[Git][security-tracker-team/security-tracker][master] buster triage

Moritz Muehlenhoff jmm at debian.org
Mon Jul 6 18:29:44 BST 2020



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3e4c3e89 by Moritz Muehlenhoff at 2020-07-06T19:29:25+02:00
buster triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -121,6 +121,7 @@ CVE-2020-15504
 	RESERVED
 CVE-2020-15503 (LibRaw before 0.20-RC1 lacks a thumbnail size range check. This affect ...)
 	- libraw <unfixed>
+	[buster] - libraw <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1853477
 	NOTE: https://github.com/LibRaw/LibRaw/commit/20ad21c0d87ca80217aee47533d91e633ce1864d
 CVE-2020-15502 (** DISPUTED ** The DuckDuckGo application through 5.58.0 for Android,  ...)
@@ -186,6 +187,8 @@ CVE-2020-15475 (In nDPI through 3.2, ndpi_reset_packet_line_info in lib/ndpi_mai
 	NOTE: https://github.com/ntop/nDPI/commit/6a9f5e4f7c3fd5ddab3e6727b071904d76773952
 CVE-2020-15474 (In nDPI through 3.2, there is a stack overflow in extractRDNSequence i ...)
 	- ndpi <unfixed>
+	[buster] - ndpi <not-affected> (Vulnerable code not present)
+	[stretch] - ndpi <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/ntop/nDPI/commit/23594f036536468072198a57c59b6e9d63caf6ce
 CVE-2020-15473 (In nDPI through 3.2, the OpenVPN dissector is vulnerable to a heap-bas ...)
 	- ndpi <unfixed>
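Review bot: the two `<not-affected> (Vulnerable code not present)` lines for CVE-2020-15474 give no reference that lets the claim be re-checked later; the only NOTE is the upstream fix commit, which does not show when `extractRDNSequence` (the function named in the description) gained the affected code. Suggest adding a NOTE with the upstream commit or release that introduced it, so the buster/stretch verdict can be verified against the packaged versions. Also, the trailing context shows CVE-2020-15473 (OpenVPN dissector) still carrying only `- ndpi <unfixed>` with no buster/stretch annotation; if the same analysis was done for it, record the result, otherwise leave a `TODO: check` so the gap is visible.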
@@ -195,6 +198,8 @@ CVE-2020-15472 (In nDPI through 3.2, the H.323 dissector is vulnerable to a heap
 	NOTE: https://github.com/ntop/nDPI/commit/b7e666e465f138ae48ab81976726e67deed12701
 CVE-2020-15471 (In nDPI through 3.2, the packet parsing code is vulnerable to a heap-b ...)
 	- ndpi <unfixed>
+	[buster] - ndpi <not-affected> (Vulnerable code not present)
+	[stretch] - ndpi <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/ntop/nDPI/commit/61066fb106efa6d3d95b67e47b662de208b2b622
 CVE-2020-15470 (ffjpeg through 2020-02-24 has a heap-based buffer overflow in jfif_dec ...)
 	NOT-FOR-US: ffjpeg
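Review bot: same gap as the CVE-2020-15474 entry: the buster and stretch `<not-affected>` lines for CVE-2020-15471 are justified only by "Vulnerable code not present", while the single NOTE points at the fix commit rather than at the change that introduced the heap overflow in the packet parsing code. A NOTE naming the introducing upstream commit or the first affected version would make the not-affected marking auditable by the next person triaging nDPI.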
@@ -1316,7 +1321,8 @@ CVE-2020-14949
 CVE-2020-14948
 	RESERVED
 CVE-2020-14947 (OCS Inventory NG 2.7 allows Remote Command Execution via shell metacha ...)
-	TODO: check
+	- ocsinventory-server <unfixed> (unimportant)
+	NOTE: Only supported in trusted environments, see debtags
 CVE-2020-14946 (downloadFile.ashx in the Administrator section of the Surveillance mod ...)
 	NOT-FOR-US: Surveillance module in Global RADAR BSA Radar
 CVE-2020-14945 (A privilege escalation vulnerability exists within Global RADAR BSA Ra ...)
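Review bot: the `TODO: check` is replaced with `(unimportant)`, but the rationale line `NOTE: Only supported in trusted environments, see debtags` is hard to follow up on: for a remote command execution via shell metacharacters, a reader will want to know which trust assumption is meant and where it is documented. Suggest expanding the NOTE with the concrete debtag or README statement being relied on and, if available, the upstream fix commit or issue, so the downgrade can be revisited if the package's deployment assumptions change.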
@@ -17681,6 +17687,7 @@ CVE-2020-8946 (Netis WF2471 v1.2.30142 devices allow an authenticated attacker t
 	NOT-FOR-US: Netis devices
 CVE-2020-8945 (The proglottis Go wrapper before 0.1.1 for the GPGME library has a use ...)
 	- golang-github-proglottis-gpgme 0.1.1-1 (bug #951372)
+	[buster] - golang-github-proglottis-gpgme <no-dsa> (Minor issue)
 	NOTE: https://github.com/proglottis/gpgme/pull/23
 CVE-2020-8944
 	RESERVED
@@ -19603,6 +19610,7 @@ CVE-2020-8132 (Lack of input validation in pdf-image npm package version <= 2
 	NOT-FOR-US: Node pdf-image package
 CVE-2020-8131 (Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows  ...)
 	- node-yarnpkg 1.22.4-2 (bug #952912)
+	[buster] - node-yarnpkg <no-dsa> (Minor issue)
 	NOTE: https://hackerone.com/reports/730239
 	NOTE: https://github.com/yarnpkg/yarn/pull/7831
 CVE-2020-8130 (There is an OS command injection vulnerability in Ruby Rake < 12.3. ...)
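Review bot: the new `[buster] - node-yarnpkg <no-dsa> (Minor issue)` line records no reasoning for treating an arbitrary filesystem write as minor. A short NOTE stating why (for example, which condition in the HackerOne report or upstream PR #7831 limits impact for the buster package) would let the entry stand on its own when the bug is next reviewed for a point release.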
@@ -147563,7 +147571,8 @@ CVE-2018-1286 (In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileg
 	NOT-FOR-US: Apache OpenMeetings
 CVE-2018-1285 (Apache log4net before 2.0.8 does not disable XML external entities whe ...)
 	{DLA-2211-1}
-	- log4net <unfixed>
+	- log4net <unfixed> (low)
+	[buster] - log4net <no-dsa> (Minor issue)
 	NOTE: https://issues.apache.org/jira/browse/LOG4NET-575
 	NOTE: https://github.com/apache/logging-log4net/commit/d0b4b0157d4af36b23c24a23739c47925c3bd8d7
 CVE-2018-1284 (In Apache Hive 0.6.0 to 2.3.2, malicious user might use any xpath UDFs ...)
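Review bot: the entry now lowers the severity to `(low)` and marks buster `<no-dsa> (Minor issue)`, yet the same issue already has `{DLA-2211-1}` on the line above, meaning stretch received an update for it. The hunk should record why buster is treated differently (for example, whether a fix is intended via a stable point release instead), otherwise the two markings read as inconsistent for one XXE issue.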


=====================================
data/dsa-needed.txt
=====================================
@@ -37,6 +37,8 @@ rails
 ruby2.5/stable
   Utkarsh Gupta proposed to work on an update
 --
+roundcube
+--
 squid/stable
 --
 teeworlds/stable (jmm)
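Review bot: the new `roundcube` entry has neither the `/stable` suffix used by the neighbouring entries (`squid/stable`, `teeworlds/stable (jmm)`) nor a status line like the one under `ruby2.5/stable`. Suggest adding the suite marker and a one-line note on which issue(s) the DSA is needed for and who, if anyone, is working on it, so the entry is actionable without opening the CVE list.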



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e4c3e89ce20df6ecaeac9c55f6a7bdfd27349f5




