[Git][security-tracker-team/security-tracker][master] various bugs filed
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue May 18 19:58:53 BST 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
152b18bb by Moritz Mühlenhoff at 2021-05-18T20:58:34+02:00
various bugs filed
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -3051,7 +3051,7 @@ CVE-2021-31831
CVE-2021-31830
RESERVED
CVE-2020-36326 (PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Des ...)
- - libphp-phpmailer <unfixed>
+ - libphp-phpmailer <unfixed> (bug #988732)
[buster] - libphp-phpmailer <not-affected> (Regression introduced in 6.1.8)
[stretch] - libphp-phpmailer <not-affected> (Regression introduced in 6.1.8)
NOTE: Introduced by: https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9 (6.1.8)
@@ -3085,7 +3085,7 @@ CVE-2021-3515
NOTE: https://github.com/2ndQuadrant/pglogical/commit/95c0e8981485e09efab6821cf55a4e27b086efe5
CVE-2021-3514 [sync_repl NULL pointer dereference in sync_create_state_control()]
RESERVED
- - 389-ds-base <unfixed>
+ - 389-ds-base <unfixed> (bug #988727)
NOTE: https://github.com/389ds/389-ds-base/issues/4711
CVE-2021-31829 (kernel/bpf/verifier.c in the Linux kernel through 5.12.1 performs unde ...)
- linux <unfixed>
@@ -8168,7 +8168,7 @@ CVE-2020-36284 (Union Pay up to 3.4.93.4.9, for android, contains a CWE-347: Imp
NOT-FOR-US: Union Pay
CVE-2021-3480
RESERVED
- - 389-ds-base <unfixed>
+ - 389-ds-base <unfixed> (bug #988727)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1944640
NOTE: https://pagure.io/slapi-nis/c/c7417ea2d534712e559b56ed45baa91c5d3d44db?branch=master
CVE-2021-3479 (There's a flaw in OpenEXR's Scanline API functionality in versions bef ...)
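Review bot: bug #988727 on the `389-ds-base` line for CVE-2021-3480 is the same number just added for CVE-2021-3514 in the earlier hunk, while this entry's second NOTE points at a pagure.io/slapi-nis commit rather than a 389-ds-base one; please confirm that the bug report names both CVEs and that 389-ds-base (not a separate slapi-nis source) is the package that carries the affected code, otherwise the bug link on the tracker page will be misleading for one of the two.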
@@ -14798,7 +14798,7 @@ CVE-2020-36242 (In the cryptography package before 3.3.2 for Python, certain seq
[stretch] - python-cryptography <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/pyca/cryptography/issues/5615
CVE-2021-21299 (hyper is an open-source HTTP library for Rust (crates.io). In hyper fr ...)
- - rust-hyper <unfixed>
+ - rust-hyper <unfixed> (bug #988729)
NOTE: https://github.com/hyperium/hyper/security/advisories/GHSA-6hfq-h8hq-87mf
NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0020.html
CVE-2021-27218 (An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before ...)
@@ -39152,7 +39152,7 @@ CVE-2020-28498 (The package elliptic before 6.5.4 are vulnerable to Cryptographi
CVE-2020-28497
RESERVED
CVE-2020-28496 (This affects the package three before 0.125.0. This can happen when ha ...)
- - three.js <unfixed>
+ - three.js <unfixed> (bug #988726)
[buster] - three.js <no-dsa> (Minor issue)
[stretch] - three.js <no-dsa> (can be fixed along in next DLA)
NOTE: https://github.com/mrdoob/three.js/pull/21143/commits/4a582355216b620176a291ff319d740e619d583e
@@ -51218,7 +51218,7 @@ CVE-2020-24394 (In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS serv
CVE-2020-24393 (TweetStream 2.6.1 uses the library eventmachine in an insecure way tha ...)
NOT-FOR-US: TweetStream
CVE-2020-24392 (In voloko twitter-stream 0.1.10, missing TLS hostname validation allow ...)
- - ruby-twitter-stream <unfixed>
+ - ruby-twitter-stream <unfixed> (bug #988733)
[bullseye] - ruby-twitter-stream <no-dsa> (Minor issue)
[buster] - ruby-twitter-stream <no-dsa> (Minor issue)
[stretch] - ruby-twitter-stream <no-dsa> (Minor issue)
@@ -51280,7 +51280,7 @@ CVE-2020-24371 (lgc.c in Lua 5.4.0 mishandles the interaction between barriers a
CVE-2020-24370 (ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation faul ...)
{DLA-2381-1}
- lua5.4 5.4.1-1 (bug #971613)
- - lua5.3 <unfixed>
+ - lua5.3 <unfixed> (bug #988734)
[buster] - lua5.3 <no-dsa> (Minor issue)
NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00324.html
NOTE: (lua5.4) https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b
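Review bot: the new `- lua5.3 <unfixed> (bug #988734)` line has a `[buster] <no-dsa> (Minor issue)` triage entry but nothing for bullseye, unlike the sibling lua5.4 entry which records a fixed version; if the issue is considered minor for bullseye as well, a `[bullseye] - lua5.3 <no-dsa> (Minor issue)` line would make the release status explicit rather than leaving it implied by the unstable bug.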
@@ -65098,7 +65098,7 @@ CVE-2020-17525 (Subversion's mod_authz_svn module will crash if the server is us
CVE-2020-17524
REJECTED
CVE-2020-17523 (Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a spec ...)
- - shiro <unfixed>
+ - shiro <unfixed> (bug #988728)
[bullseye] - shiro <no-dsa> (Minor issue)
[buster] - shiro <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/02/01/3
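Review bot: bug #988728 is reused verbatim for all three `shiro` entries in this commit (CVE-2020-17523 here, CVE-2020-17510 and CVE-2020-11989 in the following hunks); one bug per package is fine, but please check that the bug title or body lists all three CVE ids so each tracker page links to a report that actually mentions its CVE.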
@@ -65134,7 +65134,7 @@ CVE-2020-17512
CVE-2020-17511 (In Airflow versions prior to 1.10.13, when creating a user using airfl ...)
- airflow <itp> (bug #819700)
CVE-2020-17510 (Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a spec ...)
- - shiro <unfixed>
+ - shiro <unfixed> (bug #988728)
[bullseye] - shiro <no-dsa> (Minor issue)
[buster] - shiro <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2020/11/04/7
@@ -79498,7 +79498,7 @@ CVE-2020-11990 (We have resolved a security issue in the camera plugin that coul
NOT-FOR-US: Apache Cordova
CVE-2020-11989 (Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic ...)
{DLA-2273-1}
- - shiro <unfixed>
+ - shiro <unfixed> (bug #988728)
[bullseye] - shiro <no-dsa> (Minor issue)
[buster] - shiro <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2020/06/22/1
@@ -89070,7 +89070,7 @@ CVE-2020-8814
CVE-2018-21034 (In Argo versions prior to v1.5.0-rc1, it was possible for authenticate ...)
NOT-FOR-US: Argo
CVE-2017-18641 (In LXC 2.0, many template scripts download code over cleartext HTTP, a ...)
- - lxc-templates <unfixed>
+ - lxc-templates <unfixed> (bug #988730)
[buster] - lxc-templates <ignored> (Minor issue)
- lxc 1:3.0.3-1 (low)
[stretch] - lxc <no-dsa> (Minor issue)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/152b18bbfa6b5ad2d6a8c75fbc4f2666d982ccef