[Xymon] CVE-ID mix-up/inconsistencies?
Japheth Cleaver
cleaver at terabithia.org
Thu Jul 25 17:10:58 CEST 2019
On 7/25/2019 6:24 AM, Axel Beckert wrote:
> Hi Japheth,
>
> On Tue, Jul 23, 2019 at 08:57:49AM -0700, Japheth Cleaver wrote:
>> The specific CVEs in question are:
>> CVE-2019-13451, CVE-2019-13452, CVE-2019-13455, CVE-2019-13473,
> ^^^
>> CVE-2019-13474, CVE-2019-13484, CVE-2019-13485, CVE-2019-13486
> ^^^
>
> But in the information for Xymon packagers you wrote a slightly
> differing set of CVE-IDs:
>
>> The CVEs in question are:
>> history.c (service overflows histlogfn) = CVE-2019-13451
>> reportlog.c (service overflows histlogfn) = CVE-2019-13452
>> csvinfo.c (srdb overflows dbfn) = CVE-2019-13273
> ^^^
>> csvinfo.c (reflected XSS) = CVE-2019-13274
> ^^^
>> acknowledge.c (htmlquoted(hostname) overflows msgline) = CVE-2019-13455
>> appfeed.c (htmlquoted(xymondreq) overflows errtxt) = CVE-2019-13484
>> history.c (hostname overflows selfurl) = CVE-2019-13485
>> svcstatus.c (htmlquoted(xymondreq) overflows errtxt) = CVE-2019-13486
> Which ones are the correct ones? I used the latter ones in my
> changelog entry for the Debian package.
>
> Kind regards, Axel
Thanks, this is indeed a typo. The correct ones are CVE-2019-13*2*73 and
CVE-2019-13*2*74, sent earlier, numerically the first in this set, both
involving csvinfo.c (one for an overflow and one for the XSS).
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13273
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13274
-jc