Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
63f2b78d by security tracker role at 2021-03-19T08:10:17+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,11 @@
+CVE-2021-28834 (Kramdown before 2.3.1 does not restrict Rouge formatters to 
the Rouge: ...)
+       TODO: check
+CVE-2021-28833
+       RESERVED
+CVE-2021-28832
+       RESERVED
+CVE-2021-28831 (decompress_gunzip.c in BusyBox through 1.32.1 mishandles the 
error bit ...)
+       TODO: check
 CVE-2021-XXXX [Local privilege escalation via guix-daemon and --keep-failed]
        - guix <unfixed> (bug #985467; unimportant)
        NOTE: https://issues.guix.gnu.org/47229
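Review bot: the two new "TODO: check" entries in this hunk, CVE-2021-28834 (Kramdown) and CVE-2021-28831 (BusyBox decompress_gunzip.c), both concern software that is packaged in Debian (ruby-kramdown and busybox), so they need real triage against those source packages rather than a NOT-FOR-US mark; the BusyBox one touches the gunzip decompressor used in the installer and initramfs images, which is worth flagging to the team when the TODO is resolved.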
@@ -365,8 +373,8 @@ CVE-2021-28655
        RESERVED
 CVE-2021-28654
        RESERVED
-CVE-2021-28653
-       RESERVED
+CVE-2021-28653 (The iOS and macOS apps before 1.4.1 for the Western Digital 
G-Technolo ...)
+       TODO: check
 CVE-2021-28652
        RESERVED
 CVE-2021-28651
@@ -1420,8 +1428,8 @@ CVE-2021-28162 (In Eclipse Theia versions up to and 
including 0.16.0, in the not
        NOT-FOR-US: Eclipse Theia
 CVE-2021-28161 (In Eclipse Theia versions up to and including 1.8.0, in the 
debug cons ...)
        NOT-FOR-US: Eclipse Theia
-CVE-2021-28160
-       RESERVED
+CVE-2021-28160 (Reflected XSS on Acexy (BoyaMicro) Wireless-N WiFi Repeater 
28.08.06.1 ...)
+       TODO: check
 CVE-2021-28159
        RESERVED
 CVE-2021-28158
@@ -1539,8 +1547,8 @@ CVE-2021-28128
        RESERVED
 CVE-2021-28127
        RESERVED
-CVE-2021-28126
-       RESERVED
+CVE-2021-28126 (index.jsp in TranzWare e-Commerce Payment Gateway (TWEC PG) 
before 3.1 ...)
+       TODO: check
 CVE-2021-28125
        RESERVED
 CVE-2021-28124
@@ -1580,10 +1588,10 @@ CVE-2021-28112
        RESERVED
 CVE-2021-28111
        RESERVED
-CVE-2021-28110
-       RESERVED
-CVE-2021-28109
-       RESERVED
+CVE-2021-28110 (/exec in TranzWare e-Commerce Payment Gateway (TWEC PG) before 
3.1.27. ...)
+       TODO: check
+CVE-2021-28109 (TranzWare (POI) FIMI before 4.2.20.4.2 allows login_tw.php 
reflected C ...)
+       TODO: check
 CVE-2021-28374 (The Debian courier-authlib package before 0.71.1-2 for Courier 
Authent ...)
        - courier-authlib 0.71.1-2 (bug #984810)
        NOTE: Re-introduction of #378571 while migrating from 
debian/permissions to
@@ -1682,15 +1690,13 @@ CVE-2021-3424
        NOT-FOR-US: Keycloak
 CVE-2021-28091
        RESERVED
-CVE-2021-28090
-       RESERVED
+CVE-2021-28090 (Tor before 0.4.5.7 allows a remote attacker to cause Tor 
directory aut ...)
        {DSA-4871-1}
        - tor 0.4.5.7-1
        [stretch] - tor <end-of-life> (See DSA 4644)
        NOTE: https://blog.torproject.org/node/2009
        NOTE: https://bugs.torproject.org/tpo/core/tor/40316
-CVE-2021-28089
-       RESERVED
+CVE-2021-28089 (Tor before 0.4.5.7 allows a remote participant in the Tor 
directory pr ...)
        {DSA-4871-1}
        - tor 0.4.5.7-1
        [stretch] - tor <end-of-life> (See DSA 4644)
@@ -2054,8 +2060,8 @@ CVE-2021-27930
        RESERVED
 CVE-2021-27929
        RESERVED
-CVE-2021-27928
-       RESERVED
+CVE-2021-27928 (A remote code execution issue was discovered in MariaDB 10.2 
before 10 ...)
+       TODO: check
 CVE-2021-27927 (In Zabbix before 4.0.28rc1, 5.x before 5.0.8rc1, 5.1.x and 
5.2.x befor ...)
        - zabbix 1:5.0.8+dfsg-1
        [stretch] - zabbix <no-dsa> (minor issue)
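Review bot: CVE-2021-27928 is described as a remote code execution issue in MariaDB, and MariaDB is packaged in Debian, so this "TODO: check" should be prioritised over the routine ones in this update and resolved to a package line with the fixed upstream version once the truncated description ("10.2 before 10 ...") has been read in full from the feed.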
@@ -2491,8 +2497,7 @@ CVE-2021-27803 (A vulnerability was discovered in how 
p2p/p2p_pd.c in wpa_suppli
        NOTE: 
https://w1.fi/security/2021-1/0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch
 CVE-2021-3417 (An internal product security audit of LXCO, prior to version 
1.2.2, di ...)
        NOT-FOR-US: Lenovo
-CVE-2021-3416 [net: infinite loop in loopback mode may lead to stack overflow]
-       RESERVED
+CVE-2021-3416 (A potential stack overflow via infinite loop issue was found in 
variou ...)
        - qemu 1:5.2+dfsg-9 (bug #984448)
        [buster] - qemu <postponed> (Minor issue)
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html
@@ -3130,8 +3135,8 @@ CVE-2021-27438
        RESERVED
 CVE-2021-27437
        RESERVED
-CVE-2021-27436
-       RESERVED
+CVE-2021-27436 (WebAccess/SCADA Versions 9.0 and prior is vulnerable to 
cross-site scr ...)
+       TODO: check
 CVE-2021-27435
        RESERVED
 CVE-2021-27434
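Review bot: the new description for CVE-2021-27436 ("WebAccess/SCADA Versions 9.0 and prior is vulnerable to cross-site scr ...") is the same text that a later hunk in this patch removes from CVE-2020-16230, so the feed has re-attributed that issue to this ID. WebAccess/SCADA is an Advantech product that is not packaged in Debian, and neighbouring Advantech entries elsewhere in the file carry "NOT-FOR-US: Advantech WebAccess", so this entry can be resolved the same way instead of staying at "TODO: check".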
@@ -3331,8 +3336,8 @@ CVE-2021-27360
        RESERVED
 CVE-2021-27359
        RESERVED
-CVE-2021-27358
-       RESERVED
+CVE-2021-27358 (The snapshot feature in Grafana before 7.4.1 can allow an 
unauthentica ...)
+       TODO: check
 CVE-2021-27357
        RESERVED
 CVE-2021-27356
@@ -3617,8 +3622,8 @@ CVE-2021-27223
        RESERVED
 CVE-2021-27222 (In the "Time in Status" app before 4.13.0 for Jira, remote 
authenticat ...)
        NOT-FOR-US: "Time in Status" app
-CVE-2021-27221
-       RESERVED
+CVE-2021-27221 (** DISPUTED ** MikroTik RouterOS 6.47.9 allows remote 
authenticated ft ...)
+       TODO: check
 CVE-2021-27220
        RESERVED
 CVE-2021-27217 (An issue was discovered in the _send_secure_msg() function of 
Yubico y ...)
@@ -5855,8 +5860,8 @@ CVE-2021-3329
        RESERVED
 CVE-2021-3328
        RESERVED
-CVE-2021-3327
-       RESERVED
+CVE-2021-3327 (Ovation Dynamic Content 1.10.1 for Elementor allows XSS via the 
post_t ...)
+       TODO: check
 CVE-2021-26294 (An issue was discovered in AfterLogic Aurora through 7.7.9 and 
WebMail ...)
        NOT-FOR-US: AfterLogic Aurora
 CVE-2021-26293 (An issue was discovered in AfterLogic Aurora through 8.5.3 and 
WebMail ...)
@@ -5895,8 +5900,8 @@ CVE-2021-26277
        RESERVED
 CVE-2021-26276 (** DISPUTED ** scripts/cli.js in the GoDaddy 
node-config-shield (aka C ...)
        NOT-FOR-US: GoDaddy node-config-shield
-CVE-2021-26275
-       RESERVED
+CVE-2021-26275 (** UNSUPPORTED WHEN ASSIGNED ** The eslint-fixer package 
through 0.1.5 ...)
+       TODO: check
 CVE-2020-36240 (The ResourceDownloadRewriteRule class in Crowd before version 
4.0.4, a ...)
        NOT-FOR-US: Atlassian
 CVE-2020-36239
@@ -7324,8 +7329,8 @@ CVE-2021-25766 (In JetBrains YouTrack before 2020.4.4701, 
improper resource acce
        NOT-FOR-US: JetBrains TeamCity
 CVE-2021-25765 (In JetBrains YouTrack before 2020.4.4701, CSRF via attachment 
upload w ...)
        NOT-FOR-US: JetBrains TeamCity
-CVE-2021-25764
-       RESERVED
+CVE-2021-25764 (In JetBrains PhpStorm before 2020.3, source code could be 
added to deb ...)
+       TODO: check
 CVE-2021-25763 (In JetBrains Ktor before 1.4.2, weak cipher suites were 
enabled by def ...)
        NOT-FOR-US: JetBrains Ktor
 CVE-2021-25762 (In JetBrains Ktor before 1.4.3, HTTP Request Smuggling was 
possible. ...)
@@ -8405,37 +8410,32 @@ CVE-2021-25295 (OpenCATS through 0.9.5-3 has multiple 
Cross-site Scripting (XSS)
        NOT-FOR-US: OpenCATS
 CVE-2021-25294 (OpenCATS through 0.9.5-3 unsafely deserializes 
index.php?m=activity re ...)
        NOT-FOR-US: OpenCATS
-CVE-2021-25293
-       RESERVED
+CVE-2021-25293 (An issue was discovered in Pillow before 8.1.1. There is an 
out-of-bou ...)
        - pillow 8.1.1-1
        [buster] - pillow <no-dsa> (Minor issue)
        NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
        NOTE: 
https://github.com/python-pillow/Pillow/commit/f891baa604636cd2506a9360d170bc2cf4963cc5
        NOTE: Introduced in 
https://github.com/python-pillow/Pillow/commit/a90dc4910045f5c6c119b582d4fd2e4841cd51f8
 (v4.3.0)
-CVE-2021-25292
-       RESERVED
+CVE-2021-25292 (An issue was discovered in Pillow before 8.1.1. The PDF parser 
allows  ...)
        - pillow 8.1.1-1
        [buster] - pillow <no-dsa> (Minor issue)
        [stretch] - pillow <not-affected> (Vulnerable code introduced later)
        NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
        NOTE: 
https://github.com/python-pillow/Pillow/commit/521dab94c7ab72b037bd9a83e9663401e0fd2cee
        NOTE: Introduced in: 
https://github.com/python-pillow/Pillow/commit/6207b44ab1ff4a91d8ddc7579619876d0bb191a4
 (5.1.0)
-CVE-2021-25291
-       RESERVED
+CVE-2021-25291 (An issue was discovered in Pillow before 8.1.1. In 
TiffDecode.c, there ...)
        - pillow 8.1.1-1
        [buster] - pillow <no-dsa> (Minor issue)
        [stretch] - pillow <not-affected> (Vulnerable code introduced later)
        NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
        NOTE: 
https://github.com/python-pillow/Pillow/commit/8b8076bdcb3815be0ef0d279651d8d1342b8ea61
        NOTE: Introduced in: 
https://github.com/python-pillow/Pillow/commit/e91b851fdc1c914419543f485bdbaa010790719f
 (6.0.0)
-CVE-2021-25290
-       RESERVED
+CVE-2021-25290 (An issue was discovered in Pillow before 8.1.1. In 
TiffDecode.c, there ...)
        - pillow 8.1.1-1
        [buster] - pillow <no-dsa> (Minor issue)
        NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
        NOTE: 
https://github.com/python-pillow/Pillow/commit/e25be1e33dc526bfd1094bc778a54d8e29bf66c9
-CVE-2021-25289
-       RESERVED
+CVE-2021-25289 (An issue was discovered in Pillow before 8.1.1. TiffDecode has 
a heap- ...)
        - pillow 8.1.1-1
        [buster] - pillow <not-affected> (Vulnerable code not present)
        [stretch] - pillow <not-affected> (Vulnerable code not present)
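Review bot: CVE-2021-25293 and CVE-2021-25290 in this hunk have a [buster] line but no [stretch] line, whereas their siblings CVE-2021-25292, CVE-2021-25291 and CVE-2021-25289 record a stretch status; since the tracker is still recording stretch decisions for pillow here, the two entries should get an explicit [stretch] line (no-dsa, not-affected, or whatever the introducing-commit NOTE supports) so the LTS status is not left implicit.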
@@ -16578,8 +16578,8 @@ CVE-2020-36146
        RESERVED
 CVE-2020-36145
        RESERVED
-CVE-2020-36144
-       RESERVED
+CVE-2020-36144 (Redash 8.0.0 is affected by LDAP Injection. There is an 
authentication ...)
+       TODO: check
 CVE-2020-36143
        RESERVED
 CVE-2020-36142
@@ -18010,8 +18010,8 @@ CVE-2021-21386
        RESERVED
 CVE-2021-21385
        RESERVED
-CVE-2021-21384
-       RESERVED
+CVE-2021-21384 (shescape is a simple shell escape package for JavaScript. In 
shescape  ...)
+       TODO: check
 CVE-2021-21383 (Wiki.js an open-source wiki app built on Node.js. Wiki.js 
before versi ...)
        TODO: check
 CVE-2021-21382
@@ -21592,8 +21592,7 @@ CVE-2020-35493 (A flaw exists in binutils in bfd/pef.c. 
An attacker who is able
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25307
        NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f2a3559d54602cecfec6d90f792be4a70ad918ab
        NOTE: NOTE: binutils not covered by security support
-CVE-2020-35492 [cairo: buffer overflow in image compositor]
-       RESERVED
+CVE-2020-35492 (A flaw was found in cairo's image-compositor.c in all versions 
prior t ...)
        {DLA-2518-1}
        - cairo 1.16.0-5 (bug #978658)
        [buster] - cairo 1.16.0-4+deb10u1
@@ -27424,8 +27423,8 @@ CVE-2021-1289 (Multiple vulnerabilities in the 
web-based management interface of
        NOT-FOR-US: Cisco
 CVE-2021-1288 (Multiple vulnerabilities in the ingress packet processing 
function of  ...)
        NOT-FOR-US: Cisco
-CVE-2021-1287
-       RESERVED
+CVE-2021-1287 (A vulnerability in the web-based management interface of Cisco 
RV132W  ...)
+       TODO: check
 CVE-2021-1286 (Multiple vulnerabilities in the web-based management interface 
of Cisc ...)
        NOT-FOR-US: Cisco
 CVE-2021-1285
@@ -34256,8 +34255,8 @@ CVE-2020-26888
        RESERVED
 CVE-2020-26887 (FRITZ!OS before 7.21 on FRITZ!Box devices allows a bypass of a 
DNS Reb ...)
        NOT-FOR-US: Fritz OS
-CVE-2020-26886
-       RESERVED
+CVE-2020-26886 (Softaculous before 5.5.7 is affected by a code execution 
vulnerability ...)
+       TODO: check
 CVE-2020-26885
        RESERVED
 CVE-2020-26884 (RSA Archer 6.8 through 6.8.0.3 and 6.9 contains a URL 
injection vulner ...)
@@ -34446,8 +34445,8 @@ CVE-2020-26799
        RESERVED
 CVE-2020-26798
        RESERVED
-CVE-2020-26797
-       RESERVED
+CVE-2020-26797 (Mediainfo before version 20.08 has a heap buffer overflow 
vulnerabilit ...)
+       TODO: check
 CVE-2020-26796
        RESERVED
 CVE-2020-26795
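Review bot: CVE-2020-26797 describes a heap buffer overflow in MediaInfo before 20.08, and MediaInfo is packaged in Debian (the libmediainfo source package and the mediainfo binary package), so this "TODO: check" should be resolved to a package line with the affected and fixed Debian versions rather than left as a bare TODO alongside the NOT-FOR-US-style entries around it.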
@@ -38539,8 +38538,7 @@ CVE-2020-25099
        RESERVED
 CVE-2020-25098
        RESERVED
-CVE-2020-25097
-       RESERVED
+CVE-2020-25097 (An issue was discovered in Squid through 4.13 and 5.x through 
5.0.4. D ...)
        {DLA-2598-1}
        - squid <unfixed> (bug #985068)
        - squid3 <removed>
@@ -56752,7 +56750,7 @@ CVE-2020-16232
        RESERVED
 CVE-2020-16231
        RESERVED
-CVE-2020-16230 (WebAccess/SCADA Versions 9.0 and prior are vulnerable to 
cross-site sc ...)
+CVE-2020-16230 (All version of Ewon Flexy and Cosy prior to 14.1 use wildcards 
such as ...)
        NOT-FOR-US: HMS Networks
 CVE-2020-16229 (Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. 
Process ...)
        NOT-FOR-US: Advantech WebAccess
@@ -76536,8 +76534,8 @@ CVE-2020-9369 (Sympa 6.2.38 through 6.2.52 allows 
remote attackers to cause a de
        NOTE: Upstream patch: 
https://github.com/sympa-community/sympa/releases/download/6.2.54/sympa-6.2.52-sa-2020-001.patch
 CVE-2020-9368 (The Module Olea Gift On Order module through 5.0.8 for 
PrestaShop enab ...)
        NOT-FOR-US: Module Olea Gift On Order module for PrestaShop
-CVE-2020-9367
-       RESERVED
+CVE-2020-9367 (The MPS Agent in Zoho ManageEngine Desktop Central MSP build 
MSP build ...)
+       TODO: check
 CVE-2020-9365 (An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds 
(OOB) re ...)
        - pure-ftpd 1.0.49-3 (bug #952471)
        [buster] - pure-ftpd <no-dsa> (Minor issue)
@@ -83546,10 +83544,10 @@ CVE-2020-6580
        RESERVED
 CVE-2020-6579 (Cross-site scripting (XSS) vulnerability in 
mailhive/cloudbeez/cloudlo ...)
        NOT-FOR-US: MailBeez plugin for ZenCart
-CVE-2020-6578
-       RESERVED
-CVE-2020-6577
-       RESERVED
+CVE-2020-6578 (Zen Cart 1.5.6d allows reflected XSS via the main_page 
parameter to in ...)
+       TODO: check
+CVE-2020-6577 (The IT-Recht Kanzlei plugin in Zen Cart 1.5.6c (German edition) 
allows ...)
+       TODO: check
 CVE-2020-6576 (Use after free in offscreen canvas in Google Chrome prior to 
85.0.4183 ...)
        {DSA-4824-1}
        - chromium 87.0.4280.88-0.1
@@ -113535,7 +113533,7 @@ CVE-2019-14910 (A vulnerability was found in keycloak 
7.x, when keycloak is conf
 CVE-2019-14909 (A vulnerability was found in Keycloak 7.x where the user 
federation LD ...)
        NOT-FOR-US: Keycloak
 CVE-2019-14908
-       RESERVED
+       REJECTED
 CVE-2019-14907 (All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 
and 4.11 ...)
        - samba 2:4.11.5+dfsg-1
        [buster] - samba <no-dsa> (Minor issue)
@@ -113561,7 +113559,7 @@ CVE-2019-14904 (A flaw was found in the solaris_zone 
module from the Ansible Com
        NOTE: https://github.com/ansible/ansible/pull/65686
        NOTE: https://github.com/ansible/ansible/blob/stable-2.0/CHANGELOG.md
 CVE-2019-14903
-       RESERVED
+       REJECTED
 CVE-2019-14902 (There is an issue in all samba 4.11.x versions before 4.11.5, 
all samb ...)
        - samba 2:4.11.5+dfsg-1
        [buster] - samba <no-dsa> (Minor issue)
@@ -113846,10 +113844,9 @@ CVE-2019-14853 (An error-handling flaw was found in 
python-ecdsa before version
        NOTE: https://github.com/warner/python-ecdsa/pull/115
        NOTE: https://github.com/warner/python-ecdsa/pull/124
        NOTE: Fix for CVE-2019-14853 fixes as well CVE-2019-14859.
-CVE-2019-14852
-       RESERVED
-CVE-2019-14851 [assertion failure by issuing commands in the wrong order]
-       RESERVED
+CVE-2019-14852 (A flaw was found in 3scale&#8217;s APIcast gateway that 
enabled the TL ...)
+       TODO: check
+CVE-2019-14851 (A denial of service vulnerability was discovered in nbdkit. A 
client i ...)
        - nbdkit 1.14.2-1
        [buster] - nbdkit <not-affected> (Issue introduced by the fix for 
CVE-2019-14850)
        [stretch] - nbdkit <not-affected> (Issue introduced by the fix for 
CVE-2019-14850)
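Review bot: the new description for CVE-2019-14852 carries the HTML entity "&#8217;" ("3scale&#8217;s APIcast gateway") straight from the feed; data/CVE/list stores plain text, so the entity should be decoded to an apostrophe when the TODO is resolved, otherwise it will be rendered literally on the tracker pages and will not match a text search for "3scale's".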
@@ -113861,8 +113858,7 @@ CVE-2019-14851 [assertion failure by issuing commands 
in the wrong order]
        NOTE: 
https://github.com/libguestfs/nbdkit/commit/bf0d61883a2f02f4388ec10dc92d4c61c093679e
        NOTE: 1.12:
        NOTE: 
https://github.com/libguestfs/nbdkit/commit/b2bc6683ea3cd1f6be694e8a681dfa411b7d15f3
-CVE-2019-14850 [denial of service due to premature opening of back-end 
connection]
-       RESERVED
+CVE-2019-14850 (A denial of service vulnerability was discovered in nbdkit 
1.12.7, 1.1 ...)
        - nbdkit 1.14.1-1
        [buster] - nbdkit <no-dsa> (Minor issue)
        [stretch] - nbdkit <no-dsa> (Minor issue)
@@ -113880,7 +113876,7 @@ CVE-2019-14850 [denial of service due to premature 
opening of back-end connectio
 CVE-2019-14849 (A vulnerability was found in 3scale before version 2.6, did 
not set th ...)
        NOT-FOR-US: Red Hat 3scale
 CVE-2019-14848
-       RESERVED
+       REJECTED
 CVE-2019-14847 (A flaw was found in samba 4.0.0 before samba 4.9.15 and samba 
4.10.x b ...)
        - samba 2:4.11.0+dfsg-6
        [buster] - samba <no-dsa> (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63f2b78d13d5650bff134a36fc642dd75bd7228d


_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
