Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: 81694e53 by Moritz Muehlenhoff at 2020-07-22T18:34:56+02:00 stable triage - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -387,8 +387,7 @@ CVE-2020-15720 (In Dogtag PKI through 10.8.3, the pki.client.PKIConnection class NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1855273 NOTE: https://github.com/dogtagpki/pki/commit/50c23ec146ee9abf28c9de87a5f7787d495f0b72 CVE-2020-15719 (libldap in certain third-party OpenLDAP packages has a certificate-val ...) - - openldap <unfixed> (bug #965184) - [stretch] - openldap <no-dsa> (Minor issue, works as intended) + - openldap <unfixed> (unimportant; bug #965184) NOTE: https://bugs.openldap.org/show_bug.cgi?id=9266 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1740070 NOTE: RedHat/CentOS applied patch: https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch @@ -11926,11 +11925,10 @@ CVE-2020-11560 (NCH Express Invoice 7.25 allows local users to discover the clea CVE-2020-11559 RESERVED CVE-2020-11558 (An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by ...) - - gpac <undetermined> + - gpac <unfixed> [jessie] - gpac <not-affected> (Vulnerable code not present and not reproducible) NOTE: https://github.com/gpac/gpac/commit/6063b1a011c3f80cee25daade18154e15e4c058c NOTE: https://github.com/gpac/gpac/issues/1440 - TODO: check CVE-2020-11557 (An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 20 ...) NOT-FOR-US: Castle Rock SNMPc CVE-2020-11556 (An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 20 ...) 
@@ -11970,10 +11968,10 @@ CVE-2020-11540 CVE-2020-11539 (An issue was discovered on Tata Sonata Smart SF Rush 1.12 devices. It ...) NOT-FOR-US: Tata Sonata Smart SF Rush 1.12 devices CVE-2020-11538 (In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out- ...) - - pillow 7.2.0-1 (unimportant) + - pillow 7.2.0-1 (low) + [buster] - pillow <no-dsa> (Will be fixed via spu) NOTE: https://github.com/python-pillow/Pillow/pull/4504 NOTE: https://github.com/python-pillow/Pillow/pull/4538 - NOTE: Debian packages are built without JPEG2000 support CVE-2020-11537 (A SQL Injection issue was discovered in ONLYOFFICE Document Server 5.5 ...) NOT-FOR-US: ONLYOFFICE Document Server CVE-2020-11536 (An issue was discovered in ONLYOFFICE Document Server 5.5.0. An attack ...) @@ -13377,12 +13375,11 @@ CVE-2020-10995 (PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html NOTE: https://www.openwall.com/lists/oss-security/2020/05/19/3 CVE-2020-10994 (In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multipl ...) - - pillow 7.2.0-1 (low) - [buster] - pillow <no-dsa> (Minor issue) - [jessie] - pillow <no-dsa> (Minor issue) + - pillow 7.2.0-1 (unimportant) NOTE: https://github.com/python-pillow/Pillow/pull/4505 NOTE: https://github.com/python-pillow/Pillow/pull/4538 NOTE: Fixed in 7.1.0 + NOTE: Debian packages are built without JPEG2000 support CVE-2020-10993 (Osmand through 2.0.0 allow XXE because of binary/BinaryMapIndexReader. ...) NOT-FOR-US: Osmand CVE-2020-10992 (Azkaban through 3.84.0 allows XXE, related to validator/XmlValidatorMa ...) 
@@ -13552,6 +13549,7 @@ CVE-2020-10942 (In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhos NOTE: https://git.kernel.org/linus/42d84c8490f9f0931786f1623191fcab397c3d64 (5.6-rc4) CVE-2020-10941 (Arm Mbed TLS before 2.6.15 allows attackers to obtain sensitive inform ...) - mbedtls 2.16.5-1 + [buster] - mbedtls <no-dsa> (Minor issue) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-02 CVE-2020-10940 (Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER ...) NOT-FOR-US: PHOENIX CONTACT @@ -13586,6 +13584,7 @@ CVE-2020-10933 (An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x throu NOTE: and https://github.com/ruby/ruby/commit/ba5eb6458a7e9a41ee76cfe45b84f997600681dc CVE-2020-10932 (An issue was discovered in Arm Mbed TLS before 2.16.6 and 2.7.x before ...) - mbedtls <unfixed> (bug #963159) + [buster] - mbedtls <no-dsa> (Minor issue) NOTE: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-04 CVE-2020-10930 @@ -15308,7 +15307,7 @@ CVE-2020-10379 (In Pillow before 7.1.0, there are two Buffer Overflows in libIma NOTE: Fixed in 6.2.3 and 7.1.0 CVE-2020-10378 (In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds rea ...) - pillow 7.2.0-1 - [buster] - pillow <no-dsa> (Minor issue) + [buster] - pillow <no-dsa> (Will be fixed via spu) [stretch] - pillow <not-affected> (Vulnerable code not present) [jessie] - pillow <no-dsa> (Minor issue) NOTE: https://github.com/python-pillow/Pillow/pull/4538 
@@ -15781,7 +15780,7 @@ CVE-2020-10178 REJECTED CVE-2020-10177 (Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/Fli ...) - pillow 7.2.0-1 - [buster] - pillow <ignored> (Minor issue) + [buster] - pillow <no-dsa> (Will be fixed via spu) [jessie] - pillow <no-dsa> (Minor issue) NOTE: https://github.com/python-pillow/Pillow/pull/4503 NOTE: https://github.com/python-pillow/Pillow/pull/4538 @@ -28391,11 +28390,13 @@ CVE-2019-20163 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-developm CVE-2019-20162 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) {DLA-2072-1} - gpac <unfixed> + [buster] - gpac <no-dsa> (Minor issue) NOTE: https://github.com/gpac/gpac/issues/1327 NOTE: https://github.com/gpac/gpac/commit/3c0ba42546c8148c51169c3908e845c308746c77 CVE-2019-20161 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) {DLA-2072-1} - gpac <unfixed> + [buster] - gpac <no-dsa> (Minor issue) NOTE: https://github.com/gpac/gpac/issues/1320 NOTE: https://github.com/gpac/gpac/commit/7a09732d4978586e6284e84caa9c301b2fa5e956 CVE-2019-20160 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...) @@ -43501,6 +43502,7 @@ CVE-2019-18223 (ZOOM International Call Recording 6.3.1 suffers from multiple au NOT-FOR-US: ZOOM International Call Recording CVE-2019-18222 (The ECDSA signature implementation in ecdsa.c in Arm Mbed Crypto 2.1 a ...) - mbedtls 2.16.4-1 + [buster] - mbedtls <no-dsa> (Minor issue) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12 NOTE: Fixed upstream in 2.20.0, 2.16.4 and 2.7.13 CVE-2019-18221 (CoreHR Core Portal before 27.0.7 allows stored XSS. ...) 
@@ -67486,6 +67488,7 @@ CVE-2019-10774 (php-shellcommand versions before 1.6.1 have a command injection NOTE: https://github.com/mikehaertl/php-shellcommand/issues/44 CVE-2019-10773 (In Yarn before 1.21.1, the package install functionality can be abused ...) - node-yarnpkg 1.21.1-1 + [buster] - node-yarnpkg <no-dsa> (Minor issue) NOTE: https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023 NOTE: https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/ NOTE: https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/81694e5337563e88341c4e0db7bd8f106010e1bf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/81694e5337563e88341c4e0db7bd8f106010e1bf You're receiving this email because of your account on salsa.debian.org.
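Review bot: in the CVE-2020-15719 hunk the stretch line carrying the rationale "(Minor issue, works as intended)" is dropped while the new unstable line only says "(unimportant; bug #965184)", so the reason the issue is rated unimportant no longer appears anywhere in the entry. Suggest carrying the rationale over, e.g. "- openldap <unfixed> (unimportant; works as intended, see upstream bug 9266; bug #965184)", so that the remaining NOTE pointing at the RedHat/CentOS patch is not read later as evidence that a Debian fix is pending.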
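Review bot: in the CVE-2020-11558 hunk gpac moves from <undetermined> to <unfixed> and the "TODO: check" line is removed, but no [buster] or [stretch] annotation is added, so both stable suites are now tracked as open with no triage decision recorded. The other gpac entries in this same commit (CVE-2019-20162, CVE-2019-20161) receive "[buster] - gpac <no-dsa> (Minor issue)"; either add the matching line here or state why this one is to stay open. The unstable <unfixed> line also lacks a bug reference, unlike the openldap and mbedtls entries touched in this commit.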
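Review bot: in the CVE-2020-11538 hunk the severity is raised from unimportant to low and the "Debian packages are built without JPEG2000 support" note is removed, which is consistent with the description pointing at libImaging/SgiRleDecode.c rather than the JPEG 2000 decoder; but the entry still carries no [stretch] or [jessie] line, whereas the sibling Pillow entries in this commit (CVE-2020-10378, CVE-2020-10177) do. Worth checking whether the SGI RLE decoder is present in the stretch and jessie packages and recording <not-affected> or <no-dsa> accordingly.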
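Review bot: in the CVE-2020-10994 hunk the per-suite [buster] and [jessie] lines are deleted and the whole entry is dropped to unimportant on the strength of the added note "Debian packages are built without JPEG2000 support". With no suite-specific annotation left, that rationale has to hold for every suite's build; suggest stating in the NOTE which suites were checked, or which build dependency is absent, so a later reviewer can verify the claim without rebuilding each package.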
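Review bot: in the hunk under the CVE-2020-10942 header the line "[buster] - mbedtls <no-dsa> (Minor issue)" is added to CVE-2020-10941, whose description is an information-disclosure issue ("allows attackers to obtain sensitive inform ..."). "(Minor issue)" alone records no reason; a short justification taken from mbedtls-security-advisory-2020-02 (the attacker model or precondition) would make the no-dsa decision auditable from the tracker entry itself.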
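Review bot: in the CVE-2020-10932 hunk buster is marked <no-dsa> (Minor issue) while unstable is still <unfixed> (bug #963159); the NOTE says the fix shipped upstream in 2.16.6 and 2.7.15, so the buster line will need revisiting once the unstable upload lands. The pillow entries in this commit use "(Will be fixed via spu)" to record exactly that intent; suggest the same wording here, or a TODO, rather than a bare "(Minor issue)".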
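Review bot: in the CVE-2020-10378 hunk only the buster rationale changes, but the surrounding context shows stretch as <not-affected> (Vulnerable code not present) while the older jessie is <no-dsa> (Minor issue). If the vulnerable PcxDecode.c code is absent from stretch's Pillow it is worth double-checking that it is really present in jessie's; otherwise the jessie line should also read <not-affected>.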
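Review bot: in the CVE-2020-10177 hunk buster moves from <ignored> (Minor issue) to <no-dsa> (Will be fixed via spu); that reversal is fine, but the entry has no [stretch] line at all while jessie is <no-dsa> (Minor issue). Record stretch's status (fixed version, <not-affected> or <no-dsa>) so the stable suites are triaged consistently with the neighbouring CVE-2020-10378 entry.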
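Review bot: in the CVE-2019-20162 / CVE-2019-20161 hunk both entries gain "[buster] - gpac <no-dsa> (Minor issue)" although both already carry {DLA-2072-1}, i.e. the same issues were judged worth fixing in jessie LTS. A buster no-dsa justified only by "(Minor issue)" is inconsistent with that; note why buster is treated differently (for instance that the fix is to be bundled via spu), and add a bug reference for the unstable "- gpac <unfixed>" line, which currently has none.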
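Review bot: in the CVE-2019-18222 hunk "[buster] - mbedtls <no-dsa> (Minor issue)" is added to an issue in the ECDSA signature implementation (ecdsa.c) that the NOTE says was fixed upstream in 2.20.0, 2.16.4 and 2.7.13. For a bug in a signing primitive the rationale should carry the reason (attacker model or precondition from mbedtls-security-advisory-2019-12) rather than the bare label, since all three mbedtls entries in this commit now read identically and cannot be told apart on review.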
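Review bot: in the CVE-2019-10773 hunk node-yarnpkg in buster is marked <no-dsa> (Minor issue) while the referenced write-up is titled "critical-design-flaw-npm-pnpm-yarn" and the description says the package install functionality can be abused. Add a one-line rationale stating the precondition that makes this minor for Debian, so the no-dsa decision is defensible from the entry alone rather than from the (contradicting) reference titles.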
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits