[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff
jmm at debian.org
Mon Sep 14 19:02:24 BST 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
bd4d8ac1 by Moritz Muehlenhoff at 2020-09-14T20:02:11+02:00
buster triage
also track python-os-brick
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -2112,6 +2112,7 @@ CVE-2020-24553 (Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because tex
- golang-1.15 <unfixed> (bug #969661)
- golang-1.14 <unfixed> (bug #969662)
- golang-1.11 <removed>
+ [buster] - golang-1.11 <no-dsa> (Minor issue)
- golang-1.8 <removed>
- golang-1.7 <removed>
NOTE: https://groups.google.com/forum/#!topic/golang-announce/8wqlSbkLdPs
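Review bot: the new `[buster]` line attaches to golang-1.11, which the line directly above marks `<removed>` in unstable, so this `<no-dsa> (Minor issue)` entry is now the only triage record for the golang-1.11 still shipped in buster; a slightly fuller rationale than "Minor issue" (what limits the impact of this XSS for buster's users) would make the no-dsa decision reproducible when someone revisits the entry after golang-1.14/1.15 are fixed.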
@@ -16344,6 +16345,7 @@ CVE-2020-17481
RESERVED
CVE-2020-17480 (TinyMCE before 4.9.7 and 5.x before 5.1.4 allows XSS in the core parse ...)
- tinymce <unfixed>
+ [buster] - tinymce <no-dsa> (Minor issue)
NOTE: https://github.com/tinymce/tinymce/security/advisories/GHSA-27gm-ghr9-4v95
CVE-2020-17479 (jpv (aka Json Pattern Validator) before 2.2.2 does not properly valida ...)
NOT-FOR-US: jpv
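Review bot: only a `[buster]` triage line is added for tinymce here, while the CVE-2019-1010091 hunk further down in the same patch carries a `[jessie]` line for the same package; if tinymce is also in stretch, a `[stretch]` line (or a note that stretch is not affected or does not ship it) would leave the entry complete for every supported suite.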
@@ -28260,6 +28262,7 @@ CVE-2020-12649 (Gurbalib through 2020-04-30 allows lib/cmds/player/help.c direct
NOT-FOR-US: Gurbalib
CVE-2020-12648 (A cross-site scripting (XSS) vulnerability in TinyMCE 5.2.1 and earlie ...)
- tinymce <unfixed>
+ [buster] - tinymce <no-dsa> (Minor issue)
NOTE: https://labs.bishopfox.com/advisories/tinymce-version-5.2.1
CVE-2020-12647 (Unisys ALGOL Compiler 58.1 before 58.1a.15, 59.1 before 59.1a.9, and 6 ...)
NOT-FOR-US: Unisys ALGOL Compiler
@@ -28821,6 +28824,7 @@ CVE-2020-12414 (IndexedDB should be cleared when leaving private browsing mode a
CVE-2020-12413 [racoon attack for NSS]
RESERVED
- nss <unfixed>
+ [buster] - nss <no-dsa> (Minor issue)
NOTE: https://raccoon-attack.com/
CVE-2020-12412 (By navigating a tab using the history API, an attacker could cause the ...)
- firefox 70.0-1
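Review bot: the working title on the context line reads `[racoon attack for NSS]` while the NOTE URL is raccoon-attack.com; the bracketed name should be spelled `raccoon` so the entry is found when searching the list for the attack name. The `<no-dsa> (Minor issue)` rationale would also read better with a short reason (e.g. the conditions the attack depends on) so the buster decision can be re-evaluated once a fixed nss version is known.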
@@ -34622,9 +34626,10 @@ CVE-2020-10755 (An insecure-credentials flaw was found in all openstack-cinder v
[buster] - cinder <no-dsa> (Minor issue)
[stretch] - cinder <no-dsa> (Minor issue)
[jessie] - cinder <end-of-life> (OpenStack component, not supported in jessie LTS)
+ - python-os-brick 3.1.0-1 (low)
+ [buster] - python-os-brick <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/cinder/+bug/1823200
NOTE: https://wiki.openstack.org/wiki/OSSN/OSSN-0086
- TODO: check, affects as well python-os-brick or needs a respective update?
CVE-2020-10754 (It was found that nmcli, a command line interface to NetworkManager di ...)
- network-manager <unfixed> (unimportant)
NOTE: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/448
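Review bot: the removed TODO asked whether python-os-brick is affected as well, and the new `python-os-brick 3.1.0-1 (low)` line answers it with a fixed version and a `[buster]` no-dsa triage, but unlike the cinder entry directly above there is no `[stretch]` or `[jessie]` line for python-os-brick; either add triage lines for those suites or note that python-os-brick is not shipped there, so the entry is consistent with its cinder sibling. It is also worth confirming against the OSSN-0086 reference that 3.1.0-1 is the version that actually carries the fix rather than merely the first version tracked.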
@@ -46302,6 +46307,7 @@ CVE-2020-6098 (An exploitable denial of service vulnerability exists in the free
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1030
CVE-2020-6097 (An exploitable denial of service vulnerability exists in the atftpd da ...)
- atftp <unfixed> (bug #970066)
+ [buster] - atftp <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1029
CVE-2020-6096 (An exploitable signed comparison vulnerability exists in the ARMv7 mem ...)
- glibc 2.31-2 (low; bug #961452)
@@ -91202,6 +91208,7 @@ CVE-2019-1010092
RESERVED
CVE-2019-1010091 (tinymce 4.7.11, 4.7.12 is affected by: CWE-79: Improper Neutralization ...)
- tinymce <unfixed> (bug #970256)
+ [buster] - tinymce <no-dsa> (Minor issue)
[jessie] - tinymce <ignored> (Minor issue, requires manually copy/pasting javascript to execute it, can't reproduce on Jessie)
NOTE: https://github.com/tinymce/tinymce/issues/4394
CVE-2019-1010090
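Review bot: the new `[buster] - tinymce <no-dsa> (Minor issue)` line sits directly above a `[jessie]` line that spells out why the issue is minor (requires manually copy/pasting JavaScript, not reproducible); reusing that reasoning in the buster rationale, or stating whether it also applies to the tinymce version in buster, would make the three tinymce no-dsa decisions in this patch consistent and self-explanatory.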
=====================================
data/dsa-needed.txt
=====================================
@@ -25,6 +25,8 @@ knot-resolver
linux (carnil)
Wait until more issues have piled up
--
+python-flask-cors
+--
rails (jmm)
Sylvain Beucler proposed to help for the update, remaining CVEs to be done
--
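Review bot: the new `python-flask-cors` entry in dsa-needed.txt has neither a claimant in parentheses nor a status line, whereas the neighbouring `linux (carnil)` and `rails (jmm)` entries carry both; adding an assignee (or leaving it explicitly unclaimed) and a one-line note on what the update is waiting for would keep the file's format uniform and tell the next reader what remains to be done.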
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bd4d8ac1a24333399042c48f94efd4fa038f05fc