[Git][security-tracker-team/security-tracker][master] 3 commits: Add workaround entry for libzstd
Salvatore Bonaccorso
carnil at debian.org
Sat Feb 20 09:53:16 GMT 2021
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ac350b95 by Salvatore Bonaccorso at 2021-02-20T10:02:04+01:00
Add workaround entry for libzstd
As so far no CVE assigned from the responsible CNA, add the temporary
workaround in data/CVE/list to correctly track the fix.
- - - - -
47d6e539 by Salvatore Bonaccorso at 2021-02-20T10:52:29+01:00
Process some NFUs
- - - - -
8347d115 by Salvatore Bonaccorso at 2021-02-20T10:52:52+01:00
Add two new owncloud issues
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,5 +1,5 @@
CVE-2021-27509 (In Visualware MyConnection Server before 11.0b build 5382, each publis ...)
- TODO: check
+ NOT-FOR-US: Visualware MyConnection Server
CVE-2021-27508
RESERVED
CVE-2021-27507
@@ -396,7 +396,7 @@ CVE-2021-27330
CVE-2021-27329 (Friendica 2021.01 allows SSRF via parse_url?binurl= for DNS lookups or ...)
NOT-FOR-US: Friendica
CVE-2021-27328 (Yeastar NeoGate TG400 91.3.0.3 devices are affected by Directory Trave ...)
- TODO: check
+ NOT-FOR-US: Yeastar NeoGate TG400 91.3.0.3 devices
CVE-2021-27327
RESERVED
CVE-2021-27326
@@ -623,7 +623,7 @@ CVE-2021-27216
CVE-2021-27215
RESERVED
CVE-2021-27214 (A Server-side request forgery (SSRF) vulnerability in the ProductConfi ...)
- TODO: check
+ NOT-FOR-US: Zoho ManageEngine ADSelfService Plus
CVE-2021-27213 (config.py in pystemon before 2021-02-13 allows code execution via YAML ...)
NOT-FOR-US: pystemon
CVE-2019-25019 (LimeSurvey before 4.0.0-RC4 allows SQL injection via the participant m ...)
@@ -1449,6 +1449,7 @@ CVE-2021-26910 (Firejail before 0.9.64.4 allows attackers to bypass intended acc
NOTE: https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/
CVE-2021-XXXX [zstd allows for race-opening files being compressed or uncompressed]
- libzstd 1.4.8+dfsg-2 (bug #982519)
+ [buster] - libzstd 1.3.8+dfsg-3+deb10u2
NOTE: https://github.com/facebook/zstd/issues/2491
CVE-2019-XXXX [zstd adds read permissions to files while being compressed or uncompressed]
- libzstd 1.4.8+dfsg-1 (bug #981404)
@@ -3976,7 +3977,7 @@ CVE-2021-3212
CVE-2021-3211
RESERVED
CVE-2021-3210 (components/Modals/HelpTexts/GenericAll/GenericAll.jsx in Bloodhound &l ...)
- TODO: check
+ NOT-FOR-US: Bloodhound
CVE-2021-3209
RESERVED
CVE-2021-3208
@@ -3988,7 +3989,7 @@ CVE-2021-3206
CVE-2021-3205
RESERVED
CVE-2021-3204 (SSRF in the document conversion component of Webware Webdesktop 5.1.15 ...)
- TODO: check
+ NOT-FOR-US: Webware Webdesktop
CVE-2021-3203
RESERVED
CVE-2021-3202
@@ -10759,11 +10760,11 @@ CVE-2021-22705
CVE-2021-22704
RESERVED
CVE-2021-22703 (A CWE-319: Cleartext transmission of sensitive information vulnerabili ...)
- TODO: check
+ NOT-FOR-US: PowerLogic
CVE-2021-22702 (A CWE-319: Cleartext transmission of sensitive information vulnerabili ...)
- TODO: check
+ NOT-FOR-US: PowerLogic
CVE-2021-22701 (A CWE-352: Cross-Site Request Forgery vulnerability exists in PowerLog ...)
- TODO: check
+ NOT-FOR-US: PowerLogic
CVE-2021-22700
RESERVED
CVE-2021-22699
@@ -14980,7 +14981,7 @@ CVE-2021-21320
CVE-2021-21319
RESERVED
CVE-2021-21318 (Opencast is a free, open-source platform to support the management of ...)
- TODO: check
+ NOT-FOR-US: Opencast
CVE-2021-21317 (uap-core in an open-source npm package which contains the core of Brow ...)
NOT-FOR-US: Node uap-core
CVE-2021-21316 (less-openui5 is an npm package which enables building OpenUI5 themes w ...)
@@ -16771,9 +16772,9 @@ CVE-2021-20590
CVE-2021-20589
RESERVED
CVE-2021-20588 (Improper handling of length parameter inconsistency vulnerability in M ...)
- TODO: check
+ NOT-FOR-US: Mitsubishi
CVE-2021-20587 (Heap-based buffer overflow vulnerability in Mitsubishi Electric FA Eng ...)
- TODO: check
+ NOT-FOR-US: Mitsubishi
CVE-2021-20586 (Resource management errors vulnerability in a robot controller of MELF ...)
NOT-FOR-US: Mitsubishi
CVE-2021-20585
@@ -27505,7 +27506,7 @@ CVE-2020-27999
CVE-2020-27998 (An issue was discovered in FastReport before 2020.4.0. It lacks a Scri ...)
NOT-FOR-US: FastReport
CVE-2020-27997 (An issue was discovered in SmartStoreNET before 4.1.0. Lack of Cross S ...)
- TODO: check
+ NOT-FOR-US: SmartStoreNET
CVE-2020-27996 (An issue was discovered in SmartStoreNET before 4.0.1. It does not pro ...)
NOT-FOR-US: SmartStoreNET
CVE-2020-27995 (SQL Injection in Zoho ManageEngine Applications Manager 14 before 1456 ...)
@@ -34948,7 +34949,7 @@ CVE-2020-25173 (An attacker with local network access can obtain a fixed cryptog
CVE-2020-25172 (A relative path traversal attack in the B. Braun OnlineSuite Version A ...)
NOT-FOR-US: B. Braun OnlineSuite Version AP
CVE-2020-25171 (The affected Fuji Electric V-Server Lite versions prior to 3.3.24.0 ar ...)
- TODO: check
+ NOT-FOR-US: Fuji Electric
CVE-2020-25170 (An Excel Macro Injection vulnerability exists in the export feature in ...)
NOT-FOR-US: B. Braun OnlineSuite Version AP
CVE-2020-25169 (The affected Reolink P2P products do not sufficiently protect data tra ...)
@@ -36156,7 +36157,7 @@ CVE-2020-24619 (In mainwindow.cpp in Shotcut before 20.09.13, the upgrade check
CVE-2020-24618 (In JetBrains YouTrack versions before 2020.3.4313, 2020.2.11008, 2020. ...)
NOT-FOR-US: JetBrains
CVE-2020-24617 (Mailtrain through 1.24.1 allows SQL Injection in statsClickedSubscribe ...)
- TODO: check
+ NOT-FOR-US: Mailtrain
CVE-2020-24616 (FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interact ...)
- jackson-databind 2.12.1-1
[buster] - jackson-databind <no-dsa> (Minor issue)
@@ -36660,7 +36661,7 @@ CVE-2020-24394 (In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS serv
[stretch] - linux <not-affected> (Vulnerable code introduced later)
NOTE: https://git.kernel.org/linus/22cf8419f1319ff87ec759d0ebdff4cbafaee832
CVE-2020-24393 (TweetStream 2.6.1 uses the library eventmachine in an insecure way tha ...)
- TODO: check
+ NOT-FOR-US: TweetStream
CVE-2020-24392 (In voloko twitter-stream 0.1.10, missing TLS hostname validation allow ...)
TODO: check
CVE-2020-24391
@@ -60826,7 +60827,7 @@ CVE-2020-13551 (An exploitable local privilege elevation vulnerability exists in
CVE-2020-13550 (A local file inclusion vulnerability exists in the installation functi ...)
NOT-FOR-US: Advantech WebAccess/SCADA
CVE-2020-13549 (An exploitable local privilege elevation vulnerability exists in the f ...)
- TODO: check
+ NOT-FOR-US: Sytech XL Reporter
CVE-2020-13548 (In Foxit Reader 10.1.0.37527, a specially crafted PDF document can tri ...)
NOT-FOR-US: Foxit Reader
CVE-2020-13547 (A type confusion vulnerability exists in the JavaScript engine of Foxi ...)
@@ -62400,7 +62401,7 @@ CVE-2020-12875 (Veritas APTARE versions prior to 10.4 did not perform adequate a
CVE-2020-12874 (Veritas APTARE versions prior to 10.4 included code that bypassed the ...)
NOT-FOR-US: Veritas
CVE-2020-12873 (An issue was discovered in Alfresco Enterprise Content Management (ECM ...)
- TODO: check
+ NOT-FOR-US: Alfresco Enterprise Content Management (ECM)
CVE-2020-12872 (yaws_config.erl in Yaws through 2.0.2 and/or 2.0.7 loads obsolete TLS ...)
- erlang 1:21.2.6+dfsg-1 (low)
[stretch] - erlang 1:19.2.1+dfsg-2+deb9u3
@@ -63027,7 +63028,7 @@ CVE-2020-12670 (XSS exists in Webmin 1.941 and earlier affecting the Save functi
CVE-2020-12669 (core/get_menudiv.php in Dolibarr before 11.0.4 allows remote authentic ...)
- dolibarr <removed>
CVE-2020-12668 (Jinjava before 2.5.4 allow access to arbitrary classes by calling Java ...)
- TODO: check
+ NOT-FOR-US: Jinjava
CVE-2020-12667 (Knot Resolver before 5.1.1 allows traffic amplification via a crafted ...)
- knot-resolver 5.1.1-0.1 (bug #961076)
NOTE: https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack/
@@ -63854,7 +63855,7 @@ CVE-2020-12376 (Use of hard-coded key in the BMC firmware for some Intel(R) Serv
CVE-2020-12375 (Heap overflow in the BMC firmware for some Intel(R) Server Boards, Ser ...)
NOT-FOR-US: Intel
CVE-2020-12374 (Buffer overflow in the BMC firmware for some Intel(R) Server Boards, S ...)
- TODO: check
+ NOT-FOR-US: Intel
CVE-2020-12373 (Expired pointer dereference in some Intel(R) Graphics Drivers before v ...)
NOT-FOR-US: Intel graphics drivers for Windows
CVE-2020-12372 (Unchecked return value in some Intel(R) Graphics Drivers before versio ...)
@@ -70900,11 +70901,11 @@ CVE-2020-10256 (An issue was discovered in beta versions of the 1Password comman
CVE-2020-10255 (Modern DRAM chips (DDR4 and LPDDR4 after 2015) are affected by a vulne ...)
NOT-FOR-US: Hardware vulnerabliity in DDR4 DRAM chips
CVE-2020-10254 (An issue was discovered in ownCloud before 10.4. An attacker can bypas ...)
- TODO: check
+ - owncloud <removed>
CVE-2020-10253
RESERVED
CVE-2020-10252 (An issue was discovered in ownCloud before 10.4. Because of an SSRF is ...)
- TODO: check
+ - owncloud <removed>
CVE-2020-10251 (In ImageMagick 7.0.9, an out-of-bounds read vulnerability exists withi ...)
- imagemagick 8:6.9.11.24+dfsg-1 (low; bug #953741)
[buster] - imagemagick <ignored> (Minor issue)
@@ -73797,7 +73798,7 @@ CVE-2020-9052
CVE-2020-9051
RESERVED
CVE-2020-9050 (Path Traversal vulnerability exists in Metasys Reporting Engine (MRE) ...)
- TODO: check
+ NOT-FOR-US: Metasys Reporting Engine (MRE) Web Services
CVE-2020-9049 (A vulnerability in specified versions of American Dynamics victor Web ...)
NOT-FOR-US: Sensormatic Electronics, LLC; a subsidiary of Johnson Controls
CVE-2020-9048 (A vulnerability in specified versions of American Dynamics victor Web ...)
@@ -99339,7 +99340,7 @@ CVE-2019-18257 (In Advantech DiagAnywhere Server, Versions 3.07.11 and prior, mu
CVE-2019-18256 (BIOTRONIK CardioMessenger II, The affected products use individual per ...)
NOT-FOR-US: BIOTRONIK CardioMessenge
CVE-2019-18255 (HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated u ...)
- TODO: check
+ NOT-FOR-US: HMI/SCADA iFIX
CVE-2019-18254 (BIOTRONIK CardioMessenger II, The affected products do not encrypt sen ...)
NOT-FOR-US: BIOTRONIK CardioMessenge
CVE-2019-18253 (An attacker could use specially crafted paths in a specific request to ...)
@@ -99363,7 +99364,7 @@ CVE-2019-18245 (Reliable Controls LicenseManager versions 3.4 and prior may allo
CVE-2019-18244 (In OSIsoft PI System multiple products and versions, a local attacker ...)
NOT-FOR-US: OSIsoft
CVE-2019-18243 (HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated u ...)
- TODO: check
+ NOT-FOR-US: HMI/SCADA iFIX
CVE-2019-18242 (In Moxa ioLogik 2500 series firmware, Version 3.0 or lower, and IOxpre ...)
NOT-FOR-US: Moxa
CVE-2019-18241 (In Philips IntelliBridge EC40 and EC80, IntelliBridge EC40 Hub all ver ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fd1859a8870126abf487e5b007ba1e2bedfa687a...8347d115940b73610d69cd2c0b6e9cdebf247666
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fd1859a8870126abf487e5b007ba1e2bedfa687a...8347d115940b73610d69cd2c0b6e9cdebf247666
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210220/e2aeab53/attachment.html>
More information about the debian-security-tracker-commits
mailing list