Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
72659de9 by security tracker role at 2020-11-04T08:10:23+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,29 @@
+CVE-2020-28208
+ RESERVED
+CVE-2020-28207
+ RESERVED
+CVE-2020-28206
+ RESERVED
+CVE-2020-28205
+ RESERVED
+CVE-2020-28204
+ RESERVED
+CVE-2020-28203
+ RESERVED
+CVE-2020-28202
+ RESERVED
+CVE-2020-28201
+ RESERVED
+CVE-2020-28200
+ RESERVED
+CVE-2020-28199
+ RESERVED
+CVE-2020-28198
+ RESERVED
+CVE-2020-28197
+ RESERVED
+CVE-2020-28196
+ RESERVED
CVE-2020-28195
RESERVED
CVE-2020-28194
@@ -297,6 +323,7 @@ CVE-2020-28048
CVE-2020-28047
RESERVED
CVE-2020-27347 [tmux buffer overflow in CSI parsing]
+ RESERVED
- tmux 3.1c-1
[buster] - tmux <not-affected> (Vulnerable code introduced later)
[stretch] - tmux <not-affected> (Vulnerable code introduced later)
@@ -2394,7 +2421,7 @@ CVE-2020-27349
CVE-2020-27348
RESERVED
CVE-2020-27346
- RESERVED
+ REJECTED
CVE-2020-27345
RESERVED
CVE-2020-27344 (The cm-download-manager plugin before 2.8.0 for WordPress
allows XSS. ...)
@@ -4767,8 +4794,8 @@ CVE-2020-26213
RESERVED
CVE-2020-26212
RESERVED
-CVE-2020-26211
- RESERVED
+CVE-2020-26211 (In BookStack before version 0.30.4, a user with permissions to
edit a ...)
+ TODO: check
CVE-2020-26210 (In BookStack before version 0.30.4, a user with permissions to
edit a ...)
TODO: check
CVE-2020-26209
@@ -4889,6 +4916,7 @@ CVE-2020-26160 (jwt-go before 4.0.0-preview1 allows
attackers to bypass intended
NOTE: https://github.com/dgrijalva/jwt-go/issues/422
NOTE: https://github.com/dgrijalva/jwt-go/pull/426
CVE-2020-26159 (In Oniguruma 6.9.5_rev1, an attacker able to supply a regular
expressi ...)
+ {DLA-2431-1}
- libonig <unfixed> (bug #972113)
[buster] - libonig <no-dsa> (Minor issue)
NOTE:
https://github.com/kkos/oniguruma/commit/cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0
@@ -64494,10 +64522,10 @@ CVE-2020-1911 (A type confusion vulnerability when
resolving properties of JavaS
NOT-FOR-US: Facebook Hermes
CVE-2020-1910
RESERVED
-CVE-2020-1909
- RESERVED
-CVE-2020-1908
- RESERVED
+CVE-2020-1909 (A use-after-free in a logging library in WhatsApp for iOS prior
to v2. ...)
+ TODO: check
+CVE-2020-1908 (Improper authorization of the Screen Lock feature in WhatsApp
and What ...)
+ TODO: check
CVE-2020-1907 (A stack overflow in WhatsApp for Android prior to v2.20.196.16,
WhatsA ...)
NOT-FOR-US: WhatsApp
CVE-2020-1906 (A buffer overflow in WhatsApp for Android prior to v2.20.130
and Whats ...)
@@ -65841,7 +65869,7 @@ CVE-2019-19248 (Electronic Arts Origin through 10.5.x
allows Elevation of Privil
CVE-2019-19247 (Electronic Arts Origin through 10.5.x allows Elevation of
Privilege (i ...)
NOT-FOR-US: Electronic Arts Origin
CVE-2019-19246 (Oniguruma through 6.9.3, as used in PHP 7.3.x and other
products, has ...)
- {DLA-2020-1}
+ {DLA-2431-1 DLA-2020-1}
- libonig 6.9.4-1 (low; bug #946344)
[buster] - libonig <no-dsa> (Minor issue)
NOTE: https://bugs.php.net/bug.php?id=78559
@@ -65957,13 +65985,14 @@ CVE-2019-19206 (Dolibarr CRM/ERP 10.0.3 allows
viewimage.php?file= Stored XSS du
CVE-2019-19205
RESERVED
CVE-2019-19204 (An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In
the func ...)
- {DLA-2020-1}
+ {DLA-2431-1 DLA-2020-1}
- libonig 6.9.4-1 (low; bug #945313)
[buster] - libonig <no-dsa> (Minor issue)
NOTE: https://github.com/kkos/oniguruma/issues/162
NOTE:
https://github.com/kkos/oniguruma/commit/6eb4aca6a7f2f60f473580576d86686ed6a6ebec
(v6.9.4_rc2)
NOTE: Only exploitable with attacker-provided pattern
CVE-2019-19203 (An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In
the func ...)
+ {DLA-2431-1}
- libonig 6.9.4-1 (low; bug #945312)
[buster] - libonig <no-dsa> (Minor issue)
[jessie] - libonig <ignored> (Minor issue, not reproducible,
non-trivial backport)
@@ -66519,7 +66548,7 @@ CVE-2019-19014 (An issue was discovered in TitanHQ
WebTitan before 5.18. It has
CVE-2019-19013 (A CSRF vulnerability in Pagekit 1.0.17 allows an attacker to
upload an ...)
NOT-FOR-US: Pagekit CMS
CVE-2019-19012 (An integer overflow in the search_in_range function in
regexec.c in On ...)
- {DLA-2020-1}
+ {DLA-2431-1 DLA-2020-1}
- libonig 6.9.4-1 (low; bug #944959)
[buster] - libonig <no-dsa> (Minor issue)
NOTE: https://github.com/kkos/oniguruma/issues/164
@@ -69641,6 +69670,7 @@ CVE-2019-18651 (A cross-site request forgery (CSRF)
vulnerability in 3xLogic Inf
CVE-2019-18650 (An issue was discovered in Joomla! before 3.9.13. A missing
token chec ...)
NOT-FOR-US: Joomla!
CVE-2018-21030 (Jupyter Notebook before 5.5.0 does not use a CSP header to
treat serve ...)
+ {DLA-2432-1}
- jupyter-notebook 5.7.4-1
NOTE: https://github.com/jupyter/notebook/pull/3341
CVE-2019-18649 (When logged in as an admin user, the Title input field (under
Reports) ...)
@@ -77577,7 +77607,7 @@ CVE-2019-16165 (GNU cflow through 1.6 has a
use-after-free in the reference func
CVE-2019-16164 (MyHTML through 4.0.5 has a NULL pointer dereference in
myhtml_tree_nod ...)
NOT-FOR-US: MyHTML
CVE-2019-16163 (Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c
because of ...)
- {DLA-1918-1}
+ {DLA-2431-1 DLA-1918-1}
- libonig 6.9.4-1 (low; bug #939988)
[buster] - libonig <no-dsa> (Minor issue)
NOTE: https://github.com/kkos/oniguruma/issues/147
@@ -88020,7 +88050,7 @@ CVE-2019-13225 (A NULL Pointer Dereference in
match_at() in regexec.c in Oniguru
[jessie] - libonig <not-affected> (vulnerable code was introduced later)
NOTE:
https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c
CVE-2019-13224 (A use-after-free in onig_new_deluxe() in regext.c in Oniguruma
6.9.2 a ...)
- {DLA-1854-1}
+ {DLA-2431-1 DLA-1854-1}
- libonig 6.9.2-1 (low; bug #931878)
[buster] - libonig <no-dsa> (Minor issue)
NOTE:
https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55
@@ -125720,6 +125750,7 @@ CVE-2018-19352 (Jupyter Notebook before 5.7.2 allows
XSS via a crafted directory
[stretch] - jupyter-notebook <not-affected> (Vulnerable code not
present)
NOTE:
https://github.com/jupyter/notebook/commit/288b73e1edbf527740e273fcc69b889460871648
CVE-2018-19351 (Jupyter Notebook before 5.7.1 allows XSS via an untrusted
notebook bec ...)
+ {DLA-2432-1}
- jupyter-notebook 5.7.4-1 (bug #917409)
NOTE:
https://github.com/jupyter/notebook/commit/107a89fce5f413fb5728c1c5d2c7788e1fb17491
CVE-2008-7320 (** DISPUTED ** GNOME Seahorse through 3.30 allows physically
proximate ...)
@@ -154502,6 +154533,7 @@ CVE-2018-8742
CVE-2017-18239 (A time-sensitive equality check on the JWT signature in the
JsonWebTok ...)
NOT-FOR-US: authentikat-jwt
CVE-2018-8768 (In Jupyter Notebook before 5.4.1, a maliciously forged notebook
file c ...)
+ {DLA-2432-1}
- jupyter-notebook 5.4.1-1 (bug #893436)
- ipython 5.1.0-2
[jessie] - ipython <no-dsa> (Minor issue)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72659de9d92e5e6cbe88fdde6c2c2aa3e0892b90
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72659de9d92e5e6cbe88fdde6c2c2aa3e0892b90
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
