[Git][security-tracker-team/security-tracker][master] new issues in golang-github-unknwon-cae (sic!), Go...
Moritz Muehlenhoff
jmm at debian.org
Wed Jul 15 14:36:37 BST 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7d66f3dc by Moritz Muehlenhoff at 2020-07-15T15:35:37+02:00
new issues in golang-github-unknwon-cae (sic!), Go...
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -4478,6 +4478,7 @@ CVE-2020-13924
RESERVED
CVE-2020-13923
RESERVED
+ NOT-FOR-US: Apache OFBiz
CVE-2020-13922
RESERVED
CVE-2020-13921
@@ -16931,6 +16932,7 @@ CVE-2020-9497 (Apache Guacamole 1.1.0 and older do not properly validate datarec
NOTE: https://www.openwall.com/lists/oss-security/2020/07/02/2
CVE-2020-9496
RESERVED
+ NOT-FOR-US: Apache OFBiz
CVE-2020-9495 (Apache Archiva login service before 2.2.5 is vulnerable to LDAP inject ...)
NOT-FOR-US: Apache Archiva
CVE-2020-9494 (Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8. ...)
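Review bot: CVE-2020-9496 here, like CVE-2020-13923 in the preceding hunk, is triaged "NOT-FOR-US: Apache OFBiz" while the entry is still RESERVED and carries no NOTE pointing at the OFBiz advisory the product attribution came from. Suggest adding a NOTE: line with that reference under each so the triage can be re-checked once MITRE publishes the description, as is done for the neighbouring CVE-2020-9497 with its oss-security link.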
@@ -17658,7 +17660,7 @@ CVE-2020-9227
CVE-2020-9226 (HUAWEI P30 with versions earlier than 10.1.0.135(C00E135R2P11) have an ...)
NOT-FOR-US: HUAWEI
CVE-2020-9225 (FusionSphere OpenStack 6.5.1 have an improper permissions management v ...)
- TODO: check
+ NOT-FOR-US: Huawei
CVE-2020-9224
RESERVED
CVE-2020-9223
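Review bot: the new "NOT-FOR-US: Huawei" for CVE-2020-9225 uses different capitalisation from "NOT-FOR-US: HUAWEI" on the adjacent CVE-2020-9226; pick one spelling for the vendor so grep-based audits of the file match both entries.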
@@ -21343,9 +21345,9 @@ CVE-2020-7692 (PKCE support is not implemented in accordance with the RFC for OA
NOTE: https://github.com/googleapis/google-oauth-java-client/issues/469
NOTE: https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824
CVE-2020-7691 (In all versions of the package jspdf, it is possible to use <<sc ...)
- TODO: check
+ NOT-FOR-US: jspdf
CVE-2020-7690 (In all versions of package jspdf, it is possible to inject JavaScript ...)
- TODO: check
+ NOT-FOR-US: jspdf
CVE-2020-7689 (Data is truncated wrong when its length is greater than 255 bytes. ...)
NOT-FOR-US: Node bcrypt
CVE-2020-7688 (The issue occurs because tagName user input is formatted inside the ex ...)
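Review bot: the two jspdf entries (CVE-2020-7691, CVE-2020-7690) are tagged "NOT-FOR-US: jspdf" while the neighbouring npm entries in this file use the ecosystem prefix ("NOT-FOR-US: Node bcrypt" on CVE-2020-7689, "NOT-FOR-US: Node access-policy" on CVE-2020-7674); suggest "NOT-FOR-US: Node jspdf" for consistency.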
@@ -21384,25 +21386,28 @@ CVE-2020-7675 (cd-messenger through 2.7.26 is vulnerable to Arbitrary Code Execu
CVE-2020-7674 (access-policy through 3.1.0 is vulnerable to Arbitrary Code Execution. ...)
NOT-FOR-US: Node access-policy
CVE-2020-7673 (node-extend through 0.2.0 is vulnerable to Arbitrary Code Execution. U ...)
- TODO: check
+ - node-extend <not-affected> (Vulnerable code not present)
+ NOTE: Debian's node-extend is a different package(fork?) which doesn't eval()
CVE-2020-7672 (mosc through 1.0.0 is vulnerable to Arbitrary Code Execution. User inp ...)
- TODO: check
+ NOT-FOR-US: Node mosc
CVE-2020-7671 (goliath through 1.0.6 allows request smuggling attacks where goliath i ...)
- TODO: check
+ NOT-FOR-US: Ruby gem goliath
CVE-2020-7670 (agoo through 2.12.3 allows request smuggling attacks where agoo is use ...)
- TODO: check
+ NOT-FOR-US: Ruby gem agoo
CVE-2020-7669
RESERVED
CVE-2020-7668 (In all versions of the package github.com/unknwon/cae/tz, the ExtractT ...)
- TODO: check
+ - golang-github-unknwon-cae <unfixed>
+ NOTE: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMUNKNWONCAETZ-570384
CVE-2020-7667 (In package github.com/sassoftware/go-rpmutils/cpio before version 0.1. ...)
- TODO: check
+ NOT-FOR-US: github.com/sassoftware/go-rpmutils/cpio go module
CVE-2020-7666
RESERVED
CVE-2020-7665
RESERVED
CVE-2020-7664 (In all versions of the package github.com/unknwon/cae/zip, the Extract ...)
- TODO: check
+ - golang-github-unknwon-cae <unfixed>
+ NOTE: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMUNKNWONCAEZIP-570383
CVE-2020-7663 (websocket-extensions ruby module prior to 0.1.5 allows Denial of Servi ...)
- ruby-websocket-extensions <unfixed> (bug #964274)
NOTE: https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2
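Review bot: the two golang-github-unknwon-cae <unfixed> entries (CVE-2020-7668 for cae/tz, CVE-2020-7664 for cae/zip) carry only a Snyk URL and no Debian bug reference, unlike CVE-2020-7663 right below them which records "(bug #964274)"; since these are both archive-extraction path traversal issues in ExtractTo and the package is marked unfixed, a bug should be filed and its number added, together with the upstream fix commit if one exists, otherwise the entries will not show up in the usual unfixed/no-bug reports. Separately, the NOTE on CVE-2020-7673 leaves "different package(fork?)" as an open question; the <not-affected> (Vulnerable code not present) marking is stronger than that NOTE supports, so either confirm which upstream module Debian's node-extend actually ships and say so, or keep the wording but drop the question mark once verified (also a space is missing before the parenthesis).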
@@ -21861,9 +21866,9 @@ CVE-2020-7460
CVE-2020-7459
RESERVED
CVE-2020-7458 (In FreeBSD 12.1-STABLE before r362281, 11.4-STABLE before r362281, and ...)
- TODO: check
+ NOT-FOR-US: FreeBSD
CVE-2020-7457 (In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-ST ...)
- TODO: check
+ NOT-FOR-US: FreeBSD
CVE-2020-7456 (In FreeBSD 12.1-STABLE before r361918, 12.1-RELEASE before p6, 11.4-ST ...)
- kfreebsd-10 <unfixed> (unimportant)
NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-20:17.usb.asc
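Review bot: CVE-2020-7457 and CVE-2020-7458 are marked "NOT-FOR-US: FreeBSD" while the adjacent CVE-2020-7456 in the same hunk is tracked against kfreebsd-10 <unfixed> (unimportant) with a link to the FreeBSD SA; since Debian still carries a FreeBSD kernel in kfreebsd-10, the two new entries should state whether they are userland-only or why the kernel code is not in kfreebsd-10, or be tracked the same way with the corresponding FreeBSD-SA NOTE.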
@@ -22070,9 +22075,9 @@ CVE-2020-7357
CVE-2020-7356
RESERVED
CVE-2020-7355 (Cross-site Scripting (XSS) vulnerability in the 'notes' field of a dis ...)
- TODO: check
+ NOT-FOR-US: Metasploit Pro
CVE-2020-7354 (Cross-site Scripting (XSS) vulnerability in the 'host' field of a disc ...)
- TODO: check
+ NOT-FOR-US: Metasploit Pro
CVE-2020-7353
RESERVED
CVE-2020-7352
@@ -25290,7 +25295,7 @@ CVE-2020-6116
CVE-2020-6115
RESERVED
CVE-2020-6114 (An exploitable SQL injection vulnerability exists in the Admin Reports ...)
- TODO: check
+ NOT-FOR-US: Glacies IceHRM
CVE-2020-6113
RESERVED
CVE-2020-6112
@@ -25629,7 +25634,7 @@ CVE-2020-5976
CVE-2020-5975
RESERVED
CVE-2020-5974 (NVIDIA JetPack SDK, version 4.2 and 4.3, contains a vulnerability in i ...)
- TODO: check
+ NOT-FOR-US: NVIDIA
CVE-2020-5973 (NVIDIA Virtual GPU Manager and the guest drivers contain a vulnerabili ...)
NOT-FOR-US: NVIDIA Virtual GPU Manager
CVE-2020-5972 (NVIDIA Virtual GPU Manager contains a vulnerability in the vGPU plugin ...)
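Review bot: CVE-2020-5974 is tagged only "NOT-FOR-US: NVIDIA" whereas the neighbouring entries name the product ("NOT-FOR-US: NVIDIA Virtual GPU Manager"); suggest "NOT-FOR-US: NVIDIA JetPack SDK", which is what the description names, so the tag stays useful when NVIDIA issues land in a Debian-packaged component.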
@@ -25787,11 +25792,11 @@ CVE-2020-5913
CVE-2020-5912
RESERVED
CVE-2020-5911 (In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller ...)
- TODO: check
+ NOT-FOR-US: NGINX Controller
CVE-2020-5910 (In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic ...)
- TODO: check
+ NOT-FOR-US: NGINX Controller
CVE-2020-5909 (In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the co ...)
- TODO: check
+ NOT-FOR-US: NGINX Controller
CVE-2020-5908 (In versions bundled with BIG-IP APM 12.1.0-12.1.5 and 11.6.1-11.6.5.2, ...)
NOT-FOR-US: F5 BIG-IP
CVE-2020-5907 (In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.3, 13.1.0-13.1.3.3, ...)
@@ -25807,11 +25812,11 @@ CVE-2020-5903 (In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.
CVE-2020-5902 (In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, ...)
NOT-FOR-US: F5 BIG-IP
CVE-2020-5901 (In NGINX Controller 3.3.0-3.4.0, undisclosed API endpoints may allow f ...)
- TODO: check
+ NOT-FOR-US: NGINX Controller
CVE-2020-5900 (In versions 3.0.0-3.4.0, 2.0.0-2.9.0, and 1.0.1, there is insufficient ...)
- TODO: check
+ NOT-FOR-US: NGINX Controller
CVE-2020-5899 (In NGINX Controller 3.0.0-3.4.0, recovery code required to change a us ...)
- TODO: check
+ NOT-FOR-US: NGINX Controller
CVE-2020-5898 (In versions 7.1.5-7.1.9, BIG-IP Edge Client Windows Stonewall driver d ...)
NOT-FOR-US: F5 BIG-IP
CVE-2020-5897 (In versions 7.1.5-7.1.9, there is use-after-free memory vulnerability ...)
@@ -26077,7 +26082,7 @@ CVE-2020-5768
CVE-2020-5767
RESERVED
CVE-2020-5766 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
- TODO: check
+ NOT-FOR-US: Wordpress plugin
CVE-2020-5765
RESERVED
CVE-2020-5764 (MX Player Android App versions prior to v1.24.5, are vulnerable to a d ...)
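Review bot: "NOT-FOR-US: Wordpress plugin" for CVE-2020-5766 does not identify which plugin is affected, unlike the other NOT-FOR-US tags in this commit, and the upstream spelling is "WordPress"; suggest "NOT-FOR-US: WordPress plugin <name>" with the plugin taken from the full CVE description so a later Debian package of that plugin can be matched against it.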
@@ -26401,7 +26406,7 @@ CVE-2020-5606
CVE-2020-5605
RESERVED
CVE-2020-5604 (Android App 'Mercari' (Japan version) prior to version 3.52.0 allows a ...)
- TODO: check
+ NOT-FOR-US: Mercari
CVE-2020-5603 (Uncontrolled resource consumption vulnerability in Mitsubishi Electori ...)
NOT-FOR-US: Mitsubishi
CVE-2020-5602 (Mitsubishi Electoric FA Engineering Software (CPU Module Logging Confi ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d66f3dc248119e48edd24cb2806d9f7d7b131c7