[Git][security-tracker-team/security-tracker][master] NFUs, unimportant ruamel.yaml and kfreebsd issues

Moritz Muehlenhoff jmm at debian.org
Thu Feb 20 12:22:40 GMT 2020



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9f81a8b8 by Moritz Muehlenhoff at 2020-02-20T13:22:12+01:00
NFUs, unimportant ruamel.yaml and kfreebsd issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -69,7 +69,10 @@ CVE-2020-9273
 CVE-2020-9272
 	RESERVED
 CVE-2019-20478 (In ruamel.yaml through 0.16.7, the load method allows remote code exec ...)
-	TODO: check
+	- ruamel.yaml <unfixed> (unimportant)
+	NOTE: This is a well-known design deficiency in pyyaml (of which ruamel.yaml is derived),
+	NOTE: various CVE IDs have been assigned to applications misusing the API over the years.
+	NOTE: pyyaml 5.1 changed the default hebaviour
 CVE-2019-20477 (PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and ...)
 	- pyyaml <unfixed> (unimportant)
 	NOTE: CVE exists due to an incomplete fix for CVE-2017-18342.
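Review bot: The third NOTE line added for CVE-2019-20478 has a typo ("hebaviour" should be "behaviour") and the first NOTE's "of which ruamel.yaml is derived" reads better as "from which ruamel.yaml is derived". The third NOTE also stops mid-thought: saying what pyyaml 5.1 changed the default to would make the unimportant rating self-explanatory when the entry is revisited.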
@@ -1909,7 +1912,7 @@ CVE-2020-8443 (In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible
 CVE-2020-8442 (In OSSEC-HIDS 2.7 through 3.5.0, the server component responsible for  ...)
 	- ossec-hids <itp> (bug #361954)
 CVE-2020-8441 (JYaml through 1.3 allows remote code execution during deserialization  ...)
-	TODO: check
+	NOT-FOR-US: JYaml
 CVE-2020-8440 (controllers/page_apply.php in Simplejobscript.com SJS through 1.66 is  ...)
 	NOT-FOR-US: Simplejobscript.com SJS
 CVE-2020-8439
@@ -4128,7 +4131,7 @@ CVE-2020-7452
 CVE-2020-7451
 	RESERVED
 CVE-2020-7450 (In FreeBSD 12.1-STABLE before r357213, 12.1-RELEASE before 12.1-RELEAS ...)
-	TODO: check
+	NOT-FOR-US: FreeBSD
 CVE-2020-7449
 	RESERVED
 CVE-2020-7448
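Review bot: Marking CVE-2020-7450 as "NOT-FOR-US: FreeBSD" is inconsistent with the other FreeBSD kernel CVEs in this same commit (CVE-2019-15875 and CVE-2019-5613), which are tracked against the kfreebsd-10 package. Unless the affected code is absent from the kernel version kfreebsd-10 ships, this should get a kfreebsd-10 entry (<unfixed> or <not-affected> with a reason) plus a NOTE with the FreeBSD advisory URL, as the other two entries do.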
@@ -4637,7 +4640,7 @@ CVE-2020-7218 (HashiCorp Nomad and Nomad Enterprise before 0.10.3 allow unbounde
 	- nomad 0.10.3+dfsg1-1
 	NOTE: https://github.com/hashicorp/nomad/issues/7002
 CVE-2020-7217 (An ni_dhcp4_fsm_process_dhcp4_packet memory leak in openSUSE wicked 0. ...)
-	TODO: check
+	NOT-FOR-US: openSUSE wicked
 CVE-2020-7216 (An ni_dhcp4_parse_response memory leak in openSUSE wicked 0.6.55 and e ...)
 	NOT-FOR-US: openSUSE wicked
 CVE-2020-7215 (An issue was discovered in Gallagher Command Centre 7.x before 7.90.99 ...)
@@ -13060,7 +13063,7 @@ CVE-2019-19880 (exprListAppendList in window.c in SQLite 3.30.1 allows attackers
 	NOTE: https://github.com/sqlite/sqlite/commit/8428b3b437569338a9d1e10c4cd8154acbe33089
 	NOTE: to not open CVE-2019-19926.
 CVE-2019-19879 (HashiCorp Sentinel up to 0.10.1 incorrectly parsed negation in certain ...)
-	TODO: check
+	NOT-FOR-US: HashiCorp Sentinel (different from Redis Sentinel)
 CVE-2019-19878
 	RESERVED
 CVE-2019-19877
@@ -17588,7 +17591,7 @@ CVE-2020-1979
 CVE-2020-1978
 	RESERVED
 CVE-2020-1977 (Insufficient Cross-Site Request Forgery (XSRF) protection on Expeditio ...)
-	TODO: check
+	NOT-FOR-US: Palo Alto
 CVE-2020-1976 (A denial-of-service (DoS) vulnerability in Palo Alto Networks GlobalPr ...)
 	NOT-FOR-US: Palo Alto Networks GlobalProtect software
 CVE-2020-1975 (Missing XML validation vulnerability in the PAN-OS web interface on Pa ...)
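Review bot: The NOT-FOR-US line for CVE-2020-1977 says only "Palo Alto", while the neighbouring entries name the vendor and product (e.g. "Palo Alto Networks GlobalProtect software"); naming the product from the CVE description here too keeps the entries greppable and consistent.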
@@ -23233,15 +23236,15 @@ CVE-2020-0566
 CVE-2020-0565
 	RESERVED
 CVE-2020-0564 (Improper permissions in the installer for Intel(R) RWC3 for Windows be ...)
-	TODO: check
+	NOT-FOR-US: Intel
 CVE-2020-0563 (Improper permissions in the installer for Intel(R) MPSS before version ...)
-	TODO: check
+	NOT-FOR-US: Intel
 CVE-2020-0562 (Improper permissions in the installer for Intel(R) RWC2, all versions, ...)
-	TODO: check
+	NOT-FOR-US: Intel
 CVE-2020-0561 (Improper initialization in the Intel(R) SGX SDK before v2.6.100.1 may  ...)
-	TODO: check
+	NOT-FOR-US: Intel
 CVE-2020-0560 (Improper permissions in the installer for the Intel(R) Renesas Electro ...)
-	TODO: check
+	NOT-FOR-US: Intel
 CVE-2020-0559
 	RESERVED
 CVE-2020-0558
@@ -31456,7 +31459,8 @@ CVE-2019-15877
 CVE-2019-15876
 	RESERVED
 CVE-2019-15875 (In FreeBSD 12.1-STABLE before r354734, 12.1-RELEASE before 12.1-RELEAS ...)
-	TODO: check
+	- kfreebsd-10 <unfixed> (unimportant)
+	NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:03.thrmisc.asc
 CVE-2019-15874
 	RESERVED
 CVE-2019-15873 (The profilegrid-user-profiles-groups-and-communities plugin before 2.8 ...)
@@ -62726,7 +62730,8 @@ CVE-2019-5615 (Users with Site-level permissions can access files containing the
 CVE-2019-5614
 	RESERVED
 CVE-2019-5613 (In FreeBSD 12.0-RELEASE before 12.0-RELEASE-p13, a missing check in th ...)
-	TODO: check
+	- kfreebsd-10 <not-affected> (Only affects kfreebsd 12)
+	NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:02.ipsec.asc
 CVE-2019-5612 (In FreeBSD 12.0-STABLE before r351264, 12.0-RELEASE before 12.0-RELEAS ...)
 	- kfreebsd-10 <unfixed> (unimportant)
 	NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-19:23.midi.asc
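Review bot: The not-affected reason "Only affects kfreebsd 12" names a package that does not exist; the CVE description says FreeBSD 12.0-RELEASE and the Debian package is kfreebsd-10, so "Only affects FreeBSD 12.x" states the actual reason and matches the wording used for the kernel version in the description.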



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9f81a8b8e5f57bfac0e3d994c841ab975cb716c0
