[Git][security-tracker-team/security-tracker][master] new ruby-carrierwave, helm-kubernetes, node-marked issues

[Moritz Muehlenhoff]

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
dcd71852 by Moritz Muehlenhoff at 2021-02-11T10:53:03+01:00
new ruby-carrierwave, helm-kubernetes, node-marked issues
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -14212,13 +14212,18 @@ CVE-2021-21308
 CVE-2021-21307
 	RESERVED
 CVE-2021-21306 (Marked is an open-source markdown parser and compiler (npm package "ma ...)
-	TODO: check
+	- node-marked <unfixed>
+	NOTE: https://github.com/markedjs/marked/security/advisories/GHSA-4r62-v4vq-hr96
+	NOTE: https://github.com/markedjs/marked/commit/7293251c438e3ee968970f7609f1a27f9007bccd
+	TODO: might not affect <= 0.8, needs to be verified
 CVE-2021-21305 (CarrierWave is an open-source RubyGem which provides a simple and flex ...)
-	TODO: check
+	- ruby-carrierwave <unfixed>
+	NOTE: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4
+	NOTE: https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7
 CVE-2021-21304 (Dynamoose is an open-source modeling tool for Amazon's DynamoDB. In Dy ...)
-	TODO: check
+	NOT-FOR-US: Dynamoose
 CVE-2021-21303 (Helm is open-source software which is essentially "The Kubernetes Pack ...)
-	TODO: check
+	- helm-kubernetes <itp> (bug #910799)
 CVE-2021-21302
 	RESERVED
 CVE-2021-21301
@@ -14230,17 +14235,17 @@ CVE-2021-21298
 CVE-2021-21297
 	RESERVED
 CVE-2021-21296 (Fleet is an open source osquery manager. In Fleet before version 3.7.0 ...)
-	TODO: check
+	NOT-FOR-US: Fleet
 CVE-2021-21295
 	RESERVED
 CVE-2021-21294 (Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface f ...)
-	TODO: check
+	NOT-FOR-US: Http4s
 CVE-2021-21293 (blaze is a Scala library for building asynchronous pipelines, with a f ...)
-	TODO: check
+	NOT-FOR-US: blaez
 CVE-2021-21292 (Traccar is an open source GPS tracking system. In Traccar before versi ...)
 	NOT-FOR-US: Traccar
 CVE-2021-21291 (OAuth2 Proxy is an open-source reverse proxy and static file server th ...)
-	TODO: check
+	NOT-FOR-US: OAuth2 Proxy
 CVE-2021-21290 (Netty is an open-source, asynchronous event-driven network application ...)
 	- netty <unfixed>
 	NOTE: https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2
@@ -14255,7 +14260,9 @@ CVE-2021-21289 (Mechanize is an open-source ruby library that makes automated we
 	NOTE: https://github.com/sparklemotion/mechanize/commit/63f8779e49664d5e95fae8d42d04c8e373162b3c (v2.7.7)
 	NOTE: Test warnings fixup: https://github.com/sparklemotion/mechanize/commit/5b30aed33cbac9825e8978f8e36dd221cbd4c093 (v2.7.7)
 CVE-2021-21288 (CarrierWave is an open-source RubyGem which provides a simple and flex ...)
-	TODO: check
+	- ruby-carrierwave <unfixed>
+	NOTE: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-fwcm-636p-68r5
+	NOTE: https://github.com/carrierwaveuploader/carrierwave/commit/012702eb3ba1663452aa025831caa304d1a665c0
 CVE-2021-21287 (MinIO is a High Performance Object Storage released under Apache Licen ...)
 	- minio <itp> (bug #859207)
 CVE-2021-21286 (AVideo Platform is an open-source Audio and Video platform. It is simi ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dcd71852295bc7b8d53fa9bfed2654d6612d4868

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dcd71852295bc7b8d53fa9bfed2654d6612d4868
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210211/1891daea/attachment.html>