Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b83cab5d by Moritz Muehlenhoff at 2020-09-08T12:25:59+02:00
various updates

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -18970,13 +18970,9 @@ CVE-2020-15890 (LuaJit through 2.1.0-beta3 has an 
out-of-bounds read because __g
        NOTE: No security impact, only "exploitable" with untrusted Lua code
 CVE-2020-15889 (Lua through 5.4.0 has a getobjname heap-based buffer over-read 
because ...)
        - lua5.4 5.4.0-2
-       - lua5.3 <undetermined>
-       - lua5.2 <undetermined>
-       - lua5.1 <undetermined>
-       - lua50 <undetermined>
        NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00078.html
        NOTE: 
https://github.com/lua/lua/commit/127e7a6c8942b362aa3c6627f44d660a4fb75312
-       TODO: check details for older versions
+       NOTE: Introduced in 5.4
 CVE-2020-15888 (Lua through 5.4.0 mishandles the interaction between stack 
resizes and ...)
        - lua5.4 <unfixed>
        - lua5.3 <undetermined>
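Review bot: deleting the lua5.3, lua5.2, lua5.1 and lua50 lines outright loses the per-package record that these versions were examined and found not to contain the bug; the free-form `NOTE: Introduced in 5.4` is not machine-readable. The tracker's `<not-affected>` marker keeps that state attached to each package, e.g. `- lua5.3 <not-affected> (Vulnerable code introduced in 5.4)` for each of the four, and the NOTE can then point at the upstream change that shows the code path only exists from 5.4 on.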
@@ -24399,7 +24395,12 @@ CVE-2020-13845 (Sylabs Singularity 3.0 through 3.5 has 
Improper Validation of an
 CVE-2020-13844 (Arm Armv8-A core implementations utilizing speculative 
execution past  ...)
        NOTE: https://lists.llvm.org/pipermail/llvm-dev/2020-June/142109.html
        NOTE: 
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation
-       TODO: check further details
+       NOTE: Hardware issue, mitigations to intrusive to backport (and would 
require to recompile
+       NOTE: the entire distro, which is not warranted for the impact)
+       NOTE: GCC patches:
+       NOTE:  
https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=a9ba2a9b77bec7eacaf066801f22d1c366a2bc86
+       NOTE:  
https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=be178ecd5ac1fe1510d960ff95c66d0ff831afe1
+       NOTE:  
https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=96b7f495f9269d5448822e4fc28882edb35a58d7
 CVE-2020-13843 (An issue was discovered on LG mobile devices with Android OS 
software  ...)
        NOT-FOR-US: LG mobile devices
 CVE-2020-13842 (An issue was discovered on LG mobile devices with Android OS 
7.2, 8.0, ...)
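Review bot: the first new NOTE line has two wording slips: "mitigations to intrusive to backport" should read "too intrusive", and "would require to recompile the entire distro" should read "would require recompiling the entire distro". Separately, the entry still carries no package line, so the deliberate no-fix decision is visible only in free text; if the intent is to close this out, a `<ignored>` marker on the compiler source package(s) concerned, with the same reason in parentheses, records the decision in a form the tracker can report on, with the three GCC commit links staying as NOTEs for reference.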
@@ -33654,25 +33655,25 @@ CVE-2020-10814 (A buffer overflow vulnerability in 
Code::Blocks 17.12 allows an
 CVE-2020-10813 (A buffer overflow vulnerability in FTPDMIN 0.96 allows 
attackers to cr ...)
        NOT-FOR-US: FTPDMIN
 CVE-2020-10812 (An issue was discovered in HDF5 through 1.12.0. A NULL pointer 
derefer ...)
-       - hdf5 <undetermined>
+       - hdf5 <unfixed> (unimportant)
        NOTE: 
https://github.com/Loginsoft-Research/hdf5-reports/tree/master/Vuln_4
        NOTE: 
https://research.loginsoft.com/bugs/null-pointer-dereference-in-h5fquery-c-hdf5-1-13-0/
-       TODO: check details
+       NOTE: Negligible security impact, malicous scientific data has more 
issues than a crash...
 CVE-2020-10811 (An issue was discovered in HDF5 through 1.12.0. A heap-based 
buffer ov ...)
-       - hdf5 <undetermined>
+       - hdf5 <unfixed> (unimportant)
        NOTE: 
https://github.com/Loginsoft-Research/hdf5-reports/tree/master/Vuln_2
        NOTE: 
https://research.loginsoft.com/bugs/heap-buffer-overflow-in-h5olayout-c-hdf5-1-13-0/
-       TODO: check details
+       NOTE: Negligible security impact, malicous scientific data has more 
issues than a crash...
 CVE-2020-10810 (An issue was discovered in HDF5 through 1.12.0. A NULL pointer 
derefer ...)
-       - hdf5 <undetermined>
+       - hdf5 <unfixed> (unimportant)
        NOTE: 
https://github.com/Loginsoft-Research/hdf5-reports/tree/master/Vuln_3
        NOTE: 
https://research.loginsoft.com/bugs/null-pointer-dereference-in-h5ac-c-hdf5-1-13-0/
-       TODO: check details
+       NOTE: Negligible security impact, malicous scientific data has more 
issues than a crash...
 CVE-2020-10809 (An issue was discovered in HDF5 through 1.12.0. A heap-based 
buffer ov ...)
-       - hdf5 <undetermined>
+       - hdf5 <unfixed> (unimportant)
        NOTE: 
https://github.com/Loginsoft-Research/hdf5-reports/tree/master/Vuln_1
        NOTE: 
https://research.loginsoft.com/bugs/heap-overflow-in-decompress-c-hdf5-1-13-0/
-       TODO: check details
+       NOTE: Negligible security impact, malicous scientific data has more 
issues than a crash...
 CVE-2020-10808 (Vesta Control Panel (VestaCP) through 0.9.8-26 allows Command 
Injectio ...)
        NOT-FOR-US: Vesta Control Panel
 CVE-2020-10807 (auth_svc in Caldera before 2.6.5 allows authentication bypass 
(for RES ...)
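Review bot: "malicous" is misspelled in all four new NOTE lines (CVE-2020-10812, -10811, -10810, -10809) and should read "malicious"; the trailing "..." reads as an unfinished sentence and is better dropped. The `<unfixed> (unimportant)` combination is the right way to express a crash-only issue that is not worth tracking for a fix, and replacing the `<undetermined>` state is consistent across the four entries, so no other change is needed.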
@@ -34006,7 +34007,7 @@ CVE-2020-10720 (A flaw was found in the Linux kernel's 
implementation of GRO in
 CVE-2020-10719 (A flaw was found in Undertow in versions before 2.1.1.Final, 
regarding ...)
        - undertow <undetermined>
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1828459
-       TODO: check, no details on Red Hat bugreport
+       TODO: no details on Red Hat bugreport
 CVE-2020-10718
        RESERVED
        - wildfly <itp> (bug #752018)
@@ -38366,7 +38367,7 @@ CVE-2020-8920
 CVE-2020-8919
        RESERVED
 CVE-2020-8918 (An improperly initialized 'migrationAuth' value in Google's 
go-tpm TPM ...)
-       TODO: check
+       NOT-FOR-US: go-tpm TPM1.2 library
 CVE-2020-8917
        RESERVED
 CVE-2020-8916 (A memory leak in Openthread's wpantund versions up to commit 
0e5d1601f ...)
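Review bot: NOT-FOR-US is only correct if the go-tpm library is not packaged; Go libraries in the archive follow the golang-github-<owner>-<repo> source naming, so the archive should be checked for a go-tpm source package before closing this as not applicable. If one exists, the entry needs a package line with a version or `<unfixed>` state instead of NOT-FOR-US, and the reason text "go-tpm TPM1.2 library" would then move into a NOTE.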
@@ -38941,9 +38942,9 @@ CVE-2020-8682 (Out of bounds read in system driver for 
some Intel(R) Graphics Dr
 CVE-2020-8681 (Out of bounds write in system driver for some Intel(R) Graphics 
Driver ...)
        NOT-FOR-US: Intel
 CVE-2020-8680 (Race condition in some Intel(R) Graphics Drivers before version 
15.40. ...)
-       TODO: check
+       NOT-FOR-US: Intel
 CVE-2020-8679 (Out-of-bounds write in Kernel Mode Driver for some Intel(R) 
Graphics D ...)
-       TODO: check
+       NOT-FOR-US: Intel
 CVE-2020-8678
        RESERVED
 CVE-2020-8677



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b83cab5d8f088b1e8b230b4560b051b867012180

-- 


_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
