[Git][security-tracker-team/security-tracker][updatedocs] Update for review comments
Neil Williams pushed to branch updatedocs at Debian Security Tracker / security-tracker Commits: d188babe by Neil Williams at 2022-02-16T07:44:02+00:00 Update for review comments - - - - - 1 changed file: - doc/security-team.d.o/security_tracker Changes: = doc/security-team.d.o/security_tracker = @@ -25,10 +25,6 @@ For example, systems with some additional or modified packages compared to Debia a separate triage process for every NFU to find ones which are relevant to what has been added as well as a triage on packages which differ from Debian. -When a vulnerability relates to a package, the triage will need to include an -assessment of the severity of the vulnerability as it affects Debian. See [Severity -levels](#security-levels). - Entries in the Debian Security Tracker do not imply anything about how a vulnerability may affect systems other than Debian. @@ -437,12 +433,10 @@ assess these levels. Certain packages may get higher or lower rating than usual, based on their importance. -Assessments of severity are made against the binaries as provided by Debian. A -vulnerability where an exploit would rely on changing configuration in a non-standard -way or rebuilding the binary from source to enable|disable some feature is not -considered to be of high severity. For each vulnerability, the severity assigned within -the Debian Security Tracker only relates to how Debian views that vulnerability and how -quickly the fix may need to be applied to the specified package(s) within Debian. +Assessments of severity are made against the binaries as provided by Debian. For each +vulnerability, the severity assigned within the Debian Security Tracker only relates to +how Debian views that vulnerability and how quickly the fix may need to be applied to +the specified package(s) within Debian. ### Vulnerabilities without an assigned CVE id 
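Review bot: the hunk at @@ -25,10 removes the sentence that tells the reader a severity assessment is part of triage, and with it the `[Severity levels](#security-levels)` cross-reference; after the change the triage paragraph flows straight from NFU handling to "Entries in the Debian Security Tracker do not imply anything ..." with no pointer to where severity is decided. If the aim was only to avoid duplicating the later "Severity levels" text, keep a one-line reference such as `Severity is assessed as described in [Severity levels](#security-levels).`

Review bot: the hunk at @@ -437,12 drops the statement that an exploit relying on non-standard configuration or on rebuilding the binary to toggle a feature is not rated high severity, and nothing in the remaining text replaces it. The surviving sentence ("Assessments of severity are made against the binaries as provided by Debian") implies that policy but no longer states it; if the rule still applies, keep it in a shorter form (for example: "A vulnerability only reachable with non-default configuration or a rebuilt binary is normally not rated high."), and if it was dropped deliberately the commit message should say why.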
@@ -569,8 +563,8 @@ Summary of tracker syntax For a vulnerability in a package in Debian or proposed for introduction into Debian, the syntax should contain at least the `PKG_NAME` tabbed line and a `NOTE:` providing a -URL to the fixing commit. Other lines are added, where relevant, within the general -syntax. +URL to useful references, like commit references, bug tracker entries and advisories. +Other lines are added, where relevant, within the general syntax. CVE--NN [(description)] \t RESERVED @@ -588,7 +582,10 @@ syntax. - The pre-commit hook will check the syntax of each entry. The description of the CVE is not edited in the security tracker but it will be -shortened in the tracker page for the vulnerability. +shortened in the tracker page for the vulnerability. A temporary description can be +added with the `[description]` syntax, for example for clarification. This will not be +overridden by an automatic update unless there is a change in the description of the +CVE in the MITRE feed For ``, the comment needs to include the bug number as `(bug #NN)`. @@ -604,8 +601,9 @@ mailing list and IRC notifications (see [Automatic issue updates](#automatic-iss However, changes to the tracker website itself (e.g., the files in `lib/*` and `bin/tracker_service.py`) should be vetted and approved before being committed. The preferred way to do this is to send a patch to the -`debian-security-trac...@lists.debian.org` mailing list. +`debian-security-trac...@lists.debian.org` mailing list or a merge request in Salsa. +- [Salsa](https://salsa.debian.org/security-tracker-team/security-tracker/) - [https://lists.debian.org/debian-security-tracker/](https://lists.debian.org/debian-security-tracker/) Commits are checked for syntax errors before they are actually committed, 
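Review bot: the sentence added in the hunk at @@ -588,7 ends without a full stop ("... in the description of the CVE in the MITRE feed"). Also, `[description]` there means literal square brackets (the form used in data/CVE/list, e.g. `CVE-2022-0617 [Null pointer dereference ...]`), whereas `[(description)]` in the syntax summary two hunks above uses square brackets to mark the parenthesised MITRE description as optional; say explicitly that a temporary description is written inside square brackets so the two notations are not confused.

Review bot: in the hunk at @@ -604,8 the added clause reads "send a patch to the ... mailing list or a merge request in Salsa", which attaches "send" to the merge request as well; suggest "... mailing list, or to open a merge request on Salsa." The new `[Salsa](...)` bullet is otherwise fine.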
@@ -733,7 +731,7 @@ project. * `./bin/report-vuln` - generate the correct email body to report a bug against a source package relating to an unfixed CVE(s). -### Useful search support for checking new CVES +### Useful search support for checking new CVEs - [https://www.debian.org/distrib/packages#search_packages](https://www.debian.org/distrib/packages#search_packages) - [https://wnpp.debian.net/](https://wnpp.debian.net/) (Be aware, forwarded ITPs might View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d188babe55290bc94a7f28c6ba2e031816ceacf7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d188babe55290bc94a7f28c6ba2e031816ceacf7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5563b815 by Salvatore Bonaccorso at 2022-02-16T08:38:52+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17053,9 +17053,9 @@ CVE-2021-43955 CVE-2021-43954 RESERVED CVE-2021-43953 (Affected versions of Atlassian Jira Server and Data Center allow unaut ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2021-43952 (Affected versions of Atlassian Jira Server and Data Center allow unaut ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2021-43951 (Affected versions of Atlassian Jira Service Management Server and Data ...) NOT-FOR-US: Atlassian CVE-2021-43950 (Affected versions of Atlassian Jira Service Management Server and Data ...) @@ -18441,7 +18441,7 @@ CVE-2021-43736 CVE-2021-43735 RESERVED CVE-2021-43734 (kkFileview v4.0.0 has arbitrary file read through a directory traversa ...) - TODO: check + NOT-FOR-US: kkFileview CVE-2021-43733 RESERVED CVE-2021-43732 @@ -21230,9 +21230,9 @@ CVE-2021-43052 (The Realm Server component of TIBCO Software Inc.'s TIBCO FTL - CVE-2021-43051 (The Spotfire Server component of TIBCO Software Inc.'s TIBCO Spotfire ...) NOT-FOR-US: Spotfire Server component of TIBCO CVE-2021-43050 (The Auth Server component of TIBCO Software Inc.'s TIBCO BusinessConne ...) - TODO: check + NOT-FOR-US: TIBCO CVE-2021-43049 (The Database component of TIBCO Software Inc.'s TIBCO BusinessConnect ...) - TODO: check + NOT-FOR-US: TIBCO CVE-2021-43048 (The Interior Server and Gateway Server components of TIBCO Software In ...) NOT-FOR-US: TIBCO CVE-2021-43047 (The Interior Server and Gateway Server components of TIBCO Software In ...) 
@@ -22064,11 +22064,11 @@ CVE-2021-42715 (An issue was discovered in stb stb_image.h 1.33 through 2.27. Th NOTE: https://github.com/nothings/stb/issues/1224 NOTE: https://github.com/nothings/stb/pull/1223 CVE-2021-42714 (Splashtop Remote Client (Business Edition) through 3.4.8.3 creates a T ...) - TODO: check + NOT-FOR-US: Splashtop Remote Client CVE-2021-42713 (Splashtop Remote Client (Personal Edition) through 3.4.6.1 creates a T ...) - TODO: check + NOT-FOR-US: Splashtop Remote Client CVE-2021-42712 (Splashtop Streamer through 3.4.8.3 creates a Temporary File in a Direc ...) - TODO: check + NOT-FOR-US: Splashtop Streamer CVE-2021-42711 (Barracuda Network Access Client before 5.2.2 creates a Temporary File ...) NOT-FOR-US: Barracuda Network Access Client CVE-2021-42710 @@ -26085,7 +26085,7 @@ CVE-2021-41554 (** UNSUPPORTED WHEN ASSIGNED ** ARCHIBUS Web Central 21.3.3.815 CVE-2021-41553 (** UNSUPPORTED WHEN ASSIGNED ** In ARCHIBUS Web Central 21.3.3.815 (a ...) NOT-FOR-US: ARCHIBUS Web Central CVE-2021-41552 (CommScope URFboard SBG6950AC2 9.1.103AA23 devices allow Command Inject ...) - TODO: check + NOT-FOR-US: CommScope CVE-2021-41551 (Leostream Connection Broker 9.0.40.17 allows administrators to conduct ...) NOT-FOR-US: Leostream Connection Broker CVE-2021-41550 (Leostream Connection Broker 9.0.40.17 allows administrator to upload a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5563b815933dad925fa2ce227c8aadde567fe5a1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5563b815933dad925fa2ce227c8aadde567fe5a1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
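Review bot: in the hunk at @@ -21230,9 the two new TIBCO lines use a bare `NOT-FOR-US: TIBCO`, while the neighbouring CVE-2021-43051 line names the component (`Spotfire Server component of TIBCO`); naming the component here too (Auth Server / Database component of TIBCO BusinessConnect, as the truncated descriptions indicate) keeps the NFU lines searchable and consistent with the surrounding entries.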
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-44960/svgpp
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fcaba362 by Salvatore Bonaccorso at 2022-02-16T08:35:19+01:00 Add CVE-2021-44960/svgpp - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13649,7 +13649,8 @@ CVE-2021-44962 CVE-2021-44961 RESERVED CVE-2021-44960 (In SVGPP SVG++ library 1.3.0, the XMLDocument::getRoot function in the ...) - TODO: check + - svgpp + NOTE: https://github.com/svgpp/svgpp/issues/101 CVE-2021-44959 RESERVED CVE-2021-44958 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fcaba36296fd4d6b0ddeaa001eae92e11120f489 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fcaba36296fd4d6b0ddeaa001eae92e11120f489 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
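Review bot: the new svgpp entry in the hunk at @@ -13649,7 has a bare `- svgpp` line with no fixed version, no `[bullseye]`/`[buster]` triage and no TODO; the only NOTE is the upstream issue, so a reader cannot tell whether upstream has a fix or whether the stable suites need anything. Add a `TODO: check` (or the fixed version once upstream commits one) and suite lines, as the wireshark entry in fc32fcc4 on this page does.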
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3596/imagemagick
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b219f6b1 by Salvatore Bonaccorso at 2022-02-16T08:11:38+01:00 Add CVE-2021-3596/imagemagick - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43206,8 +43206,12 @@ CVE-2021-34560 (In PEPPERL+FUCHS WirelessHART-Gateway = 3.0.9 a form contain NOT-FOR-US: PEPPERL+FUCHS WirelessHART-Gateway CVE-2021-34559 (In PEPPERL+FUCHS WirelessHART-Gateway = 3.0.8 a vulnerability may ...) NOT-FOR-US: PEPPERL+FUCHS WirelessHART-Gateway -CVE-2021-3596 +CVE-2021-3596 [NULL pointer dereference in ReadSVGImage() in coders/svg.c] RESERVED + - imagemagick + NOTE: https://github.com/ImageMagick/ImageMagick/issues/2624 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/43dfb1894761c4929d5d5c98dc80ba4e59a0d114 + TODO: check if affects Imagemagick6 CVE-2021-3595 (An invalid pointer initialization issue was found in the SLiRP network ...) {DLA-2753-1} - libslirp 4.6.1-1 (bug #989996) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b219f6b103cc52158de3ced99f8388c41b6b8331 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b219f6b103cc52158de3ced99f8388c41b6b8331 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-3700/usbredir
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8c6d32c7 by Salvatore Bonaccorso at 2022-02-16T08:07:27+01:00 Add CVE-2021-3700/usbredir - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33392,6 +33392,8 @@ CVE-2021-3701 NOTE: https://github.com/ansible/ansible-runner/pull/742/commits/60b059f00409224acae1e417153a241c8591ad89 CVE-2021-3700 RESERVED + - usbredir 0.11.0-1 + NOTE: https://gitlab.freedesktop.org/spice/usbredir/-/commit/03c519ff5831ba75120e00ebebbf1d5a1f7220ab (usbredir-0.11.0) CVE-2021-38562 (Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4. ...) - request-tracker5 (bug #995167) - request-tracker4 4.4.4+dfsg-3 (bug #995175) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c6d32c7897bae83f53415e22119ff326e204d36 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c6d32c7897bae83f53415e22119ff326e204d36 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
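Review bot: the hunk at @@ -33392,6 records the unstable fix (`- usbredir 0.11.0-1`, with the `(usbredir-0.11.0)` tag on the commit NOTE, which is helpful) but adds no `[bullseye]`/`[buster]` lines, so both stable suites now show as vulnerable with no severity or no-dsa decision attached. Add suite triage (e.g. `[bullseye] - usbredir <no-dsa> (Minor issue)`, or a pending-fix marker) so the entry carries a decision rather than an implicit unfixed state.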
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-0585/wireshark
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fc32fcc4 by Salvatore Bonaccorso at 2022-02-16T07:47:54+01:00 Add CVE-2022-0585/wireshark - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -589,6 +589,21 @@ CVE-2022-0586 (Infinite loop in RTMPT protocol dissector in Wireshark 3.6.0 to 3 NOTE: https://www.wireshark.org/security/wnpa-sec-2022-01.html CVE-2022-0585 RESERVED + - wireshark + [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2054049 + NOTE: https://www.wireshark.org/security/wnpa-sec-2022-02.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17829 + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17842 + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17847 + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17855 + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17891 + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17925 + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17926 + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17931 + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17932 + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17933 CVE-2022-0584 RESERVED CVE-2022-0583 (Crash in the PVFS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc32fcc41043ad34e0e16068ac825804e8db1a9c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc32fcc41043ad34e0e16068ac825804e8db1a9c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
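Review bot: in the hunk at @@ -589,6 the unstable line `- wireshark` has no version although wnpa-sec-2022-02 is linked and bullseye/buster are already triaged as Minor issue; if the advisory names the fixed upstream release, record it in a NOTE so the entry does not sit as unfixed with no hint of the target version. The ten gitlab issue links also carry no annotation; a word per link (which dissector or crash each covers) would make the entry usable without opening each one.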
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2022-0617/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f73bc4d0 by Salvatore Bonaccorso at 2022-02-16T07:42:16+01:00 Update information for CVE-2022-0617/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18,7 +18,9 @@ CVE-2022-0618 RESERVED CVE-2022-0617 [Null pointer dereference can be triggered when write to an ICB inode] RESERVED - - linux + - linux 5.16.7-1 + NOTE: https://git.kernel.org/linus/7fc3b7c2981bbd1047916ade327beccb90994eee + NOTE: https://git.kernel.org/linus/ea8569194b43f0f01f0a84c689388542c7254a1f CVE-2022-0616 RESERVED CVE-2022-0615 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f73bc4d04b81daa218e28bcd28c902425cea3867 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f73bc4d04b81daa218e28bcd28c902425cea3867 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
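Review bot: the hunk at @@ -18,7 sets the unstable fixed version to 5.16.7-1 and adds the two upstream commits, but there is still no `[bullseye]`/`[buster]` line; now that a version is set, the stable kernels show as plainly vulnerable with no triage decision. Add the suite lines (fixed version, `<postponed>`/`<no-dsa>` marker, or `(Minor issue)` as appropriate) or a TODO noting that the backport status of 7fc3b7c2 and ea856919 to the stable kernels still needs checking.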
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-0617/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ddaa22bd by Salvatore Bonaccorso at 2022-02-16T07:35:49+01:00 Add CVE-2022-0617/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16,8 +16,9 @@ CVE-2022-21159 RESERVED CVE-2022-0618 RESERVED -CVE-2022-0617 +CVE-2022-0617 [Null pointer dereference can be triggered when write to an ICB inode] RESERVED + - linux CVE-2022-0616 RESERVED CVE-2022-0615 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ddaa22bd37008274fbe00699c25a8cc41563252a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ddaa22bd37008274fbe00699c25a8cc41563252a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-45005/mujs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e1a4163d by Salvatore Bonaccorso at 2022-02-16T06:51:31+01:00 Add CVE-2021-45005/mujs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13529,7 +13529,9 @@ CVE-2021-45007 CVE-2021-45006 RESERVED CVE-2021-45005 (Artifex MuJS v1.1.3 was discovered to contain a heap buffer overflow w ...) - TODO: check + - mujs + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=704749 (not public) + NOTE: http://git.ghostscript.com/?p=mujs.git;h=df8559e7bdbc6065276e78621770f28fce66 (1.2.0) CVE-2021-45004 RESERVED CVE-2021-45003 (Laundry Booking Management System 1.0 (Latest) and previous versions a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1a4163d0ef6d801d4fef2956c23041ecdfe1465 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1a4163d0ef6d801d4fef2956c23041ecdfe1465 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
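Review bot: the second NOTE in the hunk at @@ -13529,7 gives the fixing commit as `h=df8559e7bdbc6065276e78621770f28fce66`, which is 36 hex digits rather than a full 40-digit SHA-1; gitweb usually resolves an abbreviated id, but this looks like a truncated paste rather than a deliberate abbreviation, so re-check that the link resolves and prefer the full hash. The `(1.2.0)` tag is useful; the `- mujs` line still has no fixed version or suite triage, so consider adding them in the same pass.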
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d4ef1b1 by Salvatore Bonaccorso at 2022-02-16T06:42:15+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3983,9 +3983,9 @@ CVE-2022-0343 CVE-2022-0342 RESERVED CVE-2021-46558 (Multiple cross-site scripting (XSS) vulnerabilities in the Add User mo ...) - TODO: check + NOT-FOR-US: Issabel CVE-2021-46557 (Vicidial 2.14-783a was discovered to contain a cross-site scripting (X ...) - TODO: check + NOT-FOR-US: Vicidial CVE-2021-46556 (Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ...) NOT-FOR-US: Cesanta MJS CVE-2021-46555 @@ -4173,11 +4173,11 @@ CVE-2021-46465 CVE-2021-46464 RESERVED CVE-2021-46463 (njs through 0.7.1, used in NGINX, was discovered to contain a control ...) - TODO: check + NOT-FOR-US: njs CVE-2021-46462 (njs through 0.7.1, used in NGINX, was discovered to contain a segmenta ...) - TODO: check + NOT-FOR-US: njs CVE-2021-46461 (njs through 0.7.0, used in NGINX, was discovered to contain an out-of- ...) - TODO: check + NOT-FOR-US: njs CVE-2021-46460 RESERVED CVE-2021-46459 (Victor CMS v1.0 was discovered to contain multiple SQL injection vulne ...) @@ -4923,7 +4923,7 @@ CVE-2022-23639 (crossbeam-utils provides atomics, synchronization primitives, sc CVE-2022-23638 (svg-sanitizer is a SVG/XML sanitizer written in PHP. A cross-site scri ...) TODO: check CVE-2022-23637 (K-Box is a web-based application to manage documents, images, videos a ...) - TODO: check + NOT-FOR-US: K-Box CVE-2022-23636 RESERVED CVE-2022-23635 
@@ -5012,7 +5012,7 @@ CVE-2022-23606 CVE-2022-23605 (Wire webapp is a web client for the wire messaging protocol. In versio ...) NOT-FOR-US: Wire webapp CVE-2022-23604 (x26-Cogs is a repository of cogs made by Twentysix for the Red Discord ...) - TODO: check + NOT-FOR-US: x26-Cogs CVE-2022-23603 (iTunesRPC-Remastered is a discord rich presence application for use wi ...) NOT-FOR-US: iTunesRPC-Remastered CVE-2022-23602 (Nimforum is a lightweight alternative to Discourse written in Nim. In ...) @@ -5622,7 +5622,7 @@ CVE-2022-23386 CVE-2022-23385 RESERVED CVE-2022-23384 (YzmCMS v6.3 is affected by Cross Site Request Forgery (CSRF) in /admin ...) - TODO: check + NOT-FOR-US: YzmCMS CVE-2022-23383 RESERVED CVE-2022-23382 @@ -5756,7 +5756,7 @@ CVE-2022-23319 CVE-2022-23318 RESERVED CVE-2022-23317 (CobaltStrike =4.5 HTTP(S) listener does not determine whether the ...) - TODO: check + NOT-FOR-US: CobaltStrike CVE-2022-23316 (An issue was discovered in taoCMS v3.0.2. There is an arbitrary file r ...) NOT-FOR-US: taocms CVE-2022-23315 (MCMS v5.2.4 was discovered to contain an arbitrary file upload vulnera ...) @@ -7935,7 +7935,7 @@ CVE-2022-22772 CVE-2022-22771 RESERVED CVE-2022-22770 (The Web Server component of TIBCO Software Inc.'s TIBCO AuditSafe cont ...) - TODO: check + NOT-FOR-US: TIBCO CVE-2022-22769 (The Web server component of TIBCO Software Inc.'s TIBCO EBX, TIBCO EBX ...) NOT-FOR-US: TIBCO CVE-2022-22768 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d4ef1b1f50fbaef15997a687a961ed7a747b684 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d4ef1b1f50fbaef15997a687a961ed7a747b684 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-24684/nomad
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c432594d by Salvatore Bonaccorso at 2022-02-16T06:28:25+01:00 Add CVE-2022-24684/nomad - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1297,7 +1297,8 @@ CVE-2022-24686 (HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.1 CVE-2022-24685 RESERVED CVE-2022-24684 (HashiCorp Nomad and Nomad Enterprise before 1.0.17, 1.1.x before 1.1.1 ...) - TODO: check + - nomad + NOTE: https://discuss.hashicorp.com/t/hcsec-2022-04-nomad-spread-job-stanza-may-trigger-panic-in-servers/35562 CVE-2022-24683 RESERVED CVE-2022-24682 (An issue was discovered in the Calendar feature in Zimbra Collaboratio ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c432594d682c6cc81ca167802130b2ad088da589 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c432594d682c6cc81ca167802130b2ad088da589 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
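Review bot: the hunk at @@ -1297,7 adds `- nomad` with the HCSEC-2022-04 discussion link but no fixed version and no `[bullseye]`/`[buster]` triage. Add suite lines or a TODO, put the fixed upstream releases the advisory lists in a NOTE so the Debian version can be filled in once uploaded, and check that CVE-2022-24686 (same advisory batch, visible in the hunk header) is triaged the same way.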
[Git][security-tracker-team/security-tracker][master] chromium issues fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 496c07ff by Salvatore Bonaccorso at 2022-02-16T06:21:46+01:00 chromium issues fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -154,49 +154,49 @@ CVE-2022-25147 RESERVED CVE-2022-0610 RESERVED - - chromium + - chromium 98.0.4758.102-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) NOTE: https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html CVE-2022-0609 RESERVED - - chromium + - chromium 98.0.4758.102-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) NOTE: https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html CVE-2022-0608 RESERVED - - chromium + - chromium 98.0.4758.102-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) NOTE: https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html CVE-2022-0607 RESERVED - - chromium + - chromium 98.0.4758.102-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) NOTE: https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html CVE-2022-0606 RESERVED - - chromium + - chromium 98.0.4758.102-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) NOTE: https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html CVE-2022-0605 RESERVED - - chromium + - chromium 98.0.4758.102-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) NOTE: https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html CVE-2022-0604 RESERVED - - chromium + - chromium 98.0.4758.102-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) NOTE: https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html CVE-2022-0603 RESERVED - - chromium + - chromium 98.0.4758.102-1 [buster] - chromium (see DSA 5046) [stretch] - chromium (see DSA 4562) NOTE: https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/496c07ffe1a334cf94027bd5bd36366ca2087c45 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/496c07ffe1a334cf94027bd5bd36366ca2087c45 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-21698/golang-github-prometheus-client-golang
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dfa0c3b2 by Salvatore Bonaccorso at 2022-02-15T22:39:19+01:00 Add CVE-2022-21698/golang-github-prometheus-client-golang - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16832,7 +16832,10 @@ CVE-2022-21699 (IPython (Interactive Python) is a command shell for interactive NOTE: Testcase: https://github.com/ipython/ipython/commit/56665dfcf7df8690da46aab1278df8e47b14fe3b NOTE: https://ipython.readthedocs.io/en/stable/whatsnew/version8.html#ipython-8-0-1-cve-2022-21699 CVE-2022-21698 (client_golang is the instrumentation library for Go applications in Pr ...) - TODO: check + - golang-github-prometheus-client-golang + NOTE: https://github.com/prometheus/client_golang/security/advisories/GHSA-cg3q-j54f-5p7p + NOTE: https://github.com/prometheus/client_golang/pull/962 + NOTE: https://github.com/prometheus/client_golang/pull/987 CVE-2022-21697 (Jupyter Server Proxy is a Jupyter notebook server extension to proxy w ...) TODO: check CVE-2022-21696 (OnionShare is an open source tool that lets you securely and anonymous ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dfa0c3b26af9e39b6abc11ef32b3380e03e84e05 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dfa0c3b26af9e39b6abc11ef32b3380e03e84e05 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
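Review bot: the hunk at @@ -16832,7 cites two pull requests (#962 and #987) without saying which is the fix and which the follow-up, and the `- golang-github-prometheus-client-golang` line has no fixed version or suite triage. Annotate the PR notes (e.g. `NOTE: Fixed by: ...` / `NOTE: Follow-up: ...`), and since this is a Go library that is statically linked into its reverse dependencies, a NOTE listing the binaries that need a rebuild would make the entry actionable.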
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2924-1 for libxstream-java
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: def4d7cf by Chris Lamb at 2022-02-15T13:34:09-08:00 Reserve DLA-2924-1 for libxstream-java - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[15 Feb 2022] DLA-2924-1 libxstream-java - security update + {CVE-2021-43859} + [stretch] - libxstream-java 1.4.11.1-1+deb9u5 [15 Feb 2022] DLA-2923-1 h2database - security update {CVE-2021-42392 CVE-2022-23221} [stretch] - h2database 1.4.193-1+deb9u1 = data/dla-needed.txt = @@ -52,8 +52,6 @@ libarchive (Thorsten Alteholz) libgit2 (Utkarsh) NOTE: 20220208: got clearance. will upload this week. (utkarsh) -- -libxstream-java (Chris Lamb) --- linux (Ben Hutchings) -- linux-4.19 (Ben Hutchings) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/def4d7cf001d3d77c647504f9b1de77ba5b8664e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/def4d7cf001d3d77c647504f9b1de77ba5b8664e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2012-4427/gnome-shell
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a25aed1e by Salvatore Bonaccorso at 2022-02-15T22:23:12+01:00 Update information for CVE-2012-4427/gnome-shell The problem is with GNOME Shell's NPAPI browser extension which is not shipped anymore since GNOME 3.32. We can thus mark the first version landing in unstable as fixed, which was 3.34.0-2. Thanks: Simon McVittie for the update. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -431279,10 +431279,11 @@ CVE-2012-4428 (openslp: SLPIntersectStringList()' Function has a DoS vulnerabili [squeeze] - openslp-dfsg (Minor issue) [wheezy] - openslp-dfsg (Minor issue) CVE-2012-4427 (The gnome-shell plugin 3.4.1 in GNOME allows remote attackers to force ...) - - gnome-shell (unimportant) + - gnome-shell 3.34.0-2 (unimportant) NOTE: I don't see much of a problem here, if you install from a repo, you need to trust it NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=684215 - NOTE: As far as I can see there is still a yes/no prompt for the user. I suggest unfixed unimportant. -- helmut + NOTE: Problem with GNOME Shell's NPAPI browser extension which is not shipped + NOTE: anymore since GNOME 3.32. CVE-2012-4426 (Multiple format string vulnerabilities in mcrypt 2.6.8 and earlier mig ...) - mcrypt 2.6.8-1.1 [squeeze] - mcrypt (minor issue, it doesn't affect libmcrypt) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a25aed1e18e4b61cd3167b9d27b12bde48545361 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a25aed1e18e4b61cd3167b9d27b12bde48545361 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
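Review bot: in the hunk at @@ -431279,10 the new NOTE says the NPAPI extension has not been shipped since GNOME 3.32, while the fixed version is recorded as 3.34.0-2; the commit message explains that 3.34.0-2 was the first version to land in unstable, but that reasoning is not in the tracker entry, so the mismatch will look like an error to the next reader. Add the explanation to the NOTE (e.g. `NOTE: first version in unstable without the extension was 3.34.0-2`). Dropping the older "still a yes/no prompt" note is fine since it no longer applies.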
[Git][security-tracker-team/security-tracker][master] Add three new pluxml issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ab2d457f by Salvatore Bonaccorso at 2022-02-15T21:58:05+01:00 Add three new pluxml issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1604,11 +1604,17 @@ CVE-2022-24589 (Burden v3.0 was discovered to contain a stored cross-site script CVE-2022-24588 (Flatpress v1.2.1 was discovered to contain a cross-site scripting (XSS ...) NOT-FOR-US: Flatpress CVE-2022-24587 (A stored cross-site scripting (XSS) vulnerability in the component cor ...) - TODO: check + - pluxml + NOTE: https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24587/CVE-2022-24587.pdf + TODO: check if reported upstream CVE-2022-24586 (A stored cross-site scripting (XSS) vulnerability in the component /co ...) - TODO: check + - pluxml + NOTE: https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24586/CVE-2022-24586.pdf + TODO: check if reported upstream CVE-2022-24585 (A stored cross-site scripting (XSS) vulnerability in the component /co ...) - TODO: check + - pluxml + NOTE: https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24585/CVE-2022-24585.pdf + TODO: check if reported upstream CVE-2022-24584 RESERVED CVE-2022-24583 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab2d457f98f293f3cbdcf31d94df7e09b34a5231 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab2d457f98f293f3cbdcf31d94df7e09b34a5231 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 24d6331c by Salvatore Bonaccorso at 2022-02-15T21:57:34+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -563,7 +563,7 @@ CVE-2022-24990 CVE-2022-24989 RESERVED CVE-2022-24988 (In galois_2p8 before 0.1.2, PrimitivePolynomialField::new has an off-b ...) - TODO: check + NOT-FOR-US: galois_2p8 CVE-2022-24987 RESERVED CVE-2022-24986 @@ -1200,9 +1200,9 @@ CVE-2022-24707 CVE-2022-24706 RESERVED CVE-2022-24705 (The rad_packet_recv function in radius/packet.c suffers from a memcpy ...) - TODO: check + NOT-FOR-US: ACCEL-PPP CVE-2022-24704 (The rad_packet_recv function in opt/src/accel-pppd/radius/packet.c suf ...) - TODO: check + NOT-FOR-US: ACCEL-PPP CVE-2022-23922 RESERVED CVE-2022-23104 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/24d6331cc517f9ffc1a631161df1774bd06f5f4b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/24d6331cc517f9ffc1a631161df1774bd06f5f4b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
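Review bot: `NOT-FOR-US: galois_2p8` is only correct if no Debian package ships that crate; the `PrimitivePolynomialField::new` in the CVE description marks it as a Rust library, and Rust crates do get packaged under `librust-*` names, so a quick check against the package archive is worth recording in the commit or a NOTE before the entry is closed as NFU.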
[Git][security-tracker-team/security-tracker][master] Update note for CVE-2022-0563/util-linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b46f327d by Salvatore Bonaccorso at 2022-02-15T21:44:53+01:00 Update note for CVE-2022-0563/util-linux Unfortunately the situation is complicated. util-linux is compiled with readline support. But additionally it is configured with --disable-chfn-chsh. The chfn and chsh utilities are until now provided by src:shadow (and the passwd binary package). - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1213,7 +1213,8 @@ CVE-2022-0563 [partial disclosure of arbitrary files in chfn and chsh when compi NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2053151 NOTE: https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoi...@ws.net.home/T/#u NOTE: https://github.com/util-linux/util-linux/commit/faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17 - NOTE: util-linux in Debian not built with readline support + NOTE: util-linux in Debian does build with readline support but chfn and chsh are provided + NOTE: by src:shadow and util-linux is configured with --disable-chfn-chsh CVE-2022-0562 (Null source pointer passed as an argument to memcpy() function within ...) - tiff 4.3.0-4 [bullseye] - tiff (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b46f327d060e2ef661451e76273d97ad9c7b18be -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b46f327d060e2ef661451e76273d97ad9c7b18be You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
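Review bot: the rewritten NOTE explains why the util-linux binaries are unaffected (readline is linked, but chfn/chsh are disabled via `--disable-chfn-chsh`), yet it leaves the obvious follow-up open: whether the chfn and chsh that Debian actually ships from src:shadow (the passwd binary package) are built against readline at all. Since the vulnerability is "partial disclosure of arbitrary files in chfn and chsh when compi[led ...]", suggest a third NOTE line stating that explicitly, e.g. `NOTE: the shadow-provided chfn/chsh do not use readline`, or a separate entry against shadow if they do; otherwise a reader cannot tell whether the issue is fully closed for Debian.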
[Git][security-tracker-team/security-tracker][master] Re-associate four CVEs with pluxml
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bd3cfe04 by Salvatore Bonaccorso at 2022-02-15T21:28:53+01:00 Re-associate four CVEs with pluxml - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -430448,9 +430448,9 @@ CVE-2012-4677 (Tunnelblick 3.3beta20 and earlier allows local users to gain priv CVE-2012-4676 (The errorExitIfAttackViaString function in Tunnelblick 3.3beta20 and e ...) NOT-FOR-US: Tunnelblick CVE-2012-4675 (Cross-site scripting (XSS) vulnerability in PluXml 5.1.6 allows remote ...) - NOT-FOR-US: PluXml + - pluxml CVE-2012-4674 (PluXml before 5.1.6 allows remote attackers to obtain the installation ...) - NOT-FOR-US: PluXml + - pluxml CVE-2012-4673 (SQL injection vulnerability in application/controllers/invoice.php in ...) NOT-FOR-US: Neoinvoice CVE-2012-4672 (Apple iChat Server does not verify that a request was made for an XMPP ...) @@ -509004,7 +509004,7 @@ CVE-2007-3543 (Unrestricted file upload vulnerability in WordPress before 2.2.1 - wordpress 2.2.1-1 [etch] - wordpress (Vulnerable code not present) CVE-2007-3542 (Cross-site scripting (XSS) vulnerability in admin/auth.php in Pluxml 0 ...) - NOT-FOR-US: Pluxml + - pluxml CVE-2007-3541 (Cross-site scripting (XSS) vulnerability in Kurinton sHTTPd 20070408 a ...) NOT-FOR-US: Kurinton sHTTPd CVE-2007-3540 (Multiple cross-site scripting (XSS) vulnerabilities in search.asp in r ...) 
@@ -509341,7 +509341,7 @@ CVE-2007-3434 (index.php in Pharmacy System 2 and earlier allows remote attacker CVE-2007-3433 (SQL injection vulnerability in index.php in Pharmacy System 2 and earl ...) NOT-FOR-US: Pharmacy System CVE-2007-3432 (Unrestricted file upload vulnerability in admin/images.php in Pluxml 0 ...) - NOT-FOR-US: Pluxml + - pluxml CVE-2007-3431 (PHP remote file inclusion vulnerability in cal.func.php in Valerio Cap ...) NOT-FOR-US: Dagger CVE-2007-3430 (SQL injection vulnerability in index.php in Simple Invoices 2007 05 25 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bd3cfe045a7309df3a19ad041f6ca4a58b37cf93 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bd3cfe045a7309df3a19ad041f6ca4a58b37cf93 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
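Review bot: switching these four 2007/2012 CVEs from `NOT-FOR-US: PluXml` to a bare `- pluxml` with no fixed version records them as unfixed in unstable and every suite, although the descriptions themselves bound the affected versions ("PluXml before 5.1.6", "PluXml 5.1.6", "Pluxml 0..."). Each entry needs either a fixed version in the form `- pluxml <version>` or a suite/unstable annotation such as `<not-affected>` with a NOTE saying the packaged version postdates the upstream fix; as committed they will all appear as open issues against the package.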
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1d551301 by Salvatore Bonaccorso at 2022-02-15T21:24:40+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -261,7 +261,7 @@ CVE-2022-25141 CVE-2022-25140 RESERVED CVE-2022-25139 (njs through 0.7.0, used in NGINX, was discovered to contain a heap use ...) - TODO: check + NOT-FOR-US: njs CVE-2022-25138 RESERVED CVE-2022-25137 @@ -1597,11 +1597,11 @@ CVE-2022-24592 CVE-2022-24591 RESERVED CVE-2022-24590 (A stored cross-site scripting (XSS) vulnerability in the Add Link func ...) - TODO: check + NOT-FOR-US: BackdropCMS CVE-2022-24589 (Burden v3.0 was discovered to contain a stored cross-site scripting (X ...) - TODO: check + NOT-FOR-US: Burden CVE-2022-24588 (Flatpress v1.2.1 was discovered to contain a cross-site scripting (XSS ...) - TODO: check + NOT-FOR-US: Flatpress CVE-2022-24587 (A stored cross-site scripting (XSS) vulnerability in the component cor ...) TODO: check CVE-2022-24586 (A stored cross-site scripting (XSS) vulnerability in the component /co ...) 
@@ -2711,9 +2711,9 @@ CVE-2022-24229 CVE-2022-24228 RESERVED CVE-2022-24227 (A cross-site scripting (XSS) vulnerability in BoltWire v7.10 allows at ...) - TODO: check + NOT-FOR-US: BoltWire CVE-2022-24226 (Hospital Management System v4.0 was discovered to contain a blind SQL ...) - TODO: check + NOT-FOR-US: Hospital Management System CVE-2022-24225 RESERVED CVE-2022-24224 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d551301433b93b46198ad55840102bc81eb0e29 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d551301433b93b46198ad55840102bc81eb0e29 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
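Review bot: `NOT-FOR-US: njs` for CVE-2022-25139 deserves a one-line justification in the first hunk, because the description says njs is "used in NGINX" and nginx is a Debian package; if Debian's nginx does not build or ship the njs module, a `NOTE:` saying so keeps the question from being re-raised at the next triage. The remaining NFUs in the hunk (BackdropCMS, Burden, Flatpress, BoltWire, Hospital Management System) are self-explanatory.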
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 151f7195 by Salvatore Bonaccorso at 2022-02-15T21:21:14+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2022-25209 (Jenkins Chef Sinatra Plugin 1.20 and earlier does not configure its XM ...) - TODO: check + NOT-FOR-US: Jenkins Chef Sinatra Plugin CVE-2022-25175 (Jenkins Pipeline: Multibranch Plugin 706.vd43c65dec013 and earlier use ...) - TODO: check + NOT-FOR-US: Jenkins Pipeline: Multibranch Plugin CVE-2022-25169 RESERVED CVE-2022-25168 @@ -211,9 +211,9 @@ CVE-2022-0599 CVE-2022-0598 RESERVED CVE-2022-0597 (Open Redirect in Packagist microweber/microweber prior to 1.2.11. ...) - TODO: check + NOT-FOR-US: microweber CVE-2022-0596 (Business Logic Errors in Packagist microweber/microweber prior to 1.2. ...) - TODO: check + NOT-FOR-US: microweber CVE-2022-0595 RESERVED CVE-2022-0594 @@ -227,11 +227,11 @@ CVE-2022-0591 CVE-2022-0590 RESERVED CVE-2022-0589 (Cross-site Scripting (XSS) - Stored in Packagist librenms/librenms pri ...) - TODO: check + NOT-FOR-US: LibreNMS CVE-2022-0588 (Exposure of Sensitive Information to an Unauthorized Actor in Packagis ...) - TODO: check + NOT-FOR-US: LibreNMS CVE-2022-0587 (Improper Authorization in Packagist librenms/librenms prior to 22.2.0. ...) - TODO: check + NOT-FOR-US: LibreNMS CVE-2021-46687 RESERVED CVE-2021-46270 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/151f71959838da4e5e543773e2764127a7d66fb4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/151f71959838da4e5e543773e2764127a7d66fb4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reference upcoming TALOS advisories for gerbv issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 743587fc by Salvatore Bonaccorso at 2022-02-15T21:15:44+01:00 Reference upcoming TALOS advisories for gerbv issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28904,6 +28904,7 @@ CVE-2021-40402 RESERVED - gerbv NOTE: https://github.com/gerbv/gerbv/issues/80 + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1416 CVE-2021-40401 (A use-after-free vulnerability exists in the RS-274X aperture definiti ...) - gerbv NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1415 @@ -28913,6 +28914,7 @@ CVE-2021-40400 RESERVED - gerbv NOTE: https://github.com/gerbv/gerbv/issues/79 + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1413 CVE-2021-40399 RESERVED CVE-2021-40398 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/743587fc9e6e326398913e8d300262cfc5e08490 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/743587fc9e6e326398913e8d300262cfc5e08490 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f8748a52 by security tracker role at 2022-02-15T20:11:23+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,78 +1,110 @@ -CVE-2022-25212 +CVE-2022-25209 (Jenkins Chef Sinatra Plugin 1.20 and earlier does not configure its XM ...) + TODO: check +CVE-2022-25175 (Jenkins Pipeline: Multibranch Plugin 706.vd43c65dec013 and earlier use ...) + TODO: check +CVE-2022-25169 + RESERVED +CVE-2022-25168 + RESERVED +CVE-2022-25167 + RESERVED +CVE-2022-24435 + RESERVED +CVE-2022-23986 + RESERVED +CVE-2022-21159 + RESERVED +CVE-2022-0618 + RESERVED +CVE-2022-0617 + RESERVED +CVE-2022-0616 + RESERVED +CVE-2022-0615 + RESERVED +CVE-2022-0614 + RESERVED +CVE-2022-0613 + RESERVED +CVE-2021-4220 + RESERVED +CVE-2021-4219 + RESERVED +CVE-2022-25212 (A cross-site request forgery (CSRF) vulnerability in Jenkins SWAMP Plu ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25211 +CVE-2022-25211 (A missing permission check in Jenkins SWAMP Plugin 1.2.6 and earlier a ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25210 +CVE-2022-25210 (Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier uses static ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25208 +CVE-2022-25208 (A missing permission check in Jenkins Chef Sinatra Plugin 1.20 and ear ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25207 +CVE-2022-25207 (A cross-site request forgery (CSRF) vulnerability in Jenkins Chef Sina ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25206 +CVE-2022-25206 (A missing check in Jenkins dbCharts Plugin 0.5.2 and earlier allows at ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25205 +CVE-2022-25205 (A cross-site request forgery (CSRF) vulnerability in Jenkins dbCharts ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25204 +CVE-2022-25204 (Jenkins Doktor Plugin 0.4.1 and earlier implements functionality that ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25203 +CVE-2022-25203 (Jenkins Team Views Plugin 0.9.0 and earlier does not escape team names ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25202 +CVE-2022-25202 (Jenkins Promoted Builds (Simple) Plugin 1.9 and earlier does not escap ...) 
NOT-FOR-US: Jenkins plugin -CVE-2022-25201 +CVE-2022-25201 (Missing permission checks in Jenkins Checkmarx Plugin 2022.1.2 and ear ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25200 +CVE-2022-25200 (A cross-site request forgery (CSRF) vulnerability in Jenkins Checkmarx ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25199 +CVE-2022-25199 (A missing permission check in Jenkins SCP publisher Plugin 1.8 and ear ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25198 +CVE-2022-25198 (A cross-site request forgery (CSRF) vulnerability in Jenkins SCP publi ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25197 +CVE-2022-25197 (Jenkins HashiCorp Vault Plugin 336.v182c0fbaaeb7 and earlier implement ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25196 +CVE-2022-25196 (Jenkins GitLab Authentication Plugin 1.13 and earlier records the HTTP ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25195 +CVE-2022-25195 (A missing permission check in Jenkins autonomiq Plugin 1.15 and earlie ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25194 +CVE-2022-25194 (A cross-site request forgery (CSRF) vulnerability in Jenkins autonomiq ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25193 +CVE-2022-25193 (Missing permission checks in Jenkins Snow Commander Plugin 2.0 and ear ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25192 +CVE-2022-25192 (A cross-site request forgery (CSRF) vulnerability in Jenkins Snow Comm ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25191 +CVE-2022-25191 (Jenkins Agent Server Parameter Plugin 1.0 and earlier does not escape ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25190 +CVE-2022-25190 (A missing permission check in Jenkins Conjur Secrets Plugin 1.0.11 and ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25189 +CVE-2022-25189 (Jenkins Custom Checkbox Parameter Plugin 1.1 and earlier does not esca ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25188 +CVE-2022-25188 (Jenkins Fortify Plugin 20.2.34 and earlier does not sanitize the appNa ...) 
NOT-FOR-US: Jenkins plugin -CVE-2022-25187 +CVE-2022-25187 (Jenkins Support Core Plugin 2.79 and earlier does not redact some sens ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25186 +CVE-2022-25186 (Jenkins HashiCorp Vault Plugin 3.8.0 and earlier implements functional ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25185 +CVE-2022-25185 (Jenkins Generic Webhook Trigger Plugin 1.81 and earlier does not escap ...) NOT-FOR-US: Jenkins plugin -CVE-2022-25184 +CVE-2022-25184 (Jenkins
[Git][security-tracker-team/security-tracker][master] librecad DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b6c2dced by Moritz Mühlenhoff at 2022-02-15T20:03:10+01:00 librecad DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[15 Feb 2022] DSA-5077-1 librecad - security update + {CVE-2021-21898 CVE-2021-21899 CVE-2021-21900 CVE-2021-45341 CVE-2021-45342 CVE-2021-45343} + [buster] - librecad 2.1.3-1.2+deb10u1 + [bullseye] - librecad 2.1.3-1.3+deb11u1 [15 Feb 2022] DSA-5076-1 h2database - security update {CVE-2021-42392 CVE-2022-23221} [buster] - h2database 1.4.197-4+deb10u1 = data/dsa-needed.txt = @@ -20,9 +20,6 @@ condor -- faad2/oldstable (jmm) -- -librecad - Aron Xu proposed update for {bullseye,buster}-security for review --- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v4.19.y versions. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6c2dcedc9c1801b061a70491f4e7720c9e30611 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6c2dcedc9c1801b061a70491f4e7720c9e30611 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
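Review bot: the DSA-5077-1 entry lists six CVEs with buster/bullseye versions `2.1.3-1.2+deb10u1` and `2.1.3-1.3+deb11u1`, but the commit touches only data/DSA/list and data/dsa-needed.txt; the matching `[buster]`/`[bullseye]` fixed versions for those six CVE-2021-21898..CVE-2021-45343 entries in data/CVE/list are not in this diff, so either they were committed separately or the CVE entries still show the suites as vulnerable. The dsa-needed.txt removal drops the "Aron Xu proposed update ... for review" note together with the package, which is the right cleanup once the DSA is out.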
[Git][security-tracker-team/security-tracker][master] one qemu issue n/a for buster
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 88b2a0ed by Moritz Muehlenhoff at 2022-02-15T18:48:49+01:00 one qemu issue n/a for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3732,6 +3732,7 @@ CVE-2022-0359 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to CVE-2022-0358 RESERVED - qemu + [buster] - qemu (Vulnerable code not present) [stretch] - qemu (virtiofsd added in 5.0) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2044863 NOTE: https://gitlab.com/qemu-project/qemu/-/commit/449e8171f96a6a944d1f3b7d3627ae059eae21ca View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88b2a0edeff86444e9f6c80a442ba6bd59704b9a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88b2a0edeff86444e9f6c80a442ba6bd59704b9a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
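Review bot: the new `[buster] - qemu (Vulnerable code not present)` sits directly above `[stretch] - qemu (virtiofsd added in 5.0)`, which gives the concrete reason; using the same wording for buster (`virtiofsd added in 5.0`) states why the code is absent and lets a reader check it against the buster qemu version without opening the package, instead of leaving the two suites with different justifications for the same fact.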
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1caf80a4 by Moritz Muehlenhoff at 2022-02-15T17:17:32+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,79 @@ +CVE-2022-25212 + NOT-FOR-US: Jenkins plugin +CVE-2022-25211 + NOT-FOR-US: Jenkins plugin +CVE-2022-25210 + NOT-FOR-US: Jenkins plugin +CVE-2022-25208 + NOT-FOR-US: Jenkins plugin +CVE-2022-25207 + NOT-FOR-US: Jenkins plugin +CVE-2022-25206 + NOT-FOR-US: Jenkins plugin +CVE-2022-25205 + NOT-FOR-US: Jenkins plugin +CVE-2022-25204 + NOT-FOR-US: Jenkins plugin +CVE-2022-25203 + NOT-FOR-US: Jenkins plugin +CVE-2022-25202 + NOT-FOR-US: Jenkins plugin +CVE-2022-25201 + NOT-FOR-US: Jenkins plugin +CVE-2022-25200 + NOT-FOR-US: Jenkins plugin +CVE-2022-25199 + NOT-FOR-US: Jenkins plugin +CVE-2022-25198 + NOT-FOR-US: Jenkins plugin +CVE-2022-25197 + NOT-FOR-US: Jenkins plugin +CVE-2022-25196 + NOT-FOR-US: Jenkins plugin +CVE-2022-25195 + NOT-FOR-US: Jenkins plugin +CVE-2022-25194 + NOT-FOR-US: Jenkins plugin +CVE-2022-25193 + NOT-FOR-US: Jenkins plugin +CVE-2022-25192 + NOT-FOR-US: Jenkins plugin +CVE-2022-25191 + NOT-FOR-US: Jenkins plugin +CVE-2022-25190 + NOT-FOR-US: Jenkins plugin +CVE-2022-25189 + NOT-FOR-US: Jenkins plugin +CVE-2022-25188 + NOT-FOR-US: Jenkins plugin +CVE-2022-25187 + NOT-FOR-US: Jenkins plugin +CVE-2022-25186 + NOT-FOR-US: Jenkins plugin +CVE-2022-25185 + NOT-FOR-US: Jenkins plugin +CVE-2022-25184 + NOT-FOR-US: Jenkins plugin +CVE-2022-25183 + NOT-FOR-US: Jenkins plugin +CVE-2022-25182 + NOT-FOR-US: Jenkins plugin +CVE-2022-25181 + NOT-FOR-US: Jenkins plugin +CVE-2022-25180 + NOT-FOR-US: Jenkins plugin +CVE-2022-25179 + NOT-FOR-US: Jenkins plugin +CVE-2022-25178 + NOT-FOR-US: Jenkins plugin +CVE-2022-25177 + NOT-FOR-US: Jenkins plugin +CVE-2022-25176 + NOT-FOR-US: Jenkins plugin +CVE-2022-25174 + NOT-FOR-US: Jenkins plugin +CVE-2022-25173 + NOT-FOR-US: Jenkins plugin CVE-2022-25166 RESERVED CVE-2022-25165 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1caf80a42379c1424893eb6115bb65a414e00b17 -- View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1caf80a42379c1424893eb6115bb65a414e00b17 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
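Review bot: the block marks CVE-2022-25173 through CVE-2022-25212 as `NOT-FOR-US: Jenkins plugin` but skips CVE-2022-25175 and CVE-2022-25209 inside that range; the following automatic update then introduces both as `TODO: check` and they are triaged a second time as Jenkins plugins. If the gap was deliberate (IDs not yet published at the time), a short NOTE would have saved the re-triage; otherwise they belong in the same batch.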
[Git][security-tracker-team/security-tracker][master] atheme-services fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c604aeb by Moritz Muehlenhoff at 2022-02-15T17:13:23+01:00 atheme-services fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -513,7 +513,7 @@ CVE-2022-0579 (Improper Privilege Management in Packagist snipe/snipe-it prior t CVE-2022-0578 RESERVED CVE-2022-24976 (Atheme IRC Services before 7.2.12, when used in conjunction with InspI ...) - - atheme-services + - atheme-services 7.2.12-1 [bullseye] - atheme-services (Minor issue; can be fixed via point release) [buster] - atheme-services (Minor issue; can be fixed via point release) [stretch] - atheme-services (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c604aeb4eef3c2b80c147feb0f9319955132440 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c604aeb4eef3c2b80c147feb0f9319955132440 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: reclaim gpac
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: e59da219 by Roberto C. Sánchez at 2022-02-15T10:34:08-05:00 LTS: reclaim gpac - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -36,7 +36,7 @@ gif2apng (Anton) NOTE: 20220114: orphaned package with inactive upstream, maybe coordinate with Debian QA to write our own patches (Beuc) NOTE: 20220114: CVEs unrelated to apng2gif's (Beuc) -- -gpac +gpac (Roberto C. Sánchez) NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto) NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto) NOTE: 20211228: Returning to active work on this now that llvm/rustc update is complete (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e59da219744b40a794c0833b7455f73ba2d40593 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e59da219744b40a794c0833b7455f73ba2d40593 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: f6d728c8 by Neil Williams at 2022-02-15T15:11:42+00:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16918,11 +16918,11 @@ CVE-2021-43952 (Affected versions of Atlassian Jira Server and Data Center allow CVE-2021-43951 (Affected versions of Atlassian Jira Service Management Server and Data ...) NOT-FOR-US: Atlassian CVE-2021-43950 (Affected versions of Atlassian Jira Service Management Server and Data ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2021-43949 (Affected versions of Atlassian Jira Service Management Server and Data ...) NOT-FOR-US: Atlassian CVE-2021-43948 (Affected versions of Atlassian Jira Service Management Server and Data ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2021-43947 (Affected versions of Atlassian Jira Server and Data Center allow remot ...) NOT-FOR-US: Atlassian CVE-2021-43946 (Affected versions of Atlassian Jira Server and Data Center allow authe ...) @@ -16936,9 +16936,9 @@ CVE-2021-43943 CVE-2021-43942 (Affected versions of Atlassian Jira Server and Data Center allow remot ...) NOT-FOR-US: Atlassian CVE-2021-43941 (Affected versions of Atlassian Jira Server and Data Center allow remot ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2021-43940 (Affected versions of Atlassian Confluence Server and Data Center allow ...) - TODO: check + NOT-FOR-US: Atlassian Confluence CVE-2021-43939 RESERVED CVE-2021-43938 
@@ -20935,7 +20935,7 @@ CVE-2021-43108 CVE-2021-43107 RESERVED CVE-2021-43106 (A Header Injection vulnerability exists in Compass Plus TranzWare Onli ...) - TODO: check + NOT-FOR-US: Compass Plus TranzWare CVE-2021-43105 RESERVED CVE-2021-43104 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6d728c8fc52e445506ef13ae6c9876c204ce476 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6d728c8fc52e445506ef13ae6c9876c204ce476 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2021-32036/mongodb
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 69a0a858 by Neil Williams at 2022-02-15T15:02:00+00:00 CVE-2021-32036/mongodb removed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -49336,7 +49336,9 @@ CVE-2021-32037 (An authorized user may trigger an invariant which may result in [stretch] - mongodb (https://lists.debian.org/debian-lts/2020/11/msg00058.html) NOTE: https://jira.mongodb.org/browse/SERVER-59071 CVE-2021-32036 (An authenticated user without any specific authorizations may be able ...) - TODO: check + - mongodb + [stretch] - mongodb (https://lists.debian.org/debian-lts/2020/11/msg00058.html) + NOTE: https://jira.mongodb.org/browse/SERVER-59294 CVE-2021-32035 RESERVED CVE-2021-32034 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69a0a85851a31ea909a9580dd1d7eb76260518af -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69a0a85851a31ea909a9580dd1d7eb76260518af You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
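Review bot: the commit message reads `CVE-2021-32036/mongodb removed`, but the hunk adds an association rather than removing one: a bare `- mongodb` plus a `[stretch]` line replace the `TODO: check`. The stretch line mirrors the CVE-2021-32037 entry above, which is consistent, but with no fixed version and no annotation for the other suites the entry reads as open against unstable; if "removed" refers to mongodb having been removed from Debian, a NOTE stating that (and an `<removed>` annotation where applicable) would make the entry match the commit message.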
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 98967047 by Neil Williams at 2022-02-15T14:54:16+00:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -54122,15 +54122,15 @@ CVE-2021-30328 CVE-2021-30327 RESERVED CVE-2021-30326 (Possible assertion due to improper size validation while processing th ...) - TODO: check + NOT-FOR-US: Qualcomm CVE-2021-30325 (Possible out of bound access of DCI resources due to lack of validatio ...) - TODO: check + NOT-FOR-US: Qualcomm CVE-2021-30324 (Possible out of bound write due to lack of boundary check for the maxi ...) - TODO: check + NOT-FOR-US: Qualcomm CVE-2021-30323 (Improper validation of maximum size of data write to EFS file can lead ...) - TODO: check + NOT-FOR-US: Qualcomm CVE-2021-30322 (Possible out of bounds write due to improper validation of number of G ...) - TODO: check + NOT-FOR-US: Qualcomm CVE-2021-30321 (Possible buffer overflow due to lack of parameter length check during ...) NOT-FOR-US: Snapdragon CVE-2021-30320 @@ -54138,9 +54138,9 @@ CVE-2021-30320 CVE-2021-30319 (Possible integer overflow due to improper validation of command length ...) NOT-FOR-US: Qualcomm CVE-2021-30318 (Improper validation of input when provisioning the HDCP key can lead t ...) - TODO: check + NOT-FOR-US: Qualcomm CVE-2021-30317 (Improper validation of program headers containing ELF metadata can lea ...) - TODO: check + NOT-FOR-US: Qualcomm CVE-2021-30316 (Possible out of bound memory access due to improper boundary check whi ...) NOT-FOR-US: Snapdragon CVE-2021-30315 (Improper handling of sensor HAL structure in absence of sensor can lea ...) 
@@ -54156,7 +54156,7 @@ CVE-2021-30311 (Possible heap overflow due to lack of index validation before al CVE-2021-30310 (Possible buffer overflow due to Improper validation of received CF-ACK ...) NOT-FOR-US: Qualcomm components for Android CVE-2021-30309 (Improper size validation of QXDM commands can lead to memory corruptio ...) - TODO: check + NOT-FOR-US: Qualcomm CVE-2021-30308 (Possible buffer overflow while printing the HARQ memory partition deta ...) NOT-FOR-US: Qualcomm CVE-2021-30307 (Possible denial of service due to improper validation of DNS response ...) @@ -63349,13 +63349,13 @@ CVE-2021-26618 CVE-2021-26617 RESERVED CVE-2021-26616 (An OS command injection was found in SecuwaySSL, when special characte ...) - TODO: check + NOT-FOR-US: SecuwaySSL client for MacOS CVE-2021-26615 (ARK library allows attackers to execute remote code via the parameter( ...) NOT-FOR-US: ARK library CVE-2021-26614 (ius_get.cgi in IpTime C200 camera allows remote code execution. A remo ...) NOT-FOR-US: IpTime C200 camera CVE-2021-26613 (improper input validation vulnerability in nexacro permits copying fil ...) - TODO: check + NOT-FOR-US: Tobesoft Nexacro CVE-2021-26612 (An improper input validation leading to arbitrary file creation was di ...) NOT-FOR-US: Tobesoft Nexacro CVE-2021-26611 (HejHome GKW-IC052 IP Camera contained a hard-coded credentials vulnera ...) @@ -65000,7 +65000,7 @@ CVE-2021-25994 (In Userfrosting, versions v0.3.1 to v4.6.2 are vulnerable to Hos CVE-2021-25993 (In Requarks wiki.js, versions 2.0.0-beta.147 to 2.5.255 are affected b ...) NOT-FOR-US: Requarks wiki.js CVE-2021-25992 (In Ifme, versions 1.0.0 to v.7.33.2 dont properly invalidate a ...) - TODO: check + NOT-FOR-US: Ifme CVE-2021-25991 (In Ifme, versions v5.0.0 to v7.32 are vulnerable against an improper a ...) NOT-FOR-US: Ifme CVE-2021-25990 (In ifme, versions v7.22.0 to v7.31.4 are vulnerable agai ...) 
@@ -70823,7 +70823,7 @@ CVE-2021-23557 CVE-2021-23556 RESERVED CVE-2021-23555 (The package vm2 before 3.9.6 are vulnerable to Sandbox Bypass via dire ...) - TODO: check + NOT-FOR-US: Node vm2 CVE-2021-23554 RESERVED CVE-2021-23553 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/989670471cc921ba746b6efa9da9737faadfc5c3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/989670471cc921ba746b6efa9da9737faadfc5c3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Allow merge-cve-files to let RESERVED through
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 001347cd by Neil Williams at 2022-02-15T14:31:42+00:00 Allow merge-cve-files to let RESERVED through Avoid merge-cve-files stumbling over FlagAnnotations like RESERVED and REJECTED. Also add code to tidy up the .xpck files that can be generated by the merge process. - - - - - 1 changed file: - bin/merge-cve-files Changes: = bin/merge-cve-files = @@ -6,7 +6,7 @@ # Copyright © 2020 Emilio Pozuelo Monfort # Copyright (c) 2021-2022 Neil Williams -import os.path +import os import sys import setup_paths # noqa @@ -129,6 +129,8 @@ for extra_bug in extra_data: notes = {} new_annotations = bug.annotations for extra_annotation in extra_bug.annotations: +if isinstance(extra_annotation, FlagAnnotation): +continue if isinstance(extra_annotation, StringAnnotation): cve = f"{extra_bug.header.name}" note_tag = notes.setdefault(cve, []) @@ -142,3 +144,8 @@ for extra_bug in extra_data: with open(main_list, 'w') as f: writecvelist(data, f) + +# check for and erase an .xpck file built from the merge +xpck = f"{extra_list}.xpck" +if os.path.exists(xpck): +os.unlink(xpck) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/001347cd46337213de1ab445c7dc789f6ab55133 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/001347cd46337213de1ab445c7dc789f6ab55133 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
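Review bot: the new `isinstance(extra_annotation, FlagAnnotation): continue` guard in the annotation loop drops every flag annotation from the extra file, so an extra entry that is only `RESERVED` or `REJECTED` contributes nothing to the merge and the main list's own flags win; a one-line comment above the `continue` stating that flags from the extra list are intentionally discarded would make that explicit. Only `StringAnnotation` is visible as an already-used class in this hunk's context, so confirm `FlagAnnotation` is imported in the same place.

Review bot: the `.xpck` cleanup appended after `writecvelist(data, f)` only removes `f"{extra_list}.xpck"`; if the merge can also leave a `.xpck` beside `main_list`, that file is not covered, and a short comment on what produces the `.xpck` would help a later reader. The `os.path.exists` check followed by `os.unlink` is fine for this single-user script; `try: os.unlink(xpck) except FileNotFoundError: pass` would drop the separate check but is not essential.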
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-25939/arangodb as
Neil Williams pushed to branch master at Debian Security Tracker / security-tracker Commits: 0833affe by Neil Williams at 2022-02-15T14:18:53+00:00 Add CVE-2021-25939/arangodb as itp - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -65109,7 +65109,7 @@ CVE-2021-25941 (Prototype pollution vulnerability in 'deep-override' versions 1. CVE-2021-25940 (In ArangoDB, versions v3.7.6 through v3.8.3 are vulnerable to Insuffic ...) - arangodb (bug #761817) CVE-2021-25939 (In ArangoDB, versions v3.7.0 through v3.9.0-alpha.1 have a feature whi ...) - TODO: check + - arangodb (bug #761817) CVE-2021-25938 (In ArangoDB, versions v2.2.6.2 through v3.7.10 are vulnerable to Cross ...) - arangodb (bug #761817) CVE-2021-25937 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0833affe7c1eca24631042a9e3ad694bbdfcb1d1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0833affe7c1eca24631042a9e3ad694bbdfcb1d1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DSA-5076-1 h2database
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: a5065f71 by Markus Koschany at 2022-02-15T14:58:49+01:00 Reserve DSA-5076-1 h2database - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[15 Feb 2022] DSA-5076-1 h2database - security update + {CVE-2021-42392 CVE-2022-23221} + [buster] - h2database 1.4.197-4+deb10u1 + [bullseye] - h2database 1.4.197-4+deb11u1 [13 Feb 2022] DSA-5075-1 minetest - security update {CVE-2022-24300 CVE-2022-24301} [buster] - minetest 0.4.17.1+repack-1+deb10u1 = data/dsa-needed.txt = @@ -20,8 +20,6 @@ condor -- faad2/oldstable (jmm) -- -h2database (apo) --- librecad Aron Xu proposed update for {bullseye,buster}-security for review -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5065f71656ddbea4d3d7b586154b6f13d83453c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5065f71656ddbea4d3d7b586154b6f13d83453c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] add and take redis in dsa-needed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b9c7cd5 by Moritz Muehlenhoff at 2022-02-15T13:11:12+01:00 add and take redis in dsa-needed - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -35,6 +35,8 @@ nodejs (jmm) -- python-pysaml2 (jmm) -- +redis (jmm) +-- rpki-client/stable new 7.6 release required libretls, which isn't in Bullseye -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b9c7cd5b21ddac4884c6d0ac2ab6062bc5467f3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b9c7cd5b21ddac4884c6d0ac2ab6062bc5467f3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker] Pushed new branch updatedocs
Neil Williams pushed new branch updatedocs at Debian Security Tracker / security-tracker -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/tree/updatedocs You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] gerbv updates
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0aa4625a by Moritz Muehlenhoff at 2022-02-15T11:16:43+01:00 gerbv updates - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28787,17 +28787,23 @@ CVE-2021-40405 CVE-2021-40404 (An authentication bypass vulnerability exists in the cgiserver.cgi Log ...) NOT-FOR-US: Reolink CVE-2021-40403 (An information disclosure vulnerability exists in the pick-and-place r ...) - - gerbv + - gerbv NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1417 - TODO: check details + NOTE: https://github.com/gerbv/gerbv/issues/82 + NOTE: Proposed patch: https://github.com/gerbv/gerbv/commit/387f07b163cc30cd95e9bedf53bc07e7b38cc318 CVE-2021-40402 RESERVED + - gerbv + NOTE: https://github.com/gerbv/gerbv/issues/80 CVE-2021-40401 (A use-after-free vulnerability exists in the RS-274X aperture definiti ...) - - gerbv + - gerbv NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1415 - TODO: check details + NOTE: https://github.com/gerbv/gerbv/commit/68ee18945bcf68ff964c42f12af79c5c0e2f4069 + NOTE: https://github.com/gerbv/gerbv/issues/81 CVE-2021-40400 RESERVED + - gerbv + NOTE: https://github.com/gerbv/gerbv/issues/79 CVE-2021-40399 RESERVED CVE-2021-40398 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0aa4625a4b2c7df16147b3a9cfa3237c07a28cca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0aa4625a4b2c7df16147b3a9cfa3237c07a28cca You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
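Review bot: the fix reference for CVE-2021-40403 is labelled `NOTE: Proposed patch:` while the commit URL added for CVE-2021-40401 carries no label; if the 40401 commit is the merged fix, labelling it `NOTE: Fixed by:` (as other entries in this list do) keeps proposed and merged fixes distinguishable. The two still-RESERVED entries now tracked as `- gerbv` (CVE-2021-40402, CVE-2021-40400) carry only an upstream issue URL; a bracketed `[description]` after the CVE id, as used for `CVE-2022-0563 [partial disclosure of arbitrary files ...]`, would make their tracker pages readable before MITRE publishes the text.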
[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: eaeb30e2 by Moritz Muehlenhoff at 2022-02-15T11:06:57+01:00 buster/bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -472,6 +472,8 @@ CVE-2022-24981 RESERVED CVE-2022-0586 (Infinite loop in RTMPT protocol dissector in Wireshark 3.6.0 to 3.6.1 ...) - wireshark + [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17813 NOTE: https://www.wireshark.org/security/wnpa-sec-2022-01.html CVE-2022-0585 @@ -480,14 +482,20 @@ CVE-2022-0584 RESERVED CVE-2022-0583 (Crash in the PVFS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3 ...) - wireshark + [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17840 NOTE: https://www.wireshark.org/security/wnpa-sec-2022-03.html CVE-2022-0582 (Unaligned access in the CSN.1 protocol dissector in Wireshark 3.6.0 to ...) - wireshark + [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17882 NOTE: https://www.wireshark.org/security/wnpa-sec-2022-04.html CVE-2022-0581 (Crash in the CMS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3. ...) - wireshark + [bullseye] - wireshark (Minor issue) + [buster] - wireshark (Minor issue) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17935 NOTE: https://www.wireshark.org/security/wnpa-sec-2022-05.html CVE-2022-0580 (Improper Access Control in Packagist librenms/librenms prior to 22.2.0 ...) 
@@ -1093,10 +1101,11 @@ CVE-2022-23104 RESERVED CVE-2022-0563 [partial disclosure of arbitrary files in chfn and chsh when compiled with libreadline] RESERVED - - util-linux + - util-linux (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2053151 NOTE: https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoi...@ws.net.home/T/#u NOTE: https://github.com/util-linux/util-linux/commit/faa5a3a83ad0cb5e2c303edbfd8cd823c9d94c17 + NOTE: util-linux in Debian not built with readline support CVE-2022-0562 (Null source pointer passed as an argument to memcpy() function within ...) - tiff 4.3.0-4 [bullseye] - tiff (Minor issue) @@ -13087,6 +13096,7 @@ CVE-2021-4116 (yetiforcecrm is vulnerable to Improper Neutralization of Input Du CVE-2021-4115 [file descriptor leak allows an unprivileged user to cause a crash] RESERVED - policykit-1 (bug #1005784) + [bullseye] - policykit-1 (Minor issue) [buster] - policykit-1 (Vulnerable code not present, patch introducing issue not backported) [stretch] - policykit-1 (Vulnerable code not present, patch introducing issue not backported) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2007534 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eaeb30e27c7c179334bfb3c7b75b425a26c8d9ef -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eaeb30e27c7c179334bfb3c7b75b425a26c8d9ef You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-45845/freecad
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 18b20294 by Salvatore Bonaccorso at 2022-02-15T10:00:09+01:00 Add CVE-2021-45845/freecad - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10327,7 +10327,10 @@ CVE-2021-45846 (A flaw in the AMF parser of Slic3r libslic3r 1.3.0 allows an att - slic3r NOTE: https://github.com/slic3r/Slic3r/issues/5117 CVE-2021-45845 (The Path Sanity Check script of FreeCAD 0.19 is vulnerable to OS comma ...) - TODO: check + - freecad + NOTE: https://github.com/FreeCAD/FreeCAD/pull/5306 + NOTE: Fixed by: https://github.com/FreeCAD/FreeCAD/commit/169eb655f30180b95e5923be2eb3bc4de6e02406 + NOTE: https://tracker.freecad.org/view.php?id=4810 CVE-2021-45844 (Improper sanitization in the invocation of ODA File Converter from Fre ...) - freecad (bug #1005747) NOTE: https://github.com/FreeCAD/FreeCAD/commit/1742d7ff82af1653253c4a4183c262c9af3b26d6 (0.20) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/18b2029436efb361a86e59427aac7c91270388b2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/18b2029436efb361a86e59427aac7c91270388b2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
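Review bot: the new `- freecad` line carries neither a fixed version nor a `(bug #NN)` reference, while the neighbouring CVE-2021-45844 entry is tracked as `freecad (bug #1005747)` with its fix commit annotated with the upstream release `(0.20)`; if that bug also covers the Path Sanity Check issue, or a separate one is filed, add the reference here, and annotating the `Fixed by:` commit with the release it landed in keeps the two entries consistent.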
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-24686/nomad
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e3ad8975 by Salvatore Bonaccorso at 2022-02-15T09:43:17+01:00 Add CVE-2022-24686/nomad - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1174,7 +1174,8 @@ CVE-2022-24688 CVE-2022-24687 RESERVED CVE-2022-24686 (HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and ...) - TODO: check + - nomad + NOTE: https://discuss.hashicorp.com/t/hcsec-2022-01-nomad-artifact-download-race-condition/35559 CVE-2022-24685 RESERVED CVE-2022-24684 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e3ad89751acca9bbba86530e9fa2e59e2d5a15b7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e3ad89751acca9bbba86530e9fa2e59e2d5a15b7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
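Review bot: `- nomad` is added with the HashiCorp advisory as its only annotation and no fixed version or `(bug #NN)` reference; without one the tracker cannot show per-suite status for this entry, so add the Debian bug or the fixed upstream version once known.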
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4878a678 by Salvatore Bonaccorso at 2022-02-15T09:41:18+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -491,7 +491,7 @@ CVE-2022-0581 (Crash in the CMS protocol dissector in Wireshark 3.6.0 to 3.6.1 a NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17935 NOTE: https://www.wireshark.org/security/wnpa-sec-2022-05.html CVE-2022-0580 (Improper Access Control in Packagist librenms/librenms prior to 22.2.0 ...) - TODO: check + NOT-FOR-US: LibreNMS CVE-2022-24980 RESERVED CVE-2022-24979 @@ -501,7 +501,7 @@ CVE-2022-24978 CVE-2022-24977 (ImpressCMS before 1.4.2 allows unauthenticated remote code execution v ...) NOT-FOR-US: ImpressCMS CVE-2022-0579 (Improper Privilege Management in Packagist snipe/snipe-it prior to 5.3 ...) - TODO: check + NOT-FOR-US: snipe-it CVE-2022-0578 RESERVED CVE-2022-24976 (Atheme IRC Services before 7.2.12, when used in conjunction with InspI ...) @@ -1237,7 +1237,7 @@ CVE-2022-0541 CVE-2022-0540 RESERVED CVE-2022-0539 (Cross-site Scripting (XSS) - Stored in Packagist ptrofimov/beanstalk_c ...) - TODO: check + NOT-FOR-US: beanstalk_console CVE-2022-0538 (Jenkins 2.333 and earlier, LTS 2.319.2 and earlier defines custom XStr ...) - jenkins CVE-2022-0537 
@@ -1290,15 +1290,15 @@ CVE-2022-24666 (A program using swift-nio-http2 is vulnerable to a denial of ser CVE-2022-0528 RESERVED CVE-2022-0527 (Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chat ...) - TODO: check + NOT-FOR-US: chatwoot CVE-2022-0526 (Cross-site Scripting (XSS) - Stored in GitHub repository chatwoot/chat ...) - TODO: check + NOT-FOR-US: chatwoot CVE-2022-0525 (Out-of-bounds Read in Homebrew mruby prior to 3.2. ...) - mruby (Vulnerable code introduced later) NOTE: https://huntr.dev/bounties/e19e109f-acf0-4048-8ee8-1b10a870f1e9 NOTE: https://github.com/mruby/mruby/commit/0849a2885f81cfd82134992c06df3ccd59052ac7 CVE-2022-0524 (Business Logic Errors in GitHub repository publify/publify prior to 9. ...) - TODO: check + NOT-FOR-US: Publify CVE-2022-0523 (Expired Pointer Dereference in GitHub repository radareorg/radare2 pri ...) - radare2 NOTE: https://huntr.dev/bounties/9d8d6ae0-fe00-40b9-ae1e-b0e8103bac69 @@ -1868,7 +1868,7 @@ CVE-2007-20001 (StarWind iSCSI SAN before 3.5 build 2007-08-09 allows socket exh CVE-2022-24408 RESERVED CVE-2022-0501 (Cross-site Scripting (XSS) - Reflected in Packagist ptrofimov/beanstal ...) - TODO: check + NOT-FOR-US: beanstalk_console CVE-2022-0500 RESERVED CVE-2022-0499 @@ -2635,7 +2635,7 @@ CVE-2022-24208 CVE-2022-24207 RESERVED CVE-2022-24206 (Tongda2000 v11.10 was discovered to contain a SQL injection vulnerabil ...) - TODO: check + NOT-FOR-US: Tongda2000 CVE-2022-24205 RESERVED CVE-2022-24204 @@ -3457,7 +3457,7 @@ CVE-2022-23994 (An Improper access control vulnerability in StBedtimeModeReceive CVE-2022-23993 (/usr/local/www/pkg.php in pfSense through 2.5.2 uses $_REQUEST['pkg_fi ...) NOT-FOR-US: pfSense CVE-2022-23992 (XCOM Data Transport for Windows, Linux, and UNIX 11.6 releases contain ...) - TODO: check + NOT-FOR-US: XCOM Data Transport CVE-2022-23991 RESERVED CVE-2022-23990 (Expat (aka libexpat) before 2.4.4 has an integer overflow in the doPro ...) 
@@ -3754,7 +3754,7 @@ CVE-2022-23904 CVE-2022-23903 RESERVED CVE-2022-23902 (Tongda2000 v11.10 was discovered to contain a SQL injection vulnerabil ...) - TODO: check + NOT-FOR-US: Tongda2000 CVE-2022-23901 RESERVED CVE-2022-23900 @@ -5443,7 +5443,7 @@ CVE-2022-23412 CVE-2022-23411 RESERVED CVE-2022-23410 (AXIS IP Utility prior to 4.17.0 allows for remote code execution and l ...) - TODO: check + NOT-FOR-US: AXIS IP Utility CVE-2022-23409 (The Logs plugin before 3.0.4 for Craft CMS allows remote attackers to ...) NOT-FOR-US: Craft CMS CVE-2022-23408 (wolfSSL 5.x before 5.1.1 uses non-random IV values in certain situatio ...) @@ -5481,11 +5481,11 @@ CVE-2022-23393 CVE-2022-23392 RESERVED CVE-2022-23391 (A cross-site scripting (XSS) vulnerability in Pybbs v6.0 allows attack ...) - TODO: check + NOT-FOR-US: Pybbs CVE-2022-23390 (An issue in the getType function of BBS Forum v5.3 and below allows at ...) - TODO: check + NOT-FOR-US: BBS Forum CVE-2022-23389 (PublicCMS v4.0 was discovered to contain a remote code execution (RCE) ...) - TODO: check + NOT-FOR-US: PublicCMS CVE-2022-23388 RESERVED CVE-2022-23387 @@ -5589,11 +5589,11 @@ CVE-2022-23339
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-0581/wireshark
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ea8e3ca9 by Salvatore Bonaccorso at 2022-02-15T09:36:46+01:00 Add CVE-2022-0581/wireshark - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -487,7 +487,9 @@ CVE-2022-0582 (Unaligned access in the CSN.1 protocol dissector in Wireshark 3.6 NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17882 NOTE: https://www.wireshark.org/security/wnpa-sec-2022-04.html CVE-2022-0581 (Crash in the CMS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3. ...) - TODO: check + - wireshark + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17935 + NOTE: https://www.wireshark.org/security/wnpa-sec-2022-05.html CVE-2022-0580 (Improper Access Control in Packagist librenms/librenms prior to 22.2.0 ...) TODO: check CVE-2022-24980 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea8e3ca95f7cc2405c61ab3d5f01337c1070727b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea8e3ca95f7cc2405c61ab3d5f01337c1070727b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-0582/wireshark
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b3924423 by Salvatore Bonaccorso at 2022-02-15T09:35:46+01:00 Add CVE-2022-0582/wireshark - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -483,7 +483,9 @@ CVE-2022-0583 (Crash in the PVFS protocol dissector in Wireshark 3.6.0 to 3.6.1 NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17840 NOTE: https://www.wireshark.org/security/wnpa-sec-2022-03.html CVE-2022-0582 (Unaligned access in the CSN.1 protocol dissector in Wireshark 3.6.0 to ...) - TODO: check + - wireshark + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17882 + NOTE: https://www.wireshark.org/security/wnpa-sec-2022-04.html CVE-2022-0581 (Crash in the CMS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3. ...) TODO: check CVE-2022-0580 (Improper Access Control in Packagist librenms/librenms prior to 22.2.0 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3924423f0bf9facd15fc1be5cec62b4496a7ae0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3924423f0bf9facd15fc1be5cec62b4496a7ae0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-0583/wireshark
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4040f51f by Salvatore Bonaccorso at 2022-02-15T09:34:19+01:00 Add CVE-2022-0583/wireshark - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -479,7 +479,9 @@ CVE-2022-0585 CVE-2022-0584 RESERVED CVE-2022-0583 (Crash in the PVFS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3 ...) - TODO: check + - wireshark + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17840 + NOTE: https://www.wireshark.org/security/wnpa-sec-2022-03.html CVE-2022-0582 (Unaligned access in the CSN.1 protocol dissector in Wireshark 3.6.0 to ...) TODO: check CVE-2022-0581 (Crash in the CMS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4040f51f5162d356c31d9a9357436cf4e2117690 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4040f51f5162d356c31d9a9357436cf4e2117690 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-0586/wireshark
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e164bffa by Salvatore Bonaccorso at 2022-02-15T09:33:09+01:00 Add CVE-2022-0586/wireshark - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -471,7 +471,9 @@ CVE-2022-24982 CVE-2022-24981 RESERVED CVE-2022-0586 (Infinite loop in RTMPT protocol dissector in Wireshark 3.6.0 to 3.6.1 ...) - TODO: check + - wireshark + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17813 + NOTE: https://www.wireshark.org/security/wnpa-sec-2022-01.html CVE-2022-0585 RESERVED CVE-2022-0584 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e164bffa2b631337202e1b598a77157b93c4e0fd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e164bffa2b631337202e1b598a77157b93c4e0fd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6eea78bf by Salvatore Bonaccorso at 2022-02-15T09:32:04+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31,7 +31,7 @@ CVE-2022-25152 CVE-2022-25151 RESERVED CVE-2022-25150 (In Malwarebytes Binisoft Windows Firewall Control before 6.8.1.0, prog ...) - TODO: check + NOT-FOR-US: Malwarebytes Binisoft Windows Firewall Control CVE-2022-25149 RESERVED CVE-2022-25148 @@ -41,7 +41,7 @@ CVE-2022-0612 CVE-2022-0611 RESERVED CVE-2019-25057 (In Corda before 4.1, the meaning of serialized data can be modified vi ...) - TODO: check + NOT-FOR-US: Corda CVE-2022-25147 RESERVED CVE-2022-0610 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6eea78bfe6301306058138f1b7e9b05dea6b2907 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6eea78bfe6301306058138f1b7e9b05dea6b2907 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eab0c008 by security tracker role at 2022-02-15T08:10:15+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,47 @@ +CVE-2022-25166 + RESERVED +CVE-2022-25165 + RESERVED +CVE-2022-25164 + RESERVED +CVE-2022-25163 + RESERVED +CVE-2022-25162 + RESERVED +CVE-2022-25161 + RESERVED +CVE-2022-25160 + RESERVED +CVE-2022-25159 + RESERVED +CVE-2022-25158 + RESERVED +CVE-2022-25157 + RESERVED +CVE-2022-25156 + RESERVED +CVE-2022-25155 + RESERVED +CVE-2022-25154 + RESERVED +CVE-2022-25153 + RESERVED +CVE-2022-25152 + RESERVED +CVE-2022-25151 + RESERVED +CVE-2022-25150 (In Malwarebytes Binisoft Windows Firewall Control before 6.8.1.0, prog ...) + TODO: check +CVE-2022-25149 + RESERVED +CVE-2022-25148 + RESERVED +CVE-2022-0612 + RESERVED +CVE-2022-0611 + RESERVED +CVE-2019-25057 (In Corda before 4.1, the meaning of serialized data can be modified vi ...) + TODO: check CVE-2022-25147 RESERVED CVE-2022-0610 @@ -108,8 +152,8 @@ CVE-2022-25141 RESERVED CVE-2022-25140 RESERVED -CVE-2022-25139 - RESERVED +CVE-2022-25139 (njs through 0.7.0, used in NGINX, was discovered to contain a heap use ...) + TODO: check CVE-2022-25138 RESERVED CVE-2022-25137 @@ -410,8 +454,8 @@ CVE-2022-24990 RESERVED CVE-2022-24989 RESERVED -CVE-2022-24988 - RESERVED +CVE-2022-24988 (In galois_2p8 before 0.1.2, PrimitivePolynomialField::new has an off-b ...) + TODO: check CVE-2022-24987 RESERVED CVE-2022-24986 
@@ -426,20 +470,20 @@ CVE-2022-24982 RESERVED CVE-2022-24981 RESERVED -CVE-2022-0586 - RESERVED +CVE-2022-0586 (Infinite loop in RTMPT protocol dissector in Wireshark 3.6.0 to 3.6.1 ...) + TODO: check CVE-2022-0585 RESERVED CVE-2022-0584 RESERVED -CVE-2022-0583 - RESERVED -CVE-2022-0582 - RESERVED -CVE-2022-0581 - RESERVED -CVE-2022-0580 - RESERVED +CVE-2022-0583 (Crash in the PVFS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3 ...) + TODO: check +CVE-2022-0582 (Unaligned access in the CSN.1 protocol dissector in Wireshark 3.6.0 to ...) + TODO: check +CVE-2022-0581 (Crash in the CMS protocol dissector in Wireshark 3.6.0 to 3.6.1 and 3. ...) + TODO: check +CVE-2022-0580 (Improper Access Control in Packagist librenms/librenms prior to 22.2.0 ...) + TODO: check CVE-2022-24980 RESERVED CVE-2022-24979 @@ -448,8 +492,8 @@ CVE-2022-24978 RESERVED CVE-2022-24977 (ImpressCMS before 1.4.2 allows unauthenticated remote code execution v ...) NOT-FOR-US: ImpressCMS -CVE-2022-0579 - RESERVED +CVE-2022-0579 (Improper Privilege Management in Packagist snipe/snipe-it prior to 5.3 ...) + TODO: check CVE-2022-0578 RESERVED CVE-2022-24976 (Atheme IRC Services before 7.2.12, when used in conjunction with InspI ...) @@ -1031,10 +1075,10 @@ CVE-2022-24707 RESERVED CVE-2022-24706 RESERVED -CVE-2022-24705 - RESERVED -CVE-2022-24704 - RESERVED +CVE-2022-24705 (The rad_packet_recv function in radius/packet.c suffers from a memcpy ...) + TODO: check +CVE-2022-24704 (The rad_packet_recv function in opt/src/accel-pppd/radius/packet.c suf ...) + TODO: check CVE-2022-23922 RESERVED CVE-2022-23104 @@ -2582,8 +2626,8 @@ CVE-2022-24208 RESERVED CVE-2022-24207 RESERVED -CVE-2022-24206 - RESERVED +CVE-2022-24206 (Tongda2000 v11.10 was discovered to contain a SQL injection vulnerabil ...) + TODO: check CVE-2022-24205 RESERVED CVE-2022-24204 
@@ -3404,8 +3448,8 @@ CVE-2022-23994 (An Improper access control vulnerability in StBedtimeModeReceive NOT-FOR-US: Samsung CVE-2022-23993 (/usr/local/www/pkg.php in pfSense through 2.5.2 uses $_REQUEST['pkg_fi ...) NOT-FOR-US: pfSense -CVE-2022-23992 - RESERVED +CVE-2022-23992 (XCOM Data Transport for Windows, Linux, and UNIX 11.6 releases contain ...) + TODO: check CVE-2022-23991 RESERVED CVE-2022-23990 (Expat (aka libexpat) before 2.4.4 has an integer overflow in the doPro ...) @@ -3701,8 +3745,8 @@ CVE-2022-23904 RESERVED CVE-2022-23903 RESERVED -CVE-2022-23902 - RESERVED +CVE-2022-23902 (Tongda2000 v11.10 was discovered to contain a SQL injection vulnerabil ...) + TODO: check CVE-2022-23901 RESERVED CVE-2022-23900 @@ -3993,12 +4037,12 @@ CVE-2021-46465 RESERVED CVE-2021-46464 RESERVED -CVE-2021-46463 - RESERVED -CVE-2021-46462 - RESERVED -CVE-2021-46461 - RESERVED +CVE-2021-46463 (njs through 0.7.1, used in NGINX, was discovered