[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3859/undertow

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9f926da4 by Salvatore Bonaccorso at 2022-02-02T07:43:29+01:00
Add CVE-2021-3859/undertow

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -22183,6 +22183,9 @@ CVE-2021-3860 (JFrog Artifactory before 7.25.4 
(Enterprise+ deployments only), i
NOT-FOR-US: JFrog Artifactory
 CVE-2021-3859
RESERVED
+   - undertow 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2010378
+   TODO: check details
 CVE-2021-42008 (The decode_data function in drivers/net/hamradio/6pack.c in 
the Linux  ...)
{DLA-2843-1 DLA-2785-1}
- linux 5.14.6-1
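Review bot: the version field after `- undertow` on the first added line renders empty; the tracker format requires either a Debian version or a pseudo-version such as `<unfixed>` there, and an angle-bracket token is exactly what HTML-to-text conversion drops, so check the committed line rather than assume it is malformed. The `TODO: check details` marker correctly records that the Red Hat bug is the only source so far and that no severity or per-suite assessment has been made yet.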



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f926da43a63fb3611a5e563294121f7037c1946

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f926da43a63fb3611a5e563294121f7037c1946
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Add CVE-2021-4218/linux

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5fffe2b6 by Salvatore Bonaccorso at 2022-02-02T07:41:44+01:00
Add CVE-2021-4218/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -188,6 +188,9 @@ CVE-2021-46661 (MariaDB through 10.5.9 allows an 
application crash in find_field
NOTE: https://jira.mariadb.org/browse/MDEV-25766
 CVE-2021-4218
RESERVED
+   - linux 5.8.7-1
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2048359
+   NOTE: Fixed by: 
https://git.kernel.org/linus/32927393dc1ccd60fb2bdc05b9e8e88753761469 (5.8-rc1)
 CVE-2022-24282
RESERVED
 CVE-2022-24281
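Review bot: the fixed version `5.8.7-1` and the `(5.8-rc1)` annotation on the kernel commit agree with each other, but the entry has no `[buster]` line; buster ships a 4.19 kernel, which the tracker will list as affected by a fixed-in-5.8.7-1 issue unless a backport is tracked or a pseudo-version with a reason (for example `<not-affected>` if the code is absent in 4.19) is added. Worth settling before the `TODO`-free entry is taken as complete.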



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5fffe2b690660a3466a0322c7967d88694b12eeb



[Git][security-tracker-team/security-tracker][master] Expand notes for CVE-2022-24300

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fcddc403 by Salvatore Bonaccorso at 2022-02-02T07:31:45+01:00
Expand notes for CVE-2022-24300

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1907,6 +1907,10 @@ CVE-2022-24300 [ItemStack meta injection vulnerability]
- minetest 5.4.1+repack-1 (bug #1004223)
NOTE: 
https://github.com/minetest/minetest/security/advisories/GHSA-hwj2-xf72-r4cf
NOTE: Fixed by: 
https://github.com/minetest/minetest/commit/b5956bde259faa240a81060ff4e598e25ad52dae
 (5.4.0)
+   NOTE: When fixing this issue the fix for GHSA-7q63-4fq2-hqcr should be 
included,
+   NOTE: which is not a vulnerability by itself, and won't get a CVE 
assigned:
+   NOTE: 
https://github.com/minetest/minetest/security/advisories/GHSA-7q63-4fq2-hqcr
+   NOTE: 
https://github.com/minetest/minetest/commit/8d6a0b917ce1e7f4f1017835af0ca76e79c98c38
 (5.2.0)
 CVE-2022-24301 [Players can access the inventories of other players]
- minetest 5.4.1+repack-1
NOTE: 
https://github.com/minetest/minetest/security/advisories/GHSA-fvwv-qcq6-wmp5
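Review bot: recording why a non-CVE fix should ride along with the CVE-2022-24300 update is the right use of NOTE lines, but the explanatory sentence is split mid-clause across the first two NOTE lines; since each NOTE renders as a separate item, keep one sentence per NOTE. The `(5.2.0)` annotation on the GHSA-7q63-4fq2-hqcr commit marks the upstream release that already contains it, so it is worth saying explicitly that only suites with minetest older than 5.2.0 need the extra commit.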



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fcddc403fc1814e72d94c1fcc9acb2e1a3029ef2



[Git][security-tracker-team/security-tracker][master] Drop one previously added minetest temporary entry

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
58847c65 by Salvatore Bonaccorso at 2022-02-02T07:26:58+01:00
Drop one previously added minetest temporary entry

While a fix exists in the form of
https://github.com/minetest/minetest/commit/8d6a0b917ce1e7f4f1017835af0ca76e79c98c38
and should ideally be included in an update, the issue itself states:

Because passing user input to this function is inherently insecure, this
issue isn't considered a vulnerability by itself.

Thus there won't be a CVE assigned for this.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1903,10 +1903,6 @@ CVE-2022-0340
RESERVED
 CVE-2021-4209
RESERVED
-CVE-2021- [Remote Code Execution using minetest.deserialize]
-   - minetest 5.2.0+repack-1
-   NOTE: 
https://github.com/minetest/minetest/security/advisories/GHSA-7q63-4fq2-hqcr
-   NOTE: Fixed by: 
https://github.com/minetest/minetest/commit/8d6a0b917ce1e7f4f1017835af0ca76e79c98c38
 (5.2.0)
 CVE-2022-24300 [ItemStack meta injection vulnerability]
- minetest 5.4.1+repack-1 (bug #1004223)
NOTE: 
https://github.com/minetest/minetest/security/advisories/GHSA-hwj2-xf72-r4cf
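Review bot: dropping the placeholder is consistent with the commit message, and the commit it pointed at is still referenced from the CVE-2022-24300 entry (the notes expanded in fcddc403 above), so the pointer to the fix is not lost. The `CVE-2021-` id with no number is this file's convention for a not-yet-assigned id, so removing the whole entry, rather than leaving an id-less stub, is the correct form.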



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58847c65af5281f87365fa7557c90620d17b7ee0



[Git][security-tracker-team/security-tracker][master] CVE-2022-24301 assigned

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5c7f7d14 by Salvatore Bonaccorso at 2022-02-02T07:25:17+01:00
CVE-2022-24301 assigned

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1911,7 +1911,7 @@ CVE-2022-24300 [ItemStack meta injection vulnerability]
- minetest 5.4.1+repack-1 (bug #1004223)
NOTE: 
https://github.com/minetest/minetest/security/advisories/GHSA-hwj2-xf72-r4cf
NOTE: Fixed by: 
https://github.com/minetest/minetest/commit/b5956bde259faa240a81060ff4e598e25ad52dae
 (5.4.0)
-CVE-2021- [Players can access the inventories of other players]
+CVE-2022-24301 [Players can access the inventories of other players]
- minetest 5.4.1+repack-1
NOTE: 
https://github.com/minetest/minetest/security/advisories/GHSA-fvwv-qcq6-wmp5
NOTE: Fixed by: 
https://github.com/minetest/minetest/commit/3693b6871eba268ecc79b3f52d00d3cefe761131
 (5.4.0)
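Review bot: only the id line changes, which is fine, but unlike the CVE-2022-24300 entry directly above, this entry records no Debian bug on its package line; if bug #1004223 covers both advisories, add `(bug #1004223)` to the `- minetest 5.4.1+repack-1` line here too so the tracker links the two.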



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c7f7d149fe030e104aa16b90eaf8926db73c2b2



[Git][security-tracker-team/security-tracker][master] CVE-2022-24300 assigned

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f9e537c6 by Salvatore Bonaccorso at 2022-02-02T07:23:44+01:00
CVE-2022-24300 assigned

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1907,7 +1907,7 @@ CVE-2021- [Remote Code Execution using 
minetest.deserialize]
- minetest 5.2.0+repack-1
NOTE: 
https://github.com/minetest/minetest/security/advisories/GHSA-7q63-4fq2-hqcr
NOTE: Fixed by: 
https://github.com/minetest/minetest/commit/8d6a0b917ce1e7f4f1017835af0ca76e79c98c38
 (5.2.0)
-CVE-2021- [ItemStack meta injection vulnerability]
+CVE-2022-24300 [ItemStack meta injection vulnerability]
- minetest 5.4.1+repack-1 (bug #1004223)
NOTE: 
https://github.com/minetest/minetest/security/advisories/GHSA-hwj2-xf72-r4cf
NOTE: Fixed by: 
https://github.com/minetest/minetest/commit/b5956bde259faa240a81060ff4e598e25ad52dae
 (5.4.0)
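Review bot: the other placeholder in this hunk's context, `CVE-2021- [Remote Code Execution using minetest.deserialize]`, is deliberately left alone; it is dropped rather than assigned in 58847c65 above, matching the advisory's statement that passing user input to that function is not a vulnerability by itself.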



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f9e537c61bbf7120584f74f1d1b20c83e16496c2



[Git][security-tracker-team/security-tracker][master] Add chromium to dsa-needed list

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f40503a1 by Salvatore Bonaccorso at 2022-02-02T06:29:07+01:00
Add chromium to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 --
 asterisk/oldstable
 --
+chromium
+--
 condor
 --
 cryptsetup/stable (corsac)
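Review bot: the new entry sits alphabetically between `asterisk/oldstable` and `condor` and has no `/release` suffix, so it applies to the default release; it also carries no claimant in parentheses, as `cryptsetup/stable (corsac)` does, so it stays unassigned until someone adds their name.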



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f40503a113366e3e64de8458532d1d6b64a1328d



[Git][security-tracker-team/security-tracker][master] Add new chromium issues

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
939b5ea7 by Salvatore Bonaccorso at 2022-02-02T06:28:14+01:00
Add new chromium issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19,43 +19,81 @@ CVE-2022-21799
 CVE-2022-21173
RESERVED
 CVE-2022-0470
-   RESERVED
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0469
-   RESERVED
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0468
-   RESERVED
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0467
-   RESERVED
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0466
-   RESERVED
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0465
-   RESERVED
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0464
-   RESERVED
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0463
-   RESERVED
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0462
-   RESERVED
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0461
-   RESERVED
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0460
-   RESERVED
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0459
-   RESERVED
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0458
-   RESERVED
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0457
-   RESERVED
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0456
-   RESERVED
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0455
-   RESERVED
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0454
-   RESERVED
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0453
-   RESERVED
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0452
-   RESERVED
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0451
RESERVED
 CVE-2022-0450
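Review bot: all nineteen entries follow the same three-line pattern, and in every one the version field after `- chromium` and after the `[buster]`/`[stretch]` markers renders empty; the file uses angle-bracket pseudo-versions there (`<unfixed>` for unstable, and presumably `<end-of-life>` for the two older suites, given that `see DSA 5046` and `see DSA 4562` point at the advisories that ended chromium support in buster and stretch), which HTML-to-text conversion strips. Nothing in the hunk says which upstream Chrome release these ids belong to; one NOTE with the upstream release announcement on the first entry would help whoever prepares the DSA.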



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/939b5ea7c7601d4fd0bbc1e88d9485757b789a8f



[Git][security-tracker-team/security-tracker][master] Ignore CVE-2021-44141 for buster and bullseye

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2c367703 by Salvatore Bonaccorso at 2022-02-01T23:36:08+01:00
Ignore CVE-2021-44141 for buster and bullseye

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13434,6 +13434,8 @@ CVE-2021-44142 [Out-of-bounds heap read/write 
vulnerability in VFS module vfs_fr
 CVE-2021-44141 [Information leak via symlinks of existance of files or 
directories outside of the exported share]
RESERVED
- samba  (bug #1004692)
+   [bullseye] - samba  (Minor issue; no backport to older 
versions, mitigations exists)
+   [buster] - samba  (Minor issue; no backport to older versions, 
mitigations exists)
NOTE: https://www.samba.org/samba/security/CVE-2021-44141.html
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14911
 CVE-2021-44140 (Remote attackers may delete arbitrary files in a system 
hosting a JSPW ...)
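Review bot: the commit message says `Ignore`, so the token that renders empty between `- samba` and the parenthesised reason on the two added lines is the `<ignored>` pseudo-version; the reason text should read `mitigations exist`, not `mitigations exists`. The `existance` in the bracketed description is a pre-existing typo on a context line, not part of this change, and can be fixed in a follow-up.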



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c3677033261fc2f1f3e78577d4e0ccbddd40fc7



[Git][security-tracker-team/security-tracker][master] Reference upstream commit for CVE-2022-24130/xterm

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
81f4cb72 by Salvatore Bonaccorso at 2022-02-01T22:42:08+01:00
Reference upstream commit for CVE-2022-24130/xterm

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -504,6 +504,7 @@ CVE-2022-24130 (xterm through Patch 370, when Sixel support 
is enabled, allows a
NOTE: https://twitter.com/nickblack/status/1487731459398025216
NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/2
NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/3
+   NOTE: 
https://github.com/ThomasDickey/xterm-snapshots/commit/1584fc227673264661250d3a8d673c168ac9512d
 CVE-2022-24129
RESERVED
NOT-FOR-US: Shibboleth identity provider OIDC OP plugin
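Review bot: the added NOTE references the upstream commit but, unlike the `Fixed by:` notes elsewhere in this file (for example the django entries tagged `(main)` and `(4.0.2)`), it has neither the `Fixed by:` prefix nor the upstream patch level that contains it; with the Debian fix at `370-2` and the description saying `through Patch 370`, recording the xterm patch number the commit shipped in tells stable maintainers which upstream release to compare against.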



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/81f4cb72a5aa737e791889c55fc2f8ec741d1ae0



[Git][security-tracker-team/security-tracker][master] Track fixed version for python-django issues via unstable

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
60708da6 by Salvatore Bonaccorso at 2022-02-01T22:06:38+01:00
Track fixed version for python-django issues via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1929,7 +1929,7 @@ CVE-2022-23834
 CVE-2022-23833
RESERVED
{DLA-2906-1}
-   - python-django  (bug #1004752)
+   - python-django 2:3.2.12-1 (bug #1004752)
NOTE: 
https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
NOTE: 
https://github.com/django/django/commit/fc18f36c4ab94399366ca2f2007b3692559a6f23
 (main)
NOTE: 
https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9
 (4.0.2)
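Review bot: the fixed version `2:3.2.12-1` comes from the 3.2.x branch, but the `Fixed by:` notes under it list only the `(main)` and `(4.0.2)` commits; the same upstream security release also shipped 3.2.12, so the 3.2 branch commit should be added as a NOTE for whoever backports to bullseye.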
@@ -5227,7 +5227,7 @@ CVE-2022-22819
 CVE-2022-22818
RESERVED
{DLA-2906-1}
-   - python-django  (bug #1004752)
+   - python-django 2:3.2.12-1 (bug #1004752)
NOTE: 
https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
NOTE: 
https://github.com/django/django/commit/394517f07886495efcf79f95c7ee402a9437bd68
 (main)
NOTE: 
https://github.com/django/django/commit/01422046065d2b51f8f613409cad2c81b39487e5
 (4.0.2)
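Review bot: same point as for CVE-2022-23833 above: the fixed version is from 3.2.x, yet only the `(main)` and `(4.0.2)` fix commits are noted, so the 3.2 branch commit is missing from this entry too.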



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60708da676c3d568df5e2c26af006d8225047815



[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2022-24130/xterm

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
daf5d066 by Salvatore Bonaccorso at 2022-02-01T21:40:53+01:00
Add fixed version for CVE-2022-24130/xterm

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -500,7 +500,7 @@ CVE-2022-0416
 CVE-2022-0415
RESERVED
 CVE-2022-24130 (xterm through Patch 370, when Sixel support is enabled, allows 
attacke ...)
-   - xterm  (bug #1004689)
+   - xterm 370-2 (bug #1004689)
NOTE: https://twitter.com/nickblack/status/1487731459398025216
NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/2
NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/3
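Review bot: `370-2` is a Debian revision on top of upstream Patch 370, which is consistent with the description `through Patch 370`; the entry should also say which upstream change the 370-2 patch carries, which the follow-up commit 81f4cb72 shown above does by adding the xterm-snapshots commit.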



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/daf5d06636892aae6c4c631a41b60e3096c1423b



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
878dbd1b by Salvatore Bonaccorso at 2022-02-01T21:39:56+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -302,17 +302,17 @@ CVE-2022-24225
 CVE-2022-24224
RESERVED
 CVE-2022-24223 (AtomCMS v2.0 was discovered to contain a SQL injection 
vulnerability v ...)
-   TODO: check
+   NOT-FOR-US: AtomCMS
 CVE-2022-24222 (eliteCMS v1.0 was discovered to contain a SQL injection 
vulnerability  ...)
-   TODO: check
+   NOT-FOR-US: eliteCMS
 CVE-2022-24221 (eliteCMS v1.0 was discovered to contain a SQL injection 
vulnerability  ...)
-   TODO: check
+   NOT-FOR-US: eliteCMS
 CVE-2022-24220 (eliteCMS v1.0 was discovered to contain a SQL injection 
vulnerability  ...)
-   TODO: check
+   NOT-FOR-US: eliteCMS
 CVE-2022-24219 (eliteCMS v1.0 was discovered to contain a SQL injection 
vulnerability  ...)
-   TODO: check
+   NOT-FOR-US: eliteCMS
 CVE-2022-24218 (An issue in /admin/delete_image.php of eliteCMS v1.0 allows 
attackers  ...)
-   TODO: check
+   NOT-FOR-US: eliteCMS
 CVE-2022-24217
RESERVED
 CVE-2022-24216
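Review bot: `NOT-FOR-US` with the product name is the correct triage here, since neither AtomCMS nor eliteCMS is packaged in Debian; the hunk is the manual follow-up to the `TODO: check` lines the automatic update 538120a8 introduced (its hunk further down shows the same six ids).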



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/878dbd1bce61603a2f8d951200cfc9b5f8943f1f



[Git][security-tracker-team/security-tracker][master] Reserve DLA-2907-1 for apache2

2022-02-01 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3ac67d6a by Anton Gladky at 2022-02-01T21:31:12+01:00
Reserve DLA-2907-1 for apache2

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[01 Feb 2022] DLA-2907-1 apache2 - security update
+   {CVE-2021-44224 CVE-2021-44790}
+   [stretch] - apache2 2.4.25-3+deb9u12
 [01 Feb 2022] DLA-2906-1 python-django - security update
{CVE-2022-22818 CVE-2022-23833}
[stretch] - python-django 1:1.10.7-2+deb9u15
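Review bot: the new DLA line pairs both CVE ids with the stretch fix `2.4.25-3+deb9u12` and is inserted at the top, keeping the file's reverse-chronological order; the companion hunk below removes the `apache2 (Anton)` claim and its WIP notes from dla-needed.txt, which is the expected pair of changes once the DLA is reserved.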


=
data/dla-needed.txt
=
@@ -18,10 +18,6 @@ ansible
   NOTE: 20210411: after that LTS. (apo)
   NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
 --
-apache2 (Anton)
-  NOTE: 20220109: WIP https://salsa.debian.org/lts-team/packages/apache2 
(Anton)
-  NOTE: 20220124: WIP
---
 apng2gif
   NOTE: 20211229: CVE-2017-6960 was fixed in DLAs for wheezy and jessie
   NOTE: 20211229: but is unfixed in stretch, plus 2 additional CVEs (bunk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ac67d6a7060b39e5f6fb1dd8193ef6435c28484



[Git][security-tracker-team/security-tracker][master] Process several NFUs

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
44259065 by Salvatore Bonaccorso at 2022-02-01T21:27:46+01:00
Process several NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2103,7 +2103,7 @@ CVE-2022-0322 [DoS in sctp_addto_chunk in 
net/sctp/sm_make_chunk.c]
 CVE-2022-0321
RESERVED
 CVE-2022-0320 (The Essential Addons for Elementor WordPress plugin before 
5.0.5 does  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2022-0319 (Out-of-bounds Read in vim/vim prior to 8.2. ...)
- vim 
[bullseye] - vim  (Minor issue)
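Review bot: `NOT-FOR-US: WordPress plugin` is the established triage for third-party WordPress plugins, which Debian does not package, and the same one-line change repeats in each remaining hunk of this commit. The context line `- vim ` under CVE-2022-0319 renders with an empty version field; that is the `<unfixed>` pseudo-version dropped by HTML-to-text conversion, not something this change touched.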
@@ -3887,7 +3887,7 @@ CVE-2022-0222
 CVE-2022-0221
RESERVED
 CVE-2022-0220 (The check_privacy_settings AJAX action of the WordPress GDPR 
WordPress ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2022-0219 (Improper Restriction of XML External Entity Reference in GitHub 
reposi ...)
NOT-FOR-US: jadx
 CVE-2022-0218
@@ -64683,7 +64683,7 @@ CVE-2021-25099
 CVE-2021-25098
RESERVED
 CVE-2021-25097 (The LabTools WordPress plugin through 1.0 does not have proper 
authori ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2021-25096
RESERVED
 CVE-2021-25095
@@ -64691,15 +64691,15 @@ CVE-2021-25095
 CVE-2021-25094
RESERVED
 CVE-2021-25093 (The Link Library WordPress plugin before 7.2.8 does not have 
authorisa ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2021-25092 (The Link Library WordPress plugin before 7.2.8 does not have 
CSRF chec ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2021-25091 (The Link Library WordPress plugin before 7.2.9 does not 
sanitise and e ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2021-25090
RESERVED
 CVE-2021-25089 (The UpdraftPlus WordPress Backup Plugin WordPress plugin 
before 1.16.6 ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2021-25088
RESERVED
 CVE-2021-25087
@@ -64707,7 +64707,7 @@ CVE-2021-25087
 CVE-2021-25086
RESERVED
 CVE-2021-25085 (The WOOF WordPress plugin before 1.2.6.3 does not sanitise and 
escape  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2021-25084
RESERVED
 CVE-2021-25083 (The Registrations for the Events Calendar WordPress plugin 
before 2.7. ...)
@@ -64733,7 +64733,7 @@ CVE-2021-25074 (The WebP Converter for Media WordPress 
plugin before 4.0.3 conta
 CVE-2021-25073 (The WP125 WordPress plugin before 1.5.5 does not have CSRF 
checks in v ...)
NOT-FOR-US: WordPress plugin
 CVE-2021-25072 (The NextScripts: Social Networks Auto-Poster WordPress plugin 
before 4 ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2021-25071
RESERVED
 CVE-2021-25070
@@ -64751,7 +64751,7 @@ CVE-2021-25065 (The Smash Balloon Social Post Feed 
WordPress plugin before 4.1.1
 CVE-2021-25064
RESERVED
 CVE-2021-25063 (The Contact Form 7 Skins WordPress plugin through 2.5.0 does 
not sanit ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2021-25062 (The Orders Tracking for WooCommerce WordPress plugin before 
1.1.10 doe ...)
NOT-FOR-US: WordPress plugin
 CVE-2021-25061 (The WP Booking System WordPress plugin before 2.0.15 was 
affected by a ...)
@@ -64911,7 +64911,7 @@ CVE-2021-24985 (The Easy Forms for Mailchimp WordPress 
plugin before 6.8.6 does
 CVE-2021-24984 (The WPFront User Role Editor WordPress plugin before 
3.2.1.11184 does  ...)
NOT-FOR-US: WordPress plugin
 CVE-2021-24983 (The Asset CleanUp: Page Speed Booster WordPress plugin before 
1.3.8.5  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2021-24982
RESERVED
 CVE-2021-24981 (The Directorist WordPress plugin before 7.0.6.2 was vulnerable 
to Cros ...)
@@ -64927,7 +64927,7 @@ CVE-2021-24977
 CVE-2021-24976 (The Smart SEO Tool WordPress plugin before 3.0.6 does not 
sanitise and ...)
NOT-FOR-US: WordPress plugin
 CVE-2021-24975 (The NextScripts: Social Networks Auto-Poster WordPress plugin 
before 4 ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2021-24974 (The Product Feed PRO for WooCommerce WordPress plugin before 
11.0.7 do ...)
NOT-FOR-US: WordPress plugin
 CVE-2021-24973 (The Site Reviews WordPress plugin before 5.17.3 does not 
sanitise and  ...)
@@ -64989,7 +64989,7 @@ CVE-2021-24946 (The Modern Events Calendar Lite 
WordPress plugin before 6.1.5 do
 CVE-2021-24945 (The Like Button Rating  LikeBtn WordPress plugin before 
2.6.38  ...)
NOT-FOR-US: WordPress plugin
 CVE-2021-24944 (The Custom Dashboard  Login Page WordPress plugin before 
7.0 does ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2021-24943 (The Registrations for the Events Calendar WordPress plugin 
before 2.7. ...)
NOT-FOR-US: WordPress plugin
 CVE-2021-24942

[Git][security-tracker-team/security-tracker][master] automatic update

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
538120a8 by security tracker role at 2022-02-01T20:10:17+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,91 @@
+CVE-2022-24294
+   RESERVED
+CVE-2022-24293
+   RESERVED
+CVE-2022-24292
+   RESERVED
+CVE-2022-24291
+   RESERVED
+CVE-2022-24290
+   RESERVED
+CVE-2022-24289
+   RESERVED
+CVE-2022-24288
+   RESERVED
+CVE-2022-24287
+   RESERVED
+CVE-2022-21799
+   RESERVED
+CVE-2022-21173
+   RESERVED
+CVE-2022-0470
+   RESERVED
+CVE-2022-0469
+   RESERVED
+CVE-2022-0468
+   RESERVED
+CVE-2022-0467
+   RESERVED
+CVE-2022-0466
+   RESERVED
+CVE-2022-0465
+   RESERVED
+CVE-2022-0464
+   RESERVED
+CVE-2022-0463
+   RESERVED
+CVE-2022-0462
+   RESERVED
+CVE-2022-0461
+   RESERVED
+CVE-2022-0460
+   RESERVED
+CVE-2022-0459
+   RESERVED
+CVE-2022-0458
+   RESERVED
+CVE-2022-0457
+   RESERVED
+CVE-2022-0456
+   RESERVED
+CVE-2022-0455
+   RESERVED
+CVE-2022-0454
+   RESERVED
+CVE-2022-0453
+   RESERVED
+CVE-2022-0452
+   RESERVED
+CVE-2022-0451
+   RESERVED
+CVE-2022-0450
+   RESERVED
+CVE-2022-0449
+   RESERVED
+CVE-2022-0448
+   RESERVED
+CVE-2022-0447
+   RESERVED
+CVE-2022-0446
+   RESERVED
+CVE-2022-0445
+   RESERVED
+CVE-2022-0444
+   RESERVED
+CVE-2022-0443
+   RESERVED
+CVE-2022-0442
+   RESERVED
+CVE-2022-0441
+   RESERVED
+CVE-2022-0440
+   RESERVED
+CVE-2022-0439
+   RESERVED
+CVE-2022-0438
+   RESERVED
+CVE-2021-46670
+   RESERVED
 CVE-2022-24286
RESERVED
 CVE-2022-24285
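Review bot: this hunk is the automatic import of newly reserved ids, so the long run of `RESERVED` placeholders is expected; the CVE-2022-0452 to CVE-2022-0470 block it adds is exactly what 939b5ea7 above then fills in with the chromium package lines, so the two hunks should be read together.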
@@ -213,18 +301,18 @@ CVE-2022-24225
RESERVED
 CVE-2022-24224
RESERVED
-CVE-2022-24223
-   RESERVED
-CVE-2022-24222
-   RESERVED
-CVE-2022-24221
-   RESERVED
-CVE-2022-24220
-   RESERVED
-CVE-2022-24219
-   RESERVED
-CVE-2022-24218
-   RESERVED
+CVE-2022-24223 (AtomCMS v2.0 was discovered to contain a SQL injection 
vulnerability v ...)
+   TODO: check
+CVE-2022-24222 (eliteCMS v1.0 was discovered to contain a SQL injection 
vulnerability  ...)
+   TODO: check
+CVE-2022-24221 (eliteCMS v1.0 was discovered to contain a SQL injection 
vulnerability  ...)
+   TODO: check
+CVE-2022-24220 (eliteCMS v1.0 was discovered to contain a SQL injection 
vulnerability  ...)
+   TODO: check
+CVE-2022-24219 (eliteCMS v1.0 was discovered to contain a SQL injection 
vulnerability  ...)
+   TODO: check
+CVE-2022-24218 (An issue in /admin/delete_image.php of eliteCMS v1.0 allows 
attackers  ...)
+   TODO: check
 CVE-2022-24217
RESERVED
 CVE-2022-24216
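Review bot: the importer replaces the `RESERVED` placeholders with the MITRE descriptions, truncated with `...`, and marks each `TODO: check`; the full record has to be read before triage, and the resulting `NOT-FOR-US` decisions for these six ids are in 878dbd1b above.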
@@ -401,12 +489,12 @@ CVE-2022-24131
RESERVED
 CVE-2022-21170
RESERVED
-CVE-2022-0419
-   RESERVED
+CVE-2022-0419 (NULL Pointer Dereference in NPM radare2.js prior to 6.0.0. ...)
+   TODO: check
 CVE-2022-0418
RESERVED
-CVE-2022-0417
-   RESERVED
+CVE-2022-0417 (Heap-based Buffer Overflow in Conda vim prior to 8.2. ...)
+   TODO: check
 CVE-2022-0416
RESERVED
 CVE-2022-0415
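Review bot: of the two ids that gain descriptions here, CVE-2022-0419 (an NPM package) is a routine `NOT-FOR-US` candidate, while CVE-2022-0417 is a vim heap overflow and needs real triage because vim is packaged. Its description still says `Conda vim`, the same feed wording this update corrects to `GitHub repository vim/vim` for CVE-2022-0413 and CVE-2022-0408 below, so expect a further description change for it.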
@@ -457,7 +545,7 @@ CVE-2021-46657 (get_sort_by_table in MariaDB before 10.6.2 
allows an application
NOTE: Fixed in MariaDB: 10.2.39, 10.3.30, 10.4.20, 10.5.11, 10.6.2
 CVE-2022-0414 (Business Logic Errors in Packagist dolibarr/dolibarr prior to 
16.0. ...)
- dolibarr 
-CVE-2022-0413 (Use After Free in Conda vim prior to 8.2. ...)
+CVE-2022-0413 (Use After Free in GitHub repository vim/vim prior to 8.2. ...)
- vim 
[bullseye] - vim  (Minor issue)
[buster] - vim  (Minor issue)
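Review bot: `- vim ` and `[bullseye] - vim  (Minor issue)` show an empty field where the tracker's state token sits; the angle-bracket tokens the file uses in that position (`<unfixed>`, `<no-dsa>`) have been stripped by the mail rendering, and the same applies to every `- package ` line with a trailing space in this batch. The hunk as shown is therefore not a byte-exact copy of data/CVE/list; anyone reproducing the entry format should take it from the repository rather than from this archive.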
@@ -494,7 +582,7 @@ CVE-2022-24113
RESERVED
 CVE-2022-0409
RESERVED
-CVE-2022-0408 (Stack-based Buffer Overflow in Conda vim prior to 8.2. ...)
+CVE-2022-0408 (Stack-based Buffer Overflow in GitHub repository vim/vim prior 
to 8.2. ...)
- vim 
[bullseye] - vim  (Minor issue)
[buster] - vim  (Minor issue)
@@ -518,8 +606,8 @@ CVE-2022-0403
RESERVED
 CVE-2022-0402
RESERVED
-CVE-2022-0401
-   RESERVED
+CVE-2022-0401 (Path Traversal in NPM w-zip prior to 1.0.12. ...)
+   TODO: check
 CVE-2022-0400 [Out of bounds read in the smc protocol stack]
RESERVED
- linux 
@@ -1840,6 +1928,7 @@ CVE-2022-23834
RESERVED
 CVE-2022-23833
RESERVED
+   {DLA-2906-1}
- python-django  (bug #1004752)
NOTE: 
https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
NOTE: 
https://github.com/django/django/commit/fc18f36c4ab94399366ca2f2007b3692559a6f23
 (main)
@@ -2013,8 +2102,8 @@ CVE-2022-0322 [DoS in sctp_addto_chunk in 
net/sctp/sm_make_chunk.c]
NOTE: 
https://git.kernel.org/linus/a2d859e3fc97e79d907761550dbc03ff1b36479c (5.15-rc6)
 CVE-2022-0321
RESERVED
-CVE-2022-0320
-   

[Git][security-tracker-team/security-tracker][master] Reserve DLA-2906-1 for python-django.

2022-02-01 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ebdc2a87 by Chris Lamb at 2022-02-01T10:21:42-08:00
Reserve DLA-2906-1 for python-django.

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[01 Feb 2022] DLA-2906-1 python-django - security update
+   {CVE-2022-22818 CVE-2022-23833}
+   [stretch] - python-django 1:1.10.7-2+deb9u15
 [31 Jan 2022] DLA-2905-1 apache-log4j1.2 - security update
{CVE-2021-4104 CVE-2022-23302 CVE-2022-23305 CVE-2022-23307}
[stretch] - apache-log4j1.2 1.2.17-7+deb9u2


=
data/dla-needed.txt
=
@@ -81,8 +81,6 @@ pgbouncer
 pjproject (Abhijith PA)
   NOTE: 20211230: patch available for the no-dsa issue, check its NOTE (pochu)
 --
-python-django (Chris Lamb)
---
 python2.7 (Anton)
   NOTE: 20220112: 3 postponed CVEs (Beuc)
   NOTE: 20220124: WIP



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ebdc2a87397cdb4bfca6d9f803e1688d8bccf423



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage python-django for stretch LTS (CVE-2022-22818 &...

2022-02-01 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
55cb8e04 by Chris Lamb at 2022-02-01T09:20:43-08:00
data/dla-needed.txt: Triage python-django for stretch LTS (CVE-2022-22818 &
CVE-2022-23833) and self-assign; am maintainer in Debian.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -81,6 +81,8 @@ pgbouncer
 pjproject (Abhijith PA)
   NOTE: 20211230: patch available for the no-dsa issue, check its NOTE (pochu)
 --
+python-django (Chris Lamb)
+--
 python2.7 (Anton)
   NOTE: 20220112: 3 postponed CVEs (Beuc)
   NOTE: 20220124: WIP



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55cb8e0424f163a3cff520b8facc5a802a6c9dd8



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for python-django issues

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bb7f502c by Salvatore Bonaccorso at 2022-02-01T18:10:49+01:00
Add Debian bug reference for python-django issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1840,7 +1840,7 @@ CVE-2022-23834
RESERVED
 CVE-2022-23833
RESERVED
-   - python-django 
+   - python-django  (bug #1004752)
NOTE: 
https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
NOTE: 
https://github.com/django/django/commit/fc18f36c4ab94399366ca2f2007b3692559a6f23
 (main)
NOTE: 
https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9
 (4.0.2)
@@ -5138,7 +5138,7 @@ CVE-2022-22819
RESERVED
 CVE-2022-22818
RESERVED
-   - python-django 
+   - python-django  (bug #1004752)
NOTE: 
https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
NOTE: 
https://github.com/django/django/commit/394517f07886495efcf79f95c7ee402a9437bd68
 (main)
NOTE: 
https://github.com/django/django/commit/01422046065d2b51f8f613409cad2c81b39487e5
 (4.0.2)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb7f502c1d46e8eaac3132abafb3004ff66da85f



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-23833/python-django

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8360b8e5 by Salvatore Bonaccorso at 2022-02-01T17:23:12+01:00
Add CVE-2022-23833/python-django

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1840,6 +1840,12 @@ CVE-2022-23834
RESERVED
 CVE-2022-23833
RESERVED
+   - python-django 
+   NOTE: 
https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
+   NOTE: 
https://github.com/django/django/commit/fc18f36c4ab94399366ca2f2007b3692559a6f23
 (main)
+   NOTE: 
https://github.com/django/django/commit/f9c7d48fdd6f198a6494a9202f90242f176e4fc9
 (4.0.2)
+   NOTE: 
https://github.com/django/django/commit/d16133568ef9c9b42cb7a08bdf9ff3feec2e5468
 (3.2.12)
+   NOTE: 
https://github.com/django/django/commit/c477b761804984c932704554ad35f78a2e230c6a
 (2.2.27)
 CVE-2022-23832
RESERVED
 CVE-2022-23831



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8360b8e57aacfa1ea7e29ad2b69cc1ef02ff3072



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-22818/python-django

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
da394951 by Salvatore Bonaccorso at 2022-02-01T17:21:49+01:00
Add CVE-2022-22818/python-django

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5132,6 +5132,12 @@ CVE-2022-22819
RESERVED
 CVE-2022-22818
RESERVED
+   - python-django 
+   NOTE: 
https://www.djangoproject.com/weblog/2022/feb/01/security-releases/
+   NOTE: 
https://github.com/django/django/commit/394517f07886495efcf79f95c7ee402a9437bd68
 (main)
+   NOTE: 
https://github.com/django/django/commit/01422046065d2b51f8f613409cad2c81b39487e5
 (4.0.2)
+   NOTE: 
https://github.com/django/django/commit/1a1e8278c46418bde24c86a65443b0674bae65e2
 (3.2.12)
+   NOTE: 
https://github.com/django/django/commit/c27a7eb9f40b64990398978152e62b6ff839c2e6
 (2.2.27)
 CVE-2022-22817 (PIL.ImageMath.eval in Pillow before 9.0.0 allows evaluation of 
arbitra ...)
{DSA-5053-1 DLA-2893-1}
- pillow 9.0.0-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da3949515adcd51c7d403487b3ee4e82e8165d1d



[Git][security-tracker-team/security-tracker][master] 2 commits: Add expat to dsa-needed list

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
777398fb by Salvatore Bonaccorso at 2022-02-01T17:14:52+01:00
Add expat to dsa-needed list

- - - - -
728d8104 by Salvatore Bonaccorso at 2022-02-01T17:15:16+01:00
Take expat from dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -19,6 +19,8 @@ condor
 cryptsetup/stable (corsac)
   Maintainer is proposing updates, to be checked further procedure
 --
+expat (carnil)
+--
 faad2/oldstable (jmm)
 --
 librecad



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fe84de825ea043392c3ef0056c2632e4c9b13649...728d8104cf3d7cbe68b4c5ed0fb5c172fa8a5720



[Git][security-tracker-team/security-tracker][master] Tentatively take samba from dsa-needed list

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fe84de82 by Salvatore Bonaccorso at 2022-02-01T17:10:55+01:00
Tentatively take samba from dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -52,7 +52,7 @@ ruby2.7/stable
 --
 runc
 --
-samba
+samba (carnil)
 --
 trafficserver (jmm)
   wait until status for CVE-2021-38161 is clarified (upstream patch got 
reverted)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe84de825ea043392c3ef0056c2632e4c9b13649



[Git][security-tracker-team/security-tracker][master] 3 commits: remove-cve-dist-tags: remove empty CVE entries

2022-02-01 Thread Emilio Pozuelo Monfort (@pochu)


Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a8106732 by Emilio Pozuelo Monfort at 2022-02-01T16:16:50+01:00
remove-cve-dist-tags: remove empty CVE entries

This can happen in ExtendFiles if they only contain dist tags
that are being removed.

- - - - -
47e07c9c by Emilio Pozuelo Monfort at 2022-02-01T16:16:50+01:00
gen-DSA: sanitize DISTS var after calculating it

Rather than have every user have to do it.

- - - - -
63516a0c by Emilio Pozuelo Monfort at 2022-02-01T16:16:50+01:00
gen-DSA: diff and commit changes to extracvefile

In case we're processing a dist that uses an ExtendFile.

- - - - -


2 changed files:

- bin/gen-DSA
- bin/remove-cve-dist-tags


Changes:

=
bin/gen-DSA
=
@@ -372,8 +372,10 @@ for dist in $CODENAMES; do
 [ -z "$version" ] || DISTS="${DISTS},${dist}"
 done
 
+DISTS="${DISTS#,}"
+
 if [ -n "${DISTS}" ]; then
-bin/remove-cve-dist-tags "${DISTS#,}" "${PACKAGE}" ${CVE}
+bin/remove-cve-dist-tags "${DISTS}" "${PACKAGE}" ${CVE}
 fi
 
 if ! $save; then
@@ -412,9 +414,12 @@ EOF
 echo "$IDMODE text written to ./$IDMODE-$DAID"
 if [ "$IDMODE" = "DLA" ] || [ "$IDMODE" = "ELA" ]; then
idmode=$(echo "$IDMODE" | tr A-Z a-z)
+   if [ -n "${DISTS}" ]; then
+   extracvefile=`jq -r ".distributions.${DISTS}.maincvefile" 
data/config.json`
+   fi
if [ -d .git ]; then
echo "Made the following changes:"
-   git diff -- data/$IDMODE/list data/CVE/list $needed_file
+   git diff -- data/$IDMODE/list data/CVE/list $extracvefile 
$needed_file
if ! git diff-index --name-only HEAD -- $needed_file | grep -qs . 
&& [ $TYPE = security ]; then
warn "did not make any changes to $needed_file - this may 
indicate duplicate work or misspelled package name"
fi
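Review bot: the `extracvefile=` lookup added in this hunk cannot handle a multi-dist `DISTS`. The loop in the previous hunk builds `DISTS` as a comma-separated list (`DISTS="${DISTS},${dist}"`), so with two codenames the filter becomes something like `.distributions.buster,bullseye.maincvefile`, which jq fails to compile instead of returning a path. Guard the lookup with a single-dist check, or loop over the codenames and collect one file per dist. Two smaller points on the same line: it uses backticks where the surrounding code uses `$(...)` (`idmode=$(echo "$IDMODE" | tr A-Z a-z)` two lines above), and when a dist has no `maincvefile` key `jq -r` prints the literal string `null`, so the filter should end in `// empty` so that `extracvefile` stays empty in that case.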
@@ -424,7 +429,7 @@ EOF
echo -n "Do you want to commit and push them now ? [Yn] "
read reply
if [ "$reply" = "Y" ] || [ "$reply" = "" ] || [ "$reply" = "y" ]; 
then
-   git add data/$IDMODE/list data/CVE/list $needed_file
+   git add data/$IDMODE/list data/CVE/list $extracvefile 
$needed_file
git commit -m "Reserve $IDMODE-$DAID for $PACKAGE"
git push origin master
fi
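Review bot: `git add data/$IDMODE/list data/CVE/list $extracvefile $needed_file` is where a bad `extracvefile` value turns into a failed commit. The `git diff --` call above tolerates a pathspec that matches nothing, but `git add` aborts with a pathspec error, and the `jq -r` assignment earlier in the script can leave `extracvefile` set to the literal string `null` when the key is missing. Either make that assignment guarantee a real path or an empty string, or test `[ -f "$extracvefile" ]` before including it here.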


=
bin/remove-cve-dist-tags
=
@@ -56,6 +56,12 @@ for cve in data:
 if keep_annotation(cve, annotation)
 )
 cve = cve._replace(annotations=annotations)
+if not cve.annotations:
+# this shouldn't happen on a normal CVE file as we're only removing
+# the dist specific tags, but it may happen in an ExtendFile, in
+# which case we don't want to keep an empty CVE entry
+continue
+
 new_data.append(cve)
 
 with open(main_list, 'w') as f:
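Review bot: the early `continue` discards an entry without leaving any trace. Since the comment says this is only expected for an ExtendFile, a one-line message to stderr naming the dropped CVE would let whoever runs gen-DSA confirm which entries vanished instead of discovering it from the `git diff` output. The extra `+` blank line before `new_data.append(cve)` is also an unrelated whitespace change.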



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d18f65e690cc218bcda4fc715d57a61082664af7...63516a0cf95e2d6a5b43cfceb44e48c0e0572825



[Git][security-tracker-team/security-tracker][master] Add note for ruby2.{5,7} in dsa-needed

2022-02-01 Thread Utkarsh Gupta (@utkarsh)


Utkarsh Gupta pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d18f65e6 by Utkarsh Gupta at 2022-02-01T17:49:18+05:30
Add note for ruby2.{5,7} in dsa-needed

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -43,10 +43,12 @@ rpki-client/stable
   new 7.6 release required libretls, which isn't in Bullseye
 --
 ruby2.5/oldstable
-  Maintainer is preparing updates
+  Utkarsh proposed the update for fixing CVE-2021-31799, CVE-2021-32066,
+  CVE-2021-31810, CVE-2021-41817, CVE-2021-41819, and CVE-2021-28965.
 --
 ruby2.7/stable
-  Maintainer is preparing updates
+  Utkarsh proposed the update for fixing CVE-2021-41816, CVE-2021-41817,
+  and CVE-2021-41819.
 --
 runc
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d18f65e690cc218bcda4fc715d57a61082664af7



[Git][security-tracker-team/security-tracker][master] Update information for CVE-2020-1986{0,1}/ldns

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0597c2e3 by Salvatore Bonaccorso at 2022-02-01T13:10:51+01:00
Update information for CVE-2020-1986{0,1}/ldns

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -107249,12 +107249,13 @@ CVE-2020-19861 (When a zone file in ldns 1.7.1 is 
parsed, the function ldns_nsec
[bullseye] - ldns  (Minor issue)
[buster] - ldns  (Minor issue)
NOTE: https://github.com/NLnetLabs/ldns/issues/51
+   NOTE: 
https://github.com/NLnetLabs/ldns/commit/136ec420437041fe13f344a2053e774f9050cc38
 (1.8.0-rc.1)
 CVE-2020-19860 (When ldns version 1.7.1 verifies a zone file, the 
ldns_rr_new_frm_str_ ...)
- ldns 
[bullseye] - ldns  (Minor issue)
[buster] - ldns  (Minor issue)
NOTE: https://github.com/NLnetLabs/ldns/issues/50
-   NOTE: 
https://github.com/NLnetLabs/ldns/commit/15d96206996bea969fbc918eb0a4a346f514b9f3
+   NOTE: 
https://github.com/NLnetLabs/ldns/commit/15d96206996bea969fbc918eb0a4a346f514b9f3
 (1.8.0-rc.1)
 CVE-2020-19859
RESERVED
 CVE-2020-19858 (Platinum Upnp SDK through 1.2.0 has a directory traversal 
vulnerabilit ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0597c2e3ef7b6591588fae4a3af756d74a0b117f



[Git][security-tracker-team/security-tracker][master] NFUs

2022-02-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
93788507 by Moritz Muehlenhoff at 2022-02-01T13:08:55+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -418,6 +418,7 @@ CVE-2022-24130 (xterm through Patch 370, when Sixel support 
is enabled, allows a
NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/3
 CVE-2022-24129
RESERVED
+   NOT-FOR-US: Shibboleth identity provider OIDC OP plugin
 CVE-2022-24128
RESERVED
 CVE-2022-24127
@@ -23107,6 +23108,7 @@ CVE-2021-41572
RESERVED
 CVE-2021-41571
RESERVED
+   NOT-FOR-US: Apache Pulsar
 CVE-2021-41570
RESERVED
 CVE-2021-41569 (SAS/Intrnet 9.4 build 1520 and earlier allows Local File 
Inclusion. Th ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93788507a9f01241ac9cb31222aa790245d444f5



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46661/mariadb

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
46b7a860 by Salvatore Bonaccorso at 2022-02-01T10:59:36+01:00
Add CVE-2021-46661/mariadb

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -56,7 +56,10 @@ CVE-2021-46662 (MariaDB through 10.5.9 allows a set_var.cc 
application crash via
NOTE: https://jira.mariadb.org/browse/MDEV-22464
NOTE: Fixed in MariaDB: 10.3.32, 10.4.22, 10.5.13, 10.6.5
 CVE-2021-46661 (MariaDB through 10.5.9 allows an application crash in 
find_field_in_ta ...)
-   TODO: check
+   - mariadb-10.6 
+   - mariadb-10.5 
+   - mariadb-10.3 
+   NOTE: https://jira.mariadb.org/browse/MDEV-25766
 CVE-2021-4218
RESERVED
 CVE-2022-24282



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46b7a8600a8ded68bee447bab2006c1559ec4dc6



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46662/mariadb

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
165a00cd by Salvatore Bonaccorso at 2022-02-01T10:58:29+01:00
Add CVE-2021-46662/mariadb

- - - - -


2 changed files:

- data/CVE/list
- data/next-point-update.txt


Changes:

=
data/CVE/list
=
@@ -49,7 +49,12 @@ CVE-2021-46663 (MariaDB through 10.5.13 allows a 
ha_maria::extra application cra
- mariadb-10.3 
NOTE: https://jira.mariadb.org/browse/MDEV-26351
 CVE-2021-46662 (MariaDB through 10.5.9 allows a set_var.cc application crash 
via certa ...)
-   TODO: check
+   - mariadb-10.6 1:10.6.5-1
+   - mariadb-10.5 
+   - mariadb-10.3 
+   NOTE: https://jira.mariadb.org/browse/MDEV-25637
+   NOTE: https://jira.mariadb.org/browse/MDEV-22464
+   NOTE: Fixed in MariaDB: 10.3.32, 10.4.22, 10.5.13, 10.6.5
 CVE-2021-46661 (MariaDB through 10.5.9 allows an application crash in 
find_field_in_ta ...)
TODO: check
 CVE-2021-4218


=
data/next-point-update.txt
=
@@ -10,6 +10,8 @@ CVE-2021-35604
[bullseye] - mariadb-10.5 1:10.5.13-0+deb11u1
 CVE-2021-46667
[bullseye] - mariadb-10.5 1:10.5.13-0+deb11u1
+CVE-2021-46662
+   [bullseye] - mariadb-10.5 1:10.5.13-0+deb11u1
 CVE-2021-44917
[bullseye] - gnuplot 5.4.1+dfsg1-1+deb11u1
 CVE-2021-45379



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/165a00cd6a79677b7b7855f648b7827284eda530



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46663/mariadb

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
257b307f by Salvatore Bonaccorso at 2022-02-01T10:55:17+01:00
Add CVE-2021-46663/mariadb

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -44,7 +44,10 @@ CVE-2021-46664 (MariaDB through 10.5.9 allows an application 
crash in sub_select
- mariadb-10.3 
NOTE: https://jira.mariadb.org/browse/MDEV-25761
 CVE-2021-46663 (MariaDB through 10.5.13 allows a ha_maria::extra application 
crash via ...)
-   TODO: check
+   - mariadb-10.6 
+   - mariadb-10.5 
+   - mariadb-10.3 
+   NOTE: https://jira.mariadb.org/browse/MDEV-26351
 CVE-2021-46662 (MariaDB through 10.5.9 allows a set_var.cc application crash 
via certa ...)
TODO: check
 CVE-2021-46661 (MariaDB through 10.5.9 allows an application crash in 
find_field_in_ta ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/257b307febb81acbec83a4ab25aa0e8f0d116778



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46664/mariadb

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6dece12b by Salvatore Bonaccorso at 2022-02-01T10:53:59+01:00
Add CVE-2021-46664/mariadb

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -39,7 +39,10 @@ CVE-2021-46665 (MariaDB through 10.5.9 allows a sql_parse.cc 
application crash b
- mariadb-10.3 
NOTE: https://jira.mariadb.org/browse/MDEV-25636
 CVE-2021-46664 (MariaDB through 10.5.9 allows an application crash in 
sub_select_postj ...)
-   TODO: check
+   - mariadb-10.6 
+   - mariadb-10.5 
+   - mariadb-10.3 
+   NOTE: https://jira.mariadb.org/browse/MDEV-25761
 CVE-2021-46663 (MariaDB through 10.5.13 allows a ha_maria::extra application 
crash via ...)
TODO: check
 CVE-2021-46662 (MariaDB through 10.5.9 allows a set_var.cc application crash 
via certa ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6dece12be08675daf313c16799e2446b6d7485d8



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46665/mariadb

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
953063e0 by Salvatore Bonaccorso at 2022-02-01T10:53:02+01:00
Add CVE-2021-46665/mariadb

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -34,7 +34,10 @@ CVE-2021-4 (MariaDB before 10.6.2 allows an application 
crash because of mis
NOTE: https://jira.mariadb.org/browse/MDEV-25635
NOTE: Fixed in MariaDB: 10.2.39, 10.3.30, 10.4.20, 10.5.11, 10.6.2
 CVE-2021-46665 (MariaDB through 10.5.9 allows a sql_parse.cc application crash 
because ...)
-   TODO: check
+   - mariadb-10.6 
+   - mariadb-10.5 
+   - mariadb-10.3 
+   NOTE: https://jira.mariadb.org/browse/MDEV-25636
 CVE-2021-46664 (MariaDB through 10.5.9 allows an application crash in 
sub_select_postj ...)
TODO: check
 CVE-2021-46663 (MariaDB through 10.5.13 allows a ha_maria::extra application 
crash via ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/953063e075ccfb348091ed401bee2324e049acb7



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46666/mariadb

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
50e23d69 by Salvatore Bonaccorso at 2022-02-01T10:49:04+01:00
Add CVE-2021-46666/mariadb

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -27,7 +27,12 @@ CVE-2021-46667 (MariaDB before 10.6.5 has a sql_lex.cc 
integer overflow, leading
NOTE: https://jira.mariadb.org/browse/MDEV-26350
NOTE: Fixed in MariaDB: 10.2.41, 10.3.32, 10.4.22, 10.5.13, 10.6.5
 CVE-2021-4 (MariaDB before 10.6.2 allows an application crash because of 
mishandli ...)
-   TODO: check
+   - mariadb-10.6  (Fixed before initial upload to Debian)
+   - mariadb-10.5 1:10.5.11-1
+   - mariadb-10.3 
+   [buster] - mariadb-10.3 1:10.3.31-0+deb10u1
+   NOTE: https://jira.mariadb.org/browse/MDEV-25635
+   NOTE: Fixed in MariaDB: 10.2.39, 10.3.30, 10.4.20, 10.5.11, 10.6.2
 CVE-2021-46665 (MariaDB through 10.5.9 allows a sql_parse.cc application crash 
because ...)
TODO: check
 CVE-2021-46664 (MariaDB through 10.5.9 allows an application crash in 
sub_select_postj ...)
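Review bot: the identifier in this hunk reads `CVE-2021-4` while the message subject is `Add CVE-2021-46666/mariadb`; the missing digits are a rendering artifact of the archive, so `CVE-2021-4` must not be read as a real id. The data itself is consistent: `[buster] - mariadb-10.3 1:10.3.31-0+deb10u1` is at or above the 10.3.30 listed in `NOTE: Fixed in MariaDB: 10.2.39, 10.3.30, 10.4.20, 10.5.11, 10.6.2`, and marking mariadb-10.6 as fixed before its initial upload agrees with the 10.6.2 fix version.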



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50e23d69e5921797302126a622ae3f83d56a7d5d



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46667/mariadb

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
08808dd4 by Salvatore Bonaccorso at 2022-02-01T10:46:05+01:00
Add CVE-2021-46667/mariadb

- - - - -


2 changed files:

- data/CVE/list
- data/next-point-update.txt


Changes:

=
data/CVE/list
=
@@ -21,7 +21,11 @@ CVE-2021-46668 (MariaDB through 10.5.9 allows an application 
crash via certain l
- mariadb-10.3 
NOTE: https://jira.mariadb.org/browse/MDEV-25787
 CVE-2021-46667 (MariaDB before 10.6.5 has a sql_lex.cc integer overflow, 
leading to an ...)
-   TODO: check
+   - mariadb-10.6 1:10.6.5-1
+   - mariadb-10.5 
+   - mariadb-10.3 
+   NOTE: https://jira.mariadb.org/browse/MDEV-26350
+   NOTE: Fixed in MariaDB: 10.2.41, 10.3.32, 10.4.22, 10.5.13, 10.6.5
 CVE-2021-4 (MariaDB before 10.6.2 allows an application crash because of 
mishandli ...)
TODO: check
 CVE-2021-46665 (MariaDB through 10.5.9 allows a sql_parse.cc application crash 
because ...)


=
data/next-point-update.txt
=
@@ -8,6 +8,8 @@ CVE-2021-41270
[bullseye] - symfony 4.4.19+dfsg-2+deb11u1
 CVE-2021-35604
[bullseye] - mariadb-10.5 1:10.5.13-0+deb11u1
+CVE-2021-46667
+   [bullseye] - mariadb-10.5 1:10.5.13-0+deb11u1
 CVE-2021-44917
[bullseye] - gnuplot 5.4.1+dfsg1-1+deb11u1
 CVE-2021-45379



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/08808dd44d31132557cb612f41a76240c579a271



[Git][security-tracker-team/security-tracker][master] NFUs

2022-02-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1a2f3607 by Moritz Muehlenhoff at 2022-02-01T10:42:25+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -102,13 +102,13 @@ CVE-2022-24268
 CVE-2022-24267
RESERVED
 CVE-2022-24266 (Cuppa CMS v1.0 was discovered to contain a SQL injection 
vulnerability ...)
-   TODO: check
+   NOT-FOR-US: Cuppa CMS
 CVE-2022-24265 (Cuppa CMS v1.0 was discovered to contain a SQL injection 
vulnerability ...)
-   TODO: check
+   NOT-FOR-US: Cuppa CMS
 CVE-2022-24264 (Cuppa CMS v1.0 was discovered to contain a SQL injection 
vulnerability ...)
-   TODO: check
+   NOT-FOR-US: Cuppa CMS
 CVE-2022-24263 (Hospital Management System v4.0 was discovered to contain a 
SQL inject ...)
-   TODO: check
+   NOT-FOR-US: Hospital Management System
 CVE-2022-24262
RESERVED
 CVE-2022-24261
@@ -1362,7 +1362,7 @@ CVE-2022-23874
 CVE-2022-23873
RESERVED
 CVE-2022-23872 (Emlog pro v1.1.1 was discovered to contain a stored cross-site 
scripti ...)
-   TODO: check
+   NOT-FOR-US: Emlog pro
 CVE-2022-23871
RESERVED
 CVE-2022-23870
@@ -2011,7 +2011,7 @@ CVE-2022-23776
 CVE-2022-23775
RESERVED
 CVE-2022-23774 (Docker Desktop before 4.4.4 on Windows allows attackers to 
move arbitr ...)
-   TODO: check
+   NOT-FOR-US: Docker Desktop
 CVE-2022-23773
RESERVED
 CVE-2022-23772
@@ -2364,9 +2364,9 @@ CVE-2022-23601 [CSRF token missing in forms]
 CVE-2022-23600
RESERVED
 CVE-2022-23599 (Products.ATContentTypes are the core content types for Plone 
2.1 - 4.3 ...)
-   TODO: check
+   NOT-FOR-US: Plone
 CVE-2022-23598 (laminas-form is a package for validating and displaying simple 
and com ...)
-   TODO: check
+   NOT-FOR-US: laminas-form
 CVE-2022-23597
RESERVED
 CVE-2022-23596
@@ -3129,11 +3129,11 @@ CVE-2022-0272
 CVE-2022-0271
RESERVED
 CVE-2022-0270 (Prior to v0.6.1, bored-agent failed to sanitize incoming 
kubernetes im ...)
-   TODO: check
+   NOT-FOR-US: bored-agent
 CVE-2022-0269 (Cross-Site Request Forgery (CSRF) in Packagist 
yetiforce/yetiforce-crm ...)
NOT-FOR-US: yetiforce-crm
 CVE-2022-0268 (Cross-site Scripting (XSS) - Stored in Packagist getgrav/grav 
prior to ...)
-   TODO: check
+   NOT-FOR-US: Grav CMS
 CVE-2022-0267
RESERVED
 CVE-2021-46399
@@ -3768,7 +3768,7 @@ CVE-2022-0221
 CVE-2022-0220
RESERVED
 CVE-2022-0219 (Improper Restriction of XML External Entity Reference in GitHub 
reposi ...)
-   TODO: check
+   NOT-FOR-US: jadx
 CVE-2022-0218
RESERVED
 CVE-2022-0216
@@ -5100,7 +5100,7 @@ CVE-2022-22822 (addBinding in xmlparse.c in Expat (aka 
libexpat) before 2.4.3 ha
 CVE-2022-22821 (NVIDIA NeMo before 1.6.0 contains a vulnerability in ASR 
WebApp, in wh ...)
NOT-FOR-US: NVIDIA NeMo
 CVE-2022-22820 (Due to the lack of media file checks before rendering, it was 
possible ...)
-   TODO: check
+   NOT-FOR-US: LINE
 CVE-2022-22819
RESERVED
 CVE-2022-22818
@@ -5173,9 +5173,9 @@ CVE-2022-22793
 CVE-2022-22792
RESERVED
 CVE-2022-22791 (SYNEL - eharmony Authenticated Blind  Stored XSS. Inject 
JS code  ...)
-   TODO: check
+   NOT-FOR-US: SYNEL
 CVE-2022-22790 (SYNEL - eharmony Directory Traversal. Directory Traversal - is 
an atta ...)
-   TODO: check
+   NOT-FOR-US: SYNEL
 CVE-2022-22789 (Charactell - FormStorm Enterprise Account takeover  An 
attacker ...)
NOT-FOR-US: Charactell - FormStorm Enterprise
 CVE-2022-22788
@@ -6692,7 +6692,7 @@ CVE-2021-46104 (An issue was discovered in webp_server_go 
0.4.0. There is a dire
 CVE-2021-46103
RESERVED
 CVE-2021-46102 (From version 0.2.14 to 0.2.16 for Solana rBPF, function 
"relocate" in  ...)
-   TODO: check
+   NOT-FOR-US: Solana rBBP
 CVE-2021-46101 (In Git for windows through 2.34.1 when using git pull to 
update the lo ...)
TODO: check
 CVE-2021-46100
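Review bot: typo in the new annotation: `NOT-FOR-US: Solana rBBP` should read `Solana rBPF`, matching the product name in the description line directly above it. The adjacent CVE-2021-46101 (Git for Windows) stays at `TODO: check` in this hunk; if that is deliberate, fine, but it looks like the same class of non-Debian product and may warrant a look in the same triage pass.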
@@ -6728,9 +6728,9 @@ CVE-2021-46086 (xzs-mysql = t3.4.0 is vulnerable to 
Insecure Permissions. Th
 CVE-2021-46085 (OneBlog = 2.2.8 is vulnerable to Insecure Permissions. Low 
level a ...)
NOT-FOR-US: OneBlog
 CVE-2021-46084 (uscat, as of 2021-12-28, is vulnerable to Cross Site Scripting 
(XSS) v ...)
-   TODO: check
+   NOT-FOR-US: uscat
 CVE-2021-46083 (uscat, as of 2021-12-28, is vulnerable to Cross Site Scripting 
(XSS) v ...)
-   TODO: check
+   NOT-FOR-US: uscat
 CVE-2021-46082
RESERVED
 CVE-2021-46081



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1a2f3607f40efe2c1f4387198542fbb4f4f3709e


[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46668/mariadb

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2e080086 by Salvatore Bonaccorso at 2022-02-01T10:40:27+01:00
Add CVE-2021-46668/mariadb

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16,7 +16,10 @@ CVE-2021-46669 (MariaDB through 10.5.9 allows attackers to 
trigger a convert_con
- mariadb-10.3 
NOTE: https://jira.mariadb.org/browse/MDEV-25638
 CVE-2021-46668 (MariaDB through 10.5.9 allows an application crash via certain 
long SE ...)
-   TODO: check
+   - mariadb-10.6 
+   - mariadb-10.5 
+   - mariadb-10.3 
+   NOTE: https://jira.mariadb.org/browse/MDEV-25787
 CVE-2021-46667 (MariaDB before 10.6.5 has a sql_lex.cc integer overflow, 
leading to an ...)
TODO: check
 CVE-2021-4 (MariaDB before 10.6.2 allows an application crash because of 
mishandli ...)
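Review bot: all three mariadb entries (10.6, 10.5, 10.3) for CVE-2021-46668 are added without a fixed version and the only reference is the MDEV-25787 ticket; other MariaDB entries in this file carry a `NOTE: Fixed in MariaDB: ...` line, and without one here a reader cannot tell which upstream release closes the issue. Add that note, or state explicitly that no upstream fix exists yet, so the entry is self-explanatory.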



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e080086bb182def901bc92eb8dff478037623b9



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46669/mariadb

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
150627c4 by Salvatore Bonaccorso at 2022-02-01T10:38:11+01:00
Add CVE-2021-46669/mariadb

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -11,7 +11,10 @@ CVE-2022-0437
 CVE-2022-0436
RESERVED
 CVE-2021-46669 (MariaDB through 10.5.9 allows attackers to trigger a 
convert_const_to_ ...)
-   TODO: check
+   - mariadb-10.6 
+   - mariadb-10.5 
+   - mariadb-10.3 
+   NOTE: https://jira.mariadb.org/browse/MDEV-25638
 CVE-2021-46668 (MariaDB through 10.5.9 allows an application crash via certain 
long SE ...)
TODO: check
 CVE-2021-46667 (MariaDB before 10.6.5 has a sql_lex.cc integer overflow, 
leading to an ...)
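Review bot: same pattern as the other MariaDB additions: three package entries with no fixed version and a bare link to MDEV-25638. The description says "through 10.5.9", so a `NOTE: Fixed in MariaDB: ...` line giving the first fixed releases (or a statement that the ticket is still open upstream) would let the bullseye mariadb-10.5 1:10.5.13 line in data/next-point-update.txt be checked against it.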



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/150627c4feaf57b9a1e503e0e76652bfe805349b



[Git][security-tracker-team/security-tracker][master] NFU

2022-02-01 Thread Henri Salo (@hsalo-guest)


Henri Salo pushed to branch master at Debian Security Tracker / security-tracker


Commits:
46c238ac by Henri Salo at 2022-02-01T11:15:27+02:00
NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12377,6 +12377,7 @@ CVE-2021-44453 (mySCADA myPRO: Versions 8.20.0 and 
prior has a vulnerable debug
NOT-FOR-US: mySCADA myPRO
 CVE-2021-44451
RESERVED
+   NOT-FOR-US: Apache Superset
 CVE-2021-44450 (A vulnerability has been identified in JT Utilities (All 
versions  ...)
NOT-FOR-US: Siemens
 CVE-2021-9 (A vulnerability has been identified in JT Utilities (All 
versions  ...)
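Review bot: CVE-2021-44451 is still RESERVED, so nothing in this hunk shows why it maps to Apache Superset. Add a `NOTE:` with the source (upstream advisory or commit) under the NOT-FOR-US line so the attribution can be verified once the public description lands.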



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46c238ac902f84385165ba47a44ae46e24e2cee4



[Git][security-tracker-team/security-tracker][master] automatic update

2022-02-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
63bc46fb by security tracker role at 2022-02-01T08:10:17+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,35 @@
+CVE-2022-24286
+   RESERVED
+CVE-2022-24285
+   RESERVED
+CVE-2022-24284
+   RESERVED
+CVE-2022-24283
+   RESERVED
+CVE-2022-0437
+   RESERVED
+CVE-2022-0436
+   RESERVED
+CVE-2021-46669 (MariaDB through 10.5.9 allows attackers to trigger a 
convert_const_to_ ...)
+   TODO: check
+CVE-2021-46668 (MariaDB through 10.5.9 allows an application crash via certain 
long SE ...)
+   TODO: check
+CVE-2021-46667 (MariaDB before 10.6.5 has a sql_lex.cc integer overflow, 
leading to an ...)
+   TODO: check
+CVE-2021-4 (MariaDB before 10.6.2 allows an application crash because of 
mishandli ...)
+   TODO: check
+CVE-2021-46665 (MariaDB through 10.5.9 allows a sql_parse.cc application crash 
because ...)
+   TODO: check
+CVE-2021-46664 (MariaDB through 10.5.9 allows an application crash in 
sub_select_postj ...)
+   TODO: check
+CVE-2021-46663 (MariaDB through 10.5.13 allows a ha_maria::extra application 
crash via ...)
+   TODO: check
+CVE-2021-46662 (MariaDB through 10.5.9 allows a set_var.cc application crash 
via certa ...)
+   TODO: check
+CVE-2021-46661 (MariaDB through 10.5.9 allows an application crash in 
find_field_in_ta ...)
+   TODO: check
+CVE-2021-4218
+   RESERVED
 CVE-2022-24282
RESERVED
 CVE-2022-24281
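Review bot: of the nine MariaDB entries entering as `TODO: check`, CVE-2021-46663 reads "through 10.5.13" while the others read "through 10.5.9" or "before 10.6.x". Since 1:10.5.13 is the version targeted for bullseye elsewhere in this tree, that one should be triaged separately rather than in the same batch, because a fix in 10.5.13 would not cover it.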
@@ -63,14 +95,14 @@ CVE-2022-24268
RESERVED
 CVE-2022-24267
RESERVED
-CVE-2022-24266
-   RESERVED
-CVE-2022-24265
-   RESERVED
-CVE-2022-24264
-   RESERVED
-CVE-2022-24263
-   RESERVED
+CVE-2022-24266 (Cuppa CMS v1.0 was discovered to contain a SQL injection 
vulnerability ...)
+   TODO: check
+CVE-2022-24265 (Cuppa CMS v1.0 was discovered to contain a SQL injection 
vulnerability ...)
+   TODO: check
+CVE-2022-24264 (Cuppa CMS v1.0 was discovered to contain a SQL injection 
vulnerability ...)
+   TODO: check
+CVE-2022-24263 (Hospital Management System v4.0 was discovered to contain a 
SQL inject ...)
+   TODO: check
 CVE-2022-24262
RESERVED
 CVE-2022-24261
@@ -1323,8 +1355,8 @@ CVE-2022-23874
RESERVED
 CVE-2022-23873
RESERVED
-CVE-2022-23872
-   RESERVED
+CVE-2022-23872 (Emlog pro v1.1.1 was discovered to contain a stored cross-site 
scripti ...)
+   TODO: check
 CVE-2022-23871
RESERVED
 CVE-2022-23870
@@ -1972,8 +2004,8 @@ CVE-2022-23776
RESERVED
 CVE-2022-23775
RESERVED
-CVE-2022-23774
-   RESERVED
+CVE-2022-23774 (Docker Desktop before 4.4.4 on Windows allows attackers to 
move arbitr ...)
+   TODO: check
 CVE-2022-23773
RESERVED
 CVE-2022-23772
@@ -5773,6 +5805,7 @@ CVE-2022-22596
 CVE-2022-22595
RESERVED
 CVE-2022-22594 [A cross-origin issue in the IndexDB API was addressed with 
improved input validation]
+   RESERVED
{DSA-5061-1 DSA-5060-1}
- webkit2gtk 2.34.4-1
[stretch] - webkit2gtk  (Not covered by security support in 
stretch)
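Review bot: the `RESERVED` line inserted under CVE-2022-22594 lands inside an entry that already has a bracketed description, `{DSA-5061-1 DSA-5060-1}` and a fixed webkit2gtk version. Everywhere else in this file `RESERVED` is the only line under an untriaged ID, so this placement is inconsistent with the file's layout and should be checked (drop the line, or confirm the tooling intends to keep it alongside triaged data).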
@@ -14030,8 +14063,8 @@ CVE-2022-21661 (WordPress is a free and open-source 
content management system wr
NOTE: 
https://www.zerodayinitiative.com/blog/2022/1/18/cve-2021-21661-exposing-database-info-via-wordpress-sql-injection
 CVE-2022-21660
RESERVED
-CVE-2022-21659
-   RESERVED
+CVE-2022-21659 (Flask-AppBuilder is an application development framework, 
built on top ...)
+   TODO: check
 CVE-2022-21658 (Rust is a multi-paradigm, general-purpose programming language 
designe ...)
- rustc 
NOTE: 
https://github.com/rust-lang/wg-security-response/tree/master/patches/CVE-2022-21658
@@ -46527,7 +46560,7 @@ CVE-2018-25014 (A flaw was found in libwebp in versions 
before 1.0.1. An unitial
- libwebp 0.6.1-2.1
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9496
 CVE-2021-3534
-   RESERVED
+   REJECTED
 CVE-2021-3533 (A flaw was found in Ansible if an ansible user sets 
ANSIBLE_ASYNC_DIR  ...)
- ansible 
[bullseye] - ansible  (Minor issue, revisit when/if fixed 
upstream)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63bc46fb702799e19f85fae65633b0c1604f4ae5

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63bc46fb702799e19f85fae65633b0c1604f4ae5
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits