[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Thu Apr 30 21:10:33 BST 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
cc07cc5b by security tracker role at 2020-04-30T20:10:25+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,245 @@
+CVE-2020-12602
+	RESERVED
+CVE-2020-12601
+	RESERVED
+CVE-2020-12600
+	RESERVED
+CVE-2020-12599
+	RESERVED
+CVE-2020-12598
+	RESERVED
+CVE-2020-12597
+	RESERVED
+CVE-2020-12596
+	RESERVED
+CVE-2020-12595
+	RESERVED
+CVE-2020-12594
+	RESERVED
+CVE-2020-12593
+	RESERVED
+CVE-2020-12592
+	RESERVED
+CVE-2020-12591
+	RESERVED
+CVE-2020-12590
+	RESERVED
+CVE-2020-12589
+	RESERVED
+CVE-2020-12588
+	RESERVED
+CVE-2020-12587
+	RESERVED
+CVE-2020-12586
+	RESERVED
+CVE-2020-12585
+	RESERVED
+CVE-2020-12584
+	RESERVED
+CVE-2020-12583
+	RESERVED
+CVE-2020-12582
+	RESERVED
+CVE-2020-12581
+	RESERVED
+CVE-2020-12580
+	RESERVED
+CVE-2020-12579
+	RESERVED
+CVE-2020-12578
+	RESERVED
+CVE-2020-12577
+	RESERVED
+CVE-2020-12576
+	RESERVED
+CVE-2020-12575
+	RESERVED
+CVE-2020-12574
+	RESERVED
+CVE-2020-12573
+	RESERVED
+CVE-2020-12572
+	RESERVED
+CVE-2020-12571
+	RESERVED
+CVE-2020-12570
+	RESERVED
+CVE-2020-12569
+	RESERVED
+CVE-2020-12568
+	RESERVED
+CVE-2020-12567
+	RESERVED
+CVE-2020-12566
+	RESERVED
+CVE-2020-12565
+	RESERVED
+CVE-2020-12564
+	RESERVED
+CVE-2020-12563
+	RESERVED
+CVE-2020-12562
+	RESERVED
+CVE-2020-12561
+	RESERVED
+CVE-2020-12560
+	RESERVED
+CVE-2020-12559
+	RESERVED
+CVE-2020-12558
+	RESERVED
+CVE-2020-12557
+	RESERVED
+CVE-2020-12556
+	RESERVED
+CVE-2020-12555
+	RESERVED
+CVE-2020-12554
+	RESERVED
+CVE-2020-12553
+	RESERVED
+CVE-2020-12552
+	RESERVED
+CVE-2020-12551
+	RESERVED
+CVE-2020-12550
+	RESERVED
+CVE-2020-12549
+	RESERVED
+CVE-2020-12548
+	RESERVED
+CVE-2020-12547
+	RESERVED
+CVE-2020-12546
+	RESERVED
+CVE-2020-12545
+	RESERVED
+CVE-2020-12544
+	RESERVED
+CVE-2020-12543
+	RESERVED
+CVE-2020-12542
+	RESERVED
+CVE-2020-12541
+	RESERVED
+CVE-2020-12540
+	RESERVED
+CVE-2020-12539
+	RESERVED
+CVE-2020-12538
+	RESERVED
+CVE-2020-12537
+	RESERVED
+CVE-2020-12536
+	RESERVED
+CVE-2020-12535
+	RESERVED
+CVE-2020-12534
+	RESERVED
+CVE-2020-12533
+	RESERVED
+CVE-2020-12532
+	RESERVED
+CVE-2020-12531
+	RESERVED
+CVE-2020-12530
+	RESERVED
+CVE-2020-12529
+	RESERVED
+CVE-2020-12528
+	RESERVED
+CVE-2020-12527
+	RESERVED
+CVE-2020-12526
+	RESERVED
+CVE-2020-12525
+	RESERVED
+CVE-2020-12524
+	RESERVED
+CVE-2020-12523
+	RESERVED
+CVE-2020-12522
+	RESERVED
+CVE-2020-12521
+	RESERVED
+CVE-2020-12520
+	RESERVED
+CVE-2020-12519
+	RESERVED
+CVE-2020-12518
+	RESERVED
+CVE-2020-12517
+	RESERVED
+CVE-2020-12516
+	RESERVED
+CVE-2020-12515
+	RESERVED
+CVE-2020-12514
+	RESERVED
+CVE-2020-12513
+	RESERVED
+CVE-2020-12512
+	RESERVED
+CVE-2020-12511
+	RESERVED
+CVE-2020-12510
+	RESERVED
+CVE-2020-12509
+	RESERVED
+CVE-2020-12508
+	RESERVED
+CVE-2020-12507
+	RESERVED
+CVE-2020-12506
+	RESERVED
+CVE-2020-12505
+	RESERVED
+CVE-2020-12504
+	RESERVED
+CVE-2020-12503
+	RESERVED
+CVE-2020-12502
+	RESERVED
+CVE-2020-12501
+	RESERVED
+CVE-2020-12500
+	RESERVED
+CVE-2020-12499
+	RESERVED
+CVE-2020-12498
+	RESERVED
+CVE-2020-12497
+	RESERVED
+CVE-2020-12496
+	RESERVED
+CVE-2020-12495
+	RESERVED
+CVE-2020-12494
+	RESERVED
+CVE-2020-12493
+	RESERVED
+CVE-2020-12492
+	RESERVED
+CVE-2020-12491
+	RESERVED
+CVE-2020-12490
+	RESERVED
+CVE-2020-12489
+	RESERVED
+CVE-2020-12488
+	RESERVED
+CVE-2020-12487
+	RESERVED
+CVE-2020-12486
+	RESERVED
+CVE-2020-12485
+	RESERVED
+CVE-2020-12484
+	RESERVED
+CVE-2020-12483
+	RESERVED
+CVE-2020-12482
+	RESERVED
 CVE-2020-12481
 	RESERVED
 CVE-2020-12480
@@ -861,12 +1103,12 @@ CVE-2020-12105 (OpenConnect through 8.08 mishandles negative return values from
 	NOTE: https://gitlab.com/openconnect/openconnect/-/merge_requests/96
 CVE-2020-12104
 	RESERVED
-CVE-2020-12103 (In Tiny File Manager 2.4.1, there is a vulnerability in the ajax file  ...)
+CVE-2020-12103 (In Tiny File Manager 2.4.1 there is a vulnerability in the ajax file b ...)
 	NOT-FOR-US: Tiny File Manager
 CVE-2020-12102 (In Tiny File Manager 2.4.1, there is a Path Traversal vulnerability in ...)
 	NOT-FOR-US: Tiny File Manager
-CVE-2020-12101
-	RESERVED
+CVE-2020-12101 (The address-management feature in xt:Commerce 5.1 to 6.2.2 allows remo ...)
+	TODO: check
 CVE-2020-12100
 	RESERVED
 CVE-2020-12099
@@ -994,8 +1236,8 @@ CVE-2020-12052 (Grafana version < 6.7.3 is vulnerable for annotation popup XS
 	- grafana <removed>
 CVE-2020-12051 (The CentralAuth extension through REL1_34 for MediaWiki allows remote  ...)
 	NOT-FOR-US: MediaWiki extension
-CVE-2020-12050
-	RESERVED
+CVE-2020-12050 (SQLiteODBC 0.9996, as packaged for certain Linux distributions as 0.99 ...)
+	TODO: check
 CVE-2020-12049
 	RESERVED
 CVE-2020-12048
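Review bot: CVE-2020-12050 is left at `TODO: check` although its own description says SQLiteODBC 0.9996 "as packaged for certain Linux distributions"; that wording points directly at distribution packaging, so this entry should be triaged against the archive with priority and resolved to either a package line or a `NOT-FOR-US: SQLiteODBC` line, as the neighbouring grafana and MediaWiki-extension entries are.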
@@ -2840,10 +3082,10 @@ CVE-2020-11653 (An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x
 	[jessie] - varnish <not-affected> (Only affects 6.x)
 	NOTE: https://varnish-cache.org/security/VSV00005.html#vsv00005
 	NOTE: https://github.com/varnishcache/varnish-cache/commit/2d8fc1a784a1e26d78c30174923a2b14ee2ebf62
-CVE-2020-11652
-	RESERVED
-CVE-2020-11651
-	RESERVED
+CVE-2020-11652 (An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 bef ...)
+	TODO: check
+CVE-2020-11651 (An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 bef ...)
+	TODO: check
 CVE-2020-11650 (An issue was discovered in iXsystems FreeNAS (and TrueNAS) 11.2 before ...)
 	NOT-FOR-US: FreeNAS
 CVE-2020-11649 (An issue was discovered in GitLab CE and EE 8.15 through 12.9.2. Membe ...)
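Review bot: CVE-2020-11651 and CVE-2020-11652 describe the same product and version range (SaltStack Salt before 2019.2.4 and 3000 before ...) yet both are left at `TODO: check`; they should be triaged together and given the same resolution, either a package line or a `NOT-FOR-US:` line, in the way the adjacent FreeNAS and GitLab entries are already resolved.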
@@ -4479,7 +4721,7 @@ CVE-2020-11024 (In Moonlight iOS/tvOS before 4.0.1, the pairing process is vulne
 CVE-2020-11023 (In jQuery before 3.5.0, passing HTML containing <option> element ...)
 	- jquery <unfixed>
 	NOTE: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6
-CVE-2020-11022 (In jQuery before 3.5.0, passing HTML from untrusted sources - even aft ...)
+CVE-2020-11022 (In jQuery versions greater than or equal to 1.2 and before 3.5.0, pass ...)
 	- jquery <unfixed>
 	NOTE: https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2
 	NOTE: https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
@@ -5534,8 +5776,7 @@ CVE-2020-10693
 	RESERVED
 CVE-2020-10692
 	RESERVED
-CVE-2020-10691
-	RESERVED
+CVE-2020-10691 (An archive traversal flaw was found in all ansible-engine versions 2.9 ...)
 	- ansible <unfixed>
 	[buster] - ansible <not-affected> (Vulnerable code introduced later)
 	[stretch] - ansible <not-affected> (Vulnerable code introduced later)
@@ -6029,13 +6270,13 @@ CVE-2020-10516
 	RESERVED
 CVE-2020-10515 (STARFACE UCC Client before 6.7.1.204 on WIndows allows binary planting ...)
 	NOT-FOR-US: STARFACE UCC Client
-CVE-2020-10514 (iCatch DVR do not validate function parameter properly, resulting atta ...)
+CVE-2020-10514 (iCatch DVR firmware before 20200103 do not validate function parameter ...)
 	NOT-FOR-US: iCatch DVR
-CVE-2020-10513 (The file management interface of iCatch DVR contains broken access con ...)
+CVE-2020-10513 (The file management interface of iCatch DVR firmware before 20200103 c ...)
 	NOT-FOR-US: iCatch DVR
-CVE-2020-10512 (HGiga C&Cmail contains a SQL Injection vulnerability which allows  ...)
+CVE-2020-10512 (HGiga C&Cmail CCMAILQ before olln-calendar-6.0-100.i386.rpm and CC ...)
 	NOT-FOR-US: HGiga C&Cmail
-CVE-2020-10511 (HGiga C&Cmail contains insecure configurations. Attackers can expl ...)
+CVE-2020-10511 (HGiga C&Cmail CCMAILQ before olln-base-6.0-418.i386.rpm and CCMAIL ...)
 	NOT-FOR-US: HGiga C&Cmail
 CVE-2020-10510 (Sunnet eHRD, a human training and development management system, conta ...)
 	NOT-FOR-US: Sunnet eHRD
@@ -6043,11 +6284,11 @@ CVE-2020-10509 (Sunnet eHRD, a human training and development management system,
 	NOT-FOR-US: Sunnet eHRD
 CVE-2020-10508 (Sunnet eHRD, a human training and development management system, impro ...)
 	NOT-FOR-US: Sunnet eHRD
-CVE-2020-10507 (The School Manage System, developed by ALLE INFORMATION CO., LTD., con ...)
+CVE-2020-10507 (The School Manage System before 2020, developed by ALLE INFORMATION CO ...)
 	NOT-FOR-US: The School Manage System
-CVE-2020-10506 (The School Manage System, developed by ALLE INFORMATION CO., LTD., con ...)
+CVE-2020-10506 (The School Manage System before 2020, developed by ALLE INFORMATION CO ...)
 	NOT-FOR-US: The School Manage System
-CVE-2020-10505 (The School Manage System, developed by ALLE INFORMATION CO., LTD., con ...)
+CVE-2020-10505 (The School Manage System before 2020, developed by ALLE INFORMATION CO ...)
 	NOT-FOR-US: The School Manage System
 CVE-2020-10504 (CSRF in admin/edit-comments.php in Chadha PHPKB Standard Multi-Languag ...)
 	NOT-FOR-US: Chadha PHPKB
@@ -8521,8 +8762,8 @@ CVE-2020-9389
 	RESERVED
 CVE-2020-9388
 	RESERVED
-CVE-2020-9387
-	RESERVED
+CVE-2020-9387 (In Mahara 19.04 before 19.04.5 and 19.10 before 19.10.3, account detai ...)
+	TODO: check
 CVE-2020-9386 (In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 before ...)
 	- mahara <removed>
 CVE-2020-9391 (An issue was discovered in the Linux kernel 5.4 and 5.5 through 5.5.6  ...)
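Review bot: CVE-2020-9387 is marked `TODO: check`, but the adjacent CVE-2020-9386, also a Mahara 19.04/19.10 issue, is already resolved as `- mahara <removed>`; the new entry very likely takes the same status, so it should be triaged against that existing entry rather than left open.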
@@ -15175,8 +15416,8 @@ CVE-2020-6581 (Nagios NRPE 3.2.1 has Insufficient Filtering because, for example
 	NOTE: https://github.com/NagiosEnterprises/nrpe/commit/0db345444d0dcb3e37cca1bcbb0027dcbb764197 (part for proper processing of nasty_metachars)
 CVE-2020-6580
 	RESERVED
-CVE-2020-6579
-	RESERVED
+CVE-2020-6579 (Cross-site scripting (XSS) vulnerability in mailhive/cloudbeez/cloudlo ...)
+	TODO: check
 CVE-2020-6578
 	RESERVED
 CVE-2020-6577
@@ -16501,8 +16742,8 @@ CVE-2020-6012
 	RESERVED
 CVE-2020-6011
 	RESERVED
-CVE-2020-6010
-	RESERVED
+CVE-2020-6010 (LearnPress Wordpress plugin version prior and including 3.2.6.7 is vul ...)
+	TODO: check
 CVE-2020-6009 (LearnDash Wordpress plugin version below 3.1.6 is vulnerable to Unauth ...)
 	NOT-FOR-US: LearnDash Wordpress plugin
 CVE-2020-6008 (LifterLMS Wordpress plugin version below 3.37.15 is vulnerable to arbi ...)
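Review bot: CVE-2020-6010 (LearnPress Wordpress plugin) is left at `TODO: check` while the two entries that follow it, LearnDash and LifterLMS, both Wordpress plugins, are resolved as `NOT-FOR-US: ... Wordpress plugin`; unless the plugin is packaged, this entry should get the same treatment so the three remain consistent.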
@@ -18216,7 +18457,7 @@ CVE-2020-5239 (In Mailu before version 1.7, an authenticated user can exploit a
 	NOT-FOR-US: Mailu
 CVE-2020-5238
 	RESERVED
-CVE-2020-5237 (oneup/uploader-bundle before 1.9.3 and 2.1.5, can be exploited to uplo ...)
+CVE-2020-5237 (Multiple relative path traversal vulnerabilities in the oneup/uploader ...)
 	NOT-FOR-US: oneup/uploader-bundle
 CVE-2020-5236 (Waitress version 1.4.2 allows a DOS attack When waitress receives a he ...)
 	- waitress <not-affected> (Vulnerable code introduced later)
@@ -28238,8 +28479,7 @@ CVE-2020-1753 (A security flaw was found in Ansible Engine, all Ansible 2.7.x ve
 	NOTE: https://github.com/ansible-collections/kubernetes/pull/51
 	NOTE: Fixing commit only introduces a warning about disclosure when using certain
 	NOTE: options.
-CVE-2020-1752 [use-after-free in glob() function when expanding ~user]
-	RESERVED
+CVE-2020-1752 (A use-after-free vulnerability introduced in glibc upstream version 2. ...)
 	- glibc 2.30-3 (bug #953788)
 	[buster] - glibc <no-dsa> (Minor issue)
 	[stretch] - glibc <no-dsa> (Minor issue)
@@ -28913,18 +29153,18 @@ CVE-2019-19221 (In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_
 	[jessie] - libarchive <no-dsa> (Minor issue)
 	NOTE: https://github.com/libarchive/libarchive/commit/22b1db9d46654afc6f0c28f90af8cdc84a199f41
 	NOTE: https://github.com/libarchive/libarchive/issues/1276
-CVE-2019-19220
-	RESERVED
-CVE-2019-19219
-	RESERVED
-CVE-2019-19218
-	RESERVED
-CVE-2019-19217
-	RESERVED
-CVE-2019-19216
-	RESERVED
-CVE-2019-19215
-	RESERVED
+CVE-2019-19220 (BMC Control-M/Agent 7.0.00.000 allows OS Command Injection (issue 2 of ...)
+	TODO: check
+CVE-2019-19219 (BMC Control-M/Agent 7.0.00.000 allows Arbitrary File Download. ...)
+	TODO: check
+CVE-2019-19218 (BMC Control-M/Agent 7.0.00.000 has Insecure Password Storage. ...)
+	TODO: check
+CVE-2019-19217 (BMC Control-M/Agent 7.0.00.000 allows OS Command Injection. ...)
+	TODO: check
+CVE-2019-19216 (BMC Control-M/Agent 7.0.00.000 has an Insecure File Copy. ...)
+	TODO: check
+CVE-2019-19215 (A buffer overflow vulnerability in BMC Control-M/Agent 7.0.00.000 when ...)
+	TODO: check
 CVE-2019-19214
 	RESERVED
 CVE-2019-19213
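Review bot: the six new BMC Control-M/Agent 7.0.00.000 entries (CVE-2019-19215 through CVE-2019-19220) are all left at `TODO: check`; since they cover a single product and version they can be triaged as one batch and resolved to a single consistent status, following the pattern used elsewhere in this diff for multi-CVE products such as the iCatch DVR and HGiga C&Cmail entries, which are resolved uniformly as `NOT-FOR-US:`.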
@@ -124084,7 +124324,7 @@ CVE-2017-1000507 (Canvs Canvas version 3.4.2 contains a Cross Site Scripting (XS
 CVE-2017-1000506 (Mautic version 2.11.0 and earlier contains a Cross Site Scripting (XSS ...)
 	NOT-FOR-US: Mautic
 CVE-2016-10711 (Apsis Pound before 2.8a allows request smuggling via crafted headers,  ...)
-	{DLA-1280-1}
+	{DLA-2196-1 DLA-1280-1}
 	[experimental] - pound 2.8-1+patrodyne20190113
 	- pound 2.8-2 (bug #888786)
 	[stretch] - pound 2.7-1.3+deb9u1
@@ -124582,12 +124822,14 @@ CVE-2018-6198 (w3m through 0.5.3 does not properly handle temporary files when t
 	NOTE: https://github.com/tats/w3m/commit/18dcbadf2771cdb0c18509b14e4e73505b242753
 	NOTE: Neutralised by kernel hardening
 CVE-2018-6197 (w3m through 0.5.3 is prone to a NULL pointer dereference flaw in formU ...)
+	{DLA-2195-1}
 	- w3m 0.5.3-36 (low)
 	[stretch] - w3m 0.5.3-34+deb9u1
 	[wheezy] - w3m <no-dsa> (Minor issue)
 	NOTE: https://github.com/tats/w3m/issues/89
 	NOTE: https://github.com/tats/w3m/commit/7fdc83b0364005a0b5ed869230dd81752ba022e8
 CVE-2018-6196 (w3m through 0.5.3 is prone to an infinite recursion flaw in HTMLlinepr ...)
+	{DLA-2195-1}
 	- w3m 0.5.3-36 (low)
 	[stretch] - w3m 0.5.3-34+deb9u1
 	[wheezy] - w3m <no-dsa> (Minor issue)
@@ -166778,7 +167020,7 @@ CVE-2016-10376 (Gajim through 0.16.7 unconditionally implements the "XEP-0146: R
 	NOTE: https://dev.gajim.org/gajim/gajim/commit/cb65cfc5aed9efe05208ebbb7fb2d41fcf7253cc
 	NOTE: https://dev.gajim.org/gajim/gajim/issues/8378
 CVE-2016-10375 (Yodl before 3.07.01 has a Buffer Over-read in the queue_push function  ...)
-	{DLA-976-1}
+	{DLA-2194-1 DLA-976-1}
 	- yodl 3.07.01-1
 	NOTE: https://github.com/fbb-git/yodl/issues/1
 	NOTE: https://github.com/fbb-git/yodl/commit/fd85f8c94182558ff1480d06a236d6fb927979a3
@@ -168285,7 +168527,7 @@ CVE-2017-8800
 CVE-2017-8799 (Untrusted input execution via igetwild in all iRODS versions before 4. ...)
 	NOT-FOR-US: iRODS
 CVE-2017-8798 (Integer signedness error in MiniUPnP MiniUPnPc v1.4.20101221 through v ...)
-	{DLA-949-1}
+	{DLA-2197-1 DLA-949-1}
 	- miniupnpc 1.9.20140610-3 (bug #862273)
 	NOTE: https://github.com/tintinweb/pub/blob/master/pocs/cve-2017-8798/Readme.md
 	NOTE: Fixed by: https://github.com/miniupnp/miniupnp/commit/f0f1f4b22d6a98536377a1bb07e7c20e4703d229



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc07cc5b0e1047382bd03e378fd496956932895d
