[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Mon May 4 21:10:28 BST 2020
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
53e2cfed by security tracker role at 2020-05-04T20:10:19+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,17 @@
+CVE-2020-12642 (An issue was discovered in service-api before 4.3.12 and 5.x before 5. ...)
+ TODO: check
+CVE-2020-12641 (rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to ...)
+ TODO: check
+CVE-2020-12640 (Roundcube Webmail before 1.4.4 allows attackers to include local files ...)
+ TODO: check
+CVE-2020-12639 (phpList before 3.5.3 allows XSS, with resultant privilege elevation, v ...)
+ TODO: check
+CVE-2020-12638
+ RESERVED
+CVE-2020-12637
+ RESERVED
+CVE-2018-21233 (TensorFlow before 1.7.0 has an integer overflow that causes an out-of- ...)
+ TODO: check
CVE-2020-12636
RESERVED
CVE-2020-12635
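Review bot: CVE-2018-21233 (TensorFlow) is left at "TODO: check" in this hunk, while the other TensorFlow entries in this same file (CVE-2018-7576, CVE-2018-7575 near the end of the patch) already carry `- tensorflow <itp> (bug #804612)`; the triage can reuse that ITP line rather than a bare TODO.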
@@ -12,8 +26,8 @@ CVE-2020-12631
RESERVED
CVE-2020-12630
RESERVED
-CVE-2020-12629
- RESERVED
+CVE-2020-12629 (include/class.sla.php in osTicket before 1.14.2 allows XSS via the SLA ...)
+ TODO: check
CVE-2020-12628
RESERVED
CVE-2020-12627 (Calibre-Web 0.6.6 allows authentication bypass because of the 'A0Zr98j ...)
@@ -316,8 +330,8 @@ CVE-2020-12477 (The REST API functions in TeamPass 2.1.27.36 allow any user with
- teampass <itp> (bug #730180)
CVE-2020-12476
RESERVED
-CVE-2020-12475
- RESERVED
+CVE-2020-12475 (TP-Link Omada Controller Software 3.2.6 allows Directory Traversal for ...)
+ TODO: check
CVE-2020-12474 (Telegram Desktop through 2.0.1, Telegram through 6.0.1 for Android, an ...)
TODO: check
CVE-2020-12473 (MonoX through 5.1.40.5152 allows admins to execute arbitrary programs ...)
@@ -820,7 +834,7 @@ CVE-2020-12272 (OpenDMARC through 1.3.2 and 1.4.x allows attacks that inject aut
NOTE: https://www.usenix.org/system/files/sec20fall_chen-jianjun_prepub_0.pdf
CVE-2020-12271 (A SQL injection issue was found in SFOS 17.0, 17.1, 17.5, and 18.0 bef ...)
NOT-FOR-US: SFOS
-CVE-2020-12270 (React Native Bluetooth Scan in Bluezone 1.0.0 uses six-character alpha ...)
+CVE-2020-12270 (** DISPUTED ** React Native Bluetooth Scan in Bluezone 1.0.0 uses six- ...)
NOT-FOR-US: Bluezone
CVE-2020-12269
RESERVED
@@ -1146,20 +1160,19 @@ CVE-2020-12116
RESERVED
CVE-2020-12115
RESERVED
-CVE-2020-12114 [fs/namespace.c: fix mountpoint reference counter race]
- RESERVED
+CVE-2020-12114 (A pivot_root race condition in fs/namespace.c in the Linux kernel 4.4. ...)
- linux 5.3.7-1
NOTE: https://www.openwall.com/lists/oss-security/2020/05/04/2
CVE-2020-12113 (BigBlueButton before 2.2.4 allows XSS via closed captions because dang ...)
NOT-FOR-US: BigBlueButton
CVE-2020-12112 (BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive ...)
NOT-FOR-US: BigBlueButton
-CVE-2020-12111
- RESERVED
-CVE-2020-12110
- RESERVED
-CVE-2020-12109
- RESERVED
+CVE-2020-12111 (Certain TP-Link devices allow Command Injection. This affects NC260 1. ...)
+ TODO: check
+CVE-2020-12110 (Certain TP-Link devices have a Hardcoded Encryption Key. This affects ...)
+ TODO: check
+CVE-2020-12109 (Certain TP-Link devices allow Command Injection. This affects NC200 2. ...)
+ TODO: check
CVE-2020-12108
RESERVED
CVE-2020-12107
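Review bot: the three new TP-Link entries (CVE-2020-12111, CVE-2020-12110, CVE-2020-12109) are left at "TODO: check", while CVE-2020-11445 (TP-Link cloud cameras) in a later hunk of this same patch is marked `NOT-FOR-US: TP-Link`; after confirming the affected NC-series devices are not shipped as a Debian package, the same `NOT-FOR-US: TP-Link` line would be the consistent triage. For CVE-2020-12114 the local `[fs/namespace.c: fix mountpoint reference counter race]` description is replaced by the official one and the `- linux 5.3.7-1` fixed-version line is retained, which is correct, but the version should be rechecked against the kernel range the official text names before the TODO-free entry is taken as final.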
@@ -2005,14 +2018,14 @@ CVE-2017-18776 (Certain NETGEAR devices are affected by authentication bypass. T
NOT-FOR-US: Netgear
CVE-2017-18775 (Certain NETGEAR devices are affected by CSRF. This affects R6100 befor ...)
NOT-FOR-US: Netgear
-CVE-2017-18774
- RESERVED
+CVE-2017-18774 (Certain NETGEAR devices are affected by incorrect configuration of sec ...)
+ TODO: check
CVE-2017-18773 (Certain NETGEAR devices are affected by command injection by an authen ...)
NOT-FOR-US: Netgear
CVE-2017-18772 (Certain NETGEAR devices are affected by authentication bypass. This af ...)
NOT-FOR-US: Netgear
-CVE-2017-18771
- RESERVED
+CVE-2017-18771 (Certain NETGEAR devices are affected by stored XSS. This affects R9000 ...)
+ TODO: check
CVE-2017-18770 (Certain NETGEAR devices are affected by a buffer overflow by an authen ...)
NOT-FOR-US: Netgear
CVE-2017-18769 (Certain NETGEAR devices are affected by an attacker's ability to read ...)
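Review bot: CVE-2017-18774 and CVE-2017-18771 are left at "TODO: check" although every neighbouring NETGEAR entry in this hunk (CVE-2017-18775, CVE-2017-18773, CVE-2017-18772, CVE-2017-18770) is `NOT-FOR-US: Netgear`; the same applies to CVE-2017-18760 and CVE-2017-18753 in the two following hunks. Unless the descriptions name something other than NETGEAR firmware, `NOT-FOR-US: Netgear` is the expected resolution and the TODOs can be closed together.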
@@ -2033,8 +2046,8 @@ CVE-2017-18762 (Certain NETGEAR devices are affected by command injection by an
NOT-FOR-US: Netgear
CVE-2017-18761 (NETGEAR R8000 devices before 1.0.4.2 are affected by a stack-based buf ...)
NOT-FOR-US: Netgear
-CVE-2017-18760
- RESERVED
+CVE-2017-18760 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
+ TODO: check
CVE-2017-18759 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
NOT-FOR-US: Netgear
CVE-2017-18758 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
@@ -2047,8 +2060,8 @@ CVE-2017-18755 (Certain NETGEAR devices are affected by CSRF. This affects R6300
NOT-FOR-US: Netgear
CVE-2017-18754 (Certain NETGEAR devices are affected by command injection by an authen ...)
NOT-FOR-US: Netgear
-CVE-2017-18753
- RESERVED
+CVE-2017-18753 (Certain NETGEAR devices are affected by a buffer overflow by an unauth ...)
+ TODO: check
CVE-2017-18752 (Certain NETGEAR devices are affected by an attacker's ability to read ...)
NOT-FOR-US: Netgear
CVE-2017-18751 (Certain NETGEAR devices are affected by a stack-based buffer overflow ...)
@@ -2405,8 +2418,8 @@ CVE-2020-11844
RESERVED
CVE-2020-11843
RESERVED
-CVE-2020-11842
- RESERVED
+CVE-2020-11842 (Information disclosure vulnerability in Micro Focus Verastream Host In ...)
+ TODO: check
CVE-2020-11841
RESERVED
CVE-2020-11840
@@ -3101,8 +3114,8 @@ CVE-2020-11673 (An issue was discovered in the Responsive Poll through 1.3.4 for
NOT-FOR-US: Responsive Poll for WordPress
CVE-2020-11672
RESERVED
-CVE-2020-11671
- RESERVED
+CVE-2020-11671 (Lack of authorization controls in REST API functions in TeamPass throu ...)
+ TODO: check
CVE-2020-11670
RESERVED
CVE-2020-11669 (An issue was discovered in the Linux kernel before 5.2 on the powerpc ...)
@@ -3883,8 +3896,8 @@ CVE-2020-11464 (An issue was discovered in Deskpro before 2019.8.0. The /api/peo
NOT-FOR-US: Deskpro
CVE-2020-11463 (An issue was discovered in Deskpro before 2019.8.0. The /api/email_acc ...)
NOT-FOR-US: Deskpro
-CVE-2020-11462
- RESERVED
+CVE-2020-11462 (An issue was discovered in OpenVPN Access Server before 2.7.0 and 2.8. ...)
+ TODO: check
CVE-2020-11461
RESERVED
CVE-2020-11460
@@ -3921,8 +3934,8 @@ CVE-2020-11445 (TP-Link cloud cameras through 2020-02-09 allow remote attackers
NOT-FOR-US: TP-Link
CVE-2020-11444 (Sonatype Nexus Repository Manager 3.x up to and including 3.21.2 has I ...)
NOT-FOR-US: Sonatype Nexus Repository Manager
-CVE-2020-11443
- RESERVED
+CVE-2020-11443 (The MSI installer in Zoom before 4.6.10 on Windows follows Symbolic Li ...)
+ TODO: check
CVE-2020-11442
RESERVED
CVE-2020-11441 (** DISPUTED ** phpMyAdmin 5.0.2 allows CRLF injection, as demonstrated ...)
@@ -5092,8 +5105,8 @@ CVE-2020-10935 (Zulip Server before 2.1.3 allows XSS via a Markdown link, with r
- zulip-server <itp> (bug #800052)
CVE-2020-10934 (Acyba AcyMailing before 6.9.2 mishandles file uploads by admins. ...)
NOT-FOR-US: Acyba AcyMailing
-CVE-2020-10933
- RESERVED
+CVE-2020-10933 (An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6 ...)
+ TODO: check
CVE-2020-10932 (An issue was discovered in Arm Mbed TLS before 2.16.6 and 2.7.x before ...)
- mbedtls <unfixed>
NOTE: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released
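Review bot: CVE-2020-10933 names the Ruby interpreter itself (2.5.x through 2.5.7, 2.6.x) rather than a third-party product, so unlike the `NOT-FOR-US` entries around it this one needs a source package line with a fixed or `<unfixed>` version, in the form the CVE-2020-10932 entry directly below uses for mbedtls; the "TODO: check" should not be closed as NOT-FOR-US.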
@@ -5242,8 +5255,8 @@ CVE-2020-10878
RESERVED
CVE-2020-10877
RESERVED
-CVE-2020-10876
- RESERVED
+CVE-2020-10876 (The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlo ...)
+ TODO: check
CVE-2020-10875 (Motorola FX9500 devices allow remote attackers to conduct absolute pat ...)
NOT-FOR-US: Motorola devices
CVE-2020-10874 (Motorola FX9500 devices allow remote attackers to read database files. ...)
@@ -6152,16 +6165,16 @@ CVE-2020-10624
RESERVED
CVE-2020-10623 (Multiple vulnerabilities could allow an attacker with low privileges t ...)
NOT-FOR-US: WebAccess/NMS
-CVE-2020-10622
- RESERVED
+CVE-2020-10622 (LCDS LAquis SCADA Versions 4.3.1 and prior. The affected product is vu ...)
+ TODO: check
CVE-2020-10621 (Multiple issues exist that allow files to be uploaded and executed on ...)
NOT-FOR-US: WebAccess/NMS
CVE-2020-10620
RESERVED
CVE-2020-10619 (An attacker could use a specially crafted URL to delete files outside ...)
NOT-FOR-US: WebAccess/NMS
-CVE-2020-10618
- RESERVED
+CVE-2020-10618 (LCDS LAquis SCADA Versions 4.3.1 and prior. The affected product is vu ...)
+ TODO: check
CVE-2020-10617 (There are multiple ways an unauthenticated attacker could perform SQL ...)
NOT-FOR-US: WebAccess/NMS
CVE-2020-10616
@@ -7102,8 +7115,8 @@ CVE-2019-20503 (usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_a
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-08/#CVE-2019-20503
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1992
NOTE: https://github.com/sctplab/usrsctp/commit/790a7a2555aefb392a5a69923f1e9d17b4968467
-CVE-2020-10187
- RESERVED
+CVE-2020-10187 (Doorkeeper version 5.0.0 and later contains an information disclosure ...)
+ TODO: check
CVE-2020-10186
RESERVED
CVE-2020-10185 (The sync endpoint in YubiKey Validation Server before 2.40 allows remo ...)
@@ -10057,8 +10070,8 @@ CVE-2020-8898
RESERVED
CVE-2020-8897
RESERVED
-CVE-2020-8896
- RESERVED
+CVE-2020-8896 (A Buffer Overflow vulnerability in the khcrypt implementation in Googl ...)
+ TODO: check
CVE-2020-8895 (A vulnerability in the windows installer of Google Earth Pro versions ...)
NOT-FOR-US: windows installer of Google Earth Pro
CVE-2020-8894 (An issue was discovered in MISP before 2.4.121. ACLs for discussion th ...)
@@ -10347,12 +10360,12 @@ CVE-2020-8793 (OpenSMTPD before 6.6.4 allows local users to read arbitrary files
NOTE: https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/021_smtpd_envelope.patch.sig
NOTE: https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/
NOTE: Neutralised by kernel hardening
-CVE-2020-8792
- RESERVED
-CVE-2020-8791
- RESERVED
-CVE-2020-8790
- RESERVED
+CVE-2020-8792 (The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlo ...)
+ TODO: check
+CVE-2020-8791 (The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlo ...)
+ TODO: check
+CVE-2020-8790 (The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlo ...)
+ TODO: check
CVE-2020-8789
RESERVED
CVE-2020-8788 (Synaptive Medical ClearCanvas ImageServer 3.0 Alpha allows XSS (and HT ...)
@@ -12058,8 +12071,8 @@ CVE-2020-8020
RESERVED
CVE-2020-8019
RESERVED
-CVE-2020-8018
- RESERVED
+CVE-2020-8018 (A Incorrect Default Permissions vulnerability in the SLES15-SP1-CHOST- ...)
+ TODO: check
CVE-2020-8017 (A Race Condition Enabling Link Following vulnerability in the cron job ...)
NOT-FOR-US: SuSE packaging of TexLive
CVE-2020-8016 (A Race Condition Enabling Link Following vulnerability in the packagin ...)
@@ -18335,8 +18348,8 @@ CVE-2020-5345
RESERVED
CVE-2020-5344 (Dell EMC iDRAC7, iDRAC8 and iDRAC9 versions prior to 2.65.65.65, 2.70. ...)
NOT-FOR-US: EMC
-CVE-2020-5343
- RESERVED
+CVE-2020-5343 (Dell Client platforms restored using a Dell OS recovery image download ...)
+ TODO: check
CVE-2020-5342 (Dell Digital Delivery versions prior to 3.5.2015 contain an incorrect ...)
NOT-FOR-US: Dell
CVE-2020-5341
@@ -18347,20 +18360,20 @@ CVE-2020-5339 (RSA Authentication Manager versions prior to 8.4 P10 contain a st
NOT-FOR-US: RSA Authentication Manager
CVE-2020-5338
RESERVED
-CVE-2020-5337
- RESERVED
-CVE-2020-5336
- RESERVED
-CVE-2020-5335
- RESERVED
-CVE-2020-5334
- RESERVED
-CVE-2020-5333
- RESERVED
-CVE-2020-5332
- RESERVED
-CVE-2020-5331
- RESERVED
+CVE-2020-5337 (RSA Archer, versions prior to 6.7 P1 (6.7.0.1), contain a URL redirect ...)
+ TODO: check
+CVE-2020-5336 (RSA Archer, versions prior to 6.7 P1 (6.7.0.1), contain a URL injectio ...)
+ TODO: check
+CVE-2020-5335 (RSA Archer, versions prior to 6.7 P2 (6.7.0.2), contain a cross-site r ...)
+ TODO: check
+CVE-2020-5334 (RSA Archer, versions prior to 6.7 P2 (6.7.0.2), contains a Document Ob ...)
+ TODO: check
+CVE-2020-5333 (RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain an authorizati ...)
+ TODO: check
+CVE-2020-5332 (RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain a command inje ...)
+ TODO: check
+CVE-2020-5331 (RSA Archer, versions prior to 6.7 P3 (6.7.0.3), contain an information ...)
+ TODO: check
CVE-2020-5330 (Dell EMC Networking X-Series firmware versions 3.0.1.2 and older, Dell ...)
NOT-FOR-US: EMC
CVE-2020-5329
@@ -21186,8 +21199,8 @@ CVE-2020-4211 (IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote
NOT-FOR-US: IBM
CVE-2020-4210 (IBM Spectrum Protect Plus 10.1.0 and 10.1.5 could allow a remote attac ...)
NOT-FOR-US: IBM
-CVE-2020-4209
- RESERVED
+CVE-2020-4209 (IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote a ...)
+ TODO: check
CVE-2020-4208 (IBM Spectrum Protect Plus 10.1.0 through 10.1.5 contains hard-coded cr ...)
NOT-FOR-US: IBM
CVE-2020-4207 (IBM Watson IoT Message Gateway 2.0.0.x, 5.0.0.0, 5.0.0.1, and 5.0.0.2 ...)
@@ -27753,13 +27766,11 @@ CVE-2020-1963
RESERVED
CVE-2020-1962
RESERVED
-CVE-2020-1961
- RESERVED
+CVE-2020-1961 (Vulnerability to Server-Side Template Injection on Mail templates for ...)
NOT-FOR-US: Apache Syncope
CVE-2020-1960
RESERVED
-CVE-2020-1959
- RESERVED
+CVE-2020-1959 (A Server-Side Template Injection was identified in Apache Syncope prio ...)
NOT-FOR-US: Apache Syncope
CVE-2020-1958 (When LDAP authentication is enabled in Apache Druid 0.17.0, callers of ...)
- druid <itp> (bug #825797)
@@ -28758,8 +28769,7 @@ CVE-2020-1733 (A race condition flaw was found in Ansible Engine 2.7.17 and prio
NOTE: https://github.com/ansible/ansible/issues/67791
NOTE: https://github.com/ansible/ansible/pull/68921
NOTE: https://github.com/ansible/ansible/commit/8077d8e40148fe77e2393caa5f2b2ea855149d63
-CVE-2020-1732
- RESERVED
+CVE-2020-1732 (A flaw was found in Soteria before 1.0.1, in a way that multiple reque ...)
- wildfly <itp> (bug #752018)
CVE-2020-1731 (A flaw was found in all versions of the Keycloak operator, before vers ...)
NOT-FOR-US: Keycloak
@@ -30665,8 +30675,8 @@ CVE-2020-1633 (Due to a new NDP proxy feature for EVPN leaf nodes introduced in
NOT-FOR-US: Juniper
CVE-2020-1632 (In a certain condition, receipt of a specific BGP UPDATE message might ...)
NOT-FOR-US: Juniper
-CVE-2020-1631
- RESERVED
+CVE-2020-1631 (A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentic ...)
+ TODO: check
CVE-2020-1630 (A privilege escalation vulnerability in Juniper Networks Junos OS devi ...)
NOT-FOR-US: Juniper
CVE-2020-1629 (A race condition vulnerability on Juniper Network Junos OS devices may ...)
@@ -36796,8 +36806,8 @@ CVE-2019-17558 (Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remot
NOTE: https://issues.apache.org/jira/browse/SOLR-13971
NOTE: https://issues.apache.org/jira/browse/SOLR-14025
TODO: check, whilst the advisory claims 5.0.0 upwards only the SolrParamResourceLoader might be of issue already earlier?
-CVE-2019-17557
- RESERVED
+CVE-2019-17557 (It was found that the Apache Syncope EndUser UI login page prio to 2.0 ...)
+ TODO: check
CVE-2019-17556 (Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService clas ...)
NOT-FOR-US: Olingo
CVE-2019-17555 (The AsyncResponseWrapperImpl class in Apache Olingo versions 4.0.0 to ...)
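Review bot: CVE-2019-17557 (Apache Syncope EndUser UI) is left at "TODO: check" while the two other Syncope entries added by this same patch (CVE-2020-1961, CVE-2020-1959) go straight to `NOT-FOR-US: Apache Syncope`; the triage should be made consistent across the three.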
@@ -51073,8 +51083,8 @@ CVE-2019-13287 (In Xpdf 4.01.01, there is an out-of-bounds read vulnerability in
- xpdf <not-affected> (xpdf in Debian uses poppler, which is fixed)
CVE-2019-13286 (In Xpdf 4.01.01, there is a heap-based buffer over-read in the functio ...)
- xpdf <not-affected> (xpdf in Debian uses poppler, which is fixed)
-CVE-2019-13285
- RESERVED
+CVE-2019-13285 (CoSoSys Endpoint Protector 5.1.0.2 allows Host Header Injection. ...)
+ TODO: check
CVE-2019-13284
RESERVED
CVE-2019-13283 (In Xpdf 4.01.01, a heap-based buffer over-read could be triggered in s ...)
@@ -52286,8 +52296,8 @@ CVE-2012-6711 (A heap-based buffer overflow exists in GNU Bash before 4.3 when w
- bash 4.3-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1721071
NOTE: https://git.savannah.gnu.org/cgit/bash.git/commit/?h=devel&id=863d31ae775d56b785dc5b0105b6d251515d81d5 (bash-4.3-alpha)
-CVE-2019-12864
- RESERVED
+CVE-2019-12864 (SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4) is vuln ...)
+ TODO: check
CVE-2019-12863 (SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4) allows ...)
NOT-FOR-US: SolarWinds
CVE-2019-12862
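Review bot: CVE-2019-12864 is left at "TODO: check" although it names exactly the same product and version string ("SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4)") as CVE-2019-12863 immediately below, which is `NOT-FOR-US: SolarWinds`; the same marker applies here.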
@@ -54993,8 +55003,8 @@ CVE-2019-11825 (Cross-site scripting (XSS) vulnerability in Event Editor in Syno
NOT-FOR-US: Synology
CVE-2019-11824
RESERVED
-CVE-2019-11823
- RESERVED
+CVE-2019-11823 (CRLF injection vulnerability in Network Center in Synology Router Mana ...)
+ TODO: check
CVE-2019-11822 (Relative path traversal vulnerability in SYNO.PhotoStation.File in Syn ...)
NOT-FOR-US: Synology
CVE-2019-11821 (SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Pho ...)
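Review bot: CVE-2019-11823 (Synology Router Manager) is left at "TODO: check" while the surrounding Synology entries (CVE-2019-11825, CVE-2019-11822, CVE-2019-11821) are `NOT-FOR-US: Synology`; unless the description points at a packaged component, it should be closed the same way.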
@@ -120532,7 +120542,8 @@ CVE-2018-7576 (Google TensorFlow 1.6.x and earlier is affected by: Null Pointer
- tensorflow <itp> (bug #804612)
CVE-2018-7575 (Google TensorFlow 1.7.x and earlier is affected by a Buffer Overflow v ...)
- tensorflow <itp> (bug #804612)
-CVE-2018-7574 (Google TensorFlow 1.6.x and earlier is affected by a Null Pointer Dere ...)
+CVE-2018-7574
+ REJECTED
- tensorflow <itp> (bug #804612)
CVE-2018-7573 (An issue was discovered in FTPShell Client 6.7. A remote FTP server ca ...)
NOT-FOR-US: FTPShell Client
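Review bot: CVE-2018-7574 is switched to `REJECTED`, but the `- tensorflow <itp> (bug #804612)` line beneath it is kept as unchanged context. The RESERVED entries throughout this file carry no package line, so it is worth checking whether the tracker expects a rejected CVE to keep its package mapping or whether that line should be dropped in a follow-up commit.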
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53e2cfedac6b65f43f91ee7ec9480821cc5d0516