Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
28f804c1 by Moritz Muehlenhoff at 2021-01-06T11:49:58+01:00
new rust-kamadak-exif (might not affect stale Debian versions)
new golang-github-tidwall-gjson issues
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1109,7 +1109,7 @@ CVE-2021-22160
 CVE-2020-36159 (Veritas Desktop and Laptop Option (DLO) before 9.5 disclosed 
operation ...)
        NOT-FOR-US: Veritas
 CVE-2021-3019 (ffay lanproxy 0.1 allows Directory Traversal to read 
/../conf/config.p ...)
-       TODO: check
+       NOT-FOR-US: ffay lanproxy
 CVE-2021-3018 (ipeak Infosystems ibexwebCMS (aka IPeakCMS) 3.5 is vulnerable 
to an un ...)
        NOT-FOR-US: ipeak Infosystems ibexwebCMS (aka IPeakCMS)
 CVE-2021-3017
@@ -2644,9 +2644,13 @@ CVE-2020-36069
 CVE-2020-36068
        RESERVED
 CVE-2020-36067 (GJSON <=v1.6.5 allows attackers to cause a denial of 
service (panic ...)
-       TODO: check
+       - golang-github-tidwall-gjson <unfixed>
+       NOTE: https://github.com/tidwall/gjson/issues/196
+       NOTE: 
https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b
 CVE-2020-36066 (GJSON &lt;1.6.5 allows attackers to cause a denial of service 
(remote) ...)
-       TODO: check
+       - golang-github-tidwall-gjson <unfixed>
+       NOTE: https://github.com/tidwall/gjson/issues/195
+       NOTE: 
https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc
 CVE-2020-36065
        RESERVED
 CVE-2020-36064
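Review bot: the fix referenced for CVE-2020-36066 (second NOTE line, https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc) lives in the tidwall/match repository rather than in gjson, so a bare `golang-github-tidwall-gjson <unfixed>` is only half the picture: gjson is fixed only once it depends on a match release that carries that commit, and if match is packaged separately in Debian it needs its own entry under this CVE. Suggest recording the gjson release that pulls in the fixed match (the description says `<1.6.5`, so presumably 1.6.5) and, for CVE-2020-36067 (`<=v1.6.5`), the first fixed gjson release, so the `<unfixed>` markers can later be replaced with concrete versions. Neither entry carries a Debian bug reference either; an `(bug #...)` pointer on the package line is the usual way to get the maintainer's attention for an open issue.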
@@ -2674,9 +2678,9 @@ CVE-2020-36054
 CVE-2020-36053
        RESERVED
 CVE-2020-36052 (Directory traversal vulnerability in post-edit.php in MiniCMS 
V1.10 al ...)
-       TODO: check
+       NOT-FOR-US: MiniCMS
 CVE-2020-36051 (Directory traversal vulnerability in page_edit.php in MiniCMS 
V1.10 al ...)
-       TODO: check
+       NOT-FOR-US: MiniCMS
 CVE-2020-36050
        RESERVED
 CVE-2020-36049
@@ -2848,7 +2852,7 @@ CVE-2020-35967
 CVE-2020-35966
        RESERVED
 CVE-2021-3007 (** DISPUTED ** Laminas Project laminas-http before 2.14.2, and 
Zend Fr ...)
-       TODO: check
+       NOT-FOR-US: laminas-http
 CVE-2021-21495 (MK-AUTH through 19.01 K4.9 allows CSRF for password changes 
via the ce ...)
        NOT-FOR-US: MK-AUTH
 CVE-2021-21494 (MK-AUTH through 19.01 K4.9 allows XSS via the 
admin/logs_ajax.php tipo ...)
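Review bot: the NOT-FOR-US for CVE-2021-3007 should be double-checked against the full description, which after "laminas-http before 2.14.2, and Zend Fr..." (truncated here) presumably also names Zend Framework, the project laminas-http was forked from; if any Debian suite still ships the affected Zend\Http code via a Zend Framework package, the entry needs a package line instead. Since the description carries a "** DISPUTED **" marker, a short NOTE line summarising why it is disputed would preserve that context, which NOT-FOR-US alone loses.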
@@ -2863,7 +2867,7 @@ CVE-2020-35964 (track_header in libavformat/vividas.c in 
FFmpeg 4.3.1 has an out
        NOTE: 
https://github.com/FFmpeg/FFmpeg/commit/27a99e2c7d450fef15594671eef4465c8a166bd7
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26622
 CVE-2020-35963 (flb_gzip_compress in flb_gzip.c in Fluent Bit before 1.6.4 has 
an out- ...)
-       TODO: check
+       NOT-FOR-US: Fluent Bit
 CVE-2021-3006 (The breed function in the smart contract implementation for 
Farm in Se ...)
        NOT-FOR-US: Farm in Seal Finance (Seal) Ethereum token
 CVE-2021-3005 (MK-AUTH through 19.01 K4.9 allows remote attackers to obtain 
sensitive ...)
@@ -4153,9 +4157,10 @@ CVE-2021-21237
 CVE-2021-21236
        RESERVED
 CVE-2021-21235 (kamadak-exif is an exif parsing library written in pure Rust. 
In kamad ...)
-       TODO: check
+       - rust-kamadak-exif <unfixed>
+       NOTE: 
https://github.com/kamadak/exif-rs/security/advisories/GHSA-px9g-8hgv-jvg2
 CVE-2021-21234 (spring-boot-actuator-logview in a library that adds a simple 
logfile v ...)
-       TODO: check
+       NOT-FOR-US: Spring actuator logview
 CVE-2020-35627 (Ultimate WooCommerce Gift Cards 3.0.2 is affected by a file 
upload vul ...)
        NOT-FOR-US: Ultimate WooCommerce Gift Cards
 CVE-2021-21233
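Review bot: the new `rust-kamadak-exif <unfixed>` line is at odds with the commit message's own caveat that the issue "might not affect stale Debian versions"; the linked advisory (GHSA-px9g-8hgv-jvg2) gives the affected version range, so the entry should either record the first fixed upstream version and compare it against the archive version, or mark the package `<not-affected>` with a NOTE explaining why, rather than leaving a bare `<unfixed>` that will show as an open issue in every suite. A Debian bug reference on the package line would also help. For CVE-2021-21234 the label "Spring actuator logview" does not match the name used in the description ("spring-boot-actuator-logview"); using the upstream name verbatim keeps the file greppable.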
@@ -6965,7 +6970,7 @@ CVE-2021-20002
 CVE-2021-20001
        RESERVED
 CVE-2020-35488 (The fileop module of the NXLog service in NXLog Community 
Edition 2.10 ...)
-       TODO: check
+       NOT-FOR-US: NXLog
 CVE-2020-35487
        RESERVED
 CVE-2020-35486
@@ -10142,7 +10147,7 @@ CVE-2020-29439 (Tesla Model X vehicles before 
2020-11-23 have key fobs that rely
 CVE-2020-29438 (Tesla Model X vehicles before 2020-11-23 have key fobs that 
accept fir ...)
        NOT-FOR-US: Tesla Model X vehicles
 CVE-2020-29437 (SQL injection in the Buzz module of OrangeHRM through 4.6 
allows remot ...)
-       TODO: check
+       NOT-FOR-US: OrangeHRM
 CVE-2020-29436 (Sonatype Nexus Repository Manager 3.x before 3.29.0 allows a 
user with ...)
        NOT-FOR-US: Sonatype Nexus Repository Manager
 CVE-2020-29435
@@ -13420,7 +13425,7 @@ CVE-2020-28466
 CVE-2020-28465
        RESERVED
 CVE-2020-28464 (This affects the package djv before 2.1.4. By controlling the 
schema f ...)
-       TODO: check
+       NOT-FOR-US: Node djv
 CVE-2020-28463
        RESERVED
 CVE-2020-28462
@@ -20590,17 +20595,17 @@ CVE-2020-26299
 CVE-2020-26298
        RESERVED
 CVE-2020-26297 (mdBook is a utility to create modern online books from 
Markdown files  ...)
-       TODO: check
+       NOT-FOR-US: mdBook
 CVE-2020-26296 (Vega is a visualization grammar, a declarative format for 
creating, sa ...)
        NOT-FOR-US: Node vega
 CVE-2020-26295
        RESERVED
 CVE-2020-26294 (Vela is a Pipeline Automation (CI/CD) framework built on Linux 
contain ...)
-       TODO: check
+       NOT-FOR-US: Vela
 CVE-2020-26293 (HtmlSanitizer is a .NET library for cleaning HTML fragments 
and docume ...)
-       TODO: check
+       NOT-FOR-US: HtmlSanitizer
 CVE-2020-26292 (Creeper is an experimental dynamic, interpreted language. The 
binary r ...)
-       TODO: check
+       NOT-FOR-US: Creeper
 CVE-2020-26291 (URI.js is a javascript URL mutation library (npm package 
urijs). In UR ...)
        NOT-FOR-US: Node urijs
 CVE-2020-26290 (Dex is a federated OpenID Connect provider written in Go. In 
Dex befor ...)
@@ -27409,9 +27414,9 @@ CVE-2020-23252
 CVE-2020-23251
        RESERVED
 CVE-2020-23250 (GigaVUE-OS (GVOS) 5.4 - 5.9 uses a weak algorithm for a hash 
stored in ...)
-       TODO: check
+       NOT-FOR-US: GigaVUE-OS
 CVE-2020-23249 (GigaVUE-OS (GVOS) 5.4 - 5.9 stores a Redis database password 
in plaint ...)
-       TODO: check
+       NOT-FOR-US: GigaVUE-OS
 CVE-2020-23248
        RESERVED
 CVE-2020-23247
@@ -28809,7 +28814,7 @@ CVE-2020-22552 (The Snap7 server component in version 
1.4.1, when an attacker se
 CVE-2020-22551
        RESERVED
 CVE-2020-22550 (Veno File Manager 3.5.6 is affected by a directory traversal 
vulnerabi ...)
-       TODO: check
+       NOT-FOR-US: Veno File Manager
 CVE-2020-22549
        RESERVED
 CVE-2020-22548
@@ -49218,9 +49223,9 @@ CVE-2020-13542 (A local privilege elevation 
vulnerability exists in the file sys
 CVE-2020-13541 (An exploitable local privilege elevation vulnerability exists 
in the f ...)
        NOT-FOR-US: Mobile-911 Server
 CVE-2020-13540 (An exploitable local privilege elevation vulnerability exists 
in the f ...)
-       TODO: check
+       NOT-FOR-US: Win-911 Enterprise
 CVE-2020-13539 (An exploitable local privilege elevation vulnerability exists 
in the f ...)
-       TODO: check
+       NOT-FOR-US: Win-911 Enterprise
 CVE-2020-13538
        RESERVED
 CVE-2020-13537 (An exploitable local privilege elevation vulnerability exists 
in the f ...)
@@ -61247,9 +61252,9 @@ CVE-2020-9422
 CVE-2020-9421
        RESERVED
 CVE-2019-20484 (An issue was discovered in Viki Vera 4.9.1.26180. A user 
without acces ...)
-       TODO: check
+       NOT-FOR-US: Viki Vera
 CVE-2019-20483 (An issue was discovered in Viki Vera 4.9.1.26180. An attacker 
could se ...)
-       TODO: check
+       NOT-FOR-US: Viki Vera
 CVE-2020-9420
        RESERVED
 CVE-2020-9419
@@ -65490,7 +65495,7 @@ CVE-2020-7773 (This affects the package 
markdown-it-highlightjs before 3.3.1. It
 CVE-2020-7772 (This affects the package doc-path before 2.1.2. ...)
        NOT-FOR-US: Node doc-path
 CVE-2020-7771 (The package asciitable.js before 1.0.3 are vulnerable to 
Prototype Pol ...)
-       TODO: check
+       NOT-FOR-US: Node asciitable.js
 CVE-2020-7770 (This affects the package json8 before 1.0.3. The function adds 
in the  ...)
        NOT-FOR-US: Node json8
 CVE-2020-7769 (This affects the package nodemailer before 6.4.16. Use of 
crafted reci ...)
@@ -66453,7 +66458,7 @@ CVE-2020-7338
 CVE-2020-7337 (Incorrect Permission Assignment for Critical Resource 
vulnerability in ...)
        NOT-FOR-US: McAfee
 CVE-2020-7336 (Cross Site Request Forgery vulnerability in McAfee Network 
Security Ma ...)
-       TODO: check
+       NOT-FOR-US: McAfee
 CVE-2020-7335 (Privilege Escalation vulnerability in Microsoft Windows client 
McAfee  ...)
        NOT-FOR-US: McAfee
 CVE-2020-7334 (Improper privilege assignment vulnerability in the installer 
McAfee Ap ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28f804c16393a61f36b5554e6eef5c25aff87988



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
