[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Fri Jan 24 08:10:24 GMT 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1bd192e8 by security tracker role at 2020-01-24T08:10:17+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,27 @@
+CVE-2020-7946
+	RESERVED
+CVE-2020-7945
+	RESERVED
+CVE-2020-7944
+	RESERVED
+CVE-2020-7943
+	RESERVED
+CVE-2020-7942
+	RESERVED
+CVE-2020-7941 (A privilege escalation issue in plone.app.contenttypes in Plone 4.3 th ...)
+	TODO: check
+CVE-2020-7940 (Missing password strength checks on some forms in Plone 4.3 through 5. ...)
+	TODO: check
+CVE-2020-7939 (SQL Injection in DTML or in connection objects in Plone 4.0 through 5. ...)
+	TODO: check
+CVE-2020-7938 (plone.restapi in Plone 5.2.0 through 5.2.1 allows users with a certain ...)
+	TODO: check
+CVE-2020-7937 (An XSS issue in the title field in Plone 5.0 through 5.2.1 allows user ...)
+	TODO: check
+CVE-2020-7936 (An open redirect on the login form (and possibly other places) in Plon ...)
+	TODO: check
+CVE-2020-7935
+	RESERVED
 CVE-2020-7934
 	RESERVED
 CVE-2020-7933
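Review bot: the six Plone entries (CVE-2020-7936 through CVE-2020-7941) all land as `TODO: check` and share one affected-product range (Plone 4.x through 5.2.1), so they should be triaged as a batch with one consistent resolution (a package line, or a single `NOT-FOR-US: Plone` for all six) rather than being closed piecemeal. The surrounding `RESERVED` placeholders (CVE-2020-7935 and CVE-2020-7942 through CVE-2020-7946) are correct as-is until descriptions are published.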
@@ -1470,8 +1494,8 @@ CVE-2020-7247
 	RESERVED
 CVE-2020-7246 (A remote code execution (RCE) vulnerability exists in qdPM 9.1 and ear ...)
 	NOT-FOR-US: qdPM
-CVE-2020-7245
-	RESERVED
+CVE-2020-7245 (Incorrect username validation in the registration processes of CTFd th ...)
+	TODO: check
 CVE-2020-7244 (Comtech Stampede FX-1010 7.4.3 devices allow remote authenticated admi ...)
 	NOT-FOR-US: Comtech Stampede FX-1010 devices
 CVE-2020-7243 (Comtech Stampede FX-1010 7.4.3 devices allow remote authenticated admi ...)
@@ -4123,8 +4147,8 @@ CVE-2020-6009
 	RESERVED
 CVE-2020-6008
 	RESERVED
-CVE-2020-6007
-	RESERVED
+CVE-2020-6007 (Philips Hue Bridge model 2.X prior to and including version 1935144020 ...)
+	TODO: check
 CVE-2020-6006
 	RESERVED
 CVE-2020-6005
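Review bot: the description for CVE-2020-6007 names Philips Hue Bridge firmware, a device image rather than anything built from a Debian source package; following how this file marks other appliance firmware (the Comtech Stampede FX-1010 entries in the previous hunk carry `NOT-FOR-US: ...`), the `TODO: check` can likely be resolved as `NOT-FOR-US: Philips Hue Bridge` once confirmed.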
@@ -9502,18 +9526,18 @@ CVE-2019-19900 (An issue was discovered in Backdrop CMS 1.13.x before 1.13.5 and
 	- backdrop <itp> (bug #914257)
 CVE-2019-19899 (Pebble Templates 3.1.2 allows attackers to bypass a protection mechani ...)
 	NOT-FOR-US: Pebble Templates
-CVE-2019-19898
-	RESERVED
-CVE-2019-19897
-	RESERVED
-CVE-2019-19896
-	RESERVED
-CVE-2019-19895
-	RESERVED
-CVE-2019-19894
-	RESERVED
-CVE-2019-19893
-	RESERVED
+CVE-2019-19898 (In IXP EasyInstall 6.2.13723, there are cleartext credentials in netwo ...)
+	TODO: check
+CVE-2019-19897 (In IXP EasyInstall 6.2.13723, there is Remote Code Execution via the A ...)
+	TODO: check
+CVE-2019-19896 (In IXP EasyInstall 6.2.13723, there is Remote Code Execution via weak  ...)
+	TODO: check
+CVE-2019-19895 (In IXP EasyInstall 6.2.13723, there is Lateral Movement (using the Age ...)
+	TODO: check
+CVE-2019-19894 (In IXP EasyInstall 6.2.13723, it is possible to temporarily disable UA ...)
+	TODO: check
+CVE-2019-19893 (In IXP EasyInstall 6.2.13723, there is Directory Traversal on TCP port ...)
+	TODO: check
 CVE-2019-19892
 	RESERVED
 CVE-2019-19891 (An encryption key vulnerability on Mitel SIP-DECT wireless devices 8.0 ...)
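Review bot: all six IXP EasyInstall entries (CVE-2019-19893 through CVE-2019-19898) name the same product and build (6.2.13723) and are left as `TODO: check`; they should be resolved together with one consistent status. The truncated descriptions (cleartext credentials, remote code execution, lateral movement via the agent, a UAC bypass, directory traversal on a TCP port) describe a Windows endpoint-management product, which points to `NOT-FOR-US` unless a Debian package ships it.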
@@ -23114,8 +23138,7 @@ CVE-2019-17571 (Included in Log4j 1.2 is a SocketServer class that is vulnerable
 	NOTE: is end-of-life upstream and does not recieve a fix for this issue. Users
 	NOTE: should upgrade to Log4j 2.x.
 	NOTE: Fixed by https://src.fedoraproject.org/rpms/log4j12/c/d4c817c458d69dcc629a7271999d178b0dcb7c74?branch=master
-CVE-2019-17570 [untrusted deserialization]
-	RESERVED
+CVE-2019-17570 (An untrusted deserialization was found in the org.apache.xmlrpc.parser ...)
 	- libxmlrpc3-java <unfixed> (bug #949089)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/01/16/1
 	NOTE: Proposed patch: https://bugzilla.redhat.com/show_bug.cgi?id=1775193
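Review bot: dropping the `RESERVED` line for CVE-2019-17570 is correct now that the public description replaces the bracketed working title, and the existing `- libxmlrpc3-java <unfixed> (bug #949089)` line plus the oss-security and bugzilla NOTEs are retained, so the tracking state is unchanged. Minor nit in the unchanged Log4j context just above this change: `does not recieve a fix` should read `receive`.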
@@ -28126,11 +28149,13 @@ CVE-2019-15797
 	RESERVED
 CVE-2019-15796 [python-apt: Check that repository is trusted before downloading from it]
 	RESERVED
+	{DSA-4609-1 DLA-2074-1}
 	- python-apt 1.8.5
 	NOTE: https://salsa.debian.org/apt-team/python-apt/commit/b4eef110b7ba4fb21cc0dd92585756f50e0100c9 (1.8.5)
 	NOTE: https://salsa.debian.org/apt-team/python-apt/commit/e3321eb9792bf3b4cace4cee47dc6da00fbee929 (1.8.5)
 CVE-2019-15795 [python-apt: Do not use MD5 for verifying downloads]
 	RESERVED
+	{DSA-4609-1 DLA-2074-1}
 	- python-apt 1.8.5
 	NOTE: https://salsa.debian.org/apt-team/python-apt/commit/e175130e51c2b0424f3dfeb825e3dc598fec1a24 (1.8.5)
 CVE-2019-15794
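Review bot: the added `{DSA-4609-1 DLA-2074-1}` lines for CVE-2019-15795 and CVE-2019-15796 sit between the status line and the `- python-apt 1.8.5` package line, which matches the placement used elsewhere in this file (for example the `{DSA-3349-1 DSA-3348-1}` line under CVE-2015-5745). Both entries still read `RESERVED` with bracketed working titles even though advisories have been issued; nothing to fix in this hunk, but the public descriptions should be picked up by a later automatic update once they are published.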
@@ -31134,8 +31159,7 @@ CVE-2019-14887
 CVE-2019-14886
 	RESERVED
 	NOT-FOR-US: Business central
-CVE-2019-14885
-	RESERVED
+CVE-2019-14885 (A flaw was found in the JBoss EAP Vault system in all versions before  ...)
 	NOT-FOR-US: JBoss EAP
 CVE-2019-14884
 	RESERVED
@@ -218889,8 +218913,7 @@ CVE-2015-5957 (Buffer overflow in the DumpSysVar function in var.c in Remind bef
 	{DLA-289-1}
 	- remind 03.01.15-1 (unimportant)
 	NOTE: Non-exploitable starting with Wheezy due to D_FORTIFY_SOURCE
-CVE-2015-5745 [buffer overflow in virtio-serial]
-	RESERVED
+CVE-2015-5745 (Buffer overflow in the send_control_msg function in hw/char/virtio-ser ...)
 	{DSA-3349-1 DSA-3348-1}
 	- qemu 1:2.4+dfsg-1a (bug #795087)
 	[wheezy] - qemu 1.1.2+dfsg-6a+deb7u9
@@ -220204,11 +220227,9 @@ CVE-2015-5336 (Multiple cross-site scripting (XSS) vulnerabilities in the survey
 CVE-2015-5335 (Cross-site request forgery (CSRF) vulnerability in admin/registration/ ...)
 	- moodle 2.7.11+dfsg-1
 	[squeeze] - moodle <end-of-life> (Unsupported in squeeze-lts)
-CVE-2015-5334
-	RESERVED
+CVE-2015-5334 (Off-by-one error in the OBJ_obj2txt function in LibreSSL before 2.3.1  ...)
 	- libressl <itp> (bug #754513)
-CVE-2015-5333
-	RESERVED
+CVE-2015-5333 (Memory leak in the OBJ_obj2txt function in LibreSSL before 2.3.1 allow ...)
 	- libressl <itp> (bug #754513)
 CVE-2015-5332 (Atto in Moodle 2.8.x before 2.8.9 and 2.9.x before 2.9.3 allows remote ...)
 	- moodle <not-affected> (Only affects 2.8 and later)
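Review bot: both CVE-2015-5333 and CVE-2015-5334 keep `- libressl <itp> (bug #754513)`, so the tracking state does not change with the new descriptions. Since both descriptions say "in LibreSSL before 2.3.1", it is worth confirming during triage that the OBJ_obj2txt off-by-one and memory leak are specific to LibreSSL's implementation and do not also need an entry against the openssl package.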
@@ -220459,8 +220480,7 @@ CVE-2015-5279 (Heap-based buffer overflow in the ne2000_receive function in hw/n
 	- qemu-kvm <removed>
 	[squeeze] - qemu-kvm <end-of-life> (Not supported in Squeeze LTS)
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2015-09/msg03984.html
-CVE-2015-5278 [net: avoid infinite loop when receiving packets]
-	RESERVED
+CVE-2015-5278 (The ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1  ...)
 	{DSA-3362-1 DSA-3361-1}
 	- qemu 1:2.4+dfsg-3 (bug #799073)
 	[squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS)
@@ -220617,8 +220637,7 @@ CVE-2015-5240 (Race condition in OpenStack Neutron before 2014.2.4 and 2015.1 be
 	- neutron 1:7.0.0-1
 	[jessie] - neutron <no-dsa> (Minor issue)
 	NOTE: versions through 2014.2.3 and 2015.1 versions through 2015.1.1
-CVE-2015-5239 [Integer overflow in vnc_client_read() and protocol_client_msg()]
-	RESERVED
+CVE-2015-5239 (Integer overflow in the VNC display driver in QEMU before 2.1.0 allows ...)
 	{DLA-574-1 DLA-573-1}
 	- qemu 2.1+dfsg-1
 	[squeeze] - qemu <end-of-life> (Not supported in Squeeze LTS)
@@ -238847,8 +238866,8 @@ CVE-2012-6665 (Directory traversal vulnerability in index.php in phpMoneyBooks 1
 	NOT-FOR-US: phpMoneyBooks
 CVE-2012-6664
 	RESERVED
-CVE-2012-6663
-	RESERVED
+CVE-2012-6663 (General Electric D20ME devices are not properly configured and reveal  ...)
+	TODO: check
 CVE-2014-8988 (MantisBT before 1.2.18 allows remote authenticated users to bypass the ...)
 	{DSA-3120-1}
 	- mantis <removed>
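Review bot: CVE-2012-6663 describes General Electric D20ME devices (industrial controller hardware) and is left as `TODO: check`; by this file's convention for appliance and device firmware it should resolve to a `NOT-FOR-US` line rather than stay open. Its placement between CVE-2012-6664 and CVE-2014-8988 is consistent with the neighbouring entries, so no reordering is needed.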
@@ -249036,8 +249055,8 @@ CVE-2014-4644 (SQL injection vulnerability in superlinks.php in the superlinks p
 	NOT-FOR-US: Cacti plugin superlinks
 CVE-2014-4643 (Multiple heap-based buffer overflows in the client in Core FTP LE 2.2  ...)
 	NOT-FOR-US: Core FTP client
-CVE-2012-6649
-	RESERVED
+CVE-2012-6649 (WordPress WP GPX Maps Plugin 1.1.21 allows remote attackers to execute ...)
+	TODO: check
 CVE-2014-4721 (The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 ...)
 	{DSA-2974-1 DLA-0018-1}
 	- php5 5.6.0~rc1+dfsg-2 (low)
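Review bot: CVE-2012-6649 is a standalone WordPress plugin issue (WP GPX Maps) left as `TODO: check`; this file marks other standalone WordPress plugins `NOT-FOR-US` (see `NOT-FOR-US: White Label CMS` for the wlcms-plugin entries later in this patch), so the same resolution applies unless the plugin turns out to be shipped in a Debian package. The 2012 id sitting between CVE-2014-4643 and CVE-2014-4721 matches the surrounding ordering, as with CVE-2012-6663 in the previous hunk.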
@@ -277019,8 +277038,8 @@ CVE-2013-1595
 	RESERVED
 CVE-2013-1594
 	RESERVED
-CVE-2013-1593
-	RESERVED
+CVE-2013-1593 (A Denial of Service vulnerability exists in the WRITE_C function in th ...)
+	TODO: check
 CVE-2013-1592 (A Buffer Overflow vulnerability exists in the Message Server service _ ...)
 	NOT-FOR-US: SAP
 CVE-2013-1591 (Stack-based buffer overflow in libpixman, as used in Pale Moon before  ...)
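Review bot: the description for CVE-2013-1593 is truncated (`WRITE_C function in th ...`), but the adjacent CVE-2013-1592 entry concerns the SAP Message Server and is marked `NOT-FOR-US: SAP`; check whether 1593 concerns the same SAP component and, if so, close the `TODO: check` the same way.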
@@ -284139,8 +284158,8 @@ CVE-2012-5391 (Session fixation vulnerability in Special:UserLogin in MediaWiki
 CVE-2012-5390 (The standard universe shadow (condor_shadow.std) component in Condor 7 ...)
 	- condor <not-affected> (standard universe is disabled in the Debian package, see bug #697936)
 	NOTE: http://research.cs.wisc.edu/htcondor/security/vulnerabilities/CONDOR-2012-0003.html
-CVE-2012-5389
-	RESERVED
+CVE-2012-5389 (NULL Pointer Dereference in PowerTCP WebServer for ActiveX 1.9.2 and e ...)
+	TODO: check
 CVE-2012-5388 (Cross-site scripting (XSS) vulnerability in wlcms-plugin.php in the Wh ...)
 	NOT-FOR-US: White Label CMS
 CVE-2012-5387 (Cross-site request forgery (CSRF) vulnerability in wlcms-plugin.php in ...)
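Review bot: CVE-2012-5389 (NULL pointer dereference in PowerTCP WebServer for ActiveX) concerns an ActiveX component, i.e. a Windows-only product; the `TODO: check` should resolve to `NOT-FOR-US: PowerTCP WebServer` unless a Debian package is found that ships it.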
@@ -284287,8 +284306,8 @@ CVE-2011-5210 (Directory traversal vulnerability in admin/preview.php in Limny 3
 	NOT-FOR-US: Limny
 CVE-2011-5209 (Cross-site scripting (XSS) vulnerability in search/ in GraphicsClone S ...)
 	NOT-FOR-US: GraphicsClone
-CVE-2012-5340
-	RESERVED
+CVE-2012-5340 (SumatraPDF 2.1.1/MuPDF 1.0 allows remote attackers to cause an Integer ...)
+	TODO: check
 CVE-2012-5339 (Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5. ...)
 	- phpmyadmin <not-affected> (Only affects 3.5.x, not packaged yet, see #691728)
 CVE-2012-5338 (Open redirect vulnerability in JForum 2.1.9 allows remote attackers to ...)
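Review bot: CVE-2012-5340 should not be closed as `NOT-FOR-US` on the SumatraPDF name alone: the description also names MuPDF 1.0, and Debian ships MuPDF as the `mupdf` source package, so the `TODO: check` needs a look at whether the integer overflow lives in MuPDF code and which mupdf versions are affected before a status is set.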
@@ -286349,8 +286368,8 @@ CVE-2009-5123 (The Antivirus component in Comodo Internet Security before 3.11.1
 	NOT-FOR-US: Comodo Internet Security
 CVE-2012-4667 (Multiple cross-site scripting (XSS) vulnerabilities in SquidClamav 5.x ...)
 	- squidclamav <removed> (bug #685398)
-CVE-2012-4606
-	RESERVED
+CVE-2012-4606 (Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Cri ...)
+	TODO: check
 CVE-2011-5117 (Sophos SafeGuard Enterprise Device Encryption 5.x through 5.50.8.13, S ...)
 	NOT-FOR-US: Sophos SafeGuard
 CVE-2011-5116 (SQL injection vulnerability in setseed-hub in SetSeed CMS 5.8.20, 5.11 ...)
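Review bot: CVE-2012-4606 names Citrix XenServer releases, a commercial product, but XenServer is built on the Xen hypervisor that Debian packages as `xen`; before resolving the `TODO: check` as `NOT-FOR-US: Citrix XenServer`, confirm the issue is in Citrix-specific code rather than in upstream Xen.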



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1bd192e880689123c96489acb240c35ea45a1a29


