[Git][security-tracker-team/security-tracker][master] NFUs

Moritz Muehlenhoff (@jmm) jmm at debian.org
Sun Jun 27 19:06:55 BST 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
be9c2bb7 by Moritz Muehlenhoff at 2021-06-27T20:05:43+02:00
NFUs
resolve various TODOs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -9230,13 +9230,13 @@ CVE-2021-26260 (An integer overflow leading to a heap-buffer overflow was found
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1947582
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29423
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/894
-	TODO: check details
+	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/088a61434568cedf3ac1521c44584be397909078
 CVE-2021-23215 (An integer overflow leading to a heap-buffer overflow was found in the ...)
 	- openexr <unfixed>
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1947586
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29653
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/901
-	TODO: check details
+	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/0e08c959c5459e2ffd3b81b654c3ce8b71a4b42c
 CVE-2021-23169 (A heap-buffer overflow was found in the copyIntoFrameBuffer function o ...)
 	- openexr 2.5.4-2 (bug #988240)
 	[buster] - openexr <not-affected> (Vulnerable code not present)
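Review bot: the TODO for CVE-2021-23215 is replaced by the upstream fixing commit, but the package line above it still reads `- openexr <unfixed>` with no bug number, so nothing now tracks getting that commit into the Debian package; reference a bug as CVE-2021-23169 does (`- openexr 2.5.4-2 (bug #988240)`) and record the buster status in the same way (`[buster] - openexr <not-affected> (Vulnerable code not present)` or a fixed version) now that the fix is identified.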
@@ -9535,7 +9535,7 @@ CVE-2021-31414 (The unofficial vscode-rpm-spec extension before 0.3.2 for Visual
 CVE-2021-31413
 	RESERVED
 CVE-2021-31412 (Improper sanitization of path in default RouteNotFoundError view in co ...)
-	TODO: check
+	NOT-FOR-US: Vaadin
 CVE-2021-31411 (Insecure temporary directory usage in frontend build functionality of  ...)
 	NOT-FOR-US: Vaadin
 CVE-2021-31410 (Overly relaxed configuration of frontend resources server in Vaadin De ...)
@@ -13063,7 +13063,7 @@ CVE-2021-29955 (A transient execution vulnerability, named Floating Point Value
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-10/#CVE-2021-29955
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-11/#CVE-2021-29955
 CVE-2021-29954 (Proxy functionality built into Hubs Cloud’s Reticulum software a ...)
-	TODO: check
+	NOT-FOR-US: Hubs Cloud
 CVE-2021-29953 (A malicious webpage could have forced a Firefox for Android user into  ...)
 	- firefox <not-affected> (Only affects Android)
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-20/#CVE-2021-29953
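Review bot: CVE-2021-29954 is closed as `NOT-FOR-US: Hubs Cloud` without any NOTE, while the entries on either side of it (CVE-2021-29955, CVE-2021-29953) each carry an mfsa advisory URL; if an equivalent upstream advisory exists for the Reticulum proxy issue, linking it would make the not-packaged decision easy to recheck later.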
@@ -15832,7 +15832,7 @@ CVE-2021-28834 (Kramdown before 2.3.1 does not restrict Rouge formatters to the
 	NOTE: Fixed by: https://github.com/gettalong/kramdown/commit/d6a1cbcb2caa2f8a70927f176070d126b2422760
 	NOTE: Introduced by https://github.com/gettalong/kramdown/commit/ff0218aefcf00cd5a389e17e075d36cd46d011e2 (v1.16)
 CVE-2021-28833 (Increments Qiita::Markdown before 0.34.0 allows XSS via a crafted gist ...)
-	TODO: check
+	NOT-FOR-US: Increments Qiita::Markdown
 CVE-2021-28832 (VSCodeVim before 1.19.0 allows attackers to execute arbitrary code via ...)
 	NOT-FOR-US: VSCodeVim
 CVE-2021-28831 (decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit ...)
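Review bot: style point on the label for CVE-2021-28833: `NOT-FOR-US: Increments Qiita::Markdown` keeps the vendor prefix from the CVE description, while the adjacent entry uses the bare project name (`NOT-FOR-US: VSCodeVim`); either is acceptable, but a single convention makes later grepping for a project reliable, and a NOTE with the upstream advisory would document the not-packaged check.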
@@ -17590,7 +17590,6 @@ CVE-2021-3426 (There's a flaw in Python 3's pydoc. A local or adjacent attacker
 	NOTE: https://python-security.readthedocs.io/vuln/pydoc-getfile.html
 	NOTE: https://github.com/python/cpython/pull/24337
 	NOTE: https://github.com/python/cpython/pull/24285
-	TODO: check, upload of pypy/7.3.5+dfsg-1 to experimental claims this affects src:pypy
 CVE-2021-3425 (A flaw was found in the AMQ Broker that discloses JDBC encrypted usern ...)
 	NOT-FOR-US: Red Hat AMQ Broker
 CVE-2021-28108
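Review bot: the removed TODO for CVE-2021-3426 recorded an open claim (the pypy/7.3.5+dfsg-1 upload to experimental stating that src:pypy is affected), and the hunk adds neither a `- pypy` entry nor a NOTE saying the claim was checked and rejected; one line stating the outcome would keep the triage traceable for whoever next sees that changelog reference.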
@@ -19378,15 +19377,14 @@ CVE-2021-27349 (Advanced Order Export before 3.1.8 for WooCommerce allows XSS, a
 CVE-2021-27348
 	RESERVED
 CVE-2021-27347 (Use after free in lzma_decompress_buf function in stream.c in Irzip 0. ...)
-	- lrzip <undetermined>
+	- lrzip <unfixed>
 	NOTE: https://github.com/ckolivas/lrzip/issues/165
-	TODO: check fixing commit
 CVE-2021-27346
 	RESERVED
 CVE-2021-27345 (A null pointer dereference was discovered in ucompthread in stream.c i ...)
-	- lrzip <undetermined>
+	- lrzip <unfixed> (unimportant)
 	NOTE: https://github.com/ckolivas/lrzip/issues/164
-	TODO: check fixing commit
+	NOTE: Crash in CLI tool, no security impact
 CVE-2021-27344
 	RESERVED
 CVE-2021-27343 (SerenityOS Unspecified is affected by: Buffer Overflow. The impact is: ...)
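Review bot: for CVE-2021-27347 the status moves from `<undetermined>` to `<unfixed>` and the `TODO: check fixing commit` line is dropped, but unlike CVE-2021-27345 no NOTE records the outcome (no upstream fix found, or a severity assessment); a use-after-free in lzma_decompress_buf deserves at least a line saying why it stays without a severity tag, or an `(unimportant)` tag with the same CLI-crash rationale if that assessment applies to it too.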
@@ -20589,9 +20587,9 @@ CVE-2021-26837
 CVE-2021-26836
 	RESERVED
 CVE-2021-26835 (No filtering of cross-site scripting (XSS) payloads in the markdown-ed ...)
-	TODO: check
+	NOT-FOR-US: Zettlr
 CVE-2021-26834 (A cross-site scripting (XSS) vulnerability exists in Znote 0.5.2. An a ...)
-	TODO: check
+	NOT-FOR-US: Znote
 CVE-2021-26833 (Code Execution vulnerability in Profile Picture upload in TimelyBills  ...)
 	NOT-FOR-US: TimelyBills App Budget, Expense tracker & Bills
 CVE-2021-26832 (Cross Site Scripting (XSS) in the "Reset Password" page form of Priori ...)
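Review bot: two TODOs (CVE-2021-26835, CVE-2021-26834) are resolved to NOT-FOR-US in one hunk with no NOTE for either; the truncated description lines are all that remains to re-verify against, so a link to the upstream report for Zettlr and Znote would help anyone revisiting these.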
@@ -22659,7 +22657,6 @@ CVE-2021-3284
 CVE-2021-3283 (HashiCorp Nomad and Nomad Enterprise up to 0.12.9 exec and java task d ...)
 	- nomad 0.12.10+dfsg1-1 (bug #981889)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2021-01-nomad-s-exec-and-java-task-drivers-did-not-isolate-processes/20332
-	TODO: check details
 CVE-2021-3282 (HashiCorp Vault Enterprise 1.6.0 & 1.6.1 allowed the `remove-peer` ...)
 	NOT-FOR-US: HashiCorp Vault
 CVE-2021-3281 (In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6,  ...)
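Review bot: `TODO: check details` for CVE-2021-3283 is removed without a replacement line; the entry already has a fixed version (0.12.10+dfsg1-1) and bug #981889, so the remaining open detail was presumably suite coverage, and an explicit `[buster]` status line or a NOTE recording the suite status would close the question rather than leave it implicit.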
@@ -23716,7 +23713,7 @@ CVE-2021-25656 (Stored XSS injection vulnerabilities were discovered in the Avay
 CVE-2021-25655 (A vulnerability in the system Service Menu component of Avaya Aura Exp ...)
 	NOT-FOR-US: Avaya
 CVE-2021-25654 (An arbitrary code execution vulnerability was discovered in Avaya Aura ...)
-	TODO: check
+	NOT-FOR-US: Avaya
 CVE-2021-25653 (A privilege escalation vulnerability was discovered in Avaya Aura Appl ...)
 	NOT-FOR-US: Avaya
 CVE-2021-25652 (An information disclosure vulnerability was discovered in the director ...)
@@ -28757,7 +28754,7 @@ CVE-2021-23400
 CVE-2021-23399
 	RESERVED
 CVE-2021-23398 (All versions of package react-bootstrap-table are vulnerable to Cross- ...)
-	TODO: check
+	NOT-FOR-US: react-bootstrap-table
 CVE-2021-23397
 	RESERVED
 CVE-2021-23396 (All versions of package lutils are vulnerable to Prototype Pollution v ...)
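Review bot: `NOT-FOR-US: react-bootstrap-table` is consistent with how the neighbouring npm package entry (lutils) is treated, but nothing in the entry records that no node-* package for it exists in the archive; a short NOTE or the upstream advisory link would make the decision reviewable.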



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be9c2bb72a240fa7e2580007166f810356b6685c
