[Git][security-tracker-team/security-tracker][master] Add CVE-2022-0400/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6a7216ea by Salvatore Bonaccorso at 2022-01-31T08:55:00+01:00 Add CVE-2022-0400/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -114,8 +114,11 @@ CVE-2022-0402 RESERVED CVE-2022-0401 RESERVED -CVE-2022-0400 +CVE-2022-0400 [Out of bounds read in the smc protocol stack] RESERVED + - linux + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2044575 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2040604 (not public) CVE-2022-0399 RESERVED CVE-2022-0398 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a7216ea548b7162822cdca00a846d3cf985c015 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a7216ea548b7162822cdca00a846d3cf985c015 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
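Review bot: the new linux entry records no fix reference, only two Red Hat bugs of which one is marked not public, so nothing here lets the fixed version be tracked later; once the upstream commit for the SMC out-of-bounds read is public, add a NOTE pointing at it and track the fixed version via unstable as e45af11d on this list does for other linux issues, otherwise the entry stays open against every suite with no way to verify a backport.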
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-24130/xterm
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f019646f by Salvatore Bonaccorso at 2022-01-31T07:14:18+01:00 Add CVE-2022-24130/xterm - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6,6 +6,11 @@ CVE-2022-0416 RESERVED CVE-2022-0415 RESERVED +CVE-2022-24130 [xterm buffer overflow via crafted sixel] + - xterm + NOTE: https://twitter.com/nickblack/status/1487731459398025216 + NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/2 + NOTE: https://www.openwall.com/lists/oss-security/2022/01/30/3 CVE-2022-24129 RESERVED CVE-2022-24128 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f019646f362693dc2037ebcea1bd7366dd9de91f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f019646f362693dc2037ebcea1bd7366dd9de91f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
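Review bot: the xterm entry carries references (a tweet and two oss-security posts) but no upstream fix and no per-suite assessment, so bullseye, buster and stretch all show as open with nothing recorded about whether the sixel code path is present or enabled in each release; a NOTE with the fixing xterm patch and a suite line per release would make the entry actionable.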
[Git][security-tracker-team/security-tracker][master] 2 commits: Adjust tracking for CVE-2022-23808
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f0f022e1 by Salvatore Bonaccorso at 2022-01-31T06:20:08+01:00 Adjust tracking for CVE-2022-23808 Rationale: CVE-2022-23808 is about the setup for phpmyadmin, not available in Debian according to the reference, but the affected code is. Thus demote the severity to unimportant and mark it as fixed once 5.1.2 lands. - - - - - 33591c4c by Salvatore Bonaccorso at 2022-01-31T06:21:58+01:00 Adjust tracking for CVE-2022-23807 Rationale: The 2FA support is not packaged according to the research and references, but the affected source code is. Demote the severity to unimportant and mark it as fixed once 5.1.2 lands in unstable. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1500,18 +1500,17 @@ CVE-2021-4208 CVE-2022-23809 RESERVED CVE-2022-23808 (An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker ca ...) - - phpmyadmin (2FA is not packaged yet and the setup is not available to be used) + - phpmyadmin (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2022-2/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/5118acce1dfcdb09cbc0f73927bf51c46feeaf38 NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/44eb12f15a562718bbe54c9a16af91ceea335d59 NOTE: https://salsa.debian.org/phpmyadmin-team/phpmyadmin/-/issues/28 (setup not available) - NOTE: https://salsa.debian.org/phpmyadmin-team/phpmyadmin/-/issues/3 (missing 2FA packages) CVE-2022-23807 (An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before ...) - - phpmyadmin (2FA is not packaged yet and the setup is not available to be used) + - phpmyadmin (unimportant) NOTE: https://www.phpmyadmin.net/security/PMASA-2022-1/ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/ca54f1db050859eb8555875c6aa5d7796fdf4b32 - NOTE: https://salsa.debian.org/phpmyadmin-team/phpmyadmin/-/issues/28 (setup not available) NOTE: https://salsa.debian.org/phpmyadmin-team/phpmyadmin/-/issues/3 (missing 2FA packages) + NOTE: 2FA support is not packaged in Debian CVE-2022-23806 RESERVED CVE-2022-23805 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/34982fa7b201b730fa6c8cff987430f27a1bf11b...33591c4ccae719c469d82dbf97e5263e0ab02f21 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/34982fa7b201b730fa6c8cff987430f27a1bf11b...33591c4ccae719c469d82dbf97e5263e0ab02f21 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
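Review bot: both entries are demoted to `- phpmyadmin (unimportant)` but keep no fixed version, while the commit messages say to mark them fixed once 5.1.2 lands; record that intent in the entry (a NOTE naming 5.1.2) or the version will have to be rediscovered later. The rationale also ends up asymmetric: CVE-2022-23807 gains `NOTE: 2FA support is not packaged in Debian`, whereas for CVE-2022-23808 the only surviving explanation of why the setup is unusable is the parenthetical on the salsa issue link; a matching NOTE on 23808 would keep the reasoning visible without following the link.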
[Git][security-tracker-team/security-tracker][master] 11 commits: Mark CVE-2021-22060/libspring-java as end-of-life for stretch
versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older ...) - libspring-java + [stretch] - libspring-java (EOL'd for stretch) NOTE: follow-up to CVE-2021-22096 NOTE: https://tanzu.vmware.com/security/cve-2021-22060 CVE-2021-22059 = data/dla-needed.txt = @@ -64,10 +64,15 @@ libarchive (Thorsten Alteholz) libgit2 (Utkarsh) NOTE: 20220125: got clearance. will upload this week. (utkarsh) -- +librecad +-- linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) -- +minetest + NOTE: 20220130: double check for impact. (utkarsh) +-- openjdk-8 (Emilio) -- pgbouncer @@ -86,9 +91,16 @@ samba (Utkarsh Gupta) NOTE: 20220110: fix applied, but will need a second opinion. (utkarsh) NOTE: 20220125: ftbfs, wip. (utkarsh) -- +spip + NOTE: 20220130: git.spip.net doesn't load for me atm, so check. :) (utkarsh) +-- ujson (Anton) NOTE: 20220121: please reheck, at least the mentioned function is available in Stretch -- +varnish + NOTE: 20220130: also fix no-dsa issues. (utkarsh) + NOTE: 20220130: VRB_Ignore function is very different from what's in the patch. (utkarsh) +-- vim (Emilio) -- wpa (Markus Koschany) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/50b5939d4ff47cea06ba1862964a3cb225a9a68d...34982fa7b201b730fa6c8cff987430f27a1bf11b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/50b5939d4ff47cea06ba1862964a3cb225a9a68d...34982fa7b201b730fa6c8cff987430f27a1bf11b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
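Review bot: the varnish entry's NOTE that VRB_Ignore differs markedly from what the patch touches describes a backport blocker, not a passing remark: a patch written against a different function body is the usual source of an incomplete fix, so the entry should say which CVE the patch is for and whether a reimplementation against the stretch code is expected, and the preceding NOTE's "also fix no-dsa issues" should name the CVEs it means. Minor: the ujson context line reads "please reheck" for "recheck".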
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 50b5939d by Thorsten Alteholz at 2022-01-30T23:34:35+01:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -58,8 +58,8 @@ guacamole-client (Markus Koschany) NOTE: 20220114: package unmaintained AFAICS and only present in stretch (Beuc) -- libarchive (Thorsten Alteholz) - NOTE: 20220102: testing package NOTE: 20220116: waiting for upload in higher releases + NOTE: 20220130: new CVEs arrived -- libgit2 (Utkarsh) NOTE: 20220125: got clearance. will upload this week. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50b5939d4ff47cea06ba1862964a3cb225a9a68d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50b5939d4ff47cea06ba1862964a3cb225a9a68d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2021-45960,expat: Remove no-dsa tag for Stretch
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: e6ca95ac by Markus Koschany at 2022-01-30T21:57:29+01:00 CVE-2021-45960,expat: Remove no-dsa tag for Stretch - - - - - 99ecc09a by Markus Koschany at 2022-01-30T21:58:50+01:00 Claim apache-log4j1.2, guacamole-client and wpa in dla-needed.txt - - - - - 27ce04a9 by Markus Koschany at 2022-01-30T22:00:03+01:00 Reserve DLA-2904-1 for expat - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -6614,7 +6614,6 @@ CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or mor - expat 2.4.3-1 (bug #1002994) [bullseye] - expat (Minor issue; can be fixed via point release) [buster] - expat (Minor issue; can be fixed via point release) - [stretch] - expat (Minor issue) NOTE: https://github.com/libexpat/libexpat/issues/531 NOTE: https://github.com/libexpat/libexpat/pull/534 CVE-2022-0079 (showdoc is vulnerable to Generation of Error Message Containing Sensit ...) = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Jan 2022] DLA-2904-1 expat - security update + {CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990} + [stretch] - expat 2.2.0-2+deb9u4 [29 Jan 2022] DLA-2903-1 libraw - security update {CVE-2017-13735 CVE-2017-14265 CVE-2017-14348 CVE-2017-14608 CVE-2017-16909 CVE-2017-16910 CVE-2018-5800 CVE-2018-5801 CVE-2018-5802 CVE-2018-5804 CVE-2018-5805 CVE-2018-5806 CVE-2018-5807 CVE-2018-5808 CVE-2018-5810 CVE-2018-5811 CVE-2018-5812 CVE-2018-5813 CVE-2018-5815 CVE-2018-5817 CVE-2018-5818 CVE-2018-5819 CVE-2018-20363 CVE-2018-20364 CVE-2018-20365} [stretch] - libraw 0.17.2-6+deb9u2 = data/dla-needed.txt = 
@@ -18,7 +18,7 @@ ansible NOTE: 20210411: after that LTS. (apo) NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/ -- -apache-log4j1.2 +apache-log4j1.2 (Markus Koschany) -- apache2 (Anton) NOTE: 20220109: WIP https://salsa.debian.org/lts-team/packages/apache2 (Anton) @@ -37,8 +37,6 @@ debian-archive-keyring NOTE: 20211018: Jonathan is prepping the branch; will work NOTE: 20211018: with him and upload and publish the DLA. (utkarsh) -- -expat (Markus Koschany) --- firmware-nonfree NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag @@ -56,7 +54,7 @@ gpac (Roberto C. Sánchez) NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto) NOTE: 20211228: Returning to active work on this now that llvm/rustc update is complete (roberto) -- -guacamole-client +guacamole-client (Markus Koschany) NOTE: 20220114: package unmaintained AFAICS and only present in stretch (Beuc) -- libarchive (Thorsten Alteholz) @@ -93,7 +91,7 @@ ujson (Anton) -- vim (Emilio) -- -wpa +wpa (Markus Koschany) NOTE: 20220124: CVE-2018-9495 has been applied -- zabbix (Sylvain Beucler) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b663d5723c0cfd7a64fd47a33e78aa15cdb087d5...27ce04a95a8a22ee9fd206b18c1c1f8986728bec -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b663d5723c0cfd7a64fd47a33e78aa15cdb087d5...27ce04a95a8a22ee9fd206b18c1c1f8986728bec You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
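Review bot: only CVE-2021-45960 has its stretch no-dsa line removed in data/CVE/list, yet DLA-2904-1 claims ten CVEs (CVE-2021-45960, CVE-2021-46143, CVE-2022-22822 through CVE-2022-22827, CVE-2022-23852, CVE-2022-23990); if any of the other nine still carries a stretch no-dsa or postponed line, the tracker will show them as both deferred and fixed by the DLA, so those lines need the same removal before the DLA is published. Dropping expat from dla-needed.txt in the same push is consistent with the DLA being reserved.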
[Git][security-tracker-team/security-tracker][master] Add three new vim issues from fuzzing reports
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b663d572 by Salvatore Bonaccorso at 2022-01-30T21:27:36+01:00 Add three new vim issues from fuzzing reports - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -47,7 +47,11 @@ CVE-2021-46657 (get_sort_by_table in MariaDB before 10.6.2 allows an application CVE-2022-0414 RESERVED CVE-2022-0413 (Use After Free in Conda vim prior to 8.2. ...) - TODO: check + - vim + [bullseye] - vim (Minor issue) + [buster] - vim (Minor issue) + NOTE: https://huntr.dev/bounties/563d1e8f-5c3d-4669-941c-3216f4a87c38 + NOTE: https://github.com/vim/vim/commit/37f47958b8a2a44abc60614271d9537e7f14e51a (v8.2.4253) CVE-2022-0412 RESERVED CVE-2022-0411 
@@ -80,9 +84,17 @@ CVE-2022-24113 CVE-2022-0409 RESERVED CVE-2022-0408 (Stack-based Buffer Overflow in Conda vim prior to 8.2. ...) - TODO: check + - vim + [bullseye] - vim (Minor issue) + [buster] - vim (Minor issue) + NOTE: https://huntr.dev/bounties/5e635bad-5cf6-46cd-aeac-34ef224e179d + NOTE: https://github.com/vim/vim/commit/06f15416bb8d5636200a10776f1752c4d6e49f31 (v8.2.4247) CVE-2022-0407 (Heap-based Buffer Overflow in Conda vim prior to 8.2. ...) - TODO: check + - vim + [bullseye] - vim (Minor issue) + [buster] - vim (Minor issue) + NOTE: https://huntr.dev/bounties/81822bf7-aafe-4d37-b836-1255d46e572c + NOTE: https://github.com/vim/vim/commit/44db8213d38c39877d2148eff6a72f4beccfb94e (v8.2.4219) CVE-2022-24112 RESERVED CVE-2022-0406 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b663d5723c0cfd7a64fd47a33e78aa15cdb087d5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b663d5723c0cfd7a64fd47a33e78aa15cdb087d5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
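Review bot: the MITRE descriptions "prior to 8.2" are not usable on their own; what makes each entry actionable is the NOTE with the exact fixing commit and tag (v8.2.4253, v8.2.4247, v8.2.4219), so keep that convention for further huntr-sourced vim issues. No Debian fixed version is recorded yet, so all three show as open in unstable until a vim upload carrying those patches is tracked, and the `[bullseye]`/`[buster]` "Minor issue" lines defer them for stable without stating the rationale that later DSA/DLA triage will want.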
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46659/MariaDB
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1309fab7 by Salvatore Bonaccorso at 2022-01-30T21:21:53+01:00 Add CVE-2021-46659/MariaDB - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25,7 +25,11 @@ CVE-2022-24121 CVE-2021-46660 (Signiant Manager+Agents before 15.1 allows XML External Entity (XXE) a ...) TODO: check CVE-2021-46659 (MariaDB before 10.7.2 allows an application crash because it does not ...) - TODO: check + - mariadb-10.6 + - mariadb-10.5 + - mariadb-10.3 + NOTE: https://jira.mariadb.org/browse/MDEV-25631 + NOTE: Fixed in MariaDB: 10.2.42, 10.3.33, 10.4.23, 10.5.14, 10.6.6, 10.7.2 CVE-2021-46658 (save_window_function_values in MariaDB before 10.6.3 allows an applica ...) - mariadb-10.6 (Fixed before initial upload to Debian) - mariadb-10.5 1:10.5.11-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1309fab78dcedc4da36091b703252fc035a355b3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1309fab78dcedc4da36091b703252fc035a355b3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
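Review bot: the three `- mariadb-10.x` lines have no Debian fixed version, although the NOTE gives the upstream fix releases (10.3.33, 10.5.14, 10.6.6) and the neighbouring CVE-2021-46658 entry records `1:10.5.11-1` and "Fixed before initial upload to Debian" for the same source packages; check which archive versions already contain the MDEV-25631 fix and fill the versions in, otherwise all three sources show as unfixed in unstable.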
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9daa1ec7 by security tracker role at 2022-01-30T20:10:19+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,11 @@ +CVE-2022-0418 + RESERVED +CVE-2022-0417 + RESERVED +CVE-2022-0416 + RESERVED +CVE-2022-0415 + RESERVED CVE-2022-24129 RESERVED CVE-2022-24128 @@ -34,8 +42,8 @@ CVE-2021-46657 (get_sort_by_table in MariaDB before 10.6.2 allows an application NOTE: Fixed in MariaDB: 10.2.39, 10.3.30, 10.4.20, 10.5.11, 10.6.2 CVE-2022-0414 RESERVED -CVE-2022-0413 - RESERVED +CVE-2022-0413 (Use After Free in Conda vim prior to 8.2. ...) + TODO: check CVE-2022-0412 RESERVED CVE-2022-0411 @@ -67,10 +75,10 @@ CVE-2022-24113 RESERVED CVE-2022-0409 RESERVED -CVE-2022-0408 - RESERVED -CVE-2022-0407 - RESERVED +CVE-2022-0408 (Stack-based Buffer Overflow in Conda vim prior to 8.2. ...) + TODO: check +CVE-2022-0407 (Heap-based Buffer Overflow in Conda vim prior to 8.2. ...) + TODO: check CVE-2022-24112 RESERVED CVE-2022-0406 @@ -1351,8 +1359,8 @@ CVE-2022-23850 (xhtml_translate_entity in xhtml.c in epub2txt (aka epub2txt2) th - epub2txt2 (bug #1004115) CVE-2022-23849 RESERVED -CVE-2022-0339 - RESERVED +CVE-2022-0339 (Server-Side Request Forgery (SSRF) in Pypi calibreweb prior to 0.6.16. ...) + TODO: check CVE-2022-0338 (Improper Privilege Management in Conda loguru prior to 0.5.3. ...) - loguru (unimportant) NOTE: https://huntr.dev/bounties/359bea50-2bc6-426a-b2f9-175d401b1ed0/ 
@@ -2695,8 +2703,8 @@ CVE-2022-21796 (A memory corruption vulnerability exists in the netserver parse_ NOT-FOR-US: Reolink CVE-2022-0274 (Cross-site Scripting (XSS) - Stored in NuGet OrchardCore.Application.C ...) NOT-FOR-US: Orchard CMS -CVE-2022-0273 - RESERVED +CVE-2022-0273 (Improper Access Control in Pypi calibreweb prior to 0.6.16. ...) + TODO: check CVE-2022-0272 RESERVED CVE-2022-0271 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9daa1ec76189fff7e2f7932de4e17925e5d94897 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9daa1ec76189fff7e2f7932de4e17925e5d94897 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Ignore CVE-2022-21682 and CVE-2021-43860 for flatpak in buster
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 053f0cd7 by Salvatore Bonaccorso at 2022-01-30T21:01:10+01:00 Ignore CVE-2022-21682 and CVE-2021-43860 for flatpak in buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13521,6 +13521,7 @@ CVE-2022-21683 (Wagtail is a Django based content management system focused on f CVE-2022-21682 (Flatpak is a Linux application sandboxing and distribution framework. ...) {DSA-5049-1} - flatpak 1.12.3-1 + [buster] - flatpak (Intrusive and risky to backport) NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-8ch7-5j3h-g4fx NOTE: https://github.com/flatpak/flatpak/commit/445bddeee657fdc8d2a0a1f0de12975400d4fc1a NOTE: Documentation: https://github.com/flatpak/flatpak/commit/4d11f77aa7fd3e64cfa80af89d92567ab9e8e6fa @@ -13835,6 +13836,7 @@ CVE-2021-43861 (Mermaid is a Javascript based diagramming and charting tool that CVE-2021-43860 (Flatpak is a Linux application sandboxing and distribution framework. ...) {DSA-5049-1} - flatpak 1.12.3-1 + [buster] - flatpak (Intrusive and risky to backport) NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-qpjc-vq3c-572j NOTE: https://github.com/flatpak/flatpak/commit/ba818f504c926baaf6e362be8159cfacf994310e NOTE: https://github.com/flatpak/flatpak/commit/d9a8f9d8ccc0b7c1135d0ecde006a75d25f66aee View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/053f0cd77086c6f73f0d6d33b93833e99ba796c0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/053f0cd77086c6f73f0d6d33b93833e99ba796c0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
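Review bot: the commit subject says the two flatpak CVEs are ignored for buster, but the added `[buster] - flatpak (Intrusive and risky to backport)` lines as shown here carry only the rationale; confirm the ignored marker is present in the file, since without it the tracker reads the line as an open issue rather than a deliberate decision. Both CVEs are already covered by DSA-5049-1 for bullseye, so buster is the only suite left without a fix, which is worth saying in the rationale so users of buster know the exposure is accepted rather than pending.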
[Git][security-tracker-team/security-tracker][master] Restore reference to Debian bug for librecad issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a8b51449 by Salvatore Bonaccorso at 2022-01-30T20:41:25+01:00 Restore reference to Debian bug for librecad issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8867,17 +8867,17 @@ CVE-2021-45345 CVE-2021-45344 RESERVED CVE-2021-45343 (In LibreCAD 2.2.0, a NULL pointer dereference in the HATCH handling of ...) - - librecad 2.1.3-3 + - librecad 2.1.3-3 (bug #1004518) NOTE: https://github.com/LibreCAD/LibreCAD/issues/1468 NOTE: https://github.com/LibreCAD/LibreCAD/pull/1469 NOTE: Fixed by: https://github.com/LibreCAD/LibreCAD/commit/5771425808bd16e78e1c6f28728c0712c47316f7 CVE-2021-45342 (A buffer overflow vulnerability in CDataList of the jwwlib component o ...) - - librecad 2.1.3-3 + - librecad 2.1.3-3 (bug #1004518) NOTE: https://github.com/LibreCAD/LibreCAD/issues/1464 NOTE: https://github.com/LibreCAD/LibreCAD/pull/1465 NOTE: Fixed by: https://github.com/LibreCAD/LibreCAD/commit/4edcbe72679f95cb60979c77a348c1522a20b0f4 CVE-2021-45341 (A buffer overflow vulnerability in CDataMoji of the jwwlib component o ...) - - librecad 2.1.3-3 + - librecad 2.1.3-3 (bug #1004518) NOTE: https://github.com/LibreCAD/LibreCAD/issues/1462 NOTE: https://github.com/LibreCAD/LibreCAD/pull/1463 NOTE: Fixed by: https://github.com/LibreCAD/LibreCAD/commit/f3502963eaf379a429bc9da73c1224c5db649997 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8b51449d91bb554a7a4619f6c8092c54b1609f4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8b51449d91bb554a7a4619f6c8092c54b1609f4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] librecad fixed in sid
Aron Xu pushed to branch master at Debian Security Tracker / security-tracker Commits: 14161dcd by Aron Xu at 2022-01-30T21:11:17+08:00 librecad fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8867,17 +8867,17 @@ CVE-2021-45345 CVE-2021-45344 RESERVED CVE-2021-45343 (In LibreCAD 2.2.0, a NULL pointer dereference in the HATCH handling of ...) - - librecad (bug #1004518) + - librecad 2.1.3-3 NOTE: https://github.com/LibreCAD/LibreCAD/issues/1468 NOTE: https://github.com/LibreCAD/LibreCAD/pull/1469 NOTE: Fixed by: https://github.com/LibreCAD/LibreCAD/commit/5771425808bd16e78e1c6f28728c0712c47316f7 CVE-2021-45342 (A buffer overflow vulnerability in CDataList of the jwwlib component o ...) - - librecad (bug #1004518) + - librecad 2.1.3-3 NOTE: https://github.com/LibreCAD/LibreCAD/issues/1464 NOTE: https://github.com/LibreCAD/LibreCAD/pull/1465 NOTE: Fixed by: https://github.com/LibreCAD/LibreCAD/commit/4edcbe72679f95cb60979c77a348c1522a20b0f4 CVE-2021-45341 (A buffer overflow vulnerability in CDataMoji of the jwwlib component o ...) - - librecad (bug #1004518) + - librecad 2.1.3-3 NOTE: https://github.com/LibreCAD/LibreCAD/issues/1462 NOTE: https://github.com/LibreCAD/LibreCAD/pull/1463 NOTE: Fixed by: https://github.com/LibreCAD/LibreCAD/commit/f3502963eaf379a429bc9da73c1224c5db649997 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14161dcd62310a87ab5793ba6b841f42de6ac954 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14161dcd62310a87ab5793ba6b841f42de6ac954 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
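Review bot: replacing `- librecad (bug #1004518)` with `- librecad 2.1.3-3` silently drops the Debian bug reference; a fixed version and a bug reference are not alternatives, so the line should read `- librecad 2.1.3-3 (bug #1004518)`, which is exactly what the later commit a8b51449 on this list has to restore for all three CVEs.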
[Git][security-tracker-team/security-tracker][master] add and take ipython
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d2821ee2 by Moritz Muehlenhoff at 2022-01-30T11:30:05+01:00 add and take ipython - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -21,6 +21,8 @@ cryptsetup/stable (corsac) -- faad2/oldstable (jmm) -- +ipython (jmm) +-- librecad Aron Xu proposed update for {bullseye,buster}-security for review -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2821ee209a39871e1a4829274f2bf75a2499d0b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2821ee209a39871e1a4829274f2bf75a2499d0b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for four linux issues via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e45af11d by Salvatore Bonaccorso at 2022-01-30T11:28:53+01:00 Track fixed version for four linux issues via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43,7 +43,7 @@ CVE-2022-0411 CVE-2022-0410 RESERVED CVE-2022-24122 (kernel/ucount.c in the Linux kernel 5.14 through 5.16.4, when unprivil ...) - - linux + - linux 5.15.15-2 [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) [stretch] - linux (Vulnerable code not present) @@ -1457,7 +1457,7 @@ CVE-2022-0331 RESERVED CVE-2022-0330 [drm/i915: Flush TLBs before releasing backing store] RESERVED - - linux + - linux 5.15.15-2 NOTE: https://www.openwall.com/lists/oss-security/2022/01/25/12 NOTE: https://git.kernel.org/linus/7938d61591d33394a21bdd7797a245b65428f44c CVE-2022-0329 (Code Injection in PyPi loguru prior to and including 0.5.3. ...) @@ -4041,7 +4041,7 @@ CVE-2022-22943 RESERVED CVE-2022-22942 [drm/vmwgfx: Fix stale file descriptors on failed usercopy] RESERVED - - linux + - linux 5.15.15-2 [stretch] - linux (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2022/01/27/4 NOTE: Fixed by; https://git.kernel.org/linus/a0f90c8815706981c483a652a6aefca51a5e191c 
@@ -13318,7 +13318,7 @@ CVE-2021-43978 (Allegro WIndows 3.3.4152.0, embeds software administrator databa CVE-2021-43977 (SmarterTools SmarterMail 16.x through 100.x before 100.0.7803 allows X ...) NOT-FOR-US: SmarterTools CVE-2021-43976 (In the Linux kernel through 5.15.2, mwifiex_usb_recv in drivers/net/wi ...) - - linux + - linux 5.15.15-2 NOTE: https://patchwork.kernel.org/project/linux-wireless/patch/yx4cqjfrcta6b...@zekuns-mbp-16.fios-router.home/ CVE-2021-43975 (In the Linux kernel through 5.15.2, hw_atl_utils_fw_rpc_wait in driver ...) - linux 5.15.5-2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e45af11d6c6de02a37d68dbb6b0c8249dacc9a19 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e45af11d6c6de02a37d68dbb6b0c8249dacc9a19 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
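Review bot: recording `linux 5.15.15-2` closes the four issues for unstable, but CVE-2022-0330 has no suite lines and CVE-2022-22942 only a stretch "Vulnerable code not present" line, so bullseye and buster remain implicitly open pending a DSA; that is the intended state, but it should be paired with an entry in dsa-needed.txt if the issues are meant to be fixed via a stable update. Minor: the CVE-2022-22942 context line reads `NOTE: Fixed by;` where the convention elsewhere in the file is `Fixed by:`.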
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim pjproject
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 1118918b by Abhijith PA at 2022-01-30T15:48:03+05:30 data/dla-needed.txt: Claim pjproject - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -75,7 +75,7 @@ openjdk-8 (Emilio) pgbouncer NOTE: 20220104: maintainer might want to upload fixed version -- -pjproject +pjproject (Abhijith PA) NOTE: 20211230: patch available for the no-dsa issue, check its NOTE (pochu) -- python2.7 (Anton) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1118918bab590c96eaf9c9f99fadc2fa79fb0710 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1118918bab590c96eaf9c9f99fadc2fa79fb0710 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46658/MariaDB
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b14d9617 by Salvatore Bonaccorso at 2022-01-30T09:41:44+01:00 Add CVE-2021-46658/MariaDB - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19,7 +19,12 @@ CVE-2021-46660 (Signiant Manager+Agents before 15.1 allows XML External Entity ( CVE-2021-46659 (MariaDB before 10.7.2 allows an application crash because it does not ...) TODO: check CVE-2021-46658 (save_window_function_values in MariaDB before 10.6.3 allows an applica ...) - TODO: check + - mariadb-10.6 (Fixed before initial upload to Debian) + - mariadb-10.5 1:10.5.11-1 + - mariadb-10.3 + [buster] - mariadb-10.3 1:10.3.31-0+deb10u1 + NOTE: https://jira.mariadb.org/browse/MDEV-25630 + NOTE: Fixed in MariaDB: 10.2.40, 10.3.31, 10.4.21, 10.5.12, 10.6.3 CVE-2021-46657 (get_sort_by_table in MariaDB before 10.6.2 allows an application crash ...) - mariadb-10.6 (Fixed before initial upload to Debian) - mariadb-10.5 1:10.5.11-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b14d96174fd06b868fc9bddc6e7470e939820e9f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b14d96174fd06b868fc9bddc6e7470e939820e9f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
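Review bot: `- mariadb-10.3` is recorded with no unstable fixed version while buster gets `1:10.3.31-0+deb10u1`; if mariadb-10.3 no longer exists in unstable, say so on the line (the tracker has a removed marker for that) so the entry does not read as an unfixed unstable issue, and the same applies to the identical hunk for CVE-2021-46657 in b61c3b62. The NOTE's upstream fix list (10.3.31 for the 10.3 series) does match the buster version, so the buster line itself is consistent.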
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-46657/MariaDB
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b61c3b62 by Salvatore Bonaccorso at 2022-01-30T09:39:37+01:00 Add CVE-2021-46657/MariaDB - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21,7 +21,12 @@ CVE-2021-46659 (MariaDB before 10.7.2 allows an application crash because it doe CVE-2021-46658 (save_window_function_values in MariaDB before 10.6.3 allows an applica ...) TODO: check CVE-2021-46657 (get_sort_by_table in MariaDB before 10.6.2 allows an application crash ...) - TODO: check + - mariadb-10.6 (Fixed before initial upload to Debian) + - mariadb-10.5 1:10.5.11-1 + - mariadb-10.3 + [buster] - mariadb-10.3 1:10.3.31-0+deb10u1 + NOTE: https://jira.mariadb.org/browse/MDEV-25629 + NOTE: Fixed in MariaDB: 10.2.39, 10.3.30, 10.4.20, 10.5.11, 10.6.2 CVE-2022-0414 RESERVED CVE-2022-0413 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b61c3b626f27f85061b0c89938a1ab057e3b2093 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b61c3b626f27f85061b0c89938a1ab057e3b2093 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 94ee66c3 by security tracker role at 2022-01-30T08:10:13+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,27 @@ +CVE-2022-24129 + RESERVED +CVE-2022-24128 + RESERVED +CVE-2022-24127 + RESERVED +CVE-2022-24126 + RESERVED +CVE-2022-24125 + RESERVED +CVE-2022-24124 (The query API in Casdoor before 1.13.1 has a SQL injection vulnerabili ...) + TODO: check +CVE-2022-24123 (MarkText through 0.16.3 does not sanitize the input of a mermaid block ...) + TODO: check +CVE-2022-24121 + RESERVED +CVE-2021-46660 (Signiant Manager+Agents before 15.1 allows XML External Entity (XXE) a ...) + TODO: check +CVE-2021-46659 (MariaDB before 10.7.2 allows an application crash because it does not ...) + TODO: check +CVE-2021-46658 (save_window_function_values in MariaDB before 10.6.3 allows an applica ...) + TODO: check +CVE-2021-46657 (get_sort_by_table in MariaDB before 10.6.2 allows an application crash ...) + TODO: check CVE-2022-0414 RESERVED CVE-2022-0413 @@ -8,7 +32,7 @@ CVE-2022-0411 RESERVED CVE-2022-0410 RESERVED -CVE-2022-24122 [ucount: Make get_ucount a safe get_user replacement] +CVE-2022-24122 (kernel/ucount.c in the Linux kernel 5.14 through 5.16.4, when unprivil ...) - linux [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) @@ -288,8 +312,8 @@ CVE-2022-24034 RESERVED CVE-2022-24033 RESERVED -CVE-2022-24032 - RESERVED +CVE-2022-24032 (Adenza AxiomSL ControllerView through 10.8.1 is vulnerable to user enu ...) + TODO: check CVE-2022-24031 RESERVED CVE-2022-24030 @@ -4055,8 +4079,8 @@ CVE-2022-22921 RESERVED CVE-2022-22920 RESERVED -CVE-2022-22919 - RESERVED +CVE-2022-22919 (Adenza AxiomSL ControllerView through 10.8.1 allows redirection for SS ...) + TODO: check CVE-2022-22918 RESERVED CVE-2022-22917 
@@ -23845,6 +23869,7 @@ CVE-2021-41057 (In WIBU CodeMeter Runtime before 7.30a, creating a crafted CmDon CVE-2021-41056 RESERVED CVE-2021-41055 (Gajim 1.2.x and 1.3.x before 1.3.3 allows remote attackers to cause a ...) + {DSA-5064-1} - python-nbxmpp 2.0.4-1 [buster] - python-nbxmpp (Vulnerable code not present) [stretch] - python-nbxmpp (Vulnerable code introduced later (modules added in v1.0.0)) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/94ee66c31d9fee35e9b0e43ea61ea1f69ca06d20 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/94ee66c31d9fee35e9b0e43ea61ea1f69ca06d20 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits