Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c178fdf0 by security tracker role at 2020-05-07T08:10:15+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,12 +1,52 @@
-CVE-2020-12692 [Keystone doesn't check signature TTL of the EC2 credential 
auth method]
+CVE-2020-12696 (The iframe plugin before 4.5 for WordPress does not sanitize a 
URL. ...)
+       TODO: check
+CVE-2020-12695
+       RESERVED
+CVE-2020-12694
+       RESERVED
+CVE-2020-12693
+       RESERVED
+CVE-2020-12688
+       RESERVED
+CVE-2020-12687
+       RESERVED
+CVE-2020-12686
+       RESERVED
+CVE-2020-12685
+       RESERVED
+CVE-2020-12684
+       RESERVED
+CVE-2020-12683
+       RESERVED
+CVE-2020-12682
+       RESERVED
+CVE-2020-12681
+       RESERVED
+CVE-2020-12680
+       RESERVED
+CVE-2020-12679
+       RESERVED
+CVE-2020-12678
+       REJECTED
+       TODO: check
+CVE-2020-12677
+       RESERVED
+CVE-2020-12676
+       RESERVED
+CVE-2020-12675
+       RESERVED
+CVE-2020-12692 (An issue was discovered in OpenStack Keystone before 15.0.1, 
and 16.0. ...)
+       {DSA-4679-1}
        - keystone <unfixed>
        NOTE: https://bugs.launchpad.net/keystone/+bug/1872737
        NOTE: https://www.openwall.com/lists/oss-security/2020/05/06/4
-CVE-2020-12691 [Keystone V3 /credentials endpoint policy logic allows to 
change credentials owner or target project ID]
+CVE-2020-12691 (An issue was discovered in OpenStack Keystone before 15.0.1, 
and 16.0. ...)
+       {DSA-4679-1}
        - keystone <unfixed>
        NOTE: https://bugs.launchpad.net/keystone/+bug/1872733
        NOTE: https://www.openwall.com/lists/oss-security/2020/05/06/5
-CVE-2020-12690
+CVE-2020-12690 (An issue was discovered in OpenStack Keystone before 15.0.1, 
and 16.0. ...)
+       {DSA-4679-1}
        - keystone <unfixed>
        NOTE: https://bugs.launchpad.net/keystone/+bug/1873290
        NOTE: https://www.openwall.com/lists/oss-security/2020/05/06/6
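Review bot: CVE-2020-12678 is marked REJECTED yet still carries a "TODO: check" line; a rejected CVE needs no further triage, so that TODO can be dropped once the rejection is confirmed, whereas the "TODO: check" on CVE-2020-12696 (WordPress iframe plugin) still needs an actual triage decision (NOT-FOR-US if the plugin is not packaged, the way TopList is handled later in this file). Separately, the three Keystone entries CVE-2020-12692, CVE-2020-12691 and CVE-2020-12690 gain {DSA-4679-1} but keep "- keystone <unfixed>" with no bug reference, while CVE-2020-12689 in the next hunk carries "(bug #959900)"; the same or a dedicated bug should be referenced here and the unstable version filled in once the 15.0.1/16.0 fix is uploaded. Note also that replacing the bracketed local descriptions with the truncated MITRE text leaves the three entries textually identical, so the launchpad NOTE links are now the only thing distinguishing them.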
@@ -14,7 +54,8 @@ CVE-2020-12674
        RESERVED
 CVE-2020-12673
        RESERVED
-CVE-2020-12689 [OSSA-2020-004: EC2 and credential endpoints are not protected 
from a scoped context]
+CVE-2020-12689 (An issue was discovered in OpenStack Keystone before 15.0.1, 
and 16.0. ...)
+       {DSA-4679-1}
        - keystone <unfixed> (bug #959900)
        NOTE: https://bugs.launchpad.net/keystone/+bug/1872735
        NOTE: https://www.openwall.com/lists/oss-security/2020/05/06/5
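Review bot: the oss-security NOTE for CVE-2020-12689 points at https://www.openwall.com/lists/oss-security/2020/05/06/5, the same post already referenced by CVE-2020-12691 in the previous hunk, while CVE-2020-12692 and CVE-2020-12690 each reference their own post (/4 and /6). Confirm that this post really covers both CVEs (the removed bracket text named OSSA-2020-004, which may bundle them) rather than being a copy/paste slip.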
@@ -633,6 +674,7 @@ CVE-2020-12396
        NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-16/#CVE-2020-12396
 CVE-2020-12395
        RESERVED
+       {DSA-4678-1}
        - firefox 76.0-1
        - firefox-esr 68.8.0esr-1
        - thunderbird 1:68.8.0-1
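Review bot: {DSA-4678-1} is added to CVE-2020-12395 while the entry is still RESERVED, so there is no description or NOTE link tying the DSA to a concrete issue; the same holds for CVE-2020-12392 and CVE-2020-12387 in the following hunks. Acceptable for an automatic update, but these entries should pick up the MFSA reference the way CVE-2020-12396 and CVE-2020-12393 already have, so the fixed versions firefox 76.0-1, firefox-esr 68.8.0esr-1 and thunderbird 1:68.8.0-1 can be checked against the advisory.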
@@ -653,6 +695,7 @@ CVE-2020-12393
        NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-18/#CVE-2020-12393
 CVE-2020-12392
        RESERVED
+       {DSA-4678-1}
        - firefox 76.0-1
        - firefox-esr 68.8.0esr-1
        - thunderbird 1:68.8.0-1
@@ -681,6 +724,7 @@ CVE-2020-12388
        NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2020-17/#CVE-2020-12388
 CVE-2020-12387
        RESERVED
+       {DSA-4678-1}
        - firefox 76.0-1
        - firefox-esr 68.8.0esr-1
        - thunderbird 1:68.8.0-1
@@ -15036,6 +15080,7 @@ CVE-2019-20377 (TopList before 2019-09-03 allows XSS 
via a title. ...)
        NOT-FOR-US: TopList
 CVE-2020-6831
        RESERVED
+       {DSA-4678-1}
        - firefox 76.0-1
        - firefox-esr 68.8.0esr-1
        - chromium <unfixed>
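Review bot: CVE-2020-6831 gains {DSA-4678-1}, but the entry also lists "- chromium <unfixed>", and a Firefox DSA does not cover that package; the chromium line remains open and needs its own advisory or a fixed version, so the DSA reference must not be read as closing this entry.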
@@ -28013,7 +28058,7 @@ CVE-2020-1940 (The optional initial password change and 
password expiration feat
 CVE-2020-1939
        RESERVED
 CVE-2020-1938 (When using the Apache JServ Protocol (AJP), care must be taken 
when tr ...)
-       {DSA-4673-1 DLA-2133-1}
+       {DSA-4680-1 DSA-4673-1 DLA-2133-1}
        - tomcat9 9.0.31-1 (bug #952437)
        - tomcat8 <removed> (bug #952438)
        [jessie] - tomcat8 <no-dsa> (backport is intrusive because of API 
changes)
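Review bot: the DSA list for CVE-2020-1938 now reads {DSA-4680-1 DSA-4673-1 DLA-2133-1}, yet the jessie line below still says "[jessie] - tomcat8 <no-dsa> (backport is intrusive because of API changes)"; confirm that DLA-2133-1 covers a different jessie package (tomcat7, which appears as a separate package in the CVE-2019-12418 hunk) so the two lines do not contradict each other. The same combination recurs in the CVE-2020-1935 and CVE-2019-17569 hunks.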
@@ -28040,7 +28085,7 @@ CVE-2020-1937 (Kylin has some restful apis which will 
concatenate SQLs with the
 CVE-2020-1936
        RESERVED
 CVE-2020-1935 (In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 
to 7.0. ...)
-       {DSA-4673-1 DLA-2133-1}
+       {DSA-4680-1 DSA-4673-1 DLA-2133-1}
        - tomcat9 9.0.31-1
        - tomcat8 <removed>
        [jessie] - tomcat8 <no-dsa> (backport is too intrusive)
@@ -36970,7 +37015,7 @@ CVE-2019-17570 (An untrusted deserialization was found 
in the org.apache.xmlrpc.
        NOTE: Proposed patch: 
https://bugzilla.redhat.com/show_bug.cgi?id=1775193
        NOTE: https://github.com/orangecertcc/xmlrpc-common-deserialization
 CVE-2019-17569 (The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 
8.5.48 to 8 ...)
-       {DSA-4673-1 DLA-2133-1}
+       {DSA-4680-1 DSA-4673-1 DLA-2133-1}
        - tomcat9 9.0.31-1
        - tomcat8 <removed>
        [jessie] - tomcat8 <not-affected> (vulnerable code introduced in later 
version)
@@ -36992,7 +37037,7 @@ CVE-2019-17565 (There is a vulnerability in Apache 
Traffic Server 6.0.0 to 6.2.3
 CVE-2019-17564 (Unsafe deserialization occurs within a Dubbo application which 
has HTT ...)
        NOT-FOR-US: Dubbo
 CVE-2019-17563 (When using FORM authentication with Apache Tomcat 9.0.0.M1 to 
9.0.29,  ...)
-       {DSA-4596-1 DLA-2077-1}
+       {DSA-4680-1 DSA-4596-1 DLA-2077-1}
        - tomcat9 9.0.31-1
        - tomcat8 <removed>
        [jessie] - tomcat8 <no-dsa> (low risk, backport is intrusive)
@@ -53722,7 +53767,7 @@ CVE-2019-12420 (In Apache SpamAssassin before 3.4.3, a 
message can be crafted in
 CVE-2019-12419 (Apache CXF before 3.3.4 and 3.2.11 provides all of the 
components that ...)
        NOT-FOR-US: Apache CFX
 CVE-2019-12418 (When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 
and 7.0. ...)
-       {DSA-4596-1 DLA-2155-1 DLA-2077-1}
+       {DSA-4680-1 DSA-4596-1 DLA-2155-1 DLA-2077-1}
        - tomcat9 9.0.31-1
        - tomcat8 <removed>
        - tomcat7 <removed>
@@ -60373,6 +60418,7 @@ CVE-2019-10074 (An RCE is possible by entering 
Freemarker markup in an Apache OF
 CVE-2019-10073 (The "Blog", "Forum", "Contact Us" screens of the template 
"ecommerce"  ...)
        NOT-FOR-US: Apache OFBiz
 CVE-2019-10072 (The fix for CVE-2019-0199 was incomplete and did not address 
HTTP/2 co ...)
+       {DSA-4680-1}
        - tomcat9 9.0.22-1 (bug #931131; bug #930872)
        - tomcat8 <removed> (bug #30873)
        [stretch] - tomcat8 <not-affected> (Incomplete fix for CVE-2019-0199 
not applied)
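Review bot: the tomcat8 line under CVE-2019-10072 reads "(bug #30873)", a five-digit number sitting next to the six-digit "bug #931131; bug #930872" on the tomcat9 line; this looks like a dropped leading digit. Verify the reference against the BTS and correct it while {DSA-4680-1} is being added to this entry.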



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c178fdf02a7bb8044f40e9efb51ff44f52c72bd4



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
