[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Mon Feb 10 20:10:36 GMT 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ed3f050a by security tracker role at 2020-02-10T20:10:29+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,23 @@
+CVE-2020-8838
+	RESERVED
+CVE-2020-8837
+	RESERVED
+CVE-2020-8836
+	RESERVED
+CVE-2020-8835
+	RESERVED
+CVE-2020-8834
+	RESERVED
+CVE-2020-8833
+	RESERVED
+CVE-2020-8832
+	RESERVED
+CVE-2020-8831
+	RESERVED
+CVE-2019-20451 (The HTTP API in Prismview System 9 11.10.17.00 and Prismview Player 11 ...)
+	TODO: check
+CVE-2017-18642
+	RESERVED
 CVE-2020-8830
 	RESERVED
 CVE-2020-8829
@@ -8,8 +28,8 @@ CVE-2020-8827
 	RESERVED
 CVE-2020-8826
 	RESERVED
-CVE-2020-8825
-	RESERVED
+CVE-2020-8825 (index.php?p=/dashboard/settings/branding in Vanilla 2.6.3 allows store ...)
+	TODO: check
 CVE-2020-8824
 	RESERVED
 CVE-2020-8823 (htmlfile in lib/transport/htmlfile.js in SockJS before 3.0 is vulnerab ...)
@@ -664,7 +684,7 @@ CVE-2020-8517 (An issue was discovered in Squid before 4.10. Due to incorrect in
 	NOTE: Squid 3.5: http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-c62d2b43ad4962ea44aa0c5edb4cc99cb83a413d.patch
 	NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/squid-4-6982f1187a26557e582172965e266f544ea562a5.patch
 	NOTE: Debian binary packages are not build with --enable-external-acl-helpers="[...]LM_group[...".
-CVE-2020-8516 (The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not ...)
+CVE-2020-8516 (** DISPUTED ** The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0 ...)
 	- tor <unfixed> (unimportant)
 	NOTE: Not considered a bug / explicit design choice by upstream
 	NOTE: https://lists.torproject.org/pipermail/tor-dev/2020-February/014147.html
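Review bot: the context NOTE under CVE-2020-8517 at the top of this hunk reads "are not build with" and leaves the option value `--enable-external-acl-helpers="[...]LM_group[..."` without its closing bracket; a follow-up commit should change it to "are not built with" and close the bracket so the note does not look truncated. The "** DISPUTED **" marker now carried by the CVE-2020-8516 description is consistent with the existing "Not considered a bug / explicit design choice by upstream" NOTE and the unimportant rating, so no status change is needed for that entry.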
@@ -674,7 +694,7 @@ CVE-2019-20446 (In xml.rs in GNOME librsvg before 2.46.2, a crafted SVG file wit
 	- librsvg 2.46.4-1
 	NOTE: https://gitlab.gnome.org/GNOME/librsvg/issues/515
 	NOTE: https://gitlab.gnome.org/GNOME/librsvg/commit/572f95f739529b865e2717664d6fefcef9493135
-CVE-2020-8515 (DrayTek Vigor2960 1.3.1_Beta; Vigor3900 1.4.4_Beta; and Vigor300B 1.3. ...)
+CVE-2020-8515 (DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3. ...)
 	NOT-FOR-US: DrayTek devices
 CVE-2020-8514 (An issue was discovered in Rumpus 8.2.10 on macOS. By crafting a direc ...)
 	NOT-FOR-US: Rumpus on macOS
@@ -1575,8 +1595,8 @@ CVE-2020-8091 (svg.swf in TYPO3 6.2.0 to 6.2.38 ELTS and 7.0.0 to 7.1.0 could al
 	NOT-FOR-US: TYPO3
 CVE-2020-8090 (The Username field in the Storage Service settings of A1 WLAN Box ADB  ...)
 	NOT-FOR-US: A1 WLAN Box ADB VV2220v2 devices
-CVE-2020-8089
-	RESERVED
+CVE-2020-8089 (Piwigo 2.10.1 is affected by stored XSS via the Group Name Field to th ...)
+	TODO: check
 CVE-2020-8088 (panel_login.php in UseBB 1.0.12 allows type juggling for login bypass  ...)
 	NOT-FOR-US: UseBB
 CVE-2020-8087 (SMC Networks D3G0804W D3GNV5M-3.5.1.6.10_GA devices allow remote comma ...)
@@ -3887,16 +3907,14 @@ CVE-2020-7062
 	RESERVED
 CVE-2020-7061
 	RESERVED
-CVE-2020-7060 [Global buffer-overflow in mbfl_filt_conv_big5_wchar function]
-	RESERVED
+CVE-2020-7060 (When using certain mbstring functions to convert multibyte encodings,  ...)
 	- php7.4 7.4.2-7
 	- php7.3 <unfixed>
 	- php7.0 <removed>
 	- php5 <removed>
 	NOTE: Fixed in PHP 7.4.2, 7.3.14, 7.2.27
 	NOTE: PHP Bug: http://bugs.php.net/79037
-CVE-2020-7059 [Out of bounds read in php_strip_tags_ex]
-	RESERVED
+CVE-2020-7059 (When using fgetss() function to read data with stripping tags, in PHP  ...)
 	- php7.4 7.4.2-7
 	- php7.3 <unfixed>
 	- php7.0 <removed>
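Review bot: CVE-2020-7060 and CVE-2020-7059 both keep `- php7.3 <unfixed>` with no [buster] line, while the NOTE already records the upstream fix in PHP 7.3.14; now that the published descriptions have replaced the bracketed working titles, the stable status should be stated explicitly, either a fixed version once the php7.3 update is prepared or a [buster] line with a <no-dsa>/<postponed> tag and reason, so the entries do not read as untriaged for stable.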
@@ -11170,14 +11188,14 @@ CVE-2019-20063 (hdf/dataobject.c in libmysofa before 0.8 has an uninitialized us
 	[buster] - libmysofa 0.6~dfsg0-3+deb10u1
 	NOTE: https://github.com/hoene/libmysofa/issues/67
 	NOTE: https://github.com/hoene/libmysofa/commit/ecb7b743b6f6d47b93a7bc680a60071a0f9524c6
-CVE-2019-20062
-	RESERVED
-CVE-2019-20061
-	RESERVED
-CVE-2019-20060
-	RESERVED
-CVE-2019-20059
-	RESERVED
+CVE-2019-20062 (MFScripts YetiShare v3.5.2 through v4.5.4 might allow an attacker to r ...)
+	TODO: check
+CVE-2019-20061 (The user-introduction email in MFScripts YetiShare v3.5.2 through v4.5 ...)
+	TODO: check
+CVE-2019-20060 (MFScripts YetiShare v3.5.2 through v4.5.4 places sensitive information ...)
+	TODO: check
+CVE-2019-20059 (payment_manage.ajax.php and various *_manage.ajax.php in MFScripts Yet ...)
+	TODO: check
 CVE-2019-20058 (** DISPUTED ** Bolt 3.7.0, if Symfony Web Profiler is used, allows XSS ...)
 	NOT-FOR-US: Bolt CMS
 CVE-2019-20057 (com.proxyman.NSProxy.HelperTool in Privileged Helper Tool in Proxyman  ...)
@@ -15224,30 +15242,30 @@ CVE-2019-19672
 	RESERVED
 CVE-2019-19671
 	RESERVED
-CVE-2019-19670
-	RESERVED
-CVE-2019-19669
-	RESERVED
-CVE-2019-19668
-	RESERVED
-CVE-2019-19667
-	RESERVED
-CVE-2019-19666
-	RESERVED
-CVE-2019-19665
-	RESERVED
-CVE-2019-19664
-	RESERVED
-CVE-2019-19663
-	RESERVED
-CVE-2019-19662
-	RESERVED
-CVE-2019-19661
-	RESERVED
-CVE-2019-19660
-	RESERVED
-CVE-2019-19659
-	RESERVED
+CVE-2019-19670 (A HTTP Response Splitting vulnerability was identified in the Web Sett ...)
+	TODO: check
+CVE-2019-19669 (A CSRF vulnerability exists in the Upload Center Forms Component of We ...)
+	TODO: check
+CVE-2019-19668 (A CSRF vulnerability exists in the File Types component of Web File Ma ...)
+	TODO: check
+CVE-2019-19667 (A CSRF vulnerability exists in the Block Clients component of Web File ...)
+	TODO: check
+CVE-2019-19666 (A CSRF vulnerability exists in the Event Notices Settings of Web File  ...)
+	TODO: check
+CVE-2019-19665 (A CSRF vulnerability exists in the FTP Settings of Web File Manager in ...)
+	TODO: check
+CVE-2019-19664 (A CSRF vulnerability exists in the Web Settings of Web File Manager in ...)
+	TODO: check
+CVE-2019-19663 (A CSRF vulnerability exists in the Folder Sets Settings of Web File Ma ...)
+	TODO: check
+CVE-2019-19662 (A CSRF vulnerability exists in the Web File Manager's Create/Delete Ac ...)
+	TODO: check
+CVE-2019-19661 (A Cookie based reflected XSS exists in the Web File Manager of Rumpus  ...)
+	TODO: check
+CVE-2019-19660 (A CSRF vulnerability exists in the Web File Manager's Network Setting  ...)
+	TODO: check
+CVE-2019-19659 (A CSRF vulnerability exists in the Web File Manager's Edit Accounts fu ...)
+	TODO: check
 CVE-2019-19658
 	RESERVED
 CVE-2019-19657
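Review bot: the twelve "TODO: check" placeholders added here all concern the Web File Manager of Rumpus (CVE-2019-19661 names "the Web File Manager of Rumpus" and the surrounding entries describe the same component), and CVE-2020-8514 earlier in this diff is already triaged as "NOT-FOR-US: Rumpus on macOS"; the same resolution can be applied to this block in one pass rather than leaving twelve open TODOs.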
@@ -17682,8 +17700,7 @@ CVE-2020-1699 [improper URL checking leads to information disclosure]
 	NOTE: https://github.com/ceph/ceph/commit/0443e40c11280ba3b7efcba61522afa70c4f8158
 CVE-2020-1698
 	RESERVED
-CVE-2020-1697
-	RESERVED
+CVE-2020-1697 (It was found in all keycloak versions before 9.0.0 that links to exter ...)
 	NOT-FOR-US: Keycloak
 CVE-2020-1696
 	RESERVED
@@ -50828,6 +50845,7 @@ CVE-2019-9660 (Stored XSS exists in YzmCMS 5.2 via the admin/category/edit.html
 CVE-2019-9659 (The Chuango 433 MHz burglar-alarm product line uses static codes in th ...)
 	NOT-FOR-US: Chuango
 CVE-2019-10782 (All versions of com.puppycrawl.tools:checkstyle before 8.29 are vulner ...)
+	{DLA-2099-1}
 	- checkstyle 8.29-1
 	[buster] - checkstyle <not-affected> (Incomplete fix for CVE-2019-9658 not applied)
 	[stretch] - checkstyle <not-affected> (Incomplete fix for CVE-2019-9658 not applied)
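Review bot: the added `{DLA-2099-1}` reference on CVE-2019-10782 contradicts the unchanged `[stretch] - checkstyle <not-affected> (Incomplete fix for CVE-2019-9658 not applied)` line two lines below it. A DLA marker means a stretch update was issued for this CVE, so either the [stretch] line should be replaced by the version shipped in DLA-2099-1, or the DLA reference belongs on CVE-2019-9658 instead; as committed, the entry claims both that stretch was never affected and that stretch was fixed by an advisory.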
@@ -51926,7 +51944,7 @@ CVE-2019-9280 (In keyguard, there is a possible escalation of privilege due to i
 CVE-2019-9279 (In the wifi hotspot service, there is a possible denial of service due ...)
 	NOT-FOR-US: Android
 CVE-2019-9278 (In libexif, there is a possible out of bounds write due to an integer  ...)
-	{DSA-4618-1}
+	{DSA-4618-1 DLA-2100-1}
 	- libexif 0.6.21-6 (bug #945948)
 	NOTE: https://android.googlesource.com/platform/external/libexif/+/a5e8e5812a11ec9686294de8a5d68aaf2ab72475%5E%21/#F0
 	NOTE: https://github.com/libexif/libexif/issues/26
@@ -83652,9 +83670,11 @@ CVE-2018-17095 (An issue has been discovered in mpruett Audio File Library (aka
 	[jessie] - audiofile <postponed> (Can be fixed along in future DLA)
 	NOTE: https://github.com/mpruett/audiofile/issues/50
 	NOTE: https://github.com/mpruett/audiofile/issues/51
-CVE-2018-17094 (An issue has been discovered in mackyle xar 1.6.1. There is a NULL poi ...)
+CVE-2018-17094
+	REJECTED
 	- xar <removed>
-CVE-2018-17093 (An issue has been discovered in mackyle xar 1.6.1. There is a NULL poi ...)
+CVE-2018-17093
+	REJECTED
 	- xar <removed>
 CVE-2018-17092 (An issue was discovered in DonLinkage 6.6.8. SQL injection in /pages/p ...)
 	NOT-FOR-US: DonLinkage
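Review bot: CVE-2018-17094 and CVE-2018-17093 are switched to REJECTED but each keeps its `- xar <removed>` package line. A rejected identifier tracks no vulnerability, so the package line adds nothing and differs from the bare `REJECTED` form used for CVE-2013-1355 later in this file; consider dropping the two package lines in a follow-up.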
@@ -239779,8 +239799,8 @@ CVE-2012-6668 (Multiple cross-site scripting (XSS) vulnerabilities in the Shout
 	NOT-FOR-US: DragonByte Technologies vBShout module for vBulletin
 CVE-2012-6667 (Cross-site scripting (XSS) vulnerability in vbshout.php in DragonByte  ...)
 	NOT-FOR-US: DragonByte Technologies vBShout module for vBulletin
-CVE-2012-6666
-	RESERVED
+CVE-2012-6666 (vBSeo before 3.6.0PL2 allows XSS via the member.php u parameter. ...)
+	TODO: check
 CVE-2010-5313 (Race condition in arch/x86/kvm/x86.c in the Linux kernel before 2.6.38 ...)
 	- linux 2.6.38-1
 	- linux-2.6 2.6.38-1
@@ -250433,14 +250453,14 @@ CVE-2014-5088 (Cross-site scripting (XSS) vulnerability in Status2k allows remot
 	NOT-FOR-US: Status2k
 CVE-2014-5087 (A vulnerability exists in Sphider Search Engine prior to 1.3.6 due to  ...)
 	TODO: check
-CVE-2014-5086
-	RESERVED
-CVE-2014-5085
-	RESERVED
-CVE-2014-5084
-	RESERVED
-CVE-2014-5083
-	RESERVED
+CVE-2014-5086 (A Command Execution vulnerability exists in Sphider Pro, and Sphider P ...)
+	TODO: check
+CVE-2014-5085 (A Command Execution vulnerability exists in Sphider Plus 3.2 due to in ...)
+	TODO: check
+CVE-2014-5084 (A Command Execution vulnerability exists in Sphider Pro 3.2 due to ins ...)
+	TODO: check
+CVE-2014-5083 (A Command Execution vulnerability exists in Sphider before 1.3.6 due t ...)
+	TODO: check
 CVE-2014-5082 (Multiple SQL injection vulnerabilities in admin/admin.php in Sphider 1 ...)
 	NOT-FOR-US: Sphider
 CVE-2014-5081 (sphider prior to 1.3.6, sphider-pro prior to 3.2, and sphider-plus pri ...)
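Review bot: the four Sphider command-execution entries (CVE-2014-5086 through CVE-2014-5083) are left as "TODO: check" although the neighbouring CVE-2014-5082 is already "NOT-FOR-US: Sphider", and CVE-2014-5087 above them carries an older unresolved TODO for the same product; these five should be resolved together so the Sphider block does not stay half-triaged.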
@@ -265041,8 +265061,8 @@ CVE-2013-6871
 	RESERVED
 CVE-2013-6870 (Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk befor ...)
 	NOT-FOR-US: Splunk Web
-CVE-2012-6611
-	RESERVED
+CVE-2012-6611 (Polycom HDX Video End Points before 3.0 allows attackers to read arbit ...)
+	TODO: check
 CVE-2012-6610 (Polycom HDX Video End Points before 3.0.4 and UC APL before 2.7.1.J al ...)
 	NOT-FOR-US: Polycom HDX Video End Points
 CVE-2012-6609 (Directory traversal vulnerability in a_getlog.cgi in Polycom HDX Video ...)
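Review bot: CVE-2012-6611 is added as "TODO: check" while the adjacent CVE-2012-6610 and CVE-2012-6609 entries for the same Polycom HDX Video End Points product are already "NOT-FOR-US: Polycom HDX Video End Points"; the new entry can take the same resolution directly.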
@@ -277536,11 +277556,9 @@ CVE-2013-2110 (Heap-based buffer overflow in the php_quot_print_encode function
 	[squeeze] - php5 <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/php/php-src/commit/93e0d78ec655f59ebfa82b2c6f8486c43651c1d0
 	NOTE: vulnerability introduced with commit http://git.php.net/?p=php-src.git;a=commitdiff;h=18bb426587d62f93c54c40bf8535eb8416603629
-CVE-2013-2109
-	RESERVED
+CVE-2013-2109 (WordPress plugin wp-cleanfix has Remote Code Execution ...)
 	NOT-FOR-US: WordPress plugin wp-cleanfix
-CVE-2013-2108
-	RESERVED
+CVE-2013-2108 (WordPress WP Cleanfix Plugin 2.4.4 has CSRF ...)
 	NOT-FOR-US: WordPress plugin wp-cleanfix
 CVE-2013-2107 (Cross-site request forgery (CSRF) vulnerability in the Mail On Update  ...)
 	NOT-FOR-US: WordPress plugin mail-on-update
@@ -280216,8 +280234,8 @@ CVE-2013-1355
 	REJECTED
 CVE-2013-1354
 	RESERVED
-CVE-2013-1353
-	RESERVED
+CVE-2013-1353 (Orange HRM 2.7.1 allows XSS via the vacancy name. ...)
+	TODO: check
 CVE-2013-1352 (Verax NMS prior to 2.1.0 uses an encryption key that is hardcoded in a ...)
 	NOT-FOR-US: Verax NMS
 CVE-2013-1351 (Verax NMS prior to 2.10 allows authentication via the encrypted passwo ...)
@@ -282074,8 +282092,8 @@ CVE-2012-6451 (Lorex LNC116 and LNC104 IP Cameras have a Remote Authentication B
 	NOT-FOR-US: Lorex LNC116 and LNC104 IP Cameras
 CVE-2012-6450
 	RESERVED
-CVE-2012-6449
-	RESERVED
+CVE-2012-6449 (The clientconf.html and detailbw.html pages in x3 in cPanel & WHM  ...)
+	TODO: check
 CVE-2012-6448 (Cross-site Scripting (XSS) in cPanel WebHost Manager (WHM) 11.34.0 all ...)
 	NOT-FOR-US: cPanel
 CVE-2012-6447 (Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk 5.0.0 ...)
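Review bot: CVE-2012-6449 is added as "TODO: check" although the description places it in cPanel & WHM and the next entry, CVE-2012-6448, is already triaged "NOT-FOR-US: cPanel"; the same resolution applies here.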
@@ -285381,8 +285399,8 @@ CVE-2012-5829 (Heap-based buffer overflow in the nsWindow::OnExposeEvent functio
 	- iceweasel 10.0.11esr-1
 	- icedove 10.0.11-1
 	- iceape 2.7.11-1
-CVE-2012-5828
-	RESERVED
+CVE-2012-5828 (BlackBerry PlayBook before 2.1 has an Information Disclosure Vulnerabi ...)
+	TODO: check
 CVE-2012-5827 (Joomla! 2.5.x before 2.5.8 and 3.0.x before 3.0.2 allows remote attack ...)
 	NOT-FOR-US: Joomla!
 CVE-2012-5826
@@ -295069,8 +295087,8 @@ CVE-2012-2206 (The Web Gateway component in IBM WebSphere MQ File Transfer Editi
 	NOT-FOR-US: IBM WebSphere MQ File Transfer Edition
 CVE-2012-2205 (Cross-site scripting (XSS) vulnerability in IBM Rational ClearQuest 7. ...)
 	NOT-FOR-US: IBM Rational ClearQuest
-CVE-2012-2204
-	RESERVED
+CVE-2012-2204 (InfoSphere Guardium aix_ktap module: DoS ...)
+	TODO: check
 CVE-2012-2203 (IBM Global Security Kit (aka GSKit) before 8.0.14.22, as used in IBM R ...)
 	NOT-FOR-US: IBM Global Security Kit
 CVE-2012-2202 (Directory traversal vulnerability in javatester_init.php in IBM Lotus  ...)
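Review bot: CVE-2012-2204 is added as "TODO: check" with the description "InfoSphere Guardium aix_ktap module: DoS"; the surrounding IBM entries in this hunk are all "NOT-FOR-US", and an AIX kernel module for a proprietary IBM product has no Debian package, so the TODO can be closed as NOT-FOR-US: IBM InfoSphere Guardium.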
@@ -295581,8 +295599,8 @@ CVE-2012-1996 (Unspecified vulnerability in HP Systems Insight Manager (SIM) bef
 	NOT-FOR-US: HP Systems Insight Manager
 CVE-2012-1995 (Unspecified vulnerability in HP Systems Insight Manager (SIM) before 7 ...)
 	NOT-FOR-US: HP Systems Insight Manager
-CVE-2012-1994
-	RESERVED
+CVE-2012-1994 (HP Systems Insight Manager before 7.0 allows a remote user on adjacent ...)
+	TODO: check
 CVE-2012-1993 (Unspecified vulnerability in HP System Management Homepage (SMH) befor ...)
 	NOT-FOR-US: HP System Management Homepage
 CVE-2012-1992 (Cross-site scripting (XSS) vulnerability in admin/edituser.php in CMS  ...)
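Review bot: CVE-2012-1994 is added as "TODO: check" while the two preceding entries, CVE-2012-1996 and CVE-2012-1995, are already "NOT-FOR-US: HP Systems Insight Manager" and the new description names the same product; the placeholder can be resolved the same way.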



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ed3f050a96b6cfea8fa36ccbb5fa9de49aee90bd
