[Git][security-tracker-team/security-tracker][master] Add CVE-2021-4197/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d752c9c2 by Salvatore Bonaccorso at 2022-01-04T06:42:29+01:00 Add CVE-2021-4197/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -320,8 +320,11 @@ CVE-2021-45986 RESERVED CVE-2021-45985 RESERVED -CVE-2021-4197 +CVE-2021-4197 [cgroup: Use open-time creds and namespace for migration perm checks] RESERVED + - linux + NOTE: https://lore.kernel.org/lkml/20211209214707.805617-1...@kernel.org/T/ + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2035652 CVE-2021- [XSS vulnerability via HTML messages with malicious CSS content] - roundcube (bug #1003027) NOTE: https://github.com/roundcube/roundcubemail/commit/8894fddd59b770399eed4ef8d4da5773913b5bf0 (1.5.2) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d752c9c2bd46680616d662f0da60afff67344abb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d752c9c2bd46680616d662f0da60afff67344abb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
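Review bot: the new linux entry records no fixed version and no suite triage, and its two NOTE lines point at the lore discussion and the Red Hat bug rather than at the upstream fix; once the cgroup fix commit is identified it should be added as a NOTE together with the release it landed in, the way the vim entries on this page annotate fix commits with "(v8.2.3950)". The lore URL is also shown with its message-id shortened to "20211209214707.805617-1...@kernel.org", so it cannot be resolved from this rendering; confirm the full message-id in the committed file.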
[Git][security-tracker-team/security-tracker][master] Track several fixed CVEs for vim via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 28510af7 by Salvatore Bonaccorso at 2022-01-04T06:28:12+01:00 Track several fixed CVEs for vim via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -572,13 +572,13 @@ CVE-2021-44466 (Bitmask Riseup VPN 0.21.6 contains a local privilege escalation CVE-2021-4194 RESERVED CVE-2021-4193 (vim is vulnerable to Out-of-bounds Read ...) - - vim + - vim 2:8.2.3995-1 [bullseye] - vim (Minor issue) [buster] - vim (Minor issue) NOTE: https://huntr.dev/bounties/92c1940d-8154-473f-84ce-0de43b0c2eb0 NOTE: Fixed by: https://github.com/vim/vim/commit/94f3192b03ed27474db80b4d3a409e107140738b (v8.2.3950) CVE-2021-4192 (vim is vulnerable to Use After Free ...) - - vim + - vim 2:8.2.3995-1 [bullseye] - vim (Minor issue) [buster] - vim (Minor issue) NOTE: https://huntr.dev/bounties/6dd9cb2e-a940-4093-856e-59b502429f22 @@ -808,7 +808,7 @@ CVE-2021-44775 CVE-2021-44465 RESERVED CVE-2021-4187 (vim is vulnerable to Use After Free ...) - - vim + - vim 2:8.2.3995-1 [bullseye] - vim (Minor issue) [buster] - vim (Vulnerable code introduced later) [stretch] - vim (Vulnerable code introduced later) @@ -1372,7 +1372,7 @@ CVE-2018-25023 (An issue was discovered in the smallvec crate before 0.6.13 for CVE-2021-4174 RESERVED CVE-2021-4173 (vim is vulnerable to Use After Free ...) - - vim + - vim 2:8.2.3995-1 [bullseye] - vim (Minor issue) [buster] - vim (Vulnerable code introduced later) [stretch] - vim (Vulnerable code introduced later) @@ -1813,7 +1813,7 @@ CVE-2021-45476 CVE-2021-45475 RESERVED CVE-2021-4166 (vim is vulnerable to Out-of-bounds Read ...) - - vim + - vim 2:8.2.3995-1 [bullseye] - vim (Minor issue) [buster] - vim (Minor issue) NOTE: https://huntr.dev/bounties/229df5dd-5507-44e9-832c-c70364bdf035 
@@ -3317,7 +3317,7 @@ CVE-2021-44462 CVE-2021-4137 RESERVED CVE-2021-4136 (vim is vulnerable to Heap-based Buffer Overflow ...) - - vim (bug #1002534) + - vim 2:8.2.3995-1 (bug #1002534) [bullseye] - vim (Minor issue) [buster] - vim (Vulnerable code introduced later) [stretch] - vim (Vulnerable code introduced later) @@ -5152,7 +5152,7 @@ CVE-2021-4070 CVE-2021-44549 (Apache Sling Commons Messaging Mail provides a simple layer on top of ...) NOT-FOR-US: Apache Sling CVE-2021-4069 (vim is vulnerable to Use After Free ...) - - vim + - vim 2:8.2.3995-1 NOTE: https://huntr.dev/bounties/0efd6d23-2259-4081-9ff1-3ade26907d74/ NOTE: https://github.com/vim/vim/commit/e031fe90cf2e375ce861ff5e5e281e4ad229ebb9 (v8.2.3741) CVE-2021-44548 (An Improper Input Validation vulnerability in DataImportHandler of Apa ...) @@ -6172,7 +6172,7 @@ CVE-2021-4020 (janus-gateway is vulnerable to Improper Neutralization of Input D NOTE: https://github.com/meetecho/janus-gateway/commit/ba166e9adebfe5343f826c6a9e02299d35414ffd NOTE: Issues only in janus-demos built from src:janus CVE-2021-4019 (vim is vulnerable to Heap-based Buffer Overflow ...) - - vim + - vim 2:8.2.3995-1 NOTE: https://huntr.dev/bounties/d8798584-a6c9-4619-b18f-001b9a6fca92 NOTE: https://github.com/vim/vim/commit/bd228fd097b41a798f90944b5d1245eddd484142 (v8.2.3669) CVE-2021-44220 @@ -6644,7 +6644,7 @@ CVE-2021-44041 (UiPath Assistant 21.4.4 will load and execute attacker controlle CVE-2021-3985 (kimai2 is vulnerable to Improper Neutralization of Input During Web Pa ...) NOT-FOR-US: kimai2 CVE-2021-3984 (vim is vulnerable to Heap-based Buffer Overflow ...) - - vim (bug #1001896) + - vim 2:8.2.3995-1 (bug #1001896) [bullseye] - vim (Minor issue) [buster] - vim (Minor issue) NOTE: https://huntr.dev/bounties/b114b5a2-18e2-49f0-b350-15994d71426a 
@@ -6863,14 +6863,14 @@ CVE-2021-43961 CVE-2021-43960 RESERVED CVE-2021-3974 (vim is vulnerable to Use After Free ...) - - vim (bug #1001897) + - vim 2:8.2.3995-1 (bug #1001897) [bullseye] - vim (Minor issue) [buster] - vim (Minor issue) [stretch] - vim (Minor issue) NOTE: https://huntr.dev/bounties/e402cb2c-8ec4-4828-a692-c95f8e0de6d4 NOTE: https://github.com/vim/vim/commit/64066b9acd9f8cffdf4840f797748f938a13f2d6 (v8.2.3612) CVE-2021-3973 (vim is vulnerable to Heap-based Buffer Overflow ...) - - vim (bug #1001899) + - vim 2:8.2.3995-1 (bug #1001899) [bullseye] - vim (Minor issue) [buster] - vim (Minor issue) [stretch] - vim (Minor issue) @@ -6885,7 +6885,7 @@ CVE-2021-3970 CVE-2021-3969
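Review bot: CVE-2021-4069 and CVE-2021-4019 get the fixed version 2:8.2.3995-1 but, unlike every other vim entry in this patch, carry no [bullseye]/[buster] lines, so their stable status is left undecided; either add the "(Minor issue)" or "(Vulnerable code introduced later)" triage used for the neighbouring entries or record why it is intentionally missing. The fixed version itself is consistent with the fix commits noted here (v8.2.3950 for CVE-2021-4193, v8.2.3741 for CVE-2021-4069, v8.2.3669 for CVE-2021-4019), all of which predate 8.2.3995.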
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Jeremiah C. Foster pushed to branch master at Debian Security Tracker / security-tracker Commits: 10f94880 by Jeremiah C. Foster at 2022-01-03T19:13:45-05:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Jeremiah C. Foster jerem...@jeremiahfoster.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -81,7 +81,7 @@ nvidia-graphics-drivers (Markus Koschany) NOTE: 20211108: now fixes all 5 CVEs (bunk) NOTE: 20211229: https://people.debian.org/~apo/lts/nvidia-graphics-drivers/ -- -pgbouncer (Christoph Berg) +pgbouncer NOTE: 20211220: maintainer might want to upload fixed version -- php-nette (Utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/10f94880677751472fa9afa1c1270fb678700196
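Review bot: the unclaim drops "(Christoph Berg)" but leaves no dated NOTE recording it, so the remaining line "20211220: maintainer might want to upload fixed version" is the only trace and a new claimant cannot tell whether that upload was ever pursued; add a line such as "NOTE: 20220103: unclaimed after 2 weeks of inactivity" under the entry, matching the dated-note convention visible in the nvidia-graphics-drivers context lines.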
[Git][security-tracker-team/security-tracker][master] Claim ghostscript in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 82e63bef by Markus Koschany at 2022-01-03T22:51:23+01:00 Claim ghostscript in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -45,7 +45,7 @@ firmware-nonfree (Markus Koschany) NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag NOTE: 20211207: Intend to release this week. -- -ghostscript +ghostscript (Markus Koschany) -- gpac (Roberto C. Sánchez) NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82e63bef97c2418fb47561a4df2b052ca51cd079
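Review bot: the claim adds only the name; the ghostscript entry still has no NOTE saying which issues the stretch update targets or how it is being coordinated, even though the same evening ghostscript was taken from dsa-needed.txt "for clarification" (commit 3fe4e604 on this page). A dated NOTE here stating what is being clarified with the security team would keep the LTS and stable work from diverging, as the gpac entry in the context lines does with its "coordinating with secteam" note.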
[Git][security-tracker-team/security-tracker][master] 2 commits: Add roundcube to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 18170088 by Salvatore Bonaccorso at 2022-01-03T22:41:43+01:00 Add roundcube to dsa-needed list - - - - - 3fe4e604 by Salvatore Bonaccorso at 2022-01-03T22:42:07+01:00 Take ghostscript from dsa-needed list for clarification - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -27,7 +27,7 @@ condor -- faad2/oldstable (jmm) -- -ghostscript +ghostscript (carnil) -- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point @@ -41,6 +41,9 @@ puppetdb (jmm) -- python-pysaml2 (jmm) -- +roundcube (seb) + Maintainer is preparing updates +-- ruby2.5/oldstable Maintainer is preparing updates -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/290f64b7d440f944dbcecc9c4ffe16396dd583d4...3fe4e604d25953837825f3c00cd20b4ae2f9c7ac
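Review bot: the roundcube entry gets an explanatory line ("Maintainer is preparing updates"), but the ghostscript line changes only to "(carnil)" with nothing recording what the clarification is about, so the list shows it as claimed but gives no state; add a line under it in the same style. Unrelated to the change, the linux context line reads "regulary", which should become "regularly" whenever that entry is next touched.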
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-43861/node-mermaid
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 290f64b7 by Salvatore Bonaccorso at 2022-01-03T21:32:23+01:00 Add CVE-2021-43861/node-mermaid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7288,7 +7288,9 @@ CVE-2021-43863 CVE-2021-43862 (jQuery Terminal Emulator is a plugin for creating command line interpr ...) TODO: check CVE-2021-43861 (Mermaid is a Javascript based diagramming and charting tool that uses ...) - TODO: check + - node-mermaid + NOTE: https://github.com/mermaid-js/mermaid/security/advisories/GHSA-p3rp-vmj9-gv6v + NOTE: https://github.com/mermaid-js/mermaid/commit/066b7a0d0bda274d94a2f2d21e4323dab5776d83 CVE-2021-43860 RESERVED CVE-2021-43859 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/290f64b7d440f944dbcecc9c4ffe16396dd583d4
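Review bot: node-mermaid is listed without a fixed version and without [bullseye]/[buster] triage, and the fix commit 066b7a0d is noted without the upstream release that contains it; the vim entries elsewhere in this file annotate fix commits with "(vX.Y.Z)", which makes the later version check for the stable suites much quicker, so add the release here once known. The GHSA link is the right primary reference for the advisory text.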
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c7a9dc51 by Salvatore Bonaccorso at 2022-01-03T21:31:33+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -71,7 +71,7 @@ CVE-2021-46111 CVE-2021-46110 RESERVED CVE-2021-46109 (Invalid input sanitizing leads to reflected Cross Site Scripting (XSS) ...) - TODO: check + NOT-FOR-US: ASUS CVE-2021-46108 RESERVED CVE-2021-46107 @@ -788,9 +788,9 @@ CVE-2022-0011 CVE-2021-45918 RESERVED CVE-2021-45917 (The server-request receiver function of Shockwall system has an improp ...) - TODO: check + NOT-FOR-US: Shockwall system CVE-2021-45916 (The programming function of Shockwall system has an improper input val ...) - TODO: check + NOT-FOR-US: Shockwall system CVE-2021-45915 RESERVED CVE-2021-45914 @@ -1048,7 +1048,7 @@ CVE-2021-45819 CVE-2021-45818 (SAFARI Montage 8.7.32 is affected by a CRLF injection vulnerability wh ...) NOT-FOR-US: SAFARI Montage CVE-2021-45817 (Web Viewer for Hanwha DVR version 2.17 is affected by a Cross Site Scr ...) - TODO: check + NOT-FOR-US: Web Viewer for Hanwha DVR CVE-2021-45816 RESERVED CVE-2021-45815 (Quectel UC20 UMTS/HSPA+ UC20 6.3.14 is affected by a Cross Site Script ...) @@ -2429,9 +2429,9 @@ CVE-2021-45430 CVE-2021-45429 RESERVED CVE-2021-45428 (TLR-2005KSH is affected by an incorrect access control vulnerability. ...) - TODO: check + NOT-FOR-US: TLR-2005KSH CVE-2021-45427 (Emerson XWEB 300D EVO 3.0.7--3ee403 is affected by: unauthenticated ar ...) - TODO: check + NOT-FOR-US: Emerson CVE-2021-45426 RESERVED CVE-2021-45425 (Reflected Cross Site Scripting (XSS) in SAFARI Montage versions 8.3 an ...) @@ -4171,7 +4171,7 @@ CVE-2021-44898 CVE-2021-44897 RESERVED CVE-2021-44896 (DMP Roadmap before 3.0.4 allows XSS. ...) - TODO: check + NOT-FOR-US: DMP Roadmap CVE-2021-44895 RESERVED CVE-2021-44894 
@@ -4286,7 +4286,7 @@ CVE-2021-44854 [REST API incorrectly publicly caches autocomplete search results CVE-2021-44853 RESERVED CVE-2021-44852 (An issue was discovered in BS_RCIO64.sys in Biostar RACING GT Evo 2.1. ...) - TODO: check + NOT-FOR-US: Biostar RACING GT Evo CVE-2021-44851 RESERVED CVE-2021-44850 @@ -4898,7 +4898,7 @@ CVE-2021-4072 (elgg is vulnerable to Improper Neutralization of Input During Web CVE-2021-4071 RESERVED CVE-2021-44674 (An information exposure issue has been discovered in Opmantek Open-Aud ...) - TODO: check + NOT-FOR-US: Open-AudIT CVE-2021-44673 RESERVED CVE-2021-44672 @@ -6310,13 +6310,13 @@ CVE-2021-44163 (Chain Sea ai chatbot backend has improper filtering of special c CVE-2021-44162 (Chain Sea ai chatbot systems specific file download function ha ...) NOT-FOR-US: Chain Sea CVE-2021-44161 (Changing MOTP (Mobile One Time Password) systems specific funct ...) - TODO: check + NOT-FOR-US: MOTP (Mobile One Time Password) system& CVE-2021-44160 (Carinal Tien Hospital Health Report Systems login page has impr ...) NOT-FOR-US: Carinal Tien Hospital Health Report System& CVE-2021-44159 (4MOSAn GCB Doctors file upload function has improper user privi ...) NOT-FOR-US: 4MOSAn GCB Doctor CVE-2021-44158 (ASUS RT-AX56U Wi-Fi Router is vulnerable to stack-based buffer overflo ...) - TODO: check + NOT-FOR-US: ASUS CVE-2021-4011 (A flaw was found in xorg-x11-server in versions before 21.1.2 and befo ...) {DSA-5027-1 DLA-2869-1} - xorg-server 2:1.20.13-3 @@ -7258,7 +7258,7 @@ CVE-2021-43878 CVE-2021-43877 (ASP.NET Core and Visual Studio Elevation of Privilege Vulnerability ...) NOT-FOR-US: .NET core CVE-2021-43876 (Microsoft SharePoint Elevation of Privilege Vulnerability. ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2021-43875 (Microsoft Office Graphics Remote Code Execution Vulnerability ...) NOT-FOR-US: Microsoft CVE-2021-43874 
@@ -9505,7 +9505,7 @@ CVE-2021-43335 CVE-2021-43334 RESERVED CVE-2021-4 (The Datalogic DXU service on (for example) DL-Axist devices does not r ...) - TODO: check + NOT-FOR-US: Datalogic CVE-2021-43332 (In GNU Mailman before 2.1.36, the CSRF token for the Cgi/admindb.py ad ...) - mailman (bug #1000367) [buster] - mailman (Minor issue) @@ -15517,7 +15517,7 @@ CVE-2021-41768 CVE-2021-41767 RESERVED CVE-2021-3837 (openwhyd is vulnerable to Improper Authorization ...) - TODO: check + NOT-FOR-US: openwhyd CVE-2021-41766 RESERVED CVE-2021-3836 (dbeaver is vulnerable to Improper Restriction of XML External Entity R ...) @@ -22899,7 +22899,7 @@ CVE-2021-38689 CVE-2021-38688 (An improper
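Review bot: the new NOT-FOR-US line for CVE-2021-44161 ends in a stray "&" ("MOTP (Mobile One Time Password) system&"), carried over from the mangled apostrophe in the CVE description (the existing CVE-2021-44160 line has the same artifact); drop the "&" so the product name is clean. The remaining lines are consistent with the descriptions in context: CVE-2021-44852 (BS_RCIO64.sys) and CVE-2021-44158 (ASUS RT-AX56U) have no Debian package, and CVE-2021-43876 uses the same "NOT-FOR-US: Microsoft" form as the neighbouring CVE-2021-43875.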
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2021-45959, withdrawn as it is no security issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 98816f08 by Salvatore Bonaccorso at 2022-01-03T21:18:43+01:00 Remove notes from CVE-2021-45959, withdrawn as it is no security issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -402,12 +402,6 @@ CVE-2022-0078 RESERVED CVE-2021-45959 REJECTED - - fmtlib (unimportant) - NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36110 - NOTE: https://github.com/fmtlib/fmt/issues/2685 - NOTE: Fixed by: https://github.com/fmtlib/fmt/commit/2038bf61831eb8faede0883965364a974d1350fe - NOTE: The CVE is basically invalid, as the report was one of a series of false positives - NOTE: and the "upstream fix" is effectively a noop. CVE-2021-45958 (UltraJSON (aka ujson) 4.0.2 through 5.0.0 has a stack-based buffer ove ...) - ujson NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36009 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98816f08fcd0a512b5eefbc7b59f4495c31ac108
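Review bot: clearing the entry down to a bare REJECTED also removes the two NOTE lines that explain why ("one of a series of false positives", the upstream fix "is effectively a noop"); since the fmt issue link is exactly what someone checking the withdrawn CVE will look for, consider keeping a single NOTE with the https://github.com/fmtlib/fmt/issues/2685 URL under the REJECTED line, unless the file convention is that rejected entries carry no notes at all.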
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d2560dde by security tracker role at 2022-01-03T20:10:27+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,327 @@ +CVE-2022-22306 + RESERVED +CVE-2022-22305 + RESERVED +CVE-2022-22304 + RESERVED +CVE-2022-22303 + RESERVED +CVE-2022-22302 + RESERVED +CVE-2022-22301 + RESERVED +CVE-2022-22300 + RESERVED +CVE-2022-22299 + RESERVED +CVE-2022-22298 + RESERVED +CVE-2022-22297 + RESERVED +CVE-2022-22296 + RESERVED +CVE-2022-22295 + RESERVED +CVE-2022-22294 + RESERVED +CVE-2022-0086 + RESERVED +CVE-2022-0085 + RESERVED +CVE-2022-0084 + RESERVED +CVE-2021-46129 + RESERVED +CVE-2021-46128 + RESERVED +CVE-2021-46127 + RESERVED +CVE-2021-46126 + RESERVED +CVE-2021-46125 + RESERVED +CVE-2021-46124 + RESERVED +CVE-2021-46123 + RESERVED +CVE-2021-46122 + RESERVED +CVE-2021-46121 + RESERVED +CVE-2021-46120 + RESERVED +CVE-2021-46119 + RESERVED +CVE-2021-46118 + RESERVED +CVE-2021-46117 + RESERVED +CVE-2021-46116 + RESERVED +CVE-2021-46115 + RESERVED +CVE-2021-46114 + RESERVED +CVE-2021-46113 + RESERVED +CVE-2021-46112 + RESERVED +CVE-2021-46111 + RESERVED +CVE-2021-46110 + RESERVED +CVE-2021-46109 (Invalid input sanitizing leads to reflected Cross Site Scripting (XSS) ...) 
+ TODO: check +CVE-2021-46108 + RESERVED +CVE-2021-46107 + RESERVED +CVE-2021-46106 + RESERVED +CVE-2021-46105 + RESERVED +CVE-2021-46104 + RESERVED +CVE-2021-46103 + RESERVED +CVE-2021-46102 + RESERVED +CVE-2021-46101 + RESERVED +CVE-2021-46100 + RESERVED +CVE-2021-46099 + RESERVED +CVE-2021-46098 + RESERVED +CVE-2021-46097 + RESERVED +CVE-2021-46096 + RESERVED +CVE-2021-46095 + RESERVED +CVE-2021-46094 + RESERVED +CVE-2021-46093 + RESERVED +CVE-2021-46092 + RESERVED +CVE-2021-46091 + RESERVED +CVE-2021-46090 + RESERVED +CVE-2021-46089 + RESERVED +CVE-2021-46088 + RESERVED +CVE-2021-46087 + RESERVED +CVE-2021-46086 + RESERVED +CVE-2021-46085 + RESERVED +CVE-2021-46084 + RESERVED +CVE-2021-46083 + RESERVED +CVE-2021-46082 + RESERVED +CVE-2021-46081 + RESERVED +CVE-2021-46080 + RESERVED +CVE-2021-46079 + RESERVED +CVE-2021-46078 + RESERVED +CVE-2021-46077 + RESERVED +CVE-2021-46076 + RESERVED +CVE-2021-46075 + RESERVED +CVE-2021-46074 + RESERVED +CVE-2021-46073 + RESERVED +CVE-2021-46072 + RESERVED +CVE-2021-46071 + RESERVED +CVE-2021-46070 + RESERVED +CVE-2021-46069 + RESERVED +CVE-2021-46068 + RESERVED +CVE-2021-46067 + RESERVED +CVE-2021-46066 + RESERVED +CVE-2021-46065 + RESERVED +CVE-2021-46064 + RESERVED +CVE-2021-46063 + RESERVED +CVE-2021-46062 + RESERVED +CVE-2021-46061 + RESERVED +CVE-2021-46060 + RESERVED +CVE-2021-46059 + RESERVED +CVE-2021-46058 + RESERVED +CVE-2021-46057 + RESERVED +CVE-2021-46056 + RESERVED +CVE-2021-46055 + RESERVED +CVE-2021-46054 + RESERVED +CVE-2021-46053 + RESERVED +CVE-2021-46052 + RESERVED +CVE-2021-46051 + RESERVED +CVE-2021-46050 + RESERVED +CVE-2021-46049 + RESERVED +CVE-2021-46048 + RESERVED +CVE-2021-46047 + RESERVED +CVE-2021-46046 + RESERVED +CVE-2021-46045 + RESERVED +CVE-2021-46044 + RESERVED +CVE-2021-46043 + RESERVED +CVE-2021-46042 + RESERVED +CVE-2021-46041 + RESERVED +CVE-2021-46040 + RESERVED +CVE-2021-46039 + RESERVED +CVE-2021-46038 + RESERVED +CVE-2021-46037 + RESERVED +CVE-2021-46036 + RESERVED 
+CVE-2021-46035 + RESERVED +CVE-2021-46034 + RESERVED +CVE-2021-46033 + RESERVED +CVE-2021-46032 + RESERVED +CVE-2021-46031 + RESERVED +CVE-2021-46030 + RESERVED +CVE-2021-46029 + RESERVED +CVE-2021-46028 + RESERVED +CVE-2021-46027 + RESERVED +CVE-2021-46026 + RESERVED +CVE-2021-46025 + RESERVED +CVE-2021-46024 + RESERVED +CVE-2021-46023 + RESERVED +CVE-2021-46022 + RESERVED +CVE-2021-46021 + RESERVED +CVE-2021-46020 + RESERVED +CVE-2021-46019 + RESERVED +CVE-2021-46018 + RESERVED +CVE-2021-46017 + RESERVED +CVE-2021-46016 + RESERVED +CVE-2021-46015 + RESERVED +CVE-2021-46014 + RESERVED +CVE-2021-46013 + RESERVED +CVE-2021-46012 + RESERVED +CVE-2021-46011 + RESERVED +CVE-2021-46010 + RESERVED +CVE-2021-46009 + RESERVED +CVE-2021-46008 + RESERVED +CVE-2021-46007
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2480-2 for salt
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 48fd1fa5 by Sylvain Beucler at 2022-01-03T20:59:59+01:00 Reserve DLA-2480-2 for salt - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[03 Jan 2022] DLA-2480-2 salt - regression update + [stretch] - salt 2016.11.2+ds-1+deb9u10 [31 Dec 2021] DLA-2873-1 aria2 - security update {CVE-2019-3500} [stretch] - aria2 1.30.0-2+deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/48fd1fa51bf8aa69f7f78c86d4d7db3e4cdadd25
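Review bot: the reservation records the version 2016.11.2+ds-1+deb9u10 ahead of the upload and, being a regression update, carries no {CVE} block, so that version string is the only thing tying the entry to the actual salt upload; make sure the published DLA-2480-2 text and the changelog version agree with it before the entry is left as is.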
[Git][security-tracker-team/security-tracker][master] LTS: Status update
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c501aa2 by Anton Gladky at 2022-01-03T20:25:23+01:00 LTS: Status update - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -113,4 +113,5 @@ vim (Anton) NOTE: 20211203: so worth fixing in stretch, too. Co-ordinate w/ NOTE: 20211203: Emilio since he's working on it for jessie. (utkarsh) NOTE: 20211220: WIP (Anton) + NOTE: 20220103: Upload is planed this week (Anton) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c501aa28b0ba57342201ed188ce974645576d79
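Review bot: typo in the added NOTE, "Upload is planed this week" should read "planned". It would also help to mention that unstable now has the fix in vim 2:8.2.3995-1 (commit 28510af7 on this page), which gives the stretch backport a concrete set of upstream commits to cherry-pick from.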
[Git][security-tracker-team/security-tracker][master] Triage CVE-2021-4181, CVE-2021-4182, CVE-2021-4183, CVE-2021-4184,...
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f938670 by Chris Lamb at 2022-01-03T16:27:36+00:00 Triage CVE-2021-4181, CVE-2021-4182, CVE-2021-4183, CVE-2021-4184, CVE-2021-4186 CVE-2021-4190 in wireshark for stretch LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -314,6 +314,7 @@ CVE-2021-4190 (Large loop in the Kafka dissector in Wireshark 3.6.0 allows denia - wireshark [bullseye] - wireshark (Minor issue) [buster] - wireshark (Minor issue) + [stretch] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-22.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17811 CVE-2021-4189 [ftplib should not use the host from the PASV response] 
@@ -555,36 +556,42 @@ CVE-2021-4186 (Crash in the Gryphon dissector in Wireshark 3.4.0 to 3.4.10 allow - wireshark 3.6.0-1 [bullseye] - wireshark (Minor issue) [buster] - wireshark (Minor issue) + [stretch] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-16.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17737 CVE-2021-4185 (Infinite loop in the RTMPT dissector in Wireshark 3.6.0 and 3.4.0 to 3 ...) - wireshark [bullseye] - wireshark (Minor issue) [buster] - wireshark (Minor issue) + [stretch] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-17.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17745 CVE-2021-4184 (Infinite loop in the BitTorrent DHT dissector in Wireshark 3.6.0 and 3 ...) - wireshark [bullseye] - wireshark (Minor issue) [buster] - wireshark (Minor issue) + [stretch] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-18.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17754 CVE-2021-4183 (Crash in the pcapng file parser in Wireshark 3.6.0 allows denial of se ...) - wireshark [bullseye] - wireshark (Minor issue) [buster] - wireshark (Minor issue) + [stretch] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-19.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17755 CVE-2021-4182 (Crash in the RFC 7468 dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 ...) - wireshark [bullseye] - wireshark (Minor issue) [buster] - wireshark (Minor issue) + [stretch] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-20.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17801 CVE-2021-4181 (Crash in the Sysdig Event dissector in Wireshark 3.6.0 and 3.4.0 to 3. ...) 
- wireshark [bullseye] - wireshark (Minor issue) [buster] - wireshark (Minor issue) + [stretch] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-21.html NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/5429 CVE-2021-45884 (In Brave Desktop 1.17 through 1.33 before 1.33.106, when CNAME-based a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f938670f9ac83b91135b99b9a8108e03c370902
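Review bot: all seven entries get "[stretch] - wireshark (Minor issue)", but the descriptions for CVE-2021-4183 ("pcapng file parser in Wireshark 3.6.0") and CVE-2021-4190 ("Kafka dissector in Wireshark 3.6.0") name only 3.6.0 as affected, and CVE-2021-4186 names 3.4.0 to 3.4.10; if the stretch package predates the affected code, the right wording is the "(Vulnerable code introduced later)" form used for the vim stretch lines elsewhere in this file, since "Minor issue" states that the issue is present but not worth a DLA. Worth confirming per CVE against the stretch source before the triage stands.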
[Git][security-tracker-team/security-tracker][master] 2 commits: data/dla-needed.txt: Triage ghostscript for stretch LTS (CVE-2021-45944 & CVE-2021-45949)
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: e71f99b7 by Chris Lamb at 2022-01-03T16:22:25+00:00 data/dla-needed.txt: Triage ghostscript for stretch LTS (CVE-2021-45944 & CVE-2021-45949) - - - - - 7650692a by Chris Lamb at 2022-01-03T16:22:45+00:00 Triage CVE-2021-43854 in nltk for stretch LTS. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -6979,6 +6979,7 @@ CVE-2021-43854 (NLTK (Natural Language Toolkit) is a suite of open source Python - nltk (bug #1002623) [bullseye] - nltk (Minor issue) [buster] - nltk (Minor issue) + [stretch] - nltk (Minor issue) NOTE: https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x NOTE: https://github.com/nltk/nltk/issues/2866 NOTE: https://github.com/nltk/nltk/pull/2869 = data/dla-needed.txt = @@ -45,6 +45,8 @@ firmware-nonfree (Markus Koschany) NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag NOTE: 20211207: Intend to release this week. -- +ghostscript +-- gpac (Roberto C. Sánchez) NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto) NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/35d25521bbd30e038df081a17c1cde6db6843e8e...7650692ae803f7735e3cdfa47eab5dae2e088667
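Review bot: the ghostscript entry added to dla-needed.txt has no NOTE, so the two CVEs named only in the commit message (CVE-2021-45944 and CVE-2021-45949) are invisible to whoever claims it, and the entry is indeed claimed later on this page (82e63bef) with nothing to go on; the neighbouring firmware-nonfree and gpac entries show the expected form, so add something like "NOTE: 20220103: CVE-2021-45944, CVE-2021-45949" under it. The nltk hunk is consistent with its bullseye and buster lines, which are already "Minor issue".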
[Git][security-tracker-team/security-tracker][master] "new" rust-smallvec issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 35d25521 by Moritz Muehlenhoff at 2022-01-03T16:39:07+01:00 new rust-smallvec issue rust-sha2 n/a NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -950,7 +950,8 @@ CVE-2021-45698 (An issue was discovered in the ckb crate before 0.40.0 for Rust. CVE-2021-45697 (An issue was discovered in the molecule crate before 0.7.2 for Rust. A ...) NOT-FOR-US: Rust crate molecule CVE-2021-45696 (An issue was discovered in the sha2 crate 0.9.7 before 0.9.8 for Rust. ...) - TODO: check + - rust-sha2 (Only affetced 0.9.7, never uploaded to the archive) + NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0100.html CVE-2021-45695 (An issue was discovered in the mopa crate through 2021-06-01 for Rust. ...) NOT-FOR-US: Rust crate mopa CVE-2021-45694 (An issue was discovered in the rdiff crate through 2021-02-03 for Rust ...) 
@@ -972,17 +973,17 @@ CVE-2021-45687 (An issue was discovered in the raw-cpuid crate before 9.1.1 for CVE-2021-45686 (An issue was discovered in the csv-sniffer crate through 2021-01-05 fo ...) NOT-FOR-US: Rust crate csv-sniffer CVE-2021-45685 (An issue was discovered in the columnar crate through 2021-01-07 for R ...) - TODO: check + NOT-FOR-US: Rust crate columnar CVE-2021-45684 (An issue was discovered in the flumedb crate through 2021-01-07 for Ru ...) - TODO: check + NOT-FOR-US: Rust crate flumedb CVE-2021-45683 (An issue was discovered in the binjs_io crate through 2021-01-03 for R ...) - TODO: check + NOT-FOR-US: Rust crate binjs CVE-2021-45682 (An issue was discovered in the bronzedb-protocol crate through 2021-01 ...) - TODO: check + NOT-FOR-US: Rust crate bronzedb-protocol CVE-2021-45681 (An issue was discovered in the derive-com-impl crate before 0.1.2 for ...) - TODO: check + NOT-FOR-US: Rust crate derive-com-impl CVE-2021-45680 (An issue was discovered in the vec-const crate before 2.0.0 for Rust. ...) - TODO: check + NOT-FOR-US: Rust crate vec-const CVE-2021-45111 RESERVED CVE-2021-45071 
@@ -1016,29 +1017,32 @@ CVE-2021-23176 CVE-2021-23166 RESERVED CVE-2020-36514 (An issue was discovered in the acc_reader crate through 2020-12-27 for ...) - TODO: check + NOT-FOR-US: Rust crate acc_reader CVE-2020-36513 (An issue was discovered in the acc_reader crate through 2020-12-27 for ...) - TODO: check + NOT-FOR-US: Rust crate acc_reader CVE-2020-36512 (An issue was discovered in the buffoon crate through 2020-12-31 for Ru ...) - TODO: check + NOT-FOR-US: Rust crate buffoon CVE-2020-36511 (An issue was discovered in the bite crate through 2020-12-31 for Rust. ...) - TODO: check + NOT-FOR-US: Rust crate bite CVE-2019-25055 (An issue was discovered in the libpulse-binding crate before 2.6.0 for ...) - TODO: check + NOT-FOR-US: Rust crate libpulse-binding CVE-2019-25054 (An issue was discovered in the pnet crate before 0.27.2 for Rust. Ther ...) - TODO: check + NOT-FOR-US: Rust crate pnet CVE-2018-25028 (An issue was discovered in the libpulse-binding crate before 1.2.1 for ...) - TODO: check + NOT-FOR-US: Rust crate libpulse-binding CVE-2018-25027 (An issue was discovered in the libpulse-binding crate before 1.2.1 for ...) - TODO: check + NOT-FOR-US: Rust crate libpulse-binding CVE-2018-25026 (An issue was discovered in the actix-web crate before 0.7.15 for Rust. ...) - TODO: check + NOT-FOR-US: Rust crate actix-web CVE-2018-25025 (An issue was discovered in the actix-web crate before 0.7.15 for Rust. ...) - TODO: check + NOT-FOR-US: Rust crate actix-web CVE-2018-25024 (An issue was discovered in the actix-web crate before 0.7.15 for Rust. ...) - TODO: check + NOT-FOR-US: Rust crate actix-web CVE-2018-25023 (An issue was discovered in the smallvec crate before 0.6.13 for Rust. ...) - TODO: check + - rust-smallvec 1.1.0-1 + [buster] - rust-smallvec (Minor issue) + NOTE: https://rustsec.org/advisories/RUSTSEC-2018-0018.html + NOTE: https://github.com/servo/rust-smallvec/issues/126 CVE-2021-4174 RESERVED CVE-2021-4173 (vim is vulnerable to Use After Free ...) 
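Review bot: typo in the rust-sha2 line, "Only affetced 0.9.7" should be "Only affected 0.9.7". The NOT-FOR-US for CVE-2021-45683 says "Rust crate binjs" while the CVE description names the binjs_io crate; use the exact crate name so the line can be matched against the advisory later. The rust-smallvec entry reads correctly: 1.1.0-1 is well past the "before 0.6.13" range in the description, and the buster line records the no-DLA decision.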
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35d25521bbd30e038df081a17c1cde6db6843e8e
[Git][security-tracker-team/security-tracker][master] new rust-nix, rust-tokio issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 379f42ac by Moritz Muehlenhoff at 2022-01-03T16:01:43+01:00 new rust-nix, rust-tokio issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -916,13 +916,19 @@ CVE-2021-45712 (An issue was discovered in the rust-embed crate before 6.3.0 for CVE-2021-45711 (An issue was discovered in the simple_asn1 crate 0.6.0 before 0.6.1 fo ...) NOT-FOR-US: Rust crate simple_asn1 CVE-2021-45710 (An issue was discovered in the tokio crate before 1.8.4, and 1.9.x thr ...) - TODO: check + - rust-tokio + [bullseye] - rust-tokio (Minor issue) + NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0124.html + NOTE: https://github.com/tokio-rs/tokio/issues/4225 CVE-2021-45709 (An issue was discovered in the crypto2 crate through 2021-10-08 for Ru ...) NOT-FOR-US: Rust crate crypto2 CVE-2021-45708 (An issue was discovered in the abomonation crate through 2021-10-17 fo ...) NOT-FOR-US: Rust crate abomonation CVE-2021-45707 (An issue was discovered in the nix crate before 0.20.2, 0.21.x before ...) - TODO: check + - rust-nix 0.23.0-1 + [bullseye] - rust-nix (Minor issue) + [buster] - rust-nix (Introduced in 0.16) + NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0119.html CVE-2021-45706 (An issue was discovered in the zeroize_derive crate before 1.1.1 for R ...) NOT-FOR-US: Rust crate zeroize_derive CVE-2021-45705 (An issue was discovered in the nanorand crate before 0.6.1 for Rust. T ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/379f42ac960b30e0e91e451d58b1fdbc9572ebf2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/379f42ac960b30e0e91e451d58b1fdbc9572ebf2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new libgrokj2k, openexr issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a2d66857 by Moritz Muehlenhoff at 2022-01-03T15:53:17+01:00 new libgrokj2k, openexr issues NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -136,11 +136,11 @@ CVE-2021-45948 (Open Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a hea NOTE: https://github.com/assimp/assimp/pull/4146 NOTE: https://github.com/assimp/assimp/commit/30f17aa2064b86c0096f0ec701b9e8ea9312fef2 (v5.1.0) CVE-2021-45947 (Wasm3 0.5.0 has an out-of-bounds write in Runtime_Release (called from ...) - TODO: check + NOT-FOR-US: wasm3 CVE-2021-45946 (Wasm3 0.5.0 has an out-of-bounds write in CompileBlock (called from Co ...) - TODO: check + NOT-FOR-US: wasm3 CVE-2021-45945 (uWebSockets 19.0.0 through 20.8.0 has an out-of-bounds write in std::_ ...) - TODO: check + NOT-FOR-US: uWebSockets CVE-2021-45944 (Ghostscript GhostPDL 9.50 through 9.53.3 has a use-after-free in sampl ...) - ghostscript NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29903 @@ -156,7 +156,9 @@ CVE-2021-45943 (GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCI NOTE: https://github.com/OSGeo/gdal/commit/9b2bcbc47d1649adc0ab65b801f96f56156cf017 (v3.4.1RC1) NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/gdal/OSV-2021-1651.yaml CVE-2021-45942 (OpenEXR 3.1.0 through 3.1.3 has a heap-based buffer overflow in Imf_3_ ...) - TODO: check + - openexr + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41416 + NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/db217f29dfb24f6b4b5100c24ac5e7490e1c57d0 CVE-2021-45941 (libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (8 bytes) in _ ...) - libbpf NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40957 
@@ -168,21 +170,23 @@ CVE-2021-45940 (libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (4 bytes NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libbpf/OSV-2021-1562.yaml TODO: check details on fixing commit upstream, furthermore intorducing commit is only when oss-fuzz started CVE-2021-45939 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttClient_De ...) - TODO: check + NOT-FOR-US: uWebSockets CVE-2021-45938 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttClient_De ...) - TODO: check + NOT-FOR-US: wolfMQTT CVE-2021-45937 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttClient_De ...) - TODO: check + NOT-FOR-US: wolfMQTT CVE-2021-45936 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttDecode_Di ...) - TODO: check + NOT-FOR-US: wolfMQTT CVE-2021-45935 (Grok 9.5.0 has a heap-based buffer overflow in openhtj2k::T1OpenHTJ2K: ...) - TODO: check + - libgrokj2k + NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=39021 + NOTE: Referenced fix isn't in the upstream repo CVE-2021-45934 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttClient_De ...) - TODO: check + NOT-FOR-US: wolfMQTT CVE-2021-45933 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow (8 bytes) in Mqt ...) - TODO: check + NOT-FOR-US: wolfMQTT CVE-2021-45932 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow (4 bytes) in Mqt ...) - TODO: check + NOT-FOR-US: wolfMQTT CVE-2021-45931 (HarfBuzz 2.9.0 has an out-of-bounds write in hb_bit_set_invertible_t:: ...) - harfbuzz NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37425 
@@ -200,7 +204,7 @@ CVE-2021-45930 (Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1 has an NOTE: https://github.com/qt/qtsvg/commit/a3b753c2d077313fc9eb93af547051b956e383fc (v5.12.12) TODO: check if impact present for qt4-x11, furthermore while fixed in 5.12.12 it is not in 5.15.y. CVE-2021-45929 (Wasm3 0.5.0 has an out-of-bounds write in CompileBlock (called from Co ...) - TODO: check + NOT-FOR-US: wasm3 CVE-2021-45928 (libjxl b02d6b9, as used in libvips 8.11 through 8.11.2 and other produ ...) - jpeg-xl (Vulnerable code not present in a released Debian version; fixed before inital upload to Debian) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36456 @@ -892,75 +896,75 @@ CVE-2021-4180 CVE-2021-4179 (livehelperchat is vulnerable to Improper Neutralization of Input Durin ...) NOT-FOR-US: livehelperchat CVE-2021-45720 (An issue was discovered in the lru crate before 0.7.1 for Rust. The it ...) - TODO: check + NOT-FOR-US: Rust crate lru CVE-2021-45719 (An issue was discovered in the rusqlite crate 0.25.x before 0.25.4 and ...) - TODO: check +
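Review bot: In the @@ -168,21 +170,23 @@ hunk, CVE-2021-45939 is a wolfSSL wolfMQTT issue (its description says so, and the neighbouring CVE-2021-45938 through CVE-2021-45932 entries are all tagged `NOT-FOR-US: wolfMQTT`), yet its new line reads `NOT-FOR-US: uWebSockets`, which looks copied from the CVE-2021-45945 line in the first hunk; it should read `NOT-FOR-US: wolfMQTT`.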
[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4790e347 by Moritz Muehlenhoff at 2022-01-03T15:29:07+01:00 buster/bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6963,6 +6963,8 @@ CVE-2021-43855 (Wiki.js is a wiki app built on node.js. Wiki.js 2.5.263 and earl NOT-FOR-US: Wiki.js CVE-2021-43854 (NLTK (Natural Language Toolkit) is a suite of open source Python modul ...) - nltk (bug #1002623) + [bullseye] - nltk (Minor issue) + [buster] - nltk (Minor issue) NOTE: https://github.com/nltk/nltk/security/advisories/GHSA-f8m6-h2c7-8h9x NOTE: https://github.com/nltk/nltk/issues/2866 NOTE: https://github.com/nltk/nltk/pull/2869 @@ -10543,7 +10545,9 @@ CVE-2021-43173 (In NLnet Labs Routinator prior to 0.10.2, a validation run can b CVE-2021-43172 (NLnet Labs Routinator prior to 0.10.2 happily processes a chain of RRD ...) - routinator (bug #929024) - fort-validator + [bullseye] - fort-validator (Minor issue, revisit when fixed upstream) - cfrpki + [bullseye] - cfrpki (Minor issue, revisit when fixed upstream) - rpki-client 7.5-1 NOTE: https://www.nlnetlabs.nl/downloads/routinator/CVE-2021-43172_CVE-2021-43173_CVE-2021-43174.txt NOTE: https://github.com/NLnetLabs/routinator/pull/665 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4790e3475603ca694671aeb453f87db9d0ca2677 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4790e3475603ca694671aeb453f87db9d0ca2677 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Updating Front Desk file for 2022.
Jeremiah C. Foster pushed to branch master at Debian Security Tracker / security-tracker Commits: 3f5b59b3 by Jeremiah C. Foster at 2022-01-03T01:48:20-05:00 Updating Front Desk file for 2022. - - - - - e54e854a by Jeremiah C. Foster at 2022-01-03T08:53:46-05:00 Merge branch master of salsa.debian.org:security-tracker-team/security-tracker - - - - - 1 changed file: - org/lts-frontdesk.2022.txt Changes: = org/lts-frontdesk.2022.txt = 
@@ -15,51 +15,51 @@ From 03-01 to 09-01:Chris Lamb From 10-01 to 16-01:Sylvain Beucler From 17-01 to 23-01:Thorsten Alteholz From 24-01 to 30-01:Utkarsh Gupta -From 31-01 to 06-02:Sylvain Beucler -From 07-02 to 13-02:Chris Lamb +From 31-01 to 06-02:Chris Lamb +From 07-02 to 13-02:Thorsten Alteholz From 14-02 to 20-02:Utkarsh Gupta -From 21-02 to 27-02:Thorsten Alteholz +From 21-02 to 27-02:Emilio Pozuelo Monfort From 28-02 to 06-03:Sylvain Beucler From 07-03 to 13-03:Chris Lamb -From 14-03 to 20-03:Utkarsh Gupta -From 21-03 to 27-03:Thorsten Alteholz -From 28-03 to 03-04:Sylvain Beucler -From 04-04 to 10-04:Chris Lamb -From 11-04 to 17-04:Utkarsh Gupta -From 18-04 to 24-04:Thorsten Alteholz -From 25-04 to 01-05:Utkarsh Gupta -From 02-05 to 08-05:Sylvain Beucler -From 09-05 to 15-05:Chris Lamb -From 16-05 to 22-05:Utkarsh Gupta -From 23-05 to 29-05:Thorsten Alteholz -From 30-05 to 05-06:Sylvain Beucler -From 06-06 to 12-06:Chris Lamb -From 13-06 to 19-06:Utkarsh Gupta -From 20-06 to 26-06:Thorsten Alteholz -From 27-06 to 03-07:Utkarsh Gupta -From 04-07 to 10-07:Sylvain Beucler -From 11-07 to 17-07:Chris Lamb -From 18-07 to 24-07:Thorsten Alteholz -From 25-07 to 31-07:Utkarsh Gupta -From 01-08 to 07-08:Sylvain Beucler -From 08-08 to 14-08:Utkarsh Gupta -From 15-08 to 21-08:Chris Lamb -From 22-08 to 28-08:Thorsten Alteholz -From 29-08 to 04-09:Sylvain Beucler -From 05-09 to 11-09:Chris Lamb -From 12-09 to 18-09:Utkarsh Gupta -From 19-09 to 25-09:Thorsten Alteholz -From 26-09 to 02-10:Utkarsh Gupta -From 03-10 to 09-10:Sylvain Beucler -From 10-10 to 16-10:Utkarsh Gupta -From 17-10 to 23-10:Chris Lamb -From 24-10 to 30-10:Thorsten Alteholz -From 31-10 to 06-11:Sylvain Beucler -From 07-11 to 13-11:Utkarsh Gupta -From 14-11 to 20-11:Anton Gladky -From 21-11 to 27-11:Thorsten Alteholz -From 28-11 to 04-12:Sylvain Beucler -From 05-12 to 11-12:Chris Lamb -From 12-12 to 18-12:Thorsten Alteholz -From 19-12 to 25-12:Utkarsh Gupta -From 26-12 to 01-01:Anton Gladky +From 14-03 to 
20-03:Chris Lamb +From 21-03 to 27-03:Utkarsh Gupta +From 28-03 to 03-04:Anton Gladky +From 04-04 to 10-04:Thorsten Alteholz +From 11-04 to 17-04:Thorsten Alteholz +From 18-04 to 24-04:Thorsten Alteholz +From 25-04 to 01-05:Emilio Pozuelo Monfort +From 02-05 to 08-05:Chris Lamb +From 09-05 to 15-05:Ola Lundqvist +From 16-05 to 22-05:Sylvain Beucler +From 23-05 to 29-05:Anton Gladky +From 30-05 to 05-06:Ola Lundqvist +From 06-06 to 12-06:Ola Lundqvist +From 13-06 to 19-06:Thorsten Alteholz +From 20-06 to 26-06:Ola Lundqvist +From 27-06 to 03-07:Anton Gladky +From 04-07 to 10-07:Ola Lundqvist +From 11-07 to 17-07:Emilio Pozuelo Monfort +From 18-07 to 24-07:Emilio Pozuelo Monfort +From 25-07 to 31-07:Chris Lamb +From 01-08 to 07-08:Ola Lundqvist +From 08-08 to 14-08:Emilio Pozuelo Monfort +From 15-08 to 21-08:Sylvain Beucler +From 22-08 to 28-08:Emilio Pozuelo Monfort +From 29-08 to 04-09:Anton Gladky +From 05-09 to 11-09:Anton Gladky +From 12-09 to 18-09:Sylvain Beucler +From 19-09 to 25-09:Anton Gladky +From 26-09 to 02-10:Sylvain Beucler +From 03-10 to 09-10:Utkarsh Gupta +From 10-10 to 16-10:Ola Lundqvist +From 17-10 to 23-10:Anton Gladky +From 24-10 to 30-10:Ola Lundqvist +From 31-10 to 06-11:Chris Lamb +From 07-11 to 13-11:Chris Lamb +From 14-11 to 20-11:Emilio Pozuelo Monfort +From 21-11 to 27-11:Utkarsh Gupta +From 28-11 to 04-12:Utkarsh Gupta +From 05-12 to 11-12:Anton Gladky +From 12-12 to 18-12:Thorsten Alteholz +From 19-12 to 25-12:Thorsten Alteholz +From 26-12 to 01-01:Anton Gladky View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6ba8808a5b008d774811d1dccf26c3850481c750...e54e854a39b6383e1e80b1532ec6952b34a96356 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6ba8808a5b008d774811d1dccf26c3850481c750...e54e854a39b6383e1e80b1532ec6952b34a96356 You're receiving this email because of your account on salsa.debian.org. 
[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2021-36980/openvswitch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6ba8808a by Salvatore Bonaccorso at 2022-01-03T14:20:44+01:00 Track fixed version via unstable for CVE-2021-36980/openvswitch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -26798,7 +26798,7 @@ CVE-2021-23203 CVE-2021-23184 RESERVED CVE-2021-36980 (Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-f ...) - - openvswitch (bug #991308) + - openvswitch 2.15.0+ds1-10 (bug #991308) [bullseye] - openvswitch (Minor issue) [buster] - openvswitch (Vulnerable code not present, introduced in 2.11) [stretch] - openvswitch (Vulnerable code not present, introduced in 2.11) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ba8808a5b008d774811d1dccf26c3850481c750 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ba8808a5b008d774811d1dccf26c3850481c750 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add additional reference for CVE-2021-45949
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c87d945 by Salvatore Bonaccorso at 2022-01-03T14:15:13+01:00 Add additional reference for CVE-2021-45949 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -127,6 +127,7 @@ CVE-2021-45950 (LibreDWG 0.12.4.4313 through 0.12.4.4367 has an out-of-bounds wr CVE-2021-45949 (Ghostscript GhostPDL 9.50 through 9.54.0 has a heap-based buffer overf ...) - ghostscript 9.55.0~dfsg-1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34675 + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=703902 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=2a3129365d3bc0d4a41f107ef175920d1505d1f7 CVE-2021-45948 (Open Asset Import Library (aka assimp) 5.1.0 and 5.1.1 has a heap-base ...) - assimp 5.1.1~ds0-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c87d945022d01ca7f0d832407d1e04f417b7b36 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c87d945022d01ca7f0d832407d1e04f417b7b36 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lts: take clamav
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: f7c1c7ae by Emilio Pozuelo Monfort at 2022-01-03T13:37:34+01:00 lts: take clamav - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -24,6 +24,8 @@ apng2gif NOTE: 20211229: CVE-2017-6960 was fixed in DLAs for wheezy and jessie NOTE: 20211229: but is unfixed in stretch, plus 2 additional CVEs (bunk) -- +clamav (Emilio) +-- condor (Anton) NOTE: 20211216: full details embargoed NOTE: 20211227: the fix is out and now available; cf: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7c1c7aea623f75e54a9d54229e61ffeef0d794a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7c1c7aea623f75e54a9d54229e61ffeef0d794a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lts: update notes
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 32b98d5d by Emilio Pozuelo Monfort at 2022-01-03T12:38:59+01:00 lts: update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -102,6 +102,7 @@ thunderbird (Emilio) NOTE: 20211122: blocked on toolchain backports (pochu) NOTE: 20211206: progressing on the toolchain front (pochu) NOTE: 20211220: backport in progress, making it build with python3.5 (pochu) + NOTE: 20210103: DSA released, DLA will follow today (pochu) -- vim (Anton) NOTE: 20211203: adding here as it's in the ela-needed as well View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32b98d5dac11206866e242a5645f264e4211ffc7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32b98d5dac11206866e242a5645f264e4211ffc7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
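Review bot: The added line `NOTE: 20210103: DSA released, DLA will follow today (pochu)` carries the date stamp 20210103, which would place it a year before the preceding 20211122, 20211206 and 20211220 notes in the same thunderbird entry; given the commit timestamp of 2022-01-03 the stamp should be 20220103.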
[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a683fc19 by Moritz Muehlenhoff at 2022-01-03T11:44:28+01:00 buster/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -307,6 +307,8 @@ CVE-2021-45919 RESERVED CVE-2021-4190 (Large loop in the Kafka dissector in Wireshark 3.6.0 allows denial of ...) - wireshark + [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-22.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17811 CVE-2021-4189 [ftplib should not use the host from the PASV response] 
@@ -546,26 +548,38 @@ CVE-2021-45885 (An issue was discovered in Stormshield Network Security (SNS) 4. NOT-FOR-US: Stormshield Network Security (SNS) CVE-2021-4186 (Crash in the Gryphon dissector in Wireshark 3.4.0 to 3.4.10 allows den ...) - wireshark 3.6.0-1 + [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-16.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17737 CVE-2021-4185 (Infinite loop in the RTMPT dissector in Wireshark 3.6.0 and 3.4.0 to 3 ...) - wireshark + [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-17.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17745 CVE-2021-4184 (Infinite loop in the BitTorrent DHT dissector in Wireshark 3.6.0 and 3 ...) - wireshark + [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-18.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17754 CVE-2021-4183 (Crash in the pcapng file parser in Wireshark 3.6.0 allows denial of se ...) - wireshark + [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-19.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17755 CVE-2021-4182 (Crash in the RFC 7468 dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 ...) - wireshark + [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-20.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17801 CVE-2021-4181 (Crash in the Sysdig Event dissector in Wireshark 3.6.0 and 3.4.0 to 3. ...) 
- wireshark + [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2021-21.html NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/5429 CVE-2021-45884 (In Brave Desktop 1.17 through 1.33 before 1.33.106, when CNAME-based a ...) @@ -1511,6 +1525,8 @@ CVE-2021-45464 RESERVED CVE-2021-45463 (GEGL before 0.4.34, as used (for example) in GIMP before 2.10.30, allo ...) - gegl 1:0.4.34-1 (bug #1002661) + [bullseye] - gegl (Minor issue) + [buster] - gegl (Minor issue) [stretch] - gegl (Minor issue; can be fixed later) NOTE: Fixed by: https://gitlab.gnome.org/GNOME/gegl/-/commit/bfce470f0f2f37968862129d5038b35429f2909b (GEGL_0_4_34) NOTE: Followup: https://gitlab.gnome.org/GNOME/gegl/-/commit/2172cf7e8d7e8891ae2053d6eef213d5bef939cb (GEGL_0_4_34) = data/dsa-needed.txt = @@ -27,6 +27,8 @@ condor -- faad2/oldstable (jmm) -- +ghostscript +-- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v4.19.y versions. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a683fc19f56af499938ee5f02a09f9e872676cf4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a683fc19f56af499938ee5f02a09f9e872676cf4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Triage CVE-2021-45960 in expat for stretch LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: d033b1b8 by Chris Lamb at 2022-01-03T10:09:42+00:00 Triage CVE-2021-45960 in expat for stretch LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -69,6 +69,7 @@ CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or mor - expat (bug #1002994) [bullseye] - expat (Minor issue; can be fixed via point release) [buster] - expat (Minor issue; can be fixed via point release) + [stretch] - expat (Minor issue) NOTE: https://github.com/libexpat/libexpat/issues/531 NOTE: https://github.com/libexpat/libexpat/pull/534 CVE-2022-0079 (showdoc is vulnerable to Generation of Error Message Containing Sensit ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d033b1b8b273e2123a01d59071f481afe98cfbac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d033b1b8b273e2123a01d59071f481afe98cfbac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add new roundcube issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 04bc36b3 by Salvatore Bonaccorso at 2022-01-03T09:50:21+01:00 Add new roundcube issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2021- [XSS vulnerability via HTML messages with malicious CSS content] + - roundcube (bug #1003027) + NOTE: https://github.com/roundcube/roundcubemail/commit/8894fddd59b770399eed4ef8d4da5773913b5bf0 (1.5.2) + NOTE: https://github.com/roundcube/roundcubemail/commit/b2400a4b592e3094b6c84e6000d512f99ae0eed8 (1.4.13) + NOTE: https://roundcube.net/news/2021/12/30/update-1.5.2-released + NOTE: https://roundcube.net/news/2021/12/30/security-update-1.4.13-released CVE-2022-0083 RESERVED CVE-2022-0082 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04bc36b388bad8f98a26b9ad1ccf4c57d621d871 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04bc36b388bad8f98a26b9ad1ccf4c57d621d871 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c4ef0f6a by Salvatore Bonaccorso at 2022-01-03T09:35:39+01:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -66,7 +66,7 @@ CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or mor NOTE: https://github.com/libexpat/libexpat/issues/531 NOTE: https://github.com/libexpat/libexpat/pull/534 CVE-2022-0079 (showdoc is vulnerable to Generation of Error Message Containing Sensit ...) - TODO: check + NOT-FOR-US: showdoc CVE-2022-0078 RESERVED CVE-2021-45959 (** DISPUTED ** {fmt} 7.1.0 through 8.0.1 has a stack-based buffer over ...) @@ -54262,7 +54262,7 @@ CVE-2021-25983 (In Factor (App Framework Headless CMS) forum plugin, versi CVE-2021-25982 (In Factor (App Framework Headless CMS) forum plugin, versions 1. ...) NOT-FOR-US: Factor (App Framework & Headless CMS) CVE-2021-25981 (In Talkyard, regular versions v0.2021.20 through v0.2021.33 and dev ve ...) - TODO: check + NOT-FOR-US: Talkyard CVE-2021-25980 (In Talkyard, versions v0.04.01 through v0.6.74-WIP-63220cb, v0.2020.22 ...) NOT-FOR-US: Talkyard CVE-2021-25979 (Apostrophe CMS versions between 2.63.0 to 3.3.1 affected by an insuffi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4ef0f6a6857d19f88e0fb971c97f05436e65169 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4ef0f6a6857d19f88e0fb971c97f05436e65169 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e7ffa5d0 by security tracker role at 2022-01-03T08:10:12+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2022-0083 + RESERVED +CVE-2022-0082 + RESERVED CVE-2022-22293 (admin/limits.php in Dolibarr 7.0.2 allows HTML injection, as demonstra ...) - dolibarr CVE-2022-0081 @@ -61,8 +65,8 @@ CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or mor [buster] - expat (Minor issue; can be fixed via point release) NOTE: https://github.com/libexpat/libexpat/issues/531 NOTE: https://github.com/libexpat/libexpat/pull/534 -CVE-2022-0079 - RESERVED +CVE-2022-0079 (showdoc is vulnerable to Generation of Error Message Containing Sensit ...) + TODO: check CVE-2022-0078 RESERVED CVE-2021-45959 (** DISPUTED ** {fmt} 7.1.0 through 8.0.1 has a stack-based buffer over ...) @@ -54231,8 +54235,8 @@ CVE-2021-25996 RESERVED CVE-2021-25995 RESERVED -CVE-2021-25994 - RESERVED +CVE-2021-25994 (In Userfrosting, versions v0.3.1 to v4.6.2 are vulnerable to Host Head ...) + TODO: check CVE-2021-25993 (In Requarks wiki.js, versions 2.0.0-beta.147 to 2.5.255 are affected b ...) TODO: check CVE-2021-25992 
@@ -54257,8 +54261,8 @@ CVE-2021-25983 (In Factor (App Framework Headless CMS) forum plugin, versi NOT-FOR-US: Factor (App Framework & Headless CMS) CVE-2021-25982 (In Factor (App Framework Headless CMS) forum plugin, versions 1. ...) NOT-FOR-US: Factor (App Framework & Headless CMS) -CVE-2021-25981 - RESERVED +CVE-2021-25981 (In Talkyard, regular versions v0.2021.20 through v0.2021.33 and dev ve ...) + TODO: check CVE-2021-25980 (In Talkyard, versions v0.04.01 through v0.6.74-WIP-63220cb, v0.2020.22 ...) NOT-FOR-US: Talkyard CVE-2021-25979 (Apostrophe CMS versions between 2.63.0 to 3.3.1 affected by an insuffi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7ffa5d0726c1faf8cb8ff225003d8b5c91b9742 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7ffa5d0726c1faf8cb8ff225003d8b5c91b9742 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits