[Git][security-tracker-team/security-tracker][master] new ruby-rack-cors issue

2024-02-26 Thread Moritz Muehlenhoff (@jmm) 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
99f819b7 by Moritz Muehlenhoff at 2024-02-26T13:51:28+01:00
new ruby-rack-cors issue
resolve a few TODOs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,6 @@
 CVE-2024-27456 (rack-cors (aka Rack CORS Middleware) 2.0.1 has 0666 
permissions for th ...)
-   TODO: check
+   - ruby-rack-cors 
+   NOTE: https://github.com/cyu/rack-cors/issues/274
 CVE-2024-27455 (In the Bentley ALIM Web application, certain configuration 
settings ca ...)
NOT-FOR-US: Bentley
 CVE-2024-27454 (orjson.loads in orjson before 3.9.15 does not limit recursion 
for deep ...)
@@ -4390,7 +4391,7 @@ CVE-2024-0323 (Use of a Broken or Risky Cryptographic 
Algorithm vulnerability in
 CVE-2023-7216 (A path traversal vulnerability was found in the CPIO utility. 
This iss ...)
- cpio 
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2249901
-   TODO: check upstream reporting
+   NOTE: https://lists.gnu.org/archive/html/bug-cpio/2024-02/msg0.html
 CVE-2023-6874 (Prior to v7.4.0, Ember ZNet is vulnerable to a denial of 
service attac ...)
NOT-FOR-US: Ember ZNet
 CVE-2023-6028 (A reflected cross-site scripting (XSS) vulnerability exists in 
the SVG ...)
@@ -5296,7 +5297,6 @@ CVE-2024-1062 (A heap overflow flaw was found in 
389-ds-base. This issue leads t
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2261879
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2256711
NOTE: https://github.com/389ds/389-ds-base/issues/5647
-   TODO: check details
 CVE-2023-5992 (A vulnerability was found in OpenSC where PKCS#1 encryption 
padding re ...)
- opensc 0.25.0~rc1-1 (bug #1064189)
[bookworm] - opensc  (Minor issue)
@@ -7543,7 +7543,6 @@ CVE-2021-4435 (An untrusted search path vulnerability was 
found in Yarn. When a
[buster] - node-yarnpkg  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2262284
NOTE: Fixed by: 
https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1 
(v1.22.12)
-   TODO: check, too few details in RHBZ#2262284
 CVE-2021-4433 (A vulnerability was found in Karjasoft Sami HTTP Server 2.0. It 
has be ...)
NOT-FOR-US: Karjasoft Sami HTTP Server
 CVE-2024-22365 (linux-pam (aka Linux PAM) before 1.6.0 allows attackers to 
cause a den ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99f819b7d3826cde5588de7fa246d9d3814ca9b9

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99f819b7d3826cde5588de7fa246d9d3814ca9b9
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] new ruby-rack-cors issue

2019-11-15 Thread Moritz Muehlenhoff 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
712b1868 by Moritz Muehlenhoff at 2019-11-15T11:47:25Z
new ruby-rack-cors issue
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,25 +1,27 @@
 CVE-2019-18988
RESERVED
 CVE-2019-18987 (An issue was discovered in the AbuseFilter extension through 
1.34 for  ...)
-   TODO: check
+   NOT-FOR-US: AbuseFilter MediaWiki extension
 CVE-2019-18986 (Pimcore before 6.2.2 allow attackers to brute-force (guess) 
valid user ...)
-   TODO: check
+   NOT-FOR-US: Pimcore
 CVE-2019-18985 (Pimcore before 6.2.2 lacks brute force protection for the 2FA 
token. ...)
-   TODO: check
+   NOT-FOR-US: Pimcore
 CVE-2019-18984
RESERVED
 CVE-2019-18983
RESERVED
 CVE-2019-18982 (bundles/AdminBundle/Controller/Admin/EmailController.php in 
Pimcore be ...)
-   TODO: check
+   NOT-FOR-US: Pimcore
 CVE-2019-18981 (Pimcore before 6.2.2 lacks an Access Denied outcome for a 
certain scen ...)
-   TODO: check
+   NOT-FOR-US: Pimcore
 CVE-2019-18980 (On Signify Philips Taolight Smart Wi-Fi Wiz Connected LED Bulb 
9290022 ...)
-   TODO: check
+   NOT-FOR-US: Signify Philips Taolight
 CVE-2019-18979
RESERVED
 CVE-2019-18978 (An issue was discovered in the rack-cors (aka Rack CORS 
Middleware) ge ...)
-   TODO: check
+   - ruby-rack-cors 
+   NOTE: 
https://github.com/cyu/rack-cors/commit/e4d4fc362a4315808927011cbe5afcfe5486f17d
+   NOTE: https://github.com/cyu/rack-cors/compare/v1.0.3...v1.0.4 
 CVE-2019-18977
RESERVED
 CVE-2019-18976
@@ -61,7 +63,7 @@ CVE-2019-18959
 CVE-2019-18958
RESERVED
 CVE-2019-18957 (Microstrategy Library in MicroStrategy before 2019 before 
11.1.3 has r ...)
-   TODO: check
+   NOT-FOR-US: Microstrategy Library
 CVE-2019-18956
RESERVED
 CVE-2019-18955
@@ -186,7 +188,7 @@ CVE-2019-18897
 CVE-2019-18896
RESERVED
 CVE-2019-18895 (Scanguard through 2019-11-12 on Windows has Insecure 
Permissions for t ...)
-   TODO: check
+   NOT-FOR-US: Scanguard
 CVE-2019-18894
RESERVED
 CVE-2019-18893
@@ -2939,20 +2941,20 @@ CVE-2019-18653 (A Cross Site Scripting (XSS) issue 
exists in Avast AntiVirus (Fr
 CVE-2019-18652
RESERVED
 CVE-2019-18651 (A cross-site request forgery (CSRF) vulnerability in 3xLogic 
Infinias  ...)
-   TODO: check
+   NOT-FOR-US: 3xLogic
 CVE-2019-18650 (An issue was discovered in Joomla! before 3.9.13. A missing 
token chec ...)
NOT-FOR-US: Joomla!
 CVE-2018-21030 (Jupyter Notebook before 5.5.0 does not use a CSP header to 
treat serve ...)
- jupyter-notebook 5.7.4-1
NOTE: https://github.com/jupyter/notebook/pull/3341
 CVE-2019-18649 (When logged in as an admin user, the Title input field (under 
Reports) ...)
-   TODO: check
+   NOT-FOR-US: Untangle NG firewall
 CVE-2019-18648 (When logged in as an admin user, the Untangle NG firewall 
14.2.0 is vu ...)
-   TODO: check
+   NOT-FOR-US: Untangle NG firewall
 CVE-2019-18647 (The Untangle NG firewall 14.2.0 is vulnerable to an 
authenticated comm ...)
-   TODO: check
+   NOT-FOR-US: Untangle NG firewall
 CVE-2019-18646 (The Untangle NG firewall 14.2.0 is vulnerable to authenticated 
inline- ...)
-   TODO: check
+   NOT-FOR-US: Untangle NG firewall
 CVE-2019-18645 (The quarantine restoration function in Total Defense 
Anti-virus 11.5.2 ...)
NOT-FOR-US: Total Defense Anti-virus
 CVE-2019-18644 (The malware scan function in Total Defense Anti-virus 
11.5.2.28 is vul ...)
@@ -7125,7 +7127,7 @@ CVE-2019-17393 (The Customer's Tomedo Server in Version 
1.7.3 communicates to th
 CVE-2019-17392
RESERVED
 CVE-2019-17391 (An issue was discovered in the Espressif ESP32 mask ROM code 
2016-06-0 ...)
-   TODO: check
+   NOT-FOR-US: Espressif ESP32
 CVE-2019-17390
RESERVED
 CVE-2019-17389 (In RIOT 2019.07, the MQTT-SN implementation (asymcute) 
mishandles erro ...)
@@ -10463,7 +10465,7 @@ CVE-2019-16112
 CVE-2019-16111
RESERVED
 CVE-2019-16110 (The network protocol of Blade Shadow though 2.13.3 allows 
remote attac ...)
-   TODO: check
+   NOT-FOR-US: Blade Shadow
 CVE-2019-16109 (An issue was discovered in Plataformatec Devise before 4.7.1. 
It confi ...)
NOT-FOR-US: Plataformatec Devise
 CVE-2019-16108
@@ -11254,17 +11256,17 @@ CVE-2019-15806 (CommScope ARRIS TR4400 devices with 
firmware through A1.00.004-1
 CVE-2019-15805 (CommScope ARRIS TR4400 devices with firmware through 
A1.00.004-180301  ...)
NOT-FOR-US: CommScope ARRIS TR4400 devices
 CVE-2019-15804 (An issue was discovered on Zyxel GS1900 devices with firmware 
before 2 ...)
-   TODO: check
+   NOT-FOR-US: Zyxel
 CVE-2019-15803 (An issue was discovered on Zyxel GS1900 devices with firmware 
before 2 ...)
-   TODO: