[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat Aug 7 21:10:37 BST 2021
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
0938f3a7 by security tracker role at 2021-08-07T20:10:29+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,9 +1,31 @@
-CVE-2021-38166 [bpf: Fix integer overflow involving bucket_size]
+CVE-2021-38173 (Btrbk before 0.31.2 allows command execution because of the mishandlin ...)
+ TODO: check
+CVE-2021-38172
+ RESERVED
+CVE-2021-38171
+ RESERVED
+CVE-2021-38170
+ RESERVED
+CVE-2021-38169 (Roxy-WI through 5.2.2.0 allows command injection via /app/funct.py and ...)
+ TODO: check
+CVE-2021-38168 (Roxy-WI through 5.2.2.0 allows authenticated SQL injection via select_ ...)
+ TODO: check
+CVE-2021-38167 (Roxy-WI through 5.2.2.0 allows SQL Injection via check_login. An unaut ...)
+ TODO: check
+CVE-2021-38164
+ RESERVED
+CVE-2021-38163
+ RESERVED
+CVE-2021-38162
+ RESERVED
+CVE-2021-38161
+ RESERVED
+CVE-2021-38166 (In kernel/bpf/hashtab.c in the Linux kernel through 5.13.8, there is a ...)
- linux <unfixed>
[buster] - linux <not-affected> (Vulnerable code introduced later)
[stretch] - linux <not-affected> (Vulnerable code introduced later)
-CVE-2021-38159
- RESERVED
+CVE-2021-38159 (In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0 ...)
+ TODO: check
CVE-2021-38158
RESERVED
CVE-2021-38157 (** UNSUPPORTED WHEN ASSIGNED ** LeoStream Connection Broker 9.x before ...)
@@ -13,7 +35,7 @@ CVE-2021-38156
CVE-2021-38155 (OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1 ...)
- keystone <unfixed>
NOTE: https://launchpad.net/bugs/1688137
-CVE-2021-38165 [lynx leaks password to remote servers via SNI]
+CVE-2021-38165 (HTParse in Lynx through 2.8.9 mishandles the userinfo subcomponent of ...)
[experimental] - lynx 2.9.0dev.9-1
- lynx <unfixed> (bug #991971)
NOTE: https://lists.nongnu.org/archive/html/lynx-dev/2021-08/msg00002.html
@@ -19601,10 +19623,10 @@ CVE-2021-29925
RESERVED
CVE-2021-29924
RESERVED
-CVE-2021-29923
- RESERVED
-CVE-2021-29922
- RESERVED
+CVE-2021-29923 (Go before 1.17 does not properly consider extraneous zero characters a ...)
+ TODO: check
+CVE-2021-29922 (library/std/src/net/parser.rs in Rust before 1.53.0 does not properly ...)
+ TODO: check
CVE-2021-29921 (In Python before 3,9,5, the ipaddress library mishandles leading zero ...)
[experimental] - python3.9 3.9.5-1
- python3.9 <unfixed> (bug #989195)
@@ -44193,6 +44215,7 @@ CVE-2021-20229 (A flaw was found in PostgreSQL in versions before 13.2. This fla
- postgresql-13 13.2-1
NOTE: https://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-9525-released-2165/
CVE-2021-20228 (A flaw was found in the Ansible Engine 2.9.18, where sensitive info is ...)
+ {DSA-4950-1}
- ansible 2.10.7+merged+base+2.10.8+dfsg-1
- ansible-base <unfixed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1925002
@@ -55806,7 +55829,7 @@ CVE-2021-0131 (Use of cryptographically weak pseudo-random number generator (PRN
CVE-2021-0130
RESERVED
CVE-2021-0129 (Improper access control in BlueZ may allow an authenticated user to po ...)
- {DLA-2692-1 DLA-2690-1 DLA-2689-1}
+ {DSA-4951-1 DLA-2692-1 DLA-2690-1 DLA-2689-1}
- bluez 5.55-3.1 (bug #989614)
- linux 5.10.40-1
[buster] - linux 4.19.194-1
@@ -57236,7 +57259,7 @@ CVE-2020-27152 (An issue was discovered in ioapic_lazy_update_eoi in arch/x86/kv
CVE-2020-27151 (An issue was discovered in Kata Containers through 1.11.3 and 2.x thro ...)
NOT-FOR-US: Kata Containers
CVE-2020-27153 (In BlueZ before 5.55, a double free was found in the gatttool disconne ...)
- {DLA-2410-1}
+ {DSA-4951-1 DLA-2410-1}
- bluez 5.55-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1884817
NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=1cd644db8c23a2f530ddb93cebed7dacc5f5721a
@@ -58644,7 +58667,7 @@ CVE-2020-26559 (Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 an
NOTE: https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/authvalue-leak/
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1960011
CVE-2020-26558 (Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specification ...)
- {DLA-2692-1 DLA-2690-1 DLA-2689-1}
+ {DSA-4951-1 DLA-2692-1 DLA-2690-1 DLA-2689-1}
- bluez 5.55-3.1 (bug #989614)
- linux 5.10.40-1
[buster] - linux 4.19.194-1
@@ -86070,6 +86093,7 @@ CVE-2020-14367 (A flaw was found in chrony versions before 3.5.1 when creating t
CVE-2020-14366 (A vulnerability was found in keycloak, where path traversal using URL- ...)
NOT-FOR-US: Keycloak
CVE-2020-14365 (A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before ...)
+ {DSA-4950-1}
- ansible 2.9.13+dfsg-1 (unimportant)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1869154
NOTE: https://github.com/ansible/ansible/commit/1d043e082b3b1f3ad35c803137f5d3bcbae92275 (v2.9.13)
@@ -86225,6 +86249,7 @@ CVE-2020-14334 (A flaw was found in Red Hat Satellite 6 which allows privileged
CVE-2020-14333 (A flaw was found in Ovirt Engine's web interface in ovirt 4.4 and earl ...)
NOT-FOR-US: ovirt-engine
CVE-2020-14332 (A flaw was found in the Ansible Engine when using module_args. Tasks e ...)
+ {DSA-4950-1}
- ansible 2.9.13+dfsg-1 (bug #966672)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1857805
NOTE: https://github.com/ansible/ansible/pull/71033
@@ -86236,6 +86261,7 @@ CVE-2020-14331 (A flaw was found in the Linux kernel’s implementation of t
NOTE: https://www.openwall.com/lists/oss-security/2020/07/28/2
NOTE: Only exploitable when CONFIG_VGACON_SOFT_SCROLLBACK is set
CVE-2020-14330 (An Improper Output Neutralization for Logs flaw was found in Ansible w ...)
+ {DSA-4950-1}
- ansible 2.9.13+dfsg-1
NOTE: https://github.com/ansible/ansible/issues/68400
NOTE: Initial fix: https://github.com/ansible/ansible/pull/69653
@@ -97363,6 +97389,7 @@ CVE-2020-10730 (A NULL pointer dereference, or possible use-after-free flaw was
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14364
NOTE: https://git.samba.org/?p=samba.git;a=commitdiff;h=9dd458956d7af1b4bbe505ba2ab72235e81c27d0 (for ldb)
CVE-2020-10729 (A flaw was found in the use of insufficiently random values in Ansible ...)
+ {DSA-4950-1}
- ansible 2.9.6+dfsg-1
[jessie] - ansible <not-affected> (Vulnerable code introduced later, no variables template caching)
NOTE: https://github.com/ansible/ansible/issues/34144
@@ -97544,6 +97571,7 @@ CVE-2020-10687 (A flaw was discovered in all versions of Undertow before Underto
CVE-2020-10686 (A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in ...)
NOT-FOR-US: Keycloak
CVE-2020-10685 (A flaw was found in Ansible Engine affecting Ansible Engine versions 2 ...)
+ {DSA-4950-1}
- ansible 2.9.7+dfsg-1
[jessie] - ansible <not-affected> (Vulnerable code introduced later, all decryption in-memory, no transparent file decryption)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1814627
@@ -97551,6 +97579,7 @@ CVE-2020-10685 (A flaw was found in Ansible Engine affecting Ansible Engine vers
NOTE: https://github.com/ansible/ansible/commit/6452a82452f3a721233b50f62419598206442fd9
NOTE: Introduced in https://github.com/ansible/ansible/commit/cdf6e3e4bf44fdab62c2e4ccd3f5fd67ea554548 (2.1)
CVE-2020-10684 (A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9. ...)
+ {DSA-4950-1}
- ansible 2.9.7+dfsg-1
[stretch] - ansible <not-affected> (Vulnerable code introduced later, 'ansible_facts' variable not exposed)
[jessie] - ansible <not-affected> (Vulnerable code introduced later, 'ansible_facts' variable not exposed)
@@ -121492,6 +121521,7 @@ CVE-2020-1755
CVE-2020-1754
RESERVED
CVE-2020-1753 (A security flaw was found in Ansible Engine, all Ansible 2.7.x version ...)
+ {DSA-4950-1}
- ansible 2.9.16+dfsg-1
[stretch] - ansible <not-affected> (Vulnerable code introduced later)
[jessie] - ansible <not-affected> (Vulnerable code introduced later)
@@ -121534,6 +121564,7 @@ CVE-2020-1747 (A vulnerability was discovered in the PyYAML library in versions
[jessie] - pyyaml <not-affected> (Loader/Constructor classes are unsafe in this version)
NOTE: https://github.com/yaml/pyyaml/pull/386
CVE-2020-1746 (A flaw was found in the Ansible Engine affecting Ansible Engine versio ...)
+ {DSA-4950-1}
- ansible 2.9.7+dfsg-1
[stretch] - ansible <not-affected> (Vulnerable code introduced later)
[jessie] - ansible <not-affected> (Vulnerable code introduced later)
@@ -121555,13 +121586,13 @@ CVE-2020-1742 (An insecure modification vulnerability flaw was found in containe
CVE-2020-1741 (A flaw was found in openshift-ansible. OpenShift Container Platform (O ...)
NOT-FOR-US: openshift-ansible
CVE-2020-1740 (A flaw was found in Ansible Engine when using Ansible Vault for editin ...)
- {DLA-2202-1}
+ {DSA-4950-1 DLA-2202-1}
- ansible 2.9.7+dfsg-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1802193
NOTE: https://github.com/ansible/ansible/issues/67798
NOTE: https://github.com/ansible/ansible/pull/68644
CVE-2020-1739 (A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9 ...)
- {DLA-2202-1}
+ {DSA-4950-1 DLA-2202-1}
- ansible 2.9.7+dfsg-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1802178
NOTE: https://github.com/ansible/ansible/issues/67797
@@ -121588,6 +121619,7 @@ CVE-2020-1736 (A flaw was found in Ansible Engine when a file is moved using ato
NOTE: CVE-2020-1736 one should specify a mode parameter in all file-based tasks
NOTE: that accept it, cf. https://github.com/ansible/ansible/commit/7eec8e4d268d6711f317583974e9e936083de636
CVE-2020-1735 (A flaw was found in the Ansible Engine when the fetch module is used. ...)
+ {DSA-4950-1}
- ansible 2.9.7+dfsg-1
[jessie] - ansible <not-affected> (No remote expansion in fetch module)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1802085
@@ -121605,7 +121637,7 @@ CVE-2020-1734 (A flaw was found in the pipe lookup plugin of ansible. Arbitrary
NOTE: Upstream considers this intended functionality and delegates it up to the
NOTE: playbook author to ensure they use the quote filter.
CVE-2020-1733 (A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2. ...)
- {DLA-2202-1}
+ {DSA-4950-1 DLA-2202-1}
- ansible 2.9.7+dfsg-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1801735
NOTE: https://github.com/ansible/ansible/issues/67791
@@ -137872,7 +137904,7 @@ CVE-2019-14905 (A vulnerability was found in Ansible Engine versions 2.9.x befor
NOTE: https://github.com/ansible/ansible/pull/65423
NOTE: https://github.com/ansible/ansible/blob/stable-2.2/CHANGELOG.md
CVE-2019-14904 (A flaw was found in the solaris_zone module from the Ansible Community ...)
- {DLA-2535-1}
+ {DSA-4950-1 DLA-2535-1}
- ansible 2.9.4+dfsg-1 (low)
[jessie] - ansible <not-affected> (Vulnerable module first bundled in 2.0)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1776944
@@ -138086,6 +138118,7 @@ CVE-2019-14865 (A flaw was found in the grub2-set-bootflag utility of grub2. A l
NOTE: https://seclists.org/oss-sec/2019/q4/101
NOTE: Red Hat-specific patch, get added as 0131-Add-grub-set-bootflag-utility.patch in their SRPM
CVE-2019-14864 (Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible v ...)
+ {DSA-4950-1}
- ansible 2.9.2+dfsg-1 (low; bug #943768)
[stretch] - ansible <not-affected> (Vulnerable code was introduced later)
[jessie] - ansible <not-affected> (Vulnerable code introduced later)
@@ -138203,7 +138236,7 @@ CVE-2019-14847 (A flaw was found in samba 4.0.0 before samba 4.9.15 and samba 4.
[jessie] - samba <no-dsa> (Minor issue)
NOTE: https://www.samba.org/samba/security/CVE-2019-14847.html
CVE-2019-14846 (In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, an ...)
- {DLA-2535-1 DLA-2202-1}
+ {DSA-4950-1 DLA-2535-1 DLA-2202-1}
- ansible 2.8.6+dfsg-1 (low; bug #942188)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1755373
NOTE: https://github.com/ansible/ansible/pull/63366
@@ -152768,6 +152801,7 @@ CVE-2019-14856 (ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a
NOTE: https://github.com/ansible/ansible/pull/63351
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1760829
CVE-2019-10206 (ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2 ...)
+ {DSA-4950-1}
- ansible 2.8.6+dfsg-1 (bug #933005)
[jessie] - ansible <not-affected> (Vulnerable code introduced later, password templating code introduced with 2.0 refactoring, '{{' supported in passwords)
NOTE: https://github.com/ansible/ansible/pull/59246
@@ -152991,7 +153025,7 @@ CVE-2019-10158 (A flaw was found in Infinispan through version 9.4.14.Final. An
CVE-2019-10157 (It was found that Keycloak's Node.js adapter before version 4.8.3 did ...)
NOT-FOR-US: Keycloak
CVE-2019-10156 (A flaw was discovered in the way Ansible templating was implemented in ...)
- {DLA-2535-1 DLA-1923-1}
+ {DSA-4950-1 DLA-2535-1 DLA-1923-1}
- ansible 2.8.3+dfsg-1 (low; bug #930065)
NOTE: https://github.com/ansible/ansible/pull/57188
CVE-2019-10155 (The Libreswan Project has found a vulnerability in the processing of I ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0938f3a7282f96b9cd5722b87a15ae9aca53c92f
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0938f3a7282f96b9cd5722b87a15ae9aca53c92f
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210807/96479ec7/attachment.htm>
More information about the debian-security-tracker-commits
mailing list