[Git][security-tracker-team/security-tracker][master] various updates
Moritz Muehlenhoff
jmm at debian.org
Tue Sep 8 11:26:17 BST 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b83cab5d by Moritz Muehlenhoff at 2020-09-08T12:25:59+02:00
various updates
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -18970,13 +18970,9 @@ CVE-2020-15890 (LuaJit through 2.1.0-beta3 has an out-of-bounds read because __g
NOTE: No security impact, only "exploitable" with untrusted Lua code
CVE-2020-15889 (Lua through 5.4.0 has a getobjname heap-based buffer over-read because ...)
- lua5.4 5.4.0-2
- - lua5.3 <undetermined>
- - lua5.2 <undetermined>
- - lua5.1 <undetermined>
- - lua50 <undetermined>
NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00078.html
NOTE: https://github.com/lua/lua/commit/127e7a6c8942b362aa3c6627f44d660a4fb75312
- TODO: check details for older versions
+ NOTE: Introduced in 5.4
CVE-2020-15888 (Lua through 5.4.0 mishandles the interaction between stack resizes and ...)
- lua5.4 <unfixed>
- lua5.3 <undetermined>
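Review bot: The four older source packages (lua5.3, lua5.2, lua5.1, lua50) are dropped from CVE-2020-15889 instead of being given an explicit status, so the conclusion survives only in the free-text "NOTE: Introduced in 5.4". Consider keeping them as e.g. `- lua5.3 <not-affected> (Vulnerable code introduced in 5.4)` so each package carries a machine-readable triage result, and say which of the two references (the lua-l thread or the upstream commit 127e7a6c) establishes that the getobjname code path only exists from 5.4 onwards.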
@@ -24399,7 +24395,12 @@ CVE-2020-13845 (Sylabs Singularity 3.0 through 3.5 has Improper Validation of an
CVE-2020-13844 (Arm Armv8-A core implementations utilizing speculative execution past ...)
NOTE: https://lists.llvm.org/pipermail/llvm-dev/2020-June/142109.html
NOTE: https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/downloads/straight-line-speculation
- TODO: check further details
+ NOTE: Hardware issue, mitigations to intrusive to backport (and would require to recompile
+ NOTE: the entire distro, which is not warranted for the impact)
+ NOTE: GCC patches:
+ NOTE: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=a9ba2a9b77bec7eacaf066801f22d1c366a2bc86
+ NOTE: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=be178ecd5ac1fe1510d960ff95c66d0ff831afe1
+ NOTE: https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=96b7f495f9269d5448822e4fc28882edb35a58d7
CVE-2020-13843 (An issue was discovered on LG mobile devices with Android OS software ...)
NOT-FOR-US: LG mobile devices
CVE-2020-13842 (An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, ...)
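Review bot: The new NOTE lines for CVE-2020-13844 record a triage decision (hardware issue, mitigations not backported) but the entry still has no package line, so the tracker cannot express that state anywhere except in prose. Consider adding a line for the affected gcc source package(s), e.g. `- gcc-10 <ignored> (Hardware issue; SLS mitigations too intrusive to backport)`, next to the NOTE. Also two typos in the added text: "to intrusive" should read "too intrusive", and "would require to recompile the entire distro" should read "would require recompiling the entire distro".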
@@ -33654,25 +33655,25 @@ CVE-2020-10814 (A buffer overflow vulnerability in Code::Blocks 17.12 allows an
CVE-2020-10813 (A buffer overflow vulnerability in FTPDMIN 0.96 allows attackers to cr ...)
NOT-FOR-US: FTPDMIN
CVE-2020-10812 (An issue was discovered in HDF5 through 1.12.0. A NULL pointer derefer ...)
- - hdf5 <undetermined>
+ - hdf5 <unfixed> (unimportant)
NOTE: https://github.com/Loginsoft-Research/hdf5-reports/tree/master/Vuln_4
NOTE: https://research.loginsoft.com/bugs/null-pointer-dereference-in-h5fquery-c-hdf5-1-13-0/
- TODO: check details
+ NOTE: Negligible security impact, malicous scientific data has more issues than a crash...
CVE-2020-10811 (An issue was discovered in HDF5 through 1.12.0. A heap-based buffer ov ...)
- - hdf5 <undetermined>
+ - hdf5 <unfixed> (unimportant)
NOTE: https://github.com/Loginsoft-Research/hdf5-reports/tree/master/Vuln_2
NOTE: https://research.loginsoft.com/bugs/heap-buffer-overflow-in-h5olayout-c-hdf5-1-13-0/
- TODO: check details
+ NOTE: Negligible security impact, malicous scientific data has more issues than a crash...
CVE-2020-10810 (An issue was discovered in HDF5 through 1.12.0. A NULL pointer derefer ...)
- - hdf5 <undetermined>
+ - hdf5 <unfixed> (unimportant)
NOTE: https://github.com/Loginsoft-Research/hdf5-reports/tree/master/Vuln_3
NOTE: https://research.loginsoft.com/bugs/null-pointer-dereference-in-h5ac-c-hdf5-1-13-0/
- TODO: check details
+ NOTE: Negligible security impact, malicous scientific data has more issues than a crash...
CVE-2020-10809 (An issue was discovered in HDF5 through 1.12.0. A heap-based buffer ov ...)
- - hdf5 <undetermined>
+ - hdf5 <unfixed> (unimportant)
NOTE: https://github.com/Loginsoft-Research/hdf5-reports/tree/master/Vuln_1
NOTE: https://research.loginsoft.com/bugs/heap-overflow-in-decompress-c-hdf5-1-13-0/
- TODO: check details
+ NOTE: Negligible security impact, malicous scientific data has more issues than a crash...
CVE-2020-10808 (Vesta Control Panel (VestaCP) through 0.9.8-26 allows Command Injectio ...)
NOT-FOR-US: Vesta Control Panel
CVE-2020-10807 (auth_svc in Caldera before 2.6.5 allows authentication bypass (for RES ...)
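Review bot: "malicous" is misspelled ("malicious") in each of the four added NOTE lines for CVE-2020-10812, -10811, -10810 and -10809. Separately, the identical justification ("has more issues than a crash") is applied to the two heap-based buffer overflows (CVE-2020-10811, CVE-2020-10809) as well as to the two NULL pointer dereferences; for the overflows the `(unimportant)` rating rests on HDF5 files being trusted input rather than on the bug being crash-only, so stating that trust-model argument in the NOTE would make the rating easier to defend later.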
@@ -34006,7 +34007,7 @@ CVE-2020-10720 (A flaw was found in the Linux kernel's implementation of GRO in
CVE-2020-10719 (A flaw was found in Undertow in versions before 2.1.1.Final, regarding ...)
- undertow <undetermined>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1828459
- TODO: check, no details on Red Hat bugreport
+ TODO: no details on Red Hat bugreport
CVE-2020-10718
RESERVED
- wildfly <itp> (bug #752018)
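Review bot: For CVE-2020-10719 the package stays `<undetermined>` and the reworded TODO no longer says what is being waited for; a concrete trigger such as "TODO: re-check once Red Hat bug #1828459 is public or an upstream Undertow fix is referenced" gives the next triage pass something actionable.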
@@ -38366,7 +38367,7 @@ CVE-2020-8920
CVE-2020-8919
RESERVED
CVE-2020-8918 (An improperly initialized 'migrationAuth' value in Google's go-tpm TPM ...)
- TODO: check
+ NOT-FOR-US: go-tpm TPM1.2 library
CVE-2020-8917
RESERVED
CVE-2020-8916 (A memory leak in Openthread's wpantund versions up to commit 0e5d1601f ...)
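Review bot: The NOT-FOR-US for CVE-2020-8918 (go-tpm TPM 1.2 'migrationAuth') should be double-checked against the golang-github-* source packages in the archive before it is taken as final, since Go libraries are frequently packaged as separate source packages and statically linked into other binaries; if no such package exists, the line is correct as written.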
@@ -38941,9 +38942,9 @@ CVE-2020-8682 (Out of bounds read in system driver for some Intel(R) Graphics Dr
CVE-2020-8681 (Out of bounds write in system driver for some Intel(R) Graphics Driver ...)
NOT-FOR-US: Intel
CVE-2020-8680 (Race condition in some Intel(R) Graphics Drivers before version 15.40. ...)
- TODO: check
+ NOT-FOR-US: Intel
CVE-2020-8679 (Out-of-bounds write in Kernel Mode Driver for some Intel(R) Graphics D ...)
- TODO: check
+ NOT-FOR-US: Intel
CVE-2020-8678
RESERVED
CVE-2020-8677
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b83cab5d8f088b1e8b230b4560b051b867012180