[Git][security-tracker-team/security-tracker][master] automatic update

Wed Nov 4 08:10:30 GMT 2020


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
72659de9 by security tracker role at 2020-11-04T08:10:23+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,29 @@
+CVE-2020-28208
+	RESERVED
+CVE-2020-28207
+	RESERVED
+CVE-2020-28206
+	RESERVED
+CVE-2020-28205
+	RESERVED
+CVE-2020-28204
+	RESERVED
+CVE-2020-28203
+	RESERVED
+CVE-2020-28202
+	RESERVED
+CVE-2020-28201
+	RESERVED
+CVE-2020-28200
+	RESERVED
+CVE-2020-28199
+	RESERVED
+CVE-2020-28198
+	RESERVED
+CVE-2020-28197
+	RESERVED
+CVE-2020-28196
+	RESERVED
 CVE-2020-28195
 	RESERVED
 CVE-2020-28194
@@ -297,6 +323,7 @@ CVE-2020-28048
 CVE-2020-28047
 	RESERVED
 CVE-2020-27347 [tmux buffer overflow in CSI parsing]
+	RESERVED
 	- tmux 3.1c-1
 	[buster] - tmux <not-affected> (Vulnerable code introduced later)
 	[stretch] - tmux <not-affected> (Vulnerable code introduced later)
@@ -2394,7 +2421,7 @@ CVE-2020-27349
 CVE-2020-27348
 	RESERVED
 CVE-2020-27346
-	RESERVED
+	REJECTED
 CVE-2020-27345
 	RESERVED
 CVE-2020-27344 (The cm-download-manager plugin before 2.8.0 for WordPress allows XSS. ...)
@@ -4767,8 +4794,8 @@ CVE-2020-26213
 	RESERVED
 CVE-2020-26212
 	RESERVED
-CVE-2020-26211
-	RESERVED
+CVE-2020-26211 (In BookStack before version 0.30.4, a user with permissions to edit a  ...)
+	TODO: check
 CVE-2020-26210 (In BookStack before version 0.30.4, a user with permissions to edit a  ...)
 	TODO: check
 CVE-2020-26209
@@ -4889,6 +4916,7 @@ CVE-2020-26160 (jwt-go before 4.0.0-preview1 allows attackers to bypass intended
 	NOTE: https://github.com/dgrijalva/jwt-go/issues/422
 	NOTE: https://github.com/dgrijalva/jwt-go/pull/426
 CVE-2020-26159 (In Oniguruma 6.9.5_rev1, an attacker able to supply a regular expressi ...)
+	{DLA-2431-1}
 	- libonig <unfixed> (bug #972113)
 	[buster] - libonig <no-dsa> (Minor issue)
 	NOTE: https://github.com/kkos/oniguruma/commit/cbe9f8bd9cfc6c3c87a60fbae58fa1a85db59df0
@@ -64494,10 +64522,10 @@ CVE-2020-1911 (A type confusion vulnerability when resolving properties of JavaS
 	NOT-FOR-US: Facebook Hermes
 CVE-2020-1910
 	RESERVED
-CVE-2020-1909
-	RESERVED
-CVE-2020-1908
-	RESERVED
+CVE-2020-1909 (A use-after-free in a logging library in WhatsApp for iOS prior to v2. ...)
+	TODO: check
+CVE-2020-1908 (Improper authorization of the Screen Lock feature in WhatsApp and What ...)
+	TODO: check
 CVE-2020-1907 (A stack overflow in WhatsApp for Android prior to v2.20.196.16, WhatsA ...)
 	NOT-FOR-US: WhatsApp
 CVE-2020-1906 (A buffer overflow in WhatsApp for Android prior to v2.20.130 and Whats ...)
@@ -65841,7 +65869,7 @@ CVE-2019-19248 (Electronic Arts Origin through 10.5.x allows Elevation of Privil
 CVE-2019-19247 (Electronic Arts Origin through 10.5.x allows Elevation of Privilege (i ...)
 	NOT-FOR-US: Electronic Arts Origin
 CVE-2019-19246 (Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has  ...)
-	{DLA-2020-1}
+	{DLA-2431-1 DLA-2020-1}
 	- libonig 6.9.4-1 (low; bug #946344)
 	[buster] - libonig <no-dsa> (Minor issue)
 	NOTE: https://bugs.php.net/bug.php?id=78559
@@ -65957,13 +65985,14 @@ CVE-2019-19206 (Dolibarr CRM/ERP 10.0.3 allows viewimage.php?file= Stored XSS du
 CVE-2019-19205
 	RESERVED
 CVE-2019-19204 (An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the func ...)
-	{DLA-2020-1}
+	{DLA-2431-1 DLA-2020-1}
 	- libonig 6.9.4-1 (low; bug #945313)
 	[buster] - libonig <no-dsa> (Minor issue)
 	NOTE: https://github.com/kkos/oniguruma/issues/162
 	NOTE: https://github.com/kkos/oniguruma/commit/6eb4aca6a7f2f60f473580576d86686ed6a6ebec (v6.9.4_rc2)
 	NOTE: Only exploitable with attacker-provided pattern
 CVE-2019-19203 (An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the func ...)
+	{DLA-2431-1}
 	- libonig 6.9.4-1 (low; bug #945312)
 	[buster] - libonig <no-dsa> (Minor issue)
 	[jessie] - libonig <ignored> (Minor issue, not reproducible, non-trivial backport)
@@ -66519,7 +66548,7 @@ CVE-2019-19014 (An issue was discovered in TitanHQ WebTitan before 5.18. It has
 CVE-2019-19013 (A CSRF vulnerability in Pagekit 1.0.17 allows an attacker to upload an ...)
 	NOT-FOR-US: Pagekit CMS
 CVE-2019-19012 (An integer overflow in the search_in_range function in regexec.c in On ...)
-	{DLA-2020-1}
+	{DLA-2431-1 DLA-2020-1}
 	- libonig 6.9.4-1 (low; bug #944959)
 	[buster] - libonig <no-dsa> (Minor issue)
 	NOTE: https://github.com/kkos/oniguruma/issues/164
@@ -69641,6 +69670,7 @@ CVE-2019-18651 (A cross-site request forgery (CSRF) vulnerability in 3xLogic Inf
 CVE-2019-18650 (An issue was discovered in Joomla! before 3.9.13. A missing token chec ...)
 	NOT-FOR-US: Joomla!
 CVE-2018-21030 (Jupyter Notebook before 5.5.0 does not use a CSP header to treat serve ...)
+	{DLA-2432-1}
 	- jupyter-notebook 5.7.4-1
 	NOTE: https://github.com/jupyter/notebook/pull/3341
 CVE-2019-18649 (When logged in as an admin user, the Title input field (under Reports) ...)
@@ -77577,7 +77607,7 @@ CVE-2019-16165 (GNU cflow through 1.6 has a use-after-free in the reference func
 CVE-2019-16164 (MyHTML through 4.0.5 has a NULL pointer dereference in myhtml_tree_nod ...)
 	NOT-FOR-US: MyHTML
 CVE-2019-16163 (Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of ...)
-	{DLA-1918-1}
+	{DLA-2431-1 DLA-1918-1}
 	- libonig 6.9.4-1 (low; bug #939988)
 	[buster] - libonig <no-dsa> (Minor issue)
 	NOTE: https://github.com/kkos/oniguruma/issues/147
@@ -88020,7 +88050,7 @@ CVE-2019-13225 (A NULL Pointer Dereference in match_at() in regexec.c in Oniguru
 	[jessie] - libonig <not-affected> (vulnerable code was introduced later)
 	NOTE: https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c
 CVE-2019-13224 (A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 a ...)
-	{DLA-1854-1}
+	{DLA-2431-1 DLA-1854-1}
 	- libonig 6.9.2-1 (low; bug #931878)
 	[buster] - libonig <no-dsa> (Minor issue)
 	NOTE: https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55
@@ -125720,6 +125750,7 @@ CVE-2018-19352 (Jupyter Notebook before 5.7.2 allows XSS via a crafted directory
 	[stretch] - jupyter-notebook <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/jupyter/notebook/commit/288b73e1edbf527740e273fcc69b889460871648
 CVE-2018-19351 (Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook bec ...)
+	{DLA-2432-1}
 	- jupyter-notebook 5.7.4-1 (bug #917409)
 	NOTE: https://github.com/jupyter/notebook/commit/107a89fce5f413fb5728c1c5d2c7788e1fb17491
 CVE-2008-7320 (** DISPUTED ** GNOME Seahorse through 3.30 allows physically proximate ...)
@@ -154502,6 +154533,7 @@ CVE-2018-8742
 CVE-2017-18239 (A time-sensitive equality check on the JWT signature in the JsonWebTok ...)
 	NOT-FOR-US: authentikat-jwt
 CVE-2018-8768 (In Jupyter Notebook before 5.4.1, a maliciously forged notebook file c ...)
+	{DLA-2432-1}
 	- jupyter-notebook 5.4.1-1 (bug #893436)
 	- ipython 5.1.0-2
 	[jessie] - ipython <no-dsa> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72659de9d92e5e6cbe88fdde6c2c2aa3e0892b90

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72659de9d92e5e6cbe88fdde6c2c2aa3e0892b90
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20201104/8f5c495e/attachment.html>
