[Git][security-tracker-team/security-tracker][master] update notes

2022-01-02 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
45d8534d by Thorsten Alteholz at 2022-01-02T23:42:52+01:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -49,6 +49,7 @@ gpac (Roberto C. Sánchez)
   NOTE: 20211228: Returning to active work on this now that llvm/rustc update 
is complete (roberto)
 --
 libarchive (Thorsten Alteholz)
+  NOTE: 20220102: testing package
 --
 libgit2 (Utkarsh)
   NOTE: 20211029: CVE-2018-10887/CVE-2018-10888/CVE-2018-15501 were fixed
@@ -95,6 +96,7 @@ slurm-llnl (Sylvain Beucler)
   NOTE: 20211229: should also be checked. (bunk)
 --
 sphinxsearch (Thorsten Alteholz)
+  NOTE: 20220103: waiting for Buster upload
 --
 thunderbird (Emilio)
   NOTE: 20211122: blocked on toolchain backports (pochu)
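Review bot: the new sphinxsearch NOTE is stamped 20220103 although the commit is dated 2022-01-02T23:42:52+01:00 and the libarchive NOTE added in the same commit uses 20220102; unless the entry is deliberately forward-dated, change it to 20220102 so the stamps in dla-needed.txt stay in commit order.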



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45d8534dcaee8406eed40565a0cafd771db55eec

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45d8534dcaee8406eed40565a0cafd771db55eec
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Add CVE-2021-45943/gdal

2022-01-02 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0b45bd90 by Salvatore Bonaccorso at 2022-01-02T22:37:41+01:00
Add CVE-2021-45943/gdal

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -135,7 +135,14 @@ CVE-2021-45944 (Ghostscript GhostPDL 9.50 through 9.53.3 
has a use-after-free in
NOTE: 
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-237.yaml
TODO: check, oss-fuzz "fixing commit" cannot be correct as it only 
removes a documentation snippet.
 CVE-2021-45943 (GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in 
PCIDSK::C ...)
-   TODO: check
+   [experimental] - gdal 3.4.1~rc1+dfsg-1~exp1
+   - gdal 
+   NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41993
+   NOTE: https://github.com/OSGeo/gdal/pull/4944
+   NOTE: 
https://github.com/OSGeo/gdal/commit/93913a849dc1d217a40dbf9d6e6a3a23c42b61a6 
(master)
+   NOTE: Backport to 3.4: https://github.com/OSGeo/gdal/pull/4947
+   NOTE: 
https://github.com/OSGeo/gdal/commit/9b2bcbc47d1649adc0ab65b801f96f56156cf017 
(v3.4.1RC1)
+   NOTE: 
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/gdal/OSV-2021-1651.yaml
 CVE-2021-45942 (OpenEXR 3.1.0 through 3.1.3 has a heap-based buffer overflow 
in Imf_3_ ...)
TODO: check
 CVE-2021-45941 (libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (8 
bytes) in _ ...)
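Review bot: the TODO is replaced by references and an experimental fix version, but the entry still carries no assessment for buster or bullseye; since the description itself gives the affected range (GDAL 3.3.0 through 3.4.0), a NOTE stating whether the stable gdal versions fall inside that range, or explicit [bullseye]/[buster] lines, would let the entry be closed without a second triage pass.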



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b45bd90f20e4cb39a3b313339ae42394d8df71b



[Git][security-tracker-team/security-tracker][master] Add initial tracking for CVE-2021-45931

2022-01-02 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9f2fdffa by Salvatore Bonaccorso at 2022-01-02T22:30:27+01:00
Add initial tracking for CVE-2021-45931

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -165,7 +165,11 @@ CVE-2021-45933 (wolfSSL wolfMQTT 1.9 has a heap-based 
buffer overflow (8 bytes)
 CVE-2021-45932 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow (4 
bytes) in Mqt ...)
TODO: check
 CVE-2021-45931 (HarfBuzz 2.9.0 has an out-of-bounds write in 
hb_bit_set_invertible_t:: ...)
-   TODO: check
+   - harfbuzz 
+   NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37425
+   NOTE: 
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/harfbuzz/OSV-2021-1159.yaml
+   NOTE: 
https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81
 (2.9.1)
+   TODO: check correctness of commit, might not affect any Debian released 
version
 CVE-2021-45930 (Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1 has 
an out-o ...)
- qtsvg-opensource-src  (bug #1002991)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37025
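Review bot: the TODO "might not affect any Debian released version" gives a later triager nothing to act on; record the reason in a NOTE (the fix commit is tagged 2.9.1 and the description names only HarfBuzz 2.9.0 as affected), and once the buster/bullseye harfbuzz versions have been compared against 2.9.0 replace the TODO with explicit [buster]/[bullseye] lines.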



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f2fdffa980bee3a3af43227d8197f59ad7f6a6c



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-45948/assimp

2022-01-02 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
41e55805 by Salvatore Bonaccorso at 2022-01-02T22:07:36+01:00
Add CVE-2021-45948/assimp

Note for reviewers: The CVE description and the "oss-fuzz" OSV-2021-775
reference seem wrong in marking the affected versions. There is a
related upstream pull request covering various issues, including the

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34416

one which is fixed within

https://github.com/assimp/assimp/commit/3664fe20c07fdbd4d72c5caf68375b056806ab08

and so included in v5.1.0 upstream.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -118,7 +118,11 @@ CVE-2021-45949 (Ghostscript GhostPDL 9.50 through 9.54.0 
has a heap-based buffer
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675
NOTE: 
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7
 CVE-2021-45948 (Open Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a 
heap-base ...)
-   TODO: check
+   - assimp 5.1.1~ds0-1
+   NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34416
+   NOTE: 
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/assimp/OSV-2021-775.yaml
+   NOTE: https://github.com/assimp/assimp/pull/4146
+   NOTE: 
https://github.com/assimp/assimp/commit/30f17aa2064b86c0096f0ec701b9e8ea9312fef2
 (v5.1.0)
 CVE-2021-45947 (Wasm3 0.5.0 has an out-of-bounds write in Runtime_Release 
(called from ...)
TODO: check
 CVE-2021-45946 (Wasm3 0.5.0 has an out-of-bounds write in CompileBlock (called 
from Co ...)
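Review bot: the fix commit recorded in the NOTE (30f17aa2064b86c0096f0ec701b9e8ea9312fef2, v5.1.0) is not the one the commit message names as fixing oss-fuzz issue 34416 (3664fe20c07fdbd4d72c5caf68375b056806ab08, also v5.1.0); confirm which commit is the actual fix and make the NOTE and the message agree, or list both if both are needed. Because the description claims 5.1.0 and 5.1.1 are affected while the fix is in v5.1.0, the reasoning from the commit message (description and OSV entry mark the wrong versions) belongs in a NOTE too, otherwise the 5.1.1~ds0-1 fixed version looks contradictory to the next reader.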



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41e5580527b62af40ddfd2674dad9fc20b5529ed



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-45950/libredwg

2022-01-02 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c4443472 by Salvatore Bonaccorso at 2022-01-02T21:59:17+01:00
Add CVE-2021-45950/libredwg

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -112,7 +112,7 @@ CVE-2021-45951 (Dnsmasq 2.86 has a heap-based buffer 
overflow in check_bad_addre
NOTE: 
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/dnsmasq/OSV-2021-924.yaml
TODO: check, the introducing commit seems odd, and might be just 
related to when fuzzing started, and is same for other dnsmaq and oss-fuzz 
related reports.
 CVE-2021-45950 (LibreDWG 0.12.4.4313 through 0.12.4.4367 has an out-of-bounds 
write in ...)
-   TODO: check
+   - libredwg  (bug #595191)
 CVE-2021-45949 (Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based 
buffer overf ...)
- ghostscript 9.55.0~dfsg-1
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675
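Review bot: bug #595191 is far below the other bug numbers referenced on this page (#1002728, #1002991, #1002994, #1002995), so it is clearly not a fresh report for CVE-2021-45950; if the number is intentional because it tracks the package's status rather than this CVE, add a NOTE saying what it tracks so the reference is self-explanatory, and otherwise double-check the number.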



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4443472156aa8eb67e0a7a067810eeb247e4f79



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-0080/mruby

2022-01-02 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
37a5e91f by Salvatore Bonaccorso at 2022-01-02T21:52:26+01:00
Add CVE-2022-0080/mruby

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -52,7 +52,9 @@ CVE-2021-45962
 CVE-2021-45961
RESERVED
 CVE-2022-0080 (mruby is vulnerable to Heap-based Buffer Overflow ...)
-   TODO: check
+   - mruby 
+   NOTE: https://huntr.dev/bounties/59a70392-4864-4ce3-8e35-6ac2111d1e2e/
+   NOTE: 
https://github.com/mruby/mruby/commit/28ccc664e5dcd3f9d55173e9afde77c4705a9ab6
 CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or 
more) pla ...)
- expat  (bug #1002994)
[bullseye] - expat  (Minor issue; can be fixed via point 
release)
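Review bot: the upstream commit NOTE lacks the release or tag that contains the fix; the gdal, harfbuzz and assimp entries triaged in this batch append it after the commit URL ("(v3.4.1RC1)", "(2.9.1)", "(v5.1.0)"), so do the same here so the fixed upstream mruby version can be read off without opening the link.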



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37a5e91fe797d5c0d0b9fd31e4a0d25224cf014b



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-22293/dolibarr

2022-01-02 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
869669d1 by Salvatore Bonaccorso at 2022-01-02T21:37:08+01:00
Add CVE-2022-22293/dolibarr

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,5 @@
 CVE-2022-22293 (admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as 
demonstra ...)
-   TODO: check
+   - dolibarr 
 CVE-2022-0081
RESERVED
 CVE-2021-45984
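Review bot: the entry goes from TODO to an open dolibarr line with no NOTE or reference at all, unlike the other entries triaged in this batch, which record at least the report URL; add the upstream report or fix reference, and since the description names only Dolibarr 7.0.2, note whether the versions in the released suites are affected so the entry does not need a second triage pass.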



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/869669d1e2a0a7a16b30da9d2f0a184eab8493ab



[Git][security-tracker-team/security-tracker][master] Track proposed update for bullseye-pu for php-laravel-framework

2022-01-02 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7e2f14e7 by Salvatore Bonaccorso at 2022-01-02T21:18:51+01:00
Track proposed update for bullseye-pu for php-laravel-framework

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -16,6 +16,10 @@ CVE-2021-23177
[bullseye] - libarchive 3.4.3-2+deb11u1
 CVE-2021-31566
[bullseye] - libarchive 3.4.3-2+deb11u1
+CVE-2021-43808
+   [bullseye] - php-laravel-framework 6.20.14+dfsg-2+deb11u1
+CVE-2021-43617
+   [bullseye] - php-laravel-framework 6.20.14+dfsg-2+deb11u1
 CVE-2021-32718
[bullseye] - rabbitmq-server 3.8.9-3+deb11u1
 CVE-2021-32719



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e2f14e747091706eabed20e8a9afb19457f2a91



[Git][security-tracker-team/security-tracker][master] automatic update

2022-01-02 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f87924b2 by security tracker role at 2022-01-02T20:10:27+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -51,8 +51,8 @@ CVE-2021-45962
RESERVED
 CVE-2021-45961
RESERVED
-CVE-2022-0080
-   RESERVED
+CVE-2022-0080 (mruby is vulnerable to Heap-based Buffer Overflow ...)
+   TODO: check
 CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or 
more) pla ...)
- expat  (bug #1002994)
[bullseye] - expat  (Minor issue; can be fixed via point 
release)
@@ -63,7 +63,7 @@ CVE-2022-0079
RESERVED
 CVE-2022-0078
RESERVED
-CVE-2021-45959 ({fmt} 7.1.0 through 8.0.1 has a stack-based buffer overflow in 
fmt::v8 ...)
+CVE-2021-45959 (** DISPUTED ** {fmt} 7.1.0 through 8.0.1 has a stack-based 
buffer over ...)
- fmtlib  (unimportant)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36110
NOTE: https://github.com/fmtlib/fmt/issues/2685
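Review bot: the ** DISPUTED ** prefix pulled in by the automatic update agrees with the (unimportant) tag, but the earlier fmtlib commit on this page says a REJECT has been requested from MITRE; the entry should carry a TODO or NOTE recording that pending request, so that the description is re-checked and the fmtlib line revisited once MITRE processes it.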
@@ -2963,6 +2963,7 @@ CVE-2021-4127
RESERVED
 CVE-2021-4126
RESERVED
+   {DSA-5034-1}
- thunderbird 1:91.4.1-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2021-55/#CVE-2021-4126
 CVE-2021-26264
@@ -4862,6 +4863,7 @@ CVE-2021-4049 (livehelperchat is vulnerable to Cross-Site 
Request Forgery (CSRF)
 CVE-2021-44539
RESERVED
 CVE-2021-44538 (The olm_session_describe function in Matrix libolm before 
3.2.7 is vul ...)
+   {DSA-5034-1}
- element-web  (bug #866502)
- olm 3.2.8~dfsg-1 (bug #1001664)
[buster] - olm  (Vulnerable code introduced later)
@@ -8504,7 +8506,7 @@ CVE-2021-43548 (Patient Information Center iX (PIC iX) 
Versions C.02 and C.03 re
 CVE-2021-43547
RESERVED
 CVE-2021-43546 (It was possible to recreate previous cursor spoofing attacks 
against u ...)
-   {DSA-5026-1 DLA-2863-1}
+   {DSA-5034-1 DSA-5026-1 DLA-2863-1}
- firefox 95.0-1
- firefox-esr 91.4.0esr-1
- thunderbird 1:91.4.0-1
@@ -8512,7 +8514,7 @@ CVE-2021-43546 (It was possible to recreate previous 
cursor spoofing attacks aga
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43546
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43546
 CVE-2021-43545 (Using the Location API in a loop could have caused severe 
application  ...)
-   {DSA-5026-1 DLA-2863-1}
+   {DSA-5034-1 DSA-5026-1 DLA-2863-1}
- firefox 95.0-1
- firefox-esr 91.4.0esr-1
- thunderbird 1:91.4.0-1
@@ -8523,7 +8525,7 @@ CVE-2021-43544 (When receiving a URL through a SEND 
intent, Firefox would have s
- firefox  (Only affects Android)
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43544
 CVE-2021-43543 (Documents loaded with the CSP sandbox directive could have 
escaped the ...)
-   {DSA-5026-1 DLA-2863-1}
+   {DSA-5034-1 DSA-5026-1 DLA-2863-1}
- firefox 95.0-1
- firefox-esr 91.4.0esr-1
- thunderbird 1:91.4.0-1
@@ -8531,7 +8533,7 @@ CVE-2021-43543 (Documents loaded with the CSP sandbox 
directive could have escap
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43543
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43543
 CVE-2021-43542 (Using XMLHttpRequest, an attacker could have identified 
installed appl ...)
-   {DSA-5026-1 DLA-2863-1}
+   {DSA-5034-1 DSA-5026-1 DLA-2863-1}
- firefox 95.0-1
- firefox-esr 91.4.0esr-1
- thunderbird 1:91.4.0-1
@@ -8539,7 +8541,7 @@ CVE-2021-43542 (Using XMLHttpRequest, an attacker could 
have identified installe
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43542
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43542
 CVE-2021-43541 (When invoking protocol handlers for external protocols, a 
supplied par ...)
-   {DSA-5026-1 DLA-2863-1}
+   {DSA-5034-1 DSA-5026-1 DLA-2863-1}
- firefox 95.0-1
- firefox-esr 91.4.0esr-1
- thunderbird 1:91.4.0-1
@@ -8550,7 +8552,7 @@ CVE-2021-43540 (WebExtensions with the correct 
permissions were able to create a
- firefox 95.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43540
 CVE-2021-43539 (Failure to correctly record the location of live pointers 
across wasm  ...)
-   {DSA-5026-1 DLA-2863-1}
+   {DSA-5034-1 DSA-5026-1 DLA-2863-1}
- firefox 95.0-1
- firefox-esr 91.4.0esr-1
- thunderbird 1:91.4.0-1
@@ -8558,7 +8560,7 @@ CVE-2021-43539 (Failure to correctly record the location 
of live pointers across
NOTE: 
https://www.mozilla.org/en-US/security

[Git][security-tracker-team/security-tracker][master] thunderbird DSA

2022-01-02 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
60d46a28 by Moritz Mühlenhoff at 2022-01-02T17:52:13+01:00
thunderbird DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[02 Jan 2022] DSA-5034-1 thunderbird - security update
+   {CVE-2021-4126 CVE-2021-38496 CVE-2021-38500 CVE-2021-38502 
CVE-2021-38503 CVE-2021-38504 CVE-2021-38506 CVE-2021-38507 CVE-2021-38508 
CVE-2021-38509 CVE-2021-43528 CVE-2021-43529 CVE-2021-43534 CVE-2021-43535 
CVE-2021-43536 CVE-2021-43537 CVE-2021-43538 CVE-2021-43539 CVE-2021-43541 
CVE-2021-43542 CVE-2021-43543 CVE-2021-43545 CVE-2021-43546 CVE-2021-44538}
+   [buster] - thunderbird 1:91.4.1-1~deb10u1
+   [bullseye] - thunderbird 1:91.4.1-1~deb11u1
 [30 Dec 2021] DSA-5033-1 fort-validator - security update
{CVE-2021-3907 CVE-2021-3909 CVE-2021-43173 CVE-2021-43114}
[bullseye] - fort-validator 1.5.3-1~deb11u1


=
data/dsa-needed.txt
=
@@ -47,9 +47,6 @@ ruby2.7/stable
 --
 runc
 --
-thunderbird (jmm)
-  Rust toolchain updates needed
---
 trafficserver (jmm)
   wait until status for CVE-2021-38161 is clarified (upstream patch got 
reverted)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60d46a2872a118875bf1b0767b68e67d5af4aae5



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-43617

2022-01-02 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
06342afe by Salvatore Bonaccorso at 2022-01-02T16:07:45+01:00
Add Debian bug reference for CVE-2021-43617

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8264,7 +8264,7 @@ CVE-2021-43618 (GNU Multiple Precision Arithmetic Library 
(GMP) through 6.2.1 ha
NOTE: 
https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html
NOTE: https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e
 CVE-2021-43617 (Laravel Framework through 8.70.2 does not sufficiently block 
the uploa ...)
-   - php-laravel-framework 6.20.14+dfsg-3
+   - php-laravel-framework 6.20.14+dfsg-3 (bug #1002728)
[bullseye] - php-laravel-framework  (Can be fixed via point 
release)
NOTE: 
https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b
 CVE-2021-3957 (kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) ...)
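Review bot: the only reference on the CVE-2021-43617 entry is a third-party Medium write-up, against which the fixed version 6.20.14+dfsg-3 cannot be verified; add the upstream fix (commit or release) reference alongside the new bug number.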



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/06342afe94034dd6d5274fc0812aa8f71bae3da2



[Git][security-tracker-team/security-tracker][master] 2 commits: Unify NFU naming for CVE-2021-43996 and CVE-2020-13909

2022-01-02 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a9842f3a by Salvatore Bonaccorso at 2022-01-02T15:46:30+01:00
Unify NFU naming for CVE-2021-43996 and CVE-2020-13909

- - - - -
6c233686 by Salvatore Bonaccorso at 2022-01-02T15:48:19+01:00
Mark CVE-2021-23814 as NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6399,7 +6399,7 @@ CVE-2021-43998 (HashiCorp Vault and Vault Enterprise 
0.11.0 up to 1.7.5 and 1.8.
 CVE-2021-43997 (Amazon FreeRTOS 10.2.0 through 10.4.5 on the ARMv7-M and 
ARMv8-M MPU p ...)
NOT-FOR-US: Amazon FreeRTOS
 CVE-2021-43996 (The Ignition component before 1.16.15, and 2.0.x before 2.0.6, 
for Lar ...)
-   NOT-FOR-US: Laravel component
+   NOT-FOR-US: Laravel Ignition component
 CVE-2021-43995
RESERVED
 CVE-2021-43994
@@ -59507,7 +59507,7 @@ CVE-2021-23816
 CVE-2021-23815
RESERVED
 CVE-2021-23814 (This affects the package unisharp/laravel-filemanager from 
0.0.0. The  ...)
-   TODO: check
+   NOT-FOR-US: Laravel Filemanager
 CVE-2021-23813
RESERVED
 CVE-2021-23812
@@ -113461,7 +113461,7 @@ CVE-2020-13911 (Your Online Shop 1.8.0 allows 
authenticated users to trigger XSS
 CVE-2020-13910 (Pengutronix Barebox through v2020.05.0 has an out-of-bounds 
read in nf ...)
NOT-FOR-US: Pengutronix Barebox
 CVE-2020-13909 (The Ignition component before 2.0.5 for Laravel mishandles 
globals, _g ...)
-   NOT-FOR-US: Laravel
+   NOT-FOR-US: Laravel Ignition component
 CVE-2020-13908
RESERVED
 CVE-2020-13907



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4859af149a1459fff2f45d01d53f8871d46930d6...6c233686b3555ca158daa709efb84f2f85be6266



[Git][security-tracker-team/security-tracker][master] Mark CVE-2021-43617 as no-dsa

2022-01-02 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4859af14 by Salvatore Bonaccorso at 2022-01-02T15:44:04+01:00
Mark CVE-2021-43617 as no-dsa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8265,6 +8265,7 @@ CVE-2021-43618 (GNU Multiple Precision Arithmetic Library 
(GMP) through 6.2.1 ha
NOTE: https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e
 CVE-2021-43617 (Laravel Framework through 8.70.2 does not sufficiently block 
the uploa ...)
- php-laravel-framework 6.20.14+dfsg-3
+   [bullseye] - php-laravel-framework  (Can be fixed via point 
release)
NOTE: 
https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b
 CVE-2021-3957 (kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) ...)
NOT-FOR-US: kimai2



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4859af149a1459fff2f45d01d53f8871d46930d6



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for ruby3.0 issues

2022-01-02 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7328bc5c by Salvatore Bonaccorso at 2022-01-02T15:19:41+01:00
Add Debian bug reference for ruby3.0 issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -14939,7 +14939,7 @@ CVE-2021-41820
RESERVED
 CVE-2021-41819 (CGI::Cookie.parse in Ruby through 2.6.8 mishandles security 
prefixes i ...)
{DLA-2853-1}
-   - ruby3.0 
+   - ruby3.0  (bug #1002995)
- ruby2.7 2.7.5-1
- ruby2.5 
- ruby2.3 
@@ -14950,7 +14950,7 @@ CVE-2021-41818
RESERVED
 CVE-2021-41817 (Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS 
(regula ...)
{DLA-2853-1}
-   - ruby3.0 
+   - ruby3.0  (bug #1002995)
- ruby2.7 2.7.5-1
- ruby2.5 
- ruby2.3 
@@ -14962,7 +14962,7 @@ CVE-2021-41817 (Date.parse in the date gem through 
3.2.0 for Ruby allows ReDoS (
NOTE: 
https://github.com/ruby/date/commit/376c65942bd1d81803f14d37351737df60ec4664 
(v3.2.2)
 CVE-2021-41816 [Buffer Overrun in CGI.escape_html]
RESERVED
-   - ruby3.0 
+   - ruby3.0  (bug #1002995)
- ruby2.7 2.7.5-1
- ruby2.5  (Vulnerable code introduced later)
- ruby2.3  (Vulnerable code introduced later)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7328bc5ce40bb74940ab4f708976edda1e770f80



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-45960/expat

2022-01-02 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ad96e728 by Salvatore Bonaccorso at 2022-01-02T15:17:55+01:00
Add Debian bug reference for CVE-2021-45960/expat

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -54,7 +54,7 @@ CVE-2021-45961
 CVE-2022-0080
RESERVED
 CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or 
more) pla ...)
-   - expat 
+   - expat  (bug #1002994)
[bullseye] - expat  (Minor issue; can be fixed via point 
release)
[buster] - expat  (Minor issue; can be fixed via point release)
NOTE: https://github.com/libexpat/libexpat/issues/531



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad96e72804ad29884bd052fbb890e31757b3510c



[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2021-45959/fmtlib

2022-01-02 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a1b4bd0b by Salvatore Bonaccorso at 2022-01-02T15:03:27+01:00
Update notes for CVE-2021-45959/fmtlib

Pending REJECT from MITRE to clean up the CVE entry.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -64,10 +64,12 @@ CVE-2022-0079
 CVE-2022-0078
RESERVED
 CVE-2021-45959 ({fmt} 7.1.0 through 8.0.1 has a stack-based buffer overflow in 
fmt::v8 ...)
-   - fmtlib 
+   - fmtlib  (unimportant)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36110
+   NOTE: https://github.com/fmtlib/fmt/issues/2685
NOTE: Fixed by: 
https://github.com/fmtlib/fmt/commit/2038bf61831eb8faede0883965364a974d1350fe
-   TODO: check correctness, introducing commit in oss-fuzz report is 
related when fuzzing started
+   NOTE: The CVE is basically invalid, as the report was one of a series 
of false positives
+   NOTE: and the "upstream fix" is effectively a noop.
 CVE-2021-45958 (UltraJSON (aka ujson) 4.0.2 through 5.0.0 has a stack-based 
buffer ove ...)
- ujson 
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009
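Review bot: dropping the TODO leaves nothing in the entry that tracks the pending MITRE REJECT mentioned in the commit message; keep a TODO along the lines of "TODO: REJECT requested from MITRE, update entry once processed" so the follow-up is not lost when the description changes.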



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1b4bd0b76afefa7abf5b0211385ae0a22e651ac



[Git][security-tracker-team/security-tracker][master] Track proposed rabbitmq-server update via bullseye-pu

2022-01-02 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
be76208d by Salvatore Bonaccorso at 2022-01-02T14:29:43+01:00
Track proposed rabbitmq-server update via bullseye-pu

Note, the update does not seem complete, so followed up on the
release.d.o bug (missing patch in debian/patches/series).

Asked to include as well the fix for the third open CVE.

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -16,3 +16,7 @@ CVE-2021-23177
[bullseye] - libarchive 3.4.3-2+deb11u1
 CVE-2021-31566
[bullseye] - libarchive 3.4.3-2+deb11u1
+CVE-2021-32718
+   [bullseye] - rabbitmq-server 3.8.9-3+deb11u1
+CVE-2021-32719
+   [bullseye] - rabbitmq-server 3.8.9-3+deb11u1
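Review bot: only CVE-2021-32718 and CVE-2021-32719 are tracked for the bullseye-pu upload although the commit message says the upload is known to be incomplete (missing patch in debian/patches/series) and that the fix for a third open CVE has been requested; add a NOTE recording that the upload is still expected to change, and add the third CVE to this block once it is included, so the 3.8.9-3+deb11u1 version is not read as final.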



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be76208d5181d462c7010b8a0b15f143ba2f3eac



[Git][security-tracker-team/security-tracker][master] Drop rabbitmq-server from dsa-needed list

2022-01-02 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9a53fd0c by Salvatore Bonaccorso at 2022-01-02T14:28:31+01:00
Drop rabbitmq-server from dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -39,8 +39,6 @@ puppetdb (jmm)
 --
 python-pysaml2 (jmm)
 --
-rabbitmq-server
---
 ruby2.5/oldstable
   Maintainer is preparing updates
 --
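Review bot: the commit message gives no reason for dropping the entry; since the same day's commit be76208d starts tracking the rabbitmq-server fixes via bullseye-pu in data/next-point-update.txt, a one-line message such as "tracked via bullseye-pu instead" would spare readers a search of the history. The `--` separator is removed together with the entry, so the list stays well formed.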



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a53fd0c2e3fb5910932c77f100d88343a95c551



[Git][security-tracker-team/security-tracker][master] Update information for CVE-2021-22116/rabbitmq-server

2022-01-02 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
51a0ee26 by Salvatore Bonaccorso at 2022-01-02T14:27:30+01:00
Update information for CVE-2021-22116/rabbitmq-server

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -63352,11 +63352,13 @@ CVE-2021-22117 (RabbitMQ installers on Windows prior 
to version 3.8.16 do not ha
- rabbitmq-server  (Windows-specific)
 CVE-2021-22116 (RabbitMQ all versions prior to 3.8.16 are prone to a denial of 
service ...)
{DLA-2710-1}
-   - rabbitmq-server  (bug #989056)
+   - rabbitmq-server 3.9.4-1 (bug #989056)
[bullseye] - rabbitmq-server  (Minor issue)
[buster] - rabbitmq-server  (Minor issue)
NOTE: https://tanzu.vmware.com/security/cve-2021-22116
NOTE: https://github.com/rabbitmq/rabbitmq-server/pull/2953
+   NOTE: Fixed by: 
https://github.com/rabbitmq/rabbitmq-server/commit/f37a31de55229e6c763215500e376fa16803390b
 (v3.9.0-beta.1)
+   NOTE: Fixed by: 
https://github.com/rabbitmq/rabbitmq-server/commit/626d5219115d087a2695c0eb243c7ddb7e154563
 (v3.8.15-rc.2)
 CVE-2021-22115 (Cloud Controller API versions prior to 1.106.0 logs service 
broker cre ...)
NOT-FOR-US: Cloud Controller API
 CVE-2021-22114 (Addresses partial fix in CVE-2018-1263. 
Spring-integration-zip, versio ...)
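Review bot: the entry still carries `[bullseye] - rabbitmq-server (Minor issue)` and `[buster] - rabbitmq-server (Minor issue)`, and it is not among the CVEs listed for 3.8.9-3+deb11u1 in data/next-point-update.txt in commit be76208d; if this is the third open CVE that commit message asked to have included in the bullseye-pu upload, the bullseye line will need to be replaced by the deb11u1 version once the upload contains the fix. The two `Fixed by` references (v3.9.0-beta.1 and v3.8.15-rc.2) are consistent with the unstable fixed version 3.9.4-1, and the v3.8.15-rc.2 commit gives a 3.8.x backport to compare against the pending stable upload.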



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51a0ee2601ce94e1a28b01006781249722820656



[Git][security-tracker-team/security-tracker][master] Update information for CVE-2021-3271{8,9}/rabbitmq-server

2022-01-02 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3e741c2e by Salvatore Bonaccorso at 2022-01-02T14:19:05+01:00
Update information for CVE-2021-3271{8,9}/rabbitmq-server

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -36949,19 +36949,24 @@ CVE-2021-32721 (PowerMux is a drop-in replacement for 
Go's http.ServeMux. In Pow
 CVE-2021-32720 (Sylius is an Open Source eCommerce platform on top of Symfony. 
In vers ...)
NOT-FOR-US: Sylius
 CVE-2021-32719 (RabbitMQ is a multi-protocol messaging broker. In 
rabbitmq-server prio ...)
-   - rabbitmq-server  (bug #990524)
+   - rabbitmq-server 3.9.4-1 (bug #990524)
[bullseye] - rabbitmq-server  (Minor issue)
[buster] - rabbitmq-server  (Minor issue)
[stretch] - rabbitmq-server  (Vulnerable code not present)
NOTE: 
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hxj4-773x
NOTE: https://github.com/rabbitmq/rabbitmq-server/pull/3122
+   NOTE: Fixed by: 
https://github.com/rabbitmq/rabbitmq-server/commit/f01f0f2d840b98128cdb7ff966d8234b06ef7c75
 (master)
+   NOTE: Fixed by: 
https://github.com/rabbitmq/rabbitmq-server/commit/51df93b45fb05f935456f09b88e7554e0b36317f
 (v3.9.0-beta.1)
+   NOTE: Fixed by: 
https://github.com/rabbitmq/rabbitmq-server/commit/08beb82e9ab8923ded88ece2800cd80971e2bd05
 (v3.8.18)
 CVE-2021-32718 (RabbitMQ is a multi-protocol messaging broker. In 
rabbitmq-server prio ...)
-   - rabbitmq-server  (bug #990524)
+   - rabbitmq-server 3.9.4-1 (bug #990524)
[bullseye] - rabbitmq-server  (Minor issue)
[buster] - rabbitmq-server  (Minor issue)
[stretch] - rabbitmq-server  (Vulnerable code not present)
NOTE: 
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-c3hj-rg5h-2772
NOTE: https://github.com/rabbitmq/rabbitmq-server/pull/3028
+   NOTE: Fixed by: 
https://github.com/rabbitmq/rabbitmq-server/commit/a8dffdf7de9793a76fc4685c89b968d8eddca4ca
 (v3.9.0-beta.1)
+   NOTE: Fixed by: 
https://github.com/rabbitmq/rabbitmq-server/commit/a7373585faeac0aaede5a9c245094d8022e81299
 (v3.8.17-rc.1)
 CVE-2021-32717 (Shopware is an open source eCommerce platform. In versions 
prior to 6. ...)
NOT-FOR-US: Shopware
 CVE-2021-32716 (Shopware is an open source eCommerce platform. In versions 
prior to 6. ...)
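Review bot: both CVEs now record 3.9.4-1 as the fixed unstable version and list 3.8.x backport commits (v3.8.18 for CVE-2021-32719, v3.8.17-rc.1 for CVE-2021-32718) next to the v3.9.0-beta.1 ones; these 3.8.x commits are the ones to compare against debian/patches in the proposed 3.8.9-3+deb11u1 upload, which commit be76208d says is missing a patch in debian/patches/series. The `[bullseye] - rabbitmq-server (Minor issue)` tags are unchanged here, which is fine while data/next-point-update.txt carries the pending version; they should be replaced by 3.8.9-3+deb11u1 when the point update is accepted.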



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e741c2e44095af83f5722f61a7c42cb98a851f7



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-45930

2022-01-02 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b56aaf5d by Salvatore Bonaccorso at 2022-01-02T14:10:59+01:00
Add Debian bug reference for CVE-2021-45930

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -159,7 +159,7 @@ CVE-2021-45932 (wolfSSL wolfMQTT 1.9 has a heap-based 
buffer overflow (4 bytes)
 CVE-2021-45931 (HarfBuzz 2.9.0 has an out-of-bounds write in 
hb_bit_set_invertible_t:: ...)
TODO: check
 CVE-2021-45930 (Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1 has 
an out-o ...)
-   - qtsvg-opensource-src 
+   - qtsvg-opensource-src  (bug #1002991)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37025
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37306
NOTE: 
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qt/OSV-2021-1121.yaml



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b56aaf5d1e49c24adabb784d872dc1ae6a1fdae5



[Git][security-tracker-team/security-tracker][master] CVE-2021-45930: Add reference to QT bug (not public)

2022-01-02 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eda465a7 by Salvatore Bonaccorso at 2022-01-02T14:05:24+01:00
CVE-2021-45930: Add reference to QT bug (not public)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -163,6 +163,7 @@ CVE-2021-45930 (Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 
through 6.2.1 has an
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37025
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37306
NOTE: 
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qt/OSV-2021-1121.yaml
+   NOTE: https://bugreports.qt.io/browse/QTBUG-96044
NOTE: 
https://github.com/qt/qtsvg/commit/36cfd9efb9b22b891adee9c48d30202289cfa620 
(dev)
NOTE: 
https://github.com/qt/qtsvg/commit/79bb9f51fa374106a612d17c9d98d35d807be670 
(v6.2.2)
NOTE: 
https://github.com/qt/qtsvg/commit/a3b753c2d077313fc9eb93af547051b956e383fc 
(v5.12.12)
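Review bot: the commit message says the QTBUG-96044 reference is not public, but the NOTE line itself does not say so, while the neighbouring commit references carry `(dev)`, `(v6.2.2)` and `(v5.12.12)` tags; adding a `(not public)` annotation to the new NOTE would keep that information in data/CVE/list where the tracker's readers see it, rather than only in the git log.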



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eda465a750cc8040c255bea3f393e88dab12a01a



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-45972/giftrans

2022-01-02 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
da8b6fde by Salvatore Bonaccorso at 2022-01-02T09:21:09+01:00
Add CVE-2021-45972/giftrans

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -27,7 +27,8 @@ CVE-2021-45974
 CVE-2021-45973
RESERVED
 CVE-2021-45972 (The giftrans function in giftrans 1.12.2 contains a 
stack-based buffer ...)
-   TODO: check
+   - giftrans  (bug #1002739; unimportant)
+   NOTE: Negligible security impact; crash in CLI tool
 CVE-2021-45971
RESERVED
 CVE-2021-45970



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da8b6fde5e59dc8e3e14a431c74fdbadc2647da4



[Git][security-tracker-team/security-tracker][master] automatic update

2022-01-02 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d91b87ec by security tracker role at 2022-01-02T08:10:10+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,55 @@
+CVE-2022-22293 (admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as 
demonstra ...)
+   TODO: check
+CVE-2022-0081
+   RESERVED
+CVE-2021-45984
+   RESERVED
+CVE-2021-45983
+   RESERVED
+CVE-2021-45982
+   RESERVED
+CVE-2021-45981
+   RESERVED
+CVE-2021-45980
+   RESERVED
+CVE-2021-45979
+   RESERVED
+CVE-2021-45978
+   RESERVED
+CVE-2021-45977
+   RESERVED
+CVE-2021-45976
+   RESERVED
+CVE-2021-45975
+   RESERVED
+CVE-2021-45974
+   RESERVED
+CVE-2021-45973
+   RESERVED
+CVE-2021-45972 (The giftrans function in giftrans 1.12.2 contains a 
stack-based buffer ...)
+   TODO: check
+CVE-2021-45971
+   RESERVED
+CVE-2021-45970
+   RESERVED
+CVE-2021-45969
+   RESERVED
+CVE-2021-45968
+   RESERVED
+CVE-2021-45967
+   RESERVED
+CVE-2021-45966
+   RESERVED
+CVE-2021-45965
+   RESERVED
+CVE-2021-45964
+   RESERVED
+CVE-2021-45963
+   RESERVED
+CVE-2021-45962
+   RESERVED
+CVE-2021-45961
+   RESERVED
 CVE-2022-0080
RESERVED
 CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or 
more) pla ...)
@@ -3728,8 +3780,8 @@ CVE-2021-44898
RESERVED
 CVE-2021-44897
RESERVED
-CVE-2021-44896
-   RESERVED
+CVE-2021-44896 (DMP Roadmap before 3.0.4 allows XSS. ...)
+   TODO: check
 CVE-2021-44895
RESERVED
 CVE-2021-44894
@@ -17961,7 +18013,7 @@ CVE-2021-40533
 CVE-2021-40532 (Telegram Web K Alpha before 0.7.2 mishandles the characters in 
a docum ...)
NOT-FOR-US: tweb
NOTE: https://github.com/morethanwords/tweb
-CVE-2021-40531 (An issue discovered in sketch before version 75,that allows 
for librar ...)
+CVE-2021-40531 (Sketch before 75 allows library feeds to be used to bypass 
file quaran ...)
NOT-FOR-US: Sketch collaborative design (Mac or Web app)
NOTE: sketch.com, not the sketch package in Debian.
 CVE-2021-40530 (The ElGamal implementation in Crypto++ through 8.5 allows 
plaintext re ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d91b87eca8af973cf64ab1887240509b25cd4fe2
