[Git][security-tracker-team/security-tracker][master] various bugs filed

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri May 21 20:59:41 BST 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
23383b39 by Moritz Mühlenhoff at 2021-05-21T21:59:28+02:00
various bugs filed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -28524,7 +28524,7 @@ CVE-2019-25010 (An issue was discovered in the failure crate through 2019-11-13
 	[buster] - rust-failure <no-dsa> (Minor issue, unmaintained/deprecated upstream)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0036.html
 CVE-2019-25009 (An issue was discovered in the http crate before 0.1.20 for Rust. The  ...)
-	- rust-http <unfixed>
+	- rust-http <unfixed> (bug #988945)
 	[buster] - rust-http <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0034.html
 	NOTE: https://github.com/hyperium/http/commit/82d53dbdfdb1ffbeb0323200a0bbd30b5f895fa7
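Review bot: the added bug reference is consistent with the existing buster <no-dsa> (Minor issue) line, so nothing to object to here. One small suggestion: the CVE text says the fix is in http 0.1.20, and the NOTE only carries the upstream commit; recording the fixed upstream version alongside the commit (e.g. "NOTE: Fixed in http 0.1.20") makes it easier to validate the eventual <fixed-version> when rust-http is updated.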
@@ -32147,7 +32147,7 @@ CVE-2021-20292 [RM Memory Management Double Free Privilege Escalation Vulnerabil
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939686
 	NOTE: https://git.kernel.org/linus/5de5b6ecf97a021f29403aa272cb4e03318ef586
 CVE-2021-20291 (A deadlock vulnerability was found in 'github.com/containers/storage'  ...)
-	- golang-github-containers-image <unfixed>
+	- golang-github-containers-image <unfixed> (bug #988942)
 	NOTE: https://github.com/containers/storage/commit/306fcabc964470e4b3b87a43a8f6b7d698209ee1
 	TODO: check golang-github-containers-buildah, docker.io, golang-github-containers-storage
 CVE-2021-20290
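Review bot: bug #988942 is filed against golang-github-containers-image, but the CVE description and the referenced fix commit are both in 'github.com/containers/storage', and the TODO line still lists golang-github-containers-storage (plus buildah and docker.io) as unchecked. Either the image package vendors the affected storage code, in which case the TODO should say so and the storage package should get its own entry, or the bug is filed against the wrong source package. Suggest resolving the TODO before the bug reference is considered final.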
@@ -39966,10 +39966,10 @@ CVE-2020-28485
 CVE-2020-28484
 	RESERVED
 CVE-2020-28483 (This affects all versions of package github.com/gin-gonic/gin. When gi ...)
-	- golang-github-gin-gonic-gin <unfixed>
+	- golang-github-gin-gonic-gin <unfixed> (bug #988943)
 	[buster] - golang-github-gin-gonic-gin <no-dsa> (Minor issue)
 	NOTE: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMGINGONICGIN-1041736
-	NOTE: https://github.com/gin-gonic/gin/pull/2474#issuecomment-729696437
+	NOTE: https://github.com/gin-gonic/gin/pull/2474
 	NOTE: https://github.com/gin-gonic/gin/commit/c9ea8ece4a3881028f7f715f008414346a7f4b88
 CVE-2020-28482 (This affects the package fastify-csrf before 3.0.0. 1. The generated c ...)
 	NOT-FOR-US: Node fastify-csrf
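Review bot: the NOTE change drops the #issuecomment-729696437 fragment from the gin PR 2474 URL. If that comment was the reason the entry pointed at the PR (for example a maintainer statement about which versions are affected), the more specific link should stay; if the PR as a whole is the reference, the shortened URL is fine since the fix commit c9ea8ece is already listed separately. The bug reference matches the buster <no-dsa> (Minor issue) triage.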
@@ -46038,7 +46038,7 @@ CVE-2020-26894 (LiveCode v9.6.1 on Windows allows local, low-privileged users to
 CVE-2020-26893 (An issue was discovered in ClamXAV 3 before 3.1.1. A malicious actor c ...)
 	NOT-FOR-US: ClamXAV
 CVE-2020-26892 (The JWT library in NATS nats-server before 2.1.9 has Incorrect Access  ...)
-	- golang-github-nats-io-jwt <unfixed>
+	- golang-github-nats-io-jwt <unfixed> (bug #988950)
 	[buster] - golang-github-nats-io-jwt <no-dsa> (Minor issue)
 	NOTE: https://advisories.nats.io/CVE/CVE-2020-26892.txt
 CVE-2020-26891 (AuthRestServlet in Matrix Synapse before 1.21.0 is vulnerable to XSS d ...)
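Review bot: the new bug reference and the existing buster <no-dsa> (Minor issue) line agree. The single NOTE points at the NATS advisory text; since the CVE description gives the fixed version (nats-server before 2.1.9) it would help to also record which golang-github-nats-io-jwt upstream version carries the fix, as the Debian package tracks the jwt library rather than nats-server itself.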
@@ -46874,7 +46874,7 @@ CVE-2020-26523 (Froala Editor before 3.2.2 allows XSS via pasted content. ...)
 CVE-2020-26522 (A cross-site request forgery (CSRF) vulnerability in mod/user/act_user ...)
 	NOT-FOR-US: Garfield Petshop
 CVE-2020-26521 (The JWT library in NATS nats-server before 2.1.9 allows a denial of se ...)
-	- golang-github-nats-io-jwt <unfixed>
+	- golang-github-nats-io-jwt <unfixed> (bug #988950)
 	[buster] - golang-github-nats-io-jwt <no-dsa> (Minor issue)
 	NOTE: https://advisories.nats.io/CVE/CVE-2020-26521.txt
 CVE-2020-26520
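Review bot: bug #988950 is reused here for CVE-2020-26521 after already being attached to CVE-2020-26892 for the same package. Sharing one bug across two CVEs is fine for the tracker, but only if the bug's title lists both CVE IDs; otherwise the bug-to-CVE cross-reference is lost for one of them. Worth double-checking the bug title carries both identifiers.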
@@ -75078,7 +75078,8 @@ CVE-2020-13951 (Attackers can use public NetTest web service of Apache OpenMeeti
 CVE-2020-13950
 	RESERVED
 CVE-2020-13949 (In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send sho ...)
-	- thrift <unfixed>
+	- thrift <unfixed> (bug #988949)
+	NOTE: https://seclists.org/oss-sec/2021/q1/140
 CVE-2020-13948 (While investigating a bug report on Apache Superset, it was determined ...)
 	NOT-FOR-US: Apache Superset
 CVE-2020-13947 (An instance of a cross-site scripting vulnerability was identified to  ...)
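Review bot: unlike most other entries in this commit, the thrift entry for CVE-2020-13949 has no [buster] triage line, so buster remains implicitly affected with no decision recorded. The CVE text says Apache Thrift 0.9.3 to 0.13.0 is affected, which covers the buster version range; a <no-dsa>, <postponed> or DSA decision should be recorded next to the new bug reference. The added oss-sec NOTE is a useful pointer.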
@@ -85295,7 +85296,7 @@ CVE-2020-10695
 CVE-2020-10694
 	RESERVED
 CVE-2020-10693 (A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in  ...)
-	- libhibernate-validator-java <unfixed>
+	- libhibernate-validator-java <unfixed> (bug #988946)
 	[buster] - libhibernate-validator-java <not-affected> (EL support added in 5.x)
 	[stretch] - libhibernate-validator-java <not-affected> (EL support added in 5.x)
 	[jessie] - libhibernate-validator-java <not-affected> (EL support added in 5.x)
@@ -92794,7 +92795,7 @@ CVE-2020-7694 (This affects all versions of package uvicorn. The request logger
 CVE-2020-7693 (Incorrect handling of Upgrade header with the value websocket leads in ...)
 	- node-socks <itp> (bug #922921)
 CVE-2020-7692 (PKCE support is not implemented in accordance with the RFC for OAuth 2 ...)
-	- google-oauth-client-java <unfixed>
+	- google-oauth-client-java <unfixed> (bug #988944)
 	NOTE: https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEOAUTHCLIENT-575276
 	NOTE: https://github.com/googleapis/google-oauth-java-client/issues/469
 	NOTE: https://github.com/googleapis/google-oauth-java-client/commit/13433cd7dd06267fc261f0b1d4764f8e3432c824
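Review bot: the google-oauth-client-java entry gains a bug reference but, like the thrift entry above, has no [buster] triage line, whereas the neighbouring entries carry explicit buster decisions. If buster ships google-oauth-client-java, add a <no-dsa> or similar line; the Snyk advisory, upstream issue #469 and the fix commit 13433cd are already referenced, so the information to make that call is present.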
@@ -135537,7 +135538,7 @@ CVE-2019-11941 (A remote code execution vulnerability was identified in HPE Inte
 CVE-2019-11940 (In the course of decompressing HPACK inside the HTTP2 protocol, an une ...)
 	NOT-FOR-US: Facebook Proxygen
 CVE-2019-11939 (Golang Facebook Thrift servers would not error upon receiving messages ...)
-	- thrift <unfixed>
+	- thrift <unfixed> (bug #988948)
 	NOTE: https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757
 CVE-2019-11938 (Java Facebook Thrift servers would not error upon receiving messages d ...)
 	NOT-FOR-US: Java Facebook Thrift
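Review bot: CVE-2019-11939 describes Golang Facebook Thrift servers and the NOTE points at a fbthrift commit, yet it is attributed to the thrift source package (Apache Thrift) and now gets bug #988948, while the immediately following CVE-2019-11938 (Java Facebook Thrift) is marked NOT-FOR-US. Before the bug stands, confirm that Apache Thrift's Go server shares the affected code; if it does not, this entry should be NOT-FOR-US like CVE-2019-11938 and the bug closed.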



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/23383b39a0bfe1742dacfd10e628ce26ea698835


