Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
39444394 by Moritz Muehlenhoff at 2022-09-12T15:57:12+02:00
bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -364,6 +364,7 @@ CVE-2022-3173
        RESERVED
 CVE-2022-40320 (cfg_tilde_expand in confuse.c in libConfuse 3.3 has a 
heap-based buffe ...)
        - libconfuse <unfixed>
+       [bullseye] - libconfuse <no-dsa> (Minor issue)
        NOTE: https://github.com/libconfuse/libconfuse/issues/163
        NOTE: Fixed by: 
https://github.com/libconfuse/libconfuse/commit/d73777c2c3566fb2647727bb56d9a2295b81669b
 CVE-2022-40319
@@ -553,6 +554,7 @@ CVE-2022-3168
        RESERVED
 CVE-2019-25076 (The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x 
through 2.1 ...)
        - openvswitch <unfixed>
+       [bullseye] - openvswitch <no-dsa> (Minor issue)
        NOTE: https://arxiv.org/abs/2011.09107
        NOTE: https://sites.google.com/view/tuple-space-explosion
        NOTE: https://dl.acm.org/doi/10.1145/3359989.3365431
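Review bot: the openvswitch entry stays at <unfixed> while all three NOTE lines point at the research paper and its companion pages rather than at an upstream fix, so nothing in this entry lets the sid line ever move to a fixed version; consider adding a NOTE with the upstream commit or release that addresses the TSS complexity issue, or a NOTE stating that no upstream fix exists, so that the new "[bullseye] - openvswitch <no-dsa> (Minor issue)" tag is not the only actionable line.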
@@ -4043,6 +4045,7 @@ CVE-2022-2997 (Session Fixation in GitHub repository 
snipe/snipe-it prior to 6.0
        - snipe-it <itp> (bug #1005172)
 CVE-2022-2996 (A flaw was found in the python-scciclient when making an HTTPS 
connect ...)
        - python-scciclient <unfixed> (bug #1018213)
+       [bullseye] - python-scciclient <no-dsa> (Minor issue)
        NOTE: 
https://opendev.org/x/python-scciclient/commit/274dca0344b65b4ac113d3271d21c17e970a636c
 (0.12)
 CVE-2022-2995
        RESERVED
@@ -11193,6 +11196,7 @@ CVE-2022-36110 (Netmaker makes networks with WireGuard. 
Prior to version 0.15.1,
        TODO: check
 CVE-2022-36109 (Moby is an open-source project created by Docker to enable 
software co ...)
        - docker.io <unfixed>
+       [bullseye] - docker.io <no-dsa> (Minor issue)
        NOTE: 
https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4
        NOTE: 
https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32
 CVE-2022-36108
@@ -41481,6 +41485,7 @@ CVE-2022-0671 (A flaw was found in vscode-xml in 
versions prior to 0.19.0. Schem
        NOT-FOR-US: vscode-xml
 CVE-2022-0670 (A flaw was found in Openstack manilla owning a Ceph File system 
"share ...)
        - ceph 16.2.10+ds-1 (bug #1016069)
+       [bullseye] - ceph <no-dsa> (Minor issue)
        [buster] - ceph <no-dsa> (Minor issue)
        NOTE: https://ceph.io/en/news/blog/2022/v17-2-2-quincy-released/
        NOTE: https://docs.ceph.com/en/latest/security/CVE-2022-0670/
@@ -43917,12 +43922,14 @@ CVE-2022-24578 (GPAC 1.0.1 is affected by a 
heap-based buffer overflow in SFS_Ad
        NOTE: 
https://github.com/gpac/gpac/commit/b5741da08e88e8dcc8da0a7669b92405b9862850 
(v2.0.0)
 CVE-2022-24577 (GPAC 1.0.1 is affected by a NULL pointer dereference in 
gf_utf8_wcslen ...)
        - gpac 2.0.0+dfsg1-2
+       [bullseye] - gpac <no-dsa> (Minor issue)
        [buster] - gpac <end-of-life> (EOL in buster LTS)
        [stretch] - gpac <end-of-life> (No longer supported in LTS)
        NOTE: https://huntr.dev/bounties/0758b3a2-8ff2-45fc-8543-7633d605d24e/
        NOTE: 
https://github.com/gpac/gpac/commit/586e817dcd531bb3e75438390f1f753cfe6e940a 
(v2.0.0)
 CVE-2022-24576 (GPAC 1.0.1 is affected by Use After Free through MP4Box. ...)
        - gpac 2.0.0+dfsg1-2
+       [bullseye] - gpac <no-dsa> (Minor issue)
        [buster] - gpac <end-of-life> (EOL in buster LTS)
        [stretch] - gpac <end-of-life> (No longer supported in LTS)
        NOTE: https://github.com/gpac/gpac/issues/2061
@@ -44663,6 +44670,7 @@ CVE-2022-24303 (Pillow before 9.0.1 allows attackers to 
delete files because spa
 CVE-2022-24302 (In Paramiko before 2.10.1, a race condition (between creation 
and chmo ...)
        {DLA-2959-1}
        - paramiko 2.10.3-1 (bug #1008012)
+       [bullseye] - paramiko <no-dsa> (Minor issue)
        NOTE: 
https://github.com/paramiko/paramiko/commit/4c491e299c9b800358b16fa4886d8d94f45abe2e
 (2.10.1)
 CVE-2022-24296 (Use of a Broken or Risky Cryptographic Algorithm vulnerability 
in Air  ...)
        NOT-FOR-US: Mitsubishi
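Review bot: the added "[bullseye] - paramiko <no-dsa> (Minor issue)" line sits next to the existing "{DLA-2959-1}" reference, so buster already received a fix for this key-file race condition while bullseye will keep the vulnerable version until a point release; if that is the intended outcome, a rationale such as (Can be fixed via point release) would document the decision more precisely than (Minor issue), given that the fix commit (2.10.1) is already recorded in the NOTE.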
@@ -79262,10 +79270,12 @@ CVE-2021-37820
        RESERVED
 CVE-2021-37819 (PDF Labs pdftk-java v3.2.3 was discovered to contain an 
infinite loop  ...)
        - pdftk-java 3.3.2-1
-       - pdftk <unfixed>
+       [bullseye] - pdftk-java <no-dsa> (Minor issue)
+       - pdftk 2.02-5
        NOTE: https://gitlab.com/pdftk-java/pdftk/-/merge_requests/21
        NOTE: 
https://gitlab.com/pdftk-java/pdftk/-/commit/75deacdf5c46fd4eefb310c784eb9dfdc7b9fdc9
 (v3.3.0)
        NOTE: 
https://gitlab.com/pdftk-java/pdftk/-/commit/9b0cbb76c8434a8505f02ada02a94263dcae9247
 (v3.3.0)
+       NOTE: Starting with 2.02-5 src:pdftk is just a transition package 
towards src:pdftk-java
        TODO: check impact on other sources embedding 
lowagie/text/pdf/PdfReader.java
 CVE-2021-37818
        RESERVED
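Review bot: replacing "- pdftk <unfixed>" with "- pdftk 2.02-5" relies entirely on the new NOTE that src:pdftk became a transitional package at 2.02-5, but unlike pdftk-java the pdftk source gets no suite-specific tag in this hunk; any release still shipping a pre-2.02-5 src:pdftk will therefore show as affected and untriaged, so check whether a [bullseye] or [buster] line for pdftk is needed, and consider resolving the open "TODO: check impact on other sources embedding lowagie/text/pdf/PdfReader.java" before the entry is treated as closed.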


=====================================
data/dsa-needed.txt
=====================================
@@ -20,6 +20,8 @@ connman (carnil)
 --
 freecad (aron)
 --
+gdal
+--
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v5.10.y versions
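Review bot: the new "gdal" entry in dsa-needed.txt carries neither an assignee nor an indented note saying which open issue motivates the DSA, whereas the neighbouring "linux (carnil)" entry shows the convention of a short scoping comment; adding the CVE id(s) and, if known, the suites affected would let whoever picks this up start without re-triaging.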



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/39444394b4dc0fee27b256ee5c13377fe1d9276a

_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits