[Git][security-tracker-team/security-tracker][master] new python-clickhouse-driver issue

Moritz Muehlenhoff jmm at debian.org
Mon Jan 25 09:13:29 GMT 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
fc61619c by Moritz Muehlenhoff at 2021-01-25T10:13:00+01:00
new python-clickhouse-driver issue
NFUs
bottle no-dsa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -20923,14 +20923,15 @@ CVE-2020-28474
 CVE-2020-28473 (The package bottle from 0 and before 0.12.19 are vulnerable to Web Cac ...)
 	{DLA-2531-1}
 	- python-bottle 0.12.19-1
+	[buster] - python-bottle <no-dsa> (Minor issue)
 	NOTE: https://snyk.io/vuln/SNYK-PYTHON-BOTTLE-1017108
 	NOTE: Fixed by: https://github.com/bottlepy/bottle/commit/57a2f22e0c1d2b328c4f54bf75741d74f47f1a6b (0.12.19)
 CVE-2020-28472 (This affects the package @aws-sdk/shared-ini-file-loader before 1.0.0- ...)
-	TODO: check
+	NOT-FOR-US: aws-sdk-js
 CVE-2020-28471
 	RESERVED
 CVE-2020-28470 (This affects the package @scullyio/scully before 1.0.9. The transfer s ...)
-	TODO: check
+	NOT-FOR-US: scully
 CVE-2020-28469
 	RESERVED
 CVE-2020-28468 (This affects the package pwntools before 4.3.1. The shellcraft generat ...)
@@ -20966,7 +20967,7 @@ CVE-2020-28454
 CVE-2020-28453
 	RESERVED
 CVE-2020-28452 (This affects the package com.softwaremill.akka-http-session:core_2.12  ...)
-	TODO: check
+	NOT-FOR-US: akka-http-session
 CVE-2020-28451
 	RESERVED
 CVE-2020-28450
@@ -23992,7 +23993,7 @@ CVE-2020-27860
 CVE-2020-27859 (This vulnerability allows remote attackers to disclose sensitive infor ...)
 	NOT-FOR-US: NEC ESMPRO Manager
 CVE-2020-27858 (This vulnerability allows remote attackers to disclose sensitive infor ...)
-	TODO: check
+	NOT-FOR-US: CA Arcserve
 CVE-2020-27857
 	RESERVED
 CVE-2020-27856
@@ -25995,11 +25996,11 @@ CVE-2020-27223
 CVE-2020-27222
 	RESERVED
 CVE-2020-27221 (In Eclipse OpenJ9 up to version 0.23, there is potential for a stack-b ...)
-	TODO: check
+	NOT-FOR-US: Eclipse OpenJ9
 CVE-2020-27220 (The Eclipse Hono AMQP and MQTT protocol adapters do not check whether  ...)
-	TODO: check
+	NOT-FOR-US: Eclipse Hono
 CVE-2020-27219 (In all version of Eclipse Hawkbit prior to 0.3.0M7, the HTTP 404 (Not  ...)
-	TODO: check
+	NOT-FOR-US: Eclipse Hawkbit
 CVE-2020-27218 (In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0  ...)
 	- jetty9 9.4.35-1 (bug #976211)
 	[stretch] - jetty9 <no-dsa> (Minor issue)
@@ -26271,9 +26272,9 @@ CVE-2020-27100
 CVE-2020-27099
 	RESERVED
 CVE-2020-27098 (In checkGrantUriPermission of UriGrantsManagerService.java, there is a ...)
-	TODO: check
+	NOT-FOR-US: Android
 CVE-2020-27097 (In checkGrantUriPermission of UriGrantsManagerService.java, there is a ...)
-	TODO: check
+	NOT-FOR-US: Android
 CVE-2020-27096
 	RESERVED
 CVE-2020-27095
@@ -27062,7 +27063,7 @@ CVE-2020-26770
 CVE-2020-26769
 	RESERVED
 CVE-2020-26768 (Formstone <=1.4.16 is vulnerable to a Reflected Cross-Site Scriptin ...)
-	TODO: check
+	NOT-FOR-US: Formstone
 CVE-2020-26767
 	RESERVED
 CVE-2020-26766 (A Cross Site Request Forgery (CSRF) vulnerability exists in the logins ...)
@@ -27080,7 +27081,9 @@ CVE-2020-26761
 CVE-2020-26760
 	RESERVED
 CVE-2020-26759 (clickhouse-driver before 0.1.5 allows a malicious clickhouse server to ...)
-	TODO: check
+	- python-clickhouse-driver 0.2.0-1
+	NOTE: https://github.com/mymarilyn/clickhouse-driver/commit/3e990547e064b8fca916b23a0f7d6fe8c63c7f6b
+	NOTE: https://github.com/mymarilyn/clickhouse-driver/commit/d708ed548e1d6f254ba81a21de8ba543a53b5598
 CVE-2020-26758
 	RESERVED
 CVE-2020-26757
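Review bot: the CVE-2020-26759 entry records 0.2.0-1 as the fixed Debian version while the description says the issue affects clickhouse-driver before 0.1.5, so the entry should make clear whether 0.2.0-1 is simply the first upload (already containing the upstream fix) rather than a targeted fix; the two upstream commit NOTEs would also read better with the "Fixed by:" prefix the bottle entry in the first hunk uses, e.g. `NOTE: Fixed by: https://github.com/mymarilyn/clickhouse-driver/commit/3e990547e064b8fca916b23a0f7d6fe8c63c7f6b (0.1.5)`, so a reader can tell the commits are the fix rather than background references.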



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc61619cd6a06c7932ce8b800950eccc2e908585
