[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Thu Jul 23 21:10:33 BST 2020
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
36396fc7 by security tracker role at 2020-07-23T20:10:26+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,21 @@
+CVE-2020-15917 (common/session.c in Claws Mail before 3.17.6 has a protocol violation ...)
+ TODO: check
+CVE-2020-15916 (goform/AdvSetLanip endpoint on Tenda AC15 AC1900 15.03.05.19 devices a ...)
+ TODO: check
+CVE-2020-15915
+ RESERVED
+CVE-2020-15914
+ RESERVED
+CVE-2020-15913
+ RESERVED
+CVE-2020-15912 (** DISPUTED ** Tesla Model 3 vehicles allow attackers to open a door b ...)
+ TODO: check
+CVE-2020-15911
+ RESERVED
+CVE-2020-15910
+ RESERVED
+CVE-2020-15909
+ RESERVED
CVE-2020-15908 (tar/TarFileReader.cpp in Cauldron cbang (aka C-Bang or C!) before 1.6. ...)
TODO: check
CVE-2020-15907
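Review bot: the three newly described entries in this hunk (CVE-2020-15917, CVE-2020-15916, CVE-2020-15912) are all left at "TODO: check" and need separate triage. CVE-2020-15917 names Claws Mail before 3.17.6, so it should get a claws-mail source package line with the fixed version once confirmed; the Tenda AC15 and Tesla Model 3 entries describe device firmware and a vehicle and look like NOT-FOR-US candidates.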
@@ -41,20 +59,20 @@ CVE-2020-15889 (Lua through 5.4.0 has a getobjname heap-based buffer over-read b
TODO: check
CVE-2020-15888 (Lua through 5.4.0 mishandles the interaction between stack resizes and ...)
TODO: check
-CVE-2020-15887
- RESERVED
-CVE-2020-15886
- RESERVED
-CVE-2020-15885
- RESERVED
-CVE-2020-15884
- RESERVED
-CVE-2020-15883
- RESERVED
-CVE-2020-15882
- RESERVED
-CVE-2020-15881
- RESERVED
+CVE-2020-15887 (A SQL injection vulnerability in softwareupdate_controller.php in the ...)
+ TODO: check
+CVE-2020-15886 (A SQL injection vulnerability in reportdata_controller.php in the repo ...)
+ TODO: check
+CVE-2020-15885 (A Cross-Site Scripting (XSS) vulnerability in the comment module befor ...)
+ TODO: check
+CVE-2020-15884 (A SQL injection vulnerability in TableQuery.php in MunkiReport before ...)
+ TODO: check
+CVE-2020-15883 (A Cross-Site Scripting (XSS) vulnerability in the managedinstalls modu ...)
+ TODO: check
+CVE-2020-15882 (A CSRF issue in manager/delete_machine/{id} in MunkiReport before 5.6. ...)
+ TODO: check
+CVE-2020-15881 (A Cross-Site Scripting (XSS) vulnerability in the munki_facts (aka Mun ...)
+ TODO: check
CVE-2020-15880
RESERVED
CVE-2020-15879 (Bitwarden Server 1.35.1 allows SSRF because it does not consider certa ...)
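Review bot: the seven entries CVE-2020-15881 through CVE-2020-15887 move from RESERVED to "TODO: check", but only CVE-2020-15884 and CVE-2020-15882 name MunkiReport inside the truncated description. Confirm from the full descriptions that the other five belong to the same product before triaging the block with a single decision.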
@@ -490,8 +508,8 @@ CVE-2020-15690
RESERVED
CVE-2020-15689 (Appweb before 7.2.2 and 8.x before 8.1.0, when built with CGI support, ...)
NOT-FOR-US: Appweb
-CVE-2020-15688
- RESERVED
+CVE-2020-15688 (GoAhead before 5.1.2 mishandles the nonce value during Digest authenti ...)
+ TODO: check
CVE-2020-15687
RESERVED
CVE-2019-20908 (An issue was discovered in drivers/firmware/efi/efi.c in the Linux ker ...)
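Review bot: CVE-2020-15688 (GoAhead) is left at "TODO: check" directly below CVE-2020-15689, which is already marked "NOT-FOR-US: Appweb". Check whether GoAhead is packaged and, if it is not, give it the matching NOT-FOR-US tag so the two adjacent entries are triaged consistently.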
@@ -8073,8 +8091,8 @@ CVE-2020-12640 (Roundcube Webmail before 1.4.4 allows attackers to include local
NOTE: https://roundcube.net/news/2020/04/29/security-updates-1.4.4-1.3.11-and-1.2.10
CVE-2020-12639 (phpList before 3.5.3 allows XSS, with resultant privilege elevation, v ...)
- phplist <itp> (bug #612288)
-CVE-2020-12638
- RESERVED
+CVE-2020-12638 (An encryption-bypass issue was discovered on Espressif ESP-IDF devices ...)
+ TODO: check
CVE-2020-12637 (Zulip Desktop before 5.2.0 has Missing SSL Certificate Validation beca ...)
NOT-FOR-US: Zulip Desktop
CVE-2018-21233 (TensorFlow before 1.7.0 has an integer overflow that causes an out-of- ...)
@@ -12250,8 +12268,8 @@ CVE-2020-11441 (** DISPUTED ** phpMyAdmin 5.0.2 allows CRLF injection, as demons
- phpmyadmin <undetermined>
[jessie] - phpmyadmin <not-affected> (The pma_error display code does not exist in this version)
NOTE: https://github.com/phpmyadmin/phpmyadmin/issues/16056
-CVE-2020-11440
- RESERVED
+CVE-2020-11440 (httpRpmFs in WebCLI in Wind River VxWorks 5.5 through 7 SR0640 has no ...)
+ TODO: check
CVE-2020-11439 (LibreHealth EMR v2.0.0 is affected by a Local File Inclusion issue all ...)
NOT-FOR-US: LibreHealth EMR
CVE-2020-11438 (LibreHealth EMR v2.0.0 is affected by systemic CSRF. ...)
@@ -13641,16 +13659,16 @@ CVE-2020-10924
RESERVED
CVE-2020-10923
RESERVED
-CVE-2020-10922
- RESERVED
-CVE-2020-10921
- RESERVED
-CVE-2020-10920
- RESERVED
-CVE-2020-10919
- RESERVED
-CVE-2020-10918
- RESERVED
+CVE-2020-10922 (This vulnerability allows remote attackers to create a denial-of-servi ...)
+ TODO: check
+CVE-2020-10921 (This vulnerability allows remote attackers to issue commands on affect ...)
+ TODO: check
+CVE-2020-10920 (This vulnerability allows remote attackers to execute arbitrary code o ...)
+ TODO: check
+CVE-2020-10919 (This vulnerability allows remote attackers to disclose sensitive infor ...)
+ TODO: check
+CVE-2020-10918 (This vulnerability allows remote attackers to bypass authentication on ...)
+ TODO: check
CVE-2020-10917 (This vulnerability allows remote attackers to execute arbitrary code o ...)
TODO: check
CVE-2020-10916 (This vulnerability allows network-adjacent attackers to escalate privi ...)
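Review bot: the five descriptions added for CVE-2020-10918 through CVE-2020-10922 are cut off before the product name ("This vulnerability allows remote attackers to ..."), so none of them can be triaged from this list alone. Read the full CVE text for each before replacing "TODO: check"; the unchanged CVE-2020-10917 below is in the same state.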
@@ -19642,8 +19660,7 @@ CVE-2020-8558
- kubernetes 1.18.5-1
NOTE: Issue: https://github.com/kubernetes/kubernetes/issues/90259
NOTE: Upstream fix: https://github.com/kubernetes/kubernetes/pull/91569
-CVE-2020-8557
- RESERVED
+CVE-2020-8557 (The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17. ...)
- kubernetes 1.18.5-1
NOTE: https://github.com/kubernetes/kubernetes/issues/93032
NOTE: https://github.com/kubernetes/kubernetes/pull/92916
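Review bot: in CVE-2020-8557 the package line "- kubernetes 1.18.5-1" was already present while the entry was RESERVED and is kept unchanged now that the description is published. The affected ranges are truncated here ("1.1-1.16.12, 1.17.0-1.17. ..."), so re-check the fixed version against the full description and the linked pull request 92916.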
@@ -29797,8 +29814,8 @@ CVE-2020-4449 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 tradition
NOT-FOR-US: IBM
CVE-2020-4448 (IBM WebSphere Application Server Network Deployment 7.0, 8.0, 8.5, and ...)
NOT-FOR-US: IBM
-CVE-2020-4447
- RESERVED
+CVE-2020-4447 (IBM FileNet Content Manager 5.5.3 and 5.5.4 is vulnerable to cross-sit ...)
+ TODO: check
CVE-2020-4446 (IBM Business Process Manager 8.0, 8.5, and 8.6 and IBM Business Automa ...)
NOT-FOR-US: IBM
CVE-2020-4445
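Review bot: CVE-2020-4447 (IBM FileNet Content Manager) is left at "TODO: check" while the neighbouring CVE-2020-4449, CVE-2020-4448 and CVE-2020-4446 all carry "NOT-FOR-US: IBM". The same tag looks applicable here.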
@@ -50701,7 +50718,7 @@ CVE-2018-21010 (OpenJPEG before 2.3.1 has a heap buffer overflow in color_apply_
[stretch] - openjpeg2 2.1.2-1.1+deb9u4
NOTE: https://github.com/uclouvain/openjpeg/commit/2e5ab1d9987831c981ff05862e8ccf1381ed58ea
CVE-2018-21009 (Poppler before 0.66.0 has an integer overflow in Parser::makeStream in ...)
- {DLA-1939-1}
+ {DLA-2287-1 DLA-1939-1}
- poppler 0.69.0-2
NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/0868c499a9f5f37f8df5c9fef03c37496b40fc8a
CVE-2018-21008 (An issue was discovered in the Linux kernel before 4.16.7. A use-after ...)
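Review bot: "DLA-2287-1" is added to the cross-reference line of CVE-2018-21009 here and to seven more poppler entries in the later hunks, but the commit changes only data/CVE/list, so the advisory record itself is not visible in this patch. Confirm that the CVE set recorded for DLA-2287-1 matches exactly these eight entries.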
@@ -63153,7 +63170,7 @@ CVE-2019-12295 (In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14
CVE-2019-12294
RESERVED
CVE-2019-12293 (In Poppler through 0.76.1, there is a heap-based buffer over-read in J ...)
- {DLA-1815-1}
+ {DLA-2287-1 DLA-1815-1}
- poppler 0.71.0-5 (bug #929423)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/768
NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/89a5367d49b2556a2635dbb6d48d6a6b182a2c6c
@@ -66153,8 +66170,8 @@ CVE-2019-11254 (The Kubernetes API Server component in versions 1.1-1.14, and ve
CVE-2019-11253 (Improper input validation in the Kubernetes API server in versions v1. ...)
- kubernetes 1.17.4-1
NOTE: https://github.com/kubernetes/kubernetes/issues/83253
-CVE-2019-11252
- RESERVED
+CVE-2019-11252 (The Kubernetes kube-controller-manager in versions v1.0-v1.17 is vulne ...)
+ TODO: check
CVE-2019-11251 (The Kubernetes kubectl cp command in versions 1.1-1.12, and versions p ...)
- kubernetes <not-affected> (Vulnerable code not present)
CVE-2019-11250 (The Kubernetes client-go library logs request headers at verbosity lev ...)
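Review bot: CVE-2019-11252 is left at "TODO: check" although the adjacent Kubernetes entries already track a source package ("- kubernetes 1.17.4-1", "- kubernetes <not-affected>"). This entry needs a kubernetes package line with its status rather than a NOT-FOR-US tag; the visible part of the description gives the affected range as v1.0-v1.17.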
@@ -67277,7 +67294,7 @@ CVE-2019-10873 (An issue was discovered in Poppler 0.74.0. There is a NULL point
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/748
NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/8dbe2e6c480405dab9347075cf4be626f90f1d05
CVE-2019-10872 (An issue was discovered in Poppler 0.74.0. There is a heap-based buffe ...)
- {DLA-1815-1}
+ {DLA-2287-1 DLA-1815-1}
- poppler 0.71.0-5 (low; bug #926530)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/750
NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/6a1580e84f492b5671d23be98192267bb73de250
@@ -71736,7 +71753,7 @@ CVE-2019-9633 (gio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a p
CVE-2019-9632 (ESAFENET CDG V3 and V5 has an arbitrary file download vulnerability vi ...)
NOT-FOR-US: ESAFENET CDG
CVE-2019-9631 (Poppler 0.74.0 has a heap-based buffer over-read in the CairoRescaleBo ...)
- {DLA-1752-1}
+ {DLA-2287-1 DLA-1752-1}
- poppler 0.71.0-4 (bug #926673)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/736
NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/8122f6d6d409b53151a20c5578fc525ee97315e8
@@ -72911,7 +72928,7 @@ CVE-2019-9202 (Nagios IM (component of Nagios XI) before 2.2.7 allows authentica
CVE-2019-9201 (Phoenix Contact ILC 131 ETH, ILC 131 ETH/XC, ILC 151 ETH, ILC 151 ETH/ ...)
NOT-FOR-US: Phoenix Contact ILC
CVE-2019-9200 (A heap-based buffer underwrite exists in ImageStream::getLine() locate ...)
- {DLA-1706-1}
+ {DLA-2287-1 DLA-1706-1}
- poppler 0.71.0-4 (bug #923414)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/728
NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/f4136a6353162db249f63ddb0f20611622ab61b4
@@ -87955,7 +87972,7 @@ CVE-2018-20482 (GNU Tar through 1.30, when --sparse is used, mishandles file shr
NOTE: https://lists.gnu.org/archive/html/bug-tar/2018-12/msg00023.html
NOTE: Fixed by https://git.savannah.gnu.org/cgit/tar.git/commit/?id=c15c42c
CVE-2018-20481 (XRef::getEntry in XRef.cc in Poppler 0.72.0 mishandles unallocated XRe ...)
- {DLA-1706-1}
+ {DLA-2287-1 DLA-1706-1}
- poppler 0.71.0-4 (low; bug #917325)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/692
NOTE: Proposed fix: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/143
@@ -105765,7 +105782,7 @@ CVE-2018-16647 (In Artifex MuPDF 1.13.0, the pdf_get_xref_entry function in pdf/
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699686
NOTE: http://www.ghostscript.com/cgi-bin/findgit.cgi?351c99d8ce23bbf7099dbd52771a095f67e45a2c
CVE-2018-16646 (In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may caus ...)
- {DLA-1562-3 DLA-1562-2 DLA-1562-1}
+ {DLA-2287-1 DLA-1562-3 DLA-1562-2 DLA-1562-1}
- poppler 0.71.0-4 (low; bug #909802)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1622951
NOTE: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/91
@@ -120959,7 +120976,7 @@ CVE-2018-10947 (An issue was discovered in versions earlier than 1.3.2 for Polyc
CVE-2018-10946 (An issue was discovered in versions earlier than 1.3.0-66872 for Polyc ...)
NOT-FOR-US: Polycom
CVE-2017-18267 (The FoFiType1C::cvtGlyph function in fofi/FoFiType1C.cc in Poppler thr ...)
- {DLA-1562-1}
+ {DLA-2287-1 DLA-1562-1}
[experimental] - poppler 0.65.0-1
- poppler 0.69.0-2 (bug #898357)
[wheezy] - poppler <ignored> (Minor issue)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/36396fc7377860414732af7251b81d24352a4a09