Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b536ad2a by security tracker role at 2021-02-20T08:10:26+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,9 @@
+CVE-2021-27509 (In Visualware MyConnection Server before 11.0b build 5382, 
each publis ...)
+       TODO: check
+CVE-2021-27508
+       RESERVED
+CVE-2021-27507
+       RESERVED
 CVE-2021-27506
        RESERVED
 CVE-2021-27505
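Review bot: CVE-2021-27509 enters the list with only a "TODO: check" line; the description names Visualware MyConnection Server, a product with no package line here, so the next manual pass should resolve the TODO into either a "NOT-FOR-US: Visualware MyConnection Server" line (the convention this file uses for Cellinx, Joplin and JetBrains further down) or a source package with a fixed version, rather than leaving the placeholder in place.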
@@ -1753,8 +1759,7 @@ CVE-2021-26715
        RESERVED
 CVE-2021-26714
        RESERVED
-CVE-2021-26713
-       RESERVED
+CVE-2021-26713 (A stack-based buffer overflow in res_rtp_asterisk.c in Sangoma 
Asteris ...)
        - asterisk <not-affected> (Only affects 16.16.0 onwards)
        NOTE: https://downloads.asterisk.org/pub/security/AST-2021-004.html
 CVE-2021-26712 (Incorrect access controls in res_srtp.c in Sangoma Asterisk 
13.38.1, 1 ...)
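Review bot: the justification on the CVE-2021-26713 line, "- asterisk <not-affected> (Only affects 16.16.0 onwards)", records an upstream version range but not the asterisk version actually shipped in unstable, which is what the not-affected claim rests on; stating that version in the parenthesis (or in a NOTE line next to the AST-2021-004 link) makes the entry re-checkable when asterisk is upgraded to 16.16.0 or later, at which point <not-affected> would become wrong.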
@@ -4538,8 +4543,8 @@ CVE-2021-3308 (An issue was discovered in Xen 4.12.3 
through 4.12.4 and 4.13.1 t
        NOTE: Introduced by: 
https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=5b58dad089880127674d460494d1a9d68109b3d7
 (4.14.0-rc1)
        NOTE: Issue backported to 4.12.3 and 4.13.1
        NOTE: Fixed by: 
https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=58427889f5a420cc5226f88524b3228f90b72a58
-CVE-2021-3189
-       RESERVED
+CVE-2021-3189 (The slashify package 1.0.0 for Node.js allows open-redirect 
attacks, a ...)
+       TODO: check
 CVE-2021-3188 (phpList 3.6.0 allows CSV injection, related to the email 
parameter, an ...)
        - phplist <itp> (bug #612288)
 CVE-2021-3187
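Review bot: CVE-2021-3189 (slashify for Node.js) is left at "TODO: check"; the file's convention for unpackaged Node modules is a "NOT-FOR-US: Node <name>" line, as on the CVE-2020-28247 entry further down, so the triage should either add that or record the corresponding source package and fixed version if one exists in the archive.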
@@ -15344,41 +15349,51 @@ CVE-2021-21158
        RESERVED
 CVE-2021-21157
        RESERVED
+       {DSA-4858-1}
        - chromium 88.0.4324.182-1
        [stretch] - chromium <end-of-life> (see DSA 4562)
 CVE-2021-21156
        RESERVED
+       {DSA-4858-1}
        - chromium 88.0.4324.182-1
        [stretch] - chromium <end-of-life> (see DSA 4562)
 CVE-2021-21155
        RESERVED
+       {DSA-4858-1}
        - chromium 88.0.4324.182-1
        [stretch] - chromium <end-of-life> (see DSA 4562)
 CVE-2021-21154
        RESERVED
+       {DSA-4858-1}
        - chromium 88.0.4324.182-1
        [stretch] - chromium <end-of-life> (see DSA 4562)
 CVE-2021-21153
        RESERVED
+       {DSA-4858-1}
        - chromium 88.0.4324.182-1
        [stretch] - chromium <end-of-life> (see DSA 4562)
 CVE-2021-21152
        RESERVED
+       {DSA-4858-1}
        - chromium 88.0.4324.182-1
        [stretch] - chromium <end-of-life> (see DSA 4562)
 CVE-2021-21151
        RESERVED
+       {DSA-4858-1}
        - chromium 88.0.4324.182-1
        [stretch] - chromium <end-of-life> (see DSA 4562)
 CVE-2021-21150
        RESERVED
+       {DSA-4858-1}
        - chromium 88.0.4324.182-1
        [stretch] - chromium <end-of-life> (see DSA 4562)
 CVE-2021-21149
        RESERVED
+       {DSA-4858-1}
        - chromium 88.0.4324.182-1
        [stretch] - chromium <end-of-life> (see DSA 4562)
 CVE-2021-21148 (Heap buffer overflow in V8 in Google Chrome prior to 
88.0.4324.150 all ...)
+       {DSA-4858-1}
        - chromium 88.0.4324.150-1
        [stretch] - chromium <end-of-life> (see DSA 4562)
 CVE-2021-21147 (Inappropriate implementation in Skia in Google Chrome prior to 
88.0.43 ...)
@@ -16751,10 +16766,10 @@ CVE-2021-20590
        RESERVED
 CVE-2021-20589
        RESERVED
-CVE-2021-20588
-       RESERVED
-CVE-2021-20587
-       RESERVED
+CVE-2021-20588 (Improper handling of length parameter inconsistency 
vulnerability in M ...)
+       TODO: check
+CVE-2021-20587 (Heap-based buffer overflow vulnerability in Mitsubishi 
Electric FA Eng ...)
+       TODO: check
 CVE-2021-20586 (Resource management errors vulnerability in a robot controller 
of MELF ...)
        NOT-FOR-US: Mitsubishi
 CVE-2021-20585
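Review bot: CVE-2021-20588 and CVE-2021-20587 both describe Mitsubishi Electric products and sit directly above CVE-2021-20586, which is already resolved as "NOT-FOR-US: Mitsubishi"; unless these two cover a component that is actually packaged, they should be triaged the same way instead of being left as "TODO: check".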
@@ -18175,15 +18190,14 @@ CVE-2020-35501
        NOTE: https://www.openwall.com/lists/oss-security/2021/02/18/1
 CVE-2020-35500
        REJECTED
-CVE-2020-35499
-       RESERVED
+CVE-2020-35499 (A NULL pointer dereference flaw in kernel versions prior to 
5.11 may b ...)
        - linux 5.10.4-1
        [buster] - linux <not-affected> (Vulnerable code introduced later)
        [stretch] - linux <not-affected> (Vulnerable code introduced later)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1910048
        NOTE: 
https://git.kernel.org/linus/f6b8c6b5543983e9de29dc14716bfa4eb3f157c4
 CVE-2020-35498 (A vulnerability was found in openvswitch. A limitation in the 
implemen ...)
-       {DSA-4852-1}
+       {DSA-4852-1 DLA-2571-1}
        - openvswitch 2.15.0~git20210104.def6eb1ea+dfsg1-5 (bug #982493)
        NOTE: master: 
https://github.com/openvswitch/ovs/commit/79349cbab0b2a755140eedb91833ad2760520a83
        NOTE: 2.15: 
https://github.com/openvswitch/ovs/commit/0625dc79aec73b966f206e55655a2816696246d0
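Review bot: the CVE-2020-35499 entry marks "linux 5.10.4-1" as fixed while the description reads "kernel versions prior to 5.11 may b ...", which looks contradictory on its face; a NOTE line recording which stable release carried the upstream commit (the git.kernel.org link is already there) would make the 5.10.4-1 fixed version verifiable for anyone revisiting this entry. The buster and stretch lines correctly use "Vulnerable code introduced later" rather than a version, which is consistent with the upstream-range wording.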
@@ -26910,8 +26924,8 @@ CVE-2020-28250 (Cellinx NVT Web Server 5.0.0.014b.test 
2019-09-05 allows a remot
        NOT-FOR-US: Cellinx NVT Web Server
 CVE-2020-28249 (Joplin 1.2.6 for Desktop allows XSS via a LINK element in a 
note. ...)
        NOT-FOR-US: Joplin
-CVE-2020-28248
-       RESERVED
+CVE-2020-28248 (An integer overflow in the PngImg::InitStorage_() function of 
png-img  ...)
+       TODO: check
 CVE-2020-28247 (The lettre library through 0.10.0-alpha for Rust allows 
arbitrary send ...)
        NOT-FOR-US: Node lettre
 CVE-2020-28246
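Review bot: the context line "NOT-FOR-US: Node lettre" under CVE-2020-28247 mislabels the package ecosystem, since that CVE's own description says lettre is a Rust library ("The lettre library through 0.10.0-alpha for Rust"); while the adjacent CVE-2020-28248 (png-img integer overflow) is being triaged out of its "TODO: check" state, that line should read "NOT-FOR-US: Rust lettre" or equivalent so that later searches by ecosystem are not misled.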
@@ -27486,8 +27500,8 @@ CVE-2020-27999
        RESERVED
 CVE-2020-27998 (An issue was discovered in FastReport before 2020.4.0. It 
lacks a Scri ...)
        NOT-FOR-US: FastReport
-CVE-2020-27997
-       RESERVED
+CVE-2020-27997 (An issue was discovered in SmartStoreNET before 4.1.0. Lack of 
Cross S ...)
+       TODO: check
 CVE-2020-27996 (An issue was discovered in SmartStoreNET before 4.0.1. It does 
not pro ...)
        NOT-FOR-US: SmartStoreNET
 CVE-2020-27995 (SQL Injection in Zoho ManageEngine Applications Manager 14 
before 1456 ...)
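Review bot: CVE-2020-27997 is a SmartStoreNET issue and the next entry, CVE-2020-27996, for the same product is already "NOT-FOR-US: SmartStoreNET"; the new "TODO: check" line should be resolved the same way rather than left open.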
@@ -28074,7 +28088,7 @@ CVE-2020-27828 (There's a flaw in jasper's jpc encoder 
in versions prior to 2.0.
        NOTE: https://github.com/jasper-software/jasper/pull/253
 CVE-2020-27827 [lldp: avoid memory leak from bad packets]
        RESERVED
-       {DSA-4836-1}
+       {DSA-4836-1 DLA-2571-1}
        - lldpd 1.0.8-1
        [buster] - lldpd <no-dsa> (Minor issue)
        [stretch] - lldpd <no-dsa> (Minor issue)
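Review bot: the same advisory id, DLA-2571-1, is added in this commit both to lldpd entries (CVE-2020-27827 here and CVE-2015-8011 at the end of the diff) and to openvswitch entries (CVE-2020-35498, CVE-2018-17206, CVE-2018-17204, CVE-2017-9214); a DLA covers a single source package, so one of the two groups is carrying the wrong number and the lldpd or openvswitch references should be corrected to the advisory actually issued for that package. Since this is an automatic update, the mismatch probably originates in the parsed DLA text and is worth checking there as well.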
@@ -28203,7 +28217,7 @@ CVE-2020-27786 (A flaw was found in the Linux kernels 
implementation of MIDI, wh
        [stretch] - linux 4.9.228-1
        NOTE: 
https://git.kernel.org/linus/c1f6e3c818dd734c30f6a7eeebf232ba2cf3181d
 CVE-2020-27785
-       RESERVED
+       REJECTED
 CVE-2020-27784
        RESERVED
 CVE-2020-27783 (A XSS vulnerability was discovered in python-lxml's clean 
module. The  ...)
@@ -36137,8 +36151,8 @@ CVE-2020-24619 (In mainwindow.cpp in Shotcut before 
20.09.13, the upgrade check
        NOT-FOR-US: Shotcut
 CVE-2020-24618 (In JetBrains YouTrack versions before 2020.3.4313, 
2020.2.11008, 2020. ...)
        NOT-FOR-US: JetBrains
-CVE-2020-24617
-       RESERVED
+CVE-2020-24617 (Mailtrain through 1.24.1 allows SQL Injection in 
statsClickedSubscribe ...)
+       TODO: check
 CVE-2020-24616 (FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the 
interact ...)
        - jackson-databind 2.12.1-1
        [buster] - jackson-databind <no-dsa> (Minor issue)
@@ -36641,10 +36655,10 @@ CVE-2020-24394 (In the Linux kernel before 5.7.8, 
fs/nfsd/vfs.c (in the NFS serv
        [buster] - linux 4.19.131-1
        [stretch] - linux <not-affected> (Vulnerable code introduced later)
        NOTE: 
https://git.kernel.org/linus/22cf8419f1319ff87ec759d0ebdff4cbafaee832
-CVE-2020-24393
-       RESERVED
-CVE-2020-24392
-       RESERVED
+CVE-2020-24393 (TweetStream 2.6.1 uses the library eventmachine in an insecure 
way tha ...)
+       TODO: check
+CVE-2020-24392 (In voloko twitter-stream 0.1.10, missing TLS hostname 
validation allow ...)
+       TODO: check
 CVE-2020-24391
        RESERVED
 CVE-2020-24390 (eonweb in EyesOfNetwork before 5.3-7 does not properly escape 
the user ...)
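Review bot: CVE-2020-24393 (TweetStream) and CVE-2020-24392 (twitter-stream) are both Ruby libraries and both descriptions point at insecure use of eventmachine / missing TLS hostname validation, so the two "TODO: check" lines can be triaged together; the check to record is whether either library is packaged, and, because the TweetStream text blames the way eventmachine is used rather than eventmachine itself, that a packaged eventmachine does not need its own entry.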
@@ -62380,8 +62394,8 @@ CVE-2020-12875 (Veritas APTARE versions prior to 10.4 
did not perform adequate a
        NOT-FOR-US: Veritas
 CVE-2020-12874 (Veritas APTARE versions prior to 10.4 included code that 
bypassed the  ...)
        NOT-FOR-US: Veritas
-CVE-2020-12873
-       RESERVED
+CVE-2020-12873 (An issue was discovered in Alfresco Enterprise Content 
Management (ECM ...)
+       TODO: check
 CVE-2020-12872 (yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads 
obsolete TLS  ...)
        - erlang 1:21.2.6+dfsg-1 (low)
        [stretch] - erlang 1:19.2.1+dfsg-2+deb9u3
@@ -63007,8 +63021,8 @@ CVE-2020-12670 (XSS exists in Webmin 1.941 and earlier 
affecting the Save functi
        - webmin <removed>
 CVE-2020-12669 (core/get_menudiv.php in Dolibarr before 11.0.4 allows remote 
authentic ...)
        - dolibarr <removed>
-CVE-2020-12668
-       RESERVED
+CVE-2020-12668 (Jinjava before 2.5.4 allow access to arbitrary classes by 
calling Java ...)
+       TODO: check
 CVE-2020-12667 (Knot Resolver before 5.1.1 allows traffic amplification via a 
crafted  ...)
        - knot-resolver 5.1.1-0.1 (bug #961076)
        NOTE: 
https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack/
@@ -160300,6 +160314,7 @@ CVE-2018-17208 (Linksys Velop 1.1.2.187020 devices 
allow unauthenticated command
 CVE-2018-17207 (An issue was discovered in Snap Creek Duplicator before 
1.2.42. By acc ...)
        NOT-FOR-US: Snap Creek Duplicator
 CVE-2018-17206 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 
2.7.6. The ...)
+       {DLA-2571-1}
        - openvswitch 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-1
        [jessie] - openvswitch <not-affected> (Vulnerable code does not exist; 
no such function)
        NOTE: 
https://github.com/openvswitch/ovs/commit/5026a263d7846077eee540de42192d27da513226
 (master)
@@ -160314,6 +160329,7 @@ CVE-2018-17205 (An issue was discovered in Open 
vSwitch (OvS) 2.7.x through 2.7.
        NOTE: 
https://github.com/openvswitch/ovs/commit/638d406e3b647359f3d82189d7a6ee56b4a54928
 (branch-2.8)
        NOTE: 
https://github.com/openvswitch/ovs/commit/0befd1f3745055c32940f5faf9559be6a14395e6
 (branch-2.7)
 CVE-2018-17204 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 
2.7.6, aff ...)
+       {DLA-2571-1}
        - openvswitch 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-1
        [jessie] - openvswitch <not-affected> (Vulnerable code does not exist; 
no such function)
        NOTE: 
https://github.com/openvswitch/ovs/commit/9740d81d94888cb158fa99a9366fe2b32b3e4aaa
 (master)
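Review bot: {DLA-2571-1} is added to CVE-2018-17206 in the previous hunk and to CVE-2018-17204 here, but the header line of CVE-2018-17205, which lies between them, is outside both hunks, so this diff does not show whether it received the same tag; confirm that it is either tagged consistently or deliberately excluded, since all three share the same openvswitch 2.7.x affected range.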
@@ -232848,6 +232864,7 @@ CVE-2017-9216 (libjbig2dec.a in Artifex jbig2dec 
0.13, as used in MuPDF and Ghos
 CVE-2017-9215
        RESERVED
 CVE-2017-9214 (In Open vSwitch (OvS) 2.7.0, while parsing an 
OFPT_QUEUE_GET_CONFIG_RE ...)
+       {DLA-2571-1}
        [experimental] - openvswitch 2.8.1+dfsg1-1
        - openvswitch 2.8.1+dfsg1-2 (bug #863228)
        [jessie] - openvswitch <not-affected> (Vulnerable code not present)
@@ -292986,7 +293003,7 @@ CVE-2013-7445 (The Direct Rendering Manager (DRM) 
subsystem in the Linux kernel
        - linux-2.6 <removed>
        NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=60533
 CVE-2015-8011 (Buffer overflow in the lldp_decode function in 
daemon/protocols/lldp.c ...)
-       {DSA-4836-1}
+       {DSA-4836-1 DLA-2571-1}
        - lldpd 0.7.19-1
        [jessie] - lldpd 0.7.11-2+deb8u1
        [wheezy] - lldpd <not-affected> (Vulnerable code not present)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b536ad2a399608743c1836a36933f126f10fb82e



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
