[Git][security-tracker-team/security-tracker][master] new golang-go.crypto, golang, ceph issues
Moritz Muehlenhoff
jmm at debian.org
Fri Dec 18 08:04:03 GMT 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5a697b78 by Moritz Muehlenhoff at 2020-12-18T09:03:20+01:00
new golang-go.crypto, golang, ceph issues
jsonpickle non issue
NFUs
concludes external check
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -2012,7 +2012,11 @@ CVE-2020-29654 (Western Digital Dashboard before 3.2.2.9 allows DLL Hijacking th
CVE-2020-29653
RESERVED
CVE-2020-29652 (A nil pointer dereference in the golang.org/x/crypto/ssh component thr ...)
- TODO: check
+ - golang-go.crypto <unfixed>
+ - kubernetes <unfixed>
+ NOTE: https://go-review.googlesource.com/c/crypto/+/278852
+ NOTE: https://groups.google.com/g/golang-announce/c/ouZIlBimOsE?pli=1
+ NOTE: k8s vendors a copy
CVE-2021-1985
RESERVED
CVE-2021-1984
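Review bot: the kubernetes line is left at `<unfixed>` with no bug or fix reference, while golang-go.crypto gets both the upstream review (278852) and the golang-announce thread. Because the NOTE says k8s vendors its own copy of golang.org/x/crypto, the kubernetes entry will only be resolvable when that vendored copy is bumped, so the Debian bug or the kubernetes-side fix should be recorded on the kubernetes line itself rather than having to be rediscovered from the golang-go.crypto entry.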
@@ -2871,11 +2875,26 @@ CVE-2020-29513
CVE-2020-29512
RESERVED
CVE-2020-29511 (The encoding/xml package in Go (all versions) does not correctly prese ...)
- TODO: check
+ - golang-1.15 <unfixed>
+ - golang-1.11 <removed>
+ - golang-1.8 <removed>
+ - golang-1.7 <removed>
+ NOTE: https://github.com/golang/go/issues/43168
+ NOTE: https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
CVE-2020-29510 (The encoding/xml package in Go versions 1.15 and earlier does not corr ...)
- TODO: check
+ - golang-1.15 <unfixed>
+ - golang-1.11 <removed>
+ - golang-1.8 <removed>
+ - golang-1.7 <removed>
+ NOTE: https://github.com/golang/go/issues/43168
+ NOTE: https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
CVE-2020-29509 (The encoding/xml package in Go (all versions) does not correctly prese ...)
- TODO: check
+ - golang-1.15 <unfixed>
+ - golang-1.11 <removed>
+ - golang-1.8 <removed>
+ - golang-1.7 <removed>
+ NOTE: https://github.com/golang/go/issues/43168
+ NOTE: https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
CVE-2020-29508
RESERVED
CVE-2020-29507
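Review bot: the three encoding/xml CVEs (CVE-2020-29511, CVE-2020-29510, CVE-2020-29509) get identical package lists that cover only golang-1.15, golang-1.11, golang-1.8 and golang-1.7, yet the CVE text for CVE-2020-29510 says "Go versions 1.15 and earlier" and the other two say "all versions"; any other golang-1.x source package still present in the archive needs the same `<unfixed>`/`<removed>` line. All three also point at the single upstream issue golang/go#43168 with golang-1.15 at `<unfixed>` and no severity, so a NOTE on whether upstream has (or intends) a code fix for 43168 would save the next triager from re-reading the issue and the Mattermost write-up.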
@@ -6526,7 +6545,7 @@ CVE-2020-28460
CVE-2020-28459
RESERVED
CVE-2020-28458 (All versions of package datatables.net are vulnerable to Prototype Pol ...)
- TODO: check
+ NOT-FOR-US: Node datatables.net
CVE-2020-28457 (This affects the package s-cart/core before 4.4. The search functional ...)
TODO: check
CVE-2020-28456 (The package s-cart/core before 4.4 are vulnerable to Cross-site Script ...)
@@ -9574,8 +9593,10 @@ CVE-2020-27848
RESERVED
CVE-2020-27847
RESERVED
+ NOT-FOR-US: github.com/dexidp/dex
CVE-2020-27846
RESERVED
+ NOT-FOR-US: github.com/crewjam/saml
CVE-2020-27845
RESERVED
- openjpeg2 <unfixed>
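Review bot: CVE-2020-27847 and CVE-2020-27846 are still RESERVED, so the only triage record on the page is the NOT-FOR-US text ("github.com/dexidp/dex", "github.com/crewjam/saml"). Add the advisory or commit URL the decision was based on as a NOTE line, as is done for CVE-2020-29652 in the first hunk, so it can be re-checked once the CVE descriptions are published; crewjam/saml is a Go library, so it is also worth noting that no Debian Go package was found vendoring it, otherwise the entry would not be NOT-FOR-US.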
@@ -9603,6 +9624,8 @@ CVE-2020-27840
RESERVED
CVE-2020-27839
RESERVED
+ - ceph <unfixed>
+ NOTE: https://tracker.ceph.com/issues/44591
CVE-2020-27838
RESERVED
NOT-FOR-US: Keycloak
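Review bot: CVE-2020-27839 is added as `- ceph <unfixed>` with only the upstream tracker link (tracker.ceph.com/issues/44591) and no Debian bug, severity or one-line summary; since the CVE is RESERVED the page records nothing about what the issue is. A short NOTE describing the issue (or a bug reference) would let the stable-suite decision (`[buster] - ceph <no-dsa>` or `<not-affected>`) be taken without going back to the tracker.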
@@ -9769,6 +9792,8 @@ CVE-2020-27782
RESERVED
CVE-2020-27781
RESERVED
+ - ceph <unfixed>
+ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1900109
CVE-2020-27780
RESERVED
- pam <not-affected> (Only affects 1.5.0)
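Review bot: the second ceph entry (CVE-2020-27781) references only the Red Hat bugzilla (1900109), a downstream bug, whereas CVE-2020-27839 above references the upstream Ceph tracker; add the upstream tracker id or fix commit here when available, and note whether the buster ceph version contains the affected code, as both ceph entries are `<unfixed>` with no stable-suite line.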
@@ -22757,7 +22782,9 @@ CVE-2020-22085
CVE-2020-22084
RESERVED
CVE-2020-22083 (jsonpickle through 1.4.1 allows remote code execution during deseriali ...)
- TODO: check
+ - jsonpickle <unfixed> (unimportant)
+ NOTE: CVE assigment seems bogus, jsonpickle clearly states "jsonpickle can execute arbitrary Python code.
+ NOTE: Do not load jsonpickles from untrusted unauthenticated sources", so this works as expected
CVE-2020-22082
RESERVED
CVE-2020-22081
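Review bot: typo "assigment" should be "assignment" in the first NOTE line for CVE-2020-22083. The quotation from the jsonpickle documentation is split across the two NOTE lines (opening quote on the first, closing quote on the second), which is fine for the tracker as long as the quoted text stays verbatim. The `(unimportant)` tag is consistent with the stated rationale that jsonpickle documents loading untrusted input as executing arbitrary code, so no change to the severity.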
@@ -31923,6 +31950,7 @@ CVE-2020-17521 (Apache Groovy provides extension methods to aid with creating te
NOTE: https://github.com/apache/groovy/commit/4e418d4a34c973a7ec1e822552103043ac13780e (GROOVY_2_4_21)
CVE-2020-17520
RESERVED
+ NOT-FOR-US: Apache Pulsar
CVE-2020-17519
RESERVED
CVE-2020-17518
@@ -58322,7 +58350,7 @@ CVE-2020-7791 (This affects the package i18n before 2.1.15. Vulnerability arises
CVE-2020-7790 (This affects the package spatie/browsershot from 0.0.0. By specifying ...)
TODO: check
CVE-2020-7789 (This affects the package node-notifier before 9.0.0. It allows an atta ...)
- TODO: check
+ NOT-FOR-US: Node node-notifier
CVE-2020-7788 (This affects the package ini before 1.3.6. If an attacker submits a ma ...)
- node-ini <unfixed>
NOTE: https://snyk.io/vuln/SNYK-JS-INI-1048974
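Review bot: node-notifier is marked NOT-FOR-US while the adjacent ini entry is tracked as `node-ini <unfixed>`; the tag is only correct if no node-notifier source package exists in the archive, so it is worth stating that check in the commit. CVE-2020-7790 (spatie/browsershot) in the leading context is still `TODO: check`, so this hunk leaves one of the three neighbouring Snyk-reported entries untriaged.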
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a697b78b97da2de72edab2160ca88d971e0e4ea
More information about the debian-security-tracker-commits mailing list