[Git][security-tracker-team/security-tracker][master] LTS: fix typo
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: c04b0b8a by Anton Gladky at 2022-01-09T21:29:07+01:00 LTS: fix typo - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -19,7 +19,7 @@ ansible (Lee Garrett) NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ -- apache2 (Anton) - MOTW: 20220109: WIP https://salsa.debian.org/lts-team/packages/apache2 (Anton) + NOTE: 20220109: WIP https://salsa.debian.org/lts-team/packages/apache2 (Anton) -- apng2gif NOTE: 20211229: CVE-2017-6960 was fixed in DLAs for wheezy and jessie View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c04b0b8a62a4d34fa7f2877c82fdb2045715a9c0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c04b0b8a62a4d34fa7f2877c82fdb2045715a9c0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
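Review bot: the only change is the keyword on the apache2 line, MOTW: to NOTE:, which was introduced by 0b379a11 earlier the same evening (also on this page); the corrected line now follows the NOTE: YYYYMMDD: form used by the ansible and apng2gif entries around it, so nothing further is needed here.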
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d435dccf by Salvatore Bonaccorso at 2022-01-09T21:15:43+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10,7 +10,7 @@ CVE-2022-22846 (The dnslib package through 0.9.16 for Python does not verify tha - python-dnslib NOTE: https://github.com/paulc/dnslib/issues/30 CVE-2022-22845 (QXIP SIPCAPTURE homer-app before 1.4.28 for HOMER 7.x has the same 167 ...) - TODO: check + NOT-FOR-US: QXIP SIPCAPTURE homer-app for HOMER CVE-2022-22844 (LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c i ...) - tiff [bullseye] - tiff (Minor issue) @@ -32,7 +32,7 @@ CVE-2022-22838 CVE-2022-22837 RESERVED CVE-2022-22836 (CoreFTP Server before 727 allows directory traversal (for file creatio ...) - TODO: check + NOT-FOR-US: CoreFTP CVE-2022-22835 RESERVED CVE-2022-22834 @@ -56,7 +56,7 @@ CVE-2021-46165 (Zoho ManageEngine Desktop Central before 10.0.662, during startu CVE-2021-46164 (Zoho ManageEngine Desktop Central before 10.0.662 allows remote code e ...) NOT-FOR-US: Zoho ManageEngine CVE-2021-46163 (Kentico Xperience 13.0.44 allows XSS via an XML document to the Media ...) - TODO: check + NOT-FOR-US: Kentico Xperience CMS CVE-2022-0156 RESERVED CVE-2022-22827 (storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an in ...) 
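Review bot: in the third hunk (CVE-2021-46163) the NOT-FOR-US text reads "Kentico Xperience CMS" while the CVE description says "Kentico Xperience"; the first two hunks keep the product string identical to the description (homer-app, CoreFTP), and doing the same here keeps later text searches for the product name matching the entry.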
@@ -2437,7 +2437,7 @@ CVE-2021-45858 CVE-2021-45857 RESERVED CVE-2021-45856 (Accu-Time Systems MAXIMUS 1.0 telnet service suffers from a remote buf ...) - TODO: check + NOT-FOR-US: Accu-Time Systems MAXIMUS CVE-2021-45855 RESERVED CVE-2021-45854 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d435dccf5ce199ff4ec6a22aeaa70c1a1b314c98 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d435dccf5ce199ff4ec6a22aeaa70c1a1b314c98 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cca1de24 by security tracker role at 2022-01-09T20:10:22+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2022-0158 + RESERVED +CVE-2022-0157 + RESERVED CVE-2022-22848 RESERVED CVE-2022-22847 @@ -5,8 +9,8 @@ CVE-2022-22847 CVE-2022-22846 (The dnslib package through 0.9.16 for Python does not verify that the ...) - python-dnslib NOTE: https://github.com/paulc/dnslib/issues/30 -CVE-2022-22845 - RESERVED +CVE-2022-22845 (QXIP SIPCAPTURE homer-app before 1.4.28 for HOMER 7.x has the same 167 ...) + TODO: check CVE-2022-22844 (LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c i ...) - tiff [bullseye] - tiff (Minor issue) @@ -51,8 +55,8 @@ CVE-2021-46165 (Zoho ManageEngine Desktop Central before 10.0.662, during startu NOT-FOR-US: Zoho ManageEngine CVE-2021-46164 (Zoho ManageEngine Desktop Central before 10.0.662 allows remote code e ...) NOT-FOR-US: Zoho ManageEngine -CVE-2021-46163 - RESERVED +CVE-2021-46163 (Kentico Xperience 13.0.44 allows XSS via an XML document to the Media ...) + TODO: check CVE-2022-0156 RESERVED CVE-2022-22827 (storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an in ...) @@ -2432,8 +2436,8 @@ CVE-2021-45858 RESERVED CVE-2021-45857 RESERVED -CVE-2021-45856 - RESERVED +CVE-2021-45856 (Accu-Time Systems MAXIMUS 1.0 telnet service suffers from a remote buf ...) + TODO: check CVE-2021-45855 RESERVED CVE-2021-45854 
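Review bot: the three TODO: check placeholders left by these hunks (CVE-2022-22845, CVE-2021-46163, CVE-2021-45856) are all flipped to NOT-FOR-US in d435dccf about an hour later on this page, so nothing remains open from them; the two new RESERVED entries at the top (CVE-2022-0158, CVE-2022-0157) need no action until a description is published.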
@@ -4086,8 +4090,8 @@ CVE-2021-45336 (Privilege escalation vulnerability in the Sandbox component of A NOT-FOR-US: Avast Antivirus CVE-2021-45335 (Sandbox component in Avast Antivirus prior to 20.4 has an insecure per ...) NOT-FOR-US: Avast Antivirus -CVE-2021-45334 - RESERVED +CVE-2021-45334 (Sourcecodester Online Thesis Archiving System 1.0 is vulnerable to SQL ...) + TODO: check CVE-2021-45333 RESERVED CVE-2021-45332 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cca1de241f1e6cee5c11a97de722c7a07472260e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cca1de241f1e6cee5c11a97de722c7a07472260e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
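Review bot: CVE-2021-45334 (Sourcecodester Online Thesis Archiving System) receives a TODO: check in this hunk and, unlike the other three TODOs from the same automatic update, is not processed in d435dccf; it is the one item from cca1de24 still open on this page and should be triaged with the others.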
[Git][security-tracker-team/security-tracker][master] 2 commits: Mark CVE-2021-3770 as not-affected in stretch
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 4948c340 by Anton Gladky at 2022-01-09T21:04:33+01:00 Mark CVE-2021-3770 as not-affected in stretch - - - - - 0b379a11 by Anton Gladky at 2022-01-09T21:04:33+01:00 LTS: status update - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -20030,7 +20030,7 @@ CVE-2021-3770 (vim is vulnerable to Heap-based Buffer Overflow ...) - vim 2:8.2.3455-1 (bug #994076) [bullseye] - vim 2:8.2.2434-3+deb11u1 [buster] - vim (Minor issue) - [stretch] - vim (Minor issue) + [stretch] - vim (Vulnerable code not present) NOTE: https://huntr.dev/bounties/016ad2f2-07c1-4d14-a8ce-6eed10729365/ NOTE: Fixed by: https://github.com/vim/vim/commit/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9 (v8.2.3402) NOTE: Followup fix for introduced memory leak: https://github.com/vim/vim/commit/2ddb89f8a94425cda1e5491efc80c1b6e08e (v8.2.3403) = data/dla-needed.txt = @@ -19,6 +19,7 @@ ansible (Lee Garrett) NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ -- apache2 (Anton) + MOTW: 20220109: WIP https://salsa.debian.org/lts-team/packages/apache2 (Anton) -- apng2gif NOTE: 20211229: CVE-2017-6960 was fixed in DLAs for wheezy and jessie 
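Review bot: the stretch line for CVE-2021-3770 moves from "Minor issue" (postponed, still affected) to "Vulnerable code not present" (not affected), but the NOTE lines only cite the fixing commit b7081e1 (v8.2.3402) and the follow-up leak fix; add an "Introduced by:" reference, as the qemu entries on this page do (CVE-2021-4158, CVE-2021-3947), so the not-affected claim for the vim in stretch can be verified from the entry itself.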
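Review bot: in the dla-needed.txt hunk the new apache2 line is keyed "MOTW:" rather than "NOTE:"; the neighbouring ansible and apng2gif entries use "NOTE: YYYYMMDD:", and the typo is corrected in c04b0b8a later on this page.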
@@ -30,6 +31,7 @@ condor (Anton) NOTE: 20211216: full details embargoed NOTE: 20211227: the fix is out and now available; cf: NOTE: 20211227: https://github.com/htcondor/htcondor/commit/8b311dee. (utkarsh) + NOTE: 20220109: Prepare for upload (Anton) -- debian-archive-keyring NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f6bf1612701684e094b80bf8d25df461d96f9b27...0b379a11e87f62a313cafc780e428fdb92714843 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f6bf1612701684e094b80bf8d25df461d96f9b27...0b379a11e87f62a313cafc780e428fdb92714843 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f6bf1612 by Moritz Muehlenhoff at 2022-01-09T20:06:52+01:00 buster/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -9,6 +9,8 @@ CVE-2022-22845 RESERVED CVE-2022-22844 (LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c i ...) - tiff + [bullseye] - tiff (Minor issue) + [buster] - tiff (Minor issue) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/355 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/287 CVE-2022-22843 @@ -1569,9 +1571,9 @@ CVE-2021-46062 CVE-2021-46061 RESERVED CVE-2021-46060 (A NULL Pointer Dereference vulnerability exists in GNU inetutils 2.2 v ...) - - inetutils + - inetutils (unimportant) NOTE: https://lists.gnu.org/archive/html/bug-inetutils/2021-12/msg00017.html - TODO: check details + NOTE: Crash in CLI tool, no security impact CVE-2021-46059 (A Pointer Dereference vulnerability exists in Vim 8.2.3883 via the vim ...) - vim 2:8.2.3995-1 [bullseye] - vim (Minor issue) @@ -1967,6 +1969,8 @@ CVE-2021-45931 (HarfBuzz 2.9.0 has an out-of-bounds write in hb_bit_set_invertib TODO: check correctness of commit, might not affect any Debian released version CVE-2021-45930 (Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1 has an out-o ...) - qtsvg-opensource-src 5.15.2-4 (bug #1002991) + [bullseye] - qtsvg-opensource-src (Minor issue) + [buster] - qtsvg-opensource-src (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37025 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37306 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qt/OSV-2021-1121.yaml = data/dsa-needed.txt = 
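Review bot: the inetutils hunk downgrades CVE-2021-46060 to (unimportant) and replaces "TODO: check details" with "Crash in CLI tool, no security impact"; the note should name the affected tool so the claim can be checked against the linked bug-inetutils thread, since "CLI tool" alone does not say whether the crash is in a plain client or in something that runs with elevated privileges.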
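Review bot: the tiff hunk marks CVE-2022-22844 as "Minor issue" for bullseye and buster while the unstable line still has no fixed version and only the upstream issue 355 and merge request 287 are linked; that is consistent, but a "Fixed by:" line should follow once MR 287 is merged so the unstable fixed version can be tracked.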
@@ -24,6 +24,8 @@ condor -- faad2/oldstable (jmm) -- +librecad +-- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v4.19.y versions. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6bf1612701684e094b80bf8d25df461d96f9b27 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6bf1612701684e094b80bf8d25df461d96f9b27 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
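Review bot: librecad is added to dsa-needed.txt with no assignee and no note; the faad2 and linux entries next to it carry an owner ("(jmm)", "(carnil)") and linux also a rationale, so a short line naming the CVE(s) that drive the DSA would help whoever claims it.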
[Git][security-tracker-team/security-tracker][master] Add upstream tag information for CVE-2021-20221/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cac7c1c6 by Salvatore Bonaccorso at 2022-01-09T18:09:08+01:00 Add upstream tag information for CVE-2021-20221/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -71622,7 +71622,7 @@ CVE-2021-20221 (An out-of-bounds heap buffer access issue was found in the ARM G - qemu 1:5.2+dfsg-4 [buster] - qemu (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/02/05/1 - NOTE: https://gitlab.com/qemu-project/qemu/-/commit/edfe2eb4360cde4ed5d95bdaedcb3510f76a + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/edfe2eb4360cde4ed5d95bdaedcb3510f76a (v6.0.0-rc0) CVE-2021-20220 (A flaw was found in Undertow. A regression in the fix for CVE-2020-106 ...) - undertow 2.2.0-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1923133 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cac7c1c6ec1974dc24ae5e50e1f217af74b23899 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cac7c1c6ec1974dc24ae5e50e1f217af74b23899 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
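Review bot: the added (v6.0.0-rc0) tag is worth having because the unstable fixed version in the same entry is qemu 1:5.2+dfsg-4, i.e. the fix reached Debian as a backport before the upstream release that contains it; the buster "Minor issue" line is unchanged and still matches that picture.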
[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2021-20203/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cc5537f1 by Salvatore Bonaccorso at 2022-01-09T18:07:07+01:00 Track fixed version via unstable for CVE-2021-20203/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -71717,7 +71717,7 @@ CVE-2021-20204 (A heap memory corruption problem (use after free) can be trigger NOTE: Debian patch applied causes functional regressions: https://bugs.debian.org/992437 CVE-2021-20203 (An integer overflow issue was found in the vmxnet3 NIC emulator of the ...) {DLA-2623-1} - - qemu (bug #984452) + - qemu 1:6.2+dfsg-1 (bug #984452) [bullseye] - qemu (Minor issue) [buster] - qemu (Minor issue) NOTE: https://bugs.launchpad.net/qemu/+bug/1913873 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc5537f198b18857b2efd0f0e699ff41f1977ef6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc5537f198b18857b2efd0f0e699ff41f1977ef6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
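Review bot: the new fixed version 1:6.2+dfsg-1 for CVE-2021-20203 agrees with the upstream tag recorded a minute earlier in 921f2ba5 (d05dcd94, v6.2.0-rc3); the entry already references DLA-2623-1, so stretch was fixed ahead of unstable, and the bullseye/buster "Minor issue" lines are left as they were.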
[Git][security-tracker-team/security-tracker][master] Track upstream commit for CVE-2021-20203/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 921f2ba5 by Salvatore Bonaccorso at 2022-01-09T18:06:14+01:00 Track upstream commit for CVE-2021-20203/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -71724,6 +71724,7 @@ CVE-2021-20203 (An integer overflow issue was found in the vmxnet3 NIC emulator NOTE: https://gitlab.com/qemu-project/qemu/-/issues/308 NOTE: https://bugs.launchpad.net/qemu/+bug/1890152 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg07935.html + NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/d05dcd94aee88728facafb993c7280547eb4d645 (v6.2.0-rc3) CVE-2021-20202 (A flaw was found in keycloak. Directories can be created prior to the ...) NOT-FOR-US: Keycloak CVE-2021-20201 (A flaw was found in spice in versions before 0.14.92. A DoS tool might ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/921f2ba5bcf7582a83cd6172e2da583f64eccefd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/921f2ba5bcf7582a83cd6172e2da583f64eccefd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2021-20196/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a75de63c by Salvatore Bonaccorso at 2022-01-09T18:03:47+01:00 Track fixed version via unstable for CVE-2021-20196/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -71756,7 +71756,7 @@ CVE-2021-20197 (There is an open race window when writing output in the followin NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=365f5fb6d0f0da83817431a275e99e6f6babbe04 NOTE: binutils not covered by security support CVE-2021-20196 (A NULL pointer dereference flaw was found in the floppy disk emulator ...) - - qemu (bug #984453) + - qemu 1:6.2+dfsg-1 (bug #984453) [bullseye] - qemu (Minor issue, revisit when fixed upstream) [buster] - qemu (Fix along in future DSA) [stretch] - qemu (Fix along in future DLA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a75de63c5e4084241a45207d8d6be29ae685a9f2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a75de63c5e4084241a45207d8d6be29ae685a9f2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
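Review bot: the bullseye line still reads "Minor issue, revisit when fixed upstream" although this hunk records the fix in 1:6.2+dfsg-1 and 82d116e4 on this page identifies the upstream commit (1ab95af0, v6.2.0-rc4); the "revisit when fixed upstream" qualifier is now stale and should be dropped or replaced by a decision, while the buster/stretch "Fix along in future DSA/DLA" lines can stay as they are.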
[Git][security-tracker-team/security-tracker][master] Reference upstream commit for CVE-2021-20196/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 82d116e4 by Salvatore Bonaccorso at 2022-01-09T18:02:46+01:00 Reference upstream commit for CVE-2021-20196/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -71764,6 +71764,7 @@ CVE-2021-20196 (A NULL pointer dereference flaw was found in the floppy disk emu NOTE: https://bugs.launchpad.net/qemu/+bug/1912780 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/338 NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-01/msg05986.html + NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/1ab95af033a419e7a64e2d58e67dd96b20af5233 (v6.2.0-rc4) CVE-2021-20195 (A flaw was found in keycloak in versions before 13.0.0. A Self Stored ...) NOT-FOR-US: Keycloak CVE-2021-20194 (There is a vulnerability in the linux kernel versions higher than 5.2 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82d116e4485f17d8a8892504766f09593cb1255e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82d116e4485f17d8a8892504766f09593cb1255e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reference upstream fix for CVE-2021-4158/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d6748da2 by Salvatore Bonaccorso at 2022-01-09T18:00:36+01:00 Reference upstream fix for CVE-2021-4158/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3346,6 +3346,7 @@ CVE-2021-4158 [NULL pointer dereference in pci_write() in hw/acpi/pcihp.c] NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2035002 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/770 NOTE: Introduced in: https://gitlab.com/qemu-project/qemu/-/commit/b32bd763a1ca929677e22ae1c51cb3920921bdce (v6.0.0-rc0) + NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/9bd6565ccee68f72d5012e24646e12a1c662827e NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-12/msg03692.html CVE-2021-45461 (FreePBX, when restapps (aka Rest Phone Apps) 15.0.19.87, 15.0.19.88, 1 ...) NOT-FOR-US: FreePBX View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6748da20c8b88a2e994713579faef40f6a33575 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6748da20c8b88a2e994713579faef40f6a33575 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
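Review bot: the "Fixed by:" line for CVE-2021-4158 carries no release tag, unlike the "Introduced in:" line directly above it (v6.0.0-rc0) and the other Fixed by lines added in this series (v6.2.0-rc3, v6.2.0-rc4); add the tag, or state that the commit is not yet in a tagged release, so the per-suite status can be read off the entry.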
[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2021-4145/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 606175fd by Salvatore Bonaccorso at 2022-01-09T17:58:52+01:00 Track fixed version via unstable for CVE-2021-4145/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3828,7 +3828,7 @@ CVE-2021-4146 RESERVED CVE-2021-4145 [NULL pointer dereference in mirror_wait_on_conflicts() in block/mirror.c] RESERVED - - qemu + - qemu 1:6.2+dfsg-1 [bullseye] - qemu (Vulnerable code introduced later) [buster] - qemu (Vulnerable code introduced later) [stretch] - qemu (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/606175fd34e378bb4b7d6f38e929c2846f2738c7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/606175fd34e378bb4b7d6f38e929c2846f2738c7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
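Review bot: the fixed version 1:6.2+dfsg-1 is set while CVE-2021-4145 is still RESERVED and tracked only by its bracketed summary; the three stable lines say "Vulnerable code introduced later", but no "Introduced by:" NOTE is visible in this hunk's context, so confirm the entry has one (as CVE-2021-3947's does on this page) before relying on that status.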
[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2021-3947/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fd336402 by Salvatore Bonaccorso at 2022-01-09T17:58:00+01:00 Track fixed version via unstable for CVE-2021-3947/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10311,7 +10311,7 @@ CVE-2021-3948 NOT-FOR-US: Migration Toolkit for Containers CVE-2021-3947 [NVME: Arbitrary Memory Read] RESERVED - - qemu + - qemu 1:6.2+dfsg-1 [bullseye] - qemu (Vulnerable code introduced later) [buster] - qemu (Vulnerable code introduced later) [stretch] - qemu (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd3364022932f0c610b6b08b26f477ce0473feae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd3364022932f0c610b6b08b26f477ce0473feae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reference upstream fixing commit for CVE-2021-3947/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e00698e by Salvatore Bonaccorso at 2022-01-09T17:57:09+01:00 Reference upstream fixing commit for CVE-2021-3947/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10318,6 +10318,7 @@ CVE-2021-3947 [NVME: Arbitrary Memory Read] NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2021869 NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/f432fdfa1215bc3a00468b2e711176be279b0fd2 (v6.0.0-rc0) NOTE: https://lore.kernel.org/qemu-devel/2021153125.2258176-1-phi...@redhat.com/ + NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/e2c57529c9306e4c9aac75d9879f6e7699584a22 (v6.2.0-rc3) CVE-2021-3946 RESERVED CVE-2021-3945 (django-helpdesk is vulnerable to Improper Neutralization of Input Duri ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e00698e783138e9dad26be278c98832fc1e439c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e00698e783138e9dad26be278c98832fc1e439c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
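Review bot: with "Introduced by: f432fdfa (v6.0.0-rc0)" already in the entry and "Fixed by: e2c57529 (v6.2.0-rc3)" added here, the affected upstream range is bounded on both sides, which is what backs the "Vulnerable code introduced later" status on the bullseye/buster/stretch lines set in fd336402; separately, the lore URL in the context line shows its Message-ID truncated to "phi...@redhat.com" in this rendering, so check that the committed link is intact.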
[Git][security-tracker-team/security-tracker][master] 2 commits: Track fixed version via unstable for CVE-2021-3930/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0779054d by Salvatore Bonaccorso at 2022-01-09T17:55:25+01:00 Track fixed version via unstable for CVE-2021-3930/qemu - - - - - b4c8a77a by Salvatore Bonaccorso at 2022-01-09T17:55:44+01:00 Add upstream tag information for CVE-2021-3930/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10834,13 +10834,13 @@ CVE-2021-3931 (snipe-it is vulnerable to Cross-Site Request Forgery (CSRF) ...) NOT-FOR-US: snipe-it CVE-2021-3930 [off-by-one error in mode_sense_page() in hw/scsi/scsi-disk.c] RESERVED - - qemu + - qemu 1:6.2+dfsg-1 [bullseye] - qemu (Minor issue) [buster] - qemu (Minor issue) [stretch] - qemu (Fix along with a future DLA) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2020588 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/546 - NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 + NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8 (v6.2.0-rc0) CVE-2021-3929 [nvme: DMA reentrancy issue leads to use-after-free] RESERVED - qemu View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/270ba5dfd737eedc5f0f5e2563b35a34039ef23f...b4c8a77af56aca8aa04e8f500b602c1b615549ed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/270ba5dfd737eedc5f0f5e2563b35a34039ef23f...b4c8a77af56aca8aa04e8f500b602c1b615549ed You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
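Review bot: stretch is marked "Fix along with a future DLA" while bullseye and buster are "Minor issue"; now that the fixing commit is tagged v6.2.0-rc0 and 1:6.2+dfsg-1 is recorded, that difference is presumably the LTS team's choice to bundle the fix, but if so the stretch line should say so, otherwise align it with the other two.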
[Git][security-tracker-team/security-tracker][master] Reference proposed fix for CVE-2021-3611 (not yet merged)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 270ba5df by Salvatore Bonaccorso at 2022-01-09T17:53:09+01:00 Reference proposed fix for CVE-2021-3611 (not yet merged) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33253,6 +33253,7 @@ CVE-2021-3611 [QEMU: intel-hda: segmentation fault due to stack overflow] NOTE: https://bugs.launchpad.net/qemu/+bug/1907497 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/542 NOTE: Introduced by: https://git.qemu.org/?p=qemu.git;a=commit;h=a9d8ba2be58e067bdfbff830eb9ff438d8db7f10 (v5.0.0-rc0) + NOTE: Proposed fix: https://lore.kernel.org/qemu-devel/20211218160912.1591633-1-phi...@redhat.com/ CVE-2021-3610 [heap-based buffer overflow in ReadTIFFImage() in coders/tiff.c] RESERVED - imagemagick (Specific to Imagemagick 7) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/270ba5dfd737eedc5f0f5e2563b35a34039ef23f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/270ba5dfd737eedc5f0f5e2563b35a34039ef23f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
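Review bot: the "Proposed fix:" URL's Message-ID appears as "...-phi...@redhat.com" in this rendering, which is a mangled address rather than a usable link; confirm that the committed line carries the full Message-ID. Labelling it "Proposed fix" rather than "Fixed by" is correct given the commit message says it is not yet merged.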
[Git][security-tracker-team/security-tracker][master] Add reference to upstream issue for CVE-2020-14394
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fdfd72a6 by Salvatore Bonaccorso at 2022-01-09T17:46:44+01:00 Add reference to upstream issue for CVE-2020-14394 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -113899,6 +113899,7 @@ CVE-2020-14394 [infinite loop in xhci_ring_chain_length() in hw/usb/hcd-xhci.c] [buster] - qemu (Minor issue) [stretch] - qemu (Minor issue, privileged local DoS, low CVSS, no patch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1908004 + NOTE: https://gitlab.com/qemu-project/qemu/-/issues/646 CVE-2020-14393 (A buffer overflow was found in perl-DBI 1.643 in DBI.xs. A local ...) {DLA-2386-1} - libdbi-perl 1.643-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fdfd72a697e50968613f66c2daf711ca496ce8e5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fdfd72a697e50968613f66c2daf711ca496ce8e5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
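Review bot: the stretch line for CVE-2020-14394 justifies postponement with "no patch"; now that upstream issue 646 is linked, that part of the justification should be re-checked against the issue and updated if a patch has appeared there.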
[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2021-42740/node-shell-quote
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c1c10ca5 by Salvatore Bonaccorso at 2022-01-09T15:16:38+01:00 Track fixed version via unstable for CVE-2021-42740/node-shell-quote - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13439,7 +13439,7 @@ CVE-2021-42742 CVE-2021-42741 RESERVED CVE-2021-42740 (The shell-quote package before 1.7.3 for Node.js allows command inject ...) - - node-shell-quote (bug #998418) + - node-shell-quote 1.7.3+~1.7.1-1 (bug #998418) NOTE: https://github.com/substack/node-shell-quote/commit/5799416ed454aa4ec9afafc895b4e31760ea1abe (1.7.3) CVE-2021-42739 (The firewire subsystem in the Linux kernel through 5.14.13 has a buffe ...) {DLA-2843-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1c10ca5b5c1079ac44f09bdbd2832ac7b80fa54 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1c10ca5b5c1079ac44f09bdbd2832ac7b80fa54 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
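Review bot: the fixed version 1.7.3+~1.7.1-1 matches the upstream 1.7.3 cited on the NOTE line and closes bug #998418 for unstable; the entry has no [bullseye]/[buster] lines, so the stable branches are left implicitly unfixed, and they should be triaged (Minor issue or a fixed version) as the tiff and qtsvg entries elsewhere on this page are.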
[Git][security-tracker-team/security-tracker][master] Update todo comment for CVE-2021-45958
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 296ca0e9 by Salvatore Bonaccorso at 2022-01-09T15:09:24+01:00 Update todo comment for CVE-2021-45958 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1856,7 +1856,7 @@ CVE-2021-45959 CVE-2021-45958 (UltraJSON (aka ujson) 4.0.2 through 5.0.0 has a stack-based buffer ove ...) - ujson NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009 - TODO: claimed to be fixed, but 5525f8c9ef8bb879dadd0eb942d524827d1b0362 is not part of the repository, check correctness of introducing details + TODO: claimed to be fixed in range https://github.com/ultrajson/ultrajson/compare/e3ccc5a1ff945275106d9323c00683fafeffc04a...682c6601569980e9a8a05378d3c1478db30384bc which seem to indicate the fuzzing did not really was helpful and CVE is bogus CVE-2021-45957 (Dnsmasq 2.86 has a heap-based buffer overflow in answer_request (calle ...) - dnsmasq NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35920 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/296ca0e926e5fb03d4bf673da5cfe597ce92e61c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/296ca0e926e5fb03d4bf673da5cfe597ce92e61c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
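Review bot: the rewritten TODO concludes that the CVE is bogus but leaves "- ujson" as an open, untriaged package line; once the conclusion is confirmed, record it on the package line (for instance "(unimportant)" with a NOTE giving the reason) rather than in a TODO, so the entry stops showing as outstanding. The phrase "did not really was helpful" reads as "was not really helpful".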
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-45930/qtsvg-opensource-src
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cd8cec9f by Salvatore Bonaccorso at 2022-01-09T14:54:55+01:00 Track fixed version for CVE-2021-45930/qtsvg-opensource-src - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1966,7 +1966,7 @@ CVE-2021-45931 (HarfBuzz 2.9.0 has an out-of-bounds write in hb_bit_set_invertib NOTE: https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81 (2.9.1) TODO: check correctness of commit, might not affect any Debian released version CVE-2021-45930 (Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1 has an out-o ...) - - qtsvg-opensource-src (bug #1002991) + - qtsvg-opensource-src 5.15.2-4 (bug #1002991) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37025 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37306 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qt/OSV-2021-1121.yaml View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd8cec9f2992d50d08ab2bfbd0bfb185711f9d60 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd8cec9f2992d50d08ab2bfbd0bfb185711f9d60 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
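Review bot: 5.15.2-4 is recorded as the unstable fixed version for CVE-2021-45930; the entry shows no bullseye/buster lines at this point, and f6bf1612 later on this page adds "Minor issue" for both, so read together the triage is complete. The HarfBuzz context line above it still carries its own TODO about the correctness of the referenced commit.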
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2021-43861/node-mermaid via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 444b6ece by Salvatore Bonaccorso at 2022-01-09T10:38:50+01:00 Add fixed version for CVE-2021-43861/node-mermaid via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8785,7 +8785,7 @@ CVE-2021-43863 CVE-2021-43862 (jQuery Terminal Emulator is a plugin for creating command line interpr ...) NOT-FOR-US: jQuery Terminal Emulator CVE-2021-43861 (Mermaid is a Javascript based diagramming and charting tool that uses ...) - - node-mermaid + - node-mermaid 8.13.8+~cs10.4.16-1 NOTE: https://github.com/mermaid-js/mermaid/security/advisories/GHSA-p3rp-vmj9-gv6v NOTE: https://github.com/mermaid-js/mermaid/commit/066b7a0d0bda274d94a2f2d21e4323dab5776d83 CVE-2021-43860 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/444b6ece69c42eabeca6e9a6fb0161c50ec1a38d
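Review bot: the hunk records only the unstable fixed version 8.13.8+~cs10.4.16-1 for node-mermaid, and the commit message itself says "via unstable"; nothing in the entry yet states the status of the released suites, so the entry should still be assessed for them, since the GHSA advisory and the upstream commit in the NOTE lines only establish the unstable fix.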
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-22844/tiff
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e4f7da0b by Salvatore Bonaccorso at 2022-01-09T09:33:47+01:00 Add CVE-2022-22844/tiff - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8,7 +8,9 @@ CVE-2022-22846 (The dnslib package through 0.9.16 for Python does not verify tha CVE-2022-22845 RESERVED CVE-2022-22844 (LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c i ...) - TODO: check + - tiff + NOTE: https://gitlab.com/libtiff/libtiff/-/issues/355 + NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/287 CVE-2022-22843 RESERVED CVE-2022-22842 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4f7da0b1edc711ccb4a66413754070608fe20fe
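Review bot: the replacement `- tiff` line carries no fixed version and no severity annotation, while the NOTE lines reference an upstream issue (libtiff issues/355) and a merge request (merge_requests/287); once that merge request is part of an upstream release the fixed version should be recorded here, and until then a short note on whether the 4.3.0 _TIFFmemcpy code path named in the description is what the Debian tiff packages ship would help prioritise this out-of-bounds read.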
[Git][security-tracker-team/security-tracker][master] 2 commits: Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5634b802 by Salvatore Bonaccorso at 2022-01-09T09:25:42+01:00 Process some NFUs - - - - - 6f88f15f by Salvatore Bonaccorso at 2022-01-09T09:33:07+01:00 Add CVE-2022-22846/python-dnslib - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,8 @@ CVE-2022-22848 CVE-2022-22847 RESERVED CVE-2022-22846 (The dnslib package through 0.9.16 for Python does not verify that the ...) - TODO: check + - python-dnslib + NOTE: https://github.com/paulc/dnslib/issues/30 CVE-2022-22845 RESERVED CVE-2022-22844 (LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c i ...) @@ -41,11 +42,11 @@ CVE-2022-22829 CVE-2022-22828 RESERVED CVE-2021-46166 (Zoho ManageEngine Desktop Central before 10.0.662 allows authenticated ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine CVE-2021-46165 (Zoho ManageEngine Desktop Central before 10.0.662, during startup, lau ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine CVE-2021-46164 (Zoho ManageEngine Desktop Central before 10.0.662 allows remote code e ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine CVE-2021-46163 RESERVED CVE-2022-0156 
@@ -2000,7 +2001,7 @@ CVE-2022-22291 CVE-2022-22290 RESERVED CVE-2022-22289 (Improper access control vulnerability in S Assistant prior to version ...) - TODO: check + NOT-FOR-US: Samsung CVE-2022-22288 (Improper authorization vulnerability in Galaxy Store prior to 4.5.36.5 ...) NOT-FOR-US: Samsung CVE-2022-22287 (Abitrary file access vulnerability in Samsung Email prior to 6.1.60.16 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5190fd68ecf881198f018f9df7929f28b20fbbf4...6f88f15f9285ffba621808e1961d54a217500b0b
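Review bot: in the first hunk (@@ -3,7 +3,8 @@) the new `- python-dnslib` line for CVE-2022-22846 has no fixed version, and the only NOTE is the upstream issue (dnslib issues/30) rather than a fix commit; since the description reports a missing verification check in dnslib through 0.9.16, the entry should be revisited to record the upstream fix and a Debian version once one exists, or an explicit note that no fix is available yet, so the package is not left as affected with no path to resolution.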
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5190fd68 by security tracker role at 2022-01-09T08:10:11+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,53 @@ +CVE-2022-22848 + RESERVED +CVE-2022-22847 + RESERVED +CVE-2022-22846 (The dnslib package through 0.9.16 for Python does not verify that the ...) + TODO: check +CVE-2022-22845 + RESERVED +CVE-2022-22844 (LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c i ...) + TODO: check +CVE-2022-22843 + RESERVED +CVE-2022-22842 + RESERVED +CVE-2022-22841 + RESERVED +CVE-2022-22840 + RESERVED +CVE-2022-22839 + RESERVED +CVE-2022-22838 + RESERVED +CVE-2022-22837 + RESERVED +CVE-2022-22836 (CoreFTP Server before 727 allows directory traversal (for file creatio ...) + TODO: check +CVE-2022-22835 + RESERVED +CVE-2022-22834 + RESERVED +CVE-2022-22833 + RESERVED +CVE-2022-22832 + RESERVED +CVE-2022-22831 + RESERVED +CVE-2022-22830 + RESERVED +CVE-2022-22829 + RESERVED +CVE-2022-22828 + RESERVED +CVE-2021-46166 (Zoho ManageEngine Desktop Central before 10.0.662 allows authenticated ...) + TODO: check +CVE-2021-46165 (Zoho ManageEngine Desktop Central before 10.0.662, during startup, lau ...) + TODO: check +CVE-2021-46164 (Zoho ManageEngine Desktop Central before 10.0.662 allows remote code e ...) + TODO: check +CVE-2021-46163 + RESERVED CVE-2022-0156 RESERVED CVE-2022-22827 (storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an in ...) 
@@ -126781,8 +126831,8 @@ CVE-2020-10139 (Acronis True Image 2021 includes an OpenSSL component that speci NOT-FOR-US: Acronis CVE-2020-10138 (Acronis Cyber Backup 12.5 and Cyber Protect 15 include an OpenSSL comp ...) NOT-FOR-US: Acronis -CVE-2020-10137 - RESERVED +CVE-2020-10137 (Z-Wave devices based on Silicon Labs 700 series chipsets using S2 do n ...) + TODO: check CVE-2020-10136 (Multiple products that implement the IP Encapsulation within IP standa ...) NOT-FOR-US: Cisco CVE-2020-10135 (Legacy pairing and secure-connections pairing authentication in Blueto ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5190fd68ecf881198f018f9df7929f28b20fbbf4
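Review bot: in the second hunk CVE-2020-10137 moves from RESERVED to a description with `TODO: check`; the surrounding entries in this region (Acronis, Cisco) are all NOT-FOR-US, so the triage step is to confirm whether any Debian package implements the Z-Wave S2 functionality named in the description before choosing a marking, rather than letting the TODO linger among already-triaged entries.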