[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Wed Feb 19 20:10:34 GMT 2020
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
05714578 by security tracker role at 2020-02-19T20:10:27+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,23 @@
+CVE-2020-9295
+ RESERVED
+CVE-2020-9294
+ RESERVED
+CVE-2020-9293
+ RESERVED
+CVE-2020-9292
+ RESERVED
+CVE-2020-9291
+ RESERVED
+CVE-2020-9290
+ RESERVED
+CVE-2020-9289
+ RESERVED
+CVE-2020-9288
+ RESERVED
+CVE-2020-9287
+ RESERVED
+CVE-2020-9286
+ RESERVED
CVE-2020-9285
RESERVED
CVE-2020-9284
@@ -721,8 +741,8 @@ CVE-2020-8961
RESERVED
CVE-2020-8960
RESERVED
-CVE-2020-8959
- RESERVED
+CVE-2020-8959 (Western Digital WesternDigitalSSDDashboardSetup.exe before 3.0.2.0 all ...)
+ TODO: check
CVE-2020-8958
RESERVED
CVE-2020-8957
@@ -1016,8 +1036,8 @@ CVE-2020-8826
RESERVED
CVE-2020-8825 (index.php?p=/dashboard/settings/branding in Vanilla 2.6.3 allows store ...)
NOT-FOR-US: Vanilla Forums
-CVE-2020-8824
- RESERVED
+CVE-2020-8824 (Hitron CODA-4582U 7.1.1.30 devices allow XSS via a Managed Device name ...)
+ TODO: check
CVE-2020-8823 (htmlfile in lib/transport/htmlfile.js in SockJS before 3.0 is vulnerab ...)
NOT-FOR-US: SockJS
CVE-2020-8822 (Digi TransPort WR21 5.2.2.3, WR44 5.1.6.4, and WR44v2 5.1.6.9 devices ...)
@@ -1866,8 +1886,8 @@ CVE-2020-8443 (In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible
- ossec-hids <itp> (bug #361954)
CVE-2020-8442 (In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for ...)
- ossec-hids <itp> (bug #361954)
-CVE-2020-8441
- RESERVED
+CVE-2020-8441 (JYaml through 1.3 allows remote code execution during deserialization ...)
+ TODO: check
CVE-2020-8440 (controllers/page_apply.php in Simplejobscript.com SJS through 1.66 is ...)
NOT-FOR-US: Simplejobscript.com SJS
CVE-2020-8439
@@ -1885,6 +1905,7 @@ CVE-2020-8434
CVE-2020-8433
RESERVED
CVE-2019-20445 (HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length ...)
+ {DLA-2110-1 DLA-2109-1}
- netty <unfixed> (bug #950967)
- netty-3.9 <removed>
NOTE: https://github.com/netty/netty/issues/9861
@@ -1892,6 +1913,7 @@ CVE-2019-20445 (HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-L
NOTE: https://github.com/netty/netty/commit/629034624626b722128e0fcc6b3ec9d406cb3706 (4.1)
NOTE: https://github.com/netty/netty/commit/5f68897880467c00f29495b0aa46ed19bf7a873c (tests)
CVE-2019-20444 (HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header th ...)
+ {DLA-2110-1 DLA-2109-1}
- netty <unfixed> (bug #950966)
- netty-3.9 <removed>
NOTE: https://github.com/netty/netty/issues/9866
@@ -4534,6 +4556,7 @@ CVE-2019-20383
CVE-2019-20382
RESERVED
CVE-2020-7238 (Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles ...)
+ {DLA-2110-1 DLA-2109-1}
- netty <unfixed> (bug #950967)
- netty-3.9 <removed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1796225
@@ -7160,10 +7183,10 @@ CVE-2020-6064 (An exploitable out-of-bounds write vulnerability exists in the un
NOT-FOR-US: Accusoft ImageGear
CVE-2020-6063 (An exploitable out-of-bounds write vulnerability exists in the uncompr ...)
NOT-FOR-US: Accusoft ImageGear
-CVE-2020-6062
- RESERVED
-CVE-2020-6061
- RESERVED
+CVE-2020-6062 (An exploitable denial-of-service vulnerability exists in the way CoTUR ...)
+ TODO: check
+CVE-2020-6061 (An exploitable heap overflow vulnerability exists in the way CoTURN 4. ...)
+ TODO: check
CVE-2020-6060 (A stack buffer overflow vulnerability exists in the way MiniSNMPD vers ...)
NOT-FOR-US: MiniSNMPD
CVE-2020-6059 (An exploitable out of bounds read vulnerability exists in the way Mini ...)
@@ -11413,8 +11436,8 @@ CVE-2020-4232
RESERVED
CVE-2020-4231
RESERVED
-CVE-2020-4230
- RESERVED
+CVE-2020-4230 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.1 ...)
+ TODO: check
CVE-2020-4229
RESERVED
CVE-2020-4228
@@ -11465,16 +11488,16 @@ CVE-2020-4206
RESERVED
CVE-2020-4205
RESERVED
-CVE-2020-4204
- RESERVED
+CVE-2020-4204 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...)
+ TODO: check
CVE-2020-4203
RESERVED
CVE-2020-4202
RESERVED
CVE-2020-4201
RESERVED
-CVE-2020-4200
- RESERVED
+CVE-2020-4200 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.5 ...)
+ TODO: check
CVE-2020-4199
RESERVED
CVE-2020-4198
@@ -11551,8 +11574,8 @@ CVE-2020-4163 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, under sp
NOT-FOR-US: IBM
CVE-2020-4162
RESERVED
-CVE-2020-4161
- RESERVED
+CVE-2020-4161 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5 ...)
+ TODO: check
CVE-2020-4160
RESERVED
CVE-2020-4159
@@ -11603,8 +11626,8 @@ CVE-2020-4137
RESERVED
CVE-2020-4136
RESERVED
-CVE-2020-4135
- RESERVED
+CVE-2020-4135 (IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, ...)
+ TODO: check
CVE-2020-4134
RESERVED
CVE-2020-4133
@@ -27360,8 +27383,8 @@ CVE-2019-17335 (The Data access layer component of TIBCO Software Inc.'s TIBCO S
NOT-FOR-US: TIBCO
CVE-2019-17334 (The Visualizations component of TIBCO Software Inc.'s TIBCO Spotfire A ...)
NOT-FOR-US: TIBCO
-CVE-2019-17333
- RESERVED
+CVE-2019-17333 (The Web server component of TIBCO Software Inc.'s TIBCO EBX contains a ...)
+ TODO: check
CVE-2019-17332 (The Digital Asset Manager Web Interface component of TIBCO Software In ...)
NOT-FOR-US: TIBCO
CVE-2019-17331 (The Data Exchange Web Interface component of TIBCO Software Inc.'s TIB ...)
@@ -28566,7 +28589,7 @@ CVE-2019-16871 (Beckhoff Embedded Windows PLCs through 3.1.4024.0, and Beckhoff
CVE-2019-16870
RESERVED
CVE-2019-16869 (Netty before 4.1.42.Final mishandles whitespace before the colon in HT ...)
- {DSA-4597-1 DLA-1941-1}
+ {DSA-4597-1 DLA-2110-1 DLA-1941-1}
- netty 1:4.1.33-2 (bug #941266)
- netty-3.9 <removed>
NOTE: https://github.com/netty/netty/issues/9571
@@ -43165,8 +43188,8 @@ CVE-2019-12440 (The Sitecore Rocks plugin before 2.1.149 for Sitecore allows an
NOT-FOR-US: Sitecore CMS
CVE-2019-12438
RESERVED
-CVE-2019-12437
- RESERVED
+CVE-2019-12437 (In SilverStripe through 4.3.3, the previous fix for SS-2018-007 does n ...)
+ TODO: check
CVE-2019-12436 (Samba 4.10.x before 4.10.5 has a NULL pointer dereference, leading to ...)
- samba <not-affected> (Only affects Samba since 4.10.0)
NOTE: https://www.samba.org/samba/security/CVE-2019-12436.html
@@ -43699,8 +43722,8 @@ CVE-2019-12247 (** DISPUTED ** QEMU 3.0.0 has an Integer Overflow because the qg
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-05/msg04596.html
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-05/msg05457.html
NOTE: Disputed upstream as not beeing exploitable.
-CVE-2019-12246
- RESERVED
+CVE-2019-12246 (SilverStripe through 4.3.3 allows a Denial of Service on flush and dev ...)
+ TODO: check
CVE-2019-12245 (SilverStripe through 4.3.3 has incorrect access control for protected ...)
NOT-FOR-US: SilverStripe
CVE-2019-12244
@@ -47836,8 +47859,8 @@ CVE-2019-10799
RESERVED
CVE-2019-10798
RESERVED
-CVE-2019-10797
- RESERVED
+CVE-2019-10797 (Netty in WSO2 transport-http before v6.3.1 is vulnerable to HTTP Respo ...)
+ TODO: check
CVE-2019-10796
RESERVED
CVE-2019-10795 (undefsafe before 2.0.3 is vulnerable to Prototype Pollution. The 'a' f ...)
@@ -64874,8 +64897,8 @@ CVE-2019-4642
RESERVED
CVE-2019-4641
RESERVED
-CVE-2019-4640
- RESERVED
+CVE-2019-4640 (IBM Security Secret Server 10.7 processes patches, image backups and o ...)
+ TODO: check
CVE-2019-4639 (IBM Security Secret Server 10.7 uses weaker than expected cryptographi ...)
NOT-FOR-US: IBM
CVE-2019-4638 (IBM Security Secret Server 10.7 does not set the secure attribute on a ...)
@@ -65240,8 +65263,8 @@ CVE-2019-4459 (IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise 2.5
NOT-FOR-US: IBM
CVE-2019-4458
RESERVED
-CVE-2019-4457
- RESERVED
+CVE-2019-4457 (IBM Jazz Foundation 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, and ...)
+ TODO: check
CVE-2019-4456 (IBM Daeja ViewONE Professional, Standard & Virtual 5.0.5 and 5.0.6 ...)
NOT-FOR-US: IBM
CVE-2019-4455
@@ -65296,8 +65319,8 @@ CVE-2019-4431 (IBM Rational Publishing Engine 6.0.6 and 6.0.6.1 is vulnerable to
NOT-FOR-US: IBM
CVE-2019-4430 (IBM Maximo Asset Management 7.6 could allow a remote attacker to trave ...)
NOT-FOR-US: IBM
-CVE-2019-4429
- RESERVED
+CVE-2019-4429 (IBM Maximo Asset Management 7.6.0 and 7.6.1 is vulnerable to cross-sit ...)
+ TODO: check
CVE-2019-4428 (IBM Watson Assistant for IBM Cloud Pak for Data 1.0.0 through 1.3.0 is ...)
NOT-FOR-US: IBM
CVE-2019-4427 (IBM Cloud CLI 0.6.0 through 0.16.1 windows installers are signed using ...)
@@ -194446,8 +194469,7 @@ CVE-2016-1000110 (The CGIHandler class in Python before 2.7.12 does not protect
NOTE: No part of Python does set HTTP_PROXY based on a Proxy: header, the Python bug
NOTE: just provides a hardening to discard HTTP_PROXY if it thinks a Python script is
NOTE: running as a CGI script
-CVE-2016-1000109
- RESERVED
+CVE-2016-1000109 (HHVM does not attempt to address RFC 3875 section 4.1.18 namespace con ...)
- hhvm 3.12.11+dfsg-1 (unimportant)
CVE-2016-1000107 (inets in Erlang possibly 22.1 and earlier follows RFC 3875 section 4.1 ...)
- erlang <unfixed> (unimportant)
@@ -194751,11 +194773,9 @@ CVE-2016-1000008
RESERVED
CVE-2016-1000006 (hhvm before 3.12.11 has a use-after-free in the serialize_memoize_para ...)
- hhvm 3.12.11+dfsg-1
-CVE-2016-1000005
- RESERVED
+CVE-2016-1000005 (mcrypt_get_block_size did not enforce that the provided "module" param ...)
- hhvm 3.12.11+dfsg-1
-CVE-2016-1000004
- RESERVED
+CVE-2016-1000004 (Insufficient type checks were employed prior to casting input data in ...)
- hhvm 3.12.11+dfsg-1
CVE-2016-6173 (NSD before 4.1.11 allows remote DNS master servers to cause a denial o ...)
- nsd 4.1.11-1 (unimportant; bug #830806)
@@ -233494,7 +233514,7 @@ CVE-2015-2106 (Unspecified vulnerability in HP Integrated Lights-Out (iLO) firmw
CVE-2015-2105
RESERVED
CVE-2015-2104
- RESERVED
+ REJECTED
CVE-2015-2103 (Cross-site scripting (XSS) vulnerability in the admin-login panel (adm ...)
NOT-FOR-US: Cosmoshop
CVE-2015-2102 (SQL injection vulnerability in view_item.php in ClipBucket 2.7 RC3 (2. ...)
@@ -239255,8 +239275,7 @@ CVE-2014-9556 (Integer overflow in the qtmd_decompress function in libmspack 0.4
NOTE: Starting with 1.4-5 cabextract uses the mspack system library
CVE-2012-6686
REJECTED
-CVE-2012-6685 [ruby-nokogiri XXE]
- RESERVED
+CVE-2012-6685 (Nokogiri before 1.5.4 is vulnerable to XXE attacks ...)
{DLA-229-1}
- ruby-nokogiri 1.5.4-1 (low)
- libnokogiri-ruby <removed>
@@ -255185,8 +255204,7 @@ CVE-2014-3624 (Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers
NOTE: https://issues.apache.org/jira/browse/TS-2677
CVE-2014-3623 (Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF ...)
NOT-FOR-US: Apache CXF
-CVE-2014-3622 [Posthandler Potential Illegal efree() vulnerability]
- RESERVED
+CVE-2014-3622 (Use-after-free vulnerability in the add_post_var function in the Posth ...)
- php5 5.6.1+dfsg-1 (unimportant)
NOTE: Not exploitable
NOTE: https://bugs.php.net/bug.php?id=68088
@@ -255740,6 +255758,7 @@ CVE-2014-3490 (RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in
CVE-2014-3489 (lib/util/miq-password.rb in Red Hat CloudForms 3.0 Management Engine ( ...)
NOT-FOR-US: Red Hat CloudForms Management Engine
CVE-2014-3488 (The SslHandler in Netty before 3.9.2 allows remote attackers to cause ...)
+ {DLA-2110-1}
- netty <not-affected> (Introduced in 3.9.0)
- netty-3.9 3.9.9.Final-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1107983 says only affects
@@ -257880,8 +257899,8 @@ CVE-2014-2729 (Cross-site scripting (XSS) vulnerability in content.aspx in Ektro
NOT-FOR-US: Ektron Web Content Management System
CVE-2014-2728
RESERVED
-CVE-2014-2727
- RESERVED
+CVE-2014-2727 (The STARTTLS implementation in MailMarshal before 7.2 allows plaintext ...)
+ TODO: check
CVE-2012-6641 (Cross-site scripting (XSS) vulnerability in redirect.php in the Socoli ...)
NOT-FOR-US: PrestaShop
CVE-2012-6640 (Cross-site scripting (XSS) vulnerability in Horde Internet Mail Progra ...)
@@ -259243,8 +259262,8 @@ CVE-2014-2230 (Open redirect vulnerability in the header function in adclick.php
NOT-FOR-US: OpenX
CVE-2014-2229
RESERVED
-CVE-2014-2228
- RESERVED
+CVE-2014-2228 (The XStream extension in HP Fortify SCA before 2.2 RC3 allows remote a ...)
+ TODO: check
CVE-2014-2227 (The default Flash cross-domain policy (crossdomain.xml) in Ubiquiti Ne ...)
NOT-FOR-US: Ubiquiti Networks
CVE-2014-2226 (Ubiquiti UniFi Controller before 3.2.1 logs the administrative passwor ...)
@@ -264577,8 +264596,8 @@ CVE-2013-7004 (D-Link DSR-150 with firmware before 1.08B44; DSR-150N with firmwa
NOT-FOR-US: D-Link DSR-150
CVE-2013-7003 (Multiple cross-site scripting (XSS) vulnerabilities in LiveZilla befor ...)
NOT-FOR-US: LiveZilla
-CVE-2012-6614
- RESERVED
+CVE-2012-6614 (D-Link DSR-250N devices before 1.08B31 allow remote authenticated user ...)
+ TODO: check
CVE-2012-6613 (D-Link DSR-250N devices with firmware 1.05B73_WW allow Persistent Root ...)
NOT-FOR-US: D-Link
CVE-2014-0365
@@ -265354,6 +265373,7 @@ CVE-2014-0195 (The dtls1_reassemble_fragment function in d1_both.c in OpenSSL be
CVE-2014-0194
REJECTED
CVE-2014-0193 (WebSocket08FrameDecoder in Netty 3.6.x before 3.6.9, 3.7.x before 3.7. ...)
+ {DLA-2110-1}
- netty <not-affected> (WebSocket08FrameDecoder function not present; bug #746639)
- netty-3.9 3.9.9.Final-1
NOTE: https://github.com/netty/netty/commit/48edb7802b42b0e2eb5a55d8eca390e0c9066783
@@ -269638,7 +269658,7 @@ CVE-2013-5583 (Cross-site scripting (XSS) vulnerability in libraries/idna_conver
CVE-2013-5582 (Ammyy Admin 3.2 and earlier stores the client ID at a fixed memory loc ...)
NOT-FOR-US: Ammyy Admin
CVE-2013-5581
- RESERVED
+ REJECTED
NOT-FOR-US: Ammyy Admin
CVE-2013-5579
RESERVED
@@ -296920,8 +296940,8 @@ CVE-2012-1934 (SQL injection vulnerability in admin/country/edit.php in Newscoop
- newscoop <itp> (bug #604113)
CVE-2012-1933 (Multiple PHP remote file inclusion vulnerabilities in Newscoop 3.5.x b ...)
- newscoop <itp> (bug #604113)
-CVE-2012-1932
- RESERVED
+CVE-2012-1932 (A cross-site scripting (XSS) vulnerability in Wolf CMS 0.75 and earlie ...)
+ TODO: check
CVE-2007-6753 (Untrusted search path vulnerability in Shell32.dll in Microsoft Window ...)
NOT-FOR-US: Microsoft Windows
CVE-2012-1931 (Opera before 11.62 on UNIX, when used in conjunction with an unspecifi ...)
@@ -302485,8 +302505,7 @@ CVE-2012-0056 (The mem_write function in the Linux kernel before 3.2.2, when ASL
[squeeze] - linux-2.6 <not-affected> (introduced in 2.6.39)
[lenny] - linux-2.6 <not-affected> (introduced in 2.6.39)
NOTE: fix is http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc (queued for 3.3)
-CVE-2012-0055
- RESERVED
+CVE-2012-0055 (OverlayFS in the Linux kernel before 3.0.0-16.28, as used in Ubuntu 10 ...)
NOT-FOR-US: overlayfs is not (yet) in the Debian kernel
CVE-2012-0054 (libs/updater.py in GoLismero 0.6.3, and other versions before Git revi ...)
NOT-FOR-US: golismero not in Debian
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/057145782b16fd7c4558be765b23e218261323e1
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/057145782b16fd7c4558be765b23e218261323e1
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200219/df389ff7/attachment.html>
More information about the debian-security-tracker-commits
mailing list