Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: a0e57058 by security tracker role at 2020-07-29T20:10:20+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -1,3 +1,33 @@ +CVE-2020-16131 + RESERVED +CVE-2020-16130 + RESERVED +CVE-2020-16129 + RESERVED +CVE-2020-16128 + RESERVED +CVE-2020-16127 + RESERVED +CVE-2020-16126 + RESERVED +CVE-2020-16125 + RESERVED +CVE-2020-16124 + RESERVED +CVE-2020-16123 + RESERVED +CVE-2020-16122 + RESERVED +CVE-2020-16121 + RESERVED +CVE-2020-16120 + RESERVED +CVE-2020-16119 + RESERVED +CVE-2020-16118 (In GNOME Balsa before 2.6.0, a malicious server operator or man in the ...) + TODO: check +CVE-2020-16117 (In GNOME evolution-data-server before 3.35.91, a malicious server can ...) + TODO: check CVE-2020-16116 RESERVED CVE-2020-16115 @@ -40,8 +70,8 @@ CVE-2020-16097 RESERVED CVE-2020-16096 RESERVED -CVE-2020-16095 - RESERVED +CVE-2020-16095 (The dlf (aka Kitodo.Presentation) extension before 3.1.2 for TYPO3 all ...) + TODO: check CVE-2020-16094 (In imap_scan_tree_recursive in Claws Mail through 3.17.6, a malicious ...) - claws-mail <unfixed> NOTE: https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4313 @@ -918,20 +948,19 @@ CVE-2020-15709 RESERVED CVE-2020-15708 RESERVED -CVE-2020-15707 - RESERVED +CVE-2020-15707 (Integer overflows were discovered in the functions grub_cmd_initrd and ...) + {DSA-4735-1} - grub2 2.04-9 [stretch] - grub2 <ignored> (No SecureBoot support in stretch) NOTE: https://www.openwall.com/lists/oss-security/2020/07/29/3 NOTE: https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=e7b8856f8be3292afdb38d2e8c70ad8d62a61e10 -CVE-2020-15706 - RESERVED +CVE-2020-15706 (GRUB2 contains a race condition in grub_script_function_create() leadi ...) + {DSA-4735-1} - grub2 2.04-9 [stretch] - grub2 <ignored> (No SecureBoot support in stretch) NOTE: https://www.openwall.com/lists/oss-security/2020/07/29/3 NOTE: https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=426f57383d647406ae9c628c472059c27cd6e040 -CVE-2020-15705 - RESERVED +CVE-2020-15705 (GRUB2 fails to validate kernel signature when booted directly without ...) - grub2 <unfixed> (unimportant) NOTE: Issue does not affect standard SB Debian setup. NOTE: https://www.openwall.com/lists/oss-security/2020/07/29/3 @@ -1046,6 +1075,7 @@ CVE-2020-15660 RESERVED CVE-2020-15659 RESERVED + {DSA-4736-1 DLA-2297-1} - firefox 79.0-1 - firefox-esr 68.11.0esr-1 - thunderbird <unfixed> @@ -1090,6 +1120,7 @@ CVE-2020-15653 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-33/#CVE-2020-15653 CVE-2020-15652 RESERVED + {DSA-4736-1 DLA-2297-1} - firefox 79.0-1 - firefox-esr 68.11.0esr-1 - thunderbird <unfixed> @@ -1257,8 +1288,8 @@ CVE-2020-15590 RESERVED CVE-2020-15589 RESERVED -CVE-2020-15588 - RESERVED +CVE-2020-15588 (An issue was discovered in the client side of Zoho ManageEngine Deskto ...) + TODO: check CVE-2020-15587 RESERVED CVE-2020-15586 (Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net ...) @@ -1482,7 +1513,7 @@ CVE-2020-15499 RESERVED CVE-2020-15498 RESERVED -CVE-2020-15497 (jcore/portal/ajaxPortal.jsp in Jalios JCMS 10.0.2 build-20200224104759 ...) +CVE-2020-15497 (** DISPUTED ** jcore/portal/ajaxPortal.jsp in Jalios JCMS 10.0.2 build ...) NOT-FOR-US: Jalios JCMS CVE-2020-15496 RESERVED @@ -2288,8 +2319,8 @@ CVE-2020-15127 RESERVED CVE-2020-15126 (In parser-server from version 3.5.0 and before 4.3.0, an authenticated ...) NOT-FOR-US: Node parser-server -CVE-2020-15125 - RESERVED +CVE-2020-15125 (In auth0 (npm package) versions before 2.27.1, a DenyList of specific ...) + TODO: check CVE-2020-15124 (In Goobi Viewer Core before version 4.8.3, a path traversal vulnerabil ...) NOT-FOR-US: Goobi Viewer Core CVE-2020-15123 (In codecov (npm package) before version 3.7.1 the upload method has a ...) @@ -2355,10 +2386,10 @@ CVE-2020-15101 (In freewvs before 0.1.1, a directory structure of more than 1000 NOT-FOR-US: freewvs CVE-2020-15100 (In freewvs before 0.1.1, a user could create a large file that freewvs ...) NOT-FOR-US: freewvs -CVE-2020-15099 - RESERVED -CVE-2020-15098 - RESERVED +CVE-2020-15099 (In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and ...) + TODO: check +CVE-2020-15098 (In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and ...) + TODO: check CVE-2020-15097 RESERVED CVE-2020-15096 (In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, the ...) @@ -2384,8 +2415,8 @@ CVE-2020-15088 RESERVED CVE-2020-15087 (In Presto before version 337, authenticated users can bypass authoriza ...) NOT-FOR-US: Presto query engine, different from src:presto -CVE-2020-15086 - RESERVED +CVE-2020-15086 (In TYPO3 installations with the "mediace" extension from version 7.6.2 ...) + TODO: check CVE-2020-15085 (In Saleor Storefront before version 2.10.3, request data used to authe ...) NOT-FOR-US: Saleor Storefront CVE-2020-15084 (In express-jwt (NPM package) up and including version 5.3.3, the algor ...) @@ -3681,22 +3712,22 @@ CVE-2020-14495 RESERVED CVE-2020-14494 (OpenClinic GA versions 5.09.02 and 5.89.05b contain an authentication ...) NOT-FOR-US: OpenClinic GA -CVE-2020-14493 - RESERVED -CVE-2020-14492 - RESERVED +CVE-2020-14493 (A low-privilege user may use SQL syntax to write arbitrary files to th ...) + TODO: check +CVE-2020-14492 (OpenClinic GA 5.09.02 and 5.89.05b does not properly neutralize user-c ...) + TODO: check CVE-2020-14491 (OpenClinic GA versions 5.09.02 and 5.89.05b do not properly check perm ...) NOT-FOR-US: OpenClinic GA -CVE-2020-14490 - RESERVED -CVE-2020-14489 - RESERVED -CVE-2020-14488 - RESERVED -CVE-2020-14487 - RESERVED -CVE-2020-14486 - RESERVED +CVE-2020-14490 (OpenClinic GA 5.09.02 and 5.89.05b includes arbitrary local files spec ...) + TODO: check +CVE-2020-14489 (OpenClinic GA 5.09.02 and 5.89.05b stores passwords using inadequate h ...) + TODO: check +CVE-2020-14488 (OpenClinic GA 5.09.02 and 5.89.05b does not properly verify uploaded f ...) + TODO: check +CVE-2020-14487 (OpenClinic GA 5.09.02 contains a hidden default user account that may ...) + TODO: check +CVE-2020-14486 (An attacker may bypass permission/authorization checks in OpenClinic G ...) + TODO: check CVE-2020-14485 (OpenClinic GA versions 5.09.02 and 5.89.05b may allow an attacker to b ...) NOT-FOR-US: OpenClinic GA CVE-2020-14484 (OpenClinic GA versions 5.09.02 and 5.89.05b may allow an attacker to b ...) @@ -4405,8 +4436,7 @@ CVE-2020-14318 CVE-2020-14317 RESERVED - wildfly <itp> (bug #752018) -CVE-2020-14316 - RESERVED +CVE-2020-14316 (A flaw was found in kubevirt 0.29 and earlier. Virtual Machine Instanc ...) NOT-FOR-US: KubeVirt CVE-2020-14315 RESERVED @@ -4428,24 +4458,27 @@ CVE-2020-14312 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1851342 CVE-2020-14311 RESERVED + {DSA-4735-1} - grub2 2.04-9 [stretch] - grub2 <ignored> (No SecureBoot support in stretch) NOTE: https://www.openwall.com/lists/oss-security/2020/07/29/3 NOTE: https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=3f05d693d1274965ffbe4ba99080dc2c570944c6 CVE-2020-14310 RESERVED + {DSA-4735-1} - grub2 2.04-9 [stretch] - grub2 <ignored> (No SecureBoot support in stretch) NOTE: https://www.openwall.com/lists/oss-security/2020/07/29/3 NOTE: https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=3f05d693d1274965ffbe4ba99080dc2c570944c6 CVE-2020-14309 RESERVED + {DSA-4735-1} - grub2 2.04-9 [stretch] - grub2 <ignored> (No SecureBoot support in stretch) NOTE: https://www.openwall.com/lists/oss-security/2020/07/29/3 NOTE: https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=3f05d693d1274965ffbe4ba99080dc2c570944c6 -CVE-2020-14308 - RESERVED +CVE-2020-14308 (In grub2 versions before 2.06 the grub memory allocator doesn't check ...) + {DSA-4735-1} - grub2 2.04-9 [stretch] - grub2 <ignored> (No SecureBoot support in stretch) NOTE: https://www.openwall.com/lists/oss-security/2020/07/29/3 @@ -6082,8 +6115,8 @@ CVE-2020-13701 RESERVED CVE-2020-13700 (An issue was discovered in the acf-to-rest-api plugin through 3.1.0 fo ...) NOT-FOR-US: acf-to-rest-api plugin for WordPress -CVE-2020-13699 - RESERVED +CVE-2020-13699 (TeamViewer Desktop for Windows before 15.8.3 does not properly quote i ...) + TODO: check CVE-2020-13698 RESERVED CVE-2020-13697 @@ -10378,13 +10411,11 @@ CVE-2020-11935 NOTE: https://sourceforge.net/p/aufs/mailman/message/37048642/ NOTE: https://github.com/sfjro/aufs4-linux/commit/515a586eeef31e0717d5dea21e2c11a965340b3c NOTE: https://github.com/sfjro/aufs4-linux/commit/f10aea57d39d6cd311312e9e7746804f7059b5c8 -CVE-2020-11934 - RESERVED +CVE-2020-11934 (It was discovered that snapctl user-open allowed altering the $XDG_DAT ...) - snapd 2.45.2-1 [buster] - snapd <no-dsa> (Minor issue) NOTE: https://github.com/snapcore/snapd/commit/06342a31878f1cf99d56da5483e71b9af61f46ad -CVE-2020-11933 - RESERVED +CVE-2020-11933 (cloud-init as managed by snapd on Ubuntu Core 16 and Ubuntu Core 18 de ...) NOT-FOR-US: cloud-init in some Ubuntu images CVE-2020-11932 (It was discovered that the Subiquity installer for Ubuntu Server logge ...) NOT-FOR-US: Subiquity installer for Ubuntu @@ -15043,6 +15074,7 @@ CVE-2020-10714 NOT-FOR-US: WildFly Elytron CVE-2020-10713 RESERVED + {DSA-4735-1} - grub2 2.04-9 [stretch] - grub2 <ignored> (No SecureBoot support in stretch) NOTE: https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/ @@ -17521,14 +17553,14 @@ CVE-2020-9694 RESERVED CVE-2020-9693 RESERVED -CVE-2020-9692 - RESERVED -CVE-2020-9691 - RESERVED -CVE-2020-9690 - RESERVED -CVE-2020-9689 - RESERVED +CVE-2020-9692 (Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a ...) + TODO: check +CVE-2020-9691 (Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a ...) + TODO: check +CVE-2020-9690 (Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a ...) + TODO: check +CVE-2020-9689 (Magento versions 2.3.5-p1 and earlier, and 2.3.5-p1 and earlier have a ...) + TODO: check CVE-2020-9688 (Adobe Download Manager version 2.0.0.518 have a command injection vuln ...) NOT-FOR-US: Adobe CVE-2020-9687 (Adobe Photoshop versions Photoshop CC 2019, and Photoshop 2020 have an ...) @@ -20254,8 +20286,8 @@ CVE-2020-8555 (The Kubernetes kube-controller-manager in versions v1.0-1.14, ver NOTE: https://github.com/kubernetes/kubernetes/issues/91542 CVE-2020-8554 RESERVED -CVE-2020-8553 - RESERVED +CVE-2020-8553 (The Kubernetes ingress-nginx component prior to version 0.28.0 allows ...) + TODO: check CVE-2020-8552 (The Kubernetes API server component in versions prior to 1.15.9, 1.16. ...) - kubernetes 1.17.4-1 NOTE: https://github.com/kubernetes/kubernetes/issues/89378 @@ -22354,13 +22386,13 @@ CVE-2020-7700 RESERVED CVE-2020-7699 RESERVED -CVE-2020-7698 - RESERVED -CVE-2020-7697 - RESERVED +CVE-2020-7698 (This affects the package Gerapy from 0 and before 0.9.3. The input bei ...) + TODO: check +CVE-2020-7697 (This affects all versions of package mock2easy. a malicious user could ...) + TODO: check CVE-2020-7696 (This affects all versions of package react-native-fast-image. When an ...) TODO: check -CVE-2020-7695 (This affects all versions of package uvicorn. Uvicorn's implementation ...) +CVE-2020-7695 (Uvicorn before 0.11.7 is vulnerable to HTTP response splitting. CRLF s ...) TODO: check CVE-2020-7694 (This affects all versions of package uvicorn. The request logger provi ...) TODO: check @@ -25241,6 +25273,7 @@ CVE-2020-6515 (Use after free in tab strip in Google Chrome prior to 84.0.4147.8 - chromium <unfixed> [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2020-6514 (Inappropriate implementation in WebRTC in Google Chrome prior to 84.0. ...) + {DSA-4736-1 DLA-2297-1} [experimental] - chromium 84.0.4147.89-1 - chromium <unfixed> [stretch] - chromium <end-of-life> (see DSA 4562) @@ -25445,7 +25478,7 @@ CVE-2020-6464 (Type confusion in Blink in Google Chrome prior to 81.0.4044.138 a - chromium 83.0.4103.83-1 [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2020-6463 (Use after free in ANGLE in Google Chrome prior to 81.0.4044.122 allowe ...) - {DSA-4714-1} + {DSA-4736-1 DSA-4714-1 DLA-2297-1} - chromium 83.0.4103.83-1 [stretch] - chromium <end-of-life> (see DSA 4562) - firefox 79.0-1 @@ -27126,14 +27159,14 @@ CVE-2020-5765 (Nessus 8.10.0 and earlier were found to contain a Stored XSS vuln NOT-FOR-US: Nessus CVE-2020-5764 (MX Player Android App versions prior to v1.24.5, are vulnerable to a d ...) NOT-FOR-US: MX Player Android App -CVE-2020-5763 - RESERVED -CVE-2020-5762 - RESERVED -CVE-2020-5761 - RESERVED -CVE-2020-5760 - RESERVED +CVE-2020-5763 (Grandstream HT800 series firmware version 1.0.17.5 and below contain a ...) + TODO: check +CVE-2020-5762 (Grandstream HT800 series firmware version 1.0.17.5 and below is vulner ...) + TODO: check +CVE-2020-5761 (Grandstream HT800 series firmware version 1.0.17.5 and below is vulner ...) + TODO: check +CVE-2020-5760 (Grandstream HT800 series firmware version 1.0.17.5 and below is vulner ...) + TODO: check CVE-2020-5759 (Grandstream UCM6200 series firmware version 1.0.20.23 and below is vul ...) NOT-FOR-US: Grandstream CVE-2020-5758 (Grandstream UCM6200 series firmware version 1.0.20.23 and below is vul ...) @@ -30050,10 +30083,10 @@ CVE-2020-4647 RESERVED CVE-2020-4646 RESERVED -CVE-2020-4645 - RESERVED -CVE-2020-4644 - RESERVED +CVE-2020-4645 (IBM Planning Analytics Local 2.0.0 through 2.0.9.1 is vulnerable to cr ...) + TODO: check +CVE-2020-4644 (IBM Planning Analytics Local 2.0.0 through 2.0.9.1 could allow a remot ...) + TODO: check CVE-2020-4643 RESERVED CVE-2020-4642 @@ -30192,22 +30225,22 @@ CVE-2020-4576 RESERVED CVE-2020-4575 RESERVED -CVE-2020-4574 - RESERVED -CVE-2020-4573 - RESERVED -CVE-2020-4572 - RESERVED +CVE-2020-4574 (IBM Tivoli Key Lifecycle Manager does not require that users should ha ...) + TODO: check +CVE-2020-4573 (IBM Tivoli Key Lifecycle Manager 3.0.1 and 4.0 could disclose sensitiv ...) + TODO: check +CVE-2020-4572 (IBM Tivoli Key Lifecycle Manager 3.0.1 and 4.0 could allow a remote at ...) + TODO: check CVE-2020-4571 RESERVED CVE-2020-4570 RESERVED -CVE-2020-4569 - RESERVED +CVE-2020-4569 (IBM Tivoli Key Lifecycle Manager 3.0.1 and 4.0 uses a protection mecha ...) + TODO: check CVE-2020-4568 RESERVED -CVE-2020-4567 - RESERVED +CVE-2020-4567 (IBM Tivoli Key Lifecycle Manager 3.0.1 and 4.0 uses an inadequate acco ...) + TODO: check CVE-2020-4566 RESERVED CVE-2020-4565 (IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow an attacke ...) @@ -30414,8 +30447,8 @@ CVE-2020-4465 (IBM MQ, IBM MQ Appliance, and IBM MQ for HPE NonStop 8.0, 9.1 CD, NOT-FOR-US: IBM CVE-2020-4464 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 traditional co ...) NOT-FOR-US: IBM -CVE-2020-4463 - RESERVED +CVE-2020-4463 (IBM Maximo Asset Management 7.6.0.1 and 7.6.0.2 is vulnerable to an XM ...) + TODO: check CVE-2020-4462 (IBM Sterling External Authentication Server 6.0.1, 6.0.0, 2.4.3.2, and ...) NOT-FOR-US: IBM CVE-2020-4461 (IBM Security Access Manager Appliance 9.0.7.1 could allow an authentic ...) @@ -31253,6 +31286,7 @@ CVE-2020-4051 (In Dijit before versions 1.11.11, and greater than or equal to 1. CVE-2020-4045 (SSB-DB version 20.0.0 has an information disclosure vulnerability. The ...) NOT-FOR-US: SSB-DB CVE-2020-4044 (The xrdp-sesman service before version 0.9.13.1 can be crashed by conn ...) + {DSA-4737-1} - xrdp 0.9.12-1.1 (bug #964573) NOTE: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-j9fv-6fwf-p3g4 NOTE: Fixed by: https://github.com/neutrinolabs/xrdp/commit/e593f58a82bf79b556601ae08e9e25e366a662fb @@ -31780,24 +31814,24 @@ CVE-2019-20035 RESERVED CVE-2019-20034 RESERVED -CVE-2019-20033 - RESERVED -CVE-2019-20032 - RESERVED -CVE-2019-20031 - RESERVED -CVE-2019-20030 - RESERVED -CVE-2019-20029 - RESERVED -CVE-2019-20028 - RESERVED -CVE-2019-20027 - RESERVED -CVE-2019-20026 - RESERVED -CVE-2019-20025 - RESERVED +CVE-2019-20033 (On Aspire-derived NEC PBXes, including all versions of SV8100 devices, ...) + TODO: check +CVE-2019-20032 (An attacker with access to an InMail voicemail box equipped with the f ...) + TODO: check +CVE-2019-20031 (NEC UM8000, UM4730 and prior non-InMail voicemail systems with all kno ...) + TODO: check +CVE-2019-20030 (An attacker with knowledge of the modem access number on a NEC UM8000 ...) + TODO: check +CVE-2019-20029 (An exploitable privilege escalation vulnerability exists in the WebPro ...) + TODO: check +CVE-2019-20028 (Aspire-derived NEC PBXes operating InMail software, including all vers ...) + TODO: check +CVE-2019-20027 (Aspire-derived NEC PBXes, including the SV8100, SV9100, SL1100 and SL2 ...) + TODO: check +CVE-2019-20026 (The WebPro interface in NEC SV9100 software releases 7.0 or higher all ...) + TODO: check +CVE-2019-20025 (Certain builds of NEC SV9100 software could allow an unauthenticated, ...) + TODO: check CVE-2019-20024 (A heap-based buffer overflow was discovered in image_buffer_resize in ...) - libsixel 1.8.6-1 (low; bug #948103) [buster] - libsixel <no-dsa> (Minor issue) @@ -37055,12 +37089,12 @@ CVE-2020-2080 RESERVED CVE-2020-2079 RESERVED -CVE-2020-2078 - RESERVED -CVE-2020-2077 - RESERVED -CVE-2020-2076 - RESERVED +CVE-2020-2078 (Passwords are stored in plain text within the configuration of SICK Pa ...) + TODO: check +CVE-2020-2077 (SICK Package Analytics software up to and including version V04.0.0 ar ...) + TODO: check +CVE-2020-2076 (SICK Package Analytics software up to and including version V04.0.0 ar ...) + TODO: check CVE-2020-2075 RESERVED CVE-2020-2074 @@ -79084,7 +79118,7 @@ CVE-2019-7149 (A heap-based buffer over-read was discovered in the function read NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24102 NOTE: https://sourceware.org/ml/elfutils-devel/2019-q1/msg00068.html NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=2562759d6fe5b364fe224852e64e8bda39eb2e35 -CVE-2019-7148 (**DISPUTED** An attempted excessive memory allocation was discovered i ...) +CVE-2019-7148 (An attempted excessive memory allocation was discovered in the functio ...) - elfutils 0.176-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24085 NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=e32380ecefbb23448541367283d3b94930762986 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0e57058ca4665080182f1ac0f5f27ece42ec78b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0e57058ca4665080182f1ac0f5f27ece42ec78b You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits