Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
bdb1c153 by Salvatore Bonaccorso at 2021-02-18T21:57:52+01:00
mujs entered the archive, recheck some older CVEs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -36504,7 +36504,9 @@ CVE-2020-24344 (JerryScript through 2.3.0 has a
(function({a=arguments}){const a
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3976
NOTE:
https://github.com/jerryscript-project/jerryscript/commit/841d536fce1ce29267cdf0ea12be4026e1c35d3a
CVE-2020-24343 (Artifex MuJS through 1.0.7 has a use-after-free in jsrun.c
because of ...)
- NOT-FOR-US: MuJS
+ - mujs <undetermined>
+ NOTE: https://github.com/ccxvii/mujs/issues/136
+ TODO: check, issue seems to be of disputed validity
CVE-2020-24342 (Lua through 5.4.0 allows a stack redzone cross in
luaO_pushvfstring be ...)
- lua5.4 5.4.1-1 (bug #971012)
NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00052.html
@@ -117475,7 +117477,8 @@ CVE-2019-12818 (An issue was discovered in the Linux
kernel before 4.20.15. The
CVE-2019-12799 (In createInstanceFromNamedArguments in Shopware through 5.6.x,
a craft ...)
NOT-FOR-US: Shopware
CVE-2019-12798 (An issue was discovered in Artifex MuJS 1.0.5. regcompx in
regexp.c do ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed with initial upload to Debian)
+ NOTE:
http://git.ghostscript.com/?p=mujs.git;h=7f50591861525f76e3ec7a63392656ff8c030af9
(1.0.6)
CVE-2019-12797 (A clone version of an ELM327 OBD2 Bluetooth device has a
hardcoded PIN ...)
NOT-FOR-US: ELM327 OBD2 Bluetooth device
CVE-2019-12796
@@ -121424,11 +121427,17 @@ CVE-2019-11415 (An issue was discovered on
Intelbras IWR 3000N 1.5.0 devices. A
CVE-2019-11414 (An issue was discovered on Intelbras IWR 3000N 1.5.0 devices.
When the ...)
NOT-FOR-US: Intelbras IWR 3000N 1.5.0 devices
CVE-2019-11413 (An issue was discovered in Artifex MuJS 1.0.5. It has
unlimited recurs ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed with initial upload to Debian)
+ NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700937
+ NOTE:
https://github.com/ccxvii/mujs/commit/00d4606c3baf813b7b1c176823b2729bf51002a2
CVE-2019-11412 (An issue was discovered in Artifex MuJS 1.0.5. jscompile.c can
cause a ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed with initial upload to Debian)
+ NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700947
+ NOTE:
https://github.com/ccxvii/mujs/commit/1e5479084bc9852854feb1ba9bf68b52cd127e02
CVE-2019-11411 (An issue was discovered in Artifex MuJS 1.0.5. The
Number#toFixed() an ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed with initial upload to Debian)
+ NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700938
+ NOTE:
https://github.com/ccxvii/mujs/commit/da632ca08f240590d2dec786722ed08486ce1be6
CVE-2018-20818 (A buffer overflow vulnerability was discovered in the OpenPLC
controll ...)
NOT-FOR-US: OpenPLC
CVE-2019-11410 (app/backup/index.php in the Backup Module in FusionPBX 4.4.3
suffers f ...)
@@ -190264,7 +190273,9 @@ CVE-2018-6192 (In Artifex MuPDF 1.12.0, the
pdf_read_new_xref function in pdf/pd
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698916
NOTE: Fixed by:
http://www.ghostscript.com/cgi-bin/findgit.cgi?5e411a99604ff6be5db9e273ee84737204113299
CVE-2018-6191 (The js_strtod function in jsdtoa.c in Artifex MuJS through
1.0.2 has a ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed before initial upload to Debian)
+ NOTE:
http://git.ghostscript.com/?p=mujs.git;a=commit;h=25821e6d74fab5fcc200fe5e818362e03e114428
+ NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698920
CVE-2018-6190 (Netis WF2419 V3.2.41381 devices allow XSS via the Description
field on ...)
NOT-FOR-US: Netis WF2419 V3.2.41381 devices
CVE-2017-1000504 (A race condition during Jenkins 2.94 and earlier; 2.89.1 and
earlier s ...)
@@ -191862,7 +191873,9 @@ CVE-2018-5761 (A man-in-the-middle vulnerability
related to vCenter access was f
CVE-2018-5760
RESERVED
CVE-2018-5759 (jsparse.c in Artifex MuJS through 1.0.2 does not properly
maintain the ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed before initial upload to Debian)
+ NOTE:
http://git.ghostscript.com/?p=mujs.git;a=commit;h=4d45a96e57fbabf00a7378b337d0ddcace6f38c1
+ NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698868
CVE-2018-5758 (The Upload File functionality in upload.jspa in Aurea Jive
Jive-n 9.0. ...)
NOT-FOR-US: Aurea Jive Jive-n
CVE-2018-5757 (An issue was discovered on AudioCodes 450HD IP Phone devices
with firm ...)
@@ -244190,9 +244203,13 @@ CVE-2017-5899 (Directory traversal vulnerability in
the setuid root helper binar
NOTE:
https://git.sdaoden.eu/cgit/s-nail.git/commit/?id=f2699449b66dd702a98925bd1b11153a6f7294bf
NOTE: https://www.openwall.com/lists/oss-security/2017/01/27/7
CVE-2017-5628 (An issue was discovered in Artifex Software, Inc. MuJS before
8f62ea10 ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed before initial upload to Debian)
+ NOTE:
http://git.ghostscript.com/?p=mujs.git;h=8f62ea10a0af68e56d5c00720523ebcba13c2e6a
+ NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697496
CVE-2017-5627 (An issue was discovered in Artifex Software, Inc. MuJS before
4006739a ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed before initial upload to Debian)
+ NOTE:
http://git.ghostscript.com/?p=mujs.git;h=4006739a28367c708dea19aeb19b8a1a9326ce08
+ NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697497
CVE-2017-5617 (The SVG Salamander (aka svgSalamander) library, when used in a
web app ...)
{DSA-3781-1 DLA-816-1}
- svgsalamander 1.1.1+dfsg-2 (bug #853134)
@@ -245421,11 +245438,17 @@ CVE-2017-5341 (The OTV parser in tcpdump before
4.9.0 has a buffer overflow in p
{DSA-3775-1 DLA-809-1}
- tcpdump 4.9.0-1
CVE-2016-10141 (An integer overflow vulnerability was observed in the regemit
function ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed before initial upload to Debian)
+ NOTE:
http://git.ghostscript.com/?p=mujs.git;h=fa3d30fd18c348bb4b1f3858fb860f4fcd4b2045
+ NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697448
CVE-2016-10133 (Heap-based buffer overflow in the js_stackoverflow function in
jsrun.c ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed before initial upload to Debian)
+ NOTE:
http://git.ghostscript.com/?p=mujs.git;a=commit;h=77ab465f1c394bb77f00966cd950650f3f53cb24
+ NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697401
CVE-2016-10132 (regexp.c in Artifex Software, Inc. MuJS allows attackers to
cause a de ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed before initial upload to Debian)
+ NOTE:
http://git.ghostscript.com/?p=mujs.git;h=fd003eceda531e13fbdd1aeb6e9c73156496e569
+ NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697381
CVE-2016-10131 (system/libraries/Email.php in CodeIgniter before 3.1.3 allows
remote a ...)
- codeigniter <itp> (bug #471583)
CVE-2017-5357 (regex.c in GNU ed before 1.14.1 allows attackers to cause a
denial of ...)
@@ -260154,7 +260177,9 @@ CVE-2016-9296 (A null pointer dereference bug affects
the 16.02 and many old ver
NOTE: https://sourceforge.net/p/p7zip/bugs/185/
NOTE: no security impact
CVE-2016-9294 (Artifex Software, Inc. MuJS before
5008105780c0b0182ea6eda83ad5598f225 ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed before initial upload to Debian)
+ NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=697172
+ NOTE:
http://git.ghostscript.com/?p=mujs.git;a=commit;h=5008105780c0b0182ea6eda83ad5598f225be3ee
CVE-2016-9279 (Use-after-free vulnerability in the Samsung Exynos fimg2d
driver for A ...)
NOT-FOR-US: Samsung Exynos fimg2d driver for Android
CVE-2016-9278 (The Samsung Exynos fimg2d driver for Android with Exynos 5433,
54xx, o ...)
@@ -260550,7 +260575,8 @@ CVE-2016-9180 (perl-XML-Twig: The option to
`expand_external_ents`, documented a
NOTE: Release 3.50 adds a no_xxe flag which will fail to parse files
with external entities.
NOTE: 2016-12-13: The corresponding changes is not in the public git
repository yet: https://github.com/mirod/xmltwig/commits/master
CVE-2016-9136 (Artifex Software, Inc. MuJS before
a0ceaf5050faf419401fe1b83acfa950ec8 ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed before initial upload to Debian)
+ NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=697244
CVE-2016-9135 (Exponent CMS 2.3.9 suffers from a SQL injection vulnerability
in "/fra ...)
NOT-FOR-US: Exponent CMS
CVE-2016-9134 (Exponent CMS 2.3.9 suffers from a SQL injection vulnerability
in "/exp ...)
@@ -260674,9 +260700,9 @@ CVE-2015-8966 (arch/arm/kernel/sys_oabi-compat.c in
the Linux kernel before 4.4
[wheezy] - linux <not-affected> (Vulnerable code not present)
NOTE: Fixed by:
https://git.kernel.org/linus/76cc404bfdc0d419c720de4daaf2584542734f42 (v4.4-rc8)
CVE-2016-9109 (Artifex Software MuJS allows attackers to cause a denial of
service (c ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed before initial upload to Debian)
CVE-2016-9108 (Integer overflow in the js_regcomp function in regexp.c in
Artifex Sof ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed before initial upload to Debian)
CVE-2016-9107 (The OTR plugin for Gajim sends information in cleartext when
using XHT ...)
- gajim-otr <itp> (bug #722130)
NOTE: Upstream bug: https://trac-plugins.gajim.org/ticket/145
@@ -260944,7 +260970,8 @@ CVE-2016-9019 (SQL injection vulnerability in the
activate_address function in f
CVE-2016-9018 (Improper handling of a repeating VRAT chunk in qcpfformat.dll
allows a ...)
NOT-FOR-US: RealPlayer
CVE-2016-9017 (Artifex Software, Inc. MuJS before
a5c747f1d40e8d6659a37a8d25f13fb5acf ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed before initial upload to Debian)
+ NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=697171
CVE-2016-9015 (Versions 1.17 and 1.18 of the Python urllib3 library suffer
from a vul ...)
- python-urllib3 <not-affected> (Issue only present in 1.17 and 1.18
releases)
CVE-2016-9014 (Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and
1.10.x bef ...)
@@ -265534,9 +265561,11 @@ CVE-2016-7566
CVE-2016-7565 (install/index.php in Exponent CMS 2.3.9 allows remote attackers
to exe ...)
NOT-FOR-US: Exponent CMS
CVE-2016-7564 (Heap-based buffer overflow in the Fp_toString function in
jsfunction.c ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed before initial upload to Debian)
+ NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697137
CVE-2016-7563 (The chartorune function in Artifex Software MuJS allows
attackers to c ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed before initial upload to Debian)
+ NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697136
CVE-2016-7562 (The ff_draw_pc_font function in libavcodec/cga_data.c in FFmpeg
before ...)
- ffmpeg 7:3.1.4-1 (bug #840434)
NOTE:
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/496267f8e9ec218351e4359e1fde48722d4fc804
(n3.1.4)
@@ -265627,11 +265656,14 @@ CVE-2016-7507 (Cross-Site Request Forgery (CSRF)
vulnerability in GLPI 0.90.4 al
- glpi <removed> (unimportant)
NOTE: Only supported behind an authenticated HTTP zone
CVE-2016-7506 (An out-of-bounds read vulnerability was observed in
Sp_replace_regexp ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed before initial upload to Debian)
+ NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=697141
CVE-2016-7505 (A buffer overflow vulnerability was observed in divby function
of Arti ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed before initial upload to Debian)
+ NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=697140
CVE-2016-7504 (A use-after-free vulnerability was observed in Rp_toString
function of ...)
- NOT-FOR-US: MuJS
+ - mujs <not-affected> (Fixed before initial upload to Debian)
+ NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=697142
CVE-2016-7503
RESERVED
CVE-2016-7502 (The cavs_idct8_add_c function in libavcodec/cavsdsp.c in FFmpeg
before ...)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bdb1c153309ae766843284540d369015d2191ec9
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bdb1c153309ae766843284540d369015d2191ec9
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
