[Git][security-tracker-team/security-tracker][master] new redmine, node-tar, edk2 issues

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Aug 11 10:19:26 BST 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e8ebb8cf by Moritz Mühlenhoff at 2021-08-11T11:19:04+02:00
new redmine, node-tar, edk2 issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -67,7 +67,7 @@ CVE-2021-38514 (Certain NETGEAR devices are affected by authentication bypass. T
 CVE-2021-38513 (Certain NETGEAR devices are affected by authentication bypass. This af ...)
 	NOT-FOR-US: Netgear
 CVE-2021-38512 (An issue was discovered in the actix-http crate before 3.0.0-beta.9 fo ...)
-	TODO: check
+	NOT-FOR-US: Rust crate actix-http
 CVE-2021-38510
 	RESERVED
 CVE-2021-38509
@@ -321,9 +321,9 @@ CVE-2021-38386 (In Contiki 3.0, a buffer overflow in the Telnet service allows r
 CVE-2021-38385
 	RESERVED
 CVE-2021-38384 (Serverless Offline 8.0.0 returns a 403 HTTP status code for a route th ...)
-	TODO: check
+	NOT-FOR-US: Serverless Offline
 CVE-2021-38383 (OwnTone (aka owntone-server) through 28.1 has a use-after-free in net_ ...)
-	TODO: check
+	NOT-FOR-US: OwnTone
 CVE-2021-38382 (Live555 through 1.08 does not handle Matroska and Ogg files properly.  ...)
 	- liblivemedia <removed>
 	NOTE: http://lists.live555.com/pipermail/live-devel/2021-August/021959.html
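Review bot: the OwnTone line for CVE-2021-38383 is settled as NOT-FOR-US on the upstream name alone, but the description itself records a second name ("aka owntone-server"), so the archive should be checked under both names before this entry is closed. The Serverless Offline line above it raises no such question.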
@@ -3086,7 +3086,8 @@ CVE-2021-37158
 CVE-2021-37157
 	RESERVED
 CVE-2021-37156 (Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon  ...)
-	TODO: check
+	- redmine <unfixed>
+	NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
 CVE-2021-37155 (wolfSSL 4.6.x through 4.7.x before 4.8.0 does not produce a failure ou ...)
 	- wolfssl <unfixed> (bug #991443)
 	[bullseye] - wolfssl <no-dsa> (Minor issue)
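Review bot: the new `- redmine <unfixed>` line for CVE-2021-37156 carries neither a bug reference nor a per-release annotation, unlike the wolfssl entry directly below it (`- wolfssl <unfixed> (bug #991443)` and `[bullseye] - wolfssl <no-dsa> (Minor issue)`). The description limits the issue to Redmine 4.2.0 and 4.2.1, so the entry should state whether the versions shipped in the stable releases fall in that range, via `<not-affected>` or a `[bullseye]`/`[buster]` line as appropriate, and add the Debian bug number once filed.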
@@ -11029,9 +11030,9 @@ CVE-2021-33705
 CVE-2021-33704
 	RESERVED
 CVE-2021-33703 (Under certain conditions, NetWeaver Enterprise Portal, versions - 7.30 ...)
-	TODO: check
+	NOT-FOR-US: NetWeaver
 CVE-2021-33702 (Under certain conditions, NetWeaver Enterprise Portal, versions - 7.10 ...)
-	TODO: check
+	NOT-FOR-US: NetWeaver
 CVE-2021-33701
 	RESERVED
 CVE-2021-33700
@@ -13105,9 +13106,13 @@ CVE-2021-32806 (Products.isurlinportal is a replacement for isURLInPortal method
 CVE-2021-32805
 	RESERVED
 CVE-2021-32804 (The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4 ...)
-	TODO: check
+	- node-tar <unfixed>
+	NOTE: https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9
+	NOTE: https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4
 CVE-2021-32803 (The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4 ...)
-	TODO: check
+	- node-tar <unfixed>
+	NOTE: https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw
+	NOTE: https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20
 CVE-2021-32802
 	RESERVED
 CVE-2021-32801
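Review bot: both node-tar entries (CVE-2021-32804 and CVE-2021-32803) are recorded as `<unfixed>` with advisory and commit links but no bug reference, although the descriptions already name the fixed upstream versions (before 6.1.1/5.0.6 and before 6.1.2/5.0.7 respectively); a `(bug #...)` reference as used for wolfssl in an earlier hunk, plus `[bullseye]`/`[buster]` lines saying whether the shipped version is affected, would complete them. Since the two advisories sit side by side and differ only in the fixed versions, it is also worth double-checking that each commit URL is paired with the right CVE.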
@@ -13204,7 +13209,7 @@ CVE-2021-32770 (Gatsby is a framework for building websites. The gatsby-source-w
 CVE-2021-32769 (Micronaut is a JVM-based, full stack Java framework designed for build ...)
 	NOT-FOR-US: Micronaut
 CVE-2021-32768 (TYPO3 is an open source PHP based web content management system releas ...)
-	TODO: check
+	NOT-FOR-US: Typo 3
 CVE-2021-32767 (TYPO3 is an open source PHP based web content management system. In ve ...)
 	NOT-FOR-US: Typo 3
 CVE-2021-32766
@@ -24678,7 +24683,8 @@ CVE-2021-3437
 CVE-2021-3436
 	RESERVED
 CVE-2021-28216 (BootPerformanceTable pointer is read from an NVRAM variable in PEI. Re ...)
-	TODO: check
+	- edk2 <unfixed>
+	NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2957
 CVE-2021-28215
 	RESERVED
 CVE-2021-28214
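Review bot: the edk2 entry for CVE-2021-28216 lists only `<unfixed>` and the tianocore bugzilla link, with no Debian bug reference, no per-release annotation, and no upstream fixing commit of the kind the node-tar entries carry. As the description places the flaw in PEI reading a pointer from an NVRAM variable, a `[bullseye]`/`[buster]` line with a severity remark would tell readers whether a stable update is planned, and the fixing commit should be added as a second NOTE once identified from the bugzilla entry.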
@@ -28567,7 +28573,7 @@ CVE-2021-26608
 CVE-2021-26607
 	RESERVED
 CVE-2021-26606 (A vulnerability in PKI Security Solution of Dream Security could allow ...)
-	TODO: check
+	NOT-FOR-US: Dream Security
 CVE-2021-26605 (An improper input validation vulnerability in the service of ezPDFRead ...)
 	NOT-FOR-US: ezPDFReader
 CVE-2021-26604
@@ -30271,7 +30277,7 @@ CVE-2021-25956
 CVE-2021-25955
 	RESERVED
 CVE-2021-25954 (In “Dolibarr” application, 2.8.1 to 13.0.4 don’t res ...)
-	TODO: check
+	- dolibarr <removed>
 CVE-2021-25953 (Prototype pollution vulnerability in 'putil-merge' versions1.0.0 throu ...)
 	NOT-FOR-US: Node putil-merge
 CVE-2021-25952 (Prototype pollution vulnerability in ‘just-safe-set’ versi ...)
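Review bot: `- dolibarr <removed>` for CVE-2021-25954 has no NOTE line, whereas the other package entries in this commit point at an advisory or commit; even for a removed package a reference to the upstream fix helps anyone reintroducing it, so add one if known. The affected range given in the description (2.8.1 to 13.0.4) could also be recorded so the entry states which version a future package would need to reach.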



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8ebb8cfec9c803f356bb34fc487913e546633f8




