<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 7/25/2019 6:24 AM, Axel Beckert
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:20190725132437.uickk3aycb5c6nph@sym.noone.org">
<pre class="moz-quote-pre" wrap="">Hi Japheth,
On Tue, Jul 23, 2019 at 08:57:49AM -0700, Japheth Cleaver wrote:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">The specific CVEs in question are:
CVE-2019-13451, CVE-2019-13452, CVE-2019-13455, CVE-2019-13473,
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap=""> ^^^
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap=""> CVE-2019-13474, CVE-2019-13484, CVE-2019-13485, CVE-2019-13486
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap=""> ^^^
But in the information for Xymon packagers you wrote a slightly
differing set of CVE-IDs:
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">The CVEs in question are:
history.c (service overflows histlogfn) = CVE-2019-13451
reportlog.c (service overflows histlogfn) = CVE-2019-13452
csvinfo.c (srdb overflows dbfn) = CVE-2019-13273
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap=""> ^^^
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap=""> csvinfo.c (reflected XSS) = CVE-2019-13274
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap=""> ^^^
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap=""> acknowledge.c (htmlquoted(hostname) overflows msgline) = CVE-2019-13455
appfeed.c (htmlquoted(xymondreq) overflows errtxt) = CVE-2019-13484
history.c (hostname overflows selfurl) = CVE-2019-13485
svcstatus.c (htmlquoted(xymondreq) overflows errtxt) = CVE-2019-13486
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">
Which ones are the correct ones? I used the latter ones in my
changelog entry for the Debian package.
Kind regards, Axel
</pre>
</blockquote>
<p><br>
</p>
<p>Thanks, this is indeed a typo. The correct ones are CVE-2019-13<b>2</b>73
and CVE-2019-13<b>2</b>74, sent earlier, numerically the first in
this set, both involving csvinfo.c (one for an overflow and one
for the XSS).</p>
<p><a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13273">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13273</a><br>
<a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13274">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13274</a></p>
<p><font size="+1"><span style="font-size:11pt;"><span
style="font-size:11pt;">-jc<br>
</span></span></font></p>
</body>
</html>