[Git][security-tracker-team/security-tracker][master] new node-elliptic issue

Moritz Muehlenhoff jmm at debian.org
Mon Feb 15 13:36:32 GMT 2021 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
12bf39d8 by Moritz Muehlenhoff at 2021-02-15T14:36:11+01:00
new node-elliptic issue
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3,7 +3,7 @@ CVE-2021-27215
 CVE-2021-27214
 	RESERVED
 CVE-2021-27213 (config.py in pystemon before 2021-02-13 allows code execution via YAML ...)
-	TODO: check
+	NOT-FOR-US: pystemon
 CVE-2019-25019 (LimeSurvey before 4.0.0-RC4 allows SQL injection via the participant m ...)
 	- limesurvey <itp> (bug #472802)
 CVE-2021-27212 (In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion  ...)
@@ -30,9 +30,9 @@ CVE-2021-3411
 CVE-2021-3410
 	RESERVED
 CVE-2021-27205 (Telegram before 7.4 (212543) Stable on macOS stores the local copy of  ...)
-	TODO: check
+	NOT-FOR-US: Telegram for MacOS
 CVE-2021-27204 (Telegram before 7.4 (212543) Stable on macOS stores the local passcode ...)
-	TODO: check
+	NOT-FOR-US: Telegram for MacOS
 CVE-2021-27203
 	RESERVED
 CVE-2021-27202
@@ -14430,7 +14430,7 @@ CVE-2021-21256
 CVE-2021-21255
 	RESERVED
 CVE-2021-21254 (CKEditor 5 is an open source rich text editor framework with a modular ...)
-	TODO: check
+	NOT-FOR-US: CKEditor 5 Markdown plugin
 CVE-2021-21253 (OnlineVotingSystem is an open source project hosted on GitHub. OnlineV ...)
 	NOT-FOR-US: OnlineVotingSystem
 CVE-2021-21252 (The jQuery Validation Plugin provides drop-in validation for your exis ...)
@@ -18393,7 +18393,7 @@ CVE-2020-35127 (Ignite Realtime Openfire 4.6.0 has plugins/bookmarks/create-book
 CVE-2020-35126 (** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to conduct ...)
 	NOT-FOR-US: Typesetter CMS
 CVE-2020-35125 (A cross-site scripting (XSS) vulnerability in the forms component of M ...)
-	TODO: check
+	NOT-FOR-US: Mautic
 CVE-2020-35124 (A cross-site scripting (XSS) vulnerability in the assets component of  ...)
 	NOT-FOR-US: Mautic
 CVE-2020-35123 (In Zimbra Collaboration Suite Network Edition versions < 9.0.0 P10  ...)
@@ -20220,7 +20220,7 @@ CVE-2020-29584
 CVE-2020-29583 (Firmware version 4.60 of Zyxel USG devices contains an undocumented ac ...)
 	NOT-FOR-US: Zyxel
 CVE-2020-29582 (In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for  ...)
-	TODO: check
+	- kotlin <itp> (bug #892842)
 CVE-2020-29581 (The official spiped docker images before 1.5-alpine contain a blank pa ...)
 	NOT-FOR-US: spiped Docker images
 CVE-2020-29580 (The official storm Docker images before 1.2.1 contain a blank password ...)
@@ -20789,7 +20789,7 @@ CVE-2020-29453
 CVE-2020-29452
 	RESERVED
 CVE-2020-29451 (Affected versions of Atlassian Jira Server and Data Center allow remot ...)
-	TODO: check
+	NOT-FOR-US: Atlassian
 CVE-2020-29450 (Affected versions of Atlassian Confluence Server and Data Center allow ...)
 	NOT-FOR-US: Atlassian
 CVE-2020-29449
@@ -21733,7 +21733,7 @@ CVE-2020-29023
 CVE-2020-29022
 	RESERVED
 CVE-2020-29021 (A vulnerability in web UI input field of GateManager allows authentica ...)
-	TODO: check
+	NOT-FOR-US: GateManager
 CVE-2020-29020
 	RESERVED
 CVE-2020-29019 (A stack-based buffer overflow vulnerability in FortiWeb 6.3.0 through  ...)
@@ -24065,15 +24065,17 @@ CVE-2020-28500
 CVE-2020-28499
 	RESERVED
 CVE-2020-28498 (The package elliptic before 6.5.4 are vulnerable to Cryptographic Issu ...)
-	TODO: check
+	- node-elliptic <unfixed>
+	NOTE: https://github.com/indutny/elliptic/commit/441b7428b0e8f6636c42118ad2aaa186d3c34c3f
+	NOTE: https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md
 CVE-2020-28497
 	RESERVED
 CVE-2020-28496
 	RESERVED
 CVE-2020-28495 (This affects the package total.js before 3.4.7. The set function can b ...)
-	TODO: check
+	NOT-FOR-US: Node total.js
 CVE-2020-28494 (This affects the package total.js before 3.4.7. The issue occurs in th ...)
-	TODO: check
+	NOT-FOR-US: Node total.js
 CVE-2020-28493 (This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDO ...)
 	- jinja2 <unfixed> (bug #982736)
 	[stretch] - jinja2 <no-dsa> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/12bf39d883f7d36acc7333d1812aa24cb314b793

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/12bf39d883f7d36acc7333d1812aa24cb314b793
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210215/8e7b6b73/attachment.html>

More information about the debian-security-tracker-commits mailing list