Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1bd192e8 by security tracker role at 2020-01-24T08:10:17+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,27 @@
+CVE-2020-7946
+       RESERVED
+CVE-2020-7945
+       RESERVED
+CVE-2020-7944
+       RESERVED
+CVE-2020-7943
+       RESERVED
+CVE-2020-7942
+       RESERVED
+CVE-2020-7941 (A privilege escalation issue in plone.app.contenttypes in Plone 
4.3 th ...)
+       TODO: check
+CVE-2020-7940 (Missing password strength checks on some forms in Plone 4.3 
through 5. ...)
+       TODO: check
+CVE-2020-7939 (SQL Injection in DTML or in connection objects in Plone 4.0 
through 5. ...)
+       TODO: check
+CVE-2020-7938 (plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a 
certain ...)
+       TODO: check
+CVE-2020-7937 (An XSS issue in the title field in Plone 5.0 through 5.2.1 
allows user ...)
+       TODO: check
+CVE-2020-7936 (An open redirect on the login form (and possibly other places) 
in Plon ...)
+       TODO: check
+CVE-2020-7935
+       RESERVED
 CVE-2020-7934
        RESERVED
 CVE-2020-7933
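Review bot: the six new Plone entries (CVE-2020-7936 through CVE-2020-7941) are all left at TODO: check although they name different affected ranges (Plone 4.0 through 5.x, Plone 5.0 through 5.2.1, plone.restapi in 5.2.0 through 5.2.1); they should be triaged together in one pass so that each ends up with either a package line or a NOT-FOR-US: Plone resolution, with CVE-2020-7939 (SQL injection in DTML or connection objects) looked at first.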
@@ -1470,8 +1494,8 @@ CVE-2020-7247
        RESERVED
 CVE-2020-7246 (A remote code execution (RCE) vulnerability exists in qdPM 9.1 
and ear ...)
        NOT-FOR-US: qdPM
-CVE-2020-7245
-       RESERVED
+CVE-2020-7245 (Incorrect username validation in the registration processes of 
CTFd th ...)
+       TODO: check
 CVE-2020-7244 (Comtech Stampede FX-1010 7.4.3 devices allow remote 
authenticated admi ...)
        NOT-FOR-US: Comtech Stampede FX-1010 devices
 CVE-2020-7243 (Comtech Stampede FX-1010 7.4.3 devices allow remote 
authenticated admi ...)
@@ -4123,8 +4147,8 @@ CVE-2020-6009
        RESERVED
 CVE-2020-6008
        RESERVED
-CVE-2020-6007
-       RESERVED
+CVE-2020-6007 (Philips Hue Bridge model 2.X prior to and including version 
1935144020 ...)
+       TODO: check
 CVE-2020-6006
        RESERVED
 CVE-2020-6005
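Review bot: CVE-2020-6007 is left at TODO: check, but its description names Philips Hue Bridge model 2.X firmware (version 1935144020 and earlier), i.e. vendor device firmware rather than packaged software, so the follow-up triage can most likely resolve it as NOT-FOR-US: Philips Hue Bridge, the same form used for the Comtech device entries elsewhere in this diff.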
@@ -9502,18 +9526,18 @@ CVE-2019-19900 (An issue was discovered in Backdrop CMS 
1.13.x before 1.13.5 and
        - backdrop <itp> (bug #914257)
 CVE-2019-19899 (Pebble Templates 3.1.2 allows attackers to bypass a protection 
mechani ...)
        NOT-FOR-US: Pebble Templates
-CVE-2019-19898
-       RESERVED
-CVE-2019-19897
-       RESERVED
-CVE-2019-19896
-       RESERVED
-CVE-2019-19895
-       RESERVED
-CVE-2019-19894
-       RESERVED
-CVE-2019-19893
-       RESERVED
+CVE-2019-19898 (In IXP EasyInstall 6.2.13723, there are cleartext credentials 
in netwo ...)
+       TODO: check
+CVE-2019-19897 (In IXP EasyInstall 6.2.13723, there is Remote Code Execution 
via the A ...)
+       TODO: check
+CVE-2019-19896 (In IXP EasyInstall 6.2.13723, there is Remote Code Execution 
via weak  ...)
+       TODO: check
+CVE-2019-19895 (In IXP EasyInstall 6.2.13723, there is Lateral Movement (using 
the Age ...)
+       TODO: check
+CVE-2019-19894 (In IXP EasyInstall 6.2.13723, it is possible to temporarily 
disable UA ...)
+       TODO: check
+CVE-2019-19893 (In IXP EasyInstall 6.2.13723, there is Directory Traversal on 
TCP port ...)
+       TODO: check
 CVE-2019-19892
        RESERVED
 CVE-2019-19891 (An encryption key vulnerability on Mitel SIP-DECT wireless 
devices 8.0 ...)
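Review bot: the six IXP EasyInstall entries (CVE-2019-19893 through CVE-2019-19898) all name the same product and build, 6.2.13723, yet each gets its own TODO: check; they can be settled with a single decision and, if the product is not in Debian, resolved uniformly as NOT-FOR-US: IXP EasyInstall so that six separate TODO lines do not linger.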
@@ -23114,8 +23138,7 @@ CVE-2019-17571 (Included in Log4j 1.2 is a SocketServer 
class that is vulnerable
        NOTE: is end-of-life upstream and does not recieve a fix for this 
issue. Users
        NOTE: should upgrade to Log4j 2.x.
        NOTE: Fixed by 
https://src.fedoraproject.org/rpms/log4j12/c/d4c817c458d69dcc629a7271999d178b0dcb7c74?branch=master
-CVE-2019-17570 [untrusted deserialization]
-       RESERVED
+CVE-2019-17570 (An untrusted deserialization was found in the 
org.apache.xmlrpc.parser ...)
        - libxmlrpc3-java <unfixed> (bug #949089)
        NOTE: https://www.openwall.com/lists/oss-security/2020/01/16/1
        NOTE: Proposed patch: 
https://bugzilla.redhat.com/show_bug.cgi?id=1775193
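Review bot: in the unchanged context for CVE-2019-17571 the NOTE line reads "does not recieve a fix"; the spelling should be "receive", and the sentence reads as if it has lost its subject, so a small follow-up commit should reword that NOTE. The CVE-2019-17570 change itself looks right: the bracketed [untrusted deserialization] placeholder is superseded by the published description while the libxmlrpc3-java <unfixed> line, bug #949089 and both NOTE references are retained.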
@@ -28126,11 +28149,13 @@ CVE-2019-15797
        RESERVED
 CVE-2019-15796 [python-apt: Check that repository is trusted before 
downloading from it]
        RESERVED
+       {DSA-4609-1 DLA-2074-1}
        - python-apt 1.8.5
        NOTE: 
https://salsa.debian.org/apt-team/python-apt/commit/b4eef110b7ba4fb21cc0dd92585756f50e0100c9
 (1.8.5)
        NOTE: 
https://salsa.debian.org/apt-team/python-apt/commit/e3321eb9792bf3b4cace4cee47dc6da00fbee929
 (1.8.5)
 CVE-2019-15795 [python-apt: Do not use MD5 for verifying downloads]
        RESERVED
+       {DSA-4609-1 DLA-2074-1}
        - python-apt 1.8.5
        NOTE: 
https://salsa.debian.org/apt-team/python-apt/commit/e175130e51c2b0424f3dfeb825e3dc598fec1a24
 (1.8.5)
 CVE-2019-15794
@@ -31134,8 +31159,7 @@ CVE-2019-14887
 CVE-2019-14886
        RESERVED
        NOT-FOR-US: Business central
-CVE-2019-14885
-       RESERVED
+CVE-2019-14885 (A flaw was found in the JBoss EAP Vault system in all versions 
before  ...)
        NOT-FOR-US: JBoss EAP
 CVE-2019-14884
        RESERVED
@@ -218889,8 +218913,7 @@ CVE-2015-5957 (Buffer overflow in the DumpSysVar 
function in var.c in Remind bef
        {DLA-289-1}
        - remind 03.01.15-1 (unimportant)
        NOTE: Non-exploitable starting with Wheezy due to D_FORTIFY_SOURCE
-CVE-2015-5745 [buffer overflow in virtio-serial]
-       RESERVED
+CVE-2015-5745 (Buffer overflow in the send_control_msg function in 
hw/char/virtio-ser ...)
        {DSA-3349-1 DSA-3348-1}
        - qemu 1:2.4+dfsg-1a (bug #795087)
        [wheezy] - qemu 1.1.2+dfsg-6a+deb7u9
@@ -220204,11 +220227,9 @@ CVE-2015-5336 (Multiple cross-site scripting (XSS) 
vulnerabilities in the survey
 CVE-2015-5335 (Cross-site request forgery (CSRF) vulnerability in 
admin/registration/ ...)
        - moodle 2.7.11+dfsg-1
        [squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
-CVE-2015-5334
-       RESERVED
+CVE-2015-5334 (Off-by-one error in the OBJ_obj2txt function in LibreSSL before 
2.3.1  ...)
        - libressl <itp> (bug #754513)
-CVE-2015-5333
-       RESERVED
+CVE-2015-5333 (Memory leak in the OBJ_obj2txt function in LibreSSL before 
2.3.1 allow ...)
        - libressl <itp> (bug #754513)
 CVE-2015-5332 (Atto in Moodle 2.8.x before 2.8.9 and 2.9.x before 2.9.3 allows 
remote ...)
        - moodle <not-affected> (Only affects 2.8 and later)
@@ -220459,8 +220480,7 @@ CVE-2015-5279 (Heap-based buffer overflow in the 
ne2000_receive function in hw/n
        - qemu-kvm <removed>
        [squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg03984.html
-CVE-2015-5278 [net: avoid infinite loop when receiving packets]
-       RESERVED
+CVE-2015-5278 (The ne2000_receive function in hw/net/ne2000.c in QEMU before 
2.4.0.1  ...)
        {DSA-3362-1 DSA-3361-1}
        - qemu 1:2.4+dfsg-3 (bug #799073)
        [squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS)
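Review bot: for CVE-2015-5278 the new description gives the upstream fix as QEMU 2.4.0.1, while the Debian fixed version stays at qemu 1:2.4+dfsg-3, which predates that upstream release; the two are consistent only if 1:2.4+dfsg-3 carries the backported ne2000_receive fix tracked in bug #799073, so it is worth confirming that upload's changelog rather than relying on the version comparison alone.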
@@ -220617,8 +220637,7 @@ CVE-2015-5240 (Race condition in OpenStack Neutron 
before 2014.2.4 and 2015.1 be
        - neutron 1:7.0.0-1
        [jessie] - neutron <no-dsa> (Minor issue)
        NOTE: versions through 2014.2.3 and 2015.1 versions through 2015.1.1
-CVE-2015-5239 [Integer overflow in vnc_client_read() and protocol_client_msg()]
-       RESERVED
+CVE-2015-5239 (Integer overflow in the VNC display driver in QEMU before 2.1.0 
allows ...)
        {DLA-574-1 DLA-573-1}
        - qemu 2.1+dfsg-1
        [squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS)
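Review bot: replacing the bracketed summary for CVE-2015-5239 drops the two function names it carried, vnc_client_read() and protocol_client_msg(), and the published description only says "Integer overflow in the VNC display driver"; consider preserving the function names in a NOTE line so that anyone checking the 2.1+dfsg-1 fix or the DLA-574-1 and DLA-573-1 backports can still locate the affected code quickly.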
@@ -238847,8 +238866,8 @@ CVE-2012-6665 (Directory traversal vulnerability in 
index.php in phpMoneyBooks 1
        NOT-FOR-US: phpMoneyBooks
 CVE-2012-6664
        RESERVED
-CVE-2012-6663
-       RESERVED
+CVE-2012-6663 (General Electric D20ME devices are not properly configured and 
reveal  ...)
+       TODO: check
 CVE-2014-8988 (MantisBT before 1.2.18 allows remote authenticated users to 
bypass the ...)
        {DSA-3120-1}
        - mantis <removed>
@@ -249036,8 +249055,8 @@ CVE-2014-4644 (SQL injection vulnerability in 
superlinks.php in the superlinks p
        NOT-FOR-US: Cacti plugin superlinks
 CVE-2014-4643 (Multiple heap-based buffer overflows in the client in Core FTP 
LE 2.2  ...)
        NOT-FOR-US: Core FTP client
-CVE-2012-6649
-       RESERVED
+CVE-2012-6649 (WordPress WP GPX Maps Plugin 1.1.21 allows remote attackers to 
execute ...)
+       TODO: check
 CVE-2014-4721 (The phpinfo implementation in ext/standard/info.c in PHP before 
5.4.30 ...)
        {DSA-2974-1 DLA-0018-1}
        - php5 5.6.0~rc1+dfsg-2 (low)
@@ -277019,8 +277038,8 @@ CVE-2013-1595
        RESERVED
 CVE-2013-1594
        RESERVED
-CVE-2013-1593
-       RESERVED
+CVE-2013-1593 (A Denial of Service vulnerability exists in the WRITE_C 
function in th ...)
+       TODO: check
 CVE-2013-1592 (A Buffer Overflow vulnerability exists in the Message Server 
service _ ...)
        NOT-FOR-US: SAP
 CVE-2013-1591 (Stack-based buffer overflow in libpixman, as used in Pale Moon 
before  ...)
@@ -284139,8 +284158,8 @@ CVE-2012-5391 (Session fixation vulnerability in 
Special:UserLogin in MediaWiki
 CVE-2012-5390 (The standard universe shadow (condor_shadow.std) component in 
Condor 7 ...)
        - condor <not-affected> (standard universe is disabled in the Debian 
package, see bug #697936)
        NOTE: 
http://research.cs.wisc.edu/htcondor/security/vulnerabilities/CONDOR-2012-0003.html
-CVE-2012-5389
-       RESERVED
+CVE-2012-5389 (NULL Pointer Dereference in PowerTCP WebServer for ActiveX 
1.9.2 and e ...)
+       TODO: check
 CVE-2012-5388 (Cross-site scripting (XSS) vulnerability in wlcms-plugin.php in 
the Wh ...)
        NOT-FOR-US: White Label CMS
 CVE-2012-5387 (Cross-site request forgery (CSRF) vulnerability in 
wlcms-plugin.php in ...)
@@ -284287,8 +284306,8 @@ CVE-2011-5210 (Directory traversal vulnerability in 
admin/preview.php in Limny 3
        NOT-FOR-US: Limny
 CVE-2011-5209 (Cross-site scripting (XSS) vulnerability in search/ in 
GraphicsClone S ...)
        NOT-FOR-US: GraphicsClone
-CVE-2012-5340
-       RESERVED
+CVE-2012-5340 (SumatraPDF 2.1.1/MuPDF 1.0 allows remote attackers to cause an 
Integer ...)
+       TODO: check
 CVE-2012-5339 (Multiple cross-site scripting (XSS) vulnerabilities in 
phpMyAdmin 3.5. ...)
        - phpmyadmin <not-affected> (Only affects 3.5.x, not packaged yet, see 
#691728)
 CVE-2012-5338 (Open redirect vulnerability in JForum 2.1.9 allows remote 
attackers to ...)
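Review bot: CVE-2012-5340 names both SumatraPDF 2.1.1 and MuPDF 1.0 in its description, so the TODO: check should explicitly decide whether the integer issue lies in the MuPDF code path; if it does, a package line for MuPDF (with the fixed or not-affected version) is needed rather than a NOT-FOR-US resolution keyed on SumatraPDF alone.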
@@ -286349,8 +286368,8 @@ CVE-2009-5123 (The Antivirus component in Comodo 
Internet Security before 3.11.1
        NOT-FOR-US: Comodo Internet Security
 CVE-2012-4667 (Multiple cross-site scripting (XSS) vulnerabilities in 
SquidClamav 5.x ...)
        - squidclamav <removed> (bug #685398)
-CVE-2012-4606
-       RESERVED
+CVE-2012-4606 (Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 
Common Cri ...)
+       TODO: check
 CVE-2011-5117 (Sophos SafeGuard Enterprise Device Encryption 5.x through 
5.50.8.13, S ...)
        NOT-FOR-US: Sophos SafeGuard
 CVE-2011-5116 (SQL injection vulnerability in setseed-hub in SetSeed CMS 
5.8.20, 5.11 ...)
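Review bot: CVE-2012-4606 describes Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1 and 5.6 Common Criteria; before the TODO: check is resolved as NOT-FOR-US, triage should determine whether the flaw sits in Citrix-specific tooling or in the underlying Xen hypervisor code those releases ship, since only the latter would need a package line.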



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/1bd192e880689123c96489acb240c35ea45a1a29



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
