[Git][security-tracker-team/security-tracker][master] stable triage
Moritz Muehlenhoff
jmm at debian.org
Wed Jul 22 17:35:20 BST 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
81694e53 by Moritz Muehlenhoff at 2020-07-22T18:34:56+02:00
stable triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -387,8 +387,7 @@ CVE-2020-15720 (In Dogtag PKI through 10.8.3, the pki.client.PKIConnection class
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1855273
NOTE: https://github.com/dogtagpki/pki/commit/50c23ec146ee9abf28c9de87a5f7787d495f0b72
CVE-2020-15719 (libldap in certain third-party OpenLDAP packages has a certificate-val ...)
- - openldap <unfixed> (bug #965184)
- [stretch] - openldap <no-dsa> (Minor issue, works as intended)
+ - openldap <unfixed> (unimportant; bug #965184)
NOTE: https://bugs.openldap.org/show_bug.cgi?id=9266
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1740070
NOTE: RedHat/CentOS applied patch: https://git.centos.org/rpms/openldap/raw/67459960064be9d226d57c5f82aaba0929876813/f/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch
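Review bot: the rationale for the downgrade disappears in this hunk. The removed `[stretch] - openldap <no-dsa> (Minor issue, works as intended)` line carried the explanation, but the replacement `- openldap <unfixed> (unimportant; bug #965184)` gives only the bug number, and the NOTE lines that follow point at a patch RedHat/CentOS chose to apply, which pulls the other way. Suggest keeping the justification visible, e.g. `NOTE: works as intended upstream, see https://bugs.openldap.org/show_bug.cgi?id=9266`, so a later triager can see why `unimportant` was chosen without re-reading the upstream ticket.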
@@ -11926,11 +11925,10 @@ CVE-2020-11560 (NCH Express Invoice 7.25 allows local users to discover the clea
CVE-2020-11559
RESERVED
CVE-2020-11558 (An issue was discovered in libgpac.a in GPAC 0.8.0, as demonstrated by ...)
- - gpac <undetermined>
+ - gpac <unfixed>
[jessie] - gpac <not-affected> (Vulnerable code not present and not reproducible)
NOTE: https://github.com/gpac/gpac/commit/6063b1a011c3f80cee25daade18154e15e4c058c
NOTE: https://github.com/gpac/gpac/issues/1440
- TODO: check
CVE-2020-11557 (An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 20 ...)
NOT-FOR-US: Castle Rock SNMPc
CVE-2020-11556 (An issue was discovered in Castle Rock SNMPc Online 12.10.10 before 20 ...)
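Review bot: resolving `<undetermined>` to `<unfixed>` and dropping `TODO: check` leaves CVE-2020-11558 with no buster assessment, while the two other gpac entries touched in this same commit (CVE-2019-20162 and CVE-2019-20161) each gain `[buster] - gpac <no-dsa> (Minor issue)`. Either add the buster line here as well or keep the TODO until that decision is made. Also, unlike the openldap and mbedtls `<unfixed>` entries in this commit, the sid line references no `(bug #...)`, even though an upstream fix commit (6063b1a0) is already linked in the NOTE.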
@@ -11970,10 +11968,10 @@ CVE-2020-11540
CVE-2020-11539 (An issue was discovered on Tata Sonata Smart SF Rush 1.12 devices. It ...)
NOT-FOR-US: Tata Sonata Smart SF Rush 1.12 devices
CVE-2020-11538 (In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out- ...)
- - pillow 7.2.0-1 (unimportant)
+ - pillow 7.2.0-1 (low)
+ [buster] - pillow <no-dsa> (Will be fixed via spu)
NOTE: https://github.com/python-pillow/Pillow/pull/4504
NOTE: https://github.com/python-pillow/Pillow/pull/4538
- NOTE: Debian packages are built without JPEG2000 support
CVE-2020-11537 (A SQL Injection issue was discovered in ONLYOFFICE Document Server 5.5 ...)
NOT-FOR-US: ONLYOFFICE Document Server
CVE-2020-11536 (An issue was discovered in ONLYOFFICE Document Server 5.5.0. An attack ...)
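Review bot: removing `NOTE: Debian packages are built without JPEG2000 support` from CVE-2020-11538 is correct: this entry concerns libImaging/SgiRleDecode.c, so the JPEG2000 build note never applied here, and its presence is the likely reason for the earlier `unimportant` rating that this hunk raises to `low`. With the new `[buster] - pillow <no-dsa> (Will be fixed via spu)` line, check whether stretch and jessie need a line too: the sibling Pillow entries CVE-2020-10378 and CVE-2020-10177 further down carry explicit `[stretch]` and `[jessie]` markers, and this one has none.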
@@ -13377,12 +13375,11 @@ CVE-2020-10995 (PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not
NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html
NOTE: https://www.openwall.com/lists/oss-security/2020/05/19/3
CVE-2020-10994 (In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multipl ...)
- - pillow 7.2.0-1 (low)
- [buster] - pillow <no-dsa> (Minor issue)
- [jessie] - pillow <no-dsa> (Minor issue)
+ - pillow 7.2.0-1 (unimportant)
NOTE: https://github.com/python-pillow/Pillow/pull/4505
NOTE: https://github.com/python-pillow/Pillow/pull/4538
NOTE: Fixed in 7.1.0
+ NOTE: Debian packages are built without JPEG2000 support
CVE-2020-10993 (Osmand through 2.0.0 allow XXE because of binary/BinaryMapIndexReader. ...)
NOT-FOR-US: Osmand
CVE-2020-10992 (Azkaban through 3.84.0 allows XXE, related to validator/XmlValidatorMa ...)
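Review bot: the JPEG2000 note lands on the right entry here: CVE-2020-10994 is in libImaging/Jpeg2KDecode.c, so `Debian packages are built without JPEG2000 support` is the justification both for the move to `unimportant` and for dropping the buster and jessie `<no-dsa>` lines. One suggestion: carry the reason in the severity annotation itself, `- pillow 7.2.0-1 (unimportant; built without JPEG2000 support)`, so the rating and its rationale cannot drift apart if NOTE lines are reshuffled again, which is exactly what had happened between these two Pillow entries.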
@@ -13552,6 +13549,7 @@ CVE-2020-10942 (In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhos
NOTE: https://git.kernel.org/linus/42d84c8490f9f0931786f1623191fcab397c3d64 (5.6-rc4)
CVE-2020-10941 (Arm Mbed TLS before 2.6.15 allows attackers to obtain sensitive inform ...)
- mbedtls 2.16.5-1
+ [buster] - mbedtls <no-dsa> (Minor issue)
NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-02
CVE-2020-10940 (Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER ...)
NOT-FOR-US: PHOENIX CONTACT
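Review bot: `(Minor issue)` on its own is thin for an entry whose description says attackers can obtain sensitive information. Since 2.16.5-1 is already recorded as the fixed version in sid, a NOTE stating whether buster's mbedtls is affected and whether the fix is planned for a point release would make the `<no-dsa>` decision checkable rather than asserted.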
@@ -13586,6 +13584,7 @@ CVE-2020-10933 (An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x throu
NOTE: and https://github.com/ruby/ruby/commit/ba5eb6458a7e9a41ee76cfe45b84f997600681dc
CVE-2020-10932 (An issue was discovered in Arm Mbed TLS before 2.16.6 and 2.7.x before ...)
- mbedtls <unfixed> (bug #963159)
+ [buster] - mbedtls <no-dsa> (Minor issue)
NOTE: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released
NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-04
CVE-2020-10930
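Review bot: the sid line stays `- mbedtls <unfixed> (bug #963159)` while buster is marked `<no-dsa> (Minor issue)`, so nothing is fixed in any Debian suite yet. The NOTE already points at the 2.16.6/2.7.15 upstream release; once that is packaged for sid, the buster line should be revisited so the no-dsa marker does not outlive the reason it was set.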
@@ -15308,7 +15307,7 @@ CVE-2020-10379 (In Pillow before 7.1.0, there are two Buffer Overflows in libIma
NOTE: Fixed in 6.2.3 and 7.1.0
CVE-2020-10378 (In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds rea ...)
- pillow 7.2.0-1
- [buster] - pillow <no-dsa> (Minor issue)
+ [buster] - pillow <no-dsa> (Will be fixed via spu)
[stretch] - pillow <not-affected> (Vulnerable code not present)
[jessie] - pillow <no-dsa> (Minor issue)
NOTE: https://github.com/python-pillow/Pillow/pull/4538
@@ -15781,7 +15780,7 @@ CVE-2020-10178
REJECTED
CVE-2020-10177 (Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/Fli ...)
- pillow 7.2.0-1
- [buster] - pillow <ignored> (Minor issue)
+ [buster] - pillow <no-dsa> (Will be fixed via spu)
[jessie] - pillow <no-dsa> (Minor issue)
NOTE: https://github.com/python-pillow/Pillow/pull/4503
NOTE: https://github.com/python-pillow/Pillow/pull/4538
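Review bot: this flips buster from `<ignored>` to `<no-dsa> (Will be fixed via spu)`, i.e. it reverses an earlier decision not to fix. That is consistent with CVE-2020-10378 above, which gets the same wording, but the untouched `[jessie] - pillow <no-dsa> (Minor issue)` line now carries a different rationale for the same bug; a short NOTE on what changed (fix available in 7.2.0-1 via PR 4503/4538, spu planned) would explain the reversal to the next person reading the history.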
@@ -28391,11 +28390,13 @@ CVE-2019-20163 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-developm
CVE-2019-20162 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
{DLA-2072-1}
- gpac <unfixed>
+ [buster] - gpac <no-dsa> (Minor issue)
NOTE: https://github.com/gpac/gpac/issues/1327
NOTE: https://github.com/gpac/gpac/commit/3c0ba42546c8148c51169c3908e845c308746c77
CVE-2019-20161 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
{DLA-2072-1}
- gpac <unfixed>
+ [buster] - gpac <no-dsa> (Minor issue)
NOTE: https://github.com/gpac/gpac/issues/1320
NOTE: https://github.com/gpac/gpac/commit/7a09732d4978586e6284e84caa9c301b2fa5e956
CVE-2019-20160 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
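Review bot: both gpac entries gain `[buster] - gpac <no-dsa> (Minor issue)` but neither has a `[stretch]` line, although the `{DLA-2072-1}` reference shows the older release did receive a fix. If stretch is affected, its status (no-dsa or a pending fix) belongs next to the buster line; if it is not, a `[stretch] - gpac <not-affected>` line would stop the question being re-asked. Both sid lines also remain bare `- gpac <unfixed>` with upstream fix commits linked but no Debian bug referenced.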
@@ -43501,6 +43502,7 @@ CVE-2019-18223 (ZOOM International Call Recording 6.3.1 suffers from multiple au
NOT-FOR-US: ZOOM International Call Recording
CVE-2019-18222 (The ECDSA signature implementation in ecdsa.c in Arm Mbed Crypto 2.1 a ...)
- mbedtls 2.16.4-1
+ [buster] - mbedtls <no-dsa> (Minor issue)
NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12
NOTE: Fixed upstream in 2.20.0, 2.16.4 and 2.7.13
CVE-2019-18221 (CoreHR Core Portal before 27.0.7 allows stored XSS. ...)
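Review bot: this is the third mbedtls buster `<no-dsa> (Minor issue)` added in this commit, after CVE-2020-10941 and CVE-2020-10932. If the intent is to ship them together in a stable point release, the Pillow entries in the same commit use the clearer wording `(Will be fixed via spu)`; plain `Minor issue` reads as "will not be fixed in buster", which is a different statement. The fix is already identified here (2.16.4-1 in sid, upstream 2.20.0/2.16.4/2.7.13 per the NOTE), so the entry has everything needed to say which of the two is meant.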
@@ -67486,6 +67488,7 @@ CVE-2019-10774 (php-shellcommand versions before 1.6.1 have a command injection
NOTE: https://github.com/mikehaertl/php-shellcommand/issues/44
CVE-2019-10773 (In Yarn before 1.21.1, the package install functionality can be abused ...)
- node-yarnpkg 1.21.1-1
+ [buster] - node-yarnpkg <no-dsa> (Minor issue)
NOTE: https://github.com/yarnpkg/yarn/issues/7761#issuecomment-565493023
NOTE: https://blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/
NOTE: https://github.com/yarnpkg/yarn/commit/039bafd74b7b1a88a53a54f8fa6fa872615e90e7
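Review bot: `(Minor issue)` sits oddly next to a NOTE link whose own title calls this a critical design flaw (blog.daniel-ruf.de/critical-design-flaw-npm-pnpm-yarn/). Since node-yarnpkg 1.21.1-1 already carries the fix, the buster no-dsa rationale would be stronger if it said why the impact is low there, e.g. that exploitation requires installing a crafted package, as the description's "package install functionality can be abused" implies, so the rating is not read as having overlooked the linked write-up.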
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/81694e5337563e88341c4e0db7bd8f106010e1bf