[Git][security-tracker-team/security-tracker][master] Track fixes via unstable for openjdk-18
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 114661c9 by Salvatore Bonaccorso at 2022-05-03T07:20:11+02:00 Track fixes via unstable for openjdk-18 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32206,6 +32206,7 @@ CVE-2022-21496 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise E - openjdk-8 8u332-ga-1 - openjdk-11 11.0.15+10-1 - openjdk-17 17.0.3+7-1 + - openjdk-18 18.0.1+10-1 CVE-2022-21495 RESERVED CVE-2022-21494 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) @@ -32248,6 +32249,7 @@ CVE-2022-21476 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise E - openjdk-8 8u332-ga-1 - openjdk-11 11.0.15+10-1 - openjdk-17 17.0.3+7-1 + - openjdk-18 18.0.1+10-1 CVE-2022-21475 (Vulnerability in the Oracle Banking Payments product of Oracle Financi ...) NOT-FOR-US: Oracle CVE-2022-21474 (Vulnerability in the Oracle Banking Trade Finance product of Oracle Fi ...) @@ -32307,6 +32309,7 @@ CVE-2022-21449 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise E - openjdk-8 8u322-ga-1 - openjdk-11 - openjdk-17 17.0.3+7-1 + - openjdk-18 18.0.1+10-1 CVE-2022-21448 (Vulnerability in the Oracle Business Intelligence Enterprise Edition p ...) NOT-FOR-US: Oracle CVE-2022-21447 (Vulnerability in the PeopleSoft Enterprise CS Academic Advisement prod ...) @@ -32322,6 +32325,7 @@ CVE-2022-21443 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise E - openjdk-8 8u332-ga-1 - openjdk-11 11.0.15+10-1 - openjdk-17 17.0.3+7-1 + - openjdk-18 18.0.1+10-1 CVE-2022-21442 (Vulnerability in Oracle GoldenGate (component: OGG Core Library). The ...) NOT-FOR-US: Oracle CVE-2022-21441 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) 
@@ -32342,6 +32346,7 @@ CVE-2022-21434 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise E - openjdk-8 8u332-ga-1 - openjdk-11 11.0.15+10-1 - openjdk-17 17.0.3+7-1 + - openjdk-18 18.0.1+10-1 CVE-2022-21433 RESERVED CVE-2022-21432 @@ -32361,6 +32366,7 @@ CVE-2022-21426 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise E - openjdk-8 8u332-ga-1 - openjdk-11 11.0.15+10-1 - openjdk-17 17.0.3+7-1 + - openjdk-18 18.0.1+10-1 CVE-2022-21425 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 CVE-2022-21424 (Vulnerability in the Oracle Communications Billing and Revenue Managem ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/114661c9d5164f291766360ec0034b7cfb8e4267 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/114661c9d5164f291766360ec0034b7cfb8e4267 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
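Review bot: in the @@ -32307 hunk (CVE-2022-21449) the openjdk-8 line reads 8u322-ga-1 while every other hunk in this patch has 8u332-ga-1, and the openjdk-11 line there still carries no fixed version; confirm both are intentional before the "- openjdk-18 18.0.1+10-1" line is added beside them, since a stale or mistyped version on a sibling line is easy to overlook once the entry looks complete.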
[Git][security-tracker-team/security-tracker][master] Track fixes for openjdk-17 via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eaa3f013 by Salvatore Bonaccorso at 2022-05-03T07:16:23+02:00 Track fixes for openjdk-17 via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32205,7 +32205,7 @@ CVE-2022-21497 (Vulnerability in the Oracle Web Services Manager product of Orac CVE-2022-21496 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - openjdk-8 8u332-ga-1 - openjdk-11 11.0.15+10-1 - - openjdk-17 + - openjdk-17 17.0.3+7-1 CVE-2022-21495 RESERVED CVE-2022-21494 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) @@ -32247,7 +32247,7 @@ CVE-2022-21477 (Vulnerability in the Oracle Applications Framework product of Or CVE-2022-21476 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - openjdk-8 8u332-ga-1 - openjdk-11 11.0.15+10-1 - - openjdk-17 + - openjdk-17 17.0.3+7-1 CVE-2022-21475 (Vulnerability in the Oracle Banking Payments product of Oracle Financi ...) NOT-FOR-US: Oracle CVE-2022-21474 (Vulnerability in the Oracle Banking Trade Finance product of Oracle Fi ...) @@ -32306,7 +32306,7 @@ CVE-2022-21450 (Vulnerability in the PeopleSoft Enterprise PRTL Interaction Hub CVE-2022-21449 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - openjdk-8 8u322-ga-1 - openjdk-11 - - openjdk-17 + - openjdk-17 17.0.3+7-1 CVE-2022-21448 (Vulnerability in the Oracle Business Intelligence Enterprise Edition p ...) NOT-FOR-US: Oracle CVE-2022-21447 (Vulnerability in the PeopleSoft Enterprise CS Academic Advisement prod ...) 
@@ -32321,7 +32321,7 @@ CVE-2022-21444 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2022-21443 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - openjdk-8 8u332-ga-1 - openjdk-11 11.0.15+10-1 - - openjdk-17 + - openjdk-17 17.0.3+7-1 CVE-2022-21442 (Vulnerability in Oracle GoldenGate (component: OGG Core Library). The ...) NOT-FOR-US: Oracle CVE-2022-21441 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) @@ -32341,7 +32341,7 @@ CVE-2022-21435 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2022-21434 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - openjdk-8 8u332-ga-1 - openjdk-11 11.0.15+10-1 - - openjdk-17 + - openjdk-17 17.0.3+7-1 CVE-2022-21433 RESERVED CVE-2022-21432 @@ -32360,7 +32360,7 @@ CVE-2022-21427 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2022-21426 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - openjdk-8 8u332-ga-1 - openjdk-11 11.0.15+10-1 - - openjdk-17 + - openjdk-17 17.0.3+7-1 CVE-2022-21425 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 CVE-2022-21424 (Vulnerability in the Oracle Communications Billing and Revenue Managem ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eaa3f0132c02f74a5d00f22f260a1ab8f1863506
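Review bot: the @@ -32306 hunk (CVE-2022-21449) leaves the openjdk-11 line without a fixed version and keeps openjdk-8 at 8u322-ga-1 while the other five hunks show 8u332-ga-1 next to the new "- openjdk-17 17.0.3+7-1" line; a one-line commit-message note on why CVE-2022-21449 is tracked differently for openjdk-8 and openjdk-11 would save the next reviewer from re-deriving it.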
[Git][security-tracker-team/security-tracker][master] Track fixed version for openjdk-11 via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b4844f1 by Salvatore Bonaccorso at 2022-05-03T07:13:29+02:00 Track fixed version for openjdk-11 via unstable Note for reviewers: there is one CVE not listed which remains unfixed, double check if this one is fixed as well with the 11.0.15 based version. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32204,7 +32204,7 @@ CVE-2022-21497 (Vulnerability in the Oracle Web Services Manager product of Orac NOT-FOR-US: Oracle CVE-2022-21496 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - openjdk-8 8u332-ga-1 - - openjdk-11 + - openjdk-11 11.0.15+10-1 - openjdk-17 CVE-2022-21495 RESERVED @@ -32246,7 +32246,7 @@ CVE-2022-21477 (Vulnerability in the Oracle Applications Framework product of Or NOT-FOR-US: Oracle CVE-2022-21476 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - openjdk-8 8u332-ga-1 - - openjdk-11 + - openjdk-11 11.0.15+10-1 - openjdk-17 CVE-2022-21475 (Vulnerability in the Oracle Banking Payments product of Oracle Financi ...) NOT-FOR-US: Oracle @@ -32320,7 +32320,7 @@ CVE-2022-21444 (Vulnerability in the MySQL Server product of Oracle MySQL (compo - mysql-5.7 CVE-2022-21443 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - openjdk-8 8u332-ga-1 - - openjdk-11 + - openjdk-11 11.0.15+10-1 - openjdk-17 CVE-2022-21442 (Vulnerability in Oracle GoldenGate (component: OGG Core Library). The ...) NOT-FOR-US: Oracle @@ -32340,7 +32340,7 @@ CVE-2022-21435 (Vulnerability in the MySQL Server product of Oracle MySQL (compo - mysql-8.0 CVE-2022-21434 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - openjdk-8 8u332-ga-1 - - openjdk-11 + - openjdk-11 11.0.15+10-1 - openjdk-17 CVE-2022-21433 RESERVED
@@ -32359,7 +32359,7 @@ CVE-2022-21427 (Vulnerability in the MySQL Server product of Oracle MySQL (compo - mysql-5.7 CVE-2022-21426 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - openjdk-8 8u332-ga-1 - - openjdk-11 + - openjdk-11 11.0.15+10-1 - openjdk-17 CVE-2022-21425 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b4844f1c7b527de62e420268e909de91463321c
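Review bot: the commit message asks reviewers to double-check "one CVE not listed" without naming it; the hunks here cover CVE-2022-21496, CVE-2022-21476, CVE-2022-21443, CVE-2022-21434 and CVE-2022-21426, so naming the remaining unfixed entry in the message (and ideally adding a NOTE line to it in data/CVE/list) would let a reviewer go straight to it instead of diffing the list.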
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Jeremiah C. Foster pushed to branch master at Debian Security Tracker / security-tracker Commits: 6a295f37 by Jeremiah C. Foster at 2022-05-02T22:21:18-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Jeremiah C. Foster- - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -42,7 +42,7 @@ composer: (Markus Koschany) NOTE: 20220424: programming language PHP NOTE: 20220424: check whether really affected (Anton) -- -debian-security-support (Utkarsh) +debian-security-support NOTE: 20220402: need to update the list of unsupported packages (Beuc) NOTE: 20220402: check debian/README.source, sync with h01ger, and announce EOL'd packages (Beuc) NOTE: 20220402: context: https://lists.debian.org/debian-lts/2022/04/msg0.html (Beuc) @@ -100,7 +100,7 @@ linux-4.19 (Ben Hutchings) mariadb-10.1 NOTE: 20220222: Can be risky. Please consider backporting mariadb-10.3. See discussion https://lists.debian.org/debian-lts/2022/02/msg5.html and coordinate with maintainer (Anton) -- -mbedtls (Utkarsh) +mbedtls NOTE: 20220404: update prepared, needs testing. (utkarsh) NOTE: 20220419: waiting for a quick feedback from carnil. (utkarsh) -- 
@@ -163,7 +163,7 @@ subversion (Roberto C. Sánchez) NOTE: 20220422: and, once applied manually, appears to break multiple and possibly unrelated parts of the testsuite. (lamby) NOTE: 20220501: Done some analysis, worked on a patch, cannot find a way to test it, mailed results to Roberto C. Sánchez (enrico) -- -tiff (Utkarsh) +tiff NOTE: 20220404: jessie upload at https://salsa.debian.org/lts-team/packages/tiff. NOTE: 20220404: if that works out well, I'll roll the same for stretch. (utkarsh) NOTE: 20220419: new CVE reported; waiting to see if there are more. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a295f373c45c3b0edf3b652bcbf44786928cb2a
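Review bot: the mbedtls and tiff hunks drop the (Utkarsh) claim although both entries carry NOTE lines dated 20220419 from utkarsh, which is 13 days before this 2022-05-02 commit rather than the two weeks the message states, and the mbedtls entry says an update is already prepared and needs testing; consider confirming with the claimant before unclaiming, or at least add a dated line such as "NOTE: 20220502: unclaimed after inactivity" so the next person picking the package up knows why the claim was dropped and that a prepared update exists.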
[Git][security-tracker-team/security-tracker][master] Update note in data/dla-needed.txt
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 83711d9f by Abhijith PA at 2022-05-03T04:31:28+05:30 Update note in data/dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -70,6 +70,7 @@ gpac (Roberto C. Sánchez) NOTE: 20220427: Preparing to work with security team to declare EOL (roberto) -- icingaweb2 (Abhijith PA) + NOTE: https://people.debian.org/~abhijith/upload/mruby/icingaweb2_2.4.1-1+deb9u2.dsc (abhijith) -- intel-microcode NOTE: 20220213: please recheck View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83711d9f1edbc7410fa9234ab86c341c4a6ff3de
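Review bot: the NOTE added under icingaweb2 links to icingaweb2_2.4.1-1+deb9u2.dsc inside a directory named upload/mruby/, which looks like a path copied from the mruby entry; double-check the location, and prefix the NOTE with the YYYYMMDD date the neighbouring entries use (e.g. the gpac entry's "NOTE: 20220427: ...") so its age is visible to the inactivity sweep.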
[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-24714, CVE-2022-24716 as not affected for stretch
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: c55fd09b by Abhijith PA at 2022-05-03T04:05:49+05:30 Mark CVE-2022-24714, CVE-2022-24716 as not affected for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14990,6 +14990,7 @@ CVE-2022-24716 (Icinga Web 2 is an open source monitoring web interface, framewo - icingaweb2 2.9.6-1 [bullseye] - icingaweb2 (Vulnerable code not present) [buster] - icingaweb2 (Vulnerable code not present) + [stretch] - icingaweb2 (vulnerable code not present) NOTE: https://github.com/Icinga/icingaweb2/security/advisories/GHSA-5p3f-rh28-8frw NOTE: https://github.com/Icinga/icingaweb2/commit/9931ed799650f5b8d5e1dc58ea3415a4cdc5773d CVE-2022-24715 (Icinga Web 2 is an open source monitoring web interface, framework and ...) @@ -15002,6 +15003,7 @@ CVE-2022-24714 (Icinga Web 2 is an open source monitoring web interface, framewo - icingaweb2 2.9.6-1 [bullseye] - icingaweb2 (Minor issue) [buster] - icingaweb2 (Minor issue) + [stretch] - icingaweb2 (vulnerable code not present) NOTE: https://github.com/Icinga/icingaweb2/security/advisories/GHSA-qcmg-vr56-x9wf NOTE: https://github.com/Icinga/icingaweb2/commit/6e989d05a1568a6733a3d912001251acc51d9293 CVE-2022-24713 (regex is an implementation of regular expressions for the Rust languag ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c55fd09ba7f1f95bbcd8de422e2e425afcc52efc
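Review bot: both added [stretch] lines spell the reason "(vulnerable code not present)" in lower case while the existing buster and bullseye lines in the same hunks use "(Vulnerable code not present)"; keep the capitalised form so the entries stay consistent with the rest of data/CVE/list. For CVE-2022-24714 the buster and bullseye lines say "(Minor issue)" rather than "code not present", so stating in the commit message which code path was verified absent in the stretch version would make the different stretch verdict easy to check later.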
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for linux update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4e872dde by Salvatore Bonaccorso at 2022-05-02T22:46:45+02:00 Reserve DSA number for linux update - - - - - 2 changed files: - data/CVE/list - data/DSA/list Changes: = data/CVE/list = @@ -4929,7 +4929,6 @@ CVE-2022-28281 CVE-2022-1199 RESERVED - linux 5.16.18-1 - [bullseye] - linux 5.10.106-1 [buster] - linux 4.19.235-1 NOTE: https://www.openwall.com/lists/oss-security/2022/04/02/5 CVE-2022-1198 @@ -4950,7 +4949,6 @@ CVE-2022-1196 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-15/#CVE-2022-1196 CVE-2022-1195 (A use-after-free vulnerability was found in the Linux kernel in driver ...) - linux 5.15.15-1 - [bullseye] - linux 5.10.92-1 [buster] - linux 4.19.232-1 [stretch] - linux 4.9.303-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2056381 = data/DSA/list = @@ -1,3 +1,6 @@ +[02 May 2022] DSA-5127-1 linux - security update + {CVE-2021-4197 CVE-2022-0168 CVE-2022-1016 CVE-2022-1048 CVE-2022-1158 CVE-2022-1195 CVE-2022-1198 CVE-2022-1199 CVE-2022-1204 CVE-2022-1205 CVE-2022-1353 CVE-2022-1516 CVE-2022-26490 CVE-2022-27666 CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-29582} + [bullseye] - linux 5.10.113-1 [01 May 2022] DSA-5126-1 ffmpeg - security update [buster] - ffmpeg 7:4.1.9-0+deb10u1 [27 Apr 2022] DSA-5125-1 chromium - security update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e872ddee78ab92b0a68cc732a0464f455b097a2
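Review bot: the two data/CVE/list hunks delete "[bullseye] - linux 5.10.106-1" (CVE-2022-1199) and "[bullseye] - linux 5.10.92-1" (CVE-2022-1195) while the new DSA-5127-1 entry records the bullseye fix as linux 5.10.113-1, yet the commit message only says "Reserve DSA number"; a sentence explaining why the earlier bullseye versions are dropped, and that the bullseye status of those two CVEs is now carried by the DSA entry, would make the change reviewable without consulting the package history.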
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim mruby from Anton
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: c436a582 by Abhijith PA at 2022-05-03T02:12:09+05:30 data/dla-needed.txt: Claim mruby from Anton - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -103,7 +103,8 @@ mbedtls (Utkarsh) NOTE: 20220404: update prepared, needs testing. (utkarsh) NOTE: 20220419: waiting for a quick feedback from carnil. (utkarsh) -- -mruby (Anton) +mruby (Abhijith PA) + NOTE: https://people.debian.org/~abhijith/upload/mruby/mruby_1.2.0+20161228+git30d5424a-1+deb9u1.dsc (abhijith) -- mutt (Utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c436a582738ccf4de5ec3116bdd24d11e664d298
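Review bot: the claim moves from (Anton) to (Abhijith PA) without a NOTE recording that the handover was agreed, and the added NOTE lacks the YYYYMMDD prefix used by the neighbouring mbedtls lines ("NOTE: 20220404: ...", "NOTE: 20220419: ..."); a dated line such as "NOTE: 20220503: taken over from Anton (abhijith)" ahead of the .dsc link would keep the entry's history readable and the inactivity sweep accurate.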
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d4462b21 by Salvatore Bonaccorso at 2022-05-02T22:27:30+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3823,9 +3823,9 @@ CVE-2022-1283 (NULL Pointer Dereference in r_bin_ne_get_entrypoints function in NOTE: https://huntr.dev/bounties/bfeb8fb8-644d-4587-80d4-cb704c404013 NOTE: https://github.com/radareorg/radare2/commit/18d1d064bf599a255d55f09fca3104776fc34a67 CVE-2022-1282 (The Photo Gallery by 10Web WordPress plugin before 1.6.3 does not prop ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1281 (The Photo Gallery WordPress plugin through 1.6.3 does not properly esc ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1280 (A use-after-free vulnerability was found in drm_lease_held in drivers/ ...) - linux 5.15.3-1 NOTE: https://www.openwall.com/lists/oss-security/2022/04/12/3 @@ -3844,13 +3844,13 @@ CVE-2022-1275 CVE-2022-1274 RESERVED CVE-2022-1273 (The Import WP WordPress plugin before 2.4.6 does not validate the impo ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1272 RESERVED CVE-2022-1270 RESERVED CVE-2022-1269 (The Fast Flow WordPress plugin before 1.2.11 does not sanitise and esc ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1268 RESERVED CVE-2022-1267 @@ -3876,7 +3876,7 @@ CVE-2022-1257 (Insecure storage of sensitive information vulnerability in MA for CVE-2022-1256 (A local privilege escalation vulnerability in MA for Windows prior to ...) NOT-FOR-US: McAfee CVE-2022-1255 (The Import and export users and customers WordPress plugin before 1.19 ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1254 (A URL redirection vulnerability in Skyhigh SWG in main releases 10.x p ...) NOT-FOR-US: Skyhigh SWG CVE-2022-1253 (Heap-based Buffer Overflow in GitHub repository strukturag/libde265 pr ...) 
@@ -3889,7 +3889,7 @@ CVE-2022-1252 (Exposure of Private Personal Information to an Unauthorized Actor CVE-2022-1251 RESERVED CVE-2022-1250 (The LifterLMS PayPal WordPress plugin before 1.4.0 does not sanitise a ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1248 (A vulnerability was found in SAP Information System 1.0 which has been ...) NOT-FOR-US: SAP CVE-2022-1247 @@ -3953,7 +3953,7 @@ CVE-2022-1240 (Heap buffer overflow in libr/bin/format/mach0/mach0.c in GitHub r NOTE: https://huntr.dev/bounties/e589bd97-4c74-4e79-93b5-0951a281facc NOTE: https://github.com/radareorg/radare2/commit/ca8d8b39f3e34a4fd943270330b80f1148129de4 CVE-2022-1239 (The HubSpot WordPress plugin before 8.8.15 does not validate the proxy ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1238 (Heap-based Buffer Overflow in libr/bin/format/ne/ne.c in GitHub reposi ...) - radare2 NOTE: https://huntr.dev/bounties/47422cdf-aad2-4405-a6a1-6f63a3a93200 @@ -4197,7 +4197,7 @@ CVE-2022-28574 CVE-2022-28573 (D-Link DIR-823-Pro v1.0.2 was discovered to contain a command injectio ...) TODO: check CVE-2022-28572 (Tenda AX1806 v1.0.0.1 was discovered to contain a command injection vu ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-28571 (D-link 882 DIR882A1_FW130B06 was discovered to contain a command injec ...) TODO: check CVE-2022-28570 @@ -6880,7 +6880,7 @@ CVE-2022-1048 (A use-after-free flaw was found in the Linux kernel’s sound CVE-2022-1047 RESERVED CVE-2022-1046 (The Visual Form Builder WordPress plugin before 3.0.7 does not sanitis ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1045 (Stored XSS viva .svg file upload in GitHub repository polonel/trudesk ...) NOT-FOR-US: Trudesk CVE-2022-1044 
@@ -8311,7 +8311,7 @@ CVE-2022-0954 (Multiple Stored Cross-site Scripting (XSS) Vulnerabilities in Sho CVE-2022-0953 (The Anti-Malware Security and Brute-Force Firewall WordPress plugin be ...) NOT-FOR-US: WordPress plugin CVE-2022-0952 (The Sitemap by click5 WordPress plugin before 1.0.36 does not have aut ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-0951 (File Upload Restriction Bypass leading to Stored XSS Vulnerability in ...) NOT-FOR-US: ShowDoc CVE-2022-0950 (Unrestricted Upload of File with Dangerous Type in GitHub repository s ...) @@ -11043,7 +11043,7 @@ CVE-2022-0785 (The Daily Prayer Time WordPress plugin before 2022.03.01 does not CVE-2022-0784 (The Title Experiments Free WordPress plugin before 9.0.1 does not sani ...) NOT-FOR-US: WordPress plugin CVE-2022-0783 (The Multiple Shipping Address Woocommerce WordPress plugin before 2.0 ...) - TODO: check +
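Review bot: in the @@ -4197 hunk CVE-2022-28572 (Tenda AX1806) becomes NOT-FOR-US while the adjacent D-Link entries CVE-2022-28573 and CVE-2022-28571 keep "TODO: check"; if those vendor-firmware issues are equally outside Debian's package set they could be resolved in the same pass. The final @@ -11043 hunk is cut off in this mail after "- TODO: check +", so the replacement line for CVE-2022-0783 cannot be reviewed here.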
[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-0481, CVE-2022-1201, CVE-2022-1212, CVE-2022-1286
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 8383e79b by Abhijith PA at 2022-05-03T01:50:01+05:30 Mark CVE-2022-0481, CVE-2022-1201, CVE-2022-1212, CVE-2022-1286 CVE-2022-1427 as not-affected for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1547,6 +1547,7 @@ CVE-2022-1427 (Out-of-bounds Read in mrb_obj_is_kind_of in in GitHub repository - mruby [bullseye] - mruby (Minor issue) [buster] - mruby (Minor issue) + [stretch] - mruby (Vulnerable code not present) NOTE: https://huntr.dev/bounties/23b6f0a9-64f5-421e-a55f-b5b7a671f301 NOTE: https://github.com/mruby/mruby/commit/a4d97934d51cb88954cc49161dc1d151f64afb6b CVE-2022-29565 @@ -3335,6 +3336,7 @@ CVE-2022-1286 (heap-buffer-overflow in mrb_vm_exec in mruby/mruby in GitHub repo - mruby [bullseye] - mruby (Minor issue) [buster] - mruby (Minor issue) + [stretch] - mruby (Vulnerable code not present) NOTE: https://github.com/mruby/mruby/commit/b1d0296a937fe278239bdfac840a3fd0e93b3ee9 NOTE: https://huntr.dev/bounties/f918376e-b488-4113-963d-ffe8716e4189/ CVE-2022-2 @@ -4596,6 +4598,7 @@ CVE-2022-1212 (Use-After-Free in str_escape in mruby/mruby in GitHub repository - mruby (bug #1009044) [bullseye] - mruby (Minor issue) [buster] - mruby (Minor issue) + [stretch] - mruby (Vulnerable code not present) NOTE: https://huntr.dev/bounties/9fcc06d0-08e4-49c8-afda-2cae40946abe/ NOTE: https://github.com/mruby/mruby/commit/3cf291f72224715942beaf8553e42ba8891ab3c6 CVE-2022-28381 (Mediaserver.exe in ALLMediaServer 1.6 has a stack-based buffer overflo ...) 
@@ -4768,6 +4771,7 @@ CVE-2022-1201 (NULL Pointer Dereference in mrb_vm_exec with super in GitHub repo - mruby [bullseye] - mruby (Minor issue) [buster] - mruby (Minor issue) + [stretch] - mruby (Vulnerable code not present) NOTE: https://huntr.dev/bounties/6f930add-c9d8-4870-ae56-d4bd8354703b NOTE: https://github.com/mruby/mruby/commit/00acae117da1b45b318dc36531a7b0021b8097ae CVE-2022-28327 (The generic P-256 feature in crypto/elliptic in Go before 1.17.9 and 1 ...) @@ -16160,7 +16164,7 @@ CVE-2022-0481 (NULL Pointer Dereference in Homebrew mruby prior to 3.2. ...) - mruby [bullseye] - mruby (Minor issue) [buster] - mruby (Minor issue) - [stretch] - mruby (Minor issue) + [stretch] - mruby (Vulnerable code not present) NOTE: https://huntr.dev/bounties/54725c8c-87f4-41b6-878c-01d8e0ee7027 NOTE: https://github.com/mruby/mruby/commit/ae3c99767a27f5c6c584162e2adc6a5d0eb2c54e TODO: check, possibly only introduced with dccd66f9efecd0a974b735c62836fe566015cf37 in 3.1.0-rc View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8383e79b42d9adc73f4409bd087bde886d5f3d06
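Review bot: the @@ -16160 hunk changes the CVE-2022-0481 stretch line from (Minor issue) to (Vulnerable code not present) but leaves the entry's "TODO: check, possibly only introduced with dccd66f9efecd0a974b735c62836fe566015cf37 in 3.1.0-rc" untouched; if the stretch analysis confirmed that commit introduced the bug, the TODO can be resolved and the same conclusion likely applies to the buster and bullseye "(Minor issue)" lines, otherwise the commit message should say what the stretch "not present" finding rests on.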
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0c455d8d by security tracker role at 2022-05-02T20:10:22+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,37 @@ +CVE-2022-30125 + RESERVED +CVE-2022-30124 + RESERVED +CVE-2022-30123 + RESERVED +CVE-2022-30122 + RESERVED +CVE-2022-30121 + RESERVED +CVE-2022-30120 + RESERVED +CVE-2022-30119 + RESERVED +CVE-2022-30118 + RESERVED +CVE-2022-30117 + RESERVED +CVE-2022-30116 + RESERVED +CVE-2022-30115 + RESERVED +CVE-2022-1551 + RESERVED +CVE-2022-1550 + RESERVED +CVE-2022-1549 + RESERVED +CVE-2022-1548 + RESERVED +CVE-2022-1547 + RESERVED +CVE-2022-1546 + RESERVED CVE-2022-30114 RESERVED CVE-2022-30113 @@ -564,8 +598,7 @@ CVE-2022-1516 - linux 5.17.3-1 (unimportant) NOTE: Fixed by: https://git.kernel.org/linus/7781607938c8371d4c2b243527430241c62e39c2 (5.18-rc1) NOTE: CONFIG_X25 is not set in Debian -CVE-2022-1515 - RESERVED +CVE-2022-1515 (A memory leak was discovered in matio 1.5.21 and earlier in Mat_VarRea ...) - libmatio 1.5.22-1 NOTE: https://github.com/tbeu/matio/issues/186 NOTE: Fixed by: https://github.com/tbeu/matio/commit/b53b62b756920f4c1509f4ee06427f66c3b5c9c4 (v1.5.22) @@ -877,8 +910,7 @@ CVE-2022-1477 [stretch] - chromium (see DSA 4562) CVE-2022-1476 RESERVED -CVE-2022-1475 - RESERVED +CVE-2022-1475 (An integer overflow vulnerability was found in FFmpeg 5.0.1 and in pre ...) {DSA-5124-1} - ffmpeg 7:4.4.2-1 [buster] - ffmpeg (Vulnerable code not present) @@ -1861,8 +1893,8 @@ CVE-2022-29446 RESERVED CVE-2022-29445 RESERVED -CVE-2022-29444 - RESERVED +CVE-2022-29444 (Plugin Settings Change leading to Cross-Site Scripting (XSS) vulnerabi ...) + TODO: check CVE-2022-29443 RESERVED CVE-2022-29442 
@@ -2249,32 +2281,32 @@ CVE-2022-1379 RESERVED CVE-2022-29266 (In APache APISIX before 3.13.1, the jwt-auth plugin has a security iss ...) NOT-FOR-US: Apache APISIX -CVE-2022-1378 - RESERVED -CVE-2022-1377 - RESERVED -CVE-2022-1376 - RESERVED -CVE-2022-1375 - RESERVED -CVE-2022-1374 - RESERVED +CVE-2022-1378 (Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a ...) + TODO: check +CVE-2022-1377 (Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a ...) + TODO: check +CVE-2022-1376 (Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a ...) + TODO: check +CVE-2022-1375 (Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a ...) + TODO: check +CVE-2022-1374 (Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a ...) + TODO: check CVE-2022-1373 RESERVED -CVE-2022-1372 - RESERVED -CVE-2022-1371 - RESERVED -CVE-2022-1370 - RESERVED -CVE-2022-1369 - RESERVED +CVE-2022-1372 (Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a ...) + TODO: check +CVE-2022-1371 (Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a ...) + TODO: check +CVE-2022-1370 (Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a ...) + TODO: check +CVE-2022-1369 (Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a ...) + TODO: check CVE-2022-1368 RESERVED -CVE-2022-1367 - RESERVED -CVE-2022-1366 - RESERVED +CVE-2022-1367 (Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a ...) + TODO: check +CVE-2022-1366 (Delta Electronics DIAEnergie (All versions prior to 1.8.02.004) has a ...) + TODO: check CVE-2022-1365 (Exposure of Private Personal Information to an Unauthorized Actor in G ...) NOT-FOR-US: lquixada/cross-fetch CVE-2022-29265 (Multiple components in Apache NiFi 0.0.1 to 1.16.0 do not restrict XML ...) 
@@ -2982,8 +3014,8 @@ CVE-2022-1302 (In the MZ Automation LibIEC61850 in versions prior to 1.5.1 an un NOT-FOR-US: MZ Automation LibIEC61850 CVE-2022-1301 RESERVED -CVE-2022-1300 - RESERVED +CVE-2022-1300 (Multiple Version of TRUMPF TruTops products expose a service function ...) + TODO: check CVE-2022-1299 RESERVED CVE-2022-1298 @@ -3788,10 +3820,10 @@ CVE-2022-1283 (NULL Pointer Dereference in r_bin_ne_get_entrypoints function in - radare2 NOTE: https://huntr.dev/bounties/bfeb8fb8-644d-4587-80d4-cb704c404013 NOTE: https://github.com/radareorg/radare2/commit/18d1d064bf599a255d55f09fca3104776fc34a67 -CVE-2022-1282 - RESERVED -CVE-2022-1281 - RESERVED +CVE-2022-1282 (The Photo Gallery by 10Web WordPress plugin befo
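Review bot: the @@ -2249 hunk turns eleven entries (CVE-2022-1366 through CVE-2022-1378, excluding the still RESERVED CVE-2022-1368 and CVE-2022-1373) with the identical "Delta Electronics DIAEnergie (All versions prior to 1.8.02.004)" description into separate "TODO: check" items, which can be triaged as one group in the follow-up; CVE-2022-29444 is also left as "TODO: check" with a description that names no product, so it needs a manual look. The mail is truncated in the @@ -3788 hunk after "CVE-2022-1282 (The Photo Gallery by 10Web WordPress plugin befo", so the rest of this update is not visible here.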
[Git][security-tracker-team/security-tracker][master] Fix typo in reference for CVE-2022-26490/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 29f812f1 by Salvatore Bonaccorso at 2022-05-02T21:55:37+02:00 Fix typo in reference for CVE-2022-26490/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9928,7 +9928,7 @@ CVE-2022-0868 (Open Redirect in GitHub repository medialize/uri.js prior to 1.19 NOT-FOR-US: Node urijs CVE-2022-26490 (st21nfca_connectivity_event_received in drivers/nfc/st21nfca/se.c in t ...) - linux 5.16.18-1 - NOTE: https://git.kernel.org/linux/4fbcc1a4cb20fe26ad0225679c536c80f1648221 (5.17-rc1) + NOTE: https://git.kernel.org/linus/4fbcc1a4cb20fe26ad0225679c536c80f1648221 (5.17-rc1) CVE-2022-26486 RESERVED {DSA-5094-1 DSA-5090-1 DLA-2939-1 DLA-2933-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29f812f14a13145aa9d3c3865d76bd62ba12ffa7
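Review bot: the corrected NOTE for CVE-2022-26490 is a bare git.kernel.org/linus URL followed by "(5.17-rc1)", whereas other kernel entries on this list use the "NOTE: Fixed by: " prefix before the URL (see CVE-2022-1516 in the automatic-update mail); since the line is being touched anyway, adding "Fixed by:" would keep the reference consistent and recognisable as the upstream fix rather than a general pointer.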
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c717ed9 by Salvatore Bonaccorso at 2022-05-02T21:49:11+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11703,7 +11703,7 @@ CVE-2022-21191 CVE-2022-21190 RESERVED CVE-2022-21189 (The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-al ...) - TODO: check + NOT-FOR-US: dexie CVE-2022-21187 (The package libvcs before 0.11.1 are vulnerable to Command Injection v ...) NOT-FOR-US: libvcs CVE-2022-21186 @@ -20983,9 +20983,9 @@ CVE-2022-23063 CVE-2022-23062 RESERVED CVE-2022-23061 (In Shopizer versions 2.0 to 2.17.0 a regular admin can permanently del ...) - TODO: check + NOT-FOR-US: Shopizer CVE-2022-23060 (A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer v ...) - TODO: check + NOT-FOR-US: Shopizer CVE-2022-23059 (A Stored Cross Site Scripting (XSS) vulnerability exists in Shopizer v ...) NOT-FOR-US: Shopizer CVE-2022-23058 @@ -22558,7 +22558,7 @@ CVE-2022-0124 (An issue has been discovered affecting GitLab versions prior to 1 CVE-2022-0123 (An issue has been discovered affecting GitLab versions prior to 14.4.5 ...) - gitlab CVE-2021-4200 (A Improper Privilege Management vulnerability in SUSE Rancher allows w ...) - TODO: check + NOT-FOR-US: Rancher CVE-2022-22677 RESERVED CVE-2022-22676 @@ -52571,7 +52571,7 @@ CVE-2021-36786 (The miniorange_saml (aka Miniorange Saml) extension before 1.4.3 CVE-2021-36785 (The miniorange_saml (aka Miniorange Saml) extension before 1.4.3 for T ...) NOT-FOR-US: miniorange_saml (aka Miniorange Saml) extension for TYPO3 CVE-2021-36784 (A Improper Privilege Management vulnerability in SUSE Rancher allows u ...) - TODO: check + NOT-FOR-US: Rancher CVE-2021-36783 RESERVED CVE-2021-36782 
@@ -52583,7 +52583,7 @@ CVE-2021-36780 (A Improper Access Control vulnerability in longhorn of SUSE Long CVE-2021-36779 (A Improper Access Control vulnerability inf SUSE Longhorn allows any w ...) NOT-FOR-US: Longhorn CVE-2021-36778 (A Exposure of Sensitive Information to an Unauthorized Actor vulnerabi ...) - TODO: check + NOT-FOR-US: Rancher CVE-2021-36777 (A Reliance on Untrusted Inputs in a Security Decision vulnerability in ...) NOT-FOR-US: OpenSuSE infrastructure CVE-2021-36776 (A Improper Access Control vulnerability in SUSE Rancher allows remote ...) @@ -65314,9 +65314,9 @@ CVE-2021-31676 CVE-2021-31675 RESERVED CVE-2021-31674 (Cyclos 4 PRO 4.14.7 and before does not validate user input at error i ...) - TODO: check + NOT-FOR-US: Cyclos 4 PRO CVE-2021-31673 (A Dom-based Cross-site scripting (XSS) vulnerability at registration a ...) - TODO: check + NOT-FOR-US: Cyclos 4 PRO CVE-2021-31672 RESERVED CVE-2021-31671 (pgsync before 0.6.7 is affected by Information Disclosure of sensitive ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c717ed9621cc1156f2ff65530c607a016f5adaa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c717ed9621cc1156f2ff65530c607a016f5adaa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
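Review bot: the NOT-FOR-US: Rancher tag added for CVE-2021-36778 in the @@ -52583 hunk is not backed by the visible description, which is truncated before it names a product, while the neighbouring CVE-2021-36780 and CVE-2021-36779 entries in the same hunk are tagged Longhorn; confirm the affected product from the full CVE text before closing the entry out.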
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-25844/angular.js
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8a2d65ba by Salvatore Bonaccorso at 2022-05-02T21:41:11+02:00 Add CVE-2022-25844/angular.js - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11517,7 +11517,8 @@ CVE-2022-25846 CVE-2022-25845 RESERVED CVE-2022-25844 (The package angular after 1.7.0 are vulnerable to Regular Expression D ...) - TODO: check + - angular.js + NOTE: https://snyk.io/vuln/SNYK-JS-ANGULAR-2772735 CVE-2022-25843 RESERVED CVE-2022-25842 (All versions of package com.alibaba.oneagent:one-java-agent-plugin are ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a2d65baa2681fa0661476f47accf7e7b0e252df -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a2d65baa2681fa0661476f47accf7e7b0e252df You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
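Review bot: the new "- angular.js" line records the package as affected with no fixed version and no pointer to the affected range, even though the description scopes the issue to "angular after 1.7.0"; a NOTE naming the first affected version, or a "TODO: check where issue is introduced" line as in the CVE-2022-29970/ruby-sinatra entry, would make the unfixed status in unstable checkable rather than open-ended.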
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bde1d169 by Salvatore Bonaccorso at 2022-05-02T21:39:05+02:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -620,7 +620,7 @@ CVE-2022-29851 CVE-2022-29850 RESERVED CVE-2022-29849 (In Progress OpenEdge before 11.7.14 and 12.x before 12.2.9, certain SU ...) - TODO: check + NOT-FOR-US: Progress OpenEdge CVE-2022-29848 RESERVED CVE-2022-29847 @@ -4409,7 +4409,7 @@ CVE-2022-28453 CVE-2022-28452 (Red Planet Laundry Management System 1.0 is vulnerable to SQL Injectio ...) NOT-FOR-US: Red Planet Laundry Management System CVE-2022-28451 (nopCommerce 4.50.1 is vulnerable to Directory Traversal via the backup ...) - TODO: check + NOT-FOR-US: nopCommerce CVE-2022-28450 (nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS) via the ...) NOT-FOR-US: nopCommerce CVE-2022-28449 (nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). At App ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bde1d1698ff27a3fae9807ac68d39b50fd424c1c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bde1d1698ff27a3fae9807ac68d39b50fd424c1c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-29970/ruby-sinatra
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b7688dfc by Salvatore Bonaccorso at 2022-05-02T21:32:56+02:00 Add CVE-2022-29970/ruby-sinatra - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -288,7 +288,9 @@ CVE-2022-29972 CVE-2022-29971 RESERVED CVE-2022-29970 (Sinatra before 2.2.0 does not validate that the expanded path matches ...) - TODO: check + - ruby-sinatra + NOTE: https://github.com/sinatra/sinatra/commit/462c3ca1db53ed3cfc394cf5948e9c948ad1c10e (v2.2.0) + TODO: check where issue is introduced CVE-2022-29969 (The RSS extension before 2022-04-29 for MediaWiki allows XSS via an rs ...) TODO: check CVE-2022-29968 (An issue was discovered in the Linux kernel through 5.17.5. io_rw_init ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7688dfcac3bc2896fa4bae4d27de34fb50adb42 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7688dfcac3bc2896fa4bae4d27de34fb50adb42 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim composer, libpgjava, smarty3 and twig and recheck
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c59ad904 by Markus Koschany at 2022-05-02T21:16:17+02:00 Claim composer, libpgjava, smarty3 and twig and recheck if these packages are actually affected. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -38,7 +38,7 @@ cgal ckeditor (Sylvain Beucler) NOTE: 20220402: multiple pendings vulnerabilities (Beuc) -- -composer: +composer: (Markus Koschany) NOTE: 20220424: programming language PHP NOTE: 20220424: check whether really affected (Anton) -- @@ -84,7 +84,7 @@ liblouis (Andreas Rönnquist) NOTE: 20220320: no patch available yet. Reproducible memory leaks with ASAN NOTE: 20220320: and POC. Consider fixing CVE-2018-17294 too. -- -libpgjava +libpgjava (Markus Koschany) -- libvirt (Thorsten Alteholz) NOTE: 20220423: wait for upload in newer releases, dependency loop seems to be resolved now @@ -145,7 +145,7 @@ samba NOTE: 20220110: fix applied, but will need a second opinion. (utkarsh) NOTE: 20220125: ftbfs, wip. (utkarsh) -- -smarty3 +smarty3 (Markus Koschany) -- snapd NOTE: 20220308: seems vulnerable at least to setup_private_mount, 
@@ -166,7 +166,7 @@ tiff (Utkarsh) NOTE: 20220404: if that works out well, I'll roll the same for stretch. (utkarsh) NOTE: 20220419: new CVE reported; waiting to see if there are more. (utkarsh) -- -twig +twig (Markus Koschany) NOTE: 20220402: cf. DSA-5107-1; similar code in lib/Twig/Extension/Core.php (Beuc) -- twisted (Stefano Rivera) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c59ad904ab7e13db4d890c3079f9e9439474e640 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c59ad904ab7e13db4d890c3079f9e9439474e640 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
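Review bot: the composer entry in the @@ -38 hunk keeps a stray trailing colon ("composer: (Markus Koschany)") whereas libpgjava, smarty3 and twig in the same commit use the bare "package (claimant)" form; drop the colon so the package name matches the other entries in dla-needed.txt.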
[Git][security-tracker-team/security-tracker][master] node-sqlite3 spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 62a2ba59 by Moritz Mühlenhoff at 2022-05-02T20:27:21+02:00 node-sqlite3 spu - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,5 @@ +[01 May 2022] DSA-5126-1 ffmpeg - security update + [buster] - ffmpeg 7:4.1.9-0+deb10u1 [27 Apr 2022] DSA-5125-1 chromium - security update {CVE-2022-1477 CVE-2022-1478 CVE-2022-1479 CVE-2022-1480 CVE-2022-1481 CVE-2022-1482 CVE-2022-1483 CVE-2022-1484 CVE-2022-1485 CVE-2022-1486 CVE-2022-1487 CVE-2022-1488 CVE-2022-1489 CVE-2022-1490 CVE-2022-1491 CVE-2022-1492 CVE-2022-1493 CVE-2022-1494 CVE-2022-1495 CVE-2022-1496 CVE-2022-1497 CVE-2022-1498 CVE-2022-1499 CVE-2022-1500 CVE-2022-1501} [bullseye] - chromium 101.0.4951.41-1~deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62a2ba5924e2a716d76ef4a2683056f0a1e860a9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62a2ba5924e2a716d76ef4a2683056f0a1e860a9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
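Review bot: the commit message "node-sqlite3 spu" does not describe the hunk, which adds a "[01 May 2022] DSA-5126-1 ffmpeg - security update" entry to data/DSA/list, and that entry has no {CVE-...} line between its header and the "[buster] - ffmpeg 7:4.1.9-0+deb10u1" line, unlike the DSA-5125-1 chromium entry directly below it; add the CVE list the advisory covers (or note why it is intentionally empty) and fix the message so the log reflects the change.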
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2990-1 for jackson-databind
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3bc26d96 by Markus Koschany at 2022-05-02T20:20:53+02:00 Reserve DLA-2990-1 for jackson-databind - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[02 May 2022] DLA-2990-1 jackson-databind - security update + {CVE-2020-36518} + [stretch] - jackson-databind 2.8.6-1+deb9u10 [01 May 2022] DLA-2989-1 ghostscript - security update {CVE-2019-25059} [stretch] - ghostscript 9.26a~dfsg-0+deb9u9 = data/dla-needed.txt = @@ -74,9 +74,6 @@ icingaweb2 (Abhijith PA) intel-microcode NOTE: 20220213: please recheck -- -jackson-databind (Markus Koschany) - NOTE: 20220320: wait for complete upstream fix (apo) --- kicad -- kvmtool View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3bc26d9663be5bd0f6d655348914ab97ba228aba -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3bc26d9663be5bd0f6d655348914ab97ba228aba You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2018-17960/ckeditor: stretch ignored
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c0b365a by Sylvain Beucler at 2022-05-02T19:14:53+02:00 CVE-2018-17960/ckeditor: stretch ignored - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -238454,7 +238454,7 @@ CVE-2018-17961 (Artifex Ghostscript 9.25 and earlier allows attackers to bypass NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a5a9bf8c6a63aa4ac6874234fe8cd63e72077291 CVE-2018-17960 (CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source ...) - ckeditor 4.11.1+dfsg-1 (low) - [stretch] - ckeditor (Minor issue) + [stretch] - ckeditor (Minor issue, XSS through direct copy/paste by victim, no identified patch) [jessie] - ckeditor (Minor issue) - fckeditor CVE-2018-17959 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c0b365ac7b717e6dd6136a84b07929769708ad0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c0b365ac7b717e6dd6136a84b07929769708ad0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
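Review bot: the commit message says "stretch ignored", but the only visible change in the hunk is the expanded parenthetical on the [stretch] line, which still opens with "Minor issue" exactly as the jessie line does; make sure the status keyword on that line was actually switched, since the rationale text alone does not change the entry's status.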
[Git][security-tracker-team/security-tracker][master] dla: claim ckeditor
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 1a7f87d2 by Sylvain Beucler at 2022-05-02T18:09:41+02:00 dla: claim ckeditor - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -35,7 +35,7 @@ ark cgal NOTE: 20220421: many no-dsa issues, please check, whether it is possible to fix them without uploading a new upstream release (Anton) -- -ckeditor +ckeditor (Sylvain Beucler) NOTE: 20220402: multiple pendings vulnerabilities (Beuc) -- composer: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1a7f87d2830e8768fc6fc4b2722857123629eaf2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1a7f87d2830e8768fc6fc4b2722857123629eaf2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: minor clarifications/formatting
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 5958df03 by Sylvain Beucler at 2022-05-02T18:04:07+02:00 dla: minor clarifications/formatting - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -33,7 +33,7 @@ ark NOTE: 20220424: programming language C -- cgal - NOTE: 20220421: many no-dsa issues, please check, whether it is possible to fix them without an uploading of a new upstream release (Anton) + NOTE: 20220421: many no-dsa issues, please check, whether it is possible to fix them without uploading a new upstream release (Anton) -- ckeditor NOTE: 20220402: multiple pendings vulnerabilities (Beuc) @@ -114,9 +114,9 @@ nvidia-cuda-toolkit NOTE: 20220331: package is in non-free but also in packages-to-support (Beuc) -- nvidia-graphics-drivers - NOTE: 20220203: package is in non-free but also in packages-to-support (Beuc) - NOTE: 20220209: monitor nvidia-graphics-drivers-legacy-390xx for a potential - NOTE: 20220209: backport (apo) + NOTE: 20220203: package is in non-free but also in packages-to-support (Beuc) + NOTE: 20220209: monitor nvidia-graphics-drivers-legacy-390xx for a potential + NOTE: 20220209: backport (apo) -- openjdk-8 (pochu) -- 
@@ -132,13 +132,13 @@ puppet-module-puppetlabs-firewall NOTE: 20220402: no Debian maintainers activity since 2018 (Beuc) -- ring (Abhijith PA) - NOTE: 20220314: https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc - NOTE: 20220404: package in archive is faulty. New regs can't be done due (abhijith) - NOTE: 20220404: a network error (abhijith) + NOTE: 20220314: https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc + NOTE: 20220404: package in archive is faulty. New regs can't be done due (abhijith) + NOTE: 20220404: a network error (abhijith) -- ruby-devise-two-factor - NOTE: 20220427: Patch does not apply cleanly to LTS version, may be due to this being the result - NOTE: 20220427: of an incomplete fix to CVE-2015-7225. Will require some investigation. (lamby) + NOTE: 20220427: Patch does not apply cleanly to LTS version, may be due to this being the result + NOTE: 20220427: of an incomplete fix to CVE-2015-7225. Will require some investigation. (lamby) -- salt -- 
@@ -156,9 +156,10 @@ snapd -- sox NOTE: 20220326: CVE-2019-13590 is fixed in git (Anton) + NOTE: 20220326: https://salsa.debian.org/lts-team/packages/sox NOTE: 20220326: fix for CVE-2021-40426 is not yet available (Anton) -- -subversion +subversion (Roberto C. Sánchez) NOTE: 20220422: Upstream's patch for CVE-2021-28544 does not cleanly apply (eg. "copyfrom_path = apr_pstrdup(...)" assignment) NOTE: 20220422: and, once applied manually, appears to break multiple and possibly unrelated parts of the testsuite. (lamby) NOTE: 20220501: Done some analysis, worked on a patch, cannot find a way to test it, mailed results to Roberto C. Sánchez (enrico) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5958df037181dbc5c6b0eb1a7243c919bdd75f2d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5958df037181dbc5c6b0eb1a7243c919bdd75f2d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
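Review bot: in the @@ -114 and @@ -132 hunks the removed and added NOTE lines for nvidia-graphics-drivers, ring and ruby-devise-two-factor are textually identical, so the change is presumably indentation or trailing whitespace only; saying so in the commit message ("fix NOTE indentation") would save reviewers from diffing the lines by eye. The cgal wording fix and the subversion claim in the other hunks are fine as they stand.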
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46790/ntfs-3g
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6ca9780c by Salvatore Bonaccorso at 2022-05-02T13:03:37+02:00 Add CVE-2021-46790/ntfs-3g - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -300,7 +300,8 @@ CVE-2022-29968 (An issue was discovered in the Linux kernel through 5.17.5. io_r CVE-2022-1545 RESERVED CVE-2021-46790 (ntfsck in NTFS-3G through 2021.8.22 has a heap-based buffer overflow i ...) - TODO: check + - ntfs-3g + NOTE: https://github.com/tuxera/ntfs-3g/issues/16 CVE-2022-1544 (Formula Injection/CSV Injection due to Improper Neutralization of Form ...) TODO: check CVE-2022-29967 (static_compressed_inmemory_website_callback.c in Glewlwyd through 2.6. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ca9780c698cb4f7b8a216d8154425d49bb35e31 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ca9780c698cb4f7b8a216d8154425d49bb35e31 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-29973/fuse-exfat
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7eb9090d by Salvatore Bonaccorso at 2022-05-02T12:30:38+02:00 Add CVE-2022-29973/fuse-exfat - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -281,7 +281,8 @@ CVE-2022-29975 CVE-2022-29974 RESERVED CVE-2022-29973 (relan exFAT 1.3.0 allows local users to obtain sensitive information ( ...) - TODO: check + - fuse-exfat + NOTE: https://github.com/relan/exfat/issues/185 CVE-2022-29972 RESERVED CVE-2022-29971 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7eb9090d7be6694686fbfe4edc5138cbe7374c4e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7eb9090d7be6694686fbfe4edc5138cbe7374c4e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2022-29968/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 843af0f3 by Salvatore Bonaccorso at 2022-05-02T10:28:12+02:00 Update status for CVE-2022-29968/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -292,6 +292,9 @@ CVE-2022-29969 (The RSS extension before 2022-04-29 for MediaWiki allows XSS via TODO: check CVE-2022-29968 (An issue was discovered in the Linux kernel through 5.17.5. io_rw_init ...) - linux + [bullseye] - linux (Vulnerable code introduced later) + [buster] - linux (Vulnerable code introduced later) + [stretch] - linux (Vulnerable code introduced later) NOTE: https://git.kernel.org/linus/32452a3eb8b64e01e2be717f518c0be046975b9d (5.18-rc5) CVE-2022-1545 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/843af0f3695037cf372a73d92237ce041f09c170 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/843af0f3695037cf372a73d92237ce041f09c170 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
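Review bot: the three "(Vulnerable code introduced later)" lines added for bullseye, buster and stretch do not cite the commit that introduced the vulnerable code, while the existing NOTE records only the fix (32452a3eb8b64e01e2be717f518c0be046975b9d, 5.18-rc5); add a NOTE with the introducing commit or kernel version so the not-affected claim for the three releases can be rechecked later.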
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-29968/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 122e3d58 by Salvatore Bonaccorso at 2022-05-02T10:25:07+02:00 Add CVE-2022-29968/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -291,7 +291,8 @@ CVE-2022-29970 (Sinatra before 2.2.0 does not validate that the expanded path ma CVE-2022-29969 (The RSS extension before 2022-04-29 for MediaWiki allows XSS via an rs ...) TODO: check CVE-2022-29968 (An issue was discovered in the Linux kernel through 5.17.5. io_rw_init ...) - TODO: check + - linux + NOTE: https://git.kernel.org/linus/32452a3eb8b64e01e2be717f518c0be046975b9d (5.18-rc5) CVE-2022-1545 RESERVED CVE-2021-46790 (ntfsck in NTFS-3G through 2021.8.22 has a heap-based buffer overflow i ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/122e3d58f504375973d7fb2a882a5f05c6b947c0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/122e3d58f504375973d7fb2a882a5f05c6b947c0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9248dd76 by security tracker role at 2022-05-02T08:10:11+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,301 @@ +CVE-2022-30114 + RESERVED +CVE-2022-30113 + RESERVED +CVE-2022-30112 + RESERVED +CVE-2022-30111 + RESERVED +CVE-2022-30110 + RESERVED +CVE-2022-30109 + RESERVED +CVE-2022-30108 + RESERVED +CVE-2022-30107 + RESERVED +CVE-2022-30106 + RESERVED +CVE-2022-30105 + RESERVED +CVE-2022-30104 + RESERVED +CVE-2022-30103 + RESERVED +CVE-2022-30102 + RESERVED +CVE-2022-30101 + RESERVED +CVE-2022-30100 + RESERVED +CVE-2022-30099 + RESERVED +CVE-2022-30098 + RESERVED +CVE-2022-30097 + RESERVED +CVE-2022-30096 + RESERVED +CVE-2022-30095 + RESERVED +CVE-2022-30094 + RESERVED +CVE-2022-30093 + RESERVED +CVE-2022-30092 + RESERVED +CVE-2022-30091 + RESERVED +CVE-2022-30090 + RESERVED +CVE-2022-30089 + RESERVED +CVE-2022-30088 + RESERVED +CVE-2022-30087 + RESERVED +CVE-2022-30086 + RESERVED +CVE-2022-30085 + RESERVED +CVE-2022-30084 + RESERVED +CVE-2022-30083 + RESERVED +CVE-2022-30082 + RESERVED +CVE-2022-30081 + RESERVED +CVE-2022-30080 + RESERVED +CVE-2022-30079 + RESERVED +CVE-2022-30078 + RESERVED +CVE-2022-30077 + RESERVED +CVE-2022-30076 + RESERVED +CVE-2022-30075 + RESERVED +CVE-2022-30074 + RESERVED +CVE-2022-30073 + RESERVED +CVE-2022-30072 + RESERVED +CVE-2022-30071 + RESERVED +CVE-2022-30070 + RESERVED +CVE-2022-30069 + RESERVED +CVE-2022-30068 + RESERVED +CVE-2022-30067 + RESERVED +CVE-2022-30066 + RESERVED +CVE-2022-30065 + RESERVED +CVE-2022-30064 + RESERVED +CVE-2022-30063 + RESERVED +CVE-2022-30062 + RESERVED +CVE-2022-30061 + RESERVED +CVE-2022-30060 + RESERVED +CVE-2022-30059 + RESERVED +CVE-2022-30058 + RESERVED +CVE-2022-30057 + RESERVED +CVE-2022-30056 + RESERVED +CVE-2022-30055 + RESERVED +CVE-2022-30054 + RESERVED +CVE-2022-30053 + RESERVED +CVE-2022-30052 + RESERVED +CVE-2022-30051 + RESERVED +CVE-2022-30050 + RESERVED +CVE-2022-30049 + RESERVED +CVE-2022-30048 + RESERVED +CVE-2022-30047 + RESERVED +CVE-2022-30046 + RESERVED +CVE-2022-30045 + RESERVED +CVE-2022-30044 + RESERVED +CVE-2022-30043 + RESERVED +CVE-2022-30042 + RESERVED 
+CVE-2022-30041 + RESERVED +CVE-2022-30040 + RESERVED +CVE-2022-30039 + RESERVED +CVE-2022-30038 + RESERVED +CVE-2022-30037 + RESERVED +CVE-2022-30036 + RESERVED +CVE-2022-30035 + RESERVED +CVE-2022-30034 + RESERVED +CVE-2022-30033 + RESERVED +CVE-2022-30032 + RESERVED +CVE-2022-30031 + RESERVED +CVE-2022-30030 + RESERVED +CVE-2022-30029 + RESERVED +CVE-2022-30028 + RESERVED +CVE-2022-30027 + RESERVED +CVE-2022-30026 + RESERVED +CVE-2022-30025 + RESERVED +CVE-2022-30024 + RESERVED +CVE-2022-30023 + RESERVED +CVE-2022-30022 + RESERVED +CVE-2022-30021 + RESERVED +CVE-2022-30020 + RESERVED +CVE-2022-30019 + RESERVED +CVE-2022-30018 + RESERVED +CVE-2022-30017 + RESERVED +CVE-2022-30016 + RESERVED +CVE-2022-30015 + RESERVED +CVE-2022-30014 + RESERVED +CVE-2022-30013 + RESERVED +CVE-2022-30012 + RESERVED +CVE-2022-30011 + RESERVED +CVE-2022-30010 + RESERVED +CVE-2022-30009 + RESERVED +CVE-2022-30008 + RESERVED +CVE-2022-30007 + RESERVED +CVE-2022-30006 + RESERVED +CVE-2022-30005 + RESERVED +CVE-2022-30004 + RESERVED +CVE-2022-30003 + RESERVED +CVE-2022-30002 + RESERVED +CVE-2022-30001 + RESERVED +CVE-2022-3 + RESERVED +CVE-2022-2 + RESERVED +CVE-2022-29998 + RESERVED +CVE-2022-29997 + RESERVED +CVE-2022-29996 + RESERVED +CVE-2022-29995 + RESERVED +CVE-2022-29994 + RESERVED +CVE-2022-29993 + RESERVED +CVE-2022-29992 + RESERVED +CVE-2022-29991 + RESERVED +CVE-2022-29990 + RESERVED +CVE-2022-29989 + RESERVED +CVE-2022-29988 + RESERVED +CVE-2022-29987 + RESERVED +CVE-2022-29986 + RESERVED +CVE-2022-29985 + RESERVED +CVE-2022-29984 + RESERVED +CVE-2022-29983 + RESERVED +CVE-2022-29982 + RESERVED +CVE-2022-29981 + RESERVED +CVE-2022-29980 + RESERVED +CVE-2022-29979 + RESERVED +CVE-2022-29978 + RESERVED +CVE-2022-29977 + RESERVED +CVE-2022-29976 + RESERVED +CVE-2022-29975 + RESERVED +CVE-2022-29974 + RESE
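Review bot: two of the added entries in this hunk, "CVE-2022-3" and "CVE-2022-2", sit between CVE-2022-30001 and CVE-2022-29998 and are not well-formed CVE identifiers; the surrounding sequence suggests they should be CVE-2022-30000 and CVE-2022-29999, so check whether data/CVE/list itself carries the truncated ids or only this mail rendering does. The hunk is also cut off after "CVE-2022-29974 + RESE", so the tail of the automatic update is not reviewable here.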