From 11584f78c23c0eef4d199818927254e8d2bf56f3 Mon Sep 17 00:00:00 2001 From: Moritz Muehlenhoff Date: Thu, 26 Nov 2020 22:37:38 +0100 Subject: new kamailio, jupyter-server issues NFUs --- data/CVE/list | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/data/CVE/list b/data/CVE/list index 3d8870eb72..3cbc825430 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -320,7 +320,7 @@ CVE-2020-28984 (prive/formulaires/configurer_preferences.php in SPIP before 3.2. - spip 3.2.8-1 NOTE: https://git.spip.net/spip/spip/commit/ae4267eba1022dabc12831ddb021c5d6e09040f8 CVE-2020-28975 (** DISPUTED ** svm_predict_values in svm.cpp in Libsvm v324, as used i ...) - TODO: check + NOTE: disputed libsvm non issue CVE-2020-28973 RESERVED CVE-2020-28972 @@ -2797,7 +2797,9 @@ CVE-2020-28974 (A slab-out-of-bounds read in fbcon in the Linux kernel before 5. NOTE: https://git.kernel.org/linus/3c4e0dff2095c579b142d5a0693257f1c58b4804 NOTE: https://www.openwall.com/lists/oss-security/2020/11/09/2 CVE-2020-28361 (Kamailio before 5.4.0, as used in Sip Express Router (SER) in Sippy So ...) - TODO: check, this might be specific to Kamailio as used in the specified product + - kamailio 5.4.0-1 + [buster] - kamailio (Minor issue) + NOTE: https://packetstormsecurity.com/files/159030/Kamailio-5.4.0-Header-Smuggling.html CVE-2020-28360 (Insufficient RegEx in private-ip npm package v1.0.5 and below insuffic ...) NOT-FOR-US: Node private-ip CVE-2020-28359 @@ -7523,7 +7525,7 @@ CVE-2020-27209 CVE-2020-27208 RESERVED CVE-2020-27207 (Zetetic SQLCipher 4.x before 4.4.1 has a use-after-free, related to sq ...) - TODO: check + NOT-FOR-US: Zetetic SQLCipher CVE-2020-27206 RESERVED CVE-2020-27205 @@ -9660,11 +9662,11 @@ CVE-2020-26243 (Nanopb is a small code-size Protocol Buffers implementation. In NOTE: https://github.com/nanopb/nanopb/commit/edf6dcbffee4d614ac0c2c1b258ab95185bdb6e9 (0.4.4) NOTE: https://github.com/nanopb/nanopb/issues/615 CVE-2020-26242 (Go Ethereum, or "Geth", is the official Golang implementation of the E ...) - TODO: check + NOT-FOR-US: Go Ethereum CVE-2020-26241 (Go Ethereum, or "Geth", is the official Golang implementation of the E ...) - TODO: check + NOT-FOR-US: Go Ethereum CVE-2020-26240 (Go Ethereum, or "Geth", is the official Golang implementation of the E ...) - TODO: check + NOT-FOR-US: Go Ethereum CVE-2020-26239 (Scratch Addons is a WebExtension that supports both Chrome and Firefox ...) NOT-FOR-US: Scratch Addons CVE-2020-26238 (Cron-utils is a Java library to parse, validate, migrate crons as well ...) @@ -9682,7 +9684,9 @@ CVE-2020-26234 CVE-2020-26233 RESERVED CVE-2020-26232 (Jupyter Server before version 1.0.6 has an Open redirect vulnerability ...) - TODO: check + - jupyter-server 1.0.7-1 + NOTE: https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-grfj-wjv9-4f9v + NOTE: https://github.com/jupyter-server/jupyter_server/commit/3d83e49090289c431da253e2bdb8dc479cbcb157 CVE-2020-26231 (October is a free, open-source, self-hosted CMS platform based on the ...) NOT-FOR-US: October CMS CVE-2020-26230 (Radar COVID is the official COVID-19 exposure notification app for Spa ...) @@ -39396,7 +39400,6 @@ CVE-2020-12912 (A potential vulnerability in the AMD extension to Linux "hwmon" NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1897402 NOTE: https://support.lenovo.com/lu/uk/product_security/LEN-50481 NOTE: CONFIG_SENSORS_AMD_ENERGY not enabled in Debian builds - TODO: check, correctness CVE-2020-12911 (A denial of service vulnerability exists in the D3DKMTCreateAllocation ...) NOT-FOR-US: AMD ATIKMDAG.SYS CVE-2020-12910 @@ -41006,7 +41009,7 @@ CVE-2020-12340 CVE-2020-12339 RESERVED CVE-2020-12338 (Insufficient control flow management in the Open WebRTC Toolkit before ...) - TODO: check + NOT-FOR-US: Intel CVE-2020-12337 (Improper buffer restrictions in firmware for some Intel(R) NUCs may al ...) NOT-FOR-US: Intel CVE-2020-12336 (Insecure default variable initialization in firmware for some Intel(R) ...) @@ -54088,9 +54091,9 @@ CVE-2020-7781 CVE-2020-7780 RESERVED CVE-2020-7779 (All versions of package djvalidator are vulnerable to Regular Expressi ...) - TODO: check + NOT-FOR-US: Node djvalidator CVE-2020-7778 (This affects the package systeminformation before 4.30.2. The attacker ...) - TODO: check + NOT-FOR-US: Node systeminformation CVE-2020-7777 (This affects all versions of package jsen. If an attacker can control ...) NOT-FOR-US: Node jsen CVE-2020-7776 @@ -276092,7 +276095,7 @@ CVE-2015-5438 CVE-2015-5437 REJECTED CVE-2015-5436 (A potential security vulnerability has been identified with HP Integra ...) - TODO: check + NOT-FOR-US: HP CVE-2015-5435 (Unspecified vulnerability in HP Integrated Lights-Out (iLO) firmware 3 ...) NOT-FOR-US: HP CVE-2015-5434 (HPE Networking Products, originally branded as Comware 5, Comware 7, H ...) -- cgit v1.2.3