[Git][security-tracker-team/security-tracker][master] new uap-core issue

Moritz Muehlenhoff jmm at debian.org
Wed Feb 26 14:46:10 GMT 2020



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e89135dd by Moritz Muehlenhoff at 2020-02-26T15:45:42+01:00
new uap-core issue
NFUs
add tomcat to dsa-needed

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -74,7 +74,7 @@ CVE-2020-9383 (An issue was discovered in the Linux kernel through 5.5.6. set_fd
 	- linux <unfixed>
 	NOTE: https://git.kernel.org/linus/2e90ca68b0d2f5548804f22f0dd61145516171e3
 CVE-2020-9382 (An issue was discovered in the Widgets extension through 1.4.0 for Med ...)
-	TODO: check
+	NOT-FOR-US: Widgets extension for MediaWiki
 CVE-2020-9381 (controllers/admin.js in Total.js CMS 13 allows remote attackers to exe ...)
 	NOT-FOR-US: Total.js CMS
 CVE-2020-9380
@@ -1396,9 +1396,9 @@ CVE-2020-8812 (** DISPUTED ** Bludit 3.10.0 allows Editor or Author roles to ins
 CVE-2020-8811 (ajax/profile-picture-upload.php in Bludit 3.10.0 allows authenticated  ...)
 	NOT-FOR-US: Bludit
 CVE-2020-8810 (An issue was discovered in Gurux GXDLMS Director through 8.5.1905.1301 ...)
-	TODO: check
+	NOT-FOR-US: Gurux
 CVE-2020-8809 (Gurux GXDLMS Director prior to 8.5.1905.1301 downloads updates to add- ...)
-	TODO: check
+	NOT-FOR-US: Gurux
 CVE-2020-8808 (The CorsairLLAccess64.sys and CorsairLLAccess32.sys drivers in CORSAIR ...)
 	NOT-FOR-US: CORSAIR iCUE
 CVE-2020-8807
@@ -9285,13 +9285,14 @@ CVE-2020-5247
 CVE-2020-5246
 	RESERVED
 CVE-2020-5245 (Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary cod ...)
-	TODO: check
+	NOT-FOR-US: Dropwizard-Validation
 CVE-2020-5244 (In BuddyPress before 5.1.2, requests to a certain REST API endpoint ca ...)
 	NOT-FOR-US: BuddyPress
 CVE-2020-5243 (uap-core before 0.7.3 is vulnerable to a denial of service attack when ...)
-	TODO: check
+	- uap-core <unfixed>
+	NOTE: https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p
 CVE-2020-5242 (openHAB before 2.5.2 allow a remote attacker to use REST calls to inst ...)
-	TODO: check
+	NOT-FOR-US: openHAB
 CVE-2020-5241 (matestack-ui-core (RubyGem) before 0.7.4 is vulnerable to XSS/Script i ...)
 	NOT-FOR-US: matestack-ui-core Ruby gem
 CVE-2020-5240
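Review bot: the new `- uap-core <unfixed>` line for CVE-2020-5243 carries no severity annotation and no per-release line, so the tracker will show the issue as open for every suite shipping uap-core with no indication of urgency. Since the description classes it as a denial of service, consider adding a severity such as `(low)` (or `(unimportant)` if the affected code path is not reachable in Debian's use of the package) and, where no update is planned for the released suites, an explicit per-release line such as `[buster] - uap-core <no-dsa>`. The GHSA NOTE link is the right reference to keep; the upstream fixed version (0.7.3 per the description) can be recorded in place of `<unfixed>` once it reaches the archive.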
@@ -25702,9 +25703,9 @@ CVE-2019-18185
 CVE-2019-18184 (Crestron DMC-STRO 1.0 devices allow remote command execution as root v ...)
 	NOT-FOR-US: Crestron DMC-STRO 1.0 devices
 CVE-2019-18183 (pacman before 5.2 is vulnerable to arbitrary command injection in lib/ ...)
-	TODO: check
+	NOT-FOR-US: pacman package manager for arch, different from src:pacman
 CVE-2019-18182 (pacman before 5.2 is vulnerable to arbitrary command injection in conf ...)
-	TODO: check
+	NOT-FOR-US: pacman package manager for arch, different from src:pacman
 CVE-2019-18181 (In CloudVision Portal all releases in the 2018.1 and 2018.2 Code train ...)
 	NOT-FOR-US: CloudVision Portal
 CVE-2019-18180 (Improper Check for filenames with overly long extensions in PostMaster ...)
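Review bot: minor wording in the two new NOT-FOR-US lines for CVE-2019-18183 and CVE-2019-18182: `pacman package manager for arch` is ambiguous for the next person triaging; spelling out `Arch Linux` makes the distinction from `src:pacman`, the unrelated Debian source package of the same name, unambiguous. Recording that distinction at all is the important part, since the bare name would otherwise look like a match for the Debian package.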


=====================================
data/dsa-needed.txt
=====================================
@@ -54,5 +54,9 @@ squid3/oldstable
 --
 tiff/oldstable
 --
+tomcat8/oldstable
+--
+tomcat9/stable
+--
 xcftools (hle)
 --
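Review bot: the two new dsa-needed entries `tomcat8/oldstable` and `tomcat9/stable` have no assignee, unlike `xcftools (hle)` in the surrounding context, and carry no note of which CVE(s) the DSA is meant to cover; the commit message only says `add tomcat to dsa-needed`. Adding the issue reference (and an assignee once someone claims the update) keeps the file self-explanatory and avoids two people picking up the same package. Worth confirming the two suite lines match the open tomcat issues in data/CVE/list for oldstable and stable respectively.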



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e89135dd9b685e30cc94952bf945f79a6e35ebc1
