[Git][security-tracker-team/security-tracker][master] new python-markdown, ndpi, duo issues
Moritz Muehlenhoff
jmm at debian.org
Mon Apr 27 22:19:22 BST 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f0d816c4 by Moritz Muehlenhoff at 2020-04-27T23:18:53+02:00
new python-markdown, ndpi, duo issues
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -307,11 +307,12 @@ CVE-2020-12138 (AMD ATI atillk64.sys 5.11.9.0 allows low-privileged users to int
CVE-2020-12136
RESERVED
CVE-2020-12135 (bson before 0.8 incorrectly uses int rather than size_t for many varia ...)
- TODO: check
+ - duo-unix <unfixed> (unimportant)
+ NOTE: Embedded older version, but affected function not used
CVE-2020-12134 (Nanometrics Centaur through 4.3.23 and TitanSMA through 4.2.20 mishand ...)
NOT-FOR-US: Nanometrics Centaur / TitanSMA
CVE-2020-12133 (The Apros Evolution, ConsciusMap, and Furukawa provisioning systems th ...)
- TODO: check
+ NOT-FOR-US: Apros Evolution, ConsciusMap, and Furukawa
CVE-2020-12132 (Fifthplay S.A.M.I before 2019.3_HP2 allows unauthenticated stored XSS ...)
NOT-FOR-US: Fifthplay
CVE-2020-12131 (The AirDisk Pro app 5.5.3 for iOS allows XSS via the devicename parame ...)
@@ -736,9 +737,17 @@ CVE-2020-11942
CVE-2020-11941 (An issue was discovered in Open-AudIT 3.2.2. There is OS Command injec ...)
NOT-FOR-US: Open-AudIT
CVE-2020-11940 (In nDPI through 3.2 Stable, an out-of-bounds read in concat_hash_strin ...)
- TODO: check
+ - ndpi <unfixed>
+ [buster] - ndpi <not-affected> (Introduced in 3.0)
+ [stretch] - ndpi <not-affected> (Introduced in 3.0)
+ NOTE: https://github.com/ntop/nDPI/commit/3bbb0cd3296023f6f922c71d21a1c374d2b0a435
+ NOTE: https://securitylab.github.com/advisories/GHSL-2020-051_052-ntop-ndpi
CVE-2020-11939 (In nDPI through 3.2 Stable, the SSH protocol dissector has multiple KE ...)
- TODO: check
+ - ndpi <unfixed>
+ [buster] - ndpi <not-affected> (Introduced in 3.0)
+ [stretch] - ndpi <not-affected> (Introduced in 3.0)
+ NOTE: https://github.com/ntop/nDPI/commit/7ce478a58b4dd29a8d1e6f4e9df2f778613d9202
+ NOTE: https://securitylab.github.com/advisories/GHSL-2020-051_052-ntop-ndpi
CVE-2020-11938 (In JetBrains TeamCity 2018.2 through 2019.2.1, a project administrator ...)
NOT-FOR-US: JetBrains TeamCity
CVE-2020-11937
@@ -1434,7 +1443,9 @@ CVE-2020-11890 (An issue was discovered in Joomla! before 3.9.17. Improper input
CVE-2020-11889 (An issue was discovered in Joomla! before 3.9.17. Incorrect ACL checks ...)
NOT-FOR-US: Joomla!
CVE-2020-11888 (python-markdown2 through 2.3.8 allows XSS because element names are mi ...)
- TODO: check
+ - python-markdown <unfixed>
+ [buster] - python-markdown <no-dsa> (Minor issue)
+ NOTE: https://github.com/trentm/python-markdown2/issues/348
CVE-2020-11887 (svg2png 4.1.1 allows XSS with resultant SSRF via JavaScript inside an ...)
NOT-FOR-US: svg2png
CVE-2020-11886 (OpenNMS Horizon and Meridian allows HQL Injection in element/nodeList. ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0d816c4867b630da3558d0a58ccf127808b5e2c
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0d816c4867b630da3558d0a58ccf127808b5e2c
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200427/09bca4d0/attachment.html>
More information about the debian-security-tracker-commits
mailing list