[Git][security-tracker-team/security-tracker][master] 2 commits: pillow commit refs

Moritz Muehlenhoff jmm at debian.org
Mon May 10 16:47:03 BST 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c813767c by Moritz Muehlenhoff at 2021-05-10T17:46:38+02:00
pillow commit refs

- - - - -
464804fa by Moritz Muehlenhoff at 2021-05-10T17:46:39+02:00
new gitlab issues
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -17,7 +17,7 @@ CVE-2021-32473
 CVE-2021-32472
 	RESERVED
 CVE-2021-32471 (Insufficient input validation in the Marvin Minsky 1967 implementation ...)
-	TODO: check
+	NOT-FOR-US: Marvin Minsky 1967 implementation of the Universal Turing Machine
 CVE-2021-32470 (Craft CMS before 3.6.13 has an XSS vulnerability. ...)
 	NOT-FOR-US: Craft CMS
 CVE-2021-32469
@@ -769,19 +769,19 @@ CVE-2021-32098 (Artica Pandora FMS 742 allows unauthenticated attackers to perfo
 CVE-2021-32097
 	RESERVED
 CVE-2021-32096 (The ConsoleAction component of U.S. National Security Agency (NSA) Emi ...)
-	TODO: check
+	NOT-FOR-US: NSA Emissary
 CVE-2021-32095 (U.S. National Security Agency (NSA) Emissary 5.9.0 allows an authentic ...)
-	TODO: check
+	NOT-FOR-US: NSA Emissary
 CVE-2021-32094 (U.S. National Security Agency (NSA) Emissary 5.9.0 allows an authentic ...)
-	TODO: check
+	NOT-FOR-US: NSA Emissary
 CVE-2021-32093 (The ConfigFileAction component of U.S. National Security Agency (NSA)  ...)
-	TODO: check
+	NOT-FOR-US: NSA Emissary
 CVE-2021-32092 (A Cross-site scripting (XSS) vulnerability in the DocumentAction compo ...)
-	TODO: check
+	NOT-FOR-US: NSA Emissary
 CVE-2021-32091 (A Cross-site scripting (XSS) vulnerability exists in StackLift LocalSt ...)
-	TODO: check
+	NOT-FOR-US: StackList LocalStack
 CVE-2021-32090 (The dashboard component of StackLift LocalStack 0.12.6 allows attacker ...)
-	TODO: check
+	NOT-FOR-US: StackList LocalStack
 CVE-2021-32089
 	RESERVED
 CVE-2021-32088
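Review bot: the vendor name in the two new annotations for CVE-2021-32091 and CVE-2021-32090 (`+	NOT-FOR-US: StackList LocalStack`) does not match the CVE descriptions, which both read "StackLift LocalStack"; suggest changing both lines to `NOT-FOR-US: StackLift LocalStack` so that a later search of the list by vendor name finds these entries.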
@@ -1542,7 +1542,7 @@ CVE-2021-31829 (kernel/bpf/verifier.c in the Linux kernel through 5.12.1 perform
 	- linux <unfixed>
 	NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/4
 CVE-2021-31828 (An SSRF issue in Open Distro for Elasticsearch (ODFE) before 1.13.1.0  ...)
-	TODO: check
+	NOT-FOR-US: OpenDistro for Elasticsearch
 CVE-2021-31827
 	RESERVED
 CVE-2021-31825
@@ -5251,9 +5251,9 @@ CVE-2021-30173 (Local File Inclusion vulnerability of the omni-directional commu
 CVE-2021-30172 (Special characters of picture preview page in the Quan-Fang-Wei-Tong-X ...)
 	NOT-FOR-US: Quan-Fang-Wei-Tong-Xun system
 CVE-2021-30171 (Special characters of ERP POS news page are not filtered in users&#821 ...)
-	TODO: check
+	NOT-FOR-US: ERP POS
 CVE-2021-30170 (Special characters of ERP POS customer profile page are not filtered i ...)
-	TODO: check
+	NOT-FOR-US: ERP POS
 CVE-2021-30169 (The sensitive information of webcam device is not properly protected.  ...)
 	NOT-FOR-US: LILIN
 CVE-2021-30168 (The sensitive information of webcam device is not properly protected.  ...)
@@ -6857,7 +6857,7 @@ CVE-2021-29495 (Nim is a statically typed compiled systems programming language.
 CVE-2021-29494
 	RESERVED
 CVE-2021-29493 (Kennnyshiwa-cogs contains cogs for Red Discordbot. An RCE exploit has  ...)
-	TODO: check
+	NOT-FOR-US: Kennnyshiwa-cogs
 CVE-2021-29492
 	RESERVED
 CVE-2021-29491 (Mixme is a library for recursive merging of Javascript objects. In Nod ...)
@@ -8769,22 +8769,30 @@ CVE-2021-28678
 	RESERVED
 	[experimental] - pillow 8.2.0-1
 	- pillow <unfixed>
+	[buster] - pillow <no-dsa> (Minor issue)
 	NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos
+	NOTE: https://github.com/python-pillow/Pillow/commit/496245aa4365d0827390bd0b6fbd11287453b3a1
 CVE-2021-28677
 	RESERVED
 	[experimental] - pillow 8.2.0-1
 	- pillow <unfixed>
+	[buster] - pillow <no-dsa> (Minor issue)
 	NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open
+	NOTE: https://github.com/python-pillow/Pillow/commit/5a5e6db0abf4e7a638fb1b3408c4e495a096cb92
 CVE-2021-28676
 	RESERVED
 	[experimental] - pillow 8.2.0-1
 	- pillow <unfixed>
+	[buster] - pillow <no-dsa> (Minor issue)
 	NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos
+	NOTE: https://github.com/python-pillow/Pillow/commit/bb6c11fb889e6c11b0ee122b828132ee763b5856
 CVE-2021-28675
 	RESERVED
 	[experimental] - pillow 8.2.0-1
 	- pillow <unfixed>
+	[buster] - pillow <no-dsa> (Minor issue)
 	NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28675-fix-dos-in-psdimageplugin
+	NOTE: https://github.com/python-pillow/Pillow/commit/22e9bee4ef225c0edbb9323f94c26cee0c623497
 CVE-2021-28674
 	RESERVED
 CVE-2021-28673 (Xerox Phaser 6510 before 64.61.23 and 64.59.11 (Bridge), WorkCentre 65 ...)
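Review bot: the four pillow entries (CVE-2021-28675 to CVE-2021-28678) each gain a `[buster] - pillow <no-dsa> (Minor issue)` line and an upstream fix commit, but no triage decision for bullseye is recorded, whereas the wireshark entry elsewhere in this file carries a `[bullseye] - wireshark <postponed> (...)` line; if the intent is to let the unstable fix migrate on its own, saying so in a NOTE would make the entries self-explanatory. The added commit NOTEs are useful because `- pillow <unfixed>` alone gives no pointer to what has to be backported.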
@@ -10074,7 +10082,7 @@ CVE-2021-28130
 CVE-2021-28129
 	RESERVED
 CVE-2021-28128 (In Strapi through 3.6.0, the admin panel allows the changing of one's  ...)
-	TODO: check
+	NOT-FOR-US: Strapi
 CVE-2021-28127
 	RESERVED
 CVE-2021-28126 (index.jsp in TranzWare e-Commerce Payment Gateway (TWEC PG) before 3.1 ...)
@@ -11696,7 +11704,7 @@ CVE-2021-27439
 CVE-2021-27438 (The software contains a hard-coded password it uses for its own inboun ...)
 	NOT-FOR-US: GE
 CVE-2021-27437 (The affected product allows attackers to obtain sensitive information  ...)
-	TODO: check
+	NOT-FOR-US: WISE-PaaS
 CVE-2021-27436 (WebAccess/SCADA Versions 9.0 and prior is vulnerable to cross-site scr ...)
 	NOT-FOR-US: WebAccess/SCADA
 CVE-2021-27435
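Review bot: `+	NOT-FOR-US: WISE-PaaS` cannot be verified from the visible description of CVE-2021-27437 ("The affected product allows attackers to obtain sensitive information ..."), which names no product; adding a `NOTE:` with the advisory URL the attribution was taken from would let a later reader confirm the product without re-researching it.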
@@ -15014,7 +15022,7 @@ CVE-2021-26079
 CVE-2021-26078
 	RESERVED
 CVE-2021-26077 (Broken Authentication in Atlassian Connect Spring Boot (ACSB) in versi ...)
-	TODO: check
+	NOT-FOR-US: Atlassian
 CVE-2021-26076 (The jira.editor.user.mode cookie set by the Jira Editor Plugin in Jira ...)
 	NOT-FOR-US: Atlassian
 CVE-2021-26075 (The Jira importers plugin AttachTemporaryFile rest resource in Jira Se ...)
@@ -17058,11 +17066,14 @@ CVE-2021-25288
 	RESERVED
 	[experimental] - pillow 8.2.0-1
 	- pillow <unfixed>
+	[buster] - pillow <no-dsa> (Minor issue)
 	NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode
+	NOTE: https://github.com/python-pillow/Pillow/commit/3bf5eddb89afdf690eceaa52bc4d3546ba9a5f87
 CVE-2021-25287
 	RESERVED
 	[experimental] - pillow 8.2.0-1
 	- pillow <unfixed>
+	[buster] - pillow <no-dsa> (Minor issue)
 	NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode
 CVE-2021-3185 (A flaw was found in the gstreamer h264 component of gst-plugins-bad be ...)
 	{DSA-4833-1 DLA-2528-1}
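Review bot: the fix commit is added under CVE-2021-25288 only (`+	NOTE: https://github.com/python-pillow/Pillow/commit/3bf5eddb89afdf690eceaa52bc4d3546ba9a5f87`), although the release-notes anchor shared by both entries covers CVE-2021-25287 as well; if the same commit fixes both, mirror the NOTE under CVE-2021-25287, otherwise add the commit that does, so the two entries stay symmetric. The `(Minor issue)` rationale for an out-of-bounds read in the JPEG 2000 decoder would also benefit from a short reason in the parenthesis stating what limits the impact.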
@@ -23837,13 +23848,13 @@ CVE-2021-22213
 CVE-2021-22212
 	RESERVED
 CVE-2021-22211 (An issue has been discovered in GitLab CE/EE affecting all versions st ...)
-	TODO: check
+	- gitlab <unfixed>
 CVE-2021-22210 (An issue has been discovered in GitLab CE/EE affecting all versions st ...)
-	TODO: check
+	- gitlab <unfixed>
 CVE-2021-22209 (An issue has been discovered in GitLab CE/EE affecting all versions st ...)
-	TODO: check
+	- gitlab <unfixed>
 CVE-2021-22208 (An issue has been discovered in GitLab affecting versions starting wit ...)
-	TODO: check
+	- gitlab <unfixed>
 CVE-2021-22207 (Excessive memory consumption in MS-WSP dissector in Wireshark 3.4.0 to ...)
 	- wireshark <unfixed> (bug #987853)
 	[bullseye] - wireshark <postponed> (Minor issue, can be fixed along in future update)
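Review bot: the four GitLab entries (CVE-2021-22208 to CVE-2021-22211) are switched from `TODO: check` to `- gitlab <unfixed>` with no supporting NOTE or bug reference, unlike the adjacent wireshark entry, which records `(bug #987853)` and the upstream advisory; because the descriptions are truncated at "affecting all versions st ...", the affected version range is not captured anywhere in the entry. Suggest adding a `NOTE:` pointing to the GitLab security release post so the fixed upstream version can be tracked.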
@@ -23853,7 +23864,7 @@ CVE-2021-22207 (Excessive memory consumption in MS-WSP dissector in Wireshark 3.
 	NOTE: https://gitlab.com/wireshark/wireshark/-/commit/b7a0650e061b5418ab4a8f72c6e4b00317aff623
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2021-04.html
 CVE-2021-22206 (An issue has been discovered in GitLab affecting all versions starting ...)
-	TODO: check
+	- gitlab <unfixed>
 CVE-2021-22205 (An issue has been discovered in GitLab CE/EE affecting all versions st ...)
 	- gitlab <unfixed>
 CVE-2021-22204 (Improper neutralization of user data in the DjVu file format in ExifTo ...)
@@ -25821,7 +25832,7 @@ CVE-2020-35953
 CVE-2020-35952 (login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-3 ...)
 	NOT-FOR-US: PHP-Fusion
 CVE-2021-3003 (Agenzia delle Entrate Desktop Telematico 1.0.0 contacts the jws.agenzi ...)
-	TODO: check
+	NOT-FOR-US: Agenzia delle Entrate Desktop Telematico
 CVE-2021-3002 (Seo Panel 4.8.0 allows reflected XSS via the seo/seopanel/login.php?se ...)
 	NOT-FOR-US: Seo Panel
 CVE-2021-3001
@@ -32909,7 +32920,7 @@ CVE-2021-1927 (Possible use after free due to lack of null check while memory is
 CVE-2021-1926
 	RESERVED
 CVE-2021-1925 (Possible denial of service scenario due to improper handling of group  ...)
-	TODO: check
+	NOT-FOR-US: Qualcomm components for Android
 CVE-2021-1924
 	RESERVED
 CVE-2021-1923



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c15b651381caaad070c3599bb6ec2b638c45a967...464804fabecbb1eccbf9e556d585d5c3659eaa10
