new kamailio, jupyter-server issues

NFUs
author: Moritz Muehlenhoff <jmm@debian.org> 2020-11-26 22:37:38 +0100
committer: Moritz Muehlenhoff <jmm@debian.org> 2020-11-26 22:37:38 +0100
commit: 3f819c3f1cae30615fec5bccb5b15359d1cc04c2 (patch)
tree: ddb5dfadc8dcd305c5a63f417a18baf34b3f6c63 /data
parent: 4b74fd67b43097a11b9804345692fb620234b91f (diff)
2 files changed, 15 insertions, 12 deletions
diff --git a/data/CVE/2015.list b/data/CVE/2015.list
index ed5d300478..5107c97e2f 100644
--- a/data/CVE/2015.list
+++ b/data/CVE/2015.list
@@ -11717,7 +11717,7 @@ CVE-2015-5438
 CVE-2015-5437
 	REJECTED
 CVE-2015-5436 (A potential security vulnerability has been identified with HP Integra ...)
-	TODO: check
+	NOT-FOR-US: HP
 CVE-2015-5435 (Unspecified vulnerability in HP Integrated Lights-Out (iLO) firmware 3 ...)
 	NOT-FOR-US: HP
 CVE-2015-5434 (HPE Networking Products, originally branded as Comware 5, Comware 7, H ...)
diff --git a/data/CVE/2020.list b/data/CVE/2020.list
index 71a967d966..f5abd6774d 100644
--- a/data/CVE/2020.list
+++ b/data/CVE/2020.list
@@ -316,7 +316,7 @@ CVE-2020-28984 (prive/formulaires/configurer_preferences.php in SPIP before 3.2.
 	- spip 3.2.8-1
 	NOTE: https://git.spip.net/spip/spip/commit/ae4267eba1022dabc12831ddb021c5d6e09040f8
 CVE-2020-28975 (** DISPUTED ** svm_predict_values in svm.cpp in Libsvm v324, as used i ...)
-	TODO: check
+	NOTE: disputed libsvm non issue
 CVE-2020-28973
 	RESERVED
 CVE-2020-28972
@@ -1639,7 +1639,9 @@ CVE-2020-28974 (A slab-out-of-bounds read in fbcon in the Linux kernel before 5.
 	NOTE: https://git.kernel.org/linus/3c4e0dff2095c579b142d5a0693257f1c58b4804
 	NOTE: https://www.openwall.com/lists/oss-security/2020/11/09/2
 CVE-2020-28361 (Kamailio before 5.4.0, as used in Sip Express Router (SER) in Sippy So ...)
-	TODO: check, this might be specific to Kamailio as used in the specified product
+	- kamailio 5.4.0-1
+	[buster] - kamailio <no-dsa> (Minor issue)
+	NOTE: https://packetstormsecurity.com/files/159030/Kamailio-5.4.0-Header-Smuggling.html
 CVE-2020-28360 (Insufficient RegEx in private-ip npm package v1.0.5 and below insuffic ...)
 	NOT-FOR-US: Node private-ip
 CVE-2020-28359
@@ -4250,7 +4252,7 @@ CVE-2020-27209
 CVE-2020-27208
 	RESERVED
 CVE-2020-27207 (Zetetic SQLCipher 4.x before 4.4.1 has a use-after-free, related to sq ...)
-	TODO: check
+	NOT-FOR-US: Zetetic SQLCipher
 CVE-2020-27206
 	RESERVED
 CVE-2020-27205
@@ -6351,11 +6353,11 @@ CVE-2020-26243 (Nanopb is a small code-size Protocol Buffers implementation. In
 	NOTE: https://github.com/nanopb/nanopb/commit/edf6dcbffee4d614ac0c2c1b258ab95185bdb6e9 (0.4.4)
 	NOTE: https://github.com/nanopb/nanopb/issues/615
 CVE-2020-26242 (Go Ethereum, or "Geth", is the official Golang implementation of the E ...)
-	TODO: check
+	NOT-FOR-US: Go Ethereum
 CVE-2020-26241 (Go Ethereum, or "Geth", is the official Golang implementation of the E ...)
-	TODO: check
+	NOT-FOR-US: Go Ethereum
 CVE-2020-26240 (Go Ethereum, or "Geth", is the official Golang implementation of the E ...)
-	TODO: check
+	NOT-FOR-US: Go Ethereum
 CVE-2020-26239 (Scratch Addons is a WebExtension that supports both Chrome and Firefox ...)
 	NOT-FOR-US: Scratch Addons
 CVE-2020-26238 (Cron-utils is a Java library to parse, validate, migrate crons as well ...)
@@ -6373,7 +6375,9 @@ CVE-2020-26234
 CVE-2020-26233
 	RESERVED
 CVE-2020-26232 (Jupyter Server before version 1.0.6 has an Open redirect vulnerability ...)
-	TODO: check
+	- jupyter-server 1.0.7-1
+	NOTE: https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-grfj-wjv9-4f9v
+	NOTE: https://github.com/jupyter-server/jupyter_server/commit/3d83e49090289c431da253e2bdb8dc479cbcb157
 CVE-2020-26231 (October is a free, open-source, self-hosted CMS platform based on the  ...)
 	NOT-FOR-US: October CMS
 CVE-2020-26230 (Radar COVID is the official COVID-19 exposure notification app for Spa ...)
@@ -35457,7 +35461,6 @@ CVE-2020-12912 (A potential vulnerability in the AMD extension to Linux "hwmon"
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1897402
 	NOTE: https://support.lenovo.com/lu/uk/product_security/LEN-50481
 	NOTE: CONFIG_SENSORS_AMD_ENERGY not enabled in Debian builds
-	TODO: check, correctness
 CVE-2020-12911 (A denial of service vulnerability exists in the D3DKMTCreateAllocation ...)
 	NOT-FOR-US: AMD ATIKMDAG.SYS
 CVE-2020-12910
@@ -37034,7 +37037,7 @@ CVE-2020-12340
 CVE-2020-12339
 	RESERVED
 CVE-2020-12338 (Insufficient control flow management in the Open WebRTC Toolkit before ...)
-	TODO: check
+	NOT-FOR-US: Intel
 CVE-2020-12337 (Improper buffer restrictions in firmware for some Intel(R) NUCs may al ...)
 	NOT-FOR-US: Intel
 CVE-2020-12336 (Insecure default variable initialization in firmware for some Intel(R) ...)
@@ -48172,9 +48175,9 @@ CVE-2020-7781
 CVE-2020-7780
 	RESERVED
 CVE-2020-7779 (All versions of package djvalidator are vulnerable to Regular Expressi ...)
-	TODO: check
+	NOT-FOR-US: Node djvalidator
 CVE-2020-7778 (This affects the package systeminformation before 4.30.2. The attacker ...)
-	TODO: check
+	NOT-FOR-US: Node systeminformation
 CVE-2020-7777 (This affects all versions of package jsen. If an attacker can control  ...)
 	NOT-FOR-US: Node jsen
 CVE-2020-7776
author	Moritz Muehlenhoff <jmm@debian.org>	2020-11-26 22:37:38 +0100
committer	Moritz Muehlenhoff <jmm@debian.org>	2020-11-26 22:37:38 +0100
commit	3f819c3f1cae30615fec5bccb5b15359d1cc04c2 (patch)
tree	ddb5dfadc8dcd305c5a63f417a18baf34b3f6c63 /data
parent	4b74fd67b43097a11b9804345692fb620234b91f (diff)