[Git][security-tracker-team/security-tracker][master] Reserve DLA-2997-1 for ecdsautils
Sven Eckelmann pushed to branch master at Debian Security Tracker / security-tracker Commits: 11f39cc2 by Sven Eckelmann at 2022-05-07T07:53:28+02:00 Reserve DLA-2997-1 for ecdsautils - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[07 May 2022] DLA-2997-1 ecdsautils - security update + {CVE-2022-24884} + [stretch] - ecdsautils 0.3.2+git20151018-2+deb9u1 [06 May 2022] DLA-2996-1 mruby - security update {CVE-2017-9527 CVE-2018-10191 CVE-2018-11743 CVE-2018-12249 CVE-2018-14337 CVE-2020-15866} [stretch] - mruby 1.2.0+20161228+git30d5424a-1+deb9u1 = data/dla-needed.txt = @@ -44,9 +44,6 @@ debian-security-support (Utkarsh) NOTE: 20220402: context: https://lists.debian.org/debian-lts/2022/04/msg0.html (Beuc) NOTE: 20220502: backport prepped, will contact Holger for more details. (utkarsh) -- -ecdsautils (Sven Eckelmann) - NOTE: 20220507: CVE-2022-24884 requires same update as buster/bullseye --- ffmpeg NOTE: 20220503: update to 3.2.17 (pochu) NOTE: 20220505: upstream is upstreaming the patches we are carrying and will View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11f39cc25f17ae2958933e4e99fd3cb291337330 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11f39cc25f17ae2958933e4e99fd3cb291337330 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
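Review bot: The new data/DLA/list entry pins stretch to 0.3.2+git20151018-2+deb9u1, a 2015 git snapshot of the 0.3 series, while data/CVE/list on this page ties CVE-2022-24884 to upstream commit 1d4b091abdf15ad7b2312535b5b95ad70f6dbd08 (v0.4.1); make sure the +deb9u1 changelog names that commit so the backport can be checked against it rather than against the 0.4.1 release as a whole.

Review bot: Removing the dla-needed.txt entry drops the note "CVE-2022-24884 requires same update as buster/bullseye", and nothing in this diff records that buster/bullseye are still open; they are tracked only through the dsa-needed.txt entry "ecdsautils (jmm) Maintainer prepared updates" elsewhere on this page, so do not read the DLA as closing the stable side.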
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bc783310 by Salvatore Bonaccorso at 2022-05-07T07:37:52+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3815,15 +3815,15 @@ CVE-2022-28975 CVE-2022-28974 RESERVED CVE-2022-28973 (Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via t ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-28972 (Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via t ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-28971 (Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via t ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-28970 (Tenda AX1806 v1.0.0.1 was discovered to contain a heap overflow via th ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-28969 (Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via t ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-28968 RESERVED CVE-2022-28967 @@ -47819,7 +47819,7 @@ CVE-2021-39029 CVE-2021-39028 RESERVED CVE-2021-39027 (IBM Guardium Data Encryption (GDE) 4.0.0 and 5.0.0 prepares a structur ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-39026 (IBM Guardium Data Encryption (GDE) 5.0.0.2 and 5.0.0.3 could allow a r ...) NOT-FOR-US: IBM CVE-2021-39025 (IBM Guardium Data Encryption (GDE) 4.0.0.0 and 5.0.0.0 could disclose ...) 
@@ -47827,7 +47827,7 @@ CVE-2021-39025 (IBM Guardium Data Encryption (GDE) 4.0.0.0 and 5.0.0.0 could dis CVE-2021-39024 RESERVED CVE-2021-39023 (IBM Guardium Data Encryption (GDE) 4.0.0 and 5.0.0 could allow a remot ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-39022 (IBM Guardium Data Encryption (GDE) 4.0.0.0 and 5.0.0.0 saves user-prov ...) NOT-FOR-US: IBM CVE-2021-39021 (IBM Guardium Data Encryption (GDE) 5.0.0.2 behaves differently or send ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc783310488832af2802d77eba91ffec18705c72
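Review bot: In the Tenda hunk the five CVE-2022-28969 to CVE-2022-28973 descriptions differ only in the overflow type (stack vs heap), so one NOT-FOR-US: Tenda decision covers them; nothing further to check.

Review bot: In the two IBM hunks CVE-2021-39027 and CVE-2021-39023 now carry the same NOT-FOR-US: IBM marker as the surrounding CVE-2021-39026 and CVE-2021-39022 entries, which is what flagged them as the two left at TODO: check; consistent.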
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove composer from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: a8961729 by Markus Koschany at 2022-05-07T00:38:23+02:00 Remove composer from dla-needed.txt The vulnerable getFileContent function was introduced in November 2016 and does not exist in Stretch. https://github.com/composer/composer/commit/597f834ae998ea80797879f4259e8e6accff4a4b The getBranches function is missing the check to filter branch names starting with a - character but this alone is not worth fixing. I agree with the current triaging as no-dsa. The getBranches function can be fixed later. - - - - - a5de7d44 by Markus Koschany at 2022-05-07T00:41:26+02:00 Claim ark in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -29,7 +29,7 @@ ansible asterisk (Abhijith PA) NOTE: 20220424: programming language C -- -ark +ark (Markus Koschany) NOTE: 20220424: programming language C -- cgal 
@@ -38,10 +38,6 @@ cgal ckeditor (Sylvain Beucler) NOTE: 20220402: multiple pendings vulnerabilities (Beuc) -- -composer: (Markus Koschany) - NOTE: 20220424: programming language PHP - NOTE: 20220424: check whether really affected (Anton) --- debian-security-support (Utkarsh) NOTE: 20220402: need to update the list of unsupported packages (Beuc) NOTE: 20220402: check debian/README.source, sync with h01ger, and announce EOL'd packages (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c1c0aa15af09b3b6e68be8fe93b71747e81093f3...a5de7d445e0a7414a6dda2fef20e45b2fe4ee108
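Review bot: The composer hunk removes the entry together with its "check whether really affected (Anton)" note, but the conclusion only appears in the commit message (getFileContent introduced in November 2016 and absent from stretch; getBranches lacks the leading "-" branch-name check but is not worth fixing on its own; no-dsa agreed). Record that as a [stretch] annotation on the affected CVE in data/CVE/list, in the style of the "(Vulnerable code introduced later)" lines used elsewhere in the file, so the rationale survives outside this commit.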
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim ecdsautils
Sven Eckelmann pushed to branch master at Debian Security Tracker / security-tracker Commits: c1c0aa15 by Sven Eckelmann at 2022-05-07T00:22:42+02:00 data/dla-needed.txt: claim ecdsautils - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -48,6 +48,9 @@ debian-security-support (Utkarsh) NOTE: 20220402: context: https://lists.debian.org/debian-lts/2022/04/msg0.html (Beuc) NOTE: 20220502: backport prepped, will contact Holger for more details. (utkarsh) -- +ecdsautils (Sven Eckelmann) + NOTE: 20220507: CVE-2022-24884 requires same update as buster/bullseye +-- ffmpeg NOTE: 20220503: update to 3.2.17 (pochu) NOTE: 20220505: upstream is upstreaming the patches we are carrying and will View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1c0aa15af09b3b6e68be8fe93b71747e81093f3
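Review bot: The new NOTE says the stretch update is the same as buster/bullseye but does not say which upstream change that is; data/CVE/list on this page pins CVE-2022-24884 to commit 1d4b091abdf15ad7b2312535b5b95ad70f6dbd08, and naming it in the NOTE would save the next LTS reader a lookup. Style only.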
[Git][security-tracker-team/security-tracker][master] take ecdsautils, qemu, thunderbird
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1a70c098 by Moritz Muehlenhoff at 2022-05-06T22:21:37+02:00 take ecdsautils, qemu, thunderbird - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -18,7 +18,7 @@ cacti -- condor/oldstable (apo) -- -ecdsautils +ecdsautils (jmm) Maintainer prepared updates -- epiphany-browser @@ -35,7 +35,7 @@ nodejs (jmm) -- puma -- -qemu/stable +qemu/stable (jmm) Maintainer is proposing update for some CVEs, need review -- rpki-client/stable @@ -52,6 +52,8 @@ slurm-wlm/stable -- sox -- +thunderbird (jmm) +-- trafficserver (jmm) wait until status for CVE-2021-38161 is clarified (upstream patch got reverted) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1a70c09829bd1006fd55165de00a42950193751b
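Review bot: The thunderbird hunk adds a bare "thunderbird (jmm)" with no status line, while the neighbouring entries in the same file carry one ("Maintainer is proposing update for some CVEs, need review" on qemu/stable, "wait until status for CVE-2021-38161 is clarified" on trafficserver); a one-line note on what is being waited for would keep the file self-explanatory. Style only.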
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ffba3f2 by security tracker role at 2022-05-06T20:10:15+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,81 @@ +CVE-2022-30320 + RESERVED +CVE-2022-30319 + RESERVED +CVE-2022-30318 + RESERVED +CVE-2022-30317 + RESERVED +CVE-2022-30316 + RESERVED +CVE-2022-30315 + RESERVED +CVE-2022-30314 + RESERVED +CVE-2022-30313 + RESERVED +CVE-2022-30312 + RESERVED +CVE-2022-30311 + RESERVED +CVE-2022-30310 + RESERVED +CVE-2022-30309 + RESERVED +CVE-2022-30308 + RESERVED +CVE-2022-30307 + RESERVED +CVE-2022-30306 + RESERVED +CVE-2022-30305 + RESERVED +CVE-2022-30304 + RESERVED +CVE-2022-30303 + RESERVED +CVE-2022-30302 + RESERVED +CVE-2022-30301 + RESERVED +CVE-2022-30300 + RESERVED +CVE-2022-30299 + RESERVED +CVE-2022-30298 + RESERVED +CVE-2022-29509 + RESERVED +CVE-2022-29483 + RESERVED +CVE-2022-28702 + RESERVED +CVE-2022-1615 + RESERVED +CVE-2022-1614 + RESERVED +CVE-2022-1613 + RESERVED +CVE-2022-1612 + RESERVED +CVE-2022-1611 + RESERVED +CVE-2022-1610 + RESERVED +CVE-2022-1609 + RESERVED +CVE-2022-1608 + RESERVED +CVE-2022-1607 + RESERVED +CVE-2022-1606 + RESERVED +CVE-2022-1605 + RESERVED +CVE-2022-1604 + RESERVED +CVE-2022-1603 + RESERVED CVE-2022-30295 (uClibc-ng through 1.0.40 and uClibc through 0.9.33.2 use predictable D ...) TODO: check CVE-2022-30294 (In WebKitGTK through 2.36.0 (and WPE WebKit), there is a use-after-fre ...) 
@@ -2507,14 +2585,14 @@ CVE-2022-29425 RESERVED CVE-2022-29424 RESERVED -CVE-2022-29423 - RESERVED -CVE-2022-29422 - RESERVED -CVE-2022-29421 - RESERVED -CVE-2022-29420 - RESERVED +CVE-2022-29423 (Pro Features Lock Bypass vulnerability in Countdown & Clock plugin ...) + TODO: check +CVE-2022-29422 (Multiple Authenticated (admin+) Persistent Cross-Site Scripting (XSS) ...) + TODO: check +CVE-2022-29421 (Reflected Cross-Site Scripting (XSS) vulnerability in Adam Skaat's Cou ...) + TODO: check +CVE-2022-29420 (Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability ...) + TODO: check CVE-2022-29419 (SQL Injection (SQLi) vulnerability in Don Crowther's 3xSocializer plug ...) NOT-FOR-US: WordPress plugin CVE-2022-29418 (Authenticated (admin user role) Persistent Cross-Site Scripting (XSS) ...) @@ -3736,16 +3814,16 @@ CVE-2022-28975 RESERVED CVE-2022-28974 RESERVED -CVE-2022-28973 - RESERVED -CVE-2022-28972 - RESERVED -CVE-2022-28971 - RESERVED -CVE-2022-28970 - RESERVED -CVE-2022-28969 - RESERVED +CVE-2022-28973 (Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via t ...) + TODO: check +CVE-2022-28972 (Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via t ...) + TODO: check +CVE-2022-28971 (Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via t ...) + TODO: check +CVE-2022-28970 (Tenda AX1806 v1.0.0.1 was discovered to contain a heap overflow via th ...) + TODO: check +CVE-2022-28969 (Tenda AX1806 v1.0.0.1 was discovered to contain a stack overflow via t ...) + TODO: check CVE-2022-28968 RESERVED CVE-2022-28967 @@ -4843,8 +4921,8 @@ CVE-2022-28547 RESERVED CVE-2022-28546 RESERVED -CVE-2022-28545 - RESERVED +CVE-2022-28545 (FUDforum 3.1.1 is vulnerable to Stored XSS. ...) + TODO: check CVE-2022-28544 (Path traversal vulnerability in unzip method of InstallAgentCommonHelp ...) NOT-FOR-US: Samsung CVE-2022-28543 (Path traversal vulnerability in Samsung Flow prior to version 4.8.07.4 ...) 
@@ -4919,8 +4997,8 @@ CVE-2022-28509 RESERVED CVE-2022-28508 (An XSS issue was discovered in browser_search_plugin.php in MantisBT b ...) - mantis -CVE-2022-28507 - RESERVED +CVE-2022-28507 (Dragon Path Technologies Bharti Airtel Routers Hardware BDT-121 versio ...) + TODO: check CVE-2022-28506 (There is a heap-buffer-overflow in GIFLIB 5.2.1 function DumpScreen2RG ...) - giflib [bullseye] - giflib (Minor issue) @@ -5637,26 +5715,26 @@ CVE-2021-46744 RESERVED CVE-2022-28280 RESERVED -CVE-2022-28279 - RESERVED -CVE-2022-28278 - RESERVED -CVE-2022-28277 - RESERVED -CVE-2022-28276 - RESERVED -CVE-2022-28275 - RESERVED -CVE-2022-28274 - RESERVED -CVE-2022-28273 - RESERVED -CVE-2022-28272 - RESERVED -CVE-2022-28271 - RESERVED -CVE-2022-28270 - RESERVED +CVE-2022-28279 (Adobe Photoshop versions 22.5.6 (and earlier)and 23.2.2 (and earlier)
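Review bot: In the hunk at @@ -2507 the four entries CVE-2022-29420 to CVE-2022-29423 describe a WordPress "Countdown & Clock plugin" (Adam Skaat's), and the adjacent CVE-2022-29419 is already NOT-FOR-US: WordPress plugin; the automatic update rightly leaves them at TODO: check, but they can be triaged the same way as their neighbour.

Review bot: In the hunk at @@ -3736 the five Tenda AX1806 entries CVE-2022-28969 to CVE-2022-28973 land as TODO: check; a later commit on this page marks all five NOT-FOR-US: Tenda, so nothing to change in the automatic update itself.

Review bot: The message is cut off in the hunk at @@ -5637, after the start of the CVE-2022-28279 (Adobe Photoshop) description; the rest of that hunk is not on this page and is not reconstructed here.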
[Git][security-tracker-team/security-tracker][master] Add upstream tag information for CVE-2022-24884
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 41bac78e by Salvatore Bonaccorso at 2022-05-06T21:36:01+02:00 Add upstream tag information for CVE-2022-24884 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15134,7 +15134,7 @@ CVE-2022-24885 (Nextcloud Android app is the Android client for Nextcloud, a sel CVE-2022-24884 (ecdsautils is a tiny collection of programs used for ECDSA (keygen, si ...) - ecdsautils 0.4.1-1 NOTE: https://github.com/freifunk-gluon/ecdsautils/security/advisories/GHSA-qhcg-9ffp-78pw - NOTE: https://github.com/freifunk-gluon/ecdsautils/commit/1d4b091abdf15ad7b2312535b5b95ad70f6dbd08 + NOTE: https://github.com/freifunk-gluon/ecdsautils/commit/1d4b091abdf15ad7b2312535b5b95ad70f6dbd08 (v0.4.1) CVE-2022-24883 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). ...) - freerdp2 2.7.0+dfsg1-1 - freerdp View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41bac78eda5a92c3647234f9def82d9c13705ca5
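Review bot: Appending "(v0.4.1)" to the commit NOTE follows the convention used elsewhere in data/CVE/list (for instance "(v1.33.3)" on the google-oauth-java-client commit on this page) and agrees with the Debian fixed version 0.4.1-1 on the line above; fine.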
[Git][security-tracker-team/security-tracker][master] Amend note for ecdsautils that it is handled by maintainer already
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: af697249 by Salvatore Bonaccorso at 2022-05-06T21:35:29+02:00 Amend note for ecdsautils that it is handled by maintainer already - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -19,6 +19,7 @@ cacti condor/oldstable (apo) -- ecdsautils + Maintainer prepared updates -- epiphany-browser -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af69724964f7bd14b344130309bf5291e0f704cb
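Review bot: The added "Maintainer prepared updates" line is indented under ecdsautils as a status note, but the package line itself still has no owner in parentheses, unlike "condor/oldstable (apo)" just above; per the file's convention the claimant goes on the package line, which a later commit on this page does with "ecdsautils (jmm)". Style only.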
[Git][security-tracker-team/security-tracker][master] Reference associated upstream commit for CVE-2021-22573
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d6e1750e by Salvatore Bonaccorso at 2022-05-06T21:32:29+02:00 Reference associated upstream commit for CVE-2021-22573 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -88897,6 +88897,7 @@ CVE-2021-22573 (The vulnerability is that IDToken verifier does not verify if to NOTE: https://github.com/googleapis/google-oauth-java-client/issues/786 NOTE: https://github.com/googleapis/google-oauth-java-client/pull/861 NOTE: https://github.com/googleapis/google-oauth-java-client/pull/872 (1.33.3) + NOTE: https://github.com/googleapis/google-oauth-java-client/commit/22419d60579ef4c1a8a256a90e6ca7bc58f09aa1 (v1.33.3) CVE-2021-22572 (On unix-like systems, the system temporary directory is shared between ...) NOT-FOR-US: Google Data Transfer Project CVE-2021-22571 (A local attacker could read files from some other users' SA360 reports ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6e1750e389f4faeba2db0181b2ffdc2f7d73452
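Review bot: The new NOTE tags the commit "(v1.33.3)" while the line above tags pull 872 "(1.33.3)"; both name the same release, but use one spelling of the tag on both lines so a search for the fix version matches them together. Style only.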
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for dpdk issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b0d85403 by Salvatore Bonaccorso at 2022-05-06T21:14:34+02:00 Add Debian bug reference for dpdk issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13836,7 +13836,7 @@ CVE-2022-0670 CVE-2022-0669 RESERVED {DSA-5130-1} - - dpdk 20.11.5-1 + - dpdk 20.11.5-1 (bug #1010641) [buster] - dpdk (Vulnerable code introduced later) [stretch] - dpdk (Vulnerable code introduced later) NOTE: https://bugs.dpdk.org/show_bug.cgi?id=922 @@ -40851,7 +40851,7 @@ CVE-2021-41773 (A flaw was found in a change made to path normalization in Apach CVE-2021-3839 RESERVED {DSA-5130-1} - - dpdk 20.11.5-1 + - dpdk 20.11.5-1 (bug #1010641) [buster] - dpdk (Vulnerable code introduced later) [stretch] - dpdk (Vulnerable code introduced later) NOTE: https://bugs.dpdk.org/show_bug.cgi?id=657 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b0d854035f099c6d780165c4cc452c94d78fa944
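Review bot: Both CVE-2022-0669 and CVE-2021-3839 now point at the same bug #1010641; that is the right shape when one upload (dpdk 20.11.5-1 under DSA-5130-1 in both entries) closes both, and the [buster]/[stretch] "Vulnerable code introduced later" lines are left untouched. Nothing to change.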
[Git][security-tracker-team/security-tracker][master] CVE-2022-27470/libsdl2-ttf unfixed 1010671
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 9fe8be9b by Neil Williams at 2022-05-06T15:28:08+01:00 CVE-2022-27470/libsdl2-ttf unfixed 1010671 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7841,7 +7841,9 @@ CVE-2022-27472 (SQL injection vulnerability in Topics Counting feature of Roothu CVE-2022-27471 RESERVED CVE-2022-27470 (SDL_ttf v2.0.18 and below was discovered to contain an arbitrary memor ...) - TODO: check + - libsdl2-ttf (bug #1010671) + NOTE: https://github.com/libsdl-org/SDL_ttf/commit/db1b41ab8bde6723c24b866e466cad78c2fa0448 + NOTE: https://github.com/libsdl-org/SDL_ttf/issues/187 CVE-2022-27469 (Monstaftp v2.10.3 was discovered to allow attackers to execute Server- ...) NOT-FOR-US: Monstaftp CVE-2022-27468 (Monstaftp v2.10.3 was discovered to contain an arbitrary file upload w ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fe8be9b4c9767e99a10e74517bfe690088125c5
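Review bot: The entry "- libsdl2-ttf (bug #1010671)" carries no fixed version, matching "unfixed" in the subject; the commit NOTE for db1b41ab8bde6723c24b866e466cad78c2fa0448 has no "(vX.Y.Z)" release suffix of the kind other entries on this page use (for example "(v0.4.1)" on the ecdsautils commit), so append the fixing SDL_ttf release once it is known. The description only says v2.0.18 and below are affected, so the tag is not stated here.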
[Git][security-tracker-team/security-tracker][master] Process some NFUs & pistache ITP
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: f8a8e4ad by Neil Williams at 2022-05-06T15:13:22+01:00 Process some NFUs & pistache ITP - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8188,7 +8188,7 @@ CVE-2022-27362 CVE-2022-27361 RESERVED CVE-2022-27360 (SpringBlade v3.2.0 and below was discovered to contain a SQL injection ...) - TODO: check + NOT-FOR-US: SpringBlade CVE-2022-27359 (Foxit PDF Reader v11.2.1.53537 was discovered to contain a NULL pointe ...) NOT-FOR-US: Foxit PDF Reader CVE-2022-27358 @@ -11875,7 +11875,7 @@ CVE-2022-0759 (A flaw was found in all versions of kubeclient up to (but not inc CVE-2022-26085 RESERVED CVE-2022-26068 (This affects the package pistacheio/pistache before 0.0.3.20220425. It ...) - TODO: check + - pistache (bug #929593) CVE-2022-26066 RESERVED CVE-2022-26063 @@ -12153,7 +12153,7 @@ CVE-2022-25856 CVE-2022-25855 RESERVED CVE-2022-25854 (This affects the package @yaireo/tagify before 4.9.8. The package is u ...) - TODO: check + NOT-FOR-US: Tagify CVE-2022-25853 RESERVED CVE-2022-25852 @@ -12161,7 +12161,7 @@ CVE-2022-25852 CVE-2022-25851 RESERVED CVE-2022-25850 (The package github.com/hoppscotch/proxyscotch before 1.0.0 are vulnera ...) - TODO: check + NOT-FOR-US: hoppscotch proxyscotch CVE-2022-25849 RESERVED CVE-2022-25848 
@@ -12178,7 +12178,7 @@ CVE-2022-25844 (The package angular after 1.7.0 are vulnerable to Regular Expres CVE-2022-25843 RESERVED CVE-2022-25842 (All versions of package com.alibaba.oneagent:one-java-agent-plugin are ...) - TODO: check + NOT-FOR-US: alibaba one-java-agent CVE-2022-25840 RESERVED CVE-2022-25839 (The package url-js before 2.1.0 are vulnerable to Improper Input Valid ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f8a8e4ad3cefe2cc8979449912f052a8234303fd
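Review bot: In the hunk at @@ -11875 the line "- pistache (bug #929593)" references the ITP named in the subject rather than a Debian fixed version; that is fine while the package is not yet in the archive, but the description already gives the upstream fixed version (0.0.3.20220425), so record the Debian version on this line once the package is accepted. The NFU hunks (SpringBlade, Tagify, hoppscotch proxyscotch, alibaba one-java-agent) name the project after the marker as the file expects.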
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove twig from dla-/dsa-needed.txt.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3df8707b by Markus Koschany at 2022-05-06T16:00:08+02:00 Remove twig from dla-/dsa-needed.txt. The arrow function was first introduced in Twig 2.12. Stretch and Buster are not affected. - - - - - a832eed5 by Markus Koschany at 2022-05-06T16:04:30+02:00 CVE-2022-23614,twig: Stretch and Buster are not affected The vulnerable code was introduced later. - - - - - 3 changed files: - data/CVE/list - data/dla-needed.txt - data/dsa-needed.txt Changes: = data/CVE/list = @@ -19676,6 +19676,8 @@ CVE-2022-23614 (Twig is an open source template language for PHP. When in a sand {DSA-5107-1} - php-twig 3.3.8-1 - twig + [buster] - twig (The vulnerable code was introduced later) + [stretch] - twig (The vulnerable code was introduced later) NOTE: https://github.com/twigphp/Twig/security/advisories/GHSA-5mv2-rx3q-4w2v NOTE: https://github.com/twigphp/Twig/pull/3641 NOTE: https://github.com/twigphp/Twig/commit/2eb33080558611201b55079d07ac88f207b466d5 (v3.3.8) = data/dla-needed.txt = @@ -179,9 +179,6 @@ tiff (Utkarsh) NOTE: 20220419: new CVE reported; waiting to see if there are more. (utkarsh) NOTE: 20220502: will collate the new CVEs and update the package. (utkarsh) -- -twig (Markus Koschany) - NOTE: 20220402: cf. DSA-5107-1; similar code in lib/Twig/Extension/Core.php (Beuc) --- unzip NOTE: 20220319: no patches yet but reproducible (apo) NOTE: 20220429: CVE-2022-0530: reported #1010355 with a proposed patch (enrico) = data/dsa-needed.txt = 
@@ -54,8 +54,6 @@ sox trafficserver (jmm) wait until status for CVE-2021-38161 is clarified (upstream patch got reverted) -- -twig/oldstable --- unzip no details public yet -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9a8e2b9590820b623fe62835ec21d119a7b9921e...a832eed5760816c703cea8627e6feeb38a1656c7
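Review bot: The data/CVE/list hunk annotates buster and stretch with "The vulnerable code was introduced later" but leaves out the version from the commit message (arrow function first introduced in Twig 2.12); put "Twig 2.12" in the parenthetical so the next reader does not have to find this commit to verify the claim.

Review bot: The dla-needed.txt hunk drops the earlier note "similar code in lib/Twig/Extension/Core.php (Beuc)"; the 2.12 finding in the commit message answers that concern, so the removal is justified, but the answer again lives only in the commit message and not in the tracker data.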
[Git][security-tracker-team/security-tracker][master] Process NFUs
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 9a8e2b95 by Neil Williams at 2022-05-06T14:52:32+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12184,7 +12184,7 @@ CVE-2022-25840 CVE-2022-25839 (The package url-js before 2.1.0 are vulnerable to Improper Input Valid ...) NOT-FOR-US: Node url-js CVE-2022-25767 (All versions of package com.bstek.ureport:ureport2-console are vulnera ...) - TODO: check + NOT-FOR-US: youseries/ureport CVE-2022-25766 (The package ungit before 1.5.20 are vulnerable to Remote Code Executio ...) NOT-FOR-US: NodeJS ungit CVE-2022-25765 
@@ -12562,25 +12562,25 @@ CVE-2022-25789 (A maliciously crafted DWF, 3DS and DWFX files in Autodesk AutoCA CVE-2022-25788 (A maliciously crafted JT file in Autodesk AutoCAD 2022 may be used to ...) NOT-FOR-US: Autodesk CVE-2022-25787 (Information Exposure Through Query Strings in GET Request vulnerabilit ...) - TODO: check + NOT-FOR-US: Secomea CVE-2022-25786 (Unprotected Alternate Channel vulnerability in debug console of GateMa ...) - TODO: check + NOT-FOR-US: Secomea CVE-2022-25785 (Stack-based Buffer Overflow vulnerability in SiteManager allows logged ...) - TODO: check + NOT-FOR-US: Secomea CVE-2022-25784 (Cross-site Scripting (XSS) vulnerability in Web GUI of SiteManager all ...) - TODO: check + NOT-FOR-US: Secomea CVE-2022-25783 (Insufficient Logging vulnerability in web server of Secomea GateManage ...) - TODO: check + NOT-FOR-US: Secomea CVE-2022-25782 (Improper Handling of Insufficient Privileges vulnerability in Web UI o ...) - TODO: check + NOT-FOR-US: Secomea CVE-2022-25781 (Cross-site Scripting (XSS) vulnerability in Web UI of Secomea GateMana ...) - TODO: check + NOT-FOR-US: Secomea CVE-2022-25780 (Information Exposure vulnerability in web UI of Secomea GateManager al ...) - TODO: check + NOT-FOR-US: Secomea CVE-2022-25779 (Logging of Excessive Data vulnerability in audit log of Secomea GateMa ...) - TODO: check + NOT-FOR-US: Secomea CVE-2022-25778 (Cross-Site Request Forgery (CSRF) vulnerability in Web UI of Secomea G ...) - TODO: check + NOT-FOR-US: Secomea CVE-2022-25777 RESERVED CVE-2022-25776 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a8e2b9590820b623fe62835ec21d119a7b9921e
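Review bot: In the hunk at @@ -12184 the marker reads "NOT-FOR-US: youseries/ureport" while the description names "com.bstek.ureport:ureport2-console"; keep (or add) the name the description uses so a later search for ureport2 finds this triage.

Review bot: In the hunk at @@ -12562 all ten entries CVE-2022-25778 to CVE-2022-25787 name Secomea GateManager/SiteManager products and get NOT-FOR-US: Secomea; one decision covers them and the neighbouring Autodesk entries stay NOT-FOR-US: Autodesk. Consistent.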
[Git][security-tracker-team/security-tracker][master] CVE-2022-25647/libgoogle-gson-java unfixed 1010670
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 85e72854 by Neil Williams at 2022-05-06T14:39:27+01:00 CVE-2022-25647/libgoogle-gson-java unfixed 1010670 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12205,7 +12205,10 @@ CVE-2022-25648 (The package git before 1.11.0 are vulnerable to Command Injectio NOTE: Fixed by: https://github.com/ruby-git/ruby-git/commit/291ca0946bec7164b90ad5c572ac147f512c7159 (v1.11.0) NOTE: https://security.snyk.io/vuln/SNYK-RUBY-GIT-2421270 CVE-2022-25647 (The package com.google.code.gson:gson before 2.8.9 are vulnerable to D ...) - TODO: check + - libgoogle-gson-java (bug #1010670) + NOTE: https://github.com/google/gson/pull/1991 + NOTE: https://github.com/google/gson/commit/e6fae590cf2a758c47cd5a17f9bf3780ce62c986 (gson-parent-2.8.9) + NOTE: https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327 CVE-2022-25646 RESERVED CVE-2022-25645 (All versions of package dset are vulnerable to Prototype Pollution via ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/85e728541b1fff0f1134649bda84e710b96d0689
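Review bot: The two Snyk NOTE links in this region use different hosts: the ruby-git entry just above uses security.snyk.io/vuln/, the new gson line uses snyk.io/vuln/; harmless, but one form is easier to maintain. The commit tag "(gson-parent-2.8.9)" agrees with "before 2.8.9" in the description, and the bare "- libgoogle-gson-java (bug #1010670)" correctly records the issue as unfixed in Debian.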
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2022-21949/ruby-xmlhash unfixed 1010667
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 907be172 by Neil Williams at 2022-05-06T14:10:13+01:00 CVE-2022-21949/ruby-xmlhash unfixed 1010667 - - - - - 29c55ad1 by Neil Williams at 2022-05-06T14:15:54+01:00 Process an NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12209,7 +12209,7 @@ CVE-2022-25647 (The package com.google.code.gson:gson before 2.8.9 are vulnerabl CVE-2022-25646 RESERVED CVE-2022-25645 (All versions of package dset are vulnerable to Prototype Pollution via ...) - TODO: check + NOT-FOR-US: Node dset CVE-2022-25644 RESERVED CVE-2022-25354 (The package set-in before 2.0.3 are vulnerable to Prototype Pollution ...) @@ -27844,7 +27844,9 @@ CVE-2022-21951 CVE-2022-21950 RESERVED CVE-2022-21949 (A Improper Restriction of XML External Entity Reference vulnerability ...) - TODO: check + - ruby-xmlhash (bug #1010667) + NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1197928 + NOTE: https://github.com/coolo/xmlhash/commit/544e614e2674ad26b97a234baa013723c829b751 (1.3.8) CVE-2022-21948 RESERVED CVE-2022-21947 (A Improper Access Control vulnerability in Rancher Desktop of SUSE all ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a12d4ad2505f97c9562a242ae5553cedbe5ffb5a...29c55ad1ad3ea8541bc4a49e9e6f1dff2670f25c
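Review bot: In the hunk at @@ -27844 the xmlhash commit NOTE is tagged "(1.3.8)" without the "v" prefix used on other commit NOTEs on this page (for example "(v1.11.0)" on the ruby-git entry); pick one form. The bare "- ruby-xmlhash (bug #1010667)" matches the "unfixed" subject, and the SUSE bugzilla reference gives the origin of the report. The dset hunk at @@ -12209 is a plain NFU and needs nothing.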
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: a12d4ad2 by Neil Williams at 2022-05-06T13:53:21+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15088,13 +15088,13 @@ CVE-2022-24903 (Rsyslog is a rocket-fast system for log processing. Modules for NOTE: https://github.com/rsyslog/rsyslog/security/advisories/GHSA-ggw7-xr6h-mmr8#advisory-comment-72243 NOTE: https://github.com/rsyslog/rsyslog/commit/89955b0bcb1ff105e1374aad7e0e993faa6a038f (v8.2204.1) CVE-2022-24902 (TkVideoplayer is a simple library to play video files in tkinter. Unco ...) - TODO: check + NOT-FOR-US: TkVideoplayer CVE-2022-24901 (Improper validation of the Apple certificate URL in the Apple Game Cen ...) - TODO: check + NOT-FOR-US: parse-server CVE-2022-24900 (Piano LED Visualizer is software that allows LED lights to light up as ...) NOT-FOR-US: Piano LED Visualizer CVE-2022-24899 (Contao is a powerful open source CMS that allows you to create profess ...) - TODO: check + NOT-FOR-US: Contao CMS CVE-2022-24898 (org.xwiki.commons:xwiki-commons-xml is a common module used by other X ...) NOT-FOR-US: Xwiki CVE-2022-24897 (APIs to evaluate content with Velocity is a package for APIs to evalua ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a12d4ad2505f97c9562a242ae5553cedbe5ffb5a
[Git][security-tracker-team/security-tracker][master] add ecdsautils to dsa-needed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a83db67a by Moritz Muehlenhoff at 2022-05-06T14:29:50+02:00 add ecdsautils to dsa-needed - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -18,6 +18,8 @@ cacti -- condor/oldstable (apo) -- +ecdsautils +-- epiphany-browser -- freecad (aron) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a83db67a0d14cafb0915de94b1ee81701dc6687e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a83db67a0d14cafb0915de94b1ee81701dc6687e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new ecdsautils issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7cb7329a by Moritz Muehlenhoff at 2022-05-06T14:23:56+02:00 new ecdsautils issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15127,7 +15127,9 @@ CVE-2022-24886 (Nextcloud Android app is the Android client for Nextcloud, a sel CVE-2022-24885 (Nextcloud Android app is the Android client for Nextcloud, a self-host ...) NOT-FOR-US: Nextcloud Android app CVE-2022-24884 (ecdsautils is a tiny collection of programs used for ECDSA (keygen, si ...) - TODO: check + - ecdsautils 0.4.1-1 + NOTE: https://github.com/freifunk-gluon/ecdsautils/security/advisories/GHSA-qhcg-9ffp-78pw + NOTE: https://github.com/freifunk-gluon/ecdsautils/commit/1d4b091abdf15ad7b2312535b5b95ad70f6dbd08 CVE-2022-24883 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). ...) - freerdp2 2.7.0+dfsg1-1 - freerdp View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cb7329ab348d7f78a4ba19b0e7504eb2e9e7914 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cb7329ab348d7f78a4ba19b0e7504eb2e9e7914 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 1e863127 by Neil Williams at 2022-05-06T13:21:53+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15147,9 +15147,9 @@ CVE-2022-24880 (flask-session-captcha is a package which allows users to extend CVE-2022-24879 (Shopware is an open source e-commerce software platform. Versions prio ...) NOT-FOR-US: Shopware CVE-2022-24878 (Flux is an open and extensible continuous delivery solution for Kubern ...) - TODO: check + NOT-FOR-US: Flux project fluxcd CVE-2022-24877 (Flux is an open and extensible continuous delivery solution for Kubern ...) - TODO: check + NOT-FOR-US: Flux project fluxcd CVE-2022-24876 RESERVED CVE-2022-24875 (The CVEProject/cve-services is an open source project used to operate ...) @@ -15292,7 +15292,7 @@ CVE-2022-24819 (XWiki Platform is a generic wiki platform offering runtime servi CVE-2022-24818 (GeoTools is an open source Java library that provides tools for geospa ...) NOT-FOR-US: GeoTools CVE-2022-24817 (Flux2 is an open and extensible continuous delivery solution for Kuber ...) - TODO: check + NOT-FOR-US: Flux project fluxcd CVE-2022-24816 (JAI-EXT is an open-source project which aims to extend the Java Advanc ...) NOT-FOR-US: JAI-EXT CVE-2022-24815 (JHipster is a development platform to quickly generate, develop, & ...) 
@@ -19422,7 +19422,7 @@ CVE-2022-23726 CVE-2022-23725 RESERVED CVE-2022-23724 (Use of static encryption key material allows forging an authentication ...) - TODO: check + NOT-FOR-US: pingidentity CVE-2022-23723 (An MFA bypass vulnerability exists in the PingFederate PingOne MFA Int ...) NOT-FOR-US: pingidentity CVE-2022-23722 (When a password reset mechanism is configured to use the Authenticatio ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e863127a98348598e5581fc2fc72980545b18c0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e863127a98348598e5581fc2fc72980545b18c0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c634484 by Neil Williams at 2022-05-06T13:07:51+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10143,7 +10143,7 @@ CVE-2022-0884 (The Profile Builder WordPress plugin before 3.6.8 does not saniti CVE-2022-0883 RESERVED CVE-2022-0882 (A bug exists where an attacker can read the kernel log through exposed ...) - TODO: check + NOT-FOR-US: Google fuchsia CVE-2022-0881 (Insecure Storage of Sensitive Information in GitHub repository chocobo ...) - peertube (bug #950821) CVE-2022-26847 (SPIP before 3.2.14 and 4.x before 4.0.5 allows unauthenticated access ...) @@ -30890,7 +30890,7 @@ CVE-2022-21745 CVE-2022-21744 RESERVED CVE-2022-21743 (In ion, there is a possible use after free due to an integer overflow. ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2021-44230 (PortSwigger Burp Suite Enterprise Edition before 2021.11 on Windows ha ...) NOT-FOR-US: Burp Suite (different from src:burp) CVE-2021-44229 
@@ -39247,61 +39247,61 @@ CVE-2021-42330 (The “Teacher Edit” function of ShinHer StudyOnline S CVE-2021-42329 (The “List_Add” function of message board of ShinHer StudyO ...) NOT-FOR-US: ShinHer StudyOnline System CVE-2022-20111 (In ion, there is a possible use after free due to incorrect error hand ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2022-20110 (In ion, there is a possible use after free due to a race condition. Th ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2022-20109 (In ion, there is a possible use after free due to improper update of r ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2022-20108 (In voice service, there is a possible out of bounds write due to a sta ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2022-20107 (In subtitle service, there is a possible application crash due to an i ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2022-20106 (In MM service, there is a possible out of bounds write due to a heap-b ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2022-20105 (In MM service, there is a possible out of bounds write due to a stack- ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2022-20104 (In aee daemon, there is a possible information disclosure due to impro ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2022-20103 (In aee daemon, there is a possible information disclosure due to symbo ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2022-20102 (In aee daemon, there is a possible information disclosure due to a mis ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2022-20101 (In aee daemon, there is a possible information disclosure due to a pat ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2022-20100 (In aee daemon, there is a possible information disclosure due to a mis ...) 
- TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2022-20099 (In aee daemon, there is a possible out of bounds write due to improper ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2022-20098 (In aee daemon, there is a possible information disclosure due to a mis ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2022-20097 (In aee daemon, there is a possible information disclosure due to a rac ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2022-20096 (In camera, there is a possible information disclosure due to uninitial ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2022-20095 (In imgsensor, there is a possible out of bounds write due to a missing ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2022-20094 (In imgsensor, there is a possible out of bounds write due to an incorr ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2022-20093 (In telephony, there is a possible way to disable receiving SMS message ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2022-20092 (In alac decoder, there is a possible out of bounds read due to a missi ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2022-20091 (In aee driver, there is a possible use after free due to a race condit ...) - TODO: check + NOT-FOR-US: MediaTek driver for Android CVE-2022-20090 (In aee driver, there is a possible use after free due to a race condit ...) - TODO: check + NOT-FOR-US: MediaTek dr
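Review bot: the tag "NOT-FOR-US: MediaTek driver for Android" is applied uniformly across the third hunk, but several of the entries it covers describe user-space components rather than drivers (aee daemon, telephony, subtitle service, MM service, alac decoder), so the wording overstates what the entries actually are; a vendor-level tag such as "NOT-FOR-US: MediaTek" would cover the whole batch accurately, or keep the driver wording only for the ion, imgsensor and aee driver entries.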
[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0a9201d8 by Moritz Muehlenhoff at 2022-05-06T13:06:18+02:00 buster/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -36,6 +36,8 @@ CVE-2022-1589 RESERVED CVE-2022-30292 (thread_call in sqbaselib.cpp in SQUIRREL 3.2 lacks a certain sq_reserv ...) - squirrel3 + [bullseye] - squirrel3 (Minor issue) + [buster] - squirrel3 (Minor issue) NOTE: https://github.com/albertodemichelis/squirrel/commit/a6413aa690e0bdfef648c68693349a7b878fe60d CVE-2022-30291 RESERVED @@ -808,6 +810,8 @@ CVE-2022-29974 RESERVED CVE-2022-29973 (relan exFAT 1.3.0 allows local users to obtain sensitive information ( ...) - fuse-exfat + [bullseye] - fuse-exfat (Minor issue) + [buster] - fuse-exfat (Minor issue) NOTE: https://github.com/relan/exfat/issues/185 CVE-2022-29972 RESERVED @@ -2697,10 +2701,14 @@ CVE-2022-29341 RESERVED CVE-2022-29340 (GPAC 2.1-DEV-rev87-g053aae8-master. has a Null Pointer Dereference vul ...) - gpac + [bullseye] - gpac (Minor issue) + [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/37592ad86c6ca934d34740012213e467acc4a3b0 NOTE: https://github.com/gpac/gpac/issues/2163 CVE-2022-29339 (In GPAC 2.1-DEV-rev87-g053aae8-master, function BS_ReadByte() in utils ...) - gpac + [bullseye] - gpac (Minor issue) + [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/9ea93a2ec8f555ceed1ee27294cf94822f14f10f NOTE: https://github.com/gpac/gpac/issues/2165 CVE-2022-29338 
@@ -6371,6 +6379,8 @@ CVE-2022-28067 (An incorrect access control issue in Sandboxie Classic v5.55.13 NOT-FOR-US: Sandboxie Classic CVE-2022-28066 (Libarchive v3.6.0 was discovered to contain a read memory access vulne ...) - libarchive + [bullseye] - libarchive (Minor issue) + [buster] - libarchive (Minor issue) NOTE: https://github.com/libarchive/libarchive/issues/1672 NOTE: https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff (v3.6.1) CVE-2022-28065 @@ -8225,6 +8235,8 @@ CVE-2022-27338 RESERVED CVE-2022-27337 (A logic error in the Hints::Hints function of Poppler v22.03.0 allows ...) - poppler + [bullseye] - poppler (Minor issue) + [buster] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1230 NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/commit/81044c64b9ed9a10ae82a28bac753060bdfdac74 (poppler-22.04.0) CVE-2022-27336 (Seacms v11.6 was discovered to contain a remote code execution (RCE) v ...) @@ -21893,6 +21905,8 @@ CVE-2022-22966 (An authenticated, high privileged malicious actor with network a NOT-FOR-US: VMware CVE-2022-22965 (A Spring MVC or Spring WebFlux application running on JDK 9+ may be vu ...) - libspring-java + [bullseye] - libspring-java (No reverse dependencies in the archive affected) + [buster] - libspring-java (No reverse dependencies in the archive affected) [stretch] - libspring-java (EOL'd for stretch) NOTE: https://bugalert.org/content/notices/2022-03-30-spring.html NOTE: https://tanzu.vmware.com/security/cve-2022-22965 
@@ -21926,9 +21940,10 @@ CVE-2022-22951 (VMware Carbon Black App Control (8.5.x prior to 8.5.14, 8.6.x pr NOT-FOR-US: VMware CVE-2022-22950 (n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versi ...) - libspring-java + [bullseye] - libspring-java (Minor issue) + [buster] - libspring-java (Minor issue) [stretch] - libspring-java (EOL'd for stretch) NOTE: https://tanzu.vmware.com/security/cve-2022-22950 - TODO: check, no details available CVE-2022-22949 RESERVED CVE-2022-22948 (The vCenter Server contains an information disclosure vulnerability du ...) @@ -93474,10 +93489,12 @@ CVE-2021-21240 (httplib2 is a comprehensive HTTP client library for Python. In h CVE-2021-21239 (PySAML2 is a pure python implementation of SAML Version 2 Standard. Py ...) {DLA-2577-1} - python-pysaml2 6.5.1-1 (bug #980772) + [buster] - python-pysaml2 (Minor issue) NOTE: https://github.com/IdentityPython/pysaml2/security/advisories/GHSA-5p3x-r448-pc62 NOTE: https://github.com/IdentityPython/pysaml2/commit/751dbf50a51131b13d55989395f9b115045f9737 CVE-2021-21238 (PySAML2 is a pure python implementation of SAML Version 2 Standard. Py ...) - python-pysaml2 6.5.1-1 (bug #980773) + [buster] - python-pysaml2 (Minor issue) [stretch] - python-pysaml2 (python3-xmlschema not available in stretc
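Review bot: in the CVE-2022-22950 hunk the line "TODO: check, no details available" is removed at the same moment both suites are marked "(Minor issue)", but no NOTE records what was learned in between; the only reference left on the entry is the vendor advisory URL, so add a short NOTE giving the reason for the Minor rating so the next person triaging does not have to redo the check.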
[Git][security-tracker-team/security-tracker][master] Unclaim pdns, documenting partial work done
Enrico Zini pushed to branch master at Debian Security Tracker / security-tracker Commits: 41f3335e by Enrico Zini at 2022-05-06T11:30:23+02:00 Unclaim pdns, documenting partial work done - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -124,8 +124,14 @@ nvidia-graphics-drivers -- openjdk-8 (pochu) -- -pdns (enrico) +pdns NOTE: 20220402: harmonize with buster/10.8 (Beuc) + NOTE: 20220506: buster patches backported in https://salsa.debian.org/enrico/pdns/-/tree/stretch + NOTE: 20220506: and #debian-dns notified (enrico) + NOTE: 20220506: the patch for https://security-tracker.debian.org/tracker/CVE-2022-27227 + NOTE: 20220506: would need to be completely rewritten for the stretch codebase (enrico) + NOTE: 20220506: package builds but does not run a test suite, and I lack the + NOTE: 20220506: know-how for testing manually (enrico) -- puma -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41f3335ef4a9d66d13842e8ece25aca88ebfcf78 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41f3335ef4a9d66d13842e8ece25aca88ebfcf78 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 6bbe27da by Neil Williams at 2022-05-06T10:23:07+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -40946,7 +40946,7 @@ CVE-2021-41741 CVE-2021-41740 RESERVED CVE-2021-41739 (A OS Command Injection vulnerability was discovered in Artica Proxy 4. ...) - TODO: check + NOT-FOR-US: Artica Web Proxy CVE-2021-41738 RESERVED CVE-2021-41737 @@ -42707,7 +42707,7 @@ CVE-2021-41034 (The build of some language stacks of Eclipse Che version 6 inclu CVE-2021-41033 (In all released versions of Eclipse Equinox, at least until version 4. ...) NOT-FOR-US: Eclipse Equinox CVE-2021-41032 (An improper access control vulnerability [CWE-284] in FortiOS versions ...) - TODO: check + NOT-FOR-US: Fortiguard CVE-2021-41031 RESERVED CVE-2021-41030 (An authentication bypass by capture-replay vulnerability [CWE-294] in ...) 
@@ -42731,7 +42731,7 @@ CVE-2021-41022 (A improper privilege management in Fortinet FortiSIEM Windows Ag CVE-2021-41021 (A privilege escalation vulnerability in FortiNAC versions 8.8.8 and be ...) NOT-FOR-US: FortiGuard CVE-2021-41020 (An improper access control vulnerability [CWE-284] in FortiIsolator ve ...) - TODO: check + NOT-FOR-US: Fortiguard CVE-2021-41019 (An improper validation of certificate with host mismatch [CWE-297] vul ...) NOT-FOR-US: Fortiguard CVE-2021-41018 (A improper neutralization of special elements used in an os command (' ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6bbe27da2afb593544400a3eda0075cf828a2fe7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6bbe27da2afb593544400a3eda0075cf828a2fe7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
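Review bot: the two added lines read "NOT-FOR-US: Fortiguard" while the adjacent existing entry for CVE-2021-41021 in the second hunk reads "NOT-FOR-US: FortiGuard"; the vendor tag is what people grep for when batch-processing these entries, so pick one spelling (both "FortiGuard" and "Fortiguard" already occur in the context lines) and use it consistently for the new lines.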
[Git][security-tracker-team/security-tracker][master] Process NFU
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 95db19c8 by Neil Williams at 2022-05-06T10:09:15+01:00 Process NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -65130,7 +65130,7 @@ CVE-2021-3530 (A flaw was discovered in GNU libiberty within demangle_path() in CVE-2021-32011 RESERVED CVE-2021-32010 (Inadequate Encryption Strength vulnerability in TLS stack of Secomea S ...) - TODO: check + NOT-FOR-US: Secomea CVE-2021-32009 (Cross-site Scripting (XSS) vulnerability in firmware section of Secome ...) NOT-FOR-US: Secomea GateManager CVE-2021-32008 (This issue affects: Secomea GateManager Version 9.6.621421014 and all ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95db19c85337bc11badf7660e97e7f98dd18175d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95db19c85337bc11badf7660e97e7f98dd18175d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 310b47db by Neil Williams at 2022-05-06T10:08:10+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -77015,7 +77015,7 @@ CVE-2021-27441 CVE-2021-27440 (The software contains a hard-coded password it uses for its own inboun ...) NOT-FOR-US: GE CVE-2021-27439 (TencentOS-tiny version 3.1.0 is vulnerable to integer wrap-around in f ...) - TODO: check + NOT-FOR-US: Tencent CVE-2021-27438 (The software contains a hard-coded password it uses for its own inboun ...) NOT-FOR-US: GE CVE-2021-27437 (The affected product allows attackers to obtain sensitive information ...) @@ -77023,15 +77023,15 @@ CVE-2021-27437 (The affected product allows attackers to obtain sensitive inform CVE-2021-27436 (WebAccess/SCADA Versions 9.0 and prior is vulnerable to cross-site scr ...) NOT-FOR-US: WebAccess/SCADA CVE-2021-27435 (ARM mbed product Version 6.3.0 is vulnerable to integer wrap-around in ...) - TODO: check + NOT-FOR-US: ARM mbed CVE-2021-27434 (Products with Unified Automation .NET based OPC UA Client/Server SDK B ...) NOT-FOR-US: Unified Automation .NET CVE-2021-27433 (ARM mbed-ualloc memory library version 1.3.0 is vulnerable to integer ...) - TODO: check + NOT-FOR-US: ARM mbed CVE-2021-27432 (OPC Foundation UA .NET Standard versions prior to 1.4.365.48 and OPC U ...) NOT-FOR-US: OPC Foundation UA .NET CVE-2021-27431 (ARM CMSIS RTOS2 versions prior to 2.1.3 are vulnerable to integer wrap ...) - TODO: check + NOT-FOR-US: ARM CMSIS RTOS2 CVE-2021-27430 (GE UR bootloader binary Version 7.00, 7.01 and 7.02 included unused ha ...) NOT-FOR-US: General Electric Universal Relays CVE-2021-27429 
@@ -77039,7 +77039,7 @@ CVE-2021-27429 CVE-2021-27428 (GE UR IED firmware versions prior to version 8.1x supports upgrading f ...) NOT-FOR-US: General Electric Universal Relays CVE-2021-27427 (RIOT OS version 2020.01.1 is vulnerable to integer wrap-around in its ...) - TODO: check + NOT-FOR-US: RIOT RIOT-OS CVE-2021-27426 (GE UR IED firmware versions prior to version 8.1x with “Basic ...) NOT-FOR-US: General Electric Universal Relays CVE-2021-27425 (Cesanta Software Mongoose-OS v2.17.0 is vulnerable to integer wrap-aro ...) @@ -77059,7 +77059,7 @@ CVE-2021-27419 (uClibc-ng versions prior to 1.0.37 are vulnerable to integer wra CVE-2021-27418 (GE UR firmware versions prior to version 8.1x supports web interface w ...) NOT-FOR-US: General Electric Universal Relays CVE-2021-27417 (eCosCentric eCosPro RTOS Versions 2.0.1 through 4.5.3 are vulnerable t ...) - TODO: check + NOT-FOR-US: eCosCentric eCosPro RTOS CVE-2021-27416 (An attacker could exploit this vulnerability in Hitachi ABB Power Grid ...) NOT-FOR-US: Hitachi ABB Power Grids Ellipse Enterprise Asset Management (EAM) CVE-2021-27415 @@ -77071,7 +77071,7 @@ CVE-2021-27413 (Omron CX-One Versions 4.60 and prior, including CX-Server Versio CVE-2021-27412 (Delta Electronics DOPSoft Versions 4.0.10.17 and prior are vulnerable ...) NOT-FOR-US: Delta Electronics CVE-2021-27411 (Micrium OS Versions 5.10.1 and prior are vulnerable to integer wrap-ar ...) - TODO: check + NOT-FOR-US: Micrium CVE-2021-27410 (The affected product is vulnerable to an out-of-bounds write, which ma ...) NOT-FOR-US: Welch Allyn CVE-2021-27409 
@@ -82680,9 +82680,9 @@ CVE-2021-25270 (A local attacker could execute arbitrary code with administrator CVE-2021-25269 (A local administrator could prevent the HMPA service from starting des ...) NOT-FOR-US: Sophos CVE-2021-25268 (Multiple XSS vulnerabilities in Webadmin allow for privilege escalatio ...) - TODO: check + NOT-FOR-US: Sophos CVE-2021-25267 (Multiple XSS vulnerabilities in Webadmin allow for privilege escalatio ...) - TODO: check + NOT-FOR-US: Sophos CVE-2021-25266 (An insecure data storage vulnerability allows a physical attacker with ...) NOT-FOR-US: Sophos Authenticator for Android CVE-2021-25265 (A malicious website could execute code remotely in Sophos Connect Clie ...) @@ -88645,7 +88645,7 @@ CVE-2021-22682 (Cscape (All versions prior to 9.90 SP4) is configured by default CVE-2021-22681 (Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, ...) NOT-FOR-US: Rockwell Automation CVE-2021-22680 (NXP MQX Versions 5.1 and prior are vulnerable to integer overflow in m ...) - TODO: check + NOT-FOR-US: NXP MQX CVE-2021-22679 (The affected product is vulnerable to an integer overflow while proces ...) NOT-FOR-US: SimpleLink CVE-2021-22678 (Cscape (All versions prior to 9.90 SP4) lacks proper validation of use ...) View it on
[Git][security-tracker-team/security-tracker][master] CVE-2021-22573/google-oauth-client-java unfixed bug 1010657
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 05e8e092 by Neil Williams at 2022-05-06T09:52:23+01:00 CVE-2021-22573/google-oauth-client-java unfixed bug 1010657 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -88867,7 +88867,10 @@ CVE-2021-22575 CVE-2021-22574 RESERVED CVE-2021-22573 (The vulnerability is that IDToken verifier does not verify if token is ...) - TODO: check + - google-oauth-client-java (bug #1010657) + NOTE: https://github.com/googleapis/google-oauth-java-client/issues/786 + NOTE: https://github.com/googleapis/google-oauth-java-client/pull/861 + NOTE: https://github.com/googleapis/google-oauth-java-client/pull/872 (1.33.3) CVE-2021-22572 (On unix-like systems, the system temporary directory is shared between ...) NOT-FOR-US: Google Data Transfer Project CVE-2021-22571 (A local attacker could read files from some other users' SA360 reports ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05e8e0926f0c02985d578935daf0fe47ed71b74d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05e8e0926f0c02985d578935daf0fe47ed71b74d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process 2 NFUs
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 751ab617 by Neil Williams at 2022-05-06T09:34:01+01:00 Process 2 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -88922,7 +88922,7 @@ CVE-2021-22558 CVE-2021-22557 (SLO generator allows for loading of YAML files that if crafted in a sp ...) NOT-FOR-US: SLO generator CVE-2021-22556 (The Security Team discovered an integer overflow bug that allows an at ...) - TODO: check + NOT-FOR-US: Google fuchsia CVE-2021-22555 (A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was disco ...) - linux 5.10.38-1 [buster] - linux 4.19.194-1 @@ -96996,7 +96996,7 @@ CVE-2021-20053 CVE-2021-20052 RESERVED CVE-2021-20051 (SonicWall Global VPN Client 4.10.7.1117 installer (32-bit and 64-bit) ...) - TODO: check + NOT-FOR-US: SonicWall CVE-2021-20050 (An Improper Access Control Vulnerability in the SMA100 series leads to ...) NOT-FOR-US: SonicWall CVE-2021-20049 (A vulnerability in SonicWall SMA100 password change API allows a remot ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/751ab617e89d6a15d3caf4ebaf42eb8d6268c2b6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/751ab617e89d6a15d3caf4ebaf42eb8d6268c2b6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim asterisk, update not for ring
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 11a7d03d by Abhijith PA at 2022-05-06T13:56:45+05:30 data/dla-needed.txt: claim asterisk, update not for ring - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -26,7 +26,7 @@ ansible NOTE: 20220427: Lee Garrett (maintainer) took over the work a while ago. See NOTE: 20220427: https://salsa.debian.org/debian/ansible/-/commits/stretch/ -- -asterisk +asterisk (Abhijith PA) NOTE: 20220424: programming language C -- ark @@ -136,6 +136,7 @@ ring (Abhijith PA) NOTE: 20220314: https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc NOTE: 20220404: package in archive is faulty. New regs can't be done due (abhijith) NOTE: 20220404: a network error (abhijith) + NOTE: 20220506: Pinged maintainer team and maintainer (abhijith) -- ruby-devise-two-factor NOTE: 20220427: Patch does not apply cleanly to LTS version, may be due to this being the result View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11a7d03d9e60909349a71f402465ec4fc8d33119 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11a7d03d9e60909349a71f402465ec4fc8d33119 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Review old XMP Toolkit SDK NFUs
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 60280f60 by Neil Williams at 2022-05-06T09:19:57+01:00 Review old XMP Toolkit SDK NFUs exempi is a port of Adobe XMP SDK to work on UNIX. 2.6.0 updated the Adobe SDK from 2016.07 through to 2021.10 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -37683,6 +37683,7 @@ CVE-2021-42532 (XMP Toolkit SDK version 2021.07 (and earlier) is affected by a s - exempi 2.6.0-1 NOTE: https://helpx.adobe.com/security/products/xmpcore/apsb21-108.html NOTE: https://cgit.freedesktop.org/exempi/commit/?h=2.6.0&id=77a3fe7096f8ebf301e2bfe1e6dc023b4ff6dc48 + NOTE: https://gitlab.freedesktop.org/libopenraw/exempi/-/releases TODO: check for fixing commit CVE-2021-42531 (XMP Toolkit SDK version 2021.07 (and earlier) is affected by a stack-b ...) - exempi 2.6.0-1 @@ -43422,7 +43423,11 @@ CVE-2021-40734 (Adobe Audition version 14.4 (and earlier) is affected by a memor CVE-2021-40733 (Adobe Animate version 21.0.9 (and earlier) is affected by a memory cor ...) NOT-FOR-US: Adobe CVE-2021-40732 (XMP Toolkit version 2020.1 (and earlier) is affected by a null pointer ...) - NOT-FOR-US: Adobe + - exempi 2.6.0-1 + NOTE: https://helpx.adobe.com/security/products/xmpcore/apsb21-85.html + NOTE: https://cgit.freedesktop.org/exempi/commit/?h=2.6.0&id=77a3fe7096f8ebf301e2bfe1e6dc023b4ff6dc48 + NOTE: https://gitlab.freedesktop.org/libopenraw/exempi/-/releases + TODO: check for fixing commit CVE-2021-40731 (Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.200 ...) NOT-FOR-US: Adobe CVE-2021-40730 (Adobe Acrobat Reader DC version 21.007.20095 (and earlier), 21.007.200 ...) 
@@ -43454,7 +43459,11 @@ CVE-2021-40718 CVE-2021-40717 RESERVED CVE-2021-40716 (XMP Toolkit SDK versions 2021.07 (and earlier) are affected by an out- ...) - NOT-FOR-US: Adobe + - exempi 2.6.0-1 + NOTE: https://helpx.adobe.com/security/products/xmpcore/apsb21-85.html + NOTE: https://cgit.freedesktop.org/exempi/commit/?h=2.6.0&id=77a3fe7096f8ebf301e2bfe1e6dc023b4ff6dc48 + NOTE: https://gitlab.freedesktop.org/libopenraw/exempi/-/releases + TODO: check for fixing commit CVE-2021-40715 (Adobe Premiere Pro version 15.4 (and earlier) is affected by a memory ...) NOT-FOR-US: Adobe CVE-2021-40714 (Adobe Experience Manager version 6.5.9.0 (and earlier) is affected by ...) @@ -45619,7 +45628,11 @@ CVE-2021-39849 (Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.00 CVE-2021-39848 RESERVED CVE-2021-39847 (XMP Toolkit SDK version 2020.1 (and earlier) is affected by a stack-ba ...) - NOT-FOR-US: Adobe + - exempi 2.6.0-1 + NOTE: https://helpx.adobe.com/security/products/xmpcore/apsb21-65.html + NOTE: https://cgit.freedesktop.org/exempi/commit/?h=2.6.0&id=77a3fe7096f8ebf301e2bfe1e6dc023b4ff6dc48 + NOTE: https://gitlab.freedesktop.org/libopenraw/exempi/-/releases + TODO: check for fixing commit CVE-2021-39846 (Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.3000 ...) NOT-FOR-US: Adobe CVE-2021-39845 (Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.3000 ...) 
@@ -55161,7 +55174,11 @@ CVE-2021-36066 (Adobe Photoshop versions 21.2.10 (and earlier) and 22.4.3 (and e CVE-2021-36065 (Adobe Photoshop versions 21.2.10 (and earlier) and 22.4.3 (and earlier ...) NOT-FOR-US: Adobe CVE-2021-36064 (XMP Toolkit version 2020.1 (and earlier) is affected by a Buffer Under ...) - NOT-FOR-US: Adobe + - exempi 2.6.0-1 + NOTE: https://helpx.adobe.com/security/products/xmpcore/apsb21-65.html + NOTE: https://cgit.freedesktop.org/exempi/commit/?h=2.6.0&id=77a3fe7096f8ebf301e2bfe1e6dc023b4ff6dc48 + NOTE: https://gitlab.freedesktop.org/libopenraw/exempi/-/releases + TODO: check for fixing commit CVE-2021-36063 (Adobe Connect version 11.2.2 (and earlier) is affected by a Reflected ...) NOT-FOR-US: Adobe CVE-2021-36062 (Adobe Connect version 11.2.2 (and earlier) is affected by a Reflected ...) @@ -55173,33 +55190,85 @@ CVE-2021-36060 CVE-2021-36059 (Adobe Bridge version 11.1 (and earlier) is affected by a memory corrup ...) NOT-FOR-US: Adobe CVE-2021-36058 (XMP Toolkit SDK version 2020.1 (and earlier) is affected by an Integer ...) - NOT-FOR-US: Adobe + - exempi 2.6.0-1 + NOTE: https://helpx.adobe.com/security/products/xmpcore/apsb21-65.html + NOTE: https://cgit.freedesktop.org/exempi/commit/?h=2.6.0&id=77a3fe7096f8ebf301e2bfe1e6dc023b4ff6dc48 + NOTE: https://gitlab.freedesktop.org/libopenraw/exempi/-/releases + TODO: check for fixing commit CVE-2021-36057 (XMP Toolkit SDK version 2020.1 (and earlier) is affected by a wr
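Review bot: every reopened XMP Toolkit entry records exempi 2.6.0-1 as the fixed version while leaving "TODO: check for fixing commit" open, and the only commit cited for all of them is the same SDK-update commit 77a3fe7096f8ebf301e2bfe1e6dc023b4ff6dc48; the fixed-version claim therefore rests on the commit message's SDK range (2016.07 through 2021.10) rather than on a per-CVE fix, so keep the TODOs until each bulletin's fix is confirmed in the updated SDK. The entries also carry no [bullseye]/[buster] annotation, so the tracker will list both suites as affected until triage lines are added, as was done for squirrel3 and the other packages in the buster/bullseye triage commit earlier in this series.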
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2996-1 for mruby
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: a5729bd6 by Abhijith PA at 2022-05-06T13:43:14+05:30 Reserve DLA-2996-1 for mruby - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -134677,7 +134677,6 @@ CVE-2020-15867 (The git hook feature in Gogs 0.5.5 through 0.12.2 allows for aut CVE-2020-15866 (mruby through 2.1.2-rc has a heap-based buffer overflow in the mrb_yie ...) - mruby 2.1.2-1 (bug #972051) [buster] - mruby (Minor issue) - [stretch] - mruby (Minor issue) NOTE: https://github.com/mruby/mruby/issues/5042 NOTE: https://github.com/mruby/mruby/commit/6334949ba69363cb909a57d6871895bd6d98bb6b (3.0.0-preview) NOTE: https://github.com/mruby/mruby/commit/63956036e116ef6a33a91e16348c4d1a09f6f72c (2.1.2-rc2) @@ -248862,7 +248861,6 @@ CVE-2018-14338 (samples/geotag.cpp in the example code of Exiv2 0.26 misuses the NOTE: Issue in example code of Exiv2 CVE-2018-14337 (The CHECK macro in mrbgems/mruby-sprintf/src/sprintf.c in mruby 1.4.1 ...) - mruby 2.0.0-1 (low; bug #903985) - [stretch] - mruby (Minor issue) [jessie] - mruby (Minor issue) NOTE: https://github.com/mruby/mruby/issues/4062 NOTE: https://github.com/mruby/mruby/commit/695f29cd604787f43be1af16e38d13610bf8312b @@ -254205,7 +254203,6 @@ CVE-2018-12250 (An issue was discovered in Elite CMS Pro 2.01. In /admin/add_sid NOT-FOR-US: Elite CMS CVE-2018-12249 (An issue was discovered in mruby 1.4.1. There is a NULL pointer derefe ...) - mruby 1.4.1+20180622+git640fca32-1 (bug #901652) - [stretch] - mruby (Minor issue) [jessie] - mruby (Minor issue) NOTE: https://github.com/mruby/mruby/commit/faa4eaf6803bd11669bc324b4c34e7162286bfa3 NOTE: https://github.com/mruby/mruby/issues/4037 
@@ -255598,7 +255595,6 @@ CVE-2018-11744 (Cloudera Manager through 5.15 has Incorrect Access Control. ...) NOT-FOR-US: Cloudera CVE-2018-11743 (The init_copy function in kernel.c in mruby 1.4.1 makes initialize_cop ...) - mruby 1.4.1+20180622+git640fca32-1 (bug #900845) - [stretch] - mruby (Minor issue) [jessie] - mruby (Minor issue) NOTE: https://github.com/mruby/mruby/commit/b64ce17852b180dfeea81cf458660be41a78974d NOTE: https://github.com/mruby/mruby/issues/4027 @@ -260044,7 +260040,6 @@ CVE-2018-10192 (IPVanish 3.0.11 for macOS suffers from a root privilege escalati NOT-FOR-US: IPVanish for macOS CVE-2018-10191 (In versions of mruby up to and including 1.4.0, an integer overflow ex ...) - mruby 1.4.0+20180418+git54905e98-1 (bug #896020) - [stretch] - mruby (Minor issue) [jessie] - mruby (Minor issue) NOTE: https://github.com/mruby/mruby/issues/3995 NOTE: https://github.com/mruby/mruby/commit/1905091634a6a2925c911484434448e568330626 @@ -312366,7 +312361,6 @@ CVE-2017-9528 (IrfanView version 4.44 (32bit) with FPX Plugin 4.46 allows remote CVE-2017-9527 (The mark_context_stack function in gc.c in mruby through 1.2.0 allows ...) [experimental] - mruby 1.2.0+20170601+git51e0e690-1 - mruby 1.3.0-1 (low; bug #865778) - [stretch] - mruby (Minor issue) [jessie] - mruby (Minor issue) NOTE: https://github.com/mruby/mruby/issues/3486 NOTE: Fixed by: https://github.com/mruby/mruby/commit/5c114c91d4ff31859fcd84cf8bf349b737b90d99 = data/DLA/list = @@ -1,3 +1,6 @@ +[06 May 2022] DLA-2996-1 mruby - security update + {CVE-2017-9527 CVE-2018-10191 CVE-2018-11743 CVE-2018-12249 CVE-2018-14337 CVE-2020-15866} + [stretch] - mruby 1.2.0+20161228+git30d5424a-1+deb9u1 [05 May 2022] DLA-2995-1 smarty3 - security update {CVE-2021-21408 CVE-2021-29454} [stretch] - smarty3 3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u5 = data/dla-needed.txt = 
@@ -111,9 +111,6 @@ mbedtls (Utkarsh) NOTE: 20220502: will upload with 1 fix and mark the other one NOTE: 20220502: as no-dsa today/tomorrow. (utkarsh) -- -mruby (Abhijith PA) - NOTE: https://people.debian.org/~abhijith/upload/mruby/mruby_1.2.0+20161228+git30d5424a-1+deb9u1.dsc (abhijith) --- mutt (Utkarsh) NOTE: 20220502: update prepared. smoke test pending. (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5729bd6d1e132d10990a4177253a211885771bc
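Review bot: the six data/CVE/list hunks each drop "[stretch] - mruby (Minor issue)", which is the right cleanup now that the DLA/list hunk records DLA-2996-1 with the same six CVEs and the stretch version 1.2.0+20161228+git30d5424a-1+deb9u1 (matching the .dsc removed from dla-needed.txt). The "[buster] - mruby (Minor issue)" line for CVE-2020-15866 (heap-based buffer overflow) and the [jessie] lines are left as they are, so buster stays at no-dsa for an issue stretch is now fixing; a NOTE explaining why buster keeps that status, or a matching buster update, would avoid the inconsistency.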
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f6f37609 by security tracker role at 2022-05-06T08:10:14+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,15 @@ +CVE-2022-30295 (uClibc-ng through 1.0.40 and uClibc through 0.9.33.2 use predictable D ...) + TODO: check +CVE-2022-30294 (In WebKitGTK through 2.36.0 (and WPE WebKit), there is a use-after-fre ...) + TODO: check +CVE-2022-30293 (In WebKitGTK through 2.36.0 (and WPE WebKit), there is a heap-based bu ...) + TODO: check +CVE-2022-29894 + RESERVED +CVE-2022-1602 + RESERVED +CVE-2022-1601 + RESERVED CVE-2022-1600 RESERVED CVE-2022-1599 @@ -2181,8 +2193,8 @@ CVE-2022-29536 (In GNOME Epiphany before 41.4 and 42.x before 42.2, an HTML docu NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1106 NOTE: Introduced by: https://gitlab.gnome.org/GNOME/epiphany/-/commit/232c613472b38ff0d0d97338f366024ddb9cd228 (3.29.2) NOTE: Fixed by: https://gitlab.gnome.org/GNOME/epiphany/-/commit/486da133569ebfc436c959a7419565ab102e8525 -CVE-2022-29535 - RESERVED +CVE-2022-29535 (Zoho ManageEngine OPManager through 125588 allows SQL Injection via a ...) + TODO: check CVE-2022-29534 (An issue was discovered in MISP before 2.4.158. In UsersController.php ...) NOT-FOR-US: MISP CVE-2022-29533 (An issue was discovered in MISP before 2.4.158. There is XSS in app/Co ...) 
@@ -3107,38 +3119,38 @@ CVE-2022-29178 RESERVED CVE-2022-29177 RESERVED -CVE-2022-29176 - RESERVED -CVE-2022-29175 - RESERVED +CVE-2022-29176 (Rubygems is a package registry used to supply software for the Ruby la ...) + TODO: check +CVE-2022-29175 (Vyper is a pythonic smart contract language for the ethereum virtual m ...) + TODO: check CVE-2022-29174 RESERVED -CVE-2022-29173 - RESERVED -CVE-2022-29172 - RESERVED -CVE-2022-29171 - RESERVED +CVE-2022-29173 (go-tuf is a Go implementation of The Update Framework (TUF). go-tuf do ...) + TODO: check +CVE-2022-29172 (Auth0 is an authentication broker that supports both social and enterp ...) + TODO: check +CVE-2022-29171 (Sourcegraph is a fast and featureful code search and navigation engine ...) + TODO: check CVE-2022-29170 RESERVED CVE-2022-29169 RESERVED CVE-2022-29168 RESERVED -CVE-2022-29167 - RESERVED -CVE-2022-29166 - RESERVED +CVE-2022-29167 (Hawk is an HTTP authentication scheme providing mechanisms for making ...) + TODO: check +CVE-2022-29166 (matrix-appservice-irc is a Node.js IRC bridge for Matrix. The vulnerab ...) + TODO: check CVE-2022-29165 RESERVED -CVE-2022-29164 - RESERVED +CVE-2022-29164 (Argo Workflows is an open source container-native workflow engine for ...) + TODO: check CVE-2022-29163 RESERVED CVE-2022-29162 RESERVED -CVE-2022-29161 - RESERVED +CVE-2022-29161 (XWiki Platform is a generic wiki platform offering runtime services fo ...) + TODO: check CVE-2022-29160 RESERVED CVE-2022-29159 
@@ -15058,20 +15070,19 @@ CVE-2022-24905 RESERVED CVE-2022-24904 RESERVED -CVE-2022-24903 - RESERVED +CVE-2022-24903 (Rsyslog is a rocket-fast system for log processing. Modules for TCP sy ...) - rsyslog (bug #1010619) NOTE: https://www.openwall.com/lists/oss-security/2022/05/05/3 NOTE: https://github.com/rsyslog/rsyslog/security/advisories/GHSA-ggw7-xr6h-mmr8#advisory-comment-72243 NOTE: https://github.com/rsyslog/rsyslog/commit/89955b0bcb1ff105e1374aad7e0e993faa6a038f (v8.2204.1) -CVE-2022-24902 - RESERVED +CVE-2022-24902 (TkVideoplayer is a simple library to play video files in tkinter. Unco ...) + TODO: check CVE-2022-24901 (Improper validation of the Apple certificate URL in the Apple Game Cen ...) TODO: check CVE-2022-24900 (Piano LED Visualizer is software that allows LED lights to light up as ...) NOT-FOR-US: Piano LED Visualizer -CVE-2022-24899 - RESERVED +CVE-2022-24899 (Contao is a powerful open source CMS that allows you to create profess ...) + TODO: check CVE-2022-24898 (org.xwiki.commons:xwiki-commons-xml is a common module used by other X ...) NOT-FOR-US: Xwiki CVE-2022-24897 (APIs to evaluate content with Velocity is a package for APIs to evalua ...) @@ -15103,8 +15114,8 @@ CVE-2022-24886 (Nextcloud Android app is the Android client for Nextcloud, a sel NOT-FOR-US: Nextcloud Android app CVE-2022-24885 (Nextcloud Android app is the Android client for Nextcloud, a self-host ...) NOT-FOR-US: Nextcloud Android app -CVE-2022-24884 - RESERVED +CVE-2022-24884 (ecdsautils is a tiny collection of programs used
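Review bot: in the CVE-2022-24903 hunk the entry keeps "- rsyslog (bug #1010619)" without a fixed version while the NOTE already cites the fixing commit 89955b0bcb1ff105e1374aad7e0e993faa6a038f (v8.2204.1); the Debian fixed version should be filled in once the upload lands so the entry does not stay open indefinitely. Several of the newly described entries marked "TODO: check" concern software Debian ships (CVE-2022-30293 and CVE-2022-30294 in WebKitGTK through 2.36.0, packaged as webkit2gtk; CVE-2022-29176 in Rubygems, bundled by the ruby source packages) and should be triaged to a package line rather than left at TODO.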