[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Mon Feb 24 20:10:30 GMT 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c7c896cb by security tracker role at 2020-02-24T20:10:22+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,4 +1,34 @@
-CVE-2020-9366
+CVE-2020-9374 (On TP-Link TL-WR849N 0.9.1 4.16 devices, a remote command execution vu ...)
+	TODO: check
+CVE-2020-9373
+	RESERVED
+CVE-2020-9372
+	RESERVED
+CVE-2020-9371
+	RESERVED
+CVE-2020-9370
+	RESERVED
+CVE-2020-9369 (Sympa 6.2.38 through 6.2.52 allows remote attackers to cause a denial  ...)
+	TODO: check
+CVE-2020-9368
+	RESERVED
+CVE-2020-9367
+	RESERVED
+CVE-2020-9365 (An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OOB) re ...)
+	TODO: check
+CVE-2020-9364
+	RESERVED
+CVE-2020-9363 (The Sophos AV parsing engine before 2020-01-14 allows virus-detection  ...)
+	TODO: check
+CVE-2020-9362 (The Quick Heal AV parsing engine (November 2019) allows virus-detectio ...)
+	TODO: check
+CVE-2019-20481 (In MIELE XGW 3000 ZigBee Gateway before 2.4.0, the Password Change Fun ...)
+	TODO: check
+CVE-2019-20480 (In MIELE XGW 3000 ZigBee Gateway before 2.4.0, a malicious website vis ...)
+	TODO: check
+CVE-2016-11020 (Kunena before 5.0.4 does not restrict avatar file extensions to gif, j ...)
+	TODO: check
+CVE-2020-9366 (A buffer overflow was found in the way GNU Screen before 4.8.0 treated ...)
 	- screen 4.8.0-1 (bug #950896)
 	NOTE: https://lists.gnu.org/archive/html/screen-devel/2020-02/msg00007.html
 	NOTE: https://www.openwall.com/lists/oss-security/2020/02/06/3
@@ -1167,8 +1197,7 @@ CVE-2020-8840 (FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain x
 	NOTE: but still an issue when Default Typing is enabled.
 CVE-2020-8839 (Stored XSS was discovered on CHIYU BF-430 232/485 TCP/IP Converter dev ...)
 	NOT-FOR-US: CHIYU BF-430 232/485 TCP/IP Converter devices
-CVE-2015-9542 [buffer overflow in password field]
-	RESERVED
+CVE-2015-9542 (add_password in pam_radius_auth.c in pam_radius 1.4.0 does not correct ...)
 	{DLA-2116-1}
 	- libpam-radius-auth 1.4.0-3 (bug #951396)
 	NOTE: https://github.com/FreeRADIUS/pam_radius/commit/01173ec
@@ -2714,10 +2743,10 @@ CVE-2020-8133
 	RESERVED
 CVE-2020-8132
 	RESERVED
-CVE-2020-8131
-	RESERVED
-CVE-2020-8130
-	RESERVED
+CVE-2020-8131 (Arbitrary filesystem write vulnerability in Yarn 1.21.1 and earlier al ...)
+	TODO: check
+CVE-2020-8130 (There is an OS command injection vulnerability in Ruby Rake < 12.3. ...)
+	TODO: check
 CVE-2020-8129 (An unintended require vulnerability in script-manager npm package vers ...)
 	NOT-FOR-US: script-manager nodejs module
 CVE-2020-8128 (An unintended require and server-side request forgery vulnerabilities  ...)
@@ -9125,10 +9154,10 @@ CVE-2020-5247
 	RESERVED
 CVE-2020-5246
 	RESERVED
-CVE-2020-5245
-	RESERVED
-CVE-2020-5244
-	RESERVED
+CVE-2020-5245 (Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary cod ...)
+	TODO: check
+CVE-2020-5244 (In BuddyPress before 5.1.2, requests to a certain REST API endpoint ca ...)
+	TODO: check
 CVE-2020-5243 (uap-core before 0.7.3 is vulnerable to a denial of service attack when ...)
 	TODO: check
 CVE-2020-5242 (openHAB before 2.5.2 allow a remote attacker to use REST calls to inst ...)
@@ -9513,12 +9542,12 @@ CVE-2020-5190
 	RESERVED
 CVE-2020-5189
 	RESERVED
-CVE-2020-5188
-	RESERVED
-CVE-2020-5187
-	RESERVED
-CVE-2020-5186
-	RESERVED
+CVE-2020-5188 (DNN (formerly DotNetNuke) through 9.4.4 has Insecure Permissions. ...)
+	TODO: check
+CVE-2020-5187 (DNN (formerly DotNetNuke) through 9.4.4 allows Path Traversal (issue 2 ...)
+	TODO: check
+CVE-2020-5186 (DNN (formerly DotNetNuke) through 9.4.4 allows XSS (issue 1 of 2). ...)
+	TODO: check
 CVE-2020-5185
 	RESERVED
 CVE-2020-5184
@@ -11666,8 +11695,8 @@ CVE-2020-4224 (IBM StoredIQ 7.6.0.17 through 7.6.0.20 could disclose sensitive i
 	NOT-FOR-US: IBM
 CVE-2020-4223
 	RESERVED
-CVE-2020-4222
-	RESERVED
+CVE-2020-4222 (IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attac ...)
+	TODO: check
 CVE-2020-4221
 	RESERVED
 CVE-2020-4220
@@ -11684,14 +11713,14 @@ CVE-2020-4215
 	RESERVED
 CVE-2020-4214
 	RESERVED
-CVE-2020-4213
-	RESERVED
-CVE-2020-4212
-	RESERVED
-CVE-2020-4211
-	RESERVED
-CVE-2020-4210
-	RESERVED
+CVE-2020-4213 (IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attac ...)
+	TODO: check
+CVE-2020-4212 (IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attac ...)
+	TODO: check
+CVE-2020-4211 (IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attac ...)
+	TODO: check
+CVE-2020-4210 (IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attac ...)
+	TODO: check
 CVE-2020-4209
 	RESERVED
 CVE-2020-4208
@@ -12505,8 +12534,8 @@ CVE-2019-20046 (The Synergy Systems & Solutions PLC & RTU system has a v
 	NOT-FOR-US: Synergy Systems & Solutions PLC & RTU system
 CVE-2019-20045 (The Synergy Systems & Solutions PLC & RTU system has a vulnera ...)
 	NOT-FOR-US: Synergy Systems & Solutions PLC & RTU system
-CVE-2019-20044 [insecure dropping of privileges when unsetting PRIVILEGED option]
-	RESERVED
+CVE-2019-20044 (In Zsh before 5.8, attackers able to execute commands can regain privi ...)
+	{DLA-2117-1}
 	- zsh 5.8-1 (bug #951458)
 	[buster] - zsh <no-dsa> (Minor issue)
 	[stretch] - zsh <no-dsa> (Minor issue)
@@ -25533,10 +25562,10 @@ CVE-2019-18185
 	RESERVED
 CVE-2019-18184 (Crestron DMC-STRO 1.0 devices allow remote command execution as root v ...)
 	NOT-FOR-US: Crestron DMC-STRO 1.0 devices
-CVE-2019-18183
-	RESERVED
-CVE-2019-18182
-	RESERVED
+CVE-2019-18183 (pacman before 5.2 is vulnerable to arbitrary command injection in lib/ ...)
+	TODO: check
+CVE-2019-18182 (pacman before 5.2 is vulnerable to arbitrary command injection in conf ...)
+	TODO: check
 CVE-2019-18181 (In CloudVision Portal all releases in the 2018.1 and 2018.2 Code train ...)
 	NOT-FOR-US: CloudVision Portal
 CVE-2019-18180 (Improper Check for filenames with overly long extensions in PostMaster ...)
@@ -27876,10 +27905,10 @@ CVE-2019-17231
 	RESERVED
 CVE-2019-17230
 	RESERVED
-CVE-2019-17229
-	RESERVED
-CVE-2019-17228
-	RESERVED
+CVE-2019-17229 (includes/options.php in the motors-car-dealership-classified-listings  ...)
+	TODO: check
+CVE-2019-17228 (includes/options.php in the motors-car-dealership-classified-listings  ...)
+	TODO: check
 CVE-2019-17227
 	RESERVED
 CVE-2019-17226 (CMS Made Simple (CMSMS) 2.2.11 allows XSS via the Site Admin > Modu ...)
@@ -30732,7 +30761,7 @@ CVE-2019-16231 (drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not
 	NOTE: https://lkml.org/lkml/2019/9/9/487
 	NOTE: Requires memory allocation failure during device probe, so unlikely to
 	NOTE: be exploitable, and then it's only a local DoS.
-CVE-2019-16230 (drivers/gpu/drm/radeon/radeon_display.c in the Linux kernel 5.2.14 doe ...)
+CVE-2019-16230 (** DISPUTED ** drivers/gpu/drm/radeon/radeon_display.c in the Linux ke ...)
 	- linux <unfixed> (unimportant)
 	NOTE: https://lkml.org/lkml/2019/9/9/487
 	NOTE: Requires memory allocation failure during device probe, so unlikely to
@@ -33432,8 +33461,8 @@ CVE-2019-15301 (A SQL injection vulnerability in the method Terrasoft.Core.DB.Co
 	NOT-FOR-US: Terrasoft Bpm'online CRM-System SDK
 CVE-2019-15300 (A problem was found in Centreon Web through 19.04.3. An authenticated  ...)
 	- centreon-web <itp> (bug #913903)
-CVE-2019-15299
-	RESERVED
+CVE-2019-15299 (An issue was discovered in Centreon Web through 19.04.3. When a user c ...)
+	TODO: check
 CVE-2019-15298 (A problem was found in Centreon Web through 19.04.3. An authenticated  ...)
 	- centreon-web <itp> (bug #913903)
 CVE-2019-15297 (res_pjsip_t38 in Sangoma Asterisk 13.21-cert4, 15.7.3, and 16.5.0 allo ...)
@@ -43219,14 +43248,14 @@ CVE-2019-12515 (There is an out-of-bounds read vulnerability in the function Fla
 	NOTE: https://github.com/PanguL4b/pocs/tree/master/xpdf/out-of-bounds-read-in-FlateStream__getChar
 CVE-2019-12514
 	RESERVED
-CVE-2019-12513
-	RESERVED
-CVE-2019-12512
-	RESERVED
-CVE-2019-12511
-	RESERVED
-CVE-2019-12510
-	RESERVED
+CVE-2019-12513 (In NETGEAR Nighthawk X10-R900 prior to 1.0.4.24, by sending a DHCP dis ...)
+	TODO: check
+CVE-2019-12512 (In NETGEAR Nighthawk X10-R900 prior to 1.0.4.24, an attacker may execu ...)
+	TODO: check
+CVE-2019-12511 (In NETGEAR Nighthawk X10-R900 prior to 1.0.4.26, an attacker may execu ...)
+	TODO: check
+CVE-2019-12510 (In NETGEAR Nighthawk X10-R900 prior to 1.0.4.26, an attacker may bypas ...)
+	TODO: check
 CVE-2019-12509
 	RESERVED
 CVE-2019-12508
@@ -46842,7 +46871,7 @@ CVE-2019-11269 (Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to
 CVE-2019-11268 (Cloud Foundry UAA version prior to 73.3.0, contain endpoints that cont ...)
 	NOT-FOR-US: Cloud Foundry UAA
 CVE-2019-11358 (jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other produc ...)
-	{DSA-4460-1 DSA-4434-1 DLA-1797-1 DLA-1777-1}
+	{DSA-4460-1 DSA-4434-1 DLA-2118-1 DLA-1797-1 DLA-1777-1}
 	- drupal7 <removed> (bug #927330)
 	- jquery 3.3.1~dfsg-2 (bug #927385)
 	[stretch] - jquery 3.1.1-2+deb9u1
@@ -48147,14 +48176,14 @@ CVE-2019-10801
 	RESERVED
 CVE-2019-10800
 	RESERVED
-CVE-2019-10799
-	RESERVED
-CVE-2019-10798
-	RESERVED
+CVE-2019-10799 (compile-sass prior to 1.0.5 allows execution of arbritary commands. Th ...)
+	TODO: check
+CVE-2019-10798 (rdf-graph-array through 0.3.0-rc6 manipulation of JavaScript objects r ...)
+	TODO: check
 CVE-2019-10797 (Netty in WSO2 transport-http before v6.3.1 is vulnerable to HTTP Respo ...)
 	TODO: check
-CVE-2019-10796
-	RESERVED
+CVE-2019-10796 (rpi through 0.0.3 allows execution of arbritary commands. The variable ...)
+	TODO: check
 CVE-2019-10795 (undefsafe before 2.0.3 is vulnerable to Prototype Pollution. The 'a' f ...)
 	NOT-FOR-US: undefsafe
 CVE-2019-10794 (All versions of component-flatten are vulnerable to Prototype Pollutio ...)
@@ -64981,8 +65010,8 @@ CVE-2019-4747
 	RESERVED
 CVE-2019-4746
 	RESERVED
-CVE-2019-4745
-	RESERVED
+CVE-2019-4745 (IBM Maximo Asset Management 7.6.1.0 could allow a remote attacker to d ...)
+	TODO: check
 CVE-2019-4744 (IBM Financial Transaction Manager 3.0 is vulnerable to cross-site scri ...)
 	NOT-FOR-US: IBM
 CVE-2019-4743 (IBM Financial Transaction Manager 3.0 does not set the secure attribut ...)
@@ -65065,8 +65094,8 @@ CVE-2019-4705
 	RESERVED
 CVE-2019-4704
 	RESERVED
-CVE-2019-4703
-	RESERVED
+CVE-2019-4703 (IBM Spectrum Protect Plus 10.1.0 and 10.5.0, when protecting Microsoft ...)
+	TODO: check
 CVE-2019-4702
 	RESERVED
 CVE-2019-4701
@@ -65281,8 +65310,8 @@ CVE-2019-4597
 	RESERVED
 CVE-2019-4596
 	RESERVED
-CVE-2019-4595
-	RESERVED
+CVE-2019-4595 (IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 c ...)
+	TODO: check
 CVE-2019-4594
 	RESERVED
 CVE-2019-4593
@@ -67445,8 +67474,8 @@ CVE-2019-3672
 	RESERVED
 CVE-2019-3671
 	RESERVED
-CVE-2019-3670
-	RESERVED
+CVE-2019-3670 (Remote Code Execution vulnerability in the web interface in McAfee Web ...)
+	TODO: check
 CVE-2019-3669
 	RESERVED
 CVE-2019-3668
@@ -91256,8 +91285,8 @@ CVE-2018-14707 (Directory traversal in the Drobo Pix web application on Drobo 5N
 	NOT-FOR-US: Drobo Pix web application on Drobo 5N2 NAS
 CVE-2018-14706 (System command injection in the /DroboPix/api/drobopix/demo endpoint o ...)
 	NOT-FOR-US: Drobo 5N2 NAS
-CVE-2018-14705
-	RESERVED
+CVE-2018-14705 (In Drobo 5N2 4.0.5, all optional applications lack any form of authent ...)
+	TODO: check
 CVE-2018-14704 (Cross-site scripting in the MySQL API error page in Drobo 5N2 NAS vers ...)
 	NOT-FOR-US: Drobo 5N2 NAS
 CVE-2018-14703 (Incorrect access control in the /mysql/api/droboapp/data endpoint in D ...)
@@ -94913,8 +94942,8 @@ CVE-2018-13315 (Incorrect access control in formPasswordSetup in TOTOLINK A3002R
 	NOT-FOR-US: TOTOLINK
 CVE-2018-13314 (System command injection in formAliasIp in TOTOLINK A3002RU version 1. ...)
 	NOT-FOR-US: TOTOLINK
-CVE-2018-13313
-	RESERVED
+CVE-2018-13313 (In TOTOLINK A3002RU 1.0.8, the router provides a page that allows the  ...)
+	TODO: check
 CVE-2018-13312 (Cross-site scripting in notice_gen.htm in TOTOLINK A3002RU version 1.0 ...)
 	NOT-FOR-US: TOTOLINK
 CVE-2018-13311 (System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 ...)
@@ -302713,8 +302742,7 @@ CVE-2011-4696 (Directory traversal vulnerability in Eye-Fi Helper before 3.4.23
 	NOT-FOR-US: Eye-Fi Helper
 CVE-2010-5075 (Integer overflow in aswFW.sys 5.0.594.0 in Avast! Internet Security 5. ...)
 	NOT-FOR-US: Avast! Internet Security
-CVE-2012-0785 [Jenkins and hash collision attack]
-	RESERVED
+CVE-2012-0785 (Hash collision attack vulnerability in Jenkins before 1.447, Jenkins L ...)
 	- jenkins-winstone 0.9.10-jenkins-31+dfsg-1 (bug #655553)
 	- jenkins-executable-war 1.25-1 (bug #655554)
 	- jenkins 1.409.3+dfsg-2



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7c896cbcb8a91687b2044e92fa9a134fde96532

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7c896cbcb8a91687b2044e92fa9a134fde96532
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200224/7127b785/attachment-0001.html>


More information about the debian-security-tracker-commits mailing list