[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2022-45136/apache-jena
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: de8c1656 by Salvatore Bonaccorso at 2022-11-24T07:21:19+01:00 Add Debian bug reference for CVE-2022-45136/apache-jena - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2228,7 +2228,7 @@ CVE-2022-45138 CVE-2022-45137 RESERVED CVE-2022-45136 (** UNSUPPORTED WHEN ASSIGNED ** Apache Jena SDB 3.17.0 and earlier is ...) - - apache-jena + - apache-jena (bug #1024738) NOTE: https://www.openwall.com/lists/oss-security/2022/11/14/5 TODO: check correctness/details if src:apache-jena affected CVE-2022-45135 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de8c1656b5e8d5543482648d02be14a61ca52687 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de8c1656b5e8d5543482648d02be14a61ca52687 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
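Review bot: the `TODO: check correctness/details if src:apache-jena affected` line is left in place right next to the newly filed bug #1024738, so the entry now reads as both confirmed (bug filed against the package) and unconfirmed (check still open). Either the check was done when the bug was filed, in which case drop the TODO, or it was not, in which case the open question belongs in the bug report. Since the CVE is scoped to Jena SDB and upstream marked it `UNSUPPORTED WHEN ASSIGNED`, no upstream fix is coming; a NOTE stating whether the Debian package builds the SDB module at all would settle the affected status faster than anything else.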
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2022-39353/node-xmldom
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dd1bf6c9 by Salvatore Bonaccorso at 2022-11-24T07:04:52+01:00 Add Debian bug reference for CVE-2022-39353/node-xmldom - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19525,7 +19525,7 @@ CVE-2022-39355 (Discourse Patreon enables syncronization between Discourse Group CVE-2022-39354 (SputnikVM, also called evm, is a Rust implementation of Ethereum Virtu ...) NOT-FOR-US: Rust crate evm CVE-2022-39353 (xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) ...) - - node-xmldom + - node-xmldom (bug #1024736) NOTE: https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883 NOTE: https://github.com/jindw/xmldom/issues/150 CVE-2022-39352 (OpenFGA is a high-performance authorization/permission engine inspired ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd1bf6c9d4451b43aba1c4d3cc86843ced00237a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd1bf6c9d4451b43aba1c4d3cc86843ced00237a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
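Review bot: no upstream fixed version is recorded for node-xmldom; the package line carries only the bug number, so the tracker treats every version as vulnerable until a `Fixed by:` NOTE with the commit and its release tag is added, which the GHSA-crh6-fp67-6883 advisory should identify. The second NOTE points at issue #150 in the old jindw/xmldom repository rather than the current xmldom/xmldom one; a short annotation that this is the original bug report would stop readers from mistaking it for the fix reference.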
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2022-3970/tiff
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8969b911 by Salvatore Bonaccorso at 2022-11-24T07:04:10+01:00 Add Debian bug reference for CVE-2022-3970/tiff - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2019,7 +2019,7 @@ CVE-2022-3972 (A vulnerability was found in Pingkon HMS-PHP. It has been rated a CVE-2022-3971 (A vulnerability was found in matrix-appservice-irc up to 0.35.1. It ha ...) NOT-FOR-US: matrix-appservice-irc CVE-2022-3970 (A vulnerability was found in LibTIFF. It has been classified as critic ...) - - tiff + - tiff (bug #1024737) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53137 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/227500897dfb07fb7d27f7aa570050e62617e3be NOTE: https://oss-fuzz.com/download?testcase_id=5738253143900160 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8969b91120f22f855604d0e68038e7f533023e42 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8969b91120f22f855604d0e68038e7f533023e42 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
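Review bot: the libtiff fix commit 227500897dfb07fb7d27f7aa570050e62617e3be is listed without the upstream release that carries it, unlike the `(vX.Y)` annotations used on other entries in this file, and there is still no fixed Debian version and no `[bullseye]`/`[buster]` line, so the entry stays open for every suite with nothing to act on. Add the release tag once libtiff tags one, plus a suite triage. The third NOTE is an oss-fuzz.com testcase download, which is normally reachable only with OSS-Fuzz project access; the bugs.chromium.org issue in the first NOTE is the link a reader can actually open.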
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2022-4127/ipxe issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cb13d782 by Salvatore Bonaccorso at 2022-11-24T06:57:10+01:00 Update status for CVE-2022-4127/ipxe issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -876,9 +876,9 @@ CVE-2022-4089 CVE-2022-4088 RESERVED CVE-2022-4087 (A vulnerability was found in iPXE. It has been declared as problematic ...) - - ipxe + - ipxe (Vulnerable code not present) + NOTE: Introduced by: https://github.com/ipxe/ipxe/commit/634a86093af9a6d134be8662f25616f4edfec683 NOTE: Fixed by: https://github.com/ipxe/ipxe/commit/186306d6199096b7a7c4b4574d4be8cdb8426729 - TODO: check, might be introduced later than the packaged version CVE-2022-4086 REJECTED CVE-2022-4085 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb13d78298edaed2a63e6c0baee37a8198e8e63c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb13d78298edaed2a63e6c0baee37a8198e8e63c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
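Review bot: the commit message names CVE-2022-4127 but the hunk edits CVE-2022-4087; the CVE-2022-4127 entry touched in this same push is a linux issue, so the message should have read CVE-2022-4087/ipxe. The change itself is sound: an `Introduced by:` commit (634a86093af9a6d134be8662f25616f4edfec683) now backs the `Vulnerable code not present` conclusion and the stale TODO is removed with it. As rendered here no status token precedes the parenthesised reason on the `- ipxe` line; confirm the tracker's not-affected marker survived, because without it the package is listed as unfixed.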
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-4127/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8613eb24 by Salvatore Bonaccorso at 2022-11-24T06:36:10+01:00 Add CVE-2022-4127/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -144,6 +144,8 @@ CVE-2022-4128 NOTE: https://git.kernel.org/linus/5c835bb142d4013c2ab24bff5ae9f6709a39cbcf (5.19-rc7) CVE-2022-4127 RESERVED + - linux (Vulnerable code only in 5.19-rcX versions) + NOTE: https://git.kernel.org/linus/d785a773bed966a75ca1f11d108ae1897189975b (5.19-rc6) CVE-2022-4126 RESERVED CVE-2022-4125 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8613eb24e991ed8c467afda35409d79d33518d4d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8613eb24e991ed8c467afda35409d79d33518d4d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
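Review bot: `Vulnerable code only in 5.19-rcX versions` is asserted without the introducing commit, whereas the ipxe entry in this same series pairs the same kind of claim with an `Introduced by:` NOTE; recording the 5.19 merge-window commit that added the code would let someone verify that no 5.18.y stable release picked it up. The NOTE gives the fix (d785a773bed966a75ca1f11d108ae1897189975b, 5.19-rc6) but the entry has no `[bullseye]`/`[buster]` line; the CVE-2022-4128 entry in this series shows the per-suite form, which makes the status explicit for each release.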
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-4128/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f54197b by Salvatore Bonaccorso at 2022-11-24T06:31:58+01:00 Add CVE-2022-4128/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -138,6 +138,10 @@ CVE-2022-4129 NOTE: https://lore.kernel.org/all/20221114191619.124659-1-ja...@cloudflare.com/t CVE-2022-4128 RESERVED + - linux 5.18.14-1 + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/5c835bb142d4013c2ab24bff5ae9f6709a39cbcf (5.19-rc7) CVE-2022-4127 RESERVED CVE-2022-4126 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f54197bbff67115f67872c3305cc94b9b433673 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f54197bbff67115f67872c3305cc94b9b433673 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
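Review bot: the fixed version is a 5.18-based package (`linux 5.18.14-1`) while the only referenced fix is the 5.19-rc7 commit 5c835bb142d4013c2ab24bff5ae9f6709a39cbcf; that is consistent only if the fix was backported into a 5.18.y stable release that 5.18.14-1 packaged, so the stable commit or the 5.18.y version should be noted for traceability. The `Vulnerable code not present` lines for bullseye and buster likewise rest on an introducing commit that is not recorded; one `Introduced by:` NOTE would back both suite lines and the fixed version at once.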
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-4129/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 15e03eaa by Salvatore Bonaccorso at 2022-11-24T06:16:14+01:00 Add CVE-2022-4129/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -134,6 +134,8 @@ CVE-2022-4130 RESERVED CVE-2022-4129 RESERVED + - linux + NOTE: https://lore.kernel.org/all/20221114191619.124659-1-ja...@cloudflare.com/t CVE-2022-4128 RESERVED CVE-2022-4127 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15e03eaa93db0779ce9eb28939ab345e6942f597 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15e03eaa93db0779ce9eb28939ab345e6942f597 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
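Review bot: the entry references only the patch submission thread on lore.kernel.org, with no fix commit, no target release and no fixed Debian version, and it has no `[bullseye]`/`[buster]` assessment, so every suite shows as affected with nothing actionable. Once the patch is merged, add the commit with its release tag as done for CVE-2022-4128 in this series, and record whether the affected code exists in the kernels the stable suites ship.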
[Git][security-tracker-team/security-tracker][master] LTS: claim curl in dla-needed.txt
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 92825cd5 by Roberto C. Sánchez at 2022-11-23T21:45:46-05:00 LTS: claim curl in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -29,7 +29,7 @@ consul NOTE: 20221031: Programming language: Go. NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. -- -curl +curl (Roberto C. Sánchez) NOTE: 20220901: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git NOTE: 20220904: Special attention: high popcon!. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92825cd50cd6241b0aec3bd93ba6443e1cb5896e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92825cd50cd6241b0aec3bd93ba6443e1cb5896e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
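Review bot: the claim is recorded only as `(Roberto C. Sánchez)` on the package line while the newest dated NOTE on the curl entry is from 20220904; the neighbouring consul entry shows this file's convention of dated `NOTE: YYYYMMDD:` lines for progress. A dated NOTE stating which open CVEs the claim covers would help the next person, particularly given the `Special attention: high popcon!` flag on this entry.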
[Git][security-tracker-team/security-tracker][master] claim heimdal
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: f462e6ab by Guilhem Moulin at 2022-11-23T23:55:33+01:00 claim heimdal - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -79,7 +79,7 @@ golang-websocket NOTE: 20220915: 1 CVE fixed in stretch and bullseye (golang-github-gorilla-websocket) (Beuc/front-desk) NOTE: 20220915: Special attention: limited support; requires rebuilding reverse dependencies -- -heimdal +heimdal (guilhem) NOTE: 20221117: Programming language: C. -- hsqldb View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f462e6ab9698669c220734a3c385d93494320ea9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f462e6ab9698669c220734a3c385d93494320ea9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
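Review bot: the commit message `claim heimdal` lacks the `LTS:` prefix and the `in dla-needed.txt` wording used by the sibling curl claim in this series; consistent messages keep `git log` on data/dla-needed.txt scannable. The entry itself carries only `NOTE: 20221117: Programming language: C.` and no reference to which CVEs are pending, so a dated NOTE listing them at claim time would be useful.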
[Git][security-tracker-team/security-tracker][master] Add CVE-2009-114{2,3}/open-vm-tools
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ec37e33 by Salvatore Bonaccorso at 2022-11-23T22:27:57+01:00 Add CVE-2009-114{2,3}/open-vm-tools - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -544185,9 +544185,14 @@ CVE-2009-1145 CVE-2009-1144 (Untrusted search path vulnerability in the Gentoo package of Xpdf befo ...) - xpdf (Gentoo specific vulnerability in building xpdf) CVE-2009-1143 (An issue was discovered in open-vm-tools 2009.03.18-154848. Local user ...) - TODO: check + - open-vm-tools 2:12.0.0-1 + [bullseye] - open-vm-tools (Minor issue; mount.vmhgfs not suid root in Debian) + NOTE: https://bugzilla.suse.com/show_bug.cgi?id=372070 + NOTE: Removing hgfsmounter/mount.vmhgfs: https://github.com/vmware/open-vm-tools/commit/61331a189a0eeb76f014db28288b06c0323bc0b9 (stable-12.0.0) CVE-2009-1142 (An issue was discovered in open-vm-tools 2009.03.18-154848. Local user ...) - TODO: check + - open-vm-tools 2:8.4.2+2011.08.21-471295-1 + NOTE: https://bugzilla.suse.com/show_bug.cgi?id=474285 + NOTE: https://github.com/vmware/open-vm-tools/commit/76dccec4dd4002cec240e71e0042cdacfae6cca7 (2011.03.28-387002) CVE-2009-1141 (Microsoft Internet Explorer 6 for Windows XP SP2 and SP3 and Server 20 ...) NOT-FOR-US: Microsoft CVE-2009-1140 (Microsoft Internet Explorer 5.01 SP4; 6 SP1; 6 and 7 for Windows XP SP ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ec37e33a9233a98ed30aee7ed1077b61656138e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ec37e33a9233a98ed30aee7ed1077b61656138e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
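Review bot: CVE-2009-1143 gets a `[bullseye]` line (`Minor issue; mount.vmhgfs not suid root in Debian`) but no `[buster]` line, although buster also predates the 2:12.0.0-1 fix that removed hgfsmounter, so buster shows as plainly affected; the same reasoning should be recorded there. If mount.vmhgfs is not suid root in any Debian build, this local-user issue has no privilege boundary to cross in Debian and `unimportant` would be the more precise tag than `Minor issue`. CVE-2009-1142 is fixed at 2:8.4.2+2011.08.21-471295-1, which predates every supported suite, so no suite lines are needed there.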
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-41922/yii
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eacc683d by Salvatore Bonaccorso at 2022-11-23T21:50:07+01:00 Add CVE-2022-41922/yii - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13276,7 +13276,7 @@ CVE-2022-41924 (A vulnerability identified in the Tailscale Windows client allow CVE-2022-41923 (Grails Spring Security Core plugin is vulnerable to privilege escalati ...) TODO: check CVE-2022-41922 (`yiisoft/yii` before version 1.1.27 are vulnerable to Remote Code Exec ...) - TODO: check + - yii (bug #597899) CVE-2022-41921 RESERVED CVE-2022-41920 (Lancet is a general utility library for the go programming language. A ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eacc683d96201d67c954d034cd134944dceb10f7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eacc683d96201d67c954d034cd134944dceb10f7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
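Review bot: bug #597899 is a six-digit number from long before this 2022 CVE, which makes it an ITP bug rather than a report against a shipped package, so the `- yii (bug #597899)` line needs the tracker's `<itp>` pseudo-version; as rendered here no status token is visible between the package name and the bug reference. Without it yii is listed as an unfixed package in the archive, which is a different claim. The description says versions before 1.1.27 are affected, so a NOTE with the upstream fix reference would also help whoever completes the ITP.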
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 96b89fb1 by Salvatore Bonaccorso at 2022-11-23T21:45:43+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -995,7 +995,7 @@ CVE-2022-4055 (When xdg-mail is configured to use thunderbird for mailto URLs, i CVE-2022-4054 RESERVED CVE-2022-45462 (Alarm instance management has command injection when there is a specif ...) - TODO: check + NOT-FOR-US: Apache DolphinScheduler CVE-2022-45461 (The Java Admin Console in Veritas NetBackup through 10.1 and related V ...) NOT-FOR-US: Veritas NetBackup CVE-2022-45460 
@@ -5515,11 +5515,11 @@ CVE-2022-44282 CVE-2022-44281 RESERVED CVE-2022-44280 (Automotive Shop Management System v1.0 is vulnerable to Delete any fil ...) - TODO: check + NOT-FOR-US: Automotive Shop Management System CVE-2022-44279 RESERVED CVE-2022-44278 (Sanitization Management System v1.0 is vulnerable to SQL Injection via ...) - TODO: check + NOT-FOR-US: Sanitization Management System CVE-2022-44277 RESERVED CVE-2022-44276 @@ -,29 +,29 @@ CVE-2022-44262 CVE-2022-44261 RESERVED CVE-2022-44260 (TOTOLINK LR350 V9.3.5u.6369_B20220309 contains a post-authentication b ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2022-44259 (TOTOLINK LR350 V9.3.5u.6369_B20220309 contains a post-authentication b ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2022-44258 (TOTOLINK LR350 V9.3.5u.6369_B20220309 contains a post-authentication b ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2022-44257 (TOTOLINK LR350 V9.3.5u.6369_B20220309 contains a post-authentication b ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2022-44256 (TOTOLINK LR350 V9.3.5u.6369_B20220309 contains a post-authentication b ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2022-44255 (TOTOLINK LR350 V9.3.5u.6369_B20220309 contains a pre-authentication bu ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2022-44254 (TOTOLINK LR350 V9.3.5u.6369_B20220309 contains a post-authentication b ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2022-44253 (TOTOLINK LR350 V9.3.5u.6369_B20220309 contains a post-authentication b ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2022-44252 (TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection v ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2022-44251 (TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection v ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2022-44250 (TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection v ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2022-44249 (TOTOLINK NR1800X V9.1.0u.6279_B20210910 contains a command injection v ...) 
- TODO: check + NOT-FOR-US: TOTOLINK CVE-2022-44248 RESERVED CVE-2022-44247 @@ -5797,7 +5797,7 @@ CVE-2022-44141 CVE-2022-44140 RESERVED CVE-2022-44139 (Apartment Visitor Management System v1.0 is vulnerable to SQL Injectio ...) - TODO: check + NOT-FOR-US: Apartment Visitor Management System CVE-2022-44138 RESERVED CVE-2022-44137 @@ -13264,9 +13264,9 @@ CVE-2022-41930 CVE-2022-41929 (org.xwiki.platform:xwiki-platform-oldcore is missing authorization in ...) TODO: check CVE-2022-41928 (XWiki Platform vulnerable to Improper Neutralization of Directives in ...) - TODO: check + NOT-FOR-US: XWiki CVE-2022-41927 (XWiki Platform is vulnerable to Cross-Site Request Forgery (CSRF) that ...) - TODO: check + NOT-FOR-US: XWiki CVE-2022-41926 RESERVED CVE-2022-41925 (A vulnerability identified in the Tailscale client allows a malicious ...) @@ -16151,9 +16151,9 @@ CVE-2022-40774 (An issue was discovered in Bento4 through 1.6.0-639. There is a CVE-2022-40773 (Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter ...) NOT-FOR-US: Zoho ManageEngine CVE-2022-40772 (Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulner ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine CVE-2022-40771 (Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulner ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine CVE-2022-40770 (Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulner ...) NOT-FOR-US: Zoho ManageEngine CVE-2022-40769 (profanity through 1.60 has only four billion possible RNG initializati ...) @@ -23415,11 +23415,11 @@ CVE-2022-38150 (In Varnish Cache 7.0.0, 7.0.1, 7.0.2, and 7.1.0, it is possible NOTE: Fixed by: https://github.com/varnishcache/varnish-cache/commit/c5fd097e5cce8b461c6443af02b3448baef2491d (master) NOTE: Fixed by: https://github.com/varnis
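Review bot: CVE-2022-41928 and CVE-2022-41927 are marked `NOT-FOR-US: XWiki` in this batch, but CVE-2022-41929 directly above them (`org.xwiki.platform:xwiki-platform-oldcore is missing authorization in ...`) is left at `TODO: check`; it is the same product and should get the same disposition in the same pass. The rest of the batch is consistent in naming the product in each NFU line (Apache DolphinScheduler, TOTOLINK, Zoho ManageEngine), which matters most for CVE-2022-45462, whose description (`Alarm instance management has command injection ...`) does not mention the vendor at all. The final hunk (CVE-2022-38150, Varnish) is cut off in this rendering and cannot be reviewed here.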
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2021-46849 (duplicate of CVE-2021-29421)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 29fc6588 by Salvatore Bonaccorso at 2022-11-23T21:34:15+01:00 Remove notes from CVE-2021-46849 (duplicate of CVE-2021-29421) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8734,10 +8734,6 @@ CVE-2021-46850 (myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel NOT-FOR-US: myVesta Control Panel CVE-2021-46849 REJECTED - - pikepdf 3.2.0+dfsg-1 - [bullseye] - pikepdf (Minor issue) - [buster] - pikepdf (Minor issue) - NOTE: https://github.com/pikepdf/pikepdf/blob/v2.10.0/docs/release_notes.rst#v2100 CVE-2021-46848 (GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check ...) - libtasn1-6 4.19.0-2 [bullseye] - libtasn1-6 (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29fc65888a786b5273d35b9cb19d1caba3c3621c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/29fc65888a786b5273d35b9cb19d1caba3c3621c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
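Review bot: all tracking data for pikepdf (fixed version 3.2.0+dfsg-1, the bullseye and buster `Minor issue` lines and the release-notes NOTE) is removed from the now-REJECTED CVE-2021-46849 without a pointer to where it lives on; the usual pattern is to keep a single NOTE such as `NOTE: Duplicate of CVE-2021-29421` under the rejected id so that a search for either number lands on the tracked entry. Confirm that CVE-2021-29421 already carries the same fixed version and suite triage, since the bullseye line was only added to this entry about thirty minutes earlier in the `bullseye triage` commit in this digest.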
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1c138355 by security tracker role at 2022-11-23T20:10:28+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,149 @@ +CVE-2022-45865 + RESERVED +CVE-2022-45864 + RESERVED +CVE-2022-45863 + RESERVED +CVE-2022-45862 + RESERVED +CVE-2022-45861 + RESERVED +CVE-2022-45860 + RESERVED +CVE-2022-45859 + RESERVED +CVE-2022-45858 + RESERVED +CVE-2022-45857 + RESERVED +CVE-2022-45856 + RESERVED +CVE-2022-45855 + RESERVED +CVE-2022-45854 + RESERVED +CVE-2022-45853 + RESERVED +CVE-2022-45852 + RESERVED +CVE-2022-45851 + RESERVED +CVE-2022-45850 + RESERVED +CVE-2022-45849 + RESERVED +CVE-2022-45848 + RESERVED +CVE-2022-45847 + RESERVED +CVE-2022-45846 + RESERVED +CVE-2022-45845 + RESERVED +CVE-2022-45844 + RESERVED +CVE-2022-45843 + RESERVED +CVE-2022-45842 + RESERVED +CVE-2022-45841 + RESERVED +CVE-2022-45840 + RESERVED +CVE-2022-45839 + RESERVED +CVE-2022-45838 + RESERVED +CVE-2022-45837 + RESERVED +CVE-2022-45836 + RESERVED +CVE-2022-45835 + RESERVED +CVE-2022-45834 + RESERVED +CVE-2022-45833 + RESERVED +CVE-2022-45832 + RESERVED +CVE-2022-45831 + RESERVED +CVE-2022-45830 + RESERVED +CVE-2022-45829 + RESERVED +CVE-2022-45828 + RESERVED +CVE-2022-45827 + RESERVED +CVE-2022-45826 + RESERVED +CVE-2022-45825 + RESERVED +CVE-2022-45824 + RESERVED +CVE-2022-45823 + RESERVED +CVE-2022-45822 + RESERVED +CVE-2022-45821 + RESERVED +CVE-2022-45820 + RESERVED +CVE-2022-45819 + RESERVED +CVE-2022-45818 + RESERVED +CVE-2022-45817 + RESERVED +CVE-2022-45816 + RESERVED +CVE-2022-45815 + RESERVED +CVE-2022-45814 + RESERVED +CVE-2022-45813 + RESERVED +CVE-2022-45812 + RESERVED +CVE-2022-45811 + RESERVED +CVE-2022-45810 + RESERVED +CVE-2022-45809 + RESERVED +CVE-2022-45808 + RESERVED +CVE-2022-45807 + RESERVED +CVE-2022-45806 + RESERVED +CVE-2022-45805 + RESERVED +CVE-2022-45804 + RESERVED +CVE-2022-45803 + RESERVED +CVE-2022-45802 + RESERVED +CVE-2022-45801 + RESERVED +CVE-2022-4131 + RESERVED +CVE-2022-4130 + RESERVED +CVE-2022-4129 + RESERVED +CVE-2022-4128 + RESERVED +CVE-2022-4127 + RESERVED +CVE-2022-4126 + RESERVED +CVE-2022-4125 + RESERVED +CVE-2022-4124 + RESERVED CVE-2022-45800 
RESERVED CVE-2022-45799 @@ -848,8 +994,8 @@ CVE-2022-4055 (When xdg-mail is configured to use thunderbird for mailto URLs, i NOTE: https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/205#note_1494267 CVE-2022-4054 RESERVED -CVE-2022-45462 - RESERVED +CVE-2022-45462 (Alarm instance management has command injection when there is a specif ...) + TODO: check CVE-2022-45461 (The Java Admin Console in Veritas NetBackup through 10.1 and related V ...) NOT-FOR-US: Veritas NetBackup CVE-2022-45460 @@ -1987,14 +2133,11 @@ CVE-2022-45153 CVE-2022-45152 RESERVED - moodle -CVE-2022-45151 - RESERVED +CVE-2022-45151 (The stored-XSS vulnerability was discovered in Moodle which exists due ...) - moodle -CVE-2022-45150 - RESERVED +CVE-2022-45150 (A reflected cross-site scripting vulnerability was discovered in Moodl ...) - moodle -CVE-2022-45149 - RESERVED +CVE-2022-45149 (A vulnerability was found in Moodle which exists due to insufficient v ...) - moodle CVE-2022-45148 RESERVED @@ -5371,12 +5514,12 @@ CVE-2022-44282 RESERVED CVE-2022-44281 RESERVED -CVE-2022-44280 - RESERVED +CVE-2022-44280 (Automotive Shop Management System v1.0 is vulnerable to Delete any fil ...) + TODO: check CVE-2022-44279 RESERVED -CVE-2022-44278 - RESERVED +CVE-2022-44278 (Sanitization Management System v1.0 is vulnerable to SQL Injection via ...) + TODO: check CVE-2022-44277 RESERVED CVE-2022-44276 @@ -5411,30 +5554,30 @@ CVE-2022-44262 RESERVED CVE-2022-44261 RESERVED -CVE-2022-44260 - RESERVED -CVE-2022-44259 - RESERVED -CVE-2022-44258 - RESERVED -CVE-2022-44257 - RESERVED -CVE-2022-44256 - RESERVED -CVE-2022-44255 - RESERVED -CVE-2022-44254 - RESERVED -CVE-2022-44253 - RESERVED -CVE-2022-44252 - RESERVED -CVE-2022-44251 - RESERVED -CVE-2022-44250 - RESERVED -CVE-2022-44249 - RESERVED +CVE-2022-44260 (TOTOLINK LR350 V9.3.5u.6369_B20220309 contains a post-authentication b ...) + TODO: check +CVE-2022-44259 (TOTOLINK LR350 V9.3.5u.6369_B20220309 contai
[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 55038710 by Moritz Muehlenhoff at 2022-11-23T21:06:46+01:00 bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -7864,6 +7864,7 @@ CVE-2022-3716 (A vulnerability classified as problematic was found in SourceCode CVE-2022-3715 [a heap-buffer-overflow in valid_parameter_transform] RESERVED - bash + [bullseye] - bash (Minor issue) [buster] - bash (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2126720 NOTE: https://lists.gnu.org/archive/html/bug-bash/2022-08/msg00147.html @@ -8590,6 +8591,7 @@ CVE-2021-46850 (myVesta Control Panel before 0.9.8-26-43 and Vesta Control Panel NOT-FOR-US: myVesta Control Panel CVE-2021-46849 (pikepdf before 2.10.0 allows an XXE attack against PDF XMP metadata pa ...) - pikepdf 3.2.0+dfsg-1 + [bullseye] - pikepdf (Minor issue) [buster] - pikepdf (Minor issue) NOTE: https://github.com/pikepdf/pikepdf/blob/v2.10.0/docs/release_notes.rst#v2100 CVE-2021-46848 (GNU Libtasn1 before 4.19.0 has an ETYPE_OK off-by-one array size check ...) @@ -19642,6 +19644,7 @@ CVE-2022-39261 (Twig is a template language for PHP. Versions 1.x prior to 1.44. NOTE: https://github.com/twigphp/Twig/commit/35f3035c5deb0041da7b84daf02dea074ddc7a0b (v1.44.7, v2.15.3, v3.4.3) CVE-2022-39260 (Git is an open source, scalable, distributed revision control system. ...) - git 1:2.38.1-1 (bug #1022046) + [bullseye] - git (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/10/18/5 NOTE: https://lore.kernel.org/git/xmqq4jw1uku5.fsf@gitster.g/T/#u NOTE: https://github.com/git/git/commit/32696a4cbe90929ae79ea442f5102c513ce3dfaa (v2.30.6) 
@@ -19664,6 +19667,7 @@ CVE-2022-39254 (matrix-nio is a Python Matrix client library, designed according NOTE: https://github.com/poljar/matrix-nio/commit/b1cbf234a831daa160673defd596e6450e9c29f0 (0.20.0) CVE-2022-39253 (Git is an open source, scalable, distributed revision control system. ...) - git 1:2.38.1-1 (bug #1022046) + [bullseye] - git (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/10/18/5 NOTE: https://lore.kernel.org/git/xmqq4jw1uku5.fsf@gitster.g/T/#u NOTE: https://github.com/git/git/commit/6f054f9fb3a501c35b55c65e547a244f14c38d56 (v2.30.6) @@ -19723,6 +19727,7 @@ CVE-2022-39238 (Arvados is an open source platform for managing and analyzing bi NOT-FOR-US: Arvados CVE-2022-39237 (syslabs/sif is the Singularity Image Format (SIF) reference implementa ...) - golang-github-sylabs-sif (bug #1023570) + [bullseye] - golang-github-sylabs-sif (Minor issue) - singularity-container 3.10.3+ds1-1 NOTE: https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8 NOTE: https://github.com/sylabs/sif/commit/21972852d8783bc93fbf080190de8e1978f1c254 (v2.8.1) @@ -38927,10 +38932,10 @@ CVE-2022-1969 (The Mobile browser color select plugin for WordPress is vulnerabl NOT-FOR-US: Mobile browser color select plugin for WordPress CVE-2022-1968 (Use After Free in GitHub repository vim/vim prior to 8.2. ...) {DLA-3182-1 DLA-3053-1} - - vim 2:9.0.0135-1 (bug #1015984) - [bullseye] - vim (Minor issue) + - vim 2:9.0.0135-1 (bug #1015984; unimportant) NOTE: https://huntr.dev/bounties/949090e5-f4ea-4edf-bd79-cd98f0498a5b NOTE: https://github.com/vim/vim/commit/409510c588b1eec1ae33511ae97a21eb8e110895 (v8.2.5050) + NOTE: Crash in CLI tool, no security impact CVE-2022-1967 (The WP Championship WordPress plugin before 9.3 is lacking CSRF checks ...) NOT-FOR-US: WordPress plugin CVE-2022-1966 
@@ -40316,10 +40321,10 @@ CVE-2022-1899 (Out-of-bounds Read in GitHub repository radareorg/radare2 prior t NOTE: https://github.com/radareorg/radare2/commit/193f4fe01d7f626e2ea937450f2e0c4604420e9d CVE-2022-1898 (Use After Free in GitHub repository vim/vim prior to 8.2. ...) {DLA-3182-1 DLA-3053-1} - - vim 2:9.0.0135-1 (bug #1015984) - [bullseye] - vim (Minor issue) + - vim 2:9.0.0135-1 (bug #1015984; unimportant) NOTE: https://huntr.dev/bounties/45aad635-c2f1-47ca-a4f9-db5b25979cea NOTE: https://github.com/vim/vim/commit/e2fa213cf571041dbd04ab0329303ffdc980678a (v8.2.5024) + NOTE: Crash in CLI tool, no security impact CVE-2022-1897 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. ...) - vim 2:9.0.0135-1 (bug #1015984) [bullseye] - vim (Minor issue) @@ -40922,10 +40927,10 @@ CVE-2022-1852 (A NULL pointer dereference flaw was found in the Linux kernelR NOTE: https://git.kernel.org/linus/fee060cd
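Review bot: for CVE-2022-39260 and CVE-2022-39253 the `[bullseye] - git (Minor issue)` triage sits next to NOTEs recording the upstream fixes as `(v2.30.6)`, a maintenance release of the 2.30 series bullseye ships; when the upstream fix is a tagged release on the exact branch a stable suite is built from, a point-release update is cheap, and that should be noted with the triage so it is not lost. The hunk fixes unstable at 1:2.38.1-1 (bug #1022046), so only the stable side remains open.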
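Review bot: the vim entries (CVE-2022-1968 and CVE-2022-1898 here) are re-tagged `unimportant` with `Crash in CLI tool, no security impact`, yet their descriptions read `Use After Free` and both already carry `{DLA-3182-1 DLA-3053-1}`, meaning LTS shipped fixes as security updates; the classification is defensible for an interactive editor, but the NOTE should say why the UAF is judged crash-only (for instance that the trigger needs a user-opened file), otherwise the entry contradicts the DLAs attached to it. Dropping `[bullseye] - vim (Minor issue)` rather than converting it is correct, since the `unimportant` tag on the package line applies across suites.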
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2021-46854/proftpd-dfsg
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 66f84df3 by Salvatore Bonaccorso at 2022-11-23T14:05:48+01:00 Update information on CVE-2021-46854/proftpd-dfsg - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,8 +9,9 @@ CVE-2022-4123 CVE-2022-4122 RESERVED CVE-2021-46854 (mod_radius in ProFTPD before 1.3.7c allows memory disclosure to RADIUS ...) - - proftpd-dfsg 1.3.7c+dfsg-1 - [bullseye] - proftpd-dfsg (Minor issue) + - proftpd-dfsg 1.3.7c+dfsg-1 (bug #993173) + [bullseye] - proftpd-dfsg 1.3.7a+dfsg-12+deb11u1 + [buster] - proftpd-dfsg 1.3.6-4+deb10u6 NOTE: https://github.com/proftpd/proftpd/issues/1284 NOTE: https://github.com/proftpd/proftpd/pull/1285 NOTE: Fixed by: https://github.com/proftpd/proftpd/commit/10a227b4d50e0a2cd2faf87926f58d865da44e43 (v1.3.8rc2) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66f84df30b9fd4b8484f1443044b0d0b4fcd0093 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66f84df30b9fd4b8484f1443044b0d0b4fcd0093 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
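Review bot: the description says the issue is fixed upstream `before 1.3.7c` and the unstable fixed version is 1.3.7c+dfsg-1, yet the `Fixed by:` NOTE points at a commit tagged v1.3.8rc2; either 1.3.7c contains a backport of that commit or one of the two statements is off, and a NOTE naming the 1.3.7c change would resolve it. The new `[bullseye] - proftpd-dfsg 1.3.7a+dfsg-12+deb11u1` and `[buster] - proftpd-dfsg 1.3.6-4+deb10u6` lines carry no `{DSA-...}`/`{DLA-...}` reference, so if those versions came through point releases or an earlier advisory tracked under bug #993173, say so; otherwise a reader cannot tell how the stable fixes were delivered.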
[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 70450616 by Moritz Muehlenhoff at 2022-11-23T12:29:05+01:00 bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10,6 +10,7 @@ CVE-2022-4122 RESERVED CVE-2021-46854 (mod_radius in ProFTPD before 1.3.7c allows memory disclosure to RADIUS ...) - proftpd-dfsg 1.3.7c+dfsg-1 + [bullseye] - proftpd-dfsg (Minor issue) NOTE: https://github.com/proftpd/proftpd/issues/1284 NOTE: https://github.com/proftpd/proftpd/pull/1285 NOTE: Fixed by: https://github.com/proftpd/proftpd/commit/10a227b4d50e0a2cd2faf87926f58d865da44e43 (v1.3.8rc2) @@ -42870,10 +42871,10 @@ CVE-2022-1721 (Path Traversal in WellKnownServlet in GitHub repository jgraph/dr NOT-FOR-US: jgraph/drawio CVE-2022-1720 (Buffer Over-read in function grab_file_name in GitHub repository vim/v ...) {DLA-3182-1 DLA-3053-1} - - vim 2:9.0.0135-1 (bug #1015984) - [bullseye] - vim (Minor issue) + - vim 2:9.0.0135-1 (bug #1015984; unimportant) NOTE: https://huntr.dev/bounties/5ccfb386-7eb9-46e5-98e5-243ea4b358a8 NOTE: https://github.com/vim/vim/commit/395bd1f6d3edc9f7edb5d1f2d7deaf5a9e3ab93c (v8.2.4956) + NOTE: Crash in CLI tool, no security impact CVE-2022-1719 (Reflected XSS on ticket filter function in GitHub repository polonel/t ...) NOT-FOR-US: Trudesk CVE-2022-1718 (The trudesk application allows large characters to insert in the input ...) 
@@ -44485,11 +44486,10 @@ CVE-2022-1622 (LibTIFF master branch has an out-of-bounds read in LZWDecode in l NOTE: https://gitlab.com/libtiff/libtiff/-/issues/410 CVE-2022-1621 (Heap buffer overflow in vim_strncpy find_word in GitHub repository vim ...) {DLA-3011-1} - - vim 2:9.0.0135-1 (bug #1015984) - [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) + - vim 2:9.0.0135-1 (bug #1015984; unimportant) NOTE: https://huntr.dev/bounties/520ce714-bfd2-4646-9458-f52cd22bb2fb NOTE: https://github.com/vim/vim/commit/7c824682d2028432ee082703ef0ab399867a089b (v8.2.4919) + NOTE: Crash in CLI tool, no security impact CVE-2018-25033 (ADMesh through 0.98.4 has a heap-based buffer over-read in stl_update_ ...) {DLA-3019-1} - admesh 0.98.4-2 (bug #1010770) @@ -44504,11 +44504,10 @@ CVE-2022-1620 (NULL Pointer Dereference in function vim_regexec_string at regexp NOTE: Crash in CLI tool, no security impact CVE-2022-1619 (Heap-based Buffer Overflow in function cmdline_erase_chars in GitHub r ...) {DLA-3011-1} - - vim 2:9.0.0135-1 (bug #1015984) - [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) + - vim 2:9.0.0135-1 (bug #1015984; unimportant) NOTE: https://huntr.dev/bounties/b3200483-624e-4c76-a070-e246f62a7450 NOTE: https://github.com/vim/vim/commit/ef02f16609ff0a26ffc6e20263523424980898fe (v8.2.4899) + NOTE: Crash in CLI tool, no security impact CVE-2022-1618 RESERVED CVE-2022-1617 
@@ -46905,11 +46904,11 @@ CVE-2022-1422 (The Discy WordPress theme before 5.2 does not check for CSRF toke CVE-2022-1421 (The Discy WordPress theme before 5.2 lacks CSRF checks in some AJAX ac ...) NOT-FOR-US: WordPress theme CVE-2022-1420 (Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior ...) - - vim 2:8.2.4793-1 - [bullseye] - vim (Minor issue) + - vim 2:8.2.4793-1 (unimportant) [buster] - vim (method call operator -> introduced in 8.1.1803) NOTE: https://huntr.dev/bounties/a4323ef8-90ea-4e1c-90e9-c778f0ecf326 NOTE: https://github.com/vim/vim/commit/8b91e71441069b1dde9ac9ff9d9a829b1b4aecca (v8.2.4774) + NOTE: Crash in CLI tool, no security impact CVE-2021-46784 (In Squid 3.x through 3.5.28, 4.x through 4.17, and 5.x before 5.6, due ...) {DSA-5171-1} - squid 5.6-1 @@ -51061,10 +51060,10 @@ CVE-2022-1155 (Old sessions are not blocked by the login enable function. in Git - snipe-it (bug #1005172) CVE-2022-1154 (Use after free in utf_ptr2char in GitHub repository vim/vim prior to 8 ...) {DLA-3182-1 DLA-3011-1} - - vim 2:8.2.4659-1 - [bullseye] - vim (Minor issue) + - vim 2:8.2.4659-1 (unimportant) NOTE: https://huntr.dev/bounties/7f0ec6bc-ea0e-45b0-8128-caac72d23425 NOTE: https://github.com/vim/vim/commit/b55986c52d4cd88a22d0b0b0e8a79547ba13e1d5 (v8.2.4646) + NOTE: Crash in CLI tool, no security impact CVE-2022-1153 (The LayerSlider WordPress plugin before 7.1.2 does not sanitise and es ...) NOT-FOR-US: WordPress plugin CVE-2022-1152 (The Menubar WordPress plugin before 5.8 does not sanitise and escape t ...) View it on GitLab: https://salsa.debian.org/security-tra
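Review bot: CVE-2022-1720, CVE-2022-1621, CVE-2022-1619 and CVE-2022-1154 still carry {DLA-3182-1 DLA-3053-1} / {DLA-3011-1} references, i.e. advisories were issued for them, while this change replaces the per-suite "[bullseye] - vim (Minor issue)" lines (and, for 1621/1619, the "[buster] - vim (Minor issue)" lines) with a package-wide "unimportant" tag and the note "Crash in CLI tool, no security impact". That is not necessarily contradictory, but a one-line NOTE recording that the DLAs bundled these crash fixes with other vim issues would stop the next triager from re-raising the severity on the strength of the DLA reference alone. For CVE-2022-1420 the remaining "[buster] - vim (method call operator -> introduced in 8.1.1803)" line is a not-affected annotation, not a severity one, and correctly survives the change.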
[Git][security-tracker-team/security-tracker][master] drop ELTS annotation for vim to allow changing it in ELTS tracker
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 1564b16c by Helmut Grohne at 2022-11-23T11:39:16+01:00 drop ELTS annotation for vim to allow changing it in ELTS tracker - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -90090,7 +90090,6 @@ CVE-2021-3770 (vim is vulnerable to Heap-based Buffer Overflow ...) - vim 2:8.2.3455-1 (bug #994076) [bullseye] - vim 2:8.2.2434-3+deb11u1 [buster] - vim 2:8.1.0875-5+deb10u1 - [stretch] - vim (Vulnerable code not present) NOTE: https://huntr.dev/bounties/016ad2f2-07c1-4d14-a8ce-6eed10729365/ NOTE: Fixed by: https://github.com/vim/vim/commit/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9 (v8.2.3402) NOTE: Followup fix for introduced memory leak: https://github.com/vim/vim/commit/2ddb89f8a94425cda1e5491efc80c1b6e08e (v8.2.3403) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1564b16c9015e1bc4d03afcef255966277748156
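Review bot: removing "[stretch] - vim (Vulnerable code not present)" leaves no record in this entry of why the not-affected claim is being handed back to the ELTS tracker; a NOTE pointing at the ELTS entry, or stating which of the v8.2.3402/v8.2.3403 fixes is now believed to be relevant to stretch, would document the decision for anyone reading only this file. Separately, the unchanged NOTE for the follow-up memory-leak fix cites commit 2ddb89f8a94425cda1e5491efc80c1b6e08e, which is 36 hex characters rather than a full 40-character SHA; worth checking that the reference was not truncated when it was added.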
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-42095/backdrop, itp'ed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 689969d1 by Salvatore Bonaccorso at 2022-11-23T10:52:24+01:00 Add CVE-2022-42095/backdrop, itp'ed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12759,7 +12759,7 @@ CVE-2022-42097 (Backdrop CMS version 1.23.0 was discovered to contain a stored c CVE-2022-42096 (Backdrop CMS version 1.23.0 was discovered to contain a stored cross-s ...) - backdrop (bug #914257) CVE-2022-42095 (Backdrop CMS version 1.23.0 was discovered to contain a stored cross-s ...) - TODO: check + - backdrop (bug #914257) CVE-2022-42094 (Backdrop CMS version 1.23.0 was discovered to contain a stored cross-s ...) - backdrop (bug #914257) CVE-2022-42093 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/689969d1eddca8fbb74aa0fd1167b8291b9f5c66
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 09893385 by Salvatore Bonaccorso at 2022-11-23T10:51:51+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1532,9 +1532,9 @@ CVE-2022-45333 CVE-2022-45332 RESERVED CVE-2022-45331 (AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability ...) - TODO: check + NOT-FOR-US: AeroCMS CVE-2022-45330 (AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability ...) - TODO: check + NOT-FOR-US: AeroCMS CVE-2022-45329 RESERVED CVE-2022-45328 @@ -8318,7 +8318,7 @@ CVE-2022-43753 (A Improper Limitation of a Pathname to a Restricted Directory (' CVE-2022-43752 (** UNSUPPORTED WHEN ASSIGNED ** Oracle Solaris version 10 1/13, when u ...) NOT-FOR-US: Oracle Solaris CVE-2022-43751 (McAfee Total Protection prior to version 16.0.49 contains an uncontrol ...) - TODO: check + NOT-FOR-US: McAfee CVE-2022-43750 (drivers/usb/mon/mon_bin.c in usbmon in the Linux kernel before 5.19.15 ...) {DLA-3173-1} - linux 6.0.2-1 @@ -9828,7 +9828,7 @@ CVE-2022-43215 (Billing System Project v1.0 was discovered to contain a SQL inje CVE-2022-43214 (Billing System Project v1.0 was discovered to contain a SQL injection ...) NOT-FOR-US: Billing System Project CVE-2022-43213 (Billing System Project v1.0 was discovered to contain a SQL injection ...) - TODO: check + NOT-FOR-US: Billing System Project CVE-2022-43212 (Billing System Project v1.0 was discovered to contain a SQL injection ...) NOT-FOR-US: Billing System Project CVE-2022-43211 
@@ -16013,7 +16013,7 @@ CVE-2022-40772 CVE-2022-40771 RESERVED CVE-2022-40770 (Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulner ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine CVE-2022-40769 (profanity through 1.60 has only four billion possible RNG initializati ...) NOT-FOR-US: profanity (not same as src:profanity) CVE-2022-40768 (drivers/scsi/stex.c in the Linux kernel through 5.19.9 allows local us ...) @@ -21261,7 +21261,7 @@ CVE-2022-38726 CVE-2022-38725 RESERVED CVE-2022-38724 (Silverstripe silverstripe/framework through 4.11.0, silverstripe/asset ...) - TODO: check + NOT-FOR-US: SilverStripe CMS CVE-2022-38723 RESERVED CVE-2022-38722 @@ -23039,7 +23039,7 @@ CVE-2022-2793 (Emerson Electric's Proficy Machine Edition Version 9.00 and prior CVE-2022-2792 (Emerson Electric's Proficy Machine Edition Version 9.00 and prior is v ...) NOT-FOR-US: Emerson CVE-2022-2791 (Emerson Electric's Proficy Machine Edition Version 9.00 and prior is v ...) - TODO: check + NOT-FOR-US: Emerson Electric's Proficy Machine Edition CVE-2022-2790 (Emerson Electric's Proficy Machine Edition Version 9.00 and prior is v ...) NOT-FOR-US: Emerson CVE-2022-2789 (Emerson Electric's Proficy Machine Edition Version 9.00 and prior is v ...) 
@@ -23165,11 +23165,11 @@ CVE-2022-38149 (HashiCorp Consul Template up to 0.27.2, 0.28.2, and 0.29.1 may e CVE-2022-38148 (Silverstripe silverstripe/framework through 4.11 allows SQL Injection. ...) NOT-FOR-US: SilverStripe CMS CVE-2022-38147 (Silverstripe silverstripe/framework through 4.11 allows XSS (issue 3 o ...) - TODO: check + NOT-FOR-US: SilverStripe CMS CVE-2022-38146 (Silverstripe silverstripe/framework through 4.11 allows XSS (issue 2 o ...) NOT-FOR-US: SilverStripe CMS CVE-2022-38145 (Silverstripe silverstripe/framework through 4.11 allows XSS (issue 1 o ...) - TODO: check + NOT-FOR-US: SilverStripe CMS CVE-2022-38133 (In JetBrains TeamCity before 2022.04.3 the private SSH key could be wr ...) NOT-FOR-US: JetBrains TeamCity CVE-2022-38132 (Command injection vulnerability in Linksys MR8300 router while Registr ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/098933859d0beb653536b20d2cf5f90613490045
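Review bot: CVE-2022-2791 is marked "NOT-FOR-US: Emerson Electric's Proficy Machine Edition" while its siblings CVE-2022-2792 and CVE-2022-2790 in the same hunk use the shorter "NOT-FOR-US: Emerson"; pick one label for the series so that text searches over the NFU annotations stay consistent. The same applies to CVE-2022-43751, which gets the bare vendor name "McAfee" although the description names the product (McAfee Total Protection). The rest of the hunks (AeroCMS, Billing System Project, Zoho ManageEngine, SilverStripe CMS) match the labels already used by their neighbours.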
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-404{4,5}/mattermost-server
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1d86ed13 by Salvatore Bonaccorso at 2022-11-23T10:50:41+01:00 Add CVE-2022-404{4,5}/mattermost-server - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -869,9 +869,9 @@ CVE-2022-4047 CVE-2022-4046 RESERVED CVE-2022-4045 (A denial-of-service vulnerability in the Mattermost allows an authenti ...) - TODO: check + - mattermost-server (bug #823556) CVE-2022-4044 (A denial-of-service vulnerability in Mattermost allows an authenticate ...) - TODO: check + - mattermost-server (bug #823556) CVE-2022-4043 RESERVED CVE-2022-4042 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d86ed1338e5014a5859c8262d0c05dcad04e6fd
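Review bot: both entries point at bug #823556 without a fixed version, the same no-version form the backdrop ITP entries on this page use, so the shape is fine. What this commit does not cover is CVE-2022-4019 (Mattermost Playbooks plugin denial of service), which the automatic update on this page left at "TODO: check" a few lines further down; if it belongs to the same mattermost-server source it should get the same "- mattermost-server (bug #823556)" line, otherwise a NOT-FOR-US or a NOTE explaining why it is tracked differently.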
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7fbbc639 by Salvatore Bonaccorso at 2022-11-23T09:49:42+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -572,9 +572,9 @@ CVE-2022-45538 CVE-2022-45537 RESERVED CVE-2022-45536 (AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability ...) - TODO: check + NOT-FOR-US: AeroCMS CVE-2022-45535 (AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability ...) - TODO: check + NOT-FOR-US: AeroCMS CVE-2022-45534 RESERVED CVE-2022-45533 @@ -586,7 +586,7 @@ CVE-2022-45531 CVE-2022-45530 RESERVED CVE-2022-45529 (AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability ...) - TODO: check + NOT-FOR-US: AeroCMS CVE-2022-45528 RESERVED CVE-2022-45527 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7fbbc639b1486ccd48fb14f5a6e1b21189a745a4
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46854/proftpd-dfsg
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 18af4dcd by Salvatore Bonaccorso at 2022-11-23T09:37:22+01:00 Add CVE-2021-46854/proftpd-dfsg - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,7 +9,11 @@ CVE-2022-4123 CVE-2022-4122 RESERVED CVE-2021-46854 (mod_radius in ProFTPD before 1.3.7c allows memory disclosure to RADIUS ...) - TODO: check + - proftpd-dfsg 1.3.7c+dfsg-1 + NOTE: https://github.com/proftpd/proftpd/issues/1284 + NOTE: https://github.com/proftpd/proftpd/pull/1285 + NOTE: Fixed by: https://github.com/proftpd/proftpd/commit/10a227b4d50e0a2cd2faf87926f58d865da44e43 (v1.3.8rc2) + NOTE: Fixed by: https://github.com/proftpd/proftpd/commit/e7c0b6e78a81fa97ec41ea6332e5e11b864089b8 (v1.3.7c) CVE-2022-45797 RESERVED CVE-2022-45796 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/18af4dcd08761919fc2c0f0bee99a36f8b517617
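Review bot: the new entry fixes unstable at 1.3.7c+dfsg-1 but adds no [bullseye] or [buster] lines and no bug reference, so both stable suites, which the later "Update information" commit on this page shows at 1.3.7a and 1.3.6 (i.e. "before 1.3.7c" per the description), are reported as vulnerable with no severity assessment from the moment this lands. The two follow-up commits on this page (bullseye triage, then the version/bug update) close that gap, but ideally the suite lines and the bug number land together with the entry. Listing both upstream fix commits, the v1.3.7c one and the v1.3.8rc2 one, is good since they point to different branches.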
[Git][security-tracker-team/security-tracker][master] Track proposed libvncserver update for bullseye-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7eeba1c0 by Salvatore Bonaccorso at 2022-11-23T09:23:46+01:00 Track proposed libvncserver update for bullseye-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -64,3 +64,5 @@ CVE-2022-21690 [bullseye] - onionshare 2.2-3+deb11u1 CVE-2022-21689 [bullseye] - onionshare 2.2-3+deb11u1 +CVE-2020-29260 + [bullseye] - libvncserver 0.9.13+dfsg-2+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7eeba1c0a87fd1da06e3e2649907dc51068f455b
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f568f619 by security tracker role at 2022-11-23T08:10:18+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,15 @@ +CVE-2022-45800 + RESERVED +CVE-2022-45799 + RESERVED +CVE-2022-45798 + RESERVED +CVE-2022-4123 + RESERVED +CVE-2022-4122 + RESERVED +CVE-2021-46854 (mod_radius in ProFTPD before 1.3.7c allows memory disclosure to RADIUS ...) + TODO: check CVE-2022-45797 RESERVED CVE-2022-45796 @@ -555,10 +567,10 @@ CVE-2022-45538 RESERVED CVE-2022-45537 RESERVED -CVE-2022-45536 - RESERVED -CVE-2022-45535 - RESERVED +CVE-2022-45536 (AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability ...) + TODO: check +CVE-2022-45535 (AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability ...) + TODO: check CVE-2022-45534 RESERVED CVE-2022-45533 @@ -569,8 +581,8 @@ CVE-2022-45531 RESERVED CVE-2022-45530 RESERVED -CVE-2022-45529 - RESERVED +CVE-2022-45529 (AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability ...) + TODO: check CVE-2022-45528 RESERVED CVE-2022-45527 @@ -785,8 +797,8 @@ CVE-2022-45474 (drachtio-server 0.8.18 has a request-handler.cpp event_cb use-af NOT-FOR-US: drachtio-server CVE-2022-45473 (In drachtio-server 0.8.18, /var/log/drachtio has mode 0777 and drachti ...) NOT-FOR-US: drachtio-server -CVE-2022-45472 - RESERVED +CVE-2022-45472 (CAE LearningSpace Enterprise (with Intuity License) image 267r patch 6 ...) + TODO: check CVE-2022-45471 (In JetBrains Hub before 2022.3.15181 Throttling was missed when sendin ...) NOT-FOR-US: JetBrains Hub CVE-2022-45470 (** UNSUPPORTED WHEN ASSIGNED ** missing input validation in Apache Ham ...) 
@@ -852,10 +864,10 @@ CVE-2022-4047 RESERVED CVE-2022-4046 RESERVED -CVE-2022-4045 - RESERVED -CVE-2022-4044 - RESERVED +CVE-2022-4045 (A denial-of-service vulnerability in the Mattermost allows an authenti ...) + TODO: check +CVE-2022-4044 (A denial-of-service vulnerability in Mattermost allows an authenticate ...) + TODO: check CVE-2022-4043 RESERVED CVE-2022-4042 @@ -930,8 +942,8 @@ CVE-2022-4021 (The Permalink Manager Lite plugin for WordPress is vulnerable to NOT-FOR-US: Permalink Manager Lite plugin for WordPress CVE-2022-4020 RESERVED -CVE-2022-4019 - RESERVED +CVE-2022-4019 (A denial-of-service vulnerability in the Mattermost Playbooks plugin a ...) + TODO: check CVE-2022-4018 (Missing Authentication for Critical Function in GitHub repository ikus ...) - rdiffweb (bug #969974) CVE-2022-4017 @@ -1515,10 +1527,10 @@ CVE-2022-45333 RESERVED CVE-2022-45332 RESERVED -CVE-2022-45331 - RESERVED -CVE-2022-45330 - RESERVED +CVE-2022-45331 (AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability ...) + TODO: check +CVE-2022-45330 (AeroCMS v0.0.1 was discovered to contain a SQL Injection vulnerability ...) + TODO: check CVE-2022-45329 RESERVED CVE-2022-45328 @@ -8301,8 +8313,8 @@ CVE-2022-43753 (A Improper Limitation of a Pathname to a Restricted Directory (' NOT-FOR-US: Uyuni CVE-2022-43752 (** UNSUPPORTED WHEN ASSIGNED ** Oracle Solaris version 10 1/13, when u ...) NOT-FOR-US: Oracle Solaris -CVE-2022-43751 - RESERVED +CVE-2022-43751 (McAfee Total Protection prior to version 16.0.49 contains an uncontrol ...) + TODO: check CVE-2022-43750 (drivers/usb/mon/mon_bin.c in usbmon in the Linux kernel before 5.19.15 ...) {DLA-3173-1} - linux 6.0.2-1 
@@ -9637,9 +9649,9 @@ CVE-2022-43287 RESERVED CVE-2022-43286 (Nginx NJS v0.7.2 was discovered to contain a heap-use-after-free bug c ...) NOT-FOR-US: njs -CVE-2022-43285 (Nginx NJS v0.7.4 was discovered to contain a segmentation violation in ...) +CVE-2022-43285 (** DISPUTED ** Nginx NJS v0.7.4 was discovered to contain a segmentati ...) NOT-FOR-US: njs -CVE-2022-43284 (Nginx NJS v0.7.2 to v0.7.4 was discovered to contain a segmentation vi ...) +CVE-2022-43284 (** DISPUTED ** Nginx NJS v0.7.2 to v0.7.4 was discovered to contain a ...) NOT-FOR-US: njs CVE-2022-43283 (wasm2c v1.0.29 was discovered to contain an abort in CWriter::Write. ...) - wabt (unimportant) @@ -9811,8 +9823,8 @@ CVE-2022-43215 (Billing System Project v1.0 was discovered to contain a SQL inje NOT-FOR-US: Billing System Project CVE-2022-43214 (Billing System Project v1.0 was discovered to contain a SQL injection ...) NOT-FOR-US: Billing System Project -CVE-2022-43213 - RESERVED +CVE-2022-43213 (Billing System Project v1.0 was discover
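Review bot: besides the new RESERVED placeholders, this automatic update turns a batch of entries from RESERVED into "TODO: check" (CVE-2021-46854, CVE-2022-45536/45535/45529/45331/45330, CVE-2022-45472, CVE-2022-4045/4044/4019, CVE-2022-43751, CVE-2022-43213); the manual commits on this page process all of them except CVE-2022-45472 (CAE LearningSpace Enterprise) and CVE-2022-4019 (Mattermost Playbooks plugin), which still need triage. The two njs entries (CVE-2022-43285, CVE-2022-43284) only gain a "** DISPUTED **" prefix in the description and keep their "NOT-FOR-US: njs" status, which is correct since the dispute does not change that the package is not in Debian. The diff is cut off in the CVE-2022-43213 hunk, so anything after that point in the update is not reviewable from this mail.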
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for four tiff issues, #1024670
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 776c2ad2 by Salvatore Bonaccorso at 2022-11-23T09:06:25+01:00 Add Debian bug reference for four tiff issues, #1024670 Signed-off-by: Salvatore Bonaccorso- - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21433,7 +21433,7 @@ CVE-2022-38668 (HTTP applications (servers) based on Crow through 1.0+4 may reve CVE-2022-38667 (HTTP applications (servers) based on Crow through 1.0+4 may allow a Us ...) NOT-FOR-US: CrowCpp CVE-2022-2953 (LibTIFF 4.4.0 has an out-of-bounds read in extractImageSection in tool ...) - - tiff (unimportant) + - tiff (unimportant; bug #1024670) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/414 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/8fe3735942ea1d90d8cef843b55b3efe8ab6feaf NOTE: https://gitlab.com/libtiff/libtiff/-/commit/bad48e90b410df32172006c7876da449ba62cdba 
@@ -27515,21 +27515,21 @@ CVE-2022-2522 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to NOTE: https://github.com/vim/vim/commit/5fa9f23a63651a8abdb074b4fc2ec9b1adc6b089 (v9.0.0061) NOTE: Crash in CLI tool, no security impact CVE-2022-2521 (It was found in libtiff 4.4.0rc1 that there is an invalid pointer free ...) - - tiff (unimportant) + - tiff (unimportant; bug #1024670) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/422 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/378 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/8fe3735942ea1d90d8cef843b55b3efe8ab6feaf NOTE: https://gitlab.com/libtiff/libtiff/-/commit/bad48e90b410df32172006c7876da449ba62cdba NOTE: Crash in CLI tool, no security impact CVE-2022-2520 (A flaw was found in libtiff 4.4.0rc1. There is a sysmalloc assertion f ...) - - tiff (unimportant) + - tiff (unimportant; bug #1024670) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/424 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/378 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/8fe3735942ea1d90d8cef843b55b3efe8ab6feaf NOTE: https://gitlab.com/libtiff/libtiff/-/commit/bad48e90b410df32172006c7876da449ba62cdba NOTE: Crash in CLI tool, no security impact CVE-2022-2519 (There is a double free or corruption in rotateImage() at tiffcrop.c:88 ...) - - tiff (unimportant) + - tiff (unimportant; bug #1024670) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/423 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/378 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/8fe3735942ea1d90d8cef843b55b3efe8ab6feaf View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/776c2ad2e6592d29ca04cad7303b16b1df93c286
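Review bot: the annotation order used here is "(unimportant; bug #1024670)", whereas the vim entries edited elsewhere on this page use "(bug #1015984; unimportant)"; both forms already occur in the file, so this is a style point only, but settling on one order makes the list easier to search. All four tiff entries (CVE-2022-2953, CVE-2022-2521, CVE-2022-2520, CVE-2022-2519) share the same upstream fix commits 8fe37359… and bad48e90…, so one bug number for the set is appropriate.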