[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Jun 8 10:40:20 BST 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
fa2415fd by Moritz Muehlenhoff at 2021-06-08T11:40:09+02:00
NFUs
new chromium issues
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -804,7 +804,7 @@ CVE-2021-33906
CVE-2021-33905
RESERVED
CVE-2021-33904 (In Accela Civic Platform through 21.1, the security/hostSignon.do para ...)
- TODO: check
+ NOT-FOR-US: Accela Civic Platform
CVE-2021-33903
RESERVED
CVE-2021-33902
@@ -814,9 +814,9 @@ CVE-2021-33901
CVE-2021-33900
RESERVED
CVE-2020-36384 (PageLayer before 1.3.5 allows reflected XSS via color settings. ...)
- TODO: check
+ NOT-FOR-US: PageLayer
CVE-2020-36383 (PageLayer before 1.3.5 allows reflected XSS via the font-size paramete ...)
- TODO: check
+ NOT-FOR-US: PageLayer
CVE-2021-33899
RESERVED
CVE-2021-33898 (In Invoice Ninja before 4.4.0, there is an unsafe call to unserialize( ...)
@@ -2432,7 +2432,6 @@ CVE-2021-33197
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/46313
NOTE: https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
- TODO: check completeness/correctness of the tracking
CVE-2021-33196 [archive/zip: malformed archive may cause panic or memory exhaustion]
RESERVED
- golang-1.16 1.16.5-1 (bug #989492)
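Review bot: Dropping the "check completeness/correctness of the tracking" TODO for CVE-2021-33197 leaves no record of what was actually verified; the visible context shows only `- golang-1.7 <removed>` and the two upstream references. A short NOTE line stating which golang source packages were checked would let a later reader tell that the check was done rather than the TODO simply deleted.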
@@ -3597,9 +3596,9 @@ CVE-2021-32673
CVE-2021-32672
RESERVED
CVE-2021-32671 (Flarum is a forum software for building communities. Flarum's translat ...)
- TODO: check
+ NOT-FOR-US: Flarum
CVE-2021-32670 (Datasette is an open source multi-tool for exploring and publishing da ...)
- TODO: check
+ NOT-FOR-US: Datasette
CVE-2021-32669
RESERVED
CVE-2021-32668
@@ -6432,10 +6431,11 @@ CVE-2021-31525 (net/http in Go before 1.15.12 and 1.16.x before 1.16.4 allows re
- golang-1.11 <removed>
- golang-golang-x-net 1:0.0+git20210119.5f4716e+dfsg-3
- golang-golang-x-net-dev <removed>
+ - golang-1.8 <removed>
+ - golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/45710
NOTE: https://github.com/golang/go/issues/45711 (1.15 backport)
NOTE: https://github.com/golang/go/issues/45712 (1.16 backport)
- TODO: check details for golang-1.11 and older
CVE-2021-26945
RESERVED
- openexr <unfixed>
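Review bot: The new `- golang-1.8 <removed>` and `- golang-1.7 <removed>` lines are appended after the golang-golang-x-net entries instead of next to the existing `- golang-1.11 <removed>` line, which splits the golang-1.x entries into two groups; placing them directly under golang-1.11 keeps the per-version list readable. The hunk also jumps from golang-1.11 to golang-1.8 with no entry for the versions in between, while the removed TODO asked to "check details for golang-1.11 and older"; if those intermediate golang source packages were never in the archive that is fine, otherwise they need an entry as well.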
@@ -8649,9 +8649,11 @@ CVE-2021-30545
CVE-2021-30544
RESERVED
CVE-2021-30543 (Use after free in Tab Strip in Google Chrome prior to 91.0.4472.77 all ...)
- TODO: check
+ - chromium <unfixed>
+ [stretch] - chromium <end-of-life> (see DSA 4562)
CVE-2021-30542 (Use after free in Tab Strip in Google Chrome prior to 91.0.4472.77 all ...)
- TODO: check
+ - chromium <unfixed>
+ [stretch] - chromium <end-of-life> (see DSA 4562)
CVE-2021-30541
RESERVED
CVE-2021-30540 (Incorrect security UI in payments in Google Chrome on Android prior to ...)
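Review bot: Both chromium entries (CVE-2021-30543 and CVE-2021-30542) use `<unfixed>` although the description already names the first fixed upstream release (91.0.4472.77); that is the normal way to record a pending upload, but these entries will need revisiting once a 91.0.4472.77-based package reaches the archive. Only a `[stretch] - chromium <end-of-life> (see DSA 4562)` line is added per CVE; if buster's status differs from the top-level `<unfixed>`, a `[buster]` line would make that explicit in the same way.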
@@ -11025,7 +11027,7 @@ CVE-2021-29622 (Prometheus is an open-source monitoring system and time series d
NOTE: The vulnerability itself is introduced with 2.23.0 upstream.
NOTE: See https://bugs.debian.org/988804 for details.
CVE-2021-29621 (Flask-AppBuilder is a development framework, built on top of Flask. Us ...)
- TODO: check
+ NOT-FOR-US: Flask-AppBuilder
CVE-2021-29620
RESERVED
CVE-2021-29619 (TensorFlow is an end-to-end open source platform for machine learning. ...)
@@ -11269,7 +11271,7 @@ CVE-2021-29505 (XStream is software for serializing Java objects to XML and back
- libxstream-java <unfixed> (bug #989491)
NOTE: https://github.com/x-stream/xstream/security/advisories/GHSA-7chv-rrw6-w6fc
CVE-2021-29504 (WP-CLI is the command-line interface for WordPress. An improper error ...)
- TODO: check
+ NOT-FOR-US: WP-CLI
CVE-2021-29503 (HedgeDoc is a platform to write and share markdown. HedgeDoc before ve ...)
NOT-FOR-US: HedgeDoc
CVE-2021-29502 (WarnSystem is a cog (plugin) for the Red discord bot. A vulnerability ...)
@@ -12300,7 +12302,7 @@ CVE-2021-29101 (ArcGIS GeoEvent Server versions 10.8.1 and below has a read-only
CVE-2021-29100 (A path traversal vulnerability exists in Esri ArcGIS Earth versions 1. ...)
NOT-FOR-US: Esri
CVE-2021-29099 (A SQL injection vulnerability exists in some configurations of ArcGIS ...)
- TODO: check
+ NOT-FOR-US: Esri
CVE-2021-29098 (Multiple uninitialized pointer vulnerabilities when parsing a speciall ...)
NOT-FOR-US: Esri (various ArcGIS products)
CVE-2021-29097 (Multiple buffer overflow vulnerabilities when parsing a specially craf ...)
@@ -12985,9 +12987,9 @@ CVE-2021-28813
CVE-2021-28812 (A command injection vulnerability has been reported to affect certain ...)
NOT-FOR-US: QNAP
CVE-2021-28811 (If exploited, this command injection vulnerability could allow remote ...)
- TODO: check
+ NOT-FOR-US: QNAP
CVE-2021-28810 (If exploited, this vulnerability allows an attacker to access resource ...)
- TODO: check
+ NOT-FOR-US: QNAP
CVE-2021-28809
RESERVED
CVE-2021-28808
@@ -13967,7 +13969,7 @@ CVE-2021-28384
CVE-2021-28383
RESERVED
CVE-2021-28382 (Zoho ManageEngine Key Manager Plus before 6001 allows Stored XSS on th ...)
- TODO: check
+ NOT-FOR-US: Zoho
CVE-2021-28381 (The vhs (aka VHS: Fluid ViewHelpers) extension before 5.1.1 for TYPO3 ...)
NOT-FOR-US: vhs (aka VHS: Fluid ViewHelpers) extension for TYPO3
CVE-2021-28380 (The aimeos (aka Aimeos shop and e-commerce framework) extension before ...)
@@ -19539,11 +19541,11 @@ CVE-2021-26082
CVE-2021-26081
RESERVED
CVE-2021-26080 (EditworkflowScheme.jspa in Jira Server and Jira Data Center before ver ...)
- TODO: check
+ NOT-FOR-US: Atlassian
CVE-2021-26079 (The CardLayoutConfigTable component in Jira Server and Jira Data Cente ...)
- TODO: check
+ NOT-FOR-US: Atlassian
CVE-2021-26078 (The number range searcher component in Jira Server and Jira Data Cente ...)
- TODO: check
+ NOT-FOR-US: Atlassian
CVE-2021-26077 (Broken Authentication in Atlassian Connect Spring Boot (ACSB) in versi ...)
NOT-FOR-US: Atlassian
CVE-2021-26076 (The jira.editor.user.mode cookie set by the Jira Editor Plugin in Jira ...)
@@ -20035,7 +20037,7 @@ CVE-2021-3279
CVE-2021-3278 (Local Service Search Engine Management System 1.0 has a vulnerability ...)
NOT-FOR-US: Local Service Search Engine Management System
CVE-2021-3277 (Nagios XI 5.7.5 and earlier allows authenticated admins to upload arbi ...)
- TODO: check
+ NOT-FOR-US: Nagios XI
CVE-2021-3276
RESERVED
CVE-2021-3275 (Unauthenticated stored cross-site scripting (XSS) exists in multiple T ...)
@@ -23587,23 +23589,23 @@ CVE-2021-24346
CVE-2021-24345
RESERVED
CVE-2021-24344 (The Easy Preloader WordPress plugin through 1.0.0 does not sanitise it ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2021-24343 (The iFlyChat - WordPress Chat plugin through 4.6.4 does not sanitise i ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2021-24342 (The JNews WordPress theme before 8.0.6 did not sanitise the cat_id par ...)
- TODO: check
+ NOT-FOR-US: WordPress theme
CVE-2021-24341
RESERVED
CVE-2021-24340 (The WP Statistics WordPress plugin before 13.0.8 relied on using the W ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2021-24339
RESERVED
CVE-2021-24338
RESERVED
CVE-2021-24337 (The id GET parameter of one of the Video Embed WordPress plugin throug ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2021-24336 (The FlightLog WordPress plugin through 3.0.2 does not sanitise, valida ...)
- TODO: check
+ NOT-FOR-US: WordPress plugin
CVE-2021-24335 (The Car Repair Services & Auto Mechanic WordPress theme before 4.0 ...)
NOT-FOR-US: WordPress theme
CVE-2021-24334 (The Instant Images – One Click Unsplash Uploads WordPress plugin ...)
@@ -33378,9 +33380,9 @@ CVE-2021-20701
CVE-2021-20700
RESERVED
CVE-2021-20699 (Sharp NEC Displays (UN462A R1.300 and prior to it, UN462VA R1.300 and ...)
- TODO: check
+ NOT-FOR-US: SHARP
CVE-2021-20698 (Sharp NEC Displays (UN462A R1.300 and prior to it, UN462VA R1.300 and ...)
- TODO: check
+ NOT-FOR-US: SHARP
CVE-2021-20697 (Missing authentication for critical function in DAP-1880AC firmware ve ...)
NOT-FOR-US: DAP-1880AC firmware
CVE-2021-20696 (DAP-1880AC firmware version 1.21 and earlier allows a remote authentic ...)
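Review bot: The new lines read `NOT-FOR-US: SHARP` while the descriptions identify the products as "Sharp NEC Displays"; the neighbouring entries name the affected product (for example `NOT-FOR-US: DAP-1880AC firmware`), so `NOT-FOR-US: Sharp NEC Displays` would be more consistent with the surrounding entries and easier to grep for.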
@@ -33742,7 +33744,7 @@ CVE-2021-20519 (IBM Jazz Team Server products are vulnerable to cross-site scrip
CVE-2021-20518 (IBM Jazz Foundation Products are vulnerable to cross-site scripting. T ...)
NOT-FOR-US: IBM
CVE-2021-20517 (IBM WebSphere Application Server Network Deployment 8.5 and 9.0 could ...)
- TODO: check
+ NOT-FOR-US: IBM
CVE-2021-20516
RESERVED
CVE-2021-20515 (IBM Informix Dynamic Server 14.10 is vulnerable to a stack based buffe ...)
@@ -66619,15 +66621,15 @@ CVE-2020-18270
CVE-2020-18269
RESERVED
CVE-2020-18268 (Open Redirect in Z-BlogPHP v1.5.2 and earlier allows remote attackers ...)
- TODO: check
+ NOT-FOR-US: Z-BlogPHP
CVE-2020-18267
RESERVED
CVE-2020-18266
RESERVED
CVE-2020-18265 (Cross Site Request Forgery (CSRF) in Simple-Log v1.6 allows remote att ...)
- TODO: check
+ NOT-FOR-US: Simple-Log
CVE-2020-18264 (Cross Site Request Forgery (CSRF) in Simple-Log v1.6 allows remote att ...)
- TODO: check
+ NOT-FOR-US: Simple-Log
CVE-2020-18263
RESERVED
CVE-2020-18262
@@ -87642,7 +87644,7 @@ CVE-2020-10668 (The web application exposed by the Canon Oce Colorwave 500 4.0.0
CVE-2020-10667 (The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 pri ...)
NOT-FOR-US: Canon
CVE-2020-10666 (The restapps (aka Rest Phone apps) module for Sangoma FreePBX and PBXa ...)
- TODO: check
+ NOT-FOR-US: FreePBX
CVE-2020-10674 (PerlSpeak through 2.01 allows attackers to execute arbitrary OS comman ...)
- libperlspeak-perl <removed> (bug #954238)
[jessie] - libperlspeak-perl <end-of-life> (Not supported in jessie LTS)
@@ -95544,7 +95546,7 @@ CVE-2020-7471 (Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0
CVE-2020-7470 (Sonoff TH 10 and 16 devices with firmware 6.6.0.21 allows XSS via the ...)
NOT-FOR-US: Sonoff TH 10 and 16 devices
CVE-2020-7469 (In FreeBSD 12.2-STABLE before r367402, 11.4-STABLE before r368202, 12. ...)
- TODO: check
+ - kfreebsd-10 <unfixed> (unimportant)
CVE-2020-7468 (In FreeBSD 12.2-STABLE before r365772, 11.4-STABLE before r365773, 12. ...)
NOT-FOR-US: FreeBSD ftpd
CVE-2020-7467 (In FreeBSD 12.2-STABLE before r365767, 11.4-STABLE before r365769, 12. ...)
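Review bot: `- kfreebsd-10 <unfixed> (unimportant)` for CVE-2020-7469 carries no NOTE explaining why the issue is rated unimportant or which kfreebsd-10 component is affected, while the adjacent FreeBSD entries (CVE-2020-7468, CVE-2020-7467) are simply `NOT-FOR-US: FreeBSD ftpd`. A NOTE line with the upstream advisory reference and the reason for the "unimportant" rating would document why this one is tracked against a package at all and why the other two are not.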
@@ -102182,7 +102184,7 @@ CVE-2020-5010
CVE-2020-5009
RESERVED
CVE-2020-5008 (IBM DataPower Gateway 10.0.0.0 through 10.0.1.0 and 2018.4.1.0 through ...)
- TODO: check
+ NOT-FOR-US: IBM
CVE-2020-5007
RESERVED
CVE-2020-5006
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa2415fdf64609012b42f01f0a10cce8a52e6cc5