[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 45d8534d by Thorsten Alteholz at 2022-01-02T23:42:52+01:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -49,6 +49,7 @@ gpac (Roberto C. Sánchez) NOTE: 20211228: Returning to active work on this now that llvm/rustc update is complete (roberto) -- libarchive (Thorsten Alteholz) + NOTE: 20220102: testing package -- libgit2 (Utkarsh) NOTE: 20211029: CVE-2018-10887/CVE-2018-10888/CVE-2018-15501 were fixed @@ -95,6 +96,7 @@ slurm-llnl (Sylvain Beucler) NOTE: 20211229: should also be checked. (bunk) -- sphinxsearch (Thorsten Alteholz) + NOTE: 20220103: waiting for Buster upload -- thunderbird (Emilio) NOTE: 20211122: blocked on toolchain backports (pochu) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45d8534dcaee8406eed40565a0cafd771db55eec -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45d8534dcaee8406eed40565a0cafd771db55eec You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
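Review bot: the sphinxsearch NOTE in the second hunk is dated 20220103, but the commit is timestamped 2022-01-02T23:42:52+01:00 and the libarchive NOTE added in the same commit uses 20220102; the other NOTE lines in dla-needed.txt are dated by the day they were written, so either use 20220102 here too or, if "waiting for Buster upload" was written against the expected upload day, make that explicit (e.g. `NOTE: 20220102: waiting for Buster upload, expected 20220103`).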
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-45943/gdal
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0b45bd90 by Salvatore Bonaccorso at 2022-01-02T22:37:41+01:00 Add CVE-2021-45943/gdal - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -135,7 +135,14 @@ CVE-2021-45944 (Ghostscript GhostPDL 9.50 through 9.53.3 has a use-after-free in NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/ghostscript/OSV-2021-237.yaml TODO: check, oss-fuzz "fixing commit" cannot be correct as it only removes a documentation snippet. CVE-2021-45943 (GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCIDSK::C ...) - TODO: check + [experimental] - gdal 3.4.1~rc1+dfsg-1~exp1 + - gdal + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41993 + NOTE: https://github.com/OSGeo/gdal/pull/4944 + NOTE: https://github.com/OSGeo/gdal/commit/93913a849dc1d217a40dbf9d6e6a3a23c42b61a6 (master) + NOTE: Backport to 3.4: https://github.com/OSGeo/gdal/pull/4947 + NOTE: https://github.com/OSGeo/gdal/commit/9b2bcbc47d1649adc0ab65b801f96f56156cf017 (v3.4.1RC1) + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/gdal/OSV-2021-1651.yaml CVE-2021-45942 (OpenEXR 3.1.0 through 3.1.3 has a heap-based buffer overflow in Imf_3_ ...) TODO: check CVE-2021-45941 (libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (8 bytes) in _ ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b45bd90f20e4cb39a3b313339ae42394d8df71b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b45bd90f20e4cb39a3b313339ae42394d8df71b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
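Review bot: the unfixed `- gdal` line added for unstable carries no Debian bug reference, unlike sibling entries on this page such as `- libredwg (bug #595191)` and `- qtsvg-opensource-src (bug #1002991)`; since only the experimental upload 3.4.1~rc1+dfsg-1~exp1 is tracked as fixed and the NOTE lines point at the 3.4 backport (pull 4947, v3.4.1RC1), a bug against gdal asking for that fix in unstable would make the open state actionable, and the fixed version should be filled in once 3.4.1 reaches unstable.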
[Git][security-tracker-team/security-tracker][master] Add initial tracking for CVE-2021-45931
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f2fdffa by Salvatore Bonaccorso at 2022-01-02T22:30:27+01:00 Add initial tracking for CVE-2021-45931 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -165,7 +165,11 @@ CVE-2021-45933 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow (8 bytes) CVE-2021-45932 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow (4 bytes) in Mqt ...) TODO: check CVE-2021-45931 (HarfBuzz 2.9.0 has an out-of-bounds write in hb_bit_set_invertible_t:: ...) - TODO: check + - harfbuzz + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37425 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/harfbuzz/OSV-2021-1159.yaml + NOTE: https://github.com/harfbuzz/harfbuzz/commit/d3e09bf4654fe5478b6dbf2b26ebab6271317d81 (2.9.1) + TODO: check correctness of commit, might not affect any Debian released version CVE-2021-45930 (Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1 has an out-o ...) - qtsvg-opensource-src (bug #1002991) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37025 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f2fdffa980bee3a3af43227d8197f59ad7f6a6c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f2fdffa980bee3a3af43227d8197f59ad7f6a6c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
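Review bot: `- harfbuzz` is tracked as unfixed in unstable with no version, while the cited fixing commit d3e09bf4654fe5478b6dbf2b26ebab6271317d81 is tagged (2.9.1); the remaining TODO covers commit correctness, but once that is confirmed the entry needs either the fixed version or, if as the TODO suspects no released Debian version is affected, the per-suite annotations used elsewhere in the file (e.g. `(Vulnerable code introduced later)` / `(Vulnerable code not present)`), otherwise the CVE stays open for every suite.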
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-45948/assimp
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 41e55805 by Salvatore Bonaccorso at 2022-01-02T22:07:36+01:00 Add CVE-2021-45948/assimp Note for reviewers: The CVE description and the "oss-fuzz" OSV-2021-775 reference seem wrong in marking the affected versions. There is a related upstream pull request covering various issues, including the https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34416 one which is fixed within https://github.com/assimp/assimp/commit/3664fe20c07fdbd4d72c5caf68375b056806ab08 and so included in v5.1.0 upstream. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list =
@@ -118,7 +118,11 @@ CVE-2021-45949 (Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7 CVE-2021-45948 (Open Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a heap-base ...) - TODO: check + - assimp 5.1.1~ds0-1 + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34416 + NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/assimp/OSV-2021-775.yaml + NOTE: https://github.com/assimp/assimp/pull/4146 + NOTE: https://github.com/assimp/assimp/commit/30f17aa2064b86c0096f0ec701b9e8ea9312fef2 (v5.1.0) CVE-2021-45947 (Wasm3 0.5.0 has an out-of-bounds write in Runtime_Release (called from ...) TODO: check CVE-2021-45946 (Wasm3 0.5.0 has an out-of-bounds write in CompileBlock (called from Co ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41e5580527b62af40ddfd2674dad9fc20b5529ed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41e5580527b62af40ddfd2674dad9fc20b5529ed You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
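Review bot: the fixing commit recorded in the hunk, 30f17aa2064b86c0096f0ec701b9e8ea9312fef2 (v5.1.0), is not the commit the commit message names as the fix for oss-fuzz issue 34416, 3664fe20c07fdbd4d72c5caf68375b056806ab08; if both are needed (pull 4146 covers several issues) add both as NOTE lines, otherwise correct one of the two so the entry and the commit history agree. The fixed version 5.1.1~ds0-1 also contradicts the CVE's own affected range (5.1.0 and 5.1.1), which is exactly the doubt the commit message raises, so a NOTE stating that the range is believed wrong would keep the entry self-explanatory.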
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-45950/libredwg
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c4443472 by Salvatore Bonaccorso at 2022-01-02T21:59:17+01:00 Add CVE-2021-45950/libredwg - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -112,7 +112,7 @@ CVE-2021-45951 (Dnsmasq 2.86 has a heap-based buffer overflow in check_bad_addre NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/dnsmasq/OSV-2021-924.yaml TODO: check, the introducing commit seems odd, and might be just related to when fuzzing started, and is same for other dnsmaq and oss-fuzz related reports. CVE-2021-45950 (LibreDWG 0.12.4.4313 through 0.12.4.4367 has an out-of-bounds write in ...) - TODO: check + - libredwg (bug #595191) CVE-2021-45949 (Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer overf ...) - ghostscript 9.55.0~dfsg-1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4443472156aa8eb67e0a7a067810eeb247e4f79 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4443472156aa8eb67e0a7a067810eeb247e4f79 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
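Review bot: the bug reference in `- libredwg (bug #595191)` is several hundred thousand numbers below the other Debian bug references in this batch (#1002991, #1002994, #1002995), so it is almost certainly a long-standing ITP/RFP rather than a bug about CVE-2021-45950; if libredwg is not in the archive, the entry should carry the tracker's `<itp>` marker next to the bug so the package is not reported as an unfixed vulnerability in unstable.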
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-0080/mruby
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 37a5e91f by Salvatore Bonaccorso at 2022-01-02T21:52:26+01:00 Add CVE-2022-0080/mruby - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -52,7 +52,9 @@ CVE-2021-45962 CVE-2021-45961 RESERVED CVE-2022-0080 (mruby is vulnerable to Heap-based Buffer Overflow ...) - TODO: check + - mruby + NOTE: https://huntr.dev/bounties/59a70392-4864-4ce3-8e35-6ac2111d1e2e/ + NOTE: https://github.com/mruby/mruby/commit/28ccc664e5dcd3f9d55173e9afde77c4705a9ab6 CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) pla ...) - expat (bug #1002994) [bullseye] - expat (Minor issue; can be fixed via point release) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37a5e91fe797d5c0d0b9fd31e4a0d25224cf014b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37a5e91fe797d5c0d0b9fd31e4a0d25224cf014b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
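Review bot: the fixing commit 28ccc664e5dcd3f9d55173e9afde77c4705a9ab6 in the last NOTE line has no release tag, unlike the other fix references added in this batch (e.g. `(v5.1.0)`, `(2.9.1)`), and `- mruby` has no fixed version; add the upstream version containing the commit, or a TODO if it is not yet released, so the unstable status can be resolved later without redoing the lookup.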
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-22293/dolibarr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 869669d1 by Salvatore Bonaccorso at 2022-01-02T21:37:08+01:00 Add CVE-2022-22293/dolibarr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2022-22293 (admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstra ...) - TODO: check + - dolibarr CVE-2022-0081 RESERVED CVE-2021-45984 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/869669d1e2a0a7a16b30da9d2f0a184eab8493ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/869669d1e2a0a7a16b30da9d2f0a184eab8493ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
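Review bot: `- dolibarr` replaces the TODO with no NOTE reference, no fixed version and no severity or suite annotation, which leaves this as the only entry in the batch with nothing for a later triager to go on; at minimum link the upstream report for the admin/limits.php HTML injection and record whether the version in Debian is affected and how the issue is rated.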
[Git][security-tracker-team/security-tracker][master] Track proposed update for bullseye-pu for php-laravel-framework
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e2f14e7 by Salvatore Bonaccorso at 2022-01-02T21:18:51+01:00 Track proposed update for bullseye-pu for php-laravel-framework - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -16,6 +16,10 @@ CVE-2021-23177 [bullseye] - libarchive 3.4.3-2+deb11u1 CVE-2021-31566 [bullseye] - libarchive 3.4.3-2+deb11u1 +CVE-2021-43808 + [bullseye] - php-laravel-framework 6.20.14+dfsg-2+deb11u1 +CVE-2021-43617 + [bullseye] - php-laravel-framework 6.20.14+dfsg-2+deb11u1 CVE-2021-32718 [bullseye] - rabbitmq-server 3.8.9-3+deb11u1 CVE-2021-32719 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e2f14e747091706eabed20e8a9afb19457f2a91 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e2f14e747091706eabed20e8a9afb19457f2a91 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
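Review bot: the two new bullseye-pu entries for php-laravel-framework should be mirrored by `[bullseye] ... (Can be fixed via point release)` annotations in data/CVE/list; CVE-2021-43617 has one (commit 4859af14 on this page), but nothing here shows CVE-2021-43808 carrying the same annotation, so check that it is marked no-dsa for bullseye as well, otherwise the tracker shows that CVE as open for stable with no explanation while a point update is already queued.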
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f87924b2 by security tracker role at 2022-01-02T20:10:27+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -51,8 +51,8 @@ CVE-2021-45962 RESERVED CVE-2021-45961 RESERVED -CVE-2022-0080 - RESERVED +CVE-2022-0080 (mruby is vulnerable to Heap-based Buffer Overflow ...) + TODO: check CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) pla ...) - expat (bug #1002994) [bullseye] - expat (Minor issue; can be fixed via point release) @@ -63,7 +63,7 @@ CVE-2022-0079 RESERVED CVE-2022-0078 RESERVED -CVE-2021-45959 ({fmt} 7.1.0 through 8.0.1 has a stack-based buffer overflow in fmt::v8 ...) +CVE-2021-45959 (** DISPUTED ** {fmt} 7.1.0 through 8.0.1 has a stack-based buffer over ...) - fmtlib (unimportant) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36110 NOTE: https://github.com/fmtlib/fmt/issues/2685 @@ -2963,6 +2963,7 @@ CVE-2021-4127 RESERVED CVE-2021-4126 RESERVED + {DSA-5034-1} - thunderbird 1:91.4.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-55/#CVE-2021-4126 CVE-2021-26264 @@ -4862,6 +4863,7 @@ CVE-2021-4049 (livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF) CVE-2021-44539 RESERVED CVE-2021-44538 (The olm_session_describe function in Matrix libolm before 3.2.7 is vul ...) + {DSA-5034-1} - element-web (bug #866502) - olm 3.2.8~dfsg-1 (bug #1001664) [buster] - olm (Vulnerable code introduced later) @@ -8504,7 +8506,7 @@ CVE-2021-43548 (Patient Information Center iX (PIC iX) Versions C.02 and C.03 re CVE-2021-43547 RESERVED CVE-2021-43546 (It was possible to recreate previous cursor spoofing attacks against u ...) - {DSA-5026-1 DLA-2863-1} + {DSA-5034-1 DSA-5026-1 DLA-2863-1} - firefox 95.0-1 - firefox-esr 91.4.0esr-1 - thunderbird 1:91.4.0-1 
@@ -8512,7 +8514,7 @@ CVE-2021-43546 (It was possible to recreate previous cursor spoofing attacks aga NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43546 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43546 CVE-2021-43545 (Using the Location API in a loop could have caused severe application ...) - {DSA-5026-1 DLA-2863-1} + {DSA-5034-1 DSA-5026-1 DLA-2863-1} - firefox 95.0-1 - firefox-esr 91.4.0esr-1 - thunderbird 1:91.4.0-1 @@ -8523,7 +8525,7 @@ CVE-2021-43544 (When receiving a URL through a SEND intent, Firefox would have s - firefox (Only affects Android) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43544 CVE-2021-43543 (Documents loaded with the CSP sandbox directive could have escaped the ...) - {DSA-5026-1 DLA-2863-1} + {DSA-5034-1 DSA-5026-1 DLA-2863-1} - firefox 95.0-1 - firefox-esr 91.4.0esr-1 - thunderbird 1:91.4.0-1 @@ -8531,7 +8533,7 @@ CVE-2021-43543 (Documents loaded with the CSP sandbox directive could have escap NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43543 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43543 CVE-2021-43542 (Using XMLHttpRequest, an attacker could have identified installed appl ...) - {DSA-5026-1 DLA-2863-1} + {DSA-5034-1 DSA-5026-1 DLA-2863-1} - firefox 95.0-1 - firefox-esr 91.4.0esr-1 - thunderbird 1:91.4.0-1 @@ -8539,7 +8541,7 @@ CVE-2021-43542 (Using XMLHttpRequest, an attacker could have identified installe NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-53/#CVE-2021-43542 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-54/#CVE-2021-43542 CVE-2021-43541 (When invoking protocol handlers for external protocols, a supplied par ...) - {DSA-5026-1 DLA-2863-1} + {DSA-5034-1 DSA-5026-1 DLA-2863-1} - firefox 95.0-1 - firefox-esr 91.4.0esr-1 - thunderbird 1:91.4.0-1 
@@ -8550,7 +8552,7 @@ CVE-2021-43540 (WebExtensions with the correct permissions were able to create a - firefox 95.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-52/#CVE-2021-43540 CVE-2021-43539 (Failure to correctly record the location of live pointers across wasm ...) - {DSA-5026-1 DLA-2863-1} + {DSA-5034-1 DSA-5026-1 DLA-2863-1} - firefox 95.0-1 - firefox-esr 91.4.0esr-1 - thunderbird 1:91.4.0-1 @@ -8558,7 +8560,7 @@ CVE-2021-43539 (Failure to correctly record the location of live pointers across NOTE: https://www.mozilla.org/en-US/security
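Review bot: the hunk for CVE-2021-44538 adds `{DSA-5034-1}` to an entry whose only source packages are element-web and olm, yet DSA-5034-1 is a thunderbird advisory (compare the CVE-2021-4126 hunk in the same update, which gains both `{DSA-5034-1}` and `- thunderbird 1:91.4.1-1`); unless a `- thunderbird` line with the fixed version is added to CVE-2021-44538 too, the DSA cross-reference points at a source package the entry does not list. Since this is the tooling-generated import of data/DSA/list, the fix belongs in a manual follow-up commit.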
[Git][security-tracker-team/security-tracker][master] thunderbird DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 60d46a28 by Moritz Mühlenhoff at 2022-01-02T17:52:13+01:00 thunderbird DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[02 Jan 2022] DSA-5034-1 thunderbird - security update + {CVE-2021-4126 CVE-2021-38496 CVE-2021-38500 CVE-2021-38502 CVE-2021-38503 CVE-2021-38504 CVE-2021-38506 CVE-2021-38507 CVE-2021-38508 CVE-2021-38509 CVE-2021-43528 CVE-2021-43529 CVE-2021-43534 CVE-2021-43535 CVE-2021-43536 CVE-2021-43537 CVE-2021-43538 CVE-2021-43539 CVE-2021-43541 CVE-2021-43542 CVE-2021-43543 CVE-2021-43545 CVE-2021-43546 CVE-2021-44538} + [buster] - thunderbird 1:91.4.1-1~deb10u1 + [bullseye] - thunderbird 1:91.4.1-1~deb11u1 [30 Dec 2021] DSA-5033-1 fort-validator - security update {CVE-2021-3907 CVE-2021-3909 CVE-2021-43173 CVE-2021-43114} [bullseye] - fort-validator 1.5.3-1~deb11u1 = data/dsa-needed.txt = @@ -47,9 +47,6 @@ ruby2.7/stable -- runc -- -thunderbird (jmm) - Rust toolchain updates needed --- trafficserver (jmm) wait until status for CVE-2021-38161 is clarified (upstream patch got reverted) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60d46a2872a118875bf1b0767b68e67d5af4aae5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60d46a2872a118875bf1b0767b68e67d5af4aae5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-43617
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 06342afe by Salvatore Bonaccorso at 2022-01-02T16:07:45+01:00 Add Debian bug reference for CVE-2021-43617 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8264,7 +8264,7 @@ CVE-2021-43618 (GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 ha NOTE: https://gmplib.org/list-archives/gmp-bugs/2021-September/005077.html NOTE: https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e CVE-2021-43617 (Laravel Framework through 8.70.2 does not sufficiently block the uploa ...) - - php-laravel-framework 6.20.14+dfsg-3 + - php-laravel-framework 6.20.14+dfsg-3 (bug #1002728) [bullseye] - php-laravel-framework (Can be fixed via point release) NOTE: https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b CVE-2021-3957 (kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/06342afe94034dd6d5274fc0812aa8f71bae3da2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/06342afe94034dd6d5274fc0812aa8f71bae3da2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
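Review bot: the only NOTE on CVE-2021-43617 is the medium.com write-up; now that a fixed Debian version (6.20.14+dfsg-3) and a bug (#1002728) are recorded, the upstream fix commit or release should be referenced as well, as the other entries in this batch do, so the bullseye no-dsa update queued in next-point-update.txt can be checked against the actual upstream change.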
[Git][security-tracker-team/security-tracker][master] 2 commits: Unify NFU naming for CVE-2021-43996 and CVE-2020-13909
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a9842f3a by Salvatore Bonaccorso at 2022-01-02T15:46:30+01:00 Unify NFU naming for CVE-2021-43996 and CVE-2020-13909 - - - - - 6c233686 by Salvatore Bonaccorso at 2022-01-02T15:48:19+01:00 Mark CVE-2021-23814 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6399,7 +6399,7 @@ CVE-2021-43998 (HashiCorp Vault and Vault Enterprise 0.11.0 up to 1.7.5 and 1.8. CVE-2021-43997 (Amazon FreeRTOS 10.2.0 through 10.4.5 on the ARMv7-M and ARMv8-M MPU p ...) NOT-FOR-US: Amazon FreeRTOS CVE-2021-43996 (The Ignition component before 1.16.15, and 2.0.x before 2.0.6, for Lar ...) - NOT-FOR-US: Laravel component + NOT-FOR-US: Laravel Ignition component CVE-2021-43995 RESERVED CVE-2021-43994 @@ -59507,7 +59507,7 @@ CVE-2021-23816 CVE-2021-23815 RESERVED CVE-2021-23814 (This affects the package unisharp/laravel-filemanager from 0.0.0. The ...) - TODO: check + NOT-FOR-US: Laravel Filemanager CVE-2021-23813 RESERVED CVE-2021-23812 
@@ -113461,7 +113461,7 @@ CVE-2020-13911 (Your Online Shop 1.8.0 allows authenticated users to trigger XSS CVE-2020-13910 (Pengutronix Barebox through v2020.05.0 has an out-of-bounds read in nf ...) NOT-FOR-US: Pengutronix Barebox CVE-2020-13909 (The Ignition component before 2.0.5 for Laravel mishandles globals, _g ...) - NOT-FOR-US: Laravel + NOT-FOR-US: Laravel Ignition component CVE-2020-13908 RESERVED CVE-2020-13907 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4859af149a1459fff2f45d01d53f8871d46930d6...6c233686b3555ca158daa709efb84f2f85be6266 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4859af149a1459fff2f45d01d53f8871d46930d6...6c233686b3555ca158daa709efb84f2f85be6266 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
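Review bot: the commit unifies the Ignition entries as `NOT-FOR-US: Laravel Ignition component`, but the new NFU for CVE-2021-23814 uses `Laravel Filemanager` while the CVE text names the package `unisharp/laravel-filemanager`; given the stated goal of consistent NFU naming, name the component as upstream does (e.g. `NOT-FOR-US: unisharp/laravel-filemanager`) so searches over NFU entries find all Laravel-ecosystem packages the same way.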
[Git][security-tracker-team/security-tracker][master] Mark CVE-2021-43617 as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4859af14 by Salvatore Bonaccorso at 2022-01-02T15:44:04+01:00 Mark CVE-2021-43617 as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8265,6 +8265,7 @@ CVE-2021-43618 (GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 ha NOTE: https://gmplib.org/repo/gmp-6.2/rev/561a9c25298e CVE-2021-43617 (Laravel Framework through 8.70.2 does not sufficiently block the uploa ...) - php-laravel-framework 6.20.14+dfsg-3 + [bullseye] - php-laravel-framework (Can be fixed via point release) NOTE: https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b CVE-2021-3957 (kimai2 is vulnerable to Cross-Site Request Forgery (CSRF) ...) NOT-FOR-US: kimai2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4859af149a1459fff2f45d01d53f8871d46930d6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4859af149a1459fff2f45d01d53f8871d46930d6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
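Review bot: the new no-dsa annotation covers only `[bullseye]`; the hunk shows no `[buster]` line, so if php-laravel-framework is also shipped in buster it needs either the same `(Can be fixed via point release)` annotation or a not-affected marker, otherwise the CVE remains listed as open for oldstable with no decision recorded.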
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for ruby3.0 issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7328bc5c by Salvatore Bonaccorso at 2022-01-02T15:19:41+01:00 Add Debian bug reference for ruby3.0 issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14939,7 +14939,7 @@ CVE-2021-41820 RESERVED CVE-2021-41819 (CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes i ...) {DLA-2853-1} - - ruby3.0 + - ruby3.0 (bug #1002995) - ruby2.7 2.7.5-1 - ruby2.5 - ruby2.3 @@ -14950,7 +14950,7 @@ CVE-2021-41818 RESERVED CVE-2021-41817 (Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regula ...) {DLA-2853-1} - - ruby3.0 + - ruby3.0 (bug #1002995) - ruby2.7 2.7.5-1 - ruby2.5 - ruby2.3 @@ -14962,7 +14962,7 @@ CVE-2021-41817 (Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS ( NOTE: https://github.com/ruby/date/commit/376c65942bd1d81803f14d37351737df60ec4664 (v3.2.2) CVE-2021-41816 [Buffer Overrun in CGI.escape_html] RESERVED - - ruby3.0 + - ruby3.0 (bug #1002995) - ruby2.7 2.7.5-1 - ruby2.5 (Vulnerable code introduced later) - ruby2.3 (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7328bc5ce40bb74940ab4f708976edda1e770f80 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7328bc5ce40bb74940ab4f708976edda1e770f80 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-45960/expat
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ad96e728 by Salvatore Bonaccorso at 2022-01-02T15:17:55+01:00 Add Debian bug reference for CVE-2021-45960/expat - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -54,7 +54,7 @@ CVE-2021-45961 CVE-2022-0080 RESERVED CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) pla ...) - - expat + - expat (bug #1002994) [bullseye] - expat (Minor issue; can be fixed via point release) [buster] - expat (Minor issue; can be fixed via point release) NOTE: https://github.com/libexpat/libexpat/issues/531 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad96e72804ad29884bd052fbb890e31757b3510c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad96e72804ad29884bd052fbb890e31757b3510c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update notes for CVE-2021-45959/fmtlib
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a1b4bd0b by Salvatore Bonaccorso at 2022-01-02T15:03:27+01:00 Update notes for CVE-2021-45959/fmtlib Pending REJECT from MITRE to clean up the CVE entry. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -64,10 +64,12 @@ CVE-2022-0079 CVE-2022-0078 RESERVED CVE-2021-45959 ({fmt} 7.1.0 through 8.0.1 has a stack-based buffer overflow in fmt::v8 ...) - - fmtlib + - fmtlib (unimportant) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36110 + NOTE: https://github.com/fmtlib/fmt/issues/2685 NOTE: Fixed by: https://github.com/fmtlib/fmt/commit/2038bf61831eb8faede0883965364a974d1350fe - TODO: check correctness, introducing commit in oss-fuzz report is related when fuzzing started + NOTE: The CVE is basically invalid, as the report was one of a series of false positives + NOTE: and the "upstream fix" is effectively a noop. CVE-2021-45958 (UltraJSON (aka ujson) 4.0.2 through 5.0.0 has a stack-based buffer ove ...) - ujson NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1b4bd0b76afefa7abf5b0211385ae0a22e651ac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1b4bd0b76afefa7abf5b0211385ae0a22e651ac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
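Review bot: the new NOTE lines record that the CVE is considered invalid, but the reason given in the commit message, a pending REJECT request to MITRE, is not in the entry; add it (e.g. `NOTE: REJECT requested from MITRE`) so the entry is self-explanatory without the git log and can be switched to REJECTED once MITRE acts. Dropping the TODO about the introducing commit is fine given the false-positive explanation now recorded.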
[Git][security-tracker-team/security-tracker][master] Track proposed rabbitmq-server update via bullseye-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: be76208d by Salvatore Bonaccorso at 2022-01-02T14:29:43+01:00 Track proposed rabbitmq-server update via bullseye-pu Note, the update does not seem complete, so followed up on the release.d.o bug (missing patch in debian/patches/series). Asked to include as well the fix for the third open CVE. - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -16,3 +16,7 @@ CVE-2021-23177 [bullseye] - libarchive 3.4.3-2+deb11u1 CVE-2021-31566 [bullseye] - libarchive 3.4.3-2+deb11u1 +CVE-2021-32718 + [bullseye] - rabbitmq-server 3.8.9-3+deb11u1 +CVE-2021-32719 + [bullseye] - rabbitmq-server 3.8.9-3+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be76208d5181d462c7010b8a0b15f143ba2f3eac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be76208d5181d462c7010b8a0b15f143ba2f3eac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
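Review bot: the commit message says the maintainer was asked to include the fix for a third open CVE, which from this page is CVE-2021-22116 (also `[bullseye] - rabbitmq-server (Minor issue)`, commit 51a0ee26), but only CVE-2021-32718 and CVE-2021-32719 are added to next-point-update.txt; add CVE-2021-22116 with the same 3.8.9-3+deb11u1 target once it is confirmed in the upload, or leave a TODO here so the request is not lost when the bullseye-pu is accepted.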
[Git][security-tracker-team/security-tracker][master] Drop rabbitmq-server from dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9a53fd0c by Salvatore Bonaccorso at 2022-01-02T14:28:31+01:00 Drop rabbitmq-server from dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -39,8 +39,6 @@ puppetdb (jmm) -- python-pysaml2 (jmm) -- -rabbitmq-server --- ruby2.5/oldstable Maintainer is preparing updates -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a53fd0c2e3fb5910932c77f100d88343a95c551 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a53fd0c2e3fb5910932c77f100d88343a95c551 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2021-22116/rabbitmq-server
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 51a0ee26 by Salvatore Bonaccorso at 2022-01-02T14:27:30+01:00 Update information for CVE-2021-22116/rabbitmq-server - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -63352,11 +63352,13 @@ CVE-2021-22117 (RabbitMQ installers on Windows prior to version 3.8.16 do not ha - rabbitmq-server (Windows-specific) CVE-2021-22116 (RabbitMQ all versions prior to 3.8.16 are prone to a denial of service ...) {DLA-2710-1} - - rabbitmq-server (bug #989056) + - rabbitmq-server 3.9.4-1 (bug #989056) [bullseye] - rabbitmq-server (Minor issue) [buster] - rabbitmq-server (Minor issue) NOTE: https://tanzu.vmware.com/security/cve-2021-22116 NOTE: https://github.com/rabbitmq/rabbitmq-server/pull/2953 + NOTE: Fixed by: https://github.com/rabbitmq/rabbitmq-server/commit/f37a31de55229e6c763215500e376fa16803390b (v3.9.0-beta.1) + NOTE: Fixed by: https://github.com/rabbitmq/rabbitmq-server/commit/626d5219115d087a2695c0eb243c7ddb7e154563 (v3.8.15-rc.2) CVE-2021-22115 (Cloud Controller API versions prior to 1.106.0 logs service broker cre ...) NOT-FOR-US: Cloud Controller API CVE-2021-22114 (Addresses partial fix in CVE-2018-1263. Spring-integration-zip, versio ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51a0ee2601ce94e1a28b01006781249722820656 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51a0ee2601ce94e1a28b01006781249722820656 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
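Review bot: the second `Fixed by:` commit 626d5219115d087a2695c0eb243c7ddb7e154563 is tagged (v3.8.15-rc.2), yet the CVE text says all versions prior to 3.8.16 are affected; either the upstream fix shipped in 3.8.15 and the CVE range is off by one release, or the tag is wrong, so a short NOTE explaining the discrepancy would save the next reader the same check. The unstable fixed version 3.9.4-1 is consistent with the v3.9.0-beta.1 commit.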
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2021-3271{8,9}/rabbitmq-server
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e741c2e by Salvatore Bonaccorso at 2022-01-02T14:19:05+01:00 Update information for CVE-2021-3271{8,9}/rabbitmq-server - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -36949,19 +36949,24 @@ CVE-2021-32721 (PowerMux is a drop-in replacement for Go's http.ServeMux. In Pow CVE-2021-32720 (Sylius is an Open Source eCommerce platform on top of Symfony. In vers ...) NOT-FOR-US: Sylius CVE-2021-32719 (RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prio ...) - - rabbitmq-server (bug #990524) + - rabbitmq-server 3.9.4-1 (bug #990524) [bullseye] - rabbitmq-server (Minor issue) [buster] - rabbitmq-server (Minor issue) [stretch] - rabbitmq-server (Vulnerable code not present) NOTE: https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-5452-hxj4-773x NOTE: https://github.com/rabbitmq/rabbitmq-server/pull/3122 + NOTE: Fixed by: https://github.com/rabbitmq/rabbitmq-server/commit/f01f0f2d840b98128cdb7ff966d8234b06ef7c75 (master) + NOTE: Fixed by: https://github.com/rabbitmq/rabbitmq-server/commit/51df93b45fb05f935456f09b88e7554e0b36317f (v3.9.0-beta.1) + NOTE: Fixed by: https://github.com/rabbitmq/rabbitmq-server/commit/08beb82e9ab8923ded88ece2800cd80971e2bd05 (v3.8.18) CVE-2021-32718 (RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prio ...) - - rabbitmq-server (bug #990524) + - rabbitmq-server 3.9.4-1 (bug #990524) [bullseye] - rabbitmq-server (Minor issue) [buster] - rabbitmq-server (Minor issue) [stretch] - rabbitmq-server (Vulnerable code not present) NOTE: https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-c3hj-rg5h-2772 NOTE: https://github.com/rabbitmq/rabbitmq-server/pull/3028 + NOTE: Fixed by: https://github.com/rabbitmq/rabbitmq-server/commit/a8dffdf7de9793a76fc4685c89b968d8eddca4ca (v3.9.0-beta.1) + NOTE: Fixed by: https://github.com/rabbitmq/rabbitmq-server/commit/a7373585faeac0aaede5a9c245094d8022e81299 (v3.8.17-rc.1) CVE-2021-32717 (Shopware is an open source eCommerce platform. In versions prior to 6. ...) NOT-FOR-US: Shopware CVE-2021-32716 (Shopware is an open source eCommerce platform. In versions prior to 6. ...) 
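Review bot: for CVE-2021-32719 the first added Fixed by commit (f01f0f2d, labelled (master)) gives no release, unlike the v3.9.0-beta.1 and v3.8.18 references next to it; if it is the same change as 51df93b4 on the 3.9 line, say so or drop it, otherwise record the tag it first appeared in so a reader can tell which upstream release shipped the fix. The new fixed version 3.9.4-1 is consistent with both CVEs landing in v3.9.0-beta.1. The [buster] - rabbitmq-server (Minor issue) lines are unchanged, but now that backports to the 3.8 branch are recorded (v3.8.17-rc.1 for CVE-2021-32718, v3.8.18 for CVE-2021-32719) a NOTE on whether buster's package contains the affected code would make the Minor issue rating easier to audit, especially since stretch is marked Vulnerable code not present.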
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e741c2e44095af83f5722f61a7c42cb98a851f7
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-45930
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b56aaf5d by Salvatore Bonaccorso at 2022-01-02T14:10:59+01:00 Add Debian bug reference for CVE-2021-45930 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -159,7 +159,7 @@ CVE-2021-45932 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow (4 bytes) CVE-2021-45931 (HarfBuzz 2.9.0 has an out-of-bounds write in hb_bit_set_invertible_t:: ...) TODO: check CVE-2021-45930 (Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1 has an out-o ...) - - qtsvg-opensource-src + - qtsvg-opensource-src (bug #1002991) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37025 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37306 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qt/OSV-2021-1121.yaml View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b56aaf5d1e49c24adabb784d872dc1ae6a1fdae5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b56aaf5d1e49c24adabb784d872dc1ae6a1fdae5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
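Review bot: the bug reference is correctly placed on the source-package line, but the entry still has no fixed Debian version and no [bullseye]/[buster] annotation in the visible context; with the description giving an affected range of Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1, the stable suites need an explicit triage line once the severity is decided, otherwise the open entry stays listed as unfixed for every suite that ships the package.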
[Git][security-tracker-team/security-tracker][master] CVE-2021-45930: Add reference to QT bug (not public)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eda465a7 by Salvatore Bonaccorso at 2022-01-02T14:05:24+01:00 CVE-2021-45930: Add reference to QT bug (not public) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -163,6 +163,7 @@ CVE-2021-45930 (Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1 has an NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37025 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37306 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qt/OSV-2021-1121.yaml + NOTE: https://bugreports.qt.io/browse/QTBUG-96044 NOTE: https://github.com/qt/qtsvg/commit/36cfd9efb9b22b891adee9c48d30202289cfa620 (dev) NOTE: https://github.com/qt/qtsvg/commit/79bb9f51fa374106a612d17c9d98d35d807be670 (v6.2.2) NOTE: https://github.com/qt/qtsvg/commit/a3b753c2d077313fc9eb93af547051b956e383fc (v5.12.12) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eda465a750cc8040c255bea3f393e88dab12a01a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eda465a750cc8040c255bea3f393e88dab12a01a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
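Review bot: the commit message says the QTBUG-96044 report is not public, but the added NOTE line does not carry that information; record it inline, e.g. `NOTE: https://bugreports.qt.io/browse/QTBUG-96044 (not public)`, so readers do not chase a link that will not open for them and the reference is not mistaken for an accessible writeup. Placement between the OSV entry and the per-branch fix commits is fine.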
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-45972/giftrans
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: da8b6fde by Salvatore Bonaccorso at 2022-01-02T09:21:09+01:00 Add CVE-2021-45972/giftrans - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27,7 +27,8 @@ CVE-2021-45974 CVE-2021-45973 RESERVED CVE-2021-45972 (The giftrans function in giftrans 1.12.2 contains a stack-based buffer ...) - TODO: check + - giftrans (bug #1002739; unimportant) + NOTE: Negligible security impact; crash in CLI tool CVE-2021-45971 RESERVED CVE-2021-45970 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da8b6fde5e59dc8e3e14a431c74fdbadc2647da4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da8b6fde5e59dc8e3e14a431c74fdbadc2647da4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
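Review bot: the (unimportant) rating rests entirely on the new NOTE "Negligible security impact; crash in CLI tool"; giftrans processes whatever GIF it is pointed at, so state what the analysis found (an over-read that merely aborts versus a controllable stack write), or link the analysis in Debian bug #1002739, because a controllable stack-based buffer overflow in a tool fed untrusted input would usually merit at least a low rating rather than unimportant. The entry does replace the TODO: check left by the automatic import d91b87ec, so nothing is left dangling.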
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d91b87ec by security tracker role at 2022-01-02T08:10:10+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,55 @@ +CVE-2022-22293 (admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstra ...) + TODO: check +CVE-2022-0081 + RESERVED +CVE-2021-45984 + RESERVED +CVE-2021-45983 + RESERVED +CVE-2021-45982 + RESERVED +CVE-2021-45981 + RESERVED +CVE-2021-45980 + RESERVED +CVE-2021-45979 + RESERVED +CVE-2021-45978 + RESERVED +CVE-2021-45977 + RESERVED +CVE-2021-45976 + RESERVED +CVE-2021-45975 + RESERVED +CVE-2021-45974 + RESERVED +CVE-2021-45973 + RESERVED +CVE-2021-45972 (The giftrans function in giftrans 1.12.2 contains a stack-based buffer ...) + TODO: check +CVE-2021-45971 + RESERVED +CVE-2021-45970 + RESERVED +CVE-2021-45969 + RESERVED +CVE-2021-45968 + RESERVED +CVE-2021-45967 + RESERVED +CVE-2021-45966 + RESERVED +CVE-2021-45965 + RESERVED +CVE-2021-45964 + RESERVED +CVE-2021-45963 + RESERVED +CVE-2021-45962 + RESERVED +CVE-2021-45961 + RESERVED CVE-2022-0080 RESERVED CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) pla ...) @@ -3728,8 +3780,8 @@ CVE-2021-44898 RESERVED CVE-2021-44897 RESERVED -CVE-2021-44896 - RESERVED +CVE-2021-44896 (DMP Roadmap before 3.0.4 allows XSS. ...) + TODO: check CVE-2021-44895 RESERVED CVE-2021-44894 
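Review bot: three entries leave this import with TODO: check and need a maintainer to close them out: CVE-2022-22293 (Dolibarr HTML injection), CVE-2021-45972 (giftrans stack-based buffer overflow) and CVE-2021-44896 (DMP Roadmap XSS). The giftrans one is triaged in da8b6fde above; for the other two the first question is whether the software is in the archive at all, and if neither is packaged NOT-FOR-US is the annotation to use, with a NOTE carrying the upstream reference either way. The RESERVED block (CVE-2021-45961 through CVE-2021-45984, CVE-2022-0081) is routine.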
@@ -17961,7 +18013,7 @@ CVE-2021-40533 CVE-2021-40532 (Telegram Web K Alpha before 0.7.2 mishandles the characters in a docum ...) NOT-FOR-US: tweb NOTE: https://github.com/morethanwords/tweb -CVE-2021-40531 (An issue discovered in sketch before version 75,that allows for librar ...) +CVE-2021-40531 (Sketch before 75 allows library feeds to be used to bypass file quaran ...) NOT-FOR-US: Sketch collaborative design (Mac or Web app) NOTE: sketch.com, not the sketch package in Debian. CVE-2021-40530 (The ElGamal implementation in Crypto++ through 8.5 allows plaintext re ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d91b87eca8af973cf64ab1887240509b25cd4fe2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d91b87eca8af973cf64ab1887240509b25cd4fe2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
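Review bot: no action needed on the CVE-2021-40531 rewording: only the description text changes, and the existing NOT-FOR-US: Sketch line plus the NOTE distinguishing sketch.com from Debian's sketch package already keep the entry from being matched to the wrong source package. Keep that NOTE whenever the automatic updater regenerates the description, since the product name alone is ambiguous.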