author Moritz Muehlenhoff <jmm@debian.org> 2020-05-27 13:15:47 +0200
committer Moritz Muehlenhoff <jmm@debian.org> 2020-05-27 13:15:47 +0200
commit fc29243967706f55c33512049b7b5de98c478d5e (patch)
tree 111c61203be1d302a8cf0a4b7872a586650dcb37
parent ecfab01a3abb63a00460dc13481fe945546ae44c (diff)
new vlc issue (already fixed in stable/oldstable)
firefox n/a NFUs
-rw-r--r-- data/CVE/list 14
-rw-r--r-- data/DSA/list 2
2 files changed, 9 insertions, 7 deletions
diff --git a/data/CVE/list b/data/CVE/list
index 41687de143..7ebf38bebf 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -15,7 +15,7 @@ CVE-2020-13617
CVE-2020-13616 (The boost ASIO wrapper in net/asio.cpp in Pichi before 1.3.0 lacks TLS ...)
NOT-FOR-US: pichi
CVE-2020-13615 (lib/QoreSocket.cpp in Qore before 0.9.4.2 lacks hostname verification ...)
- TODO: check
+ NOT-FOR-US: Qore
CVE-2020-13614 (An issue was discovered in ssl.c in Axel before 2.17.8. The TLS implem ...)
- axel 2.17.8-1
NOTE: https://github.com/axel-download-accelerator/axel/issues/262
@@ -780,6 +780,7 @@ CVE-2020-13253 [sd: OOB access could crash the guest resulting in DoS]
[buster] - qemu <postponed> (Minor issue, can be fixed along in next DSA)
[stretch] - qemu <postponed> (Minor issue, can be fixed along in next DSA)
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg05835.html
+ NOTE: https://www.openwall.com/lists/oss-security/2020/05/27/2
CVE-2020-13252 (Centreon before 19.04.15 allows remote attackers to execute arbitrary ...)
- centreon-web <itp> (bug #913903)
CVE-2020-13251
@@ -12143,7 +12144,7 @@ CVE-2020-9048
CVE-2020-9047
RESERVED
CVE-2020-9046 (A vulnerability in all versions of Kantech EntraPass Editions could po ...)
- TODO: check
+ NOT-FOR-US: Kantech
CVE-2020-9045 (During installation or upgrade to Software House C&#8226;CURE 9000 v2. ...)
NOT-FOR-US: Software House
CVE-2020-9044 (XXE vulnerability exists in the Metasys family of product Web Services ...)
@@ -15458,9 +15459,9 @@ CVE-2020-7649
CVE-2020-7648
RESERVED
CVE-2020-7647 (All versions before 1.6.7 and all versions after 2.0.0 inclusive and b ...)
- TODO: check
+ NOT-FOR-US: jooby
CVE-2020-7646 (curlrequest through 1.0.1 allows execution of arbitrary commands.It is ...)
- TODO: check
+ NOT-FOR-US: Noed curlrequest
CVE-2020-7645 (All versions of chrome-launcher allow execution of arbitrary commands, ...)
NOT-FOR-US: Node chrome-launcher
CVE-2020-7644 (fun-map through 3.3.1 is vulnerable to Prototype Pollution. The functi ...)
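Review bot: The added line for CVE-2020-7646 reads "NOT-FOR-US: Noed curlrequest"; "Noed" looks like a typo for "Node", the spelling used by the neighbouring CVE-2020-7645 entry ("NOT-FOR-US: Node chrome-launcher"). Suggest "NOT-FOR-US: Node curlrequest" so a search for Node entries in the list also finds this one.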
@@ -17354,7 +17355,7 @@ CVE-2020-6831 (A buffer overflow could occur when parsing and validating SCTP ch
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-17/#CVE-2020-6831
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-18/#CVE-2020-6831
CVE-2020-6830 (For native-to-JS bridging, the app requires a unique token to be passe ...)
- TODO: check
+ - firefox <not-affected> (Firefox on iOS)
CVE-2020-6829
RESERVED
CVE-2020-6828 (A malicious Android application could craft an Intent that would have ...)
@@ -27231,7 +27232,8 @@ CVE-2019-19722 (In Dovecot before 2.3.9.2, an attacker can crash a push-notifica
NOTE: https://github.com/dovecot/core/commit/1307766b6f5d97341a47376657d342bcefd10f1b
NOTE: https://github.com/dovecot/core/commit/393a8cabf4dad893bf2ec60bf96cfde7a0c58432
CVE-2019-19721 (An off-by-one error in the DecodeBlock function in codec/sdl_image.c i ...)
- TODO: check
+ - vlc 3.0.10-1
+ NOTE: https://git.videolan.org/?p=vlc/vlc-3.0.git;a=commit;h=72afe7ebd8305bf4f5360293b8621cde52ec506b
CVE-2020-3109
RESERVED
CVE-2020-3108
diff --git a/data/DSA/list b/data/DSA/list
index e366c09082..72fdbf89d3 100644
--- a/data/DSA/list
+++ b/data/DSA/list
@@ -83,7 +83,7 @@
{CVE-2019-17559 CVE-2019-17565 CVE-2020-1944 CVE-2020-9481}
[buster] - trafficserver 8.0.2+ds-1+deb10u2
[30 Apr 2020] DSA-4671-1 vlc - security update
- {CVE-2020-6071 CVE-2020-6072 CVE-2020-6073 CVE-2020-6077 CVE-2020-6078 CVE-2020-6079 CVE-2020-6080}
+ {CVE-2020-6071 CVE-2020-6072 CVE-2020-6073 CVE-2020-6077 CVE-2020-6078 CVE-2020-6079 CVE-2020-6080 CVE-2019-19721}
[stretch] - vlc 3.0.10-0+deb9u1
[buster] - vlc 3.0.10-0+deb10u1
[29 Apr 2020] DSA-4670-1 tiff - security update
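Review bot: CVE-2019-19721 is appended after CVE-2020-6080 in the DSA-4671-1 id list, which breaks the ascending order the existing seven ids follow; consider placing it first in the braces. The pairing with the data/CVE/list change is consistent: the vlc entry there records 3.0.10-1, and the stretch and buster versions listed under this DSA are both 3.0.10 builds.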
