[Git][security-tracker-team/security-tracker][master] Take debian-edu-config
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 92885c96 by Utkarsh Gupta at 2022-02-05T10:53:06+05:30 Take debian-edu-config - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -31,7 +31,7 @@ debian-archive-keyring NOTE: 20211018: Jonathan is prepping the branch; will work NOTE: 20211018: with him and upload and publish the DLA. (utkarsh) -- -debian-edu-config +debian-edu-config (Utkarsh) NOTE: 20220204: upcoming DSA (Beuc) -- firmware-nonfree (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92885c968ae783d3e935ab0e6c23079f0d66007e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92885c968ae783d3e935ab0e6c23079f0d66007e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
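Review bot: the claimer annotation style is inconsistent within this hunk: the new "(Utkarsh)" sits next to the existing NOTE signature "(utkarsh)" and the firmware-nonfree entry's "(Markus Koschany)"; pick one form (full name, or the same login used in the NOTE lines) so that anyone grepping dla-needed.txt for a claimer matches reliably. A dated NOTE line recording the claim, as the surrounding entries carry, would also help the next person reading the file.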
[Git][security-tracker-team/security-tracker][master] Unify naming for taocms NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b2c981b5 by Salvatore Bonaccorso at 2022-02-04T21:26:39+01:00 Unify naming for taocms NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3622,7 +3622,7 @@ CVE-2022-23318 CVE-2022-23317 RESERVED CVE-2022-23316 (An issue was discovered in taoCMS v3.0.2. There is an arbitrary file r ...) - NOT-FOR-US: taoCMS + NOT-FOR-US: taocms CVE-2022-23315 (MCMS v5.2.4 was discovered to contain an arbitrary file upload vulnera ...) NOT-FOR-US: MCMS CVE-2022-23314 (MCMS v5.2.4 was discovered to contain a SQL injection vulnerability vi ...) @@ -5444,9 +5444,9 @@ CVE-2021-46206 CVE-2021-46205 RESERVED CVE-2021-46204 (Taocms v3.0.2 was discovered to contain an arbitrary file read vulnera ...) - NOT-FOR-US: Taocms + NOT-FOR-US: taocms CVE-2021-46203 (Taocms v3.0.2 was discovered to contain an arbitrary file read vulnera ...) - NOT-FOR-US: Taocms + NOT-FOR-US: taocms CVE-2021-46202 RESERVED CVE-2021-46201 (An SQL Injection vulnerability exists in Sourcecodester Online Resort ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2c981b5e2efefc048d2e5dfb0ee17d1877a40db -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2c981b5e2efefc048d2e5dfb0ee17d1877a40db You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add two new zammad issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 91d9033e by Salvatore Bonaccorso at 2022-02-04T21:24:50+01:00 Add two new zammad issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11558,7 +11558,7 @@ CVE-2021-44888 CVE-2021-44887 RESERVED CVE-2021-44886 (In Zammad 5.0.2, agents can configure "out of office" periods and subs ...) - TODO: check + - zammad (bug #841355) CVE-2021-44885 RESERVED CVE-2021-44884 @@ -18702,7 +18702,7 @@ CVE-2021-43147 CVE-2021-43146 RESERVED CVE-2021-43145 (With certain LDAP configurations, Zammad 5.0.1 was found to be vulnera ...) - TODO: check + - zammad (bug #841355) CVE-2021-43144 RESERVED CVE-2021-43143 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91d9033ee92bb2deeec9b7c187b2389aaa5682e9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91d9033ee92bb2deeec9b7c187b2389aaa5682e9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
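Review bot: both zammad entries drop the "TODO: check" but record only the bug number; unlike the python-treq change pushed in the same batch, no NOTE line points at an upstream advisory or fixing commit, so the next triager has to rediscover the fix for CVE-2021-44886 and CVE-2021-43145. Suggest adding NOTE lines with the upstream references, and confirming that bug #841355 is the right report for both issues since the same number is reused for two unrelated findings (out-of-office handling and LDAP configuration).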
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e1abeca1 by Salvatore Bonaccorso at 2022-02-04T21:24:23+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3622,7 +3622,7 @@ CVE-2022-23318 CVE-2022-23317 RESERVED CVE-2022-23316 (An issue was discovered in taoCMS v3.0.2. There is an arbitrary file r ...) - TODO: check + NOT-FOR-US: taoCMS CVE-2022-23315 (MCMS v5.2.4 was discovered to contain an arbitrary file upload vulnera ...) NOT-FOR-US: MCMS CVE-2022-23314 (MCMS v5.2.4 was discovered to contain a SQL injection vulnerability vi ...) @@ -3850,7 +3850,7 @@ CVE-2021-46322 (Duktape v2.99.99 was discovered to contain a SEGV vulnerability CVE-2021-46321 RESERVED CVE-2021-46320 (In OpenZeppelin =v4.4.0, initializer functions that are invoked se ...) - TODO: check + NOT-FOR-US: OpenZeppelin CVE-2021-46319 RESERVED CVE-2021-46318 @@ -10085,7 +10085,7 @@ CVE-2021-45270 CVE-2021-45269 RESERVED CVE-2021-45268 (A Cross Site Request Forgery (CSRF) vulnerability exists in Backdrop C ...) - TODO: check + NOT-FOR-US: Backdrop CMS CVE-2021-45267 (An invalid memory address dereference vulnerability exists in gpac 1.1 ...) - gpac NOTE: https://github.com/gpac/gpac/issues/1965 @@ -11335,7 +11335,7 @@ CVE-2021-44985 CVE-2021-44984 RESERVED CVE-2021-44983 (In taocms 3.0.1 after logging in to the background, there is an Arbitr ...) - TODO: check + NOT-FOR-US: taocms CVE-2021-44982 RESERVED CVE-2021-44981 (In QuickBox Pro v2.5.8 and below, the config.php file has a variable w ...) @@ -11345,9 +11345,9 @@ CVE-2021-44980 CVE-2021-44979 RESERVED CVE-2021-44978 (iCMS = 8.0.0 allows users to add and render a comtom template, whi ...) - TODO: check + NOT-FOR-US: iCMS CVE-2021-44977 (In iCMS =8.0.0, a directory traversal vulnerability allows an atta ...) - TODO: check + NOT-FOR-US: iCMS CVE-2021-44976 RESERVED CVE-2021-44975 
@@ -11524,15 +11524,15 @@ CVE-2021-44905 CVE-2021-44904 RESERVED CVE-2021-44903 (Micro-Star International (MSI) Center Pro = 2.0.16.0 is vulnerable ...) - TODO: check + NOT-FOR-US: Micro-Star International (MSI) Center Pro CVE-2021-44902 RESERVED CVE-2021-44901 (Micro-Star International (MSI) Dragon Center = 2.0.116.0 is vulner ...) - TODO: check + NOT-FOR-US: Micro-Star International (MSI) Dragon Center CVE-2021-44900 (Micro-Star International (MSI) App Player = 4.280.1.6309 is vulner ...) - TODO: check + NOT-FOR-US: Micro-Star International (MSI) App Player CVE-2021-44899 (Micro-Star International (MSI) Center = 1.0.31.0 is vulnerable to ...) - TODO: check + NOT-FOR-US: Micro-Star International (MSI) Center CVE-2021-44898 RESERVED CVE-2021-44897 @@ -18864,7 +18864,7 @@ CVE-2021-43075 CVE-2021-43074 RESERVED CVE-2021-43073 (A improper neutralization of special elements used in an os command (' ...) - TODO: check + NOT-FOR-US: FortiGuard CVE-2021-43072 RESERVED CVE-2021-43071 (A heap-based buffer overflow in Fortinet FortiWeb version 6.4.1 and 6. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1abeca127402fddd0ac7c98fa709656a8392965 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1abeca127402fddd0ac7c98fa709656a8392965 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
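Review bot: the NOT-FOR-US label for CVE-2021-43073 reads "FortiGuard", which is the vendor's advisory service rather than a product; the truncated description does not name the affected product, so record the product (or at least "Fortinet", as the adjacent CVE-2021-43071 description does) so later searches for Fortinet issues find this entry. The other conversions in this push (taoCMS, OpenZeppelin, Backdrop CMS, taocms, iCMS, the four MSI products) match their descriptions.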
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-23607/python-treq
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 814e4c56 by Salvatore Bonaccorso at 2022-02-04T21:20:47+01:00 Add CVE-2022-23607/python-treq - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2855,7 +2855,9 @@ CVE-2022-23609 CVE-2022-23608 RESERVED CVE-2022-23607 (treq is an HTTP library inspired by requests but written on top of Twi ...) - TODO: check + - python-treq + NOTE: https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc + NOTE: https://github.com/twisted/treq/commit/1da6022cc880bbcff59321abe02bf8498b89efb2 (release-22.1.0) CVE-2022-23606 RESERVED CVE-2022-23605 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/814e4c56248c534f7225c0bd20fd367415937635 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/814e4c56248c534f7225c0bd20fd367415937635 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
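Review bot: the new "- python-treq" line carries no fixed Debian version and no [bullseye]/[buster] assessment, so the entry will show as unfixed in every release; add the fixed version once uploaded and a severity or no-dsa decision for the stable releases. The advisory and the release-22.1.0 commit linked in the NOTE lines give what is needed to backport the fix or to justify the tag.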
[Git][security-tracker-team/security-tracker][master] CVE-2021-46671/atftp assigned
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: db7f9a66 by Salvatore Bonaccorso at 2022-02-04T21:13:53+01:00 CVE-2021-46671/atftp assigned - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18,7 +18,7 @@ CVE-2022-0494 RESERVED CVE-2022-0493 RESERVED -CVE-2022- [information leak] +CVE-2021-46671 [information leak] - atftp 0.7.git20210915-1 (bug #1004974) NOTE: https://sourceforge.net/p/atftp/code/ci/9cf799c40738722001552618518279e9f0ef62e5 (v0.7.5) CVE-2022-24407 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db7f9a6678bd93f8e326bff656e6febb5d7d1d6f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db7f9a6678bd93f8e326bff656e6febb5d7d1d6f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
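Review bot: the renamed entry CVE-2021-46671 stays between CVE-2022-0493 and CVE-2022-24407, where the temporary "CVE-2022-" placeholder had been inserted; the surrounding context is ordered by descending id, so either move the entry to its place among the CVE-2021-466xx ids or confirm that the tooling re-sorts it. The atftp package line and the upstream commit NOTE are otherwise complete.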
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0e4dd0a1 by security tracker role at 2022-02-04T20:10:17+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,23 @@ +CVE-2022-24408 + RESERVED +CVE-2022-0501 + RESERVED +CVE-2022-0500 + RESERVED +CVE-2022-0499 + RESERVED +CVE-2022-0498 + RESERVED +CVE-2022-0497 + RESERVED +CVE-2022-0496 + RESERVED +CVE-2022-0495 + RESERVED +CVE-2022-0494 + RESERVED +CVE-2022-0493 + RESERVED CVE-2022- [information leak] - atftp 0.7.git20210915-1 (bug #1004974) NOTE: https://sourceforge.net/p/atftp/code/ci/9cf799c40738722001552618518279e9f0ef62e5 (v0.7.5) @@ -3599,8 +3619,8 @@ CVE-2022-23318 RESERVED CVE-2022-23317 RESERVED -CVE-2022-23316 - RESERVED +CVE-2022-23316 (An issue was discovered in taoCMS v3.0.2. There is an arbitrary file r ...) + TODO: check CVE-2022-23315 (MCMS v5.2.4 was discovered to contain an arbitrary file upload vulnera ...) NOT-FOR-US: MCMS CVE-2022-23314 (MCMS v5.2.4 was discovered to contain a SQL injection vulnerability vi ...) @@ -3631,8 +3651,8 @@ CVE-2022-0267 RESERVED CVE-2021-46399 RESERVED -CVE-2021-46398 - RESERVED +CVE-2021-46398 (A Cross-Site Request Forgery (CSRF) vulnerability exists in Filebrowse ...) + TODO: check CVE-2021-46397 RESERVED CVE-2021-46396 @@ -3827,8 +3847,8 @@ CVE-2021-46322 (Duktape v2.99.99 was discovered to contain a SEGV vulnerability NOT-FOR-US: Duktape CVE-2021-46321 RESERVED -CVE-2021-46320 - RESERVED +CVE-2021-46320 (In OpenZeppelin =v4.4.0, initializer functions that are invoked se ...) + TODO: check CVE-2021-46319 RESERVED CVE-2021-46318 @@ -11312,8 +11332,8 @@ CVE-2021-44985 RESERVED CVE-2021-44984 RESERVED -CVE-2021-44983 - RESERVED +CVE-2021-44983 (In taocms 3.0.1 after logging in to the background, there is an Arbitr ...) + TODO: check CVE-2021-44982 RESERVED CVE-2021-44981 (In QuickBox Pro v2.5.8 and below, the config.php file has a variable w ...) 
@@ -11322,10 +11342,10 @@ CVE-2021-44980 RESERVED CVE-2021-44979 RESERVED -CVE-2021-44978 - RESERVED -CVE-2021-44977 - RESERVED +CVE-2021-44978 (iCMS = 8.0.0 allows users to add and render a comtom template, whi ...) + TODO: check +CVE-2021-44977 (In iCMS =8.0.0, a directory traversal vulnerability allows an atta ...) + TODO: check CVE-2021-44976 RESERVED CVE-2021-44975 @@ -11501,16 +11521,16 @@ CVE-2021-44905 RESERVED CVE-2021-44904 RESERVED -CVE-2021-44903 - RESERVED +CVE-2021-44903 (Micro-Star International (MSI) Center Pro = 2.0.16.0 is vulnerable ...) + TODO: check CVE-2021-44902 RESERVED -CVE-2021-44901 - RESERVED -CVE-2021-44900 - RESERVED -CVE-2021-44899 - RESERVED +CVE-2021-44901 (Micro-Star International (MSI) Dragon Center = 2.0.116.0 is vulner ...) + TODO: check +CVE-2021-44900 (Micro-Star International (MSI) App Player = 4.280.1.6309 is vulner ...) + TODO: check +CVE-2021-44899 (Micro-Star International (MSI) Center = 1.0.31.0 is vulnerable to ...) + TODO: check CVE-2021-44898 RESERVED CVE-2021-44897 @@ -11535,8 +11555,8 @@ CVE-2021-44888 RESERVED CVE-2021-44887 RESERVED -CVE-2021-44886 - RESERVED +CVE-2021-44886 (In Zammad 5.0.2, agents can configure "out of office" periods and subs ...) + TODO: check CVE-2021-44885 RESERVED CVE-2021-44884 @@ -18679,8 +18699,8 @@ CVE-2021-43147 RESERVED CVE-2021-43146 RESERVED -CVE-2021-43145 - RESERVED +CVE-2021-43145 (With certain LDAP configurations, Zammad 5.0.1 was found to be vulnera ...) + TODO: check CVE-2021-43144 RESERVED CVE-2021-43143 
@@ -302856,15 +302876,17 @@ CVE-2017-6964 (dmcrypt-get-device, as shipped in the eject package of Debian and CVE-2017-6963 RESERVED CVE-2017-6962 (An issue was discovered in apng2gif 1.7. There is an integer overflow ...) + {DLA-2911-1} - apng2gif 1.8-0.1 (bug #854447) [jessie] - apng2gif (Vulnerable code introduced later with refactoring) [wheezy] - apng2gif (Vulnerable code introduced later with refactoring) CVE-2017-6961 (An issue was discovered in apng2gif 1.7. There is improper sanitizatio ...) + {DLA-2911-1} - apng2gif 1.8-0.1 (bug #854441) [jessie] - apng2gif (Vulnerable code introduced later with refactoring) [wheezy] - apng2gif (Vulnerable code introduced later with refactoring) CVE-2017-6960 (An issue was discovered in apng2gif 1.7. There is an integer overflow ...) - {DLA-2165-1 DLA-981-1} + {DLA-2911-1 DLA-2165-1 DLA-981-1}
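Review bot: several descriptions pulled in by this update read "OpenZeppelin =v4.4.0", "iCMS = 8.0.0" and "MSI Center Pro = 2.0.16.0", where a comparison operator (presumably "<=") appears to have been lost before the "="; check the upstream CVE text when triaging the version ranges, since an equals sign alone names a single version rather than a range. The last hunk also stops after the CVE-2017-6960 DLA reference with no trailing context, so the rest of this patch is not visible here.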
[Git][security-tracker-team/security-tracker][master] Mark CVE-2021-34337/mailman3 as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ee4db794 by Salvatore Bonaccorso at 2022-02-04T20:45:08+01:00 Mark CVE-2021-34337/mailman3 as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41420,6 +41420,7 @@ CVE-2021-34338 CVE-2021-34337 [password checking timing attack in administrative REST API] RESERVED - mailman3 (bug #1004934) + [buster] - mailman3 (Minor issue; will be fixed via point release) NOTE: Fixed by: https://gitlab.com/mailman/mailman/-/commit/e4a39488c4510fcad8851217f10e7337a196bb51 (3.3.5b1) CVE-2021-34336 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee4db79444ece0cf0f8206403e8306d3c9dc35b7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee4db79444ece0cf0f8206403e8306d3c9dc35b7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
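Review bot: only a [buster] tag is added; the package line "- mailman3 (bug #1004934)" has no fixed version and there is no [bullseye] assessment, so bullseye still shows as open with no rationale. If the timing-attack fix from 3.3.5b1 is minor enough for a buster point release, the same reasoning presumably applies to bullseye; add a [bullseye] line, and add the fixed unstable version once it is uploaded.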
[Git][security-tracker-team/security-tracker][master] Cleanup trailing whitespaces in CVE list file
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 64c490f1 by Salvatore Bonaccorso at 2022-02-04T20:40:19+01:00 Cleanup trailing whitespaces in CVE list file - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23624,7 +23624,7 @@ CVE-2021-3829 (openwhyd is vulnerable to URL Redirection to Untrusted Site ...) CVE-2021-41610 REJECTED CVE-2021-41609 (SQL injection in the ID parameter of the UploadedImageDisplay.aspx end ...) - NOT-FOR-US: SelectSurvey.NET + NOT-FOR-US: SelectSurvey.NET CVE-2021-41608 (A file disclosure vulnerability in the UploadedImageDisplay.aspx endpo ...) NOT-FOR-US: SelectSurvey.NET CVE-2021-41607 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64c490f1a867a21c207b3658be3f256aff5d88ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64c490f1a867a21c207b3658be3f256aff5d88ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add temporary entry for atftp issue, #1004974
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 86ac60ae by Salvatore Bonaccorso at 2022-02-04T20:34:25+01:00 Add temporary entry for atftp issue, #1004974 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,6 @@ +CVE-2022- [information leak] + - atftp 0.7.git20210915-1 (bug #1004974) + NOTE: https://sourceforge.net/p/atftp/code/ci/9cf799c40738722001552618518279e9f0ef62e5 (v0.7.5) CVE-2022-24407 RESERVED CVE-2022-24406 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86ac60aedb7157df747a7c5f35ddd19d59abefce -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86ac60aedb7157df747a7c5f35ddd19d59abefce You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2018-1279/rabbitmq-server: stretch postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c94a993 by Sylvain Beucler at 2022-02-04T16:27:17+01:00 CVE-2018-1279/rabbitmq-server: stretch postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -267518,6 +267518,7 @@ CVE-2018-1279 (Pivotal RabbitMQ for PCF, all versions, uses a deterministically - rabbitmq-server 3.9.8-5 (bug #924768) [bullseye] - rabbitmq-server (Minor issue) [buster] - rabbitmq-server (Minor issue) + [stretch] - rabbitmq-server (Minor issue; documentation-only fix) NOTE: https://pivotal.io/security/cve-2018-1279 CVE-2018-1278 (Apps Manager included in Pivotal Application Service, versions 1.12.x ...) NOT-FOR-US: Pivotal View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c94a99384302b7be17b068fb298686ff31da164 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c94a99384302b7be17b068fb298686ff31da164 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
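Review bot: the subject says "stretch postponed", but the added line reads "[stretch] - rabbitmq-server (Minor issue; documentation-only fix)" with no state marker between the package name and the reason, and the existing [bullseye]/[buster] lines in the context show the same shape; the tracker writes that marker as an angle-bracketed token (for example <postponed> or <no-dsa>), which the mail rendering here appears to have dropped. Confirm the committed lines carry the marker, since without it the release lines do not express the decision the subject describes.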
[Git][security-tracker-team/security-tracker][master] dla: add debian-edu-config
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: f426193e by Sylvain Beucler at 2022-02-04T16:03:14+01:00 dla: add debian-edu-config - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -31,6 +31,9 @@ debian-archive-keyring NOTE: 20211018: Jonathan is prepping the branch; will work NOTE: 20211018: with him and upload and publish the DLA. (utkarsh) -- +debian-edu-config + NOTE: 20220204: upcoming DSA (Beuc) +-- firmware-nonfree (Markus Koschany) NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f426193efccc6b3da6dda7b785ef18db729be3a8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f426193efccc6b3da6dda7b785ef18db729be3a8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2022-21680,CVE-2022-21681/node-marked: stretch end-of-life
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: abfd6ae1 by Sylvain Beucler at 2022-02-04T15:42:58+01:00 CVE-2022-21680,CVE-2022-21681/node-marked: stretch end-of-life - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14602,6 +14602,7 @@ CVE-2022-21681 (Marked is a markdown parser and compiler. Prior to version 4.0.1 - node-marked 4.0.12+ds+~4.0.1-1 [bullseye] - node-marked (Minor issue) [buster] - node-marked (Minor issue) + [stretch] - node-marked (Nodejs in stretch not covered by security support) NOTE: https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj NOTE: https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5 NOTE: https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0 (4.0.10) @@ -14610,6 +14611,7 @@ CVE-2022-21680 (Marked is a markdown parser and compiler. Prior to version 4.0.1 - node-marked 4.0.12+ds+~4.0.1-1 [bullseye] - node-marked (Minor issue) [buster] - node-marked (Minor issue) + [stretch] - node-marked (Nodejs in stretch not covered by security support) NOTE: https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0 (4.0.10) NOTE: https://github.com/markedjs/marked/releases/tag/v4.0.10 NOTE: https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abfd6ae1d7b10ec4b142e622b2b9a22088209f05 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abfd6ae1d7b10ec4b142e622b2b9a22088209f05 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: take gif2apng
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 68b5e71d by Anton Gladky at 2022-02-04T15:26:46+01:00 LTS: take gif2apng - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -39,7 +39,7 @@ firmware-nonfree (Markus Koschany) flatpak NOTE: 20220113: upcoming DSA; non-trivial backport (Beuc) -- -gif2apng +gif2apng (Anton) NOTE: 20220114: orphaned package with inactive upstream, maybe coordinate with Debian QA to write our own patches (Beuc) NOTE: 20220114: CVEs unrelated to apng2gif's (Beuc) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68b5e71d9c2a25c19a9393cc201f66c88181724c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68b5e71d9c2a25c19a9393cc201f66c88181724c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 5 commits: Reclaim firmware-nonfree in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: a9be54e8 by Markus Koschany at 2022-02-04T15:12:56+01:00 Reclaim firmware-nonfree in dla-needed.txt - - - - - 9e0de800 by Markus Koschany at 2022-02-04T15:13:27+01:00 Remove minetest from dla-needed.txt again Games are not supported - - - - - f7a81994 by Markus Koschany at 2022-02-04T15:14:51+01:00 CVE-2022-24300,CVE-2022-24301,minetest: Mark as end-of-life - - - - - 3787efe8 by Markus Koschany at 2022-02-04T15:15:33+01:00 Remove guacamole-client from dla-needed.txt - - - - - 3af7f763 by Markus Koschany at 2022-02-04T15:17:43+01:00 CVE-2021-41767,guacamole-client: end-of-life See https://lists.debian.org/debian-lts/2022/01/msg00015.html - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -2230,6 +2230,7 @@ CVE-2021-4209 RESERVED CVE-2022-24300 (Minetest before 5.4.0 allows attackers to add or modify arbitrary meta ...) - minetest 5.4.1+repack-1 (bug #1004223) + [stretch] - minetest (games are not supported in LTS) NOTE: https://github.com/minetest/minetest/security/advisories/GHSA-hwj2-xf72-r4cf NOTE: Fixed by: https://github.com/minetest/minetest/commit/b5956bde259faa240a81060ff4e598e25ad52dae (5.4.0) NOTE: When fixing this issue the fix for GHSA-7q63-4fq2-hqcr should be included, @@ -2238,6 +2239,7 @@ CVE-2022-24300 (Minetest before 5.4.0 allows attackers to add or modify arbitrar NOTE: https://github.com/minetest/minetest/commit/8d6a0b917ce1e7f4f1017835af0ca76e79c98c38 (5.2.0) CVE-2022-24301 (In Minetest before 5.4.0, players can add or subtract items from a dif ...) - minetest 5.4.1+repack-1 + [stretch] - minetest (games are not supported in LTS) NOTE: https://github.com/minetest/minetest/security/advisories/GHSA-fvwv-qcq6-wmp5 NOTE: Fixed by: https://github.com/minetest/minetest/commit/3693b6871eba268ecc79b3f52d00d3cefe761131 (5.4.0) CVE-2022-23850 (xhtml_translate_entity in xhtml.c in epub2txt (aka epub2txt2) through ...) 
@@ -23269,6 +23271,7 @@ CVE-2021-41768 RESERVED CVE-2021-41767 (Apache Guacamole 1.3.0 and older may incorrectly include a private tun ...) - guacamole-client + [stretch] - guacamole-client (unmaintained stretch-only package) NOTE: https://www.openwall.com/lists/oss-security/2022/01/11/6 CVE-2021-3837 (openwhyd is vulnerable to Improper Authorization ...) NOT-FOR-US: openwhyd = data/dla-needed.txt = @@ -31,7 +31,7 @@ debian-archive-keyring NOTE: 20211018: Jonathan is prepping the branch; will work NOTE: 20211018: with him and upload and publish the DLA. (utkarsh) -- -firmware-nonfree +firmware-nonfree (Markus Koschany) NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag NOTE: 20211207: Intend to release this week. @@ -48,9 +48,6 @@ gpac (Roberto C. Sánchez) NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto) NOTE: 20211228: Returning to active work on this now that llvm/rustc update is complete (roberto) -- -guacamole-client (Markus Koschany) - NOTE: 20220114: package unmaintained AFAICS and only present in stretch (Beuc) --- libarchive (Thorsten Alteholz) NOTE: 20220116: waiting for upload in higher releases NOTE: 20220130: new CVEs arrived 
@@ -62,9 +59,6 @@ linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) -- -minetest - NOTE: 20220203: a DSA is planned (Beuc) --- nvidia-graphics-drivers NOTE: 20220203: package is in non-free but also in packages-to-support (Beuc) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/199dc479a6ad00b91b9fde09bed767a5c4b8fdfe...3af7f7635798aefdf9881f985862badd54082931 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/199dc479a6ad00b91b9fde09bed767a5c4b8fdfe...3af7f7635798aefdf9881f985862badd54082931 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
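Review bot: commit 3af7f763 cites https://lists.debian.org/debian-lts/2022/01/msg00015.html as the basis for the guacamole-client end-of-life decision, but only in the commit message; add it as a NOTE line under CVE-2021-41767 next to the oss-security link so the rationale travels with the entry rather than with the git history. The minetest lines already carry their reason inline ("games are not supported in LTS"), so nothing further is needed there.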
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove no-dsa tags for upcoming apng2gif update
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 662a1732 by Markus Koschany at 2022-02-04T15:10:37+01:00 Remove no-dsa tags for upcoming apng2gif update - - - - - 199dc479 by Markus Koschany at 2022-02-04T15:11:46+01:00 Reserve DLA-2911-1 for apng2gif - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -302847,18 +302847,15 @@ CVE-2017-6963 RESERVED CVE-2017-6962 (An issue was discovered in apng2gif 1.7. There is an integer overflow ...) - apng2gif 1.8-0.1 (bug #854447) - [stretch] - apng2gif (Minor issue; can be fixed via point release) [jessie] - apng2gif (Vulnerable code introduced later with refactoring) [wheezy] - apng2gif (Vulnerable code introduced later with refactoring) CVE-2017-6961 (An issue was discovered in apng2gif 1.7. There is improper sanitizatio ...) - apng2gif 1.8-0.1 (bug #854441) - [stretch] - apng2gif (Minor issue; can be fixed via point release) [jessie] - apng2gif (Vulnerable code introduced later with refactoring) [wheezy] - apng2gif (Vulnerable code introduced later with refactoring) CVE-2017-6960 (An issue was discovered in apng2gif 1.7. There is an integer overflow ...) {DLA-2165-1 DLA-981-1} - apng2gif 1.8-0.1 (bug #854367) - [stretch] - apng2gif (Minor issue; can be fixed via point release) CVE-2017-6959 REJECTED CVE-2017-6958 (An XSS vulnerability in the MantisBT Source Integration Plugin (before ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[04 Feb 2022] DLA-2911-1 apng2gif - security update + {CVE-2017-6960 CVE-2017-6961 CVE-2017-6962} + [stretch] - apng2gif 1.8-0.1~deb9u1 [03 Feb 2022] DLA-2910-1 ldns - security update {CVE-2017-1000231 CVE-2017-1000232 CVE-2020-19860 CVE-2020-19861} [stretch] - ldns 1.7.0-1+deb9u1 = data/dla-needed.txt = 
@@ -18,10 +18,6 @@ ansible NOTE: 20210411: after that LTS. (apo) NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ -- -apng2gif (Markus Koschany) - NOTE: 20211229: CVE-2017-6960 was fixed in DLAs for wheezy and jessie - NOTE: 20211229: but is unfixed in stretch, plus 2 additional CVEs (bunk) --- connman (Emilio) NOTE: 20220203: harmonize with buster-10.10 (CVE-2021-33833) NOTE: 20220203: + check new CVEs if patches can be identified (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b954ce84d07609fb033dec8ce720ebd00781147c...199dc479a6ad00b91b9fde09bed767a5c4b8fdfe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b954ce84d07609fb033dec8ce720ebd00781147c...199dc479a6ad00b91b9fde09bed767a5c4b8fdfe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
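Review bot: reserving DLA-2911-1 in data/DLA/list with version 1.8-0.1~deb9u1 ahead of the upload is fine, but the three [stretch] "Minor issue; can be fixed via point release" lines are removed in the same push, so until the DLA is published the stretch status of CVE-2017-6960, CVE-2017-6961 and CVE-2017-6962 rests only on the reserved entry. Make sure the "[04 Feb 2022]" date is corrected if the upload slips, and that the {DLA-2911-1} cross-reference lands on the three CVE entries (the automatic update normally adds it from data/DLA/list).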
[Git][security-tracker-team/security-tracker][master] CVE-2022-23133/zabbix: stretch not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: b954ce84 by Sylvain Beucler at 2022-02-04T14:45:50+01:00 CVE-2022-23133/zabbix: stretch not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4501,8 +4501,10 @@ CVE-2022-23134 (After the initial setup process, some steps of setup.php file ar NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/aa0fecfbcc9794bc00206630a7424575dfc944df (5.0.19rc2) CVE-2022-23133 (An authenticated user can create a hosts group from the configuration ...) - zabbix + [stretch] - zabbix (Vulnerable code introduced later, and reverted with the fix) NOTE: https://support.zabbix.com/browse/ZBX-20388 NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/74b8716a73c324e6cdbdda1de434e7872740a908 (5.0.19rc1) + NOTE: Introduced by: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/f3654d0173ea244a2319a093f7c4e27ad9086dc3 (4.4.0alpha3) CVE-2022-23132 (During Zabbix installation from RPM, DAC_OVERRIDE SELinux capability i ...) - zabbix [stretch] - zabbix (Not using RPM or DAC_OVERRIDE in Debian installs, zbx_ipc_service_init_env() not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b954ce84d07609fb033dec8ce720ebd00781147c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b954ce84d07609fb033dec8ce720ebd00781147c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] libde265 bug
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d0ea97c6 by Moritz Muehlenhoff at 2022-02-04T14:27:26+01:00 libde265 bug - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -104215,7 +104215,7 @@ CVE-2020-21603 (libde265 v1.0.4 contains a heap buffer overflow in the put_qpel_ [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/240 CVE-2020-21602 (libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_bi ...) - - libde265 + - libde265 (bug #1004963) [bullseye] - libde265 (Minor issue, revisit when fixed upstream) [buster] - libde265 (Minor issue, revisit when fixed upstream) [stretch] - libde265 (Minor issue, revisit when fixed upstream) @@ -104227,7 +104227,7 @@ CVE-2020-21601 (libde265 v1.0.4 contains a stack buffer overflow in the put_qpel [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/241 CVE-2020-21600 (libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_pr ...) - - libde265 + - libde265 (bug #1004963) [bullseye] - libde265 (Minor issue, revisit when fixed upstream) [buster] - libde265 (Minor issue, revisit when fixed upstream) [stretch] - libde265 (Minor issue, revisit when fixed upstream) 
@@ -104239,7 +104239,7 @@ CVE-2020-21599 (libde265 v1.0.4 contains a heap buffer overflow in the de265_ima [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/235 CVE-2020-21598 (libde265 v1.0.4 contains a heap buffer overflow in the ff_hevc_put_unw ...) - - libde265 + - libde265 (bug #1004963) [bullseye] - libde265 (Minor issue, revisit when fixed upstream) [buster] - libde265 (Minor issue, revisit when fixed upstream) [stretch] - libde265 (Minor issue, revisit when fixed upstream) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d0ea97c65dbc059201fa92da058d128a8eb11f6b
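Review bot: the three edited entries (CVE-2020-21602, CVE-2020-21600, CVE-2020-21598) all gain "(bug #1004963)", while the neighbouring libde265 entries visible as hunk context (CVE-2020-21603, CVE-2020-21601, CVE-2020-21599) carry identical "Minor issue, revisit when fixed upstream" annotations but no bug reference; if #1004963 covers the whole batch, the context entries should get the same reference, otherwise the commit message should say why only these three are tied to it.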
[Git][security-tracker-team/security-tracker][master] bullseye/buster triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7feae34c by Moritz Muehlenhoff at 2022-02-04T14:25:10+01:00 bullseyre/buster triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -856,6 +856,8 @@ CVE-2022-0415 RESERVED CVE-2022-24130 (xterm through Patch 370, when Sixel support is enabled, allows attacke ...) - xterm 370-2 (bug #1004689) + [bullseye] - xterm (Minor issue) + [buster] - xterm (Minor issue) NOTE: https://twitter.com/nickblack/status/1487731459398025216 NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/2 NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/3 @@ -1176,6 +1178,11 @@ CVE-2022-0392 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to CVE-2022-0391 [urllib.parse does not sanitize URLs containing ASCII newline and tabs] RESERVED - python3.9 3.9.7-1 + [bullseye] - python3.9 (Minor issue) + - python3.7 + [buster] - python3.7 (Minor issue) + - python3.5 + - python3.4 NOTE: https://bugs.python.org/issue43882 NOTE: Fixed by: https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4 (v3.10.0b1) NOTE: Followup for 3.10.x: https://github.com/python/cpython/commit/24f1d1a8a2c4aa58a606b4b6d5fa4305a3b91705 (v3.10.0b2) @@ -3145,11 +3152,15 @@ CVE-2022-23453 CVE-2022-23452 RESERVED - barbican + [bullseye] - barbican (Minor issue) + [buster] - barbican (Minor issue) NOTE: https://storyboard.openstack.org/#!/story/2009297 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2025090 CVE-2022-23451 RESERVED - barbican + [bullseye] - barbican (Minor issue) + [buster] - barbican (Minor issue) NOTE: https://storyboard.openstack.org/#!/story/2009253 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2025089 CVE-2022-23450 
@@ -4766,16 +4777,19 @@ CVE-2022-23036 RESERVED CVE-2022-23035 (Insufficient cleanup of passed-through device IRQs The management of I ...) - xen + [bullseye] - xen (Fix along with next DSA round) [buster] - xen (DSA 4677-1) [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-395.html CVE-2022-23034 (A PV guest could DoS Xen while unmapping a grant To address XSA-380, r ...) - xen + [bullseye] - xen (Fix along with next DSA round) [buster] - xen (DSA 4677-1) [stretch] - xen (DSA 4602-1) NOTE: https://xenbits.xen.org/xsa/advisory-394.html CVE-2022-23033 (arm: guest_physmap_remove_page not removing the p2m mappings The funct ...) - xen + [bullseye] - xen (Fix along with next DSA round) [buster] - xen (Vulnerable code introduced later) [stretch] - xen (Vulnerable code introduced later) NOTE: https://xenbits.xen.org/xsa/advisory-393.html 
@@ -14582,12 +14596,16 @@ CVE-2022-21682 (Flatpak is a Linux application sandboxing and distribution frame NOTE: 1.12.4 added further changes to avoid regressions for some workflows CVE-2022-21681 (Marked is a markdown parser and compiler. Prior to version 4.0.10, the ...) - node-marked 4.0.12+ds+~4.0.1-1 + [bullseye] - node-marked (Minor issue) + [buster] - node-marked (Minor issue) NOTE: https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj NOTE: https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5 NOTE: https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0 (4.0.10) NOTE: https://github.com/markedjs/marked/releases/tag/v4.0.10 CVE-2022-21680 (Marked is a markdown parser and compiler. Prior to version 4.0.10, the ...) - node-marked 4.0.12+ds+~4.0.1-1 + [bullseye] - node-marked (Minor issue) + [buster] - node-marked (Minor issue) NOTE: https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0 (4.0.10) NOTE: https://github.com/markedjs/marked/releases/tag/v4.0.10 NOTE: https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf @@ -17141,11 +17159,15 @@ CVE-2021-43358 (Sunnet eHRD has inadequate filtering for special characters in U NOT-FOR-US: Sunnet eHRD CVE-2021-3928 (vim is vulnerable to Use of Uninitialized Variable ...) - vim 2:8.2.3995-1 + [bullseye] - vim (Minor issue) + [buster] - vim (Minor issue) [stretch] - vim (Minor issue) NOTE: https://huntr.dev/bounties/29c3ebd2-d601-481c-bf96-76975369d0cd NOTE: Fixed by: https://github.com/vim/vim/commit/15d9890eee53afc61eb0a03b878a19cb5672f732 (v8.2.3582) CVE-2021-3927 (vim is vulnerable to Heap-based Buffer
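Review bot: in the CVE-2022-0391 hunk, python3.5 and python3.4 are added as bare unfixed package lines with neither a fixed version nor a suite annotation, unlike python3.7, which gets "[buster] - python3.7 (Minor issue)"; stretch is still being annotated in this same commit (the CVE-2021-3928 hunk keeps "[stretch] - vim (Minor issue)"), so python3.5 needs a matching "[stretch]" line, or the tracker will show the issue as open and untriaged for stretch.

Review bot: the xen hunks (CVE-2022-23035, CVE-2022-23034, CVE-2022-23033) mark bullseye "Fix along with next DSA round", which is the only place that intent is recorded; the pending DSA should also be reflected in data/dsa-needed.txt (as the debian-edu-config commit in this same batch does) so it is not lost between triage and the next advisory.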
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2018-1279
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 858358ef by Salvatore Bonaccorso at 2022-02-04T14:14:53+01:00 Add Debian bug reference for CVE-2018-1279 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -267477,7 +267477,7 @@ CVE-2017-17448 (net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4 CVE-2018-1280 (Pivotal Greenplum Command Center versions 2.x prior to 2.5.1 contains ...) NOT-FOR-US: Pivotal CVE-2018-1279 (Pivotal RabbitMQ for PCF, all versions, uses a deterministically gener ...) - - rabbitmq-server 3.9.8-5 + - rabbitmq-server 3.9.8-5 (bug #924768) [bullseye] - rabbitmq-server (Minor issue) [buster] - rabbitmq-server (Minor issue) NOTE: https://pivotal.io/security/cve-2018-1279 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/858358eff9102e6f32c6a6dbd377bfa6edd22292
[Git][security-tracker-team/security-tracker][master] 2 commits: Add CVE-2021-20001/debian-edu-config
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2bdfee1f by Salvatore Bonaccorso at 2022-02-04T14:09:41+01:00 Add CVE-2021-20001/debian-edu-config - - - - - eedda795 by Salvatore Bonaccorso at 2022-02-04T14:10:36+01:00 Add debian-edu-config to dsa-needed list - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -79124,6 +79124,8 @@ CVE-2021-20002 RESERVED CVE-2021-20001 RESERVED + - debian-edu-config 2.12.16 + NOTE: https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/4d39a5888d193567704238f8c035f8d17cfe34e5 CVE-2020-35488 (The fileop module of the NXLog service in NXLog Community Edition 2.10 ...) NOT-FOR-US: NXLog CVE-2020-35487 = data/dsa-needed.txt = @@ -21,6 +21,9 @@ condor cryptsetup/stable (corsac) Maintainer is proposing updates, to be checked further procedure -- +debian-edu-config + Maintainer preparing updates down the supported suites +-- expat (carnil) -- faad2/oldstable (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3151685996e139d7ba86a9a32768a4b712ebc0fc...eedda795f87081b24ff881d41f3c9fd5d19bd551
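Review bot: CVE-2021-20001 is still RESERVED with no description, so the added "- debian-edu-config 2.12.16" line and the salsa commit link are the only context a reader gets; the tracker convention used elsewhere in this batch for reserved IDs, a bracketed short description on the CVE line (as in "CVE-2022-0391 [urllib.parse does not sanitize URLs containing ASCII newline and tabs]" and "CVE-2021-3623 [out-of-bounds access when trying to resume the state of the vTPM]"), would help here too.

Review bot: in the data/dsa-needed.txt hunk the new debian-edu-config entry has no owner tag, unlike the surrounding "cryptsetup/stable (corsac)" and "expat (carnil)" entries; if someone on the team is driving the DSA, add the "(name)" tag so the entry is not mistaken for unclaimed work.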
[Git][security-tracker-team/security-tracker][master] Group entries for easier tracking/overview
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 31516859 by Salvatore Bonaccorso at 2022-02-04T14:07:54+01:00 Group entries for easier tracking/overview - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -30,6 +30,8 @@ CVE-2021-32719 [bullseye] - rabbitmq-server 3.8.9-3+deb11u1 CVE-2021-22116 [bullseye] - rabbitmq-server 3.8.9-3+deb11u1 +CVE-2018-1279 + [bullseye] - rabbitmq-server 3.8.9-3+deb11u1 CVE-2021-36980 [bullseye] - openvswitch 2.15.0+ds1-2+deb11u1 CVE-2022-0155 @@ -56,5 +58,3 @@ CVE-2021-23518 [bullseye] - node-cached-path-relative 1.0.2-1+deb11u1 CVE-2021-44273 [bullseye] - e2guardian 5.3.4-1+deb11u1 -CVE-2018-1279 - [bullseye] - rabbitmq-server 3.8.9-3+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3151685996e139d7ba86a9a32768a4b712ebc0fc
[Git][security-tracker-team/security-tracker][master] CVE-2022-23131/zabbix: stretch not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 41bc0304 by Sylvain Beucler at 2022-02-04T14:05:24+01:00 CVE-2022-23131/zabbix: stretch not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4498,9 +4498,10 @@ CVE-2022-23132 (During Zabbix installation from RPM, DAC_OVERRIDE SELinux capabi NOTE: https://support.zabbix.com/browse/ZBX-20341 NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/019fbd9b5cc9c455304f1a48460435ca474ba2ac (5.0.18) CVE-2022-23131 (In the case of instances where the SAML SSO authentication is enabled ...) - - zabbix + - zabbix + [stretch] - zabbix (SAML authentication support added in 5.0) NOTE: https://support.zabbix.com/browse/ZBX-20350 - TODO: check, possibly only affecting 5.4.0 onwards + TODO: check, possibly only affecting 5.4.0 onwards; similar code but no upstream fix in 5.0 LTS CVE-2022-23130 (Buffer Over-read vulnerability in Mitsubishi Electric MC Works64 versi ...) NOT-FOR-US: Mitsubishi CVE-2022-23129 (Plaintext Storage of a Password vulnerability in Mitsubishi Electric M ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41bc0304994ad24644552350ab8c0610e2c18d32
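Review bot: the hunk annotates only stretch ("SAML authentication support added in 5.0") and leaves the rest of the entry open; the updated TODO says "similar code but no upstream fix in 5.0 LTS", so buster and bullseye are neither marked not-affected nor given a fixed version. Once that comparison is finished, the entry should carry explicit "[buster]" and "[bullseye]" lines, and a NOTE naming the 5.0 code that was compared would let the next person verify the conclusion instead of redoing it.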
[Git][security-tracker-team/security-tracker][master] associate CVE-2018-1279 also with rabbitmq and track spu upload
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3f71355b by Moritz Mühlenhoff at 2022-02-04T13:22:15+01:00 associate CVE-2018-1279 also with rabbitmq and track spu upload - - - - - 2 changed files: - data/CVE/list - data/next-point-update.txt Changes: = data/CVE/list = @@ -267474,7 +267474,9 @@ CVE-2017-17448 (net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4 CVE-2018-1280 (Pivotal Greenplum Command Center versions 2.x prior to 2.5.1 contains ...) NOT-FOR-US: Pivotal CVE-2018-1279 (Pivotal RabbitMQ for PCF, all versions, uses a deterministically gener ...) - - rabbitmq-server (Specific to RabbitMQ setup in Pivotal, see bug #924768) + - rabbitmq-server 3.9.8-5 + [bullseye] - rabbitmq-server (Minor issue) + [buster] - rabbitmq-server (Minor issue) NOTE: https://pivotal.io/security/cve-2018-1279 CVE-2018-1278 (Apps Manager included in Pivotal Application Service, versions 1.12.x ...) NOT-FOR-US: Pivotal = data/next-point-update.txt = @@ -56,3 +56,5 @@ CVE-2021-23518 [bullseye] - node-cached-path-relative 1.0.2-1+deb11u1 CVE-2021-44273 [bullseye] - e2guardian 5.3.4-1+deb11u1 +CVE-2018-1279 + [bullseye] - rabbitmq-server 3.8.9-3+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f71355b313bef79ef5230766c80a65ee21779f5
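Review bot: the replaced data/CVE/list line drops the "see bug #924768" reference together with the "Specific to RabbitMQ setup in Pivotal" annotation, so the Debian bug is no longer linked from the entry; the reference is still valid on the fixed line and should be carried over in the same edit as "- rabbitmq-server 3.9.8-5 (bug #924768)" (commit 858358ef later in this batch adds it back).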
[Git][security-tracker-team/security-tracker][master] nvidia-graphics-drivers-tesla-470 fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 797ff083 by Moritz Mühlenhoff at 2022-02-04T13:16:59+01:00 nvidia-graphics-drivers-tesla-470 fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11842,7 +11842,7 @@ CVE-2022-21814 - nvidia-graphics-drivers-legacy-390xx (bug #1004849) [bullseye] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) [buster] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) - - nvidia-graphics-drivers-tesla-470 (bug #1004853) + - nvidia-graphics-drivers-tesla-470 470.103.01-1 (bug #1004853) - nvidia-graphics-drivers-tesla-460 (bug #1004852) [bullseye] - nvidia-graphics-drivers-tesla-460 (Non-free not supported) - nvidia-graphics-drivers-tesla-450 450.172.01-1 (bug #1004851) @@ -11860,7 +11860,7 @@ CVE-2022-21813 - nvidia-graphics-drivers-legacy-390xx (bug #1004849) [bullseye] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) [buster] - nvidia-graphics-drivers-legacy-390xx (Non-free not supported) - - nvidia-graphics-drivers-tesla-470 (bug #1004853) + - nvidia-graphics-drivers-tesla-470 470.103.01-1 (bug #1004853) - nvidia-graphics-drivers-tesla-460 (bug #1004852) [bullseye] - nvidia-graphics-drivers-tesla-460 (Non-free not supported) - nvidia-graphics-drivers-tesla-450 450.172.01-1 (bug #1004851) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/797ff083889e469c014c91bbe7ec4839b911278b
[Git][security-tracker-team/security-tracker][master] NFU
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: 8e6aaef1 by Henri Salo at 2022-02-04T11:04:40+02:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -37033,8 +37033,10 @@ CVE-2021-36153 (Mismanaged state in GRPCWebToHTTP2ServerCodec.swift in gRPC Swif NOT-FOR-US: gRPC Swift CVE-2021-36152 RESERVED + NOT-FOR-US: Apache Gobblin CVE-2021-36151 RESERVED + NOT-FOR-US: Apache Gobblin CVE-2021-3636 (It was found in OpenShift, before version 4.8, that the generated cert ...) NOT-FOR-US: OpenShift CVE-2021-3635 (A flaw was found in the Linux kernel netfilter implementation in versi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e6aaef17151f2c5f744089a729528a7be6618e2
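Review bot: both CVE-2021-36152 and CVE-2021-36151 are still RESERVED with no description, so the "NOT-FOR-US: Apache Gobblin" attribution cannot be checked against anything in the hunk; add a NOTE with the source the attribution is based on (advisory or upstream commit), since the other NFU entries in this context at least carry the description text that justifies them.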
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4aa100be by Moritz Muehlenhoff at 2022-02-04T09:27:16+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -262,7 +262,7 @@ CVE-2022-0473 CVE-2022-24308 RESERVED CVE-2022-24307 (Mastodon before 3.3.2 and 3.4.x before 3.4.6 has incorrect access cont ...) - TODO: check + NOT-FOR-US: Mastodon CVE-2022-24306 RESERVED CVE-2022-24305 @@ -529,7 +529,7 @@ CVE-2022-0433 [missing initialization in bloom filter map in kernel/bpf/bloom_fi NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2048259 NOTE: Fixed by: https://git.kernel.org/linus/3ccdcee28415c4226de05438b4d89eb5514edf73 (5.17-rc1) CVE-2022-0432 (Prototype Pollution in GitHub repository mastodon/mastodon prior to 3. ...) - TODO: check + NOT-FOR-US: Mastodon CVE-2022-0431 RESERVED CVE-2022-0430 @@ -874,7 +874,7 @@ CVE-2022-24125 CVE-2022-24124 (The query API in Casdoor before 1.13.1 has a SQL injection vulnerabili ...) NOT-FOR-US: Casdoor CVE-2022-24123 (MarkText through 0.16.3 does not sanitize the input of a mermaid block ...) - TODO: check + NOT-FOR-US: MarkText CVE-2022-24121 (SQL Injection vulnerability discovered in Unified Office Total Connect ...) NOT-FOR-US: Unified Office CVE-2021-46660 (Signiant Manager+Agents before 15.1 allows XML External Entity (XXE) a ...) @@ -963,7 +963,7 @@ CVE-2022-0403 CVE-2022-0402 RESERVED CVE-2022-0401 (Path Traversal in NPM w-zip prior to 1.0.12. ...) - TODO: check + NOT-FOR-US: Node w-zip CVE-2022-0400 [Out of bounds read in the smc protocol stack] RESERVED - linux 
@@ -2831,9 +2831,9 @@ CVE-2022-23605 CVE-2022-23604 RESERVED CVE-2022-23603 (iTunesRPC-Remastered is a discord rich presence application for use wi ...) - TODO: check + NOT-FOR-US: iTunesRPC-Remastered CVE-2022-23602 (Nimforum is a lightweight alternative to Discourse written in Nim. In ...) - TODO: check + NOT-FOR-US: Nimforum CVE-2022-23601 (Symfony is a PHP framework for web and console applications and a set ...) - symfony (Vulnerable code not present; no Debian released version contained the vulnerable code) NOTE: https://symfony.com/blog/cve-2022-23601-csrf-token-missing-in-forms @@ -11522,11 +11522,11 @@ CVE-2021-44884 CVE-2021-44883 RESERVED CVE-2021-44882 (D-Link device DIR_878_FW1.30B08_Hotfix_02 was discovered to contain a ...) - TODO: check + NOT-FOR-US: D-Link CVE-2021-44881 (D-Link device DIR_882 DIR_882_FW1.30B06_Hotfix_02 was discovered to co ...) - TODO: check + NOT-FOR-US: D-Link CVE-2021-44880 (D-Link devices DIR_878 DIR_878_FW1.30B08_Hotfix_02 and DIR_882 DIR_882 ...) - TODO: check + NOT-FOR-US: D-Link CVE-2021-44879 RESERVED CVE-2021-44878 (Pac4j v5.1 and earlier allows (by default) clients to accept and succe ...) @@ -11554,7 +11554,7 @@ CVE-2021-44868 CVE-2021-44867 RESERVED CVE-2021-44866 (An issue was discovered in Online-Movie-Ticket-Booking-System 1.0. The ...) - TODO: check + NOT-FOR-US: Online-Movie-Ticket-Booking-System CVE-2021-44865 RESERVED CVE-2021-44864 
@@ -13392,9 +13392,9 @@ CVE-2021-44249 (Online Motorcycle (Bike) Rental System 1.0 is vulnerable to a Bl CVE-2021-44248 RESERVED CVE-2021-44247 (Totolink devices A3100R v4.1.2cu.5050_B20200504, A830R v5.9c.4729_B201 ...) - TODO: check + NOT-FOR-US: Totolink CVE-2021-44246 (Totolink devices A3100R v4.1.2cu.5050_B20200504, A830R v5.9c.4729_B201 ...) - TODO: check + NOT-FOR-US: Totolink CVE-2021-44245 (An SQL Injection vulnerability exists in Courcecodester COVID 19 Testi ...) NOT-FOR-US: Sourcecodester COVID 19 Testing Management System (CTMS) CVE-2021-44244 (An SQL Injection vulnerabiity exists in Sourcecodester Logistic Hub Pa ...) @@ -14494,7 +14494,7 @@ CVE-2022-21712 CVE-2022-21711 (elfspirit is an ELF static analysis and injection framework that parse ...) NOT-FOR-US: elfspirit CVE-2022-21710 (ShortDescription is a MediaWiki extension that provides local short de ...) - TODO: check + NOT-FOR-US: ShortDescription MediaWiki extension CVE-2022-21709 RESERVED CVE-2022-21708 (graphql-go is a GraphQL server with a focus on ease of use. In version ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4aa100be6ac2ae9b8c0afabf69aa48976fd6ff76
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2022-0329 which was wrongly assigned
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8bbd4d6e by Salvatore Bonaccorso at 2022-02-04T09:26:28+01:00 Remove notes from CVE-2022-0329 which was wrongly assigned - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2360,9 +2360,6 @@ CVE-2022-0330 [drm/i915: Flush TLBs before releasing backing store] NOTE: https://git.kernel.org/linus/7938d61591d33394a21bdd7797a245b65428f44c CVE-2022-0329 REJECTED - - loguru 0.5.3-5 (bug #1004194) - NOTE: https://github.com/Delgan/loguru/issues/563 - NOTE: https://github.com/delgan/loguru/commit/4b0070a4f30cbf6d5e12e6274b242b62ea11c81b CVE-2022-0328 RESERVED CVE-2022-0327 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8bbd4d6e91e08b87c14f28ece85979266ada55ce
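Review bot: the three removed lines take the Debian bug (#1004194) and the upstream issue and commit links out of the tracker without any replacement, leaving a bare "REJECTED" with no trace of what was mistakenly filed under it; keeping a one-line NOTE that the loguru issue was wrongly assigned this ID (and, if a correct ID exists, where it is now tracked) would preserve that history for anyone who later finds the bug referencing CVE-2022-0329.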
[Git][security-tracker-team/security-tracker][master] Process more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 58f83382 by Salvatore Bonaccorso at 2022-02-04T09:25:25+01:00 Process more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2078,17 +2078,17 @@ CVE-2021-46459 (Victor CMS v1.0 was discovered to contain multiple SQL injection CVE-2021-46458 (Victor CMS v1.0 was discovered to contain a SQL injection vulnerabilit ...) NOT-FOR-US: Victor CMS CVE-2021-46457 (D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a co ...) - TODO: check + NOT-FOR-US: D-Link CVE-2021-46456 (D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a co ...) - TODO: check + NOT-FOR-US: D-Link CVE-2021-46455 (D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a co ...) - TODO: check + NOT-FOR-US: D-Link CVE-2021-46454 (D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a co ...) - TODO: check + NOT-FOR-US: D-Link CVE-2021-46453 (D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a co ...) - TODO: check + NOT-FOR-US: D-Link CVE-2021-46452 (D-Link device D-Link DIR-823-Pro v1.0.2 was discovered to contain a co ...) - TODO: check + NOT-FOR-US: D-Link CVE-2021-46451 (An SQL Injection vulnerabilty exists in Sourcecodester Online Project ...) NOT-FOR-US: Sourcecodester CVE-2021-46450 
@@ -5345,21 +5345,21 @@ CVE-2021-46234 (A NULL pointer dereference vulnerability exists in GPAC v1.1.0 v NOTE: https://github.com/gpac/gpac/issues/2023 NOTE: https://github.com/gpac/gpac/commit/70c6f6f832dccff814a19a74d87b97b3d68a4af5 CVE-2021-46233 (D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a co ...) - TODO: check + NOT-FOR-US: D-Link CVE-2021-46232 (D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a co ...) - TODO: check + NOT-FOR-US: D-Link CVE-2021-46231 (D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a co ...) - TODO: check + NOT-FOR-US: D-Link CVE-2021-46230 (D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a co ...) - TODO: check + NOT-FOR-US: D-Link CVE-2021-46229 (D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a co ...) - TODO: check + NOT-FOR-US: D-Link CVE-2021-46228 (D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a co ...) - TODO: check + NOT-FOR-US: D-Link CVE-2021-46227 (D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a co ...) - TODO: check + NOT-FOR-US: D-Link CVE-2021-46226 (D-Link device DI-7200GV2.E1 v21.04.09E1 was discovered to contain a co ...) - TODO: check + NOT-FOR-US: D-Link CVE-2021-46225 (A buffer overflow in the GmfOpenMesh() function of libMeshb v7.61 allo ...) NOT-FOR-US: libMeshb CVE-2021-46224 @@ -7469,7 +7469,7 @@ CVE-2021-46000 CVE-2021-45999 RESERVED CVE-2021-45998 (D-Link device DIR_882 DIR_882_FW1.30B06_Hotfix_02 was discovered to co ...) - TODO: check + NOT-FOR-US: D-Link CVE-2021-45997 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) NOT-FOR-US: Tenda routers CVE-2021-45996 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) 
@@ -8422,25 +8422,25 @@ CVE-2021-45744 (A Stored Cross Site Scripting (XSS) vulnerability exists in blud CVE-2021-45743 RESERVED CVE-2021-45742 (TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a comm ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2021-45741 (TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a sta ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2021-45740 (TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stac ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2021-45739 (TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stac ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2021-45738 (TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a com ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2021-45737 (TOTOLINK A720R v4.1.5cu.470_B20200911 was discovered to contain a stac ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2021-45736 (TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a sta ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2021-45735 (TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to use the HTTP ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2021-45734 (TOTOLINK X5000R v9.1.0u.6118_B20201102 was discovered to contain a sta ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2021-45733 (TOTOLINK X5000R v9.1.0u.6118_B20201102 was
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c110adc4 by Salvatore Bonaccorso at 2022-02-04T09:23:22+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -753,67 +753,67 @@ CVE-2022-24174 CVE-2022-24173 RESERVED CVE-2022-24172 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24171 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24170 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24169 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24168 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24167 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24166 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24165 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24164 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24163 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24162 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24161 (Tenda AX3 v16.03.12.10_CN was discovered to contain a heap overflow in ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24160 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24159 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) 
- TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24158 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24157 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24156 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24155 (Tenda AX3 v16.03.12.10_CN was discovered to contain a heap overflow in ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24154 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24153 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24152 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24151 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24150 (Tenda AX3 v16.03.12.10_CN was discovered to contain a command injectio ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24149 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24148 (Tenda AX3 v16.03.12.10_CN was discovered to contain a command injectio ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24147 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24146 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24145 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) 
- TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24144 (Tenda AX3 v16.03.12.10_CN was discovered to contain a command injectio ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24143 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) - TODO: check + NOT-FOR-US: Tenda routers CVE-2022-24142 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) - TODO: check + NOT-FOR-US: Tenda routers
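Review bot: one style point that applies to the whole hunk (CVE-2022-24172 down to CVE-2022-24142): a single tag, `NOT-FOR-US: Tenda routers`, now covers two distinct product lines, the G1/G3 v15.11.0.17(9502)_CN entries and the AX3 v16.03.12.10_CN entries, whose truncated descriptions range from stack and heap overflows to command injection. That is fine for triage, since each per-CVE description stays on the CVE line and nothing is lost, but the tag string should match whatever existing Tenda entries in data/CVE/list already use so the vendor remains greppable under one name; the hunk on its own cannot show that, so a quick check against the rest of the file before pushing is worthwhile.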
[Git][security-tracker-team/security-tracker][master] libtpms fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 522990e9 by Moritz Muehlenhoff at 2022-02-04T09:19:16+01:00 libtpms fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -38574,7 +38574,7 @@ CVE-2021-3624 [buffer-overflow caused by integer-overflow in foveon_load_camf()] [stretch] - dcraw (Minor issue) CVE-2021-3623 [out-of-bounds access when trying to resume the state of the vTPM] RESERVED - - libtpms (bug #990522) + - libtpms 0.9.1-1 (bug #990522) NOTE: https://github.com/stefanberger/libtpms/pull/223 NOTE: https://github.com/stefanberger/libtpms/commit/2f30d620d3c053f20d38b54bf76ac0907821d263 NOTE: https://github.com/stefanberger/libtpms/commit/7981d9ad90a5043a05004e4ca7b46beab8ca7809 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/522990e9071f0ef04d0884674c7d116589792286 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/522990e9071f0ef04d0884674c7d116589792286 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
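Review bot: the hunk records the fixing version for unstable (`- libtpms 0.9.1-1 (bug #990522)`) but adds no suite-specific line, so the tracker will derive the bullseye status from the version comparison alone; the context line just above, `[stretch] - dcraw (Minor issue)`, shows the form used to record a per-suite decision. If the bullseye libtpms is affected, a `[bullseye] - libtpms ...` line with the usual marker and a reason would make the stable decision explicit instead of leaving it implied. The three NOTE lines (pull request 223 and the two upstream commits) are kept, which is good, and the entry stays marked RESERVED, consistent with the bracketed description being the tracker's own wording rather than a published MITRE text.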
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c274b800 by security tracker role at 2022-02-04T08:10:17+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,49 @@ +CVE-2022-24407 + RESERVED +CVE-2022-24406 + RESERVED +CVE-2022-24405 + RESERVED +CVE-2022-24404 + RESERVED +CVE-2022-24403 + RESERVED +CVE-2022-24402 + RESERVED +CVE-2022-24401 + RESERVED +CVE-2022-24400 + RESERVED +CVE-2022-24382 + RESERVED +CVE-2022-24379 + RESERVED +CVE-2022-24297 + RESERVED +CVE-2022-23917 + RESERVED +CVE-2022-23914 + RESERVED +CVE-2022-22730 + RESERVED +CVE-2022-21807 + RESERVED +CVE-2022-21795 + RESERVED +CVE-2022-21233 + RESERVED +CVE-2022-21128 + RESERVED +CVE-2022-0492 + RESERVED +CVE-2022-0491 + RESERVED +CVE-2022-0490 + RESERVED +CVE-2022-0489 + RESERVED +CVE-2022-0488 + RESERVED CVE-2022-24399 RESERVED CVE-2022-24398 @@ -33,6 +79,7 @@ CVE-2022-24384 CVE-2022-21241 RESERVED CVE-2022-0487 [Use after free in moxart_remove] + RESERVED - linux NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1194516 NOTE: https://lore.kernel.org/all/20220114075934.302464-1-gre...@linuxfoundation.org/ 
@@ -705,68 +752,68 @@ CVE-2022-24174 RESERVED CVE-2022-24173 RESERVED -CVE-2022-24172 - RESERVED -CVE-2022-24171 - RESERVED -CVE-2022-24170 - RESERVED -CVE-2022-24169 - RESERVED -CVE-2022-24168 - RESERVED -CVE-2022-24167 - RESERVED -CVE-2022-24166 - RESERVED -CVE-2022-24165 - RESERVED -CVE-2022-24164 - RESERVED -CVE-2022-24163 - RESERVED -CVE-2022-24162 - RESERVED -CVE-2022-24161 - RESERVED -CVE-2022-24160 - RESERVED -CVE-2022-24159 - RESERVED -CVE-2022-24158 - RESERVED -CVE-2022-24157 - RESERVED -CVE-2022-24156 - RESERVED -CVE-2022-24155 - RESERVED -CVE-2022-24154 - RESERVED -CVE-2022-24153 - RESERVED -CVE-2022-24152 - RESERVED -CVE-2022-24151 - RESERVED -CVE-2022-24150 - RESERVED -CVE-2022-24149 - RESERVED -CVE-2022-24148 - RESERVED -CVE-2022-24147 - RESERVED -CVE-2022-24146 - RESERVED -CVE-2022-24145 - RESERVED -CVE-2022-24144 - RESERVED -CVE-2022-24143 - RESERVED -CVE-2022-24142 - RESERVED +CVE-2022-24172 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + TODO: check +CVE-2022-24171 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + TODO: check +CVE-2022-24170 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + TODO: check +CVE-2022-24169 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + TODO: check +CVE-2022-24168 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + TODO: check +CVE-2022-24167 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + TODO: check +CVE-2022-24166 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + TODO: check +CVE-2022-24165 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + TODO: check +CVE-2022-24164 (Tenda routers G1 and G3 v15.11.0.17(9502)_CN were discovered to contai ...) + TODO: check +CVE-2022-24163 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) 
+ TODO: check +CVE-2022-24162 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + TODO: check +CVE-2022-24161 (Tenda AX3 v16.03.12.10_CN was discovered to contain a heap overflow in ...) + TODO: check +CVE-2022-24160 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + TODO: check +CVE-2022-24159 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + TODO: check +CVE-2022-24158 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + TODO: check +CVE-2022-24157 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + TODO: check +CVE-2022-24156 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + TODO: check +CVE-2022-24155 (Tenda AX3 v16.03.12.10_CN was discovered to contain a heap overflow in ...) + TODO: check +CVE-2022-24154 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + TODO: check +CVE-2022-24153 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + TODO: check +CVE-2022-24152 (Tenda AX3 v16.03.12.10_CN was discovered to contain a stack overflow i ...) + TODO: check +CVE-2022-24151 (Tenda AX3
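Review bot: in the second hunk (`@@ -33,6 +79,7 @@`), the added `RESERVED` line for CVE-2022-0487 [Use after free in moxart_remove] lands between the bracketed description and the existing `- linux` assignment, which leaves the manual triage (the package line and the bugzilla.suse.com and lore.kernel.org NOTEs) intact. Nothing to change here; the marker will need to go once the description is published, and the third hunk of this same commit shows the updater doing exactly that replacement for other IDs.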
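Review bot: the third hunk (`@@ -705,68 +752,68 @@`) replaces `RESERVED` with the published description plus a `TODO: check` for CVE-2022-24172 down to CVE-2022-24142, and the hunk as reproduced here is cut off at CVE-2022-24151, so the remaining entries are not visible in this excerpt. Every description that is visible names Tenda router firmware (G1/G3 v15.11.0.17(9502)_CN or AX3 v16.03.12.10_CN), so these 31 `TODO: check` markers are better resolved by one follow-up commit that sets a single `NOT-FOR-US` tag for the range, as the later commit higher on this page does, rather than by triaging each ID individually.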