[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff
jmm at debian.org
Mon Nov 16 17:36:13 GMT 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
02392f65 by Moritz Muehlenhoff at 2020-11-16T18:35:54+01:00
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -3935,7 +3935,7 @@ CVE-2020-28270 (Overview:Prototype pollution vulnerability in ‘object-hier
CVE-2020-28269 (Prototype pollution vulnerability in 'field' versions 0.0.1 through 1. ...)
NOT-FOR-US: Node field
CVE-2020-28268 (Prototype pollution vulnerability in 'controlled-merge' versions 1.0.0 ...)
- TODO: check
+ NOT-FOR-US: Node controlled-merge
CVE-2020-28267 (Prototype pollution vulnerability in '@strikeentco/set' version 1.0.0 ...)
NOT-FOR-US: Node strikeentco/set
CVE-2017-18926 (raptor_xml_writer_start_element_common in raptor_xml_writer.c in Rapto ...)
@@ -6770,7 +6770,7 @@ CVE-2020-27219
CVE-2020-27218
RESERVED
CVE-2020-27217 (In Eclipse Hono version 1.3.0 and 1.4.0 the AMQP protocol adapter does ...)
- TODO: check
+ NOT-FOR-US: Eclipse Hono
CVE-2020-27216 (In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thr ...)
- jetty9 9.4.33-1
[stretch] - jetty9 <no-dsa> (Minor issue)
@@ -8871,7 +8871,7 @@ CVE-2020-26224
CVE-2020-26223 (Spree is a complete open source e-commerce solution built with Ruby on ...)
NOT-FOR-US: Spree
CVE-2020-26222 (Dependabot is a set of packages for automated dependency management fo ...)
- TODO: check
+ NOT-FOR-US: Dependabot
CVE-2020-26221 (touchbase.ai before version 2.0 is vulnerable to Cross-Site Scripting ...)
NOT-FOR-US: touchbase.ai
CVE-2020-26220 (toucbase.ai before version 2.0 leaks information by not stripping exif ...)
@@ -18590,7 +18590,7 @@ CVE-2020-21669
CVE-2020-21668
RESERVED
CVE-2020-21667 (In fastadmin-tp6 v1.0, in the file app/admin/controller/Ajax.php the ' ...)
- TODO: check
+ NOT-FOR-US: fastadmin-tp6
CVE-2020-21666
RESERVED
CVE-2020-21665
@@ -29521,7 +29521,7 @@ CVE-2020-16275 (A cross-site scripting (XSS) vulnerability in the Credential Man
CVE-2020-16274
RESERVED
CVE-2020-16273 (In Arm software implementing the Armv8-M processors (all versions), th ...)
- TODO: check
+ NOT-FOR-US: Arm hardware issue
CVE-2020-16272 (The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is mis ...)
NOT-FOR-US: Kee Vault KeePassRPC
CVE-2020-16271 (The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 genera ...)
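Review bot: The tag added for CVE-2020-16273 reads "Arm hardware issue", but the description on the line above it says "In Arm software implementing the Armv8-M processors", so the recorded reason does not match the visible text. Consider a tag that names the affected software, or add a NOTE line explaining why this is treated as a hardware matter, so a later triager does not have to re-derive the decision.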
@@ -40104,7 +40104,7 @@ CVE-2020-12309 (Insufficiently protected credentialsin subsystem in some Intel(R
CVE-2020-12308 (Improper access control for the Intel(R) Computing Improvement Program ...)
NOT-FOR-US: Intel
CVE-2020-12307 (Improper permissions in some Intel(R) High Definition Audio drivers be ...)
- TODO: check
+ NOT-FOR-US: Intel
CVE-2020-12306 (Incorrect default permissions in the Intel(R) RealSense(TM) D400 Serie ...)
NOT-FOR-US: Intel
CVE-2020-12305
@@ -50576,7 +50576,7 @@ CVE-2020-8752 (Out-of-bounds write in IPv6 subsystem for Intel(R) AMT, Intel(R)
CVE-2020-8751 (Insufficient control flow management in subsystem for Intel(R) CSME ve ...)
NOT-FOR-US: Intel
CVE-2020-8750 (Use after free in Kernel Mode Driver for Intel(R) TXE versions before ...)
- TODO: check
+ NOT-FOR-US: Intel
CVE-2020-8749 (Out-of-bounds read in subsystem for Intel(R) AMT versions before 11.8. ...)
NOT-FOR-US: Intel
CVE-2020-8748
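Review bot: CVE-2020-8750 is tagged only "NOT-FOR-US: Intel", although its description names a specific component, the Kernel Mode Driver for Intel(R) TXE. Name the component in the tag (for example "Intel TXE kernel mode driver"), in line with the Ethernet 700 series entries later in this commit, which record both product and platform, so the entry can be found by component rather than by vendor alone.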
@@ -50696,13 +50696,13 @@ CVE-2020-8694 (Insufficient access control in the Linux kernel driver for some I
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html
NOTE: https://git.kernel.org/linus/949dd0104c496fa7c14991a23c03c62e44637e71
CVE-2020-8693 (Improper buffer restrictions in the firmware of the Intel(R) Ethernet ...)
- TODO: check
+ NOT-FOR-US: Intel drivers for Ethernet 700 series (apparently for Windows)
CVE-2020-8692 (Insufficient access control in the firmware of the Intel(R) Ethernet 7 ...)
- TODO: check
+ NOT-FOR-US: Intel drivers for Ethernet 700 series (apparently for Windows)
CVE-2020-8691 (A logic issue in the firmware of the Intel(R) Ethernet 700 Series Cont ...)
- TODO: check
+ NOT-FOR-US: Intel drivers for Ethernet 700 series (apparently for Windows)
CVE-2020-8690 (Protection mechanism failure in Intel(R) Ethernet 700 Series Controlle ...)
- TODO: check
+ NOT-FOR-US: Intel drivers for Ethernet 700 series (apparently for Windows)
CVE-2020-8689 (Improper buffer restrictions in the Intel(R) Wireless for Open Source ...)
- iwd 1.5-1
[buster] - iwd <no-dsa> (Minor issue)
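Review bot: The tags added for CVE-2020-8693, CVE-2020-8692 and CVE-2020-8691 say "Intel drivers for Ethernet 700 series (apparently for Windows)", while those three descriptions place the flaw "in the firmware of the Intel(R) Ethernet" 700 series controllers; firmware runs on the controller regardless of the host operating system, so the Windows reasoning does not obviously cover these entries. The word "apparently" also leaves the basis for the decision unrecorded. Suggest wording the tag as firmware where the description says so and adding a NOTE with the Intel advisory URL, as the CVE-2020-8694 entry at the top of this hunk does.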
@@ -51755,7 +51755,7 @@ CVE-2020-8261 (A vulnerability in the Pulse Connect Secure / Pulse Policy Secure
CVE-2020-8260 (A vulnerability in the Pulse Connect Secure < 9.1R9 admin web inter ...)
NOT-FOR-US: Pulse Secure Pulse Connect Secure
CVE-2020-8259 (Insufficient protection of the server-side encryption keys in Nextclou ...)
- TODO: check
+ - nextcloud-server <itp> (bug #941708)
CVE-2020-8258
RESERVED
CVE-2020-8257
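Review bot: The line added for CVE-2020-8259 is a "- nextcloud-server <itp> (bug #941708)" entry, not a NOT-FOR-US tag, so the commit subject "NFUs" does not describe this hunk (the same applies to CVE-2020-8152 in the next hunk). Mention the ITP entries in the commit message or commit them separately, so that a search of the log for Nextcloud triage finds this change.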
@@ -52075,7 +52075,7 @@ CVE-2020-8154 (An Insecure direct object reference vulnerability in Nextcloud Se
CVE-2020-8153 (Improper access control in Groupfolders app 4.0.3 allowed to delete hi ...)
NOT-FOR-US: Nextcloud Groupfolders app
CVE-2020-8152 (Insufficient protection of the server-side encryption keys in Nextclou ...)
- TODO: check
+ - nextcloud-server <itp> (bug #941708)
CVE-2020-8151 (There is a possible information disclosure issue in Active Resource &l ...)
- rails <not-affected> (Vulnerable code splitted out upstream before initial upload to Debian)
NOTE: ActiveResource was extracted to a separate gem in starting in the 4.0 rails
@@ -53096,7 +53096,7 @@ CVE-2020-7774
CVE-2020-7773
RESERVED
CVE-2020-7772 (This affects the package doc-path before 2.1.2. ...)
- TODO: check
+ NOT-FOR-US: Node doc-path
CVE-2020-7771
RESERVED
CVE-2020-7770 (This affects the package json8 before 1.0.3. The function adds in the ...)
@@ -58326,17 +58326,17 @@ CVE-2020-5666 (Uncontrolled resource consumption vulnerability in MELSEC iQ-R Se
CVE-2020-5665
RESERVED
CVE-2020-5664 (Deserialization of untrusted data vulnerability in XooNIps 3.49 and ea ...)
- TODO: check
+ NOT-FOR-US: XooNIps
CVE-2020-5663 (Stored cross-site scripting vulnerability in XooNIps 3.49 and earlier ...)
- TODO: check
+ NOT-FOR-US: XooNIps
CVE-2020-5662 (Reflected cross-site scripting vulnerability in XooNIps 3.49 and earli ...)
- TODO: check
+ NOT-FOR-US: XooNIps
CVE-2020-5661
RESERVED
CVE-2020-5660
RESERVED
CVE-2020-5659 (SQL injection vulnerability in the XooNIps 3.49 and earlier allows rem ...)
- TODO: check
+ NOT-FOR-US: XooNIps
CVE-2020-5658 (Resource Management Errors vulnerability in TCP/IP function included i ...)
NOT-FOR-US: Mitsubishi
CVE-2020-5657 (Improper neutralization of argument delimiters in a command ('Argument ...)
@@ -66973,11 +66973,11 @@ CVE-2020-2494
CVE-2020-2493
RESERVED
CVE-2020-2492 (If exploited, the command injection vulnerability could allow remote a ...)
- TODO: check
+ NOT-FOR-US: QNAP
CVE-2020-2491
RESERVED
CVE-2020-2490 (If exploited, the command injection vulnerability could allow remote a ...)
- TODO: check
+ NOT-FOR-US: QNAP
CVE-2019-19701
RESERVED
CVE-2019-19700
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02392f6585bca6eda793bd7ec567823c5cc1f0bb