Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: f3ac9d21 by security tracker role at 2021-04-05T20:10:20+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -1,3 +1,7 @@ +CVE-2021-30129 + RESERVED +CVE-2021-30128 + RESERVED CVE-2021-30127 (TerraMaster F2-210 devices through 2021-04-03 use UPnP to make the adm ...) TODO: check CVE-2021-30126 (Lightmeter ControlCenter 1.1.0 through 1.5.x before 1.5.1 allows anyon ...) @@ -34,8 +38,8 @@ CVE-2021-30111 RESERVED CVE-2021-30110 RESERVED -CVE-2021-30109 - RESERVED +CVE-2021-30109 (Froala Editor 3.2.6 is affected by Cross Site Scripting (XSS). Under c ...) + TODO: check CVE-2021-30108 RESERVED CVE-2021-30107 @@ -136,14 +140,14 @@ CVE-2021-30060 RESERVED CVE-2021-30059 RESERVED -CVE-2021-30058 - RESERVED -CVE-2021-30057 - RESERVED -CVE-2021-30056 - RESERVED -CVE-2021-30055 - RESERVED +CVE-2021-30058 (Knowage Suite before 7.4 is vulnerable to cross-site scripting (XSS). ...) + TODO: check +CVE-2021-30057 (A stored HTML injection vulnerability exists in Knowage Suite version ...) + TODO: check +CVE-2021-30056 (Knowage Suite before 7.4 is vulnerable to reflected cross-site scripti ...) + TODO: check +CVE-2021-30055 (A SQL injection vulnerability in Knowage Suite version 7.1 exists in t ...) + TODO: check CVE-2021-30054 RESERVED CVE-2021-30053 @@ -259,8 +263,8 @@ CVE-2021-29998 RESERVED CVE-2021-29997 RESERVED -CVE-2021-29996 - RESERVED +CVE-2021-29996 (Mark Text through 0.16.3 allows attackers arbitrary command execution. ...) + TODO: check CVE-2021-29995 RESERVED CVE-2021-29994 @@ -4460,6 +4464,7 @@ CVE-2021-28374 (The Debian courier-authlib package before 0.71.1-2 for Courier A NOTE: debian/courier-authdaemon.tmpfiles in 0.66.4-2. CVE-2021-3426 [Running `pydoc -p` allows other local users to extract arbitrary files. The `/getfile?key=path` URL allows to read arbitrary file on the filesystem.] RESERVED + {DLA-2619-1} [experimental] - python3.9 3.9.3-1 - python3.9 <unfixed> [bullseye] - python3.9 <no-dsa> (Minor issue) @@ -11225,6 +11230,7 @@ CVE-2021-3178 (** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10 NOTE: https://patchwork.kernel.org/project/linux-nfs/patch/20210111210129.ga11...@fieldses.org/ NOTE: Disputed/mild security relevance/impact CVE-2021-3177 (Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctyp ...) + {DLA-2619-1} - python3.9 3.9.1-3 - python3.8 <removed> - python3.7 <removed> @@ -13565,30 +13571,30 @@ CVE-2021-24214 RESERVED CVE-2021-24213 RESERVED -CVE-2021-24212 - RESERVED -CVE-2021-24211 - RESERVED -CVE-2021-24210 - RESERVED -CVE-2021-24209 - RESERVED -CVE-2021-24208 - RESERVED -CVE-2021-24207 - RESERVED -CVE-2021-24206 - RESERVED -CVE-2021-24205 - RESERVED -CVE-2021-24204 - RESERVED -CVE-2021-24203 - RESERVED -CVE-2021-24202 - RESERVED -CVE-2021-24201 - RESERVED +CVE-2021-24212 (The WooCommerce Help Scout WordPress plugin before 2.9.1 (https://wooc ...) + TODO: check +CVE-2021-24211 (The WordPress Related Posts plugin through 3.6.4 contains an authentic ...) + TODO: check +CVE-2021-24210 (There is an open redirect in the PhastPress WordPress plugin before 1. ...) + TODO: check +CVE-2021-24209 (The WP Super Cache WordPress plugin before 1.7.2 was affected by an au ...) + TODO: check +CVE-2021-24208 (The editor of the WP Page Builder WordPress plugin before 1.2.4 allows ...) + TODO: check +CVE-2021-24207 (By default, the WP Page Builder WordPress plugin before 1.2.4 allows s ...) + TODO: check +CVE-2021-24206 (In the Elementor Website Builder WordPress plugin before 3.1.4, the im ...) + TODO: check +CVE-2021-24205 (In the Elementor Website Builder WordPress plugin before 3.1.4, the ic ...) + TODO: check +CVE-2021-24204 (In the Elementor Website Builder WordPress plugin before 3.1.4, the ac ...) + TODO: check +CVE-2021-24203 (In the Elementor Website Builder WordPress plugin before 3.1.4, the di ...) + TODO: check +CVE-2021-24202 (In the Elementor Website Builder WordPress plugin before 3.1.4, the he ...) + TODO: check +CVE-2021-24201 (In the Elementor Website Builder WordPress plugin before 3.1.4, the co ...) + TODO: check CVE-2021-24200 RESERVED CVE-2021-24199 @@ -13597,8 +13603,8 @@ CVE-2021-24198 RESERVED CVE-2021-24197 RESERVED -CVE-2021-24196 - RESERVED +CVE-2021-24196 (The Social Slider Widget WordPress plugin before 1.8.5 allowed Authent ...) + TODO: check CVE-2021-24195 RESERVED CVE-2021-24194 @@ -13615,82 +13621,82 @@ CVE-2021-24189 RESERVED CVE-2021-24188 RESERVED -CVE-2021-24187 - RESERVED -CVE-2021-24186 - RESERVED -CVE-2021-24185 - RESERVED -CVE-2021-24184 - RESERVED -CVE-2021-24183 - RESERVED -CVE-2021-24182 - RESERVED -CVE-2021-24181 - RESERVED -CVE-2021-24180 - RESERVED +CVE-2021-24187 (The setting page of the SEO Redirection Plugin – 301 Redirect Ma ...) + TODO: check +CVE-2021-24186 (The tutor_answering_quiz_question/get_answer_by_id function pair from ...) + TODO: check +CVE-2021-24185 (The tutor_place_rating AJAX action from the Tutor LMS – eLearnin ...) + TODO: check +CVE-2021-24184 (Several AJAX endpoints in the Tutor LMS – eLearning and online c ...) + TODO: check +CVE-2021-24183 (The tutor_quiz_builder_get_question_form AJAX action from the Tutor LM ...) + TODO: check +CVE-2021-24182 (The tutor_quiz_builder_get_answers_by_question AJAX action from the Tu ...) + TODO: check +CVE-2021-24181 (The tutor_mark_answer_as_correct AJAX action from the Tutor LMS – ...) + TODO: check +CVE-2021-24180 (Unvalidated input and lack of output encoding within the Related Posts ...) + TODO: check CVE-2021-24179 RESERVED CVE-2021-24178 RESERVED -CVE-2021-24177 - RESERVED -CVE-2021-24176 - RESERVED -CVE-2021-24175 - RESERVED -CVE-2021-24174 - RESERVED -CVE-2021-24173 - RESERVED -CVE-2021-24172 - RESERVED -CVE-2021-24171 - RESERVED -CVE-2021-24170 - RESERVED -CVE-2021-24169 - RESERVED -CVE-2021-24168 - RESERVED -CVE-2021-24167 - RESERVED -CVE-2021-24166 - RESERVED -CVE-2021-24165 - RESERVED -CVE-2021-24164 - RESERVED -CVE-2021-24163 - RESERVED -CVE-2021-24162 - RESERVED -CVE-2021-24161 - RESERVED -CVE-2021-24160 - RESERVED -CVE-2021-24159 - RESERVED -CVE-2021-24158 - RESERVED -CVE-2021-24157 - RESERVED -CVE-2021-24156 - RESERVED -CVE-2021-24155 - RESERVED -CVE-2021-24154 - RESERVED -CVE-2021-24153 - RESERVED -CVE-2021-24152 - RESERVED +CVE-2021-24177 (In the default configuration of the File Manager WordPress plugin befo ...) + TODO: check +CVE-2021-24176 (The JH 404 Logger WordPress plugin through 1.1 doesn't sanitise the re ...) + TODO: check +CVE-2021-24175 (The Plus Addons for Elementor Page Builder WordPress plugin before 4.1 ...) + TODO: check +CVE-2021-24174 (The Database Backups WordPress plugin through 1.2.2.6 does not have CS ...) + TODO: check +CVE-2021-24173 (The VM Backups WordPress plugin through 1.0 does not have CSRF checks, ...) + TODO: check +CVE-2021-24172 (The VM Backups WordPress plugin through 1.0 does not have CSRF checks, ...) + TODO: check +CVE-2021-24171 (The WooCommerce Upload Files WordPress plugin before 59.4 ran a single ...) + TODO: check +CVE-2021-24170 (The REST API endpoint get_users in the User Profile Picture WordPress ...) + TODO: check +CVE-2021-24169 (This Advanced Order Export For WooCommerce WordPress plugin before 3.1 ...) + TODO: check +CVE-2021-24168 (The Easy Contact Form Pro WordPress plugin before 1.1.1.9 did not prop ...) + TODO: check +CVE-2021-24167 (When visiting a site running Web-Stat < 1.4.0, the "wts_web_stat_lo ...) + TODO: check +CVE-2021-24166 (The wp_ajax_nf_oauth_disconnect from the Ninja Forms Contact Form R ...) + TODO: check +CVE-2021-24165 (In the Ninja Forms Contact Form WordPress plugin before 3.4.34, the wp ...) + TODO: check +CVE-2021-24164 (In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low- ...) + TODO: check +CVE-2021-24163 (The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, di ...) + TODO: check +CVE-2021-24162 (In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, a ...) + TODO: check +CVE-2021-24161 (In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, a ...) + TODO: check +CVE-2021-24160 (In the Reponsive Menu (free and Pro) WordPress plugins before 4.0.4, s ...) + TODO: check +CVE-2021-24159 (Due to the lack of sanitization and lack of nonce protection on the cu ...) + TODO: check +CVE-2021-24158 (Orbit Fox by ThemeIsle has a feature to add a registration form to bot ...) + TODO: check +CVE-2021-24157 (Orbit Fox by ThemeIsle has a feature to add custom scripts to the head ...) + TODO: check +CVE-2021-24156 (Stored Cross-Site Scripting vulnerabilities in Testimonial Rotator 3.0 ...) + TODO: check +CVE-2021-24155 (The WordPress Backup and Migrate Plugin – Backup Guard WordPress ...) + TODO: check +CVE-2021-24154 (The Theme Editor WordPress plugin before 2.6 did not validate the GET ...) + TODO: check +CVE-2021-24153 (A Stored Cross-Site Scripting vulnerability was discovered in the Yoas ...) + TODO: check +CVE-2021-24152 (The "All Subscribers" setting page of Popup Builder was vulnerable to ...) + TODO: check CVE-2021-24151 RESERVED -CVE-2021-24150 - RESERVED +CVE-2021-24150 (The LikeBtn WordPress Like Button Rating ♥ LikeBtn WordPress plu ...) + TODO: check CVE-2021-24149 (Unvalidated input in the Modern Events Calendar Lite WordPress plugin, ...) NOT-FOR-US: Modern Events Calendar Lite WordPress plugin CVE-2021-24148 (A business logic issue in the MStore API WordPress plugin, versions be ...) @@ -15570,7 +15576,7 @@ CVE-2021-23337 (Lodash versions prior to 4.17.21 are vulnerable to Command Injec [stretch] - node-lodash <end-of-life> (Nodejs in stretch not covered by security support) NOTE: https://snyk.io/vuln/SNYK-JS-LODASH-1040724 CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 3.7.0 and be ...) - {DLA-2569-1} + {DLA-2619-1 DLA-2569-1} - python-django 2:2.2.19-1 (bug #983090) [buster] - python-django <no-dsa> (Minor issue; can be fixed via point release) - python3.9 3.9.2-1 @@ -20915,6 +20921,7 @@ CVE-2021-21411 (OAuth2-Proxy is an open source reverse proxy that provides authe CVE-2021-21410 RESERVED CVE-2021-21409 (Netty is an open-source, asynchronous event-driven network application ...) + {DSA-4885-1} - netty 1:4.1.48-4 (bug #986217) [stretch] - netty <ignored> (Minor issue, fix requires major changes of HTTP2 module) NOTE: Fixed by: https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432 @@ -21203,6 +21210,7 @@ CVE-2021-21297 (Node-Red is a low-code programming for event-driven applications CVE-2021-21296 (Fleet is an open source osquery manager. In Fleet before version 3.7.0 ...) NOT-FOR-US: Fleet CVE-2021-21295 (Netty is an open-source, asynchronous event-driven network application ...) + {DSA-4885-1} - netty 1:4.1.48-3 (bug #984948) [stretch] - netty <ignored> (Minor issue, fix requires major changes of HTTP2 module) NOTE: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj @@ -21216,7 +21224,7 @@ CVE-2021-21292 (Traccar is an open source GPS tracking system. In Traccar before CVE-2021-21291 (OAuth2 Proxy is an open-source reverse proxy and static file server th ...) - oauth2-proxy <itp> (bug #982891) CVE-2021-21290 (Netty is an open-source, asynchronous event-driven network application ...) - {DLA-2555-1} + {DSA-4885-1 DLA-2555-1} - netty 1:4.1.48-2 (bug #982580) NOTE: https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2 NOTE: https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec @@ -73376,7 +73384,7 @@ CVE-2020-11614 (Mids' Reborn Hero Designer 2.6.0.7 downloads the update manifest CVE-2020-11613 (Mids' Reborn Hero Designer 2.6.0.7 has an elevation of privilege vulne ...) NOT-FOR-US: Mids' Reborn Hero Designer CVE-2020-11612 (The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memo ...) - {DLA-2364-1} + {DSA-4885-1 DLA-2364-1} - netty 1:4.1.48-1 [jessie] - netty <ignored> (OOM DoS with fix/mitigation involving new API; too intrusive to backport due to more limited 3.x buffer API) NOTE: https://github.com/netty/netty/issues/6168 @@ -81979,7 +81987,7 @@ CVE-2020-8434 (Jenzabar JICS (aka Internet Campus Solution) before 9.0.1 Patch 3 CVE-2020-8433 RESERVED CVE-2019-20445 (HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length ...) - {DLA-2365-1 DLA-2364-1 DLA-2110-1 DLA-2109-1} + {DSA-4885-1 DLA-2365-1 DLA-2364-1 DLA-2110-1 DLA-2109-1} - netty 1:4.1.45-1 (bug #950967) - netty-3.9 <removed> NOTE: https://github.com/netty/netty/issues/9861 @@ -81987,7 +81995,7 @@ CVE-2019-20445 (HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-L NOTE: https://github.com/netty/netty/commit/629034624626b722128e0fcc6b3ec9d406cb3706 (4.1) NOTE: https://github.com/netty/netty/commit/5f68897880467c00f29495b0aa46ed19bf7a873c (tests) CVE-2019-20444 (HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header th ...) - {DLA-2365-1 DLA-2364-1 DLA-2110-1 DLA-2109-1} + {DSA-4885-1 DLA-2365-1 DLA-2364-1 DLA-2110-1 DLA-2109-1} - netty 1:4.1.45-1 (bug #950966) - netty-3.9 <removed> NOTE: https://github.com/netty/netty/issues/9866 @@ -84930,7 +84938,7 @@ CVE-2019-20382 (QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc NOTE: https://www.openwall.com/lists/oss-security/2020/03/05/1 NOTE: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=6bf21f3d83e95bcc4ba35a7a07cc6655e8b010b0 CVE-2020-7238 (Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles ...) - {DLA-2364-1 DLA-2110-1 DLA-2109-1} + {DSA-4885-1 DLA-2364-1 DLA-2110-1 DLA-2109-1} - netty 1:4.1.45-1 (bug #950967) - netty-3.9 <removed> [stretch] - netty-3.9 <not-affected> (Incomplete fix for CVE-2019-16869 was not applied) @@ -91093,8 +91101,8 @@ CVE-2020-4999 RESERVED CVE-2020-4998 RESERVED -CVE-2020-4997 - RESERVED +CVE-2020-4997 (IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scr ...) + TODO: check CVE-2020-4996 (IBM Security Identity Governance and Intelligence 5.2.6 could allow a ...) NOT-FOR-US: IBM CVE-2020-4995 (IBM Security Identity Governance and Intelligence 5.2.6 does not inval ...) @@ -91503,8 +91511,8 @@ CVE-2020-4794 (IBM Automation Workstream Services 19.0.3, 20.0.1, 20.0.2, IBM Bu NOT-FOR-US: IBM CVE-2020-4793 RESERVED -CVE-2020-4792 - RESERVED +CVE-2020-4792 (IBM Edge 4.2 is vulnerable to cross-site scripting. This vulnerability ...) + TODO: check CVE-2020-4791 (IBM Security Identity Governance and Intelligence 5.2.6 could allow an ...) NOT-FOR-US: IBM CVE-2020-4790 (IBM Security Identity Governance and Intelligence 5.2.6 could allow a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3ac9d216c27ab62e093208ba9d3d1b880bceb16 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3ac9d216c27ab62e093208ba9d3d1b880bceb16 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits