Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0a9201d8 by Moritz Muehlenhoff at 2022-05-06T13:06:18+02:00
buster/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -36,6 +36,8 @@ CVE-2022-1589
        RESERVED
 CVE-2022-30292 (thread_call in sqbaselib.cpp in SQUIRREL 3.2 lacks a certain 
sq_reserv ...)
        - squirrel3 <unfixed>
+       [bullseye] - squirrel3 <no-dsa> (Minor issue)
+       [buster] - squirrel3 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/albertodemichelis/squirrel/commit/a6413aa690e0bdfef648c68693349a7b878fe60d
 CVE-2022-30291
        RESERVED
@@ -808,6 +810,8 @@ CVE-2022-29974
        RESERVED
 CVE-2022-29973 (relan exFAT 1.3.0 allows local users to obtain sensitive 
information ( ...)
        - fuse-exfat <unfixed>
+       [bullseye] - fuse-exfat <no-dsa> (Minor issue)
+       [buster] - fuse-exfat <no-dsa> (Minor issue)
        NOTE: https://github.com/relan/exfat/issues/185
 CVE-2022-29972
        RESERVED
@@ -2697,10 +2701,14 @@ CVE-2022-29341
        RESERVED
 CVE-2022-29340 (GPAC 2.1-DEV-rev87-g053aae8-master. has a Null Pointer 
Dereference vul ...)
        - gpac <unfixed>
+       [bullseye] - gpac <ignored> (Minor issue)
+       [buster] - gpac <ignored> (Minor issue)
        NOTE: 
https://github.com/gpac/gpac/commit/37592ad86c6ca934d34740012213e467acc4a3b0
        NOTE: https://github.com/gpac/gpac/issues/2163
 CVE-2022-29339 (In GPAC 2.1-DEV-rev87-g053aae8-master, function BS_ReadByte() 
in utils ...)
        - gpac <unfixed>
+       [bullseye] - gpac <ignored> (Minor issue)
+       [buster] - gpac <ignored> (Minor issue)
        NOTE: 
https://github.com/gpac/gpac/commit/9ea93a2ec8f555ceed1ee27294cf94822f14f10f
        NOTE: https://github.com/gpac/gpac/issues/2165
 CVE-2022-29338
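Review bot: The four added gpac lines for CVE-2022-29340 and CVE-2022-29339 use <ignored> with the reason "Minor issue", while every other "Minor issue" entry in this commit uses <no-dsa>. <ignored> is the stronger state, so the parenthetical should say why no update is planned for bullseye and buster at all, especially since both entries carry NOTE lines pointing at upstream fix commits. If that is not the intent, use <no-dsa> here as well.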
@@ -6371,6 +6379,8 @@ CVE-2022-28067 (An incorrect access control issue in 
Sandboxie Classic v5.55.13
        NOT-FOR-US: Sandboxie Classic
 CVE-2022-28066 (Libarchive v3.6.0 was discovered to contain a read memory 
access vulne ...)
        - libarchive <unfixed>
+       [bullseye] - libarchive <no-dsa> (Minor issue)
+       [buster] - libarchive <no-dsa> (Minor issue)
        NOTE: https://github.com/libarchive/libarchive/issues/1672
        NOTE: 
https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff
 (v3.6.1)
 CVE-2022-28065
@@ -8225,6 +8235,8 @@ CVE-2022-27338
        RESERVED
 CVE-2022-27337 (A logic error in the Hints::Hints function of Poppler v22.03.0 
allows  ...)
        - poppler <unfixed>
+       [bullseye] - poppler <no-dsa> (Minor issue)
+       [buster] - poppler <no-dsa> (Minor issue)
        NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1230
        NOTE: 
https://gitlab.freedesktop.org/poppler/poppler/-/commit/81044c64b9ed9a10ae82a28bac753060bdfdac74
 (poppler-22.04.0)
 CVE-2022-27336 (Seacms v11.6 was discovered to contain a remote code execution 
(RCE) v ...)
@@ -21893,6 +21905,8 @@ CVE-2022-22966 (An authenticated, high privileged 
malicious actor with network a
        NOT-FOR-US: VMware
 CVE-2022-22965 (A Spring MVC or Spring WebFlux application running on JDK 9+ 
may be vu ...)
        - libspring-java <unfixed>
+       [bullseye] - libspring-java <no-dsa> (No reverse dependencies in the 
archive affected)
+       [buster] - libspring-java <no-dsa> (No reverse dependencies in the 
archive affected)
        [stretch] - libspring-java <end-of-life> (EOL'd for stretch)
        NOTE: https://bugalert.org/content/notices/2022-03-30-spring.html
        NOTE: https://tanzu.vmware.com/security/cve-2022-22965
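Review bot: The <no-dsa> reason on the new bullseye and buster lines for CVE-2022-22965, "No reverse dependencies in the archive affected", speaks only for packages in the archive, and nothing in the entry records how that was established. Consider adding a NOTE stating which reverse dependencies of libspring-java were checked and against which condition (the description names Spring MVC or Spring WebFlux applications on JDK 9+), so the decision can be re-evaluated when a new reverse dependency is uploaded.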
@@ -21926,9 +21940,10 @@ CVE-2022-22951 (VMware Carbon Black App Control (8.5.x 
prior to 8.5.14, 8.6.x pr
        NOT-FOR-US: VMware
 CVE-2022-22950 (n Spring Framework versions 5.3.0 - 5.3.16 and older 
unsupported versi ...)
        - libspring-java <unfixed>
+       [bullseye] - libspring-java <no-dsa> (Minor issue)
+       [buster] - libspring-java <no-dsa> (Minor issue)
        [stretch] - libspring-java <end-of-life> (EOL'd for stretch)
        NOTE: https://tanzu.vmware.com/security/cve-2022-22950
-       TODO: check, no details available
 CVE-2022-22949
        RESERVED
 CVE-2022-22948 (The vCenter Server contains an information disclosure 
vulnerability du ...)
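Review bot: In the CVE-2022-22950 entry the line "TODO: check, no details available" is removed, but no NOTE is added to record what the check found; the only reference left is the existing tanzu.vmware.com URL. Since the new <no-dsa> (Minor issue) lines depend on that check, add a short NOTE with the upstream fix reference or the basis for the severity call.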
@@ -93474,10 +93489,12 @@ CVE-2021-21240 (httplib2 is a comprehensive HTTP 
client library for Python. In h
 CVE-2021-21239 (PySAML2 is a pure python implementation of SAML Version 2 
Standard. Py ...)
        {DLA-2577-1}
        - python-pysaml2 6.5.1-1 (bug #980772)
+       [buster] - python-pysaml2 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/IdentityPython/pysaml2/security/advisories/GHSA-5p3x-r448-pc62
        NOTE: 
https://github.com/IdentityPython/pysaml2/commit/751dbf50a51131b13d55989395f9b115045f9737
 CVE-2021-21238 (PySAML2 is a pure python implementation of SAML Version 2 
Standard. Py ...)
        - python-pysaml2 6.5.1-1 (bug #980773)
+       [buster] - python-pysaml2 <no-dsa> (Minor issue)
        [stretch] - python-pysaml2 <ignored> (python3-xmlschema not available 
in stretch for fix)
        NOTE: 
https://github.com/IdentityPython/pysaml2/security/advisories/GHSA-f4g9-h89h-jgv9
        NOTE: 
https://github.com/IdentityPython/pysaml2/commit/3b707723dcf1bf60677b424aac398c0c3557641d
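Review bot: The new [buster] <no-dsa> line for CVE-2021-21239 sits in an entry tagged {DLA-2577-1}, so an older release received an advisory for the same issue that buster now lists as "Minor issue". If the buster fix is meant to go through a point release instead, say so in the parenthetical. For CVE-2021-21238 it would also help to note whether the python3-xmlschema dependency named on the [stretch] line is a factor for buster.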


=====================================
data/dsa-needed.txt
=====================================
@@ -22,8 +22,6 @@ epiphany-browser
 --
 freecad (aron)
 --
-libspring-java
---
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v4.19.y versions.
@@ -34,8 +32,6 @@ nodejs (jmm)
 --
 puma
 --
-python-pysaml2 (jmm)
---
 qemu/stable
   Maintainer is proposing update for some CVEs, need review
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a9201d829e82e9d68df93fb48556a0373eb72b7
