[Git][security-tracker-team/security-tracker][master] CVE-2022-2294: Track as well fixed version in older suites
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e265003 by Salvatore Bonaccorso at 2022-08-17T06:39:12+02:00 CVE-2022-2294: Track as well fixed version in older suites - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8551,7 +8551,10 @@ CVE-2022-2294 (Heap buffer overflow in WebRTC in Google Chrome prior to 103.0.50 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) - webkit2gtk 2.36.6-1 (unimportant) + [bullseye] - webkit2gtk 2.36.6-1~deb11u1 + [buster] - webkit2gtk 2.36.6-1~deb10u1 - wpewebkit 2.36.6-1 (unimportant) + [bullseye] - wpewebkit 2.36.6-1~deb11u1 NOTE: https://www.openwall.com/lists/oss-security/2022/07/28/2 NOTE: Debian WebKitGTK and WPE WebKit binary packages are built without LibWebRTC CVE-2022-2293 (A vulnerability classified as problematic was found in SourceCodester ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e2650038a36c550beb8f51147f39d0d59212dff -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e2650038a36c550beb8f51147f39d0d59212dff You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
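Review bot: in the `@@ -8551,7 +8551,10 @@` hunk webkit2gtk gains both `[bullseye] - webkit2gtk 2.36.6-1~deb11u1` and `[buster] - webkit2gtk 2.36.6-1~deb10u1`, while wpewebkit gains only the bullseye line; if wpewebkit is not shipped in buster that asymmetry is expected, otherwise a buster line is still missing. The unstable lines keep `(unimportant)` and the existing NOTE explains why (the Debian binaries are built without LibWebRTC), so the new suite lines only record the upload in which the code moved on; a reader comparing them with the DSA-5210-1/DSA-5211-1 entries elsewhere on this page, which list only CVE-2022-32792 and CVE-2022-32816, should not expect this CVE to appear in those DSAs.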
[Git][security-tracker-team/security-tracker][master] new chromium issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 678b1173 by Moritz Mühlenhoff at 2022-08-16T23:47:57+02:00 new chromium issues - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1,3 +1,33 @@ +CVE-2022-2861 + - chromium + [buster] - chromium (see DSA 5046) +CVE-2022-2860 + - chromium + [buster] - chromium (see DSA 5046) +CVE-2022-2859 + - chromium + [buster] - chromium (see DSA 5046) +CVE-2022-2858 + - chromium + [buster] - chromium (see DSA 5046) +CVE-2022-2857 + - chromium + [buster] - chromium (see DSA 5046) +CVE-2022-2856 + - chromium + [buster] - chromium (see DSA 5046) +CVE-2022-2855 + - chromium + [buster] - chromium (see DSA 5046) +CVE-2022-2854 + - chromium + [buster] - chromium (see DSA 5046) +CVE-2022-2853 + - chromium + [buster] - chromium (see DSA 5046) +CVE-2022-2852 + - chromium + [buster] - chromium (see DSA 5046) CVE-2022-38381 RESERVED CVE-2022-38380 = data/dsa-needed.txt = @@ -16,6 +16,8 @@ asterisk (apo) -- freecad (aron) -- +chromium (jmm) +-- gdk-pixbuf (carnil) -- kicad (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/678b11738f65dcab44166b5988efa0fe6858e9a4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/678b11738f65dcab44166b5988efa0fe6858e9a4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
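Review bot: the ten entries added in the `@@ -1,3 +1,33 @@` hunk (CVE-2022-2852 through CVE-2022-2861) carry no description text and no fixed version on their `- chromium` lines; that is acceptable as a placeholder ahead of the automatic import, which on this page has only reserved identifiers up to CVE-2022-2851, but the fixed unstable version should be added as soon as the upload lands so the entries do not stay open-ended. The `[buster] - chromium (see DSA 5046)` lines match the existing CVE-2022-2294 entry, so the buster handling is consistent with the rest of the file.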
[Git][security-tracker-team/security-tracker][master] webkit2gtk DSA-5210-1 and wpewebkit DSA-5211-1
Alberto Garcia pushed to branch master at Debian Security Tracker / security-tracker Commits: d9fb4e48 by Alberto Garcia at 2022-08-16T23:43:23+02:00 webkit2gtk DSA-5210-1 and wpewebkit DSA-5211-1 - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,9 @@ +[16 Aug 2022] DSA-5211-1 wpewebkit - security update + {CVE-2022-32792 CVE-2022-32816} + [bullseye] - wpewebkit 2.36.6-1~deb11u1 +[16 Aug 2022] DSA-5210-1 webkit2gtk - security update + {CVE-2022-32792 CVE-2022-32816} + [bullseye] - webkit2gtk 2.36.6-1~deb11u1 [16 Aug 2022] DSA-5209-1 net-snmp - security update {CVE-2022-24805 CVE-2022-24806 CVE-2022-24807 CVE-2022-24808 CVE-2022-24809 CVE-2022-24810} [bullseye] - net-snmp 5.9+dfsg-4+deb11u1 = data/dsa-needed.txt = @@ -53,9 +53,5 @@ sofia-sip sox patch needed for CVE-2021-40426, check with upstream -- -webkit2gtk (berto) --- -wpewebkit (berto) --- zlib (carnil) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9fb4e489a79cc9e528020a07e33a26b3d1d79be -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9fb4e489a79cc9e528020a07e33a26b3d1d79be You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
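Review bot: the `@@ -53,9 +53,5 @@` hunk removes both `webkit2gtk (berto)` and `wpewebkit (berto)` from dsa-needed.txt, matching the two DSA entries added in the first hunk, so the bookkeeping is complete. One thing to keep in mind: the fixed version `2.36.6-1~deb11u1` in both DSA entries is the same version the CVE-2022-2294 commit on this page records for bullseye, yet the DSA CVE sets list only CVE-2022-32792 and CVE-2022-32816; that is correct because CVE-2022-2294 is tracked as unimportant for these packages, but it does mean the CVE list and the DSA entries will deliberately differ for this version.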
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-35978/minetest
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c1b2c80f by Salvatore Bonaccorso at 2022-08-16T22:22:34+02:00 Add CVE-2022-35978/minetest - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5992,7 +5992,9 @@ CVE-2022-35980 (OpenSearch Security is a plugin for OpenSearch that offers encry CVE-2022-35979 RESERVED CVE-2022-35978 (Minetest is a free open-source voxel game engine with easy modding and ...) - TODO: check + - minetest + NOTE: https://github.com/minetest/minetest/security/advisories/GHSA-663q-pcjw-27cc + NOTE: https://github.com/minetest/minetest/commit/da71e86633d0b27cd02d7aac9fdac625d141ca13 (5.6.0) CVE-2022-35977 RESERVED CVE-2022-35976 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1b2c80fddc314a77c4668b498303e1c24a7cbfd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1b2c80fddc314a77c4668b498303e1c24a7cbfd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
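Review bot: in the `@@ -5992,7 +5992,9 @@` hunk the new `- minetest` line records no fixed Debian version and there is no bullseye or buster triage line yet, even though the second NOTE already pins the upstream fix to 5.6.0; once the corresponding Debian upload is known the version belongs on the unstable line, and the stable suites need their own assessment (no-dsa with a reason, minor issue, or a planned fix) so the issue does not remain open in every suite by default.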
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b849cf6c by Salvatore Bonaccorso at 2022-08-16T22:19:49+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -464,17 +464,17 @@ CVE-2022-38196 CVE-2022-38195 RESERVED CVE-2022-38194 (In Esri Portal for ArcGIS versions 10.8.1, a system property is not pr ...) - TODO: check + NOT-FOR-US: Esri Portal for ArcGIS CVE-2022-38193 (There is a code injection vulnerability in Esri Portal for ArcGIS vers ...) - TODO: check + NOT-FOR-US: Esri Portal for ArcGIS CVE-2022-38192 (A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for A ...) - TODO: check + NOT-FOR-US: Esri Portal for ArcGIS CVE-2022-38191 (There is an HTML injection issue in Esri Portal for ArcGIS versions 10 ...) NOT-FOR-US: Esri Portal for ArcGIS CVE-2022-38190 (A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for A ...) NOT-FOR-US: Esri Portal for ArcGIS CVE-2022-38189 (A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for A ...) - TODO: check + NOT-FOR-US: Esri Portal for ArcGIS CVE-2022-38188 (There is a reflected XSS vulnerability in Esri Portal for ArcGIS versi ...) NOT-FOR-US: Esri Portal for ArcGIS CVE-2022-38187 (Prior to version 10.9.0, the sharing/rest/content/features/analyze end ...) @@ -484,7 +484,7 @@ CVE-2022-38186 (There is a reflected XSS vulnerability in Esri Portal for ArcGIS CVE-2022-38185 RESERVED CVE-2022-38184 (There is an improper access control vulnerability in Portal for ArcGIS ...) - TODO: check + NOT-FOR-US: Esri Portal for ArcGIS CVE-2022-38183 (In Gitea before 1.16.9, it was possible for users to add existing issu ...) - gitea CVE-2022-38182 @@ -4420,7 +4420,7 @@ CVE-2022-36601 CVE-2022-36600 RESERVED CVE-2022-36599 (Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerab ...) - TODO: check + NOT-FOR-US: Mingsoft MCMS CVE-2022-36598 RESERVED CVE-2022-36597 
@@ -4826,9 +4826,9 @@ CVE-2022-2523 (Cross-site Scripting (XSS) - Reflected in GitHub repository beanc NOTE: https://huntr.dev/bounties/2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f NOTE: https://github.com/beancount/fava/commit/dccfb6a2f4567f35ce2e9a78e24f92ebf946bc9b (v1.22.2) CVE-2022-36381 (OS command injection vulnerability in Nintendo Wi-Fi Network Adaptor W ...) - TODO: check + NOT-FOR-US: Nintendo Wi-Fi Network Adaptor WAP-001 CVE-2022-36293 (Buffer overflow vulnerability in Nintendo Wi-Fi Network Adaptor WAP-00 ...) - TODO: check + NOT-FOR-US: Nintendo Wi-Fi Network Adaptor WAP-001 CVE-2022-35734 ('Hulu / ' App for Android from version ...) TODO: check CVE-2022-34156 ('Hulu / ' App for iOS versions prior t ...) @@ -5014,7 +5014,7 @@ CVE-2022-36361 CVE-2022-36360 RESERVED CVE-2022-35239 (The image file management page of SolarView Compact SV-CPT-MC310 Ver.7 ...) - TODO: check + NOT-FOR-US: SolarView Compact SV-CPT-MC310 CVE-2022-2505 RESERVED - firefox 103.0-1 @@ -5358,9 +5358,9 @@ CVE-2022-36275 CVE-2022-36274 RESERVED CVE-2022-36273 (Tenda AC9 V15.03.2.21_cn is vulnerable to command injection via goform ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-36272 (Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerab ...) - TODO: check + NOT-FOR-US: Mingsoft MCMS CVE-2022-36271 RESERVED CVE-2022-36270 (Clinic's Patient Management System v1.0 has arbitrary code execution v ...) @@ -5420,7 +5420,7 @@ CVE-2022-36244 CVE-2022-36243 RESERVED CVE-2022-36242 (Clinic's Patient Management System v1.0 is vulnerable to SQL Injection ...) - TODO: check + NOT-FOR-US: Clinic's Patient Management System CVE-2022-36241 RESERVED CVE-2022-36240 @@ -21430,7 +21430,7 @@ CVE-2022-30266 CVE-2022-30265 RESERVED CVE-2022-30264 (The Emerson ROC and FloBoss RTU product lines through 2022-05-02 perfo ...) - TODO: check + NOT-FOR-US: Emerson CVE-2022-30263 RESERVED CVE-2022-30262 
@@ -22253,7 +22253,7 @@ CVE-2022-29961 CVE-2022-29960 (Emerson OpenBSI through 2022-04-29 uses weak cryptography. It is an en ...) NOT-FOR-US: Emerson CVE-2022-29959 (Emerson OpenBSI through 2022-04-29 mishandles credential storage. It i ...) - TODO: check + NOT-FOR-US: Emerson CVE-2022-29958 (JTEKT TOYOPUC PLCs through 2022-04-29 do not ensure data integrity. Th ...) NOT-FOR-US: JTEKT TOYOPUC PLCs CVE-2022-29957 (The Emerson DeltaV Distributed Control System (DCS) through 2022-04-29 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b849cf6c767a994cf5c3028ea9bcdb380ef91799
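Review bot: the NOT-FOR-US labels in these hunks vary in granularity. `NOT-FOR-US: Emerson` follows the existing context lines for the other Emerson CVEs, but `NOT-FOR-US: Tenda` in the `@@ -5358,9 +5358,9 @@` hunk is new and names only the vendor, while `NOT-FOR-US: Esri Portal for ArcGIS`, `NOT-FOR-US: Mingsoft MCMS` and `NOT-FOR-US: SolarView Compact SV-CPT-MC310` name the product; vendor-only labels are harder to grep later if a different product from that vendor does end up in Debian, so `NOT-FOR-US: Tenda AC9` would match the description text better.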
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 17ba084d by security tracker role at 2022-08-16T20:10:16+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,73 @@ +CVE-2022-38381 + RESERVED +CVE-2022-38380 + RESERVED +CVE-2022-38379 + RESERVED +CVE-2022-38378 + RESERVED +CVE-2022-38377 + RESERVED +CVE-2022-38376 + RESERVED +CVE-2022-38375 + RESERVED +CVE-2022-38374 + RESERVED +CVE-2022-38373 + RESERVED +CVE-2022-38372 + RESERVED +CVE-2022-38371 + RESERVED +CVE-2022-38370 + RESERVED +CVE-2022-38369 + RESERVED +CVE-2022-2851 + RESERVED +CVE-2022-2850 + RESERVED +CVE-2022-2849 + RESERVED +CVE-2022-2848 + RESERVED +CVE-2022-2847 + RESERVED +CVE-2022-2846 + RESERVED +CVE-2022-2845 + RESERVED +CVE-2022-2844 + RESERVED +CVE-2022-2843 + RESERVED +CVE-2022-2842 + RESERVED +CVE-2022-2841 + RESERVED +CVE-2022-2840 + RESERVED +CVE-2022-2839 + RESERVED +CVE-2022-2838 (In Eclipse Sphinx before version 0.13.1, Apache Xerces XML Pars ...) + TODO: check +CVE-2022-2837 + RESERVED +CVE-2022-2836 + RESERVED +CVE-2022-2835 + RESERVED +CVE-2022-2834 + RESERVED +CVE-2022-2833 + RESERVED +CVE-2022-2832 + RESERVED +CVE-2022-2831 + RESERVED +CVE-2022-2830 + RESERVED CVE-2022-38368 (An issue was discovered in Aviatrix Gateway before 6.6.5712 and 6.7.x ...) NOT-FOR-US: Aviatrix Gateway CVE-2022-38367 @@ -18,8 +88,7 @@ CVE-2022-2827 RESERVED CVE-2022-2826 RESERVED -CVE-2022-38362 - RESERVED +CVE-2022-38362 (Apache Airflow Docker's Provider prior to 3.0.0 shipped with an exampl ...) - airflow (bug #819700) CVE-2022-38361 RESERVED 
@@ -394,18 +463,18 @@ CVE-2022-38196 RESERVED CVE-2022-38195 RESERVED -CVE-2022-38194 - RESERVED -CVE-2022-38193 - RESERVED -CVE-2022-38192 - RESERVED +CVE-2022-38194 (In Esri Portal for ArcGIS versions 10.8.1, a system property is not pr ...) + TODO: check +CVE-2022-38193 (There is a code injection vulnerability in Esri Portal for ArcGIS vers ...) + TODO: check +CVE-2022-38192 (A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for A ...) + TODO: check CVE-2022-38191 (There is an HTML injection issue in Esri Portal for ArcGIS versions 10 ...) NOT-FOR-US: Esri Portal for ArcGIS CVE-2022-38190 (A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for A ...) NOT-FOR-US: Esri Portal for ArcGIS -CVE-2022-38189 - RESERVED +CVE-2022-38189 (A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for A ...) + TODO: check CVE-2022-38188 (There is a reflected XSS vulnerability in Esri Portal for ArcGIS versi ...) NOT-FOR-US: Esri Portal for ArcGIS CVE-2022-38187 (Prior to version 10.9.0, the sharing/rest/content/features/analyze end ...) @@ -414,8 +483,8 @@ CVE-2022-38186 (There is a reflected XSS vulnerability in Esri Portal for ArcGIS NOT-FOR-US: Esri Portal for ArcGIS CVE-2022-38185 RESERVED -CVE-2022-38184 - RESERVED +CVE-2022-38184 (There is an improper access control vulnerability in Portal for ArcGIS ...) + TODO: check CVE-2022-38183 (In Gitea before 1.16.9, it was possible for users to add existing issu ...) - gitea CVE-2022-38182 @@ -4350,8 +4419,8 @@ CVE-2022-36601 RESERVED CVE-2022-36600 RESERVED -CVE-2022-36599 - RESERVED +CVE-2022-36599 (Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerab ...) + TODO: check CVE-2022-36598 RESERVED CVE-2022-36597 @@ -4488,8 +4557,8 @@ CVE-2022-36532 RESERVED CVE-2022-36531 RESERVED -CVE-2022-36530 - RESERVED +CVE-2022-36530 (An issue was discovered in rageframe2 2.6.37. There is a XSS vulnerabi ...) + TODO: check CVE-2022-36529 RESERVED CVE-2022-36528 
@@ -4756,14 +4825,14 @@ CVE-2022-2523 (Cross-site Scripting (XSS) - Reflected in GitHub repository beanc [buster] - fava (Minor issue) NOTE: https://huntr.dev/bounties/2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f NOTE: https://github.com/beancount/fava/commit/dccfb6a2f4567f35ce2e9a78e24f92ebf946bc9b (v1.22.2) -CVE-2022-36381 - RESERVED -CVE-2022-36293 - RESERVED -CVE-2022-35734 - RESERVED -CVE-2022-34156 - RESERVED +CVE-2022-36381 (OS command injection vulnerability in Nintendo Wi-Fi Network Adaptor W ...) + TODO: check +CVE-2022-36293 (Buffer overflow vulnerability in Nintendo Wi-Fi Network Adaptor WAP-00 ...) + TODO: check +CVE-2022-35734 ('Hulu / ' App for Android from version ...) + TODO: check +CVE-2022-34156 ('Hulu / ' App for iOS versions
[Git][security-tracker-team/security-tracker][master] Take gdk-pixbuf from dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 37460ddc by Salvatore Bonaccorso at 2022-08-16T22:08:57+02:00 Take gdk-pixbuf from dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -16,7 +16,7 @@ asterisk (apo) -- freecad (aron) -- -gdk-pixbuf +gdk-pixbuf (carnil) -- kicad (jmm) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37460ddc8e4c267a6be08d16070a4e53efc90d25 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37460ddc8e4c267a6be08d16070a4e53efc90d25 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for net-snmp
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 925d15df by Salvatore Bonaccorso at 2022-08-16T21:58:12+02:00 Reserve DSA number for net-snmp - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[16 Aug 2022] DSA-5209-1 net-snmp - security update + {CVE-2022-24805 CVE-2022-24806 CVE-2022-24807 CVE-2022-24808 CVE-2022-24809 CVE-2022-24810} + [bullseye] - net-snmp 5.9+dfsg-4+deb11u1 [16 Aug 2022] DSA-5208-1 epiphany-browser - security update {CVE-2022-29536} [bullseye] - epiphany-browser 3.38.2-1+deb11u3 = data/dsa-needed.txt = @@ -26,8 +26,6 @@ linux (carnil) -- maven-shared-utils -- -net-snmp (carnil) --- netatalk open regression with MacOS, tentative patch not yet merged upstream -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/925d15df5de12f61899cfe72d3795b43c2ae511c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/925d15df5de12f61899cfe72d3795b43c2ae511c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] epiphany-browser DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2135c63f by Moritz Mühlenhoff at 2022-08-16T21:52:22+02:00 epiphany-browser DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[16 Aug 2022] DSA-5208-1 epiphany-browser - security update + {CVE-2022-29536} + [bullseye] - epiphany-browser 3.38.2-1+deb11u3 [15 Aug 2022] DSA-5207-1 linux - security update {CVE-2022-2585 CVE-2022-2586 CVE-2022-2588 CVE-2022-26373 CVE-2022-29900 CVE-2022-29901 CVE-2022-36879 CVE-2022-36946} [bullseye] - linux 5.10.136-1 = data/dsa-needed.txt = @@ -14,9 +14,6 @@ If needed, specify the release by adding a slash after the name of the source pa -- asterisk (apo) -- -epiphany-browser - Emilio prepared a debdiff for review --- freecad (aron) -- gdk-pixbuf View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2135c63fdaa513b73d2a42444bd9f019c37e736c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2135c63fdaa513b73d2a42444bd9f019c37e736c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2022-38362/airflow
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: 8f89a0e0 by Henri Salo at 2022-08-16T22:09:06+03:00 CVE-2022-38362/airflow - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20,6 +20,7 @@ CVE-2022-2826 RESERVED CVE-2022-38362 RESERVED + - airflow (bug #819700) CVE-2022-38361 RESERVED CVE-2022-38360 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f89a0e0a31dc86dcf461818b81ecf92557c88b2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f89a0e0a31dc86dcf461818b81ecf92557c88b2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
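Review bot: the `+ - airflow (bug #819700)` line in the `@@ -20,6 +20,7 @@` hunk leaves the entry as `RESERVED` with a bare package line underneath, and the bug number is far below the other 2022 bug numbers on this page (#1016543, #1014600, #1016971), so #819700 is evidently an old bug rather than one filed for this CVE. If airflow is not yet in the archive and #819700 is its ITP, the tracker's `<itp>` marker belongs on that line (`- airflow <itp> (bug #819700)`); if it is in the archive, the line needs the affected or fixed version rather than only the bug reference. A NOTE with the upstream advisory URL would also help whoever picks this up once the description is imported.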
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 350932f2 by Salvatore Bonaccorso at 2022-08-16T21:04:21+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25,11 +25,11 @@ CVE-2022-38361 CVE-2022-38360 RESERVED CVE-2022-38359 (Cross-site request forgery attacks can be carried out against the Eyes ...) - TODO: check + NOT-FOR-US: EyesOfNetwork (EON) CVE-2022-38358 (Improper neutralization of input during web page generation leaves the ...) - TODO: check + NOT-FOR-US: EyesOfNetwork (EON) CVE-2022-38357 (Improper neutralization of special elements leaves the Eyes of Network ...) - TODO: check + NOT-FOR-US: EyesOfNetwork (EON) CVE-2022-38354 RESERVED CVE-2022-38353 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/350932f21a4eae324f051d3ecb324740b1aa78a5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/350932f21a4eae324f051d3ecb324740b1aa78a5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-29154/rsync via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b1ca95c3 by Salvatore Bonaccorso at 2022-08-16T20:53:45+02:00 Track fixed version for CVE-2022-29154/rsync via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24696,7 +24696,7 @@ CVE-2022-29155 (In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL inje NOTE: https://git.openldap.org/openldap/openldap/-/commit/40f3ae4f5c9a8baf75b237220f62c436a571d66e (OPENLDAP_REL_ENG_2_5_12) NOTE: back-sql backend to slapd is enabled but considered experimental upstream. CVE-2022-29154 (An issue was discovered in rsync before 3.2.5 that allows malicious re ...) - - rsync (bug #1016543) + - rsync 3.2.5-1 (bug #1016543) [bullseye] - rsync (Minor issue; for untrusted remote sending hosts additional protective measures can be taken) NOTE: https://www.openwall.com/lists/oss-security/2022/08/02/1 NOTE: https://git.samba.org/?p=rsync.git;a=commit;h=b7231c7d02cfb65d291af74ff66e7d8c507ee871 (v3.2.5pre1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b1ca95c370c01102aea3dfb9034484be03609c42 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b1ca95c370c01102aea3dfb9034484be03609c42 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-44648/gdk-pixbuf via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d8c1b7f0 by Salvatore Bonaccorso at 2022-08-16T20:51:43+02:00 Track fixed version for CVE-2021-44648/gdk-pixbuf via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -51716,7 +51716,7 @@ CVE-2021-44650 (Zoho ManageEngine M365 Manager Plus before Build 4419 allows rem CVE-2021-44649 (Django CMS 3.7.3 does not validate the plugin_type parameter while gen ...) - python-django-cms (bug #516183) CVE-2021-44648 (GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow vulner ...) - - gdk-pixbuf (bug #1014600) + - gdk-pixbuf 2.42.9+dfsg-1 (bug #1014600) [bullseye] - gdk-pixbuf (Minor issue) [buster] - gdk-pixbuf (Vulnerable code introduced later) [stretch] - gdk-pixbuf (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8c1b7f0c77f2018bd5453060ee4837bdcc8b199 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8c1b7f0c77f2018bd5453060ee4837bdcc8b199 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Take net-snmp for DSA release
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1c177ec8 by Salvatore Bonaccorso at 2022-08-16T20:12:41+02:00 Take net-snmp for DSA release - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -29,7 +29,7 @@ linux (carnil) -- maven-shared-utils -- -net-snmp +net-snmp (carnil) -- netatalk open regression with MacOS, tentative patch not yet merged upstream View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c177ec89f2f2175464b6a9b91985099c99c8b85 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c177ec89f2f2175464b6a9b91985099c99c8b85 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] claim net-snmp like for ELA
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 786af565 by Thorsten Alteholz at 2022-08-16T20:10:08+02:00 claim net-snmp like for ELA - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -61,7 +61,7 @@ mediawiki (Markus Koschany) ndpi (Anton) NOTE: 20220801: Programming language: C. -- -net-snmp +net-snmp (Thorsten Alteholz) NOTE: 20220816: Programming language: C. -- netatalk View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/786af5655b4e8cd8fc4358f8af97e749deea1ef2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/786af5655b4e8cd8fc4358f8af97e749deea1ef2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 5 commits: Triage CVE-2020-8287 in http-parser for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: fc43cf84 by Chris Lamb at 2022-08-16T08:17:34-07:00 Triage CVE-2020-8287 in http-parser for buster LTS. - - - - - 913c5e79 by Chris Lamb at 2022-08-16T08:17:51-07:00 Triage CVE-2021-41556 in squirrel3 for buster LTS. - - - - - 506f373e by Chris Lamb at 2022-08-16T08:18:14-07:00 Triage CVE-2022-38223 in w3m for buster LTS. - - - - - 9ab01064 by Chris Lamb at 2022-08-16T08:18:45-07:00 Triage CVE-2021-23385 in flask-security for buster LTS. - - - - - ec45dbf5 by Chris Lamb at 2022-08-16T08:19:07-07:00 Triage CVE-2016-3709 in libxml2 for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -315,6 +315,7 @@ CVE-2022-38224 CVE-2022-38223 (There is an out-of-bounds write in checkType located in etc.c in w3m 0 ...) - w3m [bullseye] - w3m (Minor issue) + [buster] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/242 CVE-2022-38222 (There is a use-after-free issue in JBIG2Stream::close() located in JBI ...) TODO: check @@ -63746,6 +63747,7 @@ CVE-2021-41557 (Sofico Miles RIA 2020.2 Build 127964T is affected by Stored Cros CVE-2021-41556 (sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an ou ...) - squirrel3 (bug #1016212) [bullseye] - squirrel3 (Minor issue) + [buster] - squirrel3 (Minor issue) NOTE: https://github.com/albertodemichelis/squirrel/commit/23a0620658714b996d20da3d4dd1a0dcf9b0bd98 (v3.2) NOTE: https://blog.sonarsource.com/squirrel-vm-sandbox-escape/ CVE-2021-41555 (** UNSUPPORTED WHEN ASSIGNED ** In ARCHIBUS Web Central 21.3.3.815 (a ...) 
@@ -109543,6 +109545,7 @@ CVE-2021-23386 (This affects the package dns-packet before 5.2.2. It creates buf CVE-2021-23385 (This affects all versions of package Flask-Security. When using the ge ...) - flask-security [bullseye] - flask-security (Minor issue) + [buster] - flask-security (Minor issue) NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-FLASKSECURITY-1293234 CVE-2021-23384 (The package koa-remove-trailing-slashes before 2.0.2 are vulnerable to ...) NOT-FOR-US: Node koa-remove-trailing-slashes before @@ -178901,6 +178904,7 @@ CVE-2020-8287 (Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow t {DSA-4826-1} - http-parser 2.9.4-5 (bug #1016690) [bullseye] - http-parser (Minor issue) + [buster] - http-parser (Minor issue) - nodejs 12.20.1~dfsg-1 (bug #979364) [stretch] - nodejs (Nodejs in stretch not covered by security support) NOTE: https://nodejs.org/en/blog/release/v10.23.1/ 
@@ -382139,6 +382143,7 @@ CVE-2016-3710 (The VGA module in QEMU improperly performs bounds checking on ban CVE-2016-3709 (Possible cross-site scripting vulnerability in libxml after commit 960 ...) - libxml2 2.9.12+dfsg-3 [bullseye] - libxml2 (Minor issue) + [buster] - libxml2 (Minor issue) NOTE: https://mail.gnome.org/archives/xml/2018-January/msg00010.html NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=769760 NOTE: Introduced by: https://github.com/GNOME/libxml2/commit/960f0e275616cadc29671a218d7fb9b69eb35588 (v2.9.2-rc1)c View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/688aaa541ecd1651306d77bbe44f5fefa74cd54e...ec45dbf532b0ccce3f239922c5e5e98dbd0b9bd1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/688aaa541ecd1651306d77bbe44f5fefa74cd54e...ec45dbf532b0ccce3f239922c5e5e98dbd0b9bd1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
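Review bot: the context line `NOTE: Introduced by: https://github.com/GNOME/libxml2/commit/960f0e275616cadc29671a218d7fb9b69eb35588 (v2.9.2-rc1)c` in the `@@ -382139,6 +382143,7 @@` hunk ends with a stray `c` after the closing parenthesis; it predates this change, but it sits directly below the new `[buster] - libxml2 (Minor issue)` line and is cheap to drop while the entry is being touched.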
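Review bot: the new `[buster] - http-parser (Minor issue)` line in the `@@ -178901,6 +178904,7 @@` hunk joins an entry that already carries `{DSA-4826-1}` and records separate bugs for http-parser (#1016690) and nodejs (#979364); a short NOTE stating why http-parser in buster only warrants Minor issue, when a DSA was already issued for this CVE, would save the next reader having to check which source package that DSA covered.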
[Git][security-tracker-team/security-tracker][master] 4 commits: Triage CVE-2022-34749 in mistune for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 7abf24a6 by Chris Lamb at 2022-08-16T08:15:16-07:00 Triage CVE-2022-34749 in mistune for buster LTS. - - - - - d1959f4d by Chris Lamb at 2022-08-16T08:15:41-07:00 Triage CVE-2022-37394 in nova for buster LTS. - - - - - a3a9e490 by Chris Lamb at 2022-08-16T08:16:41-07:00 Triage CVE-2022-2514, CVE-2022-2523 CVE-2022-2589 in fava for buster LTS. - - - - - 688aaa54 by Chris Lamb at 2022-08-16T08:16:56-07:00 data/dla-needed.txt: Add programming language. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -2409,6 +2409,7 @@ CVE-2022-37395 CVE-2022-37394 (An issue was discovered in OpenStack Nova before 23.2.2, 24.x before 2 ...) - nova (bug #1016980) [bullseye] - nova (Minor issue) + [buster] - nova (Minor issue) NOTE: https://bugs.launchpad.net/ossa/+bug/1981813 NOTE: https://review.opendev.org/c/openstack/nova/+/849985 NOTE: https://review.opendev.org/c/openstack/nova/+/850003 @@ -3274,6 +3275,7 @@ CVE-2022-2590 CVE-2022-2589 (Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/ ...) - fava (bug #1016971) [bullseye] - fava (Minor issue) + [buster] - fava (Minor issue) NOTE: https://huntr.dev/bounties/8705800d-cf2f-433d-9c3e-dbef6a3f7e08/ NOTE: https://github.com/beancount/fava/commit/68bbb6e39319deb35ab9f18d0b6aa9fa70472539 (v1.22.3) CVE-2022-37037 @@ -4749,6 +4751,7 @@ CVE-2022-33963 CVE-2022-2523 (Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/ ...) - fava (bug #1016971) [bullseye] - fava (Minor issue) + [buster] - fava (Minor issue) NOTE: https://huntr.dev/bounties/2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f NOTE: https://github.com/beancount/fava/commit/dccfb6a2f4567f35ce2e9a78e24f92ebf946bc9b (v1.22.2) CVE-2022-36381 
@@ -4886,6 +4889,7 @@ CVE-2022-2515 CVE-2022-2514 (The time and filter parameters in Fava prior to v1.22 are vulnerable t ...) - fava (bug #1016971) [bullseye] - fava (Minor issue) + [buster] - fava (Minor issue) NOTE: https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429 NOTE: https://github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f3711 (v1.22) CVE-2022-2513 @@ -8961,6 +8965,7 @@ CVE-2022-34750 (An issue was discovered in MediaWiki through 1.38.1. The lemma l CVE-2022-34749 (In mistune through 2.0.2, support of inline markup is implemented by u ...) - mistune 2.0.3-1 (bug #1016089) [bullseye] - mistune (Minor issue) + [buster] - mistune (Minor issue) NOTE: https://github.com/lepture/mistune/commit/a6d43215132fe4f3d93f8d7e90ba83b16a0838b2 (v2.0.3) CVE-2022-34748 (A vulnerability has been identified in Simcenter Femap (All versions & ...) NOT-FOR-US: Siemens = data/dla-needed.txt = @@ -75,6 +75,7 @@ php-horde-mime-viewer NOTE: 20220816: Programming language: PHP. -- php-horde-turba + NOTE: 20220816: Programming language: PHP. -- puma (Abhijith PA) NOTE: 20220801: Programming language: Ruby. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c4301580e9b72e5a966e13d44e6e3ccf1f576c10...688aaa541ecd1651306d77bbe44f5fefa74cd54e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c4301580e9b72e5a966e13d44e6e3ccf1f576c10...688aaa541ecd1651306d77bbe44f5fefa74cd54e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage php-horde-turba for buster LTS (CVE-2022-30287)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: c4301580 by Chris Lamb at 2022-08-16T08:14:02-07:00 data/dla-needed.txt: Triage php-horde-turba for buster LTS (CVE-2022-30287) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -74,6 +74,8 @@ nodejs php-horde-mime-viewer NOTE: 20220816: Programming language: PHP. -- +php-horde-turba +-- puma (Abhijith PA) NOTE: 20220801: Programming language: Ruby. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4301580e9b72e5a966e13d44e6e3ccf1f576c10 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4301580e9b72e5a966e13d44e6e3ccf1f576c10 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
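Review bot: the new "php-horde-turba" entry is added without the "NOTE: 20220816: Programming language: PHP." line that the neighbouring "php-horde-mime-viewer" entry carries; adding it in the same commit keeps dla-needed.txt uniform (the follow-up commit 688aaa54 on this page supplies exactly that line).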
[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Triage netatalk for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 577c85d8 by Chris Lamb at 2022-08-16T08:10:20-07:00 data/dla-needed.txt: Triage netatalk for buster LTS. - - - - - fd0665f5 by Chris Lamb at 2022-08-16T08:11:53-07:00 data/dla-needed.txt: Triage php-horde-mime-viewer for buster LTS (CVE-2022-26874) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -64,10 +64,16 @@ ndpi (Anton) net-snmp NOTE: 20220816: Programming language: C. -- +netatalk + NOTE: 20220816: Programming language: C. +-- nodejs NOTE: 20220801: Programming language: JavaScript. NOTE: 20220801: one of the upstream fixes doesn't address the security issue -- +php-horde-mime-viewer + NOTE: 20220816: Programming language: PHP. +-- puma (Abhijith PA) NOTE: 20220801: Programming language: Ruby. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/71737919a1179b458af729cf606e2b146b686e74...fd0665f5a1e93ebdaace4f76fe25ea3a3f885779 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/71737919a1179b458af729cf606e2b146b686e74...fd0665f5a1e93ebdaace4f76fe25ea3a3f885779 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage net-snmp for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 71737919 by Chris Lamb at 2022-08-16T08:09:29-07:00 data/dla-needed.txt: Triage net-snmp for buster LTS. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -61,6 +61,9 @@ mediawiki (Markus Koschany) ndpi (Anton) NOTE: 20220801: Programming language: C. -- +net-snmp + NOTE: 20220816: Programming language: C. +-- nodejs NOTE: 20220801: Programming language: JavaScript. NOTE: 20220801: one of the upstream fixes doesn't address the security issue View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/71737919a1179b458af729cf606e2b146b686e74 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/71737919a1179b458af729cf606e2b146b686e74 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Switch target source package name as used in the ITP
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3db43c5c by Salvatore Bonaccorso at 2022-08-16T12:43:00+02:00 Switch target source package name as used in the ITP - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -36809,13 +36809,13 @@ CVE-2022-24953 (The Crypt_GPG extension before 1.6.7 for PHP does not prevent ad [bullseye] - php-crypt-gpg 1.6.4-2+deb11u1 NOTE: https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04 (v1.6.7) CVE-2022-24952 (Several denial of service vulnerabilities exist in Eternal Terminal pr ...) - - et (bug #861635) + - eternal-terminal (bug #861635) CVE-2022-24951 (A race condition exists in Eternal Terminal prior to version 6.2.0 whi ...) - - et (bug #861635) + - eternal-terminal (bug #861635) CVE-2022-24950 (A race condition exists in Eternal Terminal prior to version 6.2.0 tha ...) - - et (bug #861635) + - eternal-terminal (bug #861635) CVE-2022-24949 (A privilege escalation to root exists in Eternal Terminal prior to ver ...) - - et (bug #861635) + - eternal-terminal (bug #861635) CVE-2022-24948 (A carefully crafted user preferences for submission could trigger an X ...) - jspwiki CVE-2022-24947 (Apache JSPWiki user preferences form is vulnerable to CSRF attacks, wh ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3db43c5c2faefad813002b92c2bd99939dda29d2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3db43c5c2faefad813002b92c2bd99939dda29d2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: da6a56e0 by Neil Williams at 2022-08-16T11:14:41+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -139,9 +139,9 @@ CVE-2022-2823 CVE-2022-2822 (An attacker can freely brute force username and password and can takeo ...) - octoprint (bug #718591) CVE-2022-2821 (Missing Critical Step in Authentication in GitHub repository namelessm ...) - TODO: check + NOT-FOR-US: NamelessMC/Nameless CVE-2022-2820 (Improper Access Control in GitHub repository namelessmc/nameless prior ...) - TODO: check + NOT-FOR-US: NamelessMC/Nameless CVE-2022-2819 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0 ...) - vim NOTE: https://huntr.dev/bounties/0a9bd71e-66b8-4eb1-9566-7dfd9b097e59 @@ -36809,13 +36809,13 @@ CVE-2022-24953 (The Crypt_GPG extension before 1.6.7 for PHP does not prevent ad [bullseye] - php-crypt-gpg 1.6.4-2+deb11u1 NOTE: https://github.com/pear/Crypt_GPG/commit/74c8f989cefbe0887274b461dc56197e121bfd04 (v1.6.7) CVE-2022-24952 (Several denial of service vulnerabilities exist in Eternal Terminal pr ...) - TODO: check + - et (bug #861635) CVE-2022-24951 (A race condition exists in Eternal Terminal prior to version 6.2.0 whi ...) - TODO: check + - et (bug #861635) CVE-2022-24950 (A race condition exists in Eternal Terminal prior to version 6.2.0 tha ...) - TODO: check + - et (bug #861635) CVE-2022-24949 (A privilege escalation to root exists in Eternal Terminal prior to ver ...) - TODO: check + - et (bug #861635) CVE-2022-24948 (A carefully crafted user preferences for submission could trigger an X ...) - jspwiki CVE-2022-24947 (Apache JSPWiki user preferences form is vulnerable to CSRF attacks, wh ...) 
@@ -37906,7 +37906,7 @@ CVE-2022-24656 (HexoEditor 1.1.8 is affected by Cross Site Scripting (XSS). By p CVE-2022-24655 (A stack overflow vulnerability exists in the upnpd service in Netgear ...) NOT-FOR-US: Netgear CVE-2022-24654 (Authenticated stored cross-site scripting (XSS) vulnerability in "Fiel ...) - TODO: check + NOT-FOR-US: Intelbras ATA 200 CVE-2022-24653 RESERVED CVE-2022-24652 (sentcms 4.0.x allows remote attackers to cause arbitrary file uploads ...) @@ -140624,7 +140624,7 @@ CVE-2020-23624 CVE-2020-23623 RESERVED CVE-2020-23622 (** UNSUPPORTED WHEN ASSIGNED ** An issue in the UPnP protocol in 4thli ...) - TODO: check + NOT-FOR-US: 4thline/cling CVE-2020-23621 (The Java Remote Management Interface of all versions of SVI MS Managem ...) NOT-FOR-US: Squire Remote Management Interface CVE-2020-23620 (The Java Remote Management Interface of all versions of Orlansoft ERP ...) @@ -144906,9 +144906,9 @@ CVE-2020-21644 CVE-2020-21643 RESERVED CVE-2020-21642 (Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropuse ...) - TODO: check + NOT-FOR-US: ManageEngine Analytics Plus CVE-2020-21641 (Out-of-Band XML External Entity (OOB-XXE) vulnerability in Zoho Manage ...) - TODO: check + NOT-FOR-US: ManageEngine Analytics Plus CVE-2020-21640 RESERVED CVE-2020-21639 (Ruijie RG-UAC 6000-E50 commit 9071227 was discovered to contain a cros ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da6a56e06a488b68b0f5582d7859f7a83d38489c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da6a56e06a488b68b0f5582d7859f7a83d38489c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
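Review bot: in the "@@ -36809,13 +36809,13 @@" hunk the four Eternal Terminal entries (CVE-2022-24949 to CVE-2022-24952) are attributed to source package "et", but the ITP bug #861635 they cite uses "eternal-terminal", and commit 3db43c5c on this page has to rename all four; when a CVE is tracked against a package that is not yet uploaded, take the source name from the ITP so the entries do not need a second pass.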
[Git][security-tracker-team/security-tracker][master] CVE-2020-21365/wkhtmltopdf 0.12.6-1
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: b60603f3 by Neil Williams at 2022-08-16T11:01:26+01:00 CVE-2020-21365/wkhtmltopdf 0.12.6-1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -145559,7 +145559,9 @@ CVE-2020-21367 CVE-2020-21366 RESERVED CVE-2020-21365 (Directory traversal vulnerability in wkhtmltopdf through 0.12.5 allows ...) - TODO: check + - wkhtmltopdf 0.12.6-1 + NOTE: https://github.com/wkhtmltopdf/wkhtmltopdf/commit/2a5f25077895fb075812c0f599326f079a59d6cf (0.12.6) + NOTE: https://github.com/wkhtmltopdf/wkhtmltopdf/issues/4536 CVE-2020-21364 RESERVED CVE-2020-21363 (An arbitrary file deletion vulnerability exists within Maccms10. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b60603f37276511550e78a35d61914c1f974ace5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b60603f37276511550e78a35d61914c1f974ace5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
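Review bot: the entry records the fix as "wkhtmltopdf 0.12.6-1" but adds no suite annotation, although the description states the flaw affects wkhtmltopdf through 0.12.5; if a stable or LTS suite ships 0.12.5 or older, the tracker will list it as vulnerable, so a "[buster]" or "[bullseye]" line with the intended handling (fixed version, no-dsa or postponed) would record the triage decision rather than leave it to be rediscovered.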
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3323{5,6}/htmldoc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a3729572 by Salvatore Bonaccorso at 2022-08-16T10:44:25+02:00 Add CVE-2021-3323{5,6}/htmldoc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -84417,9 +84417,18 @@ CVE-2021-33238 CVE-2021-33237 RESERVED CVE-2021-33236 (Buffer Overflow vulnerability in write_header in htmldoc through 1.9.1 ...) - TODO: check + - htmldoc 1.9.12-1 (unimportant) + NOTE: https://github.com/michaelrsweet/htmldoc/issues/425 + NOTE: https://github.com/michaelrsweet/htmldoc/commit/a0014be47d614220db111b360fb6170ef6f3937e (v1.9.12) + NOTE: Crash in CLI tool, no security impact + NOTE: Duplicate CVE of CVE-2022-34033 + TODO: clarify duplicate assignment with assigning CNA CVE-2021-33235 (Buffer overflow vulnerability in write_node in htmldoc through 1.9.11 ...) - TODO: check + - htmldoc 1.9.12-1 (unimportant) + NOTE: https://github.com/michaelrsweet/htmldoc/issues/426 + NOTE: https://github.com/michaelrsweet/htmldoc/commit/ee778252faebb721afba5a081dd6ad7eaf20eef3 (v1.9.12) + NOTE: Duplicate assignment of CVE-2022-34035 + TODO: clarify duplicate assignment with assigning CNA CVE-2021-33234 RESERVED CVE-2021-33233 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a3729572dfc9ee4a1fba0201f514fb91dc16d43a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a3729572dfc9ee4a1fba0201f514fb91dc16d43a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
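Review bot: both htmldoc entries are tagged "(unimportant)", but only CVE-2021-33236 carries the justification "NOTE: Crash in CLI tool, no security impact"; CVE-2021-33235 should get the same rationale line, since the tag alone does not say why the issue is rated that way. The duplicate-assignment notes also use different wording ("Duplicate CVE of CVE-2022-34033" versus "Duplicate assignment of CVE-2022-34035"); one phrasing for both makes them easier to find when the CNA answers the open TODO.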
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a48e5a35 by Salvatore Bonaccorso at 2022-08-16T10:43:59+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5105,19 +5105,19 @@ CVE-2021-46828 (In libtirpc before 1.3.3rc1, remote attackers could exhaust the NOTE: Fixed by: http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed (libtirpc-1-3-3-rc1) NOTE: Introduced by: http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=b2c9430f46c4ac848957fb8adaac176a3f6ac03f (libtirpc-0-3-3-rc3) CVE-2022-36312 (Airspan AirVelocity 1500 software version 15.18.00.2511 lacks CSRF pro ...) - TODO: check + NOT-FOR-US: Airspan AirVelocity 1500 software CVE-2022-36311 (Airspan AirVelocity 1500 prior to software version 15.18.00.2511 is vu ...) - TODO: check + NOT-FOR-US: Airspan AirVelocity 1500 software CVE-2022-36310 (Airspan AirVelocity 1500 software prior to version 15.18.00.2511 had N ...) - TODO: check + NOT-FOR-US: Airspan AirVelocity 1500 software CVE-2022-36309 (Airspan AirVelocity 1500 software versions prior to 15.18.00.2511 have ...) - TODO: check + NOT-FOR-US: Airspan AirVelocity 1500 software CVE-2022-36308 (Airspan AirVelocity 1500 web management UI displays SNMP credentials i ...) - TODO: check + NOT-FOR-US: Airspan AirVelocity 1500 CVE-2022-36307 (The AirVelocity 1500 prints SNMP credentials on its physically accessi ...) - TODO: check + NOT-FOR-US: Airspan AirVelocity 1500 CVE-2022-36306 (An authenticated attacker can enumerate and download sensitive files, ...) - TODO: check + NOT-FOR-US: Airspan AirVelocity 1500 CVE-2022-36294 RESERVED CVE-2022-36290 
@@ -6328,7 +6328,7 @@ CVE-2022-35824 (Azure Site Recovery Remote Code Execution Vulnerability. This CV CVE-2022-35823 RESERVED CVE-2022-35822 (Windows Defender Credential Guard Security Feature Bypass Vulnerabilit ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-35821 (Azure Sphere Information Disclosure Vulnerability. ...) NOT-FOR-US: Microsoft CVE-2022-35820 (Windows Bluetooth Driver Elevation of Privilege Vulnerability. ...) @@ -9118,7 +9118,7 @@ CVE-2022-34713 (Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Exe CVE-2022-34712 (Windows Defender Credential Guard Information Disclosure Vulnerability ...) NOT-FOR-US: Microsoft CVE-2022-34711 (Windows Defender Credential Guard Elevation of Privilege Vulnerability ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-34710 (Windows Defender Credential Guard Information Disclosure Vulnerability ...) NOT-FOR-US: Microsoft CVE-2022-34709 (Windows Defender Credential Guard Security Feature Bypass Vulnerabilit ...) @@ -25696,7 +25696,7 @@ CVE-2022-28758 CVE-2022-28757 RESERVED CVE-2022-28756 (The Zoom Client for Meetings for macOS (Standard and for IT Admin) sta ...) - TODO: check + NOT-FOR-US: Zoom CVE-2022-28755 (The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Wind ...) NOT-FOR-US: Zoom CVE-2022-28754 (Zoom On-Premise Meeting Connector MMR before version 4.8.129.20220714 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a48e5a35a62e9db3a03d996a1b541cd56d848a07 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a48e5a35a62e9db3a03d996a1b541cd56d848a07 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
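Review bot: in the "@@ -5105,19 +5105,19 @@" hunk the NOT-FOR-US labels for the seven Airspan entries are inconsistent: CVE-2022-36309 to CVE-2022-36312 read "NOT-FOR-US: Airspan AirVelocity 1500 software" while CVE-2022-36306 to CVE-2022-36308 read "NOT-FOR-US: Airspan AirVelocity 1500"; use one product label across the block so the entries group together when the file is searched.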
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-2816/vim
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 40da2368 by Salvatore Bonaccorso at 2022-08-16T10:28:03+02:00 Add CVE-2022-2816/vim - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -331,7 +331,9 @@ CVE-2022-2817 (Use After Free in GitHub repository vim/vim prior to 9.0.0212. .. NOTE: https://huntr.dev/bounties/a7b7d242-3d88-4bde-a681-6c986aff886f NOTE: https://github.com/vim/vim/commit/249e1b903a9c0460d618f6dcc59aeb8c03b24b20 (v9.0.0213) CVE-2022-2816 (Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0211. ...) - TODO: check + - vim + NOTE: https://huntr.dev/bounties/e2a83037-fcf9-4218-b2b9-b7507dacde58 + NOTE: https://github.com/vim/vim/commit/dbdd16b62560413abcc3c8e893cc3010ccf31666 (v9.0.0212) CVE-2022-38217 RESERVED CVE-2022-2815 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/40da23685b6a26ce9716ea7297a0a05cd7009b12 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/40da23685b6a26ce9716ea7297a0a05cd7009b12 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
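Review bot: for CVE-2022-2816 the description says "prior to 9.0.0211" while the referenced fix commit is tagged "(v9.0.0212)", and the CVE-2022-2817 context lines show the same one-patchlevel gap ("prior to 9.0.0212" against "(v9.0.0213)"); this is harmless while the entries carry a bare "- vim" with no fixed version, but whoever later records a fixed version should derive it from the commit tag, not from the description text.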
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-2817/vim
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b220c9ca by Salvatore Bonaccorso at 2022-08-16T10:27:13+02:00 Add CVE-2022-2817/vim - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -327,7 +327,9 @@ CVE-2022-38219 CVE-2022-38218 RESERVED CVE-2022-2817 (Use After Free in GitHub repository vim/vim prior to 9.0.0212. ...) - TODO: check + - vim + NOTE: https://huntr.dev/bounties/a7b7d242-3d88-4bde-a681-6c986aff886f + NOTE: https://github.com/vim/vim/commit/249e1b903a9c0460d618f6dcc59aeb8c03b24b20 (v9.0.0213) CVE-2022-2816 (Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0211. ...) TODO: check CVE-2022-38217 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b220c9cab1d4bbc29130abe791266f53a47e0155 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b220c9cab1d4bbc29130abe791266f53a47e0155 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6fd70c0d by Salvatore Bonaccorso at 2022-08-16T10:26:39+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2022-38368 (An issue was discovered in Aviatrix Gateway before 6.6.5712 and 6.7.x ...) - TODO: check + NOT-FOR-US: Aviatrix Gateway CVE-2022-38367 RESERVED CVE-2022-38366 @@ -147,7 +147,7 @@ CVE-2022-2819 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to NOTE: https://huntr.dev/bounties/0a9bd71e-66b8-4eb1-9566-7dfd9b097e59 NOTE: https://github.com/vim/vim/commit/d1d8f6bacb489036d0fd479c9dd3c0102c99 (v9.0.0211) CVE-2022-2818 (Authentication Bypass by Primary Weakness in GitHub repository cockpit ...) - TODO: check + NOT-FOR-US: Cockpit-HQ/Cockpit CVE-2022-38305 RESERVED CVE-2022-38304 
@@ -395,17 +395,17 @@ CVE-2022-38193 CVE-2022-38192 RESERVED CVE-2022-38191 (There is an HTML injection issue in Esri Portal for ArcGIS versions 10 ...) - TODO: check + NOT-FOR-US: Esri Portal for ArcGIS CVE-2022-38190 (A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for A ...) - TODO: check + NOT-FOR-US: Esri Portal for ArcGIS CVE-2022-38189 RESERVED CVE-2022-38188 (There is a reflected XSS vulnerability in Esri Portal for ArcGIS versi ...) - TODO: check + NOT-FOR-US: Esri Portal for ArcGIS CVE-2022-38187 (Prior to version 10.9.0, the sharing/rest/content/features/analyze end ...) - TODO: check + NOT-FOR-US: Esri Portal for ArcGIS CVE-2022-38186 (There is a reflected XSS vulnerability in Esri Portal for ArcGIS versi ...) - TODO: check + NOT-FOR-US: Esri Portal for ArcGIS CVE-2022-38185 RESERVED CVE-2022-38184 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6fd70c0d4e10ff5eca468c670c27137a2bdc195b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6fd70c0d4e10ff5eca468c670c27137a2bdc195b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 26797cd3 by security tracker role at 2022-08-16T08:10:14+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,15 +1,35 @@ -CVE-2022-38362 +CVE-2022-38368 (An issue was discovered in Aviatrix Gateway before 6.6.5712 and 6.7.x ...) + TODO: check +CVE-2022-38367 RESERVED -CVE-2022-38361 +CVE-2022-38366 RESERVED -CVE-2022-38360 +CVE-2022-38365 + RESERVED +CVE-2022-38364 + RESERVED +CVE-2022-38363 + RESERVED +CVE-2022-2829 RESERVED -CVE-2022-38359 +CVE-2022-2828 RESERVED -CVE-2022-38358 +CVE-2022-2827 RESERVED -CVE-2022-38357 +CVE-2022-2826 + RESERVED +CVE-2022-38362 + RESERVED +CVE-2022-38361 + RESERVED +CVE-2022-38360 RESERVED +CVE-2022-38359 (Cross-site request forgery attacks can be carried out against the Eyes ...) + TODO: check +CVE-2022-38358 (Improper neutralization of input during web page generation leaves the ...) + TODO: check +CVE-2022-38357 (Improper neutralization of special elements leaves the Eyes of Network ...) + TODO: check CVE-2022-38354 RESERVED CVE-2022-38353 @@ -306,10 +326,10 @@ CVE-2022-38219 RESERVED CVE-2022-38218 RESERVED -CVE-2022-2817 - RESERVED -CVE-2022-2816 - RESERVED +CVE-2022-2817 (Use After Free in GitHub repository vim/vim prior to 9.0.0212. ...) + TODO: check +CVE-2022-2816 (Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0211. ...) + TODO: check CVE-2022-38217 RESERVED CVE-2022-2815 @@ -324,8 +344,8 @@ CVE-2022-2811 (A vulnerability classified as problematic has been found in Sourc NOT-FOR-US: SourceCodester CVE-2022-2810 RESERVED -CVE-2022-38216 - RESERVED +CVE-2022-38216 (An integer overflow exists in Mapbox's closed source gl-native library ...) + TODO: check CVE-2022-38215 RESERVED CVE-2022-38214 
@@ -374,18 +394,18 @@ CVE-2022-38193 RESERVED CVE-2022-38192 RESERVED -CVE-2022-38191 - RESERVED -CVE-2022-38190 - RESERVED +CVE-2022-38191 (There is an HTML injection issue in Esri Portal for ArcGIS versions 10 ...) + TODO: check +CVE-2022-38190 (A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for A ...) + TODO: check CVE-2022-38189 RESERVED -CVE-2022-38188 - RESERVED -CVE-2022-38187 - RESERVED -CVE-2022-38186 - RESERVED +CVE-2022-38188 (There is a reflected XSS vulnerability in Esri Portal for ArcGIS versi ...) + TODO: check +CVE-2022-38187 (Prior to version 10.9.0, the sharing/rest/content/features/analyze end ...) + TODO: check +CVE-2022-38186 (There is a reflected XSS vulnerability in Esri Portal for ArcGIS versi ...) + TODO: check CVE-2022-38185 RESERVED CVE-2022-38184 @@ -2127,25 +2147,25 @@ CVE-2022-37451 (Exim before 4.96 has an invalid free in pam_converse in auths/ca CVE-2022-37450 (Go Ethereum (aka geth) through 1.10.21 allows attackers to increase re ...) - golang-github-go-ethereum (bug #890541) CVE-2022-37449 - RESERVED + REJECTED CVE-2022-37448 - RESERVED + REJECTED CVE-2022-37447 - RESERVED + REJECTED CVE-2022-37446 - RESERVED + REJECTED CVE-2022-37445 - RESERVED + REJECTED CVE-2022-37444 - RESERVED + REJECTED CVE-2022-37443 - RESERVED + REJECTED CVE-2022-37442 - RESERVED + REJECTED CVE-2022-37441 - RESERVED + REJECTED CVE-2022-37440 - RESERVED + REJECTED CVE-2022-2687 (A vulnerability, which was classified as critical, was found in Source ...) NOT-FOR-US: SourceCodester Gym Management System CVE-2022-2686 (A vulnerability, which was classified as problematic, was found in ore ...) 
@@ -5080,20 +5100,20 @@ CVE-2021-46828 (In libtirpc before 1.3.3rc1, remote attackers could exhaust the - libtirpc 1.3.2-2.1 (bug #1015873) NOTE: Fixed by: http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed (libtirpc-1-3-3-rc1) NOTE: Introduced by: http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=b2c9430f46c4ac848957fb8adaac176a3f6ac03f (libtirpc-0-3-3-rc3) -CVE-2022-36312 - RESERVED -CVE-2022-36311 - RESERVED -CVE-2022-36310 - RESERVED -CVE-2022-36309 - RESERVED -CVE-2022-36308 - RESERVED -CVE-2022-36307 - RESERVED -CVE-2022-36306 - RESERVED +CVE-2022-36312 (Airspan AirVelocity 1500 software version 15.18.00.2511 lacks CSRF pro ...) + TODO: check +CVE-2022-36311 (Airspan AirVelocity 1500 prior to software version 15.18.00.2511 is vu ...) + TODO: check +CVE-2022-36310 (Airspan AirVelocity 1500 software prior to version