Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
fcf7d792 by Salvatore Bonaccorso at 2020-02-28T22:36:31+01:00
Process NFUs
- - - - -
b193521e by Salvatore Bonaccorso at 2020-02-28T22:36:32+01:00
Add CVE-2019-10785/dojo
- - - - -
085ddc5a by Salvatore Bonaccorso at 2020-02-28T22:36:33+01:00
Add CVE-2016-4606/curl
- - - - -
55599938 by Salvatore Bonaccorso at 2020-02-28T22:36:34+01:00
Add CVE-2013-6022/tikiwiki
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -33,7 +33,7 @@ CVE-2020-9449
CVE-2020-9448
RESERVED
CVE-2020-9447 (The file-upload feature in GwtUpload 1.0.3 allows XSS via a
crafted fi ...)
- TODO: check
+ NOT-FOR-US: GwtUpload
CVE-2020-9446
RESERVED
CVE-2018-21035
@@ -18807,7 +18807,7 @@ CVE-2020-1846
CVE-2020-1845
RESERVED
CVE-2020-1844 (PCManager with versions earlier than 10.0.5.51 have a privilege
escala ...)
- TODO: check
+ NOT-FOR-US: Huawei
CVE-2020-1843 (Huawei HEGE-560 version 1.0.1.20(SP2), OSCA-550 version
1.0.0.71(SP1), ...)
NOT-FOR-US: Huawei
CVE-2020-1842 (Huawei HEGE-560 version 1.0.1.20(SP2); OSCA-550 and OSCA-550A
version ...)
@@ -48523,21 +48523,24 @@ CVE-2019-10790 (taffy through 2.6.2 allows attackers
to forge adding additional
CVE-2019-10789 (All versions of curling.js are vulnerable to Command Injection
via the ...)
NOT-FOR-US: curling.js
CVE-2019-10788 (im-metadata through 3.0.1 allows remote attackers to execute
arbitrary ...)
- TODO: check
+ NOT-FOR-US: im-metadata node module
CVE-2019-10787 (im-resize through 2.3.2 allows remote attackers to execute
arbitrary c ...)
- TODO: check
+ NOT-FOR-US: im-resize node module
CVE-2019-10786 (network-manager through 1.0.2 allows remote attackers to
execute arbit ...)
NOT-FOR-US: network-manager node module
CVE-2019-10785 (dojox is vulnerable to Cross-site Scripting in all versions
before ver ...)
- TODO: check
+ - dojo <unfixed>
+ NOTE:
https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
+ NOTE: https://snyk.io/vuln/SNYK-JS-DOJOX-548257
+ NOTE: https://github.com/dojo/dojox/pull/315
CVE-2019-10784 (phppgadmin through 7.12.1 allows sensitive actions to be
performed wit ...)
- phppgadmin <unfixed>
NOTE: https://snyk.io/vuln/SNYK-PHP-PHPPGADMINPHPPGADMIN-543885
NOTE: https://github.com/phppgadmin/phppgadmin/issues/94
CVE-2019-10783 (All versions including 0.0.4 of lsof npm module are vulnerable
to Comm ...)
- TODO: check
+ NOT-FOR-US: lsof node module
CVE-2019-10781 (In schema-inspector before 1.6.9, a maliciously crafted
JavaScript obj ...)
- TODO: check
+ NOT-FOR-US: schema-inspector node module
CVE-2019-10780 (BibTeX-ruby before 5.1.0 allows shell command injection due to
unsanit ...)
NOT-FOR-US: BibTeX-ruby
CVE-2019-10779 (All versions of stroom:stroom-app before 5.5.12 and all
versions of th ...)
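Review bot: the `+ - dojo <unfixed>` line carries no `bug #` reference and no fixed version, although the three NOTE: lines already cite the upstream advisory and the fix pull request (dojo/dojox pull 315); once upstream tags a release containing that fix, record the fixed version, and add the BTS bug number if one has been filed so the unfixed state is tracked. Two smaller points: the description names dojox while the entry maps to the `dojo` source package, so a short NOTE: stating that `dojo` ships dojox would save the next reader a lookup; and the first `+ NOTE:` appears here split across two lines with the URL on its own line, which should be a single line in the committed file if this is not just mail wrapping.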
@@ -55321,7 +55324,7 @@ CVE-2019-8743 (Multiple memory corruption issues were
addressed with improved me
CVE-2019-8742 (The issue was addressed by restricting options offered on a
locked dev ...)
NOT-FOR-US: Apple
CVE-2019-8741 (A denial of service issue was addressed with improved input
validation ...)
- TODO: check
+ NOT-FOR-US: Apple
CVE-2019-8740
RESERVED
CVE-2019-8739 (A memory corruption issue was addressed with improved state
management ...)
@@ -107461,9 +107464,9 @@ CVE-2018-8880 (Lutron Quantum BACnet Integration 2.0
(firmware 3.2.243) doesn't
CVE-2018-8879 (Stack-based buffer overflow in Asuswrt-Merlin firmware for ASUS
device ...)
NOT-FOR-US: ASUS
CVE-2018-8878 (Information disclosure in Asuswrt-Merlin firmware for ASUS
devices old ...)
- TODO: check
+ NOT-FOR-US: ASUS
CVE-2018-8877 (Information disclosure in Asuswrt-Merlin firmware for ASUS
devices old ...)
- TODO: check
+ NOT-FOR-US: ASUS
CVE-2018-8876 (In 2345 Security Guard 3.6, the driver file (2345Wrath.sys)
allows loc ...)
NOT-FOR-US: 2345 Security Guard
CVE-2018-8875 (In 2345 Security Guard 3.6, the driver file (2345Wrath.sys)
allows loc ...)
@@ -200766,7 +200769,7 @@ CVE-2016-4607 (libxslt in Apple iOS before 9.3.3, OS
X before 10.11.6, iTunes be
NOTE: Apple still does not provide information on this CVE, although it
is
NOTE: possible that it's fixed in 1.1.29 upstream.
CVE-2016-4606 (Curl before 7.49.1 in Apple OS X before macOS Sierra prior to
10.12 al ...)
- TODO: check
+ - curl <not-affected> (Only applies to Curl on Mac OS)
CVE-2016-4605 (Calendar in Apple iOS before 9.3.3 allows remote attackers to
cause a ...)
NOT-FOR-US: Apple
CVE-2016-4604 (Safari in Apple iOS before 9.3.3 allows remote attackers to
spoof the ...)
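Review bot: the justification `(Only applies to Curl on Mac OS)` on the `+ - curl <not-affected>` line is terse for an entry whose description reads `Curl before 7.49.1`: someone checking a suite that still ships curl older than 7.49.1 cannot tell from it why that build is unaffected. The surrounding entries (CVE-2016-4605, CVE-2016-4607) show this is an Apple-assigned identifier for their OS update, so consider expanding the parenthetical to say that it covers Apple's bundled curl and that the underlying curl fixes are tracked under curl's own entries, or add a NOTE: line with the Apple advisory reference.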
@@ -249083,7 +249086,7 @@ CVE-2014-6419
CVE-2014-6415
RESERVED
CVE-2014-6413 (A Cross-site Scripting (XSS) vulnerability exists in WatchGuard
XTM 11 ...)
- TODO: check
+ NOT-FOR-US: WatchGuard
CVE-2014-6412 (WordPress before 4.4 makes it easier for remote attackers to
predict p ...)
- wordpress <not-affected> (Affects only Wordpress on Windows systems)
CVE-2014-6411
@@ -251171,7 +251174,7 @@ CVE-2014-5470
CVE-2014-5469
RESERVED
CVE-2014-5468 (A File Inclusion vulnerability exists in Railo 4.2.1 and
earlier via a ...)
- TODO: check
+ NOT-FOR-US: Railo
CVE-2014-5467
RESERVED
CVE-2014-5466 (Cross-site scripting (XSS) vulnerability in the Dashboard in
Splunk We ...)
@@ -252243,15 +252246,15 @@ CVE-2014-5089 (SQL injection vulnerability in
admin/options/logs.php in Status2k
CVE-2014-5088 (Cross-site scripting (XSS) vulnerability in Status2k allows
remote att ...)
NOT-FOR-US: Status2k
CVE-2014-5087 (A vulnerability exists in Sphider Search Engine prior to 1.3.6
due to ...)
- TODO: check
+ NOT-FOR-US: Sphider Search Engine
CVE-2014-5086 (A Command Execution vulnerability exists in Sphider Pro, and
Sphider P ...)
- TODO: check
+ NOT-FOR-US: Sphider
CVE-2014-5085 (A Command Execution vulnerability exists in Sphider Plus 3.2
due to in ...)
- TODO: check
+ NOT-FOR-US: Sphider
CVE-2014-5084 (A Command Execution vulnerability exists in Sphider Pro 3.2 due
to ins ...)
- TODO: check
+ NOT-FOR-US: Sphider
CVE-2014-5083 (A Command Execution vulnerability exists in Sphider before
1.3.6 due t ...)
- TODO: check
+ NOT-FOR-US: Sphider
CVE-2014-5082 (Multiple SQL injection vulnerabilities in admin/admin.php in
Sphider 1 ...)
NOT-FOR-US: Sphider
CVE-2014-5081 (sphider prior to 1.3.6, sphider-pro prior to 3.2, and
sphider-plus pri ...)
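Review bot: the label on the `+ NOT-FOR-US: Sphider Search Engine` line for CVE-2014-5087 differs from the `NOT-FOR-US: Sphider` used on the four added lines below it and on the existing CVE-2014-5082 entry; use `NOT-FOR-US: Sphider` throughout so that a search for the product name matches all of its entries consistently.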
@@ -255171,7 +255174,7 @@ CVE-2014-3880 (The (1) execve and (2) fexecve system
calls in the FreeBSD kernel
- kfreebsd-9 <removed>
- kfreebsd-10 10.0-6
CVE-2014-3879 (OpenPAM Nummularia 9.2 through 10.0 does not properly handle
the error ...)
- TODO: check
+ NOT-FOR-US: OpenPAM
CVE-2014-3878 (Multiple cross-site scripting (XSS) vulnerabilities in the web
client ...)
NOT-FOR-US: IPSwitch IMail
CVE-2014-3877 (Incomplete blacklist vulnerability in Frams' Fast File EXchange
(F*EX, ...)
@@ -256548,7 +256551,7 @@ CVE-2013-7380 (The Etherpad Lite ep_imageconvert
Plugin has a Remote Command Inj
CVE-2013-7379 (The admin API in the tomato module before 0.0.6 for Node.js
does not p ...)
NOT-FOR-US: tomato module for Node.js
CVE-2013-7378 (scripts/email.coffee in the Hubot Scripts module before 2.4.4
for Node ...)
- TODO: check
+ NOT-FOR-US: Hubot Scripts module for Node.js
CVE-2013-7377 (The codem-transcode module before 0.5.0 for Node.js, when
ffprobe is e ...)
NOT-FOR-US: codem-transcode Node module
CVE-2013-7376 (Multiple cross-site request forgery (CSRF) vulnerabilities in
OpenX 2. ...)
@@ -269072,7 +269075,7 @@ CVE-2013-6024 (The Edge Client components in F5
BIG-IP APM 10.x, 11.x, 12.x, 13.
CVE-2013-6023 (Directory traversal vulnerability in the TVT TD-2308SS-B DVR
with firm ...)
NOT-FOR-US: TVT TD-2308SS-B DVR
CVE-2013-6022 (A Cross-Site Scripting (XSS) vulnerability exists in Tiki Wiki
CMG Gro ...)
- TODO: check
+ - tikiwiki <removed>
CVE-2013-6021 (Buffer overflow in WGagent in WatchGuard WSM and Fireware
before 11.8 ...)
NOT-FOR-US: WatchGuard WSM and Fireware
CVE-2013-6020 (passwordRequestPOST.jsp in Tyler Technologies TaxWeb 3.13.3.1
sends di ...)
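Review bot: the `+ - tikiwiki <removed>` line has no NOTE: reference, unlike the dojo entry added in this same change, which cites the upstream advisory and fix. Since `<removed>` only records that the package left the archive, consider adding a NOTE: with the upstream fix or advisory URL so a later reader can verify whether the fix ever reached a shipped version.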
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/aeed6b824d2601f06f8a18b862a92301bd675f69...555999387ec6a8fa2c46b948d3727d132e2e415f
--
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits