author     security tracker role <sectracker@soriano.debian.org>  2021-02-18 20:10:27 +0000
committer  security tracker role <sectracker@soriano.debian.org>  2021-02-18 20:10:27 +0000
commit     746426b2d611eb0158df2067167d3e50feb773ba (patch)
tree       e6a4c44e5814f83f1c71a472e17e632eafe176e8
parent     c16c0cdd94b6e297ebff292a7a6e9fc642d9f238 (diff)
automatic update
-rw-r--r--  data/CVE/2019.list   8
-rw-r--r--  data/CVE/2020.list  45
-rw-r--r--  data/CVE/2021.list  98
3 files changed, 100 insertions, 51 deletions
diff --git a/data/CVE/2019.list b/data/CVE/2019.list
index acdf14de03..f31013f89f 100644
--- a/data/CVE/2019.list
+++ b/data/CVE/2019.list
@@ -7102,8 +7102,8 @@ CVE-2019-18257 (In Advantech DiagAnywhere Server, Versions 3.07.11 and prior, mu
NOT-FOR-US: Advantech
CVE-2019-18256 (BIOTRONIK CardioMessenger II, The affected products use individual per ...)
NOT-FOR-US: BIOTRONIK CardioMessenge
-CVE-2019-18255
- RESERVED
+CVE-2019-18255 (HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated u ...)
+ TODO: check
CVE-2019-18254 (BIOTRONIK CardioMessenger II, The affected products do not encrypt sen ...)
NOT-FOR-US: BIOTRONIK CardioMessenge
CVE-2019-18253 (An attacker could use specially crafted paths in a specific request to ...)
@@ -7126,8 +7126,8 @@ CVE-2019-18245 (Reliable Controls LicenseManager versions 3.4 and prior may allo
NOT-FOR-US: Reliable Controls LicenseManager
CVE-2019-18244 (In OSIsoft PI System multiple products and versions, a local attacker ...)
NOT-FOR-US: OSIsoft
-CVE-2019-18243
- RESERVED
+CVE-2019-18243 (HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated u ...)
+ TODO: check
CVE-2019-18242 (In Moxa ioLogik 2500 series firmware, Version 3.0 or lower, and IOxpre ...)
NOT-FOR-US: Moxa
CVE-2019-18241 (In Philips IntelliBridge EC40 and EC80, IntelliBridge EC40 Hub all ver ...)
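Review bot: CVE-2019-18243 here and CVE-2019-18255 in the hunk above carry the same truncated "HMI/SCADA iFIX (Versions 6.1 and prior)" description and are both left at TODO: check, while every neighbouring entry for a proprietary ICS or medical product (Advantech, Reliable Controls, OSIsoft, Moxa, BIOTRONIK) is already NOT-FOR-US; unless iFIX turns out to be packaged, both should be resolved with a NOT-FOR-US line in one pass instead of staying open.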
diff --git a/data/CVE/2020.list b/data/CVE/2020.list
index 23aec710ab..b6c490be4f 100644
--- a/data/CVE/2020.list
+++ b/data/CVE/2020.list
@@ -32,8 +32,8 @@ CVE-2020-36235 (Affected versions of Atlassian Jira Server and Data Center allow
NOT-FOR-US: Atlassian
CVE-2020-36234 (Affected versions of Atlassian Jira Server and Data Center allow remot ...)
NOT-FOR-US: Atlassian
-CVE-2020-36233
- RESERVED
+CVE-2020-36233 (The Microsoft Windows Installer for Atlassian Bitbucket Server and Dat ...)
+ TODO: check
CVE-2020-36232
RESERVED
CVE-2020-36231 (Affected versions of Atlassian Jira Server and Data Center allow remot ...)
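Review bot: CVE-2020-36233 describes the Microsoft Windows Installer for Bitbucket Server and Data Center, which cannot map to a Debian package, and the surrounding Jira entries already read NOT-FOR-US: Atlassian; the TODO: check added here can be closed with the same marker. The same applies to the Jira and Confluence RewriteRule entries (CVE-2020-29453, CVE-2020-29448) further down in this file.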
@@ -1574,8 +1574,8 @@ CVE-2020-35579 (tindy2013 subconverter 0.6.4 has a /sub?target=%TARGET%&amp;url=
NOT-FOR-US: tindy2013
CVE-2020-35578 (An issue was discovered in the Manage Plugins page in Nagios XI before ...)
NOT-FOR-US: Nagios XI
-CVE-2020-35577
- RESERVED
+CVE-2020-35577 (In Endalia Selection Portal before 4.205.0, an Insecure Direct Object ...)
+ TODO: check
CVE-2020-35576 (A Command Injection issue in the traceroute feature on TP-Link TL-WR84 ...)
NOT-FOR-US: TP-Link
CVE-2020-35575 (A password-disclosure issue in the web interface on certain TP-Link de ...)
@@ -2737,8 +2737,8 @@ CVE-2020-29666 (In Lan ATMService M3 ATM Monitoring System 6.1.0, due to a direc
NOT-FOR-US: Lan ATMService M3 ATM Monitoring System
CVE-2020-29665
RESERVED
-CVE-2020-29664
- RESERVED
+CVE-2020-29664 (A command injection issue in dji_sys in DJI Mavic 2 Remote Controller ...)
+ TODO: check
CVE-2020-29663 (Icinga 2 v2.8.0 through v2.11.7 and v2.12.2 has an issue where revoked ...)
- icinga2 2.12.3-1
[buster] - icinga2 <no-dsa> (Minor issue)
@@ -3309,8 +3309,8 @@ CVE-2020-29455 (A cross-Site Scripting (XSS) vulnerability in this.showInvalid a
NOT-FOR-US: SmartyStreets liveAddressPlugin.js
CVE-2020-29454 (Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user ...)
NOT-FOR-US: Umbraco CMS
-CVE-2020-29453
- RESERVED
+CVE-2020-29453 (The CachingResourceDownloadRewriteRule class in Jira Server and Jira D ...)
+ TODO: check
CVE-2020-29452
RESERVED
CVE-2020-29451 (Affected versions of Atlassian Jira Server and Data Center allow remot ...)
@@ -3319,8 +3319,8 @@ CVE-2020-29450 (Affected versions of Atlassian Confluence Server and Data Center
NOT-FOR-US: Atlassian
CVE-2020-29449
RESERVED
-CVE-2020-29448
- RESERVED
+CVE-2020-29448 (The ConfluenceResourceDownloadRewriteRule class in Confluence Server a ...)
+ TODO: check
CVE-2020-29447 (Affected versions of Atlassian Crucible allow remote attackers to impa ...)
NOT-FOR-US: Atlassian
CVE-2020-29446 (Affected versions of Atlassian Fisheye &amp; Crucible allow remote att ...)
@@ -5406,16 +5406,16 @@ CVE-2020-28501
CVE-2020-28500 (All versions of package lodash; all versions of package org.fujion.web ...)
- node-lodash <unfixed>
NOTE: https://snyk.io/vuln/SNYK-JS-LODASH-1018905
-CVE-2020-28499
- RESERVED
+CVE-2020-28499 (All versions of package merge are vulnerable to Prototype Pollution vi ...)
+ TODO: check
CVE-2020-28498 (The package elliptic before 6.5.4 are vulnerable to Cryptographic Issu ...)
- node-elliptic <unfixed>
NOTE: https://github.com/indutny/elliptic/commit/441b7428b0e8f6636c42118ad2aaa186d3c34c3f
NOTE: https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md
CVE-2020-28497
RESERVED
-CVE-2020-28496
- RESERVED
+CVE-2020-28496 (This affects the package three before 0.125.0. This can happen when ha ...)
+ TODO: check
CVE-2020-28495 (This affects the package total.js before 3.4.7. The set function can b ...)
NOT-FOR-US: Node total.js
CVE-2020-28494 (This affects the package total.js before 3.4.7. The issue occurs in th ...)
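Review bot: the two new descriptions in this hunk name npm packages (merge for CVE-2020-28499, three for CVE-2020-28496) and stay at TODO: check, whereas the adjacent lodash and elliptic entries have been resolved to node-lodash and node-elliptic with an <unfixed> line and an advisory NOTE; the triage step here is to check whether corresponding node-* source packages exist and, if they do, add the same package line and reference rather than leaving the automatic placeholder, and otherwise mark them NOT-FOR-US as the total.js entries below are.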
@@ -5427,10 +5427,10 @@ CVE-2020-28493 (This affects the package jinja2 from 0.0.0 and before 2.11.3. Th
NOTE: https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994
CVE-2020-28492
REJECTED
-CVE-2020-28491
- RESERVED
-CVE-2020-28490
- RESERVED
+CVE-2020-28491 (This affects the package com.fasterxml.jackson.dataformat:jackson-data ...)
+ TODO: check
+CVE-2020-28490 (The package async-git before 1.13.2 are vulnerable to Command Injectio ...)
+ TODO: check
CVE-2020-28489
RESERVED
CVE-2020-28488
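Review bot: the CVE-2020-28491 description is cut off at "com.fasterxml.jackson.dataformat:jackson-data", so the affected dataformat module cannot be read from this line; triage has to go to the full CVE text, because the individual jackson-dataformat modules are typically separate source packages and only the named one should receive a package line. CVE-2020-28490 (async-git) can follow the NOT-FOR-US pattern used for the djv and total.js entries nearby if it is not packaged.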
@@ -5490,8 +5490,8 @@ CVE-2020-28465
RESERVED
CVE-2020-28464 (This affects the package djv before 2.1.4. By controlling the schema f ...)
NOT-FOR-US: Node djv
-CVE-2020-28463
- RESERVED
+CVE-2020-28463 (All versions of package reportlab are vulnerable to Server-side Reques ...)
+ TODO: check
CVE-2020-28462
RESERVED
CVE-2020-28461
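Review bot: CVE-2020-28463 (server-side request forgery in reportlab) stands out among the TODO entries in this update because reportlab is a library commonly shipped in Debian as python-reportlab; it deserves a prompt check and, if affected, a package line plus a NOTE with the advisory URL in the form the jinja2 entry above uses, rather than remaining at TODO: check. The djv entry directly above is correctly NOT-FOR-US.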
@@ -50824,6 +50824,7 @@ CVE-2020-8627
CVE-2020-8626
RESERVED
CVE-2020-8625 (BIND servers are vulnerable if they are running an affected version an ...)
+ {DSA-4857-1}
- bind9 1:9.16.12-1 (bug #983004)
NOTE: https://kb.isc.org/v1/docs/cve-2020-8625
NOTE: 9.11 branch: https://downloads.isc.org/isc/bind9/9.11.28/patches
@@ -59781,8 +59782,8 @@ CVE-2020-4935
RESERVED
CVE-2020-4934 (IBM Content Navigator 3.0.CD could allow a remote attacker to traverse ...)
NOT-FOR-US: IBM
-CVE-2020-4933
- RESERVED
+CVE-2020-4933 (IBM Jazz Reporting Service 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerabl ...)
+ TODO: check
CVE-2020-4932
RESERVED
CVE-2020-4931
diff --git a/data/CVE/2021.list b/data/CVE/2021.list
index 01891fd431..47f9daa01d 100644
--- a/data/CVE/2021.list
+++ b/data/CVE/2021.list
@@ -1,3 +1,49 @@
+CVE-2021-3413
+ RESERVED
+CVE-2021-3412
+ RESERVED
+CVE-2021-27399
+ RESERVED
+CVE-2021-27398
+ RESERVED
+CVE-2021-27397
+ RESERVED
+CVE-2021-27396
+ RESERVED
+CVE-2021-27395
+ RESERVED
+CVE-2021-27394
+ RESERVED
+CVE-2021-27393
+ RESERVED
+CVE-2021-27392
+ RESERVED
+CVE-2021-27391
+ RESERVED
+CVE-2021-27390
+ RESERVED
+CVE-2021-27389
+ RESERVED
+CVE-2021-27388
+ RESERVED
+CVE-2021-27387
+ RESERVED
+CVE-2021-27386
+ RESERVED
+CVE-2021-27385
+ RESERVED
+CVE-2021-27384
+ RESERVED
+CVE-2021-27383
+ RESERVED
+CVE-2021-27382
+ RESERVED
+CVE-2021-27381
+ RESERVED
+CVE-2021-27380
+ RESERVED
+CVE-2021-27379 (An issue was discovered in Xen through 4.11.x, allowing x86 Intel HVM ...)
+ TODO: check
CVE-2021-27378 (An issue was discovered in the rand_core crate before 0.6.2 for Rust. ...)
- rust-rand-core <unfixed>
NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0023.html
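Review bot: CVE-2021-27379 is the only non-RESERVED id among the 23 new entries in this hunk and names Xen, which is a Debian source package, so TODO: check should be replaced by a xen package line and the matching xenbits advisory NOTE, in the form already used for CVE-2021-26930 further down (NOTE: https://xenbits.xen.org/xsa/advisory-365.html). The 22 RESERVED placeholders (CVE-2021-3413, CVE-2021-3412, CVE-2021-27399 through CVE-2021-27380) need no action until the feed fills them in.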
@@ -85,8 +131,8 @@ CVE-2021-27337
RESERVED
CVE-2021-27336
RESERVED
-CVE-2021-27335
- RESERVED
+CVE-2021-27335 (KollectApps before 4.8.16c is affected by insecure Java deserializatio ...)
+ TODO: check
CVE-2021-27334
RESERVED
CVE-2021-27333
@@ -97,8 +143,8 @@ CVE-2021-27331
RESERVED
CVE-2021-27330
RESERVED
-CVE-2021-27329
- RESERVED
+CVE-2021-27329 (Friendica 2021.01 allows SSRF via parse_url?binurl= for DNS lookups or ...)
+ TODO: check
CVE-2021-27328
RESERVED
CVE-2021-27327
@@ -298,6 +344,7 @@ CVE-2021-27231 (Hestia Control Panel through 1.3.3, in a shared-hosting environm
CVE-2021-27230
RESERVED
CVE-2021-27229 (Mumble before 1.3.4 allows remote code execution if a victim navigates ...)
+ {DLA-2562-1}
- mumble <unfixed> (bug #982904)
NOTE: https://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16bfd648
NOTE: https://github.com/mumble-voip/mumble/pull/4733
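Review bot: the added {DLA-2562-1} marker records the LTS advisory, but the entry still reads "mumble <unfixed> (bug #982904)" and has no [buster] line, so buster's status is left unstated while unstable is still open; if buster is to be handled outside a DSA, add an explicit [buster] annotation in the form used for icinga2 in the 2020 list ("[buster] - icinga2 <no-dsa> (Minor issue)"), otherwise the pending DSA should be noted so the entry is not mistaken for fully resolved.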
@@ -949,6 +996,7 @@ CVE-2021-26930 (An issue was discovered in the Linux kernel 3.11 through 5.10.16
- linux <unfixed>
NOTE: https://xenbits.xen.org/xsa/advisory-365.html
CVE-2021-26929 (An XSS issue was discovered in Horde Groupware Webmail Edition through ...)
+ {DLA-2564-1}
- php-horde-text-filter <unfixed> (bug #982769)
NOTE: https://lists.horde.org/archives/announce/2021/001298.html
NOTE: https://github.com/horde/Text_Filter/commit/c26f938854c36b981558a3b1b9b2f81403cff60e (master)
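Review bot: {DLA-2564-1} is added while php-horde-text-filter is still "<unfixed> (bug #982769)" and no [buster] line exists, so the stable status is unstated here too; the fixing upstream commit is already identified by the NOTE (c26f938854c36b981558a3b1b9b2f81403cff60e on master), so the remaining work is the unstable upload and an explicit buster decision, and the DLA marker alone should not be read as closing the entry.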
@@ -2988,8 +3036,8 @@ CVE-2021-26070
RESERVED
CVE-2021-26069
RESERVED
-CVE-2021-26068
- RESERVED
+CVE-2021-26068 (An endpoint in Atlassian Jira Server for Slack plugin from version 0.0 ...)
+ TODO: check
CVE-2021-26067 (Affected versions of Atlassian Bamboo allow an unauthenticated remote ...)
NOT-FOR-US: Atlassian
CVE-2021-26066
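Review bot: CVE-2021-26068 concerns the Atlassian Jira Server for Slack plugin; the Bamboo entry directly below is NOT-FOR-US: Atlassian, and this one should get the same marker instead of TODO: check, consistent with every other Atlassian entry in this update.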
@@ -3319,7 +3367,7 @@ CVE-2021-25915
RESERVED
CVE-2021-25914
RESERVED
-CVE-2021-25913 (Prototype pollution vulnerability in &#8216;set-or-get&#8217; version ...)
+CVE-2021-25913 (Prototype pollution vulnerability in 'set-or-get' version 1.0.0 throug ...)
NOT-FOR-US: Node set-or-get
CVE-2021-25912 (Prototype pollution vulnerability in 'dotty' versions 0.0.1 through 0. ...)
NOT-FOR-US: Node dotty
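Review bot: the only change in this hunk is the description text, where the HTML entities &#8216; and &#8217; around set-or-get are replaced by plain ASCII quotes; the NOT-FOR-US status is untouched and the new form matches the dotty entry directly below, so this is a harmless feed normalisation and needs no follow-up.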
@@ -7915,13 +7963,13 @@ CVE-2021-23843
CVE-2021-23842
RESERVED
CVE-2021-23841 (The OpenSSL public API function X509_issuer_and_serial_hash() attempts ...)
- {DSA-4855-1}
+ {DSA-4855-1 DLA-2565-1 DLA-2563-1}
- openssl 1.1.1j-1
- openssl1.0 <removed>
NOTE: https://www.openssl.org/news/secadv/20210216.txt
NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=122a19ab48091c657f7cb1fb3af9fc07bd557bbf (OpenSSL_1_1_1j)
CVE-2021-23840 (Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may ...)
- {DSA-4855-1}
+ {DSA-4855-1 DLA-2565-1 DLA-2563-1}
- openssl 1.1.1j-1
- openssl1.0 <removed>
NOTE: https://www.openssl.org/news/secadv/20210216.txt
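Review bot: two DLA ids (DLA-2565-1, DLA-2563-1) are added to each of CVE-2021-23841 and CVE-2021-23840 while two source packages are listed (openssl 1.1.1j-1 and openssl1.0 <removed>); the marker line does not say which DLA covers which source package, which is worth confirming against the advisories, since openssl1.0 is removed from unstable and only its LTS advisory applies to it. The shared secadv NOTE and the 1.1.1j commit reference on the first entry are consistent with the unstable version given.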
@@ -8967,10 +9015,10 @@ CVE-2021-23343
RESERVED
CVE-2021-23342
RESERVED
-CVE-2021-23341
- RESERVED
-CVE-2021-23340
- RESERVED
+CVE-2021-23341 (The package prismjs before 1.23.0 are vulnerable to Regular Expression ...)
+ TODO: check
+CVE-2021-23340 (This affects the package pimcore/pimcore before 6.8.8. A Local FIle In ...)
+ TODO: check
CVE-2021-23339 (This affects all versions of package com.typesafe.akka:akka-http-core. ...)
TODO: check
CVE-2021-23338 (This affects all versions of package qlib. The workflow function in cl ...)
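Review bot: CVE-2021-23341 describes a regular expression denial of service in prismjs, a library that is likely packaged (node-prismjs), so it needs a real check rather than the automatic TODO; CVE-2021-23340 (pimcore/pimcore, a PHP application) can be triaged NOT-FOR-US like the total.js entries in the 2020 list if it is not in the archive. The neighbouring akka-http-core entry already sits at TODO: check, so the hunk is at least internally consistent; the "FIle" capitalisation comes from the CVE feed text and should not be hand-edited.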
@@ -13093,8 +13141,8 @@ CVE-2021-21320
RESERVED
CVE-2021-21319
RESERVED
-CVE-2021-21318
- RESERVED
+CVE-2021-21318 (Opencast is a free, open-source platform to support the management of ...)
+ TODO: check
CVE-2021-21317 (uap-core in an open-source npm package which contains the core of Brow ...)
NOT-FOR-US: Node uap-core
CVE-2021-21316 (less-openui5 is an npm package which enables building OpenUI5 themes w ...)
@@ -14984,14 +15032,14 @@ CVE-2021-20448
RESERVED
CVE-2021-20447
RESERVED
-CVE-2021-20446
- RESERVED
-CVE-2021-20445
- RESERVED
-CVE-2021-20444
- RESERVED
-CVE-2021-20443
- RESERVED
+CVE-2021-20446 (IBM Maximo for Civil Infrastructure 7.6.2 is vulnerable to cross-site ...)
+ TODO: check
+CVE-2021-20445 (IBM Maximo for Civil Infrastructure 7.6.2 could allow a user to obtain ...)
+ TODO: check
+CVE-2021-20444 (IBM Maximo for Civil Infrastructure 7.6.2 is vulnerable to cross-site ...)
+ TODO: check
+CVE-2021-20443 (IBM Maximo for Civil Infrastructure 7.6.2 includes executable function ...)
+ TODO: check
CVE-2021-20442
RESERVED
CVE-2021-20441
@@ -15168,8 +15216,8 @@ CVE-2021-20356
RESERVED
CVE-2021-20355
RESERVED
-CVE-2021-20354
- RESERVED
+CVE-2021-20354 (IBM WebSphere Application Server 8.0, 8.5, and 9.0 could allow a remot ...)
+ TODO: check
CVE-2021-20353 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable ...)
NOT-FOR-US: IBM
CVE-2021-20352
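Review bot: CVE-2021-20354 (IBM WebSphere Application Server) and the four IBM Maximo for Civil Infrastructure ids in the previous hunk (CVE-2021-20443 through CVE-2021-20446) are all left at TODO: check although the adjacent CVE-2021-20353 already reads NOT-FOR-US: IBM; proprietary IBM products are marked NOT-FOR-US throughout these lists (see also CVE-2020-4934 in the 2020 list), so these five can be closed the same way in one pass.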
