[Git][security-tracker-team/security-tracker][master] Cleanup additional whitespaces
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6073828a by Salvatore Bonaccorso at 2022-06-22T07:29:12+02:00 Cleanup additional whitespaces - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32239,7 +32239,7 @@ CVE-2022-23124 NOTE: https://sourceforge.net/p/netatalk/mailman/netatalk-devel/thread/49864b1b-6aa1-6859-3f53-a2018598b8ce%40synology.com/#msg37632074 NOTE: Probably the same as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013303 NOTE: 3.1.13~ds-2 merged a patch: https://salsa.debian.org/netatalk-team/netatalk/-/commit/9b7e96c9023402d4f7aa49e28e13aef31aeb1caf - NOTE: but not reviewed/merged upstream so far + NOTE: but not reviewed/merged upstream so far CVE-2022-23123 RESERVED - netatalk 3.1.13~ds-1 @@ -32250,7 +32250,7 @@ CVE-2022-23123 NOTE: https://sourceforge.net/p/netatalk/mailman/netatalk-devel/thread/49864b1b-6aa1-6859-3f53-a2018598b8ce%40synology.com/#msg37632074 NOTE: Probably the same as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013303 NOTE: 3.1.13~ds-2 merged a patch: https://salsa.debian.org/netatalk-team/netatalk/-/commit/9b7e96c9023402d4f7aa49e28e13aef31aeb1caf - NOTE: but not reviewed/merged upstream so far + NOTE: but not reviewed/merged upstream so far CVE-2022-23122 RESERVED - netatalk 3.1.13~ds-1 @@ -32260,7 +32260,7 @@ CVE-2022-23122 NOTE: https://sourceforge.net/p/netatalk/mailman/netatalk-devel/thread/49864b1b-6aa1-6859-3f53-a2018598b8ce%40synology.com/#msg37632074 NOTE: Probably the same as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013303 NOTE: 3.1.13~ds-2 merged a patch: https://salsa.debian.org/netatalk-team/netatalk/-/commit/9b7e96c9023402d4f7aa49e28e13aef31aeb1caf - NOTE: but not reviewed/merged upstream so far + NOTE: but not reviewed/merged upstream so far CVE-2022-23121 RESERVED - netatalk 3.1.13~ds-1 
@@ -32316,7 +32316,7 @@ CVE-2022-0194 NOTE: https://sourceforge.net/p/netatalk/mailman/netatalk-devel/thread/49864b1b-6aa1-6859-3f53-a2018598b8ce%40synology.com/#msg37632074 NOTE: Probably the same as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013303 NOTE: 3.1.13~ds-2 merged a patch: https://salsa.debian.org/netatalk-team/netatalk/-/commit/9b7e96c9023402d4f7aa49e28e13aef31aeb1caf - NOTE: but not reviewed/merged upstream so far + NOTE: but not reviewed/merged upstream so far CVE-2022-0193 (The Complianz WordPress plugin before 6.0.0 does not escape the s para ...) NOT-FOR-US: WordPress plugin CVE-2022-0192 (A DLL search path vulnerability was reported in Lenovo PCManager prior ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6073828a5fe34d3a8c1acb253945dc3927d98332 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6073828a5fe34d3a8c1acb253945dc3927d98332 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed versions for chromium issues in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 04894579 by Salvatore Bonaccorso at 2022-06-22T07:28:38+02:00 Track fixed versions for chromium issues in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -10,49 +10,49 @@ CVE-2022-33208 RESERVED CVE-2022-2165 RESERVED - - chromium + - chromium 103.0.5060.53-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-2164 RESERVED - - chromium + - chromium 103.0.5060.53-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-2163 RESERVED - - chromium + - chromium 103.0.5060.53-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-2162 RESERVED - - chromium + - chromium 103.0.5060.53-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-2161 RESERVED - - chromium + - chromium 103.0.5060.53-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-2160 RESERVED - - chromium + - chromium 103.0.5060.53-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-2159 RESERVED CVE-2022-2158 RESERVED - - chromium + - chromium 103.0.5060.53-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-2157 RESERVED - - chromium + - chromium 103.0.5060.53-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-2156 RESERVED - - chromium + - chromium 103.0.5060.53-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) CVE-2022-2155 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0489457981408f83405892f05cf88c80fde33002 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0489457981408f83405892f05cf88c80fde33002 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
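Review bot: CVE-2022-2159 sits in the middle of this hunk and is the only entry in the CVE-2022-2156 to CVE-2022-2165 run that receives no chromium line, neither here nor in the earlier commit 42df8c1a further down this digest where the chromium entries were first added; if it belongs to the same 103.0.5060.53 batch it needs the same three lines (`- chromium 103.0.5060.53-1` plus the buster and stretch DSA references), and if it does not, a NOT-FOR-US or NOTE line saying why it is skipped would stop it being re-triaged from the bare RESERVED state.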
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-2153/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e83e103 by Salvatore Bonaccorso at 2022-06-22T07:24:05+02:00 Add CVE-2022-2153/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -61,6 +61,12 @@ CVE-2022-2154 RESERVED CVE-2022-2153 RESERVED + - linux 5.17.3-1 + [bullseye] - linux 5.10.113-1 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2069736 + NOTE: https://git.kernel.org/linus/7ec37d1cbe17d8189d9562178d8b29167fe1c31a (5.18-rc1) + NOTE: https://git.kernel.org/linus/00b5f37189d24ac3ed46cb7f11742094778c46ce (5.18-rc1) + NOTE: https://git.kernel.org/linus/b1e34d325397a33d97d845e312d7cf2a8b646b44 (5.18-rc1) CVE-2022-2152 RESERVED CVE-2022-2151 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e83e103bf8e88b230b46baa944ca2a430050eb9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e83e103bf8e88b230b46baa944ca2a430050eb9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
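Review bot: the three NOTE lines tag the upstream fixes as 5.18-rc1, but the fixed versions recorded are `- linux 5.17.3-1` and `[bullseye] - linux 5.10.113-1`, both older than that tag; that is only consistent if the fixes reached those packages via the stable trees, so a short note naming the stable releases or the backport commits would make the version relation checkable later. The entry also records nothing for buster or stretch, so it is worth confirming whether they need a fixed-version or "Vulnerable code not present" line as the CVE-2022-1508 entry in the next commit has.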
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-1508/linux for bullseye
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f0141ef3 by Salvatore Bonaccorso at 2022-06-22T06:53:42+02:00 Track fixed version for CVE-2022-1508/linux for bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11548,6 +11548,7 @@ CVE-2022-29811 (In JetBrains Hub before 2022.1.14638 stored XSS via project icon CVE-2022-1508 RESERVED - linux 5.15.3-1 + [bullseye] - linux 5.10.120-1 [buster] - linux (Vulnerable code not present) [stretch] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/89c2b3b74918200e46699338d7bcc19b1ea12110 (5.15-rc1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0141ef369f04078f4938d247770dde4ae221fdd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0141ef369f04078f4938d247770dde4ae221fdd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: af8c9c63 by Salvatore Bonaccorso at 2022-06-21T22:56:43+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11875,9 +11875,9 @@ CVE-2022-29777 (Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 an CVE-2022-29776 (Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and belo ...) NOT-FOR-US: Onlyoffice Document Server CVE-2022-29775 (iSpyConnect iSpy v7.2.2.0 allows attackers to bypass authentication vi ...) - TODO: check + NOT-FOR-US: iSpyConnect iSpy CVE-2022-29774 (iSpyConnect iSpy v7.2.2.0 is vulnerable to path traversal. ...) - TODO: check + NOT-FOR-US: iSpyConnect iSpy CVE-2022-29773 (An access control issue in aleksis/core/util/auth_helpers.py: ClientPr ...) NOT-FOR-US: AlekSIS CVE-2022-29772 @@ -17353,17 +17353,17 @@ CVE-2022-27881 (engine.c in slaacd in OpenBSD 6.9 and 7.0 before 2022-02-21 has CVE-2022-27873 RESERVED CVE-2022-27872 (A maliciously crafted PDF file may be used to dereference a pointer fo ...) - TODO: check + NOT-FOR-US: Autodesk CVE-2022-27871 (Autodesk AutoCAD product suite, Revit, Design Review and Navisworks re ...) - TODO: check + NOT-FOR-US: Autodesk CVE-2022-27870 (A maliciously crafted TGA file in Autodesk AutoCAD 2023 may be used to ...) - TODO: check + NOT-FOR-US: Autodesk CVE-2022-27869 (A maliciously crafted TIFF file in Autodesk AutoCAD 2023 can be forced ...) - TODO: check + NOT-FOR-US: Autodesk CVE-2022-27868 (A maliciously crafted CAT file in Autodesk AutoCAD 2023 can be used to ...) - TODO: check + NOT-FOR-US: Autodesk CVE-2022-27867 (A maliciously crafted JT file in Autodesk AutoCAD 2022, 2021, 2020, 20 ...) - TODO: check + NOT-FOR-US: Autodesk CVE-2022-27866 RESERVED CVE-2022-27865 
@@ -22350,7 +22350,7 @@ CVE-2022-26149 (MODX Revolution through 2.8.3-pl allows remote authenticated adm CVE-2022-26148 (An issue was discovered in Grafana through 7.3.4, when integrated with ...) - grafana CVE-2022-26147 (The Quectel RG502Q-EA modem before 2022-02-23 allow OS Command Injecti ...) - TODO: check + NOT-FOR-US: Quectel RG502Q-EA modem CVE-2022-26146 (Tricentis qTest before 10.4 allows stored XSS by an authenticated atta ...) NOT-FOR-US: Tricentis qTest CVE-2022-26145 @@ -23764,7 +23764,7 @@ CVE-2022-25587 CVE-2022-25586 RESERVED CVE-2022-25585 (Unioncms v1.0.13 was discovered to contain a stored cross-site scripti ...) - TODO: check + NOT-FOR-US: Unioncms CVE-2022-25584 (Seyeon Tech Co., Ltd FlexWATCH FW3170-PS-E Network Video System 4.23-3 ...) NOT-FOR-US: FlexWATCH FW3170-PS-E CVE-2022-25583 @@ -31169,7 +31169,7 @@ CVE-2022-23344 CVE-2022-23343 RESERVED CVE-2022-23342 (The Hyland Onbase Application Server releases prior to 20.3.58.1000 an ...) - TODO: check + NOT-FOR-US: Hyland Onbase Application Server CVE-2022-23341 RESERVED CVE-2022-23340 (Joplin 2.6.10 allows remote attackers to execute system commands throu ...) @@ -32100,7 +32100,7 @@ CVE-2022-23173 CVE-2022-23172 RESERVED CVE-2022-23171 (AtlasVPN - Privilege Escalation Lack of proper security controls on na ...) - TODO: check + NOT-FOR-US: AtlasVPN CVE-2022-23170 RESERVED CVE-2022-23169 (attacker needs to craft a SQL payload. the vulnerable parameter is "ag ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af8c9c633e97dc820c5a25a893eb4d5ddc39e1e0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af8c9c633e97dc820c5a25a893eb4d5ddc39e1e0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
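Review bot: in the Autodesk hunk, the `NOT-FOR-US: Autodesk` tag for CVE-2022-27872 is not supported by the entry's own visible description ("A maliciously crafted PDF file may be used to dereference a pointer fo ..." names no product); it reads as inferred from the neighbouring CVE-2022-27867 to CVE-2022-27871 entries, which is fine if the full description was checked, but worth a second look before the TODO is closed.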
[Git][security-tracker-team/security-tracker][master] Add chromium to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 05674844 by Salvatore Bonaccorso at 2022-06-21T22:51:16+02:00 Add chromium to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -16,6 +16,8 @@ asterisk/oldstable -- cacti -- +chromium +-- curl -- epiphany-browser View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05674844dab73d9ba710c540a68fcd9d6c076b8e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05674844dab73d9ba710c540a68fcd9d6c076b8e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add new chromium issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 42df8c1a by Salvatore Bonaccorso at 2022-06-21T22:48:11+02:00 Add new chromium issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10,24 +10,51 @@ CVE-2022-33208 RESERVED CVE-2022-2165 RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-2164 RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-2163 RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-2162 RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-2161 RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-2160 RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-2159 RESERVED CVE-2022-2158 RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-2157 RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-2156 RESERVED + - chromium + [buster] - chromium (see DSA 5046) + [stretch] - chromium (see DSA 4562) CVE-2022-2155 RESERVED CVE-2022-2154 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/42df8c1a49e94920d2a4a5956c3a2474d6b2f5dc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/42df8c1a49e94920d2a4a5956c3a2474d6b2f5dc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 103bde87 by Salvatore Bonaccorso at 2022-06-21T22:28:01+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -382,7 +382,7 @@ CVE-2022-34010 CVE-2022-34009 RESERVED CVE-2022-34008 (Comodo Antivirus 12.2.2.8012 has a quarantine flaw that allows privile ...) - TODO: check + NOT-FOR-US: Comodo Antivirus CVE-2022-34007 RESERVED CVE-2022-34006 (An issue was discovered in TitanFTP (aka Titan FTP) NextGen before 1.2 ...) @@ -411,7 +411,7 @@ CVE-2022-33997 CVE-2022-33996 RESERVED CVE-2022-33995 (A path traversal issue in entry attachments in Devolutions Remote Desk ...) - TODO: check + NOT-FOR-US: Devolutions CVE-2022-33994 RESERVED CVE-2017-20091 @@ -554,7 +554,7 @@ CVE-2017-20067 (A vulnerability was found in Hindu Matrimonial Script. It has be CVE-2017-20066 (A vulnerability has been found in Adminer Login 1.4.4 and classified a ...) TODO: check CVE-2017-20065 (A vulnerability was found in Supsystic Popup Plugin 1.7.6 and classifi ...) - TODO: check + NOT-FOR-US: Supsystic Popup Plugin CVE-2017-20064 (A vulnerability was found in Elefant CMS 1.3.12-RC. It has been declar ...) NOT-FOR-US: Elefant CMS CVE-2017-20063 (A vulnerability was found in Elefant CMS 1.3.12-RC. It has been classi ...) @@ -2427,7 +2427,7 @@ CVE-2022-33147 CVE-2022-33140 (The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 an ...) NOT-FOR-US: Apache NiFi CVE-2022-33139 (A vulnerability has been identified in SIMATIC WinCC OA V3.16 (All ver ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-33138 RESERVED CVE-2022-33137 @@ -2467,7 +2467,7 @@ CVE-2022-33121 CVE-2022-33120 RESERVED CVE-2022-33119 (NUUO Network Video Recorder NVRsolo v03.06.02 was discovered to contai ...) - TODO: check + NOT-FOR-US: NUUO Network Video Recorder NVRsolo CVE-2022-33118 RESERVED CVE-2022-33117 
@@ -2593,9 +2593,9 @@ CVE-2022-33058 CVE-2022-33057 RESERVED CVE-2022-33056 (Online Railway Reservation System v1.0 was discovered to contain a SQL ...) - TODO: check + NOT-FOR-US: Online Railway Reservation System CVE-2022-33055 (Online Railway Reservation System v1.0 was discovered to contain a SQL ...) - TODO: check + NOT-FOR-US: Online Railway Reservation System CVE-2022-33054 RESERVED CVE-2022-33053 @@ -2607,9 +2607,9 @@ CVE-2022-33051 CVE-2022-33050 RESERVED CVE-2022-33049 (Online Railway Reservation System v1.0 was discovered to contain a SQL ...) - TODO: check + NOT-FOR-US: Online Railway Reservation System CVE-2022-33048 (Online Railway Reservation System v1.0 was discovered to contain a SQL ...) - TODO: check + NOT-FOR-US: Online Railway Reservation System CVE-2022-33047 RESERVED CVE-2022-33046 @@ -4181,7 +4181,7 @@ CVE-2022-32416 CVE-2022-32415 RESERVED CVE-2022-32414 (Nginx NJS v0.7.2 was discovered to contain a segmentation violation in ...) - TODO: check + NOT-FOR-US: njs CVE-2022-32413 RESERVED CVE-2022-32412 @@ -5695,9 +5695,9 @@ CVE-2022-31803 CVE-2022-31802 RESERVED CVE-2022-31801 (An unauthenticated, remote attacker could upload malicious logic to th ...) - TODO: check + NOT-FOR-US: ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool CVE-2022-31800 (An unauthenticated, remote attacker could upload malicious logic to de ...) - TODO: check + NOT-FOR-US: ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool CVE-2022-1945 (The Coming Soon & Maintenance Mode by Colorlib WordPress plugin be ...) NOT-FOR-US: WordPress plugin CVE-2022-1944 (When the feature is configured, improper authorization in the Interact ...) 
@@ -5820,7 +5820,7 @@ CVE-2022-31788 (IdeaLMS 2022 allows SQL injection via the IdeaLMS/ChatRoom/Class CVE-2022-31787 RESERVED CVE-2022-31786 (IdeaLMS 2022 allows reflected Cross Site Scripting (XSS) via the IdeaL ...) - TODO: check + NOT-FOR-US: IdeaLMS CVE-2022-31785 RESERVED CVE-2022-31784 (A vulnerability in the management interface of MiVoice Business throug ...) @@ -6900,7 +6900,7 @@ CVE-2022-31480 (An unauthenticated attacker could arbitrarily upload firmware fi CVE-2022-31479 (An unauthenticated attacker can update the hostname with a specially c ...) NOT-FOR-US: HID Mercury Intelligent Controllers CVE-2022-31478 (The UserTakeOver plugin before 4.0.1 for ILIAS allows an attacker to l ...) - TODO: check + NOT-FOR-US: UserTakeOver plugin for ILIAS CVE-2022-1841 RESERVED CVE-2022-1840 (A vulnerability, which was classified as problematic, has been found i ...) @@ -7104,9 +7104,9 @@ CVE-2022-3
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2cea7cbe by Salvatore Bonaccorso at 2022-06-21T22:17:07+02:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9449,7 +9449,7 @@ CVE-2022-1667 CVE-2022-1666 RESERVED CVE-2022-1665 (A set of pre-production kernel packages of Red Hat Enterprise Linux fo ...) - TODO: check + NOT-FOR-US: pre-production kernel packages of Red Hat Enterprise Linux for IBM Power architecture CVE-2022-1664 (Dpkg::Source::Archive in dpkg, the Debian package management system, b ...) {DSA-5147-1 DLA-3022-1} - dpkg 1.21.8 @@ -58786,7 +58786,7 @@ CVE-2021-39008 CVE-2021-39007 RESERVED CVE-2021-39006 (IBM QRadar WinCollect Agent 10.0 and 10.0.1 could allow an attacker to ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-39005 RESERVED CVE-2021-39004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2cea7cbe11a8f18c213a17569c8bf0ae76989f32 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2cea7cbe11a8f18c213a17569c8bf0ae76989f32 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e980287e by security tracker role at 2022-06-21T20:10:28+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,57 @@ +CVE-2022-34169 + RESERVED +CVE-2022-34168 + RESERVED +CVE-2022-34151 + RESERVED +CVE-2022-33971 + RESERVED +CVE-2022-33208 + RESERVED +CVE-2022-2165 + RESERVED +CVE-2022-2164 + RESERVED +CVE-2022-2163 + RESERVED +CVE-2022-2162 + RESERVED +CVE-2022-2161 + RESERVED +CVE-2022-2160 + RESERVED +CVE-2022-2159 + RESERVED +CVE-2022-2158 + RESERVED +CVE-2022-2157 + RESERVED +CVE-2022-2156 + RESERVED +CVE-2022-2155 + RESERVED +CVE-2022-2154 + RESERVED +CVE-2022-2153 + RESERVED +CVE-2022-2152 + RESERVED +CVE-2022-2151 + RESERVED +CVE-2022-2150 + RESERVED +CVE-2022-2149 + RESERVED +CVE-2022-2148 + RESERVED +CVE-2022-2147 + RESERVED +CVE-2022-2146 + RESERVED +CVE-2022-2145 + RESERVED +CVE-2022-2144 + RESERVED CVE-2022-34167 RESERVED CVE-2022-34166 @@ -327,8 +381,8 @@ CVE-2022-34010 RESERVED CVE-2022-34009 RESERVED -CVE-2022-34008 - RESERVED +CVE-2022-34008 (Comodo Antivirus 12.2.2.8012 has a quarantine flaw that allows privile ...) + TODO: check CVE-2022-34007 RESERVED CVE-2022-34006 (An issue was discovered in TitanFTP (aka Titan FTP) NextGen before 1.2 ...) @@ -356,8 +410,8 @@ CVE-2022-33997 RESERVED CVE-2022-33996 RESERVED -CVE-2022-33995 - RESERVED +CVE-2022-33995 (A path traversal issue in entry attachments in Devolutions Remote Desk ...) + TODO: check CVE-2022-33994 RESERVED CVE-2017-20091 @@ -2372,8 +2426,8 @@ CVE-2022-33147 RESERVED CVE-2022-33140 (The optional ShellUserGroupProvider in Apache NiFi 1.10.0 to 1.16.2 an ...) NOT-FOR-US: Apache NiFi -CVE-2022-33139 - RESERVED +CVE-2022-33139 (A vulnerability has been identified in SIMATIC WinCC OA V3.16 (All ver ...) + TODO: check CVE-2022-33138 RESERVED CVE-2022-33137 
@@ -2412,8 +2466,8 @@ CVE-2022-33121 RESERVED CVE-2022-33120 RESERVED -CVE-2022-33119 - RESERVED +CVE-2022-33119 (NUUO Network Video Recorder NVRsolo v03.06.02 was discovered to contai ...) + TODO: check CVE-2022-33118 RESERVED CVE-2022-33117 @@ -2538,10 +2592,10 @@ CVE-2022-33058 RESERVED CVE-2022-33057 RESERVED -CVE-2022-33056 - RESERVED -CVE-2022-33055 - RESERVED +CVE-2022-33056 (Online Railway Reservation System v1.0 was discovered to contain a SQL ...) + TODO: check +CVE-2022-33055 (Online Railway Reservation System v1.0 was discovered to contain a SQL ...) + TODO: check CVE-2022-33054 RESERVED CVE-2022-33053 @@ -2552,10 +2606,10 @@ CVE-2022-33051 RESERVED CVE-2022-33050 RESERVED -CVE-2022-33049 - RESERVED -CVE-2022-33048 - RESERVED +CVE-2022-33049 (Online Railway Reservation System v1.0 was discovered to contain a SQL ...) + TODO: check +CVE-2022-33048 (Online Railway Reservation System v1.0 was discovered to contain a SQL ...) + TODO: check CVE-2022-33047 RESERVED CVE-2022-33046 @@ -2708,8 +2762,7 @@ CVE-2022-2070 RESERVED CVE-2022-2069 RESERVED -CVE-2022-2068 [The c_rehash script allows command injection] - RESERVED +CVE-2022-2068 (In addition to the c_rehash shell command injection identified in CVE- ...) - openssl NOTE: https://github.com/openssl/openssl/commit/2c9c35870601b4a44d86ddbf512b38df38285cfa (openssl-3.0.4) NOTE: https://github.com/openssl/openssl/commit/9639817dac8bbbaa64d09efad7464ccc405527c7 (OpenSSL_1_1_1p) @@ -2799,10 +2852,10 @@ CVE-2022-32976 RESERVED CVE-2022-32975 RESERVED -CVE-2022-32974 - RESERVED -CVE-2022-32973 - RESERVED +CVE-2022-32974 (An authenticated attacker could read arbitrary files from the underlyi ...) + TODO: check +CVE-2022-32973 (An authenticated attacker could create an audit file that bypasses Pow ...) + TODO: check CVE-2022-32972 RESERVED CVE-2022-32969 
@@ -4127,8 +4180,8 @@ CVE-2022-32416 RESERVED CVE-2022-32415 RESERVED -CVE-2022-32414 - RESERVED +CVE-2022-32414 (Nginx NJS v0.7.2 was discovered to contain a segmentation violation in ...) + TODO: check CVE-2022-32413 RESERVED CVE-2022-32412 @@ -4547,7 +4600,7 @@ CVE-2022-32274 RESERVED CVE-2022-32273 (As a result of an observable discrepancy in returned messages, OPSWAT ...) NOT-FOR-US: OPSWAT MetaDefender Core -CVE-2022-32272 (OPSWAT MetaDefender Core (MDCore) before 5.1.2 has incorrect access co ...) +CVE-2022-32272 (OPSWAT MetaDefender Core before 5.1.2, Met
[Git][security-tracker-team/security-tracker][master] CVE-2022-31214/firejail: reference upstream backports
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 7492d950 by Sylvain Beucler at 2022-06-21T18:14:37+02:00 CVE-2022-31214/firejail: reference upstream backports - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7489,6 +7489,7 @@ CVE-2022-31214 (A Privilege Context Switching issue was discovered in join.c in NOTE: https://github.com/netblue30/firejail/commit/04ff0edf74395ddcbbcec955279c74ed9a6c0f86 (0.9.70) NOTE: https://github.com/netblue30/firejail/commit/dab835e7a0eb287822016f5ae4e87f46e1d363e7 (0.9.70) NOTE: https://github.com/netblue30/firejail/commit/1884ea22a90d225950d81c804f1771b42ae55f54 (0.9.70) + NOTE: https://github.com/netblue30/firejail/files/8913178/CVE-2022-31214.zip (0.9.58.2 - 0.9.68 backports) CVE-2022-31213 RESERVED CVE-2022-31212 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7492d950e731c98eace6713c47ff746219c8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7492d950e731c98eace6713c47ff746219c8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
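Review bot: the added NOTE references a zip attachment (`files/8913178/CVE-2022-31214.zip`) rather than a commit, unlike the three commit URLs above it; an uploaded attachment carries no hash tying it to reviewed upstream history and can be replaced or removed, so recording where it was attached (the upstream issue or comment) and, where possible, the upstream commit IDs the backports correspond to would keep the reference verifiable for the 0.9.58.2 - 0.9.68 range it is meant to cover.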
[Git][security-tracker-team/security-tracker][master] dla: claim firejail
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 620a by Sylvain Beucler at 2022-06-21T17:04:15+02:00 dla: claim firejail - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -60,7 +60,7 @@ exempi exo NOTE: 20220621: Programming language: C/GLib -- -firejail +firejail (Sylvain Beucler) NOTE: 20220616: Programming language: C -- firmware-nonfree View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/620a9130e8422d46b248bf516118b8e65d60 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/620a9130e8422d46b248bf516118b8e65d60 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Clarify upstream tag information for CVE-2022-2068
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c5538c44 by Salvatore Bonaccorso at 2022-06-21T16:36:59+02:00 Clarify upstream tag information for CVE-2022-2068 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2711,9 +2711,9 @@ CVE-2022-2069 CVE-2022-2068 [The c_rehash script allows command injection] RESERVED - openssl - NOTE: https://github.com/openssl/openssl/commit/2c9c35870601b4a44d86ddbf512b38df38285cfa (openssl-3.0) - NOTE: https://github.com/openssl/openssl/commit/9639817dac8bbbaa64d09efad7464ccc405527c7 (OpenSSL_1_1_1-stable) - NOTE: https://github.com/openssl/openssl/commit/7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9 (not public) + NOTE: https://github.com/openssl/openssl/commit/2c9c35870601b4a44d86ddbf512b38df38285cfa (openssl-3.0.4) + NOTE: https://github.com/openssl/openssl/commit/9639817dac8bbbaa64d09efad7464ccc405527c7 (OpenSSL_1_1_1p) + NOTE: https://github.com/openssl/openssl/commit/7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9 (not public, 1.0.2zf) NOTE: https://www.openssl.org/news/secadv/20220621.txt CVE-2022-2067 (SQL Injection in GitHub repository francoisjacquet/rosariosis prior to ...) NOT-FOR-US: francoisjacquet/rosariosis View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5538c445292adebfc6aefca76d0e1ccfd55895b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5538c445292adebfc6aefca76d0e1ccfd55895b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-2068/openssl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 258175c3 by Salvatore Bonaccorso at 2022-06-21T16:35:33+02:00 Add CVE-2022-2068/openssl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2708,8 +2708,13 @@ CVE-2022-2070 RESERVED CVE-2022-2069 RESERVED -CVE-2022-2068 +CVE-2022-2068 [The c_rehash script allows command injection] RESERVED + - openssl + NOTE: https://github.com/openssl/openssl/commit/2c9c35870601b4a44d86ddbf512b38df38285cfa (openssl-3.0) + NOTE: https://github.com/openssl/openssl/commit/9639817dac8bbbaa64d09efad7464ccc405527c7 (OpenSSL_1_1_1-stable) + NOTE: https://github.com/openssl/openssl/commit/7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9 (not public) + NOTE: https://www.openssl.org/news/secadv/20220621.txt CVE-2022-2067 (SQL Injection in GitHub repository francoisjacquet/rosariosis prior to ...) NOT-FOR-US: francoisjacquet/rosariosis CVE-2022-2066 (Cross-site Scripting (XSS) - Reflected in GitHub repository neorazorx/ ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/258175c3a56eec05873ba29be40242f1e530e6d0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/258175c3a56eec05873ba29be40242f1e530e6d0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 31661ef1 by Moritz Muehlenhoff at 2022-06-21T15:45:53+02:00 buster/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -461,6 +461,8 @@ CVE-2022-2124 (Buffer Over-read in GitHub repository vim/vim prior to 8.2. ...) NOTE: https://github.com/vim/vim/commit/2f074f4685897ab7212e25931eeeb0212292829f (v8.2.5120) CVE-2021-46823 (python-ldap before 3.4.0 is vulnerable to a denial of service when lda ...) - python-ldap 3.4.0-1 + [bullseye] - python-ldap (Minor issue) + [buster] - python-ldap (Minor issue) NOTE: https://github.com/python-ldap/python-ldap/security/advisories/GHSA-r8wq-qrxc-hmcm CVE-2021-46822 (The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoa ...) - libjpeg-turbo 1:2.1.1-1 @@ -12346,7 +12348,7 @@ CVE-2021-46784 - squid 5.6-1 - squid3 NOTE: https://github.com/squid-cache/squid/security/advisories/GHSA-f5cp-6rh3-284w - NOTE: Squid 4: http://www.squid-cache.org/Versions/v4/changesets/SQUID-2021_7.patch + NOTE: https://github.com/squid-cache/squid/commit/780c4ea1b4c9d2fb41f6962aa6ed73ae57f74b2b (v4) NOTE: Squid 5: http://www.squid-cache.org/Versions/v5/changesets/SQUID-2021_7.patch CVE-2022-29559 RESERVED @@ -17504,6 +17506,8 @@ CVE-2022-27812 RESERVED CVE-2022-27811 (GNOME OCRFeeder before 0.8.4 allows OS command injection via shell met ...) - ocrfeeder (bug #1008320) + [bullseye] - ocrfeeder (Minor issue) + [buster] - ocrfeeder (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/ocrfeeder/-/merge_requests/13 NOTE: https://gitlab.gnome.org/GNOME/ocrfeeder/-/commit/9209bce8afaf6fde19cdac7f5eaea1b744c3e79e (0.8.5) NOTE: https://gitlab.gnome.org/GNOME/ocrfeeder/-/commit/afea0e722f1d14eaf14bf0e5ebb444d3271ff1ef (0.8.5) 
@@ -25796,6 +25800,8 @@ CVE-2022-24860 (Databasir is a team-oriented relational database model document CVE-2022-24859 (PyPDF2 is an open source python PDF library capable of splitting, merg ...) {DLA-3039-1} - pypdf2 1.27.9-1 (bug #1009879) + [bullseye] - pypdf2 (Minor issue) + [buster] - pypdf2 (Minor issue) NOTE: https://github.com/py-pdf/PyPDF2/security/advisories/GHSA-xcjx-m2pj-8g79 NOTE: https://github.com/py-pdf/PyPDF2/issues/329 NOTE: https://github.com/py-pdf/PyPDF2/pull/740 @@ -47744,6 +47750,8 @@ CVE-2021-42837 (An issue was discovered in Talend Data Catalog before 7.3-202109 NOT-FOR-US: Talend Data Catalog CVE-2021-42836 (GJSON before 1.9.3 allows a ReDoS (regular expression denial of servic ...) - golang-github-tidwall-gjson (bug #1000225) + [bullseye] - golang-github-tidwall-gjson (Minor issue) + [buster] - golang-github-tidwall-gjson (Minor issue) NOTE: https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944 NOTE: https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96 NOTE: https://github.com/tidwall/gjson/issues/236 @@ -50514,6 +50522,8 @@ CVE-2021-42249 RESERVED CVE-2021-42248 (GJSON <= 1.9.2 allows attackers to cause a redos via crafted JSON i ...) - golang-github-tidwall-gjson (bug #1011616) + [bullseye] - golang-github-tidwall-gjson (Minor issue) + [buster] - golang-github-tidwall-gjson (Minor issue) NOTE: https://github.com/tidwall/gjson/issues/237 NOTE: https://github.com/tidwall/gjson/commit/77a57fda87dca6d0d7d4627d512a630f89a91c96 (v1.9.3) CVE-2021-42247 
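Review bot: the two gjson hunks (CVE-2021-42836 and CVE-2021-42248) both downgrade to "(Minor issue)" and both cite the same upstream commit 77a57fda87dca6d0d7d4627d512a630f89a91c96, but only the CVE-2021-42248 entry tags it "(v1.9.3)"; add the same tag in the CVE-2021-42836 entry, which otherwise has no fixed-version information even though its description ("GJSON before 1.9.3") says where the fix landed, and the two entries will stop disagreeing about the same commit.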
@@ -104016,6 +104026,8 @@ CVE-2021-21417 (fluidsynth is a software synthesizer based on the SoundFont 2 sp NOTE: https://github.com/FluidSynth/fluidsynth/security/advisories/GHSA-6fcq-pxhc-jxc9 CVE-2021-21416 (django-registration is a user registration package for Django. The dja ...) - python-django-registration (bug #987366) + [bullseye] - python-django-registration (Minor issue) + [buster] - python-django-registration (Minor issue) [stretch] - python-django-registration (Minor issue) NOTE: https://github.com/ubernostrum/django-registration/security/advisories/GHSA-58c7-px5v-82hh NOTE: https://github.com/ubernostrum/django-registration/commit/8206af081e239598cfd15d165d4d8ab9849ee23c @@ -106991,6 +107003,7 @@ CVE-2021-20292 (There is a flaw reported in the Linux kernel in versions before CVE-2021-20291 (A deadlock vulnerability was found in 'github.com/containers/storage' ...) [experimental] - golang-github-containers-storage 1.29.0+ds1-1 - golang-github-containers-storage 1.34.1+ds1-1 (bug #988942) + [bullseye] - golang-github-containers-storage (Minor issue) NOTE: https://git
[Git][security-tracker-team/security-tracker][master] netatalk references
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2960b590 by Moritz Muehlenhoff at 2022-06-21T14:11:24+02:00 netatalk references - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = 
@@ -32131,22 +32131,44 @@ CVE-2022-23125 RESERVED - netatalk 3.1.13~ds-1 NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html + NOTE: https://github.com/Netatalk/Netatalk/commit/d801ed421800bcd5df9045f7327c92cd4fc944aa CVE-2022-23124 RESERVED - netatalk 3.1.13~ds-1 NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html + NOTE: https://github.com/Netatalk/Netatalk/commit/4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d + NOTE: 4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d causes a regression: + NOTE: https://sourceforge.net/p/netatalk/mailman/netatalk-devel/thread/49864b1b-6aa1-6859-3f53-a2018598b8ce%40synology.com/#msg37632074 + NOTE: Probably the same as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013303 + NOTE: 3.1.13~ds-2 merged a patch: https://salsa.debian.org/netatalk-team/netatalk/-/commit/9b7e96c9023402d4f7aa49e28e13aef31aeb1caf + NOTE: but not reviewed/merged upstream so far CVE-2022-23123 RESERVED - netatalk 3.1.13~ds-1 NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html + NOTE: https://github.com/Netatalk/Netatalk/commit/a6fbccb0f2478108add188df023cfbb7428aac33 + NOTE: https://github.com/Netatalk/Netatalk/commit/4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d + NOTE: Causes a regression: + NOTE: https://sourceforge.net/p/netatalk/mailman/netatalk-devel/thread/49864b1b-6aa1-6859-3f53-a2018598b8ce%40synology.com/#msg37632074 + NOTE: Probably the same as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013303 + NOTE: 3.1.13~ds-2 merged a patch: https://salsa.debian.org/netatalk-team/netatalk/-/commit/9b7e96c9023402d4f7aa49e28e13aef31aeb1caf + NOTE: but not reviewed/merged upstream so far CVE-2022-23122 RESERVED - netatalk 3.1.13~ds-1 NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html + NOTE: https://github.com/Netatalk/Netatalk/commit/4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d + NOTE: Causes a regression: + NOTE: 
https://sourceforge.net/p/netatalk/mailman/netatalk-devel/thread/49864b1b-6aa1-6859-3f53-a2018598b8ce%40synology.com/#msg37632074 + NOTE: Probably the same as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013303 + NOTE: 3.1.13~ds-2 merged a patch: https://salsa.debian.org/netatalk-team/netatalk/-/commit/9b7e96c9023402d4f7aa49e28e13aef31aeb1caf + NOTE: but not reviewed/merged upstream so far CVE-2022-23121 RESERVED - netatalk 3.1.13~ds-1 NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html + NOTE: https://github.com/Netatalk/Netatalk/commit/0c0465e4e85a27105b61b3918df8f8df0565367c + NOTE: https://github.com/Netatalk/Netatalk/commit/62d4013c62be3b1b4a14f37057cb1c8f393c5fd1 CVE-2022-23120 (A code injection vulnerability in Trend Micro Deep Security and Cloud ...) NOT-FOR-US: Trend Micro CVE-2022-23119 (A directory traversal vulnerability in Trend Micro Deep Security and C ...) @@ -32191,6 +32213,12 @@ CVE-2022-0194 RESERVED - netatalk 3.1.13~ds-1 NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html + NOTE: https://github.com/Netatalk/Netatalk/commit/4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d + NOTE: Causes a regression: + NOTE: https://sourceforge.net/p/netatalk/mailman/netatalk-devel/thread/49864b1b-6aa1-6859-3f53-a2018598b8ce%40synology.com/#msg37632074 + NOTE: Probably the same as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1013303 + NOTE: 3.1.13~ds-2 merged a patch: https://salsa.debian.org/netatalk-team/netatalk/-/commit/9b7e96c9023402d4f7aa49e28e13aef31aeb1caf + NOTE: but not reviewed/merged upstream so far CVE-2022-0193 (The Complianz WordPress plugin before 6.0.0 does not escape the s para ...) NOT-FOR-US: WordPress plugin CVE-2022-0192 (A DLL search path vulnerability was reported in Lenovo PCManager prior ...) 
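Review bot: the regression attribution in the @@ -32131 hunk is inconsistent: under CVE-2022-23124 the note names the commit ("4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d causes a regression:"), but under CVE-2022-23123, where two commits (a6fbccb0f2478108add188df023cfbb7428aac33 and 4a8f6c964d5ca86df27c50e50dc1b60d39c9b76d) are listed, the note only says "Causes a regression:", which leaves it ambiguous which of the two is meant; name the hash there too. The same six-line regression/patch block is then pasted verbatim into CVE-2022-23124, CVE-2022-23123, CVE-2022-23122 and CVE-2022-0194; keeping it once and cross-referencing from the other entries would stop the copies drifting when the upstream status ("not reviewed/merged upstream so far") changes.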
@@ -41435,7 +41463,7 @@ CVE-2021-44268 CVE-2021-44267 RESERVED CVE-2021-44266 (GUnet Open eClass (aka openeclass) before 3.12.2 allows XSS via the mo ...) - NOT-FOR-US: GUnet Open eClass + NOT-FOR-US: GUnet Open eClass CVE-2021-44265 RESERVED CVE-2021-44264 @@ -77722,6 +77750,7 @@ CVE-2021-31440 (This vulnerability allows local attackers to escalate privileges CVE-2021-31439 (This vulnerability allows network-adjacent attackers to execute arbitr ...) - netatalk 3.1.13~ds-1 NOTE: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html +
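Review bot: the CVE-2021-44266 hunk removes and re-adds "NOT-FOR-US: GUnet Open eClass" with no visible difference between the two lines, i.e. a whitespace-only change; it has nothing to do with the "netatalk references" subject and would be easier to audit in its own cleanup commit.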
[Git][security-tracker-team/security-tracker][master] 7 commits: Triage CVE-2021-41458 in gpac for stretch LTS.
I (The OWASP Enterprise Security API) is a free, open source - libowasp-esapi-java 2.4.0.0-1 (bug #1010339) [bullseye] - libowasp-esapi-java (Minor issue) [buster] - libowasp-esapi-java (Minor issue) + [stretch] - libowasp-esapi-java (Minor issue) NOTE: https://securitylab.github.com/advisories/GHSL-2022-008_The_OWASP_Enterprise_Security_API/ NOTE: https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-8m5h-hrqm-pxm2 NOTE: https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt @@ -52491,6 +52499,7 @@ CVE-2021-41459 (There is a stack buffer overflow in MP4Box v1.0.1 at src/filters NOTE: Fixed by: https://github.com/gpac/gpac/commit/7d4538e104f2b3ff6a65a41394795654e6972339 (v2.0.0) CVE-2021-41458 (In GPAC MP4Box v1.1.0, there is a stack buffer overflow at src/utils/e ...) - gpac 2.0.0+dfsg1-2 + [stretch] - gpac (No longer supported in LTS) NOTE: https://github.com/gpac/gpac/issues/1910 NOTE: https://github.com/gpac/gpac/commit/74695dea7278e78af3db467e586233fe8773c07e (v2.0.0) CVE-2021-41457 (There is a stack buffer overflow in MP4Box 1.1.0 at src/filters/dmx_nh ...) = data/dla-needed.txt = 
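Review bot: "[stretch] - gpac (No longer supported in LTS)" is a bare package line with a free-text note, which the tracker still reads as an open (unfixed) issue for stretch; if the point is that gpac is outside LTS support, use the pseudo-version the file has for that, e.g. "[stretch] - gpac <end-of-life> (No longer supported in LTS)", so the entry stops showing up as pending for stretch.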
@@ -57,6 +57,9 @@ exempi NOTE: 20220517: A lot of packages reverse depends on libexmpi8. Further analysis NOTE: 20220517: is needed. -- +exo + NOTE: 20220621: Programming language: C/GLib +-- firejail NOTE: 20220616: Programming language: C -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5dfb8dbfc0d49c53b8f81d85533effc7b36895f4...640c566fc40da1a03cf9ee8f77d36c53ff14cce5
[Git][security-tracker-team/security-tracker][master] gen-DSA: check for extra cve file only for first dist
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 5dfb8dbf by Emilio Pozuelo Monfort at 2022-06-21T13:27:06+02:00 gen-DSA: check for extra cve file only for first dist If the advisory is for multiple distributions, check for the extra cve file in the first one. - - - - - 1 changed file: - bin/gen-DSA Changes: = bin/gen-DSA = @@ -415,7 +415,10 @@ EOF if [ "$IDMODE" = "DLA" ] || [ "$IDMODE" = "ELA" ]; then idmode=$(echo "$IDMODE" | tr A-Z a-z) if [ -n "${DISTS}" ]; then - extracvefile=`jq -r ".distributions.${DISTS}.maincvefile // empty" data/config.json` + # in case the advisory applies to several dists, we only look for an + # extra cve file in the first one + DIST="`echo ${DISTS} | sed 's/,.*//'`" + extracvefile=`jq -r ".distributions.${DIST}.maincvefile // empty" data/config.json` fi if [ -d .git ]; then echo "Made the following changes:" View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5dfb8dbfc0d49c53b8f81d85533effc7b36895f4
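Review bot: the new DIST line spawns two processes and mixes styles for a plain prefix cut: `DIST="`echo ${DISTS} | sed 's/,.*//'`"` uses backticks and an unquoted ${DISTS}, while the line just above it (`idmode=$(echo "$IDMODE" | tr A-Z a-z)`) uses $(...) and quotes its variable. `DIST="${DISTS%%,*}"` is POSIX parameter expansion that drops the first comma and everything after it with no subshell and no word splitting; the jq line that follows could move to $(...) at the same time since it is being touched anyway. The comment also states an assumption nothing checks: that the first dist in the list is the one whose maincvefile entry in data/config.json applies to the whole advisory. If a later dist could carry a different maincvefile, either loop over the list or say in the comment that the first one wins by design.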
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9bea29cf by Salvatore Bonaccorso at 2022-06-21T13:23:19+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -466,35 +466,35 @@ CVE-2021-46822 (The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of - libjpeg-turbo 1:2.1.1-1 NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/f35fd27ec641c42d6b115bfa595e483ec58188d2 (2.1.0) CVE-2017-20081 (A vulnerability, which was classified as critical, was found in Hindu ...) - TODO: check + NOT-FOR-US: Hindu Matrimonial Script CVE-2017-20080 (A vulnerability, which was classified as critical, has been found in H ...) - TODO: check + NOT-FOR-US: Hindu Matrimonial Script CVE-2017-20079 (A vulnerability classified as critical was found in Hindu Matrimonial ...) - TODO: check + NOT-FOR-US: Hindu Matrimonial Script CVE-2017-20078 (A vulnerability classified as critical has been found in Hindu Matrimo ...) - TODO: check + NOT-FOR-US: Hindu Matrimonial Script CVE-2017-20077 (A vulnerability was found in Hindu Matrimonial Script. It has been rat ...) - TODO: check + NOT-FOR-US: Hindu Matrimonial Script CVE-2017-20076 (A vulnerability was found in Hindu Matrimonial Script. It has been dec ...) - TODO: check + NOT-FOR-US: Hindu Matrimonial Script CVE-2017-20075 (A vulnerability was found in Hindu Matrimonial Script. It has been cla ...) - TODO: check + NOT-FOR-US: Hindu Matrimonial Script CVE-2017-20074 (A vulnerability was found in Hindu Matrimonial Script and classified a ...) - TODO: check + NOT-FOR-US: Hindu Matrimonial Script CVE-2017-20073 (A vulnerability has been found in Hindu Matrimonial Script and classif ...) - TODO: check + NOT-FOR-US: Hindu Matrimonial Script CVE-2017-20072 (A vulnerability, which was classified as critical, was found in Hindu ...) - TODO: check + NOT-FOR-US: Hindu Matrimonial Script CVE-2017-20071 (A vulnerability, which was classified as critical, has been found in H ...) - TODO: check + NOT-FOR-US: Hindu Matrimonial Script CVE-2017-20070 (A vulnerability classified as critical was found in Hindu Matrimonial ...) 
- TODO: check + NOT-FOR-US: Hindu Matrimonial Script CVE-2017-20069 (A vulnerability classified as critical has been found in Hindu Matrimo ...) - TODO: check + NOT-FOR-US: Hindu Matrimonial Script CVE-2017-20068 (A vulnerability was found in Hindu Matrimonial Script. It has been rat ...) - TODO: check + NOT-FOR-US: Hindu Matrimonial Script CVE-2017-20067 (A vulnerability was found in Hindu Matrimonial Script. It has been dec ...) - TODO: check + NOT-FOR-US: Hindu Matrimonial Script CVE-2017-20066 (A vulnerability has been found in Adminer Login 1.4.4 and classified a ...) TODO: check CVE-2017-20065 (A vulnerability was found in Supsystic Popup Plugin 1.7.6 and classifi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9bea29cfaf259ea36801e5984de433277b83df49
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3055-1 for ntfs-3g
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 9da6b34f by Sylvain Beucler at 2022-06-21T13:21:40+02:00 Reserve DLA-3055-1 for ntfs-3g - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[21 Jun 2022] DLA-3055-1 ntfs-3g - security update + {CVE-2022-30783 CVE-2022-30784 CVE-2022-30785 CVE-2022-30786 CVE-2022-30787 CVE-2022-30788 CVE-2022-30789} + [stretch] - ntfs-3g 1:2016.2.22AR.1+dfsg-1+deb9u3 [20 Jun 2022] DLA-3054-1 sleuthkit - security update {CVE-2017-13755 CVE-2017-13756 CVE-2017-13760 CVE-2018-19497 CVE-2020-10232 CVE-2019-1010065} [stretch] - sleuthkit 4.4.0-5+deb9u1 = data/dla-needed.txt = @@ -191,11 +191,6 @@ ncurses (Thorsten Alteholz) netatalk NOTE: 20220616: Programming language: C. -- -ntfs-3g (Sylvain Beucler) - NOTE: 20220529: Programming language: C. - NOTE: 20220515: Please recheck. There are currently not enough information - NOTE: available. (apo) --- nvidia-cuda-toolkit NOTE: 20220529: Programming language: C. NOTE: 20220331: package is in non-free but also in packages-to-support (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9da6b34ff94123c04dd9dedfba3702d0ddef7fcb
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8f0baa43 by Moritz Muehlenhoff at 2022-06-21T12:45:13+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7378,6 +7378,7 @@ CVE-2022-31249 RESERVED CVE-2022-31248 RESERVED + NOT-FOR-US: Uyuni CVE-2022-31247 RESERVED CVE-2022-1807 @@ -38559,6 +38560,7 @@ CVE-2022-21953 RESERVED CVE-2022-21952 RESERVED + NOT-FOR-US: Uyuni CVE-2022-21951 (A Missing Encryption of Sensitive Data vulnerability in SUSE Rancher, ...) NOT-FOR-US: Rancher CVE-2022-21950 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f0baa436d11d4a65c20af9177a2d784e976a9ce
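Review bot: both hunks attach "NOT-FOR-US: Uyuni" to entries that are still RESERVED, with no description and no NOTE naming a source, so nothing on the line shows why CVE-2022-31248 and CVE-2022-21952 belong to Uyuni; add a NOTE with the advisory URL the attribution came from, the way other NOT-FOR-US entries in this file carry one, so it can be checked once the CVE text is published.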
[Git][security-tracker-team/security-tracker][master] 2 commits: Mark CVE-2020-25073/plinth as not-affected in stretch.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 231095f4 by Chris Lamb at 2022-06-21T09:42:01+01:00 Mark CVE-2020-25073/plinth as not-affected in stretch. - - - - - 93bf53e5 by Chris Lamb at 2022-06-21T09:42:02+01:00 Mark CVE-2021-/plinth as ignored for stretch LTS; not possible to backport fix due to Django compat. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -83517,7 +83517,7 @@ CVE-2021- [first_boot: Use session to verify first boot welcome step] - freedombox 21.4.2 - plinth [buster] - plinth 19.1+deb10u2 - [stretch] - plinth (Minor issue) + [stretch] - plinth (Minor issue; Not possible to backport fix due to cookie/session support) NOTE: https://salsa.debian.org/freedombox-team/freedombox/-/issues/2074 NOTE: https://salsa.debian.org/freedombox-team/freedombox/-/commit/f2005f56aa44d15c0fb82c5211c548a575961b03 CVE-2021-29273 @@ -125717,7 +125717,7 @@ CVE-2020-25069 (USVN (aka User-friendly SVN) before 1.0.10 allows attackers to e CVE-2020-25073 (FreedomBox through 20.13 allows remote attackers to obtain sensitive i ...) - plinth 20.14 [buster] - plinth 19.1+deb10u1 - [stretch] - plinth (Minor issue) + [stretch] - plinth (in-depth Apache integration added in 0.15.2) NOTE: https://salsa.debian.org/freedombox-team/freedombox/-/issues/1935 NOTE: https://salsa.debian.org/freedombox-team/freedombox/-/commit/822c322d20d12f81c6cfca47b66f900542a5aac2 CVE-2020-25068 (Setelsa Conacwin v3.7.1.2 is vulnerable to a local file inclusion vuln ...) = data/dla-needed.txt = 
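Review bot: the second hunk does not do what the commit message says. "[stretch] - plinth (in-depth Apache integration added in 0.15.2)" has no pseudo-version, so it is still a plain unfixed line with a comment and the tracker keeps CVE-2020-25073 open for stretch; marking stretch not affected takes the form "[stretch] - plinth <not-affected> (in-depth Apache integration added in 0.15.2)". The first hunk has the same gap: the message says "ignored for stretch LTS", but the line only changes the parenthetical to "(Minor issue; Not possible to backport fix due to cookie/session support)" rather than adding <ignored>.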
@@ -228,10 +228,6 @@ pdns php-horde-turba NOTE: 20220603: Programming language: PHP. -- -plinth (Chris Lamb) - NOTE: 20220529: Programming language: Python. - NOTE: 20220524: Follow buster: harmonize with with Debian 10.7 and 10.10 (2 CVEs) (Beuc/front-desk) --- postgresql-9.6 (Roberto C. Sánchez) NOTE: 20220529: Programming language: C. NOTE: 20220523: cf. DSA-5135-1/DSA-5136-1 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c3f05b998cd855bf461dcdb23b5f0d027e014d20...93bf53e5ae34af4d26ef198842e3bffbd5330e5a
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c3f05b99 by security tracker role at 2022-06-21T08:10:13+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -465,40 +465,40 @@ CVE-2021-46823 (python-ldap before 3.4.0 is vulnerable to a denial of service wh CVE-2021-46822 (The PPM reader in libjpeg-turbo through 2.0.90 mishandles use of tjLoa ...) - libjpeg-turbo 1:2.1.1-1 NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/f35fd27ec641c42d6b115bfa595e483ec58188d2 (2.1.0) -CVE-2017-20081 - RESERVED -CVE-2017-20080 - RESERVED -CVE-2017-20079 - RESERVED -CVE-2017-20078 - RESERVED -CVE-2017-20077 - RESERVED -CVE-2017-20076 - RESERVED -CVE-2017-20075 - RESERVED -CVE-2017-20074 - RESERVED -CVE-2017-20073 - RESERVED -CVE-2017-20072 - RESERVED -CVE-2017-20071 - RESERVED -CVE-2017-20070 - RESERVED -CVE-2017-20069 - RESERVED -CVE-2017-20068 - RESERVED -CVE-2017-20067 - RESERVED -CVE-2017-20066 - RESERVED -CVE-2017-20065 - RESERVED +CVE-2017-20081 (A vulnerability, which was classified as critical, was found in Hindu ...) + TODO: check +CVE-2017-20080 (A vulnerability, which was classified as critical, has been found in H ...) + TODO: check +CVE-2017-20079 (A vulnerability classified as critical was found in Hindu Matrimonial ...) + TODO: check +CVE-2017-20078 (A vulnerability classified as critical has been found in Hindu Matrimo ...) + TODO: check +CVE-2017-20077 (A vulnerability was found in Hindu Matrimonial Script. It has been rat ...) + TODO: check +CVE-2017-20076 (A vulnerability was found in Hindu Matrimonial Script. It has been dec ...) + TODO: check +CVE-2017-20075 (A vulnerability was found in Hindu Matrimonial Script. It has been cla ...) + TODO: check +CVE-2017-20074 (A vulnerability was found in Hindu Matrimonial Script and classified a ...) + TODO: check +CVE-2017-20073 (A vulnerability has been found in Hindu Matrimonial Script and classif ...) + TODO: check +CVE-2017-20072 (A vulnerability, which was classified as critical, was found in Hindu ...) + TODO: check +CVE-2017-20071 (A vulnerability, which was classified as critical, has been found in H ...) 
+ TODO: check +CVE-2017-20070 (A vulnerability classified as critical was found in Hindu Matrimonial ...) + TODO: check +CVE-2017-20069 (A vulnerability classified as critical has been found in Hindu Matrimo ...) + TODO: check +CVE-2017-20068 (A vulnerability was found in Hindu Matrimonial Script. It has been rat ...) + TODO: check +CVE-2017-20067 (A vulnerability was found in Hindu Matrimonial Script. It has been dec ...) + TODO: check +CVE-2017-20066 (A vulnerability has been found in Adminer Login 1.4.4 and classified a ...) + TODO: check +CVE-2017-20065 (A vulnerability was found in Supsystic Popup Plugin 1.7.6 and classifi ...) + TODO: check CVE-2017-20064 (A vulnerability was found in Elefant CMS 1.3.12-RC. It has been declar ...) NOT-FOR-US: Elefant CMS CVE-2017-20063 (A vulnerability was found in Elefant CMS 1.3.12-RC. It has been classi ...) @@ -7783,8 +7783,8 @@ CVE-2022-31064 RESERVED CVE-2022-31063 RESERVED -CVE-2022-31062 - RESERVED +CVE-2022-31062 (### Impact A plugin public script can be used to read content of syste ...) + TODO: check CVE-2022-31061 RESERVED CVE-2022-31060 (Discourse is an open-source discussion platform. Prior to version 2.8. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c3f05b998cd855bf461dcdb23b5f0d027e014d20