Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c6974682 by security tracker role at 2021-02-15T20:10:22+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,15 @@
+CVE-2021-27223
+       RESERVED
+CVE-2021-27222
+       RESERVED
+CVE-2021-27221
+       RESERVED
+CVE-2021-27220
+       RESERVED
+CVE-2021-27217
+       RESERVED
+CVE-2021-27216
+       RESERVED
 CVE-2021-27215
        RESERVED
 CVE-2021-27214
@@ -11,8 +23,8 @@ CVE-2021-27212 (In OpenLDAP through 2.4.57 and 2.5.x through 
2.5.1alpha, an asse
        NOTE: https://bugs.openldap.org/show_bug.cgi?id=9454
        NOTE: trunk: 
https://git.openldap.org/openldap/openldap/-/commit/3539fc33212b528c56b716584f2c2994af7c30b0
        NOTE: REL_ENG 2.4.x: 
https://git.openldap.org/openldap/openldap/-/commit/9badb73425a67768c09bcaed1a9c26c684af6c30
-CVE-2021-27211
-       RESERVED
+CVE-2021-27211 (steghide 0.5.1 relies on a certain 32-bit seed value, which 
makes it e ...)
+       TODO: check
 CVE-2021-27210 (TP-Link Archer C5v 1.7_181221 devices allows remote attackers 
to retri ...)
        NOT-FOR-US: TP-Link
 CVE-2021-27209 (In the management interface on TP-Link Archer C5v 1.7_181221 
devices,  ...)
@@ -40,8 +52,8 @@ CVE-2021-27202
 CVE-2021-XXXX [several security fixes: PHP injections, XSS and secrets stored 
in session file]
        - spip 3.2.9-1
        TODO: needs possibly CVE requests for individual issues
-CVE-2021-27201
-       RESERVED
+CVE-2021-27201 (Endian Firewall Community (aka EFW) 3.3.2 allows remote 
authenticated  ...)
+       TODO: check
 CVE-2021-27200
        RESERVED
 CVE-2021-27199
@@ -828,10 +840,10 @@ CVE-2021-21299 (hyper is an open-source HTTP library for 
Rust (crates.io). In hy
        - rust-hyper <unfixed>
        NOTE: 
https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf
        NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0020.html
-CVE-2021-27218 [Integer overflow in 
g_byte_array_new_take()/g_bytes_unref_to_array() on 64-bit platforms]
+CVE-2021-27218 (An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x 
before  ...)
        - glib2.0 2.66.7-1 (bug #982779)
        NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1942
-CVE-2021-27219 [GHSL-2021-045: integer overflow in g_bytes_new/g_memdup]
+CVE-2021-27219 (An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x 
before  ...)
        - glib2.0 2.66.6-1 (bug #982778)
        NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2319
 CVE-2021-26842
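Review bot: The replaced bracketed headers for CVE-2021-27218 and CVE-2021-27219 were the only lines naming the affected functions (g_byte_array_new_take()/g_bytes_unref_to_array() and g_bytes_new/g_memdup) and the GHSL-2021-045 identifier, and the truncated official descriptions no longer carry them. Consider preserving that detail as a NOTE: line under each entry, next to the existing merge request and issue links, so triage does not depend on following the upstream URLs.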
@@ -1538,8 +1550,8 @@ CVE-2021-3377
        RESERVED
 CVE-2021-3376
        RESERVED
-CVE-2021-3375
-       RESERVED
+CVE-2021-3375 (ActivePresenter 6.1.6 is affected by a memory corruption 
vulnerability ...)
+       TODO: check
 CVE-2021-3374
        RESERVED
 CVE-2021-3373
@@ -4670,14 +4682,14 @@ CVE-2021-25301
        RESERVED
 CVE-2021-25300
        RESERVED
-CVE-2021-25299
-       RESERVED
-CVE-2021-25298
-       RESERVED
-CVE-2021-25297
-       RESERVED
-CVE-2021-25296
-       RESERVED
+CVE-2021-25299 (Nagios XI version xi-5.7.5 is affected by cross-site scripting 
(XSS).  ...)
+       TODO: check
+CVE-2021-25298 (Nagios XI version xi-5.7.5 is affected by OS command 
injection. The vu ...)
+       TODO: check
+CVE-2021-25297 (Nagios XI version xi-5.7.5 is affected by OS command 
injection. The vu ...)
+       TODO: check
+CVE-2021-25296 (Nagios XI version xi-5.7.5 is affected by OS command 
injection. The vu ...)
+       TODO: check
 CVE-2021-25295 (OpenCATS through 0.9.5-3 has multiple Cross-site Scripting 
(XSS) issue ...)
        NOT-FOR-US: OpenCATS
 CVE-2021-25294 (OpenCATS through 0.9.5-3 unsafely deserializes 
index.php?m=activity re ...)
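Review bot: The four Nagios XI entries (CVE-2021-25296 through CVE-2021-25299) are left at TODO: check, while the OpenCATS entries directly below them already carry a NOT-FOR-US: verdict. If Nagios XI is not shipped as a Debian source package, a follow-up should resolve all four in one batch with the same kind of NOT-FOR-US: line so they do not linger in the TODO queue.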
@@ -8816,12 +8828,12 @@ CVE-2021-23340
        RESERVED
 CVE-2021-23339
        RESERVED
-CVE-2021-23338
-       RESERVED
-CVE-2021-23337
-       RESERVED
-CVE-2021-23336
-       RESERVED
+CVE-2021-23338 (This affects all versions of package qlib. The workflow 
function in cl ...)
+       TODO: check
+CVE-2021-23337 (All versions of package lodash; all versions of package 
org.fujion.web ...)
+       TODO: check
+CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 
3.7.0 and be ...)
+       TODO: check
 CVE-2021-23335 (All versions of package is-user-valid are vulnerable to LDAP 
Injection ...)
        NOT-FOR-US: Node is-user-valid
 CVE-2021-23334 (All versions of package static-eval are vulnerable to 
Arbitrary Code E ...)
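Review bot: CVE-2021-23337 (lodash) and CVE-2021-23336 (python/cpython) land as TODO: check, but unlike the NOT-FOR-US: Node is-user-valid entry that follows, they name widely packaged software and most likely need source-package lines with a status rather than a NOT-FOR-US verdict. The truncated description of CVE-2021-23336 cuts off inside the version ranges ("before 3.6.13, from 3.7.0 and be ..."), so the affected ranges have to be taken from the full CVE text when triaging.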
@@ -13686,8 +13698,8 @@ CVE-2020-35777 (NETGEAR DGN2200v1 devices before 
v1.0.0.58 are affected by comma
        NOT-FOR-US: Netgear
 CVE-2020-35776
        RESERVED
-CVE-2020-35775
-       RESERVED
+CVE-2020-35775 (CITSmart before 9.1.2.23 allows LDAP Injection. ...)
+       TODO: check
 CVE-2020-35774 (server/handler/HistogramQueryHandler.scala in Twitter 
TwitterServer (a ...)
        NOT-FOR-US: Twitter TwitterServer
 CVE-2020-35773 (The site-offline plugin before 1.4.4 for WordPress lacks 
certain wp_cr ...)
@@ -17352,8 +17364,7 @@ CVE-2020-35513 (A flaw incorrect umask during file or 
directory modification in
        [stretch] - linux <not-affected> (Vulnerable code introduce later)
        NOTE: 
https://git.kernel.org/linus/880a3a5325489a143269a8e172e7563ebf9897bc
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1911309
-CVE-2020-35512
-       RESERVED
+CVE-2020-35512 (A use-after-free flaw was found in D-Bus 1.12.20 when a system 
has mul ...)
        - dbus 1.12.20-1
        [buster] - dbus 1.12.20-0+deb10u1
        [stretch] - dbus 1.10.32-0+deb9u1
@@ -17432,6 +17443,7 @@ CVE-2020-35499
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1910048
        NOTE: 
https://git.kernel.org/linus/f6b8c6b5543983e9de29dc14716bfa4eb3f157c4
 CVE-2020-35498 (A vulnerability was found in openvswitch. A limitation in the 
implemen ...)
+       {DSA-4852-1}
        - openvswitch 2.15.0~git20210104.def6eb1ea+dfsg1-5 (bug #982493)
        NOTE: master: 
https://github.com/openvswitch/ovs/commit/79349cbab0b2a755140eedb91833ad2760520a83
        NOTE: 2.15: 
https://github.com/openvswitch/ovs/commit/0625dc79aec73b966f206e55655a2816696246d0
@@ -21715,8 +21727,8 @@ CVE-2020-29033
        RESERVED
 CVE-2020-29032
        RESERVED
-CVE-2020-29031
-       RESERVED
+CVE-2020-29031 (An Insecure Direct Object Reference vulnerability exists in 
the web UI ...)
+       TODO: check
 CVE-2020-29030
        RESERVED
 CVE-2020-29029
@@ -21725,8 +21737,8 @@ CVE-2020-29028
        RESERVED
 CVE-2020-29027
        RESERVED
-CVE-2020-29026
-       RESERVED
+CVE-2020-29026 (A directory traversal vulnerability exists in the file upload 
function ...)
+       TODO: check
 CVE-2020-29025
        RESERVED
 CVE-2020-29024
@@ -24063,8 +24075,8 @@ CVE-2020-28502
        RESERVED
 CVE-2020-28501
        RESERVED
-CVE-2020-28500
-       RESERVED
+CVE-2020-28500 (All versions of package lodash; all versions of package 
org.fujion.web ...)
+       TODO: check
 CVE-2020-28499
        RESERVED
 CVE-2020-28498 (The package elliptic before 6.5.4 are vulnerable to 
Cryptographic Issu ...)
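Review bot: The truncated description of CVE-2020-28500 is identical to that of CVE-2021-23337 earlier in this commit ("All versions of package lodash; all versions of package org.fujion.web ..."), so the two entries cannot be told apart from the list alone. When the TODO: check is resolved, record the distinguishing detail from the full CVE text in a NOTE: line on both entries.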
@@ -24119,7 +24131,8 @@ CVE-2020-28478 (This affects the package gsap before 
3.6.0. ...)
        NOT-FOR-US: Node gsap
 CVE-2020-28477 (This affects all versions of package immer. ...)
        NOT-FOR-US: Node immer
-CVE-2020-28476 (All versions of package tornado are vulnerable to Web Cache 
Poisoning  ...)
+CVE-2020-28476
+       REJECTED
        - python-tornado <unfixed>
        [buster] - python-tornado <no-dsa> (Minor issue)
        [stretch] - python-tornado <no-dsa> (Minor issue)
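Review bot: CVE-2020-28476 is now marked REJECTED, yet the three context lines under it still track python-tornado as <unfixed>, with <no-dsa> (Minor issue) for buster and stretch. A rejected identifier should not keep reporting a package as affected: drop the python-tornado lines, or, if the underlying issue still needs tracking, move them to a superseding identifier if one exists.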
@@ -34776,8 +34789,8 @@ CVE-2020-24901 (The default installation of Krpano 
Panorama Viewer version &lt;=
        NOT-FOR-US: Krpano Panorama Viewer
 CVE-2020-24900 (The default installation of Krpano Panorama Viewer version 
&lt;=1.20.8 ...)
        NOT-FOR-US: Krpano Panorama Viewer
-CVE-2020-24899
-       RESERVED
+CVE-2020-24899 (Nagios XI 5.7.2 is affected by a remote code execution (RCE) 
vulnerabi ...)
+       TODO: check
 CVE-2020-24898 (The Table Filter and Charts for Confluence Server app before 
5.3.26 (f ...)
        NOT-FOR-US: Confluence Server app for Atlassian Confluence
 CVE-2020-24897 (The Table Filter and Charts for Confluence Server app before 
5.3.25 (f ...)
@@ -39903,12 +39916,12 @@ CVE-2020-22429
        RESERVED
 CVE-2020-22428
        RESERVED
-CVE-2020-22427
-       RESERVED
+CVE-2020-22427 (NagiosXI 5.6.11 is affected by a remote code execution (RCE) 
vulnerabi ...)
+       TODO: check
 CVE-2020-22426
        RESERVED
-CVE-2020-22425
-       RESERVED
+CVE-2020-22425 (Centreon 19.10-3.el7 is affected by a SQL injection 
vulnerability, whe ...)
+       TODO: check
 CVE-2020-22424
        RESERVED
 CVE-2020-22423
@@ -83821,12 +83834,12 @@ CVE-2020-4958 (IBM Security Identity Governance and 
Intelligence 5.2.6 does not
        NOT-FOR-US: IBM
 CVE-2020-4957
        RESERVED
-CVE-2020-4956
-       RESERVED
-CVE-2020-4955
-       RESERVED
-CVE-2020-4954
-       RESERVED
+CVE-2020-4956 (IBM Spectrum Protect Operations Center 7.1 and 8.1 is 
vulnerable to a  ...)
+       TODO: check
+CVE-2020-4955 (IBM Spectrum Protect Operations Center 7.1 and 8.1could allow a 
remote ...)
+       TODO: check
+CVE-2020-4954 (IBM Spectrum Protect Operations Center 7.1 and 8.1 could allow 
a remot ...)
+       TODO: check
 CVE-2020-4953
        RESERVED
 CVE-2020-4952 (IBM Security Guardium 11.2 could allow an authenticated user to 
gain r ...)
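Review bot: CVE-2020-4954, CVE-2020-4955 and CVE-2020-4956 (IBM Spectrum Protect Operations Center) come in as TODO: check, while CVE-2020-4958 at the top of this hunk already uses NOT-FOR-US: IBM. Unless Spectrum Protect is packaged, a follow-up should tag these three the same way for consistency.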
@@ -171431,7 +171444,7 @@ CVE-2018-1000519 (aio-libs aiohttp-session contains a 
Session Fixation vulnerabi
 CVE-2018-1000518 (aaugustin websockets version 4 contains a CWE-409: Improper 
Handling o ...)
        NOT-FOR-US: aaugustin websockets
 CVE-2018-1000517 (BusyBox project BusyBox wget version prior to commit 
8e2174e9bd836e53c ...)
-       {DLA-1445-1}
+       {DLA-2559-1 DLA-1445-1}
        - busybox 1:1.27.2-3 (low; bug #902724)
        NOTE: 
https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e
 CVE-2018-1000516 (The Galaxy Project Galaxy version v14.10 contains a CWE-79: 
Improper N ...)
@@ -209892,7 +209905,7 @@ CVE-2017-16545 (The ReadWPGImage function in 
coders/wpg.c in GraphicsMagick 1.3.
        NOTE: the severity of the wheezy version is low even though the 
vulnerable code is still present.
        NOTE: The patch is trivial so it may be worth fixing in combination 
with some other fix.
 CVE-2017-16544 (In the add_match function in libbb/lineedit.c in BusyBox 
through 1.27. ...)
-       {DLA-1445-1}
+       {DLA-2559-1 DLA-1445-1}
        - busybox 1:1.27.2-2 (bug #882258)
        [wheezy] - busybox <no-dsa> (Minor issue)
        NOTE: 
https://www.twistlock.com/2017/11/20/cve-2017-16544-busybox-autocompletion-vulnerability/
@@ -211983,7 +211996,7 @@ CVE-2017-15874 
(archival/libarchive/decompress_unlzma.c in BusyBox 1.27.2 has an
        NOTE: Introduced in: 
https://git.busybox.net/busybox/commit/?id=3989e5adf454a3ab98412b249c2c9bd2a3175ae0
        NOTE: Fixed by: 
https://git.busybox.net/busybox/commit/?id=9ac42c500586fa5f10a1f6d22c3f797df11b1f6b
 CVE-2017-15873 (The get_next_block function in 
archival/libarchive/decompress_bunzip2. ...)
-       {DLA-1445-1}
+       {DLA-2559-1 DLA-1445-1}
        - busybox 1:1.27.2-2 (bug #879732)
        [wheezy] - busybox <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://git.busybox.net/busybox/commit/?id=0402cb32df015d9372578e3db27db47b33d5c7b0
@@ -282754,12 +282767,12 @@ CVE-2016-2150 (SPICE allows local guest OS users to 
read from or write to arbitr
 CVE-2016-2149 (Red Hat OpenShift Enterprise 3.2 allows remote authenticated 
users to  ...)
        NOT-FOR-US: OpenShift
 CVE-2016-2148 (Heap-based buffer overflow in the DHCP client (udhcpc) in 
BusyBox befo ...)
-       {DLA-1445-1}
+       {DLA-2559-1 DLA-1445-1}
        - busybox 1:1.27.2-1 (bug #818497)
        [wheezy] - busybox <no-dsa> (Minor issue)
        NOTE: 
https://git.busybox.net/busybox/commit/?id=352f79acbd759c14399e39baef21fc4ffe180ac2
 CVE-2016-2147 (Integer overflow in the DHCP client (udhcpc) in BusyBox before 
1.25.0  ...)
-       {DLA-1445-1}
+       {DLA-2559-1 DLA-1445-1}
        - busybox 1:1.27.2-1 (bug #818499)
        [wheezy] - busybox <no-dsa> (Minor issue)
        NOTE: 
https://git.busybox.net/busybox/commit/?id=d474ffc68290e0a83651c4432eeabfa62cd51e87
@@ -291792,7 +291805,7 @@ CVE-2015-7944 (The RESTful control interface (aka 
RAPI or ganeti-rapi) in Ganeti
        NOTE: http://www.ocert.org/advisories/ocert-2015-012.html
        NOTE: 
http://git.ganeti.org/?p=ganeti.git;a=commit;h=201fcb916b8164c78f4ed8e0c9cfc0227a78684c
 CVE-2015-9261 (huft_build in archival/libarchive/decompress_gunzip.c in 
BusyBox befor ...)
-       {DLA-1445-1 DLA-337-1}
+       {DLA-2559-1 DLA-1445-1 DLA-337-1}
        - busybox 1:1.27.2-1 (bug #803097)
        NOTE: https://www.openwall.com/lists/oss-security/2015/10/25/3
        NOTE: 
http://git.busybox.net/busybox/commit/?id=1de25a6e87e0e627aa34298105a3d17c60a1f44e
@@ -298780,7 +298793,7 @@ CVE-2012-6694 (GE Healthcare Centricity PACS 
Workstation 4.0 and 4.0.1, and Serv
 CVE-2012-6693 (GE Healthcare Centricity PACS 4.0 Server has a default password 
of (1) ...)
        NOT-FOR-US: GE Healthcare Centricity PACS
 CVE-2011-5325 (Directory traversal vulnerability in the BusyBox implementation 
of tar ...)
-       {DLA-1445-1}
+       {DLA-2559-1 DLA-1445-1}
        - busybox 1:1.27.2-1 (bug #802702)
        [wheezy] - busybox <no-dsa> (Minor issue)
        [squeeze] - busybox <no-dsa> (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6974682569c9b6601b938f1ddd990707d17e916
