[Git][security-tracker-team/security-tracker][master] sqlite spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4bfb1d4a by Moritz Muehlenhoff at 2020-10-12T22:54:18+02:00 sqlite spu - - - - - 2 changed files: - data/CVE/list - data/next-point-update.txt Changes: = data/CVE/list = @@ -29222,6 +29222,7 @@ CVE-2020-13633 (Fork before 5.8.3 allows XSS via navigation_title or title. ...) CVE-2020-13632 (ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer der ...) {DLA-2340-1} - sqlite3 3.32.0-1 + [buster] - sqlite3 (Minor issue, will be fixed in point release) [jessie] - sqlite3 (Vulnerable code not present) NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=1080459 NOTE: https://sqlite.org/src/info/a4dd148928ea65bd @@ -29236,6 +29237,7 @@ CVE-2020-13631 (SQLite before 3.32.0 allows a virtual table to be renamed to the CVE-2020-13630 (ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3Ev ...) {DLA-2340-1} - sqlite3 3.32.0-1 + [buster] - sqlite3 (Minor issue, will be fixed in point release) [jessie] - sqlite3 (Vulnerable code not found) NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=1080459 NOTE: https://sqlite.org/src/info/0d69f76f0865f962 = data/next-point-update.txt = 
@@ -36,3 +36,23 @@ CVE-2020-9359 [buster] - okular 4:17.12.2-2.2+deb10u1 CVE-2018-1000825 [buster] - freecol 0.11.6+dfsg2-2+deb10u1 +CVE-2019-19923 + [buster] - sqlite3 3.27.2-3+deb10u1 +CVE-2019-19925 + [buster] - sqlite3 3.27.2-3+deb10u1 +CVE-2019-19959 + [buster] - sqlite3 3.27.2-3+deb10u1 +CVE-2019-20218 + [buster] - sqlite3 3.27.2-3+deb10u1 +CVE-2020-13434 + [buster] - sqlite3 3.27.2-3+deb10u1 +CVE-2020-13435 + [buster] - sqlite3 3.27.2-3+deb10u1 +CVE-2020-13630 + [buster] - sqlite3 3.27.2-3+deb10u1 +CVE-2020-13632 + [buster] - sqlite3 3.27.2-3+deb10u1 +CVE-2020-15358 + [buster] - sqlite3 3.27.2-3+deb10u1 +CVE-2019-16168 + [buster] - sqlite3 3.27.2-3+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bfb1d4a1ae30cb65c6ebe9827e4c17bf6ed1b93 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bfb1d4a1ae30cb65c6ebe9827e4c17bf6ed1b93 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
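Review bot: only two entries in data/CVE/list (CVE-2020-13632 and CVE-2020-13630) receive the new `[buster] - sqlite3 (Minor issue, will be fixed in point release)` annotation, while the data/next-point-update.txt hunk lists ten sqlite3 CVEs for 3.27.2-3+deb10u1 (CVE-2019-19923 through CVE-2019-16168); please confirm the other eight entries already carry a matching [buster] annotation so the two files agree. Minor: the two jessie context lines differ in wording ("Vulnerable code not present" vs "Vulnerable code not found"), and CVE-2019-16168 is appended after the CVE-2020 entries rather than in numeric order.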
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for sympa issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3d990635 by Salvatore Bonaccorso at 2020-10-12T22:23:02+02:00 Add Debian bug reference for sympa issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -281,7 +281,7 @@ CVE-2020-26882 CVE-2020-26881 RESERVED CVE-2020-26880 (Sympa through 6.2.57b.2 allows a local privilege escalation from the s ...) - - sympa + - sympa (bug #972114) NOTE: https://github.com/sympa-community/sympa/issues/1009 NOTE: https://github.com/sympa-community/sympa/issues/943#issuecomment-704779420 NOTE: https://github.com/sympa-community/sympa/issues/943#issuecomment-704842235 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d99063527719329c785ce04ee3cc8711dee0004 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d99063527719329c785ce04ee3cc8711dee0004 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add new webmin issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e378209a by Salvatore Bonaccorso at 2020-10-12T22:21:47+02:00 Add new webmin issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31595,7 +31595,7 @@ CVE-2020-12672 (GraphicsMagick through 1.3.35 has a heap-based buffer overflow i CVE-2020-12671 RESERVED CVE-2020-12670 (XSS exists in Webmin 1.941 and earlier affecting the Save function of ...) - TODO: check + - webmin CVE-2020-12669 (core/get_menudiv.php in Dolibarr before 11.0.4 allows remote authentic ...) - dolibarr CVE-2020-12668 @@ -42849,9 +42849,9 @@ CVE-2020-8823 (htmlfile in lib/transport/htmlfile.js in SockJS before 3.0 is vul CVE-2020-8822 (Digi TransPort WR21 5.2.2.3, WR44 5.1.6.4, and WR44v2 5.1.6.9 devices ...) NOT-FOR-US: Digi TransPort CVE-2020-8821 (An Improper Data Validation Vulnerability exists in Webmin 1.941 and e ...) - TODO: check + - webmin CVE-2020-8820 (An XSS Vulnerability exists in Webmin 1.941 and earlier affecting the ...) - TODO: check + - webmin CVE-2020-8819 (An issue was discovered in the CardGate Payments plugin through 3.1.15 ...) NOT-FOR-US: CardGate Payments plugin for WooCommerce CVE-2020-8818 (An issue was discovered in the CardGate Payments plugin through 2.0.30 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e378209a8075c35334d7d310c9f4f3c51473d757 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e378209a8075c35334d7d310c9f4f3c51473d757 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
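Review bot: the three entries switched from `TODO: check` to `- webmin` (CVE-2020-12670, CVE-2020-8821, CVE-2020-8820) carry neither a fixed version nor an upstream reference; suggest adding a `NOTE:` line with the upstream advisory or fix commit, as other entries on this list do, so the fixed version can be filled in when known.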
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cb06a587 by Salvatore Bonaccorso at 2020-10-12T22:19:42+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -307,11 +307,11 @@ CVE-2020-26870 (Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs - dompurify.js NOTE: https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/ CVE-2020-26869 (An information exposure vulnerability exists in PcVue 12, allowing a n ...) - TODO: check + NOT-FOR-US: PcVue CVE-2020-26868 (A Denial Of Service vulnerability exists in PcVue from version 8.10 on ...) - TODO: check + NOT-FOR-US: PcVue CVE-2020-26867 (A Remote Code Execution vulnerability exists in PcVue from version 8.1 ...) - TODO: check + NOT-FOR-US: PcVue CVE-2020-26866 RESERVED CVE-2020-26865 @@ -994,7 +994,7 @@ CVE-2020-26548 CVE-2020-26547 RESERVED CVE-2020-26546 (** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in HelpDeskZ 1 ...) - TODO: check + NOT-FOR-US: HelpDeskZ CVE-2020-26545 RESERVED CVE-2020-26544 @@ -2530,7 +2530,7 @@ CVE-2020-25827 (An issue was discovered in the OATHAuth extension in MediaWiki b CVE-2020-25826 (PingID Integration for Windows Login before 2.4.2 allows local users t ...) NOT-FOR-US: PingID Integration for Windows Login CVE-2020-25825 (In Octopus Deploy 3.1.0 to 2020.4.0, certain scripts can reveal sensit ...) - TODO: check + NOT-FOR-US: Octopus Deploy CVE-2020-25824 RESERVED CVE-2020-25823 
@@ -41878,11 +41878,11 @@ CVE-2020-9242 (FusionCompute 8.0.0 have a command injection vulnerability. The s CVE-2020-9241 (Huawei 5G Mobile WiFi E6878-370 with versions of 10.0.3.1(H563SP1C00), ...) NOT-FOR-US: Huawei CVE-2020-9240 (Taurus-AN00B versions earlier than 10.1.0.156(C00E155R7P2) have a buff ...) - TODO: check + NOT-FOR-US: Huawei CVE-2020-9239 (Huawei smartphones BLA-A09 versions 8.0.0.123(C212),versions earlier t ...) NOT-FOR-US: Huawei CVE-2020-9238 (Taurus-AN00B versions earlier than 10.1.0.156(C00E155R7P2) have a buff ...) - TODO: check + NOT-FOR-US: Huawei CVE-2020-9237 (Huawei smartphone Taurus-AL00B with versions earlier than 10.1.0.126(C ...) NOT-FOR-US: Huawei CVE-2020-9236 @@ -41898,7 +41898,7 @@ CVE-2020-9232 CVE-2020-9231 RESERVED CVE-2020-9230 (WS5800-10 version 10.0.3.25 has a denial of service vulnerability. Due ...) - TODO: check + NOT-FOR-US: Huawei CVE-2020-9229 (FusionCompute 8.0.0 has an information disclosure vulnerability. Due t ...) NOT-FOR-US: Huawei CVE-2020-9228 (FusionCompute 8.0.0 has an information disclosure vulnerability. Due t ...) @@ -42112,9 +42112,9 @@ CVE-2020-9125 CVE-2020-9124 RESERVED CVE-2020-9123 (HUAWEI P30 Pro versions earlier than 10.1.0.160(C00E160R2P8) and versi ...) - TODO: check + NOT-FOR-US: Huawei CVE-2020-9122 (Some Huawei products have an insufficient input verification vulnerabi ...) - TODO: check + NOT-FOR-US: Huawei CVE-2020-9121 RESERVED CVE-2020-9120 
@@ -42138,15 +42138,15 @@ CVE-2020-9112 CVE-2020-9111 RESERVED CVE-2020-9110 (Taurus-AN00B versions earlier than 10.1.0.156(C00E155R7P2) have an inf ...) - TODO: check + NOT-FOR-US: Huawei CVE-2020-9109 (There is an information disclosure vulnerability in several smartphone ...) - TODO: check + NOT-FOR-US: Huawei CVE-2020-9108 (HUAWEI P30 Pro versions earlier than 10.1.0.160(C00E160R2P8) have an o ...) - TODO: check + NOT-FOR-US: Huawei CVE-2020-9107 (HUAWEI P30 Pro versions earlier than 10.1.0.160(C00E160R2P8) have an o ...) - TODO: check + NOT-FOR-US: Huawei CVE-2020-9106 (HUAWEI P30 Pro versions earlier than 10.1.0.160(C00E160R2P8) have a pa ...) - TODO: check + NOT-FOR-US: Huawei CVE-2020-9105 (Taurus-AN00B versions earlier than 10.1.0.156(C00E155R7P2) have an ins ...) NOT-FOR-US: Huawei CVE-2020-9104 (HUAWEI P30 smartphones with Versions earlier than 10.1.0.123(C431E22R2 ...) @@ -42176,7 +42176,7 @@ CVE-2020-9093 CVE-2020-9092 RESERVED CVE-2020-9091 (Taurus-AN00B versions earlier than 10.1.0.156(C00E155R7P2) have an out ...) - TODO: check + NOT-FOR-US: Huawei CVE-2020-9090 (FusionAccess version 6.5.1 has an improper authorization vulnerability ...) TODO: check CVE-2020-9089 @@ -42184,7 +42184,7 @@ CVE-2020-9089 CVE-2020-9088 RESERVED CVE-2020-9087 (Taurus-AL00A version 10.0.0.1(C00E1R1P1) has an out-of-bounds read vul ...) - TODO: check + NOT-FOR-US: Huawei CVE-2020-9086 RESERVED CVE-2020-9085 @@ -45442,7 +45442,7 @@ CVE-2020-7813 (Ezhttptrans.ocx ActiveX Control in Kaoni ezHTTPTrans
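Review bot: in the @@ -42176 hunk, CVE-2020-9090 (FusionAccess version 6.5.1 ...) is left as `TODO: check` while the surrounding FusionCompute and Taurus entries are all triaged to `NOT-FOR-US: Huawei`; if it is the same vendor it should get the same tag in this pass rather than being left for a second one.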
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-13341/gitlab
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1388e732 by Salvatore Bonaccorso at 2020-10-12T22:21:09+02:00 Add CVE-020-13341/gitlab - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29895,7 +29895,7 @@ CVE-2020-13343 (An issue has been discovered in GitLab affecting all versions st CVE-2020-13342 (An issue has been discovered in GitLab affecting versions prior to 13. ...) - gitlab 13.2.10-1 CVE-2020-13341 (An issue has been discovered in GitLab affecting all versions prior to ...) - TODO: check + - gitlab CVE-2020-13340 (An issue has been discovered in GitLab affecting all versions prior to ...) - gitlab 13.2.10-1 CVE-2020-13339 (An issue has been discovered in GitLab affecting all versions before 1 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1388e73238fd6bef253876686c073a43f7b6b75d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1388e73238fd6bef253876686c073a43f7b6b75d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
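Review bot: the neighbouring entries CVE-2020-13342 and CVE-2020-13340 record `- gitlab 13.2.10-1`, but CVE-2020-13341 is added as a bare `- gitlab`; if the fix landed in the same upstream release, record the fixed version, otherwise a `NOTE:` explaining why would help. Also, the commit message reads `CVE-020-13341` where the entry is CVE-2020-13341.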
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: faa815e5 by Salvatore Bonaccorso at 2020-10-12T22:13:00+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -53193,25 +53193,25 @@ CVE-2020-4783 CVE-2020-4782 RESERVED CVE-2020-4781 (An improper input validation before calling java readLine() method may ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4780 (OOTB build scripts does not set the secure attribute on session cookie ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4779 (A HTTP Verb Tampering vulnerability may impact IBM Curam Social Progra ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4778 (IBM Curam Social Program Management 7.0.9 and 7.0.10 uses MD5 algorith ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4777 RESERVED CVE-2020-4776 (A path traversal vulnerability may impact IBM Curam Social Program Man ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4775 (A cross-site scripting (XSS) vulnerability may impact IBM Curam Social ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4774 (An XPath vulnerability may impact IBM Curam Social Program Management ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4773 (A cross-site request forgery (CSRF) vulnerability may impact IBM Curam ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4772 (An XML External Entity Injection (XXE) vulnerability may impact IBM Cu ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4771 RESERVED CVE-2020-4770 @@ -53273,9 +53273,9 @@ CVE-2020-4743 CVE-2020-4742 RESERVED CVE-2020-4741 (IBM InfoSphere Information Server 11.5 and 11.7 is vulnerable to store ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4740 (IBM InfoSphere Information Server 11.5 and 11.7 is vulnerable to HTML ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4739 RESERVED CVE-2020-4738 
@@ -53357,7 +53357,7 @@ CVE-2020-4701 CVE-2020-4700 RESERVED CVE-2020-4699 (IBM Security Access Manager 9.0.7 and IBM Security Verify Access 10.0. ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4698 (IBM Business Process Manager 8.5, 8.6 and IBM Business Automation Work ...) NOT-FOR-US: IBM CVE-2020-4697 @@ -53377,7 +53377,7 @@ CVE-2020-4691 CVE-2020-4690 RESERVED CVE-2020-4689 (IBM Security Guardium 11.2 is vulnerable to CVS Injection. A remote pr ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4688 RESERVED CVE-2020-4687 (IBM Content Navigator 3.0.7 and 3.0.8 could allow an authenticated use ...) @@ -53393,13 +53393,13 @@ CVE-2020-4683 CVE-2020-4682 RESERVED CVE-2020-4681 (IBM Security Guardium 11.2 is vulnerable to cross-site scripting. This ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4680 (IBM Security Guardium 11.2 is vulnerable to cross-site scripting. This ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4679 (IBM Security Guardium 11.2 is vulnerable to cross-site scripting. This ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4678 (IBM Security Guardium 11.2 could allow an attacker with admin access t ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4677 RESERVED CVE-2020-4676 @@ -53433,9 +53433,9 @@ CVE-2020-4663 CVE-2020-4662 (IBM Event Streams 10.0.0 could allow an authenticated user to perform ...) NOT-FOR-US: IBM CVE-2020-4661 (IBM Security Access Manager 9.0.7 and IBM Security Verify Access 10.0. ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4660 (IBM Security Access Manager 9.0.7 and IBM Security Verify Access 10.0. ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4659 RESERVED CVE-2020-4658 
@@ -53979,7 +53979,7 @@ CVE-2020-4390 CVE-2020-4389 RESERVED CVE-2020-4388 (IBM Cognos Analytics 11.0 and 11.1 could be vulnerable to a denial of ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4387 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM CVE-2020-4386 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) @@ -54151,7 +54151,7 @@ CVE-2020-4304 (IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0. CVE-2020-4303 (IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 i ...) NOT-FOR-US: IBM CVE-2020-4302 (IBM Cognos Analytics 11.0 and 11.1 could allow a remote attacker to ex ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4301 RESERVED CVE-2020-4300 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/faa815e5d21b8ed49636cd731dd629dead318b0b -- View it on GitLab:
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 373878db by security tracker role at 2020-10-12T20:10:36+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,145 @@ +CVE-2020-27020 + RESERVED +CVE-2020-27019 + RESERVED +CVE-2020-27018 + RESERVED +CVE-2020-27017 + RESERVED +CVE-2020-27016 + RESERVED +CVE-2020-27015 + RESERVED +CVE-2020-27014 + RESERVED +CVE-2020-27013 + RESERVED +CVE-2020-27012 + RESERVED +CVE-2020-27011 + RESERVED +CVE-2020-27010 + RESERVED +CVE-2020-27009 + RESERVED +CVE-2020-27008 + RESERVED +CVE-2020-27007 + RESERVED +CVE-2020-27006 + RESERVED +CVE-2020-27005 + RESERVED +CVE-2020-27004 + RESERVED +CVE-2020-27003 + RESERVED +CVE-2020-27002 + RESERVED +CVE-2020-27001 + RESERVED +CVE-2020-27000 + RESERVED +CVE-2020-26999 + RESERVED +CVE-2020-26998 + RESERVED +CVE-2020-26997 + RESERVED +CVE-2020-26996 + RESERVED +CVE-2020-26995 + RESERVED +CVE-2020-26994 + RESERVED +CVE-2020-26993 + RESERVED +CVE-2020-26992 + RESERVED +CVE-2020-26991 + RESERVED +CVE-2020-26990 + RESERVED +CVE-2020-26989 + RESERVED +CVE-2020-26988 + RESERVED +CVE-2020-26987 + RESERVED +CVE-2020-26986 + RESERVED +CVE-2020-26985 + RESERVED +CVE-2020-26984 + RESERVED +CVE-2020-26983 + RESERVED +CVE-2020-26982 + RESERVED +CVE-2020-26981 + RESERVED +CVE-2020-26980 + RESERVED +CVE-2020-26979 + RESERVED +CVE-2020-26978 + RESERVED +CVE-2020-26977 + RESERVED +CVE-2020-26976 + RESERVED +CVE-2020-26975 + RESERVED +CVE-2020-26974 + RESERVED +CVE-2020-26973 + RESERVED +CVE-2020-26972 + RESERVED +CVE-2020-26971 + RESERVED +CVE-2020-26970 + RESERVED +CVE-2020-26969 + RESERVED +CVE-2020-26968 + RESERVED +CVE-2020-26967 + RESERVED +CVE-2020-26966 + RESERVED +CVE-2020-26965 + RESERVED +CVE-2020-26964 + RESERVED +CVE-2020-26963 + RESERVED +CVE-2020-26962 + RESERVED +CVE-2020-26961 + RESERVED +CVE-2020-26960 + RESERVED +CVE-2020-26959 + RESERVED +CVE-2020-26958 + RESERVED +CVE-2020-26957 + RESERVED +CVE-2020-26956 + RESERVED +CVE-2020-26955 + RESERVED +CVE-2020-26954 + RESERVED +CVE-2020-26953 + RESERVED +CVE-2020-26952 + RESERVED +CVE-2020-26951 + RESERVED +CVE-2020-26950 + RESERVED CVE-2020-26949 RESERVED CVE-2020-26948 (Emby Server before 4.5.0 
allows SSRF via the Items/RemoteSearch/Image ...) @@ -164,12 +306,12 @@ CVE-2020-26871 CVE-2020-26870 (Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs becaus ...) - dompurify.js NOTE: https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/ -CVE-2020-26869 - RESERVED -CVE-2020-26868 - RESERVED -CVE-2020-26867 - RESERVED +CVE-2020-26869 (An information exposure vulnerability exists in PcVue 12, allowing a n ...) + TODO: check +CVE-2020-26868 (A Denial Of Service vulnerability exists in PcVue from version 8.10 on ...) + TODO: check +CVE-2020-26867 (A Remote Code Execution vulnerability exists in PcVue from version 8.1 ...) + TODO: check CVE-2020-26866 RESERVED CVE-2020-26865 @@ -851,8 +993,8 @@ CVE-2020-26548 RESERVED CVE-2020-26547 RESERVED -CVE-2020-26546 - RESERVED +CVE-2020-26546 (** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in HelpDeskZ 1 ...) + TODO: check CVE-2020-26545 RESERVED CVE-2020-26544 @@ -2387,8 +2529,8 @@ CVE-2020-25827 (An issue was discovered in the OATHAuth extension in MediaWiki b NOTE: https://phabricator.wikimedia.org/T251661 CVE-2020-25826 (PingID Integration for Windows Login before 2.4.2 allows local users t ...) NOT-FOR-US: PingID Integration for Windows Login -CVE-2020-25825 - RESERVED +CVE-2020-25825 (In Octopus Deploy 3.1.0 to 2020.4.0, certain scripts can reveal sensit ...) + TODO: check CVE-2020-25824 RESERVED CVE-2020-25823 @@ -2405,7 +2547,7 @@ CVE-2020-25818 RESERVED CVE-2020-25817 RESERVED -CVE-2020-25816 (HashiCorp Vault and Vault Enterprise 1.0 before 1.5.4 have Incorrect A ...) +CVE-2020-25816 (HashiCorp Vault and Vault Enterprise versions 1.0 and newer allowed le ...) NOT-FOR-US: HashiCorp Vault CVE-2020-25815 (An issue was discovered in MediaWiki 1.32.x through 1.34.x before 1.34 ...) - mediawiki 1:1.35.0-1 
@@ -24609,8 +24751,8 @@ CVE-2020-15252 RESERVED CVE-2020-15251 RESERVED -CVE-2020-15250 - RESERVED +CVE-2020-15250 (In JUnit4 before version 4.13.1, the test rule TemporaryFolder
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-26159/libonig
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9d51eaa0 by Salvatore Bonaccorso at 2020-10-12T22:01:02+02:00 Add Debian bug reference for CVE-2020-26159/libonig - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1647,7 +1647,7 @@ CVE-2020-26160 (jwt-go before 4.0.0-preview1 allows attackers to bypass intended NOTE: https://github.com/dgrijalva/jwt-go/issues/422 NOTE: https://github.com/dgrijalva/jwt-go/pull/426 CVE-2020-26159 (In Oniguruma 6.9.5_rev1, an attacker able to supply a regular expressi ...) - - libonig + - libonig (bug #972113) NOTE: https://github.com/kkos/oniguruma/commit/cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0 NOTE: https://github.com/kkos/oniguruma/issues/207 CVE-2019-20922 (Handlebars before 4.4.5 allows Regular Expression Denial of Service (R ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d51eaa0f8f1542bfa02977fc35587d5c0fef522 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d51eaa0f8f1542bfa02977fc35587d5c0fef522 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Fix small typo in postponed note
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: db2d80ef by Salvatore Bonaccorso at 2020-10-12T21:17:32+02:00 Fix small typo in postponed note - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -46940,7 +46940,7 @@ CVE-2020-7070 (In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x {DLA-2397-1} - php7.4 7.4.11-1 - php7.3 - [buster] - php7.3 (Minor issue, likely to introduce tegressions, wait for one more 7.3 upstream release) + [buster] - php7.3 (Minor issue, likely to introduce egressions, wait for one more 7.3 upstream release) - php7.0 NOTE: Fixed in PHP 7.4.11, 7.3.23, 7.2.34 NOTE: PHP Bug: https://bugs.php.net/79699 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db2d80ef645cc294a4c4f3c7aa90ac76435ca8e8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db2d80ef645cc294a4c4f3c7aa90ac76435ca8e8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
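Review bot: the replacement line still misspells the word: `tegressions` becomes `egressions`, where `regressions` is clearly meant; suggest `[buster] - php7.3 (Minor issue, likely to introduce regressions, wait for one more 7.3 upstream release)`.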
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-1107{6,7}/puma
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 44b57d85 by Salvatore Bonaccorso at 2020-10-12T21:09:14+02:00 Add Debian bug reference for CVE-2020-1107{6,7}/puma - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -36672,11 +36672,11 @@ CVE-2020-11078 (In httplib2 before version 0.18.0, an attacker controlling unesc NOTE: https://github.com/httplib2/httplib2/commit/a1457cc31f3206cf691d11d2bf34e98865873e9e CVE-2020-11077 (In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a re ...) {DLA-2398-1} - - puma + - puma (bug #972102) NOTE: https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm CVE-2020-11076 (In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle a ...) {DLA-2398-1} - - puma + - puma (bug #972102) NOTE: https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h NOTE: https://github.com/puma/puma/commit/f24d5521295a2152c286abb0a45a1e1e2bd275bd CVE-2020-11075 (In Anchore Engine version 0.7.0, a specially crafted container image m ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/44b57d85b31a0c9f149624f0106dfc0fe9300ea2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/44b57d85b31a0c9f149624f0106dfc0fe9300ea2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lua, rust-ncurses bugs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5570cbf6 by Moritz Muehlenhoff at 2020-10-12T20:15:10+02:00 lua, rust-ncurses bugs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22931,7 +22931,7 @@ CVE-2020-15889 (Lua through 5.4.0 has a getobjname heap-based buffer over-read b NOTE: https://github.com/lua/lua/commit/127e7a6c8942b362aa3c6627f44d660a4fb75312 NOTE: Introduced in 5.4 CVE-2020-15888 (Lua through 5.4.0 mishandles the interaction between stack resizes and ...) - - lua5.4 + - lua5.4 (bug #972101) NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00053.html NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00054.html NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00071.html 
@@ -75960,10 +75960,10 @@ CVE-2019-15550 (An issue was discovered in the simd-json crate before 0.1.15 for CVE-2019-15549 (An issue was discovered in the asn1_der crate before 0.6.2 for Rust. A ...) NOT-FOR-US: Rust crate asn1_der CVE-2019-15548 (An issue was discovered in the ncurses crate through 5.99.0 for Rust. ...) - - rust-ncurses + - rust-ncurses (bug #972100) NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0006.html CVE-2019-15547 (An issue was discovered in the ncurses crate through 5.99.0 for Rust. ...) - - rust-ncurses + - rust-ncurses (bug #972100) NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0006.html CVE-2019-15546 (An issue was discovered in the pancurses crate through 0.16.1 for Rust ...) NOT-FOR-US: Rust crate pancurses View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5570cbf6dd2449a83184efe3efe34ff62c73fa61 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5570cbf6dd2449a83184efe3efe34ff62c73fa61 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] adplug fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fd9a8acd by Moritz Muehlenhoff at 2020-10-12T20:07:08+02:00 adplug fixed in sid qemu bug - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -78840,23 +78840,26 @@ CVE-2019-14736 CVE-2019-14735 RESERVED CVE-2019-14734 (AdPlug 2.3.1 has multiple heap-based buffer overflows in CmtkLoader::l ...) - - adplug + - adplug 2.3.3+dfsg-2 [buster] - adplug (Minor issue) [stretch] - adplug (Minor issue) [jessie] - adplug (Minor issue) NOTE: https://github.com/adplug/adplug/issues/90 + NOTE: https://github.com/adplug/adplug/commit/8342139c09178823dba3f3bbd8b53d0ea0c72de9 CVE-2019-14733 (AdPlug 2.3.1 has multiple heap-based buffer overflows in CradLoader::l ...) - - adplug + - adplug 2.3.3+dfsg-2 [buster] - adplug (Minor issue) [stretch] - adplug (Minor issue) [jessie] - adplug (Minor issue) NOTE: https://github.com/adplug/adplug/issues/89 + NOTE: https://github.com/adplug/adplug/commit/cb715174f95187bf544c11ca2a2ecd091b7fbb8a (eventually got replaced by rad2.cpp rewrite) CVE-2019-14732 (AdPlug 2.3.1 has multiple heap-based buffer overflows in Ca2mLoader::l ...) - - adplug + - adplug 2.3.3+dfsg-2 [buster] - adplug (Minor issue) [stretch] - adplug (Minor issue) [jessie] - adplug (Minor issue) NOTE: https://github.com/adplug/adplug/issues/88 + NOTE: https://github.com/adplug/adplug/commit/30ddcfe9bd1cce3e02f8135961bceb411419dbdb CVE-2019-14731 (An issue was discovered in ZenTao 11.5.1. There is an XSS (stored) vul ...) NOT-FOR-US: ZenTao CMS CVE-2019-14730 (In CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.851, an insecu ...) 
@@ -87852,7 +87855,7 @@ CVE-2019-12068 (In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3. NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=de594e47659029316bbf9391efb79da0a1a08e08 CVE-2019-12067 [ide: ahci: add check to avoid null dereference] RESERVED - - qemu (low) + - qemu (low; bug #972099) [buster] - qemu (Minor issue, revisit when fixed upstream) [stretch] - qemu (Minor issue, can be fixed along in future update) [jessie] - qemu (Minor issue, can be fixed along in future update) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd9a8acdaf45361355aaacbc86b04c54e4f8f2c9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd9a8acdaf45361355aaacbc86b04c54e4f8f2c9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
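Review bot: the qemu change in the second hunk (CVE-2019-12067, now `- qemu (low; bug #972099)`) is not reflected in the subject "adplug fixed in sid"; the flattened message "adplug fixed in sid qemu bug" reads as one phrase, so a separate line for the qemu part would keep the history searchable. The adplug hunk itself is consistent: all three CVEs get the same fixed version 2.3.3+dfsg-2 and an upstream commit NOTE.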
[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 116f39de by Moritz Muehlenhoff at 2020-10-12T19:45:22+02:00 buster triage reviewed the status of some old issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1769,6 +1769,7 @@ CVE-2020-26116 (http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3. - python3.9 3.9.0~b5-1 - python3.8 3.8.5-1 - python3.7 + [buster] - python3.7 (Minor issue) - python3.5 NOTE: https://bugs.python.org/issue39603 NOTE: https://python-security.readthedocs.io/vuln/http-header-injection-method.html @@ -2606,6 +2607,7 @@ CVE-2020-25740 CVE-2020-25739 (An issue was discovered in the gon gem before gon-6.4.0 for Ruby. Mult ...) {DLA-2380-1} - ruby-gon (bug #970938) + [buster] - ruby-gon (Minor issue) NOTE: https://github.com/gazay/gon/commit/fe3c7b2191a992386dc9edd37de5447a4e809bc7 CVE-2020-25738 RESERVED @@ -2825,6 +2827,7 @@ CVE-2020-25638 CVE-2020-25637 (A double free memory issue was found to occur in the libvirt API, in v ...) {DLA-2395-1} - libvirt (bug #971555) + [buster] - libvirt (Minor issue) NOTE: Introduced by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=0977b8aa071de550e1a013d35e2c72615e65d520 (v1.2.14-rc1) NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=955029bd0ad7ef96000f529ac38204a8f4a96401 (v6.8.0) NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=50864dcda191eb35732dbd80fb6ca251a6bba923 (v6.8.0) @@ -22336,11 +22339,13 @@ CVE-2020-16122 RESERVED {DLA-2399-1} - packagekit + [buster] - packagekit (Minor issue) NOTE: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098 CVE-2020-16121 RESERVED {DLA-2399-1} - packagekit + [buster] - packagekit (Minor issue) NOTE: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/187 CVE-2020-16120 RESERVED 
@@ -46935,6 +46940,7 @@ CVE-2020-7070 (In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x {DLA-2397-1} - php7.4 7.4.11-1 - php7.3 + [buster] - php7.3 (Minor issue, likely to introduce tegressions, wait for one more 7.3 upstream release) - php7.0 NOTE: Fixed in PHP 7.4.11, 7.3.23, 7.2.34 NOTE: PHP Bug: https://bugs.php.net/79699 @@ -46942,8 +46948,7 @@ CVE-2020-7070 (In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x CVE-2020-7069 (In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below ...) - php7.4 7.4.11-1 - php7.3 - - php7.0 - [stretch] - php7.0 (Affected code not present) + - php7.0 (Affected code not present) NOTE: Fixed in PHP 7.4.11, 7.3.23, 7.2.34 NOTE: PHP Bug: https://bugs.php.net/79601 NOTE: https://git.php.net/?p=php-src.git;a=commit;h=0216630ea2815a5789a24279a1211ac398d4de79 @@ -51686,12 +51691,14 @@ CVE-2020-5218 (Affected versions of Sylius give attackers the ability to switch NOT-FOR-US: Sylius CVE-2020-5217 (In Secure Headers (RubyGem secure_headers), a directive injection vuln ...) - ruby-secure-headers 6.3.1-1 (bug #94) + [buster] - ruby-secure-headers (Minor issue) NOTE: https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c NOTE: https://github.com/twitter/secure_headers/commit/936a160e3e9659737a9f9eafce13eea36b5c9fa3 NOTE: https://github.com/twitter/secure_headers/issues/418 NOTE: https://github.com/twitter/secure_headers/pull/421 CVE-2020-5216 (In Secure Headers (RubyGem secure_headers), a directive injection vuln ...) - ruby-secure-headers 6.3.1-1 (bug #949998) + [buster] - ruby-secure-headers (Minor issue) NOTE: https://github.com/twitter/secure_headers/security/advisories/GHSA-w978-rmpf-qmwg NOTE: https://github.com/twitter/secure_headers/commit/301695706f6a70517c2a90c6ef9b32178440a2d0 CVE-2020-5215 (In TensorFlow before 1.15.2 and 2.0.1, converting a string (from Pytho ...) 
@@ -129333,8 +129340,9 @@ CVE-2018-16849 (A flaw was found in openstack-mistral. By manipulating the SSH p [stretch] - mistral 3.0.0-4+deb9u1 NOTE: https://bugs.launchpad.net/mistral/+bug/1783708 CVE-2018-16848 (A Denial of Service (DoS) condition is possible in OpenStack Mistral i ...) - - mistral + - mistral 10.0.0~rc1-2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1645332 + NOTE: https://bugs.launchpad.net/mistral/%2Bbug/1785657 CVE-2018-16847 (An OOB heap buffer r/w access issue was found in the NVM Express Contr ...) - qemu 1:3.1+dfsg-1 (bug #912655) [stretch] - qemu (support for Controller Memory
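Review bot: The new NOTE in the CVE-2018-16848 mistral hunk uses a percent-encoded plus (`/mistral/%2Bbug/1785657`), while the CVE-2018-16849 entry above writes the same kind of Launchpad link as `/mistral/+bug/1783708`; using the literal `+bug/` form keeps references consistent and grep-able. The fixed version `10.0.0~rc1-2` is added without a NOTE naming the fixing change; if the Launchpad bug is the evidence for that version, fine, otherwise a commit reference would help a later reader verify it.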
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-13943/tomcat
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ca70b35a by Salvatore Bonaccorso at 2020-10-12T17:58:26+02:00 Add CVE-2020-13943/tomcat - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28170,6 +28170,10 @@ CVE-2020-13944 (In Apache Airflow 1.10.12, the "origin" parameter passed to - airflow (bug #819700) CVE-2020-13943 RESERVED + - tomcat9 9.0.38-1 + - tomcat8 + NOTE: https://github.com/apache/tomcat/commit/55911430df13f8c9998fbdee1f9716994d2db59b (9.0.38) + NOTE: https://github.com/apache/tomcat/commit/9d7def063b47407a09a2f9202beed99f4dcb292a (8.5.58) CVE-2020-13942 RESERVED CVE-2020-13941 (Reported in SOLR-14515 (private) and fixed in SOLR-14561 (public), rel ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca70b35a9f431a0faa0274b8706188fe9fed4c96 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca70b35a9f431a0faa0274b8706188fe9fed4c96 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
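Review bot: In the CVE-2020-13943 hunk `- tomcat8` is added with neither a fixed version nor any `[buster]`/`[stretch]` triage line, although the NOTE already records the upstream fix for the 8.5.58 release. Either add the fixed Debian version once it is uploaded or mark the suite status explicitly, so the entry does not sit as an untriaged open issue next to the fully versioned `- tomcat9 9.0.38-1` line.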
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2020-11979/ant
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 55698feb by Salvatore Bonaccorso at 2020-10-12T17:52:01+02:00 Add fixed version for CVE-2020-11979/ant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33254,7 +33254,7 @@ CVE-2020-11981 (An issue was found in Apache Airflow versions 1.10.10 and below. CVE-2020-11980 (In Karaf, JMX authentication takes place using JAAS and authorization ...) - apache-karaf (bug #881297) CVE-2020-11979 (As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissi ...) - - ant (bug #971612) + - ant 1.10.9-1 (bug #971612) [buster] - ant (Vulnerability not present as CVE-2020-1945 not addressed) [stretch] - ant (Vulnerability not present as CVE-2020-1945 not addressed) NOTE: https://lists.apache.org/thread.html/rc3c8ef9724b5b1e171529b47f4b35cb7920edfb6e917fa21eb6c64ea%40%3Cdev.ant.apache.org%3E View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55698feba74aa5c8d8cd9debe91947e80b821b51 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55698feba74aa5c8d8cd9debe91947e80b821b51 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process one NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cd652998 by Salvatore Bonaccorso at 2020-10-12T17:32:24+02:00 Process one NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -61043,7 +61043,7 @@ CVE-2020-1916 CVE-2020-1915 RESERVED CVE-2020-1914 (A logic vulnerability when handling the SaveGeneratorLong instruction ...) - TODO: check + NOT-FOR-US: Facebook Hermes CVE-2020-1913 (An Integer signedness error in the JavaScript Interpreter in Facebook ...) NOT-FOR-US: Facebook Hermes CVE-2020-1912 (An out-of-bounds read/write vulnerability when executing lazily compil ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd652998ceb4cc945094156bf6b05dd5360fa18e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd652998ceb4cc945094156bf6b05dd5360fa18e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3d0da7e0 by Moritz Muehlenhoff at 2020-10-12T16:07:53+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,7 @@ CVE-2020-26949 CVE-2020-26948 (Emby Server before 4.5.0 allows SSRF via the Items/RemoteSearch/Image ...) NOT-FOR-US: Emby Server CVE-2020-26947 (monero-wallet-gui in Monero GUI 0.17.0.1 includes the . directory in a ...) - TODO: check + NOT-FOR-US: monero-wallet-gui CVE-2020-26946 RESERVED CVE-2020-26945 (MyBatis before 3.5.6 mishandles deserialization of object streams. ...) @@ -111,7 +111,7 @@ CVE-2020-26896 CVE-2020-26895 RESERVED CVE-2020-26894 (Faulkner Wildlife Issues in the New Millennium 18.0.160 on Windows all ...) - TODO: check + NOT-FOR-US: New Millennium CVE-2020-26893 RESERVED CVE-2020-26892 @@ -31394,7 +31394,7 @@ CVE-2020-12678 CVE-2020-12677 (An issue was discovered in Progress MOVEit Automation Web Admin. A Web ...) NOT-FOR-US: Progress MOVEit Automation Web Admin CVE-2020-12676 (FusionAuth fusionauth-samlv2 0.2.3 allows remote attackers to forge me ...) - TODO: check + NOT-FOR-US: FusionAuth CVE-2020-12675 (The mappress-google-maps-for-wordpress plugin before 2.54.6 for WordPr ...) NOT-FOR-US: mappress-google-maps-for-wordpress plugin for WordPress CVE-2020-12692 (An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0. ...) @@ -42112,7 +42112,7 @@ CVE-2020-9050 CVE-2020-9049 RESERVED CVE-2020-9048 (A vulnerability in victor Web Client versions up to and including v5.4 ...) - TODO: check + NOT-FOR-US: Johnson Controls CVE-2020-9047 (A vulnerability exists that could allow the execution of unauthorized ...) NOT-FOR-US: exacqVision Web Service CVE-2020-9046 (A vulnerability in all versions of Kantech EntraPass Editions could po ...) 
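Review bot: The label added for CVE-2020-26894, `NOT-FOR-US: New Millennium`, does not match the product named in the description, "Faulkner Wildlife Issues in the New Millennium"; using the product name as given keeps NOT-FOR-US entries searchable, as the other hunks in this commit do (`Emby Server`, `monero-wallet-gui`, `FusionAuth`).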
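Review bot: CVE-2020-9048 is labelled by vendor, `NOT-FOR-US: Johnson Controls`, while the neighbouring CVE-2020-9047 entry is labelled by product (`exacqVision Web Service`) and the description itself names the product "victor Web Client"; consider using the product name for consistency with the surrounding entries.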
@@ -45430,15 +45430,15 @@ CVE-2020-7744 CVE-2020-7743 RESERVED CVE-2020-7742 (This affects the package simpl-schema before 1.10.2. ...) - TODO: check + NOT-FOR-US: Node simpl-schema CVE-2020-7741 (This affects the package hellojs before 1.18.6. The code get the param ...) - TODO: check + NOT-FOR-US: hello.js CVE-2020-7740 (This affects all versions of package node-pdf-generator. Due to lack o ...) - TODO: check + NOT-FOR-US: Node pdf-generator CVE-2020-7739 (This affects all versions of package phantomjs-seo. It is possible for ...) - TODO: check + NOT-FOR-US: Node phantomjs-seo CVE-2020-7738 (All versions of package shiba are vulnerable to Arbitrary Code Executi ...) - TODO: check + NOT-FOR-US: Node shiba CVE-2020-7737 (All versions of package safetydance are vulnerable to Prototype Pollut ...) TODO: check CVE-2020-7736 (The package bmoor before 0.8.12 are vulnerable to Prototype Pollution ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d0da7e0e64247878593215592ae69f10023b8f6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d0da7e0e64247878593215592ae69f10023b8f6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
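Review bot: CVE-2020-7737 (package safetydance, Prototype Pollution) is left at `TODO: check` in this hunk while the five adjacent npm-package entries (simpl-schema, hellojs, node-pdf-generator, phantomjs-seo, shiba) are all resolved as NOT-FOR-US; if that is deliberate, a short NOTE saying why would help the next triager. The new labels also mix two conventions, `Node <name>` (`Node simpl-schema`, `Node pdf-generator`) and a bare name (`hello.js`), and `Node pdf-generator` drops the `node-` prefix that is part of the package name `node-pdf-generator` in the description; pick one form and keep the package name as published.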
[Git][security-tracker-team/security-tracker][master] Add upstream reference for CVE-2019-20922
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dcafd2ab by Salvatore Bonaccorso at 2020-10-12T15:20:48+02:00 Add upstream reference for CVE-2019-20922 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1653,6 +1653,7 @@ CVE-2020-26159 (In Oniguruma 6.9.5_rev1, an attacker able to supply a regular ex CVE-2019-20922 (Handlebars before 4.4.5 allows Regular Expression Denial of Service (R ...) - node-handlebars (Introduced in 4.4.4 and fixed in 4.4.5, no vulnerable version uploaded) - libjs-handlebars (Introduced in 4.4.4 and fixed in 4.4.5, no vulnerable version uploaded) + NOTE: https://github.com/handlebars-lang/handlebars.js/issues/1579 NOTE: https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b NOTE: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388 NOTE: https://www.npmjs.com/advisories/1300 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dcafd2abede24d4a96d0b8cd7d6d1eb31c5948bd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dcafd2abede24d4a96d0b8cd7d6d1eb31c5948bd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Add yaws to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 02773334 by Salvatore Bonaccorso at 2020-10-12T15:10:34+02:00 Add yaws to dsa-needed list - - - - - cd83091d by Salvatore Bonaccorso at 2020-10-12T15:11:03+02:00 Take yaws from dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -32,3 +32,5 @@ python-flask-cors xcftools Hugo proposed to work on this update -- +yaws (carnil) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c8964697bce5fe24eb517e03fc43200ee55300bf...cd83091dc56af1b3627ecb955c3d924696315949 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c8964697bce5fe24eb517e03fc43200ee55300bf...cd83091dc56af1b3627ecb955c3d924696315949 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new otrs issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c8964697 by Moritz Muehlenhoff at 2020-10-12T13:28:06+02:00 new otrs issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -36914,8 +36914,11 @@ CVE-2020-11023 (In jQuery versions greater than or equal to 1.0.3 and before 3.5 [jessie] - drupal7 (Vulnerable code not embedded) - node-jquery 3.5.0+dfsg-2 [buster] - node-jquery (Minor issue) + - otrs2 6.0.30-1 + [buster] - otrs2 (Non-free not supported) NOTE: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6 NOTE: https://www.drupal.org/sa-core-2020-002 + NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-14/ CVE-2020-11022 (In jQuery versions greater than or equal to 1.2 and before 3.5.0, pass ...) {DSA-4693-1} - jquery 
@@ -36926,9 +36929,12 @@ CVE-2020-11022 (In jQuery versions greater than or equal to 1.2 and before 3.5.0 [buster] - node-jquery (Minor issue) - drupal7 [jessie] - drupal7 (Vulnerable code not embedded) + - otrs2 6.0.30-1 + [buster] - otrs2 (Non-free not supported) NOTE: https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2 NOTE: https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77 NOTE: https://www.drupal.org/sa-core-2020-002 + NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-14/ CVE-2020-11021 (Actions Http-Client (NPM @actions/http-client) before version 1.0.8 ca ...) NOT-FOR-US: Actions Http-Client CVE-2020-11020 (Faye (NPM, RubyGem) versions greater than 0.5.0 and before 1.0.4, 1.1. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8964697bce5fe24eb517e03fc43200ee55300bf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8964697bce5fe24eb517e03fc43200ee55300bf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2019-20922 n/a, thanks yadd
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4ffcbba6 by Moritz Muehlenhoff at 2020-10-12T12:32:50+02:00 CVE-2019-20922 n/a, thanks yadd - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1651,9 +1651,8 @@ CVE-2020-26159 (In Oniguruma 6.9.5_rev1, an attacker able to supply a regular ex NOTE: https://github.com/kkos/oniguruma/commit/cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0 NOTE: https://github.com/kkos/oniguruma/issues/207 CVE-2019-20922 (Handlebars before 4.4.5 allows Regular Expression Denial of Service (R ...) - - node-handlebars 3:4.7.2-1 - - libjs-handlebars - [stretch] - libjs-handlebars (Only reverse depends was diaspora which not in stretch) + - node-handlebars (Introduced in 4.4.4 and fixed in 4.4.5, no vulnerable version uploaded) + - libjs-handlebars (Introduced in 4.4.4 and fixed in 4.4.5, no vulnerable version uploaded) NOTE: https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b NOTE: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388 NOTE: https://www.npmjs.com/advisories/1300 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ffcbba60f857d3c3546ffbee4783f1286d6d155 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ffcbba60f857d3c3546ffbee4783f1286d6d155 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] more gitlab fixes
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9bd99e08 by Moritz Muehlenhoff at 2020-10-12T11:10:23+02:00 more gitlab fixes - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29737,11 +29737,11 @@ CVE-2020-13347 (A command injection vulnerability was discovered in Gitlab runne CVE-2020-13346 (Membership changes are not reflected in ToDo subscriptions in GitLab v ...) - gitlab 13.2.10-1 CVE-2020-13345 (An issue has been discovered in GitLab affecting all versions starting ...) - - gitlab + - gitlab 13.2.10-1 CVE-2020-13344 (An issue has been discovered in GitLab affecting all versions prior to ...) - gitlab 13.2.10-1 CVE-2020-13343 (An issue has been discovered in GitLab affecting all versions starting ...) - - gitlab + - gitlab 13.2.10-1 CVE-2020-13342 (An issue has been discovered in GitLab affecting versions prior to 13. ...) - gitlab 13.2.10-1 CVE-2020-13341 
@@ -29757,7 +29757,7 @@ CVE-2020-13337 (An issue has been discovered in GitLab affecting versions from 1 - gitlab (Only affected 12.10 to 12.10.12) NOTE: https://gitlab.com/gitlab-org/gitlab/-/issues/199049 CVE-2020-13336 (An issue has been discovered in GitLab affecting versions from 11.8 be ...) - - gitlab + - gitlab (Only affected 11.x/12.x while unstable on 13.x) CVE-2020-13335 (Improper group membership validation when deleting a user account in G ...) - gitlab 13.2.10-1 CVE-2020-13334 (In GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, improper autho ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9bd99e0890fc729c8a7616f72cd1d2e1e1cf06ea -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9bd99e0890fc729c8a7616f72cd1d2e1e1cf06ea You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
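Review bot: The new annotation for CVE-2020-13336, `(Only affected 11.x/12.x while unstable on 13.x)`, reads awkwardly; something like `(Only affected 11.x/12.x, unstable already had 13.x)` states the reasoning plainly and matches the style of the CVE-2020-13337 line above (`Only affected 12.10 to 12.10.12`).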
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2019-14888/undertow
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4485d8c8 by Salvatore Bonaccorso at 2020-10-12T10:41:16+02:00 Update information on CVE-2019-14888/undertow Upstream is not very transparent here, but the fixed version is noted in the CVE description as 2.0.28.SP1 (which is possibly after 2.0.28.Final). Checking through the commits of 2.0.28.Final and 2.0.29.Final reveals one commit matching a denial of service due to a deadlock in the http2 code. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -78201,8 +78201,12 @@ CVE-2019-14889 (A flaw was found with the libssh API function ssh_scp_new() in v NOTE: https://bugs.debian.org/947129 NOTE: https://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ce559d163a943737fe4160f7233925df2eee1f9a CVE-2019-14888 (A vulnerability was found in the Undertow HTTP server in versions befo ...) - - undertow 2.0.28-1 + - undertow 2.0.30-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1772464 + NOTE: https://issues.redhat.com/browse/UNDERTOW-1623 + NOTE: https://github.com/undertow-io/undertow/commit/846c50ead09f7d0b38965b4726ba0b6c5582bf7f (and followups) + NOTE: https://github.com/undertow-io/undertow/pull/828 + NOTE: https://github.com/undertow-io/undertow/pull/852 CVE-2019-14887 (A flaw was found when an OpenSSL security provider is used with Wildfl ...) - wildfly (bug #752018) CVE-2019-14886 (A vulnerability was found in business-central, as shipped in rhdm-7.5. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4485d8c84632762fc13960bfe6573a2af83e5900 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4485d8c84632762fc13960bfe6573a2af83e5900 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
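Review bot: The fixed version moves from `2.0.28-1` to `2.0.30-1`, but the commit message reasons about commits between 2.0.28.Final and 2.0.29.Final and the CVE text about 2.0.28.SP1, and none of the new NOTEs says why 2.0.30-1 rather than a 2.0.29-based upload is the first fixed Debian version. A NOTE recording that 2.0.30-1 is the first Debian upload containing the referenced commit (or that no 2.0.29 was uploaded) would make the entry verifiable later. Also, "(and followups)" on the commit NOTE is vague; since pull requests 828 and 852 are cited right after it, say whether those are the followups meant.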
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 391e53be by Salvatore Bonaccorso at 2020-10-12T10:25:32+02:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27513,7 +27513,7 @@ CVE-2020-14186 CVE-2020-14185 RESERVED CVE-2020-14184 (Affected versions of Atlassian Jira Server allow remote attackers to i ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2020-14183 (Affected versions of Jira Server Data Center allow a remote atta ...) NOT-FOR-US: Atlassian CVE-2020-14182 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/391e53becd88bedebba48a6c79bb949211c07b4e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/391e53becd88bedebba48a6c79bb949211c07b4e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] gitlab fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ca1c1d80 by Moritz Muehlenhoff at 2020-10-12T10:12:59+02:00 gitlab fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29735,21 +29735,21 @@ CVE-2020-13348 CVE-2020-13347 (A command injection vulnerability was discovered in Gitlab runner vers ...) - gitlab-ci-multi-runner (Only affects gitlab-runner when configured on Windows) CVE-2020-13346 (Membership changes are not reflected in ToDo subscriptions in GitLab v ...) - - gitlab + - gitlab 13.2.10-1 CVE-2020-13345 (An issue has been discovered in GitLab affecting all versions starting ...) - gitlab CVE-2020-13344 (An issue has been discovered in GitLab affecting all versions prior to ...) - - gitlab + - gitlab 13.2.10-1 CVE-2020-13343 (An issue has been discovered in GitLab affecting all versions starting ...) - gitlab CVE-2020-13342 (An issue has been discovered in GitLab affecting versions prior to 13. ...) - - gitlab + - gitlab 13.2.10-1 CVE-2020-13341 RESERVED CVE-2020-13340 (An issue has been discovered in GitLab affecting all versions prior to ...) - - gitlab + - gitlab 13.2.10-1 CVE-2020-13339 (An issue has been discovered in GitLab affecting all versions before 1 ...) - - gitlab + - gitlab 13.2.10-1 CVE-2020-13338 (An issue has been discovered in GitLab affecting versions prior to 12. ...) - gitlab 13.2.3-2 NOTE: https://gitlab.com/gitlab-org/gitlab/-/issues/213273 
@@ -29759,13 +29759,13 @@ CVE-2020-13337 (An issue has been discovered in GitLab affecting versions from 1 CVE-2020-13336 (An issue has been discovered in GitLab affecting versions from 11.8 be ...) - gitlab CVE-2020-13335 (Improper group membership validation when deleting a user account in G ...) - - gitlab + - gitlab 13.2.10-1 CVE-2020-13334 (In GitLab versions prior to 13.2.10, 13.3.7 and 13.4.2, improper autho ...) - - gitlab + - gitlab 13.2.10-1 CVE-2020-1 (A potential DOS vulnerability was discovered in GitLab versions 13.1, ...) - - gitlab + - gitlab 13.2.10-1 CVE-2020-13332 (Improper access expiration date validation in GitLab version =8.11 ...) - - gitlab + - gitlab 13.2.10-1 CVE-2020-13331 (An issue has been discovered in GitLab affecting versions prior to 12. ...) - gitlab 13.2.3-2 CVE-2020-13330 (An issue has been discovered in GitLab affecting versions prior to 12. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca1c1d8ff46a1391fa65a8e946d91ab8fd57 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca1c1d8ff46a1391fa65a8e946d91ab8fd57 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
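Review bot: Two context lines in this hunk look damaged in this rendering and should be verified in data/CVE/list: the entry between CVE-2020-13334 and CVE-2020-13332 appears as `CVE-2020-1 (A potential DOS vulnerability ...)`, an incomplete identifier, and CVE-2020-13332 reads `GitLab version =8.11`, where a comparison operator seems to be missing before `8.11`. Separately, CVE-2020-13345, CVE-2020-13343 and CVE-2020-13336 still carry a bare `- gitlab` after this commit although the title says "gitlab fixed in sid"; either give them the same `13.2.10-1` or add a note explaining why they differ.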
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 099d742e by security tracker role at 2020-10-12T08:10:19+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27512,8 +27512,8 @@ CVE-2020-14186 RESERVED CVE-2020-14185 RESERVED -CVE-2020-14184 - RESERVED +CVE-2020-14184 (Affected versions of Atlassian Jira Server allow remote attackers to i ...) + TODO: check CVE-2020-14183 (Affected versions of Jira Server Data Center allow a remote atta ...) NOT-FOR-US: Atlassian CVE-2020-14182 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/099d742e6590e83d6377ec13296a110d85ea5d77 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/099d742e6590e83d6377ec13296a110d85ea5d77 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-11800/zabbix
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e0c9950a by Salvatore Bonaccorso at 2020-10-12T09:00:49+02:00 Add CVE-2020-11800/zabbix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -34319,7 +34319,10 @@ CVE-2020-11801 CVE-2019-20768 (ServiceNow IT Service Management Kingston through Patch 14-1, London t ...) NOT-FOR-US: ServiceNow IT Service Management Kingston CVE-2020-11800 (Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote att ...) - TODO: check + - zabbix 1:4.0.0+dfsg-1 + NOTE: https://support.zabbix.com/browse/DEV-1538 + NOTE: https://support.zabbix.com/browse/ZBX-17600 + NOTE: https://support.zabbix.com/browse/ZBXSEC-30 (not public) CVE-2020-11799 (Z-Cron 5.6 Build 04 allows an unprivileged attacker to elevate privile ...) NOT-FOR-US: Z-Cron CVE-2020-11798 (A Directory Traversal vulnerability in the web conference component of ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e0c9950ab56bddcaff4edd8bf451786d278e91b1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e0c9950ab56bddcaff4edd8bf451786d278e91b1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
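Review bot: The CVE-2020-11800 hunk records `- zabbix 1:4.0.0+dfsg-1` with no suite triage lines, although the description says the issue affects Zabbix Server 2.2.x and 3.0.x before 3.0.31; if a 3.0.x-based zabbix is still shipped in a supported suite, add the corresponding `[stretch]`-style line (fixed version, minor issue, or no-dsa) so that suite's status is recorded explicitly. One of the three references, ZBXSEC-30, is marked "(not public)", so DEV-1538 and ZBX-17600 are the ones a third party can check; it may be worth saying which of them contains the fix.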
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: e0a1bf9d by Thorsten Alteholz at 2020-10-12T08:57:08+02:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -124,6 +124,7 @@ php-horde-trean phpmyadmin (Abhijith PA) -- python3.5 (Thorsten Alteholz) + NOTE: 20201011: testing package -- pluxml NOTE: 20201011: issue is still open upstream. Also low priority for us (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e0a1bf9d75c0ee7cf71722ab23d5385286e16a40 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e0a1bf9d75c0ee7cf71722ab23d5385286e16a40 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-15866/mruby
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 537007de by Salvatore Bonaccorso at 2020-10-12T08:47:52+02:00 Add Debian bug reference for CVE-2020-15866/mruby - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22977,7 +22977,7 @@ CVE-2020-15868 (Sonatype Nexus Repository Manager OSS/Pro before 3.26.0 has Inco CVE-2020-15867 RESERVED CVE-2020-15866 (mruby through 2.1.2-rc has a heap-based buffer overflow in the mrb_yie ...) - - mruby + - mruby (bug #972051) [buster] - mruby (Minor issue) [stretch] - mruby (Minor issue) NOTE: https://github.com/mruby/mruby/issues/5042 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/537007de83cc047e76173b99e5ac6f74c26b2488 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/537007de83cc047e76173b99e5ac6f74c26b2488 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-15476/ndpi
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ef63ccb by Salvatore Bonaccorso at 2020-10-12T08:46:26+02:00 Add Debian bug reference for CVE-2020-15476/ndpi - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -24070,28 +24070,28 @@ CVE-2020-15477 (The WebControl in RaspberryTortoise through 2012-10-28 is vulner NOT-FOR-US: RaspberryTortoise CVE-2020-15476 (In nDPI through 3.2, the Oracle protocol dissector has a heap-based bu ...) {DLA-2354-1} - - ndpi + - ndpi (bug #972050) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21780 NOTE: https://github.com/ntop/nDPI/commit/b69177be2fbe01c2442239a61832c44e40136c05 CVE-2020-15475 (In nDPI through 3.2, ndpi_reset_packet_line_info in lib/ndpi_main.c om ...) - - ndpi + - ndpi (bug #972050) [stretch] - ndpi (Vulnerable code not present, content_disposition_line introduced later) NOTE: https://github.com/ntop/nDPI/commit/6a9f5e4f7c3fd5ddab3e6727b071904d76773952 CVE-2020-15474 (In nDPI through 3.2, there is a stack overflow in extractRDNSequence i ...) - - ndpi + - ndpi (bug #972050) [buster] - ndpi (Vulnerable code not present) [stretch] - ndpi (Vulnerable code not present) NOTE: https://github.com/ntop/nDPI/commit/23594f036536468072198a57c59b6e9d63caf6ce CVE-2020-15473 (In nDPI through 3.2, the OpenVPN dissector is vulnerable to a heap-bas ...) - - ndpi + - ndpi (bug #972050) [stretch] - ndpi (Vulnerable code introduced later) NOTE: https://github.com/ntop/nDPI/commit/8e7b1ea7a136cc4e4aa9880072ec2d69900a825e CVE-2020-15472 (In nDPI through 3.2, the H.323 dissector is vulnerable to a heap-based ...) - - ndpi + - ndpi (bug #972050) [stretch] - ndpi (Vulnerable code introduced later) NOTE: https://github.com/ntop/nDPI/commit/b7e666e465f138ae48ab81976726e67deed12701 CVE-2020-15471 (In nDPI through 3.2, the packet parsing code is vulnerable to a heap-b ...) - - ndpi + - ndpi (bug #972050) [buster] - ndpi (Vulnerable code not present) [stretch] - ndpi (Vulnerable code not present) NOTE: https://github.com/ntop/nDPI/commit/61066fb106efa6d3d95b67e47b662de208b2b622 
@@ -33348,14 +33348,14 @@ CVE-2020-11942 (An issue was discovered in Open-AudIT 3.2.2. There are Multiple CVE-2020-11941 (An issue was discovered in Open-AudIT 3.2.2. There is OS Command injec ...) NOT-FOR-US: Open-AudIT CVE-2020-11940 (In nDPI through 3.2 Stable, an out-of-bounds read in concat_hash_strin ...) - - ndpi + - ndpi (bug #972050) [buster] - ndpi (Introduced in 3.0) [stretch] - ndpi (Introduced in 3.0) [jessie] - ndpi (Introduced in 3.0) NOTE: https://github.com/ntop/nDPI/commit/3bbb0cd3296023f6f922c71d21a1c374d2b0a435 NOTE: https://securitylab.github.com/advisories/GHSL-2020-051_052-ntop-ndpi CVE-2020-11939 (In nDPI through 3.2 Stable, the SSH protocol dissector has multiple KE ...) - - ndpi + - ndpi (bug #972050) [buster] - ndpi (Introduced in 3.0) [stretch] - ndpi (Introduced in 3.0) [jessie] - ndpi (Introduced in 3.0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ef63ccbf61a8041c5a4deb8a280cc60a4d8658a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ef63ccbf61a8041c5a4deb8a280cc60a4d8658a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-26570/opensc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e9525d5 by Salvatore Bonaccorso at 2020-10-12T08:43:32+02:00 Add Debian bug reference for CVE-2020-26570/opensc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -800,7 +800,7 @@ CVE-2020-26571 (The gemsafe GPK smart card software driver in OpenSC before 0.21 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20612 TODO: check, unclear fixing commit CVE-2020-26570 (The Oberthur smart card software driver in OpenSC before 0.21.0-rc1 ha ...) - - opensc + - opensc (bug #972037) [buster] - opensc (Minor issue) [stretch] - opensc (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24316 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e9525d5fc3c8bcfaaf07b72ad5cd871aede39f5
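Review bot: The bug reference is added only to CVE-2020-26570, while the neighbouring CVE-2020-26571 entry in the hunk's leading context still reads "TODO: check, unclear fixing commit" with no Debian bug. If bug #972037 was filed for the whole OpenSC 0.21.0-rc1 batch, it should be referenced on CVE-2020-26571 as well so the open TODO is tracked somewhere; if it was filed for CVE-2020-26570 alone, the title of the commit is accurate and CVE-2020-26571 still needs its own follow-up. The unstable entry also keeps no fixed version, which is consistent with "(Minor issue)" on buster and stretch only as long as the bug stays open against sid.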
[Git][security-tracker-team/security-tracker][master] Add Debian bug references for gpac issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a5db7f0d by Salvatore Bonaccorso at 2020-10-12T08:41:46+02:00 Add Debian bug references for gpac issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -35536,7 +35536,7 @@ CVE-2020-11560 (NCH Express Invoice 7.25 allows local users to discover the clea CVE-2020-11559 RESERVED CVE-2020-11558 (An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by ...) - - gpac + - gpac (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) [jessie] - gpac (Vulnerable code not present and not reproducible) 
@@ -37341,35 +37341,35 @@ CVE-2020-10882 (This vulnerability allows network-adjacent attackers to execute CVE-2020-10881 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: TP-Link CVE-2019-20632 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) - - gpac + - gpac (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) [jessie] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090 NOTE: https://github.com/gpac/gpac/issues/1271 CVE-2019-20631 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) - - gpac + - gpac (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) [jessie] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090 NOTE: https://github.com/gpac/gpac/issues/1270 CVE-2019-20630 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) - - gpac + - gpac (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) [jessie] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/1ab4860609f2e7a35634930571e7d0531297e090 NOTE: https://github.com/gpac/gpac/issues/1268 CVE-2019-20629 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) - - gpac + - gpac (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) [jessie] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/2320eb73afba753b39b7147be91f7be7afc0eeb7 NOTE: https://github.com/gpac/gpac/issues/1264 CVE-2019-20628 (An issue was discovered in libgpac.a in GPAC before 0.8.0, as demonstr ...) - - gpac + - gpac (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) [jessie] - gpac (Minor issue) 
@@ -48103,7 +48103,7 @@ CVE-2020-6633 CVE-2020-6632 (In PrestaShop 1.7.6.2, XSS can occur during addition or removal of a Q ...) NOT-FOR-US: PrestaShop CVE-2020-6631 (An issue was discovered in GPAC version 0.8.0. There is a NULL pointer ...) - - gpac (low) + - gpac (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) [jessie] - gpac (Minor issue, clean crash, MP42TS not shipped, incomplete patch) @@ -48111,7 +48111,7 @@ CVE-2020-6631 (An issue was discovered in GPAC version 0.8.0. There is a NULL po NOTE: https://github.com/gpac/gpac/commit/c7e46e948ebe2d4a532539c7e714cdf655b84521 NOTE: fix considered "ugly" by upstream and introduces abort(3)-based DoS CVE-2020-6630 (An issue was discovered in GPAC version 0.8.0. There is a NULL pointer ...) - - gpac (low) + - gpac (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) [jessie] - gpac (Minor issue, clean crash, MP42TS not shipped, incomplete patch) @@ -52047,7 +52047,7 @@ CVE-2019-20209 (The CTHthemes CityBook before 2.3.4, TownHub before 1.0.6, and E NOT-FOR-US: themes for WordPress CVE-2019-20208 (dimC_Read in isomedia/box_code_3gpp.c in GPAC 0.8.0 has a stack-based ...) {DLA-2072-1} - - gpac + - gpac (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/1348 @@ -52253,7 +52253,7 @@ CVE-2019-20171 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-developm NOTE: https://github.com/gpac/gpac/commit/2bcca3f1d4605100bb27d3ed7be25b53cddbc75c CVE-2019-20170 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) {DLA-2072-1} - - gpac (low) + - gpac (bug #972053) [buster] - gpac (Minor issue) [stretch] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/1328 @@ -52279,7 +52279,7 @@ CVE-2019-20166 (An issue was discovered in GPAC version
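Review bot: In the @@ -48103, @@ -48111 and @@ -52253 hunks the sid entries for CVE-2020-6631, CVE-2020-6630 and CVE-2019-20170 change from "- gpac (low)" to "- gpac (bug #972053)", which drops the severity marker rather than adding the bug reference next to it; the other gpac entries in this commit only gained the reference. If the low severity still applies, keep it alongside the bug reference so the triage information is not lost, or state in the commit message that the downgrade is intentional. The jessie annotation "Minor issue, clean crash, MP42TS not shipped, incomplete patch" together with the NOTE "fix considered "ugly" by upstream and introduces abort(3)-based DoS" also suggests the referenced upstream fix is not the one to backport as-is; recording which fix the Debian bug is meant to track would help whoever picks up #972053.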