[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Thu Feb 18 20:10:34 GMT 2021
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a5a59136 by security tracker role at 2021-02-18T20:10:27+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,49 @@
+CVE-2021-3413
+ RESERVED
+CVE-2021-3412
+ RESERVED
+CVE-2021-27399
+ RESERVED
+CVE-2021-27398
+ RESERVED
+CVE-2021-27397
+ RESERVED
+CVE-2021-27396
+ RESERVED
+CVE-2021-27395
+ RESERVED
+CVE-2021-27394
+ RESERVED
+CVE-2021-27393
+ RESERVED
+CVE-2021-27392
+ RESERVED
+CVE-2021-27391
+ RESERVED
+CVE-2021-27390
+ RESERVED
+CVE-2021-27389
+ RESERVED
+CVE-2021-27388
+ RESERVED
+CVE-2021-27387
+ RESERVED
+CVE-2021-27386
+ RESERVED
+CVE-2021-27385
+ RESERVED
+CVE-2021-27384
+ RESERVED
+CVE-2021-27383
+ RESERVED
+CVE-2021-27382
+ RESERVED
+CVE-2021-27381
+ RESERVED
+CVE-2021-27380
+ RESERVED
+CVE-2021-27379 (An issue was discovered in Xen through 4.11.x, allowing x86 Intel HVM ...)
+ TODO: check
CVE-2021-27378 (An issue was discovered in the rand_core crate before 0.6.2 for Rust. ...)
- rust-rand-core <unfixed>
NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0023.html
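Review bot: CVE-2021-27379 at the end of the added block ("An issue was discovered in Xen through 4.11.x, allowing x86 Intel HVM ...") is left at the automatic "TODO: check" placeholder, but unlike the 22 RESERVED ids above it this one already has a description and concerns software packaged in Debian, so it needs a manual triage pass: add the corresponding XSA reference as a NOTE and a source package line for xen, as was done for XSA-365 on CVE-2021-26930 in this same update, rather than leaving the placeholder in place.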
@@ -87,8 +133,8 @@ CVE-2021-27337
RESERVED
CVE-2021-27336
RESERVED
-CVE-2021-27335
- RESERVED
+CVE-2021-27335 (KollectApps before 4.8.16c is affected by insecure Java deserializatio ...)
+ TODO: check
CVE-2021-27334
RESERVED
CVE-2021-27333
@@ -99,8 +145,8 @@ CVE-2021-27331
RESERVED
CVE-2021-27330
RESERVED
-CVE-2021-27329
- RESERVED
+CVE-2021-27329 (Friendica 2021.01 allows SSRF via parse_url?binurl= for DNS lookups or ...)
+ TODO: check
CVE-2021-27328
RESERVED
CVE-2021-27327
@@ -300,6 +346,7 @@ CVE-2021-27231 (Hestia Control Panel through 1.3.3, in a shared-hosting environm
CVE-2021-27230
RESERVED
CVE-2021-27229 (Mumble before 1.3.4 allows remote code execution if a victim navigates ...)
+ {DLA-2562-1}
- mumble <unfixed> (bug #982904)
NOTE: https://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16bfd648
NOTE: https://github.com/mumble-voip/mumble/pull/4733
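Review bot: the added {DLA-2562-1} on CVE-2021-27229 sits correctly between the description and the "- mumble <unfixed> (bug #982904)" line, but that source line still reads <unfixed> for unstable; the two upstream NOTEs (commit e59ee87 and pull 4733) already identify the fix, so the unstable entry should be updated to the fixed version once the upload lands, otherwise the LTS advisory is the only resolved state recorded for this CVE.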
@@ -960,6 +1007,7 @@ CVE-2021-26930 (An issue was discovered in the Linux kernel 3.11 through 5.10.16
- linux <unfixed>
NOTE: https://xenbits.xen.org/xsa/advisory-365.html
CVE-2021-26929 (An XSS issue was discovered in Horde Groupware Webmail Edition through ...)
+ {DLA-2564-1}
- php-horde-text-filter <unfixed> (bug #982769)
NOTE: https://lists.horde.org/archives/announce/2021/001298.html
NOTE: https://github.com/horde/Text_Filter/commit/c26f938854c36b981558a3b1b9b2f81403cff60e (master)
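Review bot: {DLA-2564-1} is attached to CVE-2021-26929 while "- php-horde-text-filter <unfixed> (bug #982769)" is unchanged; the second NOTE points at a commit on master rather than a tagged release, so confirm which released version carries the fix before marking unstable fixed, and follow up on bug #982769 so the DLA and the unstable state do not drift apart.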
@@ -2547,8 +2595,8 @@ CVE-2020-36235 (Affected versions of Atlassian Jira Server and Data Center allow
NOT-FOR-US: Atlassian
CVE-2020-36234 (Affected versions of Atlassian Jira Server and Data Center allow remot ...)
NOT-FOR-US: Atlassian
-CVE-2020-36233
- RESERVED
+CVE-2020-36233 (The Microsoft Windows Installer for Atlassian Bitbucket Server and Dat ...)
+ TODO: check
CVE-2020-36232
RESERVED
CVE-2020-36231 (Affected versions of Atlassian Jira Server and Data Center allow remot ...)
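Review bot: CVE-2020-36233 describes the Microsoft Windows Installer for Atlassian Bitbucket Server and Data Center, so the "TODO: check" placeholder can be resolved to "NOT-FOR-US: Atlassian", matching CVE-2020-36234 and CVE-2020-36235 directly above it in this hunk.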
@@ -3053,8 +3101,8 @@ CVE-2021-26070
RESERVED
CVE-2021-26069
RESERVED
-CVE-2021-26068
- RESERVED
+CVE-2021-26068 (An endpoint in Atlassian Jira Server for Slack plugin from version 0.0 ...)
+ TODO: check
CVE-2021-26067 (Affected versions of Atlassian Bamboo allow an unauthenticated remote ...)
NOT-FOR-US: Atlassian
CVE-2021-26066
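Review bot: CVE-2021-26068 concerns an endpoint in the Atlassian Jira Server for Slack plugin, a vendor plugin rather than anything in the archive; resolve the placeholder to "NOT-FOR-US: Atlassian" as was done for CVE-2021-26067 in the same hunk.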
@@ -3384,7 +3432,7 @@ CVE-2021-25915
RESERVED
CVE-2021-25914
RESERVED
-CVE-2021-25913 (Prototype pollution vulnerability in ‘set-or-get’ version ...)
+CVE-2021-25913 (Prototype pollution vulnerability in 'set-or-get' version 1.0.0 throug ...)
NOT-FOR-US: Node set-or-get
CVE-2021-25912 (Prototype pollution vulnerability in 'dotty' versions 0.0.1 through 0. ...)
NOT-FOR-US: Node dotty
@@ -8114,13 +8162,13 @@ CVE-2021-23843
CVE-2021-23842
RESERVED
CVE-2021-23841 (The OpenSSL public API function X509_issuer_and_serial_hash() attempts ...)
- {DSA-4855-1}
+ {DSA-4855-1 DLA-2565-1 DLA-2563-1}
- openssl 1.1.1j-1
- openssl1.0 <removed>
NOTE: https://www.openssl.org/news/secadv/20210216.txt
NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=122a19ab48091c657f7cb1fb3af9fc07bd557bbf (OpenSSL_1_1_1j)
CVE-2021-23840 (Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may ...)
- {DSA-4855-1}
+ {DSA-4855-1 DLA-2565-1 DLA-2563-1}
- openssl 1.1.1j-1
- openssl1.0 <removed>
NOTE: https://www.openssl.org/news/secadv/20210216.txt
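Review bot: the identical pair "DLA-2565-1 DLA-2563-1" is appended to both CVE-2021-23841 and CVE-2021-23840; two DLAs for one upstream advisory (secadv/20210216) is plausible because the LTS release carries both openssl and openssl1.0 (note the "- openssl1.0 <removed>" lines), but confirm that each DLA text really lists both CVEs before landing this, since copying an identifier pair across entries is the easiest way for a wrong cross-reference to enter the tracker. The "- openssl 1.1.1j-1" source lines are correctly left unchanged: the DLA markers only describe LTS.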
@@ -9166,10 +9214,10 @@ CVE-2021-23343
RESERVED
CVE-2021-23342
RESERVED
-CVE-2021-23341
- RESERVED
-CVE-2021-23340
- RESERVED
+CVE-2021-23341 (The package prismjs before 1.23.0 are vulnerable to Regular Expression ...)
+ TODO: check
+CVE-2021-23340 (This affects the package pimcore/pimcore before 6.8.8. A Local FIle In ...)
+ TODO: check
CVE-2021-23339 (This affects all versions of package com.typesafe.akka:akka-http-core. ...)
TODO: check
CVE-2021-23338 (This affects all versions of package qlib. The workflow function in cl ...)
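Review bot: CVE-2021-23341 (prismjs before 1.23.0, regular-expression issue) and CVE-2021-23340 (pimcore/pimcore before 6.8.8, local file inclusion) join CVE-2021-23339 and CVE-2021-23338 in this hunk, which are also still "TODO: check"; four consecutive untriaged entries with Snyk-style "This affects the package ..." descriptions suggests this range needs a dedicated triage pass, and the prismjs entry in particular should be checked against the Node packages in the archive rather than assumed NOT-FOR-US.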
@@ -14655,8 +14703,8 @@ CVE-2021-21320
RESERVED
CVE-2021-21319
RESERVED
-CVE-2021-21318
- RESERVED
+CVE-2021-21318 (Opencast is a free, open-source platform to support the management of ...)
+ TODO: check
CVE-2021-21317 (uap-core in an open-source npm package which contains the core of Brow ...)
NOT-FOR-US: Node uap-core
CVE-2021-21316 (less-openui5 is an npm package which enables building OpenUI5 themes w ...)
@@ -15331,8 +15379,8 @@ CVE-2020-35579 (tindy2013 subconverter 0.6.4 has a /sub?target=%TARGET%&url=
NOT-FOR-US: tindy2013
CVE-2020-35578 (An issue was discovered in the Manage Plugins page in Nagios XI before ...)
NOT-FOR-US: Nagios XI
-CVE-2020-35577
- RESERVED
+CVE-2020-35577 (In Endalia Selection Portal before 4.205.0, an Insecure Direct Object ...)
+ TODO: check
CVE-2020-35576 (A Command Injection issue in the traceroute feature on TP-Link TL-WR84 ...)
NOT-FOR-US: TP-Link
CVE-2020-35575 (A password-disclosure issue in the web interface on certain TP-Link de ...)
@@ -16716,14 +16764,14 @@ CVE-2021-20448
RESERVED
CVE-2021-20447
RESERVED
-CVE-2021-20446
- RESERVED
-CVE-2021-20445
- RESERVED
-CVE-2021-20444
- RESERVED
-CVE-2021-20443
- RESERVED
+CVE-2021-20446 (IBM Maximo for Civil Infrastructure 7.6.2 is vulnerable to cross-site ...)
+ TODO: check
+CVE-2021-20445 (IBM Maximo for Civil Infrastructure 7.6.2 could allow a user to obtain ...)
+ TODO: check
+CVE-2021-20444 (IBM Maximo for Civil Infrastructure 7.6.2 is vulnerable to cross-site ...)
+ TODO: check
+CVE-2021-20443 (IBM Maximo for Civil Infrastructure 7.6.2 includes executable function ...)
+ TODO: check
CVE-2021-20442
RESERVED
CVE-2021-20441
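Review bot: the four entries CVE-2021-20443 through CVE-2021-20446 all describe IBM Maximo for Civil Infrastructure 7.6.2 and are all placeholders; IBM products are classified "NOT-FOR-US: IBM" elsewhere in this update (CVE-2021-20353), so these can be resolved together, but keep them as four separate lines because the truncated descriptions show four distinct issues (two cross-site findings, an information-disclosure finding and an executable-functionality finding).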
@@ -16900,8 +16948,8 @@ CVE-2021-20356
RESERVED
CVE-2021-20355
RESERVED
-CVE-2021-20354
- RESERVED
+CVE-2021-20354 (IBM WebSphere Application Server 8.0, 8.5, and 9.0 could allow a remot ...)
+ TODO: check
CVE-2021-20353 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable ...)
NOT-FOR-US: IBM
CVE-2021-20352
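Review bot: CVE-2021-20354 (IBM WebSphere Application Server 8.0, 8.5 and 9.0) sits directly above CVE-2021-20353, which is already "NOT-FOR-US: IBM"; resolve the new placeholder the same way.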
@@ -19924,8 +19972,8 @@ CVE-2020-29666 (In Lan ATMService M3 ATM Monitoring System 6.1.0, due to a direc
NOT-FOR-US: Lan ATMService M3 ATM Monitoring System
CVE-2020-29665
RESERVED
-CVE-2020-29664
- RESERVED
+CVE-2020-29664 (A command injection issue in dji_sys in DJI Mavic 2 Remote Controller ...)
+ TODO: check
CVE-2020-29663 (Icinga 2 v2.8.0 through v2.11.7 and v2.12.2 has an issue where revoked ...)
- icinga2 2.12.3-1
[buster] - icinga2 <no-dsa> (Minor issue)
@@ -21221,8 +21269,8 @@ CVE-2020-29455 (A cross-Site Scripting (XSS) vulnerability in this.showInvalid a
NOT-FOR-US: SmartyStreets liveAddressPlugin.js
CVE-2020-29454 (Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user ...)
NOT-FOR-US: Umbraco CMS
-CVE-2020-29453
- RESERVED
+CVE-2020-29453 (The CachingResourceDownloadRewriteRule class in Jira Server and Jira D ...)
+ TODO: check
CVE-2020-29452
RESERVED
CVE-2020-29451 (Affected versions of Atlassian Jira Server and Data Center allow remot ...)
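Review bot: CVE-2020-29453 (the CachingResourceDownloadRewriteRule class in Jira Server and Jira Data Center) is another Atlassian entry left at "TODO: check" among neighbours already marked "NOT-FOR-US: Atlassian" (CVE-2020-29451 below it); resolve it to match.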
@@ -21231,8 +21279,8 @@ CVE-2020-29450 (Affected versions of Atlassian Confluence Server and Data Center
NOT-FOR-US: Atlassian
CVE-2020-29449
RESERVED
-CVE-2020-29448
- RESERVED
+CVE-2020-29448 (The ConfluenceResourceDownloadRewriteRule class in Confluence Server a ...)
+ TODO: check
CVE-2020-29447 (Affected versions of Atlassian Crucible allow remote attackers to impa ...)
NOT-FOR-US: Atlassian
CVE-2020-29446 (Affected versions of Atlassian Fisheye & Crucible allow remote att ...)
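Review bot: CVE-2020-29448 (the ConfluenceResourceDownloadRewriteRule class in Confluence Server) is the Confluence counterpart of CVE-2020-29453 in the previous hunk and should receive the same "NOT-FOR-US: Atlassian" resolution as CVE-2020-29450 and CVE-2020-29447 around it.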
@@ -24500,16 +24548,16 @@ CVE-2020-28501
CVE-2020-28500 (All versions of package lodash; all versions of package org.fujion.web ...)
- node-lodash <unfixed>
NOTE: https://snyk.io/vuln/SNYK-JS-LODASH-1018905
-CVE-2020-28499
- RESERVED
+CVE-2020-28499 (All versions of package merge are vulnerable to Prototype Pollution vi ...)
+ TODO: check
CVE-2020-28498 (The package elliptic before 6.5.4 are vulnerable to Cryptographic Issu ...)
- node-elliptic <unfixed>
NOTE: https://github.com/indutny/elliptic/commit/441b7428b0e8f6636c42118ad2aaa186d3c34c3f
NOTE: https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md
CVE-2020-28497
RESERVED
-CVE-2020-28496
- RESERVED
+CVE-2020-28496 (This affects the package three before 0.125.0. This can happen when ha ...)
+ TODO: check
CVE-2020-28495 (This affects the package total.js before 3.4.7. The set function can b ...)
NOT-FOR-US: Node total.js
CVE-2020-28494 (This affects the package total.js before 3.4.7. The issue occurs in th ...)
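Review bot: CVE-2020-28499 (all versions of package merge, prototype pollution) and CVE-2020-28496 (package three before 0.125.0) are placeholders in a hunk whose neighbours CVE-2020-28500 and CVE-2020-28498 are tracked against real source packages ("- node-lodash <unfixed>", "- node-elliptic <unfixed>"), so these two cannot be assumed NOT-FOR-US the way the total.js entries below them are; check whether the Node merge and three modules are in the archive before resolving.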
@@ -24521,10 +24569,10 @@ CVE-2020-28493 (This affects the package jinja2 from 0.0.0 and before 2.11.3. Th
NOTE: https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994
CVE-2020-28492
REJECTED
-CVE-2020-28491
- RESERVED
-CVE-2020-28490
- RESERVED
+CVE-2020-28491 (This affects the package com.fasterxml.jackson.dataformat:jackson-data ...)
+ TODO: check
+CVE-2020-28490 (The package async-git before 1.13.2 are vulnerable to Command Injectio ...)
+ TODO: check
CVE-2020-28489
RESERVED
CVE-2020-28488
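Review bot: CVE-2020-28491 has a truncated description ending in "com.fasterxml.jackson.dataformat:jackson-data ..." that does not identify which dataformat module is affected; several jackson-dataformat modules are packaged in Debian, so resolve the full artifact name from the CVE text before choosing a source package, and do not collapse this to NOT-FOR-US on the truncated text alone. CVE-2020-28490 (async-git before 1.13.2, command injection) is a separate Node entry and should be triaged on its own.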
@@ -24584,8 +24632,8 @@ CVE-2020-28465
RESERVED
CVE-2020-28464 (This affects the package djv before 2.1.4. By controlling the schema f ...)
NOT-FOR-US: Node djv
-CVE-2020-28463
- RESERVED
+CVE-2020-28463 (All versions of package reportlab are vulnerable to Server-side Reques ...)
+ TODO: check
CVE-2020-28462
RESERVED
CVE-2020-28461
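Review bot: CVE-2020-28463 (all versions of package reportlab, server-side request forgery) should not follow the "NOT-FOR-US: Node djv" pattern of its neighbour CVE-2020-28464: reportlab is a packaged Python library in Debian, so this placeholder needs a source package line and a bug reference rather than a NOT-FOR-US resolution.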
@@ -74516,6 +74564,7 @@ CVE-2020-8627
CVE-2020-8626
RESERVED
CVE-2020-8625 (BIND servers are vulnerable if they are running an affected version an ...)
+ {DSA-4857-1}
- bind9 1:9.16.12-1 (bug #983004)
NOTE: https://kb.isc.org/v1/docs/cve-2020-8625
NOTE: 9.11 branch: https://downloads.isc.org/isc/bind9/9.11.28/patches
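Review bot: {DSA-4857-1} on CVE-2020-8625 is placed between the description and "- bind9 1:9.16.12-1 (bug #983004)", consistent with the other DSA/DLA markers in this update; with both the unstable version and the DSA now recorded, bug #983004 can be closed once the upload is confirmed, and the "9.11 branch" patches NOTE stays relevant for the LTS package.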
@@ -84278,8 +84327,8 @@ CVE-2020-4935
RESERVED
CVE-2020-4934 (IBM Content Navigator 3.0.CD could allow a remote attacker to traverse ...)
NOT-FOR-US: IBM
-CVE-2020-4933
- RESERVED
+CVE-2020-4933 (IBM Jazz Reporting Service 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerabl ...)
+ TODO: check
CVE-2020-4932
RESERVED
CVE-2020-4931
@@ -98993,8 +99042,8 @@ CVE-2019-18257 (In Advantech DiagAnywhere Server, Versions 3.07.11 and prior, mu
NOT-FOR-US: Advantech
CVE-2019-18256 (BIOTRONIK CardioMessenger II, The affected products use individual per ...)
NOT-FOR-US: BIOTRONIK CardioMessenge
-CVE-2019-18255
- RESERVED
+CVE-2019-18255 (HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated u ...)
+ TODO: check
CVE-2019-18254 (BIOTRONIK CardioMessenger II, The affected products do not encrypt sen ...)
NOT-FOR-US: BIOTRONIK CardioMessenge
CVE-2019-18253 (An attacker could use specially crafted paths in a specific request to ...)
@@ -99017,8 +99066,8 @@ CVE-2019-18245 (Reliable Controls LicenseManager versions 3.4 and prior may allo
NOT-FOR-US: Reliable Controls LicenseManager
CVE-2019-18244 (In OSIsoft PI System multiple products and versions, a local attacker ...)
NOT-FOR-US: OSIsoft
-CVE-2019-18243
- RESERVED
+CVE-2019-18243 (HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated u ...)
+ TODO: check
CVE-2019-18242 (In Moxa ioLogik 2500 series firmware, Version 3.0 or lower, and IOxpre ...)
NOT-FOR-US: Moxa
CVE-2019-18241 (In Philips IntelliBridge EC40 and EC80, IntelliBridge EC40 Hub all ver ...)
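Review bot: CVE-2019-18243 carries a description identical, as truncated, to CVE-2019-18255 in the previous hunk ("HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated u ..."); they are distinct CVE ids, so triage each on its full text rather than copying one resolution to the other, and expect the industrial-vendor "NOT-FOR-US" pattern of the surrounding entries (Advantech, BIOTRONIK, OSIsoft, Moxa) to apply unless iFIX turns out to be in the archive.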
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5a5913615c786ce50eb2e582bab4056261f9649