Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6db70086 by security tracker role at 2020-12-08T08:10:19+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,5 +1,23 @@
-CVE-2020-29597
+CVE-2020-29606
        RESERVED
+CVE-2020-29605
+       RESERVED
+CVE-2020-29604
+       RESERVED
+CVE-2020-29603
+       RESERVED
+CVE-2020-29602
+       RESERVED
+CVE-2020-29601
+       RESERVED
+CVE-2020-29600 (In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an 
absolute ...)
+       TODO: check
+CVE-2020-29599 (ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 
mishandles the - ...)
+       TODO: check
+CVE-2020-29598
+       RESERVED
+CVE-2020-29597 (IncomCMS 2.0 has a modules/uploader/showcase/script.php 
insecure file  ...)
+       TODO: check
 CVE-2020-29596
        RESERVED
 CVE-2020-29595 (PlugIns\IDE_ACDStd.apl in ACDSee Photo Studio Studio 
Professional 2021 ...)
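Review bot: the three newly described entries in this hunk (CVE-2020-29600 for AWStats, CVE-2020-29599 for ImageMagick, CVE-2020-29597 for IncomCMS) are left as "TODO: check" by the automatic update and still need manual triage into either a package line or a NOT-FOR-US marker, as was done for the surrounding entries. The ImageMagick description already carries usable version bounds ("before 6.9.11-40 and 7.x before 7.0.10-40"), so that one can be resolved against the imagemagick package versions directly; AWStats is likewise shipped by Debian, so that TODO should become a versioned line rather than stay open.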
@@ -152,7 +170,7 @@ CVE-2020-29534 (An issue was discovered in the Linux kernel 
before 5.9.3. io_uri
        [stretch] - linux <not-affected> (Vulnerable code not present)
        NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2089
        NOTE: 
https://git.kernel.org/linus/0f2122045b946241a9e549c2a76cea54fa58a7ff
-CVE-2020-29529 (HashiCorp go-slug before 0.5.0 does not address attempts at 
directory  ...)
+CVE-2020-29529 (HashiCorp go-slug up to 0.4.3 did not fully protect against 
Zip Slip a ...)
        TODO: check
 CVE-2020-29528
        RESERVED
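Review bot: the rewritten CVE-2020-29529 description changes the affected range from "before 0.5.0" to "up to 0.4.3" and names the issue as Zip Slip, but the entry still carries "TODO: check"; triage still has to establish whether go-slug is packaged in Debian at all, and if not, replace the TODO with a NOT-FOR-US marker so the reworded description does not sit open indefinitely.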
@@ -1641,8 +1659,7 @@ CVE-2020-28937 (OpenClinic version 0.8.2 is affected by a 
missing authentication
        NOT-FOR-US: OpenClinic
 CVE-2020-28936
        RESERVED
-CVE-2020-28935
-       RESERVED
+CVE-2020-28935 (NLnet Labs Unbound, up to and including version 1.12.0, and 
NLnet Labs ...)
        - unbound <unfixed>
        [buster] - unbound <no-dsa> (Minor issue)
        [stretch] - unbound <end-of-life> (DSA 4694-1)
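Review bot: CVE-2020-28935 now has a public description ("up to and including version 1.12.0") but the unstable line is still "unbound <unfixed>" with no bug number and no NOTE pointing at the upstream advisory or fix, unlike neighbouring entries that record both. Please add a NOTE with the upstream reference and file or link the bug so the "<unfixed>" state can be tracked to an upload; the buster "<no-dsa> (Minor issue)" call is reasonable given the description, but it should be backed by that reference.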
@@ -1672,6 +1689,7 @@ CVE-2020-28928 (In musl libc through 1.2.1, wcsnrtombs 
mishandles particular com
 CVE-2020-28927 (There is a Stored XSS in Magicpin v2.1 in the User 
Registration sectio ...)
        NOT-FOR-US: Magicpin
 CVE-2020-28926 (ReadyMedia (aka MiniDLNA) before versions 1.3.0 allows remote 
code exe ...)
+       {DSA-4806-1}
        - minidlna <unfixed> (bug #976595)
        NOTE: 
https://www.rootshellsecurity.net/remote-heap-corruption-bug-discovery-minidlna/
        NOTE: 
https://sourceforge.net/p/minidlna/git/ci/9fba41008adebc1da0f4f6c6e27ae422ace3fe4a
 (v1_3_0)
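Review bot: {DSA-4806-1} is added to CVE-2020-28926 while the unstable line stays "minidlna <unfixed> (bug #976595)", so the entry now claims a stable advisory without a fixed version in unstable. That combination is allowed when stable is fixed first, but please confirm that data/DSA/list records the buster fixed version for DSA-4806-1 and update the unstable line to the fixed version as soon as the corresponding upload lands, otherwise the tracker will keep showing sid as vulnerable for an issue that already has a DSA.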
@@ -6320,8 +6338,7 @@ CVE-2020-28008
        RESERVED
 CVE-2020-28007
        RESERVED
-CVE-2020-25692 [vulnerability with slapd normalization handling with modrdn]
-       RESERVED
+CVE-2020-25692 (A NULL pointer dereference was found in OpenLDAP server and 
was fixed  ...)
        {DSA-4782-1 DLA-2425-1}
        - openldap 2.4.55+dfsg-1
        NOTE: https://bugs.openldap.org/show_bug.cgi?id=9370
@@ -6901,8 +6918,7 @@ CVE-2020-27824
        RESERVED
 CVE-2020-27823
        RESERVED
-CVE-2020-27822
-       RESERVED
+CVE-2020-27822 (A flaw was found in Wildfly affecting versions 19.0.0.Final, 
19.1.0.Fi ...)
        - wildfly <itp> (bug #752018)
 CVE-2020-27821 [heap buffer overflow in msix_table_mmio_write() in 
hw/pci/msix.c]
        RESERVED
@@ -6916,8 +6932,7 @@ CVE-2020-27819 [NULL pointer dereference via crafted xls 
file]
        RESERVED
        - r-cran-readxl <not-affected> (Embeds libxls, but not affected)
        NOTE: https://github.com/libxls/libxls/issues/84
-CVE-2020-27818
-       RESERVED
+CVE-2020-27818 (A flaw was found in the check_chunk_name() function of 
pngcheck-2.4.0. ...)
        - pngcheck 2.3.0-13 (bug #976350)
        [buster] - pngcheck <no-dsa> (Minor issue)
        [stretch] - pngcheck <no-dsa> (Minor issue)
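Review bot: the CVE-2020-27818 description refers to pngcheck-2.4.0 while the fix is recorded as 2.3.0-13, i.e. a backported patch rather than the upstream release, yet the entry has no NOTE linking to the upstream commit or bug that was backported. Please add a NOTE with the upstream fix reference so the backport in 2.3.0-13 can be verified against it; the "<no-dsa> (Minor issue)" markers for buster and stretch read fine for a check_chunk_name() flaw in a diagnostic tool.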
@@ -7875,7 +7890,7 @@ CVE-2020-27643
 CVE-2020-27642 (A cross-site scripting (XSS) vulnerability exists in the 
'merge accoun ...)
        NOT-FOR-US: BigBlueButton
 CVE-2020-27641
-       RESERVED
+       REJECTED
 CVE-2020-27640
        RESERVED
 CVE-2020-27639
@@ -10926,8 +10941,8 @@ CVE-2020-26255
        RESERVED
 CVE-2020-26254
        RESERVED
-CVE-2020-26253
-       RESERVED
+CVE-2020-26253 (Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 
3.3.6, and  ...)
+       TODO: check
 CVE-2020-26252
        RESERVED
 CVE-2020-26251
@@ -12301,8 +12316,7 @@ CVE-2020-25678
        RESERVED
        - ceph <unfixed>
        NOTE: https://tracker.ceph.com/issues/37503
-CVE-2020-25677
-       RESERVED
+CVE-2020-25677 (Ceph-ansible 4.0.34.1 creates /etc/ceph/iscsi-gateway.conf 
with insecu ...)
        NOT-FOR-US: ceph Ansible module
 CVE-2020-25676
        RESERVED
@@ -12532,14 +12546,14 @@ CVE-2020-25633 (A flaw was found in RESTEasy client 
in all versions of RESTEasy
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1879042
 CVE-2020-25632
        RESERVED
-CVE-2020-25631
-       RESERVED
-CVE-2020-25630
-       RESERVED
-CVE-2020-25629
-       RESERVED
-CVE-2020-25628
-       RESERVED
+CVE-2020-25631 (A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 
and 3.7 ...)
+       TODO: check
+CVE-2020-25630 (A vulnerability was found in Moodle where the decompressed 
size of zip ...)
+       TODO: check
+CVE-2020-25629 (A vulnerability was found in Moodle where users with "Log in 
as" capab ...)
+       TODO: check
+CVE-2020-25628 (The filter in the tag manager required extra sanitizing to 
prevent a r ...)
+       TODO: check
 CVE-2020-25627
        RESERVED
 CVE-2020-25626 (A flaw was found in Django REST Framework versions before 
3.12.0 and b ...)
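Review bot: the four Moodle entries (CVE-2020-25631 through CVE-2020-25628) arrive as "TODO: check" and should be triaged together with one consistent outcome, since they come from the same upstream release. Note that the truncated CVE-2020-25628 description ("The filter in the tag manager required extra sanitizing ...") does not name the product at all, so when resolving it please confirm from the full description that it is Moodle before giving it the same marker as the other three.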
@@ -29117,8 +29131,7 @@ CVE-2020-17523
        RESERVED
 CVE-2020-17522
        RESERVED
-CVE-2020-17521 [Information Disclosure]
-       RESERVED
+CVE-2020-17521 (Apache Groovy provides extension methods to aid with creating 
temporar ...)
        - groovy <unfixed>
        [stretch] - groovy <no-dsa> (Minor issue)
        - groovy2 <removed>
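Review bot: CVE-2020-17521 has a stretch annotation ("[stretch] - groovy <no-dsa> (Minor issue)") but no corresponding [buster] line, and no NOTE linking the upstream advisory or fix for the temporary-directory issue the description mentions. Please add the buster marker if groovy is shipped there (the stretch-only annotation looks like an oversight rather than a deliberate choice) and a NOTE with the upstream reference; "groovy2 <removed>" is fine as is.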
@@ -29150,11 +29163,13 @@ CVE-2020-17510 (Apache Shiro before 1.7.0, when using 
Apache Shiro with Spring,
        NOTE: https://www.openwall.com/lists/oss-security/2020/11/04/7
 CVE-2020-17509 [ATS negative cache option is vulnerable to a cache poisoning 
attack]
        RESERVED
+       {DSA-4805-1}
        - trafficserver 8.1.1+ds-1
        NOTE: https://github.com/apache/trafficserver/pull/7359
        NOTE: 
https://lists.apache.org/thread.html/raa9f0589c26c4d146646425e51e2a33e1457492df9f7ea2019daa6d3%40%3Cdev.trafficserver.apache.org%3E
 CVE-2020-17508 [The ATS ESI plugin has a memory disclosure vulnerability]
        RESERVED
+       {DSA-4805-1}
        - trafficserver 8.1.1+ds-1
        NOTE: https://github.com/apache/trafficserver/pull/7358
        NOTE: 
https://lists.apache.org/thread.html/r65434f7acca3aebf81b0588587149c893fe9f8f9f159eaa7364a70ff%40%3Cdev.trafficserver.apache.org%3E
@@ -41361,7 +41376,7 @@ CVE-2020-12697 (The direct_mail extension through 5.2.3 
for TYPO3 allows Denial
 CVE-2020-12696 (The iframe plugin before 4.5 for WordPress does not sanitize a 
URL. ...)
        NOT-FOR-US: iframe plugin for WordPress
 CVE-2020-12695 (The Open Connectivity Foundation UPnP specification before 
2020-04-17  ...)
-       {DLA-2318-1 DLA-2315-1}
+       {DSA-4806-1 DLA-2318-1 DLA-2315-1}
        - wpa 2:2.9.0-16 (bug #976106)
        [buster] - wpa <no-dsa> (Minor issue)
        - gupnp 1.2.3-1
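Review bot: {DSA-4806-1} is the same advisory added to CVE-2020-28926 (minidlna) earlier in this commit, but the package lines visible here for CVE-2020-12695 are wpa (2:2.9.0-16, with buster still "<no-dsa> (Minor issue)") and gupnp (1.2.3-1). Please confirm the DSA reference here is tied to a minidlna line further down in this entry and not to wpa, because as shown the buster wpa marker and the DSA reference would otherwise contradict each other.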
@@ -53401,26 +53416,22 @@ CVE-2020-8568
        RESERVED
 CVE-2020-8567
        RESERVED
-CVE-2020-8566
-       RESERVED
+CVE-2020-8566 (In Kubernetes clusters using Ceph RBD as a storage provisioner, 
with l ...)
        - kubernetes 1.19.3-1 (bug #972341)
        NOTE: https://github.com/kubernetes/kubernetes/pull/95245
        NOTE: https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk
        NOTE: https://github.com/kubernetes/kubernetes/issues/95624
-CVE-2020-8565
-       RESERVED
+CVE-2020-8565 (In Kubernetes, if the logging level is set to at least 9, 
authorizatio ...)
        - kubernetes <unfixed> (bug #972649)
        NOTE: https://github.com/kubernetes/kubernetes/pull/95316
        NOTE: https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk
        NOTE: https://github.com/kubernetes/kubernetes/issues/95623
-CVE-2020-8564
-       RESERVED
+CVE-2020-8564 (In Kubernetes clusters using a logging level of at least 4, 
processing ...)
        - kubernetes 1.19.3-1 (bug #972341)
        NOTE: https://github.com/kubernetes/kubernetes/pull/94712
        NOTE: https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk
        NOTE: https://github.com/kubernetes/kubernetes/issues/95622
-CVE-2020-8563
-       RESERVED
+CVE-2020-8563 (In Kubernetes clusters using VSphere as a cloud provider, with 
a loggi ...)
        - kubernetes <not-affected> (Only affects 19.x)
        NOTE: https://github.com/kubernetes/kubernetes/pull/95236
        NOTE: https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk
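Review bot: the not-affected reason on CVE-2020-8563, "Only affects 19.x", is ambiguous next to the 1.19.3-1 fixed version recorded for CVE-2020-8566 and CVE-2020-8564 two entries above: if it means the 1.19 series, then the 1.19.3-1 package in the archive would be in scope rather than not-affected. Please spell out the exact affected range (and why 1.19.3-1 falls outside it, e.g. because the VSphere provider code is not built) so the marker can be checked against the upstream issue linked in the NOTE. CVE-2020-8565 staying "<unfixed>" while the other three are resolved is consistent with its separate PR, but deserves a follow-up once upstream tags a release containing it.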
@@ -115001,11 +115012,11 @@ CVE-2019-6174
        RESERVED
 CVE-2019-6173 (A DLL search path vulnerability could allow privilege 
escalation in so ...)
        NOT-FOR-US: Lenovo
-CVE-2019-6172 (A potential vulnerability in the SMI callback function in some 
Lenovo  ...)
+CVE-2019-6172 (A potential vulnerability in the SMI callback function used in 
Legacy  ...)
        NOT-FOR-US: Lenovo
 CVE-2019-6171 (A vulnerability was reported in various BIOS versions of older 
ThinkPa ...)
        NOT-FOR-US: Lenovo
-CVE-2019-6170 (A potential vulnerability in some Lenovo ThinkPads may allow an 
attack ...)
+CVE-2019-6170 (A potential vulnerability in the SMI callback function used in 
the Leg ...)
        NOT-FOR-US: Lenovo
 CVE-2019-6169 (A vulnerability reported in Lenovo Service Bridge before 
version 4.1.0 ...)
        NOT-FOR-US: Lenovo Service Bridge



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6db700863ff78c4d98f0d746ce7ef9a6fb6476a5



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
