Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
810c9ed7 by Moritz Muehlenhoff at 2020-09-23T15:08:16+02:00
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -22252,7 +22252,8 @@ CVE-2020-15169 (In Action View before versions 5.2.4.4
and 6.0.3.3 there is a po
- rails 2:6.0.3.3+dfsg-1 (bug #970040)
NOTE:
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-15169.yml
NOTE:
https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc?pli=1
- NOTE:
https://github.com/rails/rails/commit/e663f084460ea56c55c3dc76f78c7caeddeeb02e
+ NOTE:
https://github.com/rails/rails/commit/e663f084460ea56c55c3dc76f78c7caeddeeb02e
(master)
+ NOTE:
https://github.com/rails/rails/commit/aaa7ab1320330b3c4fa8f0fbda716dcfa21e3d65
(5.2)
CVE-2020-15168 (node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not
honor the si ...)
[experimental] - node-fetch 2.6.1-1
- node-fetch <unfixed> (bug #970173)
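Review bot: the commit references for CVE-2020-15169 now carry branch markers, but only master and 5.2 are listed while the fixed Debian package is rails 2:6.0.3.3+dfsg-1; the 6-0-stable backport that produced 6.0.3.3 should be recorded as a third `NOTE:` line with a `(6.0)` marker, so the version the package actually ships can be checked against its own fix rather than against the master commit.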
@@ -41636,27 +41637,27 @@ CVE-2020-8167 (A CSRF vulnerability exists in rails
<= 6.0.3 rails-ujs module
[stretch] - rails <not-affected> (Vulnerable code introduced later)
[jessie] - rails <not-affected> (Vulnerable code introduced later)
NOTE:
https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released
- NOTE:
https://github.com/rails/rails/commit/fbc7bec074b5ef9ae22f79ca5d9bafec7b276dd3
+ NOTE:
https://github.com/rails/rails/commit/fbc7bec074b5ef9ae22f79ca5d9bafec7b276dd3
(5.2)
CVE-2020-8166 (A CSRF forgery vulnerability exists in rails < 5.2.5, rails
< 6. ...)
- rails 2:5.2.4.3+dfsg-1
[stretch] - rails <not-affected> (Vulnerable code introduced later)
[jessie] - rails <not-affected> (Vulnerable code introduced later)
NOTE:
https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released
- NOTE:
https://github.com/rails/rails/commit/d124f19287f4892c72ca54da728a781591c6fca1
+ NOTE:
https://github.com/rails/rails/commit/d124f19287f4892c72ca54da728a781591c6fca1
(5.2)
NOTE: per-form CSRF token introduced in 5.x:
https://github.com/rails/rails/commit/3e98819e20bc113343d4d4c0df614865ad5a9d3a
CVE-2020-8165 (A deserialization of untrusted data vulnernerability exists in
rails & ...)
{DLA-2282-1 DLA-2251-1}
- rails 2:5.2.4.3+dfsg-1
NOTE:
https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released
- NOTE:
https://github.com/rails/rails/commit/f7e077f85e61fc0b7381963eda0ceb0e457546b5
(MemCache backend)
- NOTE:
https://github.com/rails/rails/commit/467e3399c9007996c03ffe3212689d48dd25ae99
(Redis backend)
+ NOTE:
https://github.com/rails/rails/commit/f7e077f85e61fc0b7381963eda0ceb0e457546b5
(MemCache backend) (5.2)
+ NOTE:
https://github.com/rails/rails/commit/467e3399c9007996c03ffe3212689d48dd25ae99
(Redis backend) (5.2)
NOTE: Redis backend introduced in 5.2:
https://github.com/rails/rails/commit/9f8ec3535247ac41a9c92e84ddc7a3b771bc318b
CVE-2020-8164 (A deserialization of untrusted data vulnerability exists in
rails < ...)
{DLA-2282-1 DLA-2251-1}
[experimental] - rails 2:6.0.3.1+dfsg-1
- rails 2:5.2.4.3+dfsg-1
NOTE:
https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released
- NOTE:
https://github.com/rails/rails/commit/7a3ee4fea90b7555f8d09c6c05c15fe7ab5a06ec
+ NOTE:
https://github.com/rails/rails/commit/7a3ee4fea90b7555f8d09c6c05c15fe7ab5a06ec
(5.2)
CVE-2020-8163 (The is a code injection vulnerability in versions of Rails
prior to 5. ...)
{DLA-2282-1}
- rails 2:5.2.0+dfsg-2
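Review bot: CVE-2020-8164 keeps an `[experimental] - rails 2:6.0.3.1+dfsg-1` entry, yet the only commit now annotated for it is the 5.2 one; the linked weblog post covers the 6.0.3.1 release as well, so adding the 6-0-stable commit for each of CVE-2020-8167 through CVE-2020-8164 would let the experimental upload be verified the same way. Minor style point: `(MemCache backend) (5.2)` reads better as a single parenthetical, `(MemCache backend, 5.2)`, and likewise for the Redis line.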
@@ -41674,7 +41675,7 @@ CVE-2020-8162 (A client side enforcement of server side
security vulnerability e
[stretch] - rails <not-affected> (Vulnerable code introduced later)
[jessie] - rails <not-affected> (Vulnerable code introduced later)
NOTE:
https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released
- NOTE:
https://github.com/rails/rails/commit/e8df5648515a0e8324d3b3c4bdb7bde6802cd8be
+ NOTE:
https://github.com/rails/rails/commit/e8df5648515a0e8324d3b3c4bdb7bde6802cd8be
(5.2)
CVE-2020-8161 (A directory traversal vulnerability exists in rack < 2.2.0
that all ...)
{DLA-2275-1 DLA-2216-1}
- ruby-rack 2.1.1-5
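Review bot: the fix commit for CVE-2020-8162 is now marked `(5.2)` only, while the referenced weblog post announces 6.0.3.1 alongside 5.2.4.3; if the change was also applied on 6-0-stable, that commit should be added with its own branch marker so the two fixes can be told apart when checking a 6.0-based package.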
@@ -57245,18 +57246,25 @@ CVE-2020-2286
RESERVED
CVE-2020-2285
RESERVED
+ NOT-FOR-US: Jenkins plugin
CVE-2020-2284
RESERVED
+ NOT-FOR-US: Jenkins plugin
CVE-2020-2283
RESERVED
+ NOT-FOR-US: Jenkins plugin
CVE-2020-2282
RESERVED
+ NOT-FOR-US: Jenkins plugin
CVE-2020-2281
RESERVED
+ NOT-FOR-US: Jenkins plugin
CVE-2020-2280
RESERVED
+ NOT-FOR-US: Jenkins plugin
CVE-2020-2279
RESERVED
+ NOT-FOR-US: Jenkins plugin
CVE-2020-2278 (Jenkins Storable Configs Plugin 1.0 and earlier does not
restrict the ...)
NOT-FOR-US: Jenkins plugin
CVE-2020-2277 (Jenkins Storable Configs Plugin 1.0 and earlier allows users
with Job/ ...)
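Review bot: the seven `NOT-FOR-US: Jenkins plugin` lines are added against entries that are still `RESERVED`, so nothing in the file records how these IDs were matched to Jenkins plugins; a `NOTE:` with the Jenkins security advisory that assigns the CVE numbers would let the classification be rechecked once MITRE publishes the descriptions, as is already possible for CVE-2020-2278 and CVE-2020-2277 just below, whose descriptions name the plugin.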
@@ -65197,7 +65205,7 @@ CVE-2020-0349 (In NFC, there is a possible out of
bounds read due to a missing b
CVE-2020-0348 (In NFC, there is a possible out of bounds read due to a missing
bounds ...)
NOT-FOR-US: Android
CVE-2020-0347 (In iptables, there is a possible out of bounds write due to an
incorre ...)
- - iptables <undetermined>
+ - linux <undetermined>
CVE-2020-0346 (In Mediaserver, there is a possible out of bounds write due to
an inte ...)
NOT-FOR-US: Android Media Framework
CVE-2020-0345 (In DocumentsUI, there is a possible permission bypass due to a
confuse ...)
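Review bot: CVE-2020-0347 is moved from `iptables <undetermined>` to `linux <undetermined>` without a `NOTE:` explaining the reassignment; since the CVE text reads "In iptables", a one-line rationale (for example that the affected code was found to be on the kernel side rather than in the userspace iptables package, if that is what was established) would stop the next triager from moving it back. The state also remains `<undetermined>`, so the entry still needs an actual determination against the Debian kernel packages.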
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/810c9ed748397ca3f09101faf8b54ea1d88101f5