[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Sat Feb 20 08:10:33 GMT 2021 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b536ad2a by security tracker role at 2021-02-20T08:10:26+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,9 @@
+CVE-2021-27509 (In Visualware MyConnection Server before 11.0b build 5382, each publis ...)
+	TODO: check
+CVE-2021-27508
+	RESERVED
+CVE-2021-27507
+	RESERVED
 CVE-2021-27506
 	RESERVED
 CVE-2021-27505
@@ -1753,8 +1759,7 @@ CVE-2021-26715
 	RESERVED
 CVE-2021-26714
 	RESERVED
-CVE-2021-26713
-	RESERVED
+CVE-2021-26713 (A stack-based buffer overflow in res_rtp_asterisk.c in Sangoma Asteris ...)
 	- asterisk <not-affected> (Only affects 16.16.0 onwards)
 	NOTE: https://downloads.asterisk.org/pub/security/AST-2021-004.html
 CVE-2021-26712 (Incorrect access controls in res_srtp.c in Sangoma Asterisk 13.38.1, 1 ...)
@@ -4538,8 +4543,8 @@ CVE-2021-3308 (An issue was discovered in Xen 4.12.3 through 4.12.4 and 4.13.1 t
 	NOTE: Introduced by: https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=5b58dad089880127674d460494d1a9d68109b3d7 (4.14.0-rc1)
 	NOTE: Issue backported to 4.12.3 and 4.13.1
 	NOTE: Fixed by: https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=58427889f5a420cc5226f88524b3228f90b72a58
-CVE-2021-3189
-	RESERVED
+CVE-2021-3189 (The slashify package 1.0.0 for Node.js allows open-redirect attacks, a ...)
+	TODO: check
 CVE-2021-3188 (phpList 3.6.0 allows CSV injection, related to the email parameter, an ...)
 	- phplist <itp> (bug #612288)
 CVE-2021-3187
@@ -15344,41 +15349,51 @@ CVE-2021-21158
 	RESERVED
 CVE-2021-21157
 	RESERVED
+	{DSA-4858-1}
 	- chromium 88.0.4324.182-1
 	[stretch] - chromium <end-of-life> (see DSA 4562)
 CVE-2021-21156
 	RESERVED
+	{DSA-4858-1}
 	- chromium 88.0.4324.182-1
 	[stretch] - chromium <end-of-life> (see DSA 4562)
 CVE-2021-21155
 	RESERVED
+	{DSA-4858-1}
 	- chromium 88.0.4324.182-1
 	[stretch] - chromium <end-of-life> (see DSA 4562)
 CVE-2021-21154
 	RESERVED
+	{DSA-4858-1}
 	- chromium 88.0.4324.182-1
 	[stretch] - chromium <end-of-life> (see DSA 4562)
 CVE-2021-21153
 	RESERVED
+	{DSA-4858-1}
 	- chromium 88.0.4324.182-1
 	[stretch] - chromium <end-of-life> (see DSA 4562)
 CVE-2021-21152
 	RESERVED
+	{DSA-4858-1}
 	- chromium 88.0.4324.182-1
 	[stretch] - chromium <end-of-life> (see DSA 4562)
 CVE-2021-21151
 	RESERVED
+	{DSA-4858-1}
 	- chromium 88.0.4324.182-1
 	[stretch] - chromium <end-of-life> (see DSA 4562)
 CVE-2021-21150
 	RESERVED
+	{DSA-4858-1}
 	- chromium 88.0.4324.182-1
 	[stretch] - chromium <end-of-life> (see DSA 4562)
 CVE-2021-21149
 	RESERVED
+	{DSA-4858-1}
 	- chromium 88.0.4324.182-1
 	[stretch] - chromium <end-of-life> (see DSA 4562)
 CVE-2021-21148 (Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 all ...)
+	{DSA-4858-1}
 	- chromium 88.0.4324.150-1
 	[stretch] - chromium <end-of-life> (see DSA 4562)
 CVE-2021-21147 (Inappropriate implementation in Skia in Google Chrome prior to 88.0.43 ...)
@@ -16751,10 +16766,10 @@ CVE-2021-20590
 	RESERVED
 CVE-2021-20589
 	RESERVED
-CVE-2021-20588
-	RESERVED
-CVE-2021-20587
-	RESERVED
+CVE-2021-20588 (Improper handling of length parameter inconsistency vulnerability in M ...)
+	TODO: check
+CVE-2021-20587 (Heap-based buffer overflow vulnerability in Mitsubishi Electric FA Eng ...)
+	TODO: check
 CVE-2021-20586 (Resource management errors vulnerability in a robot controller of MELF ...)
 	NOT-FOR-US: Mitsubishi
 CVE-2021-20585
@@ -18175,15 +18190,14 @@ CVE-2020-35501
 	NOTE: https://www.openwall.com/lists/oss-security/2021/02/18/1
 CVE-2020-35500
 	REJECTED
-CVE-2020-35499
-	RESERVED
+CVE-2020-35499 (A NULL pointer dereference flaw in kernel versions prior to 5.11 may b ...)
 	- linux 5.10.4-1
 	[buster] - linux <not-affected> (Vulnerable code introduced later)
 	[stretch] - linux <not-affected> (Vulnerable code introduced later)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1910048
 	NOTE: https://git.kernel.org/linus/f6b8c6b5543983e9de29dc14716bfa4eb3f157c4
 CVE-2020-35498 (A vulnerability was found in openvswitch. A limitation in the implemen ...)
-	{DSA-4852-1}
+	{DSA-4852-1 DLA-2571-1}
 	- openvswitch 2.15.0~git20210104.def6eb1ea+dfsg1-5 (bug #982493)
 	NOTE: master: https://github.com/openvswitch/ovs/commit/79349cbab0b2a755140eedb91833ad2760520a83
 	NOTE: 2.15: https://github.com/openvswitch/ovs/commit/0625dc79aec73b966f206e55655a2816696246d0
@@ -26910,8 +26924,8 @@ CVE-2020-28250 (Cellinx NVT Web Server 5.0.0.014b.test 2019-09-05 allows a remot
 	NOT-FOR-US: Cellinx NVT Web Server
 CVE-2020-28249 (Joplin 1.2.6 for Desktop allows XSS via a LINK element in a note. ...)
 	NOT-FOR-US: Joplin
-CVE-2020-28248
-	RESERVED
+CVE-2020-28248 (An integer overflow in the PngImg::InitStorage_() function of png-img  ...)
+	TODO: check
 CVE-2020-28247 (The lettre library through 0.10.0-alpha for Rust allows arbitrary send ...)
 	NOT-FOR-US: Node lettre
 CVE-2020-28246
@@ -27486,8 +27500,8 @@ CVE-2020-27999
 	RESERVED
 CVE-2020-27998 (An issue was discovered in FastReport before 2020.4.0. It lacks a Scri ...)
 	NOT-FOR-US: FastReport
-CVE-2020-27997
-	RESERVED
+CVE-2020-27997 (An issue was discovered in SmartStoreNET before 4.1.0. Lack of Cross S ...)
+	TODO: check
 CVE-2020-27996 (An issue was discovered in SmartStoreNET before 4.0.1. It does not pro ...)
 	NOT-FOR-US: SmartStoreNET
 CVE-2020-27995 (SQL Injection in Zoho ManageEngine Applications Manager 14 before 1456 ...)
@@ -28074,7 +28088,7 @@ CVE-2020-27828 (There's a flaw in jasper's jpc encoder in versions prior to 2.0.
 	NOTE: https://github.com/jasper-software/jasper/pull/253
 CVE-2020-27827 [lldp: avoid memory leak from bad packets]
 	RESERVED
-	{DSA-4836-1}
+	{DSA-4836-1 DLA-2571-1}
 	- lldpd 1.0.8-1
 	[buster] - lldpd <no-dsa> (Minor issue)
 	[stretch] - lldpd <no-dsa> (Minor issue)
@@ -28203,7 +28217,7 @@ CVE-2020-27786 (A flaw was found in the Linux kernels implementation of MIDI, wh
 	[stretch] - linux 4.9.228-1
 	NOTE: https://git.kernel.org/linus/c1f6e3c818dd734c30f6a7eeebf232ba2cf3181d
 CVE-2020-27785
-	RESERVED
+	REJECTED
 CVE-2020-27784
 	RESERVED
 CVE-2020-27783 (A XSS vulnerability was discovered in python-lxml's clean module. The  ...)
@@ -36137,8 +36151,8 @@ CVE-2020-24619 (In mainwindow.cpp in Shotcut before 20.09.13, the upgrade check
 	NOT-FOR-US: Shotcut
 CVE-2020-24618 (In JetBrains YouTrack versions before 2020.3.4313, 2020.2.11008, 2020. ...)
 	NOT-FOR-US: JetBrains
-CVE-2020-24617
-	RESERVED
+CVE-2020-24617 (Mailtrain through 1.24.1 allows SQL Injection in statsClickedSubscribe ...)
+	TODO: check
 CVE-2020-24616 (FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interact ...)
 	- jackson-databind 2.12.1-1
 	[buster] - jackson-databind <no-dsa> (Minor issue)
@@ -36641,10 +36655,10 @@ CVE-2020-24394 (In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS serv
 	[buster] - linux 4.19.131-1
 	[stretch] - linux <not-affected> (Vulnerable code introduced later)
 	NOTE: https://git.kernel.org/linus/22cf8419f1319ff87ec759d0ebdff4cbafaee832
-CVE-2020-24393
-	RESERVED
-CVE-2020-24392
-	RESERVED
+CVE-2020-24393 (TweetStream 2.6.1 uses the library eventmachine in an insecure way tha ...)
+	TODO: check
+CVE-2020-24392 (In voloko twitter-stream 0.1.10, missing TLS hostname validation allow ...)
+	TODO: check
 CVE-2020-24391
 	RESERVED
 CVE-2020-24390 (eonweb in EyesOfNetwork before 5.3-7 does not properly escape the user ...)
@@ -62380,8 +62394,8 @@ CVE-2020-12875 (Veritas APTARE versions prior to 10.4 did not perform adequate a
 	NOT-FOR-US: Veritas
 CVE-2020-12874 (Veritas APTARE versions prior to 10.4 included code that bypassed the  ...)
 	NOT-FOR-US: Veritas
-CVE-2020-12873
-	RESERVED
+CVE-2020-12873 (An issue was discovered in Alfresco Enterprise Content Management (ECM ...)
+	TODO: check
 CVE-2020-12872 (yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS  ...)
 	- erlang 1:21.2.6+dfsg-1 (low)
 	[stretch] - erlang 1:19.2.1+dfsg-2+deb9u3
@@ -63007,8 +63021,8 @@ CVE-2020-12670 (XSS exists in Webmin 1.941 and earlier affecting the Save functi
 	- webmin <removed>
 CVE-2020-12669 (core/get_menudiv.php in Dolibarr before 11.0.4 allows remote authentic ...)
 	- dolibarr <removed>
-CVE-2020-12668
-	RESERVED
+CVE-2020-12668 (Jinjava before 2.5.4 allow access to arbitrary classes by calling Java ...)
+	TODO: check
 CVE-2020-12667 (Knot Resolver before 5.1.1 allows traffic amplification via a crafted  ...)
 	- knot-resolver 5.1.1-0.1 (bug #961076)
 	NOTE: https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack/
@@ -160300,6 +160314,7 @@ CVE-2018-17208 (Linksys Velop 1.1.2.187020 devices allow unauthenticated command
 CVE-2018-17207 (An issue was discovered in Snap Creek Duplicator before 1.2.42. By acc ...)
 	NOT-FOR-US: Snap Creek Duplicator
 CVE-2018-17206 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6. The ...)
+	{DLA-2571-1}
 	- openvswitch 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-1
 	[jessie] - openvswitch <not-affected> (Vulnerable code does not exist; no such function)
 	NOTE: https://github.com/openvswitch/ovs/commit/5026a263d7846077eee540de42192d27da513226 (master)
@@ -160314,6 +160329,7 @@ CVE-2018-17205 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.
 	NOTE: https://github.com/openvswitch/ovs/commit/638d406e3b647359f3d82189d7a6ee56b4a54928 (branch-2.8)
 	NOTE: https://github.com/openvswitch/ovs/commit/0befd1f3745055c32940f5faf9559be6a14395e6 (branch-2.7)
 CVE-2018-17204 (An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, aff ...)
+	{DLA-2571-1}
 	- openvswitch 2.10.0+2018.08.28+git.8ca7c82b7d+ds1-1
 	[jessie] - openvswitch <not-affected> (Vulnerable code does not exist; no such function)
 	NOTE: https://github.com/openvswitch/ovs/commit/9740d81d94888cb158fa99a9366fe2b32b3e4aaa (master)
@@ -232848,6 +232864,7 @@ CVE-2017-9216 (libjbig2dec.a in Artifex jbig2dec 0.13, as used in MuPDF and Ghos
 CVE-2017-9215
 	RESERVED
 CVE-2017-9214 (In Open vSwitch (OvS) 2.7.0, while parsing an OFPT_QUEUE_GET_CONFIG_RE ...)
+	{DLA-2571-1}
 	[experimental] - openvswitch 2.8.1+dfsg1-1
 	- openvswitch 2.8.1+dfsg1-2 (bug #863228)
 	[jessie] - openvswitch <not-affected> (Vulnerable code not present)
@@ -292986,7 +293003,7 @@ CVE-2013-7445 (The Direct Rendering Manager (DRM) subsystem in the Linux kernel
 	- linux-2.6 <removed>
 	NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=60533
 CVE-2015-8011 (Buffer overflow in the lldp_decode function in daemon/protocols/lldp.c ...)
-	{DSA-4836-1}
+	{DSA-4836-1 DLA-2571-1}
 	- lldpd 0.7.19-1
 	[jessie] - lldpd 0.7.11-2+deb8u1
 	[wheezy] - lldpd <not-affected> (Vulnerable code not present)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b536ad2a399608743c1836a36933f126f10fb82e

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b536ad2a399608743c1836a36933f126f10fb82e
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210220/272d523b/attachment-0001.html>

More information about the debian-security-tracker-commits mailing list