new files

Author: ahouseholder

data/1/vu_782301/vendor_cheu-blhrnv.json

@@ -0,0 +1,14 @@
+{
+  "Addendum": "",
+  "DateLastUpdated": "2020-02-16T16:44:00-05:00",
+  "DateNotified": "2020-02-05T15:07:34-05:00",
+  "DateResponded": "",
+  "ID": "VU#782301",
+  "Revision": 3,
+  "Status": "Not Affected",
+  "Vendor": "lwIP",
+  "VendorInformation": "EAP was never used by any lwIP user. The lwIP PPP support is mostly used with cellular modems only as a framing protocol limited to the serial link between the MCU and the modem were security is less relevant because it is not authenticated anyway. The lwIP so far has had support for  PAP, CHAP, MS-CHAP (tied to MPPE keys exchange), but EAP has never been enabled from compile time.",
+  "VendorRecordID": "CHEU-BLHRNV",
+  "VendorReferences": "If you plan to compile lwIP with EAP support, please ensure you apply both the patches linked below as it also resolves the issue of preventing response to unsolicited EAP messages as well as buffer overflow due to the bounds check logic flaw. http://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=2ee3cbe69c6d2805e64e7cac2a1c1706e49ffd86\nhttp://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=d281d3e9592a3ca2ad0c3b7840f8036facc02f7b",
+  "VendorStatement": "lwIP is a bit different than pppd, we added a lot of preprocessor directives to enable or disable features at compile time in order to reduce binary size output and EAP is disabled by default: http://git.savannah.nongnu.org/cgit/lwip.git/tree/src/include/netif/ppp/ppp_opts.h?id=d281d3e9592a3ca2ad0c3b7840f8036facc02f7b#n234 \nhttp://git.savannah.nongnu.org/cgit/lwip.git/tree/src/netif/ppp/eap.c?id=d281d3e9592a3ca2ad0c3b7840f8036facc02f7b#n46 \nThat is, no product using lwIP were ever shipped with the EAP code compiled at all."
+}

data/1/vu_782301/vendor_cheu-blptw4.json

@@ -0,0 +1,14 @@
+{
+  "Addendum": "",
+  "DateLastUpdated": "2020-02-11T17:04:56-05:00",
+  "DateNotified": "2020-02-11T17:00:10-05:00",
+  "DateResponded": "",
+  "ID": "VU#782301",
+  "Revision": 0,
+  "Status": "Unknown",
+  "Vendor": "Alpine Linux",
+  "VendorInformation": "",
+  "VendorRecordID": "CHEU-BLPTW4",
+  "VendorReferences": "",
+  "VendorStatement": ""
+}

data/1/vu_782301/vendor_cheu-blptw6.json

@@ -0,0 +1,14 @@
+{
+  "Addendum": "",
+  "DateLastUpdated": "2020-02-11T17:04:57-05:00",
+  "DateNotified": "2020-02-11T17:00:10-05:00",
+  "DateResponded": "",
+  "ID": "VU#782301",
+  "Revision": 0,
+  "Status": "Unknown",
+  "Vendor": "Aspera Inc.",
+  "VendorInformation": "",
+  "VendorRecordID": "CHEU-BLPTW6",
+  "VendorReferences": "",
+  "VendorStatement": ""
+}

data/1/vu_782301/vendor_cheu-blptw8.json

@@ -0,0 +1,14 @@
+{
+  "Addendum": "There are no additional comments at this time.",
+  "DateLastUpdated": "2020-02-19T13:05:00-05:00",
+  "DateNotified": "2020-02-11T17:00:10-05:00",
+  "DateResponded": "",
+  "ID": "VU#782301",
+  "Revision": 2,
+  "Status": "Not Affected",
+  "Vendor": "Apple",
+  "VendorInformation": "Apple has a forked version of ppp that was modified years earlier. It shows not affected due to the source code changes.",
+  "VendorRecordID": "CHEU-BLPTW8",
+  "VendorReferences": "None",
+  "VendorStatement": "No statement is currently available from the vendor regarding this vulnerability."
+}

data/1/vu_782301/vendor_cheu-blptwa.json

@@ -0,0 +1,14 @@
+{
+  "Addendum": "There are no additional comments at this time.",
+  "DateLastUpdated": "2020-03-10T10:49:00-04:00",
+  "DateNotified": "2020-02-11T17:00:10-05:00",
+  "DateResponded": "",
+  "ID": "VU#782301",
+  "Revision": 2,
+  "Status": "Affected",
+  "Vendor": "Amazon",
+  "VendorInformation": "Amazon Linux has adopted RedHat advisory and published their own updates. Please see Vendor URL section for details.",
+  "VendorRecordID": "CHEU-BLPTWA",
+  "VendorReferences": "https://alas.aws.amazon.com/AL2/ALAS-2020-1400.html",
+  "VendorStatement": "Visit ALAS post https://alas.aws.amazon.com/AL2/ALAS-2020-1400.html for details of this vulnerability"
+}

data/1/vu_782301/vendor_cheu-blptwc.json

@@ -0,0 +1,14 @@
+{
+  "Addendum": "There are no additional comments at this time.",
+  "DateLastUpdated": "2020-02-14T12:23:00-05:00",
+  "DateNotified": "2020-02-11T17:00:10-05:00",
+  "DateResponded": "",
+  "ID": "VU#782301",
+  "Revision": 1,
+  "Status": "Not Affected",
+  "Vendor": "Arista Networks, Inc.",
+  "VendorInformation": "We are not aware of further vendor information regarding this vulnerability.",
+  "VendorRecordID": "CHEU-BLPTWC",
+  "VendorReferences": "None",
+  "VendorStatement": "Arista products do not have any features using pppd, hence no Arista products are affected."
+}

data/1/vu_782301/vendor_cheu-blptwf.json

@@ -0,0 +1,14 @@
+{
+  "Addendum": "There are no additional comments at this time.",
+  "DateLastUpdated": "2020-02-12T19:00:00-05:00",
+  "DateNotified": "2020-02-11T17:00:12-05:00",
+  "DateResponded": "",
+  "ID": "VU#782301",
+  "Revision": 1,
+  "Status": "Not Affected",
+  "Vendor": "CoreOS",
+  "VendorInformation": "We are not aware of further vendor information regarding this vulnerability.",
+  "VendorRecordID": "CHEU-BLPTWF",
+  "VendorReferences": "None",
+  "VendorStatement": "CoreOS Container Linux does not ship pppd."
+}

data/1/vu_782301/vendor_cheu-blptwh.json

@@ -0,0 +1,14 @@
+{
+  "Addendum": "There are no additional comments at this time.",
+  "DateLastUpdated": "2020-03-09T14:07:00-04:00",
+  "DateNotified": "2020-02-11T17:00:12-05:00",
+  "DateResponded": "",
+  "ID": "VU#782301",
+  "Revision": 1,
+  "Status": "Affected",
+  "Vendor": "Arch Linux",
+  "VendorInformation": "ArchLinux has updated its advisory on March 7 2020, with ASA-202003-3 advisory with resolution statement\n\"Upgrade to 2.4.7-7. # pacman -Syu \"ppp>=2.4.7-7\"\nThe problem has been fixed upstream but no release is available yet.\"",
+  "VendorRecordID": "CHEU-BLPTWH",
+  "VendorReferences": "https://security.archlinux.org/ASA-202003-3/generate",
+  "VendorStatement": "No statement is currently available from the vendor regarding this vulnerability."
+}

data/1/vu_782301/vendor_cheu-blptwk.json

@@ -0,0 +1,14 @@
+{
+  "Addendum": "There are no additional comments at this time.",
+  "DateLastUpdated": "2020-02-21T18:05:00-05:00",
+  "DateNotified": "2020-02-11T17:00:12-05:00",
+  "DateResponded": "",
+  "ID": "VU#782301",
+  "Revision": 3,
+  "Status": "Not Affected",
+  "Vendor": "FreeBSD Project",
+  "VendorInformation": "A review of the pppd source tree suggests that FreeBSD do not include pppd in the base system (removed in r190751 - ten years ago). The first pppd version that contained the vulnerability was 2.4.2, and FreeBSD has never shipped with that version.",
+  "VendorRecordID": "CHEU-BLPTWK",
+  "VendorReferences": "None",
+  "VendorStatement": "FreeBSD does not distribute pppd."
+}

data/1/vu_782301/vendor_cheu-blptwm.json

@@ -0,0 +1,14 @@
+{
+  "Addendum": "",
+  "DateLastUpdated": "2020-02-11T17:04:59-05:00",
+  "DateNotified": "2020-02-11T17:00:13-05:00",
+  "DateResponded": "",
+  "ID": "VU#782301",
+  "Revision": 0,
+  "Status": "Unknown",
+  "Vendor": "DesktopBSD",
+  "VendorInformation": "",
+  "VendorRecordID": "CHEU-BLPTWM",
+  "VendorReferences": "",
+  "VendorStatement": ""
+}