Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
23383b39 by Moritz Mühlenhoff at 2021-05-21T21:59:28+02:00
various bugs filed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -28524,7 +28524,7 @@ CVE-2019-25010 (An issue was discovered in the failure 
crate through 2019-11-13
        [buster] - rust-failure <no-dsa> (Minor issue, unmaintained/deprecated 
upstream)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0036.html
 CVE-2019-25009 (An issue was discovered in the http crate before 0.1.20 for 
Rust. The  ...)
-       - rust-http <unfixed>
+       - rust-http <unfixed> (bug #988945)
        [buster] - rust-http <no-dsa> (Minor issue)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0034.html
        NOTE: 
https://github.com/hyperium/http/commit/82d53dbdfdb1ffbeb0323200a0bbd30b5f895fa7
@@ -32147,7 +32147,7 @@ CVE-2021-20292 [RM Memory Management Double Free 
Privilege Escalation Vulnerabil
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939686
        NOTE: 
https://git.kernel.org/linus/5de5b6ecf97a021f29403aa272cb4e03318ef586
 CVE-2021-20291 (A deadlock vulnerability was found in 
'github.com/containers/storage'  ...)
-       - golang-github-containers-image <unfixed>
+       - golang-github-containers-image <unfixed> (bug #988942)
        NOTE: 
https://github.com/containers/storage/commit/306fcabc964470e4b3b87a43a8f6b7d698209ee1
        TODO: check golang-github-containers-buildah, docker.io, 
golang-github-containers-storage
 CVE-2021-20290
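Review bot: the bug number is attached to golang-github-containers-image, but the CVE text names 'github.com/containers/storage' and the referenced fix commit lives in containers/storage; the TODO line still lists golang-github-containers-storage (plus golang-github-containers-buildah and docker.io) as unchecked. Either confirm in the bug report that the affected storage code is vendored into golang-github-containers-image, or file the bug against golang-github-containers-storage and resolve the TODO so the package list for this CVE is complete.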
@@ -39966,10 +39966,10 @@ CVE-2020-28485
 CVE-2020-28484
        RESERVED
 CVE-2020-28483 (This affects all versions of package github.com/gin-gonic/gin. 
When gi ...)
-       - golang-github-gin-gonic-gin <unfixed>
+       - golang-github-gin-gonic-gin <unfixed> (bug #988943)
        [buster] - golang-github-gin-gonic-gin <no-dsa> (Minor issue)
        NOTE: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGINGONICGIN-1041736
-       NOTE: https://github.com/gin-gonic/gin/pull/2474#issuecomment-729696437
+       NOTE: https://github.com/gin-gonic/gin/pull/2474
        NOTE: 
https://github.com/gin-gonic/gin/commit/c9ea8ece4a3881028f7f715f008414346a7f4b88
 CVE-2020-28482 (This affects the package fastify-csrf before 3.0.0. 1. The 
generated c ...)
        NOT-FOR-US: Node fastify-csrf
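Review bot: replacing `NOTE: https://github.com/gin-gonic/gin/pull/2474#issuecomment-729696437` with the bare PR URL drops the pointer to a specific comment that was presumably the reason the link was recorded; if that comment holds the triage rationale, keep the anchored link alongside the PR link rather than removing it, since the separate commit NOTE already covers the fix itself.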
@@ -46038,7 +46038,7 @@ CVE-2020-26894 (LiveCode v9.6.1 on Windows allows 
local, low-privileged users to
 CVE-2020-26893 (An issue was discovered in ClamXAV 3 before 3.1.1. A malicious 
actor c ...)
        NOT-FOR-US: ClamXAV
 CVE-2020-26892 (The JWT library in NATS nats-server before 2.1.9 has Incorrect 
Access  ...)
-       - golang-github-nats-io-jwt <unfixed>
+       - golang-github-nats-io-jwt <unfixed> (bug #988950)
        [buster] - golang-github-nats-io-jwt <no-dsa> (Minor issue)
        NOTE: https://advisories.nats.io/CVE/CVE-2020-26892.txt
 CVE-2020-26891 (AuthRestServlet in Matrix Synapse before 1.21.0 is vulnerable 
to XSS d ...)
@@ -46874,7 +46874,7 @@ CVE-2020-26523 (Froala Editor before 3.2.2 allows XSS 
via pasted content. ...)
 CVE-2020-26522 (A cross-site request forgery (CSRF) vulnerability in 
mod/user/act_user ...)
        NOT-FOR-US: Garfield Petshop
 CVE-2020-26521 (The JWT library in NATS nats-server before 2.1.9 allows a 
denial of se ...)
-       - golang-github-nats-io-jwt <unfixed>
+       - golang-github-nats-io-jwt <unfixed> (bug #988950)
        [buster] - golang-github-nats-io-jwt <no-dsa> (Minor issue)
        NOTE: https://advisories.nats.io/CVE/CVE-2020-26521.txt
 CVE-2020-26520
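Review bot: bug #988950 is now referenced from both CVE-2020-26892 and CVE-2020-26521 for golang-github-nats-io-jwt; a single bug for two CVEs is fine, but make sure the bug title and body list both CVE IDs and both advisory URLs (CVE-2020-26892.txt and CVE-2020-26521.txt), otherwise the maintainer may close it after fixing only one of them.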
@@ -75078,7 +75078,8 @@ CVE-2020-13951 (Attackers can use public NetTest web 
service of Apache OpenMeeti
 CVE-2020-13950
        RESERVED
 CVE-2020-13949 (In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could 
send sho ...)
-       - thrift <unfixed>
+       - thrift <unfixed> (bug #988949)
+       NOTE: https://seclists.org/oss-sec/2021/q1/140
 CVE-2020-13948 (While investigating a bug report on Apache Superset, it was 
determined ...)
        NOT-FOR-US: Apache Superset
 CVE-2020-13947 (An instance of a cross-site scripting vulnerability was 
identified to  ...)
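Review bot: CVE-2020-13949 gets a bug number and an oss-sec NOTE but, unlike the neighbouring entries in this commit, carries no per-release triage line; the description says 0.9.3 to 0.13.0 are affected, so add a `[buster] - thrift <no-dsa>` or `<not-affected>` line once the buster version has been checked, so the entry does not read as untriaged for stable.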
@@ -85295,7 +85296,7 @@ CVE-2020-10695
 CVE-2020-10694
        RESERVED
 CVE-2020-10693 (A flaw was found in Hibernate Validator version 6.1.2.Final. A 
bug in  ...)
-       - libhibernate-validator-java <unfixed>
+       - libhibernate-validator-java <unfixed> (bug #988946)
        [buster] - libhibernate-validator-java <not-affected> (EL support added 
in 5.x)
        [stretch] - libhibernate-validator-java <not-affected> (EL support 
added in 5.x)
        [jessie] - libhibernate-validator-java <not-affected> (EL support added 
in 5.x)
@@ -92794,7 +92795,7 @@ CVE-2020-7694 (This affects all versions of package 
uvicorn. The request logger
 CVE-2020-7693 (Incorrect handling of Upgrade header with the value websocket 
leads in ...)
        - node-socks <itp> (bug #922921)
 CVE-2020-7692 (PKCE support is not implemented in accordance with the RFC for 
OAuth 2 ...)
-       - google-oauth-client-java <unfixed>
+       - google-oauth-client-java <unfixed> (bug #988944)
        NOTE: https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEOAUTHCLIENT-575276
        NOTE: https://github.com/googleapis/google-oauth-java-client/issues/469
        NOTE: 
https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824
@@ -135537,7 +135538,7 @@ CVE-2019-11941 (A remote code execution vulnerability 
was identified in HPE Inte
 CVE-2019-11940 (In the course of decompressing HPACK inside the HTTP2 
protocol, an une ...)
        NOT-FOR-US: Facebook Proxygen
 CVE-2019-11939 (Golang Facebook Thrift servers would not error upon receiving 
messages ...)
-       - thrift <unfixed>
+       - thrift <unfixed> (bug #988948)
        NOTE: 
https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757
 CVE-2019-11938 (Java Facebook Thrift servers would not error upon receiving 
messages d ...)
        NOT-FOR-US: Java Facebook Thrift
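Review bot: the bug #988948 is filed against the thrift package, but the CVE text concerns "Golang Facebook Thrift servers" and the only NOTE points at a facebook/fbthrift commit, while the sibling CVE-2019-11938 (Java Facebook Thrift) is marked NOT-FOR-US; confirm that the Go code shipped in Debian's thrift package actually contains the affected fbthrift logic, and either add a NOTE with the corresponding Apache Thrift fix or mark this entry NOT-FOR-US for consistency with CVE-2019-11938.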



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/23383b39a0bfe1742dacfd10e628ce26ea698835



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
