[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Mon Feb 24 20:10:30 GMT 2020
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c7c896cb by security tracker role at 2020-02-24T20:10:22+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,4 +1,34 @@
-CVE-2020-9366
+CVE-2020-9374 (On TP-Link TL-WR849N 0.9.1 4.16 devices, a remote command execution vu ...)
+ TODO: check
+CVE-2020-9373
+ RESERVED
+CVE-2020-9372
+ RESERVED
+CVE-2020-9371
+ RESERVED
+CVE-2020-9370
+ RESERVED
+CVE-2020-9369 (Sympa 6.2.38 through 6.2.52 allows remote attackers to cause a denial ...)
+ TODO: check
+CVE-2020-9368
+ RESERVED
+CVE-2020-9367
+ RESERVED
+CVE-2020-9365 (An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OOB) re ...)
+ TODO: check
+CVE-2020-9364
+ RESERVED
+CVE-2020-9363 (The Sophos AV parsing engine before 2020-01-14 allows virus-detection ...)
+ TODO: check
+CVE-2020-9362 (The Quick Heal AV parsing engine (November 2019) allows virus-detectio ...)
+ TODO: check
+CVE-2019-20481 (In MIELE XGW 3000 ZigBee Gateway before 2.4.0, the Password Change Fun ...)
+ TODO: check
+CVE-2019-20480 (In MIELE XGW 3000 ZigBee Gateway before 2.4.0, a malicious website vis ...)
+ TODO: check
+CVE-2016-11020 (Kunena before 5.0.4 does not restrict avatar file extensions to gif, j ...)
+ TODO: check
+CVE-2020-9366 (A buffer overflow was found in the way GNU Screen before 4.8.0 treated ...)
- screen 4.8.0-1 (bug #950896)
NOTE: https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html
NOTE: https://www.openwall.com/lists/oss-security/2020/02/06/3
@@ -1167,8 +1197,7 @@ CVE-2020-8840 (FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain x
NOTE: but still an issue when Default Typing is enabled.
CVE-2020-8839 (Stored XSS was discovered on CHIYU BF-430 232/485 TCP/IP Converter dev ...)
NOT-FOR-US: CHIYU BF-430 232/485 TCP/IP Converter devices
-CVE-2015-9542 [buffer overflow in password field]
- RESERVED
+CVE-2015-9542 (add_password in pam_radius_auth.c in pam_radius 1.4.0 does not correct ...)
{DLA-2116-1}
- libpam-radius-auth 1.4.0-3 (bug #951396)
NOTE: https://github.com/FreeRADIUS/pam_radius/commit/01173ec
@@ -2714,10 +2743,10 @@ CVE-2020-8133
RESERVED
CVE-2020-8132
RESERVED
-CVE-2020-8131
- RESERVED
-CVE-2020-8130
- RESERVED
+CVE-2020-8131 (Arbitrary filesystem write vulnerability in Yarn 1.21.1 and earlier al ...)
+ TODO: check
+CVE-2020-8130 (There is an OS command injection vulnerability in Ruby Rake < 12.3. ...)
+ TODO: check
CVE-2020-8129 (An unintended require vulnerability in script-manager npm package vers ...)
NOT-FOR-US: script-manager nodejs module
CVE-2020-8128 (An unintended require and server-side request forgery vulnerabilities ...)
@@ -9125,10 +9154,10 @@ CVE-2020-5247
RESERVED
CVE-2020-5246
RESERVED
-CVE-2020-5245
- RESERVED
-CVE-2020-5244
- RESERVED
+CVE-2020-5245 (Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary cod ...)
+ TODO: check
+CVE-2020-5244 (In BuddyPress before 5.1.2, requests to a certain REST API endpoint ca ...)
+ TODO: check
CVE-2020-5243 (uap-core before 0.7.3 is vulnerable to a denial of service attack when ...)
TODO: check
CVE-2020-5242 (openHAB before 2.5.2 allow a remote attacker to use REST calls to inst ...)
@@ -9513,12 +9542,12 @@ CVE-2020-5190
RESERVED
CVE-2020-5189
RESERVED
-CVE-2020-5188
- RESERVED
-CVE-2020-5187
- RESERVED
-CVE-2020-5186
- RESERVED
+CVE-2020-5188 (DNN (formerly DotNetNuke) through 9.4.4 has Insecure Permissions. ...)
+ TODO: check
+CVE-2020-5187 (DNN (formerly DotNetNuke) through 9.4.4 allows Path Traversal (issue 2 ...)
+ TODO: check
+CVE-2020-5186 (DNN (formerly DotNetNuke) through 9.4.4 allows XSS (issue 1 of 2). ...)
+ TODO: check
CVE-2020-5185
RESERVED
CVE-2020-5184
@@ -11666,8 +11695,8 @@ CVE-2020-4224 (IBM StoredIQ 7.6.0.17 through 7.6.0.20 could disclose sensitive i
NOT-FOR-US: IBM
CVE-2020-4223
RESERVED
-CVE-2020-4222
- RESERVED
+CVE-2020-4222 (IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attac ...)
+ TODO: check
CVE-2020-4221
RESERVED
CVE-2020-4220
@@ -11684,14 +11713,14 @@ CVE-2020-4215
RESERVED
CVE-2020-4214
RESERVED
-CVE-2020-4213
- RESERVED
-CVE-2020-4212
- RESERVED
-CVE-2020-4211
- RESERVED
-CVE-2020-4210
- RESERVED
+CVE-2020-4213 (IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attac ...)
+ TODO: check
+CVE-2020-4212 (IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attac ...)
+ TODO: check
+CVE-2020-4211 (IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attac ...)
+ TODO: check
+CVE-2020-4210 (IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attac ...)
+ TODO: check
CVE-2020-4209
RESERVED
CVE-2020-4208
@@ -12505,8 +12534,8 @@ CVE-2019-20046 (The Synergy Systems & Solutions PLC & RTU system has a v
NOT-FOR-US: Synergy Systems & Solutions PLC & RTU system
CVE-2019-20045 (The Synergy Systems & Solutions PLC & RTU system has a vulnera ...)
NOT-FOR-US: Synergy Systems & Solutions PLC & RTU system
-CVE-2019-20044 [insecure dropping of privileges when unsetting PRIVILEGED option]
- RESERVED
+CVE-2019-20044 (In Zsh before 5.8, attackers able to execute commands can regain privi ...)
+ {DLA-2117-1}
- zsh 5.8-1 (bug #951458)
[buster] - zsh <no-dsa> (Minor issue)
[stretch] - zsh <no-dsa> (Minor issue)
@@ -25533,10 +25562,10 @@ CVE-2019-18185
RESERVED
CVE-2019-18184 (Crestron DMC-STRO 1.0 devices allow remote command execution as root v ...)
NOT-FOR-US: Crestron DMC-STRO 1.0 devices
-CVE-2019-18183
- RESERVED
-CVE-2019-18182
- RESERVED
+CVE-2019-18183 (pacman before 5.2 is vulnerable to arbitrary command injection in lib/ ...)
+ TODO: check
+CVE-2019-18182 (pacman before 5.2 is vulnerable to arbitrary command injection in conf ...)
+ TODO: check
CVE-2019-18181 (In CloudVision Portal all releases in the 2018.1 and 2018.2 Code train ...)
NOT-FOR-US: CloudVision Portal
CVE-2019-18180 (Improper Check for filenames with overly long extensions in PostMaster ...)
@@ -27876,10 +27905,10 @@ CVE-2019-17231
RESERVED
CVE-2019-17230
RESERVED
-CVE-2019-17229
- RESERVED
-CVE-2019-17228
- RESERVED
+CVE-2019-17229 (includes/options.php in the motors-car-dealership-classified-listings ...)
+ TODO: check
+CVE-2019-17228 (includes/options.php in the motors-car-dealership-classified-listings ...)
+ TODO: check
CVE-2019-17227
RESERVED
CVE-2019-17226 (CMS Made Simple (CMSMS) 2.2.11 allows XSS via the Site Admin > Modu ...)
@@ -30732,7 +30761,7 @@ CVE-2019-16231 (drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not
NOTE: https://lkml.org/lkml/2019/9/9/487
NOTE: Requires memory allocation failure during device probe, so unlikely to
NOTE: be exploitable, and then it's only a local DoS.
-CVE-2019-16230 (drivers/gpu/drm/radeon/radeon_display.c in the Linux kernel 5.2.14 doe ...)
+CVE-2019-16230 (** DISPUTED ** drivers/gpu/drm/radeon/radeon_display.c in the Linux ke ...)
- linux <unfixed> (unimportant)
NOTE: https://lkml.org/lkml/2019/9/9/487
NOTE: Requires memory allocation failure during device probe, so unlikely to
@@ -33432,8 +33461,8 @@ CVE-2019-15301 (A SQL injection vulnerability in the method Terrasoft.Core.DB.Co
NOT-FOR-US: Terrasoft Bpm'online CRM-System SDK
CVE-2019-15300 (A problem was found in Centreon Web through 19.04.3. An authenticated ...)
- centreon-web <itp> (bug #913903)
-CVE-2019-15299
- RESERVED
+CVE-2019-15299 (An issue was discovered in Centreon Web through 19.04.3. When a user c ...)
+ TODO: check
CVE-2019-15298 (A problem was found in Centreon Web through 19.04.3. An authenticated ...)
- centreon-web <itp> (bug #913903)
CVE-2019-15297 (res_pjsip_t38 in Sangoma Asterisk 13.21-cert4, 15.7.3, and 16.5.0 allo ...)
@@ -43219,14 +43248,14 @@ CVE-2019-12515 (There is an out-of-bounds read vulnerability in the function Fla
NOTE: https://github.com/PanguL4b/pocs/tree/master/xpdf/out-of-bounds-read-in-FlateStream__getChar
CVE-2019-12514
RESERVED
-CVE-2019-12513
- RESERVED
-CVE-2019-12512
- RESERVED
-CVE-2019-12511
- RESERVED
-CVE-2019-12510
- RESERVED
+CVE-2019-12513 (In NETGEAR Nighthawk X10-R900 prior to 1.0.4.24, by sending a DHCP dis ...)
+ TODO: check
+CVE-2019-12512 (In NETGEAR Nighthawk X10-R900 prior to 1.0.4.24, an attacker may execu ...)
+ TODO: check
+CVE-2019-12511 (In NETGEAR Nighthawk X10-R900 prior to 1.0.4.26, an attacker may execu ...)
+ TODO: check
+CVE-2019-12510 (In NETGEAR Nighthawk X10-R900 prior to 1.0.4.26, an attacker may bypas ...)
+ TODO: check
CVE-2019-12509
RESERVED
CVE-2019-12508
@@ -46842,7 +46871,7 @@ CVE-2019-11269 (Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to
CVE-2019-11268 (Cloud Foundry UAA version prior to 73.3.0, contain endpoints that cont ...)
NOT-FOR-US: Cloud Foundry UAA
CVE-2019-11358 (jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other produc ...)
- {DSA-4460-1 DSA-4434-1 DLA-1797-1 DLA-1777-1}
+ {DSA-4460-1 DSA-4434-1 DLA-2118-1 DLA-1797-1 DLA-1777-1}
- drupal7 <removed> (bug #927330)
- jquery 3.3.1~dfsg-2 (bug #927385)
[stretch] - jquery 3.1.1-2+deb9u1
@@ -48147,14 +48176,14 @@ CVE-2019-10801
RESERVED
CVE-2019-10800
RESERVED
-CVE-2019-10799
- RESERVED
-CVE-2019-10798
- RESERVED
+CVE-2019-10799 (compile-sass prior to 1.0.5 allows execution of arbritary commands. Th ...)
+ TODO: check
+CVE-2019-10798 (rdf-graph-array through 0.3.0-rc6 manipulation of JavaScript objects r ...)
+ TODO: check
CVE-2019-10797 (Netty in WSO2 transport-http before v6.3.1 is vulnerable to HTTP Respo ...)
TODO: check
-CVE-2019-10796
- RESERVED
+CVE-2019-10796 (rpi through 0.0.3 allows execution of arbritary commands. The variable ...)
+ TODO: check
CVE-2019-10795 (undefsafe before 2.0.3 is vulnerable to Prototype Pollution. The 'a' f ...)
NOT-FOR-US: undefsafe
CVE-2019-10794 (All versions of component-flatten are vulnerable to Prototype Pollutio ...)
@@ -64981,8 +65010,8 @@ CVE-2019-4747
RESERVED
CVE-2019-4746
RESERVED
-CVE-2019-4745
- RESERVED
+CVE-2019-4745 (IBM Maximo Asset Management 7.6.1.0 could allow a remote attacker to d ...)
+ TODO: check
CVE-2019-4744 (IBM Financial Transaction Manager 3.0 is vulnerable to cross-site scri ...)
NOT-FOR-US: IBM
CVE-2019-4743 (IBM Financial Transaction Manager 3.0 does not set the secure attribut ...)
@@ -65065,8 +65094,8 @@ CVE-2019-4705
RESERVED
CVE-2019-4704
RESERVED
-CVE-2019-4703
- RESERVED
+CVE-2019-4703 (IBM Spectrum Protect Plus 10.1.0 and 10.5.0, when protecting Microsoft ...)
+ TODO: check
CVE-2019-4702
RESERVED
CVE-2019-4701
@@ -65281,8 +65310,8 @@ CVE-2019-4597
RESERVED
CVE-2019-4596
RESERVED
-CVE-2019-4595
- RESERVED
+CVE-2019-4595 (IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 c ...)
+ TODO: check
CVE-2019-4594
RESERVED
CVE-2019-4593
@@ -67445,8 +67474,8 @@ CVE-2019-3672
RESERVED
CVE-2019-3671
RESERVED
-CVE-2019-3670
- RESERVED
+CVE-2019-3670 (Remote Code Execution vulnerability in the web interface in McAfee Web ...)
+ TODO: check
CVE-2019-3669
RESERVED
CVE-2019-3668
@@ -91256,8 +91285,8 @@ CVE-2018-14707 (Directory traversal in the Drobo Pix web application on Drobo 5N
NOT-FOR-US: Drobo Pix web application on Drobo 5N2 NAS
CVE-2018-14706 (System command injection in the /DroboPix/api/drobopix/demo endpoint o ...)
NOT-FOR-US: Drobo 5N2 NAS
-CVE-2018-14705
- RESERVED
+CVE-2018-14705 (In Drobo 5N2 4.0.5, all optional applications lack any form of authent ...)
+ TODO: check
CVE-2018-14704 (Cross-site scripting in the MySQL API error page in Drobo 5N2 NAS vers ...)
NOT-FOR-US: Drobo 5N2 NAS
CVE-2018-14703 (Incorrect access control in the /mysql/api/droboapp/data endpoint in D ...)
@@ -94913,8 +94942,8 @@ CVE-2018-13315 (Incorrect access control in formPasswordSetup in TOTOLINK A3002R
NOT-FOR-US: TOTOLINK
CVE-2018-13314 (System command injection in formAliasIp in TOTOLINK A3002RU version 1. ...)
NOT-FOR-US: TOTOLINK
-CVE-2018-13313
- RESERVED
+CVE-2018-13313 (In TOTOLINK A3002RU 1.0.8, the router provides a page that allows the ...)
+ TODO: check
CVE-2018-13312 (Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0 ...)
NOT-FOR-US: TOTOLINK
CVE-2018-13311 (System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 ...)
@@ -302713,8 +302742,7 @@ CVE-2011-4696 (Directory traversal vulnerability in Eye-Fi Helper before 3.4.23
NOT-FOR-US: Eye-Fi Helper
CVE-2010-5075 (Integer overflow in aswFW.sys 5.0.594.0 in Avast! Internet Security 5. ...)
NOT-FOR-US: Avast! Internet Security
-CVE-2012-0785 [Jenkins and hash collision attack]
- RESERVED
+CVE-2012-0785 (Hash collision attack vulnerability in Jenkins before 1.447, Jenkins L ...)
- jenkins-winstone 0.9.10-jenkins-31+dfsg-1 (bug #655553)
- jenkins-executable-war 1.25-1 (bug #655554)
- jenkins 1.409.3+dfsg-2
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7c896cbcb8a91687b2044e92fa9a134fde96532
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7c896cbcb8a91687b2044e92fa9a134fde96532
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200224/7127b785/attachment-0001.html>
More information about the debian-security-tracker-commits
mailing list