Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 2f0c6f65 by security tracker role at 2020-03-19T20:10:22+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -1,17 +1,27 @@ +CVE-2020-10679 + RESERVED +CVE-2020-10678 (In Octopus Deploy before 2020.1.5, for customers running on-premises A ...) + TODO: check +CVE-2020-10677 + RESERVED +CVE-2020-10676 + RESERVED +CVE-2020-10675 (The Library API in buger jsonparser through 2019-12-04 allows attacker ...) + TODO: check CVE-2020-10673 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) TODO: check CVE-2020-10672 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) TODO: check -CVE-2020-10671 - RESERVED -CVE-2020-10670 - RESERVED +CVE-2020-10671 (The Canon Oce Colorwave 500 4.0.0.0 printer's web application is missi ...) + TODO: check +CVE-2020-10670 (The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 pri ...) + TODO: check CVE-2020-10669 RESERVED -CVE-2020-10668 - RESERVED -CVE-2020-10667 - RESERVED +CVE-2020-10668 (The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 pri ...) + TODO: check +CVE-2020-10667 (The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 pri ...) + TODO: check CVE-2020-10666 RESERVED CVE-2020-10674 (PerlSpeak through 2.01 allows attackers to execute arbitrary OS comman ...) 
@@ -33,36 +43,36 @@ CVE-2019-20529 (In core/doctype/prepared_report/prepared_report.py in Frappe 11 NOT-FOR-US: Frappe Framework CVE-2019-20528 (Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasour ...) NOT-FOR-US: Ignite Realtime Openfire -CVE-2019-20527 - RESERVED -CVE-2019-20526 - RESERVED -CVE-2019-20525 - RESERVED -CVE-2019-20524 - RESERVED -CVE-2019-20523 - RESERVED -CVE-2019-20522 - RESERVED -CVE-2019-20521 - RESERVED -CVE-2019-20520 - RESERVED -CVE-2019-20519 - RESERVED -CVE-2019-20518 - RESERVED -CVE-2019-20517 - RESERVED -CVE-2019-20516 - RESERVED -CVE-2019-20515 - RESERVED -CVE-2019-20514 - RESERVED -CVE-2019-20513 - RESERVED +CVE-2019-20527 (Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasour ...) + TODO: check +CVE-2019-20526 (Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasour ...) + TODO: check +CVE-2019-20525 (Ignite Realtime Openfire 4.4.1 allows XSS via the setup/setup-datasour ...) + TODO: check +CVE-2019-20524 (ilchCMS 2.1.23 allows XSS via the index.php/partner/index Banner param ...) + TODO: check +CVE-2019-20523 (ilchCMS 2.1.23 allows XSS via the index.php/partner/index Name paramet ...) + TODO: check +CVE-2019-20522 (ilchCMS 2.1.23 allows XSS via the index.php/partner/index Link paramet ...) + TODO: check +CVE-2019-20521 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/ URI ...) + TODO: check +CVE-2019-20520 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the api/meth ...) + TODO: check +CVE-2019-20519 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the user/ UR ...) + TODO: check +CVE-2019-20518 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the project/ ...) + TODO: check +CVE-2019-20517 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the contact/ ...) + TODO: check +CVE-2019-20516 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the blog/ UR ...) 
+ TODO: check +CVE-2019-20515 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the addresse ...) + TODO: check +CVE-2019-20514 (ERPNext 11.1.47 allows reflected XSS via the PATH_INFO to the address/ ...) + TODO: check +CVE-2019-20513 (Open edX Ironwood.1 allows support/certificates?user= reflected XSS. ...) + TODO: check CVE-2019-20512 (Open edX Ironwood.1 allows support/certificates?course_id= reflected X ...) NOT-FOR-US: Open edX Ironwood.1 CVE-2019-20511 (ERPNext 11.1.47 allows blog?blog_category= Frame Injection. ...) @@ -91,8 +101,8 @@ CVE-2019-20510 REJECTED CVE-2020-10649 RESERVED -CVE-2020-10648 - RESERVED +CVE-2020-10648 (Das U-Boot through 2020.01 allows attackers to bypass verified boot re ...) + TODO: check CVE-2020-10647 RESERVED CVE-2020-10646 @@ -2985,6 +2995,7 @@ CVE-2020-9337 (In GolfBuddy Course Manager 1.1, passwords are sent (with base64 CVE-2020-9336 (fauzantrif eLection 2.0 has XSS via the Admin Dashboard -> Settings ...) NOT-FOR-US: fauzantrif eLection CVE-2020-6816 [mutation XSS vulnerability again] + RESERVED - python-bleach 3.1.3-1 (bug #954236) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1621692 (not public) NOTE: https://github.com/mozilla/bleach/security/advisories/GHSA-m6xf-fq7q-8743 @@ -12236,8 +12247,8 @@ CVE-2020-5269 RESERVED CVE-2020-5268 RESERVED -CVE-2020-5267 - RESERVED +CVE-2020-5267 (In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible ...) + TODO: check CVE-2020-5266 RESERVED CVE-2020-5265 @@ -12246,8 +12257,8 @@ CVE-2020-5264 RESERVED CVE-2020-5263 RESERVED -CVE-2020-5262 - RESERVED +CVE-2020-5262 (In EasyBuild before version 4.1.2, the GitHub Personal Access Token (P ...) + TODO: check CVE-2020-5261 RESERVED CVE-2020-5260 
@@ -14886,12 +14897,12 @@ CVE-2020-4207 (IBM Watson IoT Message Gateway 2.0.0.x, 5.0.0.0, 5.0.0.1, and 5.0 NOT-FOR-US: IBM CVE-2020-4206 RESERVED -CVE-2020-4205 - RESERVED +CVE-2020-4205 (IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.8 could allow an aut ...) + TODO: check CVE-2020-4204 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...) NOT-FOR-US: IBM -CVE-2020-4203 - RESERVED +CVE-2020-4203 (IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.8 could potentially ...) + TODO: check CVE-2020-4202 RESERVED CVE-2020-4201 @@ -17080,7 +17091,7 @@ CVE-2019-19801 (In Gallagher Command Centre Server versions of v8.10 prior to v8 NOT-FOR-US: Gallagher Command Centre Server CVE-2019-19800 (Zoho ManageEngine Applications Manager 14 before 14520 allows a remote ...) NOT-FOR-US: Zoho ManageEngine Applications Manager -CVE-2019-19799 (Zoho ManageEngine Applications Manager 14590 and before allows a remot ...) +CVE-2019-19799 (Zoho ManageEngine Applications Manager before 14600 allows a remote un ...) NOT-FOR-US: Zoho ManageEngine CVE-2019-19798 RESERVED @@ -17864,12 +17875,12 @@ CVE-2020-3268 RESERVED CVE-2020-3267 RESERVED -CVE-2020-3266 - RESERVED -CVE-2020-3265 - RESERVED -CVE-2020-3264 - RESERVED +CVE-2020-3266 (A vulnerability in the CLI of Cisco SD-WAN Solution software could all ...) + TODO: check +CVE-2020-3265 (A vulnerability in Cisco SD-WAN Solution software could allow an authe ...) + TODO: check +CVE-2020-3264 (A vulnerability in Cisco SD-WAN Solution software could allow an authe ...) + TODO: check CVE-2020-3263 RESERVED CVE-2020-3262 
@@ -22286,8 +22297,7 @@ CVE-2020-1707 NOT-FOR-US: openshift CVE-2020-1706 (It has been found that in openshift-enterprise version 3.11 and opensh ...) NOT-FOR-US: openshift -CVE-2020-1705 - RESERVED +CVE-2020-1705 (A vulnerability was found in openshift/template-service-broker-operato ...) NOT-FOR-US: openshift CVE-2020-1704 (An insecure modification vulnerability in the /etc/passwd file was fou ...) NOT-FOR-US: openshift @@ -22413,8 +22423,7 @@ CVE-2019-19338 [KVM: export MSR_IA32_TSX_CTRL to guest - incomplete fix for TAA NOTE: https://www.openwall.com/lists/oss-security/2019/12/11/1 CVE-2019-19337 (A flaw was found in Red Hat Ceph Storage version 3 in the way the Ceph ...) - ceph <not-affected> (Only affects Ceph as packaged by Red Hat) -CVE-2019-19336 - RESERVED +CVE-2019-19336 (A cross-site scripting vulnerability was reported in the oVirt-engine' ...) NOT-FOR-US: ovirt-engine CVE-2019-19335 (During installation of an OpenShift 4 cluster, the `openshift-install` ...) NOT-FOR-US: OpenShift @@ -33417,8 +33426,8 @@ CVE-2019-16384 RESERVED CVE-2019-16383 (MOVEit.DMZ.WebApi.dll in Progress MOVEit Transfer 2018 SP2 before 10.2 ...) NOT-FOR-US: Progress MOVEit Transfer -CVE-2019-16382 - RESERVED +CVE-2019-16382 (An issue was discovered in Ivanti Workspace Control 10.3.110.0. One is ...) + TODO: check CVE-2019-16381 RESERVED CVE-2019-16380 @@ -33473,8 +33482,7 @@ CVE-2019-16377 (The makandra consul gem through 1.0.2 for Ruby has Incorrect Acc NOT-FOR-US: makandra consul gem CVE-2019-16376 RESERVED -CVE-2019-16375 - RESERVED +CVE-2019-16375 (An issue was discovered in Open Ticket Request System (OTRS) 7.0.x thr ...) - otrs2 6.0.23-1 [buster] - otrs2 <no-dsa> (Non-free not supported) [stretch] - otrs2 <no-dsa> (Non-free not supported) 
@@ -33598,10 +33606,10 @@ CVE-2019-16340 (Belkin Linksys Velop 1.1.8.192419 devices allows remote attacker NOT-FOR-US: Belkin CVE-2019-16339 RESERVED -CVE-2019-16338 - RESERVED -CVE-2019-16337 - RESERVED +CVE-2019-16338 (The tfo_common component in HwordApp.dll in Hancom Office 9.6.1.7634 a ...) + TODO: check +CVE-2019-16337 (The hncbd90 component in Hancom Office 9.6.1.9403 allows a use-after-f ...) + TODO: check CVE-2019-16336 (The Bluetooth Low Energy implementation in Cypress PSoC 4 BLE componen ...) NOT-FOR-US: Cypress CVE-2019-16335 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) @@ -34457,26 +34465,26 @@ CVE-2019-16072 RESERVED CVE-2019-16071 RESERVED -CVE-2019-16070 - RESERVED +CVE-2019-16070 (A number of stored Cross-site Scripting (XSS) vulnerabilities were ide ...) + TODO: check CVE-2019-16069 RESERVED CVE-2019-16068 RESERVED -CVE-2019-16067 - RESERVED -CVE-2019-16066 - RESERVED -CVE-2019-16065 - RESERVED -CVE-2019-16064 - RESERVED +CVE-2019-16067 (NETSAS Enigma NMS 65.0.0 and prior utilises basic authentication over ...) + TODO: check +CVE-2019-16066 (An unrestricted file upload vulnerability exists in user and system fi ...) + TODO: check +CVE-2019-16065 (A remote SQL injection web vulnerability was discovered in the Enigma ...) + TODO: check +CVE-2019-16064 (NETSAS Enigma NMS 65.0.0 and prior suffers from a directory traversal ...) + TODO: check CVE-2019-16063 RESERVED -CVE-2019-16062 - RESERVED -CVE-2019-16061 - RESERVED +CVE-2019-16062 (NETSAS Enigma NMS 65.0.0 and prior does not encrypt sensitive data sto ...) + TODO: check +CVE-2019-16061 (A number of files on the NETSAS Enigma NMS server 65.0.0 and prior are ...) + TODO: check CVE-2019-16089 (An issue was discovered in the Linux kernel through 5.2.13. nbd_genl_s ...) - linux <unfixed> [stretch] - linux <not-affected> (Vulnerable code not present) 
@@ -34597,12 +34605,12 @@ CVE-2019-16014 RESERVED CVE-2019-16013 RESERVED -CVE-2019-16012 - RESERVED +CVE-2019-16012 (A vulnerability in the web UI of Cisco SD-WAN Solution vManage softwar ...) + TODO: check CVE-2019-16011 RESERVED -CVE-2019-16010 - RESERVED +CVE-2019-16010 (A vulnerability in the web UI of the Cisco SD-WAN vManage software cou ...) + TODO: check CVE-2019-16009 RESERVED CVE-2019-16008 (A vulnerability in the web-based GUI of Cisco IP Phone 6800, 7800, and ...) @@ -35685,14 +35693,14 @@ CVE-2019-15658 (connect-pg-simple before 6.0.1 allows SQL injection if tableName NOT-FOR-US: connect-pg-simple CVE-2019-15657 (In eslint-utils before 1.4.1, the getStaticValue function can execute ...) NOT-FOR-US: eslint-utils -CVE-2019-15656 - RESERVED -CVE-2019-15655 - RESERVED -CVE-2019-15654 - RESERVED -CVE-2019-15653 - RESERVED +CVE-2019-15656 (D-Link DSL-2875AL and DSL-2877AL devices through 1.00.05 are prone to ...) + TODO: check +CVE-2019-15655 (D-Link DSL-2875AL devices through 1.00.05 are prone to password disclo ...) + TODO: check +CVE-2019-15654 (Comba AP2600-I devices through A02,0202N00PD2 are prone to password di ...) + TODO: check +CVE-2019-15653 (Comba AP2600-I devices through A02,0202N00PD2 are prone to password di ...) + TODO: check CVE-2019-15652 (The web interface for NSSLGlobal SatLink VSAT Modem Unit (VMU) devices ...) NOT-FOR-US: NSSLGlobal SatLink VSAT Modem Unit (VMU) devices CVE-2019-15651 (wolfSSL 4.1.0 has a one-byte heap-based buffer over-read in DecodeCert ...) 
@@ -36077,8 +36085,8 @@ CVE-2019-15541 (rustls-mio/examples/tlsserver.rs in the rustls crate before 0.16 NOT-FOR-US: Rust crate rustls CVE-2019-15540 (filters/filter-cso/filter-stream.c in the CSO filter in libMirage 3.2. ...) NOT-FOR-US: libMirage -CVE-2019-15539 - RESERVED +CVE-2019-15539 (The proj_doc_edit_page.php Project Documentation feature in MantisBT b ...) + TODO: check CVE-2019-15538 (An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in ...) {DLA-1919-1} - linux 5.2.17-1 @@ -37338,8 +37346,7 @@ CVE-2019-15125 RESERVED CVE-2018-20975 (Fat Free CRM before 0.18.1 has XSS in the tags_helper in app/helpers/t ...) NOT-FOR-US: Fat Free CRM -CVE-2019-15124 - RESERVED +CVE-2019-15124 (In the MobileFrontend extension for MediaWiki, XSS exists within the e ...) NOT-FOR-US: MobileFrontend extension for MediaWiki CVE-2019-15123 RESERVED 
@@ -38283,56 +38290,49 @@ CVE-2019-14880 - moodle <removed> CVE-2019-14879 (moodle before versions 3.7.3, 3.6.7, 3.5.9 is vulnerable to a None. ...) - moodle <removed> -CVE-2019-14878 - RESERVED +CVE-2019-14878 (In the __d2b function of the newlib libc library, all versions prior t ...) - newlib 3.3.0-1 [buster] - newlib <no-dsa> (Minor issue) [stretch] - newlib <no-dsa> (Minor issue) [jessie] - newlib <ignored> (Minor issue) NOTE: https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/ TODO: picolibc might be affected, not yet in the archive -CVE-2019-14877 - RESERVED +CVE-2019-14877 (In the __mdiff function of the newlib libc library, all versions prior ...) - newlib 3.3.0-1 [buster] - newlib <no-dsa> (Minor issue) [stretch] - newlib <no-dsa> (Minor issue) [jessie] - newlib <ignored> (Minor issue) NOTE: https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/ TODO: picolibc might be affected, not yet in the archive -CVE-2019-14876 - RESERVED +CVE-2019-14876 (In the __lshift function of the newlib libc library, all versions prio ...) - newlib 3.3.0-1 [buster] - newlib <no-dsa> (Minor issue) [stretch] - newlib <no-dsa> (Minor issue) [jessie] - newlib <ignored> (Minor issue) NOTE: https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/ TODO: picolibc might be affected, not yet in the archive -CVE-2019-14875 - RESERVED +CVE-2019-14875 (In the __multiply function of the newlib libc library, all versions pr ...) - newlib 3.3.0-1 [buster] - newlib <no-dsa> (Minor issue) [stretch] - newlib <no-dsa> (Minor issue) [jessie] - newlib <ignored> (Minor issue) NOTE: https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/ TODO: picolibc might be affected, not yet in the archive -CVE-2019-14874 - RESERVED +CVE-2019-14874 (In the __i2b function of the newlib libc library, all versions prior t ...) 
- newlib 3.3.0-1 [buster] - newlib <no-dsa> (Minor issue) [stretch] - newlib <no-dsa> (Minor issue) [jessie] - newlib <ignored> (Minor issue) NOTE: https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/ TODO: picolibc might be affected, not yet in the archive -CVE-2019-14873 - RESERVED +CVE-2019-14873 (In the __multadd function of the newlib libc library, prior to version ...) - newlib 3.3.0-1 [buster] - newlib <no-dsa> (Minor issue) [stretch] - newlib <no-dsa> (Minor issue) [jessie] - newlib <ignored> (Minor issue) NOTE: https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/ TODO: picolibc might be affected, not yet in the archive -CVE-2019-14872 - RESERVED +CVE-2019-14872 (The _dtoa_r function of the newlib libc library, prior to version 3.3. ...) - newlib 3.3.0-1 [buster] - newlib <no-dsa> (Minor issue) [stretch] - newlib <no-dsa> (Minor issue) @@ -46859,8 +46859,8 @@ CVE-2019-12418 (When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 an NOTE: https://github.com/apache/tomcat/commit/bef3f40400243348d12f4abfe9b413f43897c02b (7.0.98) CVE-2019-12417 (A malicious admin user could edit the state of objects in the Airflow ...) - airflow <itp> (bug #819700) -CVE-2019-12416 - RESERVED +CVE-2019-12416 (we got reports for 2 injection attacks against the DeltaSpike windowha ...) + TODO: check CVE-2019-12415 (In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to conv ...) - libapache-poi-java <unfixed> (bug #943565) [buster] - libapache-poi-java <no-dsa> (Minor issue) 
@@ -47656,18 +47656,18 @@ CVE-2019-12132 (An issue was discovered in ONAP SDNC before Dublin. By executing TODO: check CVE-2019-12131 (An issue was detected in ONAP APPC through Dublin and SDC through Dubl ...) TODO: check -CVE-2019-12130 - RESERVED -CVE-2019-12129 - RESERVED -CVE-2019-12128 - RESERVED -CVE-2019-12127 - RESERVED -CVE-2019-12126 - RESERVED -CVE-2019-12125 - RESERVED +CVE-2019-12130 (In ONAP CLI through Dublin, by accessing an applicable port (30234, 30 ...) + TODO: check +CVE-2019-12129 (In ONAP MSB through Dublin, by accessing an applicable port (30234, 30 ...) + TODO: check +CVE-2019-12128 (In ONAP SO through Dublin, by accessing an applicable port (30234, 302 ...) + TODO: check +CVE-2019-12127 (In ONAP OOM through Dublin, by accessing an applicable port (30234, 30 ...) + TODO: check +CVE-2019-12126 (In ONAP DCAE through Dublin, by accessing an applicable port (30234, 3 ...) + TODO: check +CVE-2019-12125 (In ONAP Logging through Dublin, by accessing an applicable port (30234 ...) + TODO: check CVE-2019-12124 (An issue was discovered in ONAP APPC before Dublin. By using an expose ...) TODO: check CVE-2019-12123 (An issue was discovered in ONAP SDNC before Dublin. By executing sla/p ...) @@ -49896,8 +49896,8 @@ CVE-2019-11363 (A SQL injection vulnerability in Snare Central before 7.4.5 allo NOT-FOR-US: Snare Central CVE-2019-11362 (app/controllers/frontend/PostController.php in ROCBOSS V2.2.1 has SQL ...) NOT-FOR-US: ROCBOSS -CVE-2019-11361 - RESERVED +CVE-2019-11361 (Zoho ManageEngine Remote Access Plus 10.0.258 does not validate user p ...) + TODO: check CVE-2016-10748 RESERVED CVE-2016-10747 @@ -67473,7 +67473,7 @@ CVE-2019-5106 (A hard-coded encryption key vulnerability exists in the authentic CVE-2019-5105 RESERVED CVE-2019-5104 - RESERVED + REJECTED CVE-2019-5103 RESERVED CVE-2019-5102 (An exploitable information leak vulnerability exists in the ustream-ss ...) 
@@ -261574,12 +261574,12 @@ CVE-2014-2725 RESERVED CVE-2014-2724 RESERVED -CVE-2014-2723 - RESERVED -CVE-2014-2722 - RESERVED -CVE-2014-2721 - RESERVED +CVE-2014-2723 (In FortiBalancer 400, 1000, 2000 and 3000, a platform-specific remote ...) + TODO: check +CVE-2014-2722 (In FortiBalancer 400, 1000, 2000 and 3000, a platform-specific remote ...) + TODO: check +CVE-2014-2721 (In FortiBalancer 400, 1000, 2000 and 3000, a platform-specific remote ...) + TODO: check CVE-2014-2720 (IZArc 4.1.8 displays a file's name on the basis of a ZIP archive's Cen ...) NOT-FOR-US: IZArc Archiver CVE-2014-2719 (Advanced_System_Content.asp in the ASUS RT series routers with firmwar ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f0c6f655176b26b22e81ebd0a1305dd7a6ff9e9
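Review bot: In the first hunk (@@ -1,17 +1,27 @@) the block is no longer in descending ID order: the new CVE-2020-10675 to CVE-2020-10679 entries are inserted at the top, but CVE-2020-10674 (PerlSpeak) still sits below CVE-2020-10666 at the bottom of the hunk. If this block is meant to stay sorted, `CVE-2020-10674 (PerlSpeak through 2.01 allows attackers to execute arbitrary OS comman ...)` and its triage line belong between CVE-2020-10675 and CVE-2020-10673.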
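Review bot: In the CVE-2019-16375 hunk (@@ -33473,8 +33482,7 @@) the version range in the newly imported description does not obviously match the recorded fix: the description names `Open Ticket Request System (OTRS) 7.0.x thr ...` while the package lines below it record `- otrs2 6.0.23-1` as fixed with `<no-dsa>` for buster and stretch. The description is truncated, so the 6.0 series may well be listed further on, but the otrs2 lines should be re-checked against the full upstream text before this entry is treated as closed.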
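Review bot: In the newlib hunk (@@ -38283,56 +38290,49 @@) the one item still open after this change is the `TODO: picolibc might be affected, not yet in the archive` line, which is now repeated verbatim under all seven entries (CVE-2019-14872 through CVE-2019-14878) and needs a single human decision rather than seven. The imported descriptions themselves are consistent with the existing package lines: each names a distinct function (`__d2b`, `__mdiff`, `__lshift`, `__multiply`, `__i2b`, `__multadd`, `_dtoa_r`) with a range of `all versions prior to ...` / `prior to version 3.3.`, which agrees with the recorded fix `- newlib 3.3.0-1`, so those lines need no edit.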
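Review bot: In the CVE-2019-12416 hunk (@@ -46859,8 +46859,8 @@) the imported description starts in lower case and reads like a mailing-list sentence (`we got reports for 2 injection attacks against the DeltaSpike windowha ...`). Since this commit is an automatic update that mirrors the upstream text, the wording should be left as imported rather than tidied by hand in this file; the added `TODO: check` is the right place for the Debian-side triage of the DeltaSpike entry.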
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits