[Git][security-tracker-team/security-tracker][master] NFUs and some Win-specific issues

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Jul 28 09:45:29 BST 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2ea85251 by Moritz Muehlenhoff at 2021-07-28T10:45:08+02:00
NFUs and some Win-specific issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3,11 +3,13 @@ CVE-2021-37598
 CVE-2021-37597
 	RESERVED
 CVE-2021-37596 (Telegram Web K Alpha 0.6.1 allows XSS via a document name. ...)
-	TODO: check
+	NOT-FOR-US: Telegram Web K Alpha
 CVE-2021-37595 (In FreeRDP before 2.4.0 on Windows, wf_cliprdr_server_file_contents_re ...)
-	TODO: check
+	- freerdp2 <not-affected> (Windows-specific)
+	NOTE: https://github.com/FreeRDP/FreeRDP/commit/0d79670a28c0ab049af08613621aa0c267f977e9
 CVE-2021-37594 (In FreeRDP before 2.4.0 on Windows, wf_cliprdr_server_file_contents_re ...)
-	TODO: check
+	- freerdp2 <not-affected> (Windows-specific)
+	NOTE: https://github.com/FreeRDP/FreeRDP/commit/0d79670a28c0ab049af08613621aa0c267f977e9
 CVE-2021-37593 (PEEL Shopping before 9.4.0.1 allows remote SQL injection. A public use ...)
 	NOT-FOR-US: PEEL Shopping
 CVE-2021-37592
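Review bot: the `<not-affected> (Windows-specific)` marking for CVE-2021-37595 and CVE-2021-37594 rests on the "on Windows" wording and on the wf_cliprdr_ prefix, which belongs to FreeRDP's Windows client (client/Windows/wf_cliprdr.c); the NOTE only records the upstream fix commit, so the reasoning is not on the page for the next person who re-triages these entries. Consider a second NOTE that states it, e.g. `NOTE: Only affects the Windows client (wf_cliprdr.c), not built for Debian`. Both entries also point at the same upstream commit 0d79670a28c0ab049af08613621aa0c267f977e9, which is fine if that one commit fixes both issues; if upstream fixed them in separate commits, the second one should be linked from the entry it belongs to.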
@@ -19,9 +21,9 @@ CVE-2021-37590
 CVE-2021-37589
 	RESERVED
 CVE-2021-37588 (In Charm 0.43, any two users can collude to achieve the ability to dec ...)
-	TODO: check
+	NOT-FOR-US: Charm
 CVE-2021-37587 (In Charm 0.43, any single user can decrypt DAC-MACS or MA-ABE-YJ14 dat ...)
-	TODO: check
+	NOT-FOR-US: Charm
 CVE-2021-37586
 	RESERVED
 CVE-2021-37585
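Review bot: `NOT-FOR-US: Charm` is ambiguous as written, since several unrelated projects carry that name. The descriptions of CVE-2021-37588 and CVE-2021-37587 (colluding or single users decrypting DAC-MACS or MA-ABE-YJ14 data in Charm 0.43) identify the Charm-Crypto attribute-based-encryption library, so record it as `NOT-FOR-US: Charm-Crypto`, or add the upstream URL in a NOTE, so the entries are not mistaken for another project called charm when the list is grepped later.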
@@ -6198,7 +6200,7 @@ CVE-2021-34804
 CVE-2021-34803 (TeamViewer before 14.7.48644 on Windows loads untrusted DLLs in certai ...)
 	NOT-FOR-US: TeamViewer
 CVE-2021-34802 (A failure in resetting the security context in some transaction action ...)
-	TODO: check
+	NOT-FOR-US: Neo4j
 CVE-2021-34801 (Valine 1.4.14 allows remote attackers to cause a denial of service (ap ...)
 	NOT-FOR-US: Valine
 CVE-2021-34800
@@ -10975,7 +10977,7 @@ CVE-2021-32749 (fail2ban is a daemon to ban hosts that cause multiple authentica
 	NOTE: Fix introduces regression for installations with mail command from the bsd-mailx package:
 	NOTE: https://github.com/fail2ban/fail2ban/issues/3059
 CVE-2021-32748 (Nextcloud Richdocuments in an open source self hosted online office. N ...)
-	TODO: check
+	NOT-FOR-US: Nextcloud Richdocuments
 CVE-2021-32747 (Icinga Web 2 is an open source monitoring web interface, framework, an ...)
 	[experimental] - icingaweb2 2.8.3-1~exp1
 	- icingaweb2 <unfixed> (bug #991116)
@@ -11252,7 +11254,7 @@ CVE-2021-32633 (Zope is an open-source web application server. In Zope versions
 CVE-2021-32632 (Pajbot is a Twitch chat bot. Pajbot versions prior to 1.52 are vulnera ...)
 	NOT-FOR-US: Pajbot
 CVE-2021-32631 (Common is a package of common modules that can be accessed by NIMBLE s ...)
-	TODO: check
+	NOT-FOR-US: NIMBLE
 CVE-2021-32630 (Admidio is a free, open source user management system for websites of  ...)
 	NOT-FOR-US: Admidio
 CVE-2021-32629 (Cranelift is an open-source code generator maintained by Bytecode Alli ...)
@@ -16791,7 +16793,7 @@ CVE-2021-30485 (An issue was discovered in libezxml.a in ezXML 0.8.6. The functi
 CVE-2021-30484
 	RESERVED
 CVE-2021-30483 (isomorphic-git before 1.8.2 allows Directory Traversal via a crafted r ...)
-	TODO: check
+	NOT-FOR-US: isomorphic-git
 CVE-2021-30482 (In JetBrains UpSource before 2020.1.1883, application passwords were n ...)
 	NOT-FOR-US: JetBrains
 CVE-2021-30481 (Valve Steam through 2021-04-10, when a Source engine game is installed ...)
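Review bot: `NOT-FOR-US: isomorphic-git` omits the ecosystem, whereas the other npm packages triaged in this same commit are recorded as `NOT-FOR-US: Node gitlogplus`, `NOT-FOR-US: Node anchorme` and `NOT-FOR-US: Node msgpack`. Use `NOT-FOR-US: Node isomorphic-git` for consistency, and so that the entry is not picked up by a search for git itself.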
@@ -20567,7 +20569,8 @@ CVE-2021-28968 (An issue was discovered in PunBB before 1.4.6. An XSS vulnerabil
 CVE-2021-28967 (The unofficial MATLAB extension before 2.0.1 for Visual Studio Code al ...)
 	NOT-FOR-US: MATLAB extenstion for vscode
 CVE-2021-28966 (In Ruby through 3.0 on Windows, a remote attacker can submit a crafted ...)
-	TODO: check
+	- ruby2.7 <not-affected> (Windows-specific)
+	NOTE: https://hackerone.com/reports/1131465
 CVE-2021-28965 (The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, a ...)
 	- ruby2.7 2.7.3-1 (bug #986807)
 	- ruby2.5 <removed>
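Review bot: only ruby2.7 receives the `<not-affected> (Windows-specific)` marking for CVE-2021-28966, while the neighbouring CVE-2021-28965 entry tracks ruby2.7 and ruby2.5 as separate source packages. If ruby2.5 is still shipped in a supported release, the same `- ruby2.5 <not-affected> (Windows-specific)` line belongs here too; if it is gone from every release, a short NOTE saying so would stop the single-package entry from being read as an oversight. The description says "Ruby through 3.0", so any newer ruby source package in the archive needs the same not-affected line as well.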
@@ -21294,7 +21297,7 @@ CVE-2021-28675 (An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.P
 	NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28675-fix-dos-in-psdimageplugin
 	NOTE: https://github.com/python-pillow/Pillow/commit/22e9bee4ef225c0edbb9323f94c26cee0c623497
 CVE-2021-28674 (The node management page in SolarWinds Orion Platform before 2020.2.5  ...)
-	TODO: check
+	NOT-FOR-US: SolarWinds
 CVE-2021-28673 (Xerox Phaser 6510 before 64.61.23 and 64.59.11 (Bridge), WorkCentre 65 ...)
 	NOT-FOR-US: Xerox
 CVE-2021-28672 (Xerox Phaser 6510 before 64.65.51 and 64.59.11 (Bridge), WorkCentre 65 ...)
@@ -33863,11 +33866,11 @@ CVE-2021-23413 (This affects the package jszip before 3.7.0. Crafting a new zip
 	NOTE: https://github.com/Stuk/jszip/pull/766
 	NOTE: https://github.com/Stuk/jszip/commit/22357494f424178cb416cdb7d93b26dd4f824b36
 CVE-2021-23412 (All versions of package gitlogplus are vulnerable to Command Injection ...)
-	TODO: check
+	NOT-FOR-US: Node gitlogplus
 CVE-2021-23411 (All versions of package anchorme are vulnerable to Cross-site Scriptin ...)
-	TODO: check
+	NOT-FOR-US: Node anchorme
 CVE-2021-23410 (All versions of package msgpack are vulnerable to Deserialization of U ...)
-	TODO: check
+	NOT-FOR-US: Node msgpack
 CVE-2021-23409 (The package github.com/pires/go-proxyproto before 0.6.0 are vulnerable ...)
 	- golang-github-pires-go-proxyproto <unfixed> (bug #991498)
 	[bullseye] - golang-github-pires-go-proxyproto <no-dsa> (Minor issue)
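Review bot: the CVE-2021-23410 description only says "All versions of package msgpack", and msgpack is also the name of MessagePack libraries in other languages that Debian does ship (msgpack-c and python-msgpack, for example), so the `Node msgpack` attribution should be checked against the advisory before the entry is closed as NOT-FOR-US. If it is the npm package, a NOTE linking the advisory would make that verifiable from the list itself; if the advisory covers the format rather than one npm module, the other msgpack source packages need a look.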
@@ -33875,7 +33878,7 @@ CVE-2021-23409 (The package github.com/pires/go-proxyproto before 0.6.0 are vuln
 	NOTE: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPIRESGOPROXYPROTO-1316439
 	NOTE: https://github.com/pires/go-proxyproto/pull/74
 CVE-2021-23408 (This affects the package com.graphhopper:graphhopper-web-bundle before ...)
-	TODO: check
+	NOT-FOR-US: com.graphhopper:graphhopper-web-bundle
 CVE-2021-23407 (This affects the package elFinder.Net.Core from 0 and before 1.2.4. Th ...)
 	NOT-FOR-US: elFinder.Net.Core
 CVE-2021-23406
@@ -41426,19 +41429,19 @@ CVE-2021-20791
 CVE-2021-20790
 	RESERVED
 CVE-2021-20789 (Open redirect vulnerability in GroupSession (GroupSession Free edition ...)
-	TODO: check
+	NOT-FOR-US: GroupSession
 CVE-2021-20788 (Server-side request forgery (SSRF) vulnerability in GroupSession (Grou ...)
-	TODO: check
+	NOT-FOR-US: GroupSession
 CVE-2021-20787 (Cross-site scripting vulnerability in GroupSession (GroupSession Free  ...)
-	TODO: check
+	NOT-FOR-US: GroupSession
 CVE-2021-20786 (Cross-site request forgery (CSRF) vulnerability in GroupSession (Group ...)
-	TODO: check
+	NOT-FOR-US: GroupSession
 CVE-2021-20785 (Cross-site scripting vulnerability in GroupSession (GroupSession Free  ...)
-	TODO: check
+	NOT-FOR-US: GroupSession
 CVE-2021-20784 (HTTP header injection vulnerability in Everything all versions except  ...)
 	NOT-FOR-US: Everything
 CVE-2021-20783 (Cross-site request forgery (CSRF) vulnerability in Optical BB unit E-W ...)
-	TODO: check
+	NOT-FOR-US: Optical BB unit E-WMTA2.3
 CVE-2021-20782 (Cross-site request forgery (CSRF) vulnerability in Software License Ma ...)
 	NOT-FOR-US: Wordpress plugin
 CVE-2021-20781 (Cross-site request forgery (CSRF) vulnerability in WordPress Meta Data ...)
@@ -65956,7 +65959,7 @@ CVE-2020-22743
 CVE-2020-22742
 	RESERVED
 CVE-2020-22741 (An issue was discovered in Xuperchain 3.6.0 that allows for attackers  ...)
-	TODO: check
+	NOT-FOR-US: Xuperchain
 CVE-2020-22740
 	RESERVED
 CVE-2020-22739



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ea85251b4d41e81744b6a3207dc7ce625066f26




