[Git][security-tracker-team/security-tracker][master] Reserve DLA-2420-1 for linux
Ben Hutchings pushed to branch master at Debian Security Tracker / security-tracker Commits: f2e21e33 by Ben Hutchings at 2020-10-29T21:27:53+00:00 Reserve DLA-2420-1 for linux - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Oct 2020] DLA-2420-1 linux - security update + {CVE-2019-9445 CVE-2019-19073 CVE-2019-19074 CVE-2019-19448 CVE-2020-12351 CVE-2020-12352 CVE-2020-12655 CVE-2020-12771 CVE-2020-12888 CVE-2020-14305 CVE-2020-14314 CVE-2020-14331 CVE-2020-14356 CVE-2020-14386 CVE-2020-14390 CVE-2020-15393 CVE-2020-16166 CVE-2020-24490 CVE-2020-25211 CVE-2020-25212 CVE-2020-25220 CVE-2020-25284 CVE-2020-25285 CVE-2020-25641 CVE-2020-25643 CVE-2020-26088} + [stretch] - linux 4.9.240-1 [29 Oct 2020] DLA-2419-1 dompurify.js - security update {CVE-2019-16728 CVE-2020-26870} [stretch] - dompurify.js 0.8.2~dfsg1-1+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2e21e3330c118889c6d50499cb2dc3dfab0585c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2e21e3330c118889c6d50499cb2dc3dfab0585c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
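Review bot: the new DLA-2420-1 entry in data/DLA/list lists 26 CVEs, but the matching `{DLA-2420-1}` cross-references in data/CVE/list are not part of this commit. On this page that step is performed by the "automatic update" commit (it added `+ {DLA-2419-1}` to the CVE-2020-26870 entry after DLA-2419-1 was reserved), so it is worth checking after the next automatic run that all 26 entries, from CVE-2019-9445 through CVE-2020-26088, picked up the reference and none of them still shows stretch as unfixed.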
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-14318/samba
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f57224db by Salvatore Bonaccorso at 2020-10-29T22:11:06+01:00 Add Debian bug reference for CVE-2020-14318/samba - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30118,7 +30118,7 @@ CVE-2020-14319 (It was found that the AMQ Online console is vulnerable to a Cros NOT-FOR-US: AMQ Online CVE-2020-14318 [Missing handle permissions check in SMB1/2/3 ChangeNotify] RESERVED - - samba + - samba (bug #973400) NOTE: https://www.samba.org/samba/security/CVE-2020-14318.html CVE-2020-14317 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f57224db16b5d8b93a4286bef1c7cfc4e887647f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f57224db16b5d8b93a4286bef1c7cfc4e887647f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
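Review bot: after this change the CVE-2020-14318 entry reads `- samba (bug #973400)` with no fixed version and no `[buster]`/`[stretch]` lines, so the tracker will show samba as vulnerable in every suite until an upload lands. That is correct while the issue is open, but if the stable suites are to be handled differently (or not at all), the per-suite annotation used elsewhere in this batch, e.g. `[buster] - libspring-java (Minor issue)`, is the place to record it. The same applies to the sibling commits for CVE-2020-14383 (bug #973398) and CVE-2020-14323 (bug #973399).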
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-14383/samba
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a20d1ebe by Salvatore Bonaccorso at 2020-10-29T22:08:23+01:00 Add Debian bug reference for CVE-2020-14383/samba - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29835,7 +29835,7 @@ CVE-2020-14384 (A flaw was found in JBossWeb in versions before 7.5.31.Final-red NOT-FOR-US: JBossWeb CVE-2020-14383 [An authenticated user can crash the DCE/RPC DNS with easily crafted records] RESERVED - - samba + - samba (bug #973398) NOTE: https://www.samba.org/samba/security/CVE-2020-14383.html CVE-2020-14382 (A vulnerability was found in upstream release cryptsetup-2.2.0 where, ...) - cryptsetup 2:2.3.4-1 (bug #969471) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a20d1ebe9af964a4b6b92b13e6057b5c3959dff0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a20d1ebe9af964a4b6b92b13e6057b5c3959dff0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2020-14323/samba
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f32db8d8 by Salvatore Bonaccorso at 2020-10-29T22:07:10+01:00 Add Debian bug reference for CVE-2020-14323/samba - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30106,7 +30106,7 @@ CVE-2020-14324 (A high severity vulnerability was found in all active versions o NOT-FOR-US: Red Hat CloudForm CVE-2020-14323 [Unprivileged user can crash winbind] RESERVED - - samba + - samba (bug #973399) NOTE: https://www.samba.org/samba/security/CVE-2020-14323.html CVE-2020-14322 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f32db8d8ad3d2801b7826f6110b3cad1eb622d74 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f32db8d8ad3d2801b7826f6110b3cad1eb622d74 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d95d0c8f by Salvatore Bonaccorso at 2020-10-29T21:33:42+01:00 Process more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,17 +3,17 @@ CVE-2020-28000 CVE-2020-27999 RESERVED CVE-2020-27998 (An issue was discovered in FastReport before 2020.4.0. It lacks a Scri ...) - TODO: check + NOT-FOR-US: FastReport CVE-2020-27997 RESERVED CVE-2020-27996 (An issue was discovered in SmartStoreNET before 4.0.1. It does not pro ...) - TODO: check + NOT-FOR-US: SmartStoreNET CVE-2020-27995 (SQL Injection in Zoho ManageEngine Applications Manager 14 before 1456 ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine CVE-2020-27994 RESERVED CVE-2020-27993 (Hrsale 2.0.0 allows download?type=filesfilename=../ directory tra ...) - TODO: check + NOT-FOR-US: Hrsale CVE-2020-27992 RESERVED CVE-2020-27991 @@ -425,9 +425,9 @@ CVE-2021-0202 CVE-2021-0201 RESERVED CVE-2020-27887 (An issue was discovered in EyesOfNetwork 5.3 through 5.3-8. An authent ...) - TODO: check + NOT-FOR-US: EyesOfNetwork (EON) CVE-2020-27886 (An issue was discovered in EyesOfNetwork eonweb 5.3-7 through 5.3-8. T ...) - TODO: check + NOT-FOR-US: EyesOfNetwork (EON) CVE-2020-27885 RESERVED CVE-2020-27884 @@ -705,13 +705,13 @@ CVE-2020-27749 CVE-2020-27748 RESERVED CVE-2020-27747 (An issue was discovered in Click Studios Passwordstate 8.9 (Build 8973 ...) - TODO: check + NOT-FOR-US: Click Studios Passwordstate CVE-2020-27746 RESERVED CVE-2020-27745 RESERVED CVE-2020-27744 (An issue was discovered on Western Digital My Cloud NAS devices before ...) - TODO: check + NOT-FOR-US: Western Digital My Cloud NAS devices CVE-2020-27743 (libtac in pam_tacplus through 1.5.1 lacks a check for a failure of RAN ...) - libpam-tacplus (bug #973250) NOTE: https://github.com/kravietz/pam_tacplus/pull/163 
@@ -1284,27 +1284,27 @@ CVE-2020-27660 CVE-2020-27659 RESERVED CVE-2020-27658 (Synology Router Manager (SRM) before 1.2.4-8081 does not include the H ...) - TODO: check + NOT-FOR-US: Synology Router Manager (SRM) CVE-2020-27657 (Cleartext transmission of sensitive information vulnerability in DDNS ...) - TODO: check + NOT-FOR-US: Synology Router Manager (SRM) CVE-2020-27656 (Cleartext transmission of sensitive information vulnerability in DDNS ...) - TODO: check + NOT-FOR-US: Synology CVE-2020-27655 (Improper access control vulnerability in Synology Router Manager (SRM) ...) - TODO: check + NOT-FOR-US: Synology CVE-2020-27654 (Improper access control vulnerability in lbd in Synology Router Manage ...) - TODO: check + NOT-FOR-US: Synology CVE-2020-27653 (Algorithm downgrade vulnerability in QuickConnect in Synology Router M ...) - TODO: check + NOT-FOR-US: Synology CVE-2020-27652 (Algorithm downgrade vulnerability in QuickConnect in Synology DiskStat ...) - TODO: check + NOT-FOR-US: Synology CVE-2020-27651 (Synology Router Manager (SRM) before 1.2.4-8081 does not set the Secur ...) - TODO: check + NOT-FOR-US: Synology CVE-2020-27650 (Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set t ...) - TODO: check + NOT-FOR-US: Synology CVE-2020-27649 (Improper certificate validation vulnerability in OpenVPN client in Syn ...) - TODO: check + NOT-FOR-US: Synology CVE-2020-27648 (Improper certificate validation vulnerability in OpenVPN client in Syn ...) - TODO: check + NOT-FOR-US: Synology CVE-2020-27647 RESERVED CVE-2020-27646 (Biscom Secure File Transfer (SFT) before 5.1.1082 and 6.x before 6.0.1 ...) 
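Review bot: the NOT-FOR-US labels in this hunk are inconsistent for one vendor batch. CVE-2020-27658 and CVE-2020-27657 become `NOT-FOR-US: Synology Router Manager (SRM)`, while CVE-2020-27656 (whose visible description starts with the same "Cleartext transmission of sensitive information vulnerability in DDNS" text as CVE-2020-27657) and CVE-2020-27655 through CVE-2020-27648 become plain `NOT-FOR-US: Synology`; CVE-2020-27650 is a DiskStation Manager (DSM) issue, not SRM. Either use the bare vendor name for all eleven entries or name the product per entry (SRM or DSM), but not a mix.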
@@ -5944,7 +5944,7 @@ CVE-2020-25518 CVE-2020-25517 RESERVED CVE-2020-25516 (WSO2 Enterprise Integrator 6.6.0 or earlier contains a stored cross-si ...) - TODO: check + NOT-FOR-US: WSO2 Enterprise Integrator CVE-2020-25515 (Sourcecodester Simple Library Management System 1.0 is affected by Ins ...) NOT-FOR-US: Sourcecodester Simple Library Management System CVE-2020-25514 (Sourcecodester Simple Library Management System 1.0 is affected by Inc ...) @@ -14712,7 +14712,7 @@ CVE-2020-21268 CVE-2020-21267 RESERVED CVE-2020-21266 (Broadleaf Commerce 5.1.14-GA is affected by cross-site scripting (XSS) ...) - TODO: check + NOT-FOR-US: Broadleaf Commerce CVE-2020-21265 RESERVED CVE-2020-21264 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d95d0c8ffe820ac9e92630a4ae031c9e2f17b360 -- View it on GitLab:
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2012-1191/djbdns in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 87274815 by Salvatore Bonaccorso at 2020-10-29T21:19:22+01:00 Add fixed version for CVE-2012-1191/djbdns in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -345306,7 +345306,7 @@ CVE-2012-1193 (The resolver in PowerDNS Recursor (aka pdns_recursor) 3.3 overwri CVE-2012-1192 (The resolver in Unbound before 1.4.11 overwrites cached server names a ...) NOTE: DNS protocol flaw CVE-2012-1191 (The resolver in dnscache in Daniel J. Bernstein djbdns 1.05 overwrites ...) - - djbdns + - djbdns 1:1.05-10 NOTE: DNS protocol flaw NOTE: RH made an update: https://bugzilla.redhat.com/show_bug.cgi?id=838761 NOTE: https://marc.info/?l=djbdns=134269902121506=2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8727481559fe0f5dfeb36f1f6b0a7baf590b33ef -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8727481559fe0f5dfeb36f1f6b0a7baf590b33ef You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
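Review bot: recording `- djbdns 1:1.05-10` as the fixed version covers unstable only, and the CVE-2012-1191 entry still has no `[buster]` or `[stretch]` line, so both stable suites will now be listed as vulnerable to a 2012 DNS protocol issue. If no stable update is planned, add the usual suite annotation (this batch uses `(Minor issue)` for libspring-java and ruby-omniauth) so the tracker reflects the triage decision rather than an open item.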
[Git][security-tracker-team/security-tracker][master] Reference patch submission for CVE-2012-1191/djbdns
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cee6a609 by Salvatore Bonaccorso at 2020-10-29T21:17:36+01:00 Reference patch submission for CVE-2012-1191/djbdns - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -345309,6 +345309,7 @@ CVE-2012-1191 (The resolver in dnscache in Daniel J. Bernstein djbdns 1.05 overw - djbdns NOTE: DNS protocol flaw NOTE: RH made an update: https://bugzilla.redhat.com/show_bug.cgi?id=838761 + NOTE: https://marc.info/?l=djbdns=134269902121506=2 CVE-2011-5081 (Cross-site scripting (XSS) vulnerability in RestoreFile.pm in BackupPC ...) - backuppc 3.1.0-9.1 (low; bug #661011) [squeeze] - backuppc 3.1.0-9.1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cee6a609d2457fd66442c4b28826643c9281d1dd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cee6a609d2457fd66442c4b28826643c9281d1dd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
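Review bot: the added reference is rendered here as `https://marc.info/?l=djbdns=134269902121506=2`. A marc.info message link normally carries separate `l=`, `m=` and `w=` parameters joined by `&`, which are absent in this form; the same loss of `&` is visible elsewhere on this page (`download?type=filesfilename=../` in the CVE-2020-27993 description), so this is likely the mail rendering, but it is worth confirming that the URL committed to data/CVE/list resolves as intended.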
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f9af81ec by Salvatore Bonaccorso at 2020-10-29T21:12:29+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -53026,21 +53026,21 @@ CVE-2020-5940 CVE-2020-5939 RESERVED CVE-2020-5938 (On BIG-IP 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, when ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2020-5937 (On BIG-IP AFM 15.1.0-15.1.0.5, the Traffic Management Microkernel (TMM ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2020-5936 (On BIG-IP LTM 15.1.0-15.1.0.5, 14.1.0-14.1.2.7, 13.1.0-13.1.3.4, and 1 ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2020-5935 (On BIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Con ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2020-5934 (On BIG-IP APM 15.1.0-15.1.0.5, 14.1.0-14.1.2.3, and 13.1.0-13.1.3.3, w ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2020-5933 (On versions 15.1.0-15.1.0.5, 14.1.0-14.1.2.3, 13.1.0-13.1.3.4, 12.1.0- ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2020-5932 (On BIG-IP ASM 15.1.0-15.1.0.5, a cross-site scripting (XSS) vulnerabil ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2020-5931 (On BIG-IP 15.1.0-15.1.0.5, 14.1.0-14.1.2.3, 13.1.0-13.1.3.4, 12.1.0-12 ...) - TODO: check + NOT-FOR-US: F5 BIG-IP CVE-2020-5930 (In BIG-IP 15.0.0-15.1.0.4, 14.1.0-14.1.2.7, 13.1.0-13.1.3.3, 12.1.0-12 ...) NOT-FOR-US: F5 BIG-IP CVE-2020-5929 (In versions 13.0.0-13.0.0 HF2, 12.1.0-12.1.2 HF1, and 11.6.1-11.6.2, B ...) @@ -55869,7 +55869,7 @@ CVE-2020-4866 CVE-2020-4865 RESERVED CVE-2020-4864 (IBM Resilient SOAR V38.0 could allow an attacker on the internal net w ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4863 RESERVED CVE-2020-4862 
@@ -56149,13 +56149,13 @@ CVE-2020-4726 CVE-2020-4725 RESERVED CVE-2020-4724 (IBM i2 Analyst Notebook 9.2.0 and 9.2.1 could allow a local attacker t ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4723 (IBM i2 Analyst Notebook 9.2.0 and 9.2.1 could allow a local attacker t ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4722 (IBM i2 Analyst Notebook 9.2.0 and 9.2.1 could allow a local attacker t ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4721 (IBM i2 Analyst Notebook 9.2.0 and 9.2.1 could allow a local attacker t ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4720 RESERVED CVE-2020-4719 @@ -111786,7 +111786,7 @@ CVE-2019-4565 (IBM Security Key Lifecycle Manager 3.0 and 3.0.1 does not require CVE-2019-4564 (IBM Security Key Lifecycle Manager 2.6, 2.7, 3.0, and 3.0.1 is vulnera ...) NOT-FOR-US: IBM CVE-2019-4563 (IBM Security Directory Server 6.4.0 does not set the secure attribute ...) - TODO: check + NOT-FOR-US: IBM CVE-2019-4562 (IBM Security Directory Server 6.4.0 stores sensitive information in UR ...) NOT-FOR-US: IBM CVE-2019-4561 (IBM Security Identity Manager 6.0.0 could allow a remote attacker to e ...) 
@@ -111818,7 +111818,7 @@ CVE-2019-4549 (IBM Security Directory Server 6.4.0 discloses sensitive informati CVE-2019-4548 (IBM Security Directory Server 6.4.0 could allow a remote attacker to h ...) NOT-FOR-US: IBM CVE-2019-4547 (IBM Security Directory Server 6.4.0 generates an error message that in ...) - TODO: check + NOT-FOR-US: IBM CVE-2019-4546 (After installing the IBM Maximo Health- Safety and Environment Manager ...) NOT-FOR-US: IBM CVE-2019-4545 (IBM QRadar SIEM 7.3 and 7.4 when configured to use Active Directory Au ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f9af81ec0dd59d040feb2f1f072b9f79ce8100af -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f9af81ec0dd59d040feb2f1f072b9f79ce8100af You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d1f4aff4 by security tracker role at 2020-10-29T20:10:31+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,21 @@ +CVE-2020-28000 + RESERVED +CVE-2020-27999 + RESERVED +CVE-2020-27998 (An issue was discovered in FastReport before 2020.4.0. It lacks a Scri ...) + TODO: check +CVE-2020-27997 + RESERVED +CVE-2020-27996 (An issue was discovered in SmartStoreNET before 4.0.1. It does not pro ...) + TODO: check +CVE-2020-27995 (SQL Injection in Zoho ManageEngine Applications Manager 14 before 1456 ...) + TODO: check +CVE-2020-27994 + RESERVED +CVE-2020-27993 (Hrsale 2.0.0 allows download?type=filesfilename=../ directory tra ...) + TODO: check +CVE-2020-27992 + RESERVED CVE-2020-27991 RESERVED CVE-2020-27990 @@ -406,10 +424,10 @@ CVE-2021-0202 RESERVED CVE-2021-0201 RESERVED -CVE-2020-27887 - RESERVED -CVE-2020-27886 - RESERVED +CVE-2020-27887 (An issue was discovered in EyesOfNetwork 5.3 through 5.3-8. An authent ...) + TODO: check +CVE-2020-27886 (An issue was discovered in EyesOfNetwork eonweb 5.3-7 through 5.3-8. T ...) + TODO: check CVE-2020-27885 RESERVED CVE-2020-27884 @@ -686,14 +704,14 @@ CVE-2020-27749 RESERVED CVE-2020-27748 RESERVED -CVE-2020-27747 - RESERVED +CVE-2020-27747 (An issue was discovered in Click Studios Passwordstate 8.9 (Build 8973 ...) + TODO: check CVE-2020-27746 RESERVED CVE-2020-27745 RESERVED -CVE-2020-27744 - RESERVED +CVE-2020-27744 (An issue was discovered on Western Digital My Cloud NAS devices before ...) + TODO: check CVE-2020-27743 (libtac in pam_tacplus through 1.5.1 lacks a check for a failure of RAN ...) - libpam-tacplus (bug #973250) NOTE: https://github.com/kravietz/pam_tacplus/pull/163 
@@ -1265,28 +1283,28 @@ CVE-2020-27660 RESERVED CVE-2020-27659 RESERVED -CVE-2020-27658 - RESERVED -CVE-2020-27657 - RESERVED -CVE-2020-27656 - RESERVED -CVE-2020-27655 - RESERVED -CVE-2020-27654 - RESERVED -CVE-2020-27653 - RESERVED -CVE-2020-27652 - RESERVED -CVE-2020-27651 - RESERVED -CVE-2020-27650 - RESERVED -CVE-2020-27649 - RESERVED -CVE-2020-27648 - RESERVED +CVE-2020-27658 (Synology Router Manager (SRM) before 1.2.4-8081 does not include the H ...) + TODO: check +CVE-2020-27657 (Cleartext transmission of sensitive information vulnerability in DDNS ...) + TODO: check +CVE-2020-27656 (Cleartext transmission of sensitive information vulnerability in DDNS ...) + TODO: check +CVE-2020-27655 (Improper access control vulnerability in Synology Router Manager (SRM) ...) + TODO: check +CVE-2020-27654 (Improper access control vulnerability in lbd in Synology Router Manage ...) + TODO: check +CVE-2020-27653 (Algorithm downgrade vulnerability in QuickConnect in Synology Router M ...) + TODO: check +CVE-2020-27652 (Algorithm downgrade vulnerability in QuickConnect in Synology DiskStat ...) + TODO: check +CVE-2020-27651 (Synology Router Manager (SRM) before 1.2.4-8081 does not set the Secur ...) + TODO: check +CVE-2020-27650 (Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set t ...) + TODO: check +CVE-2020-27649 (Improper certificate validation vulnerability in OpenVPN client in Syn ...) + TODO: check +CVE-2020-27648 (Improper certificate validation vulnerability in OpenVPN client in Syn ...) + TODO: check CVE-2020-27647 RESERVED CVE-2020-27646 (Biscom Secure File Transfer (SFT) before 5.1.1082 and 6.x before 6.0.1 ...) 
@@ -2919,6 +2937,7 @@ CVE-2020-26872 CVE-2020-26871 RESERVED CVE-2020-26870 (Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs becaus ...) + {DLA-2419-1} - dompurify.js NOTE: https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/ NOTE: https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d62d @@ -5282,8 +5301,8 @@ CVE-2020-25791 (An issue was discovered in the sized-chunks crate through 0.6.2 - rust-sized-chunks (bug #970586) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0041.html NOTE: https://github.com/bodil/sized-chunks/issues/11 -CVE-2020-25780 - RESERVED +CVE-2020-25780 (In CommCell in Commvault before 14.68, 15.x before 15.58, 16.x before ...) + TODO: check CVE-2020-25779 (Trend Micro Antivirus for Mac 2020 (Consumer) has a vulnerability in w ...) NOT-FOR-US: Trend Micro CVE-2020-25778 (Trend Micro Antivirus for Mac 2020 (Consumer) has a vulnerability in a ...) @@ -5924,8 +5943,8 @@
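Review bot: the hunk at `@@ -2919,6 +2937,7 @@` adds `{DLA-2419-1}` to CVE-2020-26870, but DLA-2419-1 as reserved in data/DLA/list covers both CVE-2019-16728 and CVE-2020-26870. The CVE-2019-16728 entry is not shown in this excerpt (the mail is cut off at the `@@ -5924,8 +5943,8 @@` header), so check that it also received the `{DLA-2419-1}` reference; otherwise the stretch status for that CVE will still read as unfixed after its `[stretch] - dompurify.js (Minor issue)` line was removed in the earlier commit.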
[Git][security-tracker-team/security-tracker][master] various bugs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 91e443d5 by Moritz Mühlenhoff at 2020-10-29T19:52:21+01:00 various bugs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -698,13 +698,13 @@ CVE-2020-27743 (libtac in pam_tacplus through 1.5.1 lacks a check for a failure - libpam-tacplus (bug #973250) NOTE: https://github.com/kravietz/pam_tacplus/pull/163 CVE-2020-27742 (An Insecure Direct Object Reference vulnerability in Citadel WebCit th ...) - - webcit + - webcit (bug #973385) CVE-2020-27741 (Multiple cross-site scripting (XSS) vulnerabilities in Citadel WebCit ...) - - webcit + - webcit (bug #973385) CVE-2020-27740 (Citadel WebCit through 926 allows unauthenticated remote attackers to ...) - - webcit + - webcit (bug #973385) CVE-2020-27739 (A Weak Session Management vulnerability in Citadel WebCit through 926 ...) - - webcit + - webcit (bug #973385) CVE-2020-27738 RESERVED CVE-2020-27737 @@ -20855,10 +20855,10 @@ CVE-2020-18187 CVE-2020-18186 RESERVED CVE-2020-18185 (class.plx.admin.php in PluXml 5.7 allows attackers to execute arbitrar ...) - - pluxml + - pluxml (bug #973382) NOTE: https://github.com/pluxml/PluXml/issues/321 CVE-2020-18184 (In PluxXml V5.7,the theme edit function /PluXml/core/admin/parametres_ ...) - - pluxml + - pluxml (bug #973382) NOTE: https://github.com/pluxml/PluXml/issues/320 CVE-2020-18183 RESERVED 
@@ -52570,19 +52570,19 @@ CVE-2020-6110 (An exploitable partial path traversal vulnerability exists in the CVE-2020-6109 (An exploitable path traversal vulnerability exists in the Zoom client, ...) NOT-FOR-US: Zoom CVE-2020-6108 (An exploitable code execution vulnerability exists in the fsck_chk_orp ...) - - f2fs-tools + - f2fs-tools (bug #973380) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1050 CVE-2020-6107 (An exploitable information disclosure vulnerability exists in the dev_ ...) - - f2fs-tools + - f2fs-tools (bug #973380) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1049 CVE-2020-6106 (An exploitable information disclosure vulnerability exists in the init ...) - - f2fs-tools + - f2fs-tools (bug #973380) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1048 CVE-2020-6105 (An exploitable code execution vulnerability exists in the multiple dev ...) - - f2fs-tools + - f2fs-tools (bug #973380) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1047 CVE-2020-6104 (An exploitable information disclosure vulnerability exists in the get_ ...) - - f2fs-tools + - f2fs-tools (bug #973380) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1046 CVE-2020-6103 (An exploitable code execution vulnerability exists in the Shader funct ...) NOT-FOR-US: AMD Radeon DirectX 11 Driver atidxx64.dll @@ -54101,7 +54101,7 @@ CVE-2020-5423 CVE-2020-5422 (BOSH System Metrics Server releases prior to 0.1.0 exposed the UAA pas ...) NOT-FOR-US: BOSH System Metrics Server CVE-2020-5421 (In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5. ...) - - libspring-java + - libspring-java (bug #973381) [buster] - libspring-java (Minor issue) [stretch] - libspring-java (Minor issue) NOTE: https://tanzu.vmware.com/security/cve-2020-5421 
@@ -93816,7 +93816,7 @@ CVE-2019-11029 (Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the D CVE-2019-11028 (GAT-Ship Web Module before 1.40 suffers from a vulnerability allowing ...) NOT-FOR-US: GAT-Ship Web Module CVE-2015-9284 (The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vuln ...) - - ruby-omniauth + - ruby-omniauth (bug #973384) [buster] - ruby-omniauth (Minor issue) [stretch] - ruby-omniauth (Minor issue) [jessie] - ruby-omniauth (Fix is in additional gem and needs CSRF protection in apps) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91e443d5b9629243e306928b6bd820e17e9e1bde -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91e443d5b9629243e306928b6bd820e17e9e1bde You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2419-1 for dompurify.js
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 40a2d6c0 by Thorsten Alteholz at 2020-10-29T17:01:23+01:00 Reserve DLA-2419-1 for dompurify.js - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Oct 2020] DLA-2419-1 dompurify.js - security update + {CVE-2019-16728 CVE-2020-26870} + [stretch] - dompurify.js 0.8.2~dfsg1-1+deb9u1 [29 Oct 2020] DLA-2418-1 libsndfile - security update {CVE-2017-6892 CVE-2017-14245 CVE-2017-14246 CVE-2017-14634 CVE-2018-19661 CVE-2018-19662 CVE-2018-19758 CVE-2019-3832} [stretch] - libsndfile 1.0.27-3+deb9u1 = data/dla-needed.txt = @@ -61,9 +61,6 @@ condor NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto) NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto) -- -dompurify.js (Thorsten Alteholz) - NOTE: 20201013: Package only in stretch - needs investigation to identify patch. (lamby) --- f2fs-tools NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial to NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. (sunweaver) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/40a2d6c0280da5a0b4a5f3900142b17073a0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/40a2d6c0280da5a0b4a5f3900142b17073a0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 4 commits: add link for fix of CVE-2020-26870
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 2841d98f by Thorsten Alteholz at 2020-10-29T16:16:41+01:00 add link for fix of CVE-2020-26870 - - - - - f237bbbc by Thorsten Alteholz at 2020-10-29T16:17:53+01:00 this CVE-2019-16728 will be fixed with next upload - - - - - c2935a5c by Thorsten Alteholz at 2020-10-29T16:21:21+01:00 consistently fix libsndfile CVEs in all suites - - - - - f5dc715a by Thorsten Alteholz at 2020-10-29T16:53:30+01:00 Reserve DLA-2418-1 for libsndfile - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -2921,6 +2921,7 @@ CVE-2020-26871 CVE-2020-26870 (Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs becaus ...) - dompurify.js NOTE: https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/ + NOTE: https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d62d CVE-2020-26869 (An information exposure vulnerability exists in PcVue 12, allowing a n ...) NOT-FOR-US: PcVue CVE-2020-26868 (A Denial Of Service vulnerability exists in PcVue from version 8.10 on ...) @@ -75432,7 +75433,6 @@ CVE-2019-16730 (processCommandUpgrade() in libcommon.so in Petwant PF-103 firmwa NOT-FOR-US: Petwant PF-103 and Petalk AI CVE-2019-16728 (DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (m ...) - dompurify.js - [stretch] - dompurify.js (Minor issue) NOTE: https://research.securitum.com/dompurify-bypass-using-mxss/ CVE-2019-16746 (An issue was discovered in net/wireless/nl80211.c in the Linux kernel ...) {DLA-2114-1 DLA-2068-1} 
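Review bot: the first hunk adds the upstream fix commit for CVE-2020-26870 as a NOTE, but the second hunk, which drops `[stretch] - dompurify.js (Minor issue)` for CVE-2019-16728 so that the DLA covers it, leaves that entry with only the securitum write-up as a reference and no fix commit. Since the dla-needed.txt note for dompurify.js on this page says the package "needs investigation to identify patch", a NOTE pointing at the upstream fix for CVE-2019-16728 would document which change the stretch backport carries.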
@@ -113445,7 +113445,6 @@ CVE-2019-3833 (Openwsman, versions up to and including 2.6.9, are vulnerable to CVE-2019-3832 (It was discovered the fix for CVE-2018-19758 (libsndfile) was not comp ...) {DLA-1712-1} - libsndfile 1.0.28-6 (bug #922372) - [stretch] - libsndfile (Incomplete fix for CVE-2018-19758 not applied) NOTE: https://github.com/erikd/libsndfile/issues/456#issuecomment-463542436 NOTE: https://github.com/erikd/libsndfile/pull/460 NOTE: https://github.com/erikd/libsndfile/commit/6d7ce94c020cc720a6b28719d1a7879181790008 @@ -121382,7 +121381,6 @@ CVE-2018-19759 (There is a heap-based buffer over-read at stb_image_write.h (fun CVE-2018-19758 (There is a heap-based buffer over-read at wav.c in wav_write_header in ...) {DLA-1632-1} - libsndfile 1.0.28-5 (bug #917416) - [stretch] - libsndfile (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1643812 NOTE: https://github.com/erikd/libsndfile/issues/435 NOTE: https://github.com/erikd/libsndfile/commit/42132c543358cee9f7c3e9e9b15bb6c1063a608e @@ -121611,14 +121609,12 @@ CVE-2018-19663 CVE-2018-19662 (An issue was discovered in libsndfile 1.0.28. There is a buffer over-r ...) {DLA-1618-1} - libsndfile 1.0.28-5 (low) - [stretch] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/429 NOTE: https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f NOTE: similar to CVE-2017-17456/CVE-2017-17457 (but not duplicate) CVE-2018-19661 (An issue was discovered in libsndfile 1.0.28. There is a buffer over-r ...) {DLA-1618-1} - libsndfile 1.0.28-5 (low) - [stretch] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/429 NOTE: https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f NOTE: similar to CVE-2017-17456/CVE-2017-17457 (but not duplicate) 
@@ -187408,7 +187404,6 @@ CVE-2017-14650 (A Remote Code Execution vulnerability has been found in the Hord CVE-2017-14634 (In libsndfile 1.0.28, a divide-by-zero error exists in the function do ...) {DLA-1618-1} - libsndfile 1.0.28-5 (bug #876783) - [stretch] - libsndfile (Minor issue) [wheezy] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/318 NOTE: Fixed by: https://github.com/erikd/libsndfile/commit/85c877d5072866aadbe8ed0c3e0590fbb5e16788 @@ -188557,14 +188552,12 @@ CVE-2017-14247 (SQL Injection exists in the EyesOfNetwork web interface (aka eon CVE-2017-14246 (An out of bounds read in the function d2ulaw_array() in ulaw.c of libs ...) {DLA-1618-1} - libsndfile 1.0.28-5 (low; bug #876682) - [stretch] - libsndfile (Minor issue) [wheezy] - libsndfile (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/317 NOTE: https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f CVE-2017-14245 (An out of bounds read in the function d2alaw_array() in alaw.c of libs ...) {DLA-1618-1}
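Review bot: the commit titled "consistently fix libsndfile CVEs in all suites" removes the `[stretch] - libsndfile (Minor issue)` lines, but the hunks for CVE-2017-14634 and CVE-2017-14246 keep `[wheezy] - libsndfile (Minor issue)` unchanged. If wheezy is out of scope for DLA-2418-1 that is fine, but then the title overstates the change; otherwise the wheezy lines need the same treatment so the entries stay consistent with the DLA.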
[Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ac158ec0 by Moritz Muehlenhoff at 2020-10-29T12:53:47+01:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25,7 +25,7 @@ CVE-2020-27980 (Genexis Platinum-4410 P4410-V2-1.28 devices allow stored XSS in CVE-2020-27979 RESERVED CVE-2020-27978 (Shibboleth Identify Provider 3.x before 3.4.6 has a denial of service ...) - TODO: check + NOT-FOR-US: Shibboleth Identify Provider (Debian only packages the SP) CVE-2020-27977 RESERVED CVE-2020-27976 (osCommerce Phoenix CE before 1.0.5.4 allows OS command injection remot ...) @@ -70951,7 +70951,6 @@ CVE-2020-0306 (In LLVM, there is a possible ineffective stack cookie placement d - llvm-toolchain-10 - llvm-toolchain-9 - llvm-toolchain-8 - TODO: get some proper references CVE-2020-0305 (In cdev_get of char_dev.c, there is a possible use-after-free due to a ...) - linux 5.4.13-1 [buster] - linux 4.19.98-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac158ec0242194c38ac6337d99f3af702ffe63df -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac158ec0242194c38ac6337d99f3af702ffe63df You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
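Review bot: the new `NOT-FOR-US: Shibboleth Identify Provider (Debian only packages the SP)` line for CVE-2020-27978 copies the "Identify" typo from the CVE description; the product is the Shibboleth Identity Provider, so write `NOT-FOR-US: Shibboleth Identity Provider (Debian only packages the SP)` so the annotation is found when someone greps the list for the real product name.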
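Review bot: the `@@ -70951,7 +70951,6 @@` hunk removes `TODO: get some proper references` from the CVE-2020-0306 llvm-toolchain entry without adding a `NOTE:` line in its place, so the entry loses its reminder while still carrying no upstream reference; either keep the TODO or add a `NOTE:` with the upstream report or fix commit before dropping it.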
[Git][security-tracker-team/security-tracker][master] new webcit issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0491ffba by Moritz Muehlenhoff at 2020-10-29T12:02:47+01:00 new webcit issues NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19,7 +19,7 @@ CVE-2020-27983 CVE-2020-27982 RESERVED CVE-2020-27981 (An XSS vulnerability in the auto-complete function of the description ...) - TODO: check + NOT-FOR-US: Firefly III CVE-2020-27980 (Genexis Platinum-4410 P4410-V2-1.28 devices allow stored XSS in the WL ...) NOT-FOR-US: Genexis Platinum-4410 P4410-V2-1.28 devices CVE-2020-27979 @@ -698,13 +698,13 @@ CVE-2020-27743 (libtac in pam_tacplus through 1.5.1 lacks a check for a failure - libpam-tacplus (bug #973250) NOTE: https://github.com/kravietz/pam_tacplus/pull/163 CVE-2020-27742 (An Insecure Direct Object Reference vulnerability in Citadel WebCit th ...) - TODO: check + - webcit CVE-2020-27741 (Multiple cross-site scripting (XSS) vulnerabilities in Citadel WebCit ...) - TODO: check + - webcit CVE-2020-27740 (Citadel WebCit through 926 allows unauthenticated remote attackers to ...) - TODO: check + - webcit CVE-2020-27739 (A Weak Session Management vulnerability in Citadel WebCit through 926 ...) - TODO: check + - webcit CVE-2020-27738 RESERVED CVE-2020-27737 
@@ -7673,19 +7673,19 @@ CVE-2020-24715 (The Scalyr Agent before 2.1.10 has Missing SSL Certificate Valid CVE-2020-24714 (The Scalyr Agent before 2.1.10 has Missing SSL Certificate Validation ...) NOT-FOR-US: Scalyr CVE-2020-24713 (Gophish through 0.10.1 does not invalidate the gophish cookie upon log ...) - TODO: check + NOT-FOR-US: Gophish CVE-2020-24712 (Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via ...) - TODO: check + NOT-FOR-US: Gophish CVE-2020-24711 (The Reset button on the Account Settings page in Gophish before 0.11.0 ...) - TODO: check + NOT-FOR-US: Gophish CVE-2020-24710 (Gophish before 0.11.0 allows SSRF attacks. ...) - TODO: check + NOT-FOR-US: Gophish CVE-2020-24709 (Cross Site Scripting (XSS) vulnerability in Gophish through 0.10.1 via ...) - TODO: check + NOT-FOR-US: Gophish CVE-2020-24708 (Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via ...) - TODO: check + NOT-FOR-US: Gophish CVE-2020-24707 (Gophish before 0.11.0 allows the creation of CSV sheets that contain m ...) - TODO: check + NOT-FOR-US: Gophish CVE-2020-24706 (An issue was discovered in certain WSO2 products. The Try It tool allo ...) NOT-FOR-US: WSO2 CVE-2020-24705 (An issue was discovered in certain WSO2 products. A valid Carbon Manag ...) 
@@ -48368,13 +48368,13 @@ CVE-2020-7757 CVE-2020-7756 RESERVED CVE-2020-7755 (All versions of package dat.gui are vulnerable to Regular Expression D ...) - TODO: check + NOT-FOR-US: dat.GUI CVE-2020-7754 (This affects the package npm-user-validate before 1.0.1. The regex tha ...) - TODO: check + NOT-FOR-US: npm-user-validate CVE-2020-7753 (All versions of package trim are vulnerable to Regular Expression Deni ...) - TODO: check + NOT-FOR-US: Node trim CVE-2020-7752 (This affects the package systeminformation before 4.27.11. This packag ...) - TODO: check + NOT-FOR-US: Node systeminformation CVE-2020-7751 (This affects all versions of package pathval. ...) - node-pathval 1.1.0-4 (bug #972895) [buster] - node-pathval (Minor issue) @@ -55129,9 +55129,9 @@ CVE-2020-5147 CVE-2020-5146 RESERVED CVE-2020-5145 (SonicWall Global VPN client version 4.10.4.0314 and earlier have an in ...) - TODO: check + NOT-FOR-US: SonicWall CVE-2020-5144 (SonicWall Global VPN client version 4.10.4.0314 and earlier allows unp ...) - TODO: check + NOT-FOR-US: SonicWall CVE-2020-5143 (SonicOS SSLVPN login page allows a remote unauthenticated attacker to ...) NOT-FOR-US: SonicOS SSLVPN CVE-2020-5142 (A stored cross-site scripting (XSS) vulnerability exists in the SonicO ...) @@ -100966,29 +100966,29 @@ CVE-2019-8860 CVE-2019-8859 RESERVED CVE-2019-8858 (A logic issue was addressed with improved state management. This issue ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-8857 (The issue was addressed with improved validation when an iCloud Link i ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-8856 (An API issue existed in the handling of outgoing phone calls initiated ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-8855 (An access issue was addressed with additional sandbox restrictions. Th ...) - TODO: check + NOT-FOR-US: Apple CVE-2019-8854 (A user privacy issue was addressed by
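Review bot: in the `@@ -698,13 +698,13 @@` hunk, the four Citadel WebCit entries (CVE-2020-27742 through CVE-2020-27739) move from `TODO: check` to a bare `- webcit` with no Debian bug reference and no `NOTE:` line, while the neighbouring libpam-tacplus entry shows the usual shape with `(bug #973250)` and a pull-request NOTE; add the upstream advisory or fix reference for WebCit and, once filed, the bug number, otherwise the unfixed-in-unstable state has nothing actionable attached to it.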
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-14383/samba
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bcb9f300 by Salvatore Bonaccorso at 2020-10-29T10:19:42+01:00 Add CVE-2020-14383/samba - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29813,8 +29813,10 @@ CVE-2020-14385 (A flaw was found in the Linux kernel before 5.9-rc4. A failure o NOTE: https://git.kernel.org/linus/f4020438fab05364018c91f7e02ebdd192085933 CVE-2020-14384 (A flaw was found in JBossWeb in versions before 7.5.31.Final-redhat-3. ...) NOT-FOR-US: JBossWeb -CVE-2020-14383 +CVE-2020-14383 [An authenticated user can crash the DCE/RPC DNS with easily crafted records] RESERVED + - samba + NOTE: https://www.samba.org/samba/security/CVE-2020-14383.html CVE-2020-14382 (A vulnerability was found in upstream release cryptsetup-2.2.0 where, ...) - cryptsetup 2:2.3.4-1 (bug #969471) [buster] - cryptsetup (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bcb9f3002ce094045e09d671dec398a6fed56a68 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bcb9f3002ce094045e09d671dec398a6fed56a68 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-14323/samba
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 990ca44c by Salvatore Bonaccorso at 2020-10-29T10:18:12+01:00 Add CVE-2020-14323/samba - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30082,8 +30082,10 @@ CVE-2020-14325 (Red Hat CloudForms before 5.11.7.0 was vulnerable to the User Im NOT-FOR-US: Red Hat CloudForm CVE-2020-14324 (A high severity vulnerability was found in all active versions of Red ...) NOT-FOR-US: Red Hat CloudForm -CVE-2020-14323 +CVE-2020-14323 [Unprivileged user can crash winbind] RESERVED + - samba + NOTE: https://www.samba.org/samba/security/CVE-2020-14323.html CVE-2020-14322 RESERVED CVE-2020-14321 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/990ca44c10629bfd8f6e45987f74a726ad6cdee5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/990ca44c10629bfd8f6e45987f74a726ad6cdee5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-14318/samba
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ba12a1d1 by Salvatore Bonaccorso at 2020-10-29T10:17:00+01:00 Add CVE-2020-14318/samba - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30092,8 +30092,10 @@ CVE-2020-14320 RESERVED CVE-2020-14319 (It was found that the AMQ Online console is vulnerable to a Cross-Site ...) NOT-FOR-US: AMQ Online -CVE-2020-14318 +CVE-2020-14318 [Missing handle permissions check in SMB1/2/3 ChangeNotify] RESERVED + - samba + NOTE: https://www.samba.org/samba/security/CVE-2020-14318.html CVE-2020-14317 RESERVED - wildfly (bug #752018) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba12a1d152a3a370f6b74b6e667c3918182f641c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba12a1d152a3a370f6b74b6e667c3918182f641c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2020-14355/spice fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7a31976f by Salvatore Bonaccorso at 2020-10-29T09:36:10+01:00 CVE-2020-14355/spice fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29932,7 +29932,7 @@ CVE-2020-14356 (A flaw null pointer dereference in the Linux kernel cgroupv2 sub NOTE: Fixed by: https://git.kernel.org/linus/ad0f75e5f57ccbceec13274e1e242f2b5a6397ed CVE-2020-14355 (Multiple buffer overflow vulnerabilities were found in the QUIC image ...) {DSA-4771-1} - - spice (bug #971750) + - spice 0.14.3-2 (bug #971750) - spice-gtk (bug #971751) [buster] - spice-gtk (Minor issue) NOTE: https://gitlab.freedesktop.org/spice/spice-common/-/commit/762e0abae36033ccde658fd52d3235887b60862d View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a31976fcb847b3cc5ae04732bf1ac7e729d1398 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a31976fcb847b3cc5ae04732bf1ac7e729d1398 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some new NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dbe594f7 by Salvatore Bonaccorso at 2020-10-29T09:13:58+01:00 Process some new NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,7 +9,7 @@ CVE-2020-27988 CVE-2020-27987 RESERVED CVE-2020-27986 (** DISPUTED ** SonarQube 8.4.2.36762 allows remote attackers to discov ...) - TODO: check + NOT-FOR-US: SonarQube CVE-2020-27985 RESERVED CVE-2020-27984 @@ -6211,7 +6211,7 @@ CVE-2020-25376 CVE-2020-25375 (Wordpress Plugin Store / SoftradeWeb SNC WP SMART CRM V1.8.7 is affect ...) NOT-FOR-US: Wordpress Plugin Store / SoftradeWeb SNC WP SMART CRM CVE-2020-25374 (CyberArk Privileged Session Manager (PSM) 10.9.0.15 allows attackers t ...) - TODO: check + NOT-FOR-US: CyberArk Privileged Session Manager (PSM) CVE-2020-25373 RESERVED CVE-2020-25372 @@ -38063,9 +38063,9 @@ CVE-2020-11618 (THOMSON THT741FTA 2.2.1 and Philips DTR3502BFTA DVB-T2 2.2.1 set CVE-2020-11617 (The RSS application on THOMSON THT741FTA 2.2.1 and Philips DTR3502BFTA ...) NOT-FOR-US: THOMSON CVE-2020-11616 (NVIDIA DGX servers, all BMC firmware versions prior to 3.38.30, contai ...) - TODO: check + NOT-FOR-US: NVIDIA DGX servers CVE-2020-11615 (NVIDIA DGX servers, all BMC firmware versions prior to 3.38.30, contai ...) - TODO: check + NOT-FOR-US: NVIDIA DGX servers CVE-2020-11614 (Mids' Reborn Hero Designer 2.6.0.7 downloads the update manifest, as w ...) NOT-FOR-US: Mids' Reborn Hero Designer CVE-2020-11613 (Mids' Reborn Hero Designer 2.6.0.7 has an elevation of privilege vulne ...) 
@@ -38660,19 +38660,19 @@ CVE-2020-11491 (Monitoring::Logs in Zen Load Balancer 3.10.1 allows remote authe CVE-2020-11490 (Manage::Certificates in Zen Load Balancer 3.10.1 allows remote authent ...) NOT-FOR-US: Zen Load Balancer CVE-2020-11489 (NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38 ...) - TODO: check + NOT-FOR-US: NVIDIA DGX servers CVE-2020-11488 (NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38 ...) - TODO: check + NOT-FOR-US: NVIDIA DGX servers CVE-2020-11487 (NVIDIA DGX servers, DGX-1 with BMC firmware versions prior to 3.38.30. ...) - TODO: check + NOT-FOR-US: NVIDIA DGX servers CVE-2020-11486 (NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38 ...) - TODO: check + NOT-FOR-US: NVIDIA DGX servers CVE-2020-11485 (NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38 ...) - TODO: check + NOT-FOR-US: NVIDIA DGX servers CVE-2020-11484 (NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38 ...) - TODO: check + NOT-FOR-US: NVIDIA DGX servers CVE-2020-11483 (NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38 ...) - TODO: check + NOT-FOR-US: NVIDIA DGX servers CVE-2019-20635 (codeBeamer before 9.5.0-RC3 does not properly restrict the ability to ...) NOT-FOR-US: codeBeamer CVE-2020-11501 (GnuTLS 3.6.x before 3.6.13 uses incorrect cryptography for DTLS. The e ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dbe594f70be03f025beb6975e011185805a51034 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dbe594f70be03f025beb6975e011185805a51034 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2bbcdc91 by security tracker role at 2020-10-29T08:10:14+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,25 @@ +CVE-2020-27991 + RESERVED +CVE-2020-27990 + RESERVED +CVE-2020-27989 + RESERVED +CVE-2020-27988 + RESERVED +CVE-2020-27987 + RESERVED +CVE-2020-27986 (** DISPUTED ** SonarQube 8.4.2.36762 allows remote attackers to discov ...) + TODO: check +CVE-2020-27985 + RESERVED +CVE-2020-27984 + RESERVED +CVE-2020-27983 + RESERVED +CVE-2020-27982 + RESERVED +CVE-2020-27981 (An XSS vulnerability in the auto-complete function of the description ...) + TODO: check CVE-2020-27980 (Genexis Platinum-4410 P4410-V2-1.28 devices allow stored XSS in the WL ...) NOT-FOR-US: Genexis Platinum-4410 P4410-V2-1.28 devices CVE-2020-27979 @@ -6188,8 +6210,8 @@ CVE-2020-25376 RESERVED CVE-2020-25375 (Wordpress Plugin Store / SoftradeWeb SNC WP SMART CRM V1.8.7 is affect ...) NOT-FOR-US: Wordpress Plugin Store / SoftradeWeb SNC WP SMART CRM -CVE-2020-25374 - RESERVED +CVE-2020-25374 (CyberArk Privileged Session Manager (PSM) 10.9.0.15 allows attackers t ...) + TODO: check CVE-2020-25373 RESERVED CVE-2020-25372 
@@ -7650,20 +7672,20 @@ CVE-2020-24715 (The Scalyr Agent before 2.1.10 has Missing SSL Certificate Valid NOT-FOR-US: Scalyr CVE-2020-24714 (The Scalyr Agent before 2.1.10 has Missing SSL Certificate Validation ...) NOT-FOR-US: Scalyr -CVE-2020-24713 - RESERVED -CVE-2020-24712 - RESERVED -CVE-2020-24711 - RESERVED -CVE-2020-24710 - RESERVED -CVE-2020-24709 - RESERVED -CVE-2020-24708 - RESERVED -CVE-2020-24707 - RESERVED +CVE-2020-24713 (Gophish through 0.10.1 does not invalidate the gophish cookie upon log ...) + TODO: check +CVE-2020-24712 (Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via ...) + TODO: check +CVE-2020-24711 (The Reset button on the Account Settings page in Gophish before 0.11.0 ...) + TODO: check +CVE-2020-24710 (Gophish before 0.11.0 allows SSRF attacks. ...) + TODO: check +CVE-2020-24709 (Cross Site Scripting (XSS) vulnerability in Gophish through 0.10.1 via ...) + TODO: check +CVE-2020-24708 (Cross Site Scripting (XSS) vulnerability in Gophish before 0.11.0 via ...) + TODO: check +CVE-2020-24707 (Gophish before 0.11.0 allows the creation of CSV sheets that contain m ...) + TODO: check CVE-2020-24706 (An issue was discovered in certain WSO2 products. The Try It tool allo ...) NOT-FOR-US: WSO2 CVE-2020-24705 (An issue was discovered in certain WSO2 products. A valid Carbon Manag ...) @@ -37123,7 +37145,7 @@ CVE-2020-11855 (An Authorization Bypass vulnerability on Micro Focus Operation B NOT-FOR-US: Micro Focus CVE-2020-11854 (Arbitrary code execution vlnerability in Operation bridge Manager, App ...) NOT-FOR-US: Micro Focus -CVE-2020-11853 (An arbitrary code execution vulnerability exists in Micro Focus Operat ...) +CVE-2020-11853 (Arbitrary code execution vulnerability affecting multiple Micro Focus ...) NOT-FOR-US: Micro Focus CVE-2020-11852 (DKIM key management page vulnerability on Micro Focus Secure Messaging ...) NOT-FOR-US: Micro Focus 
@@ -38040,10 +38062,10 @@ CVE-2020-11618 (THOMSON THT741FTA 2.2.1 and Philips DTR3502BFTA DVB-T2 2.2.1 set NOT-FOR-US: THOMSON CVE-2020-11617 (The RSS application on THOMSON THT741FTA 2.2.1 and Philips DTR3502BFTA ...) NOT-FOR-US: THOMSON -CVE-2020-11616 - RESERVED -CVE-2020-11615 - RESERVED +CVE-2020-11616 (NVIDIA DGX servers, all BMC firmware versions prior to 3.38.30, contai ...) + TODO: check +CVE-2020-11615 (NVIDIA DGX servers, all BMC firmware versions prior to 3.38.30, contai ...) + TODO: check CVE-2020-11614 (Mids' Reborn Hero Designer 2.6.0.7 downloads the update manifest, as w ...) NOT-FOR-US: Mids' Reborn Hero Designer CVE-2020-11613 (Mids' Reborn Hero Designer 2.6.0.7 has an elevation of privilege vulne ...) @@ -38637,20 +38659,20 @@ CVE-2020-11491 (Monitoring::Logs in Zen Load Balancer 3.10.1 allows remote authe NOT-FOR-US: Zen Load Balancer CVE-2020-11490 (Manage::Certificates in Zen Load Balancer 3.10.1 allows remote authent ...) NOT-FOR-US: Zen Load Balancer -CVE-2020-11489 - RESERVED -CVE-2020-11488 - RESERVED -CVE-2020-11487 - RESERVED -CVE-2020-11486 - RESERVED -CVE-2020-11485 - RESERVED -CVE-2020-11484 - RESERVED -CVE-2020-11483 - RESERVED +CVE-2020-11489 (NVIDIA DGX servers, all DGX-1 with BMC firmware versions prior to 3.38 ...) + TODO: check +CVE-2020-11488 (NVIDIA DGX servers, all
[Git][security-tracker-team/security-tracker][master] Track proposed fix for libdbi-perl via buster-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: acbfc2e5 by Salvatore Bonaccorso at 2020-10-29T08:17:56+01:00 Track proposed fix for libdbi-perl via buster-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -82,3 +82,5 @@ CVE-2020-15256 [buster] - node-object-path 0.11.4-2+deb10u1 CVE-2020-7751 [buster] - node-pathval 1.1.0-3+deb10u1 +CVE-2014-10402 + [buster] - libdbi-perl 1.642-1+deb10u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/acbfc2e5a83a4d6371d52dedbbc21f0e681ed93d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/acbfc2e5a83a4d6371d52dedbbc21f0e681ed93d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits