[Git][security-tracker-team/security-tracker][master] NFUs

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Nov 1 08:36:42 GMT 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ccf0c358 by Moritz Muehlenhoff at 2021-11-01T09:35:51+01:00
NFUs
remove TODO for libstd, codebases which embed it not security relevant

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1043,16 +1043,14 @@ CVE-2021-3894
 CVE-2021-42717
 	RESERVED
 CVE-2021-42716 (An issue was discovered in stb stb_image.h 2.27. The PNM loader incorr ...)
-	- libstb <undetermined>
+	- libstb <unfixed>
 	NOTE: https://github.com/nothings/stb/issues/1166
 	NOTE: https://github.com/nothings/stb/issues/1225
 	NOTE: https://github.com/nothings/stb/pull/1223
-	TODO: check libstb itself, and various packages embedd a copy
 CVE-2021-42715 (An issue was discovered in stb stb_image.h 1.33 through 2.27. The HDR  ...)
-	- libstb <undetermined>
+	- libstb <unfixed>
 	NOTE: https://github.com/nothings/stb/issues/1224
 	NOTE: https://github.com/nothings/stb/pull/1223
-	TODO: check libstb itself, and various packages embedd a copy
 CVE-2021-42714
 	RESERVED
 CVE-2021-42713
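Review bot: The two removed TODO lines (check libstb itself, and various packages embedding a copy) are dropped without recording the conclusion in the entries themselves; the reasoning only survives in the commit message ("codebases which embed it not security relevant"). Suggest adding a NOTE under CVE-2021-42716 and CVE-2021-42715 stating that embedded copies are not tracked and why, so the question is not reopened at the next triage pass. Also, both entries now read `- libstb <unfixed>` with no severity or bug reference, while the CVE-2020-6618 entry further down in the same file uses `- libstb <unfixed> (unimportant; bug #949555)`; consider whether a bug should be filed against libstb and the severity recorded here in the same form.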
@@ -1094,7 +1092,7 @@ CVE-2021-42696
 CVE-2021-42695
 	RESERVED
 CVE-2021-42694 (An issue was discovered in the character definitions of the Unicode Sp ...)
-	TODO: check
+	NOT-FOR-US: Unicode spec
 CVE-2021-42693
 	RESERVED
 CVE-2021-42692
@@ -5438,7 +5436,7 @@ CVE-2021-3813
 CVE-2021-41314 (Certain NETGEAR smart switches are affected by a \n injection in the w ...)
 	NOT-FOR-US: NETGEAR
 CVE-2021-41313 (Affected versions of Atlassian Jira Server and Data Center allow authe ...)
-	TODO: check
+	NOT-FOR-US: Atlassian
 CVE-2021-41312
 	RESERVED
 CVE-2021-41311
@@ -5712,7 +5710,7 @@ CVE-2021-41196
 CVE-2021-41195
 	RESERVED
 CVE-2021-41194 (FirstUseAuthenticator is a JupyterHub authenticator that helps new use ...)
-	TODO: check
+	NOT-FOR-US: FirstUseAuthenticator for JupyterHub
 CVE-2021-41193
 	RESERVED
 CVE-2021-41192
@@ -5771,9 +5769,9 @@ CVE-2021-41170
 CVE-2021-41169 (Sulu is an open-source PHP content management system based on the Symf ...)
 	NOT-FOR-US: Sulu
 CVE-2021-41168 (Snudown is a reddit-specific fork of the Sundown Markdown parser used  ...)
-	TODO: check
+	NOT-FOR-US: Snudown
 CVE-2021-41167 (modern-async is an open source JavaScript tooling library for asynchro ...)
-	TODO: check
+	NOT-FOR-US: modern-async
 CVE-2021-41166
 	RESERVED
 CVE-2021-41165
@@ -5819,9 +5817,9 @@ CVE-2021-41152 (OpenOlat is a web-based e-learning platform for teaching, learni
 CVE-2021-41151 (Backstage is an open platform for building developer portals. In affec ...)
 	NOT-FOR-US: Backstage
 CVE-2021-41150 (Tough provides a set of Rust libraries and tools for using and generat ...)
-	TODO: check
+	NOT-FOR-US: Tough
 CVE-2021-41149 (Tough provides a set of Rust libraries and tools for using and generat ...)
-	TODO: check
+	NOT-FOR-US: Tough
 CVE-2021-41148 (Tuleap Open ALM is a libre and open source tool for end to end traceab ...)
 	NOT-FOR-US: Tuleap
 CVE-2021-41147 (Tuleap Open ALM is a libre and open source tool for end to end traceab ...)
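Review bot: CVE-2021-41150 and CVE-2021-41149 describe Tough as a set of Rust libraries, so the relevant Debian source package would be a rust- prefixed crate package rather than one named "tough"; the NOT-FOR-US line does not say which package names were checked. Suggest the NOTE or the commit message mention that no corresponding rust- crate package exists, as the bare `NOT-FOR-US: Tough` gives a later reader nothing to verify against.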
@@ -12384,7 +12382,7 @@ CVE-2021-38380 (Live555 through 1.08 mishandles huge requests for the same MP3 s
 	NOTE: http://lists.live555.com/pipermail/live-devel/2021-August/021954.html
 	NOTE: http://www.live555.com/liveMedia/public/changelog.txt#[2021.08.04]
 CVE-2021-38379 (The Hub in CFEngine Enterprise 3.6.7 through 3.18.0 has Insecure Permi ...)
-	TODO: check
+	NOT-FOR-US: CFEngine Enterprise
 CVE-2021-38378
 	RESERVED
 CVE-2021-38377
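Review bot: CVE-2021-38379 is described as affecting "The Hub in CFEngine Enterprise", and the CVE-2021-36756 hunk below is also scoped to CFEngine Enterprise; since CFEngine also ships a community edition, the NOT-FOR-US line would be clearer if it spelled out that the affected component is Enterprise-only, e.g. `NOT-FOR-US: CFEngine Enterprise (Hub, not part of the community edition)`, so nobody re-checks it against a community build later.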
@@ -16352,7 +16350,7 @@ CVE-2021-36758 (1Password Connect server before 1.2 is missing validation checks
 CVE-2021-36757
 	RESERVED
 CVE-2021-36756 (CFEngine Enterprise 3.15.0 through 3.15.4 has Missing SSL Certificate  ...)
-	TODO: check
+	NOT-FOR-US: CFEngine Enterprise
 CVE-2021-36755 (Nightscout Web Monitor (aka cgm-remote-monitor) 14.2.2 allows XSS via  ...)
 	NOT-FOR-US: Nightscout Web Monitor
 CVE-2021-36754 (PowerDNS Authoritative Server 4.5.0 before 4.5.1 allows anybody to cra ...)
@@ -122264,8 +122262,6 @@ CVE-2020-6619 (stb stb_truetype.h through 1.22 has an assertion failure in stbtt
 	NOTE: stb_truetype.h explicitly marked as unsuitable for untrusted files
 CVE-2020-6618 (stb stb_truetype.h through 1.22 has a heap-based buffer over-read in s ...)
 	- libstb <unfixed> (unimportant; bug #949555)
-	[bullseye] - libstb <no-dsa> (Minor issue)
-	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/issues/866
 	NOTE: stb_truetype.h explicitly marked as unsuitable for untrusted files
 CVE-2020-6617 (stb stb_truetype.h through 1.22 has an assertion failure in stbtt__cff ...)
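Review bot: This hunk drops the `[bullseye] - libstb <no-dsa> (Minor issue)` and `[buster] - libstb <no-dsa> (Minor issue)` lines from CVE-2020-6618 while leaving the entry as `- libstb <unfixed> (unimportant; bug #949555)`, but the commit message only mentions removing the libstb TODOs. If the suite annotations are being removed because the unimportant severity already makes them redundant, or because libstb is not present in those suites, please say which in the commit message so the change is auditable from the log.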



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ccf0c3583ccc915d928af60614e88a0171ab6836


