[Git][security-tracker-team/security-tracker][master] NFUs and some Win-specific issues
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Wed Jul 28 09:45:29 BST 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2ea85251 by Moritz Muehlenhoff at 2021-07-28T10:45:08+02:00
NFUs and some Win-specific issues
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -3,11 +3,13 @@ CVE-2021-37598
CVE-2021-37597
RESERVED
CVE-2021-37596 (Telegram Web K Alpha 0.6.1 allows XSS via a document name. ...)
- TODO: check
+ NOT-FOR-US: Telegram Web K Alpha
CVE-2021-37595 (In FreeRDP before 2.4.0 on Windows, wf_cliprdr_server_file_contents_re ...)
- TODO: check
+ - freerdp2 <not-affected> (Windows-specific)
+ NOTE: https://github.com/FreeRDP/FreeRDP/commit/0d79670a28c0ab049af08613621aa0c267f977e9
CVE-2021-37594 (In FreeRDP before 2.4.0 on Windows, wf_cliprdr_server_file_contents_re ...)
- TODO: check
+ - freerdp2 <not-affected> (Windows-specific)
+ NOTE: https://github.com/FreeRDP/FreeRDP/commit/0d79670a28c0ab049af08613621aa0c267f977e9
CVE-2021-37593 (PEEL Shopping before 9.4.0.1 allows remote SQL injection. A public use ...)
NOT-FOR-US: PEEL Shopping
CVE-2021-37592
@@ -19,9 +21,9 @@ CVE-2021-37590
CVE-2021-37589
RESERVED
CVE-2021-37588 (In Charm 0.43, any two users can collude to achieve the ability to dec ...)
- TODO: check
+ NOT-FOR-US: Charm
CVE-2021-37587 (In Charm 0.43, any single user can decrypt DAC-MACS or MA-ABE-YJ14 dat ...)
- TODO: check
+ NOT-FOR-US: Charm
CVE-2021-37586
RESERVED
CVE-2021-37585
@@ -6198,7 +6200,7 @@ CVE-2021-34804
CVE-2021-34803 (TeamViewer before 14.7.48644 on Windows loads untrusted DLLs in certai ...)
NOT-FOR-US: TeamViewer
CVE-2021-34802 (A failure in resetting the security context in some transaction action ...)
- TODO: check
+ NOT-FOR-US: Neo4j
CVE-2021-34801 (Valine 1.4.14 allows remote attackers to cause a denial of service (ap ...)
NOT-FOR-US: Valine
CVE-2021-34800
@@ -10975,7 +10977,7 @@ CVE-2021-32749 (fail2ban is a daemon to ban hosts that cause multiple authentica
NOTE: Fix introduces regression for installations with mail command from the bsd-mailx package:
NOTE: https://github.com/fail2ban/fail2ban/issues/3059
CVE-2021-32748 (Nextcloud Richdocuments in an open source self hosted online office. N ...)
- TODO: check
+ NOT-FOR-US: Nextcloud Richdocuments
CVE-2021-32747 (Icinga Web 2 is an open source monitoring web interface, framework, an ...)
[experimental] - icingaweb2 2.8.3-1~exp1
- icingaweb2 <unfixed> (bug #991116)
@@ -11252,7 +11254,7 @@ CVE-2021-32633 (Zope is an open-source web application server. In Zope versions
CVE-2021-32632 (Pajbot is a Twitch chat bot. Pajbot versions prior to 1.52 are vulnera ...)
NOT-FOR-US: Pajbot
CVE-2021-32631 (Common is a package of common modules that can be accessed by NIMBLE s ...)
- TODO: check
+ NOT-FOR-US: NIMBLE
CVE-2021-32630 (Admidio is a free, open source user management system for websites of ...)
NOT-FOR-US: Admidio
CVE-2021-32629 (Cranelift is an open-source code generator maintained by Bytecode Alli ...)
@@ -16791,7 +16793,7 @@ CVE-2021-30485 (An issue was discovered in libezxml.a in ezXML 0.8.6. The functi
CVE-2021-30484
RESERVED
CVE-2021-30483 (isomorphic-git before 1.8.2 allows Directory Traversal via a crafted r ...)
- TODO: check
+ NOT-FOR-US: isomorphic-git
CVE-2021-30482 (In JetBrains UpSource before 2020.1.1883, application passwords were n ...)
NOT-FOR-US: JetBrains
CVE-2021-30481 (Valve Steam through 2021-04-10, when a Source engine game is installed ...)
@@ -20567,7 +20569,8 @@ CVE-2021-28968 (An issue was discovered in PunBB before 1.4.6. An XSS vulnerabil
CVE-2021-28967 (The unofficial MATLAB extension before 2.0.1 for Visual Studio Code al ...)
NOT-FOR-US: MATLAB extenstion for vscode
CVE-2021-28966 (In Ruby through 3.0 on Windows, a remote attacker can submit a crafted ...)
- TODO: check
+ - ruby2.7 <not-affected> (Windows-specific)
+ NOTE: https://hackerone.com/reports/1131465
CVE-2021-28965 (The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, a ...)
- ruby2.7 2.7.3-1 (bug #986807)
- ruby2.5 <removed>
@@ -21294,7 +21297,7 @@ CVE-2021-28675 (An issue was discovered in Pillow before 8.2.0. PSDImagePlugin.P
NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28675-fix-dos-in-psdimageplugin
NOTE: https://github.com/python-pillow/Pillow/commit/22e9bee4ef225c0edbb9323f94c26cee0c623497
CVE-2021-28674 (The node management page in SolarWinds Orion Platform before 2020.2.5 ...)
- TODO: check
+ NOT-FOR-US: SolarWinds
CVE-2021-28673 (Xerox Phaser 6510 before 64.61.23 and 64.59.11 (Bridge), WorkCentre 65 ...)
NOT-FOR-US: Xerox
CVE-2021-28672 (Xerox Phaser 6510 before 64.65.51 and 64.59.11 (Bridge), WorkCentre 65 ...)
@@ -33863,11 +33866,11 @@ CVE-2021-23413 (This affects the package jszip before 3.7.0. Crafting a new zip
NOTE: https://github.com/Stuk/jszip/pull/766
NOTE: https://github.com/Stuk/jszip/commit/22357494f424178cb416cdb7d93b26dd4f824b36
CVE-2021-23412 (All versions of package gitlogplus are vulnerable to Command Injection ...)
- TODO: check
+ NOT-FOR-US: Node gitlogplus
CVE-2021-23411 (All versions of package anchorme are vulnerable to Cross-site Scriptin ...)
- TODO: check
+ NOT-FOR-US: Node anchorme
CVE-2021-23410 (All versions of package msgpack are vulnerable to Deserialization of U ...)
- TODO: check
+ NOT-FOR-US: Node msgpack
CVE-2021-23409 (The package github.com/pires/go-proxyproto before 0.6.0 are vulnerable ...)
- golang-github-pires-go-proxyproto <unfixed> (bug #991498)
[bullseye] - golang-github-pires-go-proxyproto <no-dsa> (Minor issue)
@@ -33875,7 +33878,7 @@ CVE-2021-23409 (The package github.com/pires/go-proxyproto before 0.6.0 are vuln
NOTE: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPIRESGOPROXYPROTO-1316439
NOTE: https://github.com/pires/go-proxyproto/pull/74
CVE-2021-23408 (This affects the package com.graphhopper:graphhopper-web-bundle before ...)
- TODO: check
+ NOT-FOR-US: com.graphhopper:graphhopper-web-bundle
CVE-2021-23407 (This affects the package elFinder.Net.Core from 0 and before 1.2.4. Th ...)
NOT-FOR-US: elFinder.Net.Core
CVE-2021-23406
@@ -41426,19 +41429,19 @@ CVE-2021-20791
CVE-2021-20790
RESERVED
CVE-2021-20789 (Open redirect vulnerability in GroupSession (GroupSession Free edition ...)
- TODO: check
+ NOT-FOR-US: GroupSession
CVE-2021-20788 (Server-side request forgery (SSRF) vulnerability in GroupSession (Grou ...)
- TODO: check
+ NOT-FOR-US: GroupSession
CVE-2021-20787 (Cross-site scripting vulnerability in GroupSession (GroupSession Free ...)
- TODO: check
+ NOT-FOR-US: GroupSession
CVE-2021-20786 (Cross-site request forgery (CSRF) vulnerability in GroupSession (Group ...)
- TODO: check
+ NOT-FOR-US: GroupSession
CVE-2021-20785 (Cross-site scripting vulnerability in GroupSession (GroupSession Free ...)
- TODO: check
+ NOT-FOR-US: GroupSession
CVE-2021-20784 (HTTP header injection vulnerability in Everything all versions except ...)
NOT-FOR-US: Everything
CVE-2021-20783 (Cross-site request forgery (CSRF) vulnerability in Optical BB unit E-W ...)
- TODO: check
+ NOT-FOR-US: Optical BB unit E-WMTA2.3
CVE-2021-20782 (Cross-site request forgery (CSRF) vulnerability in Software License Ma ...)
NOT-FOR-US: Wordpress plugin
CVE-2021-20781 (Cross-site request forgery (CSRF) vulnerability in WordPress Meta Data ...)
@@ -65956,7 +65959,7 @@ CVE-2020-22743
CVE-2020-22742
RESERVED
CVE-2020-22741 (An issue was discovered in Xuperchain 3.6.0 that allows for attackers ...)
- TODO: check
+ NOT-FOR-US: Xuperchain
CVE-2020-22740
RESERVED
CVE-2020-22739
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ea85251b4d41e81744b6a3207dc7ce625066f26
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ea85251b4d41e81744b6a3207dc7ce625066f26
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210728/a8351e56/attachment.htm>
More information about the debian-security-tracker-commits
mailing list