[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Fri Oct 1 09:10:30 BST 2021
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
4abf0cb0 by security tracker role at 2021-10-01T08:10:20+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,5 @@
+CVE-2021-3845
+ RESERVED
CVE-2021-41832
RESERVED
CVE-2021-41831
@@ -1093,8 +1095,8 @@ CVE-2021-41326 (In MISP before 2.4.148, app/Lib/Export/OpendataExport.php mishan
NOT-FOR-US: MISP
CVE-2021-41325 (Broken access control for user creation in Pydio Cells 2.2.9 allows re ...)
NOT-FOR-US: Pydio Cells
-CVE-2021-41324
- RESERVED
+CVE-2021-41324 (Directory traversal in the Copy, Move, and Delete features in Pydio Ce ...)
+ TODO: check
CVE-2021-41323 (Directory traversal in the Compress feature in Pydio Cells 2.2.9 allow ...)
NOT-FOR-US: Pydio Cells
CVE-2021-41322
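Review bot: the TODO: check on CVE-2021-41324 can almost certainly be closed the same way as its neighbours: CVE-2021-41323 and CVE-2021-41325 describe the same Pydio Cells 2.2.9 release and are both marked NOT-FOR-US: Pydio Cells, and the truncated description ("Directory traversal in the Copy, Move, and Delete features in Pydio Ce ...") names the same product. Replacing `TODO: check` with `NOT-FOR-US: Pydio Cells` keeps the three entries consistent.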
@@ -1579,8 +1581,8 @@ CVE-2021-41103
RESERVED
CVE-2021-41102
RESERVED
-CVE-2021-41101
- RESERVED
+CVE-2021-41101 (wire-server is an open-source back end for Wire, a secure collaboratio ...)
+ TODO: check
CVE-2021-41100
RESERVED
CVE-2021-41099
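Review bot: CVE-2021-41101 is left at TODO: check with no hint of where the affected code lives in Debian; the description names wire-server, so the entry should end up either with a source-package line for it or with NOT-FOR-US: wire-server, following the convention the rest of this file uses for software outside the archive. A NOTE with the upstream advisory URL would help whoever picks up the TODO.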
@@ -3763,8 +3765,8 @@ CVE-2021-40156 (A maliciously crafted DWG file in Autodesk Navisworks 2019, 2020
NOT-FOR-US: Autodesk
CVE-2021-40155 (A maliciously crafted DWG file in Autodesk Navisworks 2019, 2020, 2021 ...)
NOT-FOR-US: Autodesk
-CVE-2021-3747
- RESERVED
+CVE-2021-3747 (The MacOS version of Multipass, version 1.7.0, fixed in 1.7.2, acciden ...)
+ TODO: check
CVE-2021-40154
RESERVED
CVE-2021-40152
@@ -6811,7 +6813,7 @@ CVE-2021-38860
CVE-2021-38859
RESERVED
CVE-2021-3712 (ASN.1 strings are represented internally within OpenSSL as an ASN1_STR ...)
- {DSA-4963-1 DLA-2766-1}
+ {DSA-4963-1 DLA-2774-1 DLA-2766-1}
- openssl 1.1.1l-1
- openssl1.0 <removed>
NOTE: https://www.openssl.org/news/secadv/20210824.txt
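Review bot: CVE-2021-3712 now carries two DLAs (DLA-2774-1 alongside DLA-2766-1) while the entry lists two source packages (openssl and openssl1.0 <removed>); a NOTE recording which advisory covers which package, or why a second DLA was needed, would keep the history unambiguous. The newest-first ordering of the advisory IDs matches the taglib entry later in this commit.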
@@ -7137,11 +7139,9 @@ CVE-2021-38709 (In ocProducts Composr CMS before 10.0.38, an attacker can inject
NOT-FOR-US: ocProducts Composr CMS
CVE-2021-38708 (In ocProducts Composr CMS before 10.0.38, an attacker can inject JavaS ...)
NOT-FOR-US: ocProducts Composr CMS
-CVE-2021-3710
- RESERVED
+CVE-2021-3710 (An information disclosure via path traversal was discovered in apport/ ...)
NOT-FOR-US: Apport
-CVE-2021-3709
- RESERVED
+CVE-2021-3709 (Function check_attachment_for_errors() in file data/general-hooks/ubun ...)
NOT-FOR-US: Apport
CVE-2021-38711 (In gitit before 0.15.0.0, the Export feature can be exploited to leak ...)
- gitit <unfixed> (bug #992297)
@@ -7220,8 +7220,8 @@ CVE-2021-38677
RESERVED
CVE-2021-38676
RESERVED
-CVE-2021-38675
- RESERVED
+CVE-2021-38675 (A cross-site scripting (XSS) vulnerability has been reported to affect ...)
+ TODO: check
CVE-2021-38674
RESERVED
CVE-2021-3706 (adminlte is vulnerable to Sensitive Cookie Without 'HttpOnly' Flag ...)
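Review bot: the description for CVE-2021-38675 ("A cross-site scripting (XSS) vulnerability has been reported to affect ...") is word-for-word the same prefix as the QNAP entries CVE-2021-34354 through CVE-2021-34356 elsewhere in this commit, so the TODO: check should start by confirming the vendor; if it is QNAP, NOT-FOR-US: QNAP is the established resolution (see CVE-2021-34351).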
@@ -13763,8 +13763,8 @@ CVE-2021-35937 [TOCTOU race in checks for unsafe symlinks]
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1964125
CVE-2021-35936 (If remote logging is not used, the worker (in the case of CeleryExecut ...)
- airflow <itp> (bug #819700)
-CVE-2021-3626
- RESERVED
+CVE-2021-3626 (The Windows version of Multipass before 1.7.0 allowed any local proces ...)
+ TODO: check
CVE-2021-3625
RESERVED
CVE-2021-35935
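Review bot: CVE-2021-3626 (Windows version of Multipass before 1.7.0) and CVE-2021-3747 earlier in this commit (MacOS version of Multipass 1.7.0, fixed in 1.7.2) are two platform-specific issues in the same product and both sit at TODO: check; they should be triaged together so they receive the same status, and the platform qualifier in each description is the detail that decides whether any Debian package is in scope.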
@@ -17311,16 +17311,16 @@ CVE-2021-34358
RESERVED
CVE-2021-34357
RESERVED
-CVE-2021-34356
- RESERVED
-CVE-2021-34355
- RESERVED
-CVE-2021-34354
- RESERVED
+CVE-2021-34356 (A cross-site scripting (XSS) vulnerability has been reported to affect ...)
+ TODO: check
+CVE-2021-34355 (A cross-site scripting (XSS) vulnerability has been reported to affect ...)
+ TODO: check
+CVE-2021-34354 (A cross-site scripting (XSS) vulnerability has been reported to affect ...)
+ TODO: check
CVE-2021-34353
RESERVED
-CVE-2021-34352
- RESERVED
+CVE-2021-34352 (A command injection vulnerability has been reported to affect QNAP dev ...)
+ TODO: check
CVE-2021-34351 (A command injection vulnerability has been reported to affect QNAP dev ...)
NOT-FOR-US: QNAP
CVE-2021-34350
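Review bot: CVE-2021-34352's description ("A command injection vulnerability has been reported to affect QNAP dev ...") is identical to CVE-2021-34351 directly below it, which is already closed as NOT-FOR-US: QNAP; the same applies to the three XSS entries CVE-2021-34354, CVE-2021-34355 and CVE-2021-34356, whose shared wording follows the same QNAP advisory template. Resolving all four TODO: check lines as NOT-FOR-US: QNAP would be consistent with the existing triage.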
@@ -19010,8 +19010,8 @@ CVE-2021-33628
RESERVED
CVE-2021-33627
RESERVED
-CVE-2021-33626
- RESERVED
+CVE-2021-33626 (In the kernel in Insyde InsydeH2O 5.x, certain SMM drivers did not cor ...)
+ TODO: check
CVE-2021-33625
RESERVED
CVE-2021-33624 (In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a branch ...)
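Review bot: the new description for CVE-2021-33626 ("In the kernel in Insyde InsydeH2O 5.x, certain SMM drivers did not cor ...") is identical to the reworded CVE-2020-27339 later in this commit, which is marked NOT-FOR-US: Insyde. Besides resolving the TODO: check the same way, a NOTE cross-referencing the two IDs would flag that they may describe the same SMM issue assigned in different years.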
@@ -19105,8 +19105,8 @@ CVE-2021-33585
RESERVED
CVE-2021-33584
RESERVED
-CVE-2021-33583
- RESERVED
+CVE-2021-33583 (REINER timeCard 6.05.07 installs a Microsoft SQL Server with an sa pas ...)
+ TODO: check
CVE-2021-33582 (Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of s ...)
- cyrus-imapd 3.4.2-1 (bug #993433)
[bullseye] - cyrus-imapd <no-dsa> (Minor issue; pending fix via point release)
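Review bot: CVE-2021-33583's TODO: check concerns REINER timeCard 6.05.07, a product that installs a Microsoft SQL Server with a preset sa password; unless it is in the Debian archive the expected resolution is NOT-FOR-US: REINER timeCard, matching how the other vendor-product entries in this file are closed.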
@@ -45383,10 +45383,12 @@ CVE-2021-22949 (A CSRF in Concrete CMS version 8.5.5 and below allows an attacke
CVE-2021-22948 (Vulnerability in the generation of session IDs in revive-adserver < ...)
NOT-FOR-US: revive-adserver
CVE-2021-22947 (When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 se ...)
+ {DLA-2773-1}
- curl <unfixed>
NOTE: https://curl.se/docs/CVE-2021-22947.html
NOTE: Fixed by: https://github.com/curl/curl/commit/8ef147c43646e91fdaad5d0e7b60351f842e5c68 (curl-7_79_0)
CVE-2021-22946 (A user can tell curl >= 7.20.0 and <= 7.78.0 to require a succes ...)
+ {DLA-2773-1}
- curl <unfixed>
NOTE: https://curl.se/docs/CVE-2021-22946.html
NOTE: Fixed by: https://github.com/curl/curl/commit/364f174724ef115c63d5e5dc1d3342c8a43b1cca (curl-7_79_0)
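Review bot: DLA-2773-1 is recorded for CVE-2021-22947 and CVE-2021-22946, yet both entries still say `- curl <unfixed>` although the NOTE lines point to the fixing upstream commits in curl-7_79_0; once the 7.79.0 upload lands, the unstable version should replace <unfixed> so the tracker does not keep reporting these as open in sid while the LTS suite is already fixed. If a Debian bug is tracking that upload, adding it in the usual `(bug #NNNNNN)` form (placeholder number) would help.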
@@ -66248,7 +66250,7 @@ CVE-2020-27341
RESERVED
CVE-2020-27340 (The online help portal of Mitel MiCollab before 9.2 could allow an att ...)
NOT-FOR-US: Mitel
-CVE-2020-27339 (Insyde found that a number of SMM drivers in InsydeH2O did not correct ...)
+CVE-2020-27339 (In the kernel in Insyde InsydeH2O 5.x, certain SMM drivers did not cor ...)
NOT-FOR-US: Insyde
CVE-2020-27338 (An issue was discovered in Treck IPv6 before 6.0.1.68. Improper Input ...)
NOT-FOR-US: Treck
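Review bot: the replaced description drops the wording "Insyde found that a number of SMM drivers in InsydeH2O did not correct ..." in favour of text identical to the new CVE-2021-33626 entry; since the visible descriptions no longer distinguish the two IDs, a NOTE on this entry pointing at CVE-2021-33626 (and vice versa) would preserve the fact that they are separate assignments. The unchanged NOT-FOR-US: Insyde status is consistent with the neighbouring vendor entries.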
@@ -81127,14 +81129,14 @@ CVE-2020-20801
RESERVED
CVE-2020-20800 (An issue was discovered in MetInfo v7.0.0 beta. There is SQL Injection ...)
NOT-FOR-US: MetInfo
-CVE-2020-20799
- RESERVED
+CVE-2020-20799 (JeeCMS 1.0.1 contains a stored cross-site scripting (XSS) vulnerabilit ...)
+ TODO: check
CVE-2020-20798
RESERVED
-CVE-2020-20797
- RESERVED
-CVE-2020-20796
- RESERVED
+CVE-2020-20797 (FlameCMS 3.3.5 contains a time-based blind SQL injection vulnerability ...)
+ TODO: check
+CVE-2020-20796 (FlameCMS 3.3.5 contains a SQL injection vulnerability in /master/artic ...)
+ TODO: check
CVE-2020-20795
RESERVED
CVE-2020-20794
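Review bot: CVE-2020-20799 (JeeCMS 1.0.1), CVE-2020-20797 and CVE-2020-20796 (both FlameCMS 3.3.5) are left at TODO: check, while the MetInfo entry at the top of the hunk shows the usual resolution for third-party CMS products: NOT-FOR-US with the product name. Unless one of these CMSes is packaged, closing the three TODOs that way, and noting that the two FlameCMS issues affect the same 3.3.5 release, is the expected follow-up.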
@@ -81233,8 +81235,8 @@ CVE-2020-20748
RESERVED
CVE-2020-20747
RESERVED
-CVE-2020-20746
- RESERVED
+CVE-2020-20746 (A stack-based buffer overflow in the httpd server on Tenda AC9 V15.03. ...)
+ TODO: check
CVE-2020-20745
RESERVED
CVE-2020-20744
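Review bot: CVE-2020-20746 describes a stack-based buffer overflow in the httpd server of Tenda AC9 router firmware; vendor firmware of this kind is not something the archive ships, so the TODO: check is likely to resolve as NOT-FOR-US: Tenda, in line with the other device-vendor entries in this file.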
@@ -213534,7 +213536,7 @@ CVE-2018-11440 (Liblouis 3.5.0 has a stack-based Buffer Overflow in the function
NOTE: https://github.com/liblouis/liblouis/issues/575
NOTE: https://github.com/liblouis/liblouis/commit/4417bad83df4481ed58419b28c5c91b9649e2a86
CVE-2018-11439 (The TagLib::Ogg::FLAC::File::scan function in oggflacfile.cpp in TagLi ...)
- {DLA-1430-1}
+ {DLA-2772-1 DLA-1430-1}
- taglib 1.11.1+dfsg.1-0.3 (bug #903847)
NOTE: PoC: http://seclists.org/fulldisclosure/2018/May/49
NOTE: Upstream issue: https://github.com/taglib/taglib/issues/868
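Review bot: DLA-2772-1 is added in front of the existing DLA-1430-1 on CVE-2018-11439, so this CVE has now been the subject of two LTS advisories; with the same DLA-2772-1 also attached to CVE-2017-12678 in the next hunk, a NOTE stating which suite DLA-2772-1 covers would explain why an already-DLA'd issue appears in a second advisory, rather than leaving the reader to guess between a regression fix and a new suite entering LTS.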
@@ -260257,6 +260259,7 @@ CVE-2017-12680 (Cross-Site Scripting (XSS) exists in NexusPHP 1.5 via the type p
CVE-2017-12679 (SQL Injection exists in NexusPHP 1.5.beta5.20120707 via the delcheater ...)
NOT-FOR-US: NexusPHP
CVE-2017-12678 (In TagLib 1.11.1, the rebuildAggregateFrames function in id3v2framefac ...)
+ {DLA-2772-1}
- taglib 1.11.1+dfsg.1-0.2 (bug #871511)
[jessie] - taglib <not-affected> (Vulnerable code not present)
[wheezy] - taglib <not-affected> (Vulnerable code not present)
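Review bot: DLA-2772-1 is attached to CVE-2017-12678 although the entry's suite-tagged lines say taglib is <not-affected> in jessie and wheezy; the advisory must therefore target a later suite, and that is not visible from the entry alone. A suite-tagged line naming the fixed version, in the `[suite] - package version` form used by the cyrus-imapd entry earlier in this commit, would make the coverage explicit.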
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4abf0cb0fbddc45d7b36a2fdee9e6a2578ce12ec