[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Thu Jul 2 21:10:35 BST 2020
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e9becb90 by security tracker role at 2020-07-02T20:10:27+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,21 @@
+CVE-2020-15509
+ RESERVED
+CVE-2020-15508
+ RESERVED
+CVE-2020-15507
+ RESERVED
+CVE-2020-15506
+ RESERVED
+CVE-2020-15505
+ RESERVED
+CVE-2020-15504
+ RESERVED
+CVE-2020-15503 (LibRaw before 0.20-RC1 lacks a thumbnail size range check. This affect ...)
+ TODO: check
+CVE-2020-15502 (** DISPUTED ** The DuckDuckGo application through 5.58.0 for Android, ...)
+ TODO: check
+CVE-2019-20894 (Traefik 2.x, in certain configurations, allows HTTPS sessions to proce ...)
+ TODO: check
CVE-2020-15501
RESERVED
CVE-2020-15500 (An issue was discovered in server.js in TileServer GL through 3.0.0. T ...)
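Review bot: CVE-2020-15502 arrives with a "** DISPUTED **" marker in its description yet gets the same plain "TODO: check" as the other two new entries, so whoever triages it should decide explicitly whether a disputed DuckDuckGo Android issue is recorded as NOT-FOR-US or as unimportant rather than leaving the TODO open; the other two are ordinary triage (LibRaw thumbnail size check, Traefik HTTPS session handling), and CVE-2019-20894 is a 2019 identifier filed at the top among the 2020 ones, which is expected for newest-published-first ordering but worth knowing when grepping the file by year.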
@@ -865,8 +883,8 @@ CVE-2020-15093
RESERVED
CVE-2020-15092
RESERVED
-CVE-2020-15091
- RESERVED
+CVE-2020-15091 (TenderMint from version 0.33.0 and before version 0.33.6 allows block ...)
+ TODO: check
CVE-2020-15090
RESERVED
CVE-2020-15089
@@ -881,16 +899,16 @@ CVE-2020-15085 (In Saleor Storefront before version 2.10.3, request data used to
NOT-FOR-US: Saleor Storefront
CVE-2020-15084 (In express-jwt (NPM package) up and including version 5.3.3, the algor ...)
TODO: check
-CVE-2020-15083
- RESERVED
-CVE-2020-15082
- RESERVED
-CVE-2020-15081
- RESERVED
-CVE-2020-15080
- RESERVED
-CVE-2020-15079
- RESERVED
+CVE-2020-15083 (In PrestaShop from version 1.7.0.0 and before version 1.7.6.6, if a ta ...)
+ TODO: check
+CVE-2020-15082 (In PrestaShop from version 1.6.0.1 and before version 1.7.6.6, the das ...)
+ TODO: check
+CVE-2020-15081 (In PrestaShop from version 1.5.0.0 and before 1.7.6.6, there is inform ...)
+ TODO: check
+CVE-2020-15080 (In PrestaShop from version 1.7.4.0 and before version 1.7.6.6, some fi ...)
+ TODO: check
+CVE-2020-15079 (In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, there i ...)
+ TODO: check
CVE-2020-15078
RESERVED
CVE-2020-15077
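Review bot: the five PrestaShop entries CVE-2020-15079 through CVE-2020-15083 are left at "TODO: check", but this same file already resolves the PrestaShop addon CVE-2020-12120 with "NOT-FOR-US: PrestaShop" (visible as context in the CVE-2020-12119 hunk below); unless PrestaShop itself is now packaged, these five can be closed the same way, and the same applies to CVE-2020-11074 and CVE-2020-4074 further down, which would otherwise sit as stale TODOs. All five here say "before version 1.7.6.6", so one fixed-version note would cover them.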
@@ -3370,8 +3388,8 @@ CVE-2020-14093 (Mutt before 1.14.3 allows an IMAP fcc/postpone man-in-the-middle
NOTE: Fixed by: https://gitlab.com/muttmua/mutt/commit/3e88866dc60b5fa6aaba6fd7c1710c12c1c3cd01
NOTE: Fix for CVE-2020-14093 introduces a regression, cf. #963107
NOTE: Regression fixed by: https://gitlab.com/muttmua/mutt/-/commit/dc909119b3433a84290f0095c0f43a23b98b3748
-CVE-2020-14092
- RESERVED
+CVE-2020-14092 (The CodePeople Payment Form for PayPal Pro plugin before 1.1.65 for Wo ...)
+ TODO: check
CVE-2020-14091
RESERVED
CVE-2020-14090
@@ -4544,8 +4562,8 @@ CVE-2020-13655
RESERVED
CVE-2020-13654
RESERVED
-CVE-2020-13653
- RESERVED
+CVE-2020-13653 (An XSS vulnerability exists in the Webmail component of Zimbra Collabo ...)
+ TODO: check
CVE-2020-13652 (An issue was discovered in DigDash 2018R2 before p20200528, 2019R1 bef ...)
NOT-FOR-US: DigDash
CVE-2020-13651 (An issue was discovered in DigDash 2018R2 before p20200528, 2019R1 bef ...)
@@ -5109,6 +5127,7 @@ CVE-2020-13403
CVE-2020-13402
RESERVED
CVE-2020-13401 (An issue was discovered in Docker Engine before 19.03.11. An attacker ...)
+ {DSA-4716-1}
- docker.io 19.03.11+dfsg1-1 (bug #962141)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1833233
NOTE: https://github.com/moby/libnetwork/commit/153d0769a1181bf591a9637fd487a541ec7db1e6
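Review bot: only the {DSA-4716-1} cross-reference is added here, and the existing "docker.io 19.03.11+dfsg1-1 (bug #962141)" line already records the unstable fix, so this entry is closed on both the stable and unstable side; contrast the imagemagick hunks later in this commit, where a DSA is added while the unstable line stays "<unfixed>".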
@@ -8251,8 +8270,8 @@ CVE-2020-12121
RESERVED
CVE-2020-12120 (The Correos Express addon for PrestaShop 1.6 through 1.7 allows remote ...)
NOT-FOR-US: PrestaShop
-CVE-2020-12119
- RESERVED
+CVE-2020-12119 (Ledger Live before 2.7.0 does not handle Bitcoin's Replace-By-Fee (RBF ...)
+ TODO: check
CVE-2020-12118 (The keygen protocol implementation in Binance tss-lib before 1.2.0 all ...)
NOT-FOR-US: Binance tss-lib
CVE-2020-12117 (Moxa Service in Moxa NPort 5150A firmware version 1.5 and earlier allo ...)
@@ -11969,8 +11988,8 @@ CVE-2020-11076 (In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smu
NOTE: https://github.com/puma/puma/commit/f24d5521295a2152c286abb0a45a1e1e2bd275bd
CVE-2020-11075 (In Anchore Engine version 0.7.0, a specially crafted container image m ...)
NOT-FOR-US: Anchore Engine
-CVE-2020-11074
- RESERVED
+CVE-2020-11074 (In PrestaShop from version 1.5.3.0 and before version 1.7.7.6, there i ...)
+ TODO: check
CVE-2020-11073 (In Autoswitch Python Virtualenv before version 0.16.0, a user who ente ...)
NOT-FOR-US: zsh-autoswitch-virtualenv
CVE-2020-11072 (In SLP Validate (npm package slp-validate) before version 1.2.1, users ...)
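Review bot: CVE-2020-11074 is another PrestaShop entry that can be triaged like the CVE-2020-15079 to CVE-2020-15083 group and like the existing "NOT-FOR-US: PrestaShop" on CVE-2020-12120; note its range reads "before version 1.7.7.6" rather than the "1.7.6.6" of those five, so it belongs to a different upstream release and should not be bulk-merged with them into one fixed-version note.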
@@ -16163,12 +16182,10 @@ CVE-2020-9500 (Some products of Dahua have Denial of Service vulnerabilities. Af
NOT-FOR-US: Dahua
CVE-2020-9499 (Some Dahua products have buffer overflow vulnerabilities. After the su ...)
NOT-FOR-US: Dahua
-CVE-2020-9498
- RESERVED
+CVE-2020-9498 (Apache Guacamole 1.1.0 and older may mishandle pointers involved inpro ...)
- guacamole-client <unfixed>
NOTE: https://www.openwall.com/lists/oss-security/2020/07/02/3
-CVE-2020-9497
- RESERVED
+CVE-2020-9497 (Apache Guacamole 1.1.0 and older do not properly validate datareceived ...)
- guacamole-client <unfixed>
NOTE: https://www.openwall.com/lists/oss-security/2020/07/02/2
CVE-2020-9496
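Review bot: CVE-2020-9498 and CVE-2020-9497 move from RESERVED straight to a description with the pre-existing "guacamole-client <unfixed>" and oss-security NOTE lines as context, so no "TODO: check" is introduced and the entries stay triaged; the run-together words in the descriptions ("involved inpro ...", "validate datareceived ...") come from the imported CVE text, not from this commit, and should not be hand-patched in the list. What is still missing on both is a fixed Debian version, so a follow-up replacing "<unfixed>" is expected once the upload lands.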
@@ -19274,14 +19291,13 @@ CVE-2020-8190
RESERVED
CVE-2020-8189
RESERVED
-CVE-2020-8188
- RESERVED
+CVE-2020-8188 (We have recently released new version of UniFi Protect firmware v1.13. ...)
+ TODO: check
CVE-2020-8187
RESERVED
CVE-2020-8186
RESERVED
-CVE-2020-8185
- RESERVED
+CVE-2020-8185 (A denial of service vulnerability exists in Rails <6.0.3.2 that all ...)
[experimental] - rails 6.0.3.2+dfsg-1 (bug #964081)
- rails <not-affected> (Introduced in rails 6.x)
NOTE: https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0
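Review bot: CVE-2020-8185's new description ("Rails <6.0.3.2") agrees with the existing "[experimental] - rails 6.0.3.2+dfsg-1 (bug #964081)" and "rails <not-affected> (Introduced in rails 6.x)" lines, so nothing further is needed there. CVE-2020-8188, by contrast, has a vendor release-note style description ("We have recently released new version of UniFi Protect firmware v1.13. ...") that does not state what the vulnerability is, so its "TODO: check" cannot be resolved from the list text alone and needs the Ubiquiti advisory before it is classified.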
@@ -19296,8 +19312,8 @@ CVE-2020-8181
RESERVED
CVE-2020-8180 (A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a cod ...)
NOT-FOR-US: Nextcloud Talk
-CVE-2020-8179
- RESERVED
+CVE-2020-8179 (Improper access control in Nextcloud Deck 1.0.0 allowed an attacker to ...)
+ TODO: check
CVE-2020-8178
RESERVED
CVE-2020-8177
@@ -19305,8 +19321,8 @@ CVE-2020-8177
- curl <unfixed>
NOTE: https://curl.haxx.se/docs/CVE-2020-8177.html
NOTE: https://github.com/curl/curl/commit/8236aba58542c5f89f1d41ca09d84579efb05e22 (7.71.0)
-CVE-2020-8176
- RESERVED
+CVE-2020-8176 (A cross-site scripting vulnerability exists in koa-shopify-auth v3.1.6 ...)
+ TODO: check
CVE-2020-8175
RESERVED
CVE-2020-8174 [napi_get_value_string_*() allows various kinds of memory corruption]
@@ -19340,8 +19356,7 @@ CVE-2020-8167 (A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module
[jessie] - rails <not-affected> (Vulnerable code introduced later)
NOTE: https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released
NOTE: https://github.com/rails/rails/commit/fbc7bec074b5ef9ae22f79ca5d9bafec7b276dd3
-CVE-2020-8166
- RESERVED
+CVE-2020-8166 (A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6. ...)
- rails 2:5.2.4.3+dfsg-1
[stretch] - rails <not-affected> (Vulnerable code introduced later)
[jessie] - rails <not-affected> (Vulnerable code introduced later)
@@ -19361,8 +19376,7 @@ CVE-2020-8164 (A deserialization of untrusted data vulnerability exists in rails
- rails 2:5.2.4.3+dfsg-1
NOTE: https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released
NOTE: https://github.com/rails/rails/commit/7a3ee4fea90b7555f8d09c6c05c15fe7ab5a06ec
-CVE-2020-8163
- RESERVED
+CVE-2020-8163 (The is a code injection vulnerability in versions of Rails prior to 5. ...)
- rails 2:5.2.0+dfsg-2
NOTE: https://weblog.rubyonrails.org/2020/5/15/Rails-4-2-11-2-has-been-released/
NOTE: https://weblog.rubyonrails.org/2020/5/16/rails-4-2-11-3-has-been-released/
@@ -19379,8 +19393,7 @@ CVE-2020-8162 (A client side enforcement of server side security vulnerability e
[jessie] - rails <not-affected> (Vulnerable code introduced later)
NOTE: https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released
NOTE: https://github.com/rails/rails/commit/e8df5648515a0e8324d3b3c4bdb7bde6802cd8be
-CVE-2020-8161 [Directory traversal in Rack::Directory]
- RESERVED
+CVE-2020-8161 (A directory traversal vulnerability exists in rack < 2.2.0 that all ...)
{DLA-2216-1}
- ruby-rack 2.1.1-5
[buster] - ruby-rack <no-dsa> (Minor issue; can be fixed via point release)
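Review bot: the hand-written title "[Directory traversal in Rack::Directory]" on CVE-2020-8161 is replaced by the imported description ("A directory traversal vulnerability exists in rack < 2.2.0 ..."), which is what happens when a reserved entry is published; the {DLA-2216-1}, "ruby-rack 2.1.1-5" and "[buster] - ruby-rack <no-dsa>" lines are untouched context, so the entry remains fully triaged and no TODO is added.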
@@ -20308,10 +20321,10 @@ CVE-2020-7823
RESERVED
CVE-2020-7822
RESERVED
-CVE-2020-7821
- RESERVED
-CVE-2020-7820
- RESERVED
+CVE-2020-7821 (Nexacro14/17 ExtCommonApiV13 Library under 2019.9.6 version contain a ...)
+ TODO: check
+CVE-2020-7820 (Nexacro14/17 ExtCommonApiV13 Library under 2019.9.6 version contain a ...)
+ TODO: check
CVE-2020-7819
RESERVED
CVE-2020-7818
@@ -24964,12 +24977,12 @@ CVE-2020-5913
RESERVED
CVE-2020-5912
RESERVED
-CVE-2020-5911
- RESERVED
-CVE-2020-5910
- RESERVED
-CVE-2020-5909
- RESERVED
+CVE-2020-5911 (In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller ...)
+ TODO: check
+CVE-2020-5910 (In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic ...)
+ TODO: check
+CVE-2020-5909 (In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the co ...)
+ TODO: check
CVE-2020-5908 (In versions bundled with BIG-IP APM 12.1.0-12.1.5 and 11.6.1-11.6.5.2, ...)
NOT-FOR-US: F5 BIG-IP
CVE-2020-5907 (In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, ...)
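Review bot: CVE-2020-5909, CVE-2020-5910 and CVE-2020-5911 all describe NGINX Controller versions 3.0.0-3.5.0, 2.0.0-2.9.0 and 1.0.1 (an F5 product), and the adjacent CVE-2020-5908 and CVE-2020-5907 are already "NOT-FOR-US: F5 BIG-IP", so the three "TODO: check" lines can most likely be closed as NOT-FOR-US with an F5 / NGINX Controller label; the "..." cut in the descriptions is the file's fixed-width truncation, not text to repair.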
@@ -29313,8 +29326,8 @@ CVE-2020-4076
RESERVED
CVE-2020-4075
RESERVED
-CVE-2020-4074
- RESERVED
+CVE-2020-4074 (In PrestaShop from version 1.5.0.0 and before version 1.7.7.6, the aut ...)
+ TODO: check
CVE-2020-4073
RESERVED
CVE-2020-4072 (In generator-jhipster-kotlin version 1.6.0 log entries are created for ...)
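Review bot: CVE-2020-4074 is a third PrestaShop "TODO: check" in this commit (range "before version 1.7.7.6", matching CVE-2020-11074 rather than the 1.7.6.6 group); triage it together with those, following the existing "NOT-FOR-US: PrestaShop" on CVE-2020-12120.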
@@ -29342,8 +29355,8 @@ CVE-2020-4063
RESERVED
CVE-2020-4062 (In Conjur OSS Helm Chart before 2.0.0, a recently identified critical ...)
TODO: check
-CVE-2020-4061
- RESERVED
+CVE-2020-4061 (In October from version 1.0.319 and before version 1.0.467, pasting co ...)
+ TODO: check
CVE-2020-4060 (In LoRa Basics Station before 2.0.4, there is a Use After Free vulnera ...)
NOT-FOR-US: LoRa Basics Station
CVE-2020-4059 (In mversion before 2.0.0, there is a command injection vulnerability. ...)
@@ -30144,7 +30157,7 @@ CVE-2019-19949 (In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-r
NOTE: https://github.com/ImageMagick/ImageMagick/commit/d17c047f7bff7c0edbf304470cd2ab9d02fbf617 (7.x)
NOTE: https://github.com/ImageMagick/ImageMagick6/commit/34adc98afd5c7e7fb774d2ebdaea39e831c24dce (6.x)
CVE-2019-19948 (In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer overflow in ...)
- {DSA-4712-1 DLA-2049-1}
+ {DSA-4715-1 DSA-4712-1 DLA-2049-1}
- imagemagick <unfixed> (low; bug #947308)
[stretch] - imagemagick <no-dsa> (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1562
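Review bot: DSA-4715-1 is prepended to {DSA-4712-1 DLA-2049-1} on CVE-2019-19948 while the package line below still reads "imagemagick <unfixed> (low; bug #947308)", i.e. the stable DSA is recorded but unstable remains open. That is a valid state, but the identical pattern repeats in every imagemagick hunk in this commit (CVE-2019-15140, CVE-2019-13307, CVE-2019-13306, CVE-2019-13304, CVE-2019-13300, each keeping its own open bug number), so confirm that an unstable upload is planned; otherwise these six bugs will stay open indefinitely after the DSA.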
@@ -32075,8 +32088,8 @@ CVE-2020-3284
RESERVED
CVE-2020-3283 (A vulnerability in the Secure Sockets Layer (SSL)/Transport Layer Secu ...)
NOT-FOR-US: Cisco
-CVE-2020-3282
- RESERVED
+CVE-2020-3282 (A vulnerability in the web-based management interface of Cisco Unified ...)
+ TODO: check
CVE-2020-3281 (A vulnerability in the audit logging component of Cisco Digital Networ ...)
NOT-FOR-US: Cisco
CVE-2020-3280 (A vulnerability in the Java Remote Management Interface of Cisco Unifi ...)
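Review bot: CVE-2020-3282 is a web-based management interface issue in a Cisco Unified product and sits between CVE-2020-3283 and CVE-2020-3281, both already "NOT-FOR-US: Cisco", so its "TODO: check" can be resolved the same way in the next manual pass.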
@@ -34869,62 +34882,43 @@ CVE-2020-2221
RESERVED
CVE-2020-2220
RESERVED
-CVE-2020-2219
- RESERVED
+CVE-2020-2219 (Jenkins Link Column Plugin 1.0 and earlier does not filter URLs of lin ...)
NOT-FOR-US: Jenkins plugin
-CVE-2020-2218
- RESERVED
+CVE-2020-2218 (Jenkins HP ALM Quality Center Plugin 1.6 and earlier stores a password ...)
NOT-FOR-US: Jenkins plugin
-CVE-2020-2217
- RESERVED
+CVE-2020-2217 (Jenkins Compatibility Action Storage Plugin 1.0 and earlier does not e ...)
NOT-FOR-US: Jenkins plugin
-CVE-2020-2216
- RESERVED
+CVE-2020-2216 (A missing permission check in Jenkins Zephyr for JIRA Test Management ...)
NOT-FOR-US: Jenkins plugin
-CVE-2020-2215
- RESERVED
+CVE-2020-2215 (A cross-site request forgery vulnerability in Jenkins Zephyr for JIRA ...)
NOT-FOR-US: Jenkins plugin
-CVE-2020-2214
- RESERVED
+CVE-2020-2214 (Jenkins ZAP Pipeline Plugin 1.9 and earlier programmatically disables ...)
NOT-FOR-US: Jenkins plugin
-CVE-2020-2213
- RESERVED
+CVE-2020-2213 (Jenkins White Source Plugin 19.1.1 and earlier stores credentials unen ...)
NOT-FOR-US: Jenkins plugin
-CVE-2020-2212
- RESERVED
+CVE-2020-2212 (Jenkins GitHub Coverage Reporter Plugin 1.8 and earlier stores secrets ...)
NOT-FOR-US: Jenkins plugin
-CVE-2020-2211
- RESERVED
+CVE-2020-2211 (Jenkins ElasticBox Jenkins Kubernetes CI/CD Plugin 1.3 and earlier doe ...)
NOT-FOR-US: Jenkins plugin
-CVE-2020-2210
- RESERVED
+CVE-2020-2210 (Jenkins Stash Branch Parameter Plugin 0.3.0 and earlier transmits conf ...)
NOT-FOR-US: Jenkins plugin
-CVE-2020-2209
- RESERVED
+CVE-2020-2209 (Jenkins TestComplete support Plugin 2.4.1 and earlier stores a passwor ...)
NOT-FOR-US: Jenkins plugin
-CVE-2020-2208
- RESERVED
+CVE-2020-2208 (Jenkins Slack Upload Plugin 1.7 and earlier stores a secret unencrypte ...)
NOT-FOR-US: Jenkins plugin
-CVE-2020-2207
- RESERVED
+CVE-2020-2207 (Jenkins VncViewer Plugin 1.7 and earlier does not escape a parameter v ...)
NOT-FOR-US: Jenkins plugin
-CVE-2020-2206
- RESERVED
+CVE-2020-2206 (Jenkins VncRecorder Plugin 1.25 and earlier does not escape a paramete ...)
NOT-FOR-US: Jenkins plugin
-CVE-2020-2205
- RESERVED
+CVE-2020-2205 (Jenkins VncRecorder Plugin 1.25 and earlier does not escape a tool pat ...)
NOT-FOR-US: Jenkins plugin
-CVE-2020-2204
- RESERVED
+CVE-2020-2204 (A missing permission check in Jenkins Fortify on Demand Plugin 5.0.1 a ...)
NOT-FOR-US: Jenkins plugin
-CVE-2020-2203
- RESERVED
+CVE-2020-2203 (A cross-site request forgery vulnerability in Jenkins Fortify on Deman ...)
NOT-FOR-US: Jenkins plugin
-CVE-2020-2202
- RESERVED
+CVE-2020-2202 (A missing permission check in Jenkins Fortify on Demand Plugin 6.0.0 a ...)
NOT-FOR-US: Jenkins plugin
-CVE-2020-2201
- RESERVED
+CVE-2020-2201 (Jenkins Sonargraph Integration Plugin 3.0.0 and earlier does not escap ...)
NOT-FOR-US: Jenkins plugin
CVE-2020-2200 (Jenkins Play Framework Plugin 1.0.2 and earlier lets users specify the ...)
NOT-FOR-US: Jenkins plugin
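Review bot: all nineteen Jenkins plugin entries (CVE-2020-2201 through CVE-2020-2219) already carried "NOT-FOR-US: Jenkins plugin" as unchanged context, so this hunk only fills in descriptions and introduces no "TODO: check"; the header's shrink from 62 to 43 lines matches the nineteen removed "RESERVED" lines exactly, which is a quick sanity check that nothing else in the block moved.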
@@ -51924,7 +51918,7 @@ CVE-2019-15141 (WriteTIFFImage in coders/tiff.c in ImageMagick 7.0.8-43 Q16 allo
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1560
NOTE: https://github.com/ImageMagick/ImageMagick6/commit/3c53413eb544cc567309b4c86485eae43e956112
CVE-2019-15140 (coders/mat.c in ImageMagick 7.0.8-43 Q16 allows remote attackers to ca ...)
- {DSA-4712-1 DLA-1968-1}
+ {DSA-4715-1 DSA-4712-1 DLA-1968-1}
- imagemagick <unfixed> (bug #941671)
NOTE: https://github.com/ImageMagick/ImageMagick/commit/f7206618d27c2e69d977abf40e3035a33e5f6be0
NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/5caef6e97f3f575cf7bea497865a4c1e624b8010
@@ -59026,7 +59020,7 @@ CVE-2019-13308 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow in Mag
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1595
NOTE: https://github.com/ImageMagick/ImageMagick6/commit/19651f3db63fa1511ed83a348c4c82fa553f8d01
CVE-2019-13307 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCor ...)
- {DSA-4712-1}
+ {DSA-4715-1 DSA-4712-1}
- imagemagick <unfixed> (bug #931448)
[jessie] - imagemagick <ignored> (minor issue, patch fairly intrusive)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1615
@@ -59035,7 +59029,7 @@ CVE-2019-13307 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at Mag
NOTE: https://github.com/ImageMagick/ImageMagick6/commit/e6d26d4e2f07375ddbf46a857d309d51eeff7ee1
NOTE: https://github.com/ImageMagick/ImageMagick6/commit/643921ca69a20b203faebd0b287d8b7012dc749d
CVE-2019-13306 (ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/p ...)
- {DSA-4712-1 DLA-1888-1}
+ {DSA-4715-1 DSA-4712-1 DLA-1888-1}
- imagemagick <unfixed> (bug #931449)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1612
NOTE: initial fix:
@@ -59048,7 +59042,7 @@ CVE-2019-13305 (ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at co
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1613
NOTE: https://github.com/ImageMagick/ImageMagick6/commit/5c7fbf9a14fb83c9685ad69d48899f490a37609d
CVE-2019-13304 (ImageMagick 7.0.8-50 Q16 has a stack-based buffer overflow at coders/p ...)
- {DSA-4712-1 DLA-1888-1}
+ {DSA-4715-1 DSA-4712-1 DLA-1888-1}
- imagemagick <unfixed> (bug #931453)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1614
NOTE: https://github.com/ImageMagick/ImageMagick6/commit/bfa3b9610c83227894c92b0d312ad327fceb6241
@@ -59066,7 +59060,7 @@ CVE-2019-13301 (ImageMagick 7.0.8-50 Q16 has memory leaks in AcquireMagickMemory
- imagemagick <unfixed> (unimportant)
NOTE: https://github.com/ImageMagick/ImageMagick6/commit/0b7d3675438cbcde824e751895847a0794406e08
CVE-2019-13300 (ImageMagick 7.0.8-50 Q16 has a heap-based buffer overflow at MagickCor ...)
- {DSA-4712-1}
+ {DSA-4715-1 DSA-4712-1}
- imagemagick <unfixed> (bug #931454)
[jessie] - imagemagick <ignored> (minor issue, patch fairly intrusive)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1586
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9becb90075efee7161b23df6a10549ca7d55358