[Git][security-tracker-team/security-tracker][master] new node-browserslist issue

Moritz Muehlenhoff jmm at debian.org
Thu Apr 29 12:35:16 BST 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0a6f7a97 by Moritz Muehlenhoff at 2021-04-29T13:18:13+02:00
new node-browserslist issue
one more vbox issue
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -8,7 +8,7 @@ CVE-2021-31877
 CVE-2021-31876
 	RESERVED
 CVE-2021-31875 (In mjs_json.c in Cesanta MongooseOS mJS 1.26, a maliciously formed JSO ...)
-	TODO: check
+	NOT-FOR-US: Cesanta MongooseOS mJS
 CVE-2021-31874
 	RESERVED
 CVE-2021-31873
@@ -5370,7 +5370,7 @@ CVE-2021-29485
 CVE-2021-29484
 	RESERVED
 CVE-2021-29483 (ManageWiki is an extension to the MediaWiki project. The 'wikiconfig'  ...)
-	TODO: check
+	NOT-FOR-US: ManageWiki MediaWiki extension
 CVE-2021-29482 (xz is a compression and decompression library focusing on the xz forma ...)
 	- golang-github-ulikunitz-xz <unfixed>
 	NOTE: https://github.com/ulikunitz/xz/security/advisories/GHSA-25xm-hr59-7c27
@@ -15357,7 +15357,7 @@ CVE-2021-25315 (A Incorrect Implementation of Authentication Algorithm vulnerabi
 	- salt <not-affected> (SuSE specific issue, cf #985085)
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1182382
 CVE-2021-25314 (A Creation of Temporary File With Insecure Permissions vulnerability i ...)
-	TODO: check
+	NOT-FOR-US: hawk2 as packaged by SuSE
 CVE-2021-25313 (A Improper Neutralization of Input During Web Page Generation ('Cross- ...)
 	NOT-FOR-US: Rancher
 CVE-2021-3179
@@ -18117,7 +18117,7 @@ CVE-2021-24030 (The fbgames protocol handler registered as part of Facebook Game
 CVE-2021-24029 (A packet of death scenario is possible in mvfst via a specially crafte ...)
 	NOT-FOR-US: mvfst
 CVE-2021-24028 (An invalid free in Thrift's table-based serialization can cause the ap ...)
-	TODO: check
+	NOT-FOR-US: Facebook Thrift (Debian packages Apache Thrift)
 CVE-2021-24027 (A cache configuration issue prior to WhatsApp for Android v2.21.4.18 a ...)
 	NOT-FOR-US: WhatsApp
 CVE-2021-24026 (A missing bounds check within the audio decoding pipeline for WhatsApp ...)
@@ -19717,9 +19717,12 @@ CVE-2021-23367
 CVE-2021-23366
 	RESERVED
 CVE-2021-23365 (The package github.com/tyktechnologies/tyk-identity-broker before 1.1. ...)
-	TODO: check
+	NOT-FOR-US: tyk-identity-broker
 CVE-2021-23364 (The package browserslist from 4.0.0 and before 4.16.5 are vulnerable t ...)
-	TODO: check
+	- node-browserslist <unfixed>
+	NOTE: https://github.com/browserslist/browserslist/commit/c091916910dfe0b5fd61caad96083c6709b02d98
+	NOTE: https://snyk.io/vuln/SNYK-JS-BROWSERSLIST-1090194
+	NOTE: https://github.com/browserslist/browserslist/pull/593
 CVE-2021-23363 (This affects the package kill-by-port before 0.0.2. If (attacker-contr ...)
 	NOT-FOR-US: Node kill-by-port
 CVE-2021-23362 (The package hosted-git-info before 3.0.8 are vulnerable to Regular Exp ...)
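Review bot: the new `- node-browserslist <unfixed>` line carries no bug reference, unlike the other open package lines in this file (`- swagger-codegen <itp> (bug #950318)`, `- salt <not-affected> (SuSE specific issue, cf #985085)`); consider filing a Debian bug against node-browserslist and appending `(bug #NNN)` so the unfixed state is tracked, and consider recording in a NOTE that the referenced upstream commit/PR lands in 4.16.5, since the description line only says "from 4.0.0 and before 4.16.5" and the three NOTE URLs do not state the fixed version themselves.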
@@ -25128,7 +25131,7 @@ CVE-2021-21431 (sopel-channelmgnt is a channelmgnt plugin for sopel. In versions
 CVE-2021-21430
 	RESERVED
 CVE-2021-21429 (OpenAPI Generator allows generation of API client libraries, server st ...)
-	TODO: check
+	NOT-FOR-US: OpenAPI Generator
 CVE-2021-21428
 	RESERVED
 CVE-2021-21427 (Magento-lts is a long-term support alternative to Magento Community Ed ...)
@@ -25161,7 +25164,7 @@ CVE-2021-21416 (django-registration is a user registration package for Django. T
 CVE-2021-21415
 	RESERVED
 CVE-2021-21414 (Prisma is an open source ORM for Node.js & TypeScript. As of today ...)
-	TODO: check
+	NOT-FOR-US: Prisma
 CVE-2021-21413 (isolated-vm is a library for nodejs which gives you access to v8's Iso ...)
 	NOT-FOR-US: Node isolated-vm
 CVE-2021-21412 (Potential for arbitrary code execution in npm package @thi.ng/egf `#gp ...)
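Review bot: style point on the `NOT-FOR-US: Prisma` line: the neighbouring npm entries in this hunk qualify the ecosystem (`NOT-FOR-US: Node isolated-vm`, and `NOT-FOR-US: Node kill-by-port` earlier in the diff), and the description identifies Prisma as an ORM for Node.js, so `NOT-FOR-US: Node Prisma` would keep the tag consistent and greppable alongside the other Node entries.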
@@ -25287,7 +25290,7 @@ CVE-2021-21366 (xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2
 	NOTE: https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv
 	NOTE: https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135
 CVE-2021-21365 (Bootstrap Package is a theme for TYPO3. It has been discovered that re ...)
-	TODO: check
+	NOT-FOR-US: Typo3 theme
 CVE-2021-21364 (swagger-codegen is an open-source project which contains a template-dr ...)
 	- swagger-codegen <itp> (bug #950318)
 CVE-2021-21363 (swagger-codegen is an open-source project which contains a template-dr ...)
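Review bot: the `NOT-FOR-US: Typo3 theme` line names neither the affected package nor the project's own spelling; the description on the line above identifies it as "Bootstrap Package is a theme for TYPO3", so `NOT-FOR-US: Bootstrap Package (TYPO3 theme)` would make the entry searchable by product name and match the upstream capitalisation.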
@@ -27120,11 +27123,11 @@ CVE-2021-20718
 CVE-2021-20717
 	RESERVED
 CVE-2021-20716 (Hidden functionality in multiple Buffalo network devices (BHR-4RV firm ...)
-	TODO: check
+	NOT-FOR-US: Buffalo
 CVE-2021-20715 (Improper access control vulnerability in Hot Pepper Gourmet App for An ...)
 	NOT-FOR-US: Hot Pepper Gourmet App
 CVE-2021-20714 (Directory traversal vulnerability in WP Fastest Cache versions prior t ...)
-	TODO: check
+	NOT-FOR-US: WP fastest cache
 CVE-2021-20713
 	RESERVED
 CVE-2021-20712 (Improper access control vulnerability in NEC Aterm WG2600HS firmware V ...)
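Review bot: the `NOT-FOR-US: WP fastest cache` line casts the product name differently from the description directly above it ("WP Fastest Cache"); use the same casing so the tag matches a search for the plugin name. In the same hunk, `NOT-FOR-US: Buffalo` is terser than the other vendor tags in this commit (compare `NOT-FOR-US: Hot Pepper Gourmet App` on the next entry); `NOT-FOR-US: Buffalo network devices` would mirror the description's wording.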
@@ -30399,7 +30402,7 @@ CVE-2021-2323
 CVE-2021-2322
 	RESERVED
 CVE-2021-2321 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...)
-	TODO: check
+	- virtualbox 6.1.20-dfsg-1
 CVE-2021-2320 (Vulnerability in the Oracle Cloud Infrastructure Storage Gateway produ ...)
 	NOT-FOR-US: Oracle
 CVE-2021-2319 (Vulnerability in the Oracle Cloud Infrastructure Storage Gateway produ ...)
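Review bot: the `- virtualbox 6.1.20-dfsg-1` line records a fixed Debian version but no NOTE pointing at the upstream advisory, whereas the other package lines in this commit (node-browserslist, golang-github-ulikunitz-xz) cite their fix commit or advisory; add a NOTE with the Oracle advisory URL for CVE-2021-2321 so the fixed-version claim can be verified against the upstream release.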



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a6f7a976743f8bb68b53434613129638721eb93




