Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
c757a127 by security tracker role at 2022-08-23T20:10:24+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,3 +1,77 @@
+CVE-2022-38714
+ RESERVED
+CVE-2022-38713
+ RESERVED
+CVE-2022-38712
+ RESERVED
+CVE-2022-38711
+ RESERVED
+CVE-2022-38710
+ RESERVED
+CVE-2022-38709
+ RESERVED
+CVE-2022-38708
+ RESERVED
+CVE-2022-38707
+ RESERVED
+CVE-2022-38706
+ RESERVED
+CVE-2022-38705
+ RESERVED
+CVE-2022-38458
+ RESERVED
+CVE-2022-38394
+ RESERVED
+CVE-2022-38094
+ RESERVED
+CVE-2022-37337
+ RESERVED
+CVE-2022-36429
+ RESERVED
+CVE-2022-35273
+ RESERVED
+CVE-2022-34869
+ RESERVED
+CVE-2022-2973
+ RESERVED
+CVE-2022-2972
+ RESERVED
+CVE-2022-2971
+ RESERVED
+CVE-2022-2970
+ RESERVED
+CVE-2022-2969
+ RESERVED
+CVE-2022-2968
+ RESERVED
+CVE-2022-2967
+ RESERVED
+CVE-2022-2966
+ RESERVED
+CVE-2022-2965 (Improper Restriction of Rendered UI Layers or Frames in GitHub
reposit ...)
+ TODO: check
+CVE-2022-2964
+ RESERVED
+CVE-2022-2963
+ RESERVED
+CVE-2022-2962
+ RESERVED
+CVE-2022-2961
+ RESERVED
+CVE-2022-2960
+ RESERVED
+CVE-2022-2959
+ RESERVED
+CVE-2022-2958
+ RESERVED
+CVE-2022-2957
+ RESERVED
+CVE-2022-2956 (A vulnerability classified as problematic has been found in
ConsoleTVs ...)
+ TODO: check
+CVE-2022-2955
+ RESERVED
+CVE-2022-2954
+ RESERVED
CVE-2022-38699
RESERVED
CVE-2022-38698
@@ -80,12 +154,12 @@ CVE-2022-2947
RESERVED
CVE-2022-38666
RESERVED
-CVE-2022-38665
- RESERVED
-CVE-2022-38664
- RESERVED
-CVE-2022-38663
- RESERVED
+CVE-2022-38665 (Jenkins CollabNet Plugins Plugin 2.0.8 and earlier stores a
RabbitMQ p ...)
+ TODO: check
+CVE-2022-38664 (Jenkins Job Configuration History Plugin 1165.v8cc9fd1f4597
and earlie ...)
+ TODO: check
+CVE-2022-38663 (Jenkins Git Plugin 4.11.4 and earlier does not properly mask
(i.e., re ...)
+ TODO: check
CVE-2022-38662
RESERVED
CVE-2022-38661
@@ -116,8 +190,8 @@ CVE-2022-38649
RESERVED
CVE-2022-38648
RESERVED
-CVE-2022-2946
- RESERVED
+CVE-2022-2946 (Use After Free in GitHub repository vim/vim prior to 9.0.0245.
...)
+ TODO: check
CVE-2022-2945
RESERVED
CVE-2022-2944
@@ -474,7 +548,7 @@ CVE-2022-2925
RESERVED
CVE-2022-2924
RESERVED
-CVE-2022-2923 (NULL Pointer Dereference in GitHub repository vim/vim prior to
9.0.023 ...)
+CVE-2022-2923 (NULL Pointer Dereference in GitHub repository vim/vim prior to
9.0.024 ...)
- vim 2:9.0.0242-1
NOTE: https://huntr.dev/bounties/fd3a3ab8-ab0f-452f-afea-8c613e283fd2
NOTE:
https://github.com/vim/vim/commit/6669de1b235843968e88844ca6d3c8dec4b01a9e
(v9.0.0240)
@@ -1474,8 +1548,8 @@ CVE-2022-2798
RESERVED
CVE-2022-2797 (A vulnerability classified as critical was found in
SourceCodester Stu ...)
NOT-FOR-US: SourceCodester Student Information System
-CVE-2022-2796
- RESERVED
+CVE-2022-2796 (Cross-site Scripting (XSS) - Stored in GitHub repository
pimcore/pimco ...)
+ TODO: check
CVE-2022-2795
RESERVED
CVE-2022-38176
@@ -1486,8 +1560,8 @@ CVE-2022-38174
RESERVED
CVE-2022-38173
RESERVED
-CVE-2022-38172
- RESERVED
+CVE-2022-38172 (ServiceNow through San Diego Patch 3 allows XSS via the name
field dur ...)
+ TODO: check
CVE-2022-38171 (Xpdf prior to version 4.04 contains an integer overflow in the
JBIG2 d ...)
TODO: check, https://bugzilla.redhat.com/show_bug.cgi?id=2120439, might
be N/A for us as using poppler
CVE-2022-2794
@@ -1793,10 +1867,10 @@ CVE-2022-36425
RESERVED
CVE-2022-36422
RESERVED
-CVE-2022-36405
- RESERVED
-CVE-2022-36394
- RESERVED
+CVE-2022-36405 (Authenticated (contributor+) Stored Cross-Site Scripting (XSS)
vulnera ...)
+ TODO: check
+CVE-2022-36394 (Authenticated (author+) SQL Injection (SQLi) vulnerability in
Contest ...)
+ TODO: check
CVE-2022-36390
RESERVED
CVE-2022-36387
@@ -1815,26 +1889,26 @@ CVE-2022-36355
RESERVED
CVE-2022-36352
RESERVED
-CVE-2022-36347
- RESERVED
+CVE-2022-36347 (Authenticated (admin+) Stored Cross-Site Scripting (XSS)
vulnerability ...)
+ TODO: check
CVE-2022-36345
RESERVED
-CVE-2022-35726
- RESERVED
+CVE-2022-35726 (Broken Authentication vulnerability in yotuwp Video Gallery
plugin < ...)
+ TODO: check
CVE-2022-35725
RESERVED
CVE-2022-35277
RESERVED
CVE-2022-35275
RESERVED
-CVE-2022-35242
- RESERVED
-CVE-2022-35235
- RESERVED
+CVE-2022-35242 (Unauthenticated plugin settings change vulnerability in 59sec
THE Lead ...)
+ TODO: check
+CVE-2022-35235 (Authenticated (admin+) Arbitrary File Read vulnerability in
XplodedThe ...)
+ TODO: check
CVE-2022-31474
RESERVED
-CVE-2022-29476
- RESERVED
+CVE-2022-29476 (Unauthenticated Stored Cross-Site Scripting (XSS)
vulnerability in 8 D ...)
+ TODO: check
CVE-2022-2743
RESERVED
CVE-2022-2742
@@ -3264,8 +3338,7 @@ CVE-2022-37430
RESERVED
CVE-2022-37429
RESERVED
-CVE-2022-37428
- RESERVED
+CVE-2022-37428 (PowerDNS Recursor up to and including 4.5.9, 4.6.2 and 4.7.1,
when pro ...)
- pdns-recursor <unfixed>
NOTE: https://www.openwall.com/lists/oss-security/2022/08/23/1
NOTE: https://downloads.powerdns.com/patches/2022-02/
@@ -3307,8 +3380,8 @@ CVE-2022-37399
RESERVED
CVE-2022-37398 (A stack-based buffer overflow vulnerability was found inside
ADM when ...)
NOT-FOR-US: ASUSTOR Data Master (ADM)
-CVE-2022-36350
- RESERVED
+CVE-2022-36350 (Stored cross-site scripting vulnerability in PukiWiki versions
1.3.1 t ...)
+ TODO: check
CVE-2022-2667 (A vulnerability was found in SourceCodester Loan Management
System and ...)
NOT-FOR-US: SourceCodester
CVE-2022-2666
@@ -3919,8 +3992,8 @@ CVE-2022-37225
RESERVED
CVE-2022-37224
RESERVED
-CVE-2022-37223
- RESERVED
+CVE-2022-37223 (JFinal CMS 5.1.0 is vulnerable to SQL Injection via
/jfinal_cms/system ...)
+ TODO: check
CVE-2022-37222
RESERVED
CVE-2022-37221
@@ -3967,8 +4040,8 @@ CVE-2022-37201
RESERVED
CVE-2022-37200
RESERVED
-CVE-2022-37199
- RESERVED
+CVE-2022-37199 (JFinal CMS 5.1.0 is vulnerable to SQL Injection via
/jfinal_cms/system ...)
+ TODO: check
CVE-2022-37198
RESERVED
CVE-2022-37197
@@ -4139,12 +4212,12 @@ CVE-2022-37115
RESERVED
CVE-2022-37114
RESERVED
-CVE-2022-37113
- RESERVED
-CVE-2022-37112
- RESERVED
-CVE-2022-37111
- RESERVED
+CVE-2022-37113 (Bluecms 1.6 has SQL injection in line 132 of admin/area.php
...)
+ TODO: check
+CVE-2022-37112 (BlueCMS 1.6 has SQL injection in line 55 of admin/model.php
...)
+ TODO: check
+CVE-2022-37111 (BlueCMS 1.6 has SQL injection in line 132 of admin/article.php
...)
+ TODO: check
CVE-2022-37110
RESERVED
CVE-2022-37109
@@ -5862,12 +5935,12 @@ CVE-2018-25045 (Django REST framework (aka
django-rest-framework) before 3.9.1 a
NOTE:
https://github.com/encode/django-rest-framework/commit/4bb9a3c48427867ef1e46f7dee945a4c25a4f9b8
(3.9.1)
CVE-2022-36407
RESERVED
-CVE-2022-36389
- RESERVED
+CVE-2022-36389 (Cross-Site Request Forgery (CSRF) vulnerability in WordPlus
Better Mes ...)
+ TODO: check
CVE-2022-36386
RESERVED
-CVE-2022-36379
- RESERVED
+CVE-2022-36379 (Cross-Site Request Forgery (CSRF) leading to plugin settings
update in ...)
+ TODO: check
CVE-2022-36378 (Authenticated (author or higher user role) Stored Cross-Site
Scripting ...)
NOT-FOR-US: WordPress plugin
CVE-2022-36375 (Authenticated (high role user) WordPress Options Change
vulnerability ...)
@@ -5882,34 +5955,34 @@ CVE-2022-36344 (An unquoted search path vulnerability
exists in 'JustSystems JUS
NOT-FOR-US: JustSystems
CVE-2022-36343 (Authenticated (author or higher user role) Stored Cross-Site
Scripting ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-36341
- RESERVED
+CVE-2022-36341 (Authenticated (subscriber+) plugin settings change leading to
Stored C ...)
+ TODO: check
CVE-2022-36296 (Broken Authentication vulnerability in JumpDEMAND Inc.
ActiveDEMAND pl ...)
NOT-FOR-US: JumpDEMAND
-CVE-2022-36292
- RESERVED
-CVE-2022-36288
- RESERVED
-CVE-2022-36285
- RESERVED
+CVE-2022-36292 (Cross-Site Request Forgery (CSRF) vulnerabilities in WPChill
Gallery P ...)
+ TODO: check
+CVE-2022-36288 (Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in
W3 Eden ...)
+ TODO: check
+CVE-2022-36285 (Authenticated Arbitrary File Upload vulnerability in
dmitrylitvinov Up ...)
+ TODO: check
CVE-2022-36284 (Authenticated IDOR vulnerability in StoreApps Affiliate For
WooCommerc ...)
NOT-FOR-US: WooCommerce addon
-CVE-2022-36282
- RESERVED
+CVE-2022-36282 (Authenticated (editor+) Stored Cross-Site Scripting (XSS)
vulnerabilit ...)
+ TODO: check
CVE-2022-35882 (Authenticated (author or higher user role) Stored Cross-Site
Scripting ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-34868
- RESERVED
+CVE-2022-34868 (Authenticated Arbitrary Settings Update vulnerability in
YooMoney 
 ...)
+ TODO: check
CVE-2022-34867
RESERVED
CVE-2022-34857 (Reflected Cross-Site Scripting (XSS) vulnerability in
smartypants SP P ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-34658
- RESERVED
+CVE-2022-34658 (Multiple Authenticated (contributor+) Persistent Cross-Site
Scripting ...)
+ TODO: check
CVE-2022-34656
RESERVED
-CVE-2022-34648
- RESERVED
+CVE-2022-34648 (Authenticated (author+) Stored Cross-Site Scripting (XSS)
vulnerabilit ...)
+ TODO: check
CVE-2022-34344
RESERVED
CVE-2022-34154 (Authenticated (author or higher user role) Arbitrary File
Upload vulne ...)
@@ -5922,8 +5995,8 @@ CVE-2022-33943 (Authenticated (contributor or higher user
role) Cross-Site Scrip
NOT-FOR-US: WordPress plugin
CVE-2022-33201 (Cross-Site Request Forgery (CSRF) vulnerability in MailerLite
– ...)
NOT-FOR-US: MailerLite
-CVE-2022-33142
- RESERVED
+CVE-2022-33142 (Authenticated (subscriber+) Denial Of Service (DoS)
vulnerability in W ...)
+ TODO: check
CVE-2022-2515
RESERVED
CVE-2022-2514 (The time and filter parameters in Fava prior to v1.22 are
vulnerable t ...)
@@ -6354,8 +6427,8 @@ CVE-2022-36263 (StreamLabs Desktop Application 1.9.0 is
vulnerable to Incorrect
NOT-FOR-US: StreamLabs Desktop Application
CVE-2022-36262 (An issue was discovered in taocms 3.0.2. in the website
settings that ...)
NOT-FOR-US: taocms
-CVE-2022-36261
- RESERVED
+CVE-2022-36261 (An arbitrary file deletion vulnerability was discovered in
taocms 3.0. ...)
+ TODO: check
CVE-2022-36260
RESERVED
CVE-2022-36259
@@ -8677,8 +8750,8 @@ CVE-2022-35280 (IBM Robotic Process Automation 21.0.0,
21.0.1, and 21.0.2 does n
NOT-FOR-US: IBM
CVE-2022-35279
RESERVED
-CVE-2022-35278
- RESERVED
+CVE-2022-35278 (In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could
show mal ...)
+ TODO: check
CVE-2022-34850
RESERVED
CVE-2022-34845
@@ -8905,8 +8978,8 @@ CVE-2022-35205
RESERVED
CVE-2022-35204 (Vitejs Vite before v2.9.13 was discovered to allow attackers
to perfor ...)
NOT-FOR-US: Vitejs Vite
-CVE-2022-35203
- RESERVED
+CVE-2022-35203 (An access control issue in TrendNet TV-IP572PI v1.0 allows
unauthentic ...)
+ TODO: check
CVE-2022-35202
RESERVED
CVE-2022-35201 (Tenda-AC18 V15.03.05.05 was discovered to contain a remote
command exe ...)
@@ -9085,8 +9158,8 @@ CVE-2022-35117 (Clinic's Patient Management System v1.0
was discovered to contai
NOT-FOR-US: Clinic's Patient Management System
CVE-2022-35116
RESERVED
-CVE-2022-35115
- RESERVED
+CVE-2022-35115 (IceWarp WebClient DC2 - Update 2 Build 9 (13.0.2.9) was
discovered to ...)
+ TODO: check
CVE-2022-35114 (SWFTools commit 772e55a2 was discovered to contain a
segmentation viol ...)
- swftools <removed>
NOTE: https://github.com/matthiaskramm/swftools/issues/185
@@ -10789,10 +10862,10 @@ CVE-2022-2206 (Out-of-bounds Read in GitHub
repository vim/vim prior to 8.2. ...
NOTE: https://huntr.dev/bounties/01d01e74-55d0-4d9e-878e-79ba599be668
NOTE:
https://github.com/vim/vim/commit/e178af5a586ea023622d460779fdcabbbfac0908
(v8.2.5160)
NOTE: Crash in CLI tool, no security impact
-CVE-2022-34486
- RESERVED
-CVE-2022-27637
- RESERVED
+CVE-2022-34486 (Path traversal vulnerability in PukiWiki versions 1.4.5 to
1.5.3 allow ...)
+ TODO: check
+CVE-2022-27637 (Reflected cross-site scripting vulnerability in PukiWiki
versions 1.5. ...)
+ TODO: check
CVE-2022-2205
RESERVED
- firefox 103.0-1
@@ -16459,8 +16532,8 @@ CVE-2022-1991 (A vulnerability classified as
problematic has been found in Fast
NOT-FOR-US: Fast Food Ordering System
CVE-2022-1990 (The Nested Pages WordPress plugin before 3.1.21 does not escape
and sa ...)
NOT-FOR-US: WordPress plugin
-CVE-2022-1989
- RESERVED
+CVE-2022-1989 (All CODESYS Visualization versions before V4.2.0.0 generate a
login di ...)
+ TODO: check
CVE-2022-1988 (Cross-site Scripting (XSS) - Generic in GitHub repository
neorazorx/fa ...)
NOT-FOR-US: neorazorx/facturascripts
CVE-2022-32274 (The Transition Scheduler add-on 6.5.0 for Atlassian Jira is
prone to s ...)
@@ -23630,8 +23703,8 @@ CVE-2022-1515 (A memory leak was discovered in matio
1.5.21 and earlier in Mat_V
NOTE: Fixed by:
https://github.com/tbeu/matio/commit/b53b62b756920f4c1509f4ee06427f66c3b5c9c4
(v1.5.22)
CVE-2022-1514 (Stored XSS via upload plugin functionality in zip format in
GitHub rep ...)
NOT-FOR-US: facturascripts
-CVE-2022-1513
- RESERVED
+CVE-2022-1513 (A potential vulnerability was reported in Lenovo PCManager
prior to ve ...)
+ TODO: check
CVE-2022-1512 (The ScrollReveal.js Effects WordPress plugin through 1.2 does
not sani ...)
NOT-FOR-US: WordPress plugin
CVE-2022-1511 (Improper Access Control in GitHub repository snipe/snipe-it
prior to 5 ...)
@@ -26566,10 +26639,10 @@ CVE-2022-28885
RESERVED
CVE-2022-28884
RESERVED
-CVE-2022-28883
- RESERVED
-CVE-2022-28882
- RESERVED
+CVE-2022-28883 (A Denial-of-Service (DoS) vulnerability was discovered in
F-Secure &am ...)
+ TODO: check
+CVE-2022-28882 (A Denial-of-Service (DoS) vulnerability was discovered in
F-Secure &am ...)
+ TODO: check
CVE-2022-28881 (A Denial-of-Service (DoS) vulnerability was discovered in
F-Secure Atl ...)
NOT-FOR-US: F-Secure
CVE-2022-28880 (A Denial-of-Service vulnerability was discovered in the
F-Secure Atlan ...)
@@ -26697,7 +26770,7 @@ CVE-2022-28819 (Adobe Character Animator versions 4.4.2
(and earlier) and 22.3 (
CVE-2022-28818 (ColdFusion versions CF2021U3 (and earlier) and CF2018U13 are
affected ...)
NOT-FOR-US: Adobe
CVE-2022-28817
- RESERVED
+ REJECTED
CVE-2022-28816
RESERVED
CVE-2022-28815
@@ -42210,7 +42283,7 @@ CVE-2022-23817
RESERVED
CVE-2022-23816
RESERVED
- {DSA-5184-1}
+ {DSA-5207-1 DSA-5184-1}
- linux 5.18.14-1
- xen 4.16.2-1
[buster] - xen <end-of-life> (DSA 4677-1)
@@ -51135,8 +51208,7 @@ CVE-2021-45105 (Apache Log4j2 versions 2.0-alpha1
through 2.16.0 (excluding 2.12
- apache-log4j2 2.17.0-1 (bug #1001891)
NOTE: https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105
NOTE: https://issues.apache.org/jira/browse/LOG4J2-3230
-CVE-2021-31566 [symbolic links incorrectly followed when changing modes,
times, ACL and flags of a file while extracting an archive]
- RESERVED
+CVE-2021-31566 (An improper link resolution flaw can occur while extracting an
archive ...)
{DLA-2987-1}
- libarchive 3.5.2-1 (bug #1001990)
[bullseye] - libarchive 3.4.3-2+deb11u1
@@ -51144,8 +51216,7 @@ CVE-2021-31566 [symbolic links incorrectly followed
when changing modes, times,
NOTE: https://github.com/libarchive/libarchive/issues/1566
NOTE:
https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043
(v3.5.2)
NOTE:
https://github.com/libarchive/libarchive/commit/e2ad1a2c3064fa9eba6274b3641c4c1beed25c0b
(v3.5.2)
-CVE-2021-23177 [extracting a symlink with ACLs modifies ACLs of target]
- RESERVED
+CVE-2021-23177 (An improper link resolution flaw while extracting an archive
can lead ...)
{DLA-2987-1}
- libarchive 3.5.2-1 (bug #1001986)
[bullseye] - libarchive 3.4.3-2+deb11u1
@@ -59908,8 +59979,7 @@ CVE-2021-43012 (Adobe Prelude version 10.1 (and
earlier) are affected by a memor
NOT-FOR-US: Adobe
CVE-2021-43011 (Adobe Prelude version 10.1 (and earlier) are affected by a
memory corr ...)
NOT-FOR-US: Adobe
-CVE-2021-3905 [External triggered memory leak in Open vSwitch while processing
fragmented packets]
- RESERVED
+CVE-2021-3905 (A memory leak was found in Open vSwitch (OVS) during userspace
IP frag ...)
- openvswitch <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/openvswitch/ovs-issues/issues/226
NOTE: Introduced by:
https://github.com/openvswitch/ovs/commit/640d4db788eda96bb904abcfc7de2327107bafe1
(v2.16.0)
@@ -60641,7 +60711,7 @@ CVE-2021-42719 (Adobe Bridge version 11.1.1 (and
earlier) is affected by an out-
CVE-2021-42718
RESERVED
CVE-2021-3894 [sctp: local DoS: unprivileged user can cause BUG()]
- RESERVED
+ REJECTED
- linux 5.14.16-1
[bullseye] - linux 5.10.84-1
[stretch] - linux <not-affected> (Vulnerable code not present)
@@ -60852,8 +60922,8 @@ CVE-2021-42629
RESERVED
CVE-2021-42628
RESERVED
-CVE-2021-42627
- RESERVED
+CVE-2021-42627 (The WAN configuration page "wan.htm" on D-Link DIR-615 devices
with fi ...)
+ TODO: check
CVE-2021-42626
RESERVED
CVE-2021-42625
@@ -64321,8 +64391,7 @@ CVE-2021-41773 (A flaw was found in a change made to
path normalization in Apach
NOTE: Fixed by: https://svn.apache.org/r1893775
NOTE: https://www.openwall.com/lists/oss-security/2021/10/05/2
NOTE: https://www.openwall.com/lists/oss-security/2021/10/08/1
-CVE-2021-3839
- RESERVED
+CVE-2021-3839 (A flaw was found in the vhost library in DPDK. Function
vhost_user_set ...)
{DSA-5130-1}
- dpdk 20.11.5-1 (bug #1010641)
[buster] - dpdk <not-affected> (Vulnerable code introduced later)
@@ -64839,8 +64908,7 @@ CVE-2021-41574
RESERVED
CVE-2021-41573 (Hitachi Content Platform Anywhere (HCP-AW) 4.4.5 and later
allows info ...)
NOT-FOR-US: Hitachi
-CVE-2021-3827
- RESERVED
+CVE-2021-3827 (A flaw was found in keycloak, where the default ECP binding
flow allow ...)
NOT-FOR-US: Keycloak
CVE-2021-41572
RESERVED
@@ -66334,8 +66402,8 @@ CVE-2021-40987 (A remote arbitrary command execution
vulnerability was discovere
NOT-FOR-US: Aruba
CVE-2021-40986 (A remote arbitrary command execution vulnerability was
discovered in A ...)
NOT-FOR-US: Aruba
-CVE-2021-3800
- RESERVED
+CVE-2021-3800 (A flaw was found in glib before version 2.63.6. Due to random
charset ...)
+ TODO: check
CVE-2021-40985 (A stack-based buffer under-read in htmldoc before 1.9.12,
allows attac ...)
{DLA-2928-1}
- htmldoc 1.9.13-1 (unimportant)
@@ -66618,8 +66686,7 @@ CVE-2021-41054 (tftpd_file.c in atftp through 0.7.4 has
a buffer overflow becaus
[bullseye] - atftp 0.7.git20120829-3.3+deb11u1
[buster] - atftp 0.7.git20120829-3.2~deb10u2
NOTE:
https://sourceforge.net/p/atftp/code/ci/d255bf90834fb45be52decf9bc0b4fb46c90f205/
-CVE-2021-3798 [Soft token does not check if an EC key is valid]
- RESERVED
+CVE-2021-3798 (A flaw was found in openCryptoki. The openCryptoki Soft token
does not ...)
- opencryptoki <not-affected> (Vulnerable code introduced later)
NOTE:
https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/1928780
NOTE: Introduced with:
https://github.com/opencryptoki/opencryptoki/commit/a179fd01a265a98194d9c06ec5958da1dd2ecae3
(v3.15.0)
@@ -67557,7 +67624,7 @@ CVE-2021-3772 (A flaw was found in the Linux SCTP
stack. A blind attacker may be
[buster] - linux 4.19.235-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2000694
CVE-2021-3771
- RESERVED
+ REJECTED
CVE-2021-40524 (In Pure-FTPd before 1.0.50, an incorrect max_filesize quota
mechanism ...)
- pure-ftpd 1.0.50-1 (bug #993810)
[bullseye] - pure-ftpd <no-dsa> (Minor issue)
@@ -67754,16 +67821,14 @@ CVE-2021-40441 (Windows Media Center Elevation of
Privilege Vulnerability ...)
NOT-FOR-US: Microsoft
CVE-2021-40440 (Microsoft Dynamics Business Central Cross-site Scripting
Vulnerability ...)
NOT-FOR-US: Microsoft
-CVE-2021-3764 [DoS in ccp_run_aes_gcm_cmd() function]
- RESERVED
+CVE-2021-3764 (A memory leak flaw was found in the Linux kernel's
ccp_run_aes_gcm_cmd ...)
{DSA-5096-1 DLA-2941-1}
- linux 5.14.12-1
[bullseye] - linux 5.10.84-1
[stretch] - linux <not-affected> (Vulnerability introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1997467
NOTE:
https://git.kernel.org/linus/505d9dcb0f7ddf9d075e729523a33d38642ae680 (5.15-rc4)
-CVE-2021-3763
- RESERVED
+CVE-2021-3763 (A flaw was found in the Red Hat AMQ Broker management console
in versi ...)
NOT-FOR-US: Red Hat AMQ Broker
CVE-2021-3762 (A directory traversal vulnerability was found in the ClairCore
engine ...)
NOT-FOR-US: Quay/clair
@@ -68055,8 +68120,7 @@ CVE-2021-40333 (Weak Password Requirements
vulnerability in Hitachi Energy FOX61
NOT-FOR-US: Hitachi
CVE-2021-40332
RESERVED
-CVE-2021-3759 [unaccounted ipc objects in Linux kernel lead to breaking memcg
limits and DoS attacks]
- RESERVED
+CVE-2021-3759 (A memory overflow vulnerability was found in the Linux
kernel’s ...)
- linux 5.15.3-1
NOTE:
https://lore.kernel.org/linux-mm/[email protected]/
CVE-2021-3758 (bookstack is vulnerable to Server-Side Request Forgery (SSRF)
...)
@@ -68554,8 +68618,7 @@ CVE-2021-3737 (A flaw was found in python. An
improperly handled HTTP response i
NOTE:
https://github.com/python/cpython/commit/0389426fa4af4dfc8b1d7f3f291932d928392d8b
(3.8 branch)
NOTE:
https://github.com/python/cpython/commit/fee96422e6f0056561cf74fef2012cc066c9db86
(v3.7.11)
NOTE:
https://github.com/python/cpython/commit/1b6f4e5e13ebd1f957b47f7415b53d0869bdbac6
(v3.6.14
-CVE-2021-3736 [uninitialized kernel stack may lead to information disclosure]
- RESERVED
+CVE-2021-3736 (A flaw was found in the Linux kernel. A memory leak problem was
found ...)
- linux 5.14.6-1 (unimportant)
[bullseye] - linux <not-affected> (Vulnerable code not present)
[buster] - linux <not-affected> (Vulnerable code not present)
@@ -70553,13 +70616,13 @@ CVE-2021-3726 (# Vulnerability in `title` function
**Description**: the `title`
CVE-2021-3725 (Vulnerability in dirhistory plugin Description: the widgets
that go ba ...)
NOT-FOR-US: ohmyzsh
CVE-2021-3724
- RESERVED
+ REJECTED
NOT-FOR-US: Red Hat Serverless
CVE-2021-23161
- RESERVED
+ REJECTED
NOT-FOR-US: Red Hat Serverless
CVE-2021-23156
- RESERVED
+ REJECTED
NOT-FOR-US: Red Hat Serverless
CVE-2021-39294
RESERVED
@@ -70769,8 +70832,7 @@ CVE-2021-3715 (A flaw was found in the "Routing
decision" classifier in the Linu
[stretch] - linux 4.9.228-1
NOTE: https://www.openwall.com/lists/oss-security/2021/09/07/1
NOTE:
https://git.kernel.org/linus/ef299cc3fa1a9e1288665a9fdc8bff55629fd359 (5.6)
-CVE-2021-3714
- RESERVED
+CVE-2021-3714 (A flaw was found in the Linux kernels memory deduplication
mechanism. ...)
- linux <unfixed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1931327
CVE-2021-39245 (Hardcoded .htaccess Credentials for getlogs.cgi exist on Altus
Nexto, ...)
@@ -72346,13 +72408,11 @@ CVE-2021-38563 (An issue was discovered in Foxit PDF
Reader before 11.0.1 and PD
CVE-2021-3703
RESERVED
NOT-FOR-US: Red Hat Serverless
-CVE-2021-3702
- RESERVED
+CVE-2021-3702 (A race condition flaw was found in ansible-runner, where an
attacker c ...)
- ansible-runner <not-affected> (Vulnerable code introduced later)
NOTE:
https://github.com/ansible/ansible-runner/pull/742/commits/0e9aa8a97e7832ef9a1553ef2908632a32d2b8c4
NOTE: Introduced in
https://github.com/ansible/ansible-runner/commit/93e95a3df9021a38010386d07df121392d249253
-CVE-2021-3701
- RESERVED
+CVE-2021-3701 (A flaw was found in ansible-runner where the default temporary
files c ...)
- ansible-runner 2.1.1-1
NOTE: https://github.com/ansible/ansible-runner/issues/738
NOTE:
https://github.com/ansible/ansible-runner/pull/742/commits/60b059f00409224acae1e417153a241c8591ad89
@@ -73292,8 +73352,7 @@ CVE-2021-38210
RESERVED
CVE-2021-3691
RESERVED
-CVE-2021-3690 [buffer leak on incoming websocket PONG message may lead to DoS]
- RESERVED
+CVE-2021-3690 (A flaw was found in Undertow. A buffer leak on the incoming
WebSocket ...)
- undertow 2.2.10-1
NOTE: https://issues.redhat.com/browse/UNDERTOW-1935
CVE-2021-38209 (net/netfilter/nf_conntrack_standalone.c in the Linux kernel
before 5.1 ...)
@@ -74771,8 +74830,7 @@ CVE-2021-3671 (A null pointer de-reference was found in
the way samba kerberos s
NOTE: Followup:
https://github.com/heimdal/heimdal/commit/773802aecfb4b6a73817fa522faeb55b2a7cdb2a
NOTE: "Equivalent" issue for CVE-2021-37750 for the MIT krb5
vulnerability.
NOTE: Fixed by (Samba):
https://gitlab.com/samba-team/samba/-/commit/0cb4b939f192376bf5e33637863a91a20f74c5a5
-CVE-2021-3670 [MaxQueryDuration not honoured in Samba AD DC LDAP]
- RESERVED
+CVE-2021-3670 (MaxQueryDuration not honoured in Samba AD DC LDAP ...)
- ldb 2:2.2.3-1
[buster] - ldb <no-dsa> (Minor issue)
[stretch] - ldb <no-dsa> (Minor issue)
@@ -119549,8 +119607,7 @@ CVE-2021-20317 (A flaw was found in the Linux kernel.
A corrupted timer tree cau
{DSA-5096-1 DLA-2941-1 DLA-2843-1}
- linux 5.4.6-1
NOTE:
https://git.kernel.org/linus/511885d7061eda3eb1faf3f57dcc936ff75863f1 (5.4-rc1)
-CVE-2021-20316
- RESERVED
+CVE-2021-20316 (A flaw was found in the way Samba handled file/directory
metadata. Thi ...)
[experimental] - samba 2:4.16.0+dfsg-1
- samba 2:4.16.0+dfsg-2 (bug #1004690)
[bullseye] - samba <ignored> (Minor issue; no backport to older
versions, mitigations exists)
@@ -119628,8 +119685,7 @@ CVE-2021-20305 (A flaw was found in Nettle in
versions before 3.7.2, where sever
NOTE:
https://git.lysator.liu.se/nettle/nettle/-/commit/ae3801a0e5cce276c270973214385c86048d5f7b
NOTE: Fix canonical reduction in gostdsa_vko:
NOTE:
https://git.lysator.liu.se/nettle/nettle/-/commit/63f222c60b03470c0005aa9bc4296fbf585f68b9
-CVE-2021-20304 [Undefined-shift in Imf_2_5::hufDecode]
- RESERVED
+CVE-2021-20304 (A flaw was found in OpenEXR's hufDecode functionality. This
flaw allow ...)
- openexr 2.5.4-1 (unimportant)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26229
NOTE:
https://github.com/AcademySoftwareFoundation/openexr/commit/51a92d67f53c08230734e74564c807043cbfe41e
@@ -119660,8 +119716,7 @@ CVE-2021-20299 (A flaw was found in OpenEXR's
Multipart input file functionality
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25740
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/840
NOTE:
https://github.com/AcademySoftwareFoundation/openexr/commit/25e9515b06a6bc293d871622b8cafaee7af84e0f
-CVE-2021-20298 [Out-of-memory in B44Compressor]
- RESERVED
+CVE-2021-20298 (A flaw was found in OpenEXR's B44Compressor. This flaw allows
an attac ...)
- openexr 2.5.4-1
[buster] - openexr <ignored> (Minor issue)
[stretch] - openexr <postponed> (Minor issue, OOM, revisit when there's
a full fix upstream)
@@ -120613,8 +120668,7 @@ CVE-2020-35511
RESERVED
CVE-2020-35510 (A flaw was found in jboss-remoting in versions before
5.0.20.SP1-redha ...)
- libjboss-remoting-java <removed>
-CVE-2020-35509
- RESERVED
+CVE-2020-35509 (A flaw was found in keycloak affecting versions 11.0.3 and
12.0.0. An ...)
NOT-FOR-US: Keycloak
CVE-2020-35508 (A flaw possibility of race condition and incorrect
initialization of t ...)
- linux 5.9.9-1
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c757a12708906eadb8f35ff6fedfe41f4b895dd5
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c757a12708906eadb8f35ff6fedfe41f4b895dd5
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
