[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Thu May 7 09:10:22 BST 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c178fdf0 by security tracker role at 2020-05-07T08:10:15+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,12 +1,52 @@
-CVE-2020-12692 [Keystone doesn't check signature TTL of the EC2 credential auth method]
+CVE-2020-12696 (The iframe plugin before 4.5 for WordPress does not sanitize a URL. ...)
+	TODO: check
+CVE-2020-12695
+	RESERVED
+CVE-2020-12694
+	RESERVED
+CVE-2020-12693
+	RESERVED
+CVE-2020-12688
+	RESERVED
+CVE-2020-12687
+	RESERVED
+CVE-2020-12686
+	RESERVED
+CVE-2020-12685
+	RESERVED
+CVE-2020-12684
+	RESERVED
+CVE-2020-12683
+	RESERVED
+CVE-2020-12682
+	RESERVED
+CVE-2020-12681
+	RESERVED
+CVE-2020-12680
+	RESERVED
+CVE-2020-12679
+	RESERVED
+CVE-2020-12678
+	REJECTED
+	TODO: check
+CVE-2020-12677
+	RESERVED
+CVE-2020-12676
+	RESERVED
+CVE-2020-12675
+	RESERVED
+CVE-2020-12692 (An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0. ...)
+	{DSA-4679-1}
 	- keystone <unfixed>
 	NOTE: https://bugs.launchpad.net/keystone/+bug/1872737
 	NOTE: https://www.openwall.com/lists/oss-security/2020/05/06/4
-CVE-2020-12691 [Keystone V3 /credentials endpoint policy logic allows to change credentials owner or target project ID]
+CVE-2020-12691 (An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0. ...)
+	{DSA-4679-1}
 	- keystone <unfixed>
 	NOTE: https://bugs.launchpad.net/keystone/+bug/1872733
 	NOTE: https://www.openwall.com/lists/oss-security/2020/05/06/5
-CVE-2020-12690
+CVE-2020-12690 (An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0. ...)
+	{DSA-4679-1}
 	- keystone <unfixed>
 	NOTE: https://bugs.launchpad.net/keystone/+bug/1873290
 	NOTE: https://www.openwall.com/lists/oss-security/2020/05/06/6
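Review bot: CVE-2020-12678 is entered as both `REJECTED` and `TODO: check`, which contradict each other; if the CVE was rejected upstream the TODO line should be dropped, and if it still needs triage the REJECTED marker is premature. Also, the bracketed working titles for CVE-2020-12692 and CVE-2020-12691 (EC2 credential signature TTL not checked; /credentials endpoint policy logic) are replaced by the truncated MITRE text, which is identical for all three Keystone entries in this hunk, so the launchpad `NOTE:` links are now the only thing that distinguishes them. The `{DSA-4679-1}` tag is added to entries whose unstable line still reads `- keystone <unfixed>`; the fixed version should follow once the unstable upload lands.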
@@ -14,7 +54,8 @@ CVE-2020-12674
 	RESERVED
 CVE-2020-12673
 	RESERVED
-CVE-2020-12689 [OSSA-2020-004: EC2 and credential endpoints are not protected from a scoped context]
+CVE-2020-12689 (An issue was discovered in OpenStack Keystone before 15.0.1, and 16.0. ...)
+	{DSA-4679-1}
 	- keystone <unfixed> (bug #959900)
 	NOTE: https://bugs.launchpad.net/keystone/+bug/1872735
 	NOTE: https://www.openwall.com/lists/oss-security/2020/05/06/5
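Review bot: the oss-security `NOTE:` for CVE-2020-12689 points at https://www.openwall.com/lists/oss-security/2020/05/06/5, the same post already cited for CVE-2020-12691, whereas the other Keystone entries in this update each cite their own post (/4 and /6); verify that this is the intended reference rather than a copy-paste slip. As with its siblings, `{DSA-4679-1}` is added while the package line stays `- keystone <unfixed> (bug #959900)`.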
@@ -633,6 +674,7 @@ CVE-2020-12396
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-16/#CVE-2020-12396
 CVE-2020-12395
 	RESERVED
+	{DSA-4678-1}
 	- firefox 76.0-1
 	- firefox-esr 68.8.0esr-1
 	- thunderbird 1:68.8.0-1
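Review bot: `{DSA-4678-1}` is attached to CVE-2020-12395 while the entry still reads `RESERVED` with no description and no source link, unlike the neighbouring CVE-2020-12396, which carries a `NOTE:` pointing at its Mozilla advisory page; add the corresponding Mozilla advisory `NOTE:` so the DSA reference can be traced to its source (the same applies to CVE-2020-12392 and CVE-2020-12387 further down in this patch), and expect a later automatic update to replace `RESERVED` once MITRE publishes the text.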
@@ -653,6 +695,7 @@ CVE-2020-12393
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-18/#CVE-2020-12393
 CVE-2020-12392
 	RESERVED
+	{DSA-4678-1}
 	- firefox 76.0-1
 	- firefox-esr 68.8.0esr-1
 	- thunderbird 1:68.8.0-1
@@ -681,6 +724,7 @@ CVE-2020-12388
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-17/#CVE-2020-12388
 CVE-2020-12387
 	RESERVED
+	{DSA-4678-1}
 	- firefox 76.0-1
 	- firefox-esr 68.8.0esr-1
 	- thunderbird 1:68.8.0-1
@@ -15036,6 +15080,7 @@ CVE-2019-20377 (TopList before 2019-09-03 allows XSS via a title. ...)
 	NOT-FOR-US: TopList
 CVE-2020-6831
 	RESERVED
+	{DSA-4678-1}
 	- firefox 76.0-1
 	- firefox-esr 68.8.0esr-1
 	- chromium <unfixed>
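Review bot: CVE-2020-6831 gains `{DSA-4678-1}` like the Firefox entries above, but its package list also contains `- chromium <unfixed>`; the brace tag applies to the whole entry, so make sure the chromium status remains visibly open, since the other entries carrying this advisory list only firefox, firefox-esr and thunderbird. The entry is also still `RESERVED` with no description and no `NOTE:` link, so a source reference would help here too.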
@@ -28013,7 +28058,7 @@ CVE-2020-1940 (The optional initial password change and password expiration feat
 CVE-2020-1939
 	RESERVED
 CVE-2020-1938 (When using the Apache JServ Protocol (AJP), care must be taken when tr ...)
-	{DSA-4673-1 DLA-2133-1}
+	{DSA-4680-1 DSA-4673-1 DLA-2133-1}
 	- tomcat9 9.0.31-1 (bug #952437)
 	- tomcat8 <removed> (bug #952438)
 	[jessie] - tomcat8 <no-dsa> (backport is intrusive because of API changes)
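Review bot: `DSA-4680-1` is prepended to the advisory list for CVE-2020-1938 (the same edit is repeated for the four Tomcat entries that follow), but no package or suite line changes: `tomcat8` remains `<removed>` and the only suite-specific line is the jessie `<no-dsa>` one, so from this entry alone a reader cannot tell which suite and version the new DSA fixed. If the tracker's convention for this entry type expects a per-suite line alongside the tag, add it; otherwise the DSA file is the only place the fix is recorded.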
@@ -28040,7 +28085,7 @@ CVE-2020-1937 (Kylin has some restful apis which will concatenate SQLs with the
 CVE-2020-1936
 	RESERVED
 CVE-2020-1935 (In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0. ...)
-	{DSA-4673-1 DLA-2133-1}
+	{DSA-4680-1 DSA-4673-1 DLA-2133-1}
 	- tomcat9 9.0.31-1
 	- tomcat8 <removed>
 	[jessie] - tomcat8 <no-dsa> (backport is too intrusive)
@@ -36970,7 +37015,7 @@ CVE-2019-17570 (An untrusted deserialization was found in the org.apache.xmlrpc.
 	NOTE: Proposed patch: https://bugzilla.redhat.com/show_bug.cgi?id=1775193
 	NOTE: https://github.com/orangecertcc/xmlrpc-common-deserialization
 CVE-2019-17569 (The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8 ...)
-	{DSA-4673-1 DLA-2133-1}
+	{DSA-4680-1 DSA-4673-1 DLA-2133-1}
 	- tomcat9 9.0.31-1
 	- tomcat8 <removed>
 	[jessie] - tomcat8 <not-affected> (vulnerable code introduced in later version)
@@ -36992,7 +37037,7 @@ CVE-2019-17565 (There is a vulnerability in Apache Traffic Server 6.0.0 to 6.2.3
 CVE-2019-17564 (Unsafe deserialization occurs within a Dubbo application which has HTT ...)
 	NOT-FOR-US: Dubbo
 CVE-2019-17563 (When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29,  ...)
-	{DSA-4596-1 DLA-2077-1}
+	{DSA-4680-1 DSA-4596-1 DLA-2077-1}
 	- tomcat9 9.0.31-1
 	- tomcat8 <removed>
 	[jessie] - tomcat8 <no-dsa> (low risk, backport is intrusive)
@@ -53722,7 +53767,7 @@ CVE-2019-12420 (In Apache SpamAssassin before 3.4.3, a message can be crafted in
 CVE-2019-12419 (Apache CXF before 3.3.4 and 3.2.11 provides all of the components that ...)
 	NOT-FOR-US: Apache CFX
 CVE-2019-12418 (When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0. ...)
-	{DSA-4596-1 DLA-2155-1 DLA-2077-1}
+	{DSA-4680-1 DSA-4596-1 DLA-2155-1 DLA-2077-1}
 	- tomcat9 9.0.31-1
 	- tomcat8 <removed>
 	- tomcat7 <removed>
@@ -60373,6 +60418,7 @@ CVE-2019-10074 (An RCE is possible by entering Freemarker markup in an Apache OF
 CVE-2019-10073 (The "Blog", "Forum", "Contact Us" screens of the template "ecommerce"  ...)
 	NOT-FOR-US: Apache OFBiz
 CVE-2019-10072 (The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 co ...)
+	{DSA-4680-1}
 	- tomcat9 9.0.22-1 (bug #931131; bug #930872)
 	- tomcat8 <removed> (bug #30873)
 	[stretch] - tomcat8 <not-affected> (Incomplete fix for CVE-2019-0199 not applied)
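Review bot: the bug reference on the tomcat8 line, `(bug #30873)`, has only five digits, while the tomcat9 line directly above cites `#931131` and `#930872`; this looks like a dropped leading digit, so verify the number against the BTS before it is relied on. The new `{DSA-4680-1}` tag is otherwise consistent with the four other Tomcat entries updated in this patch.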



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c178fdf02a7bb8044f40e9efb51ff44f52c72bd4
