[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Wed May 6 09:10:25 BST 2020
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c8c47940 by security tracker role at 2020-05-06T08:10:18+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,25 @@
+CVE-2020-12672 (GraphicsMagick through 1.3.35 has a heap-based buffer overflow in Read ...)
+ TODO: check
+CVE-2020-12671
+ RESERVED
+CVE-2020-12670
+ RESERVED
+CVE-2020-12669
+ RESERVED
+CVE-2020-12668
+ RESERVED
+CVE-2020-12667
+ RESERVED
+CVE-2020-12666 (macaron before 1.3.7 has an open redirect in the static handler, as de ...)
+ TODO: check
+CVE-2020-12665
+ RESERVED
+CVE-2020-12664
+ RESERVED
+CVE-2020-12663
+ RESERVED
+CVE-2020-12662
+ RESERVED
CVE-2017-18867 (Certain NETGEAR devices are affected by incorrect configuration of sec ...)
NOT-FOR-US: Netgear
CVE-2017-18866 (Certain NETGEAR devices are affected by stored XSS. This affects R9000 ...)
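Review bot: CVE-2020-12672 (GraphicsMagick through 1.3.35, heap-based buffer overflow) is left at `TODO: check`, but graphicsmagick is a tracked source package in this very file (the CVE-2020-10938 and CVE-2019-12921 entries further down carry `- graphicsmagick ...` package lines and the DSA-4675-1 reference added in this same update), so this entry needs a `- graphicsmagick <unfixed>` or fixed-version line plus an upstream NOTE once triaged rather than staying a TODO. The other new entry with text, CVE-2020-12666 (macaron open redirect), also needs a triage decision; the rest are RESERVED placeholders.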
@@ -434,8 +456,8 @@ CVE-2020-12465 (An array overflow was discovered in mt76_add_fragment in drivers
CVE-2020-12464 (usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before ...)
- linux <unfixed>
NOTE: https://git.kernel.org/linus/056ad39ee9253873522f6469c3364964a322912b (5.7-rc3)
-CVE-2020-12463
- RESERVED
+CVE-2020-12463 (An elevation of privilege vulnerability exists in Avira Software Updat ...)
+ TODO: check
CVE-2020-12462 (The ninja-forms plugin before 3.4.24.2 for WordPress allows CSRF with ...)
NOT-FOR-US: ninja-forms plugin for WordPress
CVE-2020-12461 (PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has an in ...)
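Review bot: CVE-2020-12463 (Avira Software Updater elevation of privilege) replaces a RESERVED placeholder but is marked `TODO: check`; Avira Software Updater is proprietary vendor software with no Debian source package, so this should resolve to `NOT-FOR-US: Avira`, as the surrounding vendor entries (ninja-forms plugin, PHP-Fusion) already do.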
@@ -484,8 +506,8 @@ CVE-2020-12441
RESERVED
CVE-2020-12440
RESERVED
-CVE-2020-12439
- RESERVED
+CVE-2020-12439 (Grin before 3.1.0 allows attackers to adversely affect availability of ...)
+ TODO: check
CVE-2020-12438 (An XSS vulnerability exists in the banners.php page of PHP-Fusion 9.03 ...)
NOT-FOR-US: PHP-Fusion
CVE-2020-12437
@@ -1206,12 +1228,12 @@ CVE-2020-12146
RESERVED
CVE-2020-12145
RESERVED
-CVE-2020-12144
- RESERVED
-CVE-2020-12143
- RESERVED
-CVE-2020-12142
- RESERVED
+CVE-2020-12144 (Details The certificate used to identify the Silver Peak Cloud Portal ...)
+ TODO: check
+CVE-2020-12143 (Summary - The certificate used to identify Orchestrator to EdgeConnect ...)
+ TODO: check
+CVE-2020-12142 (a. IPSec UDP key material can be retrieved from machine-to-machine int ...)
+ TODO: check
CVE-2020-12141
RESERVED
CVE-2020-12140
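Review bot: the three new Silver Peak summaries (CVE-2020-12144, CVE-2020-12143, CVE-2020-12142) begin with `Details`, `Summary -` and `a.`, i.e. the section headings of the vendor advisory were imported as the CVE description, so the truncated text in this file says little about the issues themselves. All three concern the same Cloud Portal / Orchestrator / EdgeConnect product line and should be triaged together rather than as three separate TODOs, most likely to one NOT-FOR-US decision.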
@@ -2612,8 +2634,8 @@ CVE-2020-11802
RESERVED
CVE-2020-11801
RESERVED
-CVE-2019-20768
- RESERVED
+CVE-2019-20768 (ServiceNow IT Service Management Kingston through Patch 14-1, London t ...)
+ TODO: check
CVE-2020-11800
RESERVED
CVE-2020-11799 (Z-Cron 5.6 Build 04 allows an unprivileged attacker to elevate privile ...)
@@ -3262,6 +3284,7 @@ CVE-2020-11656 (In SQLite through 3.31.1, the ALTER TABLE implementation has a u
NOTE: https://www.sqlite.org/src/info/b64674919f673602
NOTE: Negliglible security impact (and uncovered in DEBUG build)
CVE-2020-11655 (SQLite through 3.31.1 allows attackers to cause a denial of service (s ...)
+ {DLA-2203-1}
- sqlite3 3.31.1-5
[buster] - sqlite3 <no-dsa> (Minor issue)
[stretch] - sqlite3 <no-dsa> (Minor issue)
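Review bot: adding `{DLA-2203-1}` to CVE-2020-11655 records a stretch security update for this issue, yet the context line `[stretch] - sqlite3 <no-dsa> (Minor issue)` is still present; a DLA reference and a stretch no-dsa exception contradict each other, so the `[stretch]` line should be dropped in a follow-up (the `[buster]` no-dsa line is unaffected by the DLA). The context NOTE on CVE-2020-11656 above also misspells "Negligible" as `Negliglible`.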
@@ -3277,10 +3300,12 @@ CVE-2020-11653 (An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x
NOTE: https://varnish-cache.org/security/VSV00005.html#vsv00005
NOTE: https://github.com/varnishcache/varnish-cache/commit/2d8fc1a784a1e26d78c30174923a2b14ee2ebf62
CVE-2020-11652 (An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 bef ...)
+ {DSA-4676-1}
- salt 3000.2+dfsg1-1 (bug #959684)
NOTE: https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst
NOTE: Fixed by: https://github.com/saltstack/salt/commit/cce7abad9c22d9d50ccee2813acabff8deca35dd
CVE-2020-11651 (An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 bef ...)
+ {DSA-4676-1}
- salt 3000.2+dfsg1-1 (bug #959684)
NOTE: https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst
NOTE: Fixed by: https://github.com/saltstack/salt/commit/a67d76b15615983d467ed81371b38b4a17e4f3b7
@@ -4041,7 +4066,7 @@ CVE-2020-11445 (TP-Link cloud cameras through 2020-02-09 allow remote attackers
NOT-FOR-US: TP-Link
CVE-2020-11444 (Sonatype Nexus Repository Manager 3.x up to and including 3.21.2 has I ...)
NOT-FOR-US: Sonatype Nexus Repository Manager
-CVE-2020-11443 (The MSI installer in Zoom before 4.6.10 on Windows follows Symbolic Li ...)
+CVE-2020-11443 (The Zoom IT installer for Windows (ZoomInstallerFull.msi) prior to ver ...)
NOT-FOR-US: Zoom
CVE-2020-11442
RESERVED
@@ -4867,8 +4892,8 @@ CVE-2020-11053
RESERVED
CVE-2020-11052
RESERVED
-CVE-2020-11051
- RESERVED
+CVE-2020-11051 (In Wiki.js before 2.3.81, there is a stored XSS in the Markdown editor ...)
+ TODO: check
CVE-2020-11050
RESERVED
CVE-2020-11049
@@ -4897,16 +4922,16 @@ CVE-2020-11038
RESERVED
CVE-2020-11037 (In Wagtail before versions 2.7.2 and 2.8.2, a potential timing attack ...)
NOT-FOR-US: Wagtail
-CVE-2020-11036
- RESERVED
-CVE-2020-11035
- RESERVED
-CVE-2020-11034
- RESERVED
-CVE-2020-11033
- RESERVED
-CVE-2020-11032
- RESERVED
+CVE-2020-11036 (In GLPI before version 9.4.6 there are multiple related stored XSS vul ...)
+ TODO: check
+CVE-2020-11035 (In GLPI after version 0.83.3 and before version 9.4.6, the CSRF tokens ...)
+ TODO: check
+CVE-2020-11034 (In GLPI before version 9.4.6, there is a vulnerability that allows byp ...)
+ TODO: check
+CVE-2020-11033 (In GLPI from version 9.1 and before version 9.4.6, any API user with R ...)
+ TODO: check
+CVE-2020-11032 (In GLPI before version 9.4.6, there is a SQL injection vulnerability f ...)
+ TODO: check
CVE-2020-11031
RESERVED
CVE-2020-11030 (In affected versions of WordPress, a special payload can be crafted th ...)
@@ -4919,30 +4944,35 @@ CVE-2020-11030 (In affected versions of WordPress, a special payload can be craf
NOTE: https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates
NOTE: Fixed by: https://github.com/WordPress/wordpress-develop/commit/ec05c8b897ef4ae77fc0cba576573e90a726a52f
CVE-2020-11029 (In affected versions of WordPress, a vulnerability in the stats() meth ...)
+ {DSA-4677-1}
- wordpress 5.4.1+dfsg1-1 (bug #959391)
NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-568w-8m88-8g2c
NOTE: https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates
NOTE: https://core.trac.wordpress.org/changeset/47637
NOTE: https://github.com/WordPress/wordpress-develop/935ab39e8ee754735a553c74d41270df1164ae56 (master)
CVE-2020-11028 (In affected versions of WordPress, some private posts, which were prev ...)
+ {DSA-4677-1}
- wordpress 5.4.1+dfsg1-1 (bug #959391)
NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xhx9-759f-6p2w
NOTE: https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates
NOTE: https://core.trac.wordpress.org/changeset/47635
NOTE: https://github.com/WordPress/wordpress-develop/commit/8e11facb671932a6eefe0e7e4f3d63d39eef55b3
CVE-2020-11027 (In affected versions of WordPress, a password reset link emailed to a ...)
+ {DSA-4677-1}
- wordpress 5.4.1+dfsg1-1 (bug #959391)
NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-ww7v-jg8c-q6jw
NOTE: https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates
NOTE: https://core.trac.wordpress.org/changeset/47634
NOTE: https://github.com/WordPress/wordpress-develop/commit/4354d1fc5cd55a18bc24555b11db201d5eb87e0c (master)
CVE-2020-11026 (In affected versions of WordPress, files with a specially crafted name ...)
+ {DSA-4677-1}
- wordpress 5.4.1+dfsg1-1 (bug #959391)
NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-3gw2-4656-pfr2
NOTE: https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates
NOTE: https://core.trac.wordpress.org/changeset/47638
NOTE: https://github.com/WordPress/wordpress-develop/commit/74d6f9613b96a2948f7675513b8b7f8224bfc386 (master)
CVE-2020-11025 (In affected versions of WordPress, a cross-site scripting (XSS) vulner ...)
+ {DSA-4677-1}
- wordpress 5.4.1+dfsg1-1 (bug #959391)
[jessie] - wordress <not-affected> (Vulnerable code not present)
NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4mhg-j6fx-5g3c
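Review bot: the context line `[jessie] - wordress <not-affected> (Vulnerable code not present)` under CVE-2020-11025 misspells the source package name (`wordress` instead of `wordpress`), so the jessie not-affected annotation is attached to a package that does not exist and the tracker will not apply it to wordpress. This predates the hunk, but it is worth fixing in the same pass that adds the five `{DSA-4677-1}` references.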
@@ -5199,7 +5229,7 @@ CVE-2020-10940 (Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO
CVE-2020-10939 (Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT thro ...)
NOT-FOR-US: PHOENIX CONTACT
CVE-2020-10938 (GraphicsMagick before 1.3.35 has an integer overflow and resultant hea ...)
- {DLA-2173-1}
+ {DSA-4675-1 DLA-2173-1}
- graphicsmagick 1.4+really1.3.34-1
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/95abc2b694ce
CVE-2020-10937
@@ -5396,8 +5426,8 @@ CVE-2020-10861 (An issue was discovered in Avast Antivirus before 20. The aswTas
NOT-FOR-US: Avast Antivirus
CVE-2020-10860 (An issue was discovered in Avast Antivirus before 20. An Arbitrary Mem ...)
NOT-FOR-US: Avast Antivirus
-CVE-2020-10859
- RESERVED
+CVE-2020-10859 (Zoho ManageEngine Desktop Central before 10.0.484 allows authenticated ...)
+ TODO: check
CVE-2020-10858
RESERVED
CVE-2020-10857
@@ -6251,16 +6281,16 @@ CVE-2020-10636
RESERVED
CVE-2020-10635
RESERVED
-CVE-2020-10634
- RESERVED
+CVE-2020-10634 (SAE IT-systems FW-50 Remote Telemetry Unit (RTU). A specially crafted ...)
+ TODO: check
CVE-2020-10633 (A non-persistent XSS (cross-site scripting) vulnerability exists in eW ...)
NOT-FOR-US: eWON Flexy and Cosy
CVE-2020-10632
RESERVED
CVE-2020-10631 (An attacker could use a specially crafted URL to delete or read files ...)
NOT-FOR-US: WebAccess/NMS
-CVE-2020-10630
- RESERVED
+CVE-2020-10630 (SAE IT-systems FW-50 Remote Telemetry Unit (RTU). The software does no ...)
+ TODO: check
CVE-2020-10629 (WebAccess/NMS (versions prior to 3.0.2) does not sanitize XML input. S ...)
NOT-FOR-US: WebAccess/NMS
CVE-2020-10628
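Review bot: CVE-2020-10634 and CVE-2020-10630 both describe the SAE IT-systems FW-50 Remote Telemetry Unit and are both left at `TODO: check`; the adjacent ICS entries in this hunk (eWON Flexy and Cosy, WebAccess/NMS) are already NOT-FOR-US and this vendor firmware has no Debian package, so both entries should resolve to the same `NOT-FOR-US: SAE IT-systems` decision in one go.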
@@ -37641,6 +37671,7 @@ CVE-2019-17362 (In LibTomCrypt through 1.18.2, the der_decode_utf8_string functi
NOTE: https://github.com/libtom/libtomcrypt/issues/507
NOTE: https://github.com/libtom/libtomcrypt/pull/508
CVE-2019-17361 (In SaltStack Salt through 2019.2.0, the salt-api NET API with the ssh ...)
+ {DSA-4676-1}
- salt 2019.2.3+dfsg1-1 (bug #949222)
[jessie] - salt <not-affected> (Vulnerable code added in v2014.7)
NOTE: https://github.com/saltstack/salt/commit/bca115f3f00fbde564dd2f12bf036b5d2fd08387
@@ -42447,7 +42478,7 @@ CVE-2019-15656 (D-Link DSL-2875AL and DSL-2877AL devices through 1.00.05 are pro
NOT-FOR-US: D-Link
CVE-2019-15655 (D-Link DSL-2875AL devices through 1.00.05 are prone to password disclo ...)
NOT-FOR-US: D-Link
-CVE-2019-15654 (Comba AP2600-I devices through A02,0202N00PD2 are prone to password di ...)
+CVE-2019-15654 (Comba AC2400 devices are prone to password disclosure via a simple cra ...)
NOT-FOR-US: Comba
CVE-2019-15653 (Comba AP2600-I devices through A02,0202N00PD2 are prone to password di ...)
NOT-FOR-US: Comba
@@ -52286,7 +52317,7 @@ CVE-2019-12922 (A CSRF issue in phpMyAdmin 4.9.0.1 allows deletion of any server
NOTE: https://seclists.org/fulldisclosure/2019/Sep/23
NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/427fbed55d3154d96ecfc1c7784d49eaa3c04161 (4.9.1)
CVE-2019-12921 (In GraphicsMagick before 1.3.32, the text filename component allows re ...)
- {DLA-2152-1}
+ {DSA-4675-1 DLA-2152-1}
- graphicsmagick 1.4~hg16039-1
NOTE: https://github.com/d0ge/data-processing/blob/master/CVE-2019-12921.md
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/f780c290b4ab
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8c47940ed769ca87c4535b30720bbc11351cce1