[Git][security-tracker-team/security-tracker][master] buster triage

Mon Aug 3 16:09:23 BST 2020


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1a0d3a9a by Moritz Muehlenhoff at 2020-08-03T17:09:04+02:00
buster triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -801,8 +801,9 @@ CVE-2020-15891
 	RESERVED
 CVE-2020-15890 (LuaJit through 2.1.0-beta3 has an out-of-bounds read because __gc hand ...)
 	{DLA-2296-1}
-	- luajit <unfixed> (bug #966148)
+	- luajit <unfixed> (unimportant; bug #966148)
 	NOTE: https://github.com/LuaJIT/LuaJIT/issues/601
+	NOTE: No security impact, only "exploitable" with untrusted Lua code
 CVE-2020-15889 (Lua through 5.4.0 has a getobjname heap-based buffer over-read because ...)
 	- lua5.4 5.4.0-2
 	- lua5.3 <undetermined>
@@ -9582,12 +9583,14 @@ CVE-2020-12402 (During RSA key generation, bignum implementations used a variati
 CVE-2020-12401 [ECDSA timing attack mitigation bypass]
 	RESERVED
 	- nss 2:3.55-1
+	[buster] - nss <no-dsa> (Minor issue)
 	NOTE: https://hg.mozilla.org/projects/nss/rev/aeb2e583ee957a699d949009c7ba37af76515c20
 	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1631573 (private)
 	NOTE: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes
 CVE-2020-12400 [P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function]
 	RESERVED
 	- nss 2:3.55-1
+	[buster] - nss <no-dsa> (Minor issue)
 	NOTE: https://hg.mozilla.org/projects/nss/rev/e55ab3145546ae3cf1333b43956a974675d2d25c
 	NOTE: https://hg.mozilla.org/projects/nss/rev/3f022d5eca5d3cd0e366a825a5681953d76299d0
 	NOTE: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes
@@ -20020,6 +20023,7 @@ CVE-2017-18641 (In LXC 2.0, many template scripts download code over cleartext H
 	NOTE: https://github.com/lxc/lxc/pull/1371 for the lxc-fedora template.
 CVE-2020-8813 (graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute a ...)
 	- cacti 1.2.10+ds1-1 (bug #951832)
+	[buster] - cacti <no-dsa> (Minor issue)
 	[stretch] - cacti <not-affected> (Vulnerable code not present)
 	[jessie] - cacti <not-affected> (Vulnerable code not present)
 	NOTE: https://gist.github.com/mhaskar/ebe6b74c32fd0f7e1eedf1aabfd44129
@@ -24746,6 +24750,7 @@ CVE-2020-6830 (For native-to-JS bridging, the app requires a unique token to be
 CVE-2020-6829 [Side channel attack on ECDSA signature generation]
 	RESERVED
 	- nss 2:3.55-1
+	[buster] - nss <no-dsa> (Minor issue)
 	NOTE: https://hg.mozilla.org/projects/nss/rev/e55ab3145546ae3cf1333b43956a974675d2d25c
 	NOTE: https://hg.mozilla.org/projects/nss/rev/3f022d5eca5d3cd0e366a825a5681953d76299d0
 	NOTE: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.55_release_notes



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1a0d3a9a2e4f7c1c2602bfaf4c98507e455524a1

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1a0d3a9a2e4f7c1c2602bfaf4c98507e455524a1
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200803/9a34a4b1/attachment-0001.html>
