[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Mon Aug 24 21:10:27 BST 2020
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
93edc9ba by security tracker role at 2020-08-24T20:10:19+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,25 @@
+CVE-2020-24608
+ RESERVED
+CVE-2020-24607
+ RESERVED
+CVE-2020-24605
+ RESERVED
+CVE-2020-24604
+ RESERVED
+CVE-2020-24603
+ RESERVED
+CVE-2020-24602
+ RESERVED
+CVE-2020-24601
+ RESERVED
+CVE-2020-24600
+ RESERVED
+CVE-2020-24599
+ RESERVED
+CVE-2020-24598
+ RESERVED
+CVE-2020-24597
+ RESERVED
CVE-2020-24596
RESERVED
CVE-2020-24595
@@ -474,7 +496,7 @@ CVE-2020-24369 (ldebug.c in Lua 5.4.0 attempts to access debug information via t
NOTE: https://github.com/lua/lua/commit/ae5b5ba529753c7a653901ffc29b5ea24c3fdf3a
NOTE: https://www.lua.org/bugs.html#5.4.0-12
CVE-2020-24368 (Icinga Icinga Web2 2.0.0 through 2.6.4, 2.7.4 and 2.8.2 has a Director ...)
- {DSA-4747-1}
+ {DSA-4747-1 DLA-2343-1}
- icingaweb2 2.8.2-1 (bug #968833)
NOTE: https://icinga.com/2020/08/19/icinga-web-security-release-v2-6-4-v2-7-4-and-v2-8-2/
NOTE: https://github.com/Icinga/icingaweb2/issues/4226
@@ -486,8 +508,8 @@ CVE-2020-24366
RESERVED
CVE-2020-24365
RESERVED
-CVE-2020-24364
- RESERVED
+CVE-2020-24364 (MineTime through 1.8.5 allows XSS via the notes field in a meeting inv ...)
+ TODO: check
CVE-2020-24363
RESERVED
CVE-2016-11085 (php/qmn_options_questions_tab.php in the quiz-master-next plugin befor ...)
@@ -864,8 +886,8 @@ CVE-2020-24188
RESERVED
CVE-2020-24187
RESERVED
-CVE-2020-24186
- RESERVED
+CVE-2020-24186 (A Remote Code Execution vulnerability exists in the gVectors wpDiscuz ...)
+ TODO: check
CVE-2020-24185
RESERVED
CVE-2020-24184
@@ -9454,36 +9476,36 @@ CVE-2020-19893
RESERVED
CVE-2020-19892
RESERVED
-CVE-2020-19891
- RESERVED
-CVE-2020-19890
- RESERVED
-CVE-2020-19889
- RESERVED
-CVE-2020-19888
- RESERVED
-CVE-2020-19887
- RESERVED
-CVE-2020-19886
- RESERVED
-CVE-2020-19885
- RESERVED
-CVE-2020-19884
- RESERVED
-CVE-2020-19883
- RESERVED
-CVE-2020-19882
- RESERVED
-CVE-2020-19881
- RESERVED
-CVE-2020-19880
- RESERVED
-CVE-2020-19879
- RESERVED
-CVE-2020-19878
- RESERVED
-CVE-2020-19877
- RESERVED
+CVE-2020-19891 (DBHcms v1.2.0 has an Arbitrary file write vulnerability in dbhcms\mod\ ...)
+ TODO: check
+CVE-2020-19890 (DBHcms v1.2.0 has an Arbitrary file read vulnerability in dbhcms\mod\m ...)
+ TODO: check
+CVE-2020-19889 (DBHcms v1.2.0 has no CSRF protection mechanism,as demonstrated by CSRF ...)
+ TODO: check
+CVE-2020-19888 (DBHcms v1.2.0 has an unauthorized operation vulnerability because ther ...)
+ TODO: check
+CVE-2020-19887 (DBHcms v1.2.0 has a stored XSS vulnerability as there is no htmlspecia ...)
+ TODO: check
+CVE-2020-19886 (DBHcms v1.2.0 has no CSRF protection mechanism,as demonstrated by CSRF ...)
+ TODO: check
+CVE-2020-19885 (DBHcms v1.2.0 has a stored xss vulnerability as there is no htmlspecia ...)
+ TODO: check
+CVE-2020-19884 (DBHcms v1.2.0 has a stored xss vulnerability as there is no htmlspecia ...)
+ TODO: check
+CVE-2020-19883 (DBHcms v1.2.0 has a stored xss vulnerability as there is no security f ...)
+ TODO: check
+CVE-2020-19882 (DBHcms v1.2.0 has a stored xss vulnerability as there is no htmlspecia ...)
+ TODO: check
+CVE-2020-19881 (DBHcms v1.2.0 has a reflected xss vulnerability as there is no securit ...)
+ TODO: check
+CVE-2020-19880 (DBHcms v1.2.0 has a stored xss vulnerability as there is no htmlspecia ...)
+ TODO: check
+CVE-2020-19879 (DBHcms v1.2.0 has a stored xss vulnerability as there is no security f ...)
+ TODO: check
+CVE-2020-19878 (DBHcms v1.2.0 has a sensitive information leaks vulnerability as there ...)
+ TODO: check
+CVE-2020-19877 (DBHcms v1.2.0 has a directory traversal vulnerability as there is no d ...)
+ TODO: check
CVE-2020-19876
RESERVED
CVE-2020-19875
@@ -17857,7 +17879,7 @@ CVE-2020-15811
- squid3 <removed>
NOTE: https://github.com/squid-cache/squid/security/advisories/GHSA-c7p8-xqhm-49wv
NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/SQUID-2020_8.patch
-CVE-2020-24606 [SQUID-2020:9 Denial of Service processing Cache Digest Response]
+CVE-2020-24606 (Squid before 4.13 and 5.x before 5.0.4 allows a trusted peer to perfor ...)
- squid 4.13-1 (bug #968933)
- squid3 <removed>
NOTE: https://github.com/squid-cache/squid/security/advisories/GHSA-vvj7-xjgq-g2jg
@@ -21524,8 +21546,7 @@ CVE-2020-14369
RESERVED
CVE-2020-14368
RESERVED
-CVE-2020-14367 [Insecure writing to PID file]
- RESERVED
+CVE-2020-14367 (A flaw was found in chrony versions before 3.5.1 when creating the PID ...)
- chrony 3.5.1-1 (unimportant)
NOTE: https://www.openwall.com/lists/oss-security/2020/08/21/1
NOTE: Fixed by: https://git.tuxfamily.org/chrony/chrony.git/commit/util.c?id=7a4c396bba8f92a3ee8018620983529152050c74 (4.0-pre1)
@@ -21576,8 +21597,7 @@ CVE-2020-14352
NOT-FOR-US: librepo
CVE-2020-14351
RESERVED
-CVE-2020-14350
- RESERVED
+CVE-2020-14350 (It was found that some PostgreSQL extensions did not use search_path s ...)
{DLA-2331-1}
- postgresql-12 12.4-1
- postgresql-11 <removed>
@@ -21585,8 +21605,7 @@ CVE-2020-14350
- postgresql-9.6 <removed>
NOTE: https://www.postgresql.org/about/news/2060/
NOTE: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=7eeb1d9861b0a3f453f8b31c7648396cdd7f1e59
-CVE-2020-14349
- RESERVED
+CVE-2020-14349 (It was found that PostgreSQL versions before 12.4, before 11.9 and bef ...)
- postgresql-12 12.4-1
- postgresql-11 <removed>
[buster] - postgresql-11 <no-dsa> (Minor issue; will be fixed via point release)
@@ -22403,10 +22422,10 @@ CVE-2020-14046
RESERVED
CVE-2020-14045
RESERVED
-CVE-2020-14044
- RESERVED
-CVE-2020-14043
- RESERVED
+CVE-2020-14044 (** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Server-Side Request Forger ...)
+ TODO: check
+CVE-2020-14043 (** PRODUCT NOT SUPPORTED WHEN ASSIGNED ** A Cross Side Request Forgery ...)
+ TODO: check
CVE-2020-14042
RESERVED
CVE-2020-14041
@@ -32226,8 +32245,7 @@ CVE-2020-10777 (A cross-site scripting flaw was found in Report Menu feature of
NOT-FOR-US: Red Hat CloudForm
CVE-2020-10776
RESERVED
-CVE-2020-10775
- RESERVED
+CVE-2020-10775 (An Open redirect vulnerability was found in ovirt-engine versions 4.4 ...)
NOT-FOR-US: ovirt-engine
CVE-2020-10774
RESERVED
@@ -33783,7 +33801,7 @@ CVE-2020-10190 (An issue was discovered in MunkiReport before 5.3.0. An authenti
CVE-2020-10189 (Zoho ManageEngine Desktop Central before 10.0.474 allows remote code e ...)
NOT-FOR-US: Zoho ManageEngine
CVE-2020-10188 (utility.c in telnetd in netkit telnet through 0.17 allows remote attac ...)
- {DLA-2176-1}
+ {DLA-2341-1 DLA-2176-1}
- inetutils 2:1.9.4-12 (bug #956084)
- netkit-telnet 0.17-18woody2 (bug #953477)
- netkit-telnet-ssl 0.17.17+0.1-2woody3 (bug #953478)
@@ -39582,8 +39600,8 @@ CVE-2020-7833
RESERVED
CVE-2020-7832
RESERVED
-CVE-2020-7831
- RESERVED
+CVE-2020-7831 (A vulnerability in the web-based contract management service interface ...)
+ TODO: check
CVE-2020-7830
RESERVED
CVE-2020-7829 (DaviewIndy 8.98.4 and earlier version contain Heap-based overflow vuln ...)
@@ -39835,8 +39853,8 @@ CVE-2020-7707 (The package property-expr before 2.0.3 are vulnerable to Prototyp
NOT-FOR-US: Node property-expr
CVE-2020-7706 (The package connie-lang before 0.1.1 are vulnerable to Prototype Pollu ...)
NOT-FOR-US: Node connie-lang
-CVE-2020-7705
- RESERVED
+CVE-2020-7705 (This affects the package MintegralAdSDK from 0.0.0. The SDK distribute ...)
+ TODO: check
CVE-2020-7704 (The package linux-cmdline before 1.0.1 are vulnerable to Prototype Pol ...)
NOT-FOR-US: Node linux-cmdline
CVE-2020-7703 (All versions of package nis-utils are vulnerable to Prototype Pollutio ...)
@@ -39868,7 +39886,7 @@ CVE-2020-7692 (PKCE support is not implemented in accordance with the RFC for OA
NOTE: https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824
CVE-2020-7691 (In all versions of the package jspdf, it is possible to use <<sc ...)
NOT-FOR-US: jspdf
-CVE-2020-7690 (In all versions of package jspdf, it is possible to inject JavaScript ...)
+CVE-2020-7690 (All affected versions <2.0.0 of package jspdf are vulnerable to Cro ...)
NOT-FOR-US: jspdf
CVE-2020-7689 (Data is truncated wrong when its length is greater than 255 bytes. ...)
NOT-FOR-US: Node bcrypt
@@ -42398,8 +42416,8 @@ CVE-2020-6639
RESERVED
CVE-2020-6638 (Grin through 2.1.1 has Insufficient Validation. ...)
NOT-FOR-US: Grin
-CVE-2020-6637
- RESERVED
+CVE-2020-6637 (openSIS Community Edition version 7.3 is vulnerable to SQL injection v ...)
+ TODO: check
CVE-2020-6636
RESERVED
CVE-2020-6635
@@ -47698,8 +47716,8 @@ CVE-2020-4600
RESERVED
CVE-2020-4599
RESERVED
-CVE-2020-4598
- RESERVED
+CVE-2020-4598 (IBM Security Guardium Insights 2.0.1 could allow a remote attacker to ...)
+ TODO: check
CVE-2020-4597
RESERVED
CVE-2020-4596
@@ -47708,8 +47726,8 @@ CVE-2020-4595
RESERVED
CVE-2020-4594
RESERVED
-CVE-2020-4593
- RESERVED
+CVE-2020-4593 (IBM Security Guardium Insights 2.0.1 stores user credentials in plain ...)
+ TODO: check
CVE-2020-4592
RESERVED
CVE-2020-4591
@@ -47720,8 +47738,8 @@ CVE-2020-4589 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could all
NOT-FOR-US: IBM
CVE-2020-4588
RESERVED
-CVE-2020-4587
- RESERVED
+CVE-2020-4587 (IBM Sterling Connect:Direct for UNIX 4.2.0, 4.3.0, 6.0.0, and 6.1.0 is ...)
+ TODO: check
CVE-2020-4586
RESERVED
CVE-2020-4585
@@ -48128,10 +48146,10 @@ CVE-2020-4385 (IBM Verify Gateway (IVG) 1.0.0 and 1.0.1 contains hard-coded cred
NOT-FOR-US: IBM
CVE-2020-4384 (IBM InfoSphere Information Server 11.3, 11.5, and 11.7 is vulnerable t ...)
NOT-FOR-US: IBM
-CVE-2020-4383
- RESERVED
-CVE-2020-4382
- RESERVED
+CVE-2020-4383 (IBM Spectrum Scale for IBM Elastic Storage Server 5.3.0 through 5.3.5 ...)
+ TODO: check
+CVE-2020-4382 (IBM Spectrum Scale for IBM Elastic Storage Server 5.3.0 through 5.3.5 ...)
+ TODO: check
CVE-2020-4381 (IBM Spectrum Scale for IBM Elastic Storage Server 5.3.0 through 5.3.6 ...)
NOT-FOR-US: IBM
CVE-2020-4380 (IBM Workload Scheduler 9.3.0.4 is vulnerable to cross-site scripting. ...)
@@ -48554,8 +48572,8 @@ CVE-2020-4172
RESERVED
CVE-2020-4171
RESERVED
-CVE-2020-4170
- RESERVED
+CVE-2020-4170 (IBM Security Guardium Insights 2.0.1 is vulnerable to cross-site reque ...)
+ TODO: check
CVE-2020-4169
RESERVED
CVE-2020-4168
@@ -48564,8 +48582,8 @@ CVE-2020-4167
RESERVED
CVE-2020-4166
RESERVED
-CVE-2020-4165
- RESERVED
+CVE-2020-4165 (IBM Security Guardium Insights 2.0.1 could allow a remote attacker to ...)
+ TODO: check
CVE-2020-4164 (IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0. ...)
NOT-FOR-US: IBM
CVE-2020-4163 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, under special ...)
@@ -87348,7 +87366,7 @@ CVE-2019-10173 (It was found that xstream API version 1.4.10 before 1.4.11 intro
NOTE: http://x-stream.github.io/changes.html#1.4.11
NOTE: Regression introduced and present only in 1.4.10.
CVE-2019-10172 (A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libr ...)
- {DLA-2091-1}
+ {DLA-2342-1 DLA-2091-1}
- libjackson-json-java <unfixed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1715075
NOTE: https://stackoverflow.com/questions/38017676/small-fix-for-cve-2016-3720-with-older-versions-of-jackson-all-1-9-11-and-in-ja/38017721
@@ -164858,8 +164876,8 @@ CVE-2018-1987 (IBM Spectrum Protect for Enterprise Resource Planning 7.1 and 8.1
NOT-FOR-US: IBM
CVE-2018-1986
RESERVED
-CVE-2018-1985
- RESERVED
+CVE-2018-1985 (IBM Trusteer Rapport/Apex 3.6.1908.22 contains an unused legacy driver ...)
+ TODO: check
CVE-2018-1984 (IBM Rational Team Concert 5.0 through 6.0.6 is vulnerable to cross-sit ...)
NOT-FOR-US: IBM
CVE-2018-1983 (IBM Rational Team Concert 5.0 through 6.0.6 is vulnerable to cross-sit ...)
@@ -177197,7 +177215,7 @@ CVE-2017-15096 (A flaw was found in GlusterFS in versions prior to 3.10. A null
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1502928
NOTE: Fixed by: http://git.gluster.org/cgit/glusterfs.git/commit/?id=1f48d17fee0cac95648ec34d13f038b27ef5c6ac
CVE-2017-15095 (A deserialization flaw was discovered in the jackson-databind in versi ...)
- {DSA-4037-1 DLA-2091-1}
+ {DSA-4037-1 DLA-2342-1 DLA-2091-1}
- jackson-databind 2.9.1-1
- libjackson-json-java <unfixed>
NOTE: The Debian upload for stretch (2.8.6-1+deb9u1) and jessie (2.4.2-2+deb8u1)
@@ -200436,7 +200454,7 @@ CVE-2017-7526 (libgcrypt before version 1.7.8 is vulnerable to a cache side-chan
NOTE: GnuPG: https://dev.gnupg.org/rC8725c99ffa41778f382ca97233183bcd687bb0ce
NOTE: GnuPG1: https://dev.gnupg.org/D438
CVE-2017-7525 (A deserialization flaw was discovered in the jackson-databind, version ...)
- {DSA-4004-1 DLA-2091-1}
+ {DSA-4004-1 DLA-2342-1 DLA-2091-1}
- jackson-databind 2.9.1-1 (bug #870848)
- libjackson-json-java <unfixed>
NOTE: https://github.com/FasterXML/jackson-databind/issues/1599
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93edc9ba7c7de6c174204560b5f853994f9db9d9
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93edc9ba7c7de6c174204560b5f853994f9db9d9
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200824/c51f8015/attachment.html>
More information about the debian-security-tracker-commits
mailing list