Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
be9c2bb7 by Moritz Muehlenhoff at 2021-06-27T20:05:43+02:00
NFUs
resolve various TODOs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -9230,13 +9230,13 @@ CVE-2021-26260 (An integer overflow leading to a 
heap-buffer overflow was found
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1947582
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29423
        NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/894
-       TODO: check details
+       NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/088a61434568cedf3ac1521c44584be397909078
 CVE-2021-23215 (An integer overflow leading to a heap-buffer overflow was 
found in the ...)
        - openexr <unfixed>
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1947586
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29653
        NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/901
-       TODO: check details
+       NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/0e08c959c5459e2ffd3b81b654c3ce8b71a4b42c
 CVE-2021-23169 (A heap-buffer overflow was found in the copyIntoFrameBuffer 
function o ...)
        - openexr 2.5.4-2 (bug #988240)
        [buster] - openexr <not-affected> (Vulnerable code not present)
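Review bot: The fixing commit for CVE-2021-23215 is now recorded, but the package line directly above it still reads `- openexr <unfixed>`; if the linked commit is the upstream fix, the entry should either gain a fixed Debian version or keep a pointer that the fix is still pending in the archive. Consider also labelling the new lines as `NOTE: Fixed by: <url>` as the kramdown entry in this file does, so the commit is distinguishable from a merely related reference.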
@@ -9535,7 +9535,7 @@ CVE-2021-31414 (The unofficial vscode-rpm-spec extension 
before 0.3.2 for Visual
 CVE-2021-31413
        RESERVED
 CVE-2021-31412 (Improper sanitization of path in default RouteNotFoundError 
view in co ...)
-       TODO: check
+       NOT-FOR-US: Vaadin
 CVE-2021-31411 (Insecure temporary directory usage in frontend build 
functionality of  ...)
        NOT-FOR-US: Vaadin
 CVE-2021-31410 (Overly relaxed configuration of frontend resources server in 
Vaadin De ...)
@@ -13063,7 +13063,7 @@ CVE-2021-29955 (A transient execution vulnerability, 
named Floating Point Value
        NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2021-10/#CVE-2021-29955
        NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2021-11/#CVE-2021-29955
 CVE-2021-29954 (Proxy functionality built into Hubs Cloud&#8217;s Reticulum 
software a ...)
-       TODO: check
+       NOT-FOR-US: Hubs Cloud
 CVE-2021-29953 (A malicious webpage could have forced a Firefox for Android 
user into  ...)
        - firefox <not-affected> (Only affects Android)
        NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2021-20/#CVE-2021-29953
@@ -15832,7 +15832,7 @@ CVE-2021-28834 (Kramdown before 2.3.1 does not restrict 
Rouge formatters to the
        NOTE: Fixed by: 
https://github.com/gettalong/kramdown/commit/d6a1cbcb2caa2f8a70927f176070d126b2422760
        NOTE: Introduced by 
https://github.com/gettalong/kramdown/commit/ff0218aefcf00cd5a389e17e075d36cd46d011e2
 (v1.16)
 CVE-2021-28833 (Increments Qiita::Markdown before 0.34.0 allows XSS via a 
crafted gist ...)
-       TODO: check
+       NOT-FOR-US: Increments Qiita::Markdown
 CVE-2021-28832 (VSCodeVim before 1.19.0 allows attackers to execute arbitrary 
code via ...)
        NOT-FOR-US: VSCodeVim
 CVE-2021-28831 (decompress_gunzip.c in BusyBox through 1.32.1 mishandles the 
error bit ...)
@@ -17590,7 +17590,6 @@ CVE-2021-3426 (There's a flaw in Python 3's pydoc. A 
local or adjacent attacker
        NOTE: https://python-security.readthedocs.io/vuln/pydoc-getfile.html
        NOTE: https://github.com/python/cpython/pull/24337
        NOTE: https://github.com/python/cpython/pull/24285
-       TODO: check, upload of pypy/7.3.5+dfsg-1 to experimental claims this 
affects src:pypy
 CVE-2021-3425 (A flaw was found in the AMQ Broker that discloses JDBC 
encrypted usern ...)
        NOT-FOR-US: Red Hat AMQ Broker
 CVE-2021-28108
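Review bot: Dropping the TODO for CVE-2021-3426 leaves no record of how the src:pypy claim was resolved; the entry keeps its CPython notes but gains neither a `- pypy ...` line nor a NOTE explaining why pypy is not affected. Suggest adding one of the two so the next reader does not have to re-check the pypy/7.3.5+dfsg-1 experimental upload.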
@@ -19378,15 +19377,14 @@ CVE-2021-27349 (Advanced Order Export before 3.1.8 
for WooCommerce allows XSS, a
 CVE-2021-27348
        RESERVED
 CVE-2021-27347 (Use after free in lzma_decompress_buf function in stream.c in 
Irzip 0. ...)
-       - lrzip <undetermined>
+       - lrzip <unfixed>
        NOTE: https://github.com/ckolivas/lrzip/issues/165
-       TODO: check fixing commit
 CVE-2021-27346
        RESERVED
 CVE-2021-27345 (A null pointer dereference was discovered in ucompthread in 
stream.c i ...)
-       - lrzip <undetermined>
+       - lrzip <unfixed> (unimportant)
        NOTE: https://github.com/ckolivas/lrzip/issues/164
-       TODO: check fixing commit
+       NOTE: Crash in CLI tool, no security impact
 CVE-2021-27344
        RESERVED
 CVE-2021-27343 (SerenityOS Unspecified is affected by: Buffer Overflow. The 
impact is: ...)
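Review bot: The two lrzip entries both point at bugs in stream.c, yet only CVE-2021-27345 is downgraded with `(unimportant)` and the justification "Crash in CLI tool, no security impact", while the CVE-2021-27347 use-after-free is left at plain `<unfixed>` with no severity remark. If the same CLI-only reasoning applies to the use-after-free, say so; if it does not, a short NOTE on why the two differ would make the `<undetermined>` to `<unfixed>` change easier to audit.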
@@ -20589,9 +20587,9 @@ CVE-2021-26837
 CVE-2021-26836
        RESERVED
 CVE-2021-26835 (No filtering of cross-site scripting (XSS) payloads in the 
markdown-ed ...)
-       TODO: check
+       NOT-FOR-US: Zettlr
 CVE-2021-26834 (A cross-site scripting (XSS) vulnerability exists in Znote 
0.5.2. An a ...)
-       TODO: check
+       NOT-FOR-US: Znote
 CVE-2021-26833 (Code Execution vulnerability in Profile Picture upload in 
TimelyBills  ...)
        NOT-FOR-US: TimelyBills App Budget, Expense tracker & Bills
 CVE-2021-26832 (Cross Site Scripting (XSS) in the "Reset Password" page form 
of Priori ...)
@@ -22659,7 +22657,6 @@ CVE-2021-3284
 CVE-2021-3283 (HashiCorp Nomad and Nomad Enterprise up to 0.12.9 exec and java 
task d ...)
        - nomad 0.12.10+dfsg1-1 (bug #981889)
        NOTE: 
https://discuss.hashicorp.com/t/hcsec-2021-01-nomad-s-exec-and-java-task-drivers-did-not-isolate-processes/20332
-       TODO: check details
 CVE-2021-3282 (HashiCorp Vault Enterprise 1.6.0 &amp; 1.6.1 allowed the 
`remove-peer` ...)
        NOT-FOR-US: HashiCorp Vault
 CVE-2021-3281 (In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 
3.1.6,  ...)
@@ -23716,7 +23713,7 @@ CVE-2021-25656 (Stored XSS injection vulnerabilities 
were discovered in the Avay
 CVE-2021-25655 (A vulnerability in the system Service Menu component of Avaya 
Aura Exp ...)
        NOT-FOR-US: Avaya
 CVE-2021-25654 (An arbitrary code execution vulnerability was discovered in 
Avaya Aura ...)
-       TODO: check
+       NOT-FOR-US: Avaya
 CVE-2021-25653 (A privilege escalation vulnerability was discovered in Avaya 
Aura Appl ...)
        NOT-FOR-US: Avaya
 CVE-2021-25652 (An information disclosure vulnerability was discovered in the 
director ...)
@@ -28757,7 +28754,7 @@ CVE-2021-23400
 CVE-2021-23399
        RESERVED
 CVE-2021-23398 (All versions of package react-bootstrap-table are vulnerable 
to Cross- ...)
-       TODO: check
+       NOT-FOR-US: react-bootstrap-table
 CVE-2021-23397
        RESERVED
 CVE-2021-23396 (All versions of package lutils are vulnerable to Prototype 
Pollution v ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be9c2bb72a240fa7e2580007166f810356b6685c

-- 


_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
