[Git][security-tracker-team/security-tracker][master] new bind9, shiro, etcd, nss, tinymce issues

Moritz Muehlenhoff jmm at debian.org
Thu Aug 20 22:38:21 BST 2020



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
94a240c6 by Moritz Muehlenhoff at 2020-08-20T23:37:55+02:00
new bind9, shiro, etcd, nss, tinymce issues
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -19362,7 +19362,7 @@ CVE-2020-15138 (Prism is vulnerable to Cross-Site Scripting. The easing preview
 CVE-2020-15137 (All versions of HoRNDIS are affected by an integer overflow in the RND ...)
 	NOT-FOR-US: HoRNDIS
 CVE-2020-15136 (In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication  ...)
-	TODO: check
+	- etcd <unfixed>
 CVE-2020-15135 (save-server (npm package) before version 1.05 is affected by a CSRF vu ...)
 	NOT-FOR-US: Node save-server
 CVE-2020-15134 (Faye before version 1.4.0, there is a lack of certification validation ...)
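Review bot: the new `- etcd <unfixed>` line for CVE-2020-15136 records no upstream reference, unlike the shiro and tinymce entries in this same commit that each add a `NOTE:` URL next to their `<unfixed>` line. The description already names 3.4.10 and 3.3.23 as the first fixed upstream releases, so a `NOTE:` pointing at the upstream advisory or fix commit would let the next triager verify which Debian upload actually carries the fix.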
@@ -21502,7 +21502,7 @@ CVE-2020-14335
 CVE-2020-14334 (A flaw was found in Red Hat Satellite 6 which allows privileged attack ...)
 	- foreman <itp> (bug #663101)
 CVE-2020-14333 (A flaw was found in Ovirt Engine's web interface in ovirt 4.4 and earl ...)
-	TODO: check
+	NOT-FOR-US: ovirt-engine
 CVE-2020-14332
 	RESERVED
 	- ansible <unfixed> (bug #966672)
@@ -22561,7 +22561,8 @@ CVE-2020-13934 (An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6
 	NOTE: https://github.com/apache/tomcat/commit/923d834500802a61779318911d7898bd85fc950e (8.5.57)
 	NOTE: https://github.com/apache/tomcat/commit/172977f04a5215128f1e278a688983dcd230f399 (9.0.37)
 CVE-2020-13933 (Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafte ...)
-	TODO: check
+	- shiro <unfixed>
+	NOTE: https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E
 CVE-2020-13932 (In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT p ...)
 	NOT-FOR-US: Apache ActiveMQ Artemis
 	NOTE: https://activemq.apache.org/security-advisories.data/CVE-2020-13932-announcement.txt
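Review bot: the NOTE added for CVE-2020-13933 is a percent-encoded lists.apache.org permalink (`...%40%3Cdev.shiro.apache.org%3E`), which resolves but is easy to mangle in later hand edits of this file; since the description already states that 1.6.0 is the first fixed upstream release, recording that alongside the thread link would keep the entry useful even if the permalink breaks.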
@@ -25828,7 +25829,8 @@ CVE-2020-12650
 CVE-2020-12649 (Gurbalib through 2020-04-30 allows lib/cmds/player/help.c directory tr ...)
 	NOT-FOR-US: Gurbalib
 CVE-2020-12648 (A cross-site scripting (XSS) vulnerability in TinyMCE 5.2.1 and earlie ...)
-	TODO: check
+	- tinymce <unfixed>
+	NOTE: https://labs.bishopfox.com/advisories/tinymce-version-5.2.1
 CVE-2020-12647 (Unisys ALGOL Compiler 58.1 before 58.1a.15, 59.1 before 59.1a.9, and 6 ...)
 	NOT-FOR-US: Unisys ALGOL Compiler
 CVE-2020-12646
@@ -26429,6 +26431,11 @@ CVE-2020-12404 (For native-to-JS bridging the app requires a unique token to be
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-19/#CVE-2020-12404
 CVE-2020-12403
 	RESERVED
+	- nss <unfixed>
+	NOTE: https://hg.mozilla.org/projects/nss/rev/f282556e6cc7715f5754aeaadda6f902590e7e38
+	NOTE: https://hg.mozilla.org/projects/nss/rev/c25adfdfab34ddb08d3262aac3242e3399de1095
+	NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1636771
+	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1868931
 CVE-2020-12402 (During RSA key generation, bignum implementations used a variation of  ...)
 	{DSA-4726-1 DLA-2266-1}
 	- nss 2:3.53.1-1 (bug #963152)
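Review bot: CVE-2020-12403 gains an `nss <unfixed>` line and four reference NOTEs but keeps the bare `RESERVED` marker with no description, so the entry cannot be found by keyword. The file's convention for still-reserved IDs whose details are known is a bracketed summary on the CVE line, as in `CVE-2020-10759 [Possible bypass in signature verification]` later in this patch; a short bracketed description should be added here as well.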
@@ -32134,6 +32141,7 @@ CVE-2020-10759 [Possible bypass in signature verification]
 	NOTE: https://github.com/hughsie/libjcat/commit/839b89f45a38b2373bf5836337a33f450aaab72e
 CVE-2020-10758
 	RESERVED
+	NOT-FOR-US: Keycloak
 CVE-2020-10757 (A flaw was found in the Linux Kernel in versions after 4.5-rc1 in the  ...)
 	{DSA-4699-1 DSA-4698-1 DLA-2242-1}
 	- linux 5.6.14-2
@@ -37361,14 +37369,24 @@ CVE-2020-8625
 	RESERVED
 CVE-2020-8624
 	RESERVED
+	- bind9 1:9.16.6-1
+	NOTE: https://kb.isc.org/docs/cve-2020-8623
 CVE-2020-8623
 	RESERVED
+	- bind9 1:9.16.6-1
+	NOTE: https://kb.isc.org/docs/cve-2020-8623
 CVE-2020-8622
 	RESERVED
+	- bind9 1:9.16.6-1
+	NOTE: https://kb.isc.org/docs/cve-2020-8622
 CVE-2020-8621
 	RESERVED
+	- bind9 1:9.16.6-1
+	NOTE: https://kb.isc.org/docs/cve-2020-8621
 CVE-2020-8620
 	RESERVED
+	- bind9 1:9.16.6-1
+	NOTE: https://kb.isc.org/docs/cve-2020-8620
 CVE-2020-8619 (In ISC BIND9 versions BIND 9.11.14 -> 9.11.19, BIND 9.14.9 -> 9. ...)
 	- bind9 1:9.16.4-1
 	[buster] - bind9 <not-affected> (Vulnerable code introduced later)
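Review bot: the NOTE added under CVE-2020-8624 points at https://kb.isc.org/docs/cve-2020-8623, the same URL as the CVE-2020-8623 entry directly below it, while every other new bind9 entry in this hunk links the advisory matching its own CVE id; this looks like a copy-and-paste slip and should read https://kb.isc.org/docs/cve-2020-8624. The neighbouring CVE-2020-8619 entry also carries an explicit `[buster]` status line, whereas the five new `- bind9 1:9.16.6-1` entries carry none, so buster's status for these is left implicit and still needs triage.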



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/94a240c6ad10868ea6f9652728c73915d9416bd2




