[Git][security-tracker-team/security-tracker][master] Add CVE-2022-1106/mruby

2022-03-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e18c0aef by Salvatore Bonaccorso at 2022-03-28T07:04:26+02:00
Add CVE-2022-1106/mruby

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -66,6 +66,9 @@ CVE-2022-27929
 CVE-2022-27928
RESERVED
 CVE-2022-1106 (use after free in mrb_vm_exec in GitHub repository mruby/mruby 
prior t ...)
+   - mruby 
+   NOTE: https://huntr.dev/bounties/16b9d0ea-71ed-41bc-8a88-2deb4c20be8f
+   NOTE: 
https://github.com/mruby/mruby/commit/7f5a490d09f4d56801ac3a3e4e39e03e1471b44c
TODO: check
 CVE-2022-1105
RESERVED
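
Review bot: the new entry records the huntr report and the upstream fix but no fixed Debian version and no per-release assessment, and the trailing "TODO: check" does not say what is left to check. The sibling entry for CVE-2022-1071 on this page (same location, a use-after-free in mrb_vm_exec) spells it out as "TODO: check where issue introduced and present before code refactoring"; the same question applies here, so either word the TODO the same way or add the [bullseye]/[buster] lines once the introducing commit is known.
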



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e18c0aefee0b1e6aaa61c7544b58f614d8d4f68b

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e18c0aefee0b1e6aaa61c7544b58f614d8d4f68b
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Add CVE-2022-27950/linux

2022-03-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7369b58b by Salvatore Bonaccorso at 2022-03-28T06:55:24+02:00
Add CVE-2022-27950/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,10 @@
+CVE-2022-27950 [HID: elo: fix memory leak in elo_probe]
+   - linux 5.16.11-1
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   [stretch] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/817b8b9c5396d2b2d92311b46719aad5d3339dbe (5.17-rc5)
+   NOTE: https://www.openwall.com/lists/oss-security/2022/03/13/1
 CVE-2022-27949
RESERVED
 CVE-2022-27948 (Certain Tesla vehicles through 2022-03-26 allow attackers to 
open the  ...)
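
Review bot: the only upstream reference is the 5.17-rc5 mainline commit while the fixed version is recorded as linux 5.16.11-1, so the stable backport that justifies 5.16.11 is not cited; add the corresponding 5.16.y commit or stable release as a second NOTE so the fixed-version claim can be checked without a separate git search. The three "Vulnerable code not present" lines would likewise be easier to verify with the version that introduced the elo driver code, in the "introduced in ..." style other entries on this list use.
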



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7369b58beddd30f59adcfa7161bb103fa3f7db98



[Git][security-tracker-team/security-tracker][master] update notes

2022-03-27 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4f0a152c by Thorsten Alteholz at 2022-03-27T23:14:52+02:00
update notes

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -58,7 +58,7 @@ jackson-databind
 kicad
 --
 libarchive (Thorsten Alteholz)
-  NOTE: 20220225: fix seems to be incomplete
+  NOTE: 20220327: next round of testing
 --
 libdatetime-timezone-perl (Emilio)
 --
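
Review bot: the dated NOTE is replaced rather than appended, so the 20220225 observation that the fix seemed incomplete disappears from dla-needed.txt together with the reason for the extra round of testing. Keep both lines, the old 20220225 line followed by the new 20220327 one, so whoever picks up libarchive next sees why a second round of testing was needed.
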
@@ -82,6 +82,7 @@ mariadb-10.1
 mbedtls (Utkarsh)
 --
 minidlna (Thorsten Alteholz)
+  NOTE: 20220327: update other releases first
 --
 nvidia-graphics-drivers
NOTE: 20220203: package is in non-free but also in packages-to-support 
(Beuc)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f0a152c5f11b7c79ecf0b03de3e2651e143b21d



[Git][security-tracker-team/security-tracker][master] also track zlib issue for libz-mingw-w64

2022-03-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
689b7d6f by Moritz Muehlenhoff at 2022-03-27T22:52:00+02:00
also track zlib issue for libz-mingw-w64

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -338,6 +338,9 @@ CVE-2022-1061 (Heap Buffer Overflow in parseDragons in 
GitHub repository radareo
NOTE: 
https://github.com/radareorg/radare2/commit/d4ce40b516ffd70cf2e9e36832d8de139117d522
 CVE-2018-25032 (zlib 1.2.11 allows memory corruption when deflating (i.e., 
when compre ...)
- zlib 1:1.2.11.dfsg-4 (bug #1008265)
+   - libz-mingw-w64 1.2.11+dfsg-5
+   [bullseye] - libz-mingw-w64  (Minor issue)
+   [buster] - libz-mingw-w64  (Minor issue)
NOTE: 
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
NOTE: https://www.openwall.com/lists/oss-security/2022/03/24/1
NOTE: Details: https://www.openwall.com/lists/oss-security/2022/03/26/1
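
Review bot: bullseye and buster are marked "(Minor issue)" for libz-mingw-w64 although the CVE text in the context line describes memory corruption when deflating, and no comparable deferral is visible in this hunk for src:zlib itself (only the unstable fix line with bug #1008265). A one-line rationale in the parenthesis (for example which archive consumers actually link against the mingw build) would make the different treatment auditable; as written the reason for postponing is not recorded in the entry.
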



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/689b7d6f2328238b5ecac65b082220553200f474



[Git][security-tracker-team/security-tracker][master] NFUs

2022-03-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7ce3d302 by Moritz Muehlenhoff at 2022-03-27T22:35:27+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,7 @@
 CVE-2022-27949
RESERVED
 CVE-2022-27948 (Certain Tesla vehicles through 2022-03-26 allow attackers to 
open the  ...)
-   TODO: check
+   NOT-FOR-US: Tesla
 CVE-2022-1110
RESERVED
 CVE-2022-1109
@@ -87,7 +87,7 @@ CVE-2022-27920 (libkiwix 10.0.0 and 10.0.1 allows XSS in the 
built-in webserver
NOTE: https://github.com/kiwix/libkiwix/issues/728
NOTE: https://github.com/kiwix/libkiwix/pull/721
 CVE-2022-27919 (Gradle Enterprise before 2022.1 allows remote code execution 
if the in ...)
-   TODO: check
+   NOT-FOR-US: Gradle Enterprise
 CVE-2022-27918
RESERVED
 CVE-2022-27917
@@ -177,9 +177,9 @@ CVE-2022-27884 (Maccms v10 was discovered to contain a 
reflected cross-site scri
 CVE-2022-27883
RESERVED
 CVE-2022-27882 (slaacd in OpenBSD 6.9 and 7.0 before 2022-03-22 has an integer 
signedn ...)
-   TODO: check
+   NOT-FOR-US: slaacd from OpenBSD
 CVE-2022-27881 (engine.c in slaacd in OpenBSD 6.9 and 7.0 before 2022-02-21 
has a buff ...)
-   TODO: check
+   NOT-FOR-US: slaacd from OpenBSD
 CVE-2022-27873
RESERVED
 CVE-2022-27872
@@ -4366,11 +4366,11 @@ CVE-2022-26256
 CVE-2022-26255
RESERVED
 CVE-2022-26254 (WoWonder The Ultimate PHP Social Network Platform v4.0.0 was 
discovere ...)
-   TODO: check
+   NOT-FOR-US: WoWonder
 CVE-2022-26253
RESERVED
 CVE-2022-26252 (aaPanel v6.8.21 was discovered to be vulnerable to directory 
traversal ...)
-   TODO: check
+   NOT-FOR-US: aaPanel
 CVE-2022-26251
RESERVED
 CVE-2022-26250
@@ -4384,7 +4384,7 @@ CVE-2022-26247 (TMS v2.28.0 contains an insecure 
permissions vulnerability via t
 CVE-2022-26246 (TMS v2.28.0 was discovered to contain a cross-site scripting 
(XSS) vul ...)
NOT-FOR-US: TMS
 CVE-2022-26245 (Falcon-plus v0.3 was discovered to contain a SQL injection 
vulnerabili ...)
-   TODO: check
+   NOT-FOR-US: Falcon-plus
 CVE-2022-26244
RESERVED
 CVE-2022-26243 (Tenda AC10-1200 v15.03.06.23_EN was discovered to contain a 
buffer ove ...)
@@ -4464,7 +4464,7 @@ CVE-2022-26207 (Totolink A830R V5.9c.4729_B20191112, 
A3100R V4.1.2cu.5050_B20200
 CVE-2022-26206 (Totolink A830R V5.9c.4729_B20191112, A3100R 
V4.1.2cu.5050_B20200504, A ...)
NOT-FOR-US: Totolink
 CVE-2022-26205 (Marky commit 3686565726c65756e was discovered to contain a 
remote code ...)
-   TODO: check
+   NOT-FOR-US: Marky
 CVE-2022-26204
RESERVED
 CVE-2022-26203
@@ -4478,7 +4478,7 @@ CVE-2022-26200
 CVE-2022-26199
RESERVED
 CVE-2022-26198 (Notable v1.8.4 does not filter text editing, allowing 
attackers to exe ...)
-   TODO: check
+   NOT-FOR-US: Notable
 CVE-2022-26197 (Joget DX 7 was discovered to contain a cross-site scripting 
(XSS) vuln ...)
NOT-FOR-US: Joget
 CVE-2022-26196
@@ -6183,7 +6183,7 @@ CVE-2022-25576 (Anchor CMS v0.12.7 was discovered to 
contain a Cross-Site Reques
 CVE-2022-25575 (Multiple cross-site scripting (XSS) vulnerabilities in Parking 
Managem ...)
NOT-FOR-US: Parking Management System
 CVE-2022-25574 (A stored cross-site scripting (XSS) vulnerability in the 
upload functi ...)
-   TODO: check
+   NOT-FOR-US: douphp
 CVE-2022-25573
RESERVED
 CVE-2022-25572
@@ -8361,9 +8361,9 @@ CVE-2022-24786
 CVE-2022-24785
RESERVED
 CVE-2022-24784 (Statamic is a Laravel and Git powered CMS. Before versions 
3.2.39 and  ...)
-   TODO: check
+   NOT-FOR-US: Statamic
 CVE-2022-24783 (Deno is a runtime for JavaScript and TypeScript. The versions 
of Deno  ...)
-   TODO: check
+   NOT-FOR-US: Deno
 CVE-2022-24782 (Discourse is an open source discussion platform. Versions 
2.8.2 and pr ...)
NOT-FOR-US: Discourse
 CVE-2022-24781 (Geon is a board game based on solving questions about the 
Pythagorean  ...)
@@ -8435,7 +8435,7 @@ CVE-2022-24761 (Waitress is a Web Server Gateway 
Interface server for Python 2 a
 CVE-2022-24760 (Parse Server is an open source http web server backend. In 
versions pr ...)
TODO: check
 CVE-2022-24759 (`@chainsafe/libp2p-noise` contains TypeScript implementation 
of noise  ...)
-   TODO: check
+   NOT-FOR-US: chainsafe/libp2p-noise
 CVE-2022-24758
RESERVED
 CVE-2022-24757 (The Jupyter Server provides the backend (i.e. the core 
services, APIs, ...)
@@ -8466,11 +8466,11 @@ CVE-2022-24754 (PJSIP is a free and open source 
multimedia communication library
NOTE: 
https://github.com/pjsip/pjproject/commit/d27f79da11df7bc8bb56c2f291d71e54df8d2c47
TODO: check impact on src:asterisk and src:ring
 CVE-2022-24753 (Stripe CLI is a command-line tool for the Stripe 

[Git][security-tracker-team/security-tracker][master] automatic update

2022-03-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
64407bfb by security tracker role at 2022-03-27T20:10:20+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2022-27949
+   RESERVED
+CVE-2022-27948 (Certain Tesla vehicles through 2022-03-26 allow attackers to 
open the  ...)
+   TODO: check
 CVE-2022-1110
RESERVED
 CVE-2022-1109
@@ -54,8 +58,8 @@ CVE-2022-27929
RESERVED
 CVE-2022-27928
RESERVED
-CVE-2022-1106
-   RESERVED
+CVE-2022-1106 (use after free in mrb_vm_exec in GitHub repository mruby/mruby 
prior t ...)
+   TODO: check
 CVE-2022-1105
RESERVED
 CVE-2022-1104
@@ -3393,8 +3397,8 @@ CVE-2022-26622
RESERVED
 CVE-2022-26621
RESERVED
-CVE-2022-26620 (Akeo Consulting Rufus Executable 3.17.1846 and Rufus Portable 
Executab ...)
-   TODO: check
+CVE-2022-26620
+   REJECTED
 CVE-2022-26619
RESERVED
 CVE-2022-26618
@@ -4361,12 +4365,12 @@ CVE-2022-26256
RESERVED
 CVE-2022-26255
RESERVED
-CVE-2022-26254
-   RESERVED
+CVE-2022-26254 (WoWonder The Ultimate PHP Social Network Platform v4.0.0 was 
discovere ...)
+   TODO: check
 CVE-2022-26253
RESERVED
-CVE-2022-26252
-   RESERVED
+CVE-2022-26252 (aaPanel v6.8.21 was discovered to be vulnerable to directory 
traversal ...)
+   TODO: check
 CVE-2022-26251
RESERVED
 CVE-2022-26250
@@ -4379,8 +4383,8 @@ CVE-2022-26247 (TMS v2.28.0 contains an insecure 
permissions vulnerability via t
NOT-FOR-US: TMS
 CVE-2022-26246 (TMS v2.28.0 was discovered to contain a cross-site scripting 
(XSS) vul ...)
NOT-FOR-US: TMS
-CVE-2022-26245
-   RESERVED
+CVE-2022-26245 (Falcon-plus v0.3 was discovered to contain a SQL injection 
vulnerabili ...)
+   TODO: check
 CVE-2022-26244
RESERVED
 CVE-2022-26243 (Tenda AC10-1200 v15.03.06.23_EN was discovered to contain a 
buffer ove ...)
@@ -4469,8 +4473,8 @@ CVE-2022-26202
RESERVED
 CVE-2022-26201 (Victor CMS v1.0 was discovered to contain a SQL injection 
vulnerabilit ...)
NOT-FOR-US: Victor CMS
-CVE-2022-26200 (Technitium Installer v4.4 was discovered to allow attackers to 
execute ...)
-   TODO: check
+CVE-2022-26200
+   REJECTED
 CVE-2022-26199
RESERVED
 CVE-2022-26198 (Notable v1.8.4 does not filter text editing, allowing 
attackers to exe ...)
@@ -56770,17 +56774,17 @@ CVE-2021-32280 (An issue was discovered in fig2dev 
before 3.2.8.. A NULL pointer
 CVE-2021-32279
RESERVED
 CVE-2021-32278 (An issue was discovered in faad2 through 2.10.0. A 
heap-buffer-overflo ...)
-   {DLA-2792-1}
+   {DSA-5109-1 DLA-2792-1}
- faad2 2.10.0-1
NOTE: https://github.com/knik0/faad2/issues/62
NOTE: 
https://github.com/knik0/faad2/commit/e19a5e491354e0e4664d02b796dacee28fb2521e 
(2_10_0)
 CVE-2021-32277 (An issue was discovered in faad2 through 2.10.0. A 
heap-buffer-overflo ...)
-   {DLA-2792-1}
+   {DSA-5109-1 DLA-2792-1}
- faad2 2.10.0-1
NOTE: https://github.com/knik0/faad2/issues/59
NOTE: 
https://github.com/knik0/faad2/commit/c78251b2b5d41ea840fd61ab9502b3d3036bd747 
(2_10_0)
 CVE-2021-32276 (An issue was discovered in faad2 through 2.10.0. A NULL 
pointer derefe ...)
-   {DLA-2792-1}
+   {DSA-5109-1 DLA-2792-1}
- faad2 2.10.0-1
NOTE: https://github.com/knik0/faad2/issues/58
NOTE: 
https://github.com/knik0/faad2/commit/b58840121d1827b4b6c7617e2431589af1776ddc 
(2_10_0)
@@ -56789,16 +56793,18 @@ CVE-2021-32275 (An issue was discovered in faust 
through v2.30.5. A NULL pointer
NOTE: https://github.com/grame-cncm/faust/issues/482
NOTE: Negligible security impact
 CVE-2021-32274 (An issue was discovered in faad2 through 2.10.0. A 
heap-buffer-overflo ...)
-   {DLA-2792-1}
+   {DSA-5109-1 DLA-2792-1}
- faad2 2.10.0-1
NOTE: https://github.com/knik0/faad2/issues/60
NOTE: 
https://github.com/knik0/faad2/commit/c78251b2b5d41ea840fd61ab9502b3d3036bd747 
(2_10_0)
 CVE-2021-32273 (An issue was discovered in faad2 through 2.10.0. A 
stack-buffer-overfl ...)
+   {DSA-5109-1}
- faad2 2.10.0-1
[stretch] - faad2  (Vulnerable code not present, 
introduced in 2.8.2)
NOTE: https://github.com/knik0/faad2/issues/56
NOTE: 
https://github.com/knik0/faad2/commit/1073aeef823cafd844704389e9a497c257768e2f 
(2_10_0)
 CVE-2021-32272 (An issue was discovered in faad2 before 2.10.0. A 
heap-buffer-overflow ...)
+   {DSA-5109-1}
- faad2 2.10.0-1
[stretch] - faad2  (Vulnerable code not present, 
introduced in 2.8.2)
NOTE: https://github.com/knik0/faad2/issues/57
@@ -207957,7 +207963,7 @@ CVE-2019-6958 (A recently discovered security 
vulnerability affects all Bosch Vi
 CVE-2019-6957 (A 

[Git][security-tracker-team/security-tracker][master] faad2 DSA

2022-03-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
46a79c1c by Moritz Mühlenhoff at 2022-03-27T21:16:46+02:00
faad2 DSA

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -218056,7 +218056,6 @@ CVE-2018-20200 (** DISPUTED ** CertificatePinner.java 
in OkHttp 3.x through 3.12
 CVE-2018-20199 (A NULL pointer dereference was discovered in ifilter_bank of 
libfaad/f ...)
{DLA-2792-1 DLA-1899-1}
- faad2 2.8.8-3.1 (low)
-   [buster] - faad2  (Minor issue)
NOTE: https://github.com/knik0/faad2/issues/24
NOTE: 
https://github.com/knik0/faad2/commit/3b80a57483a6bc822d3ce3cc640fa81737a87c54
 CVE-2018-20198 (A NULL pointer dereference was discovered in ifilter_bank of 
libfaad/f ...)
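
Review bot: dropping the "[buster] - faad2 (Minor issue)" line is right now that an update ships for buster, but the {DLA-2792-1 DLA-1899-1} reference line in this hunk is left without DSA-5109-1, so until the tracker's automatic update merges data/DSA/list the entry says buster is neither deferred nor covered by an advisory. That merge is visible later on this page (the automatic update prepends DSA-5109-1 to the faad2 CVE-2021-322xx reference lines), so no change is needed, just a reminder that this hunk and the DSA/list hunk must land in the same push.
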
@@ -218074,7 +218073,6 @@ CVE-2018-20197 (There is a stack-based buffer 
underflow in the third instance of
 CVE-2018-20196 (There is a stack-based buffer overflow in the third instance 
of the ca ...)
{DLA-1899-1}
- faad2 2.8.8-3.1 (low)
-   [buster] - faad2  (Minor issue)
[stretch] - faad2  (Minor issue)
NOTE: https://github.com/knik0/faad2/issues/19
NOTE: 
https://github.com/knik0/faad2/commit/6aeeaa1af0caf986daf22852a97f7c13c5edd879


=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[27 Mar 2022] DSA-5109-1 faad2 - security update
+   {CVE-2018-20196 CVE-2018-20199 CVE-2018-20360 CVE-2019-6956 
CVE-2021-32272 CVE-2021-32273 CVE-2021-32274 CVE-2021-32276 CVE-2021-32277 
CVE-2021-32278}
+   [buster] - faad2 2.10.0-1~deb10u1
 [24 Mar 2022] DSA-5108-1 tiff - security update
{CVE-2022-0561 CVE-2022-0562 CVE-2022-0865 CVE-2022-0891 CVE-2022-0907 
CVE-2022-0908 CVE-2022-0909 CVE-2022-0924 CVE-2022-22844}
[buster] - tiff 4.1.0+git191117-2~deb10u4
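
Review bot: the buster fix version 2.10.0-1~deb10u1 is a rebase onto the 2.10.0 upstream release (the unstable fix for the CVE-2021-322xx entries is 2.10.0-1 in the CVE/list context on this page), not cherry-picked patches on top of the buster version. That is a reasonable choice for a decoder library with this many fixes, but the advisory text should say so explicitly so users of faad2 and libfaad on buster expect a new upstream version and retest their consumers.
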


=
data/dsa-needed.txt
=
@@ -16,8 +16,6 @@ asterisk/oldstable
 --
 condor/oldstable
 --
-faad2/oldstable (jmm)
---
 fish/stable
 --
 freecad (aron)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46a79c1c8d006e50b74741d49fc30bc09292a067



[Git][security-tracker-team/security-tracker][master] qt ospu

2022-03-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cc35cfef by Moritz Mühlenhoff at 2022-03-27T21:13:37+02:00
qt ospu

- - - - -


2 changed files:

- data/CVE/list
- data/next-oldstable-point-update.txt


Changes:

=
data/CVE/list
=
@@ -7024,6 +7024,7 @@ CVE-2022-25256 (SAS Web Report Studio 4.4 allows XSS. 
/SASWebReportStudio/logonA
 CVE-2022-25255 (In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 
on Linux ...)
- qt6-base 
- qtbase-opensource-src 5.15.2+dfsg-15
+   [buster] - qtbase-opensource-src  (Breaks existing behaviour 
and upstream also skipped from 5.12 branch)
[stretch] - qtbase-opensource-src  (Vulnerable code 
introduced later)
- qtbase-opensource-src-gles 
NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/393113
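
Review bot: the status tag between the package name and the parenthesised reason is not visible in this rendering, so please double-check it: "Breaks existing behaviour and upstream also skipped from 5.12 branch" describes a deliberate won't-fix rather than a deferral, which in data/CVE/list is "ignored", not "no-dsa". The stretch line reads as not-affected for a different reason, and the companion hunk queues only CVE-2015-9541 for the buster point update, so CVE-2022-25255 will not reach buster either way; the tag should say so.
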


=
data/next-oldstable-point-update.txt
=
@@ -90,3 +90,5 @@ CVE-2020-15859
[buster] - qemu 1:3.1+dfsg-8+deb10u9
 CVE-2020-13253
[buster] - qemu 1:3.1+dfsg-8+deb10u9
+CVE-2015-9541
+   [buster] - qtbase-opensource-src 5.11.3+dfsg1-1+deb10u5



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc35cfefdc227440a4b5fc174b3d8af5cbf8d02a



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-1071/mruby

2022-03-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c2e864e1 by Salvatore Bonaccorso at 2022-03-27T21:10:29+02:00
Add CVE-2022-1071/mruby

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -266,7 +266,10 @@ CVE-2022-27494
 CVE-2022-26423
RESERVED
 CVE-2022-1071 (User after free in mrb_vm_exec in GitHub repository mruby/mruby 
prior  ...)
-   TODO: check
+   - mruby 
+   NOTE: https://huntr.dev/bounties/6597ece9-07af-415b-809b-919ce0a17cf3
+   NOTE: 
https://github.com/mruby/mruby/commit/aaa28a508903041dd7399d4159a8ace9766b022f
+   TODO: check where issue introduced and present before code refactoring
 CVE-2022-1070
RESERVED
 CVE-2022-1069
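
Review bot: the TODO asks where the issue was introduced and whether it predates the code refactoring, but no [bullseye]/[buster] line is added, so until the TODO is resolved the whole entry is an unfixed issue affecting every release. Consider adding the release lines with a provisional reason, or recording the upstream version range from the huntr report in the TODO, so the open question is scoped to one check rather than the whole entry. The "User after free" wording in the description comes from the upstream CVE text and should be left as is.
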



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2e864e1b3bfce4c4e17daeb70a9bafcccd0e7d4



[Git][security-tracker-team/security-tracker][master] Update information on CVE-2022-279{39,40,41,42}/tcpreplay

2022-03-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9c2e5279 by Salvatore Bonaccorso at 2022-03-27T13:36:26+02:00
Update information on CVE-2022-279{39,40,41,42}/tcpreplay

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17,17 +17,21 @@ CVE-2022-27944
 CVE-2022-27943 (libiberty/rust-demangle.c in GNU GCC 11.2 allows stack 
consumption in  ...)
TODO: check
 CVE-2022-27942 (tcpprep in Tcpreplay 4.4.1 has a heap-based buffer over-read 
in parse_ ...)
-   - tcpreplay 
+   - tcpreplay  (unimportant)
NOTE: https://github.com/appneta/tcpreplay/issues/719
+   NOTE: Crash in CLI tool, no security impact
 CVE-2022-27941 (tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer 
over-read in get ...)
-   - tcpreplay 
+   - tcpreplay  (unimportant)
NOTE: https://github.com/appneta/tcpreplay/issues/716
+   NOTE: Crash in CLI tool, no security impact
 CVE-2022-27940 (tcprewrite in Tcpreplay 4.4.1 has a heap-based buffer 
over-read in get ...)
-   - tcpreplay 
+   - tcpreplay  (unimportant)
NOTE: https://github.com/appneta/tcpreplay/issues/718
+   NOTE: Crash in CLI tool, no security impact
 CVE-2022-27939 (tcprewrite in Tcpreplay 4.4.1 has a reachable assertion in 
get_layer4_ ...)
-   - tcpreplay 
+   - tcpreplay  (unimportant)
NOTE: https://github.com/appneta/tcpreplay/issues/717
+   NOTE: Crash in CLI tool, no security impact
 CVE-2022-27938 (stb_image.h (aka the stb image loader) 2.19, as used in 
libsixel and o ...)
TODO: check
 CVE-2022-27937
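
Review bot: "Crash in CLI tool, no security impact" fits CVE-2022-27939 (a reachable assertion), but the other three entries are heap-based buffer over-reads per their description lines (CVE-2022-27940, -27941, -27942), and an over-read is an information-disclosure primitive, not only a crash. The unimportant rating is still defensible on the usual argument that tcprewrite and tcpprep are run by the user on pcap files of their own choosing, but that is the argument to record; suggest "Crash/OOB read in CLI tool operating on user-supplied pcap files, no security impact" so the rationale survives if the rating is questioned later.
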



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c2e527913bf75c2f525873eca8d3957b9e80f2b



[Git][security-tracker-team/security-tracker][master] Add details for CVE-2018-25032

2022-03-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
52278d11 by Salvatore Bonaccorso at 2022-03-27T11:57:15+02:00
Add details for CVE-2018-25032

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -329,6 +329,8 @@ CVE-2018-25032 (zlib 1.2.11 allows memory corruption when 
deflating (i.e., when
- zlib 1:1.2.11.dfsg-4 (bug #1008265)
NOTE: 
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
NOTE: https://www.openwall.com/lists/oss-security/2022/03/24/1
+   NOTE: Details: https://www.openwall.com/lists/oss-security/2022/03/26/1
+   NOTE: https://www.openwall.com/lists/oss-security/2022/03/27/1
 CVE-2022-27843
RESERVED
 CVE-2022-27842
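
Review bot: the second added NOTE (the 2022/03/27/1 oss-security post) carries no label while the line above it is prefixed "Details:", so a reader cannot tell whether it is a follow-up analysis or a status update without opening it. Give it a short label in the same style as the other reference lines in this entry so the entry stays scannable.
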



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52278d1156a2739a72b796a564a4b61ff4f96293



[Git][security-tracker-team/security-tracker][master] claim libvirt

2022-03-27 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3ac2ec3b by Thorsten Alteholz at 2022-03-27T11:52:40+02:00
claim libvirt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -68,6 +68,8 @@ liblouis
 --
 libpgjava
 --
+libvirt (Thorsten Alteholz)
+--
 libxml2 (Anton)
 --
 linux (Ben Hutchings)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ac2ec3b43b1c8480818845b487264111ad5e3d0



[Git][security-tracker-team/security-tracker][master] mark temporary weechat CVE as not-affected for Stretch

2022-03-27 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5ec91425 by Thorsten Alteholz at 2022-03-27T11:36:12+02:00
mark temporary weechat CVE as not-affected for Stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -728,6 +728,7 @@ CVE-2022-1056
RESERVED
 CVE-2022- [Possible man-in-the-middle attack in TLS connection to servers]
- weechat 3.4.1-1
+   [stretch] - weechat  (Vulnerable code introduced later)
NOTE: https://weechat.org/doc/security/WSA-2022-1/
NOTE: https://github.com/weechat/weechat/issues/1763
NOTE: Fixed by: 
https://github.com/weechat/weechat/commit/710247891cdfd4e66ee6d1715e93626def6871f1
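
Review bot: the stretch line gives "Vulnerable code introduced later" as the reason but not the version, whereas other entries on this list pin it ("introduced in 2.8.2", "introduced in 2.0"). Since the entry still carries a temporary CVE- placeholder and the fix reference is the upstream commit, recording the introducing weechat version or commit now will save re-checking when the real CVE id is assigned and the entry is reconciled.
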



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ec914250f01f12bca260fe3ad4776a37504071e



[Git][security-tracker-team/security-tracker][master] Associate CVE-2022-27820/zaproxy, itp'ed

2022-03-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ab809a26 by Salvatore Bonaccorso at 2022-03-27T11:32:57+02:00
Associate CVE-2022-27820/zaproxy, itped

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -376,7 +376,7 @@ CVE-2022-27822
 CVE-2022-27821
RESERVED
 CVE-2022-27820 (OWASP Zed Attack Proxy (ZAP) through w2022-03-21 does not 
verify the T ...)
-   NOT-FOR-US: OWASP Zed Attack Proxy
+   - zaproxy  (bug #897142)
 CVE-2022-27819
RESERVED
 CVE-2022-27818
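
Review bot: switching from NOT-FOR-US to a package line with the ITP bug (#897142) matches the commit message, but status tags are not rendered in this mail, so please confirm the line carries the itp tag rather than an unfixed one: without it the tracker would show zaproxy as an unfixed package in the archive although it has not been uploaded yet, and the per-release views would list it as affected.
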



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab809a26654b29ffa35076ed6aeea21165778784



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2022-27920/libkiwix

2022-03-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9c618ed0 by Salvatore Bonaccorso at 2022-03-27T11:23:41+02:00
Add Debian bug reference for CVE-2022-27920/libkiwix

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -73,7 +73,7 @@ CVE-2022-27922
 CVE-2022-27921
RESERVED
 CVE-2022-27920 (libkiwix 10.0.0 and 10.0.1 allows XSS in the built-in 
webserver functi ...)
-   - libkiwix 
+   - libkiwix  (bug #1008483)
[bullseye] - libkiwix  (Vulnerable code introduced later)
[buster] - libkiwix  (Vulnerable code introduced later)
NOTE: https://github.com/kiwix/libkiwix/issues/728



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c618ed07bd1416042a629e9dd658d6122ab2a2b



[Git][security-tracker-team/security-tracker][master] Update status for CVE-2022-27920/libkiwix

2022-03-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
942ca0fb by Salvatore Bonaccorso at 2022-03-27T11:11:56+02:00
Update status for CVE-2022-27920/libkiwix

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -74,6 +74,8 @@ CVE-2022-27921
RESERVED
 CVE-2022-27920 (libkiwix 10.0.0 and 10.0.1 allows XSS in the built-in 
webserver functi ...)
- libkiwix 
+   [bullseye] - libkiwix  (Vulnerable code introduced later)
+   [buster] - libkiwix  (Vulnerable code introduced later)
NOTE: https://github.com/kiwix/libkiwix/issues/728
NOTE: https://github.com/kiwix/libkiwix/pull/721
 CVE-2022-27919 (Gradle Enterprise before 2022.1 allows remote code execution 
if the in ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/942ca0fb1d3a30f4976e3d729e38bec12853ec99



[Git][security-tracker-team/security-tracker][master] buster/bullseye triage

2022-03-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eed55818 by Moritz Muehlenhoff at 2022-03-27T10:50:02+02:00
buster/bullseye triage
one lemonldap-ng issue n/a for stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -773,6 +773,8 @@ CVE-2022-1050
RESERVED
 CVE-2022-1049 (A flaw was found in the Pacemaker configuration tool (pcs). The 
pcs da ...)
- pcs 
+   [bullseye] - pcs  (Minor issue)
+   [buster] - pcs  (Minor issue)
NOTE: https://huntr.dev/bounties/7aa921fc-a568-4fd8-96f4-7cd826246aa5
NOTE: 
https://github.com/ClusterLabs/pcs/commit/fb860005117dc9e092649687dfa1304fb423efc5
 CVE-2022-1048 [race condition in snd_pcm_hw_free leading to use-after-free]
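
Review bot: both release lines are added with "(Minor issue)" and no rationale, although the CVE text in the context line describes a flaw in the Pacemaker configuration tool (pcs) itself. A short reason in the parenthesis (what the flaw requires to be reachable, or why the default configuration is not exposed) would let the LTS team reuse the assessment for stretch instead of redoing it; the same applies to the libvirt hunk in this commit.
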
@@ -2995,6 +2997,8 @@ CVE-2022-0898
RESERVED
 CVE-2022-0897 (A flaw was found in the libvirt nwfilter driver. The 
virNWFilterObjLis ...)
- libvirt 
+   [bullseye] - libvirt  (Minor issue)
+   [buster] - libvirt  (Minor issue)
NOTE: 
https://gitlab.com/libvirt/libvirt/-/commit/a4947e8f63c3e6b7b067b444f3d6cf674c0d7f36
 CVE-2022-0896 (Improper Neutralization of Special Elements Used in a Template 
Engine  ...)
NOT-FOR-US: microweber
@@ -35592,7 +35596,7 @@ CVE-2021-40874 [RESTServer pwdConfirm always returns 
true with Combination + Ker
- lemonldap-ng 2.0.14+ds-1 (bug #1005302)
[bullseye] - lemonldap-ng 2.0.11+ds-4+deb11u1
[buster] - lemonldap-ng 2.0.2+ds-7+deb10u7
-   [stretch] - lemonldap-ng  (Minor issue)
+   [stretch] - lemonldap-ng  (Vulnerable code introduced in 
2.0)
NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2612
NOTE: 
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/66946e8f754812b375768c2124937137c856fe0c
 CVE-2021-40873 (An issue was discovered in Softing Industrial Automation OPC 
UA C++ SD ...)
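
Review bot: stretch moves from "(Minor issue)" to "(Vulnerable code introduced in 2.0)", i.e. from deferred to not-affected; that is the stronger claim, and the NOTE lines cite only the issue and the fix commit, not the change that introduced the pwdConfirm path named in the entry title. Add that reference, or the stretch version shipped for comparison with the 2.0 boundary, so the not-affected status is verifiable rather than inferred.
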



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eed55818c5c182b1943d2cf5c8a1a6b97e4c508a



[Git][security-tracker-team/security-tracker][master] automatic update

2022-03-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fadbbca1 by security tracker role at 2022-03-27T08:10:10+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,11 @@
+CVE-2022-1110
+   RESERVED
+CVE-2022-1109
+   RESERVED
+CVE-2022-1108
+   RESERVED
+CVE-2022-1107
+   RESERVED
 CVE-2022-27947 (NETGEAR R8500 1.0.2.158 devices allow remote authenticated 
users to ex ...)
NOT-FOR-US: NETGEAR
 CVE-2022-27946 (NETGEAR R8500 1.0.2.158 devices allow remote authenticated 
users to ex ...)
@@ -3369,8 +3377,8 @@ CVE-2022-26622
RESERVED
 CVE-2022-26621
RESERVED
-CVE-2022-26620
-   RESERVED
+CVE-2022-26620 (Akeo Consulting Rufus Executable 3.17.1846 and Rufus Portable 
Executab ...)
+   TODO: check
 CVE-2022-26619
RESERVED
 CVE-2022-26618
@@ -4435,8 +4443,8 @@ CVE-2022-26207 (Totolink A830R V5.9c.4729_B20191112, 
A3100R V4.1.2cu.5050_B20200
NOT-FOR-US: Totolink
 CVE-2022-26206 (Totolink A830R V5.9c.4729_B20191112, A3100R 
V4.1.2cu.5050_B20200504, A ...)
NOT-FOR-US: Totolink
-CVE-2022-26205
-   RESERVED
+CVE-2022-26205 (Marky commit 3686565726c65756e was discovered to contain a 
remote code ...)
+   TODO: check
 CVE-2022-26204
RESERVED
 CVE-2022-26203
@@ -4445,12 +4453,12 @@ CVE-2022-26202
RESERVED
 CVE-2022-26201 (Victor CMS v1.0 was discovered to contain a SQL injection 
vulnerabilit ...)
NOT-FOR-US: Victor CMS
-CVE-2022-26200
-   RESERVED
+CVE-2022-26200 (Technitium Installer v4.4 was discovered to allow attackers to 
execute ...)
+   TODO: check
 CVE-2022-26199
RESERVED
-CVE-2022-26198
-   RESERVED
+CVE-2022-26198 (Notable v1.8.4 does not filter text editing, allowing 
attackers to exe ...)
+   TODO: check
 CVE-2022-26197 (Joget DX 7 was discovered to contain a cross-site scripting 
(XSS) vuln ...)
NOT-FOR-US: Joget
 CVE-2022-26196



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fadbbca1b6b541e994116f6f1b6369733050746b
