[Git][security-tracker-team/security-tracker][master] new node-url-parse, telegram-desktop issues

Moritz Muehlenhoff jmm at debian.org
Mon Feb 22 14:29:19 GMT 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2a5afa2c by Moritz Muehlenhoff at 2021-02-22T15:28:52+01:00
new node-url-parse, telegram-desktop issues
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -83,9 +83,11 @@ CVE-2021-27518
 CVE-2021-27517
 	RESERVED
 CVE-2021-27516 (URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash  ...)
-	TODO: check
+	NOT-FOR-US: urijs
 CVE-2021-27515 (url-parse before 1.5.0 mishandles certain uses of backslash such as ht ...)
-	TODO: check
+	- node-url-parse <unfixed>
+	NOTE: https://github.com/unshiftio/url-parse/commit/d1e7e8822f26e8a49794b757123b51386325b2b0
+	NOTE: https://github.com/unshiftio/url-parse/pull/197
 CVE-2021-27514 (EyesOfNetwork 5.3-10 uses an integer of between 8 and 10 digits for th ...)
 	NOT-FOR-US: EyesOfNetwork (EON)
 CVE-2021-27513 (The module admin_ITSM in EyesOfNetwork 5.3-10 allows remote authentica ...)
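Review bot: the `+	- node-url-parse <unfixed>` line carries no Debian bug reference, while the tracker convention visible further down in this same patch (`- phplist <itp> (bug #612288)`) is to record one; consider filing a bug against node-url-parse and appending `(bug #NNNNNN)` to that line once it exists. The upstream commit and PR are linked, but the description line already names the fixed release (`url-parse before 1.5.0 mishandles`), so a `NOTE: Fixed in 1.5.0` beside the commit link would save the next triager a lookup.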
@@ -307,7 +309,7 @@ CVE-2021-27407
 CVE-2021-27406
 	RESERVED
 CVE-2021-27405 (A ReDoS (regular expression denial of service) flaw was found in the @ ...)
-	TODO: check
+	NOT-FOR-US: Node scrapbox-parser
 CVE-2021-27404 (Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014 devices allow injec ...)
 	NOT-FOR-US: Askey devices
 CVE-2021-27403 (Askey RTF8115VW BR_SV_g11.11_RTF_TEF001_V6.54_V014 devices allow cgi-b ...)
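Review bot: style point on the `+	NOT-FOR-US: Node scrapbox-parser` line: the ecosystem prefix is used here and on `NOT-FOR-US: Node slashify` in the last hunk, but the urijs entry in the first hunk reads plain `NOT-FOR-US: urijs`; pick one form (for example `NOT-FOR-US: Node urijs`) so the Node.js NFU entries in this commit are consistent and greppable.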
@@ -453,7 +455,8 @@ CVE-2021-27353
 CVE-2021-27352
 	RESERVED
 CVE-2021-27351 (The Terminate Session feature in the Telegram application through 7.2. ...)
-	TODO: check
+	- telegram-desktop 2.5.8+ds-1
+	NOTE: https://0ffsecninja.github.io/Telegram:CVE-2021-2735.html
 CVE-2021-27350
 	RESERVED
 CVE-2021-27349
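Review bot: the `NOTE:` URL on the telegram-desktop entry ends in `CVE-2021-2735.html` while the entry itself is CVE-2021-27351; please confirm the link resolves as written rather than having lost a trailing digit. Also, `- telegram-desktop 2.5.8+ds-1` records a fixed Debian version with no note on which upstream change closed the issue; a second `NOTE:` pointing at the upstream fix, next to the writeup link, would make that version claim verifiable.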
@@ -4658,7 +4661,7 @@ CVE-2021-3308 (An issue was discovered in Xen 4.12.3 through 4.12.4 and 4.13.1 t
 	NOTE: Issue backported to 4.12.3 and 4.13.1
 	NOTE: Fixed by: https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=58427889f5a420cc5226f88524b3228f90b72a58
 CVE-2021-3189 (The slashify package 1.0.0 for Node.js allows open-redirect attacks, a ...)
-	TODO: check
+	NOT-FOR-US: Node slashify
 CVE-2021-3188 (phpList 3.6.0 allows CSV injection, related to the email parameter, an ...)
 	- phplist <itp> (bug #612288)
 CVE-2021-3187



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a5afa2c0ded5ae3aae99f4391c490d4a06f5c6b
