author | Moritz Muehlenhoff <jmm@debian.org> | 2020-08-28 19:48:20 +0200 |
---|---|---|
committer | Moritz Muehlenhoff <jmm@debian.org> | 2020-08-28 19:48:20 +0200 |
commit | c4047393b5aa53a917e6b297940d636d4378e04a (patch) | |
tree | 704990df4ca42be1c59f3f8a2d9eb562869c24f0 | |
parent | a165926b4314c7272035d03daaf5d285f2b9c05a (diff) |
buster triage
-rw-r--r-- | data/CVE/list | 32 |
-rw-r--r-- | data/dsa-needed.txt | 4 |
2 files changed, 28 insertions, 8 deletions
diff --git a/data/CVE/list b/data/CVE/list index db8b2308ac..1aa7fa5119 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -400,6 +400,7 @@ CVE-2020-24662 RESERVED CVE-2020-24661 (GNOME Geary before 3.36.3 mishandles pinned TLS certificate verificati ...) - geary <unfixed> + [buster] - geary <no-dsa> (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/geary/-/issues/866 CVE-2020-24660 RESERVED @@ -617,6 +618,7 @@ CVE-2020-24556 RESERVED CVE-2020-24614 (Fossil before 2.10.2, 2.11.x before 2.11.2, and 2.12.x before 2.12.1 a ...) - fossil 1:2.12.1-1 + [buster] - fossil <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/08/20/1 NOTE: https://fossil-scm.org/forum/info/a05ae3ce7760daf6 NOTE: https://fossil-scm.org/fossil/vdiff?branch=sec2020-2.12-patch&diff=1&w @@ -990,17 +992,19 @@ CVE-2020-24374 CVE-2020-24373 RESERVED CVE-2020-24372 (LuaJIT through 2.1.0-beta3 has an out-of-bounds read in lj_err_run in ...) - - luajit <unfixed> + - luajit <unfixed> (unimportant) NOTE: https://github.com/LuaJIT/LuaJIT/issues/603 - TODO: Needs to be checked with upstream, unclear whether that's really a security issue + NOTE: No security impact, only "exploitable" with untrusted Lua code CVE-2020-24371 (lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the ...) - lua5.4 <unfixed> - lua5.3 <unfixed> + [buster] - lua5.3 <no-dsa> (Minor isue) NOTE: https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110 NOTE: https://www.lua.org/bugs.html#5.4.0-9 CVE-2020-24370 (ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation faul ...) - lua5.4 <unfixed> - lua5.3 <unfixed> + [buster] - lua5.3 <no-dsa> (Minor isue) NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00324.html NOTE: https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b CVE-2020-24369 (ldebug.c in Lua 5.4.0 attempts to access debug information via the lin ...) 
@@ -1287,16 +1291,16 @@ CVE-2020-24244 CVE-2020-24243 RESERVED CVE-2020-24242 (In Netwide Assembler (NASM) 2.15rc10, SEGV can be triggered in tok_tex ...) - - nasm 2.15.04-1 - [stretch] - nasm <no-dsa> (Minor issue) + - nasm 2.15.04-1 (unimportant) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392708 NOTE: https://github.com/netwide-assembler/nasm/commit/6299a3114ce0f3acd55d07de201a8ca2f0a83059 + NOTE: Crash in CLI tool, no security impact CVE-2020-24241 (In Netwide Assembler (NASM) 2.15rc10, there is heap use-after-free in ...) - - nasm 2.15.04-1 - [stretch] - nasm <no-dsa> (Minor issue) + - nasm 2.15.04-1 (unimportant) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392707 NOTE: https://github.com/netwide-assembler/nasm/commit/6ac6ac57e3d01ea8ed4ea47706eb724b59176461 NOTE: https://github.com/netwide-assembler/nasm/commit/78df8828a0a5d8e2d8ff3dced562bf1778ce2e6c + NOTE: Crash in CLI tool, no security impact CVE-2020-24240 (GNU Bison 3.7 has a use after free (UAF) vulnerability. A local attack ...) - bison <unfixed> (unimportant) NOTE: https://github.com/akimd/bison/commit/be95a4fe2951374676efc9454ffee8638faaf68d (v3.7.1) @@ -14803,6 +14807,7 @@ CVE-2020-17498 (In Wireshark 3.2.0 to 3.2.5, the Kafka protocol dissector could NOTE: https://www.wireshark.org/security/wnpa-sec-2020-10.html CVE-2020-17497 (eapol.c in iNet wireless daemon (IWD) through 1.8 allows attackers to ...) - iwd <unfixed> (bug #968996) + [buster] - iwd <no-dsa> (Minor issue) NOTE: https://lists.01.org/hyperkitty/list/iwd@lists.01.org/thread/4GUXL4Z6KZWWZINATGHNJVAEUTS3I7PG/ NOTE: https://git.kernel.org/pub/scm/network/wireless/iwd.git/commit/?id=f22ba5aebb569ca54521afd2babdc1f67e3904ea CVE-2020-17496 (vBulletin 5.5.4 through 5.6.2 allows remote command execution via craf ...) 
@@ -18134,6 +18139,7 @@ CVE-2020-15918 (Multiple Stored Cross Site Scripting (XSS) vulnerabilities were NOT-FOR-US: Mida eFramework CVE-2020-15917 (common/session.c in Claws Mail before 3.17.6 has a protocol violation ...) - claws-mail 3.17.6-1 + [buster] - claws-mail <no-dsa> (Minor issue) [stretch] - claws-mail <no-dsa> (low priority issue) NOTE: https://git.claws-mail.org/?p=claws.git;a=commit;h=fcc25329049b6f9bd8d890f1197ed61eb12e14d5 CVE-2020-15916 (goform/AdvSetLanip endpoint on Tenda AC15 AC1900 15.03.05.19 devices a ...) @@ -19738,11 +19744,13 @@ CVE-2020-15306 (An issue was discovered in OpenEXR before v2.5.2. Invalid chunkC - openexr 2.5.3-2 [jessie] - openexr <no-dsa> (Minor issue) NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/738 + NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/6a9f8af6e89547bcd370ae3cec2b12849eee0b54 CVE-2020-15305 (An issue was discovered in OpenEXR before 2.5.2. Invalid input could c ...) [experimental] - openexr 2.5.2-1 - openexr 2.5.3-2 [jessie] - openexr <no-dsa> (Minor issue) NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/730 + NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/3d03979dc101612e806cdf0b011475d9fa685a73 CVE-2020-15304 (An issue was discovered in OpenEXR before 2.5.2. An invalid tiled inpu ...) [experimental] - openexr 2.5.2-1 - openexr 2.5.3-2 @@ -34400,6 +34408,7 @@ CVE-2020-10189 (Zoho ManageEngine Desktop Central before 10.0.474 allows remote CVE-2020-10188 (utility.c in telnetd in netkit telnet through 0.17 allows remote attac ...) {DLA-2341-1 DLA-2176-1} - inetutils 2:1.9.4-12 (bug #956084) + [buster] - inetutils <no-dsa> (Minor issue) - netkit-telnet 0.17-18woody2 (bug #953477) - netkit-telnet-ssl 0.17.17+0.1-2woody3 (bug #953478) NOTE: https://appgateresearch.blogspot.com/2020/02/bravestarr-fedora-31-netkit-telnetd_28.html 
@@ -37999,6 +38008,7 @@ CVE-2020-8690 RESERVED CVE-2020-8689 (Improper buffer restrictions in the Intel(R) Wireless for Open Source ...) - iwd 1.5-1 + [buster] - iwd <no-dsa> (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00379.html CVE-2020-8688 (Improper input validation in the Intel(R) RAID Web Console 3 for Windo ...) NOT-FOR-US: Intel @@ -39092,20 +39102,25 @@ CVE-2020-8231 CVE-2020-8230 (A memory corruption vulnerability exists in NextCloud Desktop Client v ...) - nextcloud-desktop <not-affected> (Windows-specific) CVE-2020-8229 (A memory leak in the OCUtil.dll library used by Nextcloud Desktop Clie ...) - - nextcloud-desktop <unfixed> (bug #968822) + - nextcloud-desktop <not-affected> (Windows-specific) NOTE: https://nextcloud.com/security/advisory/?id=NC-SA-2020-034 + NOTE: Windows-specific code in shell_integration/windows/OCUtil + NOTE: https://hackerone.com/reports/588562 CVE-2020-8228 RESERVED CVE-2020-8227 (Missing sanitization of a server response in Nextcloud Desktop Client ...) - nextcloud-desktop <unfixed> + [buster] - nextcloud-desktop <no-dsa> (Minor issue) NOTE: https://nextcloud.com/security/advisory/?id=NC-SA-2020-032 + NOTE: https://hackerone.com/reports/685552 CVE-2020-8226 (A vulnerability exists in phpBB <v3.2.10 and <v3.3.1 which allow ...) NOT-FOR-US: phpBB CVE-2020-8225 RESERVED CVE-2020-8224 (A code injection in Nextcloud Desktop Client 2.6.4 allowed to load arb ...) - - nextcloud-desktop <unfixed> (bug #968822) + - nextcloud-desktop <not-affected> (Windows-specific) NOTE: https://nextcloud.com/security/advisory/?id=NC-SA-2020-030 + NOTE: https://hackerone.com/reports/622170 CVE-2020-8223 RESERVED CVE-2020-8222 (A path traversal vulnerability exists in Pulse Connect Secure <9.1R ...) 
@@ -39179,6 +39194,7 @@ CVE-2020-8190 (Incorrect file permissions in Citrix ADC and Citrix Gateway befor NOT-FOR-US: Citrix CVE-2020-8189 (A cross-site scripting error in Nextcloud Desktop client 2.6.4 allowed ...) - nextcloud-desktop <unfixed> + [buster] - nextcloud-desktop <no-dsa> (Minor issue) NOTE: https://nextcloud.com/security/advisory/?id=NC-SA-2020-027 CVE-2020-8188 (We have recently released new version of UniFi Protect firmware v1.13. ...) NOT-FOR-US: UniFi Protect diff --git a/data/dsa-needed.txt b/data/dsa-needed.txt index 7538086d5c..22fdd22f2d 100644 --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -27,6 +27,10 @@ lilypond (jmm) linux (carnil) Wait until more issues have piled up -- +mupdf +-- +openexr (jmm) +-- rails (jmm) Sylvain Beucler proposed to help for the update, remaining CVEs to be done -- |
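Review bot: In the data/CVE/list hunk at `@@ -990,17 +992,19 @@`, both added lua5.3 lines (under CVE-2020-24371 and CVE-2020-24370) read `[buster] - lua5.3 <no-dsa> (Minor isue)`, while every other `<no-dsa>` line added in this commit uses `(Minor issue)`. Correct the spelling so that a search on the reason string also finds these two entries.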
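Review bot: In the data/CVE/list hunk at `@@ -1287,16 +1291,16 @@`, the NOTE added for CVE-2020-24241 says "Crash in CLI tool, no security impact", but the description on that same entry is a heap use-after-free, not only a SEGV as for CVE-2020-24242. Because `(unimportant)` here also replaces the removed `[stretch] - nasm <no-dsa> (Minor issue)` lines, the NOTE is the only recorded rationale for all releases; consider wording it the way the LuaJIT entry in this commit does, naming the assumption the classification rests on (for example that the assembler input is trusted, if that is the reasoning).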
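Review bot: In the data/CVE/list hunk at `@@ -39092,20 +39102,25 @@`, CVE-2020-8229 and CVE-2020-8224 change from `<unfixed> (bug #968822)` to `<not-affected> (Windows-specific)`, which removes the only references to bug #968822 visible in this diff. If that bug covers nothing else, it should be closed or retitled together with this change. In addition, CVE-2020-8229 gets a NOTE naming the Windows-only path (`shell_integration/windows/OCUtil`), whereas CVE-2020-8224 gets only the HackerOne link; a matching NOTE stating which code is Windows-specific would make the not-affected decision checkable for that entry too.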
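Review bot: In the data/dsa-needed.txt hunk at `@@ -27,6 +27,10 @@`, `mupdf` is added with no claimant and no note line, while `openexr (jmm)` is claimed and the neighbouring `linux` and `rails` entries carry a status line. None of the data/CVE/list hunks in this commit touch a mupdf entry, so a one-line note under `mupdf` naming the issue or issues that call for a DSA would help whoever picks it up.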