[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Wed Jun 2 21:10:30 BST 2021
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
fb29a3ea by security tracker role at 2021-06-02T20:10:22+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,29 @@
+CVE-2021-3577
+ RESERVED
+CVE-2021-3576
+ RESERVED
+CVE-2021-3575
+ RESERVED
+CVE-2021-3574
+ RESERVED
+CVE-2021-33804
+ RESERVED
+CVE-2021-33803
+ RESERVED
+CVE-2021-33802
+ RESERVED
+CVE-2021-33801
+ RESERVED
+CVE-2021-33800
+ RESERVED
+CVE-2021-33799
+ RESERVED
+CVE-2021-33798
+ RESERVED
+CVE-2021-33797
+ RESERVED
+CVE-2021-33796
+ RESERVED
CVE-2021-3573
RESERVED
CVE-2021-33795
@@ -2713,8 +2739,7 @@ CVE-2021-32576
CVE-2021-32606 (In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net/can/i ...)
- linux <not-affected> (Vulnerable code introduced later)
NOTE: https://www.openwall.com/lists/oss-security/2021/05/11/16
-CVE-2021-3545 [vhost-user-gpu: information disclosure due to uninitialized memory read]
- RESERVED
+CVE-2021-3545 (An information disclosure vulnerability was found in the virtio vhost- ...)
- qemu <unfixed> (bug #989042)
[bullseye] - qemu <no-dsa> (Minor issue)
[buster] - qemu <no-dsa> (Minor issue)
@@ -2722,8 +2747,7 @@ CVE-2021-3545 [vhost-user-gpu: information disclosure due to uninitialized memor
NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01155.html
NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01153.html
NOTE: https://gitlab.com/qemu-project/qemu/-/commit/121841b2
-CVE-2021-3544 [vhost-user-gpu: multiple memory leaks]
- RESERVED
+CVE-2021-3544 (Several memory leaks were found in the virtio vhost-user GPU device (v ...)
- qemu <unfixed> (bug #989042)
[bullseye] - qemu <no-dsa> (Minor issue)
[buster] - qemu <no-dsa> (Minor issue)
@@ -2951,8 +2975,7 @@ CVE-2021-32563 (An issue was discovered in Thunar before 4.16.7 and 4.17.x befor
NOTE: Fixed by: https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b
NOTE: Regression fix: https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664
NOTE: Regression: https://gitlab.xfce.org/xfce/thunar/-/issues/575
-CVE-2021-3546
- RESERVED
+CVE-2021-3546 (A flaw was found in vhost-user-gpu of QEMU in versions up to and inclu ...)
- qemu <unfixed> (bug #989042)
[bullseye] - qemu <no-dsa> (Minor issue)
[buster] - qemu <no-dsa> (Minor issue)
@@ -3808,8 +3831,7 @@ CVE-2021-32078
RESERVED
CVE-2021-3539
RESERVED
-CVE-2021-3538
- RESERVED
+CVE-2021-3538 (A flaw was found in github.com/satori/go.uuid in versions from commit ...)
- golang-github-satori-go.uuid <not-affected> (Vulnerable code introduced later and not in any released version)
NOTE: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488
NOTE: Possibly introduced by: https://github.com/satori/go.uuid/commit/0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c
@@ -4091,8 +4113,7 @@ CVE-2021-3531 (A flaw was found in the Red Hat Ceph Storage RGW in versions befo
NOTE: Nautilus: https://github.com/ceph/ceph/commit/f44a8ae8aa27ecef69528db9aec220f12492810e
NOTE: Octopus: https://github.com/ceph/ceph/commit/b87e64e3206210580f4a6df2d77f9ae3f1033039
NOTE: Pacific: https://github.com/ceph/ceph/commit/bf06990ab41d7ac299e4441ad9cd434e926a18e7
-CVE-2021-3530
- RESERVED
+CVE-2021-3530 (A flaw was discovered in GNU libiberty within demangle_path() in rust- ...)
- binutils <unfixed> (unimportant)
NOTE: https://bugs.launchpad.net/ubuntu/+source/binutils/+bug/1925348
NOTE: binutils not covered by security support
@@ -4128,8 +4149,7 @@ CVE-2021-31997
RESERVED
CVE-2021-31996 (An issue was discovered in the algorithmica crate through 2021-03-07 f ...)
NOT-FOR-US: Rust crate algorithmica
-CVE-2021-3529
- RESERVED
+CVE-2021-3529 (A flaw was found in noobaa-core in versions before 5.7.0. This flaw re ...)
NOT-FOR-US: noobaa
CVE-2021-31995
RESERVED
@@ -4306,8 +4326,7 @@ CVE-2021-3524 (A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object
NOTE: Fixed by: https://github.com/ceph/ceph/commit/763aebb94678018f89427137ffbc0c5205b1edc1
CVE-2021-3523
RESERVED
-CVE-2021-31921
- RESERVED
+CVE-2021-31921 (Istio before 1.8.6 and 1.9.x before 1.9.5, when a gateway is using the ...)
NOT-FOR-US: Istio
CVE-2021-31920 (Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely exploitable v ...)
NOT-FOR-US: Istio
@@ -4463,8 +4482,7 @@ CVE-2020-36327 (Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes
NOTE: https://github.com/rubygems/rubygems/issues/3982
CVE-2021-3521
RESERVED
-CVE-2021-3520 [memory corruption due to an integer overflow bug caused by memmove argument]
- RESERVED
+CVE-2021-3520 (There's a flaw in lz4. An attacker who submits a crafted file to an ap ...)
{DSA-4919-1 DLA-2657-1}
- lz4 1.9.3-2 (bug #987856)
NOTE: https://github.com/lz4/lz4/pull/972
@@ -4511,8 +4529,8 @@ CVE-2021-31857
RESERVED
CVE-2021-31856 (A SQL Injection vulnerability in the REST API in Layer5 Meshery 0.5.2 ...)
NOT-FOR-US: Layer Meshery
-CVE-2021-31855
- RESERVED
+CVE-2021-31855 (KDE Messagelib through 5.17.0 reveals cleartext of encrypted messages ...)
+ TODO: check
CVE-2021-31854
RESERVED
CVE-2021-31853
@@ -6052,8 +6070,7 @@ CVE-2021-31215 (SchedMD Slurm before 20.02.7 and 20.03.x through 20.11.x before
- slurm-llnl <removed>
[stretch] - slurm-llnl <not-affected> (env is already SPANKed)
NOTE: https://github.com/SchedMD/slurm/commit/a9e9e2fedbd200ca545ab67dd753bd52c919f236 (2.11.7)
-CVE-2021-3499
- RESERVED
+CVE-2021-3499 (A vulnerability was found in OVN Kubernetes in versions up to and incl ...)
NOT-FOR-US: Openshift/ovn-kubernetes
CVE-2021-31214 (Visual Studio Code Remote Code Execution Vulnerability This CVE ID is ...)
NOT-FOR-US: Microsoft
@@ -7255,8 +7272,7 @@ CVE-2021-XXXX [out of bounds reads in ASF demuxer]
NOTE: https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/issues/37
NOTE: https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/commit/3aba7d1e625554b2407bc77b3d09b4928b937d5f (master)
NOTE: https://gitlab.freedesktop.org/gstreamer/gst-plugins-ugly/-/commit/9726aaf78e6643a5955864f444852423de58de29 (1.18.4)
-CVE-2021-3522 [invalid reads during ID3v2 tag parsing]
- RESERVED
+CVE-2021-3522 (GStreamer before 1.18.4 may perform an out-of-bounds read when handlin ...)
{DSA-4903-1 DLA-2641-1}
- gst-plugins-base1.0 1.18.4-2
NOTE: https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/issues/876
@@ -7809,8 +7825,8 @@ CVE-2021-3486 (GLPi 9.5.4 does not sanitize the metadata. This way its possible
NOTE: https://github.com/Kitsun3Sec/exploits/tree/master/cms/GLPI/GLPI-stored-XSS
CVE-2021-30475
RESERVED
-CVE-2021-30474
- RESERVED
+CVE-2021-30474 (aom_dsp/grain_table.c in libaom in AOMedia before 2021-03-30 has a use ...)
+ TODO: check
CVE-2021-30473 (aom_image.c in libaom in AOMedia before 2021-04-07 frees memory that i ...)
- aom <unfixed> (bug #988211)
NOTE: https://aomedia.googlesource.com/aom/+/4efe20e99dcd9b6f8eadc8de8acc825be7416578
@@ -8993,6 +9009,7 @@ CVE-2021-29968
RESERVED
CVE-2021-29967
RESERVED
+ {DSA-4925-1}
- firefox-esr 78.11.0esr-1
- firefox 89.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-24/#CVE-2021-29967
@@ -10793,8 +10810,7 @@ CVE-2021-3470 (A heap overflow issue was found in Redis in versions before 5.0.1
CVE-2021-3469
RESERVED
- foreman <itp> (bug #663101)
-CVE-2021-3468 [Local DoS by event-busy-loop from writing long lines to /run/avahi-daemon/socket]
- RESERVED
+CVE-2021-3468 (A flaw was found in avahi in versions 0.6 up to 0.8. The event used to ...)
- avahi <unfixed> (bug #984938)
[bullseye] - avahi <no-dsa> (Minor issue)
[buster] - avahi <no-dsa> (Minor issue)
@@ -12109,32 +12125,28 @@ CVE-2021-28680
RESERVED
CVE-2021-28679
RESERVED
-CVE-2021-28678
- RESERVED
+CVE-2021-28678 (An issue was discovered in Pillow before 8.2.0. For BLP data, BlpImage ...)
[experimental] - pillow 8.2.0-1
- pillow <unfixed> (bug #989062)
[buster] - pillow <no-dsa> (Minor issue)
[stretch] - pillow <no-dsa> (Minor issue)
NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos
NOTE: https://github.com/python-pillow/Pillow/commit/496245aa4365d0827390bd0b6fbd11287453b3a1
-CVE-2021-28677
- RESERVED
+CVE-2021-28677 (An issue was discovered in Pillow before 8.2.0. For EPS data, the read ...)
[experimental] - pillow 8.2.0-1
- pillow <unfixed> (bug #989062)
[buster] - pillow <no-dsa> (Minor issue)
[stretch] - pillow <no-dsa> (Minor issue)
NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open
NOTE: https://github.com/python-pillow/Pillow/commit/5a5e6db0abf4e7a638fb1b3408c4e495a096cb92
-CVE-2021-28676
- RESERVED
+CVE-2021-28676 (An issue was discovered in Pillow before 8.2.0. For FLI data, FliDecod ...)
[experimental] - pillow 8.2.0-1
- pillow <unfixed> (bug #989062)
[buster] - pillow <no-dsa> (Minor issue)
[stretch] - pillow <no-dsa> (Minor issue)
NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos
NOTE: https://github.com/python-pillow/Pillow/commit/bb6c11fb889e6c11b0ee122b828132ee763b5856
-CVE-2021-28675
- RESERVED
+CVE-2021-28675 (An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.PsdImag ...)
[experimental] - pillow 8.2.0-1
- pillow <unfixed> (bug #989062)
[buster] - pillow <no-dsa> (Minor issue)
@@ -16182,7 +16194,7 @@ CVE-2021-26942
CVE-2021-26941
RESERVED
CVE-2021-26940
- RESERVED
+ REJECTED
CVE-2021-26939 (** DISPUTED ** An information disclosure issue exists in henriquedorna ...)
NOT-FOR-US: henriquedornas
CVE-2021-26938 (** DISPUTED ** A stored XSS issue exists in henriquedornas 5.2.17 via ...)
@@ -16781,8 +16793,7 @@ CVE-2021-26710 (A cross-site scripting (XSS) issue in the login panel in Redwood
NOT-FOR-US: Redwood Report2Web
CVE-2021-26709 (** UNSUPPORTED WHEN ASSIGNED ** D-Link DSL-320B-D1 devices through EU_ ...)
NOT-FOR-US: D-Link
-CVE-2021-26707
- RESERVED
+CVE-2021-26707 (The merge-deep library before 3.0.3 for Node.js can be tricked into ov ...)
NOT-FOR-US: Node deep-merge
CVE-2020-36241 (autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNO ...)
- gnome-autoar 0.2.4-3 (bug #982737)
@@ -20439,16 +20450,14 @@ CVE-2021-25289 (An issue was discovered in Pillow before 8.1.1. TiffDecode has a
[stretch] - pillow <not-affected> (Vulnerable code not present)
NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
NOTE: https://github.com/python-pillow/Pillow/commit/cbfdde7b1f2295059a20a539ee9960f0bec7b299
-CVE-2021-25288
- RESERVED
+CVE-2021-25288 (An issue was discovered in Pillow before 8.2.0. There is an out-of-bou ...)
[experimental] - pillow 8.2.0-1
- pillow <unfixed> (bug #989062)
[buster] - pillow <no-dsa> (Minor issue)
[stretch] - pillow <no-dsa> (Minor issue)
NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode
NOTE: https://github.com/python-pillow/Pillow/commit/3bf5eddb89afdf690eceaa52bc4d3546ba9a5f87
-CVE-2021-25287
- RESERVED
+CVE-2021-25287 (An issue was discovered in Pillow before 8.2.0. There is an out-of-bou ...)
[experimental] - pillow 8.2.0-1
- pillow <unfixed> (bug #989062)
[buster] - pillow <no-dsa> (Minor issue)
@@ -23131,8 +23140,8 @@ CVE-2021-24014
RESERVED
CVE-2021-24013
RESERVED
-CVE-2021-24012
- RESERVED
+CVE-2021-24012 (An improper following of a certificate's chain of trust vulnerability ...)
+ TODO: check
CVE-2021-24011 (A privilege escalation vulnerability in FortiNAC version below 8.8.2 m ...)
NOT-FOR-US: Fortiguard
CVE-2021-24010
@@ -23568,12 +23577,12 @@ CVE-2021-3127 (NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have In
NOT-FOR-US: nats-server
CVE-2021-3126
RESERVED
-CVE-2021-23896
- RESERVED
-CVE-2021-23895
- RESERVED
-CVE-2021-23894
- RESERVED
+CVE-2021-23896 (Cleartext Transmission of Sensitive Information vulnerability in the a ...)
+ TODO: check
+CVE-2021-23895 (Deserialization of untrusted data vulnerability in McAfee Database Sec ...)
+ TODO: check
+CVE-2021-23894 (Deserialization of untrusted data vulnerability in McAfee Database Sec ...)
+ TODO: check
CVE-2021-23893
RESERVED
CVE-2021-23892 (By exploiting a time of check to time of use (TOCTOU) race condition d ...)
@@ -26585,7 +26594,7 @@ CVE-2021-22545
RESERVED
CVE-2021-22544
RESERVED
-CVE-2021-22543 (An issue was discovered in the Linux: KVM through Improper handling of ...)
+CVE-2021-22543 (An issue was discovered in Linux: KVM through Improper handling of VM_ ...)
- linux <unfixed>
NOTE: https://www.openwall.com/lists/oss-security/2021/05/26/3
NOTE: https://github.com/google/security-research/security/advisories/GHSA-7wq5-phmq-m584
@@ -32994,12 +33003,14 @@ CVE-2021-20315
CVE-2021-20314
RESERVED
CVE-2021-20313 (A flaw was found in ImageMagick in versions before 7.0.11. A potential ...)
+ {DLA-2672-1}
- imagemagick <unfixed>
[bullseye] - imagemagick <no-dsa> (Minor issue)
[buster] - imagemagick <ignored> (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/commit/70aa86f5d5d8aa605a918ed51f7574f433a18482
NOTE: IM6: https://github.com/ImageMagick/ImageMagick6/commit/e53e24b078f7fa586f9cc910491b8910f5bdad2e
CVE-2021-20312 (A flaw was found in ImageMagick in versions 7.0.11, where an integer o ...)
+ {DLA-2672-1}
- imagemagick <unfixed>
[bullseye] - imagemagick <ignored> (Minor issue)
[buster] - imagemagick <ignored> (Minor issue)
@@ -33013,6 +33024,7 @@ CVE-2021-20310 (A flaw was found in ImageMagick in versions before 7.0.11, where
NOTE: https://github.com/ImageMagick/ImageMagick/issues/3295
NOTE: https://github.com/ImageMagick/ImageMagick/commit/75f6f5032690077cae3eaeda3c0165cc765eaeb5
CVE-2021-20309 (A flaw was found in ImageMagick in versions before 7.0.11 and before 6 ...)
+ {DLA-2672-1}
- imagemagick <unfixed>
[bullseye] - imagemagick <ignored> (Minor issue)
[buster] - imagemagick <ignored> (Minor issue)
@@ -33303,6 +33315,7 @@ CVE-2021-20246 (A flaw was found in ImageMagick in MagickCore/resample.c. An att
NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/8d25d94a363b104acd6ff23df7470aeedb806c51
NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/f3190d4a6e6e8556575c84b5d976f77d111caa74
CVE-2021-20245 (A flaw was found in ImageMagick in coders/webp.c. An attacker who subm ...)
+ {DLA-2672-1}
- imagemagick <unfixed>
[bullseye] - imagemagick <ignored> (Minor issue)
[buster] - imagemagick <ignored> (Minor issue)
@@ -33318,6 +33331,7 @@ CVE-2021-20244 (A flaw was found in ImageMagick in MagickCore/visual-effects.c.
NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/329dd528ab79531d884c0ba131e97d43f872ab5d
NOTE: In IM6 the code seems to be in magick/fx.c
CVE-2021-20243 (A flaw was found in ImageMagick in MagickCore/resize.c. An attacker wh ...)
+ {DLA-2672-1}
- imagemagick <unfixed>
[bullseye] - imagemagick <ignored> (Minor issue)
[buster] - imagemagick <ignored> (Minor issue)
@@ -33992,8 +34006,7 @@ CVE-2020-35516
RESERVED
CVE-2020-35515
RESERVED
-CVE-2020-35514
- RESERVED
+CVE-2020-35514 (An insecure modification flaw in the /etc/kubernetes/kubeconfig file w ...)
NOT-FOR-US: OpenShift
CVE-2020-35513 (A flaw incorrect umask during file or directory modification in the Li ...)
- linux 4.16.5-1
@@ -34011,8 +34024,7 @@ CVE-2020-35512 (A use-after-free flaw was found in D-Bus Development branch <
NOTE: https://gitlab.freedesktop.org/dbus/dbus/-/commit/dc94fe3d31adf72259adc31f343537151a6c0bdd (dbus-1.10.32)
CVE-2020-35511
RESERVED
-CVE-2020-35510
- RESERVED
+CVE-2020-35510 (A flaw was found in jboss-remoting in versions before 5.0.20.SP1-redha ...)
- libjboss-remoting-java <removed>
CVE-2020-35509
RESERVED
@@ -34049,8 +34061,7 @@ CVE-2020-35504 (A NULL pointer dereference flaw was found in the SCSI emulation
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
NOTE: https://bugs.launchpad.net/qemu/+bug/1910723 (reproducer)
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-12/msg06065.html
-CVE-2020-35503 [QEMU: NULL pointer dereference issue in megasas-gen2 host bus adapter]
- RESERVED
+CVE-2020-35503 (A NULL pointer dereference flaw was found in the megasas-gen2 SCSI hos ...)
- qemu <unfixed> (bug #979678)
[bullseye] - qemu <postponed> (Minor issue)
[buster] - qemu <postponed> (Fix along in future DSA)
@@ -44389,6 +44400,7 @@ CVE-2020-27777 (A flaw was found in the way RTAS handled memory accesses in user
[stretch] - linux <ignored> (Only an issue when Secure Boot is implemented)
NOTE: https://git.kernel.org/linus/bd59380c5ba4147dcbaad3e582b55ccfd120b764
CVE-2020-27776 (A flaw was found in ImageMagick in MagickCore/statistic.c. An attacker ...)
+ {DLA-2602-1}
- imagemagick 8:6.9.11.24+dfsg-1
[buster] - imagemagick <ignored> (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1736
@@ -44564,6 +44576,7 @@ CVE-2020-27752 (A flaw was found in ImageMagick in MagickCore/quantum-private.h.
NOTE: impossible to determine whether there was a possible security vulnerability
NOTE: in the first place.
CVE-2020-27751 (A flaw was found in ImageMagick in MagickCore/quantum-export.c. An att ...)
+ {DLA-2672-1}
- imagemagick 8:6.9.11.24+dfsg-1
[buster] - imagemagick <ignored> (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1727
@@ -45188,8 +45201,7 @@ CVE-2020-27663 (In GLPI before 9.5.3, ajax/getDropdownValue.php has an Insecure
- glpi <removed>
CVE-2020-27662 (In GLPI before 9.5.3, ajax/comments.php has an Insecure Direct Object ...)
- glpi <removed>
-CVE-2020-27661 [divide by zero in dwc2_handle_packet() in hw/usb/hcd-dwc2.c]
- RESERVED
+CVE-2020-27661 (A divide-by-zero issue was found in dwc2_handle_packet in hw/usb/hcd-d ...)
- qemu 1:5.2+dfsg-1 (bug #972864)
[buster] - qemu <postponed> (Fix along in future DSA)
[stretch] - qemu <not-affected> (Vulnerable code introduced later)
@@ -50719,8 +50731,8 @@ CVE-2020-25364
RESERVED
CVE-2020-25363
RESERVED
-CVE-2020-25362
- RESERVED
+CVE-2020-25362 (The id paramater in Online Shopping Alphaware 1.0 has been discovered ...)
+ TODO: check
CVE-2020-25361
RESERVED
CVE-2020-25360
@@ -51880,8 +51892,7 @@ CVE-2020-24872
RESERVED
CVE-2020-24871
RESERVED
-CVE-2020-24870
- RESERVED
+CVE-2020-24870 (Libraw before 0.20.1 has a stack buffer overflow via LibRaw::identify_ ...)
- libraw 0.20.2-1
[buster] - libraw <not-affected> (Vulnerable code not present)
[stretch] - libraw <not-affected> (vulnerable code not present)
@@ -51901,8 +51912,8 @@ CVE-2020-24864
RESERVED
CVE-2020-24863 (A memory corruption vulnerability was found in the kernel function ker ...)
NOT-FOR-US: FreeBSD and MidnightBSD
-CVE-2020-24862
- RESERVED
+CVE-2020-24862 (The catID parameter in Pharmacy Medical Store and Sale Point v1.0 has ...)
+ TODO: check
CVE-2020-25016 (A safety violation was discovered in the rgb crate before 0.8.20 for R ...)
- rust-rgb <unfixed> (bug #969213)
[bullseye] - rust-rgb <no-dsa> (Minor issue)
@@ -57728,28 +57739,28 @@ CVE-2020-22058
RESERVED
CVE-2020-22057
RESERVED
-CVE-2020-22056
- RESERVED
+CVE-2020-22056 (A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory ...)
+ TODO: check
CVE-2020-22055
RESERVED
-CVE-2020-22054
- RESERVED
+CVE-2020-22054 (A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory ...)
+ TODO: check
CVE-2020-22053
RESERVED
CVE-2020-22052
RESERVED
-CVE-2020-22051
- RESERVED
+CVE-2020-22051 (A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory ...)
+ TODO: check
CVE-2020-22050
RESERVED
-CVE-2020-22049
- RESERVED
-CVE-2020-22048
- RESERVED
+CVE-2020-22049 (A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory ...)
+ TODO: check
+CVE-2020-22048 (A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory ...)
+ TODO: check
CVE-2020-22047
RESERVED
-CVE-2020-22046
- RESERVED
+CVE-2020-22046 (A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory ...)
+ TODO: check
CVE-2020-22045
RESERVED
CVE-2020-22044 (A Denial of Service vulnerability exists in FFmpeg 4.2 due to a memory ...)
@@ -74820,8 +74831,7 @@ CVE-2020-14390 (A flaw was found in the Linux kernel in versions before 5.9-rc6.
NOTE: https://www.openwall.com/lists/oss-security/2020/09/15/2
CVE-2020-14389 (It was found that Keycloak before version 12.0.0 would permit a user w ...)
NOT-FOR-US: Keycloak
-CVE-2020-14388
- RESERVED
+CVE-2020-14388 (A flaw was found in the Red Hat 3scale API Management Platform, where ...)
NOT-FOR-US: 3scale
CVE-2020-14387 (A flaw was found in rsync in versions since 3.2.0pre1. Rsync improperl ...)
- rsync 3.2.3-3 (bug #969530)
@@ -74865,8 +74875,7 @@ CVE-2020-14381 (A flaw was found in the Linux kernel’s futex implementatio
[buster] - linux 4.19.118-1
[stretch] - linux 4.9.228-1
NOTE: https://git.kernel.org/linus/8019ad13ef7f64be44d4f892af9c840179009254
-CVE-2020-14380
- RESERVED
+CVE-2020-14380 (An account takeover flaw was found in Red Hat Satellite 6.7.2 onward. ...)
NOT-FOR-US: Red Hat Satellite
CVE-2020-14379
RESERVED
@@ -74904,8 +74913,7 @@ CVE-2020-14372 (A flaw was found in grub2 in versions prior to 2.06, where it in
{DSA-4867-1}
- grub2 2.04-16
[stretch] - grub2 <ignored> (No SecureBoot support in stretch)
-CVE-2020-14371
- RESERVED
+CVE-2020-14371 (A credential leak vulnerability was found in Red Hat Satellite. This f ...)
NOT-FOR-US: Red Hat Satellite
CVE-2020-14370 (An information disclosure vulnerability was found in containers/podman ...)
- libpod 2.0.6+dfsg1-1
@@ -75055,8 +75063,7 @@ CVE-2020-14342 (It was found that cifs-utils' mount.cifs was invoking a shell wh
NOTE: https://git.samba.org/cifs-utils.git/?p=cifs-utils.git;a=commit;h=48a654e2e763fce24c22e1b9c695b42804bbdd4a
CVE-2020-14341 (The "Test Connection" available in v7.x of the Red Hat Single Sign On ...)
NOT-FOR-US: Red Hat Single Sign On application console
-CVE-2020-14340
- RESERVED
+CVE-2020-14340 (A vulnerability was discovered in XNIO where file descriptor leak caus ...)
- jboss-xnio 3.8.2-1
[buster] - jboss-xnio <no-dsa> (Minor issue)
[stretch] - jboss-xnio <not-affected> (vulnerable code is not present)
@@ -75074,11 +75081,9 @@ CVE-2020-14338 (A flaw was found in Wildfly's implementation of Xerces, specific
- wildfly <itp> (bug #752018)
CVE-2020-14337 (A data exposure flaw was found in Tower, where sensitive data was reve ...)
NOT-FOR-US: Ansible Tower
-CVE-2020-14336
- RESERVED
+CVE-2020-14336 (A flaw was found in the Restricted Security Context Constraints (SCC), ...)
NOT-FOR-US: OpenShift
-CVE-2020-14335
- RESERVED
+CVE-2020-14335 (A flaw was found in Red Hat Satellite, which allows a privileged attac ...)
NOT-FOR-US: Red Hat Satellite
CVE-2020-14334 (A flaw was found in Red Hat Satellite 6 which allows privileged attack ...)
- foreman <itp> (bug #663101)
@@ -75111,8 +75116,7 @@ CVE-2020-14328 (A flaw was found in Ansible Tower in versions before 3.7.2. A Se
NOT-FOR-US: Ansible Tower
CVE-2020-14327 (A Server-side request forgery (SSRF) flaw was found in Ansible Tower i ...)
NOT-FOR-US: Ansible Tower
-CVE-2020-14326
- RESERVED
+CVE-2020-14326 (A vulnerability was found in RESTEasy, where RootNode incorrectly cach ...)
- resteasy <undetermined>
- resteasy3.0 <undetermined>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1855826
@@ -75143,8 +75147,7 @@ CVE-2020-14318 (A flaw was found in the way samba handled file and directory per
[buster] - samba <no-dsa> (Minor issue)
NOTE: https://www.samba.org/samba/security/CVE-2020-14318.html
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14434
-CVE-2020-14317
- RESERVED
+CVE-2020-14317 (It was found that the issue for security flaw CVE-2019-3805 appeared a ...)
- wildfly <itp> (bug #752018)
CVE-2020-14316 (A flaw was found in kubevirt 0.29 and earlier. Virtual Machine Instanc ...)
NOT-FOR-US: KubeVirt
@@ -86027,8 +86030,7 @@ CVE-2020-10773 (A stack information leak flaw was found in s390/s390x in the Lin
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1846380
CVE-2020-10772 (An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Ha ...)
- unbound <not-affected> (Red Hat specific regression in backport)
-CVE-2020-10771
- RESERVED
+CVE-2020-10771 (A flaw was found in Infinispan version 10, where it is possible to per ...)
NOT-FOR-US: Infinispan
CVE-2020-10770 (A flaw was found in Keycloak before 13.0.0, where it is possible to fo ...)
NOT-FOR-US: Keycloak
@@ -86160,11 +86162,9 @@ CVE-2020-10744 (An incomplete fix was found for the fix of the flaw CVE-2020-173
NOTE: https://github.com/ansible/ansible/commit/77d0effcc5b2da1ef23e4ba32986a9759c27c10d
NOTE: https://github.com/ansible/ansible/commit/84afa8e90cd168ff13208c8eae3e533ce7e21e1f (v2.9.12)
NOTE: CVE is for an incomplete fix of CVE-2020-1733
-CVE-2020-10743
- RESERVED
+CVE-2020-10743 (It was discovered that OpenShift Container Platform's (OCP) distributi ...)
- kibana <itp> (bug #700337)
-CVE-2020-10742
- RESERVED
+CVE-2020-10742 (A flaw was found in the Linux kernel. An index buffer overflow during ...)
- linux 3.16.2-2
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1835127
CVE-2020-10741
@@ -95608,8 +95608,7 @@ CVE-2020-6952
RESERVED
CVE-2020-6951
RESERVED
-CVE-2020-6950
- RESERVED
+CVE-2020-6950 (Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers ...)
- mojarra <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/eclipse-ee4j/mojarra/commit/cefbb9447e7be560e59da2da6bd7cb93776f7741
CVE-2020-6949 (A privilege escalation issue was discovered in the postUser function i ...)
@@ -96407,8 +96406,8 @@ CVE-2020-6643 (An improper neutralization of input vulnerability in the URL Desc
NOT-FOR-US: Fortinet
CVE-2020-6642
RESERVED
-CVE-2020-6641
- RESERVED
+CVE-2020-6641 (Two authorization bypass through user-controlled key vulnerabilities i ...)
+ TODO: check
CVE-2020-6640 (An improper neutralization of input vulnerability in the Admin Profile ...)
NOT-FOR-US: Fortiguard
CVE-2020-6639
@@ -126968,7 +126967,7 @@ CVE-2019-14838 (A flaw was found in wildfly-core before 7.2.5.GA. The Management
- wildfly <itp> (bug #752018)
CVE-2019-14837 (A flaw was found in keycloack before version 8.0.0. The owner of 'plac ...)
NOT-FOR-US: Keycloak
-CVE-2019-14836 (3scale dev portal login form does not verify CSRF token, and so does n ...)
+CVE-2019-14836 (A vulnerability was found that the 3scale dev portal does not employ m ...)
NOT-FOR-US: 3scale
CVE-2019-14835 (A buffer overflow flaw was found, in versions from 2.6.34 to 5.2.x, in ...)
{DSA-4531-1 DLA-1940-1 DLA-1930-1}
@@ -136327,8 +136326,7 @@ CVE-2019-12068 (In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.
- qemu-kvm <removed>
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-08/msg01518.html
NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=de594e47659029316bbf9391efb79da0a1a08e08
-CVE-2019-12067 [ide: ahci: add check to avoid null dereference]
- RESERVED
+CVE-2019-12067 (The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to ...)
- qemu <unfixed> (low; bug #972099)
[bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[buster] - qemu <postponed> (Minor issue, revisit when fixed upstream)
@@ -195874,8 +195872,7 @@ CVE-2018-10196 (NULL pointer dereference vulnerability in the rebuild_vlists fun
[wheezy] - graphviz <no-dsa> (Minor issue)
NOTE: https://gitlab.com/graphviz/graphviz/issues/1367
NOTE: https://issuetracker.google.com/issues/77810342
-CVE-2018-10195 [rzsz: sz can leak data to receiving side]
- RESERVED
+CVE-2018-10195 (lrzsz before version 0.12.21~rc can leak information to the receiving ...)
- lrzsz 0.12.21-10 (low; bug #897010)
[stretch] - lrzsz <no-dsa> (Minor issue)
[jessie] - lrzsz <no-dsa> (Minor issue)
@@ -250970,8 +250967,7 @@ CVE-2017-8763 (Cross-site scripting (XSS) vulnerability in modules/Base/Box/chec
NOT-FOR-US: EPESI
CVE-2017-8762 (GeniXCMS 1.0.2 has XSS triggered by an authenticated user who submits ...)
NOT-FOR-US: GenixCMS
-CVE-2017-8761 [Swift tempurl middleware reveals signatures in the logfiles]
- RESERVED
+CVE-2017-8761 (In OpenStack Swift through 2.10.1, 2.11.0 through 2.13.0, and 2.14.0, ...)
- swift 2.17.0-2
[stretch] - swift <no-dsa> (Minor issue)
[jessie] - swift <end-of-life> (Not supported in Jessie LTS)
@@ -327525,8 +327521,7 @@ CVE-2015-1881 (OpenStack Image Registry and Delivery Service (Glance) 2014.2 thr
- glance <not-affected> (Only affects 2014.2.x releases, only present in experimental)
[wheezy] - glance <not-affected> (Vulnerable code not present)
NOTE: https://review.openstack.org/#/c/156553
-CVE-2015-1877 [command injection vulnerability]
- RESERVED
+CVE-2015-1877 (The open_generic_xdg_mime function in xdg-open in xdg-utils 1.1.0 rc1 ...)
{DSA-3165-1 DLA-217-1}
- xdg-utils 1.1.0~rc1+git20111210-7.4 (bug #777722)
CVE-2015-1568 (Cross-site request forgery (CSRF) vulnerability in the GD Infinite Scr ...)
@@ -398202,8 +398197,7 @@ CVE-2011-3657 (Multiple cross-site scripting (XSS) vulnerabilities in Bugzilla 2
- bugzilla <removed> (low)
[squeeze] - bugzilla <end-of-life> (Not supported in Squeeze LTS)
[lenny] - bugzilla <no-dsa> (Minor issue)
-CVE-2011-3656
- RESERVED
+CVE-2011-3656 (Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6 ...)
- iceweasel 4.0-1
[squeeze] - iceweasel <end-of-life> (Iceweasel not supported in Squeeze LTS)
CVE-2011-3655 (Mozilla Firefox 4.x through 7.0 and Thunderbird 5.0 through 7.0 perfor ...)
@@ -434023,11 +434017,9 @@ CVE-2009-0950 (Stack-based buffer overflow in Apple iTunes before 8.2 allows rem
CVE-2009-0949 (The ippReadIO function in cups/ipp.c in cupsd in CUPS before 1.3.10 do ...)
{DSA-1811-1}
- cups 1.3.10-1
-CVE-2009-0948
- RESERVED
+CVE-2009-0948 (Multiple buffer overflows in the (1) cdf_read_sat, (2) cdf_read_long_s ...)
- file 5.02-1
-CVE-2009-0947
- RESERVED
+CVE-2009-0947 (Multiple integer overflows in the (1) cdf_read_property_info and (2) c ...)
- file 5.02-1
CVE-2009-0946 (Multiple integer overflows in FreeType 2.3.9 and earlier allow remote ...)
{DSA-1784-1}
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb29a3ea5ede49566360e6a7d7ed3fa94344f6d6
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb29a3ea5ede49566360e6a7d7ed3fa94344f6d6
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210602/aaa48138/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list