Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e1da3684 by security tracker role at 2021-01-06T20:17:10+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,27 @@
+CVE-2021-3029
+       RESERVED
+CVE-2021-3028
+       RESERVED
+CVE-2021-22696
+       RESERVED
+CVE-2020-36177 (RsaPad_PSS in wolfcrypt/src/rsa.c in wolfSSL before 4.6.0 has 
an out-o ...)
+       TODO: check
+CVE-2020-36176 (The iThemes Security (formerly Better WP Security) plugin 
before 7.7.0 ...)
+       TODO: check
+CVE-2020-36175 (The Ninja Forms plugin before 3.4.27.1 for WordPress allows 
attackers  ...)
+       TODO: check
+CVE-2020-36174 (The Ninja Forms plugin before 3.4.27.1 for WordPress allows 
CSRF via s ...)
+       TODO: check
+CVE-2020-36173 (The Ninja Forms plugin before 3.4.28 for WordPress lacks 
escaping for  ...)
+       TODO: check
+CVE-2020-36172 (The Advanced Custom Fields plugin before 5.8.12 for WordPress 
mishandl ...)
+       TODO: check
+CVE-2020-36171 (The Elementor Website Builder plugin before 3.0.14 for 
WordPress does  ...)
+       TODO: check
+CVE-2020-36170 (The Ultimate Member plugin before 2.1.13 for WordPress 
mishandles hidd ...)
+       TODO: check
+CVE-2012-10001 (The Limit Login Attempts plugin before 1.7.1 for WordPress 
does not cl ...)
+       TODO: check
 CVE-2021-3027
        RESERVED
 CVE-2021-3026 (Invision Community IPS Community Suite before 4.5.4.2 allows 
XSS durin ...)
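Review bot: nine new entries land as TODO: check and need triage before the next automatic update pushes them further down the file. Eight are WordPress plugins (iThemes Security, Ninja Forms, Advanced Custom Fields, Elementor Website Builder, Ultimate Member, Limit Login Attempts) and will most likely resolve the way the other third-party web products in this file do, with a `NOT-FOR-US: <product>` line; CVE-2020-36177 (RsaPad_PSS in wolfcrypt/src/rsa.c, wolfSSL before 4.6.0) is a crypto-library bug in the RSA-PSS padding path and deserves a source-package lookup and a fixed-version line rather than a blanket dismissal.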
@@ -3557,7 +3581,7 @@ CVE-2020-35719
        RESERVED
 CVE-2020-35718
        RESERVED
-CVE-2020-35717 (zonote <=0.4.0 allows XSS via crafted note, with resultant 
Remote C ...)
+CVE-2020-35717 (zonote through 0.4.0 allows XSS via a crafted note, with 
resultant Rem ...)
        NOT-FOR-US: zonote
 CVE-2020-35716 (Belkin LINKSYS RE6500 devices before 1.0.012.001 allow remote 
attacker ...)
        NOT-FOR-US: Belkin LINKSYS RE6500 devices
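Review bot: description-only rewording for CVE-2020-35717 (`<=0.4.0` becomes `through 0.4.0`); the existing `NOT-FOR-US: zonote` triage line is untouched and remains valid, so nothing further is needed in this hunk.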
@@ -4154,8 +4178,8 @@ CVE-2021-21238
        RESERVED
 CVE-2021-21237
        RESERVED
-CVE-2021-21236
-       RESERVED
+CVE-2021-21236 (CairoSVG is a Python (pypi) package. CairoSVG is an SVG 
converter base ...)
+       TODO: check
 CVE-2021-21235 (kamadak-exif is an exif parsing library written in pure Rust. 
In kamad ...)
        - rust-kamadak-exif <unfixed>
        NOTE: 
https://github.com/kamadak/exif-rs/security/advisories/GHSA-px9g-8hgv-jvg2
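Review bot: CVE-2021-21236 moves from RESERVED to TODO: check with a description identifying CairoSVG as a pypi package; the triage should follow the form used for CVE-2021-21235 directly below it (a source-package line such as `- rust-kamadak-exif <unfixed>` plus a NOTE carrying the advisory URL), so the first step is a source-package lookup for CairoSVG rather than leaving the TODO open.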
@@ -18346,20 +18370,20 @@ CVE-2020-27287
        RESERVED
 CVE-2020-27286
        RESERVED
-CVE-2020-27285
-       RESERVED
+CVE-2020-27285 (The default configuration of Crimson 3.1 (Build versions prior 
to 3119 ...)
+       TODO: check
 CVE-2020-27284
        RESERVED
-CVE-2020-27283
-       RESERVED
+CVE-2020-27283 (An attacker could send a specially crafted message to Crimson 
3.1 (Bui ...)
+       TODO: check
 CVE-2020-27282
        RESERVED
 CVE-2020-27281
        RESERVED
 CVE-2020-27280
        RESERVED
-CVE-2020-27279
-       RESERVED
+CVE-2020-27279 (A NULL pointer deference vulnerability has been identified in 
the prot ...)
+       TODO: check
 CVE-2020-27278
        RESERVED
 CVE-2020-27277
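Review bot: three Crimson 3.1 entries (CVE-2020-27285, CVE-2020-27283, CVE-2020-27279) gain descriptions in one go and should be triaged together, since they concern the same product build; the "NULL pointer deference" wording in CVE-2020-27279 is a typo inherited from the upstream CVE text, and because the automatic update regenerates description text a local correction would be overwritten, so leave it as imported.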
@@ -19569,8 +19593,8 @@ CVE-2020-26761
        RESERVED
 CVE-2020-26760
        RESERVED
-CVE-2020-26759
-       RESERVED
+CVE-2020-26759 (clickhouse-driver before 0.1.5 allows a malicious clickhouse 
server to ...)
+       TODO: check
 CVE-2020-26758
        RESERVED
 CVE-2020-26757
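Review bot: CVE-2020-26759 describes a client-side issue (a malicious clickhouse server acting on clickhouse-driver before 0.1.5), so the triage question is whether the Python driver is packaged, not the ClickHouse server; resolve the TODO: check with a fixed-version line or a NOT-FOR-US line accordingly.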
@@ -22204,7 +22228,7 @@ CVE-2020-25656 (A flaw was found in the Linux kernel. A 
use-after-free was found
 CVE-2020-25655 (An issue was discovered in ManagedClusterView API, that could 
allow se ...)
        NOT-FOR-US: Red Hat open-cluster-management
 CVE-2020-25654 (An ACL bypass flaw was found in pacemaker. An attacker having 
a local  ...)
-       {DSA-4791-1}
+       {DSA-4791-1 DLA-2519-1}
        - pacemaker 2.0.5~rc2-1 (bug #973254)
        NOTE: https://www.openwall.com/lists/oss-security/2020/10/27/1
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1888191
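Review bot: DLA-2519-1 is appended to the existing DSA-4791-1 reference for the pacemaker ACL bypass (CVE-2020-25654), matching the same DLA being recorded for the two older pacemaker CVEs (CVE-2018-16878, CVE-2018-16877) at the end of this patch; the three references should be kept consistent if the DLA is ever amended or regressed.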
@@ -49211,10 +49235,10 @@ CVE-2020-13547 (A type confusion vulnerability exists 
in the JavaScript engine o
        NOT-FOR-US: Foxit
 CVE-2020-13546
        RESERVED
-CVE-2020-13545
-       RESERVED
-CVE-2020-13544
-       RESERVED
+CVE-2020-13545 (An exploitable signed conversion vulnerability exists in the 
TextMaker ...)
+       TODO: check
+CVE-2020-13544 (An exploitable sign extension vulnerability exists in the 
TextMaker do ...)
+       TODO: check
 CVE-2020-13543 (A code execution vulnerability exists in the WebSocket 
functionality o ...)
        {DSA-4797-1}
        - webkit2gtk 2.30.3-1
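Review bot: CVE-2020-13545 and CVE-2020-13544 are sibling TextMaker document-parsing bugs (a signed conversion and a sign extension issue) and should receive the same triage line; the Foxit entries in the surrounding context show the NOT-FOR-US form to use if TextMaker turns out not to be packaged.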
@@ -58391,14 +58415,14 @@ CVE-2019-20511 (ERPNext 11.1.47 allows 
blog?blog_category= Frame Injection. ...)
        NOT-FOR-US: ERPNext
 CVE-2020-10659 (Entrust Entelligence Security Provider (ESP) before 10.0.60 on 
Windows ...)
        NOT-FOR-US: Entrust Entelligence Security Provider (ESP)
-CVE-2020-10658
-       RESERVED
-CVE-2020-10657
-       RESERVED
-CVE-2020-10656
-       RESERVED
-CVE-2020-10655
-       RESERVED
+CVE-2020-10658 (The Proofpoint Insider Threat Management Server (formerly 
ObserveIT Se ...)
+       TODO: check
+CVE-2020-10657 (The Proofpoint Insider Threat Management Server (formerly 
ObserveIT Se ...)
+       TODO: check
+CVE-2020-10656 (The Proofpoint Insider Threat Management Server (formerly 
ObserveIT Se ...)
+       TODO: check
+CVE-2020-10655 (The Proofpoint Insider Threat Management Server (formerly 
ObserveIT Se ...)
+       TODO: check
 CVE-2020-10654 (Ping Identity PingID SSH before 4.0.14 contains a heap buffer 
overflow ...)
        NOT-FOR-US: Ping Identity PingID
 CVE-2020-10653
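Review bot: four consecutive Proofpoint Insider Threat Management Server entries (CVE-2020-10658 through CVE-2020-10655) arrive with identical truncated descriptions, so the file alone cannot tell them apart; the TODO: check lines should be resolved from the full CVE records, most likely as one shared `NOT-FOR-US: Proofpoint Insider Threat Management Server` line each, in the style of the Entrust and Ping Identity entries around them.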
@@ -62574,8 +62598,8 @@ CVE-2012-6721 (Multiple cross-site request forgery 
(CSRF) vulnerabilities in the
        NOT-FOR-US: SocialEngine
 CVE-2012-6720 (Multiple cross-site scripting (XSS) vulnerabilities in 
SocialEngine be ...)
        NOT-FOR-US: SocialEngine
-CVE-2020-8884
-       RESERVED
+CVE-2020-8884 (rcdsvc in the Proofpoint Insider Threat Management Windows 
Agent (form ...)
+       TODO: check
 CVE-2020-8883 (This vulnerability allows remote attackers to disclose 
sensitive infor ...)
        NOT-FOR-US: Foxit Studio Photo
 CVE-2020-8882 (This vulnerability allows remote attackers to execute arbitrary 
code o ...)
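Review bot: CVE-2020-8884 (rcdsvc in the Proofpoint Insider Threat Management Windows Agent) belongs to the same vendor batch as the four Proofpoint server CVEs earlier in this patch and should be triaged in the same pass so the five entries end up with matching lines.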
@@ -64433,8 +64457,8 @@ CVE-2020-8161 (A directory traversal vulnerability 
exists in rack &lt; 2.2.0 tha
        NOTE: Fixed by: 
https://github.com/rack/rack/commit/dddb7ad18ed79ca6ab06ccc417a169fde451246e
        NOTE: Required followup: 
https://github.com/rack/rack/commit/e7ba1b0557d3ad97af1ef113bbeb5f27417983fa
        NOTE: Test: 
https://github.com/rack/rack/commit/775c836bdd25b63340399fea739532d746860a94
-CVE-2020-8160
-       RESERVED
+CVE-2020-8160 (MendixSSO &lt;= 2.1.1 contains endpoints that make use of the 
openid h ...)
+       TODO: check
 CVE-2020-8159 (There is a vulnerability in actionpack_page-caching gem &lt; 
v1.2.1 th ...)
        - ruby-actionpack-page-caching 1.2.2-1 (bug #960680)
        [buster] - ruby-actionpack-page-caching <no-dsa> (Minor issue)
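Review bot: the new CVE-2020-8160 description carries an HTML-escaped `&lt;=` exactly as the neighbouring rack and actionpack_page-caching descriptions do, so the escaping is consistent with how the automatic update imports text and should not be hand-corrected in the file; the entry itself still needs triage, and MendixSSO is a vendor product, so a NOT-FOR-US line is the likely outcome.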
@@ -65486,7 +65510,7 @@ CVE-2020-7776 (This affects the package 
phpoffice/phpspreadsheet from 0.0.0. The
        NOT-FOR-US: phpoffice/phpspreadsheet
 CVE-2020-7775
        RESERVED
-CVE-2020-7774 (This affects the package y18n before 4.0.1 and 5.0.5. PoC by 
po6ix: co ...)
+CVE-2020-7774 (This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. 
PoC by po ...)
        - node-y18n 4.0.0-3 (bug #976390)
        [buster] - node-y18n <no-dsa> (Minor issue)
        [stretch] - node-y18n <no-dsa> (Minor issue)
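Review bot: the affected-version text for CVE-2020-7774 (y18n) now reads "before 3.2.2, 4.0.1 and 5.0.5", adding a fixed 3.x release that the previous wording lacked; the `<no-dsa> (Minor issue)` lines for buster and stretch were written against the old text and should be re-checked against which y18n branch each suite ships, since a 3.x fix now exists upstream and the recorded unstable fix is 4.0.0-3.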
@@ -72621,15 +72645,15 @@ CVE-2020-5108
 CVE-2020-5107
        RESERVED
 CVE-2020-5106
-       RESERVED
+       REJECTED
 CVE-2020-5105
-       RESERVED
+       REJECTED
 CVE-2020-5104
-       RESERVED
+       REJECTED
 CVE-2020-5103
-       RESERVED
+       REJECTED
 CVE-2020-5102
-       RESERVED
+       REJECTED
 CVE-2020-5101
        REJECTED
 CVE-2020-5100
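Review bot: CVE-2020-5102 through CVE-2020-5106 flip from RESERVED to REJECTED, in line with CVE-2020-5101 immediately below; rejected identifiers need no triage, so no follow-up is required for this hunk.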
@@ -74163,8 +74187,8 @@ CVE-2020-4338 (IBM MQ 9.1.4 could allow a local 
attacker to obtain sensitive inf
        NOT-FOR-US: IBM
 CVE-2020-4337 (IBM API Connect 2018.4.1.0 through 2018.4.1.12 could allow an 
attacker ...)
        NOT-FOR-US: IBM
-CVE-2020-4336
-       RESERVED
+CVE-2020-4336 (IBM WebSphere eXtreme Scale 8.6.1 stores sensitive information 
in URL  ...)
+       TODO: check
 CVE-2020-4335
        RESERVED
 CVE-2020-4334
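Review bot: CVE-2020-4336 (IBM WebSphere eXtreme Scale 8.6.1 storing sensitive information in URLs) is bracketed by IBM entries already marked `NOT-FOR-US: IBM`; unless the product is packaged, the TODO: check should be resolved the same way.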
@@ -92050,8 +92074,8 @@ CVE-2019-16964 (app/call_centers/cmd.php in the Call 
Center Queue Module in Fusi
        NOT-FOR-US: FusionPBX
 CVE-2019-16963
        RESERVED
-CVE-2019-16962
-       RESERVED
+CVE-2019-16962 (Zoho ManageEngine Desktop Central 10.0.430 allows HTML 
injection via a ...)
+       TODO: check
 CVE-2019-16961
        RESERVED
 CVE-2019-16960 (SolarWinds Web Help Desk 12.7.0 allows XSS via a CSV template 
file wit ...)
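Review bot: CVE-2019-16962 (Zoho ManageEngine Desktop Central 10.0.430, HTML injection) is a proprietary product entry and the TODO: check should be closed out; the adjacent SolarWinds entries show the `NOT-FOR-US: <vendor>` form to follow.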
@@ -92066,8 +92090,8 @@ CVE-2019-16956 (SolarWinds Web Help Desk 12.7.0 allows 
XSS via the Request Type
        NOT-FOR-US: SolarWinds
 CVE-2019-16955 (SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG 
documen ...)
        NOT-FOR-US: SolarWinds
-CVE-2019-16954
-       RESERVED
+CVE-2019-16954 (SolarWinds Web Help Desk 12.7.0 allows HTML injection via a 
Comment in ...)
+       TODO: check
 CVE-2019-16953
        RESERVED
 CVE-2019-16952
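Review bot: CVE-2019-16954 concerns the same SolarWinds Web Help Desk 12.7.0 release as CVE-2019-16956 and CVE-2019-16955 in the surrounding context, both already `NOT-FOR-US: SolarWinds`; the TODO: check should be resolved identically rather than left open.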
@@ -149494,12 +149518,14 @@ CVE-2018-16880 (A flaw was found in the Linux 
kernel's handle_rx() function in t
 CVE-2018-16879 (Ansible Tower before version 3.3.3 does not set a secure 
channel as it ...)
        NOT-FOR-US: Ansible Tower
 CVE-2018-16878 (A flaw was found in pacemaker up to and including version 
2.0.1. An in ...)
+       {DLA-2519-1}
        - pacemaker 2.0.1-3 (bug #927714)
        NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/1
        NOTE: https://github.com/ClusterLabs/pacemaker/pull/1749 (master)
        NOTE: https://github.com/ClusterLabs/pacemaker/pull/1750 (1.1)
        NOTE: https://lists.clusterlabs.org/pipermail/users/2019-May/025822.html
 CVE-2018-16877 (A flaw was found in the way pacemaker's client-server 
authentication w ...)
+       {DLA-2519-1}
        - pacemaker 2.0.1-3 (bug #927714)
        NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/1
        NOTE: https://github.com/ClusterLabs/pacemaker/pull/1749 (master)
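Review bot: `{DLA-2519-1}` is added to CVE-2018-16878 and CVE-2018-16877 while the existing `- pacemaker 2.0.1-3 (bug #927714)` fixed-version line is kept, which is the right layering (advisory reference above the package fix); this matches the DLA-2519-1 reference added for CVE-2020-25654 earlier in the patch, so all three pacemaker entries now point at the same LTS advisory.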



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1da36844d210ad9b59091fc288f5315f6761d38



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
