[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Tue Dec 28 20:10:33 GMT 2021
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
21f6f5fe by security tracker role at 2021-12-28T20:10:24+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,13 @@
+CVE-2021-45913
+ RESERVED
+CVE-2021-45912
+ RESERVED
+CVE-2021-44775
+ RESERVED
+CVE-2021-44465
+ RESERVED
+CVE-2021-4187
+ RESERVED
CVE-2021-45911 (An issue was discovered in gif2apng 1.9. There is a heap-based buffer ...)
- gif2apng <unfixed> (bug #1002687)
CVE-2021-45910 (An issue was discovered in gif2apng 1.9. There is a heap-based buffer ...)
@@ -16,8 +26,8 @@ CVE-2021-45905 (OpenWrt 21.02.1 allows XSS via the Traffic Rules Name screen. ..
NOT-FOR-US: OpenWrt
CVE-2021-45904 (OpenWrt 21.02.1 allows XSS via the Port Forwards Add Name screen. ...)
NOT-FOR-US: OpenWrt
-CVE-2021-45903
- RESERVED
+CVE-2021-45903 (A persistent cross-site scripting (XSS) issue in the web interface of ...)
+ TODO: check
CVE-2021-45902
RESERVED
CVE-2021-45901
@@ -206,12 +216,12 @@ CVE-2021-45816
RESERVED
CVE-2021-45815
RESERVED
-CVE-2021-45814
- RESERVED
-CVE-2021-45813
- RESERVED
-CVE-2021-45812
- RESERVED
+CVE-2021-45814 (Nettmp NNT 5.1 is affected by a SQL injection vulnerability. An attack ...)
+ TODO: check
+CVE-2021-45813 (SLICAN WebCTI 1.01 2015 is affected by a Cross Site Scripting (XSS) vu ...)
+ TODO: check
+CVE-2021-45812 (NUUO Network Video Recorder NVRsolo 3.9.1 is affected by a Cross Site ...)
+ TODO: check
CVE-2021-45811
RESERVED
CVE-2021-45810
@@ -372,8 +382,8 @@ CVE-2021-45733
RESERVED
CVE-2021-4180
RESERVED
-CVE-2021-4179
- RESERVED
+CVE-2021-4179 (livehelperchat is vulnerable to Improper Neutralization of Input Durin ...)
+ TODO: check
CVE-2021-45720 (An issue was discovered in the lru crate before 0.7.1 for Rust. The it ...)
TODO: check
CVE-2021-45719 (An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and ...)
@@ -1575,8 +1585,8 @@ CVE-2021-45427
RESERVED
CVE-2021-45426
RESERVED
-CVE-2021-45425
- RESERVED
+CVE-2021-45425 (Reflected Cross Site Scripting (XSS) in SAFARI Montage versions 8.3 an ...)
+ TODO: check
CVE-2021-45424
RESERVED
CVE-2021-45423
@@ -2532,7 +2542,7 @@ CVE-2022-21945
RESERVED
CVE-2022-21944
RESERVED
-CVE-2021-45105 (Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) di ...)
+CVE-2021-45105 (Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and ...)
{DSA-5024-1 DLA-2852-1}
- apache-log4j2 2.17.0-1 (bug #1001891)
NOTE: https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105
@@ -2649,7 +2659,7 @@ CVE-2021-42550 (In logback version 1.2.7 and prior versions, an attacker with th
NOTE: https://jira.qos.ch/browse/LOGBACK-1591
NOTE: https://github.com/qos-ch/logback/commit/21d772f2bc2ed780b01b4fe108df7e29707763f1 (v_1.2.8)
CVE-2021-44771
- RESERVED
+ REJECTED
CVE-2021-4124 (janus-gateway is vulnerable to Improper Neutralization of Input During ...)
- janus <unfixed> (unimportant)
NOTE: https://huntr.dev/bounties/a6ca142e-60aa-4d6f-b231-5d1bcd1b7190
@@ -2662,7 +2672,7 @@ CVE-2021-4122
CVE-2021-4121 (yetiforcecrm is vulnerable to Improper Neutralization of Input During ...)
NOT-FOR-US: yetiforcecrm
CVE-2021-23151
- RESERVED
+ REJECTED
CVE-2021-45100 (The ksmbd server through 3.4.2, as used in the Linux kernel through 5. ...)
- linux <unfixed> (unimportant)
[bullseye] - linux <not-affected> (Vulnerable code not present)
@@ -5235,7 +5245,7 @@ CVE-2021-44230 (PortSwigger Burp Suite Enterprise Edition before 2021.11 on Wind
NOT-FOR-US: Burp Suite (different from src:burp)
CVE-2021-44229
RESERVED
-CVE-2021-44228 (Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI ...)
+CVE-2021-44228 (Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2. ...)
{DSA-5020-1 DLA-2842-1}
- apache-log4j2 2.15.0-1 (bug #1001478)
- apache-log4j1.2 <not-affected> (Vulnerable code not present)
@@ -7998,12 +8008,12 @@ CVE-2021-3941
NOTE: Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/a0cfa81153b2464b864c5fe39a53cb03339092ed
CVE-2021-3940
RESERVED
-CVE-2021-43556
- RESERVED
+CVE-2021-43556 (FATEK WinProladder Versions 3.30_24518 and prior are vulnerable to a s ...)
+ TODO: check
CVE-2021-43555 (mySCADA myDESIGNER Versions 8.20.0 and prior fails to properly validat ...)
NOT-FOR-US: mySCADA myDESIGNER
-CVE-2021-43554
- RESERVED
+CVE-2021-43554 (FATEK WinProladder Versions 3.30_24518 and prior are vulnerable to an ...)
+ TODO: check
CVE-2021-43553 (PI Vision could disclose information to a user with insufficient privi ...)
NOT-FOR-US: OSIsoft
CVE-2021-43552 (The use of a hard-coded cryptographic key significantly increases the ...)
@@ -11386,8 +11396,8 @@ CVE-2021-42585
RESERVED
CVE-2021-42584 (A Stored Cross Site Scripting (XSS) issue exists in Convos-Chat before ...)
NOT-FOR-US: Convos-Chat
-CVE-2021-42583
- RESERVED
+CVE-2021-42583 (A Broken or Risky Cryptographic Algorithm exists in Max Mazurov Maddy ...)
+ TODO: check
CVE-2021-42582
RESERVED
CVE-2021-42581
@@ -17431,8 +17441,8 @@ CVE-2021-40581
RESERVED
CVE-2021-40580
RESERVED
-CVE-2021-40579
- RESERVED
+CVE-2021-40579 (https://www.sourcecodester.com/ Online Enrollment Management System in ...)
+ TODO: check
CVE-2021-40578 (Authenticated Blind & Error-based SQL injection vulnerability was ...)
NOT-FOR-US: Online Enrollment Management System in PHP and PayPal Free Source Code
CVE-2021-40577 (A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecode ...)
@@ -25303,10 +25313,10 @@ CVE-2021-3660
[bullseye] - cockpit <ignored> (Minor issue)
[buster] - cockpit <ignored> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1980688
-CVE-2021-37401
- RESERVED
-CVE-2021-37400
- RESERVED
+CVE-2021-37401 (An attacker may obtain the user credentials from file servers, backup ...)
+ TODO: check
+CVE-2021-37400 (An attacker may obtain the user credentials from the communication bet ...)
+ TODO: check
CVE-2021-37399
RESERVED
CVE-2021-37398
@@ -28795,7 +28805,7 @@ CVE-2021-35942 (The wordexp function in the GNU C Library (aka glibc) through 2.
CVE-2021-35941 (Western Digital WD My Book Live (2.x and later) and WD My Book Live Du ...)
NOT-FOR-US: Western Digital
CVE-2021-3630 (An out-of-bounds write vulnerability was found in DjVuLibre in DJVU::D ...)
- {DLA-2702-1}
+ {DSA-5032-1 DLA-2702-1}
- djvulibre 3.5.27.1-12
NOTE: https://sourceforge.net/p/djvu/bugs/302/
NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/7b0ef20690e08f1fe124aebbf42f6310e2f40f81/
@@ -30889,10 +30899,10 @@ CVE-2021-35034
RESERVED
CVE-2021-35033 (A vulnerability in specific versions of Zyxel NBG6818, NBG7815, WSQ20, ...)
NOT-FOR-US: Zyxel
-CVE-2021-35032
- RESERVED
-CVE-2021-35031
- RESERVED
+CVE-2021-35032 (A vulnerability in the 'libsal.so' of the Zyxel GS1900 series firmware ...)
+ TODO: check
+CVE-2021-35031 (A vulnerability in the TFTP client of Zyxel GS1900 series firmware, XG ...)
+ TODO: check
CVE-2021-35030 (A vulnerability was found in the CGI program in Zyxel GS1900-8 firmwar ...)
NOT-FOR-US: Zyxel
CVE-2021-35029 (An authentication bypasss vulnerability in the web-based management in ...)
@@ -37092,22 +37102,22 @@ CVE-2021-3546 (An out-of-bounds write vulnerability was found in the virtio vhos
CVE-2021-3542
REJECTED
CVE-2021-32493 (A flaw was found in djvulibre-3.5.28 and earlier. A heap buffer overfl ...)
- {DLA-2667-1}
+ {DSA-5032-1 DLA-2667-1}
- djvulibre 3.5.28-2
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1943424
NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6/ (chunk #3 / Patch12)
CVE-2021-32492 (A flaw was found in djvulibre-3.5.28 and earlier. An out of bounds rea ...)
- {DLA-2667-1}
+ {DSA-5032-1 DLA-2667-1}
- djvulibre 3.5.28-2
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1943410
NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6/ (chunk #1 / Patch10)
CVE-2021-32491 (A flaw was found in djvulibre-3.5.28 and earlier. An integer overflow ...)
- {DLA-2667-1}
+ {DSA-5032-1 DLA-2667-1}
- djvulibre 3.5.28-2
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1943409
NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6/ (chunk #5 / Patch9)
CVE-2021-32490 (A flaw was found in djvulibre-3.5.28 and earlier. An out of bounds wri ...)
- {DLA-2667-1}
+ {DSA-5032-1 DLA-2667-1}
- djvulibre 3.5.28-2
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1943408
NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/cd8b5c97b27a5c1dc83046498b6ca49ad20aa9b6/ (chunk #4 / Patch8)
@@ -40014,7 +40024,7 @@ CVE-2021-3502 (A flaw was found in avahi 0.8-5. A reachable assertion is present
NOTE: Fixed by: https://github.com/lathiat/avahi/commit/9d31939e55280a733d930b15ac9e4dda4497680c
NOTE: Introduced by: https://github.com/lathiat/avahi/commit/80c98fa16782e921f5b5d5c880f1d80f5c43bd49 (v0.8)
CVE-2021-3500 (A flaw was found in djvulibre-3.5.28 and earlier. A Stack overflow in ...)
- {DLA-2667-1}
+ {DSA-5032-1 DLA-2667-1}
- djvulibre 3.5.28-2 (bug #988215)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1943685
NOTE: Patch in Fedora (not upstream'ed): https://src.fedoraproject.org/rpms/djvulibre/c/fc359410f7131e4ea0a892ef78e6da72f29afeee.patch
@@ -60304,8 +60314,8 @@ CVE-2021-3097
RESERVED
CVE-2021-3096
RESERVED
-CVE-2021-3095
- RESERVED
+CVE-2021-3095 (A remote attacker with write access to PI Vision could inject code int ...)
+ TODO: check
CVE-2021-3094
RESERVED
CVE-2021-3093
@@ -60314,8 +60324,8 @@ CVE-2021-3092
RESERVED
CVE-2021-3091
RESERVED
-CVE-2021-3090
- RESERVED
+CVE-2021-3090 (PI Vision could disclose information to a user with insufficient privi ...)
+ TODO: check
CVE-2021-3089
RESERVED
CVE-2021-3088
@@ -140147,8 +140157,8 @@ CVE-2019-20084
RESERVED
CVE-2019-20083
RESERVED
-CVE-2019-20082
- RESERVED
+CVE-2019-20082 (ASUS RT-N53 3.0.0.4.376.3754 devices have a buffer overflow via a long ...)
+ TODO: check
CVE-2019-20081
RESERVED
CVE-2019-20080
@@ -148933,7 +148943,7 @@ CVE-2019-18805 (An issue was discovered in net/ipv4/sysctl_net_ipv4.c in the Lin
[jessie] - linux <not-affected> (Vulnerable code introduced later)
NOTE: https://git.kernel.org/linus/19fad20d15a6494f47f85d869f00b11343ee5c78
CVE-2019-18804 (DjVuLibre 3.5.27 has a NULL pointer dereference in the function DJVU:: ...)
- {DLA-2667-1 DLA-1985-1}
+ {DSA-5032-1 DLA-2667-1 DLA-1985-1}
- djvulibre 3.5.27.1-14 (bug #945114)
NOTE: https://sourceforge.net/p/djvu/bugs/309/
NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/c8bec6549c10ffaa2f2fbad8bbc629efdf0dd125/
@@ -162511,22 +162521,22 @@ CVE-2019-15147 (GoPro GPMF-parser 1.2.2 has an out-of-bounds read and SEGV in GP
CVE-2019-15146 (GoPro GPMF-parser 1.2.2 has a heap-based buffer over-read (4 bytes) in ...)
NOT-FOR-US: gpmf-parser
CVE-2019-15145 (DjVuLibre 3.5.27 allows attackers to cause a denial-of-service attack ...)
- {DLA-2667-1 DLA-1902-1}
+ {DSA-5032-1 DLA-2667-1 DLA-1902-1}
- djvulibre 3.5.27.1-11 (low)
NOTE: https://sourceforge.net/p/djvu/bugs/298/
NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/9658b01431cd7ff6344d7787f855179e73fe81a7/
CVE-2019-15144 (In DjVuLibre 3.5.27, the sorting functionality (aka GArrayTemplate< ...)
- {DLA-2667-1 DLA-1902-1}
+ {DSA-5032-1 DLA-2667-1 DLA-1902-1}
- djvulibre 3.5.27.1-11 (low)
NOTE: https://sourceforge.net/p/djvu/bugs/299/
NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/e15d51510048927f172f1bf1f27ede65907d940d/
CVE-2019-15143 (In DjVuLibre 3.5.27, the bitmap reader component allows attackers to c ...)
- {DLA-2667-1 DLA-1902-1}
+ {DSA-5032-1 DLA-2667-1 DLA-1902-1}
- djvulibre 3.5.27.1-11 (low)
NOTE: https://sourceforge.net/p/djvu/bugs/297/
NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/b1f4e1b2187d9e5010cd01ceccf20b4a11ce723f/
CVE-2019-15142 (In DjVuLibre 3.5.27, DjVmDir.cpp in the DJVU reader component allows a ...)
- {DLA-2667-1 DLA-1902-1}
+ {DSA-5032-1 DLA-2667-1 DLA-1902-1}
- djvulibre 3.5.27.1-11 (low)
NOTE: https://sourceforge.net/p/djvu/bugs/296/
NOTE: https://sourceforge.net/p/djvu/djvulibre-git/ci/970fb11a296b5bbdc5e8425851253d2c5913c45e/
@@ -186348,7 +186358,7 @@ CVE-2019-7651 (EPP.sys in Emsisoft Anti-Malware prior to version 2018.12 allows
CVE-2019-7650
RESERVED
CVE-2019-7653 (The Debian python-rdflib-tools 4.2.2-1 package for RDFLib 4.2.2 has CL ...)
- {DLA-1717-1}
+ {DLA-2861-1 DLA-1717-1}
- rdflib 4.2.2-2 (low; bug #921751)
NOTE: Debian specific issue as respective scripts are overwritten in Debian
NOTE: packaging as wrappers invoking python -m.
@@ -211649,7 +211659,7 @@ CVE-2018-1000807 (Python Cryptographic Authority pyopenssl version prior to vers
NOTE: https://github.com/pyca/pyopenssl/pull/723
NOTE: https://github.com/pyca/pyopenssl/commit/e73818600065821d588af475b024f4eb518c3509
CVE-2018-1000805 (Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 con ...)
- {DLA-1556-1}
+ {DLA-2860-1 DLA-1556-1}
- paramiko 2.4.2-0.1 (bug #910760)
NOTE: https://github.com/paramiko/paramiko/issues/1283
NOTE: https://github.com/paramiko/paramiko/commit/56c96a659658acdbb873aef8809a7b508434dcce
@@ -212128,8 +212138,8 @@ CVE-2018-17877 (A lottery smart contract implementation for Greedy 599, an Ether
NOT-FOR-US: Greedy 599
CVE-2018-17876 (A Stored XSS vulnerability has been discovered in the v5.5.0 version o ...)
NOT-FOR-US: Coaster CMS
-CVE-2018-17875
- RESERVED
+CVE-2018-17875 (A remote code execution issue in the ping command on Poly Trio 8800 5. ...)
+ TODO: check
CVE-2018-17874 (ExpressionEngine before 4.3.5 has reflected XSS. ...)
NOT-FOR-US: ExpressionEngine
CVE-2018-17873 (An incorrect access control vulnerability in the FTP configuration of ...)
@@ -238931,7 +238941,7 @@ CVE-2018-7751 (The svg_probe function in libavformat/img2dec.c in FFmpeg through
- libav <not-affected> (Vulnerable code not present)
NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/a6cba062051f345e8ebfdff34aba071ed73d923f
CVE-2018-7750 (transport.py in the SSH server implementation of Paramiko before 1.17. ...)
- {DLA-1556-1}
+ {DLA-2860-1 DLA-1556-1}
- paramiko 2.4.2-0.1 (bug #892859)
[wheezy] - paramiko <no-dsa> (Minor issue)
NOTE: https://github.com/paramiko/paramiko/issues/1175
@@ -332004,7 +332014,7 @@ CVE-2016-3738 (Red Hat OpenShift Enterprise 3.2 does not properly restrict acces
CVE-2016-3737 (The server in Red Hat JBoss Operations Network (JON) before 3.3.6 allo ...)
NOT-FOR-US: Red Hat / JBoss Operations Network server
CVE-2016-3736
- RESERVED
+ REJECTED
CVE-2016-3735
RESERVED
CVE-2016-3734 (Cross-site request forgery (CSRF) vulnerability in markposts.php in Mo ...)
@@ -333631,7 +333641,7 @@ CVE-2016-3104 (mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow
NOTE: MongoDB 2.4 installation with authentication enabled, upgraded
NOTE: to 2.6, and did not complete a full upgrade
CVE-2016-3103
- RESERVED
+ REJECTED
CVE-2016-3102 (The Script Security plugin before 1.18.1 in Jenkins might allow remote ...)
- jenkins <removed>
CVE-2016-3101 (Cross-site scripting (XSS) vulnerability in the Extra Columns plugin b ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21f6f5fe1b93a2d0b59ae0d7db49880dd3972c06
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21f6f5fe1b93a2d0b59ae0d7db49880dd3972c06
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20211228/6ec09d05/attachment.htm>
More information about the debian-security-tracker-commits
mailing list