Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 53e2cfed by security tracker role at 2020-05-04T20:10:19+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -1,3 +1,17 @@ +CVE-2020-12642 (An issue was discovered in service-api before 4.3.12 and 5.x before 5. ...) + TODO: check +CVE-2020-12641 (rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to ...) + TODO: check +CVE-2020-12640 (Roundcube Webmail before 1.4.4 allows attackers to include local files ...) + TODO: check +CVE-2020-12639 (phpList before 3.5.3 allows XSS, with resultant privilege elevation, v ...) + TODO: check +CVE-2020-12638 + RESERVED +CVE-2020-12637 + RESERVED +CVE-2018-21233 (TensorFlow before 1.7.0 has an integer overflow that causes an out-of- ...) + TODO: check CVE-2020-12636 RESERVED CVE-2020-12635 @@ -12,8 +26,8 @@ CVE-2020-12631 RESERVED CVE-2020-12630 RESERVED -CVE-2020-12629 - RESERVED +CVE-2020-12629 (include/class.sla.php in osTicket before 1.14.2 allows XSS via the SLA ...) + TODO: check CVE-2020-12628 RESERVED CVE-2020-12627 (Calibre-Web 0.6.6 allows authentication bypass because of the 'A0Zr98j ...) @@ -316,8 +330,8 @@ CVE-2020-12477 (The REST API functions in TeamPass 2.1.27.36 allow any user with - teampass <itp> (bug #730180) CVE-2020-12476 RESERVED -CVE-2020-12475 - RESERVED +CVE-2020-12475 (TP-Link Omada Controller Software 3.2.6 allows Directory Traversal for ...) + TODO: check CVE-2020-12474 (Telegram Desktop through 2.0.1, Telegram through 6.0.1 for Android, an ...) TODO: check CVE-2020-12473 (MonoX through 5.1.40.5152 allows admins to execute arbitrary programs ...) @@ -820,7 +834,7 @@ CVE-2020-12272 (OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject aut NOTE: https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf CVE-2020-12271 (A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 bef ...) NOT-FOR-US: SFOS -CVE-2020-12270 (React Native Bluetooth Scan in Bluezone 1.0.0 uses six-character alpha ...) +CVE-2020-12270 (** DISPUTED ** React Native Bluetooth Scan in Bluezone 1.0.0 uses six- ...) NOT-FOR-US: Bluezone CVE-2020-12269 RESERVED @@ -1146,20 +1160,19 @@ CVE-2020-12116 RESERVED CVE-2020-12115 RESERVED -CVE-2020-12114 [fs/namespace.c: fix mountpoint reference counter race] - RESERVED +CVE-2020-12114 (A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4. ...) - linux 5.3.7-1 NOTE: https://www.openwall.com/lists/oss-security/2020/05/04/2 CVE-2020-12113 (BigBlueButton before 2.2.4 allows XSS via closed captions because dang ...) NOT-FOR-US: BigBlueButton CVE-2020-12112 (BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive ...) NOT-FOR-US: BigBlueButton -CVE-2020-12111 - RESERVED -CVE-2020-12110 - RESERVED -CVE-2020-12109 - RESERVED +CVE-2020-12111 (Certain TP-Link devices allow Command Injection. This affects NC260 1. ...) + TODO: check +CVE-2020-12110 (Certain TP-Link devices have a Hardcoded Encryption Key. This affects ...) + TODO: check +CVE-2020-12109 (Certain TP-Link devices allow Command Injection. This affects NC200 2. ...) + TODO: check CVE-2020-12108 RESERVED CVE-2020-12107 @@ -2005,14 +2018,14 @@ CVE-2017-18776 (Certain NETGEAR devices are affected by authentication bypass. T NOT-FOR-US: Netgear CVE-2017-18775 (Certain NETGEAR devices are affected by CSRF. This affects R6100 befor ...) NOT-FOR-US: Netgear -CVE-2017-18774 - RESERVED +CVE-2017-18774 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) + TODO: check CVE-2017-18773 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear CVE-2017-18772 (Certain NETGEAR devices are affected by authentication bypass. This af ...) NOT-FOR-US: Netgear -CVE-2017-18771 - RESERVED +CVE-2017-18771 (Certain NETGEAR devices are affected by stored XSS. This affects R9000 ...) + TODO: check CVE-2017-18770 (Certain NETGEAR devices are affected by a buffer overflow by an authen ...) NOT-FOR-US: Netgear CVE-2017-18769 (Certain NETGEAR devices are affected by an attacker's ability to read ...) @@ -2033,8 +2046,8 @@ CVE-2017-18762 (Certain NETGEAR devices are affected by command injection by an NOT-FOR-US: Netgear CVE-2017-18761 (NETGEAR R8000 devices before 1.0.4.2 are affected by a stack-based buf ...) NOT-FOR-US: Netgear -CVE-2017-18760 - RESERVED +CVE-2017-18760 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) + TODO: check CVE-2017-18759 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) NOT-FOR-US: Netgear CVE-2017-18758 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) @@ -2047,8 +2060,8 @@ CVE-2017-18755 (Certain NETGEAR devices are affected by CSRF. This affects R6300 NOT-FOR-US: Netgear CVE-2017-18754 (Certain NETGEAR devices are affected by command injection by an authen ...) NOT-FOR-US: Netgear -CVE-2017-18753 - RESERVED +CVE-2017-18753 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...) + TODO: check CVE-2017-18752 (Certain NETGEAR devices are affected by an attacker's ability to read ...) NOT-FOR-US: Netgear CVE-2017-18751 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) @@ -2405,8 +2418,8 @@ CVE-2020-11844 RESERVED CVE-2020-11843 RESERVED -CVE-2020-11842 - RESERVED +CVE-2020-11842 (Information disclosure vulnerability in Micro Focus Verastream Host In ...) + TODO: check CVE-2020-11841 RESERVED CVE-2020-11840 @@ -3101,8 +3114,8 @@ CVE-2020-11673 (An issue was discovered in the Responsive Poll through 1.3.4 for NOT-FOR-US: Responsive Poll for WordPress CVE-2020-11672 RESERVED -CVE-2020-11671 - RESERVED +CVE-2020-11671 (Lack of authorization controls in REST API functions in TeamPass throu ...) + TODO: check CVE-2020-11670 RESERVED CVE-2020-11669 (An issue was discovered in the Linux kernel before 5.2 on the powerpc ...) @@ -3883,8 +3896,8 @@ CVE-2020-11464 (An issue was discovered in Deskpro before 2019.8.0. The /api/peo NOT-FOR-US: Deskpro CVE-2020-11463 (An issue was discovered in Deskpro before 2019.8.0. The /api/email_acc ...) NOT-FOR-US: Deskpro -CVE-2020-11462 - RESERVED +CVE-2020-11462 (An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8. ...) + TODO: check CVE-2020-11461 RESERVED CVE-2020-11460 @@ -3921,8 +3934,8 @@ CVE-2020-11445 (TP-Link cloud cameras through 2020-02-09 allow remote attackers NOT-FOR-US: TP-Link CVE-2020-11444 (Sonatype Nexus Repository Manager 3.x up to and including 3.21.2 has I ...) NOT-FOR-US: Sonatype Nexus Repository Manager -CVE-2020-11443 - RESERVED +CVE-2020-11443 (The MSI installer in Zoom before 4.6.10 on Windows follows Symbolic Li ...) + TODO: check CVE-2020-11442 RESERVED CVE-2020-11441 (** DISPUTED ** phpMyAdmin 5.0.2 allows CRLF injection, as demonstrated ...) @@ -5092,8 +5105,8 @@ CVE-2020-10935 (Zulip Server before 2.1.3 allows XSS via a Markdown link, with r - zulip-server <itp> (bug #800052) CVE-2020-10934 (Acyba AcyMailing before 6.9.2 mishandles file uploads by admins. ...) NOT-FOR-US: Acyba AcyMailing -CVE-2020-10933 - RESERVED +CVE-2020-10933 (An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6 ...) + TODO: check CVE-2020-10932 (An issue was discovered in Arm Mbed TLS before 2.16.6 and 2.7.x before ...) - mbedtls <unfixed> NOTE: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released @@ -5242,8 +5255,8 @@ CVE-2020-10878 RESERVED CVE-2020-10877 RESERVED -CVE-2020-10876 - RESERVED +CVE-2020-10876 (The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlo ...) + TODO: check CVE-2020-10875 (Motorola FX9500 devices allow remote attackers to conduct absolute pat ...) NOT-FOR-US: Motorola devices CVE-2020-10874 (Motorola FX9500 devices allow remote attackers to read database files. ...) @@ -6152,16 +6165,16 @@ CVE-2020-10624 RESERVED CVE-2020-10623 (Multiple vulnerabilities could allow an attacker with low privileges t ...) NOT-FOR-US: WebAccess/NMS -CVE-2020-10622 - RESERVED +CVE-2020-10622 (LCDS LAquis SCADA Versions 4.3.1 and prior. The affected product is vu ...) + TODO: check CVE-2020-10621 (Multiple issues exist that allow files to be uploaded and executed on ...) NOT-FOR-US: WebAccess/NMS CVE-2020-10620 RESERVED CVE-2020-10619 (An attacker could use a specially crafted URL to delete files outside ...) NOT-FOR-US: WebAccess/NMS -CVE-2020-10618 - RESERVED +CVE-2020-10618 (LCDS LAquis SCADA Versions 4.3.1 and prior. The affected product is vu ...) + TODO: check CVE-2020-10617 (There are multiple ways an unauthenticated attacker could perform SQL ...) NOT-FOR-US: WebAccess/NMS CVE-2020-10616 @@ -7102,8 +7115,8 @@ CVE-2019-20503 (usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_a NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-08/#CVE-2019-20503 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1992 NOTE: https://github.com/sctplab/usrsctp/commit/790a7a2555aefb392a5a69923f1e9d17b4968467 -CVE-2020-10187 - RESERVED +CVE-2020-10187 (Doorkeeper version 5.0.0 and later contains an information disclosure ...) + TODO: check CVE-2020-10186 RESERVED CVE-2020-10185 (The sync endpoint in YubiKey Validation Server before 2.40 allows remo ...) @@ -10057,8 +10070,8 @@ CVE-2020-8898 RESERVED CVE-2020-8897 RESERVED -CVE-2020-8896 - RESERVED +CVE-2020-8896 (A Buffer Overflow vulnerability in the khcrypt implementation in Googl ...) + TODO: check CVE-2020-8895 (A vulnerability in the windows installer of Google Earth Pro versions ...) NOT-FOR-US: windows installer of Google Earth Pro CVE-2020-8894 (An issue was discovered in MISP before 2.4.121. ACLs for discussion th ...) @@ -10347,12 +10360,12 @@ CVE-2020-8793 (OpenSMTPD before 6.6.4 allows local users to read arbitrary files NOTE: https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/021_smtpd_envelope.patch.sig NOTE: https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/ NOTE: Neutralised by kernel hardening -CVE-2020-8792 - RESERVED -CVE-2020-8791 - RESERVED -CVE-2020-8790 - RESERVED +CVE-2020-8792 (The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlo ...) + TODO: check +CVE-2020-8791 (The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlo ...) + TODO: check +CVE-2020-8790 (The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlo ...) + TODO: check CVE-2020-8789 RESERVED CVE-2020-8788 (Synaptive Medical ClearCanvas ImageServer 3.0 Alpha allows XSS (and HT ...) @@ -12058,8 +12071,8 @@ CVE-2020-8020 RESERVED CVE-2020-8019 RESERVED -CVE-2020-8018 - RESERVED +CVE-2020-8018 (A Incorrect Default Permissions vulnerability in the SLES15-SP1-CHOST- ...) + TODO: check CVE-2020-8017 (A Race Condition Enabling Link Following vulnerability in the cron job ...) NOT-FOR-US: SuSE packaging of TexLive CVE-2020-8016 (A Race Condition Enabling Link Following vulnerability in the packagin ...) @@ -18335,8 +18348,8 @@ CVE-2020-5345 RESERVED CVE-2020-5344 (Dell EMC iDRAC7, iDRAC8 and iDRAC9 versions prior to 2.65.65.65, 2.70. ...) NOT-FOR-US: EMC -CVE-2020-5343 - RESERVED +CVE-2020-5343 (Dell Client platforms restored using a Dell OS recovery image download ...) + TODO: check CVE-2020-5342 (Dell Digital Delivery versions prior to 3.5.2015 contain an incorrect ...) NOT-FOR-US: Dell CVE-2020-5341 @@ -18347,20 +18360,20 @@ CVE-2020-5339 (RSA Authentication Manager versions prior to 8.4 P10 contain a st NOT-FOR-US: RSA Authentication Manager CVE-2020-5338 RESERVED -CVE-2020-5337 - RESERVED -CVE-2020-5336 - RESERVED -CVE-2020-5335 - RESERVED -CVE-2020-5334 - RESERVED -CVE-2020-5333 - RESERVED -CVE-2020-5332 - RESERVED -CVE-2020-5331 - RESERVED +CVE-2020-5337 (RSA Archer, versions prior to 6.7 P1 (6.7.0.1), contain a URL redirect ...) + TODO: check +CVE-2020-5336 (RSA Archer, versions prior to 6.7 P1 (6.7.0.1), contain a URL injectio ...) + TODO: check +CVE-2020-5335 (RSA Archer, versions prior to 6.7 P2 (6.7.0.2), contain a cross-site r ...) + TODO: check +CVE-2020-5334 (RSA Archer, versions prior to 6.7 P2 (6.7.0.2), contains a Document Ob ...) + TODO: check +CVE-2020-5333 (RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain an authorizati ...) + TODO: check +CVE-2020-5332 (RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain a command inje ...) + TODO: check +CVE-2020-5331 (RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain an information ...) + TODO: check CVE-2020-5330 (Dell EMC Networking X-Series firmware versions 3.0.1.2 and older, Dell ...) NOT-FOR-US: EMC CVE-2020-5329 @@ -21186,8 +21199,8 @@ CVE-2020-4211 (IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote NOT-FOR-US: IBM CVE-2020-4210 (IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attac ...) NOT-FOR-US: IBM -CVE-2020-4209 - RESERVED +CVE-2020-4209 (IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote a ...) + TODO: check CVE-2020-4208 (IBM Spectrum Protect Plus 10.1.0 through 10.1.5 contains hard-coded cr ...) NOT-FOR-US: IBM CVE-2020-4207 (IBM Watson IoT Message Gateway 2.0.0.x, 5.0.0.0, 5.0.0.1, and 5.0.0.2 ...) @@ -27753,13 +27766,11 @@ CVE-2020-1963 RESERVED CVE-2020-1962 RESERVED -CVE-2020-1961 - RESERVED +CVE-2020-1961 (Vulnerability to Server-Side Template Injection on Mail templates for ...) NOT-FOR-US: Apache Syncope CVE-2020-1960 RESERVED -CVE-2020-1959 - RESERVED +CVE-2020-1959 (A Server-Side Template Injection was identified in Apache Syncope prio ...) NOT-FOR-US: Apache Syncope CVE-2020-1958 (When LDAP authentication is enabled in Apache Druid 0.17.0, callers of ...) - druid <itp> (bug #825797) @@ -28758,8 +28769,7 @@ CVE-2020-1733 (A race condition flaw was found in Ansible Engine 2.7.17 and prio NOTE: https://github.com/ansible/ansible/issues/67791 NOTE: https://github.com/ansible/ansible/pull/68921 NOTE: https://github.com/ansible/ansible/commit/8077d8e40148fe77e2393caa5f2b2ea855149d63 -CVE-2020-1732 - RESERVED +CVE-2020-1732 (A flaw was found in Soteria before 1.0.1, in a way that multiple reque ...) - wildfly <itp> (bug #752018) CVE-2020-1731 (A flaw was found in all versions of the Keycloak operator, before vers ...) NOT-FOR-US: Keycloak @@ -30665,8 +30675,8 @@ CVE-2020-1633 (Due to a new NDP proxy feature for EVPN leaf nodes introduced in NOT-FOR-US: Juniper CVE-2020-1632 (In a certain condition, receipt of a specific BGP UPDATE message might ...) NOT-FOR-US: Juniper -CVE-2020-1631 - RESERVED +CVE-2020-1631 (A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentic ...) + TODO: check CVE-2020-1630 (A privilege escalation vulnerability in Juniper Networks Junos OS devi ...) NOT-FOR-US: Juniper CVE-2020-1629 (A race condition vulnerability on Juniper Network Junos OS devices may ...) @@ -36796,8 +36806,8 @@ CVE-2019-17558 (Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remot NOTE: https://issues.apache.org/jira/browse/SOLR-13971 NOTE: https://issues.apache.org/jira/browse/SOLR-14025 TODO: check, whilst the advisory claims 5.0.0 upwards only the SolrParamResourceLoader might be of issue already earlier? -CVE-2019-17557 - RESERVED +CVE-2019-17557 (It was found that the Apache Syncope EndUser UI login page prio to 2.0 ...) + TODO: check CVE-2019-17556 (Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService clas ...) NOT-FOR-US: Olingo CVE-2019-17555 (The AsyncResponseWrapperImpl class in Apache Olingo versions 4.0.0 to ...) @@ -51073,8 +51083,8 @@ CVE-2019-13287 (In Xpdf 4.01.01, there is an out-of-bounds read vulnerability in - xpdf <not-affected> (xpdf in Debian uses poppler, which is fixed) CVE-2019-13286 (In Xpdf 4.01.01, there is a heap-based buffer over-read in the functio ...) - xpdf <not-affected> (xpdf in Debian uses poppler, which is fixed) -CVE-2019-13285 - RESERVED +CVE-2019-13285 (CoSoSys Endpoint Protector 5.1.0.2 allows Host Header Injection. ...) + TODO: check CVE-2019-13284 RESERVED CVE-2019-13283 (In Xpdf 4.01.01, a heap-based buffer over-read could be triggered in s ...) @@ -52286,8 +52296,8 @@ CVE-2012-6711 (A heap-based buffer overflow exists in GNU Bash before 4.3 when w - bash 4.3-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1721071 NOTE: https://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=863d31ae775d56b785dc5b0105b6d251515d81d5 (bash-4.3-alpha) -CVE-2019-12864 - RESERVED +CVE-2019-12864 (SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4) is vuln ...) + TODO: check CVE-2019-12863 (SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4) allows ...) NOT-FOR-US: SolarWinds CVE-2019-12862 @@ -54993,8 +55003,8 @@ CVE-2019-11825 (Cross-site scripting (XSS) vulnerability in Event Editor in Syno NOT-FOR-US: Synology CVE-2019-11824 RESERVED -CVE-2019-11823 - RESERVED +CVE-2019-11823 (CRLF injection vulnerability in Network Center in Synology Router Mana ...) + TODO: check CVE-2019-11822 (Relative path traversal vulnerability in SYNO.PhotoStation.File in Syn ...) NOT-FOR-US: Synology CVE-2019-11821 (SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Pho ...) @@ -120532,7 +120542,8 @@ CVE-2018-7576 (Google TensorFlow 1.6.x and earlier is affected by: Null Pointer - tensorflow <itp> (bug #804612) CVE-2018-7575 (Google TensorFlow 1.7.x and earlier is affected by a Buffer Overflow v ...) - tensorflow <itp> (bug #804612) -CVE-2018-7574 (Google TensorFlow 1.6.x and earlier is affected by a Null Pointer Dere ...) +CVE-2018-7574 + REJECTED - tensorflow <itp> (bug #804612) CVE-2018-7573 (An issue was discovered in FTPShell Client 6.7. A remote FTP server ca ...) NOT-FOR-US: FTPShell Client View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53e2cfedac6b65f43f91ee7ec9480821cc5d0516 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53e2cfedac6b65f43f91ee7ec9480821cc5d0516 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits