[Git][security-tracker-team/security-tracker][master] CVE-2017-16909: fix commit id of patch
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 27b04511 by Helmut Grohne at 2022-11-28T08:32:04+01:00 CVE-2017-16909: fix commit id of patch I've also re-checked buster to really be fixed. The code has been significantly redone and includes the necessary checks. Later releases will be fixed as well. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -336749,7 +336749,7 @@ CVE-2017-16909 (An error related to the "LibRaw::panasonic_load_raw()" function [jessie] - libraw (Minor issue) [wheezy] - libraw (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-19 - NOTE: https://github.com/LibRaw/LibRaw/commit/2f59bac59dbcbf6bbcf01a9f3eed74307e96ca7e + NOTE: https://github.com/LibRaw/LibRaw/commit/f1394822a0152ceed77815eafa5cac4e8baab10a CVE-2017-16908 (In Horde Groupware 5.2.19, there is XSS via the Name field during crea ...) {DLA-2350-1} - php-horde-kronolith 4.2.24-1 (bug #909738) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27b045113279caaaf2ddecfc97a35b1377137ee0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27b045113279caaaf2ddecfc97a35b1377137ee0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
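Review bot: the replacement NOTE URL carries no upstream release annotation, while other upstream fix references in this file tag the commit with the release it first shipped in (e.g. "(heimdal-7.7.1)" and "(v9.0.0947)" in other commits on this page); suggest appending the LibRaw release that contains f1394822a0152ceed77815eafa5cac4e8baab10a, so the "[jessie]/[wheezy] (Minor issue)" triage and the buster status asserted in the commit message can be checked against a version rather than a bare commit id.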
[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-4145 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b9fbb284 by Salvatore Bonaccorso at 2022-11-28T07:57:03+01:00 Mark CVE-2022-4145 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -52,6 +52,7 @@ CVE-2022-45911 RESERVED CVE-2022-4145 RESERVED + NOT-FOR-US: OpenShift CVE-2022-45910 RESERVED CVE-2022-45909 (drachtio-server 0.8.18 has a heap-based buffer over-read via a long Re ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9fbb28412bf7db315db899a9734cdd9a891f67e
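Review bot: the added "NOT-FOR-US: OpenShift" line has no accompanying NOTE: pointing at the advisory or tracker entry that attributes the id to OpenShift; the other NFU lines on this page sit under a CVE description that names the product, whereas CVE-2022-4145 is still RESERVED with no description text in this hunk. A NOTE with the source of the attribution would make the decision reviewable once the CVE is published.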
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2022-3650
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fc659545 by Salvatore Bonaccorso at 2022-11-28T06:22:47+01:00 Add Debian bug reference for CVE-2022-3650 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9105,7 +9105,7 @@ CVE-2022-3651 RESERVED CVE-2022-3650 [ceph-crash.service allows local ceph user to root exploit] RESERVED - - ceph + - ceph (bug #1024932) NOTE: https://www.openwall.com/lists/oss-security/2022/10/25/1 NOTE: https://tracker.ceph.com/issues/57967 NOTE: https://github.com/ceph/ceph/pull/48713 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc659545a1c12455ad3b7fc6572ed064c10124c4
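Review bot: the entry still has no fixed version and no suite triage line, and none of the three NOTE references (oss-security post, tracker.ceph.com issue, ceph PR 48713) records whether the PR is merged or which upstream release carries it, so the newly added bug reference cannot yet be resolved to a version. Suggest a NOTE with the merge commit or release tag once known, in the "(tag)" style used for other upstream fix references in this file.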
[Git][security-tracker-team/security-tracker][master] 2 commits: Claim jhead in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b579936 by Markus Koschany at 2022-11-28T00:07:05+01:00 Claim jhead in dla-needed.txt - - - - - dd79809b by Markus Koschany at 2022-11-28T00:07:26+01:00 Claim jhead in dsa-needed.txt - - - - - 2 changed files: - data/dla-needed.txt - data/dsa-needed.txt Changes: = data/dla-needed.txt = @@ -93,7 +93,7 @@ ini4j (Markus Koschany) NOTE: 20221012: Programming language: Java. NOTE: 20221012: Require investigation (lamby) -- -jhead +jhead (Markus Koschany) NOTE: 20221031: Programming language: C. NOTE: 20221031: Note that multiple options are vulnerable. The attacker have to trick someone to execute the command but arbitrary code exectuion is not good.. NOTE: 20221031: It should be stated in the DLA that multiple options are affected.. = data/dsa-needed.txt = @@ -18,7 +18,7 @@ frr -- gerbv -- -jhead +jhead (apo) -- lava -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/59f40b51cd3d93ffb48e068d699ecf8c01f08008...dd79809b6bdcc9e456bc0989db484fb14c42087b
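Review bot: the two claims differ in form: dla-needed.txt gets "jhead (Markus Koschany)" while dsa-needed.txt gets "jhead (apo)". The dsa-needed.txt header quoted in the commons-configuration2 commit on this page reads "To pick an issue, simply add your uid behind it", so the uid form is the documented one, and using the same identifier in both files makes the two claims findable with one grep. The retained NOTE lines in the dla-needed.txt hunk ("The attacker have to", "exectuion", doubled full stops) could be tidied in the same pass.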
[Git][security-tracker-team/security-tracker][master] Claim commons-configuration2 in dsa-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 59f40b51 by Markus Koschany at 2022-11-28T00:04:07+01:00 Claim commons-configuration2 in dsa-needed.txt - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -12,7 +12,7 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. -- -commons-configuration2 +commons-configuration2 (apo) -- frr -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59f40b51cd3d93ffb48e068d699ecf8c01f08008
[Git][security-tracker-team/security-tracker][master] 2 commits: Claim ini4j in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 02490bd0 by Markus Koschany at 2022-11-27T23:27:51+01:00 Claim ini4j in dla-needed.txt - - - - - 3f7f5edd by Markus Koschany at 2022-11-27T23:28:52+01:00 Reserve DLA-3208-1 for varnish - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -194003,7 +194003,6 @@ CVE-2020-11654 RESERVED CVE-2020-11653 (An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6 ...) - varnish 6.4.0-1 (bug #956307) - [buster] - varnish (Can be fixed along in next DSA) [stretch] - varnish (Only affects 6.x) [jessie] - varnish (Only affects 6.x) NOTE: https://varnish-cache.org/security/VSV5.html#vsv5 = data/DLA/list = @@ -1,3 +1,6 @@ +[27 Nov 2022] DLA-3208-1 varnish - security update + {CVE-2020-11653 CVE-2022-45060} + [buster] - varnish 6.1.1-1+deb10u4 [27 Nov 2022] DLA-3207-1 jackson-databind - security update {CVE-2020-36518 CVE-2022-42003 CVE-2022-42004} [buster] - jackson-databind 2.9.8-3+deb10u4 = data/dla-needed.txt = @@ -89,7 +89,7 @@ imagemagick (Roberto C. Sánchez) NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git NOTE: 20220904: Should be synced with Stretch. (apo) -- -ini4j +ini4j (Markus Koschany) NOTE: 20221012: Programming language: Java. NOTE: 20221012: Require investigation (lamby) -- 
@@ -331,10 +331,6 @@ trafficserver twisted (Dominik George) NOTE: 20221030: Programming language: Python. -- -varnish (Markus Koschany) - NOTE: 20221109: Programming language: C. - NOTE: 20221109: First DLA, 3 minor CVEs to fix (Beuc/front-desk) --- virglrenderer (Thorsten Alteholz) NOTE: 20221009: Programming language: C. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1af13e3376f0932c4781fd9a7241373b91e149e8...3f7f5edd18002d34426498de0b7eb14a7e3506da
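Review bot: the removed dla-needed.txt note says "First DLA, 3 minor CVEs to fix", but the new DLA-3208-1 entry lists only two ({CVE-2020-11653 CVE-2022-45060}), and the data/CVE/list hunk drops the [buster] postponed line for CVE-2020-11653 only. Worth confirming that the third CVE was deliberately left out (and that its [buster] line still records why) or adding it to the DLA entry before the advisory text goes out.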
[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1af13e33 by Moritz Muehlenhoff at 2022-11-27T22:45:21+01:00 bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -94,6 +94,7 @@ CVE-2022-4142 RESERVED CVE-2022-4141 (The target's backtrace indicates that libc has detected a heap error o ...) - vim + [bullseye] - vim (Minor issue) NOTE: https://huntr.dev/bounties/20ece512-c600-45ac-8a84-d0931e05541f NOTE: https://github.com/vim/vim/commit/cc762a48d42b579fb7bdec2c614636b830342dd5 (v9.0.0947) CVE-2022-4140 @@ -9596,6 +9597,7 @@ CVE-2022-3607 (Failure to Sanitize Special Elements into a Different Plane (Spec - octoprint (bug #718591) CVE-2022-3606 (A vulnerability was found in Linux Kernel. It has been classified as p ...) - libbpf (bug #1023717) + [bullseye] - libbpf (Minor issue) NOTE: Introduced by: https://github.com/libbpf/libbpf/commit/a3abae5122f30b83baebd4e4dd8ba4578a87cd4b (v0.2) NOTE: Fixed by: https://github.com/libbpf/libbpf/commit/3a3ef0c1d09e1894740db71cdcb7be0bfd713671 CVE-2022-3605 
@@ -10803,6 +10805,7 @@ CVE-2022-3535 (A vulnerability classified as problematic was found in Linux Kern NOTE: https://git.kernel.org/linus/0152dfee235e87660f52a117fc9f70dc55956bb4 (6.1-rc1) CVE-2022-3534 (A vulnerability classified as critical has been found in Linux Kernel. ...) - libbpf (bug #1023717) + [bullseye] - libbpf (Minor issue) NOTE: Introduced by: https://github.com/libbpf/libbpf/commit/7ac1547f32f060d84b06c74edbb2c6896cc07949 (v0.2) NOTE: Fixed by: https://github.com/libbpf/libbpf/commit/54caf920db0e489de90f341e2a51ddbcd084 CVE-2022-3533 (A vulnerability was found in Linux Kernel. It has been rated as proble ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1af13e3376f0932c4781fd9a7241373b91e149e8
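Review bot: in the CVE-2022-3534 hunk the "Fixed by" reference https://github.com/libbpf/libbpf/commit/54caf920db0e489de90f341e2a51ddbcd084 is a 36-character hash, while the other libbpf references in this commit (e.g. 3a3ef0c1d09e1894740db71cdcb7be0bfd713671) are full 40-character SHAs, so it looks truncated. GitHub resolves abbreviated hashes, but please verify it points at the intended fix and record the full SHA, plus a "(vX.Y)" tag as the "Introduced by" lines have, so the new bullseye "Minor issue" triage stays checkable.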
[Git][security-tracker-team/security-tracker][master] chromium DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 558c7707 by Moritz Mühlenhoff at 2022-11-27T22:25:26+01:00 chromium DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[27 Nov 2022] DSA-5289-1 chromium - security update + {CVE-2022-4135} + [bullseye] - chromium 107.0.5304.121-1~deb11u1 [25 Nov 2022] DSA-5288-1 graphicsmagick - security update {CVE-2022-1270} [bullseye] - graphicsmagick 1.4+really1.3.36+hg16481-2+deb11u1 = data/dsa-needed.txt = @@ -11,8 +11,6 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. --- -chromium -- commons-configuration2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/558c77079fff4f06f05d0075cb8fd5be28032c4e
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2022-45907/pytorch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9176c81e by Salvatore Bonaccorso at 2022-11-27T21:11:39+01:00 Add Debian bug reference for CVE-2022-45907/pytorch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -59,7 +59,7 @@ CVE-2022-45909 (drachtio-server 0.8.18 has a heap-based buffer over-read via a l CVE-2022-45908 (In PaddlePaddle before 2.4, paddle.audio.functional.get_window is vuln ...) TODO: check CVE-2022-45907 (In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line c ...) - - pytorch + - pytorch (bug #1024903) [bullseye] - pytorch (Minor issue) NOTE: https://github.com/pytorch/pytorch/commit/767f6aa49fe20a2766b9843d01e3b7f7793df6a3 NOTE: https://github.com/pytorch/pytorch/issues/88868 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9176c81e2cc08e53dd60f3787a0e7a8c6698e16a
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4e0708ff by security tracker role at 2022-11-27T20:10:31+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2022-45935 + RESERVED CVE-2022-45934 (An issue was discovered in the Linux kernel through 6.0.10. l2cap_conf ...) - linux NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=ae4569813a6e931258db627cdfe50dfb4f917d5d @@ -13313,13 +13315,13 @@ CVE-2022-42006 CVE-2022-42005 RESERVED CVE-2022-42004 (In FasterXML jackson-databind before 2.13.4, resource exhaustion can o ...) - {DSA-5283-1} + {DSA-5283-1 DLA-3207-1} - jackson-databind 2.14.0-1 NOTE: https://github.com/FasterXML/jackson-databind/issues/3582 NOTE: https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9293ed2f17ec53ea80ba88 (jackson-databind-2.13.4) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50490 CVE-2022-42003 (In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion c ...) - {DSA-5283-1} + {DSA-5283-1 DLA-3207-1} - jackson-databind 2.14.0-1 NOTE: https://github.com/FasterXML/jackson-databind/issues/3590 NOTE: https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33 (jackson-databind-2.14.0-rc1) 
@@ -55198,7 +55200,7 @@ CVE-2021-46708 (The swagger-ui-dist package before 4.1.3 for Node.js could allow - node-swagger-ui (bug #871461) - swagger-ui (bug #895422) CVE-2020-36518 (jackson-databind before 2.13.0 allows a Java StackOverflow exception a ...) - {DSA-5283-1 DLA-2990-1} + {DSA-5283-1 DLA-3207-1 DLA-2990-1} - jackson-databind 2.13.2.2-1 (bug #1007109) NOTE: https://github.com/FasterXML/jackson-databind/issues/2816 CVE-2018-25031 (Swagger UI before 4.1.3 could allow a remote attacker to conduct spoof ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e0708ff57808933be3fa327163fe84de7e186b9
[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-45907 as no-dsa for bullseye
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eb1466f5 by Salvatore Bonaccorso at 2022-11-27T20:35:38+01:00 Mark CVE-2022-45907 as no-dsa for bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -58,6 +58,7 @@ CVE-2022-45908 (In PaddlePaddle before 2.4, paddle.audio.functional.get_window i TODO: check CVE-2022-45907 (In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line c ...) - pytorch + [bullseye] - pytorch (Minor issue) NOTE: https://github.com/pytorch/pytorch/commit/767f6aa49fe20a2766b9843d01e3b7f7793df6a3 NOTE: https://github.com/pytorch/pytorch/issues/88868 CVE-2022-45906 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb1466f5e774f57da4c72e05b1db8ea3a1161b66
[Git][security-tracker-team/security-tracker][master] Track fixed version for various heimdal issues fixed via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dfe99cca by Salvatore Bonaccorso at 2022-11-27T20:22:27+01:00 Track fixed version for various heimdal issues fixed via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4702,7 +4702,7 @@ CVE-2022-44641 (In Linaro Automated Validation Architecture (LAVA) before 2022.1 CVE-2022-44640 [Invalid free in ASN.1 codec] RESERVED {DSA-5287-1 DLA-3206-1} - - heimdal (bug #1024187) + - heimdal 7.8.git20221115.a6cf945+dfsg-1 (bug #1024187) NOTE: https://github.com/heimdal/heimdal/security/advisories/GHSA-88pm-hfmq-7vv4 NOTE: https://github.com/heimdal/heimdal/commit/ea5ec8f174920cb80ce2b168b49195378420449e (heimdal-7.7.1) CVE-2022-44639 @@ -11168,7 +11168,7 @@ CVE-2022-42899 (Bentley MicroStation and MicroStation-based applications may be CVE-2022-42898 [krb5_pac_parse() buffer parsing vulnerability] RESERVED {DSA-5287-1 DSA-5286-1 DLA-3206-1} - - heimdal (bug #1024187) + - heimdal 7.8.git20221115.a6cf945+dfsg-1 (bug #1024187) - krb5 1.20.1-1 (bug #1024267) - samba 2:4.17.3+dfsg-1 NOTE: https://www.samba.org/samba/security/CVE-2022-42898.html @@ -11717,7 +11717,7 @@ CVE-2022-3437 [Buffer overflow in Heimdal unwrap_des3()] RESERVED {DSA-5287-1 DLA-3206-1} - samba 2:4.16.6+dfsg-1 - - heimdal (bug #1024187) + - heimdal 7.8.git20221115.a6cf945+dfsg-1 (bug #1024187) NOTE: https://www.samba.org/samba/security/CVE-2022-3437.html NOTE: https://bugzilla.samba.org/show_bug.cgi?id=15134 NOTE: https://github.com/heimdal/heimdal/security/advisories/GHSA-45j3-5v39-rf9j 
@@ -13508,7 +13508,7 @@ CVE-2022-41917 (OpenSearch is a community-driven, open source fork of Elasticsea NOT-FOR-US: OpenSearch CVE-2022-41916 (Heimdal is an implementation of ASN.1/DER, PKIX, and Kerberos. Version ...) {DSA-5287-1 DLA-3206-1} - - heimdal (bug #1024187) + - heimdal 7.8.git20221115.a6cf945+dfsg-1 (bug #1024187) NOTE: https://github.com/heimdal/heimdal/security/advisories/GHSA-mgqr-gvh6-23cx NOTE: https://github.com/heimdal/heimdal/commit/eb87af0c2d189c25294c7daf483a47b03af80c2c (heimdal-7.7.1) CVE-2022-41915 @@ -75254,7 +75254,7 @@ CVE-2021-4081 (pimcore is vulnerable to Improper Neutralization of Input During CVE-2021-44758 [spnego: send_reject when no mech selected] RESERVED {DSA-5287-1 DLA-3206-1} - - heimdal (bug #1024187) + - heimdal 7.8.git20221115.a6cf945+dfsg-1 (bug #1024187) NOTE: https://github.com/heimdal/heimdal/security/advisories/GHSA-69h9-669w-88xv NOTE: https://github.com/heimdal/heimdal/commit/f9ec7002cdd526ae84fbacbf153162e118f22580 (heimdal-7.7.1) CVE-2021-44757 (Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Centr ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dfe99ccabc00a38667788bfa7a77d8b6b204cf5c
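Review bot: the fixed version 7.8.git20221115.a6cf945+dfsg-1 is a git snapshot, while the NOTE lines reference fix commits tagged "(heimdal-7.7.1)" (ea5ec8f1..., eb87af0c..., f9ec7002...), and nothing in the five hunks states that snapshot a6cf945 is a descendant of those commits. One NOTE line saying that a6cf945 contains the 7.7.1 fixes would let the version claim for all five CVEs be verified without re-deriving upstream history. The samba line for CVE-2022-42898 also lacks the "(bug #...)" reference that the heimdal and krb5 lines carry.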
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-39237/golang-github-sylabs-sif
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d5f2dc2a by Salvatore Bonaccorso at 2022-11-27T20:18:48+01:00 Track fixed version for CVE-2022-39237/golang-github-sylabs-sif - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20087,7 +20087,7 @@ CVE-2022-39239 (netlify-ipx is an on-Demand image optimization for Netlify using CVE-2022-39238 (Arvados is an open source platform for managing and analyzing biomedic ...) NOT-FOR-US: Arvados CVE-2022-39237 (syslabs/sif is the Singularity Image Format (SIF) reference implementa ...) - - golang-github-sylabs-sif (bug #1023570) + - golang-github-sylabs-sif 2.8.3-1 (bug #1023570) [bullseye] - golang-github-sylabs-sif (Minor issue) - singularity-container 3.10.3+ds1-1 NOTE: https://github.com/sylabs/sif/security/advisories/GHSA-m5m3-46gj-wch8 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5f2dc2a527b064c8081e7431d0f02b401f59ea4
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3207-1 for jackson-databind
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ce7864de by Markus Koschany at 2022-11-27T19:50:08+01:00 Reserve DLA-3207-1 for jackson-databind - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -55199,7 +55199,6 @@ CVE-2021-46708 (The swagger-ui-dist package before 4.1.3 for Node.js could allow CVE-2020-36518 (jackson-databind before 2.13.0 allows a Java StackOverflow exception a ...) {DSA-5283-1 DLA-2990-1} - jackson-databind 2.13.2.2-1 (bug #1007109) - [buster] - jackson-databind (Minor issue) NOTE: https://github.com/FasterXML/jackson-databind/issues/2816 CVE-2018-25031 (Swagger UI before 4.1.3 could allow a remote attacker to conduct spoof ...) - node-swagger-ui (bug #871461) = data/DLA/list = @@ -1,3 +1,6 @@ +[27 Nov 2022] DLA-3207-1 jackson-databind - security update + {CVE-2020-36518 CVE-2022-42003 CVE-2022-42004} + [buster] - jackson-databind 2.9.8-3+deb10u4 [26 Nov 2022] DLA-3206-1 heimdal - security update {CVE-2019-14870 CVE-2021-3671 CVE-2021-44758 CVE-2022-3437 CVE-2022-41916 CVE-2022-42898 CVE-2022-44640} [buster] - heimdal 7.5.0+dfsg-3+deb10u1 = data/dla-needed.txt = 
@@ -93,9 +93,6 @@ ini4j NOTE: 20221012: Programming language: Java. NOTE: 20221012: Require investigation (lamby) -- -jackson-databind (Markus Koschany) - NOTE: 20221030: Programming language: Java. --- jhead NOTE: 20221031: Programming language: C. NOTE: 20221031: Note that multiple options are vulnerable. The attacker have to trick someone to execute the command but arbitrary code exectuion is not good.. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce7864debc3bf998f83a9cf99927a672c729d72a
[Git][security-tracker-team/security-tracker][master] LTS: claim netatalk in dla-needed.txt
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 4e41abfa by Anton Gladky at 2022-11-27T09:43:32+01:00 LTS: claim netatalk in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -162,7 +162,7 @@ multipath-tools net-snmp NOTE: 20221120: Programming language: C. -- -netatalk +netatalk (gladk) NOTE: 20220816: Programming language: C. NOTE: 20220912: We get errors in the log, not present on bookworm. Needs more investigation. (stefanor) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e41abfade4a23199d26118243f0f81251a49df4
[Git][security-tracker-team/security-tracker][master] 4 commits: Mark CVE-2009-1143/open-vm-tools as postponed for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 918a2392 by Utkarsh Gupta at 2022-11-27T14:10:46+05:30 Mark CVE-2009-1143/open-vm-tools as postponed for buster - - - - - 1fba0734 by Utkarsh Gupta at 2022-11-27T14:10:47+05:30 Mark CVE-2022-396{4,5}/ffmpeg as postponed for buster - - - - - d34e07f6 by Utkarsh Gupta at 2022-11-27T14:10:47+05:30 Add lava to dla-needed - - - - - e8fe3b20 by Utkarsh Gupta at 2022-11-27T14:10:47+05:30 Add pngcheck to dla-needed - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -2234,10 +2234,12 @@ CVE-2022-3966 (A vulnerability, which was classified as critical, has been found CVE-2022-3965 (A vulnerability classified as problematic was found in ffmpeg. This vu ...) - ffmpeg [bullseye] - ffmpeg (Wait until it lands in 4.1.x) + [buster] - ffmpeg (Wait until it lands in 4.1.x) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/13c13109759090b7f7182480d075e13b36ed8edd CVE-2022-3964 (A vulnerability classified as problematic has been found in ffmpeg. Th ...) - ffmpeg [bullseye] - ffmpeg (Wait until it lands in 4.1.x) + [buster] - ffmpeg (Wait until it lands in 4.1.x) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/92f9b28ed84a77138105475beba16c146bdaf984 CVE-2022-45197 RESERVED 
@@ -544432,6 +544434,7 @@ CVE-2009-1144 (Untrusted search path vulnerability in the Gentoo package of Xpdf CVE-2009-1143 (An issue was discovered in open-vm-tools 2009.03.18-154848. Local user ...) - open-vm-tools 2:12.0.0-1 [bullseye] - open-vm-tools (Minor issue; mount.vmhgfs not suid root in Debian) + [buster] - open-vm-tools (Minor issue; mount.vmhgfs not suid root in Debian) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=372070 NOTE: Removing hgfsmounter/mount.vmhgfs: https://github.com/vmware/open-vm-tools/commit/61331a189a0eeb76f014db28288b06c0323bc0b9 (stable-12.0.0) CVE-2009-1142 (An issue was discovered in open-vm-tools 2009.03.18-154848. Local user ...) = data/dla-needed.txt = @@ -112,6 +112,9 @@ kopanocore krb5 (Chris Lamb) NOTE: 20221117: Programming language: C. -- +lava + NOTE: 20221127: Programming language: Python. +-- libapreq2 NOTE: 20221031: Programming language: C. -- @@ -249,6 +252,9 @@ pluxml NOTE: 20220913: Programming language: PHP. NOTE: 20220913: Special attention: orphaned package. -- +pngcheck + NOTE: 20221127: Programming language: C. +-- protobuf NOTE: 20221031: Programming language: Several. NOTE: 20221031: Note the 'Note' that one of the CVEs affects the generated code and must therefore get special attention from the application developer using protobuf. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1efc6d893859bc3052b4d8017cc2caf411f3e63d...e8fe3b20dd7c213bff3b4f969acab04d97d66eff
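Review bot: the new "[buster] - ffmpeg (Wait until it lands in 4.1.x)" lines for CVE-2022-3964 and CVE-2022-3965 copy the bullseye rationale verbatim, branch name included; if buster and bullseye ship different ffmpeg branches, each suite's line should name the branch that suite actually follows, otherwise a reader cannot tell which upstream backport is being waited for. The new lava and pngcheck entries in dla-needed.txt carry only a "Programming language" NOTE; a one-line triage hint of the kind the jhead and protobuf entries have would help whoever picks them up.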
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-45907/pytorch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1efc6d89 by Salvatore Bonaccorso at 2022-11-27T09:37:17+01:00 Add CVE-2022-45907/pytorch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -57,7 +57,9 @@ CVE-2022-45909 (drachtio-server 0.8.18 has a heap-based buffer over-read via a l CVE-2022-45908 (In PaddlePaddle before 2.4, paddle.audio.functional.get_window is vuln ...) TODO: check CVE-2022-45907 (In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line c ...) - TODO: check + - pytorch + NOTE: https://github.com/pytorch/pytorch/commit/767f6aa49fe20a2766b9843d01e3b7f7793df6a3 + NOTE: https://github.com/pytorch/pytorch/issues/88868 CVE-2022-45906 RESERVED CVE-2022-45905 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1efc6d893859bc3052b4d8017cc2caf411f3e63d
[Git][security-tracker-team/security-tracker][master] Remove todo item for CVE-2022-45919
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cb1e1c6d by Salvatore Bonaccorso at 2022-11-27T09:36:30+01:00 Remove todo item for CVE-2022-45919 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32,7 +32,6 @@ CVE-2022-45920 CVE-2022-45919 (An issue was discovered in the Linux kernel through 6.0.10. In drivers ...) - linux NOTE: https://lore.kernel.org/linux-media/20221121063308.GA33821%40ubuntu/T/#u - TODO: check CVE-2022-45918 RESERVED CVE-2022-45917 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb1e1c6ddec5ed6b7191f11da4a588194c16fa06
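Review bot: the TODO is dropped but the entry is left with only the lore.kernel.org thread as reference and no fixing commit, so nothing lets a fixed version be tracked for "- linux" (compare CVE-2022-45934 further down this page, which links a commit). Suggest keeping a NOTE that points at the patch once it has a commit id, or stating explicitly that the entry is awaiting an upstream fix.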
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: aa4f396c by Salvatore Bonaccorso at 2022-11-27T09:35:56+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2,13 +2,13 @@ CVE-2022-45934 (An issue was discovered in the Linux kernel through 6.0.10. l2ca - linux NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=ae4569813a6e931258db627cdfe50dfb4f917d5d CVE-2022-45933 (KubeView through 0.1.31 allows attackers to obtain control of a Kubern ...) - TODO: check + NOT-FOR-US: KubeView CVE-2022-45932 (A SQL injection issue was discovered in AAA in OpenDaylight (ODL) befo ...) - TODO: check + NOT-FOR-US: OpenDaylight CVE-2022-45931 (A SQL injection issue was discovered in AAA in OpenDaylight (ODL) befo ...) - TODO: check + NOT-FOR-US: OpenDaylight CVE-2022-45930 (A SQL injection issue was discovered in AAA in OpenDaylight (ODL) befo ...) - TODO: check + NOT-FOR-US: OpenDaylight CVE-2022-45929 RESERVED CVE-2022-45928 @@ -2099,7 +2099,7 @@ CVE-2022-45227 CVE-2022-45226 RESERVED CVE-2022-45225 (Book Store Management System v1.0 was discovered to contain a cross-si ...) - TODO: check + NOT-FOR-US: Book Store Management System CVE-2022-45224 RESERVED CVE-2022-45223 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa4f396c1b8cb50b4ad5863b0c6aebe6c58ac2b9
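Review bot: the three OpenDaylight CVEs (2022-45930 to 2022-45932) share an identical truncated description ("A SQL injection issue was discovered in AAA in OpenDaylight (ODL) befo ...") and are marked NOT-FOR-US in one go; since only the first 70 characters are visible in the list, it is worth confirming from the full descriptions that all three really concern the same unpackaged AAA component before treating them as a block. The KubeView and Book Store Management System entries in the same change are self-explanatory.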
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-45934/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b558620 by Salvatore Bonaccorso at 2022-11-27T09:31:12+01:00 Add CVE-2022-45934/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,6 @@ CVE-2022-45934 (An issue was discovered in the Linux kernel through 6.0.10. l2cap_conf ...) - TODO: check + - linux + NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=ae4569813a6e931258db627cdfe50dfb4f917d5d CVE-2022-45933 (KubeView through 0.1.31 allows attackers to obtain control of a Kubern ...) TODO: check CVE-2022-45932 (A SQL injection issue was discovered in AAA in OpenDaylight (ODL) befo ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b558620a5cf1018f190109c828d772f59ee2b4a
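Review bot: the NOTE points at the bluetooth-next tree (commit ae456981), not mainline, so the `- linux` line correctly carries no fixed version yet; the entry should be revisited when that commit reaches the mainline tree so the first fixed upstream release can be recorded. The description's "through 6.0.10" also means each stable suite's kernel will need checking for a backport rather than relying on the unstable version alone.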
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-45919/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2df6f3de by Salvatore Bonaccorso at 2022-11-27T09:26:50+01:00 Add CVE-2022-45919/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29,6 +29,8 @@ CVE-2022-45921 CVE-2022-45920 RESERVED CVE-2022-45919 (An issue was discovered in the Linux kernel through 6.0.10. In drivers ...) + - linux + NOTE: https://lore.kernel.org/linux-media/20221121063308.GA33821%40ubuntu/T/#u TODO: check CVE-2022-45918 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2df6f3debcabd7a32151ca02f338024dbf8e70fa
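Review bot: the `TODO: check` context line below the new NOTE is left in place, so the entry now both names `- linux` as affected and still flags itself as untriaged; if the open question is only whether the patch in the lore thread has been merged, say so in the marker (e.g. `TODO: check whether fix is merged`) or drop the TODO in the same commit, otherwise the bare marker will be reprocessed from scratch.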
[Git][security-tracker-team/security-tracker][master] Track fixed version for chromium issue (CVE-2022-4135) via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9196af4d by Salvatore Bonaccorso at 2022-11-27T09:24:22+01:00 Track fixed version for chromium issue (CVE-2022-4135) via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -174,7 +174,7 @@ CVE-2022-45866 (qpress before PierreLvx/qpress 20220819 and before version 11.3, CVE-2022-4136 (Dangerous method exposed which can lead to RCE in qmpass/leadshop v1.4 ...) NOT-FOR-US: leadshop CVE-2022-4135 (Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 a ...) - - chromium + - chromium 107.0.5304.121-1 [buster] - chromium (see DSA 5046) CVE-2022-4134 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9196af4dbcdf6613f026923d1453ee03064130cf
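Review bot: the new `- chromium 107.0.5304.121-1` matches the upstream fixed release named in the description ("prior to 107.0.5304.121"), so the unstable state is consistent; the hunk shows the existing `[buster] - chromium (see DSA 5046)` line but no bullseye line, so bullseye will be reported as affected until a DSA ships there. Confirm that is the intended outcome rather than a missing suite entry.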
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 57088072 by security tracker role at 2022-11-27T08:10:12+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,53 @@ +CVE-2022-45934 (An issue was discovered in the Linux kernel through 6.0.10. l2cap_conf ...) + TODO: check +CVE-2022-45933 (KubeView through 0.1.31 allows attackers to obtain control of a Kubern ...) + TODO: check +CVE-2022-45932 (A SQL injection issue was discovered in AAA in OpenDaylight (ODL) befo ...) + TODO: check +CVE-2022-45931 (A SQL injection issue was discovered in AAA in OpenDaylight (ODL) befo ...) + TODO: check +CVE-2022-45930 (A SQL injection issue was discovered in AAA in OpenDaylight (ODL) befo ...) + TODO: check +CVE-2022-45929 + RESERVED +CVE-2022-45928 + RESERVED +CVE-2022-45927 + RESERVED +CVE-2022-45926 + RESERVED +CVE-2022-45925 + RESERVED +CVE-2022-45924 + RESERVED +CVE-2022-45923 + RESERVED +CVE-2022-45922 + RESERVED +CVE-2022-45921 + RESERVED +CVE-2022-45920 + RESERVED +CVE-2022-45919 (An issue was discovered in the Linux kernel through 6.0.10. In drivers ...) + TODO: check +CVE-2022-45918 + RESERVED +CVE-2022-45917 + RESERVED +CVE-2022-45916 + RESERVED +CVE-2022-45915 + RESERVED +CVE-2022-45914 (The ESL (Electronic Shelf Label) protocol, as implemented by (for exam ...) + TODO: check +CVE-2022-45913 + RESERVED +CVE-2022-45912 + RESERVED +CVE-2022-45911 + RESERVED +CVE-2022-4145 + RESERVED CVE-2022-45910 RESERVED CVE-2022-45909 (drachtio-server 0.8.18 has a heap-based buffer over-read via a long Re ...) 
@@ -8732,8 +8782,7 @@ CVE-2022-43707 (MyBB 1.8.31 has a Cross-site scripting (XSS) vulnerability in th NOT-FOR-US: MyBB CVE-2022-43706 RESERVED -CVE-2022-43705 [malicious OCSP responder could forge OCSP responses] - RESERVED +CVE-2022-43705 (In Botan before 2.19.3, it is possible to forge OCSP responses due to ...) - botan 2.19.3+dfsg-1 [bullseye] - botan (Minor issue) [buster] - botan (Minor issue) @@ -23439,7 +23488,7 @@ CVE-2022-38168 (Broken Access Control in User Authentication in Avaya Scopia Pat NOT-FOR-US: Avaya Scopia Pathfinder CVE-2022-38167 (The Nintex Workflow plugin 5.2.2.30 for SharePoint allows XSS. ...) NOT-FOR-US: Nintex Workflow plugin for SharePoint -CVE-2022-38166 (In F‑Secure Endpoint Protection for Windows and macOS before cha ...) +CVE-2022-38166 (In F-Secure Endpoint Protection for Windows and macOS before channel w ...) NOT-FOR-US: F-Secure CVE-2022-38165 (Arbitrary file write in F-Secure Policy Manager through 2022-08-10 all ...) NOT-FOR-US: WithSecure @@ -60381,8 +60430,8 @@ CVE-2022-25001 RESERVED CVE-2022-25000 RESERVED -CVE-2022-24999 - RESERVED +CVE-2022-24999 (qs before 6.10.3, as used in Express before 4.17.3 and other products, ...) + TODO: check CVE-2022-24998 RESERVED CVE-2022-24997 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/570880726c9ef97ab796c8b5360b17a436f0d3ba
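Review bot: now that CVE-2022-43705's description is public ("possible to forge OCSP responses"), the `(Minor issue)` tags kept for bullseye and buster deserve a second look, since a forgeable OCSP response undermines revocation checking for any certificate validated through Botan; if the assessment stays at minor, a NOTE giving the reason (for example, which reverse dependencies actually perform OCSP checks) would make the decision reviewable later.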
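Review bot: CVE-2022-24999 moves from RESERVED to `TODO: check` with a description naming qs before 6.10.3 "as used in Express before 4.17.3 and other products"; the triage should cover not only a standalone qs package but also any package that bundles its own copy of qs, because the "other products" wording means a fixed version for one package does not settle the others.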