[Git][security-tracker-team/security-tracker][master] new ffmpeg, cpp-httplib issues
Moritz Muehlenhoff
jmm at debian.org
Thu Apr 30 15:55:49 BST 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
70b9306b by Moritz Muehlenhoff at 2020-04-30T16:55:25+02:00
new ffmpeg, cpp-httplib issues
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -430,7 +430,9 @@ CVE-2020-12286 (In Octopus Deploy before 2019.12.9 and 2020 before 2020.1.12, th
CVE-2020-12285
RESERVED
CVE-2020-12284 (cbs_jpeg_split_fragment in libavcodec/cbs_jpeg.c in FFmpeg 4.2.2 has a ...)
- TODO: check
+ - ffmpeg <unfixed>
+ NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19734
+ NOTE: https://github.com/FFmpeg/FFmpeg/commit/1812352d767ccf5431aa440123e2e260a4db2726
CVE-2017-18863 (Certain NETGEAR devices are affected by command execution via a PHP fo ...)
NOT-FOR-US: Netgear
CVE-2017-18862 (Certain NETGEAR devices are affected by authentication bypass. This af ...)
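Review bot: the new `- ffmpeg <unfixed>` line for CVE-2020-12284 carries no severity or bug annotation, although the NOTE lines already give both the oss-fuzz report and the upstream fix commit; with the fix identified, it is worth recording in the same change whether a Debian bug has been filed and which stable suites are affected (a `[buster]` line with a `<no-dsa>` or `<unimportant>` decision if this is a fuzzer-found crash in a decoder that needs attacker-supplied input), so the next triage pass does not have to redo the lookup.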
@@ -468,7 +470,7 @@ CVE-2016-11055 (Certain NETGEAR devices are affected by CSRF. This affects CM400
CVE-2016-11054 (NETGEAR DGN2200v4 devices before 2017-01-06 are affected by command ex ...)
NOT-FOR-US: Netgear
CVE-2020-12283 (Sourcegraph before 3.15.1 has a vulnerable authentication workflow bec ...)
- TODO: check
+ NOT-FOR-US: Sourcegraph
CVE-2020-12282
RESERVED
CVE-2020-12281
@@ -522,7 +524,7 @@ CVE-2019-20790 (OpenDMARC through 1.3.2 and 1.4.x, when used with pypolicyd-spf
CVE-2020-12266 (An issue was discovered on WAVLINK WL-WN579G3 M79X3.V5030.180719, WL-W ...)
NOT-FOR-US: WAVLINK
CVE-2020-12265 (The decompress package before 4.2.1 for Node.js is vulnerable to Arbit ...)
- TODO: check
+ NOT-FOR-US: Node decompress
CVE-2020-12264
RESERVED
CVE-2020-12263
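Review bot: before settling on `NOT-FOR-US: Node decompress` for CVE-2020-12265, confirm there is no `node-decompress` source package or embedded copy in the archive; Debian ships a number of npm modules as `node-*` packages, and a NOT-FOR-US marking is hard to notice later if the module turns up as a dependency, so the rationale should state that the check was done.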
@@ -2694,7 +2696,10 @@ CVE-2020-11711
CVE-2020-11710 (An issue was discovered in docker-kong (for Kong) through 2.0.3. The a ...)
NOT-FOR-US: docker-kong
CVE-2020-11709 (cpp-httplib through 0.5.8 does not filter \r\n in parameters passed in ...)
- TODO: check
+ - chromium <unfixed>
+ [stretch] - chromium <end-of-life> (see DSA 4562)
+ NOTE: Chromium embeds cpp-httplib
+ NOTE: https://github.com/yhirose/cpp-httplib/issues/425
CVE-2020-11708 (An issue was discovered in ProVide (formerly zFTPServer) through 13.1. ...)
NOT-FOR-US: ProVide (formerly zFTPServer)
CVE-2020-11707 (An issue was discovered in ProVide (formerly zFTPServer) through 13.1. ...)
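Review bot: the `NOTE: Chromium embeds cpp-httplib` line explains why chromium is the tracked package, but it does not say whether the embedded copy is compiled into the shipped browser binaries or only into test and tooling targets; since the issue is CRLF injection in parameters of an HTTP client/server library, the exposure depends entirely on which code path Chromium builds. Suggest adding a NOTE with the in-tree location of the copy and, if it is test-only, tagging the entry `<unimportant>` rather than leaving a bare `<unfixed>`. The `[stretch] - chromium <end-of-life> (see DSA 4562)` line is consistent with the other chromium entries.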
@@ -2762,13 +2767,13 @@ CVE-2020-11679
CVE-2020-11678
RESERVED
CVE-2020-11677 (Cerner medico 26.00 has a Local Buffer Overflow (issue 3 of 3). ...)
- TODO: check
+ NOT-FOR-US: Cerner medico
CVE-2020-11676 (Cerner medico 26.00 has a Local Buffer Overflow (issue 2 of 3). ...)
- TODO: check
+ NOT-FOR-US: Cerner medico
CVE-2020-11675 (Cerner medico 26.00 has a Local Buffer Overflow (issue 1 of 3). ...)
- TODO: check
+ NOT-FOR-US: Cerner medico
CVE-2020-11674 (Cerner medico 26.00 allows variable reuse, possibly causing data corru ...)
- TODO: check
+ NOT-FOR-US: Cerner medico
CVE-2020-11673 (An issue was discovered in the Responsive Poll through 1.3.4 for Wordp ...)
NOT-FOR-US: Responsive Poll for WordPress
CVE-2020-11672
@@ -3578,7 +3583,7 @@ CVE-2020-11448
CVE-2020-11447
RESERVED
CVE-2020-11446 (ESET Antivirus and Antispyware Module module 1553 through 1560 allows ...)
- TODO: check
+ NOT-FOR-US: ESET
CVE-2020-11445 (TP-Link cloud cameras through 2020-02-09 allow remote attackers to byp ...)
NOT-FOR-US: TP-Link
CVE-2020-11444 (Sonatype Nexus Repository Manager 3.x up to and including 3.21.2 has I ...)
@@ -4464,7 +4469,7 @@ CVE-2020-11026
CVE-2020-11025
RESERVED
CVE-2020-11024 (In Moonlight iOS/tvOS before 4.0.1, the pairing process is vulnerable ...)
- TODO: check
+ NOT-FOR-US: Moonlight iOS/tvOS
CVE-2020-11023 (In jQuery before 3.5.0, passing HTML containing <option> element ...)
TODO: check
CVE-2020-11022 (In jQuery before 3.5.0, passing HTML from untrusted sources - even aft ...)
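Review bot: the adjacent CVE-2020-11023 entry (and, by the same description, CVE-2020-11022) is still at `TODO: check` while the Moonlight entry next to it was resolved; jQuery is packaged in Debian as `src:jquery` and is also embedded in many other source packages, so these two cannot be closed with a NOT-FOR-US and will need real package entries. Leaving them for a separate pass is fine, but a NOTE pointing at the upstream 3.5.0 release information would save the next triager the search.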
@@ -88515,6 +88520,7 @@ CVE-2015-9274 (HarfBuzz before 1.0.4 allows remote attackers to cause a denial o
NOTE: https://github.com/harfbuzz/harfbuzz/commit/c917965b9e6fe2b21ed6c51559673288fa3af4b7
CVE-2019-0235
RESERVED
+ NOT-FOR-US: Apache OFBiz
CVE-2019-0234 (A Reflected Cross-site Scripting (XSS) vulnerability exists in Apache ...)
NOT-FOR-US: Apache Roller
CVE-2019-0233
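Review bot: `NOT-FOR-US: Apache OFBiz` is added under CVE-2019-0235 while the entry is still `RESERVED` and carries no description, so the attribution rests on information that is not in the file; add a NOTE with the source (the OFBiz advisory or mailing-list post the product name came from) so the marking is verifiable, and make sure the entry is revisited when the CVE description is published, since the automated import will otherwise keep the bare RESERVED text next to a resolution that cannot be checked against it.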
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/70b9306b50a882d650f7c87182b3ade121819e8a