[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Tue Feb 9 08:10:27 GMT 2021
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
65dd9a02 by security tracker role at 2021-02-09T08:10:19+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,27 @@
+CVE-2021-26918 (The ProBot bot through 2021-02-08 for Discord might allow attackers to ...)
+ TODO: check
+CVE-2021-26917 (** DISPUTED ** PyBitmessage through 0.6.3.2 allows attackers to write ...)
+ TODO: check
+CVE-2021-26916 (In nopCommerce 4.30, a Reflected XSS issue in the Discount Coupon comp ...)
+ TODO: check
+CVE-2021-26915 (NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthent ...)
+ TODO: check
+CVE-2021-26914 (NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthent ...)
+ TODO: check
+CVE-2021-26913 (NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthent ...)
+ TODO: check
+CVE-2021-26912 (NetMotion Mobility before 11.73 and 12.x before 12.02 allows unauthent ...)
+ TODO: check
+CVE-2021-26911
+ RESERVED
+CVE-2021-26909
+ RESERVED
+CVE-2021-26908
+ RESERVED
+CVE-2021-26907
+ RESERVED
+CVE-2021-26906
+ RESERVED
CVE-2021-3402
RESERVED
CVE-2021-26905 (1Password SCIM Bridge before 1.6.2 mishandles validation of requests f ...)
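Review bot: CVE-2021-26915 through CVE-2021-26912 are added as four separate "TODO: check" items although all four carry the same NetMotion Mobility description prefix. Triage them in one pass so they end up with the same status line. The new RESERVED run skips from CVE-2021-26911 to CVE-2021-26909, which is expected, since CVE-2021-26910 already has its own entry further down in this same diff.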
@@ -106,7 +130,7 @@ CVE-2021-26854
RESERVED
CVE-2021-26853
RESERVED
-CVE-2021-26910 [root privilege escalation in OverlayFS code]
+CVE-2021-26910 (Firejail before 0.9.64.4 allows attackers to bypass intended access re ...)
- firejail 0.9.64.4-1
NOTE: https://www.openwall.com/lists/oss-security/2021/02/08/5
NOTE: Fix (disabled overlayfs): https://github.com/netblue30/firejail/commit/97d8a03cad19501f017587cc4e47d8418273834b
@@ -729,14 +753,14 @@ CVE-2021-26579
RESERVED
CVE-2021-26578
RESERVED
-CVE-2021-26577
- RESERVED
-CVE-2021-26576
- RESERVED
-CVE-2021-26575
- RESERVED
-CVE-2021-26574
- RESERVED
+CVE-2021-26577 (The Baseboard Management Controller (BMC) firmware in HPE Apollo 70 Sy ...)
+ TODO: check
+CVE-2021-26576 (The Baseboard Management Controller (BMC) firmware in HPE Apollo 70 Sy ...)
+ TODO: check
+CVE-2021-26575 (The Baseboard Management Controller (BMC) firmware in HPE Apollo 70 Sy ...)
+ TODO: check
+CVE-2021-26574 (The Baseboard Management Controller (BMC) firmware in HPE Apollo 70 Sy ...)
+ TODO: check
CVE-2021-26573 (The Baseboard Management Controller (BMC) firmware in HPE Apollo 70 Sy ...)
NOT-FOR-US: HPE
CVE-2021-26572 (The Baseboard Management Controller (BMC) firmware in HPE Apollo 70 Sy ...)
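Review bot: CVE-2021-26577 through CVE-2021-26574 move from RESERVED to "TODO: check", but the entry directly below them, CVE-2021-26573, shows the same HPE Apollo 70 BMC firmware description and is already marked "NOT-FOR-US: HPE". Suggest resolving the four new TODOs to that same NOT-FOR-US line so the series is triaged consistently.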
@@ -915,12 +939,12 @@ CVE-2021-26532
RESERVED
CVE-2021-26531
RESERVED
-CVE-2021-26530
- RESERVED
-CVE-2021-26529
- RESERVED
-CVE-2021-26528
- RESERVED
+CVE-2021-26530 (The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 (compile ...)
+ TODO: check
+CVE-2021-26529 (The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 and 6.7- ...)
+ TODO: check
+CVE-2021-26528 (The mg_http_serve_file function in Cesanta Mongoose HTTP server 7.0 is ...)
+ TODO: check
CVE-2021-26527
RESERVED
CVE-2021-26526
@@ -1593,8 +1617,8 @@ CVE-2021-3296
RESERVED
CVE-2021-3295
RESERVED
-CVE-2021-3294
- RESERVED
+CVE-2021-3294 (CASAP Automated Enrollment System 1.0 is affected by cross-site script ...)
+ TODO: check
CVE-2021-3293 (emlog v5.3.1 has full path disclosure vulnerability in t/index.php, wh ...)
TODO: check
CVE-2021-3292
@@ -1663,12 +1687,12 @@ CVE-2021-26224
RESERVED
CVE-2021-26223
RESERVED
-CVE-2021-26222
- RESERVED
-CVE-2021-26221
- RESERVED
-CVE-2021-26220
- RESERVED
+CVE-2021-26222 (The ezxml_new function in ezXML 0.8.6 and earlier is vulnerable to OOB ...)
+ TODO: check
+CVE-2021-26221 (The ezxml_new function in ezXML 0.8.6 and earlier is vulnerable to OOB ...)
+ TODO: check
+CVE-2021-26220 (The ezxml_toxml function in ezxml 0.8.6 and earlier is vulnerable to O ...)
+ TODO: check
CVE-2021-26219
RESERVED
CVE-2021-26218
@@ -2343,8 +2367,8 @@ CVE-2021-25915
RESERVED
CVE-2021-25914
RESERVED
-CVE-2021-25913
- RESERVED
+CVE-2021-25913 (Prototype pollution vulnerability in ‘set-or-get’ version ...)
+ TODO: check
CVE-2021-25912 (Prototype pollution vulnerability in 'dotty' versions 0.0.1 through 0. ...)
NOT-FOR-US: Node dotty
CVE-2018-25003
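Review bot: The imported description for CVE-2021-25913 uses typographic quotes around ‘set-or-get’ where the adjacent CVE-2021-25912 line uses ASCII quotes around 'dotty', and the visible text is cut off noticeably earlier than its neighbours. It is worth checking how the description import and truncation handle non-ASCII characters. The entry itself looks like a candidate for the same kind of "NOT-FOR-US: Node ..." status that CVE-2021-25912 has.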
@@ -7118,6 +7142,7 @@ CVE-2021-3115 (Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerab
NOTE: explicitly in PATH and running 'go get' outside of a module or with module
NOTE: mode disabled.
CVE-2021-3114 (In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go ...)
+ {DSA-4848-1}
- golang-1.15 1.15.7-1
- golang-1.11 <removed>
- golang-1.8 <removed>
@@ -9919,8 +9944,8 @@ CVE-2021-22504
RESERVED
CVE-2021-22503
RESERVED
-CVE-2021-22502
- RESERVED
+CVE-2021-22502 (Remote Code execution vulnerability in Micro Focus Operation Bridge Re ...)
+ TODO: check
CVE-2021-22501
RESERVED
CVE-2021-22500 (Cross Site Request Forgery vulnerability in Micro Focus Application Pe ...)
@@ -11995,16 +12020,16 @@ CVE-2020-36154 (The Application Wrapper in Pearson VUE VTS Installer 2.3.1911 ha
NOT-FOR-US: Pearson VUE VTS Installer
CVE-2020-36153
RESERVED
-CVE-2020-36152
- RESERVED
-CVE-2020-36151
- RESERVED
-CVE-2020-36150
- RESERVED
-CVE-2020-36149
- RESERVED
-CVE-2020-36148
- RESERVED
+CVE-2020-36152 (Buffer overflow in readDataVar in hdf/dataobject.c in Symonics libmyso ...)
+ TODO: check
+CVE-2020-36151 (Incorrect handling of input data in mysofa_resampler_reset_mem functio ...)
+ TODO: check
+CVE-2020-36150 (Incorrect handling of input data in loudness function in the libmysofa ...)
+ TODO: check
+CVE-2020-36149 (Incorrect handling of input data in changeAttribute function in the li ...)
+ TODO: check
+CVE-2020-36148 (Incorrect handling of input data in verifyAttribute function in the li ...)
+ TODO: check
CVE-2020-36147
RESERVED
CVE-2020-36146
@@ -13590,10 +13615,10 @@ CVE-2021-21308
RESERVED
CVE-2021-21307
RESERVED
-CVE-2021-21306
- RESERVED
-CVE-2021-21305
- RESERVED
+CVE-2021-21306 (Marked is an open-source markdown parser and compiler (npm package "ma ...)
+ TODO: check
+CVE-2021-21305 (CarrierWave is an open-source RubyGem which provides a simple and flex ...)
+ TODO: check
CVE-2021-21304 (Dynamoose is an open-source modeling tool for Amazon's DynamoDB. In Dy ...)
TODO: check
CVE-2021-21303 (Helm is open-source software which is essentially "The Kubernetes Pack ...)
@@ -13620,8 +13645,8 @@ CVE-2021-21292 (Traccar is an open source GPS tracking system. In Traccar before
NOT-FOR-US: Traccar
CVE-2021-21291 (OAuth2 Proxy is an open-source reverse proxy and static file server th ...)
TODO: check
-CVE-2021-21290
- RESERVED
+CVE-2021-21290 (Netty is an open-source, asynchronous event-driven network application ...)
+ TODO: check
CVE-2021-21289 (Mechanize is an open-source ruby library that makes automated web inte ...)
- ruby-mechanize 2.7.7-1
NOTE: https://github.com/sparklemotion/mechanize/security/advisories/GHSA-qrqm-fpv6-6r8g
@@ -13631,8 +13656,8 @@ CVE-2021-21289 (Mechanize is an open-source ruby library that makes automated we
NOTE: https://github.com/sparklemotion/mechanize/commit/b48b12f5db33c5a94a14dfcab8adf3e73cfa0388 (v2.7.7)
NOTE: https://github.com/sparklemotion/mechanize/commit/63f8779e49664d5e95fae8d42d04c8e373162b3c (v2.7.7)
NOTE: Test warnings fixup: https://github.com/sparklemotion/mechanize/commit/5b30aed33cbac9825e8978f8e36dd221cbd4c093 (v2.7.7)
-CVE-2021-21288
- RESERVED
+CVE-2021-21288 (CarrierWave is an open-source RubyGem which provides a simple and flex ...)
+ TODO: check
CVE-2021-21287 (MinIO is a High Performance Object Storage released under Apache Licen ...)
- minio <itp> (bug #859207)
CVE-2021-21286 (AVideo Platform is an open-source Audio and Video platform. It is simi ...)
@@ -13737,8 +13762,8 @@ CVE-2021-21241 (The Python "Flask-Security-Too" package is used for adding secur
NOTE: https://github.com/Flask-Middleware/flask-security/pull/422
NOTE: https://github.com/Flask-Middleware/flask-security/commit/c05afe837e83f20f59c0fb409ce1240341d1ec41 (master)
NOTE: https://github.com/Flask-Middleware/flask-security/commit/61d313150b5f620d0b800896c4f2199005e84b1f (3.4.5)
-CVE-2021-21240
- RESERVED
+CVE-2021-21240 (httplib2 is a comprehensive HTTP client library for Python. In httplib ...)
+ TODO: check
CVE-2021-21239 (PySAML2 is a pure python implementation of SAML Version 2 Standard. Py ...)
- python-pysaml2 6.5.1-1 (bug #980772)
NOTE: https://github.com/IdentityPython/pysaml2/security/advisories/GHSA-5p3x-r448-pc62
@@ -20973,8 +20998,8 @@ CVE-2020-29023
RESERVED
CVE-2020-29022
RESERVED
-CVE-2020-29021
- RESERVED
+CVE-2020-29021 (A vulnerability in web UI input field of GateManager allows authentica ...)
+ TODO: check
CVE-2020-29020
RESERVED
CVE-2020-29019 (A stack-based buffer overflow vulnerability in FortiWeb 6.3.0 through ...)
@@ -26484,11 +26509,13 @@ CVE-2020-27847
CVE-2020-27846 (A signature verification vulnerability exists in crewjam/saml. This fl ...)
NOT-FOR-US: github.com/crewjam/saml
CVE-2020-27845 (There's a flaw in src/lib/openjp2/pi.c of openjpeg in versions prior t ...)
+ {DLA-2550-1}
- openjpeg2 2.4.0-1
[buster] - openjpeg2 <no-dsa> (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1302
NOTE: https://github.com/uclouvain/openjpeg/commit/8f5aff1dff510a964d3901d0fba281abec98ab63 (v2.4.0)
CVE-2020-27844 (A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions prior ...)
+ {DLA-2550-1}
- openjpeg2 2.4.0-1
NOTE: https://github.com/uclouvain/openjpeg/issues/1299
NOTE: https://github.com/uclouvain/openjpeg/commit/73fdf28342e4594019af26eb6a347a34eceb6296 (v2.4.0)
@@ -26501,6 +26528,7 @@ CVE-2020-27842 (There's a flaw in openjpeg's t2 encoder in versions prior to 2.4
[buster] - openjpeg2 <no-dsa> (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1294
CVE-2020-27841 (There's a flaw in openjpeg in versions prior to 2.4.0 in src/lib/openj ...)
+ {DLA-2550-1}
- openjpeg2 2.4.0-1
[buster] - openjpeg2 <no-dsa> (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1293
@@ -26579,12 +26607,14 @@ CVE-2020-27825 (A use-after-free flaw was found in kernel/trace/ring_buffer.c in
NOTE: https://git.kernel.org/linus/bbeb97464eefc65f506084fd9f18f21653e01137
CVE-2020-27824 [global-buffer-overflow read in lib-openjp2]
RESERVED
+ {DLA-2550-1}
- openjpeg2 2.4.0-1
[buster] - openjpeg2 <no-dsa> (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1286
NOTE: https://github.com/uclouvain/openjpeg/commit/6daf5f3e1ec6eff03b7982889874a3de6617db8d (v2.4.0)
CVE-2020-27823 [Heap-buffer-overflow write in lib-openjp2]
RESERVED
+ {DLA-2550-1}
- openjpeg2 2.4.0-1
NOTE: https://github.com/uclouvain/openjpeg/issues/1284
NOTE: https://github.com/uclouvain/openjpeg/commit/b2072402b7e14d22bba6fb8cde2a1e9996e9a919 (v2.4.0)
@@ -26618,6 +26648,7 @@ CVE-2020-27815
- linux 5.10.4-1
NOTE: https://www.openwall.com/lists/oss-security/2020/11/30/5
CVE-2020-27814 (A heap-buffer overflow was found in the way openjpeg2 handled certain ...)
+ {DLA-2550-1}
- openjpeg2 2.4.0-1
NOTE: https://github.com/uclouvain/openjpeg/issues/1283
NOTE: https://github.com/uclouvain/openjpeg/commit/eaa098b59b346cb88e4d10d505061f669d7134fc (v2.4.0)
@@ -33911,8 +33942,8 @@ CVE-2020-24946
RESERVED
CVE-2020-24945
RESERVED
-CVE-2020-24944
- RESERVED
+CVE-2020-24944 (picoquic (before 3rd of July 2020) allows attackers to cause a denial ...)
+ TODO: check
CVE-2020-24943
RESERVED
CVE-2020-24942
@@ -34455,8 +34486,8 @@ CVE-2020-24687
RESERVED
CVE-2020-24686
RESERVED
-CVE-2020-24685
- RESERVED
+CVE-2020-24685 (An unauthenticated specially crafted packet sent by an attacker over t ...)
+ TODO: check
CVE-2020-24684
RESERVED
CVE-2020-24683 (The affected versions of S+ Operations (version 2.1 SP1 and earlier) u ...)
@@ -50388,7 +50419,7 @@ CVE-2020-16846 (An issue was discovered in SaltStack Salt through 3002. Sending
NOTE: https://gitlab.com/saltstack/open/salt-patches/-/raw/master/patches/2020/09/02/2018.3.x.patch (2018.3.x)
NOTE: https://gitlab.com/saltstack/open/salt-patches/-/raw/master/patches/2020/09/02/2016.11.x.patch (2016.11.x)
CVE-2020-16845 (Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loo ...)
- {DLA-2460-1 DLA-2459-1}
+ {DSA-4848-1 DLA-2460-1 DLA-2459-1}
- golang-1.15 1.15~rc2-1
- golang-1.14 1.14.7-1
- golang-1.11 <removed>
@@ -53596,7 +53627,7 @@ CVE-2020-15588 (An issue was discovered in the client side of Zoho ManageEngine
CVE-2020-15587
RESERVED
CVE-2020-15586 (Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net ...)
- {DLA-2460-1 DLA-2459-1}
+ {DSA-4848-1 DLA-2460-1 DLA-2459-1}
- golang-1.15 1.15~rc1-1
- golang-1.14 1.14.6-1
- golang-1.11 <removed>
@@ -56779,8 +56810,7 @@ CVE-2020-14392 (An untrusted pointer dereference flaw was found in Perl-DBI <
- libdbi-perl 1.643-1
[buster] - libdbi-perl 1.642-1+deb10u1
NOTE: https://github.com/perl5-dbi/dbi/commit/ea99b6aafb437db53c28fd40d5eafbe119cd66e1
-CVE-2020-14391
- RESERVED
+CVE-2020-14391 (A flaw was found in the GNOME Control Center in Red Hat Enterprise Lin ...)
- gnome-settings-daemon <not-affected> (Red Hat-specific plugin)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1873093
CVE-2020-14390 (A flaw was found in the Linux kernel in versions before 5.9-rc6. When ...)
@@ -58116,8 +58146,7 @@ CVE-2020-13949
RESERVED
CVE-2020-13948 (While investigating a bug report on Apache Superset, it was determined ...)
NOT-FOR-US: Apache Superset
-CVE-2020-13947
- RESERVED
+CVE-2020-13947 (An instance of a cross-site scripting vulnerability was identified to ...)
- activemq <unfixed> (unimportant)
NOTE: Admin console not enabled in the Debian package, see #702670)
NOTE: Fixed in 5.15.13, 5.16.1
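Review bot: In the context lines under CVE-2020-13947, the NOTE "Admin console not enabled in the Debian package, see #702670)" ends with a closing parenthesis that has no opening one. Since this entry is being touched anyway, either drop the stray ")" or open the parenthesis before "see".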
@@ -59434,12 +59463,12 @@ CVE-2020-13464 (The flash memory readout protection in China Key Systems & I
NOT-FOR-US: China Key Systems & Integrated Circuit CKS32F103 devices
CVE-2020-13463 (The flash memory readout protection in Apex Microelectronics APM32F103 ...)
NOT-FOR-US: Apex Microelectronics APM32F103 devices
-CVE-2020-13462
- RESERVED
-CVE-2020-13461
- RESERVED
-CVE-2020-13460
- RESERVED
+CVE-2020-13462 (Insecure Direct Object Reference (IDOR) exists in Tufin SecureChange, ...)
+ TODO: check
+CVE-2020-13461 (Username enumeration in present in Tufin SecureTrack. It's affecting a ...)
+ TODO: check
+CVE-2020-13460 (Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were presen ...)
+ TODO: check
CVE-2020-13459 (An issue was discovered in the Image Resizer plugin before 2.0.9 for C ...)
NOT-FOR-US: Image Resizer plugin for Craft CMS
CVE-2020-13458 (An issue was discovered in the Image Resizer plugin before 2.0.9 for C ...)
@@ -59556,12 +59585,12 @@ CVE-2020-13411
RESERVED
CVE-2020-13410 (An issue was discovered in MoscaJS Aedes 0.42.0. lib/write.js does not ...)
NOT-FOR-US: MoscaJS Aedes
-CVE-2020-13409
- RESERVED
-CVE-2020-13408
- RESERVED
-CVE-2020-13407
- RESERVED
+CVE-2020-13409 (Tufin SecureTrack < R20-2 GA contains reflected + stored XSS (as in ...)
+ TODO: check
+CVE-2020-13408 (Tufin SecureTrack < R20-2 GA contains reflected + stored XSS (as in ...)
+ TODO: check
+CVE-2020-13407 (Tufin SecureTrack < R20-2 GA contains reflected + stored XSS (as in ...)
+ TODO: check
CVE-2020-13406
RESERVED
CVE-2020-13405 (userfiles/modules/users/controller/controller.php in Microweber before ...)
@@ -73405,14 +73434,14 @@ CVE-2020-8592 (eG Manager 7.1.2 allows SQL Injection via the user parameter to c
NOT-FOR-US: eG Manager
CVE-2020-8591 (eG Manager 7.1.2 allows authentication bypass via a com.egurkha.EgLogi ...)
NOT-FOR-US: eG Manager
-CVE-2020-8590
- RESERVED
+CVE-2020-8590 (Clustered Data ONTAP versions prior to 9.1P18 and 9.3P12 are susceptib ...)
+ TODO: check
CVE-2020-8589 (Clustered Data ONTAP versions prior to 9.3P20 and 9.5P15 are susceptib ...)
NOT-FOR-US: Clustered Data ONTAP
CVE-2020-8588 (Clustered Data ONTAP versions prior to 9.3P20 and 9.5P15 are susceptib ...)
NOT-FOR-US: Clustered Data ONTAP
-CVE-2020-8587
- RESERVED
+CVE-2020-8587 (OnCommand System Manager 9.x versions prior to 9.3P20 and 9.4 prior to ...)
+ TODO: check
CVE-2020-8586
RESERVED
CVE-2020-8585 (OnCommand Unified Manager Core Package versions prior to 5.2.5 may dis ...)
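Review bot: CVE-2020-8590 is added as "TODO: check" directly above CVE-2020-8589 and CVE-2020-8588, which begin with the same "Clustered Data ONTAP versions prior to" wording and are already marked "NOT-FOR-US: Clustered Data ONTAP". Suggest giving CVE-2020-8590 the same status, and deciding CVE-2020-8587 (OnCommand System Manager) in the same pass rather than leaving both as open TODOs.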
@@ -73429,8 +73458,8 @@ CVE-2020-8580 (SANtricity OS Controller Software versions 11.30 and higher are s
NOT-FOR-US: SANtricity OS Controller Software
CVE-2020-8579 (Clustered Data ONTAP versions 9.7 through 9.7P7 are susceptible to a v ...)
NOT-FOR-US: Clustered Data ONTAP
-CVE-2020-8578
- RESERVED
+CVE-2020-8578 (Clustered Data ONTAP versions prior to 9.3P20 are susceptible to a vul ...)
+ TODO: check
CVE-2020-8577 (SANtricity OS Controller Software versions 11.50.1 and higher are susc ...)
NOT-FOR-US: SANtricity OS Controller Software
CVE-2020-8576 (Clustered Data ONTAP versions prior to 9.3P19, 9.5P14, 9.6P9 and 9.7 a ...)
@@ -75179,6 +75208,7 @@ CVE-2019-20400 (The usage of Tomcat in Jira before version 8.5.2 allows local at
CVE-2020-7920 (pmm-server in Percona Monitoring and Management (PMM) 2.2.x before 2.2 ...)
NOT-FOR-US: Percona Monitoring and Management (PMM)
CVE-2020-7919 (Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte ...)
+ {DSA-4848-1}
- golang-1.14 1.14~rc1-1
- golang-1.13 1.13.7-1
- golang-1.11 <removed>
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/65dd9a0244d377a5f2948aa16a2bb5c3e02f4255