[Git][security-tracker-team/security-tracker][master] Fix typo
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: 3fbfc044 by Henri Salo at 2022-10-28T08:55:36+03:00 Fix typo - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1669,7 +1669,7 @@ CVE-2022-43761 RESERVED CVE-2022-3705 (A vulnerability was found in vim and classified as problematic. Affect ...) - vim - NOTE: ttps://github.com/vim/vim/commit/d0fab10ed2a86698937e3c3fed2f10bd9bb5e731 (v9.0.0805) + NOTE: https://github.com/vim/vim/commit/d0fab10ed2a86698937e3c3fed2f10bd9bb5e731 (v9.0.0805) CVE-2022-3704 (A vulnerability classified as problematic has been found in Ruby on Ra ...) - rails NOTE: https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3fbfc0446da5a4517f6461a9e81fdde0bb13c59b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3fbfc0446da5a4517f6461a9e81fdde0bb13c59b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
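Review bot: The URL fix is right, but the CVE-2022-3705 entry still has no fixed Debian version on the `- vim` line even though the NOTE now carries the upstream tag (v9.0.0805); until a vim upload with that fix is recorded, the entry counts as unfixed in unstable, so the version should be added as soon as it lands.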
[Git][security-tracker-team/security-tracker][master] Add fixed version for curl issues fixed via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b20f0937 by Salvatore Bonaccorso at 2022-10-28T07:06:44+02:00 Add fixed version for curl issues fixed via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4026,7 +4026,7 @@ CVE-2022-42917 RESERVED CVE-2022-42916 [HSTS bypass via IDN] RESERVED - - curl + - curl 7.86.0-1 [buster] - curl (Vulnerable code not present) NOTE: https://curl.se/docs/CVE-2022-42916.html NOTE: Introduced with: https://github.com/curl/curl/commit/7385610d0c74c6a254fea5e4cd6e1d559d848c8c (curl-7_74_0) @@ -4034,7 +4034,7 @@ CVE-2022-42916 [HSTS bypass via IDN] NOTE: Fixed by: https://github.com/curl/curl/commit/53bcf55b4538067e6dc36242168866becb987bb7 (curl-7_86_0) CVE-2022-42915 [HTTP proxy double-free] RESERVED - - curl + - curl 7.86.0-1 [bullseye] - curl (Vulnerable code not present) [buster] - curl (Vulnerable code not present) NOTE: https://curl.se/docs/CVE-2022-42915.html @@ -23613,7 +23613,7 @@ CVE-2022-35261 (A denial of service vulnerability exists in the web_server hashF TODO: check CVE-2022-35260 [.netrc parser out-of-bounds access] RESERVED - - curl + - curl 7.86.0-1 [bullseye] - curl (Vulnerable code not present) [buster] - curl (Vulnerable code not present) NOTE: https://curl.se/docs/CVE-2022-35260.html 
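Review bot: In the CVE-2022-42916 hunk the only suite annotation is `[buster]`, while the CVE-2022-42915 and CVE-2022-35260 hunks right after it annotate both `[bullseye]` and `[buster]`; since the NOTE records the issue as introduced with curl-7_74_0, bullseye's status should be stated explicitly (a fixed version, a `<no-dsa>`/`<postponed>` tag, or at least a NOTE) so it does not silently stay open. Separately, as rendered here the suite lines read `[buster] - curl (Vulnerable code not present)` with no state tag between the package and the reason; if the committed line really lacks `<not-affected>` it parses as an unfixed entry with a comment, so check that the tag is present in the file and was only dropped by the mail rendering.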
@@ -31751,7 +31751,7 @@ CVE-2022-3 (A cryptographic vulnerability exists on Node.js on linux in vers NOTE: https://github.com/nodejs/node/commit/a5fc2deb43f85dc2195a1fe1683b9c2e7443b001 CVE-2022-32221 [POST following PUT confusion] RESERVED - - curl + - curl 7.86.0-1 NOTE: https://curl.se/docs/CVE-2022-32221.html NOTE: https://github.com/curl/curl/issues/9507 NOTE: Fixed by: https://github.com/curl/curl/commit/a64e3e59938abd7d667e4470a18072a24d7e9de9 (curl-7_86_0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b20f0937215a9045292e2de200e6cc640d1f3a51 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b20f0937215a9045292e2de200e6cc640d1f3a51 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
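Review bot: The CVE-2022-32221 hunk adds only `- curl 7.86.0-1` with no `[bullseye]` or `[buster]` lines and, unlike the other three issues in this commit, no "Introduced with" NOTE; the stable suites' exposure to the POST-following-PUT confusion therefore remains untriaged, and either a suite annotation or a NOTE on the introducing commit should follow so the entry is not mistaken for a sid-only issue.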
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3166-1 for ruby-sinatra
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 29216582 by Utkarsh Gupta at 2022-10-28T09:21:37+05:30 Reserve DLA-3166-1 for ruby-sinatra - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[28 Oct 2022] DLA-3166-1 ruby-sinatra - security update + {CVE-2022-29970} + [buster] - ruby-sinatra 2.0.5-4+deb10u1 [28 Oct 2022] DLA-3165-1 expat - security update {CVE-2022-43680} [buster] - expat 2.2.6-2+deb10u6 = data/dla-needed.txt = @@ -172,9 +172,6 @@ rainloop NOTE: 20220913: also there's an unofficial one for CVE-2022-29360; NOTE: 20220913: Evaluate the situation and decide whether we should support or EOL this package (Beuc/front-desk) -- -ruby-sinatra (Utkarsh) - NOTE: 20220911: Programming language: ruby --- runc NOTE: 20220905: Programming language: Go. NOTE: 20220905: Special attention: Sync with Bullseye. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29216582464fdb81efe2f24a76dddbaa0d26e2e5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29216582464fdb81efe2f24a76dddbaa0d26e2e5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
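Review bot: The DLA/list entry and the dla-needed.txt removal are consistent with each other, but DLA-3166-1 closes ruby-sinatra for buster with a single CVE (CVE-2022-29970); if any other ruby-sinatra CVE is still open for buster it is no longer on the worklist once the dla-needed block is gone, so confirm the remaining CVE/list annotations for the package before dropping the block, or re-add it with a note listing what is deferred.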
[Git][security-tracker-team/security-tracker][master] 2 commits: Take dropbear and ruby-sinatra
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 8556a2e4 by Utkarsh Gupta at 2022-10-28T07:09:49+05:30 Take dropbear and ruby-sinatra - - - - - c25e0c74 by Utkarsh Gupta at 2022-10-28T07:10:52+05:30 Reserve DLA-3165-1 for expat - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[28 Oct 2022] DLA-3165-1 expat - security update + {CVE-2022-43680} + [buster] - expat 2.2.6-2+deb10u6 [27 Oct 2022] DLA-3164-1 python-django - security update {CVE-2020-24583 CVE-2020-24584 CVE-2021-3281 CVE-2021-23336 CVE-2022-34265} [buster] - python-django 1:1.11.29-1+deb10u2 = data/dla-needed.txt = @@ -33,16 +33,13 @@ curl (Emilio) NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git NOTE: 20220904: Special attention: high popcon!. -- -dropbear +dropbear (Utkarsh) NOTE: 20221027: Programming language: C. -- exiv2 NOTE: 20220819: Programming language: C++. NOTE: 20220819: https://github.com/Exiv2/exiv2/commit/109d5df7abd329f141b500c92a00178d35a6bef3#diff-bd28aafd4c87975a3a236af74c2200db447587fa0bb4f43ba9beb98738c77b2aL292 does not directly apply, but a very quick glance suggests the earlier code may be equally vulnerable. (Chris Lamb) -- -expat (Utkarsh) - NOTE: 20221027: Programming language: C. --- firmware-nonfree NOTE: 20220906: Consider to check the severity of the issues again and judge whether a correction is worth it. -- 
@@ -175,7 +172,7 @@ rainloop NOTE: 20220913: also there's an unofficial one for CVE-2022-29360; NOTE: 20220913: Evaluate the situation and decide whether we should support or EOL this package (Beuc/front-desk) -- -ruby-sinatra +ruby-sinatra (Utkarsh) NOTE: 20220911: Programming language: ruby -- runc View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c4abbbd912486474c89abb9379b60448b299762e...c25e0c74fb63a70543c1386c3f66ad4cf47c267f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c4abbbd912486474c89abb9379b60448b299762e...c25e0c74fb63a70543c1386c3f66ad4cf47c267f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
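Review bot: The compare link spans two commits but the subject names only the "Take dropbear and ruby-sinatra" one; the more significant change is c25e0c74, which reserves DLA-3165-1 for expat (CVE-2022-43680, 2.2.6-2+deb10u6) and removes the expat block from dla-needed.txt, and a subject such as "Reserve DLA-3165-1 for expat" would make the list archive searchable for that DLA.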
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-3719/exiv2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c4abbbd9 by Salvatore Bonaccorso at 2022-10-27T22:59:47+02:00 Add CVE-2022-3719/exiv2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1267,7 +1267,10 @@ CVE-2022-3721 CVE-2022-3720 RESERVED CVE-2022-3719 (A vulnerability has been found in Exiv2 and classified as critical. Th ...) - TODO: check + - exiv2 (Vulnerable code not present) + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=51707 + NOTE: Introduced by: https://github.com/Exiv2/exiv2/commit/e4adf388aaaaf08fc0fc38419a5b0117b299 + NOTE: Fixed by: https://github.com/Exiv2/exiv2/commit/a38e124076138e529774d5ec9890d0731058115a CVE-2022-3718 (A vulnerability, which was classified as problematic, was found in Exi ...) TODO: check CVE-2022-3717 (A vulnerability, which was classified as critical, has been found in E ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4abbbd912486474c89abb9379b60448b299762e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4abbbd912486474c89abb9379b60448b299762e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
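Review bot: The "Introduced by" NOTE points at commit e4adf388aaaaf08fc0fc38419a5b0117b299, which is 36 hex digits rather than the 40 used by every other commit NOTE in this file (the "Fixed by" line directly below is a full 40-digit SHA); GitHub resolves the abbreviated form today, but the tracker convention is the full hash, so complete it. Also, `- exiv2 (Vulnerable code not present)` as rendered carries no `<not-affected>` tag; without it the entry parses as unfixed in unstable with a comment, so verify the tag is present in the committed line.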
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-3725/wireshark
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4e33720d by Salvatore Bonaccorso at 2022-10-27T22:48:10+02:00 Add CVE-2022-3725/wireshark - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1251,7 +1251,11 @@ CVE-2022-3727 CVE-2022-3726 RESERVED CVE-2022-3725 (Crash in the OPUS protocol dissector in Wireshark 3.6.0 to 3.6.8 allow ...) - TODO: check + - wireshark 4.0.0-1 + [bullseye] - wireshark (Vulnerable code not present) + [buster] - wireshark (Vulnerable code not present) + NOTE: https://www.wireshark.org/security/wnpa-sec-2022-07.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18378 CVE-2022-3724 RESERVED CVE-2022-3723 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e33720d04b802067c636cd1b6522090610d5a56 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e33720d04b802067c636cd1b6522090610d5a56 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
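Review bot: The CVE text scopes the crash to Wireshark 3.6.0 to 3.6.8 and the entry records 4.0.0-1 as the fixed unstable version, which is consistent, but the `[bullseye]` and `[buster]` lines assert "Vulnerable code not present" without saying why; a NOTE stating that those suites ship releases older than 3.6.0 (or that the OPUS dissector is absent there) would let the next triager verify the claim instead of re-deriving it from the two linked references.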
[Git][security-tracker-team/security-tracker][master] thunderbird DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ceda112d by Moritz Mühlenhoff at 2022-10-27T22:45:36+02:00 thunderbird DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[27 Oct 2022] DSA-5262-1 thunderbird - security update + {CVE-2022-42927 CVE-2022-42928 CVE-2022-42929 CVE-2022-42932} + [bullseye] - thunderbird 1:102.4.0-1~deb11u1 [26 Oct 2022] DSA-5261-1 chromium - security update {CVE-2022-3652 CVE-2022-3653 CVE-2022-3654 CVE-2022-3655 CVE-2022-3656 CVE-2022-3657 CVE-2022-3658 CVE-2022-3659 CVE-2022-3660 CVE-2022-3661} [bullseye] - chromium 107.0.5304.68-1~deb11u1 = data/dsa-needed.txt = @@ -62,5 +62,3 @@ sofia-sip sox patch needed for CVE-2021-40426, check with upstream -- -thunderbird (jmm) --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ceda112dd2a783ce7344ca6f65ec4a2b06466ea9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ceda112dd2a783ce7344ca6f65ec4a2b06466ea9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Take expat
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: de5f7258 by Utkarsh Gupta at 2022-10-28T02:02:00+05:30 Take expat - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -40,7 +40,7 @@ exiv2 NOTE: 20220819: Programming language: C++. NOTE: 20220819: https://github.com/Exiv2/exiv2/commit/109d5df7abd329f141b500c92a00178d35a6bef3#diff-bd28aafd4c87975a3a236af74c2200db447587fa0bb4f43ba9beb98738c77b2aL292 does not directly apply, but a very quick glance suggests the earlier code may be equally vulnerable. (Chris Lamb) -- -expat +expat (Utkarsh) NOTE: 20221027: Programming language: C. -- firmware-nonfree View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de5f7258cd990515294e553fc1713823b9d4c009 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de5f7258cd990515294e553fc1713823b9d4c009 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d4d262da by Salvatore Bonaccorso at 2022-10-27T22:14:21+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8960,9 +8960,9 @@ CVE-2022-40877 (Exam Reviewer Management System 1.0 is vulnerable to SQL Injecti CVE-2022-40876 RESERVED CVE-2022-40875 (Tenda AX1803 v1.0.0.1 was discovered to contain a heap overflow in the ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-40874 (Tenda AX1803 v1.0.0.1 was discovered to contain a heap overflow vulner ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-40873 RESERVED CVE-2022-40872 (An SQL injection vulnerability issue was discovered in Sourcecodester ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4d262daa57adf2a99d72b65e0a9b3b99bdb22ca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4d262daa57adf2a99d72b65e0a9b3b99bdb22ca You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dbc98a9a by Salvatore Bonaccorso at 2022-10-27T22:12:19+02:00 Process some NFUs - - - - - 5b8aef77 by Salvatore Bonaccorso at 2022-10-27T22:12:20+02:00 Add CVE-2022-3363/rdiffweb - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5175,7 +5175,7 @@ CVE-2022-41986 (Information disclosure vulnerability in Android App 'IIJ SmartKe CVE-2022-41814 RESERVED CVE-2022-41796 (Untrusted search path vulnerability in the installer of Content Transf ...) - TODO: check + NOT-FOR-US: installer of Content Transfer (for Windows) CVE-2022-41789 RESERVED CVE-2022-41611 @@ -6607,7 +6607,7 @@ CVE-2022-3365 CVE-2022-3364 (Allocation of Resources Without Limits or Throttling in GitHub reposit ...) - rdiffweb (bug #969974) CVE-2022-3363 (Business Logic Errors in GitHub repository ikus060/rdiffweb prior to 2 ...) - TODO: check + - rdiffweb (bug #969974) CVE-2022-3362 RESERVED CVE-2022-41850 (roccat_report_event in drivers/hid/hid-roccat.c in the Linux kernel th ...) @@ -6680,7 +6680,7 @@ CVE-2022-40967 CVE-2022-40965 RESERVED CVE-2022-40703 (CWE-302 Authentication Bypass by Assumed-Immutable Data in AliveCor Ka ...) - TODO: check + NOT-FOR-US: AliveCor Kardia App CVE-2022-40204 RESERVED CVE-2022-40202 @@ -6869,7 +6869,7 @@ CVE-2022-41713 CVE-2022-41712 RESERVED CVE-2022-41711 (Badaso version 2.6.0 allows an unauthenticated remote attacker to exec ...) - TODO: check + NOT-FOR-US: Badaso CVE-2022-41710 RESERVED CVE-2022-41709 (Markdownify version 1.4.1 allows an external attacker to execute arbit ...) @@ -10482,7 +10482,7 @@ CVE-2022-40240 CVE-2022-40239 RESERVED CVE-2022-40238 (A Remote Code Injection vulnerability exists in CERT software prior to ...) - TODO: check + NOT-FOR-US: CERT software CVE-2022-3169 (A flaw was found in the Linux kernel. A denial of service flaw may occ ...) - linux NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2125341 
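Review bot: CVE-2022-3363 is annotated `- rdiffweb (bug #969974)`, the same bug number as the CVE-2022-3364 line above it, with no fixed version and no state tag; if #969974 is the packaging (ITP/RFP) bug rather than a report of this specific issue, a NOTE naming the upstream release or commit that fixed the business-logic error would make the entry actionable once the package enters the archive, as was done for the other issues in this commit.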
@@ -12494,15 +12494,15 @@ CVE-2022-39357 (Winter is a free, open-source content management system based on CVE-2022-39356 RESERVED CVE-2022-39355 (Discourse Patreon enables syncronization between Discourse Groups and ...) - TODO: check + NOT-FOR-US: Discourse Patreon CVE-2022-39354 (SputnikVM, also called evm, is a Rust implementation of Ethereum Virtu ...) - TODO: check + NOT-FOR-US: Rust crate evm CVE-2022-39353 RESERVED CVE-2022-39352 RESERVED CVE-2022-39351 (Dependency-Track is a Component Analysis platform that allows organiza ...) - TODO: check + NOT-FOR-US: Dependency-Track CVE-2022-39350 (@dependencytrack/frontend is a Single Page Application (SPA) used in D ...) TODO: check CVE-2022-39349 (The Tasks.org Android app is an open-source app for to-do lists and re ...) @@ -12520,11 +12520,11 @@ CVE-2022-39344 CVE-2022-39343 RESERVED CVE-2022-39342 (OpenFGA is an authorization/permission engine. Versions prior to versi ...) - TODO: check + NOT-FOR-US: OpenFGA CVE-2022-39341 (OpenFGA is an authorization/permission engine. Versions prior to versi ...) - TODO: check + NOT-FOR-US: OpenFGA CVE-2022-39340 (OpenFGA is an authorization/permission engine. Prior to version 0.2.4, ...) - TODO: check + NOT-FOR-US: OpenFGA CVE-2022-39339 RESERVED CVE-2022-39338 @@ -13780,7 +13780,7 @@ CVE-2022-38872 CVE-2022-38871 RESERVED CVE-2022-38870 (Free5gc v3.2.1 is vulnerable to Information disclosure. ...) - TODO: check + NOT-FOR-US: free5GC CVE-2022-38869 RESERVED CVE-2022-38868 @@ -16119,7 +16119,7 @@ CVE-2022-2784 CVE-2022-2783 (In affected versions of Octopus Server it was identified that a sessio ...) NOT-FOR-US: Octopus CVE-2022-2782 (In affected versions of Octopus Server it is possible for a session to ...) - TODO: check + NOT-FOR-US: Octopus Server CVE-2022-2781 (In affected versions of Octopus Server it was identified that the same ...) NOT-FOR-US: Octopus CVE-2022-2780 (In affected versions of Octopus Server it is possible to use the Git C ...) 
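Review bot: CVE-2022-39351 (Dependency-Track) is set to NOT-FOR-US in this hunk while CVE-2022-39350 (@dependencytrack/frontend, the SPA for the same project) is left at `TODO: check` two lines below; unless the frontend is packaged separately in Debian, it should receive the same NOT-FOR-US treatment in the same pass so the two entries do not drift apart.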
@@ -18616,7 +18616,7 @@ CVE-2022-37204 (Final CMS 5.1.0 is vulnerable to SQL Injection. ...) CVE-2022-37203 (JFinal CMS 5.1.0 is vulnerable to SQL Injection. These interfaces do n ...) NOT-FOR-US: JFinal CMS CVE-2022-37202 (JFinal CMS 5.1.0 is vulnerable to SQL Injection via /admin/advicefeedb ...) - TODO: check + NOT-FOR-US: JFinal CMS CVE-2022-37201 (JFinal CMS 5.1.0 is vulnerable to SQL Injection. ...) NOT-FOR-US: JFinal CMS CVE-2022-37200 @@ -20355,13 +20355,13 @@ CVE-2022-36456 (TOTOLink A720R V4.1.5cu.532_B20210610 was
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 42fcc87f by security tracker role at 2022-10-27T20:10:24+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,1279 @@ +CVE-2023-20601 + RESERVED +CVE-2023-20600 + RESERVED +CVE-2023-20599 + RESERVED +CVE-2023-20598 + RESERVED +CVE-2023-20597 + RESERVED +CVE-2023-20596 + RESERVED +CVE-2023-20595 + RESERVED +CVE-2023-20594 + RESERVED +CVE-2023-20593 + RESERVED +CVE-2023-20592 + RESERVED +CVE-2023-20591 + RESERVED +CVE-2023-20590 + RESERVED +CVE-2023-20589 + RESERVED +CVE-2023-20588 + RESERVED +CVE-2023-20587 + RESERVED +CVE-2023-20586 + RESERVED +CVE-2023-20585 + RESERVED +CVE-2023-20584 + RESERVED +CVE-2023-20583 + RESERVED +CVE-2023-20582 + RESERVED +CVE-2023-20581 + RESERVED +CVE-2023-20580 + RESERVED +CVE-2023-20579 + RESERVED +CVE-2023-20578 + RESERVED +CVE-2023-20577 + RESERVED +CVE-2023-20576 + RESERVED +CVE-2023-20575 + RESERVED +CVE-2023-20574 + RESERVED +CVE-2023-20573 + RESERVED +CVE-2023-20572 + RESERVED +CVE-2023-20571 + RESERVED +CVE-2023-20570 + RESERVED +CVE-2023-20569 + RESERVED +CVE-2023-20568 + RESERVED +CVE-2023-20567 + RESERVED +CVE-2023-20566 + RESERVED +CVE-2023-20565 + RESERVED +CVE-2023-20564 + RESERVED +CVE-2023-20563 + RESERVED +CVE-2023-20562 + RESERVED +CVE-2023-20561 + RESERVED +CVE-2023-20560 + RESERVED +CVE-2023-20559 + RESERVED +CVE-2023-20558 + RESERVED +CVE-2023-20557 + RESERVED +CVE-2023-20556 + RESERVED +CVE-2023-20555 + RESERVED +CVE-2023-20554 + RESERVED +CVE-2023-20553 + RESERVED +CVE-2023-20552 + RESERVED +CVE-2023-20551 + RESERVED +CVE-2023-20550 + RESERVED +CVE-2023-20549 + RESERVED +CVE-2023-20548 + RESERVED +CVE-2023-20547 + RESERVED +CVE-2023-20546 + RESERVED +CVE-2023-20545 + RESERVED +CVE-2023-20544 + RESERVED +CVE-2023-20543 + RESERVED +CVE-2023-20542 + RESERVED +CVE-2023-20541 + RESERVED +CVE-2023-20540 + RESERVED +CVE-2023-20539 + RESERVED +CVE-2023-20538 + RESERVED +CVE-2023-20537 + RESERVED +CVE-2023-20536 + RESERVED +CVE-2023-20535 + RESERVED +CVE-2023-20534 + RESERVED +CVE-2023-20533 + RESERVED +CVE-2023-20532 + RESERVED +CVE-2023-20531 + RESERVED +CVE-2023-20530 + RESERVED +CVE-2023-20529 + RESERVED 
+CVE-2023-20528 + RESERVED +CVE-2023-20527 + RESERVED +CVE-2023-20526 + RESERVED +CVE-2023-20525 + RESERVED +CVE-2023-20524 + RESERVED +CVE-2023-20523 + RESERVED +CVE-2023-20522 + RESERVED +CVE-2023-20521 + RESERVED +CVE-2023-20520 + RESERVED +CVE-2023-20519 + RESERVED +CVE-2023-20518 + RESERVED +CVE-2023-20517 + RESERVED +CVE-2023-20516 + RESERVED +CVE-2023-20515 + RESERVED +CVE-2023-20514 + RESERVED +CVE-2023-20513 + RESERVED +CVE-2023-20512 + RESERVED +CVE-2023-20511 + RESERVED +CVE-2023-20510 + RESERVED +CVE-2023-20509 + RESERVED +CVE-2023-20508 + RESERVED +CVE-2023-20507 + RESERVED +CVE-2023-20506 + RESERVED +CVE-2023-20505 + RESERVED +CVE-2023-20504 + RESERVED +CVE-2023-20503 + RESERVED +CVE-2023-20502 + RESERVED +CVE-2023-20501 + RESERVED +CVE-2023-20500 + RESERVED +CVE-2023-20499 + RESERVED +CVE-2023-20498 + RESERVED +CVE-2023-20497 + RESERVED +CVE-2023-20496 + RESERVED +CVE-2023-20495 + RESERVED +CVE-2023-20494 + RESERVED +CVE-2023-20493 + RESERVED +CVE-2023-20492 + RESERVED +CVE-2023-20491 + RESERVED +CVE-2023-20490 + RESERVED +CVE-2023-20489 + RESERVED +CVE-2023-20488 + RESERVED +CVE-2023-20487 + RESERVED +CVE-2023-20486 + RESERVED +CVE-2023-20485 + RESERVED +CVE-2023-20484 + RESERVED +CVE-2023-20483 + RESERVED +CVE-2023-20482 + RESERVED +CVE-2023-20481 + RESERVED +CVE-2023-20480 + RESERVED +CVE-2023-20479 + RESERVED +CVE-2023-20478 + RESERVED +CVE-2023-20477 + RESERVED +CVE-2023-20476 + RESERVED +CVE-2023-20475 + RESERVED +CVE-2023-20474 + RESERVED +CVE-2023-20473 + RESERVED +CVE-2023-20472 + RESERVED +CVE-2023-20471 + RESERVED +CVE-2023-20470 + RESERVED +CVE-2023-20469 + RESERVED +CVE-2023-20468 + RESERVED +CVE-2023-20467 + RESERVED +CVE-2023-20466 + RESERVED +CVE-2023-20465 + RESERVED +CVE-2023-20464 + RESERVED +CVE-2023-20463 + RESERVED +CVE-2023-20462 + RESERVED +CVE-2023-20461 +
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-3474/bazel
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b8506162 by Salvatore Bonaccorso at 2022-10-27T22:01:50+02:00 Add CVE-2022-3474/bazel - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2867,7 +2867,7 @@ CVE-2022-3476 CVE-2022-3475 RESERVED CVE-2022-3474 (A bad credential handling in the remote assets API for Bazel versions ...) - TODO: check + - bazel (bug #979846) CVE-2022-3473 (A vulnerability classified as critical has been found in SourceCodeste ...) NOT-FOR-US: SourceCodester CVE-2022-3472 (A vulnerability was found in SourceCodester Human Resource Management ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b850616274d1ba7cd413bf8a46a6bf7d0fcff8c4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b850616274d1ba7cd413bf8a46a6bf7d0fcff8c4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
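Review bot: `- bazel (bug #979846)` records neither a fixed version nor a state tag, the same shape this file uses for packages that exist only as an ITP/RFP bug; the entry also has no NOTE, although the description refers to credential handling in the remote assets API, so a reference to the upstream advisory or fixing commit would let the next pass confirm whether the Debian package, if and when it exists, carries that code.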
[Git][security-tracker-team/security-tracker][master] Track proposed update for powerline-gitstatus via bullseye-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 96fa6f55 by Salvatore Bonaccorso at 2022-10-27T21:48:33+02:00 Track proposed update for powerline-gitstatus via bullseye-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -38,3 +38,5 @@ CVE-2022-22846 [bullseye] - python-dnslib 0.9.14-1+deb11u1 CVE-2022-3517 [bullseye] - node-minimatch 3.0.4+~3.0.3-1+deb11u1 +CVE-2022-42906 + [bullseye] - powerline-gitstatus 1.3.2-0+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96fa6f55d82c4b52373f8318d05cbe5577422559 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96fa6f55d82c4b52373f8318d05cbe5577422559 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
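Review bot: The proposed bullseye version 1.3.2-0+deb11u1 has a `-0+deb11u1` revision, i.e. a new upstream release (1.3.2) packaged for bullseye rather than a targeted backport of the CVE-2022-42906 fix onto the existing bullseye version; point updates normally expect the minimal change, so the bullseye-pu bug should state why the full upstream bump is the smallest safe fix, and the tracker entry should be updated to the released version only once the release team has accepted it.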
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e7d3165 by Salvatore Bonaccorso at 2022-10-27T21:47:08+02:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -612,7 +612,7 @@ CVE-2022-43679 CVE-2022-43678 RESERVED CVE-2022-43677 (In free5GC 3.2.1, a malformed NGAP message can crash the AMF and NGAP ...) - TODO: check + NOT-FOR-US: free5GC CVE-2022-43676 RESERVED CVE-2022-43675 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e7d3165266f184831e27117966e4bc26572c3a8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e7d3165266f184831e27117966e4bc26572c3a8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] batik fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f15f0b6 by Moritz Mühlenhoff at 2022-10-27T21:15:43+02:00 batik fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2856,7 +2856,7 @@ CVE-2022-42892 CVE-2022-42891 RESERVED CVE-2022-42890 (A vulnerability in Batik of Apache XML Graphics allows an attacker to ...) - - batik + - batik 1.16+dfsg-1 NOTE: https://www.openwall.com/lists/oss-security/2022/10/25/3 NOTE: https://issues.apache.org/jira/browse/BATIK-1345 NOTE: http://svn.apache.org/viewvc?view=revision=1904549 @@ -5607,7 +5607,7 @@ CVE-2022-41706 CVE-2022-41705 RESERVED CVE-2022-41704 (A vulnerability in Batik of Apache XML Graphics allows an attacker to ...) - - batik + - batik 1.16+dfsg-1 NOTE: https://www.openwall.com/lists/oss-security/2022/10/25/2 NOTE: https://issues.apache.org/jira/browse/BATIK-1338 NOTE: http://svn.apache.org/viewvc?view=revision=1904320 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f15f0b6b7fc1fabaa5ba5d7ce76901b78e4c572 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f15f0b6b7fc1fabaa5ba5d7ce76901b78e4c572 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
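Review bot: The context NOTE lines for both Batik issues read `viewvc?view=revision=1904549` and `viewvc?view=revision=1904320`, a query string with two `=` and no second parameter name; the usual form is `viewvc?view=revision&revision=<N>`, so check whether the `&revision` part is missing in the committed file or was only lost in this mail rendering, and fix it alongside the version bump if it is the former.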
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-3704/rails
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 313600d4 by Salvatore Bonaccorso at 2022-10-27T21:11:59+02:00 Add CVE-2022-3704/rails - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -388,7 +388,9 @@ CVE-2022-3705 (A vulnerability was found in vim and classified as problematic. A - vim NOTE: ttps://github.com/vim/vim/commit/d0fab10ed2a86698937e3c3fed2f10bd9bb5e731 (v9.0.0805) CVE-2022-3704 (A vulnerability classified as problematic has been found in Ruby on Ra ...) - TODO: check + - rails + NOTE: https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4 + NOTE: https://github.com/rails/rails/issues/46244 CVE-2022-3703 RESERVED CVE-2022-3702 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/313600d4c21c8382a406d66ce7336b68ce34d912 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/313600d4c21c8382a406d66ce7336b68ce34d912 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
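Review bot: The context line just above the change still reads `NOTE: ttps://github.com/vim/vim/commit/...`, missing the leading `h` (it is corrected later in this list by commit 3fbfc044); the rails entry added here has a fixing commit and the upstream issue but no fixed version, so it counts as unfixed in unstable until a rails upload carrying be177e45 is recorded.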
[Git][security-tracker-team/security-tracker][master] Add upstream tag information for CVE-2020-21599
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 73017f53 by Salvatore Bonaccorso at 2022-10-27T20:34:38+02:00 Add upstream tag information for CVE-2020-21599 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -160405,7 +160405,7 @@ CVE-2020-21599 (libde265 v1.0.4 contains a heap buffer overflow in the de265_ima [buster] - libde265 (Minor issue, revisit when fixed upstream) [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/235 - NOTE: https://github.com/strukturag/libde265/commit/a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 + NOTE: https://github.com/strukturag/libde265/commit/a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 (v1.0.9) CVE-2020-21598 (libde265 v1.0.4 contains a heap buffer overflow in the ff_hevc_put_unw ...) - libde265 (bug #1004963) [bullseye] - libde265 (Minor issue, revisit when fixed upstream) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73017f53148d074b18903db568c7bdf49c31d2a1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73017f53148d074b18903db568c7bdf49c31d2a1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
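Review bot: Now that the fix is known to be in tagged release v1.0.9, the `[buster]` and `[stretch]` context lines saying "Minor issue, revisit when fixed upstream" are stale, because the "when fixed upstream" condition is met; they should be re-evaluated, or reworded to give the reason the issue stays unfixed in those suites. The same applies to CVE-2020-21598 directly below, which carries the identical annotations, if its fix is also in v1.0.9.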
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3164-1 for python-django
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a0a2559 by Chris Lamb at 2022-10-27T11:18:45-07:00 Reserve DLA-3164-1 for python-django - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -118518,7 +118518,6 @@ CVE-2021-3282 (HashiCorp Vault Enterprise 1.6.0 1.6.1 allowed the `remove- CVE-2021-3281 (In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, ...) {DLA-2540-1} - python-django 2:2.2.18-1 (bug #981562) - [buster] - python-django (Minor issue) NOTE: https://www.djangoproject.com/weblog/2021/feb/01/security-releases/ NOTE: https://github.com/django/django/commit/05413afa8c18cdb978fcdf470e09f7a12b234a23 (master) NOTE: https://github.com/django/django/commit/21e7622dec1f8612c85c2fc37fe8efbfd3311e37 (2.2.18) @@ -124993,7 +124992,6 @@ CVE-2021-23337 (Lodash versions prior to 4.17.21 are vulnerable to Command Injec CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 3.7.0 and be ...) {DLA-2628-1 DLA-2619-1 DLA-2569-1} - python-django 2:2.2.19-1 (bug #983090) - [buster] - python-django (Minor issue; can be fixed via point release) - python3.9 3.9.2-1 [buster] - python3.9 (Will break existing applications, don't backport to released suites) - python3.8 @@ -153881,7 +153879,6 @@ CVE-2020-24585 (An issue was discovered in the DTLS handshake implementation in NOTE: https://github.com/wolfSSL/wolfssl/commit/3be7f3ea3a56d178acf0f7f84ee4ae8cbfee8915 (v4.5.0-stable) CVE-2020-24584 (An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10 ...) - python-django 2:2.2.16-1 (bug #969367) - [buster] - python-django (Fix along in future DSA) [stretch] - python-django (Requires Python 3.7+) NOTE: https://github.com/django/django/commit/1853724acaf17ed7414d54c7d2b5563a25025a71 (master) NOTE: https://github.com/django/django/commit/2b099caa5923afa8cfb5f1e8c0d56b6e0e81915b (3.1.1) 
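Review bot: Removing the `[buster] - python-django ...` lines for CVE-2021-3281, CVE-2021-23336 and CVE-2020-24584 is correct only if the DLA-3164-1 entry in data/DLA/list names each of them, since the buster state is then derived from that entry; note that CVE-2021-23336 is also tracked against python3.9 and python3.8, whose buster annotations are left untouched here, so the DLA should be understood as covering the Django side only and the python3.x state remains as before.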
@@ -153889,7 +153886,6 @@ CVE-2020-24584 (An issue was discovered in Django 2.2 before 2.2.16, 3.0 before NOTE: https://github.com/django/django/commit/a3aebfdc8153dc230686b6d2454ccd32ed4c9e6f (2.2.16) CVE-2020-24583 (An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10 ...) - python-django 2:2.2.16-1 (bug #969367) - [buster] - python-django (Fix along in future DSA) [stretch] - python-django (Requires Python 3.7+) NOTE: https://github.com/django/django/commit/8d7271578d7b153435b40fe40236ebec43cbf1b9 (master) NOTE: https://github.com/django/django/commit/934430d22aa5d90c2ba33495ff69a6a1d997d584 (3.1.1) = data/DLA/list = @@ -1,3 +1,6 @@ +[27 Oct 2022] DLA-3164-1 python-django - security update + {CVE-2020-24583 CVE-2020-24584 CVE-2021-3281 CVE-2021-23336 CVE-2022-34265} + [buster] - python-django 1:1.11.29-1+deb10u2 [26 Oct 2022] DLA-3163-1 wordpress - security update [buster] - wordpress 5.0.18+dfsg1-0+deb10u1 [26 Oct 2022] DLA-3162-1 libdatetime-timezone-perl - new timezone database = data/dla-needed.txt = 
@@ -149,14 +149,6 @@ pluxml NOTE: 20220913: Programming language: PHP. NOTE: 20220913: Special attention: orphaned package. -- -python-django (Chris Lamb) - NOTE: 20220911: Programming language: Python - NOTE: 20220911: There are many minors issues that should be done in a point release. No further point releases for buster. - NOTE: 20220911: Some issue was fixed in stretch so it should also be fixed for buster. - NOTE: 20221018: There are 4 CVEs on the debian/buster branch that are seemingly unreleased: CVE-2020-24583, CVE-2020-24584, CVE-2021-3281 and CVE-2021-23336. (lamby) - NOTE: 20221018: This leaves 8 CVEs that need fixing, either simply because the code is vulnerable or the issue has already been fixed in stretch: CVE-2022-34265, CVE-2022-28346, CVE-2022-23833, CVE-2022-22818, CVE-2021-33571, CVE-2021-33203, CVE-2021-31542 & CVE-2021-28658 (lamby) - NOTE: 20221027: To clarify, only the first CVE mentioned in the previous comment (CVE-2022-34265) is vulnerable and not fixed in stretch, and the other seven have already been fixed in stretch. I plan to fix these remaining 1 CVE and release (with 5 total CVEs) instead of trying to co-ordinate a release with 12 (!) new patches. I can address them later. (lamby) --- python-scciclient NOTE: 20221009: Programming language: Python. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a0a2559b2fbf88b59b56b8d70e9a820d30c4eaa
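Review bot: the new DLA-3164-1 entry in data/DLA/list lists five CVEs, but the data/CVE/list hunks only drop the `[buster] - python-django (...)` annotations for CVE-2021-3281, CVE-2021-23336, CVE-2020-24584 and CVE-2020-24583; please confirm that the CVE-2022-34265 entry carries no postponed `[buster]` annotation of its own, otherwise buster will still be reported as open for that CVE after the DLA is published.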
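Review bot: the data/dla-needed.txt hunk removes the whole python-django block, including the 20221027 note that seven further CVEs (CVE-2022-28346, CVE-2022-23833, CVE-2022-22818, CVE-2021-33571, CVE-2021-33203, CVE-2021-31542 and CVE-2021-28658) are to be addressed later; consider re-adding a python-django entry with that note so the deferred work stays visible on the list rather than only in git history.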
[Git][security-tracker-team/security-tracker][master] dla-needed.txt: No, CVE-2022-28346 is fixed in stretch like the others.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: eea9c40b by Chris Lamb at 2022-10-27T10:36:55-07:00 dla-needed.txt: No, CVE-2022-28346 is fixed in stretch like the others. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = 
@@ -155,7 +155,7 @@ python-django (Chris Lamb) NOTE: 20220911: Some issue was fixed in stretch so it should also be fixed for buster. NOTE: 20221018: There are 4 CVEs on the debian/buster branch that are seemingly unreleased: CVE-2020-24583, CVE-2020-24584, CVE-2021-3281 and CVE-2021-23336. (lamby) NOTE: 20221018: This leaves 8 CVEs that need fixing, either simply because the code is vulnerable or the issue has already been fixed in stretch: CVE-2022-34265, CVE-2022-28346, CVE-2022-23833, CVE-2022-22818, CVE-2021-33571, CVE-2021-33203, CVE-2021-31542 & CVE-2021-28658 (lamby) - NOTE: 20221027: To clarify, the first two CVEs mentioned in the previous comment (CVE-2022-34265 & CVE-2022-28346) are vulnerable and not fixed in stretch, and the next six have already been fixed in stretch. I plan to fix these remaining 2 CVEs and release (with 6 total CVEs), instead of trying to co-ordinate a release with 12 (!) new patches. I can address them later. (lamby) + NOTE: 20221027: To clarify, only the first CVE mentioned in the previous comment (CVE-2022-34265) is vulnerable and not fixed in stretch, and the other seven have already been fixed in stretch. I plan to fix these remaining 1 CVE and release (with 5 total CVEs) instead of trying to co-ordinate a release with 12 (!) new patches. I can address them later. (lamby) -- python-scciclient NOTE: 20221009: Programming language: Python. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eea9c40b76b2fbd02c5242fef5b3ba0b6fc6dc92
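Review bot: style only, `these remaining 1 CVE` in the replacement note should read `this remaining CVE`; the counts themselves are consistent with the 20221018 notes above (4 unreleased on debian/buster plus 1 unfixed gives the stated 5 total).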
[Git][security-tracker-team/security-tracker][master] dla-needed.txt: Update note for python-django.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 5bf26c2c by Chris Lamb at 2022-10-27T10:25:22-07:00 dla-needed.txt: Update note for python-django. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -155,6 +155,7 @@ python-django (Chris Lamb) NOTE: 20220911: Some issue was fixed in stretch so it should also be fixed for buster. NOTE: 20221018: There are 4 CVEs on the debian/buster branch that are seemingly unreleased: CVE-2020-24583, CVE-2020-24584, CVE-2021-3281 and CVE-2021-23336. (lamby) NOTE: 20221018: This leaves 8 CVEs that need fixing, either simply because the code is vulnerable or the issue has already been fixed in stretch: CVE-2022-34265, CVE-2022-28346, CVE-2022-23833, CVE-2022-22818, CVE-2021-33571, CVE-2021-33203, CVE-2021-31542 & CVE-2021-28658 (lamby) + NOTE: 20221027: To clarify, the first two CVEs mentioned in the previous comment (CVE-2022-34265 & CVE-2022-28346) are vulnerable and not fixed in stretch, and the next six have already been fixed in stretch. I plan to fix these remaining 2 CVEs and release (with 6 total CVEs), instead of trying to co-ordinate a release with 12 (!) new patches. I can address them later. (lamby) -- python-scciclient NOTE: 20221009: Programming language: Python. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5bf26c2c7247d7343313def881672b75c4495276
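Review bot: the added note states that CVE-2022-28346 is vulnerable and not fixed in stretch; that claim should be checked against the stretch tracker data before the buster release is planned around it, because if it is already fixed there the figures in the note become 1 remaining CVE and 5 total.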
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2022-41842,libcommons-jxpath-java: Link to proposed upstream changes
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 83af9505 by Markus Koschany at 2022-10-27T18:34:48+02:00 CVE-2022-41842,libcommons-jxpath-java: Link to proposed upstream changes The upstream discussion is ongoing. They intend to implement either a whitelist or a blacklist. Maven requires jxpath as a build-dependency. We should wait for the outcome of that discussion - - - - - 4c46ba1e by Markus Koschany at 2022-10-27T18:42:12+02:00 Add libcommons-jxpath-java to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -5178,6 +5178,8 @@ CVE-2022-41853 (Those using java.sql.Statement or java.sql.PreparedStatement in CVE-2022-41852 (Those using JXPath to interpret untrusted XPath expressions may be vul ...) - libcommons-jxpath-java NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133 + NOTE: https://github.com/apache/commons-jxpath/pull/25 + NOTE: https://github.com/apache/commons-jxpath/pull/26 CVE-2022-41851 (A vulnerability has been identified in JTTK (All versions V11.1.1 ...) NOT-FOR-US: JTTK CVE-2022-41836 (When an 'Attack Signature False Positive Mode' enabled security policy ...) = data/dla-needed.txt = 
@@ -98,6 +98,10 @@ kopanocore NOTE: 20220801: Programming language: C++. NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973) -- +libcommons-jxpath-java + NOTE: 20221027: Programming language: Java. + NOTE: 20221027: Maintainer notes: Wait for the outcome of upstream discussion. See CVE-2022-41852 for pull requests. +-- libreoffice NOTE: 20221012: Programming language: C++. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/257634c3285ad3cb989508e20d4703e596835672...4c46ba1ef93f6027787ca6fba7577590eb6f91f5
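Review bot: the subject of commit 83af9505 refers to CVE-2022-41842, but the data/CVE/list hunk edits the CVE-2022-41852 entry (JXPath), which is also the identifier the new dla-needed.txt note points to; the subject line looks like a typo and is worth noting so nobody searches the log for the wrong CVE.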
[Git][security-tracker-team/security-tracker][master] 3 commits: Add expat to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 06e7cc80 by Markus Koschany at 2022-10-27T18:05:46+02:00 Add expat to dla-needed.txt - - - - - d4e9c895 by Markus Koschany at 2022-10-27T18:06:58+02:00 Add dropbear to dla-needed.txt - - - - - 257634c3 by Markus Koschany at 2022-10-27T18:16:25+02:00 Add graphicsmagick to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -33,10 +33,16 @@ curl (Emilio) NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git NOTE: 20220904: Special attention: high popcon!. -- +dropbear + NOTE: 20221027: Programming language: C. +-- exiv2 NOTE: 20220819: Programming language: C++. NOTE: 20220819: https://github.com/Exiv2/exiv2/commit/109d5df7abd329f141b500c92a00178d35a6bef3#diff-bd28aafd4c87975a3a236af74c2200db447587fa0bb4f43ba9beb98738c77b2aL292 does not directly apply, but a very quick glance suggests the earlier code may be equally vulnerable. (Chris Lamb) -- +expat + NOTE: 20221027: Programming language: C. +-- firmware-nonfree NOTE: 20220906: Consider to check the severity of the issues again and judge whether a correction is worth it. -- 
@@ -73,6 +79,9 @@ golang-websocket NOTE: 20220915: 1 CVE fixed in stretch and bullseye (golang-github-gorilla-websocket) (Beuc/front-desk) NOTE: 20220915: Special attention: limited support; requires rebuilding reverse dependencies -- +graphicsmagick + NOTE: 20221027: Programming language: C. +-- imagemagick (gladk) NOTE: 20220904: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/92d3b469317cb0a0f5f00aabf5ff51e1bfd9175d...257634c3285ad3cb989508e20d4703e596835672
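Review bot: the three new entries (dropbear, expat, graphicsmagick) record only the programming language, whereas neighbouring entries such as curl (Emilio) and imagemagick (gladk) also carry a `NOTE: VCS:` line pointing at the lts-team packaging repository; adding that line where such a repository exists saves the eventual claimant a lookup.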
[Git][security-tracker-team/security-tracker][master] one libde265 issue fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 92d3b469 by Moritz Mühlenhoff at 2022-10-27T16:46:10+02:00 one libde265 issue fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -160402,11 +160402,12 @@ CVE-2020-21600 (libde265 v1.0.4 contains a heap buffer overflow in the put_weigh [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/243 CVE-2020-21599 (libde265 v1.0.4 contains a heap buffer overflow in the de265_image::av ...) - - libde265 (bug #1014999) - [bullseye] - libde265 (Minor issue, revisit when fixed upstream) + - libde265 1.0.9-1 (bug #1014999) + [bullseye] - libde265 (Minor issue) [buster] - libde265 (Minor issue, revisit when fixed upstream) [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/235 + NOTE: https://github.com/strukturag/libde265/commit/a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 CVE-2020-21598 (libde265 v1.0.4 contains a heap buffer overflow in the ff_hevc_put_unw ...) - libde265 (bug #1004963) [bullseye] - libde265 (Minor issue, revisit when fixed upstream) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92d3b469317cb0a0f5f00aabf5ff51e1bfd9175d
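Review bot: the buster and stretch lines for CVE-2020-21599 still read `(Minor issue, revisit when fixed upstream)` even though the upstream fix commit a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 is now linked and the bullseye line was shortened to `(Minor issue)`; the two remaining `revisit` markers are stale and should be updated in the same way so the LTS teams do not keep waiting on an upstream fix that already exists.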
[Git][security-tracker-team/security-tracker][master] two etcd issues fixed in experimental
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f952b859 by Moritz Mühlenhoff at 2022-10-27T16:13:36+02:00 two etcd issues fixed in experimental - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -324449,6 +324449,7 @@ CVE-2018-1100 (zsh through version 5.4.2 is vulnerable to a stack-based buffer o NOTE: https://www.zsh.org/cgi-bin/mla/redirect?WORKERNUMBER=42607 NOTE: https://sourceforge.net/p/zsh/code/ci/31f72205630687c1cef89347863aab355296a27f/ CVE-2018-1099 (DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attack ...) + [experimental] - etcd 3.5.5-1 - etcd (low; bug #921156) [bullseye] - etcd (Minor issue) [buster] - etcd (Minor issue) @@ -324456,6 +324457,7 @@ CVE-2018-1099 (DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An a NOTE: https://github.com/etcd-io/etcd/pull/9372 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1552717 CVE-2018-1098 (A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. ...) + [experimental] - etcd 3.5.5-1 - etcd (low; bug #921156) [bullseye] - etcd (Minor issue) [buster] - etcd (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f952b859a68feb8bccb3e86acfcde207e5ef98e8
[Git][security-tracker-team/security-tracker][master] additional sqlite reference
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 13d24bca by Moritz Mühlenhoff at 2022-10-27T12:26:12+02:00 additional sqlite reference - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21079,6 +21079,7 @@ CVE-2022-35737 (SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an a - sqlite3 3.39.2-1 (unimportant) NOTE: https://sqlite.org/forum/forumpost/3607259d3c NOTE: Debian sqlite3 packages not compiled with -DSQLITE_ENABLE_STAT4 + NOTE: https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/ CVE-2022-35736 RESERVED CVE-2022-35724 (It is possible to provide data to be read that leads the reader to loo ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13d24bcab93a5dafac1acef6e9d6363f72fed373
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-3705/vim
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ecf26d88 by Salvatore Bonaccorso at 2022-10-27T11:01:52+02:00 Add CVE-2022-3705/vim - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -385,7 +385,8 @@ CVE-2022-43762 CVE-2022-43761 RESERVED CVE-2022-3705 (A vulnerability was found in vim and classified as problematic. Affect ...) - TODO: check + - vim + NOTE: ttps://github.com/vim/vim/commit/d0fab10ed2a86698937e3c3fed2f10bd9bb5e731 (v9.0.0805) CVE-2022-3704 (A vulnerability classified as problematic has been found in Ruby on Ra ...) TODO: check CVE-2022-3703 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ecf26d88b01a85207bc17e23e427c1028f9f6fa3
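Review bot: the added NOTE URL is missing its leading `h` (`ttps://github.com/vim/...`), so the reference will not resolve as a link in the tracker; it should read `NOTE: https://github.com/vim/vim/commit/d0fab10ed2a86698937e3c3fed2f10bd9bb5e731 (v9.0.0805)`.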
[Git][security-tracker-team/security-tracker][master] lts: CVE-2022-42916/curl n/a on buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 0de69910 by Emilio Pozuelo Monfort at 2022-10-27T10:31:05+02:00 lts: CVE-2022-42916/curl n/a on buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2741,6 +2741,7 @@ CVE-2022-42917 CVE-2022-42916 [HSTS bypass via IDN] RESERVED - curl + [buster] - curl (Vulnerable code not present) NOTE: https://curl.se/docs/CVE-2022-42916.html NOTE: Introduced with: https://github.com/curl/curl/commit/7385610d0c74c6a254fea5e4cd6e1d559d848c8c (curl-7_74_0) NOTE: Enabled by default since: https://github.com/curl/curl/commit/d71ff2b9db566b3f4b2eb29441c2df86715d4339 (curl-7_77_0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0de69910f43e1c2f2879471741c405345bb1188b
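Review bot: the new `[buster] - curl (Vulnerable code not present)` line is consistent with the `Introduced with ... (curl-7_74_0)` note that follows it, but the entry carries no `[bullseye]` assessment yet; the same version comparison against curl-7_74_0 (and the `Enabled by default since ... curl-7_77_0` note, which matters for how exposed a build is) should be recorded for bullseye so that suite is not left implicitly open.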
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: faf49d27 by security tracker role at 2022-10-27T08:10:15+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,45 @@ +CVE-2022-43945 + RESERVED +CVE-2022-43944 + RESERVED +CVE-2022-43943 + RESERVED +CVE-2022-43942 + RESERVED +CVE-2022-43941 + RESERVED +CVE-2022-43940 + RESERVED +CVE-2022-43939 + RESERVED +CVE-2022-43938 + RESERVED +CVE-2022-43937 + RESERVED +CVE-2022-43936 + RESERVED +CVE-2022-43935 + RESERVED +CVE-2022-43934 + RESERVED +CVE-2022-43933 + RESERVED +CVE-2022-3713 + RESERVED +CVE-2022-3712 + RESERVED +CVE-2022-3711 + RESERVED +CVE-2022-3710 + RESERVED +CVE-2022-3709 + RESERVED +CVE-2022-3708 + RESERVED +CVE-2022-3707 + RESERVED +CVE-2022-3706 + RESERVED CVE-2022-43932 RESERVED CVE-2022-43931 @@ -342,10 +384,10 @@ CVE-2022-43762 RESERVED CVE-2022-43761 RESERVED -CVE-2022-3705 - RESERVED -CVE-2022-3704 - RESERVED +CVE-2022-3705 (A vulnerability was found in vim and classified as problematic. Affect ...) + TODO: check +CVE-2022-3704 (A vulnerability classified as problematic has been found in Ruby on Ra ...) + TODO: check CVE-2022-3703 RESERVED CVE-2022-3702 @@ -5282,8 +5324,8 @@ CVE-2022-3365 RESERVED CVE-2022-3364 (Allocation of Resources Without Limits or Throttling in GitHub reposit ...) - rdiffweb (bug #969974) -CVE-2022-3363 - RESERVED +CVE-2022-3363 (Business Logic Errors in GitHub repository ikus060/rdiffweb prior to 2 ...) + TODO: check CVE-2022-3362 RESERVED CVE-2022-41850 (roccat_report_event in drivers/hid/hid-roccat.c in the Linux kernel th ...) @@ -5355,8 +5397,8 @@ CVE-2022-40967 RESERVED CVE-2022-40965 RESERVED -CVE-2022-40703 - RESERVED +CVE-2022-40703 (CWE-302 Authentication Bypass by Assumed-Immutable Data in AliveCor Ka ...) + TODO: check CVE-2022-40204 RESERVED CVE-2022-40202 
@@ -11169,8 +11211,8 @@ CVE-2022-39357 (Winter is a free, open-source content management system based on NOT-FOR-US: Winter CVE-2022-39356 RESERVED -CVE-2022-39355 - RESERVED +CVE-2022-39355 (Discourse Patreon enables syncronization between Discourse Groups and ...) + TODO: check CVE-2022-39354 (SputnikVM, also called evm, is a Rust implementation of Ethereum Virtu ...) TODO: check CVE-2022-39353 @@ -11183,8 +11225,8 @@ CVE-2022-39350 (@dependencytrack/frontend is a Single Page Application (SPA) use TODO: check CVE-2022-39349 (The Tasks.org Android app is an open-source app for to-do lists and re ...) TODO: check -CVE-2022-39348 - RESERVED +CVE-2022-39348 (Twisted is an event-based framework for internet applications. Started ...) + TODO: check CVE-2022-39347 RESERVED CVE-2022-39346 @@ -11319,8 +11361,8 @@ CVE-2022-39288 (fastify is a fast and low overhead web framework, for Node.js. A NOT-FOR-US: Node fastify CVE-2022-39287 (tiny-csrf is a Node.js cross site request forgery (CSRF) protection mi ...) NOT-FOR-US: tiny-csrf Nodejs module -CVE-2022-39286 - RESERVED +CVE-2022-39286 (Jupyter Core is a package for the core common functionality of Jupyter ...) + TODO: check CVE-2022-39285 (ZoneMinder is a free, open source Closed-circuit television software a ...) - zoneminder 1.36.31+dfsg1-1 (unimportant; bug #1021565) NOTE: https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-h6xp-cvwv-q433 @@ -14794,8 +14836,8 @@ CVE-2022-2784 RESERVED CVE-2022-2783 (In affected versions of Octopus Server it was identified that a sessio ...) NOT-FOR-US: Octopus -CVE-2022-2782 - RESERVED +CVE-2022-2782 (In affected versions of Octopus Server it is possible for a session to ...) + TODO: check CVE-2022-2781 (In affected versions of Octopus Server it was identified that the same ...) NOT-FOR-US: Octopus CVE-2022-2780 (In affected versions of Octopus Server it is possible to use the Git C ...) 
@@ -19342,8 +19384,8 @@ CVE-2022-2509 (A vulnerability found in gnutls. This security flaw happens becau NOTE: https://gnutls.org/security-new.html#GNUTLS-SA-2022-07-07 NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1383 (restricted) NOTE: https://gitlab.com/gnutls/gnutls/-/commit/ce37f9eb265dbe9b6d597f5767449e8ee95848e2 -CVE-2022-2508 - RESERVED +CVE-2022-2508 (In affected versions of Octopus Server it is possible to reveal the ex ...) + TODO: check CVE-2022-2507 RESERVED CVE-2022-2506 @@ -48872,8 +48914,8 @@ CVE-2022-25921 (All versions of package morgan-json are vulnerable to Arbitrary
[Git][security-tracker-team/security-tracker][master] lts: take curl
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 8e028103 by Emilio Pozuelo Monfort at 2022-10-27T08:36:38+02:00 lts: take curl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -28,7 +28,7 @@ clickhouse NOTE: 20221003: One pull request closes several CVEs. NOTE: 20221003: Please evaluate, whether it can be applied. -- -curl +curl (Emilio) NOTE: 20220901: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git NOTE: 20220904: Special attention: high popcon!. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e028103b1a5b93a444e0b333bacb0e6f9704fc7
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-3697/ansible
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fe5d1e9f by Salvatore Bonaccorso at 2022-10-27T08:32:41+02:00 Add CVE-2022-3697/ansible - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -358,8 +358,11 @@ CVE-2022-3699 RESERVED CVE-2022-3698 RESERVED -CVE-2022-3697 +CVE-2022-3697 [improper handling of tower_callback parameter in amazon.aws collection] RESERVED + - ansible + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2137664 + NOTE: https://github.com/ansible-collections/amazon.aws/pull/1199 CVE-2022-3696 RESERVED CVE-2022-3695 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe5d1e9fe84501b8a44c5a135ee0329773ee9baf
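Review bot: the bracketed title locates the flaw in the amazon.aws collection (`tower_callback` parameter), yet the entry is attached to the `ansible` source package with no version or suite annotations; please confirm that the Debian ansible package actually bundles that collection in the versions being tracked, otherwise the entry belongs on whichever source ships it, and add the fixed version once the linked pull/1199 is released.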