Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
652bf02a by Moritz Muehlenhoff at 2022-11-10T18:48:56+01:00
two k8s issues, NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -8352,7 +8352,7 @@ CVE-2022-42966 (An exponential ReDoS (Regular Expression 
Denial of Service) can
        NOTE: https://research.jfrog.com/vulnerabilities/cleo-redos-xray-257186/
        NOTE: Doesn't seem to be reported upstream so far
 CVE-2022-42965 (An exponential ReDoS (Regular Expression Denial of Service) 
can be tri ...)
-       TODO: check
+       NOT-FOR-US: snowflake-connector-python
 CVE-2022-42964 (An exponential ReDoS (Regular Expression Denial of Service) 
can be tri ...)
        - pymatgen <unfixed>
        NOTE: 
https://research.jfrog.com/vulnerabilities/pymatgen-redos-xray-257184/
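Review bot: the new `NOT-FOR-US: snowflake-connector-python` line for CVE-2022-42965 carries no reference NOTE, unlike the sibling entries CVE-2022-42966 and CVE-2022-42964 in the same context, which each point at the JFrog writeup (`NOTE: https://research.jfrog.com/vulnerabilities/...`). Since a NOT-FOR-US entry never gets a package line, a NOTE with the advisory URL is the only place a later triager can see why the issue was ruled out and which upstream component it concerned; consider adding one. The NOT-FOR-US claim itself should be confirmed against the archive (no snowflake-connector-python source package) before merge, since nothing in the visible context establishes it.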
@@ -12467,6 +12467,9 @@ CVE-2022-3295 (Allocation of Resources Without Limits 
or Throttling in GitHub re
        - rdiffweb <itp> (bug #969974)
 CVE-2022-3294
        RESERVED
+       - kubernetes 1.20.5+really1.20.2-1
+       NOTE: Server components no longer built since 1.20.5+really1.20.2-1, 
marking that as fixed version
+       NOTE: The source package itself it still vulnerable, but custom 
rebuilds are not really a usecase here
 CVE-2022-3293 (Email addresses were leaked in WebHook logs in GitLab EE 
affecting all ...)
        - gitlab <not-affected> (Only affects Gitlab EE)
 CVE-2022-3292 (Use of Cache Containing Sensitive Information in GitHub 
repository iku ...)
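Review bot: the second NOTE on CVE-2022-3294 reads "The source package itself it still vulnerable"; "it" should be "is". More substantively, recording `1.20.5+really1.20.2-1` as a fixed version while the same entry states that the source is still vulnerable conflates two different claims: the fixed-version field asserts the code was corrected, but the rationale given is that the affected server components are simply no longer built. The tracker already expresses "binary not built / not shipped" with a `<not-affected>` marker plus a reason (see the gitlab entry in this very hunk), which would keep version lookups honest for anyone rebuilding the source; if the fixed-version form is the team's deliberate convention for kubernetes, the NOTE should say so explicitly. The entry is also still RESERVED with no description, so a NOTE linking the upstream Kubernetes issue or advisory would let a later reader verify which component the "server components" statement refers to.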
@@ -15284,6 +15287,9 @@ CVE-2022-40176 (A vulnerability has been identified in 
Desigo PXM30-1 (All versi
        NOT-FOR-US: Siemens
 CVE-2022-3162
        RESERVED
+       - kubernetes 1.20.5+really1.20.2-1
+       NOTE: Server components no longer built since 1.20.5+really1.20.2-1, 
marking that as fixed version
+       NOTE: The source package itself it still vulnerable, but custom 
rebuilds are not really a usecase here
 CVE-2022-3161
        RESERVED
 CVE-2022-3160
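Review bot: the two NOTEs added to CVE-2022-3162 are a verbatim copy of the ones on CVE-2022-3294, including the "itself it still vulnerable" typo ("is"); fix both together in a follow-up. The same reservation applies to encoding "server components no longer built" as a fixed version `1.20.5+really1.20.2-1` rather than as a `<not-affected>` marker with that reason: a fixed-version entry implies the code changed, which the NOTE says it did not. As with CVE-2022-3294, the CVE is still RESERVED here, so a NOTE with the upstream reference would make the component claim checkable.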
@@ -15962,35 +15968,35 @@ CVE-2022-39895
 CVE-2022-39894
        RESERVED
 CVE-2022-39893 (Sensitive information exposure vulnerability in FmmBaseModel 
in Galaxy ...)
-       TODO: check
+       NOT-FOR-US: Samsung
 CVE-2022-39892 (Improper access control in Samsung Pass prior to version 
4.0.05.1 allo ...)
-       TODO: check
+       NOT-FOR-US: Samsung
 CVE-2022-39891 (Heap overflow vulnerability in parse_pce function in 
libsavsaudio.so i ...)
-       TODO: check
+       NOT-FOR-US: Samsung
 CVE-2022-39890 (Improper Authorization in Samsung Billing prior to version 
5.0.56.0 al ...)
-       TODO: check
+       NOT-FOR-US: Samsung
 CVE-2022-39889 (Improper access control vulnerability in GalaxyWatch4Plugin 
prior to v ...)
-       TODO: check
+       NOT-FOR-US: Samsung
 CVE-2022-39888
        RESERVED
 CVE-2022-39887 (Improper access control vulnerability in clearAllGlobalProxy 
in MiscPo ...)
-       TODO: check
+       NOT-FOR-US: Samsung
 CVE-2022-39886 (Improper access control vulnerability in 
IpcRxServiceModeBigDataInfo i ...)
-       TODO: check
+       NOT-FOR-US: Samsung
 CVE-2022-39885 (Improper access control vulnerability in 
BootCompletedReceiver_CMCC in ...)
-       TODO: check
+       NOT-FOR-US: Samsung
 CVE-2022-39884 (Improper access control vulnerability in IImsService prior to 
SMR Nov- ...)
-       TODO: check
+       NOT-FOR-US: Samsung
 CVE-2022-39883 (Improper authorization vulnerability in StorageManagerService 
prior to ...)
-       TODO: check
+       NOT-FOR-US: Samsung
 CVE-2022-39882 (Heap overflow vulnerability in sflacf_fal_bytes_peek function 
in libsm ...)
-       TODO: check
+       NOT-FOR-US: Samsung
 CVE-2022-39881 (Improper input validation vulnerability for processing SIB12 
PDU in Ex ...)
-       TODO: check
+       NOT-FOR-US: Samsung
 CVE-2022-39880 (Improper input validation vulnerability in DualOutFocusViewer 
prior to ...)
-       TODO: check
+       NOT-FOR-US: Samsung
 CVE-2022-39879 (Improper authorization vulnerability in?CallBGProvider prior 
to SMR No ...)
-       TODO: check
+       NOT-FOR-US: Samsung
 CVE-2022-39878 (Improper access control vulnerability in Samsung Checkout 
prior to ver ...)
        NOT-FOR-US: Samsung
 CVE-2022-39877 (Improper access control vulnerability in ProfileSharingAccount 
in Grou ...)
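Review bot: the batch `NOT-FOR-US: Samsung` is consistent with the pre-existing tag on CVE-2022-39878 at the bottom of the hunk, but several of the truncated descriptions do not name Samsung in the visible text (CVE-2022-39886 IpcRxServiceModeBigDataInfo, CVE-2022-39885 BootCompletedReceiver_CMCC, CVE-2022-39884 IImsService, CVE-2022-39883 StorageManagerService, CVE-2022-39881 SIB12 PDU), so a reviewer has to infer the vendor from the surrounding "SMR Nov-" entries; a single NOTE on the first entry pointing at the Samsung Mobile Security bulletin for that SMR would make the grouping verifiable. The `in?CallBGProvider` on the CVE-2022-39879 description line is a mis-encoded character inherited from the CVE feed, not something introduced by this commit.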
@@ -17062,11 +17068,11 @@ CVE-2022-39399 (Vulnerability in the Oracle Java SE, 
Oracle GraalVM Enterprise E
        - openjdk-17 17.0.5+8-1
        [bullseye] - openjdk-17 <postponed> (Minor issue, fix along with next 
CPU)
 CVE-2022-39398 (tasklists is a tasklists plugin for GLPI (Kanban). Versions 
prior to 2 ...)
-       TODO: check
+       NOT-FOR-US: GLPI plugin
 CVE-2022-39397
        RESERVED
 CVE-2022-39396 (Parse Server is an open source backend that can be deployed to 
any inf ...)
-       TODO: check
+       NOT-FOR-US: Node parse-server
 CVE-2022-39395
        RESERVED
 CVE-2022-39394
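Review bot: `NOT-FOR-US: GLPI plugin` on CVE-2022-39398 should name the component given in the description (`tasklists`), e.g. `NOT-FOR-US: GLPI tasklists plugin`, so that a later search for the plugin name finds this entry; the generic wording also leaves it ambiguous whether GLPI itself was considered. The `NOT-FOR-US: Node parse-server` form used for CVE-2022-39396 is the pattern to follow.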
@@ -17087,7 +17093,7 @@ CVE-2022-39388
 CVE-2022-39387 (XWiki OIDC has various tools to manipulate OpenID Connect 
protocol in  ...)
        NOT-FOR-US: XWiki
 CVE-2022-39386 (@fastify/websocket provides WebSocket support for Fastify. Any 
applica ...)
-       TODO: check
+       NOT-FOR-US: @fastify/websocket
 CVE-2022-39385
        RESERVED
 CVE-2022-39384 (OpenZeppelin Contracts is a library for secure smart contract 
developm ...)
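Review bot: minor consistency point on CVE-2022-39386: the other Node entry in this commit (CVE-2022-39396) uses the `NOT-FOR-US: Node parse-server` form, while this one is `NOT-FOR-US: @fastify/websocket`; writing `NOT-FOR-US: Node @fastify/websocket` keeps the ecosystem prefix searchable across entries.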
@@ -17138,7 +17144,7 @@ CVE-2022-39369 (phpCAS is an authentication library 
that allows PHP applications
        NOTE: 
https://github.com/apereo/phpCAS/security/advisories/GHSA-8q72-6qq8-xv64
        NOTE: Fixed by: 
https://github.com/apereo/phpCAS/commit/b759361d904a2cb2a3bcee9411fc348cfde5d163
 (1.6.0)
 CVE-2022-39368 (Eclipse Californium is a Java implementation of RFC7252 - 
Constrained  ...)
-       TODO: check
+       NOT-FOR-US: Eclipse Californium
 CVE-2022-39367 (QTIWorks is a software suite for standards-based assessment 
delivery.  ...)
        NOT-FOR-US: QTIWorks
 CVE-2022-39366 (DataHub is an open-source metadata platform. Prior to version 
0.8.45,  ...)
@@ -17176,7 +17182,7 @@ CVE-2022-39351 (Dependency-Track is a Component 
Analysis platform that allows or
 CVE-2022-39350 (@dependencytrack/frontend is a Single Page Application (SPA) 
used in D ...)
        TODO: check
 CVE-2022-39349 (The Tasks.org Android app is an open-source app for to-do 
lists and re ...)
-       TODO: check
+       NOT-FOR-US: Tasks.org Android app
 CVE-2022-39348 (Twisted is an event-based framework for internet applications. 
Started ...)
        - twisted <unfixed> (bug #1023359)
        [bullseye] - twisted <no-dsa> (Minor issue)
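Review bot: CVE-2022-39350 (@dependencytrack/frontend) is left at `TODO: check` in the context lines directly above the changed entry, while its neighbour CVE-2022-39349 is triaged in this hunk and CVE-2022-39351 (Dependency-Track) sits just above it; given the commit message's "NFUs", say whether leaving 39350 open was deliberate, otherwise it reads as a missed entry from the same batch.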



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/652bf02ac028032fed4494341842326401066372



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
