[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Wed Feb 19 20:10:34 GMT 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
05714578 by security tracker role at 2020-02-19T20:10:27+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,23 @@
+CVE-2020-9295
+	RESERVED
+CVE-2020-9294
+	RESERVED
+CVE-2020-9293
+	RESERVED
+CVE-2020-9292
+	RESERVED
+CVE-2020-9291
+	RESERVED
+CVE-2020-9290
+	RESERVED
+CVE-2020-9289
+	RESERVED
+CVE-2020-9288
+	RESERVED
+CVE-2020-9287
+	RESERVED
+CVE-2020-9286
+	RESERVED
 CVE-2020-9285
 	RESERVED
 CVE-2020-9284
@@ -721,8 +741,8 @@ CVE-2020-8961
 	RESERVED
 CVE-2020-8960
 	RESERVED
-CVE-2020-8959
-	RESERVED
+CVE-2020-8959 (Western Digital WesternDigitalSSDDashboardSetup.exe before 3.0.2.0 all ...)
+	TODO: check
 CVE-2020-8958
 	RESERVED
 CVE-2020-8957
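Review bot: CVE-2020-8959 is left at `TODO: check` even though the visible description names a Windows installer (WesternDigitalSSDDashboardSetup.exe) that has no Debian source package; unless a packaged component is identified, this can be closed directly as `NOT-FOR-US: Western Digital SSD Dashboard` rather than left open in the TODO queue.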
@@ -1016,8 +1036,8 @@ CVE-2020-8826
 	RESERVED
 CVE-2020-8825 (index.php?p=/dashboard/settings/branding in Vanilla 2.6.3 allows store ...)
 	NOT-FOR-US: Vanilla Forums
-CVE-2020-8824
-	RESERVED
+CVE-2020-8824 (Hitron CODA-4582U 7.1.1.30 devices allow XSS via a Managed Device name ...)
+	TODO: check
 CVE-2020-8823 (htmlfile in lib/transport/htmlfile.js in SockJS before 3.0 is vulnerab ...)
 	NOT-FOR-US: SockJS
 CVE-2020-8822 (Digi TransPort WR21 5.2.2.3, WR44 5.1.6.4, and WR44v2 5.1.6.9 devices  ...)
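Review bot: CVE-2020-8824 (XSS in Hitron CODA-4582U firmware) is a vendor-device issue like its neighbours CVE-2020-8825 and CVE-2020-8823, which already carry `NOT-FOR-US`; the `TODO: check` placeholder can be resolved to `NOT-FOR-US: Hitron` in the same style.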
@@ -1866,8 +1886,8 @@ CVE-2020-8443 (In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible
 	- ossec-hids <itp> (bug #361954)
 CVE-2020-8442 (In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for  ...)
 	- ossec-hids <itp> (bug #361954)
-CVE-2020-8441
-	RESERVED
+CVE-2020-8441 (JYaml through 1.3 allows remote code execution during deserialization  ...)
+	TODO: check
 CVE-2020-8440 (controllers/page_apply.php in Simplejobscript.com SJS through 1.66 is  ...)
 	NOT-FOR-US: Simplejobscript.com SJS
 CVE-2020-8439
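Review bot: for CVE-2020-8441 the `TODO: check` needs a search of the archive for any source that embeds JYaml before it is closed; the description gives "through 1.3" with no fixed version, so if a package is found the entry will need an `<unfixed>` or `<undetermined>` status with a bug reference rather than a fixed-version line, and `NOT-FOR-US: JYaml` only if nothing ships it.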
@@ -1885,6 +1905,7 @@ CVE-2020-8434
 CVE-2020-8433
 	RESERVED
 CVE-2019-20445 (HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length  ...)
+	{DLA-2110-1 DLA-2109-1}
 	- netty <unfixed> (bug #950967)
 	- netty-3.9 <removed>
 	NOTE: https://github.com/netty/netty/issues/9861
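Review bot: `{DLA-2110-1 DLA-2109-1}` is added to CVE-2019-20445 while the package lines still read `netty <unfixed> (bug #950967)` and `netty-3.9 <removed>`; since this commit touches only data/CVE/list, confirm that both advisories are recorded in data/DLA/list with the netty and netty-3.9 fixed versions for the LTS suite, otherwise the new references do not resolve to any fixed version.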
@@ -1892,6 +1913,7 @@ CVE-2019-20445 (HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-L
 	NOTE: https://github.com/netty/netty/commit/629034624626b722128e0fcc6b3ec9d406cb3706 (4.1)
 	NOTE: https://github.com/netty/netty/commit/5f68897880467c00f29495b0aa46ed19bf7a873c (tests)
 CVE-2019-20444 (HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header th ...)
+	{DLA-2110-1 DLA-2109-1}
 	- netty <unfixed> (bug #950966)
 	- netty-3.9 <removed>
 	NOTE: https://github.com/netty/netty/issues/9866
@@ -4534,6 +4556,7 @@ CVE-2019-20383
 CVE-2019-20382
 	RESERVED
 CVE-2020-7238 (Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles ...)
+	{DLA-2110-1 DLA-2109-1}
 	- netty <unfixed> (bug #950967)
 	- netty-3.9 <removed>
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1796225
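Review bot: CVE-2020-7238 references `bug #950967`, which is the same bug number given for CVE-2019-20445 above, while the closely related CVE-2019-20444 points at `#950966`; check that #950967 is really intended to cover both the 2019 and the 2020 request-smuggling CVE, or correct the bug reference on one of the two entries.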
@@ -7160,10 +7183,10 @@ CVE-2020-6064 (An exploitable out-of-bounds write vulnerability exists in the un
 	NOT-FOR-US: Accusoft ImageGear
 CVE-2020-6063 (An exploitable out-of-bounds write vulnerability exists in the uncompr ...)
 	NOT-FOR-US: Accusoft ImageGear
-CVE-2020-6062
-	RESERVED
-CVE-2020-6061
-	RESERVED
+CVE-2020-6062 (An exploitable denial-of-service vulnerability exists in the way CoTUR ...)
+	TODO: check
+CVE-2020-6061 (An exploitable heap overflow vulnerability exists in the way CoTURN 4. ...)
+	TODO: check
 CVE-2020-6060 (A stack buffer overflow vulnerability exists in the way MiniSNMPD vers ...)
 	NOT-FOR-US: MiniSNMPD
 CVE-2020-6059 (An exploitable out of bounds read vulnerability exists in the way Mini ...)
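Review bot: CVE-2020-6062 and CVE-2020-6061 concern CoTURN, which is packaged in Debian as `coturn`, so these two should not be closed as `NOT-FOR-US` like the surrounding ImageGear and MiniSNMPD entries; they need a `- coturn <fixed version|unfixed> (bug #...)` line, and since the description of CVE-2020-6061 is truncated at "CoTURN 4." the full affected range has to be fetched before a fixed version is recorded.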
@@ -11413,8 +11436,8 @@ CVE-2020-4232
 	RESERVED
 CVE-2020-4231
 	RESERVED
-CVE-2020-4230
-	RESERVED
+CVE-2020-4230 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1 ...)
+	TODO: check
 CVE-2020-4229
 	RESERVED
 CVE-2020-4228
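Review bot: CVE-2020-4230 (IBM DB2 for Linux, UNIX and Windows) has no Debian source, and the neighbouring IBM entry CVE-2020-4163 in this commit already uses `NOT-FOR-US: IBM`; the `TODO: check` can be resolved the same way, and the same applies to the other DB2 entries touched by this update (CVE-2020-4204, CVE-2020-4200, CVE-2020-4161 and CVE-2020-4135).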
@@ -11465,16 +11488,16 @@ CVE-2020-4206
 	RESERVED
 CVE-2020-4205
 	RESERVED
-CVE-2020-4204
-	RESERVED
+CVE-2020-4204 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...)
+	TODO: check
 CVE-2020-4203
 	RESERVED
 CVE-2020-4202
 	RESERVED
 CVE-2020-4201
 	RESERVED
-CVE-2020-4200
-	RESERVED
+CVE-2020-4200 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.5 ...)
+	TODO: check
 CVE-2020-4199
 	RESERVED
 CVE-2020-4198
@@ -11551,8 +11574,8 @@ CVE-2020-4163 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, under sp
 	NOT-FOR-US: IBM
 CVE-2020-4162
 	RESERVED
-CVE-2020-4161
-	RESERVED
+CVE-2020-4161 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5 ...)
+	TODO: check
 CVE-2020-4160
 	RESERVED
 CVE-2020-4159
@@ -11603,8 +11626,8 @@ CVE-2020-4137
 	RESERVED
 CVE-2020-4136
 	RESERVED
-CVE-2020-4135
-	RESERVED
+CVE-2020-4135 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...)
+	TODO: check
 CVE-2020-4134
 	RESERVED
 CVE-2020-4133
@@ -27360,8 +27383,8 @@ CVE-2019-17335 (The Data access layer component of TIBCO Software Inc.'s TIBCO S
 	NOT-FOR-US: TIBCO
 CVE-2019-17334 (The Visualizations component of TIBCO Software Inc.'s TIBCO Spotfire A ...)
 	NOT-FOR-US: TIBCO
-CVE-2019-17333
-	RESERVED
+CVE-2019-17333 (The Web server component of TIBCO Software Inc.'s TIBCO EBX contains a ...)
+	TODO: check
 CVE-2019-17332 (The Digital Asset Manager Web Interface component of TIBCO Software In ...)
 	NOT-FOR-US: TIBCO
 CVE-2019-17331 (The Data Exchange Web Interface component of TIBCO Software Inc.'s TIB ...)
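Review bot: CVE-2019-17333 (TIBCO EBX web server component) sits between entries that are all `NOT-FOR-US: TIBCO`; the `TODO: check` placeholder should be resolved to the same status for consistency.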
@@ -28566,7 +28589,7 @@ CVE-2019-16871 (Beckhoff Embedded Windows PLCs through 3.1.4024.0, and Beckhoff
 CVE-2019-16870
 	RESERVED
 CVE-2019-16869 (Netty before 4.1.42.Final mishandles whitespace before the colon in HT ...)
-	{DSA-4597-1 DLA-1941-1}
+	{DSA-4597-1 DLA-2110-1 DLA-1941-1}
 	- netty 1:4.1.33-2 (bug #941266)
 	- netty-3.9 <removed>
 	NOTE: https://github.com/netty/netty/issues/9571
@@ -43165,8 +43188,8 @@ CVE-2019-12440 (The Sitecore Rocks plugin before 2.1.149 for Sitecore allows an
 	NOT-FOR-US: Sitecore CMS
 CVE-2019-12438
 	RESERVED
-CVE-2019-12437
-	RESERVED
+CVE-2019-12437 (In SilverStripe through 4.3.3, the previous fix for SS-2018-007 does n ...)
+	TODO: check
 CVE-2019-12436 (Samba 4.10.x before 4.10.5 has a NULL pointer dereference, leading to  ...)
 	- samba <not-affected> (Only affects Samba since 4.10.0)
 	NOTE: https://www.samba.org/samba/security/CVE-2019-12436.html
@@ -43699,8 +43722,8 @@ CVE-2019-12247 (** DISPUTED ** QEMU 3.0.0 has an Integer Overflow because the qg
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-05/msg04596.html
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-05/msg05457.html
 	NOTE: Disputed upstream as not beeing exploitable.
-CVE-2019-12246
-	RESERVED
+CVE-2019-12246 (SilverStripe through 4.3.3 allows a Denial of Service on flush and dev ...)
+	TODO: check
 CVE-2019-12245 (SilverStripe through 4.3.3 has incorrect access control for protected  ...)
 	NOT-FOR-US: SilverStripe
 CVE-2019-12244
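Review bot: CVE-2019-12246 is left at `TODO: check` although the adjacent CVE-2019-12245 for the same product and version range is already `NOT-FOR-US: SilverStripe`; resolve this one, and CVE-2019-12437 in the hunk above, to the same status unless a Debian package shipping SilverStripe has appeared.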
@@ -47836,8 +47859,8 @@ CVE-2019-10799
 	RESERVED
 CVE-2019-10798
 	RESERVED
-CVE-2019-10797
-	RESERVED
+CVE-2019-10797 (Netty in WSO2 transport-http before v6.3.1 is vulnerable to HTTP Respo ...)
+	TODO: check
 CVE-2019-10796
 	RESERVED
 CVE-2019-10795 (undefsafe before 2.0.3 is vulnerable to Prototype Pollution. The 'a' f ...)
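Review bot: CVE-2019-10797 mentions Netty in its description but the affected component is WSO2's transport-http, not the Netty library itself; when the `TODO: check` is resolved it should not be given the `netty`/`netty-3.9` package lines or the DLA references used for the Netty CVEs elsewhere in this commit, and `NOT-FOR-US: WSO2` is the likely outcome.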
@@ -64874,8 +64897,8 @@ CVE-2019-4642
 	RESERVED
 CVE-2019-4641
 	RESERVED
-CVE-2019-4640
-	RESERVED
+CVE-2019-4640 (IBM Security Secret Server 10.7 processes patches, image backups and o ...)
+	TODO: check
 CVE-2019-4639 (IBM Security Secret Server 10.7 uses weaker than expected cryptographi ...)
 	NOT-FOR-US: IBM
 CVE-2019-4638 (IBM Security Secret Server 10.7 does not set the secure attribute on a ...)
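Review bot: CVE-2019-4640 (IBM Security Secret Server) is surrounded by entries for the same product that are already `NOT-FOR-US: IBM`; the `TODO: check` can be closed with that status, and the IBM Jazz Foundation and Maximo entries in the two following hunks (CVE-2019-4457, CVE-2019-4429) match the same pattern.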
@@ -65240,8 +65263,8 @@ CVE-2019-4459 (IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise 2.5
 	NOT-FOR-US: IBM
 CVE-2019-4458
 	RESERVED
-CVE-2019-4457
-	RESERVED
+CVE-2019-4457 (IBM Jazz Foundation 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, and ...)
+	TODO: check
 CVE-2019-4456 (IBM Daeja ViewONE Professional, Standard & Virtual 5.0.5 and 5.0.6 ...)
 	NOT-FOR-US: IBM
 CVE-2019-4455
@@ -65296,8 +65319,8 @@ CVE-2019-4431 (IBM Rational Publishing Engine 6.0.6 and 6.0.6.1 is vulnerable to
 	NOT-FOR-US: IBM
 CVE-2019-4430 (IBM Maximo Asset Management 7.6 could allow a remote attacker to trave ...)
 	NOT-FOR-US: IBM
-CVE-2019-4429
-	RESERVED
+CVE-2019-4429 (IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to cross-sit ...)
+	TODO: check
 CVE-2019-4428 (IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is ...)
 	NOT-FOR-US: IBM
 CVE-2019-4427 (IBM Cloud CLI 0.6.0 through 0.16.1 windows installers are signed using ...)
@@ -194446,8 +194469,7 @@ CVE-2016-1000110 (The CGIHandler class in Python before 2.7.12 does not protect
 	NOTE: No part of Python does set HTTP_PROXY based on a Proxy: header, the Python bug
 	NOTE: just provides a hardening to discard HTTP_PROXY if it thinks a Python script is
 	NOTE: running as a CGI script
-CVE-2016-1000109
-	RESERVED
+CVE-2016-1000109 (HHVM does not attempt to address RFC 3875 section 4.1.18 namespace con ...)
 	- hhvm 3.12.11+dfsg-1 (unimportant)
 CVE-2016-1000107 (inets in Erlang possibly 22.1 and earlier follows RFC 3875 section 4.1 ...)
 	- erlang <unfixed> (unimportant)
@@ -194751,11 +194773,9 @@ CVE-2016-1000008
 	RESERVED
 CVE-2016-1000006 (hhvm before 3.12.11 has a use-after-free in the serialize_memoize_para ...)
 	- hhvm 3.12.11+dfsg-1
-CVE-2016-1000005
-	RESERVED
+CVE-2016-1000005 (mcrypt_get_block_size did not enforce that the provided "module" param ...)
 	- hhvm 3.12.11+dfsg-1
-CVE-2016-1000004
-	RESERVED
+CVE-2016-1000004 (Insufficient type checks were employed prior to casting input data in  ...)
 	- hhvm 3.12.11+dfsg-1
 CVE-2016-6173 (NSD before 4.1.11 allows remote DNS master servers to cause a denial o ...)
 	- nsd 4.1.11-1 (unimportant; bug #830806)
@@ -233494,7 +233514,7 @@ CVE-2015-2106 (Unspecified vulnerability in HP Integrated Lights-Out (iLO) firmw
 CVE-2015-2105
 	RESERVED
 CVE-2015-2104
-	RESERVED
+	REJECTED
 CVE-2015-2103 (Cross-site scripting (XSS) vulnerability in the admin-login panel (adm ...)
 	NOT-FOR-US: Cosmoshop
 CVE-2015-2102 (SQL injection vulnerability in view_item.php in ClipBucket 2.7 RC3 (2. ...)
@@ -239255,8 +239275,7 @@ CVE-2014-9556 (Integer overflow in the qtmd_decompress function in libmspack 0.4
 	NOTE: Starting with 1.4-5 cabextract uses the mspack system library
 CVE-2012-6686
 	REJECTED
-CVE-2012-6685 [ruby-nokogiri XXE]
-	RESERVED
+CVE-2012-6685 (Nokogiri before 1.5.4 is vulnerable to XXE attacks ...)
 	{DLA-229-1}
 	- ruby-nokogiri 1.5.4-1 (low)
 	- libnokogiri-ruby <removed>
@@ -255185,8 +255204,7 @@ CVE-2014-3624 (Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers
 	NOTE: https://issues.apache.org/jira/browse/TS-2677
 CVE-2014-3623 (Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF ...)
 	NOT-FOR-US: Apache CXF
-CVE-2014-3622 [Posthandler Potential Illegal efree() vulnerability]
-	RESERVED
+CVE-2014-3622 (Use-after-free vulnerability in the add_post_var function in the Posth ...)
 	- php5 5.6.1+dfsg-1 (unimportant)
 	NOTE: Not exploitable
 	NOTE: https://bugs.php.net/bug.php?id=68088
@@ -255740,6 +255758,7 @@ CVE-2014-3490 (RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in
 CVE-2014-3489 (lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine ( ...)
 	NOT-FOR-US: Red Hat CloudForms Management Engine
 CVE-2014-3488 (The SslHandler in Netty before 3.9.2 allows remote attackers to cause  ...)
+	{DLA-2110-1}
 	- netty <not-affected> (Introduced in 3.9.0)
 	- netty-3.9 3.9.9.Final-1
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1107983 says only affects
@@ -257880,8 +257899,8 @@ CVE-2014-2729 (Cross-site scripting (XSS) vulnerability in content.aspx in Ektro
 	NOT-FOR-US: Ektron Web Content Management System
 CVE-2014-2728
 	RESERVED
-CVE-2014-2727
-	RESERVED
+CVE-2014-2727 (The STARTTLS implementation in MailMarshal before 7.2 allows plaintext ...)
+	TODO: check
 CVE-2012-6641 (Cross-site scripting (XSS) vulnerability in redirect.php in the Socoli ...)
 	NOT-FOR-US: PrestaShop
 CVE-2012-6640 (Cross-site scripting (XSS) vulnerability in Horde Internet Mail Progra ...)
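Review bot: CVE-2014-2727 (STARTTLS plaintext injection in MailMarshal) is a proprietary product with no Debian source, so the `TODO: check` can be resolved as `NOT-FOR-US: MailMarshal` in line with the neighbouring Ektron and PrestaShop entries.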
@@ -259243,8 +259262,8 @@ CVE-2014-2230 (Open redirect vulnerability in the header function in adclick.php
 	NOT-FOR-US: OpenX
 CVE-2014-2229
 	RESERVED
-CVE-2014-2228
-	RESERVED
+CVE-2014-2228 (The XStream extension in HP Fortify SCA before 2.2 RC3 allows remote a ...)
+	TODO: check
 CVE-2014-2227 (The default Flash cross-domain policy (crossdomain.xml) in Ubiquiti Ne ...)
 	NOT-FOR-US: Ubiquiti Networks
 CVE-2014-2226 (Ubiquiti UniFi Controller before 3.2.1 logs the administrative passwor ...)
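Review bot: CVE-2014-2228 describes the XStream extension shipped in HP Fortify SCA, not the XStream library itself; when closing the `TODO: check`, take care not to attach it to the Debian XStream package, and `NOT-FOR-US: HP Fortify SCA` is the appropriate status unless the advisory turns out to describe an upstream XStream flaw.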
@@ -264577,8 +264596,8 @@ CVE-2013-7004 (D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmwa
 	NOT-FOR-US: D-Link DSR-150
 CVE-2013-7003 (Multiple cross-site scripting (XSS) vulnerabilities in LiveZilla befor ...)
 	NOT-FOR-US: LiveZilla
-CVE-2012-6614
-	RESERVED
+CVE-2012-6614 (D-Link DSR-250N devices before 1.08B31 allow remote authenticated user ...)
+	TODO: check
 CVE-2012-6613 (D-Link DSR-250N devices with firmware 1.05B73_WW allow Persistent Root ...)
 	NOT-FOR-US: D-Link
 CVE-2014-0365
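Review bot: CVE-2012-6614 (D-Link DSR-250N firmware) should get `NOT-FOR-US: D-Link`, matching the adjacent CVE-2012-6613 entry for the same device, instead of remaining at `TODO: check`.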
@@ -265354,6 +265373,7 @@ CVE-2014-0195 (The dtls1_reassemble_fragment function in d1_both.c in OpenSSL be
 CVE-2014-0194
 	REJECTED
 CVE-2014-0193 (WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7. ...)
+	{DLA-2110-1}
 	- netty <not-affected> (WebSocket08FrameDecoder function not present; bug #746639)
 	- netty-3.9 3.9.9.Final-1
 	NOTE: https://github.com/netty/netty/commit/48edb7802b42b0e2eb5a55d8eca390e0c9066783
@@ -269638,7 +269658,7 @@ CVE-2013-5583 (Cross-site scripting (XSS) vulnerability in libraries/idna_conver
 CVE-2013-5582 (Ammyy Admin 3.2 and earlier stores the client ID at a fixed memory loc ...)
 	NOT-FOR-US: Ammyy Admin
 CVE-2013-5581
-	RESERVED
+	REJECTED
 	NOT-FOR-US: Ammyy Admin
 CVE-2013-5579
 	RESERVED
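Review bot: CVE-2013-5581 is switched from `RESERVED` to `REJECTED`, but the `NOT-FOR-US: Ammyy Admin` line beneath it is kept; a rejected id should carry no triage status, so that leftover line should be dropped together with this change to avoid a contradictory entry.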
@@ -296920,8 +296940,8 @@ CVE-2012-1934 (SQL injection vulnerability in admin/country/edit.php in Newscoop
 	- newscoop <itp> (bug #604113)
 CVE-2012-1933 (Multiple PHP remote file inclusion vulnerabilities in Newscoop 3.5.x b ...)
 	- newscoop <itp> (bug #604113)
-CVE-2012-1932
-	RESERVED
+CVE-2012-1932 (A cross-site scripting (XSS) vulnerability in Wolf CMS 0.75 and earlie ...)
+	TODO: check
 CVE-2007-6753 (Untrusted search path vulnerability in Shell32.dll in Microsoft Window ...)
 	NOT-FOR-US: Microsoft Windows
 CVE-2012-1931 (Opera before 11.62 on UNIX, when used in conjunction with an unspecifi ...)
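Review bot: CVE-2012-1932 (XSS in Wolf CMS 0.75 and earlier) has no Debian package and can be closed as `NOT-FOR-US: Wolf CMS` rather than left at `TODO: check`.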
@@ -302485,8 +302505,7 @@ CVE-2012-0056 (The mem_write function in the Linux kernel before 3.2.2, when ASL
 	[squeeze] - linux-2.6 <not-affected> (introduced in 2.6.39)
 	[lenny] - linux-2.6 <not-affected> (introduced in 2.6.39)
 	NOTE: fix is http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc (queued for 3.3)
-CVE-2012-0055
-	RESERVED
+CVE-2012-0055 (OverlayFS in the Linux kernel before 3.0.0-16.28, as used in Ubuntu 10 ...)
 	NOT-FOR-US: overlayfs is not (yet) in the Debian kernel
 CVE-2012-0054 (libs/updater.py in GoLismero 0.6.3, and other versions before Git revi ...)
 	NOT-FOR-US: golismero not in Debian
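Review bot: the `NOT-FOR-US` rationale kept under CVE-2012-0055, "overlayfs is not (yet) in the Debian kernel", no longer matches the description now recorded, which ties the bug to the OverlayFS patch in Ubuntu's 3.0.0-16.28 kernel; since overlayfs was later merged upstream (Linux 3.18) and is in the Debian kernel, the note should say the issue is specific to the Ubuntu out-of-tree patch so the entry is not re-opened on that basis.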



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/057145782b16fd7c4558be765b23e218261323e1
