Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: c178fdf0 by security tracker role at 2020-05-07T08:10:15+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -1,12 +1,52 @@ -CVE-2020-12692 [Keystone doesn't check signature TTL of the EC2 credential auth method] +CVE-2020-12696 (The iframe plugin before 4.5 for WordPress does not sanitize a URL. ...) + TODO: check +CVE-2020-12695 + RESERVED +CVE-2020-12694 + RESERVED +CVE-2020-12693 + RESERVED +CVE-2020-12688 + RESERVED +CVE-2020-12687 + RESERVED +CVE-2020-12686 + RESERVED +CVE-2020-12685 + RESERVED +CVE-2020-12684 + RESERVED +CVE-2020-12683 + RESERVED +CVE-2020-12682 + RESERVED +CVE-2020-12681 + RESERVED +CVE-2020-12680 + RESERVED +CVE-2020-12679 + RESERVED +CVE-2020-12678 + REJECTED + TODO: check +CVE-2020-12677 + RESERVED +CVE-2020-12676 + RESERVED +CVE-2020-12675 + RESERVED +CVE-2020-12692 (An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0. ...) + {DSA-4679-1} - keystone <unfixed> NOTE: https://bugs.launchpad.net/keystone/+bug/1872737 NOTE: https://www.openwall.com/lists/oss-security/2020/05/06/4 -CVE-2020-12691 [Keystone V3 /credentials endpoint policy logic allows to change credentials owner or target project ID] +CVE-2020-12691 (An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0. ...) + {DSA-4679-1} - keystone <unfixed> NOTE: https://bugs.launchpad.net/keystone/+bug/1872733 NOTE: https://www.openwall.com/lists/oss-security/2020/05/06/5 -CVE-2020-12690 +CVE-2020-12690 (An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0. ...) + {DSA-4679-1} - keystone <unfixed> NOTE: https://bugs.launchpad.net/keystone/+bug/1873290 NOTE: https://www.openwall.com/lists/oss-security/2020/05/06/6 
@@ -14,7 +54,8 @@ CVE-2020-12674 RESERVED CVE-2020-12673 RESERVED -CVE-2020-12689 [OSSA-2020-004: EC2 and credential endpoints are not protected from a scoped context] +CVE-2020-12689 (An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0. ...) + {DSA-4679-1} - keystone <unfixed> (bug #959900) NOTE: https://bugs.launchpad.net/keystone/+bug/1872735 NOTE: https://www.openwall.com/lists/oss-security/2020/05/06/5 @@ -633,6 +674,7 @@ CVE-2020-12396 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-16/#CVE-2020-12396 CVE-2020-12395 RESERVED + {DSA-4678-1} - firefox 76.0-1 - firefox-esr 68.8.0esr-1 - thunderbird 1:68.8.0-1 @@ -653,6 +695,7 @@ CVE-2020-12393 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-18/#CVE-2020-12393 CVE-2020-12392 RESERVED + {DSA-4678-1} - firefox 76.0-1 - firefox-esr 68.8.0esr-1 - thunderbird 1:68.8.0-1 @@ -681,6 +724,7 @@ CVE-2020-12388 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-17/#CVE-2020-12388 CVE-2020-12387 RESERVED + {DSA-4678-1} - firefox 76.0-1 - firefox-esr 68.8.0esr-1 - thunderbird 1:68.8.0-1 @@ -15036,6 +15080,7 @@ CVE-2019-20377 (TopList before 2019-09-03 allows XSS via a title. ...) NOT-FOR-US: TopList CVE-2020-6831 RESERVED + {DSA-4678-1} - firefox 76.0-1 - firefox-esr 68.8.0esr-1 - chromium <unfixed> @@ -28013,7 +28058,7 @@ CVE-2020-1940 (The optional initial password change and password expiration feat CVE-2020-1939 RESERVED CVE-2020-1938 (When using the Apache JServ Protocol (AJP), care must be taken when tr ...) - {DSA-4673-1 DLA-2133-1} + {DSA-4680-1 DSA-4673-1 DLA-2133-1} - tomcat9 9.0.31-1 (bug #952437) - tomcat8 <removed> (bug #952438) [jessie] - tomcat8 <no-dsa> (backport is intrusive because of API changes) 
@@ -28040,7 +28085,7 @@ CVE-2020-1937 (Kylin has some restful apis which will concatenate SQLs with the CVE-2020-1936 RESERVED CVE-2020-1935 (In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0. ...) - {DSA-4673-1 DLA-2133-1} + {DSA-4680-1 DSA-4673-1 DLA-2133-1} - tomcat9 9.0.31-1 - tomcat8 <removed> [jessie] - tomcat8 <no-dsa> (backport is too intrusive) @@ -36970,7 +37015,7 @@ CVE-2019-17570 (An untrusted deserialization was found in the org.apache.xmlrpc. NOTE: Proposed patch: https://bugzilla.redhat.com/show_bug.cgi?id=1775193 NOTE: https://github.com/orangecertcc/xmlrpc-common-deserialization CVE-2019-17569 (The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8 ...) - {DSA-4673-1 DLA-2133-1} + {DSA-4680-1 DSA-4673-1 DLA-2133-1} - tomcat9 9.0.31-1 - tomcat8 <removed> [jessie] - tomcat8 <not-affected> (vulnerable code introduced in later version) @@ -36992,7 +37037,7 @@ CVE-2019-17565 (There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3 CVE-2019-17564 (Unsafe deserialization occurs within a Dubbo application which has HTT ...) NOT-FOR-US: Dubbo CVE-2019-17563 (When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, ...) - {DSA-4596-1 DLA-2077-1} + {DSA-4680-1 DSA-4596-1 DLA-2077-1} - tomcat9 9.0.31-1 - tomcat8 <removed> [jessie] - tomcat8 <no-dsa> (low risk, backport is intrusive) @@ -53722,7 +53767,7 @@ CVE-2019-12420 (In Apache SpamAssassin before 3.4.3, a message can be crafted in CVE-2019-12419 (Apache CXF before 3.3.4 and 3.2.11 provides all of the components that ...) NOT-FOR-US: Apache CFX CVE-2019-12418 (When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0. ...) - {DSA-4596-1 DLA-2155-1 DLA-2077-1} + {DSA-4680-1 DSA-4596-1 DLA-2155-1 DLA-2077-1} - tomcat9 9.0.31-1 - tomcat8 <removed> - tomcat7 <removed> 
@@ -60373,6 +60418,7 @@ CVE-2019-10074 (An RCE is possible by entering Freemarker markup in an Apache OF CVE-2019-10073 (The "Blog", "Forum", "Contact Us" screens of the template "ecommerce" ...) NOT-FOR-US: Apache OFBiz CVE-2019-10072 (The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 co ...) + {DSA-4680-1} - tomcat9 9.0.22-1 (bug #931131; bug #930872) - tomcat8 <removed> (bug #30873) [stretch] - tomcat8 <not-affected> (Incomplete fix for CVE-2019-0199 not applied) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c178fdf02a7bb8044f40e9efb51ff44f52c72bd4
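Review bot: in the first hunk the three Keystone entries (CVE-2020-12692, CVE-2020-12691, CVE-2020-12690) gain `{DSA-4679-1}` while the package line under each still reads `- keystone <unfixed>`; every other DSA-referenced entry touched by this change (the firefox and tomcat9 lines) records a fixed version next to the DSA, so `<unfixed>` here stands out and should be confirmed as intentional (stable fixed through the DSA, unstable still open) or replaced with the fixed unstable version once known. The same hunk also leaves two triage items: CVE-2020-12696 (iframe plugin for WordPress, `TODO: check`) looks like a candidate for the `NOT-FOR-US:` marking this file uses for TopList and Dubbo, and CVE-2020-12678 carries both `REJECTED` and `TODO: check`, which should be resolved to one or the other.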
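Review bot: CVE-2020-12689 in the second hunk has the same `{DSA-4679-1}` plus `- keystone <unfixed>` combination as the three Keystone entries in the first hunk, so the same fixed-version question applies there. In addition, its `NOTE:` line points at `https://www.openwall.com/lists/oss-security/2020/05/06/5`, the same oss-security post cited for CVE-2020-12691, whereas CVE-2020-12692 and CVE-2020-12690 each reference their own post (`/4` and `/6`); confirm that post really covers both CVE-2020-12689 and CVE-2020-12691 rather than the link having been copied from the neighbouring entry.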
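Review bot: in the last hunk (CVE-2019-10072) the context line `- tomcat8 <removed> (bug #30873)` carries a five-digit bug number beside the six-digit `#931131` and `#930872` on the tomcat9 line directly above it, which looks like a dropped leading digit. This is pre-existing rather than part of the `{DSA-4680-1}` addition, but since the entry is being touched it is worth checking the number against the BTS and correcting it in the same commit.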