Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
623bafda by security tracker role at 2020-07-20T20:10:21+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,15 @@
+CVE-2020-15857
+       RESERVED
+CVE-2020-15856
+       RESERVED
+CVE-2020-15855
+       RESERVED
+CVE-2020-15854
+       RESERVED
+CVE-2020-15853
+       RESERVED
+CVE-2020-15852 (An issue was discovered in the Linux kernel 5.5 through 5.7.9, 
as used ...)
+       TODO: check
 CVE-2020-XXXX [mpv insecure lua loadpath]
        - mpv 0.32.0-2 (bug #950816)
        [buster] - mpv <no-dsa> (Minor issue)
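
Review bot: CVE-2020-15852 names the Linux kernel (5.5 through 5.7.9) in its description, so the TODO: check should be resolved against the linux source package (fixed version or <unfixed>) rather than left with the generic marker; the five preceding CVE-2020-15853 to CVE-2020-15857 entries are plain RESERVED placeholders and need no action until descriptions arrive.
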
@@ -1646,18 +1658,18 @@ CVE-2020-15125
        RESERVED
 CVE-2020-15124
        RESERVED
-CVE-2020-15123
-       RESERVED
+CVE-2020-15123 (In codecov (npm package) before version 3.7.1 the upload 
method has a  ...)
+       TODO: check
 CVE-2020-15122
        RESERVED
-CVE-2020-15121
-       RESERVED
+CVE-2020-15121 (In radare2 before version 4.5.0, malformed PDB file names in 
the PDB s ...)
+       TODO: check
 CVE-2020-15120
        RESERVED
 CVE-2020-15119
        RESERVED
-CVE-2020-15118
-       RESERVED
+CVE-2020-15118 (In Wagtail before versions 2.7.4 and 2.9.3, when a form page 
type is m ...)
+       TODO: check
 CVE-2020-15117 (In Synergy before version 1.12.0, a Synergy server can be 
crashed by r ...)
        - synergy <removed>
        NOTE: 
https://github.com/symless/synergy-core/commit/0a97c2be0da2d0df25cb86dfd642429e7a8bea39
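
Review bot: of the three new TODO: check entries, CVE-2020-15121 concerns radare2, which is a Debian source package, so it needs a fixed-version line (or <unfixed>) once it is known whether 4.5.0 or a backport of the fix is in the archive; CVE-2020-15123 (codecov npm package) and CVE-2020-15118 (Wagtail) look like NOT-FOR-US candidates unless those are packaged. The synergy entry in the trailing context shows the expected end state, with the upstream fix commit recorded as a NOTE.
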
@@ -1672,8 +1684,8 @@ CVE-2020-15113
        RESERVED
 CVE-2020-15112
        RESERVED
-CVE-2020-15111
-       RESERVED
+CVE-2020-15111 (In Fiber before version 1.12.6, the filename that is given in 
c.Attach ...)
+       TODO: check
 CVE-2020-15110 (In jupyterhub-kubespawner before 0.12, certain usernames will 
be able  ...)
        NOT-FOR-US: jupyterhub-kubespawner
 CVE-2020-15109
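
Review bot: CVE-2020-15111 (Fiber, presumably the gofiber Go web framework given the c.Attach reference) is left as TODO: check directly above CVE-2020-15110, which is already NOT-FOR-US; if Fiber is not packaged in Debian the new entry should be closed the same way, otherwise it needs a source package line.
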
@@ -1795,10 +1807,10 @@ CVE-2020-15055
        RESERVED
 CVE-2020-15054
        RESERVED
-CVE-2020-15053
-       RESERVED
-CVE-2020-15052
-       RESERVED
+CVE-2020-15053 (An issue was discovered in Artica Proxy CE before 
4.28.030.418. Reflec ...)
+       TODO: check
+CVE-2020-15052 (An issue was discovered in Artica Proxy CE before 
4.28.030.418. SQL In ...)
+       TODO: check
 CVE-2020-15051 (An issue was discovered in Artica Proxy before 4.30.000000. 
Stored XSS ...)
        NOT-FOR-US: Artica Proxy
 CVE-2020-15050 (An issue was discovered in the Video Extension in Suprema 
BioStar 2 be ...)
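
Review bot: CVE-2020-15053 and CVE-2020-15052 are left as TODO: check even though the next entry in this hunk, CVE-2020-15051, is the same product and already carries NOT-FOR-US: Artica Proxy; the two new entries should get the same marker for consistency.
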
@@ -1901,8 +1913,8 @@ CVE-2020-15011 (GNU Mailman before 2.1.33 allows 
arbitrary content injection via
        NOTE: https://bugs.launchpad.net/mailman/+bug/1877379
 CVE-2020-15010
        RESERVED
-CVE-2020-15009
-       RESERVED
+CVE-2020-15009 (AsusScreenXpertServicec.exe and 
ScreenXpertUpgradeServiceManager.exe i ...)
+       TODO: check
 CVE-2020-15008 (A SQLi exists in the probe code of all Connectwise Automate 
versions b ...)
        NOT-FOR-US: Connectwise
 CVE-2020-15007 (A buffer overflow in the M_LoadDefaults function in m_misc.c 
in id Tec ...)
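
Review bot: CVE-2020-15009 describes Windows executables (AsusScreenXpertServicec.exe and ScreenXpertUpgradeServiceManager.exe), which cannot correspond to a Debian package, so the TODO: check can go straight to NOT-FOR-US, as was done for the Connectwise entry below it.
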
@@ -3012,14 +3024,14 @@ CVE-2020-14496
        RESERVED
 CVE-2020-14495
        RESERVED
-CVE-2020-14494
-       RESERVED
+CVE-2020-14494 (OpenClinic GA versions 5.09.02 and 5.89.05b contain an 
authentication  ...)
+       TODO: check
 CVE-2020-14493
        RESERVED
 CVE-2020-14492
        RESERVED
-CVE-2020-14491
-       RESERVED
+CVE-2020-14491 (OpenClinic GA versions 5.09.02 and 5.89.05b do not properly 
check perm ...)
+       TODO: check
 CVE-2020-14490
        RESERVED
 CVE-2020-14489
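
Review bot: CVE-2020-14494 and CVE-2020-14491 (OpenClinic GA) are left as TODO: check; unless OpenClinic GA is packaged in Debian, both should be resolved to NOT-FOR-US: OpenClinic GA, and the same applies to CVE-2020-14485 and CVE-2020-14484 in the next hunk.
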
@@ -3030,10 +3042,10 @@ CVE-2020-14487
        RESERVED
 CVE-2020-14486
        RESERVED
-CVE-2020-14485
-       RESERVED
-CVE-2020-14484
-       RESERVED
+CVE-2020-14485 (OpenClinic GA versions 5.09.02 and 5.89.05b may allow an 
attacker to b ...)
+       TODO: check
+CVE-2020-14484 (OpenClinic GA versions 5.09.02 and 5.89.05b may allow an 
attacker to b ...)
+       TODO: check
 CVE-2020-14483
        RESERVED
 CVE-2020-14482 (Delta Industrial Automation DOPSoft, Version 4.00.08.15 and 
prior. Ope ...)
@@ -9428,16 +9440,16 @@ CVE-2020-12033 (In Rockwell Automation FactoryTalk 
Services Platform, all versio
        NOT-FOR-US: Rockwell Automation
 CVE-2020-12032 (Baxter ExactaMix EM 2400 Versions 1.10, 1.11 and ExactaMix 
EM1200 Vers ...)
        NOT-FOR-US: Baxter
-CVE-2020-12031
-       RESERVED
+CVE-2020-12031 (In all versions of FactoryTalk View SE, after bypassing memory 
corrupt ...)
+       TODO: check
 CVE-2020-12030
        RESERVED
-CVE-2020-12029
-       RESERVED
-CVE-2020-12028
-       RESERVED
-CVE-2020-12027
-       RESERVED
+CVE-2020-12029 (All versions of FactoryTalk View SE do not properly validate 
input of  ...)
+       TODO: check
+CVE-2020-12028 (In all versions of FactoryTalk View SEA remote, an 
authenticated attac ...)
+       TODO: check
+CVE-2020-12027 (All versions of FactoryTalk View SE disclose the hostnames and 
file pa ...)
+       TODO: check
 CVE-2020-12026 (Advantech WebAccess Node, Version 8.4.4 and prior, Version 
9.0.0. Mult ...)
        NOT-FOR-US: Advantech WebAccess Node
 CVE-2020-12025 (Rockwell Automation Logix Designer Studio 5000 Versions 32.00, 
32.01,  ...)
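
Review bot: the four FactoryTalk View SE entries (CVE-2020-12031, CVE-2020-12029, CVE-2020-12028, CVE-2020-12027) stay TODO: check while CVE-2020-12033 at the top of this hunk, also a Rockwell product, already carries NOT-FOR-US: Rockwell Automation; mark these the same way. The description for CVE-2020-12028 reads "FactoryTalk View SEA remote", which looks like a missing space in the upstream text rather than a different product, so it does not change the triage.
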
@@ -11088,6 +11100,7 @@ CVE-2020-11727 (A cross-site scripting (XSS) 
vulnerability in the AlgolPlus Adva
 CVE-2020-11726
        RESERVED
 CVE-2020-11724 (An issue was discovered in OpenResty before 1.15.8.4. 
ngx_http_lua_sub ...)
+       {DLA-2283-1}
        - nginx 1.18.0-5 (bug #964950)
        NOTE: 
https://github.com/openresty/lua-nginx-module/commit/9ab38e8ee35fc08a57636b1b6190dca70b0076fa
 (ngx_lua 0.10.17, with tests)
        NOTE: 
https://github.com/openresty/openresty/commit/4e8b4c395f842a078e429c80dd063b2323999957
 (ngx_lua 0.10.15)
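
Review bot: the {DLA-2283-1} marker records the stretch fix for CVE-2020-11724, but the entry still has no [buster] line, so the tracker will derive buster's status from the unstable fixed version nginx 1.18.0-5 and list buster as affected without a decision; add a [buster] annotation (no-dsa, a planned DSA, or a fixed version) so the buster status is explicit.
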
@@ -14042,7 +14055,7 @@ CVE-2020-10784
        RESERVED
 CVE-2020-10783
        RESERVED
-CVE-2020-10782 (An exposure of sensitive information flaw was found in Ansible 
Tower b ...)
+CVE-2020-10782 (An exposure of sensitive information flaw was found in Ansible 
version ...)
        NOT-FOR-US: Ansible Tower
 CVE-2020-10781 [zram sysfs resource consumption]
        RESERVED
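
Review bot: the description of CVE-2020-10782 changes from "Ansible Tower b..." to "Ansible version ...", but the NOT-FOR-US: Ansible Tower line is kept unchanged; since ansible itself is a Debian source package, please re-verify against the full upstream text that the flaw is still specific to Tower and not to the Ansible engine, otherwise the entry needs an ansible package line instead of NOT-FOR-US.
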
@@ -20248,10 +20261,10 @@ CVE-2020-8217
        RESERVED
 CVE-2020-8216
        RESERVED
-CVE-2020-8215
-       RESERVED
-CVE-2020-8214
-       RESERVED
+CVE-2020-8215 (A buffer overflow is present in canvas version &lt;= 1.6.9, 
which coul ...)
+       TODO: check
+CVE-2020-8214 (A path traversal vulnerability in servey version &lt; 3 allows 
an atta ...)
+       TODO: check
 CVE-2020-8213
        RESERVED
 CVE-2020-8212
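
Review bot: the descriptions of CVE-2020-8215 (canvas) and CVE-2020-8214 (servey) give bare package names, so the TODO: check needs the ecosystem pinned down before triage; if these are npm packages not in Debian, the NOT-FOR-US: Node <name> form used for casperjs further down this file is the consistent way to close them, and the same applies to the uppy entry (CVE-2020-8205) in the next hunk.
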
@@ -20268,8 +20281,8 @@ CVE-2020-8207
        RESERVED
 CVE-2020-8206
        RESERVED
-CVE-2020-8205
-       RESERVED
+CVE-2020-8205 (The uppy npm package &lt; 1.13.2 and &lt; 2.0.0-alpha.5 is 
vulnerable  ...)
+       TODO: check
 CVE-2020-8204
        RESERVED
 CVE-2020-8203 (Prototype pollution attack when using _.zipObjectDeep in lodash 
&lt;=  ...)
@@ -20380,19 +20393,20 @@ CVE-2020-8166 (A CSRF forgery vulnerability exists in 
rails &lt; 5.2.5, rails &l
        NOTE: 
https://github.com/rails/rails/commit/d124f19287f4892c72ca54da728a781591c6fca1
        NOTE: per-form CSRF token introduced in 5.x: 
https://github.com/rails/rails/commit/3e98819e20bc113343d4d4c0df614865ad5a9d3a
 CVE-2020-8165 (A deserialization of untrusted data vulnernerability exists in 
rails & ...)
-       {DLA-2251-1}
+       {DLA-2282-1 DLA-2251-1}
        - rails 2:5.2.4.3+dfsg-1
        NOTE: 
https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released
        NOTE: 
https://github.com/rails/rails/commit/f7e077f85e61fc0b7381963eda0ceb0e457546b5 
(MemCache backend)
        NOTE: 
https://github.com/rails/rails/commit/467e3399c9007996c03ffe3212689d48dd25ae99 
(Redis backend)
        NOTE: Redis backend introduced in 5.2: 
https://github.com/rails/rails/commit/9f8ec3535247ac41a9c92e84ddc7a3b771bc318b
 CVE-2020-8164 (A deserialization of untrusted data vulnerability exists in 
rails &lt; ...)
-       {DLA-2251-1}
+       {DLA-2282-1 DLA-2251-1}
        [experimental] - rails 2:6.0.3.1+dfsg-1
        - rails 2:5.2.4.3+dfsg-1
        NOTE: 
https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released
        NOTE: 
https://github.com/rails/rails/commit/7a3ee4fea90b7555f8d09c6c05c15fe7ab5a06ec
 CVE-2020-8163 (The is a code injection vulnerability in versions of Rails 
prior to 5. ...)
+       {DLA-2282-1}
        - rails 2:5.2.0+dfsg-2
        NOTE: 
https://weblog.rubyonrails.org/2020/5/15/Rails-4-2-11-2-has-been-released/
        NOTE: 
https://weblog.rubyonrails.org/2020/5/16/rails-4-2-11-3-has-been-released/
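
Review bot: DLA-2282-1 is prepended to the existing DLA-2251-1 marker on CVE-2020-8165 and CVE-2020-8164 and added alone to CVE-2020-8163, whose only fixed version is rails 2:5.2.0+dfsg-2; the NOTE lines for CVE-2020-8163 point at the Rails 4.2.11.2 and 4.2.11.3 release announcements, so the new marker is what records the fix for the 4.2-era branch in LTS. Please double-check that the DLA text actually lists all three CVE ids, since a marker on an entry the advisory does not name would mis-report the stretch status.
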
@@ -21634,8 +21648,8 @@ CVE-2020-7682
        RESERVED
 CVE-2020-7681
        RESERVED
-CVE-2020-7680
-       RESERVED
+CVE-2020-7680 (docsify prior to 4.11.4 is susceptible to Cross-site Scripting 
(XSS).  ...)
+       TODO: check
 CVE-2020-7679 (In all versions of package casperjs, the mergeObjects utility 
function ...)
        NOT-FOR-US: Node casperjs
 CVE-2020-7678
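
Review bot: CVE-2020-7680 (docsify, an npm package per its description) remains TODO: check directly above CVE-2020-7679, which uses the NOT-FOR-US: Node casperjs form; unless docsify is packaged in Debian, close it the same way as NOT-FOR-US: Node docsify.
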
@@ -23487,10 +23501,10 @@ CVE-2020-6874
        RESERVED
 CVE-2020-6873
        RESERVED
-CVE-2020-6872
-       RESERVED
-CVE-2020-6871
-       RESERVED
+CVE-2020-6872 (The server management software module of ZTE has a storage XSS 
vulnera ...)
+       TODO: check
+CVE-2020-6871 (The server management software module of ZTE has an 
authentication iss ...)
+       TODO: check
 CVE-2020-6870 (The version V12.17.20T115 of ZTE U31R20 product is impacted by 
a desig ...)
        NOT-FOR-US: ZTE
 CVE-2020-6869 (All versions up to 10.06 of ZTEMarket APK are impacted by an 
informati ...)
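
Review bot: CVE-2020-6872 and CVE-2020-6871 are left as TODO: check while the two ZTE entries that follow in the same hunk, CVE-2020-6870 and CVE-2020-6869, already carry NOT-FOR-US: ZTE; the two new entries should get the same marker.
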
@@ -29501,8 +29515,8 @@ CVE-2020-4529 (IBM Maximo Asset Management 7.6.0 and 
7.6.1 is vulnerable to serv
        NOT-FOR-US: IBM
 CVE-2020-4528
        RESERVED
-CVE-2020-4527
-       RESERVED
+CVE-2020-4527 (IBM Planning Analytics 2.0 could allow a remote attacker to 
obtain sen ...)
+       TODO: check
 CVE-2020-4526
        RESERVED
 CVE-2020-4525
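
Review bot: CVE-2020-4527 (IBM Planning Analytics) stays TODO: check while CVE-2020-4529 at the top of this hunk already carries NOT-FOR-US: IBM; mark it the same way. The same applies to the IBM MQ for HPE NonStop entry (CVE-2020-4466) and the second Planning Analytics entry (CVE-2020-4361) in the two following hunks, each of which sits next to entries already marked NOT-FOR-US: IBM.
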
@@ -29623,8 +29637,8 @@ CVE-2020-4468 (IBM i2 Intelligent Analyis Platform 
9.2.1 could allow a remote at
        NOT-FOR-US: IBM
 CVE-2020-4467 (IBM i2 Intelligent Analyis Platform 9.2.1 could allow a remote 
attacke ...)
        NOT-FOR-US: IBM
-CVE-2020-4466
-       RESERVED
+CVE-2020-4466 (IBM MQ for HPE NonStop 8.0.4 and 8.1.0 could allow a remote 
authentica ...)
+       TODO: check
 CVE-2020-4465
        RESERVED
 CVE-2020-4464 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 
traditional co ...)
@@ -29833,8 +29847,8 @@ CVE-2020-4363 (IBM DB2 for Linux, UNIX and Windows 
(includes DB2 Connect Server)
        NOT-FOR-US: IBM
 CVE-2020-4362 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 
traditional is ...)
        NOT-FOR-US: IBM
-CVE-2020-4361
-       RESERVED
+CVE-2020-4361 (IBM Planning Analytics 2.0 could allow a remote attacker to 
obtain sen ...)
+       TODO: check
 CVE-2020-4360 (IBM Planning Analytics Local 2.0 is vulnerable to cross-site 
scripting ...)
        NOT-FOR-US: IBM
 CVE-2020-4359
@@ -32774,8 +32788,7 @@ CVE-2020-3483
        RESERVED
 CVE-2020-3482
        RESERVED
-CVE-2020-3481
-       RESERVED
+CVE-2020-3481 (A vulnerability in the EGG archive parsing module in Clam 
AntiVirus (C ...)
        - clamav 0.102.4+dfsg-1
        [buster] - clamav <no-dsa> (ClamAV is updated via -updates)
        NOTE: 
https://blog.clamav.net/2020/07/clamav-01024-security-patch-released.html
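
Review bot: CVE-2020-3481 is fully triaged in this automatic commit (fixed version clamav 0.102.4+dfsg-1, buster no-dsa with the -updates rationale), but there is no [stretch] line, so stretch's status is inferred from the unstable fixed version; if ClamAV in stretch is also delivered through -updates, a matching [stretch] annotation would keep the tracker output consistent with the buster line.
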



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/623bafdab0057bf225fe7cc66733637329d0e950



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
