[Git][security-tracker-team/security-tracker][master] various bugs filed

Moritz Muehlenhoff jmm at debian.org
Mon Apr 12 10:53:46 BST 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c687d49c by Moritz Mühlenhoff at 2021-04-12T11:53:19+02:00
various bugs filed
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -674,7 +674,7 @@ CVE-2021-30186
 CVE-2021-30185 (CERN Indico before 2.3.4 can use an attacker-supplied Host header in a ...)
 	NOT-FOR-US: CERN Indico
 CVE-2021-30184 (GNU Chess 6.2.7 allows attackers to execute arbitrary code via crafted ...)
-	- gnuchess <unfixed>
+	- gnuchess <unfixed> (bug #986801)
 	NOTE: https://lists.gnu.org/archive/html/bug-gnu-chess/2021-04/msg00000.html
 	NOTE: https://lists.gnu.org/archive/html/bug-gnu-chess/2021-04/msg00001.html
 CVE-2021-30183
@@ -727,11 +727,9 @@ CVE-2021-30166
 CVE-2021-30165
 	RESERVED
 CVE-2021-30164 (Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass ...)
-	- redmine <unfixed>
-	TODO: check fixing commit, fixed in 4.0.8
+	- redmine <unfixed> (bug #986800)
 CVE-2021-30163 (Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discov ...)
-	- redmine <unfixed>
-	TODO: check fixing commit, fixed in 4.0.8
+	- redmine <unfixed> (bug #986800)
 CVE-2021-30162 (An issue was discovered on LG mobile devices with Android OS 4.4 throu ...)
 	NOT-FOR-US: LG mobile devices
 CVE-2021-30161 (An issue was discovered on LG mobile devices with Android OS 11 softwa ...)
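Review bot: for CVE-2021-30164 and CVE-2021-30163 the removed `TODO: check fixing commit, fixed in 4.0.8` lines are replaced only by `(bug #986800)`, so the upstream fix version and the still-open question about the fixing commit are no longer recorded in the tracker entry itself; consider keeping a `NOTE:` line with the upstream reference (the 4.0.8 fix) next to the bug reference, as other entries in this file do with `NOTE:` URLs, so the information survives independently of the bug report.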
@@ -771,16 +769,12 @@ CVE-2020-36309 (ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in Ope
 	NOTE: https://github.com/openresty/lua-nginx-module/pull/1654
 CVE-2020-36308 (Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers to discov ...)
 	- redmine 4.0.7-1
-	TODO: check fixing commit, fixed in 4.0.7
 CVE-2020-36307 (Redmine before 4.0.7 and 4.1.x before 4.1.1 has stored XSS via textile ...)
 	- redmine 4.0.7-1
-	TODO: check fixing commit, fixed in 4.0.7
 CVE-2020-36306 (Redmine before 4.0.7 and 4.1.x before 4.1.1 has XSS via the back_url f ...)
 	- redmine 4.0.7-1
-	TODO: check fixing commit, fixed in 4.0.7
 CVE-2019-25026 (Redmine before 3.4.13 and 4.x before 4.0.6 mishandles markup data duri ...)
 	- redmine 4.0.6-1
-	TODO: check fixing commit, fixed in 4.0.6
 CVE-2021-30160
 	RESERVED
 CVE-2021-30159 (An issue was discovered in MediaWiki before 1.31.12 and 1.32.x through ...)
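Review bot: the four `TODO: check fixing commit, fixed in 4.0.7` / `4.0.6` lines are dropped while the entries keep `- redmine 4.0.7-1` and `- redmine 4.0.6-1` as the fixed versions, which is consistent, but nothing in the hunk records whether the fixing commits were actually verified; if they were, a short `NOTE:` with the upstream reference would preserve that result, and if not, the TODO should stay so the pending check is not silently lost.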
@@ -1259,7 +1253,7 @@ CVE-2021-3482 (A flaw was found in Exiv2 in versions before and including 0.27.4
 	NOTE: https://github.com/Exiv2/exiv2/issues/1522
 CVE-2021-3481 [Out of bounds read in function QRadialFetchSimd from crafted svg file]
 	RESERVED
-	- qtsvg-opensource-src <unfixed>
+	- qtsvg-opensource-src <unfixed> (bug #986798)
 	[buster] - qtsvg-opensource-src <no-dsa> (Minor issue)
 	- qt4-x11 <removed>
 	[buster] - qt4-x11 <no-dsa> (Minor issue)
@@ -4155,7 +4149,7 @@ CVE-2021-3447 (A flaw was found in several ansible modules, where parameters con
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939349
 	NOTE: check, details on upstream status not yet clear
 CVE-2021-3446 (A flaw was found in libtpms in versions before 0.8.2. The commonly use ...)
-	- libtpms <unfixed>
+	- libtpms <unfixed> (bug #986799)
 	NOTE: https://github.com/stefanberger/libtpms/commit/32c159ab53db703749a8f90430cdc7b20b00975e
 CVE-2021-28650 (autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOM ...)
 	[experimental] - gnome-autoar 0.3.1-1
@@ -4181,7 +4175,7 @@ CVE-2017-20002 (The Debian shadow package before 1:4.5-1 for Shadow incorrectly
 	NOTE: Introduced in attempt to address #830255 in 1:4.4-2
 CVE-2021-3445
 	RESERVED
-	- libdnf <unfixed>
+	- libdnf <unfixed> (bug #986802)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1932079
 CVE-2021-28644
 	RESERVED
@@ -21806,11 +21800,11 @@ CVE-2020-35628 (A code execution vulnerability exists in the Nef polygon-parsing
 	- cgal 5.2-3 (bug #985671)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225
 CVE-2021-21433 (Discord Recon Server is a bot that allows you to do your reconnaissanc ...)
-	TODO: check
+	NOT-FOR-US: Discord Recon Server
 CVE-2021-21432 (Vela is a Pipeline Automation (CI/CD) framework built on Linux contain ...)
-	TODO: check
+	NOT-FOR-US: Vela
 CVE-2021-21431 (sopel-channelmgnt is a channelmgnt plugin for sopel. In versions prior ...)
-	TODO: check
+	NOT-FOR-US: sopel-channelmgnt
 CVE-2021-21430
 	RESERVED
 CVE-2021-21429
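Review bot: the new `NOT-FOR-US: sopel-channelmgnt` label for CVE-2021-21431 names only the plugin, while the description identifies it as a plugin for sopel; spelling that out (for example `NOT-FOR-US: sopel-channelmgnt (plugin for sopel)`) would keep the entry from being misread as covering sopel itself when the list is searched by name.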
@@ -21847,7 +21841,7 @@ CVE-2021-21415
 CVE-2021-21414
 	RESERVED
 CVE-2021-21413 (isolated-vm is a library for nodejs which gives you access to v8's Iso ...)
-	TODO: check
+	NOT-FOR-US: Node isolated-vm
 CVE-2021-21412 (Potential for arbitrary code execution in npm package @thi.ng/egf `#gp ...)
 	NOT-FOR-US: Node @thi.ng/egf
 CVE-2021-21411 (OAuth2-Proxy is an open source reverse proxy that provides authenticat ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c687d49c54143317a3d04da680a7ec6bef86924e


