[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 796c0764 by Salvatore Bonaccorso at 2022-04-04T07:58:52+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,13 +1,13 @@ CVE-2022-28381 (Mediaserver.exe in ALLMediaServer 1.6 has a stack-based buffer overflo ...) - TODO: check + NOT-FOR-US: ALLMediaServer CVE-2022-28380 (The rc-httpd component through 2022-03-31 for 9front (Plan 9 fork) all ...) TODO: check CVE-2022-28379 (jc21.com Nginx Proxy Manager before 2.9.17 allows XSS during item dele ...) - TODO: check + NOT-FOR-US: jc21.com Nginx Proxy Manager CVE-2022-28378 (Craft CMS before 3.7.29 allows XSS. ...) - TODO: check + NOT-FOR-US: Craft CMS CVE-2022-1211 (A vulnerability classified as critical has been found in tildearrow Fu ...) - TODO: check + NOT-FOR-US: tildearrow Furnace CVE-2022-28377 RESERVED CVE-2022-28376 (Verizon LVSKIHP 5G outside devices through 2022-02-15 allow anyone (kn ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/796c0764330be6cdeff8cbb32420648baefb95ff You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
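Review bot: CVE-2022-28380 (rc-httpd for 9front) is the one entry in this hunk left at TODO: check while its four neighbours are resolved to NOT-FOR-US; if it was deferred on purpose, a NOTE saying so (or naming what still has to be checked) would stop the next triage pass from redoing the lookup.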
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2021-33061/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ce78f51e by Salvatore Bonaccorso at 2022-04-04T07:12:03+02:00 Update information on CVE-2021-33061/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -56206,8 +56206,9 @@ CVE-2021-33063 (Uncontrolled search path in the Intel(R) RealSense(TM) D400 Seri CVE-2021-33062 (Incorrect default permissions in the software installer for the Intel( ...) NOT-FOR-US: Intel CVE-2021-33061 (Insufficient control flow management for the Intel(R) 82599 Ethernet C ...) + - linux + NOTE: https://git.kernel.org/linus/008ca35f6e87be1d60b6af3d1ae247c6d5c2531d (5.18-rc1) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00571.html - TODO: check, might affect the src:linux ixgbe driver CVE-2021-33060 RESERVED CVE-2021-33059 (Improper input validation in the Intel(R) Administrative Tools for Int ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce78f51e42a855fa38bd0e97a608489b79702e4f
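Review bot: the removed TODO line carried the only pointer to the affected component (the src:linux ixgbe driver), and the replacement keeps just the upstream commit and the Intel advisory URL; preserving that detail as a NOTE (e.g. `NOTE: affects the ixgbe driver`) makes the later bullseye/buster assessment easier, and the bare `- linux` without a fixed version should get one once the 5.18-rc1 fix, or a backport of it, reaches a Debian upload.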
[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ced45790 by Moritz Muehlenhoff at 2022-04-03T22:19:50+02:00 buster/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -4053,6 +4053,8 @@ CVE-2022-26884 CVE-2022-0934 RESERVED - dnsmasq + [bullseye] - dnsmasq (Minor issue) + [buster] - dnsmasq (Minor issue) NOTE: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2022q1/016272.html CVE-2022-0933 RESERVED @@ -5560,11 +5562,11 @@ CVE-2022-0815 (Improper access control vulnerability in McAfee WebAdvisor Chrome CVE-2022-0814 RESERVED CVE-2022-0813 (PhpMyAdmin 5.1.1 and before allows an attacker to retrieve potentially ...) - - phpmyadmin 4:5.1.3+dfsg1-1 - [stretch] - phpmyadmin (Minor issue) + - phpmyadmin 4:5.1.3+dfsg1-1 (unimportant) NOTE: https://www.phpmyadmin.net/news/2022/2/11/phpmyadmin-4910-and-513-are-released/ NOTE: https://www.incibe-cert.es/en/early-warning/security-advisories/phpmyadmin-exposure-sensitive-information NOTE: Fixed by: https://github.com/phpmyadmin/phpmyadmin/commit/c04f85f2bb96c442086d9ad057953567cc794486 + NOTE: Negligible security impact CVE-2022-0811 (A flaw was found in CRI-O in the way it set kernel options for a pod. ...) NOT-FOR-US: cri-o CVE-2022-26333 
@@ -8212,18 +8214,24 @@ CVE-2022-25311 (A vulnerability has been identified in SINEC NMS (All versions). CVE-2022-25310 RESERVED - fribidi (bug #1008793) + [bullseye] - fribidi (Minor issue) + [buster] - fribidi (Minor issue) NOTE: https://github.com/fribidi/fribidi/issues/183 NOTE: https://github.com/fribidi/fribidi/pull/186 NOTE: https://github.com/fribidi/fribidi/commit/175850b03e1af251d705c1d04b2b9b3c1c06e48f CVE-2022-25309 RESERVED - fribidi (bug #1008793) + [bullseye] - fribidi (Minor issue) + [buster] - fribidi (Minor issue) NOTE: https://github.com/fribidi/fribidi/issues/182 NOTE: https://github.com/fribidi/fribidi/pull/185 NOTE: https://github.com/fribidi/fribidi/commit/f22593b82b5d1668d1997dbccd10a9c31ffea3b3 CVE-2022-25308 RESERVED - fribidi (bug #1008793) + [bullseye] - fribidi (Minor issue) + [buster] - fribidi (Minor issue) NOTE: https://github.com/fribidi/fribidi/issues/181 NOTE: https://github.com/fribidi/fribidi/pull/184 NOTE: https://github.com/fribidi/fribidi/commit/ad3a19e6372b1e667128ed1ea2f49919884587e1 @@ -8399,6 +8407,7 @@ CVE-2022-25255 (In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on [buster] - qtbase-opensource-src (Breaks existing behaviour and upstream also skipped from 5.12 branch) [stretch] - qtbase-opensource-src (Vulnerable code introduced later) - qtbase-opensource-src-gles + [buster] - qtbase-opensource-src-gles (Breaks existing behaviour and upstream also skipped from 5.12 branch) NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/393113 NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/394914 NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/396020 
@@ -10353,8 +10362,8 @@ CVE-2022-24616 RESERVED CVE-2022-24615 (zip4j up to 2.9.0 can throw various uncaught exceptions while parsing ...) - zip4j + [bullseye] - zip4j (Minor issue) NOTE: https://github.com/srikanth-lingala/zip4j/issues/377 - TODO: check details CVE-2022-24614 (When reading a specially crafted JPEG file, metadata-extractor up to 2 ...) - libmetadata-extractor-java [bullseye] - libmetadata-extractor-java (Minor issue) @@ -26609,6 +26618,7 @@ CVE-2021-43810 (Admidio is a free open source user management system for website NOT-FOR-US: Admidio CVE-2021-43809 (`Bundler` is a package for managing application dependencies in Ruby. ...) - rubygems 3.3.5-1 + [bullseye] - rubygems (Minor issue) NOTE: https://github.com/rubygems/rubygems/security/advisories/GHSA-fj7f-vq84-fh43 NOTE: https://github.com/rubygems/rubygems/commit/90b1ed8b9f8b636aa8c913f7b5a764a2e03d179c (v3.3.0) NOTE: https://github.com/rubygems/rubygems/pull/5142 @@ -27692,6 +27702,7 @@ CVE-2021-43726 RESERVED CVE-2021-43725 (There is a Cross Site Scripting (XSS) vulnerability in SpotPage_login. ...) - spotweb + [buster] - spotweb (Minor issue) NOTE: https://github.com/spotweb/spotweb/commit/2bfa001689aae96009688a193c64478647ba45a1 NOTE: https://github.com/spotweb/spotweb/issues/718 CVE-2021-43724 (A Cross Site Scripting (XSS) vulnerability exits in Subrion CMS throug ...) @@ -52582,6 +52593,7 @@ CVE-2021-34558 (The crypto/tls package of Go throu
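Review bot: in the CVE-2022-25255 hunk, qtbase-opensource-src-gles gains the [buster] annotation mirroring qtbase-opensource-src, but not the [stretch] line (Vulnerable code introduced later) that the main source carries two lines above; if the -gles source also exists in stretch it needs the same annotation, and if it does not, a NOTE saying so would avoid the question on the next pass.

Review bot: the CVE-2022-24615 hunk drops `TODO: check details` and adds a bullseye Minor issue rating without recording what the check found; since the description visible in the hunk only mentions uncaught exceptions while parsing, a one-line NOTE with the conclusion (for instance, crash on a malformed archive and nothing more) would justify the rating for whoever revisits it, and it is worth confirming whether zip4j also ships in buster, which gets no annotation here.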
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: update note for ring, claim mitmproxy
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e57e78f by Abhijith PA at 2022-04-04T01:42:05+05:30 data/dla-needed.txt: update note for ring, claim mitmproxy - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -97,7 +97,7 @@ mbedtls (Utkarsh) minidlna (Thorsten Alteholz) NOTE: 20220327: update other releases first -- -mitmproxy +mitmproxy (Abhijith PA) -- nvidia-cuda-toolkit NOTE: 20220331: package is in non-free but also in packages-to-support (Beuc) @@ -125,6 +125,8 @@ qemu (Emilio) -- ring (Abhijith PA) NOTE: 20220314: https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc + NOTE: 20220404: package in archive is faulty. New regs can't be done due (abhijith) + NOTE: 20220404: a network error (abhijith -- samba NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/samba/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e57e78fe1ce005b6e87a44fd79a62212b9406cf
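Review bot: the two NOTE lines added under ring read as one sentence cut in half ("New regs can't be done due" / "a network error (abhijith") and the second one is missing its closing parenthesis; merge them into a single `NOTE: 20220404: ...` line carrying the whole sentence and a closed `(abhijith)`, so the entry follows the same shape as the `NOTE: 20220314:` line directly above it.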
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cd359505 by security tracker role at 2022-04-03T20:10:22+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,13 @@ +CVE-2022-28381 (Mediaserver.exe in ALLMediaServer 1.6 has a stack-based buffer overflo ...) + TODO: check +CVE-2022-28380 (The rc-httpd component through 2022-03-31 for 9front (Plan 9 fork) all ...) + TODO: check +CVE-2022-28379 (jc21.com Nginx Proxy Manager before 2.9.17 allows XSS during item dele ...) + TODO: check +CVE-2022-28378 (Craft CMS before 3.7.29 allows XSS. ...) + TODO: check +CVE-2022-1211 (A vulnerability classified as critical has been found in tildearrow Fu ...) + TODO: check CVE-2022-28377 RESERVED CVE-2022-28376 (Verizon LVSKIHP 5G outside devices through 2022-02-15 allow anyone (kn ...) @@ -54,8 +64,7 @@ CVE-2022-28354 RESERVED CVE-2022-28353 RESERVED -CVE-2022-1210 [Tiff conversion to PS crashed due to incorrect memory size request] - RESERVED +CVE-2022-1210 (A vulnerability classified as problematic was found in LibTIFF 4.3.0. ...) - tiff NOTE: https://gitlab.com/libtiff/libtiff/-/issues/402 CVE-2021-46782 
@@ -768,31 +777,37 @@ CVE-2022-1147 RESERVED CVE-2022-1146 RESERVED + {DSA-5112-1} - chromium 100.0.4896.60-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-1145 RESERVED + {DSA-5112-1} - chromium 100.0.4896.60-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-1144 RESERVED + {DSA-5112-1} - chromium 100.0.4896.60-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-1143 RESERVED + {DSA-5112-1} - chromium 100.0.4896.60-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-1142 RESERVED + {DSA-5112-1} - chromium 100.0.4896.60-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-1141 RESERVED + {DSA-5112-1} - chromium 100.0.4896.60-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) 
@@ -800,66 +815,79 @@ CVE-2022-1140 RESERVED CVE-2022-1139 RESERVED + {DSA-5112-1} - chromium 100.0.4896.60-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-1138 RESERVED + {DSA-5112-1} - chromium 100.0.4896.60-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-1137 RESERVED + {DSA-5112-1} - chromium 100.0.4896.60-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-1136 RESERVED + {DSA-5112-1} - chromium 100.0.4896.60-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-1135 RESERVED + {DSA-5112-1} - chromium 100.0.4896.60-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-1134 RESERVED + {DSA-5112-1} - chromium 100.0.4896.60-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-1133 RESERVED + {DSA-5112-1} - chromium 100.0.4896.60-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-1132 RESERVED + {DSA-5112-1} - chromium 100.0.4896.60-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-1131 RESERVED + {DSA-5112-1} - chromium 100.0.4896.60-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-1130 RESERVED + {DSA-5112-1} - chromium 100.0.4896.60-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-1129 RESERVED + {DSA-5112-1} - chromium 100.0.4896.60-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-1128 RESERVED + {DSA-5112-1} - chromium 100.0.4896.60-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-1127 RESERVED + {DSA-5112-1} - chromium 100.0.4896.60-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) @@ -867,6 +895,7 @@ CVE-2022-1126 RESERVED CVE-2022-1125 RESERVED + {DSA-5112-1} - chromium 100.0.4896.60-1 [
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-1201/mruby
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 89fb4a36 by Salvatore Bonaccorso at 2022-04-03T20:56:08+02:00 Add CVE-2022-1201/mruby - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -135,7 +135,9 @@ CVE-2022-1203 CVE-2022-1202 RESERVED CVE-2022-1201 (NULL Pointer Dereference in mrb_vm_exec with super in GitHub repositor ...) - TODO: check + - mruby + NOTE: https://huntr.dev/bounties/6f930add-c9d8-4870-ae56-d4bd8354703b + NOTE: https://github.com/mruby/mruby/commit/00acae117da1b45b318dc36531a7b0021b8097ae CVE-2022-28327 RESERVED CVE-2022-28326 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/89fb4a36e95c3b76d605c7013777d51c758b36aa
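Review bot: the CVE-2022-1201 entry records the fixing upstream commit but neither a fixed Debian version nor any bullseye/buster assessment; the description in the hunk is a NULL pointer dereference in mrb_vm_exec, so if the huntr report confirms a plain crash, a `(Minor issue)` annotation for the stable suites would complete the triage, and the Debian version that picks up 00acae117da1b45b318dc36531a7b0021b8097ae should be added once it is uploaded.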
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 58797533 by Salvatore Bonaccorso at 2022-04-03T20:54:59+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -49,7 +49,7 @@ CVE-2022-28356 (In the Linux kernel before 5.17.1, a refcount leak bug was found - linux 5.16.18-1 NOTE: https://git.kernel.org/linus/764f4eb6846f5475f1244767d24d25dd86528a4a CVE-2022-28355 (randomUUID in Scala.js before 1.10.0 generates predictable values. ...) - TODO: check + NOT-FOR-US: Scala.js CVE-2022-28354 RESERVED CVE-2022-28353 @@ -1478,7 +1478,7 @@ CVE-2022-27864 CVE-2022-27186 RESERVED CVE-2022-27177 (A Python format string issue leading to information disclosure and pot ...) - TODO: check + NOT-FOR-US: Netflix ConsoleMe CVE-2022-27171 RESERVED CVE-2022-26371 @@ -2998,7 +2998,7 @@ CVE-2022-25880 (Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) CVE-2022-1019 RESERVED CVE-2022-1018 (When opening a malicious solution file provided by an attacker, the ap ...) - TODO: check + NOT-FOR-US: Rockwell Automation CVE-2022-27172 RESERVED CVE-2022-1017 @@ -4125,7 +4125,7 @@ CVE-2022-26850 CVE-2022-0923 (Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a ...) NOT-FOR-US: Delta Electronics CVE-2022-0922 (The software does not perform any authentication for critical system f ...) - TODO: check + NOT-FOR-US: Rockwell Automation CVE-2022-0921 (Abusing Backup/Restore feature to achieve Remote Code Execution in Git ...) NOT-FOR-US: microweber CVE-2022-0920 @@ -10705,7 +10705,7 @@ CVE-2022-24428 CVE-2022-24427 RESERVED CVE-2022-24426 (Dell Command | Update, Dell Update, and Alienware Update versions prio ...) - TODO: check + NOT-FOR-US: Dell CVE-2022-24425 RESERVED CVE-2022-24424 
@@ -11666,7 +11666,7 @@ CVE-2022-24183 CVE-2022-24182 RESERVED CVE-2022-24181 (Cross-site scripting (XSS) via Host Header injection in PKP Open Journ ...) - TODO: check + NOT-FOR-US: PKP Open Journals System CVE-2022-24180 RESERVED CVE-2022-24179 @@ -13128,7 +13128,7 @@ CVE-2021-46445 (H.H.G Multistore v5.1.0 and below was discovered to contain a SQ CVE-2021-46444 (H.H.G Multistore v5.1.0 and below was discovered to contain a SQL inje ...) NOT-FOR-US: H.H.G Multistore CVE-2021-46443 (Spoofer 1.4.6 suffers from unquoted service paths vulnerability. An at ...) - TODO: check + NOT-FOR-US: Spoofer CVE-2021-46442 RESERVED CVE-2021-46441 @@ -13136,7 +13136,7 @@ CVE-2021-46441 CVE-2021-46440 RESERVED CVE-2021-46439 (The WinSEGAV AutoConfig service in EG Free Antivirus v2020 suffers fro ...) - TODO: check + NOT-FOR-US: EG Free Antivirus CVE-2021-46438 RESERVED CVE-2021-46437 @@ -15622,13 +15622,13 @@ CVE-2022-23160 CVE-2022-23159 RESERVED CVE-2022-23158 (Wyse Device Agent version 14.6.1.4 and below contain a sensitive data ...) - TODO: check + NOT-FOR-US: Dell CVE-2022-23157 (Wyse Device Agent version 14.6.1.4 and below contain a sensitive data ...) - TODO: check + NOT-FOR-US: Dell CVE-2022-23156 (Wyse Device Agent version 14.6.1.4 and below contain an Improper Authe ...) - TODO: check + NOT-FOR-US: Dell CVE-2022-23155 (Dell Wyse Management Suite versions 2.0 through 3.5.2 contain an unres ...) - TODO: check + NOT-FOR-US: Dell CVE-2022-23154 RESERVED CVE-2022-23153 @@ -22060,7 +22060,7 @@ CVE-2022-21949 CVE-2022-21948 RESERVED CVE-2022-21947 (A Improper Access Control vulnerability in Rancher Desktop of SUSE all ...) - TODO: check + NOT-FOR-US: Rancher CVE-2022-21946 (A Improper Privilege Management vulnerability in the sudoers configura ...) NOT-FOR-US: SUSE cscreen CVE-2022-21945 (A Insecure Temporary File vulnerability in cscreen of openSUSE Factory ...) 
@@ -27668,7 +27668,7 @@ CVE-2021-43724 (A Cross Site Scripting (XSS) vulnerability exits in Subrion CMS CVE-2021-43723 RESERVED CVE-2021-43722 (D-Link DIR-645 1.03 A1 is vulnerable to Buffer Overflow. The hnap_main ...) - TODO: check + NOT-FOR-US: D-Link CVE-2021-43721 (Leanote 2.7.0 is vulnerable to Cross Site Scripting (XSS) in the markd ...) NOT-FOR-US: Leanote CVE-2021-43720 @@ -27698,7 +27698,7 @@ CVE-2021-43709 CVE-2021-43708 RESERVED CVE-2021-43707 (Cross Site Scripting (XSS) vulnerability exists in Maccms v10 via link ...) - TODO: check + NOT-FOR-US: Maccms CVE-2021-43706 RESERVED CVE-2021-43705 @@ -47261,9 +47261,9 @@ CVE-2021-36778 CVE-2021-36777 (A Reliance on Untrusted Inputs in a Security Decision vulnerability in ...) NOT-FOR-US: OpenSuSE infr
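Review bot: in the CVE-2022-27177 hunk the NOT-FOR-US target (Netflix ConsoleMe) cannot be derived from the truncated description shown ("A Python format string issue leading to information disclosure and pot..."), unlike the other hunks in this commit where the vendor appears in the description itself; a NOTE with the advisory URL would let the NFU be verified without re-searching the CVE.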
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-28368/php-dompdf
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 780b7413 by Salvatore Bonaccorso at 2022-04-03T20:45:40+02:00 Add CVE-2022-28368/php-dompdf - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17,7 +17,12 @@ CVE-2022-28370 CVE-2022-28369 RESERVED CVE-2022-28368 (Dompdf 1.2.1 allows remote code execution via a .php file in the src:u ...) - TODO: check + - php-dompdf + NOTE: https://snyk.io/blog/security-alert-php-pdf-library-dompdf-rce/ + NOTE: https://positive.security/blog/dompdf-rce + NOTE: https://github.com/dompdf/dompdf/issues/2598 + NOTE: https://github.com/dompdf/dompdf/pull/2808 + NOTE: https://github.com/dompdf/dompdf/commit/4c70e1025bcd9b7694b95dd552499bd83cd6141d (v1.2.1) CVE-2022-28367 RESERVED CVE-2022-28366 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/780b7413f3f6399b3be985e543451702665f5b98
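Review bot: the CVE description in the hunk says Dompdf 1.2.1 "allows remote code execution" while the last NOTE tags the fixing commit as (v1.2.1); the two cannot both be read literally, and since the affected/fixed boundary decides which php-dompdf version gets recorded, an explicit NOTE stating which upstream release contains the fix would help before the bare `- php-dompdf` entry gets a fixed version and its bullseye/buster assessment.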
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bc8f8907 by Salvatore Bonaccorso at 2022-04-03T20:44:17+02:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2022-28377 RESERVED CVE-2022-28376 (Verizon LVSKIHP 5G outside devices through 2022-02-15 allow anyone (kn ...) - TODO: check + NOT-FOR-US: Verizon CVE-2022-28375 RESERVED CVE-2022-28374 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc8f8907c40c02aa8a2ccfa6f7d844d035c38d1d
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-1210/tiff
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3278c74b by Salvatore Bonaccorso at 2022-04-03T20:36:04+02:00 Add CVE-2022-1210/tiff - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -49,8 +49,10 @@ CVE-2022-28354 RESERVED CVE-2022-28353 RESERVED -CVE-2022-1210 +CVE-2022-1210 [Tiff conversion to PS crashed due to incorrect memory size request] RESERVED + - tiff + NOTE: https://gitlab.com/libtiff/libtiff/-/issues/402 CVE-2021-46782 RESERVED CVE-2021-46781 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3278c74b9a956df885b4ad452ed1c23206b3342c
[Git][security-tracker-team/security-tracker][master] chromium DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5046fc60 by Moritz Mühlenhoff at 2022-04-03T17:12:58+02:00 chromium DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[03 Apr 2022] DSA-5112-1 chromium - security update + {CVE-2022-1125 CVE-2022-1127 CVE-2022-1128 CVE-2022-1129 CVE-2022-1130 CVE-2022-1131 CVE-2022-1132 CVE-2022-1133 CVE-2022-1134 CVE-2022-1135 CVE-2022-1136 CVE-2022-1137 CVE-2022-1138 CVE-2022-1139 CVE-2022-1141 CVE-2022-1142 CVE-2022-1143 CVE-2022-1144 CVE-2022-1145 CVE-2022-1146} + [bullseye] - chromium 100.0.4896.60-1~deb11u1 [01 Apr 2022] DSA-5111-1 zlib - security update {CVE-2018-25032} [buster] - zlib 1:1.2.11.dfsg-1+deb10u1 = data/dsa-needed.txt = @@ -14,8 +14,6 @@ If needed, specify the release by adding a slash after the name of the source pa -- asterisk/oldstable -- -chromium/stable --- condor/oldstable -- fish/stable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5046fc6010939e7e7aef210d9d33cf4e874a3f22
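Review bot: the DSA-5112-1 CVE list skips CVE-2022-1126 and CVE-2022-1140 while covering every other id from CVE-2022-1125 to CVE-2022-1146; if those two are not Chromium issues fixed by 100.0.4896.60 the gap is intentional, but it deserves a second look, because an id missed here leaves its data/CVE/list entry without the {DSA-5112-1} cross-reference that the automatic update adds for the others.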
[Git][security-tracker-team/security-tracker][master] golang-github-russellhaering-goxmldsig spu/opsu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b3fa1e01 by Moritz Mühlenhoff at 2022-04-03T17:08:54+02:00 golang-github-russellhaering-goxmldsig spu/opsu - - - - - 2 changed files: - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -92,3 +92,5 @@ CVE-2020-13253 [buster] - qemu 1:3.1+dfsg-8+deb10u9 CVE-2015-9541 [buster] - qtbase-opensource-src 5.11.3+dfsg1-1+deb10u5 +CVE-2020-7711 + [buster] - golang-github-russellhaering-goxmldsig 0.0~git20170911.b7efc62-1+deb10u1 = data/next-point-update.txt = @@ -28,3 +28,5 @@ CVE-2022-21813 [bullseye] - nvidia-graphics-drivers 470.103.01-1~deb11u1 CVE-2021-39191 [bullseye] - libapache2-mod-auth-openidc 2.4.9.4-1+deb11u1 +CVE-2020-7711 + [bullseye] - golang-github-russellhaering-goxmldsig 1.1.0-1+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3fa1e015bb9c8bf19396d2e6f331b3697dd3228
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-28356/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 31850455 by Salvatore Bonaccorso at 2022-04-03T10:20:42+02:00 Add CVE-2022-28356/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41,7 +41,8 @@ CVE-2022-28358 CVE-2022-28357 RESERVED CVE-2022-28356 (In the Linux kernel before 5.17.1, a refcount leak bug was found in ne ...) - TODO: check + - linux 5.16.18-1 + NOTE: https://git.kernel.org/linus/764f4eb6846f5475f1244767d24d25dd86528a4a CVE-2022-28355 (randomUUID in Scala.js before 1.10.0 generates predictable values. ...) TODO: check CVE-2022-28354 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/318504554450a664ffb3bc3ac11a02258f8cf7b2
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d8dc4c5b by security tracker role at 2022-04-03T08:10:19+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,55 @@ +CVE-2022-28377 + RESERVED +CVE-2022-28376 (Verizon LVSKIHP 5G outside devices through 2022-02-15 allow anyone (kn ...) + TODO: check +CVE-2022-28375 + RESERVED +CVE-2022-28374 + RESERVED +CVE-2022-28373 + RESERVED +CVE-2022-28372 + RESERVED +CVE-2022-28371 + RESERVED +CVE-2022-28370 + RESERVED +CVE-2022-28369 + RESERVED +CVE-2022-28368 (Dompdf 1.2.1 allows remote code execution via a .php file in the src:u ...) + TODO: check +CVE-2022-28367 + RESERVED +CVE-2022-28366 + RESERVED +CVE-2022-28365 + RESERVED +CVE-2022-28364 + RESERVED +CVE-2022-28363 + RESERVED +CVE-2022-28362 + RESERVED +CVE-2022-28361 + RESERVED +CVE-2022-28360 + RESERVED +CVE-2022-28359 + RESERVED +CVE-2022-28358 + RESERVED +CVE-2022-28357 + RESERVED +CVE-2022-28356 (In the Linux kernel before 5.17.1, a refcount leak bug was found in ne ...) + TODO: check +CVE-2022-28355 (randomUUID in Scala.js before 1.10.0 generates predictable values. ...) + TODO: check +CVE-2022-28354 + RESERVED +CVE-2022-28353 + RESERVED +CVE-2022-1210 + RESERVED CVE-2021-46782 RESERVED CVE-2021-46781 @@ -1553,7 +1605,7 @@ CVE-2022-1061 (Heap Buffer Overflow in parseDragons in GitHub repository radareo NOTE: https://huntr.dev/bounties/a7546dae-01c5-4fb0-8a8e-c04ea4e9bac7 NOTE: https://github.com/radareorg/radare2/commit/d4ce40b516ffd70cf2e9e36832d8de139117d522 CVE-2018-25032 (zlib before 1.2.12 allows memory corruption when deflating (i.e., when ...) - {DSA-5111-1} + {DSA-5111-1 DLA-2968-1} - zlib 1:1.2.11.dfsg-4 (bug #1008265) - libz-mingw-w64 1.2.11+dfsg-5 [bullseye] - libz-mingw-w64 (Minor issue) 
@@ -2721,8 +2773,8 @@ CVE-2022-27308 RESERVED CVE-2022-27307 RESERVED -CVE-2022-27306 (The function url.parse() in Node.js v17.7.0 allows attackers to spoof ...) - TODO: check +CVE-2022-27306 + REJECTED CVE-2022-27305 RESERVED CVE-2022-27304 @@ -99734,6 +99786,7 @@ CVE-2020-28243 (An issue was discovered in SaltStack Salt before 3002.5. The min NOTE: Follow-up: https://github.com/saltstack/salt/commit/777ffe612e612fb443018c1d7983d4abe4632bb2 (v3002.6) NOTE: Follow-up doc: https://github.com/saltstack/salt/commit/903cfdcf6863b288fa41549bd991da6049962f54 (next commit) CVE-2020-28242 (An issue was discovered in Asterisk Open Source 13.x before 13.37.1, 1 ...) + {DLA-2969-1} - asterisk 1:16.15.0~dfsg-1 (bug #974713) [buster] - asterisk (Minor issue) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-29013 @@ -169450,6 +169503,7 @@ CVE-2019-18978 (An issue was discovered in the rack-cors (aka Rack CORS Middlewa CVE-2019-18977 RESERVED CVE-2019-18976 (An issue was discovered in res_pjsip_t38.c in Sangoma Asterisk through ...) + {DLA-2969-1} - asterisk 1:16.1.1~dfsg-1 [jessie] - asterisk (Vulnerable code not present) NOTE: https://downloads.asterisk.org/pub/security/AST-2019-008.html @@ -169979,7 +170033,7 @@ CVE-2019-18792 (An issue was discovered in Suricata 5.0.0. It is possible to byp CVE-2019-18791 (Lexmark printer MS812 and multiple older generation Lexmark devices ha ...) NOT-FOR-US: Lexmark CVE-2019-18790 (An issue was discovered in channels/chan_sip.c in Sangoma Asterisk 13. ...) - {DLA-2017-1} + {DLA-2969-1 DLA-2017-1} - asterisk 1:16.10.0~dfsg-1 (bug #947381) [buster] - asterisk 1:16.2.1~dfsg-1+deb10u2 NOTE: https://downloads.asterisk.org/pub/security/AST-2019-006.html 
@@ -172602,7 +172656,7 @@ CVE-2019-18612 (An issue was discovered in the AbuseFilter extension through 1.3 CVE-2019-18611 (An issue was discovered in the CheckUser extension through 1.34 for Me ...) NOT-FOR-US: CheckUser MediaWiki extension CVE-2019-18610 (An issue was discovered in manager.c in Sangoma Asterisk through 13.x, ...) - {DLA-2017-1} + {DLA-2969-1 DLA-2017-1} - asterisk 1:16.10.0~dfsg-1 (bug #947377) [buster] - asterisk 1:16.2.1~dfsg-1+deb10u2 NOTE: https://downloads.asterisk.org/pub/security/AST-2019-007.html @@ -191084,6 +191138,7 @@ CVE-2019-13163 (The Fujitsu TLS library allows a man-in-the-middle attack. This CVE-2019-13162 RESERVED CVE-2019-13161 (An issue was discovered in Asterisk Open Source through 13.27.0, 14.x ...) + {DLA-2969-1} - asterisk 1:16.2.1~dfsg-2 (low; bug #931981) [buster] - asterisk 1:16.2.1~dfsg-1+deb10u1 [jessie] - asterisk
[Git][security-tracker-team/security-tracker][master] Process CVE-2022-22963 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ca8e6420 by Salvatore Bonaccorso at 2022-04-03T09:15:56+02:00 Process CVE-2022-22963 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16102,7 +16102,7 @@ CVE-2022-22965 (A Spring MVC or Spring WebFlux application running on JDK 9+ may CVE-2022-22964 RESERVED CVE-2022-22963 (In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported v ...) - TODO: check + NOT-FOR-US: Spring Cloud Function CVE-2022-22962 RESERVED CVE-2022-22961 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca8e64209d0bc059ae884fd22885c37a58776e5f
[Git][security-tracker-team/security-tracker][master] 2 commits: Revert "Fix commit 4a2ad41"
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c649d21a by Salvatore Bonaccorso at 2022-04-03T09:12:36+02:00 Revert "Fix commit 4a2ad41" This reverts commit 13e69b7d5f5cf0e485f221f082f82a3f7865b8c0. - - - - - afddd50f by Salvatore Bonaccorso at 2022-04-03T09:13:01+02:00 Revert "asterisk in stretch not embed pjproject" You might want to make clear code is not present. But fixing it with a specific version does not seem right. This reverts commit 4a2ad41f8350c080e929b335f110a2d6dcd7b1a4. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -45042,8 +45042,7 @@ CVE-2021-37707 (Shopware is an open source eCommerce platform. Versions prior to NOT-FOR-US: Shopware CVE-2021-37706 (PJSIP is a free and open source multimedia communication library writt ...) {DLA-2962-1} - - asterisk - [stretch] - asterisk 1:13.14.1~dfsg-2+deb9u4 + - asterisk - pjproject - ring NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-29945 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/13e69b7d5f5cf0e485f221f082f82a3f7865b8c0...afddd50fb2fcdd60d09d4c4ba3dc4241b8e0d9fe
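Review bot: after the revert the stretch status of asterisk for CVE-2021-37706 is left implicit again, even though the commit message agrees that the absence of the code should be made clear; the tracker's way to record that without inventing a fixed version is a `[stretch] - asterisk <not-affected> (Does not embed pjproject)` line, which keeps the finding from the reverted commit while dropping the misleading 1:13.14.1~dfsg-2+deb9u4 version.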