[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e961d2fb by Salvatore Bonaccorso at 2022-12-31T21:18:52+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -3,19 +3,19 @@ CVE-2022-4868 (Improper Authorization in GitHub repository froxlor/froxlor prior CVE-2022-4867 (Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor ...) - froxlor (bug #581792) CVE-2022-4866 (Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memo ...) - TODO: check + NOT-FOR-US: usememos CVE-2022-4865 (Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memo ...) - TODO: check + NOT-FOR-US: usememos CVE-2017-20159 (A vulnerability was found in rf Keynote up to 0.x. It has been rated a ...) TODO: check CVE-2017-20158 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in vova07 Yi ...) TODO: check CVE-2017-20157 (A vulnerability was found in Ariadne Component Library up to 2.x. It h ...) - TODO: check + NOT-FOR-US: Ariadne Component Library CVE-2017-20156 (A vulnerability was found in Exciting Printer and classified as critic ...) TODO: check CVE-2014-125027 (A vulnerability has been found in Yuna Scatari TBDev up to 2.1.17 and ...) - TODO: check + NOT-FOR-US: Yuna Scatari TBDev CVE-2022-4864 (Argument Injection in GitHub repository froxlor/froxlor prior to 2.0.0 ...) - froxlor (bug #581792) CVE-2017-20155 (A vulnerability was found in Sterc Google Analytics Dashboard for MODX ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e961d2fba09b732782f648435b5b29e35641adf7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e961d2fba09b732782f648435b5b29e35641adf7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
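Review bot: four entries remain at "TODO: check" after this pass (CVE-2017-20159 rf Keynote, CVE-2017-20158 vova07 Yi ..., CVE-2017-20156 Exciting Printer, CVE-2017-20155 Sterc Google Analytics Dashboard for MODX); CVE-2017-20158 additionally carries "** UNSUPPORTED WHEN ASSIGNED **" in its description, which is worth recording in the triage line once it is checked. The NOT-FOR-US comments name the upstream project consistently with the truncated descriptions (usememos, Ariadne Component Library, Yuna Scatari TBDev), so they will read correctly without the rest of the description.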
[Git][security-tracker-team/security-tracker][master] Add two CVEs for froxlor, itp'ed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ba64b273 by Salvatore Bonaccorso at 2022-12-31T21:18:11+01:00 Add two CVEs for froxlor, itped - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2022-4868 (Improper Authorization in GitHub repository froxlor/froxlor prior to 2 ...) - TODO: check + - froxlor (bug #581792) CVE-2022-4867 (Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor ...) - TODO: check + - froxlor (bug #581792) CVE-2022-4866 (Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memo ...) TODO: check CVE-2022-4865 (Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memo ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba64b273984922702ea67c77553e4ad0af76ae45 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba64b273984922702ea67c77553e4ad0af76ae45 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
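Review bot: both new lines point at bug #581792, the same ITP bug the existing CVE-2022-4864 froxlor entry uses (visible in the "Process some NFUs" diff above), so the three froxlor CVEs are now tracked the same way; with no version after the package name they stay open, which is the correct state for a package that has only been ITPed and is not yet in the archive. The commit message has "CVes" for "CVEs".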
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 25ed095d by security tracker role at 2022-12-31T20:10:17+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,21 @@ +CVE-2022-4868 (Improper Authorization in GitHub repository froxlor/froxlor prior to 2 ...) + TODO: check +CVE-2022-4867 (Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor ...) + TODO: check +CVE-2022-4866 (Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memo ...) + TODO: check +CVE-2022-4865 (Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memo ...) + TODO: check +CVE-2017-20159 (A vulnerability was found in rf Keynote up to 0.x. It has been rated a ...) + TODO: check +CVE-2017-20158 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in vova07 Yi ...) + TODO: check +CVE-2017-20157 (A vulnerability was found in Ariadne Component Library up to 2.x. It h ...) + TODO: check +CVE-2017-20156 (A vulnerability was found in Exciting Printer and classified as critic ...) + TODO: check +CVE-2014-125027 (A vulnerability has been found in Yuna Scatari TBDev up to 2.1.17 and ...) + TODO: check CVE-2022-4864 (Argument Injection in GitHub repository froxlor/froxlor prior to 2.0.0 ...) - froxlor (bug #581792) CVE-2017-20155 (A vulnerability was found in Sterc Google Analytics Dashboard for MODX ...) @@ -3841,6 +3859,7 @@ CVE-2022-4517 CVE-2022-4516 REJECTED CVE-2022-4515 (A flaw was found in Exuberant Ctags in the way it handles the "-o" opt ...) + {DLA-3254-1} - exuberant-ctags 1:5.9~svn20110310-18 (bug #1026995) - universal-ctags (Fixed before initial upload to Debian) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2153519 
@@ -5923,6 +5942,7 @@ CVE-2022-4339 REJECTED CVE-2022-4338 [Integer Underflow in Organization Specific TLV] RESERVED + {DLA-3253-1} - openvswitch (bug #1027273) NOTE: https://www.openwall.com/lists/oss-security/2022/12/20/2 NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2022-December/400596.html @@ -5931,6 +5951,7 @@ CVE-2022-4338 [Integer Underflow in Organization Specific TLV] NOTE: Fixed by: https://github.com/openvswitch/ovs/commit/7490f281f09a8455c48e19b0cf1b99ab758ee4f4 CVE-2022-4337 [Out-of-Bounds Read in Organization Specific TLV] RESERVED + {DLA-3253-1} - openvswitch (bug #1027273) NOTE: https://www.openwall.com/lists/oss-security/2022/12/20/2 NOTE: https://mail.openvswitch.org/pipermail/ovs-dev/2022-December/400596.html @@ -6832,7 +6853,7 @@ CVE-2022-4285 CVE-2022-4284 RESERVED CVE-2022-4283 (A vulnerability was found in X.Org. This security flaw occurs because ...) - {DSA-5304-1} + {DSA-5304-1 DLA-3256-1} - xorg-server 2:21.1.5-1 (bug #1026071) - xwayland 2:22.1.6-1 NOTE: https://lists.x.org/archives/xorg-announce/2022-December/003302.html 
@@ -7330,31 +7351,31 @@ CVE-2022-4225 CVE-2021-4242 (A vulnerability was found in Sapido BR270n, BRC76n, GR297 and RB1732 a ...) NOT-FOR-US: Sapido CVE-2022-46344 (A vulnerability was found in X.Org. This security flaw occurs because ...) - {DSA-5304-1} + {DSA-5304-1 DLA-3256-1} - xorg-server 2:21.1.5-1 (bug #1026071) - xwayland 2:22.1.6-1 NOTE: https://lists.x.org/archives/xorg-announce/2022-December/003302.html NOTE: https://gitlab.freedesktop.org/xorg/xserver/commit/8f454b793e1f13c99872c15f0eed1d7f3b823fe8 CVE-2022-46343 (A vulnerability was found in X.Org. This security flaw occurs because ...) - {DSA-5304-1} + {DSA-5304-1 DLA-3256-1} - xorg-server 2:21.1.5-1 (bug #1026071) - xwayland 2:22.1.6-1 NOTE: https://lists.x.org/archives/xorg-announce/2022-December/003302.html NOTE: https://gitlab.freedesktop.org/xorg/xserver/commit/842ca3ccef100ce010d1d8f5f6d6cc1915055900 CVE-2022-46342 (A vulnerability was found in X.Org. This security flaw occurs because ...) - {DSA-5304-1} + {DSA-5304-1 DLA-3256-1} - xorg-server 2:21.1.5-1 (bug #1026071) - xwayland 2:22.1.6-1 NOTE: https://lists.x.org/archives/xorg-announce/2022-December/003302.html NOTE: https://gitlab.freedesktop.org/xorg/xserver/commit/b79f32b57cc0c1186b2899bce7cf89f7b325161b CVE-2022-46341 (A vulnerability was found in X.Org. This security flaw occurs because ...) - {DSA-5304-1} + {DSA-5304-1 DLA-3256-1} - xorg-server 2:21.1.5-1 (bug #1026071) - xwayland 2:22.1.6-1 NOTE: https://lists.x.org/archives/xorg-announce/2022-December/003302.html NOTE:
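Review bot: the {DLA-3253-1}, {DLA-3254-1} and {DLA-3256-1} cross-references this update adds to CVE-2022-4337/4338, CVE-2022-4515 and CVE-2022-4283/46341..46344 agree with the DLA/list reservations further down this page (openvswitch 2.10.7+ds1-0+deb10u3, exuberant-ctags 1:5.9~svn20110310-12+deb10u1, xorg-server 2:1.20.4-1+deb10u7). The last hunk is cut off in this notification after "NOTE:", so the CVE-2022-46340 entry that DLA-3256-1 also lists cannot be checked here. The nine new "TODO: check" entries at the top of the first hunk are the ones triaged in the two Salvatore Bonaccorso commits above.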
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim xrdp
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 0fcf4f9d by Abhijith PA at 2022-12-31T23:52:54+05:30 data/dla-needed.txt: claim xrdp - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -325,7 +325,7 @@ xdg-utils NOTE: 20221120: Programming language: C. NOTE: 20221120: no real fix yet -- -xrdp +xrdp (Abhijith PA) NOTE: 20221225: Programming language: C. NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fcf4f9d632cb746e32ca23b9bbff339c0e526e4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fcf4f9d632cb746e32ca23b9bbff339c0e526e4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: claim node-xmldom in dla-needed.txt
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 926036c6 by Guilhem Moulin at 2022-12-31T18:52:13+01:00 LTS: claim node-xmldom in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -189,7 +189,7 @@ node-url-parse NOTE: 2022: Programming language: JavaScript. NOTE: 2022: Follow fixes from bullseye 11.4 + check postponed issues (Beuc/front-desk) -- -node-xmldom +node-xmldom (guilhem) NOTE: 20221130: Programming language: JavaScript. NOTE: 20221130: VCS: https://salsa.debian.org/lts-team/packages/node-xmldom.git NOTE: 20221130: https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883 (gladk). View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/926036c6ed25f647781777a425a8220bb9129ef1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/926036c6ed25f647781777a425a8220bb9129ef1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3259-1 for libjettison-java
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b3a5378a by Markus Koschany at 2022-12-31T18:17:33+01:00 Reserve DLA-3259-1 for libjettison-java - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Dec 2022] DLA-3259-1 libjettison-java - security update + {CVE-2022-40150 CVE-2022-45685 CVE-2022-45693} + [buster] - libjettison-java 1.5.3-1~deb10u1 [31 Dec 2022] DLA-3258-1 node-loader-utils - security update {CVE-2022-37601} [buster] - node-loader-utils 1.1.0-2+deb10u1 = data/dla-needed.txt = @@ -117,10 +117,6 @@ libetpan (Utkarsh) libitext5-java (Markus Koschany) NOTE: 20221225: Programming language: Java. -- -libjettison-java (Markus Koschany) - NOTE: 20221225: Programming language: Java. - NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/libjettison-java.git --- libreoffice NOTE: 20221012: Programming language: C++. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3a5378ab2a47dc47d8eb7ae482375bde82d57cb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3a5378ab2a47dc47d8eb7ae482375bde82d57cb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
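Review bot: the buster version 1.5.3-1~deb10u1 is a backport-style version (a rebuild of an unstable 1.5.3-1 for buster) rather than the "+deb10uN" revision bump every other DLA on this page uses (emacs, xorg-server, mplayer, exuberant-ctags, openvswitch, node-loader-utils); if the update ships a new upstream release, the DLA text should say so, since that can change behaviour beyond the three CVE fixes. The {DLA-3259-1} cross-references on CVE-2022-40150, CVE-2022-45685 and CVE-2022-45693 in data/CVE/list will come from the automatic update, as the one above did for DLA-3253-1, DLA-3254-1 and DLA-3256-1.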
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3258-1 for node-loader-utils
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b698bb1 by Guilhem Moulin at 2022-12-31T17:18:20+01:00 Reserve DLA-3258-1 for node-loader-utils - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Dec 2022] DLA-3258-1 node-loader-utils - security update + {CVE-2022-37601} + [buster] - node-loader-utils 1.1.0-2+deb10u1 [31 Dec 2022] DLA-3257-1 emacs - security update {CVE-2022-45939} [buster] - emacs 1:26.1+1-3.2+deb10u3 = data/dla-needed.txt = @@ -175,10 +175,6 @@ node-got NOTE: 2022: Follow fixes from bullseye 11.4 (Beuc/front-desk) NOTE: 20221223: Module has been rewritten in Typescript since Buster released (lamby). -- -node-loader-utils (guilhem) - NOTE: 2022: Programming language: JavaScript. - NOTE: 2022: upcoming bullseye PU https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023798 (Beuc/front-desk) --- node-moment (Utkarsh) NOTE: 2022: Programming language: JavaScript. NOTE: 2022: Follow fixes from bullseye 11.4 and 11.5 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b698bb16b84476bbf30c1515255e3b26d114063 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b698bb16b84476bbf30c1515255e3b26d114063 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
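Review bot: the removed dla-needed.txt block was the only place recording the pending bullseye PU (bug #1023798, "Beuc/front-desk"); the file header asks for notes to be appended rather than removed, and that pointer is useful for keeping the buster and bullseye fixes for CVE-2022-37601 in sync, so consider carrying it into the CVE-2022-37601 NOTE lines in data/CVE/list before it is lost. The version 1.1.0-2+deb10u1 follows the buster revision convention.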
[Git][security-tracker-team/security-tracker][master] Merge notes in dla-needed referring to ruby-sidekiq
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1c7dc42e by Salvatore Bonaccorso at 2022-12-31T16:55:17+01:00 Merge notes in dla-needed referring to ruby-sidekiq Fixes: 5ef178c97007 (Merge notes in dla-needed referring to ruby-sidekiq) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -17,10 +17,6 @@ rather than remove/replace existing ones. NOTE: 20221231: Programming language: C. NOTE: 20221231: Few users. Low prio. (opal). -- -CVE-2022-23837 - NOTE: 20221231: Programming language: Ruby. - NOTE: 20221231: Was fixed in stretch so should be fixed in buster for consistency even though it is not that severe. (opal). --- apache2 NOTE: 20221227: Programming language: C. NOTE: 20221227: VCS: https://salsa.debian.org/lts-team/packages/apache2.git @@ -283,6 +279,7 @@ ruby-rails-html-sanitizer -- ruby-sidekiq NOTE: 20221231: Programming language: Ruby. + NOTE: 20221231: CVE-2022-23837 was fixed in stretch so should be fixed in buster for consistency even though it is not that severe. (opal). -- ruby-sinatra NOTE: 20221231: Programming language: Ruby. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c7dc42e6801f24ef771b24ea132f81d23a88f3f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c7dc42e6801f24ef771b24ea132f81d23a88f3f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
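Review bot: the Fixes: trailer cites 5ef178c97007 with this commit's own subject ("Merge notes in dla-needed referring to ruby-sidekiq"), but the stray CVE-2022-23837 block being merged was introduced by 335f5b24 "LTS: add ruby-sidekiq to dla-needed.txt" (the Ola Lundqvist notification below), so the trailer should point at that commit. The merge itself is right: dla-needed.txt blocks are keyed by source package, as every other block in the visible context is, so a block headed by a CVE id does not fit the file's format.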
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add ruby-sidekiq to dla-needed.txt
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 335f5b24 by Ola Lundqvist at 2022-12-31T15:15:31+01:00 LTS: add ruby-sidekiq to dla-needed.txt - - - - - 9ff425fd by Ola Lundqvist at 2022-12-31T15:15:42+01:00 LTS: add ruby-sinatra to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -17,6 +17,10 @@ rather than remove/replace existing ones. NOTE: 20221231: Programming language: C. NOTE: 20221231: Few users. Low prio. (opal). -- +CVE-2022-23837 + NOTE: 20221231: Programming language: Ruby. + NOTE: 20221231: Was fixed in stretch so should be fixed in buster for consistency even though it is not that severe. (opal). +-- apache2 NOTE: 20221227: Programming language: C. NOTE: 20221227: VCS: https://salsa.debian.org/lts-team/packages/apache2.git @@ -277,6 +281,13 @@ ruby-rails-html-sanitizer NOTE: 20221231: Programming language: Ruby. NOTE: 20221231: VCS: https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git -- +ruby-sidekiq + NOTE: 20221231: Programming language: Ruby. +-- +ruby-sinatra + NOTE: 20221231: Programming language: Ruby. + NOTE: 20221231: VCS: https://salsa.debian.org/lts-team/packages/ruby-sinatra.git +-- runc NOTE: 20220905: Programming language: Go. NOTE: 20220905: Special attention: Sync with Bullseye. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4bae6fd2796538a8de1fbdd856e6166a1706...9ff425fdcdbf90db988f39a5f6f745de970ae388 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4bae6fd2796538a8de1fbdd856e6166a1706...9ff425fdcdbf90db988f39a5f6f745de970ae388 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
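Review bot: the first hunk adds a block headed "CVE-2022-23837" at the top of the package section, but dla-needed.txt blocks are keyed by source package (389-ds-base, apache2, ruby-sidekiq and so on in the visible context), so the note about stretch/buster consistency belongs under ruby-sidekiq rather than in its own block (the follow-up commit 1c7dc42e on this page moves it there). The ruby-sidekiq block also lacks the VCS line that the ruby-sinatra block records.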
[Git][security-tracker-team/security-tracker][master] Marked CVE-2020-23599 as no-dsa for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 4bae6fd2 by Ola Lundqvist at 2022-12-31T15:06:01+01:00 Marked CVE-2020-23599 as no-dsa for buster. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31459,6 +31459,7 @@ CVE-2021-46834 (A permission bypass vulnerability in Huawei cross device task ma CVE-2020-36599 (lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before ...) [experimental] - ruby-omniauth 2.0.4-1~exp1 - ruby-omniauth + [buster] - ruby-omniauth (Minor issue) NOTE: https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2 (v2.0.0-rc1) CVE-2020-36598 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bae6fd2796538a8de1fbdd856e6166a1706 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bae6fd2796538a8de1fbdd856e6166a1706 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
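Review bot: the commit subject says CVE-2020-23599, but the entry changed is CVE-2020-36599 (ruby-omniauth); the digits look transposed, and since commit messages are what people grep when reconstructing a triage decision, the id in the message should match the hunk. The entry shows ruby-omniauth fixed only in experimental (2.0.4-1~exp1) and still open in unstable, so a "Minor issue" marking for buster is at least consistent with unstable not being fixed either.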
[Git][security-tracker-team/security-tracker][master] 3 commits: Marked CVE-2022-23514 and CVE-2022-23516 as no-dsa for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: eaa7ac3f by Ola Lundqvist at 2022-12-31T14:59:56+01:00 Marked CVE-2022-23514 and CVE-2022-23516 as no-dsa for buster. - - - - - 6b93acdc by Ola Lundqvist at 2022-12-31T15:00:19+01:00 LTS: add ruby-loofah to dla-needed.txt - - - - - aaef304f by Ola Lundqvist at 2022-12-31T15:00:50+01:00 LTS: add ruby-rails-html-sanitizer to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -74768,12 +74768,14 @@ CVE-2022-23517 (rails-html-sanitizer is responsible for sanitizing HTML fragment NOTE: https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979 CVE-2022-23516 (Loofah is a general library for manipulating and transforming HTML/XML ...) - ruby-loofah 2.19.1-1 (bug #1026083) + [buster] - ruby-loofah (Minor issue) NOTE: https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm CVE-2022-23515 (Loofah is a general library for manipulating and transforming HTML/XML ...) - ruby-loofah 2.19.1-1 (bug #1026083) NOTE: https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx CVE-2022-23514 (Loofah is a general library for manipulating and transforming HTML/XML ...) - ruby-loofah 2.19.1-1 (bug #1026083) + [buster] - ruby-loofah (Minor issue) NOTE: https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh CVE-2022-23513 (Pi-Hole is a network-wide ad blocking via your own Linux hardware, Adm ...) NOT-FOR-US: Pi-Hole = data/dla-needed.txt = 
@@ -270,6 +270,13 @@ rainloop ring NOTE: 20221120: Programming language: C. -- +ruby-loofah + NOTE: 20221231: Programming language: Ruby. +-- +ruby-rails-html-sanitizer + NOTE: 20221231: Programming language: Ruby. + NOTE: 20221231: VCS: https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git +-- runc NOTE: 20220905: Programming language: Go. NOTE: 20220905: Special attention: Sync with Bullseye. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/57fcc46b76de022fe15f97a00c6ec7c61c971cb5...aaef304f68c7725031fb3b94e2c8643982ba2554 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/57fcc46b76de022fe15f97a00c6ec7c61c971cb5...aaef304f68c7725031fb3b94e2c8643982ba2554 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
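Review bot: in the CVE/list hunk, CVE-2022-23514 and CVE-2022-23516 get a [buster] "Minor issue" line while CVE-2022-23515, sitting between them with the same ruby-loofah 2.19.1-1 fix and the same bug #1026083, gets none; if CVE-2022-23515 is the one that still warrants a DLA, say so in the new ruby-loofah block of dla-needed.txt, which at present carries only "Programming language: Ruby" (the neighbouring ruby-rails-html-sanitizer block at least records the VCS). Without that note the omission reads as an oversight.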
[Git][security-tracker-team/security-tracker][master] Marked CVE-2022-23520, CVE-2022-23519 and CVE-2022-23517 as no-dsa or postponed for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 57fcc46b by Ola Lundqvist at 2022-12-31T14:54:29+01:00 Marked CVE-2022-23520, CVE-2022-23519 and CVE-2022-23517 as no-dsa or postponed for buster. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -74751,9 +74751,11 @@ CVE-2022-23521 RESERVED CVE-2022-23520 (rails-html-sanitizer is responsible for sanitizing HTML fragments in R ...) - ruby-rails-html-sanitizer (bug #1027153) + [buster] - ruby-rails-html-sanitizer (Minor issue) NOTE: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8 CVE-2022-23519 (rails-html-sanitizer is responsible for sanitizing HTML fragments in R ...) - ruby-rails-html-sanitizer (bug #1027153) + [buster] - ruby-rails-html-sanitizer (Minor issue can be fixed later) NOTE: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h CVE-2022-23518 (rails-html-sanitizer is responsible for sanitizing HTML fragments in R ...) - ruby-rails-html-sanitizer (bug #1027153) 
@@ -74761,6 +74763,7 @@ CVE-2022-23518 (rails-html-sanitizer is responsible for sanitizing HTML fragment NOTE: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m CVE-2022-23517 (rails-html-sanitizer is responsible for sanitizing HTML fragments in R ...) - ruby-rails-html-sanitizer (bug #1027153) + [buster] - ruby-rails-html-sanitizer (Minor issue) NOTE: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w NOTE: https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979 CVE-2022-23516 (Loofah is a general library for manipulating and transforming HTML/XML ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57fcc46b76de022fe15f97a00c6ec7c61c971cb5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57fcc46b76de022fe15f97a00c6ec7c61c971cb5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
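Review bot: the commit message says "no-dsa or postponed", but the three added [buster] lines differ only in their comment text ("Minor issue" versus "Minor issue can be fixed later"); a comment does not express a postponed status, so check whether the file's <no-dsa>/<postponed> status tags are meant to appear on these lines. CVE-2022-23518, in the context between the changed entries, has the same ruby-rails-html-sanitizer (bug #1027153) line but no [buster] annotation; if it is the one to fix via a DLA, record that in the ruby-rails-html-sanitizer block of dla-needed.txt. "bustser" in the message is "buster".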
[Git][security-tracker-team/security-tracker][master] 3 commits: LTS: add 389-ds-base to dla-needed.txt
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 7535cac9 by Ola Lundqvist at 2022-12-31T14:34:02+01:00 LTS: add 389-ds-base to dla-needed.txt - - - - - 62569b8c by Ola Lundqvist at 2022-12-31T14:36:54+01:00 LTS: add python-oslo.privsep to dla-needed.txt - - - - - f224115f by Ola Lundqvist at 2022-12-31T14:43:44+01:00 Marked CVE-2019-25078 as no-dsa for buster. Minor issue. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -4355,6 +4355,7 @@ CVE-2022-4442 RESERVED CVE-2019-25078 (A vulnerability classified as problematic was found in pacparser up to ...) - pacparser (bug #1026106) + [buster] - pacparser (Minor issue) NOTE: https://github.com/manugarg/pacparser/issues/99 NOTE: https://github.com/manugarg/pacparser/commit/853e8f45607cb07b877ffd270c63dbcdd5201ad9 (v1.4.0) CVE-2022-47371 = data/dla-needed.txt = @@ -12,6 +12,10 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. +-- +389-ds-base + NOTE: 20221231: Programming language: C. + NOTE: 20221231: Few users. Low prio. (opal). -- apache2 NOTE: 20221227: Programming language: C. 
@@ -229,6 +233,9 @@ protobuf puppet-module-puppetlabs-mysql NOTE: 20221107: Programming language: Puppet, Ruby. -- +python-oslo.privsep + NOTE: 20221231: Programming language: Python. +-- qemu NOTE: 20221108: Programming language: C. NOTE: 20221108: I updated the status of all opened (minor) CVEs to more clearly state whether we can fix or are waiting for a patch, View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/03ff8af06fc4f458fd3bec9af6dced087dc8ce83...f224115fbfa8eca31584ea0d75def9161b4ab7e5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/03ff8af06fc4f458fd3bec9af6dced087dc8ce83...f224115fbfa8eca31584ea0d75def9161b4ab7e5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
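Review bot: the two new dla-needed.txt blocks (389-ds-base, python-oslo.privsep) record only the programming language; unlike the libxstream-java block further down this page they give neither the VCS nor which CVE triggered the addition, so whoever claims them has to rediscover that, and "Few users. Low prio." on 389-ds-base would be easier to act on with the open CVE ids named. In the CVE/list hunk, pacparser has no fixed version in unstable ("- pacparser (bug #1026106)"), so the buster "Minor issue" marking applies to an issue that is still open everywhere; the upstream fix commit (v1.4.0) is already noted for whoever picks it up.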
[Git][security-tracker-team/security-tracker][master] 2 commits: Marked CVE-2018-25060 as no-dsa for buster since it is a minor issue.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 975b5e3f by Ola Lundqvist at 2022-12-31T14:24:31+01:00 Marked CVE-2018-25060 as no-dsa for buster since it is a minor issue. - - - - - 03ff8af0 by Ola Lundqvist at 2022-12-31T14:28:50+01:00 LTS: add libxstream-java to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -30,6 +30,7 @@ CVE-2020-36637 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Chr NOT-FOR-US: Chris92de AdminServ CVE-2018-25060 (A vulnerability was found in Macaron csrf and classified as problemati ...) - golang-github-go-macaron-csrf + [buster] - golang-github-go-macaron-csrf (Minor issue) NOTE: https://github.com/go-macaron/csrf/commit/dadd1711a617000b70e5e408a76531b73187031c NOTE: https://github.com/go-macaron/csrf/pull/7 CVE-2018-25059 (A vulnerability was found in pastebinit up to 0.2.2 and classified as ...) = data/dla-needed.txt = @@ -127,6 +127,11 @@ libsdl2 libstb NOTE: 2022: Programming language: C. -- +libxstream-java + NOTE: 20221231: Programming language: Java. + NOTE: 20221231: VCS: https://salsa.debian.org/lts-team/packages/libxstream-java.git + NOTE: 20221231: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/libxstream-java.html +-- linux (Ben Hutchings) -- man2html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9aae874e08afafc808aa4f0ca3b5f45f6a916abe...03ff8af06fc4f458fd3bec9af6dced087dc8ce83 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9aae874e08afafc808aa4f0ca3b5f45f6a916abe...03ff8af06fc4f458fd3bec9af6dced087dc8ce83 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
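Review bot: golang-github-go-macaron-csrf has no fixed version in unstable (the entry is a bare "- golang-github-go-macaron-csrf"), so CVE-2018-25060 remains open there as well; marking buster "Minor issue" is consistent with that, and the upstream commit and pull request #7 are already linked for whoever fixes it. The libxstream-java block added to dla-needed.txt is the well-documented form (language, VCS, test suite) that the other new blocks on this page would benefit from.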
[Git][security-tracker-team/security-tracker][master] Marked CVE-2020-36367 as no-dsa since it is a minor issue.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 9aae874e by Ola Lundqvist at 2022-12-31T14:18:15+01:00 Marked CVE-2020-36367 as no-dsa since it is a minor issue. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -35300,6 +35300,7 @@ CVE-2020-36568 (Unsanitized input in the query parser in github.com/revel/revel TODO: check CVE-2020-36567 (Unsanitized input in the default logger in github.com/gin-gonic/gin be ...) - golang-github-gin-gonic-gin 1.6.3-1 + [buster] - golang-github-gin-gonic-gin (Minor issue) NOTE: https://github.com/gin-gonic/gin/pull/2237 NOTE: https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d (v1.6.0) CVE-2020-36566 (Due to improper path santization, archives containing relative file pa ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9aae874e08afafc808aa4f0ca3b5f45f6a916abe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9aae874e08afafc808aa4f0ca3b5f45f6a916abe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
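Review bot: the commit subject says CVE-2020-36367, but the hunk annotates CVE-2020-36567 (golang-github-gin-gonic-gin, unsanitized input in the default logger); as with the CVE-2020-23599/36599 commit above, the id in the message should match the entry so the history stays greppable. The entry already records the unstable fix in 1.6.3-1 (upstream v1.6.0) with the pull request and commit links.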
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3257-1 for emacs
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 460da0a2 by Chris Lamb at 2022-12-31T12:44:48+00:00 Reserve DLA-3257-1 for emacs - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Dec 2022] DLA-3257-1 emacs - security update + {CVE-2022-45939} + [buster] - emacs 1:26.1+1-3.2+deb10u3 [31 Dec 2022] DLA-3256-1 xorg-server - security update {CVE-2022-4283 CVE-2022-46340 CVE-2022-46341 CVE-2022-46342 CVE-2022-46343 CVE-2022-46344} [buster] - xorg-server 2:1.20.4-1+deb10u7 = data/dla-needed.txt = @@ -39,9 +39,6 @@ curl (Roberto C. Sánchez) NOTE: 20220904: Special attention: high popcon!. NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/curl.html -- -emacs (Chris Lamb) - NOTE: 20221227: Programming language: Lisp. --- erlang NOTE: 20221119: Programming language: Erlang. NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request has been for Stretch) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/460da0a2eaa90d6c546db8e030fd265975680590 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/460da0a2eaa90d6c546db8e030fd265975680590 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3256-1 for xorg-server
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 4d7fba62 by Thorsten Alteholz at 2022-12-31T13:43:33+01:00 Reserve DLA-3256-1 for xorg-server - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Dec 2022] DLA-3256-1 xorg-server - security update + {CVE-2022-4283 CVE-2022-46340 CVE-2022-46341 CVE-2022-46342 CVE-2022-46343 CVE-2022-46344} + [buster] - xorg-server 2:1.20.4-1+deb10u7 [31 Dec 2022] DLA-3255-1 mplayer - security update {CVE-2022-38850 CVE-2022-38851 CVE-2022-38855 CVE-2022-38858 CVE-2022-38860 CVE-2022-38861 CVE-2022-38863 CVE-2022-38864 CVE-2022-38865 CVE-2022-38866} [buster] - mplayer 2:1.3.0-8+deb10u1 = data/dla-needed.txt = @@ -309,10 +309,6 @@ xdg-utils NOTE: 20221120: Programming language: C. NOTE: 20221120: no real fix yet -- -xorg-server (Thorsten Alteholz) - NOTE: 20221225: Programming language: C. - NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xorg-server.git --- xrdp NOTE: 20221225: Programming language: C. NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d7fba6293ad7f69de5cb65ed67304bdc2796efb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d7fba6293ad7f69de5cb65ed67304bdc2796efb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
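Review bot: the six CVE ids in the DLA/list entry (CVE-2022-4283, CVE-2022-46340 through CVE-2022-46344) match the {DLA-3256-1} cross-references the automatic update above added to data/CVE/list, except that CVE-2022-46340 falls in the part of that diff cut off in the notification, so its annotation cannot be checked here. The entries listed only DSA-5304-1 before this commit, so buster now has a fix recorded alongside the stable one.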
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3255-1 for mplayer
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 329ddfd6 by Thorsten Alteholz at 2022-12-31T13:32:31+01:00 Reserve DLA-3255-1 for mplayer - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Dec 2022] DLA-3255-1 mplayer - security update + {CVE-2022-38850 CVE-2022-38851 CVE-2022-38855 CVE-2022-38858 CVE-2022-38860 CVE-2022-38861 CVE-2022-38863 CVE-2022-38864 CVE-2022-38865 CVE-2022-38866} + [buster] - mplayer 2:1.3.0-8+deb10u1 [31 Dec 2022] DLA-3254-1 exuberant-ctags - security update {CVE-2022-4515} [buster] - exuberant-ctags 1:5.9~svn20110310-12+deb10u1 = data/dla-needed.txt = @@ -141,10 +141,6 @@ modsecurity-crs NOTE: 20221006: Programming language: Other. NOTE: 20221006: Maintainer notes: Please contact maintainer. Consider uploading of newer version. -- -mplayer (Thorsten Alteholz) - NOTE: 20221009: Programming language: C. - NOTE: 20221009: Many open CVEs. --- net-snmp NOTE: 20221120: Programming language: C. NOTE: 20221206: no upstream patch yet. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/329ddfd612a06b786290d495e1652058d27f8fbc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/329ddfd612a06b786290d495e1652058d27f8fbc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
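Review bot: the dla-needed.txt hunk drops an entry whose note still read "NOTE: 20221009: Many open CVEs.", while the new DLA-3255-1 entry in data/DLA/list enumerates ten identifiers (CVE-2022-38850 through CVE-2022-38866). Before the package leaves dla-needed.txt, confirm that every other open mplayer issue for buster is either covered by one of those ten or explicitly marked as not warranting a DLA; if some remain open, keep the entry and update the note instead of removing it.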
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3254-1 for exuberant-ctags
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: b797ded2 by Chris Lamb at 2022-12-31T11:46:04+00:00 Reserve DLA-3254-1 for exuberant-ctags - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Dec 2022] DLA-3254-1 exuberant-ctags - security update + {CVE-2022-4515} + [buster] - exuberant-ctags 1:5.9~svn20110310-12+deb10u1 [31 Dec 2022] DLA-3253-1 openvswitch - security update {CVE-2022-4337 CVE-2022-4338} [buster] - openvswitch 2.10.7+ds1-0+deb10u3 = data/dla-needed.txt = @@ -49,10 +49,6 @@ erlang exiv2 (Helmut Grohne) NOTE: 20221119: Programming language: C. -- -exuberant-ctags (Chris Lamb) - NOTE: 20221225: Programming language: C. - NOTE: 20221225: Special attention: Needs further investigation. --- firmware-nonfree (Markus Koschany) NOTE: 20220906: Consider to check the severity of the issues again and judge whether a correction is worth it. NOTE: 20221204: Coming soon in the first week of December. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b797ded245691be02c4ef22393a246300bffbf8b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b797ded245691be02c4ef22393a246300bffbf8b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3253-1 for openvswitch
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 241b327c by Chris Lamb at 2022-12-31T11:23:25+00:00 Reserve DLA-3253-1 for openvswitch - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Dec 2022] DLA-3253-1 openvswitch - security update + {CVE-2022-4337 CVE-2022-4338} + [buster] - openvswitch 2.10.7+ds1-0+deb10u3 [31 Dec 2022] DLA-3252-1 cacti - security update {CVE-2020-8813 CVE-2020-23226 CVE-2020-25706 CVE-2022-0730 CVE-2022-46169} [buster] - cacti 1.2.2+ds1-2+deb10u5 = data/dla-needed.txt = @@ -217,10 +217,6 @@ openimageio NOTE: 20221225: Programming language: C. NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git -- -openvswitch (Chris Lamb) - NOTE: 20221228: Programming language: C. - NOTE: 20221228: VCS: https://salsa.debian.org/lts-team/packages/openvswitch.git --- php-cas NOTE: 20221105: Programming language: PHP. NOTE: 20221105: The fix is not backwards compatible. Should be investigated further whether this issue should be solved or ignored.. (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/241b327cc9e539ddacae082493b69c56e7229cce -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/241b327cc9e539ddacae082493b69c56e7229cce You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2022-40150, CVE-2022-45685, CVE-2022-45693,libjettison-java: fixed in
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 8e90802f by Markus Koschany at 2022-12-31T11:30:13+01:00 CVE-2022-40150, CVE-2022-45685, CVE-2022-45693,libjettison-java: fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9048,7 +9048,7 @@ CVE-2022-45695 CVE-2022-45694 RESERVED CVE-2022-45693 (Jettison before v1.5.2 was discovered to contain a stack overflow via ...) - - libjettison-java + - libjettison-java 1.5.3-1 NOTE: https://github.com/jettison-json/jettison/issues/52 CVE-2022-45692 RESERVED @@ -9065,7 +9065,7 @@ CVE-2022-45687 CVE-2022-45686 RESERVED CVE-2022-45685 (A stack overflow in Jettison before v1.5.2 allows attackers to cause a ...) - - libjettison-java + - libjettison-java 1.5.3-1 NOTE: https://github.com/jettison-json/jettison/issues/54 CVE-2022-45684 RESERVED @@ -26728,7 +26728,7 @@ CVE-2022-40151 (Those using Xstream to seralize XML data may be vulnerable to De - libxstream-java NOTE: https://github.com/x-stream/xstream/issues/304 CVE-2022-40150 (Those using Jettison to parse untrusted XML or JSON data may be vulner ...) - - libjettison-java (bug #1022553) + - libjettison-java 1.5.3-1 (bug #1022553) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46549 NOTE: https://github.com/jettison-json/jettison/issues/45 CVE-2022-40149 (Those using Jettison to parse untrusted XML or JSON data may be vulner ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e90802f61721ac20a140ba880f96239c1c96ebb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e90802f61721ac20a140ba880f96239c1c96ebb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
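Review bot: the third hunk (around line 26728) marks CVE-2022-40150 fixed in libjettison-java 1.5.3-1, but its trailing context line shows CVE-2022-40149, another "Those using Jettison to parse untrusted XML or JSON data" issue, whose package line lies outside the hunk and is not touched by this commit. Since 1.5.3-1 is the same upload, confirm that CVE-2022-40149 already carries a fixed version or add "- libjettison-java 1.5.3-1" there as well, so the two sibling issues do not end up with inconsistent status for the same package.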
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for ruby-image-processing update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dab4dd6d by Salvatore Bonaccorso at 2022-12-31T10:36:35+01:00 Reserve DSA number for ruby-image-processing update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[31 Dec 2022] DSA-5310-1 ruby-image-processing - security update + {CVE-2022-24720} + [bullseye] - ruby-image-processing 1.10.3-1+deb11u1 [31 Dec 2022] DSA-5309-1 wpewebkit - security update {CVE-2022-42852 CVE-2022-42856 CVE-2022-42867 CVE-2022-46692 CVE-2022-46698 CVE-2022-46699 CVE-2022-46700} [bullseye] - wpewebkit 2.38.3-1~deb11u1 = data/dsa-needed.txt = @@ -41,8 +41,6 @@ php-horde-turba -- rails -- -ruby-image-processing --- ruby-nokogiri -- ruby-rack View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dab4dd6da7828c7ebbe762ed5f63c7be78aa49c5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dab4dd6da7828c7ebbe762ed5f63c7be78aa49c5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add references for commits for CVE-2021-3638/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c287799c by Salvatore Bonaccorso at 2022-12-31T10:10:50+01:00 Add references for commits for CVE-2021-3638/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -110192,6 +110192,8 @@ CVE-2021-3638 (An out-of-bounds memory access flaw was found in the ATI VGA devi [stretch] - qemu (Vulnerable code introduced in ATI VGA device emulation added later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1979858 NOTE: https://lore.kernel.org/qemu-devel/caa8xkjxkdwpyxsaerb+2mfhrrbil_kh9unvkemfxlff68ux...@mail.gmail.com + NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/584acf34cb05f16e13a46d666196a7583d232616 (v4.1.0-rc0) + NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/205ccfd7a5ec86bd9a5678b8bd157562fc9a1643 (v7.2.0-rc0) CVE-2021-36235 (An issue was discovered in Ivanti Workspace Control before 10.6.30.0. ...) NOT-FOR-US: Ivanti CVE-2021-36234 (Use of a hard-coded cryptographic key in MIK.starlight 7.9.5.24363 all ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c287799c0336b0b4e57219280927e221523c1deb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c287799c0336b0b4e57219280927e221523c1deb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
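Review bot: the added "Introduced by" reference (tagged v4.1.0-rc0) corroborates the existing "[stretch] - qemu (Vulnerable code introduced in ATI VGA device emulation added later)" line above it, which is good to have recorded explicitly. The "Fixed by" reference is tagged v7.2.0-rc0; the package line that should carry the corresponding fixed Debian version is not visible in this hunk, so check that the entry's main qemu line records a version at or above the 7.2 upstream release rather than leaving the issue open for unstable.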
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fe79fd33 by Salvatore Bonaccorso at 2022-12-31T09:39:56+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,9 @@ CVE-2022-4864 (Argument Injection in GitHub repository froxlor/froxlor prior to 2.0.0 ...) - froxlor (bug #581792) CVE-2017-20155 (A vulnerability was found in Sterc Google Analytics Dashboard for MODX ...) - TODO: check + NOT-FOR-US: Sterc Google Analytics Dashboard for MODX CVE-2017-20154 (A vulnerability was found in ghostlander Phoenixcoin. It has been clas ...) - TODO: check + NOT-FOR-US: ghostlander Phoenixcoin CVE-2022-4863 (Improper Handling of Insufficient Permissions or Privileges in GitHub ...) NOT-FOR-US: usememos CVE-2022-4862 @@ -13,7 +13,7 @@ CVE-2022-4861 (Incorrect implementation in authentication protocol in M-Files Cl CVE-2022-4860 (A vulnerability was found in KBase Metrics. It has been classified as ...) NOT-FOR-US: KBase Metrics CVE-2022-4859 (A vulnerability, which was classified as problematic, has been found i ...) - TODO: check + NOT-FOR-US: Joget CVE-2022-4858 (Insertion of Sensitive Information into Log Files in M-Files Server be ...) NOT-FOR-US: M-Files CVE-2022-4857 (A vulnerability was found in Modbus Tools Modbus Poll up to 9.10.0 and ...) 
@@ -35,13 +35,13 @@ CVE-2018-25060 (A vulnerability was found in Macaron csrf and classified as prob CVE-2018-25059 (A vulnerability was found in pastebinit up to 0.2.2 and classified as ...) TODO: check CVE-2017-20153 (A vulnerability has been found in aerouk imageserve and classified as ...) - TODO: check + NOT-FOR-US: aerouk imageserve CVE-2017-20152 (A vulnerability, which was classified as problematic, was found in aer ...) - TODO: check + NOT-FOR-US: aerouk imageserve CVE-2017-20151 (A vulnerability classified as problematic was found in iText RUPS. Thi ...) NOT-FOR-US: iText RUPS CVE-2022-48195 (An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When ...) - TODO: check + NOT-FOR-US: Mellium CVE-2022-48194 (TP-Link TL-WR902AC devices through V3 0.9.1 allow remote authenticated ...) NOT-FOR-US: TP-Link CVE-2022-48193 @@ -782,7 +782,7 @@ CVE-2018-25052 (A vulnerability has been found in Catalyst-Plugin-Session up to - libcatalyst-plugin-session-perl 0.41-1 NOTE: https://github.com/perl-catalyst/Catalyst-Plugin-Session/commit/88d1b599e1163761c9bd53bec53ba078f13e09d4 (0.41) CVE-2018-25051 (A vulnerability, which was classified as problematic, was found in JmP ...) - TODO: check + NOT-FOR-US: JmPotato Pomash CVE-2018-25050 (A vulnerability, which was classified as problematic, has been found i ...) NOT-FOR-US: Harvest Chosen CVE-2017-20150 (A vulnerability was found in challenge website. It has been rated as c ...) 
@@ -6432,49 +6432,49 @@ CVE-2022-46603 CVE-2022-46602 RESERVED CVE-2022-46601 (TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow v ...) - TODO: check + NOT-FOR-US: TRENDnet CVE-2022-46600 (TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow v ...) - TODO: check + NOT-FOR-US: TRENDnet CVE-2022-46599 (TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow v ...) - TODO: check + NOT-FOR-US: TRENDnet CVE-2022-46598 (TRENDnet TEW755AP 1.13B01 was discovered to contain a command injectio ...) - TODO: check + NOT-FOR-US: TRENDnet CVE-2022-46597 (TRENDnet TEW755AP 1.13B01 was discovered to contain a command injectio ...) - TODO: check + NOT-FOR-US: TRENDnet CVE-2022-46596 (TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow v ...) - TODO: check + NOT-FOR-US: TRENDnet CVE-2022-46595 RESERVED CVE-2022-46594 (TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow v ...) - TODO: check + NOT-FOR-US: TRENDnet CVE-2022-46593 (TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow v ...) - TODO: check + NOT-FOR-US: TRENDnet CVE-2022-46592 (TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow v ...) - TODO: check + NOT-FOR-US: TRENDnet CVE-2022-46591 (TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow v ...) - TODO: check + NOT-FOR-US: TRENDnet CVE-2022-46590 (TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow v ...) - TODO: check + NOT-FOR-US: TRENDnet CVE-2022-46589 (TRENDnet TEW755AP 1.13B01 was discovered to contain a stack overflow v ...) - TODO: check + NOT-FOR-US: TRENDnet CVE-2022-46588 (TRENDnet TEW755AP 1.13B01 was discovered to contain a
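Review bot: in the second hunk (around line 35), CVE-2022-48195 is closed as "NOT-FOR-US: Mellium". The affected component is the Go module mellium.im/sasl, so the not-for-us verdict only holds if no Go source package in the archive vendors or depends on that module; a quick check for a golang-*-sasl style package or a vendored copy before treating the triage as final would avoid reopening it later. The TRENDnet and aerouk imageserve entries in the same patch are device firmware and unpackaged web applications and look correct as NOT-FOR-US.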
[Git][security-tracker-team/security-tracker][master] Associate some NFUs with itp entry for froxlor
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d68e33b3 by Salvatore Bonaccorso at 2022-12-31T09:29:41+01:00 Associate some NFUs with itp entry for froxlor - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -94823,7 +94823,7 @@ CVE-2021-42326 (Redmine before 4.1.5 and 4.2.x before 4.2.3 may disclose the nam NOTE: https://www.redmine.org/projects/redmine/wiki/Changelog_4_2#423-2021-10-10 NOTE: https://www.redmine.org/projects/redmine/repository/revisions/21209 CVE-2021-42325 (Froxlor through 0.10.29.1 allows SQL injection in Database/Manager/DbM ...) - NOT-FOR-US: Froxlor + - froxlor (bug #581792) CVE-2021-42324 (An issue was discovered on DCN (Digital China Networks) S4600-10P-SI d ...) NOT-FOR-US: DCN S4600 switches CVE-2021-42323 (Azure RTOS Information Disclosure Vulnerability This CVE ID is unique ...) @@ -154902,7 +154902,7 @@ CVE-2020-29655 (An injection vulnerability exists in RT-AC88U Download Master be CVE-2020-29654 (Western Digital Dashboard before 3.2.2.9 allows DLL Hijacking that lea ...) NOT-FOR-US: Western Digital Dashboard CVE-2020-29653 (Froxlor through 0.10.22 does not perform validation on user input pass ...) - NOT-FOR-US: Froxlor + - froxlor (bug #581792) CVE-2020-29652 (A nil pointer dereference in the golang.org/x/crypto/ssh component thr ...) - golang-go.crypto 1:0.0~git20201221.eec23a3-1 [buster] - golang-go.crypto (Vulnerable code not present) 
@@ -207354,11 +207354,11 @@ CVE-2020-10239 (An issue was discovered in Joomla! before 3.9.16. Incorrect Acce CVE-2020-10238 (An issue was discovered in Joomla! before 3.9.16. Various actions in c ...) NOT-FOR-US: Joomla! CVE-2020-10237 (An issue was discovered in Froxlor through 0.10.15. The installer wrot ...) - NOT-FOR-US: Froxlor + - froxlor (bug #581792) CVE-2020-10236 (An issue was discovered in Froxlor before 0.10.14. It created files wi ...) - NOT-FOR-US: Froxlor + - froxlor (bug #581792) CVE-2020-10235 (An issue was discovered in Froxlor before 0.10.14. Remote attackers wi ...) - NOT-FOR-US: Froxlor + - froxlor (bug #581792) CVE-2020-10234 (The AscRegistryFilter.sys kernel driver in IObit Advanced SystemCare 1 ...) NOT-FOR-US: IObit Advanced SystemCare CVE-2020-10233 (In version 4.8.0 and earlier of The Sleuth Kit (TSK), there is a heap- ...) @@ -308806,7 +308806,7 @@ CVE-2018-1000528 (GONICUS GOsa version before commit 56070d6289d47ba3f5918885954 NOTE: https://github.com/gosa-project/gosa-core/commit/56070d6289d47ba3f5918885954dcceb75606001 NOTE: https://github.com/gosa-project/gosa-core/issues/14 CVE-2018-1000527 (Froxlor version = 0.9.39.5 contains a PHP Object Injection vulnera ...) - NOT-FOR-US: Froxlor + - froxlor (bug #581792) CVE-2018-1000526 (Openpsa contains a XML Injection vulnerability in RSS file upload feat ...) NOT-FOR-US: openpsa CVE-2018-1000525 (openpsa contains a PHP Object Injection vulnerability in Form data pas ...) 
@@ -411234,7 +411234,7 @@ CVE-2016-5102 (Buffer overflow in the readgifimage function in gif2tiff.c in the CVE-2016-5101 (Unspecified vulnerability in Opera Mail before 2016-02-16 on Windows a ...) NOT-FOR-US: Opera CVE-2016-5100 (Froxlor before 0.9.35 uses the PHP rand function for random number gen ...) - NOT-FOR-US: Froxlor + - froxlor (bug #581792) CVE-2016-5099 (Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x before 4. ...) {DSA-3627-1} - phpmyadmin 4:4.6.2-1 (low) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d68e33b30708cc73536b29aa39de534e32282947 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d68e33b30708cc73536b29aa39de534e32282947 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
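Review bot: every hunk replaces "NOT-FOR-US: Froxlor" with "- froxlor (bug #581792)" and no fixed version, which is the right shape for a package that exists only as an ITP: the entries will read as open until the first upload, and the fixed version should be filled in at that point (for the issues described as affecting versions "before 0.10.14" or "through 0.10.29.1" a 2.x upload will cover them). One context line is worth a second look: the CVE-2018-1000527 description reads "Froxlor version = 0.9.39.5", which looks like a comparison operator lost from the imported description, so verify the affected range against the upstream advisory before recording a fixed version for that entry.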
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-4864/froxlor, itp'ed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8e299879 by Salvatore Bonaccorso at 2022-12-31T09:28:28+01:00 Add CVE-2022-4864/froxlor, itped - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2022-4864 (Argument Injection in GitHub repository froxlor/froxlor prior to 2.0.0 ...) - TODO: check + - froxlor (bug #581792) CVE-2017-20155 (A vulnerability was found in Sterc Google Analytics Dashboard for MODX ...) TODO: check CVE-2017-20154 (A vulnerability was found in ghostlander Phoenixcoin. It has been clas ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e299879da13b577caa8b4d84408f62ed35253eb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e299879da13b577caa8b4d84408f62ed35253eb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
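Review bot: the new "- froxlor (bug #581792)" line records the ITP bug but no fixed version, which is expected while the package is not yet in the archive. Since the description states "prior to 2.0.0", consider adding a NOTE recording 2.0.0 as the upstream fixed version so the entry can be closed with the correct version as soon as the ITP upload lands, rather than requiring a second lookup then.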
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d69187d7 by Salvatore Bonaccorso at 2022-12-31T09:23:04+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -4879,33 +4879,33 @@ CVE-2022-47130 CVE-2022-47129 RESERVED CVE-2022-47128 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-47127 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-47126 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-47125 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-47124 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-47123 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-47122 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-47121 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-47120 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-47119 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-47118 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-47117 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-47116 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-47115 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) 
- TODO: check + NOT-FOR-US: Tenda CVE-2022-47114 RESERVED CVE-2022-47113 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d69187d7d5899ad02afb9a1d5b099bf12577d72a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d69187d7d5899ad02afb9a1d5b099bf12577d72a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d327ae85 by security tracker role at 2022-12-31T08:10:11+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2022-4864 (Argument Injection in GitHub repository froxlor/froxlor prior to 2.0.0 ...) + TODO: check +CVE-2017-20155 (A vulnerability was found in Sterc Google Analytics Dashboard for MODX ...) + TODO: check +CVE-2017-20154 (A vulnerability was found in ghostlander Phoenixcoin. It has been clas ...) + TODO: check CVE-2022-4863 (Improper Handling of Insufficient Permissions or Privileges in GitHub ...) NOT-FOR-US: usememos CVE-2022-4862 @@ -34,8 +40,8 @@ CVE-2017-20152 (A vulnerability, which was classified as problematic, was found TODO: check CVE-2017-20151 (A vulnerability classified as problematic was found in iText RUPS. Thi ...) NOT-FOR-US: iText RUPS -CVE-2022-48195 - RESERVED +CVE-2022-48195 (An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When ...) + TODO: check CVE-2022-48194 (TP-Link TL-WR902AC devices through V3 0.9.1 allow remote authenticated ...) NOT-FOR-US: TP-Link CVE-2022-48193 @@ -1397,7 +1403,7 @@ CVE-2022-4661 CVE-2022-4660 RESERVED CVE-2022-4659 - RESERVED + REJECTED CVE-2022-4658 RESERVED CVE-2022-4657 @@ -2233,7 +2239,7 @@ CVE-2022-4620 CVE-2022-4619 (The Sidebar Widgets by CodeLights plugin for WordPress is vulnerable t ...) NOT-FOR-US: Sidebar Widgets by CodeLights plugin for WordPress CVE-2022-4618 - RESERVED + REJECTED CVE-2022-4617 (Cross-site Scripting (XSS) - Reflected in GitHub repository microweber ...) NOT-FOR-US: microweber CVE-2022-47579 
@@ -4872,34 +4878,34 @@ CVE-2022-47130 RESERVED CVE-2022-47129 RESERVED -CVE-2022-47128 - RESERVED -CVE-2022-47127 - RESERVED -CVE-2022-47126 - RESERVED -CVE-2022-47125 - RESERVED -CVE-2022-47124 - RESERVED -CVE-2022-47123 - RESERVED -CVE-2022-47122 - RESERVED -CVE-2022-47121 - RESERVED -CVE-2022-47120 - RESERVED -CVE-2022-47119 - RESERVED -CVE-2022-47118 - RESERVED -CVE-2022-47117 - RESERVED -CVE-2022-47116 - RESERVED -CVE-2022-47115 - RESERVED +CVE-2022-47128 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) + TODO: check +CVE-2022-47127 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) + TODO: check +CVE-2022-47126 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) + TODO: check +CVE-2022-47125 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) + TODO: check +CVE-2022-47124 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) + TODO: check +CVE-2022-47123 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) + TODO: check +CVE-2022-47122 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) + TODO: check +CVE-2022-47121 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) + TODO: check +CVE-2022-47120 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) + TODO: check +CVE-2022-47119 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) + TODO: check +CVE-2022-47118 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) + TODO: check +CVE-2022-47117 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) + TODO: check +CVE-2022-47116 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) + TODO: check +CVE-2022-47115 (Tenda A15 V15.13.07.13 was discovered to contain a stack overflow via ...) + TODO: check CVE-2022-47114 RESERVED CVE-2022-47113 
@@ -5912,7 +5918,7 @@ CVE-2022-46751 CVE-2022-4340 RESERVED CVE-2022-4339 - RESERVED + REJECTED CVE-2022-4338 [Integer Underflow in Organization Specific TLV] RESERVED - openvswitch (bug #1027273) @@ -5934,7 +5940,7 @@ CVE-2022-4336 (In BAOTA linux panel there exists a stored xss vulnerability atta CVE-2022-4335 RESERVED CVE-2022-4334 - RESERVED + REJECTED CVE-2022-4333 RESERVED CVE-2022-4332 @@ -6138,14 +6144,17 @@ CVE-2022-46702 (The issue was addressed with improved memory handling. This issu CVE-2022-46701 (The issue was addressed with improved bounds checks. This issue is fix ...) NOT-FOR-US: Apple CVE-2022-46700 (A memory corruption issue was addressed with improved input validation ...) + {DSA-5309-1 DSA-5308-1} - webkit2gtk 2.38.3-1 - wpewebkit 2.38.3-1 NOTE: