[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Mon Feb 15 20:10:30 GMT 2021 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c6974682 by security tracker role at 2021-02-15T20:10:22+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,15 @@
+CVE-2021-27223
+	RESERVED
+CVE-2021-27222
+	RESERVED
+CVE-2021-27221
+	RESERVED
+CVE-2021-27220
+	RESERVED
+CVE-2021-27217
+	RESERVED
+CVE-2021-27216
+	RESERVED
 CVE-2021-27215
 	RESERVED
 CVE-2021-27214
@@ -11,8 +23,8 @@ CVE-2021-27212 (In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an asse
 	NOTE: https://bugs.openldap.org/show_bug.cgi?id=9454
 	NOTE: trunk: https://git.openldap.org/openldap/openldap/-/commit/3539fc33212b528c56b716584f2c2994af7c30b0
 	NOTE: REL_ENG 2.4.x: https://git.openldap.org/openldap/openldap/-/commit/9badb73425a67768c09bcaed1a9c26c684af6c30
-CVE-2021-27211
-	RESERVED
+CVE-2021-27211 (steghide 0.5.1 relies on a certain 32-bit seed value, which makes it e ...)
+	TODO: check
 CVE-2021-27210 (TP-Link Archer C5v 1.7_181221 devices allows remote attackers to retri ...)
 	NOT-FOR-US: TP-Link
 CVE-2021-27209 (In the management interface on TP-Link Archer C5v 1.7_181221 devices,  ...)
@@ -40,8 +52,8 @@ CVE-2021-27202
 CVE-2021-XXXX [several security fixes: PHP injections, XSS and secrets stored in session file]
 	- spip 3.2.9-1
 	TODO: needs possibly CVE requests for individual issues
-CVE-2021-27201
-	RESERVED
+CVE-2021-27201 (Endian Firewall Community (aka EFW) 3.3.2 allows remote authenticated  ...)
+	TODO: check
 CVE-2021-27200
 	RESERVED
 CVE-2021-27199
@@ -828,10 +840,10 @@ CVE-2021-21299 (hyper is an open-source HTTP library for Rust (crates.io). In hy
 	- rust-hyper <unfixed>
 	NOTE: https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0020.html
-CVE-2021-27218 [Integer overflow in g_byte_array_new_take()/g_bytes_unref_to_array() on 64-bit platforms]
+CVE-2021-27218 (An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before  ...)
 	- glib2.0 2.66.7-1 (bug #982779)
 	NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1942
-CVE-2021-27219 [GHSL-2021-045: integer overflow in g_bytes_new/g_memdup]
+CVE-2021-27219 (An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before  ...)
 	- glib2.0 2.66.6-1 (bug #982778)
 	NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2319
 CVE-2021-26842
@@ -1538,8 +1550,8 @@ CVE-2021-3377
 	RESERVED
 CVE-2021-3376
 	RESERVED
-CVE-2021-3375
-	RESERVED
+CVE-2021-3375 (ActivePresenter 6.1.6 is affected by a memory corruption vulnerability ...)
+	TODO: check
 CVE-2021-3374
 	RESERVED
 CVE-2021-3373
@@ -4670,14 +4682,14 @@ CVE-2021-25301
 	RESERVED
 CVE-2021-25300
 	RESERVED
-CVE-2021-25299
-	RESERVED
-CVE-2021-25298
-	RESERVED
-CVE-2021-25297
-	RESERVED
-CVE-2021-25296
-	RESERVED
+CVE-2021-25299 (Nagios XI version xi-5.7.5 is affected by cross-site scripting (XSS).  ...)
+	TODO: check
+CVE-2021-25298 (Nagios XI version xi-5.7.5 is affected by OS command injection. The vu ...)
+	TODO: check
+CVE-2021-25297 (Nagios XI version xi-5.7.5 is affected by OS command injection. The vu ...)
+	TODO: check
+CVE-2021-25296 (Nagios XI version xi-5.7.5 is affected by OS command injection. The vu ...)
+	TODO: check
 CVE-2021-25295 (OpenCATS through 0.9.5-3 has multiple Cross-site Scripting (XSS) issue ...)
 	NOT-FOR-US: OpenCATS
 CVE-2021-25294 (OpenCATS through 0.9.5-3 unsafely deserializes index.php?m=activity re ...)
@@ -8816,12 +8828,12 @@ CVE-2021-23340
 	RESERVED
 CVE-2021-23339
 	RESERVED
-CVE-2021-23338
-	RESERVED
-CVE-2021-23337
-	RESERVED
-CVE-2021-23336
-	RESERVED
+CVE-2021-23338 (This affects all versions of package qlib. The workflow function in cl ...)
+	TODO: check
+CVE-2021-23337 (All versions of package lodash; all versions of package org.fujion.web ...)
+	TODO: check
+CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 3.7.0 and be ...)
+	TODO: check
 CVE-2021-23335 (All versions of package is-user-valid are vulnerable to LDAP Injection ...)
 	NOT-FOR-US: Node is-user-valid
 CVE-2021-23334 (All versions of package static-eval are vulnerable to Arbitrary Code E ...)
@@ -13686,8 +13698,8 @@ CVE-2020-35777 (NETGEAR DGN2200v1 devices before v1.0.0.58 are affected by comma
 	NOT-FOR-US: Netgear
 CVE-2020-35776
 	RESERVED
-CVE-2020-35775
-	RESERVED
+CVE-2020-35775 (CITSmart before 9.1.2.23 allows LDAP Injection. ...)
+	TODO: check
 CVE-2020-35774 (server/handler/HistogramQueryHandler.scala in Twitter TwitterServer (a ...)
 	NOT-FOR-US: Twitter TwitterServer
 CVE-2020-35773 (The site-offline plugin before 1.4.4 for WordPress lacks certain wp_cr ...)
@@ -17352,8 +17364,7 @@ CVE-2020-35513 (A flaw incorrect umask during file or directory modification in
 	[stretch] - linux <not-affected> (Vulnerable code introduce later)
 	NOTE: https://git.kernel.org/linus/880a3a5325489a143269a8e172e7563ebf9897bc
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1911309
-CVE-2020-35512
-	RESERVED
+CVE-2020-35512 (A use-after-free flaw was found in D-Bus 1.12.20 when a system has mul ...)
 	- dbus 1.12.20-1
 	[buster] - dbus 1.12.20-0+deb10u1
 	[stretch] - dbus 1.10.32-0+deb9u1
@@ -17432,6 +17443,7 @@ CVE-2020-35499
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1910048
 	NOTE: https://git.kernel.org/linus/f6b8c6b5543983e9de29dc14716bfa4eb3f157c4
 CVE-2020-35498 (A vulnerability was found in openvswitch. A limitation in the implemen ...)
+	{DSA-4852-1}
 	- openvswitch 2.15.0~git20210104.def6eb1ea+dfsg1-5 (bug #982493)
 	NOTE: master: https://github.com/openvswitch/ovs/commit/79349cbab0b2a755140eedb91833ad2760520a83
 	NOTE: 2.15: https://github.com/openvswitch/ovs/commit/0625dc79aec73b966f206e55655a2816696246d0
@@ -21715,8 +21727,8 @@ CVE-2020-29033
 	RESERVED
 CVE-2020-29032
 	RESERVED
-CVE-2020-29031
-	RESERVED
+CVE-2020-29031 (An Insecure Direct Object Reference vulnerability exists in the web UI ...)
+	TODO: check
 CVE-2020-29030
 	RESERVED
 CVE-2020-29029
@@ -21725,8 +21737,8 @@ CVE-2020-29028
 	RESERVED
 CVE-2020-29027
 	RESERVED
-CVE-2020-29026
-	RESERVED
+CVE-2020-29026 (A directory traversal vulnerability exists in the file upload function ...)
+	TODO: check
 CVE-2020-29025
 	RESERVED
 CVE-2020-29024
@@ -24063,8 +24075,8 @@ CVE-2020-28502
 	RESERVED
 CVE-2020-28501
 	RESERVED
-CVE-2020-28500
-	RESERVED
+CVE-2020-28500 (All versions of package lodash; all versions of package org.fujion.web ...)
+	TODO: check
 CVE-2020-28499
 	RESERVED
 CVE-2020-28498 (The package elliptic before 6.5.4 are vulnerable to Cryptographic Issu ...)
@@ -24119,7 +24131,8 @@ CVE-2020-28478 (This affects the package gsap before 3.6.0. ...)
 	NOT-FOR-US: Node gsap
 CVE-2020-28477 (This affects all versions of package immer. ...)
 	NOT-FOR-US: Node immer
-CVE-2020-28476 (All versions of package tornado are vulnerable to Web Cache Poisoning  ...)
+CVE-2020-28476
+	REJECTED
 	- python-tornado <unfixed>
 	[buster] - python-tornado <no-dsa> (Minor issue)
 	[stretch] - python-tornado <no-dsa> (Minor issue)
@@ -34776,8 +34789,8 @@ CVE-2020-24901 (The default installation of Krpano Panorama Viewer version <=
 	NOT-FOR-US: Krpano Panorama Viewer
 CVE-2020-24900 (The default installation of Krpano Panorama Viewer version <=1.20.8 ...)
 	NOT-FOR-US: Krpano Panorama Viewer
-CVE-2020-24899
-	RESERVED
+CVE-2020-24899 (Nagios XI 5.7.2 is affected by a remote code execution (RCE) vulnerabi ...)
+	TODO: check
 CVE-2020-24898 (The Table Filter and Charts for Confluence Server app before 5.3.26 (f ...)
 	NOT-FOR-US: Confluence Server app for Atlassian Confluence
 CVE-2020-24897 (The Table Filter and Charts for Confluence Server app before 5.3.25 (f ...)
@@ -39903,12 +39916,12 @@ CVE-2020-22429
 	RESERVED
 CVE-2020-22428
 	RESERVED
-CVE-2020-22427
-	RESERVED
+CVE-2020-22427 (NagiosXI 5.6.11 is affected by a remote code execution (RCE) vulnerabi ...)
+	TODO: check
 CVE-2020-22426
 	RESERVED
-CVE-2020-22425
-	RESERVED
+CVE-2020-22425 (Centreon 19.10-3.el7 is affected by a SQL injection vulnerability, whe ...)
+	TODO: check
 CVE-2020-22424
 	RESERVED
 CVE-2020-22423
@@ -83821,12 +83834,12 @@ CVE-2020-4958 (IBM Security Identity Governance and Intelligence 5.2.6 does not
 	NOT-FOR-US: IBM
 CVE-2020-4957
 	RESERVED
-CVE-2020-4956
-	RESERVED
-CVE-2020-4955
-	RESERVED
-CVE-2020-4954
-	RESERVED
+CVE-2020-4956 (IBM Spectrum Protect Operations Center 7.1 and 8.1 is vulnerable to a  ...)
+	TODO: check
+CVE-2020-4955 (IBM Spectrum Protect Operations Center 7.1 and 8.1could allow a remote ...)
+	TODO: check
+CVE-2020-4954 (IBM Spectrum Protect Operations Center 7.1 and 8.1 could allow a remot ...)
+	TODO: check
 CVE-2020-4953
 	RESERVED
 CVE-2020-4952 (IBM Security Guardium 11.2 could allow an authenticated user to gain r ...)
@@ -171431,7 +171444,7 @@ CVE-2018-1000519 (aio-libs aiohttp-session contains a Session Fixation vulnerabi
 CVE-2018-1000518 (aaugustin websockets version 4 contains a CWE-409: Improper Handling o ...)
 	NOT-FOR-US: aaugustin websockets
 CVE-2018-1000517 (BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c ...)
-	{DLA-1445-1}
+	{DLA-2559-1 DLA-1445-1}
 	- busybox 1:1.27.2-3 (low; bug #902724)
 	NOTE: https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e
 CVE-2018-1000516 (The Galaxy Project Galaxy version v14.10 contains a CWE-79: Improper N ...)
@@ -209892,7 +209905,7 @@ CVE-2017-16545 (The ReadWPGImage function in coders/wpg.c in GraphicsMagick 1.3.
 	NOTE: the severity of the wheezy version is low even though the vulnerable code is still present.
 	NOTE: The patch is trivial so it may be worth fixing in combination with some other fix.
 CVE-2017-16544 (In the add_match function in libbb/lineedit.c in BusyBox through 1.27. ...)
-	{DLA-1445-1}
+	{DLA-2559-1 DLA-1445-1}
 	- busybox 1:1.27.2-2 (bug #882258)
 	[wheezy] - busybox <no-dsa> (Minor issue)
 	NOTE: https://www.twistlock.com/2017/11/20/cve-2017-16544-busybox-autocompletion-vulnerability/
@@ -211983,7 +211996,7 @@ CVE-2017-15874 (archival/libarchive/decompress_unlzma.c in BusyBox 1.27.2 has an
 	NOTE: Introduced in: https://git.busybox.net/busybox/commit/?id=3989e5adf454a3ab98412b249c2c9bd2a3175ae0
 	NOTE: Fixed by: https://git.busybox.net/busybox/commit/?id=9ac42c500586fa5f10a1f6d22c3f797df11b1f6b
 CVE-2017-15873 (The get_next_block function in archival/libarchive/decompress_bunzip2. ...)
-	{DLA-1445-1}
+	{DLA-2559-1 DLA-1445-1}
 	- busybox 1:1.27.2-2 (bug #879732)
 	[wheezy] - busybox <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://git.busybox.net/busybox/commit/?id=0402cb32df015d9372578e3db27db47b33d5c7b0
@@ -282754,12 +282767,12 @@ CVE-2016-2150 (SPICE allows local guest OS users to read from or write to arbitr
 CVE-2016-2149 (Red Hat OpenShift Enterprise 3.2 allows remote authenticated users to  ...)
 	NOT-FOR-US: OpenShift
 CVE-2016-2148 (Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox befo ...)
-	{DLA-1445-1}
+	{DLA-2559-1 DLA-1445-1}
 	- busybox 1:1.27.2-1 (bug #818497)
 	[wheezy] - busybox <no-dsa> (Minor issue)
 	NOTE: https://git.busybox.net/busybox/commit/?id=352f79acbd759c14399e39baef21fc4ffe180ac2
 CVE-2016-2147 (Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0  ...)
-	{DLA-1445-1}
+	{DLA-2559-1 DLA-1445-1}
 	- busybox 1:1.27.2-1 (bug #818499)
 	[wheezy] - busybox <no-dsa> (Minor issue)
 	NOTE: https://git.busybox.net/busybox/commit/?id=d474ffc68290e0a83651c4432eeabfa62cd51e87
@@ -291792,7 +291805,7 @@ CVE-2015-7944 (The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti
 	NOTE: http://www.ocert.org/advisories/ocert-2015-012.html
 	NOTE: http://git.ganeti.org/?p=ganeti.git;a=commit;h=201fcb916b8164c78f4ed8e0c9cfc0227a78684c
 CVE-2015-9261 (huft_build in archival/libarchive/decompress_gunzip.c in BusyBox befor ...)
-	{DLA-1445-1 DLA-337-1}
+	{DLA-2559-1 DLA-1445-1 DLA-337-1}
 	- busybox 1:1.27.2-1 (bug #803097)
 	NOTE: https://www.openwall.com/lists/oss-security/2015/10/25/3
 	NOTE: http://git.busybox.net/busybox/commit/?id=1de25a6e87e0e627aa34298105a3d17c60a1f44e
@@ -298780,7 +298793,7 @@ CVE-2012-6694 (GE Healthcare Centricity PACS Workstation 4.0 and 4.0.1, and Serv
 CVE-2012-6693 (GE Healthcare Centricity PACS 4.0 Server has a default password of (1) ...)
 	NOT-FOR-US: GE Healthcare Centricity PACS
 CVE-2011-5325 (Directory traversal vulnerability in the BusyBox implementation of tar ...)
-	{DLA-1445-1}
+	{DLA-2559-1 DLA-1445-1}
 	- busybox 1:1.27.2-1 (bug #802702)
 	[wheezy] - busybox <no-dsa> (Minor issue)
 	[squeeze] - busybox <no-dsa> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6974682569c9b6601b938f1ddd990707d17e916

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6974682569c9b6601b938f1ddd990707d17e916
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210215/424ccb9c/attachment.html>

More information about the debian-security-tracker-commits mailing list