[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso
carnil at debian.org
Tue Feb 23 20:10:39 GMT 2021
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
cc4f806d by security tracker role at 2021-02-23T20:10:30+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,21 @@
+CVE-2021-27583 (** UNSUPPORTED WHEN ASSIGNED ** In Directus 8.x through 8.8.1, an atta ...)
+ TODO: check
+CVE-2021-27582 (org/mitre/oauth2/web/OAuthConfirmationController.java in the OpenID Co ...)
+ TODO: check
+CVE-2021-27581
+ RESERVED
+CVE-2021-27580
+ RESERVED
+CVE-2021-27579 (Snow Inventory Agent through 6.7.0 on Windows uses CPUID to report on ...)
+ TODO: check
+CVE-2021-27578
+ RESERVED
+CVE-2021-27577
+ RESERVED
+CVE-2021-27576
+ RESERVED
+CVE-2021-27575
+ RESERVED
CVE-2021-27574
RESERVED
CVE-2021-27573
@@ -49,8 +67,8 @@ CVE-2021-27552
RESERVED
CVE-2021-27551
RESERVED
-CVE-2021-27550
- RESERVED
+CVE-2021-27550 (Polaris Office v9.102.66 is affected by a divide-by-zero error in Pola ...)
+ TODO: check
CVE-2021-27549 (** DISPUTED ** Genymotion Desktop through 3.2.0 leaks the host's clipb ...)
NOT-FOR-US: Genymotion Desktop
CVE-2021-27548
@@ -1014,8 +1032,7 @@ CVE-2021-3407
RESERVED
CVE-2021-3406
RESERVED
-CVE-2021-3405
- RESERVED
+CVE-2021-3405 (A flaw was found in libebml before 1.4.2. A heap overflow bug exists i ...)
- libebml 1.4.2-1 (bug #982597)
NOTE: https://github.com/Matroska-Org/libebml/issues/74
CVE-2021-27104 (Accellion FTA 9_12_370 and earlier is affected by OS command execution ...)
@@ -1419,13 +1436,11 @@ CVE-2021-26929 (An XSS issue was discovered in Horde Groupware Webmail Edition t
NOTE: https://www.alexbirnberg.com/horde-xss.html
CVE-2021-26928
RESERVED
-CVE-2021-26927
- RESERVED
+CVE-2021-26927 (A flaw was found in jasper before 2.0.25. A null pointer dereference i ...)
- jasper <removed>
NOTE: https://github.com/jasper-software/jasper/issues/265
NOTE: https://github.com/jasper-software/jasper/commit/41f214b121b837fa30d9ca5f2430212110f5cd9b
-CVE-2021-26926
- RESERVED
+CVE-2021-26926 (A flaw was found in jasper before 2.0.25. An out of bounds read issue ...)
- jasper <removed>
NOTE: https://github.com/jasper-software/jasper/issues/264
NOTE: https://github.com/jasper-software/jasper/commit/41f214b121b837fa30d9ca5f2430212110f5cd9b
@@ -1985,26 +2000,26 @@ CVE-2021-26688 (An issue was discovered on LG Wing mobile devices with Android O
NOT-FOR-US: LG Wing mobile devices
CVE-2021-26687 (An issue was discovered on LG mobile devices with Android OS 8.0, 8.1, ...)
NOT-FOR-US: LG mobile devices
-CVE-2021-26686
- RESERVED
-CVE-2021-26685
- RESERVED
-CVE-2021-26684
- RESERVED
-CVE-2021-26683
- RESERVED
-CVE-2021-26682
- RESERVED
-CVE-2021-26681
- RESERVED
-CVE-2021-26680
- RESERVED
-CVE-2021-26679
- RESERVED
-CVE-2021-26678
- RESERVED
-CVE-2021-26677
- RESERVED
+CVE-2021-26686 (A remote authenticated SQL Injection vulnerabilitiy was discovered in ...)
+ TODO: check
+CVE-2021-26685 (A remote authenticated SQL Injection vulnerabilitiy was discovered in ...)
+ TODO: check
+CVE-2021-26684 (A remote authenticated command injection vulnerability was discovered ...)
+ TODO: check
+CVE-2021-26683 (A remote authenticated command injection vulnerability was discovered ...)
+ TODO: check
+CVE-2021-26682 (A remote reflected cross-site scripting (XSS) vulnerability was discov ...)
+ TODO: check
+CVE-2021-26681 (A remote authenticated command Injection vulnerability was discovered ...)
+ TODO: check
+CVE-2021-26680 (A remote authenticated command injection vulnerability was discovered ...)
+ TODO: check
+CVE-2021-26679 (A remote authenticated command injection vulnerability was discovered ...)
+ TODO: check
+CVE-2021-26678 (A remote unauthenticated stored cross-site scripting (XSS) vulnerabili ...)
+ TODO: check
+CVE-2021-26677 (A local authenticated escalation of privilege vulnerability was discov ...)
+ TODO: check
CVE-2021-3399
RESERVED
CVE-2021-3398
@@ -2195,12 +2210,12 @@ CVE-2021-26597
RESERVED
CVE-2021-26596
RESERVED
-CVE-2021-26595
- RESERVED
-CVE-2021-26594
- RESERVED
-CVE-2021-26593
- RESERVED
+CVE-2021-26595 (** UNSUPPORTED WHEN ASSIGNED ** In Directus 8.x through 8.8.1, an atta ...)
+ TODO: check
+CVE-2021-26594 (** UNSUPPORTED WHEN ASSIGNED ** In Directus 8.x through 8.8.1, an atta ...)
+ TODO: check
+CVE-2021-26593 (** UNSUPPORTED WHEN ASSIGNED ** In Directus 8.x through 8.8.1, an atta ...)
+ TODO: check
CVE-2021-26592
RESERVED
CVE-2021-26591
@@ -4042,8 +4057,8 @@ CVE-2021-3254
RESERVED
CVE-2021-3253
RESERVED
-CVE-2021-3252
- RESERVED
+CVE-2021-3252 (KACO New Energy XP100U Up to XP-JAVA 2.0 is affected by incorrect acce ...)
+ TODO: check
CVE-2021-3251
RESERVED
CVE-2021-3250
@@ -4736,8 +4751,7 @@ CVE-2021-25632
RESERVED
CVE-2021-25631
RESERVED
-CVE-2021-25630
- RESERVED
+CVE-2021-25630 ("loolforkit" is a privileged program that is supposed to be run by a s ...)
NOT-FOR-US: libreoffice online
CVE-2021-25629
RESERVED
@@ -10592,8 +10606,8 @@ CVE-2021-22883
- nodejs <unfixed>
[stretch] - nodejs <ignored> (Nodejs in stretch not covered by security support)
NOTE: https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/
-CVE-2021-22882
- RESERVED
+CVE-2021-22882 (UniFi Protect before v1.17.1 allows an attacker to use spoofed cameras ...)
+ TODO: check
CVE-2021-22881 (The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3 ...)
- rails 2:6.0.3.5+dfsg-1
[stretch] - rails <not-affected> (host_authorization.rb added later)
@@ -11218,8 +11232,8 @@ CVE-2021-22653 (Multiple out-of-bounds write issues have been identified in the
NOT-FOR-US: Fuji Electric
CVE-2021-22652 (Access to the Advantech iView versions prior to v5.7.03.6112 configura ...)
NOT-FOR-US: Advantech iView
-CVE-2021-22651
- RESERVED
+CVE-2021-22651 (When loading a specially crafted file, Luxion KeyShot versions prior t ...)
+ TODO: check
CVE-2021-22650
RESERVED
CVE-2021-22649 (Luxion KeyShot versions prior to 10.1, Luxion KeyShot Viewer versions ...)
@@ -12320,10 +12334,9 @@ CVE-2021-22115
RESERVED
CVE-2021-22114
RESERVED
-CVE-2021-22113
- RESERVED
-CVE-2021-22112
- RESERVED
+CVE-2021-22113 (Applications using the “Sensitive Headers” functionality i ...)
+ TODO: check
+CVE-2021-22112 (Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5. ...)
NOT-FOR-US: Jenkins
CVE-2021-22111
RESERVED
@@ -17653,8 +17666,7 @@ CVE-2021-20249
RESERVED
CVE-2021-20248
RESERVED
-CVE-2021-20247 [isync/mbsync data leak/destruction vulnerability]
- RESERVED
+CVE-2021-20247 (A flaw was found in mbsync before v1.3.5 and v1.4.1. Validations of th ...)
- isync <unfixed> (bug #983351)
[buster] - isync <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/02/22/1
@@ -17687,7 +17699,7 @@ CVE-2021-20243 [Division by zero in GetResizeFilterWeight in MagickCore/resize.c
NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/9751bd619872c8e58609fbed56c4827afa083b40
TODO: check
CVE-2021-20242
- RESERVED
+ REJECTED
NOTE: Duplicate of CVE-2021-20176, pending rejection of assigning CNA
CVE-2021-20241 [Division by zero in WriteJP2Image() in coders/jp2.c]
RESERVED
@@ -17748,16 +17760,14 @@ CVE-2021-20232
RESERVED
CVE-2021-20231
RESERVED
-CVE-2021-20230 [client certificate not correctly verified when redirect and verifyChain options are used]
- RESERVED
+CVE-2021-20230 (A flaw was found in stunnel before 5.57, where it improperly validates ...)
- stunnel4 <unfixed> (bug #982578)
[stretch] - stunnel4 <not-affected> (Re-ordering of redirect/accept/reject checks performed in stunnel 5.41b8)
NOTE: https://github.com/mtrojnar/stunnel/commit/ebad9ddc4efb2635f37174c9d800d06206f1edf9
NOTE: Isolated fix only the changes in src/verify.c:
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1177580#c2
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1925226
-CVE-2021-20229 [postgres: information leak in some select statements]
- RESERVED
+CVE-2021-20229 (A flaw was found in PostgreSQL in versions before 13.2, before 12.6, b ...)
- postgresql-13 13.2-1
NOTE: https://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-9525-released-2165/
CVE-2021-20228 [basic.py no_log with fallback option]
@@ -17776,8 +17786,7 @@ CVE-2021-20227
NOTE: https://sqlite.org/src/info/30a4c323650cc949
NOTE: Patch: https://github.com/sqlite/sqlite/commit/f39168e468af3b1d6b6d37efdcb081eced6724b2
NOTE: Introduced in https://github.com/sqlite/sqlite/commit/896366282dae3789fb277c2dad8660784a0895a3
-CVE-2021-20226
- RESERVED
+CVE-2021-20226 (A use-after-free flaw was found in the io_uring in Linux kernel, where ...)
- linux 5.10.4-1
[buster] - linux <not-affected> (Vulnerable code introduced later)
[stretch] - linux <not-affected> (Vulnerable code introduced later)
@@ -17797,8 +17806,7 @@ CVE-2021-20221 [GIC: out-of-bound heap buffer access via an interrupt ID field]
- qemu 1:5.2+dfsg-4
NOTE: https://www.openwall.com/lists/oss-security/2021/02/05/1
NOTE: https://gitlab.com/qemu-project/qemu/-/commit/edfe2eb4360cde4ed5d95bda7777edcb3510f76a
-CVE-2021-20220
- RESERVED
+CVE-2021-20220 (A flaw was found in Undertow. A regression in the fix for CVE-2020-106 ...)
- undertow <undetermined>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1923133
TODO: CVE for incomplete fix for CVE-2020-10687 but not clear if affected any Debian released version
@@ -17913,8 +17921,7 @@ CVE-2021-20199 (Rootless containers run with Podman, receive all traffic with a
NOTE: For Podman v3.0: https://github.com/containers/podman/pull/9225 (v3.0.0-rc3)
NOTE: Issue in podman was fixed by linking against rootlesskit 0.12, and Debian updated
NOTE: ahead of time
-CVE-2021-20198
- RESERVED
+CVE-2021-20198 (A flaw was found in the OpenShift Installer before version v0.9.0-mast ...)
NOT-FOR-US: OpenShift
CVE-2021-20197
RESERVED
@@ -24710,8 +24717,8 @@ CVE-2020-28588 [lib/syscall: fix syscall registers retrieval on 32-bit platforms
[stretch] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/4f134b89a24b965991e7c345b9a4591821f7c2a6
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1211
-CVE-2020-28587
- RESERVED
+CVE-2020-28587 (A specially crafted document can cause the document parser to copy dat ...)
+ TODO: check
CVE-2020-28586
RESERVED
CVE-2020-28585
@@ -25207,14 +25214,14 @@ CVE-2020-28434
RESERVED
CVE-2020-28433
RESERVED
-CVE-2020-28432
- RESERVED
-CVE-2020-28431
- RESERVED
-CVE-2020-28430
- RESERVED
-CVE-2020-28429
- RESERVED
+CVE-2020-28432 (All versions of package theme-core are vulnerable to Command Injection ...)
+ TODO: check
+CVE-2020-28431 (All versions of package wc-cmd are vulnerable to Command Injection via ...)
+ TODO: check
+CVE-2020-28430 (All versions of package nuance-gulp-build-common are vulnerable to Com ...)
+ TODO: check
+CVE-2020-28429 (All versions of package geojson2kml are vulnerable to Command Injectio ...)
+ TODO: check
CVE-2020-28428
RESERVED
CVE-2020-28427
@@ -28448,8 +28455,7 @@ CVE-2020-27783 (A XSS vulnerability was discovered in python-lxml's clean module
- lxml 4.6.2-1
NOTE: https://github.com/lxml/lxml/commit/89e7aad6e7ff9ecd88678ff25f885988b184b26e (lxml-4.6.1)
NOTE: https://github.com/lxml/lxml/commit/a105ab8dc262ec6735977c25c13f0bdfcdec72a7 (lxml-4.6.2)
-CVE-2020-27782
- RESERVED
+CVE-2020-27782 (A flaw was found in the Undertow AJP connector. Malicious requests and ...)
- undertow 2.2.4-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1901304
NOTE: https://issues.redhat.com/browse/UNDERTOW-1824
@@ -31630,8 +31636,8 @@ CVE-2020-26611
RESERVED
CVE-2020-26610
RESERVED
-CVE-2020-26609
- RESERVED
+CVE-2020-26609 (fastadmin V1.0.0.20200506_beta contains a cross-site scripting (XSS) v ...)
+ TODO: check
CVE-2020-26608
RESERVED
CVE-2020-26607 (An issue was discovered in TimaService on Samsung mobile devices with ...)
@@ -33868,7 +33874,7 @@ CVE-2020-25679
CVE-2020-25678 (A flaw was found in ceph in versions prior to 16.y.z where ceph stores ...)
- ceph <unfixed>
NOTE: https://tracker.ceph.com/issues/37503
-CVE-2020-25677 (Ceph-ansible 4.0.34.1 creates /etc/ceph/iscsi-gateway.conf with insecu ...)
+CVE-2020-25677 (A flaw was found in Ceph-ansible v4.0.41 where it creates an /etc/ceph ...)
NOT-FOR-US: ceph Ansible module
CVE-2020-25676 (In CatromWeights(), MeshInterpolate(), InterpolatePixelChannel(), Inte ...)
- imagemagick 8:6.9.11.24+dfsg-1
@@ -35185,8 +35191,8 @@ CVE-2020-25163
RESERVED
CVE-2020-25162
RESERVED
-CVE-2020-25161
- RESERVED
+CVE-2020-25161 (The WADashboard component of WebAccess/SCADA Versions 9.0 and prior ma ...)
+ TODO: check
CVE-2020-25160
RESERVED
CVE-2020-25159 (499ES EtherNet/IP (ENIP) Adaptor Source Code is vulnerable to a stack- ...)
@@ -53492,8 +53498,8 @@ CVE-2020-16245 (Advantech iView, Versions 5.7 and prior. The affected product is
NOT-FOR-US: Advantech
CVE-2020-16244 (GE Digital APM Classic, Versions 4.4 and prior. Salt is not used for h ...)
NOT-FOR-US: GE Digital APM Classic
-CVE-2020-16243
- RESERVED
+CVE-2020-16243 (Multiple buffer overflow vulnerabilities exist when LeviStudioU (Versi ...)
+ TODO: check
CVE-2020-16242 (The affected Reason S20 Ethernet Switch is vulnerable to cross-site sc ...)
NOT-FOR-US: General Electric
CVE-2020-16241 (Philips SureSigns VS4, A.07.107 and prior. The software does not restr ...)
@@ -58711,8 +58717,7 @@ CVE-2020-14360 (A flaw was found in the X.Org Server before version 1.20.10. An
{DSA-4803-1 DLA-2486-1}
- xorg-server 2:1.20.10-1 (bug #976216)
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/446ff2d3177087b8173fa779fa5b77a2a128988b
-CVE-2020-14359
- RESERVED
+CVE-2020-14359 (A vulnerability was found in all versions of keycloak, where on using ...)
NOT-FOR-US: Keycloak
CVE-2020-14358
RESERVED
@@ -60649,8 +60654,8 @@ CVE-2020-13699 (TeamViewer Desktop for Windows before 15.8.3 does not properly q
NOT-FOR-US: TeamViewer Desktop
CVE-2020-13698
RESERVED
-CVE-2020-13697
- RESERVED
+CVE-2020-13697 (An issue was discovered in RouterNanoHTTPD.java in NanoHTTPD through 2 ...)
+ TODO: check
CVE-2020-13696 (An issue was discovered in LinuxTV xawtv before 3.107. The function de ...)
{DLA-2246-1}
- xawtv 3.107-1 (bug #962221)
@@ -74377,8 +74382,8 @@ CVE-2020-8903 (A vulnerability in Google Cloud Platform's guest-oslogin versions
- google-compute-image-packages <unfixed>
NOTE: https://cloud.google.com/compute/docs/security-bulletins#2020619
NOTE: https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29
-CVE-2020-8902
- RESERVED
+CVE-2020-8902 (Rendertron versions prior to 3.0.0 are are susceptible to a Server-Sid ...)
+ TODO: check
CVE-2020-8901
RESERVED
CVE-2020-8900
@@ -75882,8 +75887,8 @@ CVE-2020-8299
RESERVED
CVE-2020-8298
RESERVED
-CVE-2020-8297
- RESERVED
+CVE-2020-8297 (Nextcloud Deck before 1.0.2 suffers from an insecure direct object ref ...)
+ TODO: check
CVE-2020-8296
RESERVED
CVE-2020-8295 (A wrong check in Nextcloud Server 19 and prior allowed to perform a de ...)
@@ -77188,8 +77193,8 @@ CVE-2020-7849 (A vulnerability of uPrism.io CURIX(Video conferecing solution) co
NOT-FOR-US: uPrism.io CURIX
CVE-2020-7848 (The EFM ipTIME C200 IP Camera is affected by a Command Injection vulne ...)
NOT-FOR-US: EFM ipTIME C200 IP Camera
-CVE-2020-7847
- RESERVED
+CVE-2020-7847 (The ipTIME NAS product allows an arbitrary file upload vulnerability i ...)
+ TODO: check
CVE-2020-7846
RESERVED
CVE-2020-7845 (Spamsniper 5.0 ~ 5.2.7 contain a stack-based buffer overflow vulnerabi ...)
@@ -78807,8 +78812,8 @@ CVE-2020-7122 (Two memory corruption vulnerabilities in the Aruba CX Switches Se
NOT-FOR-US: Aruba
CVE-2020-7121 (Two memory corruption vulnerabilities in the Aruba CX Switches Series ...)
NOT-FOR-US: Aruba
-CVE-2020-7120
- RESERVED
+CVE-2020-7120 (A local authenticated buffer overflow vulnerability was discovered in ...)
+ TODO: check
CVE-2020-7119 (A vulnerability exists in the Aruba Analytics and Location Engine (ALE ...)
NOT-FOR-US: Aruba
CVE-2020-7118
@@ -84790,8 +84795,8 @@ CVE-2020-4955 (IBM Spectrum Protect Operations Center 7.1 and 8.1could allow a r
NOT-FOR-US: IBM
CVE-2020-4954 (IBM Spectrum Protect Operations Center 7.1 and 8.1 could allow a remot ...)
NOT-FOR-US: IBM
-CVE-2020-4953
- RESERVED
+CVE-2020-4953 (IBM Planning Analytics 2.0 could allow a remote authenticated attacker ...)
+ TODO: check
CVE-2020-4952 (IBM Security Guardium 11.2 could allow an authenticated user to gain r ...)
NOT-FOR-US: IBM
CVE-2020-4951
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc4f806de295ce46741b56078f214c62fd78da33
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc4f806de295ce46741b56078f214c62fd78da33
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210223/ba439431/attachment.htm>
More information about the debian-security-tracker-commits
mailing list