Log

AVG-2037 edited at 07 Jun 2021 21:45:32
Status
- Vulnerable
+ Fixed
Fixed
+ 3.4.6-1
AVG-2033 edited at 07 Jun 2021 19:25:03
Issues
CVE-2020-24586
CVE-2020-24587
CVE-2020-24588
CVE-2020-26139
CVE-2020-26141
CVE-2020-26145
CVE-2020-26147
CVE-2021-32606
+ CVE-2021-33200
Status
- Vulnerable
+ Fixed
Fixed
+ 5.12.9.hardened1-1
AVG-2009 deleted at 07 Jun 2021 19:24:48
Packages
- linux-hardened
Issues
- CVE-2021-33200
Status
- Vulnerable
Severity
- Medium
Affected
- 5.12.7.hardened1-1
Fixed
Ticket
Advisory qualified
- Yes
References
Notes
AVG-1881 edited at 07 Jun 2021 19:24:07
Affected
- 5.12.7.hardened1-1
+ 5.12.9.hardened1-1
AVG-2043 edited at 07 Jun 2021 19:22:35
Severity
- Unknown
+ Medium
CVE-2021-33896 edited at 07 Jun 2021 19:22:35
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Directory traversal
Description
+ It was discovered that when a user receives and downloads a file in Dino before version 0.2.1, URI-encoded path separators in the file name will be decoded, allowing an attacker to traverse directories and create arbitrary files in the context of the user.
+
+ This vulnerability does not allow overwriting or modifying existing files, and the attacker cannot control the executable flag of created files. However, third-party software may be affected by newly created configuration files, potentially allowing for code execution.
+
+ The file name, including path separators, is displayed to the user; however, long file names are ellipsized in the middle of the file name, allowing the attacker to hide the malicious path separators, as long as the resulting file name has sufficient length.
References
+ https://dino.im/security/cve-2021-33896/
+ https://github.com/dino/dino/commit/1eaad1ccfbd00c6e76650535496531c172453994
Notes
AVG-2043 created at 07 Jun 2021 19:20:32
Packages
+ dino
Issues
+ CVE-2021-33896
Status
+ Vulnerable
Severity
+ Unknown
Affected
+ 0.2.0-3
Fixed
Ticket
Advisory qualified
+ Yes
References
Notes
CVE-2021-33896 created at 07 Jun 2021 19:20:32
AVG-1003 edited at 07 Jun 2021 17:47:14
Status
- Testing
+ Fixed
AVG-2042 edited at 07 Jun 2021 15:17:45
Status
- Vulnerable
+ Fixed
Fixed
+ 1.4.2-1
CVE-2021-3578 edited at 07 Jun 2021 14:58:16
References
- https://www.openwall.com/lists/oss-security/2021/06/07/1
+ https://sourceforge.net/p/isync/mailman/message/37297759/
https://sourceforge.net/p/isync/isync/ci/589d2ed4283130108df5495b5510d822282e1300/
AVG-2042 edited at 07 Jun 2021 14:56:56
Severity
- Unknown
+ Medium
CVE-2021-3578 edited at 07 Jun 2021 14:56:56
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Arbitrary code execution
Description
+ A security issue was found in mbsync before version 1.4.2, where an unchecked pointer cast allows a malicious or compromised server to write an arbitrary integer value past the end of a heap-allocated structure by issuing an unexpected APPENDUID response. This could plausibly be exploited for remote code execution on the client.
References
+ https://www.openwall.com/lists/oss-security/2021/06/07/1
+ https://sourceforge.net/p/isync/isync/ci/589d2ed4283130108df5495b5510d822282e1300/
Notes