[Git][security-tracker-team/security-tracker][master] NFUs

Moritz Muehlenhoff jmm at debian.org
Mon Apr 19 11:39:42 BST 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
cfe6cf50 by Moritz Muehlenhoff at 2021-04-19T12:39:21+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -254,7 +254,7 @@ CVE-2021-3502 [reachable assertion in avahi_s_host_name_resolver_start when tryi
 CVE-2021-3500
 	RESERVED
 CVE-2021-31402 (The dio package 4.0.0 for Dart allows CRLF injection if the attacker c ...)
-	TODO: check
+	NOT-FOR-US: dio package for Dart
 CVE-2021-31401
 	RESERVED
 CVE-2021-31400
@@ -2695,7 +2695,7 @@ CVE-2021-30247
 CVE-2021-30246 (In the jsrsasign package through 10.1.13 for Node.js, some invalid RSA ...)
 	NOT-FOR-US: Node jsrasign
 CVE-2021-30245 (The project received a report that all versions of Apache OpenOffice t ...)
-	TODO: check
+	NOT-FOR-US: Apache OpenOffice, equivalent to CVE-2021-25631
 CVE-2020-36316 (In RELIC before 2021-04-03, there is a buffer overflow in PKCS#1 v1.5  ...)
 	NOT-FOR-US: RELIC
 CVE-2020-36315 (In RELIC before 2020-08-01, RSA PKCS#1 v1.5 signature forgery can occu ...)
@@ -2773,7 +2773,7 @@ CVE-2021-30211
 CVE-2021-30210
 	RESERVED
 CVE-2021-30209 (Textpattern V4.8.4 contains an arbitrary file upload vulnerability whe ...)
-	TODO: check
+	NOT-FOR-US: Textpattern CMS
 CVE-2021-30208
 	RESERVED
 CVE-2021-30207
@@ -4490,7 +4490,7 @@ CVE-2021-29454
 CVE-2021-29453
 	RESERVED
 CVE-2021-29452 (a12n-server is an npm package which aims to provide a simple authentic ...)
-	TODO: check
+	NOT-FOR-US: Node a12n-server
 CVE-2021-29451 (Portofino is an open source web development framework. Portofino befor ...)
 	NOT-FOR-US: Portofino
 CVE-2021-29450 (Wordpress is an open source CMS. One of the blocks in the WordPress ed ...)
@@ -4506,13 +4506,13 @@ CVE-2021-29447 (Wordpress is an open source CMS. A user with the ability to uplo
 	NOTE: https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rv47-pc52-qrhh
 	NOTE: Only an issue when installation runs under PHP8.
 CVE-2021-29446 (jose-node-cjs-runtime is an npm package which provides a number of cry ...)
-	TODO: check
+	NOT-FOR-US: Node jose-node-cjs-runtime
 CVE-2021-29445 (jose-node-esm-runtime is an npm package which provides a number of cry ...)
-	TODO: check
+	NOT-FOR-US: Node jose-esm-runtime
 CVE-2021-29444 (jose-browser-runtime is an npm package which provides a number of cryp ...)
-	TODO: check
+	NOT-FOR-US: Node jose-browser-runtime
 CVE-2021-29443 (jose is an npm library providing a number of cryptographic operations. ...)
-	TODO: check
+	NOT-FOR-US: Node jose
 CVE-2021-29442
 	RESERVED
 CVE-2021-29441
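Review bot: the annotation for CVE-2021-29445 reads `NOT-FOR-US: Node jose-esm-runtime`, but the description names the package `jose-node-esm-runtime`; the sibling entries in this hunk (`NOT-FOR-US: Node jose-node-cjs-runtime`, `NOT-FOR-US: Node jose-browser-runtime`) use the full npm name, so this one should too, otherwise a search for the real package name will miss it.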
@@ -5940,9 +5940,9 @@ CVE-2021-28828
 CVE-2021-28827
 	RESERVED
 CVE-2021-28826 (The Windows Installation component of TIBCO Software Inc.'s TIBCO Mess ...)
-	TODO: check
+	NOT-FOR-US: TIBCO
 CVE-2021-28825 (The Windows Installation component of TIBCO Software Inc.'s TIBCO Mess ...)
-	TODO: check
+	NOT-FOR-US: TIBCO
 CVE-2021-28824 (The Windows Installation component of TIBCO Software Inc.'s TIBCO Acti ...)
 	NOT-FOR-US: TIBCO
 CVE-2021-28823 (The Windows Installation component of TIBCO Software Inc.'s TIBCO eFTL ...)
@@ -6696,7 +6696,7 @@ CVE-2021-28486
 CVE-2021-28485
 	RESERVED
 CVE-2021-28484 (An issue was discovered in the /api/connector endpoint handler in Yubi ...)
-	TODO: check
+	NOT-FOR-US: yubihsm-connector
 CVE-2021-3443 (A NULL pointer dereference flaw was found in the way Jasper versions b ...)
 	- jasper <removed>
 	NOTE: https://github.com/jasper-software/jasper/issues/269
@@ -9580,7 +9580,7 @@ CVE-2021-27249 (This vulnerability allows network-adjacent attackers to execute
 CVE-2021-27248 (This vulnerability allows network-adjacent attackers to execute arbitr ...)
 	NOT-FOR-US: D-Link
 CVE-2021-27247 (This vulnerability allows remote attackers to disclose sensitive infor ...)
-	TODO: check
+	NOT-FOR-US: WeChat
 CVE-2021-27246 (This vulnerability allows network-adjacent attackers to execute arbitr ...)
 	NOT-FOR-US: TP-Link
 CVE-2021-27245 (This vulnerability allows a firewall bypass on affected installations  ...)
@@ -10622,7 +10622,7 @@ CVE-2021-26813 (markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regula
 	[buster] - python-markdown2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/trentm/python-markdown2/pull/387
 CVE-2021-26812 (Cross Site Scripting (XSS) in the Jitsi Meet 2.7 through 2.8.3 plugin  ...)
-	TODO: check
+	NOT-FOR-US: Moodle plugin
 CVE-2021-26811
 	RESERVED
 CVE-2021-26810 (D-link DIR-816 A2 v1.10 is affected by a remote code injection vulnera ...)
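Review bot: `NOT-FOR-US: Moodle plugin` for CVE-2021-26812 drops the name the description actually uses (the Jitsi Meet plugin); recording it as something like `NOT-FOR-US: Jitsi Meet plugin for Moodle` keeps the entry findable by either name and makes clear that the affected component is the plugin rather than Jitsi Meet itself.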
@@ -10636,7 +10636,7 @@ CVE-2021-26807
 CVE-2021-26806
 	RESERVED
 CVE-2021-26805 (Buffer Overflow in tsMuxer 2.6.16 allows attackers to cause a Denial o ...)
-	TODO: check
+	NOT-FOR-US: tsMuxer
 CVE-2021-26804
 	RESERVED
 CVE-2021-26803
@@ -13681,6 +13681,8 @@ CVE-2021-25632
 	RESERVED
 CVE-2021-25631
 	RESERVED
+	- libreoffice <not-affected> (Libreoffice on Windows)
+	NOTE: https://positive.security/blog/url-open-rce#open-libreoffice
 CVE-2021-25630 ("loolforkit" is a privileged program that is supposed to be run by a s ...)
 	NOT-FOR-US: libreoffice online
 CVE-2021-25629
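Review bot: the `libreoffice <not-affected> (Libreoffice on Windows)` marking for CVE-2021-25631 is attached to an entry that still reads RESERVED with no description, so the NOTE URL is the only justification on record; the reason string would be clearer as something like `Windows-only issue` to state why the Debian package is unaffected, and the product name is usually spelled LibreOffice.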
@@ -14342,7 +14344,7 @@ CVE-2021-25318
 CVE-2021-25317
 	RESERVED
 CVE-2021-25316 (A Insecure Temporary File vulnerability in s390-tools of SUSE Linux En ...)
-	TODO: check
+	NOT-FOR-US: SuSE (different from src:s390-tools in Debian)
 CVE-2021-25315 (A Incorrect Implementation of Authentication Algorithm vulnerability i ...)
 	- salt <not-affected> (SuSE specific issue, cf #985085)
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1182382
@@ -18614,25 +18616,25 @@ CVE-2021-23383
 CVE-2021-23382
 	RESERVED
 CVE-2021-23381 (This affects all versions of package killing. If attacker-controlled u ...)
-	TODO: check
+	NOT-FOR-US: Node killing
 CVE-2021-23380 (This affects all versions of package roar-pidusage. If attacker-contro ...)
-	TODO: check
+	NOT-FOR-US: Node roar-pidusage
 CVE-2021-23379 (This affects all versions of package portkiller. If (attacker-controll ...)
-	TODO: check
+	NOT-FOR-US: Node portkiller
 CVE-2021-23378 (This affects all versions of package picotts. If attacker-controlled u ...)
-	TODO: check
+	NOT-FOR-US: Node picotts
 CVE-2021-23377 (This affects all versions of package onion-oled-js. If attacker-contro ...)
-	TODO: check
+	NOT-FOR-US: Node onion-oled-js
 CVE-2021-23376 (This affects all versions of package ffmpegdotjs. If attacker-controll ...)
-	TODO: check
+	NOT-FOR-US: Node ffmpegdotjs
 CVE-2021-23375 (This affects all versions of package psnode. If attacker-controlled us ...)
-	TODO: check
+	NOT-FOR-US: Node psnode
 CVE-2021-23374 (This affects all versions of package ps-visitor. If attacker-controlle ...)
-	TODO: check
+	NOT-FOR-US: Node ps-visitor
 CVE-2021-23373
 	RESERVED
 CVE-2021-23372 (All versions of package mongo-express are vulnerable to Denial of Serv ...)
-	TODO: check
+	NOT-FOR-US: mongo-express
 CVE-2021-23371 (This affects the package chrono-node before 2.2.4. It hangs on a date- ...)
 	NOT-FOR-US: Node chrono-node
 CVE-2021-23370 (This affects the package swiper before 6.5.1. ...)
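Review bot: `NOT-FOR-US: mongo-express` for CVE-2021-23372 is the only npm entry in this hunk without the `Node ` prefix that the other eight new annotations and the existing `NOT-FOR-US: Node chrono-node` context line use; suggest `NOT-FOR-US: Node mongo-express` for consistency.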
@@ -24106,7 +24108,7 @@ CVE-2021-21407
 CVE-2021-21406
 	RESERVED
 CVE-2021-21405 (Lotus is an Implementation of the Filecoin protocol written in Go. BLS ...)
-	TODO: check
+	NOT-FOR-US: Lotus
 CVE-2021-21404 (Syncthing is a continuous file synchronization program. In Syncthing b ...)
 	- syncthing <unfixed> (bug #986593)
 	[buster] - syncthing <no-dsa> (Minor issue)
@@ -36153,7 +36155,7 @@ CVE-2021-0490
 CVE-2021-0489
 	RESERVED
 CVE-2021-0488 (In pb_write of pb_encode.c, there is a possible out of bounds write du ...)
-	TODO: check
+	NOT-FOR-US: Android
 CVE-2021-0487
 	RESERVED
 CVE-2021-0486
@@ -36187,13 +36189,13 @@ CVE-2021-0473
 CVE-2021-0472
 	RESERVED
 CVE-2021-0471 (In decrypt_1_2 of CryptoPlugin.cpp, there is a possible out of bounds  ...)
-	TODO: check
+	NOT-FOR-US: Android media framework
 CVE-2021-0470
 	RESERVED
 CVE-2021-0469
 	RESERVED
 CVE-2021-0468 (In LK, there is a possible escalation of privilege due to an insecure  ...)
-	TODO: check
+	NOT-FOR-US: MediaTek components for Android
 CVE-2021-0467
 	RESERVED
 CVE-2021-0466



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cfe6cf505c5fed7db9768627edf54fb644392b07
