[Git][security-tracker-team/security-tracker][master] 2 commits: new puma issues
Moritz Muehlenhoff
jmm at debian.org
Tue May 26 15:26:03 BST 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
531e35ea by Moritz Muehlenhoff at 2020-05-26T14:11:17+02:00
new puma issues
- - - - -
e48ba45d by Moritz Muehlenhoff at 2020-05-26T16:25:42+02:00
NFUs
new kfreebsd issue
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -6731,9 +6731,12 @@ CVE-2020-11079
CVE-2020-11078 (In httplib2 before version 0.18.0, an attacker controlling unescaped p ...)
TODO: check
CVE-2020-11077 (In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a re ...)
- TODO: check
+ - puma <unfixed>
+ NOTE: https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm
CVE-2020-11076 (In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle a ...)
- TODO: check
+ - puma <unfixed>
+ NOTE: https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h
+ NOTE: https://github.com/puma/puma/commit/f24d5521295a2152c286abb0a45a1e1e2bd275bd
CVE-2020-11075
RESERVED
CVE-2020-11074
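Review bot: the two puma entries are inconsistent: CVE-2020-11076 carries both the GHSA link and the upstream fix commit, while CVE-2020-11077 has only the advisory link, so add the corresponding fix commit NOTE for CVE-2020-11077 too (the person preparing the Debian update will want to cherry-pick it). Neither entry has a suite annotation or a severity: the descriptions give the upstream fixed versions (4.3.5/3.12.6 and 4.3.4/3.12.5), and a client being able to "smuggle a re..." in an HTTP server is not obviously minor, so a `[buster] - puma ...` line, or a stated reason for leaving stable at `<unfixed>` without one, would be worth adding once this is triaged.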
@@ -37253,9 +37256,9 @@ CVE-2020-0223
CVE-2020-0222
RESERVED
CVE-2020-0221 (Airbrush FW's scratch memory allocator is susceptible to numeric overf ...)
- TODO: check
+ NOT-FOR-US: Android
CVE-2020-0220 (In crus_afe_callback of msm-cirrus-playback.c, there is a possible out ...)
- TODO: check
+ NOT-FOR-US: Android
CVE-2020-0219
RESERVED
CVE-2020-0218
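Review bot: `NOT-FOR-US: Android` on CVE-2020-0220 is coarser than the labels used in the rest of this change (`NOT-FOR-US: Android media framework` in the next hunk); msm-cirrus-playback.c is a kernel audio driver rather than framework code, so a label like `NOT-FOR-US: Android kernel (MSM audio driver)` records why it is not tracked against Debian's linux package, and a quick grep of the Debian linux source tree for that file before closing it would confirm the driver is not carried there. CVE-2020-0221 (Airbrush firmware) is fine as labelled.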
@@ -37494,9 +37497,9 @@ CVE-2020-0103 (In a2dp_aac_decoder_cleanup of a2dp_aac_decoder.cc, there is a po
CVE-2020-0102 (In GattServer::SendResponse of gatt_server.cc, there is a possible out ...)
NOT-FOR-US: Android
CVE-2020-0101 (In BnCrypto::onTransact of ICrypto.cpp, there is a possible informatio ...)
- TODO: check
+ NOT-FOR-US: Android media framework
CVE-2020-0100 (In onTransact of IHDCP.cpp, there is a possible out of bounds read due ...)
- TODO: check
+ NOT-FOR-US: Android media framework
CVE-2020-0099
RESERVED
CVE-2020-0098 (In navigateUpToLocked of ActivityStack.java, there is a possible permi ...)
@@ -37508,7 +37511,7 @@ CVE-2020-0096 (In startActivities of ActivityStartController.java, there is a po
CVE-2020-0095
RESERVED
CVE-2020-0094 (In setImageHeight and setImageWidth of ExifUtils.cpp, there is a possi ...)
- TODO: check
+ NOT-FOR-US: Android media framework
CVE-2020-0093 (In exif_data_save_data_entry of exif-data.c, there is a possible out o ...)
{DLA-2214-1}
- libexif 0.6.21-8
@@ -40394,7 +40397,7 @@ CVE-2019-17103 (An Incorrect Default Permissions vulnerability in the BDLDaemon
CVE-2019-17102 (An exploitable command execution vulnerability exists in the recovery ...)
NOT-FOR-US: Bitdefender BOX 2
CVE-2019-17101 (Improper Neutralization of Special Elements used in a Command ('Comman ...)
- TODO: check
+ NOT-FOR-US: Netatmo Smart Indoor Camera
CVE-2019-17100 (An Untrusted Search Path vulnerability in bdserviceshost.exe as used i ...)
NOT-FOR-US: Bitdefender Total Security
CVE-2019-17099 (An Untrusted Search Path vulnerability in EPSecurityService.exe as use ...)
@@ -40479,7 +40482,7 @@ CVE-2019-17067 (PuTTY before 0.73 on Windows improperly opens port-forwarding li
- putty <not-affected> (Windows-specific)
NOTE: https://lists.tartarus.org/pipermail/putty-announce/2019/000029.html
CVE-2019-17066 (In Ivanti WorkSpace Control before 10.4.40.0, a user can elevate right ...)
- TODO: check
+ NOT-FOR-US: Ivanti WorkSpace Control
CVE-2019-17065
RESERVED
CVE-2019-17064 (Catalog.cc in Xpdf 4.02 has a NULL pointer dereference because Catalog ...)
@@ -54188,11 +54191,11 @@ CVE-2019-13025 (Compal CH7465LG CH7465LG-NCIP-6.12.18.24-5p8-NOSH devices have I
CVE-2019-13024 (Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web be ...)
- centreon-web <itp> (bug #913903)
CVE-2019-13023 (An issue was discovered in all versions of Bond JetSelect. Within the ...)
- TODO: check
+ NOT-FOR-US: Bond JetSelect
CVE-2019-13022 (Bond JetSelect (all versions) has an issue in the Java class (ENCtool. ...)
- TODO: check
+ NOT-FOR-US: Bond JetSelect
CVE-2019-13021 (The administrative passwords for all versions of Bond JetSelect are st ...)
- TODO: check
+ NOT-FOR-US: Bond JetSelect
CVE-2019-13020 (The fetch API in Tightrope Media Carousel before 7.1.3 has CarouselAPI ...)
NOT-FOR-US: Tightrope Media Carousel
CVE-2019-13019
@@ -57362,7 +57365,7 @@ CVE-2019-11825 (Cross-site scripting (XSS) vulnerability in Event Editor in Syno
CVE-2019-11824
RESERVED
CVE-2019-11823 (CRLF injection vulnerability in Network Center in Synology Router Mana ...)
- TODO: check
+ NOT-FOR-US: Synology
CVE-2019-11822 (Relative path traversal vulnerability in SYNO.PhotoStation.File in Syn ...)
NOT-FOR-US: Synology
CVE-2019-11821 (SQL injection vulnerability in synophoto_csPhotoDB.php in Synology Pho ...)
@@ -58554,7 +58557,7 @@ CVE-2019-11482 (Sander Bos discovered a time of check to time of use (TOCTTOU) v
CVE-2019-11481 (Kevin Backhouse discovered that apport would read a user-supplied conf ...)
NOT-FOR-US: Apport
CVE-2019-11480 (The pc-kernel snap build process hardcoded the --allow-insecure-reposi ...)
- TODO: check
+ NOT-FOR-US: Ubuntu tooling for Linux snaps
CVE-2019-11479 (Jonathan Looney discovered that the Linux kernel default MSS is hard-c ...)
{DSA-4465-1 DLA-1824-1 DLA-1823-1}
- linux 4.19.37-4
@@ -64557,7 +64560,7 @@ CVE-2019-9684
CVE-2019-9683
RESERVED
CVE-2019-9682 (Dahua devices with Build time before December 2019 use strong security ...)
- TODO: check
+ NOT-FOR-US: Dahua
CVE-2019-9681 (Online upgrade information in some firmware packages of Dahua products ...)
NOT-FOR-US: Dahua
CVE-2019-9680 (Some Dahua products have information leakage issues. Attackers can obt ...)
@@ -71170,9 +71173,9 @@ CVE-2019-7282 (In NetKit through 0.17, rcp.c in the rcp client allows remote rsh
CVE-2019-7248
RESERVED
CVE-2019-7247 (An issue was discovered in AODDriver2.sys in AMD OverDrive. The vulner ...)
- TODO: check
+ NOT-FOR-US: AMD
CVE-2019-7246 (An issue was discovered in atillk64.sys in AMD ATI Diagnostics Hardwar ...)
- TODO: check
+ NOT-FOR-US: AMD
CVE-2019-7245 (An issue was discovered in GPU-Z.sys in TechPowerUp GPU-Z before 2.23. ...)
NOT-FOR-US: TechPowerUp GPU-Z
CVE-2019-7244 (An issue was discovered in kerneld.sys in AIDA64 before 5.99. The vuln ...)
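Review bot: `NOT-FOR-US: AMD` on CVE-2019-7247 and CVE-2019-7246 is less specific than the neighbouring entries (`TechPowerUp GPU-Z`, the AIDA64 kerneld.sys entry below); these are two different Windows kernel drivers, AODDriver2.sys in AMD OverDrive and atillk64.sys in the ATI diagnostics package, so naming the product and driver, e.g. `NOT-FOR-US: AMD OverDrive (AODDriver2.sys)` and `NOT-FOR-US: AMD ATI Diagnostics (atillk64.sys)`, keeps the list searchable by product the way the surrounding lines are.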
@@ -74257,7 +74260,7 @@ CVE-2019-5999 (Buffer overflow in PTP (Picture Transfer Protocol) of EOS series
CVE-2019-5998 (Buffer overflow in PTP (Picture Transfer Protocol) of EOS series digit ...)
NOT-FOR-US: Canon
CVE-2019-5997 (Video Insight VMS 7.5 and earlier allows remote attackers to conduct c ...)
- TODO: check
+ NOT-FOR-US: Video Insight VMS
CVE-2019-5996 (SQL injection vulnerability in the Video Insight VMS 7.3.2.5 and earli ...)
NOT-FOR-US: Video Insight VMS
CVE-2019-5995 (Missing authorization vulnerability exists in EOS series digital camer ...)
@@ -75330,7 +75333,7 @@ CVE-2019-5620 (ABB MicroSCADA Pro SYS600 version 9.3 suffers from an instance of
CVE-2019-5619 (AASync.com AASync version 2.2.1.0 suffers from an instance of CWE-121: ...)
NOT-FOR-US: AASync.com AASync
CVE-2019-5618 (A-PDF WAV to MP3 version 1.0.0 suffers from an instance of CWE-121: St ...)
- TODO: check
+ NOT-FOR-US: A-PDF
CVE-2019-5617 (Computing For Good's Basic Laboratory Information System (also known a ...)
NOT-FOR-US: Computing For Good's Basic Laboratory Information System
CVE-2019-5616 (CircuitWerkes Sicon-8, a hardware device used for managing electrical ...)
@@ -75338,7 +75341,8 @@ CVE-2019-5616 (CircuitWerkes Sicon-8, a hardware device used for managing electr
CVE-2019-5615 (Users with Site-level permissions can access files containing the user ...)
NOT-FOR-US: Rapid7 InsightVM
CVE-2019-5614 (In FreeBSD 12.1-STABLE before r356035, 12.1-RELEASE before 12.1-RELEAS ...)
- TODO: check
+ - kfreebsd-10 <unfixed> (unimportant)
+ NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:10.ipfw.asc
CVE-2019-5613 (In FreeBSD 12.0-RELEASE before 12.0-RELEASE-p13, a missing check in th ...)
- kfreebsd-10 <not-affected> (Only affects kfreebsd 12)
NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:02.ipsec.asc
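Review bot: the new CVE-2019-5614 line marks kfreebsd-10 as `<unfixed> (unimportant)` while the sibling CVE-2019-5613 is `<not-affected> (Only affects kfreebsd 12)`, and the visible description only lists 12.1 branches; the entry should say whether the ipfw issue in FreeBSD-SA-20:10 actually reaches the 10.x code base (if not, `<not-affected>` is the right state, matching the line below) and, if it does, why it is unimportant, since the neighbouring annotations all give a reason in the parentheses (`Minor issue`, `Only affects kfreebsd 12`, `Windows-specific`).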
@@ -78413,7 +78417,7 @@ CVE-2019-4211 (IBM QRadar SIEM 7.2 and 7.3 is vulnerable to cross-site scripting
CVE-2019-4210 (IBM QRadar SIEM 7.3.2 could allow a user to bypass authentication expo ...)
NOT-FOR-US: IBM
CVE-2019-4209 (HCL Connections v5.5, v6.0, and v6.5 contains an open redirect vulnera ...)
- TODO: check
+ NOT-FOR-US: HCL
CVE-2019-4208 (IBM TRIRIGA Application Platform 3.5.3 and 3.6.0 is vulnerable to an X ...)
NOT-FOR-US: IBM
CVE-2019-4207 (IBM TRIRIGA Application Platform 3.5.3 and 3.6.0 may disclose sensitiv ...)
@@ -84705,7 +84709,7 @@ CVE-2019-2389 (Incorrect scoping of kill operations in MongoDB Server's packaged
[stretch] - mongodb <ignored> (Minor issue)
[jessie] - mongodb <ignored> (Minor issue)
CVE-2019-2388 (In affected Ops Manager versions there is an exposed http route was th ...)
- TODO: check
+ NOT-FOR-US: MongoDB Ops Manager
CVE-2019-2387
RESERVED
CVE-2019-2386 (After user deletion in MongoDB Server the improper invalidation of aut ...)
@@ -129714,7 +129718,7 @@ CVE-2018-5495 (All StorageGRID Webscale versions are susceptible to a vulnerabil
CVE-2018-5494
RESERVED
CVE-2018-5493 (ATTO FibreBridge 7500N firmware versions prior to 2.90 are susceptible ...)
- TODO: check
+ NOT-FOR-US: ATTO
CVE-2018-5492 (NetApp E-Series SANtricity OS Controller Software 11.30 and later vers ...)
NOT-FOR-US: NetApp
CVE-2018-5491
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/44665b76478c4578a8b91a79501140875691def6...e48ba45dc3d804e9ee23d0759c115b4b554a65c9