurses <unfixed>
+ - rust-ncurses <unfixed> (bug #972100)
NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0006.html
CVE-2019-15547 (An issue was discovered in the ncurses crate through 5.99.0 for Rust. ...)
- - rust-ncurses <unfixed>
+ - rust-ncurses <unfixed> (bug #972100)
NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0006.html
CVE-2019-15546 (An issue was discovered in the pancurses crate through 0.16.1 for Rust ...)
NOT-FOR-US: Rust crate pancurses
@@ -13604,7 +14060,7 @@ CVE-2019-15544 (An issue was discovered in the protobuf crate before 2.6.0 for R
CVE-2019-15543 (An issue was discovered in the slice-deque crate before 0.2.0 for Rust ...)
NOT-FOR-US: Rust crate slice-deque
CVE-2019-15542 (An issue was discovered in the ammonia crate before 2.1.0 for Rust. Th ...)
- NOT-FOR-US: Rust crate ammonia
+ - rust-ammonia <not-affected> (Fixed before initial upload)
CVE-2019-15541 (rustls-mio/examples/tlsserver.rs in the rustls crate before 0.16.0 for ...)
NOT-FOR-US: Rust crate rustls
CVE-2019-15540 (filters/filter-cso/filter-stream.c in the CSO filter in libMirage 3.2. ...)
@@ -13631,10 +14087,9 @@ CVE-2019-15533 (XENFCoreSharp before 2019-07-16 allows SQL injection in web/veri
CVE-2019-15532 (CyberChef before 8.31.2 allows XSS in core/operations/TextEncodingBrut ...)
NOT-FOR-US: CyberChef
CVE-2019-15531 (GNU Libextractor through 1.9 has a heap-based buffer over-read in the ...)
- {DLA-1904-1}
+ {DLA-2851-1 DLA-1904-1}
- libextractor 1:1.9-2 (bug #935553)
[buster] - libextractor <no-dsa> (Minor issue)
- [stretch] - libextractor <no-dsa> (Minor issue)
NOTE: https://bugs.gnunet.org/view.php?id=5846
NOTE: https://git.gnunet.org/libextractor.git/commit/?id=d2b032452241708bee68d02aa02092cfbfba951a
CVE-2019-15530 (An issue was discovered on D-Link DIR-823G devices with firmware V1.0. ...)
@@ -13651,8 +14106,11 @@ CVE-2019-15525 (There is Missing SSL Certificate Validation in the pw3270 termin
NOT-FOR-US: pw3270 terminal emulator
CVE-2019-15524 (CSZ CMS 1.2.3 allows arbitrary file upload, as demonstrated by a .php ...)
NOT-FOR-US: CSZ CMS
-CVE-2019-15523
- RESERVED
+CVE-2019-15523 (An issue was discovered in LINBIT csync2 through 2.0. It does not corr ...)
+ {DLA-2515-1}
+ - csync2 2.0-25-gc0faaf9-1
+ [buster] - csync2 <no-dsa> (Minor issue)
+ NOTE: https://github.com/LINBIT/csync2/pull/13/commits/92742544a56bcbcd9ec99ca15f898b31797e39e2
CVE-2019-15522 (An issue was discovered in LINBIT csync2 through 2.0. csync_daemon_ses ...)
- csync2 2.0-25-gc0faaf9-1 (bug #955445)
[buster] - csync2 2.0-22-gce67c55-1+deb10u1
@@ -14117,7 +14575,7 @@ CVE-2019-15298 (A problem was found in Centreon Web through 19.04.3. An authenti
- centreon-web <itp> (bug #913903)
CVE-2019-15297 (res_pjsip_t38 in Sangoma Asterisk 13.21-cert4, 15.7.3, and 16.5.0 allo ...)
- asterisk 1:16.10.0~dfsg-1 (low; bug #940060)
- [buster] - asterisk <no-dsa> (Minor issue)
+ [buster] - asterisk 1:16.2.1~dfsg-1+deb10u2
[stretch] - asterisk <no-dsa> (Minor issue)
[jessie] - asterisk <not-affected> (The vulnerable code is not present)
NOTE: https://downloads.asterisk.org/pub/security/AST-2019-004.html
@@ -14132,20 +14590,20 @@ CVE-2019-15294 (An issue was discovered in Gallagher Command Centre 8.10 before
NOT-FOR-US: Gallagher Command Centre
CVE-2019-15293 (An issue was discovered in ACDSee Photo Studio Standard 22.1 Build 115 ...)
NOT-FOR-US: ACDSee
-CVE-2019-15289
- RESERVED
+CVE-2019-15289 (Multiple vulnerabilities in the video service of Cisco TelePresence Co ...)
+ NOT-FOR-US: Cisco
CVE-2019-15288 (A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoin ...)
NOT-FOR-US: Cisco
-CVE-2019-15287
- RESERVED
+CVE-2019-15287 (Multiple vulnerabilities in Cisco Webex Network Recording Player for M ...)
+ NOT-FOR-US: Cisco
CVE-2019-15286 (Multiple vulnerabilities in Cisco Webex Network Recording Player for M ...)
NOT-FOR-US: Cisco
-CVE-2019-15285
- RESERVED
+CVE-2019-15285 (Multiple vulnerabilities in Cisco Webex Network Recording Player for M ...)
+ NOT-FOR-US: Cisco
CVE-2019-15284 (Multiple vulnerabilities in Cisco Webex Network Recording Player for M ...)
NOT-FOR-US: Cisco
-CVE-2019-15283
- RESERVED
+CVE-2019-15283 (Multiple vulnerabilities in Cisco Webex Network Recording Player for M ...)
+ NOT-FOR-US: Cisco
CVE-2019-15282 (A vulnerability in the web-based management interface of Cisco Identit ...)
NOT-FOR-US: Cisco
CVE-2019-15281 (A vulnerability in the web-based management interface of Cisco Identit ...)
@@ -14253,8 +14711,10 @@ CVE-2019-15239 (In the Linux kernel, a certain net/ipv4/tcp_output.c change, whi
CVE-2019-15238 (The cforms2 plugin before 15.0.2 for WordPress has CSRF related to the ...)
NOT-FOR-US: Wordpress plugin
CVE-2019-15237 (Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, ...)
- - roundcube <unfixed> (low; bug #949629)
- [buster] - roundcube <no-dsa> (Minor issue)
+ [experimental] - roundcube 1.5~rc+dfsg.1-1
+ - roundcube 1.5.0+dfsg.1-1 (low; bug #949629)
+ [bullseye] - roundcube <ignored> (Minor issue)
+ [buster] - roundcube <ignored> (Minor issue)
[stretch] - roundcube <no-dsa> (Minor issue)
NOTE: https://github.com/roundcube/roundcubemail/issues/6891
CVE-2019-15236
@@ -14342,6 +14802,7 @@ CVE-2019-15214 (An issue was discovered in the Linux kernel before 5.0.10. There
[stretch] - linux 4.9.184-1
CVE-2019-15213 (An issue was discovered in the Linux kernel before 5.2.3. There is a u ...)
- linux <unfixed>
+ [bullseye] - linux <postponed> (Revisit when correctly fixed upstream)
[stretch] - linux <not-affected> (Vulnerable code introduced later)
[jessie] - linux <not-affected> (Vulnerable code introduced later)
CVE-2019-15212 (An issue was discovered in the Linux kernel before 5.1.8. There is a d ...)
@@ -14449,10 +14910,9 @@ CVE-2019-15166 (lmp_print_data_link_subobjs() in print-lmp.c in tcpdump before 4
- tcpdump 4.9.3-1 (bug #941698)
NOTE: https://github.com/the-tcpdump-group/tcpdump/commit/0b661e0aa61850234b64394585cf577aac570bf4
CVE-2019-15165 (sf-pcapng.c in libpcap before 1.9.1 does not properly validate the PHB ...)
- {DLA-1967-1}
+ {DLA-2850-1 DLA-1967-1}
- libpcap 1.9.1-1 (low; bug #941697)
- [buster] - libpcap <no-dsa> (Minor issue)
- [stretch] - libpcap <no-dsa> (Minor issue)
+ [buster] - libpcap <ignored> (Minor issue)
NOTE: https://github.com/the-tcpdump-group/libpcap/commit/87d6bef033062f969e70fa40c43dfd945d5a20ab
NOTE: https://github.com/the-tcpdump-group/libpcap/commit/a5a36d9e82dde7265e38fe1f87b7f11c461c29f6
CVE-2019-15164 (rpcapd/daemon.c in libpcap before 1.9.1 allows SSRF because a URL may ...)
@@ -14503,7 +14963,7 @@ CVE-2019-15152
RESERVED
CVE-2019-15151 (AdPlug 2.3.1 has a double free in the Cu6mPlayer class in u6m.h. ...)
[experimental] - adplug 2.3.3+dfsg-1
- - adplug <unfixed> (bug #946340)
+ - adplug 2.3.3+dfsg-2 (bug #946340)
[buster] - adplug <no-dsa> (Minor issue)
[stretch] - adplug <no-dsa> (Minor issue)
[jessie] - adplug <no-dsa> (Minor issue)
@@ -14519,31 +14979,23 @@ CVE-2019-15147 (GoPro GPMF-parser 1.2.2 has an out-of-bounds read and SEGV in GP
CVE-2019-15146 (GoPro GPMF-parser 1.2.2 has a heap-based buffer over-read (4 bytes) in ...)
NOT-FOR-US: gpmf-parser
CVE-2019-15145 (DjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack ...)
- {DLA-1902-1}
+ {DSA-5032-1 DLA-2667-1 DLA-1902-1}
- djvulibre 3.5.27.1-11 (low)
- [buster] - djvulibre <no-dsa> (Minor issue)
- [stretch] - djvulibre <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/djvu/bugs/298/
NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/9658b01431cd7ff6344d7787f855179e73fe81a7/
CVE-2019-15144 (In DjVuLibre 3.5.27, the sorting functionality (aka GArrayTemplate&lt; ...)
- {DLA-1902-1}
+ {DSA-5032-1 DLA-2667-1 DLA-1902-1}
- djvulibre 3.5.27.1-11 (low)
- [buster] - djvulibre <no-dsa> (Minor issue)
- [stretch] - djvulibre <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/djvu/bugs/299/
NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/e15d51510048927f172f1bf1f27ede65907d940d/
CVE-2019-15143 (In DjVuLibre 3.5.27, the bitmap reader component allows attackers to c ...)
- {DLA-1902-1}
+ {DSA-5032-1 DLA-2667-1 DLA-1902-1}
- djvulibre 3.5.27.1-11 (low)
- [buster] - djvulibre <no-dsa> (Minor issue)
- [stretch] - djvulibre <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/djvu/bugs/297/
NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/b1f4e1b2187d9e5010cd01ceccf20b4a11ce723f/
CVE-2019-15142 (In DjVuLibre 3.5.27, DjVmDir.cpp in the DJVU reader component allows a ...)
- {DLA-1902-1}
+ {DSA-5032-1 DLA-2667-1 DLA-1902-1}
- djvulibre 3.5.27.1-11 (low)
- [buster] - djvulibre <no-dsa> (Minor issue)
- [stretch] - djvulibre <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/djvu/bugs/296/
NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/970fb11a296b5bbdc5e8425851253d2c5913c45e/
CVE-2019-15141 (WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allows att ...)
@@ -14586,11 +15038,13 @@ CVE-2019-15133 (In GIFLIB before 2019-02-16, a malformed GIF file triggers a div
NOTE: https://sourceforge.net/p/giflib/code/ci/799eb6a3af8a3dd81e2429bf11a72a57e541f908/
NOTE: https://sourceforge.net/p/giflib/bugs/119/
CVE-2019-15132 (Zabbix through 4.4.0alpha1 allows User Enumeration. With login request ...)
- - zabbix <unfixed> (bug #935027)
+ {DLA-2631-1}
+ - zabbix 1:5.0.7+dfsg-1 (bug #935027)
[buster] - zabbix <no-dsa> (Minor issue)
- [stretch] - zabbix <no-dsa> (Minor issue)
[jessie] - zabbix <postponed> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-16532
+ NOTE: https://support.zabbix.com/browse/ZBX-5842
+ NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/b5a110e4d1c21d865cd03e3ef8dbc6f37221b60f (4.0.27rc1)
CVE-2019-15131 (In Code42 Enterprise 6.7.5 and earlier, 6.8.4 through 6.8.8, and 7.0.0 ...)
NOT-FOR-US: Code42
CVE-2019-15130 (The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681 ...)
@@ -14709,12 +15163,12 @@ CVE-2019-15082 (The 360-product-rotation plugin before 1.4.8 for WordPress has r
NOT-FOR-US: Wordpress plugin
CVE-2019-15081 (OpenCart 3.x, when the attacker has login access to the admin panel, a ...)
NOT-FOR-US: OpenCart
-CVE-2019-15080
- RESERVED
-CVE-2019-15079
- RESERVED
-CVE-2019-15078
- RESERVED
+CVE-2019-15080 (An issue was discovered in a smart contract implementation for MORPH T ...)
+ NOT-FOR-US: MORPH Token Ethereum token
+CVE-2019-15079 (A typo exists in the constructor of a smart contract implementation fo ...)
+ NOT-FOR-US: EAI Ethereum token
+CVE-2019-15078 (An issue was discovered in a smart contract implementation for AIRDROP ...)
+ NOT-FOR-US: AIRDROPX BORN Ethereum token
CVE-2019-15077
RESERVED
CVE-2019-15076
@@ -14754,13 +15208,15 @@ CVE-2019-15061
RESERVED
CVE-2019-15060 (The traceroute function on the TP-Link TL-WR840N v4 router with firmwa ...)
NOT-FOR-US: TP-Link
-CVE-2019-15059
- RESERVED
+CVE-2019-15059 (In Liberty lisPBX 2.0-4, configuration backup files can be retrieved r ...)
+ NOT-FOR-US: Liberty lisPBX
CVE-2019-15058 (stb_image.h (aka the stb image loader) 2.23 has a heap-based buffer ov ...)
- - libstb <unfixed> (bug #934973)
+ - libstb 0.0~git20210910.af1a5bc+ds-1 (bug #934973)
+ [bullseye] - libstb <no-dsa> (Minor issue)
[buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/issues/790
NOTE: Potentially also affects libsixel, mame, libsfml, love, zynaddsubfx, yquake2, ccextractor, zam-plugins, osgearth, catimg, darknet, gem, retroarch, renderdoc, goxel
+ NOTE: https://github.com/nothings/stb/commit/bfaccab17a648b315543d366c63aee575a0756b7
CVE-2019-15057
RESERVED
CVE-2019-15056
@@ -14773,6 +15229,7 @@ CVE-2019-15053 (The "HTML Include and replace macro" plugin before 1.5.0 for Con
NOT-FOR-US: "HTML Include and replace macro" plugin for Confluence Server
CVE-2019-15052 (The HTTP client in Gradle before 5.6 sends authentication credentials ...)
- gradle <unfixed> (low; bug #941187)
+ [bullseye] - gradle <no-dsa> (Minor issue)
[buster] - gradle <no-dsa> (Minor issue)
[stretch] - gradle <no-dsa> (Minor issue)
[jessie] - gradle <postponed> (Minor issue, old gradle mainly used for building Debian packages with system libraries)
@@ -15012,7 +15469,6 @@ CVE-2019-14955 (In JetBrains Hub versions earlier than 2018.4.11436, there was n
NOT-FOR-US: JetBrains Hub
CVE-2019-14954 (JetBrains IntelliJ IDEA before 2019.2 was resolving the markdown plant ...)
- intellij-idea <itp> (bug #747616)
- - intellij-community-idea <undetermined>
CVE-2019-14953 (JetBrains YouTrack versions before 2019.2.53938 had a possible XSS thr ...)
NOT-FOR-US: JetBrains YouTrack
CVE-2019-14952 (JetBrains YouTrack versions before 2019.1.52584 had a possible XSS in ...)
@@ -15050,7 +15506,7 @@ CVE-2019-14940 (In Storage Performance Development Kit (SPDK) before 19.07, a us
NOT-FOR-US: Storage Performance Development Kit
CVE-2019-14939 (An issue was discovered in the mysql (aka mysqljs) module 2.17.1 for N ...)
- node-mysql 2.18.0-1 (bug #934712)
- [buster] - node-mysql <no-dsa> (Minor issue)
+ [buster] - node-mysql 2.16.0-1+deb10u1
[stretch] - node-mysql <end-of-life> (Nodejs in stretch not covered by security support)
[jessie] - node-mysql <end-of-life> (Nodejs in jessie not covered by security support)
NOTE: https://github.com/mysqljs/mysql/issues/2257
@@ -15063,9 +15519,9 @@ CVE-2019-14936 (Easy!Appointments 1.3.2 plugin for WordPress allows Sensitive In
CVE-2019-14935 (3CX Phone 15 on Windows has insecure permissions on the "%PROGRAMDATA% ...)
NOT-FOR-US: 3CX Phone 15 on Windows
CVE-2019-14934 (An issue was discovered in PDFResurrect before 0.18. pdf_load_pages_ki ...)
+ {DLA-2475-1}
- pdfresurrect 0.18-1
[buster] - pdfresurrect <no-dsa> (Minor issue)
- [stretch] - pdfresurrect <no-dsa> (Minor issue)
[jessie] - pdfresurrect <no-dsa> (Minor issue)
NOTE: https://github.com/enferex/pdfresurrect/commit/0c4120fffa3dffe97b95c486a120eded82afe8a6
NOTE: https://github.com/enferex/pdfresurrect/issues/6
@@ -15121,11 +15577,11 @@ CVE-2019-14910 (A vulnerability was found in keycloak 7.x, when keycloak is conf
CVE-2019-14909 (A vulnerability was found in Keycloak 7.x where the user federation LD ...)
NOT-FOR-US: Keycloak
CVE-2019-14908
- RESERVED
+ REJECTED
CVE-2019-14907 (All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11 ...)
+ {DLA-2668-1}
- samba 2:4.11.5+dfsg-1
[buster] - samba <no-dsa> (Minor issue)
- [stretch] - samba <no-dsa> (Minor issue)
[jessie] - samba <no-dsa> (Minor issue)
NOTE: https://www.samba.org/samba/security/CVE-2019-14907.html
CVE-2019-14906 (A flaw was found with the RHSA-2019:3950 erratum, where it did not fix ...)
@@ -15139,21 +15595,23 @@ CVE-2019-14905 (A vulnerability was found in Ansible Engine versions 2.9.x befor
NOTE: https://github.com/ansible/ansible/pull/65423
NOTE: https://github.com/ansible/ansible/blob/stable-2.2/CHANGELOG.md
CVE-2019-14904 (A flaw was found in the solaris_zone module from the Ansible Community ...)
+ {DSA-4950-1 DLA-2535-1}
- ansible 2.9.4+dfsg-1 (low)
- [buster] - ansible <no-dsa> (Minor issue)
- [stretch] - ansible <no-dsa> (Minor issue)
[jessie] - ansible <not-affected> (Vulnerable module first bundled in 2.0)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1776944
NOTE: https://github.com/ansible/ansible/pull/65686
NOTE: https://github.com/ansible/ansible/blob/stable-2.0/CHANGELOG.md
CVE-2019-14903
- RESERVED
+ REJECTED
CVE-2019-14902 (There is an issue in all samba 4.11.x versions before 4.11.5, all samb ...)
+ {DLA-2668-1}
- samba 2:4.11.5+dfsg-1
[buster] - samba <no-dsa> (Minor issue)
- [stretch] - samba <no-dsa> (Minor issue)
- [jessie] - samba <no-dsa> (Minor issue)
+ [jessie] - samba <ignored> (difficult and risky backport to 4.2 in jessie)
NOTE: https://www.samba.org/samba/security/CVE-2019-14902.html
+ NOTE: Workaround: Use of 'samba-tool drs replicate $DC1 $DC2 $NC --full-sync' will
+ NOTE: cause all ACLs to be syncronised from DC2 to DC1, for the given NC (naming
+ NOTE: context).
CVE-2019-14901 (A heap overflow flaw was found in the Linux kernel, all versions 3.x.x ...)
{DLA-2114-1 DLA-2068-1}
- linux 5.4.13-1
@@ -15220,8 +15678,12 @@ CVE-2019-14889 (A flaw was found with the libssh API function ssh_scp_new() in v
NOTE: https://bugs.debian.org/947129
NOTE: https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d163a943737fe4160f7233925df2eee1f9a
CVE-2019-14888 (A vulnerability was found in the Undertow HTTP server in versions befo ...)
- - undertow <undetermined>
+ - undertow 2.0.30-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1772464
+ NOTE: https://issues.redhat.com/browse/UNDERTOW-1623
+ NOTE: https://github.com/undertow-io/undertow/commit/846c50ead09f7d0b38965b4726ba0b6c5582bf7f (and followups)
+ NOTE: https://github.com/undertow-io/undertow/pull/828
+ NOTE: https://github.com/undertow-io/undertow/pull/852
CVE-2019-14887 (A flaw was found when an OpenSSL security provider is used with Wildfl ...)
- wildfly <itp> (bug #752018)
CVE-2019-14886 (A vulnerability was found in business-central, as shipped in rhdm-7.5. ...)
@@ -15303,9 +15765,9 @@ CVE-2019-14871 (The REENT_CHECK macro (see newlib/libc/include/sys/reent.h) as u
NOTE: https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/
NOTE: https://keithp.com/blogs/picolibc-string-float/
CVE-2019-14870 (All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11 ...)
+ {DLA-2668-1}
- samba 2:4.11.3+dfsg-1
[buster] - samba <no-dsa> (Minor issue)
- [stretch] - samba <no-dsa> (Minor issue)
[jessie] - samba <no-dsa> (Minor issue)
- heimdal 7.7.0+dfsg-1 (bug #946786)
[buster] - heimdal <no-dsa> (Minor issue)
@@ -15347,9 +15809,9 @@ CVE-2019-14865 (A flaw was found in the grub2-set-bootflag utility of grub2. A l
NOTE: https://seclists.org/oss-sec/2019/q4/101
NOTE: Red Hat-specific patch, get added as 0131-Add-grub-set-bootflag-utility.patch in their SRPM
CVE-2019-14864 (Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible v ...)
+ {DSA-4950-1}
- ansible 2.9.2+dfsg-1 (low; bug #943768)
- [buster] - ansible <no-dsa> (Minor issue)
- [stretch] - ansible <no-dsa> (Minor issue)
+ [stretch] - ansible <not-affected> (Vulnerable code was introduced later)
[jessie] - ansible <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/ansible/ansible/issues/63522
NOTE: https://github.com/ansible/ansible/pull/63527
@@ -15368,9 +15830,9 @@ CVE-2019-14862 (There is a vulnerability in knockout before version 3.5.0-beta,
NOTE: https://github.com/knockout/knockout/commit/7e280b2b8a04cc19176b5171263a5c68bda98efb
NOTE: Only impacts browsers which are totally insecure and EOLed anyway
CVE-2019-14861 (All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11 ...)
+ {DLA-2668-1}
- samba 2:4.11.3+dfsg-1
[buster] - samba <no-dsa> (Minor issue)
- [stretch] - samba <no-dsa> (Minor issue)
[jessie] - samba <no-dsa> (Minor issue)
NOTE: https://www.samba.org/samba/security/CVE-2019-14861.html
CVE-2019-14860 (It was found that the Syndesis configuration for Cross-Origin Resource ...)
@@ -15386,7 +15848,7 @@ CVE-2019-14859 (A flaw was found in all python-ecdsa versions before 0.13.3, whe
CVE-2019-14858 (A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible ...)
- ansible 2.8.6+dfsg-1 (bug #942332)
[buster] - ansible <no-dsa> (Minor issue)
- [stretch] - ansible <no-dsa> (Minor issue)
+ [stretch] - ansible <not-affected> (Vulnerable code was introduced later)
[jessie] - ansible <not-affected> (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1760593
NOTE: https://github.com/ansible/ansible/pull/63405
@@ -15401,11 +15863,12 @@ CVE-2019-14857 (A flaw was found in mod_auth_openidc before version 2.4.0.1. An
NOTE: https://groups.google.com/forum/#!topic/mod_auth_openidc/boy1Ba3Gdk4
CVE-2019-14855 (A flaw was found in the way certificate signatures could be forged usi ...)
- gnupg2 2.2.19-1 (low; bug #945859)
- [buster] - gnupg2 <no-dsa> (Minor issue)
+ [buster] - gnupg2 <ignored> (Minor issue)
[stretch] - gnupg2 <no-dsa> (Minor issue)
[jessie] - gnupg2 <ignored> (No backport to version << 2.2.x, low impact, danger of breaking things)
- gnupg1 <unfixed> (low)
- [buster] - gnupg1 <no-dsa> (Minor issue)
+ [bullseye] - gnupg1 <ignored> (Minor issue)
+ [buster] - gnupg1 <ignored> (Minor issue)
[stretch] - gnupg1 <no-dsa> (Minor issue)
- gnupg <removed> (low)
[jessie] - gnupg <ignored> (No backport to version << 2.2.x, low impact, danger of breaking things)
@@ -15424,10 +15887,9 @@ CVE-2019-14853 (An error-handling flaw was found in python-ecdsa before version
NOTE: https://github.com/warner/python-ecdsa/pull/115
NOTE: https://github.com/warner/python-ecdsa/pull/124
NOTE: Fix for CVE-2019-14853 fixes as well CVE-2019-14859.
-CVE-2019-14852
- RESERVED
-CVE-2019-14851 [assertion failure by issuing commands in the wrong order]
- RESERVED
+CVE-2019-14852 (A flaw was found in 3scale&#8217;s APIcast gateway that enabled the TL ...)
+ NOT-FOR-US: Red Hat 3scale API gateway
+CVE-2019-14851 (A denial of service vulnerability was discovered in nbdkit. A client i ...)
- nbdkit 1.14.2-1
[buster] - nbdkit <not-affected> (Issue introduced by the fix for CVE-2019-14850)
[stretch] - nbdkit <not-affected> (Issue introduced by the fix for CVE-2019-14850)
@@ -15439,8 +15901,7 @@ CVE-2019-14851 [assertion failure by issuing commands in the wrong order]
NOTE: https://github.com/libguestfs/nbdkit/commit/bf0d61883a2f02f4388ec10dc92d4c61c093679e
NOTE: 1.12:
NOTE: https://github.com/libguestfs/nbdkit/commit/b2bc6683ea3cd1f6be694e8a681dfa411b7d15f3
-CVE-2019-14850 [denial of service due to premature opening of back-end connection]
- RESERVED
+CVE-2019-14850 (A denial of service vulnerability was discovered in nbdkit 1.12.7, 1.1 ...)
- nbdkit 1.14.1-1
[buster] - nbdkit <no-dsa> (Minor issue)
[stretch] - nbdkit <no-dsa> (Minor issue)
@@ -15458,18 +15919,16 @@ CVE-2019-14850 [denial of service due to premature opening of back-end connectio
CVE-2019-14849 (A vulnerability was found in 3scale before version 2.6, did not set th ...)
NOT-FOR-US: Red Hat 3scale
CVE-2019-14848
- RESERVED
+ REJECTED
CVE-2019-14847 (A flaw was found in samba 4.0.0 before samba 4.9.15 and samba 4.10.x b ...)
+ {DLA-2668-1}
- samba 2:4.11.0+dfsg-6
[buster] - samba <no-dsa> (Minor issue)
- [stretch] - samba <no-dsa> (Minor issue)
[jessie] - samba <no-dsa> (Minor issue)
NOTE: https://www.samba.org/samba/security/CVE-2019-14847.html
-CVE-2019-14846 (Ansible, all ansible_engine-2.x versions and ansible_engine-3.x up to ...)
- {DLA-2202-1}
+CVE-2019-14846 (In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, an ...)
+ {DSA-4950-1 DLA-2535-1 DLA-2202-1}
- ansible 2.8.6+dfsg-1 (low; bug #942188)
- [buster] - ansible <no-dsa> (Minor issue)
- [stretch] - ansible <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1755373
NOTE: https://github.com/ansible/ansible/pull/63366
NOTE: https://github.com/ansible/ansible/commit/90e74dd2600e5cc42dd9b4f4656f3d651c4ce5c4
@@ -15484,16 +15943,18 @@ CVE-2019-14843 (A flaw was found in Wildfly Security Manager, running under JDK
- wildfly <itp> (bug #752018)
CVE-2019-14841
RESERVED
+ NOT-FOR-US: Red Hat Decision Manager
CVE-2019-14840
RESERVED
CVE-2019-14839
RESERVED
+ NOT-FOR-US: Red Hat / JBoss BPMS Business-central console
CVE-2019-14838 (A flaw was found in wildfly-core before 7.2.5.GA. The Management users ...)
- wildfly <itp> (bug #752018)
CVE-2019-14837 (A flaw was found in keycloack before version 8.0.0. The owner of 'plac ...)
NOT-FOR-US: Keycloak
-CVE-2019-14836
- RESERVED
+CVE-2019-14836 (A vulnerability was found that the 3scale dev portal does not employ m ...)
+ NOT-FOR-US: 3scale
CVE-2019-14835 (A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in ...)
{DSA-4531-1 DLA-1940-1 DLA-1930-1}
- linux 5.2.17-1
@@ -15504,32 +15965,33 @@ CVE-2019-14834 (A vulnerability was found in dnsmasq before version 2.81, where
[buster] - dnsmasq <no-dsa> (Minor issue)
[stretch] - dnsmasq <no-dsa> (Minor issue)
[jessie] - dnsmasq <no-dsa> (Minor issue)
- NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=69bc94779c2f035a9fffdb5327a54c3aeca73ed5
+ NOTE: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=69bc94779c2f035a9fffdb5327a54c3aeca73ed5
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1764425
CVE-2019-14833 (A flaw was found in Samba, all versions starting samba 4.5.0 before sa ...)
+ {DLA-2668-1}
- samba 2:4.11.1+dfsg-2
[buster] - samba <no-dsa> (Minor issue)
- [stretch] - samba <no-dsa> (Minor issue)
[jessie] - samba <no-dsa> (Minor issue)
NOTE: https://www.samba.org/samba/security/CVE-2019-14833.html
CVE-2019-14832 (A flaw was found in the Keycloak REST API before version 8.0.0 where i ...)
NOT-FOR-US: Keycloak
-CVE-2019-14831
- RESERVED
-CVE-2019-14830
- RESERVED
-CVE-2019-14829
- RESERVED
-CVE-2019-14828
- RESERVED
-CVE-2019-14827
- RESERVED
+CVE-2019-14831 (A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to ...)
+ - moodle <removed>
+CVE-2019-14830 (A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to ...)
+ - moodle <removed>
+CVE-2019-14829 (A vulnerability was found in Moodle affection 3.7 to 3.7.1, 3.6 to 3.6 ...)
+ - moodle <removed>
+CVE-2019-14828 (A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6 ...)
+ - moodle <removed>
+CVE-2019-14827 (A vulnerability was found in Moodle where javaScript injection was pos ...)
+ - moodle <removed>
CVE-2019-14826 (A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies ...)
- - freeipa <unfixed> (bug #940913)
- [buster] - freeipa <no-dsa> (Minor issue)
+ - freeipa <unfixed> (unimportant; bug #940913)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1746944
NOTE: Introduced by https://pagure.io/freeipa/c/b895f4a34bcbd0b1787d2bfc1db25f34c3584b9c
NOTE: due to fix for https://fedorahosted.org/freeipa/ticket/6682.
+ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1746944#c12
+ NOTE: Negligible security impact
CVE-2019-14825 (A cleartext password storage issue was discovered in Katello, versions ...)
NOT-FOR-US: Katello
CVE-2019-14824 (A flaw was found in the 'deref' plugin of 389-ds-base where it could u ...)
@@ -15632,9 +16094,9 @@ CVE-2019-14809 (net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles
- golang-1.12 1.12.8-1
- golang-1.11 1.11.13-1
- golang-1.8 <removed>
- [stretch] - golang-1.8 <ignored> (Minor issue)
+ [stretch] - golang-1.8 <ignored> (Minor issue, affects poor validation practice, introduce regressions, requires rebuilding affected go-based packages)
- golang-1.7 <removed>
- [stretch] - golang-1.7 <ignored> (Minor issue)
+ [stretch] - golang-1.7 <ignored> (Minor issue, affects poor validation practice, introduce regressions, requires rebuilding affected go-based packages)
- golang <removed>
[jessie] - golang <ignored> (Fix too invasive to backport, url.go file in jessie too far behind upstream)
NOTE: Issue: https://github.com/golang/go/issues/29098
@@ -15807,7 +16269,7 @@ CVE-2019-14744 (In KDE Frameworks KConfig before 5.61.0, malicious desktop files
{DSA-4494-1 DLA-1890-1}
- kconfig 5.54.0-2 (bug #934267)
- kde4libs 4:4.14.38-4 (bug #934268)
- [buster] - kde4libs <no-dsa> (Minor issue)
+ [buster] - kde4libs <ignored> (Minor issue)
[stretch] - kde4libs <no-dsa> (Minor issue)
NOTE: https://gist.githubusercontent.com/zeropwn/630832df151029cb8f22d5b6b9efaefb/raw/64aa3d30279acb207f787ce9c135eefd5e52643b/kde-kdesktopfile-command-injection.txt
NOTE: https://kde.org/info/security/advisory-20190807-1.txt
@@ -15832,23 +16294,26 @@ CVE-2019-14736
CVE-2019-14735
RESERVED
CVE-2019-14734 (AdPlug 2.3.1 has multiple heap-based buffer overflows in CmtkLoader::l ...)
- - adplug <unfixed>
+ - adplug 2.3.3+dfsg-2
[buster] - adplug <no-dsa> (Minor issue)
[stretch] - adplug <no-dsa> (Minor issue)
[jessie] - adplug <no-dsa> (Minor issue)
NOTE: https://github.com/adplug/adplug/issues/90
+ NOTE: https://github.com/adplug/adplug/commit/8342139c09178823dba3f3bbd8b53d0ea0c72de9
CVE-2019-14733 (AdPlug 2.3.1 has multiple heap-based buffer overflows in CradLoader::l ...)
- - adplug <unfixed>
+ - adplug 2.3.3+dfsg-2
[buster] - adplug <no-dsa> (Minor issue)
[stretch] - adplug <no-dsa> (Minor issue)
[jessie] - adplug <no-dsa> (Minor issue)
NOTE: https://github.com/adplug/adplug/issues/89
+ NOTE: https://github.com/adplug/adplug/commit/cb715174f95187bf544c11ca2a2ecd091b7fbb8a (eventually got replaced by rad2.cpp rewrite)
CVE-2019-14732 (AdPlug 2.3.1 has multiple heap-based buffer overflows in Ca2mLoader::l ...)
- - adplug <unfixed>
+ - adplug 2.3.3+dfsg-2
[buster] - adplug <no-dsa> (Minor issue)
[stretch] - adplug <no-dsa> (Minor issue)
[jessie] - adplug <no-dsa> (Minor issue)
NOTE: https://github.com/adplug/adplug/issues/88
+ NOTE: https://github.com/adplug/adplug/commit/30ddcfe9bd1cce3e02f8135961bceb411419dbdb
CVE-2019-14731 (An issue was discovered in ZenTao 11.5.1. There is an XSS (stored) vul ...)
NOT-FOR-US: ZenTao CMS
CVE-2019-14730 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecu ...)
@@ -15873,24 +16338,24 @@ CVE-2019-14721 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an
NOT-FOR-US: CentOS-WebPanel.com CentOS Web Panel
CVE-2019-14720
RESERVED
-CVE-2019-14719
- RESERVED
-CVE-2019-14718
- RESERVED
-CVE-2019-14717
- RESERVED
-CVE-2019-14716
- RESERVED
-CVE-2019-14715
- RESERVED
+CVE-2019-14719 (Verifone MX900 series Pinpad Payment Terminals with OS 30251000 allow ...)
+ NOT-FOR-US: Verifone MX900 series Pinpad Payment Terminals
+CVE-2019-14718 (Verifone MX900 series Pinpad Payment Terminals with OS 30251000 have I ...)
+ NOT-FOR-US: Verifone MX900 series Pinpad Payment Terminals
+CVE-2019-14717 (Verifone Verix OS on VerixV Pinpad Payment Terminals with QT000530 hav ...)
+ NOT-FOR-US: Verifone Verix OS on VerixV Pinpad Payment Terminals
+CVE-2019-14716 (Verifone VerixV Pinpad Payment Terminals with QT000530 have an undocum ...)
+ NOT-FOR-US: Verifone VerixV Pinpad Payment Terminals
+CVE-2019-14715 (Verifone Pinpad Payment Terminals allow undocumented physical access t ...)
+ NOT-FOR-US: Verifone Pinpad Payment Terminals
CVE-2019-14714
RESERVED
-CVE-2019-14713
- RESERVED
-CVE-2019-14712
- RESERVED
-CVE-2019-14711
- RESERVED
+CVE-2019-14713 (Verifone MX900 series Pinpad Payment Terminals with OS 30251000 allow ...)
+ NOT-FOR-US: Verifone MX900 series Pinpad Payment Terminals
+CVE-2019-14712 (Verifone VerixV Pinpad Payment Terminals with QT000530 allow bypass of ...)
+ NOT-FOR-US: Verifone VerixV Pinpad Payment Terminals
+CVE-2019-14711 (Verifone MX900 series Pinpad Payment Terminals with OS 30251000 have a ...)
+ NOT-FOR-US: Verifone MX900 series Pinpad Payment Terminals
CVE-2019-14710
RESERVED
CVE-2019-14709 (A cleartext password storage issue was discovered on MicroDigital N-se ...)
@@ -15927,21 +16392,21 @@ CVE-2019-14693 (Zoho ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML Ex
NOT-FOR-US: Zoho ManageEngine AssetExplorer
CVE-2019-14692 (AdPlug 2.3.1 has a heap-based buffer overflow in CmkjPlayer::load() in ...)
[experimental] - adplug 2.3.3+dfsg-1
- - adplug <unfixed> (bug #943927)
+ - adplug 2.3.3+dfsg-2 (bug #943927)
[buster] - adplug <no-dsa> (Minor issue)
[stretch] - adplug <no-dsa> (Minor issue)
[jessie] - adplug <no-dsa> (Minor issue)
NOTE: https://github.com/adplug/adplug/issues/87
CVE-2019-14691 (AdPlug 2.3.1 has a heap-based buffer overflow in CdtmLoader::load() in ...)
[experimental] - adplug 2.3.3+dfsg-1
- - adplug <unfixed> (bug #943928)
+ - adplug 2.3.3+dfsg-2 (bug #943928)
[buster] - adplug <no-dsa> (Minor issue)
[stretch] - adplug <no-dsa> (Minor issue)
[jessie] - adplug <no-dsa> (Minor issue)
NOTE: https://github.com/adplug/adplug/issues/86
CVE-2019-14690 (AdPlug 2.3.1 has a heap-based buffer overflow in CxadbmfPlayer::__bmf_ ...)
[experimental] - adplug 2.3.3+dfsg-1
- - adplug <unfixed> (bug #943929)
+ - adplug 2.3.3+dfsg-2 (bug #943929)
[buster] - adplug <no-dsa> (Minor issue)
[stretch] - adplug <no-dsa> (Minor issue)
[jessie] - adplug <no-dsa> (Minor issue)
@@ -16005,20 +16470,19 @@ CVE-2019-14666 (GLPI through 9.4.3 is prone to account takeover by abusing the a
NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-47hq-pfrr-jh5q
NOTE: Only supported behind an authenticated HTTP zone
CVE-2019-14665 (Brandy 1.20.1 has a heap-based buffer overflow in define_array in vari ...)
- - brandy <unfixed> (unimportant; bug #933996)
+ - brandy 1.22.13-1 (unimportant; bug #933996)
NOTE: https://sourceforge.net/p/brandy/bugs/8/
NOTE: Negligible security impact
CVE-2019-14664 (In Enigmail below 2.1, an attacker in possession of PGP encrypted emai ...)
- - enigmail <unfixed>
- [buster] - enigmail <ignored> (Minor issue and too intrusive to backport)
+ - enigmail 2:2.1.3+ds1-1
[jessie] - enigmail <end-of-life> (see https://lists.debian.org/debian-lts-announce/2019/02/msg00002.html)
NOTE: https://sourceforge.net/p/enigmail/bugs/984/
CVE-2019-14663 (Brandy 1.20.1 has a stack-based buffer overflow in fileio_openin in fi ...)
- - brandy <unfixed> (unimportant; bug #933996)
+ - brandy 1.22.13-1 (unimportant; bug #933996)
NOTE: https://sourceforge.net/p/brandy/bugs/6/
NOTE: Negligible security impact
CVE-2019-14662 (Brandy 1.20.1 has a stack-based buffer overflow in fileio_openout in f ...)
- - brandy <unfixed> (unimportant; bug #933996)
+ - brandy 1.22.13-1 (unimportant; bug #933996)
NOTE: https://sourceforge.net/p/brandy/bugs/7/
NOTE: Negligible security impact
CVE-2019-14661
@@ -16179,22 +16643,24 @@ CVE-2019-14589
RESERVED
CVE-2019-14588
RESERVED
-CVE-2019-14587
- RESERVED
+CVE-2019-14587 (Logic issue EDK II may allow an unauthenticated user to potentially en ...)
+ {DLA-2645-1}
- edk2 0~20200229.4c0f6e34-1
[buster] - edk2 0~20181115.85588389-3+deb10u1
- [stretch] - edk2 <ignored> (Minor issue)
[jessie] - edk2 <end-of-life> (non-free)
-CVE-2019-14586
- RESERVED
+CVE-2019-14586 (Use after free vulnerability in EDK II may allow an authenticated user ...)
+ {DLA-2645-1}
- edk2 0~20200229.4c0f6e34-1
[buster] - edk2 0~20181115.85588389-3+deb10u1
- [stretch] - edk2 <ignored> (Minor issue)
[jessie] - edk2 <end-of-life> (non-free)
CVE-2019-14585
RESERVED
-CVE-2019-14584
- RESERVED
+CVE-2019-14584 (Null pointer dereference in Tianocore EDK2 may allow an authenticated ...)
+ {DLA-2645-1}
+ - edk2 2020.11-1 (bug #977300)
+ [buster] - edk2 0~20181115.85588389-3+deb10u3
+ NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1914
+ NOTE: https://github.com/tianocore/edk2/commit/26442d11e620a9e81c019a24a4ff38441c64ba10
CVE-2019-14583
RESERVED
CVE-2019-14582
@@ -16211,11 +16677,10 @@ CVE-2019-14577
RESERVED
CVE-2019-14576
RESERVED
-CVE-2019-14575 [DxeImageVerificationHandler() fails open in case of dbx signature check]
- RESERVED
+CVE-2019-14575 (Logic issue in DxeImageVerificationHandler() for EDK II may allow an a ...)
+ {DLA-2645-1}
- edk2 0~20200229.4c0f6e34-1 (low; bug #952935)
[buster] - edk2 0~20181115.85588389-3+deb10u1
- [stretch] - edk2 <ignored> (Minor issue)
[jessie] - edk2 <end-of-life> (non-free)
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
CVE-2019-14574 (Out of bounds read in a subsystem for Intel(R) Graphics Driver version ...)
@@ -16240,19 +16705,17 @@ CVE-2019-14565 (Insufficient initialization in Intel(R) SGX SDK Windows versions
NOT-FOR-US: Intel
CVE-2019-14564
RESERVED
-CVE-2019-14563 [numeric truncation in MdeModulePkg/PiDxeS3BootScriptLib]
- RESERVED
+CVE-2019-14563 (Integer truncation in EDK II may allow an authenticated user to potent ...)
+ {DLA-2645-1}
- edk2 0~20200229.4c0f6e34-1 (low; bug #952934)
[buster] - edk2 0~20181115.85588389-3+deb10u1
- [stretch] - edk2 <ignored> (Minor issue)
[jessie] - edk2 <end-of-life> (non-free)
NOTE: https://github.com/tianocore/edk2/commit/322ac05f8bbc1bce066af1dabd1b70ccdbe28891
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2001
-CVE-2019-14562
- RESERVED
+CVE-2019-14562 (Integer overflow in DxeImageVerificationHandler() EDK II may allow an ...)
+ {DLA-2645-1}
- edk2 2020.05-4 (bug #968819)
- [buster] - edk2 <no-dsa> (Minor issue)
- [stretch] - edk2 <no-dsa> (Minor issue)
+ [buster] - edk2 0~20181115.85588389-3+deb10u2
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1869245
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
CVE-2019-14561
@@ -16260,36 +16723,34 @@ CVE-2019-14561
CVE-2019-14560 [GetEfiGlobalVariable2() return value not checked]
RESERVED
- edk2 <unfixed> (bug #967994)
+ [bullseye] - edk2 <no-dsa> (Minor issue)
[buster] - edk2 <no-dsa> (Minor issue)
[stretch] - edk2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2167
-CVE-2019-14559 [memory leak in ArpOnFrameRcvdDpc]
- RESERVED
+CVE-2019-14559 (Uncontrolled resource consumption in EDK II may allow an unauthenticat ...)
+ {DLA-2645-1}
- edk2 0~20200229.4c0f6e34-1 (bug #952926; low)
[buster] - edk2 0~20181115.85588389-3+deb10u1
- [stretch] - edk2 <ignored> (Minor issue)
[jessie] - edk2 <end-of-life> (non-free)
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2550
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2031
-CVE-2019-14558
- RESERVED
+CVE-2019-14558 (Insufficient control flow management in BIOS firmware for 8th, 9th, 10 ...)
+ {DLA-2645-1}
- edk2 0~20200229.4c0f6e34-1
[buster] - edk2 0~20181115.85588389-3+deb10u1
- [stretch] - edk2 <ignored> (Minor issue)
[jessie] - edk2 <end-of-life> (non-free)
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1611
NOTE: https://github.com/tianocore/edk2/commit/764e8ba1389a617639d79d2c4f0d53f4ea4a7387
NOTE: https://github.com/tianocore/edk2/commit/f1d78c489a39971b5aac5d2fc8a39bfa925c3c5d
-CVE-2019-14557
- RESERVED
-CVE-2019-14556
- RESERVED
+CVE-2019-14557 (Buffer overflow in BIOS firmware for 8th, 9th, 10th Generation Intel(R ...)
+ NOT-FOR-US: Intel
+CVE-2019-14556 (Improper initialization in BIOS firmware for 8th, 9th, 10th Generation ...)
+ NOT-FOR-US: Intel
CVE-2019-14555
RESERVED
CVE-2019-14554
RESERVED
-CVE-2019-14553 [invalid server certificate accepted in HTTPS-over-IPv6 boot]
- RESERVED
+CVE-2019-14553 (Improper authentication in EDK II may allow a privileged user to poten ...)
- edk2 0~20190828.37eef910-4 (unimportant; bug #941775)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1758518
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=960
@@ -16323,7 +16784,7 @@ CVE-2019-14541 (GnuCOBOL 2.2 has a stack-based buffer overflow in cb_encode_prog
- open-cobol <removed>
[stretch] - open-cobol <ignored> (Minor issue)
[jessie] - open-cobol <no-dsa> (Minor issue)
- NOTE: https://sourceforge.net/p/open-cobol/bugs/584/
+ NOTE: https://sourceforge.net/p/gnucobol/bugs/584/
CVE-2019-14540 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...)
{DSA-4542-1 DLA-1943-1}
- jackson-databind 2.10.0-1 (bug #940498)
@@ -16371,7 +16832,7 @@ CVE-2019-14528 (GnuCOBOL 2.2 has a heap-based buffer overflow in read_literal in
- open-cobol <removed>
[stretch] - open-cobol <ignored> (Minor issue)
[jessie] - open-cobol <no-dsa> (Minor issue)
- NOTE: https://sourceforge.net/p/open-cobol/bugs/583/
+ NOTE: https://sourceforge.net/p/gnucobol/bugs/583/
CVE-2019-14527 (An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices befor ...)
NOT-FOR-US: NETGEAR
CVE-2019-14526 (An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices befor ...)
@@ -16414,11 +16875,11 @@ CVE-2019-14513 (Improper bounds checking in Dnsmasq before 2.76 allows an attack
[buster] - dnsmasq <no-dsa> (Minor issue)
[stretch] - dnsmasq <no-dsa> (Minor issue)
NOTE: https://github.com/Slovejoy/dnsmasq-pre2.76
- NOTE: http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=d3a8b39c7df2f0debf3b5f274a1c37a9e261f94e
+ NOTE: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=d3a8b39c7df2f0debf3b5f274a1c37a9e261f94e
CVE-2019-14512 (LimeSurvey 3.17.7+190627 has XSS via Boxes in application/extensions/P ...)
- limesurvey <itp> (bug #472802)
CVE-2019-14511 (Sphinx Technologies Sphinx 3.1.1 by default has no authentication and ...)
- - sphinxsearch <unfixed> (unimportant; bug #939762)
+ - sphinxsearch 2.2.11-4 (unimportant; bug #939762)
NOTE: Issue is just with the default configuration, but can be easily reconfigured
NOTE: to listen on localhost only. sphinxsearch will not be started automatically
NOTE: and an admin needs first to create anyway a /etc/sphinxsearch/sphinx.conf
@@ -16458,31 +16919,31 @@ CVE-2019-14498 (A divide-by-zero error exists in the Control function of demux/c
CVE-2019-14497 (ModuleEditor::convertInstrument in tracker/ModuleEditor.cpp in MilkyTr ...)
{DLA-2292-1 DLA-1961-1}
- milkytracker 1.02.00+dfsg-2 (bug #933964)
- [buster] - milkytracker <no-dsa> (Minor issue)
+ [buster] - milkytracker 1.02.00+dfsg-1+deb10u1
NOTE: https://github.com/milkytracker/MilkyTracker/issues/182
NOTE: https://github.com/milkytracker/MilkyTracker/commit/ea7772a3fae0a9dd0a322e8fec441d15843703b7
CVE-2019-14496 (LoaderXM::load in LoaderXM.cpp in milkyplay in MilkyTracker 1.02.00 ha ...)
{DLA-2292-1 DLA-1961-1}
- milkytracker 1.02.00+dfsg-2 (bug #933964)
- [buster] - milkytracker <no-dsa> (Minor issue)
+ [buster] - milkytracker 1.02.00+dfsg-1+deb10u1
NOTE: https://github.com/milkytracker/MilkyTracker/issues/183
NOTE: https://github.com/milkytracker/MilkyTracker/commit/ea7772a3fae0a9dd0a322e8fec441d15843703b7
CVE-2019-14495 (webadmin.c in 3proxy before 0.8.13 has an out-of-bounds write in the a ...)
- 3proxy <itp> (bug #718219)
CVE-2019-14494 (An issue was discovered in Poppler through 0.78.0. There is a divide-b ...)
+ {DLA-2440-1}
[experimental] - poppler 0.81.0-1
- poppler 0.85.0-2 (bug #933812)
[buster] - poppler <ignored> (Minor issue)
- [stretch] - poppler <ignored> (Minor issue)
[jessie] - poppler <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/802
NOTE: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/317
NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/b224e2f5739fe61de9fa69955d016725b2a4b78d
CVE-2019-14493 (An issue was discovered in OpenCV before 4.1.1. There is a NULL pointe ...)
+ {DLA-2799-1}
[experimental] - opencv 4.1.1+dfsg-1
- opencv 4.1.2+dfsg-3
[buster] - opencv <no-dsa> (Minor issue)
- [stretch] - opencv <no-dsa> (Minor issue)
[jessie] - opencv <postponed> (Minor issue, DoS, PoC not crashing)
NOTE: https://github.com/opencv/opencv/issues/15127
NOTE: https://github.com/opencv/opencv/commit/5691d998ead1d9b0542bcfced36c2dceb3a59023
@@ -16518,27 +16979,27 @@ CVE-2019-14486 (GnuCOBOL 2.2 has a buffer overflow in cb_evaluate_expr in cobc/f
- open-cobol <removed>
[stretch] - open-cobol <ignored> (Minor issue)
[jessie] - open-cobol <no-dsa> (Minor issue)
- NOTE: https://sourceforge.net/p/open-cobol/bugs/582/
+ NOTE: https://sourceforge.net/p/gnucobol/bugs/582/
CVE-2019-14485
RESERVED
CVE-2019-14484
RESERVED
-CVE-2019-14483
- RESERVED
-CVE-2019-14482
- RESERVED
-CVE-2019-14481
- RESERVED
-CVE-2019-14480
- RESERVED
-CVE-2019-14479
- RESERVED
-CVE-2019-14478
- RESERVED
-CVE-2019-14477
- RESERVED
-CVE-2019-14476
- RESERVED
+CVE-2019-14483 (AdRem NetCrunch 10.6.0.4587 allows Credentials Disclosure. Every user ...)
+ NOT-FOR-US: AdRem NetCrunch
+CVE-2019-14482 (AdRem NetCrunch 10.6.0.4587 has a hardcoded SSL private key vulnerabil ...)
+ NOT-FOR-US: AdRem NetCrunch
+CVE-2019-14481 (AdRem NetCrunch 10.6.0.4587 has a Cross-Site Request Forgery (CSRF) vu ...)
+ NOT-FOR-US: AdRem NetCrunch
+CVE-2019-14480 (AdRem NetCrunch 10.6.0.4587 has an Improper Session Handling vulnerabi ...)
+ NOT-FOR-US: AdRem NetCrunch
+CVE-2019-14479 (AdRem NetCrunch 10.6.0.4587 allows Remote Code Execution. In the NetCr ...)
+ NOT-FOR-US: AdRem NetCrunch
+CVE-2019-14478 (AdRem NetCrunch 10.6.0.4587 has a stored Cross-Site Scripting (XSS) vu ...)
+ NOT-FOR-US: AdRem NetCrunch
+CVE-2019-14477 (AdRem NetCrunch 10.6.0.4587 has Improper Credential Storage since the ...)
+ NOT-FOR-US: AdRem NetCrunch
+CVE-2019-14476 (AdRem NetCrunch 10.6.0.4587 has a Server-Side Request Forgery (SSRF) v ...)
+ NOT-FOR-US: AdRem NetCrunch
CVE-2019-14475 (eQ-3 Homematic CCU2 2.47.15 and prior and CCU3 3.47.15 and prior use s ...)
NOT-FOR-US: eQ-3 Homematic CCU2 and CCU3
CVE-2019-14474 (eQ-3 Homematic CCU3 3.47.15 and prior has Improper Input Validation in ...)
@@ -16559,7 +17020,7 @@ CVE-2019-14468 (GnuCOBOL 2.2 has a buffer overflow in cb_push_op in cobc/field.c
- open-cobol <removed>
[stretch] - open-cobol <ignored> (Minor issue)
[jessie] - open-cobol <no-dsa> (Minor issue)
- NOTE: https://sourceforge.net/p/open-cobol/bugs/581/
+ NOTE: https://sourceforge.net/p/gnucobol/bugs/581/
CVE-2019-14467 (The Social Photo Gallery plugin 1.0 for WordPress allows Remote Code E ...)
NOT-FOR-US: Social Photo Gallery plugin for WordPress
CVE-2019-14466 (The GOsa_Filter_Settings cookie in GONICUS GOsa 2.7.5.2 is vulnerable ...)
@@ -16580,22 +17041,22 @@ CVE-2019-14465 (fmt_mtm_load_song in fmt/mtm.c in Schism Tracker 20190722 has a
CVE-2019-14464 (XMFile::read in XMFile.cpp in milkyplay in MilkyTracker 1.02.00 has a ...)
{DLA-2292-1 DLA-1961-1}
- milkytracker 1.02.00+dfsg-2 (bug #933964)
- [buster] - milkytracker <no-dsa> (Minor issue)
+ [buster] - milkytracker 1.02.00+dfsg-1+deb10u1
NOTE: https://github.com/milkytracker/MilkyTracker/issues/184
NOTE: https://github.com/milkytracker/MilkyTracker/commit/fd607a3439fcdd0992e5efded3c16fc79c804e34
CVE-2019-14463 (An issue was discovered in libmodbus before 3.0.7 and 3.1.x before 3.1 ...)
+ {DLA-2825-1}
- libmodbus 3.1.6-1 (bug #933805)
[buster] - libmodbus <no-dsa> (Minor issue)
- [stretch] - libmodbus <no-dsa> (Minor issue)
[jessie] - libmodbus <no-dsa> (Minor issue)
NOTE: https://github.com/stephane/libmodbus/commit/5ccdf5ef79d742640355d1132fa9e2abc7fbaefc (3.1.5)
NOTE: https://github.com/stephane/libmodbus/commit/6f915d4215c06be3c719761423d9b5e8aa3cb820 (3.1.5)
NOTE: https://github.com/stephane/libmodbus/commit/2b5cb5896120d7564f4c34fdc5aaa4f22a97e45c (3.0.7)
NOTE: https://github.com/stephane/libmodbus/commit/64cd092bcc421a70431fe1fb6b7f1e6f491f7cf8 (3.0.8)
CVE-2019-14462 (An issue was discovered in libmodbus before 3.0.7 and 3.1.x before 3.1 ...)
+ {DLA-2825-1}
- libmodbus 3.1.6-1 (bug #933805)
[buster] - libmodbus <no-dsa> (Minor issue)
- [stretch] - libmodbus <no-dsa> (Minor issue)
[jessie] - libmodbus <no-dsa> (Minor issue)
NOTE: https://github.com/stephane/libmodbus/commit/5ccdf5ef79d742640355d1132fa9e2abc7fbaefc (3.1.5)
NOTE: https://github.com/stephane/libmodbus/commit/6f915d4215c06be3c719761423d9b5e8aa3cb820 (3.1.5)
@@ -16606,9 +17067,9 @@ CVE-2019-14461
CVE-2019-14460
RESERVED
CVE-2019-14459 (nfdump 1.6.17 and earlier is affected by an integer overflow in the fu ...)
+ {DLA-2383-1}
- nfdump 1.6.18-1 (bug #933740)
[buster] - nfdump <no-dsa> (Minor issue)
- [stretch] - nfdump <no-dsa> (Minor issue)
NOTE: https://github.com/phaag/nfdump/issues/171
NOTE: https://github.com/phaag/nfdump/commit/3b006ededaf351f1723aea6c727c9edd1b1fff9b
CVE-2019-14458 (VIVOTEK IP Camera devices with firmware before 0x20x allow a denial of ...)
@@ -16621,8 +17082,8 @@ CVE-2019-14455
RESERVED
CVE-2019-14454 (SuiteCRM 7.11.x and 7.10.x before 7.11.8 and 7.10.20 is vulnerable to ...)
NOT-FOR-US: SuiteCRM
-CVE-2019-14453
- RESERVED
+CVE-2019-14453 (An issue was discovered in Comelit "App lejos de casa (web)" 2.8.0. It ...)
+ NOT-FOR-US: Comelit "App lejos de casa (web)"
CVE-2019-14452 (Sigil before 0.9.16 is vulnerable to a directory traversal, allowing a ...)
- sigil 0.9.16+dfsg-1 (bug #933797)
[buster] - sigil <no-dsa> (Minor issue)
@@ -16821,6 +17282,7 @@ CVE-2019-14378 (ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer
- slirp4netns 0.3.2-1 (bug #933742)
[buster] - slirp4netns 0.2.3-1
NOTE: https://gitlab.freedesktop.org/slirp/libslirp/commit/126c04acbabd7ad32c2b018fe10dfac2a3bc1210
+ NOTE: https://github.com/rootless-containers/slirp4netns/security/advisories/GHSA-gjwp-vf65-3jqf
CVE-2019-14377
RESERVED
CVE-2019-14376
@@ -17077,7 +17539,7 @@ CVE-2019-1020015 (graphql-engine (aka Hasura GraphQL Engine) before 1.0.0-beta.3
NOT-FOR-US: graphql-engine (aka Hasura GraphQL Engine)
CVE-2019-1020014 (docker-credential-helpers before 0.6.3 has a double free in the List f ...)
- golang-github-docker-docker-credential-helpers 0.6.1-3 (bug #933801)
- [buster] - golang-github-docker-docker-credential-helpers <no-dsa> (Minor issue, can be fixed in point release)
+ [buster] - golang-github-docker-docker-credential-helpers 0.6.1-2+deb10u1
[stretch] - golang-github-docker-docker-credential-helpers <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/docker/docker-credential-helpers/commit/1c9f7ede70a5ab9851f4c9cb37d317fd89cd318a
CVE-2019-1020013 (parse-server before 3.6.0 allows account enumeration. ...)
@@ -17205,8 +17667,9 @@ CVE-2019-14249 (dwarf_elf_load_headers.c in libdwarf before 2019-07-05 allows at
NOTE: Fixed by: https://sourceforge.net/p/libdwarf/code/ci/cb7198abde46c2ae29957ad460da6886eaa606ba
NOTE: Introduced in: https://sourceforge.net/p/libdwarf/code/ci/4709f63c8b7488241b5b522267a796834a66db3a
CVE-2019-14248 (In libnasm.a in Netwide Assembler (NASM) 2.14.xx, asm/pragma.c allows ...)
- - nasm <unfixed> (unimportant; bug #932907)
+ - nasm 2.15.02-1 (unimportant; bug #932907)
NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392576
+ NOTE: https://github.com/netwide-assembler/nasm/commit/93d41d82963b2cfd0b24c906f5a8daf53281b559
NOTE: Crash in CLI tool, no security impact
CVE-2019-14247 (The scan() function in mad.c in mpg321 0.3.2 allows remote attackers t ...)
- mpg321 0.3.2-2
@@ -17319,213 +17782,213 @@ CVE-2019-14205 (A Local File Inclusion vulnerability in the Nevma Adaptive Image
NOT-FOR-US: Nevma Adaptive Images plugin for WordPress
CVE-2019-14204 (An issue was discovered in Das U-Boot through 2019.07. There is a stac ...)
- u-boot 2020.01+dfsg-1
- [buster] - u-boot <no-dsa> (Minor issue)
+ [buster] - u-boot <ignored> (Minor issue)
[stretch] - u-boot <no-dsa> (Minor issue)
[jessie] - u-boot <no-dsa> (Minor issue)
NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/
NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/741a8a08ebe5bc3ccfe3cde6c2b44ee53891af21
CVE-2019-14203 (An issue was discovered in Das U-Boot through 2019.07. There is a stac ...)
- u-boot 2020.01+dfsg-1
- [buster] - u-boot <no-dsa> (Minor issue)
+ [buster] - u-boot <ignored> (Minor issue)
[stretch] - u-boot <no-dsa> (Minor issue)
[jessie] - u-boot <no-dsa> (Minor issue)
NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/
NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/741a8a08ebe5bc3ccfe3cde6c2b44ee53891af21
CVE-2019-14202 (An issue was discovered in Das U-Boot through 2019.07. There is a stac ...)
- u-boot 2020.01+dfsg-1
- [buster] - u-boot <no-dsa> (Minor issue)
+ [buster] - u-boot <ignored> (Minor issue)
[stretch] - u-boot <no-dsa> (Minor issue)
[jessie] - u-boot <no-dsa> (Minor issue)
NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/
NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/741a8a08ebe5bc3ccfe3cde6c2b44ee53891af21
CVE-2019-14201 (An issue was discovered in Das U-Boot through 2019.07. There is a stac ...)
- u-boot 2020.01+dfsg-1
- [buster] - u-boot <no-dsa> (Minor issue)
+ [buster] - u-boot <ignored> (Minor issue)
[stretch] - u-boot <no-dsa> (Minor issue)
[jessie] - u-boot <no-dsa> (Minor issue)
NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/
NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/741a8a08ebe5bc3ccfe3cde6c2b44ee53891af21
CVE-2019-14200 (An issue was discovered in Das U-Boot through 2019.07. There is a stac ...)
- u-boot 2020.01+dfsg-1
- [buster] - u-boot <no-dsa> (Minor issue)
+ [buster] - u-boot <ignored> (Minor issue)
[stretch] - u-boot <no-dsa> (Minor issue)
[jessie] - u-boot <no-dsa> (Minor issue)
NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/
NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/741a8a08ebe5bc3ccfe3cde6c2b44ee53891af21
CVE-2019-14199 (An issue was discovered in Das U-Boot through 2019.07. There is an unb ...)
- u-boot 2020.01+dfsg-1
- [buster] - u-boot <no-dsa> (Minor issue)
+ [buster] - u-boot <ignored> (Minor issue)
[stretch] - u-boot <no-dsa> (Minor issue)
[jessie] - u-boot <no-dsa> (Minor issue)
NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/
NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/fe7288069d2e6659117049f7d27e261b550bb725
CVE-2019-14198 (An issue was discovered in Das U-Boot through 2019.07. There is an unb ...)
- u-boot 2020.01+dfsg-1
- [buster] - u-boot <no-dsa> (Minor issue)
+ [buster] - u-boot <ignored> (Minor issue)
[stretch] - u-boot <no-dsa> (Minor issue)
[jessie] - u-boot <no-dsa> (Minor issue)
NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/
NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/aa207cf3a6d68f39d64cd29057a4fb63943e9078
CVE-2019-14197 (An issue was discovered in Das U-Boot through 2019.07. There is a read ...)
- u-boot 2020.01+dfsg-1
- [buster] - u-boot <no-dsa> (Minor issue)
+ [buster] - u-boot <ignored> (Minor issue)
[stretch] - u-boot <no-dsa> (Minor issue)
[jessie] - u-boot <no-dsa> (Minor issue)
NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/
NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/741a8a08ebe5bc3ccfe3cde6c2b44ee53891af21
CVE-2019-14196 (An issue was discovered in Das U-Boot through 2019.07. There is an unb ...)
- u-boot 2020.01+dfsg-1
- [buster] - u-boot <no-dsa> (Minor issue)
+ [buster] - u-boot <ignored> (Minor issue)
[stretch] - u-boot <no-dsa> (Minor issue)
[jessie] - u-boot <no-dsa> (Minor issue)
NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/
NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/5d14ee4e53a81055d34ba280cb8fd90330f22a96
CVE-2019-14195 (An issue was discovered in Das U-Boot through 2019.07. There is an unb ...)
- u-boot 2020.01+dfsg-1
- [buster] - u-boot <no-dsa> (Minor issue)
+ [buster] - u-boot <ignored> (Minor issue)
[stretch] - u-boot <no-dsa> (Minor issue)
[jessie] - u-boot <no-dsa> (Minor issue)
NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/
NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/cf3a4f1e86ecdd24f87b615051b49d8e1968c230
CVE-2019-14194 (An issue was discovered in Das U-Boot through 2019.07. There is an unb ...)
- u-boot 2020.01+dfsg-1
- [buster] - u-boot <no-dsa> (Minor issue)
+ [buster] - u-boot <ignored> (Minor issue)
[stretch] - u-boot <no-dsa> (Minor issue)
[jessie] - u-boot <no-dsa> (Minor issue)
NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/
NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/aa207cf3a6d68f39d64cd29057a4fb63943e9078
CVE-2019-14193 (An issue was discovered in Das U-Boot through 2019.07. There is an unb ...)
- u-boot 2020.01+dfsg-1
- [buster] - u-boot <no-dsa> (Minor issue)
+ [buster] - u-boot <ignored> (Minor issue)
[stretch] - u-boot <no-dsa> (Minor issue)
[jessie] - u-boot <no-dsa> (Minor issue)
NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/
NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/fe7288069d2e6659117049f7d27e261b550bb725
CVE-2019-14192 (An issue was discovered in Das U-Boot through 2019.07. There is an unb ...)
- u-boot 2020.01+dfsg-1
- [buster] - u-boot <no-dsa> (Minor issue)
+ [buster] - u-boot <ignored> (Minor issue)
[stretch] - u-boot <no-dsa> (Minor issue)
[jessie] - u-boot <no-dsa> (Minor issue)
NOTE: https://blog.semmle.com/uboot-rce-nfs-vulnerability/
NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/fe7288069d2e6659117049f7d27e261b550bb725
CVE-2019-14191
- RESERVED
+ REJECTED
CVE-2019-14190
- RESERVED
+ REJECTED
CVE-2019-14189
- RESERVED
+ REJECTED
CVE-2019-14188
- RESERVED
+ REJECTED
CVE-2019-14187
- RESERVED
+ REJECTED
CVE-2019-14186
- RESERVED
+ REJECTED
CVE-2019-14185
- RESERVED
+ REJECTED
CVE-2019-14184
- RESERVED
+ REJECTED
CVE-2019-14183
- RESERVED
+ REJECTED
CVE-2019-14182
- RESERVED
+ REJECTED
CVE-2019-14181
- RESERVED
+ REJECTED
CVE-2019-14180
- RESERVED
+ REJECTED
CVE-2019-14179
- RESERVED
+ REJECTED
CVE-2019-14178
- RESERVED
+ REJECTED
CVE-2019-14177
- RESERVED
+ REJECTED
CVE-2019-14176
- RESERVED
+ REJECTED
CVE-2019-14175
- RESERVED
+ REJECTED
CVE-2019-14174
- RESERVED
+ REJECTED
CVE-2019-14173
- RESERVED
+ REJECTED
CVE-2019-14172
- RESERVED
+ REJECTED
CVE-2019-14171
- RESERVED
+ REJECTED
CVE-2019-14170
- RESERVED
+ REJECTED
CVE-2019-14169
- RESERVED
+ REJECTED
CVE-2019-14168
- RESERVED
+ REJECTED
CVE-2019-14167
- RESERVED
+ REJECTED
CVE-2019-14166
- RESERVED
+ REJECTED
CVE-2019-14165
- RESERVED
+ REJECTED
CVE-2019-14164
- RESERVED
+ REJECTED
CVE-2019-14163
- RESERVED
+ REJECTED
CVE-2019-14162
- RESERVED
+ REJECTED
CVE-2019-14161
- RESERVED
+ REJECTED
CVE-2019-14160
- RESERVED
+ REJECTED
CVE-2019-14159
- RESERVED
+ REJECTED
CVE-2019-14158
- RESERVED
+ REJECTED
CVE-2019-14157
- RESERVED
+ REJECTED
CVE-2019-14156
- RESERVED
+ REJECTED
CVE-2019-14155
- RESERVED
+ REJECTED
CVE-2019-14154
- RESERVED
+ REJECTED
CVE-2019-14153
- RESERVED
+ REJECTED
CVE-2019-14152
- RESERVED
+ REJECTED
CVE-2019-14151
- RESERVED
+ REJECTED
CVE-2019-14150
- RESERVED
+ REJECTED
CVE-2019-14149
- RESERVED
+ REJECTED
CVE-2019-14148
- RESERVED
+ REJECTED
CVE-2019-14147
- RESERVED
+ REJECTED
CVE-2019-14146
- RESERVED
+ REJECTED
CVE-2019-14145
- RESERVED
+ REJECTED
CVE-2019-14144
- RESERVED
+ REJECTED
CVE-2019-14143
- RESERVED
+ REJECTED
CVE-2019-14142
- RESERVED
+ REJECTED
CVE-2019-14141
- RESERVED
+ REJECTED
CVE-2019-14140
- RESERVED
+ REJECTED
CVE-2019-14139
- RESERVED
+ REJECTED
CVE-2019-14138
- RESERVED
+ REJECTED
CVE-2019-14137
- RESERVED
+ REJECTED
CVE-2019-14136
- RESERVED
+ REJECTED
CVE-2019-14135 (Possible integer overflow to buffer overflow in WLAN while parsing non ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2019-14134 (Possible out of bound access in WLAN handler when the received value o ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2019-14133
- RESERVED
+ REJECTED
CVE-2019-14132 (Buffer over-write when this 0-byte buffer is typecasted to some other ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2019-14131 (Out of bound write can occur in radio measurement request if STA recei ...)
@@ -17535,13 +17998,13 @@ CVE-2019-14130 (Memory corruption can occurs in trusted application if offset si
CVE-2019-14129
RESERVED
CVE-2019-14128
- RESERVED
+ REJECTED
CVE-2019-14127 (Possible buffer overflow while playing mkv clip due to lack of validat ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2019-14126
- RESERVED
+ REJECTED
CVE-2019-14125
- RESERVED
+ REJECTED
CVE-2019-14124 (Memory failure in content protection module due to not having pointer ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2019-14123 (Possible buffer overflow and over read possible due to missing bounds ...)
@@ -17555,7 +18018,7 @@ CVE-2019-14120
CVE-2019-14119 (u'While processing SMCInvoke asynchronous message header, message coun ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2019-14118
- RESERVED
+ REJECTED
CVE-2019-14117 (u'Whenever the page list is updated via privileged user, the previous ...)
NOT-FOR-US: Snapdragon
CVE-2019-14116 (Privilege escalation by using an altered debug policy image can occur ...)
@@ -17573,21 +18036,21 @@ CVE-2019-14111 (Possible buffer overflow while handling NAN reception of NMF in
CVE-2019-14110 (Buffer overflow can occur in function wlan firmware while copying asso ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2019-14109
- RESERVED
+ REJECTED
CVE-2019-14108
RESERVED
CVE-2019-14107
- RESERVED
+ REJECTED
CVE-2019-14106
- RESERVED
+ REJECTED
CVE-2019-14105 (Kernel was reading the CSL defined reserved field as uint16 instead of ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2019-14104 (Slab-out-of-bounds access can occur if the context pointer is invalid ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2019-14103
- RESERVED
+ REJECTED
CVE-2019-14102
- RESERVED
+ REJECTED
CVE-2019-14101 (Out of bounds read can happen in diag event set mask command handler w ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2019-14100 (Register write via debugfs is disabled by default to prevent register ...)
@@ -17599,7 +18062,7 @@ CVE-2019-14098 (Possible buffer overflow in data offload handler due to lack of
CVE-2019-14097 (Possible buffer overflow in WLAN Parser due to lack of length check wh ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2019-14096
- RESERVED
+ REJECTED
CVE-2019-14095 (Buffer overflow occurs while processing LMP packet in which name lengt ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2019-14094 (Integer overflow in diag command handler when user inputs a large valu ...)
@@ -17623,7 +18086,7 @@ CVE-2019-14086 (Possible integer overflow while checking the length of frame whi
CVE-2019-14085 (Possible Integer underflow in WLAN function due to lack of check of da ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2019-14084
- RESERVED
+ REJECTED
CVE-2019-14083 (While parsing Service Descriptor Extended Attribute received as part o ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2019-14082 (Potential buffer over-read due to lack of bound check of memory offset ...)
@@ -17663,7 +18126,7 @@ CVE-2019-14066 (Integer overflow in calculating estimated output buffer size whe
CVE-2019-14065 (u'Pointer double free in HavenSvc due to not setting the pointer to NU ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2019-14064
- RESERVED
+ REJECTED
CVE-2019-14063 (Out of bound access due to Invalid inputs to dapm mux settings which r ...)
NOT-FOR-US: Snapdragon
CVE-2019-14062 (Buffer overflows while decoding setup message from Network due to lack ...)
@@ -17675,7 +18138,7 @@ CVE-2019-14060 (Uninitialized stack data gets used If memory is not allocated fo
CVE-2019-14059
RESERVED
CVE-2019-14058
- RESERVED
+ REJECTED
CVE-2019-14057 (Buffer Over read of codec private data while parsing an mkv file due t ...)
NOT-FOR-US: Snapdragon
CVE-2019-14056 (u'Possible integer overflow in API due to lack of check on large oid r ...)
@@ -17797,15 +18260,15 @@ CVE-2019-13999 (u'Lack of check for integer overflow for round up and addition o
CVE-2019-13998 (u'Lack of check that the TX FIFO write and read indices that are read ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2019-13997
- RESERVED
+ REJECTED
CVE-2019-13996
- RESERVED
+ REJECTED
CVE-2019-13995 (u'Lack of integer overflow check for addition of fragment size and rem ...)
NOT-FOR-US: Snapdragon
CVE-2019-13994 (u'Lack of check that the current received data fragment size of a part ...)
NOT-FOR-US: Snapdragon
CVE-2019-13993
- RESERVED
+ REJECTED
CVE-2019-13992 (u'Out of bound memory access if stack push and pop operation are perfo ...)
NOT-FOR-US: Snapdragon
CVE-2019-13991 (Embedded systems based on Arduino before Rev3 allow remote attackers t ...)
@@ -17880,7 +18343,7 @@ CVE-2019-13962 (lavc_CopyPicture in modules/codec/avcodec/video.c in VideoLAN VL
{DSA-4504-1}
- vlc 3.0.8-1 (low)
[jessie] - vlc <end-of-life> (https://lists.debian.org/debian-security-announce/2018/msg00130.html)
- NOTE: http://git.videolan.org/?p=vlc/vlc-3.0.git;a=commit;h=2b4f9d0b0e0861f262c90e9b9b94e7d53b864509
+ NOTE: https://git.videolan.org/?p=vlc/vlc-3.0.git;a=commit;h=2b4f9d0b0e0861f262c90e9b9b94e7d53b864509
NOTE: https://trac.videolan.org/vlc/ticket/22240
NOTE: https://www.videolan.org/security/sb-vlc308.html
CVE-2019-13961 (A CSRF vulnerability was found in flatCore before 1.5, leading to the ...)
@@ -17902,7 +18365,8 @@ CVE-2019-13954 (Mikrotik RouterOS before 6.44.5 (long-term release tree) is vuln
CVE-2019-13953 (An exploitable authentication bypass vulnerability exists in the Bluet ...)
NOT-FOR-US: YI M1 Mirrorless Camera
CVE-2019-13952 (The set_ipv6() function in zscan_rfc1035.rl in gdnsd before 2.4.3 and ...)
- - gdnsd <unfixed> (unimportant; bug #932407)
+ - gdnsd 3.5.0-1 (unimportant; bug #932407)
+ [buster] - gdnsd 2.4.3-1
NOTE: https://github.com/gdnsd/gdnsd/issues/185
NOTE: No security impact, data is under administrative control
NOTE: Patches: https://github.com/gdnsd/gdnsd/issues/185#issuecomment-513288786
@@ -17918,7 +18382,7 @@ CVE-2019-13949 (SyGuestBook A5 Version 1.2 has no CSRF protection mechanism, as
NOT-FOR-US: SyGuestBook A5
CVE-2019-13948 (SyGuestBook A5 Version 1.2 allows stored XSS because the isValidData f ...)
NOT-FOR-US: SyGuestBook A5
-CVE-2019-13947 (A vulnerability has been identified in SiNVR 3 Central Control Server ...)
+CVE-2019-13947 (A vulnerability has been identified in Control Center Server (CCS) (Al ...)
NOT-FOR-US: Siemens
CVE-2019-13946 (A vulnerability has been identified in Development/Evaluation Kits for ...)
NOT-FOR-US: Siemens
@@ -17934,7 +18398,7 @@ CVE-2019-13941 (A vulnerability has been identified in OZW672 (All versions &lt;
NOT-FOR-US: Siemens
CVE-2019-13940 (A vulnerability has been identified in SIMATIC S7-1200 CPU family (inc ...)
NOT-FOR-US: Siemens
-CVE-2019-13939 (A vulnerability has been identified in Nucleus NET (All versions), Nuc ...)
+CVE-2019-13939 (A vulnerability has been identified in APOGEE MEC/MBC/PXC (P2) (All ve ...)
NOT-FOR-US: Nucleus
CVE-2019-13938
RESERVED
@@ -17946,7 +18410,7 @@ CVE-2019-13935 (Improper Neutralization of Input During Web Page Generation ('Cr
NOT-FOR-US: Siemens
CVE-2019-13934 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
NOT-FOR-US: Siemens
-CVE-2019-13933 (A vulnerability has been identified in SCALANCE X-200RNA switch family ...)
+CVE-2019-13933 (A vulnerability has been identified in SCALANCE X-300 switch family (i ...)
NOT-FOR-US: Siemens
CVE-2019-13932 (A vulnerability has been identified in XHQ (All versions &lt; V6.0.0.2 ...)
NOT-FOR-US: Siemens
@@ -17964,7 +18428,7 @@ CVE-2019-13926 (A vulnerability has been identified in SCALANCE S602 (All versio
NOT-FOR-US: Siemens
CVE-2019-13925 (A vulnerability has been identified in SCALANCE S602 (All versions &gt ...)
NOT-FOR-US: Siemens
-CVE-2019-13924 (A vulnerability has been identified in SCALANCE X-200 switch family (i ...)
+CVE-2019-13924 (A vulnerability has been identified in SCALANCE S602 (All versions &lt ...)
NOT-FOR-US: Siemens
CVE-2019-13923 (A vulnerability has been identified in IE/WSN-PA Link WirelessHART Gat ...)
NOT-FOR-US: Siemens
@@ -18266,7 +18730,7 @@ CVE-2019-13778
CVE-2019-13777
RESERVED
CVE-2019-13776
- RESERVED
+ REJECTED
CVE-2019-13775
RESERVED
CVE-2019-13774
@@ -18539,9 +19003,7 @@ CVE-2019-13703 (Insufficient policy enforcement in the Omnibox in Google Chrome
- chromium 78.0.3904.87-1
[stretch] - chromium <end-of-life> (see DSA 4562)
CVE-2019-13702 (Inappropriate implementation in installer in Google Chrome on Windows ...)
- {DSA-4562-1}
- - chromium 78.0.3904.87-1
- [stretch] - chromium <end-of-life> (see DSA 4562)
+ - chromium <not-affected> (debian package disables the installer)
CVE-2019-13701 (Incorrect implementation in navigation in Google Chrome prior to 78.0. ...)
{DSA-4562-1}
- chromium 78.0.3904.87-1
@@ -18734,13 +19196,13 @@ CVE-2019-13648 (In the Linux kernel through 5.2.1 on the powerpc platform, when
{DSA-4497-1 DSA-4495-1 DLA-1885-1}
- linux 5.2.6-1
NOTE: https://patchwork.ozlabs.org/patch/1133904/
-CVE-2019-13647 (Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of ...)
+CVE-2019-13647 (** DISPUTED ** Firefly III before 4.7.17.3 is vulnerable to stored XSS ...)
NOT-FOR-US: Firefly
-CVE-2019-13646 (Firefly III before 4.7.17.3 is vulnerable to reflected XSS due to lack ...)
+CVE-2019-13646 (** DISPUTED ** Firefly III before 4.7.17.3 is vulnerable to reflected ...)
NOT-FOR-US: Firefly
-CVE-2019-13645 (Firefly III before 4.7.17.3 is vulnerable to stored XSS due to lack of ...)
+CVE-2019-13645 (** DISPUTED ** Firefly III before 4.7.17.3 is vulnerable to stored XSS ...)
NOT-FOR-US: Firefly
-CVE-2019-13644 (Firefly III before 4.7.17.1 is vulnerable to stored XSS due to lack of ...)
+CVE-2019-13644 (** DISPUTED ** Firefly III before 4.7.17.1 is vulnerable to stored XSS ...)
NOT-FOR-US: Firefly
CVE-2019-13643 (Stored XSS in EspoCRM before 5.6.4 allows remote attackers to execute ...)
NOT-FOR-US: EspoCRM
@@ -18769,8 +19231,8 @@ CVE-2019-13635 (The WP Fastest Cache plugin through 0.8.9.5 for WordPress allows
NOT-FOR-US: WP Fastest Cache plugin for WordPress
CVE-2019-13634
RESERVED
-CVE-2019-13633
- RESERVED
+CVE-2019-13633 (Blinger.io v.1.0.2519 is vulnerable to Blind/Persistent XSS. An attack ...)
+ NOT-FOR-US: Blinger.io
CVE-2019-13632
RESERVED
CVE-2019-13631 (In parse_hid_report_descriptor in drivers/input/tablet/gtco.c in the L ...)
@@ -18815,30 +19277,32 @@ CVE-2019-13621
CVE-2019-13620
RESERVED
CVE-2019-13619 (In Wireshark 3.0.0 to 3.0.2, 2.6.0 to 2.6.9, and 2.4.0 to 2.4.15, the ...)
+ {DLA-2547-1}
- wireshark 2.6.10-1 (low)
- [buster] - wireshark <postponed> (Can be fixed along in next 2.6.x release)
- [stretch] - wireshark <postponed> (Can be fixed along in next 2.6.x release)
+ [buster] - wireshark 2.6.20-0+deb10u1
[jessie] - wireshark <not-affected> (vulnerable code not present, binary encoding not yet supported)
NOTE: https://www.wireshark.org/security/wnpa-sec-2019-20.html
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15870
NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=7e90aed666e809c0db5de9d1816802a7dcea28d9
CVE-2019-13618 (In GPAC before 0.8.0, isomedia/isom_read.c in libgpac.a has a heap-bas ...)
{DLA-2072-1}
- - gpac <unfixed> (low; bug #932242)
+ - gpac 1.0.1+dfsg1-2 (low; bug #932242)
[buster] - gpac <no-dsa> (Minor issue)
[stretch] - gpac <no-dsa> (Minor issue)
+ - ccextractor 0.93+ds2-1 (bug #994746)
+ [bullseye] - ccextractor <no-dsa> (Minor issue)
+ [buster] - ccextractor <no-dsa> (Minor issue)
NOTE: https://github.com/gpac/gpac/issues/1250
NOTE: https://github.com/gpac/gpac/commit/c23d54ed15a70b4543e3191e6ead5097cda0878b
CVE-2019-13617 (njs through 0.3.3, used in NGINX, has a heap-based buffer over-read in ...)
NOT-FOR-US: njs
CVE-2019-13616 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
+ {DLA-2804-1 DLA-2536-1}
- libsdl2 2.0.10+dfsg1-1
[buster] - libsdl2 <no-dsa> (Minor issue)
- [stretch] - libsdl2 <no-dsa> (Minor issue)
[jessie] - libsdl2 <postponed> (can be fixed along with more important patches)
- libsdl1.2 1.2.15+dfsg2-5
[buster] - libsdl1.2 <no-dsa> (Minor issue)
- [stretch] - libsdl1.2 <no-dsa> (Minor issue)
[jessie] - libsdl1.2 <postponed> (can be fixed along with more important patches)
- libsdl2-image 2.0.5+dfsg1-2 (bug #940934)
[buster] - libsdl2-image <no-dsa> (Minor issue)
@@ -19243,8 +19707,8 @@ CVE-2019-13459
CVE-2019-13458 (An issue was discovered in Open Ticket Request System (OTRS) 7.0.x thr ...)
{DLA-1877-1}
- otrs2 6.0.20-1
- [buster] - otrs2 <no-dsa> (Non-free not supported)
- [stretch] - otrs2 <no-dsa> (Non-free not supported)
+ [buster] - otrs2 <ignored> (Non-free not supported)
+ [stretch] - otrs2 <ignored> (Non-free not supported)
NOTE: https://community.otrs.com/security-advisory-2019-12-security-update-for-otrs-framework/
NOTE: OTRS 6.0: https://github.com/OTRS/otrs/commit/69430f260d52e5a7afc185048da0cfc2eef2659a
NOTE: OTRS 5.0: https://github.com/OTRS/otrs/commit/0e26066dfff8efff0039da13e29609ca7f00d9a2
@@ -19622,7 +20086,7 @@ CVE-2019-13313 (libosinfo 1.5.0 allows local users to discover credentials by li
CVE-2019-13312 (block_cmp() in libavcodec/zmbvenc.c in FFmpeg 4.1.3 has a heap-based b ...)
- ffmpeg <not-affected> (Vulnerable code not present)
NOTE: https://trac.ffmpeg.org/ticket/7980
- NOTE: Introduced in http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=0321370601833f4ae47e8e11c44570ea4bd382a4
+ NOTE: Introduced in https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=0321370601833f4ae47e8e11c44570ea4bd382a4
CVE-2019-13311 (ImageMagick 7.0.8-50 Q16 has memory leaks at AcquireMagickMemory becau ...)
{DSA-4712-1}
- imagemagick 8:6.9.11.24+dfsg-1 (unimportant)
@@ -19895,14 +20359,14 @@ CVE-2019-13233 (In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, th
CVE-2019-13225 (A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9 ...)
- libonig 6.9.2-1 (low; bug #931878)
[buster] - libonig <no-dsa> (Minor issue)
- [stretch] - libonig <no-dsa> (Minor issue)
+ [stretch] - libonig <not-affected> (vulnerable code was introduced later)
[jessie] - libonig <not-affected> (vulnerable code was introduced later)
NOTE: https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c
CVE-2019-13224 (A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 a ...)
- {DLA-1854-1}
+ {DSA-4529-1 DSA-4527-1 DLA-2431-1 DLA-1854-1}
- libonig 6.9.2-1 (low; bug #931878)
[buster] - libonig <no-dsa> (Minor issue)
- [stretch] - libonig <no-dsa> (Minor issue)
+ - php7.0 <removed>
NOTE: https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55
CVE-2019-13223 (A reachable assertion in the lookup1_values function in stb_vorbis thr ...)
- libstb 0.0~git20190817.1.052dce1-1 (bug #934966)
@@ -19959,7 +20423,7 @@ CVE-2019-13208 (WavesSysSvc in Waves MAXX Audio allows privilege escalation beca
NOT-FOR-US: Waves MAXX Audio
CVE-2019-13207 (nsd-checkzone in NLnet Labs NSD 4.2.0 has a Stack-based Buffer Overflo ...)
- nsd 4.2.4-1 (low; bug #931476)
- [buster] - nsd <no-dsa> (Minor issue)
+ [buster] - nsd <ignored> (Minor issue)
[stretch] - nsd <no-dsa> (Minor issue)
[jessie] - nsd <postponed> (Minor issue, crash on malformed admin-controlled disk configuration)
- nsd3 <removed>
@@ -20067,7 +20531,7 @@ CVE-2019-13166 (Some Xerox printers (such as the Phaser 3320 V53.006.16.000) did
NOT-FOR-US: Xerox
CVE-2019-13165 (Some Xerox printers (such as the Phaser 3320 V53.006.16.000) were affe ...)
NOT-FOR-US: Xerox
-CVE-2019-13164 (qemu-bridge-helper.c in QEMU 4.0.0 does not ensure that a network inte ...)
+CVE-2019-13164 (qemu-bridge-helper.c in QEMU 3.1 and 4.0.0 does not ensure that a netw ...)
{DSA-4512-1 DSA-4506-1 DLA-1927-1}
- qemu 1:4.1-1 (bug #931351)
- qemu-kvm <removed>
@@ -20112,7 +20576,8 @@ CVE-2019-13148 (An issue was discovered in TRENDnet TEW-827DRU firmware before 2
NOT-FOR-US: TRENDnet TEW-827DRU firmware
CVE-2019-13147 (In Audio File Library (aka audiofile) 0.3.6, there exists one NULL poi ...)
- audiofile <unfixed> (low; bug #931343)
- [buster] - audiofile <no-dsa> (Minor issue)
+ [bullseye] - audiofile <ignored> (Minor issue)
+ [buster] - audiofile <ignored> (Minor issue)
[stretch] - audiofile <no-dsa> (Minor issue)
[jessie] - audiofile <postponed> (Minor issue, local DoS)
NOTE: https://github.com/mpruett/audiofile/issues/54
@@ -20212,12 +20677,12 @@ CVE-2019-13117 (In numbers.c in libxslt 1.1.33, an xsl:number with certain forma
CVE-2019-13116 (The MuleSoft Mule Community Edition runtime engine before 3.8 allows r ...)
NOT-FOR-US: MuleSoft Mule
CVE-2019-13115 (In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha2 ...)
- {DLA-1730-3}
- - libssh2 <unfixed> (bug #932329)
+ {DLA-2848-1 DLA-1730-3}
+ - libssh2 1.9.0-1 (bug #932329)
[buster] - libssh2 <no-dsa> (Minor issue)
- [stretch] - libssh2 <no-dsa> (Minor issue)
- NOTE: https://blog.semmle.com/libssh2-integer-overflow/
+ NOTE: https://securitylab.github.com/research/libssh2-integer-overflow/
NOTE: https://github.com/libssh2/libssh2/pull/350
+ NOTE: https://github.com/libssh2/libssh2/commit/ff1b155731ff8f790f12d980911d9fd84d0e1598
CVE-2019-13114 (http.c in Exiv2 through 0.27.1 allows a malicious http server to cause ...)
- exiv2 0.27.2-6 (low)
[buster] - exiv2 <ignored> (Minor issue)
@@ -20248,6 +20713,7 @@ CVE-2019-13110 (A CiffDirectory::readDirectory integer overflow and out-of-bound
[stretch] - exiv2 <ignored> (Minor issue)
[jessie] - exiv2 <ignored> (Minor issue, read segfault)
NOTE: https://github.com/Exiv2/exiv2/issues/843
+ NOTE: https://github.com/Exiv2/exiv2/pull/844
NOTE: https://github.com/Exiv2/exiv2/commit/9628f82084ed30d494ddd4f7360d233801e22967
CVE-2019-13109 (An integer overflow in Exiv2 through 0.27.1 allows an attacker to caus ...)
- exiv2 0.27.2-6 (low)
@@ -20272,28 +20738,28 @@ CVE-2019-13107 (Multiple integer overflows exist in MATIO before 1.5.16, related
NOTE: Several commits between 1.5.15..1.5.16: https://github.com/tbeu/matio/compare/f8cd397...fabac6c
CVE-2019-13106 (Das U-Boot versions 2016.09 through 2019.07-rc4 can memset() too much ...)
- u-boot 2020.01+dfsg-1 (low)
- [buster] - u-boot <no-dsa> (Minor issue)
+ [buster] - u-boot <ignored> (Minor issue)
[stretch] - u-boot <no-dsa> (Minor issue)
[jessie] - u-boot <no-dsa> (Minor issue)
NOTE: https://lists.denx.de/pipermail/u-boot/2019-July/375516.html
NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/e205896c5383c938274262524adceb2775fb03ba
CVE-2019-13105 (Das U-Boot versions 2019.07-rc1 through 2019.07-rc4 can double-free a ...)
- u-boot 2020.01+dfsg-1 (low)
- [buster] - u-boot <no-dsa> (Minor issue)
+ [buster] - u-boot <ignored> (Minor issue)
[stretch] - u-boot <no-dsa> (Minor issue)
[jessie] - u-boot <no-dsa> (Minor issue)
NOTE: https://lists.denx.de/pipermail/u-boot/2019-July/375513.html
NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/6e5a79de658cb1c8012c86e0837379aa6eabd024
CVE-2019-13104 (In Das U-Boot versions 2016.11-rc1 through 2019.07-rc4, an underflow c ...)
- u-boot 2020.01+dfsg-1 (low)
- [buster] - u-boot <no-dsa> (Minor issue)
+ [buster] - u-boot <ignored> (Minor issue)
[stretch] - u-boot <no-dsa> (Minor issue)
[jessie] - u-boot <no-dsa> (Minor issue)
NOTE: https://lists.denx.de/pipermail/u-boot/2019-July/375514.html
NOTE: https://gitlab.denx.de/u-boot/u-boot/commit/878269dbe74229005dd7f27aca66c554e31dad8e
CVE-2019-13103 (A crafted self-referential DOS partition table will cause all Das U-Bo ...)
- u-boot 2020.01+dfsg-1 (low)
- [buster] - u-boot <no-dsa> (Minor issue)
+ [buster] - u-boot <ignored> (Minor issue)
[stretch] - u-boot <no-dsa> (Minor issue)
[jessie] - u-boot <no-dsa> (Minor issue)
NOTE: https://lists.denx.de/pipermail/u-boot/2019-July/375512.html
@@ -20450,7 +20916,7 @@ CVE-2019-13034
RESERVED
CVE-2019-13045 (Irssi before 1.0.8, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, when S ...)
- irssi 1.2.1-1 (low; bug #931264)
- [buster] - irssi <no-dsa> (Minor issue)
+ [buster] - irssi 1.2.0-2+deb10u1
[stretch] - irssi <no-dsa> (Minor issue)
[jessie] - irssi <not-affected> (vulnerable sasl code is not present)
NOTE: https://irssi.org/security/irssi_sa_2019_06.txt
@@ -20633,12 +21099,12 @@ CVE-2019-12974 (A NULL pointer dereference in the function ReadPANGOImage in cod
NOTE: https://github.com/ImageMagick/ImageMagick6/commit/b4391bdd60df0a77e97a6ef1674f2ffef0e19e24
CVE-2019-12973 (In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_c ...)
{DLA-2277-1}
- - openjpeg2 <unfixed> (bug #931292)
- [buster] - openjpeg2 <no-dsa> (Minor issue)
+ - openjpeg2 2.4.0-1 (bug #931292)
+ [buster] - openjpeg2 <ignored> (Minor issue)
[jessie] - openjpeg2 <not-affected> (vulnerable code is not present)
NOTE: https://github.com/uclouvain/openjpeg/pull/1185
- NOTE: https://github.com/uclouvain/openjpeg/commit/21399f6b7d318fcdf4406d5e88723c4922202aa3
- NOTE: https://github.com/uclouvain/openjpeg/commit/3aef207f90e937d4931daf6d411e092f76d82e66
+ NOTE: https://github.com/uclouvain/openjpeg/commit/21399f6b7d318fcdf4406d5e88723c4922202aa3 (v2.4.0)
+ NOTE: https://github.com/uclouvain/openjpeg/commit/3aef207f90e937d4931daf6d411e092f76d82e66 (v2.4.0)
NOTE: Issue is similar to CVE-2018-6616.
CVE-2019-12972 (An issue was discovered in the Binary File Descriptor (BFD) library (a ...)
- binutils 2.32.51.20190707-1 (unimportant)
@@ -20696,8 +21162,11 @@ CVE-2019-12955
RESERVED
CVE-2019-12954 (SolarWinds Network Performance Monitor (Orion Platform 2018, NPM 12.3, ...)
NOT-FOR-US: SolarWinds
-CVE-2019-12953
- RESERVED
+CVE-2019-12953 (Dropbear 2011.54 through 2018.76 has an inconsistent failure delay tha ...)
+ - dropbear 2019.78-1
+ [buster] - dropbear <no-dsa> (Minor issue)
+ [stretch] - dropbear <postponed> (Minor issue but fixed along next DLA)
+ NOTE: https://hg.ucc.asn.au/dropbear/rev/228b086794b7
CVE-2019-12952
RESERVED
CVE-2019-12951 (An issue was discovered in Mongoose before 6.15. The parse_mqtt() func ...)
@@ -20810,15 +21279,8 @@ CVE-2019-12906
RESERVED
CVE-2019-12905 (FileRun 2019.05.21 allows XSS via the filename to the ?module=fileman& ...)
NOT-FOR-US: FileRun
-CVE-2019-12904 (In Libgcrypt 1.8.4, the C implementation of AES is vulnerable to a flu ...)
- - libgcrypt20 <unfixed> (bug #930885)
- [buster] - libgcrypt20 <no-dsa> (Minor issue)
- [stretch] - libgcrypt20 <no-dsa> (Minor issue)
- [jessie] - libgcrypt20 <not-affected> (Vulnerable code introduced later in version 1.7.0)
- - libgcrypt11 <removed>
- NOTE: https://dev.gnupg.org/T4541
- NOTE: https://github.com/gpg/libgcrypt/commit/a4c561aab1014c3630bc88faf6f5246fee16b020
- NOTE: https://github.com/gpg/libgcrypt/commit/daedbbb5541cd8ecda1459d3b843ea4d92788762
+CVE-2019-12904 (** DISPUTED ** In Libgcrypt 1.8.4, the C implementation of AES is vuln ...)
+ NOTE: Issue disputed by libgcrypt upstream, see https://dev.gnupg.org/T4541
CVE-2019-12903 (Pydio Cells before 1.5.0, when supplied with a Name field in an unexpe ...)
NOT-FOR-US: Pydio Cells (relates to Pydio product)
CVE-2019-12902 (Pydio Cells before 1.5.0 does incomplete cleanup of a user's data upon ...)
@@ -20878,8 +21340,10 @@ CVE-2019-12883
CVE-2019-12882
REJECTED
CVE-2019-12881 (i915_gem_userptr_get_pages in drivers/gpu/drm/i915/i915_gem_userptr.c ...)
- - linux <undetermined>
+ - linux 4.18.6-1
+ [stretch] - linux 4.9.130-1
NOTE: https://gist.github.com/oxagast/472866fb2c3d439e10499d7141d0a520
+ NOTE: https://git.kernel.org/linus/c11c7bfd213495784b22ef82a69b6489f8d0092f
CVE-2019-12880 (BCN Quark Quarking Password Manager 3.1.84 suffers from a clickjacking ...)
NOT-FOR-US: BCN Quark Quarking Password Manager
CVE-2019-12879
@@ -20896,7 +21360,7 @@ CVE-2019-12874 (An issue was discovered in zlib_decompress_extra in modules/demu
{DSA-4459-1}
- vlc 3.0.7-1
[jessie] - vlc <end-of-life> (https://lists.debian.org/debian-security-announce/2018/msg00130.html)
- NOTE: http://git.videolan.org/?p=vlc.git;a=commit;h=81023659c7de5ac2637b4a879195efef50846102
+ NOTE: https://git.videolan.org/?p=vlc.git;a=commit;h=81023659c7de5ac2637b4a879195efef50846102
CVE-2019-12873
RESERVED
CVE-2019-12872 (dotCMS before 5.1.6 is vulnerable to a SQL injection that can be explo ...)
@@ -20980,9 +21444,8 @@ CVE-2019-12840 (In Webmin through 1.910, any user authorized to the "Package Upd
CVE-2019-12839 (In OrangeHRM 4.3.1 and before, there is an input validation error with ...)
NOT-FOR-US: OrangeHRM
CVE-2019-12838 (SchedMD Slurm 17.11.x, 18.08.0 through 18.08.7, and 19.05.0 allows SQL ...)
- {DSA-4572-1 DLA-2143-1}
+ {DSA-4572-1 DLA-2886-1 DLA-2143-1}
- slurm-llnl 19.05.3.2-1 (bug #931880)
- [stretch] - slurm-llnl <no-dsa> (Too intrusive to backport)
NOTE: https://github.com/SchedMD/slurm/commit/afa7d743f407c60a7c8a4bd98a10be32c82988b5
NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2019/000025.html
CVE-2019-12837 (The Java API in accesuniversitat.gencat.cat 1.7.5 allows remote attack ...)
@@ -21021,7 +21484,7 @@ CVE-2019-12825 (Unauthorized Access to the Container Registry of other groups wa
- gitlab <not-affected> (Only affects Gitlab EE)
CVE-2019-12824
RESERVED
-CVE-2019-12823 (Craft CMS 3.1.30 has XSS. ...)
+CVE-2019-12823 (Craft CMS before 3.1.31 does not properly filter XML feeds and thus al ...)
NOT-FOR-US: Craft CMS
CVE-2019-12822 (In http.c in Embedthis GoAhead before 4.1.1 and 5.x before 5.0.1, a he ...)
NOT-FOR-US: Embedthis GoAhead
@@ -21094,7 +21557,8 @@ CVE-2019-12818 (An issue was discovered in the Linux kernel before 4.20.15. The
CVE-2019-12799 (In createInstanceFromNamedArguments in Shopware through 5.6.x, a craft ...)
NOT-FOR-US: Shopware
CVE-2019-12798 (An issue was discovered in Artifex MuJS 1.0.5. regcompx in regexp.c do ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed with initial upload to Debian)
+ NOTE: http://git.ghostscript.com/?p=mujs.git;h=7f50591861525f76e3ec7a63392656ff8c030af9 (1.0.6)
CVE-2019-12797 (A clone version of an ELM327 OBD2 Bluetooth device has a hardcoded PIN ...)
NOT-FOR-US: ELM327 OBD2 Bluetooth device
CVE-2019-12796
@@ -21183,8 +21647,8 @@ CVE-2019-12770
RESERVED
CVE-2019-12769 (SolarWinds Serv-U Managed File Transfer (MFT) Web client before 15.1.6 ...)
NOT-FOR-US: SolarWinds
-CVE-2019-12768
- RESERVED
+CVE-2019-12768 (An issue was discovered on D-Link DAP-1650 devices through v1.03b07 be ...)
+ NOT-FOR-US: D-Link
CVE-2019-12767 (An issue was discovered on D-Link DAP-1650 devices before 1.04B02_J65H ...)
NOT-FOR-US: D-Link
CVE-2019-12766 (An issue was discovered in Joomla! before 3.9.7. The subform fieldtype ...)
@@ -21198,11 +21662,11 @@ CVE-2019-12763 (The Security Camera CZ application through 1.6.8 for Android sto
CVE-2019-12762 (Xiaomi Mi 5s Plus devices allow attackers to trigger touchscreen anoma ...)
NOT-FOR-US: Xiaomi Mi 5s Plus devices
CVE-2019-12761 (A code injection issue was discovered in PyXDG before 0.26 via crafted ...)
- {DLA-1819-1}
- - pyxdg <unfixed> (low; bug #930099)
+ {DLA-2727-1 DLA-1819-1}
+ - pyxdg 0.26-1 (low; bug #930099)
[buster] - pyxdg <no-dsa> (Minor issue)
- [stretch] - pyxdg <no-dsa> (Minor issue)
NOTE: https://snyk.io/vuln/SNYK-PYTHON-PYXDG-174562
+ NOTE: https://gitlab.freedesktop.org/xdg/pyxdg/-/commit/aa4ce1bbc59def6975c9dd1598aafb3ef3fea681 (rel-0.26)
NOTE: https://gitlab.freedesktop.org/xdg/pyxdg/issues/14
CVE-2019-12760 (** DISPUTED ** A deserialization vulnerability exists in the way parso ...)
- parso 0.5.1-0.1 (unimportant; bug #930356)
@@ -21242,8 +21706,8 @@ CVE-2019-12747 (TYPO3 8.x through 8.7.26 and 9.x through 9.5.7 allows Deserializ
CVE-2019-12746 (An issue was discovered in Open Ticket Request System (OTRS) Community ...)
{DLA-1877-1}
- otrs2 6.0.20-1
- [buster] - otrs2 <no-dsa> (Non-free not supported)
- [stretch] - otrs2 <no-dsa> (Non-free not supported)
+ [buster] - otrs2 <ignored> (Non-free not supported)
+ [stretch] - otrs2 <ignored> (Non-free not supported)
NOTE: https://community.otrs.com/security-advisory-2019-10-security-update-for-otrs-framework/
NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/fab16a8e54aaf033f460e5f98c673248f29ea49c
NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/cc08cb7df9f6dde05de2f8c6cbd59cd5d0952627
@@ -21547,14 +22011,14 @@ CVE-2019-12615 (An issue was discovered in get_vdev_port_node_info in arch/sparc
- linux 5.2.6-1 (unimportant)
NOTE: https://git.kernel.org/linus/80caf43549e7e41a695c6d1e11066286538b336f
NOTE: This is a potential null pointer dereference that looks like it can
- NOTE: only be invoked by root or the hypervisor. Probably no security impact.
+ NOTE: only be invoked by root or the hypervisor. Probably no security impact.
CVE-2019-12614 (An issue was discovered in dlpar_parse_cc_property in arch/powerpc/pla ...)
- linux 5.3.7-1 (unimportant)
[buster] - linux 4.19.98-1
[stretch] - linux 4.9.210-1
NOTE: https://lkml.org/lkml/2019/6/3/526
NOTE: This is a potential null pointer dereference that looks like it can
- NOTE: only be invoked by root or the hypervisor. Probably no security impact.
+ NOTE: only be invoked by root or the hypervisor. Probably no security impact.
CVE-2019-12601 (SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before ...)
NOT-FOR-US: SuiteCRM
CVE-2019-12600 (SuiteCRM 7.8.x before 7.8.30, 7.10.x before 7.10.17, and 7.11.x before ...)
@@ -21819,8 +22283,8 @@ CVE-2019-12498 (The WP Live Chat Support plugin before 8.0.33 for WordPress acce
CVE-2019-12497 (An issue was discovered in Open Ticket Request System (OTRS) 7.0.x thr ...)
{DLA-1816-1}
- otrs2 6.0.19-1
- [buster] - otrs2 <no-dsa> (Non-free not supported)
- [stretch] - otrs2 <no-dsa> (Non-free not supported)
+ [buster] - otrs2 <ignored> (Non-free not supported)
+ [stretch] - otrs2 <ignored> (Non-free not supported)
NOTE: https://community.otrs.com/security-advisory-2019-09-security-update-for-otrs-framework/
NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/f8bcf08dfc5f06915c1352c07e5f626f9b5ecfc2
NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/d4cc3f0e24937fa53870132003aec6af460b9b57
@@ -21860,23 +22324,32 @@ CVE-2019-12484
RESERVED
CVE-2019-12483 (An issue was discovered in GPAC 0.7.1. There is a heap-based buffer ov ...)
{DLA-1841-1}
- - gpac <unfixed> (bug #931088)
+ - gpac 1.0.1+dfsg1-2 (bug #931088)
[buster] - gpac <no-dsa> (Minor issue)
[stretch] - gpac <no-dsa> (Minor issue)
+ - ccextractor 0.93+ds2-1 (bug #994746)
+ [bullseye] - ccextractor <no-dsa> (Minor issue)
+ [buster] - ccextractor <no-dsa> (Minor issue)
NOTE: https://github.com/gpac/gpac/issues/1249
NOTE: https://github.com/gpac/gpac/commit/f40aaaf959d4d1f7fa0dcd04c0666592e615c8f1
CVE-2019-12482 (An issue was discovered in GPAC 0.7.1. There is a NULL pointer derefer ...)
{DLA-1841-1}
- - gpac <unfixed> (bug #931088)
+ - gpac 1.0.1+dfsg1-2 (bug #931088)
[buster] - gpac <no-dsa> (Minor issue)
[stretch] - gpac <no-dsa> (Minor issue)
+ - ccextractor 0.93+ds2-1 (bug #994746)
+ [bullseye] - ccextractor <no-dsa> (Minor issue)
+ [buster] - ccextractor <no-dsa> (Minor issue)
NOTE: https://github.com/gpac/gpac/issues/1249
NOTE: https://github.com/gpac/gpac/commit/f40aaaf959d4d1f7fa0dcd04c0666592e615c8f1
CVE-2019-12481 (An issue was discovered in GPAC 0.7.1. There is a NULL pointer derefer ...)
{DLA-1841-1}
- - gpac <unfixed> (bug #931088)
+ - gpac 1.0.1+dfsg1-2 (bug #931088)
[buster] - gpac <no-dsa> (Minor issue)
[stretch] - gpac <no-dsa> (Minor issue)
+ - ccextractor 0.93+ds2-1 (bug #994746)
+ [bullseye] - ccextractor <no-dsa> (Minor issue)
+ [buster] - ccextractor <no-dsa> (Minor issue)
NOTE: https://github.com/gpac/gpac/issues/1249
NOTE: https://github.com/gpac/gpac/commit/f40aaaf959d4d1f7fa0dcd04c0666592e615c8f1
CVE-2019-12480 (BACnet Protocol Stack through 0.8.6 has a segmentation fault leading t ...)
@@ -22085,6 +22558,7 @@ CVE-2019-12423 (Apache CXF ships with a OpenId Connect JWK Keys service, which a
NOT-FOR-US: Apache CFX
CVE-2019-12422 (Apache Shiro before 1.4.2, when using the default "remember me" config ...)
- shiro <unfixed> (low; bug #947945)
+ [bullseye] - shiro <no-dsa> (Minor issue)
[buster] - shiro <no-dsa> (Minor issue)
[stretch] - shiro <no-dsa> (Minor issue)
[jessie] - shiro <no-dsa> (Minor issue)
@@ -22114,17 +22588,15 @@ CVE-2019-12417 (A malicious admin user could edit the state of objects in the Ai
CVE-2019-12416 (we got reports for 2 injection attacks against the DeltaSpike windowha ...)
NOT-FOR-US: DeltaSpike
CVE-2019-12415 (In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to conv ...)
- - libapache-poi-java <unfixed> (bug #943565)
- [buster] - libapache-poi-java <no-dsa> (Minor issue)
- [stretch] - libapache-poi-java <no-dsa> (Minor issue)
- [jessie] - libapache-poi-java <no-dsa> (Minor issue)
+ - libapache-poi-java <unfixed> (unimportant; bug #943565)
NOTE: https://www.openwall.com/lists/oss-security/2019/10/23/1
+ NOTE: Vulnerable tool not shipped in binary package
CVE-2019-12414 (In Apache Incubator Superset before 0.32, a user can view database nam ...)
NOT-FOR-US: Apache Superset
CVE-2019-12413 (In Apache Incubator Superset before 0.31 user could query database met ...)
NOT-FOR-US: Apache Superset
CVE-2019-12411
- RESERVED
+ REJECTED
CVE-2019-12410 (While investigating UBSAN errors in https://github.com/apache/arrow/pu ...)
NOT-FOR-US: Apache Arrow
CVE-2019-12409 (The 8.1.1 and 8.2.0 releases of Apache Solr contain an insecure settin ...)
@@ -22144,7 +22616,7 @@ CVE-2019-12403
REJECTED
CVE-2019-12402 (The file name encoding algorithm used internally in Apache Commons Com ...)
- libcommons-compress-java 1.18-3 (low; bug #939610)
- [buster] - libcommons-compress-java <no-dsa> (Minor issue)
+ [buster] - libcommons-compress-java 1.18-2+deb10u1
[stretch] - libcommons-compress-java <not-affected> (Vulnerable code introduced later)
[jessie] - libcommons-compress-java <not-affected> (Vulnerable code introduced later)
NOTE: https://www.openwall.com/lists/oss-security/2019/08/27/1
@@ -22159,10 +22631,13 @@ CVE-2019-12401 (Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4
NOTE: disabling coalescing by default which can trigger large memory consumption
NOTE: when parsing specially crafted XML data.
CVE-2019-12400 (In version 2.0.3 Apache Santuario XML Security for Java, a caching mec ...)
- - libxml-security-java <unfixed> (bug #935548)
+ - libxml-security-java 2.1.7-1 (bug #935548)
+ [bullseye] - libxml-security-java <no-dsa> (Minor issue)
+ [buster] - libxml-security-java <no-dsa> (Minor issue)
[stretch] - libxml-security-java <not-affected> (Vulnerable code introduced in 2.0.3)
[jessie] - libxml-security-java <not-affected> (Vulnerable code introduced in 2.0.3)
NOTE: http://santuario.apache.org/secadv.data/CVE-2019-12400.asc
+ NOTE: https://github.com/apache/santuario-xml-security-java/commit/8c88bbe449d073d5bc0626c1719e81e81c2ad9b4 (likely fix)
CVE-2019-12399 (When Connect workers in Apache Kafka 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0 ...)
- kafka <itp> (bug #786460)
CVE-2019-12398 (In Apache Airflow before 1.10.5 when running with the "classic" UI, a ...)
@@ -22296,8 +22771,8 @@ CVE-2019-12350
RESERVED
CVE-2019-12349
RESERVED
-CVE-2019-12348
- RESERVED
+CVE-2019-12348 (An issue was discovered in zzcms 2019. SQL Injection exists in user/zt ...)
+ NOT-FOR-US: zzcms
CVE-2019-12347 (In pfSense 2.4.4-p3, a stored XSS vulnerability occurs when attackers ...)
NOT-FOR-US: pfSense
CVE-2019-12346 (In the miniOrange SAML SP Single Sign On plugin before 4.8.73 for Word ...)
@@ -22390,8 +22865,8 @@ CVE-2019-12307
RESERVED
CVE-2019-12306
RESERVED
-CVE-2019-12305
- RESERVED
+CVE-2019-12305 (In EZCast Pro II, the administrator password md5 hash is provided upon ...)
+ NOT-FOR-US: EZCast Pro II
CVE-2019-12304
RESERVED
CVE-2019-12303 (In Rancher 2 through 2.2.3, Project owners can inject additional fluen ...)
@@ -22414,8 +22889,8 @@ CVE-2019-12297 (An issue was discovered in scopd on Motorola routers CX2 1.01 an
CVE-2019-12296
RESERVED
CVE-2019-12295 (In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14, the ...)
+ {DLA-2547-1 DLA-2423-1}
- wireshark 2.6.8-1.1 (low; bug #929446)
- [stretch] - wireshark <no-dsa> (Minor issue)
[jessie] - wireshark <postponed> (Minor, can be fixed along in a future update)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15778
NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=7b6e197da4c497e229ed3ebf6952bae5c426a820
@@ -22526,8 +23001,8 @@ CVE-2019-12249
CVE-2019-12248 (An issue was discovered in Open Ticket Request System (OTRS) 7.0.x thr ...)
{DLA-1816-1}
- otrs2 6.0.19-1
- [buster] - otrs2 <no-dsa> (Non-free not supported)
- [stretch] - otrs2 <no-dsa> (Non-free not supported)
+ [buster] - otrs2 <ignored> (Non-free not supported)
+ [stretch] - otrs2 <ignored> (Non-free not supported)
NOTE: https://community.otrs.com/security-advisory-2019-08-security-update-for-otrs-framework/
NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/4e06ef439c33e7d90af16451719415c780e0c29c
NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/0713999042e3ce7fa60067d3cd165206899224bf
@@ -22661,6 +23136,7 @@ CVE-2019-12215 (** DISPUTED ** A full path disclosure vulnerability was discover
- matomo <itp> (bug #448532)
CVE-2019-12214 (In FreeImage 3.18.0, an out-of-bounds access occurs because of mishand ...)
- freeimage <unfixed> (bug #947478)
+ [bullseye] - freeimage <postponed> (Revisit when upstream fixes are available)
[buster] - freeimage <postponed> (Revisit when upstream fixes are available)
[stretch] - freeimage <postponed> (Revisit when upstream fixes are available)
[jessie] - freeimage <postponed> (Revisit when upstream fixes are available)
@@ -22677,6 +23153,7 @@ CVE-2019-12213 (When FreeImage 3.18.0 reads a special TIFF file, the TIFFReadDir
NOTE: https://sourceforge.net/p/freeimage/svn/1825/
CVE-2019-12212 (When FreeImage 3.18.0 reads a special JXR file, the StreamCalcIFDSize ...)
- freeimage <unfixed> (bug #947477)
+ [bullseye] - freeimage <postponed> (Revisit when upstream fixes are available)
[buster] - freeimage <postponed> (Revisit when upstream fixes are available)
[stretch] - freeimage <postponed> (Revisit when upstream fixes are available)
[jessie] - freeimage <postponed> (Revisit when upstream fixes are available)
@@ -22804,11 +23281,11 @@ CVE-2019-12159 (GoHTTP through 2017-07-25 has a stack-based buffer over-read in
NOT-FOR-US: GoHTTP
CVE-2019-12158 (GoHTTP through 2017-07-25 has a GetExtension heap-based buffer overflo ...)
NOT-FOR-US: GoHTTP
-CVE-2019-12157 (In JetBrains TeamCity versions before 2018.2.5 and UpSource versions b ...)
+CVE-2019-12157 (In JetBrains UpSource versions before 2018.2 build 1293, there is cred ...)
NOT-FOR-US: JetBrains TeamCity
CVE-2019-12156 (Server metadata could be exposed because one of the error messages ref ...)
NOT-FOR-US: JetBrains TeamCity
-CVE-2019-12155 (interface_release_resource in hw/display/qxl.c in QEMU 4.0.0 has a NUL ...)
+CVE-2019-12155 (interface_release_resource in hw/display/qxl.c in QEMU 3.1.x through 4 ...)
{DSA-4454-1 DLA-1927-1}
- qemu 1:3.1+dfsg-8 (bug #929353)
[buster] - qemu 1:3.1+dfsg-8~deb10u1
@@ -22965,21 +23442,18 @@ CVE-2019-12096
RESERVED
CVE-2019-12095 (Horde Trean, as used in Horde Groupware Webmail Edition through 5.2.22 ...)
{DLA-2033-1}
- - php-horde-trean <unfixed>
- [buster] - php-horde-trean <ignored> (Minor issue)
- [stretch] - php-horde-trean <ignored> (Minor issue)
- [jessie] - php-horde-trean <ignored> (Minor issue)
+ - php-horde-trean <unfixed> (unimportant)
- php-horde 5.2.21+debian0-1
[buster] - php-horde 5.2.20+debian0-1+deb10u1
[stretch] - php-horde 5.2.13+debian0-1+deb9u1
NOTE: https://github.com/horde/base/commit/81a7b53973506856db67e7f0b0263be29528aa75
NOTE: https://bugs.horde.org/ticket/14926 (for the stored XSS)
+ NOTE: Negligible impact for php-horde-trean, and unlikely that upstream will address
CVE-2019-12094 (Horde Groupware Webmail Edition through 5.2.22 allows XSS via an admin ...)
- - php-horde <unfixed>
- [buster] - php-horde <ignored> (Minor issue)
- [stretch] - php-horde <ignored> (Minor issue)
- [jessie] - php-horde <ignored> (Minor issue)
+ - php-horde <unfixed> (unimportant)
NOTE: https://bugs.horde.org/ticket/14926 (for the reflected XSS)
+ NOTE: Negligible impact and unlikely that upstream will address after fixes
+ NOTE: for CVE-2019-12095
CVE-2019-12093
RESERVED
CVE-2019-12092
@@ -23040,17 +23514,18 @@ CVE-2019-12068 (In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.
- qemu-kvm <removed>
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-08/msg01518.html
NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=de594e47659029316bbf9391efb79da0a1a08e08
-CVE-2019-12067 [ide: ahci: add check to avoid null dereference]
- RESERVED
- - qemu <unfixed> (low)
+CVE-2019-12067 (The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to ...)
+ - qemu <unfixed> (low; bug #972099)
+ [bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[buster] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[stretch] - qemu <postponed> (Minor issue, can be fixed along in future update)
[jessie] - qemu <postponed> (Minor issue, can be fixed along in future update)
- qemu-kvm <removed>
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-08/msg01358.html
- NOTE: patch not sanctioned as of 20200907
+ NOTE: patch not sanctioned as of 20210202
NOTE: patched function introduced in 2014/2.1.50 but affected code pre-existed
NOTE: https://github.com/qemu/qemu/commit/659142ecf71a0da240ab0ff7cf929ee25c32b9bc
+ NOTE: No upstream patch as of 2022-01-28
CVE-2019-12066
RESERVED
CVE-2019-12065
@@ -23304,10 +23779,12 @@ CVE-2019-11941 (A remote code execution vulnerability was identified in HPE Inte
CVE-2019-11940 (In the course of decompressing HPACK inside the HTTP2 protocol, an une ...)
NOT-FOR-US: Facebook Proxygen
CVE-2019-11939 (Golang Facebook Thrift servers would not error upon receiving messages ...)
- - thrift <unfixed>
+ - thrift <unfixed> (bug #988948)
+ [bullseye] - thrift <no-dsa> (Minor issue)
+ [buster] - thrift <no-dsa> (Minor issue)
NOTE: https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757
CVE-2019-11938 (Java Facebook Thrift servers would not error upon receiving messages d ...)
- NOT-FOR-US: Java Facebook Thrift
+ NOT-FOR-US: Facebook Java Thrift (Debian packages Apache Thrift)
CVE-2019-11937 (In Mcrouter prior to v0.41.0, a large struct input provided to the Car ...)
NOT-FOR-US: mcrouter
NOTE: https://github.com/facebook/mcrouter/releases
@@ -23511,7 +23988,7 @@ CVE-2019-11844 (An HTML Injection vulnerability has been discovered on the RICOH
CVE-2019-11843 (The MailPoet plugin before 3.23.2 for WordPress allows remote attacker ...)
NOT-FOR-US: MailPoet plugin for WordPress
CVE-2019-11841 (A message-forgery issue was discovered in crypto/openpgp/clearsign/cle ...)
- {DLA-1920-1}
+ {DLA-2402-1 DLA-1920-1}
- golang-go.crypto 1:0.0~git20200221.2aa609c-1
NOTE: https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442
NOTE: Patch fixes the second part of the CVE ("prepend arbitrary text")
@@ -23519,7 +23996,7 @@ CVE-2019-11841 (A message-forgery issue was discovered in crypto/openpgp/clearsi
NOTE: https://packetstormsecurity.com/files/152840/Go-Cryptography-Libraries-Cleartext-Message-Spoofing.html
NOTE: Upstream feels that this is not a security issue. See https://github.com/golang/go/issues/41200.
CVE-2019-11840 (An issue was discovered in supplementary Go cryptography libraries, ak ...)
- {DLA-1840-1}
+ {DLA-2527-1 DLA-2454-1 DLA-2442-1 DLA-2402-1 DLA-1840-1}
- golang-go.crypto 1:0.0~git20200221.2aa609c-1
NOTE: https://github.com/golang/go/issues/30965
NOTE: https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d
@@ -23648,20 +24125,27 @@ CVE-2019-11788
RESERVED
CVE-2019-11787
RESERVED
-CVE-2019-11786
- RESERVED
-CVE-2019-11785
- RESERVED
-CVE-2019-11784
- RESERVED
-CVE-2019-11783
- RESERVED
-CVE-2019-11782
- RESERVED
-CVE-2019-11781
- RESERVED
+CVE-2019-11786 (Improper access control in Odoo Community 13.0 and earlier and Odoo En ...)
+ - odoo <not-affected> (Fixed before initial upload to Debian)
+ NOTE: https://github.com/odoo/odoo/issues/63711
+CVE-2019-11785 (Improper access control in mail module (followers) in Odoo Community 1 ...)
+ - odoo <not-affected> (Fixed before initial upload to Debian)
+ NOTE: https://github.com/odoo/odoo/issues/63710
+CVE-2019-11784 (Improper access control in mail module (notifications) in Odoo Communi ...)
+ - odoo 14.0.0+dfsg.2-1
+ NOTE: https://github.com/odoo/odoo/issues/63709
+CVE-2019-11783 (Improper access control in mail module (channel partners) in Odoo Comm ...)
+ - odoo 14.0.0+dfsg.2-1
+ NOTE: https://github.com/odoo/odoo/issues/63708
+CVE-2019-11782 (Improper access control in Odoo Community 14.0 and earlier and Odoo En ...)
+ - odoo 14.0.0+dfsg.2-1
+ NOTE: https://github.com/odoo/odoo/issues/63707
+CVE-2019-11781 (Improper input validation in portal component in Odoo Community 12.0 a ...)
+ - odoo <not-affected> (Fixed before initial upload to Debian)
+ NOTE: https://github.com/odoo/odoo/issues/63706
CVE-2019-11780 (Improper access control in the computed fields system of the framework ...)
- NOT-FOR-US: Odoo
+ - odoo <not-affected> (Fixed before initial upload to Debian)
+ NOTE: https://github.com/odoo/odoo/issues/42196
CVE-2019-11779 (In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT cli ...)
{DSA-4570-1 DLA-1972-1}
- mosquitto 1.6.6-1 (bug #940654)
@@ -23859,7 +24343,7 @@ CVE-2019-11746 (A use-after-free vulnerability can occur while manipulating vide
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-27/#CVE-2019-11746
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-29/#CVE-2019-11746
CVE-2019-11745 (When encrypting with a block cipher, if a call to NSC_EncryptUpdate wa ...)
- {DSA-4579-1 DLA-2008-1}
+ {DSA-4579-1 DLA-2388-1 DLA-2008-1}
- nss 2:3.47.1-1
NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1586176 (not public)
NOTE: https://hg.mozilla.org/projects/nss/rev/1e22a0c93afe9f46545560c86caedef9dab6cfda
@@ -23949,7 +24433,7 @@ CVE-2019-11730 (A vulnerability exists where if a user opens a locally saved HTM
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11730
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/#CVE-2019-11730
CVE-2019-11729 (Empty or malformed p256-ECDH public keys may trigger a segmentation fa ...)
- {DLA-1857-1}
+ {DLA-2388-1 DLA-1857-1}
- firefox 68.0-1 (unimportant)
- firefox-esr 60.8.0esr-1 (unimportant)
[buster] - firefox-esr 60.8.0esr-1~deb10u1
@@ -23959,7 +24443,6 @@ CVE-2019-11729 (Empty or malformed p256-ECDH public keys may trigger a segmentat
[stretch] - thunderbird 1:60.8.0-1~deb9u1
- nss 2:3.45-1
[buster] - nss 2:3.42.1-1+deb10u1
- [stretch] - nss <no-dsa> (Minor issue)
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11729
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11729
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/#CVE-2019-11729
@@ -24002,7 +24485,7 @@ CVE-2019-11720 (Some unicode characters are incorrectly treated as whitespace du
- firefox 68.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11720
CVE-2019-11719 (When importing a curve25519 private key in PKCS#8format with leading 0 ...)
- {DLA-1857-1}
+ {DLA-2388-1 DLA-1857-1}
- firefox 68.0-1 (unimportant)
- firefox-esr 60.8.0esr-1 (unimportant)
[buster] - firefox-esr 60.8.0esr-1~deb10u1
@@ -24012,7 +24495,6 @@ CVE-2019-11719 (When importing a curve25519 private key in PKCS#8format with lea
[stretch] - thunderbird 1:60.8.0-1~deb9u1
- nss 2:3.45-1
[buster] - nss 2:3.42.1-1+deb10u1
- [stretch] - nss <no-dsa> (Minor issue)
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11719
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-22/#CVE-2019-11719
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/#CVE-2019-11719
@@ -24202,8 +24684,8 @@ CVE-2019-11686 (Western Digital SanDisk X300, X300s, X400, and X600 devices: A v
NOT-FOR-US: Western Digital
CVE-2019-11685
RESERVED
-CVE-2019-11684
- RESERVED
+CVE-2019-11684 (Improper Access Control in the RCP+ server of the Bosch Video Recordin ...)
+ NOT-FOR-US: Bosch
CVE-2019-11683 (udp_gro_receive_segment in net/ipv4/udp_offload.c in the Linux kernel ...)
- linux <not-affected> (Vulnerable code introduced later)
NOTE: Fixed by: https://git.kernel.org/linus/4dd2b82d5adfbe0b1587ccad7a8f76d826120f37
@@ -24501,8 +24983,8 @@ CVE-2019-11558
RESERVED
CVE-2019-11557 (The WebDorado Contact Form Builder plugin before 1.0.69 for WordPress ...)
NOT-FOR-US: WebDorado Contact Form Builder plugi for WordPress
-CVE-2019-11556
- RESERVED
+CVE-2019-11556 (Pagure before 5.6 allows XSS via the templates/blame.html blame view. ...)
+ - pagure <not-affected> (Fixed before initial release)
CVE-2019-11554 (The Audible application through 2.34.0 for Android has Missing SSL Cer ...)
NOT-FOR-US: Audible application for Android
CVE-2019-11553 (In Code42 for Enterprise through 6.8.4, an administrator without web r ...)
@@ -24645,8 +25127,8 @@ CVE-2019-11499 (In the IMAP Server in Dovecot 2.3.3 through 2.3.5.2, the submiss
[jessie] - dovecot <not-affected> (Vulnerable code not present, introduced in 2.3)
NOTE: https://dovecot.org/pipermail/dovecot/2019-April/115758.html
CVE-2019-11498 (WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack t ...)
+ {DLA-2525-1}
- wavpack 5.1.0-6 (low; bug #927903)
- [stretch] - wavpack <no-dsa> (Minor issue)
[jessie] - wavpack <not-affected> (Vulnerable code not present, introduced in 5.0.0)
NOTE: https://github.com/dbry/WavPack/issues/67
NOTE: https://github.com/dbry/WavPack/commit/bc6cba3f552c44565f7f1e66dc1580189addb2b4
@@ -24792,14 +25274,12 @@ CVE-2019-11457 (Multiple CSRF issues exist in MicroPyramid Django CRM 0.2.1 via
CVE-2019-11456 (Gila CMS 1.10.1 allows fm/save CSRF for executing arbitrary PHP code. ...)
NOT-FOR-US: Gila CMS
CVE-2019-11455 (A buffer over-read in Util_urlDecode in util.c in Tildeslash Monit bef ...)
- {DLA-1767-1}
+ {DLA-2855-1 DLA-1767-1}
- monit 1:5.25.3-1 (bug #927775)
- [stretch] - monit <no-dsa> (Minor issue)
NOTE: https://bitbucket.org/tildeslash/monit/commits/f12d0cdb42d4e74dffe1525d4062c815c48ac57a
CVE-2019-11454 (Persistent cross-site scripting (XSS) in http/cervlet.c in Tildeslash ...)
- {DLA-1767-1}
+ {DLA-2855-1 DLA-1767-1}
- monit 1:5.25.3-1 (bug #927775)
- [stretch] - monit <no-dsa> (Minor issue)
NOTE: https://bitbucket.org/tildeslash/monit/commits/1a8295eab6815072a18019b668fe084945b751f3
NOTE: https://bitbucket.org/tildeslash/monit/commits/328f60773057641c4b2075fab9820145e95b728c
CVE-2019-11453
@@ -24883,11 +25363,17 @@ CVE-2019-11415 (An issue was discovered on Intelbras IWR 3000N 1.5.0 devices. A
CVE-2019-11414 (An issue was discovered on Intelbras IWR 3000N 1.5.0 devices. When the ...)
NOT-FOR-US: Intelbras IWR 3000N 1.5.0 devices
CVE-2019-11413 (An issue was discovered in Artifex MuJS 1.0.5. It has unlimited recurs ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed with initial upload to Debian)
+ NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700937
+ NOTE: https://github.com/ccxvii/mujs/commit/00d4606c3baf813b7b1c176823b2729bf51002a2
CVE-2019-11412 (An issue was discovered in Artifex MuJS 1.0.5. jscompile.c can cause a ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed with initial upload to Debian)
+ NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700947
+ NOTE: https://github.com/ccxvii/mujs/commit/1e5479084bc9852854feb1ba9bf68b52cd127e02
CVE-2019-11411 (An issue was discovered in Artifex MuJS 1.0.5. The Number#toFixed() an ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed with initial upload to Debian)
+ NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700938
+ NOTE: https://github.com/ccxvii/mujs/commit/da632ca08f240590d2dec786722ed08486ce1be6
CVE-2019-11410 (app/backup/index.php in the Backup Module in FusionPBX 4.4.3 suffers f ...)
NOT-FOR-US: FreePBX
CVE-2019-11409 (app/operator_panel/exec.php in the Operator Panel module in FusionPBX ...)
@@ -24978,16 +25464,16 @@ CVE-2019-11375 (Msvod v10 has a CSRF vulnerability to change user information vi
CVE-2019-11374 (74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the ...)
NOT-FOR-US: 74CMS
CVE-2019-11373 (An out-of-bounds read in File__Analyze::Get_L8 in File__Analyze_Buffer ...)
+ {DLA-2603-1}
[experimental] - libmediainfo 19.04+dfsg-1
- libmediainfo 18.12-2 (low; bug #927672)
- [stretch] - libmediainfo <no-dsa> (Minor issue)
[jessie] - libmediainfo <no-dsa> (Minor issue)
NOTE: https://github.com/MediaArea/MediaInfoLib/pull/1111
NOTE: https://sourceforge.net/p/mediainfo/bugs/1101/
CVE-2019-11372 (An out-of-bounds read in MediaInfoLib::File__Tags_Helper::Synched_Test ...)
+ {DLA-2603-1}
[experimental] - libmediainfo 19.04+dfsg-1
- libmediainfo 18.12-2 (low; bug #927672)
- [stretch] - libmediainfo <no-dsa> (Minor issue)
[jessie] - libmediainfo <no-dsa> (Minor issue)
NOTE: https://github.com/MediaArea/MediaInfoLib/pull/1111
NOTE: https://sourceforge.net/p/mediainfo/bugs/1101/
@@ -25078,7 +25564,7 @@ CVE-2019-11339 (The studio profile decoder in libavcodec/mpeg4videodec.c in FFmp
- libav <not-affected> (Vulnerable code not present)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/1f686d023b95219db933394a7704ad9aa5f01cbb
NOTE: https://github.com/FFmpeg/FFmpeg/commit/d227ed5d598340e719eff7156b1aa0a4469e9a6a
-CVE-2019-11338 (libavcodec/hevcdec.c in FFmpeg 4.1.2 mishandles detection of duplicate ...)
+CVE-2019-11338 (libavcodec/hevcdec.c in FFmpeg 3.4 and 4.1.2 mishandles detection of d ...)
{DSA-4449-1 DLA-1809-1}
- ffmpeg 7:4.1.3-1
- libav <removed>
@@ -25120,9 +25606,9 @@ CVE-2019-11323 (HAProxy before 1.9.7 mishandles a reload with rotated keys, whic
NOTE: Introduced in: https://git.haproxy.org/?p=haproxy.git;a=commit;h=9e7547740cc2d0a6851de8ca9ac57488bdbb8bf2
NOTE: Fixed by: https://git.haproxy.org/?p=haproxy.git;a=commit;h=8ef706502aa2000531d36e4ac56dbdc7c30f718d
CVE-2019-11324 (The urllib3 library before 1.24.2 for Python mishandles certain cases ...)
+ {DLA-2686-1}
- python-urllib3 1.25.6-4 (bug #927412)
[buster] - python-urllib3 <no-dsa> (Minor issue)
- [stretch] - python-urllib3 <no-dsa> (Minor issue)
[jessie] - python-urllib3 <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/urllib3/urllib3/commit/1efadf43dc63317cd9eaa3e0fdb9e05ab07254b1
NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/3
@@ -25137,51 +25623,51 @@ CVE-2019-11319 (An issue was discovered in Motorola CX2 1.01 and M2 1.01. There
CVE-2019-11318 (Zimbra Collaboration before 8.8.12 Patch 1 has persistent XSS. ...)
NOT-FOR-US: Zimbra Collaboration
CVE-2019-11317
- RESERVED
+ REJECTED
CVE-2019-11316
- RESERVED
+ REJECTED
CVE-2019-11315
- RESERVED
+ REJECTED
CVE-2019-11314
- RESERVED
+ REJECTED
CVE-2019-11313
- RESERVED
+ REJECTED
CVE-2019-11312
- RESERVED
+ REJECTED
CVE-2019-11311
- RESERVED
+ REJECTED
CVE-2019-11310
- RESERVED
+ REJECTED
CVE-2019-11309
- RESERVED
+ REJECTED
CVE-2019-11308
- RESERVED
+ REJECTED
CVE-2019-11307
- RESERVED
+ REJECTED
CVE-2019-11306
- RESERVED
+ REJECTED
CVE-2019-11305
- RESERVED
+ REJECTED
CVE-2019-11304
- RESERVED
+ REJECTED
CVE-2019-11303
- RESERVED
+ REJECTED
CVE-2019-11302
- RESERVED
+ REJECTED
CVE-2019-11301
- RESERVED
+ REJECTED
CVE-2019-11300
- RESERVED
+ REJECTED
CVE-2019-11299
- RESERVED
+ REJECTED
CVE-2019-11298
- RESERVED
+ REJECTED
CVE-2019-11297
- RESERVED
+ REJECTED
CVE-2019-11296
- RESERVED
+ REJECTED
CVE-2019-11295
- RESERVED
+ REJECTED
CVE-2019-11294 (Cloud Foundry Cloud Controller API (CAPI), version 1.88.0, allows spac ...)
NOT-FOR-US: Cloud Foundry
CVE-2019-11293 (Cloud Foundry UAA Release, versions prior to v74.10.0, when set to log ...)
@@ -25189,10 +25675,12 @@ CVE-2019-11293 (Cloud Foundry UAA Release, versions prior to v74.10.0, when set
CVE-2019-11292 (Pivotal Ops Manager, versions 2.4.x prior to 2.4.27, 2.5.x prior to 2. ...)
NOT-FOR-US: Pivotal
CVE-2019-11291 (Pivotal RabbitMQ, 3.7 versions prior to v3.7.20 and 3.8 version prior ...)
- - rabbitmq-server <unfixed> (bug #945601)
+ - rabbitmq-server 3.8.3-1 (bug #945601)
[buster] - rabbitmq-server <no-dsa> (Minor issue)
- [stretch] - rabbitmq-server <no-dsa> (Minor issue)
+ [stretch] - rabbitmq-server <not-affected> (Vulnerable code not present)
[jessie] - rabbitmq-server <postponed> (Minor issue)
+ NOTE: https://github.com/rabbitmq/rabbitmq-shovel-management/commit/c22992b289dddadba866ac2b7fc697bc66847e4f
+ NOTE: https://github.com/rabbitmq/rabbitmq-federation-management/commit/52bf0ffbb8695060b1ae909266b9b62717e7ba2d
NOTE: https://pivotal.io/security/cve-2019-11291
CVE-2019-11290 (Cloud Foundry UAA Release, versions prior to v74.8.0, logs all query p ...)
NOT-FOR-US: Cloud Foundry
@@ -25201,9 +25689,9 @@ CVE-2019-11289 (Cloud Foundry Routing, all versions before 0.193.0, does not pro
CVE-2019-11288 (In Pivotal tc Server, 3.x versions prior to 3.2.19 and 4.x versions pr ...)
NOT-FOR-US: Pivotal
CVE-2019-11287 (Pivotal RabbitMQ, versions 3.7.x prior to 3.7.21 and 3.8.x prior to 3. ...)
- - rabbitmq-server <unfixed> (bug #945600)
+ {DLA-2710-1}
+ - rabbitmq-server 3.8.3-1 (bug #945600)
[buster] - rabbitmq-server <no-dsa> (Minor issue)
- [stretch] - rabbitmq-server <no-dsa> (Minor issue)
[jessie] - rabbitmq-server <postponed> (Minor issue)
NOTE: https://pivotal.io/security/cve-2019-11287
CVE-2019-11286 (VMware GemFire versions prior to 9.10.0, 9.9.1, 9.8.5, and 9.7.5, and ...)
@@ -25217,15 +25705,16 @@ CVE-2019-11283 (Cloud Foundry SMB Volume, versions prior to v2.0.3, accidentally
CVE-2019-11282 (Cloud Foundry UAA, versions prior to v74.3.0, contains an endpoint tha ...)
NOT-FOR-US: Cloud Foundry
CVE-2019-11281 (Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, ver ...)
+ {DLA-2710-1}
- rabbitmq-server 3.7.18-1 (low)
[buster] - rabbitmq-server <no-dsa> (Minor issue)
- [stretch] - rabbitmq-server <no-dsa> (Minor issue)
[jessie] - rabbitmq-server <no-dsa> (Minor issue; one plugin not vulnerable, the other only exploitable by malicious admin)
NOTE: https://pivotal.io/security/cve-2019-11281
NOTE: fix for vhost limit feature: https://github.com/rabbitmq/rabbitmq-management/commit/42def1b51243397c1cb9192d6d064351e358bacc
NOTE: which was only introduced in 3.7.0-beta.19
NOTE: federation management plugin: exploitable only by a remote authenticated malicious user
- NOTE: with administrative access
+ NOTE: with administrative access
+ NOTE: https://github.com/rabbitmq/rabbitmq-federation-management/commit/d4d4cb2d3ecd7b6c8a51e50c3565c9a431c086b3
CVE-2019-11280 (Pivotal Apps Manager, included in Pivotal Application Service versions ...)
NOT-FOR-US: Pivotal
CVE-2019-11279 (CF UAA versions prior to 74.1.0 can request scopes for a client that s ...)
@@ -25262,8 +25751,8 @@ CVE-2019-11358 (jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other
- node-jquery 2.2.4+dfsg-4 (bug #927466)
- mediawiki 1:1.31.2-1
- otrs2 6.0.26-1
- [buster] - otrs2 <no-dsa> (Non-free not supported)
- [stretch] - otrs2 <no-dsa> (Non-free not supported)
+ [buster] - otrs2 <ignored> (Non-free not supported)
+ [stretch] - otrs2 <ignored> (Non-free not supported)
NOTE: https://www.drupal.org/sa-core-2019-006
NOTE: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
NOTE: https://github.com/DanielRuf/snyk-js-jquery-174006?files=1
@@ -25347,11 +25836,10 @@ CVE-2019-11238
CVE-2019-11237
RESERVED
CVE-2019-11236 (In the urllib3 library through 1.24.1 for Python, CRLF injection is po ...)
- {DLA-1828-1}
+ {DLA-2686-1 DLA-1828-1}
[experimental] - python-urllib3 1.25.6-1
- python-urllib3 1.25.6-4 (bug #927172)
[buster] - python-urllib3 <no-dsa> (Minor issue)
- [stretch] - python-urllib3 <no-dsa> (Minor issue)
NOTE: https://github.com/urllib3/urllib3/issues/1553
NOTE: https://github.com/urllib3/urllib3/commit/9b76785331243689a9d52cef3db05ef7462cb02d
NOTE: https://github.com/urllib3/urllib3/commit/efddd7e7bad26188c3b692d1090cba768afa9162
@@ -25622,8 +26110,8 @@ CVE-2019-11123 (Insufficient session validation in system firmware for Intel(R)
NOT-FOR-US: Intel
CVE-2019-11122
RESERVED
-CVE-2019-11121
- RESERVED
+CVE-2019-11121 (Improper file permissions in the installer for the Intel(R) Media SDK ...)
+ NOT-FOR-US: Intel
CVE-2019-11120 (Insufficient path checking in the installer for Intel(R) Active System ...)
NOT-FOR-US: Intel
CVE-2019-11119 (Insufficient session validation in the service API for Intel(R) RWC3 v ...)
@@ -25668,8 +26156,15 @@ CVE-2019-11100 (Insufficient input validation in the subsystem for Intel(R) AMT
NOT-FOR-US: Intel
CVE-2019-11099
RESERVED
-CVE-2019-11098
- RESERVED
+CVE-2019-11098 (Insufficient input validation in MdeModulePkg in EDKII may allow an un ...)
+ [experimental] - edk2 2021.02-1
+ - edk2 2020.11-5 (bug #991495)
+ [bullseye] - edk2 2020.11-2+deb11u1
+ [buster] - edk2 <no-dsa> (Minor issue)
+ [stretch] - edk2 <no-dsa> (Minor issue)
+ NOTE: https://edk2-docs.gitbook.io/security-advisory/bootguard-toctou-vulnerability
+ NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1614
+ NOTE: https://bugzilla.tianocore.org/attachment.cgi?id=316
CVE-2019-11097 (Improper directory permissions in the installer for Intel(R) Managemen ...)
NOT-FOR-US: Intel
CVE-2019-11096 (Insufficient memory protection for Intel(R) Ethernet I218 Adapter driv ...)
@@ -25759,9 +26254,9 @@ CVE-2019-11068 (libxslt through 1.1.33 allows bypass of a protection mechanism b
CVE-2019-11067
RESERVED
CVE-2019-1003050 (The f:validateButton form control for the Jenkins UI did not properly ...)
- NOT-FOR-US: Jenkins
+ - jenkins <removed>
CVE-2019-1003049 (Users who cached their CLI authentication before Jenkins was updated t ...)
- NOT-FOR-US: Jenkins
+ - jenkins <removed>
CVE-2019-11066 (openid.php in LightOpenID through 1.3.1 allows SSRF via a crafted Open ...)
NOT-FOR-US: LightOpenID
CVE-2019-11065 (Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download ...)
@@ -26172,10 +26667,10 @@ CVE-2019-10944
RESERVED
CVE-2019-10943 (A vulnerability has been identified in SIMATIC ET 200SP Open Controlle ...)
NOT-FOR-US: Siemens
-CVE-2019-10942 (A vulnerability has been identified in SCALANCE X-200 (All versions), ...)
+CVE-2019-10942 (A vulnerability has been identified in SCALANCE X-200 switch family (i ...)
+ NOT-FOR-US: Siemens
+CVE-2019-10941 (A vulnerability has been identified in SINEMA Server (All versions &lt ...)
NOT-FOR-US: Siemens
-CVE-2019-10941
- RESERVED
CVE-2019-10940 (A vulnerability has been identified in SINEMA Server (All versions &lt ...)
NOT-FOR-US: Siemens
CVE-2019-10939 (A vulnerability has been identified in TIM 3V-IE (incl. SIPLUS NET var ...)
@@ -26204,9 +26699,9 @@ CVE-2019-10928 (A vulnerability has been identified in SCALANCE SC-600 (V2.0). A
NOT-FOR-US: Siemens
CVE-2019-10927 (A vulnerability has been identified in SCALANCE SC-600 (V2.0), SCALANC ...)
NOT-FOR-US: Siemens
-CVE-2019-10926 (A vulnerability has been identified in SIMATIC Ident MV420 family (All ...)
+CVE-2019-10926 (A vulnerability has been identified in SIMATIC MV400 family (All Versi ...)
NOT-FOR-US: Siemens
-CVE-2019-10925 (A vulnerability has been identified in SIMATIC Ident MV420 family (All ...)
+CVE-2019-10925 (A vulnerability has been identified in SIMATIC MV400 family (All Versi ...)
NOT-FOR-US: Siemens
CVE-2019-10924 (A vulnerability has been identified in LOGO! Soft Comfort (All version ...)
NOT-FOR-US: Siemens
@@ -26214,11 +26709,11 @@ CVE-2019-10923 (A vulnerability has been identified in Development/Evaluation Ki
NOT-FOR-US: Siemens
CVE-2019-10922 (A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier ...)
NOT-FOR-US: Siemens
-CVE-2019-10921 (A vulnerability has been identified in LOGO!8 BM (All versions). Unenc ...)
+CVE-2019-10921 (A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS varian ...)
NOT-FOR-US: Siemens
-CVE-2019-10920 (A vulnerability has been identified in LOGO!8 BM (All versions). Proje ...)
+CVE-2019-10920 (A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS varian ...)
NOT-FOR-US: Siemens
-CVE-2019-10919 (A vulnerability has been identified in LOGO!8 BM (All versions). Attac ...)
+CVE-2019-10919 (A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS varian ...)
NOT-FOR-US: Siemens
CVE-2019-10918 (A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier ...)
NOT-FOR-US: Siemens
@@ -26278,23 +26773,21 @@ CVE-2019-10904 (Roundup 1.6 allows XSS via the URI because frontends/roundup.cgi
NOTE: https://issues.roundup-tracker.org/issue2551035
NOTE: https://bitbucket.org/python/roundup/commits/51682dc2cd7e28421d749117c25bec58f632ee5f
CVE-2019-10903 (In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the DCERPC SP ...)
- {DLA-1802-1}
+ {DLA-2423-1 DLA-1802-1}
- wireshark 2.6.8-1 (low; bug #926718)
- [stretch] - wireshark <postponed> (Can be fixed along in next 2.6.x release)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15568
NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=eafdcfa4b6d5187a5326442a82608ab03d9dddcb
NOTE: https://www.wireshark.org/security/wnpa-sec-2019-18.html
CVE-2019-10902 (In Wireshark 3.0.0, the TSDNS dissector could crash. This was addresse ...)
- - wireshark 2.6.8-1 (low; bug #926718)
- [stretch] - wireshark <postponed> (Can be fixed along in next 2.6.x release)
- [jessie] - wireshark <not-affected> (vulnerable code is not present)
+ - wireshark <not-affected> (Vulnerable code never present in the archive in released version)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15619
NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=95571f17d5e2de39735e62e5251583f930c06d51
NOTE: https://www.wireshark.org/security/wnpa-sec-2019-16.html
+ NOTE: bug was never in Debian apart experimental released versions:
+ NOTE: Dissector introduced in 3.0.0 and CVE fixed in 3.0.1
CVE-2019-10901 (In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the LDSS diss ...)
- {DLA-1802-1}
+ {DLA-2423-1 DLA-1802-1}
- wireshark 2.6.8-1 (low; bug #926718)
- [stretch] - wireshark <postponed> (Can be fixed along in next 2.6.x release)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15620
NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=cf801a25074f76dc3ae62d8ec53ace75f56ce2cd
NOTE: https://www.wireshark.org/security/wnpa-sec-2019-17.html
@@ -26304,9 +26797,8 @@ CVE-2019-10900 (In Wireshark 3.0.0, the Rbm dissector could go into an infinite
NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=26eee01f57f0a86fb375892c7937eac24ede4610
NOTE: https://www.wireshark.org/security/wnpa-sec-2019-13.html
CVE-2019-10899 (In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the SRVLOC di ...)
- {DLA-1802-1}
+ {DLA-2423-1 DLA-1802-1}
- wireshark 2.6.8-1 (low; bug #926718)
- [stretch] - wireshark <postponed> (Can be fixed along in next 2.6.x release)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15546
NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b16fea2f175a3297edac118c8844c7987d31c1cb
NOTE: https://www.wireshark.org/security/wnpa-sec-2019-10.html
@@ -26321,16 +26813,15 @@ CVE-2019-10897 (In Wireshark 3.0.0, the IEEE 802.11 dissector could go into an i
NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=00d5e9e9fb377f52ab7696f25c1dbc011ef0244d
NOTE: https://www.wireshark.org/security/wnpa-sec-2019-11.html
CVE-2019-10896 (In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the DOF disse ...)
+ {DLA-2423-1}
- wireshark 2.6.8-1 (low; bug #926718)
- [stretch] - wireshark <postponed> (Can be fixed along in next 2.6.x release)
[jessie] - wireshark <not-affected> (vulnerable code is not present)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15617
NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=441b6d9071d6341e58dfe10719375489c5b8e3f0
NOTE: https://www.wireshark.org/security/wnpa-sec-2019-15.html
CVE-2019-10895 (In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the NetScaler ...)
- {DLA-1802-1}
+ {DLA-2423-1 DLA-1802-1}
- wireshark 2.6.8-1 (low; bug #926718)
- [stretch] - wireshark <postponed> (Can be fixed along in next 2.6.x release)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15497
NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=2fbbde780e5d5d82e31dca656217daf278cf62bb
NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=38680c4c69f9f4e0f39e29b66fe2b02d88eb629d
@@ -26338,9 +26829,8 @@ CVE-2019-10895 (In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the Net
NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=cab0cff6abdd7a5b5b0bfa4ee204eea951e129e9
NOTE: https://www.wireshark.org/security/wnpa-sec-2019-09.html
CVE-2019-10894 (In Wireshark 2.4.0 to 2.4.13, 2.6.0 to 2.6.7, and 3.0.0, the GSS-API d ...)
- {DLA-1802-1}
+ {DLA-2423-1 DLA-1802-1}
- wireshark 2.6.8-1 (low; bug #926718)
- [stretch] - wireshark <postponed> (Can be fixed along in next 2.6.x release)
NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15613
NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=b20e5d8aae2580e29c83ddaf0b6b2e640603e4aa
NOTE: https://www.wireshark.org/security/wnpa-sec-2019-14.html
@@ -26368,8 +26858,8 @@ CVE-2019-10883 (Citrix SD-WAN Center 10.2.x before 10.2.1 and NetScaler SD-WAN C
NOT-FOR-US: Citrix
CVE-2019-10882 (The Netskope client service, v57 before 57.2.0.219 and v60 before 60.2 ...)
NOT-FOR-US: Netskope
-CVE-2019-10881
- RESERVED
+CVE-2019-10881 (Xerox AltaLink B8045/B8055/B8065/B8075/B8090, AltaLink C8030/C8035/C80 ...)
+ NOT-FOR-US: Xerox
CVE-2019-10880 (Within multiple XEROX products a vulnerability allows remote command e ...)
NOT-FOR-US: XEROX
CVE-2019-10879 (In Teeworlds 0.7.2, there is an integer overflow in CDataFileReader::O ...)
@@ -26413,12 +26903,13 @@ CVE-2019-10872 (An issue was discovered in Poppler 0.74.0. There is a heap-based
CVE-2019-10871 (An issue was discovered in Poppler 0.74.0. There is a heap-based buffe ...)
[experimental] - poppler 0.81.0-1
- poppler 0.85.0-2 (low; bug #926529)
- [buster] - poppler <postponed> (Revisit when fixed upstream)
+ [buster] - poppler <ignored> (Minor issue)
[stretch] - poppler <postponed> (Revisit when fixed upstream)
[jessie] - poppler <postponed> (Revisit when fixed upstream)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/751
NOTE: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/266 (rejected in favor of always enabling SPLASH_CMYK)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/341 (always enable SPLASH_CMYK)
+ NOTE: Enabling SPLASH_CMYK in older releases causes regressions, see https://bugs.launchpad.net/ubuntu/+source/poppler/+bug/1905741
CVE-2019-10870
RESERVED
CVE-2019-10869 (Path Traversal and Unrestricted File Upload exists in the Ninja Forms ...)
@@ -26598,6 +27089,7 @@ CVE-2019-10785 (dojox is vulnerable to Cross-site Scripting in all versions befo
NOTE: https://github.com/dojo/dojox/pull/315
CVE-2019-10784 (phppgadmin through 7.12.1 allows sensitive actions to be performed wit ...)
- phppgadmin <unfixed> (bug #953945)
+ [bullseye] - phppgadmin <no-dsa> (Minor issue)
[buster] - phppgadmin <no-dsa> (Minor issue)
[stretch] - phppgadmin <no-dsa> (Minor issue)
[jessie] - phppgadmin <no-dsa> (Minor issue)
@@ -26741,6 +27233,7 @@ CVE-2019-10736
RESERVED
CVE-2019-10735 (In Claws Mail 3.14.1, an attacker in possession of S/MIME or PGP encry ...)
- claws-mail <unfixed> (low; bug #926705)
+ [bullseye] - claws-mail <no-dsa> (Minor issue)
[buster] - claws-mail <postponed> (Revisit when fixed upstream)
[stretch] - claws-mail <postponed> (Revisit when fixed upstream)
[jessie] - claws-mail <postponed> (Revisit when fixed upstream)
@@ -26777,7 +27270,8 @@ CVE-2019-10724 (There is a vulnerability with the Dolby DAX2 API system services
NOT-FOR-US: Dolby
CVE-2019-10723 (An issue was discovered in PoDoFo 0.9.6. The PdfPagesTreeCache class i ...)
- libpodofo <unfixed> (low; bug #926667)
- [buster] - libpodofo <no-dsa> (Minor issue)
+ [bullseye] - libpodofo <ignored> (Minor issue)
+ [buster] - libpodofo <ignored> (Minor issue)
[stretch] - libpodofo <no-dsa> (Minor issue)
[jessie] - libpodofo <postponed> (clean exception quit/DoS, low popcon)
NOTE: https://sourceforge.net/p/podofo/tickets/46/
@@ -27119,7 +27613,7 @@ CVE-2019-10621 (Use after free issue when MAP and UNMAP calls at same time as da
CVE-2019-10620 (Kernel memory error in debug module due to improper check of user data ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2019-10619
- RESERVED
+ REJECTED
CVE-2019-10618 (Driver may access an invalid address while processing IO control due t ...)
NOT-FOR-US: Snapdragon
CVE-2019-10617 (Low privilege users can access service configuration which contains re ...)
@@ -27131,7 +27625,7 @@ CVE-2019-10615 (u'Possibility of integer overflow in keymaster 4 while allocatin
CVE-2019-10614 (Out of boundary access is possible as there is no validation of data a ...)
NOT-FOR-US: Snapdragon
CVE-2019-10613
- RESERVED
+ REJECTED
CVE-2019-10612 (UTCB object has a function pointer called by the reaper to deallocate ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2019-10611 (Buffer overflow can occur while processing clip due to lack of check o ...)
@@ -27159,7 +27653,7 @@ CVE-2019-10601 (Out of bound access can occur while processing firmware event du
CVE-2019-10600 (Use of local variable as argument to netlink CB callback goes out of i ...)
NOT-FOR-US: Snapdragon
CVE-2019-10599
- RESERVED
+ REJECTED
CVE-2019-10598 (Out of bound access can occur while processing peer info in IBSS conne ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2019-10597 (kernel writes to user passed address without any checks can lead to ar ...)
@@ -27211,7 +27705,7 @@ CVE-2019-10575 (Wlan binary which is not signed with OEMs RoT is working on secu
CVE-2019-10574 (Lack of boundary checks for data offsets received from HLOS can lead t ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2019-10573
- RESERVED
+ REJECTED
CVE-2019-10572 (Improper check in video driver while processing data from video firmwa ...)
NOT-FOR-US: Snapdragon
CVE-2019-10571 (Snapshot of IB can lead to invalid address access due to missing check ...)
@@ -27221,7 +27715,7 @@ CVE-2019-10570
CVE-2019-10569 (Stack buffer overflow due to instance id is misplaced inside definitio ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2019-10568
- RESERVED
+ REJECTED
CVE-2019-10567 (There is a way to deceive the GPU kernel driver into thinking there is ...)
NOT-FOR-US: Snapdragon
CVE-2019-10566 (Buffer overflow can occur in wlan module if supported rates or extende ...)
@@ -27237,7 +27731,7 @@ CVE-2019-10562 (u'Improper authentication and signature verification of debug po
CVE-2019-10561 (Improper initialization of local variables which are parameters to sfs ...)
NOT-FOR-US: Snapdragon
CVE-2019-10560
- RESERVED
+ REJECTED
CVE-2019-10559 (Accessing data buffer beyond the available data while parsing ogg clip ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2019-10558 (While transferring data from APPS to DSP, Out of bound in FastRPC HLOS ...)
@@ -27545,17 +28039,17 @@ CVE-2019-10408 (A cross-site request forgery vulnerability in Jenkins Project In
CVE-2019-10407 (Jenkins Project Inheritance Plugin 2.0.0 and earlier displayed a list ...)
NOT-FOR-US: Jenkins plugin
CVE-2019-10406 (Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not restrict or ...)
- NOT-FOR-US: Jenkins
+ - jenkins <removed>
CVE-2019-10405 (Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value o ...)
- NOT-FOR-US: Jenkins
+ - jenkins <removed>
CVE-2019-10404 (Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the ...)
- NOT-FOR-US: Jenkins
+ - jenkins <removed>
CVE-2019-10403 (Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the ...)
- NOT-FOR-US: Jenkins
+ - jenkins <removed>
CVE-2019-10402 (In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:combobox ...)
- NOT-FOR-US: Jenkins
+ - jenkins <removed>
CVE-2019-10401 (In Jenkins 2.196 and earlier, LTS 2.176.3 and earlier, the f:expandabl ...)
- NOT-FOR-US: Jenkins
+ - jenkins <removed>
CVE-2019-10400 (A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 ...)
NOT-FOR-US: Jenkins plugin
CVE-2019-10399 (A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 ...)
@@ -27589,9 +28083,9 @@ CVE-2019-10386 (A cross-site request forgery vulnerability in Jenkins XL TestVie
CVE-2019-10385 (Jenkins eggPlant Plugin 2.2 and earlier stores credentials unencrypted ...)
NOT-FOR-US: Jenkins plugin
CVE-2019-10384 (Jenkins 2.191 and earlier, LTS 2.176.2 and earlier allowed users to ob ...)
- NOT-FOR-US: Jenkins
+ - jenkins <removed>
CVE-2019-10383 (A stored cross-site scripting vulnerability in Jenkins 2.191 and earli ...)
- NOT-FOR-US: Jenkins
+ - jenkins <removed>
CVE-2019-10382 (Jenkins VMware Lab Manager Slaves Plugin 0.2.8 and earlier disables SS ...)
NOT-FOR-US: Jenkins plugin
CVE-2019-10381 (Jenkins Codefresh Integration Plugin 1.8 and earlier disables SSL/TLS ...)
@@ -27649,11 +28143,11 @@ CVE-2019-10356 (A sandbox bypass vulnerability in Jenkins Script Security Plugin
CVE-2019-10355 (A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 ...)
NOT-FOR-US: Jenkins Script Security Plugin
CVE-2019-10354 (A vulnerability in the Stapler web framework used in Jenkins 2.185 and ...)
- NOT-FOR-US: Jenkins
+ - jenkins <removed>
CVE-2019-10353 (CSRF tokens in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier did ...)
- NOT-FOR-US: Jenkins
+ - jenkins <removed>
CVE-2019-10352 (A path traversal vulnerability in Jenkins 2.185 and earlier, LTS 2.176 ...)
- NOT-FOR-US: Jenkins
+ - jenkins <removed>
CVE-2019-10351 (Jenkins Caliper CI Plugin stores credentials unencrypted in job config ...)
NOT-FOR-US: Jenkins plugin
CVE-2019-10350 (Jenkins Port Allocator Plugin stores credentials unencrypted in job co ...)
@@ -27863,6 +28357,8 @@ CVE-2019-10256 (An authentication bypass vulnerability in VIVOTEK IPCam versions
NOT-FOR-US: VIVOTEK IPCam
CVE-2019-10255 (An Open Redirect vulnerability for all browsers in Jupyter Notebook be ...)
- jupyter-notebook 5.7.8-1 (bug #925939)
+ [stretch] - jupyter-notebook <no-dsa> (Intrusive to backport)
+ - jupyterhub <not-affected> (Fixed before initial upload to Debian)
NOTE: https://github.com/jupyter/notebook/commit/08c4c898182edbe97aadef1815cce50448f975cb
NOTE: https://github.com/jupyter/notebook/commit/70fe9f0ddb3023162ece21fbb77d5564306b913b
NOTE: When adressing this issue make sure to not open CVE-2019-10856 and apply the
@@ -27902,10 +28398,9 @@ CVE-2019-10249 (All Xtext &amp; Xtend versions prior to 2.18.0 were built using
CVE-2019-10248 (Eclipse Vorto versions prior to 0.11 resolved Maven build artifacts fo ...)
NOT-FOR-US: Eclipse Vorto
CVE-2019-10247 (In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, ...)
+ {DSA-4949-1 DLA-2661-1}
[experimental] - jetty9 9.4.18-1
- jetty9 9.4.18-2 (bug #928444)
- [buster] - jetty9 <no-dsa> (Minor issue)
- [stretch] - jetty9 <no-dsa> (Minor issue)
- jetty8 <removed>
[jessie] - jetty8 <no-dsa> (Minor issue)
- jetty <removed>
@@ -27927,15 +28422,15 @@ CVE-2019-10243 (In Eclipse Kura versions up to 4.0.0, Kura exposes the underlyin
CVE-2019-10242 (In Eclipse Kura versions up to 4.0.0, the SkinServlet did not checked ...)
NOT-FOR-US: Eclipse Kura
CVE-2019-10241 (In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.1 ...)
+ {DSA-4949-1 DLA-2661-1}
[experimental] - jetty9 9.4.18-1
- jetty9 9.4.18-2 (bug #928444)
- [buster] - jetty9 <no-dsa> (Minor issue)
- [stretch] - jetty9 <no-dsa> (Minor issue)
- jetty8 <removed>
[jessie] - jetty8 <no-dsa> (Minor issue)
- jetty <removed>
- [jessie] - jetty <no-dsa> (Minor issue)
+ [jessie] - jetty <not-affected> (Test case reproducers properly HTML-escaped)
NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=546121
+ NOTE: https://github.com/eclipse/jetty.project/issues/3319#issuecomment-567918620
CVE-2019-10240 (Eclipse hawkBit versions prior to 0.3.0M2 resolved Maven build artifac ...)
NOT-FOR-US: Eclipse hawkBit
CVE-2019-10239 (Robotronic RunAsSpc 3.7.0.0 protects stored credentials insufficiently ...)
@@ -27972,8 +28467,7 @@ CVE-2019-10227 (openITCOCKPIT before 3.7.1 has reflected XSS in the 404-not-foun
NOT-FOR-US: openITCOCKPIT
CVE-2019-10226 (HTML Injection has been discovered in the v0.19.0 version of the Fat F ...)
NOT-FOR-US: Fat Free CRM
-CVE-2019-10225
- RESERVED
+CVE-2019-10225 (A flaw was found in atomic-openshift of openshift-4.2 where the basic- ...)
NOT-FOR-US: OpenShift
CVE-2019-10224 (A flaw has been found in 389-ds-base versions 1.4.x.x before 1.4.1.3. ...)
- 389-ds-base 1.4.1.5-1
@@ -27998,8 +28492,9 @@ CVE-2019-10222 (A flaw was found in the Ceph RGW configuration with Beast as the
NOTE: 12.2.x installations only affected by the vulnerability if experimental
NOTE: features are enabled.
CVE-2019-10221 (A Reflected Cross Site Scripting vulnerability was found in all pki-co ...)
- - dogtag-pki <unfixed>
+ - dogtag-pki 10.9.1-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1732565
+ NOTE: https://github.com/dogtagpki/pki/pull/452
CVE-2019-10220 (Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a rel ...)
{DLA-2114-1 DLA-2068-1}
- linux 5.3.9-1
@@ -28007,6 +28502,7 @@ CVE-2019-10220 (Linux kernel CIFS implementation, version 4.9.0 is vulnerable to
[stretch] - linux 4.9.210-1
CVE-2019-10219 (A vulnerability was found in Hibernate-Validator. The SafeHtml validat ...)
- libhibernate-validator-java <unfixed> (bug #948235)
+ [bullseye] - libhibernate-validator-java <no-dsa> (Minor issue)
[buster] - libhibernate-validator-java <not-affected> (Vulnerable code was introduced later)
[stretch] - libhibernate-validator-java <not-affected> (Vulnerable code was introduced later)
[jessie] - libhibernate-validator-java <not-affected> (Vulnerable code was introduced later)
@@ -28015,9 +28511,9 @@ CVE-2019-10219 (A vulnerability was found in Hibernate-Validator. The SafeHtml v
NOTE: https://hibernate.atlassian.net/browse/HV-1739
NOTE: Fixed by https://github.com/hibernate/hibernate-validator/commit/124b7dd6d9a4ad24d4d49f74701f05a13e56ceee
CVE-2019-10218 (A flaw was found in the samba client, all samba versions before samba ...)
+ {DLA-2668-1}
- samba 2:4.11.1+dfsg-2
[buster] - samba <no-dsa> (Minor issue)
- [stretch] - samba <no-dsa> (Minor issue)
[jessie] - samba <no-dsa> (Minor issue)
NOTE: https://www.samba.org/samba/security/CVE-2019-10218.html
CVE-2019-10217 (A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensit ...)
@@ -28075,9 +28571,8 @@ CVE-2019-14856 (ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a
NOTE: https://github.com/ansible/ansible/pull/63351
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1760829
CVE-2019-10206 (ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2 ...)
+ {DSA-4950-1}
- ansible 2.8.6+dfsg-1 (bug #933005)
- [buster] - ansible <no-dsa> (Minor issue)
- [stretch] - ansible <no-dsa> (Minor issue)
[jessie] - ansible <not-affected> (Vulnerable code introduced later, password templating code introduced with 2.0 refactoring, '{{' supported in passwords)
NOTE: https://github.com/ansible/ansible/pull/59246
NOTE: 2.8.x https://github.com/ansible/ansible/pull/59552
@@ -28091,8 +28586,8 @@ CVE-2019-10205 (A flaw was found in the way Red Hat Quay stores robot account to
CVE-2019-10204
RESERVED
CVE-2019-10203 (PowerDNS Authoritative daemon , pdns versions 4.0.x before 4.0.9, 4.1. ...)
- - pdns 4.2.0-1 (low)
- [buster] - pdns <no-dsa> (Minor issue)
+ - pdns 4.2.0-1 (low; bug #970729)
+ [buster] - pdns 4.1.6-3+deb10u1
[stretch] - pdns <no-dsa> (Minor issue)
[jessie] - pdns <no-dsa> (Minor issue)
NOTE: Fixed in 4.2.0, 4.1.11, 4.0.9, for existing installations a manual schema update
@@ -28102,8 +28597,7 @@ CVE-2019-10202 (A series of deserialization vulnerabilities have been discovered
NOT-FOR-US: Codehaus
CVE-2019-10201 (It was found that Keycloak's SAML broker, versions up to 6.0.1, did no ...)
NOT-FOR-US: Keycloak
-CVE-2019-10200
- RESERVED
+CVE-2019-10200 (A flaw was discovered in OpenShift Container Platform 4 where, by defa ...)
NOT-FOR-US: OpenShift
CVE-2019-10199 (It was found that Keycloak's account console, up to 6.0.1, did not per ...)
NOT-FOR-US: Keycloak
@@ -28115,8 +28609,7 @@ CVE-2019-10197 (A flaw was found in samba versions 4.9.x up to 4.9.13, samba 4.1
[stretch] - samba <not-affected> (Issue introduced in 4.9.0 upstream)
[jessie] - samba <not-affected> (Issue introduced in 4.9.0 upstream)
NOTE: https://www.samba.org/samba/security/CVE-2019-10197.html
-CVE-2019-10196
- RESERVED
+CVE-2019-10196 (A flaw was found in http-proxy-agent, prior to version 2.1.0. It was d ...)
NOT-FOR-US: nodejs-http-proxy-agent
CVE-2019-10195 (A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x ve ...)
- freeipa 4.8.3-1
@@ -28144,11 +28637,13 @@ CVE-2019-10192 (A heap-buffer overflow vulnerability was found in the Redis hype
NOTE: https://github.com/antirez/redis/commit/7f79849caa006f0d760b6c7e17f7796e3be92b4f (5.0.4)
CVE-2019-10191 (A vulnerability was discovered in DNS resolver of knot resolver before ...)
- knot-resolver 5.0.1-1 (bug #932048)
+ [buster] - knot-resolver <no-dsa> (Minor issue; can be fixed via point release)
NOTE: https://www.knot-resolver.cz/2019-07-10-knot-resolver-4.1.0.html
NOTE: https://gitlab.labs.nic.cz/knot/knot-resolver/merge_requests/839
NOTE: https://www.openwall.com/lists/oss-security/2019/07/14/1
CVE-2019-10190 (A vulnerability was discovered in DNS resolver component of knot resol ...)
- knot-resolver 5.0.1-1 (bug #932048)
+ [buster] - knot-resolver <no-dsa> (Minor issue; can be fixed via point release)
NOTE: https://www.knot-resolver.cz/2019-07-10-knot-resolver-4.1.0.html
NOTE: https://gitlab.labs.nic.cz/knot/knot-resolver/merge_requests/827
NOTE: https://www.openwall.com/lists/oss-security/2019/07/14/1
@@ -28193,6 +28688,7 @@ CVE-2019-10181 (It was found that in icedtea-web up to and including 1.7.2 and 1
NOTE: https://github.com/AdoptOpenJDK/IcedTea-Web/commit/528cb8163b7053576a658b9602b5694b21957b0e (1.8)
CVE-2019-10180 (A vulnerability was found in all pki-core 10.x.x version, where the To ...)
- dogtag-pki <unfixed>
+ [bullseye] - dogtag-pki <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1721137
CVE-2019-10179 (A vulnerability was found in all pki-core 10.x.x versions, where the K ...)
- dogtag-pki 10.9.1-1
@@ -28201,6 +28697,7 @@ CVE-2019-10179 (A vulnerability was found in all pki-core 10.x.x versions, where
NOTE: https://github.com/dogtagpki/pki/commit/a93a65be0b1bcf94e004ba59c6a0c8a2c086936f (v10.9.0)
CVE-2019-10178 (It was found that the Token Processing Service (TPS) did not properly ...)
- dogtag-pki <unfixed>
+ [bullseye] - dogtag-pki <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1719042
CVE-2019-10177 (A stored cross-site scripting (XSS) vulnerability was found in the PDF ...)
NOT-FOR-US: Red Hat CloudForms
@@ -28218,7 +28715,8 @@ CVE-2019-10173 (It was found that xstream API version 1.4.10 before 1.4.11 intro
NOTE: Regression introduced and present only in 1.4.10.
CVE-2019-10172 (A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libr ...)
{DLA-2342-1 DLA-2091-1}
- - libjackson-json-java <unfixed>
+ - libjackson-json-java 1.9.13-2
+ [buster] - libjackson-json-java <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1715075
NOTE: https://stackoverflow.com/questions/38017676/small-fix-for-cve-2016-3720-with-older-versions-of-jackson-all-1-9-11-and-in-ja/38017721
NOTE: https://github.com/FasterXML/jackson-1/pull/1
@@ -28297,10 +28795,8 @@ CVE-2019-10158 (A flaw was found in Infinispan through version 9.4.14.Final. An
CVE-2019-10157 (It was found that Keycloak's Node.js adapter before version 4.8.3 did ...)
NOT-FOR-US: Keycloak
CVE-2019-10156 (A flaw was discovered in the way Ansible templating was implemented in ...)
- {DLA-1923-1}
+ {DSA-4950-1 DLA-2535-1 DLA-1923-1}
- ansible 2.8.3+dfsg-1 (low; bug #930065)
- [buster] - ansible <no-dsa> (Minor issue)
- [stretch] - ansible <no-dsa> (Minor issue)
NOTE: https://github.com/ansible/ansible/pull/57188
CVE-2019-10155 (The Libreswan Project has found a vulnerability in the processing of I ...)
- libreswan 3.27-6 (bug #930338)
@@ -28321,7 +28817,7 @@ CVE-2019-10153 (A flaw was discovered in fence-agents, prior to version 4.3.4, w
CVE-2019-10152 (A path traversal vulnerability has been discovered in podman before ve ...)
- libpod <not-affected> (Fixed before initial upload)
CVE-2019-10151
- RESERVED
+ REJECTED
CVE-2019-10150 (It was found that OpenShift Container Platform versions 3.6.x - 4.6.0 ...)
NOT-FOR-US: OpenShift
CVE-2019-10149 (A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Improper v ...)
@@ -28336,7 +28832,7 @@ CVE-2019-10149 (A flaw was found in Exim versions 4.87 to 4.91 (inclusive). Impr
CVE-2019-10148
REJECTED
CVE-2019-10147 (rkt through version 1.30.0 does not isolate processes in containers th ...)
- - rkt <unfixed> (bug #929781)
+ - rkt <removed> (bug #929781)
NOTE: https://www.twistlock.com/labs-blog/breaking-out-of-coresos-rkt-3-new-cves/
NOTE: https://github.com/rkt/rkt/issues/3998
CVE-2019-10146 (A Reflected Cross Site Scripting flaw was found in all pki-core 10.x.x ...)
@@ -28344,11 +28840,11 @@ CVE-2019-10146 (A Reflected Cross Site Scripting flaw was found in all pki-core
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1710171
NOTE: https://github.com/dogtagpki/pki/commit/b235c0f3c6c249dbba692410b525d8d6fb7409f4 (10.9.0-b1)
CVE-2019-10145 (rkt through version 1.30.0 does not isolate processes in containers th ...)
- - rkt <unfixed> (bug #929781)
+ - rkt <removed> (bug #929781)
NOTE: https://www.twistlock.com/labs-blog/breaking-out-of-coresos-rkt-3-new-cves/
NOTE: https://github.com/rkt/rkt/issues/3998
CVE-2019-10144 (rkt through version 1.30.0 does not isolate processes in containers th ...)
- - rkt <unfixed> (bug #929781)
+ - rkt <removed> (bug #929781)
NOTE: https://www.twistlock.com/labs-blog/breaking-out-of-coresos-rkt-3-new-cves/
NOTE: https://github.com/rkt/rkt/issues/3998
CVE-2019-10143 (** DISPUTED ** It was discovered freeradius up to and including versio ...)
@@ -28407,12 +28903,10 @@ CVE-2019-10130 (A vulnerability was found in PostgreSQL versions 11.x up to excl
CVE-2019-10129 (A vulnerability was found in postgresql versions 11.x prior to 11.3. U ...)
- postgresql-11 11.3-1
NOTE: https://www.postgresql.org/about/news/1939/
-CVE-2019-10128
- RESERVED
+CVE-2019-10128 (A vulnerability was found in postgresql versions 11.x prior to 11.3. T ...)
- postgresql-11 <not-affected> (Windows-specific)
NOTE: https://www.postgresql.org/about/news/1939/
-CVE-2019-10127
- RESERVED
+CVE-2019-10127 (A vulnerability was found in postgresql versions 11.x prior to 11.3. T ...)
- postgresql-11 <not-affected> (Windows-specific)
NOTE: https://www.postgresql.org/about/news/1939/
CVE-2019-10126 (A flaw was found in the Linux kernel. A heap based buffer overflow in ...)
@@ -28477,14 +28971,11 @@ CVE-2019-10105 (CMS Made Simple 2.2.10 has a Self-XSS vulnerability via the Layo
NOT-FOR-US: CMS Made Simple
CVE-2019-10104 (In several JetBrains IntelliJ IDEA Ultimate versions, an Application S ...)
- intellij-idea <itp> (bug #747616)
- - intellij-community-idea <undetermined>
CVE-2019-10103 (JetBrains IntelliJ IDEA projects created using the Kotlin (JS Client/J ...)
- intellij-idea <itp> (bug #747616)
- intellij-community-idea <undetermined>
-CVE-2019-10102 (JetBrains Ktor framework (created using the Kotlin IDE template) versi ...)
- NOT-FOR-US: JetBrains
CVE-2019-10101 (JetBrains Kotlin versions before 1.3.30 were resolving artifacts using ...)
- - kotlin <itp> (bug #892842)
+ - kotlin <not-affected> (Fixed before initial upload to Debian)
CVE-2019-10100 (In JetBrains YouTrack Confluence plugin versions before 1.8.1.3, it wa ...)
NOT-FOR-US: JetBrains YouTrack Confluence plugin
CVE-2019-1000031 (A disk space or quota exhaustion issue exists in article2pdf_getfile.p ...)
@@ -28508,8 +28999,8 @@ CVE-2019-10097 (In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was confi
NOTE: https://svn.apache.org/r1864613
CVE-2019-10096
REJECTED
-CVE-2019-10095
- RESERVED
+CVE-2019-10095 (bash command injection vulnerability in Apache Zeppelin allows an atta ...)
+ NOT-FOR-US: Apache Zeppelin
CVE-2019-10094 (A carefully crafted package/compressed file that, when unzipped/uncomp ...)
- tika 1.22-1 (bug #933746)
[buster] - tika <no-dsa> (Minor issue)
@@ -28603,13 +29094,17 @@ CVE-2019-10071 (The code which checks HMAC in form submissions used String.equal
CVE-2019-10070 (Apache Atlas versions 0.8.3 and 1.1.0 were found vulnerable to Stored ...)
NOT-FOR-US: Apache Atlas
CVE-2019-10069 (In Godot through 3.1, remote code execution is possible due to the des ...)
- NOT-FOR-US: Godot
+ - godot 3.2-stable-1
+ [buster] - godot <no-dsa> (Minor issue)
+ NOTE: https://github.com/godotengine/godot/pull/27398
+ NOTE: https://github.com/godotengine/godot/commit/e3bd84fa571661d76fc8458d65bb053988e934a6 (3.2-stable)
+ NOTE: For 3.0: https://github.com/godotengine/godot/commit/0c4881f1dbfe4feab879b4f0fe031b735ddc1f9f
CVE-2019-10068 (An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x befor ...)
NOT-FOR-US: Kentico
CVE-2019-10067 (An issue was discovered in Open Ticket Request System (OTRS) 7.x throu ...)
- otrs2 6.0.18-1
[buster] - otrs2 6.0.16-2
- [stretch] - otrs2 <no-dsa> (Non-free not supported)
+ [stretch] - otrs2 <ignored> (Non-free not supported)
[jessie] - otrs2 <not-affected> (vulnerable code is not present)
NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/8a489236336ddc82e745c27abb32dfa1ceefb0f4
NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/67158d8b08309859572c795982ecc7c52484ab0e
@@ -28638,8 +29133,8 @@ CVE-2019-10063 (Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x be
[stretch] - flatpak 0.8.9-0+deb9u3
NOTE: https://github.com/flatpak/flatpak/issues/2782
NOTE: https://github.com/flatpak/flatpak/commit/a9107feeb4b8275b78965b36bf21b92d5724699e
-CVE-2019-10062
- RESERVED
+CVE-2019-10062 (The HTMLSanitizer class in html-sanitizer.ts in all released versions ...)
+ NOT-FOR-US: Aurelia
CVE-2019-10061 (utils/find-opencv.js in node-opencv (aka OpenCV bindings for Node.js) ...)
- node-opencv 6.0.0+git20180416.cfc96ba0-3 (unimportant; bug #925571)
NOTE: https://www.npmjs.com/advisories/789
@@ -28765,8 +29260,8 @@ CVE-2019-10020 (An issue was discovered in Xpdf 4.01.01. There is an FPE in the
CVE-2019-10019 (An issue was discovered in Xpdf 4.01.01. There is an FPE in the functi ...)
- xpdf <not-affected> (xpdf in Debian uses poppler, which is not affected or fixed)
CVE-2019-10018 (An issue was discovered in Xpdf 4.01.01. There is an FPE in the functi ...)
+ {DLA-2440-1}
- poppler 0.57.0-2 (low; bug #926133)
- [stretch] - poppler <ignored> (Minor issue)
[jessie] - poppler <ignored> (Minor issue)
NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=41276 (PostScriptFunction::exec@Function.cc:1374-42___FPE PoC)
NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101500
@@ -28812,7 +29307,7 @@ CVE-2019-9985
CVE-2019-9984
RESERVED
CVE-2019-9983
- RESERVED
+ REJECTED
CVE-2019-9982
RESERVED
CVE-2019-9981
@@ -28888,11 +29383,10 @@ CVE-2019-9961 (A cross-site scripting (XSS) vulnerability in ressource view in c
CVE-2019-9960 (The downloadZip function in application/controllers/admin/export.php i ...)
- limesurvey <itp> (bug #472802)
CVE-2019-9959 (The JPXStream::init function in Poppler 0.78.0 and earlier doesn't che ...)
- {DLA-1963-1}
+ {DLA-2440-1 DLA-1963-1}
[experimental] - poppler 0.81.0-1
- poppler 0.85.0-2 (low; bug #941776)
[buster] - poppler <ignored> (Minor issue)
- [stretch] - poppler <ignored> (Minor issue)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/805
NOTE: Patch: https://gitlab.freedesktop.org/poppler/poppler/commit/68ef84e5968a4249c2162b839ca6d7975048a557 (poppler-0.79.0)
NOTE: Reproducer: https://gitlab.freedesktop.org/poppler/poppler/uploads/3f22837ebd503f87e730b51221b89742/raiter_issue5465.pdf
@@ -29019,7 +29513,7 @@ CVE-2019-9924 (rbash in Bash before 4.4-beta2 did not prevent the shell user fro
- bash 4.4-1 (low)
NOTE: https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1803441
CVE-2019-9923 (pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointe ...)
- - tar <unfixed> (unimportant; bug #925286)
+ - tar 1.32+dfsg-1 (unimportant; bug #925286)
NOTE: http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120
NOTE: http://savannah.gnu.org/bugs/?55369 (private)
NOTE: https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241
@@ -29068,8 +29562,9 @@ CVE-2019-9905
RESERVED
CVE-2019-9904 (An issue was discovered in lib\cdt\dttree.c in libcdt.a in graphviz 2. ...)
- graphviz <unfixed> (low; bug #925284)
- [buster] - graphviz <no-dsa> (Minor issue)
- [stretch] - graphviz <no-dsa> (Minor issue)
+ [bullseye] - graphviz <ignored> (Minor issue)
+ [buster] - graphviz <ignored> (Minor issue)
+ [stretch] - graphviz <ignored> (Minor issue)
[jessie] - graphviz <no-dsa> (Minor issue)
NOTE: https://gitlab.com/graphviz/graphviz/issues/1512
CVE-2019-9903 (PDFDoc::markObject in PDFDoc.cc in Poppler 0.74.0 mishandles dict mark ...)
@@ -29119,7 +29614,7 @@ CVE-2019-9892 (An issue was discovered in Open Ticket Request System (OTRS) 5.x
{DLA-1774-1}
- otrs2 6.0.18-1
[buster] - otrs2 6.0.16-2
- [stretch] - otrs2 <no-dsa> (Non-free not supported)
+ [stretch] - otrs2 <ignored> (Non-free not supported)
NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/3617488c6c28e06203e4127c7b031140f775a685
NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/c3b9342a85c6f2c9382e074ad9cc440ce80a6f34
NOTE: https://community.otrs.com/security-advisory-2019-04-security-update-for-otrs-framework/
@@ -29134,27 +29629,24 @@ CVE-2019-9889 (In Vanilla before 2.6.4, a flaw exists within the getSingleIndex
CVE-2019-9888
RESERVED
CVE-2019-1010319 (WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialize ...)
+ {DLA-2525-1}
- wavpack 5.1.0-7 (low; bug #932061)
[buster] - wavpack <no-dsa> (Minor issue)
- [stretch] - wavpack <no-dsa> (Minor issue)
- [jessie] - wavpack <no-dsa> (Minor issue)
NOTE: https://github.com/dbry/WavPack/commit/33a0025d1d63ccd05d9dbaa6923d52b1446a62fe
NOTE: https://github.com/dbry/WavPack/issues/68
CVE-2019-1010318
REJECTED
CVE-2019-1010317 (WavPack 5.1.0 and earlier is affected by: CWE-457: Use of Uninitialize ...)
+ {DLA-2525-1}
- wavpack 5.1.0-7 (low; bug #932060)
[buster] - wavpack <no-dsa> (Minor issue)
- [stretch] - wavpack <no-dsa> (Minor issue)
- [jessie] - wavpack <no-dsa> (Minor issue)
NOTE: https://github.com/dbry/WavPack/commit/f68a9555b548306c5b1ee45199ccdc4a16a6101b
NOTE: https://github.com/dbry/WavPack/issues/66
CVE-2019-1010316 (pyxtrlock 0.3 and earlier is affected by: Incorrect Access Control. Th ...)
NOT-FOR-US: pyxtrlock
CVE-2019-1010315 (WavPack 5.1 and earlier is affected by: CWE 369: Divide by Zero. The i ...)
+ {DLA-2525-1}
- wavpack 5.1.0-6 (low)
- [stretch] - wavpack <no-dsa> (Minor issue)
- [jessie] - wavpack <no-dsa> (Minor issue)
NOTE: https://github.com/dbry/WavPack/commit/4c0faba32fddbd0745cbfaf1e1aeb3da5d35b9fc
NOTE: https://github.com/dbry/WavPack/issues/65
CVE-2019-1010314 (Gitea 1.7.2, 1.7.3 is affected by: Cross Site Scripting (XSS). The imp ...)
@@ -29179,9 +29671,8 @@ CVE-2019-1010307 (GLPI GLPI Product 9.3.1 is affected by: Cross Site Scripting (
CVE-2019-1010306 (Slanger 0.6.0 is affected by: Remote Code Execution (RCE). The impact ...)
NOT-FOR-US: Slanger
CVE-2019-1010305 (libmspack 0.9.1alpha is affected by: Buffer Overflow. The impact is: I ...)
- {DLA-1895-1}
+ {DLA-2805-1 DLA-1895-1}
- libmspack 0.10.1-1
- [stretch] - libmspack <no-dsa> (Minor issue)
NOTE: https://github.com/kyz/libmspack/commit/2f084136cfe0d05e5bf5703f3e83c6d955234b4d
NOTE: https://github.com/kyz/libmspack/issues/27
CVE-2019-1010304 (Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f ...)
@@ -29497,11 +29988,14 @@ CVE-2019-1010178 (Fred MODX Revolution &lt; 1.0.0-beta5 is affected by: Incorrec
CVE-2019-1010177 (Jsish 2.4.70 2.047 is affected by: Use After Free. The impact is: deni ...)
NOT-FOR-US: Jsish
CVE-2019-1010176 (JerryScript commit 4e58ccf68070671e1fff5cd6673f0c1d5b80b166 is affecte ...)
- NOT-FOR-US: JerryScript
+ - iotjs 1.0+715-1
+ [buster] - iotjs <no-dsa> (Minor issue)
+ NOTE: https://github.com/jerryscript-project/jerryscript/issues/2476
+ NOTE: https://github.com/jerryscript-project/jerryscript/commit/505dace719aebb3308a3af223cfaa985159efae0
CVE-2019-1010175
RESERVED
CVE-2019-1010174 (CImg The CImg Library v.2.3.3 and earlier is affected by: command inje ...)
- {DLA-1934-1}
+ {DLA-2421-1 DLA-1934-1}
- cimg 2.3.6+dfsg-1
NOTE: https://framagit.org/dtschump/CImg/commit/5ce7a426b77f814973e56182a0e76a2b04904146 (v.2.3.4)
CVE-2019-1010173 (Jsish 2.4.84 2.0484 is affected by: Reachable Assertion. The impact is ...)
@@ -29684,8 +30178,9 @@ CVE-2019-1010093
CVE-2019-1010092
RESERVED
CVE-2019-1010091 (tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization ...)
- - tinymce <unfixed> (bug #970256)
+ - tinymce <removed> (bug #970256)
[buster] - tinymce <no-dsa> (Minor issue)
+ [stretch] - tinymce <ignored> (Minor issue, can't reproduce)
[jessie] - tinymce <ignored> (Minor issue, requires manually copy/pasting javascript to execute it, can't reproduce on Jessie)
NOTE: https://github.com/tinymce/tinymce/issues/4394
CVE-2019-1010090
@@ -29777,8 +30272,8 @@ CVE-2019-1010059
CVE-2019-1010058
RESERVED
CVE-2019-1010057 (nfdump 1.6.16 and earlier is affected by: Buffer Overflow. The impact ...)
+ {DLA-2383-1}
- nfdump 1.6.17-1
- [stretch] - nfdump <no-dsa> (Minor issue; can be fixed via point release)
NOTE: https://github.com/phaag/nfdump/issues/104
NOTE: https://github.com/phaag/nfdump/commit/9f0fe9563366f62a71d34c92229da3432ec5cf0e
CVE-2019-1010056
@@ -29850,15 +30345,15 @@ CVE-2019-1010025 (** DISPUTED ** GNU Libc current is affected by: Mitigation byp
- glibc <unfixed> (unimportant)
NOTE: Not treated as a security issue by upstream
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22853
-CVE-2019-1010024 (GNU Libc current is affected by: Mitigation bypass. The impact is: Att ...)
+CVE-2019-1010024 (** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The ...)
- glibc <unfixed> (unimportant)
NOTE: Not treated as a security issue by upstream
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22852
-CVE-2019-1010023 (GNU Libc current is affected by: Re-mapping current loaded libray with ...)
+CVE-2019-1010023 (** DISPUTED ** GNU Libc current is affected by: Re-mapping current loa ...)
- glibc <unfixed> (unimportant)
NOTE: Not treated as a security issue by upstream
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22851
-CVE-2019-1010022 (GNU Libc current is affected by: Mitigation bypass. The impact is: Att ...)
+CVE-2019-1010022 (** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The ...)
- glibc <unfixed> (unimportant)
NOTE: Not treated as a security issue by upstream
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22850
@@ -29871,9 +30366,10 @@ CVE-2019-1010019
CVE-2019-1010018 (Zammad GmbH Zammad 2.3.0 and earlier is affected by: Cross Site Script ...)
- zammad <itp> (bug #841355)
CVE-2019-1010017 (libnmap &lt; v0.6.3 is affected by: XML Injection. The impact is: Deni ...)
- - python-libnmap <unfixed> (low)
+ - python-libnmap 0.7.2-1 (low)
[buster] - python-libnmap <no-dsa> (Minor issue)
NOTE: https://github.com/savon-noir/python-libnmap/issues/87
+ NOTE: https://github.com/savon-noir/python-libnmap/pull/109
CVE-2019-1010016 (Dolibarr 6.0.4 is affected by: Cross Site Scripting (XSS). The impact ...)
- dolibarr <removed>
NOTE: https://github.com/Dolibarr/dolibarr/issues/7962
@@ -29955,10 +30451,8 @@ CVE-2019-9874 (Deserialization of Untrusted Data in the Sitecore.Security.AntiCS
NOT-FOR-US: Sitecore CMS
CVE-2019-9873 (In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task ...)
- intellij-idea <itp> (bug #747616)
- - intellij-community-idea <undetermined>
CVE-2019-9872 (In several versions of JetBrains IntelliJ IDEA Ultimate, creating run ...)
- intellij-idea <itp> (bug #747616)
- - intellij-community-idea <undetermined>
CVE-2019-9871 (Jector Smart TV FM-K75 devices allow remote code execution because the ...)
NOT-FOR-US: Jector Smart TV FM-K75 devices
CVE-2019-9870 (plugin.js in the w8tcha oEmbed plugin before 2019-03-14 for CKEditor m ...)
@@ -30096,9 +30590,9 @@ CVE-2019-9824 (tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-03/msg01871.html
NOTE: https://www.openwall.com/lists/oss-security/2019/03/18/1
NOTE: https://github.com/qemu/qemu/commit/d3222975c7d6cda9e25809dea05241188457b113
+ NOTE: https://github.com/rootless-containers/slirp4netns/security/advisories/GHSA-vp7q-v36g-7vq7
CVE-2019-9823 (In several JetBrains IntelliJ IDEA versions, creating remote run confi ...)
- intellij-idea <itp> (bug #747616)
- - intellij-community-idea <undetermined>
CVE-2019-9822
RESERVED
CVE-2019-9821 (A use-after-free vulnerability can occur in AssertWorkerThread due to ...)
@@ -30394,14 +30888,14 @@ CVE-2019-9753 (An issue was discovered in Open Ticket Request System (OTRS) 7.x
CVE-2019-9752 (An issue was discovered in Open Ticket Request System (OTRS) 5.x befor ...)
{DLA-1721-1}
- otrs2 6.0.16-1
- [stretch] - otrs2 <no-dsa> (Non-free not supported)
+ [stretch] - otrs2 <ignored> (Non-free not supported)
NOTE: https://community.otrs.com/security-advisory-2019-01-security-update-for-otrs-framework/
NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/341c4096222819a108feb02256aba878943bf810
NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/d4e3dfbaa054762b29df54705aa412685dd37e15
CVE-2019-9751 (An issue was discovered in Open Ticket Request System (OTRS) 6.x befor ...)
- otrs2 6.0.17-1
[buster] - otrs2 6.0.16-2
- [stretch] - otrs2 <no-dsa> (Non-free not supported)
+ [stretch] - otrs2 <ignored> (Non-free not supported)
[jessie] - otrs2 <not-affected> (Vulnerable code not present)
NOTE: https://community.otrs.com/security-advisory-2019-02-security-update-for-otrs-framework
NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/1afb2b995e59551b927c2105e234e8b87efcc37a
@@ -30425,13 +30919,11 @@ CVE-2019-9743 (An issue was discovered on PHOENIX CONTACT RAD-80211-XD and RAD-8
CVE-2019-9742 (gdwfpcd.sys in G Data Total Security before 2019-02-22 allows an attac ...)
NOT-FOR-US: G Data Total Security
CVE-2019-9741 (An issue was discovered in net/http in Go 1.11.5. CRLF injection is po ...)
- {DLA-1749-1}
+ {DLA-2592-1 DLA-2591-1 DLA-1749-1}
- golang-1.12 1.12-1
- golang-1.11 1.11.6-1 (bug #924630)
- golang-1.8 <removed>
- [stretch] - golang-1.8 <ignored> (Minor issue)
- golang-1.7 <removed>
- [stretch] - golang-1.7 <ignored> (Minor issue)
- golang <removed>
NOTE: https://github.com/golang/go/issues/30794
NOTE: https://github.com/golang/go/commit/829c5df58694b3345cb5ea41206783c8ccf5c3ca#diff-b97af51863ce82bf2a13003b52034aa9
@@ -30492,7 +30984,7 @@ CVE-2019-9723 (LogicalDOC Community Edition 8.x before 8.2.1 has a path traversa
NOT-FOR-US: LogicalDOC
CVE-2019-9722
RESERVED
-CVE-2019-9721 (A denial of service in the subtitle decoder in FFmpeg 4.1 allows attac ...)
+CVE-2019-9721 (A denial of service in the subtitle decoder in FFmpeg 3.2 and 4.1 allo ...)
- ffmpeg 7:4.1.3-1 (bug #926666)
[stretch] - ffmpeg <not-affected> (Vulnerable code not present)
NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/894995c41e0795c7a44f81adc4838dedc3932e65
@@ -30506,7 +30998,7 @@ CVE-2019-9720 (A stack-based buffer overflow in the subtitle decoder in Libav 12
CVE-2019-9719 (** DISPUTED ** A stack-based buffer overflow in the subtitle decoder i ...)
- libav <unfixed> (unimportant)
NOTE: Generic low-certainty warning about snprintf usage without rationale
-CVE-2019-9718 (In FFmpeg 4.1, a denial of service in the subtitle decoder allows atta ...)
+CVE-2019-9718 (In FFmpeg 3.2 and 4.1, a denial of service in the subtitle decoder all ...)
{DSA-4449-1}
- ffmpeg 7:4.1.3-1 (low; bug #926666)
NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/1f00c97bc3475c477f3c468cf2d924d5761d0982
@@ -30536,19 +31028,16 @@ CVE-2019-9708 (An issue was discovered in Mahara 17.10 before 17.10.8, 18.04 bef
CVE-2019-9707
RESERVED
CVE-2019-9705 (Vixie Cron before the 3.0pl1-133 Debian package allows local users to ...)
- {DLA-1723-1}
+ {DLA-2801-1 DLA-1723-1}
- cron 3.0pl1-133 (low)
- [stretch] - cron <no-dsa> (Minor issue, will be fixed via point update)
NOTE: Fixed by: https://salsa.debian.org/debian/cron/commit/26814a26
CVE-2019-9706 (Vixie Cron before the 3.0pl1-133 Debian package allows local users to ...)
- {DLA-1723-1}
+ {DLA-2801-1 DLA-1723-1}
- cron 3.0pl1-133 (bug #809167)
- [stretch] - cron <no-dsa> (Minor issue, will be fixed via point update)
NOTE: Fixed by: https://salsa.debian.org/debian/cron/commit/40791b93
CVE-2019-9704 (Vixie Cron before the 3.0pl1-133 Debian package allows local users to ...)
- {DLA-1723-1}
+ {DLA-2801-1 DLA-1723-1}
- cron 3.0pl1-133 (low)
- [stretch] - cron <no-dsa> (Minor issue, will be fixed via point update)
NOTE: Fixed by: https://salsa.debian.org/debian/cron/commit/f2525567
CVE-2019-9703 (Symantec Endpoint Encryption, prior to SEE 11.3.0, may be susceptible ...)
NOT-FOR-US: Symantec
@@ -30617,7 +31106,7 @@ CVE-2019-9675 (** DISPUTED ** An issue was discovered in PHP 7.x before 7.1.27 a
NOTE: Fixed in 7.1.27, 7.3.3
NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77586
CVE-2019-9674 (Lib/zipfile.py in Python through 3.7.2 allows remote attackers to caus ...)
- - python3.8 <unfixed> (unimportant)
+ - python3.8 <removed> (unimportant)
- python3.7 <removed> (unimportant)
- python3.5 <removed> (unimportant)
- python3.4 <removed> (unimportant)
@@ -30707,6 +31196,7 @@ CVE-2019-9646 (The Contact Form Email plugin before 1.2.66 for WordPress allows
NOT-FOR-US: WordPress plugin contact-form-to-email
CVE-2019-9644 (An XSSI (cross-site inclusion) vulnerability in Jupyter Notebook befor ...)
- jupyter-notebook 5.7.8-1 (bug #924515)
+ [stretch] - jupyter-notebook <no-dsa> (Intrusive to backport)
NOTE: https://github.com/jupyter/notebook/commit/cfc335b76466ccf1538ce545b654b29b5ab0097c
NOTE: https://github.com/jupyter/notebook/commit/b5105814fc41c6d789b317fa59f786bad7f9d798
NOTE: https://github.com/jupyter/notebook/commit/bfaa61385729ed4fb453863053f9a79141f01119
@@ -31050,6 +31540,7 @@ CVE-2019-9546 (SolarWinds Orion Platform before 2018.4 Hotfix 2 allows privilege
NOT-FOR-US: SolarWinds Orion Platform
CVE-2019-9545 (An issue was discovered in Poppler 0.74.0. A recursive function call, ...)
- poppler <unfixed> (low; bug #923552)
+ [bullseye] - poppler <ignored> (Minor issue)
[buster] - poppler <ignored> (Minor issue)
[stretch] - poppler <ignored> (Minor issue)
[jessie] - poppler <ignored> (Minor issue)
@@ -31058,6 +31549,7 @@ CVE-2019-9544 (An issue was discovered in Bento4 1.5.1-628. An out of bounds wri
NOT-FOR-US: Bento4
CVE-2019-9543 (An issue was discovered in Poppler 0.74.0. A recursive function call, ...)
- poppler <unfixed> (low; bug #923553)
+ [bullseye] - poppler <ignored> (Minor issue)
[buster] - poppler <ignored> (Minor issue)
[stretch] - poppler <ignored> (Minor issue)
[jessie] - poppler <postponed> (Minor issue; revisit when fixed upstream)
@@ -31141,14 +31633,14 @@ CVE-2019-9515 (Some HTTP/2 implementations are vulnerable to a settings flood, p
NOTE: https://github.com/h2o/h2o/issues/2090
NOTE: https://github.com/h2o/h2o/commit/743d6b6118c29b75d0b84ef7950a2721c32dfe3f
CVE-2019-9514 (Some HTTP/2 implementations are vulnerable to a reset flood, potential ...)
- {DSA-4669-1 DSA-4520-1 DSA-4508-1 DSA-4503-1}
+ {DSA-4669-1 DSA-4520-1 DSA-4508-1 DSA-4503-1 DLA-2485-1}
- golang-1.13 1.13~beta1-3 (bug #934955)
- golang-1.12 1.12.8-1
- golang-1.11 1.11.13-1
- golang-1.8 <removed>
- [stretch] - golang-1.8 <ignored> (Minor issue)
+ [stretch] - golang-1.8 <ignored> (Minor issue, DoS, invasive, net/http server-side, requires rebuilding reverse-dependencies)
- golang-1.7 <removed>
- [stretch] - golang-1.7 <ignored> (Minor issue)
+ [stretch] - golang-1.7 <ignored> (Minor issue, DoS, invasive, net/http server-side, requires rebuilding reverse-dependencies)
- golang <removed>
[jessie] - golang <not-affected> (No HTTP2 support yet)
- golang-golang-x-net-dev 1:0.0+git20190811.74dc4d7+dfsg-1
@@ -31181,14 +31673,14 @@ CVE-2019-9513 (Some HTTP/2 implementations are vulnerable to resource loops, pot
NOTE: https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/
NOTE: https://github.com/nghttp2/nghttp2/releases/tag/v1.39.2
CVE-2019-9512 (Some HTTP/2 implementations are vulnerable to ping floods, potentially ...)
- {DSA-4520-1 DSA-4508-1 DSA-4503-1}
+ {DSA-4520-1 DSA-4508-1 DSA-4503-1 DLA-2485-1}
- golang-1.13 1.13~beta1-3 (bug #934955)
- golang-1.12 1.12.8-1
- golang-1.11 1.11.13-1
- golang-1.8 <removed>
- [stretch] - golang-1.8 <ignored> (Minor issue)
+ [stretch] - golang-1.8 <ignored> (Minor issue, DoS, invasive, net/http server-side, requires rebuilding reverse-dependencies)
- golang-1.7 <removed>
- [stretch] - golang-1.7 <ignored> (Minor issue)
+ [stretch] - golang-1.7 <ignored> (Minor issue, DoS, invasive, net/http server-side, requires rebuilding reverse-dependencies)
- golang <removed>
[jessie] - golang <not-affected> (No HTTP2 support yet)
- golang-golang-x-net-dev 1:0.0+git20190811.74dc4d7+dfsg-1
@@ -31323,8 +31815,8 @@ CVE-2019-9477
RESERVED
CVE-2019-9476
RESERVED
-CVE-2019-9475
- RESERVED
+CVE-2019-9475 (In /proc/net of the kernel filesystem, there is a possible information ...)
+ NOT-FOR-US: Android
CVE-2019-9474 (In Bluetooth, there is a possible out of bounds read due to a missing ...)
NOT-FOR-US: Android
CVE-2019-9473 (In Bluetooth, there is a possible out of bounds read due to a missing ...)
@@ -31383,6 +31875,7 @@ CVE-2019-9454 (In the Android kernel in i2c driver there is a possible out of bo
CVE-2019-9453 (In the Android kernel in F2FS touch driver there is a possible out of ...)
- linux 5.2.6-1
[buster] - linux 4.19.67-1
+ [stretch] - linux <ignored> (f2fs is not supportable)
[jessie] - linux <ignored> (f2fs is not supportable)
NOTE: https://git.kernel.org/linus/2777e654371dd4207a3a7f4fb5fa39550053a080
CVE-2019-9452 (In the Android kernel in SEC_TS touch driver there is a possible out o ...)
@@ -31400,6 +31893,7 @@ CVE-2019-9447 (In the Android kernel in the FingerTipS touchscreen driver there
CVE-2019-9446 (In the Android kernel in the FingerTipS touchscreen driver there is a ...)
NOT-FOR-US: Android kernel
CVE-2019-9445 (In the Android kernel in F2FS driver there is a possible out of bounds ...)
+ {DLA-2420-1}
- linux 5.2.6-1
[buster] - linux 4.19.98-1
[jessie] - linux <ignored> (f2fs is not supportable)
@@ -31546,7 +32040,7 @@ CVE-2019-9378 (In the Activity Manager service, there is a possible permission b
NOT-FOR-US: Android
CVE-2019-9377 (In FingerprintService, there is a possible bypass for operating system ...)
NOT-FOR-US: Android
-CVE-2019-9376 (In the Accounts package, there is a possible crash due to improper inp ...)
+CVE-2019-9376 (In Account of Account.java, there is a possible boot loop due to impro ...)
NOT-FOR-US: Android
CVE-2019-9375 (In hostapd, there is a possible out of bounds write due to a race cond ...)
NOT-FOR-US: Android
@@ -31826,6 +32320,7 @@ CVE-2019-9246 (In NFC, there is a possible out of bounds read due to a missing b
NOT-FOR-US: Android
CVE-2019-9245 (In the Android kernel in the f2fs driver there is a possible out of bo ...)
- linux 4.19.16-1
+ [stretch] - linux <ignored> (f2fs is not supportable)
[jessie] - linux <ignored> (f2fs is not supportable)
NOTE: https://git.kernel.org/linus/64beba0558fce7b59e9a8a7afd77290e82a22163
CVE-2019-9244 (In NFC, there is a possible out of bounds read due to a missing bounds ...)
@@ -31931,9 +32426,8 @@ CVE-2019-9211 (There is a reachable assertion abort in the function write_long_s
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1683499
NOTE: Crash in CLI tool, no security impact
CVE-2019-9210 (In AdvanceCOMP 2.1, png_compress in pngex.cc in advpng has an integer ...)
- {DLA-1702-1}
+ {DLA-2868-1 DLA-1702-1}
- advancecomp 2.1-2 (low; bug #923416)
- [stretch] - advancecomp <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/advancemame/bugs/277/
NOTE: Fixed by https://github.com/amadvance/advancecomp/commit/fcf71a89265c78fc26243574dda3a872574a5c02
CVE-2019-9209 (In Wireshark 2.4.0 to 2.4.12 and 2.6.0 to 2.6.6, the ASN.1 BER and rel ...)
@@ -32011,7 +32505,6 @@ CVE-2019-9187 (ikiwiki before 3.20170111.1 and 3.2018x and 3.2019x before 3.2019
NOTE: http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=9a275b2
CVE-2019-9186 (In several JetBrains IntelliJ IDEA versions, a Spring Boot run configu ...)
- intellij-idea <itp> (bug #747616)
- - intellij-community-idea <undetermined>
CVE-2019-9185 (Controller/Async/FilesystemManager.php in the filemanager in Bolt befo ...)
NOT-FOR-US: Bolt CMS
CVE-2019-9184 (SQL injection vulnerability in the J2Store plugin 3.x before 3.3.7 for ...)
@@ -32110,19 +32603,15 @@ CVE-2019-9154 (Improper Verification of a Cryptographic Signature in OpenPGP.js
CVE-2019-9153 (Improper Verification of a Cryptographic Signature in OpenPGP.js &lt;= ...)
- node-openpgp <itp> (bug #787774)
CVE-2019-9152 (An issue was discovered in the HDF HDF5 1.10.4 library. There is an ou ...)
- - hdf5 <unfixed>
- [buster] - hdf5 <no-dsa> (Minor issue)
- [stretch] - hdf5 <no-dsa> (Minor issue)
- [jessie] - hdf5 <ignored> (Minor issue)
+ - hdf5 <unfixed> (unimportant)
NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul8
NOTE: issue in upstream bug tracker: https://jira.hdfgroup.org/browse/HDFFV-10719
+ NOTE: Negligible security impact
CVE-2019-9151 (An issue was discovered in the HDF HDF5 1.10.4 library. There is an ou ...)
- - hdf5 <unfixed>
- [buster] - hdf5 <no-dsa> (Minor issue)
- [stretch] - hdf5 <no-dsa> (Minor issue)
- [jessie] - hdf5 <ignored> (Minor issue)
+ - hdf5 <unfixed> (unimportant)
NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul7
NOTE: issue in upstream bug tracker: https://jira.hdfgroup.org/browse/HDFFV-10718
+ NOTE: Negligible security impact
CVE-2019-9150 (Mailvelope prior to 3.3.0 does not require user interaction to import ...)
NOT-FOR-US: Mailvelope
CVE-2019-9149 (Mailvelope prior to 3.3.0 allows private key operations without user i ...)
@@ -32280,9 +32769,9 @@ CVE-2019-9083 (SQLiteManager 1.20 and 1.24 allows SQL injection via the /sqlitem
CVE-2019-9082 (ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other pro ...)
NOT-FOR-US: ThinkPHP
CVE-2019-9081 (The Illuminate component of Laravel Framework 5.7.x has a deserializat ...)
- NOT-FOR-US: Laravel Framework
-CVE-2019-9080
- RESERVED
+ - php-laravel-framework <undetermined>
+CVE-2019-9080 (DomainMOD before 4.14.0 uses MD5 without a salt for password storage. ...)
+ NOT-FOR-US: DomainMOD
CVE-2019-9079
RESERVED
CVE-2019-9078 (zzcms 2019 has XSS via an arbitrary user/ask.php?do=modify parameter b ...)
@@ -32343,8 +32832,8 @@ CVE-2019-9062 (PHP Scripts Mall Online Food Ordering Script 1.0 has Cross-Site R
NOT-FOR-US: PHP Scripts Mall Online Food Ordering Script
CVE-2019-9061 (An issue was discovered in CMS Made Simple 2.2.8. In the module Module ...)
NOT-FOR-US: CMS Made Simple
-CVE-2019-9060
- RESERVED
+CVE-2019-9060 (An issue was discovered in CMS Made Simple 2.2.8. It is possible to ac ...)
+ NOT-FOR-US: CMS Made Simple
CVE-2019-9059 (An issue was discovered in CMS Made Simple 2.2.8. It is possible, with ...)
NOT-FOR-US: CMS Made Simple
CVE-2019-9058 (An issue was discovered in CMS Made Simple 2.2.8. In the administrator ...)
@@ -32701,15 +33190,15 @@ CVE-2019-8952 (A Path Traversal vulnerability located in the webserver affects s
CVE-2019-8951 (An Open Redirect vulnerability located in the webserver affects severa ...)
NOT-FOR-US: Bosch
CVE-2019-1003028 (A server-side request forgery vulnerability exists in Jenkins JMS Mess ...)
- NOT-FOR-US: Jenkins
+ - jenkins <removed>
CVE-2019-1003027 (A server-side request forgery vulnerability exists in Jenkins OctopusD ...)
- NOT-FOR-US: Jenkins
+ - jenkins <removed>
CVE-2019-1003026 (A server-side request forgery vulnerability exists in Jenkins Mattermo ...)
- NOT-FOR-US: Jenkins
+ - jenkins <removed>
CVE-2019-1003025 (A exposure of sensitive information vulnerability exists in Jenkins Cl ...)
- NOT-FOR-US: Jenkins
+ - jenkins <removed>
CVE-2019-1003024 (A sandbox bypass vulnerability exists in Jenkins Script Security Plugi ...)
- NOT-FOR-US: Jenkins
+ - jenkins <removed>
CVE-2019-8950 (The backdoor account dnsekakf2$$ in /bin/login on DASAN H665 devices w ...)
NOT-FOR-US: DASAN
CVE-2019-8949
@@ -32792,10 +33281,18 @@ CVE-2019-8924 (XAMPP through 5.6.8 allows XSS via the cds-fpdf.php interpret or
NOT-FOR-US: XAMPP
CVE-2019-8923 (XAMPP through 5.6.8 and previous allows SQL injection via the cds-fpdf ...)
NOT-FOR-US: XAMPP
-CVE-2019-8922
- RESERVED
-CVE-2019-8921
- RESERVED
+CVE-2019-8922 (A heap-based buffer overflow was discovered in bluetoothd in BlueZ thr ...)
+ {DLA-2827-1}
+ - bluez 5.54-1
+ [buster] - bluez <no-dsa> (Minor issue)
+ NOTE: https://ssd-disclosure.com/ssd-advisory-linux-bluez-information-leak-and-heap-overflow/
+ NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=6c7243fb6ab90b7b855cead98c66394fedea135f (5.51)
+CVE-2019-8921 (An issue was discovered in bluetoothd in BlueZ through 5.48. The vulne ...)
+ {DLA-2827-1}
+ - bluez 5.54-1
+ [buster] - bluez <no-dsa> (Minor issue)
+ NOTE: https://ssd-disclosure.com/ssd-advisory-linux-bluez-information-leak-and-heap-overflow/
+ NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7bf67b32709d828fafa26256b4c78331760c6e93 (5.51)
CVE-2019-8920 (iart.php in XAMPP 1.7.0 has XSS, a related issue to CVE-2008-3569. ...)
NOT-FOR-US: XAMPP
CVE-2019-8919 (The seadroid (aka Seafile Android Client) application through 2.2.13 f ...)
@@ -32854,14 +33351,14 @@ CVE-2019-8903 (index.js in Total.js Platform before 3.2.3 allows path traversal.
NOT-FOR-US: Total.js Platform
CVE-2019-8902 (An issue was discovered in idreamsoft iCMS through 7.0.14. A CSRF vuln ...)
NOT-FOR-US: idreamsoft iCMS
-CVE-2019-8901
- RESERVED
+CVE-2019-8901 (This issue was addressed by verifying host keys when connecting to a p ...)
+ NOT-FOR-US: Apple
CVE-2019-8900
RESERVED
CVE-2019-8899
RESERVED
-CVE-2019-8898
- RESERVED
+CVE-2019-8898 (An information disclosure issue existed in the handling of the Storage ...)
+ NOT-FOR-US: Apple
CVE-2019-8897
RESERVED
CVE-2019-8896
@@ -32940,32 +33437,31 @@ CVE-2019-8860
RESERVED
CVE-2019-8859
RESERVED
-CVE-2019-8858
- RESERVED
-CVE-2019-8857
- RESERVED
-CVE-2019-8856
- RESERVED
-CVE-2019-8855
- RESERVED
-CVE-2019-8854
- RESERVED
-CVE-2019-8853
- RESERVED
-CVE-2019-8852
- RESERVED
-CVE-2019-8851
- RESERVED
-CVE-2019-8850
- RESERVED
+CVE-2019-8858 (A logic issue was addressed with improved state management. This issue ...)
+ NOT-FOR-US: Apple
+CVE-2019-8857 (The issue was addressed with improved validation when an iCloud Link i ...)
+ NOT-FOR-US: Apple
+CVE-2019-8856 (An API issue existed in the handling of outgoing phone calls initiated ...)
+ NOT-FOR-US: Apple
+CVE-2019-8855 (An access issue was addressed with additional sandbox restrictions. Th ...)
+ NOT-FOR-US: Apple
+CVE-2019-8854 (A user privacy issue was addressed by removing the broadcast MAC addre ...)
+ NOT-FOR-US: Apple
+CVE-2019-8853 (A validation issue was addressed with improved input sanitization. Thi ...)
+ NOT-FOR-US: Apple
+CVE-2019-8852 (A memory corruption issue was addressed with improved memory handling. ...)
+ NOT-FOR-US: Apple
+CVE-2019-8851 (A logic issue was addressed with improved state management. This issue ...)
+ NOT-FOR-US: Apple
+CVE-2019-8850 (An out-of-bounds read was addressed with improved input validation. Th ...)
+ NOT-FOR-US: Apple
CVE-2019-8849 (The issue was addressed by signaling that an executable stack is not r ...)
NOT-FOR-US: Apple
-CVE-2019-8848
- RESERVED
-CVE-2019-8847
- RESERVED
-CVE-2019-8846
- RESERVED
+CVE-2019-8848 (This issue was addressed with improved checks. This issue is fixed in ...)
+ NOT-FOR-US: Apple
+CVE-2019-8847 (A memory corruption issue was addressed with improved memory handling. ...)
+ NOT-FOR-US: Apple
+CVE-2019-8846 (A use after free issue was addressed with improved memory management. ...)
{DSA-4610-1}
- webkit2gtk 2.26.3-1
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
@@ -32973,8 +33469,7 @@ CVE-2019-8846
NOTE: https://webkitgtk.org/security/WSA-2020-0001.html
CVE-2019-8845
RESERVED
-CVE-2019-8844
- RESERVED
+CVE-2019-8844 (Multiple memory corruption issues were addressed with improved memory ...)
{DSA-4610-1}
- webkit2gtk 2.26.3-1
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
@@ -32982,54 +33477,52 @@ CVE-2019-8844
NOTE: https://webkitgtk.org/security/WSA-2020-0001.html
CVE-2019-8843
RESERVED
-CVE-2019-8842 [he `ippReadIO` function may under-read an extension field]
- RESERVED
+CVE-2019-8842 (A buffer overflow was addressed with improved bounds checking. This is ...)
{DLA-2237-1}
- cups 2.3.1-12
[buster] - cups 2.2.10-6+deb10u3
[stretch] - cups 2.2.1-8+deb9u6
NOTE: https://github.com/apple/cups/commit/82e3ee0e3230287b76a76fb8f16b92ca6e50b444 (cups/ipp.c: ippReadIO)
-CVE-2019-8841
- RESERVED
-CVE-2019-8840
- RESERVED
-CVE-2019-8839
- RESERVED
-CVE-2019-8838
- RESERVED
-CVE-2019-8837
- RESERVED
-CVE-2019-8836
- RESERVED
-CVE-2019-8835
- RESERVED
+CVE-2019-8841 (An information disclosure issue was addressed by removing the vulnerab ...)
+ NOT-FOR-US: Apple
+CVE-2019-8840 (An out-of-bounds read was addressed with improved bounds checking. Thi ...)
+ NOT-FOR-US: Apple
+CVE-2019-8839 (A buffer overflow was addressed with improved bounds checking. This is ...)
+ NOT-FOR-US: Apple
+CVE-2019-8838 (A memory corruption issue was addressed with improved memory handling. ...)
+ NOT-FOR-US: Apple
+CVE-2019-8837 (A logic issue was addressed with improved restrictions. This issue is ...)
+ NOT-FOR-US: Apple
+CVE-2019-8836 (A memory corruption issue was addressed with improved memory handling. ...)
+ NOT-FOR-US: Apple
+CVE-2019-8835 (Multiple memory corruption issues were addressed with improved memory ...)
{DSA-4610-1}
- webkit2gtk 2.26.3-1
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
[jessie] - webkit2gtk <ignored> (Not covered by security support in jessie)
NOTE: https://webkitgtk.org/security/WSA-2020-0001.html
-CVE-2019-8834
- RESERVED
-CVE-2019-8833
- RESERVED
-CVE-2019-8832
- RESERVED
-CVE-2019-8831
- RESERVED
-CVE-2019-8830
- RESERVED
-CVE-2019-8829
- RESERVED
-CVE-2019-8828
- RESERVED
-CVE-2019-8827
- RESERVED
-CVE-2019-8826
- RESERVED
-CVE-2019-8825
- RESERVED
-CVE-2019-8824
- RESERVED
+CVE-2019-8834 (A configuration issue was addressed with additional restrictions. This ...)
+ NOT-FOR-US: Apple
+CVE-2019-8833 (A memory corruption issue was addressed by removing the vulnerable cod ...)
+ NOT-FOR-US: Apple
+CVE-2019-8832 (A memory corruption issue was addressed with improved memory handling. ...)
+ NOT-FOR-US: Apple
+CVE-2019-8831 (A memory corruption issue was addressed with improved memory handling. ...)
+ NOT-FOR-US: Apple
+CVE-2019-8830 (An out-of-bounds read was addressed with improved input validation. Th ...)
+ NOT-FOR-US: Apple
+CVE-2019-8829 (A memory corruption vulnerability was addressed with improved locking. ...)
+ NOT-FOR-US: Apple
+CVE-2019-8828 (A memory corruption issue was addressed with improved memory handling. ...)
+ NOT-FOR-US: Apple
+CVE-2019-8827 (The HTTP referrer header may be used to leak browsing history. The iss ...)
+ NOT-FOR-US: Apple
+CVE-2019-8826 (A memory corruption issue was addressed with improved state management ...)
+ NOT-FOR-US: Apple
+CVE-2019-8825 (A memory corruption issue was addressed with improved state management ...)
+ NOT-FOR-US: Apple
+CVE-2019-8824 (A memory corruption issue was addressed with improved state management ...)
+ NOT-FOR-US: Apple
CVE-2019-8823 (Multiple memory corruption issues were addressed with improved memory ...)
{DSA-4558-1}
- webkit2gtk 2.26.1-1
@@ -33102,8 +33595,8 @@ CVE-2019-8811 (Multiple memory corruption issues were addressed with improved me
NOTE: https://webkitgtk.org/security/WSA-2019-0006.html
CVE-2019-8810
RESERVED
-CVE-2019-8809
- RESERVED
+CVE-2019-8809 (A validation issue was addressed with improved logic. This issue is fi ...)
+ NOT-FOR-US: Apple
CVE-2019-8808 (Multiple memory corruption issues were addressed with improved memory ...)
{DSA-4558-1}
- webkit2gtk 2.26.0-1
@@ -33126,14 +33619,14 @@ CVE-2019-8801 (A dynamic library loading issue existed in iTunes setup. This was
NOT-FOR-US: Apple
CVE-2019-8800 (A memory corruption issue was addressed with improved validation. This ...)
NOT-FOR-US: Apple
-CVE-2019-8799
- RESERVED
+CVE-2019-8799 (This issue was resolved by replacing device names with a random identi ...)
+ NOT-FOR-US: Apple
CVE-2019-8798 (A memory corruption issue was addressed with improved memory handling. ...)
NOT-FOR-US: Apple
CVE-2019-8797 (A memory corruption issue was addressed with improved memory handling. ...)
NOT-FOR-US: Apple
-CVE-2019-8796
- RESERVED
+CVE-2019-8796 (A logic issue was addressed with improved validation. This issue is fi ...)
+ NOT-FOR-US: Apple
CVE-2019-8795 (A memory corruption issue was addressed with improved memory handling. ...)
NOT-FOR-US: Apple
CVE-2019-8794 (A validation issue was addressed with improved input sanitization. Thi ...)
@@ -33144,8 +33637,8 @@ CVE-2019-8792 (An injection issue was addressed with improved validation. This i
NOT-FOR-US: Shazam Android App
CVE-2019-8791 (An issue existed in the parsing of URL schemes. This issue was address ...)
NOT-FOR-US: Shazam Android App
-CVE-2019-8790
- RESERVED
+CVE-2019-8790 (This issue was addresses by updating incorrect URLSession file descrip ...)
+ NOT-FOR-US: Apple
CVE-2019-8789 (A validation issue existed in the handling of symlinks. This issue was ...)
NOT-FOR-US: Apple
CVE-2019-8788 (An issue existed in the parsing of URLs. This issue was addressed with ...)
@@ -33172,26 +33665,25 @@ CVE-2019-8782 (Multiple memory corruption issues were addressed with improved me
NOTE: https://webkitgtk.org/security/WSA-2019-0006.html
CVE-2019-8781 (A memory corruption issue was addressed with improved state management ...)
NOT-FOR-US: Apple
-CVE-2019-8780
- RESERVED
+CVE-2019-8780 (The issue was addressed with improved permissions logic. This issue is ...)
+ NOT-FOR-US: Apple
CVE-2019-8779 (A logic issue applied the incorrect restrictions. This issue was addre ...)
NOT-FOR-US: Apple
CVE-2019-8778
RESERVED
-CVE-2019-8777
- RESERVED
-CVE-2019-8776
- RESERVED
+CVE-2019-8777 (A lock screen issue allowed access to contacts on a locked device. Thi ...)
+ NOT-FOR-US: Apple
+CVE-2019-8776 (A memory corruption issue was addressed with improved memory handling. ...)
+ NOT-FOR-US: Apple
CVE-2019-8775 (The issue was addressed by restricting options offered on a locked dev ...)
NOT-FOR-US: Apple
-CVE-2019-8774
- RESERVED
-CVE-2019-8773
- RESERVED
+CVE-2019-8774 (A resource exhaustion issue was addressed with improved input validati ...)
+ NOT-FOR-US: Apple
+CVE-2019-8773 (Multiple memory corruption issues were addressed with improved memory ...)
+ NOT-FOR-US: Apple
CVE-2019-8772 (An issue existed in the handling of links in encrypted PDFs. This issu ...)
NOT-FOR-US: Apple
-CVE-2019-8771
- RESERVED
+CVE-2019-8771 (This issue was addressed with improved iframe sandbox enforcement. Thi ...)
{DSA-4558-1}
- webkit2gtk 2.26.0-1
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
@@ -33210,8 +33702,8 @@ CVE-2019-8768 ("Clear History and Website Data" did not clear the history. The i
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
[jessie] - webkit2gtk <ignored> (Not covered by security support in jessie)
NOTE: https://webkitgtk.org/security/WSA-2019-0005.html
-CVE-2019-8767
- RESERVED
+CVE-2019-8767 (A memory consumption issue was addressed with improved memory handling ...)
+ NOT-FOR-US: Apple
CVE-2019-8766 (Multiple memory corruption issues were addressed with improved memory ...)
{DSA-4558-1}
- webkit2gtk 2.26.0-1
@@ -33236,44 +33728,44 @@ CVE-2019-8763 (Multiple memory corruption issues were addressed with improved me
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
[jessie] - webkit2gtk <ignored> (Not covered by security support in jessie)
NOTE: https://webkitgtk.org/security/WSA-2019-0005.html
-CVE-2019-8762
- RESERVED
-CVE-2019-8761
- RESERVED
+CVE-2019-8762 (A validation issue was addressed with improved logic. This issue is fi ...)
+ NOT-FOR-US: Apple
+CVE-2019-8761 (This issue was addressed with improved checks. This issue is fixed in ...)
+ NOT-FOR-US: Apple
CVE-2019-8760 (This issue was addressed by improving Face ID machine learning models. ...)
NOT-FOR-US: Apple
-CVE-2019-8759
- RESERVED
+CVE-2019-8759 (An out-of-bounds read was addressed with improved bounds checking. Thi ...)
+ NOT-FOR-US: Apple
CVE-2019-8758 (A memory corruption issue was addressed with improved memory handling. ...)
NOT-FOR-US: Apple
CVE-2019-8757 (A race condition existed when reading and writing user preferences. Th ...)
NOT-FOR-US: Apple
-CVE-2019-8756
- RESERVED
+CVE-2019-8756 (Multiple memory corruption issues were addressed with improved input v ...)
+ NOT-FOR-US: Apple
CVE-2019-8755 (A logic issue was addressed with improved restrictions. This issue is ...)
NOT-FOR-US: Apple
-CVE-2019-8754
- RESERVED
-CVE-2019-8753
- RESERVED
-CVE-2019-8752
- RESERVED
-CVE-2019-8751
- RESERVED
+CVE-2019-8754 (A cross-origin issue existed with "iframe" elements. This was addresse ...)
+ NOT-FOR-US: Apple
+CVE-2019-8753 (This issue was addressed with improved checks. This issue is fixed in ...)
+ NOT-FOR-US: Apple
+CVE-2019-8752 (Multiple memory corruption issues were addressed with improved memory ...)
+ NOT-FOR-US: Apple
+CVE-2019-8751 (Multiple memory corruption issues were addressed with improved memory ...)
+ NOT-FOR-US: Apple
CVE-2019-8750 (Multiple memory corruption issues were addressed with improved input v ...)
NOT-FOR-US: Apple
-CVE-2019-8749
- RESERVED
+CVE-2019-8749 (Multiple memory corruption issues were addressed with improved input v ...)
+ NOT-FOR-US: Apple
CVE-2019-8748 (A memory corruption issue was addressed with improved memory handling. ...)
NOT-FOR-US: Apple
CVE-2019-8747 (A memory corruption vulnerability was addressed with improved locking. ...)
NOT-FOR-US: Apple
-CVE-2019-8746
- RESERVED
+CVE-2019-8746 (An out-of-bounds read was addressed with improved input validation. Th ...)
+ NOT-FOR-US: Apple
CVE-2019-8745 (A buffer overflow was addressed with improved bounds checking. This is ...)
NOT-FOR-US: Apple
-CVE-2019-8744
- RESERVED
+CVE-2019-8744 (A memory corruption issue existed in the handling of IPv6 packets. Thi ...)
+ NOT-FOR-US: Apple
CVE-2019-8743 (Multiple memory corruption issues were addressed with improved memory ...)
{DSA-4558-1}
- webkit2gtk 2.26.0-1
@@ -33284,39 +33776,39 @@ CVE-2019-8742 (The issue was addressed by restricting options offered on a locke
NOT-FOR-US: Apple
CVE-2019-8741 (A denial of service issue was addressed with improved input validation ...)
NOT-FOR-US: Apple
-CVE-2019-8740
- RESERVED
+CVE-2019-8740 (A memory corruption vulnerability was addressed with improved locking. ...)
+ NOT-FOR-US: Apple
CVE-2019-8739 (A memory corruption issue was addressed with improved state management ...)
NOT-FOR-US: Apple
CVE-2019-8738 (A memory corruption issue was addressed with improved state management ...)
NOT-FOR-US: Apple
-CVE-2019-8737
- RESERVED
-CVE-2019-8736
- RESERVED
+CVE-2019-8737 (A denial of service issue was addressed with improved validation. This ...)
+ NOT-FOR-US: Apple
+CVE-2019-8736 (An input validation issue was addressed with improved input validation ...)
+ NOT-FOR-US: Apple
CVE-2019-8735 (Multiple memory corruption issues were addressed with improved memory ...)
- webkit2gtk 2.24.2-1
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
[jessie] - webkit2gtk <ignored> (Not covered by security support in jessie)
NOTE: https://webkitgtk.org/security/WSA-2019-0005.html
-CVE-2019-8734
- RESERVED
+CVE-2019-8734 (Multiple memory corruption issues were addressed with improved memory ...)
+ NOT-FOR-US: Apple
CVE-2019-8733 (Multiple memory corruption issues were addressed with improved memory ...)
{DSA-4515-1}
- webkit2gtk 2.24.4-1
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
[jessie] - webkit2gtk <ignored> (Not covered by security support in jessie)
NOTE: https://webkitgtk.org/security/WSA-2019-0005.html
-CVE-2019-8732
- RESERVED
+CVE-2019-8732 (The issue was addressed with improved data deletion. This issue is fix ...)
+ NOT-FOR-US: Apple
CVE-2019-8731 (A permissions issue existed in which execute permission was incorrectl ...)
NOT-FOR-US: Apple
CVE-2019-8730 (The contents of locked notes sometimes appeared in search results. Thi ...)
NOT-FOR-US: Apple
CVE-2019-8729
RESERVED
-CVE-2019-8728
- RESERVED
+CVE-2019-8728 (Multiple memory corruption issues were addressed with improved memory ...)
+ NOT-FOR-US: Apple
CVE-2019-8727 (A logic issue was addressed with improved state management. This issue ...)
NOT-FOR-US: Apple
CVE-2019-8726 (Multiple memory corruption issues were addressed with improved memory ...)
@@ -33347,20 +33839,20 @@ CVE-2019-8719 (A logic issue was addressed with improved state management. This
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
[jessie] - webkit2gtk <ignored> (Not covered by security support in jessie)
NOTE: https://webkitgtk.org/security/WSA-2019-0005.html
-CVE-2019-8718
- RESERVED
+CVE-2019-8718 (A memory corruption issue was addressed with improved memory handling. ...)
+ NOT-FOR-US: Apple
CVE-2019-8717 (A memory corruption issue was addressed with improved memory handling. ...)
NOT-FOR-US: Apple
-CVE-2019-8716
- RESERVED
-CVE-2019-8715
- RESERVED
+CVE-2019-8716 (A memory corruption issue was addressed with improved memory handling. ...)
+ NOT-FOR-US: Apple
+CVE-2019-8715 (A memory corruption issue was addressed with improved memory handling. ...)
+ NOT-FOR-US: Apple
CVE-2019-8714
RESERVED
CVE-2019-8713
RESERVED
-CVE-2019-8712
- RESERVED
+CVE-2019-8712 (A memory corruption issue was addressed with improved memory handling. ...)
+ NOT-FOR-US: Apple
CVE-2019-8711 (A logic issue existed with the display of notification previews. This ...)
NOT-FOR-US: Apple
CVE-2019-8710 (Multiple memory corruption issues were addressed with improved memory ...)
@@ -33369,26 +33861,26 @@ CVE-2019-8710 (Multiple memory corruption issues were addressed with improved me
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
[jessie] - webkit2gtk <ignored> (Not covered by security support in jessie)
NOTE: https://webkitgtk.org/security/WSA-2019-0006.html
-CVE-2019-8709
- RESERVED
-CVE-2019-8708
- RESERVED
+CVE-2019-8709 (A memory corruption issue was addressed with improved state management ...)
+ NOT-FOR-US: Apple
+CVE-2019-8708 (A logic issue was addressed with improved restrictions. This issue is ...)
+ NOT-FOR-US: Apple
CVE-2019-8707 (Multiple memory corruption issues were addressed with improved memory ...)
{DSA-4515-1}
- webkit2gtk 2.24.4-1
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
[jessie] - webkit2gtk <ignored> (Not covered by security support in jessie)
NOTE: https://webkitgtk.org/security/WSA-2019-0005.html
-CVE-2019-8706
- RESERVED
+CVE-2019-8706 (A memory corruption issue was addressed with improved state management ...)
+ NOT-FOR-US: Apple
CVE-2019-8705 (A memory corruption issue was addressed with improved validation. This ...)
NOT-FOR-US: Apple
CVE-2019-8704 (An authentication issue was addressed with improved state management. ...)
NOT-FOR-US: Apple
-CVE-2019-8703
- RESERVED
-CVE-2019-8702
- RESERVED
+CVE-2019-8703 (This issue was addressed with improved entitlements. This issue is fix ...)
+ NOT-FOR-US: Apple
+CVE-2019-8702 (This issue was addressed with a new entitlement. This issue is fixed i ...)
+ NOT-FOR-US: Apple
CVE-2019-8701 (A memory corruption issue was addressed with improved memory handling. ...)
NOT-FOR-US: Apple
CVE-2019-8700
@@ -33399,8 +33891,7 @@ CVE-2019-8698 (A validation issue existed in the entitlement verification. This
NOT-FOR-US: Apple
CVE-2019-8697 (A memory corruption issue was addressed with improved memory handling. ...)
NOT-FOR-US: Apple
-CVE-2019-8696 [stack-buffer-overflow in libcups's asn1_get_packed function]
- RESERVED
+CVE-2019-8696 (A buffer overflow issue was addressed with improved memory handling. T ...)
{DLA-1893-1}
- cups 2.2.12-1 (bug #934957)
[buster] - cups 2.2.10-6+deb10u1
@@ -33498,8 +33989,7 @@ CVE-2019-8676 (Multiple memory corruption issues were addressed with improved me
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
[jessie] - webkit2gtk <ignored> (Not covered by security support in jessie)
NOTE: https://webkitgtk.org/security/WSA-2019-0004.html
-CVE-2019-8675 [stack-buffer-overflow in libcups's asn1_get_type function]
- RESERVED
+CVE-2019-8675 (A buffer overflow issue was addressed with improved memory handling. T ...)
{DLA-1893-1}
- cups 2.2.12-1 (bug #934957)
[buster] - cups 2.2.10-6+deb10u1
@@ -33537,8 +34027,8 @@ CVE-2019-8669 (Multiple memory corruption issues were addressed with improved me
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
[jessie] - webkit2gtk <ignored> (Not covered by security support in jessie)
NOTE: https://webkitgtk.org/security/WSA-2019-0004.html
-CVE-2019-8668
- RESERVED
+CVE-2019-8668 (A denial of service issue was addressed with improved validation. This ...)
+ NOT-FOR-US: Apple
CVE-2019-8667 (An inconsistent user interface issue was addressed with improved state ...)
NOT-FOR-US: Apple
CVE-2019-8666 (Multiple memory corruption issues were addressed with improved memory ...)
@@ -33549,8 +34039,8 @@ CVE-2019-8666 (Multiple memory corruption issues were addressed with improved me
NOTE: https://webkitgtk.org/security/WSA-2019-0004.html
CVE-2019-8665 (A denial of service issue was addressed with improved validation. This ...)
NOT-FOR-US: Apple
-CVE-2019-8664
- RESERVED
+CVE-2019-8664 (An input validation issue was addressed with improved input validation ...)
+ NOT-FOR-US: Apple
CVE-2019-8663 (This issue was addressed with improved checks. This issue is fixed in ...)
NOT-FOR-US: Apple
CVE-2019-8662 (This issue was addressed with improved checks. This issue is fixed in ...)
@@ -33569,8 +34059,8 @@ CVE-2019-8658 (A logic issue was addressed with improved state management. This
NOTE: https://webkitgtk.org/security/WSA-2019-0004.html
CVE-2019-8657 (An out-of-bounds read was addressed with improved input validation. Th ...)
NOT-FOR-US: Apple
-CVE-2019-8656
- RESERVED
+CVE-2019-8656 (This was addressed with additional checks by Gatekeeper on files mount ...)
+ NOT-FOR-US: Apple
CVE-2019-8655
RESERVED
CVE-2019-8654 (An inconsistent user interface issue was addressed with improved state ...)
@@ -33595,26 +34085,26 @@ CVE-2019-8647 (A use after free issue was addressed with improved memory managem
NOT-FOR-US: Apple
CVE-2019-8646 (An out-of-bounds read was addressed with improved input validation. Th ...)
NOT-FOR-US: Apple
-CVE-2019-8645
- RESERVED
+CVE-2019-8645 (An issue existed in the handling of encrypted Mail. This issue was add ...)
+ NOT-FOR-US: Apple
CVE-2019-8644 (Multiple memory corruption issues were addressed with improved memory ...)
{DSA-4515-1}
- webkit2gtk 2.24.4-1
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
[jessie] - webkit2gtk <ignored> (Not covered by security support in jessie)
NOTE: https://webkitgtk.org/security/WSA-2019-0004.html
-CVE-2019-8643
- RESERVED
-CVE-2019-8642
- RESERVED
+CVE-2019-8643 (CVE-2019-8643: Arun Sharma of VMWare This issue is fixed in macOS Moja ...)
+ NOT-FOR-US: Apple
+CVE-2019-8642 (An issue existed in the handling of S-MIME certificates. This issue wa ...)
+ NOT-FOR-US: Apple
CVE-2019-8641 (An out-of-bounds read was addressed with improved input validation. ...)
NOT-FOR-US: Apple
-CVE-2019-8640
- RESERVED
-CVE-2019-8639
- RESERVED
-CVE-2019-8638
- RESERVED
+CVE-2019-8640 (A logic issue was addressed with improved validation. This issue is fi ...)
+ NOT-FOR-US: Apple
+CVE-2019-8639 (Multiple memory corruption issues were addressed with improved memory ...)
+ NOT-FOR-US: Apple
+CVE-2019-8638 (Multiple memory corruption issues were addressed with improved memory ...)
+ NOT-FOR-US: Apple
CVE-2019-8637 (An input validation issue was addressed with improved input validation ...)
NOT-FOR-US: Apple
CVE-2019-8636
@@ -33623,12 +34113,12 @@ CVE-2019-8635 (A memory corruption issue was addressed with improved memory hand
NOT-FOR-US: Apple
CVE-2019-8634 (An authentication issue was addressed with improved state management. ...)
NOT-FOR-US: Apple
-CVE-2019-8633
- RESERVED
+CVE-2019-8633 (A validation issue was addressed with improved input sanitization. Thi ...)
+ NOT-FOR-US: Apple
CVE-2019-8632 (Some analytics data was sent using HTTP rather than HTTPS. This was ad ...)
NOT-FOR-US: Apple
-CVE-2019-8631
- RESERVED
+CVE-2019-8631 (A logic issue was addressed with improved state management. This issue ...)
+ NOT-FOR-US: Apple
CVE-2019-8630 (The issue was addressed with improved UI handling. This issue is fixed ...)
NOT-FOR-US: Apple
CVE-2019-8629 (A memory initialization issue was addressed with improved memory handl ...)
@@ -33666,8 +34156,8 @@ CVE-2019-8619 (Multiple memory corruption issues were addressed with improved me
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
[jessie] - webkit2gtk <ignored> (Not covered by security support in jessie)
NOTE: https://webkitgtk.org/security/WSA-2019-0003.html
-CVE-2019-8618
- RESERVED
+CVE-2019-8618 (A logic issue was addressed with improved restrictions. This issue is ...)
+ NOT-FOR-US: Apple
CVE-2019-8617 (An access issue was addressed with additional sandbox restrictions. Th ...)
NOT-FOR-US: Apple
CVE-2019-8616 (A memory corruption issue was addressed with improved memory handling. ...)
@@ -33680,8 +34170,8 @@ CVE-2019-8614
RESERVED
CVE-2019-8613 (A use after free issue was addressed with improved memory management. ...)
NOT-FOR-US: Apple
-CVE-2019-8612
- RESERVED
+CVE-2019-8612 (A logic issue was addressed with improved state management. This issue ...)
+ NOT-FOR-US: Apple
CVE-2019-8611 (Multiple memory corruption issues were addressed with improved memory ...)
- webkit2gtk 2.24.1-1
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
@@ -33748,16 +34238,16 @@ CVE-2019-8594 (Multiple memory corruption issues were addressed with improved me
NOTE: https://webkitgtk.org/security/WSA-2019-0003.html
CVE-2019-8593 (A memory corruption issue was addressed with improved memory handling. ...)
NOT-FOR-US: Apple
-CVE-2019-8592
- RESERVED
+CVE-2019-8592 (A memory corruption issue was addressed with improved input validation ...)
+ NOT-FOR-US: Apple
CVE-2019-8591 (A type confusion issue was addressed with improved memory handling. Th ...)
NOT-FOR-US: Apple
CVE-2019-8590 (A logic issue was addressed with improved restrictions. This issue is ...)
NOT-FOR-US: Apple
CVE-2019-8589 (This issue was addressed with improved checks. This issue is fixed in ...)
NOT-FOR-US: Apple
-CVE-2019-8588
- RESERVED
+CVE-2019-8588 (A null pointer dereference was addressed with improved input validatio ...)
+ NOT-FOR-US: Apple
CVE-2019-8587 (Multiple memory corruption issues were addressed with improved memory ...)
- webkit2gtk 2.24.1-1
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
@@ -33780,37 +34270,37 @@ CVE-2019-8583 (Multiple memory corruption issues were addressed with improved me
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
[jessie] - webkit2gtk <ignored> (Not covered by security support in jessie)
NOTE: https://webkitgtk.org/security/WSA-2019-0003.html
-CVE-2019-8582
- RESERVED
-CVE-2019-8581
- RESERVED
-CVE-2019-8580
- RESERVED
-CVE-2019-8579
- RESERVED
-CVE-2019-8578
- RESERVED
+CVE-2019-8582 (An out-of-bounds read was addressed with improved bounds checking. Thi ...)
+ NOT-FOR-US: Apple
+CVE-2019-8581 (An out-of-bounds read was addressed with improved input validation. Th ...)
+ NOT-FOR-US: Apple
+CVE-2019-8580 (Source-routed IPv4 packets were disabled by default. This issue is fix ...)
+ NOT-FOR-US: Apple
+CVE-2019-8579 (An input validation issue was addressed with improved memory handling. ...)
+ NOT-FOR-US: Apple
+CVE-2019-8578 (A use after free issue was addressed with improved memory management. ...)
+ NOT-FOR-US: Apple
CVE-2019-8577 (An input validation issue was addressed with improved memory handling. ...)
NOT-FOR-US: Apple
CVE-2019-8576 (An out-of-bounds read was addressed with improved bounds checking. Thi ...)
NOT-FOR-US: Apple
-CVE-2019-8575
- RESERVED
+CVE-2019-8575 (The issue was addressed with improved data deletion. This issue is fix ...)
+ NOT-FOR-US: Apple
CVE-2019-8574 (A memory corruption issue was addressed with improved memory handling. ...)
NOT-FOR-US: Apple
-CVE-2019-8573
- RESERVED
-CVE-2019-8572
- RESERVED
+CVE-2019-8573 (An input validation issue was addressed with improved input validation ...)
+ NOT-FOR-US: Apple
+CVE-2019-8572 (A null pointer dereference was addressed with improved input validatio ...)
+ NOT-FOR-US: Apple
CVE-2019-8571 (Multiple memory corruption issues were addressed with improved memory ...)
- webkit2gtk 2.24.1-1
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
[jessie] - webkit2gtk <ignored> (Not covered by security support in jessie)
NOTE: https://webkitgtk.org/security/WSA-2019-0003.html
-CVE-2019-8570
- RESERVED
-CVE-2019-8569
- RESERVED
+CVE-2019-8570 (A logic issue was addressed with improved state management. This issue ...)
+ NOT-FOR-US: Apple
+CVE-2019-8569 (A memory corruption issue was addressed with improved memory handling. ...)
+ NOT-FOR-US: Apple
CVE-2019-8568 (A validation issue existed in the handling of symlinks. This issue was ...)
NOT-FOR-US: Apple
CVE-2019-8567 (A user privacy issue was addressed by removing the broadcast MAC addre ...)
@@ -33819,8 +34309,8 @@ CVE-2019-8566 (An API issue existed in the handling of microphone data. This iss
NOT-FOR-US: Apple
CVE-2019-8565 (A race condition was addressed with additional validation. This issue ...)
NOT-FOR-US: Apple
-CVE-2019-8564
- RESERVED
+CVE-2019-8564 (A logic issue was addressed with improved validation. This issue is fi ...)
+ NOT-FOR-US: Apple
CVE-2019-8563 (Multiple memory corruption issues were addressed with improved memory ...)
- webkit2gtk 2.24.1-1
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
@@ -33865,8 +34355,8 @@ CVE-2019-8549 (Multiple input validation issues existed in MIG generated code. T
NOT-FOR-US: Apple
CVE-2019-8548 (An issue existed where partially entered passcodes may not clear when ...)
NOT-FOR-US: Apple
-CVE-2019-8547
- RESERVED
+CVE-2019-8547 (An out-of-bounds read issue existed that led to the disclosure of kern ...)
+ NOT-FOR-US: Apple
CVE-2019-8546 (An access issue was addressed with additional sandbox restrictions. Th ...)
NOT-FOR-US: Apple
CVE-2019-8545 (A memory corruption issue was addressed with improved state management ...)
@@ -33884,10 +34374,10 @@ CVE-2019-8541 (A privacy issue existed in motion sensor calibration. This issue
NOT-FOR-US: Apple
CVE-2019-8540 (A memory initialization issue was addressed with improved memory handl ...)
NOT-FOR-US: Apple
-CVE-2019-8539
- RESERVED
-CVE-2019-8538
- RESERVED
+CVE-2019-8539 (A memory initialization issue was addressed with improved memory handl ...)
+ NOT-FOR-US: Apple
+CVE-2019-8538 (A denial of service issue was addressed with improved validation. This ...)
+ NOT-FOR-US: Apple
CVE-2019-8537 (An access issue was addressed with improved memory management. This is ...)
NOT-FOR-US: Apple
CVE-2019-8536 (A memory corruption issue was addressed with improved memory handling. ...)
@@ -33900,26 +34390,26 @@ CVE-2019-8535 (A memory corruption issue was addressed with improved state manag
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
[jessie] - webkit2gtk <ignored> (Not covered by security support in jessie)
NOTE: https://webkitgtk.org/security/WSA-2019-0002.html
-CVE-2019-8534
- RESERVED
+CVE-2019-8534 (A logic issue existed resulting in memory corruption. This was address ...)
+ NOT-FOR-US: Apple
CVE-2019-8533 (A lock handling issue was addressed with improved lock handling. This ...)
NOT-FOR-US: Apple
-CVE-2019-8532
- RESERVED
-CVE-2019-8531
- RESERVED
+CVE-2019-8532 (A permissions issue was addressed by removing vulnerable code and addi ...)
+ NOT-FOR-US: Apple
+CVE-2019-8531 (A validation issue existed in Trust Anchor Management. This issue was ...)
+ NOT-FOR-US: Apple
CVE-2019-8530 (This issue was addressed with improved checks. This issue is fixed in ...)
NOT-FOR-US: Apple
CVE-2019-8529 (A memory corruption issue was addressed with improved input validation ...)
NOT-FOR-US: Apple
-CVE-2019-8528
- RESERVED
+CVE-2019-8528 (A use after free issue was addressed with improved memory management. ...)
+ NOT-FOR-US: Apple
CVE-2019-8527 (A buffer overflow was addressed with improved size validation. This is ...)
NOT-FOR-US: Apple
CVE-2019-8526 (A use after free issue was addressed with improved memory management. ...)
NOT-FOR-US: Apple
-CVE-2019-8525
- RESERVED
+CVE-2019-8525 (A memory corruption issue was addressed with improved state management ...)
+ NOT-FOR-US: Apple
CVE-2019-8524 (Multiple memory corruption issues were addressed with improved memory ...)
- webkit2gtk 2.24.1-1
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
@@ -33962,8 +34452,8 @@ CVE-2019-8511 (A buffer overflow issue was addressed with improved memory handli
NOT-FOR-US: Apple
CVE-2019-8510 (An out-of-bounds read issue existed that led to the disclosure of kern ...)
NOT-FOR-US: Apple
-CVE-2019-8509
- RESERVED
+CVE-2019-8509 (This issue was addressed by removing the vulnerable code. This issue i ...)
+ NOT-FOR-US: Apple
CVE-2019-8508 (A buffer overflow was addressed with improved bounds checking. This is ...)
NOT-FOR-US: Apple
CVE-2019-8507 (Multiple memory corruption issues were addressed with improved input v ...)
@@ -34138,19 +34628,32 @@ CVE-2019-8431
CVE-2019-8430
RESERVED
CVE-2019-8429 (ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php fil ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder <unfixed> (unimportant; bug #922724)
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-8428 (ZoneMinder before 1.32.3 has SQL Injection via the skins/classic/views ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
+ NOTE: https://github.com/ZoneMinder/zoneminder/pull/2422
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/c0a6e54d60d3a8f297cc5f2ef6a862f6f00d746e
CVE-2019-8427 (daemonControl in includes/functions.php in ZoneMinder before 1.32.3 al ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder <unfixed> (unimportant; bug #922724)
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-8426 (skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/34e2e4799364639483f93cff70204618b834f7a2
+ NOTE: https://github.com/ZoneMinder/zoneminder/pull/2423
CVE-2019-8425 (includes/database.php in ZoneMinder before 1.32.3 has XSS in the const ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder <unfixed> (unimportant; bug #922724)
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-8424 (ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sor ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/02fd1e79b3bfa5b2e2087cb1255f9dbd921ccae8
+ NOTE: https://github.com/ZoneMinder/zoneminder/pull/2421
CVE-2019-8423 (ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/view ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder <unfixed> (unimportant; bug #922724)
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-8422 (A SQL Injection vulnerability exists in PbootCMS v1.3.2 via the descri ...)
NOT-FOR-US: PbootCMS
CVE-2019-8421 (upload/protected/modules/admini/views/post/index.php in BageCMS throug ...)
@@ -34204,16 +34707,19 @@ CVE-2019-8398 (An issue was discovered in the HDF HDF5 1.10.4 library. There is
NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul6
NOTE: https://jira.hdfgroup.org/browse/HDFFV-10710
CVE-2019-8397 (An issue was discovered in the HDF HDF5 1.10.4 library. There is an ou ...)
- - hdf5 <unfixed>
+ - hdf5 <unfixed> (unimportant)
[buster] - hdf5 <no-dsa> (Minor issue)
[stretch] - hdf5 <no-dsa> (Minor issue)
[jessie] - hdf5 <ignored> (Minor issue)
NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul5
NOTE: issue in upstream bug tracker: https://jira.hdfgroup.org/browse/HDFFV-10711
+ NOTE: Negligible security impact, malicous scientific data has more issues than a crash
CVE-2019-8396 (A buffer overflow in H5O__layout_encode in H5Olayout.c in the HDF HDF5 ...)
- hdf5 <undetermined>
NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul4
NOTE: https://jira.hdfgroup.org/browse/HDFFV-10712
+ NOTE: HDFFV-10712 is marked to be closed in a future 1.10.8 upstream release.
+ NOTE: Upstream fix was made in May 2021 after the 1.12.0 release (Mar 2020)
CVE-2019-8395 (An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoh ...)
NOT-FOR-US: Zoho ManageEngine ServiceDesk Plus
CVE-2019-8394 (Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allow ...)
@@ -34239,8 +34745,8 @@ CVE-2019-8385 (An issue was discovered in Thomson Reuters Desktop Extensions 1.9
CVE-2019-8384
RESERVED
CVE-2019-8383 (An issue was discovered in AdvanceCOMP through 2.1. An invalid memory ...)
+ {DLA-2868-1}
- advancecomp 2.1-2.1 (bug #928730)
- [stretch] - advancecomp <no-dsa> (Minor issue)
[jessie] - advancecomp <ignored> (Minor issue)
NOTE: https://sourceforge.net/p/advancemame/bugs/272/
NOTE: https://github.com/amadvance/advancecomp/commit/78a56b21340157775be2462a19276b4d31d2bd01
@@ -34253,8 +34759,8 @@ CVE-2019-8381 (An issue was discovered in Tcpreplay 4.3.1. An invalid memory acc
CVE-2019-8380 (An issue was discovered in Bento4 1.5.1-628. A NULL pointer dereferenc ...)
NOT-FOR-US: Bento4
CVE-2019-8379 (An issue was discovered in AdvanceCOMP through 2.1. A NULL pointer der ...)
+ {DLA-2868-1}
- advancecomp 2.1-2.1 (bug #928729)
- [stretch] - advancecomp <no-dsa> (Minor issue)
[jessie] - advancecomp <ignored> (Minor issue)
NOTE: https://sourceforge.net/p/advancemame/bugs/271/
NOTE: https://github.com/amadvance/advancecomp/commit/7894a6e684ce68ddff9f4f4919ab8e3911ac8040
@@ -34403,7 +34909,7 @@ CVE-2019-8325 (An issue was discovered in RubyGems 2.6 and later through 3.0.2.
- ruby2.5 2.5.5-1
- ruby2.3 <removed>
- ruby2.1 <removed>
- - rubygems <removed>
+ - rubygems 3.2.0~rc.1-1
- jruby 9.1.17.0-3 (bug #925987)
NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
@@ -34413,7 +34919,7 @@ CVE-2019-8324 (An issue was discovered in RubyGems 2.6 and later through 3.0.2.
- ruby2.5 2.5.5-1
- ruby2.3 <removed>
- ruby2.1 <removed>
- - rubygems <removed>
+ - rubygems 3.2.0~rc.1-1
- jruby 9.1.17.0-3 (bug #925987)
NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
@@ -34423,7 +34929,7 @@ CVE-2019-8323 (An issue was discovered in RubyGems 2.6 and later through 3.0.2.
- ruby2.5 2.5.5-1
- ruby2.3 <removed>
- ruby2.1 <removed>
- - rubygems <removed>
+ - rubygems 3.2.0~rc.1-1
- jruby 9.1.17.0-3 (bug #925987)
NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
@@ -34433,7 +34939,7 @@ CVE-2019-8322 (An issue was discovered in RubyGems 2.6 and later through 3.0.2.
- ruby2.5 2.5.5-1
- ruby2.3 <removed>
- ruby2.1 <removed>
- - rubygems <removed>
+ - rubygems 3.2.0~rc.1-1
- jruby 9.1.17.0-3 (bug #925987)
NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
@@ -34444,7 +34950,7 @@ CVE-2019-8321 (An issue was discovered in RubyGems 2.6 and later through 3.0.2.
- ruby2.3 <removed>
- ruby2.1 <removed>
[jessie] - ruby2.1 <not-affected> (Vulnerable code introduced later)
- - rubygems <removed>
+ - rubygems 3.2.0~rc.1-1
- jruby 9.1.17.0-3 (bug #925987)
NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
@@ -34454,7 +34960,7 @@ CVE-2019-8320 (A Directory Traversal issue was discovered in RubyGems 2.7.6 and
- ruby2.5 2.5.5-1
- ruby2.3 <removed>
- ruby2.1 <removed>
- - rubygems <removed>
+ - rubygems 3.2.0~rc.1-1
- jruby 9.1.17.0-3 (bug #925987)
[jessie] - jruby <not-affected> (Vulnerable code introduced later)
NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
@@ -35655,7 +36161,7 @@ CVE-2019-7733 (In Live555 0.95, there is a buffer overflow via a large integer i
NOTE: https://github.com/rgaufman/live555/issues/21
NOTE: fixed in 2019.05.12: http://www.live555.com/liveMedia/public/changelog.txt
CVE-2019-7732 (In Live555 0.95, a setup packet can cause a memory leak leading to DoS ...)
- - liblivemedia <unfixed> (unimportant)
+ - liblivemedia <removed> (unimportant)
[stretch] - liblivemedia <no-dsa> (Minor issue)
[jessie] - liblivemedia <no-dsa> (Minor issue, unlikely to be exploited in practice)
NOTE: https://github.com/rgaufman/live555/issues/20
@@ -35670,10 +36176,10 @@ CVE-2019-7728 (An issue was discovered in the Bosch Smart Camera App before 1.3.
NOT-FOR-US: Bosch Smart Camera App
CVE-2019-7727 (In NICE Engage through 6.5, the default configuration binds an unauthe ...)
NOT-FOR-US: NICE Engage
-CVE-2019-7726
- RESERVED
-CVE-2019-7725
- RESERVED
+CVE-2019-7726 (modules/banners/funcs/click.php in NukeViet before 4.3.04 has a SQL IN ...)
+ NOT-FOR-US: NukeViet
+CVE-2019-7725 (includes/core/is_user.php in NukeViet before 4.3.04 deserializes the u ...)
+ NOT-FOR-US: NukeViet
CVE-2019-7724
RESERVED
CVE-2019-7723
@@ -35802,15 +36308,14 @@ CVE-2019-7667 (Prima Systems FlexAir, Versions 2.3.38 and prior. The application
CVE-2019-7666 (Prima Systems FlexAir, Versions 2.3.38 and prior. The application allo ...)
NOT-FOR-US: Prima Systems FlexAir devices
CVE-2019-7665 (In elfutils 0.175, a heap-based buffer over-read was discovered in the ...)
- {DLA-1689-1}
+ {DLA-2802-1 DLA-1689-1}
- elfutils 0.176-1 (low; bug #921880)
- [stretch] - elfutils <no-dsa> (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24089
NOTE: https://sourceware.org/ml/elfutils-devel/2019-q1/msg00049.html
NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=de01cc6f9446187d69b9748bb3636361c79e77a4
CVE-2019-7664 (In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_not ...)
- elfutils 0.176-1 (low; bug #921881)
- [stretch] - elfutils <no-dsa> (Minor issue)
+ [stretch] - elfutils <not-affected> (Vulnerable code introduced later)
[jessie] - elfutils <not-affected> (Vulnerable code introduced later)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24084
NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=e65d91d21cb09d83b001fef9435e576ba447db32
@@ -35853,9 +36358,8 @@ CVE-2019-7651 (EPP.sys in Emsisoft Anti-Malware prior to version 2018.12 allows
CVE-2019-7650
RESERVED
CVE-2019-7653 (The Debian python-rdflib-tools 4.2.2-1 package for RDFLib 4.2.2 has CL ...)
- {DLA-1717-1}
+ {DLA-2861-1 DLA-1717-1}
- rdflib 4.2.2-2 (low; bug #921751)
- [stretch] - rdflib <no-dsa> (Minor issue)
NOTE: Debian specific issue as respective scripts are overwritten in Debian
NOTE: packaging as wrappers invoking python -m.
CVE-2019-7649 (global.encryptPassword in bootstrap/global.js in CMSWing 1.3.7 relies ...)
@@ -35881,23 +36385,19 @@ CVE-2019-7640
CVE-2019-7639 (An issue was discovered in gsi-openssh-server 7.9p1 on Fedora 29. If P ...)
NOT-FOR-US: gsi-openssh-server (OpenSSH patched with openssh-7.9p1-gsissh.patch)
CVE-2019-7638 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
- {DLA-1714-1 DLA-1713-1}
+ {DLA-2804-1 DLA-2536-1 DLA-1714-1 DLA-1713-1}
- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
[buster] - libsdl1.2 <no-dsa> (Minor issue)
- [stretch] - libsdl1.2 <no-dsa> (Minor issue)
- libsdl2 2.0.10+dfsg1-1 (bug #924610)
[buster] - libsdl2 <no-dsa> (Minor issue)
- [stretch] - libsdl2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4500
NOTE: https://hg.libsdl.org/SDL/rev/19d8c3b9c251 (SDL-1.2)
NOTE: https://hg.libsdl.org/SDL/rev/07c39cbbeacf
CVE-2019-7637 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
- {DLA-1714-1 DLA-1713-1}
+ {DLA-2804-1 DLA-2803-1 DLA-1714-1 DLA-1713-1}
- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
[buster] - libsdl1.2 <no-dsa> (Minor issue)
- [stretch] - libsdl1.2 <no-dsa> (Minor issue)
- libsdl2 2.0.6+dfsg1-4 (bug #924610)
- [stretch] - libsdl2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4497
NOTE: https://hg.libsdl.org/SDL/rev/9b0e5c555c0f (SDL-1.2)
NOTE: https://hg.libsdl.org/SDL/rev/32075e9e2135 (SDL-1.2)
@@ -35906,24 +36406,20 @@ CVE-2019-7637 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
NOTE: https://hg.libsdl.org/SDL/rev/81a4950907a0 (SDL-2)
NOTE: For SDL-2 the fix for CVE-2017-2888 fixes as well CVE-2019-7637.
CVE-2019-7636 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
- {DLA-1714-1 DLA-1713-1}
+ {DLA-2804-1 DLA-2536-1 DLA-1714-1 DLA-1713-1}
- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
[buster] - libsdl1.2 <no-dsa> (Minor issue)
- [stretch] - libsdl1.2 <no-dsa> (Minor issue)
- libsdl2 2.0.10+dfsg1-1 (bug #924610)
[buster] - libsdl2 <no-dsa> (Minor issue)
- [stretch] - libsdl2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4499
NOTE: https://hg.libsdl.org/SDL/rev/19d8c3b9c251 (SDL-1.2)
NOTE: https://hg.libsdl.org/SDL/rev/07c39cbbeacf (SDL-2)
CVE-2019-7635 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
- {DLA-1865-1 DLA-1861-1 DLA-1714-1 DLA-1713-1}
+ {DLA-2804-1 DLA-2536-1 DLA-1865-1 DLA-1861-1 DLA-1714-1 DLA-1713-1}
- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
[buster] - libsdl1.2 <no-dsa> (Minor issue)
- [stretch] - libsdl1.2 <no-dsa> (Minor issue)
- libsdl2 2.0.10+dfsg1-1 (bug #924610)
[buster] - libsdl2 <no-dsa> (Minor issue)
- [stretch] - libsdl2 <no-dsa> (Minor issue)
- sdl-image1.2 1.2.12-11 (bug #932755)
[buster] - sdl-image1.2 1.2.12-10+deb10u1
[stretch] - sdl-image1.2 1.2.12-5+deb9u2
@@ -36056,34 +36552,29 @@ CVE-2019-7580 (ThinkCMF 5.0.190111 allows remote attackers to execute arbitrary
CVE-2019-7579 (An issue was discovered on Linksys WRT1900ACS 1.0.3.187766 devices. An ...)
NOT-FOR-US: Linksys
CVE-2019-7578 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
- {DLA-1714-1 DLA-1713-1}
+ {DLA-2804-1 DLA-2536-1 DLA-1714-1 DLA-1713-1}
- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
[buster] - libsdl1.2 <no-dsa> (Minor issue)
- [stretch] - libsdl1.2 <no-dsa> (Minor issue)
- libsdl2 2.0.10+dfsg1-1 (bug #924610)
[buster] - libsdl2 <no-dsa> (Minor issue)
- [stretch] - libsdl2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4494
NOTE: https://hg.libsdl.org/SDL/rev/388987dff7bf (SDL-1.2)
NOTE: https://hg.libsdl.org/SDL/rev/f9a9d6c76b21 (SDL-2)
CVE-2019-7577 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
- {DLA-1714-1 DLA-1713-1}
+ {DLA-2804-1 DLA-2536-1 DLA-1714-1 DLA-1713-1}
- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
[buster] - libsdl1.2 <no-dsa> (Minor issue)
- [stretch] - libsdl1.2 <no-dsa> (Minor issue)
- libsdl2 2.0.10+dfsg1-1 (bug #924610)
[buster] - libsdl2 <no-dsa> (Minor issue)
- [stretch] - libsdl2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
NOTE: https://hg.libsdl.org/SDL/rev/faf9abbcfb5f (SDL-1.2)
NOTE: https://hg.libsdl.org/SDL/rev/416136310b88 (SDL-1.2)
NOTE: SDL2 was probably fixed during a refactoring, no targeted fix available:
NOTE: https://hg.libsdl.org/SDL/rev/b06fa7da012b (SDL-2)
CVE-2019-7576 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
- {DLA-1714-1 DLA-1713-1}
+ {DLA-2804-1 DLA-1714-1 DLA-1713-1}
- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
[buster] - libsdl1.2 <no-dsa> (Minor issue)
- [stretch] - libsdl1.2 <no-dsa> (Minor issue)
- libsdl2 2.0.10+dfsg1-1 (bug #924610)
[buster] - libsdl2 <no-dsa> (Minor issue)
[stretch] - libsdl2 <no-dsa> (Minor issue)
@@ -36091,22 +36582,19 @@ CVE-2019-7576 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
NOTE: Proposed patch: https://bugzilla.libsdl.org/attachment.cgi?id=3620&action=diff
NOTE: very similar bug to CVE-2019-7573, fix for CVE-2019-7573 is applicable to this
CVE-2019-7575 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
- {DLA-1714-1 DLA-1713-1}
+ {DLA-2804-1 DLA-2536-1 DLA-1714-1 DLA-1713-1}
- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
[buster] - libsdl1.2 <no-dsa> (Minor issue)
- [stretch] - libsdl1.2 <no-dsa> (Minor issue)
- libsdl2 2.0.10+dfsg1-1 (bug #924610)
[buster] - libsdl2 <no-dsa> (Minor issue)
- [stretch] - libsdl2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4493
NOTE: https://hg.libsdl.org/SDL/rev/a936f9bd3e38 (SDL-1.2)
NOTE: SDL2 was probably fixed during a refactoring, no targeted fix available:
NOTE: https://hg.libsdl.org/SDL/rev/b06fa7da012b (SDL-2)
CVE-2019-7574 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
- {DLA-1714-1 DLA-1713-1}
+ {DLA-2804-1 DLA-1714-1 DLA-1713-1}
- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
[buster] - libsdl1.2 <no-dsa> (Minor issue)
- [stretch] - libsdl1.2 <no-dsa> (Minor issue)
- libsdl2 2.0.10+dfsg1-1 (bug #924610)
[buster] - libsdl2 <no-dsa> (Minor issue)
[stretch] - libsdl2 <no-dsa> (Minor issue)
@@ -36115,10 +36603,9 @@ CVE-2019-7574 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
NOTE: SDL2 was probably fixed during a refactoring, no targeted fix available:
NOTE: https://hg.libsdl.org/SDL/rev/b06fa7da012b (SDL-2)
CVE-2019-7573 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
- {DLA-1714-1 DLA-1713-1}
+ {DLA-2804-1 DLA-1714-1 DLA-1713-1}
- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
[buster] - libsdl1.2 <no-dsa> (Minor issue)
- [stretch] - libsdl1.2 <no-dsa> (Minor issue)
- libsdl2 2.0.10+dfsg1-1 (bug #924610)
[buster] - libsdl2 <no-dsa> (Minor issue)
[stretch] - libsdl2 <no-dsa> (Minor issue)
@@ -36128,10 +36615,9 @@ CVE-2019-7573 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0
NOTE: SDL2 was probably fixed during a refactoring, no targeted fix available:
NOTE: https://hg.libsdl.org/SDL/rev/b06fa7da012b (SDL-2)
CVE-2019-7572 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 ha ...)
- {DLA-1714-1 DLA-1713-1}
+ {DLA-2804-1 DLA-1714-1 DLA-1713-1}
- libsdl1.2 1.2.15+dfsg2-5 (bug #924609)
[buster] - libsdl1.2 <no-dsa> (Minor issue)
- [stretch] - libsdl1.2 <no-dsa> (Minor issue)
- libsdl2 2.0.10+dfsg1-1 (bug #924610)
[buster] - libsdl2 <no-dsa> (Minor issue)
[stretch] - libsdl2 <no-dsa> (Minor issue)
@@ -36191,10 +36677,9 @@ CVE-2019-7549 (An issue was discovered in GitLab Community and Enterprise Editio
- gitlab 11.5.10+dfsg-1 (bug #921059)
NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/
CVE-2019-7548 (SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be ...)
- {DLA-1718-1}
+ {DLA-2811-1 DLA-1718-1}
[experimental] - sqlalchemy 1.3.0~b3+ds1-1
- sqlalchemy 1.2.18+ds1-2 (bug #922669)
- [stretch] - sqlalchemy <no-dsa> (Minor issue)
NOTE: https://github.com/sqlalchemy/sqlalchemy/issues/4481
NOTE: https://github.com/sqlalchemy/sqlalchemy/commit/30307c4616ad67c01ddae2e1e8e34fabf6028414
CVE-2019-7547 (An issue was discovered in SIDU 6.0. Because the database name is not ...)
@@ -36644,10 +37129,10 @@ CVE-2019-7359 (An exploitable heap overflow vulnerability in the AcCellMargin ha
NOT-FOR-US: Autodesk
CVE-2019-7358 (An exploitable heap overflow vulnerability in the DXF-parsing function ...)
NOT-FOR-US: Autodesk
-CVE-2019-7357
- RESERVED
-CVE-2019-7356
- RESERVED
+CVE-2019-7357 (Subrion CMS 4.2.1 has CSRF in panel/modules/plugins/. The attacker can ...)
+ NOT-FOR-US: Subrion CMS
+CVE-2019-7356 (Subrion CMS v4.2.1 allows XSS via the panel/phrases/ VALUE parameter. ...)
+ NOT-FOR-US: Subrion CMS
CVE-2019-1000024 (OPT/NET BV NG-NetMS version v3.6-2 and earlier versions contains a Cro ...)
NOT-FOR-US: OPT/NET BV
CVE-2019-1000023 (OPT/NET BV OPTOSS Next Gen Network Management System (NG-NetMS) versio ...)
@@ -36671,7 +37156,7 @@ CVE-2019-1000019 (libarchive version commit bf9aec176c6748f0ee7a678c5f9f9555b9a7
NOTE: https://github.com/libarchive/libarchive/pull/1120
NOTE: https://github.com/libarchive/libarchive/commit/65a23f5dbee4497064e9bb467f81138a62b0dae1
CVE-2019-1000017 (Chamilo Chamilo-lms version 1.11.8 and earlier contains an Incorrect A ...)
- NOT-FOR-US: Chamilo Chamilo-lms
+ NOT-FOR-US: Chamilo LMS
CVE-2019-1000016 (FFMPEG version 4.1 contains a CWE-129: Improper Validation of Array In ...)
- ffmpeg 7:4.1.1-1 (low; bug #922066)
[stretch] - ffmpeg <not-affected> (Vulnerable code not present)
@@ -36679,10 +37164,10 @@ CVE-2019-1000016 (FFMPEG version 4.1 contains a CWE-129: Improper Validation of
- libav <removed>
[jessie] - libav <not-affected> (Vulnerable code not present)
CVE-2019-1000015 (Chamilo Chamilo-lms version 1.11.8 and earlier contains a Cross Site S ...)
- NOT-FOR-US: Chamilo Chamilo-lms
+ NOT-FOR-US: Chamilo LMS
CVE-2019-1000014 (Erlang/OTP Rebar3 version 3.7.0 through 3.7.5 contains a Signing oracl ...)
- rebar <not-affected> (vulnerable code is not present)
- - rebar3 <itp> (bug #824773)
+ - rebar3 <not-affected> (Fixed before initial upload to Debian)
NOTE: https://github.com/erlang/rebar3/pull/1986
CVE-2019-1000013 (Hex package manager hex_core version 0.3.0 and earlier contains a Sign ...)
NOT-FOR-US: Hex package manager
@@ -36720,89 +37205,143 @@ CVE-2019-7353 (An Incorrect Access Control issue was discovered in GitLab Commun
- gitlab <not-affected> (Only affects 11.7)
NOTE: https://about.gitlab.com/2019/02/05/critical-security-release-gitlab-11-dot-7-dot-4-released/
CVE-2019-7352 (Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2475
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/effd609ff736e7853e9d39eed81ed029b9525159
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7351 (Log Injection exists in ZoneMinder through 1.32.3, as an attacker can ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder <unfixed> (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2466
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7350 (Session fixation exists in ZoneMinder through 1.32.3, as an attacker c ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder <unfixed> (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2471
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7349 (Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32 ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2465
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/cef54feaf9bf1374f0404bf525cdd322300882b5
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7348 (Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2467
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/9ce05a9a09de47868398a09e6c5259645b9ee73e
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7347 (A Time-of-check Time-of-use (TOCTOU) Race Condition exists in ZoneMind ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2476
+ NOTE: https://github.com/ZoneMinder/zoneminder/pull/2487
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7346 (A CSRF check issue exists in ZoneMinder through 1.32.3 as whenever a C ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2469
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/dbc1c7b72f8cab5094a4a498a66ca2c0d3f29872
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7345 (Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2468
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/6af2c4ad0e288fae5702e96391657d173bba2297
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7344 (Reflected XSS exists in ZoneMinder through 1.32.3, allowing an attacke ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2455
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/70e59ed546474bf18b9af2040d0ed732dce835bc
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7343 (Reflected - Cross Site Scripting (XSS) exists in ZoneMinder through 1. ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2464
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/9705edfe24ca429fb8c7c6cac9ef947e8410219a
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7342 (POST - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2461
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/dd37808ef790a77100845c2c3c3bb28d9038950f
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7341 (Reflected - Cross Site Scripting (XSS) exists in ZoneMinder through 1. ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2463
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/ef0e5f453a4e60a5bdd6bc347e517a87182b6cad
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7340 (POST - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2462
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/bb75dad091bfa35af49467fede06adb972ed0545
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7339 (POST - Cross Site Scripting (XSS) exists in ZoneMinder through 1.32.3, ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2460
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/c9d597dced27f7a826bac1c6fccd1003d8643064
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7338 (Self - Stored XSS exists in ZoneMinder through 1.32.3, allowing an att ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2454
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/7b0ee8a6a22576b66c341ee6f09668852769cbb6
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7337 (Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32 ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2456
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/fcbc22b6a27b2375327327c3d75995fe6a3cafd9
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7336 (Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2457
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/d7ede4643df3efd21d3cb8a758cfabf244f38b16
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7335 (Self - Stored XSS exists in ZoneMinder through 1.32.3, allowing an att ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2453
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/255806bd549392114af4306422cd23445e843259
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7334 (Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32 ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2443
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/02f09aad7f4ff50f1dd113c964f10d8e675da916
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7333 (Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32 ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2441
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/0b38e72f882aea7006dac01d3348f2465bcc8c09
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7332 (Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32 ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2442
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/61f6a92cc050f3db831f04c3c19f8f2d52cbe08e
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7331 (Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2451
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/254b7286b4d2654b95080a175c44195667e42ea8
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7330 (Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32 ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2448
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/b2a97ee190c6dc3e30b9c36b9c33c33348dde4d6
CVE-2019-7329 (Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32 ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2446
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/a97711de89d808edcec1b422b5c97645dbd9f501
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7328 (Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32 ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2449
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/b2a97ee190c6dc3e30b9c36b9c33c33348dde4d6
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7327 (Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32 ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2447
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/b2a97ee190c6dc3e30b9c36b9c33c33348dde4d6
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7326 (Self - Stored Cross Site Scripting (XSS) exists in ZoneMinder through ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2452
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/fa6716a64b7481677b0d8d73d460200e60429410
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7325 (Reflected Cross Site Scripting (XSS) exists in ZoneMinder through 1.32 ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder 1.34.6-1 (unimportant; bug #922724)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2450
+ NOTE: https://github.com/ZoneMinder/zoneminder/commit/99f1e23c5b115b46265ab78d57fd6548490c6802
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-7324 (app/Core/Paginator.php in Kanboard before 1.2.8 has XSS in pagination ...)
- kanboard <itp> (bug #790814)
CVE-2019-7323 (GUP (generic update process) in LightySoft LogMX before 7.4.0 does not ...)
@@ -36855,9 +37394,8 @@ CVE-2019-7312 (Limited plaintext disclosure exists in PRIMX Zed Entreprise for W
CVE-2019-7311 (An issue was discovered on Linksys WRT1900ACS 1.0.3.187766 devices. A ...)
NOT-FOR-US: Linksys
CVE-2019-7310 (In Poppler 0.73.0, a heap-based buffer over-read (due to an integer si ...)
- {DLA-1706-1}
+ {DLA-2440-1 DLA-1706-1}
- poppler 0.71.0-4 (bug #921215)
- [stretch] - poppler <ignored> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12797
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/717
NOTE: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/172
@@ -36918,14 +37456,14 @@ CVE-2019-7292 (A validation issue was addressed with improved logic. This issue
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
[jessie] - webkit2gtk <ignored> (Not covered by security support in jessie)
NOTE: https://webkitgtk.org/security/WSA-2019-0002.html
-CVE-2019-7291
- RESERVED
+CVE-2019-7291 (A denial of service issue was addressed with improved memory handling. ...)
+ NOT-FOR-US: Apple
CVE-2019-7290 (An access issue was addressed with additional sandbox restrictions. Th ...)
NOT-FOR-US: Shortcuts for iOS
CVE-2019-7289 (A parsing issue in the handling of directory paths was addressed with ...)
NOT-FOR-US: Shortcuts for iOS
-CVE-2019-7288
- RESERVED
+CVE-2019-7288 (The issue was addressed with improved validation on the FaceTime serve ...)
+ NOT-FOR-US: Apple
CVE-2019-7287 (A memory corruption issue was addressed with improved input validation ...)
NOT-FOR-US: Apple
CVE-2019-7286 (A memory corruption issue was addressed with improved input validation ...)
@@ -37007,12 +37545,12 @@ CVE-2019-7250 (An issue was discovered in the Cross Reference Add-on 36 for Goog
CVE-2019-7249 (In Keybase before 2.12.6 on macOS, the move RPC to the Helper was susc ...)
NOT-FOR-US: Keybase on MacOS
CVE-2019-7283 (An issue was discovered in rcp in NetKit through 0.17. For an rcp oper ...)
+ {DLA-2822-1}
- netkit-rsh 0.17-20 (bug #920486)
- [stretch] - netkit-rsh <no-dsa> (Minor issue)
[jessie] - netkit-rsh <no-dsa> (Minor issue)
CVE-2019-7282 (In NetKit through 0.17, rcp.c in the rcp client allows remote rsh serv ...)
+ {DLA-2822-1}
- netkit-rsh 0.17-20 (bug #920486)
- [stretch] - netkit-rsh <no-dsa> (Minor issue)
[jessie] - netkit-rsh <no-dsa> (Minor issue)
CVE-2019-7248
RESERVED
@@ -37124,8 +37662,8 @@ CVE-2019-7200
RESERVED
CVE-2019-7199
RESERVED
-CVE-2019-7198
- RESERVED
+CVE-2019-7198 (This command injection vulnerability allows attackers to execute arbit ...)
+ NOT-FOR-US: QNAP
CVE-2019-7197 (A stored cross-site scripting (XSS) vulnerability has been reported to ...)
NOT-FOR-US: QNAP
CVE-2019-7196
@@ -37164,10 +37702,10 @@ CVE-2019-7180
RESERVED
CVE-2019-7179
RESERVED
-CVE-2019-7178
- RESERVED
-CVE-2019-7177
- RESERVED
+CVE-2019-7178 (Pexip Infinity before 20.1 allows privilege escalation by restoring a ...)
+ NOT-FOR-US: Pexip Infinity
+CVE-2019-7177 (Pexip Infinity before 20.1 allows Code Injection onto nodes via an adm ...)
+ NOT-FOR-US: Pexip Infinity
CVE-2019-7176 (An issue was discovered in GitLab Community and Enterprise Edition 8.x ...)
- gitlab 11.5.10+dfsg-1 (bug #921059)
NOTE: https://about.gitlab.com/2019/01/31/security-release-gitlab-11-dot-7-dot-3-released/
@@ -37201,10 +37739,9 @@ CVE-2019-7165 (A buffer overflow in DOSBox 0.74-2 allows attackers to execute ar
NOTE: Upstream clarification https://sourceforge.net/p/dosbox/bugs/508/
NOTE: Fixed by https://sourceforge.net/p/dosbox/code-0/3925/
CVE-2019-7164 (SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injecti ...)
- {DLA-1718-1}
+ {DLA-2811-1 DLA-1718-1}
[experimental] - sqlalchemy 1.3.0~b3+ds1-1
- sqlalchemy 1.2.18+ds1-2 (bug #922669)
- [stretch] - sqlalchemy <no-dsa> (Minor issue)
NOTE: https://github.com/sqlalchemy/sqlalchemy/issues/4481
NOTE: https://github.com/sqlalchemy/sqlalchemy/commit/30307c4616ad67c01ddae2e1e8e34fabf6028414
CVE-2019-7163 (The web interface of Alcatel LINKZONE MW40-V-V1.0 MW40_LU_02.00_02 dev ...)
@@ -37252,9 +37789,8 @@ CVE-2019-7151 (A NULL pointer dereference was discovered in wasm::Module::getFun
NOTE: https://github.com/WebAssembly/binaryen/commit/2127e64f42da55bb5b9b0ab1995b3ca7fc4e0d0b
NOTE: https://github.com/WebAssembly/binaryen/commit/85e95e315a8023c46eb804fe80ebc244bcfdae3e
CVE-2019-7150 (An issue was discovered in elfutils 0.175. A segmentation fault can oc ...)
- {DLA-1689-1}
+ {DLA-2802-1 DLA-1689-1}
- elfutils 0.176-1 (low; bug #920909)
- [stretch] - elfutils <no-dsa> (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24103
NOTE: https://sourceware.org/ml/elfutils-devel/2019-q1/msg00070.html
NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=da5c5336a1eaf519de246f7d9f0f5585e1d4ac59
@@ -37569,7 +38105,7 @@ CVE-2019-7004 (A Cross-Site Scripting (XSS) vulnerability in the WebUI component
CVE-2019-7003 (A SQL injection vulnerability in the reporting component of Avaya Cont ...)
NOT-FOR-US: Avaya
CVE-2019-7002
- RESERVED
+ REJECTED
CVE-2019-7001 (A SQL injection vulnerability in the WebUI component of IP Office Cont ...)
NOT-FOR-US: IP Office Contact Center
CVE-2019-7000 (A Cross-Site Scripting (XSS) vulnerability in the Web UI of Avaya Aura ...)
@@ -37611,6 +38147,7 @@ CVE-2019-6989 (TP-Link TL-WR940N is vulnerable to a stack-based buffer overflow,
NOT-FOR-US: TP-Link
CVE-2019-6988 (An issue was discovered in OpenJPEG 2.3.0. It allows remote attackers ...)
- openjpeg2 <unfixed> (low; bug #922648)
+ [bullseye] - openjpeg2 <ignored> (Minor issue)
[buster] - openjpeg2 <ignored> (Minor issue)
[stretch] - openjpeg2 <ignored> (Minor issue)
[jessie] - openjpeg2 <ignored> (Minor issue)
@@ -37646,14 +38183,14 @@ CVE-2019-1000029 [DoS due to changing # of allowed users in root channel]
NOTE: Introduced in: https://github.com/mumble-voip/mumble/commit/84b1bcecef790a84d10b2d1f2060c1681a2bb836
NOTE: Fixed by: https://github.com/mumble-voip/mumble/commit/3edc46ff7308691d342f8c08ce1afaaefce35a5c
CVE-2019-6977 (gdImageColorMatch in gd_color_match.c in the GD Graphics Library (aka ...)
- {DSA-4384-1 DLA-1651-1}
+ {DSA-4384-1 DLA-1679-1 DLA-1651-1}
- libgd2 2.2.5-5.1 (bug #920645)
- php7.3 7.3.1-1 (unimportant)
- php7.0 <removed> (unimportant)
- php5 <removed> (unimportant)
NOTE: Fixed in 5.6.40, 7.1.26, 7.2.14, 7.3.1
NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77270
- NOTE: Proposed patch: https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced
+ NOTE: https://github.com/php/php-src/commit/7a12dad4dd6c370835b13afae214b240082c7538
CVE-2019-6976 (libvips before 8.7.4 generates output images from uninitialized memory ...)
- vips 8.7.4-1 (low)
[stretch] - vips 8.4.5-1+deb9u1
@@ -37707,10 +38244,9 @@ CVE-2019-6958 (A recently discovered security vulnerability affects all Bosch Vi
CVE-2019-6957 (A recently discovered security vulnerability affects all Bosch Video M ...)
NOT-FOR-US: Bosch
CVE-2019-6956 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2 ...)
- {DLA-1899-1}
+ {DLA-2792-1 DLA-1899-1}
- faad2 2.8.8-3.1 (bug #914641)
[buster] - faad2 <no-dsa> (Minor issue)
- [stretch] - faad2 <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/faac/bugs/240/
NOTE: https://github.com/knik0/faad2/issues/39
NOTE: https://github.com/knik0/faad2/commit/6823e6610c9af1b0080cb22b9da03efb208d7d57
@@ -37914,9 +38450,9 @@ CVE-2019-6857 (A CWE-754: Improper Check for Unusual or Exceptional Conditions v
NOT-FOR-US: Modicon
CVE-2019-6856 (A CWE-754: Improper Check for Unusual or Exceptional Conditions vulner ...)
NOT-FOR-US: Modicon
-CVE-2019-6855 (An Improper Authorization - CWE-285 vulnerability exists in EcoStruxur ...)
+CVE-2019-6855 (Incorrect Authorization vulnerability exists in EcoStruxure Control Ex ...)
NOT-FOR-US: EcoStruxure Control Expert
-CVE-2019-6854 (A CWE-264 Permissions, Privileges, and Access Controls vulnerability e ...)
+CVE-2019-6854 (A CWE-287: Improper Authentication vulnerability exists in a folder wi ...)
NOT-FOR-US: EcoStruxure Geo SCADA Expert
CVE-2019-6853 (A CWE-79: Failure to Preserve Web Page Structure vulnerability exists ...)
NOT-FOR-US: Andover Continuum
@@ -37928,31 +38464,31 @@ CVE-2019-6850 (A CWE-200: Information Exposure vulnerability exists in Modicon M
NOT-FOR-US: Modicon
CVE-2019-6849 (A CWE-200: Information Exposure vulnerability exists in Modicon M580, ...)
NOT-FOR-US: Modicon
-CVE-2019-6848 (A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Mo ...)
+CVE-2019-6848 (A CWE-755: Improper Handling of Exceptional Conditions vulnerability e ...)
NOT-FOR-US: Modicon
-CVE-2019-6847 (A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Mo ...)
+CVE-2019-6847 (A CWE-755: Improper Handling of Exceptional Conditions vulnerability e ...)
NOT-FOR-US: Modicon
CVE-2019-6846 (A CWE-319: Cleartext Transmission of Sensitive Information vulnerabili ...)
NOT-FOR-US: Modicon
CVE-2019-6845 (A CWE-319: Cleartext Transmission of Sensitive Information vulnerabili ...)
NOT-FOR-US: Modicon
-CVE-2019-6844 (A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Mo ...)
+CVE-2019-6844 (A CWE-755: Improper Handling of Exceptional Conditions vulnerability e ...)
NOT-FOR-US: Modicon
-CVE-2019-6843 (A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Mo ...)
+CVE-2019-6843 (A CWE-755: Improper Handling of Exceptional Conditions vulnerability e ...)
NOT-FOR-US: Modicon
-CVE-2019-6842 (A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Mo ...)
+CVE-2019-6842 (A CWE-755: Improper Handling of Exceptional Conditions vulnerability e ...)
NOT-FOR-US: Modicon
-CVE-2019-6841 (A CWE-248: Uncaught Exception vulnerability exists in Modicon M580, Mo ...)
+CVE-2019-6841 (A CWE-755: Improper Handling of Exceptional Conditions vulnerability e ...)
NOT-FOR-US: Modicon
CVE-2019-6840 (A Format String: CWE-134 vulnerability exists in U.motion Server (MEG6 ...)
NOT-FOR-US: Schneider
-CVE-2019-6839 (An Improper Access Control: CWE-284 vulnerability exists in U.motion S ...)
+CVE-2019-6839 (A CWE-434: Unrestricted Upload of File with Dangerous Type vulnerabili ...)
NOT-FOR-US: Schneider
-CVE-2019-6838 (An Improper Access Control: CWE-284 vulnerability exists in U.motion S ...)
+CVE-2019-6838 (A CWE-863: Incorrect Authorization vulnerability exists in U.motion Se ...)
NOT-FOR-US: Schneider
CVE-2019-6837 (A Server-Side Request Forgery (SSRF): CWE-918 vulnerability exists in ...)
NOT-FOR-US: Schneider
-CVE-2019-6836 (An Improper Access Control: CWE-284 vulnerability exists in U.motion S ...)
+CVE-2019-6836 (A CWE-863: Incorrect Authorization vulnerability exists in U.motion Se ...)
NOT-FOR-US: Schneider
CVE-2019-6835 (A Cross-Site Scripting (XSS) CWE-79 vulnerability exists in U.motion S ...)
NOT-FOR-US: Schneider
@@ -37996,7 +38532,7 @@ CVE-2019-6816 (In Modicon Quantum all firmware versions, a CWE-94: Code Injectio
NOT-FOR-US: Schneider Electric
CVE-2019-6815 (In Modicon Quantum all firmware versions, CWE-264: Permissions, Privil ...)
NOT-FOR-US: Schneider Electric
-CVE-2019-6814 (An Improper Access Control: CWE-284 vulnerability exists in the NET55X ...)
+CVE-2019-6814 (A CWE-287: Improper Authentication vulnerability exists in the NET55XX ...)
NOT-FOR-US: Schneider Electric
CVE-2019-6813 (A CWE-754: Improper Check for Unusual or Exceptional Conditions vulner ...)
NOT-FOR-US: Schneider
@@ -38101,6 +38637,7 @@ CVE-2019-6778 (In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffe
- slirp4netns 0.2.1-1
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-01/msg03132.html
NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=a7104eda7dab99d0cdbd3595c211864cba415905
+ NOTE: https://github.com/rootless-containers/slirp4netns/security/advisories/GHSA-j2r5-xwp8-m8m9
CVE-2019-6777 (An issue was discovered in ZoneMinder v1.32.3. Reflected XSS exists in ...)
- zoneminder 1.32.3-2 (bug #920375)
NOTE: https://github.com/ZoneMinder/zoneminder/issues/2436
@@ -38246,7 +38783,8 @@ CVE-2019-6708 (PHPSHE 1.7 has SQL injection via the admin.php?mod=order state pa
CVE-2019-6707 (PHPSHE 1.7 has SQL injection via the admin.php?mod=product&amp;act=sta ...)
NOT-FOR-US: PHPSHE
CVE-2019-6706 (Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For examp ...)
- - lua5.3 <unfixed> (bug #920321)
+ - lua5.3 5.3.6-1 (bug #920321)
+ [bullseye] - lua5.3 <postponed> (Minor issue, revisit when fixed upstream)
[buster] - lua5.3 <postponed> (Minor issue, revisit when fixed upstream)
[stretch] - lua5.3 <postponed> (Minor issue, revisit when fixed upstream)
- lua5.2 <not-affected> (Vulnerable code introduced later)
@@ -38286,9 +38824,8 @@ CVE-2019-6692 (A malicious DLL preload vulnerability in Fortinet FortiClient for
CVE-2019-6691 (phpwind 9.0.2.170426 UTF8 allows SQL Injection via the admin.php?m=bac ...)
NOT-FOR-US: phpwind
CVE-2019-6690 (python-gnupg 0.4.3 allows context-dependent attackers to trick gnupg t ...)
- {DLA-1675-1}
+ {DLA-2862-1 DLA-1675-1}
- python-gnupg 0.4.4-1
- [stretch] - python-gnupg <no-dsa> (Minor issue)
NOTE: https://github.com/stigtsp/CVE-2019-6690-python-gnupg-vulnerability
NOTE: https://github.com/vsajip/python-gnupg/commit/39eca266dd837e2ad89c94eb17b7a6f50b25e7cf#diff-88b99bb28683bd5b7e3a204826ead112
NOTE: https://github.com/vsajip/python-gnupg/commit/3003b654ca1c29b0510a54b9848571b3ad57df19#diff-88b99bb28683bd5b7e3a204826ead112
@@ -38428,7 +38965,7 @@ CVE-2019-6623 (On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and
NOT-FOR-US: F5 BIG-IP
CVE-2019-6622 (On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12 ...)
NOT-FOR-US: F5 BIG-IP
-CVE-2019-6621 (On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12 ...)
+CVE-2019-6621 (On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 12.1.0-12 ...)
NOT-FOR-US: F5 BIG-IP
CVE-2019-6620 (On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 12.1.0-12 ...)
NOT-FOR-US: F5 BIG-IP
@@ -38532,9 +39069,9 @@ CVE-2019-6571 (A vulnerability has been identified in SIEMENS LOGO!8 (6ED1052-xy
NOT-FOR-US: Siemens
CVE-2019-6570 (A vulnerability has been identified in SINEMA Remote Connect Server (A ...)
NOT-FOR-US: Siemens
-CVE-2019-6569 (A vulnerability has been identified in SCALANCE X-200 switch family (i ...)
+CVE-2019-6569 (The monitor barrier of the affected products insufficiently blocks dat ...)
NOT-FOR-US: Scalance
-CVE-2019-6568 (A vulnerability has been identified in RFID 181EIP, SIMATIC ET 200SP O ...)
+CVE-2019-6568 (A vulnerability has been identified in RFID 181EIP, SIMATIC CP 1604, S ...)
NOT-FOR-US: Siemens
CVE-2019-6567 (A vulnerability has been identified in SCALANCE X-200 switch family (i ...)
NOT-FOR-US: Siemens
@@ -38672,9 +39209,9 @@ CVE-2019-6502 (sc_context_create in ctx.c in libopensc in OpenSC 0.19.0 has a me
NOTE: https://github.com/OpenSC/OpenSC/commit/0d7967549751b7032f22b437106b41444aff0ba9 (0.20.0-rc1)
NOTE: Negligible security impact, assigning a CVE seems out of proportion...
CVE-2019-1003004 (An improper authorization vulnerability exists in Jenkins 2.158 and ea ...)
- NOT-FOR-US: Jenkins
+ - jenkins <removed>
CVE-2019-1003003 (An improper authorization vulnerability exists in Jenkins 2.158 and ea ...)
- NOT-FOR-US: Jenkins
+ - jenkins <removed>
CVE-2019-1003002 (A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin ...)
NOT-FOR-US: Jenkins plugin
CVE-2019-1003001 (A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 ...)
@@ -38821,12 +39358,14 @@ CVE-2019-6463
RESERVED
CVE-2019-6462 (An issue was discovered in cairo 1.16.0. There is an infinite loop in ...)
- cairo <unfixed> (low; bug #929945)
+ [bullseye] - cairo <ignored> (Minor issue)
[buster] - cairo <ignored> (Minor issue)
[stretch] - cairo <no-dsa> (Minor issue)
[jessie] - cairo <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/cairo/cairo/issues/353
CVE-2019-6461 (An issue was discovered in cairo 1.16.0. There is an assertion problem ...)
- cairo <unfixed> (low; bug #929944)
+ [bullseye] - cairo <ignored> (Minor issue)
[buster] - cairo <ignored> (Minor issue)
[stretch] - cairo <no-dsa> (Minor issue)
[jessie] - cairo <no-dsa> (Minor issue)
@@ -39190,11 +39729,9 @@ CVE-2019-6295 (Cleanto 5.0 has SQL Injection via the assets/lib/service_method_a
CVE-2019-6294 (An issue was discovered in EasyCMS 1.5. There is CSRF via the index.ph ...)
NOT-FOR-US: EasyCMS
CVE-2019-6293 (An issue was discovered in the function mark_beginning_as_normal in nf ...)
- - flex <unfixed> (low; bug #919428)
- [buster] - flex <no-dsa> (Minor issue)
- [stretch] - flex <no-dsa> (Minor issue)
- [jessie] - flex <no-dsa> (Minor issue)
+ - flex <unfixed> (unimportant; bug #919428)
NOTE: https://github.com/westes/flex/issues/414
+ NOTE: Negligible security impact
CVE-2019-6292 (An issue was discovered in singledocparser.cpp in yaml-cpp (aka LibYam ...)
- yaml-cpp 0.6.3-1 (low; bug #919430)
[buster] - yaml-cpp <no-dsa> (Minor issue)
@@ -39214,8 +39751,8 @@ CVE-2019-6290 (An infinite recursion issue was discovered in eval.c in Netwide A
NOTE: Crash in CLI tool, no security impact
CVE-2019-6289 (uploads/include/dialog/select_soft.php in DedeCMS V57_UTF8_SP2 allows ...)
NOT-FOR-US: DedeCMS
-CVE-2019-6288
- RESERVED
+CVE-2019-6288 (Edgecore ECS2020 Firmware 1.0.0.0 devices allow Unauthenticated Comman ...)
+ NOT-FOR-US: Edgecore ECS2020 Firmware
CVE-2019-6287 (In Rancher 2.0.0 through 2.1.5, project members have continued access ...)
NOT-FOR-US: Rancher
CVE-2019-6286 (In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelex ...)
@@ -39329,9 +39866,8 @@ CVE-2019-6246 (An issue was discovered in SVG++ (aka svgpp) 1.2.3. After calling
- svgpp 1.2.3+dfsg1-5 (bug #919321)
NOTE: https://github.com/svgpp/svgpp/issues/70
CVE-2019-6245 (An issue was discovered in Anti-Grain Geometry (AGG) 2.4 as used in SV ...)
- {DLA-1656-1}
+ {DLA-2872-1 DLA-1656-1}
- agg 1:2.4-r127+dfsg1-1 (low; bug #919322)
- [stretch] - agg <no-dsa> (Minor issue)
- svgpp <unfixed> (unimportant; bug #919321)
NOTE: https://github.com/svgpp/svgpp/issues/70
NOTE: Fixed in src:agg with: https://sourceforge.net/p/agg/svn/119/
@@ -39351,8 +39887,8 @@ CVE-2019-6240 (An issue was discovered in GitLab Community and Enterprise Editio
NOTE: https://about.gitlab.com/2019/01/16/critical-security-release-gitlab-11-dot-6-dot-4-released/
CVE-2019-6239 (This issue was addressed with improved handling of file metadata. This ...)
NOT-FOR-US: Apple
-CVE-2019-6238
- RESERVED
+CVE-2019-6238 (A validation issue existed in the handling of symlinks. This issue was ...)
+ NOT-FOR-US: Apple
CVE-2019-6237 (Multiple memory corruption issues were addressed with improved memory ...)
- webkit2gtk 2.24.1-1
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
@@ -39498,11 +40034,11 @@ CVE-2019-6174
RESERVED
CVE-2019-6173 (A DLL search path vulnerability could allow privilege escalation in so ...)
NOT-FOR-US: Lenovo
-CVE-2019-6172 (A potential vulnerability in the SMI callback function in some Lenovo ...)
+CVE-2019-6172 (A potential vulnerability in the SMI callback function used in Legacy ...)
NOT-FOR-US: Lenovo
CVE-2019-6171 (A vulnerability was reported in various BIOS versions of older ThinkPa ...)
NOT-FOR-US: Lenovo
-CVE-2019-6170 (A potential vulnerability in some Lenovo ThinkPads may allow an attack ...)
+CVE-2019-6170 (A potential vulnerability in the SMI callback function used in the Leg ...)
NOT-FOR-US: Lenovo
CVE-2019-6169 (A vulnerability reported in Lenovo Service Bridge before version 4.1.0 ...)
NOT-FOR-US: Lenovo Service Bridge
@@ -40204,8 +40740,7 @@ CVE-2019-5864 (Insufficient data validation in CORS in Google Chrome prior to 76
- chromium 76.0.3809.87-1
[stretch] - chromium <end-of-life> (see DSA 4562)
CVE-2019-5863
- RESERVED
- - chromium <not-affected> (Windows-specific)
+ REJECTED
CVE-2019-5862 (Insufficient data validation in AppCache in Google Chrome prior to 76. ...)
{DSA-4500-1}
- chromium 76.0.3809.87-1
@@ -40873,8 +41408,8 @@ CVE-2019-5642 (Rapid7 Metasploit Pro version 4.16.0-2019081901 and prior suffers
NOT-FOR-US: Rapid7 Metasploit Pro
CVE-2019-5641
RESERVED
-CVE-2019-5640
- RESERVED
+CVE-2019-5640 (Rapid7 Nexpose versions prior to 6.6.114 suffer from an information ex ...)
+ NOT-FOR-US: Rapid7 Nexpose
CVE-2019-5639
RESERVED
CVE-2019-5638 (Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient sess ...)
@@ -41395,6 +41930,7 @@ CVE-2019-5428
REJECTED
CVE-2019-5427 (c3p0 version &lt; 0.9.5.4 may be exploited by a billion laughs attack ...)
- c3p0 <unfixed> (low; bug #927936)
+ [bullseye] - c3p0 <no-dsa> (Minor issue)
[buster] - c3p0 <no-dsa> (Minor issue)
[stretch] - c3p0 <no-dsa> (Minor issue)
[jessie] - c3p0 <no-dsa> (Minor issue)
@@ -41627,12 +42163,12 @@ CVE-2019-5321 (Aruba Intelligent Edge Switch Series 2540, 2530, 2930F, 2930M, 29
NOT-FOR-US: Aruba Intelligent Edge Switch Series
CVE-2019-5320 (Aruba Intelligent Edge Switch Series 2540, 2530, 2930F, 2930M, 2920, 5 ...)
NOT-FOR-US: Aruba Intelligent Edge Switch Series
-CVE-2019-5319
- RESERVED
-CVE-2019-5318
- RESERVED
-CVE-2019-5317
- RESERVED
+CVE-2019-5319 (A remote buffer overflow vulnerability was discovered in some Aruba In ...)
+ NOT-FOR-US: Aruba
+CVE-2019-5318 (A remote cross-site request forgery (csrf) vulnerability was discovere ...)
+ NOT-FOR-US: Aruba
+CVE-2019-5317 (A local authentication bypass vulnerability was discovered in some Aru ...)
+ NOT-FOR-US: Aruba
CVE-2019-5316
RESERVED
CVE-2019-5315 (A command injection vulnerability is present in the web management int ...)
@@ -42119,11 +42655,15 @@ CVE-2019-5089 (An exploitable memory corruption vulnerability exists in Investin
CVE-2019-5088 (An exploitable memory corruption vulnerability exists in Investintech ...)
NOT-FOR-US: Investintech
CVE-2019-5087 (An exploitable integer overflow vulnerability exists in the flattenInc ...)
- - xcftools <unfixed> (bug #945317)
+ {DLA-2553-1}
+ - xcftools 1.0.7-6.1 (bug #945317)
+ [buster] - xcftools 1.0.7-6+deb10u1
NOTE: https://github.com/j-jorge/xcftools/issues/13
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0879
CVE-2019-5086 (An exploitable integer overflow vulnerability exists in the flattenInc ...)
- - xcftools <unfixed> (bug #945317)
+ {DLA-2553-1}
+ - xcftools 1.0.7-6.1 (bug #945317)
+ [buster] - xcftools 1.0.7-6+deb10u1
NOTE: https://github.com/j-jorge/xcftools/issues/12
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0878
CVE-2019-5085 (An exploitable code execution vulnerability exists in the DICOM packet ...)
@@ -42164,7 +42704,7 @@ CVE-2019-5068 (An exploitable shared memory permissions vulnerability exists in
{DLA-1993-1}
- mesa 19.2.6-1 (low; bug #944298)
[buster] - mesa 18.3.6-2+deb10u1
- [stretch] - mesa <no-dsa> (Minor issue)
+ [stretch] - mesa <ignored> (Affected code is not built in stretch)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0857
NOTE: https://lists.freedesktop.org/pipermail/mesa-dev/2019-October/223704.html
NOTE: https://cgit.freedesktop.org/mesa/mesa/commit/?id=02c3dad0f3b4d26e0faa5cc51d06bc50d693dcdc
@@ -42176,7 +42716,7 @@ CVE-2019-5065 (An exploitable information disclosure vulnerability exists in the
NOT-FOR-US: Blynk
CVE-2019-5064 (An exploitable heap buffer overflow vulnerability exists in the data s ...)
[experimental] - opencv 4.2.0+dfsg-1
- - opencv <unfixed> (bug #948180)
+ - opencv 4.2.0+dfsg-3 (bug #948180)
[buster] - opencv <not-affected> (Vulnerable code introduced later)
[stretch] - opencv <not-affected> (Vulnerable code introduced later)
[jessie] - opencv <not-affected> (The vulnerable code was introduced later)
@@ -42186,7 +42726,7 @@ CVE-2019-5064 (An exploitable heap buffer overflow vulnerability exists in the d
NOTE: Persistence implementation refactored in: https://github.com/opencv/opencv/pull/13011
CVE-2019-5063 (An exploitable heap buffer overflow vulnerability exists in the data s ...)
[experimental] - opencv 4.2.0+dfsg-1
- - opencv <unfixed> (bug #948180)
+ - opencv 4.2.0+dfsg-3 (bug #948180)
[buster] - opencv <not-affected> (Vulnerable code introduced later)
[stretch] - opencv <not-affected> (Vulnerable code introduced later)
[jessie] - opencv <not-affected> (The vulnerable code was introduced later)
@@ -42929,8 +43469,8 @@ CVE-2019-4740 (IBM DOORS Next Generation (DNG/RRC) 6.0.2. 6.0.6, and 6.0.61 is v
NOT-FOR-US: IBM
CVE-2019-4739
RESERVED
-CVE-2019-4738
- RESERVED
+CVE-2019-4738 (IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 a ...)
+ NOT-FOR-US: IBM
CVE-2019-4737 (IBM DOORS Next Generation (DNG/RRC) 6.0.2. 6.0.6, and 6.0.61 is vulner ...)
NOT-FOR-US: IBM
CVE-2019-4736 (IBM Financial Transaction Manager 3.0 is vulnerable to cross-site requ ...)
@@ -42945,24 +43485,24 @@ CVE-2019-4732 (IBM SDK, Java Technology Edition Version 7.0.0.0 through 7.0.10.5
NOT-FOR-US: IBM
CVE-2019-4731 (IBM MQ Appliance 9.1.4.CD could allow a local attacker to obtain highl ...)
NOT-FOR-US: IBM
-CVE-2019-4730
- RESERVED
+CVE-2019-4730 (IBM Cognos Analytics 11.0 and 11.1 is vulnerable to an XML External En ...)
+ NOT-FOR-US: IBM
CVE-2019-4729 (IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to ob ...)
NOT-FOR-US: IBM
-CVE-2019-4728
- RESERVED
+CVE-2019-4728 (IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5_2 ...)
+ NOT-FOR-US: IBM
CVE-2019-4727
RESERVED
CVE-2019-4726 (IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 i ...)
NOT-FOR-US: IBM
-CVE-2019-4725
- RESERVED
-CVE-2019-4724
- RESERVED
-CVE-2019-4723
- RESERVED
-CVE-2019-4722
- RESERVED
+CVE-2019-4725 (IBM Security Access Manager Appliance 9.0 is vulnerable to cross-site ...)
+ NOT-FOR-US: IBM
+CVE-2019-4724 (IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to ob ...)
+ NOT-FOR-US: IBM
+CVE-2019-4723 (IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to ob ...)
+ NOT-FOR-US: IBM
+CVE-2019-4722 (IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to ob ...)
+ NOT-FOR-US: IBM
CVE-2019-4721
RESERVED
CVE-2019-4720 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable ...)
@@ -43001,8 +43541,8 @@ CVE-2019-4704 (IBM Security Identity Manager Virtual Appliance 7.0.2 does not se
NOT-FOR-US: IBM
CVE-2019-4703 (IBM Spectrum Protect Plus 10.1.0 and 10.5.0, when protecting Microsoft ...)
NOT-FOR-US: IBM
-CVE-2019-4702
- RESERVED
+CVE-2019-4702 (IBM Security Guardium Data Encryption (GDE) 3.0.0.2 specifies permissi ...)
+ NOT-FOR-US: IBM
CVE-2019-4701 (IBM Security Guardium Data Encryption (GDE) 3.0.0.2 is deployed with a ...)
NOT-FOR-US: IBM
CVE-2019-4700
@@ -43031,8 +43571,8 @@ CVE-2019-4689 (IBM Security Guardium Data Encryption (GDE) 3.0.0.2 could allow a
NOT-FOR-US: IBM
CVE-2019-4688 (IBM Security Guardium Data Encryption (GDE) 3.0.0.2 does not set the s ...)
NOT-FOR-US: IBM
-CVE-2019-4687
- RESERVED
+CVE-2019-4687 (IBM Security Guardium Data Encryption (GDE) 3.0.0.2 stores sensitive i ...)
+ NOT-FOR-US: IBM
CVE-2019-4686 (IBM Security Guardium Data Encryption (GDE) 3.0.0.2 does not set the s ...)
NOT-FOR-US: IBM
CVE-2019-4685
@@ -43045,8 +43585,8 @@ CVE-2019-4682
RESERVED
CVE-2019-4681 (IBM Tivoli Netcool Impact 7.1.0.0 through 7.1.0.17 is vulnerable to cr ...)
NOT-FOR-US: IBM
-CVE-2019-4680
- RESERVED
+CVE-2019-4680 (IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 6.0.2.2 i ...)
+ NOT-FOR-US: IBM
CVE-2019-4679 (IBM Content Navigator 3.0CD could allow an authenticated user to gain ...)
NOT-FOR-US: IBM
CVE-2019-4678
@@ -43099,8 +43639,8 @@ CVE-2019-4655 (IBM MQ 9.1.0.0, 9.1.0.1, 9.1.0.2, 9.1.0.3, 9.1.1, 9.1.2, and 9.1.
NOT-FOR-US: IBM
CVE-2019-4654 (IBM QRadar 7.3.0 to 7.3.3 Patch 2 does not validate, or incorrectly va ...)
NOT-FOR-US: IBM
-CVE-2019-4653
- RESERVED
+CVE-2019-4653 (IBM Cognos Analytics 11.0 and 11.1 is vulnerable to cross-site scripti ...)
+ NOT-FOR-US: IBM
CVE-2019-4652 (IBM Spectrum Protect Plus 10.1.0 through 10.1.4 uses insecure file per ...)
NOT-FOR-US: IBM Spectrum Protect Plus
CVE-2019-4651 (IBM Jazz Reporting Service (JRS) 6.0.6.1 is vulnerable to SQL injectio ...)
@@ -43229,8 +43769,8 @@ CVE-2019-4590
RESERVED
CVE-2019-4589 (IBM Cognos Analytics 11.0 and 11.1 is vulnerable to privlege escalatio ...)
NOT-FOR-US: IBM
-CVE-2019-4588
- RESERVED
+CVE-2019-4588 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 9.7, ...)
+ NOT-FOR-US: IBM
CVE-2019-4587
RESERVED
CVE-2019-4586
@@ -43279,8 +43819,8 @@ CVE-2019-4565 (IBM Security Key Lifecycle Manager 3.0 and 3.0.1 does not require
NOT-FOR-US: IBM
CVE-2019-4564 (IBM Security Key Lifecycle Manager 2.6, 2.7, 3.0, and 3.0.1 is vulnera ...)
NOT-FOR-US: IBM
-CVE-2019-4563
- RESERVED
+CVE-2019-4563 (IBM Security Directory Server 6.4.0 does not set the secure attribute ...)
+ NOT-FOR-US: IBM
CVE-2019-4562 (IBM Security Directory Server 6.4.0 stores sensitive information in UR ...)
NOT-FOR-US: IBM
CVE-2019-4561 (IBM Security Identity Manager 6.0.0 could allow a remote attacker to e ...)
@@ -43301,8 +43841,8 @@ CVE-2019-4554
RESERVED
CVE-2019-4553 (IBM API Connect V5.0.0.0 through 5.0.8.7iFix3 uses weaker than expecte ...)
NOT-FOR-US: IBM
-CVE-2019-4552
- RESERVED
+CVE-2019-4552 (IBM Security Access Manager 9.0.7 and IBM Security Verify Access 10.0. ...)
+ NOT-FOR-US: IBM
CVE-2019-4551 (IBM Security Directory Server 6.4.0 does not perform an authentication ...)
NOT-FOR-US: IBM
CVE-2019-4550 (IBM Security Directory Server 6.4.0 is deployed with active debugging ...)
@@ -43311,12 +43851,12 @@ CVE-2019-4549 (IBM Security Directory Server 6.4.0 discloses sensitive informati
NOT-FOR-US: IBM
CVE-2019-4548 (IBM Security Directory Server 6.4.0 could allow a remote attacker to h ...)
NOT-FOR-US: IBM
-CVE-2019-4547
- RESERVED
+CVE-2019-4547 (IBM Security Directory Server 6.4.0 generates an error message that in ...)
+ NOT-FOR-US: IBM
CVE-2019-4546 (After installing the IBM Maximo Health- Safety and Environment Manager ...)
NOT-FOR-US: IBM
-CVE-2019-4545
- RESERVED
+CVE-2019-4545 (IBM QRadar SIEM 7.3 and 7.4 when configured to use Active Directory Au ...)
+ NOT-FOR-US: IBM
CVE-2019-4544
RESERVED
CVE-2019-4543
@@ -43463,8 +44003,8 @@ CVE-2019-4473 (Multiple binaries in IBM SDK, Java Technology Edition 7, 7R, and
NOT-FOR-US: IBM
CVE-2019-4472
RESERVED
-CVE-2019-4471
- RESERVED
+CVE-2019-4471 (IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to ob ...)
+ NOT-FOR-US: IBM
CVE-2019-4470 (IBM QRadar 7.3.0 to 7.3.2 Patch 4 is vulnerable to cross-site scriptin ...)
NOT-FOR-US: IBM
CVE-2019-4469
@@ -43667,8 +44207,8 @@ CVE-2019-4371
RESERVED
CVE-2019-4370
RESERVED
-CVE-2019-4369 (IBM BigFix Inventory v9 (SUA v9 / ILMT v9) discloses sensitive informa ...)
- NOT-FOR-US: IBM
+CVE-2019-4369
+ REJECTED
CVE-2019-4368
RESERVED
CVE-2019-4367
@@ -43701,14 +44241,14 @@ CVE-2019-4354
RESERVED
CVE-2019-4353
RESERVED
-CVE-2019-4352
- RESERVED
-CVE-2019-4351
- RESERVED
+CVE-2019-4352 (IBM Maximo Anywhere 7.6.4.0 applications could allow obfuscation of th ...)
+ NOT-FOR-US: IBM
+CVE-2019-4351 (IBM Maximo Anywhere 7.6.4.0 applications could disclose sensitive info ...)
+ NOT-FOR-US: IBM
CVE-2019-4350
RESERVED
-CVE-2019-4349
- RESERVED
+CVE-2019-4349 (IBM Maximo Anywhere 7.6.2.0, 7.6.2.1, 7.6.3.0, and 7.6.3.1 application ...)
+ NOT-FOR-US: IBM
CVE-2019-4348
RESERVED
CVE-2019-4347
@@ -43753,10 +44293,10 @@ CVE-2019-4328
RESERVED
CVE-2019-4327 ("HCL AppScan Enterprise uses hard-coded credentials which can be explo ...)
NOT-FOR-US: HCL AppScan Enterprise
-CVE-2019-4326
- RESERVED
-CVE-2019-4325
- RESERVED
+CVE-2019-4326 ("HCL AppScan Enterprise security rules update administration section o ...)
+ NOT-FOR-US: HCL
+CVE-2019-4325 ("HCL AppScan Enterprise makes use of broken or risky cryptographic alg ...)
+ NOT-FOR-US: HCL
CVE-2019-4324 ("HCL AppScan Enterprise is susceptible to Cross-Site Scripting while i ...)
NOT-FOR-US: HCL
CVE-2019-4323 ("HCL AppScan Enterprise advisory API documentation is susceptible to c ...)
@@ -43823,8 +44363,8 @@ CVE-2019-4293 (IBM Storwize V7000 Unified (2073) 1.6 configuration may allow an
NOT-FOR-US: IBM
CVE-2019-4292 (IBM Security Guardium 10.5 could allow a remote attacker to upload arb ...)
NOT-FOR-US: IBM
-CVE-2019-4291
- RESERVED
+CVE-2019-4291 (IBM Maximo Anywhere 7.6.4.0 could allow an attacker to reverse enginee ...)
+ NOT-FOR-US: IBM
CVE-2019-4290
RESERVED
CVE-2019-4289
@@ -44085,8 +44625,8 @@ CVE-2019-4162 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, and 1.0.2 is
NOT-FOR-US: IBM
CVE-2019-4161 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, and 1.0.2 disclose ...)
NOT-FOR-US: IBM
-CVE-2019-4160
- RESERVED
+CVE-2019-4160 (IBM Security Guardium Data Encryption (GDE) 3.0.0.2 uses weaker than e ...)
+ NOT-FOR-US: IBM
CVE-2019-4159
REJECTED
CVE-2019-4158 (IBM Security Access Manager 9.0.1 through 9.0.6 does not prove that a ...)
@@ -44600,7 +45140,7 @@ CVE-2019-3905 (Zoho ManageEngine ADSelfService Plus 5.x before build 5703 has SS
CVE-2019-3904
RESERVED
CVE-2019-3903
- RESERVED
+ REJECTED
CVE-2019-3902 (A flaw was found in Mercurial before 4.9. It was possible to use symli ...)
{DLA-2293-1 DLA-1764-1}
- mercurial 4.9-1 (bug #927674)
@@ -44621,9 +45161,8 @@ CVE-2019-3900 (An infinite loop issue was found in the vhost_net kernel module i
CVE-2019-3899 (It was found that default configuration of Heketi does not require any ...)
- heketi <itp> (bug #903384)
CVE-2019-3898
- RESERVED
-CVE-2019-3897
- RESERVED
+ REJECTED
+CVE-2019-3897 (It has been discovered in redhat-certification that any unauthorized u ...)
NOT-FOR-US: redhat-certification
CVE-2019-3896 (A double-free can happen in idr_remove_all() in lib/idr.c in the Linux ...)
- linux 3.2.41-1
@@ -44735,8 +45274,9 @@ CVE-2019-3876 (A flaw was found in the /oauth/token/request custom endpoint of t
CVE-2019-3875 (A vulnerability was found in keycloak before 6.0.2. The X.509 authenti ...)
NOT-FOR-US: Keycloak
CVE-2019-3874 (The SCTP socket buffer used by a userspace application is not accounte ...)
+ {DLA-2385-1}
- linux 5.2.6-1
- [buster] - linux <ignored> (Minor issue)
+ [buster] - linux 4.19.146-1
[stretch] - linux <ignored> (Minor issue)
[jessie] - linux <ignored> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1686373
@@ -44759,8 +45299,7 @@ CVE-2019-3869 (When running Tower before 3.4.3 on OpenShift or Kubernetes, appli
NOT-FOR-US: Ansible Tower
CVE-2019-3868 (Keycloak up to version 6.0.0 allows the end user token (access or id t ...)
NOT-FOR-US: Keycloak
-CVE-2019-3867
- RESERVED
+CVE-2019-3867 (A vulnerability was found in the Quay web application. Sessions in the ...)
NOT-FOR-US: OpenShift (web-cosnole issue specific to OpenShift only)
CVE-2019-3866 (An information-exposure vulnerability was discovered where openstack-m ...)
- python-oslo.utils 3.41.3-1 (low; bug #946060)
@@ -44840,7 +45379,7 @@ CVE-2019-3855 (An integer overflow flaw which could lead to an out of bounds wri
CVE-2019-3854
REJECTED
CVE-2019-3853
- RESERVED
+ REJECTED
CVE-2019-3852 (A vulnerability was found in moodle before version 3.6.3. The get_with ...)
- moodle <removed>
CVE-2019-3851 (A vulnerability was found in moodle before versions 3.6.3 and 3.5.5. T ...)
@@ -44940,9 +45479,8 @@ CVE-2019-3834 (It was found that the fix for CVE-2014-0114 had been reverted in
CVE-2019-3833 (Openwsman, versions up to and including 2.6.9, are vulnerable to infin ...)
- openwsman <itp> (bug #754501)
CVE-2019-3832 (It was discovered the fix for CVE-2018-19758 (libsndfile) was not comp ...)
- {DLA-1712-1}
+ {DLA-2418-1 DLA-1712-1}
- libsndfile 1.0.28-6 (bug #922372)
- [stretch] - libsndfile <not-affected> (Incomplete fix for CVE-2018-19758 not applied)
NOTE: https://github.com/erikd/libsndfile/issues/456#issuecomment-463542436
NOTE: https://github.com/erikd/libsndfile/pull/460
NOTE: https://github.com/erikd/libsndfile/commit/6d7ce94c020cc720a6b28719d1a7879181790008
@@ -45197,8 +45735,8 @@ CVE-2019-3754 (Dell EMC Unity Operating Environment versions prior to 5.0.0.0.5.
NOT-FOR-US: EMC
CVE-2019-3753 (Dell EMC PowerConnect 8024, 7000, M6348, M6220, M8024 and M8024-K runn ...)
NOT-FOR-US: EMC
-CVE-2019-3752
- RESERVED
+CVE-2019-3752 (Dell EMC Avamar Server versions 7.4.1, 7.5.0, 7.5.1, 18.2 and 19.1 and ...)
+ NOT-FOR-US: EMC Avamar Server
CVE-2019-3751 (Dell EMC Enterprise Copy Data Management (eCDM) versions 1.0, 1.1, 2.0 ...)
NOT-FOR-US: EMC
CVE-2019-3750 (Dell Command Update versions prior to 3.1 contain an Arbitrary File De ...)
@@ -45339,7 +45877,8 @@ CVE-2019-3688 (The /usr/sbin/pinger binary packaged with squid in SUSE Linux Ent
CVE-2019-3687 (The permission package in SUSE Linux Enterprise Server allowed all loc ...)
NOT-FOR-US: SuSE
CVE-2019-3686 (openQA before commit c172e8883d8f32fced5e02f9b6faaacc913df27b was vuln ...)
- - openqa <itp> (bug #840253)
+ - openqa <not-affected> (Fixed before initial upload to Debian)
+ NOTE: Fixed by: https://github.com/os-autoinst/openQA/commit/c172e8883d8f32fced5e02f9b6faaacc913df27b
CVE-2019-3685 (Open Build Service before version 0.165.4 diddn't validate TLS certifi ...)
- osc <not-affected> (Affects 0.165.x only, bug #941667)
CVE-2019-3684 (SUSE Manager until version 4.0.7 and Uyuni until commit 1b426ad5ed0a71 ...)
@@ -45349,8 +45888,9 @@ CVE-2019-3683 (The keystone-json-assignment package in SUSE Openstack Cloud 8 be
CVE-2019-3682 (The docker-kubic package in SUSE CaaS Platform 3.0 before 17.09.1_ce-7 ...)
NOT-FOR-US: SuSE
CVE-2019-3681 (A External Control of File Name or Path vulnerability in osc of SUSE L ...)
- - osc <unfixed> (bug #969999)
+ - osc 0.169.1-1 (bug #969999)
[buster] - osc <no-dsa> (Minor issue)
+ [stretch] - osc <no-dsa> (Minor issue)
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1122675
NOTE: https://github.com/openSUSE/osc/commit/a79c54418baf9b9785123bd07f350f12bd729ed3 (0.169.0)
CVE-2019-3680
@@ -45490,7 +46030,7 @@ CVE-2019-3614
CVE-2019-3613 (DLL Search Order Hijacking vulnerability in McAfee Agent (MA) prior to ...)
NOT-FOR-US: McAfee
CVE-2019-3612 (Information Disclosure vulnerability in McAfee DXL Platform and TIE Se ...)
- NOT-FOR-US: McAFee
+ NOT-FOR-US: McAfee
CVE-2019-3611
RESERVED
CVE-2019-3610 (Data Leakage Attacks vulnerability in Microsoft Windows client in McAf ...)
@@ -45607,13 +46147,13 @@ CVE-2019-3561 (Insufficient boundary checks for the strrpos and strripos functio
CVE-2019-3560 (An improperly performed length calculation on a buffer in PlaintextRec ...)
NOT-FOR-US: Fizz
CVE-2019-3559 (Java Facebook Thrift servers would not error upon receiving messages w ...)
- NOT-FOR-US: Thrift servers
+ NOT-FOR-US: Facebook Java Thrift (Debian packages Apache Thrift)
CVE-2019-3558 (Python Facebook Thrift servers would not error upon receiving messages ...)
NOT-FOR-US: Thrift servers
CVE-2019-3557 (The implementations of streams for bz2 and php://output improperly imp ...)
- hhvm <removed>
-CVE-2019-3556
- RESERVED
+CVE-2019-3556 (HHVM supports the use of an "admin" server which accepts administrativ ...)
+ - hhvm <removed>
CVE-2019-3555
RESERVED
CVE-2019-3554 (Wangle's AcceptRoutingHandler incorrectly casts a socket when acceptin ...)
@@ -45725,9 +46265,8 @@ CVE-2019-3502
CVE-2019-3501 (The OUGC Awards plugin before 1.8.19 for MyBB allows XSS via a crafted ...)
NOT-FOR-US: OUGC Awards plugin for MyBB
CVE-2019-3500 (aria2c in aria2 1.33.1, when --log is used, can store an HTTP Basic Au ...)
- {DLA-1636-1}
+ {DLA-2873-1 DLA-1636-1}
- aria2 1.34.0-4 (low; bug #918058)
- [stretch] - aria2 <no-dsa> (Minor issue)
NOTE: https://github.com/aria2/aria2/issues/1329
NOTE: Masking of all authorization and cookie header fields (but not userinfo in URL):
NOTE: https://github.com/aria2/aria2/commit/37368130ca7de5491a75fd18a20c5c5cc641824a
@@ -45941,8 +46480,8 @@ CVE-2019-3407
RESERVED
CVE-2019-3406
RESERVED
-CVE-2019-3405
- RESERVED
+CVE-2019-3405 (In the 3.1.3.64296 and lower version of 360F5, the third party can tri ...)
+ NOT-FOR-US: 360F5
CVE-2019-3404 (By adding some special fields to the uri ofrouter app function, the us ...)
NOT-FOR-US: ofrouter
CVE-2019-3403 (The /rest/api/2/user/picker rest resource in Jira before version 7.13. ...)
@@ -46781,7 +47320,7 @@ CVE-2019-2995 (Vulnerability in the Oracle Marketing product of Oracle E-Busines
CVE-2019-2994 (Vulnerability in the Oracle Marketing product of Oracle E-Business Sui ...)
NOT-FOR-US: Oracle
CVE-2019-2993 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-5.7 <unfixed> (bug #942443)
+ - mysql-5.7 <removed> (bug #942443)
NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL
CVE-2019-2992 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...)
{DSA-4548-1 DSA-4546-1 DLA-2023-1}
@@ -46848,7 +47387,7 @@ CVE-2019-2974 (Vulnerability in the MySQL Server product of Oracle MySQL (compon
[buster] - mariadb-10.3 1:10.3.22-0+deb10u1
- mariadb-10.1 <removed>
[stretch] - mariadb-10.1 10.1.44-0+deb9u1
- - mysql-5.7 <unfixed> (bug #942443)
+ - mysql-5.7 <removed> (bug #942443)
NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL
NOTE: MySQL: https://github.com/mysql/mysql-server/commit/52d9daf06478851548251ec2103cdc22178c48c4
NOTE: MariaDB: https://github.com/MariaDB/server/commit/719ac0ad4af0dd1e20dbc94eff8f8c9f786b3393
@@ -46865,7 +47404,7 @@ CVE-2019-2971 (Vulnerability in the Oracle Outside In Technology product of Orac
CVE-2019-2970 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...)
NOT-FOR-US: Oracle
CVE-2019-2969 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-5.7 <unfixed> (bug #942443)
+ - mysql-5.7 <removed> (bug #942443)
NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL
CVE-2019-2968 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- mysql-5.7 <not-affected> (Only affects MySQL 8)
@@ -46890,7 +47429,7 @@ CVE-2019-2962 (Vulnerability in the Java SE, Java SE Embedded product of Oracle
CVE-2019-2961 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...)
NOT-FOR-US: Oracle
CVE-2019-2960 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-5.7 <unfixed> (bug #942443)
+ - mysql-5.7 <removed> (bug #942443)
NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL
CVE-2019-2959 (Vulnerability in the Hyperion Financial Reporting product of Oracle Hy ...)
NOT-FOR-US: Oracle
@@ -46921,12 +47460,12 @@ CVE-2019-2949 (Vulnerability in the Java SE, Java SE Embedded product of Oracle
- openjdk-8 8u232-b09-1
- openjdk-7 <removed>
CVE-2019-2948 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-5.7 <unfixed> (bug #942443)
+ - mysql-5.7 <removed> (bug #942443)
NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL
CVE-2019-2947 (Vulnerability in the Oracle Hospitality Reporting and Analytics compon ...)
NOT-FOR-US: Oracle
CVE-2019-2946 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-5.7 <unfixed> (bug #942443)
+ - mysql-5.7 <removed> (bug #942443)
NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL
CVE-2019-2945 (Vulnerability in the Java SE, Java SE Embedded product of Oracle Java ...)
{DSA-4548-1 DSA-4546-1 DLA-2023-1}
@@ -46947,7 +47486,7 @@ CVE-2019-2940 (Vulnerability in the Core RDBMS component of Oracle Database Serv
CVE-2019-2939 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...)
NOT-FOR-US: Oracle
CVE-2019-2938 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-5.7 <unfixed> (bug #942443)
+ - mysql-5.7 <removed> (bug #942443)
- mariadb-10.3 1:10.3.19-1
[buster] - mariadb-10.3 1:10.3.22-0+deb10u1
NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL
@@ -46982,18 +47521,18 @@ CVE-2019-2926 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtu
CVE-2019-2925 (Vulnerability in the Oracle Workflow product of Oracle E-Business Suit ...)
NOT-FOR-US: Oracle
CVE-2019-2924 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-5.7 <unfixed> (bug #942443)
+ - mysql-5.7 <removed> (bug #942443)
NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL
CVE-2019-2923 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-5.7 <unfixed> (bug #942443)
+ - mysql-5.7 <removed> (bug #942443)
NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL
CVE-2019-2922 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-5.7 <unfixed> (bug #942443)
+ - mysql-5.7 <removed> (bug #942443)
NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL
CVE-2019-2921
RESERVED
CVE-2019-2920 (Vulnerability in the MySQL Connectors product of Oracle MySQL (compone ...)
- - mysql-5.7 <unfixed> (bug #942443)
+ - mysql-5.7 <removed> (bug #942443)
NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL
CVE-2019-2919
RESERVED
@@ -47006,17 +47545,17 @@ CVE-2019-2916
CVE-2019-2915 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...)
NOT-FOR-US: Oracle
CVE-2019-2914 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-5.7 <unfixed> (bug #942443)
+ - mysql-5.7 <removed> (bug #942443)
NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL
CVE-2019-2913 (Vulnerability in the Core RDBMS component of Oracle Database Server. S ...)
NOT-FOR-US: Oracle
CVE-2019-2912
RESERVED
CVE-2019-2911 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-5.7 <unfixed> (bug #942443)
+ - mysql-5.7 <removed> (bug #942443)
NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL
CVE-2019-2910 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- - mysql-5.7 <unfixed> (bug #942443)
+ - mysql-5.7 <removed> (bug #942443)
NOTE: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html#AppendixMSQL
CVE-2019-2909 (Vulnerability in the Java VM component of Oracle Database Server. Supp ...)
NOT-FOR-US: Oracle
@@ -47218,7 +47757,7 @@ CVE-2019-2821 (Vulnerability in the Java SE component of Oracle Java SE (subcomp
CVE-2019-2820 (Vulnerability in the Oracle Solaris component of Oracle Sun Systems Pr ...)
NOT-FOR-US: Oracle
CVE-2019-2819 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
- - mysql-5.7 <unfixed> (bug #932340)
+ - mysql-5.7 <removed> (bug #932340)
NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL
CVE-2019-2818 (Vulnerability in the Java SE component of Oracle Java SE (subcomponent ...)
{DSA-4486-1}
@@ -47257,7 +47796,7 @@ CVE-2019-2805 (Vulnerability in the MySQL Server component of Oracle MySQL (subc
[buster] - mariadb-10.3 1:10.3.17-0+deb10u1
- mariadb-10.1 <removed>
[stretch] - mariadb-10.1 10.1.41-0+deb9u1
- - mysql-5.7 <unfixed> (bug #932340)
+ - mysql-5.7 <removed> (bug #932340)
NOTE: Fixed in MariaDB: 10.3.17, 10.1.41
NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL
CVE-2019-2804 (Vulnerability in the Oracle Solaris component of Oracle Sun Systems Pr ...)
@@ -47275,7 +47814,7 @@ CVE-2019-2799 (Vulnerability in the Oracle ODBC Driver component of Oracle Datab
CVE-2019-2798 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
- mysql-5.7 <not-affected> (Only affects MySQL 8)
CVE-2019-2797 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
- - mysql-5.7 <unfixed> (bug #932340)
+ - mysql-5.7 <removed> (bug #932340)
NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL
CVE-2019-2796 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
- mysql-5.7 <not-affected> (Only affects MySQL 8)
@@ -47288,7 +47827,7 @@ CVE-2019-2793 (Vulnerability in the Oracle FLEXCUBE Universal Banking component
CVE-2019-2792 (Vulnerability in the Oracle Outside In Technology component of Oracle ...)
NOT-FOR-US: Oracle
CVE-2019-2791 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
- - mysql-5.7 <unfixed> (bug #932340)
+ - mysql-5.7 <removed> (bug #932340)
NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL
CVE-2019-2790 (Vulnerability in the Oracle FLEXCUBE Universal Banking component of Or ...)
NOT-FOR-US: Oracle
@@ -47318,7 +47857,7 @@ CVE-2019-2780 (Vulnerability in the MySQL Server component of Oracle MySQL (subc
CVE-2019-2779 (Vulnerability in the Siebel Core - Common Components component of Orac ...)
NOT-FOR-US: Oracle
CVE-2019-2778 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
- - mysql-5.7 <unfixed> (bug #932340)
+ - mysql-5.7 <removed> (bug #932340)
NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL
CVE-2019-2777 (Vulnerability in the Siebel Core - Server Framework component of Oracl ...)
NOT-FOR-US: Oracle
@@ -47327,7 +47866,7 @@ CVE-2019-2776 (Vulnerability in the Core RDBMS component of Oracle Database Serv
CVE-2019-2775 (Vulnerability in the Oracle Payments component of Oracle E-Business Su ...)
NOT-FOR-US: Oracle
CVE-2019-2774 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
- - mysql-5.7 <unfixed> (bug #932340)
+ - mysql-5.7 <removed> (bug #932340)
NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL
CVE-2019-2773 (Vulnerability in the Oracle Payments component of Oracle E-Business Su ...)
NOT-FOR-US: Oracle
@@ -47373,11 +47912,11 @@ CVE-2019-2759 (Vulnerability in the Oracle Outside In Technology component of Or
CVE-2019-2758 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
- mariadb-10.3 1:10.3.17-1
[buster] - mariadb-10.3 1:10.3.17-0+deb10u1
- - mysql-5.7 <unfixed> (bug #932340)
+ - mysql-5.7 <removed> (bug #932340)
NOTE: Fixed in MariaDB: 10.3.17
NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL
CVE-2019-2757 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
- - mysql-5.7 <unfixed> (bug #932340)
+ - mysql-5.7 <removed> (bug #932340)
NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL
CVE-2019-2756 (Vulnerability in the Oracle Outside In Technology component of Oracle ...)
NOT-FOR-US: Oracle
@@ -47413,14 +47952,14 @@ CVE-2019-2743 (Vulnerability in the MySQL Server component of Oracle MySQL (subc
CVE-2019-2742 (Vulnerability in the Oracle BI Publisher component of Oracle Fusion Mi ...)
NOT-FOR-US: Oracle
CVE-2019-2741 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
- - mysql-5.7 <unfixed> (bug #932340)
+ - mysql-5.7 <removed> (bug #932340)
NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL
CVE-2019-2740 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
- mariadb-10.3 1:10.3.17-1
[buster] - mariadb-10.3 1:10.3.17-0+deb10u1
- mariadb-10.1 <removed>
[stretch] - mariadb-10.1 10.1.41-0+deb9u1
- - mysql-5.7 <unfixed> (bug #932340)
+ - mysql-5.7 <removed> (bug #932340)
NOTE: Fixed in MariaDB: 10.3.17, 10.1.41
NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL
CVE-2019-2739 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
@@ -47428,18 +47967,18 @@ CVE-2019-2739 (Vulnerability in the MySQL Server component of Oracle MySQL (subc
[buster] - mariadb-10.3 1:10.3.17-0+deb10u1
- mariadb-10.1 <removed>
[stretch] - mariadb-10.1 10.1.41-0+deb9u1
- - mysql-5.7 <unfixed> (bug #932340)
+ - mysql-5.7 <removed> (bug #932340)
NOTE: Fixed in MariaDB: 10.3.17, 10.1.41
NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL
CVE-2019-2738 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
- - mysql-5.7 <unfixed> (bug #932340)
+ - mysql-5.7 <removed> (bug #932340)
NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL
CVE-2019-2737 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
- mariadb-10.3 1:10.3.17-1
[buster] - mariadb-10.3 1:10.3.17-0+deb10u1
- mariadb-10.1 <removed>
[stretch] - mariadb-10.1 10.1.41-0+deb9u1
- - mysql-5.7 <unfixed> (bug #932340)
+ - mysql-5.7 <removed> (bug #932340)
NOTE: Fixed in MariaDB: 10.3.17, 10.1.41
NOTE: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixMSQL
CVE-2019-2736 (Vulnerability in the Oracle FLEXCUBE Investor Servicing component of O ...)
@@ -48225,10 +48764,16 @@ CVE-2019-2395 (Vulnerability in the Oracle WebLogic Server component of Oracle F
NOT-FOR-US: Oracle
CVE-2019-2394
RESERVED
-CVE-2019-2393
- RESERVED
-CVE-2019-2392
- RESERVED
+CVE-2019-2393 (A user authorized to perform database queries may trigger denial of se ...)
+ - mongodb <removed>
+ [stretch] - mongodb <postponed> (Minor issue, authenticated DoS)
+ NOTE: https://jira.mongodb.org/browse/SERVER-43350
+ NOTE: https://github.com/mongodb/mongo/commit/785b41740a216429573a89a5df82f96064965559 (v3.6.15, SSPL)
+CVE-2019-2392 (A user authorized to perform database queries may trigger denial of se ...)
+ - mongodb <removed>
+ [stretch] - mongodb <postponed> (Minor issue, authenticated DoS)
+ NOTE: https://jira.mongodb.org/browse/SERVER-43699
+ NOTE: https://github.com/mongodb/mongo/commit/b5ff43f92c0e562121477e8253a56b2d83825571 (v3.4.24, AGPL)
CVE-2019-2391 (Incorrect parsing of certain JSON input may result in js-bson not corr ...)
[experimental] - node-mongodb 3.5.5+~cs11.12.19-1
- node-mongodb 3.5.6+~cs11.12.19-1
@@ -48253,95 +48798,95 @@ CVE-2019-2386 (After user deletion in MongoDB Server the improper invalidation o
CVE-2019-2385
RESERVED
CVE-2019-2384
- RESERVED
+ REJECTED
CVE-2019-2383
- RESERVED
+ REJECTED
CVE-2019-2382
- RESERVED
+ REJECTED
CVE-2019-2381
- RESERVED
+ REJECTED
CVE-2019-2380
- RESERVED
+ REJECTED
CVE-2019-2379
- RESERVED
+ REJECTED
CVE-2019-2378
- RESERVED
+ REJECTED
CVE-2019-2377
- RESERVED
+ REJECTED
CVE-2019-2376
- RESERVED
+ REJECTED
CVE-2019-2375
- RESERVED
+ REJECTED
CVE-2019-2374
- RESERVED
+ REJECTED
CVE-2019-2373
- RESERVED
+ REJECTED
CVE-2019-2372
- RESERVED
+ REJECTED
CVE-2019-2371
- RESERVED
+ REJECTED
CVE-2019-2370
- RESERVED
+ REJECTED
CVE-2019-2369
- RESERVED
+ REJECTED
CVE-2019-2368
- RESERVED
+ REJECTED
CVE-2019-2367
- RESERVED
+ REJECTED
CVE-2019-2366
- RESERVED
+ REJECTED
CVE-2019-2365
- RESERVED
+ REJECTED
CVE-2019-2364
- RESERVED
+ REJECTED
CVE-2019-2363
- RESERVED
+ REJECTED
CVE-2019-2362
- RESERVED
+ REJECTED
CVE-2019-2361
- RESERVED
+ REJECTED
CVE-2019-2360
- RESERVED
+ REJECTED
CVE-2019-2359
- RESERVED
+ REJECTED
CVE-2019-2358
- RESERVED
+ REJECTED
CVE-2019-2357
- RESERVED
+ REJECTED
CVE-2019-2356
- RESERVED
+ REJECTED
CVE-2019-2355
- RESERVED
+ REJECTED
CVE-2019-2354
- RESERVED
+ REJECTED
CVE-2019-2353
- RESERVED
+ REJECTED
CVE-2019-2352
- RESERVED
+ REJECTED
CVE-2019-2351
- RESERVED
+ REJECTED
CVE-2019-2350
- RESERVED
+ REJECTED
CVE-2019-2349
- RESERVED
+ REJECTED
CVE-2019-2348
- RESERVED
+ REJECTED
CVE-2019-2347
- RESERVED
+ REJECTED
CVE-2019-2346 (Firmware is getting into loop of overwriting memory when scan command ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2019-2345 (Race condition while accessing DMA buffer in jpeg driver in Snapdragon ...)
NOT-FOR-US: Snapdragon
CVE-2019-2344
- RESERVED
+ REJECTED
CVE-2019-2343 (Out of bound read and information disclosure in firmware due to insuff ...)
NOT-FOR-US: Snapdragon
CVE-2019-2342
- RESERVED
+ REJECTED
CVE-2019-2341 (Buffer overflow when the audio buffer size provided by user is larger ...)
NOT-FOR-US: Snapdragon
CVE-2019-2340
- RESERVED
+ REJECTED
CVE-2019-2339 (Out of bound access due to lack of check of whiltelist array size whil ...)
NOT-FOR-US: Snapdragon
CVE-2019-2338 (Crafted image that has a valid signature from a non-QC entity can be l ...)
@@ -48449,7 +48994,7 @@ CVE-2019-2288 (Out of bound write in TZ while copying the secure dump structure
CVE-2019-2287 (Improper validation for inputs received from firmware can lead to an o ...)
NOT-FOR-US: Snapdragon
CVE-2019-2286
- RESERVED
+ REJECTED
CVE-2019-2285 (Out of bound write issue is observed while giving information about pr ...)
NOT-FOR-US: Snapdragon
CVE-2019-2284 (Possible use-after-free issue due to a race condition while calling ca ...)
@@ -48457,11 +49002,11 @@ CVE-2019-2284 (Possible use-after-free issue due to a race condition while calli
CVE-2019-2283 (Improper validation of read and write index of tx and rx fifo`s before ...)
NOT-FOR-US: Snapdragon
CVE-2019-2282
- RESERVED
+ REJECTED
CVE-2019-2281 (An unauthenticated bitmap image can be loaded in to memory and subsequ ...)
NOT-FOR-US: Snapdragon
CVE-2019-2280
- RESERVED
+ REJECTED
CVE-2019-2279 (Shared memory gets updated with invalid data and may lead to access be ...)
NOT-FOR-US: Snapdragon
CVE-2019-2278 (User keystore signature is ignored in boot and can lead to bypass boot ...)
@@ -48587,7 +49132,7 @@ CVE-2019-2221 (In hasActivityInVisibleTask of WindowProcessController.java there
NOT-FOR-US: Android
CVE-2019-2220 (In checkOperation of AppOpsService.java, there is a possible bypass of ...)
NOT-FOR-US: Android
-CVE-2019-2219 (In System UI, there is a possible bypass of user's consent for access ...)
+CVE-2019-2219 (In several functions of NotificationManagerService.java and related fi ...)
NOT-FOR-US: Android
CVE-2019-2218 (In createSessionInternal of PackageInstallerService.java, there is a p ...)
NOT-FOR-US: Android
@@ -48616,10 +49161,10 @@ CVE-2019-2212 (In poisson_distribution of random, there is an out of bounds read
- libc++ <removed>
[stretch] - libc++ <no-dsa> (Minor issue)
[jessie] - libc++ <no-dsa> (Minor issue, Jessie versions of software that uses poisson distribution have low popcon)
- - llvm-toolchain-6.0 <unfixed>
+ - llvm-toolchain-6.0 <removed>
[buster] - llvm-toolchain-6.0 <ignored> (Minor issue)
[jessie] - llvm-toolchain-6.0 <no-dsa> (Minor issue, Jessie versions of software that uses poisson distribution have low popcon)
- - llvm-toolchain-8 <unfixed>
+ - llvm-toolchain-8 <removed>
NOTE: https://android.googlesource.com/platform/external/libcxx/+/4cebe6f1f01a34546b3b843b5267619a61bd7d39
NOTE: https://android.googlesource.com/platform/external/libcxx/+/8260b5d56f6880a29b57f73b7f4866e47e9e4818
NOTE: https://android.googlesource.com/platform/external/libcxx/+/a16cd9df50f22ccf65cf27eddc0403791116c75a
@@ -48646,16 +49191,16 @@ CVE-2019-2202 (In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible
NOT-FOR-US: Android media framework
CVE-2019-2201 (In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S, there is ...)
- libjpeg-turbo 1:2.0.5-1 (low)
- [buster] - libjpeg-turbo <no-dsa> (Minor issue)
+ [buster] - libjpeg-turbo 1:1.5.2-2+deb10u1
[stretch] - libjpeg-turbo <no-dsa> (Minor issue)
[jessie] - libjpeg-turbo <ignored> (No package in Debian jessie uses the TurboJPEG API)
NOTE: https://source.android.com/security/bulletin/2019-11-01
NOTE: https://android.googlesource.com/platform/external/libjpeg-turbo/+/d3db2a2634c422286f75c4b38af98837f3d2f0ff
NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/361
NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2a9e3bd7430cfda1bc812d139e0609c6aca0b884
- NOTE: https://github.com/clearlinux-pkgs/libjpeg-turbo/commit/0a5d06c3dd4a64754d7e6ffa081fd9132714f74c
NOTE: The description text is wrong, this CVE is about gigapixel images not ARM NEON SIMD code.
NOTE: See https://bugs.gentoo.org/show_bug.cgi?id=699830#c12
+ NOTE: Followup fix for tjbench: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/c30b1e72dac76343ef9029833d1561de07d29bad
CVE-2019-2200 (In updatePermissions of PermissionManagerService.java, it may be possi ...)
NOT-FOR-US: Android
CVE-2019-2199 (In createSessionInternal of PackageInstallerService.java, there is a p ...)
@@ -48668,8 +49213,7 @@ CVE-2019-2196 (In Download Provider, there is possible SQL injection. This could
NOT-FOR-US: Android
CVE-2019-2195 (In tokenize of sqlite3_android.cpp, there is a possible attacker contr ...)
NOT-FOR-US: Android
-CVE-2019-2194
- RESERVED
+CVE-2019-2194 (In SurfaceFlinger::createLayer of SurfaceFlinger.cpp, there is a possi ...)
NOT-FOR-US: Android
CVE-2019-2193 (In WelcomeActivity.java and related files, there is a possible permiss ...)
NOT-FOR-US: Android
@@ -49118,8 +49662,8 @@ CVE-2019-1985 (In findAvailSpellCheckerLocked of TextServicesManagerService.java
NOT-FOR-US: Android
CVE-2019-1984 (A vulnerability in Cisco Enterprise Network Functions Virtualization I ...)
NOT-FOR-US: Cisco
-CVE-2019-1983
- RESERVED
+CVE-2019-1983 (A vulnerability in the email message filtering feature of Cisco AsyncO ...)
+ NOT-FOR-US: Cisco
CVE-2019-1982 (A vulnerability in the HTTP traffic filtering component of Cisco Firep ...)
NOT-FOR-US: Cisco
CVE-2019-1981 (A vulnerability in the normalization functionality of Cisco Firepower ...)
@@ -49190,8 +49734,8 @@ CVE-2019-1949 (A vulnerability in the web-based management interface of Cisco Fi
NOT-FOR-US: Cisco
CVE-2019-1948 (A vulnerability in Cisco Webex Meetings Mobile (iOS) could allow an un ...)
NOT-FOR-US: Cisco
-CVE-2019-1947
- RESERVED
+CVE-2019-1947 (A vulnerability in the email message filtering feature of Cisco AsyncO ...)
+ NOT-FOR-US: Cisco
CVE-2019-1946 (A vulnerability in the web-based management interface of Cisco Enterpr ...)
NOT-FOR-US: Cisco
CVE-2019-1945 (Multiple vulnerabilities in the smart tunnel functionality of Cisco Ad ...)
@@ -49308,8 +49852,8 @@ CVE-2019-1890 (A vulnerability in the fabric infrastructure VLAN connection esta
NOT-FOR-US: Cisco
CVE-2019-1889 (A vulnerability in the REST API for software device management in Cisc ...)
NOT-FOR-US: Cisco
-CVE-2019-1888
- RESERVED
+CVE-2019-1888 (A vulnerability in the Administration Web Interface of Cisco Unified C ...)
+ NOT-FOR-US: Cisco
CVE-2019-1887 (A vulnerability in the Session Initiation Protocol (SIP) protocol impl ...)
NOT-FOR-US: Cisco
CVE-2019-1886 (A vulnerability in the HTTPS decryption feature of Cisco Web Security ...)
@@ -49636,8 +50180,8 @@ CVE-2019-1738 (A vulnerability in the Network-Based Application Recognition (NBA
NOT-FOR-US: Cisco
CVE-2019-1737 (A vulnerability in the processing of IP Service Level Agreement (SLA) ...)
NOT-FOR-US: Cisco
-CVE-2019-1736
- RESERVED
+CVE-2019-1736 (A vulnerability in the firmware of the Cisco UCS C-Series Rack Servers ...)
+ NOT-FOR-US: Cisco
CVE-2019-1735 (A vulnerability in the CLI of Cisco NX-OS Software could allow an auth ...)
NOT-FOR-US: Cisco
CVE-2019-1734 (A vulnerability in the implementation of a CLI diagnostic command in C ...)
@@ -50024,9 +50568,8 @@ CVE-2019-1552 (OpenSSL has internal defaults for a directory tree where it can f
- openssl1.0 <not-affected> (Windows-specific)
NOTE: https://www.openssl.org/news/secadv/20190730.txt
CVE-2019-1551 (There is an overflow bug in the x64_64 Montgomery squaring procedure u ...)
- {DSA-4594-1}
+ {DSA-4855-1 DSA-4594-1}
- openssl 1.1.1e-1 (low; bug #947949)
- [buster] - openssl <postponed> (Wait until next upstream security release)
[stretch] - openssl <postponed> (Wait until next upstream security release)
[jessie] - openssl <not-affected> (Affected modules are not present in Jessie)
- openssl1.0 <removed> (low)
@@ -52775,11 +53318,15 @@ CVE-2019-0223 (While investigating bug PROTON-2014, we discovered that under som
NOTE: not present in the jessie version. That part do not seem to be essential for
NOTE: the package to be vulnerable.
CVE-2019-0222 (In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame ca ...)
- - activemq 5.15.9-1 (bug #925964)
- [buster] - activemq <no-dsa> (Minor issue)
- [stretch] - activemq <no-dsa> (Minor issue)
+ {DLA-2583-1 DLA-2582-1}
+ - activemq 5.15.9-1 (bug #925964; unimportant)
[jessie] - activemq <not-affected> (MQTT support not enabled)
+ - mqtt-client 1.16-1 (bug #988109)
+ [buster] - mqtt-client 1.14-1+deb10u1
NOTE: http://activemq.apache.org/security-advisories.data/CVE-2019-0222-announcement.txt
+ NOTE: activemq disabled MQTT transport in 5.6.0+dfsg-1 (d/patches/exclude_mqtt.diff)
+ NOTE: but enabled activemq-mqtt in 5.13.2+dfsg-2 using the external mqtt-client.
+ NOTE: https://github.com/fusesource/mqtt-client/commit/2898f10be758decdc85ba6c523cb5be6b9092855 (mqtt-client-project-1.15)
CVE-2019-0221 (The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 ...)
{DSA-4596-1 DLA-1883-1 DLA-1810-1}
- tomcat9 9.0.16-4 (bug #929895)
@@ -52828,7 +53375,9 @@ CVE-2019-0211 (In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM eve
CVE-2019-0210 (In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJS ...)
[experimental] - thrift 0.13.0-1
- thrift 0.13.0-2
+ [buster] - thrift <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2019/10/17/2
+ NOTE: https://github.com/apache/thrift/commit/264a3f318ed3e9e51573f67f963c8509786bcec2
CVE-2019-0209
REJECTED
CVE-2019-0208
@@ -52840,6 +53389,7 @@ CVE-2019-0206
CVE-2019-0205 (In Apache Thrift all versions up to and including 0.12.0, a server or ...)
[experimental] - thrift 0.13.0-1
- thrift 0.13.0-2
+ [buster] - thrift <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2019/10/17/1
CVE-2019-0204 (A specifically crafted Docker image running under the root user can ov ...)
- apache-mesos <itp> (bug #760315)
@@ -52884,7 +53434,7 @@ CVE-2019-0194 (Apache Camel's File is vulnerable to directory traversal. Camel 2
CVE-2019-0193 (In Apache Solr, the DataImportHandler, an optional but popular module ...)
{DLA-2327-1 DLA-1954-1}
- lucene-solr 3.6.2+dfsg-22 (low)
- [buster] - lucene-solr <no-dsa> (Minor issue)
+ [buster] - lucene-solr 3.6.2+dfsg-20+deb10u2
NOTE: https://issues.apache.org/jira/browse/SOLR-13669
NOTE: upstream recommends everybody upgrade or rework their configuration
NOTE: consider backporting enable.dih.dataConfigParam instead:
@@ -52905,6 +53455,7 @@ CVE-2019-0188 (Apache Camel prior to 2.24.0 contains an XML external entity inje
NOT-FOR-US: Apache Camel
CVE-2019-0187 (Unauthenticated RCE is possible when JMeter is used in distributed mod ...)
- jakarta-jmeter <unfixed>
+ [bullseye] - jakarta-jmeter <no-dsa> (Minor issue)
[buster] - jakarta-jmeter <no-dsa> (Minor issue)
[stretch] - jakarta-jmeter <no-dsa> (Minor issue)
[jessie] - jakarta-jmeter <no-dsa> (Minor issue)
@@ -52961,14 +53512,14 @@ CVE-2019-0163 (Insufficient input validation in system firmware for Intel(R) Bro
CVE-2019-0162 (Memory access in virtual memory mapping for some microprocessors may a ...)
NOT-FOR-US: F5
CVE-2019-0161 (Stack overflow in XHCI for EDK II may allow an unauthenticated user to ...)
+ {DLA-2645-1}
- edk2 0~20180803.dd4cae4d-1 (low)
- [stretch] - edk2 <ignored> (Minor issue)
[jessie] - edk2 <end-of-life> (non-free)
NOTE: https://github.com/tianocore/edk2/commit/acebdf14c985c5c9f50b37ece0b15ada87767359
NOTE: https://github.com/tianocore/edk2/commit/72750e3bf9174f15c17e78f0f117b5e7311bb49f
CVE-2019-0160 (Buffer overflow in system firmware for EDK II may allow unauthenticate ...)
- edk2 0~20181115.85588389-1 (low)
- [stretch] - edk2 <ignored> (Minor issue)
+ [stretch] - edk2 <not-affected> (vulnerable code is not present)
[jessie] - edk2 <end-of-life> (non-free)
NOTE: https://github.com/tianocore/edk2/commit/4df8f5bfa28b8b881e506437e8f08d92c1a00370
NOTE: https://github.com/tianocore/edk2/commit/b9ae1705adfdd43668027a25a2b03c2e81960219
@@ -53000,18 +53551,23 @@ CVE-2019-0150 (Insufficient access control in firmware Intel(R) Ethernet 700 Ser
NOT-FOR-US: Intel firmware for Ethernet 700 Series
CVE-2019-0149 (Insufficient input validation in i40e driver for Intel(R) Ethernet 700 ...)
- linux 5.2.6-1
+ [buster] - linux 4.19.146-1
NOTE: https://lists.osuosl.org/pipermail/intel-wired-lan/Week-of-Mon-20200810/021006.html
CVE-2019-0148 (Resource leak in i40e driver for Intel(R) Ethernet 700 Series Controll ...)
- linux 5.2.6-1
+ [buster] - linux 4.19.146-1
NOTE: https://lists.osuosl.org/pipermail/intel-wired-lan/Week-of-Mon-20200810/021006.html
CVE-2019-0147 (Insufficient input validation in i40e driver for Intel(R) Ethernet 700 ...)
- linux 5.2.6-1
+ [buster] - linux 4.19.146-1
NOTE: https://lists.osuosl.org/pipermail/intel-wired-lan/Week-of-Mon-20200810/021006.html
CVE-2019-0146 (Resource leak in i40e driver for Intel(R) Ethernet 700 Series Controll ...)
- linux 5.2.6-1
+ [buster] - linux 4.19.146-1
NOTE: https://lists.osuosl.org/pipermail/intel-wired-lan/Week-of-Mon-20200810/021006.html
CVE-2019-0145 (Buffer overflow in i40e driver for Intel(R) Ethernet 700 Series Contro ...)
- linux 5.2.6-1
+ [buster] - linux 4.19.146-1
NOTE: https://lists.osuosl.org/pipermail/intel-wired-lan/Week-of-Mon-20200810/021006.html
CVE-2019-0144 (Unhandled exception in firmware for Intel(R) Ethernet 700 Series Contr ...)
NOT-FOR-US: Intel firmware for Ethernet 700 Series
@@ -53212,6 +53768,9 @@ CVE-2019-0053 (Insufficient validation of environment variables in the telnet cl
NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-19:12.telnet.asc
NOTE: https://raw.githubusercontent.com/hackerhouse-opensource/exploits/master/inetutils-telnet.txt
NOTE: https://www.openwall.com/lists/oss-security/2018/12/14/8
+ NOTE: Additional patch to fix infinite loop causing stack exhaustion (but not
+ NOTE: directly covered by this CVE applied in inetutils/2:2.2-2):
+ NOTE: https://git.hadrons.org/cgit/debian/pkgs/inetutils.git/diff/?id=0d246b17e51060daac8a26848a8d9e5722fcca24
CVE-2019-0052 (The srxpfe process may crash on SRX Series services gateways when the ...)
NOT-FOR-US: Juniper
CVE-2019-0051 (SSL-Proxy feature on SRX devices fails to handle a hardware resource l ...)

© 2014-2024 Faster IT GmbH | imprint | privacy policy