[Git][security-tracker-team/security-tracker][master] 2 commits: new velocity issues
Moritz Muehlenhoff
jmm at debian.org
Wed Mar 10 12:46:43 GMT 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
9449824c by Moritz Muehlenhoff at 2021-03-10T13:39:58+01:00
new velocity issues
- - - - -
6b0f651c by Moritz Muehlenhoff at 2021-03-10T13:46:21+01:00
NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -9,7 +9,7 @@ CVE-2021-28121
CVE-2021-28120
RESERVED
CVE-2021-28119 (Twinkle Tray (aka twinkle-tray) through 1.13.3 allows remote command e ...)
- TODO: check
+ NOT-FOR-US: Twinkle Tray
CVE-2021-28118
RESERVED
CVE-2021-28117
@@ -17,7 +17,7 @@ CVE-2021-28117
CVE-2021-28116 (Squid through 4.14 and 5.x through 5.0.5, in some configurations, allo ...)
TODO: check
CVE-2021-28115 (The OUGC Feedback plugin before 1.8.23 for MyBB allows XSS via the com ...)
- TODO: check
+ NOT-FOR-US: MyBB addon
CVE-2021-28114
RESERVED
CVE-2021-28113
@@ -4329,7 +4329,7 @@ CVE-2021-3312
CVE-2021-3311 (An issue was discovered in October through build 471. It reactivates a ...)
NOT-FOR-US: October CMS
CVE-2021-3310 (Western Digital My Cloud OS 5 devices before 5.10.122 mishandle Symbol ...)
- TODO: check
+ NOT-FOR-US: Western Digital
CVE-2021-3309 (packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process co ...)
NOT-FOR-US: Wekan
CVE-2021-26272 (It was possible to execute a ReDoS-type attack inside CKEditor 4 befor ...)
@@ -5119,7 +5119,7 @@ CVE-2021-25917
CVE-2021-25916
RESERVED
CVE-2021-25915 (Prototype pollution vulnerability in 'changeset' versions 0.0.1 throug ...)
- TODO: check
+ NOT-FOR-US: changeset
CVE-2021-25914 (Prototype pollution vulnerability in 'object-collider' versions 1.0.0 ...)
NOT-FOR-US: object-collider
CVE-2021-25913 (Prototype pollution vulnerability in 'set-or-get' version 1.0.0 throug ...)
@@ -6673,7 +6673,7 @@ CVE-2021-25315 (A Incorrect Implementation of Authentication Algorithm vulnerabi
CVE-2021-25314
RESERVED
CVE-2021-25313 (A Improper Neutralization of Input During Web Page Generation ('Cross- ...)
- TODO: check
+ NOT-FOR-US: Rancher
CVE-2021-3179
RESERVED
CVE-2021-3178 (** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, w ...)
@@ -10928,9 +10928,9 @@ CVE-2021-23355
CVE-2021-23354
RESERVED
CVE-2021-23353 (This affects the package jspdf before 2.3.1. ReDoS is possible via the ...)
- TODO: check
+ NOT-FOR-US: Node jspdf
CVE-2021-23352 (This affects the package madge before 4.0.1. It is possible to specify ...)
- TODO: check
+ NOT-FOR-US: Node madge
CVE-2021-23351 (The package github.com/pires/go-proxyproto before 0.5.0 are vulnerable ...)
TODO: check
CVE-2021-23350
@@ -11109,7 +11109,7 @@ CVE-2021-23275
CVE-2021-23274
RESERVED
CVE-2021-23273 (The Spotfire client component of TIBCO Software Inc.'s TIBCO Spotfire ...)
- TODO: check
+ NOT-FOR-US: TIBCO
CVE-2021-23272 (The Application Development Clients component of TIBCO Software Inc.'s ...)
NOT-FOR-US: TIBCO
CVE-2021-23271 (The TIBCO EBX Web Server component of TIBCO Software Inc.'s TIBCO EBX ...)
@@ -16374,7 +16374,7 @@ CVE-2021-21371
CVE-2021-21370
RESERVED
CVE-2021-21369 (Hyperledger Besu is an open-source, MainNet compatible, Ethereum clien ...)
- TODO: check
+ NOT-FOR-US: Hyperledger Besu
CVE-2021-21368
RESERVED
CVE-2021-21367
@@ -16404,9 +16404,9 @@ CVE-2021-21356
CVE-2021-21355
RESERVED
CVE-2021-21354 (Pollbot is open source software which "frees its human masters from th ...)
- TODO: check
+ NOT-FOR-US: Pollbot
CVE-2021-21353 (Pug is an npm package which is a high-performance template engine. In ...)
- TODO: check
+ NOT-FOR-US: Node pug
CVE-2021-21352 (Anuko Time Tracker is an open source, web-based time tracking applicat ...)
NOT-FOR-US: Anuko Time Tracker
CVE-2021-21351
@@ -16438,9 +16438,9 @@ CVE-2021-21339
CVE-2021-21338
RESERVED
CVE-2021-21337 (Products.PluggableAuthService is a pluggable Zope authentication and a ...)
- TODO: check
+ NOT-FOR-US: Products.PluggableAuthService
CVE-2021-21336 (Products.PluggableAuthService is a pluggable Zope authentication and a ...)
- TODO: check
+ NOT-FOR-US: Products.PluggableAuthService
CVE-2021-21335 (In the SPNEGO HTTP Authentication Module for nginx (spnego-http-auth-n ...)
TODO: check
CVE-2021-21334
@@ -16480,11 +16480,11 @@ CVE-2021-21324 (GLPI is an open-source asset and IT management software package
CVE-2021-21323 (Brave is an open source web browser with a focus on privacy and securi ...)
- brave-browser <itp> (bug #864795)
CVE-2021-21322 (fastify-http-proxy is an npm package which is a fastify plugin for pro ...)
- TODO: check
+ NOT-FOR-US: fastify-http-proxy
CVE-2021-21321 (fastify-reply-from is an npm package which is a fastify plugin to forw ...)
- TODO: check
+ NOT-FOR-US: Node fastify-reply-from
CVE-2021-21320 (matrix-react-sdk is an npm package which is a Matrix SDK for React Jav ...)
- TODO: check
+ NOT-FOR-US: Node matrix-react-sdk
CVE-2021-21319
RESERVED
CVE-2021-21318 (Opencast is a free, open-source platform to support the management of ...)
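Review bot: naming within this hunk is inconsistent: `+ NOT-FOR-US: fastify-http-proxy` carries no `Node ` prefix, while the two entries right below it use `+ NOT-FOR-US: Node fastify-reply-from` and `+ NOT-FOR-US: Node matrix-react-sdk`. Suggest `NOT-FOR-US: Node fastify-http-proxy` so that searches for npm-only entries in data/CVE/list stay uniform.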
@@ -16544,9 +16544,9 @@ CVE-2021-21300 (Git is an open-source distributed revision control system. In af
NOTE: https://lore.kernel.org/git/xmqqim6019yd.fsf@gitster.c.googlers.com/
NOTE: Fixed by: https://git.kernel.org/pub/scm/git/git.git/commit/?h=v2.30.2&id=684dd4c2b414bcf648505e74498a608f28de4592
CVE-2021-21298 (Node-Red is a low-code programming for event-driven applications built ...)
- TODO: check
+ NOT-FOR-US: Node-Red
CVE-2021-21297 (Node-Red is a low-code programming for event-driven applications built ...)
- TODO: check
+ NOT-FOR-US: Node-Red
CVE-2021-21296 (Fleet is an open source osquery manager. In Fleet before version 3.7.0 ...)
NOT-FOR-US: Fleet
CVE-2021-21295 (Netty is an open-source, asynchronous event-driven network application ...)
@@ -61367,6 +61367,8 @@ CVE-2020-13960 (D-Link DSL 2730-U IN_1.10 and IN_1.11 and DIR-600M 3.04 devices
NOT-FOR-US: D-Link
CVE-2020-13959
RESERVED
+ - velocity <unfixed>
+ NOTE: https://www.openwall.com/lists/oss-security/2021/03/10/2
CVE-2020-13958 (A vulnerability in Apache OpenOffice scripting events allows an attack ...)
NOT-FOR-US: Apache OpenOffice
CVE-2020-13957 (Apache Solr versions 6.6.0 to 6.6.6, 7.0.0 to 7.7.3 and 8.0.0 to 8.6.2 ...)
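Review bot: the new `+ - velocity <unfixed>` entry under CVE-2020-13959 has no bug reference, unlike other open entries in this file (compare `- brave-browser <itp> (bug #864795)` earlier in the patch). Suggest filing a bug against velocity and appending `(bug #NNNNNN)` (placeholder) so the unfixed state is also tracked in the BTS. Note that the CVE header line above it still reads `RESERVED`, so the description will only fill in once the CVE record itself is published.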
@@ -61428,6 +61430,8 @@ CVE-2020-13937 (Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.
NOT-FOR-US: Apache Kylin (different from Kylin desktop environment)
CVE-2020-13936
RESERVED
+ - velocity <unfixed>
+ NOTE: https://www.openwall.com/lists/oss-security/2021/03/10/1
CVE-2020-13935 (The payload length in a WebSocket frame was not correctly validated in ...)
{DSA-4727-1 DLA-2286-1}
- tomcat9 9.0.37-1
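Review bot: same shape as the CVE-2020-13959 entry: `+ - velocity <unfixed>` with only the oss-security post as `NOTE:`. Neither velocity entry records where the fix lands; once upstream publishes the fixing commit, add a `NOTE: Fixed by:` line as done for CVE-2021-21300 earlier in this patch, so the two velocity issues can be closed against a concrete version.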
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/970456682be3edd143d70904bd6dda00dd5f72b9...6b0f651cf6e4f6efe05b2e4792ff221633cca285