[Git][security-tracker-team/security-tracker][master] Reserve DLA-3175-1 for python3.7
Stefano Rivera pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c4e80d1 by Stefano Rivera at 2022-11-01T08:39:36+02:00 Reserve DLA-3175-1 for python3.7 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[01 Nov 2022] DLA-3175-1 python3.7 - security update + {CVE-2022-37454} + [buster] - python3.7 3.7.3-2+deb10u4 [31 Oct 2022] DLA-3174-1 pysha3 - security update {CVE-2022-37454} [buster] - pysha3 1.0.2-2+deb10u1 = data/dla-needed.txt = @@ -184,10 +184,6 @@ pluxml NOTE: 20220913: Programming language: PHP. NOTE: 20220913: Special attention: orphaned package. -- -python3.7 (Stefano Rivera) - NOTE: 20221031: Programming language: C. - NOTE: 20221031: Special attention: urgent. --- protobuf NOTE: 20221031: Programming language: Several. NOTE: 20221031: Note the 'Note' that one of the CVEs affects the generated code and must therefore get special attention from the application developer using protobuf. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c4e80d1b3e92932d8c5a142aaa48f361398414b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2022-39253/git and CVE-2022-39260/git fixed via unstable upload
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7241fcb9 by Salvatore Bonaccorso at 2022-11-01T07:01:30+01:00 CVE-2022-39253/git and CVE-2022-39260/git fixed via unstable upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14560,7 +14560,7 @@ CVE-2022-39261 (Twig is a template language for PHP. Versions 1.x prior to 1.44. NOTE: https://github.com/twigphp/Twig/security/advisories/GHSA-52m2-vc4m-jj33 NOTE: https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b (v1.44.7, v2.15.3, v3.4.3) CVE-2022-39260 (Git is an open source, scalable, distributed revision control system. ...) - - git (bug #1022046) + - git 1:2.38.1-1 (bug #1022046) NOTE: https://www.openwall.com/lists/oss-security/2022/10/18/5 NOTE: https://lore.kernel.org/git/xmqq4jw1uku5.fsf@gitster.g/T/#u NOTE: https://github.com/git/git/commit/32696a4cbe90929ae79ea442f5102c513ce3dfaa (v2.30.6) 
@@ -14582,7 +14582,7 @@ CVE-2022-39254 (matrix-nio is a Python Matrix client library, designed according NOTE: https://github.com/poljar/matrix-nio/security/advisories/GHSA-w4pr-4vjg-hffh NOTE: https://github.com/poljar/matrix-nio/commit/b1cbf234a831daa160673defd596e6450e9c29f0 (0.20.0) CVE-2022-39253 (Git is an open source, scalable, distributed revision control system. ...) - - git (bug #1022046) + - git 1:2.38.1-1 (bug #1022046) NOTE: https://www.openwall.com/lists/oss-security/2022/10/18/5 NOTE: https://lore.kernel.org/git/xmqq4jw1uku5.fsf@gitster.g/T/#u NOTE: https://github.com/git/git/commit/6f054f9fb3a501c35b55c65e547a244f14c38d56 (v2.30.6) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7241fcb9c4f8a90ce43ac16593cc4fa5fcb66a35
[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-31778 as ignored for buster
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 19db2921 by Abhijith PA at 2022-11-01T11:19:16+05:30 Mark CVE-2022-31778 as ignored for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -34853,6 +34853,7 @@ CVE-2022-31779 (Improper Input Validation vulnerability in HTTP/2 header parsing CVE-2022-31778 (Improper Input Validation vulnerability in handling the Transfer-Encod ...) {DSA-5206-1} - trafficserver 9.1.3+ds-1 + [buster] - trafficserver (Minor issue, intrusive to backport) NOTE: https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21 CVE-2022-31777 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19db2921e8f9c9d1ada3d8318bbd394238c2a11c
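Review bot: the added buster line does not match the commit message as rendered here. `[buster] - trafficserver (Minor issue, intrusive to backport)` carries no `<ignored>` tag, and a release line with neither a fixed version nor a tag reads as an open (still vulnerable) entry rather than an ignored one. The angle-bracket tag may simply have been dropped as an HTML tag when this mail was rendered, so confirm on GitLab that the committed line reads `[buster] - trafficserver <ignored> (Minor issue, intrusive to backport)`.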
[Git][security-tracker-team/security-tracker][master] Fix dla-needed after git conflicts
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: e974ebb3 by Anton Gladky at 2022-11-01T06:19:34+01:00 Fix dla-needed after git conflicts - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -100,11 +100,13 @@ ini4j jackson-databind NOTE: 20221030: Programming language: Java. -- +jhead NOTE: 20221031: Programming language: C. NOTE: 20221031: Note that multiple options are vulnerable. The attacker have to trick someone to execute the command but arbitrary code exectuion is not good.. NOTE: 20221031: It should be stated in the DLA that multiple options are affected.. -- joblib + NOTE: 20221006: Programming language: Python. -- kopanocore NOTE: 20220801: Programming language: C++. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e974ebb3d78665d97f63a5e22df1c09797f26c7d
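Review bot: the two added lines (`+jhead` and joblib's `NOTE: 20221006: Programming language: Python.`) are exactly the lines the earlier "semi-automatic unclaim" commit on this page dropped, so the block structure is consistent again (every NOTE run sits under a package header between `--` separators). While the jhead block is being touched, the context NOTEs still carry "The attacker have to trick", "exectuion" and doubled full stops; these are the notes a DLA author reads, so worth fixing in a follow-up.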
[Git][security-tracker-team/security-tracker][master] Mark pysha3 as removed from unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a9ec9555 by Salvatore Bonaccorso at 2022-11-01T06:17:51+01:00 Mark pysha3 as removed from unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19611,7 +19611,7 @@ CVE-2022-37454 (The Keccak XKCP SHA-3 reference implementation before fdc6fef ha - python3.10 (unimportant) - python3.9 (unimportant) - python3.7 - - pysha3 (bug #1023030) + - pysha3 (bug #1023030) - pypy3 7.3.9+dfsg-5 [buster] - pypy3 (Vulnerable code not present before we switch to the 3.6 branch in 7.1.1+dfsg-1) NOTE: https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9ec95559445ace69345e088c1823d46521f43a2
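Review bot: the removed and added `- pysha3 (bug #1023030)` lines are identical as rendered, so the change this hunk makes is not visible in the mail. The `<removed>` tag the commit message describes was most likely stripped as an HTML tag during rendering; check on GitLab that the committed line reads `- pysha3 <removed> (bug #1023030)`, otherwise the entry still tracks pysha3 as unfixed in unstable.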
[Git][security-tracker-team/security-tracker][master] 2 commits: Add ntfs-3g to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e30faf70 by Salvatore Bonaccorso at 2022-10-31T22:29:41+01:00 Add ntfs-3g to dsa-needed list - - - - - 23c08961 by Salvatore Bonaccorso at 2022-10-31T22:30:14+01:00 Take ntfs-3g from dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -33,6 +33,8 @@ netatalk -- nodejs -- +ntfs-3g (carnil) +-- multipath-tools -- openexr View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0076ed8e08340af238232179fa66f74f779dfb40...23c089614339a22d4d0b09d45c827e07fb7672f7
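Review bot: ordering only. `+ntfs-3g (carnil)` is placed after `nodejs`, which is alphabetically right, but the `multipath-tools` entry that follows it in the context is out of order (it belongs before `netatalk`); not introduced here, but worth fixing next time the file is edited so new entries keep landing in the right place.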
[Git][security-tracker-team/security-tracker][master] CVE-2022-31008/rabbitmq-server: references patches reducing the affected versions range
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 0076ed8e by Sylvain Beucler at 2022-10-31T22:23:20+01:00 CVE-2022-31008/rabbitmq-server: references patches reducing the affected versions range not triaging, letting LTS front-desk and/or security-team confirm that buster&bullseye shouldn't be affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -37187,6 +37187,9 @@ CVE-2022-31008 (RabbitMQ is a multi-protocol messaging and streaming broker. In - rabbitmq-server 3.10.8-1 NOTE: https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8 NOTE: https://github.com/rabbitmq/rabbitmq-server/pull/4841 + NOTE: obfuscation introduced in (built-in) Shovel plugin in: https://github.com/rabbitmq/rabbitmq-server/commit/6dbdc991c3111aa4ffa12a150b1402cf5c5e798e (v3.10.0-beta.2) + NOTE: obfuscation introduced in (built-in) Federation plugin in: https://github.com/rabbitmq/rabbitmq-server/commit/c1b5812cee6ac038737d62ca0b32cfd2db537653 (v3.8.10-rc.1) + NOTE: set_credentials_obfuscation_secret introduced in: https://github.com/rabbitmq/rabbitmq-server/commit/5ea51050452ea45874e89166090cb825c1277656 (v3.8.10) CVE-2022-31007 (eLabFTW is an electronic lab notebook manager for research teams. Prio ...) NOT-FOR-US: eLabFTW CVE-2022-31006 (indy-node is the server portion of Hyperledger Indy, a distributed led ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0076ed8e08340af238232179fa66f74f779dfb40
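Review bot: the three NOTE lines record where the credential obfuscation appeared (v3.8.10-rc.1 and v3.10.0-beta.2 for the plugins, v3.8.10 for set_credentials_obfuscation_secret) but the hunk adds no `[bullseye]`/`[buster]` line, so both releases stay tracked as affected. That is what the commit message intends, but whoever confirms the range should then add `<not-affected>` lines citing these NOTEs, or the references will sit unused.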
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 45d0f666 by Salvatore Bonaccorso at 2022-10-31T21:29:40+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -177,15 +177,15 @@ CVE-2022-3776 CVE-2022-3775 RESERVED CVE-2022-3774 (A vulnerability was found in SourceCodester Train Scheduler App 1.0 an ...) - TODO: check + NOT-FOR-US: SourceCodester Train Scheduler App CVE-2022-3773 (A vulnerability has been found in EmbedPress Plugin and classified as ...) - TODO: check + NOT-FOR-US: EmbedPress Plugin CVE-2022-3772 (A vulnerability, which was classified as problematic, was found in eas ...) - TODO: check + NOT-FOR-US: easyii CMS CVE-2022-3771 (A vulnerability, which was classified as critical, has been found in e ...) - TODO: check + NOT-FOR-US: easyii CMS CVE-2022-3770 (A vulnerability classified as critical was found in Yunjing CMS. This ...) - TODO: check + NOT-FOR-US: Yunjing CMS CVE-2022-3769 RESERVED CVE-2022-3768 @@ -193,9 +193,9 @@ CVE-2022-3768 CVE-2022-3767 RESERVED CVE-2022-3766 (Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/p ...) - TODO: check + NOT-FOR-US: phpmyfaq CVE-2022-3765 (Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpm ...) - TODO: check + NOT-FOR-US: phpmyfaq CVE-2022-3764 RESERVED CVE-2022-3763 
@@ -949,7 +949,7 @@ CVE-2022-44083 CVE-2022-44082 RESERVED CVE-2022-44081 (Lodepng v20220717 was discovered to contain a segmentation fault via t ...) - TODO: check + NOT-FOR-US: Lodepng CVE-2022-44080 RESERVED CVE-2022-44079 (pycdc commit 44a730f3a889503014fec94ae6e62d8401cb75e5 was discovered t ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45d0f6668b50fddbcd7309e71b88d98dfedaeb4a
[Git][security-tracker-team/security-tracker][master] Process several NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b75a1cff by Salvatore Bonaccorso at 2022-10-31T21:20:06+01:00 Process several NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6358,9 +6358,9 @@ CVE-2022-3443 CVE-2022-3442 (A vulnerability was found in Crealogix EBICS 7.0. It has been rated as ...) NOT-FOR-US: Crealogix EBICS CVE-2022-3441 (The Rock Convert WordPress plugin before 2.11.0 does not sanitise and ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-3440 (The Rock Convert WordPress plugin before 2.11.0 does not sanitise and ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-3439 (Allocation of Resources Without Limits or Throttling in GitHub reposit ...) - rdiffweb (bug #969974) CVE-2022-3438 (Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.0a4. ...) @@ -6966,9 +6966,9 @@ CVE-2022-3422 (Account Takeover :: when see the info i can see the hash pass i c CVE-2022-3421 (An attacker can pre-create the `/Applications/Google\ Drive.app/Conten ...) NOT-FOR-US: Drive for Desktop MacOS CVE-2022-3420 (The Official Integration for Billingo WordPress plugin before 3.4.0 do ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-3419 (The Automatic User Roles Switcher WordPress plugin before 1.1.2 does n ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-42468 (Apache Flume versions 1.4.0 through 1.10.1 are vulnerable to a remote ...) NOT-FOR-US: Apache Flume CVE-2022-42467 (When running in prototype mode, the h2 webconsole module (accessible f ...) @@ -7012,7 +7012,7 @@ CVE-2022-3410 CVE-2022-3409 (A vulnerability in bmcweb of OpenBMC Project allows user to cause deni ...) NOT-FOR-US: OpenBMC CVE-2022-3408 (The WP Word Count WordPress plugin through 3.2.3 does not sanitise and ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-3407 RESERVED CVE-2022-42457 (Generex CS141 through 2.10 allows remote command execution by administ ...) 
@@ -8321,7 +8321,7 @@ CVE-2022-36795 (In BIG-IP versions 17.0.x before 17.0.0.1, 16.1.x before 16.1.3. CVE-2022-3381 RESERVED CVE-2022-3380 (The Customizer Export/Import WordPress plugin before 0.9.5 unserialize ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-3379 (Horner Automation's Cscape version 9.90 SP7 and prior does not properl ...) NOT-FOR-US: Horner Automation's Cscape CVE-2022-3378 (Horner Automation's Cscape version 9.90 SP 7 and prior does not proper ...) @@ -8333,7 +8333,7 @@ CVE-2022-3376 (Weak Password Requirements in GitHub repository ikus060/rdiffweb CVE-2022-3375 RESERVED CVE-2022-3374 (The Ocean Extra WordPress plugin before 2.0.5 unserialises the content ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-3373 RESERVED {DSA-5245-1} @@ -8427,7 +8427,7 @@ CVE-2022-38973 CVE-2022-3367 RESERVED CVE-2022-3366 (The PublishPress Capabilities WordPress plugin before 2.5.2, PublishPr ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-3365 RESERVED CVE-2022-3364 (Allocation of Resources Without Limits or Throttling in GitHub reposit ...) @@ -8522,7 +8522,7 @@ CVE-2022-38142 (Delta Electronics InfraSuite Device Master versions 00.00.01a an CVE-2022-3361 RESERVED CVE-2022-3360 (The LearnPress WordPress plugin before 4.1.7.2 unserialises user input ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-3359 RESERVED CVE-2022-3358 (OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_me ...) @@ -8531,7 +8531,7 @@ CVE-2022-3358 (OpenSSL supports creating a custom cipher via the legacy EVP_CIPH [buster] - openssl (Only affects 3.x) NOTE: https://www.openssl.org/news/secadv/20221011.txt CVE-2022-3357 (The Smart Slider 3 WordPress plugin before 3.5.1.11 unserialises the c ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-3356 RESERVED CVE-2022-3355 (Cross-site Scripting (XSS) - Stored in GitHub repository inventree/inv ...) 
@@ -9010,7 +9010,7 @@ CVE-2022-3336 CVE-2022-3335 (The Kadence WooCommerce Email Designer WordPress plugin before 1.5.7 u ...) NOT-FOR-US: WordPress plugin CVE-2022-3334 (The Easy WP SMTP WordPress plugin before 1.5.0 unserialises the conten ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022- (A vulnerability, which was classified as problematic, was found in Zep ...) NOT-FOR-US: WordPress plugin CVE-2022-3332 (A vulnerability classified as critical has been found in SourceCodeste ...) @@ -9952,7 +9952,7 @@ CVE-2022-3256 (Use After Free in GitHub repository vim/vim prior to 9.0.0530. .. CVE-2022-3255 (If an attacker can contr
[Git][security-tracker-team/security-tracker][master] Added ceph to dla-needed. Do not have good enough experience with ceph to...
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 77facee8 by Ola Lundqvist at 2022-10-31T21:12:41+01:00 Added ceph to dla-needed. Do not have good enough experience with ceph to conclude whether the vulnerability can be exploited in a Debian system. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -20,6 +20,11 @@ asterisk (Markus Koschany) NOTE: 20221002: Done. Will ask for a public review tomorrow though. (apo) NOTE: 20221018: https://lists.debian.org/debian-lts/2022/10/msg00037.html -- +ceph + NOTE: 20221031: Programming language: C++. + NOTE: 20221031: To be checked further. Not clear whether the vulnerability can be exploited in a Debian system. + NOTE: 20221031: What should be checked is whether any user with ceph permission can do the actions described in the exploit. +-- clickhouse (Tobias Frost) NOTE: 20221003: Programming language: C++. NOTE: 20221003: One pull request closes several CVEs. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/77facee879a520bcc8f28e9a0476f21fb381389a
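Review bot: the new ceph block names no issue. None of the three NOTE lines says which CVE or tracker entry prompted the addition, so the person who picks this up has to rediscover it; add a NOTE with the CVE id (or tracker link) next to the open question about whether the described actions need more than ordinary ceph permissions.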
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 12a48cc6 by security tracker role at 2022-10-31T20:10:17+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,209 @@ +CVE-2022-44531 + RESERVED +CVE-2022-44530 + RESERVED +CVE-2022-44529 + RESERVED +CVE-2022-44528 + RESERVED +CVE-2022-44527 + RESERVED +CVE-2022-44526 + RESERVED +CVE-2022-44525 + RESERVED +CVE-2022-44524 + RESERVED +CVE-2022-44523 + RESERVED +CVE-2022-44522 + RESERVED +CVE-2022-44521 + RESERVED +CVE-2022-44520 + RESERVED +CVE-2022-44519 + RESERVED +CVE-2022-44518 + RESERVED +CVE-2022-44517 + RESERVED +CVE-2022-44516 + RESERVED +CVE-2022-44515 + RESERVED +CVE-2022-44514 + RESERVED +CVE-2022-44513 + RESERVED +CVE-2022-44512 + RESERVED +CVE-2022-44511 + RESERVED +CVE-2022-44510 + RESERVED +CVE-2022-44509 + RESERVED +CVE-2022-44508 + RESERVED +CVE-2022-44507 + RESERVED +CVE-2022-44506 + RESERVED +CVE-2022-44505 + RESERVED +CVE-2022-44504 + RESERVED +CVE-2022-44503 + RESERVED +CVE-2022-44502 + RESERVED +CVE-2022-44501 + RESERVED +CVE-2022-44500 + RESERVED +CVE-2022-44499 + RESERVED +CVE-2022-44498 + RESERVED +CVE-2022-44497 + RESERVED +CVE-2022-44496 + RESERVED +CVE-2022-44495 + RESERVED +CVE-2022-44494 + RESERVED +CVE-2022-44493 + RESERVED +CVE-2022-44492 + RESERVED +CVE-2022-44491 + RESERVED +CVE-2022-44490 + RESERVED +CVE-2022-44489 + RESERVED +CVE-2022-44488 + RESERVED +CVE-2022-44487 + RESERVED +CVE-2022-44486 + RESERVED +CVE-2022-44485 + RESERVED +CVE-2022-44484 + RESERVED +CVE-2022-44483 + RESERVED +CVE-2022-44482 + RESERVED +CVE-2022-44481 + RESERVED +CVE-2022-44480 + RESERVED +CVE-2022-44479 + RESERVED +CVE-2022-44478 + RESERVED +CVE-2022-44477 + RESERVED +CVE-2022-44476 + RESERVED +CVE-2022-44475 + RESERVED +CVE-2022-44474 + RESERVED +CVE-2022-44473 + RESERVED +CVE-2022-44472 + RESERVED +CVE-2022-44471 + RESERVED +CVE-2022-44470 + RESERVED +CVE-2022-44469 + RESERVED +CVE-2022-44468 + RESERVED +CVE-2022-44467 + RESERVED +CVE-2022-44466 + RESERVED +CVE-2022-44465 + RESERVED +CVE-2022-44464 + RESERVED +CVE-2022-44463 + RESERVED +CVE-2022-44462 + RESERVED +CVE-2022-44461 + RESERVED +CVE-2022-44460 + RESERVED +CVE-2022-44459 + RESERVED 
+CVE-2022-44458 + RESERVED +CVE-2022-44457 + RESERVED +CVE-2022-43506 + RESERVED +CVE-2022-43495 + RESERVED +CVE-2022-43457 + RESERVED +CVE-2022-43452 + RESERVED +CVE-2022-43451 + RESERVED +CVE-2022-43449 + RESERVED +CVE-2022-43447 + RESERVED +CVE-2022-41775 + RESERVED +CVE-2022-3780 + RESERVED +CVE-2022-3779 + RESERVED +CVE-2022-3778 + RESERVED +CVE-2022-3777 + RESERVED +CVE-2022-3776 + RESERVED +CVE-2022-3775 + RESERVED +CVE-2022-3774 (A vulnerability was found in SourceCodester Train Scheduler App 1.0 an ...) + TODO: check +CVE-2022-3773 (A vulnerability has been found in EmbedPress Plugin and classified as ...) + TODO: check +CVE-2022-3772 (A vulnerability, which was classified as problematic, was found in eas ...) + TODO: check +CVE-2022-3771 (A vulnerability, which was classified as critical, has been found in e ...) + TODO: check +CVE-2022-3770 (A vulnerability classified as critical was found in Yunjing CMS. This ...) + TODO: check +CVE-2022-3769 + RESERVED +CVE-2022-3768 + RESERVED +CVE-2022-3767 + RESERVED +CVE-2022-3766 (Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/p ...) + TODO: check +CVE-2022-3765 (Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpm ...) + TODO: check +CVE-2022-3764 + RESERVED +CVE-2022-3763 + RESERVED +CVE-2022-3762 + RESERVED +CVE-2022-3761 + RESERVED CVE-2023-20853 RESERVED CVE-2023-20852 @@ -742,12 +948,12 @@ CVE-2022-44083 RESERVED CVE-2022-44082 RESERVED -CVE-2022-44081 - RESERVED +CVE-2022-44081 (Lodepng v20220717 was discovered to contain a segmentation fault via t ...) + TODO: check CVE-2022-44080 RESERVED -CVE-2022-44079 - RESERVED +CVE-2022-44079 (pycdc commit 44a730f3a889503014fec94ae6e62d8401cb75e5 was discovered t ...) + TODO: check CVE-2022-44078 RESERVED CVE-2022-44077 @@ -4891,16 +5097,16 @@ CVE-2022-43154 RESERVED CVE-2022-43153 RESERVED -CVE-2022-43152 - RESERVED -CVE-2022-43151 - RESERVED +CVE-2022-43152 (tsMuxer v2.6.16 wa
[Git][security-tracker-team/security-tracker][master] Marked CVE-2022-42920 for node-minimatch as no-dsa for buster following decision for bullseye.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c6923bf by Ola Lundqvist at 2022-10-31T20:49:44+01:00 Marked CVE-2022-42920 for node-minimatch as no-dsa for buster following decision for bullseye. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5573,6 +5573,7 @@ CVE-2022-42920 CVE-2022-3517 (A vulnerability was found in the minimatch package. This flaw allows a ...) - node-minimatch 3.0.5+~3.0.5-1 [bullseye] - node-minimatch (Minor issue) + [buster] - node-minimatch (Minor issue) NOTE: https://github.com/grafana/grafana-image-renderer/issues/329 NOTE: https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6 (v3.0.5) CVE-2022-3516 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c6923bf48484d53fe64a411c0427db5fad86f78
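Review bot: the commit message names the wrong CVE. The line is added under `CVE-2022-3517 (A vulnerability was found in the minimatch package. ...)`; `CVE-2022-42920` only appears as the hunk header's context (the preceding entry). The change itself looks right, since the buster line mirrors the existing `[bullseye] - node-minimatch (Minor issue)` line, but the message should say CVE-2022-3517. As with the bullseye line, the `<no-dsa>` tag is not visible here and was presumably stripped in rendering; worth a quick check on GitLab.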
[Git][security-tracker-team/security-tracker][master] Added ntfs-3g to dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 5822ccf1 by Ola Lundqvist at 2022-10-31T20:35:02+01:00 Added ntfs-3g to dla-needed. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -153,6 +153,10 @@ node-css-what node-tar NOTE: 20220907: Programming language: JavaScript. -- +ntfs-3g + NOTE: 20221031: Programming language: C. + NOTE: 20221031: VCS: https://salsa.debian.org/lts-team/packages/ntfs-3g.git +-- openexr NOTE: 20220904: Programming language: C++. NOTE: 20220904: Should be synced with Stretch. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5822ccf1793b602f8291020ecb53f456e78493ed
[Git][security-tracker-team/security-tracker][master] Track fixed version for libxml2 issues via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e852f8e0 by Salvatore Bonaccorso at 2022-10-31T19:29:49+01:00 Track fixed version for libxml2 issues via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11968,12 +11968,12 @@ CVE-2022-40305 (A Server-Side Request Forgery issue in Canto Cumulus through 11. CVE-2022-40304 [dict corruption caused by entity reference cycles] RESERVED {DLA-3172-1} - - libxml2 (bug #105) + - libxml2 2.9.14+dfsg-1.1 (bug #105) NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1b41ec4e9433b05bb0376be4725804c54ef1d80b (v2.10.3) CVE-2022-40303 [integer overflows with XML_PARSE_HUGE] RESERVED {DLA-3172-1} - - libxml2 (bug #104) + - libxml2 2.9.14+dfsg-1.1 (bug #104) NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0 (v2.10.3) CVE-2022-40302 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e852f8e0a74e72d777f5d9801d0b92093638be41
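Review bot: the bug references in both changed lines, `(bug #105)` and `(bug #104)`, are not plausible Debian BTS numbers (the other entries on this page use seven-digit ids such as #1022046); either the ids were truncated when the mail was rendered or the entries carry wrong references, so verify the committed lines in data/CVE/list. The fixed version `2.9.14+dfsg-1.1` is applied consistently to both CVE-2022-40304 and CVE-2022-40303 and matches the v2.10.3 upstream fix commits already referenced in the NOTE lines.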
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-40284/ntfs-3g via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ab74f9d7 by Salvatore Bonaccorso at 2022-10-31T19:28:21+01:00 Track fixed version for CVE-2022-40284/ntfs-3g via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12017,7 +12017,7 @@ CVE-2022-40285 RESERVED CVE-2022-40284 RESERVED - - ntfs-3g + - ntfs-3g 1:2022.10.3-1 NOTE: https://www.openwall.com/lists/oss-security/2022/10/31/2 NOTE: https://github.com/tuxera/ntfs-3g/commit/18bfc676119a1188e8135287b8327b0760ba44a1 (2022.10.3) NOTE: https://github.com/tuxera/ntfs-3g/commit/76c3a799a97fbcedeeeca57f598be508ae2a1656 (2022.10.3) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab74f9d790a33b22b0124fdb560e5d7deb77121b
[Git][security-tracker-team/security-tracker][master] Track upstream commits for CVE-2022-40284/ntfs-3g
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 47b9536d by Salvatore Bonaccorso at 2022-10-31T19:25:40+01:00 Track upstream commits for CVE-2022-40284/ntfs-3g - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12019,6 +12019,8 @@ CVE-2022-40284 RESERVED - ntfs-3g NOTE: https://www.openwall.com/lists/oss-security/2022/10/31/2 + NOTE: https://github.com/tuxera/ntfs-3g/commit/18bfc676119a1188e8135287b8327b0760ba44a1 (2022.10.3) + NOTE: https://github.com/tuxera/ntfs-3g/commit/76c3a799a97fbcedeeeca57f598be508ae2a1656 (2022.10.3) CVE-2022-40283 RESERVED CVE-2022-40282 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47b9536de6db76ddb27f17a70f76ed6a618e4313
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: be1ec401 by Anton Gladky at 2022-10-31T19:24:32+01:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Anton Gladky <gl...@debian.org> - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -83,7 +83,7 @@ hsqldb NOTE: 20221031: To be investigated further. A possible outcome is to ignore it. NOTE: 20221031: https://lists.debian.org/debian-lts/2022/10/msg00060.html. -- -imagemagick (gladk) +imagemagick NOTE: 20220904: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git NOTE: 20220904: Should be synced with Stretch. (apo) @@ -95,13 +95,11 @@ ini4j jackson-databind NOTE: 20221030: Programming language: Java. -- -jhead NOTE: 20221031: Programming language: C. NOTE: 20221031: Note that multiple options are vulnerable. The attacker have to trick someone to execute the command but arbitrary code exectuion is not good.. NOTE: 20221031: It should be stated in the DLA that multiple options are affected.. -- -joblib (Utkarsh) - NOTE: 20221006: Programming language: Python. +joblib -- kopanocore NOTE: 20220801: Programming language: C++. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be1ec401e29f107f5a4d23d79b02d1f9299b44aa
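Review bot: the second hunk does more than unclaim. Besides dropping `(Utkarsh)` from joblib it deletes the `jhead` header line and joblib's `NOTE: 20221006: Programming language: Python.`, which leaves the three jhead NOTE lines sitting between two `--` separators with no package name above them, so the file no longer parses as a list of package blocks. An unclaim should only strip the claimant suffix, exactly as the first hunk does for imagemagick (`-imagemagick (gladk)` / `+imagemagick`); the `jhead` header and the joblib NOTE need to be put back, which is what the later "Fix dla-needed after git conflicts" commit on this page does.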
[Git][security-tracker-team/security-tracker][master] Remove two check items for CVE-2022-3168 and CVE-2022-20128
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fd693cb3 by Salvatore Bonaccorso at 2022-10-31T19:21:26+01:00 Remove two check items for CVE-2022-3168 and CVE-2022-20128 Entries looks correct with temporary tracking of fixed version in experimental. Thanks: Sylvain Beucler - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12120,7 +12120,6 @@ CVE-2022-3168 [experimental] - android-platform-tools 33.0.3-1~exp1 - android-platform-tools NOTE: https://www.openwall.com/lists/oss-security/2022/10/25/5 - TODO: check CVE-2019-25076 (The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x through 2.1 ...) - openvswitch (bug #1021740) [bullseye] - openvswitch (Minor issue) @@ -79239,7 +79238,6 @@ CVE-2022-20128 [experimental] - android-platform-tools 33.0.3-1~exp1 - android-platform-tools NOTE: https://www.openwall.com/lists/oss-security/2022/10/25/5 - TODO: check CVE-2022-20127 (In ce_t4t_data_cback of ce_t4t.cc, there is a possible out of bounds w ...) NOT-FOR-US: Android CVE-2022-20126 (In setScanMode of AdapterService.java, there is a possible way to enab ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd693cb3ab58d335af67d2be59f625d669624040 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd693cb3ab58d335af67d2be59f625d669624040 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
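Review bot: removing the "TODO: check" markers is fine given the commit message, but both entries still track the fix only under "[experimental] - android-platform-tools 33.0.3-1~exp1", with the unstable "- android-platform-tools" line unversioned and without a (bug #...) reference; nothing in the file then records that the fix has to leave experimental, so file or link a bug on the unstable line as the openvswitch context line does with "bug #1021740".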
[Git][security-tracker-team/security-tracker][master] CVE-2022-3276/puppet-module-puppetlabs-mysql: reference commits following upstream confirmation
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 9fd20b1f by Sylvain Beucler at 2022-10-31T16:36:30+01:00 CVE-2022-3276/puppet-module-puppetlabs-mysql: reference commits following upstream confirmation - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9547,8 +9547,10 @@ CVE-2020-36604 (hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisonin CVE-2022-3276 (Command injection is possible in the puppetlabs-mysql module prior to ...) - puppet-module-puppetlabs-mysql NOTE: https://puppet.com/security/cve/CVE-2022-3276 - NOTE: Possible fix https://github.com/puppetlabs/puppetlabs-mysql/pull/1484 - NOTE: https://github.com/puppetlabs/puppetlabs-mysql/pull/1484#issuecomment-1296367876 + NOTE: https://github.com/puppetlabs/puppetlabs-mysql/commit/f83792b256fa6acc1b1375b3bfed257629a5c02d (v13.0.0) + NOTE: https://github.com/puppetlabs/puppetlabs-mysql/commit/18813a151f150a374a52141db520ed2a8d38b071 (v13.0.0) + NOTE: https://github.com/puppetlabs/puppetlabs-mysql/commit/6f531ad85c22ceeb5076347e6998e1d25b056dfd (v13.0.0) + NOTE: https://github.com/puppetlabs/puppetlabs-mysql/commit/e70e7fd130aaa2fe1cefe4ccb628b304ad3c180a (v13.0.0) CVE-2022-3275 (Command injection is possible in the puppetlabs-apt module prior to ve ...) - puppet-module-puppetlabs-apt NOTE: https://puppet.com/security/cve/CVE-2022-3275 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fd20b1fe0491fdbff213dedcdd7858b25e3ebb7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fd20b1fe0491fdbff213dedcdd7858b25e3ebb7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
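Review bot: the "Possible fix" pull-request line and its "#issuecomment-1296367876" link are dropped rather than kept; the commit message says the commits were referenced "following upstream confirmation", and that issue comment is the evidence for the confirmation, so keep the issuecomment link as a NOTE next to the four (v13.0.0) commits. The "- puppet-module-puppetlabs-mysql" line is also still unversioned and has no bug reference, so nothing tracks the unstable fix.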
[Git][security-tracker-team/security-tracker][master] Added php7.3 to dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: a63903c0 by Ola Lundqvist at 2022-10-31T15:59:09+01:00 Added php7.3 to dla-needed. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -163,6 +163,10 @@ php-phpseclib NOTE: 20220909: Programming language: PHP. NOTE: 20220909: Note the discussion whether 2.0 is in fact affected by the CVE or not. It looks like it is affected by a small part of it that is best to fix.. -- +php7.3 + NOTE: 20221031: Programming language: C. + NOTE: 20221031: CVE-2022-37454 is what is of most concern. +-- phpseclib NOTE: 20220909: Programming language: PHP. NOTE: 20220909: Note the discussion whether 2.0 is in fact affected by the CVE or not. It looks like it is affected by a small part of it that is best to fix.. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a63903c0e8f9a4c49d17fafd588aecb3590de570 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a63903c0e8f9a4c49d17fafd588aecb3590de570 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
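Review bot: the new php7.3 entry says "CVE-2022-37454 is what is of most concern" but does not list the other open CVE ids, so the DLA author cannot see the full set from this file; add them in a NOTE. pysha3 and python3.7, added to this file the same day for the same CVE, carry "Special attention: urgent"; mark php7.3 the same way if it is to be handled with the same priority.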
[Git][security-tracker-team/security-tracker][master] Triaged python-cmarkgfm for LTS (buster) and concluded CVE-2022-24724 and...
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: b8c1e028 by Ola Lundqvist at 2022-10-31T15:51:43+01:00 Triaged python-cmarkgfm for LTS (buster) and concluded CVE-2022-24724 and CVE-2022-39209 to be minor issues. Same conclusion as cmark-gfm. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14497,6 +14497,7 @@ CVE-2022-39209 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re - cmark-gfm 0.29.0.gfm.6-2 (bug #1020588) [buster] - cmark-gfm (Minor issue) - python-cmarkgfm + [buster] - python-cmarkgfm (Minor issue) - ghostwriter (unimportant) - ruby-commonmarker - r-cran-commonmark @@ -55608,6 +55609,7 @@ CVE-2022-24724 (cmark-gfm is GitHub's extended version of the C reference implem [bullseye] - ghostwriter (Vulnerable code not present) [buster] - ghostwriter (Vulnerable code not present) - python-cmarkgfm 0.7.0-1 (bug #1006758) + [buster] - python-cmarkgfm (Minor issue) - ruby-commonmarker (bug #1006759) - r-cran-commonmark 1.8.0-1 (bug #1006760) [bullseye] - r-cran-commonmark (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8c1e028fbcfa6be28a7f5412ed8350012cce046 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8c1e028fbcfa6be28a7f5412ed8350012cce046 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
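Review bot: the two "[buster] - python-cmarkgfm (Minor issue)" lines sit directly under their package line, which is the right place. For CVE-2022-39209 the unstable "- python-cmarkgfm" line is still unversioned and has no (bug #...) reference, unlike the CVE-2022-24724 line with "bug #1006758"; file or link a bug so the sid fix is tracked and the buster "Minor issue" tag is not the only record for that CVE.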
[Git][security-tracker-team/security-tracker][master] CVE-2022-20128,CVE-2022-3168/android-platform-tools (adb): reference public disclosure
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 35eb7223 by Sylvain Beucler at 2022-10-31T15:29:27+01:00 CVE-2022-20128,CVE-2022-3168/android-platform-tools (adb): reference public disclosure - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12115,6 +12115,10 @@ CVE-2022-3169 (A flaw was found in the Linux kernel. A denial of service flaw ma NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=214771 CVE-2022-3168 RESERVED + [experimental] - android-platform-tools 33.0.3-1~exp1 + - android-platform-tools + NOTE: https://www.openwall.com/lists/oss-security/2022/10/25/5 + TODO: check CVE-2019-25076 (The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x through 2.1 ...) - openvswitch (bug #1021740) [bullseye] - openvswitch (Minor issue) @@ -79228,6 +79232,10 @@ CVE-2022-20129 (In registerPhoneAccount of PhoneAccountRegistrar.java, there is NOT-FOR-US: Android CVE-2022-20128 RESERVED + [experimental] - android-platform-tools 33.0.3-1~exp1 + - android-platform-tools + NOTE: https://www.openwall.com/lists/oss-security/2022/10/25/5 + TODO: check CVE-2022-20127 (In ce_t4t_data_cback of ce_t4t.cc, there is a possible out of bounds w ...) NOT-FOR-US: Android CVE-2022-20126 (In setScanMode of AdapterService.java, there is a possible way to enab ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35eb72233021215178ec03cac7fb99f0eb345489 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35eb72233021215178ec03cac7fb99f0eb345489 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
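Review bot: the added "TODO: check" lines say nothing about what remains to be checked; write it out (for example, whether 33.0.3-1~exp1 actually contains the fix for both ids, or whether the unstable package is affected at all) so the next triager does not have to rederive it. Both CVEs are still RESERVED, so the description will only appear after the next automatic update; until then the oss-security reference is what makes the entries actionable, so keep it first.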
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-40284/ntfs-3g
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0ec4db72 by Salvatore Bonaccorso at 2022-10-31T15:12:33+01:00 Add CVE-2022-40284/ntfs-3g - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12015,6 +12015,8 @@ CVE-2022-40285 RESERVED CVE-2022-40284 RESERVED + - ntfs-3g + NOTE: https://www.openwall.com/lists/oss-security/2022/10/31/2 CVE-2022-40283 RESERVED CVE-2022-40282 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ec4db7281f961b173fbc4e4d0cdb59c6bc1fe46 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ec4db7281f961b173fbc4e4d0cdb59c6bc1fe46 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
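Review bot: the entry is created while CVE-2022-40284 is still RESERVED, so the description stays empty until the automatic update fills it, and "- ntfs-3g" is left without a version or a (bug #...) reference; add the bug reference as the other unversioned entries in this file do, and a NOTE on which upstream versions are affected once known, so the entry is more than a pointer to the oss-security post.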
[Git][security-tracker-team/security-tracker][master] Added libapreq2 to dla-needed. Webserver crash is not a good thing so it should be solved.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 54134012 by Ola Lundqvist at 2022-10-31T15:11:18+01:00 Added libapreq2 to dla-needed. Webserver crash is not a good thing so it should be solved. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -110,6 +110,9 @@ kopanocore lava NOTE: 20221031: Programming language: Python. -- +libapreq2 + NOTE: 20221031: Programming language: C. +-- libcommons-jxpath-java NOTE: 20221027: Programming language: Java. NOTE: 20221027: Maintainer notes: Wait for the outcome of upstream discussion. See CVE-2022-41852 for pull requests. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5413401272b1ebb9ead9f0e477ca8fc1497f0402 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5413401272b1ebb9ead9f0e477ca8fc1497f0402 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
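Review bot: the rationale in the commit message (a web server crash, hence worth fixing) and the CVE id it refers to are not in the file; the entry records only "Programming language: C.". Put both in a NOTE, as the hsqldb and rabbitmq-server entries do for their reasoning, so whoever claims libapreq2 sees it without going through the git log.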
[Git][security-tracker-team/security-tracker][master] Added rabbitmq-server to dla-needed. It should be checked further since the...
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 4cda4ada by Ola Lundqvist at 2022-10-31T15:08:25+01:00 Added rabbitmq-server to dla-needed. It should be checked further since the solution involves a new configuration option. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -188,6 +188,11 @@ r-cran-commonmark NOTE: 20221009: Programming language: R. NOTE: 20221009: Please synchronize with ghostwriter. -- +rabbitmq-server + NOTE: 20221031: Programming language: Erlang. + NOTE: 20221031: New configuration option. Should be studied further.. + NOTE: 20221031: Potentially the outcome is to ignore the issue.. +-- rails (Abhijith PA) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) NOTE: 20220909: Two issues https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4cda4ada8832efbba3c13b285ae64efe118c6910 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4cda4ada8832efbba3c13b285ae64efe118c6910 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
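Review bot: "Should be studied further.." and "Potentially the outcome is to ignore the issue.." end with doubled periods, the same pattern as the phpseclib context lines. The NOTEs also do not name the CVE or the new configuration option the upstream fix introduces; add the CVE id and a pointer to the upstream change so the "study further" starts from the right place.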
[Git][security-tracker-team/security-tracker][master] 2 commits: Added hsqldb to dla-needed for further investigation. It is possibly a...
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: a38a497a by Ola Lundqvist at 2022-10-31T14:35:45+01:00 Added hsqldb to dla-needed for further investigation. It is possibly a breaking change. A possible outcome is to ignore the issue. - - - - - 3fbc4c14 by Ola Lundqvist at 2022-10-31T14:35:45+01:00 Adding jhead to dla-needed. One can argue that you have to trick someone to use some specific command option but arbitrary command execution should be fixed. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -78,6 +78,11 @@ golang-websocket graphicsmagick NOTE: 20221027: Programming language: C. -- +hsqldb + NOTE: 20221031: Programming language: Java. + NOTE: 20221031: To be investigated further. A possible outcome is to ignore it. + NOTE: 20221031: https://lists.debian.org/debian-lts/2022/10/msg00060.html. +-- imagemagick (gladk) NOTE: 20220904: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git 
@@ -90,6 +95,11 @@ ini4j jackson-databind NOTE: 20221030: Programming language: Java. -- +jhead + NOTE: 20221031: Programming language: C. + NOTE: 20221031: Note that multiple options are vulnerable. The attacker have to trick someone to execute the command but arbitrary code exectuion is not good.. + NOTE: 20221031: It should be stated in the DLA that multiple options are affected.. +-- joblib (Utkarsh) NOTE: 20221006: Programming language: Python. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/38f016b32cb272c7d81309d8a49e449b05af4867...3fbc4c148d62c33824b00b11e1b9b3c35f40e179 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/38f016b32cb272c7d81309d8a49e449b05af4867...3fbc4c148d62c33824b00b11e1b9b3c35f40e179 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
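Review bot: in the jhead hunk, "exectuion" should be "execution", "The attacker have to" should be "has to", and both NOTE lines end with "..". In the hsqldb hunk, the list URL has a trailing period glued to it ("msg00060.html."), which breaks the link when copied; drop the period. The jhead entry also names no CVE although the NOTE says multiple options are affected; list the ids the DLA should cover.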
[Git][security-tracker-team/security-tracker][master] CVE-2022-37454/php*: introduced in 7.2
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 38f016b3 by Sylvain Beucler at 2022-10-31T14:18:51+01:00 CVE-2022-37454/php*: introduced in 7.2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19402,6 +19402,7 @@ CVE-2022-37454 (The Keccak XKCP SHA-3 reference implementation before fdc6fef ha NOTE: https://mouha.be/sha-3-buffer-overflow/ NOTE: PHP Bug: https://bugs.php.net/bug.php?id=81738 NOTE: PHP fixed in: 7.4.33, 8.0.25, 8.1.12 + NOTE: For PHP, introduced in: https://github.com/php/php-src/commit/91663a92d1697fc30a7ba4687d73e0f63ec2baa1 (php-7.2.0alpha1) NOTE: Fixed by: https://github.com/php/php-src/commit/248f647724e385bfb8d83aa5b5a5ca3c4ee2c7fd (php-8.2.0RC5) NOTE: https://github.com/python/cpython/issues/98517 NOTE: https://github.com/python/cpython/commit/0e4e058602d93b88256ff90bbef501ba20be9dd3 (3.10-branch) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38f016b32cb272c7d81309d8a49e449b05af4867 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38f016b32cb272c7d81309d8a49e449b05af4867 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
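Review bot: the new "For PHP, introduced in:" NOTE is useful, but the PHP fix is still referenced only by the 8.2 commit tagged (php-8.2.0RC5) while "PHP fixed in: 7.4.33, 8.0.25, 8.1.12" lists three other branches; the cpython part of the same entry cites the per-branch backport commits, so add the 7.4/8.0/8.1 branch commits (or note that they are cherry-picks of the same change) for the php7.3 backport to start from.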
[Git][security-tracker-team/security-tracker][master] CVE-2022-41853,hsqldb: Link to possible fixing commit
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: fabc7c5a by Markus Koschany at 2022-10-31T13:36:30+01:00 CVE-2022-41853,hsqldb: Link to possible fixing commit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8071,6 +8071,7 @@ CVE-2022-41853 (Those using java.sql.Statement or java.sql.PreparedStatement in - hsqldb NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50212#c7 NOTE: http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control + NOTE: https://sourceforge.net/p/hsqldb/svn/6614/ CVE-2022-41852 (Those using JXPath to interpret untrusted XPath expressions may be vul ...) - libcommons-jxpath-java NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fabc7c5aba000e98ba161e2792dbd4dd90a0a54a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fabc7c5aba000e98ba161e2792dbd4dd90a0a54a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
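Review bot: the commit message calls r6614 a "possible fixing commit", but the NOTE is a bare URL and will read as the confirmed fix; prefix it "Possible fix:" as the puppetlabs-mysql entry did for an unconfirmed pull request, and drop the qualifier only once upstream confirms.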
[Git][security-tracker-team/security-tracker][master] 3 commits: Triaged cmark-gfm for LTS (buster) and concluded CVE-2022-24724 and...
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e691a37 by Ola Lundqvist at 2022-10-31T12:39:58+01:00 Triaged cmark-gfm for LTS (buster) and concluded CVE-2022-24724 and CVE-2022-39209 to be minor issues. Same conclusion as for similar packages. - - - - - 9ecf7397 by Ola Lundqvist at 2022-10-31T12:43:48+01:00 Added protobuf to dla-needed. - - - - - 7ab81f4b by Ola Lundqvist at 2022-10-31T12:45:14+01:00 Added consul to dla-needed. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -14488,6 +14488,7 @@ CVE-2022-39210 (Nextcloud android is the official Android client for the Nextclo NOT-FOR-US: Nextcloud android CVE-2022-39209 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...) - cmark-gfm 0.29.0.gfm.6-2 (bug #1020588) + [buster] - cmark-gfm (Minor issue) - python-cmarkgfm - ghostwriter (unimportant) - ruby-commonmarker @@ -55594,6 +55595,7 @@ CVE-2022-24725 (Shescape is a shell escape package for JavaScript. An issue in v NOT-FOR-US: Node shescape CVE-2022-24724 (cmark-gfm is GitHub's extended version of the C reference implementati ...) - cmark-gfm 0.29.0.gfm.3-3 (bug #1006756) + [buster] - cmark-gfm (Minor issue) - ghostwriter (bug #1006757) [bullseye] - ghostwriter (Vulnerable code not present) [buster] - ghostwriter (Vulnerable code not present) = data/dla-needed.txt = @@ -25,6 +25,10 @@ clickhouse (Tobias Frost) NOTE: 20221003: One pull request closes several CVEs. NOTE: 20221003: Please evaluate, whether it can be applied. -- +consul + NOTE: 20221031: Programming language: Go. + NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. +-- curl (Emilio) NOTE: 20220901: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git 
@@ -158,6 +162,10 @@ python3.7 (Stefano Rivera) NOTE: 20221031: Programming language: C. NOTE: 20221031: Special attention: urgent. -- +protobuf + NOTE: 20221031: Programming language: Several. + NOTE: 20221031: Note the 'Note' that one of the CVEs affects the generated code and must therefore get special attention from the application developer using protobuf. +-- python-django NOTE: 20221031: Programming language: Python. NOTE: 20221031: VCS: https://salsa.debian.org/lts-team/packages/python-django.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/edf4189a63cb7a47cf1acd41f9682aab7a0d3db4...7ab81f4b68492e6834031c728c226c4fc40b6116 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/edf4189a63cb7a47cf1acd41f9682aab7a0d3db4...7ab81f4b68492e6834031c728c226c4fc40b6116 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
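Review bot: the protobuf NOTE says one of the CVEs affects generated code but does not name it; put that CVE id in the NOTE so the DLA author does not have to reread every protobuf entry to find it. The consul NOTE records that the conclusion rests on the CVE description alone and the source was not analyzed, which is a useful caveat, but it should also say which CVE(s) the conclusion applies to.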
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3174-1 for pysha3
Stefano Rivera pushed to branch master at Debian Security Tracker / security-tracker Commits: edf4189a by Stefano Rivera at 2022-10-31T12:44:44+02:00 Reserve DLA-3174-1 for pysha3 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Oct 2022] DLA-3174-1 pysha3 - security update + {CVE-2022-37454} + [buster] - pysha3 1.0.2-2+deb10u1 [31 Oct 2022] DLA-3173-1 linux-5.10 - security update {CVE-2021-4037 CVE-2022-0171 CVE-2022-1184 CVE-2022-1679 CVE-2022-2153 CVE-2022-2602 CVE-2022-2663 CVE-2022-2905 CVE-2022-3028 CVE-2022-3061 CVE-2022-3176 CVE-2022-3303 CVE-2022-3586 CVE-2022-3621 CVE-2022-3625 CVE-2022-3629 CVE-2022-3633 CVE-2022-3635 CVE-2022-3646 CVE-2022-3649 CVE-2022-20421 CVE-2022-20422 CVE-2022-39188 CVE-2022-39190 CVE-2022-39842 CVE-2022-40307 CVE-2022-41222 CVE-2022-41674 CVE-2022-42719 CVE-2022-42720 CVE-2022-42721 CVE-2022-42722 CVE-2022-43750} [buster] - linux-5.10 5.10.149-2~deb10u1 = data/dla-needed.txt = @@ -154,10 +154,6 @@ pluxml NOTE: 20220913: Programming language: PHP. NOTE: 20220913: Special attention: orphaned package. -- -pysha3 (Stefano Rivera) - NOTE: 20221031: Programming language: Python. - NOTE: 20221031: Special attention: urgent. --- python3.7 (Stefano Rivera) NOTE: 20221031: Programming language: C. NOTE: 20221031: Special attention: urgent. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/edf4189a63cb7a47cf1acd41f9682aab7a0d3db4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/edf4189a63cb7a47cf1acd41f9682aab7a0d3db4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
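Review bot: the DLA/list entry and the dla-needed removal are consistent. In CVE/list the pysha3 line is "- pysha3 (bug #1023030)" with no unstable fixed version (visible in the pypy3 commit later in this digest), so DLA-3174-1 fixes buster ahead of sid; make sure the unstable upload follows, or the entry will show buster fixed and sid vulnerable for the same CVE.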
[Git][security-tracker-team/security-tracker][master] CVE-2022-37454/python3*: introduced in 3.6
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 380c2080 by Sylvain Beucler at 2022-10-31T11:10:29+01:00 CVE-2022-37454/python3*: introduced in 3.6 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19406,6 +19406,7 @@ CVE-2022-37454 (The Keccak XKCP SHA-3 reference implementation before fdc6fef ha NOTE: https://github.com/python/cpython/commit/857efee6d2d43c5c12fc7e377ce437144c728ab8 (3.9-branch) NOTE: https://github.com/python/cpython/commit/948c6794711458fd148a3fa62296cadeeb2ed631 (3.8-branch) NOTE: https://github.com/python/cpython/commit/8088c90044ba04cd5624b278340ebf934dbee4a5 (3.7-branch) + NOTE: For Python, introduced in: https://github.com/python/cpython/commit/6fe2a75b645044ca2b5dac03e8d850567b547a9a (3.6) NOTE: Versions which have the OpenSSL sha3 delegation are not affected by the issue and only ship NOTE: source-wise the bundled _sha3 XKCP module code. NOTE: OpenSSL sha3 delegation added in https://github.com/python/cpython/commit/d5b3f6b7f9fc74438009af63f1de01bd77be9385 (v3.9.0b1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/380c2080a59b272d609f0ff196435416de201713 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/380c2080a59b272d609f0ff196435416de201713 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
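Review bot: the "introduced in" NOTE is tagged "(3.6)" while every other commit in the entry is tagged with a branch or release tag ("3.7-branch", "v3.9.0b1"); use the same convention, the first release tag containing 6fe2a75b, so version comparison is mechanical. The line also sits between the per-branch fix commits and the OpenSSL-delegation NOTEs; placing it before the fix list makes the entry read introduced-then-fixed.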
[Git][security-tracker-team/security-tracker][master] Clarify pypy3.6 in history
Stefano Rivera pushed to branch master at Debian Security Tracker / security-tracker Commits: 08647d86 by Stefano Rivera at 2022-10-31T11:30:16+02:00 Clarify pypy3.6 in history - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19394,7 +19394,7 @@ CVE-2022-37454 (The Keccak XKCP SHA-3 reference implementation before fdc6fef ha - python3.7 - pysha3 (bug #1023030) - pypy3 7.3.9+dfsg-5 - [buster] - pypy3 (Vulnerable code not present before pypy3.6) + [buster] - pypy3 (Vulnerable code not present before we switch to the 3.6 branch in 7.1.1+dfsg-1) NOTE: https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658 NOTE: https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a NOTE: https://mouha.be/sha-3-buffer-overflow/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/08647d86ee61cf4093d1c11e6e2eb6fb6d3c6a31 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/08647d86ee61cf4093d1c11e6e2eb6fb6d3c6a31 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
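Review bot: the new annotation reads "before we switch to the 3.6 branch" (should be "switched"), and "Vulnerable code not present" only holds if buster's pypy3 is older than 7.1.1+dfsg-1, which the line does not state; write the buster version into the note so a reader can verify the claim without checking the archive.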
[Git][security-tracker-team/security-tracker][master] 2 commits: Claim pysha3
Stefano Rivera pushed to branch master at Debian Security Tracker / security-tracker Commits: 1cfaca81 by Stefano Rivera at 2022-10-31T11:24:39+02:00 Claim pysha3 - - - - - e14d8d98 by Stefano Rivera at 2022-10-31T11:24:53+02:00 Add and claim python3.7 (as discussed on IRC) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -154,10 +154,14 @@ pluxml NOTE: 20220913: Programming language: PHP. NOTE: 20220913: Special attention: orphaned package. -- -pysha3 +pysha3 (Stefano Rivera) NOTE: 20221031: Programming language: Python. NOTE: 20221031: Special attention: urgent. -- +python3.7 (Stefano Rivera) + NOTE: 20221031: Programming language: C. + NOTE: 20221031: Special attention: urgent. +-- python-django NOTE: 20221031: Programming language: Python. NOTE: 20221031: VCS: https://salsa.debian.org/lts-team/packages/python-django.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0ee0cb8897d88cba67de1501442b1c60bdd9fdf5...e14d8d980665fca92b63149b9990ea8defa87051 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0ee0cb8897d88cba67de1501442b1c60bdd9fdf5...e14d8d980665fca92b63149b9990ea8defa87051 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
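Review bot: the python3.7 entry mirrors pysha3's ("Programming language: C.", "Special attention: urgent") but, unlike the python-django entry just below it, has no "VCS:" NOTE pointing at the LTS packaging repository, and neither entry names the CVE; add the CVE id, since "urgent" alone does not tell a later reader what the urgency is.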
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0ee0cb88 by Salvatore Bonaccorso at 2022-10-31T10:17:22+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10872,9 +10872,9 @@ CVE-2022-3229 CVE-2022-3228 (Using custom code, an attacker can write into name or description fiel ...) TODO: check CVE-2022-40742 (Mail SQR Expert system has a Local File Inclusion vulnerability. An un ...) - TODO: check + NOT-FOR-US: Mail SQR Expert system CVE-2022-40741 (Mail SQR Expert’s specific function has insufficient filtering f ...) - TODO: check + NOT-FOR-US: Mail SQR Expert system CVE-2022-40740 RESERVED CVE-2022-40739 (Ragic report generation page has insufficient filtering for special ch ...) 
@@ -15000,19 +15000,19 @@ CVE-2022-39030 (smart eVision has inadequate authorization for system informatio CVE-2022-39029 (Smart eVision has inadequate authorization for the database query func ...) NOT-FOR-US: Smart eVision CVE-2022-39027 (U-Office Force Forum function has insufficient filtering for special c ...) - TODO: check + NOT-FOR-US: U-Office Force CVE-2022-39026 (U-Office Force UserDefault page has insufficient filtering for special ...) - TODO: check + NOT-FOR-US: U-Office Force CVE-2022-39025 (U-Office Force PrintMessage function has insufficient filtering for sp ...) - TODO: check + NOT-FOR-US: U-Office Force CVE-2022-39024 (U-Office Force Bulletin function has insufficient filtering for specia ...) - TODO: check + NOT-FOR-US: U-Office Force CVE-2022-39023 (U-Office Force Download function has a path traversal vulnerability. A ...) - TODO: check + NOT-FOR-US: U-Office Force CVE-2022-39022 (U-Office Force Download function has a path traversal vulnerability. A ...) - TODO: check + NOT-FOR-US: U-Office Force CVE-2022-39021 (U-Office Force login function has an Open Redirect vulnerability. An u ...) - TODO: check + NOT-FOR-US: U-Office Force CVE-2022-39020 RESERVED CVE-2022-39019 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ee0cb8897d88cba67de1501442b1c60bdd9fdf5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ee0cb8897d88cba67de1501442b1c60bdd9fdf5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
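Review bot: the relabelling from "TODO: check" to "NOT-FOR-US" is consistent across all nine entries. Two things in the surrounding lines: the CVE-2022-40741 description carries mojibake ("Expert’s"), which comes from the imported feed rather than this change, and the label says "Mail SQR Expert system" while the description names the product "Mail SQR Expert"; aligning the label with the product name makes later greps for the vendor match.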
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b0513b34 by security tracker role at 2022-10-31T08:10:23+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,73 @@ +CVE-2023-20853 + RESERVED +CVE-2023-20852 + RESERVED +CVE-2022-8 + RESERVED +CVE-2022-7 + RESERVED +CVE-2022-6 + RESERVED +CVE-2022-5 + RESERVED +CVE-2022-4 + RESERVED +CVE-2022-3 + RESERVED +CVE-2022-2 + RESERVED +CVE-2022-1 + RESERVED +CVE-2022-0 + RESERVED +CVE-2022-44439 + RESERVED +CVE-2022-44438 + RESERVED +CVE-2022-44437 + RESERVED +CVE-2022-44436 + RESERVED +CVE-2022-44435 + RESERVED +CVE-2022-44434 + RESERVED +CVE-2022-44433 + RESERVED +CVE-2022-44432 + RESERVED +CVE-2022-44431 + RESERVED +CVE-2022-44430 + RESERVED +CVE-2022-44429 + RESERVED +CVE-2022-44428 + RESERVED +CVE-2022-44427 + RESERVED +CVE-2022-44426 + RESERVED +CVE-2022-44425 + RESERVED +CVE-2022-44424 + RESERVED +CVE-2022-44423 + RESERVED +CVE-2022-44422 + RESERVED +CVE-2022-44421 + RESERVED +CVE-2022-44420 + RESERVED +CVE-2022-44419 + RESERVED +CVE-2022-3760 + RESERVED +CVE-2022-3759 + RESERVED +CVE-2022-3758 + RESERVED CVE-2022-44418 RESERVED CVE-2022-44417 @@ -3233,6 +3303,7 @@ CVE-2022-43752 CVE-2022-43751 RESERVED CVE-2022-43750 (drivers/usb/mon/mon_bin.c in usbmon in the Linux kernel before 5.19.15 ...) + {DLA-3173-1} - linux 6.0.2-1 [bullseye] - linux 5.10.148-1 NOTE: https://git.kernel.org/linus/a659daf63d16aa883be42f3f34ff84235c302198 (6.1-rc1) @@ -3389,7 +3460,7 @@ CVE-2022-43682 CVE-2022-43681 RESERVED CVE-2022-43680 (In libexpat through 2.4.9, there is a use-after free caused by overeag ...) - {DLA-3165-1} + {DSA-5266-1 DLA-3165-1} - expat 2.5.0-1 (bug #1022743) NOTE: https://github.com/libexpat/libexpat/issues/649 NOTE: https://github.com/libexpat/libexpat/pull/616 
@@ -3652,6 +3723,7 @@ CVE-2022-3650 [ceph-crash.service allows local ceph user to root exploit] - ceph NOTE: https://www.openwall.com/lists/oss-security/2022/10/25/1 CVE-2022-3649 (A vulnerability was found in Linux Kernel. It has been classified as p ...) + {DLA-3173-1} - linux 6.0.2-1 [bullseye] - linux 5.10.148-1 NOTE: https://git.kernel.org/linus/d325dc6eb763c10f591c239550b8c7e5466a5d09 @@ -4003,6 +4075,7 @@ CVE-2022-3647 (A vulnerability, which was classified as problematic, was found i NOTE: Crash inside the crash report when redis already crashed due to calling an invalid NOTE: function pointer, negligible security impact CVE-2022-3646 (A vulnerability, which was classified as problematic, has been found i ...) + {DLA-3173-1} - linux 6.0.2-1 [bullseye] - linux 5.10.148-1 NOTE: https://git.kernel.org/linus/d0d51a97063db4704a5ef6bc978dddab1636a306 (6.1-rc1) @@ -4037,6 +4110,7 @@ CVE-2022-3636 (A vulnerability, which was classified as critical, was found in L - linux (No vulnerable code in any upstream or Debian released version) NOTE: https://git.kernel.org/linus/17a5f6a78dc7b8db385de346092d7d9f9dc24df6 CVE-2022-3635 (A vulnerability, which was classified as critical, has been found in L ...) + {DLA-3173-1} - linux 5.19.6-1 [bullseye] - linux 5.10.140-1 [buster] - linux 4.19.260-1 @@ -4044,6 +4118,7 @@ CVE-2022-3635 (A vulnerability, which was classified as critical, has been found CVE-2022-3634 RESERVED CVE-2022-3633 (A vulnerability classified as problematic has been found in Linux Kern ...) + {DLA-3173-1} - linux 5.19.6-1 [bullseye] - linux 5.10.140-1 [buster] - linux (Vulnerable code not present) 
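Review bot: The {DLA-3173-1} line added to CVE-2022-3633 contradicts that entry's own suite annotation two lines below it, `[buster] - linux (Vulnerable code not present)`: a buster advisory cannot have fixed a CVE the tracker says never affected buster. Either the buster annotation is stale and should become a fixed version, as on the neighbouring CVE-2022-3635 (`[buster] - linux 4.19.260-1`), or CVE-2022-3633 was listed in DLA-3173-1 by mistake and the DLA entry needs correcting; the automatic import cannot decide which, so a human should. The other DLA additions in this region (CVE-2022-3649, CVE-2022-3646, CVE-2022-3635) show no conflicting buster annotation in the visible context.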
@@ -4058,6 +4133,7 @@ CVE-2022-3630 (A vulnerability was found in Linux Kernel. It has been rated as p [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/fb24771faf72a2fd62b3b6287af3c610c3ec9cf1 (6.0-rc1) CVE-2022-3629 (A vulnerability was found in Linux Kernel. It has been declared as pro ...) + {DLA-3173-1} - linux 5.19.6-1 [bullseye] - linux 5.10.140-1 [buster] - linux 4.19.260-1 @@ -4075,6 +4151,7 @@ CVE-2022-3626 (LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemset in libtif NOTE: https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/426 CVE-2022-3625 (A vulnerability was found in Linux Kernel. It has been classified as c ...) + {DLA-3173-1} - linux 5.19.6-1 [bullseye] - linu
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-3707/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7da36de5 by Salvatore Bonaccorso at 2022-10-31T08:38:53+01:00 Add CVE-2022-3707/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2822,6 +2822,9 @@ CVE-2022-3708 (The Web Stories plugin for WordPress is vulnerable to Server-Side NOT-FOR-US: Web Stories plugin for WordPress CVE-2022-3707 RESERVED + - linux + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2137979 + NOTE: https://lore.kernel.org/all/20221007013708.1946061-1-zyytlz...@163.com/ CVE-2022-3706 RESERVED CVE-2022-43932 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7da36de584f7aa963995f9be921fad1808c1b85a
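Review bot: The new linux stanza records only that the kernel is affected: there is no fixed version on the `- linux` line, no per-suite annotation and no upstream fix reference. Once the fix is merged, add the fixed Debian version and the usual `NOTE: https://git.kernel.org/linus/<commit> (<tag>)` line that the other linux entries carry, so the entry can be matched against stable and oldstable. Separately, the second NOTE as shown here contains an elided message-id (`zyytlz...@163.com`); confirm that the committed link is the complete one, since a truncated lore.kernel.org URL will not resolve.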
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-3500 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dc139021 by Salvatore Bonaccorso at 2022-10-31T08:29:23+01:00 Add CVE-2022-3500 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5534,6 +5534,7 @@ CVE-2022-3501 (Article template contents with sensitive data could be accessed f TODO: check CVE-2022-3500 RESERVED + NOT-FOR-US: keylime CVE-2022-42918 RESERVED CVE-2022-42917 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc1390216e1e004b4effa352865b4cefbd97bab9
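Review bot: The NOT-FOR-US line is attached to an entry that is still RESERVED, so the classification rests on information that is not in the tracker (the CVE description has not been published). Add a NOTE with the source that ties CVE-2022-3500 to keylime (the advisory or bug URL it was taken from) so the NFU decision can be re-verified once the description appears and the product name can be checked against the archive. The adjacent CVE-2022-3501 entry, still marked `TODO: check`, shows the alternative of leaving the entry untriaged until then.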
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-1415 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d8f21266 by Salvatore Bonaccorso at 2022-10-31T08:28:30+01:00 Add CVE-2022-1415 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41513,6 +41513,7 @@ CVE-2022-1416 (Missing sanitization of data in Pipeline error messages in GitLab - gitlab CVE-2022-1415 RESERVED + NOT-FOR-US: drools CVE-2022-1414 (3scale API Management 2 does not perform adequate sanitation for user ...) NOT-FOR-US: 3scale API Management CVE-2022-1413 (Missing input masking in GitLab CE/EE affecting all versions starting ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8f212660b9f6828a4e2709833ac670df986c333
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-3705/vim
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a078ad85 by Salvatore Bonaccorso at 2022-10-31T08:06:51+01:00 Track fixed version for CVE-2022-3705/vim - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3169,7 +3169,7 @@ CVE-2022-43762 CVE-2022-43761 RESERVED CVE-2022-3705 (A vulnerability was found in vim and classified as problematic. Affect ...) - - vim + - vim 2:9.0.0813-1 NOTE: https://github.com/vim/vim/commit/d0fab10ed2a86698937e3c3fed2f10bd9bb5e731 (v9.0.0805) CVE-2022-3704 (A vulnerability classified as problematic has been found in Ruby on Ra ...) - rails View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a078ad856379c37a6f86999b3a5d029e5f1c957c
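Review bot: The fixed version 2:9.0.0813-1 is consistent with the NOTE on the next line, which places the upstream fix at v9.0.0805, so the unstable side of the entry is sound. What it still lacks is any per-suite annotation: the other entries in this batch carry `[bullseye]` and `[buster]` lines (a fixed version or "Vulnerable code not present"), and without one here the stable and oldstable status of CVE-2022-3705 stays unspecified. Either add those annotations or, if triage is pending, leave a NOTE saying so, so the missing lines read as deliberate rather than overlooked.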