[Git][security-tracker-team/security-tracker][master] stable triage

2021-01-06 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9ace03d7 by Moritz Muehlenhoff at 2021-01-07T08:11:52+01:00
stable triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -2673,10 +2673,12 @@ CVE-2020-36068
RESERVED
 CVE-2020-36067 (GJSON =v1.6.5 allows attackers to cause a denial of 
service (panic ...)
- golang-github-tidwall-gjson 
+   [buster] - golang-github-tidwall-gjson  (Minor issue)
NOTE: https://github.com/tidwall/gjson/issues/196
NOTE: 
https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b
 CVE-2020-36066 (GJSON 1.6.5 allows attackers to cause a denial of service 
(remote) ...)
- golang-github-tidwall-gjson 
+   [buster] - golang-github-tidwall-gjson  (Minor issue)
NOTE: https://github.com/tidwall/gjson/issues/195
NOTE: 
https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc
 CVE-2020-36065
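Review bot: the buster tags on both gjson entries carry the reason text (Minor issue) but, as rendered here, no state token between the package name and the parenthesis, and the unstable line `- golang-github-tidwall-gjson ` shows no version or token either; confirm the committed file has the intended tokens, since this rendering also appears to have lost the comparison operator in `GJSON =v1.6.5`, so angle-bracketed words do not survive on this page. Separately, the fix linked for CVE-2020-36066 is a commit in tidwall/match, not in gjson, so the entry should record whether golang-github-tidwall-gjson vendors match or whether the Debian fix has to land in the match package instead.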
@@ -6719,6 +6721,7 @@ CVE-2020-35546
RESERVED
 CVE-2020-35545 (Time-based SQL injection exists in Spotweb 1.4.9 via the query 
string. ...)
- spotweb  (bug #977719)
+   [buster] - spotweb  (Minor issue)
NOTE: https://github.com/spotweb/spotweb/issues/629
NOTE: 
https://github.com/spotweb/spotweb/commit/fefb39ad143caad021ad496427617db79c42aff2
 CVE-2020-35544
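Review bot: (Minor issue) is the only record of why a time-based SQL injection reachable through the query string gets no buster update, and the parenthesised text is the one place that rationale lives in data/CVE/list; spell out the actual reason (whatever it is, e.g. that the injection needs an authenticated session, or that the linked fix fefb39a does not apply to the buster version) rather than the generic label. The unstable line still has no fixed version, so bug #977719 is worth a follow-up before the buster decision is treated as final.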
@@ -6876,6 +6879,7 @@ CVE-2020-35492 [cairo: libreoffice slideshow aborts with 
stack smashing in cairo
RESERVED
{DLA-2518-1}
- cairo 1.16.0-5 (bug #978658)
+   [buster] - cairo  (Minor issue)
NOTE: https://gitlab.freedesktop.org/cairo/cairo/-/issues/437
NOTE: Introduced by: 
https://gitlab.freedesktop.org/cairo/cairo/-/commit/c986a7310bb06582b7d8a566d5f007ba4e5e75bf
 (1.12.12)
NOTE: Fixed by: 
https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be
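Review bot: stretch already has this fixed through DLA-2518-1 while buster is now tagged (Minor issue) with no update planned, which leaves stable in a weaker state than oldstable for the same bug; if the intent is to ship the fix in a buster point release, a postponed-style tag with that reason would reflect it better than a plain Minor issue. The Introduced by / Fixed by notes with the (1.12.12) marker are the right way to record this and worth copying for the other entries in this commit.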
@@ -8919,6 +8923,7 @@ CVE-2020-29658
RESERVED
 CVE-2020-29657 (In JerryScript 2.3.0, there is an out-of-bounds read in 
main_print_unh ...)
- iotjs  (bug #977736)
+   [buster] - iotjs  (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4244
 CVE-2020-29656 (An information disclosure vulnerability exists in RT-AC88U 
Download Ma ...)
NOT-FOR-US: RT-AC88U Download Master
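Review bot: the only reference is jerryscript issue #4244 with no fix commit, and the affected function (main_print_unh..., truncated in the description) lives in the jerry command-line front end rather than in the engine library; before buster is left at (Minor issue) and unstable with only bug #977736 and no fixed version, confirm that the iotjs package actually ships that front end, otherwise the entry should become not-affected with that reason.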
@@ -20724,7 +20729,8 @@ CVE-2020-26265 (Go Ethereum, or "Geth", is the official 
Golang implementation of
 CVE-2020-26264 (Go Ethereum, or "Geth", is the official Golang implementation 
of the E ...)
- golang-github-go-ethereum  (bug #890541)
 CVE-2020-26263 (tlslite-ng is an open source python library that implements 
SSL and TL ...)
-   - tlslite-ng 
+   - tlslite-ng 
+   [buster] - tlslite-ng  (Minor issue)
NOTE: 
https://github.com/tlsfuzzer/tlslite-ng/security/advisories/GHSA-wvcv-832q-fjg7
NOTE: 
https://github.com/tlsfuzzer/tlslite-ng/commit/c28d6d387bba59d8bd5cb3ba15edc42edf54b368
NOTE: https://github.com/tlsfuzzer/tlslite-ng/pull/438
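Review bot: the first two lines of this hunk replace `- tlslite-ng ` with itself (a whitespace-only change), which adds noise to the diff without changing any state and is worth dropping from the commit. On the substance, the GHSA advisory, fix commit c28d6d3 and PR #438 are all linked but no fixed version is recorded for unstable, so either the upstream release carrying that commit has not been packaged yet or the version is missing here; please check and add it.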
@@ -25253,6 +25259,7 @@ CVE-2020-24345 (** DISPUTED ** JerryScript through 
2.3.0 allows stack consumptio
NOTE: Disputed JerryScript issue
 CVE-2020-24344 (JerryScript through 2.3.0 has a (function({a=arguments}){const 
argumen ...)
- iotjs 
+   [buster] - iotjs  (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3976
NOTE: 
https://github.com/jerryscript-project/jerryscript/commit/841d536fce1ce29267cdf0ea12be4026e1c35d3a
 CVE-2020-24343 (Artifex MuJS through 1.0.7 has a use-after-free in jsrun.c 
because of  ...)
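Review bot: this entry leaves unstable without a fixed version although the fix commit 841d536 is linked, whereas the other two iotjs entries touched in this commit (CVE-2020-13649, CVE-2019-1010176) record 1.0+715-1 as fixed; if the jerryscript copy embedded in iotjs 1.0+715 predates 841d536 that is correct, but a NOTE stating which jerryscript revision that upload embeds would make all the iotjs entries verifiable without re-opening the source package each time.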
@@ -49002,6 +49009,7 @@ CVE-2020-13650 (An issue was discovered in DigDash 
2018R2 before p20200210 and 2
NOT-FOR-US: DigDash
 CVE-2020-13649 (parser/js/js-scanner.c in JerryScript 2.2.0 mishandles errors 
during c ...)
- iotjs 1.0+715-1
+   [buster] - iotjs  (Minor issue)
NOTE: 
https://github.com/jerryscript-project/jerryscript/commit/69f8e78c2f8d562bd6d8002b5488f1662ac30d24
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3786
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3788
@@ -114779,6 +114787,7 @@ CVE-2019-1010177 (Jsish 2.4.70 2.047 is affected by: 
Use After Free. The impact
NOT-FOR-US: Jsish
 CVE-2019-1010176 (JerryScript commit 4e58ccf68070671e1fff5cd6673f0c1d5b80b166 
is affecte ...)
- iotjs 1.0+715-1
+   [buster] - iotjs  (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/2476
NOTE: 
https://github.com/jerryscript-project/jerryscript/commit/505dace719aebb3308a3af223cfaa985159efae0
 CVE-2019-1010175
@@ -153144,6 +153153,7 @@ CVE-2018-1000638 (MiniCMS version 1.1 contains a 
Cross Site Scripting (XSS) vuln
NOT-FOR-US: MiniCMS
 CVE-2018-1000636 (JerryScript 

[Git][security-tracker-team/security-tracker][master] Add CVE-2020-35512/dbus

2021-01-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3fc480d1 by Salvatore Bonaccorso at 2021-01-07T07:42:22+01:00
Add CVE-2020-35512/dbus

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6787,6 +6787,14 @@ CVE-2020-35513
RESERVED
 CVE-2020-35512
RESERVED
+   - dbus 1.12.20-1
+   [buster] - dbus 1.12.20-0+deb10u1
+   [stretch] - dbus 1.10.32-0+deb9u1
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1909101
+   NOTE: https://gitlab.freedesktop.org/dbus/dbus/-/issues/305
+   NOTE: 
https://gitlab.freedesktop.org/dbus/dbus/-/commit/2b7948ef907669e844b52c4fa2268d6e3162a70c
 (dbus-1.13.18)
+   NOTE: 
https://gitlab.freedesktop.org/dbus/dbus/-/commit/f3b2574f0c9faa32a59efec905921f7ef4438a60
 (dbus-1.12.20)
+   NOTE: 
https://gitlab.freedesktop.org/dbus/dbus/-/commit/dc94fe3d31adf72259adc31f343537151a6c0bdd
 (dbus-1.10.32)
 CVE-2020-35511
RESERVED
 CVE-2020-35510
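Review bot: the entry records fixed versions for unstable, buster and stretch while the CVE is still RESERVED and there is no DSA/DLA reference in braces, so a reader of data/CVE/list sees three version numbers with no indication of what the bug is or how the stable fixes shipped; add a one-line NOTE summarising the issue from Red Hat bug 1909101 / dbus issue #305 and, if the buster and stretch versions went out as point-release updates rather than advisories, say so. Mapping each upstream commit to its branch release (dbus-1.13.18 / 1.12.20 / 1.10.32) is the right way to record the fixes.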



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3fc480d1ea286ac77d64d3fdb3bb5ffb656fbc06

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3fc480d1ea286ac77d64d3fdb3bb5ffb656fbc06
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] Add CVE-2020-35509, NFU (Keycloak)

2021-01-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4fd68fce by Salvatore Bonaccorso at 2021-01-07T07:27:24+01:00
Add CVE-2020-35509, NFU (Keycloak)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6794,6 +6794,7 @@ CVE-2020-35510
- libjboss-remoting-java 
 CVE-2020-35509
RESERVED
+   NOT-FOR-US: Keycloak
 CVE-2020-35508
RESERVED
- linux 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fd68fcec8ba6c16eea67a8f0d64051b1242b07a


[Git][security-tracker-team/security-tracker][master] Track fix for CVE-2019-18900/libzypp via unstable

2021-01-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fa4573a0 by Salvatore Bonaccorso at 2021-01-07T06:44:48+01:00
Track fix for CVE-2019-18900/libzypp via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -83648,7 +83648,7 @@ CVE-2019-18901 (A UNIX Symbolic Link (Symlink) 
Following vulnerability in the my
 CVE-2019-18900 (: Incorrect Default Permissions vulnerability in libzypp of 
SUSE CaaS  ...)
{DLA-2132-1}
[experimental] - libzypp 17.25.5-1
-   - libzypp  (bug #953362)
+   - libzypp 17.25.5-2 (bug #953362)
[buster] - libzypp  (Minor issue)
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1158763
NOTE: https://github.com/openSUSE/libzypp/pull/196
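Review bot: with unstable now at 17.25.5-2 the `[experimental] - libzypp 17.25.5-1` line above it no longer carries information, since the unstable version is higher; it can be dropped in the same change. The buster line keeps (Minor issue) with no pointer to a planned point-release update even though the fix is now in the archive; consider noting whether a buster update is intended.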



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa4573a03bd6201ecd720833519e72f903570e9b


[Git][security-tracker-team/security-tracker][master] Add new chromium CVEs from January 6, 2021 advisory (fixed in 87.0.4280.141)

2021-01-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
516225d1 by Salvatore Bonaccorso at 2021-01-07T06:41:16+01:00
Add new chromium CVEs from January 6, 2021 advisory (fixed in 87.0.4280.141)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4427,26 +4427,48 @@ CVE-2021-21117
RESERVED
 CVE-2021-21116
RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2021-21115
RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2021-21114
RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2021-21113
RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2021-21112
RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2021-2
RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2021-21110
RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2021-21109
RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2021-21108
RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2021-21107
RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2021-21106
RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2020-35626 (An issue was discovered in the PushToWatch extension for 
MediaWiki thr ...)
NOT-FOR-US: PushToWatch MediaWiki extension
 CVE-2020-35625 (An issue was discovered in the Widgets extension for MediaWiki 
through ...)
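Review bot: all eleven new entries add `- chromium ` with no fixed version and `[stretch] - chromium  (see DSA 4562)` with, as rendered here, no state token in front of the parenthesis; that token is what gives the stretch line its meaning, so confirm the committed file has it. One identifier in the run between CVE-2021-21112 and CVE-2021-21110 is shown as `CVE-2021-2`, which is not a valid CVE id; check that line in the committed file. Since the commit message says these are fixed in 87.0.4280.141, a NOTE with the advisory URL on at least one entry would let the unstable version be filled in once the package is uploaded.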
@@ -42154,6 +42176,8 @@ CVE-2020-16044
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2021-01/#CVE-2020-16044
 CVE-2020-16043
RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2020-16042
RESERVED
{DSA-4824-1 DSA-4815-1 DSA-4813-1 DLA-2497-1 DLA-2496-1}
@@ -42380,7 +42404,8 @@ CVE-2020-15997 (Use after free in Mojo in Google Chrome 
prior to 86.0.4240.99 al
 CVE-2020-15996 (Use after free in passwords in Google Chrome prior to 
86.0.4240.99 all ...)
- chromium  (Chrome on Android)
 CVE-2020-15995 (Out of bounds write in V8 in Google Chrome prior to 
86.0.4240.99 allow ...)
-   - chromium  (Chrome on Android)
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2020-15994 (Use after free in V8 in Google Chrome prior to 86.0.4240.99 
allowed a  ...)
- chromium  (Chrome on Android)
 CVE-2020-15993 (Use after free in printing in Google Chrome prior to 
86.0.4240.99 allo ...)
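Review bot: CVE-2020-15995 flips from `(Chrome on Android)`, previously treated as not affecting the Debian package, to affected in unstable with no NOTE explaining the reversal; the neighbouring CVE-2020-15996 and CVE-2020-15994 keep the Android-only verdict, so record why this one now differs (the commit message points at the January 6 advisory), otherwise the next triage pass sees an unexplained inconsistency between three adjacent entries.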



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/516225d14bbfdd6769f300368233094d89c2a360


[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2020-16044/firefox-esr

2021-01-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1c7f1d24 by Salvatore Bonaccorso at 2021-01-07T06:36:16+01:00
Add fixed version via unstable for CVE-2020-16044/firefox-esr

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -42150,7 +42150,7 @@ CVE-2020-16045
 CVE-2020-16044
RESERVED
- firefox 84.0.2-1
-   - firefox-esr 
+   - firefox-esr 78.6.1esr-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2021-01/#CVE-2020-16044
 CVE-2020-16043
RESERVED
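Review bot: with firefox 84.0.2-1 and firefox-esr 78.6.1esr-1 both recorded for unstable, the entry still says nothing about buster or stretch, which ship firefox-esr; until a DSA/DLA reference is added in braces or a [buster]/[stretch] line is present, the tracker shows stable as vulnerable with no plan attached. If the stable update is in progress, dsa-needed.txt should list firefox-esr so the state is visible.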



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c7f1d24eab25bcd1885ff2c95010654495e0994


[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2020-16044/firefox via unstable

2021-01-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8d1a9672 by Salvatore Bonaccorso at 2021-01-07T06:35:11+01:00
Track fixed version for CVE-2020-16044/firefox via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -42149,7 +42149,7 @@ CVE-2020-16045
RESERVED
 CVE-2020-16044
RESERVED
-   - firefox 
+   - firefox 84.0.2-1
- firefox-esr 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2021-01/#CVE-2020-16044
 CVE-2020-16043



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8d1a9672685f8cb7d4426e878fed8ff8bb07797b


[Git][security-tracker-team/security-tracker][master] Reserve DLA-2520-1 for golang-websocket

2021-01-06 Thread Brian May


Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d8b7b1f0 by Brian May at 2021-01-07T10:03:08+11:00
Reserve DLA-2520-1 for golang-websocket

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[07 Jan 2021] DLA-2520-1 golang-websocket - security update
+   {CVE-2020-27813}
+   [stretch] - golang-websocket 1.1.0-1+deb9u1
 [06 Jan 2021] DLA-2519-1 pacemaker - security update
{CVE-2018-16877 CVE-2018-16878 CVE-2020-25654}
[stretch] - pacemaker 1.1.24-0+deb9u1


=
data/dla-needed.txt
=
@@ -58,8 +58,6 @@ golang-1.8
   NOTE: 20210103: Clarification CVE-2020-29509, ...10 and ...11 is definitely 
not going to be fixed in 1.8.
   NOTE: 20210103: golang at all. Follow up a little more before it is ignored 
(ola)
 --
-golang-websocket (Brian May)
---
 imagemagick (Sylvain Beucler)
   NOTE: 20201207: requested CVE-2020-29599 (Beuc)
   NOTE: 20201212: batch of vulnerabilities triaged, the only important 
vulnerability is not reproducible, ongoing (Beuc)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8b7b1f02560055b765c47a80e7deb51f5b21b7e


[Git][security-tracker-team/security-tracker][master] Claim golang-websocket

2021-01-06 Thread Brian May


Brian May pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ac8a67f5 by Brian May at 2021-01-07T09:07:19+11:00
Claim golang-websocket

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -58,7 +58,7 @@ golang-1.8
   NOTE: 20210103: Clarification CVE-2020-29509, ...10 and ...11 is definitely 
not going to be fixed in 1.8.
   NOTE: 20210103: golang at all. Follow up a little more before it is ignored 
(ola)
 --
-golang-websocket
+golang-websocket (Brian May)
 --
 imagemagick (Sylvain Beucler)
   NOTE: 20201207: requested CVE-2020-29599 (Beuc)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac8a67f5d40e20e2949129b8b342e5913a649ac9


[Git][security-tracker-team/security-tracker][master] nodejs security update

2021-01-06 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b9c67685 by Moritz Mühlenhoff at 2021-01-06T22:54:22+01:00
nodejs security update

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[06 Jan 2021] DSA-4826-1 nodejs - security update
+   {CVE-2020-8265 CVE-2020-8287}
+   [buster] - nodejs 10.23.1~dfsg-1~deb10u1
 [05 Jan 2021] DSA-4806-2 minidlna - regression update
[buster] - minidlna 1.2.1+dfsg-2+deb10u2
 [04 Jan 2021] DSA-4825-1 dovecot - security update
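Review bot: 10.23.1~dfsg-1~deb10u1 is a new upstream release rebuilt for buster rather than a minimal backport, as the `~deb10u1` suffix on an unstable-style revision shows; the versioning is right (it sorts below 10.23.1~dfsg-1, so it will not block upgrades to a newer suite), but the advisory should state that the stable package moved to upstream 10.23.1 rather than only list the two CVEs. Removing nodejs from dsa-needed.txt in the same commit is correct.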


=
data/dsa-needed.txt
=
@@ -28,8 +28,6 @@ linux (carnil)
 --
 netty
 --
-nodejs
---
 salt (carnil)
 --
 slurm-llnl (jmm)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9c67685ca8b5a334c36572965a51bbc8b97ccf9


[Git][security-tracker-team/security-tracker][master] Process several NFUs

2021-01-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a83eb9cc by Salvatore Bonaccorso at 2021-01-06T21:23:16+01:00
Process several NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -18375,11 +18375,11 @@ CVE-2020-27287
 CVE-2020-27286
RESERVED
 CVE-2020-27285 (The default configuration of Crimson 3.1 (Build versions prior 
to 3119 ...)
-   TODO: check
+   NOT-FOR-US: Crimson
 CVE-2020-27284
RESERVED
 CVE-2020-27283 (An attacker could send a specially crafted message to Crimson 
3.1 (Bui ...)
-   TODO: check
+   NOT-FOR-US: Crimson
 CVE-2020-27282
RESERVED
 CVE-2020-27281
@@ -18387,7 +18387,7 @@ CVE-2020-27281
 CVE-2020-27280
RESERVED
 CVE-2020-27279 (A NULL pointer deference vulnerability has been identified in 
the prot ...)
-   TODO: check
+   NOT-FOR-US: Crimson
 CVE-2020-27278
RESERVED
 CVE-2020-27277
@@ -58420,13 +58420,13 @@ CVE-2019-20511 (ERPNext 11.1.47 allows 
blog?blog_category= Frame Injection. ...)
 CVE-2020-10659 (Entrust Entelligence Security Provider (ESP) before 10.0.60 on 
Windows ...)
NOT-FOR-US: Entrust Entelligence Security Provider (ESP)
 CVE-2020-10658 (The Proofpoint Insider Threat Management Server (formerly 
ObserveIT Se ...)
-   TODO: check
+   NOT-FOR-US: Proofpoint Insider Threat Management Server
 CVE-2020-10657 (The Proofpoint Insider Threat Management Server (formerly 
ObserveIT Se ...)
-   TODO: check
+   NOT-FOR-US: Proofpoint Insider Threat Management Server
 CVE-2020-10656 (The Proofpoint Insider Threat Management Server (formerly 
ObserveIT Se ...)
-   TODO: check
+   NOT-FOR-US: Proofpoint Insider Threat Management Server
 CVE-2020-10655 (The Proofpoint Insider Threat Management Server (formerly 
ObserveIT Se ...)
-   TODO: check
+   NOT-FOR-US: Proofpoint Insider Threat Management Server
 CVE-2020-10654 (Ping Identity PingID SSH before 4.0.14 contains a heap buffer 
overflow ...)
NOT-FOR-US: Ping Identity PingID
 CVE-2020-10653
@@ -62603,7 +62603,7 @@ CVE-2012-6721 (Multiple cross-site request forgery 
(CSRF) vulnerabilities in the
 CVE-2012-6720 (Multiple cross-site scripting (XSS) vulnerabilities in 
SocialEngine be ...)
NOT-FOR-US: SocialEngine
 CVE-2020-8884 (rcdsvc in the Proofpoint Insider Threat Management Windows 
Agent (form ...)
-   TODO: check
+   NOT-FOR-US: Proofpoint Insider Threat Management Windows Agent
 CVE-2020-8883 (This vulnerability allows remote attackers to disclose 
sensitive infor ...)
NOT-FOR-US: Foxit Studio Photo
 CVE-2020-8882 (This vulnerability allows remote attackers to execute arbitrary 
code o ...)
@@ -64462,7 +64462,7 @@ CVE-2020-8161 (A directory traversal vulnerability 
exists in rack  2.2.0 tha
NOTE: Required followup: 
https://github.com/rack/rack/commit/e7ba1b0557d3ad97af1ef113bbeb5f27417983fa
NOTE: Test: 
https://github.com/rack/rack/commit/775c836bdd25b63340399fea739532d746860a94
 CVE-2020-8160 (MendixSSO = 2.1.1 contains endpoints that make use of the 
openid h ...)
-   TODO: check
+   NOT-FOR-US: MendixSSO
 CVE-2020-8159 (There is a vulnerability in actionpack_page-caching gem  
v1.2.1 th ...)
- ruby-actionpack-page-caching 1.2.2-1 (bug #960680)
[buster] - ruby-actionpack-page-caching  (Minor issue)
@@ -92079,7 +92079,7 @@ CVE-2019-16964 (app/call_centers/cmd.php in the Call 
Center Queue Module in Fusi
 CVE-2019-16963
RESERVED
 CVE-2019-16962 (Zoho ManageEngine Desktop Central 10.0.430 allows HTML 
injection via a ...)
-   TODO: check
+   NOT-FOR-US: Zoho ManageEngine Desktop Central
 CVE-2019-16961
RESERVED
 CVE-2019-16960 (SolarWinds Web Help Desk 12.7.0 allows XSS via a CSV template 
file wit ...)
@@ -92095,7 +92095,7 @@ CVE-2019-16956 (SolarWinds Web Help Desk 12.7.0 allows 
XSS via the Request Type
 CVE-2019-16955 (SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG 
documen ...)
NOT-FOR-US: SolarWinds
 CVE-2019-16954 (SolarWinds Web Help Desk 12.7.0 allows HTML injection via a 
Comment in ...)
-   TODO: check
+   NOT-FOR-US: SolarWinds
 CVE-2019-16953
RESERVED
 CVE-2019-16952



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a83eb9cc47d9df55c60856a1bdfa1a30509ef4c3


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-36177/wolfssl

2021-01-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3fd17a5c by Salvatore Bonaccorso at 2021-01-06T21:20:20+01:00
Add CVE-2020-36177/wolfssl

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5,7 +5,11 @@ CVE-2021-3028
 CVE-2021-22696
RESERVED
 CVE-2020-36177 (RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has 
an out-o ...)
-   TODO: check
+   - wolfssl 
+   NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26567
+   NOTE: 
https://github.com/wolfSSL/wolfssl/commit/63bf5dc56ccbfc12a73b06327361687091a4c6f7
+   NOTE: 
https://github.com/wolfSSL/wolfssl/commit/fb2288c46dd4c864b78f00a47a364b96a09a5c0f
+   NOTE: https://github.com/wolfSSL/wolfssl/pull/3426
 CVE-2020-36176 (The iThemes Security (formerly Better WP Security) plugin 
before 7.7.0 ...)
NOT-FOR-US: iThemes Security (formerly Better WP Security) plugin for 
WordPress
 CVE-2020-36175 (The Ninja Forms plugin before 3.4.27.1 for WordPress allows 
attackers  ...)
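Review bot: the CVE text says the fix is in wolfSSL 4.6.0 and the entry links the fix commits and PR #3426, yet no fixed version is recorded for unstable and there is no [buster] or [stretch] line at all; if the Debian package is already at 4.6.0 or later the version should go in, and if stable ships an older wolfssl the entry needs a stable tag with a triage decision, because a bare `- wolfssl ` (no version, and no state token visible in this rendering) says nothing about either suite.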



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3fd17a5ca572517b1e3712756312b588ef660d12


[Git][security-tracker-team/security-tracker][master] Process some NFUs

2021-01-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
97a25c68 by Salvatore Bonaccorso at 2021-01-06T21:18:01+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7,21 +7,21 @@ CVE-2021-22696
 CVE-2020-36177 (RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has 
an out-o ...)
TODO: check
 CVE-2020-36176 (The iThemes Security (formerly Better WP Security) plugin 
before 7.7.0 ...)
-   TODO: check
+   NOT-FOR-US: iThemes Security (formerly Better WP Security) plugin for 
WordPress
 CVE-2020-36175 (The Ninja Forms plugin before 3.4.27.1 for WordPress allows 
attackers  ...)
-   TODO: check
+   NOT-FOR-US: Ninja Forms plugin for WordPress
 CVE-2020-36174 (The Ninja Forms plugin before 3.4.27.1 for WordPress allows 
CSRF via s ...)
-   TODO: check
+   NOT-FOR-US: Ninja Forms plugin for WordPress
 CVE-2020-36173 (The Ninja Forms plugin before 3.4.28 for WordPress lacks 
escaping for  ...)
-   TODO: check
+   NOT-FOR-US: Ninja Forms plugin for WordPress
 CVE-2020-36172 (The Advanced Custom Fields plugin before 5.8.12 for WordPress 
mishandl ...)
-   TODO: check
+   NOT-FOR-US: Advanced Custom Fields plugin for WordPress
 CVE-2020-36171 (The Elementor Website Builder plugin before 3.0.14 for 
WordPress does  ...)
-   TODO: check
+   NOT-FOR-US: Elementor Website Builder plugin for WordPress
 CVE-2020-36170 (The Ultimate Member plugin before 2.1.13 for WordPress 
mishandles hidd ...)
-   TODO: check
+   NOT-FOR-US: Ultimate Member plugin for WordPress
 CVE-2012-10001 (The Limit Login Attempts plugin before 1.7.1 for WordPress 
does not cl ...)
-   TODO: check
+   NOT-FOR-US: Limit Login Attempts plugin for WordPress
 CVE-2021-3027
RESERVED
 CVE-2021-3026 (Invision Community IPS Community Suite before 4.5.4.2 allows 
XSS durin ...)
@@ -74188,7 +74188,7 @@ CVE-2020-4338 (IBM MQ 9.1.4 could allow a local 
attacker to obtain sensitive inf
 CVE-2020-4337 (IBM API Connect 2018.4.1.0 through 2018.4.1.12 could allow an 
attacker ...)
NOT-FOR-US: IBM
 CVE-2020-4336 (IBM WebSphere eXtreme Scale 8.6.1 stores sensitive information 
in URL  ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2020-4335
RESERVED
 CVE-2020-4334



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97a25c68b944a96917c0eba438fb90bb1341385c


[Git][security-tracker-team/security-tracker][master] automatic update

2021-01-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e1da3684 by security tracker role at 2021-01-06T20:17:10+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,27 @@
+CVE-2021-3029
+   RESERVED
+CVE-2021-3028
+   RESERVED
+CVE-2021-22696
+   RESERVED
+CVE-2020-36177 (RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has 
an out-o ...)
+   TODO: check
+CVE-2020-36176 (The iThemes Security (formerly Better WP Security) plugin 
before 7.7.0 ...)
+   TODO: check
+CVE-2020-36175 (The Ninja Forms plugin before 3.4.27.1 for WordPress allows 
attackers  ...)
+   TODO: check
+CVE-2020-36174 (The Ninja Forms plugin before 3.4.27.1 for WordPress allows 
CSRF via s ...)
+   TODO: check
+CVE-2020-36173 (The Ninja Forms plugin before 3.4.28 for WordPress lacks 
escaping for  ...)
+   TODO: check
+CVE-2020-36172 (The Advanced Custom Fields plugin before 5.8.12 for WordPress 
mishandl ...)
+   TODO: check
+CVE-2020-36171 (The Elementor Website Builder plugin before 3.0.14 for 
WordPress does  ...)
+   TODO: check
+CVE-2020-36170 (The Ultimate Member plugin before 2.1.13 for WordPress 
mishandles hidd ...)
+   TODO: check
+CVE-2012-10001 (The Limit Login Attempts plugin before 1.7.1 for WordPress 
does not cl ...)
+   TODO: check
 CVE-2021-3027
RESERVED
 CVE-2021-3026 (Invision Community IPS Community Suite before 4.5.4.2 allows 
XSS durin ...)
@@ -3557,7 +3581,7 @@ CVE-2020-35719
RESERVED
 CVE-2020-35718
RESERVED
-CVE-2020-35717 (zonote =0.4.0 allows XSS via crafted note, with resultant 
Remote C ...)
+CVE-2020-35717 (zonote through 0.4.0 allows XSS via a crafted note, with 
resultant Rem ...)
NOT-FOR-US: zonote
 CVE-2020-35716 (Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote 
attacker ...)
NOT-FOR-US: Belkin LINKSYS RE6500 devices
@@ -4154,8 +4178,8 @@ CVE-2021-21238
RESERVED
 CVE-2021-21237
RESERVED
-CVE-2021-21236
-   RESERVED
+CVE-2021-21236 (CairoSVG is a Python (pypi) package. CairoSVG is an SVG 
converter base ...)
+   TODO: check
 CVE-2021-21235 (kamadak-exif is an exif parsing library written in pure Rust. 
In kamad ...)
- rust-kamadak-exif 
NOTE: 
https://github.com/kamadak/exif-rs/security/advisories/GHSA-px9g-8hgv-jvg2
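Review bot: CVE-2021-21236 now has its description and lands as TODO: check; unlike the WordPress-plugin batch at the top of this update, CairoSVG is shipped by Debian (source package cairosvg, binary python3-cairosvg), so this TODO needs a real package line with a version or state rather than an NFU. The adjacent CVE-2021-21235 entry (rust-kamadak-exif with the GHSA link) is the pattern to follow.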
@@ -18346,20 +18370,20 @@ CVE-2020-27287
RESERVED
 CVE-2020-27286
RESERVED
-CVE-2020-27285
-   RESERVED
+CVE-2020-27285 (The default configuration of Crimson 3.1 (Build versions prior 
to 3119 ...)
+   TODO: check
 CVE-2020-27284
RESERVED
-CVE-2020-27283
-   RESERVED
+CVE-2020-27283 (An attacker could send a specially crafted message to Crimson 
3.1 (Bui ...)
+   TODO: check
 CVE-2020-27282
RESERVED
 CVE-2020-27281
RESERVED
 CVE-2020-27280
RESERVED
-CVE-2020-27279
-   RESERVED
+CVE-2020-27279 (A NULL pointer deference vulnerability has been identified in 
the prot ...)
+   TODO: check
 CVE-2020-27278
RESERVED
 CVE-2020-27277
@@ -19569,8 +19593,8 @@ CVE-2020-26761
RESERVED
 CVE-2020-26760
RESERVED
-CVE-2020-26759
-   RESERVED
+CVE-2020-26759 (clickhouse-driver before 0.1.5 allows a malicious clickhouse 
server to ...)
+   TODO: check
 CVE-2020-26758
RESERVED
 CVE-2020-26757
@@ -22204,7 +8,7 @@ CVE-2020-25656 (A flaw was found in the Linux kernel. A 
use-after-free was found
 CVE-2020-25655 (An issue was discovered in ManagedClusterView API, that could 
allow se ...)
NOT-FOR-US: Red Hat open-cluster-management
 CVE-2020-25654 (An ACL bypass flaw was found in pacemaker. An attacker having 
a local  ...)
-   {DSA-4791-1}
+   {DSA-4791-1 DLA-2519-1}
- pacemaker 2.0.5~rc2-1 (bug #973254)
NOTE: https://www.openwall.com/lists/oss-security/2020/10/27/1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1888191
@@ -49211,10 +49235,10 @@ CVE-2020-13547 (A type confusion vulnerability exists 
in the JavaScript engine o
NOT-FOR-US: Foxit
 CVE-2020-13546
RESERVED
-CVE-2020-13545
-   RESERVED
-CVE-2020-13544
-   RESERVED
+CVE-2020-13545 (An exploitable signed conversion vulnerability exists in the 
TextMaker ...)
+   TODO: check
+CVE-2020-13544 (An exploitable sign extension vulnerability exists in the 
TextMaker do ...)
+   TODO: check
 CVE-2020-13543 (A code execution vulnerability exists in the WebSocket 
functionality o ...)
{DSA-4797-1}
- webkit2gtk 2.30.3-1
@@ -58391,14 +58415,14 @@ CVE-2019-20511 (ERPNext 11.1.47 allows 
blog?blog_category= Frame Injection. ...)
NOT-FOR-US: ERPNext
 CVE-2020-10659 (Entrust Entelligence Security Provider (ESP) before 10.0.60 on 
Windows ...)
NOT-FOR-US: Entrust Entelligence Security Provider (ESP)
-CVE-2020-10658
-   

[Git][security-tracker-team/security-tracker][master] 2 commits: Remove no-dsa tags from pacemaker/stretch.

2021-01-06 Thread Markus Koschany


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3c51dc6c by Markus Koschany at 2021-01-06T21:08:18+01:00
Remove no-dsa tags from pacemaker/stretch.

- - - - -
723cd446 by Markus Koschany at 2021-01-06T21:09:59+01:00
Reserve DLA-2519-1 for pacemaker

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -149495,14 +149495,12 @@ CVE-2018-16879 (Ansible Tower before version 3.3.3 
does not set a secure channel
NOT-FOR-US: Ansible Tower
 CVE-2018-16878 (A flaw was found in pacemaker up to and including version 
2.0.1. An in ...)
- pacemaker 2.0.1-3 (bug #927714)
-   [stretch] - pacemaker  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/1
NOTE: https://github.com/ClusterLabs/pacemaker/pull/1749 (master)
NOTE: https://github.com/ClusterLabs/pacemaker/pull/1750 (1.1)
NOTE: https://lists.clusterlabs.org/pipermail/users/2019-May/025822.html
 CVE-2018-16877 (A flaw was found in the way pacemaker's client-server 
authentication w ...)
- pacemaker 2.0.1-3 (bug #927714)
-   [stretch] - pacemaker  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/1
NOTE: https://github.com/ClusterLabs/pacemaker/pull/1749 (master)
NOTE: https://github.com/ClusterLabs/pacemaker/pull/1750 (1.1)
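Review bot: the two entries that lose their "[stretch] - pacemaker (Minor issue)" no-dsa line here (CVE-2018-16878 and CVE-2018-16877) get no `{DLA-2519-1}` reference in this hunk, although the data/DLA/list hunk in the same push lists both CVEs under DLA-2519-1; add a `{DLA-2519-1}` line above the `- pacemaker 2.0.1-3 (bug #927714)` line of each entry, in the form the "stable triage" commit earlier in this thread uses for CVE-2020-25654 (`{DSA-4791-1 DLA-2519-1}`), so the CVE entries and the DLA list agree on what the update fixed.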


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[06 Jan 2021] DLA-2519-1 pacemaker - security update
+   {CVE-2018-16877 CVE-2018-16878 CVE-2020-25654}
+   [stretch] - pacemaker 1.1.24-0+deb9u1
 [06 Jan 2021] DLA-2518-1 cairo - security update
{CVE-2020-35492}
[stretch] - cairo 1.14.8-1+deb9u1


=
data/dla-needed.txt
=
@@ -102,12 +102,6 @@ openjpeg2 (Thorsten Alteholz)
   NOTE: 20201220: more CVEs appeared
   NOTE: 20210104: testing package
 --
-pacemaker (Markus Koschany)
-  NOTE: 20201228: See #974563 for further information.
-  NOTE: 20201228: https://people.debian.org/~apo/lts/pacemaker/
-  NOTE: 20201228: The new upstream version works as intended. One user
-  NOTE: 20201228: reported no regressions. Will release on 06.01.2021.
---
 php-horde-trean
   NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in 
https://bugs.horde.org/ticket/14926 (sunweaver)
   NOTE: 20200829: We may not expect too much activity regarding this by 
upstream. (sunweaver)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bf635dec5420522f0b82b9b91bc3305fb1f8542c...723cd4466c9c580c43d195f05a095b63a3061d6e

You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] 2 commits: Remove "check" item for libxstream-java, acked

2021-01-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a90abcd0 by Salvatore Bonaccorso at 2021-01-06T20:57:18+01:00
Remove check item for libxstream-java, acked

- - - - -
bf635dec by Salvatore Bonaccorso at 2021-01-06T20:57:46+01:00
Add firefox-esr to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -14,11 +14,13 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 --
 ansible
 --
+firefox-esr
+--
 knot-resolver
   Santiago Ruano Rincón proposed a debdiff for review
 --
 libxstream-java
-  Check for DSA; Markus Koschany proposed an update for review
+  Markus Koschany proposed an update for review
 --
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6b2eb7b504bb2e571ba8429d41921f7847d8d9fa...bf635dec5420522f0b82b9b91bc3305fb1f8542c


[Git][security-tracker-team/security-tracker][master] Add CVE-2020-16044/firefox{,-esr}

2021-01-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6b2eb7b5 by Salvatore Bonaccorso at 2021-01-06T20:56:19+01:00
Add CVE-2020-16044/firefox{,-esr}

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -42121,6 +42121,9 @@ CVE-2020-16045
RESERVED
 CVE-2020-16044
RESERVED
+   - firefox 
+   - firefox-esr 
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2021-01/#CVE-2020-16044
 CVE-2020-16043
RESERVED
 CVE-2020-16042



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b2eb7b504bb2e571ba8429d41921f7847d8d9fa


[Git][security-tracker-team/security-tracker][master] Track fix via experimental for CVE-2019-18900/libzypp

2021-01-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4ae56b7a by Salvatore Bonaccorso at 2021-01-06T14:39:38+01:00
Track fix via experimental for CVE-2019-18900/libzypp

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -83591,6 +83591,7 @@ CVE-2019-18901 (A UNIX Symbolic Link (Symlink) 
Following vulnerability in the my
NOT-FOR-US: SuSE-specific mysqld-systemd-helper
 CVE-2019-18900 (: Incorrect Default Permissions vulnerability in libzypp of 
SUSE CaaS  ...)
{DLA-2132-1}
+   [experimental] - libzypp 17.25.5-1
- libzypp  (bug #953362)
[buster] - libzypp  (Minor issue)
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1158763



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ae56b7a63a47a084b58f03a2aed108636985e32


[Git][security-tracker-team/security-tracker][master] new rust-kamadak-exif (might not affect stale Debian versions)

2021-01-06 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
28f804c1 by Moritz Muehlenhoff at 2021-01-06T11:49:58+01:00
new rust-kamadak-exif (might not affect stale Debian versions)
new golang-github-tidwall-gjson issues
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1109,7 +1109,7 @@ CVE-2021-22160
 CVE-2020-36159 (Veritas Desktop and Laptop Option (DLO) before 9.5 disclosed 
operation ...)
NOT-FOR-US: Veritas
 CVE-2021-3019 (ffay lanproxy 0.1 allows Directory Traversal to read 
/../conf/config.p ...)
-   TODO: check
+   NOT-FOR-US: ffay lanproxy
 CVE-2021-3018 (ipeak Infosystems ibexwebCMS (aka IPeakCMS) 3.5 is vulnerable 
to an un ...)
NOT-FOR-US: ipeak Infosystems ibexwebCMS (aka IPeakCMS)
 CVE-2021-3017
@@ -2644,9 +2644,13 @@ CVE-2020-36069
 CVE-2020-36068
RESERVED
 CVE-2020-36067 (GJSON =v1.6.5 allows attackers to cause a denial of 
service (panic ...)
-   TODO: check
+   - golang-github-tidwall-gjson 
+   NOTE: https://github.com/tidwall/gjson/issues/196
+   NOTE: 
https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b
 CVE-2020-36066 (GJSON 1.6.5 allows attackers to cause a denial of service 
(remote) ...)
-   TODO: check
+   - golang-github-tidwall-gjson 
+   NOTE: https://github.com/tidwall/gjson/issues/195
+   NOTE: 
https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc
 CVE-2020-36065
RESERVED
 CVE-2020-36064
@@ -2674,9 +2678,9 @@ CVE-2020-36054
 CVE-2020-36053
RESERVED
 CVE-2020-36052 (Directory traversal vulnerability in post-edit.php in MiniCMS 
V1.10 al ...)
-   TODO: check
+   NOT-FOR-US: MiniCMS
 CVE-2020-36051 (Directory traversal vulnerability in page_edit.php in MiniCMS 
V1.10 al ...)
-   TODO: check
+   NOT-FOR-US: MiniCMS
 CVE-2020-36050
RESERVED
 CVE-2020-36049
@@ -2848,7 +2852,7 @@ CVE-2020-35967
 CVE-2020-35966
RESERVED
 CVE-2021-3007 (** DISPUTED ** Laminas Project laminas-http before 2.14.2, and 
Zend Fr ...)
-   TODO: check
+   NOT-FOR-US: laminas-http
 CVE-2021-21495 (MK-AUTH through 19.01 K4.9 allows CSRF for password changes 
via the ce ...)
NOT-FOR-US: MK-AUTH
 CVE-2021-21494 (MK-AUTH through 19.01 K4.9 allows XSS via the 
admin/logs_ajax.php tipo ...)
@@ -2863,7 +2867,7 @@ CVE-2020-35964 (track_header in libavformat/vividas.c in 
FFmpeg 4.3.1 has an out
NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/27a99e2c7d450fef15594671eef4465c8a166bd7
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26622
 CVE-2020-35963 (flb_gzip_compress in flb_gzip.c in Fluent Bit before 1.6.4 has 
an out- ...)
-   TODO: check
+   NOT-FOR-US: Fluent Bit
 CVE-2021-3006 (The breed function in the smart contract implementation for 
Farm in Se ...)
NOT-FOR-US: Farm in Seal Finance (Seal) Ethereum token
 CVE-2021-3005 (MK-AUTH through 19.01 K4.9 allows remote attackers to obtain 
sensitive ...)
@@ -4153,9 +4157,10 @@ CVE-2021-21237
 CVE-2021-21236
RESERVED
 CVE-2021-21235 (kamadak-exif is an exif parsing library written in pure Rust. 
In kamad ...)
-   TODO: check
+   - rust-kamadak-exif 
+   NOTE: 
https://github.com/kamadak/exif-rs/security/advisories/GHSA-px9g-8hgv-jvg2
 CVE-2021-21234 (spring-boot-actuator-logview in a library that adds a simple 
logfile v ...)
-   TODO: check
+   NOT-FOR-US: Spring actuator logview
 CVE-2020-35627 (Ultimate WooCommerce Gift Cards 3.0.2 is affected by a file 
upload vul ...)
NOT-FOR-US: Ultimate WooCommerce Gift Cards
 CVE-2021-21233
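Review bot: the commit message says the kamadak-exif issue "might not affect stale Debian versions", but nothing in the CVE-2021-21235 entry records that doubt; add a NOTE line stating which upstream versions the GHSA-px9g-8hgv-jvg2 advisory lists as affected and how that compares with the packaged rust-kamadak-exif version, so the next triager does not have to repeat the check before deciding the stable/LTS status.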
@@ -6965,7 +6970,7 @@ CVE-2021-20002
 CVE-2021-20001
RESERVED
 CVE-2020-35488 (The fileop module of the NXLog service in NXLog Community 
Edition 2.10 ...)
-   TODO: check
+   NOT-FOR-US: NXLog
 CVE-2020-35487
RESERVED
 CVE-2020-35486
@@ -10142,7 +10147,7 @@ CVE-2020-29439 (Tesla Model X vehicles before 
2020-11-23 have key fobs that rely
 CVE-2020-29438 (Tesla Model X vehicles before 2020-11-23 have key fobs that 
accept fir ...)
NOT-FOR-US: Tesla Model X vehicles
 CVE-2020-29437 (SQL injection in the Buzz module of OrangeHRM through 4.6 
allows remot ...)
-   TODO: check
+   NOT-FOR-US: OrangeHRM
 CVE-2020-29436 (Sonatype Nexus Repository Manager 3.x before 3.29.0 allows a 
user with ...)
NOT-FOR-US: Sonatype Nexus Repository Manager
 CVE-2020-29435
@@ -13420,7 +13425,7 @@ CVE-2020-28466
 CVE-2020-28465
RESERVED
 CVE-2020-28464 (This affects the package djv before 2.1.4. By controlling the 
schema f ...)
-   TODO: check
+   NOT-FOR-US: Node djv
 CVE-2020-28463
RESERVED
 CVE-2020-28462
@@ -20590,17 +20595,17 @@ CVE-2020-26299
 CVE-2020-26298
RESERVED
 CVE-2020-26297 (mdBook is a utility to create modern online books from 
Markdown files  ...)
-   

[Git][security-tracker-team/security-tracker][master] Triage CVE-2020-35680 in opensmtpd for stretch LTS.

2021-01-06 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1758dfd3 by Chris Lamb at 2021-01-06T10:04:57+00:00
Triage CVE-2020-35680 in opensmtpd for stretch LTS.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3637,6 +3637,7 @@ CVE-2020-35681 [Potential leakage of session identifiers 
using legacy AsgiHandle
NOTE: 
https://github.com/django/channels/commit/e85874d9630474986a6937430eac52db79a2a022
 (3.0.3)
 CVE-2020-35680 (smtpd/lka_filter.c in OpenSMTPD before 6.8.0p1, in certain 
configurati ...)
- opensmtpd 6.8.0p2-1 (bug #978039)
+   [stretch] - opensmtpd  (new filter grammar support added 
in ec69ed85b6c)
NOTE: 
https://github.com/openbsd/src/commit/6c3220444ed06b5796dedfd53a0f4becd903c0d1
NOTE: https://www.mail-archive.com/misc@opensmtpd.org/msg05188.html
 CVE-2020-35679 (smtpd/table.c in OpenSMTPD before 6.8.0p1 lacks a certain 
regfree, whi ...)
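Review bot: the justification on the new [stretch] line cites a bare short hash (ec69ed85b6c) with no repository, while the NOTE lines below use full URLs; name the repository the commit belongs to (or give its full URL) so the reasoning for stretch can be verified later without guessing which tree the hash refers to.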



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1758dfd37b2ff14f70909f144af5575a95b95a51


[Git][security-tracker-team/security-tracker][master] Triage CVE-2020-35679 in opensmtpd for stretch LTS.

2021-01-06 Thread Chris Lamb


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
feffeaba by Chris Lamb at 2021-01-06T09:51:27+00:00
Triage CVE-2020-35679 in opensmtpd for stretch LTS.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3641,6 +3641,7 @@ CVE-2020-35680 (smtpd/lka_filter.c in OpenSMTPD before 
6.8.0p1, in certain confi
NOTE: https://www.mail-archive.com/misc@opensmtpd.org/msg05188.html
 CVE-2020-35679 (smtpd/table.c in OpenSMTPD before 6.8.0p1 lacks a certain 
regfree, whi ...)
- opensmtpd 6.8.0p2-1 (bug #978038)
+   [stretch] - opensmtpd  (regex table supported added > 
6.4.0 according to CHANGES.md)
NOTE: 
https://github.com/openbsd/src/commit/79a034b4aed29e965f45a13409268290c9910043
NOTE: https://www.mail-archive.com/misc@opensmtpd.org/msg05188.html
 CVE-2020-35678 (Autobahn|Python before 20.12.3 allows redirect header 
injection. ...)
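Review bot: the parenthetical on the new [stretch] line reads "regex table supported added > 6.4.0"; it should read "regex table support added", and as with the other NOTE lines a link to the CHANGES.md entry being relied on would make the stretch assessment checkable rather than a bare claim.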



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/feffeaba6246867cd5be4df082449aa55943407e


[Git][security-tracker-team/security-tracker][master] new libjboss-remoting-java (removed), concludes external check

2021-01-06 Thread Moritz Muehlenhoff


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
897e0cc2 by Moritz Muehlenhoff at 2021-01-06T10:29:50+01:00
new libjboss-remoting-java (removed), concludes external check

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6734,6 +6734,7 @@ CVE-2020-35511
RESERVED
 CVE-2020-35510
RESERVED
+   - libjboss-remoting-java 
 CVE-2020-35509
RESERVED
 CVE-2020-35508
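Review bot: CVE-2020-35510 is still RESERVED with no description, and the added `- libjboss-remoting-java` line carries no NOTE giving the source that ties this CVE id to the package (the "external check" mentioned in the commit message); add a NOTE with that reference, otherwise a later triager cannot confirm the mapping once the CVE text is published.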



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/897e0cc20412ab87d6a7852563c185995d58d5a2


[Git][security-tracker-team/security-tracker][master] Process some NFUs

2021-01-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ead70c40 by Salvatore Bonaccorso at 2021-01-06T09:38:47+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,7 @@
 CVE-2021-3027
RESERVED
 CVE-2021-3026 (Invision Community IPS Community Suite before 4.5.4.2 allows 
XSS durin ...)
-   TODO: check
+   NOT-FOR-US: Invision Community IPS Community Suite
 CVE-2021-3025
RESERVED
 CVE-2021-22695
@@ -25,25 +25,25 @@ CVE-2021-22687
 CVE-2021-22686
RESERVED
 CVE-2020-36169 (An issue was discovered in Veritas NetBackup through 8.3.0.1 
and OpsCe ...)
-   TODO: check
+   NOT-FOR-US: Veritas
 CVE-2020-36168 (An issue was discovered in Veritas Resiliency Platform 3.4 and 
3.5. It ...)
-   TODO: check
+   NOT-FOR-US: Veritas
 CVE-2020-36167 (An issue was discovered in the server in Veritas Backup Exec 
through 1 ...)
-   TODO: check
+   NOT-FOR-US: Veritas
 CVE-2020-36166 (An issue was discovered in Veritas InfoScale 7.x through 7.4.2 
on Wind ...)
-   TODO: check
+   NOT-FOR-US: Veritas
 CVE-2020-36165 (An issue was discovered in Veritas Desktop and Laptop Option 
(DLO) bef ...)
-   TODO: check
+   NOT-FOR-US: Veritas
 CVE-2020-36164 (An issue was discovered in Veritas Enterprise Vault through 
14.0. On s ...)
-   TODO: check
+   NOT-FOR-US: Veritas
 CVE-2020-36163 (An issue was discovered in Veritas NetBackup and OpsCenter 
through 8.3 ...)
-   TODO: check
+   NOT-FOR-US: Veritas
 CVE-2020-36162 (An issue was discovered in Veritas CloudPoint before 
8.3.0.1+hotfix. T ...)
-   TODO: check
+   NOT-FOR-US: Veritas
 CVE-2020-36161 (An issue was discovered in Veritas APTARE 10.4 before 10.4P9 
and 10.5  ...)
-   TODO: check
+   NOT-FOR-US: Veritas
 CVE-2020-36160 (An issue was discovered in Veritas System Recovery before 
21.2. On sta ...)
-   TODO: check
+   NOT-FOR-US: Veritas
 CVE-2021-3024
RESERVED
 CVE-2021-3023
@@ -7641,7 +7641,7 @@ CVE-2020-35172
 CVE-2020-35171
RESERVED
 CVE-2020-35170 (Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9, 
Dell EMC Un ...)
-   TODO: check
+   NOT-FOR-US: Dell EMC Unisphere for PowerMax 
 CVE-2020-35169
RESERVED
 CVE-2020-35168
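Review bot: the replacement line `NOT-FOR-US: Dell EMC Unisphere for PowerMax ` ends with a trailing space; strip it so the entry matches the other NOT-FOR-US lines in this commit and does not show up as a whitespace-only change on the next edit.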
@@ -9765,11 +9765,11 @@ CVE-2020-29504
 CVE-2020-29503
RESERVED
 CVE-2020-29502 (Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a 
Plain-Te ...)
-   TODO: check
+   NOT-FOR-US: EMC PowerStore
 CVE-2020-29501 (Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a 
Plain-Te ...)
-   TODO: check
+   NOT-FOR-US: EMC PowerStore
 CVE-2020-29500 (Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a 
Plain-Te ...)
-   TODO: check
+   NOT-FOR-US: EMC PowerStore
 CVE-2020-29499
RESERVED
 CVE-2020-29498 (Dell Wyse Management Suite versions prior to 3.1 contain an 
open redir ...)
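Review bot: the NOT-FOR-US labels in this commit are inconsistent for the same vendor: `EMC PowerStore` here, `Dell EMC Unisphere for PowerMax` in the previous hunk and plain `EMC` in the hunks that follow, while every description begins "Dell EMC ..."; pick one form (for example `Dell EMC PowerStore`) so the vendor's entries can be grepped together.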
@@ -9789,9 +9789,9 @@ CVE-2020-29492 (Dell Wyse ThinOS 8.6 and prior versions 
contain an insecure defa
 CVE-2020-29491 (Dell Wyse ThinOS 8.6 and prior versions contain an insecure 
default co ...)
NOT-FOR-US: Dell Wyse ThinOS
 CVE-2020-29490 (Dell EMC Unity, Unity XT, and UnityVSA versions prior to 
5.0.4.0.5.012 ...)
-   TODO: check
+   NOT-FOR-US: EMC
 CVE-2020-29489 (Dell EMC Unity, Unity XT, and UnityVSA versions prior to 
5.0.4.0.5.012 ...)
-   TODO: check
+   NOT-FOR-US: EMC
 CVE-2021-1735
RESERVED
 CVE-2021-1734
@@ -20816,7 +20816,7 @@ CVE-2020-26201 (Askey AP5100W_Dual_SIG_1.01.097 and all 
prior versions use a wea
 CVE-2020-26200
RESERVED
 CVE-2020-26199 (Dell EMC Unity, Unity XT, and UnityVSA versions prior to 
5.0.4.0.5.012 ...)
-   TODO: check
+   NOT-FOR-US: EMC
 CVE-2020-26198 (Dell EMC iDRAC9 versions prior to 4.32.10.00 and 4.40.00.00 
contain a  ...)
NOT-FOR-US: EMC
 CVE-2020-26197
@@ -20852,7 +20852,7 @@ CVE-2020-26183 (Dell EMC NetWorker versions prior to 
19.3.0.2 contain an imprope
 CVE-2020-26182 (Dell EMC NetWorker versions prior to 19.3.0.2 contain an 
incorrect pri ...)
NOT-FOR-US: EMC
 CVE-2020-26181 (Dell EMC Isilon OneFS versions 8.1 and later and Dell EMC 
PowerScale O ...)
-   TODO: check
+   NOT-FOR-US: EMC
 CVE-2020-26180
RESERVED
 CVE-2020-26179



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ead70c40a9898bec55ed9989d2b5fc5ef2265514


[Git][security-tracker-team/security-tracker][master] Remove note from CVE-2020-1674

2021-01-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4fddff61 by Salvatore Bonaccorso at 2021-01-06T09:14:31+01:00
Remove note from CVE-2020-1674

Apparently further investigation showed that it was not a security issue
and the Juniper CNA withdrew the CVE.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -84000,7 +84000,6 @@ CVE-2020-1675 (When Security Assertion Markup Language 
(SAML) authentication is
NOT-FOR-US: Juniper
 CVE-2020-1674
REJECTED
-   NOT-FOR-US: Juniper
 CVE-2020-1673 (Insufficient Cross-Site Scripting (XSS) protection in Juniper 
Networks ...)
NOT-FOR-US: Juniper
 CVE-2020-1672 (On Juniper Networks Junos OS devices configured with DHCPv6 
relay enab ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4fddff616d6ae75b6763c82b0021b0cc7ea8fc13


[Git][security-tracker-team/security-tracker][master] automatic update

2021-01-06 Thread Salvatore Bonaccorso


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d2aa1522 by security tracker role at 2021-01-06T08:10:17+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,49 @@
+CVE-2021-3027
+   RESERVED
+CVE-2021-3026 (Invision Community IPS Community Suite before 4.5.4.2 allows 
XSS durin ...)
+   TODO: check
+CVE-2021-3025
+   RESERVED
+CVE-2021-22695
+   RESERVED
+CVE-2021-22694
+   RESERVED
+CVE-2021-22693
+   RESERVED
+CVE-2021-22692
+   RESERVED
+CVE-2021-22691
+   RESERVED
+CVE-2021-22690
+   RESERVED
+CVE-2021-22689
+   RESERVED
+CVE-2021-22688
+   RESERVED
+CVE-2021-22687
+   RESERVED
+CVE-2021-22686
+   RESERVED
+CVE-2020-36169 (An issue was discovered in Veritas NetBackup through 8.3.0.1 
and OpsCe ...)
+   TODO: check
+CVE-2020-36168 (An issue was discovered in Veritas Resiliency Platform 3.4 and 
3.5. It ...)
+   TODO: check
+CVE-2020-36167 (An issue was discovered in the server in Veritas Backup Exec 
through 1 ...)
+   TODO: check
+CVE-2020-36166 (An issue was discovered in Veritas InfoScale 7.x through 7.4.2 
on Wind ...)
+   TODO: check
+CVE-2020-36165 (An issue was discovered in Veritas Desktop and Laptop Option 
(DLO) bef ...)
+   TODO: check
+CVE-2020-36164 (An issue was discovered in Veritas Enterprise Vault through 
14.0. On s ...)
+   TODO: check
+CVE-2020-36163 (An issue was discovered in Veritas NetBackup and OpsCenter 
through 8.3 ...)
+   TODO: check
+CVE-2020-36162 (An issue was discovered in Veritas CloudPoint before 
8.3.0.1+hotfix. T ...)
+   TODO: check
+CVE-2020-36161 (An issue was discovered in Veritas APTARE 10.4 before 10.4P9 
and 10.5  ...)
+   TODO: check
+CVE-2020-36160 (An issue was discovered in Veritas System Recovery before 
21.2. On sta ...)
+   TODO: check
 CVE-2021-3024
RESERVED
 CVE-2021-3023
@@ -2597,10 +2643,10 @@ CVE-2020-36069
RESERVED
 CVE-2020-36068
RESERVED
-CVE-2020-36067
-   RESERVED
-CVE-2020-36066
-   RESERVED
+CVE-2020-36067 (GJSON =v1.6.5 allows attackers to cause a denial of 
service (panic ...)
+   TODO: check
+CVE-2020-36066 (GJSON 1.6.5 allows attackers to cause a denial of service 
(remote) ...)
+   TODO: check
 CVE-2020-36065
RESERVED
 CVE-2020-36064
@@ -2627,10 +2673,10 @@ CVE-2020-36054
RESERVED
 CVE-2020-36053
RESERVED
-CVE-2020-36052
-   RESERVED
-CVE-2020-36051
-   RESERVED
+CVE-2020-36052 (Directory traversal vulnerability in post-edit.php in MiniCMS 
V1.10 al ...)
+   TODO: check
+CVE-2020-36051 (Directory traversal vulnerability in page_edit.php in MiniCMS 
V1.10 al ...)
+   TODO: check
 CVE-2020-36050
RESERVED
 CVE-2020-36049
@@ -4104,8 +4150,8 @@ CVE-2021-21237
RESERVED
 CVE-2021-21236
RESERVED
-CVE-2021-21235
-   RESERVED
+CVE-2021-21235 (kamadak-exif is an exif parsing library written in pure Rust. 
In kamad ...)
+   TODO: check
 CVE-2021-21234 (spring-boot-actuator-logview in a library that adds a simple 
logfile v ...)
TODO: check
 CVE-2020-35627 (Ultimate WooCommerce Gift Cards 3.0.2 is affected by a file 
upload vul ...)
@@ -7392,7 +7438,7 @@ CVE-2020-35271
RESERVED
 CVE-2020-35270
RESERVED
-CVE-2020-35269 (There is a Cross Site Request Forgery (CSRF) vulnerability in 
Nagios C ...)
+CVE-2020-35269 (Nagios Core application version 4.2.4 is vulnerable to 
Site-Wide Cross ...)
- nagios4 
NOTE: https://gist.github.com/MoSalah20/d1d40b43eafba0bd22ee4cddecad3cbc
NOTE: https://github.com/NagiosEnterprises/nagioscore/issues/809
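Review bot: the automatic update rewrote the CVE-2020-35269 description from a "Cross Site Request Forgery (CSRF)" issue to "Nagios Core application version 4.2.4 is vulnerable to Site-Wide Cross ...", but the existing triage (`- nagios4`, the gist and the nagioscore issue #809 NOTE links) was left untouched; the nagios4 assessment and the two references should be re-checked against the new wording to confirm they still describe the same issue and the same affected versions.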
@@ -7594,8 +7640,8 @@ CVE-2020-35172
RESERVED
 CVE-2020-35171
RESERVED
-CVE-2020-35170
-   RESERVED
+CVE-2020-35170 (Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9, 
Dell EMC Un ...)
+   TODO: check
 CVE-2020-35169
RESERVED
 CVE-2020-35168
@@ -9718,12 +9764,12 @@ CVE-2020-29504
RESERVED
 CVE-2020-29503
RESERVED
-CVE-2020-29502
-   RESERVED
-CVE-2020-29501
-   RESERVED
-CVE-2020-29500
-   RESERVED
+CVE-2020-29502 (Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a 
Plain-Te ...)
+   TODO: check
+CVE-2020-29501 (Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a 
Plain-Te ...)
+   TODO: check
+CVE-2020-29500 (Dell EMC PowerStore versions prior to 1.0.3.0.5.007 contain a 
Plain-Te ...)
+   TODO: check
 CVE-2020-29499
RESERVED
 CVE-2020-29498 (Dell Wyse Management Suite versions prior to 3.1 contain an 
open redir ...)
@@ -9742,10 +9788,10 @@ CVE-2020-29492 (Dell Wyse ThinOS 8.6 and prior versions 
contain an insecure defa
NOT-FOR-US: Dell Wyse ThinOS
 CVE-2020-29491 (Dell Wyse ThinOS 8.6 and prior versions contain an insecure 
default co ...)
NOT-FOR-US: Dell Wyse