[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3859/undertow
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f926da4 by Salvatore Bonaccorso at 2022-02-02T07:43:29+01:00 Add CVE-2021-3859/undertow - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22183,6 +22183,9 @@ CVE-2021-3860 (JFrog Artifactory before 7.25.4 (Enterprise+ deployments only), i NOT-FOR-US: JFrog Artifactory CVE-2021-3859 RESERVED + - undertow + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2010378 + TODO: check details CVE-2021-42008 (The decode_data function in drivers/net/hamradio/6pack.c in the Linux ...) {DLA-2843-1 DLA-2785-1} - linux 5.14.6-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f926da43a63fb3611a5e563294121f7037c1946 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f926da43a63fb3611a5e563294121f7037c1946 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
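Review bot: the new `- undertow` line under CVE-2021-3859 carries no fixed version and the entry ends in `TODO: check details`, so the issue is recorded as open in every suite with nothing telling a reader which versions are affected. Once the Red Hat bug 2010378 referenced in the NOTE yields the affected versions and the upstream fix, add a `NOTE: Fixed by: <commit> (<version>)` line and a fixed Debian version or a per-suite state, as the neighbouring CVE-2021-42008 entry does with `- linux 5.14.6-1`.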
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-4218/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5fffe2b6 by Salvatore Bonaccorso at 2022-02-02T07:41:44+01:00 Add CVE-2021-4218/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -188,6 +188,9 @@ CVE-2021-46661 (MariaDB through 10.5.9 allows an application crash in find_field NOTE: https://jira.mariadb.org/browse/MDEV-25766 CVE-2021-4218 RESERVED + - linux 5.8.7-1 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2048359 + NOTE: Fixed by: https://git.kernel.org/linus/32927393dc1ccd60fb2bdc05b9e8e88753761469 (5.8-rc1) CVE-2022-24282 RESERVED CVE-2022-24281 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5fffe2b690660a3466a0322c7967d88694b12eeb
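Review bot: the `NOTE: Fixed by:` line records the kernel fix as landing in 5.8-rc1 while the Debian fixed version is given as `- linux 5.8.7-1`; confirm that 5.8.7-1 was the first linux upload to unstable based on 5.8, otherwise the fixed version should name the earlier upload so that no 5.8-based package is reported as affected. The entry is also still bare `RESERVED` with only a bugzilla link, so a bracketed free-text description in the form used elsewhere in data/CVE/list (for example `CVE-2022-0400 [Out of bounds read in the smc protocol stack]`) would make it readable before MITRE publishes the text.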
[Git][security-tracker-team/security-tracker][master] Expand notes for CVE-2022-24300
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fcddc403 by Salvatore Bonaccorso at 2022-02-02T07:31:45+01:00 Expand notes for CVE-2022-24300 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1907,6 +1907,10 @@ CVE-2022-24300 [ItemStack meta injection vulnerability] - minetest 5.4.1+repack-1 (bug #1004223) NOTE: https://github.com/minetest/minetest/security/advisories/GHSA-hwj2-xf72-r4cf NOTE: Fixed by: https://github.com/minetest/minetest/commit/b5956bde259faa240a81060ff4e598e25ad52dae (5.4.0) + NOTE: When fixing this issue the fix for GHSA-7q63-4fq2-hqcr should be included, + NOTE: which is not a vulnerability by itself, and won't get a CVE assigned: + NOTE: https://github.com/minetest/minetest/security/advisories/GHSA-7q63-4fq2-hqcr + NOTE: https://github.com/minetest/minetest/commit/8d6a0b917ce1e7f4f1017835af0ca76e79c98c38 (5.2.0) CVE-2022-24301 [Players can access the inventories of other players] - minetest 5.4.1+repack-1 NOTE: https://github.com/minetest/minetest/security/advisories/GHSA-fvwv-qcq6-wmp5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fcddc403fc1814e72d94c1fcc9acb2e1a3029ef2
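Review bot: the four added NOTE lines say the GHSA-7q63-4fq2-hqcr fix should be included, but since that commit is marked `(5.2.0)` and the CVE-2022-24300 fix is marked `(5.4.0)`, only suites shipping minetest older than 5.2.0 actually need the extra commit; saying so in the note (for example by appending `only needed for versions before 5.2.0`) saves whoever prepares an update from rediscovering it. The unstable version on the entry is already 5.4.1+repack-1, so the advice is purely for older suites.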
[Git][security-tracker-team/security-tracker][master] Drop one previously added minetest temporary entry
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 58847c65 by Salvatore Bonaccorso at 2022-02-02T07:26:58+01:00 Drop one previously added minetest temporary entry While a fix exists in the form of https://github.com/minetest/minetest/commit/8d6a0b917ce1e7f4f1017835af0ca76e79c98c38 and should ideally be included in an update, the issue itself states: Because passing user input to this function is inherently insecure, this issue isn't considered a vulnerability by itself. There won't be a CVE assigned thus for this. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1903,10 +1903,6 @@ CVE-2022-0340 RESERVED CVE-2021-4209 RESERVED -CVE-2021- [Remote Code Execution using minetest.deserialize] - - minetest 5.2.0+repack-1 - NOTE: https://github.com/minetest/minetest/security/advisories/GHSA-7q63-4fq2-hqcr - NOTE: Fixed by: https://github.com/minetest/minetest/commit/8d6a0b917ce1e7f4f1017835af0ca76e79c98c38 (5.2.0) CVE-2022-24300 [ItemStack meta injection vulnerability] - minetest 5.4.1+repack-1 (bug #1004223) NOTE: https://github.com/minetest/minetest/security/advisories/GHSA-hwj2-xf72-r4cf View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58847c65af5281f87365fa7557c90620d17b7ee0
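Review bot: dropping the whole placeholder entry also drops the `NOTE: Fixed by: https://github.com/minetest/minetest/commit/8d6a0b917ce1e7f4f1017835af0ca76e79c98c38 (5.2.0)` pointer from data/CVE/list, yet the commit message says that fix should ideally be included in an update. Keep the pointer somewhere an updater will see it, most naturally as NOTE lines under the related CVE-2022-24300 entry that follows in the hunk context, so the advice survives the absence of a CVE ID.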
[Git][security-tracker-team/security-tracker][master] CVE-2022-24301 assigned
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5c7f7d14 by Salvatore Bonaccorso at 2022-02-02T07:25:17+01:00 CVE-2022-24301 assigned - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1911,7 +1911,7 @@ CVE-2022-24300 [ItemStack meta injection vulnerability] - minetest 5.4.1+repack-1 (bug #1004223) NOTE: https://github.com/minetest/minetest/security/advisories/GHSA-hwj2-xf72-r4cf NOTE: Fixed by: https://github.com/minetest/minetest/commit/b5956bde259faa240a81060ff4e598e25ad52dae (5.4.0) -CVE-2021- [Players can access the inventories of other players] +CVE-2022-24301 [Players can access the inventories of other players] - minetest 5.4.1+repack-1 NOTE: https://github.com/minetest/minetest/security/advisories/GHSA-fvwv-qcq6-wmp5 NOTE: Fixed by: https://github.com/minetest/minetest/commit/3693b6871eba268ecc79b3f52d00d3cefe761131 (5.4.0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c7f7d149fe030e104aa16b90eaf8926db73c2b2
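Review bot: the renamed CVE-2022-24301 entry has `- minetest 5.4.1+repack-1` with no `(bug #...)` reference, while the adjacent CVE-2022-24300 entry in the context carries `(bug #1004223)`; if that Debian bug covers both minetest advisories, add the same reference here, otherwise file one so the BTS and the tracker stay in sync.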
[Git][security-tracker-team/security-tracker][master] CVE-2022-24300 assigned
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f9e537c6 by Salvatore Bonaccorso at 2022-02-02T07:23:44+01:00 CVE-2022-24300 assigned - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1907,7 +1907,7 @@ CVE-2021- [Remote Code Execution using minetest.deserialize] - minetest 5.2.0+repack-1 NOTE: https://github.com/minetest/minetest/security/advisories/GHSA-7q63-4fq2-hqcr NOTE: Fixed by: https://github.com/minetest/minetest/commit/8d6a0b917ce1e7f4f1017835af0ca76e79c98c38 (5.2.0) -CVE-2021- [ItemStack meta injection vulnerability] +CVE-2022-24300 [ItemStack meta injection vulnerability] - minetest 5.4.1+repack-1 (bug #1004223) NOTE: https://github.com/minetest/minetest/security/advisories/GHSA-hwj2-xf72-r4cf NOTE: Fixed by: https://github.com/minetest/minetest/commit/b5956bde259faa240a81060ff4e598e25ad52dae (5.4.0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f9e537c61bbf7120584f74f1d1b20c83e16496c2
[Git][security-tracker-team/security-tracker][master] Add chromium to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f40503a1 by Salvatore Bonaccorso at 2022-02-02T06:29:07+01:00 Add chromium to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the name of the source pa -- asterisk/oldstable -- +chromium +-- condor -- cryptsetup/stable (corsac) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f40503a113366e3e64de8458532d1d6b64a1328d
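Review bot: the added `chromium` entry in dsa-needed.txt has neither an owner in parentheses nor a NOTE, unlike `cryptsetup/stable (corsac)` in the same hunk, so nobody is recorded as working on it and there is no hint which CVEs or upstream release the DSA should cover; add the claimant and a dated NOTE pointing at the CVE range once someone picks it up.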
[Git][security-tracker-team/security-tracker][master] Add new chromium issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 939b5ea7 by Salvatore Bonaccorso at 2022-02-02T06:28:14+01:00 Add new chromium issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -19,43 +19,81 @@ CVE-2022-21799 CVE-2022-21173 RESERVED CVE-2022-0470 - RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-0469 - RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-0468 - RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-0467 - RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-0466 - RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-0465 - RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-0464 - RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-0463 - RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-0462 - RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-0461 - RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-0460 - RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-0459 - RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-0458 - RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-0457 - RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-0456 - RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-0455 - RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-0454 - RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-0453 - 
RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-0452 - RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-0451 RESERVED CVE-2022-0450 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/939b5ea7c7601d4fd0bbc1e88d9485757b789a8f
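Review bot: every one of the nineteen CVE-2022-0452 to CVE-2022-0470 entries gets the same three lines, `- chromium` with no fixed version and `[buster]`/`[stretch]` lines that, as rendered here, carry only `(see DSA 5046)` and `(see DSA 4562)` with nothing between the package name and the parenthesised reason; the tracker normally puts a state marker there (such as `<end-of-life>`), so check that the committed file has it and that it is not just lost in this rendering. With no version on the `- chromium` line and no `[bullseye]` line, all nineteen issues show as open in unstable and bullseye until the fixing upload is recorded, and a NOTE per entry with the upstream advisory URL, as the other entries in this file carry, would make the batch auditable.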
[Git][security-tracker-team/security-tracker][master] Ignore CVE-2021-44141 for buster and bullseye
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c367703 by Salvatore Bonaccorso at 2022-02-01T23:36:08+01:00 Ignore CVE-2021-44141 for buster and bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13434,6 +13434,8 @@ CVE-2021-44142 [Out-of-bounds heap read/write vulnerability in VFS module vfs_fr CVE-2021-44141 [Information leak via symlinks of existance of files or directories outside of the exported share] RESERVED - samba (bug #1004692) + [bullseye] - samba (Minor issue; no backport to older versions, mitigations exists) + [buster] - samba (Minor issue; no backport to older versions, mitigations exists) NOTE: https://www.samba.org/samba/security/CVE-2021-44141.html NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14911 CVE-2021-44140 (Remote attackers may delete arbitrary files in a system hosting a JSPW ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c3677033261fc2f1f3e78577d4e0ccbddd40fc7
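Review bot: the two added lines read `[bullseye] - samba (Minor issue; ...)` and `[buster] - samba (Minor issue; ...)` with no state marker between the package and the reason, yet the commit title says the issue is being ignored for both suites; check that the committed lines carry `<ignored>` and that the marker was not lost in this rendering, because without it both suites read as plainly affected. In the reason text, `mitigations exists` should be `mitigations exist`.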
[Git][security-tracker-team/security-tracker][master] Reference upstream commit for CVE-2022-24130/xterm
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 81f4cb72 by Salvatore Bonaccorso at 2022-02-01T22:42:08+01:00 Reference upstream commit for CVE-2022-24130/xterm - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -504,6 +504,7 @@ CVE-2022-24130 (xterm through Patch 370, when Sixel support is enabled, allows a NOTE: https://twitter.com/nickblack/status/1487731459398025216 NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/2 NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/3 + NOTE: https://github.com/ThomasDickey/xterm-snapshots/commit/1584fc227673264661250d3a8d673c168ac9512d CVE-2022-24129 RESERVED NOT-FOR-US: Shibboleth identity provider OIDC OP plugin View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/81f4cb72a5aa737e791889c55fc2f8ec741d1ae0
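Review bot: the added xterm-snapshots commit link is a bare `NOTE:` while the fix references for the minetest and linux entries elsewhere on this page use the `NOTE: Fixed by: <url> (<upstream version>)` form; tag it the same way and record the xterm patch level that first contains commit 1584fc22 (the description tracks xterm by patch number, `Patch 370`), so readers can tell the fix from the three advisory links above it.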
[Git][security-tracker-team/security-tracker][master] Track fixed version for python-django issues via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 60708da6 by Salvatore Bonaccorso at 2022-02-01T22:06:38+01:00 Track fixed version for python-django issues via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1929,7 +1929,7 @@ CVE-2022-23834 CVE-2022-23833 RESERVED {DLA-2906-1} - - python-django (bug #1004752) + - python-django 2:3.2.12-1 (bug #1004752) NOTE: https://www.djangoproject.com/weblog/2022/feb/01/security-releases/ NOTE: https://github.com/django/django/commit/fc18f36c4ab94399366ca2f2007b3692559a6f23 (main) NOTE: https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9 (4.0.2) @@ -5227,7 +5227,7 @@ CVE-2022-22819 CVE-2022-22818 RESERVED {DLA-2906-1} - - python-django (bug #1004752) + - python-django 2:3.2.12-1 (bug #1004752) NOTE: https://www.djangoproject.com/weblog/2022/feb/01/security-releases/ NOTE: https://github.com/django/django/commit/394517f07886495efcf79f95c7ee402a9437bd68 (main) NOTE: https://github.com/django/django/commit/01422046065d2b51f8f613409cad2c81b39487e5 (4.0.2) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60708da676c3d568df5e2c26af006d8225047815
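Review bot: recording `2:3.2.12-1` as the unstable fix closes both issues for unstable, but the hunk context for CVE-2022-23833 and CVE-2022-22818 shows only the `{DLA-2906-1}` stretch reference and no `[bullseye]` or `[buster]` line, so those two suites remain listed as affected with no triage decision visible; add the per-suite state (a fixed version from a point release, or `<no-dsa>` with a reason) once it is decided.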
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2022-24130/xterm
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: daf5d066 by Salvatore Bonaccorso at 2022-02-01T21:40:53+01:00 Add fixed version for CVE-2022-24130/xterm - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -500,7 +500,7 @@ CVE-2022-0416 CVE-2022-0415 RESERVED CVE-2022-24130 (xterm through Patch 370, when Sixel support is enabled, allows attacke ...) - - xterm (bug #1004689) + - xterm 370-2 (bug #1004689) NOTE: https://twitter.com/nickblack/status/1487731459398025216 NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/2 NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/daf5d06636892aae6c4c631a41b60e3096c1423b
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 878dbd1b by Salvatore Bonaccorso at 2022-02-01T21:39:56+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -302,17 +302,17 @@ CVE-2022-24225 CVE-2022-24224 RESERVED CVE-2022-24223 (AtomCMS v2.0 was discovered to contain a SQL injection vulnerability v ...) - TODO: check + NOT-FOR-US: AtomCMS CVE-2022-24222 (eliteCMS v1.0 was discovered to contain a SQL injection vulnerability ...) - TODO: check + NOT-FOR-US: eliteCMS CVE-2022-24221 (eliteCMS v1.0 was discovered to contain a SQL injection vulnerability ...) - TODO: check + NOT-FOR-US: eliteCMS CVE-2022-24220 (eliteCMS v1.0 was discovered to contain a SQL injection vulnerability ...) - TODO: check + NOT-FOR-US: eliteCMS CVE-2022-24219 (eliteCMS v1.0 was discovered to contain a SQL injection vulnerability ...) - TODO: check + NOT-FOR-US: eliteCMS CVE-2022-24218 (An issue in /admin/delete_image.php of eliteCMS v1.0 allows attackers ...) - TODO: check + NOT-FOR-US: eliteCMS CVE-2022-24217 RESERVED CVE-2022-24216 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/878dbd1bce61603a2f8d951200cfc9b5f8943f1f
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2907-1 for apache2
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 3ac67d6a by Anton Gladky at 2022-02-01T21:31:12+01:00 Reserve DLA-2907-1 for apache2 Signed-off-by: Anton Gladky gl...@debian.org - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[01 Feb 2022] DLA-2907-1 apache2 - security update + {CVE-2021-44224 CVE-2021-44790} + [stretch] - apache2 2.4.25-3+deb9u12 [01 Feb 2022] DLA-2906-1 python-django - security update {CVE-2022-22818 CVE-2022-23833} [stretch] - python-django 1:1.10.7-2+deb9u15 = data/dla-needed.txt = @@ -18,10 +18,6 @@ ansible NOTE: 20210411: after that LTS. (apo) NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ -- -apache2 (Anton) - NOTE: 20220109: WIP https://salsa.debian.org/lts-team/packages/apache2 (Anton) - NOTE: 20220124: WIP --- apng2gif NOTE: 20211229: CVE-2017-6960 was fixed in DLAs for wheezy and jessie NOTE: 20211229: but is unfixed in stretch, plus 2 additional CVEs (bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ac67d6a7060b39e5f6fb1dd8193ef6435c28484
[Git][security-tracker-team/security-tracker][master] Process several NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 44259065 by Salvatore Bonaccorso at 2022-02-01T21:27:46+01:00 Process several NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2103,7 +2103,7 @@ CVE-2022-0322 [DoS in sctp_addto_chunk in net/sctp/sm_make_chunk.c] CVE-2022-0321 RESERVED CVE-2022-0320 (The Essential Addons for Elementor WordPress plugin before 5.0.5 does ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-0319 (Out-of-bounds Read in vim/vim prior to 8.2. ...) - vim [bullseye] - vim (Minor issue) @@ -3887,7 +3887,7 @@ CVE-2022-0222 CVE-2022-0221 RESERVED CVE-2022-0220 (The check_privacy_settings AJAX action of the WordPress GDPR WordPress ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-0219 (Improper Restriction of XML External Entity Reference in GitHub reposi ...) NOT-FOR-US: jadx CVE-2022-0218 @@ -64683,7 +64683,7 @@ CVE-2021-25099 CVE-2021-25098 RESERVED CVE-2021-25097 (The LabTools WordPress plugin through 1.0 does not have proper authori ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-25096 RESERVED CVE-2021-25095 @@ -64691,15 +64691,15 @@ CVE-2021-25095 CVE-2021-25094 RESERVED CVE-2021-25093 (The Link Library WordPress plugin before 7.2.8 does not have authorisa ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-25092 (The Link Library WordPress plugin before 7.2.8 does not have CSRF chec ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-25091 (The Link Library WordPress plugin before 7.2.9 does not sanitise and e ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-25090 RESERVED CVE-2021-25089 (The UpdraftPlus WordPress Backup Plugin WordPress plugin before 1.16.6 ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-25088 RESERVED CVE-2021-25087 
@@ -64707,7 +64707,7 @@ CVE-2021-25087 CVE-2021-25086 RESERVED CVE-2021-25085 (The WOOF WordPress plugin before 1.2.6.3 does not sanitise and escape ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-25084 RESERVED CVE-2021-25083 (The Registrations for the Events Calendar WordPress plugin before 2.7. ...) @@ -64733,7 +64733,7 @@ CVE-2021-25074 (The WebP Converter for Media WordPress plugin before 4.0.3 conta CVE-2021-25073 (The WP125 WordPress plugin before 1.5.5 does not have CSRF checks in v ...) NOT-FOR-US: WordPress plugin CVE-2021-25072 (The NextScripts: Social Networks Auto-Poster WordPress plugin before 4 ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-25071 RESERVED CVE-2021-25070 @@ -64751,7 +64751,7 @@ CVE-2021-25065 (The Smash Balloon Social Post Feed WordPress plugin before 4.1.1 CVE-2021-25064 RESERVED CVE-2021-25063 (The Contact Form 7 Skins WordPress plugin through 2.5.0 does not sanit ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-25062 (The Orders Tracking for WooCommerce WordPress plugin before 1.1.10 doe ...) NOT-FOR-US: WordPress plugin CVE-2021-25061 (The WP Booking System WordPress plugin before 2.0.15 was affected by a ...) @@ -64911,7 +64911,7 @@ CVE-2021-24985 (The Easy Forms for Mailchimp WordPress plugin before 6.8.6 does CVE-2021-24984 (The WPFront User Role Editor WordPress plugin before 3.2.1.11184 does ...) NOT-FOR-US: WordPress plugin CVE-2021-24983 (The Asset CleanUp: Page Speed Booster WordPress plugin before 1.3.8.5 ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24982 RESERVED CVE-2021-24981 (The Directorist WordPress plugin before 7.0.6.2 was vulnerable to Cros ...) 
@@ -64927,7 +64927,7 @@ CVE-2021-24977 CVE-2021-24976 (The Smart SEO Tool WordPress plugin before 3.0.6 does not sanitise and ...) NOT-FOR-US: WordPress plugin CVE-2021-24975 (The NextScripts: Social Networks Auto-Poster WordPress plugin before 4 ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24974 (The Product Feed PRO for WooCommerce WordPress plugin before 11.0.7 do ...) NOT-FOR-US: WordPress plugin CVE-2021-24973 (The Site Reviews WordPress plugin before 5.17.3 does not sanitise and ...) @@ -64989,7 +64989,7 @@ CVE-2021-24946 (The Modern Events Calendar Lite WordPress plugin before 6.1.5 do CVE-2021-24945 (The Like Button Rating LikeBtn WordPress plugin before 2.6.38 ...) NOT-FOR-US: WordPress plugin CVE-2021-24944 (The Custom Dashboard Login Page WordPress plugin before 7.0 does ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-24943 (The Registrations for the Events Calendar WordPress plugin before 2.7. ...) NOT-FOR-US: WordPress plugin CVE-2021-24942
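Review bot: the context lines for CVE-2022-0319 in the first hunk show `- vim` followed by `[bullseye] - vim (Minor issue)` with nothing between the package and the reason; the tracker syntax expects a state marker there (typically `<no-dsa>` for a minor issue), so confirm it is present in the file and only missing from this rendering. The remaining hunks are uniform `TODO: check` to `NOT-FOR-US: WordPress plugin` conversions and look right; note that the rendered patch stops after the `CVE-2021-24942` context line, so anything past that point was not visible for review.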
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 538120a8 by security tracker role at 2022-02-01T20:10:17+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,91 @@ +CVE-2022-24294 + RESERVED +CVE-2022-24293 + RESERVED +CVE-2022-24292 + RESERVED +CVE-2022-24291 + RESERVED +CVE-2022-24290 + RESERVED +CVE-2022-24289 + RESERVED +CVE-2022-24288 + RESERVED +CVE-2022-24287 + RESERVED +CVE-2022-21799 + RESERVED +CVE-2022-21173 + RESERVED +CVE-2022-0470 + RESERVED +CVE-2022-0469 + RESERVED +CVE-2022-0468 + RESERVED +CVE-2022-0467 + RESERVED +CVE-2022-0466 + RESERVED +CVE-2022-0465 + RESERVED +CVE-2022-0464 + RESERVED +CVE-2022-0463 + RESERVED +CVE-2022-0462 + RESERVED +CVE-2022-0461 + RESERVED +CVE-2022-0460 + RESERVED +CVE-2022-0459 + RESERVED +CVE-2022-0458 + RESERVED +CVE-2022-0457 + RESERVED +CVE-2022-0456 + RESERVED +CVE-2022-0455 + RESERVED +CVE-2022-0454 + RESERVED +CVE-2022-0453 + RESERVED +CVE-2022-0452 + RESERVED +CVE-2022-0451 + RESERVED +CVE-2022-0450 + RESERVED +CVE-2022-0449 + RESERVED +CVE-2022-0448 + RESERVED +CVE-2022-0447 + RESERVED +CVE-2022-0446 + RESERVED +CVE-2022-0445 + RESERVED +CVE-2022-0444 + RESERVED +CVE-2022-0443 + RESERVED +CVE-2022-0442 + RESERVED +CVE-2022-0441 + RESERVED +CVE-2022-0440 + RESERVED +CVE-2022-0439 + RESERVED +CVE-2022-0438 + RESERVED +CVE-2021-46670 + RESERVED CVE-2022-24286 RESERVED CVE-2022-24285 
@@ -213,18 +301,18 @@ CVE-2022-24225 RESERVED CVE-2022-24224 RESERVED -CVE-2022-24223 - RESERVED -CVE-2022-24222 - RESERVED -CVE-2022-24221 - RESERVED -CVE-2022-24220 - RESERVED -CVE-2022-24219 - RESERVED -CVE-2022-24218 - RESERVED +CVE-2022-24223 (AtomCMS v2.0 was discovered to contain a SQL injection vulnerability v ...) + TODO: check +CVE-2022-24222 (eliteCMS v1.0 was discovered to contain a SQL injection vulnerability ...) + TODO: check +CVE-2022-24221 (eliteCMS v1.0 was discovered to contain a SQL injection vulnerability ...) + TODO: check +CVE-2022-24220 (eliteCMS v1.0 was discovered to contain a SQL injection vulnerability ...) + TODO: check +CVE-2022-24219 (eliteCMS v1.0 was discovered to contain a SQL injection vulnerability ...) + TODO: check +CVE-2022-24218 (An issue in /admin/delete_image.php of eliteCMS v1.0 allows attackers ...) + TODO: check CVE-2022-24217 RESERVED CVE-2022-24216 @@ -401,12 +489,12 @@ CVE-2022-24131 RESERVED CVE-2022-21170 RESERVED -CVE-2022-0419 - RESERVED +CVE-2022-0419 (NULL Pointer Dereference in NPM radare2.js prior to 6.0.0. ...) + TODO: check CVE-2022-0418 RESERVED -CVE-2022-0417 - RESERVED +CVE-2022-0417 (Heap-based Buffer Overflow in Conda vim prior to 8.2. ...) + TODO: check CVE-2022-0416 RESERVED CVE-2022-0415 @@ -457,7 +545,7 @@ CVE-2021-46657 (get_sort_by_table in MariaDB before 10.6.2 allows an application NOTE: Fixed in MariaDB: 10.2.39, 10.3.30, 10.4.20, 10.5.11, 10.6.2 CVE-2022-0414 (Business Logic Errors in Packagist dolibarr/dolibarr prior to 16.0. ...) - dolibarr -CVE-2022-0413 (Use After Free in Conda vim prior to 8.2. ...) +CVE-2022-0413 (Use After Free in GitHub repository vim/vim prior to 8.2. ...) - vim [bullseye] - vim (Minor issue) [buster] - vim (Minor issue) 
@@ -494,7 +582,7 @@ CVE-2022-24113 RESERVED CVE-2022-0409 RESERVED -CVE-2022-0408 (Stack-based Buffer Overflow in Conda vim prior to 8.2. ...) +CVE-2022-0408 (Stack-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. ...) - vim [bullseye] - vim (Minor issue) [buster] - vim (Minor issue) @@ -518,8 +606,8 @@ CVE-2022-0403 RESERVED CVE-2022-0402 RESERVED -CVE-2022-0401 - RESERVED +CVE-2022-0401 (Path Traversal in NPM w-zip prior to 1.0.12. ...) + TODO: check CVE-2022-0400 [Out of bounds read in the smc protocol stack] RESERVED - linux @@ -1840,6 +1928,7 @@ CVE-2022-23834 RESERVED CVE-2022-23833 RESERVED + {DLA-2906-1} - python-django (bug #1004752) NOTE: https://www.djangoproject.com/weblog/2022/feb/01/security-releases/ NOTE: https://github.com/django/django/commit/fc18f36c4ab94399366ca2f2007b3692559a6f23 (main) @@ -2013,8 +2102,8 @@ CVE-2022-0322 [DoS in sctp_addto_chunk in net/sctp/sm_make_chunk.c] NOTE: https://git.kernel.org/linus/a2d859e3fc97e79d907761550dbc03ff1b36479c (5.15-rc6) CVE-2022-0321 RESERVED -CVE-2022-0320 -
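Review bot: the import adds `CVE-2022-0417 (Heap-based Buffer Overflow in Conda vim prior to 8.2. ...)` and `CVE-2022-0419 (NULL Pointer Dereference in NPM radare2.js prior to 6.0.0. ...)` with `TODO: check`, while in the same patch the existing CVE-2022-0413 and CVE-2022-0408 descriptions are rewritten from `Conda vim` to `GitHub repository vim/vim`; CVE-2022-0417 is the same vim component and should be triaged like those two (`- vim` with per-suite states) rather than left as a TODO, and CVE-2022-0419 names the NPM radare2.js package, so check whether the flaw lies in the radare2 sources Debian packages or only in the npm wrapper before deciding on NOT-FOR-US. The rendered patch is cut off at `-CVE-2022-0320`, so the later hunks were not visible for review.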
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2906-1 for python-django.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: ebdc2a87 by Chris Lamb at 2022-02-01T10:21:42-08:00 Reserve DLA-2906-1 for python-django. - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[01 Feb 2022] DLA-2906-1 python-django - security update + {CVE-2022-22818 CVE-2022-23833} + [stretch] - python-django 1:1.10.7-2+deb9u15 [31 Jan 2022] DLA-2905-1 apache-log4j1.2 - security update {CVE-2021-4104 CVE-2022-23302 CVE-2022-23305 CVE-2022-23307} [stretch] - apache-log4j1.2 1.2.17-7+deb9u2 = data/dla-needed.txt = @@ -81,8 +81,6 @@ pgbouncer pjproject (Abhijith PA) NOTE: 20211230: patch available for the no-dsa issue, check its NOTE (pochu) -- -python-django (Chris Lamb) --- python2.7 (Anton) NOTE: 20220112: 3 postponed CVEs (Beuc) NOTE: 20220124: WIP View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ebdc2a87397cdb4bfca6d9f803e1688d8bccf423
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage python-django for stretch LTS (CVE-2022-22818 &...
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 55cb8e04 by Chris Lamb at 2022-02-01T09:20:43-08:00 data/dla-needed.txt: Triage python-django for stretch LTS (CVE-2022-22818 CVE-2022-23833) and self-assign; am maintainer in Debian. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -81,6 +81,8 @@ pgbouncer pjproject (Abhijith PA) NOTE: 20211230: patch available for the no-dsa issue, check its NOTE (pochu) -- +python-django (Chris Lamb) +-- python2.7 (Anton) NOTE: 20220112: 3 postponed CVEs (Beuc) NOTE: 20220124: WIP View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55cb8e0424f163a3cff520b8facc5a802a6c9dd8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55cb8e0424f163a3cff520b8facc5a802a6c9dd8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
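Review bot: the new dla-needed.txt entry `python-django (Chris Lamb)` carries no NOTE line, while the commit message is the only place recording which issues are being handled (CVE-2022-22818, CVE-2022-23833) and that the claimant is the Debian maintainer. The neighbouring entries (pjproject, python2.7) keep dated NOTE lines such as `NOTE: 20211230: ...`, so a line like `NOTE: 20220201: CVE-2022-22818 CVE-2022-23833, maintainer preparing update` would make the state visible in the file rather than only in git history.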
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for python-django issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bb7f502c by Salvatore Bonaccorso at 2022-02-01T18:10:49+01:00 Add Debian bug reference for python-django issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1840,7 +1840,7 @@ CVE-2022-23834 RESERVED CVE-2022-23833 RESERVED - - python-django + - python-django (bug #1004752) NOTE: https://www.djangoproject.com/weblog/2022/feb/01/security-releases/ NOTE: https://github.com/django/django/commit/fc18f36c4ab94399366ca2f2007b3692559a6f23 (main) NOTE: https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9 (4.0.2) @@ -5138,7 +5138,7 @@ CVE-2022-22819 RESERVED CVE-2022-22818 RESERVED - - python-django + - python-django (bug #1004752) NOTE: https://www.djangoproject.com/weblog/2022/feb/01/security-releases/ NOTE: https://github.com/django/django/commit/394517f07886495efcf79f95c7ee402a9437bd68 (main) NOTE: https://github.com/django/django/commit/01422046065d2b51f8f613409cad2c81b39487e5 (4.0.2) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb7f502c1d46e8eaac3132abafb3004ff66da85f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb7f502c1d46e8eaac3132abafb3004ff66da85f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-23833/python-django
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8360b8e5 by Salvatore Bonaccorso at 2022-02-01T17:23:12+01:00 Add CVE-2022-23833/python-django - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1840,6 +1840,12 @@ CVE-2022-23834 RESERVED CVE-2022-23833 RESERVED + - python-django + NOTE: https://www.djangoproject.com/weblog/2022/feb/01/security-releases/ + NOTE: https://github.com/django/django/commit/fc18f36c4ab94399366ca2f2007b3692559a6f23 (main) + NOTE: https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9 (4.0.2) + NOTE: https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468 (3.2.12) + NOTE: https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a (2.2.27) CVE-2022-23832 RESERVED CVE-2022-23831 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8360b8e57aacfa1ea7e29ad2b69cc1ef02ff3072 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8360b8e57aacfa1ea7e29ad2b69cc1ef02ff3072 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-22818/python-django
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: da394951 by Salvatore Bonaccorso at 2022-02-01T17:21:49+01:00 Add CVE-2022-22818/python-django - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5132,6 +5132,12 @@ CVE-2022-22819 RESERVED CVE-2022-22818 RESERVED + - python-django + NOTE: https://www.djangoproject.com/weblog/2022/feb/01/security-releases/ + NOTE: https://github.com/django/django/commit/394517f07886495efcf79f95c7ee402a9437bd68 (main) + NOTE: https://github.com/django/django/commit/01422046065d2b51f8f613409cad2c81b39487e5 (4.0.2) + NOTE: https://github.com/django/django/commit/1a1e8278c46418bde24c86a65443b0674bae65e2 (3.2.12) + NOTE: https://github.com/django/django/commit/c27a7eb9f40b64990398978152e62b6ff839c2e6 (2.2.27) CVE-2022-22817 (PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of arbitra ...) {DSA-5053-1 DLA-2893-1} - pillow 9.0.0-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da3949515adcd51c7d403487b3ee4e82e8165d1d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da3949515adcd51c7d403487b3ee4e82e8165d1d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Add expat to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 777398fb by Salvatore Bonaccorso at 2022-02-01T17:14:52+01:00 Add expat to dsa-needed list - - - - - 728d8104 by Salvatore Bonaccorso at 2022-02-01T17:15:16+01:00 Take expat from dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -19,6 +19,8 @@ condor cryptsetup/stable (corsac) Maintainer is proposing updates, to be checked further procedure -- +expat (carnil) +-- faad2/oldstable (jmm) -- librecad View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fe84de825ea043392c3ef0056c2632e4c9b13649...728d8104cf3d7cbe68b4c5ed0fb5c172fa8a5720 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fe84de825ea043392c3ef0056c2632e4c9b13649...728d8104cf3d7cbe68b4c5ed0fb5c172fa8a5720 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Tentatively take samba from dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fe84de82 by Salvatore Bonaccorso at 2022-02-01T17:10:55+01:00 Tentatively take samba from dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -52,7 +52,7 @@ ruby2.7/stable -- runc -- -samba +samba (carnil) -- trafficserver (jmm) wait until status for CVE-2021-38161 is clarified (upstream patch got reverted) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe84de825ea043392c3ef0056c2632e4c9b13649 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe84de825ea043392c3ef0056c2632e4c9b13649 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: remove-cve-dist-tags: remove empty CVE entries
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: a8106732 by Emilio Pozuelo Monfort at 2022-02-01T16:16:50+01:00 remove-cve-dist-tags: remove empty CVE entries This can happen in ExtendFiles if they only contain dist tags that are being removed. - - - - - 47e07c9c by Emilio Pozuelo Monfort at 2022-02-01T16:16:50+01:00 gen-DSA: sanitize DISTS var after calculating it Rather than have every user have to do it. - - - - - 63516a0c by Emilio Pozuelo Monfort at 2022-02-01T16:16:50+01:00 gen-DSA: diff and commit changes to extracvefile In case were processing a dist that uses an ExtendFile. - - - - - 2 changed files: - bin/gen-DSA - bin/remove-cve-dist-tags Changes: = bin/gen-DSA = @@ -372,8 +372,10 @@ for dist in $CODENAMES; do [ -z "$version" ] || DISTS="${DISTS},${dist}" done +DISTS="${DISTS#,}" + if [ -n "${DISTS}" ]; then -bin/remove-cve-dist-tags "${DISTS#,}" "${PACKAGE}" ${CVE} +bin/remove-cve-dist-tags "${DISTS}" "${PACKAGE}" ${CVE} fi if ! $save; then @@ -412,9 +414,12 @@ EOF echo "$IDMODE text written to ./$IDMODE-$DAID" if [ "$IDMODE" = "DLA" ] || [ "$IDMODE" = "ELA" ]; then idmode=$(echo "$IDMODE" | tr A-Z a-z) + if [ -n "${DISTS}" ]; then + extracvefile=`jq -r ".distributions.${DISTS}.maincvefile" data/config.json` + fi if [ -d .git ]; then echo "Made the following changes:" - git diff -- data/$IDMODE/list data/CVE/list $needed_file + git diff -- data/$IDMODE/list data/CVE/list $extracvefile $needed_file if ! git diff-index --name-only HEAD -- $needed_file | grep -qs . && [ $TYPE = security ]; then warn "did not make any changes to $needed_file - this may indicate duplicate work or misspelled package name" fi 
@@ -424,7 +429,7 @@ EOF echo -n "Do you want to commit and push them now ? [Yn] " read reply if [ "$reply" = "Y" ] || [ "$reply" = "" ] || [ "$reply" = "y" ]; then - git add data/$IDMODE/list data/CVE/list $needed_file + git add data/$IDMODE/list data/CVE/list $extracvefile $needed_file git commit -m "Reserve $IDMODE-$DAID for $PACKAGE" git push origin master fi = bin/remove-cve-dist-tags = @@ -56,6 +56,12 @@ for cve in data: if keep_annotation(cve, annotation) ) cve = cve._replace(annotations=annotations) +if not cve.annotations: +# this shouldn't happen on a normal CVE file as we're only removing +# the dist specific tags, but it may happen in an ExtendFile, in +# which case we don't want to keep an empty CVE entry +continue + new_data.append(cve) with open(main_list, 'w') as f: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d18f65e690cc218bcda4fc715d57a61082664af7...63516a0cf95e2d6a5b43cfceb44e48c0e0572825 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d18f65e690cc218bcda4fc715d57a61082664af7...63516a0cf95e2d6a5b43cfceb44e48c0e0572825 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
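Review bot: the jq lookup in the @@ -412 hunk, `extracvefile=\`jq -r ".distributions.${DISTS}.maincvefile" data/config.json\``, only works when DISTS holds a single codename. DISTS is assembled as a comma-joined list in the loop just above (`DISTS="${DISTS},${dist}"`, now stripped of its leading comma by the @@ -372 hunk), and a value such as `stretch,buster` turns the filter into `.distributions.stretch,buster.maincvefile`, which jq does not treat as a key lookup. Either document that the DLA/ELA path only ever sees one dist, or loop over the comma-separated list. Separately, when the selected distribution has no `maincvefile` key, `jq -r` prints the literal string `null`, so `extracvefile` should be cleared in that case before it reaches git. As a style point, the surrounding code uses `$(...)` (`idmode=$(echo "$IDMODE" | tr A-Z a-z)`), so the new line should as well.

Review bot: `git add data/$IDMODE/list data/CVE/list $extracvefile $needed_file` in the @@ -429 hunk inherits whatever the jq lookup produced. An unset `extracvefile` expands to nothing and is harmless, but a literal `null` from a missing `maincvefile` key becomes a pathspec, and `git add` aborts with "pathspec did not match" on it, leaving the reservation uncommitted after the user answered Y even though the earlier `git diff` (which silently ignores an unmatched pathspec) looked fine. Guard with something like `[ -n "$extracvefile" ] && [ "$extracvefile" != null ]` before using it in `git add`.

Review bot: the new `if not cve.annotations: continue` in bin/remove-cve-dist-tags drops any entry whose annotation list is empty after filtering, not only entries that this pass emptied. If an entry in a normal CVE file legitimately has no annotations to begin with (the script only removes dist tags, so it would have had none to remove), this change silently deletes it; checking "non-empty before the filter, empty after" would limit the deletion to the ExtendFile case the comment describes. Also confirm that `annotations` is materialized with `tuple(...)`/`list(...)`: the visible context shows it built from a comprehension closing with `)` and stored via `cve._replace(annotations=annotations)`, and a bare generator expression is always truthy, so the emptiness check would never fire.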
[Git][security-tracker-team/security-tracker][master] Add note for ruby2.{5,7} in dsa-needed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: d18f65e6 by Utkarsh Gupta at 2022-02-01T17:49:18+05:30 Add note for ruby2.{5,7} in dsa-needed - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -43,10 +43,12 @@ rpki-client/stable new 7.6 release required libretls, which isn't in Bullseye -- ruby2.5/oldstable - Maintainer is preparing updates + Utkarsh proposed the update for fixing CVE-2021-31799, CVE-2021-32066, + CVE-2021-31810, CVE-2021-41817, CVE-2021-41819, and CVE-2021-28965. -- ruby2.7/stable - Maintainer is preparing updates + Utkarsh proposed the update for fixing CVE-2021-41816, CVE-2021-41817, + and CVE-2021-41819. -- runc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d18f65e690cc218bcda4fc715d57a61082664af7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d18f65e690cc218bcda4fc715d57a61082664af7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2020-1986{0,1}/ldns
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0597c2e3 by Salvatore Bonaccorso at 2022-02-01T13:10:51+01:00 Update information for CVE-2020-1986{0,1}/ldns - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -107249,12 +107249,13 @@ CVE-2020-19861 (When a zone file in ldns 1.7.1 is parsed, the function ldns_nsec [bullseye] - ldns (Minor issue) [buster] - ldns (Minor issue) NOTE: https://github.com/NLnetLabs/ldns/issues/51 + NOTE: https://github.com/NLnetLabs/ldns/commit/136ec420437041fe13f344a2053e774f9050cc38 (1.8.0-rc.1) CVE-2020-19860 (When ldns version 1.7.1 verifies a zone file, the ldns_rr_new_frm_str_ ...) - ldns [bullseye] - ldns (Minor issue) [buster] - ldns (Minor issue) NOTE: https://github.com/NLnetLabs/ldns/issues/50 - NOTE: https://github.com/NLnetLabs/ldns/commit/15d96206996bea969fbc918eb0a4a346f514b9f3 + NOTE: https://github.com/NLnetLabs/ldns/commit/15d96206996bea969fbc918eb0a4a346f514b9f3 (1.8.0-rc.1) CVE-2020-19859 RESERVED CVE-2020-19858 (Platinum Upnp SDK through 1.2.0 has a directory traversal vulnerabilit ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0597c2e3ef7b6591588fae4a3af756d74a0b117f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0597c2e3ef7b6591588fae4a3af756d74a0b117f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 93788507 by Moritz Muehlenhoff at 2022-02-01T13:08:55+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -418,6 +418,7 @@ CVE-2022-24130 (xterm through Patch 370, when Sixel support is enabled, allows a NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/3 CVE-2022-24129 RESERVED + NOT-FOR-US: Shibboleth identity provider OIDC OP plugin CVE-2022-24128 RESERVED CVE-2022-24127 @@ -23107,6 +23108,7 @@ CVE-2021-41572 RESERVED CVE-2021-41571 RESERVED + NOT-FOR-US: Apache Pulsar CVE-2021-41570 RESERVED CVE-2021-41569 (SAS/Intrnet 9.4 build 1520 and earlier allows Local File Inclusion. Th ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93788507a9f01241ac9cb31222aa790245d444f5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93788507a9f01241ac9cb31222aa790245d444f5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46661/mariadb
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 46b7a860 by Salvatore Bonaccorso at 2022-02-01T10:59:36+01:00 Add CVE-2021-46661/mariadb - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -56,7 +56,10 @@ CVE-2021-46662 (MariaDB through 10.5.9 allows a set_var.cc application crash via NOTE: https://jira.mariadb.org/browse/MDEV-22464 NOTE: Fixed in MariaDB: 10.3.32, 10.4.22, 10.5.13, 10.6.5 CVE-2021-46661 (MariaDB through 10.5.9 allows an application crash in find_field_in_ta ...) - TODO: check + - mariadb-10.6 + - mariadb-10.5 + - mariadb-10.3 + NOTE: https://jira.mariadb.org/browse/MDEV-25766 CVE-2021-4218 RESERVED CVE-2022-24282 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46b7a8600a8ded68bee447bab2006c1559ec4dc6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46b7a8600a8ded68bee447bab2006c1559ec4dc6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
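Review bot: the three package lines added for CVE-2021-46661 (`- mariadb-10.6`, `- mariadb-10.5`, `- mariadb-10.3`) carry no fixed version and the entry has no `NOTE: Fixed in MariaDB: ...` line, unlike the CVE-2021-46662 and CVE-2021-46667 hunks in this digest, which record both the unstable version and the upstream fix releases and then get a bullseye line in data/next-point-update.txt. With MDEV-25766 as the only reference, record the first fixed upstream releases once known so the bullseye/buster point-update entries can be filled in. The same applies to the CVE-2021-46663, -46664, -46665, -46668 and -46669 hunks, which follow the same pattern.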
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46662/mariadb
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 165a00cd by Salvatore Bonaccorso at 2022-02-01T10:58:29+01:00 Add CVE-2021-46662/mariadb - - - - - 2 changed files: - data/CVE/list - data/next-point-update.txt Changes: = data/CVE/list = @@ -49,7 +49,12 @@ CVE-2021-46663 (MariaDB through 10.5.13 allows a ha_maria::extra application cra - mariadb-10.3 NOTE: https://jira.mariadb.org/browse/MDEV-26351 CVE-2021-46662 (MariaDB through 10.5.9 allows a set_var.cc application crash via certa ...) - TODO: check + - mariadb-10.6 1:10.6.5-1 + - mariadb-10.5 + - mariadb-10.3 + NOTE: https://jira.mariadb.org/browse/MDEV-25637 + NOTE: https://jira.mariadb.org/browse/MDEV-22464 + NOTE: Fixed in MariaDB: 10.3.32, 10.4.22, 10.5.13, 10.6.5 CVE-2021-46661 (MariaDB through 10.5.9 allows an application crash in find_field_in_ta ...) TODO: check CVE-2021-4218 = data/next-point-update.txt = @@ -10,6 +10,8 @@ CVE-2021-35604 [bullseye] - mariadb-10.5 1:10.5.13-0+deb11u1 CVE-2021-46667 [bullseye] - mariadb-10.5 1:10.5.13-0+deb11u1 +CVE-2021-46662 + [bullseye] - mariadb-10.5 1:10.5.13-0+deb11u1 CVE-2021-44917 [bullseye] - gnuplot 5.4.1+dfsg1-1+deb11u1 CVE-2021-45379 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/165a00cd6a79677b7b7855f648b7827284eda530 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/165a00cd6a79677b7b7855f648b7827284eda530 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46663/mariadb
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 257b307f by Salvatore Bonaccorso at 2022-02-01T10:55:17+01:00 Add CVE-2021-46663/mariadb - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -44,7 +44,10 @@ CVE-2021-46664 (MariaDB through 10.5.9 allows an application crash in sub_select - mariadb-10.3 NOTE: https://jira.mariadb.org/browse/MDEV-25761 CVE-2021-46663 (MariaDB through 10.5.13 allows a ha_maria::extra application crash via ...) - TODO: check + - mariadb-10.6 + - mariadb-10.5 + - mariadb-10.3 + NOTE: https://jira.mariadb.org/browse/MDEV-26351 CVE-2021-46662 (MariaDB through 10.5.9 allows a set_var.cc application crash via certa ...) TODO: check CVE-2021-46661 (MariaDB through 10.5.9 allows an application crash in find_field_in_ta ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/257b307febb81acbec83a4ab25aa0e8f0d116778 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/257b307febb81acbec83a4ab25aa0e8f0d116778 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46664/mariadb
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6dece12b by Salvatore Bonaccorso at 2022-02-01T10:53:59+01:00 Add CVE-2021-46664/mariadb - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -39,7 +39,10 @@ CVE-2021-46665 (MariaDB through 10.5.9 allows a sql_parse.cc application crash b - mariadb-10.3 NOTE: https://jira.mariadb.org/browse/MDEV-25636 CVE-2021-46664 (MariaDB through 10.5.9 allows an application crash in sub_select_postj ...) - TODO: check + - mariadb-10.6 + - mariadb-10.5 + - mariadb-10.3 + NOTE: https://jira.mariadb.org/browse/MDEV-25761 CVE-2021-46663 (MariaDB through 10.5.13 allows a ha_maria::extra application crash via ...) TODO: check CVE-2021-46662 (MariaDB through 10.5.9 allows a set_var.cc application crash via certa ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6dece12be08675daf313c16799e2446b6d7485d8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6dece12be08675daf313c16799e2446b6d7485d8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46665/mariadb
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 953063e0 by Salvatore Bonaccorso at 2022-02-01T10:53:02+01:00 Add CVE-2021-46665/mariadb - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -34,7 +34,10 @@ CVE-2021-4 (MariaDB before 10.6.2 allows an application crash because of mis NOTE: https://jira.mariadb.org/browse/MDEV-25635 NOTE: Fixed in MariaDB: 10.2.39, 10.3.30, 10.4.20, 10.5.11, 10.6.2 CVE-2021-46665 (MariaDB through 10.5.9 allows a sql_parse.cc application crash because ...) - TODO: check + - mariadb-10.6 + - mariadb-10.5 + - mariadb-10.3 + NOTE: https://jira.mariadb.org/browse/MDEV-25636 CVE-2021-46664 (MariaDB through 10.5.9 allows an application crash in sub_select_postj ...) TODO: check CVE-2021-46663 (MariaDB through 10.5.13 allows a ha_maria::extra application crash via ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/953063e075ccfb348091ed401bee2324e049acb7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/953063e075ccfb348091ed401bee2324e049acb7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46666/mariadb
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 50e23d69 by Salvatore Bonaccorso at 2022-02-01T10:49:04+01:00 Add CVE-2021-4/mariadb - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27,7 +27,12 @@ CVE-2021-46667 (MariaDB before 10.6.5 has a sql_lex.cc integer overflow, leading NOTE: https://jira.mariadb.org/browse/MDEV-26350 NOTE: Fixed in MariaDB: 10.2.41, 10.3.32, 10.4.22, 10.5.13, 10.6.5 CVE-2021-4 (MariaDB before 10.6.2 allows an application crash because of mishandli ...) - TODO: check + - mariadb-10.6 (Fixed before initial upload to Debian) + - mariadb-10.5 1:10.5.11-1 + - mariadb-10.3 + [buster] - mariadb-10.3 1:10.3.31-0+deb10u1 + NOTE: https://jira.mariadb.org/browse/MDEV-25635 + NOTE: Fixed in MariaDB: 10.2.39, 10.3.30, 10.4.20, 10.5.11, 10.6.2 CVE-2021-46665 (MariaDB through 10.5.9 allows a sql_parse.cc application crash because ...) TODO: check CVE-2021-46664 (MariaDB through 10.5.9 allows an application crash in sub_select_postj ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50e23d69e5921797302126a622ae3f83d56a7d5d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50e23d69e5921797302126a622ae3f83d56a7d5d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46667/mariadb
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 08808dd4 by Salvatore Bonaccorso at 2022-02-01T10:46:05+01:00 Add CVE-2021-46667/mariadb - - - - - 2 changed files: - data/CVE/list - data/next-point-update.txt Changes: = data/CVE/list = @@ -21,7 +21,11 @@ CVE-2021-46668 (MariaDB through 10.5.9 allows an application crash via certain l - mariadb-10.3 NOTE: https://jira.mariadb.org/browse/MDEV-25787 CVE-2021-46667 (MariaDB before 10.6.5 has a sql_lex.cc integer overflow, leading to an ...) - TODO: check + - mariadb-10.6 1:10.6.5-1 + - mariadb-10.5 + - mariadb-10.3 + NOTE: https://jira.mariadb.org/browse/MDEV-26350 + NOTE: Fixed in MariaDB: 10.2.41, 10.3.32, 10.4.22, 10.5.13, 10.6.5 CVE-2021-4 (MariaDB before 10.6.2 allows an application crash because of mishandli ...) TODO: check CVE-2021-46665 (MariaDB through 10.5.9 allows a sql_parse.cc application crash because ...) = data/next-point-update.txt = @@ -8,6 +8,8 @@ CVE-2021-41270 [bullseye] - symfony 4.4.19+dfsg-2+deb11u1 CVE-2021-35604 [bullseye] - mariadb-10.5 1:10.5.13-0+deb11u1 +CVE-2021-46667 + [bullseye] - mariadb-10.5 1:10.5.13-0+deb11u1 CVE-2021-44917 [bullseye] - gnuplot 5.4.1+dfsg1-1+deb11u1 CVE-2021-45379 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/08808dd44d31132557cb612f41a76240c579a271 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/08808dd44d31132557cb612f41a76240c579a271 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1a2f3607 by Moritz Muehlenhoff at 2022-02-01T10:42:25+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -102,13 +102,13 @@ CVE-2022-24268 CVE-2022-24267 RESERVED CVE-2022-24266 (Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability ...) - TODO: check + NOT-FOR-US: Cuppa CMS CVE-2022-24265 (Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability ...) - TODO: check + NOT-FOR-US: Cuppa CMS CVE-2022-24264 (Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability ...) - TODO: check + NOT-FOR-US: Cuppa CMS CVE-2022-24263 (Hospital Management System v4.0 was discovered to contain a SQL inject ...) - TODO: check + NOT-FOR-US: Hospital Management System CVE-2022-24262 RESERVED CVE-2022-24261 @@ -1362,7 +1362,7 @@ CVE-2022-23874 CVE-2022-23873 RESERVED CVE-2022-23872 (Emlog pro v1.1.1 was discovered to contain a stored cross-site scripti ...) - TODO: check + NOT-FOR-US: Emlog pro CVE-2022-23871 RESERVED CVE-2022-23870 @@ -2011,7 +2011,7 @@ CVE-2022-23776 CVE-2022-23775 RESERVED CVE-2022-23774 (Docker Desktop before 4.4.4 on Windows allows attackers to move arbitr ...) - TODO: check + NOT-FOR-US: Docker Desktop CVE-2022-23773 RESERVED CVE-2022-23772 @@ -2364,9 +2364,9 @@ CVE-2022-23601 [CSRF token missing in forms] CVE-2022-23600 RESERVED CVE-2022-23599 (Products.ATContentTypes are the core content types for Plone 2.1 - 4.3 ...) - TODO: check + NOT-FOR-US: Plone CVE-2022-23598 (laminas-form is a package for validating and displaying simple and com ...) - TODO: check + NOT-FOR-US: laminas-form CVE-2022-23597 RESERVED CVE-2022-23596 
@@ -3129,11 +3129,11 @@ CVE-2022-0272 CVE-2022-0271 RESERVED CVE-2022-0270 (Prior to v0.6.1, bored-agent failed to sanitize incoming kubernetes im ...) - TODO: check + NOT-FOR-US: bored-agent CVE-2022-0269 (Cross-Site Request Forgery (CSRF) in Packagist yetiforce/yetiforce-crm ...) NOT-FOR-US: yetiforce-crm CVE-2022-0268 (Cross-site Scripting (XSS) - Stored in Packagist getgrav/grav prior to ...) - TODO: check + NOT-FOR-US: Grav CMS CVE-2022-0267 RESERVED CVE-2021-46399 @@ -3768,7 +3768,7 @@ CVE-2022-0221 CVE-2022-0220 RESERVED CVE-2022-0219 (Improper Restriction of XML External Entity Reference in GitHub reposi ...) - TODO: check + NOT-FOR-US: jadx CVE-2022-0218 RESERVED CVE-2022-0216 @@ -5100,7 +5100,7 @@ CVE-2022-22822 (addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 ha CVE-2022-22821 (NVIDIA NeMo before 1.6.0 contains a vulnerability in ASR WebApp, in wh ...) NOT-FOR-US: NVIDIA NeMo CVE-2022-22820 (Due to the lack of media file checks before rendering, it was possible ...) - TODO: check + NOT-FOR-US: LINE CVE-2022-22819 RESERVED CVE-2022-22818 @@ -5173,9 +5173,9 @@ CVE-2022-22793 CVE-2022-22792 RESERVED CVE-2022-22791 (SYNEL - eharmony Authenticated Blind Stored XSS. Inject JS code ...) - TODO: check + NOT-FOR-US: SYNEL CVE-2022-22790 (SYNEL - eharmony Directory Traversal. Directory Traversal - is an atta ...) - TODO: check + NOT-FOR-US: SYNEL CVE-2022-22789 (Charactell - FormStorm Enterprise Account takeover An attacker ...) NOT-FOR-US: Charactell - FormStorm Enterprise CVE-2022-22788 @@ -6692,7 +6692,7 @@ CVE-2021-46104 (An issue was discovered in webp_server_go 0.4.0. There is a dire CVE-2021-46103 RESERVED CVE-2021-46102 (From version 0.2.14 to 0.2.16 for Solana rBPF, function "relocate" in ...) - TODO: check + NOT-FOR-US: Solana rBBP CVE-2021-46101 (In Git for windows through 2.34.1 when using git pull to update the lo ...) TODO: check CVE-2021-46100 
@@ -6728,9 +6728,9 @@ CVE-2021-46086 (xzs-mysql = t3.4.0 is vulnerable to Insecure Permissions. Th CVE-2021-46085 (OneBlog = 2.2.8 is vulnerable to Insecure Permissions. Low level a ...) NOT-FOR-US: OneBlog CVE-2021-46084 (uscat, as of 2021-12-28, is vulnerable to Cross Site Scripting (XSS) v ...) - TODO: check + NOT-FOR-US: uscat CVE-2021-46083 (uscat, as of 2021-12-28, is vulnerable to Cross Site Scripting (XSS) v ...) - TODO: check + NOT-FOR-US: uscat CVE-2021-46082 RESERVED CVE-2021-46081 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1a2f3607f40efe2c1f4387198542fbb4f4f3709e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1a2f3607f40efe2c1f4387198542fbb4f4f3709e You're receiving this email because of your account on
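Review bot: in the @@ -6692 hunk the annotation `+ NOT-FOR-US: Solana rBBP` misspells the product; the CVE-2021-46102 description on the same line reads "Solana rBPF", and since NOT-FOR-US strings are what people grep the list for, it should be `NOT-FOR-US: Solana rBPF`. The remaining TODO-to-NOT-FOR-US conversions in this batch match their descriptions.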
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46668/mariadb
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e080086 by Salvatore Bonaccorso at 2022-02-01T10:40:27+01:00 Add CVE-2021-46668/mariadb - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16,7 +16,10 @@ CVE-2021-46669 (MariaDB through 10.5.9 allows attackers to trigger a convert_con - mariadb-10.3 NOTE: https://jira.mariadb.org/browse/MDEV-25638 CVE-2021-46668 (MariaDB through 10.5.9 allows an application crash via certain long SE ...) - TODO: check + - mariadb-10.6 + - mariadb-10.5 + - mariadb-10.3 + NOTE: https://jira.mariadb.org/browse/MDEV-25787 CVE-2021-46667 (MariaDB before 10.6.5 has a sql_lex.cc integer overflow, leading to an ...) TODO: check CVE-2021-4 (MariaDB before 10.6.2 allows an application crash because of mishandli ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e080086bb182def901bc92eb8dff478037623b9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e080086bb182def901bc92eb8dff478037623b9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46669/mariadb
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 150627c4 by Salvatore Bonaccorso at 2022-02-01T10:38:11+01:00 Add CVE-2021-46669/mariadb - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11,7 +11,10 @@ CVE-2022-0437 CVE-2022-0436 RESERVED CVE-2021-46669 (MariaDB through 10.5.9 allows attackers to trigger a convert_const_to_ ...) - TODO: check + - mariadb-10.6 + - mariadb-10.5 + - mariadb-10.3 + NOTE: https://jira.mariadb.org/browse/MDEV-25638 CVE-2021-46668 (MariaDB through 10.5.9 allows an application crash via certain long SE ...) TODO: check CVE-2021-46667 (MariaDB before 10.6.5 has a sql_lex.cc integer overflow, leading to an ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/150627c4feaf57b9a1e503e0e76652bfe805349b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/150627c4feaf57b9a1e503e0e76652bfe805349b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
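Review bot: CVE-2021-46669 is triaged here by replacing `TODO: check` with bare `- mariadb-10.6` / `- mariadb-10.5` / `- mariadb-10.3` lines, which leaves the issue open against all three packages with no fixed version and no per-suite annotation for bullseye or buster; the description says "MariaDB through 10.5.9", so once MDEV-25638 has been read for the fixed release, the 10.6 line should either get that version or be dropped, and the older branches should get their usual suite triage.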
[Git][security-tracker-team/security-tracker][master] NFU
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: 46c238ac by Henri Salo at 2022-02-01T11:15:27+02:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12377,6 +12377,7 @@ CVE-2021-44453 (mySCADA myPRO: Versions 8.20.0 and prior has a vulnerable debug NOT-FOR-US: mySCADA myPRO CVE-2021-44451 RESERVED + NOT-FOR-US: Apache Superset CVE-2021-44450 (A vulnerability has been identified in JT Utilities (All versions ...) NOT-FOR-US: Siemens CVE-2021-9 (A vulnerability has been identified in JT Utilities (All versions ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46c238ac902f84385165ba47a44ae46e24e2cee4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46c238ac902f84385165ba47a44ae46e24e2cee4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
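Review bot: `+ NOT-FOR-US: Apache Superset` is added under CVE-2021-44451 while the entry is still `RESERVED` with no description text in the list, so nothing in the hunk shows where the Superset attribution comes from; the neighbouring NOT-FOR-US entries at least carry their CVE summary, and a NOTE line with the upstream advisory or announcement URL would let the next triager verify this one rather than take it on trust.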
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 63bc46fb by security tracker role at 2022-02-01T08:10:17+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,35 @@ +CVE-2022-24286 + RESERVED +CVE-2022-24285 + RESERVED +CVE-2022-24284 + RESERVED +CVE-2022-24283 + RESERVED +CVE-2022-0437 + RESERVED +CVE-2022-0436 + RESERVED +CVE-2021-46669 (MariaDB through 10.5.9 allows attackers to trigger a convert_const_to_ ...) + TODO: check +CVE-2021-46668 (MariaDB through 10.5.9 allows an application crash via certain long SE ...) + TODO: check +CVE-2021-46667 (MariaDB before 10.6.5 has a sql_lex.cc integer overflow, leading to an ...) + TODO: check +CVE-2021-4 (MariaDB before 10.6.2 allows an application crash because of mishandli ...) + TODO: check +CVE-2021-46665 (MariaDB through 10.5.9 allows a sql_parse.cc application crash because ...) + TODO: check +CVE-2021-46664 (MariaDB through 10.5.9 allows an application crash in sub_select_postj ...) + TODO: check +CVE-2021-46663 (MariaDB through 10.5.13 allows a ha_maria::extra application crash via ...) + TODO: check +CVE-2021-46662 (MariaDB through 10.5.9 allows a set_var.cc application crash via certa ...) + TODO: check +CVE-2021-46661 (MariaDB through 10.5.9 allows an application crash in find_field_in_ta ...) + TODO: check +CVE-2021-4218 + RESERVED CVE-2022-24282 RESERVED CVE-2022-24281 
@@ -63,14 +95,14 @@ CVE-2022-24268 RESERVED CVE-2022-24267 RESERVED -CVE-2022-24266 - RESERVED -CVE-2022-24265 - RESERVED -CVE-2022-24264 - RESERVED -CVE-2022-24263 - RESERVED +CVE-2022-24266 (Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability ...) + TODO: check +CVE-2022-24265 (Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability ...) + TODO: check +CVE-2022-24264 (Cuppa CMS v1.0 was discovered to contain a SQL injection vulnerability ...) + TODO: check +CVE-2022-24263 (Hospital Management System v4.0 was discovered to contain a SQL inject ...) + TODO: check CVE-2022-24262 RESERVED CVE-2022-24261 @@ -1323,8 +1355,8 @@ CVE-2022-23874 RESERVED CVE-2022-23873 RESERVED -CVE-2022-23872 - RESERVED +CVE-2022-23872 (Emlog pro v1.1.1 was discovered to contain a stored cross-site scripti ...) + TODO: check CVE-2022-23871 RESERVED CVE-2022-23870 @@ -1972,8 +2004,8 @@ CVE-2022-23776 RESERVED CVE-2022-23775 RESERVED -CVE-2022-23774 - RESERVED +CVE-2022-23774 (Docker Desktop before 4.4.4 on Windows allows attackers to move arbitr ...) + TODO: check CVE-2022-23773 RESERVED CVE-2022-23772 @@ -5773,6 +5805,7 @@ CVE-2022-22596 CVE-2022-22595 RESERVED CVE-2022-22594 [A cross-origin issue in the IndexDB API was addressed with improved input validation] + RESERVED {DSA-5061-1 DSA-5060-1} - webkit2gtk 2.34.4-1 [stretch] - webkit2gtk (Not covered by security support in stretch) @@ -14030,8 +14063,8 @@ CVE-2022-21661 (WordPress is a free and open-source content management system wr NOTE: https://www.zerodayinitiative.com/blog/2022/1/18/cve-2021-21661-exposing-database-info-via-wordpress-sql-injection CVE-2022-21660 RESERVED -CVE-2022-21659 - RESERVED +CVE-2022-21659 (Flask-AppBuilder is an application development framework, built on top ...) + TODO: check CVE-2022-21658 (Rust is a multi-paradigm, general-purpose programming language designe ...) - rustc NOTE: https://github.com/rust-lang/wg-security-response/tree/master/patches/CVE-2022-21658 
@@ -46527,7 +46560,7 @@ CVE-2018-25014 (A flaw was found in libwebp in versions before 1.0.1. An unitial - libwebp 0.6.1-2.1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9496 CVE-2021-3534 - RESERVED + REJECTED CVE-2021-3533 (A flaw was found in Ansible if an ansible user sets ANSIBLE_ASYNC_DIR ...) - ansible [bullseye] - ansible (Minor issue, revisit when/if fixed upstream) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63bc46fb702799e19f85fae65633b0c1604f4ae5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63bc46fb702799e19f85fae65633b0c1604f4ae5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
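Review bot: in the first hunk (@@ -1,3 +1,35 @@) the line `+CVE-2021-4 (MariaDB before 10.6.2 allows an application crash because of mishandli ...)` has an identifier that does not fit the descending CVE-2021-46667 / CVE-2021-46665 sequence around it; as it appears here the id is truncated, and the entry should be checked against the CVE feed before it is triaged, otherwise the tracker carries an id that no advisory will ever match.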
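Review bot: the hunk at @@ -5773,6 +5805,7 @@ inserts `+ RESERVED` into CVE-2022-22594, an entry that already has a description, the `{DSA-5061-1 DSA-5060-1}` references and the `webkit2gtk 2.34.4-1` fix line; a RESERVED marker on a published and fixed issue is contradictory and presumably reflects the automatic update seeing the id as still reserved upstream, so that line should be dropped (or the entry reconciled with the feed) rather than left in the list.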