[Git][security-tracker-team/security-tracker][master] Add some Apache NFUs

2022-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3a59e583 by Salvatore Bonaccorso at 2022-01-06T06:56:57+01:00
Add some Apache NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -28747,10 +28747,13 @@ CVE-2020-36419
RESERVED
 CVE-2021-36739
RESERVED
+   NOT-FOR-US: Apache Pluto MVCBean JSP portlet
 CVE-2021-36738
RESERVED
+   NOT-FOR-US: Apache Pluto Applicant MVCBean CDI portlet
 CVE-2021-36737
RESERVED
+   NOT-FOR-US: Apache Pluto UrlTestPortlet
 CVE-2021-36736
RESERVED
 CVE-2021-36735
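Review bot: CVE-2021-36736 sits between the three Apache Pluto entries marked here but is left as bare RESERVED; if it belongs to the same Pluto advisory batch it should get the same NOT-FOR-US line, and if it does not, a short NOTE saying why it differs would save the next triage pass from re-checking it. The three new NOT-FOR-US lines keep the RESERVED line above them, which matches how the rest of this file annotates reserved ids.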



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a59e583fe22197cc22f2c835a44502dc61de035

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a59e583fe22197cc22f2c835a44502dc61de035
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Reference followup needed for CVE-2021-42097 and CVE-2021-44227

2022-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c9166c95 by Salvatore Bonaccorso at 2022-01-06T06:52:18+01:00
Reference followup needed for CVE-2021-42097 and CVE-2021-44227

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7059,6 +7059,8 @@ CVE-2021-44227 (In GNU Mailman before 2.1.38, a list 
member or moderator can get
[stretch] - mailman  (Minor issue; can be fixed with the next 
DLA)
NOTE: https://bugs.launchpad.net/mailman/+bug/1952384
NOTE: Patch: https://launchpadlibrarian.net/570827498/patch.txt
+   NOTE: Regression: https://bugs.launchpad.net/mailman/+bug/1954694
+   NOTE: Regression fixed by: 
https://launchpadlibrarian.net/573872803/patch.txt
 CVE-2021-44226
RESERVED
 CVE-2021-4023
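Review bot: the regression and its fix are recorded as NOTE lines only, so nothing in the entry makes the follow-up that the subject line asks for actionable. The [stretch] line still says "can be fixed with the next DLA", so a TODO pointing at bug 1954694 would make sure the DLA ships 573872803/patch.txt together with the original fix, and a NOTE naming the upstream release that contains the regression fix belongs here once one exists. The "NOTE: Regression fixed by:" line is wrapped by the mail client in this rendering; in the file it must stay on one line for the tracker's parser.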
@@ -15600,6 +15602,8 @@ CVE-2021-42097 (GNU Mailman before 2.1.35 may allow 
remote Privilege Escalation.
NOTE: https://bugs.launchpad.net/mailman/+bug/1947640
NOTE: 
https://mail.python.org/archives/list/mailman-annou...@python.org/thread/IKCO6JU755AP5G5TKMBJL6IEZQTTNPDQ/
NOTE: https://www.openwall.com/lists/oss-security/2021/10/21/4
+   NOTE: Regression: https://bugs.launchpad.net/mailman/+bug/1954694
+   NOTE: Regression fixed by: 
https://launchpadlibrarian.net/573872803/patch.txt
 CVE-2021-42096 (GNU Mailman before 2.1.35 may allow remote Privilege 
Escalation. A cer ...)
{DSA-4991-1 DLA-2791-1}
- mailman 
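Review bot: same two NOTE lines as in the CVE-2021-44227 hunk above, but here the neighbouring CVE-2021-42096 entry shows this Mailman family was already shipped as DSA-4991-1 and DLA-2791-1, so the regression from bug 1954694 presumably affects packages users already have. If that is the case, a TODO on this entry is warranted rather than a NOTE alone, so that the regression fix is tracked to a DSA/DLA follow-up instead of being left as a reference.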



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c9166c95a9e685324aad13926c211e8d30932988



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-0080/mruby

2022-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fc3225cb by Salvatore Bonaccorso at 2022-01-06T06:35:33+01:00
Track fixed version for CVE-2022-0080/mruby

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1291,7 +1291,7 @@ CVE-2021-45962
 CVE-2021-45961
RESERVED
 CVE-2022-0080 (mruby is vulnerable to Heap-based Buffer Overflow ...)
-   - mruby 
+   - mruby 3.0.0-3
[bullseye] - mruby  (Minor issue)
[buster] - mruby  (Minor issue)
[stretch] - mruby  (Minor issue)
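Review bot: the old line and the three release lines show "- mruby " with nothing after the package name because this rendering strips the angle-bracket tokens (<unfixed>, <no-dsa>); the file itself must keep them, so check that the committed line reads "- mruby 3.0.0-3" and that the release lines still carry their no-dsa marker. With unstable fixed, the bullseye/buster/stretch "(Minor issue)" lines remain valid; the only thing missing compared with the CVE-2021-4110 entry on this page is a Debian bug reference, if one exists for this CVE.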



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc3225cb2400c85e0314a5836b6c1174ff370d78



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-4110/mruby

2022-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a77b36e6 by Salvatore Bonaccorso at 2022-01-06T06:33:27+01:00
Track fixed version for CVE-2021-4110/mruby

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4761,7 +4761,7 @@ CVE-2021-45042 (In HashiCorp Vault and Vault Enterprise 
before 1.7.7, 1.8.x befo
 CVE-2021-45041 (SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows 
authenticated SQL i ...)
NOT-FOR-US: SuiteCRM
 CVE-2021-4110 (mruby is vulnerable to NULL Pointer Dereference ...)
-   - mruby  (bug #1001768)
+   - mruby 3.0.0-2 (bug #1001768)
[bullseye] - mruby  (Minor issue)
[buster] - mruby  (Minor issue)
[stretch] - mruby  (revisit when/if fix is complete)
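Review bot: the stretch line still reads "revisit when/if fix is complete"; now that unstable records 3.0.0-2 as fixed, that annotation should be resolved in the same commit or turned into a TODO: either the upstream fix is complete and stretch can move to the same no-dsa "(Minor issue)" as bullseye and buster, or a NOTE should say what is still incomplete. A NOTE with the upstream commit that 3.0.0-2 carries would also let the fixed version be verified against bug #1001768.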



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a77b36e60a8b7347c633cdaf07c1891dc6df9689



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-39633/linux

2022-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
68ed42fc by Salvatore Bonaccorso at 2022-01-06T06:27:02+01:00
Add CVE-2021-39633/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21517,8 +21517,14 @@ CVE-2021-39634 [epoll: do not insert into poll queues 
until all sanity checks ar
[stretch] - linux 4.9.240-1
NOTE: https://source.android.com/security/bulletin/2022-01-01
NOTE: 
https://git.kernel.org/linus/f8d4f44df056c5b504b0d49683fb7279218fd207 (5.9-rc8)
-CVE-2021-39633
+CVE-2021-39633 [ip_gre: add validation for csum_start]
RESERVED
+   - linux 5.14.6-1
+   [bullseye] - linux 5.10.70-1
+   [buster] - linux 4.19.208-1
+   [stretch] - linux 4.9.290-1
+   NOTE: https://source.android.com/security/bulletin/2022-01-01
+   NOTE: 
https://git.kernel.org/linus/1d011c4803c72f3907eccfc1ec63caefb852fcbf (5.14)
 CVE-2021-39632
RESERVED
 CVE-2021-39631
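Review bot: the only upstream reference is the mainline commit 1d011c48 tagged (5.14), while bullseye, buster and stretch get fixed versions 5.10.70-1, 4.19.208-1 and 4.9.290-1, which imply the csum_start validation reached the 5.10, 4.19 and 4.9 stable series; that is not recorded anywhere in the entry. Add the stable backport references, or a NOTE stating which stable releases carry the fix, so the per-release versions can be audited later. The Android bulletin link duplicates the one on the CVE-2021-39634 entry above, which is fine since both ids come from the same bulletin.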



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68ed42fc03c5a2bdd89f304f18e7a4cb819154b4



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-39634/linux

2022-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b3f732d4 by Salvatore Bonaccorso at 2022-01-06T06:19:59+01:00
Add CVE-2021-39634/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21510,8 +21510,13 @@ CVE-2021-39636 (In do_ipt_get_ctl and do_ipt_set_ctl 
of ip_tables.c, there is a
NOTE: https://source.android.com/security/bulletin/pixel/2021-12-01
 CVE-2021-39635
RESERVED
-CVE-2021-39634
+CVE-2021-39634 [epoll: do not insert into poll queues until all sanity checks 
are done]
RESERVED
+   - linux 5.8.14-1
+   [buster] - linux 4.19.152-1
+   [stretch] - linux 4.9.240-1
+   NOTE: https://source.android.com/security/bulletin/2022-01-01
+   NOTE: 
https://git.kernel.org/linus/f8d4f44df056c5b504b0d49683fb7279218fd207 (5.9-rc8)
 CVE-2021-39633
RESERVED
 CVE-2021-39632
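Review bot: no [bullseye] line is given, which is correct for the tracker's version comparison: the unstable fixed version 5.8.14-1 predates every bullseye kernel (5.10.x), so bullseye is reported as fixed via the unstable line, unlike the CVE-2021-39633 entry on this page where 5.14.6-1 needs an explicit bullseye version. The buster and stretch versions 4.19.152-1 and 4.9.240-1 are consistent with a fix that landed before 5.9 final and was backported to the 4.19 and 4.9 stable series; as for CVE-2021-39633, a reference to those backports would make the versions auditable. Keeping RESERVED under the bracketed description matches the file's convention for ids MITRE has not yet published.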



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3f732d47ebf7436eeda4cac2eddb204ef2bfad3



[Git][security-tracker-team/security-tracker][master] CVE-2021-46144/roundcube assigned

2022-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d7ec6d89 by Salvatore Bonaccorso at 2022-01-06T06:08:43+01:00
CVE-2021-46144/roundcube assigned

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1227,7 +1227,7 @@ CVE-2021-4197 [cgroup: Use open-time creds and namespace 
for migration perm chec
- linux 
NOTE: 
https://lore.kernel.org/lkml/20211209214707.805617-1...@kernel.org/T/
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2035652
-CVE-2021- [XSS vulnerability via HTML messages with malicious CSS content]
+CVE-2021-46144 [XSS vulnerability via HTML messages with malicious CSS content]
- roundcube  (bug #1003027)
NOTE: 
https://github.com/roundcube/roundcubemail/commit/8894fddd59b770399eed4ef8d4da5773913b5bf0
 (1.5.2)
NOTE: 
https://github.com/roundcube/roundcubemail/commit/b2400a4b592e3094b6c84e6000d512f99ae0eed8
 (1.4.13)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7ec6d89f42bc96e086550509ec3cefc62288fac



[Git][security-tracker-team/security-tracker][master] Process one NFU

2022-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eedcfe76 by Salvatore Bonaccorso at 2022-01-05T22:27:44+01:00
Process one NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -64828,7 +64828,7 @@ CVE-2021-22047 (In Spring Data REST versions 3.4.0 - 
3.4.13, 3.5.0 - 3.5.5, and
 CVE-2021-22046
RESERVED
 CVE-2021-22045 (VMware ESXi (7.0, 6.7 before ESXi670-20201-SG and 6.5 
before ESXi6 ...)
-   TODO: check
+   NOT-FOR-US: VMware
 CVE-2021-22044 (In Spring Cloud OpenFeign 3.0.0 to 3.0.4, 2.2.0.RELEASE to 
2.2.9.RELEA ...)
NOT-FOR-US: Spring Cloud OpenFeign
 CVE-2021-22043



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eedcfe763ab60053321de5af5c62d1bd6f9aae94



[Git][security-tracker-team/security-tracker][master] Add new chromium issues

2022-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e703633c by Salvatore Bonaccorso at 2022-01-05T22:09:45+01:00
Add new chromium issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -323,55 +323,79 @@ CVE-2022-22528
 CVE-2022-22527
RESERVED
 CVE-2022-0120
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0119
RESERVED
 CVE-2022-0118
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0117
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0116
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0115
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0114
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0113
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0112
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0111
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0110
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0109
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0108
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0107
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0106
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0105
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0104
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0103
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0102
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0101
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0100
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0099
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0098
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0097
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0096
-   RESERVED
+   - chromium 
+   [stretch] - chromium  (see DSA 4562)
 CVE-2022-0095
RESERVED
 CVE-2022-0094
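Review bot: CVE-2022-0119 is the one id in the 0096..0120 range left as RESERVED while every neighbour becomes a chromium entry; if that is deliberate (not part of the upstream release), a NOTE saying so would stop it being re-triaged, and if it is an oversight it needs the same two lines. The batch also drops the RESERVED line and adds no description or upstream reference; one NOTE per entry with the Chrome stable-channel release post that announced these ids, as the kernel entries on this page do for their bulletin, would make the batch auditable. The blank after "- chromium" and before "(see DSA 4562)" is where this rendering stripped the angle-bracket markers; that is a mail artifact, not a problem in the file, but worth confirming the committed lines carry them.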



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e703633cb2f10d1c44c8c6dc87b4e3f8ef233f6d



[Git][security-tracker-team/security-tracker] Deleted branch update_lts_file

2022-01-05 Thread Anton Gladky (@gladk)


Anton Gladky deleted branch update_lts_file at Debian Security Tracker / 
security-tracker



[Git][security-tracker-team/security-tracker][master] 2 commits: Update LTS FD-file for 2022

2022-01-05 Thread Jeremiah C. Foster (@jeremiah)


Jeremiah C. Foster pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b9650df6 by Anton Gladky at 2022-01-05T21:08:27+00:00
Update LTS FD-file for 2022

- - - - -
37e0e912 by Jeremiah C. Foster at 2022-01-05T21:08:27+00:00
Merge branch 'update_lts_file' into 'master'

Update LTS FD-file for 2022

See merge request security-tracker-team/security-tracker!98
- - - - -


1 changed file:

- org/lts-frontdesk.2022.txt


Changes:

=
org/lts-frontdesk.2022.txt
=
@@ -15,51 +15,51 @@ From 03-01 to 09-01:Chris Lamb 
 From 10-01 to 16-01:Sylvain Beucler 
 From 17-01 to 23-01:Thorsten Alteholz 
 From 24-01 to 30-01:Utkarsh Gupta 
-From 31-01 to 06-02:Chris Lamb 
-From 07-02 to 13-02:Chris Lamb 
-From 14-02 to 20-02:Emilio Pozuelo Monfort 
-From 21-02 to 27-02:Markus Koschany 
-From 28-02 to 06-03:Sylvain Beucler 
-From 07-03 to 13-03:Thorsten Alteholz 
-From 14-03 to 20-03:Utkarsh Gupta 
-From 21-03 to 27-03:Chris Lamb 
-From 28-03 to 03-04:Emilio Pozuelo Monfort 
-From 04-04 to 10-04:Markus Koschany 
-From 11-04 to 17-04:Sylvain Beucler 
-From 18-04 to 24-04:Thorsten Alteholz 
-From 25-04 to 01-05:Utkarsh Gupta 
-From 02-05 to 08-05:Chris Lamb 
-From 09-05 to 15-05:Emilio Pozuelo Monfort 
-From 16-05 to 22-05:Markus Koschany 
+From 31-01 to 06-02:Sylvain Beucler 
+From 07-02 to 13-02:Thorsten Alteholz 
+From 14-02 to 20-02:Utkarsh Gupta 
+From 21-02 to 27-02:Anton Gladky 
+From 28-02 to 06-03:Chris Lamb 
+From 07-03 to 13-03:Emilio Pozuelo Monfort 
+From 14-03 to 20-03:Markus Koschany 
+From 21-03 to 27-03:Ola Lundqvist 
+From 28-03 to 03-04:Sylvain Beucler 
+From 04-04 to 10-04:Thorsten Alteholz 
+From 11-04 to 17-04:Utkarsh Gupta 
+From 18-04 to 24-04:Anton Gladky 
+From 25-04 to 01-05:Chris Lamb 
+From 02-05 to 08-05:Emilio Pozuelo Monfort 
+From 09-05 to 15-05:Markus Koschany 
+From 16-05 to 22-05:Ola Lundqvist 
 From 23-05 to 29-05:Sylvain Beucler 
 From 30-05 to 05-06:Thorsten Alteholz 
 From 06-06 to 12-06:Utkarsh Gupta 
-From 13-06 to 19-06:Chris Lamb 
-From 20-06 to 26-06:Emilio Pozuelo Monfort 
-From 27-06 to 03-07:Markus Koschany 
-From 04-07 to 10-07:Sylvain Beucler 
-From 11-07 to 17-07:Thorsten Alteholz 
-From 18-07 to 24-07:Utkarsh Gupta 
-From 25-07 to 31-07:Chris Lamb 
-From 01-08 to 07-08:Emilio Pozuelo Monfort 
-From 08-08 to 14-08:Markus Koschany 
-From 15-08 to 21-08:Sylvain Beucler 
-From 22-08 to 28-08:Thorsten Alteholz 
-From 29-08 to 04-09:Utkarsh Gupta 
-From 05-09 to 11-09:Chris Lamb 
-From 12-09 to 18-09:Emilio Pozuelo Monfort 
-From 19-09 to 25-09:Markus Koschany 
-From 26-09 to 02-10:Sylvain Beucler 
-From 03-10 to 09-10:Thorsten Alteholz 
-From 10-10 to 16-10:Utkarsh Gupta 
-From 17-10 to 23-10:Chris Lamb 
-From 24-10 to 30-10:Emilio Pozuelo Monfort 
-From 31-10 to 06-11:Markus Koschany 
-From 07-11 to 13-11:Sylvain Beucler 
-From 14-11 to 20-11:Thorsten Alteholz 
-From 21-11 to 27-11:Utkarsh Gupta 
-From 28-11 to 04-12:Chris Lamb 
-From 05-12 to 11-12:Emilio Pozuelo Monfort 
-From 12-12 to 18-12:Markus Koschany 
-From 19-12 to 25-12:Sylvain Beucler 
-From 26-12 to 01-01:Thorsten Alteholz 
+From 13-06 to 19-06:Anton Gladky 
+From 20-06 to 26-06:Chris Lamb 
+From 27-06 to 03-07:Emilio Pozuelo Monfort 
+From 04-07 to 10-07:
+From 11-07 to 17-07:
+From 18-07 to 24-07:
+From 25-07 to 31-07:
+From 01-08 to 07-08:
+From 08-08 to 14-08:
+From 15-08 to 21-08:
+From 22-08 to 28-08:
+From 29-08 to 04-09:
+From 05-09 to 11-09:
+From 12-09 to 18-09:
+From 19-09 to 25-09:
+From 26-09 to 02-10:
+From 03-10 to 09-10:
+From 10-10 to 16-10:
+From 17-10 to 23-10:
+From 24-10 to 30-10:
+From 31-10 to 06-11:
+From 07-11 to 13-11:
+From 14-11 to 20-11:
+From 21-11 to 27-11:
+From 28-11 to 04-12:
+From 05-12 to 11-12:
+From 12-12 to 18-12:
+From 19-12 to 25-12:
+From 26-12 to 01-01:
\ No newline at end of file
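Review bot: the rewritten file ends without a trailing newline ("\ No newline at end of file"), which the previous version had since the marker does not follow the removed lines; add one, otherwise the next edit produces a noisy diff on the last row. From 04-07 onwards the "From ... to ...:" rows are left blank, presumably because the second half-year is not yet planned, but the file gives no hint whether those weeks are unassigned or simply unpublished; a one-line comment above the block would help. The new rotation adds Anton Gladky and Ola Lundqvist, while the 23-05 to 12-06 rows keep their old assignments, so the cycle is not uniform across that break.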



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4e7912d92cc7c21e311ab276a52865caeac18317...37e0e912a8e29701fb574b3a6c31c5c5d7d624a3



[Git][security-tracker-team/security-tracker][update_lts_file] Let January be planned as before

2022-01-05 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch update_lts_file at Debian Security Tracker / 
security-tracker


Commits:
4dcff214 by Anton Gladky at 2022-01-05T21:53:49+01:00
Let January be planned as before

- - - - -


1 changed file:

- org/lts-frontdesk.2022.txt


Changes:

=
org/lts-frontdesk.2022.txt
=
@@ -12,9 +12,9 @@ Who is in charge ?
 --
 
 From 03-01 to 09-01:Chris Lamb 
-From 10-01 to 16-01:Emilio Pozuelo Monfort 
-From 17-01 to 23-01:Markus Koschany 
-From 24-01 to 30-01:Ola Lundqvist 
+From 10-01 to 16-01:Sylvain Beucler 
+From 17-01 to 23-01:Thorsten Alteholz 
+From 24-01 to 30-01:Utkarsh Gupta 
 From 31-01 to 06-02:Sylvain Beucler 
 From 07-02 to 13-02:Thorsten Alteholz 
 From 14-02 to 20-02:Utkarsh Gupta 
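Review bot: restoring 10-01 to 30-01 to Sylvain Beucler, Thorsten Alteholz and Utkarsh Gupta means those same three people immediately follow on 31-01, 07-02 and 14-02 (visible in the context lines), so each takes two front-desk weeks out of six while Emilio Pozuelo Monfort, Markus Koschany and Ola Lundqvist, who are removed from January here, take none in that window. If that is not intended, rotate the February rows as well. The restored rows do match the context the merged version on this page shows, so branch and master agree on January.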



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4dcff214288178821455e463058d1def535fc04d



[Git][security-tracker-team/security-tracker][master] Fix typo in NFU product naming

2022-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4e7912d9 by Salvatore Bonaccorso at 2022-01-05T21:35:36+01:00
Fix typo in NFU product naming

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -65144,41 +65144,41 @@ CVE-2021-21897 (A code execution vulnerability exists 
in the DL_Dxf::handleLWPol
 CVE-2021-21896 (A directory traversal vulnerability exists in the Web Manager 
FsBrowse ...)
NOT-FOR-US: Lantronix PremierWave
 CVE-2021-21895 (A directory traversal vulnerability exists in the Web Manager 
FsTFtp f ...)
-   NOT-FOR-US: antronix PremierWave
+   NOT-FOR-US: Lantronix PremierWave
 CVE-2021-21894 (A directory traversal vulnerability exists in the Web Manager 
FsTFtp f ...)
-   NOT-FOR-US: antronix PremierWave
+   NOT-FOR-US: Lantronix PremierWave
 CVE-2021-21893 (A use-after-free vulnerability exists in the JavaScript engine 
of Foxi ...)
NOT-FOR-US: Foxit
 CVE-2021-21892 (A stack-based buffer overflow vulnerability exists in the Web 
Manager  ...)
-   NOT-FOR-US: antronix PremierWave
+   NOT-FOR-US: Lantronix PremierWave
 CVE-2021-21891 (A stack-based buffer overflow vulnerability exists in the Web 
Manager  ...)
-   NOT-FOR-US: antronix PremierWave
+   NOT-FOR-US: Lantronix PremierWave
 CVE-2021-21890 (A stack-based buffer overflow vulnerability exists in the Web 
Manager  ...)
-   NOT-FOR-US: antronix PremierWave
+   NOT-FOR-US: Lantronix PremierWave
 CVE-2021-21889 (A stack-based buffer overflow vulnerability exists in the Web 
Manager  ...)
-   NOT-FOR-US: antronix PremierWave
+   NOT-FOR-US: Lantronix PremierWave
 CVE-2021-21888 (An OS command injection vulnerability exists in the Web 
Manager SslGen ...)
-   NOT-FOR-US: antronix PremierWave
+   NOT-FOR-US: Lantronix PremierWave
 CVE-2021-21887 (A stack-based buffer overflow vulnerability exists in the Web 
Manager  ...)
-   NOT-FOR-US: antronix PremierWave
+   NOT-FOR-US: Lantronix PremierWave
 CVE-2021-21886 (A directory traversal vulnerability exists in the Web Manager 
FSBrowse ...)
-   NOT-FOR-US: antronix PremierWave
+   NOT-FOR-US: Lantronix PremierWave
 CVE-2021-21885 (A directory traversal vulnerability exists in the Web Manager 
FsMove f ...)
-   NOT-FOR-US: antronix PremierWave
+   NOT-FOR-US: Lantronix PremierWave
 CVE-2021-21884 (An OS command injection vulnerability exists in the Web 
Manager SslGen ...)
-   NOT-FOR-US: antronix PremierWave
+   NOT-FOR-US: Lantronix PremierWave
 CVE-2021-21883 (An OS command injection vulnerability exists in the Web 
Manager Diagno ...)
-   NOT-FOR-US: antronix PremierWave
+   NOT-FOR-US: Lantronix PremierWave
 CVE-2021-21882 (An OS command injection vulnerability exists in the Web 
Manager FsUnmo ...)
-   NOT-FOR-US: antronix PremierWave
+   NOT-FOR-US: Lantronix PremierWave
 CVE-2021-21881 (An OS command injection vulnerability exists in the Web 
Manager Wirele ...)
-   NOT-FOR-US: antronix PremierWave
+   NOT-FOR-US: Lantronix PremierWave
 CVE-2021-21880 (A directory traversal vulnerability exists in the Web Manager 
FsCopyFi ...)
-   NOT-FOR-US: antronix PremierWave
+   NOT-FOR-US: Lantronix PremierWave
 CVE-2021-21879 (A directory traversal vulnerability exists in the Web Manager 
File Upl ...)
-   NOT-FOR-US: antronix PremierWave
+   NOT-FOR-US: Lantronix PremierWave
 CVE-2021-21878 (A local file inclusion vulnerability exists in the Web Manager 
Applica ...)
-   NOT-FOR-US: antronix PremierWave
+   NOT-FOR-US: Lantronix PremierWave
 CVE-2021-21877 (Specially-crafted HTTP requests can lead to arbitrary command 
executio ...)
NOT-FOR-US: Lantronix
 CVE-2021-21876 (Specially-crafted HTTP requests can lead to arbitrary command 
executio ...)
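Review bot: the CVE-2021-21877 and CVE-2021-21876 context lines use the bare vendor "NOT-FOR-US: Lantronix" while the 17 corrected lines use "Lantronix PremierWave"; both are valid, but the product name is the more useful one for later searches, so the bare ones could be aligned when next touched. The "antronix" to "Lantronix" correction itself is complete for every entry in the hunk.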



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e7912d92cc7c21e311ab276a52865caeac18317



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6c0578eb by Salvatore Bonaccorso at 2022-01-05T21:34:41+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -65180,17 +65180,17 @@ CVE-2021-21879 (A directory traversal vulnerability 
exists in the Web Manager Fi
 CVE-2021-21878 (A local file inclusion vulnerability exists in the Web Manager 
Applica ...)
NOT-FOR-US: antronix PremierWave
 CVE-2021-21877 (Specially-crafted HTTP requests can lead to arbitrary command 
executio ...)
-   TODO: check
+   NOT-FOR-US: Lantronix
 CVE-2021-21876 (Specially-crafted HTTP requests can lead to arbitrary command 
executio ...)
-   TODO: check
+   NOT-FOR-US: Lantronix
 CVE-2021-21875 (A specially-crafted HTTP request can lead to arbitrary command 
executi ...)
-   TODO: check
+   NOT-FOR-US: Lantronix
 CVE-2021-21874 (A specially-crafted HTTP request can lead to arbitrary command 
executi ...)
-   TODO: check
+   NOT-FOR-US: Lantronix
 CVE-2021-21873 (A specially-crafted HTTP request can lead to arbitrary command 
executi ...)
-   TODO: check
+   NOT-FOR-US: Lantronix
 CVE-2021-21872 (An OS command injection vulnerability exists in the Web 
Manager Diagno ...)
-   TODO: check
+   NOT-FOR-US: Lantronix
 CVE-2021-21871 (A memory corruption vulnerability exists in the DMG File 
Format Handle ...)
NOT-FOR-US: PowerISO
 CVE-2021-21870 (A use-after-free vulnerability exists in the JavaScript engine 
of Foxi ...)
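Review bot: the unchanged context line for CVE-2021-21878 still reads "NOT-FOR-US: antronix PremierWave", the same vendor typo that runs through the block above it; the six new lines spell "Lantronix" correctly, and commit 4e7912d9 on this page fixes the older ones, so nothing more is needed here beyond keeping the spelling consistent in future batches.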
@@ -71295,9 +71295,9 @@ CVE-2021-20150 (Trendnet AC2600 TEW-827DRU version 
2.08B01 improperly discloses
 CVE-2021-20149 (Trendnet AC2600 TEW-827DRU version 2.08B01 does not have 
sufficient ac ...)
NOT-FOR-US: Trendnet
 CVE-2021-20148 (ManageEngine ADSelfService Plus below build 6116 stores the 
password p ...)
-   TODO: check
+   NOT-FOR-US: ManageEngine
 CVE-2021-20147 (ManageEngine ADSelfService Plus below build 6116 contains an 
observabl ...)
-   TODO: check
+   NOT-FOR-US: ManageEngine
 CVE-2021-20146 (An unprotected ssh private key exists on the Gryphon devices 
which cou ...)
NOT-FOR-US: Gryphon Tower routers
 CVE-2021-20145 (Gryphon Tower routers contain an unprotected openvpn 
configuration fil ...)
@@ -71323,11 +71323,11 @@ CVE-2021-20136 (ManageEngine Log360 Builds < 5235 
are affected by an improper
 CVE-2021-20135 (Nessus versions 8.15.2 and earlier were found to contain a 
local privi ...)
NOT-FOR-US: Nessus
 CVE-2021-20134 (Quagga Services on D-Link DIR-2640 less than or equal to 
version 1.11B ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2021-20133 (Quagga Services on D-Link DIR-2640 less than or equal to 
version 1.11B ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2021-20132 (Quagga Services on D-Link DIR-2640 less than or equal to 
version 1.11B ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2021-20131 (ManageEngine ADManager Plus Build 7111 contains a 
post-authentication  ...)
NOT-FOR-US: ManageEngine ADManager Plus
 CVE-2021-20130 (ManageEngine ADManager Plus Build 7111 contains a 
post-authentication  ...)
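Review bot: CVE-2021-20132..20134 are described as issues in "Quagga Services on D-Link DIR-2640", and NOT-FOR-US: D-Link records the judgment that the problem is in the vendor firmware rather than in Quagga itself. Because quagga was a Debian source package (still shipped in buster), that judgment is worth a one-line NOTE saying the flaw is in D-Link's integration and not in quagga, so a later reader searching for Quagga does not reopen the triage.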



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c0578eba8232fee4f238869043d68e796135ace



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-43779/glpi

2022-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f6aefb94 by Salvatore Bonaccorso at 2022-01-05T21:23:32+01:00
Add CVE-2021-43779/glpi

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8394,7 +8394,9 @@ CVE-2021-43781 (Invenio-Drafts-Resources is a 
submission/deposit module for Inve
 CVE-2021-43780 (Redash is a package for data visualization and sharing. In 
versions 10 ...)
NOT-FOR-US: Redash
 CVE-2021-43779 (GLPI is an open source IT Asset Management, issue tracking 
system and  ...)
-   TODO: check
+   - glpi  (unimportant)
+   NOTE: 
https://github.com/pluginsGLPI/addressing/security/advisories/GHSA-q5fp-xpr8-77jh
+   NOTE: Only supported behind an authenticated HTTP zone
 CVE-2021-43778 (Barcode is a GLPI plugin for printing barcodes and QR codes. 
GLPI inst ...)
NOT-FOR-US: GLPI plugin
 CVE-2021-43777 (Redash is a package for data visualization and sharing. In 
Redash vers ...)
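Review bot: the reference is a GHSA advisory in the pluginsGLPI/addressing repository, i.e. a GLPI plugin, while the neighbouring CVE-2021-43778 (the Barcode plugin) is marked "NOT-FOR-US: GLPI plugin". Unless src:glpi in Debian ships the addressing plugin, this entry should be NOT-FOR-US as well rather than an unfixed glpi entry (the <unfixed> marker after "- glpi" is stripped in this rendering); if the plugin is shipped, say so in the NOTE so the two sibling entries do not look contradictory. The "Only supported behind an authenticated HTTP zone" note is the right justification for "unimportant" and should stay either way.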



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6aefb940e0f8d2fb6c9def3a45be7a79d27a390



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ae22090b by Salvatore Bonaccorso at 2022-01-05T21:21:03+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3091,15 +3091,15 @@ CVE-2022-22113
 CVE-2022-22112
RESERVED
 CVE-2022-22111 (In DayByDay CRM, version 2.2.0 is vulnerable to missing 
authorization. ...)
-   TODO: check
+   NOT-FOR-US: DayByDay CRM
 CVE-2022-22110 (In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak 
password requ ...)
-   TODO: check
+   NOT-FOR-US: DayByDay CRM
 CVE-2022-22109 (In Daybyday CRM, version 2.2.0 is vulnerable to Stored 
Cross-Site Scri ...)
-   TODO: check
+   NOT-FOR-US: DayByDay CRM
 CVE-2022-22108 (In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable 
to Missin ...)
-   TODO: check
+   NOT-FOR-US: DayByDay CRM
 CVE-2022-22107 (In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable 
to Missin ...)
-   TODO: check
+   NOT-FOR-US: DayByDay CRM
 CVE-2022-22106
RESERVED
 CVE-2022-22105
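Review bot: the NOT-FOR-US tag spells the product "DayByDay CRM" on all five lines while four of the five descriptions (CVE-2022-22110 through CVE-2022-22107) write "Daybyday CRM"; pick one spelling, preferably the one used in the descriptions, so a case-sensitive search for the product name finds every entry.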
@@ -7997,7 +7997,7 @@ CVE-2022-21644 (USOC is an open source CMS with a focus 
on simplicity. In affect
 CVE-2022-21643 (USOC is an open source CMS with a focus on simplicity. In 
affected ver ...)
NOT-FOR-US: USOC
 CVE-2022-21642 (Discourse is an open source platform for community discussion. 
In affe ...)
-   TODO: check
+   NOT-FOR-US: Discourse
 CVE-2021-43959
RESERVED
 CVE-2021-43958



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ae22090b596d3d50a9794500916cec7c3ca8727b



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-41043/tcpslice

2022-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d0656d74 by Salvatore Bonaccorso at 2022-01-05T21:14:15+01:00
Add Debian bug reference for CVE-2021-41043/tcpslice

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -18163,7 +18163,7 @@ CVE-2021-41045
 CVE-2021-41044
RESERVED
 CVE-2021-41043 (Use after free in tcpslice triggers AddressSanitizer, no other 
confirm ...)
-   - tcpslice 
+   - tcpslice  (bug #1003190)
NOTE: https://github.com/the-tcpdump-group/tcpslice/issues/11
NOTE: 
https://github.com/the-tcpdump-group/tcpslice/commit/030859fce9c77417de657b9bb29c0f78c2d68f4a
 (tcpslice-1.5)
 CVE-2021-41042



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d0656d747a9255384c6c27714a04aedb367748a5



[Git][security-tracker-team/security-tracker][master] automatic update

2022-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f5be4540 by security tracker role at 2022-01-05T20:10:30+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,21 @@
+CVE-2022-22678
+   RESERVED
+CVE-2022-0129
+   RESERVED
+CVE-2022-0128
+   RESERVED
+CVE-2022-0127
+   RESERVED
+CVE-2022-0126
+   RESERVED
+CVE-2022-0125
+   RESERVED
+CVE-2022-0124
+   RESERVED
+CVE-2022-0123
+   RESERVED
+CVE-2021-4200
+   RESERVED
 CVE-2022-22677
RESERVED
 CVE-2022-22676
@@ -3072,16 +3090,16 @@ CVE-2022-22113
RESERVED
 CVE-2022-22112
RESERVED
-CVE-2022-22111
-   RESERVED
-CVE-2022-22110
-   RESERVED
-CVE-2022-22109
-   RESERVED
-CVE-2022-22108
-   RESERVED
-CVE-2022-22107
-   RESERVED
+CVE-2022-22111 (In DayByDay CRM, version 2.2.0 is vulnerable to missing 
authorization. ...)
+   TODO: check
+CVE-2022-22110 (In Daybyday CRM, versions 1.1 through 2.2.0 enforce weak 
password requ ...)
+   TODO: check
+CVE-2022-22109 (In Daybyday CRM, version 2.2.0 is vulnerable to Stored 
Cross-Site Scri ...)
+   TODO: check
+CVE-2022-22108 (In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable 
to Missin ...)
+   TODO: check
+CVE-2022-22107 (In Daybyday CRM, versions 2.0.0 through 2.2.0 are vulnerable 
to Missin ...)
+   TODO: check
 CVE-2022-22106
RESERVED
 CVE-2022-22105
@@ -7978,8 +7996,8 @@ CVE-2022-21644 (USOC is an open source CMS with a focus 
on simplicity. In affect
NOT-FOR-US: USOC
 CVE-2022-21643 (USOC is an open source CMS with a focus on simplicity. In 
affected ver ...)
NOT-FOR-US: USOC
-CVE-2022-21642
-   RESERVED
+CVE-2022-21642 (Discourse is an open source platform for community discussion. 
In affe ...)
+   TODO: check
 CVE-2021-43959
RESERVED
 CVE-2021-43958
@@ -8281,8 +8299,7 @@ CVE-2021-43818 (lxml is a library for processing XML and 
HTML in the Python lang
NOTE: 
https://github.com/lxml/lxml/commit/f2330237440df7e8f39c3ad1b1aa8852be3b27c0 
(lxml-4.6.5)
 CVE-2021-43817 (Collabora Online is a collaborative online office suite based 
on Libre ...)
NOT-FOR-US: Collabora Online
-CVE-2021-43816
-   RESERVED
+CVE-2021-43816 (containerd is an open source container runtime. On 
installations using ...)
- containerd 1.5.9~ds1-1
[bullseye] - containerd  (Vulnerable code introduced in 
1.5.0)
NOTE: 
https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c
@@ -8376,8 +8393,8 @@ CVE-2021-43781 (Invenio-Drafts-Resources is a 
submission/deposit module for Inve
NOT-FOR-US: Invenio-Drafts-Resources
 CVE-2021-43780 (Redash is a package for data visualization and sharing. In 
versions 10 ...)
NOT-FOR-US: Redash
-CVE-2021-43779
-   RESERVED
+CVE-2021-43779 (GLPI is an open source IT Asset Management, issue tracking 
system and  ...)
+   TODO: check
 CVE-2021-43778 (Barcode is a GLPI plugin for printing barcodes and QR codes. 
GLPI inst ...)
NOT-FOR-US: GLPI plugin
 CVE-2021-43777 (Redash is a package for data visualization and sharing. In 
Redash vers ...)
@@ -18145,8 +18162,7 @@ CVE-2021-41045
RESERVED
 CVE-2021-41044
RESERVED
-CVE-2021-41043 [Fix a use-after-free in extract_slice()]
-   RESERVED
+CVE-2021-41043 (Use after free in tcpslice triggers AddressSanitizer, no other 
confirm ...)
- tcpslice 
NOTE: https://github.com/the-tcpdump-group/tcpslice/issues/11
NOTE: 
https://github.com/the-tcpdump-group/tcpslice/commit/030859fce9c77417de657b9bb29c0f78c2d68f4a
 (tcpslice-1.5)
@@ -23298,8 +23314,8 @@ CVE-2021-38920
RESERVED
 CVE-2021-38919
RESERVED
-CVE-2021-38918
-   RESERVED
+CVE-2021-38918 (IBM PowerVM Hypervisor FW860, FW940, FW950, and FW1010, 
through a spec ...)
+   TODO: check
 CVE-2021-38917 (IBM PowerVM Hypervisor FW860, FW940, and FW950 could allow an 
attacker ...)
NOT-FOR-US: IBM
 CVE-2021-38916
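Review bot: the new CVE-2021-38918 entry is left at "TODO: check" although the adjacent CVE-2021-38917, which concerns the same IBM PowerVM Hypervisor firmware, is already "NOT-FOR-US: IBM"; unless the full description names a component Debian ships, it can be triaged as NOT-FOR-US: IBM in the same pass.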
@@ -34721,7 +34737,7 @@ CVE-2021-34143 (The Bluetooth Classic implementation in 
the Zhuhai Jieli AC6366C
NOT-FOR-US: Zhuhai Jieli
 CVE-2021-34142
RESERVED
-CVE-2021-34141 (** DISPUTED ** Incomplete string comparison in the numpy.core 
componen ...)
+CVE-2021-34141 (An incomplete string comparison in the numpy.core component in 
NumPy b ...)
- numpy 
[bullseye] - numpy  (Minor issue)
NOTE: https://github.com/numpy/numpy/issues/18993
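Review bot: the rewritten CVE-2021-34141 description drops the leading "** DISPUTED **" marker, but the bullseye annotation "(Minor issue)" is carried over unchanged; check in the linked numpy issue #18993 whether the dispute was actually withdrawn upstream or the text was merely reworded, since a resolved dispute may warrant re-evaluating the severity rather than keeping the old assessment.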
@@ -41320,8 +41336,8 @@ CVE-2021-31591
RESERVED
 CVE-2021-31590 (PwnDoc all versions until 0.4.0 (2021-08-23) has incorrect 
JSON Webtok ...)
NOT-FOR-US: PwnDoc
-CVE-2021-31589
-   RESERVED
+CVE-2021-31589 (BeyondTrust Secure Remote Access Base Software through 6.0.1 
allows an ...)
+   TODO: check
 CVE-2021-31588
RESERVED
 CVE-2021-3

[Git][security-tracker-team/security-tracker][master] Add CVE-2021-41043/tcpslice

2022-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b076854b by Salvatore Bonaccorso at 2022-01-05T20:58:40+01:00
Add CVE-2021-41043/tcpslice

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -18145,8 +18145,11 @@ CVE-2021-41045
RESERVED
 CVE-2021-41044
RESERVED
-CVE-2021-41043
+CVE-2021-41043 [Fix a use-after-free in extract_slice()]
RESERVED
+   - tcpslice 
+   NOTE: https://github.com/the-tcpdump-group/tcpslice/issues/11
+   NOTE: 
https://github.com/the-tcpdump-group/tcpslice/commit/030859fce9c77417de657b9bb29c0f78c2d68f4a
 (tcpslice-1.5)
 CVE-2021-41042
RESERVED
 CVE-2021-41041
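Review bot: the tcpslice line carries no Debian bug reference, so the package maintainer is not notified of the use-after-free; file a bug against tcpslice and record it on that line as "(bug #NNNNNN)" (placeholder for the real number), as the other entries in this file do. The NOTE giving the fix commit together with "(tcpslice-1.5)" is the right level of detail for the maintainer to identify the upstream release that contains the fix.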



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b076854b8418590bc6ebe22dd11f8a3aade4917d



[Git][security-tracker-team/security-tracker] Pushed new branch update_lts_file

2022-01-05 Thread Anton Gladky (@gladk)


Anton Gladky pushed new branch update_lts_file at Debian Security Tracker / 
security-tracker

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/tree/update_lts_file


[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2021-43816/containerd

2022-01-05 Thread Shengjing Zhu (@zhsj)


Shengjing Zhu pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d75d61ff by Shengjing Zhu at 2022-01-06T02:18:05+08:00
Track fixed version via unstable for CVE-2021-43816/containerd

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8283,6 +8283,10 @@ CVE-2021-43817 (Collabora Online is a collaborative 
online office suite based on
NOT-FOR-US: Collabora Online
 CVE-2021-43816
RESERVED
+   - containerd 1.5.9~ds1-1
+   [bullseye] - containerd  (Vulnerable code introduced in 
1.5.0)
+   NOTE: 
https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c
+   NOTE: Fixed by: 
https://github.com/containerd/containerd/commit/1407cab509ff0d96baa4f0eb6ff9980270e6e620
 CVE-2021-43815 (Grafana is an open-source platform for monitoring and 
observability. G ...)
- grafana 
 CVE-2021-43814 (Rizin is a UNIX-like reverse engineering framework and 
command-line to ...)
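Review bot: the bullseye line justifies its state with "(Vulnerable code introduced in 1.5.0)" but does not name the containerd version bullseye actually ships, so the claim cannot be verified from the entry alone; consider extending the comment to something like "(Vulnerable code introduced in 1.5.0; bullseye has <version>)", with the real bullseye version filled in.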



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d75d61ff0a8fef8db10cb1e17f7002039af7bc06



[Git][security-tracker-team/security-tracker][master] 4 commits: Triage CVE-2021-4189 in python2.7 for stretch LTS.

2022-01-05 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e22d902a by Chris Lamb at 2022-01-05T10:10:03+00:00
Triage CVE-2021-4189 in python2.7 for stretch LTS.

- - - - -
d793cb29 by Chris Lamb at 2022-01-05T10:10:39+00:00
Triage CVE-2021-4189 in python3.5 for stretch LTS.

- - - - -
33e10af5 by Chris Lamb at 2022-01-05T10:13:30+00:00
Triage CVE-2022-0080 in mruby for stretch LTS.

- - - - -
ac023da7 by Chris Lamb at 2022-01-05T10:14:02+00:00
Triage CVE-2021-3842 in nltk for stretch LTS.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1252,6 +1252,7 @@ CVE-2022-0080 (mruby is vulnerable to Heap-based Buffer 
Overflow ...)
- mruby 
[bullseye] - mruby  (Minor issue)
[buster] - mruby  (Minor issue)
+   [stretch] - mruby  (Minor issue)
NOTE: https://huntr.dev/bounties/59a70392-4864-4ce3-8e35-6ac2111d1e2e/
NOTE: 
https://github.com/mruby/mruby/commit/28ccc664e5dcd3f9d55173e9afde77c4705a9ab6
 CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or 
more) pla ...)
@@ -1509,9 +1510,11 @@ CVE-2021-4189 [ftplib should not use the host from the 
PASV response]
- python3.7 
[buster] - python3.7  (Minor issue)
- python3.5 
+   [stretch] - python3.5  (Minor issue)
- python2.7 
[bullseye] - python2.7  (Python 2.7 in Bullseye not covered by 
security support)
[buster] - python2.7  (Minor issue)
+   [stretch] - python2.7  (Minor issue)
NOTE: https://bugs.python.org/issue43285
NOTE: 
https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e
 (master)
NOTE: 
https://github.com/python/cpython/commit/7dcb4baa4f0fde3aef5122a8e9f6a41853ec9335
 (v3.9.3)
@@ -16200,6 +16203,7 @@ CVE-2021-3842 (nltk is vulnerable to Inefficient 
Regular Expression Complexity .
- nltk  (bug #1003142)
[bullseye] - nltk  (Minor issue)
[buster] - nltk  (Minor issue)
+   [stretch] - nltk  (Minor issue)
NOTE: https://huntr.dev/bounties/761a761e-2be2-430a-8d92-6f74ffe9866a/
NOTE: 
https://github.com/nltk/nltk/commit/2a50a3edc9d35f57ae42a921c621edc160877f4d 
(3.6.6)
TODO: check
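Review bot: the nltk entry still ends with "TODO: check" after this triage, even though every suite, stretch included, is now annotated "(Minor issue)"; either drop the TODO or replace it with a NOTE stating what is still open (for instance whether the upstream fix commit for 3.6.6 applies to the versions in the stable suites), otherwise the entry reads as both triaged and untriaged.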



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0cfdb87deb02bd560e8a01256d20de7a76474e8e...ac023da7a5f9143e04b73043ae4519149ec5bd43



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0cfdb87d by Salvatore Bonaccorso at 2022-01-05T10:43:40+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7972,9 +7972,9 @@ CVE-2022-21646
 CVE-2022-21645
RESERVED
 CVE-2022-21644 (USOC is an open source CMS with a focus on simplicity. In 
affected ver ...)
-   TODO: check
+   NOT-FOR-US: USOC
 CVE-2022-21643 (USOC is an open source CMS with a focus on simplicity. In 
affected ver ...)
-   TODO: check
+   NOT-FOR-US: USOC
 CVE-2022-21642
RESERVED
 CVE-2021-43959
@@ -8004,7 +8004,7 @@ CVE-2021-43948
 CVE-2021-43947
RESERVED
 CVE-2021-43946 (Affected versions of Atlassian Jira Server and Data Center 
allow authe ...)
-   TODO: check
+   NOT-FOR-US: Atlassian
 CVE-2021-43945
RESERVED
 CVE-2021-43944
@@ -8201,11 +8201,11 @@ CVE-2021-43854 (NLTK (Natural Language Toolkit) is a 
suite of open source Python
 CVE-2021-43853 (Ajax.NET Professional (AjaxPro) is an AJAX framework available 
for Mic ...)
NOT-FOR-US: Ajax.NET Professional
 CVE-2021-43852 (OroPlatform is a PHP Business Application Platform. In 
affected versio ...)
-   TODO: check
+   NOT-FOR-US: OroPlatform
 CVE-2021-43851 (Anuko Time Tracker is an open source, web-based time tracking 
applicat ...)
NOT-FOR-US: Anuko Time Tracker
 CVE-2021-43850 (Discourse is an open source platform for community discussion. 
In affe ...)
-   TODO: check
+   NOT-FOR-US: Discourse
 CVE-2021-43849 (cordova-plugin-fingerprint-aio is a plugin provides a single 
and simpl ...)
NOT-FOR-US: cordova-plugin-fingerprint-aio
 CVE-2021-43848
@@ -8241,7 +8241,7 @@ CVE-2021-43834 (eLabFTW is an electronic lab notebook 
manager for research teams
 CVE-2021-43833 (eLabFTW is an electronic lab notebook manager for research 
teams. In v ...)
NOT-FOR-US: eLabFTW
 CVE-2021-43832 (Spinnaker is an open source, multi-cloud continuous delivery 
platform. ...)
-   TODO: check
+   NOT-FOR-US: Spinnaker
 CVE-2021-43831 (Gradio is an open source framework for building interactive 
machine le ...)
NOT-FOR-US: gradio
 CVE-2021-43830 (OpenProject is a web-based project management software. 
OpenProject ve ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cfdb87deb02bd560e8a01256d20de7a76474e8e



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-21647/codeigniter

2022-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
780df858 by Salvatore Bonaccorso at 2022-01-05T10:42:52+01:00
Add CVE-2022-21647/codeigniter

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7966,7 +7966,7 @@ CVE-2022-21648 (Latte is an open source template engine 
for PHP. Versions since
NOTE: 
https://github.com/nette/latte/security/advisories/GHSA-36m2-8rhx-f36j
NOTE: 
https://github.com/nette/latte/commit/9e1b4f7d70f7a9c3fa6753ffa7d7e450a3d4abb0
 CVE-2022-21647 (CodeIgniter is an open source PHP full-stack web framework. 
Deserializ ...)
-   TODO: check
+   - codeigniter  (bug #471583)
 CVE-2022-21646
RESERVED
 CVE-2022-21645
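Review bot: the reference "(bug #471583)" on the codeigniter line is far older than the bugs opened for this week's issues (compare bug #1003190 and bug #1003113 elsewhere in this list), so it is presumably a long-standing packaging bug such as an ITP or RFP rather than one filed for CVE-2022-21647; a short NOTE saying which it is would stop readers from treating it as the fix-tracking bug for this CVE.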



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/780df8587924a3a3bda1f64797b20786b33f7b8a



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-21648/php-nettle

2022-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
69bae128 by Salvatore Bonaccorso at 2022-01-05T10:29:39+01:00
Add CVE-2022-21648/php-nettle

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7962,7 +7962,9 @@ CVE-2022-21650 (Convos is an open source multi-user chat 
that runs in a web brow
 CVE-2022-21649 (Convos is an open source multi-user chat that runs in a web 
browser. C ...)
NOT-FOR-US: Convos
 CVE-2022-21648 (Latte is an open source template engine for PHP. Versions 
since 2.8.0  ...)
-   TODO: check
+   - php-nette 
+   NOTE: 
https://github.com/nette/latte/security/advisories/GHSA-36m2-8rhx-f36j
+   NOTE: 
https://github.com/nette/latte/commit/9e1b4f7d70f7a9c3fa6753ffa7d7e450a3d4abb0
 CVE-2022-21647 (CodeIgniter is an open source PHP full-stack web framework. 
Deserializ ...)
TODO: check
 CVE-2022-21646
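Review bot: the commit message says "Add CVE-2022-21648/php-nettle" but the hunk assigns the entry to the php-nette source package; the message should name the package exactly as tracked, since these subjects are what people search the list archive for. The description also places the issue in Latte rather than Nette itself, so a NOTE confirming that Latte is shipped as part of php-nette (or moving the entry to the package that ships Latte, if it is not) would make the assignment verifiable.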



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69bae1282ec8d0436d15d1ea5a0adf3e475a5a69



[Git][security-tracker-team/security-tracker][master] Process NFUs

2022-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
70f61e2b by Salvatore Bonaccorso at 2022-01-05T10:17:48+01:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7958,9 +7958,9 @@ CVE-2022-21652
 CVE-2022-21651
RESERVED
 CVE-2022-21650 (Convos is an open source multi-user chat that runs in a web 
browser. Y ...)
-   TODO: check
+   NOT-FOR-US: Convos
 CVE-2022-21649 (Convos is an open source multi-user chat that runs in a web 
browser. C ...)
-   TODO: check
+   NOT-FOR-US: Convos
 CVE-2022-21648 (Latte is an open source template engine for PHP. Versions 
since 2.8.0  ...)
TODO: check
 CVE-2022-21647 (CodeIgniter is an open source PHP full-stack web framework. 
Deserializ ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/70f61e2bba0e6a5b59967ca0a51b1054d9312d74



[Git][security-tracker-team/security-tracker][master] automatic update

2022-01-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
330e76b3 by security tracker role at 2022-01-05T08:10:11+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,227 @@
+CVE-2022-22677
+   RESERVED
+CVE-2022-22676
+   RESERVED
+CVE-2022-22675
+   RESERVED
+CVE-2022-22674
+   RESERVED
+CVE-2022-22673
+   RESERVED
+CVE-2022-22672
+   RESERVED
+CVE-2022-22671
+   RESERVED
+CVE-2022-22670
+   RESERVED
+CVE-2022-22669
+   RESERVED
+CVE-2022-22668
+   RESERVED
+CVE-2022-22667
+   RESERVED
+CVE-2022-22666
+   RESERVED
+CVE-2022-22665
+   RESERVED
+CVE-2022-22664
+   RESERVED
+CVE-2022-22663
+   RESERVED
+CVE-2022-22662
+   RESERVED
+CVE-2022-22661
+   RESERVED
+CVE-2022-22660
+   RESERVED
+CVE-2022-22659
+   RESERVED
+CVE-2022-22658
+   RESERVED
+CVE-2022-22657
+   RESERVED
+CVE-2022-22656
+   RESERVED
+CVE-2022-22655
+   RESERVED
+CVE-2022-22654
+   RESERVED
+CVE-2022-22653
+   RESERVED
+CVE-2022-22652
+   RESERVED
+CVE-2022-22651
+   RESERVED
+CVE-2022-22650
+   RESERVED
+CVE-2022-22649
+   RESERVED
+CVE-2022-22648
+   RESERVED
+CVE-2022-22647
+   RESERVED
+CVE-2022-22646
+   RESERVED
+CVE-2022-22645
+   RESERVED
+CVE-2022-22644
+   RESERVED
+CVE-2022-22643
+   RESERVED
+CVE-2022-22642
+   RESERVED
+CVE-2022-22641
+   RESERVED
+CVE-2022-22640
+   RESERVED
+CVE-2022-22639
+   RESERVED
+CVE-2022-22638
+   RESERVED
+CVE-2022-22637
+   RESERVED
+CVE-2022-22636
+   RESERVED
+CVE-2022-22635
+   RESERVED
+CVE-2022-22634
+   RESERVED
+CVE-2022-22633
+   RESERVED
+CVE-2022-22632
+   RESERVED
+CVE-2022-22631
+   RESERVED
+CVE-2022-22630
+   RESERVED
+CVE-2022-22629
+   RESERVED
+CVE-2022-22628
+   RESERVED
+CVE-2022-22627
+   RESERVED
+CVE-2022-22626
+   RESERVED
+CVE-2022-22625
+   RESERVED
+CVE-2022-22624
+   RESERVED
+CVE-2022-22623
+   RESERVED
+CVE-2022-22622
+   RESERVED
+CVE-2022-22621
+   RESERVED
+CVE-2022-22620
+   RESERVED
+CVE-2022-22619
+   RESERVED
+CVE-2022-22618
+   RESERVED
+CVE-2022-22617
+   RESERVED
+CVE-2022-22616
+   RESERVED
+CVE-2022-22615
+   RESERVED
+CVE-2022-22614
+   RESERVED
+CVE-2022-22613
+   RESERVED
+CVE-2022-22612
+   RESERVED
+CVE-2022-22611
+   RESERVED
+CVE-2022-22610
+   RESERVED
+CVE-2022-22609
+   RESERVED
+CVE-2022-22608
+   RESERVED
+CVE-2022-22607
+   RESERVED
+CVE-2022-22606
+   RESERVED
+CVE-2022-22605
+   RESERVED
+CVE-2022-22604
+   RESERVED
+CVE-2022-22603
+   RESERVED
+CVE-2022-22602
+   RESERVED
+CVE-2022-22601
+   RESERVED
+CVE-2022-22600
+   RESERVED
+CVE-2022-22599
+   RESERVED
+CVE-2022-22598
+   RESERVED
+CVE-2022-22597
+   RESERVED
+CVE-2022-22596
+   RESERVED
+CVE-2022-22595
+   RESERVED
+CVE-2022-22594
+   RESERVED
+CVE-2022-22593
+   RESERVED
+CVE-2022-22592
+   RESERVED
+CVE-2022-22591
+   RESERVED
+CVE-2022-22590
+   RESERVED
+CVE-2022-22589
+   RESERVED
+CVE-2022-22588
+   RESERVED
+CVE-2022-22587
+   RESERVED
+CVE-2022-22586
+   RESERVED
+CVE-2022-22585
+   RESERVED
+CVE-2022-22584
+   RESERVED
+CVE-2022-22583
+   RESERVED
+CVE-2022-22582
+   RESERVED
+CVE-2022-22581
+   RESERVED
+CVE-2022-22580
+   RESERVED
+CVE-2022-22579
+   RESERVED
+CVE-2022-22578
+   RESERVED
+CVE-2022-22577
+   RESERVED
+CVE-2022-22576
+   RESERVED
+CVE-2022-22575
+   RESERVED
+CVE-2022-22574
+   RESERVED
+CVE-2022-22573
+   RESERVED
+CVE-2022-22572
+   RESERVED
+CVE-2022-22571
+   RESERVED
+CVE-2022-22570
+   RESERVED
+CVE-2022-22569
+   RESERVED
+CVE-2022-22568
+   RESERVED
+CVE-2022-0122
+   RESERVED
+CVE-2022-0121
+   RESERVED
 CVE-2022-22567
RESERVED
 CVE-2022-22566
@@ -2973,8 +3197,7 @@ CVE-2021-45454
RESERVED
 CVE-2021-45453
RESERVED
-CVE-2021-45452 [Potential directory-traversal via Storage.save()]
-   RESERVED
+CVE-2021-45452 (Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, 
and 4.0 b ...)
- python-django 2:3.2.11-1 (bug #1003113)
NOTE: 
https://www.djangoproject.com/weblog/2022/jan/04/security-releases/
NOTE: 
https://github.com/django/django/commit/8d2f7cff76200cbd2337b2cf1707e383eb1fb54b
 (3.2.11)
@@ -3953,14 +4176,12 @@ CVE-2021-45118
RESERVED
 CVE-2021-45117
RESERVED
-CVE-2021-45116 [Potential information disclosure in dictsort template filter]
-   RESERVED
+CVE-2021-45116 (An issue was discovered in Django 2.2 before 2.2.26, 3.2 
before 3.2.11 ...)
- python-django 2:3.2.11-1 (bug #1003113)
NOTE: 
https://www.djangoproject.com/weblog/2022/jan/04/security