[Git][security-tracker-team/security-tracker][master] new node-jszip issue

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Jul 26 08:35:30 BST 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c3f47c16 by Moritz Muehlenhoff at 2021-07-26T09:35:01+02:00
new node-jszip issue
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3,7 +3,7 @@ CVE-2021-37438
 CVE-2021-37437
 	RESERVED
 CVE-2021-37436 (Amazon Echo Dot devices through 2021-07-02 sometimes allow attackers,  ...)
-	TODO: check
+	NOT-FOR-US: Amazon Echo
 CVE-2021-37435
 	RESERVED
 CVE-2021-37434
@@ -70,7 +70,7 @@ CVE-2021-XXXX [Remote Information Disclosure]
 CVE-2021-37404
 	RESERVED
 CVE-2021-3663 (firefly-iii is vulnerable to Improper Restriction of Excessive Authent ...)
-	TODO: check
+	NOT-FOR-US: firefly-iii
 CVE-2021-3662
 	RESERVED
 CVE-2021-3661
@@ -1520,7 +1520,7 @@ CVE-2021-36741
 CVE-2021-3648
 	RESERVED
 CVE-2021-3647 (URI.js is vulnerable to URL Redirection to Untrusted Site ...)
-	TODO: check
+	NOT-FOR-US: URI.js
 CVE-2021-3646
 	RESERVED
 CVE-2021-3645
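Review bot: the bare `NOT-FOR-US: URI.js` annotation records no reason for the triage, and URI.js is a JavaScript library that could be embedded by a packaged source rather than shipped on its own; a short `NOTE:` line stating that no Debian source was found carrying it (the same NOTE convention used for the node-jszip entry in this commit) would let the next triager skip re-checking.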
@@ -4428,7 +4428,7 @@ CVE-2021-35466
 CVE-2021-35465
 	RESERVED
 CVE-2021-35464 (ForgeRock AM server 6.x before 7, and OpenAM 14.6.3, has a Java deseri ...)
-	TODO: check
+	NOT-FOR-US: ForgeRock
 CVE-2021-35463
 	RESERVED
 CVE-2021-35462
@@ -5289,7 +5289,7 @@ CVE-2019-25047 (Greenbone Security Assistant (GSA) before 8.0.2 and Greenbone OS
 CVE-2018-25016 (Greenbone Security Assistant (GSA) before 7.0.3 and Greenbone OS (GOS) ...)
 	NOT-FOR-US: Greenbone Security Assistant
 CVE-2021-35054 (Minecraft before 1.17.1, when online-mode=false is configured, allows  ...)
-	TODO: check
+	NOT-FOR-US: Minecraft
 CVE-2021-3611 [QEMU: intel-hda: segmentation fault due to stack overflow]
 	RESERVED
 	- qemu <unfixed> (bug #990562)
@@ -8945,7 +8945,7 @@ CVE-2021-33483
 CVE-2021-33482
 	RESERVED
 CVE-2021-33478 (The TrustZone implementation in certain Broadcom MediaxChange firmware ...)
-	TODO: check
+	NOT-FOR-US: Broadcom
 CVE-2021-3561 (An Out of Bounds flaw was found fig2dev version 3.2.8a. A flawed bound ...)
 	- fig2dev 1:3.2.8-3
 	[buster] - fig2dev 1:3.2.7a-5+deb10u4
@@ -10538,7 +10538,7 @@ CVE-2021-32785 (mod_auth_openidc is an authentication/authorization module for t
 CVE-2021-32784
 	RESERVED
 CVE-2021-32783 (Contour is a Kubernetes ingress controller using Envoy proxy. In Conto ...)
-	TODO: check
+	NOT-FOR-US: Countour
 CVE-2021-32782
 	RESERVED
 CVE-2021-32781
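Review bot: the new annotation `NOT-FOR-US: Countour` misspells the project name; the CVE description in this same hunk reads `Contour is a Kubernetes ingress controller`, so the line should be `NOT-FOR-US: Contour` so that searches against the product name still match the entry.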
@@ -10582,7 +10582,7 @@ CVE-2021-32765
 CVE-2021-32764 (Discourse is an open-source discussion platform. In Discourse versions ...)
 	NOT-FOR-US: Discourse
 CVE-2021-32763 (OpenProject is open-source, web-based project management software. In  ...)
-	TODO: check
+	NOT-FOR-US: OpenProject
 CVE-2021-32762
 	RESERVED
 CVE-2021-32761 (Redis is an in-memory database that persists on disk. A vulnerability  ...)
@@ -10600,7 +10600,7 @@ CVE-2021-32758
 CVE-2021-32757
 	RESERVED
 CVE-2021-32756 (ManageIQ is an open-source management platform. In versions prior to j ...)
-	TODO: check
+	NOT-FOR-US: ManageIQ
 CVE-2021-32755 (Wire is a collaboration platform. wire-ios-transport handles authentic ...)
 	NOT-FOR-US: wire-ios (iOS version of Wire)
 CVE-2021-32754 (FlowDroid is a data flow analysis tool. FlowDroid versions prior to 2. ...)
@@ -29209,7 +29209,7 @@ CVE-2021-3171
 CVE-2021-3170
 	RESERVED
 CVE-2021-3169 (An issue in Jumpserver 2.6.2 and below allows attackers to create a co ...)
-	TODO: check
+	NOT-FOR-US: Jumpserver
 CVE-2021-3168
 	RESERVED
 CVE-2021-3167 (In Cloudera Data Engineering (CDE) 1.3.0, JWT authentication tokens ar ...)
@@ -31919,7 +31919,7 @@ CVE-2021-24038
 CVE-2021-24037 (A use after free in hermes, while emitting certain error messages, pri ...)
 	NOT-FOR-US: Facebook Hermes
 CVE-2021-24036 (Passing an attacker controlled size when creating an IOBuf could cause ...)
-	TODO: check
+	- hhvm <removed>
 CVE-2021-24035 (A lack of filename validation when unzipping archives prior to WhatsAp ...)
 	NOT-FOR-US: WhatsApp
 CVE-2021-24034
@@ -33413,7 +33413,9 @@ CVE-2021-23415
 CVE-2021-23414
 	RESERVED
 CVE-2021-23413 (This affects the package jszip before 3.7.0. Crafting a new zip file w ...)
-	TODO: check
+	- node-jszip <unfixed>
+	NOTE: https://github.com/Stuk/jszip/pull/766
+	NOTE: https://github.com/Stuk/jszip/commit/22357494f424178cb416cdb7d93b26dd4f824b36
 CVE-2021-23412 (All versions of package gitlogplus are vulnerable to Command Injection ...)
 	TODO: check
 CVE-2021-23411 (All versions of package anchorme are vulnerable to Cross-site Scriptin ...)
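Review bot: the node-jszip entry marks the package `<unfixed>` with two upstream NOTE links but no Debian bug reference, unlike the qemu entry in this same file (`- qemu <unfixed> (bug #990562)`); since the CVE text states the package is affected before 3.7.0, a bug should be filed against node-jszip and the line extended with `(bug #NNNNNN)`, and a `NOTE: Fixed upstream in 3.7.0` would make the target version visible without following the links.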
@@ -34811,7 +34813,7 @@ CVE-2021-22786
 CVE-2021-22785
 	RESERVED
 CVE-2021-22784 (A CWE-306: Missing Authentication for Critical Function vulnerability  ...)
-	TODO: check
+	NOT-FOR-US: Schneider Electric
 CVE-2021-22783
 	RESERVED
 CVE-2021-22782 (Missing Encryption of Sensitive Data vulnerability exists in EcoStruxu ...)
@@ -36610,7 +36612,7 @@ CVE-2021-22003
 CVE-2021-22002
 	RESERVED
 CVE-2021-22001 (In UAA versions prior to 75.3.0, sensitive information like relaying s ...)
-	TODO: check
+	NOT-FOR-US: CloudFoundry
 CVE-2021-22000 (VMware Thinapp version 5.x prior to 5.2.10 contain a DLL hijacking vul ...)
 	NOT-FOR-US: VMware
 CVE-2021-21999 (VMware Tools for Windows (11.x.y prior to 11.2.6), VMware Remote Conso ...)
@@ -41367,7 +41369,7 @@ CVE-2021-20598
 CVE-2021-20597
 	RESERVED
 CVE-2021-20596 (NULL Pointer Dereference in MELSEC-F Series FX3U-ENET firmware version ...)
-	TODO: check
+	NOT-FOR-US: Mitsubishi
 CVE-2021-20595 (Improper Restriction of XML External Entity Reference vulnerability in ...)
 	NOT-FOR-US: Mitsubishi
 CVE-2021-20594



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c3f47c16f2389eb4d83391ddb5fa56a6ff634cb6
