[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff
jmm at debian.org
Fri Jul 31 13:53:25 BST 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
fd6fa804 by Moritz Muehlenhoff at 2020-07-31T14:53:05+02:00
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -232,7 +232,7 @@ CVE-2020-16090
CVE-2020-16089
RESERVED
CVE-2020-16088 (iked in OpenIKED, as used in OpenBSD through 6.7, allows authenticatio ...)
- TODO: check
+ NOT-FOR-US: OpenIKED
CVE-2020-16087
RESERVED
CVE-2020-16086
@@ -2471,9 +2471,9 @@ CVE-2020-15133
CVE-2020-15132
RESERVED
CVE-2020-15131 (In SLP Validate (npm package slp-validate) before version 1.2.2, there ...)
- TODO: check
+ NOT-FOR-US: Node slp-validate
CVE-2020-15130 (In SLPJS (npm package slpjs) before version 0.27.4, there is a vulnera ...)
- TODO: check
+ NOT-FOR-US: Node slpjs
CVE-2020-15129 (In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists ...)
NOT-FOR-US: Traefik
CVE-2020-15128
@@ -2483,7 +2483,7 @@ CVE-2020-15127
CVE-2020-15126 (In parser-server from version 3.5.0 and before 4.3.0, an authenticated ...)
NOT-FOR-US: Node parser-server
CVE-2020-15125 (In auth0 (npm package) versions before 2.27.1, a DenyList of specific ...)
- TODO: check
+ NOT-FOR-US: Node auth0
CVE-2020-15124 (In Goobi Viewer Core before version 4.8.3, a path traversal vulnerabil ...)
NOT-FOR-US: Goobi Viewer Core
CVE-2020-15123 (In codecov (npm package) before version 3.7.1 the upload method has a ...)
@@ -21204,7 +21204,7 @@ CVE-2020-8217 (A cross site scripting (XSS) vulnerability in Pulse Connect Secur
CVE-2020-8216 (An information disclosure vulnerability in meeting of Pulse Connect Se ...)
NOT-FOR-US: Pulse
CVE-2020-8215 (A buffer overflow is present in canvas version <= 1.6.9, which coul ...)
- TODO: check
+ NOT-FOR-US: Node canvas
CVE-2020-8214 (A path traversal vulnerability in servey version < 3 allows an atta ...)
NOT-FOR-US: servey
CVE-2020-8213 (An information exposure vulnerability exists in UniFi Protect v1.13.3 ...)
@@ -21233,7 +21233,7 @@ CVE-2020-8203 (Prototype pollution attack when using _.zipObjectDeep in lodash &
[stretch] - node-lodash <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://hackerone.com/reports/712065
CVE-2020-8202 (Improper check of inputs in Nextcloud Preferred Providers app v1.6.0 a ...)
- TODO: check
+ NOT-FOR-US: Nextcloud Preferred Providers app
CVE-2020-8201
RESERVED
CVE-2020-8200
@@ -21253,7 +21253,7 @@ CVE-2020-8194 (Reflected code injection in Citrix ADC and Citrix Gateway version
CVE-2020-8193 (Improper access control in Citrix ADC and Citrix Gateway versions befo ...)
NOT-FOR-US: Citrix
CVE-2020-8192 (A denial of service vulnerability exists in Fastify v2.14.1 and v3.0.0 ...)
- TODO: check
+ NOT-FOR-US: Node fastify
CVE-2020-8191 (Improper input validation in Citrix ADC and Citrix Gateway versions be ...)
NOT-FOR-US: Citrix
CVE-2020-8190 (Incorrect file permissions in Citrix ADC and Citrix Gateway before ver ...)
@@ -21297,7 +21297,7 @@ CVE-2020-8177
CVE-2020-8176 (A cross-site scripting vulnerability exists in koa-shopify-auth v3.1.6 ...)
NOT-FOR-US: koa-shopify-auth
CVE-2020-8175 (Uncontrolled resource consumption in `jpeg-js` before 0.4.0 may allow ...)
- TODO: check
+ NOT-FOR-US: Node jimp
CVE-2020-8174 (napi_get_value_string_*() allows various kinds of memory corruption in ...)
{DSA-4696-1}
- nodejs 10.21.0~dfsg-1 (bug #962145)
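Review bot: the new annotation for CVE-2020-8175 names `jimp`, but the description names the package as `jpeg-js`; if the intent is to record the package from the description, the line should read "NOT-FOR-US: Node jpeg-js", and if jimp was chosen because it is the consumer that ships the affected decoder, a short parenthetical saying so would stop a later grep for jpeg-js from missing this entry.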
@@ -22551,7 +22551,7 @@ CVE-2020-7701
CVE-2020-7700
RESERVED
CVE-2020-7699 (This affects the package express-fileupload before 1.1.8. If the parse ...)
- TODO: check
+ NOT-FOR-US: express-fileupload
CVE-2020-7698 (This affects the package Gerapy from 0 and before 0.9.3. The input bei ...)
TODO: check
CVE-2020-7697 (This affects all versions of package mock2easy. a malicious user could ...)
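Review bot: the new line "NOT-FOR-US: express-fileupload" drops the "Node " prefix that the other npm entries in this same commit use ("Node fastify", "Node canvas", "Node auth0"); for consistency and so that searches for Node packages find it, consider "NOT-FOR-US: Node express-fileupload".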
@@ -212195,9 +212195,9 @@ CVE-2016-7066 (It was found that the improper default permissions on /tmp/auth d
CVE-2016-7065 (The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) ...)
NOT-FOR-US: Red Hat JBoss EAP
CVE-2016-7064 (A flaw was found in pritunl-client before version 1.0.1116.6. A lack o ...)
- TODO: check
+ NOT-FOR-US: pritunl-client
CVE-2016-7063 (A flaw was found in pritunl-client before version 1.0.1116.6. Arbitrar ...)
- TODO: check
+ NOT-FOR-US: pritunl-client
CVE-2016-7062 (rhscon-ceph in Red Hat Storage Console 2 x86_64 and Red Hat Storage Co ...)
NOT-FOR-US: Red Hat rhscon-core
CVE-2016-7061 (An information disclosure vulnerability was found in JBoss Enterprise ...)
@@ -282523,7 +282523,7 @@ CVE-2014-1424 (apparmor_parser in the apparmor package before 2.8.95~2430-0ubunt
CVE-2014-1423 (signond before 8.57+15.04.20141127.1-0ubuntu1, as used in Ubuntu Touch ...)
NOT-FOR-US: signond from Ubuntu Touch
CVE-2014-1422 (In Ubuntu's trust-store, if a user revokes location access from an app ...)
- TODO: check
+ NOT-FOR-US: Ubuntu trust-store
CVE-2014-1421 (mountall 1.54, as used in Ubuntu 14.10, does not properly handle the u ...)
- mountall <not-affected> (partman-efi in jessie uses secure umask, mount in older releases not affected)
NOTE: See https://bugs.launchpad.net/ubuntu/+source/partman-efi/+bug/1390183
@@ -289209,8 +289209,7 @@ CVE-2013-5961 (Unrestricted file upload vulnerability in lazyseo.php in the Lazy
CVE-2013-5960 (The authenticated-encryption feature in the symmetric-encryption imple ...)
NOT-FOR-US: OWASP Enterprise Security API for Java
CVE-2013-5958 (The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2. ...)
- NOT-FOR-US: Symfony
- TODO: Check if php-symfony-polyfill/1.17.0-1 needs to be tracked
+ - symfony <not-affected> (Fixed before initial upload)
CVE-2013-5957 (Multiple SQL injection vulnerabilities in CRM/Core/Page/AJAX/Location. ...)
- civicrm <not-affected> (Fixed before initial upload to the archive)
CVE-2013-5956 (Cross-site scripting (XSS) vulnerability in includes/flvthumbnail.php ...)
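Review bot: this hunk removes the "TODO: Check if php-symfony-polyfill/1.17.0-1 needs to be tracked" line but only records a decision for the symfony source package; since the TODO asked a separate question about php-symfony-polyfill, the outcome for that package (for example that the polyfill does not ship the Security component) should be noted, otherwise the reason it no longer needs tracking is lost from the history.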
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd6fa804c093857496cc545929273746b2bc8a33
--
You're receiving this email because of your account on salsa.debian.org.