Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: 2fc91a81 by Moritz Muehlenhoff at 2020-07-31T07:48:12+02:00 stable triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -459,6 +459,7 @@ CVE-2020-15948 RESERVED CVE-2020-XXXX [RUSTSEC-2020-0026] - rust-linked-hash-map <unfixed> (bug #966246) + [buster] - rust-linked-hash-map <no-dsa> (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0026.html CVE-2020-15947 RESERVED @@ -803,6 +804,7 @@ CVE-2020-15804 RESERVED CVE-2020-15803 (Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x bef ...) - zabbix 1:5.0.2+dfsg-1 (bug #966146) + [buster] - zabbix <no-dsa> (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-18057 CVE-2020-15802 RESERVED @@ -2047,8 +2049,11 @@ CVE-2020-15305 (An issue was discovered in OpenEXR before 2.5.2. Invalid input c NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/730 CVE-2020-15304 (An issue was discovered in OpenEXR before 2.5.2. An invalid tiled inpu ...) - openexr <unfixed> + [buster] - openexr <not-affected> (Vulnerable code not present) + [stretch] - openexr <not-affected> (Vulnerable code not present) [jessie] - openexr <no-dsa> (Minor issue) NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/727 + NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/36e05c14c612a89c43d4e0b013669ecd7f8e3440 CVE-2020-15303 RESERVED CVE-2020-15302 (In Argent RecoveryManager before 0xdc350d09f71c48c5D22fBE2741e4d6A0397 ...) 
@@ -5326,9 +5331,11 @@ CVE-2020-14020 RESERVED CVE-2020-14019 (Open-iSCSI rtslib-fb through 2.1.72 has weak permissions for /etc/targ ...) - python-rtslib-fb <unfixed> + [buster] - python-rtslib-fb <not-affected> (Introduced in 2.1.70) [stretch] - python-rtslib-fb <not-affected> (vulnerable code introduced later, shutil.copyfile is not used) [jessie] - python-rtslib-fb <not-affected> (vulnerable code introduced later, shutil.copyfile is not used) NOTE: https://github.com/open-iscsi/rtslib-fb/pull/162 + NOTE: https://github.com/open-iscsi/rtslib-fb/commit/75e73778dce1cb7a2816a936240ef75adfbd6ed9 CVE-2020-14018 (An issue was discovered in Navigate CMS 2.9 r1433. There is a stored X ...) NOT-FOR-US: Navigate CMS CVE-2020-14017 (An issue was discovered in Navigate CMS 2.9 r1433. Sessions, as well a ...) @@ -11818,7 +11825,6 @@ CVE-2020-11759 (An issue was discovered in OpenEXR before 2.4.1. Because of inte NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/b9997d0c045fa01af3d2e46e1a74b07cc4519446 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/acad98d6d3e787f36012a3737c23c42c7f43a00f - TODO: check completeness for upstream commits to cover CVE-2020-11759 CVE-2020-11758 (An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bo ...) [experimental] - openexr 2.5.0-1 - openexr <unfixed> (bug #959444) 
@@ -74521,7 +74527,7 @@ CVE-2019-8945 (Zimbra Collaboration 8.7.x - 8.8.11P2 contains persistent XSS. .. CVE-2019-8944 (An Information Exposure issue in the Terraform deployment step in Octo ...) NOT-FOR-US: Terraform CVE-2019-8943 (WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An a ...) - - wordpress <unfixed> (bug #923583) + - wordpress <undetermined> (bug #923583) [jessie] - wordpress <postponed> (requires privileged account, not directly exploitable as CVE-2019-8942 is fixed, no official patch) NOTE: https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/ NOTE: This CVE is explicitly for the mentioned Path Traversal in wp_crop_image(). @@ -99366,6 +99372,7 @@ CVE-2019-0194 (Apache Camel's File is vulnerable to directory traversal. Camel 2 CVE-2019-0193 (In Apache Solr, the DataImportHandler, an optional but popular module ...) {DLA-1954-1} - lucene-solr 3.6.2+dfsg-22 (low) + [buster] - lucene-solr <no-dsa> (Minor issue) NOTE: https://issues.apache.org/jira/browse/SOLR-13669 NOTE: upstream recommends everybody upgrade or rework their configuration NOTE: consider backporting enable.dih.dataConfigParam instead: @@ -113600,6 +113607,7 @@ CVE-2018-14029 (CSRF vulnerability in admin/user/edit in Creatiwity wityCMS 0.6. NOT-FOR-US: Creatiwity wityCMS CVE-2018-14028 (In WordPress 4.9.7, plugins uploaded via the admin area are not verifi ...) - wordpress <unfixed> (bug #906565) + [buster] - wordpress <postponed> (Minor issue, revisit when fixed upstream) [stretch] - wordpress <no-dsa> (Minor issue) [jessie] - wordpress <postponed> (no sanctioned patch) NOTE: https://core.trac.wordpress.org/ticket/44710 ===================================== data/dsa-needed.txt ===================================== 
@@ -32,8 +32,12 @@ nginx rails (jmm) Sylvain Beucler proposed to help for the update, remaining CVEs to be done -- +ruby-kramdown +-- teeworlds (jmm) -- +thunderbird (jmm) +-- webkit2gtk -- xcftools View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2fc91a817f86e109b8769dd47ca48c3d3137e3b9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2fc91a817f86e109b8769dd47ca48c3d3137e3b9 You're receiving this email because of your account on salsa.debian.org.
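Review bot: In the CVE-2020-15304 hunk, jessie is left at `<no-dsa> (Minor issue)` while the added `[buster]` and `[stretch]` lines are `<not-affected> (Vulnerable code not present)`; if the vulnerable code is absent from the stretch version it is very likely absent from the older jessie version too, so the jessie line should probably be checked and aligned to `<not-affected>` with the same justification, or a NOTE should record why jessie differs.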
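Review bot: In the CVE-2020-14019 hunk, the justification `(Introduced in 2.1.70)` on the new `[buster]` line is terser than the existing stretch and jessie lines (`vulnerable code introduced later, shutil.copyfile is not used`) and does not state which version buster ships; phrasing it the same way, e.g. `[buster] - python-rtslib-fb <not-affected> (vulnerable code introduced in 2.1.70)`, keeps the three suite annotations consistent and makes the reasoning self-explanatory to the next triager.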
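Review bot: In the CVE-2020-11759 hunk, the `TODO: check completeness for upstream commits to cover CVE-2020-11759` line is dropped without any NOTE recording the outcome; since the result of that check is not visible in the commit message either, add a NOTE stating that the two listed upstream commits were confirmed to be the complete fix, so the removal of the TODO is traceable.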
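Review bot: In the CVE-2019-8943 hunk, the unstable entry changes from `<unfixed>` to `<undetermined>` but no NOTE is added explaining what is undetermined (for example whether upstream has fixed the wp_crop_image() path traversal and in which release); the existing jessie annotation already says `no official patch`, so a short NOTE stating the open question would keep the status change from looking arbitrary.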
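Review bot: In the CVE-2019-0193 hunk, the new `[buster] - lucene-solr <no-dsa> (Minor issue)` line sits directly above a NOTE that says `consider backporting enable.dih.dataConfigParam instead:`; the no-dsa justification should say whether that backport is still intended for a buster point update or has been dropped, so the two annotations do not read as contradicting each other.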
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits