[Git][security-tracker-team/security-tracker][master] 2 commits: Add four new pillow issues

Salvatore Bonaccorso carnil at debian.org
Thu Jun 25 21:55:44 BST 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c65ce7dd by Salvatore Bonaccorso at 2020-06-25T22:54:40+02:00
Add four new pillow issues

- - - - -
1b0872dd by Salvatore Bonaccorso at 2020-06-25T22:55:30+02:00
Merge remote-tracking branch 'origin/master'

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -10308,7 +10308,10 @@ CVE-2020-11540
 CVE-2020-11539 (An issue was discovered on Tata Sonata Smart SF Rush 1.12 devices. It  ...)
 	NOT-FOR-US: Tata Sonata Smart SF Rush 1.12 devices
 CVE-2020-11538 (In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out- ...)
-	TODO: check
+	- pillow <unfixed>
+	NOTE: https://github.com/python-pillow/Pillow/pull/4504
+	NOTE: https://github.com/python-pillow/Pillow/pull/4538
+	NOTE: Fixed in 7.1.0
 CVE-2020-11537 (A SQL Injection issue was discovered in ONLYOFFICE Document Server 5.5 ...)
 	NOT-FOR-US: ONLYOFFICE Document Server
 CVE-2020-11536 (An issue was discovered in ONLYOFFICE Document Server 5.5.0. An attack ...)
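Review bot: `- pillow <unfixed>` for CVE-2020-11538 carries no severity annotation and no Debian bug reference, even though the NOTE lines already identify the upstream fix (PR 4504, PR 4538, released in 7.1.0). With a fixed upstream release known, the usual `(bug #NNNNNN)` reference after `<unfixed>` would make the entry actionable for the package maintainer; if no bug has been filed yet, that is the missing step.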
@@ -11706,7 +11709,10 @@ CVE-2020-10995 (PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not
 	NOTE: https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2020-01.html
 	NOTE: https://www.openwall.com/lists/oss-security/2020/05/19/3
 CVE-2020-10994 (In libImaging/Jpeg2KDecode.c in Pillow before 7.0.0, there are multipl ...)
-	TODO: check
+	- pillow <unfixed>
+	NOTE: https://github.com/python-pillow/Pillow/pull/4505
+	NOTE: https://github.com/python-pillow/Pillow/pull/4538
+	NOTE: Fixed in 7.1.0
 CVE-2020-10993 (Osmand through 2.0.0 allow XXE because of binary/BinaryMapIndexReader. ...)
 	NOT-FOR-US: Osmand
 CVE-2020-10992 (Azkaban through 3.84.0 allows XXE, related to validator/XmlValidatorMa ...)
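Review bot: the NOTE `Fixed in 7.1.0` for CVE-2020-10994 contradicts the quoted description, which bounds the issue at "Pillow before 7.0.0". If the description's upper bound is known to be wrong, say so explicitly in a NOTE (for example `NOTE: CVE description's 7.0.0 bound is inaccurate, fix is in 7.1.0`) so that someone triaging a 7.0.0 package does not read the entry as already fixed.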
@@ -13602,9 +13608,13 @@ CVE-2020-10380 (RMySQL through 0.10.19 allows SQL Injection. ...)
 	NOTE: Fixed by: https://github.com/r-dbi/RMySQL/commit/c2467c466684b4733a7b0df4689987e1f9dcfc32
 	NOTE: Test: https://github.com/r-dbi/RMySQL/commit/6137ce887c1e36b278f11656a9a9fc1cae6a5f40
 CVE-2020-10379 (In Pillow before 6.2.3 and 7.x before 7.0.1, there are two Buffer Over ...)
-	TODO: check
+	- pillow <unfixed>
+	NOTE: https://github.com/python-pillow/Pillow/pull/4538
+	NOTE: Fixed in 6.2.3 and 7.1.0
 CVE-2020-10378 (In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, ...)
-	TODO: check
+	- pillow <unfixed>
+	NOTE: https://github.com/python-pillow/Pillow/pull/4538
+	NOTE: Fixed in 6.2.3 and 7.1.0
 CVE-2020-10377 (A weak encryption vulnerability in Mitel MiVoice Connect Client before ...)
 	NOT-FOR-US: Mitel
 CVE-2020-10376 (Technicolor TC7337NET 08.89.17.23.03 devices allow remote attackers to ...)
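Review bot: CVE-2020-10379 and CVE-2020-10378 both note `Fixed in 6.2.3 and 7.1.0` while their descriptions say "7.x before 7.0.1"; either the description or the note is off by one release and the entry should state which. These two entries also cite only PR 4538, whereas the other Pillow entries in this commit add an issue-specific PR as well; if a dedicated fix PR exists for the PcxDecode.c issue it is worth adding, otherwise a short NOTE on what PR 4538 covers would help.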
@@ -14067,7 +14077,10 @@ CVE-2020-10179
 CVE-2020-10178
 	REJECTED
 CVE-2020-10177 (Pillow before 6.2.3 and 7.x before 7.0.1 has multiple out-of-bounds re ...)
-	TODO: check
+	- pillow <unfixed>
+	NOTE: https://github.com/python-pillow/Pillow/pull/4503
+	NOTE: https://github.com/python-pillow/Pillow/pull/4538
+	NOTE: Fixed in 6.2.3 and 7.1.0
 CVE-2020-10176 (ASSA ABLOY Yale WIPC-301W 2.x.2.29 through 2.x.2.43_p1 devices allow E ...)
 	NOT-FOR-US: ASSA ABLOY Yale WIPC-301W
 CVE-2020-10175
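Review bot: same version discrepancy for CVE-2020-10177: the description says "7.x before 7.0.1" but the NOTE says 7.1.0. Rather than leaving the contradiction implicit in each entry, align the `Fixed in` notes across this commit to one consistent statement. Note also that the commit message says "four new pillow issues" while five CVE entries are updated here (11538, 10994, 10379, 10378, 10177).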



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1db624b4fd38b19c25ce45471ba465284424281e...1b0872ddd5e02a1564281c1617ab86fe4214ad45
