author: security tracker role <sectracker@soriano.debian.org> 2021-02-15 20:10:22 +0000
committer: security tracker role <sectracker@soriano.debian.org> 2021-02-15 20:10:22 +0000
commit: 50f8455d7061990662616a278a087e15b5d10713
tree: 256ff589496716809b6002e9b034bf7c16c0c518 /data
parent: 01d5bb9a2bbdddfffe24805b6cc91ae04e310e6a
automatic update
Diffstat (limited to 'data')
-rw-r--r-- data/CVE/list.2011 | 2
-rw-r--r-- data/CVE/list.2015 | 2
-rw-r--r-- data/CVE/list.2016 | 4
-rw-r--r-- data/CVE/list.2017 | 4
-rw-r--r-- data/CVE/list.2018 | 2
-rw-r--r-- data/CVE/list.2020 | 47
-rw-r--r-- data/CVE/list.2021 | 56
7 files changed, 65 insertions, 52 deletions
diff --git a/data/CVE/list.2011 b/data/CVE/list.2011
index ee97c0f9f6..2dd7e8139d 100644
--- a/data/CVE/list.2011
+++ b/data/CVE/list.2011
@@ -15,7 +15,7 @@ CVE-2011-5326 (imlib2 before 1.4.9 allows remote attackers to cause a denial of
NOTE: https://git.enlightenment.org/legacy/imlib2.git/commit/?id=c94d83ccab15d5ef02f88d42dce38ed3f0892882
NOTE: https://www.openwall.com/lists/oss-security/2016/04/10/5
CVE-2011-5325 (Directory traversal vulnerability in the BusyBox implementation of tar ...)
- {DLA-1445-1}
+ {DLA-2559-1 DLA-1445-1}
- busybox 1:1.27.2-1 (bug #802702)
[wheezy] - busybox <no-dsa> (Minor issue)
[squeeze] - busybox <no-dsa> (Minor issue)
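Review bot: DLA-2559-1 is added to the advisory set of this busybox entry (and to the six other busybox entries in list.2015 through list.2018 in this commit), yet the diffstat, which covers all of data/, shows no change under data/DLA; confirm that the advisory record for DLA-2559-1 was committed separately, otherwise this cross-reference dangles. The unchanged `[wheezy] - busybox <no-dsa> (Minor issue)` and `[squeeze]` lines are only consistent if DLA-2559-1 targets a later suite than those two.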
diff --git a/data/CVE/list.2015 b/data/CVE/list.2015
index 0402a0c9c7..1f34699185 100644
--- a/data/CVE/list.2015
+++ b/data/CVE/list.2015
@@ -5005,7 +5005,7 @@ CVE-2015-7944 (The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti
NOTE: http://www.ocert.org/advisories/ocert-2015-012.html
NOTE: http://git.ganeti.org/?p=ganeti.git;a=commit;h=201fcb916b8164c78f4ed8e0c9cfc0227a78684c
CVE-2015-9261 (huft_build in archival/libarchive/decompress_gunzip.c in BusyBox befor ...)
- {DLA-1445-1 DLA-337-1}
+ {DLA-2559-1 DLA-1445-1 DLA-337-1}
- busybox 1:1.27.2-1 (bug #803097)
NOTE: https://www.openwall.com/lists/oss-security/2015/10/25/3
NOTE: http://git.busybox.net/busybox/commit/?id=1de25a6e87e0e627aa34298105a3d17c60a1f44e
diff --git a/data/CVE/list.2016 b/data/CVE/list.2016
index b01c449cd3..e21273c8ba 100644
--- a/data/CVE/list.2016
+++ b/data/CVE/list.2016
@@ -26758,12 +26758,12 @@ CVE-2016-2150 (SPICE allows local guest OS users to read from or write to arbitr
CVE-2016-2149 (Red Hat OpenShift Enterprise 3.2 allows remote authenticated users to ...)
NOT-FOR-US: OpenShift
CVE-2016-2148 (Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox befo ...)
- {DLA-1445-1}
+ {DLA-2559-1 DLA-1445-1}
- busybox 1:1.27.2-1 (bug #818497)
[wheezy] - busybox <no-dsa> (Minor issue)
NOTE: https://git.busybox.net/busybox/commit/?id=352f79acbd759c14399e39baef21fc4ffe180ac2
CVE-2016-2147 (Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 ...)
- {DLA-1445-1}
+ {DLA-2559-1 DLA-1445-1}
- busybox 1:1.27.2-1 (bug #818499)
[wheezy] - busybox <no-dsa> (Minor issue)
NOTE: https://git.busybox.net/busybox/commit/?id=d474ffc68290e0a83651c4432eeabfa62cd51e87
diff --git a/data/CVE/list.2017 b/data/CVE/list.2017
index ece82e5c55..36725a59c0 100644
--- a/data/CVE/list.2017
+++ b/data/CVE/list.2017
@@ -7002,7 +7002,7 @@ CVE-2017-16545 (The ReadWPGImage function in coders/wpg.c in GraphicsMagick 1.3.
NOTE: the severity of the wheezy version is low even though the vulnerable code is still present.
NOTE: The patch is trivial so it may be worth fixing in combination with some other fix.
CVE-2017-16544 (In the add_match function in libbb/lineedit.c in BusyBox through 1.27. ...)
- {DLA-1445-1}
+ {DLA-2559-1 DLA-1445-1}
- busybox 1:1.27.2-2 (bug #882258)
[wheezy] - busybox <no-dsa> (Minor issue)
NOTE: https://www.twistlock.com/2017/11/20/cve-2017-16544-busybox-autocompletion-vulnerability/
@@ -8675,7 +8675,7 @@ CVE-2017-15874 (archival/libarchive/decompress_unlzma.c in BusyBox 1.27.2 has an
NOTE: Introduced in: https://git.busybox.net/busybox/commit/?id=3989e5adf454a3ab98412b249c2c9bd2a3175ae0
NOTE: Fixed by: https://git.busybox.net/busybox/commit/?id=9ac42c500586fa5f10a1f6d22c3f797df11b1f6b
CVE-2017-15873 (The get_next_block function in archival/libarchive/decompress_bunzip2. ...)
- {DLA-1445-1}
+ {DLA-2559-1 DLA-1445-1}
- busybox 1:1.27.2-2 (bug #879732)
[wheezy] - busybox <no-dsa> (Minor issue)
NOTE: Fixed by: https://git.busybox.net/busybox/commit/?id=0402cb32df015d9372578e3db27db47b33d5c7b0
diff --git a/data/CVE/list.2018 b/data/CVE/list.2018
index c95f834ab4..dfd8b00dba 100644
--- a/data/CVE/list.2018
+++ b/data/CVE/list.2018
@@ -22707,7 +22707,7 @@ CVE-2018-1000519 (aio-libs aiohttp-session contains a Session Fixation vulnerabi
CVE-2018-1000518 (aaugustin websockets version 4 contains a CWE-409: Improper Handling o ...)
NOT-FOR-US: aaugustin websockets
CVE-2018-1000517 (BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c ...)
- {DLA-1445-1}
+ {DLA-2559-1 DLA-1445-1}
- busybox 1:1.27.2-3 (low; bug #902724)
NOTE: https://git.busybox.net/busybox/commit/?id=8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e
CVE-2018-1000516 (The Galaxy Project Galaxy version v14.10 contains a CWE-79: Improper N ...)
diff --git a/data/CVE/list.2020 b/data/CVE/list.2020
index 123f16aedf..c04d9ee01b 100644
--- a/data/CVE/list.2020
+++ b/data/CVE/list.2020
@@ -1096,8 +1096,8 @@ CVE-2020-35777 (NETGEAR DGN2200v1 devices before v1.0.0.58 are affected by comma
NOT-FOR-US: Netgear
CVE-2020-35776
RESERVED
-CVE-2020-35775
- RESERVED
+CVE-2020-35775 (CITSmart before 9.1.2.23 allows LDAP Injection. ...)
+ TODO: check
CVE-2020-35774 (server/handler/HistogramQueryHandler.scala in Twitter TwitterServer (a ...)
NOT-FOR-US: Twitter TwitterServer
CVE-2020-35773 (The site-offline plugin before 1.4.4 for WordPress lacks certain wp_cr ...)
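Review bot: CVE-2020-35775 (CITSmart LDAP injection) is left at `TODO: check`; CITSmart does not map to any Debian package visible here, and the neighbouring non-Debian entries (Netgear, Twitter TwitterServer) are triaged `NOT-FOR-US: <product>`, so the TODO should be closed the same way unless a package is identified.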
@@ -1732,8 +1732,7 @@ CVE-2020-35513 (A flaw incorrect umask during file or directory modification in
[stretch] - linux <not-affected> (Vulnerable code introduce later)
NOTE: https://git.kernel.org/linus/880a3a5325489a143269a8e172e7563ebf9897bc
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1911309
-CVE-2020-35512
- RESERVED
+CVE-2020-35512 (A use-after-free flaw was found in D-Bus 1.12.20 when a system has mul ...)
- dbus 1.12.20-1
[buster] - dbus 1.12.20-0+deb10u1
[stretch] - dbus 1.10.32-0+deb9u1
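Review bot: The new description states the use-after-free is in D-Bus 1.12.20 while the unstable fixed version stays at `- dbus 1.12.20-1`, so the fix must be carried as a Debian-revision patch; unlike the kernel entry just above, which has git.kernel.org and bugzilla NOTE lines, this entry carries no NOTE pointing at the upstream fix or bug report, and one should be added so that the 1.12.20-1 and the buster/stretch fixed versions are verifiable.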
@@ -1812,6 +1811,7 @@ CVE-2020-35499
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1910048
NOTE: https://git.kernel.org/linus/f6b8c6b5543983e9de29dc14716bfa4eb3f157c4
CVE-2020-35498 (A vulnerability was found in openvswitch. A limitation in the implemen ...)
+ {DSA-4852-1}
- openvswitch 2.15.0~git20210104.def6eb1ea+dfsg1-5 (bug #982493)
NOTE: master: https://github.com/openvswitch/ovs/commit/79349cbab0b2a755140eedb91833ad2760520a83
NOTE: 2.15: https://github.com/openvswitch/ovs/commit/0625dc79aec73b966f206e55655a2816696246d0
@@ -4222,8 +4222,8 @@ CVE-2020-29033
RESERVED
CVE-2020-29032
RESERVED
-CVE-2020-29031
- RESERVED
+CVE-2020-29031 (An Insecure Direct Object Reference vulnerability exists in the web UI ...)
+ TODO: check
CVE-2020-29030
RESERVED
CVE-2020-29029
@@ -4232,8 +4232,8 @@ CVE-2020-29028
RESERVED
CVE-2020-29027
RESERVED
-CVE-2020-29026
- RESERVED
+CVE-2020-29026 (A directory traversal vulnerability exists in the file upload function ...)
+ TODO: check
CVE-2020-29025
RESERVED
CVE-2020-29024
@@ -5398,8 +5398,8 @@ CVE-2020-28502
RESERVED
CVE-2020-28501
RESERVED
-CVE-2020-28500
- RESERVED
+CVE-2020-28500 (All versions of package lodash; all versions of package org.fujion.web ...)
+ TODO: check
CVE-2020-28499
RESERVED
CVE-2020-28498 (The package elliptic before 6.5.4 are vulnerable to Cryptographic Issu ...)
@@ -5454,7 +5454,8 @@ CVE-2020-28478 (This affects the package gsap before 3.6.0. ...)
NOT-FOR-US: Node gsap
CVE-2020-28477 (This affects all versions of package immer. ...)
NOT-FOR-US: Node immer
-CVE-2020-28476 (All versions of package tornado are vulnerable to Web Cache Poisoning ...)
+CVE-2020-28476
+ REJECTED
- python-tornado <unfixed>
[buster] - python-tornado <no-dsa> (Minor issue)
[stretch] - python-tornado <no-dsa> (Minor issue)
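Review bot: Marking CVE-2020-28476 as REJECTED while keeping `- python-tornado <unfixed>` and the `[buster]`/`[stretch] <no-dsa>` lines leaves the tracker reporting an open, unfixed issue in python-tornado for a CVE that no longer exists; drop the package and suite lines together with the description, and consider a NOTE recording why the ID was rejected so the history is not lost.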
@@ -13876,8 +13877,8 @@ CVE-2020-24901 (The default installation of Krpano Panorama Viewer version &lt;=
NOT-FOR-US: Krpano Panorama Viewer
CVE-2020-24900 (The default installation of Krpano Panorama Viewer version &lt;=1.20.8 ...)
NOT-FOR-US: Krpano Panorama Viewer
-CVE-2020-24899
- RESERVED
+CVE-2020-24899 (Nagios XI 5.7.2 is affected by a remote code execution (RCE) vulnerabi ...)
+ TODO: check
CVE-2020-24898 (The Table Filter and Charts for Confluence Server app before 5.3.26 (f ...)
NOT-FOR-US: Confluence Server app for Atlassian Confluence
CVE-2020-24897 (The Table Filter and Charts for Confluence Server app before 5.3.25 (f ...)
@@ -19001,12 +19002,12 @@ CVE-2020-22429
RESERVED
CVE-2020-22428
RESERVED
-CVE-2020-22427
- RESERVED
+CVE-2020-22427 (NagiosXI 5.6.11 is affected by a remote code execution (RCE) vulnerabi ...)
+ TODO: check
CVE-2020-22426
RESERVED
-CVE-2020-22425
- RESERVED
+CVE-2020-22425 (Centreon 19.10-3.el7 is affected by a SQL injection vulnerability, whe ...)
+ TODO: check
CVE-2020-22424
RESERVED
CVE-2020-22423
@@ -59752,12 +59753,12 @@ CVE-2020-4958 (IBM Security Identity Governance and Intelligence 5.2.6 does not
NOT-FOR-US: IBM
CVE-2020-4957
RESERVED
-CVE-2020-4956
- RESERVED
-CVE-2020-4955
- RESERVED
-CVE-2020-4954
- RESERVED
+CVE-2020-4956 (IBM Spectrum Protect Operations Center 7.1 and 8.1 is vulnerable to a ...)
+ TODO: check
+CVE-2020-4955 (IBM Spectrum Protect Operations Center 7.1 and 8.1could allow a remote ...)
+ TODO: check
+CVE-2020-4954 (IBM Spectrum Protect Operations Center 7.1 and 8.1 could allow a remot ...)
+ TODO: check
CVE-2020-4953
RESERVED
CVE-2020-4952 (IBM Security Guardium 11.2 could allow an authenticated user to gain r ...)
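Review bot: The three new IBM Spectrum Protect Operations Center entries are left at `TODO: check`, while the IBM entry directly above them (CVE-2020-4958) is triaged `NOT-FOR-US: IBM`; the same disposition almost certainly applies and should be settled here rather than left as three open TODOs. Note also that the CVE-2020-4955 description is carried in verbatim with the upstream typo `8.1could` (missing space); harmless for the tracker, but worth knowing it is not a local edit.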
diff --git a/data/CVE/list.2021 b/data/CVE/list.2021
index 909827a26e..cf894d4b7a 100644
--- a/data/CVE/list.2021
+++ b/data/CVE/list.2021
@@ -1,3 +1,15 @@
+CVE-2021-27223
+ RESERVED
+CVE-2021-27222
+ RESERVED
+CVE-2021-27221
+ RESERVED
+CVE-2021-27220
+ RESERVED
+CVE-2021-27217
+ RESERVED
+CVE-2021-27216
+ RESERVED
CVE-2021-27215
RESERVED
CVE-2021-27214
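Review bot: This hunk inserts RESERVED placeholders for CVE-2021-27216 through CVE-2021-27223 but skips 27218 and 27219, which already exist much further down the file (the `@@ -808` hunk, as glib2.0 entries); since the file is otherwise kept in descending CVE order, those two entries should be moved up into this sequence rather than left out of order.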
@@ -9,8 +21,8 @@ CVE-2021-27212 (In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an asse
NOTE: https://bugs.openldap.org/show_bug.cgi?id=9454
NOTE: trunk: https://git.openldap.org/openldap/openldap/-/commit/3539fc33212b528c56b716584f2c2994af7c30b0
NOTE: REL_ENG 2.4.x: https://git.openldap.org/openldap/openldap/-/commit/9badb73425a67768c09bcaed1a9c26c684af6c30
-CVE-2021-27211
- RESERVED
+CVE-2021-27211 (steghide 0.5.1 relies on a certain 32-bit seed value, which makes it e ...)
+ TODO: check
CVE-2021-27210 (TP-Link Archer C5v 1.7_181221 devices allows remote attackers to retri ...)
NOT-FOR-US: TP-Link
CVE-2021-27209 (In the management interface on TP-Link Archer C5v 1.7_181221 devices, ...)
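Review bot: CVE-2021-27211 concerns steghide, which is a Debian source package, so the `TODO: check` should resolve into a `- steghide <version>` line (or `<unfixed>`/`<not-affected>` as the analysis warrants) plus a NOTE with the upstream reference, unlike the TP-Link neighbours which are correctly `NOT-FOR-US`.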
@@ -36,8 +48,8 @@ CVE-2021-27202
CVE-2021-XXXX [several security fixes: PHP injections, XSS and secrets stored in session file]
- spip 3.2.9-1
TODO: needs possibly CVE requests for individual issues
-CVE-2021-27201
- RESERVED
+CVE-2021-27201 (Endian Firewall Community (aka EFW) 3.3.2 allows remote authenticated ...)
+ TODO: check
CVE-2021-27200
RESERVED
CVE-2021-27199
@@ -808,10 +820,10 @@ CVE-2021-21299 (hyper is an open-source HTTP library for Rust (crates.io). In hy
- rust-hyper <unfixed>
NOTE: https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf
NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0020.html
-CVE-2021-27218 [Integer overflow in g_byte_array_new_take()/g_bytes_unref_to_array() on 64-bit platforms]
+CVE-2021-27218 (An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before ...)
- glib2.0 2.66.7-1 (bug #982779)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1942
-CVE-2021-27219 [GHSL-2021-045: integer overflow in g_bytes_new/g_memdup]
+CVE-2021-27219 (An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before ...)
- glib2.0 2.66.6-1 (bug #982778)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2319
CVE-2021-26842
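Review bot: Replacing the bracketed working titles with the official descriptions drops information the tracker had and the truncated official text no longer shows: the GHSL-2021-045 identifier and the affected functions (`g_byte_array_new_take()`/`g_bytes_unref_to_array()` for CVE-2021-27218, `g_bytes_new`/`g_memdup` for CVE-2021-27219). Keep that detail as NOTE lines next to the existing merge_requests/1942 and issues/2319 links. These two entries also remain out of numeric order here while the top-of-file hunk inserts the surrounding CVE-2021-2721x placeholders.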
@@ -1506,8 +1518,8 @@ CVE-2021-3377
RESERVED
CVE-2021-3376
RESERVED
-CVE-2021-3375
- RESERVED
+CVE-2021-3375 (ActivePresenter 6.1.6 is affected by a memory corruption vulnerability ...)
+ TODO: check
CVE-2021-3374
RESERVED
CVE-2021-3373
@@ -4477,14 +4489,14 @@ CVE-2021-25301
RESERVED
CVE-2021-25300
RESERVED
-CVE-2021-25299
- RESERVED
-CVE-2021-25298
- RESERVED
-CVE-2021-25297
- RESERVED
-CVE-2021-25296
- RESERVED
+CVE-2021-25299 (Nagios XI version xi-5.7.5 is affected by cross-site scripting (XSS). ...)
+ TODO: check
+CVE-2021-25298 (Nagios XI version xi-5.7.5 is affected by OS command injection. The vu ...)
+ TODO: check
+CVE-2021-25297 (Nagios XI version xi-5.7.5 is affected by OS command injection. The vu ...)
+ TODO: check
+CVE-2021-25296 (Nagios XI version xi-5.7.5 is affected by OS command injection. The vu ...)
+ TODO: check
CVE-2021-25295 (OpenCATS through 0.9.5-3 has multiple Cross-site Scripting (XSS) issue ...)
NOT-FOR-US: OpenCATS
CVE-2021-25294 (OpenCATS through 0.9.5-3 unsafely deserializes index.php?m=activity re ...)
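Review bot: All four new Nagios XI xi-5.7.5 entries stay at `TODO: check`, and the same product is added in list.2020 in this same commit (CVE-2020-24899, CVE-2020-22427), also as TODO; whichever disposition is chosen (the neighbouring OpenCATS entries use `NOT-FOR-US`) should be applied to all six together. Three of the descriptions (CVE-2021-25296 through CVE-2021-25298) are identical after truncation, so the full text is needed before the entries can be told apart.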
@@ -8619,12 +8631,12 @@ CVE-2021-23340
RESERVED
CVE-2021-23339
RESERVED
-CVE-2021-23338
- RESERVED
-CVE-2021-23337
- RESERVED
-CVE-2021-23336
- RESERVED
+CVE-2021-23338 (This affects all versions of package qlib. The workflow function in cl ...)
+ TODO: check
+CVE-2021-23337 (All versions of package lodash; all versions of package org.fujion.web ...)
+ TODO: check
+CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 3.7.0 and be ...)
+ TODO: check
CVE-2021-23335 (All versions of package is-user-valid are vulnerable to LDAP Injection ...)
NOT-FOR-US: Node is-user-valid
CVE-2021-23334 (All versions of package static-eval are vulnerable to Arbitrary Code E ...)
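Review bot: CVE-2021-23336 is filed against python/cpython itself, which Debian ships as its python3.N source packages, so this `TODO: check` needs real package lines per affected Python version rather than staying open alongside the Node entries. Separately, the truncated description of CVE-2021-23337 is character-for-character the same as CVE-2020-28500 in the list.2020 hunk of this commit ("All versions of package lodash; all versions of package org.fujion.web ..."), so both lodash entries should be triaged together and their full descriptions compared to confirm they are distinct issues and not a duplicate assignment.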
