[Git][security-tracker-team/security-tracker][master] Add CVE-2022-3916 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 01264aec by Salvatore Bonaccorso at 2022-11-11T08:47:32+01:00 Add CVE-2022-3916 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -174,6 +174,7 @@ CVE-2022-3917 RESERVED CVE-2022-3916 RESERVED + NOT-FOR-US: Keycloak CVE-2022-3915 RESERVED CVE-2022-3914 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01264aecd74e0a466bb751a6001c3c49b6c73ae2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01264aecd74e0a466bb751a6001c3c49b6c73ae2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-3715/bash
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3dde85ea by Salvatore Bonaccorso at 2022-11-11T08:46:43+01:00 Add CVE-2022-3715/bash - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5781,8 +5781,11 @@ CVE-2022-3717 (A vulnerability, which was classified as critical, has been found NOTE: Fixed by: https://github.com/Exiv2/exiv2/commit/a58e52ed702d3bc7b8bab7ec1d70a4849eebece3 CVE-2022-3716 (A vulnerability classified as problematic was found in SourceCodester ...) NOT-FOR-US: SourceCodester Online Medicine Ordering System -CVE-2022-3715 +CVE-2022-3715 [a heap-buffer-overflow in valid_parameter_transform] RESERVED + - bash + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2126720 + NOTE: https://lists.gnu.org/archive/html/bug-bash/2022-08/msg00147.html CVE-2022-3714 (A vulnerability classified as critical has been found in SourceCodeste ...) NOT-FOR-US: SourceCodester Online Medicine Ordering System CVE-2022-43945 (The Linux kernel NFSD implementation prior to versions 5.19.17 and 6.0 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3dde85ea936191fd4e6bc3d4b68eae0362b26a79 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3dde85ea936191fd4e6bc3d4b68eae0362b26a79 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
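Review bot: the new CVE-2022-3715 entry records "- bash" with neither a fixed version nor a Debian bug reference, and its two NOTE lines point only at the Red Hat bugzilla entry and the bug-bash thread, not at an upstream fix. Add the fixing commit once it is identified, the Debian bug in the usual "(bug #...)" form, and a "[bullseye] - bash (...)" assessment so the stable status is not left open.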
[Git][security-tracker-team/security-tracker][master] CVE-2022-45061/python3.7: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 457048bf by Sylvain Beucler at 2022-11-11T08:42:03+01:00 CVE-2022-45061/python3.7: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -205,6 +205,7 @@ CVE-2022-45061 (An issue was discovered in Python before 3.11.1. An unnecessary - python3.9 [bullseye] - python3.9 (Minor issue) - python3.7 + [buster] - python3.7 (Minor issue; fix along with next DLA) NOTE: https://github.com/python/cpython/issues/98433 NOTE: https://github.com/python/cpython/pull/99092 NOTE: https://github.com/python/cpython/commit/a6f6c3a3d6f2b580f2d87885c9b8a9350ad7bf15 (3.11-branch) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/457048bf53a1d01e83915bfd3d6ab2812310eef6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/457048bf53a1d01e83915bfd3d6ab2812310eef6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-31684 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 39d5ebb8 by Salvatore Bonaccorso at 2022-11-11T08:34:50+01:00 Mark CVE-2022-31684 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -38183,7 +38183,7 @@ CVE-2022-31686 (VMware Workspace ONE Assist prior to 22.10 contains a Broken Aut CVE-2022-31685 (VMware Workspace ONE Assist prior to 22.10 contains an Authentication ...) NOT-FOR-US: VMware CVE-2022-31684 (Reactor Netty HTTP Server, in versions 1.0.11 - 1.0.23, may log reques ...) - TODO: check + NOT-FOR-US: Reactor Netty, different from src:netty CVE-2022-31683 RESERVED CVE-2022-31682 (VMware Aria Operations contains an arbitrary file read vulnerability. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/39d5ebb8abe985cf5c0ad64d6713285d03126a62 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/39d5ebb8abe985cf5c0ad64d6713285d03126a62 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: php-cas: update note
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 768dcc5c by Sylvain Beucler at 2022-11-11T08:18:10+01:00 dla: php-cas: update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -185,6 +185,7 @@ php-cas NOTE: 20221105: The fix is not backwards compatible. Should be investigated further whether this issue should be solved or ignored.. (ola) NOTE: 20221107: php-cas only has 2 reverse-deps in buster (fusiondirectory, ocsinventory-reports), NOTE: 20221107: consider fixing all 3 packages; also check situation in ELTS for reference (Beuc/front-desk) + NOTE: 20221110: upcoming DSA (Beuc/front-desk) -- php-phpseclib (Sylvain Beucler) NOTE: 20220909: Programming language: PHP. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/768dcc5c5db8dc922c01eca1ea6843fdc90718ce -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/768dcc5c5db8dc922c01eca1ea6843fdc90718ce You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] chromium DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c9d0a80 by Moritz Mühlenhoff at 2022-11-10T23:34:23+01:00 chromium DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[10 Nov 2022] DSA-5275-1 chromium - security update + {CVE-2022-3885 CVE-2022-3886 CVE-2022-3887 CVE-2022-3888 CVE-2022-3889 CVE-2022-3890} + [bullseye] - chromium 107.0.5304.110-1~deb11u1 [08 Nov 2022] DSA-5274-1 wpewebkit - security update {CVE-2022-42799 CVE-2022-42823 CVE-2022-42824} [bullseye] - wpewebkit 2.38.2-1~deb11u1 = data/dsa-needed.txt = @@ -14,8 +14,6 @@ If needed, specify the release by adding a slash after the name of the source pa -- asterisk (apo) -- -chromium --- commons-configuration2 -- frr View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c9d0a80a2e79c2c77442d1a98e3f16d597a8d7c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c9d0a80a2e79c2c77442d1a98e3f16d597a8d7c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2022-39377/sysstat
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 58869224 by Salvatore Bonaccorso at 2022-11-10T23:22:03+01:00 Add Debian bug reference for CVE-2022-39377/sysstat - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17158,7 +17158,7 @@ CVE-2022-39379 (Fluentd collects events from various data sources and writes the CVE-2022-39378 (Discourse is a platform for community discussion. Under certain condit ...) NOT-FOR-US: Discourse CVE-2022-39377 (sysstat is a set of system performance tools for the Linux operating s ...) - - sysstat + - sysstat (bug #1023832) NOTE: https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x NOTE: https://github.com/sysstat/sysstat/commit/9c4eaf150662ad40607923389d4519bc83b93540 (v12.7.1) CVE-2022-39376 (GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Fre ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58869224b4efce08f0205a7632cada04b1369d81 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58869224b4efce08f0205a7632cada04b1369d81 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add reference to upstream commit for CVE-2022-39377/sysstat
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d8df6b35 by Salvatore Bonaccorso at 2022-11-10T23:13:28+01:00 Add reference to upstream commit for CVE-2022-39377/sysstat - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17160,6 +17160,7 @@ CVE-2022-39378 (Discourse is a platform for community discussion. Under certain CVE-2022-39377 (sysstat is a set of system performance tools for the Linux operating s ...) - sysstat NOTE: https://github.com/sysstat/sysstat/security/advisories/GHSA-q8r6-g56f-9w7x + NOTE: https://github.com/sysstat/sysstat/commit/9c4eaf150662ad40607923389d4519bc83b93540 (v12.7.1) CVE-2022-39376 (GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Fre ...) - glpi (unimportant) NOTE: https://github.com/glpi-project/glpi/security/advisories/GHSA-6rh5-m5g7-327w View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8df6b354f65556cb2b5f939465c34a788558627 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8df6b354f65556cb2b5f939465c34a788558627 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6c8a573e by Salvatore Bonaccorso at 2022-11-10T21:53:17+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18101,11 +18101,11 @@ CVE-2022-39040 CVE-2022-39039 RESERVED CVE-2022-39038 (Agentflow BPM enterprise management system has improper authentication ...) - TODO: check + NOT-FOR-US: Agentflow BPM enterprise management system CVE-2022-39037 (Agentflow BPM file download function has a path traversal vulnerabilit ...) - TODO: check + NOT-FOR-US: Agentflow BPM file download function CVE-2022-39036 (The file upload function of Agentflow BPM has insufficient filtering f ...) - TODO: check + NOT-FOR-US: Agentflow BPM CVE-2022-39035 (Smart eVision has insufficient filtering for special characters in the ...) NOT-FOR-US: Smart eVision CVE-2022-39034 (Smart eVision has a path traversal vulnerability in the Report API fun ...) @@ -21009,13 +21009,13 @@ CVE-2022-38124 CVE-2022-38123 RESERVED CVE-2022-38122 (UPSMON PRO transmits sensitive data in cleartext over HTTP protocol. A ...) - TODO: check + NOT-FOR-US: UPSMON PRO CVE-2022-38121 (UPSMON PRO configuration file stores user password in plaintext under ...) - TODO: check + NOT-FOR-US: UPSMON PRO CVE-2022-38120 (UPSMON PRO’s has a path traversal vulnerability. A remote attack ...) - TODO: check + NOT-FOR-US: UPSMON PRO CVE-2022-38119 (UPSMON Pro login function has insufficient authentication. An unauthen ...) - TODO: check + NOT-FOR-US: UPSMON PRO CVE-2022-38118 (OAKlouds Portal website’s Meeting Room has insufficient validati ...) NOT-FOR-US: OAKlouds CVE-2022-38117 (Juiker app hard-coded its AES key in the source code. A physical attac ...) 
@@ -21310,7 +21310,7 @@ CVE-2022-38025 (Windows Distributed File System (DFS) Information Disclosure Vul CVE-2022-38024 RESERVED CVE-2022-38023 (Netlogon RPC Elevation of Privilege Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-38022 (Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is un ...) NOT-FOR-US: Microsoft CVE-2022-38021 (Connected User Experiences and Telemetry Elevation of Privilege Vulner ...) @@ -21326,9 +21326,9 @@ CVE-2022-38017 (StorSimple 8000 Series Elevation of Privilege Vulnerability. ... CVE-2022-38016 (Windows Local Security Authority (LSA) Elevation of Privilege Vulnerab ...) NOT-FOR-US: Microsoft CVE-2022-38015 (Windows Hyper-V Denial of Service Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-38014 (Windows Subsystem for Linux (WSL2) Kernel Elevation of Privilege Vulne ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-38013 (.NET Core and Visual Studio Denial of Service Vulnerability. ...) NOT-FOR-US: Microsoft CVE-2022-38012 (Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. ...) @@ -21372,7 +21372,7 @@ CVE-2022-37994 (Windows Group Policy Preference Client Elevation of Privilege Vu CVE-2022-37993 (Windows Group Policy Preference Client Elevation of Privilege Vulnerab ...) NOT-FOR-US: Microsoft CVE-2022-37992 (Windows Group Policy Elevation of Privilege Vulnerability. This CVE ID ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-37991 (Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is un ...) NOT-FOR-US: Microsoft CVE-2022-37990 (Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is un ...) 
@@ -21422,9 +21422,9 @@ CVE-2022-37969 (Windows Common Log File System Driver Elevation of Privilege Vul CVE-2022-37968 (Azure Arc-enabled Kubernetes cluster Connect Elevation of Privilege Vu ...) NOT-FOR-US: Microsoft CVE-2022-37967 (Windows Kerberos Elevation of Privilege Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-37966 (Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-37965 (Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerabil ...) NOT-FOR-US: Microsoft CVE-2022-37964 (Windows Kernel Elevation of Privilege Vulnerability. This CVE ID is un ...) @@ -34621,7 +34621,7 @@ CVE-2022-32959 (HiCOS’ client-side citizen digital certificate component h CVE-2022-32958 (A remote attacker with general user privilege can send a message to Te ...) NOT-FOR-US: TeamPlus Pro CVE-2022-32588 (An out-of-bounds write vulnerability exists in the PICT parsing pctwre ...) - TODO: check + NOT-FOR-US: Accusoft ImageGear CVE-2022-32281 RESERVED CVE-2022-2053 (When a POST request comes through AJP and the request exceeds the max- ...) @@ -38172,15 +38172,15 @
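Review bot: the NOT-FOR-US labels in the three Agentflow hunks are inconsistent: CVE-2022-39038 gets "Agentflow BPM enterprise management system", CVE-2022-39037 "Agentflow BPM file download function" and CVE-2022-39036 plain "Agentflow BPM". The label names the product, not the affected function, so "NOT-FOR-US: Agentflow BPM" fits all three; the UPSMON hunks already follow that pattern with "UPSMON PRO" throughout.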
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ad0a5be5 by Salvatore Bonaccorso at 2022-11-10T21:29:28+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1044,7 +1044,7 @@ CVE-2022-44729 CVE-2022-44728 RESERVED CVE-2022-44727 (The EU Cookie Law GDPR (Banner + Blocker) module before 2.1.3 for Pres ...) - TODO: check + NOT-FOR-US: PrestaShop module CVE-2022-44726 RESERVED CVE-2022-44725 @@ -3657,11 +3657,11 @@ CVE-2022-44091 CVE-2022-44090 RESERVED CVE-2022-44089 (ESPCMS P8.21120101 was discovered to contain a remote code execution ( ...) - TODO: check + NOT-FOR-US: ESPCMS CVE-2022-44088 (ESPCMS P8.21120101 was discovered to contain a remote code execution ( ...) - TODO: check + NOT-FOR-US: ESPCMS CVE-2022-44087 (ESPCMS P8.21120101 was discovered to contain a remote code execution ( ...) - TODO: check + NOT-FOR-US: ESPCMS CVE-2022-44086 RESERVED CVE-2022-44085 
@@ -8992,9 +8992,9 @@ CVE-2022-42789 (An issue in code signature validation was addressed with improve CVE-2022-42788 (A permissions issue existed. This issue was addressed with improved pe ...) NOT-FOR-US: Apple CVE-2022-42787 (Multiple W&T products of the Comserver Series use a small number s ...) - TODO: check + NOT-FOR-US: Wiesemann & Theis GmbH products CVE-2022-42786 (Multiple W&T Products of the ComServer Series are prone to an XSS ...) - TODO: check + NOT-FOR-US: Wiesemann & Theis GmbH products CVE-2022-42785 RESERVED CVE-2022-42784 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad0a5be56304e734318ebe3fafb5a0e389e9cbbd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad0a5be56304e734318ebe3fafb5a0e389e9cbbd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2022-39390
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f2f32e11 by Salvatore Bonaccorso at 2022-11-10T21:17:05+01:00 Remove notes from CVE-2022-39390 It was found to be a duplicate of an earlier CVE and got rejected by the assigning CNA. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17133,7 +17133,6 @@ CVE-2022-39391 RESERVED CVE-2022-39390 REJECTED - NOT-FOR-US: Octocat.js CVE-2022-39389 RESERVED CVE-2022-39388 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2f32e112897b3623f161dc17625ab5a7e20f8c9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2f32e112897b3623f161dc17625ab5a7e20f8c9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove notes for CVE-2022-3642 as it got rejected
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 97e28bee by Salvatore Bonaccorso at 2022-11-10T21:14:20+01:00 Remove notes for CVE-2022-3642 as it got rejected The issue did not affect any released or Linux mainline commit. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7015,7 +7015,6 @@ CVE-2022-3643 RESERVED CVE-2022-3642 REJECTED - - linux (Vulnerable code not present in any released or mainline commit; only wireless-next) CVE-2022-3641 RESERVED CVE-2022-36401 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97e28bee0defa910602708cfb0b4f8fcf0035765 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97e28bee0defa910602708cfb0b4f8fcf0035765 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dffed5e1 by security tracker role at 2022-11-10T20:10:22+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,45 @@ +CVE-2022-45143 + RESERVED +CVE-2022-45142 + RESERVED +CVE-2022-45141 + RESERVED +CVE-2022-45140 + RESERVED +CVE-2022-45139 + RESERVED +CVE-2022-45138 + RESERVED +CVE-2022-45137 + RESERVED +CVE-2022-45136 + RESERVED +CVE-2022-45135 + RESERVED +CVE-2022-43668 + RESERVED +CVE-2022-3932 + RESERVED +CVE-2022-3931 + RESERVED +CVE-2022-3930 + RESERVED +CVE-2022-3929 + RESERVED +CVE-2022-3928 + RESERVED +CVE-2022-3927 + RESERVED +CVE-2022-3926 + RESERVED +CVE-2022-3925 + RESERVED +CVE-2022-3924 + RESERVED +CVE-2022-3923 + RESERVED +CVE-2022-3922 + RESERVED CVE-2022-45134 RESERVED CVE-2022-45133 @@ -146,8 +188,7 @@ CVE-2022-3910 RESERVED CVE-2022-3909 RESERVED -CVE-2022-45063 - RESERVED +CVE-2022-45063 (xterm before 375 allows code execution via font ops, e.g., because an ...) - xterm 375-1 [bullseye] - xterm (Minor issue; mitigated by default in Debian) NOTE: https://www.openwall.com/lists/oss-security/2022/11/10/1 @@ -1002,8 +1043,8 @@ CVE-2022-44729 RESERVED CVE-2022-44728 RESERVED -CVE-2022-44727 - RESERVED +CVE-2022-44727 (The EU Cookie Law GDPR (Banner + Blocker) module before 2.1.3 for Pres ...) + TODO: check CVE-2022-44726 RESERVED CVE-2022-44725 @@ -3615,12 +3656,12 @@ CVE-2022-44091 RESERVED CVE-2022-44090 RESERVED -CVE-2022-44089 - RESERVED -CVE-2022-44088 - RESERVED -CVE-2022-44087 - RESERVED +CVE-2022-44089 (ESPCMS P8.21120101 was discovered to contain a remote code execution ( ...) + TODO: check +CVE-2022-44088 (ESPCMS P8.21120101 was discovered to contain a remote code execution ( ...) + TODO: check +CVE-2022-44087 (ESPCMS P8.21120101 was discovered to contain a remote code execution ( ...) + TODO: check CVE-2022-44086 RESERVED CVE-2022-44085 
@@ -3811,6 +3852,7 @@ CVE-2022-3757 (A vulnerability was found in Exiv2. It has been declared as criti NOTE: Issue introduced after: https://github.com/Exiv2/exiv2/commit/e4adf388aaaaf08fc0fc38419a5b0117b299 NOTE: Fixed by: https://github.com/Exiv2/exiv2/commit/d3651fdbd352cbaf259f89abf7557da343339378 CVE-2022-3756 (A vulnerability was found in Exiv2. It has been classified as critical ...) + {DLA-3186-1} - exiv2 NOTE: Fixed by: https://github.com/Exiv2/exiv2/commit/bf4f28b727bdedbd7c88179c30d360e54568a62e CVE-2022-3755 (A vulnerability was found in Exiv2 and classified as problematic. This ...) @@ -6186,11 +6228,9 @@ CVE-2022-43756 RESERVED CVE-2022-43755 RESERVED -CVE-2022-43754 - RESERVED +CVE-2022-43754 (An Improper Neutralization of Input During Web Page Generation ('Cross ...) NOT-FOR-US: Uyuni -CVE-2022-43753 - RESERVED +CVE-2022-43753 (A Improper Limitation of a Pathname to a Restricted Directory ('Path T ...) NOT-FOR-US: Uyuni CVE-2022-43752 (** UNSUPPORTED WHEN ASSIGNED ** Oracle Solaris version 10 1/13, when u ...) NOT-FOR-US: Oracle Solaris @@ -6973,7 +7013,8 @@ CVE-2022-3644 (The collection remote for pulp_ansible stores tokens in plaintext NOT-FOR-US: Pulp (Red Hat) CVE-2022-3643 RESERVED -CVE-2022-3642 (A vulnerability classified as problematic has been found in Linux Kern ...) +CVE-2022-3642 + REJECTED - linux (Vulnerable code not present in any released or mainline commit; only wireless-next) CVE-2022-3641 RESERVED 
@@ -8213,11 +8254,13 @@ CVE-2022-3553 (A vulnerability, which was classified as problematic, was found i CVE-2022-3552 (Unrestricted Upload of File with Dangerous Type in GitHub repository b ...) NOT-FOR-US: boxbilling CVE-2022-3551 (A vulnerability, which was classified as problematic, has been found i ...) + {DLA-3185-1} - xorg-server [bullseye] - xorg-server (Minor issue) - xwayland NOTE: https://gitlab.freedesktop.org/xorg/xserver/commit/18f91b950e22c2a342a4fbc55e9ddf7534a707d2 CVE-2022-3550 (A vulnerability classified as critical was found in X.org Server. Affe ...) + {DLA-3185-1} - xorg-server - xwayland NOTE: https://gitlab.freedesktop.org/xorg/xserver/commit/11beef0b7f1ed290348e45618e5fa0d2bffcb72e @@ -8949,10 +8992,10 @@ CVE-2022-42789 (An issue in code signature validation was addressed with improve NOT-FOR-US: Apple CVE-2022-42788 (A permissions issue existed. This issue was addressed with improved pe ...) NOT-FOR-US: Apple -CVE-2022-42
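Review bot: in the CVE-2022-3642 hunk the entry is switched to REJECTED, but the "- linux (Vulnerable code not present in any released or mainline commit; only wireless-next)" package line is kept beneath it. A rejected CVE should carry no package assessment, so that line should be dropped in the same change; the follow-up commit 97e28bee in this batch does exactly that.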
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-45063/xterm
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 60f5aa23 by Salvatore Bonaccorso at 2022-11-10T20:35:33+01:00 Add CVE-2022-45063/xterm - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -148,6 +148,11 @@ CVE-2022-3909 RESERVED CVE-2022-45063 RESERVED + - xterm 375-1 + [bullseye] - xterm (Minor issue; mitigated by default in Debian) + NOTE: https://www.openwall.com/lists/oss-security/2022/11/10/1 + NOTE: Debian sets defaults for allowWindowOps and allowFontOps resources to false since + NOTE: 238-1, mitigating the issue. CVE-2022-45062 (In Xfce xfce4-settings before 4.16.4 and 4.17.x before 4.17.1, there i ...) - xfce4-settings (bug #1023732) NOTE: https://gitlab.xfce.org/xfce/xfce4-settings/-/issues/390 (not public) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60f5aa23f59b1190a4bc8e56a174be9c0dcf64b6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60f5aa23f59b1190a4bc8e56a174be9c0dcf64b6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for several wolfssl issues via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fd02f90b by Salvatore Bonaccorso at 2022-11-10T20:29:26+01:00 Track fixed version for several wolfssl issues via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8368,7 +8368,7 @@ CVE-2022-42963 CVE-2022-42962 RESERVED CVE-2022-42961 (An issue was discovered in wolfSSL before 5.5.0. A fault injection att ...) - - wolfssl (bug #1023574) + - wolfssl 5.5.3-1 (bug #1023574) NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.0-stable CVE-2022-42960 RESERVED @@ -17672,7 +17672,7 @@ CVE-2022-39175 CVE-2022-39174 RESERVED CVE-2022-39173 (In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow ...) - - wolfssl (bug #1021021) + - wolfssl 5.5.3-1 (bug #1021021) CVE-2022-39172 RESERVED CVE-2022-39171 @@ -20911,11 +20911,11 @@ CVE-2022-38155 (TEE_Malloc in Samsung mTower through 0.3.0 allows a trusted appl CVE-2022-38154 RESERVED CVE-2022-38153 (An issue was discovered in wolfSSL before 5.5.0 (when --enable-session ...) - - wolfssl (bug #1021021) + - wolfssl 5.5.3-1 (bug #1021021) [bullseye] - wolfssl (Vulnerable code not present and session tickets not enabled) NOTE: https://github.com/wolfSSL/wolfssl/pull/5476 CVE-2022-38152 (An issue was discovered in wolfSSL before 5.5.0. When a TLS 1.3 client ...) - - wolfssl (bug #1021021) + - wolfssl 5.5.3-1 (bug #1021021) [bullseye] - wolfssl (Minor issue) NOTE: https://github.com/wolfSSL/wolfssl/pull/5468 CVE-2022-38151 
@@ -31204,7 +31204,7 @@ CVE-2022-34295 (totd before 1.5.3 does not properly randomize mesg IDs. ...) CVE-2022-34294 (totd 1.5.3 uses a fixed UDP source port in upstream queries sent to DN ...) NOT-FOR-US: totd CVE-2022-34293 (wolfSSL before 5.4.0 allows remote attackers to cause a denial of serv ...) - - wolfssl (bug #1016981) + - wolfssl 5.5.3-1 (bug #1016981) [bullseye] - wolfssl (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2022/08/08/6 CVE-2022-34292 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd02f90bb56e8821a02a2efd23a2a5db78b8dac7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd02f90bb56e8821a02a2efd23a2a5db78b8dac7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
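Review bot: CVE-2022-42961 and CVE-2022-39173 receive the 5.5.3-1 fixed version but, unlike CVE-2022-38153, CVE-2022-38152 and CVE-2022-34293 in the same patch, have no "[bullseye] - wolfssl (...)" line under them, so the bullseye status of those two stays unassessed. Add a [bullseye] assessment for both while the wolfssl entries are being touched.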
[Git][security-tracker-team/security-tracker][master] two k8s issues, NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 652bf02a by Moritz Muehlenhoff at 2022-11-10T18:48:56+01:00 two k8s issues, NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8352,7 +8352,7 @@ CVE-2022-42966 (An exponential ReDoS (Regular Expression Denial of Service) can NOTE: https://research.jfrog.com/vulnerabilities/cleo-redos-xray-257186/ NOTE: Doesn't seem to be reported upstream so far CVE-2022-42965 (An exponential ReDoS (Regular Expression Denial of Service) can be tri ...) - TODO: check + NOT-FOR-US: snowflake-connector-python CVE-2022-42964 (An exponential ReDoS (Regular Expression Denial of Service) can be tri ...) - pymatgen NOTE: https://research.jfrog.com/vulnerabilities/pymatgen-redos-xray-257184/ @@ -12467,6 +12467,9 @@ CVE-2022-3295 (Allocation of Resources Without Limits or Throttling in GitHub re - rdiffweb (bug #969974) CVE-2022-3294 RESERVED + - kubernetes 1.20.5+really1.20.2-1 + NOTE: Server components no longer built since 1.20.5+really1.20.2-1, marking that as fixed version + NOTE: The source package itself it still vulnerable, but custom rebuilds are not really a usecase here CVE-2022-3293 (Email addresses were leaked in WebHook logs in GitLab EE affecting all ...) - gitlab (Only affects Gitlab EE) CVE-2022-3292 (Use of Cache Containing Sensitive Information in GitHub repository iku ...) @@ -15284,6 +15287,9 @@ CVE-2022-40176 (A vulnerability has been identified in Desigo PXM30-1 (All versi NOT-FOR-US: Siemens CVE-2022-3162 RESERVED + - kubernetes 1.20.5+really1.20.2-1 + NOTE: Server components no longer built since 1.20.5+really1.20.2-1, marking that as fixed version + NOTE: The source package itself it still vulnerable, but custom rebuilds are not really a usecase here CVE-2022-3161 RESERVED CVE-2022-3160 
@@ -15962,35 +15968,35 @@ CVE-2022-39895 CVE-2022-39894 RESERVED CVE-2022-39893 (Sensitive information exposure vulnerability in FmmBaseModel in Galaxy ...) - TODO: check + NOT-FOR-US: Samsung CVE-2022-39892 (Improper access control in Samsung Pass prior to version 4.0.05.1 allo ...) - TODO: check + NOT-FOR-US: Samsung CVE-2022-39891 (Heap overflow vulnerability in parse_pce function in libsavsaudio.so i ...) - TODO: check + NOT-FOR-US: Samsung CVE-2022-39890 (Improper Authorization in Samsung Billing prior to version 5.0.56.0 al ...) - TODO: check + NOT-FOR-US: Samsung CVE-2022-39889 (Improper access control vulnerability in GalaxyWatch4Plugin prior to v ...) - TODO: check + NOT-FOR-US: Samsung CVE-2022-39888 RESERVED CVE-2022-39887 (Improper access control vulnerability in clearAllGlobalProxy in MiscPo ...) - TODO: check + NOT-FOR-US: Samsung CVE-2022-39886 (Improper access control vulnerability in IpcRxServiceModeBigDataInfo i ...) - TODO: check + NOT-FOR-US: Samsung CVE-2022-39885 (Improper access control vulnerability in BootCompletedReceiver_CMCC in ...) - TODO: check + NOT-FOR-US: Samsung CVE-2022-39884 (Improper access control vulnerability in IImsService prior to SMR Nov- ...) - TODO: check + NOT-FOR-US: Samsung CVE-2022-39883 (Improper authorization vulnerability in StorageManagerService prior to ...) - TODO: check + NOT-FOR-US: Samsung CVE-2022-39882 (Heap overflow vulnerability in sflacf_fal_bytes_peek function in libsm ...) - TODO: check + NOT-FOR-US: Samsung CVE-2022-39881 (Improper input validation vulnerability for processing SIB12 PDU in Ex ...) - TODO: check + NOT-FOR-US: Samsung CVE-2022-39880 (Improper input validation vulnerability in DualOutFocusViewer prior to ...) - TODO: check + NOT-FOR-US: Samsung CVE-2022-39879 (Improper authorization vulnerability in?CallBGProvider prior to SMR No ...) - TODO: check + NOT-FOR-US: Samsung CVE-2022-39878 (Improper access control vulnerability in Samsung Checkout prior to ver ...) 
NOT-FOR-US: Samsung CVE-2022-39877 (Improper access control vulnerability in ProfileSharingAccount in Grou ...) @@ -17062,11 +17068,11 @@ CVE-2022-39399 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise E - openjdk-17 17.0.5+8-1 [bullseye] - openjdk-17 (Minor issue, fix along with next CPU) CVE-2022-39398 (tasklists is a tasklists plugin for GLPI (Kanban). Versions prior to 2 ...) - TODO: check + NOT-FOR-US: GLPI plugin CVE-2022-39397 RESERVED CVE-2022-39396 (Parse Server is an open source backend that can be deployed to any inf ...) - TODO: check + NOT-FOR-US: Node parse-server CVE-2022-39395 RESERVED CVE-2022-39394 @@ -17087,7 +17093,7
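Review bot: the NOTE added under CVE-2022-3294 and repeated verbatim under CVE-2022-3162 reads "The source package itself it still vulnerable"; it should be "is still vulnerable" in both hunks. Because the two kubernetes entries carry identical NOTE pairs, a later correction to one is likely to miss the other, so fix both here.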
[Git][security-tracker-team/security-tracker][master] new pymatgen issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e0e1e694 by Moritz Muehlenhoff at 2022-11-10T16:58:30+01:00 new pymatgen issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8354,7 +8354,9 @@ CVE-2022-42966 (An exponential ReDoS (Regular Expression Denial of Service) can CVE-2022-42965 (An exponential ReDoS (Regular Expression Denial of Service) can be tri ...) TODO: check CVE-2022-42964 (An exponential ReDoS (Regular Expression Denial of Service) can be tri ...) - TODO: check + - pymatgen + NOTE: https://research.jfrog.com/vulnerabilities/pymatgen-redos-xray-257184/ + NOTE: Doesn't seem to be reported upstream so far CVE-2022-3520 RESERVED CVE-2022-3519 (A vulnerability classified as problematic was found in SourceCodester ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e0e1e694ccdc380c31917344585f3a1078809eb0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e0e1e694ccdc380c31917344585f3a1078809eb0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
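Review bot: the new `- pymatgen` line has no fixed version and the entry has no bug reference, so CVE-2022-42964 is tracked as unfixed in every suite with nothing pointing the maintainer at it; given the NOTE that the JFrog finding has not reached upstream, filing a Debian bug and recording it as `(bug #NNNNNN)` (placeholder) on the package line would give the entry an owner.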
[Git][security-tracker-team/security-tracker][master] new python-cleo issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6857f652 by Moritz Muehlenhoff at 2022-11-10T16:55:59+01:00 new python-cleo issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8348,7 +8348,9 @@ CVE-2022-42968 (Gitea before 1.17.3 does not sanitize and escape refs in the git CVE-2022-42967 RESERVED CVE-2022-42966 (An exponential ReDoS (Regular Expression Denial of Service) can be tri ...) - TODO: check + - python-cleo + NOTE: https://research.jfrog.com/vulnerabilities/cleo-redos-xray-257186/ + NOTE: Doesn't seem to be reported upstream so far CVE-2022-42965 (An exponential ReDoS (Regular Expression Denial of Service) can be tri ...) TODO: check CVE-2022-42964 (An exponential ReDoS (Regular Expression Denial of Service) can be tri ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6857f652e46b97f1ab356afaaf0ddf14be4990c4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6857f652e46b97f1ab356afaaf0ddf14be4990c4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
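Review bot: the `- python-cleo` line carries no fixed version and no bug reference, and the NOTE states the finding is not reported upstream yet; an unfixed entry without a bug number is easy to lose, so consider filing a Debian bug and adding `(bug #NNNNNN)` (placeholder) to the package line.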
[Git][security-tracker-team/security-tracker][master] "new" pikepdf issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5352b6ae by Moritz Muehlenhoff at 2022-11-10T16:53:02+01:00 "new" pikepdf issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6447,7 +6447,8 @@ CVE-2022-3662 (A vulnerability was found in Axiomatic Bento4. It has been declar CVE-2021-46850 (myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel befor ...) NOT-FOR-US: myVesta Control Panel CVE-2021-46849 (pikepdf before 2.10.0 allows an XXE attack against PDF XMP metadata pa ...) - TODO: check + - pikepdf 3.2.0+dfsg-1 + NOTE: https://github.com/pikepdf/pikepdf/blob/v2.10.0/docs/release_notes.rst#v2100 CVE-2021-46848 (GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check ...) - libtasn1-6 4.19.0-2 [bullseye] - libtasn1-6 (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5352b6ae45659b34d616c9cabea83216dd755536 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5352b6ae45659b34d616c9cabea83216dd755536 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
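Review bot: the fixed version recorded for CVE-2021-46849 is 3.2.0+dfsg-1, but the referenced release note places the XXE fix in upstream 2.10.0; if an earlier Debian upload already contained 2.10.0 or later, the fixed version should be that upload, and any suite still shipping a pikepdf older than 2.10.0 needs a `[suite]` annotation, which this hunk does not add.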
[Git][security-tracker-team/security-tracker][master] Claim some Python packages
Dominik George pushed to branch master at Debian Security Tracker / security-tracker Commits: 43f07226 by Dominik George at 2022-11-10T16:17:50+01:00 Claim some Python packages - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -107,17 +107,17 @@ jhead NOTE: 20221031: Note that multiple options are vulnerable. The attacker have to trick someone to execute the command but arbitrary code exectuion is not good.. NOTE: 20221031: It should be stated in the DLA that multiple options are affected.. -- -joblib +joblib (Dominik George) NOTE: 20221006: Programming language: Python. -- -jupyter-core +jupyter-core (Dominik George) NOTE: 20221102: Programming language: Python. -- kopanocore NOTE: 20220801: Programming language: C++. NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973) (gusnan/retired) -- -lava +lava (Dominik George) NOTE: 20221031: Programming language: Python. -- libapreq2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43f0722669c022937aef99bdb704d6aadcb3e5d3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43f0722669c022937aef99bdb704d6aadcb3e5d3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3186-1 for exiv2
Dominik George pushed to branch master at Debian Security Tracker / security-tracker Commits: cc35d972 by Dominik George at 2022-11-10T15:37:49+01:00 Reserve DLA-3186-1 for exiv2 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -241631,7 +241631,7 @@ CVE-2019-13114 (http.c in Exiv2 through 0.27.1 allows a malicious http server to NOTE: https://github.com/Exiv2/exiv2/issues/793 CVE-2019-13113 (Exiv2 through 0.27.1 allows an attacker to cause a denial of service ( ...) - exiv2 0.27.2-6 (unimportant) -[buster] - exiv2 (Vulnerable code introduced later) + [buster] - exiv2 (Vulnerable code introduced later) NOTE: https://github.com/Exiv2/exiv2/commit/6212806b7637be683a56c769a8d905153996d933 NOTE: https://github.com/Exiv2/exiv2/commit/ccde30afa8ca787a3fe17388a15977f107a53b72 NOTE: https://github.com/Exiv2/exiv2/issues/841 = data/DLA/list = @@ -1,3 +1,6 @@ +[10 Nov 2022] DLA-3186-1 exiv2 - security update + {CVE-2017-11683 CVE-2020-19716 CVE-2022-3756} + [buster] - exiv2 0.25-4+deb10u3 [10 Nov 2022] DLA-3185-1 xorg-server - security update {CVE-2022-3550 CVE-2022-3551} [buster] - xorg-server 2:1.20.4-1+deb10u6 = data/dla-needed.txt = 
@@ -44,10 +44,6 @@ curl (Emilio) dropbear (Utkarsh) NOTE: 20221027: Programming language: C. -- -exiv2 (Dominik George) - NOTE: 20220819: Programming language: C++. - NOTE: 20220819: https://github.com/Exiv2/exiv2/commit/109d5df7abd329f141b500c92a00178d35a6bef3#diff-bd28aafd4c87975a3a236af74c2200db447587fa0bb4f43ba9beb98738c77b2aL292 does not directly apply, but a very quick glance suggests the earlier code may be equally vulnerable. (Chris Lamb) --- firmware-nonfree NOTE: 20220906: Consider to check the severity of the issues again and judge whether a correction is worth it. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc35d972357a33295e50c9f527ec258d578b18a8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc35d972357a33295e50c9f527ec258d578b18a8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
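Review bot: the data/CVE/list hunk only re-indents the `[buster] - exiv2 (Vulnerable code introduced later)` line under CVE-2019-13113 (the line was added without leading whitespace in fc233276) and is unrelated to reserving DLA-3186-1; it belongs in its own commit. In the data/dla-needed.txt hunk, the entry being removed carries Chris Lamb's note that the earlier code may be equally vulnerable to what the upstream commit fixes; if that question was settled before the upload, record the conclusion as a NOTE on the affected CVE entry instead of dropping it with the claim.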
[Git][security-tracker-team/security-tracker][master] nomad n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 98d84560 by Moritz Muehlenhoff at 2022-11-10T15:25:34+01:00 nomad n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -944,9 +944,11 @@ CVE-2022-44733 (Local privilege escalation due to insecure folder permissions. T CVE-2022-44732 (Local privilege escalation due to insecure folder permissions. The fol ...) NOT-FOR-US: Acronis CVE-2022-3867 (HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream su ...) - TODO: check + - nomad (Only affects 1.4) + NOTE: https://discuss.hashicorp.com/t/hcsec-2022-26-nomad-s-event-stream-subscriber-using-acl-token-with-ttl-receive-updates-until-garbage-collected/46168 CVE-2022-3866 (HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identi ...) - TODO: check + - nomad (Only affects 1.4) + NOTE: https://discuss.hashicorp.com/t/hcsec-2022-25-nomad-s-workload-identity-token-can-list-non-sensitive-metadata-for-nomad-paths/46167 CVE-2022-3865 RESERVED CVE-2022-3864 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98d845606fc362a45133492aff74fd03ce7097eb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98d845606fc362a45133492aff74fd03ce7097eb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
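Review bot: both added `- nomad (Only affects 1.4)` lines have neither a version nor a pseudo-version, so the tracker will treat nomad as unfixed in every suite, which contradicts the commit message "nomad n/a"; if the packaged nomad predates 1.4, mark the package `<not-affected>` with the same reason, otherwise record the fixed version.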
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: eddc0381 by Moritz Muehlenhoff at 2022-11-10T14:39:05+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7,9 +7,9 @@ CVE-2022-45132 CVE-2022-45131 RESERVED CVE-2022-45130 (Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/command ...) - TODO: check + NOT-FOR-US: Plesk CVE-2022-45129 (Payara before 2022-11-04, when deployed to the root context, allows at ...) - TODO: check + NOT-FOR-US: Payara CVE-2022-45128 RESERVED CVE-2022-45117 @@ -11042,7 +11042,7 @@ CVE-2022-41876 CVE-2022-41875 RESERVED CVE-2022-41874 (Tauri is a framework for building binaries for all major desktop platf ...) - TODO: check + NOT-FOR-US: Tauri CVE-2022-41873 RESERVED CVE-2022-41872 
@@ -13042,37 +13042,37 @@ CVE-2022-41130 CVE-2022-41129 RESERVED CVE-2022-41128 (Windows Scripting Languages Remote Code Execution Vulnerability. This ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41127 RESERVED CVE-2022-41126 RESERVED CVE-2022-41125 (Windows CNG Key Isolation Service Elevation of Privilege Vulnerability ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41124 RESERVED CVE-2022-41123 (Microsoft Exchange Server Elevation of Privilege Vulnerability. This C ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41122 (Microsoft SharePoint Server Spoofing Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41121 RESERVED CVE-2022-41120 (Microsoft Windows Sysmon Elevation of Privilege Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41119 (Visual Studio Remote Code Execution Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41118 (Windows Scripting Languages Remote Code Execution Vulnerability. This ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41117 RESERVED CVE-2022-41116 (Windows Point-to-Point Tunneling Protocol Denial of Service Vulnerabil ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41115 RESERVED CVE-2022-41114 (Windows Bind Filter Driver Elevation of Privilege Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41113 (Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41112 RESERVED CVE-2022-4 
@@ -13080,55 +13080,55 @@ CVE-2022-4 CVE-2022-41110 RESERVED CVE-2022-41109 (Windows Win32k Elevation of Privilege Vulnerability. This CVE ID is un ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41108 RESERVED CVE-2022-41107 (Microsoft Office Graphics Remote Code Execution Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41106 (Microsoft Excel Remote Code Execution Vulnerability. This CVE ID is un ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41105 (Microsoft Excel Information Disclosure Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41104 (Microsoft Excel Security Feature Bypass Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41103 (Microsoft Word Information Disclosure Vulnerability. This CVE ID is un ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41102 (Windows Overlay Filter Elevation of Privilege Vulnerability. This CVE ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41101 (Windows Overlay Filter Elevation of Privilege Vulnerability. This CVE ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41100 (Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vu ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41099 (BitLocker Security Feature Bypass Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41098 (Windows GDI+ Information Disclosure Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41097 (Network Policy Server (NPS) RADIUS Protocol Information Disclosure Vul ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41096 (Microsoft DWM Core Library Elevation of Privilege Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41095 (Windows Digital Media Receiver Elevation of Privilege Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2022-41094 RESERVED CVE-2022-41093 (Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vu ...) 
- TODO: check + NOT-FOR-US: Microsoft CVE-2022-41092 (Windows Win32k Elevation of Privilege Vulnerability. This CVE ID is un ...) - TODO: check +
[Git][security-tracker-team/security-tracker][master] chromium fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 50dbe3e8 by Moritz Muehlenhoff at 2022-11-10T14:27:48+01:00 chromium fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -242,22 +242,22 @@ CVE-2022-3891 CVE-2022-45045 RESERVED CVE-2022-3890 (Heap buffer overflow in Crashpad in Google Chrome on Android prior to ...) - - chromium + - chromium 107.0.5304.110-1 [buster] - chromium (see DSA 5046) CVE-2022-3889 (Type confusion in V8 in Google Chrome prior to 107.0.5304.106 allowed ...) - - chromium + - chromium 107.0.5304.110-1 [buster] - chromium (see DSA 5046) CVE-2022-3888 (Use after free in WebCodecs in Google Chrome prior to 107.0.5304.106 a ...) - - chromium + - chromium 107.0.5304.110-1 [buster] - chromium (see DSA 5046) CVE-2022-3887 (Use after free in Web Workers in Google Chrome prior to 107.0.5304.106 ...) - - chromium + - chromium 107.0.5304.110-1 [buster] - chromium (see DSA 5046) CVE-2022-3886 (Use after free in Speech Recognition in Google Chrome prior to 107.0.5 ...) - - chromium + - chromium 107.0.5304.110-1 [buster] - chromium (see DSA 5046) CVE-2022-3885 (Use after free in V8 in Google Chrome prior to 107.0.5304.106 allowed ...) - - chromium + - chromium 107.0.5304.110-1 [buster] - chromium (see DSA 5046) CVE-2022-3884 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50dbe3e8f298122c18982b1850a1e3c627b346a4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50dbe3e8f298122c18982b1850a1e3c627b346a4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2019-13113: Mark buster unaffected
Dominik George pushed to branch master at Debian Security Tracker / security-tracker Commits: fc233276 by Dominik George at 2022-11-10T14:18:53+01:00 CVE-2019-13113: Mark buster unaffected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -241629,6 +241629,7 @@ CVE-2019-13114 (http.c in Exiv2 through 0.27.1 allows a malicious http server to NOTE: https://github.com/Exiv2/exiv2/issues/793 CVE-2019-13113 (Exiv2 through 0.27.1 allows an attacker to cause a denial of service ( ...) - exiv2 0.27.2-6 (unimportant) +[buster] - exiv2 (Vulnerable code introduced later) NOTE: https://github.com/Exiv2/exiv2/commit/6212806b7637be683a56c769a8d905153996d933 NOTE: https://github.com/Exiv2/exiv2/commit/ccde30afa8ca787a3fe17388a15977f107a53b72 NOTE: https://github.com/Exiv2/exiv2/issues/841 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc233276bbbc184207ef895c69b671e95a7c613b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc233276bbbc184207ef895c69b671e95a7c613b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
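Review bot: the added `[buster] - exiv2 (Vulnerable code introduced later)` line lacks the leading whitespace that the neighbouring `- exiv2 0.27.2-6 (unimportant)` and NOTE lines carry; suite annotations in data/CVE/list are indented like the package line, and the follow-up commit cc35d972 had to re-indent this one.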
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3185-1 for xorg-server
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 01f6c795 by Emilio Pozuelo Monfort at 2022-11-10T13:38:25+01:00 Reserve DLA-3185-1 for xorg-server - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[10 Nov 2022] DLA-3185-1 xorg-server - security update + {CVE-2022-3550 CVE-2022-3551} + [buster] - xorg-server 2:1.20.4-1+deb10u6 [10 Nov 2022] DLA-3184-1 libjettison-java - security update {CVE-2022-40149} [buster] - libjettison-java 1.4.0-1+deb10u1 = data/dla-needed.txt = @@ -306,11 +306,6 @@ vim (Helmut) virglrenderer (Thorsten Alteholz) NOTE: 20221009: Programming language: C. -- -xorg-server (Emilio) - NOTE: 20221106: Programming language: C. - NOTE: 20221106: VCS: https://salsa.debian.org/lts-team/packages/xorg-server.git - NOTE: 20221107: evaluating severity, will upload today/tomorrow (pochu) --- zabbix NOTE: 20220911: At least CVE-2022-23134 was fixed in stretch so it should be fixed in buster too. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01f6c7951ebeb264fec606644e763ee6bb31bcd8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01f6c7951ebeb264fec606644e763ee6bb31bcd8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Mark CVE-2022-37601/node-loader-utils as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e2378e1 by Salvatore Bonaccorso at 2022-11-10T12:34:31+01:00 Mark CVE-2022-37601/node-loader-utils as no-dsa - - - - - b49f0984 by Salvatore Bonaccorso at 2022-11-10T12:34:50+01:00 Track proposed node-loader-utils update via bullseye-pu - - - - - 2 changed files: - data/CVE/list - data/next-point-update.txt Changes: = data/CVE/list = @@ -22166,6 +22166,7 @@ CVE-2022-37602 (Prototype pollution vulnerability in karma-runner grunt-karma 4. NOT-FOR-US: karma-runner grunt-karma CVE-2022-37601 (Prototype pollution vulnerability in function parseQuery in parseQuery ...) - node-loader-utils 2.0.3-1 + [bullseye] - node-loader-utils (Minor issue; will be fixed via point release) NOTE: https://github.com/webpack/loader-utils/issues/212 NOTE: https://github.com/webpack/loader-utils/commit/a93cf6f4702012030f6b5ee8340d5c95ec1c7d4c (v2.0.3) CVE-2022-37600 = data/next-point-update.txt = @@ -54,3 +54,5 @@ CVE-2022-2996 [bullseye] - python-scciclient 0.8.0-2+deb11u1 CVE-2021-40241 [bullseye] - xfig 1:3.2.8-3+deb11u1 +CVE-2022-37601 + [bullseye] - node-loader-utils 2.0.0-1+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1e284f7425b9ac6ec8e88447c2ad33042866931a...b49f09840c1104ea34fbe48dde73f0b6875f6e4a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1e284f7425b9ac6ec8e88447c2ad33042866931a...b49f09840c1104ea34fbe48dde73f0b6875f6e4a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
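Review bot: the bullseye annotation says CVE-2022-37601 "will be fixed via point release" and next-point-update.txt records 2.0.0-1+deb11u1, but the two other loader-utils issues tracked in the preceding commit (CVE-2022-37603 and CVE-2022-37599) still have unversioned `- node-loader-utils` lines and no bullseye annotation; state whether the proposed update covers them too or mark them separately.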
[Git][security-tracker-team/security-tracker][master] 2 commits: Adjust tracking for CVE-2022-37601: Associate with node-loader-utils
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 32b1ce60 by Salvatore Bonaccorso at 2022-11-10T12:32:11+01:00 Adjust tracking for CVE-2022-37601: Associate with node-loader-utils - - - - - 1e284f74 by Salvatore Bonaccorso at 2022-11-10T12:32:12+01:00 Track two more CVEs for node-loader-utils - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -22160,15 +22160,19 @@ CVE-2022-37605 CVE-2022-37604 RESERVED CVE-2022-37603 (A Regular expression denial of service (ReDoS) flaw was found in Funct ...) - NOT-FOR-US: loader-utils + - node-loader-utils + NOTE: https://github.com/webpack/loader-utils/issues/213 CVE-2022-37602 (Prototype pollution vulnerability in karma-runner grunt-karma 4.0.1 vi ...) NOT-FOR-US: karma-runner grunt-karma CVE-2022-37601 (Prototype pollution vulnerability in function parseQuery in parseQuery ...) - NOT-FOR-US: loader-utils + - node-loader-utils 2.0.3-1 + NOTE: https://github.com/webpack/loader-utils/issues/212 + NOTE: https://github.com/webpack/loader-utils/commit/a93cf6f4702012030f6b5ee8340d5c95ec1c7d4c (v2.0.3) CVE-2022-37600 RESERVED CVE-2022-37599 (A Regular expression denial of service (ReDoS) flaw was found in Funct ...) - NOT-FOR-US: loader-utils + - node-loader-utils + NOTE: https://github.com/webpack/loader-utils/issues/211 CVE-2022-37598 (Prototype pollution vulnerability in function DEFNODE in ast.js in mis ...) - uglify-js (unimportant) - uglifyjs (unimportant) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/023a0626fb934a8b7a2093939b6bd07503469167...1e284f7425b9ac6ec8e88447c2ad33042866931a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/023a0626fb934a8b7a2093939b6bd07503469167...1e284f7425b9ac6ec8e88447c2ad33042866931a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
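Review bot: CVE-2022-37603 and CVE-2022-37599 are given bare `- node-loader-utils` lines, i.e. unfixed in every suite, while CVE-2022-37601 gets 2.0.3-1 with its fix commit; the referenced issues #213 and #211 should be checked for a corresponding fix commit so a fixed version (or an explicit NOTE that upstream has not fixed them) can be recorded for the two ReDoS entries as well.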
[Git][security-tracker-team/security-tracker][master] claim vim dla
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 023a0626 by Helmut Grohne at 2022-11-10T12:30:50+01:00 claim vim dla - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -299,7 +299,7 @@ varnish NOTE: 20221109: Programming language: C. NOTE: 20221109: First DLA, 3 minor CVEs to fix (Beuc/front-desk) -- -vim +vim (Helmut) NOTE: 20221108: Programming language: C. NOTE: 20221108: VCS: https://salsa.debian.org/lts-team/packages/vim.git -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/023a0626fb934a8b7a2093939b6bd07503469167 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/023a0626fb934a8b7a2093939b6bd07503469167 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] delete more conflicting glibc elts annotations
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 67cfa5eb by Helmut Grohne at 2022-11-10T12:23:26+01:00 delete more conflicting glibc elts annotations - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -206128,7 +206128,6 @@ CVE-2020-6097 (An exploitable denial of service vulnerability exists in the atft CVE-2020-6096 (An exploitable signed comparison vulnerability exists in the ARMv7 mem ...) {DLA-3152-1} - glibc 2.31-2 (low; bug #961452) - [stretch] - glibc (Minor issue) [jessie] - glibc (Vulnerable code not present) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25620 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1019 @@ -260712,8 +260711,6 @@ CVE-2019-6501 (In QEMU 3.1, scsi_handle_inquiry_reply in hw/scsi/scsi-generic.c NOTE: vulnerability not present prior 2.12.50 CVE-2016-10739 (In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinf ...) - glibc 2.28-6 (bug #920047) - [stretch] - glibc (Minor issue) - [jessie] - glibc (Minor issue) - eglibc NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1347549 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=20018 @@ -367666,7 +367663,6 @@ CVE-2017-6077 (ping.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0. CVE-2016-10228 (The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and e ...) {DLA-3152-1} - glibc 2.31-3 (low; bug #856503) - [jessie] - glibc (Minor issue) - eglibc [wheezy] - eglibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=19519 @@ -411831,7 +411827,6 @@ CVE-2014-9762 (imlib2 before 1.4.7 allows remote attackers to cause a denial of CVE-2014-9761 (Multiple stack-based buffer overflows in the GNU C Library (aka glibc ...) {DLA-411-1} - glibc 2.23-1 (bug #813187) - [jessie] - glibc (Minor issue) - eglibc [wheezy] - eglibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=16962 
@@ -425222,7 +425217,6 @@ CVE-2015-5181 (The JBoss console in A-MQ allows remote attackers to execute arbi NOT-FOR-US: A-MQ's Hawtio console CVE-2015-5180 (res_query in libresolv in glibc before 2.25 allows remote attackers to ...) - glibc 2.24-9 (low; bug #796106) - [jessie] - glibc (Minor issue, too intrusive to backport) - eglibc (low) [wheezy] - eglibc (Minor issue) [squeeze] - eglibc (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/67cfa5eb394182d2d26fc3a9edcbaf1e1091e1be -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/67cfa5eb394182d2d26fc3a9edcbaf1e1091e1be You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
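Review bot: the removed `[jessie] - glibc (Minor issue, too intrusive to backport)` line under CVE-2015-5180 carries rationale that disappears with it, and the commit message does not say what the annotations conflict with; if ELTS tracking now owns these suite states, say so in the message, and keep the "too intrusive to backport" reasoning as a NOTE on the entry so it is not lost.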
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3184-1 for libjettison-java
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 6317c91d by Markus Koschany at 2022-11-10T12:01:24+01:00 Reserve DLA-3184-1 for libjettison-java - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[10 Nov 2022] DLA-3184-1 libjettison-java - security update + {CVE-2022-40149} + [buster] - libjettison-java 1.4.0-1+deb10u1 [09 Nov 2022] DLA-3183-1 webkit2gtk - security update {CVE-2022-42799 CVE-2022-42823 CVE-2022-42824} [buster] - webkit2gtk 2.38.2-1~deb10u1 = data/dla-needed.txt = @@ -136,9 +136,6 @@ libde265 NOTE: 20221107: Most vulnerabilities unfixed upstream, but a handful are fixed, and v1.0.9 (2022-10) is a security release (Beuc/front-desk) NOTE: 20221107: No prior DSA/DLA/ELA afaics (Beuc/front-desk) -- -libjettison-java (Markus Koschany) - NOTE: 20221030: Programming language: Java. --- libreoffice NOTE: 20221012: Programming language: C++. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6317c91da22b01769f3bf0ad23e47c87fbb1012e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6317c91da22b01769f3bf0ad23e47c87fbb1012e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ac776cb5 by Salvatore Bonaccorso at 2022-11-10T10:55:49+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2484,7 +2484,7 @@ CVE-2022-44592 CVE-2022-44591 RESERVED CVE-2022-44590 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-44589 RESERVED CVE-2022-44588 
@@ -2596,41 +2596,41 @@ CVE-2022-3786 (A buffer overrun can be triggered in X.509 certificate verificati NOTE: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/ NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=c42165b5706e42f67ef8ef4c351a9a4c5d21639a (openssl-3.0.7) CVE-2022-44563 (There is a race condition vulnerability in SD upgrade mode. Successful ...) - TODO: check + NOT-FOR-US: Hauwei CVE-2022-44562 (The system framework layer has a vulnerability of serialization/deseri ...) - TODO: check + NOT-FOR-US: Hauwei CVE-2022-44561 (The preset launcher module has a permission verification vulnerability ...) - TODO: check + NOT-FOR-US: Hauwei CVE-2022-44560 (The launcher module has an Intent redirection vulnerability. Successfu ...) - TODO: check + NOT-FOR-US: Hauwei CVE-2022-44559 (The AMS module has a vulnerability of serialization/deserialization mi ...) - TODO: check + NOT-FOR-US: Hauwei CVE-2022-44558 (The AMS module has a vulnerability of serialization/deserialization mi ...) - TODO: check + NOT-FOR-US: Hauwei CVE-2022-44557 (The SmartTrimProcessEvent module has a vulnerability of obtaining the ...) - TODO: check + NOT-FOR-US: Hauwei CVE-2022-44556 (Missing parameter type validation in the DRM module. Successful exploi ...) NOT-FOR-US: Huawei CVE-2022-44555 (The DDMP/ODMF module has a service hijacking vulnerability. Successful ...) - TODO: check + NOT-FOR-US: Hauwei CVE-2022-44554 (The power module has a vulnerability in permission verification. Succe ...) - TODO: check + NOT-FOR-US: Hauwei CVE-2022-44553 (The HiView module has a vulnerability of not filtering third-party app ...) - TODO: check + NOT-FOR-US: Hauwei CVE-2022-44552 (The lock screen module has defects introduced in the design process. S ...) - TODO: check + NOT-FOR-US: Hauwei CVE-2022-44551 (The iaware module has a vulnerability in thread security. Successful e ...) 
- TODO: check + NOT-FOR-US: Hauwei CVE-2022-44550 (The graphics display module has a UAF vulnerability when traversing gr ...) - TODO: check + NOT-FOR-US: Hauwei CVE-2022-44549 (The LBS module has a vulnerability in geofencing API access. Successfu ...) - TODO: check + NOT-FOR-US: Hauwei CVE-2022-44548 (There is a vulnerability in permission verification during the Bluetoo ...) - TODO: check + NOT-FOR-US: Hauwei CVE-2022-44547 (The Display Service module has a UAF vulnerability. Successful exploit ...) - TODO: check + NOT-FOR-US: Hauwei CVE-2022-44546 (The kernel module has the vulnerability that the mapping is not cleare ...) - TODO: check + NOT-FOR-US: Hauwei CVE-2022-44545 RESERVED CVE-2022-44544 (Mahara 21.04 before 21.04.7, 21.10 before 21.10.5, 22.04 before 22.04. ...) @@ -2670,9 +2670,9 @@ CVE-2022-3782 CVE-2022-3781 (Dashlane password and Keepass Server password in My Account Settings a ...) NOT-FOR-US: Devolutions Remote Desktop Manager CVE-2021-46852 (The memory management module has the logic bypass vulnerability. Succe ...) - TODO: check + NOT-FOR-US: Hauwei CVE-2021-46851 (The DRM module has a vulnerability in verifying the secure memory attr ...) - TODO: check + NOT-FOR-US: Hauwei CVE-2022-44531 RESERVED CVE-2022-44530 @@ -3299,7 +3299,7 @@ CVE-2022-44246 CVE-2022-44245 RESERVED CVE-2022-44244 (An authentication bypass in Lin-CMS v0.2.1 allows attackers to escalat ...) - TODO: check + NOT-FOR-US: Lin-CMS CVE-2022-44243 RESERVED CVE-2022-44242 @@ -7992,7 +7992,7 @@ CVE-2022-43060 CVE-2022-43059 RESERVED CVE-2022-43058 (Online Diagnostic Lab Management System v1.0 was discovered to contain ...) - TODO: check + NOT-FOR-US: Online Diagnostic Lab Management System CVE-2022-43057 RESERVED CVE-2022-43056 
@@ -8070,7 +8070,7 @@ CVE-2022-43033 (An issue was discovered in Bento4 1.6.0-639. There is a bad free CVE-2022-43032 (An issue was discovered in Bento4 v1.6.0-639. There is a memory leak i ...) NOT-FOR-US: Bento4 CVE-2022-43031 (DedeCMS v6.1.9 was discovered to contain a Cross-Site Request Forgery ...) - TODO: check + NOT-FOR-US: De
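Review bot: the vendor name is misspelled in every line added by the @@ -2596 hunk (`+ NOT-FOR-US: Hauwei`), while the unchanged CVE-2022-44556 entry in the same hunk already reads `NOT-FOR-US: Huawei`; all seventeen new lines should use `NOT-FOR-US: Huawei` so the tag matches the existing entry and any search or report keyed on the vendor name picks them up together.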
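Review bot: the same misspelling is repeated in the @@ -2670 hunk for CVE-2021-46852 and CVE-2021-46851 (`+ NOT-FOR-US: Hauwei`); both lines should read `NOT-FOR-US: Huawei`, consistent with the CVE-2022-44556 entry earlier in this commit.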
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a52469d6 by Salvatore Bonaccorso at 2022-11-10T10:12:52+01:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7455,7 +7455,7 @@ CVE-2022-43312 CVE-2022-43311 RESERVED CVE-2022-43310 (An Uncontrolled Search Path Element in Foxit Software released Foxit R ...) - TODO: check + NOT-FOR-US: Foxit Reader CVE-2022-43309 RESERVED CVE-2022-43308 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a52469d6ff7af60dddb46961cec2613b5d239fad -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a52469d6ff7af60dddb46961cec2613b5d239fad You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-3930{6,7}/grafana
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 45d3ccce by Salvatore Bonaccorso at 2022-11-10T10:08:11+01:00 Add CVE-2022-3930{6,7}/grafana - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17262,9 +17262,9 @@ CVE-2022-39309 (GoCD is a continuous delivery server. GoCD helps you automate an CVE-2022-39308 (GoCD is a continuous delivery server. GoCD helps you automate and stre ...) NOT-FOR-US: GoCD CVE-2022-39307 (Grafana is an open-source platform for monitoring and observability. W ...) - TODO: check + - grafana CVE-2022-39306 (Grafana is an open-source platform for monitoring and observability. V ...) - TODO: check + - grafana CVE-2022-39305 (Gin-vue-admin is a backstage management system based on vue and gin, w ...) NOT-FOR-US: Gin-vue-admin CVE-2022-39304 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45d3ccce384ce134aa8a82a833629a77f0107e35 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45d3ccce384ce134aa8a82a833629a77f0107e35 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
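Review bot: in the @@ -17262 hunk the two grafana entries (CVE-2022-39307, CVE-2022-39306) receive only `+ - grafana` and no `NOTE:` line pointing at the upstream advisory or fixing commit, unlike the linux entries elsewhere in this digest (for example CVE-2022-3523, which records its git.kernel.org fix); adding the upstream reference would let the fixed version be filled in later without re-triaging the descriptions.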
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-3903/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eaf011be by Salvatore Bonaccorso at 2022-11-10T09:49:13+01:00 Add CVE-2022-3903/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -186,8 +186,9 @@ CVE-2022-3905 RESERVED CVE-2022-3904 RESERVED -CVE-2022-3903 +CVE-2022-3903 [An invalid pipe direction in the mceusb driver cause the kernel to DOS] RESERVED + - linux CVE-2022-3902 RESERVED CVE-2022-3901 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eaf011be9d67fd10cf64b1520c646f84cea66fed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eaf011be9d67fd10cf64b1520c646f84cea66fed You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
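Review bot: the bracketed summary added in the @@ -186 hunk has a grammar slip (`cause the kernel to DOS` should read `causes`), and the entry gets `+ - linux` with no `NOTE:` reference to the upstream report or fix, unlike the CVE-2022-3523 entry later in this digest; recording the fix commit would make it possible to track which kernel version closes the issue.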
[Git][security-tracker-team/security-tracker][master] Sync status for two linux issues with kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9075c927 by Salvatore Bonaccorso at 2022-11-10T09:48:18+01:00 Sync status for two linux issues with kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8328,6 +8328,8 @@ CVE-2022-3523 (A vulnerability was found in Linux Kernel. It has been classified NOTE: https://git.kernel.org/linus/16ce101db85db694a91380aa4c89b25530871d33 CVE-2022-3522 (A vulnerability was found in Linux Kernel and classified as problemati ...) - linux + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/f9bf6c03eca1077cae8de0e6d86427656fa42a9b CVE-2022-3521 (A vulnerability has been found in Linux Kernel and classified as probl ...) - linux @@ -32781,6 +32783,7 @@ CVE-2022-33744 (Arm guests can cause Dom0 DoS via PV devices When mapping pages CVE-2022-33743 (network backend may cause Linux netfront to use freed SKBs While addin ...) {DSA-5191-1} - linux 5.18.14-1 + [buster] - linux (Vulnerable code not present) NOTE: https://xenbits.xen.org/xsa/advisory-405.html CVE-2022-33742 (Linux disk/nic frontends data leaks T[his CNA information record relat ...) {DSA-5191-1 DLA-3131-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9075c9273d453c26d49cde3bb1aa79b5e3a0d131 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9075c9273d453c26d49cde3bb1aa79b5e3a0d131 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
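Review bot: in the @@ -8328 hunk the CVE-2022-3522 entry keeps `- linux` without a fixed version even though its `NOTE:` already cites the upstream fix commit; if that commit is in the packaged kernel the unstable version should be recorded, otherwise the entry reads as unfixed everywhere except the two stable suites now marked `(Vulnerable code not present)`.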
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f00a0f47 by security tracker role at 2022-11-10T08:10:12+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,39 @@ +CVE-2022-45134 + RESERVED +CVE-2022-45133 + RESERVED +CVE-2022-45132 + RESERVED +CVE-2022-45131 + RESERVED +CVE-2022-45130 (Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/command ...) + TODO: check +CVE-2022-45129 (Payara before 2022-11-04, when deployed to the root context, allows at ...) + TODO: check +CVE-2022-45128 + RESERVED +CVE-2022-45117 + RESERVED +CVE-2022-45114 + RESERVED +CVE-2022-45109 + RESERVED +CVE-2022-44612 + RESERVED +CVE-2022-44611 + RESERVED +CVE-2022-43505 + RESERVED +CVE-2022-43477 + RESERVED +CVE-2022-41808 + RESERVED +CVE-2022-41659 + RESERVED +CVE-2022-3921 + RESERVED +CVE-2022-3920 + RESERVED CVE-2022-45108 RESERVED CVE-2022-45107 @@ -906,10 +942,10 @@ CVE-2022-44733 (Local privilege escalation due to insecure folder permissions. T NOT-FOR-US: Acronis CVE-2022-44732 (Local privilege escalation due to insecure folder permissions. The fol ...) NOT-FOR-US: Acronis -CVE-2022-3867 - RESERVED -CVE-2022-3866 - RESERVED +CVE-2022-3867 (HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 event stream su ...) + TODO: check +CVE-2022-3866 (HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1 workload identi ...) + TODO: check CVE-2022-3865 RESERVED CVE-2022-3864 
@@ -2298,11 +2334,9 @@ CVE-2022-3821 (An off-by-one Error issue was discovered in Systemd in format_tim NOTE: https://github.com/systemd/systemd-stable/commit/72d4c15a946d20143cd4c6783c802124bc894dc7 (v251.3) CVE-2022-3820 RESERVED -CVE-2022-3819 - RESERVED +CVE-2022-3819 (An improper authorization issue in GitLab CE/EE affecting all versions ...) - gitlab -CVE-2022-3818 - RESERVED +CVE-2022-3818 (An uncontrolled resource consumption issue when parsing URLs in GitLab ...) - gitlab CVE-2022-3817 (A vulnerability has been found in Axiomatic Bento4 and classified as p ...) NOT-FOR-US: Bento4 @@ -2448,8 +2482,8 @@ CVE-2022-44592 RESERVED CVE-2022-44591 RESERVED -CVE-2022-44590 - RESERVED +CVE-2022-44590 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) + TODO: check CVE-2022-44589 RESERVED CVE-2022-44588 @@ -2538,8 +2572,7 @@ CVE-2022-3795 RESERVED CVE-2022-3794 RESERVED -CVE-2022-3793 - RESERVED +CVE-2022-3793 (An improper authorization issue in GitLab CE/EE affecting all versions ...) - gitlab CVE-2022-3792 RESERVED 
@@ -2561,42 +2594,42 @@ CVE-2022-3786 (A buffer overrun can be triggered in X.509 certificate verificati NOTE: https://www.openssl.org/news/secadv/20221101.txt NOTE: https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/ NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=c42165b5706e42f67ef8ef4c351a9a4c5d21639a (openssl-3.0.7) -CVE-2022-44563 - RESERVED -CVE-2022-44562 - RESERVED -CVE-2022-44561 - RESERVED -CVE-2022-44560 - RESERVED -CVE-2022-44559 - RESERVED -CVE-2022-44558 - RESERVED -CVE-2022-44557 - RESERVED +CVE-2022-44563 (There is a race condition vulnerability in SD upgrade mode. Successful ...) + TODO: check +CVE-2022-44562 (The system framework layer has a vulnerability of serialization/deseri ...) + TODO: check +CVE-2022-44561 (The preset launcher module has a permission verification vulnerability ...) + TODO: check +CVE-2022-44560 (The launcher module has an Intent redirection vulnerability. Successfu ...) + TODO: check +CVE-2022-44559 (The AMS module has a vulnerability of serialization/deserialization mi ...) + TODO: check +CVE-2022-44558 (The AMS module has a vulnerability of serialization/deserialization mi ...) + TODO: check +CVE-2022-44557 (The SmartTrimProcessEvent module has a vulnerability of obtaining the ...) + TODO: check CVE-2022-44556 (Missing parameter type validation in the DRM module. Successful exploi ...) NOT-FOR-US: Huawei -CVE-2022-44555 - RESERVED -CVE-2022-44554 - RESERVED -CVE-2022-44553 - RESERVED -CVE-2022-44552 - RESERVED -CVE-2022-44551 - RESERVED -CVE-2022-44550 - RESERVED -CVE-2022-44549 - RESERVED -CVE-2022-44548 - RESERVED -CVE-2022-44547 - RESERVED -CVE-2022-44546 - RESERVED +CVE-2022-44555 (The DDMP/ODMF module has a service hijacking vulnerability. Successful ...) + TODO: check +CVE-2022-44554 (The power module has a vulnerability in permission verific