[Git][security-tracker-team/security-tracker][master] Add CVE-2022-45145 but retain todo item for now
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b889e982 by Salvatore Bonaccorso at 2022-12-12T08:56:01+01:00 Add CVE-2022-45145 but retain todo item for now - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5335,7 +5335,10 @@ CVE-2022-3942 (A vulnerability was found in SourceCodester Sanitization Manageme CVE-2022-45146 (An issue was discovered in the FIPS Java API of Bouncy Castle BC-FJA b ...) NOT-FOR-US: FIPS provider for Bouncycastle, not part of the Debian package for Bouncycastle CVE-2022-45145 (egg-compile.scm in CHICKEN 5.x before 5.3.1 allows arbitrary OS comman ...) - TODO: check + - chicken + NOTE: https://lists.gnu.org/archive/html/chicken-announce/2022-11/msg0.html + NOTE: https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=a08f8f548d772ef410c672ba33a27108d8d434f3;hp=9c6fb001c25de4390f46ffd7c3c94237f4df92a9 + TODO: check, might be Windows specific CVE-2022-45144 RESERVED CVE-2022-3941 (A vulnerability has been found in Activity Log Plugin and classified a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b889e982faac2e66aa1d4345c8f837e945a388d1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
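Review bot: the new `- chicken` line in the CVE-2022-45145 hunk is added with no fixed version, severity tag or release annotation while `TODO: check, might be Windows specific` is kept, so the entry now asserts both that the package is affected and that triage is still open; that is a defensible interim state given the commit subject, but the retained TODO should say what is suspected to be Windows-specific (the referenced chicken-core commitdiff is where to confirm it) so the next triager does not repeat the same check. It is also worth verifying that the first NOTE link resolves: lists.gnu.org archive URLs end in a five-digit `msgNNNNN.html`, and `msg0.html` looks truncated.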
[Git][security-tracker-team/security-tracker][master] LTS: Reclaim netatalk
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b64dc7c by Anton Gladky at 2022-12-12T06:17:19+01:00 LTS: Reclaim netatalk - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -147,9 +147,12 @@ net-snmp NOTE: 20221120: Programming language: C. NOTE: 20221206: no upstream patch yet. -- -netatalk +netatalk (gladk) NOTE: 20220816: Programming language: C. NOTE: 20220912: We get errors in the log, not present on bookworm. Needs more investigation. (stefanor) + NOTE: 20221212: VCS: https://salsa.debian.org/lts-team/packages/netatalk + NOTE: 20221212: Work is ongoing. CVE-2022-0194 is probably too intrusive. (gladk) + -- nextcloud-desktop NOTE: 20221128: Programming language: C++. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b64dc7cb23483dd6b916d552b70ec61312e9cbe
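Review bot: the added `NOTE: 20221212: Work is ongoing. CVE-2022-0194 is probably too intrusive. (gladk)` records a decision without its consequence: if the fix for CVE-2022-0194 will not be backported to buster, the corresponding entry in data/CVE/list needs a matching `[buster] - netatalk (...)` annotation carrying that reason, otherwise the tracker keeps showing the issue as open for buster once the DLA for the other CVEs is issued. The older `NOTE: 20220912` line about errors in the log that are absent on bookworm is still unresolved in this hunk; a short note on whether that investigation was done would help whoever picks the package up next.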
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: d488679b by Anton Gladky at 2022-12-12T06:02:49+01:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Anton Gladky gl...@debian.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -87,7 +87,7 @@ golang-websocket NOTE: 20220915: 1 CVE fixed in stretch and bullseye (golang-github-gorilla-websocket) (Beuc/front-desk) NOTE: 20220915: Special attention: limited support; requires rebuilding reverse dependencies -- -imagemagick (Roberto C. Sánchez) +imagemagick NOTE: 20220904: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git NOTE: 20220904: Should be synced with Stretch. (apo) @@ -147,7 +147,7 @@ net-snmp NOTE: 20221120: Programming language: C. NOTE: 20221206: no upstream patch yet. -- -netatalk (gladk) +netatalk NOTE: 20220816: Programming language: C. NOTE: 20220912: We get errors in the log, not present on bookworm. Needs more investigation. (stefanor) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d488679beaf8c3eb9ff21345be4908e165190806
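Review bot: both hunks drop the claimant from the package line (`imagemagick (Roberto C. Sánchez)` and `netatalk (gladk)`) but record nothing in the file about why, whereas every other status change in dla-needed.txt carries a dated `NOTE: YYYYMMDD:` line; consider adding `NOTE: 20221212: Unclaimed after 2 weeks of inactivity.` under each package so the reason is visible to the next claimant rather than only in the git log. The netatalk unclaim here is reverted fifteen minutes later by commit 2b64dc7c (which does add dated notes), so the semi-automatic sweep may want to skip packages whose last note is recent or whose claimant is the person running it.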
[Git][security-tracker-team/security-tracker][master] Claim mbedtls in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 381b2c8f by Markus Koschany at 2022-12-12T01:03:16+01:00 Claim mbedtls in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -128,7 +128,7 @@ man2html NOTE: 20221004: It looks like not patch is available. NOTE: 20221004: Please evalulate, whether the issue can be marked as . -- -mbedtls +mbedtls (Markus Koschany) NOTE: 20220821: Programming language: C. -- modsecurity-crs View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/381b2c8fe915f599aaed6cf39f8dfdd44eb83f40
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3236-1 for openexr
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 432e5017 by Markus Koschany at 2022-12-12T00:50:31+01:00 Reserve DLA-3236-1 for openexr - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -74108,7 +74108,6 @@ CVE-2021-45942 (OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in I {DSA-5299-1} [experimental] - openexr 3.1.4-1 - openexr 3.1.5-2 (bug #1014828) - [buster] - openexr (Minor issue) [stretch] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41416 NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1209 @@ -108269,7 +108268,6 @@ CVE-2021-34696 (A vulnerability in the access control list (ACL) programming of CVE-2021-3605 (There's a flaw in OpenEXR's rleUncompress functionality in versions pr ...) {DSA-5299-1 DLA-2732-1} - openexr 2.5.7-1 (bug #990899) - [buster] - openexr (Minor issue) NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1036 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/25259a84827234a283f6f9db72978198c7a3f268 (master) NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/3204008c0bd4c8d7599a052b304d1b44c4511283 (v2.5) @@ -108348,7 +108346,6 @@ CVE-2021-34675 (Basix NEX-Forms through 7.8.7 allows authentication bypass for s CVE-2021-3598 (There's a flaw in OpenEXR's ImfDeepScanLineInputFile functionality in ...) {DSA-5299-1 DLA-2701-1} - openexr 2.5.7-1 (bug #990450) - [buster] - openexr (Minor issue) NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/1033 NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1037 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/566f5241edd87445373885d5f7a904dc81e866c1 (master) 
@@ -116543,7 +116540,6 @@ CVE-2021-26945 (An integer overflow leading to a heap-buffer overflow was found CVE-2021-26260 (An integer overflow leading to a heap-buffer overflow was found in the ...) {DSA-5299-1 DLA-2701-1} - openexr 2.5.7-1 (bug #992703) - [buster] - openexr (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1947582 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29423 NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/894 @@ -116552,7 +116548,6 @@ CVE-2021-26260 (An integer overflow leading to a heap-buffer overflow was found CVE-2021-23215 (An integer overflow leading to a heap-buffer overflow was found in the ...) {DSA-5299-1 DLA-2701-1} - openexr 2.5.7-1 - [buster] - openexr (Minor issue, might change ABI) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1947586 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29653 NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/901 @@ -121634,14 +121629,12 @@ CVE-2021-3480 (A flaw was found in slapi-nis in versions before 0.56.7. A NULL p CVE-2021-3479 (There's a flaw in OpenEXR's Scanline API functionality in versions bef ...) {DLA-2701-1} - openexr 2.5.4-1 (bug #986796) - [buster] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25370 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/d80f11f4f55100d007ae80a162bf257ec291612c NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/830 CVE-2021-3478 (There's a flaw in OpenEXR's scanline input file functionality in versi ...) {DLA-2701-1} - openexr 2.5.4-1 (bug #986796) - [buster] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27409 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939160 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/bc88cdb6c97fbf5bc5d11ad8ca55306da931283a (master) 
@@ -121650,7 +121643,6 @@ CVE-2021-3478 (There's a flaw in OpenEXR's scanline input file functionality in CVE-2021-3477 (There's a flaw in OpenEXR's deep tile sample size calculations in vers ...) {DLA-2701-1} - openexr 2.5.4-1 (bug #986796) - [buster] - openexr (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26956 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939159 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/467be80b75642efbbe6bdace558079f68c16acb1 @@ -122248,19 +122240,16 @@ CVE-2021-29425 (In Apache Commons IO before 2.7, When invoking the method FileNa CVE-2021-3476 (A flaw was found in OpenEXR's B44 uncompression functionality in versi ...) {DLA-2701-1} - openexr 2.5.4-1 (bug #986796) - [buster]
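Review bot: the visible hunks remove the `[buster] - openexr (Minor issue)` line from CVE-2021-45942, CVE-2021-3605, CVE-2021-3598, CVE-2021-26260, CVE-2021-23215, CVE-2021-3479, CVE-2021-3478, CVE-2021-3477 and CVE-2021-3476, but the mail is cut off mid-hunk and the data/DLA/list and data/dla-needed.txt changes listed under "3 changed files" are not shown, so the `{CVE-...}` line of the DLA-3236-1 entry cannot be checked against this set from the mail alone; the reviewer should confirm the two lists match exactly, since any CVE whose buster line is removed without appearing in the DLA entry would silently show buster as unaffected. One removed line, for CVE-2021-23215, read `(Minor issue, might change ABI)`; that caveat disappears from the tracker with this commit, so the update should state that the backported fix was checked against the buster openexr ABI and its reverse dependencies.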
[Git][security-tracker-team/security-tracker][master] Add note for gerbv in dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f1e6a001 by Salvatore Bonaccorso at 2022-12-11T22:41:21+01:00 Add note for gerbv in dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -15,6 +15,7 @@ If needed, specify the release by adding a slash after the name of the source pa frr -- gerbv (aron) + Aron proposed debdiff for review -- lava -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f1e6a0019809a4008b51bc11033a8b005a5bb522
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-4399/nodau via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b70ca5b3 by Salvatore Bonaccorso at 2022-12-11T22:40:25+01:00 Track fixed version for CVE-2022-4399/nodau via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27,7 +27,7 @@ CVE-2022-4400 (A vulnerability was found in zbl1996 FS-Blog and classified as pr CVE-2022-46907 RESERVED CVE-2022-4399 (A vulnerability was found in TicklishHoneyBee nodau. It has been rated ...) - - nodau (unimportant) + - nodau 0.3.8-5 (unimportant) NOTE: https://github.com/TicklishHoneyBee/nodau/commit/7a7d737a3929f335b9717ddbd31db91151b69ad2 NOTE: https://github.com/TicklishHoneyBee/nodau/pull/26 NOTE: Negligible security impact View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b70ca5b3b749311de3841431a001cdedfa05ec17
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-4399/nodau
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 21fb3266 by Salvatore Bonaccorso at 2022-12-11T21:35:53+01:00 Add CVE-2022-4399/nodau - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27,7 +27,10 @@ CVE-2022-4400 (A vulnerability was found in zbl1996 FS-Blog and classified as pr CVE-2022-46907 RESERVED CVE-2022-4399 (A vulnerability was found in TicklishHoneyBee nodau. It has been rated ...) - TODO: check + - nodau (unimportant) + NOTE: https://github.com/TicklishHoneyBee/nodau/commit/7a7d737a3929f335b9717ddbd31db91151b69ad2 + NOTE: https://github.com/TicklishHoneyBee/nodau/pull/26 + NOTE: Negligible security impact CVE-2022-4398 (Integer Overflow or Wraparound in GitHub repository radareorg/radare2 ...) - radare2 NOTE: https://huntr.dev/bounties/c6f8d3ef-5420-4eba-9a5f-aba5e2b5fea2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21fb3266696b0cdbe80f8899c5e5d585841bbc83
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-4398/radare2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a2a0d9ff by Salvatore Bonaccorso at 2022-12-11T21:30:41+01:00 Add CVE-2022-4398/radare2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29,7 +29,9 @@ CVE-2022-46907 CVE-2022-4399 (A vulnerability was found in TicklishHoneyBee nodau. It has been rated ...) TODO: check CVE-2022-4398 (Integer Overflow or Wraparound in GitHub repository radareorg/radare2 ...) - TODO: check + - radare2 + NOTE: https://huntr.dev/bounties/c6f8d3ef-5420-4eba-9a5f-aba5e2b5fea2 + NOTE: https://github.com/radareorg/radare2/commit/b53a1583d05c3a5bfe5fa60da133fe59dfbb02b8 CVE-2022-4397 (A vulnerability was found in morontt zend-blog-number-2. It has been c ...) TODO: check CVE-2022-4396 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in RDFlib py ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2a0d9fffbbb179a183f0cc362d21a9ae0ff4c54
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: efdc8c42 by Salvatore Bonaccorso at 2022-12-11T21:26:20+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,11 +5,11 @@ CVE-2022-4411 CVE-2022-4410 RESERVED CVE-2022-4409 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub ...) - TODO: check + NOT-FOR-US: phpMyFAQ CVE-2022-4408 (Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpm ...) - TODO: check + NOT-FOR-US: phpMyFAQ CVE-2022-4407 (Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/p ...) - TODO: check + NOT-FOR-US: phpMyFAQ CVE-2022-4406 RESERVED CVE-2022-4405 
@@ -17,13 +17,13 @@ CVE-2022-4405 CVE-2022-4404 RESERVED CVE-2022-4403 (A vulnerability classified as critical was found in SourceCodester Can ...) - TODO: check + NOT-FOR-US: SourceCodester Canteen Management System CVE-2022-4402 (A vulnerability classified as critical has been found in RainyGao DocS ...) - TODO: check + NOT-FOR-US: RainyGao DocSys CVE-2022-4401 (A vulnerability was found in pallidlight online-course-selection-syste ...) - TODO: check + NOT-FOR-US: pallidlight online-course-selection-system CVE-2022-4400 (A vulnerability was found in zbl1996 FS-Blog and classified as problem ...) - TODO: check + NOT-FOR-US: zbl1996 FS-Blog CVE-2022-46907 RESERVED CVE-2022-4399 (A vulnerability was found in TicklishHoneyBee nodau. It has been rated ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/efdc8c42dd1a8b46bb91e5d67933b9079af5621e
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-37533
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d4fd229f by Salvatore Bonaccorso at 2022-12-11T21:17:44+01:00 Add Debian bug reference for CVE-2021-37533 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -101542,7 +101542,7 @@ CVE-2021-37535 (SAP NetWeaver Application Server Java (JMS Connector Service) - CVE-2021-37534 (app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when ...) NOT-FOR-US: MISP CVE-2021-37533 (Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host fr ...) - - libcommons-net-java + - libcommons-net-java (bug #1025910) NOTE: https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7 NOTE: https://issues.apache.org/jira/browse/NET-711 NOTE: https://github.com/apache/commons-net/commit/b0bff89f70cfea70009e22f87639816cc3993974 (commons-net-3.9.0-RC1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4fd229fded383b87735e4b32c789c9732d629f4
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 83053157 by security tracker role at 2022-12-11T20:10:18+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,29 @@ -CVE-2022-4401 +CVE-2022-4412 RESERVED -CVE-2022-4400 +CVE-2022-4411 RESERVED +CVE-2022-4410 + RESERVED +CVE-2022-4409 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub ...) + TODO: check +CVE-2022-4408 (Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpm ...) + TODO: check +CVE-2022-4407 (Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/p ...) + TODO: check +CVE-2022-4406 + RESERVED +CVE-2022-4405 + RESERVED +CVE-2022-4404 + RESERVED +CVE-2022-4403 (A vulnerability classified as critical was found in SourceCodester Can ...) + TODO: check +CVE-2022-4402 (A vulnerability classified as critical has been found in RainyGao DocS ...) + TODO: check +CVE-2022-4401 (A vulnerability was found in pallidlight online-course-selection-syste ...) + TODO: check +CVE-2022-4400 (A vulnerability was found in zbl1996 FS-Blog and classified as problem ...) + TODO: check CVE-2022-46907 RESERVED CVE-2022-4399 (A vulnerability was found in TicklishHoneyBee nodau. It has been rated ...) 
@@ -47674,6 +47696,7 @@ CVE-2022-1651 (A memory leak flaw was found in the Linux kernel in acrn_dev_ioct [stretch] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/ecd1735f14d6ac868ae5d8b7a2bf193fa11f388b (5.18-rc1) CVE-2022-1650 (Exposure of Sensitive Information to an Unauthorized Actor in GitHub r ...) + {DLA-3235-1} - node-eventsource 2.0.2+~1.1.8-1 [bullseye] - node-eventsource 1.0.7-1+deb11u1 [stretch] - node-eventsource (not covered by security support) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83053157264d0169d04d08b142e274bcc1161fbd
[Git][security-tracker-team/security-tracker][master] LTS: claim exiv2
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b20e9ff by Helmut Grohne at 2022-12-11T20:52:46+01:00 LTS: claim exiv2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -42,7 +42,7 @@ erlang NOTE: 20221119: Programming language: Erlang. NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request has been for Stretch) -- -exiv2 +exiv2 (Helmut Grohne) NOTE: 20221119: Programming language: C. -- firmware-nonfree (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b20e9ffcee6f952a43144655dfefd7f17aedcca
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-37533/libcommons-net-java
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 488a5251 by Salvatore Bonaccorso at 2022-12-11T20:48:57+01:00 Add CVE-2021-37533/libcommons-net-java - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -101519,7 +101519,10 @@ CVE-2021-37535 (SAP NetWeaver Application Server Java (JMS Connector Service) - CVE-2021-37534 (app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when ...) NOT-FOR-US: MISP CVE-2021-37533 (Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host fr ...) - TODO: check + - libcommons-net-java + NOTE: https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7 + NOTE: https://issues.apache.org/jira/browse/NET-711 + NOTE: https://github.com/apache/commons-net/commit/b0bff89f70cfea70009e22f87639816cc3993974 (commons-net-3.9.0-RC1) CVE-2021-37532 (SAP Business One version - 10, due to improper input validation, allow ...) NOT-FOR-US: SAP CVE-2021-37531 (SAP NetWeaver Knowledge Management XML Forms versions - 7.10, 7.11, 7. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/488a5251fde69b845745741bc55baa27bd7a7b3d
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add asterisk to dla-needed.txt
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: eacaf48e by Anton Gladky at 2022-12-11T20:00:25+01:00 LTS: add asterisk to dla-needed.txt - - - - - 3006dd86 by Anton Gladky at 2022-12-11T20:04:15+01:00 LTS: add some more info into firmware-nonfree - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -14,6 +14,7 @@ rather than remove/replace existing ones. -- asterisk + NOTE: 20221211: Programming language: C. -- cacti NOTE: 20221208: Programming language: PHP. @@ -47,6 +48,8 @@ exiv2 firmware-nonfree (Markus Koschany) NOTE: 20220906: Consider to check the severity of the issues again and judge whether a correction is worth it. NOTE: 20221204: Coming soon in the first week of December. (apo) + NOTE: 20221211: Programming language: Binary blob + NOTE: 20221211: VCS: https://salsa.debian.org/lts-team/packages/firmware-nonfree.git -- fusiondirectory NOTE: 20221203: Programming language: PHP. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/487a94c1660fff1d08597aadc8bb7c175c9747ae...3006dd86f53a5438ff47e69b7e172d4facc74a09
[Git][security-tracker-team/security-tracker][master] LTS: claim node-tar in dla-needed.txt
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 487a94c1 by Guilhem Moulin at 2022-12-11T18:43:37+01:00 LTS: claim node-tar in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -188,7 +188,7 @@ node-set-value NOTE: 2022: Programming language: JavaScript. NOTE: 2022: Follow fixes from bullseye 11.1 (Beuc/front-desk) -- -node-tar +node-tar (guilhem) NOTE: 20220907: Programming language: JavaScript. -- node-trim-newlines View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/487a94c1660fff1d08597aadc8bb7c175c9747ae
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3235-1 for node-eventsource
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: f5eedaa2 by Guilhem Moulin at 2022-12-11T14:35:35+01:00 Reserve DLA-3235-1 for node-eventsource - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -47676,7 +47676,6 @@ CVE-2022-1651 (A memory leak flaw was found in the Linux kernel in acrn_dev_ioct CVE-2022-1650 (Exposure of Sensitive Information to an Unauthorized Actor in GitHub r ...) - node-eventsource 2.0.2+~1.1.8-1 [bullseye] - node-eventsource 1.0.7-1+deb11u1 - [buster] - node-eventsource (Minor issue) [stretch] - node-eventsource (not covered by security support) NOTE: https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e/ NOTE: https://github.com/eventsource/eventsource/commit/10ee0c4881a6ba2fe65ec18ed195ac35889583c4 (v2.0.2) = data/DLA/list = @@ -1,3 +1,6 @@ +[11 Dec 2022] DLA-3235-1 node-eventsource - security update + {CVE-2022-1650} + [buster] - node-eventsource 0.2.1-1+deb10u1 [10 Dec 2022] DLA-3234-1 hsqldb - security update {CVE-2022-41853} [buster] - hsqldb 2.4.1-2+deb10u1 = data/dla-needed.txt = 
@@ -156,10 +156,6 @@ nextcloud-desktop node-css-what NOTE: 20221031: Programming language: Javascript. -- -node-eventsource (guilhem) - NOTE: 2022: Programming language: JavaScript. - NOTE: 2022: Follow fixes from bullseye 11.4 (Beuc/front-desk) --- node-follow-redirects NOTE: 2022: Programming language: JavaScript. NOTE: 2022: Follow fixes from bullseye 11.3 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5eedaa27c16d3505ec4c32b9302c0b2e6f98330
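Review bot: the data/CVE/list hunk removes `[buster] - node-eventsource (Minor issue)` from CVE-2022-1650 and the data/DLA/list hunk adds the DLA-3235-1 entry with `[buster] - node-eventsource 0.2.1-1+deb10u1`, but no `{DLA-3235-1}` marker is added to the CVE entry in the same commit; the cross-reference is left to the tracker's automatic update (commit 83053157 later the same day adds it), which is the usual practice here but means the CVE entry carries no buster line at all until that run. The removed dla-needed.txt note said to follow the bullseye 11.4 fixes, which for this CVE is 1.0.7-1+deb11u1, whereas buster stays on the 0.2.1 branch; the DLA text should make clear that the fix was backported rather than the package upgraded, so readers do not expect the bullseye version.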
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-43272/dcmtk
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bc89cfb8 by Salvatore Bonaccorso at 2022-12-11T13:47:24+01:00 Add CVE-2022-43272/dcmtk - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12990,7 +12990,11 @@ CVE-2022-43274 CVE-2022-43273 RESERVED CVE-2022-43272 (DCMTK v3.6.7 was discovered to contain a memory leak via the T_ASC_Ass ...) - TODO: check + [experimental] - dcmtk 3.6.8~git20221013.51be018-1 + - dcmtk + [bullseye] - dcmtk (Minor issue) + NOTE: https://github.com/songxpu/bug_report/tree/master/DCMTK/memory_leak_in_3.6.7 + NOTE: Fixed by: https://github.com/DCMTK/dcmtk/commit/c34f4e46e672ad21accf04da0dc085e43be6f5e1 CVE-2022-43271 RESERVED CVE-2022-43270 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc89cfb8d63668c77221500b455bcb93e5bd1c3e
[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-45283/gpac as EOL in gpac for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: a0ebae58 by Chris Lamb at 2022-12-11T11:52:16+00:00 Mark CVE-2022-45283/gpac as EOL in gpac for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4884,6 +4884,7 @@ CVE-2022-45284 RESERVED CVE-2022-45283 (GPAC MP4box v2.0.0 was discovered to contain a stack overflow in the s ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2295 NOTE: https://github.com/gpac/gpac/commit/0fc714872ba4536a1190f93aa278b6e08f8c60df CVE-2022-45282 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0ebae5847e8aa8586267c09251cc83c1ce4cc21
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: af52e8f0 by security tracker role at 2022-12-11T08:10:15+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,13 @@ -CVE-2022-46907 +CVE-2022-4401 RESERVED -CVE-2022-4399 +CVE-2022-4400 RESERVED -CVE-2022-4398 +CVE-2022-46907 RESERVED +CVE-2022-4399 (A vulnerability was found in TicklishHoneyBee nodau. It has been rated ...) + TODO: check +CVE-2022-4398 (Integer Overflow or Wraparound in GitHub repository radareorg/radare2 ...) + TODO: check CVE-2022-4397 (A vulnerability was found in morontt zend-blog-number-2. It has been c ...) TODO: check CVE-2022-4396 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in RDFlib py ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af52e8f09ffa2a6a2d2d665c91e9745ae02edebb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af52e8f09ffa2a6a2d2d665c91e9745ae02edebb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug references for xrdp issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cd3e955c by Salvatore Bonaccorso at 2022-12-11T09:09:37+01:00 Add Debian bug references for xrdp issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -69131,7 +69131,7 @@ CVE-2022-23495 (go-merkledag implements the 'DAGService' interface and adds two CVE-2022-23494 (tinymce is an open source rich text editor. A cross-site scripting (XS ...) TODO: check CVE-2022-23493 (xrdp is an open source project which provides a graphical login to rem ...) - - xrdp + - xrdp (bug #1025879) NOTE: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-59wp-3wq6-jh5v CVE-2022-23492 (go-libp2p is the offical libp2p implementation in the Go programming l ...) TODO: check 
@@ -69150,28 +69150,28 @@ CVE-2022-23486 (libp2p-rust is the official rust language Implementation of the CVE-2022-23485 (Sentry is an error tracking and performance monitoring platform. In ve ...) TODO: check CVE-2022-23484 (xrdp is an open source project which provides a graphical login to rem ...) - - xrdp + - xrdp (bug #1025879) NOTE: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-rqfx-5fv8-q9c6 CVE-2022-23483 (xrdp is an open source project which provides a graphical login to rem ...) - - xrdp + - xrdp (bug #1025879) NOTE: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-38rw-9ch2-fcxq CVE-2022-23482 (xrdp is an open source project which provides a graphical login to rem ...) - - xrdp + - xrdp (bug #1025879) NOTE: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-56pq-2pm9-7fhm CVE-2022-23481 (xrdp is an open source project which provides a graphical login to rem ...) - - xrdp + - xrdp (bug #1025879) NOTE: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-hm75-9jcg-p7hq CVE-2022-23480 (xrdp is an open source project which provides a graphical login to rem ...) - - xrdp + - xrdp (bug #1025879) NOTE: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-3jmx-f6hv-95wg CVE-2022-23479 (xrdp is an open source project which provides a graphical login to rem ...) - - xrdp + - xrdp (bug #1025879) NOTE: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-pgx2-3fjj-fqqh CVE-2022-23478 (xrdp is an open source project which provides a graphical login to rem ...) - - xrdp + - xrdp (bug #1025879) NOTE: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-2f49-wwpm-78pj CVE-2022-23477 (xrdp is an open source project which provides a graphical login to rem ...) - - xrdp + - xrdp (bug #1025879) NOTE: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-hqw2-jx2c-wrr2 CVE-2022-23476 (Nokogiri is an open source XML and HTML library for the Ruby programmi ...) TODO: check 
@@ -69193,7 +69193,7 @@ CVE-2022-23470 (Galaxy is an open-source platform for data analysis. An arbitrar CVE-2022-23469 (Traefik is an open source HTTP reverse proxy and load balancer. Versio ...) - traefik (bug #983289) CVE-2022-23468 (xrdp is an open source project which provides a graphical login to rem ...) - - xrdp + - xrdp (bug #1025879) NOTE: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-8c2f-mw8m-qpx6 CVE-2022-23467 (OpenRazer is an open source driver and user-space daemon to control Ra ...) TODO: check View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd3e955cabb55f3598bed6af3370fefab8f42a91 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd3e955cabb55f3598bed6af3370fefab8f42a91 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
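Review bot: a single bug reference, "bug #1025879", is attached to all ten xrdp entries (CVE-2022-23468, CVE-2022-23477 through CVE-2022-23484 and CVE-2022-23493), each of which cites a different GHSA advisory; the per-CVE cross-reference is only useful if the Debian bug itself enumerates every one of those CVE ids. Suggest confirming that the bug title or body lists all ten ids, and otherwise adding them to #1025879 or filing per-advisory bugs before these lines land.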
[Git][security-tracker-team/security-tracker][master] Update status for sofia-sip DSA
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a6c8002d by Salvatore Bonaccorso at 2022-12-11T09:06:24+01:00 Update status for sofia-sip DSA - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -52,7 +52,7 @@ salt samba -- sofia-sip - Maintainer proposed debdiff, though as rebuild of the testing version + Maintainer proposed debdiff for review with additional question -- sox patch needed for CVE-2021-40426, check with upstream View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6c8002d98822861f685e47ef0d9f76cb64fefc7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6c8002d98822861f685e47ef0d9f76cb64fefc7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
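Review bot: the new status line drops the earlier observation that the proposed debdiff was a rebuild of the testing version without saying whether that concern was resolved, so a reader of dsa-needed.txt now only sees "Maintainer proposed debdiff for review with additional question". Suggest keeping the history and naming the open point, e.g. "Maintainer proposed debdiff for review (earlier one was a rebuild of the testing version); additional question pending: <question>", so the next person picking this up knows what still needs an answer.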