diff options
author | Salvatore Bonaccorso <carnil@debian.org> | 2021-02-18 21:57:52 +0100 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2021-02-18 21:57:52 +0100 |
commit | 0fc07d6e6c6f04c4a92894c69cbbbe70ae5a0058 (patch) | |
tree | 345d5405c4e720c945fdea914020fe24f7b478a4 | |
parent | c1e7cf1e8a2cef9452d494e314b159ab3a5e16eb (diff) |
mujs entered the archive, recheck some older CVEs
-rw-r--r-- | data/CVE/2016.list | 41 | ||||
-rw-r--r-- | data/CVE/2017.list | 8 | ||||
-rw-r--r-- | data/CVE/2018.list | 8 | ||||
-rw-r--r-- | data/CVE/2019.list | 15 | ||||
-rw-r--r-- | data/CVE/2020.list | 4 |
5 files changed, 54 insertions, 22 deletions
diff --git a/data/CVE/2016.list b/data/CVE/2016.list index e21273c8ba..271df30719 100644 --- a/data/CVE/2016.list +++ b/data/CVE/2016.list @@ -2574,11 +2574,17 @@ CVE-2016-10145 (Off-by-one error in coders/wpg.c in ImageMagick allows remote at NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/d23beebe7b1179fb75db1e85fbca3100e49593d9 NOTE: https://www.openwall.com/lists/oss-security/2017/01/16/6 CVE-2016-10141 (An integer overflow vulnerability was observed in the regemit function ...) - NOT-FOR-US: MuJS + - mujs <not-affected> (Fixed before initial upload to Debian) + NOTE: http://git.ghostscript.com/?p=mujs.git;h=fa3d30fd18c348bb4b1f3858fb860f4fcd4b2045 + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697448 CVE-2016-10133 (Heap-based buffer overflow in the js_stackoverflow function in jsrun.c ...) - NOT-FOR-US: MuJS + - mujs <not-affected> (Fixed before initial upload to Debian) + NOTE: http://git.ghostscript.com/?p=mujs.git;a=commit;h=77ab465f1c394bb77f00966cd950650f3f53cb24 + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697401 CVE-2016-10132 (regexp.c in Artifex Software, Inc. MuJS allows attackers to cause a de ...) - NOT-FOR-US: MuJS + - mujs <not-affected> (Fixed before initial upload to Debian) + NOTE: http://git.ghostscript.com/?p=mujs.git;h=fd003eceda531e13fbdd1aeb6e9c73156496e569 + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697381 CVE-2016-10131 (system/libraries/Email.php in CodeIgniter before 3.1.3 allows remote a ...) - codeigniter <itp> (bug #471583) CVE-2016-10130 (The http_connect function in transports/http.c in libgit2 before 0.24. ...) @@ -5613,7 +5619,9 @@ CVE-2016-9296 (A null pointer dereference bug affects the 16.02 and many old ver NOTE: https://sourceforge.net/p/p7zip/bugs/185/ NOTE: no security impact CVE-2016-9294 (Artifex Software, Inc. MuJS before 5008105780c0b0182ea6eda83ad5598f225 ...) - NOT-FOR-US: MuJS + - mujs <not-affected> (Fixed before initial upload to Debian) + NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=697172 + NOTE: http://git.ghostscript.com/?p=mujs.git;a=commit;h=5008105780c0b0182ea6eda83ad5598f225be3ee CVE-2016-9279 (Use-after-free vulnerability in the Samsung Exynos fimg2d driver for A ...) NOT-FOR-US: Samsung Exynos fimg2d driver for Android CVE-2016-9278 (The Samsung Exynos fimg2d driver for Android with Exynos 5433, 54xx, o ...) @@ -5975,7 +5983,8 @@ CVE-2016-9180 (perl-XML-Twig: The option to `expand_external_ents`, documented a NOTE: Release 3.50 adds a no_xxe flag which will fail to parse files with external entities. NOTE: 2016-12-13: The corresponding changes is not in the public git repository yet: https://github.com/mirod/xmltwig/commits/master CVE-2016-9136 (Artifex Software, Inc. MuJS before a0ceaf5050faf419401fe1b83acfa950ec8 ...) - NOT-FOR-US: MuJS + - mujs <not-affected> (Fixed before initial upload to Debian) + NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=697244 CVE-2016-9135 (Exponent CMS 2.3.9 suffers from a SQL injection vulnerability in "/fra ...) NOT-FOR-US: Exponent CMS CVE-2016-9134 (Exponent CMS 2.3.9 suffers from a SQL injection vulnerability in "/exp ...) @@ -6090,9 +6099,9 @@ CVE-2016-9090 CVE-2016-9089 RESERVED CVE-2016-9109 (Artifex Software MuJS allows attackers to cause a denial of service (c ...) - NOT-FOR-US: MuJS + - mujs <not-affected> (Fixed before initial upload to Debian) CVE-2016-9108 (Integer overflow in the js_regcomp function in regexp.c in Artifex Sof ...) - NOT-FOR-US: MuJS + - mujs <not-affected> (Fixed before initial upload to Debian) CVE-2016-9107 (The OTR plugin for Gajim sends information in cleartext when using XHT ...) - gajim-otr <itp> (bug #722130) NOTE: Upstream bug: https://trac-plugins.gajim.org/ticket/145 @@ -6356,7 +6365,8 @@ CVE-2016-9019 (SQL injection vulnerability in the activate_address function in f CVE-2016-9018 (Improper handling of a repeating VRAT chunk in qcpfformat.dll allows a ...) NOT-FOR-US: RealPlayer CVE-2016-9017 (Artifex Software, Inc. MuJS before a5c747f1d40e8d6659a37a8d25f13fb5acf ...) - NOT-FOR-US: MuJS + - mujs <not-affected> (Fixed before initial upload to Debian) + NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=697171 CVE-2016-9015 (Versions 1.17 and 1.18 of the Python urllib3 library suffer from a vul ...) - python-urllib3 <not-affected> (Issue only present in 1.17 and 1.18 releases) CVE-2016-9014 (Django before 1.8.x before 1.8.16, 1.9.x before 1.9.11, and 1.10.x bef ...) @@ -10310,9 +10320,11 @@ CVE-2016-7566 CVE-2016-7565 (install/index.php in Exponent CMS 2.3.9 allows remote attackers to exe ...) NOT-FOR-US: Exponent CMS CVE-2016-7564 (Heap-based buffer overflow in the Fp_toString function in jsfunction.c ...) - NOT-FOR-US: MuJS + - mujs <not-affected> (Fixed before initial upload to Debian) + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697137 CVE-2016-7563 (The chartorune function in Artifex Software MuJS allows attackers to c ...) - NOT-FOR-US: MuJS + - mujs <not-affected> (Fixed before initial upload to Debian) + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697136 CVE-2016-7562 (The ff_draw_pc_font function in libavcodec/cga_data.c in FFmpeg before ...) - ffmpeg 7:3.1.4-1 (bug #840434) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/496267f8e9ec218351e4359e1fde48722d4fc804 (n3.1.4) @@ -10403,11 +10415,14 @@ CVE-2016-7507 (Cross-Site Request Forgery (CSRF) vulnerability in GLPI 0.90.4 al - glpi <removed> (unimportant) NOTE: Only supported behind an authenticated HTTP zone CVE-2016-7506 (An out-of-bounds read vulnerability was observed in Sp_replace_regexp ...) - NOT-FOR-US: MuJS + - mujs <not-affected> (Fixed before initial upload to Debian) + NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=697141 CVE-2016-7505 (A buffer overflow vulnerability was observed in divby function of Arti ...) - NOT-FOR-US: MuJS + - mujs <not-affected> (Fixed before initial upload to Debian) + NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=697140 CVE-2016-7504 (A use-after-free vulnerability was observed in Rp_toString function of ...) - NOT-FOR-US: MuJS + - mujs <not-affected> (Fixed before initial upload to Debian) + NOTE: http://bugs.ghostscript.com/show_bug.cgi?id=697142 CVE-2016-7503 RESERVED CVE-2016-7502 (The cavs_idct8_add_c function in libavcodec/cavsdsp.c in FFmpeg before ...) diff --git a/data/CVE/2017.list b/data/CVE/2017.list index a1fac96a2a..5205dc5ec8 100644 --- a/data/CVE/2017.list +++ b/data/CVE/2017.list @@ -38593,9 +38593,13 @@ CVE-2017-5899 (Directory traversal vulnerability in the setuid root helper binar NOTE: https://git.sdaoden.eu/cgit/s-nail.git/commit/?id=f2699449b66dd702a98925bd1b11153a6f7294bf NOTE: https://www.openwall.com/lists/oss-security/2017/01/27/7 CVE-2017-5628 (An issue was discovered in Artifex Software, Inc. MuJS before 8f62ea10 ...) - NOT-FOR-US: MuJS + - mujs <not-affected> (Fixed before initial upload to Debian) + NOTE: http://git.ghostscript.com/?p=mujs.git;h=8f62ea10a0af68e56d5c00720523ebcba13c2e6a + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697496 CVE-2017-5627 (An issue was discovered in Artifex Software, Inc. MuJS before 4006739a ...) - NOT-FOR-US: MuJS + - mujs <not-affected> (Fixed before initial upload to Debian) + NOTE: http://git.ghostscript.com/?p=mujs.git;h=4006739a28367c708dea19aeb19b8a1a9326ce08 + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697497 CVE-2017-5617 (The SVG Salamander (aka svgSalamander) library, when used in a web app ...) {DSA-3781-1 DLA-816-1} - svgsalamander 1.1.1+dfsg-2 (bug #853134) diff --git a/data/CVE/2018.list b/data/CVE/2018.list index dfd8b00dba..76689c6d14 100644 --- a/data/CVE/2018.list +++ b/data/CVE/2018.list @@ -40038,7 +40038,9 @@ CVE-2018-6192 (In Artifex MuPDF 1.12.0, the pdf_read_new_xref function in pdf/pd NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698916 NOTE: Fixed by: http://www.ghostscript.com/cgi-bin/findgit.cgi?5e411a99604ff6be5db9e273ee84737204113299 CVE-2018-6191 (The js_strtod function in jsdtoa.c in Artifex MuJS through 1.0.2 has a ...) - NOT-FOR-US: MuJS + - mujs <not-affected> (Fixed before initial upload to Debian) + NOTE: http://git.ghostscript.com/?p=mujs.git;a=commit;h=25821e6d74fab5fcc200fe5e818362e03e114428 + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698920 CVE-2018-6190 (Netis WF2419 V3.2.41381 devices allow XSS via the Description field on ...) NOT-FOR-US: Netis WF2419 V3.2.41381 devices CVE-2018-6198 (w3m through 0.5.3 does not properly handle temporary files when the ~/ ...) @@ -41511,7 +41513,9 @@ CVE-2018-5761 (A man-in-the-middle vulnerability related to vCenter access was f CVE-2018-5760 RESERVED CVE-2018-5759 (jsparse.c in Artifex MuJS through 1.0.2 does not properly maintain the ...) - NOT-FOR-US: MuJS + - mujs <not-affected> (Fixed before initial upload to Debian) + NOTE: http://git.ghostscript.com/?p=mujs.git;a=commit;h=4d45a96e57fbabf00a7378b337d0ddcace6f38c1 + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=698868 CVE-2018-5758 (The Upload File functionality in upload.jspa in Aurea Jive Jive-n 9.0. ...) NOT-FOR-US: Aurea Jive Jive-n CVE-2018-5757 (An issue was discovered on AudioCodes 450HD IP Phone devices with firm ...) diff --git a/data/CVE/2019.list b/data/CVE/2019.list index f31013f89f..312abd2660 100644 --- a/data/CVE/2019.list +++ b/data/CVE/2019.list @@ -21262,7 +21262,8 @@ CVE-2019-12818 (An issue was discovered in the Linux kernel before 4.20.15. The CVE-2019-12799 (In createInstanceFromNamedArguments in Shopware through 5.6.x, a craft ...) NOT-FOR-US: Shopware CVE-2019-12798 (An issue was discovered in Artifex MuJS 1.0.5. regcompx in regexp.c do ...) - NOT-FOR-US: MuJS + - mujs <not-affected> (Fixed with initial upload to Debian) + NOTE: http://git.ghostscript.com/?p=mujs.git;h=7f50591861525f76e3ec7a63392656ff8c030af9 (1.0.6) CVE-2019-12797 (A clone version of an ELM327 OBD2 Bluetooth device has a hardcoded PIN ...) NOT-FOR-US: ELM327 OBD2 Bluetooth device CVE-2019-12796 @@ -25056,11 +25057,17 @@ CVE-2019-11415 (An issue was discovered on Intelbras IWR 3000N 1.5.0 devices. A CVE-2019-11414 (An issue was discovered on Intelbras IWR 3000N 1.5.0 devices. When the ...) NOT-FOR-US: Intelbras IWR 3000N 1.5.0 devices CVE-2019-11413 (An issue was discovered in Artifex MuJS 1.0.5. It has unlimited recurs ...) - NOT-FOR-US: MuJS + - mujs <not-affected> (Fixed with initial upload to Debian) + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700937 + NOTE: https://github.com/ccxvii/mujs/commit/00d4606c3baf813b7b1c176823b2729bf51002a2 CVE-2019-11412 (An issue was discovered in Artifex MuJS 1.0.5. jscompile.c can cause a ...) - NOT-FOR-US: MuJS + - mujs <not-affected> (Fixed with initial upload to Debian) + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700947 + NOTE: https://github.com/ccxvii/mujs/commit/1e5479084bc9852854feb1ba9bf68b52cd127e02 CVE-2019-11411 (An issue was discovered in Artifex MuJS 1.0.5. The Number#toFixed() an ...) - NOT-FOR-US: MuJS + - mujs <not-affected> (Fixed with initial upload to Debian) + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=700938 + NOTE: https://github.com/ccxvii/mujs/commit/da632ca08f240590d2dec786722ed08486ce1be6 CVE-2019-11410 (app/backup/index.php in the Backup Module in FusionPBX 4.4.3 suffers f ...) NOT-FOR-US: FreePBX CVE-2019-11409 (app/operator_panel/exec.php in the Operator Panel module in FusionPBX ...) diff --git a/data/CVE/2020.list b/data/CVE/2020.list index 066ea9c06e..b27bd2d558 100644 --- a/data/CVE/2020.list +++ b/data/CVE/2020.list @@ -15125,7 +15125,9 @@ CVE-2020-24344 (JerryScript through 2.3.0 has a (function({a=arguments}){const a NOTE: https://github.com/jerryscript-project/jerryscript/issues/3976 NOTE: https://github.com/jerryscript-project/jerryscript/commit/841d536fce1ce29267cdf0ea12be4026e1c35d3a CVE-2020-24343 (Artifex MuJS through 1.0.7 has a use-after-free in jsrun.c because of ...) - NOT-FOR-US: MuJS + - mujs <undetermined> + NOTE: https://github.com/ccxvii/mujs/issues/136 + TODO: check, issue seems to be of disputed validity CVE-2020-24342 (Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring be ...) - lua5.4 5.4.1-1 (bug #971012) NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00052.html |