Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
9f81a8b8 by Moritz Muehlenhoff at 2020-02-20T13:22:12+01:00
NFUs, unimportant ruamel.yaml and kfreebsd issues
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -69,7 +69,10 @@ CVE-2020-9273
CVE-2020-9272
RESERVED
CVE-2019-20478 (In ruamel.yaml through 0.16.7, the load method allows remote
code exec ...)
- TODO: check
+ - ruamel.yaml <unfixed> (unimportant)
+ NOTE: This is a well-known design deficiency in pyyaml (of which
ruamel.yaml is derived),
+ NOTE: various CVE IDs have been assigned to applications misusing the
API over the years.
+ NOTE: pyyaml 5.1 changed the default hebaviour
CVE-2019-20477 (PyYAML 5.1 through 5.1.2 has insufficient restrictions on the
load and ...)
- pyyaml <unfixed> (unimportant)
NOTE: CVE exists due to an incomplete fix for CVE-2017-18342.
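Review bot: the three NOTE lines added under CVE-2019-20478 read as one sentence split across entries, with a trailing comma after "derived)" and no terminating sentence, and "hebaviour" is a typo; suggest making each NOTE self-contained, e.g. "NOTE: This is a well-known design deficiency in pyyaml (from which ruamel.yaml is derived)." and "NOTE: pyyaml 5.1 changed the default behaviour." The rating justification also only describes what pyyaml 5.1 did, while the package being rated unimportant is ruamel.yaml; a short statement of what ruamel.yaml itself does with the default loader would make the "unimportant" rating stand on its own, as the adjacent CVE-2019-20477 entry does for pyyaml.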
@@ -1909,7 +1912,7 @@ CVE-2020-8443 (In OSSEC-HIDS 2.7 through 3.5.0, the
server component responsible
CVE-2020-8442 (In OSSEC-HIDS 2.7 through 3.5.0, the server component
responsible for ...)
- ossec-hids <itp> (bug #361954)
CVE-2020-8441 (JYaml through 1.3 allows remote code execution during
deserialization ...)
- TODO: check
+ NOT-FOR-US: JYaml
CVE-2020-8440 (controllers/page_apply.php in Simplejobscript.com SJS through
1.66 is ...)
NOT-FOR-US: Simplejobscript.com SJS
CVE-2020-8439
@@ -4128,7 +4131,7 @@ CVE-2020-7452
CVE-2020-7451
RESERVED
CVE-2020-7450 (In FreeBSD 12.1-STABLE before r357213, 12.1-RELEASE before
12.1-RELEAS ...)
- TODO: check
+ NOT-FOR-US: FreeBSD
CVE-2020-7449
RESERVED
CVE-2020-7448
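Review bot: CVE-2020-7450 is marked "NOT-FOR-US: FreeBSD", but the other FreeBSD kernel advisories in this same commit (CVE-2019-15875, CVE-2019-5613) are tracked against kfreebsd-10 with an explicit <unfixed> or <not-affected> state; if this issue is also in code shipped by kfreebsd-10, it should get a kfreebsd-10 entry, and if it is not (e.g. the affected subsystem does not exist in the Debian kernel), a NOTE giving that reason would keep the handling consistent across the three entries.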
@@ -4637,7 +4640,7 @@ CVE-2020-7218 (HashiCorp Nomad and Nomad Enterprise
before 0.10.3 allow unbounde
- nomad 0.10.3+dfsg1-1
NOTE: https://github.com/hashicorp/nomad/issues/7002
CVE-2020-7217 (An ni_dhcp4_fsm_process_dhcp4_packet memory leak in openSUSE
wicked 0. ...)
- TODO: check
+ NOT-FOR-US: openSUSE wicked
CVE-2020-7216 (An ni_dhcp4_parse_response memory leak in openSUSE wicked
0.6.55 and e ...)
NOT-FOR-US: openSUSE wicked
CVE-2020-7215 (An issue was discovered in Gallagher Command Centre 7.x before
7.90.99 ...)
@@ -13060,7 +13063,7 @@ CVE-2019-19880 (exprListAppendList in window.c in
SQLite 3.30.1 allows attackers
NOTE:
https://github.com/sqlite/sqlite/commit/8428b3b437569338a9d1e10c4cd8154acbe33089
NOTE: to not open CVE-2019-19926.
CVE-2019-19879 (HashiCorp Sentinel up to 0.10.1 incorrectly parsed negation in
certain ...)
- TODO: check
+ NOT-FOR-US: HashiCorp Sentinel (different from Redis Sentinel)
CVE-2019-19878
RESERVED
CVE-2019-19877
@@ -17588,7 +17591,7 @@ CVE-2020-1979
CVE-2020-1978
RESERVED
CVE-2020-1977 (Insufficient Cross-Site Request Forgery (XSRF) protection on
Expeditio ...)
- TODO: check
+ NOT-FOR-US: Palo Alto
CVE-2020-1976 (A denial-of-service (DoS) vulnerability in Palo Alto Networks
GlobalPr ...)
NOT-FOR-US: Palo Alto Networks GlobalProtect software
CVE-2020-1975 (Missing XML validation vulnerability in the PAN-OS web
interface on Pa ...)
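Review bot: the new "NOT-FOR-US: Palo Alto" for CVE-2020-1977 is less specific than the neighbouring CVE-2020-1976 entry, which names the affected product ("NOT-FOR-US: Palo Alto Networks GlobalProtect software"); suggest naming the product from the CVE description here as well so the two entries follow the same convention.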
@@ -23233,15 +23236,15 @@ CVE-2020-0566
CVE-2020-0565
RESERVED
CVE-2020-0564 (Improper permissions in the installer for Intel(R) RWC3 for
Windows be ...)
- TODO: check
+ NOT-FOR-US: Intel
CVE-2020-0563 (Improper permissions in the installer for Intel(R) MPSS before
version ...)
- TODO: check
+ NOT-FOR-US: Intel
CVE-2020-0562 (Improper permissions in the installer for Intel(R) RWC2, all
versions, ...)
- TODO: check
+ NOT-FOR-US: Intel
CVE-2020-0561 (Improper initialization in the Intel(R) SGX SDK before
v2.6.100.1 may ...)
- TODO: check
+ NOT-FOR-US: Intel
CVE-2020-0560 (Improper permissions in the installer for the Intel(R) Renesas
Electro ...)
- TODO: check
+ NOT-FOR-US: Intel
CVE-2020-0559
RESERVED
CVE-2020-0558
@@ -31456,7 +31459,8 @@ CVE-2019-15877
CVE-2019-15876
RESERVED
CVE-2019-15875 (In FreeBSD 12.1-STABLE before r354734, 12.1-RELEASE before
12.1-RELEAS ...)
- TODO: check
+ - kfreebsd-10 <unfixed> (unimportant)
+ NOTE:
https://www.freebsd.org/security/advisories/FreeBSD-SA-20:03.thrmisc.asc
CVE-2019-15874
RESERVED
CVE-2019-15873 (The profilegrid-user-profiles-groups-and-communities plugin
before 2.8 ...)
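Review bot: the "kfreebsd-10 <unfixed> (unimportant)" added for CVE-2019-15875 gives no rationale for the unimportant rating, whereas the CVE-2019-5613 entry in this commit states its reason in the parenthetical; a short reason here (or a NOTE line next to the advisory URL) would let a later reader verify the rating without re-reading the FreeBSD-SA-20:03 advisory.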
@@ -62726,7 +62730,8 @@ CVE-2019-5615 (Users with Site-level permissions can
access files containing the
CVE-2019-5614
RESERVED
CVE-2019-5613 (In FreeBSD 12.0-RELEASE before 12.0-RELEASE-p13, a missing
check in th ...)
- TODO: check
+ - kfreebsd-10 <not-affected> (Only affects kfreebsd 12)
+ NOTE:
https://www.freebsd.org/security/advisories/FreeBSD-SA-20:02.ipsec.asc
CVE-2019-5612 (In FreeBSD 12.0-STABLE before r351264, 12.0-RELEASE before
12.0-RELEAS ...)
- kfreebsd-10 <unfixed> (unimportant)
NOTE:
https://www.freebsd.org/security/advisories/FreeBSD-SA-19:23.midi.asc
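Review bot: the reason text "(Only affects kfreebsd 12)" on the CVE-2019-5613 entry mixes the Debian package name with an upstream version; the description says "In FreeBSD 12.0-RELEASE before 12.0-RELEASE-p13", so "(Only affects FreeBSD 12)" states the not-affected rationale accurately and avoids implying a kfreebsd-12 package exists.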
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9f81a8b8e5f57bfac0e3d994c841ab975cb716c0
--
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits