Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
95d31930 by Moritz Muehlenhoff at 2022-08-11T23:41:25+02:00
bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1653,8 +1653,11 @@ CVE-2022-37452 (Exim before 4.95 has a heap-based buffer 
overflow for the alias
        NOTE: 
https://github.com/Exim/exim/commit/d4bc023436e4cce7c23c5f8bb5199e178b4cc743 
(exim-4.95-RC0)
 CVE-2022-37451 (Exim before 4.96 has an invalid free in pam_converse in 
auths/call_pam ...)
        - exim4 4.95-4
+       [bullseye] - exim4 <not-affected> (Vulnerable code not present)
+       [buster] - exim4 <not-affected> (Vulnerable code not present)
        NOTE: https://github.com/ivd38/exim_invalid_free
        NOTE: 
https://github.com/Exim/exim/commit/51be321b27825c01829dffd90f11bfff256f7e42 
(exim-4.96-RC0)
+       NOTE: Introduced in 
https://github.com/Exim/exim/commit/1e30b0199daf7a7a882458251a3dc10d45d4c7d1 
(exim-4.95-RC0)
 CVE-2022-37450 (Go Ethereum (aka geth) through 1.10.21 allows attackers to 
increase re ...)
        - golang-github-go-ethereum <itp> (bug #890541)
 CVE-2022-37449
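Review bot: The new `NOTE: Introduced in ...` line for CVE-2022-37451 is placed after the fix-commit NOTE, so the entry lists the fix first and the origin second. Moving it above the `51be321b...` NOTE would keep the references in chronological order and put the evidence for the two `<not-affected> (Vulnerable code not present)` lines next to them. Since the introducing commit is tagged exim-4.95-RC0, the reason could also name that release, so the not-affected call can be checked against the bullseye and buster versions without opening the link.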
@@ -1915,6 +1918,7 @@ CVE-2022-37395
        RESERVED
 CVE-2022-37394 (An issue was discovered in OpenStack Nova before 23.2.2, 24.x 
before 2 ...)
        - nova <unfixed> (bug #1016980)
+       [bullseye] - nova <no-dsa> (Minor issue)
        NOTE: https://bugs.launchpad.net/ossa/+bug/1981813
        NOTE: https://review.opendev.org/c/openstack/nova/+/849985
        NOTE: https://review.opendev.org/c/openstack/nova/+/850003
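Review bot: `[bullseye] - nova <no-dsa> (Minor issue)` gives no rationale, while the unstable line directly above is still `<unfixed>`. A more specific reason in the parentheses (what limits the impact, or what precondition the issue needs) would let a later reader tell why this does not warrant a DSA without re-reading the three linked reviews.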
@@ -2113,6 +2117,7 @@ CVE-2022-2625 [extension scripts replace objects not 
owned by the extension]
        {DLA-3072-1}
        - postgresql-14 14.5-1
        - postgresql-13 <removed>
+       [bullseye] - postgresql-13 <postponed> (Minor issue, fix along in next 
update)
        - postgresql-11 <removed>
        NOTE: https://www.postgresql.org/support/security/CVE-2022-2625/
 CVE-2022-2624
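Review bot: The new `[bullseye] - postgresql-13 <postponed>` line does not say which 13.x release carries the fix; the visible entry lists only `postgresql-14 14.5-1` and the upstream advisory URL. Adding a NOTE with the fixed 13.x version would save whoever prepares the next bullseye update a lookup and makes it easy to confirm the postponed item was actually picked up.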
@@ -2808,6 +2813,7 @@ CVE-2022-37036
        RESERVED
 CVE-2022-37035 (An issue was discovered in bgpd in FRRouting (FRR) 8.3. In 
bgp_notify_ ...)
        - frr <unfixed> (bug #1016978)
+       [bullseye] - frr <no-dsa> (Minor issue)
        NOTE: https://github.com/FRRouting/frr/issues/11698
 CVE-2022-37034
        RESERVED
@@ -5732,6 +5738,7 @@ CVE-2022-35864 (This vulnerability allows remote 
attackers to disclose sensitive
        NOT-FOR-US: BMC Track-It!
 CVE-2022-2414 (Access to external entities when parsing XML documents can lead 
to XML ...)
        - dogtag-pki <unfixed> (bug #1014957)
+       [bullseye] - dogtag-pki <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2104676
        NOTE: https://github.com/dogtagpki/pki/pull/4021
        NOTE: 
https://github.com/dogtagpki/pki/commit/4e893243d72ad766558c10c907841f5f9c047055
@@ -6746,6 +6753,7 @@ CVE-2022-35415
        RESERVED
 CVE-2022-35414 (softmmu/physmem.c in QEMU through 7.0.0 can perform an 
uninitialized r ...)
        - qemu <unfixed> (bug #1014958)
+       [bullseye] - qemu <no-dsa> (Minor issue)
        NOTE: https://gitlab.com/qemu-project/qemu/-/issues/1065
        NOTE: 
https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c
        NOTE: https://sick.codes/sick-2022-113
@@ -7880,9 +7888,10 @@ CVE-2022-34929
 CVE-2022-34928 (JFinal CMS v5.1.0 was discovered to contain a SQL injection 
vulnerabil ...)
        NOT-FOR-US: JFinal CMS
 CVE-2022-34927 (MilkyTracker v1.03.00 was discovered to contain a stack 
overflow via t ...)
-       - milkytracker <unfixed> (bug #1016578)
+       - milkytracker <unfixed> (unimportant; bug #1016578)
        NOTE: 
https://github.com/milkytracker/MilkyTracker/commit/3a5474f9102cbdc10fbd9e7b1b2c8d3f3f45d91b
        NOTE: https://github.com/milkytracker/MilkyTracker/issues/275
+       NOTE: Crash in GUI tool, no security impact
 CVE-2022-34926
        RESERVED
 CVE-2022-34925
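Review bot: The added `NOTE: Crash in GUI tool, no security impact` is the only justification for the downgrade to `unimportant`, yet the CVE description on the context line calls the bug a stack overflow. The NOTE should say why the overflow is limited to a crash, or point to where that was established, so the severity call can be re-checked later.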
@@ -8468,6 +8477,7 @@ CVE-2022-34750 (An issue was discovered in MediaWiki 
through 1.38.1. The lemma l
        NOT-FOR-US: MediaWiki extension WikiBase
 CVE-2022-34749 (In mistune through 2.0.2, support of inline markup is 
implemented by u ...)
        - mistune 2.0.3-1 (bug #1016089)
+       [bullseye] - mistune <no-dsa> (Minor issue)
        NOTE: 
https://github.com/lepture/mistune/commit/a6d43215132fe4f3d93f8d7e90ba83b16a0838b2
 (v2.0.3)
 CVE-2022-34748 (A vulnerability has been identified in Simcenter Femap (All 
versions & ...)
        NOT-FOR-US: Siemens
@@ -9063,6 +9073,7 @@ CVE-2022-34527 (D-Link DSL-3782 v1.03 and below was 
discovered to contain a comm
        NOT-FOR-US: D-Link
 CVE-2022-34526 (A stack overflow was discovered in the _TIFFVGetField function 
of Tiff ...)
        - tiff 4.4.0-4
+       [bullseye] - tiff <no-dsa> (Minor issue)
        NOTE: https://gitlab.com/libtiff/libtiff/-/issues/433
        NOTE: 
https://gitlab.com/libtiff/libtiff/-/commit/275735d0354e39c0ac1dc3c0db2120d6f31d1990
 CVE-2022-34525
@@ -25712,6 +25723,7 @@ CVE-2022-1228 (The Opensea WordPress plugin before 
1.0.3 does not sanitize and e
 CVE-2022-1227 (A privilege escalation flaw was found in Podman. This flaw 
allows an a ...)
        - libpod 3.4.7+ds1-1
        - golang-github-containers-psgo 1.7.1+ds1-1
+       [bullseye] - golang-github-containers-psgo <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2070368
        NOTE: https://github.com/containers/psgo/pull/92
        NOTE: 
https://github.com/containers/psgo/commit/d9467da9f563a9de1ece79dcae86b37b1db75443
 (v1.7.2)
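Review bot: Only golang-github-containers-psgo gets a `[bullseye]` line in this hunk; `libpod 3.4.7+ds1-1`, listed directly above for the same CVE, has no bullseye annotation in the visible entry. If libpod in bullseye is affected it needs its own line, and if it is not, a NOTE saying so would close the question. The description also calls this a privilege escalation, so `(Minor issue)` deserves a short explanation.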
@@ -178367,6 +178379,7 @@ CVE-2020-8288 (The `specializedRendering` function in 
Rocket.Chat server before
 CVE-2020-8287 (Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow 
two co ...)
        {DSA-4826-1}
        - http-parser 2.9.4-5 (bug #1016690)
+       [bullseye] - http-parser <no-dsa> (Minor issue)
        - nodejs 12.20.1~dfsg-1 (bug #979364)
        [stretch] - nodejs <ignored> (Nodejs in stretch not covered by security 
support)
        NOTE: https://nodejs.org/en/blog/release/v10.23.1/
@@ -381604,6 +381617,7 @@ CVE-2016-3710 (The VGA module in QEMU improperly 
performs bounds checking on ban
        NOTE: mitigation: run HVM in stubdomains, PV, default video card not 
vulnerable, i386-only
 CVE-2016-3709 (Possible cross-site scripting vulnerability in libxml after 
commit 960 ...)
        - libxml2 2.9.12+dfsg-3
+       [bullseye] - libxml2 <no-dsa> (Minor issue)
        NOTE: https://mail.gnome.org/archives/xml/2018-January/msg00010.html
        NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=769760
        NOTE: Introduced by: 
https://github.com/GNOME/libxml2/commit/960f0e275616cadc29671a218d7fb9b69eb35588
 (v2.9.2-rc1)c


=====================================
data/dsa-needed.txt
=====================================
@@ -18,6 +18,8 @@ epiphany-browser
 --
 freecad (aron)
 --
+gdk-pixbuf
+--
 kicad (jmm)
 --
 linux (carnil)
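Review bot: `gdk-pixbuf` is added to dsa-needed.txt with no indication of which issue makes a DSA necessary, and none of the data/CVE/list hunks in this commit touch a gdk-pixbuf entry. A short note under the entry naming the CVE would tell whoever claims it where to start.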
@@ -55,3 +57,5 @@ webkit2gtk (berto)
 --
 wpewebkit (berto)
 --
+zlib
+--



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95d3193032a69c9f122c8c253cf591a8e87dc4eb
