Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
eb6bed07 by security tracker role at 2021-03-05T20:10:30+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,153 @@
+CVE-2021-3423
+       RESERVED
+CVE-2021-28041 (ssh-agent in OpenSSH before 8.5 has a double free that may be 
relevant ...)
+       TODO: check
+CVE-2021-28040 (An issue was discovered in OSSEC 3.6.0. An uncontrolled 
recursion vuln ...)
+       TODO: check
+CVE-2021-28037 (An issue was discovered in the internment crate before 0.4.2 
for Rust. ...)
+       TODO: check
+CVE-2021-28036 (An issue was discovered in the quinn crate before 0.7.0 for 
Rust. It m ...)
+       TODO: check
+CVE-2021-28035 (An issue was discovered in the stack_dst crate before 0.6.1 
for Rust.  ...)
+       TODO: check
+CVE-2021-28034 (An issue was discovered in the stack_dst crate before 0.6.1 
for Rust.  ...)
+       TODO: check
+CVE-2021-28033 (An issue was discovered in the byte_struct crate before 0.6.1 
for Rust ...)
+       TODO: check
+CVE-2021-28032 (An issue was discovered in the nano_arena crate before 0.5.2 
for Rust. ...)
+       TODO: check
+CVE-2021-28031 (An issue was discovered in the scratchpad crate before 1.3.1 
for Rust. ...)
+       TODO: check
+CVE-2021-28030 (An issue was discovered in the truetype crate before 0.30.1 
for Rust.  ...)
+       TODO: check
+CVE-2021-28029 (An issue was discovered in the toodee crate before 0.3.0 for 
Rust. The ...)
+       TODO: check
+CVE-2021-28028 (An issue was discovered in the toodee crate before 0.3.0 for 
Rust. Row ...)
+       TODO: check
+CVE-2021-28027 (An issue was discovered in the bam crate before 0.1.3 for 
Rust. There  ...)
+       TODO: check
+CVE-2021-28026 (jpeg-xl v0.3.2 is affected by a heap buffer overflow in 
/lib/jxl/coeff ...)
+       TODO: check
+CVE-2021-28025
+       RESERVED
+CVE-2021-28024
+       RESERVED
+CVE-2021-28023
+       RESERVED
+CVE-2021-28022
+       RESERVED
+CVE-2021-28021
+       RESERVED
+CVE-2021-28020
+       RESERVED
+CVE-2021-28019
+       RESERVED
+CVE-2021-28018
+       RESERVED
+CVE-2021-28017
+       RESERVED
+CVE-2021-28016
+       RESERVED
+CVE-2021-28015
+       RESERVED
+CVE-2021-28014
+       RESERVED
+CVE-2021-28013
+       RESERVED
+CVE-2021-28012
+       RESERVED
+CVE-2021-28011
+       RESERVED
+CVE-2021-28010
+       RESERVED
+CVE-2021-28009
+       RESERVED
+CVE-2021-28008
+       RESERVED
+CVE-2021-28007
+       RESERVED
+CVE-2021-28006
+       RESERVED
+CVE-2021-28005
+       RESERVED
+CVE-2021-28004
+       RESERVED
+CVE-2021-28003
+       RESERVED
+CVE-2021-28002
+       RESERVED
+CVE-2021-28001
+       RESERVED
+CVE-2021-28000
+       RESERVED
+CVE-2021-27999
+       RESERVED
+CVE-2021-27998
+       RESERVED
+CVE-2021-27997
+       RESERVED
+CVE-2021-27996
+       RESERVED
+CVE-2021-27995
+       RESERVED
+CVE-2021-27994
+       RESERVED
+CVE-2021-27993
+       RESERVED
+CVE-2021-27992
+       RESERVED
+CVE-2021-27991
+       RESERVED
+CVE-2021-27990
+       RESERVED
+CVE-2021-27989
+       RESERVED
+CVE-2021-27988
+       RESERVED
+CVE-2021-27987
+       RESERVED
+CVE-2021-27986
+       RESERVED
+CVE-2021-27985
+       RESERVED
+CVE-2021-27984
+       RESERVED
+CVE-2021-27983
+       RESERVED
+CVE-2021-27982
+       RESERVED
+CVE-2021-27981
+       RESERVED
+CVE-2021-27980
+       RESERVED
+CVE-2021-27979
+       RESERVED
+CVE-2021-27978
+       RESERVED
+CVE-2021-27977
+       RESERVED
+CVE-2021-27976
+       RESERVED
+CVE-2021-27975
+       RESERVED
+CVE-2021-27974
+       RESERVED
+CVE-2021-27973
+       RESERVED
+CVE-2021-27972
+       RESERVED
+CVE-2021-27971
+       RESERVED
+CVE-2021-27970
+       RESERVED
+CVE-2021-27969
+       RESERVED
+CVE-2021-27968
+       RESERVED
+CVE-2021-27967
+       RESERVED
+CVE-2021-27966
+       RESERVED
 CVE-2021-27965 (The MsIo64.sys driver before 1.1.19.1016 in MSI Dragon Center 
before 2 ...)
        NOT-FOR-US: MSI Dragon Center
 CVE-2021-27964 (SonLogger before 6.4.1 is affected by Unauthenticated 
Arbitrary File U ...)
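Review bot: every described entry in this hunk is left at `TODO: check`, and the one that most needs an owner before the next automatic update is CVE-2021-28041 (ssh-agent in OpenSSH before 8.5, double free), because the rest are Rust crates (CVE-2021-28027 through CVE-2021-28037), OSSEC and jpeg-xl whose truncated descriptions (`...`) give no hint of an affected Debian source package. Suggest resolving the OpenSSH entry to a source-package line or an explicit `<not-affected>`/`NOT-FOR-US` with a reason instead of a placeholder, and triaging the nine crate entries as one batch since they share the same wording and only differ in crate name and version.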
@@ -44,12 +194,12 @@ CVE-2021-27946
        RESERVED
 CVE-2021-27945
        RESERVED
-CVE-2021-28039 [XSA 369]
+CVE-2021-28039 (An issue was discovered in the Linux kernel 5.9.x through 
5.11.3, as u ...)
        - linux <unfixed> (unimportant)
        [buster] - linux <not-affected> (Vulnerable code introduced later)
        [stretch] - linux <not-affected> (Vulnerable code introduced later)
        NOTE: https://xenbits.xen.org/xsa/advisory-369.html
-CVE-2021-28038 [XSA 367]
+CVE-2021-28038 (An issue was discovered in the Linux kernel through 5.11.3, as 
used wi ...)
        - linux <unfixed>
        NOTE: https://xenbits.xen.org/xsa/advisory-367.html
 CVE-2021-3422
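Review bot: CVE-2021-28038 is triaged to a shallower depth than its sibling CVE-2021-28039 in the same hunk: 28039 carries a severity (`(unimportant)`) and explicit `[buster]`/`[stretch] - linux <not-affected> (Vulnerable code introduced later)` lines, while 28038 has only `- linux <unfixed>` with no severity and no suite annotations even though its new description says "through 5.11.3" with no lower bound. Suggest adding the suite lines (or a NOTE explaining why older kernels are affected) and a severity for 28038. Replacing the `[XSA 369]`/`[XSA 367]` header text with the MITRE description is fine, since the advisory URLs survive in the NOTE lines.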
@@ -143,8 +293,7 @@ CVE-2021-27909
        RESERVED
 CVE-2021-27908
        RESERVED
-CVE-2021-27907
-       RESERVED
+CVE-2021-27907 (Apache Superset up to and including 0.38.0 allowed the 
creation of a M ...)
        NOT-FOR-US: Apache Superset
 CVE-2021-27906
        RESERVED
@@ -1884,10 +2033,10 @@ CVE-2021-27101 (Accellion FTA 9_12_370 and earlier is 
affected by SQL injection
        NOT-FOR-US: Accellion FTA
 CVE-2021-27100
        RESERVED
-CVE-2021-27099
-       RESERVED
-CVE-2021-27098
-       RESERVED
+CVE-2021-27099 (In SPIRE before versions 0.8.5, 0.9.4, 0.10.2, 0.11.3 and 
0.12.1, the  ...)
+       TODO: check
+CVE-2021-27098 (In SPIRE 0.8.1 through 0.8.4 and before versions 0.9.4, 
0.10.2, 0.11.3 ...)
+       TODO: check
 CVE-2021-27097 (The boot loader in Das U-Boot before 2021.04-rc2 mishandles a 
modified ...)
        - u-boot <unfixed> (bug #983270)
        [buster] - u-boot <no-dsa> (Minor issue)
@@ -2147,30 +2296,30 @@ CVE-2021-26973
        RESERVED
 CVE-2021-26972
        RESERVED
-CVE-2021-26971
-       RESERVED
-CVE-2021-26970
-       RESERVED
-CVE-2021-26969
-       RESERVED
-CVE-2021-26968
-       RESERVED
-CVE-2021-26967
-       RESERVED
-CVE-2021-26966
-       RESERVED
-CVE-2021-26965
-       RESERVED
-CVE-2021-26964
-       RESERVED
-CVE-2021-26963
-       RESERVED
-CVE-2021-26962
-       RESERVED
-CVE-2021-26961
-       RESERVED
-CVE-2021-26960
-       RESERVED
+CVE-2021-26971 (A remote authenticated arbitrary command execution 
vulnerability was d ...)
+       TODO: check
+CVE-2021-26970 (A remote authenticated arbitrary command execution 
vulnerability was d ...)
+       TODO: check
+CVE-2021-26969 (A remote authenticated authenticated xml external entity (xxe) 
vulnera ...)
+       TODO: check
+CVE-2021-26968 (A remote authenticated stored cross-site scripting (xss) 
vulnerability ...)
+       TODO: check
+CVE-2021-26967 (A remote reflected cross-site scripting (xss) vulnerability 
was discov ...)
+       TODO: check
+CVE-2021-26966 (A remote authenticated sql injection vulnerability was 
discovered in A ...)
+       TODO: check
+CVE-2021-26965 (A remote authenticated sql injection vulnerability was 
discovered in A ...)
+       TODO: check
+CVE-2021-26964 (A remote authentication restriction bypass vulnerability was 
discovere ...)
+       TODO: check
+CVE-2021-26963 (A remote authenticated arbitrary command execution 
vulnerability was d ...)
+       TODO: check
+CVE-2021-26962 (A remote authenticated arbitrary command execution 
vulnerability was d ...)
+       TODO: check
+CVE-2021-26961 (A remote unauthenticated cross-site request forgery (csrf) 
vulnerabili ...)
+       TODO: check
+CVE-2021-26960 (A remote unauthenticated cross-site request forgery (csrf) 
vulnerabili ...)
+       TODO: check
 CVE-2021-26959
        REJECTED
 CVE-2021-26958 (An issue was discovered in the xcb crate through 2021-02-04 
for Rust.  ...)
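Review bot: the twelve new entries CVE-2021-26960 through CVE-2021-26971 are truncated exactly at the product name (`... was discovered in A ...`), so nothing in this file identifies the affected software; they are all `TODO: check` and should be triaged together, since the descriptions read as a single vendor batch (authenticated command execution, SQL injection, XSS, XXE, CSRF) and will get the same disposition. The doubled "authenticated authenticated" in CVE-2021-26969 is upstream's wording and should stay as imported.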
@@ -2787,8 +2936,8 @@ CVE-2020-36241 (autoar-extractor.c in GNOME gnome-autoar 
through 0.2.4, as used
        NOTE: https://gitlab.gnome.org/GNOME/gnome-autoar/-/issues/7
 CVE-2021-26706
        RESERVED
-CVE-2021-26705
-       RESERVED
+CVE-2021-26705 (An issue was discovered in SquareBox CatDV Server through 9.2. 
An atta ...)
+       TODO: check
 CVE-2021-26704 (EPrints 3.4.2 allows remote attackers to execute arbitrary 
commands vi ...)
        NOT-FOR-US: EPrints
 CVE-2021-26703 (EPrints 3.4.2 allows remote attackers to read arbitrary files 
and poss ...)
@@ -3200,8 +3349,8 @@ CVE-2021-3379
        RESERVED
 CVE-2021-3378 (FortiLogger 4.4.2.2 is affected by Arbitrary File Upload by 
sending a  ...)
        NOT-FOR-US: FortiLogger
-CVE-2021-3377
-       RESERVED
+CVE-2021-3377 (The npm package ansi_up converts ANSI escape codes into HTML. 
In ansi_ ...)
+       TODO: check
 CVE-2021-3376
        RESERVED
 CVE-2021-3375 (ActivePresenter 6.1.6 is affected by a memory corruption 
vulnerability ...)
@@ -4284,6 +4433,7 @@ CVE-2021-26119 (Smarty before 3.1.39 allows a Sandbox 
Escape because $smarty.tem
 CVE-2021-26118 (While investigating ARTEMIS-2964 it was found that the 
creation of adv ...)
        NOT-FOR-US: Apache ActiveMQ Artemis
 CVE-2021-26117 (The optional ActiveMQ LDAP login module can be configured to 
use anony ...)
+       {DLA-2583-1}
        - activemq 5.16.1-1 (bug #982590)
        NOTE: https://issues.apache.org/jira/browse/AMQ-8035
        NOTE: https://www.openwall.com/lists/oss-security/2021/01/27/6
@@ -6266,8 +6416,8 @@ CVE-2021-25315 (A Incorrect Implementation of 
Authentication Algorithm vulnerabi
        TODO: check
 CVE-2021-25314
        RESERVED
-CVE-2021-25313
-       RESERVED
+CVE-2021-25313 (A Improper Neutralization of Input During Web Page Generation 
('Cross- ...)
+       TODO: check
 CVE-2021-3179
        RESERVED
 CVE-2021-3178 (** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel through 
5.10.8, w ...)
@@ -13986,8 +14136,8 @@ CVE-2021-21727
        RESERVED
 CVE-2021-21726
        RESERVED
-CVE-2021-21725
-       RESERVED
+CVE-2021-21725 (A ZTE product has an information leak vulnerability. An 
attacker with  ...)
+       TODO: check
 CVE-2021-21724 (A ZTE product has a memory leak vulnerability. Due to the 
product's im ...)
        NOT-FOR-US: ZTE
 CVE-2021-21723 (Some ZTE products have a DoS vulnerability. Due to the 
improper handli ...)
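Review bot: CVE-2021-21725 (`A ZTE product has an information leak vulnerability`) is left at `TODO: check` while the adjacent context entries CVE-2021-21724 and CVE-2021-21723, also ZTE products, are `NOT-FOR-US: ZTE`; unless the full description names something in the Debian archive, the same `NOT-FOR-US: ZTE` line is the expected resolution, and leaving it as TODO only re-queues it.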
@@ -16791,8 +16941,8 @@ CVE-2020-35596
        RESERVED
 CVE-2020-35595
        RESERVED
-CVE-2020-35594
-       RESERVED
+CVE-2020-35594 (Zoho ManageEngine ADManager Plus before 7066 allows XSS. ...)
+       TODO: check
 CVE-2020-35593
        RESERVED
 CVE-2020-35592 (Pi-hole 5.0, 5.1, and 5.1.1 allows XSS via the Options header 
to the a ...)
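Review bot: CVE-2020-35594 (Zoho ManageEngine ADManager Plus) is one of three Zoho ManageEngine entries this update leaves at `TODO: check`, alongside CVE-2020-29658 (Application Control Plus) and CVE-2020-28050 (Desktop Central) further down; they are the same vendor and will need the same triage, so handle them in one pass and give all three the same disposition.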
@@ -17772,12 +17922,12 @@ CVE-2021-20667
        RESERVED
 CVE-2021-20666
        RESERVED
-CVE-2021-20665
-       RESERVED
-CVE-2021-20664
-       RESERVED
-CVE-2021-20663
-       RESERVED
+CVE-2021-20665 (Cross-site scripting vulnerability in in Add asset screen of 
Contents  ...)
+       TODO: check
+CVE-2021-20664 (Cross-site scripting vulnerability in in Asset registration 
screen of  ...)
+       TODO: check
+CVE-2021-20663 (Cross-site scripting vulnerability in in Role authority 
setting screen ...)
+       TODO: check
 CVE-2021-20662 (Missing authentication for critical function in SolarView 
Compact SV-C ...)
        NOT-FOR-US: SolarView Compact
 CVE-2021-20661 (Directory traversal vulnerability in SolarView Compact 
SV-CPT-MC310 pr ...)
@@ -21495,8 +21645,8 @@ CVE-2020-29660 (A locking inconsistency issue was 
discovered in the tty subsyste
        NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2125
 CVE-2020-29659 (A buffer overflow in the web server of Flexense DupScout 
Enterprise 10 ...)
        NOT-FOR-US: Flexense DupScout Enterprise
-CVE-2020-29658
-       RESERVED
+CVE-2020-29658 (Zoho ManageEngine Application Control Plus before 100523 has 
an insecu ...)
+       TODO: check
 CVE-2020-29657 (In JerryScript 2.3.0, there is an out-of-bounds read in 
main_print_unh ...)
        - iotjs <unfixed> (bug #977736; unimportant)
        NOTE: https://github.com/jerryscript-project/jerryscript/issues/4244
@@ -23470,8 +23620,8 @@ CVE-2020-29136 (In cPanel before 90.0.17, 2FA can be 
bypassed via a brute-force
        NOT-FOR-US: cPanel
 CVE-2020-29135 (cPanel before 90.0.17 has multiple instances of URL parameter 
injectio ...)
        NOT-FOR-US: cPanel
-CVE-2020-29134
-       RESERVED
+CVE-2020-29134 (TOTVS Fluig Luke 1.7.0 allows directory traversal via a base64 
encoded ...)
+       TODO: check
 CVE-2020-29133 (jsp/upload.jsp in Coremail XT 5.0 allows XSS via an uploaded 
personal  ...)
        NOT-FOR-US: Coremail XT
 CVE-2020-29132
@@ -23695,8 +23845,8 @@ CVE-2020-29034
        RESERVED
 CVE-2020-29033
        RESERVED
-CVE-2020-29032
-       RESERVED
+CVE-2020-29032 (Upload of Code Without Integrity Check vulnerability in 
firmware archi ...)
+       TODO: check
 CVE-2020-29031 (An Insecure Direct Object Reference vulnerability exists in 
the web UI ...)
        NOT-FOR-US: GateManager
 CVE-2020-29030
@@ -26051,8 +26201,8 @@ CVE-2020-28504
        RESERVED
 CVE-2020-28503
        RESERVED
-CVE-2020-28502
-       RESERVED
+CVE-2020-28502 (This affects the package xmlhttprequest before 1.7.0; all 
versions of  ...)
+       TODO: check
 CVE-2020-28501
        RESERVED
 CVE-2020-28500 (All versions of package lodash; all versions of package 
org.fujion.web ...)
@@ -28579,8 +28729,8 @@ CVE-2020-28052 (An issue was discovered in Legion of 
the Bouncy Castle BC Java 1
        NOTE: Fixed by: 
https://github.com/bcgit/bc-java/commit/97578f9b7ed277e6ecb58834e85e3d18385a4219
 (r1rv67)
 CVE-2020-28051
        RESERVED
-CVE-2020-28050
-       RESERVED
+CVE-2020-28050 (Zoho ManageEngine Desktop Central before build 10.0.647 allows 
a singl ...)
+       TODO: check
 CVE-2020-28049 (An issue was discovered in SDDM before 0.19.0. It incorrectly 
starts t ...)
        {DSA-4783-1 DLA-2436-1}
        - sddm 0.19.0-1 (bug #973748)
@@ -155796,6 +155946,7 @@ CVE-2019-0223 (While investigating bug PROTON-2014, 
we discovered that under som
        NOTE: not present in the jessie version. That part do not seem to be 
essential for
        NOTE: the package to be vulnerable.
 CVE-2019-0222 (In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT 
frame ca ...)
+       {DLA-2583-1 DLA-2582-1}
        - activemq 5.15.9-1 (bug #925964; unimportant)
        [jessie] - activemq <not-affected> (MQTT support not enabled)
        - mqtt-client 1.16-1
@@ -157951,7 +158102,7 @@ CVE-2018-18559 (In the Linux kernel through 4.19, a 
use-after-free can occur due
        NOTE: Fixed by: 
https://git.kernel.org/linus/15fe076edea787807a7cdc168df832544b58eba6
 CVE-2018-18558 (An issue was discovered in Espressif ESP-IDF 2.x and 3.x 
before 3.0.6  ...)
        NOT-FOR-US: Espressif ESP-IDF
-CVE-2018-18557 (LibTIFF 3.9.3, 3.9.4, 4.0.0alpha4, 4.0.0alpha5, 4.0.0alpha6, 
4.0.0beta ...)
+CVE-2018-18557 (LibTIFF 3.9.3, 3.9.4, 3.9.5, 3.9.6, 3.9.7, 4.0.0alpha4, 
4.0.0alpha5, 4 ...)
        {DSA-4349-1 DLA-1557-1}
        - tiff 4.0.9+git181026-1 (bug #911635)
        - tiff3 <removed>
@@ -176050,6 +176201,7 @@ CVE-2018-11776 (Apache Struts versions 2.3 to 2.3.34 
and 2.5 to 2.5.16 suffer fr
        - libstruts1.2-java <not-affected> (Specific to 2.x)
        NOTE: https://cwiki.apache.org/confluence/display/WW/S2-057
 CVE-2018-11775 (TLS hostname verification when using the Apache ActiveMQ 
Client before ...)
+       {DLA-2583-1}
        - activemq 5.15.6-1 (low; bug #908950)
        [jessie] - activemq <no-dsa> (Minor issue)
        NOTE: 
http://activemq.apache.org/security-advisories.data/CVE-2018-11775-announcement.txt
@@ -191261,7 +191413,7 @@ CVE-2018-6382 (** DISPUTED ** MantisBT 2.10.0 allows 
local users to conduct SQL
        - mantis <removed>
        [wheezy] - mantis <end-of-life> (Not supported in Wheezy)
        NOTE: https://mantisbt.org/bugs/view.php?id=23908
-CVE-2018-6381 (In ZZIPlib 0.13.67, 0.13.66, 0.13.65, 0.13.64 and 0.13.63 there 
is a s ...)
+CVE-2018-6381 (In ZZIPlib 0.13.67, 0.13.66, 0.13.65, 0.13.64, 0.13.63, 
0.13.62, 0.13. ...)
        {DLA-2258-1}
        - zziplib 0.13.62-3.2 (bug #889096)
        [stretch] - zziplib 0.13.62-3.2~deb9u1
@@ -214380,6 +214532,7 @@ CVE-2017-15710 (In Apache httpd 2.0.23 to 2.0.65, 
2.2.0 to 2.2.34, and 2.4.0 to
        - apache2 2.4.33-1
        NOTE: https://www.openwall.com/lists/oss-security/2018/03/24/8
 CVE-2017-15709 (When using the OpenWire protocol in ActiveMQ versions 5.14.0 
to 5.15.2 ...)
+       {DLA-2583-1}
        - activemq 5.15.3-1 (bug #890352)
        [jessie] - activemq <not-affected> (Issue introduced with OpenWire 
protocol support)
        [wheezy] - activemq <not-affected> (Issue introduced with OpenWire 
protocol support)
@@ -216455,7 +216608,7 @@ CVE-2017-15046 (LAME 3.99.5, 3.99.4, 3.98.4, 3.98.2, 
3.98 and 3.97 have a stack-
        NOTE: Starting with 3.99.5+repack1-8 libsndfile is used to read the 
input file, marking that as the fixed
        NOTE: version, although the internal lame code was only fixed in 3.100 
(strictly speaking that would be
        NOTE: severity:unimportant for stretch onwards, but we don't have 
suite-specific severity annotations
-CVE-2017-15045 (LAME 3.99.5, 3.98.4, 3.98.2 and 3.98 has a heap-based buffer 
over-read ...)
+CVE-2017-15045 (LAME 3.99, 3.99.1, 3.99.2, 3.99.3, 3.99.4, 3.99.5, 3.98.4, 
3.98.2 and  ...)
        - lame 3.99.5+repack1-8
        [jessie] - lame 3.99.5+repack1-7+deb8u2
        NOTE: https://sourceforge.net/p/lame/bugs/478/
@@ -248381,7 +248534,7 @@ CVE-2016-10094 (Off-by-one error in the 
t2p_readwrite_pdf_image_tile function in
        - tiff3 <not-affected> (vulnerable code introduced later)
        NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2640
        NOTE: Fixed by: 
https://github.com/vadz/libtiff/commit/c7153361a4041260719b340f73f2f76b0969235c
-CVE-2016-10093 (Integer overflow in tools/tiffcp.c in LibTIFF 4.0.7 3.9.3, 
3.9.4, 3.9. ...)
+CVE-2016-10093 (Integer overflow in tools/tiffcp.c in LibTIFF 4.0.7, 3.9.3, 
3.9.4, 3.9 ...)
        {DSA-3762-1 DLA-795-1}
        - tiff 4.0.7-2
        - tiff3 <removed>



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb6bed07794afb9bcbf0a59a373c989379d1dbca


_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits