Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: 59300f89 by Moritz Muehlenhoff at 2022-02-07T23:03:36+01:00 buster/bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -3913,11 +3913,10 @@ CVE-2022-0285 (Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore NOT-FOR-US: pimcore CVE-2022-0284 RESERVED - - imagemagick <undetermined> + - imagemagick <not-affected> (Specific to IM7) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2045943 NOTE: https://github.com/ImageMagick/ImageMagick/issues/4729 NOTE: https://github.com/ImageMagick/ImageMagick/commit/e50f19fd73c792ebe912df8ab83aa51a243a3da7 - TODO: check if it affects ImageMagick6 CVE-2022-0283 RESERVED CVE-2022-0282 (Code Injection in Packagist microweber/microweber prior to 1.2.11. ...) @@ -6249,6 +6248,7 @@ CVE-2022-22814 RESERVED CVE-2022-0155 (follow-redirects is vulnerable to Exposure of Private Personal Informa ...) - node-follow-redirects 1.14.7+~1.13.1-1 + [bullseye] - node-follow-redirects <no-dsa> (Minor issue) [buster] - node-follow-redirects <ignored> (Minor issue, too intrusive to backport) NOTE: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406 NOTE: https://github.com/follow-redirects/follow-redirects/issues/183 
@@ -7954,18 +7954,26 @@ CVE-2021-46047 (A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the NOTE: https://github.com/gpac/gpac/commit/dd2e8b1b9378a9679de8e7e5dcb2d7841acd5dbd CVE-2021-46046 (A Pointer Derefernce Vulnerbility exists GPAC 1.0.1 the gf_isom_box_si ...) - gpac <unfixed> + [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <no-dsa> (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2005 NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f CVE-2021-46045 (GPAC 1.0.1 is affected by: Abort failed. The impact is: cause a denial ...) - gpac <unfixed> + [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <no-dsa> (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2007 NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f CVE-2021-46044 (A Pointer Dereference Vulnerabilty exists in GPAC 1.0.1via ShiftMetaOf ...) - gpac <unfixed> + [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <no-dsa> (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2006 NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f CVE-2021-46043 (A Pointer Dereference Vulnerability exits in GPAC 1.0.1 in the gf_list ...) - gpac <unfixed> + [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <no-dsa> (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2001 NOTE: https://github.com/gpac/gpac/commit/f5a778edd1febd574ff9558d2faa57133bdb4a5f CVE-2021-46042 (A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the _fsee ...) 
@@ -8242,6 +8250,8 @@ CVE-2021-45949 (Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7 CVE-2021-45948 (Open Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a heap-base ...) - assimp 5.1.1~ds0-1 + [bullseye] - assimp <not-affected> (Vulnerable code not present) + [buster] - assimp <not-affected> (Vulnerable code not present) [stretch] - assimp <not-affected> (M3D format support not present) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34416 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/assimp/OSV-2021-775.yaml @@ -13416,11 +13426,13 @@ CVE-2021-44514 (OpUtils in Zoho ManageEngine OpManager 12.5 before 125490 mishan NOT-FOR-US: ManageEngine CVE-2021-44513 (Insecure creation of temporary directories in tmate-ssh-server 2.3.0 a ...) - tmate-ssh-server <unfixed> (bug #1001225) + [bullseye] - tmate-ssh-server <no-dsa> (Minor issue) NOTE: Fixed by: https://github.com/tmate-io/tmate-ssh-server/commit/1c020d1f5ca462f5b150b46a027aaa1bbe3c9596 NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/2 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1189388 CVE-2021-44512 (World-writable permissions on the /tmp/tmate/sessions directory in tma ...) - tmate-ssh-server <unfixed> (bug #1001225) + [bullseye] - tmate-ssh-server <no-dsa> (Minor issue) NOTE: Fixed by: https://github.com/tmate-io/tmate-ssh-server/commit/1c020d1f5ca462f5b150b46a027aaa1bbe3c9596 NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/2 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1189388 
@@ -20619,6 +20631,7 @@ CVE-2021-42577 RESERVED CVE-2021-42576 (The bluemonday sanitizer before 1.0.16 for Go, and before 0.0.8 for Py ...) - golang-github-microcosm-cc-bluemonday 1.0.16-1 + [bullseye] - golang-github-microcosm-cc-bluemonday <no-dsa> (Minor issue) NOTE: https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50/ CVE-2021-42575 (The OWASP Java HTML Sanitizer before 20211018.1 does not properly enfo ...) NOT-FOR-US: OWASP HTML Sanitizer @@ -25521,6 +25534,8 @@ CVE-2021-41079 (Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 NOTE: https://github.com/apache/tomcat/commit/b90d4fc1ff44f30e4b3aba622ba6677e3f003822 (8.5.64) CVE-2021-3803 (nth-check is vulnerable to Inefficient Regular Expression Complexity ...) - node-nth-check 2.0.1-1 + [bullseye] - node-nth-check <no-dsa> (Minor issue) + [buster] - node-nth-check <no-dsa> (Minor issue) [stretch] - node-nth-check <end-of-life> (Nodejs in stretch not covered by security support) NOTE: https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726 (v2.0.1) NOTE: https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0/ @@ -31315,6 +31330,8 @@ CVE-2021-38699 (TastyIgniter 3.0.7 allows XSS via /account, /reservation, /admin NOT-FOR-US: TastyIgniter CVE-2021-38698 (HashiCorp Consul and Consul Enterprise 1.10.1 Txn.Apply endpoint allow ...) - consul <unfixed> + [bullseye] - consul <no-dsa> (Minor issue) + [buster] - consul <no-dsa> (Minor issue) NOTE: https://discuss.hashicorp.com/t/hcsec-2021-24-consul-missing-authorization-check-on-txn-apply-endpoint/29026 NOTE: https://github.com/hashicorp/consul/commit/747844bad6410091f2c6e961216c0c5fc285a44d (v1.8.15) CVE-2021-38697 (SoftVibe SARABAN for INFOMA 1.1 allows Unauthenticated unrestricted Fi ...) 
@@ -31521,9 +31538,11 @@ CVE-2021-38604 (In librt in the GNU C Library (aka glibc) through 2.34, sysdeps/ NOTE: https://sourceware.org/git/?p=glibc.git;a=commit;h=b805aebd42364fe696e417808a700fdb9800c9e8 CVE-2021-38603 (PluXML 5.8.7 allows core/admin/profil.php stored XSS via the Informati ...) - pluxml <unfixed> + [buster] - pluxml <ignored> (Minor issue) [stretch] - pluxml <no-dsa> (Minor issue) CVE-2021-38602 (PluXML 5.8.7 allows Article Editing stored XSS via Headline or Content ...) - pluxml <unfixed> + [buster] - pluxml <ignored> (Minor issue) [stretch] - pluxml <no-dsa> (Minor issue) CVE-2021-38601 RESERVED @@ -41791,6 +41810,7 @@ CVE-2021-34432 (In Eclipse Mosquitto versions 2.07 and earlier, the server will NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=574141 CVE-2021-34431 (In Eclipse Mosquitto version 1.6 to 2.0.10, if an authenticated client ...) - mosquitto 2.0.11-1 + [bullseye] - mosquitto <no-dsa> (Minor issue) [buster] - mosquitto <not-affected> (Vulnerable code introduced later) [stretch] - mosquitto <not-affected> (Vulnerable code introduced later) NOTE: https://mosquitto.org/blog/2021/06/version-2-0-11-released/ @@ -42018,6 +42038,7 @@ CVE-2021-34338 CVE-2021-34337 [password checking timing attack in administrative REST API] RESERVED - mailman3 <unfixed> (bug #1004934) + [bullseye] - mailman3 <no-dsa> (Minor issue) [buster] - mailman3 <no-dsa> (Minor issue; will be fixed via point release) NOTE: Fixed by: https://gitlab.com/mailman/mailman/-/commit/e4a39488c4510fcad8851217f10e7337a196bb51 (3.3.5b1) CVE-2021-34336 
@@ -57945,6 +57966,7 @@ CVE-2021-28167 (In Eclipse Openj9 to version 0.25.0, usage of the jdk.internal.r NOT-FOR-US: Eclipse OpenJ9 CVE-2021-28166 (In Eclipse Mosquitto version 2.0.0 to 2.0.9, if an authenticated clien ...) - mosquitto 2.0.10-1 (bug #986701) + [bullseye] - mosquitto <no-dsa> (Minor issue) [buster] - mosquitto <not-affected> (Vulnerable code introduced in 2.0) [stretch] - mosquitto <not-affected> (Vulnerable code introduced in 2.0) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=572608 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59300f8964d9728017bbd8c8f009c768d719ce3d
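Review bot: in the CVE-2022-0284 hunk, the imagemagick line moves from `<undetermined>` to `<not-affected> (Specific to IM7)` and the TODO to check ImageMagick6 is dropped, but the remaining NOTEs only link the Red Hat bug, the upstream issue and the fixing commit; consider adding a NOTE that names the IM7-only code (the file or function in the linked commit) the decision rests on, so the not-affected status can be re-verified if the entry is re-triaged later.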
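Review bot: in the GPAC hunk, CVE-2021-46046, CVE-2021-46045, CVE-2021-46044 and CVE-2021-46043 all reference the same upstream commit f5a778edd1febd574ff9558d2faa57133bdb4a5f and all stay `<unfixed>` in unstable; the new no-dsa lines only cover bullseye and buster, so a short NOTE on the first of these entries stating that the one upstream commit addresses all four would help whoever prepares the unstable upload close them together.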
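Review bot: in the CVE-2021-45948 (assimp) hunk, the new [bullseye] and [buster] lines justify not-affected with "Vulnerable code not present" while the existing [stretch] line for the same CVE says "M3D format support not present"; if the reason is the same for all three suites, reuse the more specific stretch wording so the justification is consistent and states which code is missing.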
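Review bot: in the CVE-2021-38698 (consul) hunk, "(Minor issue)" is the only justification on the new bullseye and buster no-dsa lines, yet the linked HCSEC-2021-24 advisory title describes a missing authorization check on the Txn.Apply endpoint; a few words on why this is minor for the Debian packages (for example which deployment configuration has to be in place for the endpoint to matter) would make the no-dsa decision reviewable later.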
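Review bot: in the pluxml hunk, CVE-2021-38603 and CVE-2021-38602 tag buster as `<ignored>` and stretch as `<no-dsa>` with the identical justification "(Minor issue)"; `<ignored>` is normally paired with a reason the fix will not be backported (compare the follow-redirects buster line earlier in this patch, "too intrusive to backport"), so either align the buster tag with stretch or extend the justification. Also, no [bullseye] line is added while the package remains `<unfixed>`; if pluxml ships in bullseye it needs a triage line as well.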
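Review bot: in the CVE-2021-34337 (mailman3) hunk, the new [bullseye] line says only "(Minor issue)" while the existing [buster] line for the same CVE reads "Minor issue; will be fixed via point release"; if a bullseye point-release fix is planned too, state it the same way so both suites carry the same expectation, otherwise the difference is worth a word of explanation.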
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits