Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c687d49c by Moritz Mühlenhoff at 2021-04-12T11:53:19+02:00
various bugs filed
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -674,7 +674,7 @@ CVE-2021-30186
 CVE-2021-30185 (CERN Indico before 2.3.4 can use an attacker-supplied Host 
header in a ...)
        NOT-FOR-US: CERN Indico
 CVE-2021-30184 (GNU Chess 6.2.7 allows attackers to execute arbitrary code via 
crafted ...)
-       - gnuchess <unfixed>
+       - gnuchess <unfixed> (bug #986801)
        NOTE: 
https://lists.gnu.org/archive/html/bug-gnu-chess/2021-04/msg00000.html
        NOTE: 
https://lists.gnu.org/archive/html/bug-gnu-chess/2021-04/msg00001.html
 CVE-2021-30183
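Review bot: the updated line `- gnuchess <unfixed> (bug #986801)` records the Debian bug but still carries no stable-release annotation, even though the description says the issue allows arbitrary code execution via crafted input. Consider adding a `[buster]` line (either `<no-dsa>` with a justification or a planned fix) so the stable status is not left implicit, as is done for the qtsvg entry elsewhere in this patch.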
@@ -727,11 +727,9 @@ CVE-2021-30166
 CVE-2021-30165
        RESERVED
 CVE-2021-30164 (Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers 
to bypass ...)
-       - redmine <unfixed>
-       TODO: check fixing commit, fixed in 4.0.8
+       - redmine <unfixed> (bug #986800)
 CVE-2021-30163 (Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers 
to discov ...)
-       - redmine <unfixed>
-       TODO: check fixing commit, fixed in 4.0.8
+       - redmine <unfixed> (bug #986800)
 CVE-2021-30162 (An issue was discovered on LG mobile devices with Android OS 
4.4 throu ...)
        NOT-FOR-US: LG mobile devices
 CVE-2021-30161 (An issue was discovered on LG mobile devices with Android OS 
11 softwa ...)
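Review bot: for CVE-2021-30164 and CVE-2021-30163 the `TODO: check fixing commit, fixed in 4.0.8` lines are dropped while the entries remain `<unfixed>`, so the only record of the upstream fix version (4.0.8) disappears from the tracker. Since `(bug #986800)` does not carry that information, consider keeping a `NOTE: fixed upstream in 4.0.8` line, or a NOTE pointing at the upstream fixing commit once it has been identified, so that the eventual Debian update can be checked against it.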
@@ -771,16 +769,12 @@ CVE-2020-36309 (ngx_http_lua_module (aka 
lua-nginx-module) before 0.10.16 in Ope
        NOTE: https://github.com/openresty/lua-nginx-module/pull/1654
 CVE-2020-36308 (Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers 
to discov ...)
        - redmine 4.0.7-1
-       TODO: check fixing commit, fixed in 4.0.7
 CVE-2020-36307 (Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS via 
textile ...)
        - redmine 4.0.7-1
-       TODO: check fixing commit, fixed in 4.0.7
 CVE-2020-36306 (Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS via the 
back_url f ...)
        - redmine 4.0.7-1
-       TODO: check fixing commit, fixed in 4.0.7
 CVE-2019-25026 (Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup 
data duri ...)
        - redmine 4.0.6-1
-       TODO: check fixing commit, fixed in 4.0.6
 CVE-2021-30160
        RESERVED
 CVE-2021-30159 (An issue was discovered in MediaWiki before 1.31.12 and 1.32.x 
through ...)
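Review bot: the four `TODO: check fixing commit, fixed in 4.0.x` lines for CVE-2020-36308, CVE-2020-36307, CVE-2020-36306 and CVE-2019-25026 are removed without any replacement, so nothing in the entries shows whether the fixing commits were actually verified against the `redmine 4.0.7-1` and `redmine 4.0.6-1` package versions or whether the TODO was simply considered redundant. If the commits were checked, a `NOTE:` line with the upstream commit or advisory URL would preserve that result; if not, the TODO should stay.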
@@ -1259,7 +1253,7 @@ CVE-2021-3482 (A flaw was found in Exiv2 in versions 
before and including 0.27.4
        NOTE: https://github.com/Exiv2/exiv2/issues/1522
 CVE-2021-3481 [Out of bounds read in function QRadialFetchSimd from crafted 
svg file]
        RESERVED
-       - qtsvg-opensource-src <unfixed>
+       - qtsvg-opensource-src <unfixed> (bug #986798)
        [buster] - qtsvg-opensource-src <no-dsa> (Minor issue)
        - qt4-x11 <removed>
        [buster] - qt4-x11 <no-dsa> (Minor issue)
@@ -4155,7 +4149,7 @@ CVE-2021-3447 (A flaw was found in several ansible 
modules, where parameters con
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939349
        NOTE: check, details on upstream status not yet clear
 CVE-2021-3446 (A flaw was found in libtpms in versions before 0.8.2. The 
commonly use ...)
-       - libtpms <unfixed>
+       - libtpms <unfixed> (bug #986799)
        NOTE: 
https://github.com/stefanberger/libtpms/commit/32c159ab53db703749a8f90430cdc7b20b00975e
 CVE-2021-28650 (autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used 
by GNOM ...)
        [experimental] - gnome-autoar 0.3.1-1
@@ -4181,7 +4175,7 @@ CVE-2017-20002 (The Debian shadow package before 1:4.5-1 
for Shadow incorrectly
        NOTE: Introduced in attempt to address #830255 in 1:4.4-2
 CVE-2021-3445
        RESERVED
-       - libdnf <unfixed>
+       - libdnf <unfixed> (bug #986802)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1932079
 CVE-2021-28644
        RESERVED
@@ -21806,11 +21800,11 @@ CVE-2020-35628 (A code execution vulnerability exists 
in the Nef polygon-parsing
        - cgal 5.2-3 (bug #985671)
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225
 CVE-2021-21433 (Discord Recon Server is a bot that allows you to do your 
reconnaissanc ...)
-       TODO: check
+       NOT-FOR-US: Discord Recon Server
 CVE-2021-21432 (Vela is a Pipeline Automation (CI/CD) framework built on Linux 
contain ...)
-       TODO: check
+       NOT-FOR-US: Vela
 CVE-2021-21431 (sopel-channelmgnt is a channelmgnt plugin for sopel. In 
versions prior ...)
-       TODO: check
+       NOT-FOR-US: sopel-channelmgnt
 CVE-2021-21430
        RESERVED
 CVE-2021-21429
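Review bot: the `NOT-FOR-US: sopel-channelmgnt` line relies on the plugin being a separate project, but the description says it is a "channelmgnt plugin for sopel"; if the sopel bot itself is packaged in Debian, confirm that this plugin is not shipped inside that package before closing the entry as NOT-FOR-US. The Discord Recon Server and Vela changes look fine as standalone projects.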
@@ -21847,7 +21841,7 @@ CVE-2021-21415
 CVE-2021-21414
        RESERVED
 CVE-2021-21413 (isolated-vm is a library for nodejs which gives you access to 
v8's Iso ...)
-       TODO: check
+       NOT-FOR-US: Node isolated-vm
 CVE-2021-21412 (Potential for arbitrary code execution in npm package 
@thi.ng/egf `#gp ...)
        NOT-FOR-US: Node @thi.ng/egf
 CVE-2021-21411 (OAuth2-Proxy is an open source reverse proxy that provides 
authenticat ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c687d49c54143317a3d04da680a7ec6bef86924e

-- 


_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
