Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: f2089065 by Moritz Muehlenhoff at 2022-10-05T17:02:42+02:00 bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -7460,11 +7460,13 @@ CVE-2022-39210 (Nextcloud android is the official Android client for the Nextclo CVE-2022-39209 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...) - cmark-gfm <unfixed> (bug #1020588) - python-cmarkgfm <unfixed> - - ghostwriter <unfixed> + - ghostwriter <unfixed> (unimportant) - ruby-commonmarker <unfixed> - r-cran-commonmark <unfixed> + [bullseye] - r-cran-commonmark <no-dsa> (Minor issue) NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q NOTE: https://github.com/github/cmark-gfm/commit/cfcaa0068bf319974fdec283416fcee5035c2d70 (0.29.0.gfm.6) + NOTE: For ghostwriter just a hang/crash in GUI tool, no security impact CVE-2022-39208 (Onedev is an open source, self-hosted Git Server with CI/CD and Kanban ...) NOT-FOR-US: Onedev CVE-2022-39207 (Onedev is an open source, self-hosted Git Server with CI/CD and Kanban ...) @@ -7824,6 +7826,7 @@ CVE-2006-20001 RESERVED CVE-2022-XXXX [wordpress 6.0.2] - wordpress 6.0.2+dfsg1-1 (bug #1018863) + [bullseye] - wordpress <no-dsa> (Minor issue) NOTE: https://wordpress.org/news/2022/08/wordpress-6-0-2-security-and-maintenance-release/ CVE-2022-39079 RESERVED 
@@ -18258,11 +18261,13 @@ CVE-2022-2321 (Improper Restriction of Excessive Authentication Attempts in GitH CVE-2022-35230 (An authenticated user can create a link with reflected Javascript code ...) [experimental] - zabbix 1:6.0.6+dfsg-1 - zabbix 1:6.0.7+dfsg-2 (bug #1014994) + [bullseye] - zabbix <no-dsa> (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-21305 NOTE: Fixed in: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/3b47a97676ee9ca4e16566f1931c456459108eae (5.0.25rc1) CVE-2022-35229 (An authenticated user can create a link with reflected Javascript code ...) [experimental] - zabbix 1:6.0.6+dfsg-1 - zabbix 1:6.0.7+dfsg-2 (bug #1014992) + [bullseye] - zabbix <no-dsa> (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-21306 NOTE: Fixed in: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/b546c3f10ce98b0c914e5fc4114bd43042880c3c (5.0.25rc1) CVE-2022-35228 (SAP BusinessObjects CMC allows an unauthenticated attacker to retrieve ...) 
@@ -47753,16 +47758,19 @@ CVE-2022-24920 CVE-2022-24919 (An authenticated user can create a link with reflected Javascript code ...) {DLA-2980-1} - zabbix 1:6.0.7+dfsg-2 + [bullseye] - zabbix <no-dsa> (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-20680 NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/ff70e709719e4e9f25f5d187637fd53fd61c8bbe (5.0.21rc1) CVE-2022-24918 (An authenticated user can create a link with reflected Javascript code ...) - zabbix 1:6.0.7+dfsg-2 + [bullseye] - zabbix <no-dsa> (Minor issue) [stretch] - zabbix <not-affected> (The vulnerable code was introduced later) NOTE: https://support.zabbix.com/browse/ZBX-20680 NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/ff70e709719e4e9f25f5d187637fd53fd61c8bbe (5.0.21rc1) CVE-2022-24917 (An authenticated user can create a link with reflected Javascript code ...) {DLA-2980-1} - zabbix 1:6.0.7+dfsg-2 + [bullseye] - zabbix <no-dsa> (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-20680 NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/ff70e709719e4e9f25f5d187637fd53fd61c8bbe (5.0.21rc1) CVE-2022-24911 @@ -48391,6 +48399,7 @@ CVE-2022-24725 (Shescape is a shell escape package for JavaScript. An issue in v CVE-2022-24724 (cmark-gfm is GitHub's extended version of the C reference implementati ...) - cmark-gfm 0.29.0.gfm.3-3 (bug #1006756) - ghostwriter <unfixed> (bug #1006757) + [bullseye] - ghostwriter <no-dsa> (Minor issue) - python-cmarkgfm 0.7.0-1 (bug #1006758) - ruby-commonmarker <unfixed> (bug #1006759) - r-cran-commonmark 1.8.0-1 (bug #1006760) 
@@ -49549,6 +49558,7 @@ CVE-2022-24350 CVE-2022-24349 (An authenticated user can create a link with reflected XSS payload for ...) {DLA-2980-1} - zabbix 1:6.0.7+dfsg-2 + [bullseye] - zabbix <no-dsa> (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-20680 NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/ff70e709719e4e9f25f5d187637fd53fd61c8bbe (5.0.21rc1) CVE-2022-24348 (Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal ...) @@ -54285,10 +54295,12 @@ CVE-2022-23135 (There is a directory traversal vulnerability in some home gatewa CVE-2022-23134 (After the initial setup process, some steps of setup.php file are reac ...) {DLA-2914-1} - zabbix 1:6.0.7+dfsg-2 + [bullseye] - zabbix <no-dsa> (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-20384 NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/aa0fecfbcc9794bc00206630a7424575dfc944df (5.0.19rc2) CVE-2022-23133 (An authenticated user can create a hosts group from the configuration ...) - zabbix 1:6.0.7+dfsg-2 + [bullseye] - zabbix <no-dsa> (Minor issue) [buster] - zabbix <not-affected> (Vulnerable code introduced later, and reverted with the fix) [stretch] - zabbix <not-affected> (Vulnerable code introduced later, and reverted with the fix) NOTE: https://support.zabbix.com/browse/ZBX-20388 
@@ -54296,6 +54308,7 @@ CVE-2022-23133 (An authenticated user can create a hosts group from the configur NOTE: Introduced by: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/f3654d0173ea244a2319a093f7c4e27ad9086dc3 (4.4.0alpha3) CVE-2022-23132 (During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability i ...) - zabbix 1:6.0.7+dfsg-2 + [bullseye] - zabbix <no-dsa> (Minor issue) [stretch] - zabbix <not-affected> (Not using RPM or DAC_OVERRIDE in Debian installs, zbx_ipc_service_init_env() not present) NOTE: https://support.zabbix.com/browse/ZBX-20341 NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/019fbd9b5cc9c455304f1a48460435ca474ba2ac (5.0.18) ===================================== data/dsa-needed.txt ===================================== @@ -42,6 +42,8 @@ rpki-client -- ruby-image-processing -- +ruby-nokogiri +-- ruby-rack -- ruby-tzinfo View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f208906503b226a8ed78815240dc67764bbd2d6b
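Review bot: In the CVE-2022-39209 hunk (data/CVE/list @@ -7460), only r-cran-commonmark gets a bullseye decision (`+ [bullseye] - r-cran-commonmark <no-dsa> (Minor issue)`), while python-cmarkgfm and ruby-commonmarker sit at `<unfixed>` directly beside it with no bullseye line at all. Since the commit is a bullseye triage pass and all three are bindings of the same cmark-gfm code, either add matching bullseye lines for the other two or record why they stay open, so the state of the three entries does not diverge. The ghostwriter change to `<unfixed> (unimportant)` is fine as it is backed by the added NOTE giving the reason (hang/crash in a GUI tool, no security impact).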
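Review bot: The new `+ [bullseye] - wordpress <no-dsa> (Minor issue)` line in the @@ -7824 hunk is attached to a placeholder entry (`CVE-2022-XXXX [wordpress 6.0.2]`) rather than to assigned CVE ids. When the ids for the 6.0.2 release are assigned and the placeholder is split or renamed, the bullseye tag has to be carried over to each resulting entry, so it is worth leaving a NOTE on the placeholder that the bullseye decision applies to all issues fixed in that release, not just the single line that exists today.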
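Review bot: In the @@ -18258 hunk, CVE-2022-35230 and CVE-2022-35229 both receive `+ [bullseye] - zabbix <no-dsa> (Minor issue)`, and the same tag is applied to the other zabbix entries in this commit. The NOTE lines show that every one of these fixes landed in the upstream 5.0.x series (5.0.18, 5.0.19rc2, 5.0.21rc1 and 5.0.25rc1), so they are natural candidates for one combined bullseye point-release update rather than six separate decisions; a short NOTE on one of the entries saying that a joint stable update is intended would make that plan visible to the next triager and stop the no-dsa tags being read as "will not be fixed in bullseye".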
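Review bot: The `+ [bullseye] - ghostwriter <no-dsa> (Minor issue)` line for CVE-2022-24724 in the @@ -47753 hunk classifies ghostwriter differently from the CVE-2022-39209 hunk earlier in the same commit, where the same package is marked `<unfixed> (unimportant)` with the rationale that a hang or crash in a GUI tool has no security impact. If that rationale also holds for this cmark-gfm issue, `unimportant` would be the consistent tag; if it does not (for example because this issue is more than a crash), a NOTE explaining the difference would help. The three zabbix entries in the same hunk (CVE-2022-24919, -24918, -24917) share ZBX-20680 and one fix commit, and their added bullseye lines are identical, which is consistent.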
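Review bot: The `+ruby-nokogiri` / `+--` addition to data/dsa-needed.txt (@@ -42) is not matched by any change to ruby-nokogiri entries in data/CVE/list in this commit; the list hunks touch only cmark-gfm, wordpress and zabbix, so the CVE(s) motivating the DSA cannot be identified from the diff. Cross-check that the corresponding CVE/list entries already carry a bullseye state consistent with a pending DSA, and consider a short note under the package name naming the CVE id(s), so that dsa-needed.txt and CVE/list do not drift apart.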
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits