Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7feae34c by Moritz Muehlenhoff at 2022-02-04T14:25:10+01:00
bullseye/buster triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -856,6 +856,8 @@ CVE-2022-0415
        RESERVED
 CVE-2022-24130 (xterm through Patch 370, when Sixel support is enabled, allows 
attacke ...)
        - xterm 370-2 (bug #1004689)
+       [bullseye] - xterm <no-dsa> (Minor issue)
+       [buster] - xterm <no-dsa> (Minor issue)
        NOTE: https://twitter.com/nickblack/status/1487731459398025216
        NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/2
        NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/3
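Review bot: the "(Minor issue)" rationale on the two added no-dsa lines would be easier to re-check later if it recorded the precondition the description itself states, namely that the bug is only reachable "when Sixel support is enabled"; something like "<no-dsa> (Minor issue; requires Sixel support enabled)" keeps the reason for the classification next to the decision. The sid line already carries a bug reference "(bug #1004689)", so the entry is otherwise complete.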
@@ -1176,6 +1178,11 @@ CVE-2022-0392 (Heap-based Buffer Overflow in GitHub 
repository vim/vim prior to
 CVE-2022-0391 [urllib.parse does not sanitize URLs containing ASCII newline 
and tabs]
        RESERVED
        - python3.9 3.9.7-1
+       [bullseye] - python3.9 <no-dsa> (Minor issue)
+       - python3.7 <removed>
+       [buster] - python3.7 <no-dsa> (Minor issue)
+       - python3.5 <removed>
+       - python3.4 <removed>
        NOTE: https://bugs.python.org/issue43882
        NOTE: Fixed by: 
https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4
 (v3.10.0b1)
        NOTE: Followup for 3.10.x: 
https://github.com/python/cpython/commit/24f1d1a8a2c4aa58a606b4b6d5fa4305a3b91705
 (v3.10.0b2)
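Review bot: the NOTE lines document the fix only for 3.10 (v3.10.0b1 with a follow-up in v3.10.0b2), yet the entry claims the issue fixed in python3.9 3.9.7-1 and marks bullseye's python3.9 as no-dsa; a "NOTE: Fixed by:" reference for the 3.9 branch backport would make the 3.9.7-1 claim verifiable from the entry alone. Separately, the added "- python3.5 <removed>" and "- python3.4 <removed>" lines carry no [stretch] annotation while other entries in this commit (xen, vim) do track stretch, so it is worth confirming that leaving stretch implicit here is intended.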
@@ -3145,11 +3152,15 @@ CVE-2022-23453
 CVE-2022-23452
        RESERVED
        - barbican <unfixed>
+       [bullseye] - barbican <no-dsa> (Minor issue)
+       [buster] - barbican <no-dsa> (Minor issue)
        NOTE: https://storyboard.openstack.org/#!/story/2009297
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2025090
 CVE-2022-23451
        RESERVED
        - barbican <unfixed>
+       [bullseye] - barbican <no-dsa> (Minor issue)
+       [buster] - barbican <no-dsa> (Minor issue)
        NOTE: https://storyboard.openstack.org/#!/story/2009253
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2025089
 CVE-2022-23450
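Review bot: both CVE-2022-23452 and CVE-2022-23451 are still RESERVED (no public description) and <unfixed> in sid, so a reader cannot check the "(Minor issue)" assessment against any CVE text; the bug reports are only linked via the NOTE lines. Suggest putting a one-line summary of the issue into the rationale, e.g. "<no-dsa> (Minor issue; <short summary from the storyboard entry>)", so the triage can be re-evaluated when the CVE is published or when the sid status changes.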
@@ -4766,16 +4777,19 @@ CVE-2022-23036
        RESERVED
 CVE-2022-23035 (Insufficient cleanup of passed-through device IRQs The 
management of I ...)
        - xen <unfixed>
+       [bullseye] - xen <postponed> (Fix along with next DSA round)
        [buster] - xen <end-of-life> (DSA 4677-1)
        [stretch] - xen <end-of-life> (DSA 4602-1)
        NOTE: https://xenbits.xen.org/xsa/advisory-395.html
 CVE-2022-23034 (A PV guest could DoS Xen while unmapping a grant To address 
XSA-380, r ...)
        - xen <unfixed>
+       [bullseye] - xen <postponed> (Fix along with next DSA round)
        [buster] - xen <end-of-life> (DSA 4677-1)
        [stretch] - xen <end-of-life> (DSA 4602-1)
        NOTE: https://xenbits.xen.org/xsa/advisory-394.html
 CVE-2022-23033 (arm: guest_physmap_remove_page not removing the p2m mappings 
The funct ...)
        - xen <unfixed>
+       [bullseye] - xen <postponed> (Fix along with next DSA round)
        [buster] - xen <not-affected> (Vulnerable code introduced later)
        [stretch] - xen <not-affected> (Vulnerable code introduced later)
        NOTE: https://xenbits.xen.org/xsa/advisory-393.html
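Review bot: the three added "[bullseye] - xen <postponed> (Fix along with next DSA round)" lines use an identical rationale, but the description of CVE-2022-23033 shows it is arm-specific ("arm: guest_physmap_remove_page ..."), and its buster/stretch lines already read "<not-affected> (Vulnerable code introduced later)" rather than the end-of-life status of the other two; recording the arm scope in the bullseye rationale for CVE-2022-23033 would keep that distinction visible when the next DSA round is assembled and the XSA-393/394/395 references in the NOTE lines are revisited.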
@@ -14582,12 +14596,16 @@ CVE-2022-21682 (Flatpak is a Linux application 
sandboxing and distribution frame
        NOTE: 1.12.4 added further changes to avoid regressions for some 
workflows
 CVE-2022-21681 (Marked is a markdown parser and compiler. Prior to version 
4.0.10, the ...)
        - node-marked 4.0.12+ds+~4.0.1-1
+       [bullseye] - node-marked <no-dsa> (Minor issue)
+       [buster] - node-marked <no-dsa> (Minor issue)
        NOTE: 
https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj
        NOTE: 
https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5
        NOTE: 
https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0
 (4.0.10)
        NOTE: https://github.com/markedjs/marked/releases/tag/v4.0.10
 CVE-2022-21680 (Marked is a markdown parser and compiler. Prior to version 
4.0.10, the ...)
        - node-marked 4.0.12+ds+~4.0.1-1
+       [bullseye] - node-marked <no-dsa> (Minor issue)
+       [buster] - node-marked <no-dsa> (Minor issue)
        NOTE: 
https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0
 (4.0.10)
        NOTE: https://github.com/markedjs/marked/releases/tag/v4.0.10
        NOTE: 
https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf
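Review bot: both entries cite the same upstream commit c4a3ccd344b6929afa8a1d50ac54a721e57012c0 (4.0.10), but only CVE-2022-21681 additionally cites 8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5, and neither entry says which commit is the fix; other entries in this file (the python and vim ones in this same commit) use "NOTE: Fixed by: <commit> (<version>)" for that. Suggest marking the fixing commit the same way here and stating whether 8f806573 belongs to CVE-2022-21681 only or to both CVEs, since the added bullseye/buster no-dsa lines rest on the 4.0.10 fix being fully identified.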
@@ -17141,11 +17159,15 @@ CVE-2021-43358 (Sunnet eHRD has inadequate filtering 
for special characters in U
        NOT-FOR-US: Sunnet eHRD
 CVE-2021-3928 (vim is vulnerable to Use of Uninitialized Variable ...)
        - vim 2:8.2.3995-1
+       [bullseye] - vim <no-dsa> (Minor issue)
+       [buster] - vim <no-dsa> (Minor issue)
        [stretch] - vim <no-dsa> (Minor issue)
        NOTE: https://huntr.dev/bounties/29c3ebd2-d601-481c-bf96-76975369d0cd
        NOTE: Fixed by: 
https://github.com/vim/vim/commit/15d9890eee53afc61eb0a03b878a19cb5672f732 
(v8.2.3582)
 CVE-2021-3927 (vim is vulnerable to Heap-based Buffer Overflow ...)
        - vim 2:8.2.3995-1
+       [bullseye] - vim <no-dsa> (Minor issue)
+       [buster] - vim <no-dsa> (Minor issue)
        [stretch] - vim <no-dsa> (Minor issue)
        NOTE: https://huntr.dev/bounties/9c2b2c82-48bb-4be9-ab8f-a48ea252d1b0
        NOTE: Fixed by: 
https://github.com/vim/vim/commit/0b5b06cb4777d1401fdf83e7d48d287662236e7e 
(v8.2.3581)
@@ -36439,17 +36461,25 @@ CVE-2021-36412 (A heap-based buffer overflow 
vulnerability exists in MP4Box in G
        NOTE: 
https://github.com/gpac/gpac/commit/828188475084db87cebc34208b6bd2509709845e
 CVE-2021-36411 (An issue has been found in libde265 v1.0.8 due to incorrect 
access con ...)
        - libde265 <unfixed>
+       [bullseye] - libde265 <no-dsa> (Minor issue)
+       [buster] - libde265 <no-dsa> (Minor issue)
        NOTE: https://github.com/strukturag/libde265/issues/302
 CVE-2021-36410 (A stack-buffer-overflow exists in libde265 v1.0.8 via 
fallback-motion. ...)
        - libde265 <unfixed>
+       [bullseye] - libde265 <no-dsa> (Minor issue)
+       [buster] - libde265 <no-dsa> (Minor issue)
        NOTE: https://github.com/strukturag/libde265/issues/301
 CVE-2021-3641 (Improper Link Resolution Before File Access ('Link Following') 
vulnera ...)
        NOT-FOR-US: Bitdefender
 CVE-2021-36409 (There is an Assertion `scaling_list_pred_matrix_id_delta==1' 
failed at ...)
        - libde265 <unfixed>
+       [bullseye] - libde265 <no-dsa> (Minor issue)
+       [buster] - libde265 <no-dsa> (Minor issue)
        NOTE: https://github.com/strukturag/libde265/issues/300
 CVE-2021-36408 (An issue was discovered in libde265 v1.0.8.There is a 
Heap-use-after-f ...)
        - libde265 <unfixed>
+       [bullseye] - libde265 <no-dsa> (Minor issue)
+       [buster] - libde265 <no-dsa> (Minor issue)
        NOTE: https://github.com/strukturag/libde265/issues/299
 CVE-2021-36407
        RESERVED
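Review bot: all four libde265 entries (CVE-2021-36411, -36410, -36409, -36408) are "<unfixed>" in sid and now no-dsa in both bullseye and buster, but none of the sid lines carries a Debian bug reference, unlike the xterm entry earlier in this commit ("- xterm 370-2 (bug #1004689)"); with no DSA planned, a "(bug #NNNNNN)" reference on each "- libde265 <unfixed>" line is the only thing that would keep these from being dropped from view until an upstream fix lands. The NOTE lines link the upstream issues 299 through 302, so the bug reports would only need to point at those.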
@@ -224924,6 +224954,7 @@ CVE-2018-16473 (A path traversal in takeapeek module 
versions &lt;=0.2.2 allows
        NOT-FOR-US: takeapeek
 CVE-2018-16472 (A prototype pollution attack in cached-path-relative versions 
&lt;=1.0 ...)
        - node-cached-path-relative 1.0.2-1
+       [buster] - node-cached-path-relative <no-dsa> (Minor issue)
        NOTE: https://hackerone.com/reports/390847
        NOTE: https://github.com/ashaffer/cached-path-relative/issues/3
        NOTE: Fixed by: 
https://github.com/ashaffer/cached-path-relative/commit/a43cffec84ed0e9eceecb43b534b6937a8028fc0
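Review bot: this hunk adds only "[buster] - node-cached-path-relative <no-dsa> (Minor issue)" while every other entry touched by this commit annotates bullseye alongside buster; if bullseye ships 1.0.2-1 or later the sid line "- node-cached-path-relative 1.0.2-1" already covers it and no line is needed, otherwise a [bullseye] entry is missing. Worth confirming which case applies, since the hunk itself does not show the bullseye version.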



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7feae34caf6072e33b2858c194e75d9f6600346c



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
