[Git][security-tracker-team/security-tracker][master] mark CVE-2020-26519 postponed and CVE-2020-15227 no-dsa
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: dc731a63 by Abhijith PA at 2020-10-10T10:34:01+05:30 mark CVE-2020-26519 postponed and CVE-2020-15227 no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -873,6 +873,7 @@ CVE-2020-26520 RESERVED CVE-2020-26519 (Artifex MuPDF before 1.18.0 has a heap based buffer over-write when pa ...) - mupdf (bug #971595) + [stretch] - mupdf (Minor issue, can be fixed along in next DLA) NOTE: http://git.ghostscript.com/?p=mupdf.git;a=commit;h=af1e390a2c7abceb32676ec684cd1dbb92907ce8 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=702937 CVE-2020-26518 (Artica Pandora FMS before 743 allows unauthenticated attackers to cond ...) @@ -24611,6 +24612,7 @@ CVE-2020-15228 (In the `@actions/core` npm module before version 1.2.6,`addPath` TODO: check CVE-2020-15227 (Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.0.6 ar ...) - php-nette + [stretch] - php-nette (low priority) NOTE: https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94 CVE-2020-15226 (In GLPI before version 9.5.2, there is a SQL Injection in the API's se ...) - glpi View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc731a63acbaf9e8393d8bf3a4c0afb8a89fcdbf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc731a63acbaf9e8393d8bf3a4c0afb8a89fcdbf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
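Review bot: the two new [stretch] lines show no status marker between the package name and the parenthesised reason, although the commit title says mupdf is being marked postponed and php-nette no-dsa; without a <postponed> or <no-dsa> tag the tracker treats a bare "[stretch] - mupdf (...)" line as still open for stretch. The angle-bracket tags were most likely stripped when this mail was rendered (the same copy later shows "Next.js versions =9.5.0 and 9.5.4" with its comparison operators missing), so confirm on the commit that the lines read "[stretch] - mupdf <postponed> (Minor issue; can be fixed along in next DLA)" and "[stretch] - php-nette <no-dsa> (low priority)". The mupdf reason also separates its two clauses with a comma where the other reasons in this file use a semicolon ("Minor issue; Intrusive to backport").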
[Git][security-tracker-team/security-tracker][master] Claim libonig and guacamole-client in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: e2b56fb3 by Markus Koschany at 2020-10-10T01:23:48+02:00 Claim libonig and guacamole-client in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -76,7 +76,7 @@ golang-1.8 -- golang-golang-x-net-dev -- -guacamole-client +guacamole-client (Markus Koschany) -- httpcomponents-client (Markus Koschany) -- @@ -86,7 +86,7 @@ jupyter-notebook lemonldap-ng NOTE: 20200910: Released a DLA for CVE-2020-24660 a few days ago, so could defer. (lamby) -- -libonig +libonig (Markus Koschany) NOTE: 20201002: Fix for CVE-2020-26159 is too trivial. Besides that, please consider NOTE: 20201002: fixing other errors mentioned in https://github.com/kkos/oniguruma/issues/207 NOTE: 20201002: and the other 6/7 CVEs tagged as no-dsa in stretch but fixed in jessie. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2b56fb34efe476d88925656187d2c9c8b8b8388 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2b56fb34efe476d88925656187d2c9c8b8b8388 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
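Review bot: the libonig claim leaves the 20201002 note from utkarsh unanswered; that note asks for the other no-dsa stretch CVEs from https://github.com/kkos/oniguruma/issues/207 to be bundled with the trivial CVE-2020-26159 fix, so a dated NOTE: 20201010: line stating which CVEs the DLA will cover would spare the next reader from re-deriving the scope. The guacamole-client claim in the first hunk carries no note at all; a one-line dated NOTE naming the CVE(s) being worked on, as the neighbouring lemonldap-ng entry does, would help.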
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2020-13956,httpcomponents-client: Link to fixing commit
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 89c3a4a2 by Markus Koschany at 2020-10-09T22:37:41+02:00 CVE-2020-13956,httpcomponents-client: Link to fixing commit - - - - - d37e6137 by Markus Koschany at 2020-10-09T23:05:36+02:00 CVE-2020-13956,httpcomponents-client: Fixed in unstable. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28097,8 +28097,9 @@ CVE-2020-13957 RESERVED CVE-2020-13956 [incorrect handling of malformed authority component in request URIs] RESERVED - - httpcomponents-client + - httpcomponents-client 4.5.13-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1886587 + NOTE: Fixed by https://github.com/apache/httpcomponents-client/commit/e628b4c5c464c2fa346385596cc78e035a91a62e CVE-2020-13955 (HttpUtils#getURLConnection method disables explicitly hostname verific ...) TODO: check CVE-2020-13954 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4376346ec33e6e0738dd709e6c1936e02cae95fb...d37e6137343d8b892b526c3fe04780cb0869aaef -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4376346ec33e6e0738dd709e6c1936e02cae95fb...d37e6137343d8b892b526c3fe04780cb0869aaef You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
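Review bot: the CVE-2020-13956 entry is still RESERVED with only the bracketed placeholder description, so the new "- httpcomponents-client 4.5.13-1" line is the only hint of the affected range; once the upstream release containing https://github.com/apache/httpcomponents-client/commit/e628b4c5c464c2fa346385596cc78e035a91a62e is known, record it in the NOTE so the stretch assessment (the package is claimed in dla-needed.txt) does not require opening the Red Hat bug. The fixed-version line also records no "(bug #NNN)"; if a Debian bug was filed for the unstable fix, add it.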
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2404-1 for eclipse-wtp
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 4376346e by Markus Koschany at 2020-10-09T22:18:46+02:00 Reserve DLA-2404-1 for eclipse-wtp - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[09 Oct 2020] DLA-2404-1 eclipse-wtp - security update + {CVE-2019-17637} + [stretch] - eclipse-wtp 3.6.3-3+deb9u1 [09 Oct 2020] DLA-2403-1 rails - security update {CVE-2020-15169} [stretch] - rails 2:4.2.7.1-1+deb9u4 = data/dla-needed.txt = @@ -59,8 +59,6 @@ condor NOTE: 20200712: Requested input on path forward from debian-lts@l.d.o (roberto) NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto) -- -eclipse-wtp (Markus Koschany) --- f2fs-tools NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial to NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. (sunweaver) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4376346ec33e6e0738dd709e6c1936e02cae95fb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4376346ec33e6e0738dd709e6c1936e02cae95fb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
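Review bot: the data/CVE/list entry for CVE-2019-17637 is not touched here, so the {DLA-2404-1} cross-reference will only appear once the automatic update picks up the new DLA/list line, as happened for DLA-2403-1 on CVE-2020-15169 in eace3585; nothing to change, just expect the CVE page to lag the reservation by one run. Unrelated to this change but visible in the second hunk's context: the f2fs-tools note reads "it is not trivial to NOTE: 20200815: to detect", a duplicated "to" worth fixing in passing.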
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eace3585 by security tracker role at 2020-10-09T20:10:20+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24729,7 +24729,7 @@ CVE-2020-15171 (In XWiki before versions 11.10.5 or 12.2.1, any user with SCRIPT CVE-2020-15170 (apollo-adminservice before version 1.7.1 does not implement access con ...) NOT-FOR-US: apollo-adminservice CVE-2020-15169 (In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potentia ...) - {DSA-4766-1} + {DSA-4766-1 DLA-2403-1} - rails 2:6.0.3.3+dfsg-1 (bug #970040) NOTE: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-15169.yml NOTE: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc?pli=1 @@ -28099,8 +28099,8 @@ CVE-2020-13956 [incorrect handling of malformed authority component in request U RESERVED - httpcomponents-client NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1886587 -CVE-2020-13955 - RESERVED +CVE-2020-13955 (HttpUtils#getURLConnection method disables explicitly hostname verific ...) + TODO: check CVE-2020-13954 RESERVED CVE-2020-13953 (In Apache Tapestry from 5.4.0 to 5.5.0, crafting specific URLs, an att ...) 
@@ -41933,8 +41933,8 @@ CVE-2020-9107 RESERVED CVE-2020-9106 RESERVED -CVE-2020-9105 - RESERVED +CVE-2020-9105 (Taurus-AN00B versions earlier than 10.1.0.156(C00E155R7P2) have an ins ...) + TODO: check CVE-2020-9104 (HUAWEI P30 smartphones with Versions earlier than 10.1.0.123(C431E22R2 ...) NOT-FOR-US: Huawei CVE-2020-9103 (HUAWEI Mate 20 smartphones with 9.0.0.205(C00E205R2P1) have a logic er ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eace3585ffd56c7f7f8502500d58aae20b2e2826 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eace3585ffd56c7f7f8502500d58aae20b2e2826 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
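Review bot: two entries come out of this run as "TODO: check" and sit next to already-triaged neighbours, so they are cheap to resolve: CVE-2020-13955 (HttpUtils#getURLConnection disables hostname verification) directly below CVE-2020-13956, which is already assigned to httpcomponents-client, should be checked for whether it belongs to the same source package or needs its own; and CVE-2020-9105 (Taurus-AN00B) sits directly above CVE-2020-9104 and CVE-2020-9103, both NOT-FOR-US: Huawei, so it very likely triages the same way. The first hunk correctly back-fills {DSA-4766-1 DLA-2403-1} on CVE-2020-15169 from the DLA-2403-1 reservation in 3b412091.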
[Git][security-tracker-team/security-tracker][master] Claim httpcomponents-client in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 270abb9d by Markus Koschany at 2020-10-09T20:14:16+02:00 Claim httpcomponents-client in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -80,6 +80,8 @@ golang-golang-x-net-dev -- guacamole-client -- +httpcomponents-client (Markus Koschany) +-- jupyter-notebook NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/270abb9d7c92e2e323592911260649133e531ce2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/270abb9d7c92e2e323592911260649133e531ce2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
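Review bot: the new httpcomponents-client claim carries no NOTE naming the CVE it is for; the neighbouring jupyter-notebook entry shows the convention ("NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby)"). A dated NOTE: 20201009: line naming CVE-2020-13956 (added to data/CVE/list in f3c13930 the same morning) saves the next reader a trip to the CVE list.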
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2403-1 for rails
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b412091 by Markus Koschany at 2020-10-09T19:06:45+02:00 Reserve DLA-2403-1 for rails - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[09 Oct 2020] DLA-2403-1 rails - security update + {CVE-2020-15169} + [stretch] - rails 2:4.2.7.1-1+deb9u4 [08 Oct 2020] DLA-2402-1 golang-go.crypto - security update {CVE-2019-11840 CVE-2019-11841 CVE-2020-9283} [stretch] - golang-go.crypto 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1 = data/dla-needed.txt = @@ -119,8 +119,6 @@ python3.5 (Thorsten Alteholz) -- qtsvg-opensource-src (Adrian Bunk) -- -rails (Markus Koschany) --- reel NOTE: 20200909: it is now unmaintained. last commit was in Aug 2018. (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b412091437d87547f5a21b907c3330b9369a11f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b412091437d87547f5a21b907c3330b9369a11f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
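Review bot: the reservation itself is consistent (rails 2:4.2.7.1-1+deb9u4 for CVE-2020-15169 in DLA/list, rails removed from dla-needed.txt), but the context line directly below it shows DLA-2402-1 recording "[stretch] - golang-go.crypto 1:0.0~git20170407.0.55a552f+REALLY.0.0~git20161012.0.5f31782-1+deb8u1"; a +deb8u1 revision under a [stretch] entry looks like a jessie-style version and is worth checking against the actual stretch upload before it gets copied into the CVE entries by the next automatic update.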
[Git][security-tracker-team/security-tracker][master] CVE-2020-15168/node-fetch fixed in unstable upload
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fbcdc525 by Salvatore Bonaccorso at 2020-10-09T17:20:01+02:00 CVE-2020-15168/node-fetch fixed in unstable upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24737,7 +24737,7 @@ CVE-2020-15169 (In Action View before versions 5.2.4.4 and 6.0.3.3 there is a po NOTE: https://github.com/rails/rails/commit/aaa7ab1320330b3c4fa8f0fbda716dcfa21e3d65 (5.2) CVE-2020-15168 (node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the si ...) [experimental] - node-fetch 2.6.1-1 - - node-fetch (bug #970173) + - node-fetch 2.6.1-2 (bug #970173) [buster] - node-fetch (Minor issue; Intrusive to backport) NOTE: https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r CVE-2020-15167 (In Miller (command line utility) using the configuration file support ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fbcdc525abcc9fb366b00a0f8c55064203b03d54 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fbcdc525abcc9fb366b00a0f8c55064203b03d54 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
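Review bot: the "[buster] - node-fetch (Minor issue; Intrusive to backport)" context line shows no status tag between the package name and the reason in this copy; confirm the <no-dsa> marker is present in the repository, since a bare suite line with a reason would leave buster listed as unfixed rather than no-dsa. The unstable bump from "- node-fetch (bug #970173)" to "- node-fetch 2.6.1-2 (bug #970173)" is fine; with unstable now fixed, the "[experimental] - node-fetch 2.6.1-1" line above it no longer contributes to the status and can be dropped when the entry is next touched.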
[Git][security-tracker-team/security-tracker][master] Add notes for ruby-doorkeeper
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 9fdf3932 by Utkarsh Gupta at 2020-10-09T20:03:15+05:30 Add notes for ruby-doorkeeper - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -135,6 +135,8 @@ ruby-doorkeeper NOTE: 20200831: it's a breaking change, I'd rather not want to issue a DLA for this. (utkarsh) NOTE: 20200831: in case it's really DLA worthy, I'd be very careful with this update. (utkarsh) NOTE: 20200831: more investigation needed. (utkarsh) + NOTE: 20201009: on another note, it needs more investigation if this version is affected in + NOTE: 20201009: the first place or not. (utkarsh) -- ruby-kaminari NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fdf3932bb8f7048f055aac02e76deb2b4cc95db -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fdf3932bb8f7048f055aac02e76deb2b4cc95db You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
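Review bot: the new 20201009 note says "this version" needs checking for whether it is affected at all, but neither the new lines nor the surrounding 20200831 notes name the CVE or the Debian version of ruby-doorkeeper in question; add the CVE id and the stretch version to the note so the remaining investigation is actionable for whoever picks the entry up next.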
[Git][security-tracker-team/security-tracker][master] Add notes for ruby-kaminari
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 862a75e0 by Utkarsh Gupta at 2020-10-09T20:00:28+05:30 Add notes for ruby-kaminari - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -136,7 +136,7 @@ ruby-doorkeeper NOTE: 20200831: in case it's really DLA worthy, I'd be very careful with this update. (utkarsh) NOTE: 20200831: more investigation needed. (utkarsh) -- -ruby-kaminari (Utkarsh) +ruby-kaminari NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to NOTE: 20200819: the one upstream or in its many forks. For example, both dthe NOTE: 20200819: kaminari/kaminari and amatsuda/kaminari repositories does no have the @@ -144,6 +144,8 @@ ruby-kaminari (Utkarsh) NOTE: 20200819: file has been refactored a few times). (lamby) NOTE: 20200928: A new module should be written in config/initializers/kaminari.rb. (utkarsh) NOTE: 20200928: It should prepend_features from Kaminari::Helpers::Tag. (utkarsh) + NOTE: 20201009: This (↑) is an app-level patch for a rails app. A library-level patch + NOTE: 20201009: will needed to be written. Opened an issue at upstream, though somewhat inactive. (utkarsh) -- ruby-oauth -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/862a75e04d3f71eedea079fe83980bd21becb2e6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/862a75e04d3f71eedea079fe83980bd21becb2e6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
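Review bot: the first hunk drops the "(Utkarsh)" claim from ruby-kaminari, but the commit message only says "Add notes"; an unclaim should be called out in the message so it shows up in the log. In the second hunk the new note says an issue was opened upstream; link it in the NOTE so the next person does not have to search the (somewhat inactive) repository for it. Unrelated to this change but visible in the context: the 20200819 note still reads "dthe" and "does no have".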
[Git][security-tracker-team/security-tracker][master] CVE-2020-10936/sympa: reference Debian-specific patch
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 1a074a01 by Sylvain Beucler at 2020-10-09T14:45:42+02:00 CVE-2020-10936/sympa: reference Debian-specific patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -37168,6 +37168,7 @@ CVE-2020-10936 (Sympa before 6.2.56 allows privilege escalation. ...) NOTE: Patch for sympa-6.1.25: https://github.com/sympa-community/sympa/releases/download/6.2.56/sympa-6.1.25-sa-2020-002-r2.patch NOTE: https://sysdream.com/news/lab/2020-05-25-cve-2020-10936-sympa-privileges-escalation-to-root/ NOTE: https://github.com/sympa-community/sympa/issues/943 + NOTE: https://salsa.debian.org/sympa-team/sympa/-/merge_requests/1 (fix Debian loose permissions referenced in sysdream write-up) CVE-2020-10935 (Zulip Server before 2.1.3 allows XSS via a Markdown link, with resulta ...) - zulip-server (bug #800052) CVE-2020-10934 (Acyba AcyMailing before 6.9.2 mishandles file uploads by admins. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1a074a014a81f3492c0a33e33dea1f6348ae1aeb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1a074a014a81f3492c0a33e33dea1f6348ae1aeb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
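Review bot: the new NOTE describes https://salsa.debian.org/sympa-team/sympa/-/merge_requests/1 as fixing Debian-specific loose permissions mentioned in the sysdream write-up; if that is a packaging problem separate from the upstream 6.2.56 fix (and the 6.1.25 backport patch linked above it), it needs its own Debian bug and per-suite tracking, because a NOTE line on its own does not change the CVE-2020-10936 status for any release.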
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d064ca66 by Salvatore Bonaccorso at 2020-10-09T10:17:38+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -772,7 +772,7 @@ CVE-2020-26569 CVE-2020-26568 RESERVED CVE-2020-26567 (An issue was discovered on D-Link DSR-250N before 3.17B devices. The C ...) - TODO: check + NOT-FOR-US: D-Link CVE-2020-26566 RESERVED CVE-2020-26565 @@ -866,7 +866,7 @@ CVE-2020-26524 (CodeLathe FileCloud before 20.2.0.11915 allows username enumerat CVE-2020-26523 (Froala Editor before 3.2.2 allows XSS via pasted content. ...) NOT-FOR-US: Froala Editor CVE-2020-26522 (A cross-site request forgery (CSRF) vulnerability in mod/user/act_user ...) - TODO: check + NOT-FOR-US: Garfield Petshop CVE-2020-26521 RESERVED CVE-2020-26520 @@ -1599,7 +1599,7 @@ CVE-2020-26164 (In kdeconnect-kde (aka KDE Connect) before 20.08.2, an attacker CVE-2020-26163 (BigBlueButton Greenlight before 2.5.6 allows HTTP header (Host and Ori ...) NOT-FOR-US: BigBlueButton Greenlight CVE-2020-26162 (Xerox WorkCentre EC7836 before 073.050.059.25300 and EC7856 before 073 ...) - TODO: check + NOT-FOR-US: Xerox CVE-2020-26161 RESERVED CVE-2020-26160 (jwt-go before 4.0.0-preview1 allows attackers to bypass intended acces ...) 
@@ -3591,13 +3591,13 @@ CVE-2013-7490 (An issue was discovered in the DBI module before 1.632 for Perl. NOTE: https://github.com/perl5-dbi/dbi/commit/a8b98e988d6ea2946f5f56691d6d5ead53f65766 NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=86744 CVE-2020-25273 (In SourceCodester Online Bus Booking System 1.0, there is Authenticati ...) - TODO: check + NOT-FOR-US: SourceCodester Online Bus Booking System CVE-2020-25272 (In SourceCodester Online Bus Booking System 1.0, there is XSS through ...) - TODO: check + NOT-FOR-US: SourceCodester Online Bus Booking System CVE-2020-25271 (PHPGurukul hospital-management-system-in-php 4.0 allows XSS via admin/ ...) - TODO: check + NOT-FOR-US: PHPGurukul hospital-management-system-in-php CVE-2020-25270 (PHPGurukul hostel-management-system 2.1 allows XSS via Guardian Name, ...) - TODO: check + NOT-FOR-US: PHPGurukul hostel-management-system CVE-2020-25269 (An issue was discovered in InspIRCd 2 before 2.0.29 and 3 before 3.6.0 ...) {DSA-4764-1 DLA-2375-1} - inspircd (bug #960650) @@ -3619,9 +3619,9 @@ CVE-2020-25265 CVE-2020-25264 RESERVED CVE-2020-25263 (PyroCMS 3.7 is vulnerable to cross-site request forgery (CSRF) via the ...) - TODO: check + NOT-FOR-US: PyroCMS CVE-2020-25262 (PyroCMS 3.7 is vulnerable to cross-site request forgery (CSRF) via the ...) - TODO: check + NOT-FOR-US: PyroCMS CVE-2020-25261 RESERVED CVE-2020-25260 (An issue was discovered in Hyland OnBase through 18.0.0.32 and 19.x th ...) @@ -5757,7 +5757,7 @@ CVE-2020-24303 CVE-2020-24302 RESERVED CVE-2020-24301 (Users of the HAPI FHIR Testpage Overlay 5.0.0 and below can use a spec ...) - TODO: check + NOT-FOR-US: HAPI FHIR Testpage Overlay CVE-2020-24300 RESERVED CVE-2020-24299 
@@ -23007,7 +23007,7 @@ CVE-2020-15840 (In Liferay Portal before 7.3.1, Liferay Portal 6.2 EE, and Lifer CVE-2020-15839 (Liferay Portal before 7.3.3, and Liferay DXP 7.1 before fix pack 18 an ...) NOT-FOR-US: Liferay CVE-2020-15838 (The Agent Update System in ConnectWise Automate before 2020.8 allows P ...) - TODO: check + NOT-FOR-US: ConnectWise Automate CVE-2020-15837 RESERVED CVE-2020-15836 @@ -24578,11 +24578,11 @@ CVE-2020-15245 CVE-2020-15244 RESERVED CVE-2020-15243 (Affected versions of Smartstore have a missing WebApi Authentication a ...) - TODO: check + NOT-FOR-US: Smartstore CVE-2020-15242 (Next.js versions =9.5.0 and 9.5.4 are vulnerable to an Open Re ...) TODO: check CVE-2020-15241 (TYPO3 Fluid Engine (package `typo3fluid/fluid`) before versions 2.0.5, ...) - TODO: check + NOT-FOR-US: TYPO3 Fluid Engine CVE-2020-15240 RESERVED CVE-2020-15239 (In xmpp-http-upload before version 0.4.0, when the GET method is attac ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d064ca66c2beb7daa2aaad7e3cadb50b30669ca2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d064ca66c2beb7daa2aaad7e3cadb50b30669ca2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net
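Review bot: CVE-2020-15242 in the last hunk is the one entry of this batch left as "TODO: check"; its description reads "Next.js versions =9.5.0 and 9.5.4", the comparison operators having been stripped in this copy, and Next.js does not appear as a Debian source package anywhere in this file, so it looks like a NOT-FOR-US candidate along with its neighbours CVE-2020-15243 (Smartstore) and CVE-2020-15241 (TYPO3 Fluid Engine). The other conversions from "TODO: check" to NOT-FOR-US (D-Link, Garfield Petshop, Xerox, SourceCodester, PHPGurukul, PyroCMS, HAPI FHIR, ConnectWise, Smartstore, TYPO3 Fluid) all match their descriptions.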
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c30de2e by Salvatore Bonaccorso at 2020-10-09T10:14:26+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,73 +1,73 @@ CVE-2020-26931 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26930 (NETGEAR EX7700 devices before 1.0.0.210 are affected by incorrect conf ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26929 (Certain NETGEAR devices are affected by command injection by an authen ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26928 (Certain NETGEAR devices are affected by authentication bypass. This af ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26927 (Certain NETGEAR devices are affected by authentication bypass. This af ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26926 (Certain NETGEAR devices are affected by authentication bypass. This af ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26925 (NETGEAR GS808E devices before 1.7.1.0 are affected by denial of servic ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26924 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26923 (Certain NETGEAR devices are affected by stored XSS. This affects WC750 ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26922 (Certain NETGEAR devices are affected by command injection by an authen ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26921 (Certain NETGEAR devices are affected by authentication bypass. This af ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26920 (Certain NETGEAR devices are affected by command injection by an unauth ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26919 (NETGEAR JGS516PE devices before 2.6.0.43 are affected by lack of acces ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26918 (Certain NETGEAR devices are affected by stored XSS. This affects EX700 ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26917 (Certain NETGEAR devices are affected by stored XSS. This affects EX700 ...) 
- TODO: check + NOT-FOR-US: Netgear CVE-2020-26916 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26915 (Certain NETGEAR devices are affected by stored XSS. This affects D7800 ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26914 (Certain NETGEAR devices are affected by command injection by an authen ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26913 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26912 (Certain NETGEAR devices are affected by CSRF. This affects D6200 befor ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26911 (Certain NETGEAR devices are affected by lack of access control at the ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26910 (Certain NETGEAR devices are affected by command injection by an authen ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26909 (Certain NETGEAR devices are affected by command injection by an unauth ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26908 (Certain NETGEAR devices are affected by authentication bypass. This af ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26907 (Certain NETGEAR devices are affected by command injection by an unauth ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26906 (Certain NETGEAR devices are affected by disclosure of administrative c ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26905 (Certain NETGEAR devices are affected by disclosure of administrative c ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26904 (Certain NETGEAR devices are affected by disclosure of administrative c ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26903 (Certain NETGEAR devices are affected by disclosure of administrative c ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26902 (Certain NETGEAR devices are affected by command injection by an unauth ...) 
- TODO: check + NOT-FOR-US: Netgear CVE-2020-26901 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26900 (Certain NETGEAR devices are affected by disclosure of administrative c ...) - TODO: check + NOT-FOR-US: Netgear CVE-2020-26899 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) - TODO:
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e6ffbac5 by security tracker role at 2020-10-09T08:10:20+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,81 @@ +CVE-2020-26931 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) + TODO: check +CVE-2020-26930 (NETGEAR EX7700 devices before 1.0.0.210 are affected by incorrect conf ...) + TODO: check +CVE-2020-26929 (Certain NETGEAR devices are affected by command injection by an authen ...) + TODO: check +CVE-2020-26928 (Certain NETGEAR devices are affected by authentication bypass. This af ...) + TODO: check +CVE-2020-26927 (Certain NETGEAR devices are affected by authentication bypass. This af ...) + TODO: check +CVE-2020-26926 (Certain NETGEAR devices are affected by authentication bypass. This af ...) + TODO: check +CVE-2020-26925 (NETGEAR GS808E devices before 1.7.1.0 are affected by denial of servic ...) + TODO: check +CVE-2020-26924 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) + TODO: check +CVE-2020-26923 (Certain NETGEAR devices are affected by stored XSS. This affects WC750 ...) + TODO: check +CVE-2020-26922 (Certain NETGEAR devices are affected by command injection by an authen ...) + TODO: check +CVE-2020-26921 (Certain NETGEAR devices are affected by authentication bypass. This af ...) + TODO: check +CVE-2020-26920 (Certain NETGEAR devices are affected by command injection by an unauth ...) + TODO: check +CVE-2020-26919 (NETGEAR JGS516PE devices before 2.6.0.43 are affected by lack of acces ...) + TODO: check +CVE-2020-26918 (Certain NETGEAR devices are affected by stored XSS. This affects EX700 ...) + TODO: check +CVE-2020-26917 (Certain NETGEAR devices are affected by stored XSS. This affects EX700 ...) + TODO: check +CVE-2020-26916 (Certain NETGEAR devices are affected by incorrect configuration of sec ...) + TODO: check +CVE-2020-26915 (Certain NETGEAR devices are affected by stored XSS. This affects D7800 ...) + TODO: check +CVE-2020-26914 (Certain NETGEAR devices are affected by command injection by an authen ...) 
+ TODO: check +CVE-2020-26913 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...) + TODO: check +CVE-2020-26912 (Certain NETGEAR devices are affected by CSRF. This affects D6200 befor ...) + TODO: check +CVE-2020-26911 (Certain NETGEAR devices are affected by lack of access control at the ...) + TODO: check +CVE-2020-26910 (Certain NETGEAR devices are affected by command injection by an authen ...) + TODO: check +CVE-2020-26909 (Certain NETGEAR devices are affected by command injection by an unauth ...) + TODO: check +CVE-2020-26908 (Certain NETGEAR devices are affected by authentication bypass. This af ...) + TODO: check +CVE-2020-26907 (Certain NETGEAR devices are affected by command injection by an unauth ...) + TODO: check +CVE-2020-26906 (Certain NETGEAR devices are affected by disclosure of administrative c ...) + TODO: check +CVE-2020-26905 (Certain NETGEAR devices are affected by disclosure of administrative c ...) + TODO: check +CVE-2020-26904 (Certain NETGEAR devices are affected by disclosure of administrative c ...) + TODO: check +CVE-2020-26903 (Certain NETGEAR devices are affected by disclosure of administrative c ...) + TODO: check +CVE-2020-26902 (Certain NETGEAR devices are affected by command injection by an unauth ...) + TODO: check +CVE-2020-26901 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) + TODO: check +CVE-2020-26900 (Certain NETGEAR devices are affected by disclosure of administrative c ...) + TODO: check +CVE-2020-26899 (Certain NETGEAR devices are affected by disclosure of sensitive inform ...) + TODO: check +CVE-2020-26898 (NETGEAR RAX40 devices before 1.0.3.80 are affected by incorrect config ...) + TODO: check +CVE-2020-26897 (Certain NETGEAR devices are affected by disclosure of administrative c ...) + TODO: check +CVE-2020-26896 + RESERVED +CVE-2020-26895 + RESERVED +CVE-2020-26894 (Faulkner Wildlife Issues in the New Millennium 18.0.160 on Windows all ...) 
+ TODO: check +CVE-2020-26893 + RESERVED CVE-2020-26892 RESERVED CVE-2020-26891 @@ -787,8 +865,8 @@ CVE-2020-26524 (CodeLathe FileCloud before 20.2.0.11915 allows username enumerat NOT-FOR-US: CodeLathe FileCloud CVE-2020-26523 (Froala Editor before 3.2.2 allows XSS via pasted content. ...) NOT-FOR-US: Froala Editor -CVE-2020-26522 - RESERVED +CVE-2020-26522 (A cross-site request forgery (CSRF) vulnerability in mod/user/act_user ...) + TODO:
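Review bot: CVE-2020-26894 (Faulkner Wildlife Issues in the New Millennium 18.0.160 on Windows) arrives as "TODO: check" in the middle of the NETGEAR block; a Windows-only desktop product is a straightforward NOT-FOR-US candidate and should be triaged together with the NETGEAR entries above it rather than left behind once those are processed. CVE-2020-26522 at the end of the hunk gains a description (CSRF in mod/user/act_user ...) and likewise needs triage.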
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-13956/httpcomponents-client
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f3c13930 by Salvatore Bonaccorso at 2020-10-09T09:58:58+02:00 Add CVE-2020-13956/httpcomponents-client - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28017,8 +28017,10 @@ CVE-2020-13958 RESERVED CVE-2020-13957 RESERVED -CVE-2020-13956 +CVE-2020-13956 [incorrect handling of malformed authority component in request URIs] RESERVED + - httpcomponents-client + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1886587 CVE-2020-13955 RESERVED CVE-2020-13954 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3c13930ff12b0b99f8a1b65a35a09a3d67c8b2a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3c13930ff12b0b99f8a1b65a35a09a3d67c8b2a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
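Review bot: the new CVE-2020-13956 entry records only the Red Hat bug (https://bugzilla.redhat.com/show_bug.cgi?id=1886587) and a bracketed working description with no upstream reference and no fixed version in any suite; acceptable while the id is RESERVED, but the upstream fixing commit and the first fixed release should be added as a NOTE as soon as they are public so that stretch (httpcomponents-client is in dla-needed.txt) and buster can be assessed.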
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-8264/rails
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0b2fad04 by Salvatore Bonaccorso at 2020-10-09T09:29:19+02:00 Add CVE-2020-8264/rails - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43875,8 +43875,12 @@ CVE-2020-8266 RESERVED CVE-2020-8265 RESERVED -CVE-2020-8264 +CVE-2020-8264 [Possible XSS Vulnerability in Action Pack in Development Mode] RESERVED + - rails + [buster] - rails (Vulnerable code not present) + [stretch] - rails (Vulnerable code not present) + NOTE: https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk/m/oJWw-xhNAQAJ CVE-2020-8263 RESERVED CVE-2020-8262 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b2fad047ec5cf86a5ebb172d2f58aa38de0b8f5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b2fad047ec5cf86a5ebb172d2f58aa38de0b8f5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
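Review bot: the "[buster] - rails (Vulnerable code not present)" and "[stretch] - rails (Vulnerable code not present)" lines show no status tag between the package name and the reason in this copy; confirm the <not-affected> marker is present in the repository, because a bare suite line with a reason would leave both releases listed as vulnerable. The unstable line "- rails" carries no fixed version even though the advisory is for Action Pack in development mode; once the fixed upstream release is known, record it so the entry does not stay open against unstable.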
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-25645/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 16c3e31b by Salvatore Bonaccorso at 2020-10-09T08:01:55+02:00 Add CVE-2020-25645/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2676,8 +2676,10 @@ CVE-2020-25647 RESERVED CVE-2020-25646 RESERVED -CVE-2020-25645 +CVE-2020-25645 [geneve: add transport ports in route lookup for geneve] RESERVED + - linux + NOTE: https://git.kernel.org/linus/34beb21594519ce64a55a498c2fe7d567bc1ca20 CVE-2020-25644 (A memory leak flaw was found in WildFly OpenSSL in versions prior to 1 ...) - wildfly (bug #752018) CVE-2020-25643 (A flaw was found in the HDLC_PPP module of the Linux kernel in version ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16c3e31bcc508a88b03e45ba68db3763c3a3482f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16c3e31bcc508a88b03e45ba68db3763c3a3482f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
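Review bot: the CVE-2020-25645 entry gives only the upstream fix (https://git.kernel.org/linus/34beb21594519ce64a55a498c2fe7d567bc1ca20) and uses the commit subject "geneve: add transport ports in route lookup for geneve" as its bracketed description, with no suite annotations; add the introducing commit or the first affected kernel release to the NOTE when known, so that stretch and buster can be marked fixed, not-affected or unfixed rather than inheriting an open status from the bare "- linux" line.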