From 3e4c3e89ce20df6ecaeac9c55f6a7bdfd27349f5 Mon Sep 17 00:00:00 2001 From: Moritz Muehlenhoff Date: Mon, 6 Jul 2020 19:29:25 +0200 Subject: buster triage --- data/CVE/list | 13 +++++++++++-- data/dsa-needed.txt | 2 ++ 2 files changed, 13 insertions(+), 2 deletions(-) (limited to 'data') diff --git a/data/CVE/list b/data/CVE/list index e846be7bd9..75c8524b38 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -121,6 +121,7 @@ CVE-2020-15504 RESERVED CVE-2020-15503 (LibRaw before 0.20-RC1 lacks a thumbnail size range check. This affect ...) - libraw + [buster] - libraw (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1853477 NOTE: https://github.com/LibRaw/LibRaw/commit/20ad21c0d87ca80217aee47533d91e633ce1864d CVE-2020-15502 (** DISPUTED ** The DuckDuckGo application through 5.58.0 for Android, ...) @@ -186,6 +187,8 @@ CVE-2020-15475 (In nDPI through 3.2, ndpi_reset_packet_line_info in lib/ndpi_mai NOTE: https://github.com/ntop/nDPI/commit/6a9f5e4f7c3fd5ddab3e6727b071904d76773952 CVE-2020-15474 (In nDPI through 3.2, there is a stack overflow in extractRDNSequence i ...) - ndpi + [buster] - ndpi (Vulnerable code not present) + [stretch] - ndpi (Vulnerable code not present) NOTE: https://github.com/ntop/nDPI/commit/23594f036536468072198a57c59b6e9d63caf6ce CVE-2020-15473 (In nDPI through 3.2, the OpenVPN dissector is vulnerable to a heap-bas ...) - ndpi @@ -195,6 +198,8 @@ CVE-2020-15472 (In nDPI through 3.2, the H.323 dissector is vulnerable to a heap NOTE: https://github.com/ntop/nDPI/commit/b7e666e465f138ae48ab81976726e67deed12701 CVE-2020-15471 (In nDPI through 3.2, the packet parsing code is vulnerable to a heap-b ...) - ndpi + [buster] - ndpi (Vulnerable code not present) + [stretch] - ndpi (Vulnerable code not present) NOTE: https://github.com/ntop/nDPI/commit/61066fb106efa6d3d95b67e47b662de208b2b622 CVE-2020-15470 (ffjpeg through 2020-02-24 has a heap-based buffer overflow in jfif_dec ...) NOT-FOR-US: ffjpeg @@ -1316,7 +1321,8 @@ CVE-2020-14949 CVE-2020-14948 RESERVED CVE-2020-14947 (OCS Inventory NG 2.7 allows Remote Command Execution via shell metacha ...) - TODO: check + - ocsinventory-server (unimportant) + NOTE: Only supported in trusted environments, see debtags CVE-2020-14946 (downloadFile.ashx in the Administrator section of the Surveillance mod ...) NOT-FOR-US: Surveillance module in Global RADAR BSA Radar CVE-2020-14945 (A privilege escalation vulnerability exists within Global RADAR BSA Ra ...) @@ -17681,6 +17687,7 @@ CVE-2020-8946 (Netis WF2471 v1.2.30142 devices allow an authenticated attacker t NOT-FOR-US: Netis devices CVE-2020-8945 (The proglottis Go wrapper before 0.1.1 for the GPGME library has a use ...) - golang-github-proglottis-gpgme 0.1.1-1 (bug #951372) + [buster] - golang-github-proglottis-gpgme (Minor issue) NOTE: https://github.com/proglottis/gpgme/pull/23 CVE-2020-8944 RESERVED @@ -19603,6 +19610,7 @@ CVE-2020-8132 (Lack of input validation in pdf-image npm package version <= 2 NOT-FOR-US: Node pdf-image package CVE-2020-8131 (Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows ...) - node-yarnpkg 1.22.4-2 (bug #952912) + [buster] - node-yarnpkg (Minor issue) NOTE: https://hackerone.com/reports/730239 NOTE: https://github.com/yarnpkg/yarn/pull/7831 CVE-2020-8130 (There is an OS command injection vulnerability in Ruby Rake < 12.3. ...) @@ -147563,7 +147571,8 @@ CVE-2018-1286 (In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileg NOT-FOR-US: Apache OpenMeetings CVE-2018-1285 (Apache log4net before 2.0.8 does not disable XML external entities whe ...) {DLA-2211-1} - - log4net + - log4net (low) + [buster] - log4net (Minor issue) NOTE: https://issues.apache.org/jira/browse/LOG4NET-575 NOTE: https://github.com/apache/logging-log4net/commit/d0b4b0157d4af36b23c24a23739c47925c3bd8d7 CVE-2018-1284 (In Apache Hive 0.6.0 to 2.3.2, malicious user might use any xpath UDFs ...) diff --git a/data/dsa-needed.txt b/data/dsa-needed.txt index f404c9509a..cd4278c532 100644 --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -37,6 +37,8 @@ rails ruby2.5/stable Utkarsh Gupta proposed to work on an update -- +roundcube +-- squid/stable -- teeworlds/stable (jmm) -- cgit v1.2.3