[Git][security-tracker-team/security-tracker][master] opensc no-dsa

Moritz Muehlenhoff jmm at debian.org
Tue Oct 6 21:50:14 BST 2020



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e3309143 by Moritz Muehlenhoff at 2020-10-06T22:49:46+02:00
opensc no-dsa
sqlite3 triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -98,14 +98,17 @@ CVE-1999-0199 (manual/search.texi in the GNU C Library (aka glibc) before 2.2 la
 	TODO: check
 CVE-2020-26572 (The TCOS smart card software driver in OpenSC before 0.21.0-rc1 has a  ...)
 	- opensc <unfixed>
+	[buster] - opensc <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22967
 	NOTE: https://github.com/OpenSC/OpenSC/commit/9d294de90d1cc66956389856e60b6944b27b4817
 CVE-2020-26571 (The gemsafe GPK smart card software driver in OpenSC before 0.21.0-rc1 ...)
 	- opensc <unfixed>
+	[buster] - opensc <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20612
 	TODO: check, unclear fixing commit
 CVE-2020-26570 (The Oberthur smart card software driver in OpenSC before 0.21.0-rc1 ha ...)
 	- opensc <unfixed>
+	[buster] - opensc <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24316
 	NOTE: https://github.com/OpenSC/OpenSC/commit/6903aebfddc466d966c7b865fae34572bf3ed23e
 CVE-2020-26569
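
Review bot: CVE-2020-26571 is marked <no-dsa> (Minor issue) for buster while its entry still carries "TODO: check, unclear fixing commit", so the severity call is recorded before the fix has been identified. Resolve the TODO first, or state in the parenthetical what makes the issue minor. The same bare "Minor issue" reason on CVE-2020-26572 and CVE-2020-26570 gives a later reader nothing to re-check the decision against.
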
@@ -28314,6 +28317,7 @@ CVE-2020-13632 (ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL point
 	[jessie] - sqlite3 <not-affected> (Vulnerable code not present)
 	NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=1080459
 	NOTE: https://sqlite.org/src/info/a4dd148928ea65bd
+	NOTE: https://github.com/sqlite/sqlite/commit/219b8e7e7587df8669d96ce867cdd61ca1c05730
 CVE-2020-13631 (SQLite before 3.32.0 allows a virtual table to be renamed to the name  ...)
 	- sqlite3 3.32.0-1
 	[buster] - sqlite3 <ignored> (Minor issue, too intrusive to backport)
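
Review bot: The NOTE added to CVE-2020-13632 is an unlabelled GitHub URL placed directly under the existing sqlite.org/src/info/a4dd148928ea65bd reference, and nothing says whether it is the same fix or an additional one. Label it, for example "NOTE: Fixed by: ..." as the CVE-2020-11655 entry does, or note that it is the GitHub mirror of the check-in above. The CVE-2020-13630 addition in the next hunk has the same gap.
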
@@ -28327,6 +28331,7 @@ CVE-2020-13630 (ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in
 	[jessie] - sqlite3 <not-affected> (Vulnerable code not found)
 	NOTE: https://bugs.chromium.org/p/chromium/issues/detail?id=1080459
 	NOTE: https://sqlite.org/src/info/0d69f76f0865f962
+	NOTE: https://github.com/sqlite/sqlite/commit/becd68ba0dac41904aa817d96a67fb4685734b41
 CVE-2020-13629
 	RESERVED
 CVE-2020-13628 (Cross-site scripting (XSS) vulnerability allows remote attackers to in ...)
@@ -28749,6 +28754,7 @@ CVE-2020-13434 (SQLite through 3.32.0 has an integer overflow in sqlite3_str_vap
 	[buster] - sqlite3 <no-dsa> (Minor issue)
 	NOTE: https://www.sqlite.org/src/info/23439ea582241138
 	NOTE: https://www.sqlite.org/src/info/d08d3405878d394e
+	NOTE: https://github.com/sqlite/sqlite/commit/dd6c33d372f3b83f4fe57904c2bd5ebba5c38018
 CVE-2020-13433 (Jason2605 AdminPanel 4.0 allows SQL Injection via the editPlayer.php h ...)
 	NOT-FOR-US: Jason2605 AdminPanel
 CVE-2020-13432 (rejetto HFS (aka HTTP File Server) v2.3m Build #300, when virtual file ...)
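
Review bot: CVE-2020-13434 already lists two upstream check-ins (23439ea582241138 and d08d3405878d394e), and the hunk adds a single GitHub commit without saying which of the two it corresponds to. State the mapping in the NOTE, and if both check-ins are needed for the fix, add the second GitHub commit as well so a backporter does not pick up only half of it.
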
@@ -34226,7 +34232,7 @@ CVE-2020-11656 (In SQLite through 3.31.1, the ALTER TABLE implementation has a u
 CVE-2020-11655 (SQLite through 3.31.1 allows attackers to cause a denial of service (s ...)
 	{DLA-2340-1 DLA-2203-1}
 	- sqlite3 3.31.1-5
-	[buster] - sqlite3 <no-dsa> (Minor issue)
+	[buster] - sqlite3 <not-affected> (Introduced/exploitable in 3.30 with 3251a2031bfd29f338a5fda1a08c18878296d354)
 	NOTE: https://www.sqlite.org/cgi/src/tktview?name=af4556bb5c
 	NOTE: Issue covered before: https://www.sqlite.org/cgi/src/info/712e47714863a8ed
 	NOTE: Fixed by: https://www.sqlite.org/cgi/src/info/4a302b42c7bf5e11
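
Review bot: The new buster reason for CVE-2020-11655 cites 3251a2031bfd29f338a5fda1a08c18878296d354 as a bare hash inside the parenthetical, with no URL and no indication of which repository it belongs to, while every other reference in the entry is a NOTE with a link. Move it to its own line, e.g. "NOTE: Introduced by: <URL of that commit>", and choose between "Introduced" and "exploitable", since the two mean different things for a not-affected claim. The entry also still lists {DLA-2340-1 DLA-2203-1}, so a short NOTE on why buster is not affected while advisories exist for this CVE would help.
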
@@ -40699,7 +40705,7 @@ CVE-2020-9328
 	RESERVED
 CVE-2020-9327 (In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger  ...)
 	- sqlite3 3.31.1-3 (bug #951835)
-	[buster] - sqlite3 <no-dsa> (Minor issue)
+	[buster] - sqlite3 <not-affected> (Vulnerable code not present)
 	[stretch] - sqlite3 <not-affected> (vulnerable code not present)
 	[jessie] - sqlite3 <not-affected> (vulnerable code not present)
 	NOTE: https://www.sqlite.org/cgi/src/info/4374860b29383380
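
Review bot: The buster line for CVE-2020-9327 moves from <no-dsa> to <not-affected> (Vulnerable code not present) with no reference to support it, whereas the CVE-2020-11655 change in this same commit names the introducing commit. Add a NOTE with the version or commit that introduced the code so the claim can be checked against buster's version. Minor: the new line capitalises "Vulnerable" while the stretch and jessie lines below it use lowercase.
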
@@ -61597,11 +61603,12 @@ CVE-2019-19246 (Oniguruma through 6.9.3, as used in PHP 7.3.x and other products
 CVE-2019-19245 (NAPC Xinet Elegant 6 Asset Library 6.1.655 allows Pre-Authentication S ...)
 	NOT-FOR-US: NAPC Xinet Elegant 6 Asset Library
 CVE-2019-19244 (sqlite3Select in select.c in SQLite 3.30.1 allows a crash if a sub-sel ...)
-	- sqlite3 3.30.1+fossil191229-1 (bug #946656)
+	- sqlite3 3.30.1+fossil191229-1 (unimportant; bug #946656)
 	[buster] - sqlite3 <no-dsa> (Minor issue)
 	[stretch] - sqlite3 <not-affected> (Vulnerable code introduced later)
 	[jessie] - sqlite3 <not-affected> (Vulnerable code, i.e. window functions, not present)
 	NOTE: https://github.com/sqlite/sqlite/commit/e59c562b3f6894f84c715772c4b116d7b5c01348
+	NOTE: Only triggerable with SQLITE_DEBUG, which Debian builds don't use
 CVE-2019-19243
 	RESERVED
 CVE-2019-19242 (SQLite 3.30.1 mishandles pExpr->y.pTab, as demonstrated by the TK_C ...)
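
Review bot: On CVE-2019-19244 the "- sqlite3 3.30.1+fossil191229-1" line is now tagged unimportant and the new NOTE says the issue is only triggerable with SQLITE_DEBUG, which Debian builds do not use, yet the [buster] line still reads <no-dsa> (Minor issue). If the rationale is the build configuration, it applies to buster as well. Drop or update the [buster] line so the entry does not give two different reasons.
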



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e33091430fec8fd516968803f0b02333cc3ea5cc
