[Git][security-tracker-team/security-tracker][master] new steghide issue

Moritz Muehlenhoff jmm at debian.org
Tue Feb 16 16:25:43 GMT 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3874eb49 by Moritz Muehlenhoff at 2021-02-16T17:25:10+01:00
new steghide issue
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -56,7 +56,9 @@ CVE-2021-27212 (In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an asse
 	NOTE: trunk: https://git.openldap.org/openldap/openldap/-/commit/3539fc33212b528c56b716584f2c2994af7c30b0
 	NOTE: REL_ENG 2.4.x: https://git.openldap.org/openldap/openldap/-/commit/9badb73425a67768c09bcaed1a9c26c684af6c30
 CVE-2021-27211 (steghide 0.5.1 relies on a certain 32-bit seed value, which makes it e ...)
-	TODO: check
+	- steghide <unfixed>
+	[buster] - steghide <no-dsa> (Minor issue)
+	NOTE: https://github.com/b4shfire/stegcrack
 CVE-2021-27210 (TP-Link Archer C5v 1.7_181221 devices allows remote attackers to retri ...)
 	NOT-FOR-US: TP-Link
 CVE-2021-27209 (In the management interface on TP-Link Archer C5v 1.7_181221 devices,  ...)
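Review bot: the only NOTE added for CVE-2021-27211 points at a third-party cracking tool repository (`NOTE: https://github.com/b4shfire/stegcrack`), not at an upstream fix, issue or advisory; since the entry is recorded as `- steghide <unfixed>`, consider adding a second NOTE recording the upstream bug report or the Debian bug number once one exists, so that the fix status of the weak 32-bit seed can be tracked later. The `[buster] - steghide <no-dsa> (Minor issue)` line is consistent with the unfixed sid entry.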
@@ -1598,7 +1600,7 @@ CVE-2021-3377
 CVE-2021-3376
 	RESERVED
 CVE-2021-3375 (ActivePresenter 6.1.6 is affected by a memory corruption vulnerability ...)
-	TODO: check
+	NOT-FOR-US: ActivePresenter
 CVE-2021-3374
 	RESERVED
 CVE-2021-3373
@@ -2465,7 +2467,7 @@ CVE-2021-26202
 CVE-2021-26201 (The Login Panel of CASAP Automated Enrollment System 1.0 is vulnerable ...)
 	NOT-FOR-US: Login Panel of CASAP Automated Enrollment System
 CVE-2021-26200 (The user area for Library System 1.0 is vulnerable to SQL injection wh ...)
-	TODO: check
+	NOT-FOR-US: Library System
 CVE-2021-26199
 	RESERVED
 CVE-2021-26198
@@ -8877,7 +8879,7 @@ CVE-2021-23340
 CVE-2021-23339
 	RESERVED
 CVE-2021-23338 (This affects all versions of package qlib. The workflow function in cl ...)
-	TODO: check
+	NOT-FOR-US: qlib
 CVE-2021-23337 (All versions of package lodash; all versions of package org.fujion.web ...)
 	- node-lodash <unfixed>
 	NOTE: https://snyk.io/vuln/SNYK-JS-LODASH-1040724
@@ -13845,7 +13847,7 @@ CVE-2020-35736 (GateOne 1.1 allows arbitrary file download without authenticatio
 CVE-2020-35735 (Vidyo 02-09-/D allows clickjacking via the portal/ URI. ...)
 	NOT-FOR-US: Vidyo
 CVE-2020-35734 (** UNSUPPORTED WHEN ASSIGNED ** Sruu.pl in Batflat 1.3.6 allows an aut ...)
-	TODO: check
+	NOT-FOR-US: Batflat
 CVE-2020-35733 (An issue was discovered in Erlang/OTP before 23.2.2. The ssl applicati ...)
 	- erlang 1:23.2.2+dfsg-1 (bug #980199)
 	[buster] - erlang <not-affected> (Vulnerable code introduced later)
@@ -21556,7 +21558,6 @@ CVE-2020-29144 (In Ericsson BSCS iX R18 Billing & Rating iX R18, MX is a web
 	NOT-FOR-US: Ericsson
 CVE-2020-29143 (A SQL injection vulnerability in interface/reports/non_reported.php in ...)
 	NOT-FOR-US: OpenEMR
-	TODO: check
 CVE-2020-29142 (A SQL injection vulnerability in interface/usergroup/usergroup_admin.p ...)
 	NOT-FOR-US: OpenEMR
 CVE-2020-29141
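Review bot: the removed `TODO: check` under CVE-2020-29143 sat beneath an entry that already carried `NOT-FOR-US: OpenEMR`, so this hunk only drops a stale marker and adds nothing; that is why its header reads `-21556,7 +21558,6` rather than the 7/7 shape of the other hunks.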
@@ -21801,7 +21802,7 @@ CVE-2020-29033
 CVE-2020-29032
 	RESERVED
 CVE-2020-29031 (An Insecure Direct Object Reference vulnerability exists in the web UI ...)
-	TODO: check
+	NOT-FOR-US: GateManager
 CVE-2020-29030
 	RESERVED
 CVE-2020-29029
@@ -21811,7 +21812,7 @@ CVE-2020-29028
 CVE-2020-29027
 	RESERVED
 CVE-2020-29026 (A directory traversal vulnerability exists in the file upload function ...)
-	TODO: check
+	NOT-FOR-US: GateManager
 CVE-2020-29025
 	RESERVED
 CVE-2020-29024
@@ -24181,7 +24182,7 @@ CVE-2020-28489
 CVE-2020-28488
 	REJECTED
 CVE-2020-28487 (This affects the package vis-timeline before 7.4.4. An attacker with t ...)
-	TODO: check
+	NOT-FOR-US: vis-timeline
 CVE-2020-28486
 	RESERVED
 CVE-2020-28485
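Review bot: style point on the `+	NOT-FOR-US: vis-timeline` line: the other npm-package entries touched by this patch use a `Node ` prefix (`NOT-FOR-US: Node decal`, `NOT-FOR-US: Node kill-process-on-port`, and the existing `NOT-FOR-US: Node multi-ini`); if vis-timeline is likewise an npm package, `NOT-FOR-US: Node vis-timeline` would keep the naming consistent.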
@@ -24262,9 +24263,9 @@ CVE-2020-28452 (This affects the package com.softwaremill.akka-http-session:core
 CVE-2020-28451
 	RESERVED
 CVE-2020-28450 (This affects all versions of package decal. The vulnerability is in th ...)
-	TODO: check
+	NOT-FOR-US: Node decal
 CVE-2020-28449 (This affects all versions of package decal. The vulnerability is in th ...)
-	TODO: check
+	NOT-FOR-US: Node decal
 CVE-2020-28448 (This affects the package multi-ini before 2.1.1. It is possible to pol ...)
 	NOT-FOR-US: Node multi-ini
 CVE-2020-28447
@@ -24310,7 +24311,7 @@ CVE-2020-28428
 CVE-2020-28427
 	RESERVED
 CVE-2020-28426 (All versions of package kill-process-on-port are vulnerable to Command ...)
-	TODO: check
+	NOT-FOR-US: Node kill-process-on-port
 CVE-2020-28425
 	RESERVED
 CVE-2020-28424
@@ -24537,7 +24538,7 @@ CVE-2020-28339 (The usc-e-shop (aka Collne Welcart e-Commerce) plugin before 1.9
 CVE-2020-28338
 	RESERVED
 CVE-2020-28337 (A directory traversal issue in the Utils/Unzip module in Microweber th ...)
-	TODO: check
+	NOT-FOR-US: Microweber
 CVE-2020-28336
 	RESERVED
 CVE-2021-1050
@@ -26357,7 +26358,7 @@ CVE-2020-28196 (MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3
 CVE-2020-28195
 	RESERVED
 CVE-2020-28194 (Variable underflow exists in accel-ppp radius/packet.c when receiving  ...)
-	TODO: check
+	NOT-FOR-US: ACCEL-PPP
 CVE-2020-28193
 	RESERVED
 CVE-2020-28192
@@ -27261,19 +27262,19 @@ CVE-2020-27876
 CVE-2020-27875
 	RESERVED
 CVE-2020-27874 (This vulnerability allows remote attackers to execute arbitrary code o ...)
-	TODO: check
+	NOT-FOR-US: WeChat
 CVE-2020-27873 (This vulnerability allows network-adjacent attackers to disclose sensi ...)
 	NOT-FOR-US: Netgear
 CVE-2020-27872 (This vulnerability allows network-adjacent attackers to bypass authent ...)
 	NOT-FOR-US: Netgear
 CVE-2020-27871 (This vulnerability allows remote attackers to create arbitrary files o ...)
-	TODO: check
+	NOT-FOR-US: SolarWinds
 CVE-2020-27870 (This vulnerability allows remote attackers to disclose sensitive infor ...)
-	TODO: check
+	NOT-FOR-US: SolarWinds
 CVE-2020-27869 (This vulnerability allows remote attackers to escalate privileges on a ...)
-	TODO: check
+	NOT-FOR-US: SolarWinds
 CVE-2020-27868 (This vulnerability allows remote attackers to execute arbitrary code o ...)
-	TODO: check
+	NOT-FOR-US: Qognify
 CVE-2020-27867 (This vulnerability allows network-adjacent attackers to execute arbitr ...)
 	NOT-FOR-US: Netgear
 CVE-2020-27866 (This vulnerability allows network-adjacent attackers to bypass authent ...)
@@ -29321,7 +29322,7 @@ CVE-2020-27224
 CVE-2020-27223
 	RESERVED
 CVE-2020-27222 (In Eclipse Californium version 2.3.0 to 2.6.0, the certificate based ( ...)
-	TODO: check
+	NOT-FOR-US: Eclipse Californium
 CVE-2020-27221 (In Eclipse OpenJ9 up to version 0.23, there is potential for a stack-b ...)
 	NOT-FOR-US: Eclipse OpenJ9
 CVE-2020-27220 (The Eclipse Hono AMQP and MQTT protocol adapters do not check whether  ...)
@@ -30907,7 +30908,7 @@ CVE-2020-26549 (An issue was discovered in Aviatrix Controller before R5.4.1290.
 CVE-2020-26548 (An issue was discovered in Aviatrix Controller before R5.4.1290. There ...)
 	NOT-FOR-US: Aviatrix
 CVE-2020-26547 (Monal before 4.9 does not implement proper sender verification on MAM  ...)
-	TODO: check
+	NOT-FOR-US: Monal
 CVE-2020-26546 (** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in HelpDeskZ 1 ...)
 	NOT-FOR-US: HelpDeskZ
 CVE-2020-26545



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3874eb49fcca06a8cc69e65780caa87e5ec5d0c9
