Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3e4c3e89 by Moritz Muehlenhoff at 2020-07-06T19:29:25+02:00
buster triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -121,6 +121,7 @@ CVE-2020-15504
        RESERVED
 CVE-2020-15503 (LibRaw before 0.20-RC1 lacks a thumbnail size range check. 
This affect ...)
        - libraw <unfixed>
+       [buster] - libraw <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1853477
        NOTE: 
https://github.com/LibRaw/LibRaw/commit/20ad21c0d87ca80217aee47533d91e633ce1864d
 CVE-2020-15502 (** DISPUTED ** The DuckDuckGo application through 5.58.0 for 
Android,  ...)
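Review bot: the new `[buster] - libraw <no-dsa> (Minor issue)` line leaves the unstable entry at `- libraw <unfixed>` even though the description says the check is present from 0.20-RC1 and a fix commit is already referenced in the NOTE below it; consider recording the fixing upstream version or a bug reference on the `<unfixed>` line so the sid side of this entry does not stay open without a pointer.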
@@ -186,6 +187,8 @@ CVE-2020-15475 (In nDPI through 3.2, 
ndpi_reset_packet_line_info in lib/ndpi_mai
        NOTE: 
https://github.com/ntop/nDPI/commit/6a9f5e4f7c3fd5ddab3e6727b071904d76773952
 CVE-2020-15474 (In nDPI through 3.2, there is a stack overflow in 
extractRDNSequence i ...)
        - ndpi <unfixed>
+       [buster] - ndpi <not-affected> (Vulnerable code not present)
+       [stretch] - ndpi <not-affected> (Vulnerable code not present)
        NOTE: 
https://github.com/ntop/nDPI/commit/23594f036536468072198a57c59b6e9d63caf6ce
 CVE-2020-15473 (In nDPI through 3.2, the OpenVPN dissector is vulnerable to a 
heap-bas ...)
        - ndpi <unfixed>
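Review bot: the two `<not-affected> (Vulnerable code not present)` lines added for CVE-2020-15474 carry no NOTE saying which nDPI version introduced the extractRDNSequence code, so the claim cannot be re-checked from the entry itself; a short NOTE with the introducing version or commit would make this triage verifiable later. Also, CVE-2020-15473 in the trailing context is still a bare `- ndpi <unfixed>` with no buster/stretch line, so it is unclear whether it was assessed in the same pass.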
@@ -195,6 +198,8 @@ CVE-2020-15472 (In nDPI through 3.2, the H.323 dissector is 
vulnerable to a heap
        NOTE: 
https://github.com/ntop/nDPI/commit/b7e666e465f138ae48ab81976726e67deed12701
 CVE-2020-15471 (In nDPI through 3.2, the packet parsing code is vulnerable to 
a heap-b ...)
        - ndpi <unfixed>
+       [buster] - ndpi <not-affected> (Vulnerable code not present)
+       [stretch] - ndpi <not-affected> (Vulnerable code not present)
        NOTE: 
https://github.com/ntop/nDPI/commit/61066fb106efa6d3d95b67e47b662de208b2b622
 CVE-2020-15470 (ffjpeg through 2020-02-24 has a heap-based buffer overflow in 
jfif_dec ...)
        NOT-FOR-US: ffjpeg
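Review bot: same point as the previous ndpi hunk, the `<not-affected> (Vulnerable code not present)` lines for CVE-2020-15471 give no version or commit that would let someone confirm the packet parsing code is absent in the buster and stretch versions; add a NOTE with that evidence. CVE-2020-15472 (the H.323 dissector issue in this hunk's header) shows no buster/stretch annotation in the visible context either, so please confirm it was covered.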
@@ -1316,7 +1321,8 @@ CVE-2020-14949
 CVE-2020-14948
        RESERVED
 CVE-2020-14947 (OCS Inventory NG 2.7 allows Remote Command Execution via shell 
metacha ...)
-       TODO: check
+       - ocsinventory-server <unfixed> (unimportant)
+       NOTE: Only supported in trusted environments, see debtags
 CVE-2020-14946 (downloadFile.ashx in the Administrator section of the 
Surveillance mod ...)
        NOT-FOR-US: Surveillance module in Global RADAR BSA Radar
 CVE-2020-14945 (A privilege escalation vulnerability exists within Global 
RADAR BSA Ra ...)
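Review bot: the `(unimportant)` severity on `- ocsinventory-server <unfixed> (unimportant)` is justified only by "Only supported in trusted environments, see debtags"; since the description is a Remote Command Execution via shell metacharacters, the NOTE should name the specific tag or the documented trust assumption it relies on, and an upstream fix reference or Debian bug number would be useful here as the other entries in this commit have one.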
@@ -17681,6 +17687,7 @@ CVE-2020-8946 (Netis WF2471 v1.2.30142 devices allow an 
authenticated attacker t
        NOT-FOR-US: Netis devices
 CVE-2020-8945 (The proglottis Go wrapper before 0.1.1 for the GPGME library 
has a use ...)
        - golang-github-proglottis-gpgme 0.1.1-1 (bug #951372)
+       [buster] - golang-github-proglottis-gpgme <no-dsa> (Minor issue)
        NOTE: https://github.com/proglottis/gpgme/pull/23
 CVE-2020-8944
        RESERVED
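Review bot: `[buster] - golang-github-proglottis-gpgme <no-dsa> (Minor issue)` is a library package (a Go wrapper per the description), so the triage should also cover whatever in buster is built against it; a NOTE stating that no reverse dependencies are affected, or listing the ones that are, would make the "Minor issue" rationale checkable.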
@@ -19603,6 +19610,7 @@ CVE-2020-8132 (Lack of input validation in pdf-image 
npm package version &lt;= 2
        NOT-FOR-US: Node pdf-image package
 CVE-2020-8131 (Arbitrary filesystem write vulnerability in Yarn before 1.22.0 
allows  ...)
        - node-yarnpkg 1.22.4-2 (bug #952912)
+       [buster] - node-yarnpkg <no-dsa> (Minor issue)
        NOTE: https://hackerone.com/reports/730239
        NOTE: https://github.com/yarnpkg/yarn/pull/7831
 CVE-2020-8130 (There is an OS command injection vulnerability in Ruby Rake 
&lt; 12.3. ...)
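Review bot: `[buster] - node-yarnpkg <no-dsa> (Minor issue)` repeats the same rationale text as the other no-dsa lines in this commit without saying why an arbitrary filesystem write is minor in buster; a one-line NOTE giving the reason would help later reviewers decide whether a point-release update is still warranted.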
@@ -147563,7 +147571,8 @@ CVE-2018-1286 (In Apache OpenMeetings 3.0.0 - 4.0.1, 
CRUD operations on privileg
        NOT-FOR-US: Apache OpenMeetings
 CVE-2018-1285 (Apache log4net before 2.0.8 does not disable XML external 
entities whe ...)
        {DLA-2211-1}
-       - log4net <unfixed>
+       - log4net <unfixed> (low)
+       [buster] - log4net <no-dsa> (Minor issue)
        NOTE: https://issues.apache.org/jira/browse/LOG4NET-575
        NOTE: 
https://github.com/apache/logging-log4net/commit/d0b4b0157d4af36b23c24a23739c47925c3bd8d7
 CVE-2018-1284 (In Apache Hive 0.6.0 to 2.3.2, malicious user might use any 
xpath UDFs ...)
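Review bot: the existing `{DLA-2211-1}` line shows stretch already received an update for this XXE issue, while the new `[buster] - log4net <no-dsa> (Minor issue)` and the `(low)` severity on the `<unfixed>` line point the other way; a NOTE explaining why buster is treated differently from stretch would avoid this looking inconsistent. The unstable entry also still lacks a bug reference despite the upstream fix commit being listed.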


=====================================
data/dsa-needed.txt
=====================================
@@ -37,6 +37,8 @@ rails
 ruby2.5/stable
   Utkarsh Gupta proposed to work on an update
 --
+roundcube
+--
 squid/stable
 --
 teeworlds/stable (jmm)
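Review bot: the new `roundcube` entry has neither a `/stable` suffix nor a claimant in parentheses like `teeworlds/stable (jmm)`, and no line saying which issue it refers to, unlike the `ruby2.5/stable` entry above it; add the suite, the CVE or tracker reference, and whether someone has picked it up.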



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e4c3e89ce20df6ecaeac9c55f6a7bdfd27349f5



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
