[Git][security-tracker-team/security-tracker][master] NFUs

Moritz Muehlenhoff jmm at debian.org
Wed Feb 17 17:55:55 GMT 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e58877cf by Moritz Muehlenhoff at 2021-02-17T18:55:32+01:00
NFUs
one SDL issue specific to SDL2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -50115,11 +50115,11 @@ CVE-2020-17536
 CVE-2020-17535
 	REJECTED
 CVE-2020-17534 (There exists a race condition between the deletion of the temporary fi ...)
-	TODO: check
+	NOT-FOR-US: netbeans-html4j
 CVE-2020-17533 (Apache Accumulo versions 1.5.0 through 1.10.0 and version 2.0.0 do not ...)
 	NOT-FOR-US: Apache Accumulo
 CVE-2020-17532 (When handler-router component is enabled in servicecomb-java-chassis,  ...)
-	TODO: check
+	NOT-FOR-US: servicecomb-java-chassis
 CVE-2020-17531 (A Java Serialization vulnerability was found in Apache Tapestry 4. Apa ...)
 	NOT-FOR-US: Apache Tapestry
 CVE-2020-17530 (Forced OGNL evaluation, when evaluated on raw user input in tag attrib ...)
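Review bot: the two new labels in this hunk name the projects by repository slug ("netbeans-html4j", "servicecomb-java-chassis") while the surrounding entries use the product name ("Apache Accumulo", "Apache Tapestry"); "NOT-FOR-US: Apache NetBeans html4j" and "NOT-FOR-US: Apache ServiceComb Java Chassis" would keep the file searchable by vendor. For CVE-2020-17534 it is also worth a quick check that no source package in the archive bundles the html4j library before the entry is closed as NOT-FOR-US, since the truncated description does not say whether the race is in the library or in a tool built on it.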
@@ -53112,7 +53112,7 @@ CVE-2020-16145 (Roundcube Webmail before 1.3.15 and 1.4.8 allows stored XSS in H
 	NOTE: https://github.com/roundcube/roundcubemail/commit/d44ca2308a96576b88d6bf27528964d4fe1a6b8b (1.3.15)
 	NOTE: https://github.com/roundcube/roundcubemail/commit/589d36010048300ed39f4887aab1afd3ae98d00e (1.2.12)
 CVE-2020-16144 (When using an object storage like S3 as the file store, when a user cr ...)
-	TODO: check
+	- owncloud <removed>
 CVE-2020-16143 (The seafile-client client 7.0.8 for Seafile is vulnerable to DLL hijac ...)
 	- seafile-client <not-affected> (Windows-specific)
 CVE-2020-16142 (On Mercedes-Benz C Class AMG Premium Plus c220 BlueTec vehicles, the B ...)
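Review bot: the new "- owncloud <removed>" line for CVE-2020-16144 has no NOTE: line with the upstream advisory or fixing commit, unlike the Roundcube entry at the top of the hunk, which records the fixing commits per release. Because the package is marked <removed>, nobody will revisit it via a fix upload, so a NOTE: pointing at the upstream reference is the only place a later triager can see why the S3 object-storage issue was judged to apply to the removed owncloud package.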
@@ -56010,7 +56010,7 @@ CVE-2020-15099 (In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20
 CVE-2020-15098 (In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.20, and  ...)
 	NOT-FOR-US: TYPO3
 CVE-2020-15097 (loklak is an open-source server application which is able to collect m ...)
-	TODO: check
+	NOT-FOR-US: loklak
 CVE-2020-15096 (In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, the ...)
 	- electron <itp> (bug #842420)
 CVE-2020-15095 (Versions of the npm CLI prior to 6.14.6 are vulnerable to an informati ...)
@@ -57887,11 +57887,10 @@ CVE-2020-14411
 	RESERVED
 CVE-2020-14410 (SDL (Simple DirectMedia Layer) through 2.0.12 has a heap-based buffer  ...)
 	{DLA-2536-1}
-	- libsdl1.2 <undetermined>
+	- libsdl1.2 <not-affected> (Only affects SDL2)
 	- libsdl2 2.0.14+dfsg2-2
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=5200
 	NOTE: https://hg.libsdl.org/SDL/rev/3f9b4e92c1d9
-	TODO: check libsdl1.2
 CVE-2020-14409 (SDL (Simple DirectMedia Layer) through 2.0.12 has an Integer Overflow  ...)
 	{DLA-2536-1}
 	- libsdl1.2 <undetermined>
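Review bot: CVE-2020-14410 keeps its {DLA-2536-1} marker while libsdl1.2 is changed to <not-affected> (Only affects SDL2), so the DLA must now be read as covering libsdl2 only; the same marker sits on CVE-2020-14409 directly below, where libsdl1.2 stays <undetermined>, so please confirm DLA-2536-1 did not announce a libsdl1.2 fix for this CVE, otherwise the two statements conflict. The parenthetical is the only record of the SDL2-only reasoning; adding a NOTE: line that says which of the two references already listed (the bugzilla entry or the hg revision) shows the affected code is absent from 1.2 would make the <not-affected> decision auditable after the TODO line is dropped.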
@@ -60383,9 +60382,9 @@ CVE-2020-13584 (An exploitable use-after-free vulnerability exists in WebKitGTK
 	- wpewebkit 2.30.3-1
 	NOTE: https://webkitgtk.org/security/WSA-2020-0008.html
 CVE-2020-13583 (A denial-of-service vulnerability exists in the HTTP Server functional ...)
-	TODO: check
+	NOT-FOR-US: Micrium
 CVE-2020-13582 (A denial-of-service vulnerability exists in the HTTP Server functional ...)
-	TODO: check
+	NOT-FOR-US: Micrium
 CVE-2020-13581 (In SoftMaker Software GmbH SoftMaker Office PlanMaker 2021 (Revision 1 ...)
 	NOT-FOR-US: SoftMaker
 CVE-2020-13580 (An exploitable heap-based buffer overflow vulnerability exists in the  ...)
@@ -60405,9 +60404,9 @@ CVE-2020-13574 (A denial-of-service vulnerability exists in the WS-Security plug
 CVE-2020-13573 (A denial-of-service vulnerability exists in the Ethernet/IP server fun ...)
 	NOT-FOR-US: Rockwell Automation RSLinx Classic
 CVE-2020-13572 (A heap overflow vulnerability exists in the way the GIF parser decodes ...)
-	TODO: check
+	NOT-FOR-US: Accusoft
 CVE-2020-13571 (An out-of-bounds write vulnerability exists in the SGI RLE decompressi ...)
-	TODO: check
+	NOT-FOR-US: Accusoft
 CVE-2020-13570 (A use-after-free vulnerability exists in the JavaScript engine of Foxi ...)
 	NOT-FOR-US: Foxit
 CVE-2020-13569 (A cross-site request forgery vulnerability exists in the GACL function ...)
@@ -60419,15 +60418,15 @@ CVE-2020-13567
 CVE-2020-13566
 	RESERVED
 CVE-2020-13565 (An open redirect vulnerability exists in the return_page redirection f ...)
-	TODO: check
+	NOT-FOR-US: OpenEMR
 CVE-2020-13564 (A cross-site scripting vulnerability exists in the template functional ...)
-	TODO: check
+	NOT-FOR-US: phpGACL
 CVE-2020-13563 (A cross-site scripting vulnerability exists in the template functional ...)
-	TODO: check
+	NOT-FOR-US: phpGACL
 CVE-2020-13562 (A cross-site scripting vulnerability exists in the template functional ...)
-	TODO: check
+	NOT-FOR-US: phpGACL
 CVE-2020-13561 (An out-of-bounds write vulnerability exists in the TIFF parser of Accu ...)
-	TODO: check
+	NOT-FOR-US: Accusoft
 CVE-2020-13560 (A use after free vulnerability exists in the JavaScript engine of Foxi ...)
 	NOT-FOR-US: Foxit
 CVE-2020-13559 (A denial-of-service vulnerability exists in the traffic-logging functi ...)
@@ -60633,11 +60632,11 @@ CVE-2020-13464 (The flash memory readout protection in China Key Systems & I
 CVE-2020-13463 (The flash memory readout protection in Apex Microelectronics APM32F103 ...)
 	NOT-FOR-US: Apex Microelectronics APM32F103 devices
 CVE-2020-13462 (Insecure Direct Object Reference (IDOR) exists in Tufin SecureChange,  ...)
-	TODO: check
+	NOT-FOR-US: Tufin
 CVE-2020-13461 (Username enumeration in present in Tufin SecureTrack. It's affecting a ...)
-	TODO: check
+	NOT-FOR-US: Tufin
 CVE-2020-13460 (Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were presen ...)
-	TODO: check
+	NOT-FOR-US: Tufin
 CVE-2020-13459 (An issue was discovered in the Image Resizer plugin before 2.0.9 for C ...)
 	NOT-FOR-US: Image Resizer plugin for Craft CMS
 CVE-2020-13458 (An issue was discovered in the Image Resizer plugin before 2.0.9 for C ...)
@@ -60653,13 +60652,13 @@ CVE-2020-13454
 CVE-2020-13453
 	RESERVED
 CVE-2020-13452 (In Gotenberg through 6.2.1, insecure permissions for tini (writable by ...)
-	TODO: check
+	NOT-FOR-US: Gotenberg
 CVE-2020-13451 (An incomplete-cleanup vulnerability in the Office rendering engine of  ...)
-	TODO: check
+	NOT-FOR-US: Gotenberg
 CVE-2020-13450 (A directory traversal vulnerability in file upload function of Gotenbe ...)
-	TODO: check
+	NOT-FOR-US: Gotenberg
 CVE-2020-13449 (A directory traversal vulnerability in the Markdown engine of Gotenber ...)
-	TODO: check
+	NOT-FOR-US: Gotenberg
 CVE-2020-13448 (QuickBox Community Edition through 2.5.5 and Pro Edition through 2.1.8 ...)
 	NOT-FOR-US: QuickBox
 CVE-2020-13447
@@ -60755,11 +60754,11 @@ CVE-2020-13411
 CVE-2020-13410 (An issue was discovered in MoscaJS Aedes 0.42.0. lib/write.js does not ...)
 	NOT-FOR-US: MoscaJS Aedes
 CVE-2020-13409 (Tufin SecureTrack < R20-2 GA contains reflected + stored XSS (as in ...)
-	TODO: check
+	NOT-FOR-US: Tufin
 CVE-2020-13408 (Tufin SecureTrack < R20-2 GA contains reflected + stored XSS (as in ...)
-	TODO: check
+	NOT-FOR-US: Tufin
 CVE-2020-13407 (Tufin SecureTrack < R20-2 GA contains reflected + stored XSS (as in ...)
-	TODO: check
+	NOT-FOR-US: Tufin
 CVE-2020-13406
 	RESERVED
 CVE-2020-13405 (userfiles/modules/users/controller/controller.php in Microweber before ...)
@@ -61342,9 +61341,9 @@ CVE-2020-13188
 CVE-2020-13187
 	REJECTED
 CVE-2020-13186 (An Anti CSRF mechanism was discovered missing in the Teradici Cloud Ac ...)
-	TODO: check
+	NOT-FOR-US: Teradici
 CVE-2020-13185 (Certain web application pages in the authenticated section of the Tera ...)
-	TODO: check
+	NOT-FOR-US: Teradici
 CVE-2020-13184
 	RESERVED
 CVE-2020-13183 (Reflected Cross Site Scripting in Teradici PCoIP Management Console pr ...)
@@ -64454,7 +64453,7 @@ CVE-2020-11996 (A specially crafted sequence of HTTP/2 requests sent to Apache T
 	NOTE: https://github.com/apache/tomcat/commit/9a0231683a77e2957cea0fdee88b193b30b0c976 (9.0.36)
 	NOTE: https://github.com/apache/tomcat/commit/c8acd2ab7371e39aeca7c306f3b5380f00afe552 (8.5.56)
 CVE-2020-11995 (A deserialization vulnerability existed in dubbo 2.7.5 and its earlier ...)
-	TODO: check
+	NOT-FOR-US: Apache Dubbo
 CVE-2020-11994 (Server-Side Template Injection and arbitrary file disclosure on Camel  ...)
 	NOT-FOR-US: Apache Camel
 CVE-2020-11993 (Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enab ...)
@@ -66344,7 +66343,7 @@ CVE-2019-20636 (In the Linux kernel before 5.4.12, drivers/input/input.c has out
 CVE-2020-11636
 	RESERVED
 CVE-2020-11635 (The Zscaler Client Connector prior to 3.1.0 did not sufficiently valid ...)
-	TODO: check
+	NOT-FOR-US: Zscaler Client Connector
 CVE-2020-11634
 	RESERVED
 CVE-2020-11633
@@ -71086,7 +71085,7 @@ CVE-2020-10050 (A vulnerability has been identified in SIMATIC RTLS Locating Man
 CVE-2020-10049 (A vulnerability has been identified in SIMATIC RTLS Locating Manager ( ...)
 	NOT-FOR-US: Siemens
 CVE-2020-10048 (A vulnerability has been identified in SIMATIC PCS 7 (All versions), S ...)
-	TODO: check
+	NOT-FOR-US: Siemens
 CVE-2020-10047
 	RESERVED
 CVE-2020-10046
@@ -73120,7 +73119,7 @@ CVE-2020-9211
 CVE-2020-9210
 	RESERVED
 CVE-2020-9209 (There is a privilege escalation vulnerability in SMC2.0 product. Some  ...)
-	TODO: check
+	NOT-FOR-US: Huawei
 CVE-2020-9208 (There is an information leak vulnerability in iManager NetEco 6000 ver ...)
 	NOT-FOR-US: Huawei
 CVE-2020-9207 (There is an improper authentication vulnerability in some verisons of  ...)
@@ -73128,7 +73127,7 @@ CVE-2020-9207 (There is an improper authentication vulnerability in some verison
 CVE-2020-9206
 	RESERVED
 CVE-2020-9205 (There has a CSV injection vulnerability in ManageOne 8.0.1. An attacke ...)
-	TODO: check
+	NOT-FOR-US: Huawei
 CVE-2020-9204
 	RESERVED
 CVE-2020-9203 (There is a resource management errors vulnerability in Huawei P30. Loc ...)
@@ -73302,7 +73301,7 @@ CVE-2020-9120 (CloudEngine 1800V versions V100R019C10SPC500 has a resource manag
 CVE-2020-9119 (There is a privilege escalation vulnerability on some Huawei smart pho ...)
 	NOT-FOR-US: Huawei
 CVE-2020-9118 (There is an insufficient integrity check vulnerability in Huawei Sound ...)
-	TODO: check
+	NOT-FOR-US: Huawei
 CVE-2020-9117 (HUAWEI nova 4 versions earlier than 10.0.0.165(C01E34R2P4) and SydneyM ...)
 	NOT-FOR-US: Huawei
 CVE-2020-9116 (Huawei FusionCompute versions 6.5.1 and 8.0.0 have a command injection ...)
@@ -74632,13 +74631,13 @@ CVE-2020-8592 (eG Manager 7.1.2 allows SQL Injection via the user parameter to c
 CVE-2020-8591 (eG Manager 7.1.2 allows authentication bypass via a com.egurkha.EgLogi ...)
 	NOT-FOR-US: eG Manager
 CVE-2020-8590 (Clustered Data ONTAP versions prior to 9.1P18 and 9.3P12 are susceptib ...)
-	TODO: check
+	NOT-FOR-US: Clustered Data ONTAP
 CVE-2020-8589 (Clustered Data ONTAP versions prior to 9.3P20 and 9.5P15 are susceptib ...)
 	NOT-FOR-US: Clustered Data ONTAP
 CVE-2020-8588 (Clustered Data ONTAP versions prior to 9.3P20 and 9.5P15 are susceptib ...)
 	NOT-FOR-US: Clustered Data ONTAP
 CVE-2020-8587 (OnCommand System Manager 9.x versions prior to 9.3P20 and 9.4 prior to ...)
-	TODO: check
+	NOT-FOR-US: NetApp
 CVE-2020-8586
 	RESERVED
 CVE-2020-8585 (OnCommand Unified Manager Core Package versions prior to 5.2.5 may dis ...)
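Review bot: the two new labels in this hunk follow different conventions: CVE-2020-8590 gets the product name "Clustered Data ONTAP" (matching CVE-2020-8589 and CVE-2020-8588 below it), while CVE-2020-8587, an OnCommand System Manager issue, gets the vendor name "NetApp". The neighbouring entries all name the product rather than the vendor, so "NOT-FOR-US: OnCommand System Manager" would keep the file consistent and let a search by product find every related entry.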
@@ -74656,7 +74655,7 @@ CVE-2020-8580 (SANtricity OS Controller Software versions 11.30 and higher are s
 CVE-2020-8579 (Clustered Data ONTAP versions 9.7 through 9.7P7 are susceptible to a v ...)
 	NOT-FOR-US: Clustered Data ONTAP
 CVE-2020-8578 (Clustered Data ONTAP versions prior to 9.3P20 are susceptible to a vul ...)
-	TODO: check
+	NOT-FOR-US: Clustered Data ONTAP
 CVE-2020-8577 (SANtricity OS Controller Software versions 11.50.1 and higher are susc ...)
 	NOT-FOR-US: SANtricity OS Controller Software
 CVE-2020-8576 (Clustered Data ONTAP versions prior to 9.3P19, 9.5P14, 9.6P9 and 9.7 a ...)
@@ -75322,9 +75321,9 @@ CVE-2020-8296
 CVE-2020-8295 (A wrong check in Nextcloud Server 19 and prior allowed to perform a de ...)
 	- nextcloud-server <itp> (bug #941708)
 CVE-2020-8294 (A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 1 ...)
-	TODO: check
+	- nextcloud-server <itp> (bug #941708)
 CVE-2020-8293 (A missing input validation in Nextcloud Server before 20.0.2, 19.0.5,  ...)
-	TODO: check
+	- nextcloud-server <itp> (bug #941708)
 CVE-2020-8292 (Rocket.Chat server before 3.9.0 is vulnerable to a self cross-site scr ...)
 	NOT-FOR-US: Rocket.Chat
 CVE-2020-8291
@@ -75362,9 +75361,9 @@ CVE-2020-8283 (An authorised user on a Windows host running Citrix Universal Pri
 CVE-2020-8282 (A security issue was found in EdgePower 24V/54V firmware v1.7.0 and ea ...)
 	NOT-FOR-US: EdgePower 24V/54V firmware
 CVE-2020-8281 (A missing file type check in Nextcloud Contacts 3.3.0 allows a malicio ...)
-	TODO: check
+	NOT-FOR-US: Nextcloud Contacts
 CVE-2020-8280 (A missing file type check in Nextcloud Contacts 3.4.0 allows a malicio ...)
-	TODO: check
+	NOT-FOR-US: Nextcloud Contacts
 CVE-2020-8279 (Missing validation of server certificates for out-going connections in ...)
 	NOT-FOR-US: Nextcloud Social app
 CVE-2020-8278 (Improper access control in Nextcloud Social app version 0.3.1 allowed  ...)
@@ -75863,7 +75862,7 @@ CVE-2020-8103 (A vulnerability in the improper handling of symbolic links in Bit
 CVE-2020-8102 (Improper Input Validation vulnerability in the Safepay browser compone ...)
 	NOT-FOR-US: Safepay
 CVE-2020-8101 (Improper Neutralization of Special Elements used in a Command ('Comman ...)
-	TODO: check
+	NOT-FOR-US: Bitdefender
 CVE-2020-8100 (Improper Input Validation vulnerability in the cevakrnl.rv0 module as  ...)
 	NOT-FOR-US: Bitdefender
 CVE-2020-8099 (A vulnerability in the improper handling of junctions in Bitdefender A ...)
@@ -76042,9 +76041,9 @@ CVE-2020-8032
 CVE-2020-8031 (A Improper Neutralization of Input During Web Page Generation ('Cross- ...)
 	TODO: check
 CVE-2020-8030 (A Insecure Temporary File vulnerability in skuba of SUSE CaaS Platform ...)
-	TODO: check
+	NOT-FOR-US: SuSE CaaS
 CVE-2020-8029 (A Incorrect Permission Assignment for Critical Resource vulnerability  ...)
-	TODO: check
+	NOT-FOR-US: SuSE CaaS
 CVE-2020-8028 (A Improper Access Control vulnerability in the configuration of salt o ...)
 	NOT-FOR-US: Salt configuration in SUSE Server Manager
 CVE-2020-8027 (A Insecure Temporary File vulnerability in openldap2 of SUSE Linux Ent ...)
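Review bot: "NOT-FOR-US: SuSE CaaS" on CVE-2020-8030 and CVE-2020-8029 spells the vendor differently from both the CVE descriptions ("SUSE CaaS Platform") and the CVE-2020-8028 entry directly below ("SUSE Server Manager"); suggest "NOT-FOR-US: SUSE CaaS Platform" for both so a case-sensitive search for SUSE matches them. CVE-2020-8031 at the top of the hunk is left at TODO: check; if it belongs to the same product family it could be triaged in the same pass rather than left behind.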
@@ -79504,7 +79503,7 @@ CVE-2020-6651 (Improper Input Validation in Eaton's Intelligent Power Manager (I
 CVE-2020-6650 (UPS companion software v1.05 & Prior is affected by ‘Eval In ...)
 	NOT-FOR-US: UPS companion software
 CVE-2020-6649 (An insufficient session expiration vulnerability in FortiNet's FortiIs ...)
-	TODO: check
+	NOT-FOR-US: Fortinet
 CVE-2020-6648 (A cleartext storage of sensitive information vulnerability in FortiOS  ...)
 	NOT-FOR-US: Fortiguard FortiOS
 CVE-2020-6647 (An improper neutralization of input vulnerability in the dashboard of  ...)
@@ -81169,7 +81168,7 @@ CVE-2020-6090 (An exploitable code execution vulnerability exists in the Web-Bas
 CVE-2020-6089 (An exploitable code execution vulnerability exists in the ANI file for ...)
 	NOT-FOR-US: Leadtools
 CVE-2020-6088 (An exploitable denial of service vulnerability exists in the ENIP Requ ...)
-	TODO: check
+	NOT-FOR-US: Allen-Bradley Flex IO
 CVE-2020-6087 (An exploitable denial of service vulnerability exists in the ENIP Requ ...)
 	NOT-FOR-US: Allen-Bradley Flex IO
 CVE-2020-6086 (An exploitable denial of service vulnerability exists in the ENIP Requ ...)
@@ -81805,7 +81804,7 @@ CVE-2020-5814
 CVE-2020-5813
 	RESERVED
 CVE-2020-5812 (Nessus AMI versions 8.12.0 and earlier were found to either not valida ...)
-	TODO: check
+	NOT-FOR-US: Nessus
 CVE-2020-5811 (An authenticated path traversal vulnerability exists during package in ...)
 	NOT-FOR-US: Umbraco CMS
 CVE-2020-5810 (A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or curren ...)
@@ -81819,7 +81818,7 @@ CVE-2020-5807 (An unauthenticated remote attacker can send data to RsvcHost.exe
 CVE-2020-5806 (An attacker-controlled memory allocation size can be passed to the C++ ...)
 	NOT-FOR-US: FactoryTalk
 CVE-2020-5805 (In Marvell QConvergeConsole GUI <= 5.5.0.74, credentials are stored ...)
-	TODO: check
+	NOT-FOR-US: Marvell QConvergeConsole GUI
 CVE-2020-5804 (Marvell QConvergeConsole GUI <= 5.5.0.74 is affected by a path trav ...)
 	NOT-FOR-US: Marvell QConvergeConsole GUI
 CVE-2020-5803 (Relative Path Traversal in Marvell QConvergeConsole GUI 5.5.0.74 allow ...)
@@ -82177,7 +82176,7 @@ CVE-2020-5628 (UNIQLO App for Android versions 7.3.3 and earlier allows remote a
 CVE-2020-5627 (Yodobashi App for Android versions 1.8.7 and earlier allows remote att ...)
 	NOT-FOR-US: Yodobashi App for Android
 CVE-2020-5626 (Logstorage version 8.0.0 and earlier, and ELC Analytics version 3.0.0  ...)
-	TODO: check
+	NOT-FOR-US: Logstorage
 CVE-2020-5625 (Cross-site scripting vulnerability in XooNIps 3.48 and earlier allows  ...)
 	NOT-FOR-US: XooNIps
 CVE-2020-5624 (SQL injection vulnerability in the XooNIps 3.48 and earlier allows rem ...)
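Review bot: the description of CVE-2020-5626 names two affected products, Logstorage and ELC Analytics, but the new label records only "NOT-FOR-US: Logstorage"; "NOT-FOR-US: Logstorage / ELC Analytics" would show that both products were considered and neither is packaged, which is the usual reason for listing every product the CVE text mentions.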
@@ -87666,7 +87665,7 @@ CVE-2020-3689
 CVE-2020-3688 (Possible buffer overflow while parsing mp4 clip with corrupted sample  ...)
 	NOT-FOR-US: Qualcomm components for Android
 CVE-2020-3687 (Local privilege escalation in admin services in Windows environment ca ...)
-	TODO: check
+	NOT-FOR-US: Qualcomm
 CVE-2020-3686 (Possible memory out of bound issue during music playback when an incor ...)
 	NOT-FOR-US: Qualcomm components for Android
 CVE-2020-3685 (Pointer variable which is freed is not cleared can result in memory co ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e58877cf0efb034ed7356e091e4af583484df810
