author Moritz Muehlenhoff <jmm@debian.org> 2020-07-31 14:53:05 +0200
committer Moritz Muehlenhoff <jmm@debian.org> 2020-07-31 14:53:05 +0200
commit 5f1301481ff6df632f8d4a91c7b9e82a73f63143
tree 60b256d97341e73e30957320437bad56659ff464 /data/CVE
parent 418ac46eaeafef78471c605567e107d1726de4ef
NFUs
Diffstat (limited to 'data/CVE')
-rw-r--r-- data/CVE/2013.list 3
-rw-r--r-- data/CVE/2014.list 2
-rw-r--r-- data/CVE/2016.list 4
-rw-r--r-- data/CVE/2020.list 18
4 files changed, 13 insertions, 14 deletions
diff --git a/data/CVE/2013.list b/data/CVE/2013.list
index 3b14bebc61..c801abb6fc 100644
--- a/data/CVE/2013.list
+++ b/data/CVE/2013.list
@@ -4140,8 +4140,7 @@ CVE-2013-5961 (Unrestricted file upload vulnerability in lazyseo.php in the Lazy
CVE-2013-5960 (The authenticated-encryption feature in the symmetric-encryption imple ...)
NOT-FOR-US: OWASP Enterprise Security API for Java
CVE-2013-5958 (The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2. ...)
- NOT-FOR-US: Symfony
- TODO: Check if php-symfony-polyfill/1.17.0-1 needs to be tracked
+ - symfony <not-affected> (Fixed before initial upload)
CVE-2013-5957 (Multiple SQL injection vulnerabilities in CRM/Core/Page/AJAX/Location. ...)
- civicrm <not-affected> (Fixed before initial upload to the archive)
CVE-2013-5956 (Cross-site scripting (XSS) vulnerability in includes/flvthumbnail.php ...)
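Review bot: The new CVE-2013-5958 line drops the TODO about php-symfony-polyfill/1.17.0-1 without recording what that check concluded, and it turns a NOT-FOR-US entry into a tracked package, which the commit message "NFUs" does not cover. A short NOTE stating that the polyfill package was checked and does not carry the affected Security component would keep the reasoning in the tracker. The reason text could also match the civicrm entry two lines below, "(Fixed before initial upload to the archive)".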
diff --git a/data/CVE/2014.list b/data/CVE/2014.list
index 94239f8a31..b571dcf687 100644
--- a/data/CVE/2014.list
+++ b/data/CVE/2014.list
@@ -23700,7 +23700,7 @@ CVE-2014-1424 (apparmor_parser in the apparmor package before 2.8.95~2430-0ubunt
CVE-2014-1423 (signond before 8.57+15.04.20141127.1-0ubuntu1, as used in Ubuntu Touch ...)
NOT-FOR-US: signond from Ubuntu Touch
CVE-2014-1422 (In Ubuntu's trust-store, if a user revokes location access from an app ...)
- TODO: check
+ NOT-FOR-US: Ubuntu trust-store
CVE-2014-1421 (mountall 1.54, as used in Ubuntu 14.10, does not properly handle the u ...)
- mountall <not-affected> (partman-efi in jessie uses secure umask, mount in older releases not affected)
NOTE: See https://bugs.launchpad.net/ubuntu/+source/partman-efi/+bug/1390183
diff --git a/data/CVE/2016.list b/data/CVE/2016.list
index 017c46935d..1450c7ca61 100644
--- a/data/CVE/2016.list
+++ b/data/CVE/2016.list
@@ -11796,9 +11796,9 @@ CVE-2016-7066 (It was found that the improper default permissions on /tmp/auth d
CVE-2016-7065 (The JMX servlet in Red Hat JBoss Enterprise Application Platform (EAP) ...)
NOT-FOR-US: Red Hat JBoss EAP
CVE-2016-7064 (A flaw was found in pritunl-client before version 1.0.1116.6. A lack o ...)
- TODO: check
+ NOT-FOR-US: pritunl-client
CVE-2016-7063 (A flaw was found in pritunl-client before version 1.0.1116.6. Arbitrar ...)
- TODO: check
+ NOT-FOR-US: pritunl-client
CVE-2016-7062 (rhscon-ceph in Red Hat Storage Console 2 x86_64 and Red Hat Storage Co ...)
NOT-FOR-US: Red Hat rhscon-core
CVE-2016-7061 (An information disclosure vulnerability was found in JBoss Enterprise ...)
diff --git a/data/CVE/2020.list b/data/CVE/2020.list
index e55af44bce..d4ffcb770f 100644
--- a/data/CVE/2020.list
+++ b/data/CVE/2020.list
@@ -230,7 +230,7 @@ CVE-2020-16090
CVE-2020-16089
RESERVED
CVE-2020-16088 (iked in OpenIKED, as used in OpenBSD through 6.7, allows authenticatio ...)
- TODO: check
+ NOT-FOR-US: OpenIKED
CVE-2020-16087
RESERVED
CVE-2020-16086
@@ -2398,9 +2398,9 @@ CVE-2020-15133
CVE-2020-15132
RESERVED
CVE-2020-15131 (In SLP Validate (npm package slp-validate) before version 1.2.2, there ...)
- TODO: check
+ NOT-FOR-US: Node slp-validate
CVE-2020-15130 (In SLPJS (npm package slpjs) before version 0.27.4, there is a vulnera ...)
- TODO: check
+ NOT-FOR-US: Node slpjs
CVE-2020-15129 (In Traefik before versions 1.7.26, 2.2.8, and 2.3.0-rc3, there exists ...)
NOT-FOR-US: Traefik
CVE-2020-15128
@@ -2410,7 +2410,7 @@ CVE-2020-15127
CVE-2020-15126 (In parser-server from version 3.5.0 and before 4.3.0, an authenticated ...)
NOT-FOR-US: Node parser-server
CVE-2020-15125 (In auth0 (npm package) versions before 2.27.1, a DenyList of specific ...)
- TODO: check
+ NOT-FOR-US: Node auth0
CVE-2020-15124 (In Goobi Viewer Core before version 4.8.3, a path traversal vulnerabil ...)
NOT-FOR-US: Goobi Viewer Core
CVE-2020-15123 (In codecov (npm package) before version 3.7.1 the upload method has a ...)
@@ -18838,7 +18838,7 @@ CVE-2020-8217 (A cross site scripting (XSS) vulnerability in Pulse Connect Secur
CVE-2020-8216 (An information disclosure vulnerability in meeting of Pulse Connect Se ...)
NOT-FOR-US: Pulse
CVE-2020-8215 (A buffer overflow is present in canvas version &lt;= 1.6.9, which coul ...)
- TODO: check
+ NOT-FOR-US: Node canvas
CVE-2020-8214 (A path traversal vulnerability in servey version &lt; 3 allows an atta ...)
NOT-FOR-US: servey
CVE-2020-8213 (An information exposure vulnerability exists in UniFi Protect v1.13.3 ...)
@@ -18867,7 +18867,7 @@ CVE-2020-8203 (Prototype pollution attack when using _.zipObjectDeep in lodash &
[stretch] - node-lodash <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://hackerone.com/reports/712065
CVE-2020-8202 (Improper check of inputs in Nextcloud Preferred Providers app v1.6.0 a ...)
- TODO: check
+ NOT-FOR-US: Nextcloud Preferred Providers app
CVE-2020-8201
RESERVED
CVE-2020-8200
@@ -18887,7 +18887,7 @@ CVE-2020-8194 (Reflected code injection in Citrix ADC and Citrix Gateway version
CVE-2020-8193 (Improper access control in Citrix ADC and Citrix Gateway versions befo ...)
NOT-FOR-US: Citrix
CVE-2020-8192 (A denial of service vulnerability exists in Fastify v2.14.1 and v3.0.0 ...)
- TODO: check
+ NOT-FOR-US: Node fastify
CVE-2020-8191 (Improper input validation in Citrix ADC and Citrix Gateway versions be ...)
NOT-FOR-US: Citrix
CVE-2020-8190 (Incorrect file permissions in Citrix ADC and Citrix Gateway before ver ...)
@@ -18931,7 +18931,7 @@ CVE-2020-8177
CVE-2020-8176 (A cross-site scripting vulnerability exists in koa-shopify-auth v3.1.6 ...)
NOT-FOR-US: koa-shopify-auth
CVE-2020-8175 (Uncontrolled resource consumption in `jpeg-js` before 0.4.0 may allow ...)
- TODO: check
+ NOT-FOR-US: Node jimp
CVE-2020-8174 (napi_get_value_string_*() allows various kinds of memory corruption in ...)
{DSA-4696-1}
- nodejs 10.21.0~dfsg-1 (bug #962145)
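Review bot: The tag added for CVE-2020-8175 reads "NOT-FOR-US: Node jimp", but the description on the line above it names `jpeg-js` before 0.4.0 as the affected package. Either tag it "NOT-FOR-US: Node jpeg-js" or add a NOTE explaining why jimp is the name recorded, so that a later search of the tracker for jpeg-js finds the triage decision.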
@@ -20020,7 +20020,7 @@ CVE-2020-7701
CVE-2020-7700
RESERVED
CVE-2020-7699 (This affects the package express-fileupload before 1.1.8. If the parse ...)
- TODO: check
+ NOT-FOR-US: express-fileupload
CVE-2020-7698 (This affects the package Gerapy from 0 and before 0.9.3. The input bei ...)
TODO: check
CVE-2020-7697 (This affects all versions of package mock2easy. a malicious user could ...)
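Review bot: The tag added for CVE-2020-7699 is "NOT-FOR-US: express-fileupload", while the other package-manager entries triaged in this commit use a "Node" prefix (Node slp-validate, Node slpjs, Node auth0, Node canvas, Node fastify). If this is an npm package like those, "NOT-FOR-US: Node express-fileupload" would keep the labels consistent and greppable. CVE-2020-7698 directly below is left at "TODO: check", which is fine if intentional.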
