[Git][security-tracker-team/security-tracker][master] NFUs

Moritz Muehlenhoff jmm at debian.org
Thu May 14 16:44:27 BST 2020



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
cbd1181f by Moritz Muehlenhoff at 2020-05-14T17:44:10+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -338,13 +338,13 @@ CVE-2020-12702
 CVE-2020-12701
 	RESERVED
 CVE-2020-12700 (The direct_mail extension through 5.2.3 for TYPO3 allows Information D ...)
-	TODO: check
+	NOT-FOR-US: Typo3 extension
 CVE-2020-12699 (The direct_mail extension through 5.2.3 for TYPO3 has an Open Redirect ...)
-	TODO: check
+	NOT-FOR-US: Typo3 extension
 CVE-2020-12698 (The direct_mail extension through 5.2.3 for TYPO3 has Broken Access Co ...)
-	TODO: check
+	NOT-FOR-US: Typo3 extension
 CVE-2020-12697 (The direct_mail extension through 5.2.3 for TYPO3 allows Denial of Ser ...)
-	TODO: check
+	NOT-FOR-US: Typo3 extension
 CVE-2020-12696 (The iframe plugin before 4.5 for WordPress does not sanitize a URL. ...)
 	NOT-FOR-US: iframe plugin for WordPress
 CVE-2020-12695
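Review bot: the tag text `NOT-FOR-US: Typo3 extension` on the four replaced lines (CVE-2020-12697 through CVE-2020-12700) spells the project differently from the `NOT-FOR-US: TYPO3` tags this same commit adds for CVE-2020-11063 through CVE-2020-11070, and from the descriptions themselves, which write TYPO3. A consistent spelling keeps grep over data/CVE/list reliable; naming the extension as well, e.g. `NOT-FOR-US: TYPO3 direct_mail extension`, would also record which extension was checked, the way the CVE-2020-12696 entry just below names "iframe plugin for WordPress".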
@@ -962,7 +962,7 @@ CVE-2020-12429 (Online Course Registration 2.0 has multiple SQL injections that
 CVE-2020-12428
 	RESERVED
 CVE-2020-12427 (The Western Digital WD Discovery application before 3.8.229 for MyClou ...)
-	TODO: check
+	NOT-FOR-US: Western Digital
 CVE-2020-12426
 	RESERVED
 CVE-2020-12425
@@ -2135,7 +2135,7 @@ CVE-2020-11934
 CVE-2020-11933
 	RESERVED
 CVE-2020-11932 (It was discovered that the Subiquity installer for Ubuntu Server logge ...)
-	TODO: check
+	NOT-FOR-US: Subiquity installer for Ubuntu
 CVE-2020-11931
 	RESERVED
 	NOT-FOR-US: Ubuntu snap packaging of Pulseaudio
@@ -5298,21 +5298,21 @@ CVE-2020-11072 (In SLP Validate (npm package slp-validate) before version 1.2.1,
 CVE-2020-11071 (SLPJS (npm package slpjs) before version 0.27.2, has a vulnerability w ...)
 	TODO: check
 CVE-2020-11070 (The SVG Sanitizer extension for TYPO3 has a cross-site scripting vulne ...)
-	TODO: check
+	NOT-FOR-US: TYPO3
 CVE-2020-11069 (In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has be ...)
-	TODO: check
+	NOT-FOR-US: TYPO3
 CVE-2020-11068
 	RESERVED
 CVE-2020-11067 (In TYPO3 CMS 9.0.0 through 9.5.16 and 10.0.0 through 10.4.1, it has be ...)
-	TODO: check
+	NOT-FOR-US: TYPO3
 CVE-2020-11066 (In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and g ...)
-	TODO: check
+	NOT-FOR-US: TYPO3
 CVE-2020-11065 (In TYPO3 CMS greater than or equal to 9.5.12 and less than 9.5.17, and ...)
-	TODO: check
+	NOT-FOR-US: TYPO3
 CVE-2020-11064 (In TYPO3 CMS greater than or equal to 9.0.0 and less than 9.5.17 and g ...)
-	TODO: check
+	NOT-FOR-US: TYPO3
 CVE-2020-11063 (In TYPO3 CMS versions 10.4.0 and 10.4.1, it has been discovered that t ...)
-	TODO: check
+	NOT-FOR-US: TYPO3
 CVE-2020-11062 (In GLPI after 0.68.1 and before 9.4.6, multiple reflexive XSS occur in ...)
 	- glpi <removed> (unimportant)
 	NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-3xxh-f5p2-jg3h
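Review bot: CVE-2020-11070 concerns the SVG Sanitizer extension for TYPO3, not TYPO3 CMS itself, yet it receives the same bare `NOT-FOR-US: TYPO3` tag as the core CVEs CVE-2020-11063 through CVE-2020-11069; `NOT-FOR-US: TYPO3 SVG Sanitizer extension` would keep the extension case distinguishable from the core ones. The CVE-2020-11062 entry at the end of the hunk also shows the `- glpi <removed> (unimportant)` form the file uses for software that was once packaged; if TYPO3 CMS ever had a Debian source package, that form records the check more precisely than NOT-FOR-US does.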
@@ -5334,7 +5334,7 @@ CVE-2020-11058 (In FreeRDP after 1.1 and before 2.0.0, a stream out-of-bounds se
 	NOTE: https://github.com/FreeRDP/FreeRDP/commit/3627aaf7d289315b614a584afb388f04abfb5bbf
 	NOTE: https://github.com/FreeRDP/FreeRDP/issues/6011
 CVE-2020-11057 (In XWiki Platform 7.2 through 11.10.2, registered users without script ...)
-	TODO: check
+	NOT-FOR-US: XWiki
 CVE-2020-11056 (In Sprout Forms before 3.9.0, there is a potential Server-Side Templat ...)
 	NOT-FOR-US: Sprout Forms
 CVE-2020-11055 (In BookStack greater than or equal to 0.18.0 and less than 0.29.2, the ...)
@@ -6746,7 +6746,7 @@ CVE-2020-10656
 CVE-2020-10655
 	RESERVED
 CVE-2020-10654 (Ping Identity PingID SSH before 4.0.14 contains a heap buffer overflow ...)
-	TODO: check
+	NOT-FOR-US: Ping Identity PingID
 CVE-2020-10653
 	RESERVED
 CVE-2020-10652
@@ -8639,25 +8639,25 @@ CVE-2020-9768 (A use after free issue was addressed with improved memory managem
 CVE-2020-9767
 	RESERVED
 CVE-2020-10028 (Multiple syscalls with insufficient argument validation See NCC-ZEP-00 ...)
-	TODO: check
+	NOT-FOR-US: Zephyr, different from src:zephyr
 CVE-2020-10027 (An attacker who has obtained code execution within a user thread is ab ...)
-	TODO: check
+	NOT-FOR-US: Zephyr, different from src:zephyr
 CVE-2020-10026
 	REJECTED
 CVE-2020-10025
 	REJECTED
 CVE-2020-10024 (The arm platform-specific code uses a signed integer comparison when v ...)
-	TODO: check
+	NOT-FOR-US: Zephyr, different from src:zephyr
 CVE-2020-10023 (The shell subsystem contains a buffer overflow, whereby an adversary w ...)
-	TODO: check
+	NOT-FOR-US: Zephyr, different from src:zephyr
 CVE-2020-10022 (A malformed JSON payload that is received from an UpdateHub server may ...)
-	TODO: check
+	NOT-FOR-US: Zephyr, different from src:zephyr
 CVE-2020-10021 (Out-of-bounds Write in the USB Mass Storage memoryWrite handler with u ...)
-	TODO: check
+	NOT-FOR-US: Zephyr, different from src:zephyr
 CVE-2020-10020
 	REJECTED
 CVE-2020-10019 (USB DFU has a potential buffer overflow where the requested length (wL ...)
-	TODO: check
+	NOT-FOR-US: Zephyr, different from src:zephyr
 CVE-2020-10018 (WebKitGTK through 2.26.4 and WPE WebKit through 2.26.4 (which are the  ...)
 	{DSA-4641-1}
 	- webkit2gtk 2.28.0-2
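Review bot: the qualifier "different from src:zephyr" is the essential part of these seven tags, since the truncated descriptions (for example CVE-2020-10028, "Multiple syscalls with insufficient argument validation See NCC-ZEP-00 ...") never name Zephyr RTOS, so a later triager cannot confirm the vendor from the list alone. Consider carrying the upstream advisory reference (the NCC-ZEP identifier quoted in the descriptions) into a `NOTE:` line on at least one of the entries, following the `NOTE: <url>` convention visible on the FreeRDP and GLPI entries in the previous hunk, so the basis of the check is recorded rather than re-derived.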
@@ -9271,9 +9271,9 @@ CVE-2020-9504
 CVE-2020-9503
 	RESERVED
 CVE-2020-9502 (Some Dahua products with Build time before December 2019 have Session  ...)
-	TODO: check
+	NOT-FOR-US: Dahua
 CVE-2020-9501 (Attackers can obtain Cloud Key information from the Dahua Web P2P cont ...)
-	TODO: check
+	NOT-FOR-US: Dahua
 CVE-2020-9500 (Some products of Dahua have Denial of Service vulnerabilities. After t ...)
 	NOT-FOR-US: Dahua
 CVE-2020-9499 (Some Dahua products have buffer overflow vulnerabilities. After the su ...)
@@ -17835,9 +17835,9 @@ CVE-2020-5897 (In versions 7.1.5-7.1.9, there is use-after-free memory vulnerabi
 CVE-2020-5896 (On versions 7.1.5-7.1.9, the BIG-IP Edge Client's Windows Installer Se ...)
 	NOT-FOR-US: F5 BIG-IP
 CVE-2020-5895 (On NGINX Controller versions 3.1.0-3.3.0, AVRD uses world-readable and ...)
-	TODO: check
+	NOT-FOR-US: NGINX Controller
 CVE-2020-5894 (On versions 3.0.0-3.3.0, the NGINX Controller webserver does not inval ...)
-	TODO: check
+	NOT-FOR-US: NGINX Controller
 CVE-2020-5893 (In versions 7.1.5-7.1.8, when a user connects to a VPN using BIG-IP Ed ...)
 	NOT-FOR-US: F5 BIG-IP
 CVE-2020-5892 (In versions 7.1.5-7.1.8, the BIG-IP Edge Client components in BIG-IP A ...)
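Review bot: `NOT-FOR-US: NGINX Controller` at CVE-2020-5894 and CVE-2020-5895 is correct but easy to misread against src:nginx, which is a packaged source; the Zephyr entries in this same commit spell out "different from src:zephyr" for exactly this situation, and `NOT-FOR-US: NGINX Controller (not src:nginx)` would give the same clarity here.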
@@ -17949,17 +17949,17 @@ CVE-2020-5840 (An issue was discovered in HashBrown CMS before 1.3.2. Server/Ent
 CVE-2020-5839
 	RESERVED
 CVE-2020-5838 (Symantec IT Analytics, prior to 2.9.1, may be susceptible to a cross-s ...)
-	TODO: check
+	NOT-FOR-US: Symantec
 CVE-2020-5837 (Symantec Endpoint Protection, prior to 14.3, may not respect file perm ...)
-	TODO: check
+	NOT-FOR-US: Symantec
 CVE-2020-5836 (Symantec Endpoint Protection, prior to 14.3, can potentially reset the ...)
-	TODO: check
+	NOT-FOR-US: Symantec
 CVE-2020-5835 (Symantec Endpoint Protection Manager, prior to 14.3, has a race condit ...)
-	TODO: check
+	NOT-FOR-US: Symantec
 CVE-2020-5834 (Symantec Endpoint Protection Manager, prior to 14.3, may be susceptibl ...)
-	TODO: check
+	NOT-FOR-US: Symantec
 CVE-2020-5833 (Symantec Endpoint Protection Manager, prior to 14.3, may be susceptibl ...)
-	TODO: check
+	NOT-FOR-US: Symantec
 CVE-2020-5832 (Symantec Data Center Security Manager Component, prior to 6.8.2 (aka 6 ...)
 	NOT-FOR-US: Symantec
 CVE-2020-5831 (Symantec Endpoint Protection Manager (SEPM), prior to 14.2 RU2 MP1, ma ...)
@@ -18549,7 +18549,7 @@ CVE-2020-5540
 CVE-2020-5539 (GRANDIT Ver.1.6, Ver.2.0, Ver.2.1, Ver.2.2, Ver.2.3, and Ver.3.0 do no ...)
 	NOT-FOR-US: GRANDIT
 CVE-2020-5538 (Improper Access Control in PALLET CONTROL Ver. 6.3 and earlier allows  ...)
-	TODO: check
+	NOT-FOR-US: PALLET CONTROL
 CVE-2020-5537
 	RESERVED
 CVE-2020-5536 (OpenBlocks IoT VX2 prior to Ver.4.0.0 (Ver.3 Series) allows an attacke ...)
@@ -18866,7 +18866,7 @@ CVE-2020-5411
 CVE-2020-5410
 	RESERVED
 CVE-2020-5409 (Pivotal Concourse, most versions prior to 6.0.0, allows redirects to u ...)
-	TODO: check
+	NOT-FOR-US: Pivotal
 CVE-2020-5408
 	RESERVED
 CVE-2020-5407 (Spring Security versions 5.2.x prior to 5.2.4 and 5.3.x prior to 5.3.2 ...)
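Review bot: `NOT-FOR-US: Pivotal` at CVE-2020-5409 names only the vendor, while the description identifies the product (Pivotal Concourse); the other tags in this commit name the product (e.g. `Ping Identity PingID`, `NGINX Controller`), so `NOT-FOR-US: Pivotal Concourse` would be consistent and more useful when searching the list.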
@@ -28081,27 +28081,27 @@ CVE-2020-2020
 CVE-2020-2019
 	RESERVED
 CVE-2020-2018 (An authentication bypass vulnerability in Palo Alto Networks PAN-OS Pa ...)
-	TODO: check
+	NOT-FOR-US: PAN-OS
 CVE-2020-2017 (A DOM-Based Cross Site Scripting Vulnerability exists in PAN-OS and Pa ...)
-	TODO: check
+	NOT-FOR-US: PAN-OS
 CVE-2020-2016 (A race condition due to insecure creation of a file in a temporary dir ...)
-	TODO: check
+	NOT-FOR-US: PAN-OS
 CVE-2020-2015 (A buffer overflow vulnerability in the PAN-OS management server allows ...)
-	TODO: check
+	NOT-FOR-US: PAN-OS
 CVE-2020-2014 (An OS Command Injection vulnerability in PAN-OS management server allo ...)
-	TODO: check
+	NOT-FOR-US: PAN-OS
 CVE-2020-2013 (A cleartext transmission of sensitive information vulnerability in Pal ...)
-	TODO: check
+	NOT-FOR-US: PAN-OS
 CVE-2020-2012 (Improper restriction of XML external entity reference ('XXE') vulnerab ...)
-	TODO: check
+	NOT-FOR-US: PAN-OS
 CVE-2020-2011 (An improper input validation vulnerability in the configuration daemon ...)
-	TODO: check
+	NOT-FOR-US: PAN-OS
 CVE-2020-2010 (An OS command injection vulnerability in PAN-OS management interface a ...)
-	TODO: check
+	NOT-FOR-US: PAN-OS
 CVE-2020-2009 (An external control of filename vulnerability in the SD WAN component  ...)
-	TODO: check
+	NOT-FOR-US: PAN-OS
 CVE-2020-2008 (An OS command injection and external control of filename vulnerability ...)
-	TODO: check
+	NOT-FOR-US: PAN-OS
 CVE-2020-2007 (An OS command injection vulnerability in the management server compone ...)
 	TODO: check
 CVE-2020-2006 (A stack-based buffer overflow vulnerability in the management server c ...)
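Review bot: CVE-2020-2007 and CVE-2020-2006 at the end of the hunk describe the same PAN-OS management server component as CVE-2020-2008 through CVE-2020-2018 just above, yet CVE-2020-2007 is left at `TODO: check`; if this is merely where the batch stopped, marking the remaining entries of the same product range in one pass avoids a second triage round over the same advisory set.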



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbd1181f8efc19025bfd446768fd05340063ecca


