[Git][security-tracker-team/security-tracker][master] new virtualbox, phpmyadmin issues

Moritz Muehlenhoff jmm at debian.org
Wed Jan 20 13:58:09 GMT 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a782e2b8 by Moritz Muehlenhoff at 2021-01-20T14:57:33+01:00
new virtualbox, phpmyadmin issues
git-nfs n/a
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -9168,7 +9168,7 @@ CVE-2016-20001 (The REST/JSON project 7.x-1.x for Drupal allows node access bypa
 CVE-2020-35930 (Seo Panel 4.8.0 allows stored XSS by an Authenticated User via the url ...)
 	NOT-FOR-US: Seo Panel
 CVE-2020-35929 (In TinyCheck before commits 9fd360d and ea53de8, the installation scri ...)
-	TODO: check
+	NOT-FOR-US: TinyCheck
 CVE-2020-35928 (An issue was discovered in the concread crate before 0.2.6 for Rust. A ...)
 	NOT-FOR-US: concread rust crate
 CVE-2020-35927 (An issue was discovered in the thex crate through 2020-12-08 for Rust. ...)
@@ -10349,7 +10349,9 @@ CVE-2021-21254
 CVE-2021-21253
 	RESERVED
 CVE-2021-21252 (The jQuery Validation Plugin provides drop-in validation for your exis ...)
-	TODO: check
+	- phpmyadmin <unfixed>
+	NOTE: https://github.com/jquery-validation/jquery-validation/security/advisories/GHSA-jxwx-85vp-gvwm
+	NOTE: not packaged, but phpmyadmin embeds a copy
 CVE-2021-21251 (OneDev is an all-in-one devops platform. In OneDev before version 4.0. ...)
 	NOT-FOR-US: OneDev
 CVE-2021-21250 (OneDev is an all-in-one devops platform. In OneDev before version 4.0. ...)
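Review bot: the `- phpmyadmin <unfixed>` line added for CVE-2021-21252 carries no Debian bug reference, whereas the cairosvg entry elsewhere in this commit uses the form `- cairosvg 2.5.0-1.1 (bug #979597)`; because the affected code is an embedded copy of jquery-validation inside phpmyadmin rather than a packaged library, filing a bug against phpmyadmin and recording it here as `- phpmyadmin <unfixed> (bug #NNNNNN)` (placeholder number) would keep the eventual fix traceable to the embedded copy. The two NOTE lines (advisory URL and the "not packaged, but phpmyadmin embeds a copy" rationale) document the triage decision well.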
@@ -10385,7 +10387,8 @@ CVE-2021-21239
 CVE-2021-21238
 	RESERVED
 CVE-2021-21237 (Git LFS is a command line extension for managing large files with Git. ...)
-	TODO: check
+	- git-lfs <not-affected> (Windows-specific)
+	NOTE: https://github.com/git-lfs/git-lfs/security/advisories/GHSA-cx3w-xqmc-84g5
 CVE-2021-21236 (CairoSVG is a Python (pypi) package. CairoSVG is an SVG converter base ...)
 	- cairosvg 2.5.0-1.1 (bug #979597)
 	[buster] - cairosvg <not-affected> (Vulnerable code introduced in 2.0.0rc6)
@@ -11865,7 +11868,7 @@ CVE-2021-20621
 CVE-2021-20620
 	RESERVED
 CVE-2021-20619 (Cross-site scripting vulnerability in GROWI (v4.2 Series) versions pri ...)
-	TODO: check
+	NOT-FOR-US: GROWI
 CVE-2021-20618 (Privilege chaining vulnerability in acmailer ver. 4.0.2 and earlier, a ...)
 	NOT-FOR-US: acmailer
 CVE-2021-20617 (Improper access control vulnerability in acmailer ver. 4.0.1 and earli ...)
@@ -14889,30 +14892,42 @@ CVE-2021-2132
 	RESERVED
 CVE-2021-2131
 	RESERVED
+	- virtualbox 6.1.18-dfsg-1
 CVE-2021-2130
 	RESERVED
+	- virtualbox 6.1.18-dfsg-1
 CVE-2021-2129
 	RESERVED
+	- virtualbox 6.1.18-dfsg-1
 CVE-2021-2128
 	RESERVED
+	- virtualbox 6.1.18-dfsg-1
 CVE-2021-2127
 	RESERVED
+	- virtualbox 6.1.18-dfsg-1
 CVE-2021-2126
 	RESERVED
+	- virtualbox 6.1.18-dfsg-1
 CVE-2021-2125
 	RESERVED
+	- virtualbox 6.1.18-dfsg-1
 CVE-2021-2124
 	RESERVED
+	- virtualbox 6.1.18-dfsg-1
 CVE-2021-2123
 	RESERVED
+	- virtualbox 6.1.18-dfsg-1
 CVE-2021-2122
 	RESERVED
 CVE-2021-2121
 	RESERVED
+	- virtualbox 6.1.18-dfsg-1
 CVE-2021-2120
 	RESERVED
+	- virtualbox 6.1.18-dfsg-1
 CVE-2021-2119
 	RESERVED
+	- virtualbox 6.1.18-dfsg-1
 CVE-2021-2118
 	RESERVED
 CVE-2021-2117
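Review bot: each entry touched in this hunk keeps its `RESERVED` line while gaining `- virtualbox 6.1.18-dfsg-1`, and unlike the other hunks in this commit no NOTE line cites the upstream advisory that maps these reserved IDs to VirtualBox; adding one NOTE with the advisory reference (or replacing `RESERVED` with a short description once the CVE text is public) would let a later reader verify the assignment. CVE-2021-2122, CVE-2021-2118 and CVE-2021-2117 in the same range are left without a package line; if that is deliberate it is worth a NOTE, because with every neighbour annotated the gap otherwise reads as an omission.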
@@ -14927,8 +14942,10 @@ CVE-2021-2113
 	RESERVED
 CVE-2021-2112
 	RESERVED
+	- virtualbox 6.1.18-dfsg-1
 CVE-2021-2111
 	RESERVED
+	- virtualbox 6.1.18-dfsg-1
 CVE-2021-2110
 	RESERVED
 CVE-2021-2109
@@ -14979,6 +14996,7 @@ CVE-2021-2087
 	RESERVED
 CVE-2021-2086
 	RESERVED
+	- virtualbox 6.1.18-dfsg-1
 CVE-2021-2085
 	RESERVED
 CVE-2021-2084
@@ -15003,8 +15021,10 @@ CVE-2021-2075
 	RESERVED
 CVE-2021-2074
 	RESERVED
+	- virtualbox 6.1.18-dfsg-1
 CVE-2021-2073
 	RESERVED
+	- virtualbox 6.1.18-dfsg-1
 CVE-2021-2072
 	RESERVED
 CVE-2021-2071
@@ -19777,17 +19797,17 @@ CVE-2020-28484
 CVE-2020-28483
 	RESERVED
 CVE-2020-28482 (This affects the package fastify-csrf before 3.0.0. 1. The generated c ...)
-	TODO: check
+	NOT-FOR-US: Node fastify-csrf
 CVE-2020-28481 (The package socket.io before 2.4.0 are vulnerable to Insecure Defaults ...)
-	TODO: check
+	NOT-FOR-US: Node socket.io
 CVE-2020-28480 (The package jointjs before 3.3.0 are vulnerable to Prototype Pollution ...)
-	TODO: check
+	NOT-FOR-US: Node jointjs
 CVE-2020-28479 (The package jointjs before 3.3.0 are vulnerable to Denial of Service ( ...)
-	TODO: check
+	NOT-FOR-US: Node jointjs
 CVE-2020-28478 (This affects the package gsap before 3.6.0. ...)
-	TODO: check
+	NOT-FOR-US: Node gsap
 CVE-2020-28477 (This affects all versions of package immer. ...)
-	TODO: check
+	NOT-FOR-US: Node immer
 CVE-2020-28476 (All versions of package tornado are vulnerable to Web Cache Poisoning  ...)
 	TODO: check
 CVE-2020-28475
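Review bot: CVE-2020-28476 (tornado) is left at `TODO: check` in the trailing context while the six Node entries above it are closed as NOT-FOR-US; since tornado is a Python package rather than an npm module, it needs checking against the archive rather than being closed the same way, so keeping the TODO is right only while that check is pending. A NOTE line stating that it was deliberately deferred would stop the next triage pass from re-examining the already-closed Node entries around it.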



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a782e2b856b53ec085e9d2e01ebab51ce311c200


