Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ec9c2e6e by Moritz Muehlenhoff at 2023-03-02T21:11:57+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -90052,6 +90052,7 @@ CVE-2022-23438 (An improper neutralization of input 
during web page generation (
        NOT-FOR-US: Fortinet
 CVE-2022-23437 (There's a vulnerability within the Apache Xerces Java 
(XercesJ) XML pa ...)
        - libxerces2-java <unfixed> (bug #1016975)
+       [bookworm] - libxerces2-java <postponed> (revisit when/if fix is 
complete)
        [bullseye] - libxerces2-java <postponed> (revisit when/if fix is 
complete)
        [buster] - libxerces2-java <postponed> (revisit when/if fix is complete)
        [stretch] - libxerces2-java <postponed> (revisit when/if fix is 
complete)
@@ -117782,8 +117783,9 @@ CVE-2021-3715 (A flaw was found in the "Routing 
decision" classifier in the Linu
        NOTE: https://www.openwall.com/lists/oss-security/2021/09/07/1
        NOTE: 
https://git.kernel.org/linus/ef299cc3fa1a9e1288665a9fdc8bff55629fd359 (5.6)
 CVE-2021-3714 (A flaw was found in the Linux kernels memory deduplication 
mechanism.  ...)
-       - linux <unfixed>
+       - linux <unfixed> (unimportant)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1931327
+       NOTE: Inherent design limitation, can be avoided by not using KSM
 CVE-2021-39245 (Hardcoded .htaccess Credentials for getlogs.cgi exist on Altus 
Nexto,  ...)
        NOT-FOR-US: Altus
 CVE-2021-39244 (Authenticated Semi-Blind Command Injection (via Parameter 
Injection) e ...)
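Review bot: the downgrade of `- linux <unfixed>` to `(unimportant)` rests entirely on the new NOTE "Inherent design limitation, can be avoided by not using KSM", and nothing in the entry records where that conclusion was reached; since the package stays `<unfixed>` in unstable, whoever revisits this triage has only the Red Hat bugzilla link to go on. Suggest extending the NOTE with a pointer to the upstream discussion (or the resolution of the linked bugzilla) that establishes the issue as a design property of KSM rather than a fixable kernel bug, so the severity choice is reproducible.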
@@ -131810,6 +131812,7 @@ CVE-2021-33565
        RESERVED
 CVE-2016-20011 (libgrss through 0.7.0 fails to perform TLS certificate 
verification wh ...)
        - libgrss <unfixed> (bug #989149)
+       [bookworm] - libgrss <ignored> (Minor issue)
        [bullseye] - libgrss <ignored> (Minor issue)
        [buster] - libgrss <ignored> (Minor issue)
        [stretch] - libgrss <ignored> (Minor issue)
@@ -181932,18 +181935,14 @@ CVE-2020-26562
 CVE-2020-26561 (** UNSUPPORTED WHEN ASSIGNED ** Belkin LINKSYS WRT160NL 
1.0.04.002_US_ ...)
        NOT-FOR-US: Belkin
 CVE-2020-26560 (Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 
and 1.0. ...)
-       - bluez <unfixed> (bug #1006406)
-       [bullseye] - bluez <no-dsa> (Minor issue)
-       [buster] - bluez <no-dsa> (Minor issue)
-       [stretch] - bluez <not-affected> (Mesh support introduced later)
+       NOT-FOR-US: Bluetooth
+       NOTE: There's no indication that any Bluetooth software in Debian is 
affected
        NOTE: https://kb.cert.org/vuls/id/799380
        NOTE: 
https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/impersonation-mesh/
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1959994
 CVE-2020-26559 (Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 
and 1.0. ...)
-       - bluez <unfixed> (bug #1006406)
-       [bullseye] - bluez <no-dsa> (Minor issue)
-       [buster] - bluez <no-dsa> (Minor issue)
-       [stretch] - bluez <not-affected> (Mesh support introduced later)
+       NOT-FOR-US: Bluetooth
+       NOTE: There's no indication that any Bluetooth software in Debian is 
affected
        NOTE: https://kb.cert.org/vuls/id/799380
        NOTE: 
https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/authvalue-leak/
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1960011
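Review bot: replacing the `bluez <unfixed> (bug #1006406)` line with `NOT-FOR-US: Bluetooth` removes the tracker's only reference to Debian bug #1006406 for CVE-2020-26560 and CVE-2020-26559; if that bug is still open it should be closed with this conclusion, or the bug number kept in a NOTE, so the BTS and the tracker do not silently diverge. The removed stretch line `<not-affected> (Mesh support introduced later)` also implies that bluez in later releases does carry Mesh support, which reads awkwardly beside the new "There's no indication that any Bluetooth software in Debian is affected"; the NOTE would be stronger if it said why bluez's Mesh code is out of scope, for instance that the CVE is filed against the Bluetooth Mesh profile 1.0/1.0.1 specification (as the description says) rather than against a bluez defect.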
@@ -181959,10 +181958,8 @@ CVE-2020-26558 (Bluetooth LE and BR/EDR secure 
pairing in Bluetooth Core Specifi
        NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00517.html
        NOTE: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=00da0fb4972cf59e1c075f313da81ea549cb8738
 CVE-2020-26557 (Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 
may perm ...)
-       - bluez <unfixed> (bug #1006406)
-       [bullseye] - bluez <no-dsa> (Minor issue)
-       [buster] - bluez <no-dsa> (Minor issue)
-       [stretch] - bluez <not-affected> (Mesh support introduced later)
+       NOT-FOR-US: Bluetooth
+       NOTE: There's no indication that any Bluetooth software in Debian is 
affected
        NOTE: https://kb.cert.org/vuls/id/799380
        NOTE: 
https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/predicatable-authvalue/
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1960009
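Review bot: dropping `- bluez <unfixed> (bug #1006406)` in favour of `NOT-FOR-US: Bluetooth` leaves CVE-2020-26557 without any link to bug #1006406, and the same bug reference is removed from the two neighbouring Mesh provisioning entries in this commit; either close #1006406 with the reasoning given in the new NOTE or add a `NOTE: see bug #1006406` line here so the decision can be traced. As with the other Mesh entries, the removed stretch line `(Mesh support introduced later)` indicates bluez in later suites has Mesh support, so the NOTE should state the basis for treating the issue as a specification problem rather than a bluez one.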
@@ -435368,6 +435365,7 @@ CVE-2016-2142 (Red Hat OpenShift Enterprise 3.1 uses 
world-readable permissions
        NOT-FOR-US: OpenShift
 CVE-2016-2141 (JGroups before 4.0 does not require the proper headers for the 
ENCRYPT ...)
        - libjgroups-java <unfixed> (low; bug #867493)
+       [bookworm] - libjgroups-java <ignored> (Minor issue, only used as build 
dep)
        [bullseye] - libjgroups-java <ignored> (Minor issue, only used as build 
dep)
        [buster] - libjgroups-java <ignored> (Minor issue, only used as build 
dep)
        [stretch] - libjgroups-java <ignored> (Minor issue, only used as build 
dep)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec9c2e6e3ff15665a2c22e849bad4d0066eda69d


_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits