[Git][security-tracker-team/security-tracker][master] 4 commits: Sync release date for DLA-2507-1

Salvatore Bonaccorso carnil at debian.org
Thu Dec 31 15:45:02 GMT 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
bdb7006e by Salvatore Bonaccorso at 2020-12-31T16:25:17+01:00
Sync release date for DLA-2507-1

- - - - -
536eb674 by Salvatore Bonaccorso at 2020-12-31T16:41:03+01:00
Process some NFUs

- - - - -
62da6607 by Salvatore Bonaccorso at 2020-12-31T16:41:51+01:00
Add CVE-2020-28413/mantis

- - - - -
8a84cf71 by Salvatore Bonaccorso at 2020-12-31T16:44:20+01:00
Add CVE-2020-12658/gssproxy

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -284,7 +284,7 @@ CVE-2020-35776
 CVE-2020-35775
 	RESERVED
 CVE-2020-35774 (server/handler/HistogramQueryHandler.scala in Twitter TwitterServer (a ...)
-	TODO: check
+	NOT-FOR-US: Twitter TwitterServer
 CVE-2020-35773 (The site-offline plugin before 1.4.4 for WordPress lacks certain wp_cr ...)
 	NOT-FOR-US: site-offline plugin for WordPress
 CVE-2020-35772
@@ -362,7 +362,7 @@ CVE-2020-35738 (WavPack 5.3.0 has an out-of-bounds write in WavpackPackSamples i
 	NOTE: https://github.com/dbry/WavPack/issues/91
 	NOTE: https://github.com/dbry/WavPack/commit/89df160596132e3bd666322e1c20b2ebd4b92cd0
 CVE-2020-35737 (In Correspondence Management System (corms) in Newgen eGov 12.0, an at ...)
-	TODO: check
+	NOT-FOR-US: Correspondence Management System (corms) in Newgen eGov
 CVE-2020-35736 (GateOne 1.1 allows arbitrary file download without authentication via  ...)
 	NOT-FOR-US: GateOne
 CVE-2020-35735 (Vidyo 02-09-/D allows clickjacking via the portal/ URI. ...)
@@ -10359,7 +10359,7 @@ CVE-2020-28415 (A reflected cross-site scripting (XSS) vulnerability exists in t
 CVE-2020-28414 (A reflected cross-site scripting (XSS) vulnerability exists in the Tra ...)
 	NOT-FOR-US: TranzWare Payment Gateway
 CVE-2020-28413 (In MantisBT 2.24.3, SQL Injection can occur in the parameter "access"  ...)
-	TODO: check
+	- mantis <removed>
 CVE-2020-28412
 	RESERVED
 CVE-2020-28411
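Review bot: the CVE-2020-28413 entry resolves the TODO with `- mantis <removed>` but adds no NOTE: line pointing at the upstream advisory or fixing commit, whereas the other package entry in this push (CVE-2020-12658/gssproxy) records the fix commit next to its state. Since `<removed>` only describes unstable, a reference helps anyone checking whether a mantis version in an older suite is affected; suggest adding `NOTE: <upstream fix or advisory URL>` (placeholder, not supplied by the diff) under the new line.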
@@ -12553,7 +12553,7 @@ CVE-2020-28097
 CVE-2020-28096 (FOSCAM FHD X1 1.14.2.4 devices allow attackers (with physical UART acc ...)
 	NOT-FOR-US: FOSCAM FHD
 CVE-2020-28095 (On Tenda AC1200 (Model AC6) 15.03.06.51_multi devices, a large HTTP PO ...)
-	TODO: check
+	NOT-FOR-US: Tenda
 CVE-2020-28094 (On Tenda AC1200 (Model AC6) 15.03.06.51_multi devices, the default set ...)
 	NOT-FOR-US: Tenda
 CVE-2020-28093 (On Tenda AC1200 (Model AC6) 15.03.06.51_multi devices, admin, support, ...)
@@ -31400,7 +31400,7 @@ CVE-2020-19666
 CVE-2020-19665
 	RESERVED
 CVE-2020-19664 (DrayTek Vigor2960 1.5.1 allows remote command execution via shell meta ...)
-	TODO: check
+	NOT-FOR-US: DrayTek Vigor2960
 CVE-2020-19663
 	RESERVED
 CVE-2020-19662
@@ -36087,7 +36087,7 @@ CVE-2020-17365 (Improper directory permissions in the Hotspot Shield VPN client
 CVE-2020-17364 (USVN (aka User-friendly SVN) before 1.0.9 allows XSS via SVN logs. ...)
 	NOT-FOR-US: User-friendly SVN
 CVE-2020-17363 (USVN (aka User-friendly SVN) before 1.0.9 allows remote code execution ...)
-	TODO: check
+	NOT-FOR-US: User-friendly SVN
 CVE-2020-17362 (search.php in the Nova Lite theme before 1.3.9 for WordPress allows Re ...)
 	NOT-FOR-US: Nova Lite theme for WordPress
 CVE-2020-17361 (** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in ReadyTalk A ...)
@@ -45646,7 +45646,7 @@ CVE-2020-13656 (In Morgan Stanley Hobbes through 2020-05-21, the array implement
 CVE-2020-13655 (An issue was discovered in Collabtive 3.0 and later. managefile.php is ...)
 	- collabtive <removed>
 CVE-2020-13654 (XWiki Platform before 12.8 mishandles escaping in the property display ...)
-	TODO: check
+	NOT-FOR-US: XWiki
 CVE-2020-13653 (An XSS vulnerability exists in the Webmail component of Zimbra Collabo ...)
 	NOT-FOR-US: Zimbra
 CVE-2020-13652 (An issue was discovered in DigDash 2018R2 before p20200528, 2019R1 bef ...)
@@ -48167,7 +48167,8 @@ CVE-2020-12659 (An issue was discovered in the Linux kernel before 5.6.7. xdp_um
 	[jessie] - linux <not-affected> (Vulnerable code not present)
 	NOTE: https://git.kernel.org/linus/99e3a236dd43d06c65af0a2ef9cb44306aef6e02 (5.7-rc2)
 CVE-2020-12658 (gssproxy (aka gss-proxy) before 0.8.3 does not unlock cond_mutex befor ...)
-	TODO: check
+	- gssproxy <unfixed>
+	NOTE: https://github.com/gssapi/gssproxy/commit/cb761412e299ef907f22cd7c4146d50c8a792003 (v0.8.3)
 CVE-2020-12657 (An issue was discovered in the Linux kernel before 5.6.5. There is a u ...)
 	- linux 5.6.7-1
 	[buster] - linux 4.19.118-1
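Review bot: the CVE-2020-12658 entry records only the unstable state (`- gssproxy <unfixed>`) and the upstream fix commit (v0.8.3); it carries no per-release line, unlike the neighbouring entries which annotate `[buster] - linux 4.19.118-1` and `[jessie] - linux <not-affected>`, so the status of gssproxy in stable and oldstable is not captured and no severity is recorded. Given the description (cond_mutex not unlocked, i.e. a hang rather than memory corruption), suggest adding release annotations once the shipped versions have been compared against the v0.8.3 fix, in the tracker's usual form such as `[buster] - gssproxy <no-dsa> (Minor issue)` if that is the assessment.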
@@ -102810,7 +102811,7 @@ CVE-2019-12770
 CVE-2019-12769 (SolarWinds Serv-U Managed File Transfer (MFT) Web client before 15.1.6 ...)
 	NOT-FOR-US: SolarWinds
 CVE-2019-12768 (An issue was discovered on D-Link DAP-1650 devices through v1.03b07 be ...)
-	TODO: check
+	NOT-FOR-US: D-Link
 CVE-2019-12767 (An issue was discovered on D-Link DAP-1650 devices before 1.04B02_J65H ...)
 	NOT-FOR-US: D-Link
 CVE-2019-12766 (An issue was discovered in Joomla! before 3.9.7. The subform fieldtype ...)
@@ -117660,9 +117661,9 @@ CVE-2019-7728 (An issue was discovered in the Bosch Smart Camera App before 1.3.
 CVE-2019-7727 (In NICE Engage through 6.5, the default configuration binds an unauthe ...)
 	NOT-FOR-US: NICE Engage
 CVE-2019-7726 (modules/banners/funcs/click.php in NukeViet before 4.3.04 has a SQL IN ...)
-	TODO: check
+	NOT-FOR-US: NukeViet
 CVE-2019-7725 (includes/core/is_user.php in NukeViet before 4.3.04 deserializes the u ...)
-	TODO: check
+	NOT-FOR-US: NukeViet
 CVE-2019-7724
 	RESERVED
 CVE-2019-7723
@@ -146486,7 +146487,7 @@ CVE-2018-16797 (A heap-based buffer overflow in PotPlayerMini.exe in PotPlayer 1
 CVE-2018-16796 (HiScout GRC Suite before 3.1.5 allows Unrestricted Upload of Files wit ...)
 	NOT-FOR-US: HiScout GRC Suite
 CVE-2018-16795 (OpenEMR 5.0.1.3 allows Cross-Site Request Forgery (CSRF) via library/a ...)
-	TODO: check
+	NOT-FOR-US: OpenEMR
 CVE-2018-16794 (Microsoft ADFS 4.0 Windows Server 2016 and previous (Active Directory  ...)
 	NOT-FOR-US: Microsoft ADFS 4.0 Windows Server
 CVE-2018-16793 (Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions ...)
@@ -153666,7 +153667,7 @@ CVE-2018-14069 (An issue was discovered in SRCMS V2.3.1. There is a CSRF vulnera
 CVE-2018-14068 (An issue was discovered in SRCMS V2.3.1. There is a CSRF vulnerability ...)
 	NOT-FOR-US: SRCMS
 CVE-2018-14067 (Green Packet WiMax DV-360 2.10.14-g1.0.6.1 devices allow Command Injec ...)
-	TODO: check
+	NOT-FOR-US: Green Packet WiMax DV-360 devices
 CVE-2018-14066 (The content://wappush content provider in com.android.provider.telepho ...)
 	NOT-FOR-US: Lenovo
 CVE-2018-14065 (XMLReader.php in PHPOffice Common before 0.2.9 allows XXE. ...)
@@ -246150,17 +246151,17 @@ CVE-2016-9028 (Unauthorized redirect vulnerability in Citrix NetScaler ADC befor
 CVE-2016-9027
 	RESERVED
 CVE-2016-9026 (Exponent CMS before 2.6.0 has improper input validation in fileControl ...)
-	TODO: check
+	NOT-FOR-US: Exponent CMS
 CVE-2016-9025 (Exponent CMS before 2.6.0 has improper input validation in purchaseOrd ...)
-	TODO: check
+	NOT-FOR-US: Exponent CMS
 CVE-2016-9024
 	RESERVED
 CVE-2016-9023 (Exponent CMS before 2.6.0 has improper input validation in cron/find_h ...)
-	TODO: check
+	NOT-FOR-US: Exponent CMS
 CVE-2016-9022 (Exponent CMS before 2.6.0 has improper input validation in usersContro ...)
-	TODO: check
+	NOT-FOR-US: Exponent CMS
 CVE-2016-9021 (Exponent CMS before 2.6.0 has improper input validation in storeContro ...)
-	TODO: check
+	NOT-FOR-US: Exponent CMS
 CVE-2016-9020 (SQL injection vulnerability in framework/modules/help/controllers/help ...)
 	NOT-FOR-US: Exponent CMS
 CVE-2016-9019 (SQL injection vulnerability in the activate_address function in framew ...)


=====================================
data/DLA/list
=====================================
@@ -8,7 +8,7 @@
 [28 Dec 2020] DLA-2508-1 roundcube - security update
 	{CVE-2020-35730}
 	[stretch] - roundcube 1.2.3+dfsg.1-4+deb9u8
-[28 Dec 2020] DLA-2507-1 libxstream-java - security update
+[31 Dec 2020] DLA-2507-1 libxstream-java - security update
 	{CVE-2020-26258 CVE-2020-26259}
 	[stretch] - libxstream-java 1.4.11.1-1+deb9u1
 [26 Dec 2020] DLA-2488-2 python-apt - regression update
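Review bot: after the date update DLA-2507-1 (31 Dec 2020) sits below DLA-2508-1 (28 Dec 2020), so this region of data/DLA/list is no longer in date order; that is fine if the file is kept in advisory-number order, which the surrounding entries (2508, 2507, 2488-2) indicate, but worth confirming nothing consumes the file assuming dates descend. The CVE set `{CVE-2020-26258 CVE-2020-26259}` and the stretch fixed version `1.4.11.1-1+deb9u1` are untouched, so the hunk is otherwise a pure metadata sync matching the commit message.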



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c539ee098c99a99d3381cbeee102605557530e92...8a84cf71cc39de927ce31ecf0d22d7a953199918
