[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Tue Dec 8 08:10:36 GMT 2020 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6db70086 by security tracker role at 2020-12-08T08:10:19+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,5 +1,23 @@
-CVE-2020-29597
+CVE-2020-29606
 	RESERVED
+CVE-2020-29605
+	RESERVED
+CVE-2020-29604
+	RESERVED
+CVE-2020-29603
+	RESERVED
+CVE-2020-29602
+	RESERVED
+CVE-2020-29601
+	RESERVED
+CVE-2020-29600 (In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an absolute ...)
+	TODO: check
+CVE-2020-29599 (ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the - ...)
+	TODO: check
+CVE-2020-29598
+	RESERVED
+CVE-2020-29597 (IncomCMS 2.0 has a modules/uploader/showcase/script.php insecure file  ...)
+	TODO: check
 CVE-2020-29596
 	RESERVED
 CVE-2020-29595 (PlugIns\IDE_ACDStd.apl in ACDSee Photo Studio Studio Professional 2021 ...)
@@ -152,7 +170,7 @@ CVE-2020-29534 (An issue was discovered in the Linux kernel before 5.9.3. io_uri
 	[stretch] - linux <not-affected> (Vulnerable code not present)
 	NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2089
 	NOTE: https://git.kernel.org/linus/0f2122045b946241a9e549c2a76cea54fa58a7ff
-CVE-2020-29529 (HashiCorp go-slug before 0.5.0 does not address attempts at directory  ...)
+CVE-2020-29529 (HashiCorp go-slug up to 0.4.3 did not fully protect against Zip Slip a ...)
 	TODO: check
 CVE-2020-29528
 	RESERVED
@@ -1641,8 +1659,7 @@ CVE-2020-28937 (OpenClinic version 0.8.2 is affected by a missing authentication
 	NOT-FOR-US: OpenClinic
 CVE-2020-28936
 	RESERVED
-CVE-2020-28935
-	RESERVED
+CVE-2020-28935 (NLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs ...)
 	- unbound <unfixed>
 	[buster] - unbound <no-dsa> (Minor issue)
 	[stretch] - unbound <end-of-life> (DSA 4694-1)
@@ -1672,6 +1689,7 @@ CVE-2020-28928 (In musl libc through 1.2.1, wcsnrtombs mishandles particular com
 CVE-2020-28927 (There is a Stored XSS in Magicpin v2.1 in the User Registration sectio ...)
 	NOT-FOR-US: Magicpin
 CVE-2020-28926 (ReadyMedia (aka MiniDLNA) before versions 1.3.0 allows remote code exe ...)
+	{DSA-4806-1}
 	- minidlna <unfixed> (bug #976595)
 	NOTE: https://www.rootshellsecurity.net/remote-heap-corruption-bug-discovery-minidlna/
 	NOTE: https://sourceforge.net/p/minidlna/git/ci/9fba41008adebc1da0f4f6c6e27ae422ace3fe4a (v1_3_0)
@@ -6320,8 +6338,7 @@ CVE-2020-28008
 	RESERVED
 CVE-2020-28007
 	RESERVED
-CVE-2020-25692 [vulnerability with slapd normalization handling with modrdn]
-	RESERVED
+CVE-2020-25692 (A NULL pointer dereference was found in OpenLDAP server and was fixed  ...)
 	{DSA-4782-1 DLA-2425-1}
 	- openldap 2.4.55+dfsg-1
 	NOTE: https://bugs.openldap.org/show_bug.cgi?id=9370
@@ -6901,8 +6918,7 @@ CVE-2020-27824
 	RESERVED
 CVE-2020-27823
 	RESERVED
-CVE-2020-27822
-	RESERVED
+CVE-2020-27822 (A flaw was found in Wildfly affecting versions 19.0.0.Final, 19.1.0.Fi ...)
 	- wildfly <itp> (bug #752018)
 CVE-2020-27821 [heap buffer overflow in msix_table_mmio_write() in hw/pci/msix.c]
 	RESERVED
@@ -6916,8 +6932,7 @@ CVE-2020-27819 [NULL pointer dereference via crafted xls file]
 	RESERVED
 	- r-cran-readxl <not-affected> (Embeds libxls, but not affected)
 	NOTE: https://github.com/libxls/libxls/issues/84
-CVE-2020-27818
-	RESERVED
+CVE-2020-27818 (A flaw was found in the check_chunk_name() function of pngcheck-2.4.0. ...)
 	- pngcheck 2.3.0-13 (bug #976350)
 	[buster] - pngcheck <no-dsa> (Minor issue)
 	[stretch] - pngcheck <no-dsa> (Minor issue)
@@ -7875,7 +7890,7 @@ CVE-2020-27643
 CVE-2020-27642 (A cross-site scripting (XSS) vulnerability exists in the 'merge accoun ...)
 	NOT-FOR-US: BigBlueButton
 CVE-2020-27641
-	RESERVED
+	REJECTED
 CVE-2020-27640
 	RESERVED
 CVE-2020-27639
@@ -10926,8 +10941,8 @@ CVE-2020-26255
 	RESERVED
 CVE-2020-26254
 	RESERVED
-CVE-2020-26253
-	RESERVED
+CVE-2020-26253 (Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.3.6, and  ...)
+	TODO: check
 CVE-2020-26252
 	RESERVED
 CVE-2020-26251
@@ -12301,8 +12316,7 @@ CVE-2020-25678
 	RESERVED
 	- ceph <unfixed>
 	NOTE: https://tracker.ceph.com/issues/37503
-CVE-2020-25677
-	RESERVED
+CVE-2020-25677 (Ceph-ansible 4.0.34.1 creates /etc/ceph/iscsi-gateway.conf with insecu ...)
 	NOT-FOR-US: ceph Ansible module
 CVE-2020-25676
 	RESERVED
@@ -12532,14 +12546,14 @@ CVE-2020-25633 (A flaw was found in RESTEasy client in all versions of RESTEasy
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1879042
 CVE-2020-25632
 	RESERVED
-CVE-2020-25631
-	RESERVED
-CVE-2020-25630
-	RESERVED
-CVE-2020-25629
-	RESERVED
-CVE-2020-25628
-	RESERVED
+CVE-2020-25631 (A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 ...)
+	TODO: check
+CVE-2020-25630 (A vulnerability was found in Moodle where the decompressed size of zip ...)
+	TODO: check
+CVE-2020-25629 (A vulnerability was found in Moodle where users with "Log in as" capab ...)
+	TODO: check
+CVE-2020-25628 (The filter in the tag manager required extra sanitizing to prevent a r ...)
+	TODO: check
 CVE-2020-25627
 	RESERVED
 CVE-2020-25626 (A flaw was found in Django REST Framework versions before 3.12.0 and b ...)
@@ -29117,8 +29131,7 @@ CVE-2020-17523
 	RESERVED
 CVE-2020-17522
 	RESERVED
-CVE-2020-17521 [Information Disclosure]
-	RESERVED
+CVE-2020-17521 (Apache Groovy provides extension methods to aid with creating temporar ...)
 	- groovy <unfixed>
 	[stretch] - groovy <no-dsa> (Minor issue)
 	- groovy2 <removed>
@@ -29150,11 +29163,13 @@ CVE-2020-17510 (Apache Shiro before 1.7.0, when using Apache Shiro with Spring,
 	NOTE: https://www.openwall.com/lists/oss-security/2020/11/04/7
 CVE-2020-17509 [ATS negative cache option is vulnerable to a cache poisoning attack]
 	RESERVED
+	{DSA-4805-1}
 	- trafficserver 8.1.1+ds-1
 	NOTE: https://github.com/apache/trafficserver/pull/7359
 	NOTE: https://lists.apache.org/thread.html/raa9f0589c26c4d146646425e51e2a33e1457492df9f7ea2019daa6d3%40%3Cdev.trafficserver.apache.org%3E
 CVE-2020-17508 [The ATS ESI plugin has a memory disclosure vulnerability]
 	RESERVED
+	{DSA-4805-1}
 	- trafficserver 8.1.1+ds-1
 	NOTE: https://github.com/apache/trafficserver/pull/7358
 	NOTE: https://lists.apache.org/thread.html/r65434f7acca3aebf81b0588587149c893fe9f8f9f159eaa7364a70ff%40%3Cdev.trafficserver.apache.org%3E
@@ -41361,7 +41376,7 @@ CVE-2020-12697 (The direct_mail extension through 5.2.3 for TYPO3 allows Denial
 CVE-2020-12696 (The iframe plugin before 4.5 for WordPress does not sanitize a URL. ...)
 	NOT-FOR-US: iframe plugin for WordPress
 CVE-2020-12695 (The Open Connectivity Foundation UPnP specification before 2020-04-17  ...)
-	{DLA-2318-1 DLA-2315-1}
+	{DSA-4806-1 DLA-2318-1 DLA-2315-1}
 	- wpa 2:2.9.0-16 (bug #976106)
 	[buster] - wpa <no-dsa> (Minor issue)
 	- gupnp 1.2.3-1
@@ -53401,26 +53416,22 @@ CVE-2020-8568
 	RESERVED
 CVE-2020-8567
 	RESERVED
-CVE-2020-8566
-	RESERVED
+CVE-2020-8566 (In Kubernetes clusters using Ceph RBD as a storage provisioner, with l ...)
 	- kubernetes 1.19.3-1 (bug #972341)
 	NOTE: https://github.com/kubernetes/kubernetes/pull/95245
 	NOTE: https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk
 	NOTE: https://github.com/kubernetes/kubernetes/issues/95624
-CVE-2020-8565
-	RESERVED
+CVE-2020-8565 (In Kubernetes, if the logging level is set to at least 9, authorizatio ...)
 	- kubernetes <unfixed> (bug #972649)
 	NOTE: https://github.com/kubernetes/kubernetes/pull/95316
 	NOTE: https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk
 	NOTE: https://github.com/kubernetes/kubernetes/issues/95623
-CVE-2020-8564
-	RESERVED
+CVE-2020-8564 (In Kubernetes clusters using a logging level of at least 4, processing ...)
 	- kubernetes 1.19.3-1 (bug #972341)
 	NOTE: https://github.com/kubernetes/kubernetes/pull/94712
 	NOTE: https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk
 	NOTE: https://github.com/kubernetes/kubernetes/issues/95622
-CVE-2020-8563
-	RESERVED
+CVE-2020-8563 (In Kubernetes clusters using VSphere as a cloud provider, with a loggi ...)
 	- kubernetes <not-affected> (Only affects 19.x)
 	NOTE: https://github.com/kubernetes/kubernetes/pull/95236
 	NOTE: https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk
@@ -115001,11 +115012,11 @@ CVE-2019-6174
 	RESERVED
 CVE-2019-6173 (A DLL search path vulnerability could allow privilege escalation in so ...)
 	NOT-FOR-US: Lenovo
-CVE-2019-6172 (A potential vulnerability in the SMI callback function in some Lenovo  ...)
+CVE-2019-6172 (A potential vulnerability in the SMI callback function used in Legacy  ...)
 	NOT-FOR-US: Lenovo
 CVE-2019-6171 (A vulnerability was reported in various BIOS versions of older ThinkPa ...)
 	NOT-FOR-US: Lenovo
-CVE-2019-6170 (A potential vulnerability in some Lenovo ThinkPads may allow an attack ...)
+CVE-2019-6170 (A potential vulnerability in the SMI callback function used in the Leg ...)
 	NOT-FOR-US: Lenovo
 CVE-2019-6169 (A vulnerability reported in Lenovo Service Bridge before version 4.1.0 ...)
 	NOT-FOR-US: Lenovo Service Bridge



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6db700863ff78c4d98f0d746ce7ef9a6fb6476a5

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6db700863ff78c4d98f0d746ce7ef9a6fb6476a5
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20201208/d4caa81c/attachment.html>

More information about the debian-security-tracker-commits mailing list