Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: b536ad2a by security tracker role at 2021-02-20T08:10:26+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -1,3 +1,9 @@ +CVE-2021-27509 (In Visualware MyConnection Server before 11.0b build 5382, each publis ...) + TODO: check +CVE-2021-27508 + RESERVED +CVE-2021-27507 + RESERVED CVE-2021-27506 RESERVED CVE-2021-27505 @@ -1753,8 +1759,7 @@ CVE-2021-26715 RESERVED CVE-2021-26714 RESERVED -CVE-2021-26713 - RESERVED +CVE-2021-26713 (A stack-based buffer overflow in res_rtp_asterisk.c in Sangoma Asteris ...) - asterisk <not-affected> (Only affects 16.16.0 onwards) NOTE: https://downloads.asterisk.org/pub/security/AST-2021-004.html CVE-2021-26712 (Incorrect access controls in res_srtp.c in Sangoma Asterisk 13.38.1, 1 ...) @@ -4538,8 +4543,8 @@ CVE-2021-3308 (An issue was discovered in Xen 4.12.3 through 4.12.4 and 4.13.1 t NOTE: Introduced by: https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=5b58dad089880127674d460494d1a9d68109b3d7 (4.14.0-rc1) NOTE: Issue backported to 4.12.3 and 4.13.1 NOTE: Fixed by: https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=58427889f5a420cc5226f88524b3228f90b72a58 -CVE-2021-3189 - RESERVED +CVE-2021-3189 (The slashify package 1.0.0 for Node.js allows open-redirect attacks, a ...) + TODO: check CVE-2021-3188 (phpList 3.6.0 allows CSV injection, related to the email parameter, an ...) - phplist <itp> (bug #612288) CVE-2021-3187 @@ -15344,41 +15349,51 @@ CVE-2021-21158 RESERVED CVE-2021-21157 RESERVED + {DSA-4858-1} - chromium 88.0.4324.182-1 [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-21156 RESERVED + {DSA-4858-1} - chromium 88.0.4324.182-1 [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-21155 RESERVED + {DSA-4858-1} - chromium 88.0.4324.182-1 [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-21154 RESERVED + {DSA-4858-1} - chromium 88.0.4324.182-1 [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-21153 RESERVED + {DSA-4858-1} - chromium 88.0.4324.182-1 [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-21152 RESERVED + {DSA-4858-1} - chromium 88.0.4324.182-1 [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-21151 RESERVED + {DSA-4858-1} - chromium 88.0.4324.182-1 [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-21150 RESERVED + {DSA-4858-1} - chromium 88.0.4324.182-1 [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-21149 RESERVED + {DSA-4858-1} - chromium 88.0.4324.182-1 [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-21148 (Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 all ...) + {DSA-4858-1} - chromium 88.0.4324.150-1 [stretch] - chromium <end-of-life> (see DSA 4562) CVE-2021-21147 (Inappropriate implementation in Skia in Google Chrome prior to 88.0.43 ...) @@ -16751,10 +16766,10 @@ CVE-2021-20590 RESERVED CVE-2021-20589 RESERVED -CVE-2021-20588 - RESERVED -CVE-2021-20587 - RESERVED +CVE-2021-20588 (Improper handling of length parameter inconsistency vulnerability in M ...) + TODO: check +CVE-2021-20587 (Heap-based buffer overflow vulnerability in Mitsubishi Electric FA Eng ...) + TODO: check CVE-2021-20586 (Resource management errors vulnerability in a robot controller of MELF ...) NOT-FOR-US: Mitsubishi CVE-2021-20585 @@ -18175,15 +18190,14 @@ CVE-2020-35501 NOTE: https://www.openwall.com/lists/oss-security/2021/02/18/1 CVE-2020-35500 REJECTED -CVE-2020-35499 - RESERVED +CVE-2020-35499 (A NULL pointer dereference flaw in kernel versions prior to 5.11 may b ...) - linux 5.10.4-1 [buster] - linux <not-affected> (Vulnerable code introduced later) [stretch] - linux <not-affected> (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1910048 NOTE: https://git.kernel.org/linus/f6b8c6b5543983e9de29dc14716bfa4eb3f157c4 CVE-2020-35498 (A vulnerability was found in openvswitch. A limitation in the implemen ...) - {DSA-4852-1} + {DSA-4852-1 DLA-2571-1} - openvswitch 2.15.0~git20210104.def6eb1ea+dfsg1-5 (bug #982493) NOTE: master: https://github.com/openvswitch/ovs/commit/79349cbab0b2a755140eedb91833ad2760520a83 NOTE: 2.15: https://github.com/openvswitch/ovs/commit/0625dc79aec73b966f206e55655a2816696246d0 @@ -26910,8 +26924,8 @@ CVE-2020-28250 (Cellinx NVT Web Server 5.0.0.014b.test 2019-09-05 allows a remot NOT-FOR-US: Cellinx NVT Web Server CVE-2020-28249 (Joplin 1.2.6 for Desktop allows XSS via a LINK element in a note. ...) NOT-FOR-US: Joplin -CVE-2020-28248 - RESERVED +CVE-2020-28248 (An integer overflow in the PngImg::InitStorage_() function of png-img ...) + TODO: check CVE-2020-28247 (The lettre library through 0.10.0-alpha for Rust allows arbitrary send ...) NOT-FOR-US: Node lettre CVE-2020-28246 @@ -27486,8 +27500,8 @@ CVE-2020-27999 RESERVED CVE-2020-27998 (An issue was discovered in FastReport before 2020.4.0. It lacks a Scri ...) NOT-FOR-US: FastReport -CVE-2020-27997 - RESERVED +CVE-2020-27997 (An issue was discovered in SmartStoreNET before 4.1.0. Lack of Cross S ...) + TODO: check CVE-2020-27996 (An issue was discovered in SmartStoreNET before 4.0.1. It does not pro ...) NOT-FOR-US: SmartStoreNET CVE-2020-27995 (SQL Injection in Zoho ManageEngine Applications Manager 14 before 1456 ...) @@ -28074,7 +28088,7 @@ CVE-2020-27828 (There's a flaw in jasper's jpc encoder in versions prior to 2.0. NOTE: https://github.com/jasper-software/jasper/pull/253 CVE-2020-27827 [lldp: avoid memory leak from bad packets] RESERVED - {DSA-4836-1} + {DSA-4836-1 DLA-2571-1} - lldpd 1.0.8-1 [buster] - lldpd <no-dsa> (Minor issue) [stretch] - lldpd <no-dsa> (Minor issue) @@ -28203,7 +28217,7 @@ CVE-2020-27786 (A flaw was found in the Linux kernels implementation of MIDI, wh [stretch] - linux 4.9.228-1 NOTE: https://git.kernel.org/linus/c1f6e3c818dd734c30f6a7eeebf232ba2cf3181d CVE-2020-27785 - RESERVED + REJECTED CVE-2020-27784 RESERVED CVE-2020-27783 (A XSS vulnerability was discovered in python-lxml's clean module. The ...) @@ -36137,8 +36151,8 @@ CVE-2020-24619 (In mainwindow.cpp in Shotcut before 20.09.13, the upgrade check NOT-FOR-US: Shotcut CVE-2020-24618 (In JetBrains YouTrack versions before 2020.3.4313, 2020.2.11008, 2020. ...) NOT-FOR-US: JetBrains -CVE-2020-24617 - RESERVED +CVE-2020-24617 (Mailtrain through 1.24.1 allows SQL Injection in statsClickedSubscribe ...) + TODO: check CVE-2020-24616 (FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interact ...) - jackson-databind 2.12.1-1 [buster] - jackson-databind <no-dsa> (Minor issue) @@ -36641,10 +36655,10 @@ CVE-2020-24394 (In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS serv [buster] - linux 4.19.131-1 [stretch] - linux <not-affected> (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/22cf8419f1319ff87ec759d0ebdff4cbafaee832 -CVE-2020-24393 - RESERVED -CVE-2020-24392 - RESERVED +CVE-2020-24393 (TweetStream 2.6.1 uses the library eventmachine in an insecure way tha ...) + TODO: check +CVE-2020-24392 (In voloko twitter-stream 0.1.10, missing TLS hostname validation allow ...) + TODO: check CVE-2020-24391 RESERVED CVE-2020-24390 (eonweb in EyesOfNetwork before 5.3-7 does not properly escape the user ...) @@ -62380,8 +62394,8 @@ CVE-2020-12875 (Veritas APTARE versions prior to 10.4 did not perform adequate a NOT-FOR-US: Veritas CVE-2020-12874 (Veritas APTARE versions prior to 10.4 included code that bypassed the ...) NOT-FOR-US: Veritas -CVE-2020-12873 - RESERVED +CVE-2020-12873 (An issue was discovered in Alfresco Enterprise Content Management (ECM ...) + TODO: check CVE-2020-12872 (yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS ...) - erlang 1:21.2.6+dfsg-1 (low) [stretch] - erlang 1:19.2.1+dfsg-2+deb9u3 @@ -63007,8 +63021,8 @@ CVE-2020-12670 (XSS exists in Webmin 1.941 and earlier affecting the Save functi - webmin <removed> CVE-2020-12669 (core/get_menudiv.php in Dolibarr before 11.0.4 allows remote authentic ...) - dolibarr <removed> -CVE-2020-12668 - RESERVED +CVE-2020-12668 (Jinjava before 2.5.4 allow access to arbitrary classes by calling Java ...) + TODO: check CVE-2020-12667 (Knot Resolver before 5.1.1 allows traffic amplification via a crafted ...) - knot-resolver 5.1.1-0.1 (bug #961076) NOTE: https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack/ @@ -160300,6 +160314,7 @@ CVE-2018-17208 (Linksys Velop 1.1.2.187020 devices allow unauthenticated command CVE-2018-17207 (An issue was discovered in Snap Creek Duplicator before 1.2.42. By acc ...) NOT-FOR-US: Snap Creek Duplicator CVE-2018-17206 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6. The ...) + {DLA-2571-1} - openvswitch 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-1 [jessie] - openvswitch <not-affected> (Vulnerable code does not exist; no such function) NOTE: https://github.com/openvswitch/ovs/commit/5026a263d7846077eee540de42192d27da513226 (master) @@ -160314,6 +160329,7 @@ CVE-2018-17205 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7. NOTE: https://github.com/openvswitch/ovs/commit/638d406e3b647359f3d82189d7a6ee56b4a54928 (branch-2.8) NOTE: https://github.com/openvswitch/ovs/commit/0befd1f3745055c32940f5faf9559be6a14395e6 (branch-2.7) CVE-2018-17204 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, aff ...) + {DLA-2571-1} - openvswitch 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-1 [jessie] - openvswitch <not-affected> (Vulnerable code does not exist; no such function) NOTE: https://github.com/openvswitch/ovs/commit/9740d81d94888cb158fa99a9366fe2b32b3e4aaa (master) @@ -232848,6 +232864,7 @@ CVE-2017-9216 (libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and Ghos CVE-2017-9215 RESERVED CVE-2017-9214 (In Open vSwitch (OvS) 2.7.0, while parsing an OFPT_QUEUE_GET_CONFIG_RE ...) + {DLA-2571-1} [experimental] - openvswitch 2.8.1+dfsg1-1 - openvswitch 2.8.1+dfsg1-2 (bug #863228) [jessie] - openvswitch <not-affected> (Vulnerable code not present) @@ -292986,7 +293003,7 @@ CVE-2013-7445 (The Direct Rendering Manager (DRM) subsystem in the Linux kernel - linux-2.6 <removed> NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=60533 CVE-2015-8011 (Buffer overflow in the lldp_decode function in daemon/protocols/lldp.c ...) - {DSA-4836-1} + {DSA-4836-1 DLA-2571-1} - lldpd 0.7.19-1 [jessie] - lldpd 0.7.11-2+deb8u1 [wheezy] - lldpd <not-affected> (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b536ad2a399608743c1836a36933f126f10fb82e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b536ad2a399608743c1836a36933f126f10fb82e You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits