<html>

  <head>

    <meta http-equiv="Content-Type" content="text/html;

      charset=windows-1252">

  </head>

  <body text="#000000" bgcolor="#FFFFFF">

    <div class="moz-cite-prefix">On 7/25/2019 6:24 AM, Axel Beckert

      wrote:<br>

    </div>

    <blockquote type="cite"

      cite="mid:20190725132437.uickk3aycb5c6nph@sym.noone.org">

      <pre class="moz-quote-pre" wrap="">Hi Japheth,

On Tue, Jul 23, 2019 at 08:57:49AM -0700, Japheth Cleaver wrote:

</pre>

      <blockquote type="cite">

        <pre class="moz-quote-pre" wrap="">The specific CVEs in question are:

  CVE-2019-13451, CVE-2019-13452, CVE-2019-13455, CVE-2019-13473,

</pre>

      </blockquote>

      <pre class="moz-quote-pre" wrap="">                                                               ^^^

</pre>

      <blockquote type="cite">

        <pre class="moz-quote-pre" wrap="">  CVE-2019-13474, CVE-2019-13484, CVE-2019-13485, CVE-2019-13486

</pre>

      </blockquote>

      <pre class="moz-quote-pre" wrap="">               ^^^

But in the information for Xymon packagers you wrote a slightly

differing set of CVE-IDs:

</pre>

      <blockquote type="cite">

        <pre class="moz-quote-pre" wrap="">The CVEs in question are:

    history.c (service overflows histlogfn) = CVE-2019-13451

    reportlog.c (service overflows histlogfn) = CVE-2019-13452

    csvinfo.c (srdb overflows dbfn) = CVE-2019-13273

</pre>

      </blockquote>

      <pre class="moz-quote-pre" wrap="">                                                   ^^^

</pre>

      <blockquote type="cite">

        <pre class="moz-quote-pre" wrap="">    csvinfo.c (reflected XSS) = CVE-2019-13274

</pre>

      </blockquote>

      <pre class="moz-quote-pre" wrap="">                                             ^^^

</pre>

      <blockquote type="cite">

        <pre class="moz-quote-pre" wrap="">    acknowledge.c (htmlquoted(hostname) overflows msgline) = CVE-2019-13455

    appfeed.c (htmlquoted(xymondreq) overflows errtxt) = CVE-2019-13484

    history.c (hostname overflows selfurl) = CVE-2019-13485

    svcstatus.c (htmlquoted(xymondreq) overflows errtxt) = CVE-2019-13486

</pre>

      </blockquote>

      <pre class="moz-quote-pre" wrap="">

Which ones are the correct ones? I used the latter ones in my

changelog entry for the Debian package.

                Kind regards, Axel

</pre>

    </blockquote>

    <p><br>

    </p>

    <p>Thanks, this is indeed a typo. The correct ones are CVE-2019-13<b>2</b>73

      and CVE-2019-13<b>2</b>74, sent earlier, numerically the first in

      this set, both involving csvinfo.c (one for an overflow and one

      for the XSS).</p>

    <p><a

        href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13273">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13273</a><a

href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13274"><br>

        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13274</a><a

href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13273"><br>

      </a><font size="+1"><span style="font-size:11pt;"><span

            style="font-size:11pt;"></span></span></font></p>

    <p><font size="+1"><span style="font-size:11pt;"><span

            style="font-size:11pt;">-jc<br>

          </span></span></font></p>

  </body>

</html>