[Git][security-tracker-team/security-tracker][master] new kamailio, jupyter-server issues

Thu Nov 26 21:38:13 GMT 2020


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
11584f78 by Moritz Muehlenhoff at 2020-11-26T22:37:38+01:00
new kamailio, jupyter-server issues
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -320,7 +320,7 @@ CVE-2020-28984 (prive/formulaires/configurer_preferences.php in SPIP before 3.2.
 	- spip 3.2.8-1
 	NOTE: https://git.spip.net/spip/spip/commit/ae4267eba1022dabc12831ddb021c5d6e09040f8
 CVE-2020-28975 (** DISPUTED ** svm_predict_values in svm.cpp in Libsvm v324, as used i ...)
-	TODO: check
+	NOTE: disputed libsvm non issue
 CVE-2020-28973
 	RESERVED
 CVE-2020-28972
@@ -2797,7 +2797,9 @@ CVE-2020-28974 (A slab-out-of-bounds read in fbcon in the Linux kernel before 5.
 	NOTE: https://git.kernel.org/linus/3c4e0dff2095c579b142d5a0693257f1c58b4804
 	NOTE: https://www.openwall.com/lists/oss-security/2020/11/09/2
 CVE-2020-28361 (Kamailio before 5.4.0, as used in Sip Express Router (SER) in Sippy So ...)
-	TODO: check, this might be specific to Kamailio as used in the specified product
+	- kamailio 5.4.0-1
+	[buster] - kamailio <no-dsa> (Minor issue)
+	NOTE: https://packetstormsecurity.com/files/159030/Kamailio-5.4.0-Header-Smuggling.html
 CVE-2020-28360 (Insufficient RegEx in private-ip npm package v1.0.5 and below insuffic ...)
 	NOT-FOR-US: Node private-ip
 CVE-2020-28359
@@ -7523,7 +7525,7 @@ CVE-2020-27209
 CVE-2020-27208
 	RESERVED
 CVE-2020-27207 (Zetetic SQLCipher 4.x before 4.4.1 has a use-after-free, related to sq ...)
-	TODO: check
+	NOT-FOR-US: Zetetic SQLCipher
 CVE-2020-27206
 	RESERVED
 CVE-2020-27205
@@ -9660,11 +9662,11 @@ CVE-2020-26243 (Nanopb is a small code-size Protocol Buffers implementation. In
 	NOTE: https://github.com/nanopb/nanopb/commit/edf6dcbffee4d614ac0c2c1b258ab95185bdb6e9 (0.4.4)
 	NOTE: https://github.com/nanopb/nanopb/issues/615
 CVE-2020-26242 (Go Ethereum, or "Geth", is the official Golang implementation of the E ...)
-	TODO: check
+	NOT-FOR-US: Go Ethereum
 CVE-2020-26241 (Go Ethereum, or "Geth", is the official Golang implementation of the E ...)
-	TODO: check
+	NOT-FOR-US: Go Ethereum
 CVE-2020-26240 (Go Ethereum, or "Geth", is the official Golang implementation of the E ...)
-	TODO: check
+	NOT-FOR-US: Go Ethereum
 CVE-2020-26239 (Scratch Addons is a WebExtension that supports both Chrome and Firefox ...)
 	NOT-FOR-US: Scratch Addons
 CVE-2020-26238 (Cron-utils is a Java library to parse, validate, migrate crons as well ...)
@@ -9682,7 +9684,9 @@ CVE-2020-26234
 CVE-2020-26233
 	RESERVED
 CVE-2020-26232 (Jupyter Server before version 1.0.6 has an Open redirect vulnerability ...)
-	TODO: check
+	- jupyter-server 1.0.7-1
+	NOTE: https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-grfj-wjv9-4f9v
+	NOTE: https://github.com/jupyter-server/jupyter_server/commit/3d83e49090289c431da253e2bdb8dc479cbcb157
 CVE-2020-26231 (October is a free, open-source, self-hosted CMS platform based on the  ...)
 	NOT-FOR-US: October CMS
 CVE-2020-26230 (Radar COVID is the official COVID-19 exposure notification app for Spa ...)
@@ -39396,7 +39400,6 @@ CVE-2020-12912 (A potential vulnerability in the AMD extension to Linux "hwmon"
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1897402
 	NOTE: https://support.lenovo.com/lu/uk/product_security/LEN-50481
 	NOTE: CONFIG_SENSORS_AMD_ENERGY not enabled in Debian builds
-	TODO: check, correctness
 CVE-2020-12911 (A denial of service vulnerability exists in the D3DKMTCreateAllocation ...)
 	NOT-FOR-US: AMD ATIKMDAG.SYS
 CVE-2020-12910
@@ -41006,7 +41009,7 @@ CVE-2020-12340
 CVE-2020-12339
 	RESERVED
 CVE-2020-12338 (Insufficient control flow management in the Open WebRTC Toolkit before ...)
-	TODO: check
+	NOT-FOR-US: Intel
 CVE-2020-12337 (Improper buffer restrictions in firmware for some Intel(R) NUCs may al ...)
 	NOT-FOR-US: Intel
 CVE-2020-12336 (Insecure default variable initialization in firmware for some Intel(R) ...)
@@ -54088,9 +54091,9 @@ CVE-2020-7781
 CVE-2020-7780
 	RESERVED
 CVE-2020-7779 (All versions of package djvalidator are vulnerable to Regular Expressi ...)
-	TODO: check
+	NOT-FOR-US: Node djvalidator
 CVE-2020-7778 (This affects the package systeminformation before 4.30.2. The attacker ...)
-	TODO: check
+	NOT-FOR-US: Node systeminformation
 CVE-2020-7777 (This affects all versions of package jsen. If an attacker can control  ...)
 	NOT-FOR-US: Node jsen
 CVE-2020-7776
@@ -276092,7 +276095,7 @@ CVE-2015-5438
 CVE-2015-5437
 	REJECTED
 CVE-2015-5436 (A potential security vulnerability has been identified with HP Integra ...)
-	TODO: check
+	NOT-FOR-US: HP
 CVE-2015-5435 (Unspecified vulnerability in HP Integrated Lights-Out (iLO) firmware 3 ...)
 	NOT-FOR-US: HP
 CVE-2015-5434 (HPE Networking Products, originally branded as Comware 5, Comware 7, H ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11584f78c23c0eef4d199818927254e8d2bf56f3

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11584f78c23c0eef4d199818927254e8d2bf56f3
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20201126/5bbb8f83/attachment.html>
