Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
ddd94352 by Moritz Muehlenhoff at 2021-02-22T18:21:59+01:00
new three.js issues
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -9599,16 +9599,16 @@ CVE-2021-23344
CVE-2021-23343
RESERVED
CVE-2021-23342 (This affects the package docsify before 4.12.0. It is possible
to bypa ...)
- TODO: check
+ NOT-FOR-US: docsify
CVE-2021-23341 (The package prismjs before 1.23.0 are vulnerable to Regular
Expression ...)
- node-prismjs <unfixed>
NOTE:
https://github.com/PrismJS/prism/commit/c2f6a64426f44497a675cb32dccb079b3eff1609
NOTE: https://github.com/PrismJS/prism/pull/2584
NOTE: https://github.com/PrismJS/prism/issues/2583
CVE-2021-23340 (This affects the package pimcore/pimcore before 6.8.8. A Local
FIle In ...)
- TODO: check
+ NOT-FOR-US: Pimcore
CVE-2021-23339 (This affects all versions of package
com.typesafe.akka:akka-http-core. ...)
- TODO: check
+ NOT-FOR-US: com.typesafe.akka:akka-http-core
CVE-2021-23338 (This affects all versions of package qlib. The workflow
function in cl ...)
NOT-FOR-US: qlib
CVE-2021-23337 (All versions of package lodash; all versions of package
org.fujion.web ...)
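Review bot: the NOT-FOR-US label for CVE-2021-23339 uses the Maven coordinate `com.typesafe.akka:akka-http-core`, while the neighbouring entries in this hunk use plain project names (`docsify`, `Pimcore`, `qlib`); naming the project rather than the artifact, e.g. `NOT-FOR-US: Akka HTTP`, keeps the labels searchable and consistent with the rest of the file.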
@@ -10569,11 +10569,11 @@ CVE-2021-22860
CVE-2021-22859
RESERVED
CVE-2021-22858 (Attackers can access the CGE account management function
without privi ...)
- TODO: check
+ NOT-FOR-US: CGE
CVE-2021-22857 (The CGE page with download function contains a Directory
Traversal vul ...)
- TODO: check
+ NOT-FOR-US: CGE
CVE-2021-22856 (The CGE property management system contains SQL Injection
vulnerabilit ...)
- TODO: check
+ NOT-FOR-US: CGE
CVE-2021-22855 (The specific function of HR Portal of Soar Cloud System
accepts any ty ...)
NOT-FOR-US: HR Portal of Soar Cloud System
CVE-2021-22854 (The HR Portal of Soar Cloud System fails to filter specific
parameters ...)
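Review bot: `NOT-FOR-US: CGE` on the three new lines is too terse to be searchable later, since the CVE descriptions themselves name the product more specifically (`CGE property management system`, `CGE account management function`); the adjacent Soar Cloud entries in this hunk spell out `HR Portal of Soar Cloud System`, so a label such as `NOT-FOR-US: CGE property management system` would follow the same convention.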
@@ -11333,7 +11333,7 @@ CVE-2021-22555
CVE-2021-22554
RESERVED
CVE-2021-22553 (Any git operation is passed through Jetty and a session is
created. No ...)
- TODO: check
+ - gerrit <itp> (bug #589436)
CVE-2021-22552
RESERVED
CVE-2021-22551
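Review bot: the new `- gerrit <itp> (bug #589436)` line records the packaging state but carries no upstream reference, unlike the prismjs and three.js entries in this same commit, which attach the fixing commit or issue as NOTE lines; adding a NOTE with the upstream advisory or fix would let whoever finishes the ITP determine the fixed version without re-researching the CVE.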
@@ -14770,7 +14770,7 @@ CVE-2020-35666 (Steedos Platform through 1.21.24 allows
NoSQL injection because
CVE-2020-35665 (An unauthenticated command-execution vulnerability exists in
TerraMast ...)
NOT-FOR-US: TerraMaster TOS
CVE-2020-35664 (An issue was discovered in Acronis Cyber Protect before 15
Update 1 bu ...)
- TODO: check
+ NOT-FOR-US: Acronis
CVE-2020-35663
RESERVED
CVE-2020-35662
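Review bot: `NOT-FOR-US: Acronis` names only the vendor, whereas the CVE text identifies the product as `Acronis Cyber Protect` and the TerraMaster entry just above in this hunk is labelled with the product (`TerraMaster TOS`); `NOT-FOR-US: Acronis Cyber Protect` would match that convention, and the same label should then be used for CVE-2020-35556 later in this patch.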
@@ -16038,7 +16038,7 @@ CVE-2020-35558 (An issue was discovered in MB CONNECT
LINE mymbCONNECT24 and mbC
CVE-2020-35557 (An issue was discovered in MB CONNECT LINE mymbCONNECT24 and
mbCONNECT ...)
NOT-FOR-US: MB CONNECT
CVE-2020-35556 (An issue was discovered in Acronis Cyber Protect before 15
Update 1 bu ...)
- TODO: check
+ NOT-FOR-US: Acronis
CVE-2020-35555 (An issue was discovered on LG mobile devices with Android OS
10 softwa ...)
NOT-FOR-US: LG mobile devices
CVE-2020-35554 (An issue was discovered on LG mobile devices with Android OS
8.0, 8.1, ...)
@@ -17595,11 +17595,11 @@ CVE-2021-20245 [Division by zero in
WriteAnimatedWEBPImage() in coders/webp.c]
NOTE: ImageMagick6:
https://github.com/ImageMagick/ImageMagick6/commit/a78d92dc0f468e79c3d761aae9707042952cdaca
CVE-2021-20244 [Division by zero in ImplodeImage in
MagickCore/visual-effects.c]
RESERVED
- - imagemagick <undetermined>
+ - imagemagick <unfixed>
[buster] - imagemagick <ignored> (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/pull/3194
NOTE: ImageMagick:
https://github.com/ImageMagick/ImageMagick/commit/329dd528ab79531d884c0ba131e97d43f872ab5d
- TODO: check
+ NOTE: In IM6 the code seems to be in magick/fx.c
CVE-2021-20243 [Division by zero in GetResizeFilterWeight in
MagickCore/resize.c]
RESERVED
- imagemagick <undetermined>
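Review bot: CVE-2021-20244 is promoted from `<undetermined>` to `<unfixed>` while the replacement NOTE still hedges ("In IM6 the code seems to be in magick/fx.c"), so the IM6 code path has not actually been confirmed; the sibling entry CVE-2021-20245 at the top of this hunk records a dedicated `ImageMagick6:` fix commit, and it would be clearer to either add the corresponding ImageMagick6 commit here or leave a TODO next to the NOTE until that lookup is done. CVE-2021-20243 in the trailing context stays `<undetermined>`; if the same triage applies to it, it should be updated in the same way.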
@@ -24972,7 +24972,7 @@ CVE-2020-28500 (All versions of package lodash; all
versions of package org.fuji
- node-lodash <unfixed>
NOTE: https://snyk.io/vuln/SNYK-JS-LODASH-1018905
CVE-2020-28499 (All versions of package merge are vulnerable to Prototype
Pollution vi ...)
- TODO: check
+ NOTE: Only bogus references listed, unclear what this is about
CVE-2020-28498 (The package elliptic before 6.5.4 are vulnerable to
Cryptographic Issu ...)
- node-elliptic <unfixed>
NOTE:
https://github.com/indutny/elliptic/commit/441b7428b0e8f6636c42118ad2aaa186d3c34c3f
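Review bot: replacing the `TODO: check` for CVE-2020-28499 with only a NOTE leaves the entry with no status line at all, so it drops out of the triage queue without having been resolved as NOT-FOR-US or assigned to a package; keep the TODO alongside the NOTE (for example `NOTE: Only bogus references listed, unclear what this is about` followed by `TODO: check`) so it is revisited once usable references appear.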
@@ -24980,7 +24980,9 @@ CVE-2020-28498 (The package elliptic before 6.5.4 are
vulnerable to Cryptographi
CVE-2020-28497
RESERVED
CVE-2020-28496 (This affects the package three before 0.125.0. This can happen
when ha ...)
- TODO: check
+ - three.js <unfixed>
+ NOTE:
https://github.com/mrdoob/three.js/pull/21143/commits/4a582355216b620176a291ff319d740e619d583e
+ NOTE: https://github.com/mrdoob/three.js/issues/21132
CVE-2020-28495 (This affects the package total.js before 3.4.7. The set
function can b ...)
NOT-FOR-US: Node total.js
CVE-2020-28494 (This affects the package total.js before 3.4.7. The issue
occurs in th ...)
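Review bot: the first NOTE for CVE-2020-28496 links a commit via the pull-request path (`/pull/21143/commits/4a58235...`), which is tied to the PR's branch and can disappear or change hash if the PR is rebased; linking the commit by its plain `/commit/<hash>` URL once merged, or the PR URL `https://github.com/mrdoob/three.js/pull/21143` itself, gives a stable reference, as the elliptic and prismjs entries in this patch already do.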
@@ -27064,7 +27066,7 @@ CVE-2020-28250 (Cellinx NVT Web Server 5.0.0.014b.test
2019-09-05 allows a remot
CVE-2020-28249 (Joplin 1.2.6 for Desktop allows XSS via a LINK element in a
note. ...)
NOT-FOR-US: Joplin
CVE-2020-28248 (An integer overflow in the PngImg::InitStorage_() function of
png-img ...)
- TODO: check
+ NOT-FOR-US: png-img
CVE-2020-28247 (The lettre library through 0.10.0-alpha for Rust allows
arbitrary send ...)
NOT-FOR-US: Node lettre
CVE-2020-28246
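Review bot: the `NOT-FOR-US: png-img` line is fine, but the unchanged context line directly below it labels CVE-2020-28247 as `NOT-FOR-US: Node lettre` although the CVE text in the same hunk describes lettre as a library "for Rust"; since this file is being touched anyway, correcting that label to `NOT-FOR-US: lettre (Rust crate)` would avoid a misleading search hit.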
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ddd94352c2e8e1b9be204e6410de9d5ef7b49027
_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits