[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Wed Jan 6 20:17:17 GMT 2021



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e1da3684 by security tracker role at 2021-01-06T20:17:10+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,27 @@
+CVE-2021-3029
+	RESERVED
+CVE-2021-3028
+	RESERVED
+CVE-2021-22696
+	RESERVED
+CVE-2020-36177 (RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has an out-o ...)
+	TODO: check
+CVE-2020-36176 (The iThemes Security (formerly Better WP Security) plugin before 7.7.0 ...)
+	TODO: check
+CVE-2020-36175 (The Ninja Forms plugin before 3.4.27.1 for WordPress allows attackers  ...)
+	TODO: check
+CVE-2020-36174 (The Ninja Forms plugin before 3.4.27.1 for WordPress allows CSRF via s ...)
+	TODO: check
+CVE-2020-36173 (The Ninja Forms plugin before 3.4.28 for WordPress lacks escaping for  ...)
+	TODO: check
+CVE-2020-36172 (The Advanced Custom Fields plugin before 5.8.12 for WordPress mishandl ...)
+	TODO: check
+CVE-2020-36171 (The Elementor Website Builder plugin before 3.0.14 for WordPress does  ...)
+	TODO: check
+CVE-2020-36170 (The Ultimate Member plugin before 2.1.13 for WordPress mishandles hidd ...)
+	TODO: check
+CVE-2012-10001 (The Limit Login Attempts plugin before 1.7.1 for WordPress does not cl ...)
+	TODO: check
 CVE-2021-3027
 	RESERVED
 CVE-2021-3026 (Invision Community IPS Community Suite before 4.5.4.2 allows XSS durin ...)
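Review bot: CVE-2020-36177 is the one entry in this batch that needs real triage rather than a NOT-FOR-US tag: it describes an out-of-bounds access in RsaPad_PSS in wolfcrypt/src/rsa.c fixed in wolfSSL 4.6.0, and wolfssl is a Debian source package, so the TODO should be resolved with a `- wolfssl <fixed-version or unfixed>` line and a NOTE: pointing at the upstream fix rather than left pending. The eight WordPress plugin entries (CVE-2020-36170 through CVE-2020-36176 and CVE-2012-10001) cover third-party plugins not shipped by Debian and should follow the NOT-FOR-US convention used for the Belkin, Foxit and SolarWinds entries elsewhere in this file. CVE-2012-10001 sitting at the top despite its 2012 year is expected: the file lists new IDs in the order they are published, not by CVE year.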
@@ -3557,7 +3581,7 @@ CVE-2020-35719
 	RESERVED
 CVE-2020-35718
 	RESERVED
-CVE-2020-35717 (zonote <=0.4.0 allows XSS via crafted note, with resultant Remote C ...)
+CVE-2020-35717 (zonote through 0.4.0 allows XSS via a crafted note, with resultant Rem ...)
 	NOT-FOR-US: zonote
 CVE-2020-35716 (Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote attacker ...)
 	NOT-FOR-US: Belkin LINKSYS RE6500 devices
@@ -4154,8 +4178,8 @@ CVE-2021-21238
 	RESERVED
 CVE-2021-21237
 	RESERVED
-CVE-2021-21236
-	RESERVED
+CVE-2021-21236 (CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter base ...)
+	TODO: check
 CVE-2021-21235 (kamadak-exif is an exif parsing library written in pure Rust. In kamad ...)
 	- rust-kamadak-exif <unfixed>
 	NOTE: https://github.com/kamadak/exif-rs/security/advisories/GHSA-px9g-8hgv-jvg2
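Review bot: CVE-2021-21236 (CairoSVG) moves from RESERVED to TODO: check, but CairoSVG is packaged in Debian (src:cairosvg, binary python3-cairosvg), so this entry wants the same shape as the kamadak-exif entry directly below it: a `- cairosvg <fixed-version or unfixed>` line plus a NOTE: with the GitHub security advisory URL, and a suite line for buster/stretch if the affected code is present there. The truncated description only says it is an SVG converter; the fixed version and the nature of the flaw must come from the advisory before the TODO is closed.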
@@ -18346,20 +18370,20 @@ CVE-2020-27287
 	RESERVED
 CVE-2020-27286
 	RESERVED
-CVE-2020-27285
-	RESERVED
+CVE-2020-27285 (The default configuration of Crimson 3.1 (Build versions prior to 3119 ...)
+	TODO: check
 CVE-2020-27284
 	RESERVED
-CVE-2020-27283
-	RESERVED
+CVE-2020-27283 (An attacker could send a specially crafted message to Crimson 3.1 (Bui ...)
+	TODO: check
 CVE-2020-27282
 	RESERVED
 CVE-2020-27281
 	RESERVED
 CVE-2020-27280
 	RESERVED
-CVE-2020-27279
-	RESERVED
+CVE-2020-27279 (A NULL pointer deference vulnerability has been identified in the prot ...)
+	TODO: check
 CVE-2020-27278
 	RESERVED
 CVE-2020-27277
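Review bot: the three entries un-RESERVED here (CVE-2020-27285, CVE-2020-27283, CVE-2020-27279) read like one advisory for Crimson 3.1, but only the first two name the product in the visible text; CVE-2020-27279's description stops at "in the prot ..." and gives no vendor, so it should be checked against the full CVE text rather than tagged NOT-FOR-US by association with its neighbours. The wording "NULL pointer deference" is the upstream CVE description as imported; the list mirrors the feed text, so it should not be hand-corrected here.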
@@ -19569,8 +19593,8 @@ CVE-2020-26761
 	RESERVED
 CVE-2020-26760
 	RESERVED
-CVE-2020-26759
-	RESERVED
+CVE-2020-26759 (clickhouse-driver before 0.1.5 allows a malicious clickhouse server to ...)
+	TODO: check
 CVE-2020-26758
 	RESERVED
 CVE-2020-26757
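Review bot: CVE-2020-26759 describes a client-side flaw in clickhouse-driver before 0.1.5 in which a malicious ClickHouse server is the attacker, so the threat model is a client connecting to an untrusted or compromised server, not a server-side bug. Triage should first check whether the Python clickhouse-driver package is in the archive at all: if not, this is NOT-FOR-US; if it is, 0.1.5 is the comparison point for the fixed-version line.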
@@ -22204,7 +22228,7 @@ CVE-2020-25656 (A flaw was found in the Linux kernel. A use-after-free was found
 CVE-2020-25655 (An issue was discovered in ManagedClusterView API, that could allow se ...)
 	NOT-FOR-US: Red Hat open-cluster-management
 CVE-2020-25654 (An ACL bypass flaw was found in pacemaker. An attacker having a local  ...)
-	{DSA-4791-1}
+	{DSA-4791-1 DLA-2519-1}
 	- pacemaker 2.0.5~rc2-1 (bug #973254)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/10/27/1
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1888191
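Review bot: adding DLA-2519-1 beside DSA-4791-1 records that the stretch LTS update for the pacemaker ACL bypass has been issued. The same DLA is attached to CVE-2018-16878 and CVE-2018-16877 further down in this commit, so all three entries should be cross-checked against the DLA text to confirm it lists each ID; this entry carries no separate `[stretch]` status line, so the {DSA/DLA} marker is now the only stretch evidence visible here.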
@@ -49211,10 +49235,10 @@ CVE-2020-13547 (A type confusion vulnerability exists in the JavaScript engine o
 	NOT-FOR-US: Foxit
 CVE-2020-13546
 	RESERVED
-CVE-2020-13545
-	RESERVED
-CVE-2020-13544
-	RESERVED
+CVE-2020-13545 (An exploitable signed conversion vulnerability exists in the TextMaker ...)
+	TODO: check
+CVE-2020-13544 (An exploitable sign extension vulnerability exists in the TextMaker do ...)
+	TODO: check
 CVE-2020-13543 (A code execution vulnerability exists in the WebSocket functionality o ...)
 	{DSA-4797-1}
 	- webkit2gtk 2.30.3-1
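Review bot: CVE-2020-13545 and CVE-2020-13544 are a signed-conversion bug and a sign-extension bug in the same TextMaker document parser; TextMaker is part of a proprietary office suite with no Debian package, so both should resolve to NOT-FOR-US like the Foxit entry above them. Close the two TODOs as a pair, since both descriptions point at the same parser and the decision is the same for each.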
@@ -58391,14 +58415,14 @@ CVE-2019-20511 (ERPNext 11.1.47 allows blog?blog_category= Frame Injection. ...)
 	NOT-FOR-US: ERPNext
 CVE-2020-10659 (Entrust Entelligence Security Provider (ESP) before 10.0.60 on Windows ...)
 	NOT-FOR-US: Entrust Entelligence Security Provider (ESP)
-CVE-2020-10658
-	RESERVED
-CVE-2020-10657
-	RESERVED
-CVE-2020-10656
-	RESERVED
-CVE-2020-10655
-	RESERVED
+CVE-2020-10658 (The Proofpoint Insider Threat Management Server (formerly ObserveIT Se ...)
+	TODO: check
+CVE-2020-10657 (The Proofpoint Insider Threat Management Server (formerly ObserveIT Se ...)
+	TODO: check
+CVE-2020-10656 (The Proofpoint Insider Threat Management Server (formerly ObserveIT Se ...)
+	TODO: check
+CVE-2020-10655 (The Proofpoint Insider Threat Management Server (formerly ObserveIT Se ...)
+	TODO: check
 CVE-2020-10654 (Ping Identity PingID SSH before 4.0.14 contains a heap buffer overflow ...)
 	NOT-FOR-US: Ping Identity PingID
 CVE-2020-10653
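Review bot: the four Proofpoint Insider Threat Management Server entries (CVE-2020-10655 through CVE-2020-10658) are truncated to identical description text, so they cannot be told apart from this diff alone and the full CVE text is needed to confirm each really concerns the same product. All four cover a proprietary product that is not in the archive and should end up NOT-FOR-US, consistent with the Entrust and Ping Identity neighbours in the context lines.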
@@ -62574,8 +62598,8 @@ CVE-2012-6721 (Multiple cross-site request forgery (CSRF) vulnerabilities in the
 	NOT-FOR-US: SocialEngine
 CVE-2012-6720 (Multiple cross-site scripting (XSS) vulnerabilities in SocialEngine be ...)
 	NOT-FOR-US: SocialEngine
-CVE-2020-8884
-	RESERVED
+CVE-2020-8884 (rcdsvc in the Proofpoint Insider Threat Management Windows Agent (form ...)
+	TODO: check
 CVE-2020-8883 (This vulnerability allows remote attackers to disclose sensitive infor ...)
 	NOT-FOR-US: Foxit Studio Photo
 CVE-2020-8882 (This vulnerability allows remote attackers to execute arbitrary code o ...)
@@ -64433,8 +64457,8 @@ CVE-2020-8161 (A directory traversal vulnerability exists in rack < 2.2.0 tha
 	NOTE: Fixed by: https://github.com/rack/rack/commit/dddb7ad18ed79ca6ab06ccc417a169fde451246e
 	NOTE: Required followup: https://github.com/rack/rack/commit/e7ba1b0557d3ad97af1ef113bbeb5f27417983fa
 	NOTE: Test: https://github.com/rack/rack/commit/775c836bdd25b63340399fea739532d746860a94
-CVE-2020-8160
-	RESERVED
+CVE-2020-8160 (MendixSSO <= 2.1.1 contains endpoints that make use of the openid h ...)
+	TODO: check
 CVE-2020-8159 (There is a vulnerability in actionpack_page-caching gem < v1.2.1 th ...)
 	- ruby-actionpack-page-caching 1.2.2-1 (bug #960680)
 	[buster] - ruby-actionpack-page-caching <no-dsa> (Minor issue)
@@ -65486,7 +65510,7 @@ CVE-2020-7776 (This affects the package phpoffice/phpspreadsheet from 0.0.0. The
 	NOT-FOR-US: phpoffice/phpspreadsheet
 CVE-2020-7775
 	RESERVED
-CVE-2020-7774 (This affects the package y18n before 4.0.1 and 5.0.5. PoC by po6ix: co ...)
+CVE-2020-7774 (This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po ...)
 	- node-y18n 4.0.0-3 (bug #976390)
 	[buster] - node-y18n <no-dsa> (Minor issue)
 	[stretch] - node-y18n <no-dsa> (Minor issue)
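Review bot: the description update for CVE-2020-7774 adds 3.2.2 as the fixed release for the y18n 3.x branch (previously only 4.0.1 and 5.0.5 were listed). That matters for the `[buster]` and `[stretch] - node-y18n <no-dsa> (Minor issue)` lines: if those suites ship a 3.x node-y18n, there is now a specific upstream fix to backport, and the no-dsa decision should be re-evaluated against it rather than kept because the 3.x branch previously looked unfixed upstream.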
@@ -72621,15 +72645,15 @@ CVE-2020-5108
 CVE-2020-5107
 	RESERVED
 CVE-2020-5106
-	RESERVED
+	REJECTED
 CVE-2020-5105
-	RESERVED
+	REJECTED
 CVE-2020-5104
-	RESERVED
+	REJECTED
 CVE-2020-5103
-	RESERVED
+	REJECTED
 CVE-2020-5102
-	RESERVED
+	REJECTED
 CVE-2020-5101
 	REJECTED
 CVE-2020-5100
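Review bot: flipping CVE-2020-5102 through CVE-2020-5106 from RESERVED to REJECTED is consistent with CVE-2020-5101 directly below, which was already REJECTED; rejected IDs need no triage, so nothing further is required here beyond confirming the status comes from the CVE feed rather than a local edit.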
@@ -74163,8 +74187,8 @@ CVE-2020-4338 (IBM MQ 9.1.4 could allow a local attacker to obtain sensitive inf
 	NOT-FOR-US: IBM
 CVE-2020-4337 (IBM API Connect 2018.4.1.0 through 2018.4.1.12 could allow an attacker ...)
 	NOT-FOR-US: IBM
-CVE-2020-4336
-	RESERVED
+CVE-2020-4336 (IBM WebSphere eXtreme Scale 8.6.1 stores sensitive information in URL  ...)
+	TODO: check
 CVE-2020-4335
 	RESERVED
 CVE-2020-4334
@@ -92050,8 +92074,8 @@ CVE-2019-16964 (app/call_centers/cmd.php in the Call Center Queue Module in Fusi
 	NOT-FOR-US: FusionPBX
 CVE-2019-16963
 	RESERVED
-CVE-2019-16962
-	RESERVED
+CVE-2019-16962 (Zoho ManageEngine Desktop Central 10.0.430 allows HTML injection via a ...)
+	TODO: check
 CVE-2019-16961
 	RESERVED
 CVE-2019-16960 (SolarWinds Web Help Desk 12.7.0 allows XSS via a CSV template file wit ...)
@@ -92066,8 +92090,8 @@ CVE-2019-16956 (SolarWinds Web Help Desk 12.7.0 allows XSS via the Request Type
 	NOT-FOR-US: SolarWinds
 CVE-2019-16955 (SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG documen ...)
 	NOT-FOR-US: SolarWinds
-CVE-2019-16954
-	RESERVED
+CVE-2019-16954 (SolarWinds Web Help Desk 12.7.0 allows HTML injection via a Comment in ...)
+	TODO: check
 CVE-2019-16953
 	RESERVED
 CVE-2019-16952
@@ -149494,12 +149518,14 @@ CVE-2018-16880 (A flaw was found in the Linux kernel's handle_rx() function in t
 CVE-2018-16879 (Ansible Tower before version 3.3.3 does not set a secure channel as it ...)
 	NOT-FOR-US: Ansible Tower
 CVE-2018-16878 (A flaw was found in pacemaker up to and including version 2.0.1. An in ...)
+	{DLA-2519-1}
 	- pacemaker 2.0.1-3 (bug #927714)
 	NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/1
 	NOTE: https://github.com/ClusterLabs/pacemaker/pull/1749 (master)
 	NOTE: https://github.com/ClusterLabs/pacemaker/pull/1750 (1.1)
 	NOTE: https://lists.clusterlabs.org/pipermail/users/2019-May/025822.html
 CVE-2018-16877 (A flaw was found in the way pacemaker's client-server authentication w ...)
+	{DLA-2519-1}
 	- pacemaker 2.0.1-3 (bug #927714)
 	NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/1
 	NOTE: https://github.com/ClusterLabs/pacemaker/pull/1749 (master)
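Review bot: the DLA-2519-1 marker added to CVE-2018-16878 and CVE-2018-16877 is the stretch counterpart of the `pacemaker 2.0.1-3` fix already recorded for both, and it matches the DLA reference added to CVE-2020-25654 earlier in this commit; the 2018 entries otherwise keep their NOTE: links to the openwall posting and the upstream pull requests, so the only new information is that stretch is now covered by the LTS advisory.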



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1da36844d210ad9b59091fc288f5315f6761d38


