[Git][security-tracker-team/security-tracker][master] Add CVE-2020-15365/libraw
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 62715326 by Salvatore Bonaccorso at 2020-06-30T06:47:44+02:00 Add CVE-2020-15365/libraw - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,9 @@ CVE-2020-15367 CVE-2020-15366 RESERVED CVE-2020-15365 (LibRaw before 0.20-Beta3 has an out-of-bounds write in parse_exif() in ...) - TODO: check + - libraw (Vulnerable code introduced in 0.20-Beta1) + NOTE: https://github.com/LibRaw/LibRaw/issues/301 + NOTE: https://github.com/LibRaw/LibRaw/commit/55f0a0c08974b8b79ebfa7762b555a1704b25fb2 CVE-2020-15364 (The Nexos theme through 1.7 for WordPress allows top-map/?search_locat ...) NOT-FOR-US: Wordpress theme CVE-2020-15363 (The Nexos theme through 1.7 for WordPress allows side-map/?search_orde ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62715326e37e65e0058ca1211f516cf286d05e70 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62715326e37e65e0058ca1211f516cf286d05e70 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
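Review bot: the libraw entry puts "Vulnerable code introduced in 0.20-Beta1" on the unstable line only, so every stable suite still counts as affected even though that note implies suites shipping a pre-0.20 libraw are not; for each such suite add a line of the form `[buster] - libraw (Vulnerable code not present)` (the annotation used for libvncserver elsewhere in this batch), and the entry would also benefit from a Debian bug reference in the `(bug #NNNNNN)` style (placeholder) once one is filed, as it currently has neither a fixed version nor a bug.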
[Git][security-tracker-team/security-tracker][master] Process more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c7a0729 by Salvatore Bonaccorso at 2020-06-30T06:53:58+02:00 Process more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -93,31 +93,31 @@ CVE-2020-15326 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded certi CVE-2020-15325 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded Erlang cook ...) NOT-FOR-US: Zyxel CVE-2020-15324 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a world-readable axess/ ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2020-15323 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the cloud1234 password ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2020-15322 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the wbboEZ4BN3ssxAfM ha ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2020-15321 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the axzyxel password fo ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2020-15320 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the axiros password for ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2020-15319 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded RSA SSH key ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2020-15318 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded DSA SSH key ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2020-15317 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded RSA SSH key ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2020-15316 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded ECDSA SSH k ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2020-15315 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded DSA SSH key ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2020-15314 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded RSA SSH key ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2020-15313 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded ECDSA SSH k ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2020-15312 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded DSA SSH key ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2020-15311 (Stash 1.0.3 allows SQL Injection via the downloadmp3.php download para ...) NOT-FOR-US: Stash CVE-2020-15310 
@@ -609,7 +609,7 @@ CVE-2020-15071 CVE-2020-15070 RESERVED CVE-2020-15069 (Sophos XG Firewall 17.x through v17.5 MR12 allows a Buffer Overflow an ...) - TODO: check + NOT-FOR-US: Sophos CVE-2020-15068 RESERVED CVE-2020-15067 @@ -667,7 +667,7 @@ CVE-2020-15045 CVE-2020-15044 RESERVED CVE-2020-15043 (iBall WRB303N devices allow CSRF attacks, as demonstrated by enabling ...) - TODO: check + NOT-FOR-US: iBall WRB303N devices CVE-2020-15042 RESERVED CVE-2020-15041 (PHP-Fusion 9.03.60 allows XSS via the administration/site_links.php Ad ...) @@ -2289,11 +2289,11 @@ CVE-2020-14416 (In the Linux kernel before 5.4.16, a race condition in tty-d [jessie] - linux 3.16.84-1 NOTE: https://git.kernel.org/linus/0ace17d56824165c7f4c68785d6b58971db954dd CVE-2020-14414 (NeDi 1.9C is vulnerable to Remote Command Execution. pwsec.php imprope ...) - TODO: check + NOT-FOR-US: NeDi CVE-2020-14413 (NeDi 1.9C is vulnerable to XSS because of an incorrect implementation ...) - TODO: check + NOT-FOR-US: NeDi CVE-2020-14412 (NeDi 1.9C is vulnerable to Remote Command Execution. System-Snapshot.p ...) - TODO: check + NOT-FOR-US: NeDi CVE-2020-14411 RESERVED CVE-2020-14410 
@@ -3080,15 +3080,15 @@ CVE-2020-14074 (TRENDnet TEW-827DRU devices through 2.06B04 contain a stack-base CVE-2020-14073 (XSS exists in PRTG Network Monitor 20.1.56.1574 via crafted map proper ...) NOT-FOR-US: PRTG Network Monitor CVE-2020-14072 (An issue was discovered in MK-AUTH 19.01. It allows command execution ...) - TODO: check + NOT-FOR-US: MK-AUTH CVE-2020-14071 (An issue was discovered in MK-AUTH 19.01. XSS vulnerabilities in admin ...) - TODO: check + NOT-FOR-US: MK-AUTH CVE-2020-14070 (An issue was discovered in MK-AUTH 19.01. There is authentication bypa ...) - TODO: check + NOT-FOR-US: MK-AUTH CVE-2020-14069 (An issue was discovered in MK-AUTH 19.01. There are SQL injection issu ...) - TODO: check + NOT-FOR-US: MK-AUTH CVE-2020-14068 (An issue was discovered in MK-AUTH 19.01. The web login functionality ...) - TODO: check + NOT-FOR-US: MK-AUTH CVE-2020-14067 (The install_from_hash functionality in Navigate CMS 2.9 does not consi ...) NOT-FOR-US: Navigate CMS CVE-2020-14066 @@ -3525,7 +3525,7 @@ CVE-2020-13898 (An issue was discovered in janus-gateway (aka Janus
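Review bot: the last hunk, `@@ -3525,7 +3525,7 @@ CVE-2020-13898 (An issue was discovered in janus-gateway (aka Janus`, is cut off right after its header in this notification, so the janus-gateway change is not reviewable here and needs to be checked on GitLab. The remaining hunks only replace `TODO: check` with a `NOT-FOR-US: <vendor>` tag; the NeDi tags match the NeDi entries already marked NOT-FOR-US in the google-compute-image-packages commit in this batch, so they are consistent.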
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5af37f42 by Salvatore Bonaccorso at 2020-06-30T06:30:15+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18019,7 +18019,7 @@ CVE-2020-8575 CVE-2020-8574 RESERVED CVE-2020-8573 (The NetApp HCI H610S Baseboard Management Controller (BMC) is shipped ...) - TODO: check + NOT-FOR-US: NetApp CVE-2020-8572 (Element OS prior to version 12.0 and Element HealthTools prior to vers ...) NOT-FOR-US: Element OS CVE-2020-8571 (StorageGRID (formerly StorageGRID Webscale) versions 10.0.0 through 11 ...) @@ -19311,13 +19311,13 @@ CVE-2020-8024 (A Incorrect Default Permissions vulnerability in the packaging of CVE-2020-8023 RESERVED CVE-2020-8022 (A Incorrect Default Permissions vulnerability in the packaging of tomc ...) - TODO: check + NOT-FOR-US: SAP CVE-2020-8021 (a Improper Access Control vulnerability in of Open Build Service allow ...) TODO: check CVE-2020-8020 (A Improper Neutralization of Input During Web Page Generation vulnerab ...) TODO: check CVE-2020-8019 (A UNIX Symbolic Link (Symlink) Following vulnerability in the packagin ...) - TODO: check + NOT-FOR-US: SAP CVE-2020-8018 (A Incorrect Default Permissions vulnerability in the SLES15-SP1-CHOST- ...) NOT-FOR-US: Some SLES images CVE-2020-8017 (A Race Condition Enabling Link Following vulnerability in the cron job ...) @@ -27863,7 +27863,7 @@ CVE-2020-4559 CVE-2020-4558 RESERVED CVE-2020-4557 (IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4556 RESERVED CVE-2020-4555 
@@ -28073,7 +28073,7 @@ CVE-2020-4454 CVE-2020-4453 RESERVED CVE-2020-4452 (IBM API Connect V2018.4.1.0 through 2018.4.1.11 uses weaker than expec ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4451 RESERVED CVE-2020-4450 (IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5af37f4230b01970b7cb6b059d0e440723a1b694 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5af37f4230b01970b7cb6b059d0e440723a1b694 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
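Review bot: `NOT-FOR-US: SAP` on CVE-2020-8022 and CVE-2020-8019 is easy to misread as a SAP product, while the visible descriptions ("... in the packaging of tomc ...", "Symlink Following vulnerability in the packagin ...") concern another distribution's packaging; the neighbouring CVE-2020-8018 already uses the clearer `NOT-FOR-US: Some SLES images`, so a tag in that style, ideally with a short note that Debian's own tomcat packaging was compared, would make the dismissal verifiable. CVE-2020-8021 and CVE-2020-8020 stay at `TODO: check`, which is fine as long as a follow-up picks them up.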
[Git][security-tracker-team/security-tracker][master] Track nvidia-graphics-drivers-tesla-440 for CVE-2020-596{3,7}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: df70fded by Salvatore Bonaccorso at 2020-06-30T07:21:43+02:00 Track nvidia-graphics-drivers-tesla-440 for CVE-2020-596{3,7} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24354,6 +24354,7 @@ CVE-2020-5967 (NVIDIA Linux GPU Display Driver, all versions, contains a vulnera - nvidia-graphics-drivers-legacy-304xx [stretch] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) + - nvidia-graphics-drivers-tesla-440 440.95.01-1 - nvidia-graphics-drivers-tesla-418 418.152.00-1 NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5031/kw/Security%20Bulletin CVE-2020-5966 (NVIDIA Windows GPU Display Driver, all versions, contains a vulnerabil ...) @@ -24375,6 +24376,7 @@ CVE-2020-5963 (NVIDIA Windows GPU Display Driver, all versions, contains a vulne - nvidia-graphics-drivers-legacy-304xx [stretch] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) + - nvidia-graphics-drivers-tesla-440 440.95.01-1 - nvidia-graphics-drivers-tesla-418 418.152.00-1 NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5031/kw/Security%20Bulletin CVE-2020-5962 (NVIDIA Windows GPU Display Driver, all versions, contains a vulnerabil ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df70fded602d144b2216adc497f4521b0c6d8835 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df70fded602d144b2216adc497f4521b0c6d8835 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
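Review bot: CVE-2020-5963 is described in the hunk header as "NVIDIA Windows GPU Display Driver", yet Linux packages, now including `- nvidia-graphics-drivers-tesla-440 440.95.01-1`, are tracked under it; if the linked bulletin lists the Linux driver as affected for this CVE, add a NOTE saying so next to the bulletin URL, otherwise the Linux entries under CVE-2020-5963 need a second look. The tesla-440 line is added identically to both CVEs as the title says and, like the existing tesla-418 line, carries no per-suite annotations, so that part is consistent.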
[Git][security-tracker-team/security-tracker][master] Clarify associations between CVE-2020-1957 and CVE-2020-11989
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0d1d96c9 by Salvatore Bonaccorso at 2020-06-30T06:37:19+02:00 Clarify associations between CVE-2020-1957 and CVE-2020-11989 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8180,7 +8180,9 @@ CVE-2020-11989 (Apache Shiro before 1.5.3, when using Apache Shiro with Spring d NOTE: https://www.openwall.com/lists/oss-security/2020/06/22/1 NOTE: https://github.com/apache/shiro/pull/211 NOTE: https://issues.apache.org/jira/browse/SHIRO-753 - TODO: checking with shiro security team + NOTE: The original CVE-2020-1957 adressed in 1.5.2 introduced an encoding issue + NOTE: which can (security wise) be exploited, resulting in a 1.5.3 release. This + NOTE: CVE is closely related to CVE-2020-1957. CVE-2020-11988 RESERVED CVE-2020-11987 
@@ -35194,6 +35196,8 @@ CVE-2020-1957 (Apache Shiro before 1.5.2, when using Apache Shiro with Spring dy NOTE: https://www.openwall.com/lists/oss-security/2020/03/23/2 NOTE: Fixed by: https://github.com/apache/shiro/commit/3708d7907016bf2fa12691dff6ff0def1249b8ce#diff-98f7bc5c0391389e56531f8b3754081aL139 NOTE: https://github.com/apache/shiro/pull/203#issuecomment-606270322 + NOTE: Fix for CVE-2020-1957 introduces a (security sensitive) encoding issue + NOTE: resulting in a followup release 1.5.3. CVE-2020-1956 (Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restfu ...) NOT-FOR-US: Apache Kylin CVE-2020-1955 (CouchDB version 3.0.0 shipped with a new configuration setting that go ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d1d96c9bf366e3dc6221e3f7a4c614bb2ff4b87 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d1d96c9bf366e3dc6221e3f7a4c614bb2ff4b87 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
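Review bot: typo in the first hunk, `adressed` should be `addressed` in `NOTE: The original CVE-2020-1957 adressed in 1.5.2 introduced an encoding issue`; "(security wise)" would read better as "security-wise". The second hunk's note under CVE-2020-1957 gives the cross-reference in the other direction, so the two entries now point at each other, which is the right outcome for replacing the old `TODO: checking with shiro security team` line.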
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2263-1 for drupal7
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 7840006e by Ola Lundqvist at 2020-06-29T23:47:42+02:00 Reserve DLA-2263-1 for drupal7 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Jun 2020] DLA-2263-1 drupal7 - security update + {CVE-2020-13663} + [jessie] - drupal7 7.32-1+deb8u19 [29 Jun 2020] DLA-2262-1 qemu - security update {CVE-2020-1983 CVE-2020-13361 CVE-2020-13362 CVE-2020-13765} [jessie] - qemu 1:2.1+dfsg-12+deb8u15 = data/dla-needed.txt = @@ -46,8 +46,6 @@ coturn (Utkarsh Gupta) -- curl (Thorsten Alteholz) -- -drupal7 (Ola Lundqvist) --- freerdp NOTE: 20200510: Vulnerable to at least CVE-2020-11042. (lamby) NOTE: 20200531: Discussing if EOL'ing of freerdp (1.1) makes sense (sunweaver) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7840006e623fa4628f316772121c7347736f1714 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7840006e623fa4628f316772121c7347736f1714 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim shiro.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 81ee66b6 by Chris Lamb at 2020-06-29T10:10:11+01:00 data/dla-needed.txt: Claim shiro. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -125,7 +125,8 @@ rails (Sylvain Beucler) ruby-rack NOTE: probably not affected (parse_cookies_header() is not available in Jessie, but code might hide somewhere else) (thorsten) -- -shiro +shiro (Chris Lamb) + NOTE: 20200629: Taking this now as I did the last upload. (lamby) -- squid3 (Markus Koschany) NOTE: 20200622: https://people.debian.org/~apo/lts/squid3/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/81ee66b6c9a032f99c82e1e4b1b12b17ff6e9561
[Git][security-tracker-team/security-tracker][master] Add coturn to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f0e89b16 by Salvatore Bonaccorso at 2020-06-29T12:31:48+02:00 Add coturn to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the name of the source pa -- chromium -- +coturn (carnil) +-- docker.io (jmm) Packages rejected due to Built-Using on golang-github-prometheus-common, ftp-master team contacted. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0e89b16688d69f50283b2c581558286518681bd
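Review bot: the new `coturn (carnil)` entry gives no hint of which issue it is for, while the adjacent `docker.io (jmm)` entry carries an explanatory line; a short note naming the CVE (this batch adds CVE-2020-4067 for coturn) would let other team members see the scope without opening data/CVE/list.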
[Git][security-tracker-team/security-tracker][master] Add temporary description for CVE-2020-4067/coturn
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2ff4e8a6 by Salvatore Bonaccorso at 2020-06-29T12:30:36+02:00 Add temporary description for CVE-2020-4067/coturn - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28829,7 +28829,7 @@ CVE-2020-4069 RESERVED CVE-2020-4068 (In APNSwift 1.0.0, calling APNSwiftSigner.sign(digest:) is likely to r ...) TODO: check -CVE-2020-4067 +CVE-2020-4067 [STUN response buffer not initialized properly] RESERVED - coturn NOTE: https://github.com/coturn/coturn/security/advisories/GHSA-c8r8-8vp5-6gcm View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ff4e8a6d2d14b57419b88acfa6513651ca39b8d
[Git][security-tracker-team/security-tracker][master] 2 commits: Track fixed version for nvidia-graphics-drivers-legacy-390xx
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3d863603 by Salvatore Bonaccorso at 2020-06-29T08:32:05+02:00 Track fixed version for nvidia-graphics-drivers-legacy-390xx - - - - - a71e7da2 by Salvatore Bonaccorso at 2020-06-29T08:33:04+02:00 Add tracking Debian bug for nvidia-graphics-drivers-legacy-390xx issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24325,7 +24325,7 @@ CVE-2020-5967 (NVIDIA Linux GPU Display Driver, all versions, contains a vulnera [buster] - nvidia-graphics-drivers (Non-free not supported) [stretch] - nvidia-graphics-drivers (Non-free not supported) [jessie] - nvidia-graphics-drivers (Non-free not supported) - - nvidia-graphics-drivers-legacy-390xx + - nvidia-graphics-drivers-legacy-390xx 390.138-1 (bug #963908) [buster] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) 
@@ -24345,7 +24345,7 @@ CVE-2020-5963 (NVIDIA Windows GPU Display Driver, all versions, contains a vulne [buster] - nvidia-graphics-drivers (Non-free not supported) [stretch] - nvidia-graphics-drivers (Non-free not supported) [jessie] - nvidia-graphics-drivers (Non-free not supported) - - nvidia-graphics-drivers-legacy-390xx + - nvidia-graphics-drivers-legacy-390xx 390.138-1 (bug #963908) [buster] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) - nvidia-graphics-drivers-legacy-340xx [buster] - nvidia-graphics-drivers-legacy-340xx (Non-free not supported) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/13e7ca5bccc9ed1c988bcf96350223f45112ff85...a71e7da29ddc23394f7b07cefe0eb8cb4200955b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/13e7ca5bccc9ed1c988bcf96350223f45112ff85...a71e7da29ddc23394f7b07cefe0eb8cb4200955b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new google-compute-image-packages issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 32334cfa by Moritz Muehlenhoff at 2020-06-29T09:59:50+02:00 new google-compute-image-packages issues NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,9 @@ CVE-2020-15365 (LibRaw before 0.20-Beta3 has an out-of-bounds write in parse_exif() in ...) TODO: check CVE-2020-15364 (The Nexos theme through 1.7 for WordPress allows top-map/?search_locat ...) - TODO: check + NOT-FOR-US: Wordpress theme CVE-2020-15363 (The Nexos theme through 1.7 for WordPress allows side-map/?search_orde ...) - TODO: check + NOT-FOR-US: Wordpress theme CVE-2020-15362 RESERVED CVE-2020-15361 @@ -113,13 +113,13 @@ CVE-2020-15313 CVE-2020-15312 RESERVED CVE-2020-15311 (Stash 1.0.3 allows SQL Injection via the downloadmp3.php download para ...) - TODO: check + NOT-FOR-US: Stash CVE-2020-15310 RESERVED CVE-2020-15309 RESERVED CVE-2020-15308 (Support Incident Tracker (aka SiT! or SiTracker) 3.67 p2 allows post-a ...) - TODO: check + NOT-FOR-US: Support Incident Tracker CVE-2020-15307 RESERVED CVE-2020-15306 (An issue was discovered in OpenEXR before v2.5.2. Invalid chunkCount a ...) @@ -720,9 +720,9 @@ CVE-2020-15019 CVE-2020-15018 (playSMS through 1.4.3 is vulnerable to session fixation. ...) NOT-FOR-US: playSMS CVE-2020-15017 (NeDi 1.9C is vulnerable to reflected cross-site scripting. The Devices ...) - TODO: check + NOT-FOR-US: NeDi CVE-2020-15016 (NeDi 1.9C is vulnerable to reflected cross-site scripting. The Other-C ...) - TODO: check + NOT-FOR-US: NeDi CVE-2020-15015 (The FileExplorer component in GleamTech FileUltimate 6.1.5.0 allows XS ...) NOT-FOR-US: FileExplorer component in GleamTech FileUltimate CVE-2020-15014 (pramodmahato BlogCMS through 2019-12-31 has admin/changepass.php CSRF. ...) 
@@ -16831,7 +16831,7 @@ CVE-2020-9049 CVE-2020-9048 RESERVED CVE-2020-9047 (A vulnerability exists that could allow the execution of unauthorized ...) - TODO: check + NOT-FOR-US: exacqVision Web Service CVE-2020-9046 (A vulnerability in all versions of Kantech EntraPass Editions could po ...) NOT-FOR-US: Kantech CVE-2020-9045 (During installation or upgrade to Software House CCURE 9000 v2. ...) @@ -17128,7 +17128,9 @@ CVE-2020-8935 CVE-2020-8934 RESERVED CVE-2020-8933 (A vulnerability in Google Cloud Platform's guest-oslogin versions betw ...) - TODO: check + - google-compute-image-packages + NOTE: https://cloud.google.com/compute/docs/security-bulletins#2020619 + NOTE: https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29 CVE-2020-8932 RESERVED CVE-2020-8931 @@ -17182,7 +17184,9 @@ CVE-2020-8909 CVE-2020-8908 RESERVED CVE-2020-8907 (A vulnerability in Google Cloud Platform's guest-oslogin versions betw ...) - TODO: check + - google-compute-image-packages + NOTE: https://cloud.google.com/compute/docs/security-bulletins#2020619 + NOTE: https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29 CVE-2020-8906 RESERVED CVE-2020-8905 
@@ -17190,7 +17194,9 @@ CVE-2020-8905 CVE-2020-8904 RESERVED CVE-2020-8903 (A vulnerability in Google Cloud Platform's guest-oslogin versions betw ...) - TODO: check + - google-compute-image-packages + NOTE: https://cloud.google.com/compute/docs/security-bulletins#2020619 + NOTE: https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29 CVE-2020-8902 RESERVED CVE-2020-8901 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32334cfa0cd254023b8374cec1f928fc38264b85 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32334cfa0cd254023b8374cec1f928fc38264b85 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
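Review bot: the three `- google-compute-image-packages` lines added for CVE-2020-8933, CVE-2020-8907 and CVE-2020-8903 have no fixed version and no Debian bug reference, so the package shows as open in unstable with nothing pointing the maintainer at the fix; other entries in this batch record both, e.g. `- nvidia-graphics-drivers-legacy-390xx 390.138-1 (bug #963908)`, so file a bug, add `(bug #NNNNNN)` (placeholder) once it exists, and note which upstream release contains the linked guest-oslogin pull request. The push also mixes this package addition with unrelated NFU retagging in the first hunks under the single title "new google-compute-image-packages issues NFUs", which makes the package change harder to find in history later.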
[Git][security-tracker-team/security-tracker][master] Remove no-dsa tagged entries for CVE-2020-606{1,2}/coturn
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 697b3dd5 by Salvatore Bonaccorso at 2020-06-29T12:33:21+02:00 Remove no-dsa tagged entries for CVE-2020-606{1,2}/coturn - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24128,15 +24128,11 @@ CVE-2020-6063 (An exploitable out-of-bounds write vulnerability exists in the un NOT-FOR-US: Accusoft ImageGear CVE-2020-6062 (An exploitable denial-of-service vulnerability exists in the way CoTUR ...) - coturn 4.5.1.1-1.2 (bug #951876) - [buster] - coturn (Minor issue) - [stretch] - coturn (Minor issue) [jessie] - coturn (Vulnerable code introduced later) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-0985 NOTE: https://github.com/coturn/coturn/commit/e09bcd9f7af5b32c81b37f51835b384b5a7d03a8 CVE-2020-6061 (An exploitable heap overflow vulnerability exists in the way CoTURN 4. ...) - coturn 4.5.1.1-1.2 (bug #951876) - [buster] - coturn (Minor issue) - [stretch] - coturn (Minor issue) [jessie] - coturn (Vulnerable code introduced later) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-0984 NOTE: https://github.com/coturn/coturn/commit/51a7c2b9bf924890c7a3ff4db9c4976c5a93340a View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/697b3dd5eb6850c70a001f54ca921fe1bfe5e881 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/697b3dd5eb6850c70a001f54ca921fe1bfe5e881 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
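Review bot: the hunk counts (15 old lines, 11 new) confirm that only the `[buster]` and `[stretch]` `(Minor issue)` lines are removed for CVE-2020-6062 and CVE-2020-6061; the `- coturn 4.5.1.1-1.2 (bug #951876)` and `[jessie]` lines remain as context, which the flattened rendering of the diff obscures. With the no-dsa tags gone both suites now count as vulnerable with no fixed version, so if the intent is to fix them together with the coturn update queued in dsa-needed in this batch, a NOTE saying so would keep the reasoning in data/CVE/list rather than only in the commit title.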
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2cf73ff6 by security tracker role at 2020-06-29T08:10:18+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19596,16 +19596,16 @@ CVE-2019-20416 RESERVED CVE-2019-20415 RESERVED -CVE-2019-20414 - RESERVED -CVE-2019-20413 - RESERVED -CVE-2019-20412 - RESERVED -CVE-2019-20411 - RESERVED -CVE-2019-20410 - RESERVED +CVE-2019-20414 (Affected versions of Atlassian Jira Server and Data Center allow remot ...) + TODO: check +CVE-2019-20413 (Affected versions of Atlassian Jira Server and Data Center allow remot ...) + TODO: check +CVE-2019-20412 (The Convert Sub-Task to Issue page in affected versions of Atlassian J ...) + TODO: check +CVE-2019-20411 (Affected versions of Atlassian Jira Server and Data Center allow remot ...) + TODO: check +CVE-2019-20410 (Affected versions of Atlassian Jira Server and Data Center allow remot ...) + TODO: check CVE-2019-20409 (The way in which velocity templates were used in Atlassian Jira Server ...) NOT-FOR-US: Atlassian CVE-2019-20408 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2cf73ff6496ef8dfd3e2e0a3680e09c52948c7c4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2cf73ff6496ef8dfd3e2e0a3680e09c52948c7c4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-4067/coturn
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ec27737 by Salvatore Bonaccorso at 2020-06-29T12:29:42+02:00 Add CVE-2020-4067/coturn - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28831,6 +28831,9 @@ CVE-2020-4068 (In APNSwift 1.0.0, calling APNSwiftSigner.sign(digest:) is likely TODO: check CVE-2020-4067 RESERVED + - coturn + NOTE: https://github.com/coturn/coturn/security/advisories/GHSA-c8r8-8vp5-6gcm + NOTE: https://github.com/coturn/coturn/commit/170da1140797748ae85565b5a93a2e35e7b07b6a CVE-2020-4066 (In Limdu before 0.95, the trainBatch function has a command injection ...) TODO: check CVE-2020-4065 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ec27737baf526b284cd430f610b679eb23fcf02
[Git][security-tracker-team/security-tracker][master] CVE-2020-14396/libvncserver/jessie: not affected
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: 6fc0010d by Mike Gabriel at 2020-06-29T15:51:34+02:00 CVE-2020-14396/libvncserver/jessie: not affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2329,6 +2329,7 @@ CVE-2020-14397 (An issue was discovered in LibVNCServer before 0.9.13. libvncser NOTE: https://github.com/LibVNC/libvncserver/commit/38e98ee61d74f5f5ab4aa4c77146faad1962d6d0 CVE-2020-14396 (An issue was discovered in LibVNCServer before 0.9.13. libvncclient/tl ...) - libvncserver + [jessie] - libvncserver (Vulnerable code not present) NOTE: https://github.com/LibVNC/libvncserver/commit/33441d90a506d5f3ae9388f2752901227e430553 CVE-2020-14395 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6fc0010df8ad7378eea4c2db67217dfa5c4259dd
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2018-21247/libvncserver fixed already in 0.9.11+dfsg-1.2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a043fd81 by Salvatore Bonaccorso at 2020-06-29T15:50:46+02:00 CVE-2018-21247/libvncserver fixed already in 0.9.11+dfsg-1.2 - - - - - b8129f55 by Salvatore Bonaccorso at 2020-06-29T15:50:47+02:00 Track fixes for CVE-2018-21247 (fixed with same commit as CVE-2018-20023) - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/DSA/list Changes: = data/CVE/list = @@ -2713,7 +2713,7 @@ CVE-2019-20839 (libvncclient/sockets.c in LibVNCServer before 0.9.13 has a buffe - libvncserver NOTE: https://github.com/LibVNC/libvncserver/commit/3fd03977c9b35800d73a865f167338cb4d05b0c1 CVE-2018-21247 (An issue was discovered in LibVNCServer before 0.9.13. There is an inf ...) - - libvncserver 0.9.12+dfsg-3 + - libvncserver 0.9.11+dfsg-1.2 NOTE: https://github.com/LibVNC/libvncserver/issues/253 NOTE: https://github.com/LibVNC/libvncserver/commit/8b06f835e259652b0ff026898014fc7297ade858 CVE-2020-14215 = data/DLA/list = @@ -1991,7 +1991,7 @@ {CVE-2017-8361 CVE-2017-8362 CVE-2017-8363 CVE-2017-8365 CVE-2017-14245 CVE-2017-14246 CVE-2017-14634 CVE-2018-13139 CVE-2018-19432 CVE-2018-19661 CVE-2018-19662} [jessie] - libsndfile 1.0.25-9.1+deb8u2 [25 Dec 2018] DLA-1617-1 libvncserver - security update - {CVE-2018-6307 CVE-2018-15127 CVE-2018-20019 CVE-2018-20020 CVE-2018-20021 CVE-2018-20022 CVE-2018-20023 CVE-2018-20024} + {CVE-2018-6307 CVE-2018-15127 CVE-2018-20019 CVE-2018-20020 CVE-2018-20021 CVE-2018-20022 CVE-2018-20023 CVE-2018-20024 CVE-2018-21247} [jessie] - libvncserver 0.9.9+dfsg2-6.1+deb8u4 [24 Dec 2018] DLA-1616-1 libextractor - security update {CVE-2018-20430 CVE-2018-20431} = data/DSA/list = 
@@ -1142,7 +1142,7 @@ {CVE-2019-6977 CVE-2019-6978} [stretch] - libgd2 2.2.4-2+deb9u4 [03 Feb 2019] DSA-4383-1 libvncserver - security update - {CVE-2018-6307 CVE-2018-15126 CVE-2018-15127 CVE-2018-20019 CVE-2018-20020 CVE-2018-20021 CVE-2018-20022 CVE-2018-20023 CVE-2018-20024} + {CVE-2018-6307 CVE-2018-15126 CVE-2018-15127 CVE-2018-20019 CVE-2018-20020 CVE-2018-20021 CVE-2018-20022 CVE-2018-20023 CVE-2018-20024 CVE-2018-21247} [stretch] - libvncserver 0.9.11+dfsg-1.3~deb9u1 [02 Feb 2019] DSA-4382-1 rssh - security update {CVE-2019-3463 CVE-2019-3464} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a7cd14c32fea5e8abe896ca1dbfdd3a9e4fe045d...b8129f5518de15d3e449359ef0c085214a112a8e
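Review bot: the commit message states that CVE-2018-21247 was fixed by the same upstream commit as CVE-2018-20023, which is the justification both for lowering the unstable fixed version to 0.9.11+dfsg-1.2 and for appending the CVE to DLA-1617-1 and DSA-4383-1 retroactively, but none of the hunks records that reasoning in the data itself: the CVE/list entry keeps only the issue and commit URLs. A NOTE line there (for example `NOTE: Fixed by the same commit as CVE-2018-20023, covered by DLA-1617-1 and DSA-4383-1`) would let the next triager see why the advisory lists were edited long after publication without digging through git history.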
[Git][security-tracker-team/security-tracker][master] CVE-2019-20840/libvncserver/jessie: not affected
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: a7cd14c3 by Mike Gabriel at 2020-06-29T15:36:01+02:00 CVE-2019-20840/libvncserver/jessie: not affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2707,6 +2707,7 @@ CVE-2020-14216 RESERVED CVE-2019-20840 (An issue was discovered in LibVNCServer before 0.9.13. libvncserver/ws ...) - libvncserver + [jessie] - libvncserver (Vulnerable code not present) NOTE: https://github.com/LibVNC/libvncserver/commit/0cf1400c61850065de590d403f6d49e32882fd76 CVE-2019-20839 (libvncclient/sockets.c in LibVNCServer before 0.9.13 has a buffer over ...) - libvncserver View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7cd14c32fea5e8abe896ca1dbfdd3a9e4fe045d
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2020-4067/coturn
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ac99f31f by Salvatore Bonaccorso at 2020-06-29T16:46:25+02:00 Add fixed version for CVE-2020-4067/coturn - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28829,7 +28829,7 @@ CVE-2020-4068 (In APNSwift 1.0.0, calling APNSwiftSigner.sign(digest:) is likely TODO: check CVE-2020-4067 [STUN response buffer not initialized properly] RESERVED - - coturn + - coturn 4.5.1.3-1 NOTE: https://github.com/coturn/coturn/security/advisories/GHSA-c8r8-8vp5-6gcm NOTE: https://github.com/coturn/coturn/commit/170da1140797748ae85565b5a93a2e35e7b07b6a CVE-2020-4066 (In Limdu before 0.95, the trainBatch function has a command injection ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac99f31f3d24f715ad1e582f192f8133d2098bf9
[Git][security-tracker-team/security-tracker][master] CVE-2020-14398/libvncserver/jessie: ignore, possibly ABI breakage
Mike Gabriel pushed to branch master at Debian Security Tracker / security-tracker Commits: e6049f97 by Mike Gabriel at 2020-06-29T16:50:00+02:00 CVE-2020-14398/libvncserver/jessie: ignore, possibly ABI breakage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2323,6 +2323,7 @@ CVE-2020-14399 (An issue was discovered in LibVNCServer before 0.9.13. Byte-alig NOTE: https://github.com/LibVNC/libvncserver/commit/23e5cbe6b090d7f22982aee909a6a618174d3c2d CVE-2020-14398 (An issue was discovered in LibVNCServer before 0.9.13. An improperly c ...) - libvncserver + [jessie] - libvncserver (Proposed patch might break ABI consumers) NOTE: https://github.com/LibVNC/libvncserver/commit/57433015f856cc12753378254ce4f1c78f5d9c7b CVE-2020-14397 (An issue was discovered in LibVNCServer before 0.9.13. libvncserver/rf ...) - libvncserver View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6049f9728bbaf4b94e255f43001d73ed7c51588
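Review bot: the jessie reason `Proposed patch might break ABI consumers` records the conclusion but not what was inspected; since the NOTE already links the upstream commit 57433015f856cc12753378254ce4f1c78f5d9c7b, a few words on which exported interface that patch changes, or a link to the discussion that reached this decision, would let a later LTS maintainer re-evaluate the ignore without redoing the analysis. Also, as shown the line has no `<ignored>` tag between the package name and the reason, which is how the tracker records this decision; if the tag was not merely lost in rendering, it needs to be added.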
[Git][security-tracker-team/security-tracker][master] Reserve DSA for coturn update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7933bbdf by Salvatore Bonaccorso at 2020-06-29T18:11:40+02:00 Reserve DSA for coturn update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[29 Jun 2020] DSA-4711-1 coturn - security update + {CVE-2020-4067 CVE-2020-6061 CVE-2020-6062} + [stretch] - coturn 4.5.0.5-1+deb9u2 + [buster] - coturn 4.5.1.1-1.1+deb10u1 [27 Jun 2020] DSA-4710-1 trafficserver - security update {CVE-2020-9494} [buster] - trafficserver 8.0.2+ds-1+deb10u3 = data/dsa-needed.txt = @@ -14,8 +14,6 @@ If needed, specify the release by adding a slash after the name of the source pa -- chromium -- -coturn (carnil) --- docker.io (jmm) Packages rejected due to Built-Using on golang-github-prometheus-common, ftp-master team contacted. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7933bbdf43c2e2f37b828180eaeef1a1d9930317
[Git][security-tracker-team/security-tracker][master] nvidia spu/ospu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8b29de2a by Moritz Muehlenhoff at 2020-06-29T18:53:20+02:00 nvidia spu/ospu - - - - - 2 changed files: - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -135,3 +135,7 @@ CVE-2020-0182 [stretch] - libexif 0.6.21-2+deb9u4 CVE-2020-0198 [stretch] - libexif 0.6.21-2+deb9u4 +CVE-2020-5963 + [stretch] - nvidia-graphics-drivers 390.138-1 +CVE-2020-5967 + [stretch] - nvidia-graphics-drivers 390.138-1 = data/next-point-update.txt = @@ -86,3 +86,7 @@ CVE-2020-0182 [buster] - libexif 0.6.21-5.1+deb10u4 CVE-2020-0198 [buster] - libexif 0.6.21-5.1+deb10u4 +CVE-2020-5963 + [buster] - nvidia-graphics-drivers-legacy-390xx 390.138-1~deb10u1 +CVE-2020-5967 + [buster] - nvidia-graphics-drivers-legacy-390xx 390.138-1~deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b29de2a1dab90298287ad47a52808c37569636b
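Review bot: the two hunks name different source packages and version schemes for the same fix (stretch: `nvidia-graphics-drivers 390.138-1`, buster: `nvidia-graphics-drivers-legacy-390xx 390.138-1~deb10u1`); that is plausible if the 390 series lives under a differently named source package in buster, but the stretch version without a ~deb9uN suffix is worth double-checking against the version that will actually be accepted into the point release, because a mismatch leaves both CVEs shown as unfixed in stretch after the release.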
[Git][security-tracker-team/security-tracker][master] Claim coturn
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: f721bfa2 by Utkarsh Gupta at 2020-06-29T22:54:04+05:30 Claim coturn and add a note for jackson-databind - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -42,6 +42,8 @@ condor (Roberto C. Sánchez) NOTE: 20200531: Patches are linked from https://security-tracker.debian.org/tracker/CVE-2019-18823 (bunk) NOTE: 20200627: Updates prepared (for jessie/stretch/buster); coordinating with security team for testing (roberto) -- +coturn (Utkarsh Gupta) +-- curl (Thorsten Alteholz) -- drupal7 (Ola Lundqvist) @@ -57,8 +59,8 @@ gupnp imagemagick (Markus Koschany) NOTE: 20200622: Ongoing work -- -jackson-databind (Utkarsh Guta) - NOTE: 20200623: probably Markus or Utkarsh want to do the upload (thorsten) +jackson-databind (Utkarsh Gupta) + NOTE: 20200629: WIP (utkarsh) -- libdatetime-timezone-perl NOTE: 20200514: LTS update must wait on oldstable update first (via point release) to prevent newer version in LTS (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f721bfa26954ed3b99c9bdb4116fb721cb5fd1a9
[Git][security-tracker-team/security-tracker][master] Track nvidia-graphics-drivers-tesla-418 as well for CVE-2020-59{63,67}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b1fe6315 by Salvatore Bonaccorso at 2020-06-29T22:01:07+02:00 Track nvidia-graphics-drivers-tesla-418 as well for CVE-2020-59{63,67} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24345,6 +24345,7 @@ CVE-2020-5967 (NVIDIA Linux GPU Display Driver, all versions, contains a vulnera - nvidia-graphics-drivers-legacy-304xx [stretch] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) + - nvidia-graphics-drivers-tesla-418 418.152.00-1 NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5031/kw/Security%20Bulletin CVE-2020-5966 (NVIDIA Windows GPU Display Driver, all versions, contains a vulnerabil ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver @@ -24365,6 +24366,7 @@ CVE-2020-5963 (NVIDIA Windows GPU Display Driver, all versions, contains a vulne - nvidia-graphics-drivers-legacy-304xx [stretch] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) [jessie] - nvidia-graphics-drivers-legacy-304xx (Non-free not supported) + - nvidia-graphics-drivers-tesla-418 418.152.00-1 NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5031/kw/Security%20Bulletin CVE-2020-5962 (NVIDIA Windows GPU Display Driver, all versions, contains a vulnerabil ...) NOT-FOR-US: NVIDIA Windows GPU Display Driver View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b1fe6315fcd0250489cfb0f614b21d3d8889a8f0
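Review bot: the context line of the second hunk describes CVE-2020-5963 as `NVIDIA Windows GPU Display Driver, all versions, ...`, yet the hunk adds a fixed Linux package (`nvidia-graphics-drivers-tesla-418 418.152.00-1`) to it exactly as it does for CVE-2020-5967, whose description names the Linux driver. Since the only reference is the generic NVIDIA bulletin URL, a NOTE stating where that bulletin lists CVE-2020-5963 for the Linux driver (if that is the basis for tracking it here) would stop the next reader from suspecting a copy-paste slip between the two entries.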
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2020-11989
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b157e921 by Salvatore Bonaccorso at 2020-06-29T21:41:30+02:00 Update notes for CVE-2020-11989 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8170,7 +8170,9 @@ CVE-2020-11990 CVE-2020-11989 (Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic ...) - shiro NOTE: https://www.openwall.com/lists/oss-security/2020/06/22/1 - TODO: check details + NOTE: https://github.com/apache/shiro/pull/211 + NOTE: https://issues.apache.org/jira/browse/SHIRO-753 + TODO: checking with shiro security team CVE-2020-11988 RESERVED CVE-2020-11987 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b157e92149c5070726d943a694411d02875c4e27
[Git][security-tracker-team/security-tracker][master] Several libvncserver issues fixed via unstable upload
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d49f0758 by Salvatore Bonaccorso at 2020-06-29T21:58:49+02:00 Several libvncserver issues fixed via unstable upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -2301,35 +2301,35 @@ CVE-2020-14407 CVE-2020-14406 RESERVED CVE-2020-14405 (An issue was discovered in LibVNCServer before 0.9.13. libvncclient/rf ...) - - libvncserver + - libvncserver 0.9.13+dfsg-1 NOTE: https://github.com/LibVNC/libvncserver/commit/8937203441ee241c4ace85da687b7d6633a12365 CVE-2020-14404 (An issue was discovered in LibVNCServer before 0.9.13. libvncserver/rr ...) - - libvncserver + - libvncserver 0.9.13+dfsg-1 NOTE: https://github.com/LibVNC/libvncserver/commit/74e8a70f2c9a5248d6718ce443e07c7ed314dfff CVE-2020-14403 (An issue was discovered in LibVNCServer before 0.9.13. libvncserver/he ...) - - libvncserver + - libvncserver 0.9.13+dfsg-1 NOTE: https://github.com/LibVNC/libvncserver/commit/74e8a70f2c9a5248d6718ce443e07c7ed314dfff CVE-2020-14402 (An issue was discovered in LibVNCServer before 0.9.13. libvncserver/co ...) - - libvncserver + - libvncserver 0.9.13+dfsg-1 NOTE: https://github.com/LibVNC/libvncserver/commit/74e8a70f2c9a5248d6718ce443e07c7ed314dfff CVE-2020-14401 (An issue was discovered in LibVNCServer before 0.9.13. libvncserver/sc ...) - - libvncserver + - libvncserver 0.9.13+dfsg-1 NOTE: https://github.com/LibVNC/libvncserver/commit/a6788d1da719ae006605b78d22f5a9f170b423af CVE-2020-14400 (An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned da ...) - - libvncserver + - libvncserver 0.9.13+dfsg-1 NOTE: https://github.com/LibVNC/libvncserver/commit/53073c8d7e232151ea2ecd8a1243124121e10e2d CVE-2020-14399 (An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned da ...) - - libvncserver + - libvncserver 0.9.13+dfsg-1 NOTE: https://github.com/LibVNC/libvncserver/commit/23e5cbe6b090d7f22982aee909a6a618174d3c2d CVE-2020-14398 (An issue was discovered in LibVNCServer before 0.9.13. An improperly c ...) 
- - libvncserver + - libvncserver 0.9.13+dfsg-1 [jessie] - libvncserver (Proposed patch might break ABI consumers) NOTE: https://github.com/LibVNC/libvncserver/commit/57433015f856cc12753378254ce4f1c78f5d9c7b CVE-2020-14397 (An issue was discovered in LibVNCServer before 0.9.13. libvncserver/rf ...) - - libvncserver + - libvncserver 0.9.13+dfsg-1 NOTE: https://github.com/LibVNC/libvncserver/commit/38e98ee61d74f5f5ab4aa4c77146faad1962d6d0 CVE-2020-14396 (An issue was discovered in LibVNCServer before 0.9.13. libvncclient/tl ...) - - libvncserver + - libvncserver 0.9.13+dfsg-1 [jessie] - libvncserver (Vulnerable code not present) NOTE: https://github.com/LibVNC/libvncserver/commit/33441d90a506d5f3ae9388f2752901227e430553 CVE-2020-14395 @@ -2708,11 +2708,11 @@ CVE-2020-14217 CVE-2020-14216 RESERVED CVE-2019-20840 (An issue was discovered in LibVNCServer before 0.9.13. libvncserver/ws ...) - - libvncserver + - libvncserver 0.9.13+dfsg-1 [jessie] - libvncserver (Vulnerable code not present) NOTE: https://github.com/LibVNC/libvncserver/commit/0cf1400c61850065de590d403f6d49e32882fd76 CVE-2019-20839 (libvncclient/sockets.c in LibVNCServer before 0.9.13 has a buffer over ...) - - libvncserver + - libvncserver 0.9.13+dfsg-1 NOTE: https://github.com/LibVNC/libvncserver/commit/3fd03977c9b35800d73a865f167338cb4d05b0c1 CVE-2018-21247 (An issue was discovered in LibVNCServer before 0.9.13. There is an inf ...) - libvncserver 0.9.11+dfsg-1.2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d49f0758f30ca95ea6db90fe283d5d4d2bac9165
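Review bot: for CVE-2020-14398 the hunk records the unstable fix (`0.9.13+dfsg-1`) and keeps the jessie line `(Proposed patch might break ABI consumers)`, but the entry has no [stretch] or [buster] status at all. If the ABI concern that justifies skipping jessie applies to the libvncserver versions shipped in stretch and buster too, record a decision for those suites (postponed or no-dsa with the same reason) so the tracker does not keep showing them as plainly unfixed with no explanation.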
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2262-1 for qemu
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 8b08ab25 by Adrian Bunk at 2020-06-29T23:45:12+03:00 Reserve DLA-2262-1 for qemu - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[29 Jun 2020] DLA-2262-1 qemu - security update + {CVE-2020-1983 CVE-2020-13361 CVE-2020-13362 CVE-2020-13765} + [jessie] - qemu 1:2.1+dfsg-12+deb8u15 [28 Jun 2020] DLA-2261-1 php5 - security update {CVE-2019-11048} [jessie] - php5 5.6.40+dfsg-0+deb8u12 = data/dla-needed.txt = @@ -115,11 +115,6 @@ perl (Abhijith PA) python3.4 (Sylvain Beucler) NOTE: 20200623: waiting for CVE-2020-14422's patch to be approved upstream -- -qemu (Adrian Bunk) - NOTE: 20200531: waiting for CVE-2020-13362 fix to be applied upstream (bunk) - NOTE: 20200615: work is ongoing (bunk) - NOTE: 20200629: pending release (bunk) --- rails (Sylvain Beucler) NOTE: 20200624: asked for upstream feedback on regression NOTE: 20200624: https://github.com/rails/rails/issues/39301 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b08ab2524a1fb1e116a48a0fe62dc0a72f7dd5d
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-14145/openssh
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ef19fe3e by Salvatore Bonaccorso at 2020-06-29T21:51:56+02:00 Add CVE-2020-14145/openssh This is a corresponding issue to the already tracked CVE-2020-14002/putty issue. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2900,6 +2900,11 @@ CVE-2020-14146 (KumbiaPHP through 1.1.1, in Development mode, allows XSS via the NOT-FOR-US: KumbiaPHP CVE-2020-14145 RESERVED + - openssh (unimportant) + NOTE: https://www.fzi.de/en/news/news/detail-en/artikel/fsa-2020-2-ausnutzung-eines-informationslecks-fuer-gezielte-mitm-angriffe-auf-ssh-clients/ + NOTE: https://www.fzi.de/fileadmin/user_upload/2020-06-26-FSA-2020-2.pdf + NOTE: The OpenSSH project is not planning to change the behaviour of OpenSSH regarding + NOTE: the issue, details in "3.1 OpenSSH" in the publication. CVE-2020-14144 RESERVED CVE-2020-14143 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef19fe3ef6b857166d269d1fe60606b440bb72e2
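Review bot: the entry stays `RESERVED` with no bracketed summary, unlike the `CVE-2020-4067 [STUN response buffer not initialized properly] RESERVED` form used for coturn in this same batch; a short `[...]` summary (the FZI advisory URL already gives the gist: an information leak usable for targeted MITM against SSH clients) would let the tracker show what the unimportant rating refers to while the CVE text is still reserved. The two NOTE lines explaining that upstream OpenSSH does not intend to change behaviour are the actual justification for `unimportant` and are good to keep next to the rating.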
[Git][security-tracker-team/security-tracker][master] Several freerdp2 issues fixed via unstable upload
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8b5a98e8 by Salvatore Bonaccorso at 2020-06-29T21:56:58+02:00 Several freerdp2 issues fixed via unstable upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11462,31 +11462,31 @@ CVE-2016-11024 (odata4j 0.7.0 allows ExecuteJPQLQueryCommand.java SQL injection. CVE-2016-11023 (odata4j 0.7.0 allows ExecuteCountQueryCommand.java SQL injection. NOTE ...) NOT-FOR-US: odata4j CVE-2020-11099 (In FreeRDP before version 2.1.2, there is an out of bounds read in lic ...) - - freerdp2 + - freerdp2 2.1.2+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-977w-866x-4v5h CVE-2020-11098 (In FreeRDP before version 2.1.2, there is an out-of-bound read in glyp ...) - - freerdp2 + - freerdp2 2.1.2+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-jr57-f58x-hjmv CVE-2020-11097 (In FreeRDP before version 2.1.2, an out of bounds read occurs resultin ...) - - freerdp2 + - freerdp2 2.1.2+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c8x2-c3c9-9r3f CVE-2020-11096 (In FreeRDP before version 2.1.2, there is a global OOB read in update_ ...) - - freerdp2 + - freerdp2 2.1.2+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mjw7-3mq2-996x CVE-2020-11095 (In FreeRDP before version 2.1.2, an out of bound reads occurs resultin ...) - - freerdp2 + - freerdp2 2.1.2+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue)
@@ -28901,25 +28901,25 @@ CVE-2020-4035 (In WatermelonDB (NPM package "@nozbe/watermelondb") before versio CVE-2020-4034 RESERVED CVE-2020-4033 (In FreeRDP before version 2.1.2, there is an out of bounds read in RLE ...) - - freerdp2 + - freerdp2 2.1.2+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7rhj-856w-82p8 CVE-2020-4032 (In FreeRDP before version 2.1.2, there is an integer casting vulnerabi ...) - - freerdp2 + - freerdp2 2.1.2+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3898-mc89-x2vc CVE-2020-4031 (In FreeRDP before version 2.1.2, there is a use-after-free in gdi_Sele ...) - - freerdp2 + - freerdp2 2.1.2+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-gwcq-hpq2-m74g CVE-2020-4030 (In FreeRDP before version 2.1.2, there is an out of bounds read in Tri ...) - - freerdp2 + - freerdp2 2.1.2+dfsg1-1 [buster] - freerdp2 (Minor issue) - freerdp [stretch] - freerdp (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b5a98e86041791f85a8df5633ef09a5bd896324
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ec96ed1d by security tracker role at 2020-06-29T20:10:27+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,11 +1,15 @@ +CVE-2020-15367 + RESERVED +CVE-2020-15366 + RESERVED CVE-2020-15365 (LibRaw before 0.20-Beta3 has an out-of-bounds write in parse_exif() in ...) TODO: check CVE-2020-15364 (The Nexos theme through 1.7 for WordPress allows top-map/?search_locat ...) NOT-FOR-US: Wordpress theme CVE-2020-15363 (The Nexos theme through 1.7 for WordPress allows side-map/?search_orde ...) NOT-FOR-US: Wordpress theme -CVE-2020-15362 - RESERVED +CVE-2020-15362 (wifiscanner.js in thingsSDK WiFi Scanner 1.0.1 allows Code Injection b ...) + TODO: check CVE-2020-15361 RESERVED CVE-2020-15360 (com.docker.vmnetd in Docker Desktop 2.3.0.3 allows privilege escalatio ...) @@ -21,11 +25,11 @@ CVE-2020-15358 (In SQLite before 3.32.3, select.c mishandles query-flattener opt NOTE: https://www.sqlite.org/src/info/10fa79d00f8091e5 NOTE: https://www.sqlite.org/src/tktview?name=8f157e8010 CVE-2020-15356 - RESERVED + REJECTED CVE-2020-15355 - RESERVED + REJECTED CVE-2020-15354 - RESERVED + REJECTED CVE-2013-7489 (The Beaker library through 1.11.0 for Python is affected by deserializ ...) TODO: check CVE-2020-15353 
@@ -86,32 +90,32 @@ CVE-2020-15326 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded certi NOT-FOR-US: Zyxel CVE-2020-15325 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded Erlang cook ...) NOT-FOR-US: Zyxel -CVE-2020-15324 - RESERVED -CVE-2020-15323 - RESERVED -CVE-2020-15322 - RESERVED -CVE-2020-15321 - RESERVED -CVE-2020-15320 - RESERVED -CVE-2020-15319 - RESERVED -CVE-2020-15318 - RESERVED -CVE-2020-15317 - RESERVED -CVE-2020-15316 - RESERVED -CVE-2020-15315 - RESERVED -CVE-2020-15314 - RESERVED -CVE-2020-15313 - RESERVED -CVE-2020-15312 - RESERVED +CVE-2020-15324 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a world-readable axess/ ...) + TODO: check +CVE-2020-15323 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the cloud1234 password ...) + TODO: check +CVE-2020-15322 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the wbboEZ4BN3ssxAfM ha ...) + TODO: check +CVE-2020-15321 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the axzyxel password fo ...) + TODO: check +CVE-2020-15320 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has the axiros password for ...) + TODO: check +CVE-2020-15319 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded RSA SSH key ...) + TODO: check +CVE-2020-15318 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded DSA SSH key ...) + TODO: check +CVE-2020-15317 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded RSA SSH key ...) + TODO: check +CVE-2020-15316 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded ECDSA SSH k ...) + TODO: check +CVE-2020-15315 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded DSA SSH key ...) + TODO: check +CVE-2020-15314 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded RSA SSH key ...) + TODO: check +CVE-2020-15313 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded ECDSA SSH k ...) + TODO: check +CVE-2020-15312 (Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded DSA SSH key ...) 
+ TODO: check CVE-2020-15311 (Stash 1.0.3 allows SQL Injection via the downloadmp3.php download para ...) NOT-FOR-US: Stash CVE-2020-15310 @@ -602,8 +606,8 @@ CVE-2020-15071 RESERVED CVE-2020-15070 RESERVED -CVE-2020-15069 - RESERVED +CVE-2020-15069 (Sophos XG Firewall 17.x through v17.5 MR12 allows a Buffer Overflow an ...) + TODO: check CVE-2020-15068 RESERVED CVE-2020-15067 @@ -660,8 +664,8 @@ CVE-2020-15045 RESERVED CVE-2020-15044 RESERVED -CVE-2020-15043 - RESERVED +CVE-2020-15043 (iBall WRB303N devices allow CSRF attacks, as demonstrated by enabling ...) + TODO: check CVE-2020-15042 RESERVED CVE-2020-15041 (PHP-Fusion 9.03.60 allows XSS via the administration/site_links.php Ad ...) @@ -2282,12 +2286,12 @@ CVE-2020-14416 (In the Linux kernel before 5.4.16, a race condition in tty-d [stretch] - linux 4.9.210-1+deb9u1 [jessie] - linux 3.16.84-1 NOTE: https://git.kernel.org/linus/0ace17d56824165c7f4c68785d6b58971db954dd -CVE-2020-14414 - RESERVED -CVE-2020-14413 - RESERVED -CVE-2020-14412 - RESERVED +CVE-2020-14414 (NeDi 1.9C is vulnerable to Remote Command Execution. pwsec.php imprope ...) + TODO: check