Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9980e90e by Moritz Muehlenhoff at 2022-04-19T11:56:57+02:00
buster/bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -34,6 +34,8 @@ CVE-2022-29459
        RESERVED
 CVE-2022-29458 (ncurses 6.3 before patch 20220416 has an out-of-bounds read 
and segmen ...)
        - ncurses <unfixed>
+       [bullseye] - ncurses <no-dsa> (Minor issue)
+       [buster] - ncurses <no-dsa> (Minor issue)
        NOTE: 
https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00014.html
        NOTE: 
https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00016.html
 CVE-2022-29457 (Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 
7060, Ex ...)
@@ -844,9 +846,13 @@ CVE-2022-1333 (Mattermost Playbooks plugin v1.24.0 and 
earlier fails to properly
 CVE-2015-20107 (In Python (aka CPython) through 3.10.4, the mailcap module 
does not ad ...)
        - python3.10 <unfixed>
        - python3.9 <unfixed>
+       [bullseye] - python3.9 <no-dsa> (Minor issue)
        - python3.7 <removed>
+       [buster] - python3.7 <no-dsa> (Minor issue)
        - python3.5 <removed>
        - python2.7 <unfixed>
+       [bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by 
security support)
+       [buster] - python2.7 <no-dsa> (Minor issue)
        NOTE: https://bugs.python.org/issue24778
        NOTE: https://github.com/python/cpython/issues/68966
        NOTE: https://github.com/python/cpython/pull/91542
@@ -38153,6 +38159,8 @@ CVE-2021-41716 (Maharashtra State Electricity Board 
Mahavitara Android Applicati
        NOT-FOR-US: Maharashtra State Electricity Board Mahavitara Android 
Application
 CVE-2021-41715 (libsixel 1.10.0 is vulnerable to Use after free in 
libsixel/src/dither ...)
        - libsixel 1.10.3-1
+       [bullseye] - libsixel <no-dsa> (Minor issue)
+       [buster] - libsixel <no-dsa> (Minor issue)
        NOTE: 
https://github.com/libsixel/libsixel/commit/d299d67c532a5133a57aade5c35ff8e612c73dd8
 (1.10.1)
        NOTE: https://github.com/libsixel/libsixel/pull/28
        NOTE: https://github.com/libsixel/libsixel/issues/27
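
Review bot: The two added no-dsa lines for libsixel give only "Minor issue" as the reason, while the description on this entry (CVE-2021-41715) is a use after free. A short qualifier inside the parenthesis, in the style of the "(Minor issue, DoS)" annotation used elsewhere in this file, would let later triagers see why a memory-safety bug was judged not to need a DSA.
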
@@ -39593,6 +39601,8 @@ CVE-2021-41120 (sylius/paypal-plugin is a paypal plugin 
for the Sylius developme
        NOT-FOR-US: sylius/paypal-plugin
 CVE-2021-41119 (Wire-server is the system server for the wire back-end 
services. Relea ...)
        - haskell-aeson <unfixed> (bug #1009678)
+       [bullseye] - haskell-aeson <no-dsa> (Minor issue)
+       [buster] - haskell-aeson <no-dsa> (Minor issue)
        NOTE: https://cs-syd.eu/posts/2021-09-11-json-vulnerability
        NOTE: https://github.com/haskell/aeson/issues/864
        NOTE: https://hackage.haskell.org/package/aeson-2.0.1.0
@@ -40746,6 +40756,8 @@ CVE-2021-40657
        RESERVED
 CVE-2021-40656 (libsixel before 1.10 is vulnerable to Buffer Overflow in 
libsixel/src/ ...)
        - libsixel 1.10.3-1
+       [bullseye] - libsixel <no-dsa> (Minor issue)
+       [buster] - libsixel <no-dsa> (Minor issue)
        NOTE: 
https://github.com/libsixel/libsixel/commit/dc96cdc27fb53e8595af67aaf68001033c808e42
 (1.10.0)
        NOTE: https://github.com/libsixel/libsixel/pull/26
        NOTE: https://github.com/libsixel/libsixel/issues/25
@@ -42863,9 +42875,10 @@ CVE-2021-39798 (In Bitmap_createFromParcel of 
Bitmap.cpp, there is a possible ar
 CVE-2021-39797 (In several functions of of LauncherApps.java, there is a 
possible esca ...)
        NOT-FOR-US: Android
 CVE-2021-39796 (In HarmfulAppWarningActivity of 
HarmfulAppWarningActivity.java, there  ...)
-       - android-platform-frameworks-base <unfixed> (bug #1009626)
+       - android-platform-frameworks-base <unfixed> (unimportant; bug #1009626)
        NOTE: 
https://android.googlesource.com/platform/frameworks/base/+/e74a2a320bf896bc30618ce486203bafe453c469
        NOTE: https://source.android.com/security/bulletin/2022-04-01
+       NOTE: No security impact for Android as provided in Debian
 CVE-2021-39795 (In multiple locations of MediaProvider.java , there is a 
possible way  ...)
        NOT-FOR-US: Android
 CVE-2021-39794 (In broadcastPortInfo of AdbService.java, there is a possible 
way for a ...)
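
Review bot: The added NOTE on CVE-2021-39796 says there is no security impact for Android as provided in Debian but not why, and that reason is what justifies switching android-platform-frameworks-base to unimportant. Suggest naming the cause in the NOTE (for example that the affected code is not built or not shipped, if that is the case) so the classification can be rechecked when the package changes.
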
@@ -72994,6 +73007,7 @@ CVE-2021-27918 (encoding/xml in Go before 1.15.9 and 
1.16.x before 1.16.1 has an
        - golang-1.16 1.16.3-1
        - golang-1.15 1.15.9-1
        - golang-1.11 <removed>
+       [buster] - golang-1.11 <no-dsa> (Minor issue)
        - golang-1.8 <removed>
        [stretch] - golang-1.8 <postponed> (Minor issue, DoS)
        - golang-1.7 <removed>
@@ -101141,6 +101155,7 @@ CVE-2020-28367 (Go before 1.14.12 and 1.15.x before 
1.15.5 allows Argument Injec
        {DLA-2460-1}
        - golang-1.15 1.15.5-1
        - golang-1.11 <removed>
+       [buster] - golang-1.11 <no-dsa> (Minor issue)
        - golang-1.8 <removed>
        - golang-1.7 <removed>
        [stretch] - golang-1.7 <ignored> (validation of cgo flags first 
introduced in golang-1.8 / CVE-2018-6574)
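
Review bot: This entry (CVE-2020-28367) carries {DLA-2460-1}, so a DLA was issued for the CVE, yet the added [buster] golang-1.11 line is no-dsa with a bare "Minor issue" for what the description calls argument injection. Worth adding the reason buster is handled differently in the parenthesis, or confirming that no-dsa is intended here.
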
@@ -101149,6 +101164,7 @@ CVE-2020-28367 (Go before 1.14.12 and 1.15.x before 
1.15.5 allows Argument Injec
 CVE-2020-28366 (Go before 1.14.12 and 1.15.x before 1.15.5 allows Code 
Injection. ...)
        - golang-1.15 1.15.5-1
        - golang-1.11 <removed>
+       [buster] - golang-1.11 <no-dsa> (Minor issue)
        - golang-1.8 <removed>
        [stretch] - golang-1.8 <ignored> (Minor issue, too intrusive to 
backport)
        - golang-1.7 <removed>
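
Review bot: On CVE-2020-28366 the added [buster] golang-1.11 line says only "Minor issue", while the neighbouring [stretch] golang-1.8 line records a concrete reason ("too intrusive to backport") for an issue described as code injection. If the same reason applies to golang-1.11, repeating it in the parenthesis would make the no-dsa decision self-explanatory.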



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9980e90e0d686c5cca91d1980d569897cec826e1
