Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: 55038710 by Moritz Muehlenhoff at 2022-11-23T21:06:46+01:00 bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -7864,6 +7864,7 @@ CVE-2022-3716 (A vulnerability classified as problematic was found in SourceCode CVE-2022-3715 [a heap-buffer-overflow in valid_parameter_transform] RESERVED - bash <unfixed> + [bullseye] - bash <no-dsa> (Minor issue) [buster] - bash <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2126720 NOTE: https://lists.gnu.org/archive/html/bug-bash/2022-08/msg00147.html @@ -8590,6 +8591,7 @@ CVE-2021-46850 (myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel NOT-FOR-US: myVesta Control Panel CVE-2021-46849 (pikepdf before 2.10.0 allows an XXE attack against PDF XMP metadata pa ...) - pikepdf 3.2.0+dfsg-1 + [bullseye] - pikepdf <no-dsa> (Minor issue) [buster] - pikepdf <no-dsa> (Minor issue) NOTE: https://github.com/pikepdf/pikepdf/blob/v2.10.0/docs/release_notes.rst#v2100 CVE-2021-46848 (GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check ...) @@ -19642,6 +19644,7 @@ CVE-2022-39261 (Twig is a template language for PHP. Versions 1.x prior to 1.44. NOTE: https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b (v1.44.7, v2.15.3, v3.4.3) CVE-2022-39260 (Git is an open source, scalable, distributed revision control system. ...) - git 1:2.38.1-1 (bug #1022046) + [bullseye] - git <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/10/18/5 NOTE: https://lore.kernel.org/git/xmqq4jw1uku5.fsf@gitster.g/T/#u NOTE: https://github.com/git/git/commit/32696a4cbe90929ae79ea442f5102c513ce3dfaa (v2.30.6) 
@@ -19664,6 +19667,7 @@ CVE-2022-39254 (matrix-nio is a Python Matrix client library, designed according NOTE: https://github.com/poljar/matrix-nio/commit/b1cbf234a831daa160673defd596e6450e9c29f0 (0.20.0) CVE-2022-39253 (Git is an open source, scalable, distributed revision control system. ...) - git 1:2.38.1-1 (bug #1022046) + [bullseye] - git <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/10/18/5 NOTE: https://lore.kernel.org/git/xmqq4jw1uku5.fsf@gitster.g/T/#u NOTE: https://github.com/git/git/commit/6f054f9fb3a501c35b55c65e547a244f14c38d56 (v2.30.6) @@ -19723,6 +19727,7 @@ CVE-2022-39238 (Arvados is an open source platform for managing and analyzing bi NOT-FOR-US: Arvados CVE-2022-39237 (syslabs/sif is the Singularity Image Format (SIF) reference implementa ...) - golang-github-sylabs-sif <unfixed> (bug #1023570) + [bullseye] - golang-github-sylabs-sif <no-dsa> (Minor issue) - singularity-container 3.10.3+ds1-1 NOTE: https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8 NOTE: https://github.com/sylabs/sif/commit/21972852d8783bc93fbf080190de8e1978f1c254 (v2.8.1) @@ -38927,10 +38932,10 @@ CVE-2022-1969 (The Mobile browser color select plugin for WordPress is vulnerabl NOT-FOR-US: Mobile browser color select plugin for WordPress CVE-2022-1968 (Use After Free in GitHub repository vim/vim prior to 8.2. ...) {DLA-3182-1 DLA-3053-1} - - vim 2:9.0.0135-1 (bug #1015984) - [bullseye] - vim <no-dsa> (Minor issue) + - vim 2:9.0.0135-1 (bug #1015984; unimportant) NOTE: https://huntr.dev/bounties/949090e5-f4ea-4edf-bd79-cd98f0498a5b NOTE: https://github.com/vim/vim/commit/409510c588b1eec1ae33511ae97a21eb8e110895 (v8.2.5050) + NOTE: Crash in CLI tool, no security impact CVE-2022-1967 (The WP Championship WordPress plugin before 9.3 is lacking CSRF checks ...) NOT-FOR-US: WordPress plugin CVE-2022-1966 
@@ -40316,10 +40321,10 @@ CVE-2022-1899 (Out-of-bounds Read in GitHub repository radareorg/radare2 prior t NOTE: https://github.com/radareorg/radare2/commit/193f4fe01d7f626e2ea937450f2e0c4604420e9d CVE-2022-1898 (Use After Free in GitHub repository vim/vim prior to 8.2. ...) {DLA-3182-1 DLA-3053-1} - - vim 2:9.0.0135-1 (bug #1015984) - [bullseye] - vim <no-dsa> (Minor issue) + - vim 2:9.0.0135-1 (bug #1015984; unimportant) NOTE: https://huntr.dev/bounties/45aad635-c2f1-47ca-a4f9-db5b25979cea NOTE: https://github.com/vim/vim/commit/e2fa213cf571041dbd04ab0329303ffdc980678a (v8.2.5024) + NOTE: Crash in CLI tool, no security impact CVE-2022-1897 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. ...) - vim 2:9.0.0135-1 (bug #1015984) [bullseye] - vim <no-dsa> (Minor issue) @@ -40922,10 +40927,10 @@ CVE-2022-1852 (A NULL pointer dereference flaw was found in the Linux kernelR NOTE: https://git.kernel.org/linus/fee060cd52d69c114b62d1a2948ea9648b5131f9 CVE-2022-1851 (Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. ...) {DLA-3182-1 DLA-3053-1} - - vim 2:9.0.0135-1 (bug #1015984) - [bullseye] - vim <no-dsa> (Minor issue) + - vim 2:9.0.0135-1 (bug #1015984; unimportant) NOTE: https://huntr.dev/bounties/f8af901a-9a46-440d-942a-8f815b59394d NOTE: https://github.com/vim/vim/commit/78d52883e10d71f23ab72a3d8b9733b00da8c9ad (v8.2.5013) + NOTE: Crash in CLI tool, no security impact CVE-2022-1850 (Path Traversal in GitHub repository filegator/filegator prior to 7.8.0 ...) NOT-FOR-US: filegator CVE-2022-1849 (Session Fixation in GitHub repository filegator/filegator prior to 7.8 ...) 
@@ -53859,6 +53864,7 @@ CVE-2022-27192 (The Reporting module in Aseco Lietuva document management system NOT-FOR-US: Aseco CVE-2022-27191 (The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1 ...) - golang-go.crypto 1:0.0~git20220315.3147a52-1 + [bullseye] - golang-go.crypto <no-dsa> (Minor issue) [buster] - golang-go.crypto <postponed> (Limited support, follow bullseye DSAs/point-releases) NOTE: https://groups.google.com/g/golang-announce/c/-cp44ypCT5s/m/wmegxkLiAQAJ NOTE: https://github.com/golang/crypto/commit/1baeb1ce4c0b006eff0f294c47cb7617598dfb3d @@ -64541,6 +64547,7 @@ CVE-2022-23825 (Aliases in the branch predictor may cause some AMD processors to {DSA-5184-1} - linux <unfixed> - xen 4.16.2-1 + [bullseye] - xen <postponed> (Fix along in next DSA) [buster] - xen <end-of-life> (DSA 4677-1) NOTE: https://comsec.ethz.ch/research/microarch/retbleed/ NOTE: https://comsec.ethz.ch/wp-content/files/retbleed_addendum_sec22.pdf @@ -72747,12 +72754,14 @@ CVE-2021-45293 (A Denial of Service vulnerability exists in Binaryen 103 due to NOTE: Crash in CLI tool, no security impact CVE-2021-45292 (The gf_isom_hint_rtp_read function in GPAC 1.0.1 allows attackers to c ...) - gpac 2.0.0+dfsg1-2 + [bullseye] - gpac <no-dsa> (Minor issue) [buster] - gpac <end-of-life> (EOL in buster LTS) [stretch] - gpac <end-of-life> (No longer supported in LTS) NOTE: https://github.com/gpac/gpac/issues/1958 NOTE: https://github.com/gpac/gpac/commit/3dafcb5e71e9ffebb50238784dcad8b105da81f6 (v2.0.0) CVE-2021-45291 (The gf_dump_setup function in GPAC 1.0.1 allows malicoius users to cau ...) - gpac 2.0.0+dfsg1-2 + [bullseye] - gpac <no-dsa> (Minor issue) [buster] - gpac <end-of-life> (EOL in buster LTS) [stretch] - gpac <end-of-life> (No longer supported in LTS) NOTE: https://github.com/gpac/gpac/issues/1955 
@@ -72765,12 +72774,14 @@ CVE-2021-45290 (A Denial of Service vulnerability exits in Binaryen 103 due to a NOTE: Crash in CLI tool, no security impact CVE-2021-45289 (A vulnerability exists in GPAC 1.0.1 due to an omission of security-re ...) - gpac 2.0.0+dfsg1-2 + [bullseye] - gpac <no-dsa> (Minor issue) [buster] - gpac <end-of-life> (EOL in buster LTS) [stretch] - gpac <end-of-life> (No longer supported in LTS) NOTE: https://github.com/gpac/gpac/issues/1972 NOTE: https://github.com/gpac/gpac/commit/5e1f084e0c6ad2736c9913715c4abb57c554209d (v2.0.0) CVE-2021-45288 (A Double Free vulnerability exists in filedump.c in GPAC 1.0.1, which ...) - gpac 2.0.0+dfsg1-2 + [bullseye] - gpac <no-dsa> (Minor issue) [buster] - gpac <end-of-life> (EOL in buster LTS) [stretch] - gpac <end-of-life> (No longer supported in LTS) NOTE: https://github.com/gpac/gpac/issues/1956 @@ -72817,6 +72828,7 @@ CVE-2021-45268 (** DISPUTED ** A Cross Site Request Forgery (CSRF) vulnerability - backdrop <itp> (bug #914257) CVE-2021-45267 (An invalid memory address dereference vulnerability exists in gpac 1.1 ...) - gpac 2.0.0+dfsg1-2 + [bullseye] - gpac <no-dsa> (Minor issue) [buster] - gpac <end-of-life> (EOL in buster LTS) [stretch] - gpac <end-of-life> (No longer supported in LTS) NOTE: https://github.com/gpac/gpac/issues/1965 @@ -79807,6 +79819,7 @@ CVE-2021-43566 (All versions of Samba prior to 4.13.16 are vulnerable to a malic NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13979 CVE-2021-43565 (The x/crypto/ssh package before 0.0.0-20211202192323-5770296d904e of g ...) - golang-go.crypto 1:0.0~git20211202.5770296-1 + [bullseye] - golang-go.crypto <no-dsa> (Minor issue) [buster] - golang-go.crypto <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases) [stretch] - golang-go.crypto <postponed> (Limited support in stretch) NOTE: https://github.com/golang/crypto/commit/5770296d904e90f15f38f77dfc2e43fdf5efc083 
@@ -135200,6 +135213,7 @@ CVE-2021-22574 RESERVED CVE-2021-22573 (The vulnerability is that IDToken verifier does not verify if token is ...) - google-oauth-client-java 1.33.3-1 (bug #1010657) + [bullseye] - google-oauth-client-java <no-dsa> (Minor issue) NOTE: https://github.com/googleapis/google-oauth-java-client/issues/786 NOTE: https://github.com/googleapis/google-oauth-java-client/pull/861 NOTE: https://github.com/googleapis/google-oauth-java-client/pull/872 (1.33.3) ===================================== data/dsa-needed.txt ===================================== @@ -18,6 +18,10 @@ frr -- gerbv -- +graphicsmagick (jmm) +-- +lava +-- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v5.10.y versions @@ -37,6 +41,8 @@ php-horde-mime-viewer -- php-horde-turba -- +pngcheck (jmm) +-- rails -- rpki-client View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5503871020355a40cf41fb5a1602c6a7b78deee7
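Review bot: in the CVE-2022-39260 hunk (and the identical CVE-2022-39253 hunk) the new `[bullseye] - git <no-dsa> (Minor issue)` line sits directly above NOTE lines that already point at the upstream fix commits in the v2.30.6 point release, so the reason for not shipping these through a DSA is not visible from the entry itself; consider widening the parenthetical, e.g. `[bullseye] - git <no-dsa> (Minor issue; upstream fix in v2.30.6, can go via point release)`, so the decision is documented for whoever revisits the entry.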
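Review bot: the CVE-2022-39237 hunk adds a bullseye annotation only for golang-github-sylabs-sif, while the same entry lists a second source package, `singularity-container 3.10.3+ds1-1`, that gets none; if singularity-container is in bullseye with an embedded copy of sif it needs its own `[bullseye] - singularity-container <no-dsa> (Minor issue)` line (or `<not-affected>` with a reason), and if it is not in bullseye a NOTE saying so would make the triage complete.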
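Review bot: the CVE-2022-1968 hunk (and the matching CVE-2022-1898 and CVE-2022-1851 hunks) downgrades the issue to `unimportant` with the note "Crash in CLI tool, no security impact", yet the entry still carries `{DLA-3182-1 DLA-3053-1}`, i.e. the same issue was already shipped as a security update for the LTS releases; a one-line NOTE on why a use-after-free / out-of-bounds read in vim was reassessed after those DLAs would keep the history consistent for readers of the tracker. The neighbouring CVE-2022-1897 (Out-of-bounds Write) keeps its `[bullseye] - vim <no-dsa> (Minor issue)` line, which looks intentional since a write is a different bug class, but is worth confirming in the same pass.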
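Review bot: in the CVE-2022-27191 hunk (and likewise CVE-2021-43565) the buster line reads `<postponed> (Limited support, follow bullseye DSAs/point-releases)`, so marking bullseye `<no-dsa>` means buster will only see a fix if a bullseye point-release update actually happens; if that is the plan, a NOTE stating that the fix is intended for the next bullseye point release would make the dependency between the two annotations explicit.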
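Review bot: in the dsa-needed.txt hunks, `lava` is added without a claimer while `graphicsmagick (jmm)` and `pngcheck (jmm)` follow the file's `package (claimer)` convention; if lava is intentionally left open, a short rationale line under it (as the linux entry has) would help the next person pick it up. While touching this file, the context line "try to regulary rebase" could be corrected to "regularly".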