Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9a8af819 by Moritz Muehlenhoff at 2022-08-12T09:33:58+02:00
bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -2805,6 +2805,7 @@ CVE-2022-2590
        NOTE: https://www.openwall.com/lists/oss-security/2022/08/08/1
 CVE-2022-2589 (Cross-site Scripting (XSS) - Reflected in GitHub repository 
beancount/ ...)
        - fava <unfixed> (bug #1016971)
+       [bullseye] - fava <no-dsa> (Minor issue)
        NOTE: https://huntr.dev/bounties/8705800d-cf2f-433d-9c3e-dbef6a3f7e08/
        NOTE: 
https://github.com/beancount/fava/commit/68bbb6e39319deb35ab9f18d0b6aa9fa70472539
 (v1.22.3)
 CVE-2022-37037
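Review bot: the new `[bullseye] - fava <no-dsa> (Minor issue)` line for CVE-2022-2589 records no rationale beyond "Minor issue", although the NOTE lines in the same hunk already show the upstream fix (fava v1.22.3) and the unstable fix is tracked under bug #1016971. If the intent is to pick the fix up through a stable point release rather than a DSA, the tracker's usual form `(Minor issue; can be fixed via point release)` makes that decision visible to whoever later prepares the bullseye update; suggest using it here so the entry carries the plan, not only the severity call.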
@@ -4273,6 +4274,7 @@ CVE-2022-33963
        RESERVED
 CVE-2022-2523 (Cross-site Scripting (XSS) - Reflected in GitHub repository 
beancount/ ...)
        - fava <unfixed> (bug #1016971)
+       [bullseye] - fava <no-dsa> (Minor issue)
        NOTE: https://huntr.dev/bounties/2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f
        NOTE: 
https://github.com/beancount/fava/commit/dccfb6a2f4567f35ce2e9a78e24f92ebf946bc9b
 (v1.22.2)
 CVE-2022-36381
@@ -4410,6 +4412,7 @@ CVE-2022-2515
        RESERVED
 CVE-2022-2514 (The time and filter parameters in Fava prior to v1.22 are 
vulnerable t ...)
        - fava <unfixed> (bug #1016971)
+       [bullseye] - fava <no-dsa> (Minor issue)
        NOTE: https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429
        NOTE: 
https://github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f3711
 (v1.22)
 CVE-2022-2513
@@ -20658,16 +20661,19 @@ CVE-2022-30324 (HashiCorp Nomad and Nomad Enterprise 
version 0.2.0 up to 1.3.0 w
        - nomad <not-affected> (In Debian Nomad doesn't bundle go-getter, but 
build depends a shared deb)
 CVE-2022-30323 (go-getter up to 1.5.11 and 2.0.2 panicked when processing 
password-pro ...)
        - golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
+       [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
        NOTE: 
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
        NOTE: https://github.com/hashicorp/go-getter/pull/359
        NOTE: 
https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45
 (v1.6.0)
 CVE-2022-30322 (go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource 
exhaustio ...)
        - golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
+       [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
        NOTE: 
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
        NOTE: https://github.com/hashicorp/go-getter/pull/359
        NOTE: 
https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45
 (v1.6.0)
 CVE-2022-30321 (go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access 
via go- ...)
        - golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
+       [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
        NOTE: 
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
        NOTE: https://github.com/hashicorp/go-getter/pull/359
        NOTE: 
https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45
 (v1.6.0)
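Review bot: the three `[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)` lines in this hunk decide the issue for the library package only, while the unchanged CVE-2022-30324 context at the top of the hunk states that Debian's nomad does not bundle go-getter but build-depends on the shared deb. Go programs link such libraries in at build time, so a later go-getter fix in bullseye reaches nomad (and any other reverse build-dependency) only if those packages are rebuilt. Suggest recording in the rationale whether the reverse build-dependencies were part of the "Minor issue" assessment, for example `(Minor issue; reverse build-dependencies such as nomad need a rebuild to pick up a fix)`, so the dependency is not lost when the four go-getter entries are revisited.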
@@ -30647,6 +30653,7 @@ CVE-2022-26946
        RESERVED
 CVE-2022-26945 (go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, 
endless r ...)
        - golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
+       [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
        NOTE: 
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
        NOTE: https://github.com/hashicorp/go-getter/pull/359
        NOTE: 
https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45
 (v1.6.0)
@@ -64579,6 +64586,7 @@ CVE-2021-41040 (In Eclipse Wakaama, ever since its 
inception until 2021-01-14, t
        NOT-FOR-US: Eclipse Wakaama
 CVE-2021-41039 (In versions 1.6 to 2.0.11 of Eclipse Mosquitto, an MQTT v5 
client conn ...)
        - mosquitto <unfixed> (bug #1001028)
+       [bullseye] - mosquitto <no-dsa> (Minor issue)
        [buster] - mosquitto <not-affected> (Vulnerable code introduced later)
        [stretch] - mosquitto <not-affected> (Vulnerable code introduced later)
        NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=575314
@@ -80991,6 +80999,7 @@ CVE-2021-34435 (In Eclipse Theia 0.3.9 to 1.8.1, the 
"mini-browser" extension al
        NOT-FOR-US: Eclipse Theia
 CVE-2021-34434 (In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the 
dynamic se ...)
        - mosquitto <unfixed> (bug #993400)
+       [bullseye] - mosquitto <no-dsa> (Minor issue)
        [buster] - mosquitto <not-affected> (Vulnerable code introduced later)
        [stretch] - mosquitto <not-affected> (Vulnerable code introduced later)
        NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=575324
@@ -109030,6 +109039,7 @@ CVE-2021-23386 (This affects the package dns-packet 
before 5.2.2. It creates buf
        NOT-FOR-US: Node dns-packet
 CVE-2021-23385 (This affects all versions of package Flask-Security. When 
using the ge ...)
        - flask-security <unfixed>
+       [bullseye] - flask-security <no-dsa> (Minor issue)
        NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-FLASKSECURITY-1293234
 CVE-2021-23384 (The package koa-remove-trailing-slashes before 2.0.2 are 
vulnerable to ...)
        NOT-FOR-US: Node koa-remove-trailing-slashes before
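Review bot: the `- flask-security <unfixed>` line this hunk annotates is the only unstable entry in the commit without a Debian bug reference (the fava, go-getter and mosquitto entries all carry one, e.g. `(bug #1016971)`), and the sole NOTE is the Snyk advisory, with no upstream fix commit or fixed version. Adding `[bullseye] - flask-security <no-dsa> (Minor issue)` on top of that leaves the issue with no maintainer-facing bug and nothing to verify a future fix against; suggest adding a bug number in the usual `(bug #NNNNNN)` form and, once known, a NOTE pointing at the upstream fix.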


=====================================
data/dsa-needed.txt
=====================================
@@ -26,6 +26,8 @@ linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v5.10.y versions
 --
+maven-shared-utils
+--
 net-snmp
 --
 netatalk
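Review bot: the new `maven-shared-utils` entry in data/dsa-needed.txt is the one change in this commit that the message "bullseye triage" does not describe, and none of the data/CVE/list hunks touch a maven-shared-utils entry, so a reader of the log cannot tell which issue the DSA is needed for. The neighbouring entries show the file's conventions: an assignee in parentheses as in `linux (carnil)`, and an indented free-text note under the name. Suggest either adding a short indented note naming the CVE id(s) or bug driving the DSA, or splitting this addition into its own commit with a message that says so.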



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a8af81995adedb8681cc8ae5e4ed259edd67f43



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
