[Git][security-tracker-team/security-tracker][master] Add new moodle issues: CVE-2022-45149, CVE-2022-4515[0-2]
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5077e6ba by Salvatore Bonaccorso at 2022-11-23T08:08:46+01:00 Add new moodle issues: CVE-2022-45149, CVE-2022-4515[0-2] - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1968,12 +1968,16 @@ CVE-2022-45153 RESERVED CVE-2022-45152 RESERVED + - moodle CVE-2022-45151 RESERVED + - moodle CVE-2022-45150 RESERVED + - moodle CVE-2022-45149 RESERVED + - moodle CVE-2022-45148 RESERVED CVE-2022-45147 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5077e6ba278d4bb0764ae5bdad4fcc35c29a5812 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5077e6ba278d4bb0764ae5bdad4fcc35c29a5812 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
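Review bot: the four new moodle entries (CVE-2022-45149 through CVE-2022-45152) are added as a bare `- moodle` line under a still RESERVED ID, with no fixed version, no bug reference and no NOTE line, so a later triager cannot tell which moodle versions are affected or where the upstream fix is tracked. Consider adding a NOTE pointing at the upstream advisory for each, and the fixed unstable version once known, in the same form as other entries in this file (`- moodle <version>` plus `NOTE: <url>`).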
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-41858/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f94fc6ed by Salvatore Bonaccorso at 2022-11-23T08:05:28+01:00 Add CVE-2022-41858/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13254,6 +13254,10 @@ CVE-2022-41859 RESERVED CVE-2022-41858 RESERVED + - linux 5.17.6-1 + [bullseye] - linux 5.10.113-1 + [buster] - linux 4.19.249-1 + NOTE: https://git.kernel.org/linus/ec4eb8a86ade4d22633e1da2a7d85a846b7d1798 (5.18-rc2) CVE-2022-41857 RESERVED CVE-2022-41856 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f94fc6ede5615ea8ce3b3b54629abbff77c273e3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f94fc6ede5615ea8ce3b3b54629abbff77c273e3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3203-1 for nginx
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: cce5b8db by Markus Koschany at 2022-11-23T00:30:31+01:00 Reserve DLA-3203-1 for nginx - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -102703,7 +102703,6 @@ CVE-2021-35475 (SAS Environment Manager 2.5 allows XSS through the Name field wh CVE-2021-3618 (ALPACA is an application layer protocol content confusion attack, expl ...) - nginx 1.20.2-2 (bug #991328) [bullseye] - nginx 1.18.0-6.1+deb11u2 - [buster] - nginx (Minor issue) [stretch] - nginx (Minor issue) - vsftpd (bug #991329) [bullseye] - vsftpd (Minor issue) = data/DLA/list = @@ -1,3 +1,6 @@ +[23 Nov 2022] DLA-3203-1 nginx - security update + {CVE-2021-3618 CVE-2022-41741 CVE-2022-41742} + [buster] - nginx 1.14.2-2+deb10u5 [22 Nov 2022] DLA-3202-1 libarchive - security update {CVE-2019-19221 CVE-2021-23177 CVE-2021-31566} [buster] - libarchive 3.3.3-4+deb10u2 = data/dla-needed.txt = 
@@ -170,10 +170,6 @@ netatalk NOTE: 20220816: Programming language: C. NOTE: 20220912: We get errors in the log, not present on bookworm. Needs more investigation. (stefanor) -- -nginx (Markus Koschany) - NOTE: 2022: Programming language: C. - NOTE: 2022: Upcoming DSA + follow fixes from bullseye 11.4 (Beuc/front-desk) --- node-cached-path-relative NOTE: 2022: Programming language: JavaScript. NOTE: 2022: Follow fixes from bullseye 11.3 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cce5b8db805ffdb3d64fb059333bcdf52d6b2240 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cce5b8db805ffdb3d64fb059333bcdf52d6b2240 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
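Review bot: the new data/DLA/list entry covers CVE-2021-3618, CVE-2022-41741 and CVE-2022-41742, but the data/CVE/list hunk only drops the `[buster] - nginx (Minor issue)` line under CVE-2021-3618. Please confirm that the CVE-2022-41741 and CVE-2022-41742 entries carry no buster `(Minor issue)` annotation of their own, otherwise they would contradict the buster fixed version 1.14.2-2+deb10u5 now recorded for DLA-3203-1.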
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2022-36227/libarchive
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c378dccd by Salvatore Bonaccorso at 2022-11-22T22:47:13+01:00 Add Debian bug reference for CVE-2022-36227/libarchive - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28101,7 +28101,7 @@ CVE-2022-36229 CVE-2022-36228 RESERVED CVE-2022-36227 (In libarchive 3.6.1, the software does not check for an error after ca ...) - - libarchive + - libarchive (bug #1024669) [bullseye] - libarchive (Minor issue) NOTE: https://github.com/libarchive/libarchive/issues/1754 NOTE: https://github.com/libarchive/libarchive/pull/1759 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c378dccd0716b44ea0994e2bbc0e58616d7ec5d4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c378dccd0716b44ea0994e2bbc0e58616d7ec5d4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-36227/libarchive as no-dsa for bullseye
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b511020 by Salvatore Bonaccorso at 2022-11-22T22:41:16+01:00 Mark CVE-2022-36227/libarchive as no-dsa for bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28102,6 +28102,7 @@ CVE-2022-36228 RESERVED CVE-2022-36227 (In libarchive 3.6.1, the software does not check for an error after ca ...) - libarchive + [bullseye] - libarchive (Minor issue) NOTE: https://github.com/libarchive/libarchive/issues/1754 NOTE: https://github.com/libarchive/libarchive/pull/1759 NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/bff38efe8c110469c5080d387bec62a6ca15b1a5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b5110200b6228fdda6ef4fe860539d9cc0d0246 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b5110200b6228fdda6ef4fe860539d9cc0d0246 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b853d3b0 by Salvatore Bonaccorso at 2022-11-22T22:28:33+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13058,7 +13058,7 @@ CVE-2022-41952 (Synapse before 1.52.0 with URL preview functionality enabled wil CVE-2022-41951 RESERVED CVE-2022-41950 (super-xray is the GUI alternative for vulnerability scanning tool xray ...) - TODO: check + NOT-FOR-US: super-xray CVE-2022-41949 RESERVED CVE-2022-41948 @@ -13068,13 +13068,13 @@ CVE-2022-41947 CVE-2022-41946 RESERVED CVE-2022-41945 (super-xray is a vulnerability scanner (xray) GUI launcher. In version ...) - TODO: check + NOT-FOR-US: super-xray CVE-2022-41944 RESERVED CVE-2022-41943 (sourcegraph is a code intelligence platform. As a site admin it was po ...) - TODO: check + NOT-FOR-US: Sourcegraph CVE-2022-41942 (Sourcegraph is a code intelligence platform. In versions prior to 4.1. ...) - TODO: check + NOT-FOR-US: Sourcegraph CVE-2022-41941 RESERVED CVE-2022-41940 (Engine.IO is the implementation of transport-based cross-browser/cross ...) @@ -20174,15 +20174,15 @@ CVE-2022-39072 CVE-2022-39071 RESERVED CVE-2022-39070 (There is an access control vulnerability in some ZTE PON OLT products. ...) - TODO: check + NOT-FOR-US: ZTE CVE-2022-39069 (There is a SQL injection vulnerability in ZTE ZAIP-AIE. Due to lack of ...) NOT-FOR-US: ZTE CVE-2022-39068 RESERVED CVE-2022-39067 (There is a buffer overflow vulnerability in ZTE MF286R. Due to lack of ...) - TODO: check + NOT-FOR-US: ZTE CVE-2022-39066 (There is a SQL injection vulnerability in ZTE MF286R. Due to insuffici ...) - TODO: check + NOT-FOR-US: ZTE CVE-2022-39065 (A single malformed IEEE 802.15.4 (Zigbee) frame makes the TRÅDFRI ...) NOT-FOR-US: Ikea CVE-2022-39064 (An attacker sending a single malformed IEEE 802.15.4 (Zigbee) frame ma ...) 
@@ -22056,7 +22056,7 @@ CVE-2022-38464 CVE-2022-38463 (ServiceNow through San Diego Patch 4b and Patch 6 allows reflected XSS ...) NOT-FOR-US: ServiceNow CVE-2022-38462 (Silverstripe silverstripe/framework through 4.11 is vulnerable to XSS ...) - TODO: check + NOT-FOR-US: SilverStripe CMS CVE-2022-38450 (Adobe Acrobat Reader versions 22.002.20212 (and earlier) and 20.005.30 ...) NOT-FOR-US: Adobe CVE-2022-38449 (Adobe Acrobat Reader versions 22.002.20212 (and earlier) and 20.005.30 ...) @@ -23140,11 +23140,11 @@ CVE-2022-38151 CVE-2022-38149 (HashiCorp Consul Template up to 0.27.2, 0.28.2, and 0.29.1 may expose ...) NOT-FOR-US: Consul Template CVE-2022-38148 (Silverstripe silverstripe/framework through 4.11 allows SQL Injection. ...) - TODO: check + NOT-FOR-US: SilverStripe CMS CVE-2022-38147 RESERVED CVE-2022-38146 (Silverstripe silverstripe/framework through 4.11 allows XSS (issue 2 o ...) - TODO: check + NOT-FOR-US: SilverStripe CMS CVE-2022-38145 RESERVED CVE-2022-38133 (In JetBrains TeamCity before 2022.04.3 the private SSH key could be wr ...) @@ -30240,7 +30240,7 @@ CVE-2022-35409 (An issue was discovered in Mbed TLS before 2.28.1 and 3.x before CVE-2022-35408 (An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5. ...) NOT-FOR-US: Insyde CVE-2022-35407 (An issue was discovered in Insyde InsydeH2O with kernel 5.0 through 5. ...) - TODO: check + NOT-FOR-US: Insyde CVE-2022-35406 (A URL disclosure issue was discovered in Burp Suite before 2022.6. If ...) - burpsuite (bug #832943) CVE-2022-35405 (Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before ...) @@ -36615,7 +36615,7 @@ CVE-2022-33014 CVE-2022-33013 RESERVED CVE-2022-33012 (Microweber v1.2.15 was discovered to allow attackers to perform an acc ...) - TODO: check + NOT-FOR-US: microweber CVE-2022-33011 (Known v1.3.1+2020120201 was discovered to allow attackers to perform a ...) NOT-FOR-US: Known CVE-2022-33010 
@@ -44769,9 +44769,9 @@ CVE-2022-1585 (The Project Source Code Download WordPress plugin through 1.0.0 d CVE-2022-30259 RESERVED CVE-2022-30258 (An issue was discovered in Technitium DNS Server through 8.0.2 that al ...) - TODO: check + NOT-FOR-US: Technitium DNS Server CVE-2022-30257 (An issue was discovered in Technitium DNS Server through 8.0.2 that al ...) - TODO: check + NOT-FOR-US: Technitium DNS Server CVE-2022-30256 (An issue was discovered in MaraDNS Deadwood through 3.5.0021 that allo ...) - maradns NOTE: https://maradns.samiam.org/security.html#CVE-2022-30256 @@ -52878,7 +52878,7 @@ CVE-2022-1040 (An authentication bypass vulnerabili
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-3910/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6432744c by Salvatore Bonaccorso at 2022-11-22T21:45:25+01:00 Add CVE-2022-3910/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2235,7 +2235,10 @@ CVE-2022-3912 CVE-2022-3911 RESERVED CVE-2022-3910 (Use After Free vulnerability in Linux Kernel allows Privilege Escalati ...) - TODO: check + - linux 5.19.11-1 + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/fc7222c3a9f56271fba02aabbfbae999042f1679 (6.0-rc6) CVE-2022-3909 RESERVED CVE-2022-45063 (xterm before 375 allows code execution via font ops, e.g., because an ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6432744c5887c43a7af7101da598803f59b69906 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6432744c5887c43a7af7101da598803f59b69906 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-41952/matrix-synapse
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c897b5e5 by Salvatore Bonaccorso at 2022-11-22T21:34:25+01:00 Add CVE-2022-41952/matrix-synapse - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13047,7 +13047,11 @@ CVE-2022-41954 CVE-2022-41953 RESERVED CVE-2022-41952 (Synapse before 1.52.0 with URL preview functionality enabled will atte ...) - TODO: check + - matrix-synapse 1.53.0-1 + NOTE: https://github.com/matrix-org/synapse/security/advisories/GHSA-4822-jvwx-w47h + NOTE: https://github.com/matrix-org/synapse/pull/11784 + NOTE: https://github.com/matrix-org/synapse/pull/11936 + NOTE: First bugfix in 1.52.0 but 1.53.0 does fully fix the issue. CVE-2022-41951 RESERVED CVE-2022-41950 (super-xray is the GUI alternative for vulnerability scanning tool xray ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c897b5e5aa9cf03002628ea9e8d12ba95feca39c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c897b5e5aa9cf03002628ea9e8d12ba95feca39c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
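Review bot: the last added NOTE ("First bugfix in 1.52.0 but 1.53.0 does fully fix the issue.") reads ambiguously about whether 1.52.x is still affected. Since the fixed version recorded is 1.53.0-1, a wording such as "Partial fix in 1.52.0; fully fixed in 1.53.0" states the same thing unambiguously and matches the two PR references above it.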
[Git][security-tracker-team/security-tracker][master] Track two CVEs for backdrop, itp'ed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 80952d92 by Salvatore Bonaccorso at 2022-11-22T21:29:54+01:00 Track two CVEs for backdrop, itp'ed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12732,13 +12732,13 @@ CVE-2022-42099 CVE-2022-42098 (KLiK SocialMediaWebsite version v1.0.1 is vulnerable to SQL Injection ...) NOT-FOR-US: KLiK SocialMediaWebsite CVE-2022-42097 (Backdrop CMS version 1.23.0 was discovered to contain a stored cross-s ...) - TODO: check + - backdrop (bug #914257) CVE-2022-42096 (Backdrop CMS version 1.23.0 was discovered to contain a stored cross-s ...) - backdrop (bug #914257) CVE-2022-42095 RESERVED CVE-2022-42094 (Backdrop CMS version 1.23.0 was discovered to contain a stored cross-s ...) - TODO: check + - backdrop (bug #914257) CVE-2022-42093 RESERVED CVE-2022-42092 (Backdrop CMS 1.22.0 has Unrestricted File Upload vulnerability via 'th ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/80952d92d7d5914544a1e6aef362040fd5decbc5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/80952d92d7d5914544a1e6aef362040fd5decbc5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2022-24590: Associate with backdrop, itp'ed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 50888da3 by Salvatore Bonaccorso at 2022-11-22T21:28:58+01:00 Update information for CVE-2022-24590: Associate with backdrop, itp'ed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -61509,7 +61509,7 @@ CVE-2022-24592 CVE-2022-24591 RESERVED CVE-2022-24590 (A stored cross-site scripting (XSS) vulnerability in the Add Link func ...) - NOT-FOR-US: BackdropCMS + - backdrop (bug #914257) CVE-2022-24589 (Burden v3.0 was discovered to contain a stored cross-site scripting (X ...) NOT-FOR-US: Burden CVE-2022-24588 (Flatpress v1.2.1 was discovered to contain a cross-site scripting (XSS ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50888da3c1ebe923f8e529af72b60dc9bbfbada3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50888da3c1ebe923f8e529af72b60dc9bbfbada3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8e24fb18 by Salvatore Bonaccorso at 2022-11-22T21:28:06+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33,7 +33,7 @@ CVE-2022-4118 CVE-2022-4117 RESERVED CVE-2022-4116 (A vulnerability was found in quarkus. This security flaw happens in De ...) - TODO: check + NOT-FOR-US: Quarkus CVE-2022-4115 RESERVED CVE-2022- [rust-atty: Potential unaligned read] @@ -1456,7 +1456,7 @@ CVE-2022-45365 CVE-2022-45364 RESERVED CVE-2022-45363 (Auth. (subscriber+) Stored Cross-Site Scripting (XSS) in Muffingroup B ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-45362 RESERVED CVE-2022-45361 @@ -2867,21 +2867,21 @@ CVE-2022-44810 CVE-2022-44809 RESERVED CVE-2022-44808 (A command injection vulnerability has been found on D-Link DIR-823G de ...) - TODO: check + NOT-FOR-US: D-Link CVE-2022-44807 (D-Link DIR-882 1.10B02 and 1.20B06 is vulnerable to Buffer Overflow vi ...) - TODO: check + NOT-FOR-US: D-Link CVE-2022-44806 (D-Link DIR-882 1.10B02 and 1.20B06 is vulnerable to Buffer Overflow. ...) - TODO: check + NOT-FOR-US: D-Link CVE-2022-44805 RESERVED CVE-2022-44804 (D-Link DIR-882 1.10B02 and1.20B06 is vulnerable to Buffer Overflow via ...) - TODO: check + NOT-FOR-US: D-Link CVE-2022-44803 RESERVED CVE-2022-44802 RESERVED CVE-2022-44801 (D-Link DIR-878 1.02B05 is vulnerable to Incorrect Access Control. ...) - TODO: check + NOT-FOR-US: D-Link CVE-2022-44800 RESERVED CVE-2022-44799 
@@ -5503,43 +5503,43 @@ CVE-2022-44204 (D-Link DIR3060 DIR3060A1_FW111B04.bin is vulnerable to Buffer Ov CVE-2022-44203 RESERVED CVE-2022-44202 (D-Link DIR878 1.02B04 and 1.02B05 are vulnerable to Buffer Overflow. ...) - TODO: check + NOT-FOR-US: D-Link CVE-2022-44201 (D-Link DIR823G 1.02B05 is vulnerable to Commad Injection. ...) - TODO: check + NOT-FOR-US: D-Link CVE-2022-44200 (Netgear R7000P V1.3.0.8, V1.3.1.64 is vulnerable to Buffer Overflow vi ...) - TODO: check + NOT-FOR-US: Netgear CVE-2022-44199 (Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via paramete ...) - TODO: check + NOT-FOR-US: Netgear CVE-2022-44198 (Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via paramete ...) - TODO: check + NOT-FOR-US: Netgear CVE-2022-44197 (Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow via parameter ...) - TODO: check + NOT-FOR-US: Netgear CVE-2022-44196 (Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow via parameter ...) - TODO: check + NOT-FOR-US: Netgear CVE-2022-44195 RESERVED CVE-2022-44194 (Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow via parameter ...) - TODO: check + NOT-FOR-US: Netgear CVE-2022-44193 (Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow in /usr/sbin ...) - TODO: check + NOT-FOR-US: Netgear CVE-2022-44192 RESERVED CVE-2022-44191 (Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via paramete ...) - TODO: check + NOT-FOR-US: Netgear CVE-2022-44190 (Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via paramete ...) - TODO: check + NOT-FOR-US: Netgear CVE-2022-44189 RESERVED CVE-2022-44188 (Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow in /usr/sbin/ ...) - TODO: check + NOT-FOR-US: Netgear CVE-2022-44187 (Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow via wan_dns1_ ...) - TODO: check + NOT-FOR-US: Netgear CVE-2022-44186 (Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow in /usr/sbin ...) 
- TODO: check + NOT-FOR-US: Netgear CVE-2022-44185 RESERVED CVE-2022-44184 (Netgear R7000P V1.3.0.8 is vulnerable to Buffer Overflow in /usr/sbin/ ...) - TODO: check + NOT-FOR-US: Netgear CVE-2022-44183 (Tenda AC18 V15.03.05.19 is vulnerable to Buffer Overflow via function ...) NOT-FOR-US: Tenda CVE-2022-44182 @@ -9807,7 +9807,7 @@ CVE-2022-43214 (Billing System Project v1.0 was discovered to contain a SQL inje CVE-2022-43213 RESERVED CVE-2022-43212 (Billing System Project v1.0 was discovered to contain a SQL injection ...) - TODO: check + NOT-FOR-US: Billing System Project CVE-2022-43211 RESERVED CVE-2022-43210 @@ -10280,7 +10280,7 @@ CVE-2022-42991 (A stored cross-site scripting (XSS) vulnerability in Simple Onli CVE-2022-42990 (Food Ordering Management System v1.0 was discovered to contain a SQL i ...) NOT-FOR-US: Food Ordering Management System CVE-2022-42989 (ERP Sankhya before v4.11b81 was discovered to contain a
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eb8083b2 by Salvatore Bonaccorso at 2022-11-22T21:19:10+01:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3037,7 +3037,7 @@ CVE-2022-44739 CVE-2022-44738 RESERVED CVE-2022-44737 (Multiple Cross-Site Request Forgery vulnerabilities in All-In-One Secu ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-44736 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Cham ...) NOT-FOR-US: WordPress plugin CVE-2022-44735 @@ -17344,7 +17344,7 @@ CVE-2022-40230 ("IBM MQ Appliance 9.2 CD, 9.2 LTS, 9.3 CD, and LTS 9.3 does not CVE-2022-40229 RESERVED CVE-2022-40228 (IBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0 ...) - TODO: check + NOT-FOR-US: IBM CVE-2022-40227 (A vulnerability has been identified in SIMATIC HMI Comfort Panels (inc ...) NOT-FOR-US: Siemens CVE-2022-40226 (A vulnerability has been identified in SICAM P850 (All versions < V ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb8083b2bda17692452143ce239b40488261e8d3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb8083b2bda17692452143ce239b40488261e8d3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6d0430c6 by security tracker role at 2022-11-22T20:10:25+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,41 @@ +CVE-2022-45797 + RESERVED +CVE-2022-45796 + RESERVED +CVE-2022-45795 + RESERVED +CVE-2022-45794 + RESERVED +CVE-2022-45793 + RESERVED +CVE-2022-45792 + RESERVED +CVE-2022-45791 + RESERVED +CVE-2022-45790 + RESERVED +CVE-2022-45789 + RESERVED +CVE-2022-45788 + RESERVED +CVE-2022-45787 + RESERVED +CVE-2022-45786 + RESERVED +CVE-2022-4121 + RESERVED +CVE-2022-4120 + RESERVED +CVE-2022-4119 + RESERVED +CVE-2022-4118 + RESERVED +CVE-2022-4117 + RESERVED +CVE-2022-4116 (A vulnerability was found in quarkus. This security flaw happens in De ...) + TODO: check +CVE-2022-4115 + RESERVED CVE-2022- [rust-atty: Potential unaligned read] - rust-atty (Windows-specific) NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0145.html @@ -1417,8 +1455,8 @@ CVE-2022-45365 RESERVED CVE-2022-45364 RESERVED -CVE-2022-45363 - RESERVED +CVE-2022-45363 (Auth. (subscriber+) Stored Cross-Site Scripting (XSS) in Muffingroup B ...) + TODO: check CVE-2022-45362 RESERVED CVE-2022-45361 @@ -2196,8 +2234,8 @@ CVE-2022-3912 RESERVED CVE-2022-3911 RESERVED -CVE-2022-3910 - RESERVED +CVE-2022-3910 (Use After Free vulnerability in Linux Kernel allows Privilege Escalati ...) + TODO: check CVE-2022-3909 RESERVED CVE-2022-45063 (xterm before 375 allows code execution via font ops, e.g., because an ...) 
@@ -2828,22 +2866,22 @@ CVE-2022-44810 RESERVED CVE-2022-44809 RESERVED -CVE-2022-44808 - RESERVED -CVE-2022-44807 - RESERVED -CVE-2022-44806 - RESERVED +CVE-2022-44808 (A command injection vulnerability has been found on D-Link DIR-823G de ...) + TODO: check +CVE-2022-44807 (D-Link DIR-882 1.10B02 and 1.20B06 is vulnerable to Buffer Overflow vi ...) + TODO: check +CVE-2022-44806 (D-Link DIR-882 1.10B02 and 1.20B06 is vulnerable to Buffer Overflow. ...) + TODO: check CVE-2022-44805 RESERVED -CVE-2022-44804 - RESERVED +CVE-2022-44804 (D-Link DIR-882 1.10B02 and1.20B06 is vulnerable to Buffer Overflow via ...) + TODO: check CVE-2022-44803 RESERVED CVE-2022-44802 RESERVED -CVE-2022-44801 - RESERVED +CVE-2022-44801 (D-Link DIR-878 1.02B05 is vulnerable to Incorrect Access Control. ...) + TODO: check CVE-2022-44800 RESERVED CVE-2022-44799 @@ -2998,8 +3036,8 @@ CVE-2022-44739 RESERVED CVE-2022-44738 RESERVED -CVE-2022-44737 - RESERVED +CVE-2022-44737 (Multiple Cross-Site Request Forgery vulnerabilities in All-In-One Secu ...) + TODO: check CVE-2022-44736 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Cham ...) NOT-FOR-US: WordPress plugin CVE-2022-44735 @@ -4280,6 +4318,7 @@ CVE-2022-44641 (In Linaro Automated Validation Architecture (LAVA) before 2022.1 NOTE: https://git.lavasoftware.org/lava/lava/-/commit/1bee0f8957741582c2bed800974f31439c6f3ff5 (2022.11) CVE-2022-44640 [Invalid free in ASN.1 codec] RESERVED + {DSA-5287-1} - heimdal (bug #1024187) NOTE: https://github.com/heimdal/heimdal/security/advisories/GHSA-88pm-hfmq-7vv4 NOTE: https://github.com/heimdal/heimdal/commit/ea5ec8f174920cb80ce2b168b49195378420449e (heimdal-7.7.1) 
@@ -4587,7 +4626,7 @@ CVE-2022-44579 RESERVED CVE-2022-44578 RESERVED -CVE-2022-44577 (Auth. CSV Injection vulnerability in Export Users With Meta plugin < ...) +CVE-2022-44577 (This CVE ID has been rejected or withdrawn by its CVE Numbering Author ...) NOT-FOR-US: WordPress plugin CVE-2022-44576 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Agen ...) NOT-FOR-US: WordPress plugin @@ -5463,44 +5502,44 @@ CVE-2022-44204 (D-Link DIR3060 DIR3060A1_FW111B04.bin is vulnerable to Buffer Ov NOT-FOR-US: D-Link CVE-2022-44203 RESERVED -CVE-2022-44202 - RESERVED -CVE-2022-44201 - RESERVED -CVE-2022-44200 - RESERVED -CVE-2022-44199 - RESERVED -CVE-2022-44198 - RESERVED -CVE-2022-44197 - RESERVED -CVE-2022-44196 - RESERVED +CVE-2022-44202 (D-Link DIR878 1.02B04 and 1.02B05 are vulnerable to Buffer Overflow. ...) + TODO: check +CVE-2022-44201 (D-Link DIR823G 1.02B05 is vulnerable to Commad Injection. ...) + TODO: check +CVE-2022-44200 (Netgear R7000P V1.3.0.8, V1.3.1.64 is vulnerable to Buffer Overflow vi ...) + TODO: check +CVE-2022-44199 (Netgear R7000P V1.3.1.64 is vulnerable to Buffer Overflow via paramete ...) +
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for heimdal update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e150f200 by Salvatore Bonaccorso at 2022-11-22T20:37:52+01:00 Reserve DSA number for heimdal update - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -97189,7 +97189,6 @@ CVE-2021-37715 (A remote cross-site scripting (XSS) vulnerability was discovered NOT-FOR-US: Aruba CVE-2021-3671 (A null pointer de-reference was found in the way samba kerberos server ...) - heimdal 7.7.0+dfsg-3 (bug #996586) - [bullseye] - heimdal (Minor issue) [buster] - heimdal (Minor issue) [stretch] - heimdal (Minor issue) - samba 2:4.13.13+dfsg-1 = data/DSA/list = @@ -1,3 +1,6 @@ +[22 Nov 2022] DSA-5287-1 heimdal - security update + {CVE-2021-3671 CVE-2021-44758 CVE-2022-3437 CVE-2022-41916 CVE-2022-42898 CVE-2022-44640} + [bullseye] - heimdal 7.7.0+dfsg-2+deb11u2 [19 Nov 2022] DSA-5286-1 krb5 - security update {CVE-2022-42898} [bullseye] - krb5 1.18.3-6+deb11u3 = data/dsa-needed.txt = @@ -18,8 +18,6 @@ frr -- gerbv -- -heimdal (carnil) --- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v5.10.y versions View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e150f200e4557c27f9b07d182870cbbed153fb3b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e150f200e4557c27f9b07d182870cbbed153fb3b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
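Review bot: the data/CVE/list hunk removes the `[bullseye] - heimdal (Minor issue)` line only under CVE-2021-3671, while the new DSA-5287-1 entry also lists CVE-2021-44758, CVE-2022-3437, CVE-2022-41916, CVE-2022-42898 and CVE-2022-44640. Please confirm that none of those five entries still carries a bullseye `(Minor issue)` annotation that would conflict with the bullseye fixed version 7.7.0+dfsg-2+deb11u2 recorded in data/DSA/list.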
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3202-1 for libarchive
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 65152569 by Sylvain Beucler at 2022-11-22T15:39:06+01:00 Reserve DLA-3202-1 for libarchive - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -73415,7 +73415,6 @@ CVE-2021-31566 (An improper link resolution flaw can occur while extracting an a {DLA-2987-1} - libarchive 3.5.2-1 (bug #1001990) [bullseye] - libarchive 3.4.3-2+deb11u1 - [buster] - libarchive (Minor issue) NOTE: https://github.com/libarchive/libarchive/issues/1566 NOTE: https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043 (v3.5.2) NOTE: https://github.com/libarchive/libarchive/commit/e2ad1a2c3064fa9eba6274b3641c4c1beed25c0b (v3.5.2) @@ -73423,7 +73422,6 @@ CVE-2021-23177 (An improper link resolution flaw while extracting an archive can {DLA-2987-1} - libarchive 3.5.2-1 (bug #1001986) [bullseye] - libarchive 3.4.3-2+deb11u1 - [buster] - libarchive (Minor issue) NOTE: https://github.com/libarchive/libarchive/issues/1565 NOTE: https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad (v3.5.2) CVE-2022-21943 @@ -221421,7 +221419,6 @@ CVE-2019-19222 (A Stored XSS issue in the D-Link DSL-2680 web administration int CVE-2019-19221 (In Libarchive 3.4.0, archive_wstring_append_from_mbs in archive_string ...) {DLA-2987-1} - libarchive 3.4.2-1 (bug #945287) - [buster] - libarchive (Minor issue) [jessie] - libarchive (Minor issue) NOTE: https://github.com/libarchive/libarchive/commit/22b1db9d46654afc6f0c28f90af8cdc84a199f41 NOTE: https://github.com/libarchive/libarchive/issues/1276 = data/DLA/list = @@ -1,3 +1,6 @@ +[22 Nov 2022] DLA-3202-1 libarchive - security update + {CVE-2019-19221 CVE-2021-23177 CVE-2021-31566} + [buster] - libarchive 3.3.3-4+deb10u2 [22 Nov 2022] DLA-3201-1 ntfs-3g - security update {CVE-2022-40284} [buster] - ntfs-3g 1:2017.3.23AR.3-3+deb10u3 = data/dla-needed.txt = 
@@ -122,10 +122,6 @@ krb5 (Chris Lamb) libapreq2 NOTE: 20221031: Programming language: C. -- -libarchive (Sylvain Beucler) - NOTE: 2022: Programming language: C. - NOTE: 2022: Sync with jessie/stretch/bullseye-11.3 (Beuc/front-desk) --- libcommons-jxpath-java NOTE: 20221027: Programming language: Java. NOTE: 20221027: Maintainer notes: Wait for the outcome of upstream discussion. See CVE-2022-41852 for pull requests. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/65152569c75cc7c40720ec04d273bee705fcc9d5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/65152569c75cc7c40720ec04d273bee705fcc9d5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] rust-atty n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b7e5ca61 by Moritz Muehlenhoff at 2022-11-22T15:19:52+01:00 rust-atty n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,6 @@ +CVE-2022- [rust-atty: Potential unaligned read] + - rust-atty (Windows-specific) + NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0145.html CVE-2022-45785 RESERVED CVE-2022-45784 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7e5ca614cce8e52f751ecc68e504e63bcfe9148 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7e5ca614cce8e52f751ecc68e504e63bcfe9148 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
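Review bot: the new entry is keyed as `CVE-2022-` with no number, and the only reference given is RUSTSEC-2021-0145, a 2021 advisory; if no CVE id is expected for this issue, a NOTE stating that the id is unassigned would help whoever later reconciles the placeholder, and if one is expected the NOTE should say where it is being requested. The package line reads `- rust-atty (Windows-specific)` in this mail rendering, with no status tag visible between the package name and the parenthetical reason, so the recorded status should be checked on the linked commit rather than inferred from this text.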
[Git][security-tracker-team/security-tracker][master] CVE-2022-37026,erlang: Link to Debian bug
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 78a35fe5 by Markus Koschany at 2022-11-22T14:41:02+01:00 CVE-2022-37026,erlang: Link to Debian bug - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25928,7 +25928,7 @@ CVE-2022-37028 (ISAMS 22.2.3.2 is prone to stored Cross-site Scripting (XSS) att CVE-2022-37027 (Ahsay AhsayCBS 9.1.4.0 allows an authenticated system user to inject a ...) NOT-FOR-US: Ahsay AhsayCBS CVE-2022-37026 (In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before ...) - - erlang 1:24.3.4.5+dfsg-1 + - erlang 1:24.3.4.5+dfsg-1 (bug #1024632) [bullseye] - erlang (Minor issue) [buster] - erlang (Minor issue) NOTE: https://erlangforums.com/t/otp-25-1-released/1854 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78a35fe50d43b4a1540be25ce57f5966b369c30d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78a35fe50d43b4a1540be25ce57f5966b369c30d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-36227/libarchive
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e12857e6 by Salvatore Bonaccorso at 2022-11-22T11:14:23+01:00 Add CVE-2022-36227/libarchive - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28055,7 +28055,10 @@ CVE-2022-36229 CVE-2022-36228 RESERVED CVE-2022-36227 (In libarchive 3.6.1, the software does not check for an error after ca ...) - TODO: check + - libarchive + NOTE: https://github.com/libarchive/libarchive/issues/1754 + NOTE: https://github.com/libarchive/libarchive/pull/1759 + NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/bff38efe8c110469c5080d387bec62a6ca15b1a5 CVE-2022-36226 (SiteServerCMS 5.X has a Remote-download-Getshell-vulnerability via /Si ...) NOT-FOR-US: SiteServerCMS CVE-2022-36225 (EyouCMS V1.5.8-UTF8-SP1 is vulnerable to Cross Site Request Forgery (C ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e12857e62bcc6ff50df3e1cc80cf2c0bd75dcb99 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e12857e62bcc6ff50df3e1cc80cf2c0bd75dcb99 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
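Review bot: the replacement line `- libarchive` records the issue as open in unstable with no fixed version, and the hunk adds no `[bullseye]` or `[buster]` lines, so the triage for the stable suites (no-dsa versus needing an update) is still missing for CVE-2022-36227; since the `Fixed by:` NOTE already names the upstream commit bff38efe8c110469c5080d387bec62a6ca15b1a5 from pull request 1759, the next step is to check which Debian versions carry it and add those suite lines. Any status tag on the `- libarchive` line is not visible in this mail rendering, so confirm it on the linked commit.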
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: de1d3186 by Salvatore Bonaccorso at 2022-11-22T10:48:55+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13035,9 +13035,9 @@ CVE-2022-41939 (knative.dev/func is is a client library and CLI enabling the dev CVE-2022-41938 (Flarum is an open source discussion platform. Flarum's page title syst ...) NOT-FOR-US: Flarum CVE-2022-41937 (XWiki Platform is a generic wiki platform offering runtime services fo ...) - TODO: check + NOT-FOR-US: XWiki CVE-2022-41936 (XWiki Platform is a generic wiki platform offering runtime services fo ...) - TODO: check + NOT-FOR-US: XWiki CVE-2022-41935 RESERVED CVE-2022-41934 @@ -14642,7 +14642,7 @@ CVE-2022-3283 (A potential DOS vulnerability was discovered in GitLab CE/EE affe CVE-2022-3282 (The Drag and Drop Multiple File Upload WordPress plugin before 1.3.6.5 ...) NOT-FOR-US: WordPress plugin CVE-2022-41326 (The web conferencing component of Mitel MiCollab through 9.6.0.13 coul ...) - TODO: check + NOT-FOR-US: Mitel CVE-2022-41325 RESERVED CVE-2022-41324 @@ -14863,7 +14863,7 @@ CVE-2022-41257 CVE-2022-41256 RESERVED CVE-2022-41223 (The Director database component of MiVoice Connect through 19.3 (22.22 ...) - TODO: check + NOT-FOR-US: Mitel CVE-2022-41221 RESERVED CVE-2022-40224 @@ -15377,7 +15377,7 @@ CVE-2022-41032 (NuGet Client Elevation of Privilege Vulnerability. ...) CVE-2022-41031 (Microsoft Word Remote Code Execution Vulnerability. ...) NOT-FOR-US: Microsoft CVE-2022-40129 (A use-after-free vulnerability exists in the JavaScript engine of Foxi ...) - TODO: check + NOT-FOR-US: Foxit CVE-2022-41030 RESERVED CVE-2022-41029 
@@ -15797,7 +15797,7 @@ CVE-2022-40844 (In Tenda (Shenzhen Tenda Technology Co., Ltd) AC1200 Router mode CVE-2022-40843 (The Tenda AC1200 V-W15Ev2 V15.11.0.10(1576) router is vulnerable to im ...) NOT-FOR-US: Tenda CVE-2022-40842 (ndk design NdkAdvancedCustomizationFields 3.5.0 is vulnerable to Serve ...) - TODO: check + NOT-FOR-US: NdkAdvancedCustomizationFields CVE-2022-40841 RESERVED CVE-2022-40840 (ndk design NdkAdvancedCustomizationFields 3.5.0 is vulnerable to Cross ...) @@ -15954,7 +15954,7 @@ CVE-2022-40767 CVE-2022-40766 (Modern Campus Omni CMS (formerly OU Campus) 10.2.4 allows login-page S ...) NOT-FOR-US: Modern Campus Omni CMS (formerly OU Campus) CVE-2022-40765 (A vulnerability in the Edge Gateway component of Mitel MiVoice Connect ...) - TODO: check + NOT-FOR-US: Mitel CVE-2022-40764 (Snyk CLI before 1.996.0 allows arbitrary command execution, affecting ...) NOT-FOR-US: Snyk CLI CVE-2022-3236 (A code injection vulnerability in the User Portal and Webadmin allows ...) @@ -16322,11 +16322,11 @@ CVE-2022-40634 (Improper Control of Dynamically-Managed Code Resources vulnerabi CVE-2022-40631 (A vulnerability has been identified in SCALANCE X200-4P IRT (All versi ...) NOT-FOR-US: Siemens CVE-2022-38097 (A use-after-free vulnerability exists in the JavaScript engine of Foxi ...) - TODO: check + NOT-FOR-US: Foxit CVE-2022-37332 (A use-after-free vulnerability exists in the JavaScript engine of Foxi ...) - TODO: check + NOT-FOR-US: Foxit CVE-2022-32774 (A use-after-free vulnerability exists in the JavaScript engine of Foxi ...) - TODO: check + NOT-FOR-US: Foxit CVE-2022-3209 (The soledad WordPress theme before 8.2.5 does not sanitise the {id,dat ...) NOT-FOR-US: WordPress theme CVE-2022-3208 (The Simple File List WordPress plugin before 4.4.12 does not implement ...) 
@@ -16471,7 +16471,7 @@ CVE-2022-40604 (In Apache Airflow 2.3.0 through 2.3.4, part of a url was unneces CVE-2022-40603 RESERVED CVE-2022-40602 (A flaw in the Zyxel LTE3301-M209 firmware verisons prior to V1.00(ABLG ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2022-40601 RESERVED CVE-2022-40600 @@ -16758,7 +16758,7 @@ CVE-2022-40472 (ZKTeco Xiamen Information Technology ZKBio Time 8.0.7 Build: 202 CVE-2022-40471 (Remote Code Execution in Clinic's Patient Management System v 1.0 allo ...) NOT-FOR-US: Clinic's Patient Management System CVE-2022-40470 (Phpgurukul Blood Donor Management System 1.0 allows Cross Site Scripti ...) - TODO: check + NOT-FOR-US: Phpgurukul Blood Donor Management System CVE-2022-40469 (iKuai OS v3.6.7 was discovered to contain an authenticated remote code ...) NOT-FOR-US: iKuai8 CVE-2022-40468 (Potential leak of left-over heap data if custom error page templates c ...) @@ -23609,7 +23609,7 @@ CVE-2022-37933 CVE-2022-37932 RESERVED CVE-2022-37931 (A vulnerability in NetBatch-Plus s
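Review bot: the `@@ -23609,7 +23609,7 @@` hunk for CVE-2022-37931 is cut off in this rendering after `(A vulnerability in NetBatch-Plus s`, so its `-`/`+` lines cannot be reviewed from the mail and must be checked on the linked commit. For the hunks that are visible, every `TODO: check` is replaced by a `NOT-FOR-US:` line naming the vendor or product, and the naming is consistent across the repeated vendors (Mitel for CVE-2022-41326, CVE-2022-41223 and CVE-2022-40765; Foxit for CVE-2022-40129, CVE-2022-38097, CVE-2022-37332 and CVE-2022-32774); one small point: CVE-2022-40842 is tagged `NOT-FOR-US: NdkAdvancedCustomizationFields` while its neighbour CVE-2022-40840 for the same product appears only as context, so make sure both entries end up with the same label.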
[Git][security-tracker-team/security-tracker][master] Add new airflow CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 169b987b by Salvatore Bonaccorso at 2022-11-22T09:43:06+01:00 Add new airflow CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15173,6 +15173,7 @@ CVE-2016-20015 (In the ebuild package through smokeping-2.7.3-r1 for SmokePing o NOT-FOR-US: ebuild package for SmokePing on Gentoo CVE-2022-41131 RESERVED + - airflow (bug #819700) CVE-2022-41130 RESERVED CVE-2022-41129 @@ -15543,6 +15544,7 @@ CVE-2022-40955 (In versions of Apache InLong prior to 1.3.0, an attacker with su NOT-FOR-US: Apache InLong CVE-2022-40954 RESERVED + - airflow (bug #819700) CVE-2022-40701 RESERVED CVE-2022-40220 @@ -17322,6 +17324,7 @@ CVE-2022-40191 (Authenticated (subscriber+) Stored Cross-Site Scripting (XSS) vu NOT-FOR-US: WordPress plugin CVE-2022-40189 RESERVED + - airflow (bug #819700) CVE-2022-40132 (Cross-Site Request Forgery (CSRF) vulnerability in Seriously Simple Po ...) NOT-FOR-US: WordPress plugin CVE-2022-38976 @@ -21428,6 +21431,7 @@ CVE-2022-38650 (** UNSUPPORTED WHEN ASSIGNED ** A remote unauthenticated insecur NOT-FOR-US: VMware CVE-2022-38649 RESERVED + - airflow (bug #819700) CVE-2022-38648 (Server-Side Request Forgery (SSRF) vulnerability in Batik of Apache XM ...) - batik 1.15+dfsg-1 (bug #1020589) [bullseye] - batik (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/169b987b35fe3923e45fcdedd1a7a7b1c63bb32e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/169b987b35fe3923e45fcdedd1a7a7b1c63bb32e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
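Review bot: all four entries (CVE-2022-41131, CVE-2022-40954, CVE-2022-40189, CVE-2022-38649) are still `RESERVED` with no description, and each gains the same line `- airflow (bug #819700)`; with no description and no NOTE, nothing in the tracker records why these ids map to airflow, so a NOTE per entry pointing at the upstream advisory that lists them would make the association verifiable once the CVEs are published. As elsewhere in this mail, any status tag on the airflow line is not shown in the rendering and should be checked on the linked commit.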
[Git][security-tracker-team/security-tracker][master] Associate three Backdrop CMS CVEs with backdrop itp'ed entry
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b611f9c by Salvatore Bonaccorso at 2022-11-22T09:40:15+01:00 Associate three Backdrop CMS CVEs with backdrop itp'ed entry - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12700,7 +12700,7 @@ CVE-2022-42094 CVE-2022-42093 RESERVED CVE-2022-42092 (Backdrop CMS 1.22.0 has Unrestricted File Upload vulnerability via 'th ...) - NOT-FOR-US: Backdrop CMS + - backdrop (bug #914257) CVE-2022-42091 RESERVED CVE-2022-42090 @@ -32704,7 +32704,7 @@ CVE-2022-34532 CVE-2022-34531 (DedeCMS v5.7.95 was discovered to contain a remote code execution (RCE ...) NOT-FOR-US: DedeCMS CVE-2022-34530 (An issue in the login and reset password functionality of Backdrop CMS ...) - NOT-FOR-US: Backdrop CMS + - backdrop (bug #914257) CVE-2022-34529 (WASM3 v0.5.0 was discovered to contain a segmentation fault via the co ...) NOT-FOR-US: WASM3 CVE-2022-34528 (D-Link DSL-3782 v1.03 and below was discovered to contain a stack over ...) @@ -72737,7 +72737,7 @@ CVE-2021-45270 CVE-2021-45269 RESERVED CVE-2021-45268 (** DISPUTED ** A Cross Site Request Forgery (CSRF) vulnerability exist ...) - NOT-FOR-US: Backdrop CMS + - backdrop (bug #914257) CVE-2021-45267 (An invalid memory address dereference vulnerability exists in gpac 1.1 ...) - gpac 2.0.0+dfsg1-2 [buster] - gpac (EOL in buster LTS) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b611f9c6a928ad79d1bab846c128ffa9ce215f9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b611f9c6a928ad79d1bab846c128ffa9ce215f9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
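Review bot: moving CVE-2022-42092, CVE-2022-34530 and CVE-2021-45268 from `NOT-FOR-US: Backdrop CMS` to `- backdrop (bug #914257)` ties them to the packaging bug, but CVE-2021-45268 is marked `** DISPUTED **` in its description; when the package is uploaded, that entry should get a NOTE recording the dispute (or a not-affected status if upstream's position holds) rather than inheriting an open status from the other two.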
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-42096/backdrop
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 138d2804 by Salvatore Bonaccorso at 2022-11-22T09:37:30+01:00 Add CVE-2022-42096/backdrop - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12692,7 +12692,7 @@ CVE-2022-42098 CVE-2022-42097 RESERVED CVE-2022-42096 (Backdrop CMS version 1.23.0 was discovered to contain a stored cross-s ...) - TODO: check + - backdrop (bug #914257) CVE-2022-42095 RESERVED CVE-2022-42094 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/138d280417da8e5c988d1c43f13a8ae565c6b5e2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/138d280417da8e5c988d1c43f13a8ae565c6b5e2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
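Review bot: the change is consistent with the sibling commit above that associates the other Backdrop CMS ids with `bug #914257`; since the description calls this a stored XSS in Backdrop CMS 1.23.0, a NOTE with the upstream advisory would record the fixed upstream version before the package enters the archive, which the bare `- backdrop (bug #914257)` line does not.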
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eaa8125c by Salvatore Bonaccorso at 2022-11-22T09:36:14+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,7 +13,7 @@ CVE-2022-4113 CVE-2022-4112 RESERVED CVE-2022-4111 (What happens if a bot net starts uploading 100MB files from 100 machin ...) - TODO: check + NOT-FOR-US: ToolJet CVE-2022-4110 RESERVED CVE-2022-4109 @@ -2870,15 +2870,15 @@ CVE-2022-44790 CVE-2022-44789 RESERVED CVE-2022-44788 (An issue was discovered in Appalti & Contratti 9.12.2. It allows S ...) - TODO: check + NOT-FOR-US: Appalti & Contratti CVE-2022-44787 (An issue was discovered in Appalti & Contratti 9.12.2. The web app ...) - TODO: check + NOT-FOR-US: Appalti & Contratti CVE-2022-44786 (An issue was discovered in Appalti & Contratti 9.12.2. The target ...) - TODO: check + NOT-FOR-US: Appalti & Contratti CVE-2022-44785 (An issue was discovered in Appalti & Contratti 9.12.2. The target ...) - TODO: check + NOT-FOR-US: Appalti & Contratti CVE-2022-44784 (An issue was discovered in Appalti & Contratti 9.12.2. The target ...) - TODO: check + NOT-FOR-US: Appalti & Contratti CVE-2022-44619 RESERVED CVE-2022-44610 @@ -8354,11 +8354,11 @@ CVE-2022-43711 CVE-2022-43710 RESERVED CVE-2022-43709 (MyBB 1.8.31 has a SQL injection vulnerability in the Admin CP's Users ...) - TODO: check + NOT-FOR-US: MyBB CVE-2022-43708 (MyBB 1.8.31 has a (issue 2 of 2) cross-site scripting (XSS) vulnerabil ...) - TODO: check + NOT-FOR-US: MyBB CVE-2022-43707 (MyBB 1.8.31 has a Cross-site scripting (XSS) vulnerability in the visu ...) - TODO: check + NOT-FOR-US: MyBB CVE-2022-43706 RESERVED CVE-2022-43705 [malicious OCSP responder could forge OCSP responses] 
@@ -9759,9 +9759,9 @@ CVE-2022-43217 CVE-2022-43216 RESERVED CVE-2022-43215 (Billing System Project v1.0 was discovered to contain a SQL injection ...) - TODO: check + NOT-FOR-US: Billing System Project CVE-2022-43214 (Billing System Project v1.0 was discovered to contain a SQL injection ...) - TODO: check + NOT-FOR-US: Billing System Project CVE-2022-43213 RESERVED CVE-2022-43212 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eaa8125cd4eb759f03b0c40da0f8c6b880126765 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eaa8125cd4eb759f03b0c40da0f8c6b880126765 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
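Review bot: the description of CVE-2022-4111 (`What happens if a bot net starts uploading 100MB files from 100 machin ...`) does not name a product, so the new `NOT-FOR-US: ToolJet` line rests on information outside the entry; add a NOTE with the source that attributes the id to ToolJet so the classification can be rechecked later. The Appalti & Contratti, MyBB and Billing System Project hunks are straightforward `TODO: check` to `NOT-FOR-US` conversions with the product named in each description and need no change.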
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-4095/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 01170a10 by Salvatore Bonaccorso at 2022-11-22T09:31:38+01:00 Add CVE-2022-4095/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -642,6 +642,10 @@ CVE-2022-4096 (Server-Side Request Forgery (SSRF) in GitHub repository appsmitho NOT-FOR-US: appsmith CVE-2022-4095 RESERVED + - linux 5.19.11-1 + [bullseye] - linux 5.10.148-1 + [buster] - linux 4.19.260-1 + NOTE: https://git.kernel.org/linus/e230a4455ac3e9b112f0367d1b8e255e141afae0 (6.0-rc4) CVE-2022-4094 RESERVED CVE-2022-4093 (SQL injection attacks can result in unauthorized access to sensitive d ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01170a1075bb36a374000f4749f20eaac23cdc0f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01170a1075bb36a374000f4749f20eaac23cdc0f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
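Review bot: the entry stays `RESERVED` with no description, so the upstream reference `https://git.kernel.org/linus/e230a4455ac3e9b112f0367d1b8e255e141afae0 (6.0-rc4)` is the only pointer to what the fix is; the fixed versions recorded (5.19.11-1, 5.10.148-1, 4.19.260-1) are all below 6.0, which implies the commit was picked into the 5.19, 5.10 and 4.19 stable series, and a NOTE naming the stable releases that carry it would let a reader verify those three version claims without re-deriving them.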
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1d0a5186 by security tracker role at 2022-11-22T08:10:12+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,29 @@ +CVE-2022-45785 + RESERVED +CVE-2022-45784 + RESERVED +CVE-2022-45783 + RESERVED +CVE-2022-45782 + RESERVED +CVE-2022-4114 + RESERVED +CVE-2022-4113 + RESERVED +CVE-2022-4112 + RESERVED +CVE-2022-4111 (What happens if a bot net starts uploading 100MB files from 100 machin ...) + TODO: check +CVE-2022-4110 + RESERVED +CVE-2022-4109 + RESERVED +CVE-2022-4108 + RESERVED +CVE-2022-4107 + RESERVED +CVE-2022-4106 + RESERVED CVE-2022-45781 RESERVED CVE-2022-45780 @@ -594,8 +620,8 @@ CVE-2022-45485 RESERVED CVE-2022-45484 RESERVED -CVE-2022-4105 - RESERVED +CVE-2022-4105 (A stored XSS in a kiwi Test Plan can run malicious javascript which co ...) + TODO: check CVE-2022-4104 RESERVED CVE-2022-4103 @@ -2839,16 +2865,16 @@ CVE-2022-44790 RESERVED CVE-2022-44789 RESERVED -CVE-2022-44788 - RESERVED -CVE-2022-44787 - RESERVED -CVE-2022-44786 - RESERVED -CVE-2022-44785 - RESERVED -CVE-2022-44784 - RESERVED +CVE-2022-44788 (An issue was discovered in Appalti & Contratti 9.12.2. It allows S ...) + TODO: check +CVE-2022-44787 (An issue was discovered in Appalti & Contratti 9.12.2. The web app ...) + TODO: check +CVE-2022-44786 (An issue was discovered in Appalti & Contratti 9.12.2. The target ...) + TODO: check +CVE-2022-44785 (An issue was discovered in Appalti & Contratti 9.12.2. The target ...) + TODO: check +CVE-2022-44784 (An issue was discovered in Appalti & Contratti 9.12.2. The target ...) + TODO: check CVE-2022-44619 RESERVED CVE-2022-44610 
@@ -8323,12 +8349,12 @@ CVE-2022-43711 RESERVED CVE-2022-43710 RESERVED -CVE-2022-43709 - RESERVED -CVE-2022-43708 - RESERVED -CVE-2022-43707 - RESERVED +CVE-2022-43709 (MyBB 1.8.31 has a SQL injection vulnerability in the Admin CP's Users ...) + TODO: check +CVE-2022-43708 (MyBB 1.8.31 has a (issue 2 of 2) cross-site scripting (XSS) vulnerabil ...) + TODO: check +CVE-2022-43707 (MyBB 1.8.31 has a Cross-site scripting (XSS) vulnerability in the visu ...) + TODO: check CVE-2022-43706 RESERVED CVE-2022-43705 [malicious OCSP responder could forge OCSP responses] @@ -8383,8 +8409,8 @@ CVE-2022-43687 (Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 NOT-FOR-US: Concrete CMS CVE-2022-43686 (In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 an ...) NOT-FOR-US: Concrete CMS -CVE-2022-43685 - RESERVED +CVE-2022-43685 (CKAN through 2.9.6 account takeovers by unauthenticated users when an ...) + TODO: check CVE-2022-43684 RESERVED CVE-2022-43683 @@ -9728,10 +9754,10 @@ CVE-2022-43217 RESERVED CVE-2022-43216 RESERVED -CVE-2022-43215 - RESERVED -CVE-2022-43214 - RESERVED +CVE-2022-43215 (Billing System Project v1.0 was discovered to contain a SQL injection ...) + TODO: check +CVE-2022-43214 (Billing System Project v1.0 was discovered to contain a SQL injection ...) + TODO: check CVE-2022-43213 RESERVED CVE-2022-43212 @@ -9875,8 +9901,8 @@ CVE-2022-43145 RESERVED CVE-2022-43144 (A cross-site scripting (XSS) vulnerability in Canteen Management Syste ...) NOT-FOR-US: Canteen Management System -CVE-2022-43143 - RESERVED +CVE-2022-43143 (A cross-site scripting (XSS) vulnerability in Beekeeper Studio v3.6.6 ...) + TODO: check CVE-2022-43142 (A cross-site scripting (XSS) vulnerability in the add-fee.php componen ...) NOT-FOR-US: Password Storage Application CVE-2022-43141 
@@ -12661,8 +12687,8 @@ CVE-2022-42098 RESERVED CVE-2022-42097 RESERVED -CVE-2022-42096 - RESERVED +CVE-2022-42096 (Backdrop CMS version 1.23.0 was discovered to contain a stored cross-s ...) + TODO: check CVE-2022-42095 RESERVED CVE-2022-42094 @@ -12888,7 +12914,7 @@ CVE-2022-38143 RESERVED CVE-2022-36354 RESERVED -CVE-2022-3388 (Improper Input Validation vulnerability in Hitachi Energy MicroSCADA P ...) +CVE-2022-3388 (An input validation vulnerability exists in the Monitor Pro interface ...) NOT-FOR-US: MicroSCADA CVE-2022-3387 (Advantech R-SeeNet Versions 2.4.19 and prior are vulnerable to path tr ...) NOT-FOR-US: Advantech R-SeeNet @@ -12988,8 +13014,8 @@ CVE-2022-41947 RESERVED CVE-2022-41946 RESERVED -CVE-2022-41945 - RESERVED +CVE-2022-41945 (super-xray is a vulnerability scanner (xray) GUI launcher. In version ...) +
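Review bot: this automatic update is cut off in this rendering after `+CVE-2022-41945 (super-xray is a vulnerability scanner (xray) GUI launcher. In version ...)`, so the remainder of the patch is not reviewable here. Of the visible hunks, the one for CVE-2022-3388 replaces the description text (`Improper Input Validation vulnerability in Hitachi Energy MicroSCADA P ...` becomes `An input validation vulnerability exists in the Monitor Pro interface ...`) while the `NOT-FOR-US: MicroSCADA` line is kept as context; a description rewrite that no longer mentions MicroSCADA deserves a second look to confirm that the NOT-FOR-US classification still matches. The remaining hunks only turn `RESERVED` into a description plus `TODO: check`, and several of those (CVE-2022-4111, CVE-2022-44784 to CVE-2022-44788, CVE-2022-43707 to CVE-2022-43709, CVE-2022-43214, CVE-2022-43215, CVE-2022-42096) are resolved by the follow-up manual commits shown above in this mail.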