[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Wed Jul 8 21:10:28 BST 2020
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b7449e14 by security tracker role at 2020-07-08T20:10:20+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -2513,7 +2513,7 @@ CVE-2020-14478
CVE-2020-14477 (In Philips Ultrasound ClearVue Versions 3.2 and prior, Ultrasound CX V ...)
NOT-FOR-US: Philips
CVE-2020-14476
- RESERVED
+ REJECTED
CVE-2020-14475 (A reflected cross-site scripting (XSS) vulnerability in Dolibarr 11.0. ...)
- dolibarr <removed>
NOTE: https://github.com/Dolibarr/dolibarr/commit/22ca5e067189bffe8066df26df923a386f044c08
@@ -8936,8 +8936,8 @@ CVE-2020-11996 (A specially crafted sequence of HTTP/2 requests sent to Apache T
NOTE: https://github.com/apache/tomcat/commit/c8acd2ab7371e39aeca7c306f3b5380f00afe552 (8.5.56)
CVE-2020-11995
RESERVED
-CVE-2020-11994
- RESERVED
+CVE-2020-11994 (Server-Side Template Injection and arbitrary file disclosure on Camel ...)
+ TODO: check
CVE-2020-11993
RESERVED
CVE-2020-11992
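Review bot: the new CVE-2020-11994 entry is left at `TODO: check` with only the truncated description ("Server-Side Template Injection and arbitrary file disclosure on Camel ..."); resolve it to either a package line or a `NOT-FOR-US:` line in the form the file uses elsewhere (for example `NOT-FOR-US: Anchore Engine`), and record the upstream reference as a `NOTE:` line, since a template injection combined with file disclosure is exactly the kind of issue that would need a fix in any packaged copy of the affected component.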
@@ -8947,6 +8947,7 @@ CVE-2020-11991
CVE-2020-11990
RESERVED
CVE-2020-11989 (Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic ...)
+ {DLA-2273-1}
- shiro <unfixed>
NOTE: https://www.openwall.com/lists/oss-security/2020/06/22/1
NOTE: https://github.com/apache/shiro/pull/211
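Review bot: `{DLA-2273-1}` is attached to CVE-2020-11989 while the package line stays `shiro <unfixed>` and, unlike CVE-2020-1957 later in this diff (`shiro <unfixed> (bug #955018)`), carries no bug reference; if the same Debian bug tracks this issue, add it here as well so the unfixed state in unstable is linked to a bug, otherwise file one so the LTS advisory is not the only record of the fix.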
@@ -9926,8 +9927,8 @@ CVE-2020-11851
RESERVED
CVE-2020-11850
RESERVED
-CVE-2020-11849
- RESERVED
+CVE-2020-11849 (Elevation of privilege and/or unauthorized access vulnerability in Mic ...)
+ TODO: check
CVE-2020-11848
RESERVED
CVE-2020-11847
@@ -12351,7 +12352,7 @@ CVE-2020-11076 (In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smu
NOTE: https://github.com/puma/puma/commit/f24d5521295a2152c286abb0a45a1e1e2bd275bd
CVE-2020-11075 (In Anchore Engine version 0.7.0, a specially crafted container image m ...)
NOT-FOR-US: Anchore Engine
-CVE-2020-11074 (In PrestaShop from version 1.5.3.0 and before version 1.7.7.6, there i ...)
+CVE-2020-11074 (In PrestaShop from version 1.5.3.0 and before version 1.7.6.6, there i ...)
NOT-FOR-US: PrestaShop
CVE-2020-11073 (In Autoswitch Python Virtualenv before version 0.16.0, a user who ente ...)
NOT-FOR-US: zsh-autoswitch-virtualenv
@@ -12879,6 +12880,7 @@ CVE-2020-10935 (Zulip Server before 2.1.3 allows XSS via a Markdown link, with r
CVE-2020-10934 (Acyba AcyMailing before 6.9.2 mishandles file uploads by admins. ...)
NOT-FOR-US: Acyba AcyMailing
CVE-2020-10933 (An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6 ...)
+ {DSA-4721-1}
- ruby2.7 2.7.1-1
- ruby2.5 <removed>
- ruby2.3 <not-affected> (Vulnerable code introduced in 2.5.0)
@@ -13920,7 +13922,7 @@ CVE-2020-10665 (Docker Desktop allows local privilege escalation to NT AUTHORITY
CVE-2020-10664 (The IGMP component in VxWorks 6.8.3 IPNET CVE patches created in 2019 ...)
NOT-FOR-US: VxWorks
CVE-2020-10663 (The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9 ...)
- {DLA-2192-1 DLA-2190-1}
+ {DSA-4721-1 DLA-2192-1 DLA-2190-1}
- ruby-json 2.3.0+dfsg-1
[buster] - ruby-json <no-dsa> (Minor issue)
[stretch] - ruby-json <no-dsa> (Minor issue)
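Review bot: `{DSA-4721-1}` is added to CVE-2020-10663 whose only package line is `ruby-json 2.3.0+dfsg-1`, with `[buster]` and `[stretch]` still marked `<no-dsa> (Minor issue)`; the same DSA is listed under CVE-2020-10933 against ruby2.5/ruby2.7, so if the advisory fixes the json copy embedded in the interpreter packages rather than ruby-json itself, add the corresponding ruby2.x package line here so the DSA reference matches a package the entry actually tracks.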
@@ -14592,7 +14594,7 @@ CVE-2020-10379 (In Pillow before 7.1.0, there are two Buffer Overflows in libIma
[jessie] - pillow <no-dsa> (Minor issue)
NOTE: https://github.com/python-pillow/Pillow/pull/4538
NOTE: Fixed in 6.2.3 and 7.1.0
-CVE-2020-10378 (In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, ...)
+CVE-2020-10378 (In libImaging/PcxDecode.c in Pillow before before 7.0.1, an out-of-bou ...)
- pillow <unfixed>
[jessie] - pillow <no-dsa> (Minor issue)
NOTE: https://github.com/python-pillow/Pillow/pull/4538
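Review bot: the synced description for CVE-2020-10378 now reads "Pillow before before 7.0.1" (duplicated "before", apparently carried over from the upstream text) and no longer mentions the 6.2.3 fix that the previous wording ("before 6.2.3 and 7.x before 7.0.1") did; since the description is updated automatically and the package line stays `pillow <unfixed>`, record the fixed upstream versions in a `NOTE:` line as is done for CVE-2020-10379 (`NOTE: Fixed in 6.2.3 and 7.1.0`) so that information survives the next sync.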
@@ -15059,7 +15061,7 @@ CVE-2020-10179
RESERVED
CVE-2020-10178
REJECTED
-CVE-2020-10177 (Pillow before 6.2.3 and 7.x before 7.0.1 has multiple out-of-bounds re ...)
+CVE-2020-10177 (Pillow before 7.0.1 has multiple out-of-bounds reads in libImaging/Fli ...)
- pillow <unfixed>
[jessie] - pillow <no-dsa> (Minor issue)
NOTE: https://github.com/python-pillow/Pillow/pull/4503
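Review bot: the rewritten CVE-2020-10177 description drops the "before 6.2.3" qualifier, so read literally it now says every Pillow release before 7.0.1 is affected, including the 6.2.x releases the previous wording treated as fixed; verify the fixed range against the referenced pull request (https://github.com/python-pillow/Pillow/pull/4503) before relying on the description for backport decisions, and capture the outcome in a `NOTE:` line since the package line remains `pillow <unfixed>`.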
@@ -22170,8 +22172,8 @@ CVE-2020-7142
RESERVED
CVE-2020-7141
RESERVED
-CVE-2020-7140
- RESERVED
+CVE-2020-7140 (A security vulnerability in HPE IceWall SSO Dfw and Dgfw (Domain Gatew ...)
+ TODO: check
CVE-2020-7139 (Potential remote access security vulnerabilities have been identified ...)
NOT-FOR-US: HPE
CVE-2020-7138 (Potential remote code execution security vulnerabilities have been ide ...)
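Review bot: CVE-2020-7140 (HPE IceWall SSO) is left at `TODO: check` while the neighbouring HPE entries CVE-2020-7139 and CVE-2020-7138 are already resolved as `NOT-FOR-US: HPE`; unless IceWall is packaged in Debian, resolve it the same way in this pass so the TODO queue only holds entries that need real triage.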
@@ -22694,8 +22696,8 @@ CVE-2020-6940
RESERVED
CVE-2020-6939
RESERVED
-CVE-2020-6938
- RESERVED
+CVE-2020-6938 (A sensitive information disclosure vulnerability in Tableau Server 10. ...)
+ TODO: check
CVE-2020-6937 (A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, ...)
NOT-FOR-US: MuleSoft
CVE-2020-6936
@@ -25491,8 +25493,8 @@ CVE-2020-5841 (An issue was discovered in OpServices OpMon 9.3.1-1. Using passwo
NOT-FOR-US: OpServices OpMon
CVE-2020-5840 (An issue was discovered in HashBrown CMS before 1.3.2. Server/Entity/R ...)
NOT-FOR-US: HashBrown CMS
-CVE-2020-5839
- RESERVED
+CVE-2020-5839 (Symantec Endpoint Detection And Response, prior to 4.4, may be suscept ...)
+ TODO: check
CVE-2020-5838 (Symantec IT Analytics, prior to 2.9.1, may be susceptible to a cross-s ...)
NOT-FOR-US: Symantec
CVE-2020-5837 (Symantec Endpoint Protection, prior to 14.3, may not respect file perm ...)
@@ -25641,8 +25643,8 @@ CVE-2020-5766
RESERVED
CVE-2020-5765
RESERVED
-CVE-2020-5764
- RESERVED
+CVE-2020-5764 (MX Player Android App versions prior to v1.24.5, are vulnerable to a d ...)
+ TODO: check
CVE-2020-5763
RESERVED
CVE-2020-5762
@@ -29917,8 +29919,8 @@ CVE-2020-3975
RESERVED
CVE-2020-3974
RESERVED
-CVE-2020-3973
- RESERVED
+CVE-2020-3973 (The VeloCloud Orchestrator does not apply correct input validation whi ...)
+ TODO: check
CVE-2020-3972 (VMware Tools for macOS (11.x.x and prior before 11.1.1) contains a den ...)
NOT-FOR-US: VMware
CVE-2020-3971 (VMware ESXi (6.7 before ESXi670-201904101-SG and 6.5 before ESXi650-20 ...)
@@ -30662,8 +30664,8 @@ CVE-2020-3933 (Secom Co. Dr.ID, a Door Access Control and Personnel Attendance M
NOT-FOR-US: Secom Co. Dr.ID
CVE-2020-3932 (A vulnerable SNMP in Draytek VigorAP910C cannot be disabled, which may ...)
NOT-FOR-US: Draytek VigorAP910C
-CVE-2020-3931
- RESERVED
+CVE-2020-3931 (Buffer overflow exists in Geovision Door Access Control device family, ...)
+ TODO: check
CVE-2020-3930 (GeoVision Door Access Control device family improperly stores and cont ...)
NOT-FOR-US: GeoVision Door Access Control
CVE-2020-3929 (GeoVision Door Access Control device family employs shared cryptograph ...)
@@ -35635,16 +35637,16 @@ CVE-2020-2036
RESERVED
CVE-2020-2035
RESERVED
-CVE-2020-2034
- RESERVED
+CVE-2020-2034 (An OS Command Injection vulnerability in the PAN-OS GlobalProtect port ...)
+ TODO: check
CVE-2020-2033 (When the pre-logon feature is enabled, a missing certification validat ...)
NOT-FOR-US: Palo Alto Networks
CVE-2020-2032 (A race condition vulnerability Palo Alto Networks GlobalProtect app on ...)
NOT-FOR-US: Palo Alto Networks
-CVE-2020-2031
- RESERVED
-CVE-2020-2030
- RESERVED
+CVE-2020-2031 (An integer underflow vulnerability in the dnsproxyd component of the P ...)
+ TODO: check
+CVE-2020-2030 (An OS Command Injection vulnerability in the PAN-OS management interfa ...)
+ TODO: check
CVE-2020-2029 (An OS Command Injection vulnerability in the PAN-OS web management int ...)
NOT-FOR-US: Palo Alto Networks
CVE-2020-2028 (An OS Command Injection vulnerability in PAN-OS management server allo ...)
@@ -35747,8 +35749,8 @@ CVE-2020-1983 (A use after free vulnerability in ip_reass() in ip_input.c of lib
NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/9bd6c5913271eabcb7768a58197ed3301fe19f2d
NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed
NOTE: slirp4netns 1.0.1-1 switched to system libslirp, marking that version as fixed.
-CVE-2020-1982
- RESERVED
+CVE-2020-1982 (Certain communication between PAN-OS and cloud-delivered services inad ...)
+ TODO: check
CVE-2020-1981 (A predictable temporary filename vulnerability in PAN-OS allows local ...)
NOT-FOR-US: PAN-OS
CVE-2020-1980 (A shell command injection vulnerability in the PAN-OS CLI allows a loc ...)
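Review bot: the vendor label around the new CVE-2020-1982 entry is inconsistent: the line below it uses `NOT-FOR-US: PAN-OS` (CVE-2020-1981) while the CVE-2020-20xx PAN-OS entries earlier in this diff use `NOT-FOR-US: Palo Alto Networks`; when the `TODO: check` is resolved, pick one label so searches for this vendor's entries return a consistent set.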
@@ -36069,7 +36071,7 @@ CVE-2020-1959 (A Server-Side Template Injection was identified in Apache Syncope
CVE-2020-1958 (When LDAP authentication is enabled in Apache Druid 0.17.0, callers of ...)
- druid <itp> (bug #825797)
CVE-2020-1957 (Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic ...)
- {DLA-2181-1}
+ {DLA-2273-1 DLA-2181-1}
- shiro <unfixed> (bug #955018)
NOTE: https://www.openwall.com/lists/oss-security/2020/03/23/2
NOTE: Fixed by: https://github.com/apache/shiro/commit/3708d7907016bf2fa12691dff6ff0def1249b8ce#diff-98f7bc5c0391389e56531f8b3754081aL139
@@ -36722,17 +36724,17 @@ CVE-2019-19419
RESERVED
CVE-2019-19418
RESERVED
-CVE-2019-19417
- RESERVED
-CVE-2019-19416
- RESERVED
-CVE-2019-19415
- RESERVED
+CVE-2019-19417 (The SIP module of some Huawei products have a denial of service (DoS) ...)
+ TODO: check
+CVE-2019-19416 (The SIP module of some Huawei products have a denial of service (DoS) ...)
+ TODO: check
+CVE-2019-19415 (The SIP module of some Huawei products have a denial of service (DoS) ...)
+ TODO: check
CVE-2019-19414 (There is an integer overflow vulnerability in LDAP server of some Huaw ...)
NOT-FOR-US: Huawei
CVE-2019-19413 (There is an integer overflow vulnerability in LDAP client of some Huaw ...)
NOT-FOR-US: Huawei
-CVE-2019-19412 (Some Huawei smart phones have a Factory Reset Protection (FRP) bypass ...)
+CVE-2019-19412 (Huawei smart phones have a Factory Reset Protection (FRP) bypass secur ...)
NOT-FOR-US: Huawei
CVE-2019-19411 (USG9500 with versions of V500R001C30SPC100, V500R001C30SPC200, V500R00 ...)
NOT-FOR-US: Huawei
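Review bot: CVE-2019-19417, CVE-2019-19416 and CVE-2019-19415 are added with byte-identical truncated descriptions ("The SIP module of some Huawei products have a denial of service (DoS) ..."), so the visible text cannot tell them apart; when resolving their `TODO: check` lines, confirm each against its full advisory rather than copying the result of the first, noting that the adjacent Huawei entries (CVE-2019-19414, CVE-2019-19413) are `NOT-FOR-US: Huawei`. The CVE-2019-19412 description also changed from "Some Huawei smart phones" to "Huawei smart phones", a broadening from the automated sync that does not affect its `NOT-FOR-US` state.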
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7449e14b5b83c2e3d87f3863f55f299a91b8359