[Git][security-tracker-team/security-tracker][master] CVE-2019-15167,tcpdump: Earliest fix was in 4.9.3-1~deb10u1
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 93072b33 by Markus Koschany at 2022-09-01T07:28:44+02:00 CVE-2019-15167,tcpdump: Earliest fix was in 4.9.3-1~deb10u1 CVE-2019-15167 is also fixed in Buster, correct the version accordingly. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -214884,7 +214884,7 @@ CVE-2019-15169 CVE-2019-15168 RESERVED CVE-2019-15167 (The VRRP parser in tcpdump before 4.9.3 has a buffer over-read in prin ...) - - tcpdump 4.9.3-1 + - tcpdump 4.9.3-1~deb10u1 NOTE: Fixed by: https://github.com/the-tcpdump-group/tcpdump/commit/a152aebfd1114376ba266ed30416be596ef9d806 (tcpdump-4.9.3) CVE-2019-15166 (lmp_print_data_link_subobjs() in print-lmp.c in tcpdump before 4.9.3 l ...) {DSA-4547-1 DLA-1955-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93072b331a738474a9b1430441cfa863bf35b275 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93072b331a738474a9b1430441cfa863bf35b275 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
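Review bot: the tcpdump package line now reads 4.9.3-1~deb10u1, but the CVE-2019-15167 entry still carries no advisory cross-reference in braces, while the neighbouring CVE-2019-15166 has {DSA-4547-1 DLA-1955-1}; if the ~deb10u1 upload was the buster security update, the matching DSA (and DLA, if any) id should be added in braces so the tracker attributes the fix to the advisory rather than only to a version string.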
[Git][security-tracker-team/security-tracker][master] Add three new tiff issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6bf3d59d by Salvatore Bonaccorso at 2022-08-31T23:20:21+02:00 Add three new tiff issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -7053,11 +7053,23 @@ CVE-2022-2522 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to NOTE: https://huntr.dev/bounties/3a2d83af-9542-4d93-8784-98b115135a22 NOTE: https://github.com/vim/vim/commit/5fa9f23a63651a8abdb074b4fc2ec9b1adc6b089 (v9.0.0061) CVE-2022-2521 (It was found in libtiff 4.4.0rc1 that there is an invalid pointer free ...) - TODO: check + - tiff + NOTE: https://gitlab.com/libtiff/libtiff/-/issues/422 + NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/378 + NOTE: https://gitlab.com/libtiff/libtiff/-/commit/8fe3735942ea1d90d8cef843b55b3efe8ab6feaf + NOTE: https://gitlab.com/libtiff/libtiff/-/commit/bad48e90b410df32172006c7876da449ba62cdba CVE-2022-2520 (A flaw was found in libtiff 4.4.0rc1. There is a sysmalloc assertion f ...) - TODO: check + - tiff + NOTE: https://gitlab.com/libtiff/libtiff/-/issues/424 + NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/378 + NOTE: https://gitlab.com/libtiff/libtiff/-/commit/8fe3735942ea1d90d8cef843b55b3efe8ab6feaf + NOTE: https://gitlab.com/libtiff/libtiff/-/commit/bad48e90b410df32172006c7876da449ba62cdba CVE-2022-2519 (There is a double free or corruption in rotateImage() at tiffcrop.c:88 ...) - TODO: check +- tiff + NOTE: https://gitlab.com/libtiff/libtiff/-/issues/423 + NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/378 + NOTE: https://gitlab.com/libtiff/libtiff/-/commit/8fe3735942ea1d90d8cef843b55b3efe8ab6feaf + NOTE: https://gitlab.com/libtiff/libtiff/-/commit/bad48e90b410df32172006c7876da449ba62cdba CVE-2022-2518 RESERVED CVE-2022-2517 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6bf3d59d783d98fcc5e19b21a4b6485382a75206 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6bf3d59d783d98fcc5e19b21a4b6485382a75206 You're receiving this email because of your account on salsa.debian.org. 
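Review bot: the package line added for CVE-2022-2519 appears as "+- tiff", without the leading indentation that the CVE-2022-2521 and CVE-2022-2520 lines ("+ - tiff") have; unless that is an artefact of the mail rendering, it must be indented like the other two, since an unindented line is not read as part of the CVE-2022-2519 entry. All three entries also cite the same merge request and the same two commits with no release tag; once the fix lands in an upstream release, appending it in parentheses as done elsewhere in the file makes the fixed version explicit.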
[Git][security-tracker-team/security-tracker][master] Add two new wolfssl issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a5c9affd by Salvatore Bonaccorso at 2022-08-31T23:15:09+02:00 Add two new wolfssl issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2783,9 +2783,11 @@ CVE-2022-38155 (TEE_Malloc in Samsung mTower through 0.3.0 allows a trusted appl CVE-2022-38154 RESERVED CVE-2022-38153 (An issue was discovered in wolfSSL before 5.5.0 (when --enable-session ...) - TODO: check + - wolfssl + NOTE: https://github.com/wolfSSL/wolfssl/pull/5476 CVE-2022-38152 (An issue was discovered in wolfSSL before 5.5.0. When a TLS 1.3 client ...) - TODO: check + - wolfssl + NOTE: https://github.com/wolfSSL/wolfssl/pull/5468 CVE-2022-38151 RESERVED CVE-2022-38149 (HashiCorp Consul Template through 0.29.1 inserts Sensitive Information ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5c9affd59b3360f569cb37d2afb8fb584345ff0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5c9affd59b3360f569cb37d2afb8fb584345ff0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
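Review bot: the two NOTE lines reference wolfSSL pull requests 5476 and 5468 without a release tag, while both descriptions say "before 5.5.0"; elsewhere in this file fix references carry the upstream release in parentheses, so appending the 5.5.0 release tag (in whatever form upstream uses) would record the fixed version rather than leaving it implicit in the truncated description.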
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-3028/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3de98831 by Salvatore Bonaccorso at 2022-08-31T22:31:35+02:00 Add CVE-2022-3028/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -694,7 +694,9 @@ CVE-2022-3030 CVE-2022-3029 RESERVED CVE-2022-3028 (A race condition was found in the Linux kernel's IP framework for tran ...) - TODO: check + - linux + NOTE: https://lore.kernel.org/all/ytowqekkzvimz...@gondor.apana.org.au/T/ + NOTE: https://git.kernel.org/linus/ba953a9d89a00c078b85f4b190bc1dde66fe16b5 (6.0-rc3) CVE-2022-3027 RESERVED CVE-2022-3026 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3de9883144bdbd8b2f52020125e10592a69eda10 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3de9883144bdbd8b2f52020125e10592a69eda10 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
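Review bot: the lore.kernel.org NOTE has an elided message-id ("ytowqekkzvimz...@gondor.apana.org.au"), so the URL as shown will not resolve; check that the committed line contains the full message-id and that the mangling exists only in this notification's rendering. The second NOTE, with the linus commit and the (6.0-rc3) tag, is in the expected form.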
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7cd3078c by Salvatore Bonaccorso at 2022-08-31T22:24:37+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -635,7 +635,7 @@ CVE-2022-38814 CVE-2022-38813 RESERVED CVE-2022-38812 (AeroCMS 0.1.1 is vulnerable to SQL Injection via the author parameter. ...) - TODO: check + NOT-FOR-US: AeroCMS CVE-2022-38811 RESERVED CVE-2022-38810 @@ -2037,7 +2037,7 @@ CVE-2022-2867 (libtiff's tiffcrop utility has a uint32_t underflow that can lead NOTE: https://gitlab.com/libtiff/libtiff/-/issues/351 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c (v4.4.0rc1) CVE-2022-2866 (FATEK FvDesigner version 1.5.103 and prior is vulnerable to an out-of- ...) - TODO: check + NOT-FOR-US: FATEK FvDesigner CVE-2022-2865 RESERVED [experimental] - gitlab 15.2.3+ds1-1 @@ -2855,9 +2855,9 @@ CVE-2022-36351 CVE-2022-33893 RESERVED CVE-2022-2759 (Delta Electronics Delta Robot Automation Studio (DRAS) versions prior ...) - TODO: check + NOT-FOR-US: Delta Electronics CVE-2022-2758 (All versions of LS Industrial Systems (LSIS) Co. Ltd LS Electric PLCs ...) - TODO: check + NOT-FOR-US: LS Industrial Systems (LSIS) Co. Ltd CVE-2022-2757 RESERVED CVE-2022-2756 (Server-Side Request Forgery (SSRF) in GitHub repository kareadita/kavi ...) @@ -5193,7 +5193,7 @@ CVE-2022-37186 CVE-2022-37185 RESERVED CVE-2022-37184 (The application manage_website.php on Garage Management System 1.0 is ...) - TODO: check + NOT-FOR-US: Garage Management System CVE-2022-37183 (Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/ ...) - piwigo CVE-2022-37182 @@ -5317,7 +5317,7 @@ CVE-2022-37124 CVE-2022-37123 RESERVED CVE-2022-37122 (Carel pCOWeb HVAC BACnet Gateway 2.1.0, Firmware: A2.1.0 - B2.1.0, App ...) - TODO: check + NOT-FOR-US: Carel pCOWeb HVAC BACnet Gateway CVE-2022-37121 RESERVED CVE-2022-37120 
@@ -7391,7 +7391,7 @@ CVE-2022-33949 CVE-2022-32575 RESERVED CVE-2022-2485 (Any attempt (good or bad) to log into AutomationDirect Stride Field I/ ...) - TODO: check + NOT-FOR-US: AutomationDirect CVE-2022-2484 RESERVED CVE-2022-2483 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cd3078cb13770a97d4a2658db7593f9db3692bd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cd3078cb13770a97d4a2658db7593f9db3692bd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
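Review bot: in the @@ -2855 hunk, CVE-2022-2758 gets "NOT-FOR-US: LS Industrial Systems (LSIS) Co. Ltd", which copies the full legal name from the description; the other entries in this push use the short vendor or product name (AeroCMS, FATEK FvDesigner, Delta Electronics, Carel pCOWeb HVAC BACnet Gateway), so "LS Industrial Systems" alone would be more consistent.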
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-37183/piwigo
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 41913e67 by Salvatore Bonaccorso at 2022-08-31T22:23:22+02:00 Add CVE-2022-37183/piwigo - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5195,7 +5195,7 @@ CVE-2022-37185 CVE-2022-37184 (The application manage_website.php on Garage Management System 1.0 is ...) TODO: check CVE-2022-37183 (Piwigo 12.3.0 is vulnerable to Cross Site Scripting (XSS) via /search/ ...) - TODO: check + - piwigo CVE-2022-37182 RESERVED CVE-2022-37181 (72crm 9.0 has an Arbitrary file upload vulnerability. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41913e675c1ba870cb7b614924cb5fdea7a6cd82 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41913e675c1ba870cb7b614924cb5fdea7a6cd82 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 777ecff8 by Salvatore Bonaccorso at 2022-08-31T22:19:53+02:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -35394,9 +35394,9 @@ CVE-2022-26333 CVE-2022-26332 (Cipi 3.1.15 allows Add Server stored XSS via the /api/servers name fie ...) NOT-FOR-US: Cipi CVE-2022-26331 (Potential vulnerabilities have been identified in Micro Focus ArcSight ...) - TODO: check + NOT-FOR-US: Micro Focus CVE-2022-26330 (Potential vulnerabilities have been identified in Micro Focus ArcSight ...) - TODO: check + NOT-FOR-US: Micro Focus CVE-2022-26329 RESERVED CVE-2022-26328 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/777ecff8dc99dd70e5e8c8f259fb391095be9409 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/777ecff8dc99dd70e5e8c8f259fb391095be9409 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2022-39047/freeciv fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 42983945 by Salvatore Bonaccorso at 2022-08-31T22:17:15+02:00 CVE-2022-39047/freeciv fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1972,7 +1972,7 @@ CVE-2022-2877 CVE-2022-2876 (A vulnerability, which was classified as critical, was found in Source ...) NOT-FOR-US: SourceCodester CVE-2022-39047 (Freeciv before 2.6.7 and before 3.0.3 is prone to a buffer overflow vu ...) - - freeciv (bug #1017579) + - freeciv 3.0.3-1 (bug #1017579) [bullseye] - freeciv (Minor issue) [buster] - freeciv (Minor issue) NOTE: https://osdn.net/projects/freeciv/ticket/45299 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4298394540a26c7a18aeae698167101d34b950a9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4298394540a26c7a18aeae698167101d34b950a9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2963291a by security tracker role at 2022-08-31T20:10:36+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,65 @@ +CVE-2022-39077 + RESERVED +CVE-2022-39076 + RESERVED +CVE-2022-39075 + RESERVED +CVE-2022-39074 + RESERVED +CVE-2022-39073 + RESERVED +CVE-2022-39072 + RESERVED +CVE-2022-39071 + RESERVED +CVE-2022-39070 + RESERVED +CVE-2022-39069 + RESERVED +CVE-2022-39068 + RESERVED +CVE-2022-39067 + RESERVED +CVE-2022-39066 + RESERVED +CVE-2022-39065 + RESERVED +CVE-2022-39064 + RESERVED +CVE-2022-39063 + RESERVED +CVE-2022-39062 + RESERVED +CVE-2022-39061 + RESERVED +CVE-2022-39060 + RESERVED +CVE-2022-39059 + RESERVED +CVE-2022-39058 + RESERVED +CVE-2022-39057 + RESERVED +CVE-2022-39056 + RESERVED +CVE-2022-39055 + RESERVED +CVE-2022-39054 + RESERVED +CVE-2022-39053 + RESERVED +CVE-2022-39052 + RESERVED +CVE-2022-39051 + RESERVED +CVE-2022-39050 + RESERVED +CVE-2022-39049 + RESERVED +CVE-2022-3069 + RESERVED +CVE-2022-3068 + RESERVED CVE-2022-39048 RESERVED CVE-2022-39046 (An issue was discovered in the GNU C Library (glibc) 2.36. When the sy ...) @@ -168,7 +230,7 @@ CVE-2022-3038 RESERVED - chromium [buster] - chromium (see DSA 5046) -CVE-2022-3037 (Use After Free in GitHub repository vim/vim prior to 9.0.0321. ...) +CVE-2022-3037 (Use After Free in GitHub repository vim/vim prior to 9.0.0322. ...) - vim NOTE: https://huntr.dev/bounties/af4c2f2d-d754-4607-b565-9e92f3f717b5 NOTE: https://github.com/vim/vim/commit/4f1b083be43f351bc107541e7b0c9655a5d2c0bb (v9.0.0322) @@ -572,8 +634,8 @@ CVE-2022-38814 RESERVED CVE-2022-38813 RESERVED -CVE-2022-38812 - RESERVED +CVE-2022-38812 (AeroCMS 0.1.1 is vulnerable to SQL Injection via the author parameter. ...) + TODO: check CVE-2022-38811 RESERVED CVE-2022-38810 
@@ -631,8 +693,8 @@ CVE-2022-3030 RESERVED CVE-2022-3029 RESERVED -CVE-2022-3028 - RESERVED +CVE-2022-3028 (A race condition was found in the Linux kernel's IP framework for tran ...) + TODO: check CVE-2022-3027 RESERVED CVE-2022-3026 @@ -1253,7 +1315,7 @@ CVE-2022-38627 RESERVED CVE-2022-38626 RESERVED -CVE-2022-38625 (Patlite NH-FB v1.46 and below was discovered to contain insufficient f ...) +CVE-2022-38625 (** DISPUTED ** Patlite NH-FB v1.46 and below was discovered to contain ...) NOT-FOR-US: Patlite NH-FB CVE-2022-38624 RESERVED @@ -1974,8 +2036,8 @@ CVE-2022-2867 (libtiff's tiffcrop utility has a uint32_t underflow that can lead NOTE: https://gitlab.com/libtiff/libtiff/-/issues/350 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/351 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/07d79fcac2ead271b60e32aeb80f7b4f3be9ac8c (v4.4.0rc1) -CVE-2022-2866 - RESERVED +CVE-2022-2866 (FATEK FvDesigner version 1.5.103 and prior is vulnerable to an out-of- ...) + TODO: check CVE-2022-2865 RESERVED [experimental] - gitlab 15.2.3+ds1-1 @@ -2718,10 +2780,10 @@ CVE-2022-38155 (TEE_Malloc in Samsung mTower through 0.3.0 allows a trusted appl NOT-FOR-US: Samsung mTower CVE-2022-38154 RESERVED -CVE-2022-38153 - RESERVED -CVE-2022-38152 - RESERVED +CVE-2022-38153 (An issue was discovered in wolfSSL before 5.5.0 (when --enable-session ...) + TODO: check +CVE-2022-38152 (An issue was discovered in wolfSSL before 5.5.0. When a TLS 1.3 client ...) + TODO: check CVE-2022-38151 RESERVED CVE-2022-38149 (HashiCorp Consul Template through 0.29.1 inserts Sensitive Information ...) 
@@ -2792,10 +2854,10 @@ CVE-2022-36351 RESERVED CVE-2022-33893 RESERVED -CVE-2022-2759 - RESERVED -CVE-2022-2758 - RESERVED +CVE-2022-2759 (Delta Electronics Delta Robot Automation Studio (DRAS) versions prior ...) + TODO: check +CVE-2022-2758 (All versions of LS Industrial Systems (LSIS) Co. Ltd LS Electric PLCs ...) + TODO: check CVE-2022-2757 RESERVED CVE-2022-2756 (Server-Side Request Forgery (SSRF) in GitHub repository kareadita/kavi ...) @@ -4768,7 +4830,7 @@ CVE-2022-36281 RESERVED CVE-2022-33940 RESERVED -CVE-2022-2625 (A vulnerability found in postgresql. On this security issue an attack ...) +CVE-2022-2625 (A vulnerability was found in PostgreSQL. This attack requires permissi ...) {DLA-3072-1} - postgresql-14 14.5-1 - postgresql-13 @@ -5130,10 +5192,10 @@ CVE-2022-37186 RESERVED CVE-2022-37185 RESERVED -CVE-2022-37184 -
[Git][security-tracker-team/security-tracker][master] 3 commits: Wrap slightly a long note
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d193dd3 by Salvatore Bonaccorso at 2022-08-31T14:28:56+02:00 Wrap slightly a long note - - - - - c7a140b5 by Salvatore Bonaccorso at 2022-08-31T14:28:57+02:00 CVE-2022-35252: Reference upstream information and upstream tag - - - - - a5b5c0e9 by Salvatore Bonaccorso at 2022-08-31T14:44:35+02:00 Add Debian bug reference for CVE-2022-35252/curl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9133,7 +9133,9 @@ CVE-2022-35583 (wkhtmlTOpdf 0.12.6 is vulnerable to SSRF which allows an attacke - wkhtmltopdf (unimportant) NOTE: https://cyber-guy.gitbook.io/cyber-guys-blog/blogs/initial-access-via-pdf-file-silently NOTE: https://github.com/wkhtmltopdf/wkhtmltopdf/issues/5249 - NOTE: By design, wkhtmltopdf retrieves external resources. If it is employed inside a protected network in an automated way, a malicious actor may access internal resources. A user of wkhtmltopdf should restrict such access. + NOTE: By design, wkhtmltopdf retrieves external resources. If it is employed inside + NOTE: a protected network in an automated way, a malicious actor may access internal + NOTE: resources. A user of wkhtmltopdf should restrict such access. CVE-2022-35582 RESERVED CVE-2022-35581 
@@ -10010,9 +10012,10 @@ CVE-2022-35253 RESERVED CVE-2022-35252 RESERVED - - curl + - curl (bug #1018831) [bullseye] - curl (Minor issue) - NOTE: https://github.com/curl/curl/commit/8dfc93e573ca740544a2d79ebb + NOTE: https://curl.se/docs/CVE-2022-35252.html + NOTE: Fixed by: https://github.com/curl/curl/commit/8dfc93e573ca740544a2d79ebb0ed786592c65c3 (curl-7_85_0) NOTE: https://www.openwall.com/lists/oss-security/2022/08/31/2 CVE-2022-35251 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/37e036fc2adbb6251b8b24c763b70ae0f31edb2d...a5b5c0e91b164c0b801b1616e5a8448d21783c29 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/37e036fc2adbb6251b8b24c763b70ae0f31edb2d...a5b5c0e91b164c0b801b1616e5a8448d21783c29 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] add xpdf/poppler clarification
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 37e036fc by Moritz Muehlenhoff at 2022-08-31T13:52:26+02:00 add xpdf/poppler clarification - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -706,6 +706,8 @@ CVE-2022-38785 CVE-2022-38784 (Poppler prior to and including 22.08.0 contains an integer overflow in ...) - poppler NOTE: Fixed by: https://gitlab.freedesktop.org/poppler/poppler/-/commit/27354e9d9696ee2bc063910a6c9a6b27c5184a52 + NOTE: This is CVE-2021-30860 in Apple CoreGraphics and CVE-2022-38171 in xpdf + NOTE: https://gist.github.com/zmanion/b2ed0d1a0cec163ecd07d5e3d9740dc6 CVE-2022-38783 RESERVED CVE-2022-38782 @@ -2605,7 +2607,9 @@ CVE-2022-38173 CVE-2022-38172 (ServiceNow through San Diego Patch 3 allows XSS via the name field dur ...) NOT-FOR-US: ServiceNow CVE-2022-38171 (Xpdf prior to version 4.04 contains an integer overflow in the JBIG2 d ...) - TODO: check, https://bugzilla.redhat.com/show_bug.cgi?id=2120439, might be N/A for us as using poppler + NOT-FOR-US: xpdf (relevant issue for Poppler tracked as CVE-2022-38784) + NOTE: This is CVE-2021-30860 in Apple CoreGraphics and CVE-2022-38171 in xpdf + NOTE: https://gist.github.com/zmanion/b2ed0d1a0cec163ecd07d5e3d9740dc6 CVE-2022-2794 RESERVED CVE-2022-2793 (Emerson Electric's Proficy Machine Edition Version 9.00 and prior is v ...) = data/dsa-needed.txt = 
@@ -35,6 +35,8 @@ php-horde-mime-viewer -- php-horde-turba -- +poppler +-- rails -- rpki-client View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37e036fc2adbb6251b8b24c763b70ae0f31edb2d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37e036fc2adbb6251b8b24c763b70ae0f31edb2d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
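Review bot: in the @@ -2605 hunk, the NOTE added under CVE-2022-38171 says "This is CVE-2021-30860 in Apple CoreGraphics and CVE-2022-38171 in xpdf", i.e. it names the entry's own id; under the xpdf entry that line should point at the poppler id instead, e.g. "... and CVE-2022-38784 in poppler", which the NOT-FOR-US line already references. The same NOTE under CVE-2022-38784 in the first hunk is correct as written, and adding poppler to dsa-needed.txt matches the poppler entry having no fixed version.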
[Git][security-tracker-team/security-tracker][master] new curl issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ee36381 by Moritz Muehlenhoff at 2022-08-31T13:49:34+02:00 new curl issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10006,6 +10006,10 @@ CVE-2022-35253 RESERVED CVE-2022-35252 RESERVED + - curl + [bullseye] - curl (Minor issue) + NOTE: https://github.com/curl/curl/commit/8dfc93e573ca740544a2d79ebb + NOTE: https://www.openwall.com/lists/oss-security/2022/08/31/2 CVE-2022-35251 RESERVED CVE-2022-35250 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ee36381e2c38152e0dabeea009b45eb6eb5f042 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ee36381e2c38152e0dabeea009b45eb6eb5f042 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
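Review bot: the commit URL in the first NOTE is abbreviated (8dfc93e573ca740544a2d79ebb, 26 hex digits); GitHub usually resolves a prefix, but the file's convention is the full 40-character hash, ideally prefixed "Fixed by:" and followed by the upstream release tag in parentheses, so the fix can be matched to a release automatically.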
[Git][security-tracker-team/security-tracker][master] flag wkhtmltopdf CVE-2022-35583 unimportant
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: b46b41cc by Helmut Grohne at 2022-08-31T13:43:11+02:00 flag wkhtmltopdf CVE-2022-35583 unimportant - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -9126,9 +9126,10 @@ CVE-2022-35585 (A stored cross-site scripting (XSS) issue in the ForkCMS version CVE-2022-35584 RESERVED CVE-2022-35583 (wkhtmlTOpdf 0.12.6 is vulnerable to SSRF which allows an attacker to g ...) - - wkhtmltopdf + - wkhtmltopdf (unimportant) NOTE: https://cyber-guy.gitbook.io/cyber-guys-blog/blogs/initial-access-via-pdf-file-silently NOTE: https://github.com/wkhtmltopdf/wkhtmltopdf/issues/5249 + NOTE: By design, wkhtmltopdf retrieves external resources. If it is employed inside a protected network in an automated way, a malicious actor may access internal resources. A user of wkhtmltopdf should restrict such access. CVE-2022-35582 RESERVED CVE-2022-35581 = data/dla-needed.txt = @@ -87,10 +87,6 @@ upx-ucl (Thorsten Alteholz) NOTE: 20220820: Programming language: C. NOTE: 20220820: CVE-2020-27787 may be not-affected. (Chris Lamb) -- -wkhtmltopdf - NOTE: 20220819: Programming language: C++. - NOTE: 20220830: No progress yet, upstream --- zlib (Emilio) NOTE: 20220813: Programming language: C. NOTE: 20220813: VCS: https://salsa.debian.org/lts-team/packages/zlib/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b46b41ccb8af865460ef2c1923833d64edd48fe1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b46b41ccb8af865460ef2c1923833d64edd48fe1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
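Review bot: the NOTE added under CVE-2022-35583 is a single very long line; NOTE lines in this file are normally wrapped at roughly 80 columns with each continuation prefixed by "NOTE:", so consider wrapping it. The removal of wkhtmltopdf from dla-needed.txt is consistent with the (unimportant) flag on the package line.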
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4420a021 by Salvatore Bonaccorso at 2022-08-31T10:48:20+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6228,9 +6228,9 @@ CVE-2022-36748 (PicUploader v2.6.3 was discovered to contain a cross-site script CVE-2022-36747 (Razor v0.8.0 was discovered to contain a cross-site scripting (XSS) vu ...) TODO: check CVE-2022-36746 (LibreNMS v22.6.0 was discovered to contain a cross-site scripting (XSS ...) - TODO: check + NOT-FOR-US: LibreNMS CVE-2022-36745 (LibreNMS v22.6.0 was discovered to contain a cross-site scripting (XSS ...) - TODO: check + NOT-FOR-US: LibreNMS CVE-2022-36744 RESERVED CVE-2022-36743 @@ -6250,17 +6250,17 @@ CVE-2022-36737 CVE-2022-36736 RESERVED CVE-2022-36735 (Library Management System v1.0 was discovered to contain a SQL injecti ...) - TODO: check + NOT-FOR-US: Library Management System CVE-2022-36734 (Library Management System v1.0 was discovered to contain a SQL injecti ...) - TODO: check + NOT-FOR-US: Library Management System CVE-2022-36733 (Library Management System v1.0 was discovered to contain a SQL injecti ...) - TODO: check + NOT-FOR-US: Library Management System CVE-2022-36732 (Library Management System v1.0 was discovered to contain a SQL injecti ...) - TODO: check + NOT-FOR-US: Library Management System CVE-2022-36731 (Library Management System v1.0 was discovered to contain a SQL injecti ...) - TODO: check + NOT-FOR-US: Library Management System CVE-2022-36730 (Library Management System v1.0 was discovered to contain a SQL injecti ...) - TODO: check + NOT-FOR-US: Library Management System CVE-2022-36729 (Library Management System v1.0 was discovered to contain a SQL injecti ...) NOT-FOR-US: Library Management System CVE-2022-36728 (Library Management System v1.0 was discovered to contain a SQL injecti ...) 
@@ -6406,7 +6406,7 @@ CVE-2022-36659 CVE-2022-36658 RESERVED CVE-2022-36657 (Library Management System v1.0 was discovered to contain a cross-site ...) - TODO: check + NOT-FOR-US: Library Management System CVE-2022-36656 RESERVED CVE-2022-36655 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4420a0214c8915e9ebcb88db6b06ad8cb88d6755 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4420a0214c8915e9ebcb88db6b06ad8cb88d6755 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2022-39046/glibc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 43884d67 by Salvatore Bonaccorso at 2022-08-31T10:44:24+02:00 Update information for CVE-2022-39046/glibc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,10 +1,11 @@ CVE-2022-39048 RESERVED CVE-2022-39046 (An issue was discovered in the GNU C Library (glibc) 2.36. When the sy ...) - - glibc + - glibc (Vulnerable code introduced later) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=29536 NOTE: https://sourceware.org/pipermail/libc-alpha/2022-August/141707.html - TODO: check details + NOTE: Introduced by: https://sourceware.org/git/?p=glibc.git;a=commit;h=a583b6add407c17cdcd4146be3876061a5e1d555 (glibc-2.36) + NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=52a5be0df411ef3ff45c10c7c308cb92993d15b1 CVE-2022-3067 RESERVED CVE-2022-3066 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43884d6701dfd8982c5d9474f9fa98bb1afa495b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43884d6701dfd8982c5d9474f9fa98bb1afa495b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
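Review bot: the "Fixed by:" NOTE for CVE-2022-39046 has no release tag, whereas the "Introduced by:" line carries (glibc-2.36); if the fix commit is not yet in a tagged release that is expected, but once it is, append the tag for consistency. The "(Vulnerable code introduced later)" annotation on the package line is consistent with the Introduced-by note pointing at a commit first released in 2.36.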
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3090-1 for php-horde-turba
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: cf2f0e1c by Chris Lamb at 2022-08-31T09:41:49+01:00 Reserve DLA-3090-1 for php-horde-turba - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Aug 2022] DLA-3090-1 php-horde-turba - security update + {CVE-2022-30287} + [buster] - php-horde-turba 4.2.23-1+deb10u1 [31 Aug 2022] DLA-3089-1 php-horde-mime-viewer - security update {CVE-2022-26874} [buster] - php-horde-mime-viewer 2.2.2-3+deb10u1 = data/dla-needed.txt = @@ -56,9 +56,6 @@ nodejs (Sylvain Beucler) NOTE: 20220801: Programming language: JavaScript, C/C++, Python. NOTE: 20220801: one of the upstream fixes doesn't address the security issue (jmm) -- -php-horde-turba (Chris Lamb) - NOTE: 20220816: Programming language: PHP. --- qemu (Abhijith PA) NOTE: 20220802: Programming language: C. NOTE: 20220802: debdiff of backported fixes was submitted to buster-proposed-updates: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007931 and View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cf2f0e1c7c05e9f9b5631e03f2d584aac19f85db -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cf2f0e1c7c05e9f9b5631e03f2d584aac19f85db You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-202-3037/vim
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6ea3cde9 by Salvatore Bonaccorso at 2022-08-31T10:38:16+02:00 Add CVE-202-3037/vim - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -168,7 +168,9 @@ CVE-2022-3038 - chromium [buster] - chromium (see DSA 5046) CVE-2022-3037 (Use After Free in GitHub repository vim/vim prior to 9.0.0321. ...) - TODO: check + - vim + NOTE: https://huntr.dev/bounties/af4c2f2d-d754-4607-b565-9e92f3f717b5 + NOTE: https://github.com/vim/vim/commit/4f1b083be43f351bc107541e7b0c9655a5d2c0bb (v9.0.0322) CVE-2022-3036 RESERVED CVE-2022-3035 (Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-i ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ea3cde9535eebc20fa6a8243a1e6b786bc19b45 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ea3cde9535eebc20fa6a8243a1e6b786bc19b45 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
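Review bot: the commit subject reads "Add CVE-202-3037/vim" while the hunk updates CVE-2022-3037; the id in the message is missing a digit. In the hunk itself, the description says "prior to 9.0.0321" but the fix commit NOTE is tagged (v9.0.0322); one of the two is off by one, so it is worth checking the upstream tag, or noting that the description comes from the CVE feed and may be corrected there.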
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-39046/glibc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1fdc40d4 by Salvatore Bonaccorso at 2022-08-31T10:36:17+02:00 Add CVE-2022-39046/glibc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,10 @@ CVE-2022-39048 RESERVED CVE-2022-39046 (An issue was discovered in the GNU C Library (glibc) 2.36. When the sy ...) - TODO: check + - glibc + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=29536 + NOTE: https://sourceware.org/pipermail/libc-alpha/2022-August/141707.html + TODO: check details CVE-2022-3067 RESERVED CVE-2022-3066 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1fdc40d4f041a5f6bedd66b90a20abba1601e08a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1fdc40d4f041a5f6bedd66b90a20abba1601e08a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
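Review bot: the "+ - glibc" line carries no fixed version and the entry keeps "TODO: check details", so the CVE shows as open in every suite until triage finishes; that is the right interim state, but the TODO should be resolved into a fixed version, <unfixed> or <not-affected> once the sourceware bug and the libc-alpha thread linked in the two NOTE lines have been evaluated.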
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 09806a59 by Salvatore Bonaccorso at 2022-08-31T10:27:25+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12432,7 +12432,7 @@ CVE-2022-34370 CVE-2022-34369 RESERVED CVE-2022-34368 (Dell EMC NetWorker 19.2.1.x 19.3.x, 19.4.x, 19.5.x, 19.6.x and 19.7.0. ...) - TODO: check + NOT-FOR-US: EMC CVE-2022-34367 (Dell EMC Data Protection Central versions 19.1, 19.2, 19.3, 19.4, 19.5 ...) NOT-FOR-US: Dell CVE-2022-34366 @@ -13750,7 +13750,7 @@ CVE-2022-33937 CVE-2022-33936 (Cloud Mobility for Dell EMC Storage, 1.3.0.XXX contains a RCE vulnerab ...) NOT-FOR-US: EMC CVE-2022-33935 (Dell EMC Data Protection Advisor versions 19.6 and earlier, contains a ...) - TODO: check + NOT-FOR-US: EMC CVE-2022-33934 RESERVED CVE-2022-33933 @@ -96040,7 +96040,7 @@ CVE-2021-29866 CVE-2021-29865 (IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 could allow ...) NOT-FOR-US: IBM CVE-2021-29864 (IBM Security Identity Manager 6.0 and 6.0.2 could allow a remote attac ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-29863 (IBM QRadar SIEM 7.3 and 7.4 is vulnerable to server side request forge ...) NOT-FOR-US: IBM CVE-2021-29862 (IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a non-privileged local user ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/09806a59fd8849373deb345da6ba13add37420f2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/09806a59fd8849373deb345da6ba13add37420f2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
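Review bot: vendor tags are inconsistent within the first hunk: CVE-2022-34368 is marked "NOT-FOR-US: EMC" directly above CVE-2022-34367, which is marked "NOT-FOR-US: Dell" for the same Dell EMC product family (the second hunk also uses "EMC"); one spelling should be used so the tag stays greppable across the list.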
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4002b5de by security tracker role at 2022-08-31T08:10:20+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,11 @@ +CVE-2022-39048 + RESERVED +CVE-2022-39046 (An issue was discovered in the GNU C Library (glibc) 2.36. When the sy ...) + TODO: check +CVE-2022-3067 + RESERVED +CVE-2022-3066 + RESERVED CVE-2022-3065 RESERVED CVE-2022-3064 
@@ -73,70 +81,91 @@ CVE-2022-3060 CVE-2022-3059 RESERVED CVE-2022-3058 + RESERVED - chromium [buster] - chromium (see DSA 5046) CVE-2022-3057 + RESERVED - chromium [buster] - chromium (see DSA 5046) CVE-2022-3056 + RESERVED - chromium [buster] - chromium (see DSA 5046) CVE-2022-3055 + RESERVED - chromium [buster] - chromium (see DSA 5046) CVE-2022-3054 + RESERVED - chromium [buster] - chromium (see DSA 5046) CVE-2022-3053 + RESERVED - chromium [buster] - chromium (see DSA 5046) CVE-2022-3052 + RESERVED - chromium [buster] - chromium (see DSA 5046) CVE-2022-3051 + RESERVED - chromium [buster] - chromium (see DSA 5046) CVE-2022-3050 + RESERVED - chromium [buster] - chromium (see DSA 5046) CVE-2022-3049 + RESERVED - chromium [buster] - chromium (see DSA 5046) CVE-2022-3048 + RESERVED - chromium [buster] - chromium (see DSA 5046) CVE-2022-3047 + RESERVED - chromium [buster] - chromium (see DSA 5046) CVE-2022-3046 + RESERVED - chromium [buster] - chromium (see DSA 5046) CVE-2022-3045 + RESERVED - chromium [buster] - chromium (see DSA 5046) CVE-2022-3044 + RESERVED - chromium [buster] - chromium (see DSA 5046) CVE-2022-3043 + RESERVED - chromium [buster] - chromium (see DSA 5046) CVE-2022-3042 + RESERVED - chromium [buster] - chromium (see DSA 5046) CVE-2022-3041 + RESERVED - chromium [buster] - chromium (see DSA 5046) CVE-2022-3040 + RESERVED - chromium [buster] - chromium (see DSA 5046) CVE-2022-3039 + RESERVED - chromium [buster] - chromium (see DSA 5046) CVE-2022-3038 + RESERVED - chromium [buster] - chromium (see DSA 5046) -CVE-2022-3037 - RESERVED +CVE-2022-3037 (Use After Free in GitHub repository vim/vim prior to 9.0.0321. ...) + TODO: check CVE-2022-3036 RESERVED CVE-2022-3035 (Cross-site Scripting (XSS) - Stored in GitHub repository snipe/snipe-i ...) 
@@ -1872,7 +1901,7 @@ CVE-2022-2877 RESERVED CVE-2022-2876 (A vulnerability, which was classified as critical, was found in Source ...) NOT-FOR-US: SourceCodester -CVE-2022-39047 [freeciv modpack installer buffer overflow] +CVE-2022-39047 (Freeciv before 2.6.7 and before 3.0.3 is prone to a buffer overflow vu ...) - freeciv (bug #1017579) [bullseye] - freeciv (Minor issue) [buster] - freeciv (Minor issue) @@ -5113,10 +5142,10 @@ CVE-2022-37175 (Tenda ac15 firmware V15.03.05.18 httpd server has stack buffer o NOT-FOR-US: Tenda CVE-2022-37174 RESERVED -CVE-2022-37173 - RESERVED -CVE-2022-37172 - RESERVED +CVE-2022-37173 (An issue in the installer of gvim 9.0. allows authenticated attack ...) + TODO: check +CVE-2022-37172 (Incorrect access control in the install directory (C:\msys64) of Msys2 ...) + TODO: check CVE-2022-37171 RESERVED CVE-2022-37170 @@ -6186,16 +6215,16 @@ CVE-2022-36751 RESERVED CVE-2022-36750 (Clinic's Patient Management System v1.0 is vulnerable to SQL injection ...) NOT-FOR-US: Clinic's Patient Management System -CVE-2022-36749 - RESERVED -CVE-2022-36748 - RESERVED -CVE-2022-36747 - RESERVED -CVE-2022-36746 - RESERVED -CVE-2022-36745 - RESERVED +CVE-2022-36749 (RPi-Jukebox-RFID v2.3.0 was discovered to contain a command injection ...) + TODO: check +CVE-2022-36748 (PicUploader v2.6.3 was discovered to contain a cross-site scripting (X ...) + TODO: check +CVE-2022-36747 (Razor v0.8.0 was discovered to contain a cross-site scripting (XSS) vu ...) + TODO: check +CVE-2022-36746 (LibreNMS v22.6.0 was discovered to contain a cross-site scripting (XSS ...) + TODO: check +CVE-2022-36745 (LibreNMS v22.6.0 was discovered to contain a cross-site scripting (XSS ...) + TODO: check CVE-2022-36744 RESERVED CVE-2022-36743 @@ -6214,18 +6243,18 @@ CVE-2022-36737 RESERVED CVE-2022-36736 RESERVED
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim php-horde-turba.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b41cf73 by Chris Lamb at 2022-08-31T08:34:23+01:00 data/dla-needed.txt: Claim php-horde-turba. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -56,7 +56,7 @@ nodejs (Sylvain Beucler) NOTE: 20220801: Programming language: JavaScript, C/C++, Python. NOTE: 20220801: one of the upstream fixes doesn't address the security issue (jmm) -- -php-horde-turba +php-horde-turba (Chris Lamb) NOTE: 20220816: Programming language: PHP. -- qemu (Abhijith PA) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b41cf73a3f6898c71f4b375bac612c6b673f4a5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b41cf73a3f6898c71f4b375bac612c6b673f4a5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3089-1 for php-horde-mime-viewer
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 4add43d4 by Chris Lamb at 2022-08-31T08:10:55+01:00 Reserve DLA-3089-1 for php-horde-mime-viewer - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Aug 2022] DLA-3089-1 php-horde-mime-viewer - security update + {CVE-2022-26874} + [buster] - php-horde-mime-viewer 2.2.2-3+deb10u1 [30 Aug 2022] DLA-3088-1 net-snmp - security update {CVE-2022-24805 CVE-2022-24806 CVE-2022-24807 CVE-2022-24808 CVE-2022-24809 CVE-2022-24810} [buster] - net-snmp 5.7.3+dfsg-5+deb10u3 = data/dla-needed.txt = @@ -56,9 +56,6 @@ nodejs (Sylvain Beucler) NOTE: 20220801: Programming language: JavaScript, C/C++, Python. NOTE: 20220801: one of the upstream fixes doesn't address the security issue (jmm) -- -php-horde-mime-viewer (Chris Lamb) - NOTE: 20220816: Programming language: PHP. --- php-horde-turba NOTE: 20220816: Programming language: PHP. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4add43d4d18303420b46537bde3ed12ae00f5616 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4add43d4d18303420b46537bde3ed12ae00f5616 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-35527/sqlite3
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 76ee7ddb by Salvatore Bonaccorso at 2022-08-31T09:03:36+02:00 Add CVE-2020-35527/sqlite3 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -121764,8 +121764,11 @@ CVE-2020-35529 RESERVED CVE-2020-35528 RESERVED -CVE-2020-35527 +CVE-2020-35527 [Out of bounds access during table rename] RESERVED + - sqlite3 3.32.0-1 + NOTE: https://www.sqlite.org/src/info/c431b3fd8fd0f6a6 + NOTE: https://github.com/sqlite/sqlite/commit/0990c415f65d2556a5e4122cbe5727d500411aeb (version-3.32.0) CVE-2020-35526 RESERVED CVE-2020-35525 [Null pointer derreference in src/select.c] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76ee7ddb2c35aa78b26584938c96eada8f225854 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76ee7ddb2c35aa78b26584938c96eada8f225854 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2020-35525/sqlite3
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bba2e6db by Salvatore Bonaccorso at 2022-08-31T08:56:52+02:00 Add CVE-2020-35525/sqlite3 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -121768,8 +121768,11 @@ CVE-2020-35527 RESERVED CVE-2020-35526 RESERVED -CVE-2020-35525 +CVE-2020-35525 [Null pointer derreference in src/select.c] RESERVED + - sqlite3 3.32.0-1 + NOTE: https://www.sqlite.org/src/info/a67cf5b7d37d5b14 + NOTE: https://github.com/sqlite/sqlite/commit/5f69512404cd2e5153ddf90ea277fbba6dd58ab7 (version-3.32.0) CVE-2020-35524 (A heap-based buffer overflow flaw was found in libtiff in the handling ...) {DSA-4869-1 DLA-2694-1} - tiff 4.1.0+git201212-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bba2e6db0b5708896978d2c3c4d470cdb66cd9c2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bba2e6db0b5708896978d2c3c4d470cdb66cd9c2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
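Review bot: typo in the added bracketed description, "+CVE-2020-35525 [Null pointer derreference in src/select.c]" should read "dereference"; it is free text, so correcting it is safe. The fixed version "3.32.0-1" on the package line agrees with the "(version-3.32.0)" tag on the upstream commit NOTE.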
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim php-horde-mime-viewer.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 41e22c5e by Chris Lamb at 2022-08-31T07:43:04+01:00 data/dla-needed.txt: Claim php-horde-mime-viewer. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -56,7 +56,7 @@ nodejs (Sylvain Beucler) NOTE: 20220801: Programming language: JavaScript, C/C++, Python. NOTE: 20220801: one of the upstream fixes doesn't address the security issue (jmm) -- -php-horde-mime-viewer +php-horde-mime-viewer (Chris Lamb) NOTE: 20220816: Programming language: PHP. -- php-horde-turba View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41e22c5efe156e026ec9c54ac753c663f12a52df -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41e22c5efe156e026ec9c54ac753c663f12a52df You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process three NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5686173a by Salvatore Bonaccorso at 2022-08-31T08:26:13+02:00 Process three NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5504,10 +5504,13 @@ CVE-2016-15005 RESERVED CVE-2022-37023 RESERVED + NOT-FOR-US: Apache Geode CVE-2022-37022 RESERVED + NOT-FOR-US: Apache Geode CVE-2022-37021 RESERVED + NOT-FOR-US: Apache Geode CVE-2022-2581 (Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.0104. ...) - vim 2:9.0.0135-1 (unimportant) NOTE: https://huntr.dev/bounties/0bedbae2-82ae-46ae-aa68-1c28b309b60b/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5686173a92b781db6f9ffe4db6a610c8d4fcf50c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5686173a92b781db6f9ffe4db6a610c8d4fcf50c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
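Review bot: each "+ NOT-FOR-US: Apache Geode" line is added beneath an unchanged RESERVED line, so the attribution to Apache Geode rests on information not visible in the entry; a NOTE pointing at the announcement the ids came from would let a later reader verify the NFU decision once the CVE descriptions are published.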