Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a1b5eb28 by Moritz Muehlenhoff at 2023-03-14T16:29:52+01:00
bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -557,6 +557,7 @@ CVE-2023-1351 (A vulnerability classified as critical has 
been found in SourceCo
        NOT-FOR-US: SourceCodester Computer Parts Sales and Inventory System
 CVE-2023-1350 (A vulnerability was found in liferea. It has been rated as 
critical. A ...)
        - liferea 1.14.1-1 (bug #1032822)
+       [bullseye] - liferea <no-dsa> (Minor issue)
        NOTE: Introduced by: 
https://github.com/lwindolf/liferea/commit/b8288389820a3f510ef4b21684b22439c41d95a5
 (v1.12.0)
        NOTE: introduced by: 
https://github.com/lwindolf/liferea/commit/b67dbba73443ab7b36fcd3c78aa803e974c0f23e
 (v1.12.0)
        NOTE: Fixed by: 
https://github.com/lwindolf/liferea/commit/8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59
 (v1.14.1)
@@ -1003,6 +1004,7 @@ CVE-2023-1290 (A vulnerability, which was classified as 
critical, has been found
 CVE-2023-1289
        RESERVED
        - imagemagick <unfixed>
+       [bullseye] - imagemagick <no-dsa> (Minor issue)
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-j96m-mjp6-99xr
        NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/c5b23cbf2119540725e6dc81f4deb25798ead6a4
 CVE-2023-1288 (An XML External Entity injection (XXE) vulnerability in ENOVIA 
Live Co ...)
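Review bot: In the CVE-2023-1289 entry the unstable line `- imagemagick <unfixed>` carries no bug reference, and the new `[bullseye] - imagemagick <no-dsa> (Minor issue)` means no DSA is planned for bullseye. Since the upstream fix commit is already listed in the NOTE lines, consider filing a BTS bug and recording it as `(bug #...)` on the unstable line, as the liferea and gss-ntlmssp entries do, so the fix is tracked with the maintainer.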
@@ -2112,6 +2114,7 @@ CVE-2023-1176
        RESERVED
 CVE-2023-1175 (Incorrect Calculation of Buffer Size in GitHub repository 
vim/vim prio ...)
        - vim 2:9.0.1378-1
+       [bullseye] - vim <no-dsa> (Minor issue)
        NOTE: https://huntr.dev/bounties/7e93fc17-92eb-4ae7-b01a-93bb460b643e
        NOTE: 
https://github.com/vim/vim/commit/c99cbf8f289bdda5d4a77d7ec415850a520330ba 
(v9.0.1378)
 CVE-2022-4930 (A vulnerability classified as problematic was found in nuxsmin 
sysPass ...)
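Review bot: The `<no-dsa> (Minor issue)` added for CVE-2023-1175 is inconsistent with CVE-2023-1170 in the same commit, which is marked `(unimportant)` with "Crash in CLI tool, no security impact". Both are vim reports from huntr.dev fixed close together upstream (v9.0.1378 and v9.0.1376); if the same reasoning applies here, use the same classification, otherwise add a NOTE saying what makes this one different.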
@@ -2245,9 +2248,10 @@ CVE-2023-1172
 CVE-2023-1171
        RESERVED
 CVE-2023-1170 (Heap-based Buffer Overflow in GitHub repository vim/vim prior 
to 9.0.1 ...)
-       - vim 2:9.0.1378-1
+       - vim 2:9.0.1378-1 (unimportant)
        NOTE: https://huntr.dev/bounties/286e0090-e654-46d2-ac60-29f81799d0a4
        NOTE: 
https://github.com/vim/vim/commit/1c73b65229c25e3c1fd8824ba958f7cc4d604f9c 
(v9.0.1376)
+       NOTE: Crash in CLI tool, no security impact
 CVE-2023-1169
        RESERVED
 CVE-2015-10089 (A vulnerability classified as problematic has been found in 
flame.js.  ...)
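Review bot: The new `NOTE: Crash in CLI tool, no security impact` under CVE-2023-1170 is the only rationale for `(unimportant)`, yet the description in the same entry calls it a heap-based buffer overflow. State in the NOTE why the overflow is limited to a crash, so the downgrade can be checked against the huntr.dev report linked above it.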
@@ -7762,6 +7766,7 @@ CVE-2023-25567 (GSS-NTLMSSP, a mechglue plugin for the 
GSSAPI library that imple
        NOTE: 
https://github.com/gssapi/gss-ntlmssp/commit/025fbb756d44ffee8f847db4222ed6aa4bd1fbe4
 (v1.2.0)
 CVE-2023-25566 (GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that 
implement ...)
        - gss-ntlmssp 1.2.0-1 (bug #1031369)
+       [bullseye] - gss-ntlmssp <not-affected> (Vulnerable code not present)
        NOTE: 
https://github.com/gssapi/gss-ntlmssp/security/advisories/GHSA-mfm4-6g58-jw74
        NOTE: 
https://github.com/gssapi/gss-ntlmssp/commit/8660fb16474054e692a596e9c79670cd4d3954f4
 (v1.2.0)
 CVE-2023-25565 (GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that 
implement ...)
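Review bot: `[bullseye] - gss-ntlmssp <not-affected> (Vulnerable code not present)` under CVE-2023-25566 does not record where the vulnerable code was introduced; the entry only links the advisory and the fixing commit (v1.2.0). Add a `NOTE: Introduced by:` line with the commit or first affected version, as the liferea entry in this file does, so the claim can be verified against the bullseye version. The same applies to the identical line added for CVE-2023-25564 in the next hunk.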
@@ -7770,6 +7775,7 @@ CVE-2023-25565 (GSS-NTLMSSP is a mechglue plugin for the 
GSSAPI library that imp
        NOTE: 
https://github.com/gssapi/gss-ntlmssp/commit/c16100f60907a2de92bcb676f303b81facee0f64
 (v1.2.0)
 CVE-2023-25564 (GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that 
implement ...)
        - gss-ntlmssp 1.2.0-1 (bug #1031369)
+       [bullseye] - gss-ntlmssp <not-affected> (Vulnerable code not present)
        NOTE: 
https://github.com/gssapi/gss-ntlmssp/security/advisories/GHSA-r85x-q5px-9xfq
        NOTE: 
https://github.com/gssapi/gss-ntlmssp/commit/c753000eb31835c0664e528fbc99378ae0cbe950
 (v1.2.0)
 CVE-2023-25563 (GSS-NTLMSSP is a mechglue plugin for the GSSAPI library that 
implement ...)
@@ -48847,6 +48853,7 @@ CVE-2022-38102
        RESERVED
 CVE-2022-38090 (Improper isolation of shared resources in some Intel(R) 
Processors whe ...)
        - intel-microcode <unfixed> (bug #1031334)
+       [bullseye] - intel-microcode <no-dsa> (Minor issue)
        NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00767.html
        NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230214
 CVE-2022-38084
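Review bot: The `[bullseye] - intel-microcode <no-dsa> (Minor issue)` line under CVE-2022-38090 is added while the unstable line is still `<unfixed> (bug #1031334)`, although the NOTE lines already point at the upstream microcode-20230214 release. A NOTE stating how bullseye is expected to pick the update up would make the plan explicit; the same line is added unchanged for CVE-2022-33196, CVE-2022-33972 and CVE-2022-21216 below.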
@@ -54402,6 +54409,7 @@ CVE-2022-34657
        RESERVED
 CVE-2022-33196 (Incorrect default permissions in some memory controller 
configurations ...)
        - intel-microcode <unfixed> (bug #1031334)
+       [bullseye] - intel-microcode <no-dsa> (Minor issue)
        NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00738.html
        NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230214
 CVE-2022-32570 (Improper authentication in the Intel(R) Quartus Prime Pro and 
Standard ...)
@@ -58463,6 +58471,7 @@ CVE-2022-34346 (Out-of-bounds read in the Intel(R) 
Media SDK software before ver
        NOT-FOR-US: Intel
 CVE-2022-33972 (Incorrect calculation in microcode keying mechanism for some 
3rd Gener ...)
        - intel-microcode <unfixed> (bug #1031334)
+       [bullseye] - intel-microcode <no-dsa> (Minor issue)
        NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00730.html
        NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230214
 CVE-2022-33197
@@ -106282,6 +106291,7 @@ CVE-2021-3961 (snipe-it is vulnerable to Improper 
Neutralization of Input During
        - snipe-it <itp> (bug #1005172)
 CVE-2022-21216 (Insufficient granularity of access control in out-of-band 
management i ...)
        - intel-microcode <unfixed> (bug #1031334)
+       [bullseye] - intel-microcode <no-dsa> (Minor issue)
        NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00700.html
        NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230214
 CVE-2022-21204 (Improper permissions for Intel(R) Quartus(R) Prime Pro Edition 
before  ...)
@@ -106297,6 +106307,7 @@ CVE-2022-21153 (Improper access control in the 
Intel(R) Capital Global Summit An
 CVE-2022-21151 (Processor optimization removal or modification of 
security-critical co ...)
        {DSA-5178-1}
        - intel-microcode 3.20220510.1 (bug #1010947)
+       [bullseye] - intel-microcode <no-dsa> (Minor issue)
        NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00617.html
        NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20220510
 CVE-2022-21138
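Review bot: CVE-2022-21151 already carries `{DSA-5178-1}` and intel-microcode is the only package in the entry, so the added `[bullseye] - intel-microcode <no-dsa> (Minor issue)` contradicts the DSA cross-reference directly above it. If bullseye was fixed through that DSA, this line should be dropped or replaced by the fixed bullseye version. The same conflict appears in the following hunks for CVE-2022-21166, CVE-2022-21127, CVE-2022-21125 and CVE-2022-21123, which are also tagged with DSA-5178-1.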
@@ -106725,6 +106736,7 @@ CVE-2022-21180 (Improper input validation for some 
Intel(R) Processors may allow
 CVE-2022-21166 (Incomplete cleanup in specific special register write 
operations for s ...)
        {DSA-5184-1 DSA-5178-1 DSA-5173-1 DLA-3065-1}
        - intel-microcode 3.20220510.1
+       [bullseye] - intel-microcode <no-dsa> (Minor issue)
        - linux 5.18.5-1
        [bullseye] - linux 5.10.127-1
        - xen 4.16.2-1
@@ -106736,12 +106748,14 @@ CVE-2022-21166 (Incomplete cleanup in specific 
special register write operations
 CVE-2022-21127 (Incomplete cleanup in specific special register read 
operations for so ...)
        {DSA-5178-1}
        - intel-microcode 3.20220510.1
+       [bullseye] - intel-microcode <no-dsa> (Minor issue)
        NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00615.html
        NOTE: 
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/processor-mmio-stale-data-vulnerabilities.html#SRBDS-Update
        NOTE: https://xenbits.xen.org/xsa/advisory-404.html
 CVE-2022-21125 (Incomplete cleanup of microarchitectural fill buffers on some 
Intel(R) ...)
        {DSA-5184-1 DSA-5178-1 DSA-5173-1 DLA-3065-1}
        - intel-microcode 3.20220510.1
+       [bullseye] - intel-microcode <no-dsa> (Minor issue)
        - linux 5.18.5-1
        [bullseye] - linux 5.10.127-1
        - xen 4.16.2-1
@@ -106753,6 +106767,7 @@ CVE-2022-21125 (Incomplete cleanup of 
microarchitectural fill buffers on some In
 CVE-2022-21123 (Incomplete cleanup of multi-core shared buffers for some 
Intel(R) Proc ...)
        {DSA-5184-1 DSA-5178-1 DSA-5173-1 DLA-3065-1}
        - intel-microcode 3.20220510.1
+       [bullseye] - intel-microcode <no-dsa> (Minor issue)
        - linux 5.18.5-1
        [bullseye] - linux 5.10.127-1
        - xen 4.16.2-1


=====================================
data/dsa-needed.txt
=====================================
@@ -26,6 +26,8 @@ linux (carnil)
 netatalk
   open regression with MacOS, tentative patch not yet merged upstream
 --
+node-sqlite3 (jmm)
+--
 nodejs (aron)
 --
 openimageio
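Review bot: The new `node-sqlite3 (jmm)` entry has no comment line, and nothing in the data/CVE/list part of this commit mentions node-sqlite3, so the diff does not show which issue the DSA is for. A one-line note under the entry, like the one netatalk has, would help; the commit message "bullseye triage" also does not cover this addition.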



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1b5eb28454db6d688b0729f059177a02c40bb4e



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
