authorMoritz Muehlenhoff <jmm@debian.org>2021-02-22 18:45:05 +0100
committerMoritz Muehlenhoff <jmm@debian.org>2021-02-22 18:45:05 +0100
commit257dade949b8793fc3bd1642c988bd5b8f4e7789 (patch)
tree107d8a5e5af3f5c63d8f18efc0ce58834753eb78 /data/CVE/2020.list
parentb458206a85ef6a9528e3e27b1c19ae92cecf550c (diff)
new gsoap, ruby-twitter-stream issues
NFUs some rust issues no-dsa in buster
Diffstat (limited to 'data/CVE/2020.list')
-rw-r--r--data/CVE/2020.list59
1 files changed, 36 insertions, 23 deletions
diff --git a/data/CVE/2020.list b/data/CVE/2020.list
index 652c397525..407022c592 100644
--- a/data/CVE/2020.list
+++ b/data/CVE/2020.list
@@ -1274,6 +1274,7 @@ CVE-2020-35709 (bloofoxCMS 0.5.2.1 allows admins to upload arbitrary .php files
NOT-FOR-US: bloofoxCMS
CVE-2020-35711 (An issue has been discovered in the arc-swap crate before 0.4.8 (and 1 ...)
- rust-arc-swap <unfixed>
+ [buster] - rust-arc-swap <no-dsa> (Minor issue)
NOTE: https://github.com/vorner/arc-swap/issues/45
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0091.html
CVE-2020-35708 (phpList 3.5.9 allows SQL injection by admins who provide a crafted fou ...)
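Review bot: the unstable entry `- rust-arc-swap <unfixed>` carries no `(bug #...)` reference, unlike the rust-lock-api entries later in this change that pair `<unfixed>` with `(bug #975319)`; with only the buster `<no-dsa>` annotation added, nothing records that a fix in unstable is being tracked. Consider filing a bug against rust-arc-swap and appending its number, so the no-dsa decision for buster is backed by a visible tracking reference.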
@@ -4374,22 +4375,27 @@ CVE-2020-26235 (In Rust time crate from version 0.2.7 and before version 0.2.23,
NOTE: Deprecated in: https://github.com/time-rs/time/commit/f153a1ca5fdfec979f16c49619e6034cc67e186d (v0.2.23)
CVE-2020-35914 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...)
- rust-lock-api <unfixed> (bug #975319)
+ [buster] - rust-lock-api <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
NOTE: https://github.com/Amanieu/parking_lot/pull/262
CVE-2020-35913 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...)
- rust-lock-api <unfixed> (bug #975319)
+ [buster] - rust-lock-api <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
NOTE: https://github.com/Amanieu/parking_lot/pull/262
CVE-2020-35912 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...)
- rust-lock-api <unfixed> (bug #975319)
+ [buster] - rust-lock-api <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
NOTE: https://github.com/Amanieu/parking_lot/pull/262
CVE-2020-35911 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...)
- rust-lock-api <unfixed> (bug #975319)
+ [buster] - rust-lock-api <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
NOTE: https://github.com/Amanieu/parking_lot/pull/262
CVE-2020-35910 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...)
- rust-lock-api <unfixed> (bug #975319)
+ [buster] - rust-lock-api <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
NOTE: https://github.com/Amanieu/parking_lot/pull/262
CVE-2020-28971 (An issue was discovered on Western Digital My Cloud OS 5 devices befor ...)
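Review bot: the `(Minor issue)` justification is repeated identically for five CVE ids that all point at the same RUSTSEC-2020-0070 advisory and the same upstream PR, but none of the five records why the issue is minor for buster. A single NOTE line under one of the entries (or each) stating the reasoning behind the no-dsa decision would let a later reader verify the triage without re-reading the upstream advisory.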
@@ -13885,7 +13891,7 @@ CVE-2020-24910
CVE-2020-24909
RESERVED
CVE-2020-24908 (Checkmk before 1.6.0p17 allows local users to obtain SYSTEM privileges ...)
- TODO: check
+ - check-mk <removed>
CVE-2020-24907
RESERVED
CVE-2020-24906
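Review bot: `- check-mk <removed>` resolves the TODO without any NOTE, so the entry gives no way to confirm that check-mk is absent from every supported suite or when it was removed; other resolved entries in this change carry a bug number or an advisory link. Consider adding a NOTE with the removal bug reference so the `<removed>` status stays verifiable later.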
@@ -15016,7 +15022,8 @@ CVE-2020-24394 (In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS serv
CVE-2020-24393 (TweetStream 2.6.1 uses the library eventmachine in an insecure way tha ...)
NOT-FOR-US: TweetStream
CVE-2020-24392 (In voloko twitter-stream 0.1.10, missing TLS hostname validation allow ...)
- TODO: check
+ - ruby-twitter-stream <unfixed>
+ NOTE: https://securitylab.github.com/advisories/GHSL-2020-097-voloko-twitter-stream
CVE-2020-24391
RESERVED
CVE-2020-24390 (eonweb in EyesOfNetwork before 5.3-7 does not properly escape the user ...)
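Review bot: `- ruby-twitter-stream <unfixed>` has neither a `(bug #...)` reference nor a `[buster]` annotation, so the entry does not say whether a fix is being tracked or what buster's status is for a missing TLS hostname validation issue. The GHSL advisory NOTE is useful; pairing it with a filed bug number and a buster decision line, as done for the lock_api entries above, would complete the triage.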
@@ -38586,15 +38593,20 @@ CVE-2020-13580 (An exploitable heap-based buffer overflow vulnerability exists i
CVE-2020-13579 (An exploitable integer overflow vulnerability exists in the PlanMaker ...)
NOT-FOR-US: SoftMaker
CVE-2020-13578 (A denial-of-service vulnerability exists in the WS-Security plugin fun ...)
- TODO: check
+ - gsoap <unfixed>
+ NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1189
CVE-2020-13577 (A denial-of-service vulnerability exists in the WS-Security plugin fun ...)
- TODO: check
+ - gsoap <unfixed>
+ NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1188
CVE-2020-13576 (A code execution vulnerability exists in the WS-Addressing plugin func ...)
- TODO: check
+ - gsoap <unfixed>
+ NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1187
CVE-2020-13575 (A denial-of-service vulnerability exists in the WS-Addressing plugin f ...)
- TODO: check
+ - gsoap <unfixed>
+ NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1186
CVE-2020-13574 (A denial-of-service vulnerability exists in the WS-Security plugin fun ...)
- TODO: check
+ - gsoap <unfixed>
+ NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1185
CVE-2020-13573 (A denial-of-service vulnerability exists in the Ethernet/IP server fun ...)
NOT-FOR-US: Rockwell Automation RSLinx Classic
CVE-2020-13572 (A heap overflow vulnerability exists in the way the GIF parser decodes ...)
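Review bot: the five gsoap entries are marked `<unfixed>` with TALOS report links but no `(bug #...)` reference and no `[buster]` annotation, and the descriptions are not uniform in severity: CVE-2020-13576 is described as a code execution vulnerability while the other four are denial-of-service issues in the WS-Security and WS-Addressing plugins. Consider filing a tracking bug and recording a buster decision, and triaging CVE-2020-13576 separately from the DoS entries rather than with one blanket status.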
@@ -44406,7 +44418,7 @@ CVE-2020-11225 (Out of bound access in WLAN driver due to lack of validation of
CVE-2020-11224
RESERVED
CVE-2020-11223 (Out of bound in camera driver due to lack of check of validation of ar ...)
- TODO: check
+ NOT-FOR-US: Qualcomm components for Android
CVE-2020-11222
RESERVED
CVE-2020-11221
@@ -44444,7 +44456,7 @@ CVE-2020-11206 (u'Possible buffer overflow in Fastrpc while handling received pa
CVE-2020-11205 (u'Possible integer overflow to heap overflow while processing command ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2020-11204 (Possible memory corruption and information leakage in sub-system due t ...)
- TODO: check
+ NOT-FOR-US: Qualcomm components for Android
CVE-2020-11203 (Stack overflow may occur if GSM/WCDMA broadcast config size received f ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2020-11202 (u'Buffer overflow/underflow occurs when typecasting the buffer passed ...)
@@ -44456,15 +44468,15 @@ CVE-2020-11200 (Buffer over-read while parsing RPS due to lack of check of input
CVE-2020-11199
RESERVED
CVE-2020-11198 (Key material used for TZ diag buffer encryption and other data related ...)
- TODO: check
+ NOT-FOR-US: Qualcomm components for Android
CVE-2020-11197 (Possible integer overflow can occur when stream info update is called ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2020-11196 (u'Integer overflow to buffer overflow occurs while playback of ASF cli ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2020-11195 (Out of bound write and read in TA while processing command from NS sid ...)
- TODO: check
+ NOT-FOR-US: Qualcomm components for Android
CVE-2020-11194 (Possible out of bound access in TA while processing a command from NS ...)
- TODO: check
+ NOT-FOR-US: Qualcomm components for Android
CVE-2020-11193 (u'Buffer over read can happen while parsing mkv clip due to improper t ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2020-11192
@@ -44562,7 +44574,7 @@ CVE-2020-11149 (Out of bound access due to usage of an out-of-range pointer offs
CVE-2020-11148 (Use after free issue in HIDL while using callback to post event in Rx ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2020-11147 (Use after free issue in audio modules while removing and freeing objec ...)
- TODO: check
+ NOT-FOR-US: Qualcomm components for Android
CVE-2020-11146 (Out of bound write while copying data using IOCTL due to lack of check ...)
NOT-FOR-US: Qualcomm components for Android
CVE-2020-11145 (Divide by zero issue can happen while updating delta extension header ...)
@@ -51012,9 +51024,9 @@ CVE-2020-8569 (Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 cou
NOT-FOR-US: Kubernetes CSI Snapshotter
NOTE: https://github.com/kubernetes-csi/external-snapshotter/issues/421
CVE-2020-8568 (Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow ...)
- TODO: check
+ NOT-FOR-US: Kubernetes Secrets Store CSI Driver
CVE-2020-8567 (Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azur ...)
- TODO: check
+ NOT-FOR-US: Kubernetes Secrets Store CSI Driver
CVE-2020-8566 (In Kubernetes clusters using Ceph RBD as a storage provisioner, with l ...)
- kubernetes 1.19.3-1 (bug #972341)
NOTE: https://github.com/kubernetes/kubernetes/pull/95245
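Review bot: the two new `NOT-FOR-US: Kubernetes Secrets Store CSI Driver` lines carry no NOTE, while the adjacent NOT-FOR-US entry for CVE-2020-8569 links the upstream issue; for consistency and later lookup, consider adding the upstream advisory link for CVE-2020-8568 and CVE-2020-8567 as well. The CVE-2020-8567 description names the Vault and Azure plugins specifically, so the NOT-FOR-US label could mention the plugins to make the scope of the decision clear.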
@@ -52333,7 +52345,8 @@ CVE-2020-8033 (Ruckus R500 3.4.2.0.384 devices allow XSS via the index.asp Devic
CVE-2020-8032
RESERVED
CVE-2020-8031 (A Improper Neutralization of Input During Web Page Generation ('Cross- ...)
- TODO: check
+ - open-build-service <unfixed>
+ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1178880
CVE-2020-8030 (A Insecure Temporary File vulnerability in skuba of SUSE CaaS Platform ...)
NOT-FOR-US: SuSE CaaS
CVE-2020-8029 (A Incorrect Permission Assignment for Critical Resource vulnerability ...)
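Review bot: `- open-build-service <unfixed>` is added with only the SUSE bugzilla NOTE; there is no `(bug #...)` reference and no `[buster]` line, so the entry does not say whether a Debian bug has been filed or what the buster status is for this cross-site scripting issue. Consider adding both, following the format used for node-ua-parser-js in the same file.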
@@ -52875,7 +52888,7 @@ CVE-2020-7796 (Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSR
CVE-2020-7795
RESERVED
CVE-2020-7794 (This affects all versions of package buns. The injection point is loca ...)
- TODO: check
+ NOT-FOR-US: Node buns
CVE-2020-7793 (The package ua-parser-js before 0.7.23 are vulnerable to Regular Expre ...)
- node-ua-parser-js 0.7.23+ds-1
[buster] - node-ua-parser-js <no-dsa> (Minor issue)
@@ -52898,7 +52911,7 @@ CVE-2020-7788 (This affects the package ini before 1.3.6. If an attacker submits
CVE-2020-7787 (This affects all versions of package react-adal. It is possible for a ...)
NOT-FOR-US: Node react-adal
CVE-2020-7786 (This affects all versions of package macfromip. The injection point is ...)
- TODO: check
+ NOT-FOR-US: Node macfromip
CVE-2020-7785 (This affects all versions of package node-ps. The injection point is l ...)
TODO: check
CVE-2020-7784 (This affects all versions of package ts-process-promises. The injectio ...)
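Review bot: CVE-2020-7786 (macfromip) is resolved as `NOT-FOR-US: Node macfromip`, but the neighbouring CVE-2020-7785 (node-ps) and CVE-2020-7784 (ts-process-promises), which carry the same "affects all versions of package ... injection point" description pattern, are left at `TODO: check`. If the same NOT-FOR-US reasoning applies to those packages, resolve them in the same change; if not, a NOTE explaining the difference would help the next person who picks up the TODOs.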
@@ -58631,9 +58644,9 @@ CVE-2020-5430
CVE-2020-5429
REJECTED
CVE-2020-5428 (In applications using Spring Cloud Task 2.2.4.RELEASE and below, may b ...)
- TODO: check
+ NOT-FOR-US: Vmware
CVE-2020-5427 (In Spring Cloud Data Flow, versions 2.6.x prior to 2.6.5, versions 2.5 ...)
- TODO: check
+ NOT-FOR-US: Vmware
CVE-2020-5426 (Scheduler for TAS prior to version 1.4.0 was permitting plaintext tran ...)
NOT-FOR-US: Vmware
CVE-2020-5425 (Single Sign-On for Vmware Tanzu all versions prior to 1.11.3 ,1.12.x v ...)
@@ -62443,7 +62456,7 @@ CVE-2020-3666 (u'Out of bounds memory access during memory copy while processing
CVE-2020-3665 (A possible buffer overflow would occur while processing command from f ...)
NOT-FOR-US: Snapdragon
CVE-2020-3664 (Out of bound read access in hypervisor due to an invalid read access a ...)
- TODO: check
+ NOT-FOR-US: Qualcomm components for Android
CVE-2020-3663 (Buffer over-write may occur during fetching track decoder specific inf ...)
NOT-FOR-US: Snapdragon
CVE-2020-3662 (Buffer overflow can occur while parsing eac3 header while playing the ...)
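Review bot: the new line uses `NOT-FOR-US: Qualcomm components for Android`, while the adjacent entries CVE-2020-3665 and CVE-2020-3663 in the same hunk use `NOT-FOR-US: Snapdragon` for the same vendor's advisories. Pick one label for this block so searches on the NOT-FOR-US string return the whole family of entries.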
@@ -66832,7 +66845,7 @@ CVE-2020-1725 (A flaw was found in keycloak before version 13.0.0. In some scena
CVE-2020-1724 (A flaw was found in Keycloak in versions before 9.0.2. This flaw allow ...)
NOT-FOR-US: Keycloak
CVE-2020-1723 (The logout endpoint /oauth/logout?redirect=url can be abused to redire ...)
- TODO: check
+ NOT-FOR-US: Keycloak
CVE-2020-1722 (A flaw was found in all ipa versions 4.x.x through 4.8.0. When sending ...)
- freeipa 4.8.8-2 (bug #966200)
[buster] - freeipa <no-dsa> (Minor issue)
@@ -69446,7 +69459,7 @@ CVE-2020-0473 (In updateIncomingFileConfirmNotification of BluetoothOppNotificat
CVE-2020-0472
RESERVED
CVE-2020-0471 (In reassemble_and_dispatch of packet_fragmenter.cc, there is a possibl ...)
- TODO: check
+ NOT-FOR-US: Android
CVE-2020-0470 (In extend_frame_highbd of restoration.c, there is a possible out of bo ...)
NOT-FOR-US: Android Media Framework
CVE-2020-0469 (In addEscrowToken of LockSettingsService.java, there is a possible los ...)
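Review bot: the new `NOT-FOR-US: Android` is coarser than the neighbouring `NOT-FOR-US: Android Media Framework` label used for CVE-2020-0470; the CVE-2020-0471 description references packet_fragmenter.cc, which identifies the affected component, so a component-level label in the same style would keep the block consistent.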
