[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Thu Apr 1 21:10:30 BST 2021
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7a3479c4 by security tracker role at 2021-04-01T20:10:22+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,7 @@
+CVE-2021-3481
+ RESERVED
+CVE-2021-29943
+ RESERVED
CVE-2021-29942 (An issue was discovered in the reorder crate through 2021-02-24 for Ru ...)
TODO: check
CVE-2021-29941 (An issue was discovered in the reorder crate through 2021-02-24 for Ru ...)
@@ -594,7 +598,7 @@ CVE-2020-36288
RESERVED
CVE-2020-36287
RESERVED
-CVE-2020-36286 (The membersOf of JQL search function in Jira Server and Data Center be ...)
+CVE-2020-36286 (The membersOf JQL search function in Jira Server and Data Center befor ...)
NOT-FOR-US: Atlassian
CVE-2021-29663 (CourseMS (aka Course Registration Management System) 2.1 is affected b ...)
NOT-FOR-US: CourseMS (aka Course Registration Management System)
@@ -2243,8 +2247,7 @@ CVE-2021-28920
RESERVED
CVE-2021-28919
RESERVED
-CVE-2021-28918
- RESERVED
+CVE-2021-28918 (Improper input validation of octal strings in netmask npm package v1.0 ...)
NOT-FOR-US: netmask nodejs module
NOTE: https://sick.codes/sick-2021-011
NOTE: https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/
@@ -2423,6 +2426,7 @@ CVE-2021-28833
CVE-2021-28832
RESERVED
CVE-2021-28831 (decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit ...)
+ {DLA-2614-1}
- busybox <unfixed> (bug #985674)
[buster] - busybox <no-dsa> (Minor issue)
NOTE: https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd
@@ -2828,8 +2832,7 @@ CVE-2021-3448 [fixed outgoing port used when --server is used with an interface
[stretch] - dnsmasq <postponed> (Probably easier to base the patch on a backported version)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939368
NOTE: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=74d4fcd756a85bc1823232ea74334f7ccfb9d5d2
-CVE-2021-3447
- RESERVED
+CVE-2021-3447 (A flaw was found in several ansible modules, where parameters containi ...)
- ansible <undetermined>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939349
NOTE: check, details on upstream status not yet clear
@@ -3058,10 +3061,10 @@ CVE-2021-28548
RESERVED
CVE-2021-28547
RESERVED
-CVE-2021-28546
- RESERVED
-CVE-2021-28545
- RESERVED
+CVE-2021-28546 (Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020 ...)
+ TODO: check
+CVE-2021-28545 (Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020 ...)
+ TODO: check
CVE-2021-28544
RESERVED
CVE-2021-28543 (Varnish varnish-modules before 0.17.1 allows remote attackers to cause ...)
@@ -3866,12 +3869,12 @@ CVE-2021-28167
RESERVED
CVE-2021-28166
RESERVED
-CVE-2021-28165
- RESERVED
-CVE-2021-28164
- RESERVED
-CVE-2021-28163
- RESERVED
+CVE-2021-28165 (In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0. ...)
+ TODO: check
+CVE-2021-28164 (In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default com ...)
+ TODO: check
+CVE-2021-28163 (In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0. ...)
+ TODO: check
CVE-2021-28162 (In Eclipse Theia versions up to and including 0.16.0, in the notificat ...)
NOT-FOR-US: Eclipse Theia
CVE-2021-28161 (In Eclipse Theia versions up to and including 1.8.0, in the debug cons ...)
@@ -5153,8 +5156,8 @@ CVE-2021-27655
RESERVED
CVE-2021-27654
RESERVED
-CVE-2021-27653
- RESERVED
+CVE-2021-27653 (Misconfiguration of the Pega Chat Access Group portal in Pega platform ...)
+ TODO: check
CVE-2021-27652
RESERVED
CVE-2021-27651
@@ -7280,8 +7283,8 @@ CVE-2021-26720 (avahi-daemon-check-dns.sh in the Debian avahi package through 0.
NOTE: Fixed by removing the avahi-daemon-check-dns.sh script.
CVE-2021-26719 (A directory traversal issue was discovered in Gradle gradle-enterprise ...)
NOT-FOR-US: gradle-enterprise-test-distribution-agent
-CVE-2021-26718
- RESERVED
+CVE-2021-26718 (KIS for macOS in some use cases was vulnerable to AV bypass that poten ...)
+ TODO: check
CVE-2021-26717 (An issue was discovered in Sangoma Asterisk 16.x before 16.16.1, 17.x ...)
- asterisk 1:16.16.1~dfsg-1 (bug #983157)
[buster] - asterisk <not-affected> (Introduced in 16.15.0)
@@ -7569,8 +7572,7 @@ CVE-2021-3395 (A cross-site scripting (XSS) vulnerability in Pryaniki 6.44.3 all
NOT-FOR-US: Pryaniki
CVE-2021-3394 (Millennium Millewin (also known as "Cartella clinica") 13.39.028, 13.3 ...)
NOT-FOR-US: Millennium Millewin
-CVE-2021-3393 [postgres: information leak in error message]
- RESERVED
+CVE-2021-3393 (An information leak was discovered in postgresql in versions before 13 ...)
- postgresql-13 13.2-1
- postgresql-11 <removed>
[buster] - postgresql-11 11.11-0+deb10u1
@@ -7612,10 +7614,10 @@ CVE-2021-26583
RESERVED
CVE-2021-26582
RESERVED
-CVE-2021-26581
- RESERVED
-CVE-2021-26580
- RESERVED
+CVE-2021-26581 (A potential security vulnerability has been identified in HPE Superdom ...)
+ TODO: check
+CVE-2021-26580 (A potential security vulnerability has been identified in HPE iLO Ampl ...)
+ TODO: check
CVE-2021-26579 (A security vulnerability in HPE Unified Data Management (UDM) could al ...)
NOT-FOR-US: HPE
CVE-2021-26578 (A potential security vulnerability has been identified in HPE Network ...)
@@ -8911,8 +8913,8 @@ CVE-2021-26074
RESERVED
CVE-2021-26073
RESERVED
-CVE-2021-26072
- RESERVED
+CVE-2021-26072 (The WidgetConnector plugin in Confluence Server and Confluence Data Ce ...)
+ TODO: check
CVE-2021-26071 (The SetFeatureEnabled.jspa resource in Jira Server and Data Center bef ...)
NOT-FOR-US: Atlassian
CVE-2021-26070 (Affected versions of Atlassian Jira Server and Data Center allow remot ...)
@@ -9229,8 +9231,8 @@ CVE-2021-25926
RESERVED
CVE-2021-25925
RESERVED
-CVE-2021-25924
- RESERVED
+CVE-2021-25924 (In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Reques ...)
+ TODO: check
CVE-2021-25923
RESERVED
CVE-2021-25922 (In OpenEMR, versions 4.2.0 to 6.0.0 are vulnerable to Reflected Cross- ...)
@@ -15106,7 +15108,7 @@ CVE-2021-23360 (This affects the package killport before 1.0.2. If (attacker-con
CVE-2021-23359 (This affects all versions of package port-killer. If (attacker-control ...)
NOT-FOR-US: Node port-killer
CVE-2021-23358 (The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 a ...)
- {DLA-2613-1}
+ {DSA-4883-1 DLA-2613-1}
- underscore 1.9.1~dfsg-2 (bug #986171)
NOTE: https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
CVE-2021-23357 (All versions of package github.com/tyktechnologies/tyk/gateway are vul ...)
@@ -16046,8 +16048,7 @@ CVE-2021-22892
RESERVED
CVE-2021-22891
RESERVED
-CVE-2021-22890 [TLS 1.3 session ticket proxy host mixup]
- RESERVED
+CVE-2021-22890 (curl 7.63.0 to and including 7.75.0 includes vulnerability that allows ...)
{DSA-4881-1}
- curl <unfixed>
NOTE: https://curl.se/docs/CVE-2021-22890.html
@@ -16094,8 +16095,7 @@ CVE-2021-22878 (Nextcloud Server prior to 20.0.6 is vulnerable to reflected cros
- nextcloud-server <itp> (bug #941708)
CVE-2021-22877 (A missing user check in Nextcloud prior to 20.0.6 inadvertently popula ...)
- nextcloud-server <itp> (bug #941708)
-CVE-2021-22876 [Automatic referer leaks credentials]
- RESERVED
+CVE-2021-22876 (curl 7.1.1 to and including 7.75.0 is vulnerable to an "Exposure of Pr ...)
{DSA-4881-1}
- curl <unfixed>
NOTE: https://curl.se/docs/CVE-2021-22876.html
@@ -17615,8 +17615,8 @@ CVE-2021-22197
RESERVED
CVE-2021-22196
RESERVED
-CVE-2021-22195
- RESERVED
+CVE-2021-22195 (Client side code execution in gitlab-vscode-extension v3.15.0 and earl ...)
+ TODO: check
CVE-2021-22194 (In all versions of GitLab starting from 13.7, marshalled session keys ...)
- gitlab <unfixed>
CVE-2021-22193 (An issue has been discovered in GitLab affecting all versions starting ...)
@@ -17662,8 +17662,8 @@ CVE-2021-22179 (A vulnerability was discovered in GitLab versions before 12.2. G
- gitlab <unfixed>
CVE-2021-22178 (An issue has been discovered in GitLab affecting all versions starting ...)
- gitlab <unfixed>
-CVE-2021-22177
- RESERVED
+CVE-2021-22177 (Potential DoS was identified in gitlab-shell in GitLab CE/EE version 1 ...)
+ TODO: check
CVE-2021-22176 (An issue has been discovered in GitLab affecting all versions starting ...)
- gitlab <unfixed>
CVE-2021-22175
@@ -18079,8 +18079,8 @@ CVE-2021-21984
RESERVED
CVE-2021-21983 (Arbitrary file write vulnerability in vRealize Operations Manager API ...)
NOT-FOR-US: vRealize Operations Manager API (Vmware)
-CVE-2021-21982
- RESERVED
+CVE-2021-21982 (VMware Carbon Black Cloud Workload appliance 1.0.0 and 1.01 has an aut ...)
+ TODO: check
CVE-2021-21981
RESERVED
CVE-2021-21980
@@ -23185,8 +23185,7 @@ CVE-2021-20297 [Setting match.path and activating a profiles crashes NetworkMana
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1942741 (not yet public)
NOTE: Introduced by: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/3ced486f4162edcd03ff42fa27535130aff0c86c (1.26-rc2)
NOTE: Fixed by: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/420784e342da4883f6debdfe10cde68507b10d27
-CVE-2021-20296
- RESERVED
+CVE-2021-20296 (A flaw was found in OpenEXR in versions before 3.0.0-beta. A crafted i ...)
- openexr <unfixed>
[buster] - openexr <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24854
@@ -23210,8 +23209,8 @@ CVE-2021-20292 [RM Memory Management Double Free Privilege Escalation Vulnerabil
[buster] - linux 4.19.146-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939686
NOTE: https://git.kernel.org/linus/5de5b6ecf97a021f29403aa272cb4e03318ef586
-CVE-2021-20291
- RESERVED
+CVE-2021-20291 (A deadlock vulnerability was found in 'github.com/containers/storage' ...)
+ TODO: check
CVE-2021-20290
RESERVED
CVE-2021-20289 (A flaw was found in RESTEasy in all versions of RESTEasy up to 4.6.0.F ...)
@@ -23470,15 +23469,13 @@ CVE-2021-20236 [Stack overflow on server running PUB/XPUB socket]
NOTE: https://github.com/zeromq/libzmq/pull/3959
NOTE: https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22488
-CVE-2021-20235 [Heap overflow when receiving malformed ZMTP v1 packets]
- RESERVED
+CVE-2021-20235 (There's a flaw in the zeromq server in versions before 4.3.3 in src/de ...)
{DLA-2588-1}
- zeromq3 4.3.3-1
NOTE: https://github.com/zeromq/libzmq/pull/3902
NOTE: https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21984
-CVE-2021-20234 [Memory leak in client induced by malicious server without CURVE/ZAP]
- RESERVED
+CVE-2021-20234 (An uncontrolled resource consumption (memory leak) flaw was found in t ...)
{DLA-2588-1}
- zeromq3 4.3.3-1
NOTE: https://github.com/zeromq/libzmq/pull/3918
@@ -23960,8 +23957,8 @@ CVE-2021-20080
RESERVED
CVE-2021-20079
RESERVED
-CVE-2021-20078
- RESERVED
+CVE-2021-20078 (Manage Engine OpManager builds below 125346 are vulnerable to a remote ...)
+ TODO: check
CVE-2021-20077 (Nessus Agent versions 7.2.0 through 8.2.2 were found to inadvertently ...)
NOT-FOR-US: Nessus Agent
CVE-2021-20076 (Tenable.sc and Tenable.sc Core versions 5.13.0 through 5.17.0 were fou ...)
@@ -34073,7 +34070,7 @@ CVE-2020-27847
CVE-2020-27846 (A signature verification vulnerability exists in crewjam/saml. This fl ...)
NOT-FOR-US: github.com/crewjam/saml
CVE-2020-27845 (There's a flaw in src/lib/openjp2/pi.c of openjpeg in versions prior t ...)
- {DLA-2550-1}
+ {DSA-4882-1 DLA-2550-1}
- openjpeg2 2.4.0-1
NOTE: https://github.com/uclouvain/openjpeg/issues/1302
NOTE: https://github.com/uclouvain/openjpeg/commit/8f5aff1dff510a964d3901d0fba281abec98ab63 (v2.4.0)
@@ -34083,16 +34080,18 @@ CVE-2020-27844 (A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions
NOTE: Fixed by: https://github.com/uclouvain/openjpeg/commit/73fdf28342e4594019af26eb6a347a34eceb6296 (v2.4.0)
NOTE: Introduced by: https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5
CVE-2020-27843 (A flaw was found in OpenJPEG in versions prior to 2.4.0. This flaw all ...)
+ {DSA-4882-1}
- openjpeg2 2.4.0-1 (bug #983663)
[stretch] - openjpeg2 <no-dsa> (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1297
NOTE: Partial fix (preventing the out of bounds access): https://github.com/uclouvain/openjpeg/commit/38d661a3897052c7ff0b39b30c29cb067e130121 (2.4.0)
CVE-2020-27842 (There's a flaw in openjpeg's t2 encoder in versions prior to 2.4.0. An ...)
+ {DSA-4882-1}
- openjpeg2 2.4.0-1
[stretch] - openjpeg2 <no-dsa> (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1294
CVE-2020-27841 (There's a flaw in openjpeg in versions prior to 2.4.0 in src/lib/openj ...)
- {DLA-2550-1}
+ {DSA-4882-1 DLA-2550-1}
- openjpeg2 2.4.0-1
NOTE: https://github.com/uclouvain/openjpeg/issues/1293
NOTE: https://github.com/rouault/openjpeg/commit/00383e162ae2f8fc951f5745bf1011771acb8dce (v2.4.0)
@@ -34180,13 +34179,13 @@ CVE-2020-27825 (A use-after-free flaw was found in kernel/trace/ring_buffer.c in
NOTE: https://git.kernel.org/linus/bbeb97464eefc65f506084fd9f18f21653e01137
CVE-2020-27824 [global-buffer-overflow read in lib-openjp2]
RESERVED
- {DLA-2550-1}
+ {DSA-4882-1 DLA-2550-1}
- openjpeg2 2.4.0-1
NOTE: https://github.com/uclouvain/openjpeg/issues/1286
NOTE: https://github.com/uclouvain/openjpeg/commit/6daf5f3e1ec6eff03b7982889874a3de6617db8d (v2.4.0)
CVE-2020-27823 [Heap-buffer-overflow write in lib-openjp2]
RESERVED
- {DLA-2550-1}
+ {DSA-4882-1 DLA-2550-1}
- openjpeg2 2.4.0-1
NOTE: https://github.com/uclouvain/openjpeg/issues/1284
NOTE: https://github.com/uclouvain/openjpeg/commit/b2072402b7e14d22bba6fb8cde2a1e9996e9a919 (v2.4.0)
@@ -34222,7 +34221,7 @@ CVE-2020-27815
- linux 5.10.4-1
NOTE: https://www.openwall.com/lists/oss-security/2020/11/30/5
CVE-2020-27814 (A heap-buffer overflow was found in the way openjpeg2 handled certain ...)
- {DLA-2550-1}
+ {DSA-4882-1 DLA-2550-1}
- openjpeg2 2.4.0-1
NOTE: https://github.com/uclouvain/openjpeg/issues/1283
NOTE: https://github.com/uclouvain/openjpeg/commit/eaa098b59b346cb88e4d10d505061f669d7134fc (v2.4.0)
@@ -52449,20 +52448,20 @@ CVE-2020-19621
RESERVED
CVE-2020-19620
RESERVED
-CVE-2020-19619
- RESERVED
-CVE-2020-19618
- RESERVED
-CVE-2020-19617
- RESERVED
-CVE-2020-19616
- RESERVED
+CVE-2020-19619 (Cross Site Scripting (XSS) vulnerability in mblog 3.5 via the signatur ...)
+ TODO: check
+CVE-2020-19618 (Cross Site Scripting (XSS) vulnerability in mblog 3.5 via the post con ...)
+ TODO: check
+CVE-2020-19617 (Cross Site Scripting (XSS) vulnerability in mblog 3.5 via the nickname ...)
+ TODO: check
+CVE-2020-19616 (Cross Site Scripting (XSS) vulnerability in mblog 3.5 via the post hea ...)
+ TODO: check
CVE-2020-19615
RESERVED
CVE-2020-19614
RESERVED
-CVE-2020-19613
- RESERVED
+CVE-2020-19613 (Server Side Request Forgery (SSRF) vulnerability in saveUrlAs function ...)
+ TODO: check
CVE-2020-19612
RESERVED
CVE-2020-19611
@@ -61803,7 +61802,7 @@ CVE-2020-15391 (The UI in DevSpace 4.13.0 allows web sites to execute actions on
CVE-2020-15390
RESERVED
CVE-2020-15389 (jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a use-after-free th ...)
- {DLA-2277-1}
+ {DSA-4882-1 DLA-2277-1}
- openjpeg2 2.4.0-1 (bug #965220)
NOTE: https://github.com/uclouvain/openjpeg/issues/1261
NOTE: https://github.com/uclouvain/openjpeg/commit/e8e258ab049240c2dd1f1051b4e773b21e2d3dc0 (v2.4.0)
@@ -79775,14 +79774,14 @@ CVE-2020-9151
RESERVED
CVE-2020-9150
RESERVED
-CVE-2020-9149
- RESERVED
-CVE-2020-9148
- RESERVED
-CVE-2020-9147
- RESERVED
-CVE-2020-9146
- RESERVED
+CVE-2020-9149 (An application error verification vulnerability exists in a component ...)
+ TODO: check
+CVE-2020-9148 (An application bypass mechanism vulnerability exists in a component in ...)
+ TODO: check
+CVE-2020-9147 (A memory buffer error vulnerability exists in a component interface of ...)
+ TODO: check
+CVE-2020-9146 (A memory buffer error vulnerability exists in a component interface of ...)
+ TODO: check
CVE-2020-9145 (There is an Out-of-bounds Write vulnerability in some Huawei smartphon ...)
NOT-FOR-US: Huawei
CVE-2020-9144 (There is a heap overflow vulnerability in some Huawei smartphone, atta ...)
@@ -82373,7 +82372,7 @@ CVE-2020-8113 (GitLab 10.7 and later through 12.7.2 has Incorrect Access Control
- gitlab 12.6.8-3
NOTE: https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/
CVE-2020-8112 (opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through ...)
- {DLA-2277-1 DLA-2089-1}
+ {DSA-4882-1 DLA-2277-1 DLA-2089-1}
- openjpeg2 2.4.0-1 (bug #950184)
NOTE: https://github.com/uclouvain/openjpeg/issues/1231
NOTE: https://github.com/rouault/openjpeg/commit/05f9b91e60debda0e83977e5e63b2e66486f7074 (v2.4.0)
@@ -85462,7 +85461,7 @@ CVE-2020-6853
CVE-2020-6852 (CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmware 3. ...)
NOT-FOR-US: CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP
CVE-2020-6851 (OpenJPEG through 2.3.1 has a heap-based buffer overflow in opj_t1_clbl ...)
- {DLA-2277-1 DLA-2081-1}
+ {DSA-4882-1 DLA-2277-1 DLA-2081-1}
- openjpeg2 2.4.0-1 (bug #950000)
NOTE: https://github.com/uclouvain/openjpeg/issues/1228
NOTE: https://github.com/uclouvain/openjpeg/commit/024b8407392cb0b82b04b58ed256094ed5799e04 (v2.4.0)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a3479c4504e043884d3e0ab8c5bccda65ab4eeb
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a3479c4504e043884d3e0ab8c5bccda65ab4eeb
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210401/5585209f/attachment.htm>
More information about the debian-security-tracker-commits
mailing list