[Git][security-tracker-team/security-tracker][master] Add CVE-2022-3857/libpng1.6
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 428fffd5 by Salvatore Bonaccorso at 2022-11-17T08:10:06+01:00 Add CVE-2022-3857/libpng1.6 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2266,8 +2266,11 @@ CVE-2022-3859 RESERVED CVE-2022-3858 RESERVED -CVE-2022-3857 +CVE-2022-3857 [Null pointer dereference leads to segmentation fault] RESERVED + - libpng1.6 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2142600 + TODO: very unspecific report on RHBZ#, wailt for more details CVE-2022-3856 RESERVED CVE-2023-21403 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/428fffd5b91fdb4d33d7aed731b887861bf5d28f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/428fffd5b91fdb4d33d7aed731b887861bf5d28f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
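Review bot: the new TODO line has a typo ("wailt" for "wait") and cites "RHBZ#" without the bug number, even though the NOTE line directly above gives it as 2142600; suggest `TODO: very unspecific report on RHBZ#2142600, wait for more details` so the TODO still makes sense once the NOTE is replaced by an upstream reference.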
[Git][security-tracker-team/security-tracker][master] Reserve DSA-5279-2 for wordpress
Sebastien Delafond pushed to branch master at Debian Security Tracker / security-tracker Commits: 6c2446c9 by Sébastien Delafond at 2022-11-17T08:03:43+01:00 Reserve DSA-5279-2 for wordpress - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,5 @@ +[17 Nov 2022] DSA-5279-2 wordpress - security update + [bullseye] - wordpress 5.7.8+dfsg1-0+deb11u2 [16 Nov 2022] DSA-5282-1 firefox-esr - security update {CVE-2022-45403 CVE-2022-45404 CVE-2022-45405 CVE-2022-45406 CVE-2022-45408 CVE-2022-45409 CVE-2022-45410 CVE-2022-45411 CVE-2022-45412 CVE-2022-45416 CVE-2022-45418 CVE-2022-45420 CVE-2022-45421} [bullseye] - firefox-esr 102.5.0esr-1~deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c2446c92d312129886462192507efb80074e8da -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c2446c92d312129886462192507efb80074e8da You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
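Review bot: the reserved DSA-5279-2 entry carries no CVE line between the header and the `[bullseye]` line, unlike the DSA-5282-1 entry that follows it; that is fine for a placeholder, but since the `-2` suffix suggests a follow-up to DSA-5279-1, stating the reason in the header text (for example that it is a regression update) when the advisory is released would keep the list self-explanatory.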
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2020-25657/m2crypto via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: db741351 by Salvatore Bonaccorso at 2022-11-17T07:21:43+01:00 Track fixed version for CVE-2020-25657/m2crypto via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -158645,7 +158645,7 @@ CVE-2020-25658 (It was found that python-rsa is vulnerable to Bleichenbacher tim NOTE: Presumed fix upstream in 4.7 does not address the issue: NOTE: https://github.com/sybrenstuvel/python-rsa/issues/165#issuecomment-727580521 CVE-2020-25657 (A flaw was found in all released versions of m2crypto, where they are ...) - - m2crypto (bug #975002) + - m2crypto 0.38.0-4 (bug #975002) [bullseye] - m2crypto (Minor issue) [buster] - m2crypto (Minor issue) [stretch] - m2crypto (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db741351261ba114426860cf9cf0f788ac022957 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db741351261ba114426860cf9cf0f788ac022957 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reference upstream commit for CVE-2020-25657/m2crypto
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8a285cc2 by Salvatore Bonaccorso at 2022-11-17T07:19:59+01:00 Reference upstream commit for CVE-2020-25657/m2crypto - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -158652,6 +158652,7 @@ CVE-2020-25657 (A flaw was found in all released versions of m2crypto, where the NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1889823 NOTE: https://gitlab.com/m2crypto/m2crypto/-/issues/285 NOTE: https://gitlab.com/m2crypto/m2crypto/-/issues/282 (restricted) + NOTE: https://gitlab.com/m2crypto/m2crypto/-/commit/84c53958def0f510e92119fca14d74f94215827a CVE-2020-25656 (A flaw was found in the Linux kernel. A use-after-free was found in th ...) {DLA-2494-1 DLA-2483-1} - linux 5.9.6-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a285cc27b00c17311b4a675aff5e3dfe08b63cb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a285cc27b00c17311b4a675aff5e3dfe08b63cb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2022-3704/rails
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 56643c86 by Salvatore Bonaccorso at 2022-11-16T22:47:40+01:00 Add Debian bug reference for CVE-2022-3704/rails - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7375,7 +7375,7 @@ CVE-2022-3705 (A vulnerability was found in vim and classified as problematic. A - vim 2:9.0.0813-1 NOTE: https://github.com/vim/vim/commit/d0fab10ed2a86698937e3c3fed2f10bd9bb5e731 (v9.0.0805) CVE-2022-3704 (A vulnerability classified as problematic has been found in Ruby on Ra ...) - - rails + - rails (bug #1024274) NOTE: https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4 NOTE: https://github.com/rails/rails/issues/46244 CVE-2022-3703 (All versions of ETIC Telecom Remote Access Server (RAS) 4.5.0 and prio ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56643c86c480ad2a09e544617462ba075eb2885f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56643c86c480ad2a09e544617462ba075eb2885f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2021-34055/jhead
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eac6d10b by Salvatore Bonaccorso at 2022-11-16T22:32:56+01:00 Add Debian bug reference for CVE-2021-34055/jhead - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -104988,7 +104988,7 @@ CVE-2021-34057 CVE-2021-34056 RESERVED CVE-2021-34055 (jhead 3.06 is vulnerable to Buffer Overflow via exif.c in function Put ...) - - jhead + - jhead (bug #1024272) NOTE: https://github.com/Matthias-Wandel/jhead/issues/36 NOTE: Fixed by: https://github.com/Matthias-Wandel/jhead/commit/f0a884210cc46830b176f71fd61569adc8f230a7 CVE-2021-34054 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eac6d10b03505753355a38fbb6d71d128fa4fda9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eac6d10b03505753355a38fbb6d71d128fa4fda9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2022-2764/undertow
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f5648410 by Salvatore Bonaccorso at 2022-11-16T22:31:56+01:00 Update status for CVE-2022-2764/undertow - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22169,7 +22169,13 @@ CVE-2022-2766 (A vulnerability was found in SourceCodester Loan Management Syste CVE-2022-2765 (A vulnerability was found in SourceCodester Company Website CMS 1.0. I ...) NOT-FOR-US: SourceCodester Company Website CMS CVE-2022-2764 (A flaw was found in Undertow. Denial of service can be achieved as Und ...) - - undertow + - undertow 2.2.21-1 + NOTE: https://issues.redhat.com/browse/UNDERTOW-2048 + NOTE: https://github.com/undertow-io/undertow/pull/1382 + NOTE: https://github.com/undertow-io/undertow/pull/1386 + NOTE: https://github.com/undertow-io/undertow/commit/09d4dc44da0eb7a0cfa5d943de32e06c7cb2f7d2 (2.2.21.Final) + NOTE: https://github.com/undertow-io/undertow/commit/05ab8777ed7cc3510acf4550102e5e38fc706fd1 (2.2.21.Final) + NOTE: https://github.com/undertow-io/undertow/commit/f60972d29949c6c7c557d591171e89c74013edd0 (2.2.21.Final) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2117506 CVE-2022-2763 (The WP Socializer WordPress plugin before 7.3 does not sanitise and es ...) NOT-FOR-US: WordPress plugin View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5648410fcdc47e905bb06e6e430322ef7f1d261 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5648410fcdc47e905bb06e6e430322ef7f1d261 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a5aa3676 by Salvatore Bonaccorso at 2022-11-16T21:29:03+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -67,15 +67,15 @@ CVE-2022-4017 CVE-2022-4016 RESERVED CVE-2022-4015 (A vulnerability, which was classified as critical, was found in Sports ...) - TODO: check + NOT-FOR-US: Sports Club Management System CVE-2022-4014 (A vulnerability, which was classified as problematic, has been found i ...) - TODO: check + NOT-FOR-US: FeehiCMS CVE-2022-4013 (A vulnerability classified as problematic was found in Hospital Manage ...) - TODO: check + NOT-FOR-US: Hospital Management Center CVE-2022-4012 (A vulnerability classified as critical has been found in Hospital Mana ...) - TODO: check + NOT-FOR-US: Hospital Management Center CVE-2022-4011 (A vulnerability was found in Simple History Plugin. It has been rated ...) - TODO: check + NOT-FOR-US: Simple History Plugin CVE-2022-43468 RESERVED CVE-2022-41783 @@ -934,7 +934,7 @@ CVE-2022-3982 CVE-2022-3981 RESERVED CVE-2022-3980 (An XML External Entity (XEE) vulnerability allows server-side request ...) - TODO: check + NOT-FOR-US: Sophos CVE-2022-37406 RESERVED CVE-2022-45199 (Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL. ...) @@ -4882,15 +4882,15 @@ CVE-2022-44075 CVE-2022-44074 RESERVED CVE-2022-44073 (Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via ...) - TODO: check + NOT-FOR-US: Zenario CMS CVE-2022-44072 RESERVED CVE-2022-44071 (Zenario CMS 9.3.57186 is is vulnerable to Cross Site Scripting (XSS) v ...) - TODO: check + NOT-FOR-US: Zenario CMS CVE-2022-44070 (Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via ...) - TODO: check + NOT-FOR-US: Zenario CMS CVE-2022-44069 (Zenario CMS 9.3.57186 is vulnerable to Cross Site Scripting (XSS) via ...) - TODO: check + NOT-FOR-US: Zenario CMS CVE-2022-44068 RESERVED CVE-2022-44067 
@@ -8805,11 +8805,11 @@ CVE-2022-43266 CVE-2022-43265 (An arbitrary file upload vulnerability in the component /pages/save_us ...) NOT-FOR-US: Canteen Management System CVE-2022-43264 (Arobas Music Guitar Pro for iPad and iPhone before v1.10.2 allows atta ...) - TODO: check + NOT-FOR-US: Arobas Music Guitar Pro for iPad and iPhone CVE-2022-43263 (A cross-site scripting (XSS) vulnerability in Arobas Music Guitar Pro ...) - TODO: check + NOT-FOR-US: Arobas Music Guitar Pro for iPad and iPhone CVE-2022-43262 (Human Resource Management System v1.0 was discovered to contain a SQL ...) - TODO: check + NOT-FOR-US: Human Resource Management System CVE-2022-43261 RESERVED CVE-2022-43260 (Tenda AC18 V15.03.05.19(6318) was discovered to contain a stack overfl ...) @@ -8821,7 +8821,7 @@ CVE-2022-43258 CVE-2022-43257 RESERVED CVE-2022-43256 (SeaCms before v12.6 was discovered to contain a SQL injection vulnerab ...) - TODO: check + NOT-FOR-US: SeaCms CVE-2022-43255 (GPAC v2.1-DEV-rev368-gfd054169b-master was discovered to contain a mem ...) - gpac (unimportant) NOTE: https://github.com/gpac/gpac/issues/2285 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5aa3676282f3e7f3af2b173b1e4d078de2637a9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5aa3676282f3e7f3af2b173b1e4d078de2637a9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-4018/rdiffweb
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 50a6da91 by Salvatore Bonaccorso at 2022-11-16T21:28:20+01:00 Add CVE-2022-4018/rdiffweb - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -61,7 +61,7 @@ CVE-2022-4020 CVE-2022-4019 RESERVED CVE-2022-4018 (Missing Authentication for Critical Function in GitHub repository ikus ...) - TODO: check + - rdiffweb (bug #969974) CVE-2022-4017 RESERVED CVE-2022-4016 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50a6da9167c02b1b1adebc10f9cf491b50bd7bd5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50a6da9167c02b1b1adebc10f9cf491b50bd7bd5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
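Review bot: `- rdiffweb (bug #969974)` records neither a fixed version nor a status marker, and the bug number is far older than a 2022 CVE, which hints at an ITP/RFP rather than an archive bug; if the package is not in the archive, the `<itp>` pseudo-version (or a NOTE saying so) would make clear why no fixed version is tracked instead of leaving the line looking like an unfixed package.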
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4adc7b52 by Salvatore Bonaccorso at 2022-11-16T21:18:18+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -53,9 +53,9 @@ CVE-2022-4024 CVE-2022-4023 RESERVED CVE-2022-4022 (The SVG Support plugin for WordPress defaults to insecure settings in ...) - TODO: check + NOT-FOR-US: SVG Support plugin for WordPress CVE-2022-4021 (The Permalink Manager Lite plugin for WordPress is vulnerable to Cross ...) - TODO: check + NOT-FOR-US: Permalink Manager Lite plugin for WordPress CVE-2022-4020 RESERVED CVE-2022-4019 @@ -32335,7 +32335,7 @@ CVE-2022-34356 (IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged CVE-2022-34355 RESERVED CVE-2022-34354 (IBM Sterling Partner Engagement Manager 2.0 allows encrypted storage o ...) - TODO: check + NOT-FOR-US: IBM CVE-2022-34353 RESERVED CVE-2022-34352 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4adc7b526575833740413fc431d2c207f440fcd2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4adc7b526575833740413fc431d2c207f440fcd2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 91f5ab52 by security tracker role at 2022-11-16T20:10:16+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,81 @@ +CVE-2022-45459 + RESERVED +CVE-2022-45458 + RESERVED +CVE-2022-45457 + RESERVED +CVE-2022-45456 + RESERVED +CVE-2022-45455 + RESERVED +CVE-2022-45454 + RESERVED +CVE-2022-45453 + RESERVED +CVE-2022-45452 + RESERVED +CVE-2022-45451 + RESERVED +CVE-2022-45450 + RESERVED +CVE-2022-45449 + RESERVED +CVE-2022-45448 + RESERVED +CVE-2022-45447 + RESERVED +CVE-2022-4036 + RESERVED +CVE-2022-4035 + RESERVED +CVE-2022-4034 + RESERVED +CVE-2022-4033 + RESERVED +CVE-2022-4032 + RESERVED +CVE-2022-4031 + RESERVED +CVE-2022-4030 + RESERVED +CVE-2022-4029 + RESERVED +CVE-2022-4028 + RESERVED +CVE-2022-4027 + RESERVED +CVE-2022-4026 + RESERVED +CVE-2022-4025 + RESERVED +CVE-2022-4024 + RESERVED +CVE-2022-4023 + RESERVED +CVE-2022-4022 (The SVG Support plugin for WordPress defaults to insecure settings in ...) + TODO: check +CVE-2022-4021 (The Permalink Manager Lite plugin for WordPress is vulnerable to Cross ...) + TODO: check +CVE-2022-4020 + RESERVED +CVE-2022-4019 + RESERVED +CVE-2022-4018 (Missing Authentication for Critical Function in GitHub repository ikus ...) + TODO: check +CVE-2022-4017 + RESERVED +CVE-2022-4016 + RESERVED +CVE-2022-4015 (A vulnerability, which was classified as critical, was found in Sports ...) + TODO: check +CVE-2022-4014 (A vulnerability, which was classified as problematic, has been found i ...) + TODO: check +CVE-2022-4013 (A vulnerability classified as problematic was found in Hospital Manage ...) + TODO: check +CVE-2022-4012 (A vulnerability classified as critical has been found in Hospital Mana ...) + TODO: check +CVE-2022-4011 (A vulnerability was found in Simple History Plugin. It has been rated ...) + TODO: check CVE-2022-43468 RESERVED CVE-2022-41783 
@@ -290,6 +368,7 @@ CVE-2023-21419 RESERVED CVE-2022-45421 RESERVED + {DSA-5282-1} - firefox 107.0-1 - firefox-esr 102.5.0esr-1 - thunderbird 1:102.5.0-1 @@ -298,6 +377,7 @@ CVE-2022-45421 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/#CVE-2022-45421 CVE-2022-45420 RESERVED + {DSA-5282-1} - firefox 107.0-1 - firefox-esr 102.5.0esr-1 - thunderbird 1:102.5.0-1 @@ -310,6 +390,7 @@ CVE-2022-45419 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/#CVE-2022-45419 CVE-2022-45418 RESERVED + {DSA-5282-1} - firefox 107.0-1 - firefox-esr 102.5.0esr-1 - thunderbird 1:102.5.0-1 @@ -322,6 +403,7 @@ CVE-2022-45417 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/#CVE-2022-45417 CVE-2022-45416 RESERVED + {DSA-5282-1} - firefox 107.0-1 - firefox-esr 102.5.0esr-1 - thunderbird 1:102.5.0-1 @@ -340,6 +422,7 @@ CVE-2022-45413 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/#CVE-2022-45413 CVE-2022-45412 RESERVED + {DSA-5282-1} - firefox 107.0-1 - firefox-esr 102.5.0esr-1 - thunderbird 1:102.5.0-1 @@ -348,6 +431,7 @@ CVE-2022-45412 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/#CVE-2022-45412 CVE-2022-45411 RESERVED + {DSA-5282-1} - firefox 107.0-1 - firefox-esr 102.5.0esr-1 - thunderbird 1:102.5.0-1 @@ -356,6 +440,7 @@ CVE-2022-45411 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/#CVE-2022-45411 CVE-2022-45410 RESERVED + {DSA-5282-1} - firefox 107.0-1 - firefox-esr 102.5.0esr-1 - thunderbird 1:102.5.0-1 @@ -364,6 +449,7 @@ CVE-2022-45410 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/#CVE-2022-45410 CVE-2022-45409 RESERVED + {DSA-5282-1} - firefox 107.0-1 - firefox-esr 102.5.0esr-1 - thunderbird 1:102.5.0-1 @@ -372,6 +458,7 @@ CVE-2022-45409 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/#CVE-2022-45409 CVE-2022-45408 RESERVED + {DSA-5282-1} - firefox 107.0-1 - firefox-esr 102.5.0esr-1 - thunderbird 1:102.5.0-1 
@@ -384,6 +471,7 @@ CVE-2022-45407 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/#CVE-2022-45407 CVE-2022-45406 RESERVED + {DSA-5282-1} - firefox 107.0-1 - firefox-esr 102.5.0esr-1 - thunderbird 1:102.5.0
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2022-42898/krb5
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4e33fee5 by Salvatore Bonaccorso at 2022-11-16T20:31:28+01:00 Add Debian bug reference for CVE-2022-42898/krb5 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9817,7 +9817,7 @@ CVE-2022-42899 (Bentley MicroStation and MicroStation-based applications may be CVE-2022-42898 [krb5_pac_parse() buffer parsing vulnerability] RESERVED - heimdal (bug #1024187) - - krb5 + - krb5 (bug #1024267) - samba 2:4.17.3+dfsg-1 NOTE: https://www.samba.org/samba/security/CVE-2022-42898.html NOTE: https://bugzilla.samba.org/show_bug.cgi?id=15203 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e33fee522e0cc1c899fd9628c147cc184195cb2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e33fee522e0cc1c899fd9628c147cc184195cb2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] firefox-esr DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6cf6d54f by Moritz Mühlenhoff at 2022-11-16T19:50:40+01:00 firefox-esr DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[16 Nov 2022] DSA-5282-1 firefox-esr - security update + {CVE-2022-45403 CVE-2022-45404 CVE-2022-45405 CVE-2022-45406 CVE-2022-45408 CVE-2022-45409 CVE-2022-45410 CVE-2022-45411 CVE-2022-45412 CVE-2022-45416 CVE-2022-45418 CVE-2022-45420 CVE-2022-45421} + [bullseye] - firefox-esr 102.5.0esr-1~deb11u1 [15 Nov 2022] DSA-5281-1 nginx - security update {CVE-2022-41741 CVE-2022-41742} [bullseye] - nginx 1.18.0-6.1+deb11u3 = data/dsa-needed.txt = @@ -16,8 +16,6 @@ asterisk (apo) -- commons-configuration2 -- -firefox-esr (jmm) --- frr -- gerbv View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6cf6d54ffbbc573f343aca788aae5465754a1d2c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6cf6d54ffbbc573f343aca788aae5465754a1d2c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2022-42898/heimdal: Reference pull request for regression which contains better details
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 27abb735 by Salvatore Bonaccorso at 2022-11-16T16:34:54+01:00 CVE-2022-42898/heimdal: Reference pull request for regression which contains better details - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9825,7 +9825,7 @@ CVE-2022-42898 [krb5_pac_parse() buffer parsing vulnerability] NOTE: MIT-krb5: https://github.com/krb5/krb5/commit/b99de751dd35360c0fccac74a40f4a60dbf1ceea (krb5-1.20.1-final) NOTE: MIT-krb5: https://github.com/krb5/krb5/commit/4e661f0085ec5f969c76c0896a34322c6c432de4 (krb5-1.19.4-final) NOTE: Heimdal: https://github.com/heimdal/heimdal/commit/0c56257bdac80da015878fffdb0f8a42b8d73246 (heimdal-7.7.1) - NOTE: Heimdal regression: https://github.com/heimdal/heimdal/pull/1024 + NOTE: Heimdal regression: https://github.com/heimdal/heimdal/pull/1025 CVE-2022-42897 (Array Networks AG/vxAG with ArrayOS AG before 9.4.0.469 allows unauthe ...) NOT-FOR-US: Array Networks CVE-2022-3478 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27abb73596c5ae1691eba57d6e4a744321d87c65 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27abb73596c5ae1691eba57d6e4a744321d87c65 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track regression report for CVE-2022-42898/heimdal
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fe43b6a9 by Salvatore Bonaccorso at 2022-11-16T16:12:33+01:00 Track regression report for CVE-2022-42898/heimdal - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9825,6 +9825,7 @@ CVE-2022-42898 [krb5_pac_parse() buffer parsing vulnerability] NOTE: MIT-krb5: https://github.com/krb5/krb5/commit/b99de751dd35360c0fccac74a40f4a60dbf1ceea (krb5-1.20.1-final) NOTE: MIT-krb5: https://github.com/krb5/krb5/commit/4e661f0085ec5f969c76c0896a34322c6c432de4 (krb5-1.19.4-final) NOTE: Heimdal: https://github.com/heimdal/heimdal/commit/0c56257bdac80da015878fffdb0f8a42b8d73246 (heimdal-7.7.1) + NOTE: Heimdal regression: https://github.com/heimdal/heimdal/pull/1024 CVE-2022-42897 (Array Networks AG/vxAG with ArrayOS AG before 9.4.0.469 allows unauthe ...) NOT-FOR-US: Array Networks CVE-2022-3478 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe43b6a95771231a8239943393f141b61bc8127f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe43b6a95771231a8239943393f141b61bc8127f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-2166/mastodon
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4f280d03 by Salvatore Bonaccorso at 2022-11-16T16:11:19+01:00 Add CVE-2022-2166/mastodon - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32707,7 +32707,7 @@ CVE-2022-34171 (In Jenkins 2.321 through 2.355 (both inclusive) and LTS 2.332.1 CVE-2022-34170 (In Jenkins 2.320 through 2.355 (both inclusive) and LTS 2.332.1 throug ...) - jenkins CVE-2022-2166 (Improper Restriction of Excessive Authentication Attempts in GitHub re ...) - TODO: check + - mastodon (bug #859741) CVE-2022-34169 (The Apache Xalan Java XSLT library is vulnerable to an integer truncat ...) {DSA-5256-1 DSA-5192-1 DSA-5188-1 DLA-3155-1} - openjdk-8 8u342-b07-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f280d03675bd2a460e9c3dfa10154943c6cdcfe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f280d03675bd2a460e9c3dfa10154943c6cdcfe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
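Review bot: `- mastodon (bug #859741)` gives no fixed version and no status marker; with a bug number that predates the CVE by years the reference is most likely a packaging request, so marking the line `<itp>` or adding a NOTE on the package's status would tell readers whether there is anything to fix in the archive.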
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-41882/nextcloud-desktop
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 50919499 by Salvatore Bonaccorso at 2022-11-16T16:10:46+01:00 Add CVE-2022-41882/nextcloud-desktop - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12214,7 +12214,11 @@ CVE-2022-41884 CVE-2022-41883 RESERVED CVE-2022-41882 (The Nextcloud Desktop Client is a tool to synchronize files from Nextc ...) - TODO: check + - nextcloud-desktop 3.6.1-1 + NOTE: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3w86-rm38-8w63 + NOTE: https://github.com/nextcloud/desktop/pull/5039 + NOTE: https://github.com/nextcloud/server/pull/34559 + TODO: check details, is owncloud-client similarly affected? CVE-2022-41881 RESERVED CVE-2022-41880 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/509194998fbac8d2a90814c1c79730662eba6165 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/509194998fbac8d2a90814c1c79730662eba6165 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-3920/consul
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a48e2a46 by Salvatore Bonaccorso at 2022-11-16T16:10:17+01:00 Add CVE-2022-3920/consul - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1159,7 +1159,9 @@ CVE-2022-41659 CVE-2022-3921 RESERVED CVE-2022-3920 (HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filt ...) - TODO: check + - consul + NOTE: https://discuss.hashicorp.com/t/hcsec-2022-28-consul-cluster-peering-leaks-imported-nodes-services-information/46946 + TODO: check if affecting versions before 1.13.0 CVE-2022-45108 RESERVED CVE-2022-45107 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a48e2a46ccb64e53761521e544b78f89a22ba10d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a48e2a46ccb64e53761521e544b78f89a22ba10d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
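Review bot: the entry lists consul as affected with no fixed version while the TODO asks whether versions before 1.13.0 are affected; the CVE text visible in the context line limits the flaw to "Consul and Consul Enterprise 1.13.0 up to 1.13.3", so once the packaged version is checked the line should become either a fixed version or `<not-affected>` with a NOTE naming the version, rather than staying open-ended.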
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 426e7541 by Salvatore Bonaccorso at 2022-11-16T16:09:22+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -817,7 +817,7 @@ CVE-2022-45201 CVE-2022-45200 RESERVED CVE-2022-3993 (Authentication Bypass by Primary Weakness in GitHub repository kareadi ...) - TODO: check + NOT-FOR-US: Kavita CVE-2022-3992 (A vulnerability classified as problematic was found in SourceCodester ...) NOT-FOR-US: SourceCodester Sanitization Management System CVE-2022-3991 @@ -8645,7 +8645,7 @@ CVE-2022-43296 CVE-2022-43295 (XPDF v4.04 was discovered to contain a stack overflow via the function ...) TODO: check CVE-2022-43294 (Tasmota before commit 066878da4d4762a9b6cb169fdf353e804d735cfd was dis ...) - TODO: check + NOT-FOR-US: Tasmota CVE-2022-43293 RESERVED CVE-2022-43292 (Canteen Management System v1.0 was discovered to contain a SQL injecti ...) @@ -8711,7 +8711,7 @@ CVE-2022-43267 CVE-2022-43266 RESERVED CVE-2022-43265 (An arbitrary file upload vulnerability in the component /pages/save_us ...) - TODO: check + NOT-FOR-US: Canteen Management System CVE-2022-43264 RESERVED CVE-2022-43263 @@ -18287,7 +18287,7 @@ CVE-2022-39387 (XWiki OIDC has various tools to manipulate OpenID Connect protoc CVE-2022-39386 (@fastify/websocket provides WebSocket support for Fastify. Any applica ...) NOT-FOR-US: @fastify/websocket CVE-2022-39385 (Discourse is the an open source discussion platform. In some rare case ...) - TODO: check + NOT-FOR-US: Discourse CVE-2022-39384 (OpenZeppelin Contracts is a library for secure smart contract developm ...) NOT-FOR-US: OpenZeppelin CVE-2022-39383 
@@ -20436,7 +20436,7 @@ CVE-2022-2948 CVE-2022-2947 RESERVED CVE-2022-38666 (Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.146 and e ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2022-38665 (Jenkins CollabNet Plugins Plugin 2.0.8 and earlier stores a RabbitMQ p ...) NOT-FOR-US: Jenkins CollabNet Plugins Plugin CVE-2022-38664 (Jenkins Job Configuration History Plugin 1165.v8cc9fd1f4597 and earlie ...) @@ -21897,7 +21897,7 @@ CVE-2022-38203 CVE-2022-38202 RESERVED CVE-2022-38201 (An unvalidated redirect vulnerability exists in Esri Portal for ArcGIS ...) - TODO: check + NOT-FOR-US: Esri Portal for ArcGIS Quick Capture Web Designer CVE-2022-38200 (A cross site scripting vulnerability exists in some map service config ...) NOT-FOR-US: ArcGIS Server CVE-2022-38199 (A remote file download issue can occur in some capabilities of Esri Ar ...) @@ -22087,7 +22087,7 @@ CVE-2022-38169 CVE-2022-38168 (Broken Access Control in User Authentication in Avaya Scopia Pathfinde ...) NOT-FOR-US: Avaya Scopia Pathfinder CVE-2022-38167 (The Nintex Workflow plugin 5.2.2.30 for SharePoint allows XSS. ...) - TODO: check + NOT-FOR-US: Nintex Workflow plugin for SharePoint CVE-2022-38166 RESERVED CVE-2022-38165 @@ -24765,7 +24765,7 @@ CVE-2022-37111 (BlueCMS 1.6 has SQL injection in line 132 of admin/article.php . CVE-2022-37110 RESERVED CVE-2022-37109 (patrickfuller camp up to and including commit bbd53a256ed70e79bd875808 ...) - TODO: check + NOT-FOR-US: patrickfuller camp CVE-2022-37108 (An injection vulnerability in the syslog-ng configuration wizard in Se ...) NOT-FOR-US: Securonix Snypr CVE-2022-37107 
@@ -35061,17 +35061,17 @@ CVE-2022-33241 CVE-2022-33240 RESERVED CVE-2022-33239 (Transient DOS due to loop with unreachable exit condition in WLAN firm ...) - TODO: check + NOT-FOR-US: Snapdragon CVE-2022-33238 RESERVED CVE-2022-33237 (Transient DOS due to buffer over-read in WLAN firmware while processin ...) - TODO: check + NOT-FOR-US: Snapdragon CVE-2022-33236 (Transient DOS due to buffer over-read in WLAN firmware while parsing c ...) - TODO: check + NOT-FOR-US: Snapdragon CVE-2022-33235 RESERVED CVE-2022-33234 (Memory corruption in video due to configuration weakness. in Snapdrago ...) - TODO: check + NOT-FOR-US: Snapdragon CVE-2022-33233 RESERVED CVE-2022-33232 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/426e75410028b9b15cf84fd60fff8de0229e5f47 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/426e75410028b9b15cf84fd60fff8de0229e5f47 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.deb
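Review bot: in the `@@ -20436` hunk, `NOT-FOR-US: Jenkins plugin` is less specific than the neighbouring `NOT-FOR-US: Jenkins CollabNet Plugins Plugin`; name the plugin from the description, i.e. `NOT-FOR-US: Jenkins NS-ND Integration Performance Publisher Plugin`, so the entry stays greppable like the other Jenkins plugin entries.

Review bot: the `@@ -8645` hunk leaves CVE-2022-43295 (XPDF stack overflow) at `TODO: check` in its context lines while the entries around it are triaged; unlike the NOT-FOR-US items beside it, that description names software that exists as a Debian source package, so it should be checked against src:xpdf and given a package line with a fixed or open status rather than being skipped in the NFU pass.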
[Git][security-tracker-team/security-tracker][master] Revert "cargo not yet fixed in latest upload"
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4d7366d5 by Moritz Muehlenhoff at 2022-11-16T15:17:29+01:00 Revert "cargo not yet fixed in latest upload" This reverts commit 76b08f2eaf67d08c67514331577bd1f0b4d5a93d. These are in fact fixed via cherrypicked patches. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27394,7 +27394,7 @@ CVE-2022-36116 (An issue was discovered in Blue Prism Enterprise 6.0 through 7.0 CVE-2022-36115 (An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. In ...) NOT-FOR-US: Blue Prism Enterprise CVE-2022-36114 (Cargo is a package manager for the rust programming language. It was d ...) - - cargo (bug #1021142) + - cargo 0.63.1-1 (bug #1021142) [bullseye] - cargo (Minor issue) [buster] - cargo (Minor issue) - rust-cargo (bug #1021143) @@ -27403,7 +27403,7 @@ CVE-2022-36114 (Cargo is a package manager for the rust programming language. It NOTE: https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp NOTE: https://github.com/rust-lang/cargo/commit/d1f9553c825f6d7481453be8d58d0e7f117988a7 CVE-2022-36113 (Cargo is a package manager for the rust programming language. After a ...) - - cargo (bug #1021142) + - cargo 0.63.1-1 (bug #1021142) [bullseye] - cargo (Minor issue) [buster] - cargo (Minor issue) - rust-cargo (bug #1021143) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d7366d5570aa24e7fb1396fdca2f9df15513972 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d7366d5570aa24e7fb1396fdca2f9df15513972 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
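Review bot: the commit message says the fix reached 0.63.1-1 through cherry-picked patches, but the hunks only restore the version and record nothing about that in the entries; since the same version was just removed in 76b08f2e for exactly this reason, add a line such as `NOTE: Fixed in 0.63.1-1 via cherry-picked upstream patches` under both CVE-2022-36114 and CVE-2022-36113 so the next reader sees why the fixed version is below the upstream release that carried d1f9553c.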
[Git][security-tracker-team/security-tracker][master] cargo not yet fixed in latest upload
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 76b08f2e by Moritz Muehlenhoff at 2022-11-16T15:13:14+01:00 cargo not yet fixed in latest upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27394,7 +27394,7 @@ CVE-2022-36116 (An issue was discovered in Blue Prism Enterprise 6.0 through 7.0 CVE-2022-36115 (An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. In ...) NOT-FOR-US: Blue Prism Enterprise CVE-2022-36114 (Cargo is a package manager for the rust programming language. It was d ...) - - cargo 0.63.1-1 (bug #1021142) + - cargo (bug #1021142) [bullseye] - cargo (Minor issue) [buster] - cargo (Minor issue) - rust-cargo (bug #1021143) @@ -27403,7 +27403,7 @@ CVE-2022-36114 (Cargo is a package manager for the rust programming language. It NOTE: https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp NOTE: https://github.com/rust-lang/cargo/commit/d1f9553c825f6d7481453be8d58d0e7f117988a7 CVE-2022-36113 (Cargo is a package manager for the rust programming language. After a ...) - - cargo 0.63.1-1 (bug #1021142) + - cargo (bug #1021142) [bullseye] - cargo (Minor issue) [buster] - cargo (Minor issue) - rust-cargo (bug #1021143) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76b08f2eaf67d08c67514331577bd1f0b4d5a93d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76b08f2eaf67d08c67514331577bd1f0b4d5a93d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
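Review bot: both hunks drop the fixed version `0.63.1-1` without a NOTE saying what was checked, and the change was reverted in 4d7366d5 because the fix had been cherry-picked; before downgrading a fixed-version claim, verify whether the referenced upstream commit d1f9553c is carried in the package's debian/patches, since a backported fix does not show up in the upstream version number.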
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2022-2978/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6334ac17 by Salvatore Bonaccorso at 2022-11-16T14:52:18+01:00 Update information for CVE-2022-2978/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20215,7 +20215,8 @@ CVE-2022-2980 (NULL Pointer Dereference in GitHub repository vim/vim prior to 9. CVE-2022-2979 (Opening a specially crafted file could cause the affected product to f ...) NOT-FOR-US: Omron CVE-2022-2978 (A flaw use after free in the Linux kernel NILFS file system was found ...) - - linux + - linux 6.0.2-1 + [bullseye] - linux 5.10.148-1 NOTE: https://lore.kernel.org/linux-fsdevel/20220816040859.659129-1-dz...@hust.edu.cn/T/#u CVE-2022-38730 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6334ac17f6aba1e4ccb62a89915bcd0afec08dd3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6334ac17f6aba1e4ccb62a89915bcd0afec08dd3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
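Review bot: the NOTE for CVE-2022-2978 still points at the lore discussion thread rather than the mainline fix, while the other linux entries updated in this batch use a `https://git.kernel.org/linus/<sha>` reference with the release tag in parentheses; add that reference so the 6.0.2-1 and 5.10.148-1 fixed versions can be checked against the backported commit.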
[Git][security-tracker-team/security-tracker][master] xen fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9dce62de by Moritz Muehlenhoff at 2022-11-16T14:35:00+01:00 xen fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -11202,98 +11202,98 @@ CVE-2022-42329 CVE-2022-42328 RESERVED CVE-2022-42327 (x86: unintended memory sharing between guests On Intel systems that su ...) - - xen + - xen 4.16.2+90-g0d39a6d1ae-1 [bullseye] - xen (Vulnerable code introduced later in 4.16) [buster] - xen (Vulnerable code introduced later in 4.16) NOTE: https://xenbits.xen.org/xsa/advisory-412.html CVE-2022-42326 (Xenstore: Guests can create arbitrary number of nodes via transactions ...) {DSA-5272-1} - - xen + - xen 4.16.2+90-g0d39a6d1ae-1 [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-421.html CVE-2022-42325 (Xenstore: Guests can create arbitrary number of nodes via transactions ...) {DSA-5272-1} - - xen + - xen 4.16.2+90-g0d39a6d1ae-1 [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-421.html CVE-2022-42324 (Oxenstored 32->31 bit integer truncation issues Integers in Ocaml a ...) {DSA-5272-1} - - xen + - xen 4.16.2+90-g0d39a6d1ae-1 [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-420.html CVE-2022-42323 (Xenstore: Cooperating guests can create arbitrary numbers of nodes T[h ...) {DSA-5272-1} - - xen + - xen 4.16.2+90-g0d39a6d1ae-1 [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-419.html CVE-2022-42322 (Xenstore: Cooperating guests can create arbitrary numbers of nodes T[h ...) {DSA-5272-1} - - xen + - xen 4.16.2+90-g0d39a6d1ae-1 [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-419.html CVE-2022-42321 (Xenstore: Guests can crash xenstored via exhausting the stack Xenstore ...) {DSA-5272-1} - - xen + - xen 4.16.2+90-g0d39a6d1ae-1 [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-418.html CVE-2022-42320 (Xenstore: Guests can get access to Xenstore nodes of deleted domains A ...) 
{DSA-5272-1} - - xen + - xen 4.16.2+90-g0d39a6d1ae-1 [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-417.html CVE-2022-42319 (Xenstore: Guests can cause Xenstore to not free temporary memory When ...) {DSA-5272-1} - - xen + - xen 4.16.2+90-g0d39a6d1ae-1 [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-416.html CVE-2022-42318 (Xenstore: guests can let run xenstored out of memory T[his CNA informa ...) {DSA-5272-1} - - xen + - xen 4.16.2+90-g0d39a6d1ae-1 [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-326.html CVE-2022-42317 (Xenstore: guests can let run xenstored out of memory T[his CNA informa ...) {DSA-5272-1} - - xen + - xen 4.16.2+90-g0d39a6d1ae-1 [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-326.html CVE-2022-42316 (Xenstore: guests can let run xenstored out of memory T[his CNA informa ...) {DSA-5272-1} - - xen + - xen 4.16.2+90-g0d39a6d1ae-1 [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-326.html CVE-2022-42315 (Xenstore: guests can let run xenstored out of memory T[his CNA informa ...) {DSA-5272-1} - - xen + - xen 4.16.2+90-g0d39a6d1ae-1 [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-326.html CVE-2022-42314 (Xenstore: guests can let run xenstored out of memory T[his CNA informa ...) {DSA-5272-1} - - xen + - xen 4.16.2+90-g0d39a6d1ae-1 [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-326.html CVE-2022-42313 (Xenstore: guests can let run xenstored out of memory T[his CNA informa ...) {DSA-5272-1} - - xen + - xen 4.16.2+90-g0d39a6d1ae-1 [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-326.html CVE-2022-42312 (Xenstore: guests can let run xenstored out of memory T[his CNA informa ...) 
{DSA-5272-1} - - xen + - xen 4.16.2+90-g0d39a6d1ae-1 [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-326.html CVE-2022-42311 (Xenstore: guests can let run xenstored out of memory T[his CNA informa ...) {DSA-5272-1} - - xen + - xen 4.16.2+90-g0d39a6d1ae-1 [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-326.html CVE-2022-42310
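Review bot: the same fixed version `4.16.2+90-g0d39a6d1ae-1` is applied in one hunk to CVE-2022-42327 (XSA-412) and to the whole Xenstore set (XSA-326, XSA-416 to XSA-421); since those are separate advisories, a NOTE naming the changelog entry that lists the XSAs would let reviewers confirm that all of them are in that upload. Also, `[bullseye] - xen (Vulnerable code introduced later in 4.16)` on CVE-2022-42327 reads two ways (a later 4.16 point release, or after 4.16); spell out the release that introduced the code.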
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2022-3564/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eaf64d44 by Salvatore Bonaccorso at 2022-11-16T14:27:01+01:00 Update information for CVE-2022-3564/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9327,8 +9327,8 @@ CVE-2022-3565 (A vulnerability, which was classified as critical, has been found - linux 6.0.3-1 NOTE: https://git.kernel.org/linus/2568a7e0832ee30b0a351016d03062ab4e0e0a3f (6.1-rc1) CVE-2022-3564 (A vulnerability classified as critical was found in Linux Kernel. Affe ...) - - linux - NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=89f9f3cb86b1c63badaf392a83dd661d56cc50b1 + - linux 6.0.8-1 + NOTE: https://git.kernel.org/linus/3aff8aaca4e36dc8b17eaa011684881a80238966 CVE-2022-3563 (A vulnerability classified as problematic has been found in Linux Kern ...) - bluez 5.65-1 [bullseye] - bluez (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eaf64d446e4286c046c6e876a29337157b28e6b9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eaf64d446e4286c046c6e876a29337157b28e6b9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
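Review bot: the replacement NOTE for CVE-2022-3564 drops the bluetooth-next commit 89f9f3cb86b1c63badaf392a83dd661d56cc50b1 in favour of the mainline sha but, unlike the CVE-2022-3565 entry in the context above (`... (6.1-rc1)`), does not say which mainline release carries 3aff8aaca4e36dc8b17eaa011684881a80238966; add the release tag so the 6.0.8-1 fixed version can be checked without following the link.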
[Git][security-tracker-team/security-tracker][master] cargo fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a67515a9 by Moritz Muehlenhoff at 2022-11-16T14:25:31+01:00 cargo fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27393,7 +27393,7 @@ CVE-2022-36116 (An issue was discovered in Blue Prism Enterprise 6.0 through 7.0 CVE-2022-36115 (An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. In ...) NOT-FOR-US: Blue Prism Enterprise CVE-2022-36114 (Cargo is a package manager for the rust programming language. It was d ...) - - cargo (bug #1021142) + - cargo 0.63.1-1 (bug #1021142) [bullseye] - cargo (Minor issue) [buster] - cargo (Minor issue) - rust-cargo (bug #1021143) @@ -27402,7 +27402,7 @@ CVE-2022-36114 (Cargo is a package manager for the rust programming language. It NOTE: https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp NOTE: https://github.com/rust-lang/cargo/commit/d1f9553c825f6d7481453be8d58d0e7f117988a7 CVE-2022-36113 (Cargo is a package manager for the rust programming language. After a ...) - - cargo (bug #1021142) + - cargo 0.63.1-1 (bug #1021142) [bullseye] - cargo (Minor issue) [buster] - cargo (Minor issue) - rust-cargo (bug #1021143) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a67515a91be25a71974ace6dba8941a062992741 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a67515a91be25a71974ace6dba8941a062992741 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
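Review bot: the `- rust-cargo (bug #1021143)` line directly below each new `cargo 0.63.1-1` stays without a fixed version in the hunk context; if rust-cargo still needs its own upload that is fine, but a NOTE saying the crate package is fixed separately would keep it from being read as an oversight, and its `[bullseye]`/`[buster]` status lines are not visible here either.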
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2022-3619/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fac80d7e by Salvatore Bonaccorso at 2022-11-16T14:23:40+01:00 Update information for CVE-2022-3619/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8212,10 +8212,10 @@ CVE-2022-3620 (A vulnerability was found in Exim and classified as problematic. NOTE: Fixed by: https://git.exim.org/exim.git/commit/12fb3842f81bcbd4a4519d5728f2d7e0e3ca1445 NOTE: Debian binary packages not built with DMARC support CVE-2022-3619 (A vulnerability has been found in Linux Kernel and classified as probl ...) - - linux + - linux 6.0.8-1 [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) - NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=97097c85c088e11651146da32a4e1cdb9dfa6193 + NOTE: https://git.kernel.org/linus/7c9524d929648935bac2bbb4c20437df8f9c3f42 CVE-2022-3618 RESERVED CVE-2022-3617 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fac80d7ef2d1d40c7a27b53900569fd8fadbeb4b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fac80d7ef2d1d40c7a27b53900569fd8fadbeb4b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
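Review bot: the new NOTE for CVE-2022-3619 replaces the bluetooth-next link with the mainline sha 7c9524d929648935bac2bbb4c20437df8f9c3f42 but omits the release tag in parentheses used on other linux entries; add it, since the mainline release is what the `[bullseye]`/`[buster] - linux (Vulnerable code not present)` lines are checked against.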
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2022-3640/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c17691b3 by Salvatore Bonaccorso at 2022-11-16T14:20:23+01:00 Update information for CVE-2022-3640/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8130,8 +8130,8 @@ CVE-2022-3641 CVE-2022-36401 RESERVED CVE-2022-3640 (A vulnerability, which was classified as critical, was found in Linux ...) - - linux - NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=42cf46dea905a80f6de218e837ba4d4cc33d6979 + - linux 6.0.8-1 + NOTE: https://git.kernel.org/linus/0d0e2d032811280b927650ff3c15fe5020e82533 CVE-2022-3639 (A potential DOS vulnerability was discovered in GitLab CE/EE affecting ...) - gitlab CVE-2022-3638 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c17691b3f957b90c67bd58d745e6b4653414db36 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c17691b3f957b90c67bd58d745e6b4653414db36 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
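Review bot: CVE-2022-3640 gets the sid fixed version 6.0.8-1 and a mainline sha but no `[bullseye]` line, so bullseye is shown as affected with no annotation; if that is intended, add the 5.10.x fixed version once it lands, otherwise add `[bullseye] - linux <not-affected> (Vulnerable code not present)` as on the sibling Bluetooth entries, and append the mainline release tag to the NOTE.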
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2022-3903/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ce78a30a by Salvatore Bonaccorso at 2022-11-16T14:14:03+01:00 Update information for CVE-2022-3903/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1320,7 +1320,8 @@ CVE-2022-3905 CVE-2022-3904 RESERVED CVE-2022-3903 (An incorrect read request flaw was found in the Infrared Transceiver U ...) - - linux + - linux 5.19.11-1 + [bullseye] - linux 5.10.148-1 CVE-2022-3902 RESERVED CVE-2022-3901 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce78a30aa7a114a0de64a6a0dac5f51ec2e287d7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce78a30aa7a114a0de64a6a0dac5f51ec2e287d7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
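Review bot: CVE-2022-3903 now has fixed versions for sid and bullseye but, unlike the other linux entries touched in this batch, no NOTE with the upstream fix reference; add the `https://git.kernel.org/linus/<sha>` line so the 5.19.11-1 and 5.10.148-1 claims can be traced to the backported commit.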
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1604946b by Moritz Muehlenhoff at 2022-11-16T14:07:33+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8682,7 +8682,7 @@ CVE-2022-43280 (wasm-interp v1.0.29 was discovered to contain an out-of-bounds r NOTE: https://github.com/WebAssembly/wabt/issues/1982 NOTE: Crash in CLI tool, no security impact CVE-2022-43279 (LimeSurvey v5.4.4 was discovered to contain a SQL injection vulnerabil ...) - TODO: check + - limesurvey (bug #472802) CVE-2022-43278 (Canteen Management System v1.0 was discovered to contain a SQL injecti ...) NOT-FOR-US: Canteen Management System CVE-2022-43277 (Canteen Management System v1.0 was discovered to contain an arbitrary ...) @@ -9415,7 +9415,7 @@ CVE-2022-42986 CVE-2022-42985 RESERVED CVE-2022-42984 (WoWonder Social Network Platform 4.1.4 was discovered to contain a SQL ...) - TODO: check + NOT-FOR-US: WoWonder Social Network Platform CVE-2022-42983 (anji-plus AJ-Report 0.9.8.6 allows remote attackers to bypass login au ...) NOT-FOR-US: anji-plus AJ-Report CVE-2022-42982 @@ -9427,9 +9427,9 @@ CVE-2022-42980 (go-admin (aka GO Admin) 2.0.12 uses the string go-admin as a pro CVE-2022-42979 RESERVED CVE-2022-42978 (In the Netic User Export add-on before 1.3.5 for Atlassian Confluence, ...) - TODO: check + NOT-FOR-US: Atlassian Confluence addon CVE-2022-42977 (The Netic User Export add-on before 1.3.5 for Atlassian Confluence has ...) - TODO: check + NOT-FOR-US: Atlassian Confluence addon CVE-2022-42976 RESERVED CVE-2022-42975 (socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin w ...) 
@@ -9785,7 +9785,7 @@ CVE-2022-3482 CVE-2022-3481 (The WooCommerce Dropshipping WordPress plugin before 4.4 does not prop ...) NOT-FOR-US: WordPress plugin CVE-2022-3480 (A remote, unauthenticated attacker could cause a denial-of-service of ...) - TODO: check + NOT-FOR-US: PHOENIX CVE-2022-3479 (A vulnerability found in nss. By this security vulnerability, nss clie ...) - nss (bug #1021786) [bullseye] - nss (Minor issue) @@ -9934,7 +9934,7 @@ CVE-2022-41687 CVE-2022-40221 RESERVED CVE-2022-3461 (In PHOENIX CONTACT Automationworx Software Suite up to version 1.89 ma ...) - TODO: check + NOT-FOR-US: PHOENIX CVE-2022-3460 RESERVED CVE-2022-3459 @@ -10115,7 +10115,7 @@ CVE-2022-42787 (Multiple W&T products of the Comserver Series use a small nu CVE-2022-42786 (Multiple W&T Products of the ComServer Series are prone to an XSS ...) NOT-FOR-US: Wiesemann & Theis GmbH products CVE-2022-42785 (Multiple W&T products of the ComServer Series are prone to an auth ...) - TODO: check + NOT-FOR-US: Wiesemann & Theis GmbH products CVE-2022-42784 RESERVED CVE-2022-3457 (Origin Validation Error in GitHub repository ikus060/rdiffweb prior to ...) 
@@ -10905,19 +10905,19 @@ CVE-2022-42466 (Prior to 2.0.0-M9, it was possible for an end-user to set the va CVE-2022-42458 RESERVED CVE-2022-42001 (Cross-site Scripting (XSS) vulnerability in BlueSpiceBookshelf extensi ...) - TODO: check + NOT-FOR-US: Bluespice extension CVE-2022-42000 (Cross-site Scripting (XSS) vulnerability in BlueSpiceSocialProfile ext ...) - TODO: check + NOT-FOR-US: Bluespice extension CVE-2022-41986 (Information disclosure vulnerability in Android App 'IIJ SmartKey' ver ...) NOT-FOR-US: Android App 'IIJ SmartKey' CVE-2022-41814 (Cross-site Scripting (XSS) vulnerability in BlueSpiceFoundation extens ...) - TODO: check + NOT-FOR-US: Bluespice extension CVE-2022-41796 (Untrusted search path vulnerability in the installer of Content Transf ...) NOT-FOR-US: installer of Content Transfer (for Windows) CVE-2022-41789 (Cross-site Scripting (XSS) vulnerability in BlueSpiceDiscovery skin of ...) - TODO: check + NOT-FOR-US: Bluespice skin CVE-2022-41611 (Cross-site Scripting (XSS) vulnerability in BlueSpiceDiscovery skin of ...) - TODO: check + NOT-FOR-US: Bluespice skin CVE-2022-3418 (The Import any XML or CSV File to WordPress plugin before 3.6.9 is not ...) NOT-FOR-US: WordPress plugin CVE-2022-3417 @@ -11686,35 +11686,35 @@ CVE-2022-42134 CVE-2022-42133 RESERVED CVE-2022-42132 (The Test LDAP Users functionality in Liferay Portal 7.0.0 through 7.4. ...) - TODO: check + NOT-FOR-US: Liferay CVE-2022-42131 (Certain Liferay products are affected by: Missing SSL Certificate Vali ...) - TODO: check + NOT-FOR-US: Liferay CVE-2022-42130 (The Dynamic Data Mapping module in Liferay Portal 7.1.0 through 7.4.3. ...) - TODO: check + NOT-FOR-US: Liferay CV
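Review bot: in the `@@ -8682` hunk, `- limesurvey (bug #472802)` references a bug number far older than the other bug references on this page (#1021142, #1021143, #1021786), which suggests an ITP/RFP bug rather than one filed for CVE-2022-43279; if limesurvey is not in the archive, the line should use the `<itp>` pseudo-version (`- limesurvey <itp> (bug #472802)`) so the tracker does not report an open issue in a package that does not exist.

Review bot: `NOT-FOR-US: PHOENIX` (hunks `@@ -9785` and `@@ -9934`) and `NOT-FOR-US: Atlassian Confluence addon` (hunk `@@ -9427`) are terser than the surrounding entries, which name the product; use the names from the descriptions, `PHOENIX CONTACT Automationworx Software Suite` (CVE-2022-3461) and `Netic User Export add-on for Atlassian Confluence`, for consistency.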
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2022-40768/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1cfa351b by Salvatore Bonaccorso at 2022-11-16T14:01:25+01:00 Update information for CVE-2022-40768/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15005,8 +15005,10 @@ CVE-2022-40770 CVE-2022-40769 (profanity through 1.60 has only four billion possible RNG initializati ...) NOT-FOR-US: profanity (not same as src:profanity) CVE-2022-40768 (drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local us ...) - - linux + - linux 6.0.2-1 + [bullseye] - linux 5.10.148-1 NOTE: https://www.openwall.com/lists/oss-security/2022/09/09/1 + NOTE: https://git.kernel.org/linus/6022f210461fef67e6e676fd8544ca02d1bcfa7a CVE-2022-40767 RESERVED CVE-2022-40766 (Modern Campus Omni CMS (formerly OU Campus) 10.2.4 allows login-page S ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1cfa351bdf291fa4411f199ff60993423e117f09 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1cfa351bdf291fa4411f199ff60993423e117f09 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] firefox fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 597c53d8 by Moritz Muehlenhoff at 2022-11-16T13:34:36+01:00 firefox fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -290,7 +290,7 @@ CVE-2023-21419 RESERVED CVE-2022-45421 RESERVED - - firefox + - firefox 107.0-1 - firefox-esr 102.5.0esr-1 - thunderbird 1:102.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/#CVE-2022-45421 @@ -298,7 +298,7 @@ CVE-2022-45421 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/#CVE-2022-45421 CVE-2022-45420 RESERVED - - firefox + - firefox 107.0-1 - firefox-esr 102.5.0esr-1 - thunderbird 1:102.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/#CVE-2022-45420 @@ -306,11 +306,11 @@ CVE-2022-45420 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/#CVE-2022-45420 CVE-2022-45419 RESERVED - - firefox + - firefox 107.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/#CVE-2022-45419 CVE-2022-45418 RESERVED - - firefox + - firefox 107.0-1 - firefox-esr 102.5.0esr-1 - thunderbird 1:102.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/#CVE-2022-45418 @@ -318,11 +318,11 @@ CVE-2022-45418 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/#CVE-2022-45418 CVE-2022-45417 RESERVED - - firefox + - firefox 107.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/#CVE-2022-45417 CVE-2022-45416 RESERVED - - firefox + - firefox 107.0-1 - firefox-esr 102.5.0esr-1 - thunderbird 1:102.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/#CVE-2022-45416 @@ -330,7 +330,7 @@ CVE-2022-45416 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/#CVE-2022-45416 CVE-2022-45415 RESERVED - - firefox + - firefox 107.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/#CVE-2022-45415 CVE-2022-45414 RESERVED 
@@ -340,7 +340,7 @@ CVE-2022-45413 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/#CVE-2022-45413 CVE-2022-45412 RESERVED - - firefox + - firefox 107.0-1 - firefox-esr 102.5.0esr-1 - thunderbird 1:102.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/#CVE-2022-45412 @@ -348,7 +348,7 @@ CVE-2022-45412 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/#CVE-2022-45412 CVE-2022-45411 RESERVED - - firefox + - firefox 107.0-1 - firefox-esr 102.5.0esr-1 - thunderbird 1:102.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/#CVE-2022-45411 @@ -356,7 +356,7 @@ CVE-2022-45411 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/#CVE-2022-45411 CVE-2022-45410 RESERVED - - firefox + - firefox 107.0-1 - firefox-esr 102.5.0esr-1 - thunderbird 1:102.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/#CVE-2022-45410 @@ -364,7 +364,7 @@ CVE-2022-45410 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/#CVE-2022-45410 CVE-2022-45409 RESERVED - - firefox + - firefox 107.0-1 - firefox-esr 102.5.0esr-1 - thunderbird 1:102.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/#CVE-2022-45409 @@ -372,7 +372,7 @@ CVE-2022-45409 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/#CVE-2022-45409 CVE-2022-45408 RESERVED - - firefox + - firefox 107.0-1 - firefox-esr 102.5.0esr-1 - thunderbird 1:102.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/#CVE-2022-45408 
@@ -380,11 +380,11 @@ CVE-2022-45408 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/#CVE-2022-45408 CVE-2022-45407 RESERVED - - firefox + - firefox 107.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/#CVE-2022-45407 CVE-2022-45406 RESERVED - - firefox + - firefox 107.0-1 - firefox-esr 102.5.0esr-1 - thunderbird 1:102.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/#CVE-2022-45406 @@ -392,7 +392,7 @@ CVE-2022-45406 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/#CVE-2022-45406 CVE-2022-45405 RESERVED - - firefox + - firefox 107.0-1
[Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 16267b2d by Moritz Muehlenhoff at 2022-11-16T12:25:00+01:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1351,6 +1351,7 @@ CVE-2022-45048 RESERVED CVE-2022-45047 RESERVED + NOT-FOR-US: Apache Mina SSHD CVE-2022-45046 RESERVED CVE-2022-3899 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16267b2d2e345fd900db3eeefc8b6aaaede28bde -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16267b2d2e345fd900db3eeefc8b6aaaede28bde You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
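Review bot: CVE-2022-45047 is still `RESERVED` with no description in the context, so `NOT-FOR-US: Apache Mina SSHD` rests on information that is not in the file; add a NOTE with the advisory or announcement that ties the id to Apache Mina SSHD, as the firefox RESERVED entries do with their mfsa links.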
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2022-41850/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 92de32ca by Salvatore Bonaccorso at 2022-11-16T12:04:23+01:00 Update information for CVE-2022-41850/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12433,7 +12433,7 @@ CVE-2022-3363 (Business Logic Errors in GitHub repository ikus060/rdiffweb prior CVE-2022-3362 (Insufficient Session Expiration in GitHub repository ikus060/rdiffweb ...) TODO: check CVE-2022-41850 (roccat_report_event in drivers/hid/hid-roccat.c in the Linux kernel th ...) - - linux + - linux 6.0.3-1 NOTE: https://lore.kernel.org/all/20220904193115.GA28134@ubuntu/t/#u CVE-2022-41849 (drivers/video/fbdev/smscufx.c in the Linux kernel through 5.19.12 has ...) - linux 6.0.3-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92de32ca5df00fa98c52303e1ca210d711ffedf0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92de32ca5df00fa98c52303e1ca210d711ffedf0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
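Review bot: CVE-2022-41850 now has the fixed version 6.0.3-1 but its NOTE is a lore thread rather than the mainline commit; add the `https://git.kernel.org/linus/<sha>` reference so the version claim can be verified against the backport, and give bullseye an explicit status line since the entry currently shows it as affected with no annotation.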
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2022-41849/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ef145bde by Salvatore Bonaccorso at 2022-11-16T11:54:20+01:00 Update status for CVE-2022-41849/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12436,7 +12436,7 @@ CVE-2022-41850 (roccat_report_event in drivers/hid/hid-roccat.c in the Linux ker - linux NOTE: https://lore.kernel.org/all/20220904193115.GA28134@ubuntu/t/#u CVE-2022-41849 (drivers/video/fbdev/smscufx.c in the Linux kernel through 5.19.12 has ...) - - linux + - linux 6.0.3-1 NOTE: https://lore.kernel.org/all/20220925133243.GA383897@ubuntu/T/ CVE-2022-41848 (drivers/char/pcmcia/synclink_cs.c in the Linux kernel through 5.19.12 ...) - linux View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef145bde42c41e799f72d1f17d0a5e35ff2c4ef3
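Review bot: CVE-2022-41849 is described as affecting "the Linux kernel through 5.19.12" and the hunk only sets "- linux 6.0.3-1"; with no [bullseye] or [buster] annotation the older suites are left as open, so either add the suite status or a NOTE pointing at the upstream fix commit so the backport need can be assessed. The neighbouring CVE-2022-41848 in the context lines is still at a bare "- linux" and probably wants the same treatment.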
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a131135 by Thorsten Alteholz at 2022-11-16T11:38:43+01:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -84,8 +84,9 @@ golang-websocket NOTE: 20220915: 1 CVE fixed in stretch and bullseye (golang-github-gorilla-websocket) (Beuc/front-desk) NOTE: 20220915: Special attention: limited support; requires rebuilding reverse dependencies -- -graphicsmagick +graphicsmagick (Thorsten Alteholz) NOTE: 20221027: Programming language: C. + NOTE: 20221116: testing package -- hsqldb NOTE: 20221031: Programming language: Java. @@ -386,7 +387,7 @@ vim (Helmut) NOTE: 20221108: Programming language: C. NOTE: 20221108: VCS: https://salsa.debian.org/lts-team/packages/vim.git -- -virglrenderer +virglrenderer (Thorsten Alteholz) NOTE: 20221009: Programming language: C. -- zabbix View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a1311355dcc2525847f3c7119b64b16c2be4d8b
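Review bot: "NOTE: 20221116: testing package" in the graphicsmagick hunk does not say what is being tested (the buster candidate build, the backported fixes, the upstream test suite); the other notes in this file pair the date with a concrete state, so make this one specific enough that another LTS member can pick the package up from it. The virglrenderer hunk only adds the claim and needs nothing further.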
[Git][security-tracker-team/security-tracker][master] jupyterhub fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a7341097 by Moritz Muehlenhoff at 2022-11-16T11:05:43+01:00 jupyterhub fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -130878,7 +130878,7 @@ CVE-2021-23922 (An issue was discovered in Devolutions Remote Desktop Manager be CVE-2021-23921 (An issue was discovered in Devolutions Server before 2020.3. There is ...) NOT-FOR-US: Devolutions Server CVE-2020-36191 (JupyterHub 1.1.0 allows CSRF in the admin panel via a request that lac ...) - - jupyterhub (bug #1014774) + - jupyterhub 3.0.0+ds1-1 (bug #1014774) NOTE: https://github.com/jupyterhub/jupyterhub/issues/3304 CVE-2020-36190 (RailsAdmin (aka rails_admin) before 1.4.3 and 2.x before 2.0.2 allows ...) NOT-FOR-US: RailsAdmin View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7341097e42f1b2dff8020a47c1fb34e1d823188
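Review bot: the hunk sets the unstable fix to "jupyterhub 3.0.0+ds1-1" but adds no [bullseye] line, so bullseye is now listed as vulnerable to CVE-2020-36191 (CSRF in the admin panel) with no no-dsa or minor-issue decision recorded; add the suite status, and since the only NOTE is the upstream issue, a reference to the upstream fix would help whoever evaluates a backport.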
[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d82dbd02 by Moritz Muehlenhoff at 2022-11-16T11:04:49+01:00 bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -9888,6 +9888,7 @@ CVE-2022-3462 (The Highlight Focus WordPress plugin through 1.1 does not sanitis NOT-FOR-US: WordPress plugin CVE-2022-42889 (Apache Commons Text performs variable interpolation, allowing properti ...) - commons-text 1.10.0-1 (bug #1021787) + [bullseye] - commons-text (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/10/13/4 NOTE: https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/ NOTE: https://blogs.apache.org/security/entry/cve-2022-42889 @@ -62120,12 +62121,12 @@ CVE-2022-0395 (Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelpe CVE-2022-0394 (Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat ...) NOT-FOR-US: livehelperchat CVE-2022-0393 (Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. ...) - - vim 2:8.2.4659-1 - [bullseye] - vim (Minor issue) + - vim 2:8.2.4659-1 (unimportant) [buster] - vim (The vulnerable code is not present) [stretch] - vim (The vulnerable code is not present) NOTE: https://huntr.dev/bounties/ecc8f488-01a0-477f-848f-e30b8e524bba NOTE: https://github.com/vim/vim/commit/a4bc2dd7cccf5a4a9f78b58b6f35a45d17164323 (v8.2.4233) + NOTE: Crash in CLI tool, no security impact CVE-2022-24069 (An issue was discovered in AhciBusDxe in Insyde InsydeH2O with kernel ...) NOT-FOR-US: Insyde CVE-2022-24064 (This vulnerability allows remote attackers to execute arbitrary code o ...) 
@@ -62728,10 +62729,10 @@ CVE-2022-21184 (An information disclosure vulnerability exists in the License re NOT-FOR-US: Bachmann Visutec GmbH Atvise CVE-2022-0368 (Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. ...) {DLA-3182-1 DLA-2947-1} - - vim 2:8.2.4659-1 - [bullseye] - vim (Minor issue) + - vim 2:8.2.4659-1 (unimportant) NOTE: https://huntr.dev/bounties/bca9ce1f-400a-4bf9-9207-3f3187cb3fa9/ NOTE: https://github.com/vim/vim/commit/8d02ce1ed75d008c34a5c9aaa51b67cbb9d33baa (v8.2.4217) + NOTE: Crash in CLI tool, no security impact CVE-2022-0367 (A heap-based buffer overflow flaw was found in libmodbus in function m ...) {DLA-3098-1} - libmodbus 3.1.6-2.1 (bug #1021270) @@ -63650,17 +63651,16 @@ CVE-2022-0320 (The Essential Addons for Elementor WordPress plugin before 5.0.5 NOT-FOR-US: WordPress plugin CVE-2022-0319 (Out-of-bounds Read in vim/vim prior to 8.2. ...) {DLA-3182-1 DLA-2947-1} - - vim 2:8.2.4659-1 - [bullseye] - vim (Minor issue) + - vim 2:8.2.4659-1 (unimportant) NOTE: https://huntr.dev/bounties/ba622fd2-e6ef-4ad9-95b4-17f87b68755b NOTE: https://github.com/vim/vim/commit/05b27615481e72e3b338bb12990fb3e0c2ecc2a9 (v8.2.4154) + NOTE: Crash in CLI tool, no security impact CVE-2022-0318 (Heap-based Buffer Overflow in vim/vim prior to 8.2. ...) - - vim 2:8.2.4659-1 (bug #1004859) - [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) + - vim 2:8.2.4659-1 (bug #1004859; unimportant) [stretch] - vim (Fix introduces a test regression) NOTE: https://huntr.dev/bounties/0d10ba02-b138-4e68-a284-67f781a62d08 NOTE: https://github.com/vim/vim/commit/57df9e8a9f9ae1aafdde9b86b10ad907627a87dc (v8.2.4151) + NOTE: Crash in CLI tool, no security impact CVE-2022-0317 (An improper input validation vulnerability in go-attestation before 0. ...) NOT-FOR-US: go-attestation CVE-2022-0316 
@@ -67546,9 +67546,10 @@ CVE-2022-0139 (Use After Free in GitHub repository radareorg/radare2 prior to 5. CVE-2022-0138 (MMP: All versions prior to v1.0.3, PTP C-series: Device versions prior ...) NOT-FOR-US: Airspan Networks CVE-2022-0137 (A heap buffer overflow in image_set_mask function of HTMLDOC before 1. ...) - - htmldoc 1.9.15-1 + - htmldoc 1.9.15-1 (unimportant) NOTE: https://github.com/michaelrsweet/htmldoc/issues/461 NOTE: Fixed by: https://github.com/michaelrsweet/htmldoc/commit/71fe87878c9cbc3db429f5e5c70f28e4b3d96e3b (v1.9.15) + NOTE: Crash in CLI tool, no security impact CVE-2022-0136 (A vulnerability was discovered in GitLab versions 10.5 to 14.5.4, 14.6 ...) - gitlab CVE-2022-0135 (An out-of-bounds write issue was found in the VirGL virtual OpenGL ren ...) = data/dsa-needed.txt = @@ -26,6 +26,8 @@ heimdal (carnil) -- jackson-databind (apo) -- +krb5 +-- linux (carnil) Wait unt
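Review bot: in the @@ -9888 hunk, CVE-2022-42889 in commons-text is marked "[bullseye] - commons-text (Minor issue)" with no reasoning NOTE, while the entry carries a bug number and three advisory links (openwall, GitHub Security Lab, the Apache blog); a one-line NOTE stating why the variable interpolation issue is minor for what bullseye ships would make the no-dsa decision auditable later.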
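Review bot: in the @@ -62728 hunk, CVE-2022-0368 is downgraded to "(unimportant)" with "Crash in CLI tool, no security impact", yet the entry still carries "{DLA-3182-1 DLA-2947-1}", i.e. two LTS advisories were issued for it; the NOTE should say that the rating is a re-assessment and does not retract those advisories, otherwise the entry contradicts itself. The same combination of DLA references and unimportant rating appears for CVE-2022-0319 in the following hunk.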
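Review bot: in the @@ -63650 hunk, CVE-2022-0318 becomes "(bug #1004859; unimportant)" but keeps "[stretch] - vim (Fix introduces a test regression)"; once the issue is rated unimportant that stretch line is a leftover of the earlier triage and should be dropped or re-annotated, since it now reads as an open no-dsa decision on an issue no longer tracked as a security problem.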
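Review bot: in the @@ -67546 hunk, CVE-2022-0137 (heap buffer overflow in image_set_mask of HTMLDOC) receives the same "Crash in CLI tool, no security impact" NOTE as the vim entries; a heap overflow in an image parser that processes user-supplied documents is a stronger finding than a crash, so the NOTE should state why memory corruption is not considered exploitable here rather than reusing the vim wording verbatim.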
[Git][security-tracker-team/security-tracker][master] Take fwupd
Stefano Rivera pushed to branch master at Debian Security Tracker / security-tracker Commits: d7159710 by Stefano Rivera at 2022-11-16T11:46:37+02:00 Take fwupd - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -52,7 +52,7 @@ firmware-nonfree frr NOTE: 20220923: Programming language: C. -- -fwupd +fwupd (Stefano Rivera) NOTE: 20221003: Programming language: C++. -- gerbv View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d715971083e8ffa74e7b7d490bea5cad8353d9a5
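Review bot: the context line under the new claim records fwupd as "Programming language: C++."; fwupd is written in C (GLib based), so that note should be corrected while the package is being worked on, as the language metadata is used when prioritising LTS work.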
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3190-1 for grub2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 33f3e7d9 by Salvatore Bonaccorso at 2022-11-16T10:04:27+01:00 Reserve DLA-3190-1 for grub2 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[16 Nov 2022] DLA-3190-1 grub2 - security update + {CVE-2022-2601 CVE-2022-3775} + [buster] - grub2 2.06-3~deb10u2 [15 Nov 2022] DLA-3189-1 postgresql-11 - bugfix update [buster] - postgresql-11 11.18-0+deb10u1 [14 Nov 2022] DLA-3188-1 sysstat - security update = data/dla-needed.txt = @@ -87,9 +87,6 @@ golang-websocket graphicsmagick NOTE: 20221027: Programming language: C. -- -grub2 (Salvatore Bonaccorso) - NOTE: 20221116: Maintainer prepared as well buster-security updates for release --- hsqldb NOTE: 20221031: Programming language: Java. NOTE: 20221031: To be investigated further. A possible outcome is to ignore it. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/33f3e7d98f72fdc8fbe6ca75aaafaa8c2546d8d5
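Review bot: DLA-3190-1 is reserved with "{CVE-2022-2601 CVE-2022-3775}" and the grub2 entry is removed from dla-needed.txt in the same commit; make sure both CVE entries in data/CVE/list receive the matching "{DLA-3190-1}" reference when the advisory goes out, since the dla-needed removal alone would otherwise leave buster showing as vulnerable with nobody assigned.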
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e6e43e84 by Salvatore Bonaccorso at 2022-11-16T09:37:27+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11,15 +11,15 @@ CVE-2022-4008 CVE-2022-4007 RESERVED CVE-2022-4006 (A vulnerability, which was classified as problematic, has been found i ...) - TODO: check + NOT-FOR-US: WBCE CMS CVE-2022-4005 RESERVED CVE-2022-4004 RESERVED CVE-2021-4241 (A vulnerability, which was classified as problematic, was found in php ...) - TODO: check + NOT-FOR-US: phpservermon CVE-2021-4240 (A vulnerability, which was classified as problematic, was found in php ...) - TODO: check + NOT-FOR-US: phpservermon CVE-2022-45442 RESERVED CVE-2022-45441 
@@ -417,51 +417,51 @@ CVE-2022-45403 CVE-2022-45402 (In Apache Airflow versions prior to 2.4.3, there was an open redirect ...) - airflow (bug #819700) CVE-2022-45401 (Jenkins Associated Files Plugin 0.2.1 and earlier does not escape name ...) - TODO: check + NOT-FOR-US: Jenkins Associated Files Plugin CVE-2022-45400 (Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser ...) - TODO: check + NOT-FOR-US: Jenkins JAPEX Plugin CVE-2022-45399 (A missing permission check in Jenkins Cluster Statistics Plugin 0.4.6 ...) - TODO: check + NOT-FOR-US: Jenkins Cluster Statistics Plugin CVE-2022-45398 (A cross-site request forgery (CSRF) vulnerability in Jenkins Cluster S ...) - TODO: check + NOT-FOR-US: Jenkins Cluster Statistics Plugin CVE-2022-45397 (Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does ...) - TODO: check + NOT-FOR-US: Jenkins OSF Builder Suite : : XML Linter Plugin CVE-2022-45396 (Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XM ...) - TODO: check + NOT-FOR-US: Jenkins SourceMonitor Plugin CVE-2022-45395 (Jenkins Plugin 0.6 and earlier does not configure its XML parser ...) - TODO: check + NOT-FOR-US: Jenkins Plugin CVE-2022-45394 (A missing permission check in Jenkins Delete log Plugin 1.0 and earlie ...) - TODO: check + NOT-FOR-US: Jenkins Delete log Plugin CVE-2022-45393 (A cross-site request forgery (CSRF) vulnerability in Jenkins Delete lo ...) - TODO: check + NOT-FOR-US: Jenkins Delete log Plugin CVE-2022-45392 (Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and e ...) - TODO: check + NOT-FOR-US: Jenkins NS-ND Integration Performance Publisher Plugin CVE-2022-45391 (Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and e ...) - TODO: check + NOT-FOR-US: Jenkins NS-ND Integration Performance Publisher Plugin CVE-2022-45390 (A missing permission check in Jenkins loader.io Plugin 1.0.1 and earli ...) 
- TODO: check + NOT-FOR-US: Jenkins loader.io Plugin CVE-2022-45389 (A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier al ...) - TODO: check + NOT-FOR-US: Jenkins XP-Dev Plugin CVE-2022-45388 (Jenkins Config Rotator Plugin 2.0.1 and earlier does not restrict a fi ...) - TODO: check + NOT-FOR-US: Jenkins Config Rotator Plugin CVE-2022-45387 (Jenkins BART Plugin 1.0.3 and earlier does not escape the parsed conte ...) - TODO: check + NOT-FOR-US: Jenkins BART Plugin CVE-2022-45386 (Jenkins Violations Plugin 0.7.11 and earlier does not configure its XM ...) - TODO: check + NOT-FOR-US: Jenkins Violations Plugin CVE-2022-45385 (A missing permission check in Jenkins CloudBees Docker Hub/Registry No ...) - TODO: check + NOT-FOR-US: CloudBees Docker Hub/Registry Notification Plugin CVE-2022-45384 (Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP ma ...) - TODO: check + NOT-FOR-US: Jenkins Reverse Proxy Auth Plugin CVE-2022-45383 (An incorrect permission check in Jenkins Support Core Plugin 1206.v140 ...) - TODO: check + NOT-FOR-US: Jenkins Support Core Plugin CVE-2022-45382 (Jenkins Naginator Plugin 1.18.1 and earlier does not escape display na ...) - TODO: check + NOT-FOR-US: Jenkins Naginator Plugin CVE-2022-45381 (Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not rest ...) - TODO: check + NOT-FOR-US: Jenkins Pipeline Utility Steps Plugin CVE-2022-45380 (Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) ...) - TODO: check + NOT-FOR-US: Jenkins JUnit Plugin CVE-2022-45379 (Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier store ...) - TODO: check + NOT-FOR-US: Jenkins Script Security Plugin CVE-2022-45378 (** UNSUPPORTED WHEN ASSIGNED ** In the default configuration
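Review bot: in the @@ -417 hunk, CVE-2022-45395 is resolved as "NOT-FOR-US: Jenkins Plugin" with no plugin name (the description line lacks it as well), so the entry cannot be matched back to a specific plugin; look the name up and record it. CVE-2022-45385 also drops the "Jenkins" prefix every other entry in this hunk uses, so keep the naming consistent so searches for Jenkins plugin NFUs find it.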
[Git][security-tracker-team/security-tracker][master] Triage CVE-2021-44420 in python-django for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 83f418a5 by Chris Lamb at 2022-11-16T08:35:32+00:00 Triage CVE-2021-44420 in python-django for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -74988,7 +74988,7 @@ CVE-2021-44421 (The pointer-validation logic in util/mem_util.rs in Occlum befor CVE-2021-44420 (In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, ...) - python-django 2:3.2.10-1 [bullseye] - python-django 2:2.2.25-1~deb11u1 - [buster] - python-django (Minor issue) + [buster] - python-django (Vulnerable code not present; is_endpoint support added later) [stretch] - python-django (Vulnerable code not present; path converters added later) NOTE: https://www.openwall.com/lists/oss-security/2021/12/07/1 NOTE: https://www.djangoproject.com/weblog/2021/dec/07/security-releases/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83f418a5333df852f436d176a72fef542efdcd62
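Review bot: the buster line now reads "(Vulnerable code not present; is_endpoint support added later)" while the stretch line gives a different reason for the same conclusion; a NOTE with the upstream commit that introduced the relevant code, next to the existing advisory links, would let someone re-check both claims without repeating the source comparison.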
[Git][security-tracker-team/security-tracker][master] Add grub2 to dla needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9a6597f0 by Salvatore Bonaccorso at 2022-11-16T09:32:27+01:00 Add grub2 to dla needed list - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -87,6 +87,9 @@ golang-websocket graphicsmagick NOTE: 20221027: Programming language: C. -- +grub2 (Salvatore Bonaccorso) + NOTE: 20221116: Maintainer prepared as well buster-security updates for release +-- hsqldb NOTE: 20221031: Programming language: Java. NOTE: 20221031: To be investigated further. A possible outcome is to ignore it. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a6597f0d579cd65074204c61fa451951cbc68d8
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2fb292f6 by Salvatore Bonaccorso at 2022-11-16T09:30:49+01:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15046,7 +15046,7 @@ CVE-2022-3234 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to CVE-2022-40754 (In Apache Airflow 2.3.0 through 2.3.4, there was an open redirect in t ...) - airflow (bug #819700) CVE-2022-40753 (IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scr ...) - TODO: check + NOT-FOR-US: IBM CVE-2022-40752 RESERVED CVE-2022-40751 @@ -21315,7 +21315,7 @@ CVE-2022-38387 (IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.2.0 coul CVE-2022-38386 RESERVED CVE-2022-38385 (IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.2.0 could allo ...) - TODO: check + NOT-FOR-US: IBM CVE-2022-38384 RESERVED CVE-2022-38383 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2fb292f63e905f933aaa88bc4a5535dd5577471e
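Review bot: both hunks resolve their entries as the bare "NOT-FOR-US: IBM" although the descriptions name the products (IBM InfoSphere Information Server, IBM Cloud Pak for Security); other NFU lines in this file name the product, so the same granularity here would keep the entries searchable.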
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-41916/heimdal which got retrospectively a CVE assigned
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4437527a by Salvatore Bonaccorso at 2022-11-16T09:26:41+01:00 Add CVE-2022-41916/heimdal which got retrospectively a CVE assigned - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12139,7 +12139,9 @@ CVE-2022-41918 (OpenSearch is a community-driven, open source fork of Elasticsea CVE-2022-41917 (OpenSearch is a community-driven, open source fork of Elasticsearch an ...) TODO: check CVE-2022-41916 (Heimdal is an implementation of ASN.1/DER, PKIX, and Kerberos. Version ...) - TODO: check + - heimdal (bug #1024187) + NOTE: https://github.com/heimdal/heimdal/security/advisories/GHSA-mgqr-gvh6-23cx + NOTE: https://github.com/heimdal/heimdal/commit/eb87af0c2d189c25294c7daf483a47b03af80c2c (heimdal-7.7.1) CVE-2022-41915 RESERVED CVE-2022-41914 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4437527a3927ee9ec36c4296b764f1c1883baf54
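Review bot: the hunk adds "- heimdal (bug #1024187)" with no fixed version and no suite annotations, while the NOTE points at the upstream commit tagged heimdal-7.7.1 and the commit message says the CVE was assigned retrospectively; record whether that fix is already in the Debian package (and in which version) so the entry does not sit as an open unstable issue. heimdal is already listed in dsa-needed.txt in the bullseye triage commit above, so the pending DSA should cover this CVE as well.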
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 589281fb by security tracker role at 2022-11-16T08:10:19+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,25 @@ +CVE-2022-43468 + RESERVED +CVE-2022-41783 + RESERVED +CVE-2022-4010 + RESERVED +CVE-2022-4009 + RESERVED +CVE-2022-4008 + RESERVED +CVE-2022-4007 + RESERVED +CVE-2022-4006 (A vulnerability, which was classified as problematic, has been found i ...) + TODO: check +CVE-2022-4005 + RESERVED +CVE-2022-4004 + RESERVED +CVE-2021-4241 (A vulnerability, which was classified as problematic, was found in php ...) + TODO: check +CVE-2021-4240 (A vulnerability, which was classified as problematic, was found in php ...) + TODO: check CVE-2022-45442 RESERVED CVE-2022-45441 
@@ -394,52 +416,52 @@ CVE-2022-45403 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/#CVE-2022-45403 CVE-2022-45402 (In Apache Airflow versions prior to 2.4.3, there was an open redirect ...) - airflow (bug #819700) -CVE-2022-45401 - RESERVED -CVE-2022-45400 - RESERVED -CVE-2022-45399 - RESERVED -CVE-2022-45398 - RESERVED -CVE-2022-45397 - RESERVED -CVE-2022-45396 - RESERVED -CVE-2022-45395 - RESERVED -CVE-2022-45394 - RESERVED -CVE-2022-45393 - RESERVED -CVE-2022-45392 - RESERVED -CVE-2022-45391 - RESERVED -CVE-2022-45390 - RESERVED -CVE-2022-45389 - RESERVED -CVE-2022-45388 - RESERVED -CVE-2022-45387 - RESERVED -CVE-2022-45386 - RESERVED -CVE-2022-45385 - RESERVED -CVE-2022-45384 - RESERVED -CVE-2022-45383 - RESERVED -CVE-2022-45382 - RESERVED -CVE-2022-45381 - RESERVED -CVE-2022-45380 - RESERVED -CVE-2022-45379 - RESERVED +CVE-2022-45401 (Jenkins Associated Files Plugin 0.2.1 and earlier does not escape name ...) + TODO: check +CVE-2022-45400 (Jenkins JAPEX Plugin 1.7 and earlier does not configure its XML parser ...) + TODO: check +CVE-2022-45399 (A missing permission check in Jenkins Cluster Statistics Plugin 0.4.6 ...) + TODO: check +CVE-2022-45398 (A cross-site request forgery (CSRF) vulnerability in Jenkins Cluster S ...) + TODO: check +CVE-2022-45397 (Jenkins OSF Builder Suite : : XML Linter Plugin 1.0.2 and earlier does ...) + TODO: check +CVE-2022-45396 (Jenkins SourceMonitor Plugin 0.2 and earlier does not configure its XM ...) + TODO: check +CVE-2022-45395 (Jenkins Plugin 0.6 and earlier does not configure its XML parser ...) + TODO: check +CVE-2022-45394 (A missing permission check in Jenkins Delete log Plugin 1.0 and earlie ...) + TODO: check +CVE-2022-45393 (A cross-site request forgery (CSRF) vulnerability in Jenkins Delete lo ...) + TODO: check +CVE-2022-45392 (Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and e ...) 
+ TODO: check +CVE-2022-45391 (Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and e ...) + TODO: check +CVE-2022-45390 (A missing permission check in Jenkins loader.io Plugin 1.0.1 and earli ...) + TODO: check +CVE-2022-45389 (A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier al ...) + TODO: check +CVE-2022-45388 (Jenkins Config Rotator Plugin 2.0.1 and earlier does not restrict a fi ...) + TODO: check +CVE-2022-45387 (Jenkins BART Plugin 1.0.3 and earlier does not escape the parsed conte ...) + TODO: check +CVE-2022-45386 (Jenkins Violations Plugin 0.7.11 and earlier does not configure its XM ...) + TODO: check +CVE-2022-45385 (A missing permission check in Jenkins CloudBees Docker Hub/Registry No ...) + TODO: check +CVE-2022-45384 (Jenkins Reverse Proxy Auth Plugin 1.7.3 and earlier stores the LDAP ma ...) + TODO: check +CVE-2022-45383 (An incorrect permission check in Jenkins Support Core Plugin 1206.v140 ...) + TODO: check +CVE-2022-45382 (Jenkins Naginator Plugin 1.18.1 and earlier does not escape display na ...) + TODO: check +CVE-2022-45381 (Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not rest ...) + TODO: check +CVE-2022-45380 (Jenkins JUnit Plugin 1159.v0b_396e1e07dd and earlier converts HTTP(S) ...) + TODO: check +CVE-2022-45379 (Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier store ...) + TODO: check CVE-2022-45378 (** UNSUPPORTED WHEN ASSIGNED ** In the default configuration of Apache ...) NOT-FOR-US: Apache SOAP CVE-2022-45377 @@ -1136,8 +1158,8 @@ CVE-2022-41659 RESERVED CVE-2022-3921 RESERVED -CVE-2022-3920 - RESERVED +CVE-2022-3920 (HashiCorp Consul and Consul Enterprise 1.13.0 up to 1.13.3 do not filt ...) + TODO