Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
8ef29327 by Moritz Muehlenhoff at 2021-02-22T18:45:05+01:00
new gsoap, ruby-twitter-stream issues
NFUs
some rust issues no-dsa in buster
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -9620,6 +9620,7 @@ CVE-2021-23336 (The package python/cpython from 0 and
before 3.6.13, from 3.7.0
- python3.9 <unfixed>
- python3.8 <removed>
- python3.7 <removed>
+ [buster] - python3.7 <no-dsa> (Minor issue)
- python3.5 <removed>
NOTE: https://github.com/python/cpython/pull/24297
NOTE:
https://github.com/python/cpython/commit/fcbe0cb04d35189401c0c880ebfb4311e952d776
(master)
@@ -14654,6 +14655,7 @@ CVE-2020-35709 (bloofoxCMS 0.5.2.1 allows admins to
upload arbitrary .php files
NOT-FOR-US: bloofoxCMS
CVE-2020-35711 (An issue has been discovered in the arc-swap crate before
0.4.8 (and 1 ...)
- rust-arc-swap <unfixed>
+ [buster] - rust-arc-swap <no-dsa> (Minor issue)
NOTE: https://github.com/vorner/arc-swap/issues/45
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0091.html
CVE-2020-35708 (phpList 3.5.9 allows SQL injection by admins who provide a
crafted fou ...)
@@ -22751,22 +22753,27 @@ CVE-2020-26235 (In Rust time crate from version 0.2.7
and before version 0.2.23,
NOTE: Deprecated in:
https://github.com/time-rs/time/commit/f153a1ca5fdfec979f16c49619e6034cc67e186d
(v0.2.23)
CVE-2020-35914 (An issue was discovered in the lock_api crate before 0.4.2 for
Rust. A ...)
- rust-lock-api <unfixed> (bug #975319)
+ [buster] - rust-lock-api <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
NOTE: https://github.com/Amanieu/parking_lot/pull/262
CVE-2020-35913 (An issue was discovered in the lock_api crate before 0.4.2 for
Rust. A ...)
- rust-lock-api <unfixed> (bug #975319)
+ [buster] - rust-lock-api <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
NOTE: https://github.com/Amanieu/parking_lot/pull/262
CVE-2020-35912 (An issue was discovered in the lock_api crate before 0.4.2 for
Rust. A ...)
- rust-lock-api <unfixed> (bug #975319)
+ [buster] - rust-lock-api <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
NOTE: https://github.com/Amanieu/parking_lot/pull/262
CVE-2020-35911 (An issue was discovered in the lock_api crate before 0.4.2 for
Rust. A ...)
- rust-lock-api <unfixed> (bug #975319)
+ [buster] - rust-lock-api <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
NOTE: https://github.com/Amanieu/parking_lot/pull/262
CVE-2020-35910 (An issue was discovered in the lock_api crate before 0.4.2 for
Rust. A ...)
- rust-lock-api <unfixed> (bug #975319)
+ [buster] - rust-lock-api <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
NOTE: https://github.com/Amanieu/parking_lot/pull/262
CVE-2020-28971 (An issue was discovered on Western Digital My Cloud OS 5
devices befor ...)
@@ -35669,7 +35676,7 @@ CVE-2020-24910
CVE-2020-24909
RESERVED
CVE-2020-24908 (Checkmk before 1.6.0p17 allows local users to obtain SYSTEM
privileges ...)
- TODO: check
+ - check-mk <removed>
CVE-2020-24907
RESERVED
CVE-2020-24906
@@ -36800,7 +36807,8 @@ CVE-2020-24394 (In the Linux kernel before 5.7.8,
fs/nfsd/vfs.c (in the NFS serv
CVE-2020-24393 (TweetStream 2.6.1 uses the library eventmachine in an insecure
way tha ...)
NOT-FOR-US: TweetStream
CVE-2020-24392 (In voloko twitter-stream 0.1.10, missing TLS hostname
validation allow ...)
- TODO: check
+ - ruby-twitter-stream <unfixed>
+ NOTE:
https://securitylab.github.com/advisories/GHSL-2020-097-voloko-twitter-stream
CVE-2020-24391
RESERVED
CVE-2020-24390 (eonweb in EyesOfNetwork before 5.3-7 does not properly escape
the user ...)
@@ -60901,15 +60909,20 @@ CVE-2020-13580 (An exploitable heap-based buffer
overflow vulnerability exists i
CVE-2020-13579 (An exploitable integer overflow vulnerability exists in the
PlanMaker ...)
NOT-FOR-US: SoftMaker
CVE-2020-13578 (A denial-of-service vulnerability exists in the WS-Security
plugin fun ...)
- TODO: check
+ - gsoap <unfixed>
+ NOTE:
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1189
CVE-2020-13577 (A denial-of-service vulnerability exists in the WS-Security
plugin fun ...)
- TODO: check
+ - gsoap <unfixed>
+ NOTE:
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1188
CVE-2020-13576 (A code execution vulnerability exists in the WS-Addressing
plugin func ...)
- TODO: check
+ - gsoap <unfixed>
+ NOTE:
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1187
CVE-2020-13575 (A denial-of-service vulnerability exists in the WS-Addressing
plugin f ...)
- TODO: check
+ - gsoap <unfixed>
+ NOTE:
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1186
CVE-2020-13574 (A denial-of-service vulnerability exists in the WS-Security
plugin fun ...)
- TODO: check
+ - gsoap <unfixed>
+ NOTE:
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1185
CVE-2020-13573 (A denial-of-service vulnerability exists in the Ethernet/IP
server fun ...)
NOT-FOR-US: Rockwell Automation RSLinx Classic
CVE-2020-13572 (A heap overflow vulnerability exists in the way the GIF parser
decodes ...)
@@ -68050,7 +68063,7 @@ CVE-2020-11225 (Out of bound access in WLAN driver due
to lack of validation of
CVE-2020-11224
RESERVED
CVE-2020-11223 (Out of bound in camera driver due to lack of check of
validation of ar ...)
- TODO: check
+ NOT-FOR-US: Qualcomm components for Android
CVE-2020-11222
RESERVED
CVE-2020-11221
@@ -68088,7 +68101,7 @@ CVE-2020-11206 (u'Possible buffer overflow in Fastrpc
while handling received pa
CVE-2020-11205 (u'Possible integer overflow to heap overflow while processing
command ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2020-11204 (Possible memory corruption and information leakage in
sub-system due t ...)
- TODO: check
+ NOT-FOR-US: Qualcomm components for Android
CVE-2020-11203 (Stack overflow may occur if GSM/WCDMA broadcast config size
received f ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2020-11202 (u'Buffer overflow/underflow occurs when typecasting the buffer
passed ...)
@@ -68100,15 +68113,15 @@ CVE-2020-11200 (Buffer over-read while parsing RPS
due to lack of check of input
CVE-2020-11199
RESERVED
CVE-2020-11198 (Key material used for TZ diag buffer encryption and other data
related ...)
- TODO: check
+ NOT-FOR-US: Qualcomm components for Android
CVE-2020-11197 (Possible integer overflow can occur when stream info update is
called ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2020-11196 (u'Integer overflow to buffer overflow occurs while playback of
ASF cli ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2020-11195 (Out of bound write and read in TA while processing command
from NS sid ...)
- TODO: check
+ NOT-FOR-US: Qualcomm components for Android
CVE-2020-11194 (Possible out of bound access in TA while processing a command
from NS ...)
- TODO: check
+ NOT-FOR-US: Qualcomm components for Android
CVE-2020-11193 (u'Buffer over read can happen while parsing mkv clip due to
improper t ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2020-11192
@@ -68206,7 +68219,7 @@ CVE-2020-11149 (Out of bound access due to usage of an
out-of-range pointer offs
CVE-2020-11148 (Use after free issue in HIDL while using callback to post
event in Rx ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2020-11147 (Use after free issue in audio modules while removing and
freeing objec ...)
- TODO: check
+ NOT-FOR-US: Qualcomm components for Android
CVE-2020-11146 (Out of bound write while copying data using IOCTL due to lack
of check ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2020-11145 (Divide by zero issue can happen while updating delta extension
header ...)
@@ -75159,9 +75172,9 @@ CVE-2020-8569 (Kubernetes CSI snapshot-controller prior
to v2.1.3 and v3.0.2 cou
NOT-FOR-US: Kubernetes CSI Snapshotter
NOTE: https://github.com/kubernetes-csi/external-snapshotter/issues/421
CVE-2020-8568 (Kubernetes Secrets Store CSI Driver versions v0.0.15 and
v0.0.16 allow ...)
- TODO: check
+ NOT-FOR-US: Kubernetes Secrets Store CSI Driver
CVE-2020-8567 (Kubernetes Secrets Store CSI Driver Vault Plugin prior to
v0.0.6, Azur ...)
- TODO: check
+ NOT-FOR-US: Kubernetes Secrets Store CSI Driver
CVE-2020-8566 (In Kubernetes clusters using Ceph RBD as a storage provisioner,
with l ...)
- kubernetes 1.19.3-1 (bug #972341)
NOTE: https://github.com/kubernetes/kubernetes/pull/95245
@@ -76521,7 +76534,8 @@ CVE-2020-8033 (Ruckus R500 3.4.2.0.384 devices allow
XSS via the index.asp Devic
CVE-2020-8032
RESERVED
CVE-2020-8031 (A Improper Neutralization of Input During Web Page Generation
('Cross- ...)
- TODO: check
+ - open-build-service <unfixed>
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1178880
CVE-2020-8030 (A Insecure Temporary File vulnerability in skuba of SUSE CaaS
Platform ...)
NOT-FOR-US: SuSE CaaS
CVE-2020-8029 (A Incorrect Permission Assignment for Critical Resource
vulnerability ...)
@@ -77208,7 +77222,7 @@ CVE-2020-7796 (Zimbra Collaboration Suite (ZCS) before
8.8.15 Patch 7 allows SSR
CVE-2020-7795
RESERVED
CVE-2020-7794 (This affects all versions of package buns. The injection point
is loca ...)
- TODO: check
+ NOT-FOR-US: Node buns
CVE-2020-7793 (The package ua-parser-js before 0.7.23 are vulnerable to
Regular Expre ...)
- node-ua-parser-js 0.7.23+ds-1
[buster] - node-ua-parser-js <no-dsa> (Minor issue)
@@ -77231,7 +77245,7 @@ CVE-2020-7788 (This affects the package ini before
1.3.6. If an attacker submits
CVE-2020-7787 (This affects all versions of package react-adal. It is possible
for a ...)
NOT-FOR-US: Node react-adal
CVE-2020-7786 (This affects all versions of package macfromip. The injection
point is ...)
- TODO: check
+ NOT-FOR-US: Node macfromip
CVE-2020-7785 (This affects all versions of package node-ps. The injection
point is l ...)
TODO: check
CVE-2020-7784 (This affects all versions of package ts-process-promises. The
injectio ...)
@@ -83116,9 +83130,9 @@ CVE-2020-5430
CVE-2020-5429
REJECTED
CVE-2020-5428 (In applications using Spring Cloud Task 2.2.4.RELEASE and
below, may b ...)
- TODO: check
+ NOT-FOR-US: Vmware
CVE-2020-5427 (In Spring Cloud Data Flow, versions 2.6.x prior to 2.6.5,
versions 2.5 ...)
- TODO: check
+ NOT-FOR-US: Vmware
CVE-2020-5426 (Scheduler for TAS prior to version 1.4.0 was permitting
plaintext tran ...)
NOT-FOR-US: Vmware
CVE-2020-5425 (Single Sign-On for Vmware Tanzu all versions prior to 1.11.3
,1.12.x v ...)
@@ -88195,7 +88209,7 @@ CVE-2020-3666 (u'Out of bounds memory access during
memory copy while processing
CVE-2020-3665 (A possible buffer overflow would occur while processing command
from f ...)
NOT-FOR-US: Snapdragon
CVE-2020-3664 (Out of bound read access in hypervisor due to an invalid read
access a ...)
- TODO: check
+ NOT-FOR-US: Qualcomm components for Android
CVE-2020-3663 (Buffer over-write may occur during fetching track decoder
specific inf ...)
NOT-FOR-US: Snapdragon
CVE-2020-3662 (Buffer overflow can occur while parsing eac3 header while
playing the ...)
@@ -93969,7 +93983,7 @@ CVE-2020-1725 (A flaw was found in keycloak before
version 13.0.0. In some scena
CVE-2020-1724 (A flaw was found in Keycloak in versions before 9.0.2. This
flaw allow ...)
NOT-FOR-US: Keycloak
CVE-2020-1723 (The logout endpoint /oauth/logout?redirect=url can be abused to
redire ...)
- TODO: check
+ NOT-FOR-US: Keycloak
CVE-2020-1722 (A flaw was found in all ipa versions 4.x.x through 4.8.0. When
sending ...)
- freeipa 4.8.8-2 (bug #966200)
[buster] - freeipa <no-dsa> (Minor issue)
@@ -99673,7 +99687,7 @@ CVE-2020-0473 (In updateIncomingFileConfirmNotification
of BluetoothOppNotificat
CVE-2020-0472
RESERVED
CVE-2020-0471 (In reassemble_and_dispatch of packet_fragmenter.cc, there is a
possibl ...)
- TODO: check
+ NOT-FOR-US: Android
CVE-2020-0470 (In extend_frame_highbd of restoration.c, there is a possible
out of bo ...)
NOT-FOR-US: Android Media Framework
CVE-2020-0469 (In addEscrowToken of LockSettingsService.java, there is a
possible los ...)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ef29327ccb4a61ae824eb7834b4a3aca488ca01
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ef29327ccb4a61ae824eb7834b4a3aca488ca01
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
