Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
2a5afa2c by Moritz Muehlenhoff at 2021-02-22T15:28:52+01:00
new node-url-parse, telegram-desktop issues
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -83,9 +83,11 @@ CVE-2021-27518
CVE-2021-27517
RESERVED
CVE-2021-27516 (URI.js (aka urijs) before 1.19.6 mishandles certain uses of
backslash ...)
- TODO: check
+ NOT-FOR-US: urijs
CVE-2021-27515 (url-parse before 1.5.0 mishandles certain uses of backslash
such as ht ...)
- TODO: check
+ - node-url-parse <unfixed>
+ NOTE:
https://github.com/unshiftio/url-parse/commit/d1e7e8822f26e8a49794b757123b51386325b2b0
+ NOTE: https://github.com/unshiftio/url-parse/pull/197
CVE-2021-27514 (EyesOfNetwork 5.3-10 uses an integer of between 8 and 10
digits for th ...)
NOT-FOR-US: EyesOfNetwork (EON)
CVE-2021-27513 (The module admin_ITSM in EyesOfNetwork 5.3-10 allows remote
authentica ...)
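Review bot: the new `- node-url-parse <unfixed>` line for CVE-2021-27515 carries no Debian bug reference, unlike the `(bug #612288)` form used on the phplist entry later in this file. If a bug has been filed against node-url-parse, append it as `(bug #NNNNNN)` (placeholder) so the unfixed state can be tracked to closure. The description already says url-parse before 1.5.0 is affected, so a NOTE naming the fixed upstream version next to the commit and PR links would save the next triager a lookup.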
@@ -307,7 +309,7 @@ CVE-2021-27407
CVE-2021-27406
RESERVED
CVE-2021-27405 (A ReDoS (regular expression denial of service) flaw was found
in the @ ...)
- TODO: check
+ NOT-FOR-US: Node scrapbox-parser
CVE-2021-27404 (Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014 devices
allow injec ...)
NOT-FOR-US: Askey devices
CVE-2021-27403 (Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014 devices
allow cgi-b ...)
@@ -453,7 +455,8 @@ CVE-2021-27353
CVE-2021-27352
RESERVED
CVE-2021-27351 (The Terminate Session feature in the Telegram application
through 7.2. ...)
- TODO: check
+ - telegram-desktop 2.5.8+ds-1
+ NOTE: https://0ffsecninja.github.io/Telegram:CVE-2021-2735.html
CVE-2021-27350
RESERVED
CVE-2021-27349
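Review bot: the NOTE URL on the telegram-desktop entry ends in `Telegram:CVE-2021-2735.html`, which does not match the CVE-2021-27351 id of the entry it documents; confirm the link resolves and is the intended reference rather than a truncated one. Separately, the description reads "through 7.2. ..." while the fixed version recorded is `2.5.8+ds-1`, so a short NOTE on how the two version schemes relate would make the fixed-version claim checkable from the list alone.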
@@ -4658,7 +4661,7 @@ CVE-2021-3308 (An issue was discovered in Xen 4.12.3
through 4.12.4 and 4.13.1 t
NOTE: Issue backported to 4.12.3 and 4.13.1
NOTE: Fixed by:
https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=58427889f5a420cc5226f88524b3228f90b72a58
CVE-2021-3189 (The slashify package 1.0.0 for Node.js allows open-redirect
attacks, a ...)
- TODO: check
+ NOT-FOR-US: Node slashify
CVE-2021-3188 (phpList 3.6.0 allows CSV injection, related to the email
parameter, an ...)
- phplist <itp> (bug #612288)
CVE-2021-3187
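Review bot: `NOT-FOR-US: Node slashify` uses a `Node` prefix, as does `NOT-FOR-US: Node scrapbox-parser` in the second hunk, but the CVE-2021-27516 line in the first hunk uses plain `NOT-FOR-US: urijs`. Pick one form for Node.js modules so that a grep of the list for Node NFU entries catches all of them.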
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a5afa2c0ded5ae3aae99f4391c490d4a06f5c6b