[Git][security-tracker-team/security-tracker][master] NFUs

Moritz Muehlenhoff (@jmm) jmm at debian.org
Tue May 18 12:29:33 BST 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f8c90cca by Moritz Muehlenhoff at 2021-05-18T13:28:32+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -738,13 +738,13 @@ CVE-2021-32822
 CVE-2021-32821
 	RESERVED
 CVE-2021-32820 (Express-handlebars is a Handlebars view engine for Express. Express-ha ...)
-	TODO: check
+	NOT-FOR-US: Express-handlebars
 CVE-2021-32819 (Squirrelly is a template engine implemented in JavaScript that works o ...)
-	TODO: check
+	NOT-FOR-US: Squirrelly
 CVE-2021-32818 (haml-coffee is a JavaScript templating solution. haml-coffee mixes pur ...)
-	TODO: check
+	NOT-FOR-US: haml-coffee
 CVE-2021-32817 (express-hbs is an Express handlebars template engine. express-hbs mixe ...)
-	TODO: check
+	NOT-FOR-US: express-hbs
 CVE-2021-32816 (ProtonMail Web Client is the official AngularJS web client for the Pro ...)
 	NOT-FOR-US: ProtonMail Web Client
 CVE-2021-32815
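Review bot: the four new tags in this hunk (`NOT-FOR-US: Express-handlebars`, `Squirrelly`, `haml-coffee`, `express-hbs`) drop the `Node` prefix that the other npm entries in this same commit use (`NOT-FOR-US: Node 101`, `NOT-FOR-US: Node deep-override`), which makes the tags harder to search consistently; consider `NOT-FOR-US: Node express-handlebars` and so on. Separately, node-handlebars is a tracked Debian package further down in this patch (CVE-2021-23383), so it is worth confirming that the express-handlebars and express-hbs issues are in the Express wrapper rather than in the handlebars library itself, and adding a NOTE line with the advisory URL once that is checked.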
@@ -1134,7 +1134,7 @@ CVE-2021-32624
 CVE-2021-32623
 	RESERVED
 CVE-2021-32622 (Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip ...)
-	TODO: check
+	NOT-FOR-US: Matrix-React-SDK
 CVE-2021-32621
 	RESERVED
 CVE-2021-32620
@@ -2382,7 +2382,7 @@ CVE-2021-32056 (Cyrus IMAP before 3.2.7, and 3.3.x and 3.4.x before 3.4.1, allow
 	NOTE: https://github.com/cyrusimap/cyrus-imapd/commit/621f9e41465b521399f691c241181300fab55995
 	NOTE: https://cyrus.topicbox.com/groups/announce/T126392718bc29d6b/cyrus-imap-3-2-7-released
 CVE-2021-32054 (Firely/Incendi Spark before 1.5.5-r4 lacks Content-Disposition headers ...)
-	TODO: check
+	NOT-FOR-US: Firely/Incendi Spark
 CVE-2021-32053 (JPA Server in HAPI FHIR before 5.4.0 allows a user to deny service (e. ...)
 	NOT-FOR-US: HAPI FHIR
 CVE-2021-32052 (In Django 2.2 before 2.2.22, 3.1 before 3.1.10, and 3.2 before 3.2.2 ( ...)
@@ -8446,7 +8446,7 @@ CVE-2021-29513 (TensorFlow is an end-to-end open source platform for machine lea
 CVE-2021-29512 (TensorFlow is an end-to-end open source platform for machine learning. ...)
 	- tensorflow <itp> (bug #804612)
 CVE-2021-29511 (evm is a pure Rust implementation of Ethereum Virtual Machine. Prior t ...)
-	TODO: check
+	NOT-FOR-US: Rust crate evm
 CVE-2021-29510 (Pydantic is a data validation and settings management using Python typ ...)
 	- pydantic <unfixed> (bug #988480)
 	NOTE: https://github.com/samuelcolvin/pydantic/security/advisories/GHSA-5jqp-qgf6-3pvh
@@ -8457,11 +8457,11 @@ CVE-2021-29509 (Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications.
 	NOTE: https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837
 	NOTE: CVE is related to an incomplete fix for CVE-2019-16770
 CVE-2021-29508 (Due to how Wire handles type information in its serialization format,  ...)
-	TODO: check
+	NOT-FOR-US: Wire
 CVE-2021-29507
 	RESERVED
 CVE-2021-29506 (GraphHopper is an open-source Java routing engine. In GrassHopper from ...)
-	TODO: check
+	NOT-FOR-US: GraphHopper
 CVE-2021-29505
 	RESERVED
 CVE-2021-29504
@@ -16013,7 +16013,7 @@ CVE-2021-26313
 CVE-2021-26312
 	RESERVED
 CVE-2021-26311 (In the AMD SEV/SEV-ES feature, memory can be rearranged in the guest a ...)
-	TODO: check
+	NOT-FOR-US: AMD
 CVE-2021-3346 (Foris before 101.1.1, as used in Turris OS, lacks certain HTML escapin ...)
 	NOT-FOR-US: Foris
 CVE-2021-3344 (A privilege escalation flaw was found in OpenShift builder. During bui ...)
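Review bot: `NOT-FOR-US: AMD` for CVE-2021-26311 records no reference, and the same bare tag is reused for the related SEV/SEV-ES entry CVE-2020-12967 later in this patch; a NOTE line with the AMD advisory URL on at least one of the two would let a later triager find the vendor statement without searching again, following the NOTE-line pattern used elsewhere in the file (for example the cyrus-imapd entry above).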
@@ -16966,11 +16966,11 @@ CVE-2021-25945
 CVE-2021-25944
 	RESERVED
 CVE-2021-25943 (Prototype pollution vulnerability in '101' versions 1.0.0 through 1.6. ...)
-	TODO: check
+	NOT-FOR-US: Node 101
 CVE-2021-25942
 	RESERVED
 CVE-2021-25941 (Prototype pollution vulnerability in 'deep-override' versions 1.0.0 th ...)
-	TODO: check
+	NOT-FOR-US: Node deep-override
 CVE-2021-25940
 	RESERVED
 CVE-2021-25939
@@ -20749,7 +20749,7 @@ CVE-2021-24325 (The tab parameter of the settings page of the 404 SEO Redirectio
 CVE-2021-24324 (The 404 SEO Redirection WordPress plugin through 1.3 is lacking CSRF c ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2021-24323 (When taxes are enabled, the "Additional tax classes" field was not pro ...)
-	TODO: check
+	NOT-FOR-US: WordPress plugin
 CVE-2021-24322
 	RESERVED
 CVE-2021-24321
@@ -20819,7 +20819,7 @@ CVE-2021-24290 (There are several endpoints in the Store Locator Plus for WordPr
 CVE-2021-24289 (There is functionality in the Store Locator Plus for WordPress plugin  ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2021-24288 (When subscribing using AcyMailing, the 'redirect' parameter isn't prop ...)
-	TODO: check
+	NOT-FOR-US: WordPress plugin
 CVE-2021-24287 (The settings page of the Select All Categories and Taxonomies, Change  ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2021-24286 (The settings page of the Redirect 404 to parent WordPress plugin befor ...)
@@ -20829,7 +20829,7 @@ CVE-2021-24285 (The request_list_request AJAX call of the Car Seller - Auto Clas
 CVE-2021-24284 (The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows una ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2021-24283 (The tab GET parameter of the settings page is not sanitised or escaped ...)
-	TODO: check
+	NOT-FOR-US: WordPress plugin
 CVE-2021-24282 (In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, a ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2021-24281 (In the Redirection for Contact Form 7 WordPress plugin before 2.3.4, a ...)
@@ -22924,7 +22924,7 @@ CVE-2021-23386
 CVE-2021-23385
 	RESERVED
 CVE-2021-23384 (The package koa-remove-trailing-slashes before 2.0.2 are vulnerable to ...)
-	TODO: check
+	NOT-FOR-US: Node koa-remove-trailing-slashes before
 CVE-2021-23383 (The package handlebars before 4.7.7 are vulnerable to Prototype Pollut ...)
 	- node-handlebars 3:4.7.6+~4.1.0-2
 	[buster] - node-handlebars <no-dsa> (Minor issue; can be fixed via point release)
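Review bot: the new tag `NOT-FOR-US: Node koa-remove-trailing-slashes before` carries a stray trailing `before`, copied from the description text (`before 2.0.2`); it should read `NOT-FOR-US: Node koa-remove-trailing-slashes`.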
@@ -23456,7 +23456,7 @@ CVE-2021-3030
 CVE-2021-23234
 	RESERVED
 CVE-2021-23135 (Exposure of System Data to an Unauthorized Control Sphere vulnerabilit ...)
-	TODO: check
+	NOT-FOR-US: Argo CD
 CVE-2021-23134 (Use After Free vulnerability in nfc sockets in the Linux Kernel before ...)
 	- linux <unfixed>
 	NOTE: https://git.kernel.org/linus/c61760e6940dd4039a7f5e84a6afc9cdbf4d82b6
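Review bot: the truncated description for CVE-2021-23135 (`Exposure of System Data to an Unauthorized Control Sphere vulnerabilit ...`) names no product, so the `NOT-FOR-US: Argo CD` tag cannot be verified from the entry alone; add a NOTE line with the upstream advisory URL, as the neighbouring CVE-2021-23134 entry does with its kernel commit link.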
@@ -24044,7 +24044,7 @@ CVE-2021-22868
 CVE-2021-22867
 	RESERVED
 CVE-2021-22866 (A UI misrepresentation vulnerability was identified in GitHub Enterpri ...)
-	TODO: check
+	NOT-FOR-US: GitHub Enterprise Server
 CVE-2021-22865 (An improper access control vulnerability was identified in GitHub Ente ...)
 	NOT-FOR-US: GitHub Enterprise Server
 CVE-2021-22864 (A remote code execution vulnerability was identified in GitHub Enterpr ...)
@@ -52487,7 +52487,7 @@ CVE-2020-23792
 CVE-2020-23791
 	RESERVED
 CVE-2020-23790 (An Arbitrary File Upload vulnerability was discovered in the Golo Lara ...)
-	TODO: check
+	NOT-FOR-US: Golo Laravel theme
 CVE-2020-23789
 	RESERVED
 CVE-2020-23788
@@ -52917,7 +52917,7 @@ CVE-2020-23577
 CVE-2020-23576 (Laborator Neon dashboard v3 is affected by stored Cross Site Scripting ...)
 	NOT-FOR-US: Laborator Neon dashboard
 CVE-2020-23575 (A directory traversal vulnerability exists in Kyocera Printer d-COPIA2 ...)
-	TODO: check
+	NOT-FOR-US: Kyocera
 CVE-2020-23574 (When uploading a file in Sysax Multi Server 6.90, an authenticated use ...)
 	NOT-FOR-US: Sysax Multi Server
 CVE-2020-23573
@@ -54449,7 +54449,7 @@ CVE-2020-22811
 CVE-2020-22810
 	RESERVED
 CVE-2020-22809 (In Windscribe v1.83 Build 20, 'WindscribeService' has an Unquoted Serv ...)
-	TODO: check
+	NOT-FOR-US: Windscribe
 CVE-2020-22808 (An issue was found in yii2_fecshop 2.x. There is a reflected XSS vulne ...)
 	NOT-FOR-US: yii2_fecshop
 CVE-2020-22807 (An issue was dicovered in vtiger crm 7.2. Union sql injection in the c ...)
@@ -75087,7 +75087,7 @@ CVE-2020-13669
 CVE-2020-13668
 	RESERVED
 CVE-2020-13667 (Access bypass vulnerability in of Drupal Core Workspaces allows an att ...)
-	TODO: check
+	NOT-FOR-US: Drupal 8.x
 CVE-2020-13666 (Cross-site scripting vulnerability in Drupal Core. Drupal AJAX API doe ...)
 	{DLA-2458-1}
 	- drupal7 <removed>
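Review bot: `NOT-FOR-US: Drupal 8.x` sits directly above CVE-2020-13666, where drupal7 appears as a tracked Debian package with a DLA; since the Workspaces module does not exist in Drupal 7, a short NOTE stating that drupal7 is unaffected would make the reasoning explicit rather than leaving it implied by the version in the tag.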
@@ -76799,7 +76799,7 @@ CVE-2020-12969
 CVE-2020-12968
 	RESERVED
 CVE-2020-12967 (The lack of nested page table protection in the AMD SEV/SEV-ES feature ...)
-	TODO: check
+	NOT-FOR-US: AMD
 CVE-2020-12966
 	RESERVED
 CVE-2020-12965
@@ -77970,7 +77970,7 @@ CVE-2020-12528 (An issue was discovered in MB connect line mymbCONNECT24 and mbC
 CVE-2020-12527 (An issue was discovered in MB connect line mymbCONNECT24 and mbCONNECT ...)
 	NOT-FOR-US: MB connect software
 CVE-2020-12526 (TwinCAT OPC UA Server in versions up to 2.3.0.12 and IPC Diagnostics U ...)
-	TODO: check
+	NOT-FOR-US: TwinCAT OPC UA Server
 CVE-2020-12525 (M&M Software fdtCONTAINER Component in versions below 3.5.20304.x  ...)
 	NOT-FOR-US: M&M Software fdtCONTAINER Component
 CVE-2020-12524 (Uncontrolled Resource Consumption can be exploited to cause the Phoeni ...)
@@ -451936,7 +451936,7 @@ CVE-2007-5969 (MySQL Community Server 5.0.x before 5.0.51, Enterprise Server 5.0
 CVE-2007-5968
 	REJECTED
 CVE-2007-5967 (A flaw in Mozilla's embedded certificate code might allow web sites to ...)
-	TODO: check
+	NOT-FOR-US: Historic Mozilla issue
 CVE-2007-5966 (Integer overflow in the hrtimer_start function in kernel/hrtimer.c in  ...)
 	{DSA-1436-1}
 	- linux-2.6 2.6.23-2
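Review bot: `NOT-FOR-US: Historic Mozilla issue` puts the rationale into the tag, whereas every other entry in this commit uses `NOT-FOR-US: <product>`; for consistency with the file's convention, name the product in the tag (`NOT-FOR-US: Mozilla`) and move the explanation of why the 2007 issue is not tracked into a NOTE line.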



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f8c90cca35c38809b23cd7f76f80da717c174c56
