[Git][security-tracker-team/security-tracker][master] new three.js issues

Moritz Muehlenhoff jmm at debian.org
Mon Feb 22 17:22:33 GMT 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ddd94352 by Moritz Muehlenhoff at 2021-02-22T18:21:59+01:00
new three.js issues
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -9599,16 +9599,16 @@ CVE-2021-23344
 CVE-2021-23343
 	RESERVED
 CVE-2021-23342 (This affects the package docsify before 4.12.0. It is possible to bypa ...)
-	TODO: check
+	NOT-FOR-US: docsify
 CVE-2021-23341 (The package prismjs before 1.23.0 are vulnerable to Regular Expression ...)
 	- node-prismjs <unfixed>
 	NOTE: https://github.com/PrismJS/prism/commit/c2f6a64426f44497a675cb32dccb079b3eff1609
 	NOTE: https://github.com/PrismJS/prism/pull/2584
 	NOTE: https://github.com/PrismJS/prism/issues/2583
 CVE-2021-23340 (This affects the package pimcore/pimcore before 6.8.8. A Local FIle In ...)
-	TODO: check
+	NOT-FOR-US: Pimcore
 CVE-2021-23339 (This affects all versions of package com.typesafe.akka:akka-http-core. ...)
-	TODO: check
+	NOT-FOR-US: com.typesafe.akka:akka-http-core
 CVE-2021-23338 (This affects all versions of package qlib. The workflow function in cl ...)
 	NOT-FOR-US: qlib
 CVE-2021-23337 (All versions of package lodash; all versions of package org.fujion.web ...)
@@ -10569,11 +10569,11 @@ CVE-2021-22860
 CVE-2021-22859
 	RESERVED
 CVE-2021-22858 (Attackers can access the CGE account management function without privi ...)
-	TODO: check
+	NOT-FOR-US: CGE
 CVE-2021-22857 (The CGE page with download function contains a Directory Traversal vul ...)
-	TODO: check
+	NOT-FOR-US: CGE
 CVE-2021-22856 (The CGE property management system contains SQL Injection vulnerabilit ...)
-	TODO: check
+	NOT-FOR-US: CGE
 CVE-2021-22855 (The specific function of HR Portal of Soar Cloud System accepts any ty ...)
 	NOT-FOR-US: HR Portal of Soar Cloud System
 CVE-2021-22854 (The HR Portal of Soar Cloud System fails to filter specific parameters ...)
@@ -11333,7 +11333,7 @@ CVE-2021-22555
 CVE-2021-22554
 	RESERVED
 CVE-2021-22553 (Any git operation is passed through Jetty and a session is created. No ...)
-	TODO: check
+	- gerrit <itp> (bug #589436)
 CVE-2021-22552
 	RESERVED
 CVE-2021-22551
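Review bot: the new `- gerrit <itp> (bug #589436)` line for CVE-2021-22553 carries no NOTE with an upstream advisory or fixing commit, unlike the other package entries touched in this commit (prismjs, elliptic, three.js all record upstream references); adding a `NOTE:` with the upstream fix reference would let whoever picks up the ITP verify which Gerrit version closes the issue.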
@@ -14770,7 +14770,7 @@ CVE-2020-35666 (Steedos Platform through 1.21.24 allows NoSQL injection because
 CVE-2020-35665 (An unauthenticated command-execution vulnerability exists in TerraMast ...)
 	NOT-FOR-US: TerraMaster TOS
 CVE-2020-35664 (An issue was discovered in Acronis Cyber Protect before 15 Update 1 bu ...)
-	TODO: check
+	NOT-FOR-US: Acronis
 CVE-2020-35663
 	RESERVED
 CVE-2020-35662
@@ -16038,7 +16038,7 @@ CVE-2020-35558 (An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbC
 CVE-2020-35557 (An issue was discovered in MB CONNECT LINE mymbCONNECT24 and mbCONNECT ...)
 	NOT-FOR-US: MB CONNECT
 CVE-2020-35556 (An issue was discovered in Acronis Cyber Protect before 15 Update 1 bu ...)
-	TODO: check
+	NOT-FOR-US: Acronis
 CVE-2020-35555 (An issue was discovered on LG mobile devices with Android OS 10 softwa ...)
 	NOT-FOR-US: LG mobile devices
 CVE-2020-35554 (An issue was discovered on LG mobile devices with Android OS 8.0, 8.1, ...)
@@ -17595,11 +17595,11 @@ CVE-2021-20245 [Division by zero in WriteAnimatedWEBPImage() in coders/webp.c]
 	NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/a78d92dc0f468e79c3d761aae9707042952cdaca
 CVE-2021-20244 [Division by zero in ImplodeImage in MagickCore/visual-effects.c]
 	RESERVED
-	- imagemagick <undetermined>
+	- imagemagick <unfixed>
 	[buster] - imagemagick <ignored> (Minor issue)
 	NOTE: https://github.com/ImageMagick/ImageMagick/pull/3194
 	NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/329dd528ab79531d884c0ba131e97d43f872ab5d
-	TODO: check
+	NOTE: In IM6 the code seems to be in magick/fx.c
 CVE-2021-20243 [Division by zero in GetResizeFilterWeight in MagickCore/resize.c]
 	RESERVED
 	- imagemagick <undetermined>
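Review bot: the status change from `<undetermined>` to `<unfixed>` for CVE-2021-20244 is a triage decision that the commit message ("new three.js issues / NFUs") does not mention, and the NOTE that replaces the TODO is tentative ("seems to be in magick/fx.c"). The entry directly above (CVE-2021-20245) records the ImageMagick6 commit next to the ImageMagick one; recording the IM6 fix here in the same `NOTE: ImageMagick6:` form, or keeping a `TODO:` until the IM6 location is confirmed, would keep the two entries consistent and the open question visible.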
@@ -24972,7 +24972,7 @@ CVE-2020-28500 (All versions of package lodash; all versions of package org.fuji
 	- node-lodash <unfixed>
 	NOTE: https://snyk.io/vuln/SNYK-JS-LODASH-1018905
 CVE-2020-28499 (All versions of package merge are vulnerable to Prototype Pollution vi ...)
-	TODO: check
+	NOTE: Only bogus references listed, unclear what this is about
 CVE-2020-28498 (The package elliptic before 6.5.4 are vulnerable to Cryptographic Issu ...)
 	- node-elliptic <unfixed>
 	NOTE: https://github.com/indutny/elliptic/commit/441b7428b0e8f6636c42118ad2aaa186d3c34c3f
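Review bot: for CVE-2020-28499 the `TODO: check` is dropped but no status (package line or `NOT-FOR-US:`) is assigned, so the entry leaves the TODO queue while the new NOTE itself says the issue is unclear. Keeping `TODO: check` alongside the NOTE, or recording a status once the references are usable, would stop the item from silently falling off the follow-up list.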
@@ -24980,7 +24980,9 @@ CVE-2020-28498 (The package elliptic before 6.5.4 are vulnerable to Cryptographi
 CVE-2020-28497
 	RESERVED
 CVE-2020-28496 (This affects the package three before 0.125.0. This can happen when ha ...)
-	TODO: check
+	- three.js <unfixed>
+	NOTE: https://github.com/mrdoob/three.js/pull/21143/commits/4a582355216b620176a291ff319d740e619d583e
+	NOTE: https://github.com/mrdoob/three.js/issues/21132
 CVE-2020-28495 (This affects the package total.js before 3.4.7. The set function can b ...)
 	NOT-FOR-US: Node total.js
 CVE-2020-28494 (This affects the package total.js before 3.4.7. The issue occurs in th ...)
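Review bot: the two NOTE lines for CVE-2020-28496 give an upstream commit and an issue URL without saying which one is the fix; prefixing the commit URL with `Fixed by:` would make that explicit, and since the description states the issue is fixed in three 0.125.0, noting that version would help whoever later compares it against the packaged version of three.js.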
@@ -27064,7 +27066,7 @@ CVE-2020-28250 (Cellinx NVT Web Server 5.0.0.014b.test 2019-09-05 allows a remot
 CVE-2020-28249 (Joplin 1.2.6 for Desktop allows XSS via a LINK element in a note. ...)
 	NOT-FOR-US: Joplin
 CVE-2020-28248 (An integer overflow in the PngImg::InitStorage_() function of png-img  ...)
-	TODO: check
+	NOT-FOR-US: png-img
 CVE-2020-28247 (The lettre library through 0.10.0-alpha for Rust allows arbitrary send ...)
 	NOT-FOR-US: Node lettre
 CVE-2020-28246
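Review bot: the context line `NOT-FOR-US: Node lettre` under CVE-2020-28247 contradicts the description on the line above, which identifies lettre as a Rust library; while touching this region, labelling it as a Rust crate (or simply `NOT-FOR-US: lettre`) would keep the NOT-FOR-US reason accurate.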



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ddd94352c2e8e1b9be204e6410de9d5ef7b49027

-- 
You're receiving this email because of your account on salsa.debian.org.



