[Git][security-tracker-team/security-tracker][master] associate various JerryScript NFUs with iotjs, marked as <unfixed> initially
Moritz Muehlenhoff
jmm at debian.org
Sun Dec 13 19:15:01 GMT 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a5eb2724 by Moritz Muehlenhoff at 2020-12-13T20:14:28+01:00
associate various JerryScript NFUs with iotjs, marked as <unfixed> initially
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -138,7 +138,7 @@ CVE-2020-35151
CVE-2020-35150
RESERVED
CVE-2020-35149 (lib/utils.js in mquery before 3.2.3 allows a pollution attack because ...)
- TODO: check
+ NOT-FOR-US: Node mquery
CVE-2020-35148
RESERVED
CVE-2020-35147
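Review bot: the CVE-2020-35149 change in this hunk (`TODO: check` to `NOT-FOR-US: Node mquery`) is unrelated to the JerryScript/iotjs association the commit message describes; either mention it in the commit message or commit it separately so the history stays searchable for later triage.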
@@ -1276,7 +1276,8 @@ CVE-2020-29659 (A buffer overflow in the web server of Flexense DupScout Enterpr
CVE-2020-29658
RESERVED
CVE-2020-29657 (In JerryScript 2.3.0, there is an out-of-bounds read in main_print_unh ...)
- TODO: check
+ - iotjs <unfixed>
+ NOTE: https://github.com/jerryscript-project/jerryscript/issues/4244
CVE-2020-29656 (An information disclosure vulnerability exists in RT-AC88U Download Ma ...)
NOT-FOR-US: RT-AC88U Download Master
CVE-2020-29655 (An injection vulnerability exists in RT-AC88U Download Master before 3 ...)
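Review bot: the new `- iotjs <unfixed>` line for CVE-2020-29657 carries no bug reference, and the description names a function `main_print_unh...`, so before this entry is left as `<unfixed>` it is worth confirming that the code path behind that function is actually part of what iotjs bundles and builds; once that is settled, a `(bug #NNN)` reference on the package line would make the follow-up easier.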
@@ -17375,9 +17376,10 @@ CVE-2020-24347 (njs through 0.4.3, used in NGINX, has an out-of-bounds read in n
CVE-2020-24346 (njs through 0.4.3, used in NGINX, has a use-after-free in njs_json_par ...)
NOT-FOR-US: njs
CVE-2020-24345 (** DISPUTED ** JerryScript through 2.3.0 allows stack consumption via ...)
- NOT-FOR-US: JerryScript
+ NOTE: Disputed JerryScript issue
CVE-2020-24344 (JerryScript through 2.3.0 has a (function({a=arguments}){const argumen ...)
- NOT-FOR-US: JerryScript
+ - iotjs <unfixed>
+ NOTE: https://github.com/jerryscript-project/jerryscript/issues/3976
CVE-2020-24343 (Artifex MuJS through 1.0.7 has a use-after-free in jsrun.c because of ...)
NOT-FOR-US: MuJS
CVE-2020-24342 (Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring be ...)
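Review bot: CVE-2020-24345 loses its `NOT-FOR-US: JerryScript` line but gains no package line, so the entry now states nothing about whether iotjs is affected while the neighbouring CVE-2020-24344 gets `- iotjs <unfixed>`; if the disputed issue is considered not to apply, record that explicitly (for example `- iotjs <not-affected> (Disputed)`) rather than leaving the entry with only a NOTE.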
@@ -39531,7 +39533,9 @@ CVE-2020-14165 (The UniversalAvatarResource.getAvatars resource in Jira Server a
CVE-2020-14164 (The WYSIWYG editor resource in Jira Server and Data Center before vers ...)
NOT-FOR-US: Atlassian
CVE-2020-14163 (An issue was discovered in ecma/operations/ecma-container-object.c in ...)
- NOT-FOR-US: JerryScript
+ - iotjs <unfixed>
+ NOTE: https://github.com/jerryscript-project/jerryscript/commit/c2b662170245a16f46ce02eae68815c325d99821
+ NOTE: https://github.com/jerryscript-project/jerryscript/issues/3804
CVE-2020-14162 (An issue was discovered in Pi-Hole through 5.0. The local www-data use ...)
NOT-FOR-US: Pi-Hole
CVE-2020-14161
@@ -41008,7 +41012,10 @@ CVE-2020-13651 (An issue was discovered in DigDash 2018R2 before p20200528, 2019
CVE-2020-13650 (An issue was discovered in DigDash 2018R2 before p20200210 and 2019R1 ...)
NOT-FOR-US: DigDash
CVE-2020-13649 (parser/js/js-scanner.c in JerryScript 2.2.0 mishandles errors during c ...)
- NOT-FOR-US: JerryScript
+ - iotjs <unfixed>
+ NOTE: https://github.com/jerryscript-project/jerryscript/commit/69f8e78c2f8d562bd6d8002b5488f1662ac30d24
+ NOTE: https://github.com/jerryscript-project/jerryscript/issues/3786
+ NOTE: https://github.com/jerryscript-project/jerryscript/issues/3788
CVE-2020-13648
RESERVED
CVE-2020-13647
@@ -41099,9 +41106,12 @@ CVE-2020-13625 (PHPMailer before 6.1.6 contains an output escaping bug when the
CVE-2020-13624
RESERVED
CVE-2020-13623 (JerryScript 2.2.0 allows attackers to cause a denial of service (stack ...)
- NOT-FOR-US: JerryScript
+ - iotjs <unfixed>
+ NOTE: https://github.com/jerryscript-project/jerryscript/issues/3785
CVE-2020-13622 (JerryScript 2.2.0 allows attackers to cause a denial of service (asser ...)
- NOT-FOR-US: JerryScript
+ - iotjs <unfixed>
+ NOTE: https://github.com/jerryscript-project/jerryscript/issues/3787
+ NOTE: https://github.com/jerryscript-project/jerryscript/pull/3797
CVE-2020-13621
RESERVED
CVE-2020-13620 (Fastweb FASTGate GPON FGA2130FWB devices through 2020-05-26 allow CSRF ...)
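Review bot: CVE-2020-13622 references both the issue (#3787) and the fixing pull request (#3797), but CVE-2020-13623 references only issue #3785; if the fix for 13623 is known, add the commit or PR as a second NOTE, as the CVE-2020-14163 and CVE-2020-13649 entries above do, so the `<unfixed>` marker can later be resolved against a specific upstream change.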
@@ -106602,7 +106612,8 @@ CVE-2019-1010178 (Fred MODX Revolution < 1.0.0-beta5 is affected by: Incorrec
CVE-2019-1010177 (Jsish 2.4.70 2.047 is affected by: Use After Free. The impact is: deni ...)
NOT-FOR-US: Jsish
CVE-2019-1010176 (JerryScript commit 4e58ccf68070671e1fff5cd6673f0c1d5b80b166 is affecte ...)
- NOT-FOR-US: JerryScript
+ - iotjs <unfixed>
+ NOTE: https://github.com/jerryscript-project/jerryscript/issues/2476
CVE-2019-1010175
RESERVED
CVE-2019-1010174 (CImg The CImg Library v.2.3.3 and earlier is affected by: command inje ...)
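Review bot: the description of CVE-2019-1010176 pins the issue to a single JerryScript commit (4e58ccf6...) rather than to a release, so the new `- iotjs <unfixed>` line should be checked against the JerryScript snapshot that iotjs actually bundles; the same applies to CVE-2018-1000636 in the next hunk, whose description is likewise tied to a tested commit.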
@@ -144955,7 +144966,8 @@ CVE-2018-1000639 (LatexDraw version <=4.0 contains a XML External Entity (XXE
CVE-2018-1000638 (MiniCMS version 1.1 contains a Cross Site Scripting (XSS) vulnerabilit ...)
NOT-FOR-US: MiniCMS
CVE-2018-1000636 (JerryScript version Tested on commit f86d7459d195c8ba58479d1861b0cc726 ...)
- NOT-FOR-US: JerryScript
+ - iotjs <unfixed>
+ NOTE: https://github.com/jerryscript-project/jerryscript/issues/2435
CVE-2018-1000635 (The Open Microscopy Environment OMERO.server version 5.4.0 to 5.4.6 co ...)
NOT-FOR-US: Open Microscopy Environment
CVE-2018-1000634 (The Open Microscopy Environment OMERO.server version 5.4.0 to 5.4.6 co ...)
@@ -156029,9 +156041,11 @@ CVE-2018-11421 (Moxa OnCell G3100-HSPA Series version 1.6 Build 17100315 and pri
CVE-2018-11420 (There is Memory corruption in the web interface of Moxa OnCell G3100-H ...)
NOT-FOR-US: Moxa
CVE-2018-11419 (An issue was discovered in JerryScript 1.0. There is a heap-based buff ...)
- NOT-FOR-US: JerryScript
+ - iotjs <unfixed>
+ NOTE: https://github.com/jerryscript-project/jerryscript/issues/2230
CVE-2018-11418 (An issue was discovered in JerryScript 1.0. There is a heap-based buff ...)
- NOT-FOR-US: JerryScript
+ - iotjs <unfixed>
+ NOTE: https://github.com/jerryscript-project/jerryscript/issues/2237
CVE-2018-11417
RESERVED
CVE-2018-11416 (jpegoptim.c in jpegoptim 1.4.5 (fixed in 1.4.6) has an invalid use of ...)
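Review bot: CVE-2018-11419 and CVE-2018-11418 are JerryScript 1.0 issues from 2018, and marking them `<unfixed>` matches the "initially" in the commit message, but the follow-up should compare the bundled JerryScript against the linked issues (#2230, #2237) and replace `<unfixed>` with the iotjs version that carries the fix, or with `<not-affected>` if the affected code was never shipped in the package.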
@@ -166234,7 +166248,8 @@ CVE-2018-7587 (An issue was discovered in CImg v.220. DoS occurs when loading a
CVE-2018-7586 (In the nextgen-gallery plugin before 2.2.50 for WordPress, gallery pat ...)
NOT-FOR-US: nextgen-gallery plugin for WordPress
CVE-2017-18212 (An issue was discovered in JerryScript 1.0. There is a heap-based buff ...)
- NOT-FOR-US: JerryScript
+ - iotjs <unfixed>
+ NOTE: https://github.com/jerryscript-project/jerryscript/issues/2140
CVE-2018-7585
RESERVED
CVE-2018-7584 (In PHP through 5.6.33, 7.0.x before 7.0.28, 7.1.x through 7.1.14, and ...)
@@ -196305,7 +196320,8 @@ CVE-2017-14751 (The Intense WP "WP Jobs" plugin 1.5 for WordPress has XSS, relat
CVE-2017-14750
RESERVED
CVE-2017-14749 (JerryScript 1.0 allows remote attackers to cause a denial of service ( ...)
- NOT-FOR-US: JerryScript
+ - iotjs <unfixed>
+ NOTE: https://github.com/jerryscript-project/jerryscript/issues/2008
CVE-2017-14748 (Race condition in Blizzard Overwatch 1.15.0.2 allows remote authentica ...)
NOT-FOR-US: Blizzard Overwatch
CVE-2017-14747
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5eb2724caa6e5baf09d8e477f58bf138c4a6130