Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
774a0214 by security tracker role at 2022-10-05T20:10:27+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -10622,13 +10622,13 @@ CVE-2022-38180 (In JetBrains Ktor before 2.1.0 the 
wrong authentication provider
 CVE-2022-38179 (JetBrains Ktor before 2.1.0 was vulnerable to the Reflect File 
Downloa ...)
        NOT-FOR-US: JetBrains Ktor
 CVE-2022-38178 (By spoofing the target resolver with responses that have a 
malformed E ...)
-       {DSA-5235-1}
+       {DSA-5235-1 DLA-3138-1}
        - bind9 1:9.18.7-1
        NOTE: https://kb.isc.org/docs/cve-2022-38178
        NOTE: Fixed by: 
https://gitlab.isc.org/isc-projects/bind9/-/commit/7c0028cfad2ae5fdf82c4d02d3b8b3a1e96dc6ec
 (v9_18_7)
        NOTE: Fixed by: 
https://gitlab.isc.org/isc-projects/bind9/-/commit/1af23378ebb11da2eb0f412e4563d6c4165fbd3d
 (v9_16_33)
 CVE-2022-38177 (By spoofing the target resolver with responses that have a 
malformed E ...)
-       {DSA-5235-1}
+       {DSA-5235-1 DLA-3138-1}
        - bind9 1:9.17.20-1
        NOTE: https://kb.isc.org/docs/cve-2022-38177
        NOTE: Fixed by (while refactoring): 
https://gitlab.isc.org/isc-projects/bind9/-/commit/d4eb6e0a57a7eeb42328ff66865fa66688603c17
 (v9_17_20)
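Review bot: CVE-2022-38177 now carries DLA-3138-1, but the only fix reference visible in this hunk is the "Fixed by (while refactoring)" commit tagged v9_17_20, whereas the CVE-2022-38178 entry just above lists separate commits for v9_18_7 and v9_16_33. A refactoring commit on a development branch is a weak reference for anyone checking what the LTS upload backported; if the entry has no older-branch commit outside the shown context, consider adding a NOTE that names the change the DLA applied.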
@@ -10661,7 +10661,7 @@ CVE-2022-2797 (A vulnerability classified as critical 
was found in SourceCodeste
 CVE-2022-2796 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pimcore/pimco ...)
        NOT-FOR-US: pimcore
 CVE-2022-2795 (By flooding the target resolver with queries exploiting this 
flaw an a ...)
-       {DSA-5235-1}
+       {DSA-5235-1 DLA-3138-1}
        - bind9 1:9.18.7-1
        NOTE: https://kb.isc.org/docs/cve-2022-2795
        NOTE: Fixed by: 
https://gitlab.isc.org/isc-projects/bind9/-/commit/e2014ba9e3b4236b0384ba17abfb2c9a155412f6
 (v9_18_7)
@@ -26279,6 +26279,7 @@ CVE-2022-32213 (The llhttp parser <v14.20.1, 
<v16.17.1 and <v18.9.1 in
        NOTE: 
https://github.com/nodejs/node/commit/d9b71f4c241fa31cc2a48331a4fc28c15937875a 
(main)
        NOTE: 
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#cve-2022-32213-bypass-via-obs-fold-mechanic-medium-cve-2022-32213
 CVE-2022-32212 (A OS Command Injection vulnerability exists in Node.js 
versions <14 ...)
+       {DLA-3137-1}
        - nodejs 18.6.0+dfsg-3
        NOTE: 
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#dns-rebinding-in-inspect-via-invalid-ip-addresses-high-cve-2022-32212
        NOTE: 
https://github.com/nodejs/node/commit/48c5aa5cab718d04473fa2761d532657c84b8131 
(v14.x)
@@ -63011,7 +63012,7 @@ CVE-2021-44536
 CVE-2021-44535
        RESERVED
 CVE-2022-21824 (Due to the formatting logic of the "console.table()" function 
it was n ...)
-       {DSA-5170-1}
+       {DSA-5170-1 DLA-3137-1}
        - nodejs 12.22.9~dfsg-1 (bug #1004177)
        [stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by 
security support)
        NOTE: 
https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/#prototype-pollution-via-console-table-properties-low-cve-2022-21824
@@ -121528,6 +121529,7 @@ CVE-2021-22942 (A possible open redirect 
vulnerability in the Host Authorization
 CVE-2021-22941 (Improper Access Control in Citrix ShareFile storage zones 
controller b ...)
        NOT-FOR-US: Citrix
 CVE-2021-22940 (Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a 
use aft ...)
+       {DLA-3137-1}
        - nodejs 12.22.5~dfsg-1
        [bullseye] - nodejs <not-affected> (Incomplete fix for CVE-2021-22930 
not applied)
        [stretch] - nodejs <not-affected> (Incomplete fix for CVE-2021-22930 
not applied)
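Review bot: The new {DLA-3137-1} on CVE-2021-22940 sits directly above two <not-affected> lines whose stated reason is "Incomplete fix for CVE-2021-22930 not applied". The advisory reference is consistent only if the release covered by the DLA did receive the CVE-2021-22930 fix. This commit also tags CVE-2021-22930 with DLA-3137-1 in its last hunk, so the pairing holds, but the entry itself does not say so; a short NOTE tying the two together would save readers from cross-checking.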
@@ -121535,6 +121537,7 @@ CVE-2021-22940 (Node.js before 16.6.1, 14.17.5, and 
12.22.5 is vulnerable to a u
        NOTE: 
https://github.com/nodejs/node/commit/2008c9722fcf7591e39013691f303934b622df7b 
(v12.22.5)
        NOTE: 
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#use-after-free-on-close-http2-on-stream-canceling-high-cve-2021-22940
 CVE-2021-22939 (If the Node.js https API was used incorrectly and "undefined" 
was in p ...)
+       {DLA-3137-1}
        - nodejs 12.22.5~dfsg-1
        [bullseye] - nodejs 12.22.5~dfsg-2~11u1
        [stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by 
security support)
@@ -121558,6 +121561,7 @@ CVE-2021-22931 (Node.js before 16.6.0, 14.17.4, and 
12.22.4 is vulnerable to Rem
        - nodejs <not-affected> (Debian builds nodejs against src:c-ares)
        NOTE: 
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#cares-upgrade-improper-handling-of-untypical-characters-in-domain-names-high-cve-2021-22931
 CVE-2021-22930 (Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a 
use aft ...)
+       {DLA-3137-1}
        - nodejs 12.22.4~dfsg-1
        [bullseye] - nodejs 12.22.5~dfsg-2~11u1
        [stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by 
security support)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/774a02141e3524ddd74aca137be4c8a481264180
