[Git][security-tracker-team/security-tracker][master] new QT, libreoffice, VLC issues
Moritz Muehlenhoff
jmm at debian.org
Tue Jun 9 10:45:39 BST 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2ef64054 by Moritz Muehlenhoff at 2020-06-09T11:45:10+02:00
new QT, libreoffice, VLC issues
pam-tacplus no-dsa
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -20,7 +20,13 @@ CVE-2020-13966
CVE-2020-13963
RESERVED
CVE-2020-13962 (Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 ...)
- TODO: check
+ - qtbase-opensource-src <unfixed>
+ [buster] - qtbase-opensource-src <not-affected> (Only affects 5.12.2 and later)
+ [stretch] - qtbase-opensource-src <not-affected> (Only affects 5.12.2 and later)
+ [jessie] - qtbase-opensource-src <not-affected> (Only affects 5.12.2 and later)
+ NOTE: https://bugreports.qt.io/browse/QTBUG-83450
+ NOTE: https://github.com/mumble-voip/mumble/issues/3679
+ NOTE: https://github.com/mumble-voip/mumble/pull/4032
CVE-2020-13961
RESERVED
CVE-2020-13960 (D-Link DSL 2730-U IN_1.10 and IN_1.11 and DIR-600M 3.04 devices have t ...)
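Review bot: The new CVE-2020-13962 entry tracks only qtbase-opensource-src, although the description names Mumble builds and two of the three NOTE lines point at the Mumble issue and pull request. Add a line recording the status of mumble, or a NOTE saying why it needs no entry. The "<unfixed>" line also has nothing pointing at an upstream Qt fix beyond the QTBUG link, so a NOTE with the fixing commit would help whoever closes this entry later.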
@@ -126,7 +132,7 @@ CVE-2020-13911
CVE-2020-13910 (Pengutronix Barebox through v2020.05.0 has an out-of-bounds read in nf ...)
NOT-FOR-US: Pengutronix Barebox
CVE-2020-13909 (The Ignition page before 2.0.5 for Laravel mishandles globals, _get, _ ...)
- TODO: check
+ NOT-FOR-US: Laravel
CVE-2020-13908
RESERVED
CVE-2020-13907
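Review bot: The label on CVE-2020-13909 names the framework rather than the affected component. The description says the flaw is in the Ignition page for Laravel, so "NOT-FOR-US: Ignition for Laravel" would be more precise and would not read as a statement about Laravel itself. It would also match the "piechart-panel plugin for Grafana" wording used for CVE-2020-13429 in this file.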
@@ -187,7 +193,9 @@ CVE-2020-13882
RESERVED
CVE-2020-13881 (In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared se ...)
{DLA-2239-1}
- - libpam-tacplus <unfixed>
+ - libpam-tacplus <unfixed> (low)
+ [buster] - libpam-tacplus <no-dsa> (Minor issue)
+ [stretch] - libpam-tacplus <no-dsa> (Minor issue)
NOTE: https://github.com/kravietz/pam_tacplus/commit/4a9852c31c2fd0c0e72fbb689a586aabcfb11cb0
NOTE: https://github.com/kravietz/pam_tacplus/issues/149
CVE-2020-13880
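Review bot: On CVE-2020-13881 the buster and stretch lines are set to "<no-dsa> (Minor issue)" while the entry already carries {DLA-2239-1}, so the same issue was handled with an advisory on the LTS side. If the difference is intentional, a NOTE giving the reason would keep the triage understandable for the next reader; otherwise the two decisions should be aligned.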
@@ -1287,7 +1295,7 @@ CVE-2020-13434 (SQLite through 3.32.0 has an integer overflow in sqlite3_str_vap
CVE-2020-13433 (Jason2605 AdminPanel 4.0 allows SQL Injection via the editPlayer.php h ...)
NOT-FOR-US: Jason2605 AdminPanel
CVE-2020-13432 (rejetto HFS (aka HTTP File Server) v2.3m Build #300, when virtual file ...)
- TODO: check
+ NOT-FOR-US: Rejetto HTTP File Server
CVE-2020-13431
RESERVED
CVE-2020-13430 (Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datasource. ...)
@@ -1296,7 +1304,9 @@ CVE-2020-13430 (Grafana before 7.0.0 allows tag value XSS via the OpenTSDB datas
CVE-2020-13429 (legend.ts in the piechart-panel (aka Pie Chart Panel) plugin before 1. ...)
NOT-FOR-US: piechart-panel plugin for Grafana
CVE-2020-13428 (A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in mod ...)
- TODO: check
+ - vlc <unfixed>
+ NOTE: https://github.com/videolan/vlc-3.0/releases/tag/3.0.11
+ NOTE: http://git.videolan.org/?p=vlc/vlc-3.0.git;a=commit;h=d5c43c21c747ff30ed19fcca745dea3481c733e0
CVE-2020-13427
RESERVED
CVE-2020-13426
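Review bot: The vlc line for CVE-2020-13428 is "<unfixed>" with no severity and no per-release lines, unlike the Qt entry earlier in this commit, which states the status for each release. If the 3.0.11 tag is the upstream release carrying the fix and the git.videolan.org link is the fix commit, say so in the NOTE text, and add the release lines once the affected versions are checked. The second NOTE also uses an http:// URL where the others use https://.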
@@ -2707,9 +2717,11 @@ CVE-2020-12805
CVE-2020-12804
RESERVED
CVE-2020-12803 (ODF documents can contain forms to be filled out by the user. Similar ...)
- TODO: check
+ - libreoffice 1:6.4.4-1 (low)
+ NOTE: https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12803
CVE-2020-12802 (LibreOffice has a 'stealth mode' in which only documents from location ...)
- TODO: check
+ - libreoffice 1:6.4.4-1 (low)
+ NOTE: https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12802
CVE-2020-12801 (If LibreOffice has an encrypted document open and crashes, that docume ...)
- libreoffice 1:6.4.3-1 (low)
[buster] - libreoffice <ignored> (Minor issue)
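Review bot: CVE-2020-12803 and CVE-2020-12802 are marked fixed in 1:6.4.4-1 (low) with no release-specific line, while the adjacent CVE-2020-12801 entry carries "[buster] - libreoffice <ignored> (Minor issue)". Without an explicit buster line these two will keep showing as open for that release. Add the intended buster status, with a reason in parentheses, as was done for CVE-2020-12801.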
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ef6405486bc8da4e908b5aab27ec18a66c3c6e7