[Git][security-tracker-team/security-tracker][master] CVE-2022-21716 is fixed in unstable
Stefano Rivera pushed to branch master at Debian Security Tracker / security-tracker Commits: 946ed788 by Stefano Rivera at 2022-04-22T22:17:35-04:00 CVE-2022-21716 is fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29570,7 +29570,7 @@ CVE-2022-21717 RESERVED CVE-2022-21716 (Twisted is an event-based framework for internet applications, support ...) {DLA-2938-1} - - twisted + - twisted 22.2.0-1 [bullseye] - twisted (Minor issue) [buster] - twisted (Minor issue) NOTE: https://github.com/twisted/twisted/security/advisories/GHSA-rv6r-3f5q-9rgx View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/946ed788b96dd2c70b999285f572bac4ec1cd83b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/946ed788b96dd2c70b999285f572bac4ec1cd83b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
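Review bot: the unstable fix is recorded as "- twisted 22.2.0-1", but the only reference on the entry is the GHSA advisory link; since bullseye and buster stay at (Minor issue), a NOTE with the upstream fixing commit would let a later point-release or LTS update locate the patch without re-deriving it from the advisory.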
[Git][security-tracker-team/security-tracker][master] LTS: take twisted
Stefano Rivera pushed to branch master at Debian Security Tracker / security-tracker Commits: 69995c36 by Stefano Rivera at 2022-04-22T19:45:33-04:00 LTS: take twisted - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -169,7 +169,7 @@ tiff (Utkarsh) twig NOTE: 20220402: cf. DSA-5107-1; similar code in lib/Twig/Extension/Core.php (Beuc) -- -twisted +twisted (Stefano Rivera) -- unzip NOTE: 20220319: no patches yet but reproducible (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69995c36e307350bfd5f7373eaca180eb2610142 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69995c36e307350bfd5f7373eaca180eb2610142 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
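Review bot: the claim line "twisted (Stefano Rivera)" carries no dated NOTE, while the neighbouring twig and unzip entries each record a dated status note; adding a NOTE naming the issue being worked on (CVE-2022-21716, per the companion commit on this page) and the date keeps the entry consistent with the rest of the file.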
[Git][security-tracker-team/security-tracker][master] openjdk-8 fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 06e5d18a by Moritz Muehlenhoff at 2022-04-22T22:31:58+02:00 openjdk-8 fixed in sid new libpod issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2593,6 +2593,7 @@ CVE-2022-1228 RESERVED CVE-2022-1227 RESERVED + - libpod 3.4.7+ds1-1 - golang-github-containers-psgo 1.7.1+ds1-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2070368 NOTE: https://github.com/containers/psgo/pull/92 @@ -30569,7 +30570,7 @@ CVE-2022-21498 (Vulnerability in the Java VM component of Oracle Database Server CVE-2022-21497 (Vulnerability in the Oracle Web Services Manager product of Oracle Fus ...) NOT-FOR-US: Oracle CVE-2022-21496 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - - openjdk-8 + - openjdk-8 8u322-ga-1 - openjdk-11 - openjdk-17 CVE-2022-21495 @@ -30611,7 +30612,7 @@ CVE-2022-21478 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2022-21477 (Vulnerability in the Oracle Applications Framework product of Oracle E ...) NOT-FOR-US: Oracle CVE-2022-21476 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - - openjdk-8 + - openjdk-8 8u322-ga-1 - openjdk-11 - openjdk-17 CVE-2022-21475 (Vulnerability in the Oracle Banking Payments product of Oracle Financi ...) @@ -30670,7 +30671,7 @@ CVE-2022-21451 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2022-21450 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub produc ...) NOT-FOR-US: Oracle CVE-2022-21449 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - - openjdk-8 + - openjdk-8 8u322-ga-1 - openjdk-11 - openjdk-17 CVE-2022-21448 (Vulnerability in the Oracle Business Intelligence Enterprise Edition p ...) 
@@ -30685,7 +30686,7 @@ CVE-2022-21444 (Vulnerability in the MySQL Server product of Oracle MySQL (compo - mysql-8.0 - mysql-5.7 CVE-2022-21443 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - - openjdk-8 + - openjdk-8 8u322-ga-1 - openjdk-11 - openjdk-17 CVE-2022-21442 (Vulnerability in Oracle GoldenGate (component: OGG Core Library). The ...) @@ -30705,7 +30706,7 @@ CVE-2022-21436 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2022-21435 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 CVE-2022-21434 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - - openjdk-8 + - openjdk-8 8u322-ga-1 - openjdk-11 - openjdk-17 CVE-2022-21433 @@ -30724,7 +30725,7 @@ CVE-2022-21427 (Vulnerability in the MySQL Server product of Oracle MySQL (compo - mysql-8.0 - mysql-5.7 CVE-2022-21426 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - - openjdk-8 + - openjdk-8 8u322-ga-1 - openjdk-11 - openjdk-17 CVE-2022-21425 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/06e5d18a9538df1d4cef7a1fd06e79c43cc42a50 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/06e5d18a9538df1d4cef7a1fd06e79c43cc42a50 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
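Review bot: the first hunk adds "+ - libpod 3.4.7+ds1-1" under CVE-2022-1227 with no NOTE explaining why libpod is affected by an issue whose references (the Red Hat bugzilla and containers/psgo pull request 92) all concern psgo; if libpod ships a vendored copy of psgo, record that in a NOTE, otherwise the line reads as a mis-filed package. The commit message "openjdk-8 fixed in sid new libpod issue" also bundles two unrelated changes; separate commits would make each easier to revert or audit.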
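Review bot: every openjdk-8 hunk records "8u322-ga-1" as the fixed version for CVE-2022-21496, -21476, -21449, -21443, -21434 and -21426, which is the identical version string another commit on this page uses for the earlier batch tagged DSA-5058-1/DLA-2917-1; confirm that this is not a typo for a later 8u3xx upload before the version is relied on for bullseye/buster status, since two separate batches of Oracle CPU issues rarely share one upload.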
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1b2a8e0f by security tracker role at 2022-04-22T20:10:26+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,4 +1,56 @@ -CVE-2022-29582 [io_uring: fix race between timeout flush and removal] +CVE-2022-29592 + RESERVED +CVE-2022-29591 + RESERVED +CVE-2022-29590 + RESERVED +CVE-2022-29589 (Crypt Server before 3.3.0 allows XSS in the index view. This is relate ...) + TODO: check +CVE-2022-29588 + RESERVED +CVE-2022-29587 + RESERVED +CVE-2022-29586 + RESERVED +CVE-2022-29585 + RESERVED +CVE-2022-29584 + RESERVED +CVE-2022-29583 (service_windows.go in the kardianos service package for Go omits quoti ...) + TODO: check +CVE-2022-29581 + RESERVED +CVE-2022-29580 + RESERVED +CVE-2022-29579 + RESERVED +CVE-2022-1440 (Command Injection vulnerability in git-interface@2.1.1 in GitHub repos ...) + TODO: check +CVE-2022-1439 (Reflected XSS on demo.microweber.org/demo/module/ in GitHub repository ...) + TODO: check +CVE-2022-1438 + RESERVED +CVE-2022-1437 (Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prio ...) + TODO: check +CVE-2022-1436 + RESERVED +CVE-2022-1435 + RESERVED +CVE-2022-1434 + RESERVED +CVE-2022-1433 + RESERVED +CVE-2022-1432 + RESERVED +CVE-2022-1431 + RESERVED +CVE-2022-1430 + RESERVED +CVE-2022-1429 (SQL injection in GridHelperService.php in GitHub repository pimcore/pi ...) + TODO: check +CVE-2022-1428 + RESERVED +CVE-2022-29582 (In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free ...) - linux 5.17.3-1 [buster] - linux (Vulnerable code not present) [stretch] - linux (Vulnerable code not present) @@ -4195,8 +4247,8 @@ CVE-2022-28076 RESERVED CVE-2022-28075 RESERVED -CVE-2022-28074 - RESERVED +CVE-2022-28074 (Halo-1.5.0 was discovered to contain a stored cross-site scripting (XS ...) + TODO: check CVE-2022-28073 RESERVED CVE-2022-28072 
@@ -5835,12 +5887,12 @@ CVE-2022-27408 RESERVED CVE-2022-27407 RESERVED -CVE-2022-27406 - RESERVED -CVE-2022-27405 - RESERVED -CVE-2022-27404 - RESERVED +CVE-2022-27406 (FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovere ...) + TODO: check +CVE-2022-27405 (FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovere ...) + TODO: check +CVE-2022-27404 (FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovere ...) + TODO: check CVE-2022-27403 RESERVED CVE-2022-27402 @@ -14851,8 +14903,8 @@ CVE-2022-24274 RESERVED CVE-2022-24273 RESERVED -CVE-2022-24272 (An authenticated user may trigger an invariant assertion during comman ...) - TODO: check +CVE-2022-24272 + REJECTED CVE-2022-23400 RESERVED CVE-2022-0435 (A stack overflow flaw was found in the Linux kernel's TIPC protocol fu ...) @@ -20816,7 +20868,7 @@ CVE-2022-22707 (In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded [stretch] - lighttpd (Vulnerable code not present; the issue was introduced in later versions) NOTE: https://redmine.lighttpd.net/issues/3134 NOTE: https://github.com/lighttpd/lighttpd1.4/commit/8c62a890e23f5853b1a562b03fe3e1bccc6e7664 -CVE-2022-22706 (An Arm product family through 2022-01-03 has an Exposed Dangerous Meth ...) +CVE-2022-22706 (Arm Mali GPU Kernel Driver allows a non-privileged user to achieve wri ...) NOT-FOR-US: ARM Mali GPU driver CVE-2022-22705 RESERVED @@ -45450,8 +45502,8 @@ CVE-2021-38948 (IBM InfoSphere Information Server 11.7 is vulnerable to an XML E NOT-FOR-US: IBM CVE-2021-38947 (IBM Spectrum Copy Data Management 2.2.13 and earlier uses weaker than ...) NOT-FOR-US: IBM -CVE-2021-38946 - RESERVED +CVE-2021-38946 (IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to cross ...) + TODO: check CVE-2021-38945 RESERVED CVE-2021-38944 
@@ -45532,12 +45584,12 @@ CVE-2021-38907 RESERVED CVE-2021-38906 RESERVED -CVE-2021-38905 - RESERVED -CVE-2021-38904 - RESERVED -CVE-2021-38903 - RESERVED +CVE-2021-38905 (IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 could allow an authent ...) + TODO: check +CVE-2021-38904 (IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 could allow a remote a ...) + TODO: check +CVE-2021-38903 (IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to cross ...) + TODO: check CVE-2021-38902 RESERVED CVE-2021-38901 (IBM Spectrum Protect Operations Center 7.1, under special configuratio ...) @@ -45570,8 +45622,8 @@ CVE-2021-3 RESERVED
[Git][security-tracker-team/security-tracker][master] Mark CVE-2021-25745 and CVE-2021-25746 as NFU (Kubernetes ingress-nginx component)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 82d84f35 by Salvatore Bonaccorso at 2022-04-22T21:36:25+02:00 Mark CVE-2021-25745 and CVE-2021-25746 as NFU (Kubernetes ingress-nginx component) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -78928,12 +78928,10 @@ CVE-2021-25747 RESERVED CVE-2021-25746 RESERVED - TODO: check - NOTE: https://www.openwall.com/lists/oss-security/2022/04/22/6 + NOT-FOR-US: Kubernetes ingress-nginx component CVE-2021-25745 RESERVED - TODO: check - NOTE: https://www.openwall.com/lists/oss-security/2022/04/22/5 + NOT-FOR-US: Kubernetes ingress-nginx component CVE-2021-25744 RESERVED CVE-2021-25743 (kubectl does not neutralize escape, meta or control sequences containe ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82d84f35c19be2f309e63b27783ac88f64d4d1a2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82d84f35c19be2f309e63b27783ac88f64d4d1a2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
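Review bot: replacing the two TODO blocks drops the oss-security references ("NOTE: https://www.openwall.com/lists/oss-security/2022/04/22/5" and ".../6") together with the "TODO: check" lines; keeping those NOTE lines under the new "NOT-FOR-US: Kubernetes ingress-nginx component" marker would preserve where the assessment came from, which matters if the component is packaged later.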
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Return subversion to the pool with comment.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 039ef92d by Chris Lamb at 2022-04-22T11:34:37-07:00 data/dla-needed.txt: Return subversion to the pool with comment. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -157,7 +157,9 @@ sox NOTE: 20220326: CVE-2019-13590 is fixed in git (Anton) NOTE: 20220326: fix for CVE-2021-40426 is not yet available (Anton) -- -subversion (Chris Lamb) +subversion + NOTE: 20220422: Upstream's patch for CVE-2021-28544 does not cleanly apply (eg. "copyfrom_path = apr_pstrdup(...)" assignment) + NOTE: 20220422: and, once applied manually, appears to break multiple and possibly unrelated parts of the testsuite. (lamby) -- tiff (Utkarsh) NOTE: 20220404: jessie upload at https://salsa.debian.org/lts-team/packages/tiff. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/039ef92df51344b2fbb03263f108bd63093cb524 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/039ef92df51344b2fbb03263f108bd63093cb524 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
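Review bot: of the two NOTE lines added under subversion, only the second carries the "(lamby)" attribution and it starts mid-sentence with "and, once applied manually"; the neighbouring sox entry attributes each NOTE on its own, so either attribute both lines or merge them into one note. Naming which hunk of the CVE-2021-28544 patch fails beyond the "copyfrom_path = apr_pstrdup(...)" assignment would also give the next claimer a concrete starting point.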
[Git][security-tracker-team/security-tracker][master] LTS: triage epiphany-browser
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: a0447a9f by Anton Gladky at 2022-04-22T20:27:47+02:00 LTS: triage epiphany-browser - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -37,6 +37,10 @@ debian-security-support (Utkarsh) NOTE: 20220402: context: https://lists.debian.org/debian-lts/2022/04/msg0.html (Beuc) NOTE: 20220419: backport prepped, will contact Holger for more details. (utkarsh) -- +epiphany-browser + NOTE: 20220422: please try to reproduce and be careful with the patch applying. + NOTE: 20220422: It cannot be applied one-to-one, but affected lines can be found. (Anton) +-- firmware-nonfree NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0447a9fd2709a5e6a3c0240988493e8faa2724d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0447a9fd2709a5e6a3c0240988493e8faa2724d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
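Review bot: the new epiphany-browser entry names neither the CVE nor the upstream patch that "cannot be applied one-to-one"; another commit on this page tracks CVE-2022-29536 for this package with its "Fixed by" commit, so cite that id and commit in the NOTE so whoever claims the package knows which patch to adapt. Adding the entry without a claimer is consistent with a triage-only change.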
[Git][security-tracker-team/security-tracker][master] LTS: triage openjdk-8 and assign to pochu
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: cffb5082 by Anton Gladky at 2022-04-22T19:46:29+02:00 LTS: triage openjdk-8 and assign to pochu - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -117,6 +117,8 @@ nvidia-graphics-drivers NOTE: 20220209: monitor nvidia-graphics-drivers-legacy-390xx for a potential NOTE: 20220209: backport (apo) -- +openjdk-8 (pochu) +-- openvpn NOTE: 20220402: harmonize with buster/10.10 (Beuc) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cffb50820ed482fbb6e4905a2611b3d0cc8643dd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cffb50820ed482fbb6e4905a2611b3d0cc8643dd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Triage CVE-2022-24070 in subversion for stretch LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 0d14af60 by Chris Lamb at 2022-04-22T10:42:48-07:00 Triage CVE-2022-24070 in subversion for stretch LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15449,6 +15449,7 @@ CVE-2022-24071 (A Built-in extension in Whale browser before 3.12.129.46 allows CVE-2022-24070 (Subversion's mod_dav_svn is vulnerable to memory corruption. While loo ...) {DSA-5119-1} - subversion 1.14.2-1 + [stretch] - subversion (Vulnerable codepaths added in 1.10.0-alpha1) NOTE: https://subversion.apache.org/security/CVE-2022-24070-advisory.txt CVE-2022-0396 (BIND 9.16.11 - 9.16.26, 9.17.0 - 9.18.0 and versions 9.16.11-S ...) - bind9 1:9.18.1-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d14af602216a24253372a4140a9bc10a622fc33 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d14af602216a24253372a4140a9bc10a622fc33 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
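Review bot: the new stretch line gives the reason "Vulnerable codepaths added in 1.10.0-alpha1", whereas the other not-present assessments in this file use the wording "Vulnerable code not present" (see the linux and lighttpd entries on this page); using the standard phrase with the 1.10.0-alpha1 detail kept in the parenthesis makes the entry consistent and searchable alongside the others.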
[Git][security-tracker-team/security-tracker] Deleted branch FD-role_2022Q3
Anton Gladky deleted branch FD-role_2022Q3 at Debian Security Tracker / security-tracker
[Git][security-tracker-team/security-tracker][master] 2 commits: FD-dispatch 2022Q3
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker

Commits:
d0d2857a by Anton Gladky at 2022-04-19T21:49:27+02:00
FD-dispatch 2022Q3
- - - - -
37bb5691 by Anton Gladky at 2022-04-22T17:41:15+00:00
Merge branch FD-role_2022Q3 into master
FD-dispatch 2022Q3
See merge request security-tracker-team/security-tracker!104
- - - - -
1 changed file:
- org/lts-frontdesk.2022.txt

Changes:
= org/lts-frontdesk.2022.txt =
@@ -37,19 +37,19 @@ From 06-06 to 12-06:Utkarsh Gupta From 13-06 to 19-06:Anton Gladky From 20-06 to 26-06:Chris Lamb From 27-06 to 03-07:Emilio Pozuelo Monfort -From 04-07 to 10-07: -From 11-07 to 17-07: -From 18-07 to 24-07: -From 25-07 to 31-07: -From 01-08 to 07-08: -From 08-08 to 14-08: -From 15-08 to 21-08: -From 22-08 to 28-08: -From 29-08 to 04-09: -From 05-09 to 11-09: -From 12-09 to 18-09: -From 19-09 to 25-09: -From 26-09 to 02-10: +From 04-07 to 10-07:Markus Koschany +From 11-07 to 17-07:Ola Lundqvist +From 18-07 to 24-07:Sylvain Beucler +From 25-07 to 31-07:Thorsten Alteholz +From 01-08 to 07-08:Utkarsh Gupta +From 08-08 to 14-08:Anton Gladky +From 15-08 to 21-08:Chris Lamb +From 22-08 to 28-08:Emilio Pozuelo Monfort +From 29-08 to 04-09:Markus Koschany +From 05-09 to 11-09:Ola Lundqvist +From 12-09 to 18-09:Sylvain Beucler +From 19-09 to 25-09:Thorsten Alteholz +From 26-09 to 02-10:Utkarsh Gupta From 03-10 to 09-10: From 10-10 to 16-10: From 17-10 to 23-10: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b6f53575096973b46b62822b18e8d076b537f1e2...37bb5691776db452cc93d5b0a656e0970433f3f3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b6f53575096973b46b62822b18e8d076b537f1e2...37bb5691776db452cc93d5b0a656e0970433f3f3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2021-25745, CVE-2021-25746
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: b6f53575 by Henri Salo at 2022-04-22T20:17:05+03:00 CVE-2021-25745, CVE-2021-25746 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -78927,8 +78927,12 @@ CVE-2021-25747 RESERVED CVE-2021-25746 RESERVED + TODO: check + NOTE: https://www.openwall.com/lists/oss-security/2022/04/22/6 CVE-2021-25745 RESERVED + TODO: check + NOTE: https://www.openwall.com/lists/oss-security/2022/04/22/5 CVE-2021-25744 RESERVED CVE-2021-25743 (kubectl does not neutralize escape, meta or control sequences containe ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6f53575096973b46b62822b18e8d076b537f1e2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6f53575096973b46b62822b18e8d076b537f1e2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-29582/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e2ec687f by Salvatore Bonaccorso at 2022-04-22T18:07:34+02:00 Add CVE-2022-29582/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2022-29582 [io_uring: fix race between timeout flush and removal] + - linux 5.17.3-1 + [buster] - linux (Vulnerable code not present) + [stretch] - linux (Vulnerable code not present) + NOTE: https://www.openwall.com/lists/oss-security/2022/04/22/4 + NOTE: https://git.kernel.org/linus/e677edbcabee849bfdd43f1602bccbecf736a646 CVE-2022-29578 RESERVED CVE-2022-29577 (OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2ec687f8fa1168f80583ce8068d25336f6f00af -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2ec687f8fa1168f80583ce8068d25336f6f00af You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
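Review bot: the new CVE-2022-29582 entry marks buster and stretch as "Vulnerable code not present" and gives the sid fix as 5.17.3-1, but has no [bullseye] line, so bullseye is implicitly tracked as affected and unfixed; if that is intended, a NOTE stating that the 5.10 io_uring timeout code is affected (or the expected fix route) would make the triage explicit rather than a default.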
[Git][security-tracker-team/security-tracker][master] Track fixed version for openjdk-8 issues fixed via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a7676186 by Salvatore Bonaccorso at 2022-04-22T17:12:02+02:00 Track fixed version for openjdk-8 issues fixed via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30794,7 +30794,7 @@ CVE-2022-21366 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise E - openjdk-17 17.0.2+8-1 CVE-2022-21365 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) {DSA-5058-1 DSA-5057-1 DLA-2917-1} - - openjdk-8 + - openjdk-8 8u322-ga-1 - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 CVE-2022-21364 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) @@ -30807,7 +30807,7 @@ CVE-2022-21361 (Vulnerability in the Oracle WebLogic Server product of Oracle Fu NOT-FOR-US: Oracle CVE-2022-21360 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) {DSA-5058-1 DSA-5057-1 DLA-2917-1} - - openjdk-8 + - openjdk-8 8u322-ga-1 - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 CVE-2022-21359 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) @@ -30832,7 +30832,7 @@ CVE-2022-21350 (Vulnerability in the Oracle WebLogic Server product of Oracle Fu NOT-FOR-US: Oracle CVE-2022-21349 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) {DLA-2917-1} - - openjdk-8 + - openjdk-8 8u322-ga-1 CVE-2022-21348 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 CVE-2022-21347 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) 
@@ -30850,12 +30850,12 @@ CVE-2022-21342 (Vulnerability in the MySQL Server product of Oracle MySQL (compo - mysql-8.0 CVE-2022-21341 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) {DSA-5058-1 DSA-5057-1 DLA-2917-1} - - openjdk-8 + - openjdk-8 8u322-ga-1 - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 CVE-2022-21340 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) {DSA-5058-1 DSA-5057-1 DLA-2917-1} - - openjdk-8 + - openjdk-8 8u322-ga-1 - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 CVE-2022-21339 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) @@ -30928,7 +30928,7 @@ CVE-2022-21306 (Vulnerability in the Oracle WebLogic Server product of Oracle Fu NOT-FOR-US: Oracle CVE-2022-21305 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) {DSA-5058-1 DSA-5057-1 DLA-2917-1} - - openjdk-8 + - openjdk-8 8u322-ga-1 - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 CVE-2022-21304 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) @@ -30945,7 +30945,7 @@ CVE-2022-21300 (Vulnerability in the PeopleSoft Enterprise CS SA Integration Pac NOT-FOR-US: Oracle CVE-2022-21299 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) {DSA-5058-1 DSA-5057-1 DLA-2917-1} - - openjdk-8 + - openjdk-8 8u322-ga-1 - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 CVE-2022-21298 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) 
@@ -30954,19 +30954,19 @@ CVE-2022-21297 (Vulnerability in the MySQL Server product of Oracle MySQL (compo - mysql-8.0 CVE-2022-21296 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) {DSA-5058-1 DSA-5057-1 DLA-2917-1} - - openjdk-8 + - openjdk-8 8u322-ga-1 - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 CVE-2022-21295 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox (Windows-specific) CVE-2022-21294 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) {DSA-5058-1 DSA-5057-1 DLA-2917-1} - - openjdk-8 + - openjdk-8 8u322-ga-1 - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 CVE-2022-21293 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) {DSA-5058-1 DSA-5057-1 DLA-2917-1} - - openjdk-8 + - openjdk-8 8u322-ga-1 - openjdk-11 11.0.14+9-1 - openjdk-17 17.0.2+8-1 CVE-2022-21292 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) @@ -30991,11 +30991,12 @@ CVE-2022-21284 (Vulnerability in the MySQL Cluster product of Oracle MySQL (comp NOT-FOR-US: MySQL Cluster CVE-2022-21283 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) {DSA-5058-1 DSA-5057-1 DLA-2917-1} + - openjdk-8 8u322-ga-1 - openjdk-11
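Review bot: the last hunk differs from the others: for CVE-2022-21283 it adds a brand-new "- openjdk-8 8u322-ga-1" line rather than filling in a version on an existing one, yet the entry already carries the "{DSA-5058-1 DSA-5057-1 DLA-2917-1}" tag; a newly listed package inherits that DLA for stretch, so confirm DLA-2917-1 actually covered CVE-2022-21283 for openjdk-8, otherwise the stretch status becomes wrong.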
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-1227/golang-github-containers-psgo via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 77f11594 by Salvatore Bonaccorso at 2022-04-22T17:05:42+02:00 Track fixed version for CVE-2022-1227/golang-github-containers-psgo via unstable Note, that whilest the changelog mentions the import of new upstream version 1.7.2 this seems in fact 1.7.1 insteread and the CVE patch is applied separately on top. So from tracking point of view 1.7.1+ds1-1 is still correct. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2535,7 +2535,7 @@ CVE-2022-1228 RESERVED CVE-2022-1227 RESERVED - - golang-github-containers-psgo + - golang-github-containers-psgo 1.7.1+ds1-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2070368 NOTE: https://github.com/containers/psgo/pull/92 NOTE: https://github.com/containers/psgo/commit/d9467da9f563a9de1ece79dcae86b37b1db75443 (v1.7.2) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/77f11594af20d1aa880126a93f80122a95b2c156 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/77f11594af20d1aa880126a93f80122a95b2c156 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
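Review bot: the reasoning in the commit message (1.7.1+ds1-1 applies the CVE patch on top of upstream 1.7.1 although the changelog claims 1.7.2) is not visible in the data file, where the remaining NOTE still points at the commit marked "(v1.7.2)"; add a NOTE beside the fixed version recording that 1.7.1+ds1-1 carries the patch separately, so a later reader does not "correct" the version to a 1.7.2 upload.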
[Git][security-tracker-team/security-tracker][master] 2 commits: Track three new hoteldruid CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e756a797 by Salvatore Bonaccorso at 2022-04-22T16:57:50+02:00 Track three new hoteldruid CVEs - - - - - f1ca669b by Salvatore Bonaccorso at 2022-04-22T16:58:17+02:00 Track fixed version for CVE-2022-22909/hoteldruid via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8156,6 +8156,9 @@ CVE-2022-26565 (A cross-site scripting (XSS) vulnerability in Totaljs commit 95f NOT-FOR-US: Totaljs CMS CVE-2022-26564 RESERVED + - hoteldruid 3.0.4-1 + [bullseye] - hoteldruid (Minor issue) + [buster] - hoteldruid (Minor issue) CVE-2022-26563 RESERVED CVE-2022-26562 (An issue in provider/libserver/ECKrbAuth.cpp of Kopano-Core v11.0.2.51 ...) @@ -19706,7 +19709,7 @@ CVE-2022-22911 CVE-2022-22910 RESERVED CVE-2022-22909 (HotelDruid v3.0.3 was discovered to contain a remote code execution (R ...) - - hoteldruid (bug #1006750) + - hoteldruid 3.0.4-1 (bug #1006750) [bullseye] - hoteldruid (Minor issue) [buster] - hoteldruid (Minor issue) [stretch] - hoteldruid (Minor issue) 
@@ -34301,8 +34304,14 @@ CVE-2021-42950 (Remote Code Execution (RCE) vulnerability exists in Zepl Noteboo NOT-FOR-US: Zepl CVE-2021-42949 RESERVED + - hoteldruid 3.0.4-1 + [bullseye] - hoteldruid (Minor issue) + [buster] - hoteldruid (Minor issue) CVE-2021-42948 RESERVED + - hoteldruid 3.0.4-1 + [bullseye] - hoteldruid (Minor issue) + [buster] - hoteldruid (Minor issue) CVE-2021-42947 RESERVED CVE-2021-42946 (A Cross Site Scripting (XSS) vulnerability exists in htmly.2.8.1 via t ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d1aa83ca3b4edac2e00eeb795d3c8ccc9022c475...f1ca669b1e305d7f7963dea762b7f2d46b5d7ba1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d1aa83ca3b4edac2e00eeb795d3c8ccc9022c475...f1ca669b1e305d7f7963dea762b7f2d46b5d7ba1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
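Review bot: the three RESERVED entries (CVE-2022-26564, CVE-2021-42949, CVE-2021-42948) receive "- hoteldruid 3.0.4-1" with bullseye and buster marked (Minor issue) but, unlike the neighbouring CVE-2022-22909 entry, no [stretch] line; if hoteldruid is in stretch, add the matching stretch assessment. A NOTE recording the source that ties these reserved ids to 3.0.4 would also help, since nothing in the entries themselves justifies the fixed version.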
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-29536/epiphany-browser
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d1aa83ca by Salvatore Bonaccorso at 2022-04-22T14:17:38+02:00 Track fixed version for CVE-2022-29536/epiphany-browser - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -107,7 +107,7 @@ CVE-2022-29537 (gp_rtp_builder_do_hevc in ietf/rtp_pck_mpeg4.c in GPAC 2.0.0 has NOTE: https://github.com/gpac/gpac/issues/2173 NOTE: Fixed by: https://github.com/gpac/gpac/commit/1773b7a34bc08734aee7d3f5dfe65d06389fe15a CVE-2022-29536 (In GNOME Epiphany before 41.4 and 42.x before 42.2, an HTML document c ...) - - epiphany-browser (bug #1009959) + - epiphany-browser 42.2-1 (bug #1009959) NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1106 NOTE: Introduced by: https://gitlab.gnome.org/GNOME/epiphany/-/commit/232c613472b38ff0d0d97338f366024ddb9cd228 (3.29.2) NOTE: Fixed by: https://gitlab.gnome.org/GNOME/epiphany/-/commit/486da133569ebfc436c959a7419565ab102e8525 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d1aa83ca3b4edac2e00eeb795d3c8ccc9022c475 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d1aa83ca3b4edac2e00eeb795d3c8ccc9022c475 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add fixed version for ruby3.0 issues via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ff0886c by Salvatore Bonaccorso at 2022-04-22T14:15:23+02:00 Add fixed version for ruby3.0 issues via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2092,7 +2092,7 @@ CVE-2022-28740 RESERVED CVE-2022-28739 [Buffer overrun in String-to-Float conversion] RESERVED - - ruby3.0 (bug #1009956) + - ruby3.0 3.0.4-1 (bug #1009956) - ruby2.7 (bug #1009957) [bullseye] - ruby2.7 (Minor issue, fix with next Ruby security release) - ruby2.5 @@ -2105,7 +2105,7 @@ CVE-2022-28739 [Buffer overrun in String-to-Float conversion] NOTE: https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/ CVE-2022-28738 [Double free in Regexp compilation] RESERVED - - ruby3.0 (bug #1009958) + - ruby3.0 3.0.4-1 (bug #1009958) - ruby2.7 (Vulnerable code not present) - ruby2.5 (Vulnerable code not present) - ruby2.3 (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ff0886c0645d7621aa99ea8d97bd91991dcf625 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ff0886c0645d7621aa99ea8d97bd91991dcf625 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add reference to upstream announce for CVE-2022-1215
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f0877ea2 by Salvatore Bonaccorso at 2022-04-22T14:02:09+02:00 Add reference to upstream announce for CVE-2022-1215 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2568,6 +2568,7 @@ CVE-2022-1215 - libinput 1.20.1-1 NOTE: https://www.openwall.com/lists/oss-security/2022/04/20/2 NOTE: https://gitlab.freedesktop.org/libinput/libinput/-/commit/2a8b8fde90d63d48ce09ddae44142674bbca1c28 + NOTE: https://lists.x.org/archives/xorg-announce/2022-April/003159.html CVE-2021-46783 RESERVED CVE-2022-28609 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0877ea2bae0e0e039b1a989fdc420e275ce6013 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0877ea2bae0e0e039b1a989fdc420e275ce6013 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d0647558 by Salvatore Bonaccorso at 2022-04-22T10:53:59+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3076,7 +3076,7 @@ CVE-2022-28368 (Dompdf 1.2.1 allows remote code execution via a .php file in the NOTE: https://github.com/dompdf/dompdf/pull/2808 NOTE: https://github.com/dompdf/dompdf/commit/4c70e1025bcd9b7694b95dd552499bd83cd6141d (v1.2.1) CVE-2022-28367 (OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE ...) - TODO: check + NOT-FOR-US: OWASP AntiSamy CVE-2022-28366 (Certain Neko-related HTML parsers allow a denial of service via crafte ...) TODO: check CVE-2022-28365 (Reprise License Manager 14.2 is affected by an Information Disclosure ...) 
@@ -4285,55 +4285,55 @@ CVE-2022-28032 (AtomCMS 2.0 is vulnerable to SQL Injection via Atom.CMS_admin_aj CVE-2022-28031 RESERVED CVE-2022-28030 (Simple Real Estate Portal System v1.0 was discovered to contain a SQL ...) - TODO: check + NOT-FOR-US: Simple Real Estate Portal System CVE-2022-28029 (Simple Real Estate Portal System v1.0 was discovered to contain a SQL ...) - TODO: check + NOT-FOR-US: Simple Real Estate Portal System CVE-2022-28028 (Simple Real Estate Portal System v1.0 was discovered to contain a SQL ...) - TODO: check + NOT-FOR-US: Simple Real Estate Portal System CVE-2022-28027 RESERVED CVE-2022-28026 (Student Grading System v1.0 was discovered to contain a SQL injection ...) - TODO: check + NOT-FOR-US: Student Grading System CVE-2022-28025 (Student Grading System v1.0 was discovered to contain a SQL injection ...) - TODO: check + NOT-FOR-US: Student Grading System CVE-2022-28024 (Student Grading System v1.0 was discovered to contain a SQL injection ...) - TODO: check + NOT-FOR-US: Student Grading System CVE-2022-28023 (Purchase Order Management System v1.0 was discovered to contain a SQL ...) - TODO: check + NOT-FOR-US: Purchase Order Management System CVE-2022-28022 (Purchase Order Management System v1.0 was discovered to contain a SQL ...) - TODO: check + NOT-FOR-US: Purchase Order Management System CVE-2022-28021 (Purchase Order Management System v1.0 was discovered to contain a remo ...) - TODO: check + NOT-FOR-US: Purchase Order Management System CVE-2022-28020 (Attendance and Payroll System v1.0 was discovered to contain a SQL inj ...) - TODO: check + NOT-FOR-US: Attendance and Payroll System CVE-2022-28019 (Attendance and Payroll System v1.0 was discovered to contain a SQL inj ...) - TODO: check + NOT-FOR-US: Attendance and Payroll System CVE-2022-28018 (Attendance and Payroll System v1.0 was discovered to contain a SQL inj ...) 
- TODO: check + NOT-FOR-US: Attendance and Payroll System CVE-2022-28017 (Attendance and Payroll System v1.0 was discovered to contain a SQL inj ...) - TODO: check + NOT-FOR-US: Attendance and Payroll System CVE-2022-28016 (Attendance and Payroll System v1.0 was discovered to contain a SQL inj ...) - TODO: check + NOT-FOR-US: Attendance and Payroll System CVE-2022-28015 (Attendance and Payroll System v1.0 was discovered to contain a SQL inj ...) - TODO: check + NOT-FOR-US: Attendance and Payroll System CVE-2022-28014 (Attendance and Payroll System v1.0 was discovered to contain a SQL inj ...) - TODO: check + NOT-FOR-US: Attendance and Payroll System CVE-2022-28013 (Attendance and Payroll System v1.0 was discovered to contain a SQL inj ...) - TODO: check + NOT-FOR-US: Attendance and Payroll System CVE-2022-28012 (Attendance and Payroll System v1.0 was discovered to contain a SQL inj ...) - TODO: check + NOT-FOR-US: Attendance and Payroll System CVE-2022-28011 (Attendance and Payroll System v1.0 was discovered to contain a SQL inj ...) - TODO: check + NOT-FOR-US: Attendance and Payroll System CVE-2022-28010 (Attendance and Payroll System v1.0 was discovered to contain a SQL inj ...) - TODO: check + NOT-FOR-US: Attendance and Payroll System CVE-2022-28009 (Attendance and Payroll System v1.0 was discovered to contain a SQL inj ...) - TODO: check + NOT-FOR-US: Attendance and Payroll System CVE-2022-28008 (Attendance and Payroll System v1.0 was discovered to contain a SQL inj ...) - TODO: check + NOT-FOR-US: Attendance and Payroll System CVE-2022-28007 (Attendance and Payroll System v1.0 was discovered to contain a SQL inj ...) - TODO: check + NOT-FOR-US: Attendance and Payroll System CVE-2022-28006 (Attendance and Payroll System v1.0 was discovered to contain a SQL inj ...) -
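Review bot: CVE-2022-28366 (Neko-related HTML parsers, denial of service) in the first hunk is the one entry left at TODO: check while the surrounding AntiSamy and "... System v1.0" entries are marked NOT-FOR-US; since it describes a family of parsers rather than a single named product, leaving it open is reasonable, but a short NOTE stating why would stop the next triager from marking it NFU by pattern along with its neighbours.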
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e2d406d by Salvatore Bonaccorso at 2022-04-22T10:51:14+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2022-29578 RESERVED CVE-2022-29577 (OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE ...) - TODO: check + NOT-FOR-US: OWASP AntiSamy CVE-2022-29576 RESERVED CVE-2022-29575 @@ -2083,7 +2083,7 @@ CVE-2022-28745 CVE-2022-28744 RESERVED CVE-2022-28743 (Time-of-check Time-of-use (TOCTOU) Race Condition vulerability in Fosc ...) - TODO: check + NOT-FOR-US: Foscam R2C IP camera CVE-2022-28742 RESERVED CVE-2022-28741 
@@ -2899,77 +2899,77 @@ CVE-2022-28447 CVE-2022-28446 RESERVED CVE-2022-28445 (KiteCMS v1.1.1 was discovered to contain an arbitrary file read vulner ...) - TODO: check + NOT-FOR-US: KiteCMS CVE-2022-28444 (UCMS v1.6 was discovered to contain an arbitrary file read vulnerabili ...) - TODO: check + NOT-FOR-US: UCMS CVE-2022-28443 (UCMS v1.6 was discovered to contain an arbitrary file deletion vulnera ...) - TODO: check + NOT-FOR-US: UCMS CVE-2022-28442 RESERVED CVE-2022-28441 RESERVED CVE-2022-28440 (An arbitrary file upload vulnerability in UCMS v1.6 allows attackers t ...) - TODO: check + NOT-FOR-US: UCMS CVE-2022-28439 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) - TODO: check + NOT-FOR-US: Baby Care System CVE-2022-28438 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) - TODO: check + NOT-FOR-US: Baby Care System CVE-2022-28437 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) - TODO: check + NOT-FOR-US: Baby Care System CVE-2022-28436 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) - TODO: check + NOT-FOR-US: Baby Care System CVE-2022-28435 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) - TODO: check + NOT-FOR-US: Baby Care System CVE-2022-28434 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) - TODO: check + NOT-FOR-US: Baby Care System CVE-2022-28433 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) - TODO: check + NOT-FOR-US: Baby Care System CVE-2022-28432 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) - TODO: check + NOT-FOR-US: Baby Care System CVE-2022-28431 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) - TODO: check + NOT-FOR-US: Baby Care System CVE-2022-28430 RESERVED CVE-2022-28429 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) 
- TODO: check + NOT-FOR-US: Baby Care System CVE-2022-28428 RESERVED CVE-2022-28427 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) - TODO: check + NOT-FOR-US: Baby Care System CVE-2022-28426 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) - TODO: check + NOT-FOR-US: Baby Care System CVE-2022-28425 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) - TODO: check + NOT-FOR-US: Baby Care System CVE-2022-28424 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) - TODO: check + NOT-FOR-US: Baby Care System CVE-2022-28423 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) - TODO: check + NOT-FOR-US: Baby Care System CVE-2022-28422 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) - TODO: check + NOT-FOR-US: Baby Care System CVE-2022-28421 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) - TODO: check + NOT-FOR-US: Baby Care System CVE-2022-28420 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) - TODO: check + NOT-FOR-US: Baby Care System CVE-2022-28419 RESERVED CVE-2022-28418 RESERVED CVE-2022-28417 (Home Owners Collection Management System v1.0 was discovered to contai ...) - TODO: check + NOT-FOR-US: Home Owners Collection Management System CVE-2022-28416 (Home Owners Collection Management System v1.0 was discovered to contai ...) - TODO: check + NOT-FOR-US: Home Owners Collection Management System CVE-2022-28415 (Home Owners Collection Management System v1.0 was discovered to contai ...) - TODO: check + NOT-FOR-US: Home Owners Collection Management System CVE-2022-28414 (Home Owners Collection Management System v1.0 was
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b5b904b7 by Salvatore Bonaccorso at 2022-04-22T10:12:37+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7410,7 +7410,7 @@ CVE-2022-26858 CVE-2022-26857 RESERVED CVE-2022-26856 (Dell EMC Repository Manager version 3.4.0 contains a plain-text passwo ...) - TODO: check + NOT-FOR-US: EMC CVE-2022-26855 (Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contains an incorrect d ...) NOT-FOR-US: Dell CVE-2022-26854 (Dell PowerScale OneFS, versions 8.2.x-9.2.x, contain risky cryptograph ...) @@ -14127,9 +14127,9 @@ CVE-2022-24426 (Dell Command | Update, Dell Update, and Alienware Update version CVE-2022-24425 RESERVED CVE-2022-24424 (Dell EMC AppSync versions from 3.9 to 4.3 contain a path traversal vul ...) - TODO: check + NOT-FOR-US: EMC CVE-2022-24423 (Dell EMC iDRAC8 versions 2.81.81 and earlier contain a denial of servi ...) - TODO: check + NOT-FOR-US: EMC CVE-2022-24422 RESERVED CVE-2022-24421 (Dell BIOS contains an improper input validation vulnerability. A local ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5b904b756c1100a3824370771d6d5a4978cd6f8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5b904b756c1100a3824370771d6d5a4978cd6f8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
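Review bot: the three new lines use `NOT-FOR-US: EMC` while the neighbouring Dell PowerScale entry in the same hunk uses `NOT-FOR-US: Dell`; all of these products are described as Dell EMC products, so pick one label (for example `NOT-FOR-US: Dell EMC`) for consistency, which also keeps grep-based lookups across the file reliable.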
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 51b02391 by security tracker role at 2022-04-22T08:10:15+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,31 @@ +CVE-2022-29578 + RESERVED +CVE-2022-29577 (OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE ...) + TODO: check +CVE-2022-29576 + RESERVED +CVE-2022-29575 + RESERVED +CVE-2022-29574 + RESERVED +CVE-2022-29573 + RESERVED +CVE-2022-29572 + RESERVED +CVE-2022-29571 + RESERVED +CVE-2022-29570 + RESERVED +CVE-2022-29569 + RESERVED +CVE-2022-29568 + RESERVED +CVE-2022-29567 + RESERVED +CVE-2022-29566 (The Bulletproofs 2017/1066 paper mishandles Fiat-Shamir generation bec ...) + TODO: check +CVE-2022-1427 + RESERVED CVE-2022-29565 RESERVED CVE-2022-29564 @@ -692,7 +720,7 @@ CVE-2022-29282 CVE-2022-29281 (Notable before 1.9.0-beta.8 doesn't effectively prevent the opening of ...) NOT-FOR-US: Notable CVE-2022-29280 - RESERVED + REJECTED CVE-2022-29279 RESERVED CVE-2022-29278 @@ -2054,8 +2082,8 @@ CVE-2022-28745 RESERVED CVE-2022-28744 RESERVED -CVE-2022-28743 - RESERVED +CVE-2022-28743 (Time-of-check Time-of-use (TOCTOU) Race Condition vulerability in Fosc ...) + TODO: check CVE-2022-28742 RESERVED CVE-2022-28741 
@@ -2870,78 +2898,78 @@ CVE-2022-28447 RESERVED CVE-2022-28446 RESERVED -CVE-2022-28445 - RESERVED -CVE-2022-28444 - RESERVED -CVE-2022-28443 - RESERVED +CVE-2022-28445 (KiteCMS v1.1.1 was discovered to contain an arbitrary file read vulner ...) + TODO: check +CVE-2022-28444 (UCMS v1.6 was discovered to contain an arbitrary file read vulnerabili ...) + TODO: check +CVE-2022-28443 (UCMS v1.6 was discovered to contain an arbitrary file deletion vulnera ...) + TODO: check CVE-2022-28442 RESERVED CVE-2022-28441 RESERVED -CVE-2022-28440 - RESERVED -CVE-2022-28439 - RESERVED -CVE-2022-28438 - RESERVED -CVE-2022-28437 - RESERVED -CVE-2022-28436 - RESERVED -CVE-2022-28435 - RESERVED -CVE-2022-28434 - RESERVED -CVE-2022-28433 - RESERVED -CVE-2022-28432 - RESERVED -CVE-2022-28431 - RESERVED +CVE-2022-28440 (An arbitrary file upload vulnerability in UCMS v1.6 allows attackers t ...) + TODO: check +CVE-2022-28439 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) + TODO: check +CVE-2022-28438 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) + TODO: check +CVE-2022-28437 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) + TODO: check +CVE-2022-28436 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) + TODO: check +CVE-2022-28435 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) + TODO: check +CVE-2022-28434 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) + TODO: check +CVE-2022-28433 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) + TODO: check +CVE-2022-28432 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) + TODO: check +CVE-2022-28431 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) 
+ TODO: check CVE-2022-28430 RESERVED -CVE-2022-28429 - RESERVED +CVE-2022-28429 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) + TODO: check CVE-2022-28428 RESERVED -CVE-2022-28427 - RESERVED -CVE-2022-28426 - RESERVED -CVE-2022-28425 - RESERVED -CVE-2022-28424 - RESERVED -CVE-2022-28423 - RESERVED -CVE-2022-28422 - RESERVED -CVE-2022-28421 - RESERVED -CVE-2022-28420 - RESERVED +CVE-2022-28427 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) + TODO: check +CVE-2022-28426 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) + TODO: check +CVE-2022-28425 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) + TODO: check +CVE-2022-28424 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) + TODO: check +CVE-2022-28423 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) + TODO: check +CVE-2022-28422 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) + TODO: check +CVE-2022-28421 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) + TODO: check +CVE-2022-28420 (Baby Care System v1.0 was discovered to contain a SQL injection vulner ...) +
[Git][security-tracker-team/security-tracker][master] Add three libstb issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: aa961a3a by Salvatore Bonaccorso at 2022-04-22T09:28:27+02:00 Add three libstb issues Impact on other embedding sources might need to be evaluated. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4213,7 +4213,9 @@ CVE-2022-28050 CVE-2022-28049 (NGINX NJS 0.7.2 was discovered to contain a NULL pointer dereference v ...) NOT-FOR-US: njs CVE-2022-28048 (STB v2.27 was discovered to contain an integer shift of invalid size i ...) - TODO: check + - libstb + NOTE: https://github.com/nothings/stb/issues/1293 + NOTE: https://github.com/nothings/stb/pull/1297 CVE-2022-28047 RESERVED CVE-2022-28046 @@ -4227,9 +4229,13 @@ CVE-2022-28044 (Irzip v0.640 was discovered to contain a heap memory corruption CVE-2022-28043 RESERVED CVE-2022-28042 (stb_image.h v2.27 was discovered to contain an heap-based use-after-fr ...) - TODO: check + - libstb + NOTE: https://github.com/nothings/stb/issues/1289 + NOTE: https://github.com/nothings/stb/pull/1297 CVE-2022-28041 (stb_image.h v2.27 was discovered to contain an integer overflow via th ...) - TODO: check + - libstb + NOTE: https://github.com/nothings/stb/issues/1292 + NOTE: https://github.com/nothings/stb/pull/1297 CVE-2022-28040 RESERVED CVE-2022-28039 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa961a3a8c7c26011487576b73417c4f0461964e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa961a3a8c7c26011487576b73417c4f0461964e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
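Review bot: all three libstb entries (CVE-2022-28048, CVE-2022-28042, CVE-2022-28041) are mapped to the package with no fixed version and no per-suite state, and the commit message itself says the impact on other embedding sources still has to be evaluated; that open question is not recorded in the entries, so add a TODO or NOTE line under each so it is not lost once this commit scrolls out of view. All three also reference the same upstream pull request (nothings/stb#1297); once it is merged, the fixing commit can be noted on each entry in one pass.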
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-23711/kibana
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 289f8486 by Salvatore Bonaccorso at 2022-04-22T08:48:06+02:00 Add CVE-2022-23711/kibana - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17091,6 +17091,7 @@ CVE-2022-23712 RESERVED CVE-2022-23711 RESERVED + - kibana (bug #700337) CVE-2022-23710 (A cross-site-scripting (XSS) vulnerability was discovered in the Data ...) - kibana (bug #700337) CVE-2022-23709 (A flaw was discovered in Kibana in which users with Read access to the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/289f8486971ab4113953c79750aff10928f49de1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/289f8486971ab4113953c79750aff10928f49de1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
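Review bot: CVE-2022-23711 is still RESERVED with no description, yet is mapped to kibana with bug #700337 on the strength of its neighbours; without a NOTE giving the advisory or upstream reference that ties this id to Kibana, the mapping cannot be checked from the file, so add one.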
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-135{4,5}/tiff
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a9ffd26 by Salvatore Bonaccorso at 2022-04-22T08:46:57+02:00 Add CVE-2022-135{4,5}/tiff - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -780,8 +780,14 @@ CVE-2022-1356 RESERVED CVE-2022-1355 RESERVED + - tiff + NOTE: https://gitlab.com/libtiff/libtiff/-/issues/400 + NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/323 CVE-2022-1354 RESERVED + - tiff + NOTE: https://gitlab.com/libtiff/libtiff/-/issues/319 + NOTE: https://gitlab.com/libtiff/libtiff/-/commit/87f580f39011109b3bb5f6eca13fac543a542798 CVE-2022-1353 [af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register] RESERVED - linux 5.17.3-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a9ffd26ecf9ac9a799d0793bcdfb6a15cd2658c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a9ffd26ecf9ac9a799d0793bcdfb6a15cd2658c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
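Review bot: the NOTE for CVE-2022-1355 points at merge request 323 while CVE-2022-1354 points at a specific fixing commit; a merge-request link does not by itself show that the fix has landed, so once it is merged record the commit hash as was done for CVE-2022-1354. Both entries are mapped to tiff with no fixed version, which is expected for fresh RESERVED ids but means they will show as unfixed in unstable until a version is added.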