[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-12-31 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e961d2fb by Salvatore Bonaccorso at 2022-12-31T21:18:52+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3,19 +3,19 @@ CVE-2022-4868 (Improper Authorization in GitHub repository 
froxlor/froxlor prior
 CVE-2022-4867 (Cross-Site Request Forgery (CSRF) in GitHub repository 
froxlor/froxlor ...)
- froxlor  (bug #581792)
 CVE-2022-4866 (Cross-site Scripting (XSS) - Stored in GitHub repository 
usememos/memo ...)
-   TODO: check
+   NOT-FOR-US: usememos
 CVE-2022-4865 (Cross-site Scripting (XSS) - Stored in GitHub repository 
usememos/memo ...)
-   TODO: check
+   NOT-FOR-US: usememos
 CVE-2017-20159 (A vulnerability was found in rf Keynote up to 0.x. It has been 
rated a ...)
TODO: check
 CVE-2017-20158 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in 
vova07 Yi ...)
TODO: check
 CVE-2017-20157 (A vulnerability was found in Ariadne Component Library up to 
2.x. It h ...)
-   TODO: check
+   NOT-FOR-US: Ariadne Component Library
 CVE-2017-20156 (A vulnerability was found in Exciting Printer and classified 
as critic ...)
TODO: check
 CVE-2014-125027 (A vulnerability has been found in Yuna Scatari TBDev up to 
2.1.17 and  ...)
-   TODO: check
+   NOT-FOR-US: Yuna Scatari TBDev
 CVE-2022-4864 (Argument Injection in GitHub repository froxlor/froxlor prior 
to 2.0.0 ...)
- froxlor  (bug #581792)
 CVE-2017-20155 (A vulnerability was found in Sterc Google Analytics Dashboard 
for MODX ...)
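Review bot: CVE-2017-20159, CVE-2017-20158 and CVE-2017-20156 keep their TODO: check lines in this hunk while the neighbouring entries are resolved as NOT-FOR-US; if none of those three upstream projects is packaged in Debian they should get the same NOT-FOR-US annotation in a follow-up so they do not linger in the TODO queue, and if something is still being checked on one of them a short NOTE saying what would help the next triager.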



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e961d2fba09b732782f648435b5b29e35641adf7

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e961d2fba09b732782f648435b5b29e35641adf7
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Add two CVEs for froxlor, itp'ed

2022-12-31 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ba64b273 by Salvatore Bonaccorso at 2022-12-31T21:18:11+01:00
Add two CVEs for froxlor, itp'ed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,7 @@
 CVE-2022-4868 (Improper Authorization in GitHub repository froxlor/froxlor 
prior to 2 ...)
-   TODO: check
+   - froxlor  (bug #581792)
 CVE-2022-4867 (Cross-Site Request Forgery (CSRF) in GitHub repository 
froxlor/froxlor ...)
-   TODO: check
+   - froxlor  (bug #581792)
 CVE-2022-4866 (Cross-site Scripting (XSS) - Stored in GitHub repository 
usememos/memo ...)
TODO: check
 CVE-2022-4865 (Cross-site Scripting (XSS) - Stored in GitHub repository 
usememos/memo ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba64b273984922702ea67c77553e4ad0af76ae45



[Git][security-tracker-team/security-tracker][master] automatic update

2022-12-31 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
25ed095d by security tracker role at 2022-12-31T20:10:17+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,21 @@
+CVE-2022-4868 (Improper Authorization in GitHub repository froxlor/froxlor 
prior to 2 ...)
+   TODO: check
+CVE-2022-4867 (Cross-Site Request Forgery (CSRF) in GitHub repository 
froxlor/froxlor ...)
+   TODO: check
+CVE-2022-4866 (Cross-site Scripting (XSS) - Stored in GitHub repository 
usememos/memo ...)
+   TODO: check
+CVE-2022-4865 (Cross-site Scripting (XSS) - Stored in GitHub repository 
usememos/memo ...)
+   TODO: check
+CVE-2017-20159 (A vulnerability was found in rf Keynote up to 0.x. It has been 
rated a ...)
+   TODO: check
+CVE-2017-20158 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in 
vova07 Yi ...)
+   TODO: check
+CVE-2017-20157 (A vulnerability was found in Ariadne Component Library up to 
2.x. It h ...)
+   TODO: check
+CVE-2017-20156 (A vulnerability was found in Exciting Printer and classified 
as critic ...)
+   TODO: check
+CVE-2014-125027 (A vulnerability has been found in Yuna Scatari TBDev up to 
2.1.17 and  ...)
+   TODO: check
 CVE-2022-4864 (Argument Injection in GitHub repository froxlor/froxlor prior 
to 2.0.0 ...)
- froxlor  (bug #581792)
 CVE-2017-20155 (A vulnerability was found in Sterc Google Analytics Dashboard 
for MODX ...)
@@ -3841,6 +3859,7 @@ CVE-2022-4517
 CVE-2022-4516
REJECTED
 CVE-2022-4515 (A flaw was found in Exuberant Ctags in the way it handles the 
"-o" opt ...)
+   {DLA-3254-1}
- exuberant-ctags 1:5.9~svn20110310-18 (bug #1026995)
- universal-ctags  (Fixed before initial upload to Debian)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2153519
@@ -5923,6 +5942,7 @@ CVE-2022-4339
REJECTED
 CVE-2022-4338 [Integer Underflow in Organization Specific TLV]
RESERVED
+   {DLA-3253-1}
- openvswitch  (bug #1027273)
NOTE: https://www.openwall.com/lists/oss-security/2022/12/20/2
NOTE: 
https://mail.openvswitch.org/pipermail/ovs-dev/2022-December/400596.html
@@ -5931,6 +5951,7 @@ CVE-2022-4338 [Integer Underflow in Organization Specific 
TLV]
NOTE: Fixed by: 
https://github.com/openvswitch/ovs/commit/7490f281f09a8455c48e19b0cf1b99ab758ee4f4
 CVE-2022-4337 [Out-of-Bounds Read in Organization Specific TLV]
RESERVED
+   {DLA-3253-1}
- openvswitch  (bug #1027273)
NOTE: https://www.openwall.com/lists/oss-security/2022/12/20/2
NOTE: 
https://mail.openvswitch.org/pipermail/ovs-dev/2022-December/400596.html
@@ -6832,7 +6853,7 @@ CVE-2022-4285
 CVE-2022-4284
RESERVED
 CVE-2022-4283 (A vulnerability was found in X.Org. This security flaw occurs 
because  ...)
-   {DSA-5304-1}
+   {DSA-5304-1 DLA-3256-1}
- xorg-server 2:21.1.5-1 (bug #1026071)
- xwayland 2:22.1.6-1
NOTE: 
https://lists.x.org/archives/xorg-announce/2022-December/003302.html
@@ -7330,31 +7351,31 @@ CVE-2022-4225
 CVE-2021-4242 (A vulnerability was found in Sapido BR270n, BRC76n, GR297 and 
RB1732 a ...)
NOT-FOR-US: Sapido
 CVE-2022-46344 (A vulnerability was found in X.Org. This security flaw occurs 
because  ...)
-   {DSA-5304-1}
+   {DSA-5304-1 DLA-3256-1}
- xorg-server 2:21.1.5-1 (bug #1026071)
- xwayland 2:22.1.6-1
NOTE: 
https://lists.x.org/archives/xorg-announce/2022-December/003302.html
NOTE: 
https://gitlab.freedesktop.org/xorg/xserver/commit/8f454b793e1f13c99872c15f0eed1d7f3b823fe8
 CVE-2022-46343 (A vulnerability was found in X.Org. This security flaw occurs 
because  ...)
-   {DSA-5304-1}
+   {DSA-5304-1 DLA-3256-1}
- xorg-server 2:21.1.5-1 (bug #1026071)
- xwayland 2:22.1.6-1
NOTE: 
https://lists.x.org/archives/xorg-announce/2022-December/003302.html
NOTE: 
https://gitlab.freedesktop.org/xorg/xserver/commit/842ca3ccef100ce010d1d8f5f6d6cc1915055900
 CVE-2022-46342 (A vulnerability was found in X.Org. This security flaw occurs 
because  ...)
-   {DSA-5304-1}
+   {DSA-5304-1 DLA-3256-1}
- xorg-server 2:21.1.5-1 (bug #1026071)
- xwayland 2:22.1.6-1
NOTE: 
https://lists.x.org/archives/xorg-announce/2022-December/003302.html
NOTE: 
https://gitlab.freedesktop.org/xorg/xserver/commit/b79f32b57cc0c1186b2899bce7cf89f7b325161b
 CVE-2022-46341 (A vulnerability was found in X.Org. This security flaw occurs 
because  ...)
-   {DSA-5304-1}
+   {DSA-5304-1 DLA-3256-1}
- xorg-server 2:21.1.5-1 (bug #1026071)
- xwayland 2:22.1.6-1
NOTE: 
https://lists.x.org/archives/xorg-announce/2022-December/003302.html
NOTE: 

[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim xrdp

2022-12-31 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0fcf4f9d by Abhijith PA at 2022-12-31T23:52:54+05:30
data/dla-needed.txt: claim xrdp

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -325,7 +325,7 @@ xdg-utils
   NOTE: 20221120: Programming language: C.
   NOTE: 20221120: no real fix yet
 --
-xrdp
+xrdp (Abhijith PA)
   NOTE: 20221225: Programming language: C.
   NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fcf4f9d632cb746e32ca23b9bbff339c0e526e4



[Git][security-tracker-team/security-tracker][master] LTS: claim node-xmldom in dla-needed.txt

2022-12-31 Thread Guilhem Moulin (@guilhem)


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
926036c6 by Guilhem Moulin at 2022-12-31T18:52:13+01:00
LTS: claim node-xmldom in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -189,7 +189,7 @@ node-url-parse
   NOTE: 2022: Programming language: JavaScript.
   NOTE: 2022: Follow fixes from bullseye 11.4 + check postponed issues 
(Beuc/front-desk)
 --
-node-xmldom
+node-xmldom (guilhem)
   NOTE: 20221130: Programming language: JavaScript.
   NOTE: 20221130: VCS: 
https://salsa.debian.org/lts-team/packages/node-xmldom.git
   NOTE: 20221130: 
https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883 
(gladk).



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/926036c6ed25f647781777a425a8220bb9129ef1



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3259-1 for libjettison-java

2022-12-31 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b3a5378a by Markus Koschany at 2022-12-31T18:17:33+01:00
Reserve DLA-3259-1 for libjettison-java

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[31 Dec 2022] DLA-3259-1 libjettison-java - security update
+   {CVE-2022-40150 CVE-2022-45685 CVE-2022-45693}
+   [buster] - libjettison-java 1.5.3-1~deb10u1
 [31 Dec 2022] DLA-3258-1 node-loader-utils - security update
{CVE-2022-37601}
[buster] - node-loader-utils 1.1.0-2+deb10u1


=
data/dla-needed.txt
=
@@ -117,10 +117,6 @@ libetpan (Utkarsh)
 libitext5-java (Markus Koschany)
   NOTE: 20221225: Programming language: Java.
 --
-libjettison-java (Markus Koschany)
-  NOTE: 20221225: Programming language: Java.
-  NOTE: 20221225: VCS: 
https://salsa.debian.org/lts-team/packages/libjettison-java.git
---
 libreoffice
   NOTE: 20221012: Programming language: C++.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3a5378ab2a47dc47d8eb7ae482375bde82d57cb



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3258-1 for node-loader-utils

2022-12-31 Thread Guilhem Moulin (@guilhem)


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2b698bb1 by Guilhem Moulin at 2022-12-31T17:18:20+01:00
Reserve DLA-3258-1 for node-loader-utils

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[31 Dec 2022] DLA-3258-1 node-loader-utils - security update
+   {CVE-2022-37601}
+   [buster] - node-loader-utils 1.1.0-2+deb10u1
 [31 Dec 2022] DLA-3257-1 emacs - security update
{CVE-2022-45939}
[buster] - emacs 1:26.1+1-3.2+deb10u3


=
data/dla-needed.txt
=
@@ -175,10 +175,6 @@ node-got
   NOTE: 2022: Follow fixes from bullseye 11.4 (Beuc/front-desk)
   NOTE: 20221223: Module has been rewritten in Typescript since Buster 
released (lamby).
 --
-node-loader-utils (guilhem)
-  NOTE: 2022: Programming language: JavaScript.
-  NOTE: 2022: upcoming bullseye PU 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023798 (Beuc/front-desk)
---
 node-moment (Utkarsh)
   NOTE: 2022: Programming language: JavaScript.
   NOTE: 2022: Follow fixes from bullseye 11.4 and 11.5 (Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b698bb16b84476bbf30c1515255e3b26d114063



[Git][security-tracker-team/security-tracker][master] Merge notes in dla-needed referring to ruby-sidekiq

2022-12-31 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1c7dc42e by Salvatore Bonaccorso at 2022-12-31T16:55:17+01:00
Merge notes in dla-needed referring to ruby-sidekiq

Fixes: 5ef178c97007 (Merge notes in dla-needed referring to 
ruby-sidekiq)

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -17,10 +17,6 @@ rather than remove/replace existing ones.
   NOTE: 20221231: Programming language: C.
   NOTE: 20221231: Few users. Low prio. (opal).
 --
-CVE-2022-23837
-  NOTE: 20221231: Programming language: Ruby.
-  NOTE: 20221231: Was fixed in stretch so should be fixed in buster for 
consistency even though it is not that severe. (opal).
---
 apache2
   NOTE: 20221227: Programming language: C.
   NOTE: 20221227: VCS: https://salsa.debian.org/lts-team/packages/apache2.git
@@ -283,6 +279,7 @@ ruby-rails-html-sanitizer
 --
 ruby-sidekiq
   NOTE: 20221231: Programming language: Ruby.
+  NOTE: 20221231: CVE-2022-23837 was fixed in stretch so should be fixed in 
buster for consistency even though it is not that severe. (opal).
 --
 ruby-sinatra
   NOTE: 20221231: Programming language: Ruby.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c7dc42e6801f24ef771b24ea132f81d23a88f3f



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add ruby-sidekiq to dla-needed.txt

2022-12-31 Thread Ola Lundqvist (@opal)


Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
335f5b24 by Ola Lundqvist at 2022-12-31T15:15:31+01:00
LTS: add ruby-sidekiq to dla-needed.txt

- - - - -
9ff425fd by Ola Lundqvist at 2022-12-31T15:15:42+01:00
LTS: add ruby-sinatra to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -17,6 +17,10 @@ rather than remove/replace existing ones.
   NOTE: 20221231: Programming language: C.
   NOTE: 20221231: Few users. Low prio. (opal).
 --
+CVE-2022-23837
+  NOTE: 20221231: Programming language: Ruby.
+  NOTE: 20221231: Was fixed in stretch so should be fixed in buster for 
consistency even though it is not that severe. (opal).
+--
 apache2
   NOTE: 20221227: Programming language: C.
   NOTE: 20221227: VCS: https://salsa.debian.org/lts-team/packages/apache2.git
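Review bot: the new entry at the top of this hunk is keyed by the CVE id CVE-2022-23837 rather than by a source package; every other dla-needed.txt entry in the visible context (apache2, ruby-sidekiq, ruby-sinatra) is keyed by package name, and the second hunk adds a bare ruby-sidekiq entry, so the "Was fixed in stretch ..." note belongs under ruby-sidekiq instead of in a separate CVE-keyed entry.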
@@ -277,6 +281,13 @@ ruby-rails-html-sanitizer
   NOTE: 20221231: Programming language: Ruby.
   NOTE: 20221231: VCS: 
https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git
 --
+ruby-sidekiq
+  NOTE: 20221231: Programming language: Ruby.
+--
+ruby-sinatra
+  NOTE: 20221231: Programming language: Ruby.
+  NOTE: 20221231: VCS: 
https://salsa.debian.org/lts-team/packages/ruby-sinatra.git
+--
 runc
   NOTE: 20220905: Programming language: Go.
   NOTE: 20220905: Special attention: Sync with Bullseye.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4bae6fd2796538a8de1fbdd856e6166a1706...9ff425fdcdbf90db988f39a5f6f745de970ae388



[Git][security-tracker-team/security-tracker][master] Marked CVE-2020-23599 as no-dsa for buster.

2022-12-31 Thread Ola Lundqvist (@opal)


Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4bae6fd2 by Ola Lundqvist at 2022-12-31T15:06:01+01:00
Marked CVE-2020-23599 as no-dsa for buster.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -31459,6 +31459,7 @@ CVE-2021-46834 (A permission bypass vulnerability in 
Huawei cross device task ma
 CVE-2020-36599 (lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and 
before  ...)
[experimental] - ruby-omniauth 2.0.4-1~exp1
- ruby-omniauth 
+   [buster] - ruby-omniauth  (Minor issue)
NOTE: 
https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2
 (v2.0.0-rc1)
 CVE-2020-36598
RESERVED
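Review bot: the commit message reads "Marked CVE-2020-23599 as no-dsa for buster", but the hunk annotates CVE-2020-36599 (ruby-omniauth); the message should be corrected in a follow-up so that git log and the tracker history refer to the same id.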



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bae6fd2796538a8de1fbdd856e6166a1706



[Git][security-tracker-team/security-tracker][master] 3 commits: Marked CVE-2022-23514 and CVE-2022-23516 as no-dsa for buster.

2022-12-31 Thread Ola Lundqvist (@opal)


Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eaa7ac3f by Ola Lundqvist at 2022-12-31T14:59:56+01:00
Marked CVE-2022-23514 and CVE-2022-23516 as no-dsa for buster.

- - - - -
6b93acdc by Ola Lundqvist at 2022-12-31T15:00:19+01:00
LTS: add ruby-loofah to dla-needed.txt

- - - - -
aaef304f by Ola Lundqvist at 2022-12-31T15:00:50+01:00
LTS: add ruby-rails-html-sanitizer to dla-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -74768,12 +74768,14 @@ CVE-2022-23517 (rails-html-sanitizer is responsible 
for sanitizing HTML fragment
NOTE: 
https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979
 CVE-2022-23516 (Loofah is a general library for manipulating and transforming 
HTML/XML ...)
- ruby-loofah 2.19.1-1 (bug #1026083)
+   [buster] - ruby-loofah  (Minor issue)
NOTE: 
https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm
 CVE-2022-23515 (Loofah is a general library for manipulating and transforming 
HTML/XML ...)
- ruby-loofah 2.19.1-1 (bug #1026083)
NOTE: 
https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx
 CVE-2022-23514 (Loofah is a general library for manipulating and transforming 
HTML/XML ...)
- ruby-loofah 2.19.1-1 (bug #1026083)
+   [buster] - ruby-loofah  (Minor issue)
NOTE: 
https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
 CVE-2022-23513 (Pi-Hole is a network-wide ad blocking via your own Linux 
hardware, Adm ...)
NOT-FOR-US: Pi-Hole
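Review bot: CVE-2022-23515 sits between the two entries this hunk annotates, with the identical "- ruby-loofah 2.19.1-1 (bug #1026083)" line, but receives no [buster] annotation; if it is meant to be handled differently from CVE-2022-23514 and CVE-2022-23516, a NOTE saying why would keep the three loofah entries from looking inconsistent, otherwise it should get the same buster line.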


=
data/dla-needed.txt
=
@@ -270,6 +270,13 @@ rainloop
 ring
   NOTE: 20221120: Programming language: C.
 --
+ruby-loofah
+  NOTE: 20221231: Programming language: Ruby.
+--
+ruby-rails-html-sanitizer
+  NOTE: 20221231: Programming language: Ruby.
+  NOTE: 20221231: VCS: 
https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git
+--
 runc
   NOTE: 20220905: Programming language: Go.
   NOTE: 20220905: Special attention: Sync with Bullseye.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/57fcc46b76de022fe15f97a00c6ec7c61c971cb5...aaef304f68c7725031fb3b94e2c8643982ba2554



[Git][security-tracker-team/security-tracker][master] Marked CVE-2022-23520, CVE-2022-23519 and CVE-2022-23517 as no-dsa or postponed for buster.

2022-12-31 Thread Ola Lundqvist (@opal)


Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
57fcc46b by Ola Lundqvist at 2022-12-31T14:54:29+01:00
Marked CVE-2022-23520, CVE-2022-23519 and CVE-2022-23517 as no-dsa or postponed for buster.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -74751,9 +74751,11 @@ CVE-2022-23521
RESERVED
 CVE-2022-23520 (rails-html-sanitizer is responsible for sanitizing HTML 
fragments in R ...)
- ruby-rails-html-sanitizer  (bug #1027153)
+   [buster] - ruby-rails-html-sanitizer  (Minor issue)
NOTE: 
https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8
 CVE-2022-23519 (rails-html-sanitizer is responsible for sanitizing HTML 
fragments in R ...)
- ruby-rails-html-sanitizer  (bug #1027153)
+   [buster] - ruby-rails-html-sanitizer  (Minor issue can be 
fixed later)
NOTE: 
https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h
 CVE-2022-23518 (rails-html-sanitizer is responsible for sanitizing HTML 
fragments in R ...)
- ruby-rails-html-sanitizer  (bug #1027153)
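Review bot: the commit message says "no-dsa or postponed", but as rendered in this notification the added [buster] lines for CVE-2022-23520 and CVE-2022-23519 differ only in their free-text comment ("Minor issue" versus "Minor issue can be fixed later"), and the status tag that distinguishes the two states is not visible here; please confirm in the file that CVE-2022-23519 carries the intended tag, since the comment is free-form text.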
@@ -74761,6 +74763,7 @@ CVE-2022-23518 (rails-html-sanitizer is responsible for 
sanitizing HTML fragment
NOTE: 
https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m
 CVE-2022-23517 (rails-html-sanitizer is responsible for sanitizing HTML 
fragments in R ...)
- ruby-rails-html-sanitizer  (bug #1027153)
+   [buster] - ruby-rails-html-sanitizer  (Minor issue)
NOTE: 
https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w
NOTE: 
https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979
 CVE-2022-23516 (Loofah is a general library for manipulating and transforming 
HTML/XML ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57fcc46b76de022fe15f97a00c6ec7c61c971cb5



[Git][security-tracker-team/security-tracker][master] 3 commits: LTS: add 389-ds-base to dla-needed.txt

2022-12-31 Thread Ola Lundqvist (@opal)


Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7535cac9 by Ola Lundqvist at 2022-12-31T14:34:02+01:00
LTS: add 389-ds-base to dla-needed.txt

- - - - -
62569b8c by Ola Lundqvist at 2022-12-31T14:36:54+01:00
LTS: add python-oslo.privsep to dla-needed.txt

- - - - -
f224115f by Ola Lundqvist at 2022-12-31T14:43:44+01:00
Marked CVE-2019-25078 as no-dsa for buster. Minor issue.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -4355,6 +4355,7 @@ CVE-2022-4442
RESERVED
 CVE-2019-25078 (A vulnerability classified as problematic was found in 
pacparser up to ...)
- pacparser  (bug #1026106)
+   [buster] - pacparser  (Minor issue)
NOTE: https://github.com/manugarg/pacparser/issues/99
NOTE: 
https://github.com/manugarg/pacparser/commit/853e8f45607cb07b877ffd270c63dbcdd5201ad9
 (v1.4.0)
 CVE-2022-47371


=
data/dla-needed.txt
=
@@ -12,6 +12,10 @@ 
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 To make it easier to see the entire history of an update, please append notes
 rather than remove/replace existing ones.
 
+--
+389-ds-base
+  NOTE: 20221231: Programming language: C.
+  NOTE: 20221231: Few users. Low prio. (opal).
 --
 apache2
   NOTE: 20221227: Programming language: C.
@@ -229,6 +233,9 @@ protobuf
 puppet-module-puppetlabs-mysql
   NOTE: 20221107: Programming language: Puppet, Ruby.
 --
+python-oslo.privsep
+  NOTE: 20221231: Programming language: Python.
+--
 qemu
   NOTE: 20221108: Programming language: C.
   NOTE: 20221108: I updated the status of all opened (minor) CVEs to more 
clearly state whether we can fix or are waiting for a patch,



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/03ff8af06fc4f458fd3bec9af6dced087dc8ce83...f224115fbfa8eca31584ea0d75def9161b4ab7e5



[Git][security-tracker-team/security-tracker][master] 2 commits: Marked CVE-2018-25060 as no-dsa for buster since it is a minor issue.

2022-12-31 Thread Ola Lundqvist (@opal)


Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
975b5e3f by Ola Lundqvist at 2022-12-31T14:24:31+01:00
Marked CVE-2018-25060 as no-dsa for buster since it is a minor issue.

- - - - -
03ff8af0 by Ola Lundqvist at 2022-12-31T14:28:50+01:00
LTS: add libxstream-java to dla-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -30,6 +30,7 @@ CVE-2020-36637 (** UNSUPPORTED WHEN ASSIGNED ** A 
vulnerability was found in Chr
NOT-FOR-US: Chris92de AdminServ
 CVE-2018-25060 (A vulnerability was found in Macaron csrf and classified as 
problemati ...)
- golang-github-go-macaron-csrf 
+   [buster] - golang-github-go-macaron-csrf  (Minor issue)
NOTE: 
https://github.com/go-macaron/csrf/commit/dadd1711a617000b70e5e408a76531b73187031c
NOTE: https://github.com/go-macaron/csrf/pull/7
 CVE-2018-25059 (A vulnerability was found in pastebinit up to 0.2.2 and 
classified as  ...)


=
data/dla-needed.txt
=
@@ -127,6 +127,11 @@ libsdl2
 libstb
   NOTE: 2022: Programming language: C.
 --
+libxstream-java
+  NOTE: 20221231: Programming language: Java.
+  NOTE: 20221231: VCS: 
https://salsa.debian.org/lts-team/packages/libxstream-java.git
+  NOTE: 20221231: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/libxstream-java.html
+--
 linux (Ben Hutchings)
 --
 man2html



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9aae874e08afafc808aa4f0ca3b5f45f6a916abe...03ff8af06fc4f458fd3bec9af6dced087dc8ce83



[Git][security-tracker-team/security-tracker][master] Marked CVE-2020-36367 as no-dsa since it is a minor issue.

2022-12-31 Thread Ola Lundqvist (@opal)


Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9aae874e by Ola Lundqvist at 2022-12-31T14:18:15+01:00
Marked CVE-2020-36367 as no-dsa since it is a minor issue.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -35300,6 +35300,7 @@ CVE-2020-36568 (Unsanitized input in the query parser 
in github.com/revel/revel
TODO: check
 CVE-2020-36567 (Unsanitized input in the default logger in 
github.com/gin-gonic/gin be ...)
- golang-github-gin-gonic-gin 1.6.3-1
+   [buster] - golang-github-gin-gonic-gin  (Minor issue)
NOTE: https://github.com/gin-gonic/gin/pull/2237
NOTE: 
https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d
 (v1.6.0)
 CVE-2020-36566 (Due to improper path santization, archives containing relative 
file pa ...)
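Review bot: the commit message names CVE-2020-36367, but the hunk annotates CVE-2020-36567 (golang-github-gin-gonic-gin); the digits look transposed, and the log entry should name the id that was actually changed.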



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9aae874e08afafc808aa4f0ca3b5f45f6a916abe



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3257-1 for emacs

2022-12-31 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
460da0a2 by Chris Lamb at 2022-12-31T12:44:48+00:00
Reserve DLA-3257-1 for emacs

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[31 Dec 2022] DLA-3257-1 emacs - security update
+   {CVE-2022-45939}
+   [buster] - emacs 1:26.1+1-3.2+deb10u3
 [31 Dec 2022] DLA-3256-1 xorg-server - security update
{CVE-2022-4283 CVE-2022-46340 CVE-2022-46341 CVE-2022-46342 
CVE-2022-46343 CVE-2022-46344}
[buster] - xorg-server 2:1.20.4-1+deb10u7


=
data/dla-needed.txt
=
@@ -39,9 +39,6 @@ curl (Roberto C. Sánchez)
   NOTE: 20220904: Special attention: high popcon!.
   NOTE: 20221209: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/curl.html
 --
-emacs (Chris Lamb)
-  NOTE: 20221227: Programming language: Lisp.
---
 erlang
   NOTE: 20221119: Programming language: Erlang.
   NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request 
has been for Stretch)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/460da0a2eaa90d6c546db8e030fd265975680590



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3256-1 for xorg-server

2022-12-31 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4d7fba62 by Thorsten Alteholz at 2022-12-31T13:43:33+01:00
Reserve DLA-3256-1 for xorg-server

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[31 Dec 2022] DLA-3256-1 xorg-server - security update
+   {CVE-2022-4283 CVE-2022-46340 CVE-2022-46341 CVE-2022-46342 
CVE-2022-46343 CVE-2022-46344}
+   [buster] - xorg-server 2:1.20.4-1+deb10u7
 [31 Dec 2022] DLA-3255-1 mplayer - security update
{CVE-2022-38850 CVE-2022-38851 CVE-2022-38855 CVE-2022-38858 
CVE-2022-38860 CVE-2022-38861 CVE-2022-38863 CVE-2022-38864 CVE-2022-38865 
CVE-2022-38866}
[buster] - mplayer 2:1.3.0-8+deb10u1


=
data/dla-needed.txt
=
@@ -309,10 +309,6 @@ xdg-utils
   NOTE: 20221120: Programming language: C.
   NOTE: 20221120: no real fix yet
 --
-xorg-server (Thorsten Alteholz)
-  NOTE: 20221225: Programming language: C.
-  NOTE: 20221225: VCS: 
https://salsa.debian.org/lts-team/packages/xorg-server.git
---
 xrdp
   NOTE: 20221225: Programming language: C.
   NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d7fba6293ad7f69de5cb65ed67304bdc2796efb



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3255-1 for mplayer

2022-12-31 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
329ddfd6 by Thorsten Alteholz at 2022-12-31T13:32:31+01:00
Reserve DLA-3255-1 for mplayer

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[31 Dec 2022] DLA-3255-1 mplayer - security update
+   {CVE-2022-38850 CVE-2022-38851 CVE-2022-38855 CVE-2022-38858 
CVE-2022-38860 CVE-2022-38861 CVE-2022-38863 CVE-2022-38864 CVE-2022-38865 
CVE-2022-38866}
+   [buster] - mplayer 2:1.3.0-8+deb10u1
 [31 Dec 2022] DLA-3254-1 exuberant-ctags - security update
{CVE-2022-4515}
[buster] - exuberant-ctags 1:5.9~svn20110310-12+deb10u1


=
data/dla-needed.txt
=
@@ -141,10 +141,6 @@ modsecurity-crs
   NOTE: 20221006: Programming language: Other.
   NOTE: 20221006: Maintainer notes: Please contact maintainer. Consider 
uploading of newer version.
 --
-mplayer (Thorsten Alteholz)
-  NOTE: 20221009: Programming language: C.
-  NOTE: 20221009: Many open CVEs.
---
 net-snmp
   NOTE: 20221120: Programming language: C.
   NOTE: 20221206: no upstream patch yet.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/329ddfd612a06b786290d495e1652058d27f8fbc



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3254-1 for exuberant-ctags

2022-12-31 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b797ded2 by Chris Lamb at 2022-12-31T11:46:04+00:00
Reserve DLA-3254-1 for exuberant-ctags

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[31 Dec 2022] DLA-3254-1 exuberant-ctags - security update
+   {CVE-2022-4515}
+   [buster] - exuberant-ctags 1:5.9~svn20110310-12+deb10u1
 [31 Dec 2022] DLA-3253-1 openvswitch - security update
{CVE-2022-4337 CVE-2022-4338}
[buster] - openvswitch 2.10.7+ds1-0+deb10u3


=
data/dla-needed.txt
=
@@ -49,10 +49,6 @@ erlang
 exiv2 (Helmut Grohne)
   NOTE: 20221119: Programming language: C.
 --
-exuberant-ctags (Chris Lamb)
-  NOTE: 20221225: Programming language: C.
-  NOTE: 20221225: Special attention: Needs further investigation.
---
 firmware-nonfree (Markus Koschany)
   NOTE: 20220906: Consider to check the severity of the issues again and judge 
whether a correction is worth it.
   NOTE: 20221204: Coming soon in the first week of December. (apo)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b797ded245691be02c4ef22393a246300bffbf8b



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3253-1 for openvswitch

2022-12-31 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
241b327c by Chris Lamb at 2022-12-31T11:23:25+00:00
Reserve DLA-3253-1 for openvswitch

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[31 Dec 2022] DLA-3253-1 openvswitch - security update
+   {CVE-2022-4337 CVE-2022-4338}
+   [buster] - openvswitch 2.10.7+ds1-0+deb10u3
 [31 Dec 2022] DLA-3252-1 cacti - security update
{CVE-2020-8813 CVE-2020-23226 CVE-2020-25706 CVE-2022-0730 
CVE-2022-46169}
[buster] - cacti 1.2.2+ds1-2+deb10u5


=
data/dla-needed.txt
=
@@ -217,10 +217,6 @@ openimageio
   NOTE: 20221225: Programming language: C.
   NOTE: 20221225: VCS: 
https://salsa.debian.org/lts-team/packages/openimageio.git
 --
-openvswitch (Chris Lamb)
-  NOTE: 20221228: Programming language: C.
-  NOTE: 20221228: VCS: 
https://salsa.debian.org/lts-team/packages/openvswitch.git
---
 php-cas
   NOTE: 20221105: Programming language: PHP.
   NOTE: 20221105: The fix is not backwards compatible. Should be investigated 
further whether this issue should be solved or ignored.. (ola)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/241b327cc9e539ddacae082493b69c56e7229cce



[Git][security-tracker-team/security-tracker][master] CVE-2022-40150, CVE-2022-45685, CVE-2022-45693, libjettison-java: fixed in

2022-12-31 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8e90802f by Markus Koschany at 2022-12-31T11:30:13+01:00
CVE-2022-40150, CVE-2022-45685, CVE-2022-45693, libjettison-java: fixed in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9048,7 +9048,7 @@ CVE-2022-45695
 CVE-2022-45694
RESERVED
 CVE-2022-45693 (Jettison before v1.5.2 was discovered to contain a stack 
overflow via  ...)
-   - libjettison-java 
+   - libjettison-java 1.5.3-1
NOTE: https://github.com/jettison-json/jettison/issues/52
 CVE-2022-45692
RESERVED
@@ -9065,7 +9065,7 @@ CVE-2022-45687
 CVE-2022-45686
RESERVED
 CVE-2022-45685 (A stack overflow in Jettison before v1.5.2 allows attackers to 
cause a ...)
-   - libjettison-java 
+   - libjettison-java 1.5.3-1
NOTE: https://github.com/jettison-json/jettison/issues/54
 CVE-2022-45684
RESERVED
@@ -26728,7 +26728,7 @@ CVE-2022-40151 (Those using Xstream to seralize XML 
data may be vulnerable to De
- libxstream-java 
NOTE: https://github.com/x-stream/xstream/issues/304
 CVE-2022-40150 (Those using Jettison to parse untrusted XML or JSON data may 
be vulner ...)
-   - libjettison-java  (bug #1022553)
+   - libjettison-java 1.5.3-1 (bug #1022553)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46549
NOTE: https://github.com/jettison-json/jettison/issues/45
 CVE-2022-40149 (Those using Jettison to parse untrusted XML or JSON data may 
be vulner ...)
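Review bot: CVE-2022-40149, visible as this hunk's trailing context with the same "Those using Jettison to parse untrusted XML or JSON data" description as CVE-2022-40150, is not touched by this commit, so it is unclear whether libjettison-java 1.5.3-1 also closes it. If it does, its entry needs the same fixed version; if it was fixed earlier or is deliberately excluded, a NOTE on that entry would spare the next triager the same question.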



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e90802f61721ac20a140ba880f96239c1c96ebb



[Git][security-tracker-team/security-tracker][master] Reserve DSA number for ruby-image-processing update

2022-12-31 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dab4dd6d by Salvatore Bonaccorso at 2022-12-31T10:36:35+01:00
Reserve DSA number for ruby-image-processing update

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[31 Dec 2022] DSA-5310-1 ruby-image-processing - security update
+   {CVE-2022-24720}
+   [bullseye] - ruby-image-processing 1.10.3-1+deb11u1
 [31 Dec 2022] DSA-5309-1 wpewebkit - security update
{CVE-2022-42852 CVE-2022-42856 CVE-2022-42867 CVE-2022-46692 
CVE-2022-46698 CVE-2022-46699 CVE-2022-46700}
[bullseye] - wpewebkit 2.38.3-1~deb11u1


=
data/dsa-needed.txt
=
@@ -41,8 +41,6 @@ php-horde-turba
 --
 rails
 --
-ruby-image-processing
---
 ruby-nokogiri
 --
 ruby-rack



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dab4dd6da7828c7ebbe762ed5f63c7be78aa49c5



[Git][security-tracker-team/security-tracker][master] Add references for commits for CVE-2021-3638/qemu

2022-12-31 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c287799c by Salvatore Bonaccorso at 2022-12-31T10:10:50+01:00
Add references for commits for CVE-2021-3638/qemu

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -110192,6 +110192,8 @@ CVE-2021-3638 (An out-of-bounds memory access flaw 
was found in the ATI VGA devi
[stretch] - qemu  (Vulnerable code introduced in ATI VGA 
device emulation added later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1979858
NOTE: 
https://lore.kernel.org/qemu-devel/caa8xkjxkdwpyxsaerb+2mfhrrbil_kh9unvkemfxlff68ux...@mail.gmail.com
+   NOTE: Introduced by: 
https://gitlab.com/qemu-project/qemu/-/commit/584acf34cb05f16e13a46d666196a7583d232616
 (v4.1.0-rc0)
+   NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/205ccfd7a5ec86bd9a5678b8bd157562fc9a1643
 (v7.2.0-rc0)
 CVE-2021-36235 (An issue was discovered in Ivanti Workspace Control before 
10.6.30.0.  ...)
NOT-FOR-US: Ivanti
 CVE-2021-36234 (Use of a hard-coded cryptographic key in MIK.starlight 
7.9.5.24363 all ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c287799c0336b0b4e57219280927e221523c1deb



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-12-31 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fe79fd33 by Salvatore Bonaccorso at 2022-12-31T09:39:56+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,9 +1,9 @@
 CVE-2022-4864 (Argument Injection in GitHub repository froxlor/froxlor prior 
to 2.0.0 ...)
- froxlor  (bug #581792)
 CVE-2017-20155 (A vulnerability was found in Sterc Google Analytics Dashboard 
for MODX ...)
-   TODO: check
+   NOT-FOR-US: Sterc Google Analytics Dashboard for MODX
 CVE-2017-20154 (A vulnerability was found in ghostlander Phoenixcoin. It has 
been clas ...)
-   TODO: check
+   NOT-FOR-US: ghostlander Phoenixcoin
 CVE-2022-4863 (Improper Handling of Insufficient Permissions or Privileges in 
GitHub  ...)
NOT-FOR-US: usememos
 CVE-2022-4862
@@ -13,7 +13,7 @@ CVE-2022-4861 (Incorrect implementation in authentication 
protocol in M-Files Cl
 CVE-2022-4860 (A vulnerability was found in KBase Metrics. It has been 
classified as  ...)
NOT-FOR-US: KBase Metrics
 CVE-2022-4859 (A vulnerability, which was classified as problematic, has been 
found i ...)
-   TODO: check
+   NOT-FOR-US: Joget
 CVE-2022-4858 (Insertion of Sensitive Information into Log Files in M-Files 
Server be ...)
NOT-FOR-US: M-Files
 CVE-2022-4857 (A vulnerability was found in Modbus Tools Modbus Poll up to 
9.10.0 and ...)
@@ -35,13 +35,13 @@ CVE-2018-25060 (A vulnerability was found in Macaron csrf 
and classified as prob
 CVE-2018-25059 (A vulnerability was found in pastebinit up to 0.2.2 and 
classified as  ...)
TODO: check
 CVE-2017-20153 (A vulnerability has been found in aerouk imageserve and 
classified as  ...)
-   TODO: check
+   NOT-FOR-US: aerouk imageserve
 CVE-2017-20152 (A vulnerability, which was classified as problematic, was 
found in aer ...)
-   TODO: check
+   NOT-FOR-US: aerouk imageserve
 CVE-2017-20151 (A vulnerability classified as problematic was found in iText 
RUPS. Thi ...)
NOT-FOR-US: iText RUPS
 CVE-2022-48195 (An issue was discovered in Mellium mellium.im/sasl before 
0.3.1. When  ...)
-   TODO: check
+   NOT-FOR-US: Mellium
 CVE-2022-48194 (TP-Link TL-WR902AC devices through V3 0.9.1 allow remote 
authenticated ...)
NOT-FOR-US: TP-Link
 CVE-2022-48193
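Review bot: CVE-2022-48195 is marked NOT-FOR-US: Mellium although the affected component, mellium.im/sasl, is a Go library rather than a standalone product; Go libraries are often packaged as golang-*-dev or vendored into other source packages, so this one is worth a quick check against the archive's Go packages before the NOT-FOR-US is relied on.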
@@ -782,7 +782,7 @@ CVE-2018-25052 (A vulnerability has been found in 
Catalyst-Plugin-Session up to
- libcatalyst-plugin-session-perl 0.41-1
NOTE: 
https://github.com/perl-catalyst/Catalyst-Plugin-Session/commit/88d1b599e1163761c9bd53bec53ba078f13e09d4
 (0.41)
 CVE-2018-25051 (A vulnerability, which was classified as problematic, was 
found in JmP ...)
-   TODO: check
+   NOT-FOR-US: JmPotato Pomash
 CVE-2018-25050 (A vulnerability, which was classified as problematic, has been 
found i ...)
NOT-FOR-US: Harvest Chosen
 CVE-2017-20150 (A vulnerability was found in challenge website. It has been 
rated as c ...)
@@ -6432,49 +6432,49 @@ CVE-2022-46603
 CVE-2022-46602
RESERVED
 CVE-2022-46601 (TRENDnet TEW755AP 1.13B01 was discovered to contain a stack 
overflow v ...)
-   TODO: check
+   NOT-FOR-US: TRENDnet
 CVE-2022-46600 (TRENDnet TEW755AP 1.13B01 was discovered to contain a stack 
overflow v ...)
-   TODO: check
+   NOT-FOR-US: TRENDnet
 CVE-2022-46599 (TRENDnet TEW755AP 1.13B01 was discovered to contain a stack 
overflow v ...)
-   TODO: check
+   NOT-FOR-US: TRENDnet
 CVE-2022-46598 (TRENDnet TEW755AP 1.13B01 was discovered to contain a command 
injectio ...)
-   TODO: check
+   NOT-FOR-US: TRENDnet
 CVE-2022-46597 (TRENDnet TEW755AP 1.13B01 was discovered to contain a command 
injectio ...)
-   TODO: check
+   NOT-FOR-US: TRENDnet
 CVE-2022-46596 (TRENDnet TEW755AP 1.13B01 was discovered to contain a stack 
overflow v ...)
-   TODO: check
+   NOT-FOR-US: TRENDnet
 CVE-2022-46595
RESERVED
 CVE-2022-46594 (TRENDnet TEW755AP 1.13B01 was discovered to contain a stack 
overflow v ...)
-   TODO: check
+   NOT-FOR-US: TRENDnet
 CVE-2022-46593 (TRENDnet TEW755AP 1.13B01 was discovered to contain a stack 
overflow v ...)
-   TODO: check
+   NOT-FOR-US: TRENDnet
 CVE-2022-46592 (TRENDnet TEW755AP 1.13B01 was discovered to contain a stack 
overflow v ...)
-   TODO: check
+   NOT-FOR-US: TRENDnet
 CVE-2022-46591 (TRENDnet TEW755AP 1.13B01 was discovered to contain a stack 
overflow v ...)
-   TODO: check
+   NOT-FOR-US: TRENDnet
 CVE-2022-46590 (TRENDnet TEW755AP 1.13B01 was discovered to contain a stack 
overflow v ...)
-   TODO: check
+   NOT-FOR-US: TRENDnet
 CVE-2022-46589 (TRENDnet TEW755AP 1.13B01 was discovered to contain a stack 
overflow v ...)
-   TODO: check
+   NOT-FOR-US: TRENDnet
 CVE-2022-46588 (TRENDnet TEW755AP 1.13B01 was discovered to contain a 
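Review bot: this hunk is cut off mid-line at the CVE-2022-46588 entry in this copy of the message (its GitLab footer is missing too), so the entries after CVE-2022-46589 cannot be checked here. The visible part marks CVE-2022-46589 through CVE-2022-46601 NOT-FOR-US: TRENDnet uniformly, which is consistent with the TP-Link and Tenda router-firmware batches elsewhere in this thread.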

[Git][security-tracker-team/security-tracker][master] Associate some NFUs with itp entry for froxlor

2022-12-31 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d68e33b3 by Salvatore Bonaccorso at 2022-12-31T09:29:41+01:00
Associate some NFUs with itp entry for froxlor

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -94823,7 +94823,7 @@ CVE-2021-42326 (Redmine before 4.1.5 and 4.2.x before 
4.2.3 may disclose the nam
NOTE: 
https://www.redmine.org/projects/redmine/wiki/Changelog_4_2#423-2021-10-10
NOTE: 
https://www.redmine.org/projects/redmine/repository/revisions/21209
 CVE-2021-42325 (Froxlor through 0.10.29.1 allows SQL injection in 
Database/Manager/DbM ...)
-   NOT-FOR-US: Froxlor
+   - froxlor  (bug #581792)
 CVE-2021-42324 (An issue was discovered on DCN (Digital China Networks) 
S4600-10P-SI d ...)
NOT-FOR-US: DCN S4600 switches
 CVE-2021-42323 (Azure RTOS Information Disclosure Vulnerability This CVE ID is 
unique  ...)
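Review bot: every replacement line in this commit renders as `- froxlor  (bug #581792)` with a double space before the bug reference, where the `<itp>` tag that the commit message refers to would normally sit. Angle-bracket tags are routinely dropped by HTML mail rendering, so this is most likely a display artifact, but it is worth confirming the tag survived in the committed file, and that ITP #581792 is still open, since otherwise these seven entries now point at a package the archive does not have.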
@@ -154902,7 +154902,7 @@ CVE-2020-29655 (An injection vulnerability exists in 
RT-AC88U Download Master be
 CVE-2020-29654 (Western Digital Dashboard before 3.2.2.9 allows DLL Hijacking 
that lea ...)
NOT-FOR-US: Western Digital Dashboard
 CVE-2020-29653 (Froxlor through 0.10.22 does not perform validation on user 
input pass ...)
-   NOT-FOR-US: Froxlor
+   - froxlor  (bug #581792)
 CVE-2020-29652 (A nil pointer dereference in the golang.org/x/crypto/ssh 
component thr ...)
- golang-go.crypto 1:0.0~git20201221.eec23a3-1
[buster] - golang-go.crypto  (Vulnerable code not present)
@@ -207354,11 +207354,11 @@ CVE-2020-10239 (An issue was discovered in Joomla! 
before 3.9.16. Incorrect Acce
 CVE-2020-10238 (An issue was discovered in Joomla! before 3.9.16. Various 
actions in c ...)
NOT-FOR-US: Joomla!
 CVE-2020-10237 (An issue was discovered in Froxlor through 0.10.15. The 
installer wrot ...)
-   NOT-FOR-US: Froxlor
+   - froxlor  (bug #581792)
 CVE-2020-10236 (An issue was discovered in Froxlor before 0.10.14. It created 
files wi ...)
-   NOT-FOR-US: Froxlor
+   - froxlor  (bug #581792)
 CVE-2020-10235 (An issue was discovered in Froxlor before 0.10.14. Remote 
attackers wi ...)
-   NOT-FOR-US: Froxlor
+   - froxlor  (bug #581792)
 CVE-2020-10234 (The AscRegistryFilter.sys kernel driver in IObit Advanced 
SystemCare 1 ...)
NOT-FOR-US: IObit Advanced SystemCare
 CVE-2020-10233 (In version 4.8.0 and earlier of The Sleuth Kit (TSK), there is 
a heap- ...)
@@ -308806,7 +308806,7 @@ CVE-2018-1000528 (GONICUS GOsa version before commit 
56070d6289d47ba3f5918885954
NOTE: 
https://github.com/gosa-project/gosa-core/commit/56070d6289d47ba3f5918885954dcceb75606001
NOTE: https://github.com/gosa-project/gosa-core/issues/14
 CVE-2018-1000527 (Froxlor version = 0.9.39.5 contains a PHP Object 
Injection vulnera ...)
-   NOT-FOR-US: Froxlor
+   - froxlor  (bug #581792)
 CVE-2018-1000526 (Openpsa contains a XML Injection vulnerability in RSS file 
upload feat ...)
NOT-FOR-US: openpsa
 CVE-2018-1000525 (openpsa contains a PHP Object Injection vulnerability in 
Form data pas ...)
@@ -411234,7 +411234,7 @@ CVE-2016-5102 (Buffer overflow in the readgifimage 
function in gif2tiff.c in the
 CVE-2016-5101 (Unspecified vulnerability in Opera Mail before 2016-02-16 on 
Windows a ...)
NOT-FOR-US: Opera
 CVE-2016-5100 (Froxlor before 0.9.35 uses the PHP rand function for random 
number gen ...)
-   NOT-FOR-US: Froxlor
+   - froxlor  (bug #581792)
 CVE-2016-5099 (Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x 
before 4. ...)
{DSA-3627-1}
- phpmyadmin 4:4.6.2-1 (low)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d68e33b30708cc73536b29aa39de534e32282947



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-4864/froxlor, itp'ed

2022-12-31 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8e299879 by Salvatore Bonaccorso at 2022-12-31T09:28:28+01:00
Add CVE-2022-4864/froxlor, itp'ed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,5 @@
 CVE-2022-4864 (Argument Injection in GitHub repository froxlor/froxlor prior 
to 2.0.0 ...)
-   TODO: check
+   - froxlor  (bug #581792)
 CVE-2017-20155 (A vulnerability was found in Sterc Google Analytics Dashboard 
for MODX ...)
TODO: check
 CVE-2017-20154 (A vulnerability was found in ghostlander Phoenixcoin. It has 
been clas ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e299879da13b577caa8b4d84408f62ed35253eb



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2022-12-31 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d69187d7 by Salvatore Bonaccorso at 2022-12-31T09:23:04+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4879,33 +4879,33 @@ CVE-2022-47130
 CVE-2022-47129
RESERVED
 CVE-2022-47128 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-47127 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-47126 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-47125 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-47124 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-47123 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-47122 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-47121 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-47120 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-47119 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-47118 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-47117 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-47116 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-47115 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2022-47114
RESERVED
 CVE-2022-47113



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d69187d7d5899ad02afb9a1d5b099bf12577d72a



[Git][security-tracker-team/security-tracker][master] automatic update

2022-12-31 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d327ae85 by security tracker role at 2022-12-31T08:10:11+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,9 @@
+CVE-2022-4864 (Argument Injection in GitHub repository froxlor/froxlor prior 
to 2.0.0 ...)
+   TODO: check
+CVE-2017-20155 (A vulnerability was found in Sterc Google Analytics Dashboard 
for MODX ...)
+   TODO: check
+CVE-2017-20154 (A vulnerability was found in ghostlander Phoenixcoin. It has 
been clas ...)
+   TODO: check
 CVE-2022-4863 (Improper Handling of Insufficient Permissions or Privileges in 
GitHub  ...)
NOT-FOR-US: usememos
 CVE-2022-4862
@@ -34,8 +40,8 @@ CVE-2017-20152 (A vulnerability, which was classified as 
problematic, was found
TODO: check
 CVE-2017-20151 (A vulnerability classified as problematic was found in iText 
RUPS. Thi ...)
NOT-FOR-US: iText RUPS
-CVE-2022-48195
-   RESERVED
+CVE-2022-48195 (An issue was discovered in Mellium mellium.im/sasl before 
0.3.1. When  ...)
+   TODO: check
 CVE-2022-48194 (TP-Link TL-WR902AC devices through V3 0.9.1 allow remote 
authenticated ...)
NOT-FOR-US: TP-Link
 CVE-2022-48193
@@ -1397,7 +1403,7 @@ CVE-2022-4661
 CVE-2022-4660
RESERVED
 CVE-2022-4659
-   RESERVED
+   REJECTED
 CVE-2022-4658
RESERVED
 CVE-2022-4657
@@ -2233,7 +2239,7 @@ CVE-2022-4620
 CVE-2022-4619 (The Sidebar Widgets by CodeLights plugin for WordPress is 
vulnerable t ...)
NOT-FOR-US: Sidebar Widgets by CodeLights plugin for WordPress
 CVE-2022-4618
-   RESERVED
+   REJECTED
 CVE-2022-4617 (Cross-site Scripting (XSS) - Reflected in GitHub repository 
microweber ...)
NOT-FOR-US: microweber
 CVE-2022-47579
@@ -4872,34 +4878,34 @@ CVE-2022-47130
RESERVED
 CVE-2022-47129
RESERVED
-CVE-2022-47128
-   RESERVED
-CVE-2022-47127
-   RESERVED
-CVE-2022-47126
-   RESERVED
-CVE-2022-47125
-   RESERVED
-CVE-2022-47124
-   RESERVED
-CVE-2022-47123
-   RESERVED
-CVE-2022-47122
-   RESERVED
-CVE-2022-47121
-   RESERVED
-CVE-2022-47120
-   RESERVED
-CVE-2022-47119
-   RESERVED
-CVE-2022-47118
-   RESERVED
-CVE-2022-47117
-   RESERVED
-CVE-2022-47116
-   RESERVED
-CVE-2022-47115
-   RESERVED
+CVE-2022-47128 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
+   TODO: check
+CVE-2022-47127 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
+   TODO: check
+CVE-2022-47126 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
+   TODO: check
+CVE-2022-47125 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
+   TODO: check
+CVE-2022-47124 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
+   TODO: check
+CVE-2022-47123 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
+   TODO: check
+CVE-2022-47122 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
+   TODO: check
+CVE-2022-47121 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
+   TODO: check
+CVE-2022-47120 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
+   TODO: check
+CVE-2022-47119 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
+   TODO: check
+CVE-2022-47118 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
+   TODO: check
+CVE-2022-47117 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
+   TODO: check
+CVE-2022-47116 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
+   TODO: check
+CVE-2022-47115 (Tenda A15 V15.13.07.13 was discovered to contain a stack 
overflow via  ...)
+   TODO: check
 CVE-2022-47114
RESERVED
 CVE-2022-47113
@@ -5912,7 +5918,7 @@ CVE-2022-46751
 CVE-2022-4340
RESERVED
 CVE-2022-4339
-   RESERVED
+   REJECTED
 CVE-2022-4338 [Integer Underflow in Organization Specific TLV]
RESERVED
- openvswitch  (bug #1027273)
@@ -5934,7 +5940,7 @@ CVE-2022-4336 (In BAOTA linux panel there exists a stored 
xss vulnerability atta
 CVE-2022-4335
RESERVED
 CVE-2022-4334
-   RESERVED
+   REJECTED
 CVE-2022-4333
RESERVED
 CVE-2022-4332
@@ -6138,14 +6144,17 @@ CVE-2022-46702 (The issue was addressed with improved 
memory handling. This issu
 CVE-2022-46701 (The issue was addressed with improved bounds checks. This 
issue is fix ...)
NOT-FOR-US: Apple
 CVE-2022-46700 (A memory corruption issue was addressed with improved input 
validation ...)
+   {DSA-5309-1 DSA-5308-1}
- webkit2gtk 2.38.3-1
- wpewebkit 2.38.3-1
NOTE: