Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b44c665d by Moritz Muehlenhoff at 2020-07-25T13:48:24+02:00
NFUs
no npm in stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -29,7 +29,7 @@ CVE-2020-15934
 CVE-2020-15933
        RESERVED
 CVE-2020-15932 (Overwolf before 0.149.2.30 mishandles Symbolic Links during 
updates, c ...)
-       TODO: check
+       NOT-FOR-US: Overwolf
 CVE-2020-15931
        RESERVED
 CVE-2020-15930
@@ -187,7 +187,7 @@ CVE-2020-15862
 CVE-2020-15861
        RESERVED
 CVE-2020-15860 (Parallels Remote Application Server (RAS) 17.1.1 has a 
Business Logic  ...)
-       TODO: check
+       NOT-FOR-US: Parallels
 CVE-2020-15859 (QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c 
because a gues ...)
        - qemu <unfixed> (bug #965978)
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2020-07/msg05895.html
@@ -1060,7 +1060,7 @@ CVE-2020-15494
 CVE-2020-15493
        RESERVED
 CVE-2020-15492 (An issue was discovered in INNEO Startup TOOLS 2017 M021 
12.0.66.3784  ...)
-       TODO: check
+       NOT-FOR-US: INNEO
 CVE-2020-15491
        RESERVED
 CVE-2020-15490 (An issue was discovered on Wavlink WL-WN530HG4 
M30HG4.V5030.191116 dev ...)
@@ -1090,7 +1090,7 @@ CVE-2020-15479
 CVE-2020-15478 (The Journal theme before 3.1.0 for OpenCart allows exposure of 
sensiti ...)
        NOT-FOR-US: Journal theme for OpenCart
 CVE-2020-15477 (The WebControl in RaspberryTortoise through 2012-10-28 is 
vulnerable t ...)
-       TODO: check
+       NOT-FOR-US: RaspberryTortoise
 CVE-2020-15476 (In nDPI through 3.2, the Oracle protocol dissector has a 
heap-based bu ...)
        - ndpi <unfixed>
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21780
@@ -1301,7 +1301,7 @@ CVE-2020-15393 (In the Linux kernel through 5.7.6, 
usbtest_disconnect in drivers
 CVE-2020-15392 (A user enumeration vulnerability flaw was found in Venki 
Supravizio BP ...)
        NOT-FOR-US: Venki
 CVE-2020-15391 (The UI in DevSpace 4.13.0 allows web sites to execute actions 
on pods  ...)
-       TODO: check
+       NOT-FOR-US: DevSpace
 CVE-2020-15390
        RESERVED
 CVE-2020-15389 (jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a 
use-after-free th ...)
@@ -1853,13 +1853,13 @@ CVE-2020-15128
 CVE-2020-15127
        RESERVED
 CVE-2020-15126 (In parser-server from version 3.5.0 and before 4.3.0, an 
authenticated ...)
-       TODO: check
+       NOT-FOR-US: Node parser-server
 CVE-2020-15125
        RESERVED
 CVE-2020-15124 (In Goobi Viewer Core before version 4.8.3, a path traversal 
vulnerabil ...)
-       TODO: check
+       NOT-FOR-US: Goobi Viewer Core
 CVE-2020-15123 (In codecov (npm package) before version 3.7.1 the upload 
method has a  ...)
-       TODO: check
+       NOT-FOR-US: Node codedev
 CVE-2020-15122
        RESERVED
 CVE-2020-15121 (In radare2 before version 4.5.0, malformed PDB file names in 
the PDB s ...)
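Review bot: the new triage line for CVE-2020-15123 reads `NOT-FOR-US: Node codedev`, but the CVE description on the line above names the codecov npm package; suggest `NOT-FOR-US: Node codecov` so the product name matches the description and later searches of data/CVE/list for "codecov" find this entry.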
@@ -1933,7 +1933,6 @@ CVE-2020-15096 (In Electron before versions 6.1.1, 7.2.4, 
8.2.4, and 9.0.0-beta2
 CVE-2020-15095 (Versions of the npm CLI prior to 6.14.6 are vulnerable to an 
informati ...)
        - npm 6.14.6+ds-1 (low; bug #964746)
        [buster] - npm <no-dsa> (Minor issue)
-       [stretch] - npm <no-dsa> (Minor issue)
        NOTE: https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp
        NOTE: 
https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc
 CVE-2020-15094
@@ -7664,7 +7663,7 @@ CVE-2020-12814
 CVE-2020-12813
        RESERVED
 CVE-2020-12812 (An improper authentication vulnerability in SSL VPN in FortiOS 
6.4.0,  ...)
-       TODO: check
+       NOT-FOR-US: Fortinet
 CVE-2020-12811
        RESERVED
 CVE-2020-12810
@@ -8177,7 +8176,7 @@ CVE-2020-12640 (Roundcube Webmail before 1.4.4 allows 
attackers to include local
 CVE-2020-12639 (phpList before 3.5.3 allows XSS, with resultant privilege 
elevation, v ...)
        - phplist <itp> (bug #612288)
 CVE-2020-12638 (An encryption-bypass issue was discovered on Espressif ESP-IDF 
devices ...)
-       TODO: check
+       NOT-FOR-US: Espressif
 CVE-2020-12637 (Zulip Desktop before 5.2.0 has Missing SSL Certificate 
Validation beca ...)
        NOT-FOR-US: Zulip Desktop
 CVE-2018-21233 (TensorFlow before 1.7.0 has an integer overflow that causes an 
out-of- ...)
@@ -8615,7 +8614,7 @@ CVE-2020-12434
 CVE-2020-12433
        RESERVED
 CVE-2020-12432 (The WOPI API integration for Vereign Collabora CODE through 
4.2.2 does ...)
-       TODO: check
+       NOT-FOR-US: Vereign Collabora CODE
 CVE-2020-12431 (A Windows privilege change issue was discovered in Splashtop 
Software  ...)
        NOT-FOR-US: Splashtop Software Updater
 CVE-2020-12430 (An issue was discovered in qemuDomainGetStatsIOThread in 
qemu/qemu_dri ...)
@@ -11620,11 +11619,11 @@ CVE-2020-11627 (An issue was discovered in EJBCA 
before 6.15.2.6 and 7.x before
 CVE-2020-11626 (An issue was discovered in EJBCA before 6.15.2.6 and 7.x 
before 7.3.1. ...)
        NOT-FOR-US: EJBCA / PrimeKey
 CVE-2020-11625 (An issue was discovered in AvertX Auto focus Night Vision HD 
Indoor/Ou ...)
-       TODO: check
+       NOT-FOR-US: AvertX
 CVE-2020-11624 (An issue was discovered in AvertX Auto focus Night Vision HD 
Indoor/Ou ...)
-       TODO: check
+       NOT-FOR-US: AvertX
 CVE-2020-11623 (An issue was discovered in AvertX Auto focus Night Vision HD 
Indoor/Ou ...)
-       TODO: check
+       NOT-FOR-US: AvertX
 CVE-2020-11622 (A vulnerability exists in Arista&#8217;s Cloud EOS VM / vEOS 
4.23.2M a ...)
        NOT-FOR-US: Cloud EOS
 CVE-2020-11621
@@ -12354,7 +12353,7 @@ CVE-2020-11441 (** DISPUTED ** phpMyAdmin 5.0.2 allows 
CRLF injection, as demons
        [jessie] - phpmyadmin <not-affected> (The pma_error display code does 
not exist in this version)
        NOTE: https://github.com/phpmyadmin/phpmyadmin/issues/16056
 CVE-2020-11440 (httpRpmFs in WebCLI in Wind River VxWorks 5.5 through 7 SR0640 
has no  ...)
-       TODO: check
+       NOT-FOR-US: Wind River
 CVE-2020-11439 (LibreHealth EMR v2.0.0 is affected by a Local File Inclusion 
issue all ...)
        NOT-FOR-US: LibreHealth EMR
 CVE-2020-11438 (LibreHealth EMR v2.0.0 is affected by systemic CSRF. ...)
@@ -13745,17 +13744,17 @@ CVE-2020-10924
 CVE-2020-10923
        RESERVED
 CVE-2020-10922 (This vulnerability allows remote attackers to create a 
denial-of-servi ...)
-       TODO: check
+       NOT-FOR-US: C-MORE HMI
 CVE-2020-10921 (This vulnerability allows remote attackers to issue commands 
on affect ...)
-       TODO: check
+       NOT-FOR-US: C-MORE HMI
 CVE-2020-10920 (This vulnerability allows remote attackers to execute 
arbitrary code o ...)
-       TODO: check
+       NOT-FOR-US: C-MORE HMI
 CVE-2020-10919 (This vulnerability allows remote attackers to disclose 
sensitive infor ...)
-       TODO: check
+       NOT-FOR-US: C-MORE HMI
 CVE-2020-10918 (This vulnerability allows remote attackers to bypass 
authentication on ...)
-       TODO: check
+       NOT-FOR-US: C-MORE HMI
 CVE-2020-10917 (This vulnerability allows remote attackers to execute 
arbitrary code o ...)
-       TODO: check
+       NOT-FOR-US: NEC
 CVE-2020-10916 (This vulnerability allows network-adjacent attackers to 
escalate privi ...)
        NOT-FOR-US: TP-Link
 CVE-2020-10915 (This vulnerability allows remote attackers to execute 
arbitrary code o ...)
@@ -14927,7 +14926,7 @@ CVE-2020-10616 (Opto 22 SoftPAC Project Version 9.6 and 
prior. SoftPAC does not
 CVE-2020-10615 (Triangle MicroWorks SCADA Data Gateway 3.02.0697 through 
4.0.122, 2.41 ...)
        NOT-FOR-US: Triangle MicroWorks SCADA Data Gateway
 CVE-2020-10614 (In OSIsoft PI System multiple products and versions, an 
authenticated  ...)
-       TODO: check
+       NOT-FOR-US: OSIsoft PI System
 CVE-2020-10613 (Triangle MicroWorks SCADA Data Gateway 3.02.0697 through 
4.0.122, 2.41 ...)
        NOT-FOR-US: Triangle MicroWorks SCADA Data Gateway
 CVE-2020-10612 (Opto 22 SoftPAC Project Version 9.6 and prior. SoftPACAgent 
communicat ...)
@@ -14935,27 +14934,27 @@ CVE-2020-10612 (Opto 22 SoftPAC Project Version 9.6 
and prior. SoftPACAgent comm
 CVE-2020-10611 (Triangle MicroWorks SCADA Data Gateway 3.02.0697 through 
4.0.122, 2.41 ...)
        NOT-FOR-US: Triangle MicroWorks SCADA Data Gateway
 CVE-2020-10610 (In OSIsoft PI System multiple products and versions, a local 
attacker  ...)
-       TODO: check
+       NOT-FOR-US: OSIsoft PI System
 CVE-2020-10609
        RESERVED
 CVE-2020-10608 (In OSIsoft PI System multiple products and versions, a local 
attacker  ...)
-       TODO: check
+       NOT-FOR-US: OSIsoft PI System
 CVE-2020-10607 (In Advantech WebAccess, Versions 8.4.2 and prior. A 
stack-based buffer ...)
        NOT-FOR-US: Advantech WebAccess
 CVE-2020-10606 (In OSIsoft PI System multiple products and versions, a local 
attacker  ...)
-       TODO: check
+       NOT-FOR-US: OSIsoft PI System
 CVE-2020-10605 (Grundfos CIM 500 before v06.16.00 responds to unauthenticated 
requests ...)
        NOT-FOR-US: Grundfos CIM
 CVE-2020-10604 (In OSIsoft PI System multiple products and versions, a remote, 
unauthe ...)
-       TODO: check
+       NOT-FOR-US: OSIsoft PI System
 CVE-2020-10603 (WebAccess/NMS (versions prior to 3.0.2) does not properly 
sanitize use ...)
        NOT-FOR-US: WebAccess/NMS
 CVE-2020-10602 (In OSIsoft PI System multiple products and versions, an 
authenticated  ...)
-       TODO: check
+       NOT-FOR-US: OSIsoft PI System
 CVE-2020-10601 (VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote 
Module allow  ...)
        NOT-FOR-US: VISAM VBASE Editor
 CVE-2020-10600 (In OSIsoft PI System multiple products and versions, an 
authenticated  ...)
-       TODO: check
+       NOT-FOR-US: OSIsoft PI System
 CVE-2020-10599 (VISAM VBASE Editor version 11.5.0.2 and VBASE Web-Remote 
Module may al ...)
        NOT-FOR-US: VISAM VBASE Editor
 CVE-2020-10598 (In BD Pyxis MedStation ES System v1.6.1 and Pyxis Anesthesia 
(PAS) ES  ...)
@@ -15047,7 +15046,7 @@ CVE-2020-10568 (The sitepress-multilingual-cms (WPML) 
plugin before 4.3.7-b.2 fo
 CVE-2020-10567 (An issue was discovered in Responsive Filemanager through 
9.14.0. In t ...)
        NOT-FOR-US: Responsive Filemanager
 CVE-2018-21036 (Sails.js before v1.0.0-46 allows attackers to cause a denial 
of servic ...)
-       TODO: check
+       NOT-FOR-US: Sails.js
 CVE-2020-10566 (grub2-bhyve, as used in FreeBSD bhyve before revision 525916 
2020-02-1 ...)
        NOT-FOR-US: FreeBSD
 CVE-2020-10565 (grub2-bhyve, as used in FreeBSD bhyve before revision 525916 
2020-02-1 ...)
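Review bot: style point on the CVE-2018-21036 line: Sails.js is an npm package, and elsewhere in this same patch npm packages are labelled in the `Node <package>` form (`NOT-FOR-US: Node parser-server`, `NOT-FOR-US: Node uppy`); consider `NOT-FOR-US: Node sails` for consistency with those entries.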
@@ -15644,7 +15643,7 @@ CVE-2020-10286 (the main user account has restricted 
privileges but is in the su
 CVE-2020-10285 (The authentication implementation on the xArm controller has 
very low  ...)
        NOT-FOR-US: xArm
 CVE-2020-10284 (No authentication is required to control the robot inside the 
network, ...)
-       TODO: check
+       NOT-FOR-US: xArm
 CVE-2020-10283
        RESERVED
 CVE-2020-10282 (The Micro Air Vehicle Link (MAVLink) protocol presents no 
authenticati ...)
@@ -20279,7 +20278,7 @@ CVE-2020-8328
 CVE-2020-8327 (A privilege escalation vulnerability was reported in 
LenovoBatteryGaug ...)
        NOT-FOR-US: Lenovo
 CVE-2020-8326 (An unquoted service path vulnerability was reported in Lenovo 
Drivers  ...)
-       TODO: check
+       NOT-FOR-US: Lenovo
 CVE-2020-8325
        RESERVED
 CVE-2020-8324 (A vulnerability was reported in LenovoAppScenarioPluginSystem 
for Leno ...)
@@ -20297,7 +20296,7 @@ CVE-2020-8319 (A privilege escalation vulnerability was 
reported in Lenovo Syste
 CVE-2020-8318 (A privilege escalation vulnerability was reported in the 
LenovoSystemU ...)
        NOT-FOR-US: Lenovo
 CVE-2020-8317 (A DLL search path vulnerability was reported in Lenovo Drivers 
Managem ...)
-       TODO: check
+       NOT-FOR-US: Lenovo
 CVE-2020-8316 (A vulnerability was reported in Lenovo Vantage prior to version 
10.200 ...)
        NOT-FOR-US: Lenovo
 CVE-2020-8428 (fs/namei.c in the Linux kernel before 5.5 has a 
may_create_in_sticky u ...)
@@ -20510,7 +20509,7 @@ CVE-2020-8216
 CVE-2020-8215 (A buffer overflow is present in canvas version &lt;= 1.6.9, 
which coul ...)
        TODO: check
 CVE-2020-8214 (A path traversal vulnerability in servey version &lt; 3 allows 
an atta ...)
-       TODO: check
+       NOT-FOR-US: servey
 CVE-2020-8213
        RESERVED
 CVE-2020-8212
@@ -20524,11 +20523,11 @@ CVE-2020-8209
 CVE-2020-8208
        RESERVED
 CVE-2020-8207 (Improper access control in Citrix Workspace app for Windows 
1912 CU1 a ...)
-       TODO: check
+       NOT-FOR-US: Citrix
 CVE-2020-8206
        RESERVED
 CVE-2020-8205 (The uppy npm package &lt; 1.13.2 and &lt; 2.0.0-alpha.5 is 
vulnerable  ...)
-       TODO: check
+       NOT-FOR-US: Node uppy
 CVE-2020-8204
        RESERVED
 CVE-2020-8203 (Prototype pollution attack when using _.zipObjectDeep in lodash 
&lt;=  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b44c665d07e1b8fb7d4fba4ccec091d5509adfc9



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits