[Git][security-tracker-team/security-tracker][master] new node-nodemailer issue
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Wed Jun 30 12:15:01 BST 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e2213b0a by Moritz Muehlenhoff at 2021-06-30T13:14:30+02:00
new node-nodemailer issue
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,9 +1,9 @@
CVE-2021-35960
RESERVED
CVE-2021-35959 (In Plone 5.0 through 5.2.4, Editors are vulnerable to XSS in the folde ...)
- TODO: check
+ NOT-FOR-US: Plone
CVE-2021-35958 (** DISPUTED ** TensorFlow through 2.5.0 allows attackers to overwrite ...)
- TODO: check
+ - tensorflow <itp> (bug #804612)
CVE-2021-35957
RESERVED
CVE-2021-35956
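Review bot: CVE-2021-35958 is flagged ** DISPUTED ** in its description, but the new `- tensorflow <itp> (bug #804612)` line records nothing about the dispute; consider adding a NOTE: line pointing at why the issue is contested (this file already uses NOTE: lines for such context, e.g. under CVE-2021-27851 in a later hunk) so the triage reasoning survives once the ITP package lands.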
@@ -37,7 +37,7 @@ CVE-2021-35943
CVE-2021-35942
RESERVED
CVE-2021-35941 (Western Digital WD My Book Live (2.x and later) and WD My Book Live Du ...)
- TODO: check
+ NOT-FOR-US: Western Digital
CVE-2021-3630
RESERVED
CVE-2021-3629
@@ -7164,7 +7164,7 @@ CVE-2021-32723 (Prism is a syntax highlighting library. Some languages before 1.
CVE-2021-32722 (GlobalNewFiles is a mediawiki extension. All existing versions of Glob ...)
NOT-FOR-US: GlobalNewFiles MediaWiki extension
CVE-2021-32721 (PowerMux is a drop-in replacement for Go's http.ServeMux. In PowerMux ...)
- TODO: check
+ NOT-FOR-US: PowerMux
CVE-2021-32720 (Sylius is an Open Source eCommerce platform on top of Symfony. In vers ...)
NOT-FOR-US: Sylius
CVE-2021-32719 (RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prio ...)
@@ -16776,7 +16776,7 @@ CVE-2021-27851 (A security vulnerability that can lead to local privilege escala
NOTE: https://guix.gnu.org/en/blog/2021/risk-of-local-privilege-escalation-via-guix-daemon/
NOTE: Neutralised by kernel hardening (fs.protected_hardlinks = 1)
CVE-2021-28830 (The TIBCO Spotfire Server and TIBCO Enterprise Runtime for R component ...)
- TODO: check
+ NOT-FOR-US: TIBCO
CVE-2021-28829 (The Administration GUI component of TIBCO Software Inc.'s TIBCO Admini ...)
NOT-FOR-US: TIBCO
CVE-2021-28828 (The Administration GUI component of TIBCO Software Inc.'s TIBCO Admini ...)
@@ -29682,7 +29682,10 @@ CVE-2021-23402
CVE-2021-23401
RESERVED
CVE-2021-23400 (The package nodemailer before 6.6.1 are vulnerable to HTTP Header Inje ...)
- TODO: check
+ - node-nodemailer <unfixed>
+ NOTE: https://github.com/nodemailer/nodemailer/commit/7e02648cc8cd863f5085bad3cd09087bccf84b9f
+ NOTE: https://github.com/nodemailer/nodemailer/issues/1289
+ NOTE: https://snyk.io/vuln/SNYK-JS-NODEMAILER-1296415
CVE-2021-23399 (This affects all versions of package wincred. If attacker-controlled u ...)
NOT-FOR-US: wincred
CVE-2021-23398 (All versions of package react-bootstrap-table are vulnerable to Cross- ...)
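Review bot: the new `- node-nodemailer <unfixed>` entry references only upstream sources (commit, issue, Snyk advisory) and carries no Debian bug reference, unlike `- tensorflow <itp> (bug #804612)` in the first hunk; consider filing a bug against node-nodemailer and recording it on the package line so the maintainer is notified. The description also states the fix landed in nodemailer 6.6.1, which could be captured in a NOTE: next to the upstream commit link so the target version is visible at a glance.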
@@ -29986,7 +29989,7 @@ CVE-2021-23277 (Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerabl
CVE-2021-23276 (Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to a ...)
NOT-FOR-US: Eaton Intelligent Power Manager (IPM)
CVE-2021-23275 (The Windows Installation component of TIBCO Software Inc.'s TIBCO Ente ...)
- TODO: check
+ NOT-FOR-US: TIBCO
CVE-2021-23274 (The Config UI component of TIBCO Software Inc.'s TIBCO API Exchange Ga ...)
NOT-FOR-US: TIBCO
CVE-2021-23273 (The Spotfire client component of TIBCO Software Inc.'s TIBCO Spotfire ...)
@@ -31648,7 +31651,7 @@ CVE-2021-22547 (In IoT Devices SDK, there is an implementation of calloc() that
CVE-2021-22546
RESERVED
CVE-2021-22545 (An attacker can craft a specific IdaPro *.i64 file that will cause the ...)
- TODO: check
+ NOT-FOR-US: IDA Pro
CVE-2021-22544
RESERVED
CVE-2021-22543 (An issue was discovered in Linux: KVM through Improper handling of VM_ ...)
@@ -32059,7 +32062,7 @@ CVE-2021-22343
CVE-2021-22342 (There is an information leak vulnerability in Huawei products. A modul ...)
NOT-FOR-US: Huawei
CVE-2021-22341 (There is a memory leak vulnerability in Huawei products. A resource ma ...)
- TODO: check
+ NOT-FOR-US: Huawei
CVE-2021-22340 (There is a multiple threads race condition vulnerability in Huawei pro ...)
NOT-FOR-US: Huawei
CVE-2021-22339 (There is a denial of service vulnerability in some versions of ManageO ...)
@@ -37215,7 +37218,7 @@ CVE-2021-20748
CVE-2021-20747
RESERVED
CVE-2021-20746 (Cross-site scripting vulnerability in WordPress Popular Posts 5.3.2 an ...)
- TODO: check
+ NOT-FOR-US: Wordpress plugin
CVE-2021-20745 (Inkdrop versions prior to v5.3.1 allows an attacker to execute arbitra ...)
NOT-FOR-US: Inkdrop
CVE-2021-20744 (Cross-site scripting vulnerability in EC-CUBE Category contents plugin ...)
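Review bot: for CVE-2021-20746 the marker `NOT-FOR-US: Wordpress plugin` is generic and misspells the product name; the description identifies the plugin as WordPress Popular Posts, so `NOT-FOR-US: WordPress Popular Posts (WordPress plugin)` would follow the pattern used for other third-party products in this patch (e.g. `NOT-FOR-US: Inkdrop` two lines below) and let later searches for the same plugin match this entry.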
@@ -37241,7 +37244,7 @@ CVE-2021-20735 (Cross-site scripting vulnerability in ETUNA EC-CUBE plugins (Del
CVE-2021-20734 (Cross-site scripting vulnerability in Welcart e-Commerce versions prio ...)
NOT-FOR-US: Welcart e-Commerce
CVE-2021-20733 (Improper authorization in handler for custom URL scheme vulnerability ...)
- TODO: check
+ NOT-FOR-US: Some Android app
CVE-2021-20732 (The ATOM (ATOM - Smart life App for Android versions prior to 1.8.1 an ...)
NOT-FOR-US: ATOM (ATOM - Smart life App)
CVE-2021-20731 (WSR-1166DHP3 firmware Ver.1.16 and prior and WSR-1166DHP4 firmware Ver ...)
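Review bot: `NOT-FOR-US: Some Android app` for CVE-2021-20733 is a placeholder rather than a product name; the neighbouring entry CVE-2021-20732 names its product (`NOT-FOR-US: ATOM (ATOM - Smart life App)`), so the app named in the full CVE description should be recorded here as well, otherwise a later CVE for the same app cannot be matched against this one.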
@@ -38897,15 +38900,15 @@ CVE-2021-20107
CVE-2021-20106
RESERVED
CVE-2021-20105 (Machform prior to version 16 is vulnerable to an open redirect in Safa ...)
- TODO: check
+ NOT-FOR-US: Machform
CVE-2021-20104 (Machform prior to version 16 is vulnerable to unauthenticated remote c ...)
- TODO: check
+ NOT-FOR-US: Machform
CVE-2021-20103 (Machform prior to version 16 is vulnerable to stored cross-site script ...)
- TODO: check
+ NOT-FOR-US: Machform
CVE-2021-20102 (Machform prior to version 16 is vulnerable to cross-site request forge ...)
- TODO: check
+ NOT-FOR-US: Machform
CVE-2021-20101 (Machform prior to version 16 is vulnerable to HTTP host header injecti ...)
- TODO: check
+ NOT-FOR-US: Machform
CVE-2021-20100 (Nessus Agent 8.2.4 and earlier for Windows were found to contain multi ...)
NOT-FOR-US: Nessus Agent
CVE-2021-20099 (Nessus Agent 8.2.4 and earlier for Windows were found to contain multi ...)
@@ -40535,7 +40538,7 @@ CVE-2021-2324
CVE-2021-2323
RESERVED
CVE-2021-2322 (Vulnerability in OpenGrok (component: Web App). Versions that are affe ...)
- TODO: check
+ NOT-FOR-US: OpenGrok
CVE-2021-2321 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...)
- virtualbox 6.1.20-dfsg-1
CVE-2021-2320 (Vulnerability in the Oracle Cloud Infrastructure Storage Gateway produ ...)
@@ -47240,9 +47243,9 @@ CVE-2021-0610
CVE-2021-0609
RESERVED
CVE-2021-0608 (In handleAppLaunch of AppLaunchActivity.java, there is a possible arbi ...)
- TODO: check
+ NOT-FOR-US: Pixel
CVE-2021-0607 (In iaxxx_calc_i2s_div of iaxxx-codec.c, there is a possible hardware p ...)
- TODO: check
+ NOT-FOR-US: Pixel
CVE-2021-0606 (In drm_syncobj_handle_to_fd of drm_syncobj.c, there is a possible use ...)
- linux <not-affected> (Vulnerability specific to 4.14.y backporting)
NOTE: https://source.android.com/security/bulletin/pixel/2021-06-01
@@ -47420,7 +47423,7 @@ CVE-2021-0522 (In ConnectionHandler::SdpCb of connection_handler.cc, there is a
CVE-2021-0521 (In getAllPackages of PackageManagerService, there is a possible inform ...)
NOT-FOR-US: Android
CVE-2021-0520 (In several functions of MemoryFileSystem.cpp and related files, there ...)
- TODO: check
+ NOT-FOR-US: Android media framework
CVE-2021-0519
RESERVED
CVE-2021-0518
@@ -47443,11 +47446,11 @@ CVE-2021-0512 (In __hidinput_change_resolution_multipliers of hid-input.c, there
CVE-2021-0511 (In Dex2oat of dex2oat.cc, there is a possible way to inject bytecode i ...)
NOT-FOR-US: Android
CVE-2021-0510 (In decrypt_1_2 of CryptoPlugin.cpp, there is a possible out of bounds ...)
- TODO: check
+ NOT-FOR-US: Android media framework
CVE-2021-0509 (In various functions of CryptoPlugin.cpp, there is a possible use afte ...)
- TODO: check
+ NOT-FOR-US: Android media framework
CVE-2021-0508 (In various functions of DrmPlugin.cpp, there is a possible use after f ...)
- TODO: check
+ NOT-FOR-US: Android media framework
CVE-2021-0507 (In handle_rc_metamsg_cmd of btif_rc.cc, there is a possible out of bou ...)
NOT-FOR-US: Android
CVE-2021-0506 (In ActivityPicker.java, there is a possible bypass of user interaction ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2213b0a31b959b6fcdd14a6d69f297c07e522c0