[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Thu Apr 2 09:10:22 BST 2020
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d8b3cc1a by security tracker role at 2020-04-02T08:10:15+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,45 @@
+CVE-2020-11482
+ RESERVED
+CVE-2020-11481
+ RESERVED
+CVE-2020-11480
+ RESERVED
+CVE-2020-11479
+ RESERVED
+CVE-2020-11478
+ RESERVED
+CVE-2020-11477
+ RESERVED
+CVE-2020-11476
+ RESERVED
+CVE-2020-11475
+ RESERVED
+CVE-2020-11474
+ RESERVED
+CVE-2020-11473
+ RESERVED
+CVE-2020-11472
+ RESERVED
+CVE-2020-11471
+ RESERVED
+CVE-2020-11470 (Zoom Client for Meetings through 4.6.8 on macOS has the disable-librar ...)
+ TODO: check
+CVE-2020-11469 (Zoom Client for Meetings through 4.6.8 on macOS copies runwithroot to ...)
+ TODO: check
+CVE-2020-11468
+ RESERVED
+CVE-2020-11467 (An issue was discovered in Deskpro before 2019.8.0. This product enabl ...)
+ TODO: check
+CVE-2020-11466 (An issue was discovered in Deskpro before 2019.8.0. The /api/tickets e ...)
+ TODO: check
+CVE-2020-11465 (An issue was discovered in Deskpro before 2019.8.0. The /api/apps/* en ...)
+ TODO: check
+CVE-2020-11464 (An issue was discovered in Deskpro before 2019.8.0. The /api/people en ...)
+ TODO: check
+CVE-2020-11463 (An issue was discovered in Deskpro before 2019.8.0. The /api/email_acc ...)
+ TODO: check
+CVE-2020-11462
+ RESERVED
CVE-2020-11461
RESERVED
CVE-2020-11460
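Review bot: the seven populated entries in this block (CVE-2020-11470 and CVE-2020-11469 for Zoom Client for Meetings on macOS, CVE-2020-11463 through CVE-2020-11467 for Deskpro) are all left at `TODO: check`; if neither product has a Debian source package they should be resolved to `NOT-FOR-US: Zoom` and `NOT-FOR-US: Deskpro`, following the `NOT-FOR-US:` convention used elsewhere in this file (`NOT-FOR-US: Insulet`, `NOT-FOR-US: Elide`). The remaining additions (CVE-2020-11462, CVE-2020-11468, CVE-2020-11471 through CVE-2020-11482) are bare `RESERVED` placeholders and need no action until a description is published.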
@@ -1072,8 +1114,8 @@ CVE-2020-10950
RESERVED
CVE-2020-10949
RESERVED
-CVE-2020-10948
- RESERVED
+CVE-2020-10948 (Jon Hedley AlienForm2 (typically installed as af.cgi or alienform.cgi) ...)
+ TODO: check
CVE-2020-10947
RESERVED
CVE-2020-10946
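Review bot: CVE-2020-10948 stays at `TODO: check`, and its description identifies AlienForm2 only by the CGI file names it is installed under (af.cgi / alienform.cgi) rather than by a package name, so the triage is a search for those files in the archive; if nothing ships them, the entry should end as `NOT-FOR-US: AlienForm2`.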
@@ -2092,8 +2134,8 @@ CVE-2020-10600
RESERVED
CVE-2020-10599
RESERVED
-CVE-2020-10598
- RESERVED
+CVE-2020-10598 (In BD Pyxis MedStation ES System v1.6.1 and Pyxis Anesthesia (PAS) ES ...)
+ TODO: check
CVE-2020-10597 (The affected insulin pump is designed to communicate using a wireless ...)
NOT-FOR-US: Insulet
CVE-2020-10596 (OpenCart 3.0.3.2 allows remote authenticated users to conduct XSS atta ...)
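Review bot: CVE-2020-10598 (BD Pyxis MedStation ES / Pyxis Anesthesia ES) is left at `TODO: check` directly above CVE-2020-10597, an insulin-pump advisory already resolved as `NOT-FOR-US: Insulet`; it is the same class of vendor medical-device advisory and should be resolved the same way (`NOT-FOR-US: BD Pyxis`) rather than left in the triage queue.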
@@ -5778,8 +5820,8 @@ CVE-2020-8968
RESERVED
CVE-2020-8967
RESERVED
-CVE-2020-8966
- RESERVED
+CVE-2020-8966 (There is an Improper Neutralization of Script-Related HTML Tags in a W ...)
+ TODO: check
CVE-2020-8965
RESERVED
CVE-2020-8964 (TimeTools SC7105 1.0.007, SC9205 1.0.007, SC9705 1.0.007, SR7110 1.0.0 ...)
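Review bot: the description of CVE-2020-8966 is cut off at "in a W ...", so the affected product cannot be identified from this entry alone; the triager has to read the full CVE text before choosing between a source-package line and a `NOT-FOR-US:` line, unlike the neighbouring CVE-2020-8964 (TimeTools) whose product is visible in the truncated text.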
@@ -7605,12 +7647,12 @@ CVE-2020-8148
RESERVED
CVE-2020-8147
RESERVED
-CVE-2020-8146
- RESERVED
-CVE-2020-8145
- RESERVED
-CVE-2020-8144
- RESERVED
+CVE-2020-8146 (In UniFi Video v3.10.1 (for Windows 7/8/10 x64) there is a Local Privi ...)
+ TODO: check
+CVE-2020-8145 (The UniFi Video Server (Windows) web interface configuration restore f ...)
+ TODO: check
+CVE-2020-8144 (The UniFi Video Server v3.9.3 and prior (for Windows 7/8/10 x64) web i ...)
+ TODO: check
CVE-2020-8143
RESERVED
CVE-2020-8142
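Review bot: CVE-2020-8144, CVE-2020-8145 and CVE-2020-8146 all describe the UniFi Video Server / UniFi Video for Windows 7/8/10 x64 and all land at `TODO: check`; they should be triaged as one group and, since every description names a Windows build of the same product, resolved with the same `NOT-FOR-US: UniFi Video` line on all three rather than one at a time.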
@@ -12440,8 +12482,8 @@ CVE-2020-6098
RESERVED
CVE-2020-6097
RESERVED
-CVE-2020-6096
- RESERVED
+CVE-2020-6096 (An exploitable signed comparison vulnerability exists in the ARMv7 mem ...)
+ TODO: check
CVE-2020-6095 (An exploitable denial of service vulnerability exists in the GstRTSPAu ...)
- gst-rtsp-server1.0 1.16.2-3 (low)
[buster] - gst-rtsp-server1.0 <no-dsa> (Minor issue)
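Review bot: CVE-2020-6096 ("signed comparison vulnerability exists in the ARMv7 mem ...") is the one `TODO: check` in this patch whose truncated description points at a low-level memory routine on ARMv7 rather than at a named web product, so the triage must first identify which library the routine belongs to before a package line can be written; it deserves priority over the `NOT-FOR-US` candidates. The adjacent CVE-2020-6095 (gst-rtsp-server1.0, severity low, `[buster] <no-dsa>`) shows the shape the finished entry should take.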
@@ -12635,8 +12677,8 @@ CVE-2020-6011
RESERVED
CVE-2020-6010
RESERVED
-CVE-2020-6009
- RESERVED
+CVE-2020-6009 (LearnDash Wordpress plugin version below 3.1.6 is vulnerable to Unauth ...)
+ TODO: check
CVE-2020-6008 (LifterLMS Wordpress plugin version below 3.37.15 is vulnerable to arbi ...)
NOT-FOR-US: LifterLMS Wordpress plugin
CVE-2020-6007 (Philips Hue Bridge model 2.X prior to and including version 1935144020 ...)
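Review bot: CVE-2020-6009 (LearnDash Wordpress plugin below 3.1.6) sits at `TODO: check` immediately above CVE-2020-6008 (LifterLMS Wordpress plugin), which is already `NOT-FOR-US: LifterLMS Wordpress plugin`; unless a learndash package exists, it should be resolved identically as `NOT-FOR-US: LearnDash Wordpress plugin`.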
@@ -14178,8 +14220,8 @@ CVE-2020-5293
RESERVED
CVE-2020-5292 (Leantime before versions 2.0.15 and 2.1-beta3 has a SQL Injection vuln ...)
NOT-FOR-US: Leantime
-CVE-2020-5290
- RESERVED
+CVE-2020-5290 (In RedpwnCTF before version 2.3, there is a session fixation vulnerabi ...)
+ TODO: check
CVE-2020-5289 (In Elide before 4.5.14, it is possible for an adversary to "guess and ...)
NOT-FOR-US: Elide
CVE-2020-5288
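Review bot: CVE-2020-5290 (RedpwnCTF before 2.3, session fixation) is `TODO: check` while both neighbours (CVE-2020-5292 Leantime, CVE-2020-5289 Elide) are already `NOT-FOR-US:`; unless a redpwnctf source package turns up, it belongs in the same state as `NOT-FOR-US: RedpwnCTF`.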
@@ -23302,8 +23344,7 @@ CVE-2020-1960
RESERVED
CVE-2020-1959
RESERVED
-CVE-2020-1958
- RESERVED
+CVE-2020-1958 (When LDAP authentication is enabled in Apache Druid 0.17.0, callers of ...)
- druid <itp> (bug #825797)
CVE-2020-1957 (Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic ...)
- shiro <unfixed> (bug #955018)
@@ -23314,8 +23355,7 @@ CVE-2020-1956
RESERVED
CVE-2020-1955
RESERVED
-CVE-2020-1954
- RESERVED
+CVE-2020-1954 (Apache CXF has the ability to integrate with JMX by registering an Ins ...)
NOT-FOR-US: Apache CXF
CVE-2020-1953 (Apache Commons Configuration uses a third-party library to parse YAML ...)
- commons-configuration2 2.7-1 (bug #954713)
@@ -23391,8 +23431,7 @@ CVE-2020-1935 (In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to
NOTE: https://github.com/apache/tomcat/commit/8bfb0ff7f25fe7555a5eb2f7984f73546c11aa26 (9.0.31)
NOTE: https://github.com/apache/tomcat/commit/8fbe2e962f0ea138d92361921643fe5abe0c4f56 (8.5.51)
NOTE: https://github.com/apache/tomcat/commit/702bf15bea292915684d931526d95d4990b2e73d (7.0.100)
-CVE-2020-1934
- RESERVED
+CVE-2020-1934 (In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitial ...)
- apache2 2.4.43-1 (low)
[buster] - apache2 <no-dsa> (Minor issue)
[stretch] - apache2 <no-dsa> (Minor issue)
@@ -23418,8 +23457,7 @@ CVE-2020-1929 (The Apache Beam MongoDB connector in versions 2.10.0 to 2.16.0 ha
NOT-FOR-US: Apache Beam MongoDB connector
CVE-2020-1928 (An information disclosure vulnerability was found in Apache NiFi 1.10. ...)
NOT-FOR-US: Apache NiFi
-CVE-2020-1927
- RESERVED
+CVE-2020-1927 (In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_r ...)
- apache2 2.4.43-1 (low)
[buster] - apache2 <no-dsa> (Minor issue)
[stretch] - apache2 <no-dsa> (Minor issue)
@@ -32236,8 +32274,8 @@ CVE-2019-17566
CVE-2019-17565 (There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3, 7.0. ...)
- trafficserver 8.0.6+ds-1
NOTE: https://lists.apache.org/thread.html/r99d18d0bc4daa05e7d0e5a63e0e22701a421b2ef5a8f4f7694c43869%40%3Cannounce.trafficserver.apache.org%3E
-CVE-2019-17564
- RESERVED
+CVE-2019-17564 (Unsafe deserialization occurs within a Dubbo application which has HTT ...)
+ TODO: check
CVE-2019-17563 (When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, ...)
{DSA-4596-1 DLA-2077-1}
- tomcat9 9.0.31-1
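Review bot: CVE-2019-17564 (unsafe deserialization in a Dubbo application with HTTP remoting) is left at `TODO: check` with no source-package line; the two Apache entries triaged in this same patch show the two possible outcomes, `NOT-FOR-US: Apache CXF` for CVE-2020-1954 and `druid <itp> (bug #825797)` for CVE-2020-1958, so the triager should pick `NOT-FOR-US: Apache Dubbo` or an `<itp>` reference if a packaging bug exists rather than leaving the TODO.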
@@ -52262,8 +52300,7 @@ CVE-2019-11256
REJECTED
CVE-2019-11255 (Improper input validation in Kubernetes CSI sidecar containers for ext ...)
NOT-FOR-US: kubernetes-csi
-CVE-2019-11254
- RESERVED
+CVE-2019-11254 (The Kubernetes API Server component in versions 1.1-1.14, and versions ...)
- kubernetes 1.17.4-1
NOTE: https://github.com/kubernetes/kubernetes/issues/89535
CVE-2019-11253 (Improper input validation in the Kubernetes API server in versions v1. ...)
@@ -59108,8 +59145,8 @@ CVE-2019-9165 (SQL injection vulnerability in Nagios XI before 5.5.11 allows att
NOT-FOR-US: Nagios XI
CVE-2019-9164 (Command injection in Nagios XI before 5.5.11 allows an authenticated u ...)
NOT-FOR-US: Nagios XI
-CVE-2019-9163
- RESERVED
+CVE-2019-9163 (The connection initiation process in March Networks Command Client bef ...)
+ TODO: check
CVE-2019-9161 (WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier ...)
NOT-FOR-US: Sangfor Sundray WLAN Controller
CVE-2019-9160 (WAC on the Sangfor Sundray WLAN Controller version 3.7.4.2 and earlier ...)
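Review bot: CVE-2019-9163 (March Networks Command Client connection initiation) stays `TODO: check` among entries that are all `NOT-FOR-US:` (Nagios XI, Sangfor Sundray WLAN Controller); a vendor appliance client of this kind should be resolved as `NOT-FOR-US: March Networks Command Client` unless a package is found.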
@@ -104570,8 +104607,7 @@ CVE-2018-11803 (Subversion's mod_dav_svn Apache HTTPD module versions 1.11.0 and
[jessie] - subversion <not-affected> (Vulnerable code introduced in 1.10.0)
NOTE: https://subversion.apache.org/security/CVE-2018-11803-advisory.txt
NOTE: https://www.openwall.com/lists/oss-security/2019/01/23/1
-CVE-2018-11802 [Rule-base Authorization plugin skips authorization if querying node does not have collection replica]
- RESERVED
+CVE-2018-11802 (In Apache Solr, the cluster can be partitioned into multiple collectio ...)
- lucene-solr <not-affected> (Vulnerable code is not present)
NOTE: https://issues.apache.org/jira/browse/SOLR-12514
NOTE: Issue introduced around: https://github.com/apache/lucene-solr/commit/56e88400aefbeb7f1821cbd10a2997cde018df97 (4.2.0)
@@ -166207,6 +166243,7 @@ CVE-2017-7984 (In Joomla! 3.2.0 through 3.6.5 (fixed in 3.7.0), inadequate filte
CVE-2017-7983 (In Joomla! 1.5.0 through 3.6.5 (fixed in 3.7.0), mail sent using the J ...)
NOT-FOR-US: Joomla!
CVE-2017-7982 (Integer overflow in the plist_from_bin function in bplist.c in libimob ...)
+ {DLA-2168-1}
- libplist 1.12+git+1+e37ca00-0.3 (bug #860945)
[wheezy] - libplist <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/libimobiledevice/libplist/commit/fdebf8b319b9280cd0e9b4382f2c7cbf26ef9325
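Review bot: `{DLA-2168-1}` is added to CVE-2017-7982 as a new line (the entry had no DLA reference before), whereas every other libplist entry in this patch merges it into an existing brace list (`{DLA-2168-1 DLA-870-1}`, `{DLA-2168-1 DLA-840-1}`, `{DLA-2168-1 DLA-811-1}`); the indentation of the new line matches those, so the format is consistent. The `[wheezy] - libplist <no-dsa> (Minor issue)` line beneath it is left untouched, which is correct only if DLA-2168-1 targets a suite other than wheezy; worth a glance.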
@@ -171486,7 +171523,7 @@ CVE-2017-6440 (The parse_data_node function in bplist.c in libimobiledevice libp
NOTE: https://github.com/libimobiledevice/libplist/issues/99
NOTE: Fixed by: https://github.com/libimobiledevice/libplist/commit/dccd9290745345896e3a4a73154576a599fd8b7b
CVE-2017-6439 (Heap-based buffer overflow in the parse_string_node function in bplist ...)
- {DLA-870-1}
+ {DLA-2168-1 DLA-870-1}
- libplist 1.12+git+1+e37ca00-0.1
NOTE: https://github.com/libimobiledevice/libplist/issues/95
NOTE: https://github.com/libimobiledevice/libplist/commit/32ee5213fe64f1e10ec76c1ee861ee6f233120dd
@@ -171503,12 +171540,12 @@ CVE-2017-6437 (The base64encode function in base64.c in libimobiledevice libplis
NOTE: https://github.com/libimobiledevice/libplist/issues/100
NOTE: Fixed by: https://github.com/libimobiledevice/libplist/commit/dccd9290745345896e3a4a73154576a599fd8b7b
CVE-2017-6436 (The parse_string_node function in bplist.c in libimobiledevice libplis ...)
- {DLA-870-1}
+ {DLA-2168-1 DLA-870-1}
- libplist 1.12+git+1+e37ca00-0.1
NOTE: https://github.com/libimobiledevice/libplist/issues/94
NOTE: https://github.com/libimobiledevice/libplist/commit/32ee5213fe64f1e10ec76c1ee861ee6f233120dd
CVE-2017-6435 (The parse_string_node function in bplist.c in libimobiledevice libplis ...)
- {DLA-870-1}
+ {DLA-2168-1 DLA-870-1}
- libplist 1.12+git+1+e37ca00-0.1
NOTE: https://github.com/libimobiledevice/libplist/issues/93
NOTE: https://github.com/libimobiledevice/libplist/commit/fbd8494d5e4e46bf2e90cb6116903e404374fb56
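Review bot: in this region CVE-2017-6439, CVE-2017-6436 and CVE-2017-6435 gain `DLA-2168-1`, but CVE-2017-6440 and CVE-2017-6437, which appear here only as hunk-header context and belong to the same libplist bplist.c/base64.c bug family (both list the fix commit `dccd9290745345896e3a4a73154576a599fd8b7b`), are not updated; confirm they were not part of DLA-2168-1 rather than missed by the merge.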
@@ -173472,12 +173509,12 @@ CVE-2017-5836 (The plist_free_data function in plist.c in libplist allows attack
NOTE: https://github.com/libimobiledevice/libplist/issues/86
NOTE: http://www.openwall.com/lists/oss-security/2017/01/31/6
CVE-2017-5835 (libplist allows attackers to cause a denial of service (large memory a ...)
- {DLA-840-1}
+ {DLA-2168-1 DLA-840-1}
- libplist 1.12+git+1+e37ca00-0.1 (bug #854000)
NOTE: https://github.com/libimobiledevice/libplist/issues/88
NOTE: http://www.openwall.com/lists/oss-security/2017/01/31/6
CVE-2017-5834 (The parse_dict_node function in bplist.c in libplist allows attackers ...)
- {DLA-840-1}
+ {DLA-2168-1 DLA-840-1}
- libplist 1.12+git+1+e37ca00-0.1 (bug #854000)
NOTE: https://github.com/libimobiledevice/libplist/issues/89
NOTE: http://www.openwall.com/lists/oss-security/2017/01/31/6
@@ -174631,7 +174668,7 @@ CVE-2017-5554 (An issue was discovered in ABOOT in OnePlus 3 and 3T OxygenOS bef
CVE-2017-5553 (Cross-site scripting (XSS) vulnerability in plugins/markdown_plugin/_m ...)
- b2evolution <removed>
CVE-2017-5545 (The main function in plistutil.c in libimobiledevice libplist through ...)
- {DLA-811-1}
+ {DLA-2168-1 DLA-811-1}
- libplist 1.12+git+1+e37ca00-0.1 (low; bug #852385)
NOTE: https://github.com/libimobiledevice/libplist/issues/87
NOTE: Fixed by: https://github.com/libimobiledevice/libplist/commit/7391a506352c009fe044dead7baad9e22dd279ee
@@ -175857,7 +175894,7 @@ CVE-2017-5211 (Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by:
CVE-2017-5210 (Open-Xchange GmbH OX App Suite 7.8.3 and earlier is affected by: Infor ...)
NOT-FOR-US: Open-Xchange GmbH OX App Suite
CVE-2017-5209 (The base64decode function in base64.c in libimobiledevice libplist thr ...)
- {DLA-811-1}
+ {DLA-2168-1 DLA-811-1}
- libplist 1.12+git+1+e37ca00-0.1 (low; bug #851196)
NOTE: Upstream bug: https://github.com/libimobiledevice/libplist/issues/84
NOTE: https://github.com/libimobiledevice/libplist/commit/3a55ddd3c4c11ce75a86afbefd085d8d397ff957
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8b3cc1aef5c973563a51ee6e2562b9dcc06699b