[Git][security-tracker-team/security-tracker][master] Add CVE-2022-0400/linux

2022-01-30 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6a7216ea by Salvatore Bonaccorso at 2022-01-31T08:55:00+01:00
Add CVE-2022-0400/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -114,8 +114,11 @@ CVE-2022-0402
RESERVED
 CVE-2022-0401
RESERVED
-CVE-2022-0400
+CVE-2022-0400 [Out of bounds read in the smc protocol stack]
RESERVED
+   - linux 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2044575
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2040604 (not public)
 CVE-2022-0399
RESERVED
 CVE-2022-0398
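Review bot: the new `- linux` line carries no fixed version and no upstream fix reference; the only references are two Red Hat bugzilla entries, one of them flagged (not public). The status marker that normally sits between the package name and any parenthetical looks stripped in this rendering (trailing space after `linux`), so confirm the committed line still reads `- linux <unfixed>`, and add the upstream fix commit as a NOTE once it is public so the entry is not left looking fully triaged.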



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a7216ea548b7162822cdca00a846d3cf985c015

-- 
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Add CVE-2022-24130/xterm

2022-01-30 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f019646f by Salvatore Bonaccorso at 2022-01-31T07:14:18+01:00
Add CVE-2022-24130/xterm

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6,6 +6,11 @@ CVE-2022-0416
RESERVED
 CVE-2022-0415
RESERVED
+CVE-2022-24130 [xterm buffer overflow via crafted sixel]
+   - xterm 
+   NOTE: https://twitter.com/nickblack/status/1487731459398025216
+   NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/2
+   NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/3
 CVE-2022-24129
RESERVED
 CVE-2022-24128
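Review bot: the xterm entry has no fixed-version or upstream-patch reference; the three NOTEs are a tweet and two oss-security posts. A tweet is a weak primary reference for a buffer overflow, so once the xterm release or patch that fixes the sixel handling is identified, record it here together with the per-release status for bullseye/buster/stretch, and keep the oss-security links as the durable references.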



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f019646f362693dc2037ebcea1bd7366dd9de91f



[Git][security-tracker-team/security-tracker][master] 2 commits: Adjust tracking for CVE-2022-23808

2022-01-30 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f0f022e1 by Salvatore Bonaccorso at 2022-01-31T06:20:08+01:00
Adjust tracking for CVE-2022-23808

Rationale: CVE-2022-23808 is about the setup for phpmyadmin, not
available in Debian according to the reference, but the code is affected.
Thus demote the severity to unimportant and mark it as fixed once 5.1.2
lands.

- - - - -
33591c4c by Salvatore Bonaccorso at 2022-01-31T06:21:58+01:00
Adjust tracking for CVE-2022-23807

Rationale: The 2FA support is not packaged according to the research and
references, but the affected source code is. Demote the severity to
unimportant and mark it as fixed once 5.1.2 lands in unstable.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1500,18 +1500,17 @@ CVE-2021-4208
 CVE-2022-23809
RESERVED
 CVE-2022-23808 (An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An 
attacker ca ...)
-   - phpmyadmin  (2FA is not packaged yet and the setup is 
not available to be used)
+   - phpmyadmin  (unimportant)
NOTE: https://www.phpmyadmin.net/security/PMASA-2022-2/
NOTE: 
https://github.com/phpmyadmin/phpmyadmin/commit/5118acce1dfcdb09cbc0f73927bf51c46feeaf38
NOTE: 
https://github.com/phpmyadmin/phpmyadmin/commit/44eb12f15a562718bbe54c9a16af91ceea335d59
NOTE: https://salsa.debian.org/phpmyadmin-team/phpmyadmin/-/issues/28 
(setup not available)
-   NOTE: https://salsa.debian.org/phpmyadmin-team/phpmyadmin/-/issues/3 
(missing 2FA packages)
 CVE-2022-23807 (An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 
before  ...)
-   - phpmyadmin  (2FA is not packaged yet and the setup is 
not available to be used)
+   - phpmyadmin  (unimportant)
NOTE: https://www.phpmyadmin.net/security/PMASA-2022-1/
NOTE: 
https://github.com/phpmyadmin/phpmyadmin/commit/ca54f1db050859eb8555875c6aa5d7796fdf4b32
-   NOTE: https://salsa.debian.org/phpmyadmin-team/phpmyadmin/-/issues/28 
(setup not available)
NOTE: https://salsa.debian.org/phpmyadmin-team/phpmyadmin/-/issues/3 
(missing 2FA packages)
+   NOTE: 2FA support is not packaged in Debian
 CVE-2022-23806
RESERVED
 CVE-2022-23805
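Review bot: for CVE-2022-23808 the reason for `(unimportant)` now lives only in the parenthetical on the issues/28 link (setup not available), whereas CVE-2022-23807 gets an explicit `NOTE: 2FA support is not packaged in Debian`. Add a matching plain-language NOTE to CVE-2022-23808 saying that the setup script is not shipped in the Debian package, so both entries explain the severity demotion the same way and the rationale survives if the salsa issue is closed or moved.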



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/34982fa7b201b730fa6c8cff987430f27a1bf11b...33591c4ccae719c469d82dbf97e5263e0ab02f21



[Git][security-tracker-team/security-tracker][master] 11 commits: Mark CVE-2021-22060/libspring-java as end-of-life for stretch

2022-01-30 Thread Utkarsh Gupta (@utkarsh)
 versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, 
and older ...)
- libspring-java 
+   [stretch] - libspring-java  (EOL'd for stretch)
NOTE: follow-up to CVE-2021-22096
NOTE: https://tanzu.vmware.com/security/cve-2021-22060
 CVE-2021-22059


=
data/dla-needed.txt
=
@@ -64,10 +64,15 @@ libarchive (Thorsten Alteholz)
 libgit2 (Utkarsh)
   NOTE: 20220125: got clearance. will upload this week. (utkarsh)
 --
+librecad
+--
 linux (Ben Hutchings)
 --
 linux-4.19 (Ben Hutchings)
 --
+minetest
+  NOTE: 20220130: double check for impact. (utkarsh)
+--
 openjdk-8 (Emilio)
 --
 pgbouncer
@@ -86,9 +91,16 @@ samba (Utkarsh Gupta)
   NOTE: 20220110: fix applied, but will need a second opinion. (utkarsh)
   NOTE: 20220125: ftbfs, wip. (utkarsh)
 --
+spip
+  NOTE: 20220130: git.spip.net doesn't load for me atm, so check. :) (utkarsh)
+--
 ujson (Anton)
   NOTE: 20220121: please reheck, at least the mentioned function is available 
in Stretch
 --
+varnish
+  NOTE: 20220130: also fix no-dsa issues. (utkarsh)
+  NOTE: 20220130: VRB_Ignore function is very different from what's in the 
patch. (utkarsh)
+--
 vim (Emilio)
 --
 wpa (Markus Koschany)
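Review bot: the varnish NOTE says `VRB_Ignore function is very different from what's in the patch` but does not say which CVE or which upstream patch was being applied; name the CVE (and the commit tried) in the NOTE so the next person picking this up does not repeat the same backport attempt. The spip NOTE has the same problem in a milder form: it records a transient fetch failure of git.spip.net rather than the state of the work, so add what still needs checking once the site is reachable.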



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/50b5939d4ff47cea06ba1862964a3cb225a9a68d...34982fa7b201b730fa6c8cff987430f27a1bf11b



[Git][security-tracker-team/security-tracker][master] update note

2022-01-30 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
50b5939d by Thorsten Alteholz at 2022-01-30T23:34:35+01:00
update note

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -58,8 +58,8 @@ guacamole-client (Markus Koschany)
   NOTE: 20220114: package unmaintained AFAICS and only present in stretch 
(Beuc)
 --
 libarchive (Thorsten Alteholz)
-  NOTE: 20220102: testing package
   NOTE: 20220116: waiting for upload in higher releases
+  NOTE: 20220130: new CVEs arrived
 --
 libgit2 (Utkarsh)
   NOTE: 20220125: got clearance. will upload this week. (utkarsh)
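Review bot: removing the `20220102: testing package` line drops a dated history entry; elsewhere in this file earlier dated NOTEs are kept and new ones appended (the samba entry keeps 20220110 and 20220125 side by side). Keep the old line, append the 20220130 one, and say which new CVEs arrived so the entry is actionable without consulting the CVE list.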



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50b5939d4ff47cea06ba1862964a3cb225a9a68d



[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2021-45960,expat: Remove no-dsa tag for Stretch

2022-01-30 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e6ca95ac by Markus Koschany at 2022-01-30T21:57:29+01:00
CVE-2021-45960,expat: Remove no-dsa tag for Stretch

- - - - -
99ecc09a by Markus Koschany at 2022-01-30T21:58:50+01:00
Claim apache-log4j1.2, guacamole-client and wpa in dla-needed.txt

- - - - -
27ce04a9 by Markus Koschany at 2022-01-30T22:00:03+01:00
Reserve DLA-2904-1 for expat

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -6614,7 +6614,6 @@ CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a 
left shift by 29 (or mor
- expat 2.4.3-1 (bug #1002994)
[bullseye] - expat  (Minor issue; can be fixed via point 
release)
[buster] - expat  (Minor issue; can be fixed via point release)
-   [stretch] - expat  (Minor issue)
NOTE: https://github.com/libexpat/libexpat/issues/531
NOTE: https://github.com/libexpat/libexpat/pull/534
 CVE-2022-0079 (showdoc is vulnerable to Generation of Error Message Containing 
Sensit ...)
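Review bot: DLA-2904-1, reserved in the same push, lists ten CVEs for expat in stretch, but only CVE-2021-45960's `[stretch] - expat (Minor issue)` no-dsa line is removed here. Check the other nine entries (CVE-2021-46143, CVE-2022-22822 through CVE-2022-22827, CVE-2022-23852, CVE-2022-23990) for a stale stretch no-dsa tag; an entry still marked no-dsa for stretch while the DLA claims to fix it will show up as inconsistent in the tracker.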


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[30 Jan 2022] DLA-2904-1 expat - security update
+   {CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 
CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 
CVE-2022-23990}
+   [stretch] - expat 2.2.0-2+deb9u4
 [29 Jan 2022] DLA-2903-1 libraw - security update
{CVE-2017-13735 CVE-2017-14265 CVE-2017-14348 CVE-2017-14608 
CVE-2017-16909 CVE-2017-16910 CVE-2018-5800 CVE-2018-5801 CVE-2018-5802 
CVE-2018-5804 CVE-2018-5805 CVE-2018-5806 CVE-2018-5807 CVE-2018-5808 
CVE-2018-5810 CVE-2018-5811 CVE-2018-5812 CVE-2018-5813 CVE-2018-5815 
CVE-2018-5817 CVE-2018-5818 CVE-2018-5819 CVE-2018-20363 CVE-2018-20364 
CVE-2018-20365}
[stretch] - libraw 0.17.2-6+deb9u2


=
data/dla-needed.txt
=
@@ -18,7 +18,7 @@ ansible
   NOTE: 20210411: after that LTS. (apo)
   NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
 --
-apache-log4j1.2
+apache-log4j1.2 (Markus Koschany)
 --
 apache2 (Anton)
   NOTE: 20220109: WIP https://salsa.debian.org/lts-team/packages/apache2 
(Anton)
@@ -37,8 +37,6 @@ debian-archive-keyring
   NOTE: 20211018: Jonathan is prepping the branch; will work
   NOTE: 20211018: with him and upload and publish the DLA. (utkarsh)
 --
-expat (Markus Koschany)
---
 firmware-nonfree
   NOTE: 20210731: WIP: 
https://salsa.debian.org/lts-team/packages/firmware-nonfree
   NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding 
possible "ignore" tag
@@ -56,7 +54,7 @@ gpac (Roberto C. Sánchez)
   NOTE: 20211120: received OK from secteam for buster update, working on 
stretch/buster in parallel (roberto)
   NOTE: 20211228: Returning to active work on this now that llvm/rustc update 
is complete (roberto)
 --
-guacamole-client
+guacamole-client (Markus Koschany)
   NOTE: 20220114: package unmaintained AFAICS and only present in stretch 
(Beuc)
 --
 libarchive (Thorsten Alteholz)
@@ -93,7 +91,7 @@ ujson (Anton)
 --
 vim (Emilio)
 --
-wpa
+wpa (Markus Koschany)
   NOTE: 20220124: CVE-2018-9495 has been applied
 --
 zabbix (Sylvain Beucler)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b663d5723c0cfd7a64fd47a33e78aa15cdb087d5...27ce04a95a8a22ee9fd206b18c1c1f8986728bec



[Git][security-tracker-team/security-tracker][master] Add three new vim issues from fuzzing reports

2022-01-30 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b663d572 by Salvatore Bonaccorso at 2022-01-30T21:27:36+01:00
Add three new vim issues from fuzzing reports

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -47,7 +47,11 @@ CVE-2021-46657 (get_sort_by_table in MariaDB before 10.6.2 
allows an application
 CVE-2022-0414
RESERVED
 CVE-2022-0413 (Use After Free in Conda vim prior to 8.2. ...)
-   TODO: check
+   - vim 
+   [bullseye] - vim  (Minor issue)
+   [buster] - vim  (Minor issue)
+   NOTE: https://huntr.dev/bounties/563d1e8f-5c3d-4669-941c-3216f4a87c38
+   NOTE: 
https://github.com/vim/vim/commit/37f47958b8a2a44abc60614271d9537e7f14e51a 
(v8.2.4253)
 CVE-2022-0412
RESERVED
 CVE-2022-0411
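Review bot: the CVE text `Use After Free in Conda vim prior to 8.2` (huntr's auto-generated wording) is misleading next to the fix tag `v8.2.4253` in the NOTE: any 8.2 build below patch level 4253 is affected, not just pre-8.2 releases. A short NOTE stating the affected range in terms of the patch level would stop a triager from concluding that an 8.2.x build is already fixed; the `Minor issue` no-dsa tags are consistent with a fuzzer-found crash.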
@@ -80,9 +84,17 @@ CVE-2022-24113
 CVE-2022-0409
RESERVED
 CVE-2022-0408 (Stack-based Buffer Overflow in Conda vim prior to 8.2. ...)
-   TODO: check
+   - vim 
+   [bullseye] - vim  (Minor issue)
+   [buster] - vim  (Minor issue)
+   NOTE: https://huntr.dev/bounties/5e635bad-5cf6-46cd-aeac-34ef224e179d
+   NOTE: 
https://github.com/vim/vim/commit/06f15416bb8d5636200a10776f1752c4d6e49f31 
(v8.2.4247)
 CVE-2022-0407 (Heap-based Buffer Overflow in Conda vim prior to 8.2. ...)
-   TODO: check
+   - vim 
+   [bullseye] - vim  (Minor issue)
+   [buster] - vim  (Minor issue)
+   NOTE: https://huntr.dev/bounties/81822bf7-aafe-4d37-b836-1255d46e572c
+   NOTE: 
https://github.com/vim/vim/commit/44db8213d38c39877d2148eff6a72f4beccfb94e 
(v8.2.4219)
 CVE-2022-24112
RESERVED
 CVE-2022-0406
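Review bot: both entries leave the unstable fixed version empty (`- vim `) even though each NOTE names the upstream tag containing the fix (v8.2.4247 for CVE-2022-0408, v8.2.4219 for CVE-2022-0407); fill in the Debian version once an upload based on at least that patch level exists, so that the bullseye/buster no-dsa lines are the only open items. The `prior to 8.2` wording in the CVE descriptions has the same problem as for the other huntr-reported vim issues and deserves a clarifying NOTE.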



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b663d5723c0cfd7a64fd47a33e78aa15cdb087d5



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46659/MariaDB

2022-01-30 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1309fab7 by Salvatore Bonaccorso at 2022-01-30T21:21:53+01:00
Add CVE-2021-46659/MariaDB

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25,7 +25,11 @@ CVE-2022-24121
 CVE-2021-46660 (Signiant Manager+Agents before 15.1 allows XML External Entity 
(XXE) a ...)
TODO: check
 CVE-2021-46659 (MariaDB before 10.7.2 allows an application crash because it 
does not  ...)
-   TODO: check
+   - mariadb-10.6 
+   - mariadb-10.5 
+   - mariadb-10.3 
+   NOTE: https://jira.mariadb.org/browse/MDEV-25631
+   NOTE: Fixed in MariaDB: 10.2.42, 10.3.33, 10.4.23, 10.5.14, 10.6.6, 
10.7.2
 CVE-2021-46658 (save_window_function_values in MariaDB before 10.6.3 allows an 
applica ...)
- mariadb-10.6  (Fixed before initial upload to Debian)
- mariadb-10.5 1:10.5.11-1
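Review bot: all three source packages are listed without a fixed version although the NOTE gives the upstream fix levels (10.3.33, 10.5.14, 10.6.6), and there is no `[buster] - mariadb-10.3 ...` line, unlike the CVE-2021-46658 entry just below which tracks buster via 1:10.3.31-0+deb10u1. Add a buster line for mariadb-10.3 (fixed version, or no-dsa with a reason) and fill in the Debian versions for 10.5/10.6 when uploads at or above 10.5.14/10.6.6 land; an entry with no per-release status reads as unknown for buster.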



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1309fab78dcedc4da36091b703252fc035a355b3



[Git][security-tracker-team/security-tracker][master] automatic update

2022-01-30 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9daa1ec7 by security tracker role at 2022-01-30T20:10:19+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,11 @@
+CVE-2022-0418
+   RESERVED
+CVE-2022-0417
+   RESERVED
+CVE-2022-0416
+   RESERVED
+CVE-2022-0415
+   RESERVED
 CVE-2022-24129
RESERVED
 CVE-2022-24128
@@ -34,8 +42,8 @@ CVE-2021-46657 (get_sort_by_table in MariaDB before 10.6.2 
allows an application
NOTE: Fixed in MariaDB: 10.2.39, 10.3.30, 10.4.20, 10.5.11, 10.6.2
 CVE-2022-0414
RESERVED
-CVE-2022-0413
-   RESERVED
+CVE-2022-0413 (Use After Free in Conda vim prior to 8.2. ...)
+   TODO: check
 CVE-2022-0412
RESERVED
 CVE-2022-0411
@@ -67,10 +75,10 @@ CVE-2022-24113
RESERVED
 CVE-2022-0409
RESERVED
-CVE-2022-0408
-   RESERVED
-CVE-2022-0407
-   RESERVED
+CVE-2022-0408 (Stack-based Buffer Overflow in Conda vim prior to 8.2. ...)
+   TODO: check
+CVE-2022-0407 (Heap-based Buffer Overflow in Conda vim prior to 8.2. ...)
+   TODO: check
 CVE-2022-24112
RESERVED
 CVE-2022-0406
@@ -1351,8 +1359,8 @@ CVE-2022-23850 (xhtml_translate_entity in xhtml.c in 
epub2txt (aka epub2txt2) th
- epub2txt2  (bug #1004115)
 CVE-2022-23849
RESERVED
-CVE-2022-0339
-   RESERVED
+CVE-2022-0339 (Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 
0.6.16. ...)
+   TODO: check
 CVE-2022-0338 (Improper Privilege Management in Conda loguru prior to 0.5.3. 
...)
- loguru  (unimportant)
NOTE: https://huntr.dev/bounties/359bea50-2bc6-426a-b2f9-175d401b1ed0/
@@ -2695,8 +2703,8 @@ CVE-2022-21796 (A memory corruption vulnerability exists 
in the netserver parse_
NOT-FOR-US: Reolink
 CVE-2022-0274 (Cross-site Scripting (XSS) - Stored in NuGet 
OrchardCore.Application.C ...)
NOT-FOR-US: Orchard CMS
-CVE-2022-0273
-   RESERVED
+CVE-2022-0273 (Improper Access Control in Pypi calibreweb prior to 0.6.16. ...)
+   TODO: check
 CVE-2022-0272
RESERVED
 CVE-2022-0271



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9daa1ec76189fff7e2f7932de4e17925e5d94897



[Git][security-tracker-team/security-tracker][master] Ignore CVE-2022-21682 and CVE-2021-43860 for flatpak in buster

2022-01-30 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
053f0cd7 by Salvatore Bonaccorso at 2022-01-30T21:01:10+01:00
Ignore CVE-2022-21682 and CVE-2021-43860 for flatpak in buster

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13521,6 +13521,7 @@ CVE-2022-21683 (Wagtail is a Django based content 
management system focused on f
 CVE-2022-21682 (Flatpak is a Linux application sandboxing and distribution 
framework.  ...)
{DSA-5049-1}
- flatpak 1.12.3-1
+   [buster] - flatpak  (Intrusive and risky to backport)
NOTE: 
https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx
NOTE: 
https://github.com/flatpak/flatpak/commit/445bddeee657fdc8d2a0a1f0de12975400d4fc1a
NOTE: Documentation: 
https://github.com/flatpak/flatpak/commit/4d11f77aa7fd3e64cfa80af89d92567ab9e8e6fa
@@ -13835,6 +13836,7 @@ CVE-2021-43861 (Mermaid is a Javascript based 
diagramming and charting tool that
 CVE-2021-43860 (Flatpak is a Linux application sandboxing and distribution 
framework.  ...)
{DSA-5049-1}
- flatpak 1.12.3-1
+   [buster] - flatpak  (Intrusive and risky to backport)
NOTE: 
https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j
NOTE: 
https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e
NOTE: 
https://github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee
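Review bot: both flatpak CVEs get the same buster line `(Intrusive and risky to backport)`, and the status marker before the parenthetical is missing in this rendering (double space after `flatpak`), so confirm the committed lines carry `<ignored>`. Since the same decision is taken for two CVEs with different advisories (GHSA-8ch7-5j3h-g4fx and GHSA-qpjc-vq3c-572j), a one-line NOTE naming which of the listed upstream commits makes the backport intrusive would let the LTS team reassess later without redoing the analysis.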



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/053f0cd77086c6f73f0d6d33b93833e99ba796c0



[Git][security-tracker-team/security-tracker][master] Restore reference to Debian bug for librecad issues

2022-01-30 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a8b51449 by Salvatore Bonaccorso at 2022-01-30T20:41:25+01:00
Restore reference to Debian bug for librecad issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8867,17 +8867,17 @@ CVE-2021-45345
 CVE-2021-45344
RESERVED
 CVE-2021-45343 (In LibreCAD 2.2.0, a NULL pointer dereference in the HATCH 
handling of ...)
-   - librecad 2.1.3-3
+   - librecad 2.1.3-3 (bug #1004518)
NOTE: https://github.com/LibreCAD/LibreCAD/issues/1468
NOTE: https://github.com/LibreCAD/LibreCAD/pull/1469
NOTE: Fixed by: 
https://github.com/LibreCAD/LibreCAD/commit/5771425808bd16e78e1c6f28728c0712c47316f7
 CVE-2021-45342 (A buffer overflow vulnerability in CDataList of the jwwlib 
component o ...)
-   - librecad 2.1.3-3
+   - librecad 2.1.3-3 (bug #1004518)
NOTE: https://github.com/LibreCAD/LibreCAD/issues/1464
NOTE: https://github.com/LibreCAD/LibreCAD/pull/1465
NOTE: Fixed by: 
https://github.com/LibreCAD/LibreCAD/commit/4edcbe72679f95cb60979c77a348c1522a20b0f4
 CVE-2021-45341 (A buffer overflow vulnerability in CDataMoji of the jwwlib 
component o ...)
-   - librecad 2.1.3-3
+   - librecad 2.1.3-3 (bug #1004518)
NOTE: https://github.com/LibreCAD/LibreCAD/issues/1462
NOTE: https://github.com/LibreCAD/LibreCAD/pull/1463
NOTE: Fixed by: 
https://github.com/LibreCAD/LibreCAD/commit/f3502963eaf379a429bc9da73c1224c5db649997
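Review bot: restoring `(bug #1004518)` is right; commit 14161dcd dropped it when filling in the version. The three entries still have no `[bullseye]`/`[buster]` lines even though dsa-needed.txt records that Aron Xu has an update for {bullseye,buster}-security under review; add the per-release status (or the DSA reference once issued) so the stable status is not left implicit.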



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8b51449d91bb554a7a4619f6c8092c54b1609f4



[Git][security-tracker-team/security-tracker][master] librecad fixed in sid

2022-01-30 Thread Aron Xu (@aron)


Aron Xu pushed to branch master at Debian Security Tracker / security-tracker


Commits:
14161dcd by Aron Xu at 2022-01-30T21:11:17+08:00
librecad fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8867,17 +8867,17 @@ CVE-2021-45345
 CVE-2021-45344
RESERVED
 CVE-2021-45343 (In LibreCAD 2.2.0, a NULL pointer dereference in the HATCH 
handling of ...)
-   - librecad  (bug #1004518)
+   - librecad 2.1.3-3
NOTE: https://github.com/LibreCAD/LibreCAD/issues/1468
NOTE: https://github.com/LibreCAD/LibreCAD/pull/1469
NOTE: Fixed by: 
https://github.com/LibreCAD/LibreCAD/commit/5771425808bd16e78e1c6f28728c0712c47316f7
 CVE-2021-45342 (A buffer overflow vulnerability in CDataList of the jwwlib 
component o ...)
-   - librecad  (bug #1004518)
+   - librecad 2.1.3-3
NOTE: https://github.com/LibreCAD/LibreCAD/issues/1464
NOTE: https://github.com/LibreCAD/LibreCAD/pull/1465
NOTE: Fixed by: 
https://github.com/LibreCAD/LibreCAD/commit/4edcbe72679f95cb60979c77a348c1522a20b0f4
 CVE-2021-45341 (A buffer overflow vulnerability in CDataMoji of the jwwlib 
component o ...)
-   - librecad  (bug #1004518)
+   - librecad 2.1.3-3
NOTE: https://github.com/LibreCAD/LibreCAD/issues/1462
NOTE: https://github.com/LibreCAD/LibreCAD/pull/1463
NOTE: Fixed by: 
https://github.com/LibreCAD/LibreCAD/commit/f3502963eaf379a429bc9da73c1224c5db649997
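Review bot: the three replacements drop the `(bug #1004518)` reference while adding the fixed version; the version and the bug number are independent fields and should both be kept, i.e. `- librecad 2.1.3-3 (bug #1004518)`, so the tracker still links the fix to the Debian bug.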



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14161dcd62310a87ab5793ba6b841f42de6ac954



[Git][security-tracker-team/security-tracker][master] add and take ipython

2022-01-30 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d2821ee2 by Moritz Muehlenhoff at 2022-01-30T11:30:05+01:00
add and take ipython

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -21,6 +21,8 @@ cryptsetup/stable (corsac)
 --
 faad2/oldstable (jmm)
 --
+ipython (jmm)
+--
 librecad
   Aron Xu proposed update for {bullseye,buster}-security for review
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2821ee209a39871e1a4829274f2bf75a2499d0b



[Git][security-tracker-team/security-tracker][master] Track fixed version for four linux issues via unstable

2022-01-30 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e45af11d by Salvatore Bonaccorso at 2022-01-30T11:28:53+01:00
Track fixed version for four linux issues via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -43,7 +43,7 @@ CVE-2022-0411
 CVE-2022-0410
RESERVED
 CVE-2022-24122 (kernel/ucount.c in the Linux kernel 5.14 through 5.16.4, when 
unprivil ...)
-   - linux 
+   - linux 5.15.15-2
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
[stretch] - linux  (Vulnerable code not present)
@@ -1457,7 +1457,7 @@ CVE-2022-0331
RESERVED
 CVE-2022-0330 [drm/i915: Flush TLBs before releasing backing store]
RESERVED
-   - linux 
+   - linux 5.15.15-2
NOTE: https://www.openwall.com/lists/oss-security/2022/01/25/12
NOTE: 
https://git.kernel.org/linus/7938d61591d33394a21bdd7797a245b65428f44c
 CVE-2022-0329 (Code Injection in PyPi loguru prior to and including 0.5.3. ...)
@@ -4041,7 +4041,7 @@ CVE-2022-22943
RESERVED
 CVE-2022-22942 [drm/vmwgfx: Fix stale file descriptors on failed usercopy]
RESERVED
-   - linux 
+   - linux 5.15.15-2
[stretch] - linux  (Vulnerable code not present)
NOTE: https://www.openwall.com/lists/oss-security/2022/01/27/4
NOTE: Fixed by; 
https://git.kernel.org/linus/a0f90c8815706981c483a652a6aefca51a5e191c
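Review bot: only `[stretch]` is marked `Vulnerable code not present` for the vmwgfx usercopy issue; bullseye and buster have no line at all, so their status defaults to unfixed with the sid version 5.15.15-2 as the only fixed version. Either add `[bullseye]`/`[buster]` lines (fixed in a point release, no-dsa, or not-affected) or note why they are pending. Also `Fixed by;` should read `Fixed by:` for consistency with the other NOTEs.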
@@ -13318,7 +13318,7 @@ CVE-2021-43978 (Allegro WIndows 3.3.4152.0, embeds 
software administrator databa
 CVE-2021-43977 (SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 
allows X ...)
NOT-FOR-US: SmarterTools
 CVE-2021-43976 (In the Linux kernel through 5.15.2, mwifiex_usb_recv in 
drivers/net/wi ...)
-   - linux 
+   - linux 5.15.15-2
NOTE: 
https://patchwork.kernel.org/project/linux-wireless/patch/yx4cqjfrcta6b...@zekuns-mbp-16.fios-router.home/
 CVE-2021-43975 (In the Linux kernel through 5.15.2, hw_atl_utils_fw_rpc_wait 
in driver ...)
- linux 5.15.5-2
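Review bot: the only reference for CVE-2021-43976 is a patchwork URL whose message-id is truncated in the line (`yx4cqjfrcta6b...@zekuns-mbp...`); verify the link resolves, and prefer the upstream git.kernel.org commit, as the other linux entries in this push do, once the mwifiex fix is in mainline. The entry also has no per-release lines for bullseye/buster/stretch, unlike the three entries updated alongside it.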



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e45af11d6c6de02a37d68dbb6b0c8249dacc9a19



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim pjproject

2022-01-30 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1118918b by Abhijith PA at 2022-01-30T15:48:03+05:30
data/dla-needed.txt: Claim pjproject

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -75,7 +75,7 @@ openjdk-8 (Emilio)
 pgbouncer
   NOTE: 20220104: maintainer might want to upload fixed version
 --
-pjproject
+pjproject (Abhijith PA)
   NOTE: 20211230: patch available for the no-dsa issue, check its NOTE (pochu)
 --
 python2.7 (Anton)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1118918bab590c96eaf9c9f99fadc2fa79fb0710



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46658/MariaDB

2022-01-30 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b14d9617 by Salvatore Bonaccorso at 2022-01-30T09:41:44+01:00
Add CVE-2021-46658/MariaDB

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19,7 +19,12 @@ CVE-2021-46660 (Signiant Manager+Agents before 15.1 allows 
XML External Entity (
 CVE-2021-46659 (MariaDB before 10.7.2 allows an application crash because it 
does not  ...)
TODO: check
 CVE-2021-46658 (save_window_function_values in MariaDB before 10.6.3 allows an 
applica ...)
-   TODO: check
+   - mariadb-10.6  (Fixed before initial upload to Debian)
+   - mariadb-10.5 1:10.5.11-1
+   - mariadb-10.3 
+   [buster] - mariadb-10.3 1:10.3.31-0+deb10u1
+   NOTE: https://jira.mariadb.org/browse/MDEV-25630
+   NOTE: Fixed in MariaDB: 10.2.40, 10.3.31, 10.4.21, 10.5.12, 10.6.3
 CVE-2021-46657 (get_sort_by_table in MariaDB before 10.6.2 allows an 
application crash ...)
- mariadb-10.6  (Fixed before initial upload to Debian)
- mariadb-10.5 1:10.5.11-1
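Review bot: `- mariadb-10.3 ` for unstable is left without a version while `[buster] - mariadb-10.3 1:10.3.31-0+deb10u1` is filled in; if mariadb-10.3 no longer exists in unstable, mark it as removed rather than leaving an open unfixed line, otherwise fill in the version. The buster version 1:10.3.31-0+deb10u1 matches the upstream fix level 10.3.31 given in the NOTE, so that line is consistent.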



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b14d96174fd06b868fc9bddc6e7470e939820e9f



[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46657/MariaDB

2022-01-30 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b61c3b62 by Salvatore Bonaccorso at 2022-01-30T09:39:37+01:00
Add CVE-2021-46657/MariaDB

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21,7 +21,12 @@ CVE-2021-46659 (MariaDB before 10.7.2 allows an application 
crash because it doe
 CVE-2021-46658 (save_window_function_values in MariaDB before 10.6.3 allows an 
applica ...)
TODO: check
 CVE-2021-46657 (get_sort_by_table in MariaDB before 10.6.2 allows an 
application crash ...)
-   TODO: check
+   - mariadb-10.6  (Fixed before initial upload to Debian)
+   - mariadb-10.5 1:10.5.11-1
+   - mariadb-10.3 
+   [buster] - mariadb-10.3 1:10.3.31-0+deb10u1
+   NOTE: https://jira.mariadb.org/browse/MDEV-25629
+   NOTE: Fixed in MariaDB: 10.2.39, 10.3.30, 10.4.20, 10.5.11, 10.6.2
 CVE-2022-0414
RESERVED
 CVE-2022-0413
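Review bot: the versions in this entry are internally consistent (10.5.11 in the NOTE matches 1:10.5.11-1, and buster's 1:10.3.31-0+deb10u1 is past the 10.3.30 fix), but the rendering has lost the angle-bracket pseudo-versions the tracker uses: "- mariadb-10.6  (Fixed before initial upload to Debian)" has a double space where <not-affected> belongs, and "- mariadb-10.3 " ends in a space where <removed> (if 10.3 has left unstable) or <unfixed> should follow. If the mail archive stripped them as HTML tags this is cosmetic; if the committed file lacks them, the two lines do not parse as valid tracker entries.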



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b61c3b626f27f85061b0c89938a1ab057e3b2093



[Git][security-tracker-team/security-tracker][master] automatic update

2022-01-30 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
94ee66c3 by security tracker role at 2022-01-30T08:10:13+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,27 @@
+CVE-2022-24129
+   RESERVED
+CVE-2022-24128
+   RESERVED
+CVE-2022-24127
+   RESERVED
+CVE-2022-24126
+   RESERVED
+CVE-2022-24125
+   RESERVED
+CVE-2022-24124 (The query API in Casdoor before 1.13.1 has a SQL injection 
vulnerabili ...)
+   TODO: check
+CVE-2022-24123 (MarkText through 0.16.3 does not sanitize the input of a 
mermaid block ...)
+   TODO: check
+CVE-2022-24121
+   RESERVED
+CVE-2021-46660 (Signiant Manager+Agents before 15.1 allows XML External Entity 
(XXE) a ...)
+   TODO: check
+CVE-2021-46659 (MariaDB before 10.7.2 allows an application crash because it 
does not  ...)
+   TODO: check
+CVE-2021-46658 (save_window_function_values in MariaDB before 10.6.3 allows an 
applica ...)
+   TODO: check
+CVE-2021-46657 (get_sort_by_table in MariaDB before 10.6.2 allows an 
application crash ...)
+   TODO: check
 CVE-2022-0414
RESERVED
 CVE-2022-0413
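Review bot: CVE-2021-46659 (MariaDB before 10.7.2) is left at the automatic "TODO: check" placeholder here, and the two follow-up commits in this thread triage only CVE-2021-46657 and CVE-2021-46658. It needs the same mariadb-10.3/10.5/10.6 assessment as its siblings (which upstream release in each train carries the fix, and whether buster's 1:10.3.31-0+deb10u1 includes it), otherwise it sits as TODO while the neighbouring entries are resolved. CVE-2022-24124 (Casdoor), CVE-2022-24123 (MarkText) and CVE-2021-46660 (Signiant) also still need a packaged/not-packaged decision.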
@@ -8,7 +32,7 @@ CVE-2022-0411
RESERVED
 CVE-2022-0410
RESERVED
-CVE-2022-24122 [ucount:  Make get_ucount a safe get_user replacement]
+CVE-2022-24122 (kernel/ucount.c in the Linux kernel 5.14 through 5.16.4, when 
unprivil ...)
- linux 
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
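Review bot: the new description bounds the affected range to 5.14 through 5.16.4, which is consistent with the "Vulnerable code not present" entries for bullseye (5.10) and buster (4.19). The unstable line "- linux" still carries no fixed version, so the entry should record the 5.16.5-or-later upload once it lands. The bracketed title being dropped, "ucount:  Make get_ucount a safe get_user replacement", reads like the subject of the upstream fix commit and is worth preserving as a NOTE so the fix stays findable from the entry.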
@@ -288,8 +312,8 @@ CVE-2022-24034
RESERVED
 CVE-2022-24033
RESERVED
-CVE-2022-24032
-   RESERVED
+CVE-2022-24032 (Adenza AxiomSL ControllerView through 10.8.1 is vulnerable to 
user enu ...)
+   TODO: check
 CVE-2022-24031
RESERVED
 CVE-2022-24030
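Review bot: Adenza AxiomSL ControllerView is a proprietary product that is not packaged in Debian, so the automatic "TODO: check" on CVE-2022-24032 should be resolved to NOT-FOR-US: Adenza AxiomSL ControllerView rather than left for manual triage; the same applies to CVE-2022-22919 in the next hunk of this commit.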
@@ -4055,8 +4079,8 @@ CVE-2022-22921
RESERVED
 CVE-2022-22920
RESERVED
-CVE-2022-22919
-   RESERVED
+CVE-2022-22919 (Adenza AxiomSL ControllerView through 10.8.1 allows 
redirection for SS ...)
+   TODO: check
 CVE-2022-22918
RESERVED
 CVE-2022-22917
@@ -23845,6 +23869,7 @@ CVE-2021-41057 (In WIBU CodeMeter Runtime before 7.30a, 
creating a crafted CmDon
 CVE-2021-41056
RESERVED
 CVE-2021-41055 (Gajim 1.2.x and 1.3.x before 1.3.3 allows remote attackers to 
cause a  ...)
+   {DSA-5064-1}
- python-nbxmpp 2.0.4-1
[buster] - python-nbxmpp  (Vulnerable code not present)
[stretch] - python-nbxmpp  (Vulnerable code introduced 
later (modules added in v1.0.0))
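Review bot: the {DSA-5064-1} cross-reference is added without a [bullseye] line, which is the expected shape: the per-suite fixed version for a DSA comes from data/DSA/list and should not be duplicated here. The unstable version 2.0.4-1 and the buster/stretch entries are unchanged; the two not-affected reasons do read differently ("Vulnerable code not present" vs "Vulnerable code introduced later (modules added in v1.0.0)") for what is presumably the same fact, so aligning buster on the more specific wording would help the next reader.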



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/94ee66c31d9fee35e9b0e43ea61ea1f69ca06d20
