[Git][security-tracker-team/security-tracker][master] new rust-kamadak-exif (might not affect stale Debian versions)

Moritz Muehlenhoff jmm at debian.org
Wed Jan 6 10:50:13 GMT 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
28f804c1 by Moritz Muehlenhoff at 2021-01-06T11:49:58+01:00
new rust-kamadak-exif (might not affect stale Debian versions)
new golang-github-tidwall-gjson issues
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1109,7 +1109,7 @@ CVE-2021-22160
 CVE-2020-36159 (Veritas Desktop and Laptop Option (DLO) before 9.5 disclosed operation ...)
 	NOT-FOR-US: Veritas
 CVE-2021-3019 (ffay lanproxy 0.1 allows Directory Traversal to read /../conf/config.p ...)
-	TODO: check
+	NOT-FOR-US: ffay lanproxy
 CVE-2021-3018 (ipeak Infosystems ibexwebCMS (aka IPeakCMS) 3.5 is vulnerable to an un ...)
 	NOT-FOR-US: ipeak Infosystems ibexwebCMS (aka IPeakCMS)
 CVE-2021-3017
@@ -2644,9 +2644,13 @@ CVE-2020-36069
 CVE-2020-36068
 	RESERVED
 CVE-2020-36067 (GJSON <=v1.6.5 allows attackers to cause a denial of service (panic ...)
-	TODO: check
+	- golang-github-tidwall-gjson <unfixed>
+	NOTE: https://github.com/tidwall/gjson/issues/196
+	NOTE: https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b
 CVE-2020-36066 (GJSON <1.6.5 allows attackers to cause a denial of service (remote) ...)
-	TODO: check
+	- golang-github-tidwall-gjson <unfixed>
+	NOTE: https://github.com/tidwall/gjson/issues/195
+	NOTE: https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc
 CVE-2020-36065
 	RESERVED
 CVE-2020-36064
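Review bot: the fix reference for CVE-2020-36066 points at a commit in the tidwall/match repository (`NOTE: https://github.com/tidwall/match/commit/c2f534...`), yet the only package listed under that entry is golang-github-tidwall-gjson; if the vulnerable code lives in the match module, the Debian package carrying that module also needs an entry, or a NOTE should say why gjson alone is the right one. Both entries are also marked `<unfixed>` while citing the upstream fix and the CVE text names 1.6.5 as the boundary, so recording the upstream fixed version next to the commit would let the next reader check the archive version without re-deriving it.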
@@ -2674,9 +2678,9 @@ CVE-2020-36054
 CVE-2020-36053
 	RESERVED
 CVE-2020-36052 (Directory traversal vulnerability in post-edit.php in MiniCMS V1.10 al ...)
-	TODO: check
+	NOT-FOR-US: MiniCMS
 CVE-2020-36051 (Directory traversal vulnerability in page_edit.php in MiniCMS V1.10 al ...)
-	TODO: check
+	NOT-FOR-US: MiniCMS
 CVE-2020-36050
 	RESERVED
 CVE-2020-36049
@@ -2848,7 +2852,7 @@ CVE-2020-35967
 CVE-2020-35966
 	RESERVED
 CVE-2021-3007 (** DISPUTED ** Laminas Project laminas-http before 2.14.2, and Zend Fr ...)
-	TODO: check
+	NOT-FOR-US: laminas-http
 CVE-2021-21495 (MK-AUTH through 19.01 K4.9 allows CSRF for password changes via the ce ...)
 	NOT-FOR-US: MK-AUTH
 CVE-2021-21494 (MK-AUTH through 19.01 K4.9 allows XSS via the admin/logs_ajax.php tipo ...)
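Review bot: the CVE-2021-3007 description covers "Laminas Project laminas-http before 2.14.2, and Zend Fr..." but the new line reads `NOT-FOR-US: laminas-http` only; since the Zend Framework side is also named as affected, the entry should state that it was checked as well (for example by naming both projects in the NOT-FOR-US tag), otherwise a later reader cannot tell whether the second half of the advisory was considered. The `** DISPUTED **` marker in the description may also be worth a one-line NOTE so the reason for the triage is preserved.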
@@ -2863,7 +2867,7 @@ CVE-2020-35964 (track_header in libavformat/vividas.c in FFmpeg 4.3.1 has an out
 	NOTE: https://github.com/FFmpeg/FFmpeg/commit/27a99e2c7d450fef15594671eef4465c8a166bd7
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26622
 CVE-2020-35963 (flb_gzip_compress in flb_gzip.c in Fluent Bit before 1.6.4 has an out- ...)
-	TODO: check
+	NOT-FOR-US: Fluent Bit
 CVE-2021-3006 (The breed function in the smart contract implementation for Farm in Se ...)
 	NOT-FOR-US: Farm in Seal Finance (Seal) Ethereum token
 CVE-2021-3005 (MK-AUTH through 19.01 K4.9 allows remote attackers to obtain sensitive ...)
@@ -4153,9 +4157,10 @@ CVE-2021-21237
 CVE-2021-21236
 	RESERVED
 CVE-2021-21235 (kamadak-exif is an exif parsing library written in pure Rust. In kamad ...)
-	TODO: check
+	- rust-kamadak-exif <unfixed>
+	NOTE: https://github.com/kamadak/exif-rs/security/advisories/GHSA-px9g-8hgv-jvg2
 CVE-2021-21234 (spring-boot-actuator-logview in a library that adds a simple logfile v ...)
-	TODO: check
+	NOT-FOR-US: Spring actuator logview
 CVE-2020-35627 (Ultimate WooCommerce Gift Cards 3.0.2 is affected by a file upload vul ...)
 	NOT-FOR-US: Ultimate WooCommerce Gift Cards
 CVE-2021-21233
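Review bot: the commit message qualifies the rust-kamadak-exif issue with "might not affect stale Debian versions", but the entry itself is an unconditional `- rust-kamadak-exif <unfixed>` with only the GHSA link as a NOTE; that doubt belongs in the data file, either as a NOTE recording which Debian version was inspected and why it may predate the affected code, or as a residual TODO to confirm, so the tracker state and the commit message do not disagree.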
@@ -6965,7 +6970,7 @@ CVE-2021-20002
 CVE-2021-20001
 	RESERVED
 CVE-2020-35488 (The fileop module of the NXLog service in NXLog Community Edition 2.10 ...)
-	TODO: check
+	NOT-FOR-US: NXLog
 CVE-2020-35487
 	RESERVED
 CVE-2020-35486
@@ -10142,7 +10147,7 @@ CVE-2020-29439 (Tesla Model X vehicles before 2020-11-23 have key fobs that rely
 CVE-2020-29438 (Tesla Model X vehicles before 2020-11-23 have key fobs that accept fir ...)
 	NOT-FOR-US: Tesla Model X vehicles
 CVE-2020-29437 (SQL injection in the Buzz module of OrangeHRM through 4.6 allows remot ...)
-	TODO: check
+	NOT-FOR-US: OrangeHRM
 CVE-2020-29436 (Sonatype Nexus Repository Manager 3.x before 3.29.0 allows a user with ...)
 	NOT-FOR-US: Sonatype Nexus Repository Manager
 CVE-2020-29435
@@ -13420,7 +13425,7 @@ CVE-2020-28466
 CVE-2020-28465
 	RESERVED
 CVE-2020-28464 (This affects the package djv before 2.1.4. By controlling the schema f ...)
-	TODO: check
+	NOT-FOR-US: Node djv
 CVE-2020-28463
 	RESERVED
 CVE-2020-28462
@@ -20590,17 +20595,17 @@ CVE-2020-26299
 CVE-2020-26298
 	RESERVED
 CVE-2020-26297 (mdBook is a utility to create modern online books from Markdown files  ...)
-	TODO: check
+	NOT-FOR-US: mdBook
 CVE-2020-26296 (Vega is a visualization grammar, a declarative format for creating, sa ...)
 	NOT-FOR-US: Node vega
 CVE-2020-26295
 	RESERVED
 CVE-2020-26294 (Vela is a Pipeline Automation (CI/CD) framework built on Linux contain ...)
-	TODO: check
+	NOT-FOR-US: Vela
 CVE-2020-26293 (HtmlSanitizer is a .NET library for cleaning HTML fragments and docume ...)
-	TODO: check
+	NOT-FOR-US: HtmlSanitizer
 CVE-2020-26292 (Creeper is an experimental dynamic, interpreted language. The binary r ...)
-	TODO: check
+	NOT-FOR-US: Creeper
 CVE-2020-26291 (URI.js is a javascript URL mutation library (npm package urijs). In UR ...)
 	NOT-FOR-US: Node urijs
 CVE-2020-26290 (Dex is a federated OpenID Connect provider written in Go. In Dex befor ...)
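Review bot: mdBook (CVE-2020-26297) is tagged `NOT-FOR-US: mdBook` in the same commit that starts tracking a Rust crate (rust-kamadak-exif); a short NOTE stating that the archive was checked for an mdbook source package would make this NOT-FOR-US decision verifiable rather than implicit. The other three new NOT-FOR-US lines in this hunk (Vela, HtmlSanitizer, Creeper) match the existing naming style used for `NOT-FOR-US: Node vega` and `NOT-FOR-US: Node urijs`, so no change is needed there.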
@@ -27409,9 +27414,9 @@ CVE-2020-23252
 CVE-2020-23251
 	RESERVED
 CVE-2020-23250 (GigaVUE-OS (GVOS) 5.4 - 5.9 uses a weak algorithm for a hash stored in ...)
-	TODO: check
+	NOT-FOR-US: GigaVUE-OS
 CVE-2020-23249 (GigaVUE-OS (GVOS) 5.4 - 5.9 stores a Redis database password in plaint ...)
-	TODO: check
+	NOT-FOR-US: GigaVUE-OS
 CVE-2020-23248
 	RESERVED
 CVE-2020-23247
@@ -28809,7 +28814,7 @@ CVE-2020-22552 (The Snap7 server component in version 1.4.1, when an attacker se
 CVE-2020-22551
 	RESERVED
 CVE-2020-22550 (Veno File Manager 3.5.6 is affected by a directory traversal vulnerabi ...)
-	TODO: check
+	NOT-FOR-US: Veno File Manager
 CVE-2020-22549
 	RESERVED
 CVE-2020-22548
@@ -49218,9 +49223,9 @@ CVE-2020-13542 (A local privilege elevation vulnerability exists in the file sys
 CVE-2020-13541 (An exploitable local privilege elevation vulnerability exists in the f ...)
 	NOT-FOR-US: Mobile-911 Server
 CVE-2020-13540 (An exploitable local privilege elevation vulnerability exists in the f ...)
-	TODO: check
+	NOT-FOR-US: Win-911 Enterprise
 CVE-2020-13539 (An exploitable local privilege elevation vulnerability exists in the f ...)
-	TODO: check
+	NOT-FOR-US: Win-911 Enterprise
 CVE-2020-13538
 	RESERVED
 CVE-2020-13537 (An exploitable local privilege elevation vulnerability exists in the f ...)
@@ -61247,9 +61252,9 @@ CVE-2020-9422
 CVE-2020-9421
 	RESERVED
 CVE-2019-20484 (An issue was discovered in Viki Vera 4.9.1.26180. A user without acces ...)
-	TODO: check
+	NOT-FOR-US: Viki Vera
 CVE-2019-20483 (An issue was discovered in Viki Vera 4.9.1.26180. An attacker could se ...)
-	TODO: check
+	NOT-FOR-US: Viki Vera
 CVE-2020-9420
 	RESERVED
 CVE-2020-9419
@@ -65490,7 +65495,7 @@ CVE-2020-7773 (This affects the package markdown-it-highlightjs before 3.3.1. It
 CVE-2020-7772 (This affects the package doc-path before 2.1.2. ...)
 	NOT-FOR-US: Node doc-path
 CVE-2020-7771 (The package asciitable.js before 1.0.3 are vulnerable to Prototype Pol ...)
-	TODO: check
+	NOT-FOR-US: Node asciitable.js
 CVE-2020-7770 (This affects the package json8 before 1.0.3. The function adds in the  ...)
 	NOT-FOR-US: Node json8
 CVE-2020-7769 (This affects the package nodemailer before 6.4.16. Use of crafted reci ...)
@@ -66453,7 +66458,7 @@ CVE-2020-7338
 CVE-2020-7337 (Incorrect Permission Assignment for Critical Resource vulnerability in ...)
 	NOT-FOR-US: McAfee
 CVE-2020-7336 (Cross Site Request Forgery vulnerability in McAfee Network Security Ma ...)
-	TODO: check
+	NOT-FOR-US: McAfee
 CVE-2020-7335 (Privilege Escalation vulnerability in Microsoft Windows client McAfee  ...)
 	NOT-FOR-US: McAfee
 CVE-2020-7334 (Improper privilege assignment vulnerability in the installer McAfee Ap ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28f804c16393a61f36b5554e6eef5c25aff87988
