[Git][security-tracker-team/security-tracker][master] Add CVE-2022-26353/qemu and update note for CVE-2021-3748
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6d7ff114 by Salvatore Bonaccorso at 2022-03-14T06:58:04+01:00 Add CVE-2022-26353/qemu and update note for CVE-2021-3748 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1592,8 +1592,14 @@ CVE-2022-26354 [vhost-vsock: missing virtqueue detach on error can lead to memor - qemu NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2063257 NOTE: https://gitlab.com/qemu-project/qemu/-/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf -CVE-2022-26353 +CVE-2022-26353 [virtio-net: map leaking on error during receive] RESERVED + - qemu + [buster] - qemu (Original upstream fix for CVE-2021-3748 not applied) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2063197 + NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg02438.html + NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6 (v6.2.0-rc0) + NOTE: Introduced by the original fix for CVE-2021-3748. CVE-2022-0835 RESERVED CVE-2022-0834 @@ -34241,6 +34247,7 @@ CVE-2021-3748 [virtio-net: heap use-after-free in virtio_net_receive_rcu] - qemu 1:6.1+dfsg-6 (bug #993401) [stretch] - qemu (Fix along with a future DLA) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1998514 + NOTE: When fixing this issue make sure to not open CVE-2022-26353 CVE-2021-40319 RESERVED CVE-2021-40318 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d7ff11450d8881ec701eb9311d7c783d5c90b20 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d7ff11450d8881ec701eb9311d7c783d5c90b20 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
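Review bot: the new "[buster] - qemu (Original upstream fix for CVE-2021-3748 not applied)" line in the CVE-2022-26353 hunk carries a reason but no version and no state marker; if buster is meant to be unaffected because the CVE-2021-3748 fix that introduced this bug was never applied there, the line needs the tracker's not-affected marker (it may simply have been dropped by the mail rendering, since the stretch line for CVE-2021-3748 shows the same bare form), otherwise buster is listed as open. The two trailing NOTE lines ("Introduced by: ...bedd7e93... (v6.2.0-rc0)" and "Introduced by the original fix for CVE-2021-3748.") state one fact from two angles and read better merged into a single note. The cross-reference added under CVE-2021-3748 ("make sure to not open CVE-2022-26353") is the right safeguard for the pending stretch DLA.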
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-26354/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: baaa570d by Salvatore Bonaccorso at 2022-03-14T06:51:42+01:00 Add CVE-2022-26354/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1587,8 +1587,11 @@ CVE-2022-26356 RESERVED CVE-2022-26355 (Citrix Federated Authentication Service (FAS) 7.17 - 10.6 causes deplo ...) NOT-FOR-US: Citrix -CVE-2022-26354 +CVE-2022-26354 [vhost-vsock: missing virtqueue detach on error can lead to memory leak] RESERVED + - qemu + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2063257 + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf CVE-2022-26353 RESERVED CVE-2022-0835 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/baaa570df223cd557e3a31dd33b5fd1393da5f9e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/baaa570df223cd557e3a31dd33b5fd1393da5f9e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] update note in dla-needed.txt
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 86dba41b by Abhijith PA at 2022-03-14T09:48:35+05:30 update note in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -19,6 +19,7 @@ ansible NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ -- asterisk (Abhijith PA) + NOTE: 20220314: Looking on back log no-dsa (abhijith) -- cacti (Sylvain Beucler) -- @@ -61,12 +62,14 @@ pjproject (Abhijith PA) NOTE: 20211230: patch available for the no-dsa issue, check its NOTE (pochu) NOTE: 20220215: Asterisk and ring have embedded copy of pjproject (abhijith) NOTE: 20220302: uploading asterisk, ring and pjproject in one go (abhijith) + NOTE: 20220314: https://people.debian.org/~abhijith/upload/vda/pjproject_2.5.5~dfsg-6+deb9u3.dsc -- python-scrapy -- python-treq -- ring (Abhijith PA) + NOTE: 20220314: https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc -- samba NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/samba/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86dba41b94ee612f0c51dfb64af7065a0b5e3321 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86dba41b94ee612f0c51dfb64af7065a0b5e3321 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
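Review bot: the asterisk note "20220314: Looking on back log no-dsa (abhijith)" in the first hunk is ambiguous about whether no-dsa is a decision already taken for the open asterisk issues or a proposal still being evaluated while reviewing the backlog; spelling that out (for example "reviewing backlog; remaining issues look no-dsa") would save the next person reading dla-needed.txt from guessing. The pjproject and ring notes in the second hunk are fine as they stand, since they point at concrete .dsc uploads consistent with the 20220302 note about uploading the three packages together.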
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2022-24720/ruby-image-processing
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3aab97ec by Salvatore Bonaccorso at 2022-03-13T22:52:51+01:00 Add Debian bug reference for CVE-2022-24720/ruby-image-processing - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5899,7 +5899,7 @@ CVE-2022-24722 (VIewComponent is a framework for building view components in Rub CVE-2022-24721 RESERVED CVE-2022-24720 (image_processing is an image processing wrapper for libvips and ImageM ...) - - ruby-image-processing + - ruby-image-processing (bug #1007225) NOTE: https://github.com/janko/image_processing/security/advisories/GHSA-cxf7-qrc5-9446 NOTE: https://github.com/janko/image_processing/commit/038e4574e8f4f4b636a62394e09983c71980dada (v1.12.2) CVE-2022-24719 (Fluture-Node is a FP-style HTTP and streaming utils for Node based on ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3aab97ec9000c83d1977cd33d4ab380d2b1add31 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3aab97ec9000c83d1977cd33d4ab380d2b1add31 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2022-26967/gpac
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5bfbc4d0 by Salvatore Bonaccorso at 2022-03-13T22:48:48+01:00 Add Debian bug reference for CVE-2022-26967/gpac - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -42,7 +42,7 @@ CVE-2022-26969 CVE-2022-26968 RESERVED CVE-2022-26967 (GPAC 2.0 allows a heap-based buffer overflow in gf_base64_encode. It c ...) - - gpac + - gpac (bug #1007224) NOTE: https://github.com/gpac/gpac/issues/2138 NOTE: https://github.com/gpac/gpac/commit/ea1eca00fd92fa17f0e25ac25652622924a9a6a0 CVE-2022-26966 (An issue was discovered in the Linux kernel before 5.16.12. drivers/ne ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5bfbc4d08ecc15d9a6779c5dabd384669e2e828d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5bfbc4d08ecc15d9a6779c5dabd384669e2e828d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2948-1 for debian-archive-keyring
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 7cf043ff by Anton Gladky at 2022-03-13T22:02:54+01:00 Reserve DLA-2948-1 for debian-archive-keyring - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[13 Mar 2022] DLA-2948-1 debian-archive-keyring - security update + [stretch] - debian-archive-keyring 2017.5+deb9u2 [11 Mar 2022] DLA-2947-1 vim - security update {CVE-2021-3984 CVE-2021-4019 CVE-2021-4069 CVE-2021-4193 CVE-2022-0213 CVE-2022-0319 CVE-2022-0368 CVE-2022-0554 CVE-2022-0361 CVE-2022-0408 CVE-2022-0685 CVE-2022-0714 CVE-2022-0359 CVE-2021-4192 CVE-2021-3872 CVE-2021-3927 CVE-2021-3928 CVE-2021-3973 CVE-2021-3974 CVE-2022-0729} [stretch] - vim 2:8.0.0197-4+deb9u5 = data/dla-needed.txt = 
@@ -22,16 +22,6 @@ asterisk (Abhijith PA) -- cacti (Sylvain Beucler) -- -debian-archive-keyring (Anton) - NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html - NOTE: 20210920: Raphael answered. will backport today. (utkarsh) - NOTE: 20211003: waiting for Jonathan to get back as his keys - NOTE: 20211003: seemed to have expired and the build is thus - NOTE: 20211003: failing. Or at least appears to be. :( (utkarsh) - NOTE: 20211018: Jonathan is prepping the branch; will work - NOTE: 20211018: with him and upload and publish the DLA. (utkarsh) - NOTE: 20220307: WIP (Anton) --- firmware-nonfree (Markus Koschany) NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cf043ff3eca5c22da05a6fbd88e2e75ea2fb198 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cf043ff3eca5c22da05a6fbd88e2e75ea2fb198 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-26981/liblouis
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3d57f515 by Salvatore Bonaccorso at 2022-03-13T21:34:44+01:00 Add CVE-2022-26981/liblouis - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,6 @@ CVE-2022-26981 (Liblouis through 3.21.0 has a buffer overflow in compilePassOpcode in ...) - TODO: check + - liblouis + NOTE: https://github.com/liblouis/liblouis/issues/1171 CVE-2022-26980 RESERVED CVE-2022-0942 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d57f5153a058dd07c861fe06d893f4f53b5322a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d57f5153a058dd07c861fe06d893f4f53b5322a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track possible fixes for CVE-2017-25{79,80,81}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 130a2414 by Salvatore Bonaccorso at 2022-03-13T21:29:19+01:00 Track possible fixes for CVE-2017-25{79,80,81} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -323862,18 +323862,21 @@ CVE-2017-2581 (An out-of-bounds write vulnerability was found in netpbm before 1 NOTE: https://www.openwall.com/lists/oss-security/2017/02/05/7 NOTE: PoC+report attached to #854978 NOTE: Similar code path seems protected by earlier stricter size checks ("object too large") + NOTE: Possible fix: https://sourceforge.net/p/netpbm/code/2989/ (10.78.05) CVE-2017-2580 (An out-of-bounds write vulnerability was found in netpbm before 10.61. ...) - netpbm-free (bug #854978) [jessie] - netpbm-free (pnm/giftopnm.c and bpm/libpm.c rewritten, PoC triggers clean check "Zero byte allocation" missing in later versions) NOTE: Debian uses an old fork of netpbm NOTE: https://www.openwall.com/lists/oss-security/2017/02/05/7 NOTE: PoC+report attached to #854978 + NOTE: Possible fix: https://sourceforge.net/p/netpbm/code/2821 (10.47.63) CVE-2017-2579 (An out-of-bounds read vulnerability was found in netpbm before 10.61. ...) - netpbm-free (bug #854978) [jessie] - netpbm-free (pnm/giftopnm.c rewritten, PoC triggers clean application error handling) NOTE: Debian uses an old fork of netpbm NOTE: https://www.openwall.com/lists/oss-security/2017/02/05/7 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1024288 (reproducer) + NOTE: Possible fix: https://sourceforge.net/p/netpbm/code/2821 (10.47.63) CVE-2017-2577 REJECTED CVE-2017-2575 (A vulnerability was found while fuzzing libbpg 0.9.7. It is a NULL poi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/130a24147f887d8f6975647d75d99347428aaf4f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/130a24147f887d8f6975647d75d99347428aaf4f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4d388608 by security tracker role at 2022-03-13T20:10:17+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,4 +1,18 @@ -CVE-2021-46709 [cross-site-scripting with newRows GET parameter] +CVE-2022-26981 (Liblouis through 3.21.0 has a buffer overflow in compilePassOpcode in ...) + TODO: check +CVE-2022-26980 + RESERVED +CVE-2022-0942 + RESERVED +CVE-2022-0941 + RESERVED +CVE-2022-0940 + RESERVED +CVE-2022-0939 + RESERVED +CVE-2022-0938 + RESERVED +CVE-2021-46709 (phpLiteAdmin through 1.9.8.2 allows XSS via the index.php newRows para ...) - phpliteadmin 1.9.8.2-2 NOTE: https://bitbucket.org/phpliteadmin/public/issues/399/xss-vulnerability NOTE: https://bitbucket.org/phpliteadmin/public/pull-requests/16/fix-an-xss-vulnerability-with-the-newrows @@ -1716,7 +1730,7 @@ CVE-2022-26320 RESERVED CVE-2022-26319 (An installer search patch element vulnerability in Trend Micro Portabl ...) NOT-FOR-US: Trend Micro -CVE-2022-26318 (Null pointer dereference in WatchGuard Firebox and XTM appliances allo ...) +CVE-2022-26318 (On WatchGuard Firebox and XTM appliances, an unauthenticated user can ...) NOT-FOR-US: WatchGuard CVE-2022-26317 (A vulnerability has been identified in Mendix Applications using Mendi ...) NOT-FOR-US: Mendix (Siemens) @@ -3535,6 +3549,7 @@ CVE-2022-0712 (NULL Pointer Dereference in GitHub repository radareorg/radare2 p NOTE: https://huntr.dev/bounties/1e572820-e502-49d1-af0e-81833e2eb466 NOTE: https://github.com/radareorg/radare2/commit/515e592b9bea0612bc63d8e93239ff35bcf645c7 CVE-2022-0711 (A flaw was found in the way HAProxy processed HTTP responses containin ...) + {DSA-5102-1} - haproxy 2.4.13-1 [buster] - haproxy (Vulnerable code introduced later) [stretch] - haproxy (Vulnerable code introduced later) 
@@ -5008,7 +5023,7 @@ CVE-2022-25092 RESERVED CVE-2022-25091 RESERVED -CVE-2022-25090 (Printix Secure Cloud Print Management 1.3.1035.0 creates a temporary f ...) +CVE-2022-25090 (Printix Secure Cloud Print Management through 1.3.1106.0 creates a tem ...) NOT-FOR-US: Printix Secure Cloud Print Management CVE-2022-25089 (Printix Secure Cloud Print Management through 1.3.1106.0 incorrectly u ...) NOT-FOR-US: Printix Secure Cloud Print Management @@ -6004,8 +6019,8 @@ CVE-2022-0549 NOTE: https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/ CVE-2022-0548 RESERVED -CVE-2022-24696 - RESERVED +CVE-2022-24696 (Mirametrix Glance before 5.1.1.42207 (released on 2018-08-30) allows a ...) + TODO: check CVE-2022-24695 RESERVED CVE-2022-24694 (In Mahara 20.10 before 20.10.4, 21.04 before 21.04.3, and 21.10 before ...) @@ -7736,8 +7751,8 @@ CVE-2022-24130 (xterm through Patch 370, when Sixel support is enabled, allows a NOTE: https://github.com/ThomasDickey/xterm-snapshots/commit/1584fc227673264661250d3a8d673c168ac9512d CVE-2022-24129 (The OIDC OP plugin before 3.0.4 for Shibboleth Identity Provider allow ...) NOT-FOR-US: Shibboleth identity provider OIDC OP plugin -CVE-2022-24128 - RESERVED +CVE-2022-24128 (Timescale TimescaleDB 1.x and 2.x before 2.5.2 may allow privilege esc ...) + TODO: check CVE-2022-24127 RESERVED CVE-2022-24126 @@ -30339,7 +30354,7 @@ CVE-2021-41851 CVE-2021-3851 (firefly-iii is vulnerable to URL Redirection to Untrusted Site ...) NOT-FOR-US: firefly-iii CVE-2021-3850 (Authentication Bypass by Primary Weakness in GitHub repository adodb/a ...) - {DLA-2912-1} + {DSA-5101-1 DLA-2912-1} - libphp-adodb 5.21.4-1 (bug #1004376) NOTE: https://github.com/ADOdb/ADOdb/issues/793 NOTE: https://github.com/adodb/adodb/commit/b4d5ce70034c5aac3a1d51d317d93c037a0938d2 (v5.21.4) 
@@ -64034,7 +64049,7 @@ CVE-2021-28490 (In OWASP CSRFGuard through 3.1.0, CSRF can occur because the CSR NOT-FOR-US: OWASP CSRFGuard CVE-2021-28489 RESERVED -CVE-2021-28488 (Ericsson Network Manager 20.2 has Insecure Permissions. ...) +CVE-2021-28488 (Ericsson Network Manager (ENM) before 21.2 has incorrect access-contro ...) NOT-FOR-US: Ericsson CVE-2021-28487 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d3886082572a08981574cd2a8f300c699974fa4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d3886082572a08981574cd2a8f300c699974fa4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing
[Git][security-tracker-team/security-tracker][master] CVE-2021-46709/phpliteadmin assigned
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bcefb2a5 by Salvatore Bonaccorso at 2022-03-13T20:31:09+01:00 CVE-2021-46709/phpliteadmin assigned - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,4 +1,4 @@ -CVE-2022- [cross-site-scripting with newRows GET parameter] +CVE-2021-46709 [cross-site-scripting with newRows GET parameter] - phpliteadmin 1.9.8.2-2 NOTE: https://bitbucket.org/phpliteadmin/public/issues/399/xss-vulnerability NOTE: https://bitbucket.org/phpliteadmin/public/pull-requests/16/fix-an-xss-vulnerability-with-the-newrows View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bcefb2a57f152b89d659312632380dbd73ec4ddd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bcefb2a57f152b89d659312632380dbd73ec4ddd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for some tiff issues via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0b69394f by Salvatore Bonaccorso at 2022-03-13T17:32:12+01:00 Track fixed version for some tiff issues via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -286,7 +286,7 @@ CVE-2022-26852 CVE-2022-26851 RESERVED CVE-2022-0924 (Out-of-bounds Read error in tiffcp in libtiff 4.3.0 allows attackers t ...) - - tiff + - tiff 4.3.0-6 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/278 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/311 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/88d79a45a31c74cba98c697892fed5f7db8b963a @@ -467,16 +467,16 @@ CVE-2022-25905 CVE-2022-0910 RESERVED CVE-2022-0909 (Divide By Zero error in tiffcrop in libtiff 4.3.0 allows attackers to ...) - - tiff + - tiff 4.3.0-6 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/393 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/310 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/32ea0722ee68f503b7a3f9b2d557acb293fc8cde CVE-2022-0908 (Null source pointer passed as an argument to memcpy() function within ...) - - tiff + - tiff 4.3.0-6 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/a95b799f65064e4ba2e2dfc206808f86faf93e85 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/383 CVE-2022-0907 (Unchecked Return Value to NULL Pointer Dereference in tiffcrop in libt ...) - - tiff + - tiff 4.3.0-6 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/392 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/314 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/40b00cfb32256d377608b4d4cd30fac338d0a0bc 
@@ -529,7 +529,7 @@ CVE-2022-26778 (Veritas System Recovery (VSR) 18 and 21 stores a network destina CVE-2022-26777 RESERVED CVE-2022-0891 (A heap buffer overflow in ExtractImageSection function in tiffcrop.c i ...) - - tiff + - tiff 4.3.0-6 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c NOTE: https://gitlab.com/libtiff/libtiff/-/issues/380 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/382 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b69394f99e02a31f49cbaacb54be1053e5c0467 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b69394f99e02a31f49cbaacb54be1053e5c0467 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for haproxy update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d3b0bc1a by Salvatore Bonaccorso at 2022-03-13T17:16:57+01:00 Reserve DSA number for haproxy update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[13 Mar 2022] DSA-5102-1 haproxy - security update + {CVE-2022-0711} + [bullseye] - haproxy 2.2.9-2+deb11u3 [13 Mar 2022] DSA-5085-2 expat - regression update [buster] - expat 2.2.6-2+deb10u4 [bullseye] - expat 2.2.10-2+deb11u3 = data/dsa-needed.txt = @@ -22,8 +22,6 @@ faad2/oldstable (jmm) -- freecad (aron) -- -haproxy/stable (carnil) --- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v4.19.y versions. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d3b0bc1a050ee35a7ab42c008f206fac691699fe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d3b0bc1a050ee35a7ab42c008f206fac691699fe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA for expat functional regression update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2951638b by Salvatore Bonaccorso at 2022-03-13T16:09:08+01:00 Reserve DSA for expat functional regression update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[13 Mar 2022] DSA-5085-2 expat - regression update + [buster] - expat 2.2.6-2+deb10u4 + [bullseye] - expat 2.2.10-2+deb11u3 [13 Mar 2022] DSA-5101-1 libphp-adodb - security update {CVE-2021-3850} [buster] - libphp-adodb 5.20.14-1+deb10u1 = data/dsa-needed.txt = @@ -18,8 +18,6 @@ containerd (jmm) -- condor/oldstable -- -expat (carnil) --- faad2/oldstable (jmm) -- freecad (aron) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2951638b574c280343ea028f11cf8f5bddfc3763 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2951638b574c280343ea028f11cf8f5bddfc3763 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for libphp-adodb update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 14e016dd by Salvatore Bonaccorso at 2022-03-13T15:43:09+01:00 Reserve DSA number for libphp-adodb update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[13 Mar 2022] DSA-5101-1 libphp-adodb - security update + {CVE-2021-3850} + [buster] - libphp-adodb 5.20.14-1+deb10u1 + [bullseye] - libphp-adodb 5.20.19-1+deb11u1 [12 Mar 2022] DSA-5100-1 nbd - security update {CVE-2022-26495 CVE-2022-26496} [buster] - nbd 1:3.19-3+deb10u1 = data/dsa-needed.txt = @@ -26,8 +26,6 @@ freecad (aron) -- haproxy/stable (carnil) -- -libphp-adodb (carnil) --- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v4.19.y versions. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14e016dd4ef26cba2242c1dd86c25ba58610f939 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14e016dd4ef26cba2242c1dd86c25ba58610f939 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add temporary entry for phpliteadmin issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7374eae7 by Salvatore Bonaccorso at 2022-03-13T09:39:04+01:00 Add temporary entry for phpliteadmin issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2022- [cross-site-scripting with newRows GET parameter] + - phpliteadmin 1.9.8.2-2 + NOTE: https://bitbucket.org/phpliteadmin/public/issues/399/xss-vulnerability + NOTE: https://bitbucket.org/phpliteadmin/public/pull-requests/16/fix-an-xss-vulnerability-with-the-newrows CVE-2022-26979 RESERVED CVE-2022-26978 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7374eae792e3fa436ca51ddfb1071168c90753a0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7374eae792e3fa436ca51ddfb1071168c90753a0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
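Review bot: the provisional header "CVE-2022- [cross-site-scripting with newRows GET parameter]" has no placeholder digits after the year, so it is not visibly a temporary id and does not match the CVE-YYYY-NNNN shape the rest of the list uses; a placeholder such as CVE-2022-XXXX makes the entry stand out as awaiting assignment. The later commit on this page that replaces it with CVE-2021-46709 also shows the year prefix guessed here was off, which is one more reason not to rely on a bare year as the marker.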
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-26967/gpac
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c8f133b8 by Salvatore Bonaccorso at 2022-03-13T09:30:41+01:00 Add CVE-2022-26967/gpac - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23,7 +23,9 @@ CVE-2022-26969 CVE-2022-26968 RESERVED CVE-2022-26967 (GPAC 2.0 allows a heap-based buffer overflow in gf_base64_encode. It c ...) - TODO: check + - gpac + NOTE: https://github.com/gpac/gpac/issues/2138 + NOTE: https://github.com/gpac/gpac/commit/ea1eca00fd92fa17f0e25ac25652622924a9a6a0 CVE-2022-26966 (An issue was discovered in the Linux kernel before 5.16.12. drivers/ne ...) - linux 5.16.12-1 [bullseye] - linux 5.10.103-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8f133b86f567fc2bc0017091bd82d91ff6a14b1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8f133b86f567fc2bc0017091bd82d91ff6a14b1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-26966/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d96999d5 by Salvatore Bonaccorso at 2022-03-13T09:17:40+01:00 Add CVE-2022-26966/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25,7 +25,10 @@ CVE-2022-26968 CVE-2022-26967 (GPAC 2.0 allows a heap-based buffer overflow in gf_base64_encode. It c ...) TODO: check CVE-2022-26966 (An issue was discovered in the Linux kernel before 5.16.12. drivers/ne ...) - TODO: check + - linux 5.16.12-1 + [bullseye] - linux 5.10.103-1 + [buster] - linux 4.19.232-1 + NOTE: https://git.kernel.org/linus/e9da0b56fe27206b49f39805f7dcda8a89379062 (5.17-rc6) CVE-2022-26965 RESERVED CVE-2022-26964 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d96999d5c0cbcf5e08a93f10ae00ebdef6932a0a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d96999d5c0cbcf5e08a93f10ae00ebdef6932a0a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 02d4ca6b by security tracker role at 2022-03-13T08:10:10+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,55 @@ +CVE-2022-26979 + RESERVED +CVE-2022-26978 + RESERVED +CVE-2022-26977 + RESERVED +CVE-2022-26976 + RESERVED +CVE-2022-26975 + RESERVED +CVE-2022-26974 + RESERVED +CVE-2022-26973 + RESERVED +CVE-2022-26972 + RESERVED +CVE-2022-26971 + RESERVED +CVE-2022-26970 + RESERVED +CVE-2022-26969 + RESERVED +CVE-2022-26968 + RESERVED +CVE-2022-26967 (GPAC 2.0 allows a heap-based buffer overflow in gf_base64_encode. It c ...) + TODO: check +CVE-2022-26966 (An issue was discovered in the Linux kernel before 5.16.12. drivers/ne ...) + TODO: check +CVE-2022-26965 + RESERVED +CVE-2022-26964 + RESERVED +CVE-2022-26963 + RESERVED +CVE-2022-26962 + RESERVED +CVE-2022-26961 + RESERVED +CVE-2022-26960 + RESERVED +CVE-2022-26959 + RESERVED +CVE-2022-26958 + RESERVED +CVE-2022-26957 + RESERVED +CVE-2022-26956 + RESERVED +CVE-2022-26955 + RESERVED +CVE-2022-0937 + RESERVED CVE-2022-26954 RESERVED CVE-2022-26953 @@ -8421,8 +8473,7 @@ CVE-2022-23962 RESERVED CVE-2022-23961 RESERVED -CVE-2022-23960 - RESERVED +CVE-2022-23960 (Certain Arm Cortex and Neoverse processors through 2022-03-08 do not p ...) - linux NOTE: https://www.vusec.net/projects/bhi-spectre-bhb/ NOTE: https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/spectre-bhb 
@@ -15172,14 +15223,14 @@ CVE-2021-45891 RESERVED CVE-2021-45890 (basic/BasicAuthProvider.java in AuthGuard before 0.9.0 allows authenti ...) NOT-FOR-US: AuthGuard -CVE-2021-45889 - RESERVED -CVE-2021-45888 - RESERVED -CVE-2021-45887 - RESERVED -CVE-2021-45886 - RESERVED +CVE-2021-45889 (An issue was discovered in PONTON X/P Messenger before 3.11.2. Several ...) + TODO: check +CVE-2021-45888 (An issue was discovered in PONTON X/P Messenger before 3.11.2. The nav ...) + TODO: check +CVE-2021-45887 (An issue was discovered in PONTON X/P Messenger before 3.11.2. Due to ...) + TODO: check +CVE-2021-45886 (An issue was discovered in PONTON X/P Messenger before 3.11.2. Anti-CS ...) + TODO: check CVE-2021-45885 (An issue was discovered in Stormshield Network Security (SNS) 4.2.2 th ...) NOT-FOR-US: Stormshield Network Security (SNS) CVE-2021-4186 (Crash in the Gryphon dissector in Wireshark 3.4.0 to 3.4.10 allows den ...) @@ -43903,8 +43954,8 @@ CVE-2021-36370 (An issue was discovered in Midnight Commander through 4.8.26. Wh NOTE: https://github.com/MidnightCommander/mc/commit/9235d3c232d13ad7f973346077c9cf2eaa77dc5f CVE-2021-36369 RESERVED -CVE-2021-36368 - RESERVED +CVE-2021-36368 (** DISPUTED ** An issue was discovered in OpenSSH before 8.9. If a cli ...) + TODO: check CVE-2021-36367 (PuTTY through 0.75 proceeds with establishing an SSH session even if i ...) - putty 0.75-3 (bug #990901) [bullseye] - putty (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02d4ca6bde1a6d31cb70e966a8a4c367d89ddd09 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02d4ca6bde1a6d31cb70e966a8a4c367d89ddd09 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits