[Git][security-tracker-team/security-tracker][master] Track fixed version for chromium issues fixed via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9cb6fb3b by Salvatore Bonaccorso at 2022-09-15T06:57:31+02:00 Track fixed version for chromium issues fixed via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -212,31 +212,31 @@ CVE-2022-3202 (A NULL pointer dereference flaw in diFree in fs/jfs/inode.c in Jo NOTE: https://git.kernel.org/linus/a53046291020ec41e09181396c1e829287b48d47 (5.18-rc1) CVE-2022-3201 RESERVED - - chromium + - chromium 105.0.5195.125-1 [buster] - chromium (see DSA 5046) CVE-2022-3200 RESERVED - - chromium + - chromium 105.0.5195.125-1 [buster] - chromium (see DSA 5046) CVE-2022-3199 RESERVED - - chromium + - chromium 105.0.5195.125-1 [buster] - chromium (see DSA 5046) CVE-2022-3198 RESERVED - - chromium + - chromium 105.0.5195.125-1 [buster] - chromium (see DSA 5046) CVE-2022-3197 RESERVED - - chromium + - chromium 105.0.5195.125-1 [buster] - chromium (see DSA 5046) CVE-2022-3196 RESERVED - - chromium + - chromium 105.0.5195.125-1 [buster] - chromium (see DSA 5046) CVE-2022-3195 RESERVED - - chromium + - chromium 105.0.5195.125-1 [buster] - chromium (see DSA 5046) CVE-2022-3194 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9cb6fb3bae7a00434f11b185b8e0031f722ddc1c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9cb6fb3bae7a00434f11b185b8e0031f722ddc1c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3108-1 for pcs
Valentin Vidic pushed to branch master at Debian Security Tracker / security-tracker Commits: b31594f7 by Valentin Vidic at 2022-09-14T23:51:09+02:00 Reserve DLA-3108-1 for pcs - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -35552,7 +35552,6 @@ CVE-2022-1050 (A flaw was found in the QEMU implementation of VMWare's paravirtu CVE-2022-1049 (A flaw was found in the Pacemaker configuration tool (pcs). The pcs da ...) {DSA-5226-1} - pcs 0.11.3-1 - [buster] - pcs (Minor issue) [stretch] - pcs (Vulnerable code introduced later, ./pcs/daemon/ not present) NOTE: https://huntr.dev/bounties/7aa921fc-a568-4fd8-96f4-7cd826246aa5 NOTE: https://github.com/ClusterLabs/pcs/commit/fb860005117dc9e092649687dfa1304fb423efc5 = data/DLA/list = @@ -1,3 +1,6 @@ +[14 Sep 2022] DLA-3108-1 pcs - security update + {CVE-2022-1049} + [buster] - pcs 0.10.1-2+deb10u1 [13 Sep 2022] DLA-3107-1 sqlite3 - security update {CVE-2020-35525 CVE-2020-35527 CVE-2021-20223} [buster] - sqlite3 3.27.2-3+deb10u2 = data/dla-needed.txt = 
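Review bot: the data/CVE/list hunk drops `[buster] - pcs (Minor issue)` for CVE-2022-1049 but leaves the reference line as `{DSA-5226-1}` alone, while the data/DLA/list hunk records `[buster] - pcs 0.10.1-2+deb10u1` under `{CVE-2022-1049}` for DLA-3108-1; confirm that the `{DLA-3108-1}` cross-reference is added to the CVE-2022-1049 entry when the DLA is released, since at the moment the reserved DLA exists only on the DLA side and the CVE entry no longer says anything about buster itself.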
@@ -114,15 +114,6 @@ openexr openvswitch NOTE: 20220911: No known patch for this problem. -- -pcs (Valentin Vidic) - NOTE: 20220905: Programming language: Python. - NOTE: 20220905: Local access needed to get exploit the vulnerability. - NOTE: 20220905: One could argue that the vulnerability is in Thin::Backends::UnixServer:connect - NOTE: 20220905: since the solution is to override that function with a new umask. - NOTE: 20220905: https://lists.debian.org/debian-lts/2022/09/msg7.html - NOTE: 20220908: CVE-2022-2735 not-affected: Vulnerable code not present, see #1018930. - NOTE: 20220908: CVE-2022-1049 vulnerable --- php-phpseclib NOTE: 20220909: Programming language: PHP. NOTE: 20220909: Note the discussion whether 2.0 is in fact affected by the CVE or not. It looks like it is affected by a small part of it that is best to fix.. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b31594f766d64ae5e3da7050217be1148d84c313 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b31594f766d64ae5e3da7050217be1148d84c313 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
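Review bot: the removed dla-needed block takes the triage result `NOTE: 20220908: CVE-2022-2735 not-affected: Vulnerable code not present, see #1018930.` with it, and nothing in the data/CVE/list hunk carries that determination over; record it on the CVE-2022-2735 entry (in the tracker's own form, `[buster] - pcs <not-affected> (Vulnerable code not present, see #1018930)`) so the not-affected reasoning survives the cleanup of dla-needed.txt instead of living only in git history.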
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 58ad2f5b by Moritz Muehlenhoff at 2022-09-14T23:48:38+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -102,7 +102,7 @@ CVE-2022-40674 (libexpat before 2.4.9 has a use-after-free in the doContent func NOTE: https://github.com/libexpat/libexpat/pull/640 NOTE: https://github.com/libexpat/libexpat/commit/4a32da87e931ba54393d465bb77c40b5c33d343b CVE-2022-40673 (KDiskMark before 3.1.0 lacks authorization checking for D-Bus methods ...) - TODO: check + NOT-FOR-US: KDiskMark CVE-2022-40670 RESERVED CVE-2022-40669 @@ -200,7 +200,7 @@ CVE-2022-3207 CVE-2022-3206 RESERVED CVE-2022-3205 (An XSS exists in automation controller UI where the project name is su ...) - TODO: check + NOT-FOR-US: Red Hat Ansible Automation Controller CVE-2022-3204 RESERVED CVE-2022-3203 @@ -,9 +,9 @@ CVE-2022-39205 (Onedev is an open source, self-hosted Git Server with CI/CD and CVE-2022-39204 RESERVED CVE-2022-39203 (matrix-appservice-irc is an open source Node.js IRC bridge for Matrix. ...) - TODO: check + NOT-FOR-US: matrix-appservice-irc CVE-2022-39202 (matrix-appservice-irc is an open source Node.js IRC bridge for Matrix. ...) - TODO: check + NOT-FOR-US: matrix-appservice-irc CVE-2022-39201 RESERVED CVE-2022-39200 (Dendrite is a Matrix homeserver written in Go. In affected versions ev ...) @@ -6929,7 +6929,7 @@ CVE-2022-38009 (Microsoft SharePoint Server Remote Code Execution Vulnerability. CVE-2022-38008 (Microsoft SharePoint Server Remote Code Execution Vulnerability. This ...) NOT-FOR-US: Microsoft CVE-2022-38007 (Azure Guest Configuration and Azure Arc-enabled servers Elevation of P ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-38006 (Windows Graphics Component Information Disclosure Vulnerability. This ...) NOT-FOR-US: Microsoft CVE-2022-38005 (Windows Print Spooler Elevation of Privilege Vulnerability. ...) 
@@ -7027,7 +7027,7 @@ CVE-2022-37960 CVE-2022-37959 (Network Device Enrollment Service (NDES) Security Feature Bypass Vulne ...) NOT-FOR-US: Microsoft CVE-2022-37958 (SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Information Di ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-37957 (Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is un ...) NOT-FOR-US: Microsoft CVE-2022-37956 (Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is un ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58ad2f5b8997696dba5021a0298a3c4788f7663b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58ad2f5b8997696dba5021a0298a3c4788f7663b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-36087 via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 25e61d80 by Salvatore Bonaccorso at 2022-09-14T23:03:02+02:00 Track fixed version for CVE-2022-36087 via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11810,7 +11810,7 @@ CVE-2022-36089 (KubeVela is an application delivery platform Users using KubeVel CVE-2022-36088 (GoCD is a continuous delivery server. Windows installations via either ...) NOT-FOR-US: GoCD CVE-2022-36087 (OAuthLib is an implementation of the OAuth request-signing logic for P ...) - - python-oauthlib (bug #1019710) + - python-oauthlib 3.2.1-1 (bug #1019710) [bullseye] - python-oauthlib (Vulnerable code introduced later) [buster] - python-oauthlib (Vulnerable code introduced later) NOTE: https://github.com/oauthlib/oauthlib/security/advisories/GHSA-3pgj-pg6c-r5p7 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/25e61d8055b204a1e88796fb91b44b1810f87e19 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/25e61d8055b204a1e88796fb91b44b1810f87e19 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add new glpi issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 086c1ec6 by Salvatore Bonaccorso at 2022-09-14T22:39:44+02:00 Add new glpi issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11756,7 +11756,8 @@ CVE-2022-36114 (Cargo is a package manager for the rust programming language. It CVE-2022-36113 (Cargo is a package manager for the rust programming language. After a ...) TODO: check CVE-2022-36112 (GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free ...) - TODO: check + - glpi (unimportant) + NOTE: Only supported behind an authenticated HTTP zone CVE-2022-36111 RESERVED CVE-2022-36110 (Netmaker makes networks with WireGuard. Prior to version 0.15.1, Impro ...) 
@@ -12120,11 +12121,14 @@ CVE-2022-35948 (undici is an HTTP/1.1 client, written from scratch for Node.js.` NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3 NOTE: https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80 (v5.8.2) CVE-2022-35947 (GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free ...) - TODO: check + - glpi (unimportant) + NOTE: Only supported behind an authenticated HTTP zone CVE-2022-35946 (GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free ...) - TODO: check + - glpi (unimportant) + NOTE: Only supported behind an authenticated HTTP zone CVE-2022-35945 (GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free ...) - TODO: check + - glpi (unimportant) + NOTE: Only supported behind an authenticated HTTP zone CVE-2022-35944 RESERVED CVE-2022-35943 (Shield is an authentication and authorization framework for CodeIgnite ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/086c1ec6f550e1e20d163c6356c6c75f8ab46aff -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/086c1ec6f550e1e20d163c6356c6c75f8ab46aff You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-37703/amanda
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a7efb7e by Salvatore Bonaccorso at 2022-09-14T22:38:29+02:00 Add CVE-2022-37703/amanda - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7596,7 +7596,8 @@ CVE-2022-37705 CVE-2022-37704 RESERVED CVE-2022-37703 (In Amanda 3.5.1, an information leak vulnerability was found in the ca ...) - TODO: check + - amanda + NOTE: https://github.com/MaherAzzouzi/CVE-2022-37703 CVE-2022-37702 RESERVED CVE-2022-37701 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a7efb7e2aea5efa1a3a0331d55a03f29417787a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a7efb7e2aea5efa1a3a0331d55a03f29417787a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
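Review bot: the new CVE-2022-37703 entry is a bare `- amanda` line with no fixed version, no Debian bug reference, and only a third-party repository as its NOTE; a bare package line marks unstable, bullseye and buster as affected with nothing pointing the maintainer at a fix, so add the upstream amanda issue or fixing commit once identified and a `(bug #<number>)` reference after filing, and consider a severity annotation if the information leak turns out to be local-only.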
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d9ef618e by Salvatore Bonaccorso at 2022-09-14T22:37:52+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4384,7 +4384,7 @@ CVE-2022-38798 CVE-2022-38797 RESERVED CVE-2022-38796 (A Host Header Injection vulnerability in Feehi CMS 2.1.1 may allow an ...) - TODO: check + NOT-FOR-US: Feehi CMS CVE-2022-38453 (Multiple binary application files on the CMS8000 device are compiled w ...) NOT-FOR-US: Contec Health CVE-2022-38399 (Missing protection mechanism for alternate hardware interface in SmaCa ...) @@ -5046,7 +5046,7 @@ CVE-2022-38635 CVE-2022-38634 RESERVED CVE-2022-38633 (Genymotion Desktop v3.2.1 was discovered to contain a DLL hijacking vu ...) - TODO: check + NOT-FOR-US: Genymotion Desktop CVE-2022-38632 RESERVED CVE-2022-38631 @@ -5228,17 +5228,17 @@ CVE-2022-38544 CVE-2022-38543 RESERVED CVE-2022-38542 (Archery v1.4.0 to v1.8.5 was discovered to contain a SQL injection vul ...) - TODO: check + NOT-FOR-US: Archery CVE-2022-38541 (Archery v1.8.3 to v1.8.5 was discovered to contain multiple SQL inject ...) - TODO: check + NOT-FOR-US: Archery CVE-2022-38540 (Archery v1.4.0 to v1.8.5 was discovered to contain a SQL injection vul ...) - TODO: check + NOT-FOR-US: Archery CVE-2022-38539 (Archery v1.7.5 to v1.8.5 was discovered to contain a SQL injection vul ...) - TODO: check + NOT-FOR-US: Archery CVE-2022-38538 (Archery v1.7.0 to v1.8.5 was discovered to contain a SQL injection vul ...) - TODO: check + NOT-FOR-US: Archery CVE-2022-38537 (Archery v1.4.5 to v1.8.5 was discovered to contain multiple SQL inject ...) - TODO: check + NOT-FOR-US: Archery CVE-2022-38536 RESERVED CVE-2022-38535 
@@ -5329,11 +5329,11 @@ CVE-2022-38499 CVE-2022-38498 RESERVED CVE-2022-38497 (LIEF commit 365a16a was discovered to contain a segmentation violation ...) - TODO: check + NOT-FOR-US: LIEF CVE-2022-38496 (LIEF commit 365a16a was discovered to contain a reachable assertion ab ...) - TODO: check + NOT-FOR-US: LIEF CVE-2022-38495 (LIEF commit 365a16a was discovered to contain a heap-buffer overflow v ...) - TODO: check + NOT-FOR-US: LIEF CVE-2022-38078 (Movable Type XMLRPC API provided by Six Apart Ltd. contains a command ...) - movabletype-opensource CVE-2022-2925 (Cross-site Scripting (XSS) - Stored in GitHub repository appwrite/appw ...) @@ -6083,9 +6083,9 @@ CVE-2022-38309 (Tenda AC18 router v15.03.05.19 and v15.03.05.05 was discovered t CVE-2022-38308 RESERVED CVE-2022-38307 (LIEF commit 5d1d643 was discovered to contain a segmentation violation ...) - TODO: check + NOT-FOR-US: LIEF CVE-2022-38306 (LIEF commit 5d1d643 was discovered to contain a heap-buffer overflow i ...) - TODO: check + NOT-FOR-US: LIEF CVE-2022-36403 (Untrusted search path vulnerability in the installer of Device Softwar ...) NOT-FOR-US: Ricoh CVE-2022-2825 @@ -7680,7 +7680,7 @@ CVE-2022-37663 CVE-2022-37662 RESERVED CVE-2022-37661 (SmartRG SR506n 2.5.15 and SR510n 2.6.13 routers are vulnerable to Remo ...) - TODO: check + NOT-FOR-US: SmartRG CVE-2022-37660 RESERVED CVE-2022-37659 @@ -8723,7 +8723,7 @@ CVE-2022-37304 CVE-2022-37303 RESERVED CVE-2022-37302 (A CWE-119: Improper Restriction of Operations within the Bounds of a M ...) - TODO: check + NOT-FOR-US: EcoStruxure Control Expert CVE-2022-37301 RESERVED CVE-2022-37300 (A CWE-640: Weak Password Recovery Mechanism for Forgotten Password vul ...) 
@@ -9473,7 +9473,7 @@ CVE-2022-37013 CVE-2022-37012 RESERVED CVE-2022-37011 (A vulnerability has been identified in Mendix SAML Module (Mendix 7 co ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-37010 (In JetBrains IntelliJ IDEA before 2022.2 email address validation in t ...) - intellij-idea (bug #747616) CVE-2022-37009 (In JetBrains IntelliJ IDEA before 2022.2 local code execution via a Va ...) @@ -9990,13 +9990,13 @@ CVE-2022-36784 CVE-2022-36783 RESERVED CVE-2022-36782 (Pal Electronics Systems - Pal Gate Authorization Errors. The vulnerabi ...) - TODO: check + NOT-FOR-US: Pal Electronics Systems CVE-2022-36781 RESERVED CVE-2022-36780 (Avdor CIS - crystal quality Credentials Management Errors. The product ...) - TODO: check + NOT-FOR-US: Avdor CIS CVE-2022-36779 (PROSCEND - PROSCEND / ADVICE .Ltd - G/5G Industrial Cellular Router (w ...) - TODO: check + NOT-FOR-US: PROSCEND CVE-2022-36778 (insert HTML / js code inside input how to get to the vulnerable input ...) TODO: check
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 97f4ca16 by Salvatore Bonaccorso at 2022-09-14T22:29:43+02:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -76858,7 +76858,7 @@ CVE-2021-38926 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server CVE-2021-38925 (IBM Sterling B2B Integrator Standard Edition 5.2.0. 0 through 6.1.1.0 ...) NOT-FOR-US: IBM CVE-2021-38924 (IBM Maximo Asset Management 7.6.1.1 and 7.6.1.2 could allow a remote a ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-38923 (IBM PowerVM Hypervisor FW1010 could allow a privileged user to gain ac ...) NOT-FOR-US: IBM CVE-2021-38922 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97f4ca16ddcf04bd91ba62cfd0dd288ca49429f5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97f4ca16ddcf04bd91ba62cfd0dd288ca49429f5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update tracking for CVE-2022-2078 (and rejected CVE-2022-1972)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 278a5456 by Salvatore Bonaccorso at 2022-09-14T22:25:33+02:00 Update tracking for CVE-2022-2078 (and rejected CVE-2022-1972) - - - - - 2 changed files: - data/CVE/list - data/DSA/list Changes: = data/CVE/list = @@ -19261,9 +19261,10 @@ CVE-2022-2079 (Cross-site Scripting (XSS) - Stored in GitHub repository nocodb/n NOT-FOR-US: nocodb CVE-2022-2078 (A vulnerability was found in the Linux kernel's nft_set_desc_concat_pa ...) - linux 5.18.2-1 - [bullseye] - linux 5.10.120-1 [buster] - linux (Vulnerable code not present) [stretch] - linux (Vulnerable code not present) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2096178 + NOTE: https://www.openwall.com/lists/oss-security/2022/06/02/1 NOTE: https://git.kernel.org/linus/fecf31ee395b0295f2d7260aa29946b7605f7c85 (5.19-rc1) CVE-2022-33207 RESERVED @@ -21933,12 +21934,6 @@ CVE-2022-1973 (A use-after-free flaw was found in the Linux kernel in log_replay NOTE: https://git.kernel.org/linus/f26967b9f7a830e228bb13fb41bd516ddd9d789d (5.19-rc1) CVE-2022-1972 REJECTED - {DSA-5161-1} - - linux 5.18.2-1 - [buster] - linux (Vulnerable code not present) - [stretch] - linux (Vulnerable code not present) - NOTE: https://www.openwall.com/lists/oss-security/2022/06/02/1 - NOTE: https://git.kernel.org/linus/fecf31ee395b0295f2d7260aa29946b7605f7c85 CVE-2022-32204 RESERVED CVE-2022-32203 = data/DSA/list = 
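Review bot: the first hunk removes `[bullseye] - linux 5.10.120-1` from CVE-2022-2078 but does not add the `{DSA-5161-1}` reference line that the deleted CVE-2022-1972 entry carried, even though the accompanying data/DSA/list change moves this CVE into DSA-5161-1; add `{DSA-5161-1}` under CVE-2022-2078 so the CVE entry and the DSA entry agree, otherwise the bullseye fix for this issue is only recoverable by following the DSA side.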
@@ -221,7 +221,7 @@ {CVE-2022-24769 CVE-2022-31030} [bullseye] - containerd 1.4.13~ds1-1~deb11u2 [11 Jun 2022] DSA-5161-1 linux - security update - {CVE-2022-0494 CVE-2022-0854 CVE-2022-1012 CVE-2022-1729 CVE-2022-1786 CVE-2022-1789 CVE-2022-1852 CVE-2022-32250 CVE-2022-1972 CVE-2022-1974 CVE-2022-1975 CVE-2022-21499 CVE-2022-28893} + {CVE-2022-0494 CVE-2022-0854 CVE-2022-1012 CVE-2022-1729 CVE-2022-1786 CVE-2022-1789 CVE-2022-1852 CVE-2022-32250 CVE-2022-1974 CVE-2022-1975 CVE-2022-2078 CVE-2022-21499 CVE-2022-28893} [bullseye] - linux 5.10.120-1 [10 Jun 2022] DSA-5160-1 ntfs-3g - security update {CVE-2021-46790 CVE-2022-30783 CVE-2022-30784 CVE-2022-30785 CVE-2022-30786 CVE-2022-30787 CVE-2022-30788 CVE-2022-30789} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/278a54568954d5c1c612f9558614cada02e9a7d2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/278a54568954d5c1c612f9558614cada02e9a7d2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-40626/zabbix
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ab7e0aac by Salvatore Bonaccorso at 2022-09-14T22:16:15+02:00 Add CVE-2022-40626/zabbix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -252,7 +252,10 @@ CVE-2022-40628 CVE-2022-40627 RESERVED CVE-2022-40626 (An unauthenticated user can create a link with reflected Javascript co ...) - TODO: check + - zabbix 1:6.0.7+dfsg-2 + NOTE: https://support.zabbix.com/browse/ZBX-21350 + NOTE: https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/55eb14d0a394b362d5df00ed9e06a3918472deec (6.0.7rc1) + TODO: check, verify it really did not affect versions before 6.0.0 CVE-2022-40625 RESERVED CVE-2022-40624 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab7e0aaca76dd5d1cb09341cc830a80a7b2c5599 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab7e0aaca76dd5d1cb09341cc830a80a7b2c5599 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
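Review bot: the entry records `- zabbix 1:6.0.7+dfsg-2` for unstable only and leaves the pre-6.0.0 question open in the TODO, so bullseye and buster are tracked as affected until it is resolved; once the check is done, either add `[bullseye] - zabbix <not-affected> (Vulnerable code not present)` (and the same for buster) or a fixed-version line for each suite, and drop the TODO so the entry does not stay half-triaged.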
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a82a9178 by security tracker role at 2022-09-14T20:10:21+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,101 @@ +CVE-2022-40706 + RESERVED +CVE-2022-40705 + RESERVED +CVE-2022-40696 + RESERVED +CVE-2022-40684 + RESERVED +CVE-2022-40683 + RESERVED +CVE-2022-40682 + RESERVED +CVE-2022-40681 + RESERVED +CVE-2022-40680 + RESERVED +CVE-2022-40679 + RESERVED +CVE-2022-40678 + RESERVED +CVE-2022-40677 + RESERVED +CVE-2022-40676 + RESERVED +CVE-2022-40675 + RESERVED +CVE-2022-40672 + RESERVED +CVE-2022-40671 + RESERVED +CVE-2022-40632 + RESERVED +CVE-2022-40312 + RESERVED +CVE-2022-40310 + RESERVED +CVE-2022-40223 + RESERVED +CVE-2022-40219 + RESERVED +CVE-2022-40217 + RESERVED +CVE-2022-40215 + RESERVED +CVE-2022-40213 + RESERVED +CVE-2022-40211 + RESERVED +CVE-2022-40206 + RESERVED +CVE-2022-40205 + RESERVED +CVE-2022-40193 + RESERVED +CVE-2022-40131 + RESERVED +CVE-2022-38974 + RESERVED +CVE-2022-38468 + RESERVED +CVE-2022-38461 + RESERVED +CVE-2022-38454 + RESERVED +CVE-2022-38104 + RESERVED +CVE-2022-38079 + RESERVED +CVE-2022-38074 + RESERVED +CVE-2022-38073 + RESERVED +CVE-2022-36424 + RESERVED +CVE-2022-36417 + RESERVED +CVE-2022-36404 + RESERVED +CVE-2022-35238 + RESERVED +CVE-2022-33978 + RESERVED +CVE-2022-3216 + RESERVED +CVE-2022-3215 + RESERVED +CVE-2022-3214 + RESERVED +CVE-2022-3213 + RESERVED +CVE-2022-3212 (bytes::Bytes as axum_core::extract::FromRequest::from_request ...) + TODO: check +CVE-2022-3211 + RESERVED +CVE-2022-30545 + RESERVED +CVE-2020-36603 + RESERVED CVE-2022-40674 (libexpat before 2.4.9 has a use-after-free in the doContent function i ...) - expat (bug #1019761) NOTE: https://github.com/libexpat/libexpat/pull/629 
@@ -107,8 +205,7 @@ CVE-2022-3204 RESERVED CVE-2022-3203 RESERVED -CVE-2022-3202 - RESERVED +CVE-2022-3202 (A NULL pointer dereference flaw in diFree in fs/jfs/inode.c in Journal ...) - linux 5.17.3-1 [bullseye] - linux 5.10.113-1 [buster] - linux 4.19.249-1 @@ -4283,8 +4380,8 @@ CVE-2022-38798 RESERVED CVE-2022-38797 RESERVED -CVE-2022-38796 - RESERVED +CVE-2022-38796 (A Host Header Injection vulnerability in Feehi CMS 2.1.1 may allow an ...) + TODO: check CVE-2022-38453 (Multiple binary application files on the CMS8000 device are compiled w ...) NOT-FOR-US: Contec Health CVE-2022-38399 (Missing protection mechanism for alternate hardware interface in SmaCa ...) @@ -5409,8 +5506,8 @@ CVE-2022-2902 RESERVED CVE-2022-2901 (Improper Authorization in GitHub repository chatwoot/chatwoot prior to ...) NOT-FOR-US: chatwoot -CVE-2022-2900 - RESERVED +CVE-2022-2900 (Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/pa ...) + TODO: check CVE-2022-38464 RESERVED CVE-2022-38463 (ServiceNow through San Diego Patch 4b and Patch 6 allows reflected XSS ...) @@ -7579,8 +7676,8 @@ CVE-2022-37663 RESERVED CVE-2022-37662 RESERVED -CVE-2022-37661 - RESERVED +CVE-2022-37661 (SmartRG SR506n 2.5.15 and SR510n 2.6.13 routers are vulnerable to Remo ...) + TODO: check CVE-2022-37660 RESERVED CVE-2022-37659 
@@ -11650,12 +11747,12 @@ CVE-2022-36116 (An issue was discovered in Blue Prism Enterprise 6.0 through 7.0 NOT-FOR-US: Blue Prism Enterprise CVE-2022-36115 (An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. In ...) NOT-FOR-US: Blue Prism Enterprise -CVE-2022-36114 - RESERVED -CVE-2022-36113 - RESERVED -CVE-2022-36112 - RESERVED +CVE-2022-36114 (Cargo is a package manager for the rust programming language. It was d ...) + TODO: check +CVE-2022-36113 (Cargo is a package manager for the rust programming language. After a ...) + TODO: check +CVE-2022-36112 (GLPI stands for Gestionnaire Libre de Parc Informatique and is a Free ...) + TODO: check CVE-2022-36111 RESERVED CVE-2022-36110 (Netmaker makes networks with WireGuard. Prior to version 0.15.1, Impro ...) @@ -12018,12 +12115,12 @@ CVE-2022-35948 (undici is an HTTP/1.1 client, written from scratch for Node.js.` - node-undici 5.8.2+dfsg1+~cs18.9.18.1-1 NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-f772-66g8-q5h3 NOTE: https://github.com/nodejs/undici/commit/66165d604fd0aee70a93ed5c44ad4cc2df395f80 (v5.8.2) -CVE-2022-35947 - RESERVED -CVE-2022-35946 - RESERVED
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2022-40674/expat
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 044d0119 by Salvatore Bonaccorso at 2022-09-14T21:52:18+02:00 Add Debian bug reference for CVE-2022-40674/expat - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2022-40674 (libexpat before 2.4.9 has a use-after-free in the doContent function i ...) - - expat + - expat (bug #1019761) NOTE: https://github.com/libexpat/libexpat/pull/629 NOTE: https://github.com/libexpat/libexpat/pull/640 NOTE: https://github.com/libexpat/libexpat/commit/4a32da87e931ba54393d465bb77c40b5c33d343b View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/044d01196cc42474118506a6c7f1b4fddd34ea7b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/044d01196cc42474118506a6c7f1b4fddd34ea7b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reference merge request for CVE-2022-1615
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 106401af by Salvatore Bonaccorso at 2022-09-14T21:34:58+02:00 Reference merge request for CVE-2022-1615 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27505,6 +27505,7 @@ CVE-2022-1615 (In Samba, GnuTLS gnutls_rnd() can fail and give predictable rando - samba [bullseye] - samba (Minor issue) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=15103 + NOTE: https://gitlab.com/samba-team/samba/-/merge_requests/2644 NOTE: https://gitlab.com/samba-team/samba/-/commit/9849e7440e30853c61a80ce1f11b7b244ed766fe (samba-4.17.0rc1) CVE-2022-1614 (The WP-EMail WordPress plugin before 2.69.0 prioritizes getting a visi ...) NOT-FOR-US: WordPress plugin View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/106401afc9ce34dc7886373fc5ed579b93df361c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/106401afc9ce34dc7886373fc5ed579b93df361c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add upstream tag information for CVE-2022-1615
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: af644d23 by Salvatore Bonaccorso at 2022-09-14T21:33:13+02:00 Add upstream tag information for CVE-2022-1615 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27505,7 +27505,7 @@ CVE-2022-1615 (In Samba, GnuTLS gnutls_rnd() can fail and give predictable rando - samba [bullseye] - samba (Minor issue) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=15103 - NOTE: https://gitlab.com/samba-team/samba/-/commit/9849e7440e30853c61a80ce1f11b7b244ed766fe (v4-17-stable) + NOTE: https://gitlab.com/samba-team/samba/-/commit/9849e7440e30853c61a80ce1f11b7b244ed766fe (samba-4.17.0rc1) CVE-2022-1614 (The WP-EMail WordPress plugin before 2.69.0 prioritizes getting a visi ...) NOT-FOR-US: WordPress plugin CVE-2022-1613 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af644d23916da66614feb1d3f44699265f3f788f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af644d23916da66614feb1d3f44699265f3f788f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add chromium to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 57bdd7b0 by Salvatore Bonaccorso at 2022-09-14T21:31:12+02:00 Add chromium to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the name of the source pa -- asterisk (apo) -- +chromium +-- commons-configuration -- connman (carnil) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57bdd7b09124f902fd82a2ec88ad55db375da73a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57bdd7b09124f902fd82a2ec88ad55db375da73a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add new chromium issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e0288d08 by Salvatore Bonaccorso at 2022-09-14T21:30:01+02:00 Add new chromium issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -115,18 +115,32 @@ CVE-2022-3202 NOTE: https://git.kernel.org/linus/a53046291020ec41e09181396c1e829287b48d47 (5.18-rc1) CVE-2022-3201 RESERVED + - chromium + [buster] - chromium (see DSA 5046) CVE-2022-3200 RESERVED + - chromium + [buster] - chromium (see DSA 5046) CVE-2022-3199 RESERVED + - chromium + [buster] - chromium (see DSA 5046) CVE-2022-3198 RESERVED + - chromium + [buster] - chromium (see DSA 5046) CVE-2022-3197 RESERVED + - chromium + [buster] - chromium (see DSA 5046) CVE-2022-3196 RESERVED + - chromium + [buster] - chromium (see DSA 5046) CVE-2022-3195 RESERVED + - chromium + [buster] - chromium (see DSA 5046) CVE-2022-3194 RESERVED CVE-2022-3193 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e0288d08e8c2e5fe5f8789017a2bb670f346465a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e0288d08e8c2e5fe5f8789017a2bb670f346465a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
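Review bot: all seven new entries leave `- chromium` without a fixed version, so they stay open for unstable until the fixing upload is recorded, and because every one of these IDs is still RESERVED the mapping to chromium comes from the upstream advisory rather than from the CVE text; a single NOTE with that advisory URL on the block would make the assignment traceable. The `[buster] - chromium (see DSA 5046)` lines follow the existing pattern of pointing buster at the DSA instead of at a version.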
[Git][security-tracker-team/security-tracker][master] CVE-2022-30630/golang: introduced in 1.16
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 50c4c9b8 by Sylvain Beucler at 2022-09-14T19:42:52+02:00 CVE-2022-30630/golang: introduced in 1.16 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -26415,12 +26415,12 @@ CVE-2022-30630 (Uncontrolled recursion in Glob in io/fs before Go 1.17.12 and Go - golang-1.18 1.18.4-1 - golang-1.17 1.17.13-1 - golang-1.15 - - golang-1.11 - [buster] - golang-1.11 (Limited support) NOTE: https://go.dev/issue/53415 NOTE: https://github.com/golang/go/commit/fa2d41d0ca736f3ad6b200b2a4e134364e9acc59 (go1.19rc2) NOTE: https://github.com/golang/go/commit/315e80d293b684ac2902819e58f618f1b5a14d49 (go1.18.4) NOTE: https://github.com/golang/go/commit/8c1d8c836270615cfb5b229932269048ef59ac07 (go1.17.12) + NOTE: Introduced by https://github.com/golang/go/commit/b64202bc29b9c1cf0118878d1c0acc9cdb2308f6 (go1.16beta1) + NOTE: io/fs/Glob.go introduced in 1.16; see CVE-2022-30632 for similar older code in path/filepath/ CVE-2022-30629 (Non-random values for ticket_age_add in session tickets in crypto/tls ...) - golang-1.18 1.18.3-1 - golang-1.17 1.17.11-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50c4c9b854212249d80efd2bfe0361146d3c947e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50c4c9b854212249d80efd2bfe0361146d3c947e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
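Review bot: the new NOTE says `io/fs/Glob.go` only exists from 1.16, which justifies dropping the golang-1.11 lines, but by the same reasoning the `- golang-1.15` line left in place cannot be affected either and should get the same treatment; recording the evaluated packages as `- golang-1.11 <not-affected> (Vulnerable code not present)` rather than deleting the lines keeps that evaluation visible in the tracker. Minor: the Go source file is lowercase, `io/fs/glob.go`.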
[Git][security-tracker-team/security-tracker][master] CVE-2022-28131/golang: reference patches
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 57672f15 by Sylvain Beucler at 2022-09-14T19:24:02+02:00 CVE-2022-28131/golang: reference patches - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33990,6 +33990,10 @@ CVE-2022-28131 (In Decoder.Skip in encoding/xml in Go before 1.17.12 and 1.18.x - golang-1.15 - golang-1.11 [buster] - golang-1.11 (Limited support) + NOTE: https://github.com/golang/go/issues/53614 + NOTE: https://github.com/golang/go/commit/08c46ed43d80bbb67cb904944ea3417989be4af3 (go1.19rc2) + NOTE: https://github.com/golang/go/commit/90f040ec510dd678b7860d70ca77e5682f4c7e96 (go1.18.4) + NOTE: https://github.com/golang/go/commit/58facfbe7db2fbb9afed794b281a70bdb12a60ae (go1.17.12) CVE-2022-28130 RESERVED CVE-2022-28129 (Improper Input Validation vulnerability in HTTP/1.1 header parsing of ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57672f15b9f0332de0f814ba02b953e94e473122 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57672f15b9f0332de0f814ba02b953e94e473122 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
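Review bot: the three fix commits are now referenced with their release tags, but the `- golang-1.15`, `- golang-1.11` and `[buster] - golang-1.11 (Limited support)` lines stay unversioned, so the references settle where the fix landed without settling whether the older branches contain the bug; an "Introduced by" commit NOTE, as used for other golang entries in this list, would close that question, and the issue link (golang/go#53614) is a good anchor for it.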
[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 01392162 by Moritz Muehlenhoff at 2022-09-14T17:25:06+02:00 bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -186,6 +186,7 @@ CVE-2022-3191 RESERVED CVE-2022-3190 (Infinite loop in the F5 Ethernet Trailer protocol dissector in Wiresha ...) - wireshark 3.6.8-1 + [bullseye] - wireshark (Minor issue) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18307 NOTE: https://www.wireshark.org/security/wnpa-sec-2022-06.html CVE-2022-3189 @@ -1482,6 +1483,7 @@ CVE-2022-40024 RESERVED CVE-2022-40023 (Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denia ...) - mako 1.2.2+ds1-1 + [bullseye] - mako (Minor issue) NOTE: https://github.com/sqlalchemy/mako/commit/925760291d6efec64fda6e9dd1fd9cfbd5be068c (rel_1_2_2) NOTE: https://github.com/sqlalchemy/mako/issues/366 CVE-2022-40022 
@@ -3284,12 +3286,14 @@ CVE-2022-39178 RESERVED CVE-2022-39177 (BlueZ before 5.59 allows physically proximate attackers to cause a den ...) - bluez 5.61-1 + [bullseye] - bluez (Minor issue) NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e2b0f0d8d63e1223bb714a9efb37e2257818268b (5.59) NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7a80d2096f1b7125085e21448112aa02f49f5e9a (5.59) NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=0388794dc5fdb73a4ea88bcf148de0a12b4364d4 (5.60) NOTE: https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/1977968 CVE-2022-39176 (BlueZ before 5.59 allows physically proximate attackers to obtain sens ...) - bluez 5.61-1 + [bullseye] - bluez (Minor issue) NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e2b0f0d8d63e1223bb714a9efb37e2257818268b (5.59) NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7a80d2096f1b7125085e21448112aa02f49f5e9a (5.59) NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=0388794dc5fdb73a4ea88bcf148de0a12b4364d4 (5.60) 
@@ -4488,18 +4492,22 @@ CVE-2022-2994 RESERVED CVE-2022-38752 (Using snakeYAML to parse untrusted YAML files may be vulnerable to Den ...) - snakeyaml + [bullseye] - snakeyaml (Minor issue) NOTE: https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081 (not public) CVE-2022-38751 (Using snakeYAML to parse untrusted YAML files may be vulnerable to Den ...) - snakeyaml + [bullseye] - snakeyaml (Minor issue) NOTE: https://bitbucket.org/snakeyaml/snakeyaml/issues/530/stackoverflow-oss-fuzz-47039 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039 CVE-2022-38750 (Using snakeYAML to parse untrusted YAML files may be vulnerable to Den ...) - snakeyaml + [bullseye] - snakeyaml (Minor issue) NOTE: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027 CVE-2022-38749 (Using snakeYAML to parse untrusted YAML files may be vulnerable to Den ...) - snakeyaml + [bullseye] - snakeyaml (Minor issue) NOTE: https://bitbucket.org/snakeyaml/snakeyaml/issues/525/got-stackoverflowerror-for-many-open NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47024 CVE-2022-38748 @@ -4531,6 +4539,7 @@ CVE-2022-2990 (An incorrect handling of the supplementary groups in the Buildah NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121453 CVE-2022-2989 (An incorrect handling of the supplementary groups in the Podman contai ...) - libpod (bug #1019591) + [bullseye] - libpod (Minor issue) NOTE: https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121445 CVE-2022-2988 
@@ -5143,6 +5152,7 @@ CVE-2022-38529 (tinyexr commit 0647fb3 was discovered to contain a heap-buffer o NOTE: https://github.com/syoyo/tinyexr/commit/82984a37d1dba67000a35b083b26df5e57a2bb72 CVE-2022-38528 (Open Asset Import Library (assimp) commit 3c253ca was discovered to co ...) - assimp + [bullseye] - assimp (Minor issue) NOTE: https://github.com/assimp/assimp/issues/4662 CVE-2022-38527 RESERVED @@ -6422,9 +6432,11 @@ CVE-2022-38154 RESERVED CVE-2022-38153 (An issue was discovered in wolfSSL before 5.5.0 (when --enable-session ...) - wolfssl + [bullseye] - wolfssl (Vulnerable code not present and session tickets not enabled)
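Review bot: in the snakeyaml hunk the four `[bullseye] - snakeyaml (Minor issue)` lines share one rationale that is not written down; since all four descriptions are stack-overflow denial of service on untrusted YAML, one NOTE on the block saying why they are minor (and that `- snakeyaml` in unstable still has no fixed version) would save a re-triage later. The oss-fuzz 47081 link is marked `(not public)`, so the bitbucket issue is the only verifiable reference for CVE-2022-38752.

Review bot: the wolfssl hunk states `Vulnerable code not present and session tickets not enabled` but records it in the plain `[bullseye] - wolfssl (reason)` form, which the tracker reads as no-dsa; if the vulnerable code really is absent, `[bullseye] - wolfssl <not-affected> (Vulnerable code not present)` is the accurate state, and the session-ticket build setting is then only a secondary argument. The patch is cut off after that line, so any further triage lines in this commit are not visible here.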
[Git][security-tracker-team/security-tracker][master] otfcc non issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0568dfee by Moritz Muehlenhoff at 2022-09-14T16:46:17+02:00 otfcc non issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -13107,191 +13107,196 @@ CVE-2022-35486 (OTFCC v0.10.4 was discovered to contain a segmentation violation - texlive-bin (unimportant; bug #1019602) [bullseye] - texlive-bin (Vulnerable code not present) [buster] - texlive-bin (Vulnerable code not present) - NOTE: Crash in CLI tool, no security impact) + NOTE: Crash in CLI tool, no security impact and affected code not built, see #1019602 CVE-2022-35485 (OTFCC v0.10.4 was discovered to contain a segmentation violation via / ...) - texlive-bin (unimportant; bug #1019602) [bullseye] - texlive-bin (Vulnerable code not present) [buster] - texlive-bin (Vulnerable code not present) - NOTE: Crash in CLI tool, no security impact) + NOTE: Crash in CLI tool, no security impact and affected code not built, see #1019602 CVE-2022-35484 (OTFCC v0.10.4 was discovered to contain a segmentation violation via / ...) - texlive-bin (unimportant; bug #1019602) [bullseye] - texlive-bin (Vulnerable code not present) [buster] - texlive-bin (Vulnerable code not present) - NOTE: Crash in CLI tool, no security impact) + NOTE: Crash in CLI tool, no security impact and affected code not built, see #1019602 CVE-2022-35483 (OTFCC v0.10.4 was discovered to contain a segmentation violation via / ...) - texlive-bin (unimportant; bug #1019602) [bullseye] - texlive-bin (Vulnerable code not present) [buster] - texlive-bin (Vulnerable code not present) - NOTE: Crash in CLI tool, no security impact) + NOTE: Crash in CLI tool, no security impact and affected code not built, see #1019602 CVE-2022-35482 (OTFCC v0.10.4 was discovered to contain a segmentation violation via / ...) - texlive-bin (unimportant; bug #1019602) [bullseye] - texlive-bin (Vulnerable code not present) [buster] - texlive-bin (Vulnerable code not present) - NOTE: Crash in CLI tool, no security impact) + NOTE: Crash in CLI tool, no security impact and affected code not built, see #1019602 CVE-2022-35481 (OTFCC v0.10.4 was discovered to contain a segmentation violation via / ...) 
- texlive-bin (unimportant; bug #1019602) [bullseye] - texlive-bin (Vulnerable code not present) [buster] - texlive-bin (Vulnerable code not present) - NOTE: Crash in CLI tool, no security impact) + NOTE: Crash in CLI tool, no security impact and affected code not built, see #1019602 CVE-2022-35480 RESERVED CVE-2022-35479 (OTFCC v0.10.4 was discovered to contain a segmentation violation via / ...) - texlive-bin (unimportant; bug #1019602) [bullseye] - texlive-bin (Vulnerable code not present) [buster] - texlive-bin (Vulnerable code not present) - NOTE: Crash in CLI tool, no security impact) + NOTE: Crash in CLI tool, no security impact and affected code not built, see #1019602 CVE-2022-35478 (OTFCC v0.10.4 was discovered to contain a segmentation violation via / ...) - texlive-bin (unimportant; bug #1019602) [bullseye] - texlive-bin (Vulnerable code not present) [buster] - texlive-bin (Vulnerable code not present) - NOTE: Crash in CLI tool, no security impact) + NOTE: Crash in CLI tool, no security impact and affected code not built, see #1019602 CVE-2022-35477 (OTFCC v0.10.4 was discovered to contain a segmentation violation via / ...) - texlive-bin (unimportant; bug #1019602) [bullseye] - texlive-bin (Vulnerable code not present) [buster] - texlive-bin (Vulnerable code not present) - NOTE: Crash in CLI tool, no security impact) + NOTE: Crash in CLI tool, no security impact and affected code not built, see #1019602 CVE-2022-35476 (OTFCC v0.10.4 was discovered to contain a segmentation violation via / ...) - texlive-bin (unimportant; bug #1019602) [bullseye] - texlive-bin (Vulnerable code not present) [buster] - texlive-bin (Vulnerable code not present) - NOTE: Crash in CLI tool, no security impact) + NOTE: Crash in CLI tool, no security impact and affected code not built, see #1019602 CVE-2022-35475 (OTFCC v0.10.4 was discovered to contain a heap-buffer overflow via /re ...) 
- - texlive-bin (bug #1019602) + - texlive-bin (unimportant; bug #1019602) [bullseye] - texlive-bin (Vulnerable code not present) [buster] - texlive-bin (Vulnerable code not present) + NOTE: Affected code not built, see #1019602 CVE-2022-35474 (OTFCC v0.10.4 was discovered to contain a heap-buffer
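Review bot: with the NOTE now saying the affected code is not built, the `[bullseye]`/`[buster] - texlive-bin (Vulnerable code not present)` lines are candidates for `<not-affected>` rather than the plain no-dsa form; if they are kept open on purpose because the OTFCC sources still ship in the texlive-bin source package (which is what the `unimportant` severity on the unstable line suggests), a NOTE saying so would make the triage self-explanatory. As a side effect the rewrite drops the stray trailing `)` that ended every old `NOTE: Crash in CLI tool, no security impact)` line, and CVE-2022-35475 is brought in line with its neighbours by gaining the `unimportant` tag.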
[Git][security-tracker-team/security-tracker][master] drop CVE-2022-32224 from DLA-3093-1
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: de0c07b1 by Abhijith PA at 2022-09-14T19:08:39+05:30 drop CVE-2022-32224 from DLA-3093-1 - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -21681,7 +21681,6 @@ CVE-2022-32225 (A reflected DOM-Based XSS vulnerability has been discovered in t NOT-FOR-US: Veeam CVE-2022-32224 RESERVED - {DLA-3093-1} - rails 2:6.1.6.1+dfsg-1 (bug #1016140) NOTE: https://github.com/advisories/GHSA-3hhc-qp5v-9p2j NOTE: Fixed by: https://github.com/rails/rails/commit/611990f1a6c137c2d56b1ba06b27e5d2434dcd6a (main) = data/DLA/list = @@ -41,7 +41,7 @@ {CVE-2021-0561} [buster] - flac 1.3.2-3+deb10u2 [03 Sep 2022] DLA-3093-1 rails - security update - {CVE-2022-21831 CVE-2022-22577 CVE-2022-23633 CVE-2022-2 CVE-2022-32224} + {CVE-2022-21831 CVE-2022-22577 CVE-2022-23633 CVE-2022-2} [buster] - rails 2:5.2.2.1+dfsg-1+deb10u4 [02 Sep 2022] DLA-3092-1 dpdk - security update {CVE-2022-2132} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de0c07b172ab04ca843894f92d959ef044c5a652 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de0c07b172ab04ca843894f92d959ef044c5a652 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
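Review bot: after dropping `{DLA-3093-1}` from CVE-2022-32224 there is no `[buster]` line left under it, so buster silently reverts to unfixed for this ID; add a `[buster] - rails ...` triage line (not-affected, no-dsa, or a dla-needed entry) so the state is explicit. In the DLA/list hunk the remaining reference list still contains `CVE-2022-2`, which is not a well-formed CVE identifier (an ID has at least four digits after the year) and looks truncated; it was already present before this change but is worth fixing while the line is being touched.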
[Git][security-tracker-team/security-tracker][master] Remove todo item for CVE-2022-36087, confirmed by maintainer
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d3106d66 by Salvatore Bonaccorso at 2022-09-14T15:36:29+02:00 Remove todo item for CVE-2022-36087, confirmed by maintainer And the upload addressing the issue will contain the two needed commits not in 3.2.1. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11688,7 +11688,6 @@ CVE-2022-36087 (OAuthLib is an implementation of the OAuth request-signing logic NOTE: Introduced with: https://github.com/oauthlib/oauthlib/commit/2b8a44855a51ad5a5b0c348a08c2564a2e197ea2 (v3.1.1) NOTE: Fixed by: https://github.com/oauthlib/oauthlib/commit/e514826eea15f2b62bbc13da407b71552ef5ff4c NOTE: Fixed by: https://github.com/oauthlib/oauthlib/commit/5d85c61998692643dd9d17e05d2646e06ce391e8 - TODO: double-check, the fix has not landed in 3.2.1 actually CVE-2022-36086 (linked_list_allocator is an allocator usable for no_std systems. Prior ...) NOT-FOR-US: linked_list_allocator CVE-2022-36085 (Open Policy Agent (OPA) is an open source, general-purpose policy engi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d3106d663aec780d2eb31be21628de00843837ad -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d3106d663aec780d2eb31be21628de00843837ad You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
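Review bot: the removed TODO carried the fact that the two `Fixed by:` commits are not in oauthlib 3.2.1, and nothing in the entry records it now; unlike the `Introduced with: ... (v3.1.1)` line, the fix commits have no release annotation, so add one (or a NOTE that no release contains them yet) so the next reader does not repeat the check the commit message describes.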
[Git][security-tracker-team/security-tracker][master] CVE-2022-38266/leptonlib: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: e5e33f82 by Sylvain Beucler at 2022-09-14T14:37:38+02:00 CVE-2022-38266/leptonlib: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6063,6 +6063,7 @@ CVE-2022-38267 (School Activity Updates with SMS Notification v1.0 was discovere CVE-2022-38266 (An issue in the Leptonica linked library (v1.79.0) in Tesseract v5.0.0 ...) - leptonlib 1.82.0-1 [bullseye] - leptonlib (Minor issue) + [buster] - leptonlib (Minor issue, SIGFPE in CLI tools) NOTE: https://github.com/DanBloomberg/leptonica/commit/f062b42c0ea8dddebdc6a152fd16152de215d614 (1.81.0) NOTE: https://github.com/tesseract-ocr/tesseract/issues/3498 CVE-2022-38265 (Apartment Visitor Management System v1.0 was discovered to contain a S ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e5e33f820d74e64764292873c5614c100ada7c89 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e5e33f820d74e64764292873c5614c100ada7c89 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
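Review bot: the subject says "buster postponed" but the entry uses the plain `[buster] - leptonlib (Minor issue, SIGFPE in CLI tools)` form, which the tracker treats as no-dsa; if the intent is to fix it with a later update, `[buster] - leptonlib <postponed> (Minor issue, SIGFPE in CLI tools)` records that intent. The bullseye line above it uses the same plain form, so if both are meant as no-dsa only the wording of the subject is off.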
[Git][security-tracker-team/security-tracker][master] lts: take bzip2
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 3f9df9b5 by Emilio Pozuelo Monfort at 2022-09-14T14:05:46+02:00 lts: take bzip2 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -22,6 +22,9 @@ bluez NOTE: 20220902: Programming language: C. NOTE: 20220902: Consider synchronizing with Stretch. (apo) -- +bzip2 (Emilio) + NOTE: 20220914: https://lists.debian.org/debian-lts/2022/09/msg00041.html +-- curl NOTE: 20220901: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f9df9b56078798a8524ffdae9af9980363129da -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f9df9b56078798a8524ffdae9af9980363129da You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
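Review bot: the new `bzip2 (Emilio)` entry documents its claim only through a list-archive URL, while neighbouring entries carry `Programming language:` and `VCS:` NOTE lines; a one-line summary of what the referenced mail proposes would spare the next reader a lookup. The dated `NOTE: 20220914:` prefix matches the list's convention.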
[Git][security-tracker-team/security-tracker][master] Move CVE-2022-1748 to a NFU entry
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0dcf6a2e by Salvatore Bonaccorso at 2022-09-14T13:04:30+02:00 Move CVE-2022-1748 to a NFU entry - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -203496,7 +203496,7 @@ CVE-2020-1749 (A flaw was found in the Linux kernel's implementation of some net [stretch] - linux 4.9.228-1 NOTE: https://git.kernel.org/linus/6c8991f41546c3c472503dff1ea9daaddf9331c2 CVE-2020-1748 (A flaw was found in all supported versions before wildfly-elytron-1.6. ...) - - wildfly (bug #752018) + NOT-FOR-US: WildFly Elytron CVE-2020-1747 (A vulnerability was discovered in the PyYAML library in versions befor ...) - pyyaml 5.3-2 (bug #953013) [buster] - pyyaml (Loader/Constructor classes are unsafe in this version) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0dcf6a2e514463e73e12505d9e5d71c681ebe064 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0dcf6a2e514463e73e12505d9e5d71c681ebe064 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
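Review bot: replacing `- wildfly (bug #752018)` with `NOT-FOR-US: WildFly Elytron` drops the only reference to bug #752018; if that bug is the reason wildfly is considered outside the archive, keep the number in a NOTE so the decision stays traceable. The NFU string names WildFly Elytron while the old entry named wildfly, so a short NOTE tying the two together would help readers match them.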
[Git][security-tracker-team/security-tracker][master] NFU, concludes external check
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 54b2c084 by Moritz Muehlenhoff at 2022-09-14T12:24:25+02:00 NFU, concludes external check - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1247,6 +1247,7 @@ CVE-2022-3144 RESERVED CVE-2022-3143 RESERVED + NOT-FOR-US: WildFly Elytron CVE-2022-40137 RESERVED CVE-2022-40136 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54b2c08480dfb22b2633f8c5fe4d1a5d91eb263e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54b2c08480dfb22b2633f8c5fe4d1a5d91eb263e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
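Review bot: CVE-2022-3143 is still RESERVED, so the `NOT-FOR-US: WildFly Elytron` assignment rests on something outside the CVE text; the commit message calls it an external check, and a NOTE with the source (advisory or upstream tracker URL) would let others verify it without repeating that check.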
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9a0d5201 by Salvatore Bonaccorso at 2022-09-14T11:04:14+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5350,7 +5350,7 @@ CVE-2022-2910 CVE-2022-2909 (A vulnerability was found in SourceCodester Simple and Nice Shopping C ...) NOT-FOR-US: SourceCodester Simple and Nice Shopping Cart Script CVE-2022-38466 (A vulnerability has been identified in CoreShield One-Way Gateway (OWG ...) - TODO: check + NOT-FOR-US: CoreShield One-Way Gateway (OWG) CVE-2022-38465 RESERVED CVE-2022-38089 (Stored cross-site scripting vulnerability in Exment ((PHP8) exceedone/ ...) @@ -5888,7 +5888,7 @@ CVE-2022-38344 CVE-2022-38343 RESERVED CVE-2022-38342 (Safe Software FME Server v2022.0.1.1 and below was discovered to conta ...) - TODO: check + NOT-FOR-US: Safe Software FME Server CVE-2022-38341 RESERVED CVE-2022-38340 @@ -5914,7 +5914,7 @@ CVE-2022-38331 CVE-2022-38330 RESERVED CVE-2022-38329 (An issue was discovered in Shopxian CMS 3.0.0. There is a CSRF vulnera ...) - TODO: check + NOT-FOR-US: Shopxian CMS CVE-2022-38328 RESERVED CVE-2022-38327 @@ -5982,7 +5982,7 @@ CVE-2022-2819 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to CVE-2022-2818 (Authentication Bypass by Primary Weakness in GitHub repository cockpit ...) NOT-FOR-US: Cockpit-HQ/Cockpit CVE-2022-38305 (AeroCMS v0.0.1 was discovered to contain an arbitrary file upload vuln ...) - TODO: check + NOT-FOR-US: AeroCMS CVE-2022-38304 (Online Leave Management System v1.0 was discovered to contain a SQL in ...) NOT-FOR-US: Online Leave Management System CVE-2022-38303 (Online Leave Management System v1.0 was discovered to contain a SQL in ...) 
@@ -6775,9 +6775,9 @@ CVE-2022-38022 CVE-2022-38021 RESERVED CVE-2022-38020 (Visual Studio Code Elevation of Privilege Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-38019 (AV1 Video Extension Remote Code Execution Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-38018 RESERVED CVE-2022-38017 @@ -6789,25 +6789,25 @@ CVE-2022-38015 CVE-2022-38014 RESERVED CVE-2022-38013 (.NET Core and Visual Studio Denial of Service Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-38012 (Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-38011 (Raw Image Extension Remote Code Execution Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-38010 (Microsoft Office Visio Remote Code Execution Vulnerability. This CVE I ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-38009 (Microsoft SharePoint Server Remote Code Execution Vulnerability. This ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-38008 (Microsoft SharePoint Server Remote Code Execution Vulnerability. This ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-38007 (Azure Guest Configuration and Azure Arc-enabled servers Elevation of P ...) TODO: check CVE-2022-38006 (Windows Graphics Component Information Disclosure Vulnerability. This ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-38005 (Windows Print Spooler Elevation of Privilege Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-38004 (Windows Fax Service Remote Code Execution Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-38003 RESERVED CVE-2022-38002 @@ -6877,7 +6877,7 @@ CVE-2022-37971 CVE-2022-37970 RESERVED CVE-2022-37969 (Windows Common Log File System Driver Elevation of Privilege Vulnerabi ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-37968 RESERVED CVE-2022-37967 
@@ -6887,27 +6887,27 @@ CVE-2022-37966 CVE-2022-37965 RESERVED CVE-2022-37964 (Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is un ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-37963 (Microsoft Office Visio Remote Code Execution Vulnerability. This CVE I ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-37962 (Microsoft PowerPoint Remote Code Execution Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-37961 (Microsoft SharePoint Server Remote Code Execution Vulnerability. This ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-37960 RESERVED CVE-2022-37959 (Network Device Enrollment Service (NDES) Security Feature Bypass Vulne ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-37958 (SPNEGO Extended Negotiation (NEGOEX) Security Mechanism
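Review bot: CVE-2022-38007 (Azure Guest Configuration and Azure Arc-enabled servers) is the one entry in the Microsoft block left at `TODO: check` while all its neighbours become `NOT-FOR-US: Microsoft`; if that is deliberate because a guest-configuration agent might have a packaged component, a NOTE saying so will stop the next triager from treating it as an oversight. The patch is truncated after CVE-2022-37958, so the tail of this commit is not visible here.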
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 343cfa65 by Salvatore Bonaccorso at 2022-09-14T11:00:32+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -147,11 +147,11 @@ CVE-2022-40625 CVE-2022-40624 RESERVED CVE-2022-40623 (The WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030 ...) - TODO: check + NOT-FOR-US: WAVLINK CVE-2022-40622 (The WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030 ...) - TODO: check + NOT-FOR-US: WAVLINK CVE-2022-40621 (Because the WAVLINK Quantum D4G (WN531G3) running firmware version M31 ...) - TODO: check + NOT-FOR-US: WAVLINK CVE-2022-40620 RESERVED CVE-2022-40619 @@ -203,7 +203,7 @@ CVE-2022-3184 CVE-2022-3183 RESERVED CVE-2022-3182 (Improper Access Control vulnerability in the Duo SMS two-factor of Dev ...) - TODO: check + NOT-FOR-US: Devolutions Remote Desktop Manager CVE-2022-40606 RESERVED CVE-2022-40605 @@ -1928,21 +1928,21 @@ CVE-2022-39823 CVE-2022-39822 RESERVED CVE-2022-39821 (In NOKIA 1350 OMS R14.2, an Insertion of Sensitive Information into an ...) - TODO: check + NOT-FOR-US: NOKIA CVE-2022-39820 RESERVED CVE-2022-39819 (In NOKIA 1350 OMS R14.2, multiple OS Command Injection vulnerabilities ...) - TODO: check + NOT-FOR-US: NOKIA CVE-2022-39818 RESERVED CVE-2022-39817 (In NOKIA 1350 OMS R14.2, multiple SQL Injection vulnerabilities occur ...) - TODO: check + NOT-FOR-US: NOKIA CVE-2022-39816 (In NOKIA 1350 OMS R14.2, Insufficiently Protected Credentials (clearte ...) - TODO: check + NOT-FOR-US: NOKIA CVE-2022-39815 (In NOKIA 1350 OMS R14.2, multiple OS Command Injection vulnerabilities ...) - TODO: check + NOT-FOR-US: NOKIA CVE-2022-39814 (In NOKIA 1350 OMS R14.2, an Open Redirect vulnerability occurs is the ...) - TODO: check + NOT-FOR-US: NOKIA CVE-2022-39813 RESERVED CVE-2022-39812 
@@ -4305,7 +4305,7 @@ CVE-2022-3028 (A race condition was found in the Linux kernel's IP framework for NOTE: https://lore.kernel.org/all/ytowqekkzvimz...@gondor.apana.org.au/T/ NOTE: https://git.kernel.org/linus/ba953a9d89a00c078b85f4b190bc1dde66fe16b5 (6.0-rc3) CVE-2022-3027 (The CMS8000 device does not properly control or sanitize the SSID name ...) - TODO: check + NOT-FOR-US: CMS8000 device CVE-2022-3026 (The WP Users Exporter plugin for WordPress is vulnerable to CSV Inject ...) NOT-FOR-US: WP Users Exporter plugin for WordPress CVE-2022-3025 @@ -4433,13 +4433,13 @@ CVE-2022-3000 CVE-2022-38772 (Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Co ...) NOT-FOR-US: Zoho ManageEngine CVE-2022-38771 (The mobile application in Transtek Mojodat FAM (Fixed Asset Management ...) - TODO: check + NOT-FOR-US: Transtek CVE-2022-38770 (The mobile application in Transtek Mojodat FAM (Fixed Asset Management ...) - TODO: check + NOT-FOR-US: Transtek CVE-2022-38769 (The mobile application in Transtek Mojodat FAM (Fixed Asset Management ...) - TODO: check + NOT-FOR-US: Transtek CVE-2022-38768 (The mobile application in Transtek Mojodat FAM (Fixed Asset Management ...) - TODO: check + NOT-FOR-US: Transtek CVE-2022-38767 RESERVED CVE-2022-38766 @@ -4914,7 +4914,7 @@ CVE-2022-38639 (A cross-site scripting (XSS) vulnerability in Markdown-Nice v1.8 CVE-2022-38638 (Casdoor v1.97.3 was discovered to contain an arbitrary file write vuln ...) NOT-FOR-US: Casdoor CVE-2022-38637 (Hospital Management System v1.0 was discovered to contain multiple SQL ...) - TODO: check + NOT-FOR-US: Hospital Management System CVE-2022-38636 RESERVED CVE-2022-38635 
@@ -4956,7 +4956,7 @@ CVE-2022-38618 CVE-2022-38617 RESERVED CVE-2022-38616 (SmartVista SVFE2 v2.2.22 was discovered to contain a SQL injection vul ...) - TODO: check + NOT-FOR-US: SmartVista CVE-2022-38615 (SmartVista SVFE2 v2.2.22 was discovered to contain multiple SQL inject ...) NOT-FOR-US: SmartVista CVE-2022-38614 (An issue in the IGB Files and OutfileService features of SmartVista Ca ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/343cfa65daf417bf7428b98c0f3a961a8a6c28fa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/343cfa65daf417bf7428b98c0f3a961a8a6c28fa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net
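Review bot: `NOT-FOR-US: CMS8000 device` names the product without its vendor, whereas the other NFU strings in this commit (`WAVLINK`, `NOKIA`, `Transtek`, `SmartVista`) name the vendor; since these strings are what later searches of the list match on, include the vendor if it is known. The remaining hunks map cleanly to the products named in the descriptions.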
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f02e3cb by Salvatore Bonaccorso at 2022-09-14T10:52:10+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9889,7 +9889,7 @@ CVE-2022-36770 CVE-2022-36769 RESERVED CVE-2022-36768 (IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local ...) - TODO: check + NOT-FOR-US: IBM CVE-2022-2546 RESERVED CVE-2022-2545 @@ -12755,7 +12755,7 @@ CVE-2022-35639 (IBM Sterling Partner Engagement Manager 6.1, 6.2, and Cloud 22.2 CVE-2022-35638 RESERVED CVE-2022-35637 (IBM Db2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, 11.1, and 11.5 is ...) - TODO: check + NOT-FOR-US: IBM CVE-2022-35636 RESERVED CVE-2022-35635 @@ -16248,7 +16248,7 @@ CVE-2022-34358 (IBM i 7.2, 7.3, 7.4, and 7.5 is vulnerable to cross-site scripti CVE-2022-34357 RESERVED CVE-2022-34356 (IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local ...) - TODO: check + NOT-FOR-US: IBM CVE-2022-34355 RESERVED CVE-2022-34354 @@ -16302,7 +16302,7 @@ CVE-2022-34338 (IBM Robotic Process Automation 21.0.0, 21.0.1, and 21.0.2 could CVE-2022-34337 RESERVED CVE-2022-34336 (IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable ...) - TODO: check + NOT-FOR-US: IBM CVE-2022-34335 RESERVED CVE-2022-34334 @@ -52181,7 +52181,7 @@ CVE-2022-22485 (In some cases, an unsuccessful attempt to log into IBM Spectrum CVE-2022-22484 (IBM Spectrum Protect Operations Center 8.1.12 and 8.1.13 could allow a ...) NOT-FOR-US: IBM CVE-2022-22483 (IBM Db2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, 11.1, and 11.5 is ...) - TODO: check + NOT-FOR-US: IBM CVE-2022-22482 (IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.5 a ...) NOT-FOR-US: IBM CVE-2022-22481 (IBM Navigator for i 7.2, 7.3, and 7.4 (heritage version) could allow a ...) 
@@ -52487,9 +52487,9 @@ CVE-2022-22332 (IBM Sterling Partner Engagement Manager 6.2.0 could allow an att CVE-2022-22331 (IBM SterlingPartner Engagement Manager 6.2.0 could allow a remote auth ...) NOT-FOR-US: IBM CVE-2022-22330 (IBM Control Desk 7.6.1 could allow a remote attacker to obtain sensiti ...) - TODO: check + NOT-FOR-US: IBM CVE-2022-22329 (IBM Control Desk 7.6.1 does not set the secure attribute on authorizat ...) - TODO: check + NOT-FOR-US: IBM CVE-2022-22328 (IBM SterlingPartner Engagement Manager 6.2.0 could allow a malicious u ...) NOT-FOR-US: IBM CVE-2022-22327 (IBM UrbanCode Deploy (UCD) 7.0.5, 7.1.0, 7.1.1, and 7.1.2 uses weaker ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f02e3cbe7de06298a08c2e92024c2db8b074598 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f02e3cbe7de06298a08c2e92024c2db8b074598 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Record upstream commit for CVE-2022-40674
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a644df52 by Salvatore Bonaccorso at 2022-09-14T10:51:02+02:00 Record upstream commit for CVE-2022-40674 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2,6 +2,7 @@ CVE-2022-40674 (libexpat before 2.4.9 has a use-after-free in the doContent func - expat NOTE: https://github.com/libexpat/libexpat/pull/629 NOTE: https://github.com/libexpat/libexpat/pull/640 + NOTE: https://github.com/libexpat/libexpat/commit/4a32da87e931ba54393d465bb77c40b5c33d343b CVE-2022-40673 (KDiskMark before 3.1.0 lacks authorization checking for D-Bus methods ...) TODO: check CVE-2022-40670 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a644df52764e93147ae8712a2b16e296340c6e30 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a644df52764e93147ae8712a2b16e296340c6e30 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
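Review bot: With this NOTE the CVE-2022-40674 entry now carries three upstream references (PR 629, PR 640 and commit 4a32da87) but nothing says which of them is the actual fix; a short parenthetical on the commit NOTE line, in the style of the `(5.18-rc1)` tag used on kernel entries, would spare the next triager from re-reading all three. The `- expat` line also still has no fixed version, so every suite remains listed as affected until the 2.4.9 upload is recorded.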
[Git][security-tracker-team/security-tracker][master] new enlightenment issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9a6e6739 by Moritz Muehlenhoff at 2022-09-14T10:49:07+02:00 new enlightenment issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7459,6 +7459,8 @@ CVE-2022-37707 RESERVED CVE-2022-37706 RESERVED + - e17 + NOTE: https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit CVE-2022-37705 RESERVED CVE-2022-37704 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a6e67395839934dbb0d54e20eb63951b8e6251d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a6e67395839934dbb0d54e20eb63951b8e6251d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
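Review bot: The new `- e17` line for CVE-2022-37706 has no fixed version and no [bullseye]/[buster] annotation, so the issue is tracked as unfixed in every suite, and its only reference is a third-party exploit repository rather than an upstream bug or fix commit. Please add the upstream enlightenment reference (and the fixed upstream version once known) so the fix can be verified and backported, and a severity annotation if the impact for Debian's e17 package has been assessed.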
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-40674/expat
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: acf44d90 by Salvatore Bonaccorso at 2022-09-14T10:47:53+02:00 Add CVE-2022-40674/expat - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,7 @@ CVE-2022-40674 (libexpat before 2.4.9 has a use-after-free in the doContent function i ...) - TODO: check + - expat + NOTE: https://github.com/libexpat/libexpat/pull/629 + NOTE: https://github.com/libexpat/libexpat/pull/640 CVE-2022-40673 (KDiskMark before 3.1.0 lacks authorization checking for D-Bus methods ...) TODO: check CVE-2022-40670 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/acf44d907118d303efe5b6e8d26ca7d22ad4e496 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/acf44d907118d303efe5b6e8d26ca7d22ad4e496 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
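Review bot: Replacing `TODO: check` with a bare `- expat` marks all suites vulnerable with no fixed version even though the description already states the fix is in libexpat 2.4.9; that is correct while 2.4.9 is not in unstable, but the stable suites should get a [bullseye]/[buster] line once the severity of the doContent use-after-free is assessed, and the two PR NOTEs could say how they relate (fix versus follow-up) so the backport picks the right one.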
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 78a370a2 by security tracker role at 2022-09-14T08:10:18+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,83 @@ +CVE-2022-40674 (libexpat before 2.4.9 has a use-after-free in the doContent function i ...) + TODO: check +CVE-2022-40673 (KDiskMark before 3.1.0 lacks authorization checking for D-Bus methods ...) + TODO: check +CVE-2022-40670 + RESERVED +CVE-2022-40669 + RESERVED +CVE-2022-40668 + RESERVED +CVE-2022-40667 + RESERVED +CVE-2022-40666 + RESERVED +CVE-2022-40665 + RESERVED +CVE-2022-40664 + RESERVED +CVE-2022-40663 + RESERVED +CVE-2022-40662 + RESERVED +CVE-2022-40661 + RESERVED +CVE-2022-40660 + RESERVED +CVE-2022-40659 + RESERVED +CVE-2022-40658 + RESERVED +CVE-2022-40657 + RESERVED +CVE-2022-40656 + RESERVED +CVE-2022-40655 + RESERVED +CVE-2022-40654 + RESERVED +CVE-2022-40653 + RESERVED +CVE-2022-40652 + RESERVED +CVE-2022-40651 + RESERVED +CVE-2022-40650 + RESERVED +CVE-2022-40649 + RESERVED +CVE-2022-40648 + RESERVED +CVE-2022-40647 + RESERVED +CVE-2022-40646 + RESERVED +CVE-2022-40645 + RESERVED +CVE-2022-40644 + RESERVED +CVE-2022-40643 + RESERVED +CVE-2022-40642 + RESERVED +CVE-2022-40641 + RESERVED +CVE-2022-40640 + RESERVED +CVE-2022-40639 + RESERVED +CVE-2022-40638 + RESERVED +CVE-2022-40637 + RESERVED +CVE-2022-40636 + RESERVED +CVE-2022-3210 + RESERVED +CVE-2022-31735 + RESERVED +CVE-2021-46838 + RESERVED CVE-2022-40635 (Improper Control of Dynamically-Managed Code Resources vulnerability i ...) NOT-FOR-US: Crafter Studio of Crafter CMS CVE-2022-40634 (Improper Control of Dynamically-Managed Code Resources vulnerability i ...) @@ -18,8 +98,8 @@ CVE-2022-3207 RESERVED CVE-2022-3206 RESERVED -CVE-2022-3205 - RESERVED +CVE-2022-3205 (An XSS exists in automation controller UI where the project name is su ...) + TODO: check CVE-2022-3204 RESERVED CVE-2022-3203 
@@ -57,18 +137,18 @@ CVE-2022-40628 RESERVED CVE-2022-40627 RESERVED -CVE-2022-40626 - RESERVED +CVE-2022-40626 (An unauthenticated user can create a link with reflected Javascript co ...) + TODO: check CVE-2022-40625 RESERVED CVE-2022-40624 RESERVED -CVE-2022-40623 - RESERVED -CVE-2022-40622 - RESERVED -CVE-2022-40621 - RESERVED +CVE-2022-40623 (The WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030 ...) + TODO: check +CVE-2022-40622 (The WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030 ...) + TODO: check +CVE-2022-40621 (Because the WAVLINK Quantum D4G (WN531G3) running firmware version M31 ...) + TODO: check CVE-2022-40620 RESERVED CVE-2022-40619 @@ -119,8 +199,8 @@ CVE-2022-3184 RESERVED CVE-2022-3183 RESERVED -CVE-2022-3182 - RESERVED +CVE-2022-3182 (Improper Access Control vulnerability in the Duo SMS two-factor of Dev ...) + TODO: check CVE-2022-40606 RESERVED CVE-2022-40605 @@ -1844,22 +1924,22 @@ CVE-2022-39823 RESERVED CVE-2022-39822 RESERVED -CVE-2022-39821 - RESERVED +CVE-2022-39821 (In NOKIA 1350 OMS R14.2, an Insertion of Sensitive Information into an ...) + TODO: check CVE-2022-39820 RESERVED -CVE-2022-39819 - RESERVED +CVE-2022-39819 (In NOKIA 1350 OMS R14.2, multiple OS Command Injection vulnerabilities ...) + TODO: check CVE-2022-39818 RESERVED -CVE-2022-39817 - RESERVED -CVE-2022-39816 - RESERVED -CVE-2022-39815 - RESERVED -CVE-2022-39814 - RESERVED +CVE-2022-39817 (In NOKIA 1350 OMS R14.2, multiple SQL Injection vulnerabilities occur ...) + TODO: check +CVE-2022-39816 (In NOKIA 1350 OMS R14.2, Insufficiently Protected Credentials (clearte ...) + TODO: check +CVE-2022-39815 (In NOKIA 1350 OMS R14.2, multiple OS Command Injection vulnerabilities ...) + TODO: check +CVE-2022-39814 (In NOKIA 1350 OMS R14.2, an Open Redirect vulnerability occurs is the ...) + TODO: check CVE-2022-39813 RESERVED CVE-2022-39812 
@@ -4349,14 +4429,14 @@ CVE-2022-3000 RESERVED CVE-2022-38772 (Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Co ...) NOT-FOR-US: Zoho ManageEngine -CVE-2022-38771 - RESERVED -CVE-2022-38770 - RESERVED -CVE-2022-38769 - RESERVED -CVE-2022-38768 - RESERVED +CVE-2022-38771 (The mobile application in Transtek Mojodat FAM (Fixed Asset Management ...) + TODO: check +CVE-2022-38770 (The mobile application in Transtek Mojodat FAM (Fixed
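Review bot: In the first hunk, CVE-2022-40674 (libexpat before 2.4.9, use-after-free in doContent) and CVE-2022-40673 (KDiskMark D-Bus authorization) both enter as `TODO: check`; expat is a library in the archive (it is assigned to `- expat` in commit acf44d90 above), so that entry deserves triage ahead of the vendor-appliance items in the following hunks (WAVLINK Quantum D4G, NOKIA 1350 OMS, Transtek Mojodat), which look like NOT-FOR-US candidates.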
[Git][security-tracker-team/security-tracker][master] two samba issues fixed in experimental
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: bb1d5493 by Moritz Muehlenhoff at 2022-09-14T09:55:36+02:00 two samba issues fixed in experimental - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20171,6 +20171,7 @@ CVE-2022-32744 (A flaw was found in Samba. The KDC accepts kpasswd requests encr [buster] - samba (Minor issue; affects Samba as AD DC) NOTE: https://www.samba.org/samba/security/CVE-2022-32744.html CVE-2022-32743 (Samba does not validate the Validated-DNS-Host-Name right for the dNSH ...) + [experimental] - samba 2:4.17.0+dfsg-1 - samba [bullseye] - samba (Minor issue) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14833 @@ -27379,6 +27380,7 @@ CVE-2022-29483 (Incorrect Default Permissions vulnerability in ABB e-Design allo CVE-2022-28702 (Incorrect Default Permissions vulnerability in ABB e-Design allows att ...) NOT-FOR-US: ABB e-Design CVE-2022-1615 (In Samba, GnuTLS gnutls_rnd() can fail and give predictable random val ...) + [experimental] - samba 2:4.17.0+dfsg-1 - samba [bullseye] - samba (Minor issue) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=15103 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb1d5493ae8b559d87e5ff2cb8378c1dea746e42 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb1d5493ae8b559d87e5ff2cb8378c1dea746e42 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
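Review bot: Both hunks add `[experimental] - samba 2:4.17.0+dfsg-1` while leaving the unstable line as a bare `- samba`, so unstable stays marked vulnerable (and bullseye as Minor issue) until 4.17.0 migrates or a targeted fix is uploaded; that is the right representation, but a NOTE naming the upstream release that contains each fix would make clear that 4.17.0 is where the fix landed rather than an incidental version bump.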
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-1278/wildfly
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0edd7b03 by Salvatore Bonaccorso at 2022-09-14T09:02:23+02:00 Add CVE-2022-1278/wildfly - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32120,7 +32120,7 @@ CVE-2022-1280 (A use-after-free vulnerability was found in drm_lease_held in dri CVE-2022-1279 (A vulnerability in the encryption implementation of EBICS messages in ...) NOT-FOR-US: ebics-java CVE-2022-1278 (A flaw was found in WildFly, where an attacker can see deployment name ...) - TODO: check + - wildfly (bug #752018) CVE-2022-1277 (Inavitas Solar Log product has an unauthenticated SQL Injection vulner ...) NOT-FOR-US: Inavitas Solar Log CVE-2022-1276 (Out-of-bounds Read in mrb_get_args in GitHub repository mruby/mruby pr ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0edd7b03a55c95d0bb64af4e1aa72eb20b853bea -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0edd7b03a55c95d0bb64af4e1aa72eb20b853bea You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
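Review bot: `- wildfly (bug #752018)` records no fixed version and no status tag, so the tracker will report CVE-2022-1278 as an open issue in unstable; if #752018 is a packaging request (ITP/RFP) rather than a bug against a package in the archive, the usual form is `- wildfly <itp> (bug #752018)` so the entry is not counted as unfixed.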
[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-3193 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 738a74e3 by Salvatore Bonaccorso at 2022-09-14T08:58:25+02:00 Mark CVE-2022-3193 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -48,6 +48,7 @@ CVE-2022-3194 RESERVED CVE-2022-3193 RESERVED + NOT-FOR-US: ovirt-engine CVE-2022-40630 RESERVED CVE-2022-40629 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/738a74e39c881551427f83faec9d3c3dd1b1df40 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/738a74e39c881551427f83faec9d3c3dd1b1df40 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-3202/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f461908b by Salvatore Bonaccorso at 2022-09-14T08:53:36+02:00 Add CVE-2022-3202/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -26,6 +26,10 @@ CVE-2022-3203 RESERVED CVE-2022-3202 RESERVED + - linux 5.17.3-1 + [bullseye] - linux 5.10.113-1 + [buster] - linux 4.19.249-1 + NOTE: https://git.kernel.org/linus/a53046291020ec41e09181396c1e829287b48d47 (5.18-rc1) CVE-2022-3201 RESERVED CVE-2022-3200 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f461908b4755ee2c397dc8aa12ef42e8e155b512 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f461908b4755ee2c397dc8aa12ef42e8e155b512 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
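Review bot: The unstable fixed version 5.17.3-1 predates the 5.18-rc1 upstream commit cited in the NOTE, so the fix presumably reached Debian through the 5.17.y, 5.10.y and 4.19.y stable series; adding the stable-tree tags or stable commit ids alongside `(5.18-rc1)` would make the three fixed versions verifiable instead of implied.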
[Git][security-tracker-team/security-tracker][master] Mark ntp as removed from unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 638d973c by Salvatore Bonaccorso at 2022-09-14T08:48:27+02:00 Mark ntp as removed from unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -283075,7 +283075,7 @@ CVE-2018-12329 (Protection Mechanism Failure in ECOS Secure Boot Stick (aka SBS) CVE-2018-12328 RESERVED CVE-2018-12327 (Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 ...) - - ntp (unimportant) + - ntp (unimportant) NOTE: https://gist.github.com/fakhrizulkifli/9b58ed8e0354e8deee50b0eebd1c011f NOTE: Negligible security impact CVE-2018-12326 (Buffer overflow in redis-cli of Redis before 4.0.10 and 5.x before 5.0 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/638d973c86d87fdad1c9b621da6893a807a1d4fd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/638d973c86d87fdad1c9b621da6893a807a1d4fd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
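Review bot: As rendered here, the removed and added lines for CVE-2018-12327 are identical (`- ntp (unimportant)`), so the diff does not show the change the commit title describes; the `<removed>` pseudo-version that marks a package as dropped from unstable was most likely stripped by the mail rendering as an HTML tag, but please confirm the committed line reads `- ntp <removed> (unimportant)`.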