[Git][security-tracker-team/security-tracker][master] new glances issue

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Aug 2 08:44:26 BST 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
fa2402d7 by Moritz Muehlenhoff at 2021-08-02T09:43:33+02:00
new glances issue
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -321,7 +321,7 @@ CVE-2021-37607
 CVE-2021-3669
 	RESERVED
 CVE-2021-37606 (Meow hash 0.5/calico does not sufficiently thwart key recovery by an a ...)
-	TODO: check
+	NOT-FOR-US: Meow hash
 CVE-2021-37605
 	RESERVED
 CVE-2021-37604
@@ -11225,7 +11225,7 @@ CVE-2021-32809
 CVE-2021-32808
 	RESERVED
 CVE-2021-32807 (The module `AccessControl` defines security policies for Python code u ...)
-	TODO: check
+	NOT-FOR-US: Zope AccessControl
 CVE-2021-32806
 	RESERVED
 CVE-2021-32805
@@ -34276,15 +34276,21 @@ CVE-2021-23420
 CVE-2021-23419
 	RESERVED
 CVE-2021-23418 (The package glances before 3.2.1 are vulnerable to XML External Entity ...)
-	TODO: check
+	- glances <unfixed>
+	[bullseye] - glances <no-dsa> (Minor issue)
+	[buster] - glances <no-dsa> (Minor issue)
+	NOTE: https://github.com/nicolargo/glances/issues/1025
+	NOTE: https://github.com/nicolargo/glances/commit/4b87e979afdc06d98ed1b48da31e69eaa3a9fb94
+	NOTE: https://github.com/nicolargo/glances/commit/85d5a6b4af31fcf785d5a61086cbbd166b40b07a
+	NOTE: https://github.com/nicolargo/glances/commit/9d6051be4a42f692392049fdbfc85d5dfa458b32
 CVE-2021-23417 (All versions of package deepmergefn are vulnerable to Prototype Pollut ...)
-	TODO: check
+	NOT-FOR-US: Node deepmergefn
 CVE-2021-23416 (This affects all versions of package curly-bracket-parser. When used a ...)
-	TODO: check
+	NOT-FOR-US: curly-bracket-parser
 CVE-2021-23415 (This affects the package elFinder.AspNet before 1.1.1. The user-contro ...)
 	NOT-FOR-US: elFinder.AspNet
 CVE-2021-23414 (This affects the package video.js before 7.14.3. The src attribute of  ...)
-	TODO: check
+	NOT-FOR-US: video.js
 CVE-2021-23413 (This affects the package jszip before 3.7.0. Crafting a new zip file w ...)
 	- node-jszip 3.5.0+dfsg-2
 	[buster] - node-jszip <no-dsa> (Minor issue)
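Review bot: the new `- glances <unfixed>` line carries no Debian bug reference, and the bullseye/buster `<no-dsa>` lines give only "Minor issue" as the rationale for an XXE. Since the description says the flaw is fixed upstream in 3.2.1 and three upstream commits are already listed as NOTEs, consider filing a bug against glances in unstable and recording it in the usual `- glances <unfixed> (bug #...)` form, and extending the no-dsa justification to say which glances component the XXE reaches, so a later triager can check the referenced commits against the packaged version without re-deriving the reasoning. Separately, the NOT-FOR-US prefix is inconsistent within this hunk: `NOT-FOR-US: Node deepmergefn` carries the ecosystem prefix while `NOT-FOR-US: curly-bracket-parser` and `NOT-FOR-US: video.js` do not.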
@@ -57105,7 +57111,7 @@ CVE-2020-26808 (SAP AS ABAP(DMIS), versions - 2011_1_620, 2011_1_640, 2011_1_700
 CVE-2020-26807 (SAP ERP Client for E-Bilanz, version - 1.0, installation sets Incorrec ...)
 	NOT-FOR-US: SAP
 CVE-2020-26806 (admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted F ...)
-	TODO: check
+	NOT-FOR-US: ObjectPlanet Opinio
 CVE-2020-26805 (In Sentrifugo 3.2, admin can edit employee's informations via this end ...)
 	NOT-FOR-US: Sentrifugo
 CVE-2020-26804 (In Sentrifugo 3.2, users can share an announcement under "Organization ...)
@@ -57661,9 +57667,9 @@ CVE-2020-26566 (A Denial of Service condition in Motion-Project Motion 3.2 throu
 	NOTE: https://github.com/Motion-Project/motion/issues/1227#issuecomment-715927776
 	NOTE: https://github.com/Motion-Project/motion/pull/1232
 CVE-2020-26565 (ObjectPlanet Opinio before 7.14 allows Expression Language Injection v ...)
-	TODO: check
+	NOT-FOR-US: ObjectPlanet Opinio
 CVE-2020-26564 (ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: mo ...)
-	TODO: check
+	NOT-FOR-US: ObjectPlanet Opinio
 CVE-2020-26563 (ObjectPlanet Opinio before 7.14 allows reflected XSS via the survey/ad ...)
 	NOT-FOR-US: ObjectPlanet Opinio
 CVE-2020-26562
@@ -71687,8 +71693,7 @@ CVE-2020-20180
 CVE-2020-20179
 	RESERVED
 CVE-2020-20178 (Ethereum 0xe933c0cd9784414d5f278c114904f5a84b396919#code.sol latest ve ...)
-	NOTE: Will be rectified by MITRE, then remove TODO
-	TODO: wait for cleanup, CVE is wrongly associated
+	NOT-FOR-US: Ethereum
 CVE-2020-20177
 	RESERVED
 CVE-2020-20176
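Review bot: dropping the NOTE line together with the TODO loses the recorded reason this CVE was parked, namely that it was wrongly associated and MITRE was expected to rectify it; the replacement `NOT-FOR-US: Ethereum` does not say whether that rectification happened or whether the entry was simply reclassified. Suggest keeping a NOTE next to the new status, for example `NOTE: CVE was wrongly associated, MITRE rectification pending` (wording assumed), so the history stays visible in the list.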
@@ -75761,7 +75766,7 @@ CVE-2020-18174 (A process injection vulnerability in setup.exe of AutoHotkey 1.1
 CVE-2020-18173 (A DLL injection vulnerability in 1password.dll of 1Password 7.3.712 al ...)
 	NOT-FOR-US: 1Password
 CVE-2020-18172 (A code injection vulnerability in the SeDebugPrivilege component of Tr ...)
-	TODO: check
+	NOT-FOR-US: Trezor Bridge
 CVE-2020-18171 (TechSmith Snagit 19.1.0.2653 uses Object Linking and Embedding (OLE) w ...)
 	NOT-FOR-US: TechSmith Snagit
 CVE-2020-18170 (An issue in the SeChangeNotifyPrivilege component of Abloy Key Manager ...)
@@ -81508,7 +81513,7 @@ CVE-2020-15661 (A rogue webpage could override the injected WKUserScript used by
 	- firefox <not-affected> (Specific to Firefox for iOS)
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-34/#CVE-2020-15661
 CVE-2020-15660 (Missing checks on Content-Type headers in geckodriver before 0.27.0 co ...)
-	TODO: check
+	NOT-FOR-US: geckodriver
 CVE-2020-15659 (Mozilla developers and community members reported memory safety bugs p ...)
 	{DSA-4740-1 DSA-4736-1 DLA-2310-1 DLA-2297-1}
 	- firefox 79.0-1
@@ -83210,7 +83215,7 @@ CVE-2020-15001 (An information leak was discovered on Yubico YubiKey 5 NFC devic
 CVE-2020-15000 (A PIN management problem was discovered on Yubico YubiKey 5 devices 5. ...)
 	NOT-FOR-US: Yubico YubiKey 5 devices
 CVE-2020-14999 (A logic bug in system monitoring driver of Acronis Agent after 12.5.21 ...)
-	TODO: check
+	NOT-FOR-US: Acronis
 CVE-2020-14998
 	RESERVED
 CVE-2020-14997
@@ -96834,7 +96839,7 @@ CVE-2020-10592 (Tor before 0.3.5.10, 0.4.x before 0.4.1.9, and 0.4.2.x before 0.
 CVE-2020-10591 (An issue was discovered in Walmart Labs Concord before 1.44.0. CORS Ac ...)
 	NOT-FOR-US: Walmart Labs Concord
 CVE-2020-10590 (Replicated Classic 2.x versions have an improperly secured API that ex ...)
-	TODO: check
+	NOT-FOR-US: Replicated Classic
 CVE-2020-10589 (v2rayL 2.1.3 allows local users to achieve root access because /etc/v2 ...)
 	NOT-FOR-US: v2rayL
 CVE-2020-10588 (v2rayL 2.1.3 allows local users to achieve root access because /etc/v2 ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa2402d7db3be7abb0bd4427a8c635d82e516ca7


