[Git][security-tracker-team/security-tracker][master] new ffmpeg issue

Moritz Muehlenhoff jmm at debian.org
Fri Apr 9 08:25:15 BST 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f182512a by Moritz Muehlenhoff at 2021-04-09T09:24:53+02:00
new ffmpeg issue
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -39,9 +39,9 @@ CVE-2021-30465
 CVE-2021-30464
 	RESERVED
 CVE-2021-30463 (VestaCP through 0.9.8-24 allows attackers to gain privileges by creati ...)
-	TODO: check
+	NOT-FOR-US: VestaCP
 CVE-2021-30462 (VestaCP through 0.9.8-24 allows the admin user to escalate privileges  ...)
-	TODO: check
+	NOT-FOR-US: VestaCP
 CVE-2021-30461
 	RESERVED
 CVE-2021-30460
@@ -793,7 +793,11 @@ CVE-2021-30125 (Jamf Pro before 10.28.0 allows XSS related to inventory history,
 CVE-2021-30124
 	RESERVED
 CVE-2021-30123 (FFmpeg <=4.3 contains a buffer overflow vulnerability in libavcodec ...)
-	TODO: check
+	- ffmpeg <unfixed>
+	NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d6f293353c94c7ce200f6e0975ae3de49787f91f
+	NOTE: https://trac.ffmpeg.org/ticket/8845
+	NOTE: https://trac.ffmpeg.org/ticket/8863
+	NOTE: CVE description is wrong, this landed in 4.4 only
 CVE-2021-30122
 	RESERVED
 CVE-2021-30121
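Review bot: the new `- ffmpeg <unfixed>` line and the last NOTE contradict each other: a bare `<unfixed>` entry marks every suite as affected, while the NOTE says the code "landed in 4.4 only". If that is right, each suite shipping an ffmpeg older than 4.4 should get an explicit per-suite annotation in the form this file already uses for CVE-2021-28039 (`[buster] - linux <not-affected> (Vulnerable code introduced later)`), otherwise the stable entries read as open issues. It would also help to say which of the three NOTE URLs is the fix commit and which is the change that introduced the bug, since "landed in 4.4" is ambiguous between the two, and the upstream commit hash alone does not show the reader that the description's "<=4.3" is wrong.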
@@ -811,13 +815,13 @@ CVE-2021-30116
 CVE-2021-30115
 	RESERVED
 CVE-2021-30114 (Web-School ERP V 5.0 contains a cross-site request forgery (CSRF) vuln ...)
-	TODO: check
+	NOT-FOR-US: Web-School ERP
 CVE-2021-30113 (A blind XSS vulnerability exists in Web-School ERP V 5.0 via (Add Even ...)
-	TODO: check
+	NOT-FOR-US: Web-School ERP
 CVE-2021-30112 (Web-School ERP V 5.0 contains a cross-site request forgery (CSRF) vuln ...)
-	TODO: check
+	NOT-FOR-US: Web-School ERP
 CVE-2021-30111 (A stored XSS vulnerability exists in Web-School ERP V 5.0 via (Add Eve ...)
-	TODO: check
+	NOT-FOR-US: Web-School ERP
 CVE-2021-30110
 	RESERVED
 CVE-2021-30109 (Froala Editor 3.2.6 is affected by Cross Site Scripting (XSS). Under c ...)
@@ -1858,7 +1862,7 @@ CVE-2021-29643
 CVE-2021-29642 (GistPad before 0.2.7 allows a crafted workspace folder to change the U ...)
 	NOT-FOR-US: GistPad
 CVE-2021-29641 (Directus 8 before 8.8.2 allows remote authenticated users to execute a ...)
-	TODO: check
+	NOT-FOR-US: Directus
 CVE-2021-29640
 	RESERVED
 CVE-2021-29639
@@ -1886,9 +1890,9 @@ CVE-2021-29629
 CVE-2021-29628
 	RESERVED
 CVE-2021-29627 (In FreeBSD 13.0-STABLE before n245050, 12.2-STABLE before r369525, 13. ...)
-	TODO: check
+	NOT-FOR-US: FreeBSD
 CVE-2021-29626 (In FreeBSD 13.0-STABLE before n245117, 12.2-STABLE before r369551, 11. ...)
-	TODO: check
+	- kfreebsd-10 <unfixed> (unimportant)
 CVE-2021-29625
 	RESERVED
 CVE-2021-29624
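Review bot: the two adjacent FreeBSD CVEs are triaged inconsistently: CVE-2021-29627 becomes `NOT-FOR-US: FreeBSD` while CVE-2021-29626 is mapped to `kfreebsd-10 <unfixed> (unimportant)`. If the component affected by CVE-2021-29627 is simply absent from the kfreebsd-10 source package, a one-line NOTE saying so would stop the next triager from reopening the question; if it is present, the entry should be tracked the same way as CVE-2021-29626. The `(unimportant)` tag on the kfreebsd-10 line also has no NOTE giving the rationale, which the other severity annotations in this file normally carry.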
@@ -3442,9 +3446,9 @@ CVE-2021-28927 (The text-to-speech engine in libretro RetroArch for Windows 0.11
 CVE-2021-28926
 	RESERVED
 CVE-2021-28925 (SQL injection vulnerability in Nagios Network Analyzer before 2.4.3 vi ...)
-	TODO: check
+	NOT-FOR-US: Nagios Network Analyzer
 CVE-2021-28924 (Self Authenticated XSS in Nagios Network Analyzer before 2.4.2 via the ...)
-	TODO: check
+	NOT-FOR-US: Nagios Network Analyzer
 CVE-2021-28923
 	RESERVED
 CVE-2021-28922
@@ -3933,9 +3937,9 @@ CVE-2021-28688 (The fix for XSA-365 includes initialization of pointers such tha
 	NOTE: https://xenbits.xen.org/xsa/advisory-371.html
 	NOTE: https://git.kernel.org/linus/a846738f8c3788d846ed1f587270d2f2e3d32432
 CVE-2021-28686 (AsIO2_64.sys and AsIO2_32.sys in ASUS GPUTweak II before 2.3.0.3 allow ...)
-	TODO: check
+	NOT-FOR-US: ASUS
 CVE-2021-28685 (AsIO2_64.sys and AsIO2_32.sys in ASUS GPUTweak II before 2.3.0.3 allow ...)
-	TODO: check
+	NOT-FOR-US: ASUS
 CVE-2021-28684
 	RESERVED
 CVE-2021-28683
@@ -5063,7 +5067,7 @@ CVE-2021-28176 (The DNS configuration function in ASUS BMC’s firmware Web
 CVE-2021-28175 (The Radius configuration function in ASUS BMC’s firmware Web man ...)
 	NOT-FOR-US: ASUS
 CVE-2021-28174 (Mitake smart stock selection system contains a broken authentication v ...)
-	TODO: check
+	NOT-FOR-US: Mitake smart stock selection system
 CVE-2021-28173 (The file upload function of Vangene deltaFlow E-platform does not perf ...)
 	NOT-FOR-US: Vangene deltaFlow E-platform
 CVE-2021-28172 (There is a Path Traversal vulnerability in the file download function  ...)
@@ -5687,7 +5691,7 @@ CVE-2021-27947 (SQL Injection vulnerability in MyBB before 1.8.26 via the Copy F
 CVE-2021-27946 (SQL Injection vulnerability in MyBB before 1.8.26 via poll vote count. ...)
 	NOT-FOR-US: MyBB
 CVE-2021-27945 (The Squirro Insights Engine was affected by a Reflected Cross-Site Scr ...)
-	TODO: check
+	NOT-FOR-US: Squirro Insights Engine
 CVE-2021-28039 (An issue was discovered in the Linux kernel 5.9.x through 5.11.3, as u ...)
 	- linux 5.10.24-1 (unimportant)
 	[buster] - linux <not-affected> (Vulnerable code introduced later)
@@ -6650,7 +6654,7 @@ CVE-2021-27524
 CVE-2021-27523
 	RESERVED
 CVE-2021-27522 (Learnsite 1.2.5.0 contains a remote privilege escalation vulnerability ...)
-	TODO: check
+	NOT-FOR-US: Learnsite
 CVE-2021-27521
 	RESERVED
 CVE-2021-27520 (A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote att ...)
@@ -8419,7 +8423,7 @@ CVE-2021-26760
 CVE-2021-26759
 	RESERVED
 CVE-2021-26758 (Privilege Escalation in LiteSpeed Technologies OpenLiteSpeed web serve ...)
-	TODO: check
+	NOT-FOR-US: LiteSpeed Technologies OpenLiteSpeed
 CVE-2021-26757
 	RESERVED
 CVE-2021-26756
@@ -9575,7 +9579,7 @@ CVE-2021-3330
 CVE-2021-3329
 	RESERVED
 CVE-2021-3328 (An issue was discovered in Aprelium Abyss Web Server X1 2.12.1 and 2.1 ...)
-	TODO: check
+	NOT-FOR-US: Aprelium Abyss Web Server
 CVE-2021-3327 (Ovation Dynamic Content 1.10.1 for Elementor allows XSS via the post_t ...)
 	NOT-FOR-US: Ovation Dynamic Content
 CVE-2021-26294 (An issue was discovered in AfterLogic Aurora through 7.7.9 and WebMail ...)
@@ -18226,7 +18230,7 @@ CVE-2021-22509
 CVE-2021-22508
 	RESERVED
 CVE-2021-22507 (Authentication bypass vulnerability in Micro Focus Operations Bridge M ...)
-	TODO: check
+	NOT-FOR-US: Micro Focus
 CVE-2021-22506 (Advance configuration exposing Information Leakage vulnerability in Mi ...)
 	NOT-FOR-US: Micro Focus
 CVE-2021-22505
@@ -18617,7 +18621,7 @@ CVE-2021-22314 (There is a local privilege escalation vulnerability in some vers
 CVE-2021-22313
 	RESERVED
 CVE-2021-22312 (There is a memory leak vulnerability in some Huawei products. An authe ...)
-	TODO: check
+	NOT-FOR-US: Huawei
 CVE-2021-22311 (There is an improper permission assignment vulnerability in Huawei Man ...)
 	NOT-FOR-US: Huawei
 CVE-2021-22310 (There is an information leakage vulnerability in some huawei products. ...)
@@ -19345,7 +19349,7 @@ CVE-2021-3014 (In MikroTik RouterOS through 2021-01-04, the hotspot login page i
 CVE-2021-3013
 	RESERVED
 CVE-2021-3012 (A cross-site scripting (XSS) vulnerability in the Document Link of doc ...)
-	TODO: check
+	NOT-FOR-US: ESRI ArcGIS Online
 CVE-2021-3011 (An electromagnetic-wave side-channel issue was discovered on NXP Smart ...)
 	NOT-FOR-US: NXP
 CVE-2021-3010 (There are multiple persistent cross-site scripting (XSS) vulnerabiliti ...)
@@ -21714,7 +21718,7 @@ CVE-2021-21427
 CVE-2021-21426
 	RESERVED
 CVE-2021-21425 (Grav Admin Plugin is an HTML user interface that provides a way to con ...)
-	TODO: check
+	NOT-FOR-US: Grav Admin Plugin
 CVE-2021-21424
 	RESERVED
 CVE-2021-21423 (`projen` is a project generation tool that synthesizes project configu ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f182512a4136ea31630c4c4ef91420a06a8cac55
