[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Sat Feb 1 08:10:31 GMT 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
cd82a0b4 by security tracker role at 2020-02-01T08:10:24+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,25 @@
+CVE-2020-8512 (In IceWarp Webmail Server through 11.4.4.1, there is XSS in the /webma ...)
+	TODO: check
+CVE-2020-8511
+	RESERVED
+CVE-2020-8510
+	RESERVED
+CVE-2020-8509
+	RESERVED
+CVE-2020-8508
+	RESERVED
+CVE-2020-8507
+	RESERVED
+CVE-2020-8506
+	RESERVED
+CVE-2020-8505 (School Management Software PHP/mySQL through 2019-03-14 allows office_ ...)
+	TODO: check
+CVE-2020-8504 (School Management Software PHP/mySQL through 2019-03-14 allows office_ ...)
+	TODO: check
+CVE-2020-8503 (Biscom Secure File Transfer (SFT) 5.0.1050 through 5.1.1067 and 6.0.10 ...)
+	TODO: check
+CVE-2020-8502
+	RESERVED
 CVE-2020-8501
 	RESERVED
 CVE-2020-8500
@@ -877,6 +899,7 @@ CVE-2019-20435 (An issue was discovered in WSO2 API Manager 2.6.0. A reflected X
 CVE-2019-20434 (An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflect ...)
 	NOT-FOR-US: WSO2
 CVE-2020-8086 (The mod_auth_ldap and mod_auth_ldap2 Community Modules through 2020-01 ...)
+	{DSA-4612-1}
 	- prosody-modules 0.0~hg20200128.09e7e880e056+dfsg-1
 	NOTE: https://hg.prosody.im/prosody-modules/rev/f2b29183ef08
 	NOTE: https://prosody.im/security/advisory_20200128/
@@ -20850,7 +20873,7 @@ CVE-2019-18636 (A cross-site scripting (XSS) vulnerability in Jitbit .NET Forum
 	NOT-FOR-US: Jitbit .NET Forum
 CVE-2019-18635 (An issue was discovered in Mooltipass Moolticute through v0.42.1 and v ...)
 	NOT-FOR-US: Mooltipass Moolticute
-CVE-2019-18634 (In Sudo before 1.8.31, if pwfeedback is enabled in /etc/sudoers, users ...)
+CVE-2019-18634 (In Sudo before 1.8.26, if pwfeedback is enabled in /etc/sudoers, users ...)
 	- sudo <unfixed> (bug #950371)
 	[buster] - sudo <no-dsa> (EOF handling introduced in 1.8.26 prevents exploitation of bug)
 	NOTE: https://www.sudo.ws/alerts/pwfeedback.html
@@ -21081,6 +21104,7 @@ CVE-2020-0570
 	NOTE: https://lists.qt-project.org/pipermail/development/2020-January/038534.html
 CVE-2020-0569
 	RESERVED
+	{DLA-2092-1}
 	- qtbase-opensource-src 5.12.5+dfsg-8
 	NOTE: Patch for 5.6.0 through 5.13.2: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=bf131e8d2181b3404f5293546ed390999f760404
 	NOTE: Patch for 5.0.0 through 5.5.1: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=5c4234ed958130d655df8197129806f687d4df0d
@@ -22041,6 +22065,7 @@ CVE-2019-18226 (Honeywell equIP series and Performance series IP cameras and rec
 CVE-2019-18225 (An issue was discovered in Citrix Application Delivery Controller (ADC ...)
 	NOT-FOR-US: Citrix
 CVE-2019-18224 (idn2_to_ascii_4i in lib/lookup.c in GNU libidn2 before 2.1.1 has a hea ...)
+	{DSA-4613-1}
 	- libidn2 2.2.0-1 (bug #942895)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12420
 	NOTE: https://github.com/libidn/libidn2/commit/e4d1558aa2c1c04a05066ee8600f37603890ba8c
@@ -25949,7 +25974,7 @@ CVE-2019-17027
 	RESERVED
 CVE-2019-17026
 	RESERVED
-	{DSA-4603-1 DSA-4600-1 DLA-2071-1}
+	{DSA-4603-1 DSA-4600-1 DLA-2093-1 DLA-2071-1}
 	- firefox 72.0.1-1 (bug #948452)
 	- firefox-esr 68.4.1esr-1
 	- thunderbird 1:68.4.1-1
@@ -39335,12 +39360,12 @@ CVE-2019-13001 [Ability to Write a Note to a Private Snippet]
 	[experimental] - gitlab 11.10.8+dfsg-1
 	- gitlab <not-affected> (Only affects 11.9 and later)
 	NOTE: https://about.gitlab.com/2019/07/03/security-release-gitlab-12-dot-0-dot-3-released/
-CVE-2019-13000
-	RESERVED
-CVE-2019-12999
-	RESERVED
-CVE-2019-12998
-	RESERVED
+CVE-2019-13000 (Eclair through 0.3 allows attackers to trigger loss of funds because o ...)
+	TODO: check
+CVE-2019-12999 (Lightning Network Daemon (lnd) before 0.7 allows attackers to trigger  ...)
+	TODO: check
+CVE-2019-12998 (c-lightning before 0.7.1 allows attackers to trigger loss of funds bec ...)
+	TODO: check
 CVE-2019-12997 (In Loopchain through 2.2.1.3, an attacker can escalate privileges from ...)
 	NOT-FOR-US: Loopchain
 CVE-2019-12996 (In Mendix 7.23.5 and earlier, issue in XML import mappings allow DOCTY ...)
@@ -47152,6 +47177,7 @@ CVE-2019-10173 (It was found that xstream API version 1.4.10 before 1.4.11 intro
 	NOTE: http://x-stream.github.io/changes.html#1.4.11
 	NOTE: Regression introduced and present only in 1.4.10.
 CVE-2019-10172 (A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libr ...)
+	{DLA-2091-1}
 	- libjackson-json-java <unfixed>
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1715075
 	NOTE: https://stackoverflow.com/questions/38017676/small-fix-for-cve-2016-3720-with-older-versions-of-jackson-all-1-9-11-and-in-ja/38017721
@@ -67811,8 +67837,7 @@ CVE-2019-3018 (Vulnerability in the MySQL Server product of Oracle MySQL (compon
 CVE-2019-3017 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...)
 	- virtualbox 6.0.14-dfsg-1
 	[jessie] - virtualbox <end-of-life> (DSA-3699-1)
-CVE-2019-3016 [information leak within a KVM guest]
-	RESERVED
+CVE-2019-3016 (In a Linux KVM guest that has PV TLB enabled, a process in the guest k ...)
 	- linux <unfixed>
 CVE-2019-3015 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...)
 	NOT-FOR-US: Oracle
@@ -136774,7 +136799,7 @@ CVE-2017-15096 (A flaw was found in GlusterFS in versions prior to 3.10. A null
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1502928
 	NOTE: Fixed by: http://git.gluster.org/cgit/glusterfs.git/commit/?id=1f48d17fee0cac95648ec34d13f038b27ef5c6ac
 CVE-2017-15095 (A deserialization flaw was discovered in the jackson-databind in versi ...)
-	{DSA-4037-1}
+	{DSA-4037-1 DLA-2091-1}
 	- jackson-databind 2.9.1-1
 	- libjackson-json-java <unfixed>
 	NOTE: The Debian upload for stretch (2.8.6-1+deb9u1) and jessie (2.4.2-2+deb8u1)
@@ -160047,7 +160072,7 @@ CVE-2017-7526 (libgcrypt before version 1.7.8 is vulnerable to a cache side-chan
 	NOTE: GnuPG: https://dev.gnupg.org/rC8725c99ffa41778f382ca97233183bcd687bb0ce
 	NOTE: GnuPG1: https://dev.gnupg.org/D438
 CVE-2017-7525 (A deserialization flaw was discovered in the jackson-databind, version ...)
-	{DSA-4004-1}
+	{DSA-4004-1 DLA-2091-1}
 	- jackson-databind 2.9.1-1 (bug #870848)
 	- libjackson-json-java <unfixed>
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/1599
@@ -192172,7 +192197,7 @@ CVE-2016-1000107 (inets in Erlang possibly 22.1 and earlier follows RFC 3875 sec
 CVE-2016-1000106
 	REJECTED
 CVE-2016-1000105
-	RESERVED
+	REJECTED
 	- nginx <not-affected> (nginx doesn't support CGI)
 CVE-2016-1000103
 	RESERVED
@@ -206010,12 +206035,12 @@ CVE-2016-2035
 	REJECTED
 CVE-2016-2034 (SQL injection vulnerability in ClearPass Policy Manager 6.5.x through  ...)
 	NOT-FOR-US: ClearPass Policy Manager
-CVE-2016-2033
-	RESERVED
-CVE-2016-2032
-	RESERVED
-CVE-2016-2031
-	RESERVED
+CVE-2016-2033 (Multiple vulnerabilities exist in Aruba ClearPass Policy Manager up to ...)
+	TODO: check
+CVE-2016-2032 (A vulnerability exists in the Aruba AirWave Management Platform 8.x pr ...)
+	TODO: check
+CVE-2016-2031 (Multiple vulnerabilities exists in Aruba Instate before 4.1.3.0 and 4. ...)
+	TODO: check
 CVE-2016-2030 (HPE Systems Insight Manager (SIM) before 7.5.1 allows remote authentic ...)
 	NOT-FOR-US: HPE Systems Insight Manager
 CVE-2016-2029 (HPE Matrix Operating Environment before 7.5.1 allows remote attackers  ...)
@@ -217655,8 +217680,7 @@ CVE-2015-8777 (The process_envvars function in elf/rtld.c in the GNU C Library (
 	NOTE: http://www.openwall.com/lists/oss-security/2015/09/05/8
 	NOTE: Upstream bug https://sourceware.org/bugzilla/show_bug.cgi?id=18928
 	NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
-CVE-2015-6815 [Qemu: net: e1000 infinite loop issue]
-	RESERVED
+CVE-2015-6815 (The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1  ...)
 	{DSA-3362-1 DSA-3361-1}
 	- qemu 1:2.4+dfsg-2 (bug #798101)
 	[squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS)
@@ -241352,8 +241376,8 @@ CVE-2014-8340 (SQL injection vulnerability in Php/Functions/log_function.php in
 	NOT-FOR-US: phpTrafficA
 CVE-2014-8339 (SQL injection vulnerability in midroll.php in Nuevolab Nuevoplayer for ...)
 	NOT-FOR-US: Nuevolabs Nuevoplayer for clipshare
-CVE-2014-8338
-	RESERVED
+CVE-2014-8338 (Cross-site scripting (XSS) vulnerability in vwrooms/js/jsor-jcarousel/ ...)
+	TODO: check
 CVE-2014-8337 (Unrestricted file upload vulnerability in includes/classes/uploadify-v ...)
 	NOT-FOR-US: HelpDEZk
 CVE-2014-8336 (The "Sql Run Query" panel in WP-DBManager (aka Database Manager) plugi ...)
@@ -241378,13 +241402,11 @@ CVE-2014-8323 (buddy-ng.c in Aircrack-ng before 1.2 Beta 3 allows remote attacke
 	- aircrack-ng 1:1.2-0~beta3-2 (bug #767979)
 	NOTE: https://github.com/aircrack-ng/aircrack-ng/commit/da087238963c1239fdabd47dc1b65279605aca70
 	NOTE: https://github.com/aircrack-ng/aircrack-ng/pull/15
-CVE-2014-8322 [tcp_test stack overflow]
-	RESERVED
+CVE-2014-8322 (Stack-based buffer overflow in the tcp_test function in aireplay-ng.c  ...)
 	- aircrack-ng 1:1.2-0~beta3-2 (bug #767979)
 	NOTE: https://github.com/aircrack-ng/aircrack-ng/commit/091b153f294b9b695b0b2831e65936438b550d7b
 	NOTE: https://github.com/aircrack-ng/aircrack-ng/pull/14
-CVE-2014-8321 [GPS stack overflow]
-	RESERVED
+CVE-2014-8321 (Stack-based buffer overflow in the gps_tracker function in airodump-ng ...)
 	- aircrack-ng 1:1.2-0~beta3-2 (bug #767979)
 	NOTE: https://github.com/aircrack-ng/aircrack-ng/commit/ff70494dd389ba570dbdbf36f217c28d4381c6b5
 	NOTE: https://github.com/aircrack-ng/aircrack-ng/pull/13
@@ -241952,16 +241974,13 @@ CVE-2014-8142 (Use-after-free vulnerability in the process_nested_data function
 	NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=630f9c33c23639de85c3fd306b209b538b73b4c9
 	NOTE: http://git.php.net/?p=php-src.git;a=commitdiff;h=53f129a44d3c4ec0fae57993b9ae2f6cb48973cc
 	NOTE: Only affects an inherently insecure use case
-CVE-2014-8141 [heap overflow in getZip64Data]
-	RESERVED
+CVE-2014-8141 (Heap-based buffer overflow in the getZip64Data function in Info-ZIP Un ...)
 	{DSA-3113-1 DLA-124-1}
 	- unzip 6.0-13 (bug #773722)
-CVE-2014-8140 [heap overflow in test_compr_eb]
-	RESERVED
+CVE-2014-8140 (Heap-based buffer overflow in the test_compr_eb function in Info-ZIP U ...)
 	{DSA-3113-1 DLA-124-1}
 	- unzip 6.0-13 (bug #773722)
-CVE-2014-8139 [CRC32 heap overflow]
-	RESERVED
+CVE-2014-8139 (Heap-based buffer overflow in the CRC32 verification in Info-ZIP UnZip ...)
 	{DSA-3113-1 DLA-150-1 DLA-124-1}
 	- unzip 6.0-16 (bug #773722)
 CVE-2014-8138 (Heap-based buffer overflow in the jp2_decode function in JasPer 1.900. ...)
@@ -242051,8 +242070,7 @@ CVE-2014-8127 (LibTIFF 4.0.3 allows remote attackers to cause a denial of servic
 	NOTE: 4.0.3-12.1 fixes all issues except 2500
 	NOTE: 2500 is fixed by upstream as per 2016-10-25
 	NOTE: Crash in a frontend tool w/o potential for code injection, marked as unimportant
-CVE-2014-8126 [mailx invocation enables code execution as condor user]
-	RESERVED
+CVE-2014-8126 (The scheduler in HTCondor before 8.2.6 allows remote authenticated use ...)
 	{DSA-3149-1}
 	- condor 8.2.3~dfsg.1-6 (bug #775276)
 	NOTE: https://htcondor-wiki.cs.wisc.edu/index.cgi/tktview?tn=4764
@@ -248775,8 +248793,7 @@ CVE-2014-5238 (XML external entity (XXE) vulnerability in Open-Xchange (OX) AppS
 	NOT-FOR-US: Open-Xchange
 CVE-2014-5237 (Server-side request forgery (SSRF) vulnerability in the documentconver ...)
 	NOT-FOR-US: Open-Xchange
-CVE-2014-5236
-	RESERVED
+CVE-2014-5236 (Multiple absolute path traversal vulnerabilities in documentconverter  ...)
 	NOT-FOR-US: Open-Xchange
 CVE-2014-5235 (Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchan ...)
 	NOT-FOR-US: Open-Xchange
@@ -249411,8 +249428,8 @@ CVE-2014-5041
 	RESERVED
 CVE-2014-5040 (HP Helion Eucalyptus 4.1.x before 4.1.2 and HPE Helion Eucalyptus 4.2. ...)
 	- eucalyptus <removed>
-CVE-2014-5039
-	RESERVED
+CVE-2014-5039 (Cross-site scripting (XSS) vulnerability in Eucalyptus Management Cons ...)
+	TODO: check
 CVE-2014-5038 (Eucalyptus 3.0.0 through 4.0.1, when the log level is set to DEBUG or  ...)
 	- eucalyptus <removed>
 CVE-2014-5037 (Eucalyptus 4.0.0 through 4.0.1, when the log level is set to INFO, log ...)
@@ -252278,8 +252295,8 @@ CVE-2014-3871 (Multiple SQL injection vulnerabilities in register.php in Geodesi
 	NOT-FOR-US: GeodesicSolutions
 CVE-2014-3869
 	RESERVED
-CVE-2014-3868
-	RESERVED
+CVE-2014-3868 (Multiple SQL injection vulnerabilities in ZeusCart 4.x. ...)
+	TODO: check
 CVE-2014-3867 (The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through ...)
 	NOT-FOR-US: IBM Sametime
 CVE-2014-3863 (Cross-site scripting (XSS) vulnerability in the JChatSocial component  ...)
@@ -252444,8 +252461,7 @@ CVE-2014-3811 (Juniper Installer Service (JIS) Client 7.x before 7.4R6 for Windo
 	NOT-FOR-US: Junos Pulse Client
 CVE-2014-3810 (SQL injection vulnerability in administration/profiles.php in BoonEx D ...)
 	NOT-FOR-US: Dolphin (php thingy)
-CVE-2014-3809
-	RESERVED
+CVE-2014-3809 (Cross-site scripting (XSS) vulnerability in the management interface i ...)
 	NOT-FOR-US: Alcatel Lucent
 CVE-2014-3808 (Multiple cross-site scripting (XSS) vulnerabilities in BarracudaDrive  ...)
 	NOT-FOR-US: BarracudaDrive
@@ -254639,8 +254655,8 @@ CVE-2014-3120 (The default configuration in Elasticsearch before 1.2 enables dyn
 	- elasticsearch 1.0.3+dfsg-3 (bug #759736)
 	NOTE: https://github.com/elasticsearch/elasticsearch/commit/81e83cca
 	NOTE: https://github.com/elasticsearch/elasticsearch/issues/5853
-CVE-2014-3119
-	RESERVED
+CVE-2014-3119 (Multiple SQL injection vulnerabilities in web2Project 3.1 and earlier  ...)
+	TODO: check
 CVE-2014-3118
 	RESERVED
 CVE-2014-3117
@@ -257520,8 +257536,7 @@ CVE-2014-2028
 	RESERVED
 CVE-2014-2026 (Cross-site scripting (XSS) vulnerability in the search functionality i ...)
 	NOT-FOR-US: Intrexx
-CVE-2014-2025
-	RESERVED
+CVE-2014-2025 (Unrestricted file upload vulnerability in an unspecified third party t ...)
 	NOT-FOR-US: Intrexx
 CVE-2014-2024 (Cross-site scripting (XSS) vulnerability in classes/controller/error.p ...)
 	NOT-FOR-US: Open Classifieds
@@ -272649,8 +272664,7 @@ CVE-2013-3567 (Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Ent
 	- puppet 3.2.2-1 (bug #712745)
 CVE-2013-3566
 	RESERVED
-CVE-2013-3565 [XSS in HTTP Interface]
-	RESERVED
+CVE-2013-3565 (Multiple cross-site scripting (XSS) vulnerabilities in the HTTP Interf ...)
 	- vlc 2.0.7-1 (unimportant)
 	NOTE: Negligible impact
 CVE-2013-3564



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cd82a0b4b83cd590e4a1c490a91cc27bbab2f1c8

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/cd82a0b4b83cd590e4a1c490a91cc27bbab2f1c8
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200201/b80ebba3/attachment-0001.html>


More information about the debian-security-tracker-commits mailing list