[Xymon] CVE-ID mix-up/inconsistencies?

Japheth Cleaver cleaver at terabithia.org
Thu Jul 25 17:10:58 CEST 2019


On 7/25/2019 6:24 AM, Axel Beckert wrote:
> Hi Japheth,
>
> On Tue, Jul 23, 2019 at 08:57:49AM -0700, Japheth Cleaver wrote:
>> The specific CVEs in question are:
>>    CVE-2019-13451, CVE-2019-13452, CVE-2019-13455, CVE-2019-13473,
>                                                                 ^^^
>>    CVE-2019-13474, CVE-2019-13484, CVE-2019-13485, CVE-2019-13486
>                 ^^^
>
> But in the information for Xymon packagers you wrote a slightly
> differing set of CVE-IDs:
>
>> The CVEs in question are:
>>      history.c (service overflows histlogfn) = CVE-2019-13451
>>      reportlog.c (service overflows histlogfn) = CVE-2019-13452
>>      csvinfo.c (srdb overflows dbfn) = CVE-2019-13273
>                                                     ^^^
>>      csvinfo.c (reflected XSS) = CVE-2019-13274
>                                               ^^^
>>      acknowledge.c (htmlquoted(hostname) overflows msgline) = CVE-2019-13455
>>      appfeed.c (htmlquoted(xymondreq) overflows errtxt) = CVE-2019-13484
>>      history.c (hostname overflows selfurl) = CVE-2019-13485
>>      svcstatus.c (htmlquoted(xymondreq) overflows errtxt) = CVE-2019-13486
> Which ones are the correct ones? I used the latter ones in my
> changelog entry for the Debian package.
>
> 		Kind regards, Axel


Thanks, this is indeed a typo. The correct ones are CVE-2019-13*2*73 and 
CVE-2019-13*2*74, sent earlier, numerically the first in this set, both 
involving csvinfo.c (one for an overflow and one for the XSS).

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13273
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13274 

-jc
