Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b7449e14 by security tracker role at 2020-07-08T20:10:20+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2513,7 +2513,7 @@ CVE-2020-14478
 CVE-2020-14477 (In Philips Ultrasound ClearVue Versions 3.2 and prior, 
Ultrasound CX V ...)
        NOT-FOR-US: Philips
 CVE-2020-14476
-       RESERVED
+       REJECTED
 CVE-2020-14475 (A reflected cross-site scripting (XSS) vulnerability in 
Dolibarr 11.0. ...)
        - dolibarr <removed>
        NOTE: 
https://github.com/Dolibarr/dolibarr/commit/22ca5e067189bffe8066df26df923a386f044c08
@@ -8936,8 +8936,8 @@ CVE-2020-11996 (A specially crafted sequence of HTTP/2 
requests sent to Apache T
        NOTE: 
https://github.com/apache/tomcat/commit/c8acd2ab7371e39aeca7c306f3b5380f00afe552
 (8.5.56)
 CVE-2020-11995
        RESERVED
-CVE-2020-11994
-       RESERVED
+CVE-2020-11994 (Server-Side Template Injection and arbitrary file disclosure 
on Camel  ...)
+       TODO: check
 CVE-2020-11993
        RESERVED
 CVE-2020-11992
@@ -8947,6 +8947,7 @@ CVE-2020-11991
 CVE-2020-11990
        RESERVED
 CVE-2020-11989 (Apache Shiro before 1.5.3, when using Apache Shiro with Spring 
dynamic ...)
+       {DLA-2273-1}
        - shiro <unfixed>
        NOTE: https://www.openwall.com/lists/oss-security/2020/06/22/1
        NOTE: https://github.com/apache/shiro/pull/211
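Review bot: the only change to CVE-2020-11989 is the added `{DLA-2273-1}` line; sid still reads `- shiro <unfixed>`, which is consistent because a DLA covers only the LTS suite. The sibling entry CVE-2020-1957 records a bug number on its unfixed line (`- shiro <unfixed> (bug #955018)`) while this one has none, so it is worth checking whether the sid fix for the 1.5.3 follow-up is tracked in the BTS and, if so, adding the reference here.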
@@ -9926,8 +9927,8 @@ CVE-2020-11851
        RESERVED
 CVE-2020-11850
        RESERVED
-CVE-2020-11849
-       RESERVED
+CVE-2020-11849 (Elevation of privilege and/or unauthorized access 
vulnerability in Mic ...)
+       TODO: check
 CVE-2020-11848
        RESERVED
 CVE-2020-11847
@@ -12351,7 +12352,7 @@ CVE-2020-11076 (In Puma (RubyGem) before 4.3.4 and 
3.12.5, an attacker could smu
        NOTE: 
https://github.com/puma/puma/commit/f24d5521295a2152c286abb0a45a1e1e2bd275bd
 CVE-2020-11075 (In Anchore Engine version 0.7.0, a specially crafted container 
image m ...)
        NOT-FOR-US: Anchore Engine
-CVE-2020-11074 (In PrestaShop from version 1.5.3.0 and before version 1.7.7.6, 
there i ...)
+CVE-2020-11074 (In PrestaShop from version 1.5.3.0 and before version 1.7.6.6, 
there i ...)
        NOT-FOR-US: PrestaShop
 CVE-2020-11073 (In Autoswitch Python Virtualenv before version 0.16.0, a user 
who ente ...)
        NOT-FOR-US: zsh-autoswitch-virtualenv
@@ -12879,6 +12880,7 @@ CVE-2020-10935 (Zulip Server before 2.1.3 allows XSS 
via a Markdown link, with r
 CVE-2020-10934 (Acyba AcyMailing before 6.9.2 mishandles file uploads by 
admins. ...)
        NOT-FOR-US: Acyba AcyMailing
 CVE-2020-10933 (An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x 
through 2.6 ...)
+       {DSA-4721-1}
        - ruby2.7 2.7.1-1
        - ruby2.5 <removed>
        - ruby2.3 <not-affected> (Vulnerable code introduced in 2.5.0)
@@ -13920,7 +13922,7 @@ CVE-2020-10665 (Docker Desktop allows local privilege 
escalation to NT AUTHORITY
 CVE-2020-10664 (The IGMP component in VxWorks 6.8.3 IPNET CVE patches created 
in 2019  ...)
        NOT-FOR-US: VxWorks
 CVE-2020-10663 (The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 
through 2.4.9 ...)
-       {DLA-2192-1 DLA-2190-1}
+       {DSA-4721-1 DLA-2192-1 DLA-2190-1}
        - ruby-json 2.3.0+dfsg-1
        [buster] - ruby-json <no-dsa> (Minor issue)
        [stretch] - ruby-json <no-dsa> (Minor issue)
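Review bot: DSA-4721-1 is added to the advisory set of CVE-2020-10663 while `[buster] - ruby-json <no-dsa> (Minor issue)` is kept unchanged. Those two lines only agree if the DSA fixes the JSON code bundled in the interpreter package (the same DSA is attached to the Ruby entry CVE-2020-10933 in this commit) rather than the separate ruby-json source package; if the DSA actually covers ruby-json in buster, the `<no-dsa>` marker now contradicts it and should be dropped.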
@@ -14592,7 +14594,7 @@ CVE-2020-10379 (In Pillow before 7.1.0, there are two 
Buffer Overflows in libIma
        [jessie] - pillow <no-dsa> (Minor issue)
        NOTE: https://github.com/python-pillow/Pillow/pull/4538
        NOTE: Fixed in 6.2.3 and 7.1.0
-CVE-2020-10378 (In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x 
before 7.0.1, ...)
+CVE-2020-10378 (In libImaging/PcxDecode.c in Pillow before before 7.0.1, an 
out-of-bou ...)
        - pillow <unfixed>
        [jessie] - pillow <no-dsa> (Minor issue)
        NOTE: https://github.com/python-pillow/Pillow/pull/4538
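Review bot: the refreshed description for CVE-2020-10378 reads "Pillow before before 7.0.1", a doubled word carried over from the upstream CVE text; since descriptions are synced automatically, the wording should be corrected in the upstream feed rather than edited here. The description also no longer mentions 6.2.3 as a fixed version, but the tracker state (`- pillow <unfixed>`, PR 4538 as the fix reference) is unchanged, so no action is needed on this entry from the description change alone.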
@@ -15059,7 +15061,7 @@ CVE-2020-10179
        RESERVED
 CVE-2020-10178
        REJECTED
-CVE-2020-10177 (Pillow before 6.2.3 and 7.x before 7.0.1 has multiple 
out-of-bounds re ...)
+CVE-2020-10177 (Pillow before 7.0.1 has multiple out-of-bounds reads in 
libImaging/Fli ...)
        - pillow <unfixed>
        [jessie] - pillow <no-dsa> (Minor issue)
        NOTE: https://github.com/python-pillow/Pillow/pull/4503
@@ -22170,8 +22172,8 @@ CVE-2020-7142
        RESERVED
 CVE-2020-7141
        RESERVED
-CVE-2020-7140
-       RESERVED
+CVE-2020-7140 (A security vulnerability in HPE IceWall SSO Dfw and Dgfw 
(Domain Gatew ...)
+       TODO: check
 CVE-2020-7139 (Potential remote access security vulnerabilities have been 
identified  ...)
        NOT-FOR-US: HPE
 CVE-2020-7138 (Potential remote code execution security vulnerabilities have 
been ide ...)
@@ -22694,8 +22696,8 @@ CVE-2020-6940
        RESERVED
 CVE-2020-6939
        RESERVED
-CVE-2020-6938
-       RESERVED
+CVE-2020-6938 (A sensitive information disclosure vulnerability in Tableau 
Server 10. ...)
+       TODO: check
 CVE-2020-6937 (A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 
3.9.x, ...)
        NOT-FOR-US: MuleSoft
 CVE-2020-6936
@@ -25491,8 +25493,8 @@ CVE-2020-5841 (An issue was discovered in OpServices 
OpMon 9.3.1-1. Using passwo
        NOT-FOR-US: OpServices OpMon
 CVE-2020-5840 (An issue was discovered in HashBrown CMS before 1.3.2. 
Server/Entity/R ...)
        NOT-FOR-US: HashBrown CMS
-CVE-2020-5839
-       RESERVED
+CVE-2020-5839 (Symantec Endpoint Detection And Response, prior to 4.4, may be 
suscept ...)
+       TODO: check
 CVE-2020-5838 (Symantec IT Analytics, prior to 2.9.1, may be susceptible to a 
cross-s ...)
        NOT-FOR-US: Symantec
 CVE-2020-5837 (Symantec Endpoint Protection, prior to 14.3, may not respect 
file perm ...)
@@ -25641,8 +25643,8 @@ CVE-2020-5766
        RESERVED
 CVE-2020-5765
        RESERVED
-CVE-2020-5764
-       RESERVED
+CVE-2020-5764 (MX Player Android App versions prior to v1.24.5, are vulnerable 
to a d ...)
+       TODO: check
 CVE-2020-5763
        RESERVED
 CVE-2020-5762
@@ -29917,8 +29919,8 @@ CVE-2020-3975
        RESERVED
 CVE-2020-3974
        RESERVED
-CVE-2020-3973
-       RESERVED
+CVE-2020-3973 (The VeloCloud Orchestrator does not apply correct input 
validation whi ...)
+       TODO: check
 CVE-2020-3972 (VMware Tools for macOS (11.x.x and prior before 11.1.1) 
contains a den ...)
        NOT-FOR-US: VMware
 CVE-2020-3971 (VMware ESXi (6.7 before ESXi670-201904101-SG and 6.5 before 
ESXi650-20 ...)
@@ -30662,8 +30664,8 @@ CVE-2020-3933 (Secom Co. Dr.ID, a Door Access Control 
and Personnel Attendance M
        NOT-FOR-US: Secom Co. Dr.ID
 CVE-2020-3932 (A vulnerable SNMP in Draytek VigorAP910C cannot be disabled, 
which may ...)
        NOT-FOR-US: Draytek VigorAP910C
-CVE-2020-3931
-       RESERVED
+CVE-2020-3931 (Buffer overflow exists in Geovision Door Access Control device 
family, ...)
+       TODO: check
 CVE-2020-3930 (GeoVision Door Access Control device family improperly stores 
and cont ...)
        NOT-FOR-US: GeoVision Door Access Control
 CVE-2020-3929 (GeoVision Door Access Control device family employs shared 
cryptograph ...)
@@ -35635,16 +35637,16 @@ CVE-2020-2036
        RESERVED
 CVE-2020-2035
        RESERVED
-CVE-2020-2034
-       RESERVED
+CVE-2020-2034 (An OS Command Injection vulnerability in the PAN-OS 
GlobalProtect port ...)
+       TODO: check
 CVE-2020-2033 (When the pre-logon feature is enabled, a missing certification 
validat ...)
        NOT-FOR-US: Palo Alto Networks
 CVE-2020-2032 (A race condition vulnerability Palo Alto Networks GlobalProtect 
app on ...)
        NOT-FOR-US: Palo Alto Networks
-CVE-2020-2031
-       RESERVED
-CVE-2020-2030
-       RESERVED
+CVE-2020-2031 (An integer underflow vulnerability in the dnsproxyd component 
of the P ...)
+       TODO: check
+CVE-2020-2030 (An OS Command Injection vulnerability in the PAN-OS management 
interfa ...)
+       TODO: check
 CVE-2020-2029 (An OS Command Injection vulnerability in the PAN-OS web 
management int ...)
        NOT-FOR-US: Palo Alto Networks
 CVE-2020-2028 (An OS Command Injection vulnerability in PAN-OS management 
server allo ...)
@@ -35747,8 +35749,8 @@ CVE-2020-1983 (A use after free vulnerability in 
ip_reass() in ip_input.c of lib
        NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/9bd6c5913271eabcb7768a58197ed3301fe19f2d
        NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as 
fixed
        NOTE: slirp4netns 1.0.1-1 switched to system libslirp, marking that 
version as fixed.
-CVE-2020-1982
-       RESERVED
+CVE-2020-1982 (Certain communication between PAN-OS and cloud-delivered 
services inad ...)
+       TODO: check
 CVE-2020-1981 (A predictable temporary filename vulnerability in PAN-OS allows 
local  ...)
        NOT-FOR-US: PAN-OS
 CVE-2020-1980 (A shell command injection vulnerability in the PAN-OS CLI 
allows a loc ...)
@@ -36069,7 +36071,7 @@ CVE-2020-1959 (A Server-Side Template Injection was 
identified in Apache Syncope
 CVE-2020-1958 (When LDAP authentication is enabled in Apache Druid 0.17.0, 
callers of ...)
        - druid <itp> (bug #825797)
 CVE-2020-1957 (Apache Shiro before 1.5.2, when using Apache Shiro with Spring 
dynamic ...)
-       {DLA-2181-1}
+       {DLA-2273-1 DLA-2181-1}
        - shiro <unfixed> (bug #955018)
        NOTE: https://www.openwall.com/lists/oss-security/2020/03/23/2
        NOTE: Fixed by: 
https://github.com/apache/shiro/commit/3708d7907016bf2fa12691dff6ff0def1249b8ce#diff-98f7bc5c0391389e56531f8b3754081aL139
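Review bot: CVE-2020-1957 now carries two LTS advisories (`{DLA-2273-1 DLA-2181-1}`). That is the expected shape when a later LTS update revisits a CVE, and it lines up with DLA-2273-1 also being attached to CVE-2020-11989 (the "Shiro before 1.5.3" follow-up to this "before 1.5.2" issue) in this commit. Sid stays `- shiro <unfixed> (bug #955018)`, so nothing in this hunk closes the open bug.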
@@ -36722,17 +36724,17 @@ CVE-2019-19419
        RESERVED
 CVE-2019-19418
        RESERVED
-CVE-2019-19417
-       RESERVED
-CVE-2019-19416
-       RESERVED
-CVE-2019-19415
-       RESERVED
+CVE-2019-19417 (The SIP module of some Huawei products have a denial of 
service (DoS)  ...)
+       TODO: check
+CVE-2019-19416 (The SIP module of some Huawei products have a denial of 
service (DoS)  ...)
+       TODO: check
+CVE-2019-19415 (The SIP module of some Huawei products have a denial of 
service (DoS)  ...)
+       TODO: check
 CVE-2019-19414 (There is an integer overflow vulnerability in LDAP server of 
some Huaw ...)
        NOT-FOR-US: Huawei
 CVE-2019-19413 (There is an integer overflow vulnerability in LDAP client of 
some Huaw ...)
        NOT-FOR-US: Huawei
-CVE-2019-19412 (Some Huawei smart phones have a Factory Reset Protection (FRP) 
bypass  ...)
+CVE-2019-19412 (Huawei smart phones have a Factory Reset Protection (FRP) 
bypass secur ...)
        NOT-FOR-US: Huawei
 CVE-2019-19411 (USG9500 with versions of V500R001C30SPC100, V500R001C30SPC200, 
V500R00 ...)
        NOT-FOR-US: Huawei
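Review bot: CVE-2019-19417, CVE-2019-19416 and CVE-2019-19415 share an identical truncated description ("The SIP module of some Huawei products have a denial of service (DoS) ...") and are all left at `TODO: check`; every other entry in this hunk is `NOT-FOR-US: Huawei`, so these three are best triaged together. The change to CVE-2019-19412 is wording only ("Some Huawei smart phones" becomes "Huawei smart phones"), with the marker unchanged.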



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7449e14b5b83c2e3d87f3863f55f299a91b8359


