Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
62406382 by Moritz Muehlenhoff at 2022-07-08T11:23:00+02:00
buster/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -3854,10 +3854,16 @@ CVE-2022-2122
        RESERVED
 CVE-2022-2121 (OFFIS DCMTK's (All versions prior to 3.6.7) has a NULL pointer 
derefer ...)
        - dcmtk <unfixed> (bug #1014044)
+       [bullseye] - dcmtk <no-dsa> (Minor issue)
+       [buster] - dcmtk <no-dsa> (Minor issue)
 CVE-2022-2120 (OFFIS DCMTK's (All versions prior to 3.6.7) service class user 
(SCU) i ...)
        - dcmtk <unfixed> (bug #1014044)
+       [bullseye] - dcmtk <no-dsa> (Minor issue)
+       [buster] - dcmtk <no-dsa> (Minor issue)
 CVE-2022-2119 (OFFIS DCMTK's (All versions prior to 3.6.7) service class 
provider (SC ...)
        - dcmtk <unfixed> (bug #1014044)
+       [bullseye] - dcmtk <no-dsa> (Minor issue)
+       [buster] - dcmtk <no-dsa> (Minor issue)
 CVE-2022-2118
        RESERVED
 CVE-2014-125025 (A vulnerability classified as problematic has been found in 
FFmpeg 2.0 ...)
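Review bot: all three dcmtk entries (CVE-2022-2121, CVE-2022-2120, CVE-2022-2119) are marked `<no-dsa>` for bullseye and buster with the bare rationale "Minor issue", while the CVE text describes a NULL pointer dereference in the service class user (SCU) and service class provider code, i.e. a crash reachable through the DICOM network side of the library. Since the three entries share bug #1014044, consider spelling the reason out once, e.g. `[bullseye] - dcmtk <no-dsa> (Minor issue, NULL deref/DoS only)`, so the no-dsa decision stays traceable when the bug is revisited.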
@@ -9669,7 +9675,6 @@ CVE-2022-31627
 CVE-2022-31626 (In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 
8.1.x belo ...)
        - php8.1 8.1.7-1 (bug #1014533)
        - php7.4 <removed>
-       [bullseye] - php7.4 <postponed> (Minor issue, fix along with next 
security release)
        - php7.3 <removed>
        [buster] - php7.3 <postponed> (Minor issue, fix along with next 
security release)
        - php7.0 <removed>
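Review bot: dropping the `[bullseye] - php7.4 <postponed>` line here (and in the following hunk for CVE-2022-31625) while keeping `- php7.4 <removed>` leaves bullseye's php7.4 as an open, unannotated issue for both CVEs, which matches `php7.4` being added to data/dsa-needed.txt in this same commit. It would be worth recording that intent in a NOTE, because the `[buster] - php7.3 <postponed> (Minor issue, fix along with next security release)` lines with the identical rationale are kept, and a reader of data/CVE/list alone cannot tell why the two suites now diverge.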
@@ -9679,7 +9684,6 @@ CVE-2022-31626 (In PHP versions 7.4.x below 7.4.30, 8.0.x 
below 8.0.20, and 8.1.
 CVE-2022-31625 (In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 
8.1.x belo ...)
        - php8.1 8.1.7-1 (bug #1014533)
        - php7.4 <removed>
-       [bullseye] - php7.4 <postponed> (Minor issue, fix along with next 
security release)
        - php7.3 <removed>
        [buster] - php7.3 <postponed> (Minor issue, fix along with next 
security release)
        - php7.0 <removed>
@@ -12637,9 +12641,12 @@ CVE-2022-XXXX [RUSTSEC-2022-0022]
        NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0022.html
 CVE-2022-XXXX [RUSTSEC-2022-0021]
        - rust-crossbeam-queue <unfixed>
+       [bullseye] - rust-crossbeam-queue <no-dsa> (Minor issue)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0021.html
 CVE-2022-XXXX [RUSTSEC-2022-0019]
        - rust-crossbeam-channel <unfixed>
+       [bullseye] - rust-crossbeam-channel <no-dsa> (Minor issue)
+       [buster] - rust-crossbeam-channel <no-dsa> (Minor issue)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0019.html
 CVE-2022-XXXX [RUSTSEC-2022-0020]
        - rust-crossbeam <unfixed>
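Review bot: the triage is asymmetric between the crossbeam entries: RUSTSEC-2022-0021 (rust-crossbeam-queue) gains only a `[bullseye] ... <no-dsa>` line, RUSTSEC-2022-0019 (rust-crossbeam-channel) gains both `[bullseye]` and `[buster]`, and the adjacent RUSTSEC-2022-0020 entry for rust-crossbeam stays at a bare `- rust-crossbeam <unfixed>` with no suite annotation. If rust-crossbeam-queue is simply absent from buster the first is fine as-is, but the untouched rust-crossbeam entry looks like a triage gap: either add matching `<no-dsa>` lines or a NOTE saying why it is handled differently from the other two.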
@@ -28141,9 +28148,11 @@ CVE-2022-25256 (SAS Web Report Studio 4.4 allows XSS. 
/SASWebReportStudio/logonA
 CVE-2022-25255 (In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 
on Linux ...)
        - qt6-base <unfixed>
        - qtbase-opensource-src 5.15.2+dfsg-15
+       [bullseye] - qtbase-opensource-src <no-dsa> (Minor issue)
        [buster] - qtbase-opensource-src <ignored> (Breaks existing behaviour 
and upstream also skipped from 5.12 branch)
        [stretch] - qtbase-opensource-src <not-affected> (Vulnerable code 
introduced later)
        - qtbase-opensource-src-gles <unfixed>
+       [bullseye] - qtbase-opensource-src-gles <no-dsa> (Minor issue)
        [buster] - qtbase-opensource-src-gles <ignored> (Breaks existing 
behaviour and upstream also skipped from 5.12 branch)
        NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/393113
        NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/394914
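Review bot: the new `[bullseye] - qtbase-opensource-src <no-dsa> (Minor issue)` line sits directly above `[buster] - qtbase-opensource-src <ignored> (Breaks existing behaviour and upstream also skipped from 5.12 branch)`, so the two suites now carry different reasons for not issuing a DSA. If the behaviour-change concern also applies to bullseye's 5.15 branch, say so in the rationale (or use `<ignored>` there too); if instead the fix in 5.15.2+dfsg-15 is meant to reach bullseye later, "Minor issue" alone does not tell the reader which of the two applies. The same holds for the added qtbase-opensource-src-gles line.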
@@ -63332,13 +63341,19 @@ CVE-2021-38579
        RESERVED
 CVE-2021-38578 (Existing CommBuffer checks in SmmEntryPoint will not catch 
underflow w ...)
        - edk2 <unfixed> (bug #1014468)
+       [bullseye] - edk2 <no-dsa> (Minor issue)
+       [buster] - edk2 <no-dsa> (Minor issue)
        NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=3387 (private)
        NOTE: https://edk2.groups.io/g/devel/message/90516
 CVE-2021-38577 (Heap Overflow in BaseBmpSupportLib. ...)
        - edk2 <unfixed> (bug #1014468)
+       [bullseye] - edk2 <no-dsa> (Minor issue)
+       [buster] - edk2 <no-dsa> (Minor issue)
        NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=3360 (private)
 CVE-2021-38576 (A BIOS bug in firmware for a particular PC model leaves the 
Platform a ...)
        - edk2 <unfixed> (bug #1014468)
+       [bullseye] - edk2 <no-dsa> (Minor issue)
+       [buster] - edk2 <no-dsa> (Minor issue)
        NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=3499 (private)
 CVE-2021-38575 (NetworkPkg/IScsiDxe has remotely exploitable buffer overflows. 
...)
        - edk2 2021.08-1
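Review bot: the three edk2 entries (CVE-2021-38578, CommBuffer underflow check in SmmEntryPoint; CVE-2021-38577, heap overflow in BaseBmpSupportLib; CVE-2021-38576, platform BIOS issue) all get `<no-dsa> (Minor issue)` for both suites, yet every referenced TianoCore bugzilla NOTE is marked `(private)`, so the parenthesised rationale is the only public justification. For memory-safety issues in SMM and image-parsing code a slightly fuller reason (e.g. which preconditions or build configuration are required) would make the decision reviewable; the neighbouring CVE-2021-38575 entry, fixed in 2021.08-1 rather than waived, shows the contrast.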
@@ -74941,6 +74956,7 @@ CVE-2021-33881 (On NXP MIFARE Ultralight and NTAG 
cards, an attacker can interru
        NOT-FOR-US: NXP
 CVE-2021-33880 (The aaugustin websockets library before 9.1 for Python has an 
Observab ...)
        - python-websockets 9.1-1 (bug #989561)
+       [bullseye] - python-websockets <no-dsa> (Minor issue)
        [buster] - python-websockets <not-affected> (Vulnerable code introduced 
in 8.0)
        [stretch] - python-websockets <not-affected> (Vulnerable code 
introduced in 8.0)
        NOTE: 
https://github.com/aaugustin/websockets/commit/547a26b685d08cac0aa64e5e65f7867ac0ea9bc0
@@ -90418,6 +90434,8 @@ CVE-2021-28022 (Blind SQL injection in the login form 
in ServiceTonic Helpdesk s
        NOT-FOR-US: ServiceTonic
 CVE-2021-28021 (Buffer overflow vulnerability in function stbi__extend_receive 
in stb_ ...)
        - libstb <unfixed> (bug #1014530)
+       [bullseye] - libstb <no-dsa> (Minor issue)
+       [buster] - libstb <no-dsa> (Minor issue)
        NOTE: https://github.com/nothings/stb/issues/1108
        NOTE: 
https://github.com/nothings/stb/commit/86b7570cfba845e8209c6aec2d15e487bb1d8bb4
 CVE-2021-28020


=====================================
data/dsa-needed.txt
=====================================
@@ -24,6 +24,8 @@ freecad (aron)
 --
 kicad (jmm)
 --
+kopanocore/oldstable
+--
 librecad
 --
 libpgjava (apo)
@@ -40,6 +42,8 @@ netatalk
 nodejs/oldstable
   one of the upstream fixes doesn't address the security issue 
 --
+php7.4
+--
 php-horde-mime-viewer
 --
 php-horde-turba
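Review bot: `php7.4` is added without an owner or a note, unlike `kicad (jmm)` or the `nodejs/oldstable` entry just above it that carries a one-line explanation. Since this commit also drops the `[bullseye] - php7.4 <postponed>` annotations for CVE-2022-31626 and CVE-2022-31625 in data/CVE/list, an indented note naming those CVEs, plus a suite qualifier if this is bullseye-only (`php7.4/stable`, following the `/oldstable` convention used elsewhere in the file), would help whoever picks this up.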
@@ -62,5 +66,9 @@ unzip
   unclear information, initial report indicates writable memory corruption, but
   some identified patch is just for a NULL deref, needs more clarification
 --
+webkit2gtk (berto)
+--
+wpewebkit/stable (berto)
+--
 xen (jmm)
 --
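Review bot: `wpewebkit/stable (berto)` carries a suite qualifier but `webkit2gtk (berto)` does not; if webkit2gtk is likewise pending for stable only, add `/stable` for consistency with `nodejs/oldstable` and `kopanocore/oldstable`, otherwise a short indented note on which suites are outstanding would remove the ambiguity.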



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/624063824b83ea8f3c0915ecc510cc55702bbede



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
