Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dd810cc0 by Moritz Muehlenhoff at 2023-02-27T17:29:00+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -56924,6 +56924,7 @@ CVE-2022-34300 (In tinyexr 1.0.1, there is a heap-based 
buffer over-read in tiny
        NOTE: https://github.com/syoyo/tinyexr/pull/175
 CVE-2022-34299 (There is a heap-based buffer over-read in libdwarf 0.4.0. This 
issue i ...)
        - dwarfutils <unfixed> (bug #1014493)
+       [bookworm] - dwarfutils <no-dsa> (Minor issue)
        [bullseye] - dwarfutils <no-dsa> (Minor issue)
        [buster] - dwarfutils <no-dsa> (Minor issue)
        [stretch] - dwarfutils <no-dsa> (Minor issue)
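Review bot: the new `[bookworm] - dwarfutils <no-dsa> (Minor issue)` line mirrors the bullseye/buster/stretch entries, but unlike CVE-2022-34300 directly above (which carries a NOTE with the upstream pull request), CVE-2022-34299 has no NOTE pointing at an upstream fix or issue; consider adding one once the upstream reference is identified, so a later triager can check whether `- dwarfutils <unfixed> (bug #1014493)` is still accurate for sid.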
@@ -62404,6 +62405,7 @@ CVE-2022-32201 (In libjpeg 1.63, there is a NULL 
pointer dereference in Componen
        NOTE: Crash in CLI tool, no security impact
 CVE-2022-32200 (libdwarf 0.4.0 has a heap-based buffer over-read in 
_dwarf_check_strin ...)
        - dwarfutils <unfixed> (bug #1012515)
+       [bookworm] - dwarfutils <no-dsa> (Minor issue)
        [bullseye] - dwarfutils <no-dsa> (Minor issue)
        [buster] - dwarfutils <no-dsa> (Minor issue)
        [stretch] - dwarfutils <no-dsa> (Minor issue)
@@ -118405,11 +118407,12 @@ CVE-2021-38580
 CVE-2021-38579
        RESERVED
 CVE-2021-38578 (Existing CommBuffer checks in SmmEntryPoint will not catch 
underflow w ...)
-       - edk2 <unfixed> (bug #1014468)
+       - edk2 2022.11-1 (bug #1014468)
        [bullseye] - edk2 <no-dsa> (Minor issue)
        [buster] - edk2 <no-dsa> (Minor issue)
        NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=3387 (private)
        NOTE: https://edk2.groups.io/g/devel/message/90516
+       NOTE: 
https://github.com/tianocore/edk2/commit/cab1f02565d3b29081dd21afb074f35fdb4e1fd6
 CVE-2021-38577
        REJECTED
 CVE-2021-38576 (A BIOS bug in firmware for a particular PC model leaves the 
Platform a ...)
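Review bot: the `<unfixed>` to `2022.11-1` change asserts a fixed Debian version, and the new NOTE with the upstream commit cab1f02565d3b29081dd21afb074f35fdb4e1fd6 is what makes that traceable; consider stating alongside it that the commit is contained in the upstream release shipped as 2022.11-1 (or citing the Debian changelog entry), since the other NOTE points at a private bugzilla entry that reviewers cannot consult, and bullseye/buster stay `<no-dsa>` on the strength of that same evidence.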
@@ -144077,6 +144080,7 @@ CVE-2021-3448 (A flaw was found in dnsmasq in 
versions before 2.85. When configu
        NOTE: 
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=74d4fcd756a85bc1823232ea74334f7ccfb9d5d2
 CVE-2021-3447 (A flaw was found in several ansible modules, where parameters 
containi ...)
        - ansible <unfixed> (bug #1014721)
+       [bookworm] - ansible <no-dsa> (Minor issue)
        [bullseye] - ansible <no-dsa> (Minor issue)
        [buster] - ansible <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939349
@@ -244446,9 +244450,8 @@ CVE-2019-19380
 CVE-2019-19379 (In app/Controller/TagsController.php in MISP 2.4.118, users 
can bypass ...)
        NOT-FOR-US: MISP
 CVE-2019-19378 (In the Linux kernel 5.0.21, mounting a crafted btrfs 
filesystem image  ...)
-       - linux <unfixed>
-       [bullseye] - linux <no-dsa> (Minor issue)
-       [buster] - linux <no-dsa> (Minor issue)
+       - linux <unfixed> (unimportant)
+       NOTE: raid 5/6 is marked as not production ready for btrfs
 CVE-2019-19377 (In the Linux kernel 5.0.21, mounting a crafted btrfs 
filesystem image, ...)
        {DLA-2483-1}
        - linux 5.6.7-1
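Review bot: downgrading CVE-2019-19378 to `(unimportant)` and dropping the per-release `<no-dsa>` lines is consistent with how the tracker treats unimportant issues, but the justification "raid 5/6 is marked as not production ready for btrfs" has no reference; consider adding a NOTE with the upstream btrfs status page or kernel documentation that says so, because the rating rests entirely on that upstream statement and should be re-evaluated if it changes.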
@@ -261170,6 +261173,7 @@ CVE-2019-14855 (A flaw was found in the way 
certificate signatures could be forg
        [stretch] - gnupg2 <no-dsa> (Minor issue)
        [jessie] - gnupg2 <ignored> (No backport to version << 2.2.x, low 
impact, danger of breaking things)
        - gnupg1 <unfixed> (low)
+       [bookworm] - gnupg1 <ignored> (Minor issue)
        [bullseye] - gnupg1 <ignored> (Minor issue)
        [buster] - gnupg1 <ignored> (Minor issue)
        [stretch] - gnupg1 <no-dsa> (Minor issue)
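Review bot: the new `[bookworm] - gnupg1 <ignored> (Minor issue)` reuses the "Minor issue" text that the stretch line pairs with `<no-dsa>`, so the same rationale now justifies two different states across releases; `<ignored>` normally carries the reason the fix will not be done (compare the gnupg2 jessie line above, "No backport to version << 2.2.x, low impact, danger of breaking things"), so consider spelling out why gnupg1 is ignored rather than no-dsa.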
@@ -270228,6 +270232,7 @@ CVE-2019-12215 (** DISPUTED ** A full path disclosure 
vulnerability was discover
        - matomo <itp> (bug #448532)
 CVE-2019-12214 (In FreeImage 3.18.0, an out-of-bounds access occurs because of 
mishand ...)
        - freeimage <unfixed> (bug #947478)
+       [bookworm] - freeimage <postponed> (Revisit when upstream fixes are 
available)
        [bullseye] - freeimage <postponed> (Revisit when upstream fixes are 
available)
        [buster] - freeimage <postponed> (Revisit when upstream fixes are 
available)
        [stretch] - freeimage <postponed> (Revisit when upstream fixes are 
available)
@@ -270245,6 +270250,7 @@ CVE-2019-12213 (When FreeImage 3.18.0 reads a special 
TIFF file, the TIFFReadDir
        NOTE: https://sourceforge.net/p/freeimage/svn/1825/
 CVE-2019-12212 (When FreeImage 3.18.0 reads a special JXR file, the 
StreamCalcIFDSize  ...)
        - freeimage <unfixed> (bug #947477)
+       [bookworm] - freeimage <postponed> (Revisit when upstream fixes are 
available)
        [bullseye] - freeimage <postponed> (Revisit when upstream fixes are 
available)
        [buster] - freeimage <postponed> (Revisit when upstream fixes are 
available)
        [stretch] - freeimage <postponed> (Revisit when upstream fixes are 
available)
@@ -336924,12 +336930,8 @@ CVE-2018-7588 (An issue was discovered in CImg 
v.220. A heap-based buffer over-r
        NOTE: https://github.com/dtschump/CImg/issues/183
        NOTE: 
https://github.com/dtschump/CImg/commit/8447076ef22322a14a0ce130837e44c5ba8095f4
 CVE-2018-7587 (An issue was discovered in CImg v.220. DoS occurs when loading 
a craft ...)
-       - cimg <unfixed> (low; bug #892780; bug #940951)
-       [bullseye] - cimg <no-dsa> (Minor issue)
-       [buster] - cimg <no-dsa> (Minor issue)
-       [stretch] - cimg <no-dsa> (Minor issue)
-       [jessie] - cimg <no-dsa> (Minor issue)
-       [wheezy] - cimg <no-dsa> (Minor issue)
+       - cimg <unfixed> (unimportant; bug #892780; bug #940951)
+       NOTE: Crash in CLI tool, no security impact
 CVE-2018-7586 (In the nextgen-gallery plugin before 2.2.50 for WordPress, 
gallery pat ...)
        NOT-FOR-US: nextgen-gallery plugin for WordPress
 CVE-2017-18212 (An issue was discovered in JerryScript 1.0. There is a 
heap-based buff ...)
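Review bot: the new rationale "Crash in CLI tool, no security impact" copies the wording used for libjpeg earlier in this patch, but CImg is primarily a header-only library and the CVE text describes a DoS when loading a crafted file; if the crash is reachable through the library code that reverse dependencies compile in, rather than only through a bundled command-line tool, `(unimportant)` understates the impact for those packages, so consider stating in the NOTE which code path was checked.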
@@ -415744,11 +415746,7 @@ CVE-2016-7965 (DokuWiki 2016-06-26a and older uses 
$_SERVER[HTTP_HOST] instead o
        NOTE: Can be adresesd by properly configure dokuwiki as per
        NOTE: 
https://github.com/splitbrain/dokuwiki/issues/1709#issuecomment-262337572
 CVE-2016-7964 (The sendRequest method in HTTPClient Class in file 
/inc/HTTPClient.php ...)
-       - dokuwiki <unfixed> (low; bug #844731)
-       [bullseye] - dokuwiki <ignored> (Minor issue)
-       [buster] - dokuwiki <ignored> (Minor issue)
-       [jessie] - dokuwiki <no-dsa> (Minor issue)
-       [wheezy] - dokuwiki <no-dsa> (Minor issue)
+       NOTE: Documented as out-of-scope/wontfix by Dokuwiki upstream
        NOTE: https://github.com/splitbrain/dokuwiki/issues/1708
 CVE-2016-7963
        RESERVED
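Review bot: removing the `- dokuwiki <unfixed> (low; bug #844731)` line along with all per-release entries leaves CVE-2016-7964 with NOTE lines only and no package status, and the link to Debian bug #844731 is lost; if upstream documents this as out of scope, the usual form is to keep the package line with `(unimportant)` next to the new NOTE so the CVE stays associated with the dokuwiki package and its bug report.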
@@ -432696,6 +432694,7 @@ CVE-2016-2782 (The treo_attach function in 
drivers/usb/serial/visor.c in the Lin
        NOTE: Upstream commit: 
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cac9b50b0d75a1d50d6c056ff65c005f3224c8e0
 (v4.5-rc2)
 CVE-2016-2781 (chroot in GNU coreutils, when used with --userspec, allows 
local users ...)
        - coreutils <unfixed> (low; bug #816320)
+       [bookworm] - coreutils <ignored> (Minor issue)
        [bullseye] - coreutils <ignored> (Minor issue)
        [buster] - coreutils <ignored> (Minor issue)
        [stretch] - coreutils <ignored> (Minor issue)
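Review bot: with the new bookworm line every release is now `<ignored> (Minor issue)` while sid stays `- coreutils <unfixed> (low; bug #816320)`, yet the entry has no NOTE explaining why the chroot `--userspec` behaviour is not going to be changed; consider adding the upstream position as a NOTE so the ignored state does not have to be re-derived each time a new release is triaged.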



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd810cc0f43a5dc3d2a0fd1cfaa563a86efe0f03

_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
