Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 56f8fec9 by security tracker role at 2020-11-23T20:10:32+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -1,3 +1,17 @@ +CVE-2020-28982 + RESERVED +CVE-2020-28981 + RESERVED +CVE-2020-28980 + RESERVED +CVE-2020-28979 + RESERVED +CVE-2020-28978 + RESERVED +CVE-2020-28977 + RESERVED +CVE-2020-28976 + RESERVED CVE-2020-XXXX [identified authors can execute arbitrary PHP code] - spip 3.2.8-1 NOTE: https://git.spip.net/spip/spip/commit/ae4267eba1022dabc12831ddb021c5d6e09040f8 @@ -64,10 +78,12 @@ CVE-2020-28951 (libuci in OpenWrt before 18.06.9 and 19.x before 19.07.5 may enc CVE-2020-28950 RESERVED CVE-2020-28949 (Archive_Tar through 1.4.10 has :// filename sanitization only to addre ...) + {DLA-2465-1} - php-pear <unfixed> NOTE: https://github.com/pear/Archive_Tar/issues/33 NOTE: https://github.com/pear/Archive_Tar/commit/0670a05fdab997036a3fc3ef113b8f5922e574da CVE-2020-28948 (Archive_Tar through 1.4.10 allows an unserialization attack because ph ...) + {DLA-2465-1} - php-pear <unfixed> NOTE: https://github.com/pear/Archive_Tar/issues/33 NOTE: https://github.com/pear/Archive_Tar/commit/0670a05fdab997036a3fc3ef113b8f5922e574da @@ -197,8 +213,7 @@ CVE-2020-28898 RESERVED CVE-2020-28897 RESERVED -CVE-2020-28896 - RESERVED +CVE-2020-28896 (Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $s ...) - mutt 2.0.2-1 [buster] - mutt <no-dsa> (Minor issue) - neomutt 20201120+dfsg.1-1 @@ -267,8 +282,8 @@ CVE-2020-28866 RESERVED CVE-2020-28865 RESERVED -CVE-2020-28864 - RESERVED +CVE-2020-28864 (Buffer overflow in WinSCP 5.17.8 allows a malicious FTP server to caus ...) + TODO: check CVE-2020-28863 RESERVED CVE-2020-28862 
@@ -2312,8 +2327,8 @@ CVE-2020-28423 RESERVED CVE-2020-28422 RESERVED -CVE-2020-28421 - RESERVED +CVE-2020-28421 (CA Unified Infrastructure Management 20.1 and earlier contains a vulne ...) + TODO: check CVE-2020-28420 RESERVED CVE-2020-28419 @@ -4611,8 +4626,8 @@ CVE-2020-28055 (A vulnerability in the TCL Android Smart TV series V8-R851T02-LF NOT-FOR-US: TCL Android Smart TV series CVE-2020-28054 (JamoDat TSMManager Collector version up to 6.5.0.21 is vulnerable to a ...) NOT-FOR-US: JamoDat TSMManager Collector -CVE-2020-28053 - RESERVED +CVE-2020-28053 (HashiCorp Consul and Consul Enterprise 1.2.0 up to 1.8.5 allowed opera ...) + TODO: check CVE-2020-28052 RESERVED CVE-2020-28051 @@ -4796,8 +4811,8 @@ CVE-2020-27987 RESERVED CVE-2020-27986 (** DISPUTED ** SonarQube 8.4.2.36762 allows remote attackers to discov ...) NOT-FOR-US: SonarQube -CVE-2020-27985 - RESERVED +CVE-2020-27985 (Security Onion v2 prior to 2.3.10 has an incorrect sudo configuration, ...) + TODO: check CVE-2020-27984 RESERVED CVE-2020-27983 @@ -6344,7 +6359,7 @@ CVE-2020-27555 (Use of default credentials for the telnet server in BASETech GE- NOT-FOR-US: BASETech CVE-2020-27554 (Cleartext Transmission of Sensitive Information vulnerability in BASET ...) NOT-FOR-US: BASETech -CVE-2020-27553 (A directory traversal vulnerability in BASETech GE-131 BT-1837836 firm ...) +CVE-2020-27553 (In BASETech GE-131 BT-1837836 firmware 20180921, the web-server on the ...) NOT-FOR-US: BASETech CVE-2020-27552 RESERVED @@ -7543,7 +7558,7 @@ CVE-2020-26969 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26969 CVE-2020-26968 RESERVED - {DSA-4796-1 DSA-4793-1 DLA-2457-1} + {DSA-4796-1 DSA-4793-1 DLA-2464-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 
@@ -7564,7 +7579,7 @@ CVE-2020-26966 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/#CVE-2020-26966 CVE-2020-26965 RESERVED - {DSA-4796-1 DSA-4793-1 DLA-2457-1} + {DSA-4796-1 DSA-4793-1 DLA-2464-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 @@ -7585,7 +7600,7 @@ CVE-2020-26962 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26962 CVE-2020-26961 RESERVED - {DSA-4796-1 DSA-4793-1 DLA-2457-1} + {DSA-4796-1 DSA-4793-1 DLA-2464-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 @@ -7594,7 +7609,7 @@ CVE-2020-26961 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/#CVE-2020-26961 CVE-2020-26960 RESERVED - {DSA-4796-1 DSA-4793-1 DLA-2457-1} + {DSA-4796-1 DSA-4793-1 DLA-2464-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 @@ -7603,7 +7618,7 @@ CVE-2020-26960 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/#CVE-2020-26960 CVE-2020-26959 RESERVED - {DSA-4796-1 DSA-4793-1 DLA-2457-1} + {DSA-4796-1 DSA-4793-1 DLA-2464-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 @@ -7612,7 +7627,7 @@ CVE-2020-26959 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-52/#CVE-2020-26959 CVE-2020-26958 RESERVED - {DSA-4796-1 DSA-4793-1 DLA-2457-1} + {DSA-4796-1 DSA-4793-1 DLA-2464-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 @@ -7625,7 +7640,7 @@ CVE-2020-26957 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26957 CVE-2020-26956 RESERVED - {DSA-4796-1 DSA-4793-1 DLA-2457-1} + {DSA-4796-1 DSA-4793-1 DLA-2464-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 
@@ -7642,7 +7657,7 @@ CVE-2020-26954 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26954 CVE-2020-26953 RESERVED - {DSA-4796-1 DSA-4793-1 DLA-2457-1} + {DSA-4796-1 DSA-4793-1 DLA-2464-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 @@ -7655,7 +7670,7 @@ CVE-2020-26952 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-50/#CVE-2020-26952 CVE-2020-26951 RESERVED - {DSA-4796-1 DSA-4793-1 DLA-2457-1} + {DSA-4796-1 DSA-4793-1 DLA-2464-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 @@ -8469,10 +8484,10 @@ CVE-2019-20926 RESERVED CVE-2019-20925 RESERVED -CVE-2019-20924 - RESERVED -CVE-2019-20923 - RESERVED +CVE-2019-20924 (A user authorized to perform database queries may trigger denial of se ...) + TODO: check +CVE-2019-20923 (A user authorized to perform database queries may trigger denial of se ...) + TODO: check CVE-1999-0199 (manual/search.texi in the GNU C Library (aka glibc) before 2.2 lacks a ...) - glibc 2.2-1 CVE-2020-26572 (The TCOS smart card software driver in OpenSC before 0.21.0-rc1 has a ...) @@ -9168,8 +9183,8 @@ CVE-2020-26241 RESERVED CVE-2020-26240 RESERVED -CVE-2020-26239 - RESERVED +CVE-2020-26239 (Scratch Addons is a WebExtension that supports both Chrome and Firefox ...) + TODO: check CVE-2020-26238 RESERVED CVE-2020-26237 @@ -12355,7 +12370,7 @@ CVE-2020-24892 RESERVED CVE-2020-24891 REJECTED -CVE-2020-24890 (libraw 20.0 has a null pointer dereference vulnerability in parse_tiff ...) +CVE-2020-24890 (** DISPUTED ** libraw 20.0 has a null pointer dereference vulnerabilit ...) - libraw <unfixed> (unimportant) NOTE: https://github.com/LibRaw/LibRaw/issues/335 NOTE: https://github.com/LibRaw/LibRaw/issues/335#issuecomment-677637276 
@@ -30529,7 +30544,7 @@ CVE-2020-16013 [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2020-16012 RESERVED - {DSA-4796-1 DSA-4793-1 DLA-2457-1} + {DSA-4796-1 DSA-4793-1 DLA-2464-1 DLA-2457-1} - firefox 83.0-1 - firefox-esr 78.5.0esr-1 - thunderbird 1:78.5.0-1 @@ -37291,6 +37306,7 @@ CVE-2020-13585 RESERVED CVE-2020-13584 RESERVED + {DSA-4797-1} - webkit2gtk 2.30.3-1 [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) [jessie] - webkit2gtk <ignored> (Not covered by security support in jessie) @@ -40427,15 +40443,13 @@ CVE-2020-12354 (Incorrect default permissions in Windows(R) installer in Intel(R NOT-FOR-US: Intel CVE-2020-12353 (Improper permissions in the Intel(R) Data Center Manager Console befor ...) NOT-FOR-US: Intel -CVE-2020-12352 - RESERVED +CVE-2020-12352 (Improper access control in BlueZ may allow an unauthenticated user to ...) {DSA-4774-1 DLA-2420-1 DLA-2417-1} - linux 5.9.1-1 NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html NOTE: https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq NOTE: Fixed by: https://git.kernel.org/linus/eddb7732119d53400f48a02536a84c509692faa8 -CVE-2020-12351 - RESERVED +CVE-2020-12351 (Improper input validation in BlueZ may allow an unauthenticated user t ...) {DSA-4774-1 DLA-2420-1 DLA-2417-1} - linux 5.9.1-1 NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00435.html @@ -47997,7 +48011,7 @@ CVE-2020-9985 (A buffer overflow issue was addressed with improved memory handli CVE-2020-9984 (An out-of-bounds read was addressed with improved input validation. Th ...) NOT-FOR-US: Apple CVE-2020-9983 (An out-of-bounds write issue was addressed with improved bounds checki ...) - RESERVED + {DSA-4797-1} - webkit2gtk 2.30.3-1 [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) [jessie] - webkit2gtk <ignored> (Not covered by security support in jessie) 
@@ -48064,14 +48078,14 @@ CVE-2020-9954 CVE-2020-9953 RESERVED CVE-2020-9952 (An input validation issue was addressed with improved input validation ...) - RESERVED + {DSA-4739-1} - webkit2gtk 2.28.3-1 [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) [jessie] - webkit2gtk <ignored> (Not covered by security support in jessie) - wpewebkit 2.28.3-1 NOTE: https://webkitgtk.org/security/WSA-2020-0008.html CVE-2020-9951 (A use after free issue was addressed with improved memory management. ...) - RESERVED + {DSA-4797-1} - webkit2gtk 2.30.1-1 [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) [jessie] - webkit2gtk <ignored> (Not covered by security support in jessie) @@ -48082,7 +48096,7 @@ CVE-2020-9950 CVE-2020-9949 RESERVED CVE-2020-9948 (A type confusion issue was addressed with improved memory handling. Th ...) - RESERVED + {DSA-4797-1} - webkit2gtk 2.30.1-1 [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) [jessie] - webkit2gtk <ignored> (Not covered by security support in jessie) @@ -53131,14 +53145,14 @@ CVE-2020-7930 RESERVED CVE-2020-7929 RESERVED -CVE-2020-7928 - RESERVED -CVE-2020-7927 - RESERVED -CVE-2020-7926 - RESERVED -CVE-2020-7925 - RESERVED +CVE-2020-7928 (A user authorized to perform database queries may trigger a read overr ...) + TODO: check +CVE-2020-7927 (Specially crafted API calls may allow an authenticated user who holds ...) + TODO: check +CVE-2020-7926 (A user authorized to perform database queries may cause denial of serv ...) + TODO: check +CVE-2020-7925 (Incorrect validation of user input in the role name parser may lead to ...) + TODO: check CVE-2020-7924 RESERVED CVE-2020-7923 (A user authorized to perform database queries may cause denial of serv ...) 
@@ -53550,8 +53564,8 @@ CVE-2020-7779 RESERVED CVE-2020-7778 RESERVED -CVE-2020-7777 - RESERVED +CVE-2020-7777 (This affects all versions of package jsen. If an attacker can control ...) + TODO: check CVE-2020-7776 RESERVED CVE-2020-7775 @@ -55522,8 +55536,8 @@ CVE-2020-6941 RESERVED CVE-2020-6940 RESERVED -CVE-2020-6939 - RESERVED +CVE-2020-6939 (Tableau Server installations configured with Site-Specific SAML that a ...) + TODO: check CVE-2020-6938 (A sensitive information disclosure vulnerability in Tableau Server 10. ...) NOT-FOR-US: Tableau Server CVE-2020-6937 (A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, ...) @@ -61115,8 +61129,8 @@ CVE-2020-4856 RESERVED CVE-2020-4855 RESERVED -CVE-2020-4854 - RESERVED +CVE-2020-4854 (IBM Spectrum Protect Plus 10.1.0 thorugh 10.1.6 contains hard-coded cr ...) + TODO: check CVE-2020-4853 RESERVED CVE-2020-4852 @@ -61257,8 +61271,8 @@ CVE-2020-4785 (IBM App Connect Enterprise Certified Container 1.0.0, 1.0.1, 1.0. NOT-FOR-US: IBM CVE-2020-4784 RESERVED -CVE-2020-4783 - RESERVED +CVE-2020-4783 (IBM Spectrum Protect Plus 10.1.0 through 10.1.6 could allow a remote a ...) + TODO: check CVE-2020-4782 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a ...) NOT-FOR-US: IBM CVE-2020-4781 (An improper input validation before calling java readLine() method may ...) @@ -61281,8 +61295,8 @@ CVE-2020-4773 (A cross-site request forgery (CSRF) vulnerability may impact IBM NOT-FOR-US: IBM CVE-2020-4772 (An XML External Entity Injection (XXE) vulnerability may impact IBM Cu ...) NOT-FOR-US: IBM -CVE-2020-4771 - RESERVED +CVE-2020-4771 (IBM Spectrum Protect Operations Center 8.1.0.000 through 8.1.10.and 7. ...) + TODO: check CVE-2020-4770 RESERVED CVE-2020-4769 
@@ -69801,8 +69815,8 @@ CVE-2020-1780 RESERVED CVE-2020-1779 RESERVED -CVE-2020-1778 - RESERVED +CVE-2020-1778 (When OTRS uses multiple backends for user authentication (with LDAP), ...) + TODO: check CVE-2020-1777 (Agent names that participates in a chat conversation are revealed in c ...) - otrs <not-affected> (Only affects 7.x and 8.x) NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-15/ @@ -74680,8 +74694,7 @@ CVE-2020-0570 (Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 NOTE: https://bugreports.qt.io/browse/QTBUG-81272 NOTE: Patch: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=e6f1fde24f77f63fb16b2df239f82a89d2bf05dd NOTE: https://lists.qt-project.org/pipermail/development/2020-January/038534.html -CVE-2020-0569 - RESERVED +CVE-2020-0569 (Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windo ...) {DSA-4617-1 DLA-2092-1} - qtbase-opensource-src 5.12.5+dfsg-8 NOTE: Patch for 5.6.0 through 5.13.2: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=bf131e8d2181b3404f5293546ed390999f760404 @@ -87402,14 +87415,12 @@ CVE-2019-14589 RESERVED CVE-2019-14588 RESERVED -CVE-2019-14587 - RESERVED +CVE-2019-14587 (Logic issue EDK II may allow an unauthenticated user to potentially en ...) - edk2 0~20200229.4c0f6e34-1 [buster] - edk2 0~20181115.85588389-3+deb10u1 [stretch] - edk2 <ignored> (Minor issue) [jessie] - edk2 <end-of-life> (non-free) -CVE-2019-14586 - RESERVED +CVE-2019-14586 (Use after free vulnerability in EDK II may allow an authenticated user ...) - edk2 0~20200229.4c0f6e34-1 [buster] - edk2 0~20181115.85588389-3+deb10u1 [stretch] - edk2 <ignored> (Minor issue) 
@@ -87439,8 +87450,7 @@ CVE-2019-14577 RESERVED CVE-2019-14576 RESERVED -CVE-2019-14575 [DxeImageVerificationHandler() fails open in case of dbx signature check] - RESERVED +CVE-2019-14575 (Logic issue in DxeImageVerificationHandler() for EDK II may allow an a ...) - edk2 0~20200229.4c0f6e34-1 (low; bug #952935) [buster] - edk2 0~20181115.85588389-3+deb10u1 [stretch] - edk2 <ignored> (Minor issue) @@ -87468,16 +87478,14 @@ CVE-2019-14565 (Insufficient initialization in Intel(R) SGX SDK Windows versions NOT-FOR-US: Intel CVE-2019-14564 RESERVED -CVE-2019-14563 [numeric truncation in MdeModulePkg/PiDxeS3BootScriptLib] - RESERVED +CVE-2019-14563 (Integer truncation in EDK II may allow an authenticated user to potent ...) - edk2 0~20200229.4c0f6e34-1 (low; bug #952934) [buster] - edk2 0~20181115.85588389-3+deb10u1 [stretch] - edk2 <ignored> (Minor issue) [jessie] - edk2 <end-of-life> (non-free) NOTE: https://github.com/tianocore/edk2/commit/322ac05f8bbc1bce066af1dabd1b70ccdbe28891 NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2001 -CVE-2019-14562 - RESERVED +CVE-2019-14562 (Integer overflow in DxeImageVerificationHandler() EDK II may allow an ...) - edk2 2020.05-4 (bug #968819) [buster] - edk2 <no-dsa> (Minor issue) [stretch] - edk2 <no-dsa> (Minor issue) @@ -87491,8 +87499,7 @@ CVE-2019-14560 [GetEfiGlobalVariable2() return value not checked] [buster] - edk2 <no-dsa> (Minor issue) [stretch] - edk2 <no-dsa> (Minor issue) NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2167 -CVE-2019-14559 [memory leak in ArpOnFrameRcvdDpc] - RESERVED +CVE-2019-14559 (Uncontrolled resource consumption in EDK II may allow an unauthenticat ...) - edk2 0~20200229.4c0f6e34-1 (bug #952926; low) [buster] - edk2 0~20181115.85588389-3+deb10u1 [stretch] - edk2 <ignored> (Minor issue) 
@@ -87515,8 +87522,7 @@ CVE-2019-14555 RESERVED CVE-2019-14554 RESERVED -CVE-2019-14553 [invalid server certificate accepted in HTTPS-over-IPv6 boot] - RESERVED +CVE-2019-14553 (Improper authentication in EDK II may allow a privileged user to poten ...) - edk2 0~20190828.37eef910-4 (unimportant; bug #941775) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1758518 NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=960 @@ -103231,14 +103237,14 @@ CVE-2019-9832 (The AirDrop application through 2.0 for Android allows remote att NOT-FOR-US: AirDrop application for Android CVE-2019-9831 (The AirMore application through 1.6.1 for Android allows remote attack ...) NOT-FOR-US: AirMore application for Android -CVE-2018-20805 - RESERVED -CVE-2018-20804 - RESERVED -CVE-2018-20803 - RESERVED -CVE-2018-20802 - RESERVED +CVE-2018-20805 (A user authorized to perform database queries may trigger denial of se ...) + TODO: check +CVE-2018-20804 (A user authorized to perform database queries may trigger denial of se ...) + TODO: check +CVE-2018-20803 (A user authorized to perform database queries may trigger denial of se ...) + TODO: check +CVE-2018-20802 (A user authorized to perform database queries may trigger denial of se ...) + TODO: check CVE-2017-18363 RESERVED CVE-2015-9283 
@@ -124003,10 +124009,10 @@ CVE-2018-20029 (The nxfs.sys driver in the DokanFS library 0.6.0 in NoMachine be NOT-FOR-US: nxfs.sys driver in the DokanFS library in NoMachine on Windows CVE-2019-2394 RESERVED -CVE-2019-2393 - RESERVED -CVE-2019-2392 - RESERVED +CVE-2019-2393 (A user authorized to perform database queries may trigger denial of se ...) + TODO: check +CVE-2019-2392 (A user authorized to perform database queries may trigger denial of se ...) + TODO: check CVE-2019-2391 (Incorrect parsing of certain JSON input may result in js-bson not corr ...) [experimental] - node-mongodb 3.5.5+~cs11.12.19-1 - node-mongodb 3.5.6+~cs11.12.19-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56f8fec9d1d3c88ad678c7939ba99a698b2942e7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56f8fec9d1d3c88ad678c7939ba99a698b2942e7 You're receiving this email because of your account on salsa.debian.org.
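Review bot: In the hunk at @@ -74680, the new description for CVE-2020-0569 ("Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windo ...") contradicts the package the entry tracks: the unchanged lines below it still carry {DSA-4617-1 DLA-2092-1}, "qtbase-opensource-src 5.12.5+dfsg-8" and "NOTE: Patch for 5.6.0 through 5.13.2" pointing at a qtbase commit, and the entry sits directly under CVE-2020-0570 (Uncontrolled search path in the QT Library). An automatic description refresh should not silently rebind an identifier Debian has already issued a DSA and a DLA for; this one needs a manual check of whether the CVE was reassigned upstream, and then either a NOTE line recording the identifier change or a corrected description, before the advisories end up referencing a Windows WiFi driver issue.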
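Review bot: In the hunks at @@ -87439, @@ -87468 and @@ -87515, replacing the bracketed working titles with the truncated official text drops the only precise pointer each entry had to the affected EDK II code: "DxeImageVerificationHandler() fails open in case of dbx signature check" (CVE-2019-14575), "numeric truncation in MdeModulePkg/PiDxeS3BootScriptLib" (CVE-2019-14563), "memory leak in ArpOnFrameRcvdDpc" (CVE-2019-14559) and "invalid server certificate accepted in HTTPS-over-IPv6 boot" (CVE-2019-14553). What remains is "Logic issue", "Integer truncation", "Uncontrolled resource consumption" and "Improper authentication in EDK II", which is not enough to match a fix to a backport. Suggest keeping the old text as a NOTE line under each entry, next to the existing tianocore bugzilla NOTE lines, so whoever maintains the buster package (0~20181115.85588389-3+deb10u1) can still find the right upstream commit.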
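Review bot: The hunks at @@ -47997, @@ -48064 and @@ -48082 repair four WebKitGTK entries (CVE-2020-9983, CVE-2020-9952, CVE-2020-9951, CVE-2020-9948) that already had an official description, fixed webkit2gtk versions and, for 9952, a WSA-2020-0008 NOTE, yet still carried a stale "RESERVED" status line, now replaced with {DSA-4797-1} or {DSA-4739-1}. A leftover RESERVED under a described and fixed entry is a data-consistency defect rather than a cosmetic one, since the advisory reference only becomes visible once the braces are present; worth a one-off sweep of the file for other entries in that state rather than fixing them as they happen to be touched. The version split in these hunks is consistent: CVE-2020-9952 goes with DSA-4739-1 and webkit2gtk 2.28.3-1, while 9951 and 9948 go with DSA-4797-1 and 2.30.1-1.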
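Review bot: In the hunk at @@ -64, CVE-2020-28949 and CVE-2020-28948 gain a {DLA-2465-1} reference while the package line stays "php-pear <unfixed>". That is the normal shape for an LTS advisory that lands before unstable, but the entries carry no bug number and no suite-specific line, so apart from the bare <unfixed> nothing records that unstable and buster are still open; suggest adding a bug reference or a [buster] line so the DLA does not read as closing the issue.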
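Review bot: The hunks at @@ -8469, @@ -53131, @@ -103231 and @@ -124003 turn twelve entries (CVE-2019-20924/20923, CVE-2020-7928 through 7925, CVE-2018-20805 through 20802, CVE-2019-2393/2392) from RESERVED into "TODO: check", and nearly all of them share the description prefix "A user authorized to perform database queries may ...", so they appear to be one vendor's batch. Rather than leaving twelve TODO markers to be cleared individually, suggest triaging them together against the already-described sibling in the context line of @@ -53131 (CVE-2020-7923, "A user authorized to perform database queries may cause denial of serv ...") and recording the same package decision on all of them.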
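Review bot: The hunks from @@ -7543 to @@ -7655 and at @@ -30529 add DLA-2464-1 to the braces of ten Mozilla entries (CVE-2020-26968, 26965, 26961, 26960, 26959, 26958, 26956, 26953, 26951 and CVE-2020-16012), leaving the package lines (firefox 83.0-1, firefox-esr 78.5.0esr-1, thunderbird 1:78.5.0-1) untouched. The ordering "DSA-4796-1 DSA-4793-1 DLA-2464-1 DLA-2457-1" is applied uniformly, which is good; the one thing to confirm is that this set of ten is exactly the CVE list of DLA-2464-1, since an entry missed by the automatic update would stay attributed to DLA-2457-1 alone and look unfixed for the second package.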
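Review bot: In the hunk at @@ -69801, CVE-2020-1778 ("When OTRS uses multiple backends for user authentication (with LDAP), ...") is left at "TODO: check" directly above CVE-2020-1777, which the context lines already resolve as "otrs <not-affected> (Only affects 7.x and 8.x)" with a NOTE to otrs-security-advisory-2020-15. Suggest checking whether the new entry belongs to the same advisory series and whether the same version scoping applies, so the TODO can be closed with a matching <not-affected> line and NOTE instead of lingering.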
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits