Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
81694e53 by Moritz Muehlenhoff at 2020-07-22T18:34:56+02:00
stable triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -387,8 +387,7 @@ CVE-2020-15720 (In Dogtag PKI through 10.8.3, the 
pki.client.PKIConnection class
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1855273
        NOTE: 
https://github.com/dogtagpki/pki/commit/50c23ec146ee9abf28c9de87a5f7787d495f0b72
 CVE-2020-15719 (libldap in certain third-party OpenLDAP packages has a 
certificate-val ...)
-       - openldap <unfixed> (bug #965184)
-       [stretch] - openldap <no-dsa> (Minor issue, works as intended)
+       - openldap <unfixed> (unimportant; bug #965184)
        NOTE: https://bugs.openldap.org/show_bug.cgi?id=9266
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1740070
        NOTE: RedHat/CentOS applied patch: 
https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch
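Review bot: the rationale from the removed `[stretch] - openldap <no-dsa> (Minor issue, works as intended)` line is lost with this change; the new `(unimportant; bug #965184)` tag covers all suites, but nothing in the entry now records why the behaviour is considered intended. Consider keeping that reasoning as a NOTE (for example `NOTE: Works as intended, see bug #965184`) so that the RedHat/CentOS patch linked below does not prompt someone to reopen the question later.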
@@ -11926,11 +11925,10 @@ CVE-2020-11560 (NCH Express Invoice 7.25 allows local 
users to discover the clea
 CVE-2020-11559
        RESERVED
 CVE-2020-11558 (An issue was discovered in libgpac.a in GPAC 0.8.0, as 
demonstrated by ...)
-       - gpac <undetermined>
+       - gpac <unfixed>
        [jessie] - gpac <not-affected> (Vulnerable code not present and not 
reproducible)
        NOTE: 
https://github.com/gpac/gpac/commit/6063b1a011c3f80cee25daade18154e15e4c058c
        NOTE: https://github.com/gpac/gpac/issues/1440
-       TODO: check
 CVE-2020-11557 (An issue was discovered in Castle Rock SNMPc Online 12.10.10 
before 20 ...)
        NOT-FOR-US: Castle Rock SNMPc
 CVE-2020-11556 (An issue was discovered in Castle Rock SNMPc Online 12.10.10 
before 20 ...)
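Review bot: moving `gpac` from `<undetermined>` to `<unfixed>` and dropping `TODO: check` leaves stretch and buster with no status while jessie is marked not-affected; the two GPAC entries later in this same change (CVE-2019-20162 and CVE-2019-20161) receive `[buster] - gpac <no-dsa> (Minor issue)`, so this entry should probably get a severity and a matching suite line as well, plus a `(bug #...)` reference as on the openldap line above, now that the upstream fix commit is known.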
@@ -11970,10 +11968,10 @@ CVE-2020-11540
 CVE-2020-11539 (An issue was discovered on Tata Sonata Smart SF Rush 1.12 
devices. It  ...)
        NOT-FOR-US: Tata Sonata Smart SF Rush 1.12 devices
 CVE-2020-11538 (In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number 
of out- ...)
-       - pillow 7.2.0-1 (unimportant)
+       - pillow 7.2.0-1 (low)
+       [buster] - pillow <no-dsa> (Will be fixed via spu)
        NOTE: https://github.com/python-pillow/Pillow/pull/4504
        NOTE: https://github.com/python-pillow/Pillow/pull/4538
-       NOTE: Debian packages are built without JPEG2000 support
 CVE-2020-11537 (A SQL Injection issue was discovered in ONLYOFFICE Document 
Server 5.5 ...)
        NOT-FOR-US: ONLYOFFICE Document Server
 CVE-2020-11536 (An issue was discovered in ONLYOFFICE Document Server 5.5.0. 
An attack ...)
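Review bot: removing `NOTE: Debian packages are built without JPEG2000 support` is right here, since CVE-2020-11538 is in libImaging/SgiRleDecode.c rather than the JPEG2000 decoder, and raising the severity from unimportant to low follows from that. The new `[buster] - pillow <no-dsa> (Will be fixed via spu)` line will need replacing with the fixed buster version once the point update is uploaded; a bug number in the parentheses would make that follow-up easier to find.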
@@ -13377,12 +13375,11 @@ CVE-2020-10995 (PowerDNS Recursor from 4.1.0 up to 
and including 4.3.0 does not
        NOTE: 
https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html
        NOTE: https://www.openwall.com/lists/oss-security/2020/05/19/3
 CVE-2020-10994 (In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are 
multipl ...)
-       - pillow 7.2.0-1 (low)
-       [buster] - pillow <no-dsa> (Minor issue)
-       [jessie] - pillow <no-dsa> (Minor issue)
+       - pillow 7.2.0-1 (unimportant)
        NOTE: https://github.com/python-pillow/Pillow/pull/4505
        NOTE: https://github.com/python-pillow/Pillow/pull/4538
        NOTE: Fixed in 7.1.0
+       NOTE: Debian packages are built without JPEG2000 support
 CVE-2020-10993 (Osmand through 2.0.0 allow XXE because of 
binary/BinaryMapIndexReader. ...)
        NOT-FOR-US: Osmand
 CVE-2020-10992 (Azkaban through 3.84.0 allows XXE, related to 
validator/XmlValidatorMa ...)
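Review bot: the downgrade from low to unimportant and the removal of the [buster] and [jessie] no-dsa lines is consistent with the `NOTE: Debian packages are built without JPEG2000 support` moved here from CVE-2020-11538, where it did not apply; this is the libImaging/Jpeg2KDecode.c issue, so the note belongs on this entry. The NOTE would be more useful if it named the package version or release this was verified against, since a later build enabling JPEG2000 would silently make the unimportant tag wrong.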
@@ -13552,6 +13549,7 @@ CVE-2020-10942 (In the Linux kernel before 5.5.8, 
get_raw_socket in drivers/vhos
        NOTE: 
https://git.kernel.org/linus/42d84c8490f9f0931786f1623191fcab397c3d64 (5.6-rc4)
 CVE-2020-10941 (Arm Mbed TLS before 2.6.15 allows attackers to obtain 
sensitive inform ...)
        - mbedtls 2.16.5-1
+       [buster] - mbedtls <no-dsa> (Minor issue)
        NOTE: 
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-02
 CVE-2020-10940 (Local Privilege Escalation can occur in PHOENIX CONTACT 
PORTICO SERVER ...)
        NOT-FOR-US: PHOENIX CONTACT
@@ -13586,6 +13584,7 @@ CVE-2020-10933 (An issue was discovered in Ruby 2.5.x 
through 2.5.7, 2.6.x throu
        NOTE: and 
https://github.com/ruby/ruby/commit/ba5eb6458a7e9a41ee76cfe45b84f997600681dc
 CVE-2020-10932 (An issue was discovered in Arm Mbed TLS before 2.16.6 and 
2.7.x before ...)
        - mbedtls <unfixed> (bug #963159)
+       [buster] - mbedtls <no-dsa> (Minor issue)
        NOTE: 
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released
        NOTE: 
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-04
 CVE-2020-10930
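Review bot: `[buster] - mbedtls <no-dsa> (Minor issue)` is added while unstable is still `<unfixed> (bug #963159)`; that is acceptable for the tracker, but the linked release note says the fix is in 2.16.6, so the unstable line should move to the fixed Debian version once the package is updated. As with CVE-2020-10941 in the previous hunk, a word on why the issue is minor would help whoever reassesses the no-dsa later.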
@@ -15308,7 +15307,7 @@ CVE-2020-10379 (In Pillow before 7.1.0, there are two 
Buffer Overflows in libIma
        NOTE: Fixed in 6.2.3 and 7.1.0
 CVE-2020-10378 (In libImaging/PcxDecode.c in Pillow before 7.1.0, an 
out-of-bounds rea ...)
        - pillow 7.2.0-1
-       [buster] - pillow <no-dsa> (Minor issue)
+       [buster] - pillow <no-dsa> (Will be fixed via spu)
        [stretch] - pillow <not-affected> (Vulnerable code not present)
        [jessie] - pillow <no-dsa> (Minor issue)
        NOTE: https://github.com/python-pillow/Pillow/pull/4538
@@ -15781,7 +15780,7 @@ CVE-2020-10178
        REJECTED
 CVE-2020-10177 (Pillow before 7.1.0 has multiple out-of-bounds reads in 
libImaging/Fli ...)
        - pillow 7.2.0-1
-       [buster] - pillow <ignored> (Minor issue)
+       [buster] - pillow <no-dsa> (Will be fixed via spu)
        [jessie] - pillow <no-dsa> (Minor issue)
        NOTE: https://github.com/python-pillow/Pillow/pull/4503
        NOTE: https://github.com/python-pillow/Pillow/pull/4538
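Review bot: changing `<ignored>` to `<no-dsa> (Will be fixed via spu)` for buster reverses the earlier decision; that is consistent with CVE-2020-10378 and CVE-2020-11538 in this change, but none of the three spu lines carry a bug number or a reference to the point update request, so nothing links them together when the upload happens and the lines have to be replaced with the fixed buster version.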
@@ -28391,11 +28390,13 @@ CVE-2019-20163 (An issue was discovered in GPAC 
version 0.8.0 and 0.9.0-developm
 CVE-2019-20162 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
        {DLA-2072-1}
        - gpac <unfixed>
+       [buster] - gpac <no-dsa> (Minor issue)
        NOTE: https://github.com/gpac/gpac/issues/1327
        NOTE: 
https://github.com/gpac/gpac/commit/3c0ba42546c8148c51169c3908e845c308746c77
 CVE-2019-20161 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
        {DLA-2072-1}
        - gpac <unfixed>
+       [buster] - gpac <no-dsa> (Minor issue)
        NOTE: https://github.com/gpac/gpac/issues/1320
        NOTE: 
https://github.com/gpac/gpac/commit/7a09732d4978586e6284e84caa9c301b2fa5e956
 CVE-2019-20160 (An issue was discovered in GPAC version 0.8.0 and 
0.9.0-development-20 ...)
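Review bot: both entries now carry `{DLA-2072-1}` for jessie and `[buster] - gpac <no-dsa> (Minor issue)`, while unstable remains `<unfixed>` even though an upstream fix commit is linked in each NOTE. If the issue warranted a DLA for jessie, the buster rationale should say what makes it minor there, and stretch has no status line at all in either entry.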
@@ -43501,6 +43502,7 @@ CVE-2019-18223 (ZOOM International Call Recording 6.3.1 
suffers from multiple au
        NOT-FOR-US: ZOOM International Call Recording
 CVE-2019-18222 (The ECDSA signature implementation in ecdsa.c in Arm Mbed 
Crypto 2.1 a ...)
        - mbedtls 2.16.4-1
+       [buster] - mbedtls <no-dsa> (Minor issue)
        NOTE: 
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12
        NOTE: Fixed upstream in 2.20.0, 2.16.4 and 2.7.13
 CVE-2019-18221 (CoreHR Core Portal before 27.0.7 allows stored XSS. ...)
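Review bot: `Minor issue` is a thin justification for a flaw in the ECDSA signature implementation; a short reason in the parentheses (for example the preconditions described in the linked mbedtls-security-advisory-2019-12) would make the no-dsa decision easier to reassess later, as the openldap entry earlier in this change does with its rationale.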
@@ -67486,6 +67488,7 @@ CVE-2019-10774 (php-shellcommand versions before 1.6.1 
have a command injection
        NOTE: https://github.com/mikehaertl/php-shellcommand/issues/44
 CVE-2019-10773 (In Yarn before 1.21.1, the package install functionality can 
be abused ...)
        - node-yarnpkg 1.21.1-1
+       [buster] - node-yarnpkg <no-dsa> (Minor issue)
        NOTE: https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023
        NOTE: https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/
        NOTE: 
https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7
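Review bot: the `(Minor issue)` rationale sits next to a linked write-up titled critical-design-flaw-npm-pnpm-yarn; a brief reason for the lower assessment (what a user must already have done for the package install path named in the CVE text to be abused) would help a later reader, since unstable is fixed in 1.21.1-1 and buster is being left without a DSA.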



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/81694e5337563e88341c4e0db7bd8f106010e1bf



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
