Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
11c51a2c by Moritz Muehlenhoff at 2022-07-24T20:49:29+02:00
new liblivemedia issue
waitress n/a for released suites

- - - - -
b8d25a52 by Moritz Muehlenhoff at 2022-07-24T20:58:18+02:00
new angular.js issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -14050,12 +14050,13 @@ CVE-2022-31016 (Argo CD is a declarative continuous 
deployment for Kubernetes. A
        NOT-FOR-US: Argo CD
 CVE-2022-31015 (Waitress is a Web Server Gateway Interface server for Python 2 
and 3.  ...)
        - waitress <unfixed> (bug #1012315)
+       [bullseye] - waitress <not-affected> (Only affects 2.1.x)
+       [buster] - waitress <not-affected> (Only affects 2.1.x)
        [stretch] - waitress <not-affected> (Vulnerable code not present)
        NOTE: 
https://github.com/Pylons/waitress/security/advisories/GHSA-f5x9-8jwc-25rw
        NOTE: 
https://github.com/Pylons/waitress/commit/4f6789b035610e0552738cdc4b35ca809a592d48
 (v2.1.2)
        NOTE: https://github.com/Pylons/waitress/issues/374
        NOTE: https://github.com/Pylons/waitress/pull/377
-       TODO: double check, the problem seems to be introduced in version 2.1.0 
only
 CVE-2022-31014 (Nextcloud server is an open source personal cloud server. 
Affected ver ...)
        - nextcloud-server <itp> (bug #941708)
 CVE-2022-31013 (Chat Server is the chat server for Vartalap, an open-source 
messaging  ...)
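Review bot: the removed TODO ("the problem seems to be introduced in version 2.1.0 only") is resolved here only implicitly by the new `[bullseye]` and `[buster]` `<not-affected> (Only affects 2.1.x)` lines; record what confirmed the 2.1.0 introduction (for example a NOTE pointing at the introducing change, alongside the existing v2.1.2 fix commit NOTE) so the not-affected verdict is auditable later. Minor consistency point: the adjacent `[stretch]` line justifies the same conclusion with "Vulnerable code not present" while the new lines say "Only affects 2.1.x"; one wording for the three suites would make it clear they rest on the same finding.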
@@ -28986,7 +28987,8 @@ CVE-2022-25872 (All versions of package 
fast-string-search are vulnerable to Out
 CVE-2022-25871 (All versions of package querymen are vulnerable to Prototype 
Pollution ...)
        NOT-FOR-US: Node querymen
 CVE-2022-25869 (All versions of package angular are vulnerable to Cross-site 
Scripting ...)
-       TODO: check
+       - angular.js <unfixed>
+       NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-2949781
 CVE-2022-25867
        RESERVED
 CVE-2022-25866 (The package czproject/git-php before 4.0.3 are vulnerable to 
Command I ...)
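Review bot: the new `- angular.js <unfixed>` line carries no `(bug #...)` reference, unlike the other `<unfixed>` entries touched by this change (`waitress <unfixed> (bug #1012315)`, `iotjs <unfixed> (bug #1015219)`); file or link the Debian bug so the unfixed status has a tracking point. The only reference added is the Snyk advisory; if an upstream issue or fix commit exists it belongs in a second NOTE, and the released suites (`[bullseye]`, `[buster]`) still lack a severity annotation such as the `<no-dsa> (Minor issue)` form used elsewhere in this file.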
@@ -46727,10 +46729,13 @@ CVE-2021-44648 (GNOME gdk-pixbuf 2.42.6 is vulnerable 
to a heap-buffer overflow
        NOTE: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/130
 CVE-2021-44647 (Lua v5.4.3 and above are affected by SEGV by type confusion in 
funcnam ...)
        - lua5.4 5.4.4-1 (bug #1004189)
+       - lua5.3 <not-affected> (Specific to 5.4)
+       - lua5.2 <not-affected> (Specific to 5.4)
+       - lua5.1 <not-affected> (Specific to 5.4)
+       - lua50 <not-affected> (Specific to 5.4)
        NOTE: http://lua-users.org/lists/lua-l/2021-11/msg00195.html
        NOTE: http://lua-users.org/lists/lua-l/2021-11/msg00204.html
        NOTE: Fixed by: 
https://github.com/lua/lua/commit/1de95e97ef65632a88e08b6184bd9d1ceba7ec2f
-       TODO: check older versions if issue is present, reproducer do not 
crash, but needs inspection of the code yet
 CVE-2021-44646
        RESERVED
 CVE-2021-44645
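Review bot: the removed TODO stated that the reproducer does not crash on older versions but that code inspection was still pending; the four new `<not-affected> (Specific to 5.4)` lines close that question without recording what was inspected. "Specific to 5.4" agrees with the CVE description ("Lua v5.4.3 and above"), but a NOTE naming the 5.4-only code path (or stating that the function touched by the "Fixed by" commit does not exist in 5.3 and earlier) would let the next person verify the verdict instead of re-doing the check.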
@@ -58257,7 +58262,6 @@ CVE-2021-41753 (A denial-of-service attack in WPA2, and 
WPA3-SAE authentication
        NOT-FOR-US: D-Link
 CVE-2021-41752 (Stack overflow vulnerability in Jerryscript before commit 
e1ce7dd72712 ...)
        NOTE: https://github.com/jerryscript-project/jerryscript/issues/4779
-       TODO: check - could be only a test artifact
 CVE-2021-41751 (Buffer overflow vulnerability in file 
ecma-builtin-array-prototype.c:9 ...)
        - iotjs <unfixed> (bug #1015219)
        [bullseye] - iotjs <no-dsa> (Minor issue)
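Review bot: dropping the `TODO: check - could be only a test artifact` line leaves CVE-2021-41752 with a single NOTE and no package status at all, whereas the neighbouring CVE-2021-41751 (same project, same file family) resolves to `- iotjs <unfixed> (bug #1015219)` with suite annotations. Either add the corresponding status line for this CVE or, if the check concluded it really is only a test artifact, say so in a NOTE so the missing package entry reads as a decision rather than an oversight.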
@@ -59093,7 +59097,7 @@ CVE-2021-41398
 CVE-2021-41397
        RESERVED
 CVE-2021-41396 (Live555 through 1.08 does not handle socket connections 
properly. A hu ...)
-       TODO: check
+       - liblivemedia <removed>
 CVE-2021-41395 (Teleport before 6.2.12 and 7.x before 7.1.1 allows attackers 
to contro ...)
        NOT-FOR-US: Teleport
 CVE-2021-41394 (Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, 
and 7.x b ...)
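Review bot: `- liblivemedia <removed>` is added with no NOTE and no bug reference, so the only context for this entry is the truncated CVE description ("does not handle socket connections properly"); add the upstream reference so the issue can be re-evaluated if the package returns to the archive. Since the commit message calls this a new liblivemedia issue, also confirm whether any released suite still ships the package and, if so, give those suites their own annotation as the other entries in this change do.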



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/446bcea1f7e283568f02db1a384a94093b388258...b8d25a52cef18cfabbdb7160f99136b18afa9679



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits