[Git][security-tracker-team/security-tracker][master] Reserve DLA-2988-1 for tinyxml
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 781acae4 by Thorsten Alteholz at 2022-05-01T00:23:43+02:00 Reserve DLA-2988-1 for tinyxml - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -38554,7 +38554,6 @@ CVE-2021-42260 (TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData:: - tinyxml 2.6.2-6 [bullseye] - tinyxml (Minor issue) [buster] - tinyxml (Minor issue) - [stretch] - tinyxml (Minor issue; can be fixed with the next DLA) NOTE: https://sourceforge.net/p/tinyxml/bugs/141/ NOTE: https://sourceforge.net/p/tinyxml/git/merge-requests/1/ CVE-2021-42259 = data/DLA/list = @@ -1,3 +1,6 @@ +[01 May 2022] DLA-2988-1 tinyxml - security update + {CVE-2021-42260} + [stretch] - tinyxml 2.6.2-4+deb9u1 [30 Apr 2022] DLA-2987-1 libarchive - security update {CVE-2019-19221 CVE-2021-23177 CVE-2021-31566} [stretch] - libarchive 3.2.2-2+deb9u3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/781acae44130039c4b7c4d377e9757f4312527aa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/781acae44130039c4b7c4d377e9757f4312527aa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: LTS: triage ark
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: ff0082e9 by Anton Gladky at 2022-04-30T22:53:49+02:00 LTS: triage ark - - - - - 9bd232ff by Anton Gladky at 2022-04-30T22:53:49+02:00 LTS: triage composer - - - - - 9c460592 by Anton Gladky at 2022-04-30T22:54:14+02:00 LTS: Add programming-language-note to some packages - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -27,6 +27,10 @@ ansible NOTE: 20220427: https://salsa.debian.org/debian/ansible/-/commits/stretch/ -- asterisk + NOTE: 20220424: programming language C +-- +ark + NOTE: 20220424: programming language C -- cgal NOTE: 20220421: many no-dsa issues, please check, whether it is possible to fix them without an uploading of a new upstream release (Anton) 
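Review bot: the new `ark` block in this hunk is inserted after `asterisk`, which breaks the alphabetical ordering that data/dla-needed.txt otherwise keeps (the surrounding context reads `ansible`, `asterisk`, `cgal`); move the `ark` entry and its `--` separator above `asterisk` so the file stays sorted and the package is found where triagers expect it.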
@@ -34,12 +38,24 @@ cgal ckeditor NOTE: 20220402: multiple pendings vulnerabilities (Beuc) -- +composer: + NOTE: 20220424: programming language PHP + NOTE: 20220424: check whether really affected (Anton) +-- debian-security-support (Utkarsh) NOTE: 20220402: need to update the list of unsupported packages (Beuc) NOTE: 20220402: check debian/README.source, sync with h01ger, and announce EOL'd packages (Beuc) NOTE: 20220402: context: https://lists.debian.org/debian-lts/2022/04/msg0.html (Beuc) NOTE: 20220419: backport prepped, will contact Holger for more details. (utkarsh) -- +<<< HEAD +=== +epiphany-browser + NOTE: 20220422: programming language C + NOTE: 20220422: please try to reproduce and be careful with the patch applying. + NOTE: 20220422: It cannot be applied one-to-one, but affected lines can be found. (Anton) +-- +>>> 5e4c78dd14 (LTS: Add programming-language-note to some packages) firmware-nonfree NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fc893a05106bddc33b64ce8870120bb2a7cb5462...9c4605923b7cec141e89dfa3335df724a76971d1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fc893a05106bddc33b64ce8870120bb2a7cb5462...9c4605923b7cec141e89dfa3335df724a76971d1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
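Review bot: this hunk commits unresolved merge-conflict markers into data/dla-needed.txt: the added lines `+<<< HEAD`, `+===` and `+>>> 5e4c78dd14 (LTS: Add programming-language-note to some packages)` wrap the new `epiphany-browser` block. Resolve the conflict and drop those three marker lines, keeping only the `epiphany-browser` entry with its three NOTE lines and `--` separator, otherwise anyone reading or parsing the file will trip over them. Separately, the new `composer:` heading carries a trailing colon that no other package line in the file uses (`ark`, `asterisk`, `cgal`, `ckeditor`); remove the colon for consistency with the rest of the list.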
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fc893a05 by security tracker role at 2022-04-30T20:10:18+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1966,8 +1966,7 @@ CVE-2022-1366 RESERVED CVE-2022-1365 (Exposure of Private Personal Information to an Unauthorized Actor in G ...) NOT-FOR-US: lquixada/cross-fetch -CVE-2022-29265 - RESERVED +CVE-2022-29265 (Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML ...) NOT-FOR-US: Apache NiFi CVE-2022-1364 RESERVED @@ -4442,8 +4441,7 @@ CVE-2022-28325 CVE-2022-28324 RESERVED NOT-FOR-US: Echo MediaWiki extension -CVE-2022-28323 - RESERVED +CVE-2022-28323 (An issue was discovered in MediaWiki through 1.37.2. The SecurePoll ex ...) NOT-FOR-US: SecurePoll MediaWiki extension CVE-2022-28322 RESERVED @@ -26861,6 +26859,7 @@ CVE-2021-45105 (Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12 NOTE: https://issues.apache.org/jira/browse/LOG4J2-3230 CVE-2021-31566 [symbolic links incorrectly followed when changing modes, times, ACL and flags of a file while extracting an archive] RESERVED + {DLA-2987-1} - libarchive 3.5.2-1 (bug #1001990) [bullseye] - libarchive 3.4.3-2+deb11u1 [buster] - libarchive (Minor issue) @@ -26869,6 +26868,7 @@ CVE-2021-31566 [symbolic links incorrectly followed when changing modes, times, NOTE: https://github.com/libarchive/libarchive/commit/e2ad1a2c3064fa9eba6274b3641c4c1beed25c0b (v3.5.2) CVE-2021-23177 [extracting a symlink with ACLs modifies ACLs of target] RESERVED + {DLA-2987-1} - libarchive 3.5.2-1 (bug #1001986) [bullseye] - libarchive 3.4.3-2+deb11u1 [buster] - libarchive (Minor issue) 
@@ -173981,6 +173981,7 @@ CVE-2019-19223 (A Broken Access Control vulnerability in the D-Link DSL-2680 web CVE-2019-19222 (A Stored XSS issue in the D-Link DSL-2680 web administration interface ...) NOT-FOR-US: D-Link CVE-2019-19221 (In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string ...) + {DLA-2987-1} - libarchive 3.4.2-1 (bug #945287) [buster] - libarchive (Minor issue) [jessie] - libarchive (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc893a05106bddc33b64ce8870120bb2a7cb5462 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc893a05106bddc33b64ce8870120bb2a7cb5462 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2987-1 for libarchive
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 5812b1d7 by Thorsten Alteholz at 2022-04-30T19:15:55+02:00 Reserve DLA-2987-1 for libarchive - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -173983,7 +173983,6 @@ CVE-2019-19222 (A Stored XSS issue in the D-Link DSL-2680 web administration int CVE-2019-19221 (In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string ...) - libarchive 3.4.2-1 (bug #945287) [buster] - libarchive (Minor issue) - [stretch] - libarchive (Minor issue) [jessie] - libarchive (Minor issue) NOTE: https://github.com/libarchive/libarchive/commit/22b1db9d46654afc6f0c28f90af8cdc84a199f41 NOTE: https://github.com/libarchive/libarchive/issues/1276 = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Apr 2022] DLA-2987-1 libarchive - security update + {CVE-2019-19221 CVE-2021-23177 CVE-2021-31566} + [stretch] - libarchive 3.2.2-2+deb9u3 [28 Apr 2022] DLA-2986-1 golang-1.8 - security update {CVE-2022-23772 CVE-2022-23806 CVE-2022-24921} [stretch] - golang-1.8 1.8.1-1+deb9u5 = data/dla-needed.txt = 
@@ -77,9 +77,6 @@ kvmtool NOTE: 20220402: stretch-specific, orphaned package (Beuc) NOTE: 20220402: CVE-2021-45464 looks critical, check with upstream for acknowledgments/fixes (Beuc) -- -libarchive (Thorsten Alteholz) - NOTE: 20220423: still testing, some tests still fail --- liblouis (Andreas Rönnquist) NOTE: 20220320: no patch available yet. Reproducible memory leaks with ASAN NOTE: 20220320: and POC. Consider fixing CVE-2018-17294 too. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5812b1d7debbdecbe714b955e937d5eb98a12934 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5812b1d7debbdecbe714b955e937d5eb98a12934 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: picked up subversion coordinating with Roberto C. Sánchez
Enrico Zini pushed to branch master at Debian Security Tracker / security-tracker Commits: a48e11c6 by Enrico Zini at 2022-04-30T18:27:02+02:00 LTS: picked up subversion coordinating with Roberto C. Sánchez - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -155,7 +155,7 @@ sox NOTE: 20220326: CVE-2019-13590 is fixed in git (Anton) NOTE: 20220326: fix for CVE-2021-40426 is not yet available (Anton) -- -subversion (Roberto C. Sánchez) +subversion (enrico) NOTE: 20220422: Upstream's patch for CVE-2021-28544 does not cleanly apply (eg. "copyfrom_path = apr_pstrdup(...)" assignment) NOTE: 20220422: and, once applied manually, appears to break multiple and possibly unrelated parts of the testsuite. (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a48e11c6add6800e6aef3ee27c5c4bc978ef95be -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a48e11c6add6800e6aef3ee27c5c4bc978ef95be You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Triage CVE-2021-3670 in ldb for stretch LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 342e7bfb by Chris Lamb at 2022-04-30T08:48:45-07:00 Triage CVE-2021-3670 in ldb for stretch LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -50065,6 +50065,7 @@ CVE-2021-3670 [MaxQueryDuration not honoured in Samba AD DC LDAP] RESERVED - ldb 2:2.2.3-1 [buster] - ldb (Minor issue) + [stretch] - ldb (Minor issue) - samba 2:4.16.0+dfsg-2 [bullseye] - samba (Minor issue) [buster] - samba (Minor issue; affects Samba as AD DC; cf DSA 5015-1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/342e7bfbb39bc43b492fc1f1f9fd139f488603d9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/342e7bfbb39bc43b492fc1f1f9fd139f488603d9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Fixed introduction to clarify that one picks packages, not issues
Enrico Zini pushed to branch master at Debian Security Tracker / security-tracker Commits: d424117d by Enrico Zini at 2022-04-30T17:32:49+02:00 Fixed introduction to clarify that one picks packages, not issues - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -5,7 +5,7 @@ The specific CVE IDs do not need to be listed, they can be gathered in an up-to- https://security-tracker.debian.org/tracker/source-package/SOURCEPACKAGE when working on an update. -To pick an issue, simply add your name behind it. To learn more about how +To work on a package, simply add your name behind it. To learn more about how this list is updated have a look at https://wiki.debian.org/LTS/Development#Triage_new_security_issues View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d424117d876a6f2fdc671fc3e7e069f0b5662482 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d424117d876a6f2fdc671fc3e7e069f0b5662482 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: claim liblouis in dla-needed.txt
Andreas Rönnquist pushed to branch master at Debian Security Tracker / security-tracker Commits: c94c9fb7 by Andreas Rönnquist at 2022-04-30T15:34:56+02:00 LTS: claim liblouis in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -80,7 +80,7 @@ kvmtool libarchive (Thorsten Alteholz) NOTE: 20220423: still testing, some tests still fail -- -liblouis +liblouis (Andreas Rönnquist) NOTE: 20220320: no patch available yet. Reproducible memory leaks with ASAN NOTE: 20220320: and POC. Consider fixing CVE-2018-17294 too. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c94c9fb7d8c435c09195d900a0d965961ac03255 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c94c9fb7d8c435c09195d900a0d965961ac03255 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: jackson-databind,CVE-2020-36518 fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 538d13fb by Markus Koschany at 2022-04-30T14:18:50+02:00 jackson-databind,CVE-2020-36518 fixed in unstable - - - - - 1ffebba6 by Markus Koschany at 2022-04-30T14:19:22+02:00 Claim jackson-databind in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -8707,7 +8707,7 @@ CVE-2021-46708 (The swagger-ui-dist package before 4.1.3 for Node.js could allow - node-swagger-ui (bug #871461) - swagger-ui (bug #895422) CVE-2020-36518 (jackson-databind before 2.13.0 allows a Java StackOverflow exception a ...) - - jackson-databind (bug #1007109) + - jackson-databind 2.13.2.2-1 (bug #1007109) [bullseye] - jackson-databind (Minor issue) [buster] - jackson-databind (Minor issue) NOTE: https://github.com/FasterXML/jackson-databind/issues/2816 = data/dla-needed.txt = @@ -68,7 +68,7 @@ icingaweb2 (Abhijith PA) intel-microcode NOTE: 20220213: please recheck -- -jackson-databind +jackson-databind (Markus Koschany) NOTE: 20220320: wait for complete upstream fix (apo) -- kicad View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c1a65777a9735156addc041287b0345105eaf11f...1ffebba629156935d6289cfd4ae4891e4d14532f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c1a65777a9735156addc041287b0345105eaf11f...1ffebba629156935d6289cfd4ae4891e4d14532f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2022-29536/epiphany - stretch not affected
Andreas Rönnquist pushed to branch master at Debian Security Tracker / security-tracker Commits: c1a65777 by Andreas Rönnquist at 2022-04-30T14:05:54+02:00 CVE-2022-29536/epiphany - stretch not affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1290,6 +1290,7 @@ CVE-2022-29537 (gp_rtp_builder_do_hevc in ietf/rtp_pck_mpeg4.c in GPAC 2.0.0 has NOTE: Fixed by: https://github.com/gpac/gpac/commit/1773b7a34bc08734aee7d3f5dfe65d06389fe15a CVE-2022-29536 (In GNOME Epiphany before 41.4 and 42.x before 42.2, an HTML document c ...) - epiphany-browser 42.2-1 (bug #1009959) + [stretch] - epiphany-browser (Vulnerable code not present) NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1106 NOTE: Introduced by: https://gitlab.gnome.org/GNOME/epiphany/-/commit/232c613472b38ff0d0d97338f366024ddb9cd228 (3.29.2) NOTE: Fixed by: https://gitlab.gnome.org/GNOME/epiphany/-/commit/486da133569ebfc436c959a7419565ab102e8525 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1a65777a9735156addc041287b0345105eaf11f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1a65777a9735156addc041287b0345105eaf11f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update entry for CVE-2021-4070
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 528b6857 by Salvatore Bonaccorso at 2022-04-30T13:41:57+02:00 Update entry for CVE-2021-4070 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28797,7 +28797,9 @@ CVE-2021-44551 CVE-2021-44550 (An Incorrect Access Control vulnerability exists in CoreNLP 4.3.2 via ...) NOT-FOR-US: CoreNLP CVE-2021-4070 (Off-by-one Error in GitHub repository v2fly/v2ray-core prior to 4.44.0 ...) - NOT-FOR-US: v2fly/v2ray-core + - golang-v2ray-core (bug #1010377) + NOTE: https://huntr.dev/bounties/8da19456-4d89-41ef-9781-a41efd6a1877/ + NOTE: https://github.com/v2fly/v2ray-core/commit/c1af2bfd7aa59a4482aa7f6ec4b9208c1d350b5c CVE-2021-44549 (Apache Sling Commons Messaging Mail provides a simple layer on top of ...) NOT-FOR-US: Apache Sling CVE-2021-4069 (vim is vulnerable to Use After Free ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/528b6857917eb6bef14d7351f7d06cab6d24ee5f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/528b6857917eb6bef14d7351f7d06cab6d24ee5f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-28805/lua5.4 via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e2e0e13 by Salvatore Bonaccorso at 2022-04-30T13:31:25+02:00 Track fixed version for CVE-2022-28805/lua5.4 via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3159,7 +3159,7 @@ CVE-2022-28807 CVE-2022-28806 RESERVED CVE-2022-28805 (singlevar in lparser.c in Lua through 5.4.4 lacks a certain luaK_exp2a ...) - - lua5.4 (bug #1010265) + - lua5.4 5.4.4-2 (bug #1010265) [bullseye] - lua5.4 (Minor issue) - lua5.3 (Specific to 5.4, see #1010265) - lua5.2 (Specific to 5.4, see #1010265) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e2e0e136c2c92eb478077e53cfb66011d7c19b6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e2e0e136c2c92eb478077e53cfb66011d7c19b6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-24859/pypdf2 via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d2834f0b by Salvatore Bonaccorso at 2022-04-30T13:29:29+02:00 Track fixed version for CVE-2022-24859/pypdf2 via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14200,7 +14200,7 @@ CVE-2022-24861 (Databasir is a team-oriented relational database model document CVE-2022-24860 (Databasir is a team-oriented relational database model document manage ...) NOT-FOR-US: Databasir CVE-2022-24859 (PyPDF2 is an open source python PDF library capable of splitting, merg ...) - - pypdf2 (bug #1009879) + - pypdf2 1.27.9-1 (bug #1009879) NOTE: https://github.com/py-pdf/PyPDF2/security/advisories/GHSA-xcjx-m2pj-8g79 NOTE: https://github.com/py-pdf/PyPDF2/issues/329 NOTE: https://github.com/py-pdf/PyPDF2/pull/740 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2834f0b6bcb98bdcda4382c68fecee72d65afd1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2834f0b6bcb98bdcda4382c68fecee72d65afd1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-29967/glewlwyd
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 45edbacf by Salvatore Bonaccorso at 2022-04-30T10:46:19+02:00 Add CVE-2022-29967/glewlwyd - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,6 @@ CVE-2022-29967 (static_compressed_inmemory_website_callback.c in Glewlwyd through 2.6. ...) - TODO: check + - glewlwyd + NOTE: https://github.com/babelouest/glewlwyd/commit/e3f7245c33897bf9b3a75acfcdb8b7b93974bf11 CVE-2022-29966 RESERVED CVE-2022-29965 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45edbacf1ba6417068d1b871522eaf21aa742afd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45edbacf1ba6417068d1b871522eaf21aa742afd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e65d6756 by security tracker role at 2022-04-30T08:10:15+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,49 @@ +CVE-2022-29967 (static_compressed_inmemory_website_callback.c in Glewlwyd through 2.6. ...) + TODO: check +CVE-2022-29966 + RESERVED +CVE-2022-29965 + RESERVED +CVE-2022-29964 + RESERVED +CVE-2022-29963 + RESERVED +CVE-2022-29962 + RESERVED +CVE-2022-29961 + RESERVED +CVE-2022-29960 + RESERVED +CVE-2022-29959 + RESERVED +CVE-2022-29958 + RESERVED +CVE-2022-29957 + RESERVED +CVE-2022-29956 + RESERVED +CVE-2022-29955 + RESERVED +CVE-2022-29954 + RESERVED +CVE-2022-29953 + RESERVED +CVE-2022-29952 + RESERVED +CVE-2022-29951 + RESERVED +CVE-2022-29950 + RESERVED +CVE-2022-29949 + RESERVED +CVE-2022-29948 + RESERVED +CVE-2022-29947 (Woodpecker before 0.15.1 allows XSS via build logs because web/src/com ...) + TODO: check +CVE-2022-29946 + RESERVED +CVE-2022-29945 (DJI drone devices sold in 2017 through 2022 broadcast unencrypted info ...) + TODO: check CVE-2022-29944 RESERVED CVE-2022-29943 @@ -4891,8 +4937,8 @@ CVE-2022-28200 RESERVED CVE-2022-28199 RESERVED -CVE-2022-28198 - RESERVED +CVE-2022-28198 (NVIDIA Omniverse Nucleus and Cache contain a vulnerability in its conf ...) + TODO: check CVE-2022-28197 (NVIDIA Jetson Linux Driver Package contains a vulnerability in the Cbo ...) NOT-FOR-US: NVIDIA Jetson Linux Driver Package CVE-2022-28196 (NVIDIA Jetson Linux Driver Package contains a vulnerability in the Cbo ...) 
@@ -11139,8 +11185,8 @@ CVE-2022-25856 RESERVED CVE-2022-25855 RESERVED -CVE-2022-25854 - RESERVED +CVE-2022-25854 (This affects the package @yaireo/tagify before 4.9.8. The package is u ...) + TODO: check CVE-2022-25853 RESERVED CVE-2022-25852 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e65d6756f528e0b2d473ca725d88caeba7ccc355 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e65d6756f528e0b2d473ca725d88caeba7ccc355 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5d9d93ee by Salvatore Bonaccorso at 2022-04-30T09:31:26+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -61,7 +61,7 @@ CVE-2022-29492 CVE-2022-29490 RESERVED CVE-2022-1543 (Improper handling of Length parameter in GitHub repository erudika/sco ...) - TODO: check + NOT-FOR-US: scoold CVE-2022-1542 RESERVED CVE-2022-1541 @@ -75,7 +75,7 @@ CVE-2022-1538 CVE-2022-1537 RESERVED CVE-2022-1536 (A vulnerability has been found in automad up to 1.10.9 and classified ...) - TODO: check + NOT-FOR-US: automad CVE-2022-1535 RESERVED CVE-2022-1534 (Buffer Over-read at parse_rawml.c:1416 in GitHub repository bfabiszews ...) @@ -89,7 +89,7 @@ CVE-2022-1533 (Buffer Over-read in GitHub repository bfabiszewski/libmobi prior CVE-2022-1532 RESERVED CVE-2022-1531 (SQL injection vulnerability in ARAX-UI Synonym Lookup functionality in ...) - TODO: check + NOT-FOR-US: RTX CVE-2022-1530 (Cross-site Scripting (XSS) in GitHub repository livehelperchat/livehel ...) NOT-FOR-US: livehelperchat CVE-2022-1529 @@ -2713,7 +2713,7 @@ CVE-2022-28996 CVE-2022-28995 RESERVED CVE-2022-28994 (Small HTTP Server version 3.06 suffers from a remote buffer overflow v ...) - TODO: check + NOT-FOR-US: Small HTTP Server CVE-2022-28993 RESERVED CVE-2022-28992 @@ -14057,7 +14057,7 @@ CVE-2022-24902 CVE-2022-24901 RESERVED CVE-2022-24900 (Piano LED Visualizer is software that allows LED lights to light up as ...) - TODO: check + NOT-FOR-US: Piano LED Visualizer CVE-2022-24899 RESERVED CVE-2022-24898 (org.xwiki.commons:xwiki-commons-xml is a common module used by other X ...) 
@@ -28627,9 +28627,9 @@ CVE-2021-44598 (Attendance Management System 1.0 is affected by a Cross Site Scr CVE-2021-44597 (An Access Control vunerabiity exists in Gerapy v 0.9.7 via the spider ...) NOT-FOR-US: Gerapy CVE-2021-44596 (Wondershare LTD Dr. Fone as of 2021-12-06 version is affected by Remot ...) - TODO: check + NOT-FOR-US: Wondershare CVE-2021-44595 (Wondershare Dr. Fone Latest version as of 2021-12-06 is vulnerable to ...) - TODO: check + NOT-FOR-US: Wondershare CVE-2021-44594 RESERVED CVE-2021-44593 (Simple College Website 1.0 is vulnerable to unauthenticated file uploa ...) @@ -31089,9 +31089,9 @@ CVE-2021-43940 (Affected versions of Atlassian Confluence Server and Data Center CVE-2021-43939 (Elcomplus SmartPTT is vulnerable when a low-authenticated user can acc ...) NOT-FOR-US: Elcomplus SmartPTT CVE-2021-43938 (Elcomplus SmartPTT SCADA Server is vulnerable to an unauthenticated us ...) - TODO: check + NOT-FOR-US: Elcomplus SmartPTT SCADA Server CVE-2021-43937 (Elcomplus SmartPTT SCADA Server web application does not, or cannot, s ...) - TODO: check + NOT-FOR-US: Elcomplus SmartPTT SCADA Server CVE-2021-43936 (The software allows the attacker to upload or transfer files of danger ...) NOT-FOR-US: Distributed Data Systems CVE-2021-43935 (The impacted products, when configured to use SSO, are affected by an ...) @@ -39279,7 +39279,7 @@ CVE-2021-41950 (A directory traversal issue in ResourceSpace 9.6 before 9.6 rev CVE-2021-41949 RESERVED CVE-2021-41948 (A cross-site scripting (XSS) vulnerability exists in the "contact us" ...) - TODO: check + NOT-FOR-US: Subrion CMS plugin CVE-2021-41947 (A SQL injection vulnerability exists in Subrion CMS v4.2.1 in the visu ...) NOT-FOR-US: Subrion CMS CVE-2021-41946 @@ -39296,7 +39296,7 @@ CVE-2021-41944 CVE-2021-41943 RESERVED CVE-2021-41942 (The Magic CMS MSVOD v10 video system has a SQL injection vulnerability ...) - TODO: check + NOT-FOR-US: Magic CMS CVE-2021-41941 RESERVED CVE-2021-41940 
@@ -46491,7 +46491,7 @@ CVE-2021-39084 CVE-2021-39083 RESERVED CVE-2021-39082 (IBM UrbanCode Deploy (UCD) 7.1.1.2 uses weaker than expected cryptogra ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-39081 RESERVED CVE-2021-39080 (Due to weak obfuscation, IBM Cognos Analytics Mobile for Android appli ...) @@ -53567,7 +53567,7 @@ CVE-2021-36209 (In JetBrains Hub before 2021.1.13389, account takeover was possi CVE-2021-36208 RESERVED CVE-2021-36207 (Under certain circumstances improper privilege management in Metasys A ...) - TODO: check + NOT-FOR-US: Metasys CVE-2021-36206 RESERVED CVE-2021-36205 (Under certain circumstances the session token is not cleared on logout ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d9d93eeeceb32346054cd2ff1284c643203db2c -- View it on
[Git][security-tracker-team/security-tracker][master] 2 commits: Mark CVE-2022-29078/node-ejs as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 19260e91 by Salvatore Bonaccorso at 2022-04-30T09:21:51+02:00 Mark CVE-2022-29078/node-ejs as no-dsa - - - - - 0323e19c by Salvatore Bonaccorso at 2022-04-30T09:23:18+02:00 Track proposed update for node-ejs via bullseye-pu - - - - - 2 changed files: - data/CVE/list - data/next-point-update.txt Changes: = data/CVE/list = @@ -2435,6 +2435,8 @@ CVE-2022-29079 RESERVED CVE-2022-29078 (The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js ...) - node-ejs 3.1.7-1 (bug #1010359) + [bullseye] - node-ejs (Minor issue; can be fixed via point release) + [buster] - node-ejs (Minor issue; can be fixed via point release) [stretch] - node-ejs (Node not covered by security support) NOTE: https://eslam.io/posts/ejs-server-side-template-injection-rce/ NOTE: https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf (v3.1.7) = data/next-point-update.txt = @@ -54,3 +54,5 @@ CVE-2022-27405 [bullseye] - freetype 2.10.4+dfsg-1+deb11u1 CVE-2022-27404 [bullseye] - freetype 2.10.4+dfsg-1+deb11u1 +CVE-2022-29078 + [bullseye] - node-ejs 2.5.7-3+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5e6a9f5debf53a3a71988a73d981528424df2b9e...0323e19ccd83df57cd24c9db68a402960e510bb9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5e6a9f5debf53a3a71988a73d981528424df2b9e...0323e19ccd83df57cd24c9db68a402960e510bb9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2021-3670/{samba,ldb}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e6a9f5d by Salvatore Bonaccorso at 2022-04-30T09:20:33+02:00 Update status for CVE-2021-3670/{samba,ldb} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -50011,11 +50011,21 @@ CVE-2021-3671 (A null pointer de-reference was found in the way samba kerberos s NOTE: Fixed by (Samba): https://gitlab.com/samba-team/samba/-/commit/0cb4b939f192376bf5e33637863a91a20f74c5a5 CVE-2021-3670 [MaxQueryDuration not honoured in Samba AD DC LDAP] RESERVED - - samba + - ldb 2:2.2.3-1 + [buster] - ldb (Minor issue) + - samba 2:4.16.0+dfsg-2 + [bullseye] - samba (Minor issue) [buster] - samba (Minor issue; affects Samba as AD DC; cf DSA 5015-1) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2077533 NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14694 + NOTE: https://gitlab.com/samba-team/samba/-/commit/dcfcafdbf756e12d9077ad7920eea25478c29f81 NOTE: https://gitlab.com/samba-team/samba/-/commit/86fe9d48883f87c928bf31ccbd275db420386803 + NOTE: https://gitlab.com/samba-team/samba/-/commit/e1ab0c43629686d1d2c0b0b2bcdc90057a792049 + NOTE: ldb: https://gitlab.com/samba-team/samba/-/commit/1d5b155619bc532c46932965b215bd73a920e56f + NOTE: https://gitlab.com/samba-team/samba/-/commit/2b3af3b560c9617a233c131376c870fce146c002 + NOTE: https://gitlab.com/samba-team/samba/-/commit/5f0590362c5c0c5ee20503a67467f9be2d50e73b + NOTE: https://gitlab.com/samba-team/samba/-/commit/3507e96b3dcf0c0b8eff7b2c08ffccaf0812a393 + NOTE: Fixed in ldb 2.5.0, 2.4.2 and 2.3.3 CVE-2021-37714 (jsoup is a Java library for working with HTML. Those using jsoup versi ...) - jsoup 1.14.2-1 (bug #992590) [bullseye] - jsoup (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e6a9f5debf53a3a71988a73d981528424df2b9e
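Review bot: the new fixed version `- ldb 2:2.2.3-1` does not line up with the NOTE added in the same hunk, `Fixed in ldb 2.5.0, 2.4.2 and 2.3.3`, none of which is 2.2.3; please confirm which Debian ldb upload actually carries the ldb commit (the one prefixed `NOTE: ldb:`) or adjust the NOTE so the two statements agree. The hunk also gives samba both `[bullseye]` and `[buster]` annotations but ldb only `[buster]`; if bullseye's ldb is considered fixed or not affected, a one-line annotation saying so would keep that question from being reopened.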
[Git][security-tracker-team/security-tracker][master] Add initial tracking for CVE-2021-3670/samba
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f632120 by Salvatore Bonaccorso at 2022-04-30T09:08:59+02:00 Add initial tracking for CVE-2021-3670/samba - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -50009,8 +50009,13 @@ CVE-2021-3671 (A null pointer de-reference was found in the way samba kerberos s NOTE: Followup: https://github.com/heimdal/heimdal/commit/773802aecfb4b6a73817fa522faeb55b2a7cdb2a NOTE: "Equivalent" issue for CVE-2021-37750 for the MIT krb5 vulnerability. NOTE: Fixed by (Samba): https://gitlab.com/samba-team/samba/-/commit/0cb4b939f192376bf5e33637863a91a20f74c5a5 -CVE-2021-3670 +CVE-2021-3670 [MaxQueryDuration not honoured in Samba AD DC LDAP] RESERVED + - samba + [buster] - samba (Minor issue; affects Samba as AD DC; cf DSA 5015-1) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2077533 + NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14694 + NOTE: https://gitlab.com/samba-team/samba/-/commit/86fe9d48883f87c928bf31ccbd275db420386803 CVE-2021-37714 (jsoup is a Java library for working with HTML. Those using jsoup versi ...) - jsoup 1.14.2-1 (bug #992590) [bullseye] - jsoup (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f6321200dde1609c95156282a9bc4e8633b0309
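Review bot: the `- samba` line added for CVE-2021-3670 carries neither a fixed version nor an `<unfixed>` marker, so the unstable status is left implicit; if the fix is not yet uploaded, `<unfixed>` states that explicitly, and if it is, the fixing version belongs here. The hunk also annotates only `[buster]` while bullseye receives no annotation at all; a `[bullseye]` line, or a NOTE on why bullseye needs none, would complete the initial entry.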
[Git][security-tracker-team/security-tracker][master] Process CVE-2022-29265 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1eb3991d by Salvatore Bonaccorso at 2022-04-30T08:56:27+02:00 Process CVE-2022-29265 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1920,6 +1920,7 @@ CVE-2022-1365 (Exposure of Private Personal Information to an Unauthorized Actor NOT-FOR-US: lquixada/cross-fetch CVE-2022-29265 RESERVED + NOT-FOR-US: Apache NiFi CVE-2022-1364 RESERVED {DSA-5121-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1eb3991d300f0ca1a8eb6b42f5abe5f4e7d0cdff
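Review bot: the entry keeps its `RESERVED` placeholder and gains `NOT-FOR-US: Apache NiFi` with no NOTE giving the source used for the triage; because no CVE description is present, a NOTE with the advisory URL would let the next reader re-verify the NFU decision once the CVE text is published.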