[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2021-44103
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 710bb111 by Salvatore Bonaccorso at 2022-06-14T07:45:46+02:00 Remove notes from CVE-2021-44103 CVE-2021-44103 was found to be a duplicate of CVE-2021-42192. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -39652,7 +39652,6 @@ CVE-2021-44104 RESERVED CVE-2021-44103 REJECTED - NOT-FOR-US: KONGA CVE-2021-44102 RESERVED CVE-2021-44101 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/710bb11137385dc7aabbfbe80a0bf7527f031485 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/710bb11137385dc7aabbfbe80a0bf7527f031485 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
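Review bot: Dropping the 'NOT-FOR-US: KONGA' line leaves the KONGA product mapping recorded nowhere in this hunk; the commit message names CVE-2021-42192 as the surviving ID, and that entry is outside the hunk's context, so check that it carries 'NOT-FOR-US: KONGA', otherwise the mapping is lost rather than merged. The hunk header (7 to 6 lines) matches the single removed line.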
[Git][security-tracker-team/security-tracker][master] Drop notes from several CVEs originally for libsolv
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eddd8ba0 by Salvatore Bonaccorso at 2022-06-14T07:44:37+02:00 Drop notes from several CVEs originally for libsolv They were all found to be duplicate assignments for the CVE-2021-3200 ID. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -38056,54 +38056,22 @@ CVE-2021-44578 RESERVED CVE-2021-44577 REJECTED - - libsolv 0.7.17-1 (unimportant) - NOTE: https://github.com/openSUSE/libsolv/issues/428 - NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) - NOTE: Issue is fixed in the testcase; negligible security impact CVE-2021-44576 REJECTED - - libsolv 0.7.17-1 (unimportant) - NOTE: https://github.com/openSUSE/libsolv/issues/426 - NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) - NOTE: Issue is fixed in the testcase; negligible security impact CVE-2021-44575 REJECTED - - libsolv 0.7.17-1 (unimportant) - NOTE: https://github.com/openSUSE/libsolv/issues/427 - NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) - NOTE: Issue is fixed in the testcase; negligible security impact CVE-2021-44574 REJECTED - - libsolv 0.7.17-1 (unimportant) - NOTE: https://github.com/openSUSE/libsolv/issues/429 - NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) - NOTE: Issue is fixed in the testcase; negligible security impact CVE-2021-44573 REJECTED - - libsolv 0.7.17-1 (unimportant) - NOTE: https://github.com/openSUSE/libsolv/issues/430 - NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) - NOTE: Issue is fixed in the testcase; negligible security impact CVE-2021-44572 RESERVED CVE-2021-44571 REJECTED - - libsolv 0.7.17-1 (unimportant) - NOTE: https://github.com/openSUSE/libsolv/issues/421 - NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) - NOTE: Issue is fixed in the testcase; negligible security impact CVE-2021-44570 REJECTED - - libsolv 0.7.17-1 (unimportant) - NOTE: https://github.com/openSUSE/libsolv/issues/424 - NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) - NOTE: Issue is 
fixed in the testcase; negligible security impact CVE-2021-44569 REJECTED - - libsolv 0.7.17-1 (unimportant) - NOTE: https://github.com/openSUSE/libsolv/issues/423 - NOTE: https://github.com/openSUSE/libsolv/commit/0077ef29eb46d2e1df2f230fc95a1d9748d49dec (0.7.17) - NOTE: Issue is fixed in the testcase; negligible security impact CVE-2021-44568 (Two heap-overflow vulnerabilities exist in openSUSE/libsolv libsolv th ...) - libsolv 0.7.17-1 (unimportant) NOTE: https://github.com/openSUSE/libsolv/issues/425 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eddd8ba03295862c0403c720d0557e167086f9db -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eddd8ba03295862c0403c720d0557e167086f9db You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
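Review bot: The eight REJECTED entries stripped here each pointed at a distinct upstream report (libsolv issues 421, 423, 424 and 426 to 430) and at fixing commit 0077ef29 tagged 0.7.17; the commit message says they are all duplicate assignments of CVE-2021-3200, so that entry, which is not in the hunk's context, should now carry the issue list and the 0.7.17 fixing commit, or the only record of which upstream reports the CVE covers disappears with this commit. The line counts are consistent (54 to 22 lines, eight entries of four removed lines each), and CVE-2021-44568, the one entry left with libsolv tracking, still references issue 425 and 0.7.17-1 (unimportant).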
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2022-25029
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2892f3fc by Salvatore Bonaccorso at 2022-06-14T07:41:47+02:00 Remove notes from CVE-2022-25029 CVE-2022-25029 is a duplicate assignment of CVE-2022-25096. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22902,7 +22902,6 @@ CVE-2022-25030 RESERVED CVE-2022-25029 REJECTED - NOT-FOR-US: Home Owners Collection Management System CVE-2022-25028 (Home Owners Collection Management System v1.0 was discovered to contai ...) NOT-FOR-US: Home Owners Collection Management System CVE-2022-25027 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2892f3fc112dc7f6c17a492fe0ebcd67f9b150bc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2892f3fc112dc7f6c17a492fe0ebcd67f9b150bc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
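Review bot: The hunk removes the only line tying CVE-2022-25029 to 'Home Owners Collection Management System', and the replacement ID CVE-2022-25096 named in the commit message is outside the context, so it cannot be verified from this diff that the product mapping survives under that ID; worth a look before the rejected entry is forgotten. The adjacent CVE-2022-25028 entry keeps its NOT-FOR-US line, which is correct since only -25029 was rejected.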
[Git][security-tracker-team/security-tracker][master] Cleanup notes for CVE-2022-27427
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e7560b47 by Salvatore Bonaccorso at 2022-06-14T07:40:29+02:00 Cleanup notes for CVE-2022-27427 CVE-2022-27427 was found to be a duplicate of CVE-2021-38745. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16084,7 +16084,6 @@ CVE-2022-27428 (A stored cross-site scripting (XSS) vulnerability in /index.php/ NOT-FOR-US: GalleryCMS CVE-2022-27427 REJECTED - NOT-FOR-US: Chamilo LMS CVE-2022-27426 (A Server-Side Request Forgery (SSRF) in Chamilo LMS v1.11.13 allows at ...) NOT-FOR-US: Chamilo LMS CVE-2022-27425 (Chamilo LMS v1.11.13 was discovered to contain a cross-site scripting ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7560b472e04971f6a0dcc8c472b456efcfc9d00 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7560b472e04971f6a0dcc8c472b456efcfc9d00 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
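Review bot: The subject says 'Cleanup notes' while the sibling commits making the same kind of change say 'Remove notes'; one wording keeps the history searchable. On content, the hunk drops 'NOT-FOR-US: Chamilo LMS' from the rejected CVE-2022-27427 while the commit message points at CVE-2021-38745 as the surviving ID; that entry is not in the context, so check that it records Chamilo LMS. The two remaining Chamilo entries in context (-27426, -27425) are untouched, as they should be.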
[Git][security-tracker-team/security-tracker][master] Record upstream tag information for CVE-2022-26280
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9fe88b40 by Salvatore Bonaccorso at 2022-06-14T07:39:13+02:00 Record upstream tag information for CVE-2022-26280 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19435,7 +19435,7 @@ CVE-2022-26280 (Libarchive v3.6.0 was discovered to contain an out-of-bounds rea [stretch] - libarchive (Vulnerable code not present) NOTE: https://github.com/libarchive/libarchive/issues/1672 NOTE: Introduced by: https://github.com/libarchive/libarchive/commit/121035c83e18b70d3128e9ac966109ebedb7e516 (v3.4.0) - NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff + NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff (v3.6.1) CVE-2022-26279 (EyouCMS v1.5.5 was discovered to have no access control in the compone ...) NOT-FOR-US: EyouCMS CVE-2022-26278 (Tenda AC9 v15.03.2.21_cn was discovered to contain a stack overflow vi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fe88b40e4c90a4084bdce72cb661a8cc6fa8e13 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fe88b40e4c90a4084bdce72cb661a8cc6fa8e13 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
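Review bot: The '(v3.6.1)' tag on the 'Fixed by' line now pairs with the '(v3.4.0)' tag on the 'Introduced by' line, which is what the [stretch] 'Vulnerable code not present' determination in context rests on; the hunk carries no upstream release reference for the tag, so a reviewer has to confirm against the libarchive tags that cfaa2816 is first contained in v3.6.1 before relying on the range for the bullseye and buster decisions, which lie outside this hunk's context.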
[Git][security-tracker-team/security-tracker][master] Remove notes for CVE-2022-28066
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 25e3305e by Salvatore Bonaccorso at 2022-06-14T07:36:02+02:00 Remove notes for CVE-2022-28066 CVE-2022-28066 was found to be a duplicate of CVE-2022-26280 and the latter should be used. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14453,12 +14453,6 @@ CVE-2022-28067 (An incorrect access control issue in Sandboxie Classic v5.55.13 NOT-FOR-US: Sandboxie Classic CVE-2022-28066 REJECTED - - libarchive (bug #1010696) - [bullseye] - libarchive (Minor issue) - [buster] - libarchive (Vulnerable code introduced later) - [stretch] - libarchive (Vulnerable code introduced later) - NOTE: https://github.com/libarchive/libarchive/issues/1672 - NOTE: https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff (v3.6.1) CVE-2022-28065 RESERVED CVE-2022-28064 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/25e3305e2d99bd7861e82cd1a431b8ec620d4841 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/25e3305e2d99bd7861e82cd1a431b8ec620d4841 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
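Review bot: The removed block carried data the commit message does not say was migrated: the Debian bug reference (bug #1010696), the [bullseye] 'Minor issue' determination and the [buster]/[stretch] 'Vulnerable code introduced later' lines. CVE-2022-26280, named as the surviving ID, should end up with the bug reference and equivalent per-suite annotations, and the bug itself should be retitled to CVE-2022-26280 so the tracker's bug cross-reference does not point at a rejected ID. The six removed lines match the hunk header (12 to 6).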
[Git][security-tracker-team/security-tracker][master] Remove tracking of CVE-2022-30294
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b14de13c by Salvatore Bonaccorso at 2022-06-14T07:29:00+02:00 Remove tracking of CVE-2022-30294 It was found to be a duplicate of CVE-2022-30293 and got rejected. - - - - - 2 changed files: - data/CVE/list - data/DSA/list Changes: = data/CVE/list = @@ -7754,10 +7754,6 @@ CVE-2022-30295 (uClibc-ng through 1.0.40 and uClibc through 0.9.33.2 use predict NOTE: src:uclibc switched to the uClibc-ng source codebase with the 1.0.20-1 upload. CVE-2022-30294 REJECTED - {DSA-5155-1 DSA-5154-1} - - webkit2gtk 2.36.1-1 - [stretch] - webkit2gtk (Not covered by security support in stretch) - - wpewebkit 2.36.1-1 CVE-2022-30293 (In WebKitGTK through 2.36.0 (and WPE WebKit), there is a heap-based bu ...) {DSA-5155-1 DSA-5154-1} - webkit2gtk 2.36.1-1 = data/DSA/list = 
@@ -28,10 +28,10 @@ [buster] - firefox-esr 91.10.0esr-1~deb10u1 [bullseye] - firefox-esr 91.10.0esr-1~deb11u1 [01 Jun 2022] DSA-5155-1 wpewebkit - security update - {CVE-2022-26700 CVE-2022-26709 CVE-2022-26716 CVE-2022-26717 CVE-2022-26719 CVE-2022-30293 CVE-2022-30294} + {CVE-2022-26700 CVE-2022-26709 CVE-2022-26716 CVE-2022-26717 CVE-2022-26719 CVE-2022-30293} [bullseye] - wpewebkit 2.36.3-1~deb11u1 [01 Jun 2022] DSA-5154-1 webkit2gtk - security update - {CVE-2022-26700 CVE-2022-26709 CVE-2022-26716 CVE-2022-26717 CVE-2022-26719 CVE-2022-30293 CVE-2022-30294} + {CVE-2022-26700 CVE-2022-26709 CVE-2022-26716 CVE-2022-26717 CVE-2022-26719 CVE-2022-30293} [buster] - webkit2gtk 2.36.3-1~deb10u1 [bullseye] - webkit2gtk 2.36.3-1~deb11u1 [30 May 2022] DSA-5153-1 trafficserver - security update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b14de13c245d6ec09f297a4c0c15128a5adef8d0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b14de13c245d6ec09f297a4c0c15128a5adef8d0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
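Review bot: For the data/CVE/list hunk: removing the fixed-version lines for CVE-2022-30294 loses nothing, because the context line for CVE-2022-30293 carries the same '{DSA-5155-1 DSA-5154-1}' and 'webkit2gtk 2.36.1-1' references; the 'wpewebkit 2.36.1-1' line and the stretch 'Not covered by security support' line are not visible for -30293 in the context, so check they are present there too. Someone who reads CVE-2022-30294 in the published DSA text and looks it up will now find a bare REJECTED entry; if the list's conventions allow it, a NOTE pointing at CVE-2022-30293 would help.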
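Review bot: For the data/DSA/list hunk: DSA-5155-1 and DSA-5154-1 are edited in lockstep, which is right since both advisories listed the same seven CVEs. Because the advisory mails already went out on 01 Jun 2022 naming CVE-2022-30294, the tracker's CVE set for these DSAs now differs from the published text; that is deliberate per the commit message, but a sentence saying so in the commit message itself would stop a later 'DSA list does not match advisory' comparison from looking like a regression.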
[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2022-29162/runc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c0f062a by Salvatore Bonaccorso at 2022-06-14T07:25:52+02:00 Track fixed version via unstable for CVE-2022-29162/runc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11072,7 +11072,7 @@ CVE-2022-29164 (Argo Workflows is an open source container-native workflow engin CVE-2022-29163 (Nextcloud Server is the file server software for Nextcloud, a self-hos ...) - nextcloud-server (bug #941708) CVE-2022-29162 (runc is a CLI tool for spawning and running containers on Linux accord ...) - - runc + - runc 1.1.3+ds1-1 [bullseye] - runc (Minor issue) [buster] - runc (Minor issue) [stretch] - runc (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c0f062a2c3e9658fbfee6fb6b26ac46b8ed3ee9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c0f062a2c3e9658fbfee6fb6b26ac46b8ed3ee9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
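Review bot: The fixed version 1.1.3+ds1-1 is recorded without a NOTE giving the upstream fix commit or release that the upload contains, and the context shows no such NOTE either, so nothing in the entry lets a reader verify that 1.1.3+ds1-1 is the first upload with the fix. A 'NOTE: Fixed by: <upstream commit> (vX.Y.Z)' line, in the form the libarchive entries on this list use, would make the version claim checkable. The [bullseye]/[buster] 'Minor issue' and [stretch] 'Vulnerable code not present' lines are unchanged and consistent with tracking the fix via unstable only.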
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b897eccc by Salvatore Bonaccorso at 2022-06-14T07:24:07+02:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -413,7 +413,7 @@ CVE-2022-2069 CVE-2022-2068 RESERVED CVE-2022-2067 (SQL Injection in GitHub repository francoisjacquet/rosariosis prior to ...) - TODO: check + NOT-FOR-US: francoisjacquet/rosariosis CVE-2022-2066 (Cross-site Scripting (XSS) - Reflected in GitHub repository neorazorx/ ...) NOT-FOR-US: neorazorx/facturascripts CVE-2022-2065 (Cross-site Scripting (XSS) - Stored in GitHub repository neorazorx/fac ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b897eccc3a42c47f73b9be66d59952f220ff8a6a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b897eccc3a42c47f73b9be66d59952f220ff8a6a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Claim modsecurity-crs
Andreas Rönnquist pushed to branch master at Debian Security Tracker / security-tracker Commits: eace0e7e by Andreas Rönnquist at 2022-06-13T23:22:02+02:00 Claim modsecurity-crs - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -170,7 +170,7 @@ mbedtls (Utkarsh) NOTE: 20220516: helf off upload to see if the other one should NOTE: 20220516: be squeezed in. waiting on -pu. (utkarsh) -- -modsecurity-crs +modsecurity-crs (Andreas Rönnquist) NOTE: 20220529: Programming language: C. NOTE: 20220524: Follow buster: harmonize with with Debian 10.2 and 10.11 (2 CVEs) (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eace0e7eac928588844f8f6280d3a0b6f8748caa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eace0e7eac928588844f8f6280d3a0b6f8748caa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
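Review bot: The claim line for modsecurity-crs is added without a dated NOTE stating what the claimant intends to do, while the neighbouring entries carry such notes (for instance the 20220524 front-desk note on this very package); given the semi-automatic unclaim after two weeks of inactivity applied in commit f80932d5 on this list, a 'NOTE: 20220613: ...' line would both document the plan and mark activity. Two typos in the unchanged context ('helf off' under mbedtls, 'with with' in the 20220524 note) could be fixed in passing.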
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-2060/dolibarr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 61b14cf3 by Salvatore Bonaccorso at 2022-06-13T22:33:06+02:00 Add CVE-2022-2060/dolibarr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -427,7 +427,7 @@ CVE-2022-2062 (Exposure of Sensitive Information to an Unauthorized Actor in Git CVE-2022-2061 (Heap-based Buffer Overflow in GitHub repository hpjansson/chafa prior ...) TODO: check CVE-2022-2060 (Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/doli ...) - TODO: check + - dolibarr CVE-2022-2059 RESERVED CVE-2021-46820 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61b14cf36fdf3beb37522da460b0f5e2e7d42a3d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61b14cf36fdf3beb37522da460b0f5e2e7d42a3d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
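Review bot: Replacing the TODO with '- dolibarr' records that the package is affected and nothing else: no fixed version, no severity tag, no bug number and no NOTE with the upstream report, so the entry gives no way to tell whether unstable is fixed or a bug needs filing. Compare the entry forms used elsewhere in this list ('- runc 1.1.3+ds1-1', '- nextcloud-server (bug #941708)'); at minimum a NOTE with the upstream advisory URL would let the next triager pick this up. CVE-2022-2061 (chafa) directly above stays at 'TODO: check', presumably on purpose.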
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e5f3ceba by Salvatore Bonaccorso at 2022-06-13T22:30:23+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19,9 +19,9 @@ CVE-2022-33179 CVE-2022-33178 RESERVED CVE-2022-33175 (Power Distribution Units running on Powertek firmware (multiple brands ...) - TODO: check + NOT-FOR-US: Powertek CVE-2022-33174 (Power Distribution Units running on Powertek firmware (multiple brands ...) - TODO: check + NOT-FOR-US: Powertek CVE-2022-33173 RESERVED CVE-2022-33172 @@ -415,15 +415,15 @@ CVE-2022-2068 CVE-2022-2067 (SQL Injection in GitHub repository francoisjacquet/rosariosis prior to ...) TODO: check CVE-2022-2066 (Cross-site Scripting (XSS) - Reflected in GitHub repository neorazorx/ ...) - TODO: check + NOT-FOR-US: neorazorx/facturascripts CVE-2022-2065 (Cross-site Scripting (XSS) - Stored in GitHub repository neorazorx/fac ...) - TODO: check + NOT-FOR-US: neorazorx/facturascripts CVE-2022-2064 (Insufficient Session Expiration in GitHub repository nocodb/nocodb pri ...) - TODO: check + NOT-FOR-US: nocodb CVE-2022-2063 (Improper Privilege Management in GitHub repository nocodb/nocodb prior ...) - TODO: check + NOT-FOR-US: nocodb CVE-2022-2062 (Exposure of Sensitive Information to an Unauthorized Actor in GitHub r ...) - TODO: check + NOT-FOR-US: nocodb CVE-2022-2061 (Heap-based Buffer Overflow in GitHub repository hpjansson/chafa prior ...) TODO: check CVE-2022-2060 (Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/doli ...) 
@@ -933,11 +933,11 @@ CVE-2022-2040 CVE-2021-46819 RESERVED CVE-2021-46818 (Adobe Media Encoder version 15.4 (and earlier) are affected by a memor ...) - TODO: check + NOT-FOR-US: Adobe CVE-2021-46817 (Adobe Media Encoder version 15.4 (and earlier) are affected by a memor ...) - TODO: check + NOT-FOR-US: Adobe CVE-2021-46816 (Adobe Premiere Pro version 15.4 (and earlier) are affected by a memory ...) - TODO: check + NOT-FOR-US: Adobe CVE-2022-32769 RESERVED CVE-2022-32768 @@ -1705,13 +1705,13 @@ CVE-2022-1995 CVE-2022-1994 RESERVED CVE-2017-20045 (A vulnerability was found in Navetti PricePoint 4.6.0.0. It has been d ...) - TODO: check + NOT-FOR-US: Navetti PricePoint CVE-2017-20044 (A vulnerability was found in Navetti PricePoint 4.6.0.0. It has been c ...) - TODO: check + NOT-FOR-US: Navetti PricePoint CVE-2017-20043 (A vulnerability was found in Navetti PricePoint 4.6.0.0 and classified ...) - TODO: check + NOT-FOR-US: Navetti PricePoint CVE-2017-20042 (A vulnerability has been found in Navetti PricePoint 4.6.0.0 and class ...) - TODO: check + NOT-FOR-US: Navetti PricePoint CVE-2017-20041 (A vulnerability was found in Ucweb UC Browser 11.2.5.932. It has been ...) TODO: check CVE-2022-32452 @@ -2301,7 +2301,7 @@ CVE-2022-29926 CVE-2022-29512 RESERVED CVE-2022-1985 (The Download Manager Plugin for WordPress is vulnerable to reflected C ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1984 RESERVED CVE-2022-1983 
@@ -2587,7 +2587,7 @@ CVE-2022-29519 CVE-2022-1962 RESERVED CVE-2022-1961 (The Google Tag Manager for WordPress (GTM4WP) plugin is vulnerable to ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1960 RESERVED CVE-2022-1959 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e5f3cebabc7913ed630f552946c01a3ede02bf3c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e5f3cebabc7913ed630f552946c01a3ede02bf3c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
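Review bot: In the @@ -415 hunk CVE-2022-2067 (francoisjacquet/rosariosis) is left at 'TODO: check' while its neighbours in the same GitHub-repository block become NOT-FOR-US; commit b897eccc on this list resolves it the next morning, so nothing is lost, but processing the whole block in one commit would have avoided the split.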
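Review bot: In the @@ -2301 hunk the Download Manager Plugin for WordPress (CVE-2022-1985) is filed as the generic 'NOT-FOR-US: WordPress plugin', which discards the plugin name that the description line carries only in truncated form; the @@ -19, -415, -933 and -1705 hunks of the same commit keep the product name (Powertek, nocodb, Adobe, Navetti PricePoint), and commit 5ec9cf3b on this list uses the '<name> plugin for WordPress' form. Recording the plugin name keeps the entry findable by grep when the same plugin gets a second CVE.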
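Review bot: In the @@ -2587 hunk CVE-2022-1961 is the Google Tag Manager for WordPress (GTM4WP) plugin according to its description line, so 'NOT-FOR-US: Google Tag Manager for WordPress plugin' would preserve a name that the generic 'NOT-FOR-US: WordPress plugin' drops; the description line is truncated in the list, so the NOT-FOR-US value is the only place the full product name can live.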
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5ec9cf3b by Salvatore Bonaccorso at 2022-06-13T22:18:43+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2411,7 +2411,7 @@ CVE-2022-1970 RESERVED NOT-FOR-US: Keycloak CVE-2022-1969 (The Mobile browser color select plugin for WordPress is vulnerable to ...) - TODO: check + NOT-FOR-US: Mobile browser color select plugin for WordPress CVE-2022-1968 (Use After Free in GitHub repository vim/vim prior to 8.2. ...) - vim [bullseye] - vim (Minor issue) @@ -3488,7 +3488,7 @@ CVE-2022-1919 - firefox 101.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-20/#CVE-2022-1919 CVE-2022-1918 (The ToolBar to Share plugin for WordPress is vulnerable to Cross-Site ...) - TODO: check + NOT-FOR-US: ToolBar to Share plugin for WordPress CVE-2022-1917 RESERVED CVE-2022-1916 @@ -3559,7 +3559,7 @@ CVE-2022-1902 CVE-2022-1901 RESERVED CVE-2022-1900 (The Copify plugin for WordPress is vulnerable to Cross-Site Request Fo ...) - TODO: check + NOT-FOR-US: Copify plugin for WordPress CVE-2021-46815 (Configuration defects in the secure OS module. Successful exploitation ...) TODO: check CVE-2021-46814 (The video framework has an out-of-bounds memory read/write vulnerabili ...) 
@@ -4957,13 +4957,13 @@ CVE-2022-1824 CVE-2022-1823 RESERVED CVE-2022-1822 (The Zephyr Project Manager plugin for WordPress is vulnerable to Refle ...) - TODO: check + NOT-FOR-US: Zephyr Project Manager plugin for WordPress CVE-2022-1821 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) [experimental] - gitlab 14.9.5+ds1-1 - gitlab NOTE: https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/ CVE-2022-1820 (The Keep Backup Daily plugin for WordPress is vulnerable to Reflected ...) - TODO: check + NOT-FOR-US: Keep Backup Daily plugin for WordPress CVE-2022-1819 (A vulnerability, which was classified as problematic, was found in Stu ...) NOT-FOR-US: Student Information System CVE-2022-1818 @@ -4975,7 +4975,7 @@ CVE-2022-1816 (A vulnerability, which was classified as problematic, has been fo CVE-2022-1815 (Exposure of Sensitive Information to an Unauthorized Actor in GitHub r ...) NOT-FOR-US: jgraph/drawio CVE-2022-1814 (The WP Admin Style WordPress plugin through 0.1.2 does not sanitise an ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-30549 RESERVED CVE-2022-29524 @@ -5126,7 +5126,7 @@ CVE-2022-31216 CVE-2022-1801 RESERVED CVE-2022-1800 (The Export any WordPress data to XML/CSV WordPress plugin before 1.3.5 ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1799 RESERVED CVE-2022-1798 
@@ -5654,21 +5654,21 @@ CVE-2022-1795 (Use After Free in GitHub repository gpac/gpac prior to v2.1.0-DEV CVE-2022-1794 RESERVED CVE-2022-1793 (The Private Files WordPress plugin through 0.40 is missing CSRF check ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1792 (The Quick Subscribe WordPress plugin through 1.7.1 does not have CSRF ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1791 (The One Click Plugin Updater WordPress plugin through 2.4.14 does not ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1790 (The New User Email Set Up WordPress plugin through 0.5.2 does not have ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1789 (With shadow paging enabled, the INVPCID instruction results in a call ...) {DSA-5161-1} - linux 5.17.11-1 NOTE: https://git.kernel.org/linus/9f46c187e2e680ecd9de7983e4d081c3391acc76 CVE-2022-1788 (Due to missing checks the Change Uploaded File Permissions WordPress p ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1787 (The Sideblog WordPress plugin through 6.0 does not have CSRF check in ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1786 (A use-after-free flaw was found in the Linux kernel’s io_uring s ...) {DSA-5161-1} - linux 5.14.6-1 @@ -5691,15 +5691,15 @@ CVE-2022-1783 (An issue has been discovered in GitLab CE/EE affecting all versio CVE-2022-1782 (Cross-site Scripting (XSS) - Generic in GitHub repository erudika/para ...) NOT-FOR-US: erudika/para CVE-2022-1781 (The postTabs WordPress plugin through 2.10.6 does not have CSRF check ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-1780 (The LaTeX for WordPress plugin through 3.4.10 does not have CSRF check ...) - TODO: check + NOT-FOR-US: WordPress pl
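Review bot: In the @@ -4975 hunk CVE-2022-1814 (WP Admin Style WordPress plugin, per its description) becomes the generic 'NOT-FOR-US: WordPress plugin', whereas the @@ -2411, -3488, -3559 and -4957 hunks of the same commit record the plugin name ('Mobile browser color select plugin for WordPress', 'ToolBar to Share plugin for WordPress', 'Copify plugin for WordPress', 'Zephyr Project Manager plugin for WordPress', 'Keep Backup Daily plugin for WordPress'). One form throughout the commit, preferably the named one, keeps entries findable by product.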
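Review bot: The @@ -5654 hunk files six plugin CVEs (CVE-2022-1793, -1792, -1791, -1790, -1788, -1787) as 'NOT-FOR-US: WordPress plugin' although each description line names the plugin (Private Files, Quick Subscribe, One Click Plugin Updater, New User Email Set Up, Change Uploaded File Permissions, Sideblog); recording those names costs nothing and makes a later CVE for the same plugin easy to cross-check. The same applies to postTabs and LaTeX for WordPress in the following @@ -5691 hunk, which this mail truncates mid-line. The two kernel entries interleaved as context (CVE-2022-1789 and CVE-2022-1786, both {DSA-5161-1}) are untouched.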
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0df9630e by security tracker role at 2022-06-13T20:10:23+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,451 @@ +CVE-2022-33187 + RESERVED +CVE-2022-33186 + RESERVED +CVE-2022-33185 + RESERVED +CVE-2022-33184 + RESERVED +CVE-2022-33183 + RESERVED +CVE-2022-33182 + RESERVED +CVE-2022-33181 + RESERVED +CVE-2022-33180 + RESERVED +CVE-2022-33179 + RESERVED +CVE-2022-33178 + RESERVED +CVE-2022-33175 (Power Distribution Units running on Powertek firmware (multiple brands ...) + TODO: check +CVE-2022-33174 (Power Distribution Units running on Powertek firmware (multiple brands ...) + TODO: check +CVE-2022-33173 + RESERVED +CVE-2022-33172 + RESERVED +CVE-2022-33171 + RESERVED +CVE-2022-33170 + RESERVED +CVE-2022-33169 + RESERVED +CVE-2022-33168 + RESERVED +CVE-2022-33167 + RESERVED +CVE-2022-33166 + RESERVED +CVE-2022-33165 + RESERVED +CVE-2022-33164 + RESERVED +CVE-2022-33163 + RESERVED +CVE-2022-33162 + RESERVED +CVE-2022-33161 + RESERVED +CVE-2022-33160 + RESERVED +CVE-2022-33159 + RESERVED +CVE-2022-33158 + RESERVED +CVE-2022-33157 + RESERVED +CVE-2022-33156 + RESERVED +CVE-2022-33155 + RESERVED +CVE-2022-33154 + RESERVED +CVE-2022-33153 + RESERVED +CVE-2022-33152 + RESERVED +CVE-2022-33149 + RESERVED +CVE-2022-33148 + RESERVED +CVE-2022-33147 + RESERVED +CVE-2022-33140 + RESERVED +CVE-2022-33139 + RESERVED +CVE-2022-33138 + RESERVED +CVE-2022-33137 + RESERVED +CVE-2022-33136 + RESERVED +CVE-2022-33135 + RESERVED +CVE-2022-33134 + RESERVED +CVE-2022-33133 + RESERVED +CVE-2022-33132 + RESERVED +CVE-2022-33131 + RESERVED +CVE-2022-33130 + RESERVED +CVE-2022-33129 + RESERVED +CVE-2022-33128 + RESERVED +CVE-2022-33127 + RESERVED +CVE-2022-33126 + RESERVED +CVE-2022-33125 + RESERVED +CVE-2022-33124 + RESERVED +CVE-2022-33123 + RESERVED +CVE-2022-33122 + RESERVED +CVE-2022-33121 + RESERVED +CVE-2022-33120 + RESERVED +CVE-2022-33119 + RESERVED +CVE-2022-33118 + RESERVED +CVE-2022-33117 + RESERVED +CVE-2022-33116 + RESERVED +CVE-2022-33115 + RESERVED +CVE-2022-33114 + RESERVED +CVE-2022-33113 + RESERVED +CVE-2022-33112 + RESERVED +CVE-2022-33111 + RESERVED 
+CVE-2022-33110 + RESERVED +CVE-2022-33109 + RESERVED +CVE-2022-33108 + RESERVED +CVE-2022-33107 + RESERVED +CVE-2022-33106 + RESERVED +CVE-2022-33105 + RESERVED +CVE-2022-33104 + RESERVED +CVE-2022-33103 + RESERVED +CVE-2022-33102 + RESERVED +CVE-2022-33101 + RESERVED +CVE-2022-33100 + RESERVED +CVE-2022-33099 + RESERVED +CVE-2022-33098 + RESERVED +CVE-2022-33097 + RESERVED +CVE-2022-33096 + RESERVED +CVE-2022-33095 + RESERVED +CVE-2022-33094 + RESERVED +CVE-2022-33093 + RESERVED +CVE-2022-33092 + RESERVED +CVE-2022-33091 + RESERVED +CVE-2022-33090 + RESERVED +CVE-2022-33089 + RESERVED +CVE-2022-33088 + RESERVED +CVE-2022-33087 + RESERVED +CVE-2022-33086 + RESERVED +CVE-2022-33085 + RESERVED +CVE-2022-33084 + RESERVED +CVE-2022-33083 + RESERVED +CVE-2022-33082 + RESERVED +CVE-2022-33081 + RESERVED +CVE-2022-33080 + RESERVED +CVE-2022-33079 + RESERVED +CVE-2022-33078 + RESERVED +CVE-2022-33077 + RESERVED +CVE-2022-33076 + RESERVED +CVE-2022-33075 + RESERVED +CVE-2022-33074 + RESERVED +CVE-2022-33073 + RESERVED +CVE-2022-33072 + RESERVED +CVE-2022-33071 + RESERVED +CVE-2022-33070 + RESERVED +CVE-2022-33069 + RESERVED +CVE-2022-33068 + RESERVED +CVE-2022-33067 + RESERVED +CVE-2022-33066 + RESERVED +CVE-2022-33065 + RESERVED +CVE-2022-33064 + RESERVED +CVE-2022-33063 + RESERVED +CVE-2022-33062 + RESERVED +CVE-2022-33061 + RESERVED +CVE-2022-33060 + RESERVED +CVE-2022-33059 + RESERVED +CVE-2022-33058 + RESERVED +CVE-2022-33057 + RESERVED +CVE-2022-33056 + RESERVED +CVE-2022-33055 + RESERVED +CVE-2022-33054 + RESERVED +CVE-2022-33053 + RESERVED +CVE-2022-33052 + RESERVED +CVE-2022-33051 + RESERVED +CVE-2022-33050 + RESERVED +CVE-2022-33049 + RESERVED +CVE-2022-33048 + RESERVED +CVE-2022-33047 + RESERVED +CVE-2022-33046 + RESERVED +CVE-2022-33045 + RESERVED +CVE-2022-33044 + RESERVED +CVE-2022-33043 + RESERVED +CVE-2022-33042 + RESERVE
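Review bot: The hunk header promises 451 added lines but the mail is cut off at CVE-2022-33042, so the import cannot be reviewed in full from this message. Of the entries that are visible, only CVE-2022-33175 and CVE-2022-33174 (Powertek) arrive with a description and a 'TODO: check'; everything else is RESERVED. The gaps in the sequence (CVE-2022-33176/33177, 33150/33151, 33141 to 33146) are not added here; presumably those IDs were already in the list or not yet published, but a spot check that the automatic update did not skip them is cheap.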
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: f80932d5 by Anton Gladky at 2022-06-13T22:02:06+02:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Anton Gladky- - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -39,7 +39,7 @@ ckeditor NOTE: 20220510: waiting for ckeditor_3_ discussion to close up first (Beuc) NOTE: 20220510: https://lists.debian.org/debian-lts/2022/05/msg00018.html -- -curl (Emilio) +curl NOTE: 20220529: Programming language: C. NOTE: 20220530: update prepared, but there are test regressions, investigating (pochu) -- @@ -56,7 +56,7 @@ exempi NOTE: 20220517: A lot of packages reverse depends on libexmpi8. Further analysis NOTE: 20220517: is needed. -- -firmware-nonfree (Markus Koschany) +firmware-nonfree NOTE: 20220529: Programming language: binary blob. NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag @@ -128,7 +128,7 @@ lemonldap-ng NOTE: 20220529: Programming language: Perl. NOTE: 20220523: Follow buster: harmonize with with Debian 10.4 (1 CVE) and 10.5 (regression fix) (Beuc/front-desk) -- -liblouis (Andreas Rönnquist) +liblouis NOTE: 20220529: Programming language: C. NOTE: 20220320: no patch available yet. Reproducible memory leaks with ASAN NOTE: 20220320: and POC. Consider fixing CVE-2018-17294 too. @@ -240,7 +240,7 @@ pyjwt NOTE: 20220610: intention to mark as no-dsa for stretch, and will do so in a few days NOTE: 20220610: see https://lists.debian.org/msgid-search/20220610102343.6o3ak3ehc3jdo...@enricozini.org (enrico) -- -qemu (Abhijith PA) +qemu NOTE: 20220529: Programming language: C. NOTE: 20220527: a few new CVEs since last DLA, and buster got no updates since 2 years, NOTE: 20220527: so maybe coordinate to start anticipating the next LTS (Beuc/front-desk) 
@@ -305,7 +305,7 @@ systemd (Stefano Rivera) NOTE: 20220524: nor DLA-2715-1; the issue looks somewhat invasive to fix but at the NOTE: 20220524: same time is severe and was fixed in other old distros (Beuc/front-desk) -- -tiff (Utkarsh) +tiff NOTE: 20220529: Programming language: C. NOTE: 20220404: jessie upload at https://salsa.debian.org/lts-team/packages/tiff. NOTE: 20220404: if that works out well, I'll roll the same for stretch. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f80932d5012591d55da525bfa43fcdd2c194cdfb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f80932d5012591d55da525bfa43fcdd2c194cdfb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
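Review bot: the curl hunk removes the claimant even though the entry's latest NOTE (20220530) records an update already prepared with test regressions under investigation by pochu, and 20220530 is exactly 14 days before this commit, so the "2 weeks of inactivity" threshold is hit to the day; if pochu is the claimant being dropped, this unclaims an active assignment. Suggest either leaving curl claimed or adding a dated line such as `NOTE: 20220613: unclaimed after 2 weeks of inactivity; a prepared update exists, see 20220530 note` so the next claimant continues the existing work instead of restarting.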
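Review bot: the firmware-nonfree hunk drops the claimant while the entry's 20210828 note says Ben was contacted about a possible "ignore" tag and the 20210731 note points at WIP under https://salsa.debian.org/lts-team/packages/firmware-nonfree; after the unclaim nobody owns that open question. Suggest a dated NOTE recording the unclaim and the pending "ignore" decision so the next person follows up on the existing thread rather than re-triaging the CVEs from scratch.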
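Review bot: the tiff hunk removes the claimant (Utkarsh) while the two 20220404 notes, signed (utkarsh), point at an in-progress jessie upload at https://salsa.debian.org/lts-team/packages/tiff with a stretch upload intended to follow; once the name is gone the entry no longer says whose work that branch is or whether it is still expected. Suggest adding `NOTE: 20220613: unclaimed after 2 weeks of inactivity, WIP jessie upload at https://salsa.debian.org/lts-team/packages/tiff` so a new claimant checks that branch before preparing the stretch update.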
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-23712/elasticsearch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c4e0f451 by Salvatore Bonaccorso at 2022-06-13T20:58:52+02:00 Add CVE-2022-23712/elasticsearch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27274,7 +27274,7 @@ CVE-2022-23714 CVE-2022-23713 RESERVED CVE-2022-23712 (A Denial of Service flaw was discovered in Elasticsearch. Using this v ...) - TODO: check + - elasticsearch CVE-2022-23711 (A vulnerability in Kibana could expose sensitive information related t ...) - kibana (bug #700337) CVE-2022-23710 (A cross-site-scripting (XSS) vulnerability was discovered in the Data ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4e0f451c4a37b88788dd47e7a630694b3dae46c
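Review bot: the `+ - elasticsearch` line records the package with no fixed version, no bug reference and no NOTE, so the entry reads as an open, untracked issue in unstable with nothing for a reader to verify; the neighbouring kibana entry at least carries `(bug #700337)`. Suggest adding the upstream advisory as a `NOTE:` line and either a Debian bug reference or the appropriate suite annotation, so the triage state for this DoS is visible from the entry itself rather than only from the commit log.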
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a4f0eb9a by Salvatore Bonaccorso at 2022-06-13T20:56:21+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6271,11 +6271,11 @@ CVE-2022-30618 (An authenticated user with access to the Strapi admin panel can CVE-2022-30617 (An authenticated user with access to the Strapi admin panel can view p ...) NOT-FOR-US: Strapi CVE-2022-29525 (Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 uses a hard-coded cred ...) - TODO: check + NOT-FOR-US: Rakuten Casa CVE-2022-28704 (Improper access control vulnerability in Rakuten Casa version AP_F_V1_ ...) - TODO: check + NOT-FOR-US: Rakuten Casa CVE-2022-26834 (Improper access control vulnerability in Rakuten Casa version AP_F_V1_ ...) - TODO: check + NOT-FOR-US: Rakuten Casa CVE-2022-1705 RESERVED CVE-2022-1704 @@ -6319,7 +6319,7 @@ CVE-2022-29522 CVE-2022-29482 RESERVED CVE-2022-27231 (Cross-site scripting vulnerability exists in WP Statistics versions pr ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-26302 RESERVED CVE-2022-1699 (Uncontrolled Resource Consumption in GitHub repository causefx/organiz ...) @@ -6403,9 +6403,9 @@ CVE-2022-30589 CVE-2022-30588 RESERVED CVE-2022-30587 (Gradle Enterprise through 2022.2.2 has Incorrect Access Control that l ...) - TODO: check + NOT-FOR-US: Gradle Enterprise CVE-2022-30586 (Gradle Enterprise through 2022.2.2 has Incorrect Access Control that l ...) - TODO: check + NOT-FOR-US: Gradle Enterprise CVE-2022-30585 (The REST API in Archer Platform 6.x before 6.11 (6.11.0.0) contains an ...) NOT-FOR-US: Archer CVE-2022-30584 (Archer Platform 6.3 before 6.11 (6.11.0.0) contains an Improper Access ...) 
@@ -6807,7 +6807,7 @@ CVE-2022-30498 CVE-2022-30497 RESERVED CVE-2022-30496 (SQL injection in Logon Page of IDCE MV's application, version 1.0, all ...) - TODO: check + NOT-FOR-US: IDCE MV's application CVE-2022-30495 (In oretnom23 Automotive Shop Management System v1.0, the name id param ...) NOT-FOR-US: oretnom23 Automotive Shop Management System CVE-2022-30494 (In oretnom23 Automotive Shop Management System v1.0, the first and las ...) @@ -7125,7 +7125,7 @@ CVE-2022-30336 CVE-2022-30335 (Bonanza Wealth Management System (BWM) 7.3.2 allows SQL injection via ...) NOT-FOR-US: Bonanza Wealth Management System CVE-2022-26041 (Directory traversal vulnerability in RCCMD 4.26 and earlier allows a r ...) - TODO: check + NOT-FOR-US: RCCMD CVE-2022-1623 (LibTIFF master branch has an out-of-bounds read in LZWDecode in libtif ...) - tiff [bullseye] - tiff (Minor issue) @@ -7315,7 +7315,7 @@ CVE-2022-30293 (In WebKitGTK through 2.36.0 (and WPE WebKit), there is a heap-ba [stretch] - webkit2gtk (Not covered by security support in stretch) - wpewebkit 2.36.1-1 CVE-2022-29894 (Strapi v3.x.x versions and earlier contain a stored cross-site scripti ...) - TODO: check + NOT-FOR-US: Strapi CVE-2022-1602 RESERVED CVE-2022-1601 @@ -9309,7 +9309,7 @@ CVE-2022-29619 CVE-2022-29618 RESERVED CVE-2022-29617 (Due to improper error handling an authenticated user can crash CLA ass ...) - TODO: check + NOT-FOR-US: CLA assistant CVE-2022-29616 (SAP Host Agent, SAP NetWeaver and ABAP Platform allow an attacker to l ...) NOT-FOR-US: SAP CVE-2022-29615 
@@ -14042,7 +14042,7 @@ CVE-2022-28053 (Typemill v1.5.3 was discovered to contain an arbitrary file uplo CVE-2022-28052 (Directory Traversal vulnerability in file cn/roothub/store/FileSystemS ...) NOT-FOR-US: Roothub CVE-2022-28051 (The "Add category" functionality inside the "Global Keywords" menu in ...) - TODO: check + NOT-FOR-US: SeedDMS CVE-2022-28050 RESERVED CVE-2022-28049 (NGINX NJS 0.7.2 was discovered to contain a NULL pointer dereference v ...) @@ -15425,7 +15425,7 @@ CVE-2022-27504 CVE-2022-27503 (Cross-site Scripting (XSS) vulnerability in Citrix StoreFront affects ...) NOT-FOR-US: Citrix CVE-2022-27502 (RealVNC VNC Server 6.9.0 through 5.1.0 for Windows allows local privil ...) - TODO: check + NOT-FOR-US: RealVNC VNC Server CVE-2022-27501 RESERVED CVE-2022-27500 @@ -15621,7 +15621,7 @@ CVE-2022-27440 CVE-2022-27439 RESERVED CVE-2022-27438 (Caphyon Ltd Advanced Installer 19.2 was discovered to contain a remote ...) - TODO: check + NOT-FOR-US: Caphyon Ltd Advanced Installer CVE-2022-27437 RESERVED CVE-2022-27436 (A cross-site scripting (XSS) vulnerability in /public/admin/index.php? ...) @@ -18798,7 +18798,7 @@ CVE-2022-0825 (The Amelia WordPress plugin before 1.0.49 does not
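Review bot: the hunk at 14042 marks CVE-2022-28051 as `NOT-FOR-US: SeedDMS`, but the visible description ('The "Add category" functionality inside the "Global Keywords" menu in ...') does not name the product, unlike every other NFU in this patch where the product appears in the description text; the mapping therefore cannot be checked from the entry. Worth confirming against the full CVE text that the affected software is SeedDMS, since a wrong NFU silently drops a CVE that may concern a packaged project.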
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c946259b by Moritz Muehlenhoff at 2022-06-13T18:42:16+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7,7 +7,7 @@ CVE-2022-2056 CVE-2022-2055 RESERVED CVE-2022-2054 (Command Injection in GitHub repository nuitka/nuitka prior to 0.9. ...) - - nuitka + - nuitka (bug #1012762) [bullseye] - nuitka (Minor issue) [buster] - nuitka (Minor issue) NOTE: https://huntr.dev/bounties/ea4a842c-c48c-4aae-a599-3305125c63a7/ @@ -1247,7 +1247,7 @@ CVE-2022-1998 (A use after free in the Linux kernel File System notify functiona CVE-2022-1997 (Cross-site Scripting (XSS) - Stored in GitHub repository francoisjacqu ...) NOT-FOR-US: francoisjacquet/rosariosis CVE-2022-1996 (Authorization Bypass Through User-Controlled Key in GitHub repository ...) - - golang-github-emicklei-go-restful + - golang-github-emicklei-go-restful (bug #1012763) [bullseye] - golang-github-emicklei-go-restful (Minor issue) [buster] - golang-github-emicklei-go-restful (Minor issue) NOTE: https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c946259b1b80f40b60d785fd74847e45a4ac846d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c946259b1b80f40b60d785fd74847e45a4ac846d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f5fe6c91 by Moritz Muehlenhoff at 2022-06-13T18:41:23+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1759,9 +1759,9 @@ CVE-2022-1988 (Cross-site Scripting (XSS) - Generic in GitHub repository neorazo CVE-2022-32274 RESERVED CVE-2022-32273 (As a result of an observable discrepancy in returned messages, OPSWAT ...) - TODO: check + NOT-FOR-US: OPSWAT MetaDefender Core CVE-2022-32272 (OPSWAT MetaDefender Core (MDCore) before 5.1.2 has incorrect access co ...) - TODO: check + NOT-FOR-US: OPSWAT MetaDefender Core CVE-2022-32271 (In Real Player 20.0.8.310, there is a DCP:// URI Remote Arbitrary Code ...) NOT-FOR-US: Real Player CVE-2022-32270 (In Real Player 20.0.7.309 and 20.0.8.310, external::Import() allows do ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5fe6c918f1920958a8fadc223d74bb9eb8bfa08 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5fe6c918f1920958a8fadc223d74bb9eb8bfa08 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2020-14374, CVE-2020-14375, CVE-2020-14376, CVE-2020-14377, CVE-2020-14378/dpd...
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: ac6b3779 by Sylvain Beucler at 2022-06-13T18:33:18+02:00 CVE-2020-14374,CVE-2020-14375,CVE-2020-14376,CVE-2020-14377,CVE-2020-14378/dpdk: reference upstream patches - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -147098,26 +147098,31 @@ CVE-2020-14378 (An integer underflow in dpdk versions before 18.11.10 and before [buster] - dpdk 18.11.10-1~deb10u1 [stretch] - dpdk (Minor issue) NOTE: https://bugs.dpdk.org/show_bug.cgi?id=272 + NOTE: https://git.dpdk.org/dpdk-stable/commit/?id=7a5af91f8bf46f121cc1a7873045ef37f63d56c2 (v18.11.10) CVE-2020-14377 (A flaw was found in dpdk in versions before 18.11.10 and before 19.11. ...) - dpdk 19.11.5-1 (bug #971269) [buster] - dpdk 18.11.10-1~deb10u1 [stretch] - dpdk (Minor issue) NOTE: https://bugs.dpdk.org/show_bug.cgi?id=272 + NOTE: https://git.dpdk.org/dpdk-stable/commit/?id=7e7c75edc6351ecdc5b108ab2ff4be8852d9e090 (v18.11.10) CVE-2020-14376 (A flaw was found in dpdk in versions before 18.11.10 and before 19.11. ...) - dpdk 19.11.5-1 (bug #971269) [buster] - dpdk 18.11.10-1~deb10u1 [stretch] - dpdk (Minor issue) NOTE: https://bugs.dpdk.org/show_bug.cgi?id=272 + NOTE: https://git.dpdk.org/dpdk-stable/commit/?id=7e7c75edc6351ecdc5b108ab2ff4be8852d9e090 (v18.11.10) CVE-2020-14375 (A flaw was found in dpdk in versions before 18.11.10 and before 19.11. ...) - dpdk 19.11.5-1 (bug #971269) [buster] - dpdk 18.11.10-1~deb10u1 [stretch] - dpdk (Minor issue) NOTE: https://bugs.dpdk.org/show_bug.cgi?id=272 + NOTE: https://git.dpdk.org/dpdk-stable/commit/?id=6e8a4da39e68c581c236b1f109fef4b6e22b35ef (v18.11.10) CVE-2020-14374 (A flaw was found in dpdk in versions before 18.11.10 and before 19.11. ...) - dpdk 19.11.5-1 (bug #971269) [buster] - dpdk 18.11.10-1~deb10u1 [stretch] - dpdk (Minor issue) NOTE: https://bugs.dpdk.org/show_bug.cgi?id=272 + NOTE: https://git.dpdk.org/dpdk-stable/commit/?id=75f8df70a2c8a477ed61bf3145746ef1164466ce (v18.11.10) CVE-2020-14373 (A use after free was found in igc_reloc_struct_ptr() of psi/igc.c of g ...) 
- ghostscript 9.26~dfsg-1 [stretch] - ghostscript 9.26~dfsg-0+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac6b37790c03543304d412a738abed76bbd4f2cb
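Review bot: CVE-2020-14377 and CVE-2020-14376 are given the same dpdk-stable commit (7e7c75edc6351ecdc5b108ab2ff4be8852d9e090) while the other three CVEs each get a distinct one; if a single commit genuinely addresses both, a short remark on one of the two NOTE lines would stop a later reader from treating it as a copy-paste slip. Also, all five NOTEs cite ids tagged (v18.11.10), which matches the buster version 18.11.10-1~deb10u1 but not the unstable fix 19.11.5-1 recorded in the context lines; if the 19.11-branch commits differ, citing them too would help anyone verifying the unstable package.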
[Git][security-tracker-team/security-tracker][master] new spring security issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 41b24e18 by Moritz Mühlenhoff at 2022-06-13T18:06:54+02:00 new spring security issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29713,11 +29713,11 @@ CVE-2022-22980 CVE-2022-22979 RESERVED CVE-2022-22978 (In Spring Security versions 5.5.6 and 5.6.3 and older unsupported vers ...) - TODO: check + - libspring-security-2.0-java CVE-2022-22977 (VMware Tools for Windows(12.0.0, 11.x.y and 10.x.y) contains an XML Ex ...) NOT-FOR-US: VMware CVE-2022-22976 (Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, a ...) - TODO: check + - libspring-security-2.0-java CVE-2022-22975 (An issue was discovered in the Pinniped Supervisor with either LADPIde ...) NOT-FOR-US: vmware-tanzu/pinniped CVE-2022-22974 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41b24e185abc95311bb1c0994d8c9479ea52b97e
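Review bot: both `+ - libspring-security-2.0-java` lines map CVEs described against Spring Security 5.5.x and 5.6.x onto the 2.0-named source package with no version, suite tag or NOTE, so the entries do not say whether the affected code exists in that package at all. Suggest checking the packaged sources and, if the code is absent, using the file's existing `(Vulnerable code not present)` annotation; either way a `NOTE:` line citing the upstream advisory would let the next reader verify the mapping without repeating the search.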
[Git][security-tracker-team/security-tracker][master] runc spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 054fdb68 by Moritz Mühlenhoff at 2022-06-13T18:04:48+02:00 runc spu - - - - - 2 changed files: - data/CVE/list - data/next-point-update.txt Changes: = data/CVE/list = @@ -10624,6 +10624,8 @@ CVE-2022-29163 (Nextcloud Server is the file server software for Nextcloud, a se - nextcloud-server (bug #941708) CVE-2022-29162 (runc is a CLI tool for spawning and running containers on Linux accord ...) - runc + [bullseye] - runc (Minor issue) + [buster] - runc (Minor issue) [stretch] - runc (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2022/05/12/1 NOTE: https://github.com/opencontainers/runc/commit/364ec0f1b4fa188ad96049c590ecb42fa70ea165 (v1.1.2) = data/next-point-update.txt = @@ -124,3 +124,5 @@ CVE-2022-30556 [bullseye] - apache2 2.4.54-1~deb11u1 CVE-2022-31813 [bullseye] - apache2 2.4.54-1~deb11u1 +CVE-2022-29162 + [bullseye] - runc 1.0.0~rc93+ds1-5+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/054fdb689a3eba7c109f14c2939cb9db6f75c6bf
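Review bot: the data/CVE/list hunk marks bullseye as `runc (Minor issue)` while the data/next-point-update.txt hunk schedules `runc 1.0.0~rc93+ds1-5+deb11u1` for the same CVE-2022-29162; that pairing signals a fix via point release rather than DSA, which is consistent, but the list entry will need the fixed version once the point update ships or bullseye will keep reading as unfixed. Buster gets `(Minor issue)` with no next-point-update line, so it stays open. Since the cited upstream fix is commit 364ec0f1b4fa188ad96049c590ecb42fa70ea165 (v1.1.2) against a 1.0.0~rc93 base, the bullseye change is a backport; a NOTE with the Debian bug or changelog reference would let reviewers find the actual patch.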
[Git][security-tracker-team/security-tracker][master] new golang-github-emicklei-go-restful issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b99eba4 by Moritz Muehlenhoff at 2022-06-13T14:55:09+02:00 new golang-github-emicklei-go-restful issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1097,7 +1097,7 @@ CVE-2022-32500 CVE-2022-32499 RESERVED CVE-2022-2013 (In Octopus Server after version 2022.1.1495 and before 2022.1.2647 if ...) - TODO: check + NOT-FOR-US: Octopus Server CVE-2022-2012 RESERVED CVE-2022-2011 @@ -1247,7 +1247,11 @@ CVE-2022-1998 (A use after free in the Linux kernel File System notify functiona CVE-2022-1997 (Cross-site Scripting (XSS) - Stored in GitHub repository francoisjacqu ...) NOT-FOR-US: francoisjacquet/rosariosis CVE-2022-1996 (Authorization Bypass Through User-Controlled Key in GitHub repository ...) - TODO: check + - golang-github-emicklei-go-restful + [bullseye] - golang-github-emicklei-go-restful (Minor issue) + [buster] - golang-github-emicklei-go-restful (Minor issue) + NOTE: https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1/ + NOTE: https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10 CVE-2022-1995 RESERVED CVE-2022-1994 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b99eba4fcfd0d6fbf17746434996b4a33eb2666
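Review bot: the added `NOTE: https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10` line carries no release in parentheses, unlike the convention visible elsewhere in this file (`(v1.1.2)`, `(v3.0.0)`), so a reader cannot tell which upstream version first contains the fix or compare it with the packaged version; suggest appending the tag that contains the commit. The unstable line `- golang-github-emicklei-go-restful` also has no fixed version or bug reference yet, and since Go libraries are statically linked into their reverse dependencies, a NOTE on whether rdeps need rebuilding would be useful for the bullseye and buster "Minor issue" decisions.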
[Git][security-tracker-team/security-tracker][master] golang-gopkg-yaml.v3 fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 74801e73 by Moritz Muehlenhoff at 2022-06-13T14:40:02+02:00 golang-gopkg-yaml.v3 fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11283,7 +11283,7 @@ CVE-2022-28950 CVE-2022-28949 RESERVED CVE-2022-28948 (An issue in the Unmarshal function in Go-Yaml v3 causes the program to ...) - - golang-gopkg-yaml.v3 (bug #1011338) + - golang-gopkg-yaml.v3 3.0.1-1 (bug #1011338) NOTE: https://github.com/go-yaml/yaml/issues/666 NOTE: https://github.com/go-yaml/yaml/commit/8f96da9f5d5eff988554c1aae1784627c4bf6754 (v3.0.0) CVE-2022-28947 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74801e73dd4b69da0af05500c7655fc6c6ce956b
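Review bot: the unstable line becomes `golang-gopkg-yaml.v3 3.0.1-1` while the cited fix commit is tagged `(v3.0.0)`, which is consistent, but the hunk shows no `[bullseye]` or `[buster]` lines for CVE-2022-28948; if the package ships in those suites, their state (fixed version, Minor issue, or not affected) should be recorded next to the unstable fix, and because the library is statically linked into Go reverse dependencies, a NOTE on whether rdeps in unstable still embed the vulnerable Unmarshal code would complete the triage.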
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: debb0e2a by Thorsten Alteholz at 2022-06-13T10:25:36+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -25,6 +25,7 @@ blender (Thorsten Alteholz) NOTE: 20220529: Programming language: C++. NOTE: 20220528: 3 CVEs now fixed in unstable, but maintainer never was approached to fix in stable/oldstable, NOTE: 20220528: maybe coordinate with them (Beuc/front-desk) + NOTE: 20220613: testing package -- cgal NOTE: 20220529: Programming language: C++. @@ -75,6 +76,7 @@ golang-github-hashicorp-go-getter (Thorsten Alteholz) NOTE: 20220529: Programming language: Go. NOTE: 20220528: limited golang support in stretch (cf. stretch release notes) NOTE: 20220528: no rdeps AFAICS so no need to rebuild other golang packages (Beuc/front-desk) + NOTE: 20220613: testing package -- golang-go.crypto NOTE: 20220529: Programming language: Go. @@ -175,6 +177,7 @@ modsecurity-crs ncurses (Thorsten Alteholz) NOTE: 20220529: Programming language: C. NOTE: 20220524: Follow buster: harmonize with with Debian 10.2 (2-3 CVEs + some non-CVE'd issues) (Beuc/front-desk) + NOTE: 20220613: testing package -- ntfs-3g NOTE: 20220529: Programming language: C. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/debb0e2a201d08b07f97426d6b5c54f5cf42fb21
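Review bot: the three added `NOTE: 20220613: testing package` lines do not say which upload or which subset of the fixes is under test, so they carry less information than the surrounding dated notes; for ncurses in particular, where the 20220524 note asks to follow the buster 10.2 update (2-3 CVEs plus non-CVE'd issues), a line stating which of those issues the test build includes would tell the front desk what remains. While editing the ncurses entry the duplicated "with with" in that 20220524 context line could be fixed in the same commit.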
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: babd4332 by security tracker role at 2022-06-13T08:10:11+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,11 @@ +CVE-2022-2058 + RESERVED +CVE-2022-2057 + RESERVED +CVE-2022-2056 + RESERVED +CVE-2022-2055 + RESERVED CVE-2022-2054 (Command Injection in GitHub repository nuitka/nuitka prior to 0.9. ...) - nuitka [bullseye] - nuitka (Minor issue) @@ -1088,8 +1096,8 @@ CVE-2022-32500 RESERVED CVE-2022-32499 RESERVED -CVE-2022-2013 - RESERVED +CVE-2022-2013 (In Octopus Server after version 2022.1.1495 and before 2022.1.2647 if ...) + TODO: check CVE-2022-2012 RESERVED CVE-2022-2011 @@ -6258,12 +6266,12 @@ CVE-2022-30618 (An authenticated user with access to the Strapi admin panel can NOT-FOR-US: Strapi CVE-2022-30617 (An authenticated user with access to the Strapi admin panel can view p ...) NOT-FOR-US: Strapi -CVE-2022-29525 - RESERVED -CVE-2022-28704 - RESERVED -CVE-2022-26834 - RESERVED +CVE-2022-29525 (Rakuten Casa version AP_F_V1_4_1 or AP_F_V2_0_0 uses a hard-coded cred ...) + TODO: check +CVE-2022-28704 (Improper access control vulnerability in Rakuten Casa version AP_F_V1_ ...) + TODO: check +CVE-2022-26834 (Improper access control vulnerability in Rakuten Casa version AP_F_V1_ ...) + TODO: check CVE-2022-1705 RESERVED CVE-2022-1704 @@ -6306,8 +6314,8 @@ CVE-2022-29522 RESERVED CVE-2022-29482 RESERVED -CVE-2022-27231 - RESERVED +CVE-2022-27231 (Cross-site scripting vulnerability exists in WP Statistics versions pr ...) + TODO: check CVE-2022-26302 RESERVED CVE-2022-1699 (Uncontrolled Resource Consumption in GitHub repository causefx/organiz ...) 
@@ -7112,8 +7120,8 @@ CVE-2022-30336 RESERVED CVE-2022-30335 (Bonanza Wealth Management System (BWM) 7.3.2 allows SQL injection via ...) NOT-FOR-US: Bonanza Wealth Management System -CVE-2022-26041 - RESERVED +CVE-2022-26041 (Directory traversal vulnerability in RCCMD 4.26 and earlier allows a r ...) + TODO: check CVE-2022-1623 (LibTIFF master branch has an out-of-bounds read in LZWDecode in libtif ...) - tiff [bullseye] - tiff (Minor issue) @@ -7302,8 +7310,8 @@ CVE-2022-30293 (In WebKitGTK through 2.36.0 (and WPE WebKit), there is a heap-ba - webkit2gtk 2.36.1-1 [stretch] - webkit2gtk (Not covered by security support in stretch) - wpewebkit 2.36.1-1 -CVE-2022-29894 - RESERVED +CVE-2022-29894 (Strapi v3.x.x versions and earlier contain a stored cross-site scripti ...) + TODO: check CVE-2022-1602 RESERVED CVE-2022-1601 @@ -8915,8 +8923,8 @@ CVE-2022-29790 (The graphics acceleration service has a vulnerability in multi-t NOT-FOR-US: Huawei CVE-2022-29789 (The HiAIserver has a vulnerability in verifying the validity of the pr ...) NOT-FOR-US: Huawei -CVE-2022-27174 - RESERVED +CVE-2022-27174 (Cross-site request forgery (CSRF) vulnerability in Easy Blog for EC-CU ...) + TODO: check CVE-2022-1465 (The WPC Smart Wishlist for WooCommerce WordPress plugin before 2.9.9 d ...) NOT-FOR-US: WordPress plugin CVE-2022-1464 (Stored xss bug in GitHub repository gogs/gogs prior to 0.12.7. As the ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/babd433266e4dd51908e242ea5335be391303766