[Git][security-tracker-team/security-tracker][master] new node-fetch, activemq, bitcoin issues
Moritz Muehlenhoff
jmm at debian.org
Fri Sep 11 09:43:00 BST 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8593146a by Moritz Muehlenhoff at 2020-09-11T10:42:34+02:00
new node-fetch, activemq, bitcoin issues
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -20965,7 +20965,7 @@ CVE-2020-15172
CVE-2020-15171 (In XWiki before versions 11.10.5 or 12.2.1, any user with SCRIPT right ...)
TODO: check
CVE-2020-15170 (apollo-adminservice before version 1.7.1 does not implement access con ...)
- TODO: check
+ NOT-FOR-US: apollo-adminservice
CVE-2020-15169
RESERVED
- rails 2:6.0.3.3+dfsg-1 (bug #970040)
@@ -20973,7 +20973,9 @@ CVE-2020-15169
NOTE: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc?pli=1
NOTE: https://github.com/rails/rails/commit/e663f084460ea56c55c3dc76f78c7caeddeeb02e
CVE-2020-15168 (node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the si ...)
- TODO: check
+ - node-fetch <unfixed>
+ [buster] - node-fetch <no-dsa> (Minor issue)
+ NOTE: https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r
CVE-2020-15167 (In Miller (command line utility) using the configuration file support ...)
- miller 5.9.1+dfsg-1 (bug #969467)
[buster] - miller <not-affected> (Introduced in 5.9.0)
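Review bot: the buster line `[buster] - node-fetch <no-dsa> (Minor issue)` gives no reason why the issue is minor; a short NOTE summarising the linked GHSA advisory would make the no-dsa decision reviewable later. The unstable line `- node-fetch <unfixed>` could also record the upstream fixed versions 2.6.1 and 3.0.0-beta.9 visible in the CVE description, so the eventual upload is easy to match against the fix.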
@@ -23632,7 +23634,8 @@ CVE-2020-14200
CVE-2020-14199 (BIP-143 in the Bitcoin protocol specification mishandles the signing o ...)
NOT-FOR-US: Bitcoin protocol issue
CVE-2020-14198 (Bitcoin Core 0.20.0 allows remote denial of service. ...)
- TODO: check
+ - bitcoin <unfixed>
+ NOTE: https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures#CVE-2020-14198
CVE-2020-14197
RESERVED
CVE-2020-14196 (In PowerDNS Recursor versions up to and including 4.3.1, 4.2.2 and 4.1 ...)
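Review bot: `- bitcoin <unfixed>` records neither a fixed upstream version nor a Debian bug number, unlike the rails and miller entries earlier in this patch (`bug #970040`, `bug #969467`); the linked wiki page should name the fixing release, and a bug against the bitcoin package would make the open issue visible to its maintainer. litecoin, which this file tracks alongside bitcoin under CVE-2018-17144 at the end of this patch, is not assessed here either.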
@@ -24379,7 +24382,8 @@ CVE-2020-13922
CVE-2020-13921 (**Resolved** Only when using H2/MySQL/TiDB as Apache SkyWalking storag ...)
NOT-FOR-US: Apache SkyWalking
CVE-2020-13920 (Apache ActiveMQ uses LocateRegistry.createRegistry() to create the JMX ...)
- TODO: check
+ - activemq <unfixed>
+ NOTE: http://activemq.apache.org/security-advisories.data/CVE-2020-13920-announcement.txt
CVE-2020-13919 (emfd/libemf in Ruckus Wireless Unleashed through 200.7.10.102.92 allow ...)
NOT-FOR-US: Ruckus Wireless Unleashed
CVE-2020-13918 (Incorrect access control in webs in Ruckus Wireless Unleashed through ...)
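Review bot: `- activemq <unfixed>` lacks the fixed upstream version; the linked announcement normally states it, and recording it lets the tracker match a future upload. There is also no `[buster]` annotation, so the stable suite shows as affected without any triage decision having been recorded.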
@@ -29326,7 +29330,8 @@ CVE-2020-12000 (The affected product is vulnerable to the handling of serialized
CVE-2020-11999 (FactoryTalk Linx versions 6.00, 6.10, and 6.11, RSLinx Classic v4.11.0 ...)
NOT-FOR-US: FactoryTalk
CVE-2020-11998 (A regression has been introduced in the commit preventing JMX re-bind. ...)
- TODO: check
+ - activemq <unfixed>
+ NOTE: http://activemq.apache.org/security-advisories.data/CVE-2020-11998-announcement.txt
CVE-2020-11997
RESERVED
CVE-2020-11996 (A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat ...)
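Review bot: the description calls CVE-2020-11998 a regression in the commit preventing JMX re-bind, which appears to be the JMX RMI registry fix tracked as CVE-2020-13920 in the previous hunk; a NOTE cross-referencing that CVE would make clear that both need to be handled by the same activemq upload. As with CVE-2020-13920, the entry carries no fixed upstream version.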
@@ -38960,7 +38965,7 @@ CVE-2020-8760
CVE-2020-8759 (Improper access control in the installer for Intel(R) SSD DCT versions ...)
NOT-FOR-US: Intel
CVE-2020-8758 (Improper buffer restrictions in network subsystem in provisioned Intel ...)
- TODO: check
+ NOT-FOR-US: Intel
CVE-2020-8757
RESERVED
CVE-2020-8756
@@ -66089,7 +66094,6 @@ CVE-2019-17558 (Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remot
NOTE: https://www.openwall.com/lists/oss-security/2019/12/30/1
NOTE: https://issues.apache.org/jira/browse/SOLR-13971
NOTE: https://issues.apache.org/jira/browse/SOLR-14025
- TODO: check, whilst the advisory claims 5.0.0 upwards only the SolrParamResourceLoader might be of issue already earlier?
CVE-2019-17557 (It was found that the Apache Syncope EndUser UI login page prio to 2.0 ...)
NOT-FOR-US: Apache Syncope
CVE-2019-17556 (Apache Olingo versions 4.0.0 to 4.6.0 provide the AbstractService clas ...)
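Review bot: the removed TODO asked whether SolrParamResourceLoader made versions before 5.0.0 affected, but no NOTE records the answer; if the check concluded that the advisory's 5.0.0 lower bound is correct, say so in a NOTE, otherwise the open question disappears with the TODO.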
@@ -124490,7 +124494,8 @@ CVE-2018-17147 (Nagios XI before 5.5.4 has XSS in the auto login admin managemen
CVE-2018-17146 (A cross-site scripting vulnerability exists in Nagios XI before 5.5.4 ...)
NOT-FOR-US: Nagios XI
CVE-2018-17145 (Bitcoin Core 0.16.x before 0.16.2 and Bitcoin Knots 0.16.x before 0.16 ...)
- TODO: check
+ - bitcoin 0.16.2~dfsg-1
+ NOTE: https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures#CVE-2018-17145
CVE-2018-17144 (Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x be ...)
- bitcoin 0.16.3~dfsg-1
- litecoin 0.16.3-1
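Review bot: litecoin is listed next to bitcoin for the adjacent CVE-2018-17144 (`- litecoin 0.16.3-1`) but gets no entry for CVE-2018-17145, even though the description covers the same Bitcoin Core 0.16.x series; either add a litecoin line or a NOTE stating why it is not affected.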
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8593146aa09baa3559e5b2eff352f7c1e21d7eca