Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: 8593146a by Moritz Muehlenhoff at 2020-09-11T10:42:34+02:00 new node-fetch, activemq, bitcoin issues NFUs - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -20965,7 +20965,7 @@ CVE-2020-15172 CVE-2020-15171 (In XWiki before versions 11.10.5 or 12.2.1, any user with SCRIPT right ...) TODO: check CVE-2020-15170 (apollo-adminservice before version 1.7.1 does not implement access con ...) - TODO: check + NOT-FOR-US: apollo-adminservice CVE-2020-15169 RESERVED - rails 2:6.0.3.3+dfsg-1 (bug #970040) @@ -20973,7 +20973,9 @@ CVE-2020-15169 NOTE: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc?pli=1 NOTE: https://github.com/rails/rails/commit/e663f084460ea56c55c3dc76f78c7caeddeeb02e CVE-2020-15168 (node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the si ...) - TODO: check + - node-fetch <unfixed> + [buster] - node-fetch <no-dsa> (Minor issue) + NOTE: https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r CVE-2020-15167 (In Miller (command line utility) using the configuration file support ...) - miller 5.9.1+dfsg-1 (bug #969467) [buster] - miller <not-affected> (Introduced in 5.9.0) @@ -23632,7 +23634,8 @@ CVE-2020-14200 CVE-2020-14199 (BIP-143 in the Bitcoin protocol specification mishandles the signing o ...) NOT-FOR-US: Bitcoin protocol issue CVE-2020-14198 (Bitcoin Core 0.20.0 allows remote denial of service. ...) - TODO: check + - bitcoin <unfixed> + NOTE: https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures#CVE-2020-14198 CVE-2020-14197 RESERVED CVE-2020-14196 (In PowerDNS Recursor versions up to and including 4.3.1, 4.2.2 and 4.1 ...) 
@@ -24379,7 +24382,8 @@ CVE-2020-13922 CVE-2020-13921 (**Resolved** Only when using H2/MySQL/TiDB as Apache SkyWalking storag ...) NOT-FOR-US: Apache SkyWalking CVE-2020-13920 (Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX ...) - TODO: check + - activemq <unfixed> + NOTE: http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt CVE-2020-13919 (emfd/libemf in Ruckus Wireless Unleashed through 200.7.10.102.92 allow ...) NOT-FOR-US: Ruckus Wireless Unleashed CVE-2020-13918 (Incorrect access control in webs in Ruckus Wireless Unleashed through ...) @@ -29326,7 +29330,8 @@ CVE-2020-12000 (The affected product is vulnerable to the handling of serialized CVE-2020-11999 (FactoryTalk Linx versions 6.00, 6.10, and 6.11, RSLinx Classic v4.11.0 ...) NOT-FOR-US: FactoryTalk CVE-2020-11998 (A regression has been introduced in the commit preventing JMX re-bind. ...) - TODO: check + - activemq <unfixed> + NOTE: http://activemq.apache.org/security-advisories.data/CVE-2020-11998-announcement.txt CVE-2020-11997 RESERVED CVE-2020-11996 (A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat ...) @@ -38960,7 +38965,7 @@ CVE-2020-8760 CVE-2020-8759 (Improper access control in the installer for Intel(R) SSD DCT versions ...) NOT-FOR-US: Intel CVE-2020-8758 (Improper buffer restrictions in network subsystem in provisioned Intel ...) - TODO: check + NOT-FOR-US: Intel CVE-2020-8757 RESERVED CVE-2020-8756 
@@ -66089,7 +66094,6 @@ CVE-2019-17558 (Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remot NOTE: https://www.openwall.com/lists/oss-security/2019/12/30/1 NOTE: https://issues.apache.org/jira/browse/SOLR-13971 NOTE: https://issues.apache.org/jira/browse/SOLR-14025 - TODO: check, whilst the advisory claims 5.0.0 upwards only the SolrParamResourceLoader might be of issue already earlier? CVE-2019-17557 (It was found that the Apache Syncope EndUser UI login page prio to 2.0 ...) NOT-FOR-US: Apache Syncope CVE-2019-17556 (Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService clas ...) @@ -124490,7 +124494,8 @@ CVE-2018-17147 (Nagios XI before 5.5.4 has XSS in the auto login admin managemen CVE-2018-17146 (A cross-site scripting vulnerability exists in Nagios XI before 5.5.4 ...) NOT-FOR-US: Nagios XI CVE-2018-17145 (Bitcoin Core 0.16.x before 0.16.2 and Bitcoin Knots 0.16.x before 0.16 ...) - TODO: check + - bitcoin 0.16.2~dfsg-1 + NOTE: https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures#CVE-2018-17145 CVE-2018-17144 (Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x be ...) - bitcoin 0.16.3~dfsg-1 - litecoin 0.16.3-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8593146aa09baa3559e5b2eff352f7c1e21d7eca
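Review bot: in the CVE-2020-15168 hunk (@@ -20973), the new `- node-fetch <unfixed>` line carries no Debian bug reference, while the rails and miller entries in the same context do (`(bug #970040)`, `(bug #969467)`); an unfixed sid entry normally gets a bug filed and cited so the maintainer is notified and the fixing upload can be matched to it. The truncated description also names the upstream fixed versions 2.6.1 and 3.0.0-beta.9, which would be worth recording in a NOTE beside the GHSA link so the fixed-version check does not have to be redone from the advisory.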
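Review bot: in the CVE-2020-14198 hunk (@@ -23632), `- bitcoin <unfixed>` is added with neither a bug reference nor a stable-release line, whereas the node-fetch entry in this same commit gets a `[buster]` annotation; since the description names only Bitcoin Core 0.20.0, a NOTE on whether the version shipped in stable is affected at all would save a second triage pass.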
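Review bot: in the CVE-2020-11998 hunk (@@ -29326), the description calls this a regression introduced by the commit preventing JMX re-bind, and CVE-2020-13920 a few hunks earlier is the JMX `LocateRegistry.createRegistry()` issue in the same package; if the former is the regression of the latter's fix, a NOTE cross-referencing the two entries would make clear that one activemq upload needs to address both before either `<unfixed>` is closed.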
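Review bot: in the CVE-2019-17558 hunk (@@ -66089), the TODO asking whether SolrParamResourceLoader makes releases before 5.0.0 affected is deleted without a replacement NOTE stating the conclusion; if the question was settled, recording the answer (and what it was based on) keeps the reasoning in the tracker, and if it was not, the open question is now lost.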
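Review bot: in the CVE-2018-17145 hunk (@@ -124490), only `- bitcoin 0.16.2~dfsg-1` is added, while the adjacent CVE-2018-17144 entry for the same Bitcoin Core 0.16.x code base also tracks `litecoin 0.16.3-1`; it is worth checking whether litecoin needs a line here too, or a `<not-affected>` with a reason, so the two neighbouring entries do not silently disagree on package coverage.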
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits