[Git][security-tracker-team/security-tracker][master] CVE-2022-2294: Track as well fixed version in older suites

2022-08-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5e265003 by Salvatore Bonaccorso at 2022-08-17T06:39:12+02:00
CVE-2022-2294: Track as well fixed version in older suites

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8551,7 +8551,10 @@ CVE-2022-2294 (Heap buffer overflow in WebRTC in Google 
Chrome prior to 103.0.50
[buster] - chromium  (see DSA 5046)
[stretch] - chromium  (see DSA 4562)
- webkit2gtk 2.36.6-1 (unimportant)
+   [bullseye] - webkit2gtk 2.36.6-1~deb11u1
+   [buster] - webkit2gtk 2.36.6-1~deb10u1
- wpewebkit 2.36.6-1 (unimportant)
+   [bullseye] - wpewebkit 2.36.6-1~deb11u1
NOTE: https://www.openwall.com/lists/oss-security/2022/07/28/2
NOTE: Debian WebKitGTK and WPE WebKit binary packages are built without 
LibWebRTC
 CVE-2022-2293 (A vulnerability classified as problematic was found in 
SourceCodester  ...)
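Review bot: the new `[buster] - webkit2gtk 2.36.6-1~deb10u1` line has no counterpart for wpewebkit, which only gains a `[bullseye]` entry in this hunk; if wpewebkit is not shipped in buster that is expected, but if it is, a buster fixed version or a triage annotation is still missing. The two bullseye versions match the DSA-5210-1 and DSA-5211-1 entries elsewhere in this digest, and the existing NOTE (packages built without LibWebRTC) is what justifies leaving the unstable lines tagged `(unimportant)`.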



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e2650038a36c550beb8f51147f39d0d59212dff

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e2650038a36c550beb8f51147f39d0d59212dff
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] new chromium issues

2022-08-16 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
678b1173 by Moritz Mühlenhoff at 2022-08-16T23:47:57+02:00
new chromium issues

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -1,3 +1,33 @@
+CVE-2022-2861
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+CVE-2022-2860
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+CVE-2022-2859
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+CVE-2022-2858
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+CVE-2022-2857
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+CVE-2022-2856
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+CVE-2022-2855
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+CVE-2022-2854
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+CVE-2022-2853
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+CVE-2022-2852
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
 CVE-2022-38381
RESERVED
 CVE-2022-38380


=
data/dsa-needed.txt
=
@@ -16,6 +16,8 @@ asterisk (apo)
 --
 freecad (aron)
 --
+chromium (jmm)
+--
 gdk-pixbuf (carnil)
 --
 kicad (jmm)
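Review bot: the new `chromium (jmm)` block is inserted between `freecad (aron)` and `gdk-pixbuf (carnil)`, which breaks the alphabetical order the surrounding entries follow (asterisk, freecad, gdk-pixbuf, kicad); it belongs between `asterisk (apo)` and `freecad (aron)`.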



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/678b11738f65dcab44166b5988efa0fe6858e9a4



[Git][security-tracker-team/security-tracker][master] webkit2gtk DSA-5210-1 and wpewebkit DSA-5211-1

2022-08-16 Thread Alberto Garcia (@berto)


Alberto Garcia pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d9fb4e48 by Alberto Garcia at 2022-08-16T23:43:23+02:00
webkit2gtk DSA-5210-1 and wpewebkit DSA-5211-1

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,9 @@
+[16 Aug 2022] DSA-5211-1 wpewebkit - security update
+   {CVE-2022-32792 CVE-2022-32816}
+   [bullseye] - wpewebkit 2.36.6-1~deb11u1
+[16 Aug 2022] DSA-5210-1 webkit2gtk - security update
+   {CVE-2022-32792 CVE-2022-32816}
+   [bullseye] - webkit2gtk 2.36.6-1~deb11u1
 [16 Aug 2022] DSA-5209-1 net-snmp - security update
{CVE-2022-24805 CVE-2022-24806 CVE-2022-24807 CVE-2022-24808 
CVE-2022-24809 CVE-2022-24810}
[bullseye] - net-snmp 5.9+dfsg-4+deb11u1


=
data/dsa-needed.txt
=
@@ -53,9 +53,5 @@ sofia-sip
 sox
   patch needed for CVE-2021-40426, check with upstream
 --
-webkit2gtk (berto)
---
-wpewebkit (berto)
---
 zlib (carnil)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9fb4e489a79cc9e528020a07e33a26b3d1d79be



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-35978/minetest

2022-08-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c1b2c80f by Salvatore Bonaccorso at 2022-08-16T22:22:34+02:00
Add CVE-2022-35978/minetest

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5992,7 +5992,9 @@ CVE-2022-35980 (OpenSearch Security is a plugin for 
OpenSearch that offers encry
 CVE-2022-35979
RESERVED
 CVE-2022-35978 (Minetest is a free open-source voxel game engine with easy 
modding and ...)
-   TODO: check
+   - minetest 
+   NOTE: 
https://github.com/minetest/minetest/security/advisories/GHSA-663q-pcjw-27cc
+   NOTE: 
https://github.com/minetest/minetest/commit/da71e86633d0b27cd02d7aac9fdac625d141ca13
 (5.6.0)
 CVE-2022-35977
RESERVED
 CVE-2022-35976
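Review bot: the `- minetest` line carries no fixed version, so the entry records the package as unfixed in every suite, although the second NOTE already pins the upstream fix to a commit tagged `(5.6.0)`; once an upload containing that commit exists, the version belongs on this line, and the stable suites still lack a `[bullseye]`/`[buster]` triage annotation (severity or no-dsa) as used in the neighbouring entries of this digest.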



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1b2c80fddc314a77c4668b498303e1c24a7cbfd



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-08-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b849cf6c by Salvatore Bonaccorso at 2022-08-16T22:19:49+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -464,17 +464,17 @@ CVE-2022-38196
 CVE-2022-38195
RESERVED
 CVE-2022-38194 (In Esri Portal for ArcGIS versions 10.8.1, a system property 
is not pr ...)
-   TODO: check
+   NOT-FOR-US: Esri Portal for ArcGIS
 CVE-2022-38193 (There is a code injection vulnerability in Esri Portal for 
ArcGIS vers ...)
-   TODO: check
+   NOT-FOR-US: Esri Portal for ArcGIS
 CVE-2022-38192 (A stored Cross Site Scripting (XSS) vulnerability in Esri 
Portal for A ...)
-   TODO: check
+   NOT-FOR-US: Esri Portal for ArcGIS
 CVE-2022-38191 (There is an HTML injection issue in Esri Portal for ArcGIS 
versions 10 ...)
NOT-FOR-US: Esri Portal for ArcGIS
 CVE-2022-38190 (A stored Cross Site Scripting (XSS) vulnerability in Esri 
Portal for A ...)
NOT-FOR-US: Esri Portal for ArcGIS
 CVE-2022-38189 (A stored Cross Site Scripting (XSS) vulnerability in Esri 
Portal for A ...)
-   TODO: check
+   NOT-FOR-US: Esri Portal for ArcGIS
 CVE-2022-38188 (There is a reflected XSS vulnerability in Esri Portal for 
ArcGIS versi ...)
NOT-FOR-US: Esri Portal for ArcGIS
 CVE-2022-38187 (Prior to version 10.9.0, the 
sharing/rest/content/features/analyze end ...)
@@ -484,7 +484,7 @@ CVE-2022-38186 (There is a reflected XSS vulnerability in 
Esri Portal for ArcGIS
 CVE-2022-38185
RESERVED
 CVE-2022-38184 (There is an improper access control vulnerability in Portal 
for ArcGIS ...)
-   TODO: check
+   NOT-FOR-US: Esri Portal for ArcGIS
 CVE-2022-38183 (In Gitea before 1.16.9, it was possible for users to add 
existing issu ...)
- gitea 
 CVE-2022-38182
@@ -4420,7 +4420,7 @@ CVE-2022-36601
 CVE-2022-36600
RESERVED
 CVE-2022-36599 (Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection 
vulnerab ...)
-   TODO: check
+   NOT-FOR-US: Mingsoft MCMS
 CVE-2022-36598
RESERVED
 CVE-2022-36597
@@ -4826,9 +4826,9 @@ CVE-2022-2523 (Cross-site Scripting (XSS) - Reflected in 
GitHub repository beanc
NOTE: https://huntr.dev/bounties/2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f
NOTE: 
https://github.com/beancount/fava/commit/dccfb6a2f4567f35ce2e9a78e24f92ebf946bc9b
 (v1.22.2)
 CVE-2022-36381 (OS command injection vulnerability in Nintendo Wi-Fi Network 
Adaptor W ...)
-   TODO: check
+   NOT-FOR-US: Nintendo Wi-Fi Network Adaptor WAP-001
 CVE-2022-36293 (Buffer overflow vulnerability in Nintendo Wi-Fi Network 
Adaptor WAP-00 ...)
-   TODO: check
+   NOT-FOR-US: Nintendo Wi-Fi Network Adaptor WAP-001
 CVE-2022-35734 ('Hulu / ' App for Android from 
version ...)
TODO: check
 CVE-2022-34156 ('Hulu / ' App for iOS versions 
prior t ...)
@@ -5014,7 +5014,7 @@ CVE-2022-36361
 CVE-2022-36360
RESERVED
 CVE-2022-35239 (The image file management page of SolarView Compact 
SV-CPT-MC310 Ver.7 ...)
-   TODO: check
+   NOT-FOR-US: SolarView Compact SV-CPT-MC310
 CVE-2022-2505
RESERVED
- firefox 103.0-1
@@ -5358,9 +5358,9 @@ CVE-2022-36275
 CVE-2022-36274
RESERVED
 CVE-2022-36273 (Tenda AC9 V15.03.2.21_cn is vulnerable to command injection 
via goform ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-36272 (Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection 
vulnerab ...)
-   TODO: check
+   NOT-FOR-US: Mingsoft MCMS
 CVE-2022-36271
RESERVED
 CVE-2022-36270 (Clinic's Patient Management System v1.0 has arbitrary code 
execution v ...)
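Review bot: `NOT-FOR-US: Tenda` drops the product named in the description (AC9), while the parallel entries in this change keep it (`NOT-FOR-US: Esri Portal for ArcGIS`, `NOT-FOR-US: SolarView Compact SV-CPT-MC310`, `NOT-FOR-US: Nintendo Wi-Fi Network Adaptor WAP-001`); `NOT-FOR-US: Tenda AC9` would match that convention and be easier to search for.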
@@ -5420,7 +5420,7 @@ CVE-2022-36244
 CVE-2022-36243
RESERVED
 CVE-2022-36242 (Clinic's Patient Management System v1.0 is vulnerable to SQL 
Injection ...)
-   TODO: check
+   NOT-FOR-US: Clinic's Patient Management System
 CVE-2022-36241
RESERVED
 CVE-2022-36240
@@ -21430,7 +21430,7 @@ CVE-2022-30266
 CVE-2022-30265
RESERVED
 CVE-2022-30264 (The Emerson ROC and FloBoss RTU product lines through 
2022-05-02 perfo ...)
-   TODO: check
+   NOT-FOR-US: Emerson
 CVE-2022-30263
RESERVED
 CVE-2022-30262
@@ -22253,7 +22253,7 @@ CVE-2022-29961
 CVE-2022-29960 (Emerson OpenBSI through 2022-04-29 uses weak cryptography. It 
is an en ...)
NOT-FOR-US: Emerson
 CVE-2022-29959 (Emerson OpenBSI through 2022-04-29 mishandles credential 
storage. It i ...)
-   TODO: check
+   NOT-FOR-US: Emerson
 CVE-2022-29958 (JTEKT TOYOPUC PLCs through 2022-04-29 do not ensure data 
integrity. Th ...)
NOT-FOR-US: JTEKT TOYOPUC PLCs
 CVE-2022-29957 (The Emerson DeltaV Distributed Control System (DCS) through 
2022-04-29 ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b849cf6c767a994cf5c3028ea9bcdb380ef91799


[Git][security-tracker-team/security-tracker][master] automatic update

2022-08-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
17ba084d by security tracker role at 2022-08-16T20:10:16+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,73 @@
+CVE-2022-38381
+   RESERVED
+CVE-2022-38380
+   RESERVED
+CVE-2022-38379
+   RESERVED
+CVE-2022-38378
+   RESERVED
+CVE-2022-38377
+   RESERVED
+CVE-2022-38376
+   RESERVED
+CVE-2022-38375
+   RESERVED
+CVE-2022-38374
+   RESERVED
+CVE-2022-38373
+   RESERVED
+CVE-2022-38372
+   RESERVED
+CVE-2022-38371
+   RESERVED
+CVE-2022-38370
+   RESERVED
+CVE-2022-38369
+   RESERVED
+CVE-2022-2851
+   RESERVED
+CVE-2022-2850
+   RESERVED
+CVE-2022-2849
+   RESERVED
+CVE-2022-2848
+   RESERVED
+CVE-2022-2847
+   RESERVED
+CVE-2022-2846
+   RESERVED
+CVE-2022-2845
+   RESERVED
+CVE-2022-2844
+   RESERVED
+CVE-2022-2843
+   RESERVED
+CVE-2022-2842
+   RESERVED
+CVE-2022-2841
+   RESERVED
+CVE-2022-2840
+   RESERVED
+CVE-2022-2839
+   RESERVED
+CVE-2022-2838 (In Eclipse Sphinx before version 0.13.1, Apache Xerces 
XML Pars ...)
+   TODO: check
+CVE-2022-2837
+   RESERVED
+CVE-2022-2836
+   RESERVED
+CVE-2022-2835
+   RESERVED
+CVE-2022-2834
+   RESERVED
+CVE-2022-2833
+   RESERVED
+CVE-2022-2832
+   RESERVED
+CVE-2022-2831
+   RESERVED
+CVE-2022-2830
+   RESERVED
 CVE-2022-38368 (An issue was discovered in Aviatrix Gateway before 6.6.5712 
and 6.7.x  ...)
NOT-FOR-US: Aviatrix Gateway
 CVE-2022-38367
@@ -18,8 +88,7 @@ CVE-2022-2827
RESERVED
 CVE-2022-2826
RESERVED
-CVE-2022-38362
-   RESERVED
+CVE-2022-38362 (Apache Airflow Docker's Provider prior to 3.0.0 shipped with 
an exampl ...)
- airflow  (bug #819700)
 CVE-2022-38361
RESERVED
@@ -394,18 +463,18 @@ CVE-2022-38196
RESERVED
 CVE-2022-38195
RESERVED
-CVE-2022-38194
-   RESERVED
-CVE-2022-38193
-   RESERVED
-CVE-2022-38192
-   RESERVED
+CVE-2022-38194 (In Esri Portal for ArcGIS versions 10.8.1, a system property 
is not pr ...)
+   TODO: check
+CVE-2022-38193 (There is a code injection vulnerability in Esri Portal for 
ArcGIS vers ...)
+   TODO: check
+CVE-2022-38192 (A stored Cross Site Scripting (XSS) vulnerability in Esri 
Portal for A ...)
+   TODO: check
 CVE-2022-38191 (There is an HTML injection issue in Esri Portal for ArcGIS 
versions 10 ...)
NOT-FOR-US: Esri Portal for ArcGIS
 CVE-2022-38190 (A stored Cross Site Scripting (XSS) vulnerability in Esri 
Portal for A ...)
NOT-FOR-US: Esri Portal for ArcGIS
-CVE-2022-38189
-   RESERVED
+CVE-2022-38189 (A stored Cross Site Scripting (XSS) vulnerability in Esri 
Portal for A ...)
+   TODO: check
 CVE-2022-38188 (There is a reflected XSS vulnerability in Esri Portal for 
ArcGIS versi ...)
NOT-FOR-US: Esri Portal for ArcGIS
 CVE-2022-38187 (Prior to version 10.9.0, the 
sharing/rest/content/features/analyze end ...)
@@ -414,8 +483,8 @@ CVE-2022-38186 (There is a reflected XSS vulnerability in 
Esri Portal for ArcGIS
NOT-FOR-US: Esri Portal for ArcGIS
 CVE-2022-38185
RESERVED
-CVE-2022-38184
-   RESERVED
+CVE-2022-38184 (There is an improper access control vulnerability in Portal 
for ArcGIS ...)
+   TODO: check
 CVE-2022-38183 (In Gitea before 1.16.9, it was possible for users to add 
existing issu ...)
- gitea 
 CVE-2022-38182
@@ -4350,8 +4419,8 @@ CVE-2022-36601
RESERVED
 CVE-2022-36600
RESERVED
-CVE-2022-36599
-   RESERVED
+CVE-2022-36599 (Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection 
vulnerab ...)
+   TODO: check
 CVE-2022-36598
RESERVED
 CVE-2022-36597
@@ -4488,8 +4557,8 @@ CVE-2022-36532
RESERVED
 CVE-2022-36531
RESERVED
-CVE-2022-36530
-   RESERVED
+CVE-2022-36530 (An issue was discovered in rageframe2 2.6.37. There is a XSS 
vulnerabi ...)
+   TODO: check
 CVE-2022-36529
RESERVED
 CVE-2022-36528
@@ -4756,14 +4825,14 @@ CVE-2022-2523 (Cross-site Scripting (XSS) - Reflected 
in GitHub repository beanc
[buster] - fava  (Minor issue)
NOTE: https://huntr.dev/bounties/2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f
NOTE: 
https://github.com/beancount/fava/commit/dccfb6a2f4567f35ce2e9a78e24f92ebf946bc9b
 (v1.22.2)
-CVE-2022-36381
-   RESERVED
-CVE-2022-36293
-   RESERVED
-CVE-2022-35734
-   RESERVED
-CVE-2022-34156
-   RESERVED
+CVE-2022-36381 (OS command injection vulnerability in Nintendo Wi-Fi Network 
Adaptor W ...)
+   TODO: check
+CVE-2022-36293 (Buffer overflow vulnerability in Nintendo Wi-Fi Network 
Adaptor WAP-00 ...)
+   TODO: check
+CVE-2022-35734 ('Hulu / ' App for Android from 
version ...)
+   TODO: check
+CVE-2022-34156 ('Hulu / ' App for iOS versions 

[Git][security-tracker-team/security-tracker][master] Take gdk-pixbuf from dsa-needed list

2022-08-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
37460ddc by Salvatore Bonaccorso at 2022-08-16T22:08:57+02:00
Take gdk-pixbuf from dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -16,7 +16,7 @@ asterisk (apo)
 --
 freecad (aron)
 --
-gdk-pixbuf
+gdk-pixbuf (carnil)
 --
 kicad (jmm)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37460ddc8e4c267a6be08d16070a4e53efc90d25



[Git][security-tracker-team/security-tracker][master] Reserve DSA number for net-snmp

2022-08-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
925d15df by Salvatore Bonaccorso at 2022-08-16T21:58:12+02:00
Reserve DSA number for net-snmp

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[16 Aug 2022] DSA-5209-1 net-snmp - security update
+   {CVE-2022-24805 CVE-2022-24806 CVE-2022-24807 CVE-2022-24808 
CVE-2022-24809 CVE-2022-24810}
+   [bullseye] - net-snmp 5.9+dfsg-4+deb11u1
 [16 Aug 2022] DSA-5208-1 epiphany-browser - security update
{CVE-2022-29536}
[bullseye] - epiphany-browser 3.38.2-1+deb11u3


=
data/dsa-needed.txt
=
@@ -26,8 +26,6 @@ linux (carnil)
 --
 maven-shared-utils
 --
-net-snmp (carnil)
---
 netatalk
   open regression with MacOS, tentative patch not yet merged upstream
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/925d15df5de12f61899cfe72d3795b43c2ae511c



[Git][security-tracker-team/security-tracker][master] epiphany-browser DSA

2022-08-16 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2135c63f by Moritz Mühlenhoff at 2022-08-16T21:52:22+02:00
epiphany-browser DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[16 Aug 2022] DSA-5208-1 epiphany-browser - security update
+   {CVE-2022-29536}
+   [bullseye] - epiphany-browser 3.38.2-1+deb11u3
 [15 Aug 2022] DSA-5207-1 linux - security update
{CVE-2022-2585 CVE-2022-2586 CVE-2022-2588 CVE-2022-26373 
CVE-2022-29900 CVE-2022-29901 CVE-2022-36879 CVE-2022-36946}
[bullseye] - linux 5.10.136-1


=
data/dsa-needed.txt
=
@@ -14,9 +14,6 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 --
 asterisk (apo)
 --
-epiphany-browser
-  Emilio prepared a debdiff for review
---
 freecad (aron)
 --
 gdk-pixbuf



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2135c63fdaa513b73d2a42444bd9f019c37e736c



[Git][security-tracker-team/security-tracker][master] CVE-2022-38362/airflow

2022-08-16 Thread Henri Salo (@hsalo-guest)


Henri Salo pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8f89a0e0 by Henri Salo at 2022-08-16T22:09:06+03:00
CVE-2022-38362/airflow

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -20,6 +20,7 @@ CVE-2022-2826
RESERVED
 CVE-2022-38362
RESERVED
+   - airflow  (bug #819700)
 CVE-2022-38361
RESERVED
 CVE-2022-38360
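Review bot: `- airflow  (bug #819700)` references a bug number far older than the other bug references in this digest (#1014600, #1016212, #1016543 and so on); if #819700 is the ITP bug for airflow, which is how the tracker records software not yet in the archive, the entry is fine, otherwise the number needs checking. The line is added beneath a `RESERVED` placeholder, so the package mapping is in place before the CVE description arrives via the automatic update.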



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f89a0e0a31dc86dcf461818b81ecf92557c88b2



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-08-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
350932f2 by Salvatore Bonaccorso at 2022-08-16T21:04:21+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25,11 +25,11 @@ CVE-2022-38361
 CVE-2022-38360
RESERVED
 CVE-2022-38359 (Cross-site request forgery attacks can be carried out against 
the Eyes ...)
-   TODO: check
+   NOT-FOR-US: EyesOfNetwork (EON)
 CVE-2022-38358 (Improper neutralization of input during web page generation 
leaves the ...)
-   TODO: check
+   NOT-FOR-US: EyesOfNetwork (EON)
 CVE-2022-38357 (Improper neutralization of special elements leaves the Eyes of 
Network ...)
-   TODO: check
+   NOT-FOR-US: EyesOfNetwork (EON)
 CVE-2022-38354
RESERVED
 CVE-2022-38353



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/350932f21a4eae324f051d3ecb324740b1aa78a5



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-29154/rsync via unstable

2022-08-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b1ca95c3 by Salvatore Bonaccorso at 2022-08-16T20:53:45+02:00
Track fixed version for CVE-2022-29154/rsync via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -24696,7 +24696,7 @@ CVE-2022-29155 (In OpenLDAP 2.x before 2.5.12 and 2.6.x 
before 2.6.2, a SQL inje
NOTE: 
https://git.openldap.org/openldap/openldap/-/commit/40f3ae4f5c9a8baf75b237220f62c436a571d66e
 (OPENLDAP_REL_ENG_2_5_12)
NOTE: back-sql backend to slapd is enabled but considered experimental 
upstream.
 CVE-2022-29154 (An issue was discovered in rsync before 3.2.5 that allows 
malicious re ...)
-   - rsync  (bug #1016543)
+   - rsync 3.2.5-1 (bug #1016543)
[bullseye] - rsync  (Minor issue; for untrusted remote sending 
hosts additional protective measures can be taken)
NOTE: https://www.openwall.com/lists/oss-security/2022/08/02/1
NOTE: 
https://git.samba.org/?p=rsync.git;a=commit;h=b7231c7d02cfb65d291af74ff66e7d8c507ee871
 (v3.2.5pre1)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b1ca95c370c01102aea3dfb9034484be03609c42



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-44648/gdk-pixbuf via unstable

2022-08-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d8c1b7f0 by Salvatore Bonaccorso at 2022-08-16T20:51:43+02:00
Track fixed version for CVE-2021-44648/gdk-pixbuf via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -51716,7 +51716,7 @@ CVE-2021-44650 (Zoho ManageEngine M365 Manager Plus 
before Build 4419 allows rem
 CVE-2021-44649 (Django CMS 3.7.3 does not validate the plugin_type parameter 
while gen ...)
- python-django-cms  (bug #516183)
 CVE-2021-44648 (GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer 
overflow vulner ...)
-   - gdk-pixbuf  (bug #1014600)
+   - gdk-pixbuf 2.42.9+dfsg-1 (bug #1014600)
[bullseye] - gdk-pixbuf  (Minor issue)
[buster] - gdk-pixbuf  (Vulnerable code introduced later)
[stretch] - gdk-pixbuf  (Vulnerable code introduced later)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8c1b7f0c77f2018bd5453060ee4837bdcc8b199



[Git][security-tracker-team/security-tracker][master] Take net-snmp for DSA release

2022-08-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1c177ec8 by Salvatore Bonaccorso at 2022-08-16T20:12:41+02:00
Take net-snmp for DSA release

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -29,7 +29,7 @@ linux (carnil)
 --
 maven-shared-utils
 --
-net-snmp
+net-snmp (carnil)
 --
 netatalk
   open regression with MacOS, tentative patch not yet merged upstream



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c177ec89f2f2175464b6a9b91985099c99c8b85



[Git][security-tracker-team/security-tracker][master] claim net-snmp like for ELA

2022-08-16 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
786af565 by Thorsten Alteholz at 2022-08-16T20:10:08+02:00
claim net-snmp like for ELA

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -61,7 +61,7 @@ mediawiki (Markus Koschany)
 ndpi (Anton)
   NOTE: 20220801: Programming language: C.
 --
-net-snmp
+net-snmp (Thorsten Alteholz)
   NOTE: 20220816: Programming language: C.
 --
 netatalk



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/786af5655b4e8cd8fc4358f8af97e749deea1ef2



[Git][security-tracker-team/security-tracker][master] 5 commits: Triage CVE-2020-8287 in http-parser for buster LTS.

2022-08-16 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
fc43cf84 by Chris Lamb at 2022-08-16T08:17:34-07:00
Triage CVE-2020-8287 in http-parser for buster LTS.

- - - - -
913c5e79 by Chris Lamb at 2022-08-16T08:17:51-07:00
Triage CVE-2021-41556 in squirrel3 for buster LTS.

- - - - -
506f373e by Chris Lamb at 2022-08-16T08:18:14-07:00
Triage CVE-2022-38223 in w3m for buster LTS.

- - - - -
9ab01064 by Chris Lamb at 2022-08-16T08:18:45-07:00
Triage CVE-2021-23385 in flask-security for buster LTS.

- - - - -
ec45dbf5 by Chris Lamb at 2022-08-16T08:19:07-07:00
Triage CVE-2016-3709 in libxml2 for buster LTS.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -315,6 +315,7 @@ CVE-2022-38224
 CVE-2022-38223 (There is an out-of-bounds write in checkType located in etc.c 
in w3m 0 ...)
- w3m 
[bullseye] - w3m  (Minor issue)
+   [buster] - w3m  (Minor issue)
NOTE: https://github.com/tats/w3m/issues/242
 CVE-2022-38222 (There is a use-after-free issue in JBIG2Stream::close() 
located in JBI ...)
TODO: check
@@ -63746,6 +63747,7 @@ CVE-2021-41557 (Sofico Miles RIA 2020.2 Build 127964T 
is affected by Stored Cros
 CVE-2021-41556 (sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 
allows an ou ...)
- squirrel3  (bug #1016212)
[bullseye] - squirrel3  (Minor issue)
+   [buster] - squirrel3  (Minor issue)
NOTE: 
https://github.com/albertodemichelis/squirrel/commit/23a0620658714b996d20da3d4dd1a0dcf9b0bd98
 (v3.2)
NOTE: https://blog.sonarsource.com/squirrel-vm-sandbox-escape/
 CVE-2021-41555 (** UNSUPPORTED WHEN ASSIGNED ** In ARCHIBUS Web Central 
21.3.3.815 (a  ...)
@@ -109543,6 +109545,7 @@ CVE-2021-23386 (This affects the package dns-packet 
before 5.2.2. It creates buf
 CVE-2021-23385 (This affects all versions of package Flask-Security. When 
using the ge ...)
- flask-security 
[bullseye] - flask-security  (Minor issue)
+   [buster] - flask-security  (Minor issue)
NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-FLASKSECURITY-1293234
 CVE-2021-23384 (The package koa-remove-trailing-slashes before 2.0.2 are 
vulnerable to ...)
NOT-FOR-US: Node koa-remove-trailing-slashes before
@@ -178901,6 +178904,7 @@ CVE-2020-8287 (Node.js versions before 10.23.1, 
12.20.1, 14.15.4, 15.5.1 allow t
{DSA-4826-1}
- http-parser 2.9.4-5 (bug #1016690)
[bullseye] - http-parser  (Minor issue)
+   [buster] - http-parser  (Minor issue)
- nodejs 12.20.1~dfsg-1 (bug #979364)
[stretch] - nodejs  (Nodejs in stretch not covered by security 
support)
NOTE: https://nodejs.org/en/blog/release/v10.23.1/
@@ -382139,6 +382143,7 @@ CVE-2016-3710 (The VGA module in QEMU improperly 
performs bounds checking on ban
 CVE-2016-3709 (Possible cross-site scripting vulnerability in libxml after 
commit 960 ...)
- libxml2 2.9.12+dfsg-3
[bullseye] - libxml2  (Minor issue)
+   [buster] - libxml2  (Minor issue)
NOTE: https://mail.gnome.org/archives/xml/2018-January/msg00010.html
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=769760
NOTE: Introduced by: 
https://github.com/GNOME/libxml2/commit/960f0e275616cadc29671a218d7fb9b69eb35588
 (v2.9.2-rc1)c
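Review bot: the trailing `c` in the context line ` (v2.9.2-rc1)c` is a stray character after the version tag of the introducing commit; it predates this change, but since this hunk already touches the CVE-2016-3709 entry it is worth dropping in a follow-up so the tag reads `(v2.9.2-rc1)` like the other version tags in the file.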



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/688aaa541ecd1651306d77bbe44f5fefa74cd54e...ec45dbf532b0ccce3f239922c5e5e98dbd0b9bd1



[Git][security-tracker-team/security-tracker][master] 4 commits: Triage CVE-2022-34749 in mistune for buster LTS.

2022-08-16 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7abf24a6 by Chris Lamb at 2022-08-16T08:15:16-07:00
Triage CVE-2022-34749 in mistune for buster LTS.

- - - - -
d1959f4d by Chris Lamb at 2022-08-16T08:15:41-07:00
Triage CVE-2022-37394 in nova for buster LTS.

- - - - -
a3a9e490 by Chris Lamb at 2022-08-16T08:16:41-07:00
Triage CVE-2022-2514, CVE-2022-2523 & CVE-2022-2589 in fava for buster LTS.

- - - - -
688aaa54 by Chris Lamb at 2022-08-16T08:16:56-07:00
data/dla-needed.txt: Add programming language.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -2409,6 +2409,7 @@ CVE-2022-37395
 CVE-2022-37394 (An issue was discovered in OpenStack Nova before 23.2.2, 24.x 
before 2 ...)
- nova  (bug #1016980)
[bullseye] - nova  (Minor issue)
+   [buster] - nova  (Minor issue)
NOTE: https://bugs.launchpad.net/ossa/+bug/1981813
NOTE: https://review.opendev.org/c/openstack/nova/+/849985
NOTE: https://review.opendev.org/c/openstack/nova/+/850003
@@ -3274,6 +3275,7 @@ CVE-2022-2590
 CVE-2022-2589 (Cross-site Scripting (XSS) - Reflected in GitHub repository 
beancount/ ...)
- fava  (bug #1016971)
[bullseye] - fava  (Minor issue)
+   [buster] - fava  (Minor issue)
NOTE: https://huntr.dev/bounties/8705800d-cf2f-433d-9c3e-dbef6a3f7e08/
NOTE: 
https://github.com/beancount/fava/commit/68bbb6e39319deb35ab9f18d0b6aa9fa70472539
 (v1.22.3)
 CVE-2022-37037
@@ -4749,6 +4751,7 @@ CVE-2022-33963
 CVE-2022-2523 (Cross-site Scripting (XSS) - Reflected in GitHub repository 
beancount/ ...)
- fava  (bug #1016971)
[bullseye] - fava  (Minor issue)
+   [buster] - fava  (Minor issue)
NOTE: https://huntr.dev/bounties/2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f
NOTE: 
https://github.com/beancount/fava/commit/dccfb6a2f4567f35ce2e9a78e24f92ebf946bc9b
 (v1.22.2)
 CVE-2022-36381
@@ -4886,6 +4889,7 @@ CVE-2022-2515
 CVE-2022-2514 (The time and filter parameters in Fava prior to v1.22 are 
vulnerable t ...)
- fava  (bug #1016971)
[bullseye] - fava  (Minor issue)
+   [buster] - fava  (Minor issue)
NOTE: https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429
NOTE: 
https://github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f3711
 (v1.22)
 CVE-2022-2513
@@ -8961,6 +8965,7 @@ CVE-2022-34750 (An issue was discovered in MediaWiki 
through 1.38.1. The lemma l
 CVE-2022-34749 (In mistune through 2.0.2, support of inline markup is 
implemented by u ...)
- mistune 2.0.3-1 (bug #1016089)
[bullseye] - mistune  (Minor issue)
+   [buster] - mistune  (Minor issue)
NOTE: 
https://github.com/lepture/mistune/commit/a6d43215132fe4f3d93f8d7e90ba83b16a0838b2
 (v2.0.3)
 CVE-2022-34748 (A vulnerability has been identified in Simcenter Femap (All 
versions & ...)
NOT-FOR-US: Siemens


=
data/dla-needed.txt
=
@@ -75,6 +75,7 @@ php-horde-mime-viewer
   NOTE: 20220816: Programming language: PHP.
 --
 php-horde-turba
+  NOTE: 20220816: Programming language: PHP.
 --
 puma (Abhijith PA)
   NOTE: 20220801: Programming language: Ruby.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c4301580e9b72e5a966e13d44e6e3ccf1f576c10...688aaa541ecd1651306d77bbe44f5fefa74cd54e



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage php-horde-turba for buster LTS (CVE-2022-30287)

2022-08-16 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c4301580 by Chris Lamb at 2022-08-16T08:14:02-07:00
data/dla-needed.txt: Triage php-horde-turba for buster LTS (CVE-2022-30287)

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -74,6 +74,8 @@ nodejs
 php-horde-mime-viewer
   NOTE: 20220816: Programming language: PHP.
 --
+php-horde-turba
+--
 puma (Abhijith PA)
   NOTE: 20220801: Programming language: Ruby.
 --
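Review bot: the new `php-horde-turba` entry carries no NOTE line, unlike the adjacent `php-horde-mime-viewer` and `puma` entries, which each record the programming language; the commit message names CVE-2022-30287 as the trigger, but the entry itself does not reference it. A `NOTE: 20220816: Programming language: PHP.` line (as for the other php-horde package in this file) and a reference to the CVE would make the entry self-describing; commit 688aaa54 later in this thread adds the language note.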



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4301580e9b72e5a966e13d44e6e3ccf1f576c10



[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Triage netatalk for buster LTS.

2022-08-16 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
577c85d8 by Chris Lamb at 2022-08-16T08:10:20-07:00
data/dla-needed.txt: Triage netatalk for buster LTS.

- - - - -
fd0665f5 by Chris Lamb at 2022-08-16T08:11:53-07:00
data/dla-needed.txt: Triage php-horde-mime-viewer for buster LTS 
(CVE-2022-26874)

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -64,10 +64,16 @@ ndpi (Anton)
 net-snmp
   NOTE: 20220816: Programming language: C.
 --
+netatalk
+  NOTE: 20220816: Programming language: C.
+--
 nodejs
   NOTE: 20220801: Programming language: JavaScript.
   NOTE: 20220801: one of the upstream fixes doesn't address the security issue
 --
+php-horde-mime-viewer
+  NOTE: 20220816: Programming language: PHP.
+--
 puma (Abhijith PA)
   NOTE: 20220801: Programming language: Ruby.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/71737919a1179b458af729cf606e2b146b686e74...fd0665f5a1e93ebdaace4f76fe25ea3a3f885779



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage net-snmp for buster LTS.

2022-08-16 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
71737919 by Chris Lamb at 2022-08-16T08:09:29-07:00
data/dla-needed.txt: Triage net-snmp for buster LTS.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -61,6 +61,9 @@ mediawiki (Markus Koschany)
 ndpi (Anton)
   NOTE: 20220801: Programming language: C.
 --
+net-snmp
+  NOTE: 20220816: Programming language: C.
+--
 nodejs
   NOTE: 20220801: Programming language: JavaScript.
   NOTE: 20220801: one of the upstream fixes doesn't address the security issue



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/71737919a1179b458af729cf606e2b146b686e74



[Git][security-tracker-team/security-tracker][master] Switch target source package name as used in the ITP

2022-08-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3db43c5c by Salvatore Bonaccorso at 2022-08-16T12:43:00+02:00
Switch target source package name as used in the ITP

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -36809,13 +36809,13 @@ CVE-2022-24953 (The Crypt_GPG extension before 1.6.7 
for PHP does not prevent ad
[bullseye] - php-crypt-gpg 1.6.4-2+deb11u1
NOTE: 
https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04
 (v1.6.7)
 CVE-2022-24952 (Several denial of service vulnerabilities exist in Eternal 
Terminal pr ...)
-   - et  (bug #861635)
+   - eternal-terminal  (bug #861635)
 CVE-2022-24951 (A race condition exists in Eternal Terminal prior to version 
6.2.0 whi ...)
-   - et  (bug #861635)
+   - eternal-terminal  (bug #861635)
 CVE-2022-24950 (A race condition exists in Eternal Terminal prior to version 
6.2.0 tha ...)
-   - et  (bug #861635)
+   - eternal-terminal  (bug #861635)
 CVE-2022-24949 (A privilege escalation to root exists in Eternal Terminal 
prior to ver ...)
-   - et  (bug #861635)
+   - eternal-terminal  (bug #861635)
 CVE-2022-24948 (A carefully crafted user preferences for submission could 
trigger an X ...)
- jspwiki 
 CVE-2022-24947 (Apache JSPWiki user preferences form is vulnerable to CSRF 
attacks, wh ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3db43c5c2faefad813002b92c2bd99939dda29d2



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-08-16 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
da6a56e0 by Neil Williams at 2022-08-16T11:14:41+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -139,9 +139,9 @@ CVE-2022-2823
 CVE-2022-2822 (An attacker can freely brute force username and password and 
can takeo ...)
- octoprint  (bug #718591)
 CVE-2022-2821 (Missing Critical Step in Authentication in GitHub repository 
namelessm ...)
-   TODO: check
+   NOT-FOR-US: NamelessMC/Nameless
 CVE-2022-2820 (Improper Access Control in GitHub repository 
namelessmc/nameless prior ...)
-   TODO: check
+   NOT-FOR-US: NamelessMC/Nameless
 CVE-2022-2819 (Heap-based Buffer Overflow in GitHub repository vim/vim prior 
to 9.0.0 ...)
- vim 
NOTE: https://huntr.dev/bounties/0a9bd71e-66b8-4eb1-9566-7dfd9b097e59
@@ -36809,13 +36809,13 @@ CVE-2022-24953 (The Crypt_GPG extension before 1.6.7 
for PHP does not prevent ad
[bullseye] - php-crypt-gpg 1.6.4-2+deb11u1
NOTE: 
https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04
 (v1.6.7)
 CVE-2022-24952 (Several denial of service vulnerabilities exist in Eternal 
Terminal pr ...)
-   TODO: check
+   - et  (bug #861635)
 CVE-2022-24951 (A race condition exists in Eternal Terminal prior to version 
6.2.0 whi ...)
-   TODO: check
+   - et  (bug #861635)
 CVE-2022-24950 (A race condition exists in Eternal Terminal prior to version 
6.2.0 tha ...)
-   TODO: check
+   - et  (bug #861635)
 CVE-2022-24949 (A privilege escalation to root exists in Eternal Terminal 
prior to ver ...)
-   TODO: check
+   - et  (bug #861635)
 CVE-2022-24948 (A carefully crafted user preferences for submission could 
trigger an X ...)
- jspwiki 
 CVE-2022-24947 (Apache JSPWiki user preferences form is vulnerable to CSRF 
attacks, wh ...)
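Review bot: the four entries replacing `TODO: check` record the source package as `et` while pointing at ITP bug #861635; the tracker should use the source package name as filed in the ITP, and commit 3db43c5c earlier in this thread has to switch all four lines to `- eternal-terminal  (bug #861635)`. Checking the ITP title before creating the entry avoids the follow-up rename.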
@@ -37906,7 +37906,7 @@ CVE-2022-24656 (HexoEditor 1.1.8 is affected by Cross 
Site Scripting (XSS). By p
 CVE-2022-24655 (A stack overflow vulnerability exists in the upnpd service in 
Netgear  ...)
NOT-FOR-US: Netgear
 CVE-2022-24654 (Authenticated stored cross-site scripting (XSS) vulnerability 
in "Fiel ...)
-   TODO: check
+   NOT-FOR-US: Intelbras ATA 200
 CVE-2022-24653
RESERVED
 CVE-2022-24652 (sentcms 4.0.x allows remote attackers to cause arbitrary file 
uploads  ...)
@@ -140624,7 +140624,7 @@ CVE-2020-23624
 CVE-2020-23623
RESERVED
 CVE-2020-23622 (** UNSUPPORTED WHEN ASSIGNED ** An issue in the UPnP protocol 
in 4thli ...)
-   TODO: check
+   NOT-FOR-US: 4thline/cling
 CVE-2020-23621 (The Java Remote Management Interface of all versions of SVI MS 
Managem ...)
NOT-FOR-US: Squire Remote Management Interface
 CVE-2020-23620 (The Java Remote Management Interface of all versions of 
Orlansoft ERP  ...)
@@ -144906,9 +144906,9 @@ CVE-2020-21644
 CVE-2020-21643
RESERVED
 CVE-2020-21642 (Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in 
/zropuse ...)
-   TODO: check
+   NOT-FOR-US: ManageEngine Analytics Plus
 CVE-2020-21641 (Out-of-Band XML External Entity (OOB-XXE) vulnerability in 
Zoho Manage ...)
-   TODO: check
+   NOT-FOR-US: ManageEngine Analytics Plus
 CVE-2020-21640
RESERVED
 CVE-2020-21639 (Ruijie RG-UAC 6000-E50 commit 9071227 was discovered to 
contain a cros ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da6a56e06a488b68b0f5582d7859f7a83d38489c



[Git][security-tracker-team/security-tracker][master] CVE-2020-21365/wkhtmltopdf 0.12.6-1

2022-08-16 Thread Neil Williams (@codehelp)


Neil Williams pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b60603f3 by Neil Williams at 2022-08-16T11:01:26+01:00
CVE-2020-21365/wkhtmltopdf 0.12.6-1

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -145559,7 +145559,9 @@ CVE-2020-21367
 CVE-2020-21366
RESERVED
 CVE-2020-21365 (Directory traversal vulnerability in wkhtmltopdf through 
0.12.5 allows ...)
-   TODO: check
+   - wkhtmltopdf 0.12.6-1
+   NOTE: 
https://github.com/wkhtmltopdf/wkhtmltopdf/commit/2a5f25077895fb075812c0f599326f079a59d6cf
 (0.12.6)
+   NOTE: https://github.com/wkhtmltopdf/wkhtmltopdf/issues/4536
 CVE-2020-21364
RESERVED
 CVE-2020-21363 (An arbitrary file deletion vulnerability exists within 
Maccms10. ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b60603f37276511550e78a35d61914c1f974ace5



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3323{5,6}/htmldoc

2022-08-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a3729572 by Salvatore Bonaccorso at 2022-08-16T10:44:25+02:00
Add CVE-2021-3323{5,6}/htmldoc

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -84417,9 +84417,18 @@ CVE-2021-33238
 CVE-2021-33237
RESERVED
 CVE-2021-33236 (Buffer Overflow vulnerability in write_header in htmldoc 
through 1.9.1 ...)
-   TODO: check
+   - htmldoc 1.9.12-1 (unimportant)
+   NOTE: https://github.com/michaelrsweet/htmldoc/issues/425
+   NOTE: 
https://github.com/michaelrsweet/htmldoc/commit/a0014be47d614220db111b360fb6170ef6f3937e
 (v1.9.12)
+   NOTE: Crash in CLI tool, no security impact
+   NOTE: Duplicate CVE of CVE-2022-34033
+   TODO: clarify duplicate assignment with assigning CNA
 CVE-2021-33235 (Buffer overflow vulnerability in write_node in htmldoc through 
1.9.11  ...)
-   TODO: check
+   - htmldoc 1.9.12-1 (unimportant)
+   NOTE: https://github.com/michaelrsweet/htmldoc/issues/426
+   NOTE: 
https://github.com/michaelrsweet/htmldoc/commit/ee778252faebb721afba5a081dd6ad7eaf20eef3
 (v1.9.12)
+   NOTE: Duplicate assignment of CVE-2022-34035
+   TODO: clarify duplicate assignment with assigning CNA
 CVE-2021-33234
RESERVED
 CVE-2021-33233
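Review bot: both entries are marked `(unimportant)`, but only CVE-2021-33236 carries the rationale (`NOTE: Crash in CLI tool, no security impact`); CVE-2021-33235 should get the same justification line so the severity is traceable for each. The two duplicate notes also use different phrasing (`Duplicate CVE of CVE-2022-34033` vs `Duplicate assignment of CVE-2022-34035`); one wording for both would keep the entries greppable alongside the shared `TODO: clarify duplicate assignment with assigning CNA`.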



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a3729572dfc9ee4a1fba0201f514fb91dc16d43a



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-08-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a48e5a35 by Salvatore Bonaccorso at 2022-08-16T10:43:59+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5105,19 +5105,19 @@ CVE-2021-46828 (In libtirpc before 1.3.3rc1, remote 
attackers could exhaust the
NOTE: Fixed by: 
http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed
 (libtirpc-1-3-3-rc1)
NOTE: Introduced by: 
http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=b2c9430f46c4ac848957fb8adaac176a3f6ac03f
 (libtirpc-0-3-3-rc3)
 CVE-2022-36312 (Airspan AirVelocity 1500 software version 15.18.00.2511 lacks 
CSRF pro ...)
-   TODO: check
+   NOT-FOR-US: Airspan AirVelocity 1500 software
 CVE-2022-36311 (Airspan AirVelocity 1500 prior to software version 
15.18.00.2511 is vu ...)
-   TODO: check
+   NOT-FOR-US: Airspan AirVelocity 1500 software
 CVE-2022-36310 (Airspan AirVelocity 1500 software prior to version 
15.18.00.2511 had N ...)
-   TODO: check
+   NOT-FOR-US: Airspan AirVelocity 1500 software
 CVE-2022-36309 (Airspan AirVelocity 1500 software versions prior to 
15.18.00.2511 have ...)
-   TODO: check
+   NOT-FOR-US: Airspan AirVelocity 1500 software
 CVE-2022-36308 (Airspan AirVelocity 1500 web management UI displays SNMP 
credentials i ...)
-   TODO: check
+   NOT-FOR-US: Airspan AirVelocity 1500
 CVE-2022-36307 (The AirVelocity 1500 prints SNMP credentials on its physically 
accessi ...)
-   TODO: check
+   NOT-FOR-US: Airspan AirVelocity 1500
 CVE-2022-36306 (An authenticated attacker can enumerate and download sensitive 
files,  ...)
-   TODO: check
+   NOT-FOR-US: Airspan AirVelocity 1500
 CVE-2022-36294
RESERVED
 CVE-2022-36290
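Review bot: the NOT-FOR-US labels in this hunk are inconsistent: CVE-2022-36312 through CVE-2022-36309 get `Airspan AirVelocity 1500 software` while CVE-2022-36308 through CVE-2022-36306 get `Airspan AirVelocity 1500`; all seven describe the same product, so a single spelling (`Airspan AirVelocity 1500`) would keep the entries searchable as one group.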
@@ -6328,7 +6328,7 @@ CVE-2022-35824 (Azure Site Recovery Remote Code Execution 
Vulnerability. This CV
 CVE-2022-35823
RESERVED
 CVE-2022-35822 (Windows Defender Credential Guard Security Feature Bypass 
Vulnerabilit ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2022-35821 (Azure Sphere Information Disclosure Vulnerability. ...)
NOT-FOR-US: Microsoft
 CVE-2022-35820 (Windows Bluetooth Driver Elevation of Privilege Vulnerability. 
...)
@@ -9118,7 +9118,7 @@ CVE-2022-34713 (Microsoft Windows Support Diagnostic Tool 
(MSDT) Remote Code Exe
 CVE-2022-34712 (Windows Defender Credential Guard Information Disclosure 
Vulnerability ...)
NOT-FOR-US: Microsoft
 CVE-2022-34711 (Windows Defender Credential Guard Elevation of Privilege 
Vulnerability ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2022-34710 (Windows Defender Credential Guard Information Disclosure 
Vulnerability ...)
NOT-FOR-US: Microsoft
 CVE-2022-34709 (Windows Defender Credential Guard Security Feature Bypass 
Vulnerabilit ...)
@@ -25696,7 +25696,7 @@ CVE-2022-28758
 CVE-2022-28757
RESERVED
 CVE-2022-28756 (The Zoom Client for Meetings for macOS (Standard and for IT 
Admin) sta ...)
-   TODO: check
+   NOT-FOR-US: Zoom
 CVE-2022-28755 (The Zoom Client for Meetings (for Android, iOS, Linux, macOS, 
and Wind ...)
NOT-FOR-US: Zoom
 CVE-2022-28754 (Zoom On-Premise Meeting Connector MMR before version 
4.8.129.20220714  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a48e5a35a62e9db3a03d996a1b541cd56d848a07



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-2816/vim

2022-08-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
40da2368 by Salvatore Bonaccorso at 2022-08-16T10:28:03+02:00
Add CVE-2022-2816/vim

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -331,7 +331,9 @@ CVE-2022-2817 (Use After Free in GitHub repository vim/vim 
prior to 9.0.0212. ..
NOTE: https://huntr.dev/bounties/a7b7d242-3d88-4bde-a681-6c986aff886f
NOTE: 
https://github.com/vim/vim/commit/249e1b903a9c0460d618f6dcc59aeb8c03b24b20 
(v9.0.0213)
 CVE-2022-2816 (Out-of-bounds Read in GitHub repository vim/vim prior to 
9.0.0211. ...)
-   TODO: check
+   - vim 
+   NOTE: https://huntr.dev/bounties/e2a83037-fcf9-4218-b2b9-b7507dacde58
+   NOTE: 
https://github.com/vim/vim/commit/dbdd16b62560413abcc3c8e893cc3010ccf31666 
(v9.0.0212)
 CVE-2022-38217
RESERVED
 CVE-2022-2815



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/40da23685b6a26ce9716ea7297a0a05cd7009b12



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-2817/vim

2022-08-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b220c9ca by Salvatore Bonaccorso at 2022-08-16T10:27:13+02:00
Add CVE-2022-2817/vim

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -327,7 +327,9 @@ CVE-2022-38219
 CVE-2022-38218
RESERVED
 CVE-2022-2817 (Use After Free in GitHub repository vim/vim prior to 9.0.0212. 
...)
-   TODO: check
+   - vim 
+   NOTE: https://huntr.dev/bounties/a7b7d242-3d88-4bde-a681-6c986aff886f
+   NOTE: 
https://github.com/vim/vim/commit/249e1b903a9c0460d618f6dcc59aeb8c03b24b20 
(v9.0.0213)
 CVE-2022-2816 (Out-of-bounds Read in GitHub repository vim/vim prior to 
9.0.0211. ...)
TODO: check
 CVE-2022-38217



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b220c9cab1d4bbc29130abe791266f53a47e0155



[Git][security-tracker-team/security-tracker][master] Process NFUs

2022-08-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6fd70c0d by Salvatore Bonaccorso at 2022-08-16T10:26:39+02:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,5 @@
 CVE-2022-38368 (An issue was discovered in Aviatrix Gateway before 6.6.5712 
and 6.7.x  ...)
-   TODO: check
+   NOT-FOR-US: Aviatrix Gateway
 CVE-2022-38367
RESERVED
 CVE-2022-38366
@@ -147,7 +147,7 @@ CVE-2022-2819 (Heap-based Buffer Overflow in GitHub 
repository vim/vim prior to
NOTE: https://huntr.dev/bounties/0a9bd71e-66b8-4eb1-9566-7dfd9b097e59
NOTE: 
https://github.com/vim/vim/commit/d1d8f6bacb489036d0fd479c9dd3c0102c99 
(v9.0.0211)
 CVE-2022-2818 (Authentication Bypass by Primary Weakness in GitHub repository 
cockpit ...)
-   TODO: check
+   NOT-FOR-US: Cockpit-HQ/Cockpit
 CVE-2022-38305
RESERVED
 CVE-2022-38304
@@ -395,17 +395,17 @@ CVE-2022-38193
 CVE-2022-38192
RESERVED
 CVE-2022-38191 (There is an HTML injection issue in Esri Portal for ArcGIS 
versions 10 ...)
-   TODO: check
+   NOT-FOR-US: Esri Portal for ArcGIS
 CVE-2022-38190 (A stored Cross Site Scripting (XSS) vulnerability in Esri 
Portal for A ...)
-   TODO: check
+   NOT-FOR-US: Esri Portal for ArcGIS
 CVE-2022-38189
RESERVED
 CVE-2022-38188 (There is a reflected XSS vulnerability in Esri Portal for 
ArcGIS versi ...)
-   TODO: check
+   NOT-FOR-US: Esri Portal for ArcGIS
 CVE-2022-38187 (Prior to version 10.9.0, the 
sharing/rest/content/features/analyze end ...)
-   TODO: check
+   NOT-FOR-US: Esri Portal for ArcGIS
 CVE-2022-38186 (There is a reflected XSS vulnerability in Esri Portal for 
ArcGIS versi ...)
-   TODO: check
+   NOT-FOR-US: Esri Portal for ArcGIS
 CVE-2022-38185
RESERVED
 CVE-2022-38184



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6fd70c0d4e10ff5eca468c670c27137a2bdc195b



[Git][security-tracker-team/security-tracker][master] automatic update

2022-08-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
26797cd3 by security tracker role at 2022-08-16T08:10:14+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,15 +1,35 @@
-CVE-2022-38362
+CVE-2022-38368 (An issue was discovered in Aviatrix Gateway before 6.6.5712 
and 6.7.x  ...)
+   TODO: check
+CVE-2022-38367
RESERVED
-CVE-2022-38361
+CVE-2022-38366
RESERVED
-CVE-2022-38360
+CVE-2022-38365
+   RESERVED
+CVE-2022-38364
+   RESERVED
+CVE-2022-38363
+   RESERVED
+CVE-2022-2829
RESERVED
-CVE-2022-38359
+CVE-2022-2828
RESERVED
-CVE-2022-38358
+CVE-2022-2827
RESERVED
-CVE-2022-38357
+CVE-2022-2826
+   RESERVED
+CVE-2022-38362
+   RESERVED
+CVE-2022-38361
+   RESERVED
+CVE-2022-38360
RESERVED
+CVE-2022-38359 (Cross-site request forgery attacks can be carried out against 
the Eyes ...)
+   TODO: check
+CVE-2022-38358 (Improper neutralization of input during web page generation 
leaves the ...)
+   TODO: check
+CVE-2022-38357 (Improper neutralization of special elements leaves the Eyes of 
Network ...)
+   TODO: check
 CVE-2022-38354
RESERVED
 CVE-2022-38353
@@ -306,10 +326,10 @@ CVE-2022-38219
RESERVED
 CVE-2022-38218
RESERVED
-CVE-2022-2817
-   RESERVED
-CVE-2022-2816
-   RESERVED
+CVE-2022-2817 (Use After Free in GitHub repository vim/vim prior to 9.0.0212. 
...)
+   TODO: check
+CVE-2022-2816 (Out-of-bounds Read in GitHub repository vim/vim prior to 
9.0.0211. ...)
+   TODO: check
 CVE-2022-38217
RESERVED
 CVE-2022-2815
@@ -324,8 +344,8 @@ CVE-2022-2811 (A vulnerability classified as problematic 
has been found in Sourc
NOT-FOR-US: SourceCodester
 CVE-2022-2810
RESERVED
-CVE-2022-38216
-   RESERVED
+CVE-2022-38216 (An integer overflow exists in Mapbox's closed source gl-native 
library ...)
+   TODO: check
 CVE-2022-38215
RESERVED
 CVE-2022-38214
@@ -374,18 +394,18 @@ CVE-2022-38193
RESERVED
 CVE-2022-38192
RESERVED
-CVE-2022-38191
-   RESERVED
-CVE-2022-38190
-   RESERVED
+CVE-2022-38191 (There is an HTML injection issue in Esri Portal for ArcGIS 
versions 10 ...)
+   TODO: check
+CVE-2022-38190 (A stored Cross Site Scripting (XSS) vulnerability in Esri 
Portal for A ...)
+   TODO: check
 CVE-2022-38189
RESERVED
-CVE-2022-38188
-   RESERVED
-CVE-2022-38187
-   RESERVED
-CVE-2022-38186
-   RESERVED
+CVE-2022-38188 (There is a reflected XSS vulnerability in Esri Portal for 
ArcGIS versi ...)
+   TODO: check
+CVE-2022-38187 (Prior to version 10.9.0, the 
sharing/rest/content/features/analyze end ...)
+   TODO: check
+CVE-2022-38186 (There is a reflected XSS vulnerability in Esri Portal for 
ArcGIS versi ...)
+   TODO: check
 CVE-2022-38185
RESERVED
 CVE-2022-38184
@@ -2127,25 +2147,25 @@ CVE-2022-37451 (Exim before 4.96 has an invalid free in 
pam_converse in auths/ca
 CVE-2022-37450 (Go Ethereum (aka geth) through 1.10.21 allows attackers to 
increase re ...)
- golang-github-go-ethereum  (bug #890541)
 CVE-2022-37449
-   RESERVED
+   REJECTED
 CVE-2022-37448
-   RESERVED
+   REJECTED
 CVE-2022-37447
-   RESERVED
+   REJECTED
 CVE-2022-37446
-   RESERVED
+   REJECTED
 CVE-2022-37445
-   RESERVED
+   REJECTED
 CVE-2022-37444
-   RESERVED
+   REJECTED
 CVE-2022-37443
-   RESERVED
+   REJECTED
 CVE-2022-37442
-   RESERVED
+   REJECTED
 CVE-2022-37441
-   RESERVED
+   REJECTED
 CVE-2022-37440
-   RESERVED
+   REJECTED
 CVE-2022-2687 (A vulnerability, which was classified as critical, was found in 
Source ...)
NOT-FOR-US: SourceCodester Gym Management System
 CVE-2022-2686 (A vulnerability, which was classified as problematic, was found 
in ore ...)
@@ -5080,20 +5100,20 @@ CVE-2021-46828 (In libtirpc before 1.3.3rc1, remote 
attackers could exhaust the
- libtirpc 1.3.2-2.1 (bug #1015873)
NOTE: Fixed by: 
http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed
 (libtirpc-1-3-3-rc1)
NOTE: Introduced by: 
http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=b2c9430f46c4ac848957fb8adaac176a3f6ac03f
 (libtirpc-0-3-3-rc3)
-CVE-2022-36312
-   RESERVED
-CVE-2022-36311
-   RESERVED
-CVE-2022-36310
-   RESERVED
-CVE-2022-36309
-   RESERVED
-CVE-2022-36308
-   RESERVED
-CVE-2022-36307
-   RESERVED
-CVE-2022-36306
-   RESERVED
+CVE-2022-36312 (Airspan AirVelocity 1500 software version 15.18.00.2511 lacks 
CSRF pro ...)
+   TODO: check
+CVE-2022-36311 (Airspan AirVelocity 1500 prior to software version 
15.18.00.2511 is vu ...)
+   TODO: check
+CVE-2022-36310 (Airspan AirVelocity 1500 software prior to version