[Git][security-tracker-team/security-tracker][master] 4 commits: Process NFUs

Salvatore Bonaccorso carnil at debian.org
Fri Feb 28 21:36:58 GMT 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
fcf7d792 by Salvatore Bonaccorso at 2020-02-28T22:36:31+01:00
Process NFUs

- - - - -
b193521e by Salvatore Bonaccorso at 2020-02-28T22:36:32+01:00
Add CVE-2019-10785/dojo

- - - - -
085ddc5a by Salvatore Bonaccorso at 2020-02-28T22:36:33+01:00
Add CVE-2016-4606/curl

- - - - -
55599938 by Salvatore Bonaccorso at 2020-02-28T22:36:34+01:00
Add CVE-2013-6022/tikiwiki

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -33,7 +33,7 @@ CVE-2020-9449
 CVE-2020-9448
 	RESERVED
 CVE-2020-9447 (The file-upload feature in GwtUpload 1.0.3 allows XSS via a crafted fi ...)
-	TODO: check
+	NOT-FOR-US: GwtUpload
 CVE-2020-9446
 	RESERVED
 CVE-2018-21035
@@ -18807,7 +18807,7 @@ CVE-2020-1846
 CVE-2020-1845
 	RESERVED
 CVE-2020-1844 (PCManager with versions earlier than 10.0.5.51 have a privilege escala ...)
-	TODO: check
+	NOT-FOR-US: Huawei
 CVE-2020-1843 (Huawei HEGE-560 version 1.0.1.20(SP2), OSCA-550 version 1.0.0.71(SP1), ...)
 	NOT-FOR-US: Huawei
 CVE-2020-1842 (Huawei HEGE-560 version 1.0.1.20(SP2); OSCA-550 and OSCA-550A version  ...)
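Review bot: the CVE-2020-1844 description names only "PCManager", not the vendor, while the new tag reads `NOT-FOR-US: Huawei`; the neighbouring CVE-2020-1843/1842 entries are Huawei device issues, so it is worth confirming this PCManager is Huawei's product rather than a same-named tool, and keeping the product in the tag (`NOT-FOR-US: Huawei PCManager`) so the entry stays searchable.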
@@ -48523,21 +48523,24 @@ CVE-2019-10790 (taffy through 2.6.2 allows attackers to forge adding additional
 CVE-2019-10789 (All versions of curling.js are vulnerable to Command Injection via the ...)
 	NOT-FOR-US: curling.js
 CVE-2019-10788 (im-metadata through 3.0.1 allows remote attackers to execute arbitrary ...)
-	TODO: check
+	NOT-FOR-US: im-metadata node module
 CVE-2019-10787 (im-resize through 2.3.2 allows remote attackers to execute arbitrary c ...)
-	TODO: check
+	NOT-FOR-US: im-resize node module
 CVE-2019-10786 (network-manager through 1.0.2 allows remote attackers to execute arbit ...)
 	NOT-FOR-US: network-manager node module
 CVE-2019-10785 (dojox is vulnerable to Cross-site Scripting in all versions before ver ...)
-	TODO: check
+	- dojo <unfixed>
+	NOTE: https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
+	NOTE: https://snyk.io/vuln/SNYK-JS-DOJOX-548257
+	NOTE: https://github.com/dojo/dojox/pull/315
 CVE-2019-10784 (phppgadmin through 7.12.1 allows sensitive actions to be performed wit ...)
 	- phppgadmin <unfixed>
 	NOTE: https://snyk.io/vuln/SNYK-PHP-PHPPGADMINPHPPGADMIN-543885
 	NOTE: https://github.com/phppgadmin/phppgadmin/issues/94
 CVE-2019-10783 (All versions including 0.0.4 of lsof npm module are vulnerable to Comm ...)
-	TODO: check
+	NOT-FOR-US: lsof node module
 CVE-2019-10781 (In schema-inspector before 1.6.9, a maliciously crafted JavaScript obj ...)
-	TODO: check
+	NOT-FOR-US: schema-inspector node module
 CVE-2019-10780 (BibTeX-ruby before 5.1.0 allows shell command injection due to unsanit ...)
 	NOT-FOR-US: BibTeX-ruby
 CVE-2019-10779 (All versions of stroom:stroom-app before 5.5.12 and all versions of th ...)
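Review bot: the dojo line records `- dojo <unfixed>` with three references but no fixed upstream version, even though the description says the XSS affects "all versions before ver..." and the linked dojo/dojox pull request 315 is the fix; once the fixed dojox release is known it should be recorded, and the entry carries no Debian bug reference either, so the package otherwise sits at <unfixed> with no target. Also worth confirming that Debian's dojo source package ships the affected dojox component at all, since the advisory is against dojox specifically.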
@@ -55321,7 +55324,7 @@ CVE-2019-8743 (Multiple memory corruption issues were addressed with improved me
 CVE-2019-8742 (The issue was addressed by restricting options offered on a locked dev ...)
 	NOT-FOR-US: Apple
 CVE-2019-8741 (A denial of service issue was addressed with improved input validation ...)
-	TODO: check
+	NOT-FOR-US: Apple
 CVE-2019-8740
 	RESERVED
 CVE-2019-8739 (A memory corruption issue was addressed with improved state management ...)
@@ -107461,9 +107464,9 @@ CVE-2018-8880 (Lutron Quantum BACnet Integration 2.0 (firmware 3.2.243) doesn't
 CVE-2018-8879 (Stack-based buffer overflow in Asuswrt-Merlin firmware for ASUS device ...)
 	NOT-FOR-US: ASUS
 CVE-2018-8878 (Information disclosure in Asuswrt-Merlin firmware for ASUS devices old ...)
-	TODO: check
+	NOT-FOR-US: ASUS
 CVE-2018-8877 (Information disclosure in Asuswrt-Merlin firmware for ASUS devices old ...)
-	TODO: check
+	NOT-FOR-US: ASUS
 CVE-2018-8876 (In 2345 Security Guard 3.6, the driver file (2345Wrath.sys) allows loc ...)
 	NOT-FOR-US: 2345 Security Guard
 CVE-2018-8875 (In 2345 Security Guard 3.6, the driver file (2345Wrath.sys) allows loc ...)
@@ -200766,7 +200769,7 @@ CVE-2016-4607 (libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes be
 	NOTE: Apple still does not provide information on this CVE, although it is
 	NOTE: possible that it's fixed in 1.1.29 upstream.
 CVE-2016-4606 (Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 al ...)
-	TODO: check
+	- curl <not-affected> (Only applies to Curl on Mac OS)
 CVE-2016-4605 (Calendar in Apple iOS before 9.3.3 allows remote attackers to cause a  ...)
 	NOT-FOR-US: Apple
 CVE-2016-4604 (Safari in Apple iOS before 9.3.3 allows remote attackers to spoof the  ...)
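Review bot: the rationale in `- curl <not-affected> (Only applies to Curl on Mac OS)` says where the bug was reported, not why Debian's curl is unaffected: the description reads "Curl before 7.49.1 in Apple OS X", so if the flaw is in upstream code fixed in 7.49.1 the entry should carry a fixed version rather than <not-affected>, and if it is specific to Apple's build or patches the note should say so. Minor: use the description's platform naming (OS X / macOS) instead of "Mac OS".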
@@ -249083,7 +249086,7 @@ CVE-2014-6419
 CVE-2014-6415
 	RESERVED
 CVE-2014-6413 (A Cross-site Scripting (XSS) vulnerability exists in WatchGuard XTM 11 ...)
-	TODO: check
+	NOT-FOR-US: WatchGuard
 CVE-2014-6412 (WordPress before 4.4 makes it easier for remote attackers to predict p ...)
 	- wordpress <not-affected> (Affects only Wordpress on Windows systems)
 CVE-2014-6411
@@ -251171,7 +251174,7 @@ CVE-2014-5470
 CVE-2014-5469
 	RESERVED
 CVE-2014-5468 (A File Inclusion vulnerability exists in Railo 4.2.1 and earlier via a ...)
-	TODO: check
+	NOT-FOR-US: Railo
 CVE-2014-5467
 	RESERVED
 CVE-2014-5466 (Cross-site scripting (XSS) vulnerability in the Dashboard in Splunk We ...)
@@ -252243,15 +252246,15 @@ CVE-2014-5089 (SQL injection vulnerability in admin/options/logs.php in Status2k
 CVE-2014-5088 (Cross-site scripting (XSS) vulnerability in Status2k allows remote att ...)
 	NOT-FOR-US: Status2k
 CVE-2014-5087 (A vulnerability exists in Sphider Search Engine prior to 1.3.6 due to  ...)
-	TODO: check
+	NOT-FOR-US: Sphider Search Engine
 CVE-2014-5086 (A Command Execution vulnerability exists in Sphider Pro, and Sphider P ...)
-	TODO: check
+	NOT-FOR-US: Sphider
 CVE-2014-5085 (A Command Execution vulnerability exists in Sphider Plus 3.2 due to in ...)
-	TODO: check
+	NOT-FOR-US: Sphider
 CVE-2014-5084 (A Command Execution vulnerability exists in Sphider Pro 3.2 due to ins ...)
-	TODO: check
+	NOT-FOR-US: Sphider
 CVE-2014-5083 (A Command Execution vulnerability exists in Sphider before 1.3.6 due t ...)
-	TODO: check
+	NOT-FOR-US: Sphider
 CVE-2014-5082 (Multiple SQL injection vulnerabilities in admin/admin.php in Sphider 1 ...)
 	NOT-FOR-US: Sphider
 CVE-2014-5081 (sphider prior to 1.3.6, sphider-pro prior to 3.2, and sphider-plus pri ...)
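Review bot: the five new Sphider entries use two spellings of the same vendor tag, `NOT-FOR-US: Sphider Search Engine` for CVE-2014-5087 and `NOT-FOR-US: Sphider` for CVE-2014-5086 through CVE-2014-5083 (matching the existing CVE-2014-5082 line); pick one, preferably the existing `NOT-FOR-US: Sphider`, so grep-based audits of the list find all of them together.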
@@ -255171,7 +255174,7 @@ CVE-2014-3880 (The (1) execve and (2) fexecve system calls in the FreeBSD kernel
 	- kfreebsd-9 <removed>
 	- kfreebsd-10 10.0-6
 CVE-2014-3879 (OpenPAM Nummularia 9.2 through 10.0 does not properly handle the error ...)
-	TODO: check
+	NOT-FOR-US: OpenPAM
 CVE-2014-3878 (Multiple cross-site scripting (XSS) vulnerabilities in the web client  ...)
 	NOT-FOR-US: IPSwitch IMail
 CVE-2014-3877 (Incomplete blacklist vulnerability in Frams' Fast File EXchange (F*EX, ...)
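Review bot: CVE-2014-3879 (OpenPAM) sits directly under the kfreebsd-9/kfreebsd-10 package lines for CVE-2014-3880, and OpenPAM is the PAM implementation FreeBSD uses; confirm that no Debian source package, including the kfreebsd userland, ships it before closing as `NOT-FOR-US: OpenPAM`, and use a package line instead if one does.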
@@ -256548,7 +256551,7 @@ CVE-2013-7380 (The Etherpad Lite ep_imageconvert Plugin has a Remote Command Inj
 CVE-2013-7379 (The admin API in the tomato module before 0.0.6 for Node.js does not p ...)
 	NOT-FOR-US: tomato module for Node.js
 CVE-2013-7378 (scripts/email.coffee in the Hubot Scripts module before 2.4.4 for Node ...)
-	TODO: check
+	NOT-FOR-US: Hubot Scripts module for Node.js
 CVE-2013-7377 (The codem-transcode module before 0.5.0 for Node.js, when ffprobe is e ...)
 	NOT-FOR-US: codem-transcode Node module
 CVE-2013-7376 (Multiple cross-site request forgery (CSRF) vulnerabilities in OpenX 2. ...)
@@ -269072,7 +269075,7 @@ CVE-2013-6024 (The Edge Client components in F5 BIG-IP APM 10.x, 11.x, 12.x, 13.
 CVE-2013-6023 (Directory traversal vulnerability in the TVT TD-2308SS-B DVR with firm ...)
 	NOT-FOR-US: TVT TD-2308SS-B DVR
 CVE-2013-6022 (A Cross-Site Scripting (XSS) vulnerability exists in Tiki Wiki CMG Gro ...)
-	TODO: check
+	- tikiwiki <removed>
 CVE-2013-6021 (Buffer overflow in WGagent in WatchGuard WSM and Fireware before 11.8  ...)
 	NOT-FOR-US: WatchGuard WSM and Fireware
 CVE-2013-6020 (passwordRequestPOST.jsp in Tyler Technologies TaxWeb 3.13.3.1 sends di ...)
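Review bot: `- tikiwiki <removed>` is appropriate if the source package has left the archive, but unlike the dojo entry in this same change it carries no NOTE reference; given the truncated description ("Tiki Wiki CMG Gro...") a NOTE pointing at the upstream advisory or fixed version would help anyone checking whether a reintroduced package needs the fix.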



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/aeed6b824d2601f06f8a18b862a92301bd675f69...555999387ec6a8fa2c46b948d3727d132e2e415f

-- 
You're receiving this email because of your account on salsa.debian.org.



