[Git][security-tracker-team/security-tracker][master] Add CVE-2021-23926/xmlbeans
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bfc6014d by Salvatore Bonaccorso at 2021-01-14T06:57:47+01:00 Add CVE-2021-23926/xmlbeans - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -171,8 +171,10 @@ CVE-2021-23928 (OX App Suite through 7.10.3 allows XSS via the ajax/apps/manifes NOT-FOR-US: OX App Suite CVE-2021-23927 (OX App Suite through 7.10.4 allows SSRF via a URL with an @ character ...) NOT-FOR-US: OX App Suite -CVE-2021-23926 +CVE-2021-23926 [XML Entity Expansion] RESERVED +- xmlbeans 3.0.2-1 + NOTE: https://issues.apache.org/jira/browse/XMLBEANS-517 CVE-2021-23925 RESERVED CVE-2021-23924 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfc6014da04dd5dfb79c67c51b6b89ae92ffedc1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfc6014da04dd5dfb79c67c51b6b89ae92ffedc1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
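Review bot: the new package line "+- xmlbeans 3.0.2-1" has no leading whitespace, while the NOTE line added right after it in the same hunk ("+ NOTE: https://issues.apache.org/...") is indented; the tracker expects package and NOTE lines indented under their CVE, so verify this is a tab-indented "- xmlbeans 3.0.2-1" before the file's syntax check trips over it. The entry also records only the unstable fixed version: there is no Debian bug reference and no [buster] line, so the status of the xmlbeans version in the stable suite is still undecided.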
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-27827/lldpd
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bf4c2afb by Salvatore Bonaccorso at 2021-01-14T06:40:38+01:00 Add CVE-2020-27827/lldpd - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19410,8 +19410,11 @@ CVE-2020-27828 (There's a flaw in jasper's jpc encoder in versions prior to 2.0. - jasper NOTE: https://github.com/jasper-software/jasper/issues/252 NOTE: https://github.com/jasper-software/jasper/pull/253 -CVE-2020-27827 +CVE-2020-27827 [lldp: avoid memory leak from bad packets] RESERVED + - lldpd 1.0.8-1 + NOTE: https://github.com/openvswitch/ovs/pull/337 + NOTE: https://github.com/lldpd/lldpd/commit/a8d3c90feca548fc0656d95b5d278713db86ff61 CVE-2020-27826 RESERVED NOT-FOR-US: Keycloak View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf4c2afb25945f90de3a30b335077708978d1cb2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf4c2afb25945f90de3a30b335077708978d1cb2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
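Review bot: the first NOTE points at an openvswitch pull request (openvswitch/ovs/pull/337) for an lldpd CVE, and the hunk gives no hint why; a few words on the relevance (for example that the issue was reported or first fixed there) would spare the next triager a detour, since the lldpd commit on the second NOTE line is the actual fix. The package line records 1.0.8-1 as fixed but there is no [buster] annotation, so whether buster's lldpd needs a DSA, a no-dsa or a not-affected marker is left open by this entry.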
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2020-26298/ruby-redcarpet via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3dccd012 by Salvatore Bonaccorso at 2021-01-13T23:01:46+01:00 Add fixed version for CVE-2020-26298/ruby-redcarpet via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23423,7 +23423,7 @@ CVE-2020-26300 CVE-2020-26299 RESERVED CVE-2020-26298 (Redcarpet is a Ruby library for Markdown processing. In Redcarpet befo ...) - - ruby-redcarpet (bug #980057) + - ruby-redcarpet 3.5.1-1 (bug #980057) NOTE: https://github.com/advisories/GHSA-q3wr-qw3g-3p4h NOTE: https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793 CVE-2020-26297 (mdBook is a utility to create modern online books from Markdown files ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3dccd012396b2bbf7db0e989e64f76a667383c7c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3dccd012396b2bbf7db0e989e64f76a667383c7c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Wrap note for CVE-2020-24027
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a85a9a07 by Salvatore Bonaccorso at 2021-01-13T22:51:13+01:00 Wrap note for CVE-2020-24027 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28709,7 +28709,8 @@ CVE-2020-24028 (ForLogic Qualiex v1 and v3 allows any authenticated customer to CVE-2020-24027 (In Live Networks, Inc., liblivemedia version 20200625, there is a pote ...) - liblivemedia NOTE: http://lists.live555.com/pipermail/live-devel/2020-July/021662.html - NOTE: Fixed in 2020.07.09 upstream (http://www.live555.com/liveMedia/public/changelog.txt) + NOTE: Fixed in 2020.07.09 upstream, cf. + NOTE: http://www.live555.com/liveMedia/public/changelog.txt CVE-2020-24026 RESERVED CVE-2020-24025 (Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when r ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a85a9a074518cb6071dbdac7e56f34d1e82b0074 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a85a9a074518cb6071dbdac7e56f34d1e82b0074 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-24027/liblivemedia
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 620ddedf by Salvatore Bonaccorso at 2021-01-13T21:40:50+01:00 Add CVE-2020-24027/liblivemedia - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28707,7 +28707,9 @@ CVE-2020-24029 (Because of unauthenticated password changes in ForLogic Qualiex CVE-2020-24028 (ForLogic Qualiex v1 and v3 allows any authenticated customer to achiev ...) NOT-FOR-US: ForLogic Qualiex CVE-2020-24027 (In Live Networks, Inc., liblivemedia version 20200625, there is a pote ...) - TODO: check + - liblivemedia + NOTE: http://lists.live555.com/pipermail/live-devel/2020-July/021662.html + NOTE: Fixed in 2020.07.09 upstream (http://www.live555.com/liveMedia/public/changelog.txt) CVE-2020-24026 RESERVED CVE-2020-24025 (Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when r ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/620ddedfd9d5a674944d6d2cc170293e5c074316 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/620ddedfd9d5a674944d6d2cc170293e5c074316 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
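Review bot: the package line "- liblivemedia" carries no fixed version even though the second NOTE states that upstream fixed the issue in 2020.07.09; check whether the liblivemedia version in unstable is at or above that upstream release and record it, otherwise the entry reads as unfixed in every suite. The second NOTE also packs a sentence and a URL into one line, whereas the first NOTE in the same hunk is a bare URL; splitting it into one NOTE for the sentence and one for the URL keeps the list greppable.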
[Git][security-tracker-team/security-tracker][master] Process several NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 89c54df1 by Salvatore Bonaccorso at 2021-01-13T21:34:15+01:00 Process several NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -194,7 +194,7 @@ CVE-2021-3133 (The Elementor Contact Form DB plugin before 1.6 for WordPress all CVE-2021-3132 RESERVED CVE-2021-3131 (The Web server in 1C:Enterprise 8 before 8.3.17.1851 sends base64 enco ...) - TODO: check + NOT-FOR-US: 1C:Enterprise CVE-2021-3130 RESERVED CVE-2021-3129 (Ignition before 2.5.2, as used in Laravel and other products, allows u ...) @@ -1771,9 +1771,9 @@ CVE-2021-3034 CVE-2021-3033 RESERVED CVE-2021-3032 (An information exposure through log file vulnerability exists in Palo ...) - TODO: check + NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2021-3031 (Padding bytes in Ethernet packets on PA-200, PA-220, PA-500, PA-800, P ...) - TODO: check + NOT-FOR-US: Palo Alto Networks CVE-2021-3030 RESERVED CVE-2021-23234 @@ -6397,7 +6397,7 @@ CVE-2020-35689 CVE-2020-35688 RESERVED CVE-2020-35687 (PHPFusion version 9.03.90 is vulnerable to CSRF attack which leads to ...) - TODO: check + NOT-FOR-US: PHP-Fusion CVE-2020-35686 (The SECOMN service in Sound Research DCHU model software component mod ...) NOT-FOR-US: Sound Research CVE-2020-35685 @@ -8356,7 +8356,7 @@ CVE-2021-20618 CVE-2021-20617 RESERVED CVE-2021-20616 (Untrusted search path vulnerability in the installer of SKYSEA Client ...) - TODO: check + NOT-FOR-US: SKYSEA Client View CVE-2021-20615 RESERVED CVE-2021-20614 @@ -20771,7 +20771,7 @@ CVE-2020-27490 CVE-2020-27489 RESERVED CVE-2020-27488 (Loxone Miniserver devices with firmware before 11.1 (aka 11.1.9.3) are ...) - TODO: check + NOT-FOR-US: Loxone Miniserver devices CVE-2020-27487 RESERVED CVE-2020-27486 (Garmin Forerunner 235 before 8.20 is affected by: Buffer Overflow. The ...) 
@@ -22485,9 +22485,9 @@ CVE-2020-26715 CVE-2020-26714 RESERVED CVE-2020-26713 (REDCap 10.3.4 contains a XSS vulnerability in the ToDoList function wi ...) - TODO: check + NOT-FOR-US: REDCap CVE-2020-26712 (REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList f ...) - TODO: check + NOT-FOR-US: REDCap CVE-2020-26711 RESERVED CVE-2020-26710 @@ -23880,7 +23880,7 @@ CVE-2020-26120 (XSS exists in the MobileFrontend extension for MediaWiki before CVE-2020-26119 RESERVED CVE-2020-26118 (In SmartBear Collaborator Server through 13.3.13302, use of the Google ...) - TODO: check + NOT-FOR-US: SmartBear Collaborator Server CVE-2020-26117 (In rfb/CSecurityTLS.cxx and rfb/CSecurityTLS.java in TigerVNC before 1 ...) {DLA-2396-1} - tigervnc 1.10.1+dfsg-9 (bug #971272) @@ -24048,7 +24048,7 @@ CVE-2020-26052 CVE-2020-26051 RESERVED CVE-2020-26050 (SaferVPN for Windows Ver 5.0.3.3 through 5.0.4.15 could allow local pr ...) - TODO: check + NOT-FOR-US: SaferVPN for Windows CVE-2020-26049 (Nifty-PM CPE 2.3 is affected by stored HTML injection. The impact is r ...) NOT-FOR-US: Nifty-PM CPE CVE-2020-26048 (The file manager option in CuppaCMS before 2019-11-12 allows an authen ...) @@ -27221,9 +27221,9 @@ CVE-2020-24703 (An issue was discovered in certain WSO2 products. A valid Carbon CVE-2020-24702 RESERVED CVE-2020-24701 (OX App Suite through 7.10.4 allows XSS via the app loading mechanism ( ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2020-24700 (OX App Suite through 7.10.3 allows SSRF because GET requests are sent ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2020-24699 (The Chamber Dashboard Business Directory plugin 3.2.8 for WordPress al ...) NOT-FOR-US: Chamber Dashboard Business Directory plugin for WordPress CVE-2020-24698 (An issue was discovered in PowerDNS Authoritative through 4.3.0 when - ...) 
@@ -29455,7 +29455,7 @@ CVE-2020-23655 (NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) on mod CVE-2020-23654 (NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) via the modu ...) NOT-FOR-US: NavigateCMS CVE-2020-23653 (An insecure unserialize vulnerability was discovered in ThinkAdmin ver ...) - TODO: check + NOT-FOR-US: ThinkAdmin CVE-2020-23652 RESERVED CVE-2020-23651 @@ -29499,7 +29499,7 @@ CVE-2020-23633 CVE-2020-23632 RESERVED CVE-2020-23631 (Cross-site request forgery (CSRF) in admin/global/manage.php in WDJA C ...) - TODO: check + NOT-FOR-US: WDJA CMS CVE-2020-23630 (A blind SQL injection vulnerability exists in zzcms ver201910 based on ...) NOT-FOR-US: zzcms CVE-2020-23629 @@ -44706,7 +44706,7 @@ CVE-2020-16148 (The
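Review bot: in the hunk at -1771 the two adjacent Palo Alto entries are marked differently, "NOT-FOR-US: Palo Alto Networks PAN-OS" for CVE-2021-3032 and "NOT-FOR-US: Palo Alto Networks" for CVE-2021-3031, although both descriptions refer to the same vendor's appliances; pick one form (the vendor name alone is what the file uses for the Microsoft, Siemens and IBM entries) so that a grep for the NFU string finds both.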
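Review bot: in the hunk at -6397 the NFU string is "PHP-Fusion" while the CVE description spells it "PHPFusion"; either is acceptable, but it should match the spelling used for the project's other entries in the file, otherwise a search for one spelling misses the other.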
[Git][security-tracker-team/security-tracker][master] MITRE assigned separate CVE for tcmu issue (related to CVE-2020-28374)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 63e32712 by Salvatore Bonaccorso at 2021-01-13T21:22:47+01:00 MITRE assigned separate CVE for tcmu issue (related to CVE-2020-28374) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,16 @@ CVE-2021-3140 RESERVED CVE-2021-3139 (In Open-iSCSI tcmu-runner 1.3.x, 1.4.x, and 1.5.x through 1.5.2, xcopy ...) - TODO: check + - tcmu (bug #980007) + NOTE: https://www.openwall.com/lists/oss-security/2021/01/12/12 + NOTE: https://www.openwall.com/lists/oss-security/2021/01/13/5 + NOTE: https://github.com/open-iscsi/tcmu-runner/issues/645 + NOTE: https://github.com/open-iscsi/tcmu-runner/pull/644 + NOTE: Fixed by: https://github.com/open-iscsi/tcmu-runner/commit/2b16e96e6b63d0419d857f53e4cc67f0adb383fd + NOTE: Some followup fixes: https://github.com/open-iscsi/tcmu-runner/pull/646 + NOTE: https://github.com/open-iscsi/tcmu-runner/commit/b202dc06ef391c6ab9a7561856238a258de04663 + NOTE: https://github.com/open-iscsi/tcmu-runner/commit/170bfa63288a399b38c35eb646b2835d4ba7c08a + NOTE: https://github.com/open-iscsi/tcmu-runner/commit/01685b2ab8c430c0fb9ce397e7e76b60fe6cbde5 CVE-2021-24002 RESERVED CVE-2021-24001 
@@ -16447,16 +16456,8 @@ CVE-2020-28375 RESERVED CVE-2020-28374 (In drivers/target/target_core_xcopy.c in the Linux kernel before 5.10. ...) - linux - - tcmu (bug #980007) NOTE: https://git.kernel.org/linus/2896c93811e39d63a4d9b63ccf12a8fbc226e5e4 NOTE: https://www.openwall.com/lists/oss-security/2021/01/12/12 - NOTE: https://github.com/open-iscsi/tcmu-runner/issues/645 - NOTE: https://github.com/open-iscsi/tcmu-runner/pull/644 - NOTE: Fixed by: https://github.com/open-iscsi/tcmu-runner/commit/2b16e96e6b63d0419d857f53e4cc67f0adb383fd - NOTE: Some followup fixes: https://github.com/open-iscsi/tcmu-runner/pull/646 - NOTE: https://github.com/open-iscsi/tcmu-runner/commit/b202dc06ef391c6ab9a7561856238a258de04663 - NOTE: https://github.com/open-iscsi/tcmu-runner/commit/170bfa63288a399b38c35eb646b2835d4ba7c08a - NOTE: https://github.com/open-iscsi/tcmu-runner/commit/01685b2ab8c430c0fb9ce397e7e76b60fe6cbde5 CVE-2020-28373 (upnpd on certain NETGEAR devices allows remote (LAN) attackers to exec ...) NOT-FOR-US: Netgear CVE-2020-28372 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63e327127872a3a51d2c3c1a0a19de5229d761ae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63e327127872a3a51d2c3c1a0a19de5229d761ae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
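Review bot: in the hunk at -1,7 the tcmu package line arrives with bug #980007 but no fixed version, while the NOTE lines already name the upstream fix commit (2b16e96e) and its follow-ups; record the version once the fix is uploaded to unstable, and add a [buster] line, since the tcmu package there is not annotated at all. Also worth checking that bug #980007 itself now mentions CVE-2021-3139, because it was filed while the issue was still tracked under CVE-2020-28374.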
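Review bot: the hunk at -16447 removes the tcmu line and all tcmu-runner NOTEs from CVE-2020-28374 without leaving a pointer to the new CVE; the commit message calls the two related and the oss-security thread (2021/01/12/12) is now referenced from both entries, so a line such as "NOTE: tcmu-runner side of this issue is tracked as CVE-2021-3139" on the kernel entry would let a reader of CVE-2020-28374 find the userspace one.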
[Git][security-tracker-team/security-tracker][master] Process some NFUs

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 33a89b35 by Salvatore Bonaccorso at 2021-01-13T21:20:37+01:00 Proces some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -76456,27 +76456,27 @@ CVE-2020-4606 (IBM Security Verify Privilege Manager 10.8 is vulnerable to an XM CVE-2020-4605 RESERVED CVE-2020-4604 (IBM Security Guardium Insights 2.0.2 stores user credentials in plain ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4603 (IBM Security Guardium Insights 2.0.1 performs an operation at a privil ...) NOT-FOR-US: IBM CVE-2020-4602 (IBM Security Guardium Insights 2.0.2 stores user credentials in plain ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4601 RESERVED CVE-2020-4600 (IBM Security Guardium Insights 2.0.2 could allow a remote attacker to ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4599 (IBM Security Guardium Insights 2.0.2 could allow a remote attacker to ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4598 (IBM Security Guardium Insights 2.0.1 could allow a remote attacker to ...) NOT-FOR-US: IBM CVE-2020-4597 (IBM Security Guardium Insights 2.0.2 does not set the secure attribute ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4596 (IBM Security Guardium Insights 2.0.2 uses weaker than expected cryptog ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4595 (IBM Security Guardium Insights 2.0.2 uses weaker than expected cryptog ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4594 (IBM Security Guardium Insights 2.0.2 uses weaker than expected cryptog ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4593 (IBM Security Guardium Insights 2.0.1 stores user credentials in plain ...) NOT-FOR-US: IBM CVE-2020-4592 (IBM MQ Appliance 9.1.CD and LTS could allow an authenticated user, und ...) 
@@ -131722,7 +131722,7 @@ CVE-2019-4704 (IBM Security Identity Manager Virtual Appliance 7.0.2 does not se CVE-2019-4703 (IBM Spectrum Protect Plus 10.1.0 and 10.5.0, when protecting Microsoft ...) NOT-FOR-US: IBM CVE-2019-4702 (IBM Security Guardium Data Encryption (GDE) 3.0.0.2 specifies permissi ...) - TODO: check + NOT-FOR-US: IBM CVE-2019-4701 (IBM Security Guardium Data Encryption (GDE) 3.0.0.2 is deployed with a ...) NOT-FOR-US: IBM CVE-2019-4700 @@ -131752,7 +131752,7 @@ CVE-2019-4689 (IBM Security Guardium Data Encryption (GDE) 3.0.0.2 could allow a CVE-2019-4688 (IBM Security Guardium Data Encryption (GDE) 3.0.0.2 does not set the s ...) NOT-FOR-US: IBM CVE-2019-4687 (IBM Security Guardium Data Encryption (GDE) 3.0.0.2 stores sensitive i ...) - TODO: check + NOT-FOR-US: IBM CVE-2019-4686 (IBM Security Guardium Data Encryption (GDE) 3.0.0.2 does not set the s ...) NOT-FOR-US: IBM CVE-2019-4685 @@ -132806,7 +132806,7 @@ CVE-2019-4162 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, and 1.0.2 is CVE-2019-4161 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, and 1.0.2 disclose ...) NOT-FOR-US: IBM CVE-2019-4160 (IBM Security Guardium Data Encryption (GDE) 3.0.0.2 uses weaker than e ...) - TODO: check + NOT-FOR-US: IBM CVE-2019-4159 REJECTED CVE-2019-4158 (IBM Security Access Manager 9.0.1 through 9.0.6 does not prove that a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/33a89b35723100ee7749d495e80091ce105b36f5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/33a89b35723100ee7749d495e80091ce105b36f5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cb7d937a by security tracker role at 2021-01-13T20:10:32+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,139 @@ +CVE-2021-3140 + RESERVED +CVE-2021-3139 (In Open-iSCSI tcmu-runner 1.3.x, 1.4.x, and 1.5.x through 1.5.2, xcopy ...) + TODO: check +CVE-2021-24002 + RESERVED +CVE-2021-24001 + RESERVED +CVE-2021-24000 + RESERVED +CVE-2021-23999 + RESERVED +CVE-2021-23998 + RESERVED +CVE-2021-23997 + RESERVED +CVE-2021-23996 + RESERVED +CVE-2021-23995 + RESERVED +CVE-2021-23994 + RESERVED +CVE-2021-23993 + RESERVED +CVE-2021-23992 + RESERVED +CVE-2021-23991 + RESERVED +CVE-2021-23990 + RESERVED +CVE-2021-23989 + RESERVED +CVE-2021-23988 + RESERVED +CVE-2021-23987 + RESERVED +CVE-2021-23986 + RESERVED +CVE-2021-23985 + RESERVED +CVE-2021-23984 + RESERVED +CVE-2021-23983 + RESERVED +CVE-2021-23982 + RESERVED +CVE-2021-23981 + RESERVED +CVE-2021-23980 + RESERVED +CVE-2021-23979 + RESERVED +CVE-2021-23978 + RESERVED +CVE-2021-23977 + RESERVED +CVE-2021-23976 + RESERVED +CVE-2021-23975 + RESERVED +CVE-2021-23974 + RESERVED +CVE-2021-23973 + RESERVED +CVE-2021-23972 + RESERVED +CVE-2021-23971 + RESERVED +CVE-2021-23970 + RESERVED +CVE-2021-23969 + RESERVED +CVE-2021-23968 + RESERVED +CVE-2021-23967 + RESERVED +CVE-2021-23966 + RESERVED +CVE-2021-23965 + RESERVED +CVE-2021-23964 + RESERVED +CVE-2021-23963 + RESERVED +CVE-2021-23962 + RESERVED +CVE-2021-23961 + RESERVED +CVE-2021-23960 + RESERVED +CVE-2021-23959 + RESERVED +CVE-2021-23958 + RESERVED +CVE-2021-23957 + RESERVED +CVE-2021-23956 + RESERVED +CVE-2021-23955 + RESERVED +CVE-2021-23954 + RESERVED +CVE-2021-23953 + RESERVED +CVE-2021-23952 + RESERVED +CVE-2021-23951 + RESERVED +CVE-2021-23950 + RESERVED +CVE-2021-23949 + RESERVED +CVE-2021-23948 + RESERVED +CVE-2021-23947 + RESERVED +CVE-2021-23946 + RESERVED +CVE-2021-23945 + RESERVED +CVE-2021-23944 + RESERVED +CVE-2021-23943 + RESERVED +CVE-2021-23942 + RESERVED +CVE-2021-23941 + RESERVED +CVE-2021-23940 + RESERVED +CVE-2021-23939 + RESERVED +CVE-2021-23938 + RESERVED +CVE-2021-23937 + RESERVED CVE-2021-3138 RESERVED CVE-2021-3137 
@@ -48,8 +184,8 @@ CVE-2021-3133 (The Elementor Contact Form DB plugin before 1.6 for WordPress all NOT-FOR-US: Elementor Contact Form DB plugin for WordPress CVE-2021-3132 RESERVED -CVE-2021-3131 - RESERVED +CVE-2021-3131 (The Web server in 1C:Enterprise 8 before 8.3.17.1851 sends base64 enco ...) + TODO: check CVE-2021-3130 RESERVED CVE-2021-3129 (Ignition before 2.5.2, as used in Laravel and other products, allows u ...) @@ -96,10 +232,10 @@ CVE-2021-23902 RESERVED CVE-2021-23901 RESERVED -CVE-2021-23900 - RESERVED -CVE-2021-23899 - RESERVED +CVE-2021-23900 (OWASP json-sanitizer before 1.2.2 can output invalid JSON or throw an ...) + TODO: check +CVE-2021-23899 (OWASP json-sanitizer before 1.2.2 may emit closing SCRIPT tags and CDA ...) + TODO: check CVE-2021-23898 RESERVED CVE-2021-23897 @@ -1625,10 +1761,10 @@ CVE-2021-3034 RESERVED CVE-2021-3033 RESERVED -CVE-2021-3032 - RESERVED -CVE-2021-3031 - RESERVED +CVE-2021-3032 (An information exposure through log file vulnerability exists in Palo ...) + TODO: check +CVE-2021-3031 (Padding bytes in Ethernet packets on PA-200, PA-220, PA-500, PA-800, P ...) + TODO: check CVE-2021-3030 RESERVED CVE-2021-23234 @@ -2592,8 +2728,8 @@ CVE-2020-36178 (oal_ipt_addBridgeIsolationRules on TP-Link TL-WR840N 6_EU_0.9.1_ NOT-FOR-US: TP-Link CVE-2021-3029 (** UNSUPPORTED WHEN ASSIGNED ** EVOLUCARE ECSIMAGING (aka ECS Imaging) ...) NOT-FOR-US: EVOLUCARE ECSIMAGING (aka ECS Imaging) -CVE-2021-3028 - RESERVED +CVE-2021-3028 (git-big-picture before 1.0.0 mishandles ' characters in a branch name, ...) + TODO: check CVE-2021-22696 RESERVED CVE-2020-36177 (RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has an out-o ...) 
@@ -4843,44 +4979,31 @@ CVE-2021-21616 RESERVED CVE-2021-21615 RESERVED -CVE-2021-21614 - RESERVED +CVE-2021-21614 (Jenkins Bumblebee HP ALM Plugin 4.1.5 and earlier stores credentials u ...) NOT-FOR-US: Jenkins plugin -CVE-2021-21613 - RESERVED +CVE-2021-21613 (Jenkins TICS Plugin 2020.3.0.6 and earlier does not escape TICS servic ...) NOT-FOR-US:
[Git][security-tracker-team/security-tracker][master] one hylafax issue n/a in Debian
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c266f120 by Moritz Muehlenhoff at 2021-01-13T19:58:30+01:00 one hylafax issue n/a in Debian openjpeg no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19217,6 +19217,7 @@ CVE-2020-27846 (A signature verification vulnerability exists in crewjam/saml. T NOT-FOR-US: github.com/crewjam/saml CVE-2020-27845 (There's a flaw in src/lib/openjp2/pi.c of openjpeg in versions prior t ...) - openjpeg2 + [buster] - openjpeg2 (Minor issue) NOTE: https://github.com/uclouvain/openjpeg/issues/1302 NOTE: https://github.com/uclouvain/openjpeg/commit/8f5aff1dff510a964d3901d0fba281abec98ab63 CVE-2020-27844 (A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions prior ...) @@ -19225,12 +19226,15 @@ CVE-2020-27844 (A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions NOTE: https://github.com/uclouvain/openjpeg/commit/73fdf28342e4594019af26eb6a347a34eceb6296 CVE-2020-27843 (A flaw was found in OpenJPEG in versions prior to 2.4.0. This flaw all ...) - openjpeg2 + [buster] - openjpeg2 (Minor issue) NOTE: https://github.com/uclouvain/openjpeg/issues/1297 CVE-2020-27842 (There's a flaw in openjpeg's t2 encoder in versions prior to 2.4.0. An ...) - openjpeg2 + [buster] - openjpeg2 (Minor issue) NOTE: https://github.com/uclouvain/openjpeg/issues/1294 CVE-2020-27841 (There's a flaw in openjpeg in versions prior to 2.4.0 in src/lib/openj ...) - openjpeg2 + [buster] - openjpeg2 (Minor issue) NOTE: https://github.com/uclouvain/openjpeg/issues/1293 NOTE: https://github.com/rouault/openjpeg/commit/00383e162ae2f8fc951f5745bf1011771acb8dce CVE-2020-27840 
@@ -19295,6 +19299,7 @@ CVE-2020-27825 (A use-after-free flaw was found in kernel/trace/ring_buffer.c in CVE-2020-27824 [global-buffer-overflow read in lib-openjp2] RESERVED - openjpeg2 + [buster] - openjpeg2 (Minor issue) NOTE: https://github.com/uclouvain/openjpeg/issues/1286 NOTE: https://github.com/uclouvain/openjpeg/commit/6daf5f3e1ec6eff03b7982889874a3de6617db8d CVE-2020-27823 [Heap-buffer-overflow write in lib-openjp2] @@ -46710,9 +46715,7 @@ CVE-2020-15399 CVE-2020-15398 RESERVED CVE-2020-15397 (HylaFAX+ through 7.0.2 and HylaFAX Enterprise have scripts that execut ...) - - hylafax (bug #964198) - [buster] - hylafax (Minor issue) - [stretch] - hylafax (Minor issue) + - hylafax (/var/spool/hylafax/bin and /var/spool/hylafax/etc are root-owned in Debian) NOTE: https://sourceforge.net/p/hylafax/HylaFAX+/2534/ CVE-2020-15396 (In HylaFAX+ through 7.0.2 and HylaFAX Enterprise, the faxsetup utility ...) - hylafax (bug #964198) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c266f120eaf0197c5e50e7f3d9b22c847790ce5f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c266f120eaf0197c5e50e7f3d9b22c847790ce5f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
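Review bot: the openjpeg2 hunks at -19217, -19225 and -19295 add "[buster] - openjpeg2 (Minor issue)" to CVE-2020-27845, -27843, -27842, -27841 and -27824, but CVE-2020-27844 (the t2.c flaw whose package line is the last context line of the first hunk) gets no [buster] marker; if that is deliberate because it is judged more severe, a NOTE saying so would stop the next triager re-evaluating it, otherwise it looks like an oversight. None of these hunks touch [stretch], so the same no-dsa decision is still pending there.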
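Review bot: the hunk at -46710 replaces the bug reference and the buster/stretch "(Minor issue)" markers for CVE-2020-15397 with a bare "- hylafax (reason)" line, which the tracker reads as unfixed in unstable rather than as not affected; the commit message says the issue is n/a in Debian, so the conventional form is "- hylafax <not-affected> (/var/spool/hylafax/bin and /var/spool/hylafax/etc are root-owned in Debian)". Dropping "(bug #964198)" from this entry is fine only if that bug is meant to cover CVE-2020-15396 alone, which still references it on the following entry.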
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b4a7d68 by Moritz Muehlenhoff at 2021-01-13T18:21:25+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -39,11 +39,11 @@ CVE-2021-23922 CVE-2021-23921 RESERVED CVE-2020-36191 (JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lac ...) - TODO: check + NOT-FOR-US: JupyterHub CVE-2020-36190 (RailsAdmin (aka rails_admin) before 1.4.3 and 2.x before 2.0.2 allows ...) - TODO: check + NOT-FOR-US: RailsAdmin CVE-2021-3134 (Mubu 2.2.1 allows local users to gain privileges to execute commands, ...) - TODO: check + NOT-FOR-US: Mubu CVE-2021-3133 (The Elementor Contact Form DB plugin before 1.6 for WordPress allows C ...) NOT-FOR-US: Elementor Contact Form DB plugin for WordPress CVE-2021-3132 @@ -53,7 +53,7 @@ CVE-2021-3131 CVE-2021-3130 RESERVED CVE-2021-3129 (Ignition before 2.5.2, as used in Laravel and other products, allows u ...) - TODO: check + NOT-FOR-US: Ignition CVE-2021-3128 RESERVED CVE-2021-23920 @@ -255,7 +255,7 @@ CVE-2021-3118 (** UNSUPPORTED WHEN ASSIGNED ** EVOLUCARE ECSIMAGING (aka ECS Ima CVE-2021-3117 RESERVED CVE-2021-3116 (before_upstream_connection in AuthPlugin in http/proxy/auth.py in prox ...) - TODO: check + NOT-FOR-US: proxy.py CVE-2021-3115 RESERVED CVE-2021-3114 @@ -4122,7 +4122,7 @@ CVE-2021-3013 CVE-2021-3012 RESERVED CVE-2021-3011 (An electromagnetic-wave side-channel issue was discovered on NXP Smart ...) - TODO: check + NOT-FOR-US: NXP CVE-2021-3010 RESERVED CVE-2021-3009 
@@ -5827,19 +5827,19 @@ CVE-2021-21473 CVE-2021-21472 RESERVED CVE-2021-21471 (In CLA-Assistant, versions before 2.8.5, due to improper access contro ...) - TODO: check + NOT-FOR-US: CLA-Assistant CVE-2021-21470 (SAP EPM Add-in for Microsoft Office, version - 1010 and SAP EPM Add-in ...) NOT-FOR-US: SAP CVE-2021-21469 (When security guidelines for SAP NetWeaver Master Data Management, ver ...) NOT-FOR-US: SAP CVE-2021-21468 (The BW Database Interface does not perform necessary authorization che ...) - TODO: check + NOT-FOR-US: SAP CVE-2021-21467 (SAP Banking Services (Generic Market Data) 400, 450, and 500 does not ...) NOT-FOR-US: SAP CVE-2021-21466 (SAP Business Warehouse, versions 700, 701, 702, 711, 730, 731, 740, 75 ...) NOT-FOR-US: SAP CVE-2021-21465 (The BW Database Interface allows an attacker with low privileges to ex ...) - TODO: check + NOT-FOR-US: SAP CVE-2021-21464 (SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open ma ...) NOT-FOR-US: SAP CVE-2021-21463 (SAP 3D Visual Enterprise Viewer, version - 9, allows a user to open ma ...) @@ -6267,7 +6267,7 @@ CVE-2020-35688 CVE-2020-35687 RESERVED CVE-2020-35686 (The SECOMN service in Sound Research DCHU model software component mod ...) - TODO: check + NOT-FOR-US: Sound Research CVE-2020-35685 RESERVED CVE-2020-35684 @@ -12507,11 +12507,11 @@ CVE-2021-1727 CVE-2021-1726 RESERVED CVE-2021-1725 (Bot Framework SDK Information Disclosure Vulnerability ...) - TODO: check + NOT-FOR-US: Bot Framework SDK CVE-2021-1724 RESERVED CVE-2021-1723 (ASP.NET Core and Visual Studio Denial of Service Vulnerability ...) - TODO: check + NOT-FOR-US: ASP.NET Core and Visual Studio CVE-2021-1722 RESERVED CVE-2021-1721 
@@ -12645,7 +12645,7 @@ CVE-2021-1658 (Remote Procedure Call Runtime Remote Code Execution Vulnerability CVE-2021-1657 (Windows Fax Compose Form Remote Code Execution Vulnerability ...) NOT-FOR-US: Microsoft CVE-2021-1656 (TPM Device Driver Information Disclosure Vulnerability ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1655 (Windows CSC Service Elevation of Privilege Vulnerability This CVE ID i ...) NOT-FOR-US: Microsoft CVE-2021-1654 (Windows CSC Service Elevation of Privilege Vulnerability This CVE ID i ...) @@ -16281,7 +16281,7 @@ CVE-2020-28397 CVE-2020-28396 (A vulnerability has been identified in SICAM A8000 CP-8000 (All versio ...) NOT-FOR-US: Siemens CVE-2020-28395 (A vulnerability has been identified in SCALANCE X-300 switch family (i ...) - TODO: check + NOT-FOR-US: Siemens CVE-2020-28394 RESERVED CVE-2020-28393 @@ -16289,9 +16289,9 @@ CVE-2020-28393 CVE-2020-28392 RESERVED CVE-2020-28391 (A vulnerability has been identified in SCALANCE X-200 switch family (i ...) - TODO: check + NOT-FOR-US: Siemens CVE-2020-28390 (A vulnerability has been identified in Opcenter Execution Core (V8.2), ...) - TODO: check + NOT-FOR-US: Siemens CVE-2020-28389
[Git][security-tracker-team/security-tracker][master] Mark CVE-2021-23239/sudo as no-dsa for buster
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 93421e78 by Salvatore Bonaccorso at 2021-01-13T18:04:21+01:00 Mark CVE-2021-23239/sudo as no-dsa for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1466,6 +1466,7 @@ CVE-2021-23240 (selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows NOTE: Neutralised by kernel hardening (fs.protected_symlinks = 1) CVE-2021-23239 (The sudoedit personality of Sudo before 1.9.5 may allow a local unpriv ...) - sudo 1.9.5-1 + [buster] - sudo (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/01/11/2 NOTE: https://www.sudo.ws/repos/sudo/rev/ea19d0073c02 CVE-2021-3108 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93421e7873bae5c48109ae5b99cf16e7c62237b4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93421e7873bae5c48109ae5b99cf16e7c62237b4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
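Review bot: the hunk adds "[buster] - sudo (Minor issue)" for CVE-2021-23239 without a NOTE giving the reason, whereas the neighbouring CVE-2021-23240 entry visible in the context records why it is neutralised; a one-line NOTE on what limits the sudoedit issue in buster (or a pointer to the upstream advisory text) makes the no-dsa decision reviewable later. A [stretch] line is still missing for this CVE.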
[Git][security-tracker-team/security-tracker][master] track CVE-2020-16044 for thunderbird
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fbca7867 by Moritz Muehlenhoff at 2021-01-13T18:00:01+01:00 track CVE-2020-16044 for thunderbird - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -44838,7 +44838,10 @@ CVE-2020-16044 {DSA-4827-1 DLA-2521-1} - firefox 84.0.2-1 - firefox-esr 78.6.1esr-1 + - thunderbird + [buster] - thunderbird (Minor issue, wait until next Mozilla security cycle) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-01/#CVE-2020-16044 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-02/#CVE-2020-16044 CVE-2020-16043 (Insufficient data validation in networking in Google Chrome prior to 8 ...) - chromium 87.0.4280.141-0.1 (bug #979533) [stretch] - chromium (see DSA 4562) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fbca7867bed7fde85ff0c20e1b11cf16af457c05 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fbca7867bed7fde85ff0c20e1b11cf16af457c05 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
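Review bot: "+ - thunderbird" is added without a fixed version while the new NOTE already references mfsa2021-02, the advisory that covers Thunderbird; once the matching thunderbird upload reaches unstable the version should be recorded here, otherwise the entry stays "unfixed" indefinitely. The buster marker's "wait until next Mozilla security cycle" is a reasonable plan, but there is no [stretch] line even though the header shows DLA-2521-1 was issued for firefox-esr, so thunderbird's stretch status for this CVE is not captured.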
[Git][security-tracker-team/security-tracker][master] Mark CVE-2021-23240/sudo as unimportant
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 02df239a by Salvatore Bonaccorso at 2021-01-13T17:29:47+01:00 Mark CVE-2021-23240/sudo as unimportant - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1459,10 +1459,11 @@ CVE-2021-23242 (MERCUSYS Mercury X18G 1.0.5 devices allow Directory Traversal vi CVE-2021-23241 (MERCUSYS Mercury X18G 1.0.5 devices allow Directory Traversal via ../ ...) NOT-FOR-US: MERCUSYS Mercury X18G devices CVE-2021-23240 (selinux_edit_copy_tfiles in sudoedit in Sudo before 1.9.5 allows a loc ...) - - sudo 1.9.5-1 + - sudo 1.9.5-1 (unimportant) NOTE: https://www.openwall.com/lists/oss-security/2021/01/11/2 NOTE: https://www.sudo.ws/repos/sudo/rev/8fcb36ef422a NOTE: https://www.sudo.ws/alerts/sudoedit_selinux.html + NOTE: Neutralised by kernel hardening (fs.protected_symlinks = 1) CVE-2021-23239 (The sudoedit personality of Sudo before 1.9.5 may allow a local unpriv ...) - sudo 1.9.5-1 NOTE: https://www.openwall.com/lists/oss-security/2021/01/11/2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02df239ad49f1e74ebe6a5b2c130af256f276444 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02df239ad49f1e74ebe6a5b2c130af256f276444 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
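Review bot: the `(unimportant)` tag on `- sudo 1.9.5-1` rests entirely on the new `NOTE: Neutralised by kernel hardening (fs.protected_symlinks = 1)`, and fs.protected_symlinks is a runtime sysctl that an administrator can switch off; the NOTE should say that the mitigation only holds while the default setting is left in place, so the rating is revisited if that assumption stops being true for a given deployment.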
[Git][security-tracker-team/security-tracker][master] Add Debian bug references for CVE-2020-26298/ruby-redcarpet
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 595c43b0 by Salvatore Bonaccorso at 2021-01-13T16:52:29+01:00 Add Debian bug references for CVE-2020-26298/ruby-redcarpet - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23292,7 +23292,7 @@ CVE-2020-26300 CVE-2020-26299 RESERVED CVE-2020-26298 (Redcarpet is a Ruby library for Markdown processing. In Redcarpet befo ...) - - ruby-redcarpet + - ruby-redcarpet (bug #980057) NOTE: https://github.com/advisories/GHSA-q3wr-qw3g-3p4h NOTE: https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793 CVE-2020-26297 (mdBook is a utility to create modern online books from Markdown files ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/595c43b00c6df153a252549e0ac55468fa5b8c6a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/595c43b00c6df153a252549e0ac55468fa5b8c6a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update notes on CVE-2020-28374/tcmu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 46270ab9 by Salvatore Bonaccorso at 2021-01-13T16:40:35+01:00 Update notes on CVE-2020-28374/tcmu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16325,8 +16325,13 @@ CVE-2020-28374 (In drivers/target/target_core_xcopy.c in the Linux kernel before - tcmu (bug #980007) NOTE: https://git.kernel.org/linus/2896c93811e39d63a4d9b63ccf12a8fbc226e5e4 NOTE: https://www.openwall.com/lists/oss-security/2021/01/12/12 - NOTE: tcmu-runner patch: https://bugzilla.suse.com/attachment.cgi?id=844924=diff=patch==1=raw NOTE: https://github.com/open-iscsi/tcmu-runner/issues/645 + NOTE: https://github.com/open-iscsi/tcmu-runner/pull/644 + NOTE: Fixed by: https://github.com/open-iscsi/tcmu-runner/commit/2b16e96e6b63d0419d857f53e4cc67f0adb383fd + NOTE: Some followup fixes: https://github.com/open-iscsi/tcmu-runner/pull/646 + NOTE: https://github.com/open-iscsi/tcmu-runner/commit/b202dc06ef391c6ab9a7561856238a258de04663 + NOTE: https://github.com/open-iscsi/tcmu-runner/commit/170bfa63288a399b38c35eb646b2835d4ba7c08a + NOTE: https://github.com/open-iscsi/tcmu-runner/commit/01685b2ab8c430c0fb9ce397e7e76b60fe6cbde5 CVE-2020-28373 (upnpd on certain NETGEAR devices allows remote (LAN) attackers to exec ...) NOT-FOR-US: Netgear CVE-2020-28372 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46270ab9f4e9faef5a3682df176dc520f3d2fa3c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46270ab9f4e9faef5a3682df176dc520f3d2fa3c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
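Review bot: the added NOTE lines name one commit as `Fixed by:` and three more under `Some followup fixes:` without saying whether the follow-ups are required for a complete fix of CVE-2020-28374 in tcmu-runner; since the entry still reads `- tcmu (bug #980007)` with no fixed version, a backport will be assembled from these notes, so state explicitly which of the four commits must be included and which are optional hardening.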
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8781eda3 by Moritz Muehlenhoff at 2021-01-13T16:23:22+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4843,30 +4843,43 @@ CVE-2021-21615 RESERVED CVE-2021-21614 RESERVED + NOT-FOR-US: Jenkins plugin CVE-2021-21613 RESERVED + NOT-FOR-US: Jenkins plugin CVE-2021-21612 RESERVED + NOT-FOR-US: Jenkins plugin CVE-2021-21611 RESERVED + NOT-FOR-US: Jenkins CVE-2021-21610 RESERVED + NOT-FOR-US: Jenkins CVE-2021-21609 RESERVED + NOT-FOR-US: Jenkins CVE-2021-21608 RESERVED + NOT-FOR-US: Jenkins CVE-2021-21607 RESERVED + NOT-FOR-US: Jenkins CVE-2021-21606 RESERVED + NOT-FOR-US: Jenkins CVE-2021-21605 RESERVED + NOT-FOR-US: Jenkins CVE-2021-21604 RESERVED + NOT-FOR-US: Jenkins CVE-2021-21603 RESERVED + NOT-FOR-US: Jenkins CVE-2021-21602 RESERVED + NOT-FOR-US: Jenkins CVE-2021-21601 RESERVED CVE-2021-21600 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8781eda3c67df96e4f54d73d7d1280e39804d9aa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8781eda3c67df96e4f54d73d7d1280e39804d9aa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track proposed update for libmaxminddb via buster-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ca015667 by Salvatore Bonaccorso at 2021-01-13T14:11:16+01:00 Track proposed update for libmaxminddb via buster-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -64,3 +64,5 @@ CVE-2020-7039 [buster] - slirp 1:1.0.17-8+deb10u1 CVE-2020-8608 [buster] - slirp 1:1.0.17-8+deb10u1 +CVE-2020-28241 + [buster] - libmaxminddb 1.3.2-1+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca01566729ea5d2447c1e3fc86b9e066e1916e1d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca01566729ea5d2447c1e3fc86b9e066e1916e1d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: claim golang-1.7
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 03ae9534 by Sylvain Beucler at 2021-01-13T14:10:27+01:00 dla: claim golang-1.7 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -40,7 +40,7 @@ f2fs-tools (Abhijith PA) firmware-nonfree NOTE: 20201207: wait for the update in buster and backport that (Emilio) -- -golang-1.7 +golang-1.7 (Sylvain Beucler) NOTE: 20201219: new CVEs may not be getting fixed, might need to ignore (roberto) NOTE: 20210103: Clarification CVE-2020-29509, ...10 and ...11 is definitely not going to be fixed in 1.7. NOTE: 20210103: golang at all. Follow up a little more before it is ignored. (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03ae9534fb355ae359b1fd87dfcb6f500a0148f0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03ae9534fb355ae359b1fd87dfcb6f500a0148f0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
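Review bot: the claim line itself is fine, but the two `NOTE: 20210103:` lines below it read as one sentence split in the middle (`... is definitely not going to be fixed in 1.7.` followed by `golang at all. Follow up a little more ...`), so the conclusion about whether any golang version will receive a fix is unreadable; rejoin them into a single NOTE when the entry is next touched.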
[Git][security-tracker-team/security-tracker][master] new redcarpet issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 243209db by Moritz Muehlenhoff at 2021-01-13T10:57:45+01:00 new redcarpet issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23274,7 +23274,9 @@ CVE-2020-26300 CVE-2020-26299 RESERVED CVE-2020-26298 (Redcarpet is a Ruby library for Markdown processing. In Redcarpet befo ...) - TODO: check + - ruby-redcarpet + NOTE: https://github.com/advisories/GHSA-q3wr-qw3g-3p4h + NOTE: https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793 CVE-2020-26297 (mdBook is a utility to create modern online books from Markdown files ...) NOT-FOR-US: mdBook CVE-2020-26296 (Vega is a visualization grammar, a declarative format for creating, sa ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/243209db2e424a289f168935d2a85748d30edfed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/243209db2e424a289f168935d2a85748d30edfed You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
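Review bot: `- ruby-redcarpet` is added with no Debian bug reference, so the package maintainer is not notified through the BTS and the entry gives no place to track the fix; file a bug and record it as `(bug #NNN)` on that line. Commit 595c43b0, shown earlier in this digest, does exactly that with bug #980057.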
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2020-8842
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d667e8fa by Salvatore Bonaccorso at 2021-01-13T09:48:18+01:00 Remove notes from CVE-2020-8842 Was withdrawn by its CNA as found to not be a security issue. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -65343,7 +65343,6 @@ CVE-2020-8843 (An issue was discovered in Istio 1.3 through 1.3.6. Under certain NOT-FOR-US: Istio CVE-2020-8842 REJECTED - NOT-FOR-US: MSI True Color CVE-2020-8841 (An issue was discovered in TestLink 1.9.19. The relation_type paramete ...) NOT-FOR-US: TestLink CVE-2020-8840 (FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean- ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d667e8fa23649bfab3cee8b6190bc6f4e9014974 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d667e8fa23649bfab3cee8b6190bc6f4e9014974 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8fb4f931 by Salvatore Bonaccorso at 2021-01-13T09:47:23+01:00 Process some more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1652,11 +1652,11 @@ CVE-2021-23127 CVE-2021-23126 RESERVED CVE-2021-23125 (An issue was discovered in Joomla! 3.1.0 through 3.9.23. The lack of e ...) - TODO: check + NOT-FOR-US: Joomla! CVE-2021-23124 (An issue was discovered in Joomla! 3.9.0 through 3.9.23. The lack of e ...) - TODO: check + NOT-FOR-US: Joomla! CVE-2021-23123 (An issue was discovered in Joomla! 3.0.0 through 3.9.23. The lack of A ...) - TODO: check + NOT-FOR-US: Joomla! CVE-2021-23122 RESERVED CVE-2021-23121 
@@ -12504,173 +12504,173 @@ CVE-2021-1721 CVE-2021-1720 RESERVED CVE-2021-1719 (Microsoft SharePoint Elevation of Privilege Vulnerability This CVE ID ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1718 (Microsoft SharePoint Server Tampering Vulnerability ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1717 (Microsoft SharePoint Spoofing Vulnerability This CVE ID is unique from ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1716 (Microsoft Word Remote Code Execution Vulnerability This CVE ID is uniq ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1715 (Microsoft Word Remote Code Execution Vulnerability This CVE ID is uniq ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1714 (Microsoft Excel Remote Code Execution Vulnerability This CVE ID is uni ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1713 (Microsoft Excel Remote Code Execution Vulnerability This CVE ID is uni ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1712 (Microsoft SharePoint Elevation of Privilege Vulnerability This CVE ID ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1711 (Microsoft Office Remote Code Execution Vulnerability ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1710 (Microsoft Windows Media Foundation Remote Code Execution Vulnerability ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1709 (Windows Win32k Elevation of Privilege Vulnerability ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1708 (Windows GDI+ Information Disclosure Vulnerability ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1707 (Microsoft SharePoint Server Remote Code Execution Vulnerability ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1706 (Windows LUAFV Elevation of Privilege Vulnerability ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1705 (Microsoft Edge (HTML-based) Memory Corruption Vulnerability ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1704 (Windows Hyper-V Elevation of Privilege Vulnerability ...) 
- TODO: check + NOT-FOR-US: Microsoft CVE-2021-1703 (Windows Event Logging Service Elevation of Privilege Vulnerability ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1702 (Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerabi ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1701 (Remote Procedure Call Runtime Remote Code Execution Vulnerability This ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1700 (Remote Procedure Call Runtime Remote Code Execution Vulnerability This ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1699 (Windows (modem.sys) Information Disclosure Vulnerability ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1698 RESERVED CVE-2021-1697 (Windows InstallService Elevation of Privilege Vulnerability ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1696 (Windows Graphics Component Information Disclosure Vulnerability ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1695 (Windows Print Spooler Elevation of Privilege Vulnerability ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1694 (Windows Update Stack Elevation of Privilege Vulnerability ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1693 (Windows CSC Service Elevation of Privilege Vulnerability This CVE ID i ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1692 (Hyper-V Denial of Service Vulnerability This CVE ID is unique from CVE ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1691 (Hyper-V Denial of Service Vulnerability This CVE ID is unique from CVE ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1690 (Windows WalletService Elevation of Privilege Vulnerability This CVE ID ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-1689 (Windows Multipoint Management Elevation of
[Git][security-tracker-team/security-tracker][master] 2 commits: Add reference for CVE-2020-28374
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6d027f86 by Salvatore Bonaccorso at 2021-01-13T09:27:50+01:00 Add reference for CVE-2020-28374 - - - - - 65d64130 by Salvatore Bonaccorso at 2021-01-13T09:32:31+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7,25 +7,25 @@ CVE-2021-3136 CVE-2021-3135 RESERVED CVE-2021-23936 (OX App Suite through 7.10.4 allows XSS via the subject of a task. ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2021-23935 (OX App Suite through 7.10.4 allows XSS via an appointment in which the ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2021-23934 (OX App Suite through 7.10.4 allows XSS via a contact whose name contai ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2021-23933 (OX App Suite through 7.10.4 allows XSS via JavaScript in a Note refere ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2021-23932 (OX App Suite through 7.10.4 allows XSS via an inline image with a craf ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2021-23931 (OX App Suite through 7.10.4 allows XSS via an inline binary file. ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2021-23930 (OX App Suite through 7.10.4 allows XSS via use of the conversion API f ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2021-23929 (OX App Suite through 7.10.4 allows XSS via a crafted Content-Dispositi ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2021-23928 (OX App Suite through 7.10.3 allows XSS via the ajax/apps/manifests que ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2021-23927 (OX App Suite through 7.10.4 allows SSRF via a URL with an @ character ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2021-23926 RESERVED CVE-2021-23925 
@@ -16313,6 +16313,7 @@ CVE-2020-28374 (In drivers/target/target_core_xcopy.c in the Linux kernel before NOTE: https://git.kernel.org/linus/2896c93811e39d63a4d9b63ccf12a8fbc226e5e4 NOTE: https://www.openwall.com/lists/oss-security/2021/01/12/12 NOTE: tcmu-runner patch: https://bugzilla.suse.com/attachment.cgi?id=844924=diff=patch==1=raw + NOTE: https://github.com/open-iscsi/tcmu-runner/issues/645 CVE-2020-28373 (upnpd on certain NETGEAR devices allows remote (LAN) attackers to exec ...) NOT-FOR-US: Netgear CVE-2020-28372 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0495ed6690543d013e5a68efead3fd3344d3784a...65d64130733f0823570c0a362ec7c10a4c55cf9c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0495ed6690543d013e5a68efead3fd3344d3784a...65d64130733f0823570c0a362ec7c10a4c55cf9c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
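Review bot: the context line `NOTE: tcmu-runner patch: https://bugzilla.suse.com/attachment.cgi?id=844924=diff=patch==1=raw` directly above the added issue link is a broken URL (the `&` separators and parameter names of the query string are missing), so it will not resolve; either repair it or replace it with the upstream issue and PR references. Commit 46270ab9, shown earlier in this digest, removes it.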
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0495ed66 by security tracker role at 2021-01-13T08:10:19+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,47 @@ +CVE-2021-3138 + RESERVED +CVE-2021-3137 + RESERVED +CVE-2021-3136 + RESERVED +CVE-2021-3135 + RESERVED +CVE-2021-23936 (OX App Suite through 7.10.4 allows XSS via the subject of a task. ...) + TODO: check +CVE-2021-23935 (OX App Suite through 7.10.4 allows XSS via an appointment in which the ...) + TODO: check +CVE-2021-23934 (OX App Suite through 7.10.4 allows XSS via a contact whose name contai ...) + TODO: check +CVE-2021-23933 (OX App Suite through 7.10.4 allows XSS via JavaScript in a Note refere ...) + TODO: check +CVE-2021-23932 (OX App Suite through 7.10.4 allows XSS via an inline image with a craf ...) + TODO: check +CVE-2021-23931 (OX App Suite through 7.10.4 allows XSS via an inline binary file. ...) + TODO: check +CVE-2021-23930 (OX App Suite through 7.10.4 allows XSS via use of the conversion API f ...) + TODO: check +CVE-2021-23929 (OX App Suite through 7.10.4 allows XSS via a crafted Content-Dispositi ...) + TODO: check +CVE-2021-23928 (OX App Suite through 7.10.3 allows XSS via the ajax/apps/manifests que ...) + TODO: check +CVE-2021-23927 (OX App Suite through 7.10.4 allows SSRF via a URL with an @ character ...) + TODO: check +CVE-2021-23926 + RESERVED +CVE-2021-23925 + RESERVED +CVE-2021-23924 + RESERVED +CVE-2021-23923 + RESERVED +CVE-2021-23922 + RESERVED +CVE-2021-23921 + RESERVED +CVE-2020-36191 (JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lac ...) + TODO: check +CVE-2020-36190 (RailsAdmin (aka rails_admin) before 1.4.3 and 2.x before 2.0.2 allows ...) + TODO: check CVE-2021-3134 (Mubu 2.2.1 allows local users to gain privileges to execute commands, ...) TODO: check CVE-2021-3133 (The Elementor Contact Form DB plugin before 1.6 for WordPress allows C ...) 
@@ -1607,12 +1651,12 @@ CVE-2021-23127 RESERVED CVE-2021-23126 RESERVED -CVE-2021-23125 - RESERVED -CVE-2021-23124 - RESERVED -CVE-2021-23123 - RESERVED +CVE-2021-23125 (An issue was discovered in Joomla! 3.1.0 through 3.9.23. The lack of e ...) + TODO: check +CVE-2021-23124 (An issue was discovered in Joomla! 3.9.0 through 3.9.23. The lack of e ...) + TODO: check +CVE-2021-23123 (An issue was discovered in Joomla! 3.0.0 through 3.9.23. The lack of A ...) + TODO: check CVE-2021-23122 RESERVED CVE-2021-23121 @@ -6207,8 +6251,8 @@ CVE-2020-35688 RESERVED CVE-2020-35687 RESERVED -CVE-2020-35686 - RESERVED +CVE-2020-35686 (The SECOMN service in Sound Research DCHU model software component mod ...) + TODO: check CVE-2020-35685 RESERVED CVE-2020-35684 
@@ -12447,186 +12491,186 @@ CVE-2021-1727 RESERVED CVE-2021-1726 RESERVED -CVE-2021-1725 - RESERVED +CVE-2021-1725 (Bot Framework SDK Information Disclosure Vulnerability ...) + TODO: check CVE-2021-1724 RESERVED -CVE-2021-1723 - RESERVED +CVE-2021-1723 (ASP.NET Core and Visual Studio Denial of Service Vulnerability ...) + TODO: check CVE-2021-1722 RESERVED CVE-2021-1721 RESERVED CVE-2021-1720 RESERVED -CVE-2021-1719 - RESERVED -CVE-2021-1718 - RESERVED -CVE-2021-1717 - RESERVED -CVE-2021-1716 - RESERVED -CVE-2021-1715 - RESERVED -CVE-2021-1714 - RESERVED -CVE-2021-1713 - RESERVED -CVE-2021-1712 - RESERVED -CVE-2021-1711 - RESERVED -CVE-2021-1710 - RESERVED -CVE-2021-1709 - RESERVED -CVE-2021-1708 - RESERVED -CVE-2021-1707 - RESERVED -CVE-2021-1706 - RESERVED -CVE-2021-1705 - RESERVED -CVE-2021-1704 - RESERVED -CVE-2021-1703 - RESERVED -CVE-2021-1702 - RESERVED -CVE-2021-1701 - RESERVED -CVE-2021-1700 - RESERVED -CVE-2021-1699 - RESERVED +CVE-2021-1719 (Microsoft SharePoint Elevation of Privilege Vulnerability This CVE ID ...) + TODO: check +CVE-2021-1718 (Microsoft SharePoint Server Tampering Vulnerability ...) + TODO: check +CVE-2021-1717 (Microsoft SharePoint Spoofing Vulnerability This CVE ID is unique from ...) + TODO: check +CVE-2021-1716 (Microsoft Word Remote Code Execution Vulnerability This CVE ID is uniq ...) + TODO: check +CVE-2021-1715 (Microsoft Word Remote Code Execution Vulnerability This CVE ID is uniq ...) + TODO: check +CVE-2021-1714 (Microsoft Excel Remote Code Execution Vulnerability This CVE ID is uni ...) + TODO: check +CVE-2021-1713 (Microsoft Excel Remote Code Execution Vulnerability This CVE ID