Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
fa2415fd by Moritz Muehlenhoff at 2021-06-08T11:40:09+02:00
NFUs
new chromium issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -804,7 +804,7 @@ CVE-2021-33906
 CVE-2021-33905
        RESERVED
 CVE-2021-33904 (In Accela Civic Platform through 21.1, the 
security/hostSignon.do para ...)
-       TODO: check
+       NOT-FOR-US: Accela Civic Platform
 CVE-2021-33903
        RESERVED
 CVE-2021-33902
@@ -814,9 +814,9 @@ CVE-2021-33901
 CVE-2021-33900
        RESERVED
 CVE-2020-36384 (PageLayer before 1.3.5 allows reflected XSS via color 
settings. ...)
-       TODO: check
+       NOT-FOR-US: PageLayer
 CVE-2020-36383 (PageLayer before 1.3.5 allows reflected XSS via the font-size 
paramete ...)
-       TODO: check
+       NOT-FOR-US: PageLayer
 CVE-2021-33899
        RESERVED
 CVE-2021-33898 (In Invoice Ninja before 4.4.0, there is an unsafe call to 
unserialize( ...)
@@ -2432,7 +2432,6 @@ CVE-2021-33197
        - golang-1.7 <removed>
        NOTE: https://github.com/golang/go/issues/46313
        NOTE: https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
-       TODO: check completeness/correctness of the tracking
 CVE-2021-33196 [archive/zip: malformed archive may cause panic or memory 
exhaustion]
        RESERVED
        - golang-1.16 1.16.5-1 (bug #989492)
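Review bot: the TODO asking to check completeness/correctness of the tracking for CVE-2021-33197 is dropped, but nothing in the hunk records what was verified; the visible entries (golang-1.7 <removed> and the two NOTE links) are unchanged, so a NOTE line summarising which golang source packages were confirmed affected or unaffected would keep the rationale with the entry rather than only in this commit.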
@@ -3597,9 +3596,9 @@ CVE-2021-32673
 CVE-2021-32672
        RESERVED
 CVE-2021-32671 (Flarum is a forum software for building communities. Flarum's 
translat ...)
-       TODO: check
+       NOT-FOR-US: Flarum
 CVE-2021-32670 (Datasette is an open source multi-tool for exploring and 
publishing da ...)
-       TODO: check
+       NOT-FOR-US: Datasette
 CVE-2021-32669
        RESERVED
 CVE-2021-32668
@@ -6432,10 +6431,11 @@ CVE-2021-31525 (net/http in Go before 1.15.12 and 
1.16.x before 1.16.4 allows re
        - golang-1.11 <removed>
        - golang-golang-x-net 1:0.0+git20210119.5f4716e+dfsg-3
        - golang-golang-x-net-dev <removed>
+       - golang-1.8 <removed>
+       - golang-1.7 <removed>
        NOTE: https://github.com/golang/go/issues/45710
        NOTE: https://github.com/golang/go/issues/45711 (1.15 backport)
        NOTE: https://github.com/golang/go/issues/45712 (1.16 backport)
-       TODO: check details for golang-1.11 and older
 CVE-2021-26945
        RESERVED
        - openexr <unfixed>
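Review bot: the TODO for golang-1.11 and older is closed by adding golang-1.8 and golang-1.7 as <removed>, which matches how CVE-2021-33197 lists golang-1.7 <removed>; the context shows only golang-1.11 above the new lines, so it is worth confirming that no other removed golang-1.x source package between 1.8 and 1.11 needs the same entry. As a style point, the new lines sit below golang-golang-x-net-dev rather than next to golang-1.11, so grouping the golang-1.x lines together would keep the entry easier to scan.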
@@ -8649,9 +8649,11 @@ CVE-2021-30545
 CVE-2021-30544
        RESERVED
 CVE-2021-30543 (Use after free in Tab Strip in Google Chrome prior to 
91.0.4472.77 all ...)
-       TODO: check
+       - chromium <unfixed>
+       [stretch] - chromium <end-of-life> (see DSA 4562)
 CVE-2021-30542 (Use after free in Tab Strip in Google Chrome prior to 
91.0.4472.77 all ...)
-       TODO: check
+       - chromium <unfixed>
+       [stretch] - chromium <end-of-life> (see DSA 4562)
 CVE-2021-30541
        RESERVED
 CVE-2021-30540 (Incorrect security UI in payments in Google Chrome on Android 
prior to ...)
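Review bot: both new chromium entries (CVE-2021-30543 and CVE-2021-30542) are <unfixed> with only a [stretch] end-of-life annotation; the descriptions already name the fixed upstream version (91.0.4472.77), so once the corresponding Debian upload exists the <unfixed> marker should be replaced with that package version, and a NOTE pointing at the upstream advisory would match the NOTE convention used elsewhere in this file (for example the Go entries).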
@@ -11025,7 +11027,7 @@ CVE-2021-29622 (Prometheus is an open-source monitoring 
system and time series d
        NOTE: The vulnerability itself is introduced with 2.23.0 upstream.
        NOTE: See https://bugs.debian.org/988804 for details.
 CVE-2021-29621 (Flask-AppBuilder is a development framework, built on top of 
Flask. Us ...)
-       TODO: check
+       NOT-FOR-US: Flask-AppBuilder
 CVE-2021-29620
        RESERVED
 CVE-2021-29619 (TensorFlow is an end-to-end open source platform for machine 
learning. ...)
@@ -11269,7 +11271,7 @@ CVE-2021-29505 (XStream is software for serializing 
Java objects to XML and back
        - libxstream-java <unfixed> (bug #989491)
        NOTE: 
https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc
 CVE-2021-29504 (WP-CLI is the command-line interface for WordPress. An 
improper error  ...)
-       TODO: check
+       NOT-FOR-US: WP-CLI
 CVE-2021-29503 (HedgeDoc is a platform to write and share markdown. HedgeDoc 
before ve ...)
        NOT-FOR-US: HedgeDoc
 CVE-2021-29502 (WarnSystem is a cog (plugin) for the Red discord bot. A 
vulnerability  ...)
@@ -12300,7 +12302,7 @@ CVE-2021-29101 (ArcGIS GeoEvent Server versions 10.8.1 
and below has a read-only
 CVE-2021-29100 (A path traversal vulnerability exists in Esri ArcGIS Earth 
versions 1. ...)
        NOT-FOR-US: Esri
 CVE-2021-29099 (A SQL injection vulnerability exists in some configurations of 
ArcGIS  ...)
-       TODO: check
+       NOT-FOR-US: Esri
 CVE-2021-29098 (Multiple uninitialized pointer vulnerabilities when parsing a 
speciall ...)
        NOT-FOR-US: Esri (various ArcGIS products)
 CVE-2021-29097 (Multiple buffer overflow vulnerabilities when parsing a 
specially craf ...)
@@ -12985,9 +12987,9 @@ CVE-2021-28813
 CVE-2021-28812 (A command injection vulnerability has been reported to affect 
certain  ...)
        NOT-FOR-US: QNAP
 CVE-2021-28811 (If exploited, this command injection vulnerability could allow 
remote  ...)
-       TODO: check
+       NOT-FOR-US: QNAP
 CVE-2021-28810 (If exploited, this vulnerability allows an attacker to access 
resource ...)
-       TODO: check
+       NOT-FOR-US: QNAP
 CVE-2021-28809
        RESERVED
 CVE-2021-28808
@@ -13967,7 +13969,7 @@ CVE-2021-28384
 CVE-2021-28383
        RESERVED
 CVE-2021-28382 (Zoho ManageEngine Key Manager Plus before 6001 allows Stored 
XSS on th ...)
-       TODO: check
+       NOT-FOR-US: Zoho
 CVE-2021-28381 (The vhs (aka VHS: Fluid ViewHelpers) extension before 5.1.1 
for TYPO3  ...)
        NOT-FOR-US: vhs (aka VHS: Fluid ViewHelpers) extension for TYPO3
 CVE-2021-28380 (The aimeos (aka Aimeos shop and e-commerce framework) 
extension before ...)
@@ -19539,11 +19541,11 @@ CVE-2021-26082
 CVE-2021-26081
        RESERVED
 CVE-2021-26080 (EditworkflowScheme.jspa in Jira Server and Jira Data Center 
before ver ...)
-       TODO: check
+       NOT-FOR-US: Atlassian
 CVE-2021-26079 (The CardLayoutConfigTable component in Jira Server and Jira 
Data Cente ...)
-       TODO: check
+       NOT-FOR-US: Atlassian
 CVE-2021-26078 (The number range searcher component in Jira Server and Jira 
Data Cente ...)
-       TODO: check
+       NOT-FOR-US: Atlassian
 CVE-2021-26077 (Broken Authentication in Atlassian Connect Spring Boot (ACSB) 
in versi ...)
        NOT-FOR-US: Atlassian
 CVE-2021-26076 (The jira.editor.user.mode cookie set by the Jira Editor Plugin 
in Jira ...)
@@ -20035,7 +20037,7 @@ CVE-2021-3279
 CVE-2021-3278 (Local Service Search Engine Management System 1.0 has a 
vulnerability  ...)
        NOT-FOR-US: Local Service Search Engine Management System
 CVE-2021-3277 (Nagios XI 5.7.5 and earlier allows authenticated admins to 
upload arbi ...)
-       TODO: check
+       NOT-FOR-US: Nagios XI
 CVE-2021-3276
        RESERVED
 CVE-2021-3275 (Unauthenticated stored cross-site scripting (XSS) exists in 
multiple T ...)
@@ -23587,23 +23589,23 @@ CVE-2021-24346
 CVE-2021-24345
        RESERVED
 CVE-2021-24344 (The Easy Preloader WordPress plugin through 1.0.0 does not 
sanitise it ...)
-       TODO: check
+       NOT-FOR-US: WordPress plugin
 CVE-2021-24343 (The iFlyChat - WordPress Chat plugin through 4.6.4 does not 
sanitise i ...)
-       TODO: check
+       NOT-FOR-US: WordPress plugin
 CVE-2021-24342 (The JNews WordPress theme before 8.0.6 did not sanitise the 
cat_id par ...)
-       TODO: check
+       NOT-FOR-US: WordPress theme
 CVE-2021-24341
        RESERVED
 CVE-2021-24340 (The WP Statistics WordPress plugin before 13.0.8 relied on 
using the W ...)
-       TODO: check
+       NOT-FOR-US: WordPress plugin
 CVE-2021-24339
        RESERVED
 CVE-2021-24338
        RESERVED
 CVE-2021-24337 (The id GET parameter of one of the Video Embed WordPress 
plugin throug ...)
-       TODO: check
+       NOT-FOR-US: WordPress plugin
 CVE-2021-24336 (The FlightLog WordPress plugin through 3.0.2 does not 
sanitise, valida ...)
-       TODO: check
+       NOT-FOR-US: WordPress plugin
 CVE-2021-24335 (The Car Repair Services &amp; Auto Mechanic WordPress theme 
before 4.0 ...)
        NOT-FOR-US: WordPress theme
 CVE-2021-24334 (The Instant Images &#8211; One Click Unsplash Uploads 
WordPress plugin ...)
@@ -33378,9 +33380,9 @@ CVE-2021-20701
 CVE-2021-20700
        RESERVED
 CVE-2021-20699 (Sharp NEC Displays (UN462A R1.300 and prior to it, UN462VA 
R1.300 and  ...)
-       TODO: check
+       NOT-FOR-US: SHARP
 CVE-2021-20698 (Sharp NEC Displays (UN462A R1.300 and prior to it, UN462VA 
R1.300 and  ...)
-       TODO: check
+       NOT-FOR-US: SHARP
 CVE-2021-20697 (Missing authentication for critical function in DAP-1880AC 
firmware ve ...)
        NOT-FOR-US: DAP-1880AC firmware
 CVE-2021-20696 (DAP-1880AC firmware version 1.21 and earlier allows a remote 
authentic ...)
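Review bot: the two new NOT-FOR-US lines for CVE-2021-20699 and CVE-2021-20698 use "SHARP" while the CVE descriptions say "Sharp NEC Displays"; other entries in this hunk name the product as in the description (e.g. "NOT-FOR-US: DAP-1880AC firmware" just below), so "NOT-FOR-US: Sharp NEC Displays" would be the consistent spelling.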
@@ -33742,7 +33744,7 @@ CVE-2021-20519 (IBM Jazz Team Server products are 
vulnerable to cross-site scrip
 CVE-2021-20518 (IBM Jazz Foundation Products are vulnerable to cross-site 
scripting. T ...)
        NOT-FOR-US: IBM
 CVE-2021-20517 (IBM WebSphere Application Server Network Deployment 8.5 and 
9.0 could  ...)
-       TODO: check
+       NOT-FOR-US: IBM
 CVE-2021-20516
        RESERVED
 CVE-2021-20515 (IBM Informix Dynamic Server 14.10 is vulnerable to a stack 
based buffe ...)
@@ -66619,15 +66621,15 @@ CVE-2020-18270
 CVE-2020-18269
        RESERVED
 CVE-2020-18268 (Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote 
attackers  ...)
-       TODO: check
+       NOT-FOR-US: Z-BlogPHP
 CVE-2020-18267
        RESERVED
 CVE-2020-18266
        RESERVED
 CVE-2020-18265 (Cross Site Request Forgery (CSRF) in Simple-Log v1.6 allows 
remote att ...)
-       TODO: check
+       NOT-FOR-US: Simple-Log
 CVE-2020-18264 (Cross Site Request Forgery (CSRF) in Simple-Log v1.6 allows 
remote att ...)
-       TODO: check
+       NOT-FOR-US: Simple-Log
 CVE-2020-18263
        RESERVED
 CVE-2020-18262
@@ -87642,7 +87644,7 @@ CVE-2020-10668 (The web application exposed by the 
Canon Oce Colorwave 500 4.0.0
 CVE-2020-10667 (The web application exposed by the Canon Oce Colorwave 500 
4.0.0.0 pri ...)
        NOT-FOR-US: Canon
 CVE-2020-10666 (The restapps (aka Rest Phone apps) module for Sangoma FreePBX 
and PBXa ...)
-       TODO: check
+       NOT-FOR-US: FreePBX
 CVE-2020-10674 (PerlSpeak through 2.01 allows attackers to execute arbitrary 
OS comman ...)
        - libperlspeak-perl <removed> (bug #954238)
        [jessie] - libperlspeak-perl <end-of-life> (Not supported in jessie LTS)
@@ -95544,7 +95546,7 @@ CVE-2020-7471 (Django 1.11 before 1.11.28, 2.2 before 
2.2.10, and 3.0 before 3.0
 CVE-2020-7470 (Sonoff TH 10 and 16 devices with firmware 6.6.0.21 allows XSS 
via the  ...)
        NOT-FOR-US: Sonoff TH 10 and 16 devices
 CVE-2020-7469 (In FreeBSD 12.2-STABLE before r367402, 11.4-STABLE before 
r368202, 12. ...)
-       TODO: check
+       - kfreebsd-10 <unfixed> (unimportant)
 CVE-2020-7468 (In FreeBSD 12.2-STABLE before r365772, 11.4-STABLE before 
r365773, 12. ...)
        NOT-FOR-US: FreeBSD ftpd
 CVE-2020-7467 (In FreeBSD 12.2-STABLE before r365767, 11.4-STABLE before 
r365769, 12. ...)
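Review bot: CVE-2020-7469 is tracked as kfreebsd-10 <unfixed> (unimportant) while the neighbouring FreeBSD issue CVE-2020-7468 is NOT-FOR-US: FreeBSD ftpd; since the hunk gives no reason for the "unimportant" severity, a NOTE line explaining why this issue applies to the kfreebsd-10 kernel source and why it is rated unimportant would document the triage for the next reader.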
@@ -102182,7 +102184,7 @@ CVE-2020-5010
 CVE-2020-5009
        RESERVED
 CVE-2020-5008 (IBM DataPower Gateway 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 
through ...)
-       TODO: check
+       NOT-FOR-US: IBM
 CVE-2020-5007
        RESERVED
 CVE-2020-5006



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa2415fdf64609012b42f01f0a10cce8a52e6cc5


_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
