Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a5eb2724 by Moritz Muehlenhoff at 2020-12-13T20:14:28+01:00
associate various JerryScript NFUs with iotjs, marked as <unfixed> initially

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -138,7 +138,7 @@ CVE-2020-35151
 CVE-2020-35150
        RESERVED
 CVE-2020-35149 (lib/utils.js in mquery before 3.2.3 allows a pollution attack 
because  ...)
-       TODO: check
+       NOT-FOR-US: Node mquery
 CVE-2020-35148
        RESERVED
 CVE-2020-35147
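Review bot: the TODO for CVE-2020-35149 is closed as "NOT-FOR-US: Node mquery" with no NOTE recording what was checked; the description names a Node library (lib/utils.js in mquery, fixed in 3.2.3), so the check that justifies the tag is an archive search for a node-mquery source package, and a NOTE with the upstream reference would let the next triager confirm it without redoing the search.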
@@ -1276,7 +1276,8 @@ CVE-2020-29659 (A buffer overflow in the web server of 
Flexense DupScout Enterpr
 CVE-2020-29658
        RESERVED
 CVE-2020-29657 (In JerryScript 2.3.0, there is an out-of-bounds read in 
main_print_unh ...)
-       TODO: check
+       - iotjs <unfixed>
+       NOTE: https://github.com/jerryscript-project/jerryscript/issues/4244
 CVE-2020-29656 (An information disclosure vulnerability exists in RT-AC88U 
Download Ma ...)
        NOT-FOR-US: RT-AC88U Download Master
 CVE-2020-29655 (An injection vulnerability exists in RT-AC88U Download Master 
before 3 ...)
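Review bot: the function named in the CVE-2020-29657 description starts with main_print_unh, which reads like the jerry command-line front end rather than the engine library; before carrying this as "- iotjs <unfixed>" it is worth confirming that iotjs builds that code at all, otherwise the entry should become "- iotjs <not-affected> (...)" with the reason. The NOTE only links the upstream issue (4244), so <unfixed> is a placeholder until the fix commit or release is identified, as the commit message says.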
@@ -17375,9 +17376,10 @@ CVE-2020-24347 (njs through 0.4.3, used in NGINX, has 
an out-of-bounds read in n
 CVE-2020-24346 (njs through 0.4.3, used in NGINX, has a use-after-free in 
njs_json_par ...)
        NOT-FOR-US: njs
 CVE-2020-24345 (** DISPUTED ** JerryScript through 2.3.0 allows stack 
consumption via  ...)
-       NOT-FOR-US: JerryScript
+       NOTE: Disputed JerryScript issue
 CVE-2020-24344 (JerryScript through 2.3.0 has a (function({a=arguments}){const 
argumen ...)
-       NOT-FOR-US: JerryScript
+       - iotjs <unfixed>
+       NOTE: https://github.com/jerryscript-project/jerryscript/issues/3976
 CVE-2020-24343 (Artifex MuJS through 1.0.7 has a use-after-free in jsrun.c 
because of  ...)
        NOT-FOR-US: MuJS
 CVE-2020-24342 (Lua through 5.4.0 allows a stack redzone cross in 
luaO_pushvfstring be ...)
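Review bot: the CVE-2020-24345 entry goes from "NOT-FOR-US: JerryScript" to a bare "NOTE: Disputed JerryScript issue" with no package line, so after this hunk it carries neither a package association nor a NOT-FOR-US resolution and its triage state is no longer visible in the file. Suggest a resolution line next to the NOTE, e.g. "- iotjs <not-affected> (Disputed)" if the dispute is accepted, or "- iotjs <undetermined>" if it still needs a decision. CVE-2020-24344 below it follows the same pattern as the other hunks and looks fine.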
@@ -39531,7 +39533,9 @@ CVE-2020-14165 (The UniversalAvatarResource.getAvatars 
resource in Jira Server a
 CVE-2020-14164 (The WYSIWYG editor resource in Jira Server and Data Center 
before vers ...)
        NOT-FOR-US: Atlassian
 CVE-2020-14163 (An issue was discovered in 
ecma/operations/ecma-container-object.c in  ...)
-       NOT-FOR-US: JerryScript
+       - iotjs <unfixed>
+       NOTE: 
https://github.com/jerryscript-project/jerryscript/commit/c2b662170245a16f46ce02eae68815c325d99821
+       NOTE: https://github.com/jerryscript-project/jerryscript/issues/3804
 CVE-2020-14162 (An issue was discovered in Pi-Hole through 5.0. The local 
www-data use ...)
        NOT-FOR-US: Pi-Hole
 CVE-2020-14161
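Review bot: CVE-2020-14163 now records the upstream fix commit c2b662170245a16f46ce02eae68815c325d99821 in a NOTE while the package line still says <unfixed>; the commit message explains <unfixed> is the initial placeholder, but since the fix is already identified, suggest adding "TODO: check which JerryScript release / iotjs upload contains c2b662170245a16f46ce02eae68815c325d99821" (or the fixed version directly) so the placeholder does not linger.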
@@ -41008,7 +41012,10 @@ CVE-2020-13651 (An issue was discovered in DigDash 
2018R2 before p20200528, 2019
 CVE-2020-13650 (An issue was discovered in DigDash 2018R2 before p20200210 and 
2019R1  ...)
        NOT-FOR-US: DigDash
 CVE-2020-13649 (parser/js/js-scanner.c in JerryScript 2.2.0 mishandles errors 
during c ...)
-       NOT-FOR-US: JerryScript
+       - iotjs <unfixed>
+       NOTE: 
https://github.com/jerryscript-project/jerryscript/commit/69f8e78c2f8d562bd6d8002b5488f1662ac30d24
+       NOTE: https://github.com/jerryscript-project/jerryscript/issues/3786
+       NOTE: https://github.com/jerryscript-project/jerryscript/issues/3788
 CVE-2020-13648
        RESERVED
 CVE-2020-13647
@@ -41099,9 +41106,12 @@ CVE-2020-13625 (PHPMailer before 6.1.6 contains an 
output escaping bug when the
 CVE-2020-13624
        RESERVED
 CVE-2020-13623 (JerryScript 2.2.0 allows attackers to cause a denial of 
service (stack ...)
-       NOT-FOR-US: JerryScript
+       - iotjs <unfixed>
+       NOTE: https://github.com/jerryscript-project/jerryscript/issues/3785
 CVE-2020-13622 (JerryScript 2.2.0 allows attackers to cause a denial of 
service (asser ...)
-       NOT-FOR-US: JerryScript
+       - iotjs <unfixed>
+       NOTE: https://github.com/jerryscript-project/jerryscript/issues/3787
+       NOTE: https://github.com/jerryscript-project/jerryscript/pull/3797
 CVE-2020-13621
        RESERVED
 CVE-2020-13620 (Fastweb FASTGate GPON FGA2130FWB devices through 2020-05-26 
allow CSRF ...)
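Review bot: CVE-2020-13622 links both an issue (3787) and a pull request (pull/3797); if that pull request was merged, the merge commit is the reference to record and the <unfixed> marker can be replaced by the first JerryScript release containing it. For CVE-2020-13623 only the issue (3785) is linked, so <unfixed> is the right provisional state there.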
@@ -106602,7 +106612,8 @@ CVE-2019-1010178 (Fred MODX Revolution &lt; 
1.0.0-beta5 is affected by: Incorrec
 CVE-2019-1010177 (Jsish 2.4.70 2.047 is affected by: Use After Free. The 
impact is: deni ...)
        NOT-FOR-US: Jsish
 CVE-2019-1010176 (JerryScript commit 4e58ccf68070671e1fff5cd6673f0c1d5b80b166 
is affecte ...)
-       NOT-FOR-US: JerryScript
+       - iotjs <unfixed>
+       NOTE: https://github.com/jerryscript-project/jerryscript/issues/2476
 CVE-2019-1010175
        RESERVED
 CVE-2019-1010174 (CImg The CImg Library v.2.3.3 and earlier is affected by: 
command inje ...)
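Review bot: the CVE-2019-1010176 description gives the affected version as a commit (4e58ccf68070671e1fff5cd6673f0c1d5b80b166) rather than a release, so deciding whether iotjs is affected means comparing that commit with the JerryScript code built into iotjs rather than a version number; a NOTE recording that comparison, or the fixing commit from issue 2476, would make the <unfixed> marker verifiable.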
@@ -144955,7 +144966,8 @@ CVE-2018-1000639 (LatexDraw version &lt;=4.0 contains 
a XML External Entity (XXE
 CVE-2018-1000638 (MiniCMS version 1.1 contains a Cross Site Scripting (XSS) 
vulnerabilit ...)
        NOT-FOR-US: MiniCMS
 CVE-2018-1000636 (JerryScript version Tested on commit 
f86d7459d195c8ba58479d1861b0cc726 ...)
-       NOT-FOR-US: JerryScript
+       - iotjs <unfixed>
+       NOTE: https://github.com/jerryscript-project/jerryscript/issues/2435
 CVE-2018-1000635 (The Open Microscopy Environment OMERO.server version 5.4.0 
to 5.4.6 co ...)
        NOT-FOR-US: Open Microscopy Environment
 CVE-2018-1000634 (The Open Microscopy Environment OMERO.server version 5.4.0 
to 5.4.6 co ...)
@@ -156029,9 +156041,11 @@ CVE-2018-11421 (Moxa OnCell G3100-HSPA Series 
version 1.6 Build 17100315 and pri
 CVE-2018-11420 (There is Memory corruption in the web interface of Moxa OnCell 
G3100-H ...)
        NOT-FOR-US: Moxa
 CVE-2018-11419 (An issue was discovered in JerryScript 1.0. There is a 
heap-based buff ...)
-       NOT-FOR-US: JerryScript
+       - iotjs <unfixed>
+       NOTE: https://github.com/jerryscript-project/jerryscript/issues/2230
 CVE-2018-11418 (An issue was discovered in JerryScript 1.0. There is a 
heap-based buff ...)
-       NOT-FOR-US: JerryScript
+       - iotjs <unfixed>
+       NOTE: https://github.com/jerryscript-project/jerryscript/issues/2237
 CVE-2018-11417
        RESERVED
 CVE-2018-11416 (jpegoptim.c in jpegoptim 1.4.5 (fixed in 1.4.6) has an invalid 
use of  ...)
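Review bot: CVE-2018-11419 and CVE-2018-11418 are both described against JerryScript 1.0, much older than the 2.x versions named in the earlier hunks; marking both "- iotjs <unfixed>" assumes the heap-based issues are still present in the JerryScript version iotjs builds. Suggest checking the fixes from issues 2230 and 2237 against that version and, if they are already included, recording the fixed version or <not-affected> instead of leaving the entries open.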
@@ -166234,7 +166248,8 @@ CVE-2018-7587 (An issue was discovered in CImg v.220. 
DoS occurs when loading a
 CVE-2018-7586 (In the nextgen-gallery plugin before 2.2.50 for WordPress, 
gallery pat ...)
        NOT-FOR-US: nextgen-gallery plugin for WordPress
 CVE-2017-18212 (An issue was discovered in JerryScript 1.0. There is a 
heap-based buff ...)
-       NOT-FOR-US: JerryScript
+       - iotjs <unfixed>
+       NOTE: https://github.com/jerryscript-project/jerryscript/issues/2140
 CVE-2018-7585
        RESERVED
 CVE-2018-7584 (In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 
7.1.14, and  ...)
@@ -196305,7 +196320,8 @@ CVE-2017-14751 (The Intense WP "WP Jobs" plugin 1.5 
for WordPress has XSS, relat
 CVE-2017-14750
        RESERVED
 CVE-2017-14749 (JerryScript 1.0 allows remote attackers to cause a denial of 
service ( ...)
-       NOT-FOR-US: JerryScript
+       - iotjs <unfixed>
+       NOTE: https://github.com/jerryscript-project/jerryscript/issues/2008
 CVE-2017-14748 (Race condition in Blizzard Overwatch 1.15.0.2 allows remote 
authentica ...)
        NOT-FOR-US: Blizzard Overwatch
 CVE-2017-14747



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5eb2724caa6e5baf09d8e477f58bf138c4a6130



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
