From ee366e83ac7160626a4f78878d1d434cf393a6c7 Mon Sep 17 00:00:00 2001 From: Moritz Muehlenhoff Date: Mon, 1 Nov 2021 09:35:51 +0100 Subject: NFUs remove TODO for libstd, codebases which embed it not security relevant --- data/CVE/2020.list | 2 -- data/CVE/2021.list | 24 +++++++++++------------- 2 files changed, 11 insertions(+), 15 deletions(-) diff --git a/data/CVE/2020.list b/data/CVE/2020.list index 439bd856f1..58090cfb5f 100644 --- a/data/CVE/2020.list +++ b/data/CVE/2020.list @@ -57633,8 +57633,6 @@ CVE-2020-6619 (stb stb_truetype.h through 1.22 has an assertion failure in stbtt NOTE: stb_truetype.h explicitly marked as unsuitable for untrusted files CVE-2020-6618 (stb stb_truetype.h through 1.22 has a heap-based buffer over-read in s ...) - libstb (unimportant; bug #949555) - [bullseye] - libstb (Minor issue) - [buster] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/issues/866 NOTE: stb_truetype.h explicitly marked as unsuitable for untrusted files CVE-2020-6617 (stb stb_truetype.h through 1.22 has an assertion failure in stbtt__cff ...) diff --git a/data/CVE/2021.list b/data/CVE/2021.list index d54140df2a..32a1556643 100644 --- a/data/CVE/2021.list +++ b/data/CVE/2021.list @@ -983,16 +983,14 @@ CVE-2021-3894 CVE-2021-42717 RESERVED CVE-2021-42716 (An issue was discovered in stb stb_image.h 2.27. The PNM loader incorr ...) - - libstb + - libstb NOTE: https://github.com/nothings/stb/issues/1166 NOTE: https://github.com/nothings/stb/issues/1225 NOTE: https://github.com/nothings/stb/pull/1223 - TODO: check libstb itself, and various packages embedd a copy CVE-2021-42715 (An issue was discovered in stb stb_image.h 1.33 through 2.27. The HDR ...) - - libstb + - libstb NOTE: https://github.com/nothings/stb/issues/1224 NOTE: https://github.com/nothings/stb/pull/1223 - TODO: check libstb itself, and various packages embedd a copy CVE-2021-42714 RESERVED CVE-2021-42713 @@ -1034,7 +1032,7 @@ CVE-2021-42696 CVE-2021-42695 RESERVED CVE-2021-42694 (An issue was discovered in the character definitions of the Unicode Sp ...) - TODO: check + NOT-FOR-US: Unicode spec CVE-2021-42693 RESERVED CVE-2021-42692 @@ -4124,7 +4122,7 @@ CVE-2021-3813 CVE-2021-41314 (Certain NETGEAR smart switches are affected by a \n injection in the w ...) NOT-FOR-US: NETGEAR CVE-2021-41313 (Affected versions of Atlassian Jira Server and Data Center allow authe ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2021-41312 RESERVED CVE-2021-41311 @@ -4394,7 +4392,7 @@ CVE-2021-41196 CVE-2021-41195 RESERVED CVE-2021-41194 (FirstUseAuthenticator is a JupyterHub authenticator that helps new use ...) - TODO: check + NOT-FOR-US: FirstUseAuthenticator for JupyterHub CVE-2021-41193 RESERVED CVE-2021-41192 @@ -4453,9 +4451,9 @@ CVE-2021-41170 CVE-2021-41169 (Sulu is an open-source PHP content management system based on the Symf ...) NOT-FOR-US: Sulu CVE-2021-41168 (Snudown is a reddit-specific fork of the Sundown Markdown parser used ...) - TODO: check + NOT-FOR-US: Snudown CVE-2021-41167 (modern-async is an open source JavaScript tooling library for asynchro ...) - TODO: check + NOT-FOR-US: modern-async CVE-2021-41166 RESERVED CVE-2021-41165 @@ -4501,9 +4499,9 @@ CVE-2021-41152 (OpenOlat is a web-based e-learning platform for teaching, learni CVE-2021-41151 (Backstage is an open platform for building developer portals. In affec ...) NOT-FOR-US: Backstage CVE-2021-41150 (Tough provides a set of Rust libraries and tools for using and generat ...) - TODO: check + NOT-FOR-US: Tough CVE-2021-41149 (Tough provides a set of Rust libraries and tools for using and generat ...) - TODO: check + NOT-FOR-US: Tough CVE-2021-41148 (Tuleap Open ALM is a libre and open source tool for end to end traceab ...) NOT-FOR-US: Tuleap CVE-2021-41147 (Tuleap Open ALM is a libre and open source tool for end to end traceab ...) @@ -11050,7 +11048,7 @@ CVE-2021-38380 (Live555 through 1.08 mishandles huge requests for the same MP3 s NOTE: http://lists.live555.com/pipermail/live-devel/2021-August/021954.html NOTE: http://www.live555.com/liveMedia/public/changelog.txt#[2021.08.04] CVE-2021-38379 (The Hub in CFEngine Enterprise 3.6.7 through 3.18.0 has Insecure Permi ...) - TODO: check + NOT-FOR-US: CFEngine Enterprise CVE-2021-38378 RESERVED CVE-2021-38377 @@ -14866,7 +14864,7 @@ CVE-2021-36758 (1Password Connect server before 1.2 is missing validation checks CVE-2021-36757 RESERVED CVE-2021-36756 (CFEngine Enterprise 3.15.0 through 3.15.4 has Missing SSL Certificate ...) - TODO: check + NOT-FOR-US: CFEngine Enterprise CVE-2021-36755 (Nightscout Web Monitor (aka cgm-remote-monitor) 14.2.2 allows XSS via ...) NOT-FOR-US: Nightscout Web Monitor CVE-2021-36754 (PowerDNS Authoritative Server 4.5.0 before 4.5.1 allows anybody to cra ...) -- cgit v1.2.3