[Git][security-tracker-team/security-tracker][master] new yard issue
Moritz Muehlenhoff
jmm at debian.org
Sun Aug 11 21:09:54 BST 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ca6b6ee3 by Moritz Muehlenhoff at 2019-08-11T20:09:18Z
new yard issue
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -13,7 +13,7 @@ CVE-2019-14926
CVE-2019-14925
RESERVED
CVE-2019-14924 (An issue was discovered in GCDWebServer before 3.5.3. The method moveI ...)
- TODO: check
+ NOT-FOR-US: GCDWebServer
CVE-2019-14923
RESERVED
CVE-2019-14922
@@ -1877,7 +1877,7 @@ CVE-2018-20861 (libopenmpt before 0.3.11 allows a crash with certain malformed c
CVE-2018-20859 (edx-platform before 2018-07-18 allows XSS via a response to a Chemical ...)
NOT-FOR-US: Open edX
CVE-2018-20858 (Recommender before 2018-07-18 allows XSS. ...)
- TODO: check
+ NOT-FOR-US: RecommenderXBlock
CVE-2017-18381 (The installation process in Open edX before 2017-01-10 exposes a Mongo ...)
NOT-FOR-US: Open edX
CVE-2017-18380 (edx-platform before 2017-08-03 allows attackers to trigger password-re ...)
@@ -1930,13 +1930,13 @@ CVE-2019-14359
CVE-2019-14358
RESERVED
CVE-2019-14357 (** DISPUTED ** On Mooltipass Mini devices, a side channel for the row- ...)
- TODO: check
+ NOT-FOR-US: Mooltipass Mini devices
CVE-2019-14356
RESERVED
CVE-2019-14355 (** DISPUTED ** On ShapeShift KeepKey devices, a side channel for the r ...)
- TODO: check
+ NOT-FOR-US: ShapeShift KeepKey devices
CVE-2019-14354 (On Ledger Nano S and Nano X devices, a side channel for the row-based ...)
- TODO: check
+ NOT-FOR-US: Ledger Nano S and Nano X devices
CVE-2019-14353 (On Trezor One devices before 1.8.2, a side channel for the row-based O ...)
NOT-FOR-US: Trezor One devices
CVE-2019-14352 (** DISPUTED ** In Joget Workflow 6.0.20, CSV Injection, also known as ...)
@@ -2149,30 +2149,31 @@ CVE-2019-1020011 (SmokeDetector intentionally does automatic deployments of upda
CVE-2019-1020010 (Misskey before 10.102.4 allows hijacking a user's token. ...)
NOT-FOR-US: Misskey
CVE-2019-1020009 (Fleet before 2.1.2 allows exposure of SMTP credentials. ...)
- TODO: check
+ NOT-FOR-US: Fleet (osquery frontend)
CVE-2019-1020008 (stacktable.js before 1.0.4 allows XSS. ...)
- TODO: check
+ NOT-FOR-US: stacktable.js
CVE-2019-1020007 (Dependency-Track before 3.5.1 allows XSS. ...)
- TODO: check
+ NOT-FOR-US: Dependency-Track
CVE-2019-1020006 (invenio-app before 1.1.1 allows host header injection. ...)
NOT-FOR-US: invenio-app
CVE-2019-1020005 (invenio-communities before 1.0.0a20 allows XSS. ...)
NOT-FOR-US: invenio-communities
CVE-2019-1020004 (Tridactyl before 1.16.0 allows fake key events. ...)
- TODO: check
+ NOT-FOR-US: Tridactyl
CVE-2019-1020003 (invenio-records before 1.2.2 allows XSS. ...)
NOT-FOR-US: invenio-records
CVE-2019-1020002 (Pterodactyl before 0.7.14 with 2FA allows credential sniffing. ...)
- TODO: check
+ NOT-FOR-US: Pterodactyl
CVE-2019-1020001 (yard before 0.9.20 allows path traversal. ...)
- TODO: check
+ - yard <unfixed> (low)
+ NOTE: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr
CVE-2018-20857 (Zendesk Samlr before 2.6.2 allows an XML nodes comment attack such as ...)
NOT-FOR-US: Zendesk Samlr
CVE-2019-14282 (The simple_captcha2 gem 0.2.3 for Ruby, as distributed on RubyGems.org ...)
- ruby-simple-captcha2 <not-affected> (Backdoored versions not available in a Debian release)
NOTE: https://github.com/rubygems/rubygems.org/issues/2073
CVE-2019-14281 (The datagrid gem 1.0.6 for Ruby, as distributed on RubyGems.org, inclu ...)
- TODO: check
+ NOT-FOR-US: Ruby datagrid gem
CVE-2019-14280 (In some circumstances, Craft 2 before 2.7.10 and 3 before 3.2.6 wasn't ...)
NOT-FOR-US: Craft CMS
CVE-2019-14279
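Review bot: the new yard entry (`- yard <unfixed> (low)`) records severity but no upstream fixed version, even though the CVE text in this hunk states the problem affects "yard before 0.9.20"; consider extending the NOTE line with the fixed version (e.g. `NOTE: Fixed in 0.9.20`) next to the GHSA link, and, once a Debian bug is filed, the usual `(bug #NNNNNN; low)` annotation so the entry can be tracked to closure (NNNNNN is a placeholder; no bug number is given here). The remaining changes in this hunk only flip `TODO: check` to `NOT-FOR-US` for projects that are not packaged, and the header count (30 to 31 lines) matches the single added NOTE line.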
@@ -2237,7 +2238,7 @@ CVE-2019-14257
CVE-2019-14256
RESERVED
CVE-2019-14255 (A Server Side Request Forgery (SSRF) vulnerability in go-camo up to ve ...)
- TODO: check
+ NOT-FOR-US: go-camo
CVE-2019-14254
RESERVED
CVE-2019-14253
@@ -9355,7 +9356,7 @@ CVE-2019-11778
CVE-2019-11777
RESERVED
CVE-2019-11776 (In Eclipse BIRT versions 1.0 to 4.7, the Report Viewer allows Reflecte ...)
- TODO: check
+ NOT-FOR-US: Eclipse BIRT
CVE-2019-11775 (All builds of Eclipse OpenJ9 prior to 0.15 contain a bug where the loo ...)
NOT-FOR-US: Eclipse OpenJ9
CVE-2019-11774
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ca6b6ee3500cd9f5e6786f1382fec9225030ec16