[Xymon] CVE-ID mix-up/inconsistencies? (was: Re: Xymon 4.3.29 Released - Important Security Update)

Axel Beckert abe at deuxchevaux.org
Thu Jul 25 15:24:38 CEST 2019

Hi Japheth,

On Tue, Jul 23, 2019 at 08:57:49AM -0700, Japheth Cleaver wrote:
> The specific CVEs in question are:
>   CVE-2019-13451, CVE-2019-13452, CVE-2019-13455, CVE-2019-13473,
>   CVE-2019-13474, CVE-2019-13484, CVE-2019-13485, CVE-2019-13486

But in the information for Xymon packagers you wrote a slightly
differing set of CVE-IDs:

> The CVEs in question are:
>     history.c (service overflows histlogfn) = CVE-2019-13451
>     reportlog.c (service overflows histlogfn) = CVE-2019-13452
>     csvinfo.c (srdb overflows dbfn) = CVE-2019-13273
>     csvinfo.c (reflected XSS) = CVE-2019-13274
>     acknowledge.c (htmlquoted(hostname) overflows msgline) = CVE-2019-13455
>     appfeed.c (htmlquoted(xymondreq) overflows errtxt) = CVE-2019-13484
>     history.c (hostname overflows selfurl) = CVE-2019-13485
>     svcstatus.c (htmlquoted(xymondreq) overflows errtxt) = CVE-2019-13486

Which ones are the correct ones? I used the latter ones in my
changelog entry for the Debian package.

		Kind regards, Axel
PGP: 2FF9CD59612616B5      /~\  Plain Text Ribbon Campaign, http://arc.pasp.de/
Mail: abe at deuxchevaux.org  \ /  Say No to HTML in E-Mail and Usenet
Mail+Jabber: abe at noone.org  X
https://axel.beckert.ch/   / \  I love long mails: https://email.is-not-s.ms/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20190725/517ce2a6/attachment.sig>

More information about the Xymon mailing list