Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3d423a1c by Moritz Muehlenhoff at 2022-10-11T13:21:13+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -8239,7 +8239,7 @@ CVE-2022-39247
 CVE-2022-39246 (matrix-android-sdk2 is the Matrix SDK for Android. Prior to 
version 1. ...)
        NOT-FOR-US: Matrix SDK for Android
 CVE-2022-39245 (Mist is the command-line interface for the makedeb Package 
Repository. ...)
-       TODO: check
+       NOT-FOR-US: Makedeb Mist
 CVE-2022-39244 (PJSIP is a free and open source multimedia communication 
library writt ...)
        - asterisk <unfixed>
        - pjproject <removed>
@@ -8247,7 +8247,7 @@ CVE-2022-39244 (PJSIP is a free and open source 
multimedia communication library
        NOTE: 
https://github.com/pjsip/pjproject/security/advisories/GHSA-fq45-m3f7-3mhj
        NOTE: 
https://github.com/pjsip/pjproject/commit/c4d34984ec92b3d5252a7d5cddd85a1d3a8001ae
 CVE-2022-39243 (NuProcess is an external process execution implementation for 
Java. In ...)
-       TODO: check
+       NOT-FOR-US: NuProcess
 CVE-2022-39242 (Frontier is an Ethereum compatibility layer for Substrate. 
Prior to co ...)
        NOT-FOR-US: Frontier
 CVE-2022-39241
@@ -8255,7 +8255,7 @@ CVE-2022-39241
 CVE-2022-39240 (MyGraph is a permission management system. Versions prior to 
1.0.4 are ...)
        NOT-FOR-US: MyGraph
 CVE-2022-39239 (netlify-ipx is an on-Demand image optimization for Netlify 
using ipx.  ...)
-       TODO: check
+       NOT-FOR-US: netlify-ipx
 CVE-2022-39238 (Arvados is an open source platform for managing and analyzing 
biomedic ...)
        NOT-FOR-US: Arvados
 CVE-2022-39237 (syslabs/sif is the Singularity Image Format (SIF) reference 
implementa ...)
@@ -8296,7 +8296,7 @@ CVE-2022-39224 (Arr-pm is an RPM reader/writer library 
written in Ruby. Versions
 CVE-2022-39223
        RESERVED
 CVE-2022-39222 (Dex is an identity service that uses OpenID Connect to drive 
authentic ...)
-       TODO: check
+       - coreos-dex <itp> (bug #879562)
 CVE-2022-39221 (McWebserver mod runs a simple HTTP server alongside the 
Minecraft serv ...)
        NOT-FOR-US: McWebserver
 CVE-2022-39220 (SFTPGo is an SFTP server written in Go. Versions prior to 
2.3.5 are su ...)
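Review bot: the new `- coreos-dex <itp> (bug #879562)` entry for CVE-2022-39222 carries no NOTE line with the upstream advisory or fix commit, unlike the pjproject entry in the earlier hunk of this change (GHSA link plus fix commit), so once the ITP lands there is nothing recorded to tell which upstream version closes the issue; suggest adding a NOTE with the upstream advisory URL directly under the coreos-dex line.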
@@ -9102,7 +9102,7 @@ CVE-2022-38938
 CVE-2022-38937
        RESERVED
 CVE-2022-38936 (An issue has been found in PBC through 2022-8-27. A SEGV issue 
detecte ...)
-       TODO: check
+       NOT-FOR-US: PBC
 CVE-2022-38935
        RESERVED
 CVE-2022-38934 (readelf in ToaruOS 2.0.1 has some arbitrary address read 
vulnerabiliti ...)
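Review bot: the reason `NOT-FOR-US: PBC` for CVE-2022-38936 just repeats the bare name from the truncated description, which is too generic to rule out a same-named Debian source package later; other entries in this file disambiguate generic names (the last hunk keeps "Node date-and-time (different from src:node-date-time)"), so spell out which PBC project is meant, e.g. `NOT-FOR-US: PBC (<upstream project, placeholder>)`.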
@@ -9754,7 +9754,7 @@ CVE-2022-2982 (Use After Free in GitHub repository 
vim/vim prior to 9.0.0260. ..
        NOTE: https://huntr.dev/bounties/53f53d9a-ba8a-4985-b7ba-23efbe6833be
        NOTE: 
https://github.com/vim/vim/commit/d6c67629ed05aae436164eec474832daf8ba7420 
(v9.0.0260)
 CVE-2022-2981 (The Download Monitor WordPress plugin before 4.5.98 does not 
ensure th ...)
-       TODO: check
+       NOT-FOR-US: WordPress plugin
 CVE-2022-2980 (NULL Pointer Dereference in GitHub repository vim/vim prior to 
9.0.025 ...)
        - vim 2:9.0.0626-1 (unimportant)
        NOTE: https://huntr.dev/bounties/6e7b12a5-242c-453d-b39e-9625d563b0ea
@@ -10291,7 +10291,7 @@ CVE-2022-38547
 CVE-2022-38546
        RESERVED
 CVE-2022-38545 (Valine v1.4.18 was discovered to contain a remote code 
execution (RCE) ...)
-       TODO: check
+       NOT-FOR-US: Valine
 CVE-2022-38544
        RESERVED
 CVE-2022-38543
@@ -10437,7 +10437,7 @@ CVE-2022-38487
 CVE-2022-38486
        RESERVED
 CVE-2022-2922 (Relative Path Traversal in GitHub repository 
dnnsoftware/dnn.platform  ...)
-       TODO: check
+       NOT-FOR-US: DNNPlatform
 CVE-2022-2921 (Exposure of Private Personal Information to an Unauthorized 
Actor in G ...)
        NOT-FOR-US: NotrinosERP
 CVE-2022-38485
@@ -10766,7 +10766,7 @@ CVE-2022-38398 (Server-Side Request Forgery (SSRF) 
vulnerability in Batik of Apa
 CVE-2022-38397
        RESERVED
 CVE-2022-2891 (The WP 2FA WordPress plugin before 2.3.0 uses comparison 
operators tha ...)
-       TODO: check
+       NOT-FOR-US: WordPress plugin
 CVE-2022-2890 (Cross-site Scripting (XSS) - Stored in GitHub repository 
yetiforcecomp ...)
        NOT-FOR-US: yetiforcecrm
 CVE-2022-2889 (Use After Free in GitHub repository vim/vim prior to 9.0.0225. 
...)
@@ -11187,7 +11187,7 @@ CVE-2022-2825
 CVE-2022-2824 (Improper Access Control in GitHub repository openemr/openemr 
prior to  ...)
        NOT-FOR-US: OpenEMR
 CVE-2022-2823 (The Slider, Gallery, and Carousel by MetaSlider WordPress 
plugin befor ...)
-       TODO: check
+       NOT-FOR-US: WordPress plugin
 CVE-2022-2822 (An attacker can freely brute force username and password and 
can takeo ...)
        - octoprint <itp> (bug #718591)
 CVE-2022-2821 (Missing Critical Step in Authentication in GitHub repository 
namelessm ...)
@@ -13660,7 +13660,7 @@ CVE-2022-2630
        - gitlab <unfixed>
        NOTE: 
https://about.gitlab.com/releases/2022/08/30/critical-security-release-gitlab-15-3-2-released/
 CVE-2022-2629 (The Top Bar WordPress plugin before 3.0.4 does not sanitise and 
escape ...)
-       TODO: check
+       NOT-FOR-US: WordPress plugin
 CVE-2022-2628 (The DSGVO All in one for WP WordPress plugin before 4.2 does 
not sanit ...)
        NOT-FOR-US: WordPress plugin
 CVE-2022-2627
@@ -13934,25 +13934,25 @@ CVE-2022-37268
 CVE-2022-37267
        RESERVED
 CVE-2022-37266 (Prototype pollution vulnerability in function extend in 
babel.js in st ...)
-       TODO: check
+       NOT-FOR-US: stealjs
 CVE-2022-37265 (Prototype pollution vulnerability in stealjs steal 2.2.4 via 
the alias ...)
-       TODO: check
+       NOT-FOR-US: stealjs
 CVE-2022-37264 (Prototype pollution vulnerability in stealjs steal 2.2.4 via 
the optio ...)
-       TODO: check
+       NOT-FOR-US: stealjs
 CVE-2022-37263
        RESERVED
 CVE-2022-37262 (A Regular Expression Denial of Service (ReDoS) flaw was found 
in steal ...)
-       TODO: check
+       NOT-FOR-US: stealjs
 CVE-2022-37261
        RESERVED
 CVE-2022-37260 (A Regular Expression Denial of Service (ReDoS) flaw was found 
in steal ...)
-       TODO: check
+       NOT-FOR-US: stealjs
 CVE-2022-37259 (A Regular Expression Denial of Service (ReDoS) flaw was found 
in steal ...)
-       TODO: check
+       NOT-FOR-US: stealjs
 CVE-2022-37258 (Prototype pollution vulnerability in function convertLater in 
npm-conv ...)
-       TODO: check
+       NOT-FOR-US: stealjs
 CVE-2022-37257 (Prototype pollution vulnerability in function convertLater in 
npm-conv ...)
-       TODO: check
+       NOT-FOR-US: stealjs
 CVE-2022-37256
        RESERVED
 CVE-2022-37255
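Review bot: CVE-2022-37258 and CVE-2022-37257 are marked `NOT-FOR-US: stealjs` although their visible descriptions refer to function convertLater in "npm-conv ..." and do not mention stealjs at all; confirm that the affected component is part of the stealjs project (the truncated text does not say so) and make the reason name that component, so the entry is not mistaken for an unrelated npm package with a similar name.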
@@ -14832,7 +14832,7 @@ CVE-2022-2556 (The Mailchimp for WooCommerce WordPress 
plugin before 2.7.2 has a
 CVE-2022-2555 (The Yotpo Reviews for WooCommerce WordPress plugin through 
2.0.4 lacks ...)
        NOT-FOR-US: WordPress plugin
 CVE-2022-2554 (The Enable Media Replace WordPress plugin before 4.0.0 does not 
ensure ...)
-       TODO: check
+       NOT-FOR-US: WordPress plugin
 CVE-2022-2553 (The authfile directive in the booth config file is ignored, 
preventing ...)
        {DSA-5194-1}
        - booth 1.0-268-gdce51f9-1
@@ -15124,7 +15124,7 @@ CVE-2022-36780 (Avdor CIS - crystal quality Credentials 
Management Errors. The p
 CVE-2022-36779 (PROSCEND - PROSCEND / ADVICE .Ltd - G/5G Industrial Cellular 
Router (w ...)
        NOT-FOR-US: PROSCEND
 CVE-2022-36778 (insert HTML / js code inside input how to get to the 
vulnerable input  ...)
-       TODO: check
+       NOT-FOR-US: Synel - eHarmony
 CVE-2022-36777
        RESERVED
 CVE-2022-36776
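Review bot: the reason `NOT-FOR-US: Synel - eHarmony` for CVE-2022-36778 names a vendor and product that appear nowhere in the visible description ("insert HTML / js code inside input how to get to the vulnerable input ..."), so a later reader cannot check the attribution from the entry itself; add a NOTE line pointing at the advisory or CVE reference the product name was taken from.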
@@ -15437,9 +15437,9 @@ CVE-2022-36637 (Garage Management System v1.0 was 
discovered to contain a persis
 CVE-2022-36636 (Garage Management System v1.0 was discovered to contain a SQL 
injectio ...)
        NOT-FOR-US: Garage Management System
 CVE-2022-36635 (ZKteco ZKBioSecurity V5000 4.1.3 was discovered to contain a 
SQL injec ...)
-       TODO: check
+       NOT-FOR-US: ZKteco
 CVE-2022-36634 (An access control issue in ZKTeco ZKBioSecurity V5000 3.0.5_r 
allows a ...)
-       TODO: check
+       NOT-FOR-US: ZKteco
 CVE-2022-36633 (Teleport 9.3.6 is vulnerable to Command injection leading to 
Remote Co ...)
        NOT-FOR-US: Teleport
 CVE-2022-36632
@@ -146136,7 +146136,7 @@ CVE-2020-26291 (URI.js is a javascript URL mutation 
library (npm package urijs).
        NOTE: https://github.com/medialize/URI.js/releases/tag/v1.19.4
        NOTE: 
https://github.com/medialize/URI.js/commit/b02bf037c99ac9316b77ff8bfd840e90becf1155
 (v1.19.4)
 CVE-2020-26290 (Dex is a federated OpenID Connect provider written in Go. In 
Dex befor ...)
-       NOT-FOR-US: Dex OIDC provider (differnet from src:dex)
+       - coreos-dex <itp> (bug #879562)
 CVE-2020-26289 (date-and-time is an npm package for manipulating date and 
time. In dat ...)
        NOT-FOR-US: Node date-and-time (different from src:node-date-time)
 CVE-2020-26288 (Parse Server is an open source backend that can be deployed to 
any inf ...)
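Review bot: the removed line for CVE-2020-26290 carried the disambiguation "(differnet from src:dex)" and the replacement `- coreos-dex <itp> (bug #879562)` drops it, so the warning that this Dex is not src:dex is lost; keep it as a NOTE (fixing the typo to "different") in the style of the CVE-2020-26289 line just below, which retains its "(different from src:node-date-time)" hint. The change is otherwise consistent with the CVE-2022-39222 entry earlier in this commit, which points at the same ITP bug.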



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d423a1c45a23c6c37d0d3e6fd6505c289650725


_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits