Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b0372c1d by security tracker role at 2020-11-19T08:10:21+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,17 @@
+CVE-2020-28940
+       RESERVED
+CVE-2020-28939
+       RESERVED
+CVE-2020-28938
+       RESERVED
+CVE-2020-28937
+       RESERVED
+CVE-2020-28936
+       RESERVED
+CVE-2020-28935
+       RESERVED
+CVE-2019-20933 (InfluxDB before 1.7.6 has an authentication bypass 
vulnerability in th ...)
+       TODO: check
 CVE-2020-28934
        RESERVED
 CVE-2020-28933
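Review bot: the CVE-2019-20933 entry (InfluxDB before 1.7.6, authentication bypass) is left at `TODO: check` and should be triaged now, before the next automatic update buries it among the six new RESERVED placeholders above it (CVE-2020-28935 through CVE-2020-28940 need no action until MITRE publishes them). Resolve it either to a `- <package> <version>` line or to a NOT-FOR-US line, the two shapes used elsewhere in this file.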
@@ -9056,8 +9070,8 @@ CVE-2020-26228
        RESERVED
 CVE-2020-26227
        RESERVED
-CVE-2020-26226
-       RESERVED
+CVE-2020-26226 (In the npm package semantic-release before version 17.2.3, 
secrets tha ...)
+       TODO: check
 CVE-2020-26225 (In PrestaShop Product Comments before version 4.2.0, an 
attacker could ...)
        NOT-FOR-US: PrestaShop
 CVE-2020-26224 (In PrestaShop before version 1.7.6.9 an attacker is able to 
list all t ...)
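Review bot: CVE-2020-26226 (npm package semantic-release before 17.2.3, secrets leaking) moves from RESERVED to `TODO: check` but, unlike the two PrestaShop entries directly below it, gets no disposition; it should be closed with a package line or a `NOT-FOR-US: semantic-release` line in the same style as those neighbours rather than left pending.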
@@ -9082,8 +9096,8 @@ CVE-2020-26217 (XStream before version 1.4.14 is 
vulnerable to Remote Code Execu
        NOTE: 
https://github.com/x-stream/xstream/commit/0fec095d534126931c99fd38e9c6d41f5c685c1a
 CVE-2020-26216 (TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 
2.5.11  ...)
        TODO: check
-CVE-2020-26215
-       RESERVED
+CVE-2020-26215 (Jupyter Notebook before version 6.1.5 has an Open redirect 
vulnerabili ...)
+       TODO: check
 CVE-2020-26214 (In Alerta before version 8.1.0, users may be able to bypass 
LDAP authe ...)
        NOT-FOR-US: Alerta
 CVE-2020-26213 (In teler before version 0.0.1, if you run teler inside a 
Docker contai ...)
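Review bot: of the TODOs in this hunk, CVE-2020-26215 (Jupyter Notebook before 6.1.5, open redirect) is the one most likely to need a package line rather than NOT-FOR-US, since Jupyter Notebook is packaged in Debian as jupyter-notebook; the XStream entry above shows the preferred shape once triaged (fixed version plus an upstream commit NOTE), while the Alerta and teler entries below show the NOT-FOR-US shape.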
@@ -9336,6 +9350,7 @@ CVE-2020-26117 (In rfb/CSecurityTLS.cxx and 
rfb/CSecurityTLS.java in TigerVNC be
        NOTE: 
https://github.com/TigerVNC/tigervnc/commit/b30f10c681ec87720cff85d490f67098568a9cba
 (master)
        NOTE: 
https://github.com/TigerVNC/tigervnc/commit/f029745f63ac7d22fb91639b2cb5b3ab56134d6e
 (master)
 CVE-2020-26116 (http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 
3.7.x be ...)
+       {DLA-2456-1}
        - python3.9 3.9.0~b5-1
        - python3.8 3.8.5-1
        - python3.7 <removed>
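Review bot: the `{DLA-2456-1}` tag added to CVE-2020-26116 (Python http.client) sits above package lines that only show the unstable state for python3.9, python3.8 and python3.7 (`<removed>`); the stretch line the DLA actually applies to is outside the hunk context, so confirm that the `[stretch]` entry further down carries the fixed version shipped by DLA-2456-1, otherwise the tag references an advisory with no matching package state.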
@@ -10944,8 +10959,8 @@ CVE-2020-25456
        RESERVED
 CVE-2020-25455
        RESERVED
-CVE-2020-25454
-       RESERVED
+CVE-2020-25454 (Cross-site Scripting (XSS) vulnerability in grocy 2.7.1 via 
the add re ...)
+       TODO: check
 CVE-2020-25453 (An issue was discovered in BlackCat CMS v.1.3.6. There is a 
CSRF vulne ...)
        NOT-FOR-US: BlackCat CMS
 CVE-2020-25452
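Review bot: CVE-2020-25454 (XSS in grocy 2.7.1) is added as `TODO: check`; the adjacent BlackCat CMS entry shows the expected resolution for web applications that are not packaged in Debian, so this should be closed as `NOT-FOR-US: grocy` unless a grocy source package exists.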
@@ -16682,8 +16697,8 @@ CVE-2020-22725
        RESERVED
 CVE-2020-22724
        RESERVED
-CVE-2020-22723
-       RESERVED
+CVE-2020-22723 (A cross-site scripting (XSS) vulnerability in Beijing 
Liangjing Zhiche ...)
+       TODO: check
 CVE-2020-22722 (Rapid Software LLC Rapid SCADA 5.8.0 is affected by a local 
privilege  ...)
        NOT-FOR-US: Rapid Software LLC Rapid SCADA
 CVE-2020-22721 (A File Upload Vulnerability in PNotes - Andrey Gruber 
PNotes.NET v3.8. ...)
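Review bot: CVE-2020-22723 (XSS in a Beijing Liangjing Zhiche product) is vendor-specific software of the same kind as the Rapid SCADA and PNotes entries around it, which are already NOT-FOR-US; the `TODO: check` should be resolved the same way rather than left pending.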
@@ -31163,8 +31178,7 @@ CVE-2020-15712 (rConfig 3.9.5 could allow a remote 
authenticated attacker to tra
        NOT-FOR-US: rConfig
 CVE-2020-15711 (In MISP before 2.4.129, setting a favourite homepage was not 
CSRF prot ...)
        NOT-FOR-US: MISP
-CVE-2020-15710
-       RESERVED
+CVE-2020-15710 (Potential double free in Bluez 5 module of PulseAudio could 
allow a lo ...)
        - pulseaudio <not-affected> (Issue in Ubuntu-specific patch)
        NOTE: 
https://bugs.launchpad.net/ubuntu/%2Bsource/pulseaudio/%2Bbug/1884738
 CVE-2020-15709 (Versions of add-apt-repository before 0.98.9.2, 0.96.24.32.14, 
0.96.20 ...)
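Review bot: keeping the `- pulseaudio <not-affected> (Issue in Ubuntu-specific patch)` line through the description update is correct: the new MITRE text ("Potential double free in Bluez 5 module of PulseAudio") matches the Launchpad bug already referenced in the NOTE, so there is nothing new to triage for Debian's pulseaudio, and dropping the RESERVED line is the right follow-on.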
@@ -31252,7 +31266,7 @@ CVE-2019-20908 (An issue was discovered in 
drivers/firmware/efi/efi.c in the Lin
        NOTE: https://www.openwall.com/lists/oss-security/2020/06/14/1
        NOTE: Fixed by: 
https://git.kernel.org/linus/1957a85b0032a81e6482ca4aab883643b8dae06e
 CVE-2019-20907 (In Lib/tarfile.py in Python through 3.8.3, an attacker is able 
to craf ...)
-       {DLA-2337-1}
+       {DLA-2456-1 DLA-2337-1}
        - python3.9 3.9.0~b5-1 (low)
        - python3.8 3.8.5-1 (low)
        - python3.7 <removed> (low)
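Review bot: CVE-2019-20907 (Python tarfile) now carries both DLA-2456-1 and the older DLA-2337-1, and DLA-2456-1 is also tagged on CVE-2020-26116 earlier in this commit; two DLAs on one CVE is expected when the issue was fixed in two source packages or re-fixed in a follow-up, but the hunk only shows the unstable lines, so verify that the stretch package lines below reflect both advisories.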
@@ -32300,10 +32314,10 @@ CVE-2020-15303
        RESERVED
 CVE-2020-15302 (In Argent RecoveryManager before 
0xdc350d09f71c48c5D22fBE2741e4d6A0397 ...)
        NOT-FOR-US: Argent RecoveryManager
-CVE-2020-15301
-       RESERVED
-CVE-2020-15300
-       RESERVED
+CVE-2020-15301 (SuiteCRM through 7.11.13 allows CSV Injection via registration 
fields  ...)
+       TODO: check
+CVE-2020-15300 (SuiteCRM through 7.11.13 has an Open Redirect in the Documents 
module  ...)
+       TODO: check
 CVE-2020-15299 (A reflected Cross-Site Scripting (XSS) Vulnerability in the 
KingCompos ...)
        NOT-FOR-US: KingComposer plugin for WordPress
 CVE-2020-15298
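Review bot: CVE-2020-15301 and CVE-2020-15300 (SuiteCRM through 7.11.13, CSV injection and open redirect) are moved to `TODO: check` together; as with the Argent RecoveryManager and KingComposer entries on either side, the likely disposition is `NOT-FOR-US: SuiteCRM`, and both can be closed in one pass.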
@@ -35358,8 +35372,8 @@ CVE-2020-14210 (MONITORAPP AIWAF-VE and AIWAF-4000 
through 2020-06-16 allow refl
        NOT-FOR-US: MONITORAPP
 CVE-2020-14209 (Dolibarr before 11.0.5 allows low-privilege users to upload 
files of d ...)
        - dolibarr <removed>
-CVE-2020-14208
-       RESERVED
+CVE-2020-14208 (SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting 
(XSS) in t ...)
+       TODO: check
 CVE-2020-14207
        RESERVED
 CVE-2020-14206
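Review bot: CVE-2020-14208 (stored XSS in SuiteCRM 7.11.13) should be triaged consistently with the two other SuiteCRM 7.11.13 issues this commit also moves to `TODO: check` (CVE-2020-15300 and CVE-2020-15301); the contrast with the Dolibarr entry above is instructive, since dolibarr keeps a package line (`<removed>`) because it was once in Debian.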
@@ -36455,8 +36469,8 @@ CVE-2020-13802 (Rebar3 versions 3.0.0-beta.3 to 3.13.2 
are vulnerable to OS comm
        NOTE: 
https://github.com/erlang/rebar3/commit/2e2d1a6bb141a969b6483e082a2afd361fc2ece2
 CVE-2020-13801
        RESERVED
-CVE-2020-13799
-       RESERVED
+CVE-2020-13799 (Western Digital iNAND devices through 2020-06-03 allow 
Authentication  ...)
+       TODO: check
 CVE-2020-13798 (An issue was discovered in Navigate CMS through 2.8.7. It 
allows XSS b ...)
        NOT-FOR-US: Navigate CMS
 CVE-2020-13797 (An issue was discovered in Navigate CMS through 2.8.7. It 
allows XSS b ...)
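Review bot: CVE-2020-13799 (Western Digital iNAND devices, authentication bypass) concerns embedded flash hardware, so the `TODO: check` should resolve to NOT-FOR-US like the two Navigate CMS entries below it; the Rebar3 entry at the top of the hunk, with its upstream commit NOTE, is the shape to use only if a Debian package turns out to be affected.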
@@ -36888,6 +36902,7 @@ CVE-2020-13668
 CVE-2020-13667
        RESERVED
 CVE-2020-13666 [SA-CORE-2020-007]
+       RESERVED
        - drupal7 <removed>
        NOTE: https://www.drupal.org/sa-core-2020-007
        NOTE: 
https://github.com/drupal/drupal/commit/cd3721550d988240ef6e682bd1cae2939c6e9e5a
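Review bot: adding a bare `RESERVED` line under `CVE-2020-13666 [SA-CORE-2020-007]` follows the file's convention for entries tracked from a vendor advisory before MITRE publishes a description: the bracketed placeholder, the RESERVED marker, `- drupal7 <removed>` and the drupal.org and commit NOTEs all coexist, so the triage state does not change.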
@@ -37624,10 +37639,9 @@ CVE-2018-21234 (Jodd before 5.0.4 performs 
Deserialization of Untrusted JSON Dat
        NOTE: https://github.com/oblac/jodd/issues/628
 CVE-2017-18868 (Digi XBee 2 devices do not have an effective protection 
mechanism agai ...)
        NOT-FOR-US: Digi XBee 2 devices
-CVE-2020-13360
-       RESERVED
-CVE-2020-13359
-       RESERVED
+CVE-2020-13360 (An attacker can schedule a very large number of releases in 
the future ...)
+       TODO: check
+CVE-2020-13359 (The Terraform API in GitLab CE/EE 12.10+ exposed the object 
storage si ...)
        - gitlab 13.3.9-1
        NOTE: 
https://about.gitlab.com/releases/2020/11/02/security-release-gitlab-13-5-2-released/
 CVE-2020-13358 (A vulnerability in the internal Kubernetes agent api in GitLab 
CE/EE v ...)
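Review bot: CVE-2020-13360 ("An attacker can schedule a very large number of releases in the future ...") is left at `TODO: check` while its neighbour CVE-2020-13359 gets `- gitlab 13.3.9-1` and the 13.5.2 security-release NOTE; every other ID in this block is a GitLab issue fixed by that release, so check whether 13360 belongs on the same gitlab line instead of staying pending. The "GitLab CE/EE 12.10+" in the 13359 description is compatible with the 13.3.9 fixed version recorded.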
@@ -37635,12 +37649,10 @@ CVE-2020-13358 (A vulnerability in the internal 
Kubernetes agent api in GitLab C
        NOTE: 
https://about.gitlab.com/releases/2020/11/02/security-release-gitlab-13-5-2-released/
 CVE-2020-13357
        RESERVED
-CVE-2020-13356
-       RESERVED
+CVE-2020-13356 (An issue has been discovered in GitLab CE/EE affecting all 
versions st ...)
        - gitlab 13.3.9-1
        NOTE: 
https://about.gitlab.com/releases/2020/11/02/security-release-gitlab-13-5-2-released/
-CVE-2020-13355
-       RESERVED
+CVE-2020-13355 (An issue has been discovered in GitLab CE/EE affecting all 
versions st ...)
        - gitlab 13.3.9-1
        NOTE: 
https://about.gitlab.com/releases/2020/11/02/security-release-gitlab-13-5-2-released/
 CVE-2020-13354 (A potential DOS vulnerability was discovered in GitLab CE/EE 
starting  ...)
@@ -39586,8 +39598,8 @@ CVE-2020-12595
        RESERVED
 CVE-2020-12594
        RESERVED
-CVE-2020-12593
-       RESERVED
+CVE-2020-12593 (Symantec Endpoint Detection &amp; Response, prior to 4.5, may 
be susce ...)
+       TODO: check
 CVE-2020-12592
        RESERVED
 CVE-2020-12591
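Review bot: the CVE-2020-12593 description contains the HTML entity `&amp;` ("Symantec Endpoint Detection &amp; Response") carried over verbatim from the feed; the import should unescape it to `&`, since every other description in this file is plain text. The entry itself (Symantec EDR prior to 4.5) is vendor software and can be closed as NOT-FOR-US.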
@@ -49552,7 +49564,7 @@ CVE-2020-9285
 CVE-2020-9284
        RESERVED
 CVE-2020-9283 (golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 
for Go a ...)
-       {DLA-2453-1 DLA-2402-1}
+       {DLA-2455-1 DLA-2453-1 DLA-2402-1}
        - golang-go.crypto 1:0.0~git20200221.2aa609c-1 (bug #952462)
        [buster] - golang-go.crypto <no-dsa> (Minor issue)
        [jessie] - golang-go.crypto <no-dsa> (Minor issue)
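Review bot: `DLA-2455-1` is added to CVE-2020-9283 (golang.org/x/crypto) while the visible `[buster]` and `[jessie]` lines still read `<no-dsa> (Minor issue)`; a DLA corresponds to a stretch update, so confirm the `[stretch]` line of this entry, which lies outside the hunk, now shows the fixed golang-go.crypto version rather than a no-dsa marker, otherwise the tag and the package state disagree.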
@@ -51970,12 +51982,11 @@ CVE-2020-8281
        RESERVED
 CVE-2020-8280
        RESERVED
-CVE-2020-8279
-       RESERVED
-CVE-2020-8278
-       RESERVED
-CVE-2020-8277 [Denial of Service through DNS request]
-       RESERVED
+CVE-2020-8279 (Missing validation of server certificates for out-going 
connections in ...)
+       TODO: check
+CVE-2020-8278 (Improper access control in Nextcloud Social app version 0.3.1 
allowed  ...)
+       TODO: check
+CVE-2020-8277 (A Node.js application that allows an attacker to trigger a DNS 
request ...)
        - c-ares <unfixed>
        [buster] - c-ares <not-affected> (Introduced in 1.16)
        [stretch] - c-ares <not-affected> (Introduced in 1.16)
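Review bot: replacing the placeholder "[Denial of Service through DNS request]" on CVE-2020-8277 with the MITRE text leaves `- c-ares <unfixed>` in place, so unstable still has an open DoS in c-ares; the buster and stretch lines are `<not-affected> (Introduced in 1.16)`, and that rationale should be re-verified against the upstream fix once it lands. CVE-2020-8279 ("Missing validation of server certificates for out-going connections in ...") and CVE-2020-8278 (Nextcloud Social app 0.3.1) are new TODOs; the product name of 8279 is cut off by the truncation, so the full description is needed before it can be assigned.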
@@ -58032,8 +58043,8 @@ CVE-2020-5949
        RESERVED
 CVE-2020-5948
        RESERVED
-CVE-2020-5947
-       RESERVED
+CVE-2020-5947 (In versions 16.0.0-16.0.0.1 and 15.1.0-15.1.1, on specific 
BIG-IP plat ...)
+       TODO: check
 CVE-2020-5946 (In BIG-IP Advanced WAF and FPS versions 16.0.0-16.0.0.1, 
15.1.0-15.1.0 ...)
        NOT-FOR-US: F5 BIG-IP
 CVE-2020-5945 (In BIG-IP versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, and 
14.1.0-14.1.2 ...)
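Review bot: CVE-2020-5947 (BIG-IP 16.0.0-16.0.0.1 and 15.1.0-15.1.1) is F5 appliance software like CVE-2020-5946 and CVE-2020-5945 immediately below, both already `NOT-FOR-US: F5 BIG-IP`; the `TODO: check` can be closed the same way.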
@@ -69251,7 +69262,7 @@ CVE-2020-1872 (Huawei smart phones P10 Plus with 
versions earlier than 9.1.0.201
        NOT-FOR-US: Huawei
 CVE-2020-1871 (USG9500 with software of V500R001C30SPC100; V500R001C30SPC200; 
V500R00 ...)
        NOT-FOR-US: Huawei
-CVE-2020-1870 (CloudEngine 12800 products with versions of V200R019C00, 
V200R019C10SP ...)
+CVE-2020-1870 (There is a denial of service vulnerability in some Huawei 
products. Du ...)
        NOT-FOR-US: Huawei
 CVE-2020-1869
        RESERVED
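Review bot: the CVE-2020-1870 description changes from a specific CloudEngine 12800 version list to the generic "denial of service vulnerability in some Huawei products"; the `NOT-FOR-US: Huawei` disposition is unchanged and still correct, and the rewrite is a reminder that MITRE revises descriptions after publication, which is why the automatic update regenerates them instead of treating the first import as final.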
@@ -81530,8 +81541,7 @@ CVE-2019-16333 (GetSimple CMS v3.3.15 has Persistent 
Cross-Site Scripting (XSS)
        NOT-FOR-US: GetSimple CMS
 CVE-2019-16332 (In the api-bearer-auth plugin before 20190907 for WordPress, 
the serve ...)
        NOT-FOR-US: Wordpress plugin
-CVE-2019-12412 [Remotely exploitable null pointer dereference bug]
-       RESERVED
+CVE-2019-12412 (A flaw in the libapreq2 v2.07 to v2.13 multipart parser can 
deference  ...)
        {DSA-4541-1 DLA-1944-1}
        - libapreq2 2.13-6 (bug #939937)
        NOTE: https://svn.apache.org/r1866760
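Review bot: CVE-2019-12412 drops its bracketed placeholder and RESERVED line in favour of the MITRE text, while `{DSA-4541-1 DLA-1944-1}`, `- libapreq2 2.13-6 (bug #939937)` and the svn revision NOTE stay, so the fix state is unchanged; "deference" in the new description is a typo in the upstream CVE text ("dereference") and is not something to correct in this file.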
@@ -96321,7 +96331,7 @@ CVE-2019-11841 (A message-forgery issue was discovered 
in crypto/openpgp/clearsi
        NOTE: 
https://packetstormsecurity.com/files/152840/Go-Cryptography-Libraries-Cleartext-Message-Spoofing.html
        NOTE: Upstream feels that this is not a security issue. See 
https://github.com/golang/go/issues/41200.
 CVE-2019-11840 (An issue was discovered in supplementary Go cryptography 
libraries, ak ...)
-       {DLA-2442-1 DLA-2402-1 DLA-1840-1}
+       {DLA-2454-1 DLA-2442-1 DLA-2402-1 DLA-1840-1}
        - golang-go.crypto 1:0.0~git20200221.2aa609c-1
        NOTE: https://github.com/golang/go/issues/30965
        NOTE: 
https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d
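Review bot: DLA-2454-1 joins three earlier DLAs on CVE-2019-11840 (golang-go.crypto), alongside the DLA-2455-1 added to CVE-2020-9283 in this same commit; four advisories on one CVE presumably means the fix was shipped through several packages that vendor golang.org/x/crypto, so each DLA should be matched to a package line below the visible `golang-go.crypto 1:0.0~git20200221.2aa609c-1`. Note that the "Upstream feels that this is not a security issue" NOTE at the top of the hunk belongs to CVE-2019-11841, not to this entry.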
@@ -111641,7 +111651,7 @@ CVE-2019-6623 (On BIG-IP 14.1.0-14.1.0.5, 
14.0.0-14.0.0.4, 13.0.0-13.1.1.4, and
        NOT-FOR-US: F5 BIG-IP
 CVE-2019-6622 (On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 
12.1.0-12 ...)
        NOT-FOR-US: F5 BIG-IP
-CVE-2019-6621 (On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 
12.1.0-12 ...)
+CVE-2019-6621 (On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.4, 13.0.0-13.1.1.4, 
12.1.0-12 ...)
        NOT-FOR-US: F5 BIG-IP
 CVE-2019-6620 (On BIG-IP 14.1.0-14.1.0.5, 14.0.0-14.0.0.5, 13.0.0-13.1.1.4, 
12.1.0-12 ...)
        NOT-FOR-US: F5 BIG-IP
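Review bot: only the version range in the CVE-2019-6621 description changes (14.0.0-14.0.0.5 becomes 14.0.0-14.0.0.4), a MITRE correction with no effect on the `NOT-FOR-US: F5 BIG-IP` disposition; it is worth noting because the neighbouring CVE-2019-6620 and CVE-2019-6622 still say 14.0.0-14.0.0.5, so the ranges now differ between otherwise parallel entries.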



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b0372c1d74d894df1b9cf7fbb43afe95bc1ac8bb

_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits