[Git][security-tracker-team/security-tracker][master] 4 commits: Reference followup commit needed for CVE-2020-11651

Salvatore Bonaccorso carnil at debian.org
Fri May 1 20:54:05 BST 2020 

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
851a5e16 by Salvatore Bonaccorso at 2020-05-01T21:29:13+02:00
Reference followup commit needed for CVE-2020-11651

- - - - -
bca83560 by Salvatore Bonaccorso at 2020-05-01T21:29:59+02:00
Add prefix comment to commit

- - - - -
cd893ac6 by Salvatore Bonaccorso at 2020-05-01T21:46:11+02:00
Add CVE-2020-12050/sqliteodbc

- - - - -
3b53a67d by Salvatore Bonaccorso at 2020-05-01T21:53:34+02:00
Process several NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1268,7 +1268,10 @@ CVE-2020-12052 (Grafana version < 6.7.3 is vulnerable for annotation popup XS
 CVE-2020-12051 (The CentralAuth extension through REL1_34 for MediaWiki allows remote  ...)
 	NOT-FOR-US: MediaWiki extension
 CVE-2020-12050 (SQLiteODBC 0.9996, as packaged for certain Linux distributions as 0.99 ...)
-	TODO: check
+	- sqliteodbc <unfixed> (unimportant)
+	NOTE: The issue is located in the *.spec files used for rpm packaging using insecurely
+	NOTE: /tmp/sqliteodbc$$. Debian packaging maintainer scripts do not suffer from same
+	NOTE: issue.
 CVE-2020-12049
 	RESERVED
 CVE-2020-12048
@@ -3116,13 +3119,12 @@ CVE-2020-11653 (An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x
 CVE-2020-11652 (An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 bef ...)
 	- salt 3000.2+dfsg1-1
 	NOTE: https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst
-	NOTE: https://github.com/saltstack/salt/commit/cce7abad9c22d9d50ccee2813acabff8deca35dd
+	NOTE: Fixed by: https://github.com/saltstack/salt/commit/cce7abad9c22d9d50ccee2813acabff8deca35dd
 CVE-2020-11651 (An issue was discovered in SaltStack Salt before 2019.2.4 and 3000 bef ...)
 	- salt 3000.2+dfsg1-1
 	NOTE: https://github.com/saltstack/salt/blob/v3000.2_docs/doc/topics/releases/3000.2.rst
-	NOTE: https://github.com/saltstack/salt/commit/a67d76b15615983d467ed81371b38b4a17e4f3b7
-	NOTE: There is a typo (for more info see the release notes) in the official correction.
-	NOTE: This should be fixed too since this typo causes a regression.
+	NOTE: Fixed by: https://github.com/saltstack/salt/commit/a67d76b15615983d467ed81371b38b4a17e4f3b7
+	NOTE: Followup needed: https://github.com/saltstack/salt/commit/78172bf647473d5c1c2720e72fc12d6f2314d583
 CVE-2020-11650 (An issue was discovered in iXsystems FreeNAS (and TrueNAS) 11.2 before ...)
 	NOT-FOR-US: FreeNAS
 CVE-2020-11649 (An issue was discovered in GitLab CE and EE 8.15 through 12.9.2. Membe ...)
@@ -4789,7 +4791,7 @@ CVE-2020-11018
 CVE-2020-11017
 	RESERVED
 CVE-2020-11016 (IntelMQ Manager from version 1.1.0 and before version 2.1.1 has a vuln ...)
-	TODO: check
+	NOT-FOR-US: IntelMQ Manager
 CVE-2020-11015
 	RESERVED
 CVE-2020-11014 (Electron-Cash-SLP before version 3.6.2 has a vulnerability. All token  ...)
@@ -5567,7 +5569,7 @@ CVE-2020-10799 (The svglib package through 0.9.3 for Python allows XXE attacks v
 CVE-2020-10798
 	RESERVED
 CVE-2020-10797 (An XSS vulnerability resides in the hostname field of the diag_ping.ph ...)
-	TODO: check
+	NOT-FOR-US: pfSense
 CVE-2020-10796
 	RESERVED
 CVE-2020-10795
@@ -6041,7 +6043,7 @@ CVE-2020-10643
 CVE-2020-10642 (In Rockwell Automation RSLinx Classic versions 4.1.00 and prior, an au ...)
 	NOT-FOR-US: Rockwell
 CVE-2020-10641 (An unprotected logging route may allow an attacker to write endless lo ...)
-	TODO: check
+	NOT-FOR-US: Inductive Automation
 CVE-2020-10640
 	RESERVED
 CVE-2020-10639 (Eaton HMiSoft VU3 (HMIVU3 runtime not impacted), Version 3.00.23 and p ...)
@@ -9508,7 +9510,7 @@ CVE-2020-9100
 CVE-2020-9099
 	RESERVED
 CVE-2020-9098 (Huawei OceanStor 5310 product with version of V500R007C60SPC100 has an ...)
-	TODO: check
+	NOT-FOR-US: Huawei
 CVE-2020-9097
 	RESERVED
 CVE-2020-9096
@@ -10312,11 +10314,11 @@ CVE-2020-8777 (Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.
 CVE-2020-8776 (Alfresco Enterprise before 5.2.7 and Alfresco Community before 6.2.0 ( ...)
 	NOT-FOR-US: Alfresco
 CVE-2020-8775 (Pega Platform before version 8.2.6 is affected by a Stored Cross-Site  ...)
-	TODO: check
+	NOT-FOR-US: Pega Platform
 CVE-2020-8774 (Pega Platform before version 8.2.6 is affected by a Reflected Cross-Si ...)
-	TODO: check
+	NOT-FOR-US: Pega Platform
 CVE-2020-8773 (The Richtext Editor in Pega Platform before 8.2.6 is affected by a Sto ...)
-	TODO: check
+	NOT-FOR-US: Pega Platform
 CVE-2020-8772 (The InfiniteWP Client plugin before 1.9.4.5 for WordPress has a missin ...)
 	NOT-FOR-US: InfiniteWP Client plugin for WordPress
 CVE-2020-8771 (The Time Capsule plugin before 1.21.16 for WordPress has an authentica ...)
@@ -12590,7 +12592,7 @@ CVE-2020-7806
 CVE-2020-7805
 	RESERVED
 CVE-2020-7804 (ActiveX Control(HShell.dll) in Handy Groupware 1.7.3.1 for Windows 7,  ...)
-	TODO: check
+	NOT-FOR-US: Handy Groupware
 CVE-2020-7803
 	RESERVED
 CVE-2020-7802 (The Synergy Systems & Solutions (SSS) HUSKY RTU 6049-E70, with fir ...)
@@ -14026,7 +14028,7 @@ CVE-2020-7138
 CVE-2020-7137
 	RESERVED
 CVE-2020-7136 (A security vulnerability in HPE Smart Update Manager (SUM) prior to ve ...)
-	TODO: check
+	NOT-FOR-US: HPE Smart Update Manager (SUM)
 CVE-2020-7135 (A potential security vulnerability has been identified in the disk dri ...)
 	TODO: check
 CVE-2020-7134 (A remote access to sensitive data vulnerability was discovered in HPE  ...)
@@ -14681,11 +14683,11 @@ CVE-2020-6869
 CVE-2020-6868
 	RESERVED
 CVE-2020-6867 (ZTE's SDON controller is impacted by the resource management error vul ...)
-	TODO: check
+	NOT-FOR-US: ZTE
 CVE-2020-6866 (A ZTE product is impacted by a resource management error vulnerability ...)
-	TODO: check
+	NOT-FOR-US: ZTE
 CVE-2020-6865 (ZTE SDN controller platform is impacted by an information leakage vuln ...)
-	TODO: check
+	NOT-FOR-US: ZTE
 CVE-2020-6864 (ZTE E8820V3 router product is impacted by an information leak vulnerab ...)
 	NOT-FOR-US: ZTE
 CVE-2020-6863 (ZTE E8820V3 router product is impacted by a permission and access cont ...)
@@ -15471,7 +15473,7 @@ CVE-2020-6581 (Nagios NRPE 3.2.1 has Insufficient Filtering because, for example
 CVE-2020-6580
 	RESERVED
 CVE-2020-6579 (Cross-site scripting (XSS) vulnerability in mailhive/cloudbeez/cloudlo ...)
-	TODO: check
+	NOT-FOR-US: MailBeez plugin for ZenCart
 CVE-2020-6578
 	RESERVED
 CVE-2020-6577
@@ -28141,7 +28143,7 @@ CVE-2020-1819
 CVE-2020-1818
 	RESERVED
 CVE-2020-1817 (Huawei PCManager with versions earlier than 10.0.1.36 has a privilege  ...)
-	TODO: check
+	NOT-FOR-US: Huawei
 CVE-2020-1816 (Huawei NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C0 ...)
 	NOT-FOR-US: Huawei
 CVE-2020-1815 (Huawei NIP6800 versions V500R001C30, V500R001C60SPC500, and V500R005C0 ...)
@@ -39299,9 +39301,9 @@ CVE-2019-16655 (joyplus-cms 1.6.0 allows reinstallation if the install/ URI rema
 CVE-2019-16654
 	RESERVED
 CVE-2019-16653 (An application plugin in Genius Bytes Genius Server (Genius CDDS) 3.2. ...)
-	TODO: check
+	NOT-FOR-US: Genius Bytes Genius Server (Genius CDDS)
 CVE-2019-16652 (The BPM component in Genius Bytes Genius Server (Genius CDDS) 3.2.2 al ...)
-	TODO: check
+	NOT-FOR-US: Genius Bytes Genius Server (Genius CDDS)
 CVE-2019-16651
 	RESERVED
 CVE-2019-16650 (On Supermicro X10 and X11 products, a client's access privileges may b ...)
@@ -41125,7 +41127,7 @@ CVE-2019-16013
 CVE-2019-16012 (A vulnerability in the web UI of Cisco SD-WAN Solution vManage softwar ...)
 	NOT-FOR-US: Cisco
 CVE-2019-16011 (A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow ...)
-	TODO: check
+	NOT-FOR-US: Cisco
 CVE-2019-16010 (A vulnerability in the web UI of the Cisco SD-WAN vManage software cou ...)
 	NOT-FOR-US: Cisco
 CVE-2019-16009
@@ -53368,7 +53370,7 @@ CVE-2019-12427 (Zimbra Collaboration before 8.8.15 Patch 1 is vulnerable to a no
 CVE-2019-12426 (an unauthenticated user could get access to information of some backen ...)
 	NOT-FOR-US: Apache OFBiz
 CVE-2019-12425 (Apache OFBiz 17.12.01 is vulnerable to Host header injection by accept ...)
-	TODO: check
+	NOT-FOR-US: Apache OFBiz
 CVE-2019-12424
 	REJECTED
 CVE-2019-12423 (Apache CXF ships with a OpenId Connect JWK Keys service, which allows  ...)
@@ -67556,7 +67558,7 @@ CVE-2018-20764 (A buffer overflow exists in HelpSystems tcpcrypt on Linux, used
 	NOTE: https://community.helpsystems.com/knowledge-base/fox-technologies/hotfix/515/
 	NOTE: No specific information is provided, but seems caused by BoKS shipping tcpcrypt setuid
 CVE-2019-7634 (SUAP V2 allows XSS during the update of user information. ...)
-	TODO: check
+	NOT-FOR-US: SUAP
 CVE-2019-7633
 	RESERVED
 CVE-2019-7632 (LifeSize Team, Room, Passport, and Networker 220 devices allow Authent ...)
@@ -72848,15 +72850,15 @@ CVE-2019-5625 (The Android mobile application Halo Home before 1.11.0 stores OAu
 CVE-2019-5624 (Rapid7 Metasploit Framework suffers from an instance of CWE-22, Improp ...)
 	NOT-FOR-US: Rapid7 Metasploit Framework
 CVE-2019-5623 (Accellion File Transfer Appliance version FTA_8_0_540 suffers from an  ...)
-	TODO: check
+	NOT-FOR-US: Accellion File Transfer Appliance
 CVE-2019-5622 (Accellion File Transfer Appliance version FTA_8_0_540 suffers from an  ...)
-	TODO: check
+	NOT-FOR-US: Accellion File Transfer Appliance
 CVE-2019-5621 (ABBS Software Audio Media Player version 3.1 suffers from an instance  ...)
-	TODO: check
+	NOT-FOR-US: ABBS Software Audio Media Player
 CVE-2019-5620 (ABB MicroSCADA Pro SYS600 version 9.3 suffers from an instance of CWE- ...)
-	TODO: check
+	NOT-FOR-US: ABB MicroSCADA Pro SYS600
 CVE-2019-5619 (AASync.com AASync version 2.2.1.0 suffers from an instance of CWE-121: ...)
-	TODO: check
+	NOT-FOR-US: AASync.com AASync
 CVE-2019-5618 (A-PDF WAV to MP3 version 1.0.0 suffers from an instance of CWE-121: St ...)
 	TODO: check
 CVE-2019-5617 (Computing For Good's Basic Laboratory Information System (also known a ...)
@@ -75705,7 +75707,7 @@ CVE-2019-4329 (IBM Security Guardium Big Data Intelligence (SonarG) 4.0 uses inc
 CVE-2019-4328
 	RESERVED
 CVE-2019-4327 ("HCL AppScan Enterprise uses hard-coded credentials which can be explo ...)
-	TODO: check
+	NOT-FOR-US: HCL AppScan Enterprise
 CVE-2019-4326
 	RESERVED
 CVE-2019-4325



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e28c97660d0485bc16410f653cbc73c5ad860d3e...3b53a67da1409b04b5bd289508e32fcf2e1cb64f

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e28c97660d0485bc16410f653cbc73c5ad860d3e...3b53a67da1409b04b5bd289508e32fcf2e1cb64f
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200501/508dd7b4/attachment.html>

More information about the debian-security-tracker-commits mailing list