Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
fb29a3ea by security tracker role at 2021-06-02T20:10:22+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,29 @@
+CVE-2021-3577
+ RESERVED
+CVE-2021-3576
+ RESERVED
+CVE-2021-3575
+ RESERVED
+CVE-2021-3574
+ RESERVED
+CVE-2021-33804
+ RESERVED
+CVE-2021-33803
+ RESERVED
+CVE-2021-33802
+ RESERVED
+CVE-2021-33801
+ RESERVED
+CVE-2021-33800
+ RESERVED
+CVE-2021-33799
+ RESERVED
+CVE-2021-33798
+ RESERVED
+CVE-2021-33797
+ RESERVED
+CVE-2021-33796
+ RESERVED
CVE-2021-3573
RESERVED
CVE-2021-33795
@@ -2713,8 +2739,7 @@ CVE-2021-32576
CVE-2021-32606 (In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in
net/can/i ...)
- linux <not-affected> (Vulnerable code introduced later)
NOTE: https://www.openwall.com/lists/oss-security/2021/05/11/16
-CVE-2021-3545 [vhost-user-gpu: information disclosure due to uninitialized
memory read]
- RESERVED
+CVE-2021-3545 (An information disclosure vulnerability was found in the virtio
vhost- ...)
- qemu <unfixed> (bug #989042)
[bullseye] - qemu <no-dsa> (Minor issue)
[buster] - qemu <no-dsa> (Minor issue)
@@ -2722,8 +2747,7 @@ CVE-2021-3545 [vhost-user-gpu: information disclosure due
to uninitialized memor
NOTE:
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01155.html
NOTE:
https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01153.html
NOTE: https://gitlab.com/qemu-project/qemu/-/commit/121841b2
-CVE-2021-3544 [vhost-user-gpu: multiple memory leaks]
- RESERVED
+CVE-2021-3544 (Several memory leaks were found in the virtio vhost-user GPU
device (v ...)
- qemu <unfixed> (bug #989042)
[bullseye] - qemu <no-dsa> (Minor issue)
[buster] - qemu <no-dsa> (Minor issue)
@@ -2951,8 +2975,7 @@ CVE-2021-32563 (An issue was discovered in Thunar before
4.16.7 and 4.17.x befor
NOTE: Fixed by:
https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b
NOTE: Regression fix:
https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664
NOTE: Regression: https://gitlab.xfce.org/xfce/thunar/-/issues/575
-CVE-2021-3546
- RESERVED
+CVE-2021-3546 (A flaw was found in vhost-user-gpu of QEMU in versions up to
and inclu ...)
- qemu <unfixed> (bug #989042)
[bullseye] - qemu <no-dsa> (Minor issue)
[buster] - qemu <no-dsa> (Minor issue)
@@ -3808,8 +3831,7 @@ CVE-2021-32078
RESERVED
CVE-2021-3539
RESERVED
-CVE-2021-3538
- RESERVED
+CVE-2021-3538 (A flaw was found in github.com/satori/go.uuid in versions from
commit ...)
- golang-github-satori-go.uuid <not-affected> (Vulnerable code
introduced later and not in any released version)
NOTE: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488
NOTE: Possibly introduced by:
https://github.com/satori/go.uuid/commit/0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c
@@ -4091,8 +4113,7 @@ CVE-2021-3531 (A flaw was found in the Red Hat Ceph
Storage RGW in versions befo
NOTE: Nautilus:
https://github.com/ceph/ceph/commit/f44a8ae8aa27ecef69528db9aec220f12492810e
NOTE: Octopus:
https://github.com/ceph/ceph/commit/b87e64e3206210580f4a6df2d77f9ae3f1033039
NOTE: Pacific:
https://github.com/ceph/ceph/commit/bf06990ab41d7ac299e4441ad9cd434e926a18e7
-CVE-2021-3530
- RESERVED
+CVE-2021-3530 (A flaw was discovered in GNU libiberty within demangle_path()
in rust- ...)
- binutils <unfixed> (unimportant)
NOTE: https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1925348
NOTE: binutils not covered by security support
@@ -4128,8 +4149,7 @@ CVE-2021-31997
RESERVED
CVE-2021-31996 (An issue was discovered in the algorithmica crate through
2021-03-07 f ...)
NOT-FOR-US: Rust crate algorithmica
-CVE-2021-3529
- RESERVED
+CVE-2021-3529 (A flaw was found in noobaa-core in versions before 5.7.0. This
flaw re ...)
NOT-FOR-US: noobaa
CVE-2021-31995
RESERVED
@@ -4306,8 +4326,7 @@ CVE-2021-3524 (A flaw was found in the Red Hat Ceph
Storage RadosGW (Ceph Object
NOTE: Fixed by:
https://github.com/ceph/ceph/commit/763aebb94678018f89427137ffbc0c5205b1edc1
CVE-2021-3523
RESERVED
-CVE-2021-31921
- RESERVED
+CVE-2021-31921 (Istio before 1.8.6 and 1.9.x before 1.9.5, when a gateway is
using the ...)
NOT-FOR-US: Istio
CVE-2021-31920 (Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely
exploitable v ...)
NOT-FOR-US: Istio
@@ -4463,8 +4482,7 @@ CVE-2020-36327 (Bundler 1.16.0 through 2.2.9 and 2.2.11
through 2.2.16 sometimes
NOTE: https://github.com/rubygems/rubygems/issues/3982
CVE-2021-3521
RESERVED
-CVE-2021-3520 [memory corruption due to an integer overflow bug caused by
memmove argument]
- RESERVED
+CVE-2021-3520 (There's a flaw in lz4. An attacker who submits a crafted file
to an ap ...)
{DSA-4919-1 DLA-2657-1}
- lz4 1.9.3-2 (bug #987856)
NOTE: https://github.com/lz4/lz4/pull/972
@@ -4511,8 +4529,8 @@ CVE-2021-31857
RESERVED
CVE-2021-31856 (A SQL Injection vulnerability in the REST API in Layer5
Meshery 0.5.2 ...)
NOT-FOR-US: Layer Meshery
-CVE-2021-31855
- RESERVED
+CVE-2021-31855 (KDE Messagelib through 5.17.0 reveals cleartext of encrypted
messages ...)
+ TODO: check
CVE-2021-31854
RESERVED
CVE-2021-31853
@@ -6052,8 +6070,7 @@ CVE-2021-31215 (SchedMD Slurm before 20.02.7 and 20.03.x
through 20.11.x before
- slurm-llnl <removed>
[stretch] - slurm-llnl <not-affected> (env is already SPANKed)
NOTE:
https://github.com/SchedMD/slurm/commit/a9e9e2fedbd200ca545ab67dd753bd52c919f236
(2.11.7)
-CVE-2021-3499
- RESERVED
+CVE-2021-3499 (A vulnerability was found in OVN Kubernetes in versions up to
and incl ...)
NOT-FOR-US: Openshift/ovn-kubernetes
CVE-2021-31214 (Visual Studio Code Remote Code Execution Vulnerability This
CVE ID is ...)
NOT-FOR-US: Microsoft
@@ -7255,8 +7272,7 @@ CVE-2021-XXXX [out of bounds reads in ASF demuxer]
NOTE:
https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues/37
NOTE:
https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/commit/3aba7d1e625554b2407bc77b3d09b4928b937d5f
(master)
NOTE:
https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/commit/9726aaf78e6643a5955864f444852423de58de29
(1.18.4)
-CVE-2021-3522 [invalid reads during ID3v2 tag parsing]
- RESERVED
+CVE-2021-3522 (GStreamer before 1.18.4 may perform an out-of-bounds read when
handlin ...)
{DSA-4903-1 DLA-2641-1}
- gst-plugins-base1.0 1.18.4-2
NOTE:
https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues/876
@@ -7809,8 +7825,8 @@ CVE-2021-3486 (GLPi 9.5.4 does not sanitize the metadata.
This way its possible
NOTE:
https://github.com/Kitsun3Sec/exploits/tree/master/cms/GLPI/GLPI-stored-XSS
CVE-2021-30475
RESERVED
-CVE-2021-30474
- RESERVED
+CVE-2021-30474 (aom_dsp/grain_table.c in libaom in AOMedia before 2021-03-30
has a use ...)
+ TODO: check
CVE-2021-30473 (aom_image.c in libaom in AOMedia before 2021-04-07 frees
memory that i ...)
- aom <unfixed> (bug #988211)
NOTE:
https://aomedia.googlesource.com/aom/+/4efe20e99dcd9b6f8eadc8de8acc825be7416578
@@ -8993,6 +9009,7 @@ CVE-2021-29968
RESERVED
CVE-2021-29967
RESERVED
+ {DSA-4925-1}
- firefox-esr 78.11.0esr-1
- firefox 89.0-1
NOTE:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-24/#CVE-2021-29967
@@ -10793,8 +10810,7 @@ CVE-2021-3470 (A heap overflow issue was found in Redis
in versions before 5.0.1
CVE-2021-3469
RESERVED
- foreman <itp> (bug #663101)
-CVE-2021-3468 [Local DoS by event-busy-loop from writing long lines to
/run/avahi-daemon/socket]
- RESERVED
+CVE-2021-3468 (A flaw was found in avahi in versions 0.6 up to 0.8. The event
used to ...)
- avahi <unfixed> (bug #984938)
[bullseye] - avahi <no-dsa> (Minor issue)
[buster] - avahi <no-dsa> (Minor issue)
@@ -12109,32 +12125,28 @@ CVE-2021-28680
RESERVED
CVE-2021-28679
RESERVED
-CVE-2021-28678
- RESERVED
+CVE-2021-28678 (An issue was discovered in Pillow before 8.2.0. For BLP data,
BlpImage ...)
[experimental] - pillow 8.2.0-1
- pillow <unfixed> (bug #989062)
[buster] - pillow <no-dsa> (Minor issue)
[stretch] - pillow <no-dsa> (Minor issue)
NOTE:
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos
NOTE:
https://github.com/python-pillow/Pillow/commit/496245aa4365d0827390bd0b6fbd11287453b3a1
-CVE-2021-28677
- RESERVED
+CVE-2021-28677 (An issue was discovered in Pillow before 8.2.0. For EPS data,
the read ...)
[experimental] - pillow 8.2.0-1
- pillow <unfixed> (bug #989062)
[buster] - pillow <no-dsa> (Minor issue)
[stretch] - pillow <no-dsa> (Minor issue)
NOTE:
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open
NOTE:
https://github.com/python-pillow/Pillow/commit/5a5e6db0abf4e7a638fb1b3408c4e495a096cb92
-CVE-2021-28676
- RESERVED
+CVE-2021-28676 (An issue was discovered in Pillow before 8.2.0. For FLI data,
FliDecod ...)
[experimental] - pillow 8.2.0-1
- pillow <unfixed> (bug #989062)
[buster] - pillow <no-dsa> (Minor issue)
[stretch] - pillow <no-dsa> (Minor issue)
NOTE:
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos
NOTE:
https://github.com/python-pillow/Pillow/commit/bb6c11fb889e6c11b0ee122b828132ee763b5856
-CVE-2021-28675
- RESERVED
+CVE-2021-28675 (An issue was discovered in Pillow before 8.2.0.
PSDImagePlugin.PsdImag ...)
[experimental] - pillow 8.2.0-1
- pillow <unfixed> (bug #989062)
[buster] - pillow <no-dsa> (Minor issue)
@@ -16182,7 +16194,7 @@ CVE-2021-26942
CVE-2021-26941
RESERVED
CVE-2021-26940
- RESERVED
+ REJECTED
CVE-2021-26939 (** DISPUTED ** An information disclosure issue exists in
henriquedorna ...)
NOT-FOR-US: henriquedornas
CVE-2021-26938 (** DISPUTED ** A stored XSS issue exists in henriquedornas
5.2.17 via ...)
@@ -16781,8 +16793,7 @@ CVE-2021-26710 (A cross-site scripting (XSS) issue in
the login panel in Redwood
NOT-FOR-US: Redwood Report2Web
CVE-2021-26709 (** UNSUPPORTED WHEN ASSIGNED ** D-Link DSL-320B-D1 devices
through EU_ ...)
NOT-FOR-US: D-Link
-CVE-2021-26707
- RESERVED
+CVE-2021-26707 (The merge-deep library before 3.0.3 for Node.js can be tricked
into ov ...)
NOT-FOR-US: Node deep-merge
CVE-2020-36241 (autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as
used by GNO ...)
- gnome-autoar 0.2.4-3 (bug #982737)
@@ -20439,16 +20450,14 @@ CVE-2021-25289 (An issue was discovered in Pillow
before 8.1.1. TiffDecode has a
[stretch] - pillow <not-affected> (Vulnerable code not present)
NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
NOTE:
https://github.com/python-pillow/Pillow/commit/cbfdde7b1f2295059a20a539ee9960f0bec7b299
-CVE-2021-25288
- RESERVED
+CVE-2021-25288 (An issue was discovered in Pillow before 8.2.0. There is an
out-of-bou ...)
[experimental] - pillow 8.2.0-1
- pillow <unfixed> (bug #989062)
[buster] - pillow <no-dsa> (Minor issue)
[stretch] - pillow <no-dsa> (Minor issue)
NOTE:
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode
NOTE:
https://github.com/python-pillow/Pillow/commit/3bf5eddb89afdf690eceaa52bc4d3546ba9a5f87
-CVE-2021-25287
- RESERVED
+CVE-2021-25287 (An issue was discovered in Pillow before 8.2.0. There is an
out-of-bou ...)
[experimental] - pillow 8.2.0-1
- pillow <unfixed> (bug #989062)
[buster] - pillow <no-dsa> (Minor issue)
@@ -23131,8 +23140,8 @@ CVE-2021-24014
RESERVED
CVE-2021-24013
RESERVED
-CVE-2021-24012
- RESERVED
+CVE-2021-24012 (An improper following of a certificate's chain of trust
vulnerability ...)
+ TODO: check
CVE-2021-24011 (A privilege escalation vulnerability in FortiNAC version below
8.8.2 m ...)
NOT-FOR-US: Fortiguard
CVE-2021-24010
@@ -23568,12 +23577,12 @@ CVE-2021-3127 (NATS Server 2.x before 2.2.0 and JWT
library before 2.0.1 have In
NOT-FOR-US: nats-server
CVE-2021-3126
RESERVED
-CVE-2021-23896
- RESERVED
-CVE-2021-23895
- RESERVED
-CVE-2021-23894
- RESERVED
+CVE-2021-23896 (Cleartext Transmission of Sensitive Information vulnerability
in the a ...)
+ TODO: check
+CVE-2021-23895 (Deserialization of untrusted data vulnerability in McAfee
Database Sec ...)
+ TODO: check
+CVE-2021-23894 (Deserialization of untrusted data vulnerability in McAfee
Database Sec ...)
+ TODO: check
CVE-2021-23893
RESERVED
CVE-2021-23892 (By exploiting a time of check to time of use (TOCTOU) race
condition d ...)
@@ -26585,7 +26594,7 @@ CVE-2021-22545
RESERVED
CVE-2021-22544
RESERVED
-CVE-2021-22543 (An issue was discovered in the Linux: KVM through Improper
handling of ...)
+CVE-2021-22543 (An issue was discovered in Linux: KVM through Improper
handling of VM_ ...)
- linux <unfixed>
NOTE: https://www.openwall.com/lists/oss-security/2021/05/26/3
NOTE:
https://github.com/google/security-research/security/advisories/GHSA-7wq5-phmq-m584
@@ -32994,12 +33003,14 @@ CVE-2021-20315
CVE-2021-20314
RESERVED
CVE-2021-20313 (A flaw was found in ImageMagick in versions before 7.0.11. A
potential ...)
+ {DLA-2672-1}
- imagemagick <unfixed>
[bullseye] - imagemagick <no-dsa> (Minor issue)
[buster] - imagemagick <ignored> (Minor issue)
NOTE:
https://github.com/ImageMagick/ImageMagick/commit/70aa86f5d5d8aa605a918ed51f7574f433a18482
NOTE: IM6:
https://github.com/ImageMagick/ImageMagick6/commit/e53e24b078f7fa586f9cc910491b8910f5bdad2e
CVE-2021-20312 (A flaw was found in ImageMagick in versions 7.0.11, where an
integer o ...)
+ {DLA-2672-1}
- imagemagick <unfixed>
[bullseye] - imagemagick <ignored> (Minor issue)
[buster] - imagemagick <ignored> (Minor issue)
@@ -33013,6 +33024,7 @@ CVE-2021-20310 (A flaw was found in ImageMagick in
versions before 7.0.11, where
NOTE: https://github.com/ImageMagick/ImageMagick/issues/3295
NOTE:
https://github.com/ImageMagick/ImageMagick/commit/75f6f5032690077cae3eaeda3c0165cc765eaeb5
CVE-2021-20309 (A flaw was found in ImageMagick in versions before 7.0.11 and
before 6 ...)
+ {DLA-2672-1}
- imagemagick <unfixed>
[bullseye] - imagemagick <ignored> (Minor issue)
[buster] - imagemagick <ignored> (Minor issue)
@@ -33303,6 +33315,7 @@ CVE-2021-20246 (A flaw was found in ImageMagick in
MagickCore/resample.c. An att
NOTE: ImageMagick:
https://github.com/ImageMagick/ImageMagick/commit/8d25d94a363b104acd6ff23df7470aeedb806c51
NOTE: ImageMagick6:
https://github.com/ImageMagick/ImageMagick6/commit/f3190d4a6e6e8556575c84b5d976f77d111caa74
CVE-2021-20245 (A flaw was found in ImageMagick in coders/webp.c. An attacker
who subm ...)
+ {DLA-2672-1}
- imagemagick <unfixed>
[bullseye] - imagemagick <ignored> (Minor issue)
[buster] - imagemagick <ignored> (Minor issue)
@@ -33318,6 +33331,7 @@ CVE-2021-20244 (A flaw was found in ImageMagick in
MagickCore/visual-effects.c.
NOTE: ImageMagick:
https://github.com/ImageMagick/ImageMagick/commit/329dd528ab79531d884c0ba131e97d43f872ab5d
NOTE: In IM6 the code seems to be in magick/fx.c
CVE-2021-20243 (A flaw was found in ImageMagick in MagickCore/resize.c. An
attacker wh ...)
+ {DLA-2672-1}
- imagemagick <unfixed>
[bullseye] - imagemagick <ignored> (Minor issue)
[buster] - imagemagick <ignored> (Minor issue)
@@ -33992,8 +34006,7 @@ CVE-2020-35516
RESERVED
CVE-2020-35515
RESERVED
-CVE-2020-35514
- RESERVED
+CVE-2020-35514 (An insecure modification flaw in the
/etc/kubernetes/kubeconfig file w ...)
NOT-FOR-US: OpenShift
CVE-2020-35513 (A flaw incorrect umask during file or directory modification
in the Li ...)
- linux 4.16.5-1
@@ -34011,8 +34024,7 @@ CVE-2020-35512 (A use-after-free flaw was found in
D-Bus Development branch <
NOTE:
https://gitlab.freedesktop.org/dbus/dbus/-/commit/dc94fe3d31adf72259adc31f343537151a6c0bdd
(dbus-1.10.32)
CVE-2020-35511
RESERVED
-CVE-2020-35510
- RESERVED
+CVE-2020-35510 (A flaw was found in jboss-remoting in versions before
5.0.20.SP1-redha ...)
- libjboss-remoting-java <removed>
CVE-2020-35509
RESERVED
@@ -34049,8 +34061,7 @@ CVE-2020-35504 (A NULL pointer dereference flaw was
found in the SCSI emulation
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
NOTE: https://bugs.launchpad.net/qemu/+bug/1910723 (reproducer)
NOTE:
https://lists.gnu.org/archive/html/qemu-devel/2020-12/msg06065.html
-CVE-2020-35503 [QEMU: NULL pointer dereference issue in megasas-gen2 host bus
adapter]
- RESERVED
+CVE-2020-35503 (A NULL pointer dereference flaw was found in the megasas-gen2
SCSI hos ...)
- qemu <unfixed> (bug #979678)
[bullseye] - qemu <postponed> (Minor issue)
[buster] - qemu <postponed> (Fix along in future DSA)
@@ -44389,6 +44400,7 @@ CVE-2020-27777 (A flaw was found in the way RTAS
handled memory accesses in user
[stretch] - linux <ignored> (Only an issue when Secure Boot is
implemented)
NOTE:
https://git.kernel.org/linus/bd59380c5ba4147dcbaad3e582b55ccfd120b764
CVE-2020-27776 (A flaw was found in ImageMagick in MagickCore/statistic.c. An
attacker ...)
+ {DLA-2602-1}
- imagemagick 8:6.9.11.24+dfsg-1
[buster] - imagemagick <ignored> (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1736
@@ -44564,6 +44576,7 @@ CVE-2020-27752 (A flaw was found in ImageMagick in
MagickCore/quantum-private.h.
NOTE: impossible to determine whether there was a possible security
vulnerability
NOTE: in the first place.
CVE-2020-27751 (A flaw was found in ImageMagick in
MagickCore/quantum-export.c. An att ...)
+ {DLA-2672-1}
- imagemagick 8:6.9.11.24+dfsg-1
[buster] - imagemagick <ignored> (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1727
@@ -45188,8 +45201,7 @@ CVE-2020-27663 (In GLPI before 9.5.3,
ajax/getDropdownValue.php has an Insecure
- glpi <removed>
CVE-2020-27662 (In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct
Object ...)
- glpi <removed>
-CVE-2020-27661 [divide by zero in dwc2_handle_packet() in hw/usb/hcd-dwc2.c]
- RESERVED
+CVE-2020-27661 (A divide-by-zero issue was found in dwc2_handle_packet in
hw/usb/hcd-d ...)
- qemu 1:5.2+dfsg-1 (bug #972864)
[buster] - qemu <postponed> (Fix along in future DSA)
[stretch] - qemu <not-affected> (Vulnerable code introduced later)
@@ -50719,8 +50731,8 @@ CVE-2020-25364
RESERVED
CVE-2020-25363
RESERVED
-CVE-2020-25362
- RESERVED
+CVE-2020-25362 (The id paramater in Online Shopping Alphaware 1.0 has been
discovered ...)
+ TODO: check
CVE-2020-25361
RESERVED
CVE-2020-25360
@@ -51880,8 +51892,7 @@ CVE-2020-24872
RESERVED
CVE-2020-24871
RESERVED
-CVE-2020-24870
- RESERVED
+CVE-2020-24870 (Libraw before 0.20.1 has a stack buffer overflow via
LibRaw::identify_ ...)
- libraw 0.20.2-1
[buster] - libraw <not-affected> (Vulnerable code not present)
[stretch] - libraw <not-affected> (vulnerable code not present)
@@ -51901,8 +51912,8 @@ CVE-2020-24864
RESERVED
CVE-2020-24863 (A memory corruption vulnerability was found in the kernel
function ker ...)
NOT-FOR-US: FreeBSD and MidnightBSD
-CVE-2020-24862
- RESERVED
+CVE-2020-24862 (The catID parameter in Pharmacy Medical Store and Sale Point
v1.0 has ...)
+ TODO: check
CVE-2020-25016 (A safety violation was discovered in the rgb crate before
0.8.20 for R ...)
- rust-rgb <unfixed> (bug #969213)
[bullseye] - rust-rgb <no-dsa> (Minor issue)
@@ -57728,28 +57739,28 @@ CVE-2020-22058
RESERVED
CVE-2020-22057
RESERVED
-CVE-2020-22056
- RESERVED
+CVE-2020-22056 (A Denial of Service vulnerability exists in FFmpeg 4.2 due to
a memory ...)
+ TODO: check
CVE-2020-22055
RESERVED
-CVE-2020-22054
- RESERVED
+CVE-2020-22054 (A Denial of Service vulnerability exists in FFmpeg 4.2 due to
a memory ...)
+ TODO: check
CVE-2020-22053
RESERVED
CVE-2020-22052
RESERVED
-CVE-2020-22051
- RESERVED
+CVE-2020-22051 (A Denial of Service vulnerability exists in FFmpeg 4.2 due to
a memory ...)
+ TODO: check
CVE-2020-22050
RESERVED
-CVE-2020-22049
- RESERVED
-CVE-2020-22048
- RESERVED
+CVE-2020-22049 (A Denial of Service vulnerability exists in FFmpeg 4.2 due to
a memory ...)
+ TODO: check
+CVE-2020-22048 (A Denial of Service vulnerability exists in FFmpeg 4.2 due to
a memory ...)
+ TODO: check
CVE-2020-22047
RESERVED
-CVE-2020-22046
- RESERVED
+CVE-2020-22046 (A Denial of Service vulnerability exists in FFmpeg 4.2 due to
a memory ...)
+ TODO: check
CVE-2020-22045
RESERVED
CVE-2020-22044 (A Denial of Service vulnerability exists in FFmpeg 4.2 due to
a memory ...)
@@ -74820,8 +74831,7 @@ CVE-2020-14390 (A flaw was found in the Linux kernel in
versions before 5.9-rc6.
NOTE: https://www.openwall.com/lists/oss-security/2020/09/15/2
CVE-2020-14389 (It was found that Keycloak before version 12.0.0 would permit
a user w ...)
NOT-FOR-US: Keycloak
-CVE-2020-14388
- RESERVED
+CVE-2020-14388 (A flaw was found in the Red Hat 3scale API Management
Platform, where ...)
NOT-FOR-US: 3scale
CVE-2020-14387 (A flaw was found in rsync in versions since 3.2.0pre1. Rsync
improperl ...)
- rsync 3.2.3-3 (bug #969530)
@@ -74865,8 +74875,7 @@ CVE-2020-14381 (A flaw was found in the Linux
kernel’s futex implementatio
[buster] - linux 4.19.118-1
[stretch] - linux 4.9.228-1
NOTE:
https://git.kernel.org/linus/8019ad13ef7f64be44d4f892af9c840179009254
-CVE-2020-14380
- RESERVED
+CVE-2020-14380 (An account takeover flaw was found in Red Hat Satellite 6.7.2
onward. ...)
NOT-FOR-US: Red Hat Satellite
CVE-2020-14379
RESERVED
@@ -74904,8 +74913,7 @@ CVE-2020-14372 (A flaw was found in grub2 in versions
prior to 2.06, where it in
{DSA-4867-1}
- grub2 2.04-16
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
-CVE-2020-14371
- RESERVED
+CVE-2020-14371 (A credential leak vulnerability was found in Red Hat
Satellite. This f ...)
NOT-FOR-US: Red Hat Satellite
CVE-2020-14370 (An information disclosure vulnerability was found in
containers/podman ...)
- libpod 2.0.6+dfsg1-1
@@ -75055,8 +75063,7 @@ CVE-2020-14342 (It was found that cifs-utils'
mount.cifs was invoking a shell wh
NOTE:
https://git.samba.org/cifs-utils.git/?p=cifs-utils.git;a=commit;h=48a654e2e763fce24c22e1b9c695b42804bbdd4a
CVE-2020-14341 (The "Test Connection" available in v7.x of the Red Hat Single
Sign On ...)
NOT-FOR-US: Red Hat Single Sign On application console
-CVE-2020-14340
- RESERVED
+CVE-2020-14340 (A vulnerability was discovered in XNIO where file descriptor
leak caus ...)
- jboss-xnio 3.8.2-1
[buster] - jboss-xnio <no-dsa> (Minor issue)
[stretch] - jboss-xnio <not-affected> (vulnerable code is not present)
@@ -75074,11 +75081,9 @@ CVE-2020-14338 (A flaw was found in Wildfly's
implementation of Xerces, specific
- wildfly <itp> (bug #752018)
CVE-2020-14337 (A data exposure flaw was found in Tower, where sensitive data
was reve ...)
NOT-FOR-US: Ansible Tower
-CVE-2020-14336
- RESERVED
+CVE-2020-14336 (A flaw was found in the Restricted Security Context
Constraints (SCC), ...)
NOT-FOR-US: OpenShift
-CVE-2020-14335
- RESERVED
+CVE-2020-14335 (A flaw was found in Red Hat Satellite, which allows a
privileged attac ...)
NOT-FOR-US: Red Hat Satellite
CVE-2020-14334 (A flaw was found in Red Hat Satellite 6 which allows
privileged attack ...)
- foreman <itp> (bug #663101)
@@ -75111,8 +75116,7 @@ CVE-2020-14328 (A flaw was found in Ansible Tower in
versions before 3.7.2. A Se
NOT-FOR-US: Ansible Tower
CVE-2020-14327 (A Server-side request forgery (SSRF) flaw was found in Ansible
Tower i ...)
NOT-FOR-US: Ansible Tower
-CVE-2020-14326
- RESERVED
+CVE-2020-14326 (A vulnerability was found in RESTEasy, where RootNode
incorrectly cach ...)
- resteasy <undetermined>
- resteasy3.0 <undetermined>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1855826
@@ -75143,8 +75147,7 @@ CVE-2020-14318 (A flaw was found in the way samba
handled file and directory per
[buster] - samba <no-dsa> (Minor issue)
NOTE: https://www.samba.org/samba/security/CVE-2020-14318.html
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14434
-CVE-2020-14317
- RESERVED
+CVE-2020-14317 (It was found that the issue for security flaw CVE-2019-3805
appeared a ...)
- wildfly <itp> (bug #752018)
CVE-2020-14316 (A flaw was found in kubevirt 0.29 and earlier. Virtual Machine
Instanc ...)
NOT-FOR-US: KubeVirt
@@ -86027,8 +86030,7 @@ CVE-2020-10773 (A stack information leak flaw was found
in s390/s390x in the Lin
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1846380
CVE-2020-10772 (An incomplete fix for CVE-2020-12662 was shipped for Unbound
in Red Ha ...)
- unbound <not-affected> (Red Hat specific regression in backport)
-CVE-2020-10771
- RESERVED
+CVE-2020-10771 (A flaw was found in Infinispan version 10, where it is
possible to per ...)
NOT-FOR-US: Infinispan
CVE-2020-10770 (A flaw was found in Keycloak before 13.0.0, where it is
possible to fo ...)
NOT-FOR-US: Keycloak
@@ -86160,11 +86162,9 @@ CVE-2020-10744 (An incomplete fix was found for the
fix of the flaw CVE-2020-173
NOTE:
https://github.com/ansible/ansible/commit/77d0effcc5b2da1ef23e4ba32986a9759c27c10d
NOTE:
https://github.com/ansible/ansible/commit/84afa8e90cd168ff13208c8eae3e533ce7e21e1f
(v2.9.12)
NOTE: CVE is for an incomplete fix of CVE-2020-1733
-CVE-2020-10743
- RESERVED
+CVE-2020-10743 (It was discovered that OpenShift Container Platform's (OCP)
distributi ...)
- kibana <itp> (bug #700337)
-CVE-2020-10742
- RESERVED
+CVE-2020-10742 (A flaw was found in the Linux kernel. An index buffer overflow
during ...)
- linux 3.16.2-2
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1835127
CVE-2020-10741
@@ -95608,8 +95608,7 @@ CVE-2020-6952
RESERVED
CVE-2020-6951
RESERVED
-CVE-2020-6950
- RESERVED
+CVE-2020-6950 (Directory traversal in Eclipse Mojarra before 2.3.14 allows
attackers ...)
- mojarra <not-affected> (Vulnerable code introduced later)
NOTE:
https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6bd7cb93776f7741
CVE-2020-6949 (A privilege escalation issue was discovered in the postUser
function i ...)
@@ -96407,8 +96406,8 @@ CVE-2020-6643 (An improper neutralization of input
vulnerability in the URL Desc
NOT-FOR-US: Fortinet
CVE-2020-6642
RESERVED
-CVE-2020-6641
- RESERVED
+CVE-2020-6641 (Two authorization bypass through user-controlled key
vulnerabilities i ...)
+ TODO: check
CVE-2020-6640 (An improper neutralization of input vulnerability in the Admin
Profile ...)
NOT-FOR-US: Fortiguard
CVE-2020-6639
@@ -126968,7 +126967,7 @@ CVE-2019-14838 (A flaw was found in wildfly-core
before 7.2.5.GA. The Management
- wildfly <itp> (bug #752018)
CVE-2019-14837 (A flaw was found in keycloack before version 8.0.0. The owner
of 'plac ...)
NOT-FOR-US: Keycloak
-CVE-2019-14836 (3scale dev portal login form does not verify CSRF token, and
so does n ...)
+CVE-2019-14836 (A vulnerability was found that the 3scale dev portal does not
employ m ...)
NOT-FOR-US: 3scale
CVE-2019-14835 (A buffer overflow flaw was found, in versions from 2.6.34 to
5.2.x, in ...)
{DSA-4531-1 DLA-1940-1 DLA-1930-1}
@@ -136327,8 +136326,7 @@ CVE-2019-12068 (In QEMU 1:4.1-1,
1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.
- qemu-kvm <removed>
NOTE:
https://lists.gnu.org/archive/html/qemu-devel/2019-08/msg01518.html
NOTE:
https://git.qemu.org/?p=qemu.git;a=commit;h=de594e47659029316bbf9391efb79da0a1a08e08
-CVE-2019-12067 [ide: ahci: add check to avoid null dereference]
- RESERVED
+CVE-2019-12067 (The ahci_commit_buf function in ide/ahci.c in QEMU allows
attackers to ...)
- qemu <unfixed> (low; bug #972099)
[bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[buster] - qemu <postponed> (Minor issue, revisit when fixed upstream)
@@ -195874,8 +195872,7 @@ CVE-2018-10196 (NULL pointer dereference
vulnerability in the rebuild_vlists fun
[wheezy] - graphviz <no-dsa> (Minor issue)
NOTE: https://gitlab.com/graphviz/graphviz/issues/1367
NOTE: https://issuetracker.google.com/issues/77810342
-CVE-2018-10195 [rzsz: sz can leak data to receiving side]
- RESERVED
+CVE-2018-10195 (lrzsz before version 0.12.21~rc can leak information to the
receiving ...)
- lrzsz 0.12.21-10 (low; bug #897010)
[stretch] - lrzsz <no-dsa> (Minor issue)
[jessie] - lrzsz <no-dsa> (Minor issue)
@@ -250970,8 +250967,7 @@ CVE-2017-8763 (Cross-site scripting (XSS)
vulnerability in modules/Base/Box/chec
NOT-FOR-US: EPESI
CVE-2017-8762 (GeniXCMS 1.0.2 has XSS triggered by an authenticated user who
submits ...)
NOT-FOR-US: GenixCMS
-CVE-2017-8761 [Swift tempurl middleware reveals signatures in the logfiles]
- RESERVED
+CVE-2017-8761 (In OpenStack Swift through 2.10.1, 2.11.0 through 2.13.0, and
2.14.0, ...)
- swift 2.17.0-2
[stretch] - swift <no-dsa> (Minor issue)
[jessie] - swift <end-of-life> (Not supported in Jessie LTS)
@@ -327525,8 +327521,7 @@ CVE-2015-1881 (OpenStack Image Registry and Delivery
Service (Glance) 2014.2 thr
- glance <not-affected> (Only affects 2014.2.x releases, only present
in experimental)
[wheezy] - glance <not-affected> (Vulnerable code not present)
NOTE: https://review.openstack.org/#/c/156553
-CVE-2015-1877 [command injection vulnerability]
- RESERVED
+CVE-2015-1877 (The open_generic_xdg_mime function in xdg-open in xdg-utils
1.1.0 rc1 ...)
{DSA-3165-1 DLA-217-1}
- xdg-utils 1.1.0~rc1+git20111210-7.4 (bug #777722)
CVE-2015-1568 (Cross-site request forgery (CSRF) vulnerability in the GD
Infinite Scr ...)
@@ -398202,8 +398197,7 @@ CVE-2011-3657 (Multiple cross-site scripting (XSS)
vulnerabilities in Bugzilla 2
- bugzilla <removed> (low)
[squeeze] - bugzilla <end-of-life> (Not supported in Squeeze LTS)
[lenny] - bugzilla <no-dsa> (Minor issue)
-CVE-2011-3656
- RESERVED
+CVE-2011-3656 (Cross-site scripting (XSS) vulnerability in Mozilla Firefox
before 3.6 ...)
- iceweasel 4.0-1
[squeeze] - iceweasel <end-of-life> (Iceweasel not supported in Squeeze
LTS)
CVE-2011-3655 (Mozilla Firefox 4.x through 7.0 and Thunderbird 5.0 through 7.0
perfor ...)
@@ -434023,11 +434017,9 @@ CVE-2009-0950 (Stack-based buffer overflow in Apple
iTunes before 8.2 allows rem
CVE-2009-0949 (The ippReadIO function in cups/ipp.c in cupsd in CUPS before
1.3.10 do ...)
{DSA-1811-1}
- cups 1.3.10-1
-CVE-2009-0948
- RESERVED
+CVE-2009-0948 (Multiple buffer overflows in the (1) cdf_read_sat, (2)
cdf_read_long_s ...)
- file 5.02-1
-CVE-2009-0947
- RESERVED
+CVE-2009-0947 (Multiple integer overflows in the (1) cdf_read_property_info
and (2) c ...)
- file 5.02-1
CVE-2009-0946 (Multiple integer overflows in FreeType 2.3.9 and earlier allow
remote ...)
{DSA-1784-1}
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb29a3ea5ede49566360e6a7d7ed3fa94344f6d6
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb29a3ea5ede49566360e6a7d7ed3fa94344f6d6
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
