[Git][security-tracker-team/security-tracker][master] new puppet issue (needs a closer look)

Moritz Muehlenhoff jmm at debian.org
Tue Feb 16 11:01:50 GMT 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
20b5ba76 by Moritz Muehlenhoff at 2021-02-16T12:01:06+01:00
new puppet issue (needs a closer look)
new python issue
NFU
concludes external check

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -462,6 +462,8 @@ CVE-2021-27018
 	RESERVED
 CVE-2021-27017
 	RESERVED
+	- puppet <unfixed>
+	NOTE: https://puppet.com/security/cve/CVE-2021-27017/
 CVE-2021-27016
 	RESERVED
 CVE-2021-27015
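Review bot: The new puppet entry under CVE-2021-27017 is marked <unfixed> with only the vendor advisory URL, and nothing in the entry records that it still needs triage, even though the commit subject says it needs a closer look. Consider adding a `TODO: check` line after the NOTE so the open question is visible in data/CVE/list itself and not only in the commit message.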
@@ -8867,7 +8869,16 @@ CVE-2021-23337 (All versions of package lodash; all versions of package org.fuji
 	- node-lodash <unfixed>
 	NOTE: https://snyk.io/vuln/SNYK-JS-LODASH-1040724
 CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 3.7.0 and be ...)
-	TODO: check
+	- python3.9 <unfixed>
+	- python3.8 <removed>
+	- python3.7 <removed>
+	- python3.5 <removed>
+	NOTE: https://github.com/python/cpython/pull/24297
+	NOTE: https://github.com/python/cpython/commit/fcbe0cb04d35189401c0c880ebfb4311e952d776 (master)
+	NOTE: https://github.com/python/cpython/commit/c9f07813ab8e664d8c34413c4fc2d4f86c061a92 (3.9)
+	NOTE: https://github.com/python/cpython/commit/d0d4d30882fe3ab9b1badbecf5d15d94326fd13e (3.7)
+	NOTE: https://snyk.io/blog/cache-poisoning-in-popular-open-source-packages/
+	TODO: check Py2 status
 CVE-2021-23335 (All versions of package is-user-valid are vulnerable to LDAP Injection ...)
 	NOT-FOR-US: Node is-user-valid
 CVE-2021-23334 (All versions of package static-eval are vulnerable to Arbitrary Code E ...)
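Review bot: The NOTE lines under CVE-2021-23336 reference upstream commits for master, 3.9 and 3.7, but there is none for 3.8 even though python3.8 is listed as a source package, and the description also names 3.6.13. If backport commits exist for those branches, adding them would keep the per-branch references complete. The `TODO: check Py2 status` line rightly keeps the Python 2 question open.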
@@ -20561,6 +20572,7 @@ CVE-2021-1722
 	RESERVED
 CVE-2021-1721
 	RESERVED
+	NOT-FOR-US: Microsoft .NET
 CVE-2021-1720
 	RESERVED
 CVE-2021-1719 (Microsoft SharePoint Elevation of Privilege Vulnerability This CVE ID  ...)
@@ -34900,10 +34912,10 @@ CVE-2020-24871
 CVE-2020-24870
 	RESERVED
 	- libraw 0.20.2-1
+	[buster] - libraw <not-affected> (Vulnerable code not present)
 	[stretch] - libraw <not-affected> (vulnerable code not present)
 	NOTE: https://github.com/LibRaw/LibRaw/commit/4feaed4dea636cee4fee010f615881ccf76a096d
 	NOTE: https://github.com/LibRaw/LibRaw/issues/330
-	TODO: check older versions
 CVE-2020-24869
 	RESERVED
 CVE-2020-24868
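Review bot: The added [buster] line writes "(Vulnerable code not present)" with a capital V, while the [stretch] line directly below it uses "(vulnerable code not present)"; use the lowercase form so the two annotations match. Dropping `TODO: check older versions` is consistent with both older releases now being marked <not-affected>.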



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20b5ba76940cd43497f3d45e7d61de9877a1aeec
