[Git][security-tracker-team/security-tracker][master] inn2 n/a
Moritz Muehlenhoff
jmm at debian.org
Tue Sep 8 12:00:31 BST 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
888e7224 by Moritz Muehlenhoff at 2020-09-08T13:00:14+02:00
inn2 n/a
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -18979,17 +18979,12 @@ CVE-2020-15889 (Lua through 5.4.0 has a getobjname heap-based buffer over-read b
NOTE: Introduced in 5.4
CVE-2020-15888 (Lua through 5.4.0 mishandles the interaction between stack resizes and ...)
- lua5.4 <unfixed>
- - lua5.3 <undetermined>
- - lua5.2 <undetermined>
- - lua5.1 <undetermined>
- - lua50 <undetermined>
NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00053.html
NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00054.html
NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00071.html
NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00079.html
NOTE: https://github.com/lua/lua/commit/6298903e35217ab69c279056f925fb72900ce0b7
NOTE: https://github.com/lua/lua/commit/eb41999461b6f428186c55abd95f4ce1a76217d5
- TODO: check details for older versions
CVE-2020-15887 (A SQL injection vulnerability in softwareupdate_controller.php in the ...)
NOT-FOR-US: MunkiReport
CVE-2020-15886 (A SQL injection vulnerability in reportdata_controller.php in the repo ...)
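Review bot: In the CVE-2020-15888 entry, the lua5.3, lua5.2, lua5.1 and lua50 `<undetermined>` lines and the "TODO: check details for older versions" line are removed with no replacement note saying why the older source packages are out of scope. The commit message ("inn2 n/a", "NFUs") does not mention this change either. If the older versions were checked and found unaffected, record that in a NOTE, as the preceding CVE-2020-15889 entry does with "NOTE: Introduced in 5.4", so the triage decision can be verified later.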
@@ -40564,7 +40559,7 @@ CVE-2020-8028
CVE-2020-8027
RESERVED
CVE-2020-8026 (A Incorrect Default Permissions vulnerability in the packaging of inn ...)
- TODO: check
+ - inn2 <not-affected> (inews has correct ownership in Debian)
CVE-2020-8025 (A Incorrect Execution-Assigned Permissions vulnerability in the permis ...)
NOT-FOR-US: SAP
CVE-2020-8024 (A Incorrect Default Permissions vulnerability in the packaging of hyla ...)
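Review bot: On the added inn2 line for CVE-2020-8026, the `<not-affected>` reason "inews has correct ownership in Debian" states a conclusion but not what was checked. The CVE text concerns default permissions in the packaging, so a NOTE recording the owner, group and mode of inews as shipped by the Debian package, and the package version inspected, would let someone re-verify the result if the packaging changes.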
@@ -41364,39 +41359,39 @@ CVE-2020-7729 (The package grunt before 1.3.0 are vulnerable to Arbitrary Code E
CVE-2020-7728
RESERVED
CVE-2020-7727 (All versions of package gedi are vulnerable to Prototype Pollution via ...)
- TODO: check
+ NOT-FOR-US: Node gedi
CVE-2020-7726 (All versions of package safe-object2 are vulnerable to Prototype Pollu ...)
- TODO: check
+ NOT-FOR-US: Node safe-object2
CVE-2020-7725 (All versions of package worksmith are vulnerable to Prototype Pollutio ...)
- TODO: check
+ NOT-FOR-US: Node worksmith
CVE-2020-7724 (All versions of package tiny-conf are vulnerable to Prototype Pollutio ...)
- TODO: check
+ NOT-FOR-US: Node tiny-conf
CVE-2020-7723 (All versions of package promisehelpers are vulnerable to Prototype Pol ...)
- TODO: check
+ NOT-FOR-US: Node promisehelpers
CVE-2020-7722 (All versions of package nodee-utils are vulnerable to Prototype Pollut ...)
- TODO: check
+ NOT-FOR-US: Node nodee-utils
CVE-2020-7721 (All versions of package node-oojs are vulnerable to Prototype Pollutio ...)
- TODO: check
+ NOT-FOR-US: Node node-oojs
CVE-2020-7720 (The package node-forge before 0.10.0 is vulnerable to Prototype Pollut ...)
- node-node-forge <unfixed> (bug #969669)
NOTE: https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677
NOTE: https://github.com/digitalbazaar/forge/commit/6a1e3ef74f6eb345bcff1b82184201d1e28b6756
CVE-2020-7719 (Versions of package locutus before 2.0.12 are vulnerable to prototype ...)
- TODO: check
+ NOT-FOR-US: Node locutus
CVE-2020-7718 (All versions of package gammautils are vulnerable to Prototype Polluti ...)
- TODO: check
+ NOT-FOR-US: Node gammautils
CVE-2020-7717 (All versions of package dot-notes are vulnerable to Prototype Pollutio ...)
- TODO: check
+ NOT-FOR-US: Node dot-notes
CVE-2020-7716 (All versions of package deeps are vulnerable to Prototype Pollution vi ...)
- TODO: check
+ NOT-FOR-US: Node deeps
CVE-2020-7715 (All versions of package deep-get-set are vulnerable to Prototype Pollu ...)
- TODO: check
+ NOT-FOR-US: Node deep-get-set
CVE-2020-7714 (All versions of package confucious are vulnerable to Prototype Polluti ...)
- TODO: check
+ NOT-FOR-US: Node confucious
CVE-2020-7713 (All versions of package arr-flatten-unflatten are vulnerable to Protot ...)
- TODO: check
+ NOT-FOR-US: Node arr-flatten-unflatten
CVE-2020-7712 (This affects the package json before 10.0.0. It is possible to inject ...)
- TODO: check
+ NOT-FOR-US: Node json
CVE-2020-7711 (This affects all versions of package github.com/russellhaering/goxmlds ...)
- golang-github-russellhaering-goxmldsig <unfixed> (bug #968928)
NOTE: https://github.com/russellhaering/goxmldsig/issues/48
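Review bot: The "NOT-FOR-US: Node json" line added for CVE-2020-7712 is ambiguous, because "json" alone does not identify which upstream project was ruled out. A more specific label, such as one naming the npm package or its upstream repository, would avoid confusion with other JSON-related software. The remaining NOT-FOR-US lines in this hunk use distinctive package names and a consistent "Node <package>" form, which reads fine.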
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/888e72243c8e862d08236222ec2685a2421e2238