[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso carnil at debian.org
Fri Mar 19 08:10:25 GMT 2021



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
63f2b78d by security tracker role at 2021-03-19T08:10:17+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,11 @@
+CVE-2021-28834 (Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge: ...)
+	TODO: check
+CVE-2021-28833
+	RESERVED
+CVE-2021-28832
+	RESERVED
+CVE-2021-28831 (decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit ...)
+	TODO: check
 CVE-2021-XXXX [Local privilege escalation via guix-daemon and --keep-failed]
 	- guix <unfixed> (bug #985467; unimportant)
 	NOTE: https://issues.guix.gnu.org/47229
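Review bot: the two new TODO: check entries (CVE-2021-28834 for Kramdown, CVE-2021-28831 for BusyBox) describe free-software projects rather than the vendor products that make up most of this update, so they are the ones that most need a source-package decision; the BusyBox text says "through 1.32.1", so no fixed upstream release is stated and the fix commit has to be identified before a fixed Debian version can be entered.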
@@ -365,8 +373,8 @@ CVE-2021-28655
 	RESERVED
 CVE-2021-28654
 	RESERVED
-CVE-2021-28653
-	RESERVED
+CVE-2021-28653 (The iOS and macOS apps before 1.4.1 for the Western Digital G-Technolo ...)
+	TODO: check
 CVE-2021-28652
 	RESERVED
 CVE-2021-28651
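Review bot: CVE-2021-28653 describes iOS and macOS apps for a Western Digital product, so the TODO: check left here should resolve to a NOT-FOR-US annotation rather than a package mapping; the placeholder is right for an automatic update but should not be left standing.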
@@ -1420,8 +1428,8 @@ CVE-2021-28162 (In Eclipse Theia versions up to and including 0.16.0, in the not
 	NOT-FOR-US: Eclipse Theia
 CVE-2021-28161 (In Eclipse Theia versions up to and including 1.8.0, in the debug cons ...)
 	NOT-FOR-US: Eclipse Theia
-CVE-2021-28160
-	RESERVED
+CVE-2021-28160 (Reflected XSS on Acexy (BoyaMicro) Wireless-N WiFi Repeater 28.08.06.1 ...)
+	TODO: check
 CVE-2021-28159
 	RESERVED
 CVE-2021-28158
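Review bot: CVE-2021-28160 is a reflected XSS in the web interface of a consumer WiFi repeater (Acexy/BoyaMicro firmware); with no Debian source package in play, the TODO: check can be closed as NOT-FOR-US, following the convention of the surrounding Eclipse Theia entries.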
@@ -1539,8 +1547,8 @@ CVE-2021-28128
 	RESERVED
 CVE-2021-28127
 	RESERVED
-CVE-2021-28126
-	RESERVED
+CVE-2021-28126 (index.jsp in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1 ...)
+	TODO: check
 CVE-2021-28125
 	RESERVED
 CVE-2021-28124
@@ -1580,10 +1588,10 @@ CVE-2021-28112
 	RESERVED
 CVE-2021-28111
 	RESERVED
-CVE-2021-28110
-	RESERVED
-CVE-2021-28109
-	RESERVED
+CVE-2021-28110 (/exec in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1.27. ...)
+	TODO: check
+CVE-2021-28109 (TranzWare (POI) FIMI before 4.2.20.4.2 allows login_tw.php reflected C ...)
+	TODO: check
 CVE-2021-28374 (The Debian courier-authlib package before 0.71.1-2 for Courier Authent ...)
 	- courier-authlib 0.71.1-2 (bug #984810)
 	NOTE: Re-introduction of #378571 while migrating from debian/permissions to
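Review bot: CVE-2021-28110 and CVE-2021-28109 join CVE-2021-28126 earlier in this diff as TranzWare payment-gateway issues; all three TODO: check placeholders concern the same proprietary product line and can be resolved together with one NOT-FOR-US decision.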
@@ -1682,15 +1690,13 @@ CVE-2021-3424
 	NOT-FOR-US: Keycloak
 CVE-2021-28091
 	RESERVED
-CVE-2021-28090
-	RESERVED
+CVE-2021-28090 (Tor before 0.4.5.7 allows a remote attacker to cause Tor directory aut ...)
 	{DSA-4871-1}
 	- tor 0.4.5.7-1
 	[stretch] - tor <end-of-life> (See DSA 4644)
 	NOTE: https://blog.torproject.org/node/2009
 	NOTE: https://bugs.torproject.org/tpo/core/tor/40316
-CVE-2021-28089
-	RESERVED
+CVE-2021-28089 (Tor before 0.4.5.7 allows a remote participant in the Tor directory pr ...)
 	{DSA-4871-1}
 	- tor 0.4.5.7-1
 	[stretch] - tor <end-of-life> (See DSA 4644)
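Review bot: for CVE-2021-28090 and CVE-2021-28089 the automatic update only swaps the RESERVED line for the upstream description and keeps the existing triage ({DSA-4871-1}, tor 0.4.5.7-1, stretch end-of-life); the description's "Tor before 0.4.5.7" agrees with the recorded fixed version 0.4.5.7-1, so no follow-up is needed here.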
@@ -2054,8 +2060,8 @@ CVE-2021-27930
 	RESERVED
 CVE-2021-27929
 	RESERVED
-CVE-2021-27928
-	RESERVED
+CVE-2021-27928 (A remote code execution issue was discovered in MariaDB 10.2 before 10 ...)
+	TODO: check
 CVE-2021-27927 (In Zabbix before 4.0.28rc1, 5.x before 5.0.8rc1, 5.1.x and 5.2.x befor ...)
 	- zabbix 1:5.0.8+dfsg-1
 	[stretch] - zabbix <no-dsa> (minor issue)
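Review bot: CVE-2021-27928 is described as remote code execution in MariaDB 10.2 and later series, so this TODO: check should be triaged ahead of the web-product placeholders in this update; the description is cut right at the version range ("before 10 ..."), so the full advisory has to be read to record which upstream releases carry the fix.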
@@ -2491,8 +2497,7 @@ CVE-2021-27803 (A vulnerability was discovered in how p2p/p2p_pd.c in wpa_suppli
 	NOTE: https://w1.fi/security/2021-1/0001-P2P-Fix-a-corner-case-in-peer-addition-based-on-PD-R.patch
 CVE-2021-3417 (An internal product security audit of LXCO, prior to version 1.2.2, di ...)
 	NOT-FOR-US: Lenovo
-CVE-2021-3416 [net: infinite loop in loopback mode may lead to stack overflow]
-	RESERVED
+CVE-2021-3416 (A potential stack overflow via infinite loop issue was found in variou ...)
 	- qemu 1:5.2+dfsg-9 (bug #984448)
 	[buster] - qemu <postponed> (Minor issue)
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07431.html
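Review bot: CVE-2021-3416 loses the locally written bracket summary ("net: infinite loop in loopback mode may lead to stack overflow") in favour of the upstream text, which is the intended behaviour of the automatic update; the qemu 1:5.2+dfsg-9 fix, bug #984448 and the buster <postponed> tag are carried over unchanged, and the 8-to-7 line count in the hunk header reflects only the dropped RESERVED line.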
@@ -3130,8 +3135,8 @@ CVE-2021-27438
 	RESERVED
 CVE-2021-27437
 	RESERVED
-CVE-2021-27436
-	RESERVED
+CVE-2021-27436 (WebAccess/SCADA Versions 9.0 and prior is vulnerable to cross-site scr ...)
+	TODO: check
 CVE-2021-27435
 	RESERVED
 CVE-2021-27434
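Review bot: the truncated description for CVE-2021-27436 ("WebAccess/SCADA Versions 9.0 and prior is vulnerable to cross-site scr ...") is the same text this diff removes from CVE-2020-16230 further down, so when resolving the TODO: check confirm that the Advantech WebAccess product is meant and use the existing NOT-FOR-US: Advantech WebAccess convention seen on CVE-2020-16229.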
@@ -3331,8 +3336,8 @@ CVE-2021-27360
 	RESERVED
 CVE-2021-27359
 	RESERVED
-CVE-2021-27358
-	RESERVED
+CVE-2021-27358 (The snapshot feature in Grafana before 7.4.1 can allow an unauthentica ...)
+	TODO: check
 CVE-2021-27357
 	RESERVED
 CVE-2021-27356
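Review bot: CVE-2021-27358 concerns Grafana's snapshot feature being reachable by an unauthenticated user (fixed upstream in 7.4.1 per the description); this TODO: check needs a decision on whether a Debian source package is affected, and since the summary is cut before the impact, the full text should be read rather than judged from the truncated line.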
@@ -3617,8 +3622,8 @@ CVE-2021-27223
 	RESERVED
 CVE-2021-27222 (In the "Time in Status" app before 4.13.0 for Jira, remote authenticat ...)
 	NOT-FOR-US: "Time in Status" app
-CVE-2021-27221
-	RESERVED
+CVE-2021-27221 (** DISPUTED ** MikroTik RouterOS 6.47.9 allows remote authenticated ft ...)
+	TODO: check
 CVE-2021-27220
 	RESERVED
 CVE-2021-27217 (An issue was discovered in the _send_secure_msg() function of Yubico y ...)
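Review bot: CVE-2021-27221's description is marked ** DISPUTED **; when the TODO: check is resolved, the disputed status should be reflected in the entry, as is done for the ** DISPUTED ** GoDaddy node-config-shield entry (CVE-2021-26276) elsewhere in this file, which is carried as NOT-FOR-US.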
@@ -5855,8 +5860,8 @@ CVE-2021-3329
 	RESERVED
 CVE-2021-3328
 	RESERVED
-CVE-2021-3327
-	RESERVED
+CVE-2021-3327 (Ovation Dynamic Content 1.10.1 for Elementor allows XSS via the post_t ...)
+	TODO: check
 CVE-2021-26294 (An issue was discovered in AfterLogic Aurora through 7.7.9 and WebMail ...)
 	NOT-FOR-US: AfterLogic Aurora
 CVE-2021-26293 (An issue was discovered in AfterLogic Aurora through 8.5.3 and WebMail ...)
@@ -5895,8 +5900,8 @@ CVE-2021-26277
 	RESERVED
 CVE-2021-26276 (** DISPUTED ** scripts/cli.js in the GoDaddy node-config-shield (aka C ...)
 	NOT-FOR-US: GoDaddy node-config-shield
-CVE-2021-26275
-	RESERVED
+CVE-2021-26275 (** UNSUPPORTED WHEN ASSIGNED ** The eslint-fixer package through 0.1.5 ...)
+	TODO: check
 CVE-2020-36240 (The ResourceDownloadRewriteRule class in Crowd before version 4.0.4, a ...)
 	NOT-FOR-US: Atlassian
 CVE-2020-36239
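Review bot: CVE-2021-26275 is flagged ** UNSUPPORTED WHEN ASSIGNED **, meaning the eslint-fixer package was already unmaintained when the id was assigned; the TODO: check should record that status rather than a fixed version, in the same way the neighbouring ** DISPUTED ** entry is annotated.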
@@ -7324,8 +7329,8 @@ CVE-2021-25766 (In JetBrains YouTrack before 2020.4.4701, improper resource acce
 	NOT-FOR-US: JetBrains TeamCity
 CVE-2021-25765 (In JetBrains YouTrack before 2020.4.4701, CSRF via attachment upload w ...)
 	NOT-FOR-US: JetBrains TeamCity
-CVE-2021-25764
-	RESERVED
+CVE-2021-25764 (In JetBrains PhpStorm before 2020.3, source code could be added to deb ...)
+	TODO: check
 CVE-2021-25763 (In JetBrains Ktor before 1.4.2, weak cipher suites were enabled by def ...)
 	NOT-FOR-US: JetBrains Ktor
 CVE-2021-25762 (In JetBrains Ktor before 1.4.3, HTTP Request Smuggling was possible. ...)
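Review bot: the unchanged context lines show CVE-2021-25766 and CVE-2021-25765 described as YouTrack issues but annotated NOT-FOR-US: JetBrains TeamCity; while resolving the PhpStorm TODO: check for CVE-2021-25764 it would be worth correcting those two product names in a follow-up commit.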
@@ -8405,37 +8410,32 @@ CVE-2021-25295 (OpenCATS through 0.9.5-3 has multiple Cross-site Scripting (XSS)
 	NOT-FOR-US: OpenCATS
 CVE-2021-25294 (OpenCATS through 0.9.5-3 unsafely deserializes index.php?m=activity re ...)
 	NOT-FOR-US: OpenCATS
-CVE-2021-25293
-	RESERVED
+CVE-2021-25293 (An issue was discovered in Pillow before 8.1.1. There is an out-of-bou ...)
 	- pillow 8.1.1-1
 	[buster] - pillow <no-dsa> (Minor issue)
 	NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
 	NOTE: https://github.com/python-pillow/Pillow/commit/f891baa604636cd2506a9360d170bc2cf4963cc5
 	NOTE: Introduced in https://github.com/python-pillow/Pillow/commit/a90dc4910045f5c6c119b582d4fd2e4841cd51f8 (v4.3.0)
-CVE-2021-25292
-	RESERVED
+CVE-2021-25292 (An issue was discovered in Pillow before 8.1.1. The PDF parser allows  ...)
 	- pillow 8.1.1-1
 	[buster] - pillow <no-dsa> (Minor issue)
 	[stretch] - pillow <not-affected> (Vulnerable code introduced later)
 	NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
 	NOTE: https://github.com/python-pillow/Pillow/commit/521dab94c7ab72b037bd9a83e9663401e0fd2cee
 	NOTE: Introduced in: https://github.com/python-pillow/Pillow/commit/6207b44ab1ff4a91d8ddc7579619876d0bb191a4 (5.1.0)
-CVE-2021-25291
-	RESERVED
+CVE-2021-25291 (An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there ...)
 	- pillow 8.1.1-1
 	[buster] - pillow <no-dsa> (Minor issue)
 	[stretch] - pillow <not-affected> (Vulnerable code introduced later)
 	NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
 	NOTE: https://github.com/python-pillow/Pillow/commit/8b8076bdcb3815be0ef0d279651d8d1342b8ea61
 	NOTE: Introduced in: https://github.com/python-pillow/Pillow/commit/e91b851fdc1c914419543f485bdbaa010790719f (6.0.0)
-CVE-2021-25290
-	RESERVED
+CVE-2021-25290 (An issue was discovered in Pillow before 8.1.1. In TiffDecode.c, there ...)
 	- pillow 8.1.1-1
 	[buster] - pillow <no-dsa> (Minor issue)
 	NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
 	NOTE: https://github.com/python-pillow/Pillow/commit/e25be1e33dc526bfd1094bc778a54d8e29bf66c9
-CVE-2021-25289
-	RESERVED
+CVE-2021-25289 (An issue was discovered in Pillow before 8.1.1. TiffDecode has a heap- ...)
 	- pillow 8.1.1-1
 	[buster] - pillow <not-affected> (Vulnerable code not present)
 	[stretch] - pillow <not-affected> (Vulnerable code not present)
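Review bot: all five Pillow entries keep their existing triage (pillow 8.1.1-1, buster <no-dsa>/<not-affected>, upstream commit NOTEs) and the "before 8.1.1" description matches the fixed version, but CVE-2021-25293 and CVE-2021-25290 have no [stretch] line while their siblings do; if stretch is affected that is fine as pending, otherwise a <not-affected> line is missing. Also, the truncated descriptions of CVE-2021-25291 and CVE-2021-25290 are identical ("In TiffDecode.c, there ..."), so the NOTE commit links are what tell them apart.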
@@ -16578,8 +16578,8 @@ CVE-2020-36146
 	RESERVED
 CVE-2020-36145
 	RESERVED
-CVE-2020-36144
-	RESERVED
+CVE-2020-36144 (Redash 8.0.0 is affected by LDAP Injection. There is an authentication ...)
+	TODO: check
 CVE-2020-36143
 	RESERVED
 CVE-2020-36142
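Review bot: CVE-2020-36144 is LDAP injection in Redash 8.0.0's authentication path; the TODO: check needs a source-package decision, and because the description names only one affected version, no fixed version can be derived from it without the upstream advisory.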
@@ -18010,8 +18010,8 @@ CVE-2021-21386
 	RESERVED
 CVE-2021-21385
 	RESERVED
-CVE-2021-21384
-	RESERVED
+CVE-2021-21384 (shescape is a simple shell escape package for JavaScript. In shescape  ...)
+	TODO: check
 CVE-2021-21383 (Wiki.js an open-source wiki app built on Node.js. Wiki.js before versi ...)
 	TODO: check
 CVE-2021-21382
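Review bot: CVE-2021-21384 for the shescape npm package now sits next to the Wiki.js entry CVE-2021-21383, which is also still TODO: check; both are Node.js ecosystem issues and can be triaged together. The description opens with a product blurb ("shescape is a simple shell escape package for JavaScript"), so the truncated line does not show the actual flaw.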
@@ -21592,8 +21592,7 @@ CVE-2020-35493 (A flaw exists in binutils in bfd/pef.c. An attacker who is able
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25307
 	NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f2a3559d54602cecfec6d90f792be4a70ad918ab
 	NOTE: NOTE: binutils not covered by security support
-CVE-2020-35492 [cairo: buffer overflow in image compositor]
-	RESERVED
+CVE-2020-35492 (A flaw was found in cairo's image-compositor.c in all versions prior t ...)
 	{DLA-2518-1}
 	- cairo 1.16.0-5 (bug #978658)
 	[buster] - cairo 1.16.0-4+deb10u1
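Review bot: CVE-2020-35492 swaps the local summary "[cairo: buffer overflow in image compositor]" for the upstream text naming image-compositor.c; the {DLA-2518-1} reference, the cairo 1.16.0-5 fix with bug #978658 and the buster 1.16.0-4+deb10u1 line are preserved, so the entry remains fully triaged.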
@@ -27424,8 +27423,8 @@ CVE-2021-1289 (Multiple vulnerabilities in the web-based management interface of
 	NOT-FOR-US: Cisco
 CVE-2021-1288 (Multiple vulnerabilities in the ingress packet processing function of  ...)
 	NOT-FOR-US: Cisco
-CVE-2021-1287
-	RESERVED
+CVE-2021-1287 (A vulnerability in the web-based management interface of Cisco RV132W  ...)
+	TODO: check
 CVE-2021-1286 (Multiple vulnerabilities in the web-based management interface of Cisc ...)
 	NOT-FOR-US: Cisco
 CVE-2021-1285
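Review bot: CVE-2021-1287 (Cisco RV132W web-based management interface) sits among entries already resolved as NOT-FOR-US: Cisco; the TODO: check can be closed the same way.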
@@ -34256,8 +34255,8 @@ CVE-2020-26888
 	RESERVED
 CVE-2020-26887 (FRITZ!OS before 7.21 on FRITZ!Box devices allows a bypass of a DNS Reb ...)
 	NOT-FOR-US: Fritz OS
-CVE-2020-26886
-	RESERVED
+CVE-2020-26886 (Softaculous before 5.5.7 is affected by a code execution vulnerability ...)
+	TODO: check
 CVE-2020-26885
 	RESERVED
 CVE-2020-26884 (RSA Archer 6.8 through 6.8.0.3 and 6.9 contains a URL injection vulner ...)
@@ -34446,8 +34445,8 @@ CVE-2020-26799
 	RESERVED
 CVE-2020-26798
 	RESERVED
-CVE-2020-26797
-	RESERVED
+CVE-2020-26797 (Mediainfo before version 20.08 has a heap buffer overflow vulnerabilit ...)
+	TODO: check
 CVE-2020-26796
 	RESERVED
 CVE-2020-26795
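Review bot: CVE-2020-26797 is a heap buffer overflow in Mediainfo before 20.08, a media-metadata parser; unlike most TODO: check items in this update it is a library issue, so triage should map it to the Debian packaging of Mediainfo and compare the 20.08 fix version with what is shipped.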
@@ -38539,8 +38538,7 @@ CVE-2020-25099
 	RESERVED
 CVE-2020-25098
 	RESERVED
-CVE-2020-25097
-	RESERVED
+CVE-2020-25097 (An issue was discovered in Squid through 4.13 and 5.x through 5.0.4. D ...)
 	{DLA-2598-1}
 	- squid <unfixed> (bug #985068)
 	- squid3 <removed>
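Review bot: CVE-2020-25097 already carries {DLA-2598-1} and bug #985068 but squid is still recorded <unfixed> in unstable, so this entry needs a fixed version once the upload lands; the description "Squid through 4.13 and 5.x through 5.0.4" should be checked against the version being uploaded so the right upstream fix is recorded.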
@@ -56752,7 +56750,7 @@ CVE-2020-16232
 	RESERVED
 CVE-2020-16231
 	RESERVED
-CVE-2020-16230 (WebAccess/SCADA Versions 9.0 and prior are vulnerable to cross-site sc ...)
+CVE-2020-16230 (All version of Ewon Flexy and Cosy prior to 14.1 use wildcards such as ...)
 	NOT-FOR-US: HMS Networks
 CVE-2020-16229 (Advantech WebAccess HMI Designer, Versions 2.1.9.31 and prior. Process ...)
 	NOT-FOR-US: Advantech WebAccess
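Review bot: the description of CVE-2020-16230 changes from Advantech WebAccess/SCADA text to Ewon Flexy and Cosy (HMS Networks), which now agrees with the existing NOT-FOR-US: HMS Networks line below it; the old WebAccess text reappears under CVE-2021-27436 in this same diff, so the previous mismatch was a description mix-up, not a triage error.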
@@ -76536,8 +76534,8 @@ CVE-2020-9369 (Sympa 6.2.38 through 6.2.52 allows remote attackers to cause a de
 	NOTE: Upstream patch: https://github.com/sympa-community/sympa/releases/download/6.2.54/sympa-6.2.52-sa-2020-001.patch
 CVE-2020-9368 (The Module Olea Gift On Order module through 5.0.8 for PrestaShop enab ...)
 	NOT-FOR-US: Module Olea Gift On Order module for PrestaShop
-CVE-2020-9367
-	RESERVED
+CVE-2020-9367 (The MPS Agent in Zoho ManageEngine Desktop Central MSP build MSP build ...)
+	TODO: check
 CVE-2020-9365 (An issue was discovered in Pure-FTPd 1.0.49. An out-of-bounds (OOB) re ...)
 	- pure-ftpd 1.0.49-3 (bug #952471)
 	[buster] - pure-ftpd <no-dsa> (Minor issue)
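Review bot: CVE-2020-9367 (Zoho ManageEngine Desktop Central MSP agent) concerns a proprietary product and the TODO: check should be resolved as NOT-FOR-US; the doubled "MSP build MSP build" comes from the upstream description pulled in by the automatic update and is not something to edit in the tracker.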
@@ -83546,10 +83544,10 @@ CVE-2020-6580
 	RESERVED
 CVE-2020-6579 (Cross-site scripting (XSS) vulnerability in mailhive/cloudbeez/cloudlo ...)
 	NOT-FOR-US: MailBeez plugin for ZenCart
-CVE-2020-6578
-	RESERVED
-CVE-2020-6577
-	RESERVED
+CVE-2020-6578 (Zen Cart 1.5.6d allows reflected XSS via the main_page parameter to in ...)
+	TODO: check
+CVE-2020-6577 (The IT-Recht Kanzlei plugin in Zen Cart 1.5.6c (German edition) allows ...)
+	TODO: check
 CVE-2020-6576 (Use after free in offscreen canvas in Google Chrome prior to 85.0.4183 ...)
 	{DSA-4824-1}
 	- chromium 87.0.4280.88-0.1
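Review bot: CVE-2020-6578 and CVE-2020-6577 are Zen Cart issues and sit beside CVE-2020-6579, which is resolved NOT-FOR-US: MailBeez plugin for ZenCart; unless Zen Cart turns out to be packaged, both TODO: check placeholders can be resolved the same way.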
@@ -113535,7 +113533,7 @@ CVE-2019-14910 (A vulnerability was found in keycloak 7.x, when keycloak is conf
 CVE-2019-14909 (A vulnerability was found in Keycloak 7.x where the user federation LD ...)
 	NOT-FOR-US: Keycloak
 CVE-2019-14908
-	RESERVED
+	REJECTED
 CVE-2019-14907 (All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11 ...)
 	- samba 2:4.11.5+dfsg-1
 	[buster] - samba <no-dsa> (Minor issue)
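Review bot: CVE-2019-14908 moves from RESERVED to REJECTED; rejected ids need no triage and no NOT-FOR-US annotation, so this is correct as-is, and the same applies to CVE-2019-14903 and CVE-2019-14848 later in this diff.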
@@ -113561,7 +113559,7 @@ CVE-2019-14904 (A flaw was found in the solaris_zone module from the Ansible Com
 	NOTE: https://github.com/ansible/ansible/pull/65686
 	NOTE: https://github.com/ansible/ansible/blob/stable-2.0/CHANGELOG.md
 CVE-2019-14903
-	RESERVED
+	REJECTED
 CVE-2019-14902 (There is an issue in all samba 4.11.x versions before 4.11.5, all samb ...)
 	- samba 2:4.11.5+dfsg-1
 	[buster] - samba <no-dsa> (Minor issue)
@@ -113846,10 +113844,9 @@ CVE-2019-14853 (An error-handling flaw was found in python-ecdsa before version
 	NOTE: https://github.com/warner/python-ecdsa/pull/115
 	NOTE: https://github.com/warner/python-ecdsa/pull/124
 	NOTE: Fix for CVE-2019-14853 fixes as well CVE-2019-14859.
-CVE-2019-14852
-	RESERVED
-CVE-2019-14851 [assertion failure by issuing commands in the wrong order]
-	RESERVED
+CVE-2019-14852 (A flaw was found in 3scale’s APIcast gateway that enabled the TL ...)
+	TODO: check
+CVE-2019-14851 (A denial of service vulnerability was discovered in nbdkit. A client i ...)
 	- nbdkit 1.14.2-1
 	[buster] - nbdkit <not-affected> (Issue introduced by the fix for CVE-2019-14850)
 	[stretch] - nbdkit <not-affected> (Issue introduced by the fix for CVE-2019-14850)
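Review bot: CVE-2019-14852 is a 3scale APIcast issue; the context lines show CVE-2019-14849 ("3scale before version 2.6") resolved as NOT-FOR-US: Red Hat 3scale, so the TODO: check should be resolved the same way. CVE-2019-14851 keeps its nbdkit 1.14.2-1 fix and the buster/stretch <not-affected> reasoning, and the curly apostrophe in "3scale’s" is upstream text rather than an encoding fault.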
@@ -113861,8 +113858,7 @@ CVE-2019-14851 [assertion failure by issuing commands in the wrong order]
 	NOTE: https://github.com/libguestfs/nbdkit/commit/bf0d61883a2f02f4388ec10dc92d4c61c093679e
 	NOTE: 1.12:
 	NOTE: https://github.com/libguestfs/nbdkit/commit/b2bc6683ea3cd1f6be694e8a681dfa411b7d15f3
-CVE-2019-14850 [denial of service due to premature opening of back-end connection]
-	RESERVED
+CVE-2019-14850 (A denial of service vulnerability was discovered in nbdkit 1.12.7, 1.1 ...)
 	- nbdkit 1.14.1-1
 	[buster] - nbdkit <no-dsa> (Minor issue)
 	[stretch] - nbdkit <no-dsa> (Minor issue)
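Review bot: CVE-2019-14850 replaces the local summary with the upstream one; nbdkit 1.14.1-1 and the buster/stretch <no-dsa> lines are unchanged. Since CVE-2019-14851's <not-affected> reasoning cites the fix for this id as the cause, the two entries should be read together whenever either is revisited.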
@@ -113880,7 +113876,7 @@ CVE-2019-14850 [denial of service due to premature opening of back-end connectio
 CVE-2019-14849 (A vulnerability was found in 3scale before version 2.6, did not set th ...)
 	NOT-FOR-US: Red Hat 3scale
 CVE-2019-14848
-	RESERVED
+	REJECTED
 CVE-2019-14847 (A flaw was found in samba 4.0.0 before samba 4.9.15 and samba 4.10.x b ...)
 	- samba 2:4.11.0+dfsg-6
 	[buster] - samba <no-dsa> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63f2b78d13d5650bff134a36fc642dd75bd7228d


