Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: 3adefba4 by Moritz Muehlenhoff at 2022-06-07T13:12:07+02:00 buster/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -5478,6 +5478,8 @@ CVE-2022-1651 NOTE: https://git.kernel.org/linus/ecd1735f14d6ac868ae5d8b7a2bf193fa11f388b (5.18-rc1) CVE-2022-1650 (Exposure of Sensitive Information to an Unauthorized Actor in GitHub r ...) - node-eventsource 2.0.2+~1.1.8-1 + [bullseye] - node-eventsource <no-dsa> (Minor issue) + [buster] - node-eventsource <no-dsa> (Minor issue) [stretch] - node-eventsource <end-of-life> (not covered by security support) NOTE: https://huntr.dev/bounties/dc9e467f-be5d-4945-867d-1044d27e9b8e/ NOTE: https://github.com/eventsource/eventsource/commit/10ee0c4881a6ba2fe65ec18ed195ac35889583c4 (v2.0.2) @@ -6792,11 +6794,9 @@ CVE-2022-30067 (GIMP 2.10.30 and 2.99.10 are vulnerable to Buffer Overflow. Thro CVE-2022-30066 RESERVED CVE-2022-30065 (A use-after-free in Busybox 1.35-x's awk applet leads to denial of ser ...) - - busybox <unfixed> - [bullseye] - busybox <no-dsa> (Minor issue) - [buster] - busybox <no-dsa> (Minor issue) - [stretch] - busybox <postponed> (Minor issue, requires passing arbitrary awk program, no identified patch) + - busybox <unfixed> (unimportant) NOTE: https://bugs.busybox.net/show_bug.cgi?id=14781 + NOTE: Crash in CLI tool, no security impact CVE-2022-30064 RESERVED CVE-2022-30063 (ftcms <=2.1 was discovered to be vulnerable to code execution attac ...) 
@@ -7350,6 +7350,8 @@ CVE-2022-1516 (A NULL pointer dereference flaw was found in the Linux kernelR NOTE: CONFIG_X25 is not set in Debian CVE-2022-1515 (A memory leak was discovered in matio 1.5.21 and earlier in Mat_VarRea ...) - libmatio 1.5.22-1 + [bullseye] - libmatio <no-dsa> (Minor issue) + [buster] - libmatio <no-dsa> (Minor issue) NOTE: https://github.com/tbeu/matio/issues/186 NOTE: Fixed by: https://github.com/tbeu/matio/commit/b53b62b756920f4c1509f4ee06427f66c3b5c9c4 (v1.5.22) CVE-2022-1514 (Stored XSS via upload plugin functionality in zip format in GitHub rep ...) @@ -7722,16 +7724,18 @@ CVE-2022-29801 (A vulnerability has been identified in Teamcenter V12.4 (All ver NOT-FOR-US: Siemens CVE-2022-29800 RESERVED - - networkd-dispatcher <unfixed> (bug #1010303) + - networkd-dispatcher <unfixed> (unimportant; bug #1010303) NOTE: https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/ NOTE: https://gitlab.com/craftyguy/networkd-dispatcher/-/commit/074ff68f08d64a963a13e3cfc4fb3e3fb9006dfe NOTE: https://gitlab.com/craftyguy/networkd-dispatcher/-/commit/2e226ee027bdc8022f0e10470318f89f25dc6133 + NOTE: No security impact in Debian, see #1010303 CVE-2022-29799 RESERVED - - networkd-dispatcher <unfixed> (bug #1010303) + - networkd-dispatcher <unfixed> (unimportant; bug #1010303) NOTE: https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/ NOTE: https://gitlab.com/craftyguy/networkd-dispatcher/-/commit/074ff68f08d64a963a13e3cfc4fb3e3fb9006dfe NOTE: https://gitlab.com/craftyguy/networkd-dispatcher/-/commit/2e226ee027bdc8022f0e10470318f89f25dc6133 + NOTE: No security impact in Debian, see #1010303 CVE-2022-29798 RESERVED CVE-2022-29797 
@@ -11578,14 +11582,17 @@ CVE-2022-28368 (Dompdf 1.2.1 allows remote code execution via a .php file in the NOTE: https://github.com/dompdf/dompdf/commit/0e0261b7bce372b3a05b712a023f6f742a22d57e (v0.8.0) CVE-2022-28367 (OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE ...) - libowasp-antisamy-java <unfixed> (bug #1010154) + [bullseye] - libowasp-antisamy-java <no-dsa> (Minor issue) + [buster] - libowasp-antisamy-java <no-dsa> (Minor issue) NOTE: https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae (v1.6.6) NOTE: Make sure to fix the issue completely and include the commit otherwise opening CVE-2022-29577 NOTE: https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0 (v1.6.7) CVE-2022-28366 (Certain Neko-related HTML parsers allow a denial of service via crafte ...) - libowasp-antisamy-java <unfixed> (bug #1010154) + [bullseye] - libowasp-antisamy-java <no-dsa> (Minor issue) + [buster] - libowasp-antisamy-java <no-dsa> (Minor issue) NOTE: https://github.com/nahsra/antisamy/releases/tag/v1.6.6 NOTE: https://github.com/nahsra/antisamy/issues/174 - TODO: check upstream for commits CVE-2022-28365 (Reprise License Manager 14.2 is affected by an Information Disclosure ...) NOT-FOR-US: Reprise License Manager CVE-2022-28364 (Reprise License Manager 14.2 is affected by a reflected cross-site scr ...) 
@@ -21656,6 +21663,8 @@ CVE-2022-24892 (Shopware is an open source e-commerce software platform. Startin NOT-FOR-US: Shopware CVE-2022-24891 (ESAPI (The OWASP Enterprise Security API) is a free, open source, web ...) - libowasp-esapi-java 2.4.0.0-1 (bug #1010339) + [bullseye] - libowasp-esapi-java <no-dsa> (Minor issue) + [buster] - libowasp-esapi-java <no-dsa> (Minor issue) NOTE: https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-q77q-vx4q-xx6q NOTE: https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf NOTE: https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt @@ -26611,6 +26620,8 @@ CVE-2022-23458 RESERVED CVE-2022-23457 (ESAPI (The OWASP Enterprise Security API) is a free, open source, web ...) - libowasp-esapi-java 2.4.0.0-1 (bug #1010339) + [bullseye] - libowasp-esapi-java <no-dsa> (Minor issue) + [buster] - libowasp-esapi-java <no-dsa> (Minor issue) NOTE: https://securitylab.github.com/advisories/GHSL-2022-008_The_OWASP_Enterprise_Security_API/ NOTE: https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-8m5h-hrqm-pxm2 NOTE: https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt @@ -64384,6 +64395,8 @@ CVE-2021-35044 RESERVED CVE-2021-35043 (OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using ...) - libowasp-antisamy-java <unfixed> + [bullseye] - libowasp-antisamy-java <no-dsa> (Minor issue) + [buster] - libowasp-antisamy-java <no-dsa> (Minor issue) NOTE: https://github.com/nahsra/antisamy/pull/87 CVE-2021-35042 (Django 3.1.x before 3.1.13 and 3.2.x before 3.2.5 allows QuerySet.orde ...) - python-django <not-affected> (Vulnerable code introduced in 3.1) 
@@ -303915,6 +303928,8 @@ CVE-2017-14736 RESERVED CVE-2017-14735 (OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstr ...) - libowasp-antisamy-java <unfixed> + [bullseye] - libowasp-antisamy-java <no-dsa> (Minor issue) + [buster] - libowasp-antisamy-java <no-dsa> (Minor issue) NOTE: https://github.com/nahsra/antisamy/issues/10 CVE-2017-14734 (The build_msps function in libbpg.c in libbpg 0.9.7 allows remote atta ...) NOT-FOR-US: libbpg @@ -337657,6 +337672,8 @@ CVE-2016-10007 (SQL injection vulnerability in the "Marketing > Forms" screen NOT-FOR-US: dotCMS CVE-2016-10006 (In OWASP AntiSamy before 1.5.5, by submitting a specially crafted inpu ...) - libowasp-antisamy-java <unfixed> + [bullseye] - libowasp-antisamy-java <no-dsa> (Minor issue) + [buster] - libowasp-antisamy-java <no-dsa> (Minor issue) NOTE: https://github.com/nahsra/antisamy/issues/2 CVE-2016-10005 (Webdynpro in SAP Solman 7.1 through 7.31 allows remote attackers to ob ...) NOT-FOR-US: SAP ===================================== data/dsa-needed.txt ===================================== @@ -26,6 +26,8 @@ freecad (aron) -- kicad -- +librecad +-- libpgjava (apo) -- linux (carnil) @@ -34,8 +36,12 @@ linux (carnil) -- ndpi/oldstable -- +netatalk +-- nodejs (jmm) -- +php-horde-turba +-- puma/oldstable -- python-bottle (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3adefba4df86b0413321d5aa71da7da899095736 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3adefba4df86b0413321d5aa71da7da899095736 You're receiving this email because of your account on salsa.debian.org.
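Review bot: in the CVE-2022-30065 hunk, replacing the per-release lines with `- busybox <unfixed> (unimportant)` drops the rationale the old stretch line carried (`requires passing arbitrary awk program, no identified patch`), and the new `NOTE: Crash in CLI tool, no security impact` states only the conclusion. Suggest folding the precondition into the NOTE, e.g. `NOTE: Crash in CLI tool, requires passing arbitrary awk program, no security impact`, so a later reader can see why the entry moved from no-dsa/postponed to unimportant.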
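Review bot: in the CVE-2022-28367/CVE-2022-28366 hunk, the `TODO: check upstream for commits` line for CVE-2022-28366 is removed without a fix commit being recorded in its place; the remaining NOTEs point only at the v1.6.6 release tag and issue #174. Either keep the TODO or add the located commit as a NOTE. For CVE-2022-28367 the new `[bullseye]`/`[buster]` no-dsa lines sit next to the existing NOTE that the v1.6.6 fix was incomplete and must be combined with the v1.6.7 commit to avoid opening CVE-2022-29577; worth restating that on the no-dsa lines so a later point-release update carries both commits.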
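Review bot: in the networkd-dispatcher hunk, both CVE-2022-29800 and CVE-2022-29799 gain `(unimportant; bug #1010303)` plus `NOTE: No security impact in Debian, see #1010303`, so the bug reference appears twice while the actual reason lives only in the bug. Suggest the NOTE state the reason in one clause, as the busybox entry in this same commit does, rather than only pointing at the bug.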
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits