Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
66c973af by Moritz Muehlenhoff at 2022-06-29T11:46:14+02:00
buster/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -39,7 +39,7 @@ CVE-2022-34752
 CVE-2022-34751
        RESERVED
 CVE-2022-34750 (An issue was discovered in MediaWiki through 1.38.1. The lemma 
length  ...)
-       TODO: check
+       NOT-FOR-US: MediaWiki extension WikiBase
 CVE-2022-34749
        RESERVED
 CVE-2022-34748
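Review bot: the NOT-FOR-US at CVE-2022-34750 attributes the issue to the WikiBase extension, while the description line reads "An issue was discovered in MediaWiki through 1.38.1", which on its own points at core MediaWiki. A NOTE line citing the upstream reference that confines the bug to the extension would make the triage verifiable later without re-reading the advisory.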
@@ -708,9 +708,10 @@ CVE-2022-2211 [Buffer overflow in get_keys leads to Dos]
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2100862
        TODO: check, upstream references, mentioned code is actually in 
src:guestfs-tools
 CVE-2022-2210 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. 
...)
-       - vim <unfixed>
+       - vim <unfixed> (unimportant)
        NOTE: https://huntr.dev/bounties/020845f8-f047-4072-af0f-3726fe1aea25
        NOTE: 
https://github.com/vim/vim/commit/c101abff4c6756db4f5e740fde289decb9452efa 
(v8.2.5164)
+       NOTE: Crash in CLI tool, no security impact
 CVE-2022-2209
        RESERVED
 CVE-2022-2208 (NULL Pointer Dereference in GitHub repository vim/vim prior to 
8.2. ...)
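Review bot: the new NOTE "Crash in CLI tool, no security impact" on CVE-2022-2210 does not address the description, which classifies the bug as an Out-of-bounds Write rather than a read or NULL dereference. Since the (unimportant) tag rests on that rationale, the NOTE should say why the write is treated as crash-only (e.g. that triggering it needs a local user to edit a crafted file), so the severity can be reassessed if the referenced fix commit shows otherwise.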
@@ -2144,6 +2145,8 @@ CVE-2021-46823 (python-ldap before 3.4.0 is vulnerable to 
a denial of service wh
        NOTE: 
https://github.com/python-ldap/python-ldap/security/advisories/GHSA-r8wq-qrxc-hmcm
 CVE-2021-46822 (The PPM reader in libjpeg-turbo through 2.0.90 mishandles use 
of tjLoa ...)
        - libjpeg-turbo 1:2.1.1-1
+       [bullseye] - libjpeg-turbo <no-dsa> (Minor issue)
+       [buster] - libjpeg-turbo <no-dsa> (Minor issue)
        NOTE: 
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/f35fd27ec641c42d6b115bfa595e483ec58188d2
 (2.1.0)
 CVE-2017-20081 (A vulnerability, which was classified as critical, was found 
in Hindu  ...)
        NOT-FOR-US: Hindu Matrimonial Script
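Review bot: the no-dsa entries for libjpeg-turbo in bullseye and buster should be checked against the upstream fix version: the NOTE records the commit as part of 2.1.0, while the fixed Debian version is recorded as 1:2.1.1-1. If either suite already ships 2.1.0 or later the entry should be <not-affected> rather than <no-dsa>; if both ship older versions the entries are right, and a short NOTE naming the shipped versions would close the question.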
@@ -2521,6 +2524,8 @@ CVE-2022-33880
        RESERVED
 CVE-2022-33879 (The initial fixes in CVE-2022-30126 and CVE-2022-30973 for 
regexes in  ...)
        - tika <unfixed>
+       [bullseye] - tika <no-dsa> (Minor issue)
+       [buster] - tika <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2022/06/27/5
 CVE-2022-33878
        RESERVED
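Review bot: the "Minor issue" tag on CVE-2022-33879 is unexplained in the entry; the description line shows it is a follow-up to the regex fixes of CVE-2022-30126 and CVE-2022-30973, i.e. a regular-expression denial of service on crafted input. Adding that one-line rationale as a NOTE would let the bullseye/buster no-dsa decision stand on its own.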
@@ -9857,9 +9862,8 @@ CVE-2022-1771 (Uncontrolled Recursion in GitHub 
repository vim/vim prior to 8.2.
 CVE-2019-25061 (The random_password_generator (aka RandomPasswordGenerator) 
gem throug ...)
        NOT-FOR-US: bvsatyaram/random_password_generator
 CVE-2022-30973 (We failed to apply the fix for CVE-2022-30126 to the 1.x 
branch in the ...)
-       - tika <unfixed>
+       - tika <not-affected> (Affected release which missed the fix was never 
shipped, issue tracked via CVE-2022-30126)
        NOTE: http://www.openwall.com/lists/oss-security/2022/05/31/2
-       TODO: check how we want to handle that, because technically this is CVE 
is for the missing fix for CVE-2022-30126 in upstream 1.x patching specific
 CVE-2022-1770 (Improper Privilege Management in GitHub repository 
polonel/trudesk pri ...)
        NOT-FOR-US: Trudesk
 CVE-2022-1769 (Buffer Over-read in GitHub repository vim/vim prior to 
8.2.4974. ...)
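Review bot: the <not-affected> change for CVE-2022-30973 is justified by the parenthetical, but the removed TODO shows the open question was how to track a missing-fix CVE, and the resolution (tracked via CVE-2022-30126) now lives only inside the version tag. A NOTE line stating the cross-reference would survive future edits to the version line and keeps the openwall reference 2022/05/31/2 meaningful in this entry.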
@@ -12385,6 +12389,8 @@ CVE-2022-1554 (Path Traversal due to `send_file` call 
in GitHub repository clini
        NOT-FOR-US: clinical-genomics/scout
 CVE-2022-30126 (In Apache Tika, a regular expression in our StandardsText 
class, used  ...)
        - tika <unfixed>
+       [bullseye] - tika <no-dsa> (Minor issue)
+       [buster] - tika <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2022/05/16/3
 CVE-2022-1553 (Leaking password protected articles content due to improper 
access con ...)
        NOT-FOR-US: Publify
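Review bot: with CVE-2022-30973 now recorded as not-affected and tracked via this entry, CVE-2022-30126 is the single place where the tika regex fix is followed, so the bullseye/buster no-dsa here effectively covers both CVEs. The openwall reference for CVE-2022-30973 (2022/05/31/2) is attached only to the other entry; copying it as a NOTE here avoids losing it if that entry is later skipped.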
@@ -16373,6 +16379,8 @@ CVE-2022-28738 (A double free was found in the Regexp 
compiler in Ruby 3.x befor
 CVE-2022-28737
        RESERVED
        - shim <unfixed>
+       [bullseye] - shim <no-dsa> (Fix via point update)
+       [buster] - shim <no-dsa> (Fix via point update)
        NOTE: https://www.openwall.com/lists/oss-security/2022/06/07/5
        NOTE: 
https://github.com/rhboot/shim/commit/e99bdbb827a50cde019393d3ca1e89397db221a7 
(15.6)
        NOTE: 
https://github.com/rhboot/shim/commit/159151b6649008793d6204a34d7b9c41221fb4b0 
(15.6)
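Review bot: the shim entries say "Fix via point update" while the NOTEs cite two upstream commits tagged (15.6). The entry should record whether the point update will move to 15.6 or backport just the two commits, since shim is a boot component and the two approaches differ considerably in testing and signing effort.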
@@ -26604,6 +26612,8 @@ CVE-2022-25175 (Jenkins Pipeline: Multibranch Plugin 
706.vd43c65dec013 and earli
        NOT-FOR-US: Jenkins Pipeline: Multibranch Plugin
 CVE-2022-25169 (The BPG parser in versions of Apache Tika before 1.28.2 and 
2.4.0 may  ...)
        - tika <unfixed>
+       [bullseye] - tika <no-dsa> (Minor issue)
+       [buster] - tika <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2022/05/16/4
 CVE-2022-25168
        RESERVED
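Review bot: this is the fourth tika entry in this commit given [bullseye]/[buster] <no-dsa> (Minor issue), and the description line here names the fixed upstream versions (1.28.2 and 2.4.0). Recording the target upstream version in each tika entry, or a single NOTE listing the set, would make it easier to handle all of them in one point update.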
@@ -28105,6 +28115,8 @@ CVE-2022-24713 (regex is an implementation of regular 
expressions for the Rust l
        - firefox-esr 91.8.0esr-1
        - thunderbird 1:91.8.0-1
        - rust-regex 1.5.5-1 (bug #1007176)
+       [bullseye] - rust-regex <no-dsa> (Minor issue)
+       [buster] - rust-regex <no-dsa> (Minor issue)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0013.html
        NOTE: 
https://github.com/rust-lang/regex/security/advisories/GHSA-m5pq-gvj9-9vr8
        NOTE: 
https://github.com/rust-lang/regex/commit/ae70b41d4f46641dbc45c7a4f87954aea356283e
 (1.5.5)
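Review bot: the no-dsa for rust-regex in bullseye and buster covers the rust-regex source package only; the entry already lists firefox-esr and thunderbird as separately fixed consumers of the crate, so any other package that vendors regex needs its own line. A NOTE stating whether vendored copies were checked would make clear that the (Minor issue) rationale is not limited to the library package.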


=====================================
data/dsa-needed.txt
=====================================
@@ -20,6 +20,8 @@ curl
 --
 epiphany-browser
 --
+firefox-esr (jmm)
+--
 freecad (aron)
 --
 kicad (jmm)
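Review bot: the new firefox-esr (jmm) entry has no indented status line, unlike sox or unzip further down which record what the update is waiting on. A line naming the ESR release being prepared would help anyone reading dsa-needed.txt without the commit context; the same applies to the thunderbird entry added in the next hunk.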
@@ -56,6 +58,8 @@ slurm-llnl/oldstable
 sox
   patch needed for CVE-2021-40426, check with upstream
 --
+thunderbird (jmm)
+--
 unzip
   unclear information, initial report indicates writable memory corruption, but
   some identified patch is just for a NULL deref, needs more clarification



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66c973af617378ad69d31895267b22aab265ff7b
