[Git][security-tracker-team/security-tracker][master] new ansible, google-oauth-client-java, golang issues

Moritz Muehlenhoff jmm at debian.org
Wed Jul 15 10:14:43 BST 2020



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5582d01f by Moritz Muehlenhoff at 2020-07-15T11:14:09+02:00
new ansible, google-oauth-client-java, golang issues
Red Hat NFUs, concludes external check

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -417,6 +417,9 @@ CVE-2020-15587
 	RESERVED
 CVE-2020-15586
 	RESERVED
+	- golang-1.14 <unfixed>
+	- golang-1.11 <removed>
+	NOTE: https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w/m/E6gHDs32AQAJ
 CVE-2020-15585
 	RESERVED
 CVE-2020-15584 (An issue was discovered on Samsung mobile devices with Q(10.0) softwar ...)
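Review bot: the `<removed>` on the golang-1.11 line only records that the package has left unstable; nothing in this hunk says whether older Go versions still shipped in supported releases are affected, whereas the CVE-2020-14039 hunk below adds `TODO: check older versions than golang-1.11` for the very same golang-announce thread. Adding the same TODO (or a release-specific line) here keeps the two entries from the same announcement consistent and stops the removed-from-unstable state from hiding remaining exposure.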
@@ -3438,12 +3441,17 @@ CVE-2020-14331
 	RESERVED
 CVE-2020-14330
 	RESERVED
+	- ansible <unfixed>
+	NOTE: https://github.com/ansible/ansible/issues/68400
 CVE-2020-14329
 	RESERVED
+	NOT-FOR-US: Ansible Tower
 CVE-2020-14328
 	RESERVED
+	NOT-FOR-US: Ansible Tower
 CVE-2020-14327
 	RESERVED
+	NOT-FOR-US: Ansible Tower
 CVE-2020-14326
 	RESERVED
 	- resteasy <undetermined>
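Review bot: the `- ansible <unfixed>` line at CVE-2020-14330 carries only an upstream issue link and no indication of how the stable release is handled (no `[buster]` line, no no-dsa/minor annotation, no TODO), so the entry reads as unfixed everywhere with no follow-up recorded. The three `NOT-FOR-US: Ansible Tower` lines are clear as written; the plain ansible entry deserves the same closure, in the `[buster] - ...` form used elsewhere in this file.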
@@ -4166,6 +4174,10 @@ CVE-2020-14040 (The x/text package before 0.3.3 for Go has a vulnerability in en
 	NOTE: https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0
 CVE-2020-14039
 	RESERVED
+	- golang-1.14 <not-affected> (Windows-specific)
+	- golang-1.11 <not-affected> (Windows-specific)
+	NOTE: https://groups.google.com/g/golang-announce/c/XZNfaiwgt2w/m/E6gHDs32AQAJ
+	TODO: check older versions than golang-1.11
 CVE-2020-XXXX [Editor: Ensure latest comments can only be viewed from public posts]
 	- wordpress 5.4.2+dfsg1-1 (bug #962685)
 	[buster] - wordpress 5.0.10+dfsg1-0+deb10u1
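Review bot: the `TODO: check older versions than golang-1.11` sits directly under two lines whose stated reason for `<not-affected>` is `(Windows-specific)`; if the issue is Windows-only, that reason applies to older versions as well, so either the TODO can be resolved in this commit or it should say what specifically about older versions still needs checking. As it stands the reason and the TODO pull in opposite directions.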
@@ -21324,7 +21336,10 @@ CVE-2020-7694
 CVE-2020-7693 (Incorrect handling of Upgrade header with the value websocket leads in ...)
 	TODO: check
 CVE-2020-7692 (PKCE support is not implemented in accordance with the RFC for OAuth 2 ...)
-	TODO: check
+	- google-oauth-client-java <unfixed>
+	NOTE: https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEOAUTHCLIENT-575276
+	NOTE: https://github.com/googleapis/google-oauth-java-client/issues/469
+	NOTE: https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824
 CVE-2020-7691 (In all versions of the package jspdf, it is possible to use <<sc ...)
 	TODO: check
 CVE-2020-7690 (In all versions of package jspdf, it is possible to inject JavaScript  ...)
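Review bot: the new `- google-oauth-client-java <unfixed>` line is followed by a NOTE pointing at the upstream fix commit, but the entry does not record the upstream release that contains it, so whoever updates the package cannot tell from this file which version clears the issue. Recording the fixed upstream version next to the commit link (once confirmed from the linked issue or advisory) would let the entry move from `<unfixed>` to a versioned line without another lookup.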
@@ -40369,7 +40384,7 @@ CVE-2020-1149 (An elevation of privilege vulnerability exists when the Windows R
 CVE-2020-1148 (A spoofing vulnerability exists when Microsoft SharePoint Server does  ...)
 	NOT-FOR-US: Microsoft
 CVE-2020-1147 (A remote code execution vulnerability exists in .NET Framework, Micros ...)
-	TODO: check
+	NOT-FOR-US: Microsoft .NET
 CVE-2020-1146
 	RESERVED
 CVE-2020-1145 (An information disclosure vulnerability exists in the way that the Win ...)
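Review bot: style point: the preceding entry at CVE-2020-1148 uses the bare `NOT-FOR-US: Microsoft`, while this hunk narrows CVE-2020-1147 to `NOT-FOR-US: Microsoft .NET`. The visible description is truncated at "in .NET Framework, Micros ...", so the full text may list further Microsoft products; the narrower tag is only accurate if .NET is the sole affected component, which is worth confirming before committing to it.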



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5582d01fcdcba1b86be908725d090247282e3f0d




