[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage

Thu, 29 Jun 2023 07:06:11 -0700 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5936ceab by Moritz Muehlenhoff at 2023-06-29T16:04:51+02:00
bullseye/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -65052,6 +65052,7 @@ CVE-2021-46834 (A permission bypass vulnerability in 
Huawei cross device task ma
 CVE-2020-36599 (lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and 
before  ...)
        [experimental] - ruby-omniauth 2.0.4-1~exp1
        - ruby-omniauth 2.0.4-2
+       [bullseye] - ruby-omniauth <no-dsa> (Minor issue)
        [buster] - ruby-omniauth <no-dsa> (Minor issue)
        NOTE: 
https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00
 (v2.0.0-rc1)
 CVE-2020-36598
@@ -72262,6 +72263,7 @@ CVE-2022-2401 (Unrestricted information disclosure of 
all users in Mattermost ve
        - mattermost-server <itp> (bug #823556)
 CVE-2022-2400 (External Control of File Name or Path in GitHub repository 
dompdf/domp ...)
        - php-dompdf 2.0.2+dfsg-1 (bug #1015874)
+       [bullseye] - php-dompdf <no-dsa> (Minor issue)
        NOTE: https://huntr.dev/bounties/a6da5e5e-86be-499a-a3c3-2950f749202a
        NOTE: 
https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6a
 CVE-2022-2399 (Use after free in WebGPU in Google Chrome prior to 
100.0.4896.88 allow ...)
@@ -82198,6 +82200,7 @@ CVE-2022-1962 (Uncontrolled recursion in the Parse 
functions in go/parser before
        - golang-1.18 1.18.4-1
        - golang-1.17 1.17.13-1
        - golang-1.15 <removed>
+       [bullseye] - golang-1.15 <no-dsa> (Minor issue)
        - golang-1.11 <removed>
        [buster] - golang-1.11 <postponed> (Limited support, follow bullseye 
DSAs/point-releases)
        NOTE: https://go.dev/issue/53616
@@ -86689,6 +86692,7 @@ CVE-2022-1705 (Acceptance of some invalid 
Transfer-Encoding headers in the HTTP/
        - golang-1.18 1.18.4-1
        - golang-1.17 1.17.13-1
        - golang-1.15 <removed>
+       [bullseye] - golang-1.15 <no-dsa> (Minor issue)
        - golang-1.11 <not-affected> (Introduced in 1.15)
        NOTE: https://go.dev/issue/53188
        NOTE: 
https://github.com/golang/go/commit/e5017a93fcde94f09836200bca55324af037ee5f 
(go1.19rc1)
@@ -92740,7 +92744,7 @@ CVE-2022-1227 (A privilege escalation flaw was found in 
Podman. This flaw allows
        - libpod 3.4.7+ds1-1
        [bullseye] - libpod 3.0.1+dfsg1-3+deb11u2
        - golang-github-containers-psgo 1.7.1+ds1-1 (bug #1020907)
-       [bullseye] - golang-github-containers-psgo 1.5.2-2~deb11u1
+       [bullseye] - golang-github-containers-psgo 1.5.2-1+deb11u1
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2070368
        NOTE: https://github.com/containers/psgo/pull/92
        NOTE: 
https://github.com/containers/psgo/commit/d9467da9f563a9de1ece79dcae86b37b1db75443
 (v1.7.2)
@@ -126108,6 +126112,7 @@ CVE-2021-42853 (It was discovered that the 
SteelCentral AppInternals Dynamic Sam
 CVE-2021-3902
        RESERVED
        - php-dompdf 2.0.2+dfsg-1
+       [bullseye] - php-dompdf <no-dsa> (Minor issue)
        NOTE: https://github.com/dompdf/dompdf/issues/2564
        NOTE: https://huntr.dev/bounties/a6071c07-806f-429a-8656-a4742e4191b1
 CVE-2021-3901 (firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF))
@@ -130261,6 +130266,7 @@ CVE-2021-41770 (Ping Identity PingFederate before 
10.3.1 mishandles pre-parsing
 CVE-2021-3838
        RESERVED
        - php-dompdf 2.0.2+dfsg-1
+       [bullseye] - php-dompdf <no-dsa> (Minor issue)
        NOTE: https://github.com/dompdf/dompdf/issues/2564
        NOTE: https://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e
 CVE-2021-41769 (A vulnerability has been identified in SIPROTEC 5 6MD85 
devices (CPU v ...)
@@ -160782,6 +160788,7 @@ CVE-2021-29924
 CVE-2021-29923 (Go before 1.17 does not properly consider extraneous zero 
characters a ...)
        - golang-1.16 <unfixed>
        - golang-1.15 <unfixed>
+       [bullseye] - golang-1.15 <no-dsa> (Minor issue)
        - golang-1.11 <removed>
        [buster] - golang-1.11 <postponed> (Limited support, minor issue, 
follow bullseye DSAs/point-releases)
        - golang-1.8 <removed>


=====================================
data/dsa-needed.txt
=====================================
@@ -22,6 +22,12 @@ ghostscript (carnil)
 --
 gpac/oldstable (jmm)
 --
+gst-plugins-base1.0 (jmm)
+--
+gst-plugins-bad1.0 (jmm)
+--
+gst-plugins-bad1.0 (jmm)
+--
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v5.10.y versions



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5936ceabfeaa1226e6dc1e82e854a848f2260327

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5936ceabfeaa1226e6dc1e82e854a848f2260327
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to