[Git][security-tracker-team/security-tracker][master] NFUs

Moritz Muehlenhoff (@jmm) jmm at debian.org
Thu Jul 15 08:35:52 BST 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
493f736c by Moritz Muehlenhoff at 2021-07-15T09:35:28+02:00
NFUs
libstb fix

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -72,7 +72,7 @@ CVE-2021-36718
 CVE-2021-36717
 	RESERVED
 CVE-2021-36716 (A ReDoS (regular expression denial of service) flaw was found in the S ...)
-	TODO: check
+	NOT-FOR-US: Node is-email
 CVE-2021-3643
 	RESERVED
 CVE-2021-XXXX [RUSTSEC-2021-0074]
@@ -4871,7 +4871,6 @@ CVE-2021-34558
 	NOTE: https://github.com/golang/go/issues/47143
 	NOTE: https://github.com/golang/go/commit/58bc454a11d4b3dbc03f44dfcabb9068a9c076f4 (1.16.x)
 	NOTE: key_agreement.go also bundled in various other packages
-	TODO: check older golang branches
 CVE-2021-34556
 	RESERVED
 CVE-2021-34555 (OpenDMARC 1.4.1 and 1.4.1.1 allows remote attackers to cause a denial  ...)
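
Review bot: dropping 'TODO: check older golang branches' for CVE-2021-34558 records no outcome: the remaining NOTEs only reference the 1.16.x fix commit and the key_agreement.go bundling, so a reader cannot tell whether older branches were found unaffected or were simply not checked. Add a NOTE with the result (for instance which branches carry the fix, or that only 1.16.x is affected), and mention this change in the commit message, which currently only covers 'NFUs' and 'libstb fix'.
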
@@ -5707,9 +5706,9 @@ CVE-2021-34176
 CVE-2021-34175
 	RESERVED
 CVE-2021-34174 (A vulnerability exists in Broadcom BCM4352 and BCM43684 chips. Any wir ...)
-	TODO: check
+	NOT-FOR-US: Broadcom
 CVE-2021-34173 (An attacker can cause a Denial of Service and kernel panic in v4.2 and ...)
-	TODO: check
+	NOT-FOR-US: Espressif
 CVE-2021-34172
 	RESERVED
 CVE-2021-34171
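
Review bot: 'NOT-FOR-US: Espressif' for CVE-2021-34173 names only the vendor, and the visible description ('... kernel panic in v4.2 and ...') does not identify the product, so the triage is hard to re-verify from the entry alone; the other NFU entries in this patch name the product (e.g. 'Elements-IT HTTP Commander', 'Node is-email'), and the same form would help here.
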
@@ -6629,13 +6628,13 @@ CVE-2021-33780 (Windows DNS Server Remote Code Execution Vulnerability This CVE
 CVE-2021-33779 (Windows ADFS Security Feature Bypass Vulnerability ...)
 	NOT-FOR-US: Microsoft
 CVE-2021-33778 (HEVC Video Extensions Remote Code Execution Vulnerability This CVE ID  ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2021-33777 (HEVC Video Extensions Remote Code Execution Vulnerability This CVE ID  ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2021-33776 (HEVC Video Extensions Remote Code Execution Vulnerability This CVE ID  ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2021-33775 (HEVC Video Extensions Remote Code Execution Vulnerability This CVE ID  ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2021-33774 (Windows Event Tracing Elevation of Privilege Vulnerability ...)
 	NOT-FOR-US: Microsoft
 CVE-2021-33773 (Windows Remote Access Connection Manager Elevation of Privilege Vulner ...)
@@ -7893,11 +7892,11 @@ CVE-2021-33215 (An issue was discovered in CommScope Ruckus IoT Controller 1.7.1
 CVE-2021-33214 (In HMS Ewon eCatcher through 6.6.4, weak filesystem permissions could  ...)
 	NOT-FOR-US: HMS Ewon eCatcher
 CVE-2021-33213 (An SSRF vulnerability in the "Upload from URL" feature in Elements-IT  ...)
-	TODO: check
+	NOT-FOR-US: Elements-IT HTTP Commander
 CVE-2021-33212 (A Cross-site scripting (XSS) vulnerability in the "View in Browser" fe ...)
-	TODO: check
+	NOT-FOR-US: Elements-IT HTTP Commander
 CVE-2021-33211 (A Directory Traversal vulnerability in the Unzip feature in Elements-I ...)
-	TODO: check
+	NOT-FOR-US: Elements-IT HTTP Commander
 CVE-2021-33210
 	RESERVED
 CVE-2021-33209
@@ -10844,7 +10843,7 @@ CVE-2021-31986
 CVE-2021-31985 (Microsoft Defender Remote Code Execution Vulnerability ...)
 	NOT-FOR-US: Microsoft
 CVE-2021-31984 (Power BI Remote Code Execution Vulnerability ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2021-31983 (Paint 3D Remote Code Execution Vulnerability This CVE ID is unique fro ...)
 	NOT-FOR-US: Microsoft
 CVE-2021-31982
@@ -10918,7 +10917,7 @@ CVE-2021-31949 (Microsoft Outlook Remote Code Execution Vulnerability ...)
 CVE-2021-31948 (Microsoft SharePoint Server Spoofing Vulnerability This CVE ID is uniq ...)
 	NOT-FOR-US: Microsoft
 CVE-2021-31947 (HEVC Video Extensions Remote Code Execution Vulnerability This CVE ID  ...)
-	TODO: check
+	NOT-FOR-US: Microsoft
 CVE-2021-31946 (Paint 3D Remote Code Execution Vulnerability This CVE ID is unique fro ...)
 	NOT-FOR-US: Microsoft
 CVE-2021-31945 (Paint 3D Remote Code Execution Vulnerability This CVE ID is unique fro ...)
@@ -11202,7 +11201,7 @@ CVE-2021-31861
 CVE-2021-31860
 	RESERVED
 CVE-2021-31859 (Incorrect privileges in the MU55 FlexiSpooler service in YSoft SafeQ 6 ...)
-	TODO: check
+	NOT-FOR-US: Ysoft SafeQ
 CVE-2021-31858
 	RESERVED
 CVE-2021-31857 (In Zoho ManageEngine Password Manager Pro before 11.1 build 11104, att ...)
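
Review bot: the reason string 'Ysoft SafeQ' does not match the vendor spelling 'YSoft SafeQ' used in the CVE-2021-31859 description on the line above; keep the spelling consistent so the NOT-FOR-US reason can be matched against the description.
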
@@ -12087,8 +12086,8 @@ CVE-2021-26260 (An integer overflow leading to a heap-buffer overflow was found
 CVE-2021-23215 (An integer overflow leading to a heap-buffer overflow was found in the ...)
 	{DLA-2701-1}
 	- openexr <unfixed>
-	[bullseye] - openexr <no-dsa> (Minor issue)
-	[buster] - openexr <no-dsa> (Minor issue)
+	[bullseye] - openexr <ignored> (Minor issue, changes ABI)
+	[buster] - openexr <ignored> (Minor issue, changes ABI)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1947586
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29653
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/901
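
Review bot: the bullseye and buster status for CVE-2021-23215 moves from <no-dsa> to <ignored> with the rationale 'changes ABI', but neither the commit message ('NFUs', 'libstb fix') nor a NOTE records where that assessment comes from. The existing NOTEs already point at the upstream PR (openexr/pull/901); a short NOTE stating that the upstream fix is the ABI-changing part would make the <ignored> decision traceable for whoever revisits the entry, which still lists openexr <unfixed> in unstable.
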
@@ -25757,9 +25756,9 @@ CVE-2021-25955
 CVE-2021-25954
 	RESERVED
 CVE-2021-25953 (Prototype pollution vulnerability in 'putil-merge' versions1.0.0 throu ...)
-	TODO: check
+	NOT-FOR-US: Node putil-merge
 CVE-2021-25952 (Prototype pollution vulnerability in ‘just-safe-set’ versi ...)
-	TODO: check
+	NOT-FOR-US: AngusC just-safe-set
 CVE-2021-25951 (XXE vulnerability in 'XML2Dict' version 0.2.2 allows an attacker to ca ...)
 	NOT-FOR-US: XML2Dict
 CVE-2021-25950
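
Review bot: the two new reasons use different naming conventions: 'Node putil-merge' names the ecosystem, while 'AngusC just-safe-set' names the author. The ecosystem form ('Node just-safe-set') matches the other npm entries in this patch (e.g. 'Node is-email', 'Node putil-merge') and is easier to search for later.
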
@@ -110810,6 +110809,7 @@ CVE-2019-20056 (stb_image.h (aka the stb image loader) 2.23, as used in libsixel
 	NOTE: libsixel PR: https://github.com/saitoha/libsixel/issues/126
 	NOTE: libsixel patch: https://github.com/saitoha/libsixel/commit/814f831555ea2492d442e784ab5d594f6a8e2e8d
 	NOTE: libstb PR: https://github.com/nothings/stb/issues/886
+	NOTE: libstb patch: https://github.com/nothings/stb/commit/bfaccab17a648b315543d366c63aee575a0756b7
 CVE-2019-20055 (LuquidPixels LiquiFire OS 4.8.0 allows SSRF via the call%3Durl substri ...)
 	NOT-FOR-US: LuquidPixels LiquiFire OS
 CVE-2019-20053 (An invalid memory address dereference was discovered in the canUnpack  ...)
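
Review bot: the new NOTE on CVE-2019-20056 is labelled 'libstb patch:', whereas the same commit (https://github.com/nothings/stb/commit/bfaccab17a648b315543d366c63aee575a0756b7) is added to CVE-2019-15058 further down in this patch as an unlabelled NOTE; use the same 'libstb patch:' label in both places so the two entries stay in sync with the existing 'libstb PR:' / 'libsixel patch:' labelled form on this entry.
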
@@ -133496,6 +133496,7 @@ CVE-2019-15058 (stb_image.h (aka the stb image loader) 2.23 has a heap-based buf
 	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/issues/790
 	NOTE: Potentially also affects libsixel, mame, libsfml, love, zynaddsubfx, yquake2, ccextractor, zam-plugins, osgearth, catimg, darknet, gem, retroarch, renderdoc, goxel
+	NOTE: https://github.com/nothings/stb/commit/bfaccab17a648b315543d366c63aee575a0756b7
 CVE-2019-15057
 	RESERVED
 CVE-2019-15056
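
Review bot: the added commit NOTE for CVE-2019-15058 carries no label, unlike the 'libstb patch:' form used for the same commit in the CVE-2019-20056 entry above; label it the same way. The visible context shows only '[buster] - libstb <no-dsa> (Minor issue)'; now that an upstream fix commit is identified, confirm that the libstb status line for unstable (outside this hunk) reflects it, since the commit message advertises this change as 'libstb fix'.
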



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/493f736c3b45aa10c49002f95a285a8de64538f3


