[Git][security-tracker-team/security-tracker][master] Add CVE-2022-45145 but retain todo item for now

2022-12-11 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b889e982 by Salvatore Bonaccorso at 2022-12-12T08:56:01+01:00
Add CVE-2022-45145 but retain todo item for now

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5335,7 +5335,10 @@ CVE-2022-3942 (A vulnerability was found in 
SourceCodester Sanitization Manageme
 CVE-2022-45146 (An issue was discovered in the FIPS Java API of Bouncy Castle 
BC-FJA b ...)
NOT-FOR-US: FIPS provider for Bouncycastle, not part of the Debian 
package for Bouncycastle
 CVE-2022-45145 (egg-compile.scm in CHICKEN 5.x before 5.3.1 allows arbitrary 
OS comman ...)
-   TODO: check
+   - chicken 
+   NOTE: 
https://lists.gnu.org/archive/html/chicken-announce/2022-11/msg0.html
+   NOTE: 
https://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commitdiff;h=a08f8f548d772ef410c672ba33a27108d8d434f3;hp=9c6fb001c25de4390f46ffd7c3c94237f4df92a9
+   TODO: check, might be Windows specific
 CVE-2022-45144
RESERVED
 CVE-2022-3941 (A vulnerability has been found in Activity Log Plugin and 
classified a ...)
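Review bot: The retained TODO on the last added line ("check, might be Windows specific") does not say what would settle it. Record the open question next to it, for example whether the egg-compile.scm change in the referenced chicken-core commit only touches the Windows code path, so the entry can be resolved later without re-reading both links.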



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b889e982faac2e66aa1d4345c8f837e945a388d1

-- 
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] LTS: Reclaim netatalk

2022-12-11 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2b64dc7c by Anton Gladky at 2022-12-12T06:17:19+01:00
LTS: Reclaim netatalk

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -147,9 +147,12 @@ net-snmp
   NOTE: 20221120: Programming language: C.
   NOTE: 20221206: no upstream patch yet.
 --
-netatalk
+netatalk (gladk)
   NOTE: 20220816: Programming language: C.
   NOTE: 20220912: We get errors in the log, not present on bookworm. Needs 
more investigation. (stefanor)
+  NOTE: 20221212: VCS: https://salsa.debian.org/lts-team/packages/netatalk
+  NOTE: 20221212: Work is ongoing. CVE-2022-0194 is probably too intrusive. 
(gladk)
+
 --
 nextcloud-desktop
   NOTE: 20221128: Programming language: C++.
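Review bot: The empty "+" line added just before the " --" separator leaves a blank line inside the netatalk entry, which no neighbouring entry in this hunk has; drop it. The new note that CVE-2022-0194 "is probably too intrusive" would also be easier to act on if it said what follows from that for this CVE.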



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b64dc7cb23483dd6b916d552b70ec61312e9cbe



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2022-12-11 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d488679b by Anton Gladky at 2022-12-12T06:02:49+01:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky gl...@debian.org

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -87,7 +87,7 @@ golang-websocket
   NOTE: 20220915: 1 CVE fixed in stretch and bullseye 
(golang-github-gorilla-websocket) (Beuc/front-desk)
   NOTE: 20220915: Special attention: limited support; requires rebuilding 
reverse dependencies
 --
-imagemagick (Roberto C. Sánchez)
+imagemagick
   NOTE: 20220904: Programming language: C.
   NOTE: 20220904: VCS: 
https://salsa.debian.org/lts-team/packages/imagemagick.git
   NOTE: 20220904: Should be synced with Stretch. (apo)
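Review bot: Dropping the claimant from the imagemagick header line leaves nothing in the entry saying it was unclaimed for inactivity; the three 20220904 notes read as if nothing has happened since. A dated NOTE recording the unclaim would show the next claimant that the package changed hands.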
@@ -147,7 +147,7 @@ net-snmp
   NOTE: 20221120: Programming language: C.
   NOTE: 20221206: no upstream patch yet.
 --
-netatalk (gladk)
+netatalk
   NOTE: 20220816: Programming language: C.
   NOTE: 20220912: We get errors in the log, not present on bookworm. Needs 
more investigation. (stefanor)
 --
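Review bot: The netatalk claim removed here is the committer's own, and the newest note in the entry is dated 20220912, so the entry looked inactive. The claim is put back in commit 2b64dc7c together with 20221212 notes; adding a dated status NOTE while work is ongoing would keep the entry out of the two-week unclaim.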



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d488679beaf8c3eb9ff21345be4908e165190806



[Git][security-tracker-team/security-tracker][master] Claim mbedtls in dla-needed.txt

2022-12-11 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
381b2c8f by Markus Koschany at 2022-12-12T01:03:16+01:00
Claim mbedtls in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -128,7 +128,7 @@ man2html
   NOTE: 20221004: It looks like not patch is available.
   NOTE: 20221004: Please evalulate, whether the issue can be marked as 
.
 --
-mbedtls
+mbedtls (Markus Koschany)
   NOTE: 20220821: Programming language: C.
 --
 modsecurity-crs



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/381b2c8fe915f599aaed6cf39f8dfdd44eb83f40



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3236-1 for openexr

2022-12-11 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
432e5017 by Markus Koschany at 2022-12-12T00:50:31+01:00
Reserve DLA-3236-1 for openexr

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -74108,7 +74108,6 @@ CVE-2021-45942 (OpenEXR 3.1.x before 3.1.4 has a 
heap-based buffer overflow in I
{DSA-5299-1}
[experimental] - openexr 3.1.4-1
- openexr 3.1.5-2 (bug #1014828)
-   [buster] - openexr  (Minor issue)
[stretch] - openexr  (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41416
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1209
@@ -108269,7 +108268,6 @@ CVE-2021-34696 (A vulnerability in the access control 
list (ACL) programming of
 CVE-2021-3605 (There's a flaw in OpenEXR's rleUncompress functionality in 
versions pr ...)
{DSA-5299-1 DLA-2732-1}
- openexr 2.5.7-1 (bug #990899)
-   [buster] - openexr  (Minor issue)
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1036
NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/25259a84827234a283f6f9db72978198c7a3f268
 (master)
NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/3204008c0bd4c8d7599a052b304d1b44c4511283
 (v2.5)
@@ -108348,7 +108346,6 @@ CVE-2021-34675 (Basix NEX-Forms through 7.8.7 allows 
authentication bypass for s
 CVE-2021-3598 (There's a flaw in OpenEXR's ImfDeepScanLineInputFile 
functionality in  ...)
{DSA-5299-1 DLA-2701-1}
- openexr 2.5.7-1 (bug #990450)
-   [buster] - openexr  (Minor issue)
NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/1033
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1037
NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/566f5241edd87445373885d5f7a904dc81e866c1
 (master)
@@ -116543,7 +116540,6 @@ CVE-2021-26945 (An integer overflow leading to a 
heap-buffer overflow was found
 CVE-2021-26260 (An integer overflow leading to a heap-buffer overflow was 
found in the ...)
{DSA-5299-1 DLA-2701-1}
- openexr 2.5.7-1 (bug #992703)
-   [buster] - openexr  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1947582
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29423
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/894
@@ -116552,7 +116548,6 @@ CVE-2021-26260 (An integer overflow leading to a 
heap-buffer overflow was found
 CVE-2021-23215 (An integer overflow leading to a heap-buffer overflow was 
found in the ...)
{DSA-5299-1 DLA-2701-1}
- openexr 2.5.7-1
-   [buster] - openexr  (Minor issue, might change ABI)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1947586
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29653
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/901
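Review bot: The line removed for CVE-2021-23215 carried the remark "might change ABI", and that reason disappears from the entry with it. Since the buster line is dropped in the commit that reserves DLA-3236-1, add a NOTE saying whether the fix as shipped changes the library ABI, so reverse dependencies can be checked.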
@@ -121634,14 +121629,12 @@ CVE-2021-3480 (A flaw was found in slapi-nis in 
versions before 0.56.7. A NULL p
 CVE-2021-3479 (There's a flaw in OpenEXR's Scanline API functionality in 
versions bef ...)
{DLA-2701-1}
- openexr 2.5.4-1 (bug #986796)
-   [buster] - openexr  (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25370
NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/d80f11f4f55100d007ae80a162bf257ec291612c
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/830
 CVE-2021-3478 (There's a flaw in OpenEXR's scanline input file functionality 
in versi ...)
{DLA-2701-1}
- openexr 2.5.4-1 (bug #986796)
-   [buster] - openexr  (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27409
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939160
NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/bc88cdb6c97fbf5bc5d11ad8ca55306da931283a
 (master)
@@ -121650,7 +121643,6 @@ CVE-2021-3478 (There's a flaw in OpenEXR's scanline 
input file functionality in
 CVE-2021-3477 (There's a flaw in OpenEXR's deep tile sample size calculations 
in vers ...)
{DLA-2701-1}
- openexr 2.5.4-1 (bug #986796)
-   [buster] - openexr  (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26956
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939159
NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/467be80b75642efbbe6bdace558079f68c16acb1
@@ -122248,19 +122240,16 @@ CVE-2021-29425 (In Apache Commons IO before 2.7, 
When invoking the method FileNa
 CVE-2021-3476 (A flaw was found in OpenEXR's B44 uncompression functionality 
in versi ...)
{DLA-2701-1}
- openexr 2.5.4-1 (bug #986796)
-   [buster] 

[Git][security-tracker-team/security-tracker][master] Add note for gerbv in dsa-needed list

2022-12-11 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f1e6a001 by Salvatore Bonaccorso at 2022-12-11T22:41:21+01:00
Add note for gerbv in dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -15,6 +15,7 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 frr
 --
 gerbv (aron)
+ Aron proposed debdiff for review
 --
 lava
 --
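Review bot: The added line "Aron proposed debdiff for review" has no date and no pointer to the debdiff. Add the date and a bug number or list message reference so a reviewer can find it and tell how old the proposal is.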



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f1e6a0019809a4008b51bc11033a8b005a5bb522



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-4399/nodau via unstable

2022-12-11 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b70ca5b3 by Salvatore Bonaccorso at 2022-12-11T22:40:25+01:00
Track fixed version for CVE-2022-4399/nodau via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -27,7 +27,7 @@ CVE-2022-4400 (A vulnerability was found in zbl1996 FS-Blog 
and classified as pr
 CVE-2022-46907
RESERVED
 CVE-2022-4399 (A vulnerability was found in TicklishHoneyBee nodau. It has 
been rated ...)
-   - nodau  (unimportant)
+   - nodau 0.3.8-5 (unimportant)
NOTE: 
https://github.com/TicklishHoneyBee/nodau/commit/7a7d737a3929f335b9717ddbd31db91151b69ad2
NOTE: https://github.com/TicklishHoneyBee/nodau/pull/26
NOTE: Negligible security impact



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b70ca5b3b749311de3841431a001cdedfa05ec17



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-4399/nodau

2022-12-11 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
21fb3266 by Salvatore Bonaccorso at 2022-12-11T21:35:53+01:00
Add CVE-2022-4399/nodau

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -27,7 +27,10 @@ CVE-2022-4400 (A vulnerability was found in zbl1996 FS-Blog 
and classified as pr
 CVE-2022-46907
RESERVED
 CVE-2022-4399 (A vulnerability was found in TicklishHoneyBee nodau. It has 
been rated ...)
-   TODO: check
+   - nodau  (unimportant)
+   NOTE: 
https://github.com/TicklishHoneyBee/nodau/commit/7a7d737a3929f335b9717ddbd31db91151b69ad2
+   NOTE: https://github.com/TicklishHoneyBee/nodau/pull/26
+   NOTE: Negligible security impact
 CVE-2022-4398 (Integer Overflow or Wraparound in GitHub repository 
radareorg/radare2  ...)
- radare2 
NOTE: https://huntr.dev/bounties/c6f8d3ef-5420-4eba-9a5f-aba5e2b5fea2
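Review bot: The "(unimportant)" tag on the added nodau line is backed only by "NOTE: Negligible security impact", which states the conclusion but not the reason. Add one line saying what the referenced upstream commit fixes and why the impact is negligible, so the classification can be re-checked later.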



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21fb3266696b0cdbe80f8899c5e5d585841bbc83



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-4398/radare2

2022-12-11 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a2a0d9ff by Salvatore Bonaccorso at 2022-12-11T21:30:41+01:00
Add CVE-2022-4398/radare2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -29,7 +29,9 @@ CVE-2022-46907
 CVE-2022-4399 (A vulnerability was found in TicklishHoneyBee nodau. It has 
been rated ...)
TODO: check
 CVE-2022-4398 (Integer Overflow or Wraparound in GitHub repository 
radareorg/radare2  ...)
-   TODO: check
+   - radare2 
+   NOTE: https://huntr.dev/bounties/c6f8d3ef-5420-4eba-9a5f-aba5e2b5fea2
+   NOTE: 
https://github.com/radareorg/radare2/commit/b53a1583d05c3a5bfe5fa60da133fe59dfbb02b8
 CVE-2022-4397 (A vulnerability was found in morontt zend-blog-number-2. It has 
been c ...)
TODO: check
 CVE-2022-4396 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in 
RDFlib py ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2a0d9fffbbb179a183f0cc362d21a9ae0ff4c54



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-12-11 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
efdc8c42 by Salvatore Bonaccorso at 2022-12-11T21:26:20+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5,11 +5,11 @@ CVE-2022-4411
 CVE-2022-4410
RESERVED
 CVE-2022-4409 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in 
GitHub ...)
-   TODO: check
+   NOT-FOR-US: phpMyFAQ
 CVE-2022-4408 (Cross-site Scripting (XSS) - Stored in GitHub repository 
thorsten/phpm ...)
-   TODO: check
+   NOT-FOR-US: phpMyFAQ
 CVE-2022-4407 (Cross-site Scripting (XSS) - Reflected in GitHub repository 
thorsten/p ...)
-   TODO: check
+   NOT-FOR-US: phpMyFAQ
 CVE-2022-4406
RESERVED
 CVE-2022-4405
@@ -17,13 +17,13 @@ CVE-2022-4405
 CVE-2022-4404
RESERVED
 CVE-2022-4403 (A vulnerability classified as critical was found in 
SourceCodester Can ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Canteen Management System
 CVE-2022-4402 (A vulnerability classified as critical has been found in 
RainyGao DocS ...)
-   TODO: check
+   NOT-FOR-US: RainyGao DocSys
 CVE-2022-4401 (A vulnerability was found in pallidlight 
online-course-selection-syste ...)
-   TODO: check
+   NOT-FOR-US: pallidlight online-course-selection-system
 CVE-2022-4400 (A vulnerability was found in zbl1996 FS-Blog and classified as 
problem ...)
-   TODO: check
+   NOT-FOR-US: zbl1996 FS-Blog
 CVE-2022-46907
RESERVED
 CVE-2022-4399 (A vulnerability was found in TicklishHoneyBee nodau. It has 
been rated ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/efdc8c42dd1a8b46bb91e5d67933b9079af5621e



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-37533

2022-12-11 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d4fd229f by Salvatore Bonaccorso at 2022-12-11T21:17:44+01:00
Add Debian bug reference for CVE-2021-37533

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -101542,7 +101542,7 @@ CVE-2021-37535 (SAP NetWeaver Application Server Java 
(JMS Connector Service) -
 CVE-2021-37534 (app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored 
XSS when ...)
NOT-FOR-US: MISP
 CVE-2021-37533 (Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the 
host fr ...)
-   - libcommons-net-java 
+   - libcommons-net-java  (bug #1025910)
NOTE: https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7
NOTE: https://issues.apache.org/jira/browse/NET-711
NOTE: 
https://github.com/apache/commons-net/commit/b0bff89f70cfea70009e22f87639816cc3993974
 (commons-net-3.9.0-RC1)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4fd229fded383b87735e4b32c789c9732d629f4



[Git][security-tracker-team/security-tracker][master] automatic update

2022-12-11 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
83053157 by security tracker role at 2022-12-11T20:10:18+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,29 @@
-CVE-2022-4401
+CVE-2022-4412
RESERVED
-CVE-2022-4400
+CVE-2022-4411
RESERVED
+CVE-2022-4410
+   RESERVED
+CVE-2022-4409 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in 
GitHub ...)
+   TODO: check
+CVE-2022-4408 (Cross-site Scripting (XSS) - Stored in GitHub repository 
thorsten/phpm ...)
+   TODO: check
+CVE-2022-4407 (Cross-site Scripting (XSS) - Reflected in GitHub repository 
thorsten/p ...)
+   TODO: check
+CVE-2022-4406
+   RESERVED
+CVE-2022-4405
+   RESERVED
+CVE-2022-4404
+   RESERVED
+CVE-2022-4403 (A vulnerability classified as critical was found in 
SourceCodester Can ...)
+   TODO: check
+CVE-2022-4402 (A vulnerability classified as critical has been found in 
RainyGao DocS ...)
+   TODO: check
+CVE-2022-4401 (A vulnerability was found in pallidlight 
online-course-selection-syste ...)
+   TODO: check
+CVE-2022-4400 (A vulnerability was found in zbl1996 FS-Blog and classified as 
problem ...)
+   TODO: check
 CVE-2022-46907
RESERVED
 CVE-2022-4399 (A vulnerability was found in TicklishHoneyBee nodau. It has 
been rated ...)
@@ -47674,6 +47696,7 @@ CVE-2022-1651 (A memory leak flaw was found in the 
Linux kernel in acrn_dev_ioct
[stretch] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/ecd1735f14d6ac868ae5d8b7a2bf193fa11f388b (5.18-rc1)
 CVE-2022-1650 (Exposure of Sensitive Information to an Unauthorized Actor in 
GitHub r ...)
+   {DLA-3235-1}
- node-eventsource 2.0.2+~1.1.8-1
[bullseye] - node-eventsource 1.0.7-1+deb11u1
[stretch] - node-eventsource  (not covered by security 
support)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83053157264d0169d04d08b142e274bcc1161fbd



[Git][security-tracker-team/security-tracker][master] LTS: claim exiv2

2022-12-11 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3b20e9ff by Helmut Grohne at 2022-12-11T20:52:46+01:00
LTS: claim exiv2

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -42,7 +42,7 @@ erlang
   NOTE: 20221119: Programming language: Erlang.
   NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request 
has been for Stretch)
 --
-exiv2
+exiv2 (Helmut Grohne)
   NOTE: 20221119: Programming language: C.
 --
 firmware-nonfree (Markus Koschany)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b20e9ffcee6f952a43144655dfefd7f17aedcca



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-37533/libcommons-net-java

2022-12-11 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
488a5251 by Salvatore Bonaccorso at 2022-12-11T20:48:57+01:00
Add CVE-2021-37533/libcommons-net-java

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -101519,7 +101519,10 @@ CVE-2021-37535 (SAP NetWeaver Application Server 
Java (JMS Connector Service) -
 CVE-2021-37534 (app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored 
XSS when ...)
NOT-FOR-US: MISP
 CVE-2021-37533 (Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the 
host fr ...)
-   TODO: check
+   - libcommons-net-java 
+   NOTE: https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7
+   NOTE: https://issues.apache.org/jira/browse/NET-711
+   NOTE: 
https://github.com/apache/commons-net/commit/b0bff89f70cfea70009e22f87639816cc3993974
 (commons-net-3.9.0-RC1)
 CVE-2021-37532 (SAP Business One version - 10, due to improper input 
validation, allow ...)
NOT-FOR-US: SAP
 CVE-2021-37531 (SAP NetWeaver Knowledge Management XML Forms versions - 7.10, 
7.11, 7. ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/488a5251fde69b845745741bc55baa27bd7a7b3d



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add asterisk to dla-needed.txt

2022-12-11 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eacaf48e by Anton Gladky at 2022-12-11T20:00:25+01:00
LTS: add asterisk to dla-needed.txt

- - - - -
3006dd86 by Anton Gladky at 2022-12-11T20:04:15+01:00
LTS: add some more info into firmware-nonfree

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -14,6 +14,7 @@ rather than remove/replace existing ones.
 
 --
 asterisk
+  NOTE: 20221211: Programming language: C.
 --
 cacti
   NOTE: 20221208: Programming language: PHP.
@@ -47,6 +48,8 @@ exiv2
 firmware-nonfree (Markus Koschany)
   NOTE: 20220906: Consider to check the severity of the issues again and judge 
whether a correction is worth it.
   NOTE: 20221204: Coming soon in the first week of December. (apo)
+  NOTE: 20221211: Programming language: Binary blob
+  NOTE: 20221211: VCS: 
https://salsa.debian.org/lts-team/packages/firmware-nonfree.git
 --
 fusiondirectory
   NOTE: 20221203: Programming language: PHP.
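Review bot: The added "Programming language: Binary blob" line is missing the trailing period that the other "Programming language:" notes in this diff ("C.", "PHP.") end with. Add it so the notes stay uniform for anything that parses or greps them.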



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/487a94c1660fff1d08597aadc8bb7c175c9747ae...3006dd86f53a5438ff47e69b7e172d4facc74a09



[Git][security-tracker-team/security-tracker][master] LTS: claim node-tar in dla-needed.txt

2022-12-11 Thread Guilhem Moulin (@guilhem)


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
487a94c1 by Guilhem Moulin at 2022-12-11T18:43:37+01:00
LTS: claim node-tar in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -188,7 +188,7 @@ node-set-value
   NOTE: 2022: Programming language: JavaScript.
   NOTE: 2022: Follow fixes from bullseye 11.1 (Beuc/front-desk)
 --
-node-tar
+node-tar (guilhem)
   NOTE: 20220907: Programming language: JavaScript.
 --
 node-trim-newlines



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/487a94c1660fff1d08597aadc8bb7c175c9747ae



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3235-1 for node-eventsource

2022-12-11 Thread Guilhem Moulin (@guilhem)


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f5eedaa2 by Guilhem Moulin at 2022-12-11T14:35:35+01:00
Reserve DLA-3235-1 for node-eventsource

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -47676,7 +47676,6 @@ CVE-2022-1651 (A memory leak flaw was found in the 
Linux kernel in acrn_dev_ioct
 CVE-2022-1650 (Exposure of Sensitive Information to an Unauthorized Actor in 
GitHub r ...)
- node-eventsource 2.0.2+~1.1.8-1
[bullseye] - node-eventsource 1.0.7-1+deb11u1
-   [buster] - node-eventsource  (Minor issue)
[stretch] - node-eventsource  (not covered by security 
support)
NOTE: https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e/
NOTE: 
https://github.com/eventsource/eventsource/commit/10ee0c4881a6ba2fe65ec18ed195ac35889583c4
 (v2.0.2)


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[11 Dec 2022] DLA-3235-1 node-eventsource - security update
+   {CVE-2022-1650}
+   [buster] - node-eventsource 0.2.1-1+deb10u1
 [10 Dec 2022] DLA-3234-1 hsqldb - security update
{CVE-2022-41853}
[buster] - hsqldb 2.4.1-2+deb10u1


=
data/dla-needed.txt
=
@@ -156,10 +156,6 @@ nextcloud-desktop
 node-css-what
   NOTE: 20221031: Programming language: Javascript.
 --
-node-eventsource (guilhem)
-  NOTE: 2022: Programming language: JavaScript.
-  NOTE: 2022: Follow fixes from bullseye 11.4 (Beuc/front-desk)
---
 node-follow-redirects
   NOTE: 2022: Programming language: JavaScript.
   NOTE: 2022: Follow fixes from bullseye 11.3 (Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5eedaa27c16d3505ec4c32b9302c0b2e6f98330



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-43272/dcmtk

2022-12-11 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bc89cfb8 by Salvatore Bonaccorso at 2022-12-11T13:47:24+01:00
Add CVE-2022-43272/dcmtk

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12990,7 +12990,11 @@ CVE-2022-43274
 CVE-2022-43273
RESERVED
 CVE-2022-43272 (DCMTK v3.6.7 was discovered to contain a memory leak via the 
T_ASC_Ass ...)
-   TODO: check
+   [experimental] - dcmtk 3.6.8~git20221013.51be018-1
+   - dcmtk 
+   [bullseye] - dcmtk  (Minor issue)
+   NOTE: 
https://github.com/songxpu/bug_report/tree/master/DCMTK/memory_leak_in_3.6.7
+   NOTE: Fixed by: 
https://github.com/DCMTK/dcmtk/commit/c34f4e46e672ad21accf04da0dc085e43be6f5e1
 CVE-2022-43271
RESERVED
 CVE-2022-43270
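Review bot: the "NOTE: Fixed by:" line for CVE-2022-43272 gives the upstream commit but no upstream release, and the only fixed version recorded is the experimental git snapshot 3.6.8~git20221013.51be018-1. Consider appending the first upstream release that contains the commit in parentheses once it is known, and adding a short NOTE on why bullseye is triaged as "(Minor issue)", since the description only names v3.6.7 and the triage will otherwise be hard to re-check later.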



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc89cfb8d63668c77221500b455bcb93e5bd1c3e



[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-45283/gpac as EOL in gpac for buster LTS.

2022-12-11 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a0ebae58 by Chris Lamb at 2022-12-11T11:52:16+00:00
Mark CVE-2022-45283/gpac as EOL in gpac for buster LTS.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4884,6 +4884,7 @@ CVE-2022-45284
RESERVED
 CVE-2022-45283 (GPAC MP4box v2.0.0 was discovered to contain a stack overflow 
in the s ...)
- gpac 
+   [buster] - gpac  (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2295
NOTE: 
https://github.com/gpac/gpac/commit/0fc714872ba4536a1190f93aa278b6e08f8c60df
 CVE-2022-45282
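Review bot: the new "[buster]" line with "(EOL in buster LTS)" covers only CVE-2022-45283. If gpac as a whole is end-of-life in buster LTS, the same marking is needed on every other open gpac entry, and doing that in one sweep keeps buster's status for the package consistent instead of depending on per-CVE commits.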



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0ebae5847e8aa8586267c09251cc83c1ce4cc21



[Git][security-tracker-team/security-tracker][master] automatic update

2022-12-11 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
af52e8f0 by security tracker role at 2022-12-11T08:10:15+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,9 +1,13 @@
-CVE-2022-46907
+CVE-2022-4401
RESERVED
-CVE-2022-4399
+CVE-2022-4400
RESERVED
-CVE-2022-4398
+CVE-2022-46907
RESERVED
+CVE-2022-4399 (A vulnerability was found in TicklishHoneyBee nodau. It has 
been rated ...)
+   TODO: check
+CVE-2022-4398 (Integer Overflow or Wraparound in GitHub repository 
radareorg/radare2  ...)
+   TODO: check
 CVE-2022-4397 (A vulnerability was found in morontt zend-blog-number-2. It has 
been c ...)
TODO: check
 CVE-2022-4396 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in 
RDFlib py ...)
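Review bot: the two new "TODO: check" lines (CVE-2022-4399 and CVE-2022-4398) need manual triage in a follow-up commit. Their descriptions name TicklishHoneyBee nodau and radareorg/radare2; each should end up with either a source package line or a NOT-FOR-US entry rather than staying as an open TODO after the automatic update.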



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af52e8f09ffa2a6a2d2d665c91e9745ae02edebb



[Git][security-tracker-team/security-tracker][master] Add Debian bug references for xrdp issues

2022-12-11 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cd3e955c by Salvatore Bonaccorso at 2022-12-11T09:09:37+01:00
Add Debian bug references for xrdp issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -69131,7 +69131,7 @@ CVE-2022-23495 (go-merkledag implements the 
'DAGService' interface and adds two
 CVE-2022-23494 (tinymce is an open source rich text editor. A cross-site 
scripting (XS ...)
TODO: check
 CVE-2022-23493 (xrdp is an open source project which provides a graphical 
login to rem ...)
-   - xrdp 
+   - xrdp  (bug #1025879)
NOTE: 
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-59wp-3wq6-jh5v
 CVE-2022-23492 (go-libp2p is the offical libp2p implementation in the Go 
programming l ...)
TODO: check
@@ -69150,28 +69150,28 @@ CVE-2022-23486 (libp2p-rust is the official rust 
language Implementation of the
 CVE-2022-23485 (Sentry is an error tracking and performance monitoring 
platform. In ve ...)
TODO: check
 CVE-2022-23484 (xrdp is an open source project which provides a graphical 
login to rem ...)
-   - xrdp 
+   - xrdp  (bug #1025879)
NOTE: 
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-rqfx-5fv8-q9c6
 CVE-2022-23483 (xrdp is an open source project which provides a graphical 
login to rem ...)
-   - xrdp 
+   - xrdp  (bug #1025879)
NOTE: 
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-38rw-9ch2-fcxq
 CVE-2022-23482 (xrdp is an open source project which provides a graphical 
login to rem ...)
-   - xrdp 
+   - xrdp  (bug #1025879)
NOTE: 
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-56pq-2pm9-7fhm
 CVE-2022-23481 (xrdp is an open source project which provides a graphical 
login to rem ...)
-   - xrdp 
+   - xrdp  (bug #1025879)
NOTE: 
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-hm75-9jcg-p7hq
 CVE-2022-23480 (xrdp is an open source project which provides a graphical 
login to rem ...)
-   - xrdp 
+   - xrdp  (bug #1025879)
NOTE: 
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-3jmx-f6hv-95wg
 CVE-2022-23479 (xrdp is an open source project which provides a graphical 
login to rem ...)
-   - xrdp 
+   - xrdp  (bug #1025879)
NOTE: 
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-pgx2-3fjj-fqqh
 CVE-2022-23478 (xrdp is an open source project which provides a graphical 
login to rem ...)
-   - xrdp 
+   - xrdp  (bug #1025879)
NOTE: 
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-2f49-wwpm-78pj
 CVE-2022-23477 (xrdp is an open source project which provides a graphical 
login to rem ...)
-   - xrdp 
+   - xrdp  (bug #1025879)
NOTE: 
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-hqw2-jx2c-wrr2
 CVE-2022-23476 (Nokogiri is an open source XML and HTML library for the Ruby 
programmi ...)
TODO: check
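Review bot: the eight xrdp entries in this hunk (CVE-2022-23484 through CVE-2022-23477) still carry only the GHSA advisory NOTE, with no fixing commit or fixed upstream version. Now that bug #1025879 is attached, it would help to add a NOTE with the upstream fix reference per CVE where the advisory provides one, so a fixed version can be recorded without re-reading each advisory.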
@@ -69193,7 +69193,7 @@ CVE-2022-23470 (Galaxy is an open-source platform for 
data analysis. An arbitrar
 CVE-2022-23469 (Traefik is an open source HTTP reverse proxy and load 
balancer. Versio ...)
- traefik  (bug #983289)
 CVE-2022-23468 (xrdp is an open source project which provides a graphical 
login to rem ...)
-   - xrdp 
+   - xrdp  (bug #1025879)
NOTE: 
https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-8c2f-mw8m-qpx6
 CVE-2022-23467 (OpenRazer is an open source driver and user-space daemon to 
control Ra ...)
TODO: check
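Review bot: with this hunk, ten xrdp CVEs point at the single bug #1025879, and two of them (CVE-2022-23493 in the first hunk and CVE-2022-23468 here) sit outside the contiguous CVE-2022-23484 to CVE-2022-23477 block. Check that the bug report itself lists all ten ids, since the outliers are the ones most likely to be missed when the bug is closed.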



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd3e955cabb55f3598bed6af3370fefab8f42a91



[Git][security-tracker-team/security-tracker][master] Update status for sofia-sip DSA

2022-12-11 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a6c8002d by Salvatore Bonaccorso at 2022-12-11T09:06:24+01:00
Update status for sofia-sip DSA

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -52,7 +52,7 @@ salt
 samba
 --
 sofia-sip
-  Maintainer proposed debdiff, though as rebuild of the testing version
+  Maintainer proposed debdiff for review with additional question
 --
 sox
   patch needed for CVE-2021-40426, check with upstream
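Review bot: the replacement sofia-sip line drops the detail that the proposed debdiff was a rebuild of the testing version and replaces it with "additional question" without saying what the question is or who needs to answer it. A few more words (the open question and whether the action is with the maintainer or the security team) would let someone else pick the item up from dsa-needed.txt alone.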



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6c8002d98822861f685e47ef0d9f76cb64fefc7
