[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Mon Aug 24 21:10:27 BST 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
93edc9ba by security tracker role at 2020-08-24T20:10:19+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,25 @@
+CVE-2020-24608
+	RESERVED
+CVE-2020-24607
+	RESERVED
+CVE-2020-24605
+	RESERVED
+CVE-2020-24604
+	RESERVED
+CVE-2020-24603
+	RESERVED
+CVE-2020-24602
+	RESERVED
+CVE-2020-24601
+	RESERVED
+CVE-2020-24600
+	RESERVED
+CVE-2020-24599
+	RESERVED
+CVE-2020-24598
+	RESERVED
+CVE-2020-24597
+	RESERVED
 CVE-2020-24596
 	RESERVED
 CVE-2020-24595
@@ -474,7 +496,7 @@ CVE-2020-24369 (ldebug.c in Lua 5.4.0 attempts to access debug information via t
 	NOTE: https://github.com/lua/lua/commit/ae5b5ba529753c7a653901ffc29b5ea24c3fdf3a
 	NOTE: https://www.lua.org/bugs.html#5.4.0-12
 CVE-2020-24368 (Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Director ...)
-	{DSA-4747-1}
+	{DSA-4747-1 DLA-2343-1}
 	- icingaweb2 2.8.2-1 (bug #968833)
 	NOTE: https://icinga.com/2020/08/19/icinga-web-security-release-v2-6-4-v2-7-4-and-v2-8-2/
 	NOTE: https://github.com/Icinga/icingaweb2/issues/4226
@@ -486,8 +508,8 @@ CVE-2020-24366
 	RESERVED
 CVE-2020-24365
 	RESERVED
-CVE-2020-24364
-	RESERVED
+CVE-2020-24364 (MineTime through 1.8.5 allows XSS via the notes field in a meeting inv ...)
+	TODO: check
 CVE-2020-24363
 	RESERVED
 CVE-2016-11085 (php/qmn_options_questions_tab.php in the quiz-master-next plugin befor ...)
@@ -864,8 +886,8 @@ CVE-2020-24188
 	RESERVED
 CVE-2020-24187
 	RESERVED
-CVE-2020-24186
-	RESERVED
+CVE-2020-24186 (A Remote Code Execution vulnerability exists in the gVectors wpDiscuz  ...)
+	TODO: check
 CVE-2020-24185
 	RESERVED
 CVE-2020-24184
@@ -9454,36 +9476,36 @@ CVE-2020-19893
 	RESERVED
 CVE-2020-19892
 	RESERVED
-CVE-2020-19891
-	RESERVED
-CVE-2020-19890
-	RESERVED
-CVE-2020-19889
-	RESERVED
-CVE-2020-19888
-	RESERVED
-CVE-2020-19887
-	RESERVED
-CVE-2020-19886
-	RESERVED
-CVE-2020-19885
-	RESERVED
-CVE-2020-19884
-	RESERVED
-CVE-2020-19883
-	RESERVED
-CVE-2020-19882
-	RESERVED
-CVE-2020-19881
-	RESERVED
-CVE-2020-19880
-	RESERVED
-CVE-2020-19879
-	RESERVED
-CVE-2020-19878
-	RESERVED
-CVE-2020-19877
-	RESERVED
+CVE-2020-19891 (DBHcms v1.2.0 has an Arbitrary file write vulnerability in dbhcms\mod\ ...)
+	TODO: check
+CVE-2020-19890 (DBHcms v1.2.0 has an Arbitrary file read vulnerability in dbhcms\mod\m ...)
+	TODO: check
+CVE-2020-19889 (DBHcms v1.2.0 has no CSRF protection mechanism,as demonstrated by CSRF ...)
+	TODO: check
+CVE-2020-19888 (DBHcms v1.2.0 has an unauthorized operation vulnerability because ther ...)
+	TODO: check
+CVE-2020-19887 (DBHcms v1.2.0 has a stored XSS vulnerability as there is no htmlspecia ...)
+	TODO: check
+CVE-2020-19886 (DBHcms v1.2.0 has no CSRF protection mechanism,as demonstrated by CSRF ...)
+	TODO: check
+CVE-2020-19885 (DBHcms v1.2.0 has a stored xss vulnerability as there is no htmlspecia ...)
+	TODO: check
+CVE-2020-19884 (DBHcms v1.2.0 has a stored xss vulnerability as there is no htmlspecia ...)
+	TODO: check
+CVE-2020-19883 (DBHcms v1.2.0 has a stored xss vulnerability as there is no security f ...)
+	TODO: check
+CVE-2020-19882 (DBHcms v1.2.0 has a stored xss vulnerability as there is no htmlspecia ...)
+	TODO: check
+CVE-2020-19881 (DBHcms v1.2.0 has a reflected xss vulnerability as there is no securit ...)
+	TODO: check
+CVE-2020-19880 (DBHcms v1.2.0 has a stored xss vulnerability as there is no htmlspecia ...)
+	TODO: check
+CVE-2020-19879 (DBHcms v1.2.0 has a stored xss vulnerability as there is no security f ...)
+	TODO: check
+CVE-2020-19878 (DBHcms v1.2.0 has a sensitive information leaks vulnerability as there ...)
+	TODO: check
+CVE-2020-19877 (DBHcms v1.2.0 has a directory traversal vulnerability as there is no d ...)
+	TODO: check
 CVE-2020-19876
 	RESERVED
 CVE-2020-19875
@@ -17857,7 +17879,7 @@ CVE-2020-15811
 	- squid3 <removed>
 	NOTE: https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv
 	NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_8.patch
-CVE-2020-24606 [SQUID-2020:9 Denial of Service processing Cache Digest Response]
+CVE-2020-24606 (Squid before 4.13 and 5.x before 5.0.4 allows a trusted peer to perfor ...)
 	- squid 4.13-1 (bug #968933)
 	- squid3 <removed>
 	NOTE: https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg
@@ -21524,8 +21546,7 @@ CVE-2020-14369
 	RESERVED
 CVE-2020-14368
 	RESERVED
-CVE-2020-14367 [Insecure writing to PID file]
-	RESERVED
+CVE-2020-14367 (A flaw was found in chrony versions before 3.5.1 when creating the PID ...)
 	- chrony 3.5.1-1 (unimportant)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/08/21/1
 	NOTE: Fixed by: https://git.tuxfamily.org/chrony/chrony.git/commit/util.c?id=7a4c396bba8f92a3ee8018620983529152050c74 (4.0-pre1)
@@ -21576,8 +21597,7 @@ CVE-2020-14352
 	NOT-FOR-US: librepo
 CVE-2020-14351
 	RESERVED
-CVE-2020-14350
-	RESERVED
+CVE-2020-14350 (It was found that some PostgreSQL extensions did not use search_path s ...)
 	{DLA-2331-1}
 	- postgresql-12 12.4-1
 	- postgresql-11 <removed>
@@ -21585,8 +21605,7 @@ CVE-2020-14350
 	- postgresql-9.6 <removed>
 	NOTE: https://www.postgresql.org/about/news/2060/
 	NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=7eeb1d9861b0a3f453f8b31c7648396cdd7f1e59
-CVE-2020-14349
-	RESERVED
+CVE-2020-14349 (It was found that PostgreSQL versions before 12.4, before 11.9 and bef ...)
 	- postgresql-12 12.4-1
 	- postgresql-11 <removed>
 	[buster] - postgresql-11 <no-dsa> (Minor issue; will be fixed via point release)
@@ -22403,10 +22422,10 @@ CVE-2020-14046
 	RESERVED
 CVE-2020-14045
 	RESERVED
-CVE-2020-14044
-	RESERVED
-CVE-2020-14043
-	RESERVED
+CVE-2020-14044 (** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Server-Side Request Forger ...)
+	TODO: check
+CVE-2020-14043 (** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Cross Side Request Forgery ...)
+	TODO: check
 CVE-2020-14042
 	RESERVED
 CVE-2020-14041
@@ -32226,8 +32245,7 @@ CVE-2020-10777 (A cross-site scripting flaw was found in Report Menu feature of
 	NOT-FOR-US: Red Hat CloudForm
 CVE-2020-10776
 	RESERVED
-CVE-2020-10775
-	RESERVED
+CVE-2020-10775 (An Open redirect vulnerability was found in ovirt-engine versions 4.4  ...)
 	NOT-FOR-US: ovirt-engine
 CVE-2020-10774
 	RESERVED
@@ -33783,7 +33801,7 @@ CVE-2020-10190 (An issue was discovered in MunkiReport before 5.3.0. An authenti
 CVE-2020-10189 (Zoho ManageEngine Desktop Central before 10.0.474 allows remote code e ...)
 	NOT-FOR-US: Zoho ManageEngine
 CVE-2020-10188 (utility.c in telnetd in netkit telnet through 0.17 allows remote attac ...)
-	{DLA-2176-1}
+	{DLA-2341-1 DLA-2176-1}
 	- inetutils 2:1.9.4-12 (bug #956084)
 	- netkit-telnet 0.17-18woody2 (bug #953477)
 	- netkit-telnet-ssl 0.17.17+0.1-2woody3 (bug #953478)
@@ -39582,8 +39600,8 @@ CVE-2020-7833
 	RESERVED
 CVE-2020-7832
 	RESERVED
-CVE-2020-7831
-	RESERVED
+CVE-2020-7831 (A vulnerability in the web-based contract management service interface ...)
+	TODO: check
 CVE-2020-7830
 	RESERVED
 CVE-2020-7829 (DaviewIndy 8.98.4 and earlier version contain Heap-based overflow vuln ...)
@@ -39835,8 +39853,8 @@ CVE-2020-7707 (The package property-expr before 2.0.3 are vulnerable to Prototyp
 	NOT-FOR-US: Node property-expr
 CVE-2020-7706 (The package connie-lang before 0.1.1 are vulnerable to Prototype Pollu ...)
 	NOT-FOR-US: Node connie-lang
-CVE-2020-7705
-	RESERVED
+CVE-2020-7705 (This affects the package MintegralAdSDK from 0.0.0. The SDK distribute ...)
+	TODO: check
 CVE-2020-7704 (The package linux-cmdline before 1.0.1 are vulnerable to Prototype Pol ...)
 	NOT-FOR-US: Node linux-cmdline
 CVE-2020-7703 (All versions of package nis-utils are vulnerable to Prototype Pollutio ...)
@@ -39868,7 +39886,7 @@ CVE-2020-7692 (PKCE support is not implemented in accordance with the RFC for OA
 	NOTE: https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824
 CVE-2020-7691 (In all versions of the package jspdf, it is possible to use <<sc ...)
 	NOT-FOR-US: jspdf
-CVE-2020-7690 (In all versions of package jspdf, it is possible to inject JavaScript  ...)
+CVE-2020-7690 (All affected versions <2.0.0 of package jspdf are vulnerable to Cro ...)
 	NOT-FOR-US: jspdf
 CVE-2020-7689 (Data is truncated wrong when its length is greater than 255 bytes. ...)
 	NOT-FOR-US: Node bcrypt
@@ -42398,8 +42416,8 @@ CVE-2020-6639
 	RESERVED
 CVE-2020-6638 (Grin through 2.1.1 has Insufficient Validation. ...)
 	NOT-FOR-US: Grin
-CVE-2020-6637
-	RESERVED
+CVE-2020-6637 (openSIS Community Edition version 7.3 is vulnerable to SQL injection v ...)
+	TODO: check
 CVE-2020-6636
 	RESERVED
 CVE-2020-6635
@@ -47698,8 +47716,8 @@ CVE-2020-4600
 	RESERVED
 CVE-2020-4599
 	RESERVED
-CVE-2020-4598
-	RESERVED
+CVE-2020-4598 (IBM Security Guardium Insights 2.0.1 could allow a remote attacker to  ...)
+	TODO: check
 CVE-2020-4597
 	RESERVED
 CVE-2020-4596
@@ -47708,8 +47726,8 @@ CVE-2020-4595
 	RESERVED
 CVE-2020-4594
 	RESERVED
-CVE-2020-4593
-	RESERVED
+CVE-2020-4593 (IBM Security Guardium Insights 2.0.1 stores user credentials in plain  ...)
+	TODO: check
 CVE-2020-4592
 	RESERVED
 CVE-2020-4591
@@ -47720,8 +47738,8 @@ CVE-2020-4589 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could all
 	NOT-FOR-US: IBM
 CVE-2020-4588
 	RESERVED
-CVE-2020-4587
-	RESERVED
+CVE-2020-4587 (IBM Sterling Connect:Direct for UNIX 4.2.0, 4.3.0, 6.0.0, and 6.1.0 is ...)
+	TODO: check
 CVE-2020-4586
 	RESERVED
 CVE-2020-4585
@@ -48128,10 +48146,10 @@ CVE-2020-4385 (IBM Verify Gateway (IVG) 1.0.0 and 1.0.1 contains hard-coded cred
 	NOT-FOR-US: IBM
 CVE-2020-4384 (IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable t ...)
 	NOT-FOR-US: IBM
-CVE-2020-4383
-	RESERVED
-CVE-2020-4382
-	RESERVED
+CVE-2020-4383 (IBM Spectrum Scale for IBM Elastic Storage Server 5.3.0 through 5.3.5  ...)
+	TODO: check
+CVE-2020-4382 (IBM Spectrum Scale for IBM Elastic Storage Server 5.3.0 through 5.3.5  ...)
+	TODO: check
 CVE-2020-4381 (IBM Spectrum Scale for IBM Elastic Storage Server 5.3.0 through 5.3.6  ...)
 	NOT-FOR-US: IBM
 CVE-2020-4380 (IBM Workload Scheduler 9.3.0.4 is vulnerable to cross-site scripting.  ...)
@@ -48554,8 +48572,8 @@ CVE-2020-4172
 	RESERVED
 CVE-2020-4171
 	RESERVED
-CVE-2020-4170
-	RESERVED
+CVE-2020-4170 (IBM Security Guardium Insights 2.0.1 is vulnerable to cross-site reque ...)
+	TODO: check
 CVE-2020-4169
 	RESERVED
 CVE-2020-4168
@@ -48564,8 +48582,8 @@ CVE-2020-4167
 	RESERVED
 CVE-2020-4166
 	RESERVED
-CVE-2020-4165
-	RESERVED
+CVE-2020-4165 (IBM Security Guardium Insights 2.0.1 could allow a remote attacker to  ...)
+	TODO: check
 CVE-2020-4164 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0. ...)
 	NOT-FOR-US: IBM
 CVE-2020-4163 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, under special ...)
@@ -87348,7 +87366,7 @@ CVE-2019-10173 (It was found that xstream API version 1.4.10 before 1.4.11 intro
 	NOTE: http://x-stream.github.io/changes.html#1.4.11
 	NOTE: Regression introduced and present only in 1.4.10.
 CVE-2019-10172 (A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libr ...)
-	{DLA-2091-1}
+	{DLA-2342-1 DLA-2091-1}
 	- libjackson-json-java <unfixed>
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1715075
 	NOTE: https://stackoverflow.com/questions/38017676/small-fix-for-cve-2016-3720-with-older-versions-of-jackson-all-1-9-11-and-in-ja/38017721
@@ -164858,8 +164876,8 @@ CVE-2018-1987 (IBM Spectrum Protect for Enterprise Resource Planning 7.1 and 8.1
 	NOT-FOR-US: IBM
 CVE-2018-1986
 	RESERVED
-CVE-2018-1985
-	RESERVED
+CVE-2018-1985 (IBM Trusteer Rapport/Apex 3.6.1908.22 contains an unused legacy driver ...)
+	TODO: check
 CVE-2018-1984 (IBM Rational Team Concert 5.0 through 6.0.6 is vulnerable to cross-sit ...)
 	NOT-FOR-US: IBM
 CVE-2018-1983 (IBM Rational Team Concert 5.0 through 6.0.6 is vulnerable to cross-sit ...)
@@ -177197,7 +177215,7 @@ CVE-2017-15096 (A flaw was found in GlusterFS in versions prior to 3.10. A null
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1502928
 	NOTE: Fixed by: http://git.gluster.org/cgit/glusterfs.git/commit/?id=1f48d17fee0cac95648ec34d13f038b27ef5c6ac
 CVE-2017-15095 (A deserialization flaw was discovered in the jackson-databind in versi ...)
-	{DSA-4037-1 DLA-2091-1}
+	{DSA-4037-1 DLA-2342-1 DLA-2091-1}
 	- jackson-databind 2.9.1-1
 	- libjackson-json-java <unfixed>
 	NOTE: The Debian upload for stretch (2.8.6-1+deb9u1) and jessie (2.4.2-2+deb8u1)
@@ -200436,7 +200454,7 @@ CVE-2017-7526 (libgcrypt before version 1.7.8 is vulnerable to a cache side-chan
 	NOTE: GnuPG: https://dev.gnupg.org/rC8725c99ffa41778f382ca97233183bcd687bb0ce
 	NOTE: GnuPG1: https://dev.gnupg.org/D438
 CVE-2017-7525 (A deserialization flaw was discovered in the jackson-databind, version ...)
-	{DSA-4004-1 DLA-2091-1}
+	{DSA-4004-1 DLA-2342-1 DLA-2091-1}
 	- jackson-databind 2.9.1-1 (bug #870848)
 	- libjackson-json-java <unfixed>
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/1599



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93edc9ba7c7de6c174204560b5f853994f9db9d9

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93edc9ba7c7de6c174204560b5f853994f9db9d9
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200824/c51f8015/attachment.html>


More information about the debian-security-tracker-commits mailing list