[Git][security-tracker-team/security-tracker][master] gpac fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: eacce7a7 by Moritz Muehlenhoff at 2022-02-25T23:49:34+01:00 gpac fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5044,8 +5044,7 @@ CVE-2022-24251 CVE-2022-24250 RESERVED CVE-2022-24249 (A Null Pointer Dereference vulnerability exists in GPAC 1.1.0 via the ...) - [experimental] - gpac 2.0.0+dfsg1-1 - - gpac + - gpac 2.0.0+dfsg1-2 [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2081 @@ -8417,8 +8416,7 @@ CVE-2021-46315 (Remote Command Execution (RCE) vulnerability exists in HNAP1/con CVE-2021-46314 (A Remote Command Execution (RCE) vulnerability exists in HNAP1/control ...) NOT-FOR-US: D-Link CVE-2021-46313 (The binary MP4Box in GPAC v1.0.1 was discovered to contain a segmentat ...) - [experimental] - gpac 2.0.0+dfsg1-1 - - gpac + - gpac 2.0.0+dfsg1-2 [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2039 @@ -8426,8 +8424,7 @@ CVE-2021-46313 (The binary MP4Box in GPAC v1.0.1 was discovered to contain a seg CVE-2021-46312 RESERVED CVE-2021-46311 (A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the ...) - [experimental] - gpac 2.0.0+dfsg1-1 - - gpac + - gpac 2.0.0+dfsg1-2 [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2038 
@@ -9927,36 +9924,31 @@ CVE-2021-46242 (HDF5 v1.13.1-1 was discovered to contain a heap-use-after free v CVE-2021-46241 RESERVED CVE-2021-46240 (A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the ...) - [experimental] - gpac 2.0.0+dfsg1-1 - - gpac + - gpac 2.0.0+dfsg1-2 [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2028 NOTE: https://github.com/gpac/gpac/commit/31eb879ea67b3a6ff67d3211f4c6b83369d4898d (v2.0.0) CVE-2021-46239 (The binary MP4Box in GPAC v1.1.0 was discovered to contain an invalid ...) - [experimental] - gpac 2.0.0+dfsg1-1 - - gpac + - gpac 2.0.0+dfsg1-2 [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2026 NOTE: https://github.com/gpac/gpac/commit/4e1215758fa89455e8de1262df36f11740bb1bc4 (v2.0.0) CVE-2021-46238 (GPAC v1.1.0 was discovered to contain a stack overflow via the functio ...) - [experimental] - gpac 2.0.0+dfsg1-1 - - gpac + - gpac 2.0.0+dfsg1-2 [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2027 NOTE: https://github.com/gpac/gpac/commit/4b9736ab8c9274db5858e5bf9fe0470bc3e7b6cf (v2.0.0) CVE-2021-46237 (An untrusted pointer dereference vulnerability exists in GPAC v1.1.0 v ...) - [experimental] - gpac 2.0.0+dfsg1-1 - - gpac + - gpac 2.0.0+dfsg1-2 [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2033 NOTE: https://github.com/gpac/gpac/commit/3cc122ad664a2355cce9784f50b59c6272d43f00 (v2.0.0) CVE-2021-46236 (A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the ...) - [experimental] - gpac 2.0.0+dfsg1-1 - - gpac + - gpac 2.0.0+dfsg1-2 [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2024 
@@ -9964,8 +9956,7 @@ CVE-2021-46236 (A NULL pointer dereference vulnerability exists in GPAC v1.1.0 v CVE-2021-46235 RESERVED CVE-2021-46234 (A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the ...) - [experimental] - gpac 2.0.0+dfsg1-1 - - gpac + - gpac 2.0.0+dfsg1-2 [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2023 @@ -11999,8 +11990,7 @@ CVE-2021-46052 (A Denial of Service vulnerability exists in Binaryen 104 due to NOTE: https://github.com/WebAssembly/binaryen/issues/4411 NOTE: Crash in CLI tool, no security impact CVE-2021-46051 (A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the Media ...) - [experimental] - gpac 2.0.0+dfsg1-1 - - gpac + - gpac 2.0.0+dfsg1-2 [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2011 @@ -12010,8 +12000,7 @@ CVE-2021-46050 (A Stack Overflow vulnerability exists in Binaryen 103 via the pr NOTE:
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for cyrus-sasl2 update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c9190975 by Salvatore Bonaccorso at 2022-02-25T23:10:51+01:00 Reserve DSA number for cyrus-sasl2 update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[25 Feb 2022] DSA-5087-1 cyrus-sasl2 - security update + {CVE-2022-24407} + [buster] - cyrus-sasl2 2.1.27+dfsg-1+deb10u2 + [bullseye] - cyrus-sasl2 2.1.27+dfsg-2.1+deb11u1 [23 Feb 2022] DSA-5086-1 thunderbird - security update {CVE-2022-0566} [buster] - thunderbird 1:91.6.1-1~deb10u1 = data/dsa-needed.txt = @@ -16,8 +16,6 @@ asterisk/oldstable -- condor -- -cyrus-sasl2 (carnil) --- faad2/oldstable (jmm) -- freecad (aron) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c9190975a8be9f60f0ea0451b6b55f1efc0307e9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c9190975a8be9f60f0ea0451b6b55f1efc0307e9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2022-24407/cyrus-sasl2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e6cbc2b7 by Salvatore Bonaccorso at 2022-02-25T23:09:34+01:00 Track fixed version via unstable for CVE-2022-24407/cyrus-sasl2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4380,7 +4380,7 @@ CVE-2021-46671 (options.c in atftp before 0.7.5 reads past the end of an array, NOTE: https://sourceforge.net/p/atftp/code/ci/9cf799c40738722001552618518279e9f0ef62e5 (v0.7.5) CVE-2022-24407 (In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does ...) [experimental] - cyrus-sasl2 2.1.28+dfsg-1 - - cyrus-sasl2 + - cyrus-sasl2 2.1.28+dfsg-2 NOTE: Fixed by: https://github.com/cyrusimap/cyrus-sasl/commit/9eff746c9daecbcc0041b09a5a51ba30738cdcbc (cyrus-sasl-2.1.28) NOTE: Fixed by: https://github.com/cyrusimap/cyrus-sasl/commit/2d2e97b0eb53fa7f87a3bf1529d8f712dd954480 (master) NOTE: https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6cbc2b77316418399c712ef0adaa6ee9d0280c4
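Review bot: the '[experimental] - cyrus-sasl2 2.1.28+dfsg-1' line is left in place after the unstable entry becomes '- cyrus-sasl2 2.1.28+dfsg-2', whereas the 'gpac fixed in sid' commit in this same batch drops the [experimental] line once the sid version is recorded; either drop it here as well for consistency, or keep it deliberately if the experimental upload should stay tracked separately.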
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: cdc5f508 by Moritz Muehlenhoff at 2022-02-25T22:31:01+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4541,9 +4541,9 @@ CVE-2022-24348 (Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory tra CVE-2022-24347 (JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS vi ...) NOT-FOR-US: JetBrains YouTrack CVE-2022-24346 (In JetBrains IntelliJ IDEA before 2021.3.1, local code execution via R ...) - TODO: check + - intellij-idea (bug #747616) CVE-2022-24345 (In JetBrains IntelliJ IDEA before 2021.2.4, local code execution (with ...) - TODO: check + - intellij-idea (bug #747616) CVE-2022-24344 (JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on ...) NOT-FOR-US: JetBrains YouTrack CVE-2022-24343 (In JetBrains YouTrack before 2021.4.31698, a custom logo could be set ...) @@ -7287,11 +7287,11 @@ CVE-2022-23655 (Octobercms is a self-hosted CMS platform based on the Laravel PH CVE-2022-23654 (Wiki.js is a wiki app built on Node.js. In affected versions an authen ...) NOT-FOR-US: Wiki.js CVE-2022-23653 (B2 Command Line Tool is the official command line tool for the backbla ...) - TODO: check + NOT-FOR-US: B2 (CLI tool for Backblaze) CVE-2022-23652 (capsule-proxy is a reverse proxy for Capsule Operator which provides m ...) NOT-FOR-US: capsule-proxy CVE-2022-23651 (b2-sdk-python is a python library to access cloud storage provided by ...) - TODO: check + NOT-FOR-US: b2-sdk-python CVE-2022-23650 (Netmaker is a platform for creating and managing virtual overlay netwo ...) NOT-FOR-US: Netmaker CVE-2022-23649 (Cosign provides container signing, verification, and storage in an OCI ...) 
@@ -8085,7 +8085,7 @@ CVE-2022-23359 CVE-2022-23358 (EasyCMS v1.6 allows for SQL injection via ArticlemAction.class.php. In ...) NOT-FOR-US: EasyCMS CVE-2022-23357 (mozilo2.0 was discovered to be vulnerable to directory traversal attac ...) - TODO: check + NOT-FOR-US: mozilo CVE-2022-23356 RESERVED CVE-2022-23355 @@ -8509,7 +8509,7 @@ CVE-2022-0249 CVE-2022-0248 RESERVED CVE-2022-0247 (An issue exists in Fuchsia where VMO data can be modified through acce ...) - TODO: check + NOT-FOR-US: Fuchsia CVE-2022-0246 RESERVED CVE-2022-23304 (The implementations of EAP-pwd in hostapd before 2.10 and wpa_supplica ...) @@ -12240,7 +12240,7 @@ CVE-2021-45979 (Foxit PDF Reader and PDF Editor before 11.1 on macOS allow remot CVE-2021-45978 (Foxit PDF Reader and PDF Editor before 11.1 on macOS allow remote atta ...) NOT-FOR-US: Foxit CVE-2021-45977 (JetBrains IntelliJ IDEA 2021.3.1 Preview, IntelliJ IDEA 2021.3.1 RC, P ...) - TODO: check + - intellij-idea (bug #747616) CVE-2021-45976 RESERVED CVE-2021-45975 (In ListCheck.exe in Acer Care Center 4.x before 4.00.3038, a vulnerabi ...) @@ -17360,9 +17360,9 @@ CVE-2021-44552 CVE-2021-44551 RESERVED CVE-2021-44550 (An Incorrect Access Control vulnerability exists in CoreNLP 4.3.2 via ...) - TODO: check + NOT-FOR-US: CoreNLP CVE-2021-4070 (Off-by-one Error in GitHub repository v2fly/v2ray-core prior to 4.44.0 ...) - TODO: check + NOT-FOR-US: v2fly/v2ray-core CVE-2021-44549 (Apache Sling Commons Messaging Mail provides a simple layer on top of ...) NOT-FOR-US: Apache Sling CVE-2021-4069 (vim is vulnerable to Use After Free ...) 
@@ -32620,7 +32620,6 @@ CVE-2021-39944 (An issue has been discovered in GitLab CE/EE affecting all versi - gitlab CVE-2021-39943 (An authorization logic error in the External Status Check API in GitLa ...) - gitlab - TODO: reach out for details CVE-2021-39942 (A denial of service vulnerability in GitLab CE/EE affecting all versio ...) - gitlab CVE-2021-39941 (An information disclosure vulnerability in GitLab CE/EE versions 12.0 ...) @@ -32790,7 +32789,7 @@ CVE-2021-39881 (In all versions of GitLab CE/EE since version 7.7, the applicati CVE-2021-39880 (A Denial Of Service vulnerability in the apollo_upload_server Ruby gem ...) - gitlab - ruby-apollo-upload-server - TODO: reach out for details + TODO: reach out for details for ruby-apollo-upload-server CVE-2021-39879 (Missing authentication in all versions of GitLab CE/EE since version 7 ...) - gitlab CVE-2021-39878 (A stored Reflected Cross-Site Scripting vulnerability in the Jira inte ...) @@ -56370,7 +56369,7 @@ CVE-2021-30506 (Incorrect security UI in Web App Installs in Google Chrome on An CVE-2021-30505 RESERVED CVE-2021-30504 (In JetBrains IntelliJ IDEA before 2021.1, DoS was possible because of ...) -
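Review bot: CVE-2022-24346, CVE-2022-24345 and CVE-2021-45977 go from 'TODO: check' to '- intellij-idea (bug #747616)' rather than to a NOT-FOR-US line, although the commit message reads 'NFUs'; if the intent is to track them against a package that is not in the archive yet, a NOTE saying so (and what bug #747616 covers) would make the entries self-explanatory and keep them from reading as open issues in a shipped package.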
[Git][security-tracker-team/security-tracker][master] new rust-crossbeam issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 64a4de9c by Moritz Muehlenhoff at 2022-02-25T22:27:25+01:00 new rust-crossbeam issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7322,7 +7322,9 @@ CVE-2022-23641 (Discourse is an open source discussion platform. In versions pri CVE-2022-23640 RESERVED CVE-2022-23639 (crossbeam-utils provides atomics, synchronization primitives, scoped t ...) - TODO: check + - rust-crossbeam + NOTE: https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-qc84-gqf4-9926 + NOTE: https://github.com/crossbeam-rs/crossbeam/pull/781 CVE-2022-23638 (svg-sanitizer is a SVG/XML sanitizer written in PHP. A cross-site scri ...) NOT-FOR-US: darylldoyle svg-sanitizer CVE-2022-23637 (K-Box is a web-based application to manage documents, images, videos a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64a4de9c0e016fc0b73902a9b538b5afb94d0c86
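Review bot: the CVE text names the crossbeam-utils crate, but the entry is filed as '- rust-crossbeam' with no fixed version; worth confirming that this is the source package that ships crossbeam-utils in Debian, and adding the fixed version once the upstream fix linked in the NOTE (crossbeam-rs/crossbeam pull 781) is in a released crate.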
[Git][security-tracker-team/security-tracker][master] more gpac fixes in experimental
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 75fdfb7f by Moritz Muehlenhoff at 2022-02-25T22:24:46+01:00 more gpac fixes in experimental - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5044,11 +5044,12 @@ CVE-2022-24251 CVE-2022-24250 RESERVED CVE-2022-24249 (A Null Pointer Dereference vulnerability exists in GPAC 1.1.0 via the ...) + [experimental] - gpac 2.0.0+dfsg1-1 - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2081 - NOTE: https://github.com/gpac/gpac/commit/71f9871fc210e60df041b58c84572782b4849de9 + NOTE: https://github.com/gpac/gpac/commit/71f9871fc210e60df041b58c84572782b4849de9 (v2.0.0) CVE-2022-24248 RESERVED CVE-2022-24247 @@ -8414,19 +8415,21 @@ CVE-2021-46315 (Remote Command Execution (RCE) vulnerability exists in HNAP1/con CVE-2021-46314 (A Remote Command Execution (RCE) vulnerability exists in HNAP1/control ...) NOT-FOR-US: D-Link CVE-2021-46313 (The binary MP4Box in GPAC v1.0.1 was discovered to contain a segmentat ...) + [experimental] - gpac 2.0.0+dfsg1-1 - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2039 - NOTE: https://github.com/gpac/gpac/commit/ee969d3c4c425ecb25999eb68ada616925b58eba + NOTE: https://github.com/gpac/gpac/commit/ee969d3c4c425ecb25999eb68ada616925b58eba (v2.0.0) CVE-2021-46312 RESERVED CVE-2021-46311 (A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the ...) + [experimental] - gpac 2.0.0+dfsg1-1 - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2038 - NOTE: https://github.com/gpac/gpac/commit/ad19e0c4504a89ca273442b1b1483ae7adfb9491 + NOTE: https://github.com/gpac/gpac/commit/ad19e0c4504a89ca273442b1b1483ae7adfb9491 (v2.0.0) CVE-2021-46310 RESERVED CVE-2021-46309 (An SQL Injection vulnerability exists in Sourcecodester Employee and V ...) 
@@ -9922,38 +9925,44 @@ CVE-2021-46242 (HDF5 v1.13.1-1 was discovered to contain a heap-use-after free v CVE-2021-46241 RESERVED CVE-2021-46240 (A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the ...) + [experimental] - gpac 2.0.0+dfsg1-1 - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2028 - NOTE: https://github.com/gpac/gpac/commit/31eb879ea67b3a6ff67d3211f4c6b83369d4898d + NOTE: https://github.com/gpac/gpac/commit/31eb879ea67b3a6ff67d3211f4c6b83369d4898d (v2.0.0) CVE-2021-46239 (The binary MP4Box in GPAC v1.1.0 was discovered to contain an invalid ...) + [experimental] - gpac 2.0.0+dfsg1-1 - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2026 - NOTE: https://github.com/gpac/gpac/commit/4e1215758fa89455e8de1262df36f11740bb1bc4 + NOTE: https://github.com/gpac/gpac/commit/4e1215758fa89455e8de1262df36f11740bb1bc4 (v2.0.0) CVE-2021-46238 (GPAC v1.1.0 was discovered to contain a stack overflow via the functio ...) + [experimental] - gpac 2.0.0+dfsg1-1 - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2027 - NOTE: https://github.com/gpac/gpac/commit/4b9736ab8c9274db5858e5bf9fe0470bc3e7b6cf + NOTE: https://github.com/gpac/gpac/commit/4b9736ab8c9274db5858e5bf9fe0470bc3e7b6cf (v2.0.0) CVE-2021-46237 (An untrusted pointer dereference vulnerability exists in GPAC v1.1.0 v ...) + [experimental] - gpac 2.0.0+dfsg1-1 - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2033 - NOTE: https://github.com/gpac/gpac/commit/3cc122ad664a2355cce9784f50b59c6272d43f00 + NOTE: https://github.com/gpac/gpac/commit/3cc122ad664a2355cce9784f50b59c6272d43f00 (v2.0.0) CVE-2021-46236 (A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the ...) 
+ [experimental] - gpac 2.0.0+dfsg1-1 - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2024 - NOTE: https://github.com/gpac/gpac/commit/6a5effb57153cb05e72f6e9bd72afefc334a673d + NOTE: https://github.com/gpac/gpac/commit/6a5effb57153cb05e72f6e9bd72afefc334a673d (v2.0.0) CVE-2021-46235 RESERVED CVE-2021-46234 (A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the ...) +
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-45005/mujs via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ede133f by Salvatore Bonaccorso at 2022-02-25T21:40:58+01:00 Track fixed version for CVE-2021-45005/mujs via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15997,7 +15997,7 @@ CVE-2021-45007 (** DISPUTED ** Plesk 18.0.37 is affected by a Cross Site Request CVE-2021-45006 RESERVED CVE-2021-45005 (Artifex MuJS v1.1.3 was discovered to contain a heap buffer overflow w ...) - - mujs + - mujs 1.1.3-4 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=704749 (not public) NOTE: http://git.ghostscript.com/?p=mujs.git;h=df8559e7bdbc6065276e78621770f28fce66 (1.2.0) CVE-2021-45004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ede133ffac392783aad207032e212b718889eec
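Review bot: the fixed version '- mujs 1.1.3-4' is below the upstream release (1.2.0) named in the NOTE, so the entry implies a backported patch; a short NOTE saying the upstream commit was cherry-picked would save the next reader a lookup. The same NOTE's commit id has 36 hex digits rather than a full 40, so check that the link still resolves.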
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 76abc052 by Salvatore Bonaccorso at 2022-02-25T21:31:54+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4577,9 +4577,9 @@ CVE-2022-24330 (In JetBrains TeamCity before 2021.2.1, a redirection to an exter CVE-2022-24329 (In JetBrains Kotlin before 1.6.0, it was not possible to lock dependen ...) TODO: check CVE-2022-24328 (In JetBrains Hub before 2021.1.13956, an unprivileged user could perfo ...) - TODO: check + NOT-FOR-US: JetBrains Hub CVE-2022-24327 (In JetBrains Hub before 2021.1.13890, integration with JetBrains Accou ...) - TODO: check + NOT-FOR-US: JetBrains Hub CVE-2022-24326 RESERVED CVE-2022-24325 @@ -20917,7 +20917,7 @@ CVE-2021-3959 (A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpda CVE-2021-3958 (Due to improper sanitization iPack SCADA Automation software suffers f ...) NOT-FOR-US: iPack SCADA Automation CVE-2021-43745 (A Denial of Service vulnerabilty exists in Trilium Notes 0.48.6 in the ...) - TODO: check + NOT-FOR-US: Trilium Notes CVE-2021-43744 RESERVED CVE-2021-43743 @@ -26899,7 +26899,7 @@ CVE-2021-42246 CVE-2021-42245 RESERVED CVE-2021-42244 (A cross-site scripting (XSS) vulnerability in PaquitoSoftware Notimoo ...) - TODO: check + NOT-FOR-US: PaquitoSoftware Notimoo CVE-2021-42243 RESERVED CVE-2021-42242 
@@ -32391,13 +32391,13 @@ CVE-2021-40048 CVE-2021-40047 RESERVED CVE-2021-40046 (PCManager versions 11.1.1.95 has a privilege escalation vulnerability. ...) - TODO: check + NOT-FOR-US: Huawei CVE-2021-40045 (There is a vulnerability of signature verification mechanism failure i ...) NOT-FOR-US: Huawei CVE-2021-40044 (There is a permission verification vulnerability in the Bluetooth modu ...) NOT-FOR-US: Huawei CVE-2021-40043 (The laser command injection vulnerability exists on AIS-BW80H-00 versi ...) - TODO: check + NOT-FOR-US: Huawei CVE-2021-40042 (There is a release of invalid pointer vulnerability in some Huawei pro ...) NOT-FOR-US: Huawei CVE-2021-40041 (There is a Cross-Site Scripting(XSS) vulnerability in HUAWEI WS318n pr ...) @@ -33933,9 +33933,9 @@ CVE-2021-39365 (In GNOME grilo though 0.3.13, grl-net-wc.c does not enable TLS c NOTE: https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/ NOTE: https://gitlab.gnome.org/GNOME/grilo/-/issues/146 CVE-2021-39364 (Honeywell HDZP252DI 1.00.HW02.4 and HBW2PER1 1.000.HW01.3 devices allo ...) - TODO: check + NOT-FOR-US: Honeywell CVE-2021-39363 (Honeywell HDZP252DI 1.00.HW02.4 and HBW2PER1 1.000.HW01.3 devices allo ...) - TODO: check + NOT-FOR-US: Honeywell CVE-2020-36478 (An issue was discovered in Mbed TLS before 2.25.0 (and before 2.16.9 L ...) {DLA-2826-1} - mbedtls 2.16.9-0.1 @@ -39766,7 +39766,7 @@ CVE-2021-37105 (There is an improper file upload control vulnerability in Fusion CVE-2021-37104 (There is a server-side request forgery vulnerability in HUAWEI P40 ver ...) NOT-FOR-US: Huawei CVE-2021-37103 (There is an improper permission management vulnerability in the Wallet ...) - TODO: check + NOT-FOR-US: Huawei CVE-2021-37102 (There is a command injection vulnerability in CMA service module of Fu ...) NOT-FOR-US: Huawei CVE-2021-37101 (There is an improper authorization vulnerability in AIS-BW50-00 9.0.6. ...) 
@@ -39918,7 +39918,7 @@ CVE-2021-37029 (There is an Identity verification vulnerability in Huawei Smartp CVE-2021-37028 (There is a command injection vulnerability in the HG8045Q product. Whe ...) NOT-FOR-US: Huawei CVE-2021-37027 (There is a DoS vulnerability in smartphones. Successful exploitation o ...) - TODO: check + NOT-FOR-US: Huawei CVE-2021-37026 (There is a Improper Input Validation vulnerability in Huawei Smartphon ...) NOT-FOR-US: Huawei CVE-2021-37025 (There is a Improper Input Validation vulnerability in Huawei Smartphon ...) @@ -46244,11 +46244,11 @@ CVE-2021-34363 (The thefuck (aka The Fuck) package before 3.31 for Python allows CVE-2021-34362 (A command injection vulnerability has been reported to affect QNAP dev ...) NOT-FOR-US: QNAP CVE-2021-34361 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) - TODO: check + NOT-FOR-US: QNAP CVE-2021-34360 RESERVED CVE-2021-34359 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) - TODO: check + NOT-FOR-US: QNAP CVE-2021-34358 (We have already fixed this vulnerability in the following versions of ...) NOT-FOR-US: QNAP
[Git][security-tracker-team/security-tracker][master] Process several NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9642c7a1 by Salvatore Bonaccorso at 2022-02-25T21:27:17+01:00 Process several NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1036,17 +1036,17 @@ CVE-2022-25650 CVE-2022-25172 RESERVED CVE-2022-25170 (The affected product is vulnerable to a stack-based buffer overflow wh ...) - TODO: check + NOT-FOR-US: FATEK Automation CVE-2022-24910 RESERVED CVE-2022-23985 (The affected product is vulnerable to an out-of-bounds write while pro ...) - TODO: check + NOT-FOR-US: FATEK Automation CVE-2022-21809 RESERVED CVE-2022-21238 RESERVED CVE-2022-21209 (The affected product is vulnerable to an out-of-bounds read while proc ...) - TODO: check + NOT-FOR-US: FATEK Automation CVE-2022-0730 RESERVED CVE-2022-0729 (Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior ...) @@ -1693,7 +1693,7 @@ CVE-2022-25375 (An issue was discovered in drivers/usb/gadget/function/rndis.c i NOTE: https://www.openwall.com/lists/oss-security/2022/02/21/1 NOTE: https://git.kernel.org/linus/38ea1eac7d88072bbffb630e2b3db83ca649b826 (5.17-rc4) CVE-2022-25374 (HashiCorp Terraform Enterprise before 202202-1 inserts Sensitive Infor ...) - TODO: check + NOT-FOR-US: HashiCorp Terraform Enterprise CVE-2022-25373 RESERVED CVE-2022-25372 (Pritunl Client through 1.2.3019.52 on Windows allows local privilege e ...) @@ -2314,7 +2314,7 @@ CVE-2022-0617 (A flaw null pointer dereference in the Linux kernel UDF file syst CVE-2022-0616 RESERVED CVE-2022-0615 (Use-after-free in eset_rtp kernel module used in ESET products for Lin ...) - TODO: check + NOT-FOR-US: ESET CVE-2022-0614 (Use of Out-of-range Pointer Offset in Homebrew mruby prior to 3.2. ...) - mruby (Vulnerable code introduced later) NOTE: https://huntr.dev/bounties/a980ce4d-c359-4425-92c4-e844c0055879 
@@ -3901,7 +3901,7 @@ CVE-2022-24613 (metadata-extractor up to 2.16.0 can throw various uncaught excep - libmetadata-extractor-java NOTE: https://github.com/drewnoakes/metadata-extractor/issues/561 CVE-2022-24612 (An authenticated user can upload an XML file containing an XSS via the ...) - TODO: check + NOT-FOR-US: EyesOfNetwork (EON) eonweb CVE-2022-24611 RESERVED CVE-2022-24610 (Settings/network settings/wireless settings on the Alecto DVC-215IP ca ...) 
@@ -4539,41 +4539,41 @@ CVE-2022-24349 CVE-2022-24348 (Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal ...) NOT-FOR-US: Argo CD CVE-2022-24347 (JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS vi ...) - TODO: check + NOT-FOR-US: JetBrains YouTrack CVE-2022-24346 (In JetBrains IntelliJ IDEA before 2021.3.1, local code execution via R ...) TODO: check CVE-2022-24345 (In JetBrains IntelliJ IDEA before 2021.2.4, local code execution (with ...) TODO: check CVE-2022-24344 (JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on ...) - TODO: check + NOT-FOR-US: JetBrains YouTrack CVE-2022-24343 (In JetBrains YouTrack before 2021.4.31698, a custom logo could be set ...) - TODO: check + NOT-FOR-US: JetBrains YouTrack CVE-2022-24342 (In JetBrains TeamCity before 2021.2.1, URL injection leading to CSRF w ...) - TODO: check + NOT-FOR-US: JetBrains TeamCity CVE-2022-24341 (In JetBrains TeamCity before 2021.2.1, editing a user account to chang ...) - TODO: check + NOT-FOR-US: JetBrains TeamCity CVE-2022-24340 (In JetBrains TeamCity before 2021.2.1, XXE during the parsing of the c ...) - TODO: check + NOT-FOR-US: JetBrains TeamCity CVE-2022-24339 (JetBrains TeamCity before 2021.2.1 was vulnerable to stored XSS. ...) - TODO: check + NOT-FOR-US: JetBrains TeamCity CVE-2022-24338 (JetBrains TeamCity before 2021.2.1 was vulnerable to reflected XSS. ...) - TODO: check + NOT-FOR-US: JetBrains TeamCity CVE-2022-24337 (In JetBrains TeamCity before 2021.2, health items of pull requests wer ...) - TODO: check + NOT-FOR-US: JetBrains TeamCity CVE-2022-24336 (In JetBrains TeamCity before 2021.2.1, an unauthenticated attacker can ...) - TODO: check + NOT-FOR-US: JetBrains TeamCity CVE-2022-24335 (JetBrains TeamCity before 2021.2 was vulnerable to a Time-of-check/Tim ...) - TODO: check + NOT-FOR-US: JetBrains TeamCity CVE-2022-24334 (In JetBrains TeamCity before 2021.2.1, the Agent Push feature allowed ...) 
- TODO: check + NOT-FOR-US: JetBrains TeamCity CVE-2022-24333 (In JetBrains TeamCity before 2021.2, blind SSRF via an XML-RPC call wa ...) - TODO: check + NOT-FOR-US:
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-0746/dolibarr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 442b0579 by Salvatore Bonaccorso at 2022-02-25T21:26:32+01:00 Add CVE-2022-0746/dolibarr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -627,7 +627,7 @@ CVE-2022-0748 CVE-2022-0747 RESERVED CVE-2022-0746 (Business Logic Errors in GitHub repository dolibarr/dolibarr prior to ...) - TODO: check + - dolibarr CVE-2022-0745 RESERVED CVE-2022-0744 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/442b057941d00e38e477dea0ae9fe87db87fbf7b
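Review bot: '- dolibarr' is added without a fixed version and without any NOTE pointing at the upstream report; the entry of the same 'GitHub repository ... prior to' shape elsewhere in this batch (CVE-2022-0614/mruby) carries a huntr.dev NOTE, so consider adding the corresponding reference here so the fix can be tracked.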
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 21a039e7 by Salvatore Bonaccorso at 2022-02-25T21:18:26+01:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -34967,7 +34967,7 @@ CVE-2021-38995 (IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged CVE-2021-38994 (IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local ...) NOT-FOR-US: IBM CVE-2021-38993 (IBM AIX 7.1, 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-38992 RESERVED CVE-2021-38991 (IBM AIX 7.0, 7.1, 7.2, and VIOS 3.1 could allow a non-privileged local ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21a039e73fa91b609fa6af2b149dca67524775c6
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 82d2ff1d by security tracker role at 2022-02-25T20:10:23+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,53 @@ +CVE-2022-26129 + RESERVED +CVE-2022-26128 + RESERVED +CVE-2022-26127 + RESERVED +CVE-2022-26126 + RESERVED +CVE-2022-26125 + RESERVED +CVE-2022-26122 + RESERVED +CVE-2022-26121 + RESERVED +CVE-2022-26120 + RESERVED +CVE-2022-26119 + RESERVED +CVE-2022-26118 + RESERVED +CVE-2022-26117 + RESERVED +CVE-2022-26116 + RESERVED +CVE-2022-26115 + RESERVED +CVE-2022-26114 + RESERVED +CVE-2022-26113 + RESERVED +CVE-2022-26112 + RESERVED +CVE-2022-26042 + RESERVED +CVE-2022-26007 + RESERVED +CVE-2022-26002 + RESERVED +CVE-2022-25995 + RESERVED +CVE-2022-0765 + RESERVED +CVE-2022-0764 + RESERVED +CVE-2022-0763 + RESERVED +CVE-2022-0762 + RESERVED +CVE-2021-4224 + RESERVED CVE-2022-26111 RESERVED CVE-2022-26110 @@ -576,8 +626,8 @@ CVE-2022-0748 RESERVED CVE-2022-0747 RESERVED -CVE-2022-0746 - RESERVED +CVE-2022-0746 (Business Logic Errors in GitHub repository dolibarr/dolibarr prior to ...) + TODO: check CVE-2022-0745 RESERVED CVE-2022-0744 @@ -985,18 +1035,18 @@ CVE-2022-25650 RESERVED CVE-2022-25172 RESERVED -CVE-2022-25170 - RESERVED +CVE-2022-25170 (The affected product is vulnerable to a stack-based buffer overflow wh ...) + TODO: check CVE-2022-24910 RESERVED -CVE-2022-23985 - RESERVED +CVE-2022-23985 (The affected product is vulnerable to an out-of-bounds write while pro ...) + TODO: check CVE-2022-21809 RESERVED CVE-2022-21238 RESERVED -CVE-2022-21209 - RESERVED +CVE-2022-21209 (The affected product is vulnerable to an out-of-bounds read while proc ...) + TODO: check CVE-2022-0730 RESERVED CVE-2022-0729 (Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior ...) 
@@ -1642,8 +1692,8 @@ CVE-2022-25375 (An issue was discovered in drivers/usb/gadget/function/rndis.c i NOTE: https://github.com/szymonh/rndis-co NOTE: https://www.openwall.com/lists/oss-security/2022/02/21/1 NOTE: https://git.kernel.org/linus/38ea1eac7d88072bbffb630e2b3db83ca649b826 (5.17-rc4) -CVE-2022-25374 - RESERVED +CVE-2022-25374 (HashiCorp Terraform Enterprise before 202202-1 inserts Sensitive Infor ...) + TODO: check CVE-2022-25373 RESERVED CVE-2022-25372 (Pritunl Client through 1.2.3019.52 on Windows allows local privilege e ...) @@ -1792,15 +1842,13 @@ CVE-2022-25330 (Integer overflow conditions that exist in Trend Micro ServerProt NOT-FOR-US: Trend Micro CVE-2022-25329 (Trend Micro ServerProtect 6.0/5.8 Information Server uses a static cre ...) NOT-FOR-US: Trend Micro -CVE-2022-25328 - RESERVED +CVE-2022-25328 (The bash_completion script for fscrypt allows injection of commands vi ...) - fscrypt [bullseye] - fscrypt (Minor issue) [buster] - fscrypt (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/02/24/1 NOTE: https://github.com/google/fscrypt/commit/fa1a1fdbdea65829ce24a6b6f86ce2961e465b02 -CVE-2022-25327 - RESERVED +CVE-2022-25327 (The PAM module for fscrypt doesn't adequately validate fscrypt metadat ...) - fscrypt [bullseye] - fscrypt (Minor issue) [buster] - fscrypt (Minor issue) @@ -1808,8 +1856,7 @@ CVE-2022-25327 NOTE: https://github.com/google/fscrypt/commit/1a47718420317f893831b0223153d56005d5b02b NOTE: https://github.com/google/fscrypt/commit/74e870b7bd1585b4b509da47e0e75db66336e576 NOTE: https://github.com/google/fscrypt/commit/b44fbe71e1e93c47050322af51725bac997641e0 -CVE-2022-25326 - RESERVED +CVE-2022-25326 (fscrypt through v0.3.2 creates a world-writable directory by default w ...) - fscrypt [bullseye] - fscrypt (Minor issue) [buster] - fscrypt (Minor issue) 
@@ -2026,7 +2073,7 @@ CVE-2022-25258 (An issue was discovered in drivers/usb/gadget/composite.c in the NOTE: https://github.com/szymonh/d-os-descriptor NOTE: https://git.kernel.org/linus/75e5b4849b81e19e9efe1654b30d7f3151c33c2c (5.17-rc4) CVE-2022-0655 - RESERVED + REJECTED CVE-2022-0654 (Exposure of Sensitive Information to an Unauthorized Actor in GitHub r ...) NOT-FOR-US: Node request-retry CVE-2022-0653 (The Profile Builder User Profile User Registration Forms ...) @@ -2266,8 +2313,8 @@ CVE-2022-0617 (A flaw null pointer dereference in the Linux kernel UDF file syst NOTE:
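Review bot: CVE-2022-0746 in the @@ -576 hunk arrives with only "TODO: check", yet this list already tracks the neighbouring dolibarr issue CVE-2022-0731 against the dolibarr source package (see the @@ -758 hunk of commit 48fe9611 further down this page); the follow-up triage should replace the TODO with a "- dolibarr" line and a NOTE to the upstream report rather than leave it pending.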
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-25636/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a892469c by Salvatore Bonaccorso at 2022-02-25T18:18:31+01:00 Track fixed version for CVE-2022-25636/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1107,7 +1107,7 @@ CVE-2022-0713 (Heap-based Buffer Overflow in GitHub repository radareorg/radare2 NOTE: https://huntr.dev/bounties/d35b3dff-768d-4a09-a742-c18ca8f56d3c NOTE: https://github.com/radareorg/radare2/commit/a35f89f86ed12161af09330e92e5a213014e46a1 CVE-2022-25636 (net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10 a ...) - - linux + - linux 5.16.11-1 [buster] - linux (Vulnerable code not present) [stretch] - linux (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2022/02/21/2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a892469c45dca102c7dacc7810c8bd624929f222
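Review bot: the @@ -1107 hunk records 5.16.11-1 as the unstable fix but adds no [bullseye] line beside the [buster] and [stretch] "Vulnerable code not present" annotations, so bullseye remains tracked as affected with no fixed version; if a DSA is pending that is fine, otherwise the bullseye annotation should land in the same change so the entry is not read as an oversight.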
[Git][security-tracker-team/security-tracker][master] update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 86386d76 by Thorsten Alteholz at 2022-02-25T16:37:38+01:00 update note - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -54,12 +54,13 @@ gpac (Roberto C. Sánchez) NOTE: 20211228: Returning to active work on this now that llvm/rustc update is complete (roberto) -- htmldoc (Thorsten Alteholz) + NOTE: 20220225: testing package -- intel-microcode NOTE: 20220213: please recheck -- libarchive (Thorsten Alteholz) - NOTE: 20220213: testing package + NOTE: 20220225: fix seems to be incomplete -- libgit2 (Utkarsh) NOTE: 20220208: got clearance. will upload this week. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86386d764c50fedb3ba1989744dd74d3a79d1ed2
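Review bot: the libarchive note in the @@ -54 hunk says "fix seems to be incomplete" without naming which CVE or which upstream fix is incomplete, and it overwrites the 20220213 "testing package" note instead of adding to it; append a dated NOTE that names the CVE and links the upstream commit or issue, and keep the earlier line so the history stays readable, as the debian-archive-keyring entry in this file does with its stacked NOTE lines.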
[Git][security-tracker-team/security-tracker][master] more gpac security fixes in experimental
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f9dceb9 by Moritz Muehlenhoff at 2022-02-25T16:23:23+01:00 more gpac security fixes in experimental - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12879,9 +12879,10 @@ CVE-2021-45832 (A Stack-based Buffer Overflow Vulnerability exists in HDF5 1.13. NOTE: https://github.com/HDFGroup/hdf5/issues/1315 NOTE: https://github.com/advisories/GHSA-hvh7-f5p9-68g8 CVE-2021-45831 (A Null Pointer Dereference vulnerability exitgs in GPAC 1.0.1 in MP4Bo ...) + [experimental] - gpac 2.0.0+dfsg1-1 - gpac NOTE: https://github.com/gpac/gpac/issues/1990 - NOTE: https://github.com/gpac/gpac/commit/4613a35362e15a6df90453bd632d083645e5a765 + NOTE: https://github.com/gpac/gpac/commit/4613a35362e15a6df90453bd632d083645e5a765 (v2.0.0) CVE-2021-45830 (A heap-based buffer overflow vulnerability exists in HDF5 1.13.1-1 via ...) - hdf5 NOTE: https://github.com/HDFGroup/hdf5/issues/1314 
@@ -13013,31 +13014,36 @@ CVE-2021-45769 (A NULL pointer dereference in AcseConnection_parseMessage at src CVE-2021-45768 RESERVED CVE-2021-45767 (GPAC 1.1.0 was discovered to contain an invalid memory address derefer ...) + [experimental] - gpac 2.0.0+dfsg1-1 - gpac NOTE: https://github.com/gpac/gpac/issues/1982 - NOTE: https://github.com/gpac/gpac/commit/830548acd030467e857f4cf0b79af8ebf1e04dde + NOTE: https://github.com/gpac/gpac/commit/830548acd030467e857f4cf0b79af8ebf1e04dde (v2.0.0) CVE-2021-45766 RESERVED CVE-2021-45765 RESERVED CVE-2021-45764 (GPAC v1.1.0 was discovered to contain an invalid memory address derefe ...) + [experimental] - gpac 2.0.0+dfsg1-1 - gpac NOTE: https://github.com/gpac/gpac/issues/1971 - NOTE: https://github.com/gpac/gpac/commit/e54df17892bee983d09d9437e44e6a1528fb46cb + NOTE: https://github.com/gpac/gpac/commit/e54df17892bee983d09d9437e44e6a1528fb46cb (v2.0.0) CVE-2021-45763 (GPAC v1.1.0 was discovered to contain an invalid call in the function ...) + [experimental] - gpac 2.0.0+dfsg1-1 - gpac NOTE: https://github.com/gpac/gpac/issues/1974 - NOTE: https://github.com/gpac/gpac/commit/d2f74e49f2cb8d687c0dc38f66b99e3c5c7d7fec + NOTE: https://github.com/gpac/gpac/commit/d2f74e49f2cb8d687c0dc38f66b99e3c5c7d7fec (v2.0.0) CVE-2021-45762 (GPAC v1.1.0 was discovered to contain an invalid memory address derefe ...) + [experimental] - gpac 2.0.0+dfsg1-1 - gpac NOTE: https://github.com/gpac/gpac/issues/1978 - NOTE: https://github.com/gpac/gpac/commit/6d647f6e458c9b727eae1a8077d27fa433ced788 + NOTE: https://github.com/gpac/gpac/commit/6d647f6e458c9b727eae1a8077d27fa433ced788 (v2.0.0) CVE-2021-45761 (ROPium v3.1 was discovered to contain an invalid memory address derefe ...) NOT-FOR-US: ROPium CVE-2021-45760 (GPAC v1.1.0 was discovered to contain an invalid memory address derefe ...) 
+ [experimental] - gpac 2.0.0+dfsg1-1 - gpac NOTE: https://github.com/gpac/gpac/issues/1966 - NOTE: https://github.com/gpac/gpac/commit/5041fcbaa904a89d280561905a163171b3828cea + NOTE: https://github.com/gpac/gpac/commit/5041fcbaa904a89d280561905a163171b3828cea (v2.0.0) CVE-2021-45759 RESERVED CVE-2021-45758 @@ -14645,9 +14651,10 @@ CVE-2021-45299 CVE-2021-45298 RESERVED CVE-2021-45297 (An infinite loop vulnerability exists in Gpac 1.0.1 in gf_get_bit_size ...) + [experimental] - gpac 2.0.0+dfsg1-1 - gpac NOTE: https://github.com/gpac/gpac/issues/1973 - NOTE: https://github.com/gpac/gpac/commit/fb13af36286b9d898e332e8762a286eb83bd1770 + NOTE: https://github.com/gpac/gpac/commit/fb13af36286b9d898e332e8762a286eb83bd1770 (v2.0.0) CVE-2021-45296 RESERVED CVE-2021-45295 @@ -14661,13 +14668,15 @@ CVE-2021-45293 (A Denial of Service vulnerability exists in Binaryen 103 due to NOTE: https://github.com/WebAssembly/binaryen/commit/b1f6298ed8756bdc3336429c04b92ba58d000b49 (version_104) NOTE: Crash in CLI tool, no security impact CVE-2021-45292 (The gf_isom_hint_rtp_read function in GPAC 1.0.1 allows attackers to c ...) + [experimental] - gpac 2.0.0+dfsg1-1 - gpac NOTE: https://github.com/gpac/gpac/issues/1958 - NOTE: https://github.com/gpac/gpac/commit/3dafcb5e71e9ffebb50238784dcad8b105da81f6 + NOTE: https://github.com/gpac/gpac/commit/3dafcb5e71e9ffebb50238784dcad8b105da81f6 (v2.0.0) CVE-2021-45291 (The gf_dump_setup function in GPAC 1.0.1 allows malicoius users to cau ...) + [experimental] - gpac 2.0.0+dfsg1-1 - gpac NOTE: https://github.com/gpac/gpac/issues/1955 - NOTE:
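Review bot: the entries that gain "[experimental] - gpac 2.0.0+dfsg1-1" in these hunks (CVE-2021-45831, -45767, -45764, -45763, -45762, -45760, -45297, -45292, -45291) carry no [bullseye] or [buster] annotation, unlike CVE-2021-4043 in commit 939390e8 below, which has "(Minor issue)" lines for both; either add the same no-dsa annotations here or note why these stay open for stable and oldstable, otherwise the tracker shows them as unhandled.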
[Git][security-tracker-team/security-tracker][master] gpac security fixes in experimental
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 939390e8 by Moritz Muehlenhoff at 2022-02-25T16:01:14+01:00 gpac security fixes in experimental - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17503,12 +17503,13 @@ CVE-2021-4044 (Internally libssl in OpenSSL calls X509_verify_cert() on the clie - openssl (Vulnerable code not present) NOTE: https://www.openssl.org/news/secadv/20211214.txt CVE-2021-4043 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 1.1.0 ...) + [experimental] - gpac 2.0.0+dfsg1-1 - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) NOTE: https://huntr.dev/bounties/d7a534cb-df7a-48ba-8ce3-46b1551a9c47 NOTE: https://github.com/gpac/gpac/issues/2092 - NOTE: https://github.com/gpac/gpac/commit/64a2e1b799352ac7d7aad1989bc06e7b0f2b01db + NOTE: https://github.com/gpac/gpac/commit/64a2e1b799352ac7d7aad1989bc06e7b0f2b01db (v2.0.0) CVE-2021-4042 RESERVED CVE-2021-4041 [Improper shell escaping in ansible-runner] 
@@ -41247,23 +41248,26 @@ CVE-2021-36419 CVE-2021-36418 RESERVED CVE-2021-36417 (A heap-based buffer overflow vulnerability exists in GPAC v1.0.1 in th ...) + [experimental] - gpac 2.0.0+dfsg1-1 - gpac NOTE: https://github.com/gpac/gpac/issues/1846 - NOTE: https://github.com/gpac/gpac/commit/737e1f39da80e02912953269966d89afd196ad30 + NOTE: https://github.com/gpac/gpac/commit/737e1f39da80e02912953269966d89afd196ad30 (v2.0.0) CVE-2021-36416 RESERVED CVE-2021-36415 RESERVED CVE-2021-36414 (A heab-based buffer overflow vulnerability exists in MP4Box in GPAC 1. ...) + [experimental] - gpac 2.0.0+dfsg1-1 - gpac NOTE: https://github.com/gpac/gpac/issues/1840 - NOTE: https://github.com/gpac/gpac/commit/6007c7145eb0fcd29fe05b6e5983a065b42c6b21 + NOTE: https://github.com/gpac/gpac/commit/6007c7145eb0fcd29fe05b6e5983a065b42c6b21 (v2.0.0) CVE-2021-36413 RESERVED CVE-2021-36412 (A heap-based buffer overflow vulnerability exists in MP4Box in GPAC 1. ...) + [experimental] - gpac 2.0.0+dfsg1-1 - gpac NOTE: https://github.com/gpac/gpac/issues/1838 - NOTE: https://github.com/gpac/gpac/commit/828188475084db87cebc34208b6bd2509709845e + NOTE: https://github.com/gpac/gpac/commit/828188475084db87cebc34208b6bd2509709845e (v2.0.0) CVE-2021-36411 (An issue has been found in libde265 v1.0.8 due to incorrect access con ...) - libde265 [bullseye] - libde265 (Minor issue) @@ -48551,6 +48555,7 @@ CVE-2021-33363 (Memory leak in the infe_box_read function in MP4Box in GPAC 1.0. NOTE: https://github.com/gpac/gpac/issues/1786 NOTE: Negligible security impact CVE-2021-33362 (Stack buffer overflow in the hevc_parse_vps_extension function in MP4B ...) + [experimental] - gpac 2.0.0+dfsg1-1 - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) 
@@ -48558,7 +48563,7 @@ CVE-2021-33362 (Stack buffer overflow in the hevc_parse_vps_extension function i - ccextractor 0.93+ds2-1 (bug #994746) [bullseye] - ccextractor (Minor issue) [buster] - ccextractor (Minor issue) - NOTE: https://github.com/gpac/gpac/commit/1273cdc706eeedf8346d4b9faa5b33435056061d + NOTE: https://github.com/gpac/gpac/commit/1273cdc706eeedf8346d4b9faa5b33435056061d (v2.0.0) NOTE: https://github.com/gpac/gpac/issues/1780 CVE-2021-33361 (Memory leak in the afra_box_read function in MP4Box in GPAC 1.0.1 allo ...) - gpac (unimportant) @@ -50956,6 +50961,7 @@ CVE-2021-32442 CVE-2021-32441 RESERVED CVE-2021-32440 (The Media_RewriteODFrame function in GPAC 1.0.1 allows attackers to ca ...) + [experimental] - gpac 2.0.0+dfsg1-1 - gpac [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) @@ -50963,26 +50969,29 @@ CVE-2021-32440 (The Media_RewriteODFrame function in GPAC 1.0.1 allows attackers - ccextractor 0.93+ds2-1 (bug #994746) [bullseye] - ccextractor (Minor issue) [buster] - ccextractor (Minor issue) - NOTE: https://github.com/gpac/gpac/commit/f0ba83717b6e4d7a15a1676d1fe06152e199b011 + NOTE: https://github.com/gpac/gpac/commit/f0ba83717b6e4d7a15a1676d1fe06152e199b011 (v2.0.0) NOTE: https://github.com/gpac/gpac/issues/1772 CVE-2021-32439 (Buffer overflow in the stbl_AppendSize function in MP4Box in GPAC 1.0. ...) + [experimental] - gpac 2.0.0+dfsg1-1 - gpac [stretch] - gpac (Minor issue; can be fixed in next update) - NOTE: https://github.com/gpac/gpac/commit/77ed81c069e10b3861d88f72e1c6be1277ee7eae + NOTE:
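Review bot: in the @@ -17503 hunk the CVE-2021-4043 description says the flaw affects gpac "prior to 1.1.0", while the fixing commit is now tagged (v2.0.0); a short NOTE stating which released upstream version first carries the fix would stop a reader concluding that 1.1.0 is already fixed.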
[Git][security-tracker-team/security-tracker][master] Remove unstable entry for CVE-2021-21263 for next oldstable point release
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e27cfe3e by Salvatore Bonaccorso at 2022-02-25T14:50:33+01:00 Remove unstable entry for CVE-2021-21263 for next oldstable point release - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -243,5 +243,4 @@ CVE-2021-40874 CVE-2021- [SQL Server LIMIT / OFFSET SQL Injection] [buster] - php-illuminate-database 5.7.27-1+deb10u1 CVE-2021-21263 (Laravel is a web application framework. Versions of Laravel before 6.2 ...) - - php-laravel-framework 6.20.11+dfsg-1 (bug #980095) [buster] - php-illuminate-database 5.7.27-1+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e27cfe3e4d3f0a209f32e351ed4778f500f2a4cb
[Git][security-tracker-team/security-tracker][master] intel-microcode fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e800b87c by Moritz Muehlenhoff at 2022-02-25T14:44:30+01:00 intel-microcode fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -49178,7 +49178,7 @@ CVE-2021-33122 CVE-2021-33121 RESERVED CVE-2021-33120 (Out of bounds read under complex microarchitectural condition in memor ...) - - intel-microcode + - intel-microcode 3.20220207.1 [bullseye] - intel-microcode (Wait until exposed in unstable; tendency to point release) [buster] - intel-microcode (Wait until exposed in unstable; tendency point release) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00589.html @@ -94874,7 +94874,7 @@ CVE-2021-0146 (Hardware allows activation of test or debug logic at runtime for NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00528.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20220207 CVE-2021-0145 (Improper initialization of shared resources in some Intel(R) Processor ...) - - intel-microcode + - intel-microcode 3.20220207.1 [bullseye] - intel-microcode (Wait until exposed in unstable; tendency to point release) [buster] - intel-microcode (Wait until exposed in unstable; tendency point release) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00561.html 
@@ -94920,7 +94920,7 @@ CVE-2021-0129 (Improper access control in BlueZ may allow an authenticated user CVE-2021-0128 RESERVED CVE-2021-0127 (Insufficient control flow management in some Intel(R) Processors may a ...) - - intel-microcode + - intel-microcode 3.20220207.1 [bullseye] - intel-microcode (Wait until exposed in unstable; tendency to point release) [buster] - intel-microcode (Wait until exposed in unstable; tendency point release) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00532.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e800b87cf72afceeb69ac087caca1ed8d5a15222
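Review bot: all three hunks (@@ -49178, @@ -94874, @@ -94920) record intel-microcode 3.20220207.1 as the unstable fix but leave the [bullseye] and [buster] annotations reading "Wait until exposed in unstable", which this very commit makes stale; those lines should be revisited in the same change, for example reduced to the point-release intent. Minor: the [buster] lines say "tendency point release" where the [bullseye] lines say "tendency to point release".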
[Git][security-tracker-team/security-tracker][master] LTS: fix cyrus-sasl2 package name
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 46958a94 by Anton Gladky at 2022-02-25T14:29:05+01:00 LTS: fix cyrus-sasl2 package name - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -20,7 +20,7 @@ ansible -- asterisk (Abhijith PA) -- -cyrus-sasl +cyrus-sasl2 NOTE: 20220225: Please wait for DSA and take if C-knowledge are sufficient. (Anton) -- debian-archive-keyring (Anton) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46958a94a3e35119b3747d1fc83e4093d15efaa1
[Git][security-tracker-team/security-tracker][master] LTS: add cyrus-sasl
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: e007ff23 by Anton Gladky at 2022-02-25T14:28:04+01:00 LTS: add cyrus-sasl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -20,6 +20,9 @@ ansible -- asterisk (Abhijith PA) -- +cyrus-sasl + NOTE: 20220225: Please wait for DSA and take if C-knowledge are sufficient. (Anton) +-- debian-archive-keyring (Anton) NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html NOTE: 20210920: Raphael answered. will backport today. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e007ff2333637254596028ff430601494cc0ad07
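Review bot: the package added at @@ -20 is named cyrus-sasl, but the Debian source package is cyrus-sasl2, as the follow-up commit 46958a94 ("LTS: fix cyrus-sasl2 package name") corrects a minute later; checking the source name against the archive before adding a dla-needed.txt entry avoids the extra round trip.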
[Git][security-tracker-team/security-tracker][master] add details for kcron
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8b5be048 by Moritz Muehlenhoff at 2022-02-25T13:48:22+01:00 add details for kcron - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2824,8 +2824,13 @@ CVE-2022-24987 RESERVED CVE-2022-24986 RESERVED - TODO: check + - kcron + [bullseye] - kcron (Minor issue) + [buster] - kcron (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/02/25/3 + NOTE: https://invent.kde.org/system/kcron/-/commit/ef4266e3d5ea741c4d4f442a2cb12a317d7502a1 + NOTE: https://invent.kde.org/system/kcron/-/merge_requests/14 (followup fix) + NOTE: https://kde.org/info/security/advisory-20220216-1.txt CVE-2022-24985 (Forms generated by JQueryForm.com before 2022-02-05 allows a remote au ...) NOT-FOR-US: JQueryForm.com CVE-2022-24984 (Forms generated by JQueryForm.com before 2022-02-05 (if file-upload ca ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b5be04810a97157510ab0257825dd099a845865
[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: bf15f3f6 by Moritz Muehlenhoff at 2022-02-25T13:45:22+01:00 buster/bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1795,11 +1795,15 @@ CVE-2022-25329 (Trend Micro ServerProtect 6.0/5.8 Information Server uses a stat CVE-2022-25328 RESERVED - fscrypt + [bullseye] - fscrypt (Minor issue) + [buster] - fscrypt (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/02/24/1 NOTE: https://github.com/google/fscrypt/commit/fa1a1fdbdea65829ce24a6b6f86ce2961e465b02 CVE-2022-25327 RESERVED - fscrypt + [bullseye] - fscrypt (Minor issue) + [buster] - fscrypt (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/02/24/1 NOTE: https://github.com/google/fscrypt/commit/1a47718420317f893831b0223153d56005d5b02b NOTE: https://github.com/google/fscrypt/commit/74e870b7bd1585b4b509da47e0e75db66336e576 @@ -1807,6 +1811,8 @@ CVE-2022-25327 CVE-2022-25326 RESERVED - fscrypt + [bullseye] - fscrypt (Minor issue) + [buster] - fscrypt (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/02/24/1 NOTE: https://github.com/google/fscrypt/commit/6e355131670ad014e45f879475ddf800f0080d41 CVE-2022-23183 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf15f3f68e57064574fbb79c9ffcc58d54dc145b
[Git][security-tracker-team/security-tracker][master] CVE-2022-24986: KCron: Insecure temporary file handling
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: b3df1883 by Henri Salo at 2022-02-25T14:11:49+02:00 CVE-2022-24986: KCron: Insecure temporary file handling - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2818,6 +2818,8 @@ CVE-2022-24987 RESERVED CVE-2022-24986 RESERVED + TODO: check + NOTE: https://www.openwall.com/lists/oss-security/2022/02/25/3 CVE-2022-24985 (Forms generated by JQueryForm.com before 2022-02-05 allows a remote au ...) NOT-FOR-US: JQueryForm.com CVE-2022-24984 (Forms generated by JQueryForm.com before 2022-02-05 (if file-upload ca ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3df1883f6c572ec19526c84e3b11bc5a4912f8d
[Git][security-tracker-team/security-tracker][master] CVE-2022-24948
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: 0778ac16 by Henri Salo at 2022-02-25T14:02:11+02:00 CVE-2022-24948 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2995,6 +2995,7 @@ CVE-2022-24949 RESERVED CVE-2022-24948 RESERVED + - jspwiki CVE-2022-24947 RESERVED - jspwiki View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0778ac162f6403f75c7f31ef94b87626e41c72d5
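Review bot: CVE-2022-24948 and CVE-2022-24947 are both assigned to jspwiki in the @@ -2995 hunk while the entries are still RESERVED, and neither carries a NOTE pointing at the upstream advisory or fixing commit; add the reference that justified the assignment so the next triager can verify the affected versions once the descriptions arrive.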
[Git][security-tracker-team/security-tracker][master] CVE-2022-24947
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: bd747801 by Henri Salo at 2022-02-25T13:59:39+02:00 CVE-2022-24947 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2997,6 +2997,7 @@ CVE-2022-24948 RESERVED CVE-2022-24947 RESERVED + - jspwiki CVE-2022-24946 RESERVED CVE-2022-24945 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bd747801e11bd4a0aee32412d5674af6d76a3571
[Git][security-tracker-team/security-tracker][master] php-illuminate-database, lemonldap ospus
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 85910636 by Moritz Mühlenhoff at 2022-02-25T12:14:10+01:00 php-illuminate-database, lemonldap ospus - - - - - 2 changed files: - data/CVE/list - data/next-oldstable-point-update.txt Changes: = data/CVE/list = @@ -69552,6 +69552,7 @@ CVE-2021-25281 (An issue was discovered in through SaltStack Salt before 3002.5. CVE-2021- [SQL Server LIMIT / OFFSET SQL Injection] - php-laravel-framework 6.20.14+dfsg-2 (bug #987831) - php-illuminate-database (bug #987848) + [buster] - php-illuminate-database (Minor issue) NOTE: https://github.com/laravel/framework/security/advisories/GHSA-4mg9-vhxq-vm7j NOTE: https://blog.laravel.com/security-sql-injection-in-sql-server-limit-offset CVE-2021- [Unexpected database bindings via requests (follow-up)] @@ -69561,6 +69562,7 @@ CVE-2021- [Unexpected database bindings via requests (follow-up)] CVE-2021-21263 (Laravel is a web application framework. Versions of Laravel before 6.2 ...) - php-laravel-framework 6.20.11+dfsg-1 (bug #980095) - php-illuminate-database (bug #980899) + [buster] - php-illuminate-database (Minor issue) NOTE: https://blog.laravel.com/security-laravel-62011-7302-8221-released NOTE: https://github.com/laravel/framework/security/advisories/GHSA-3p32-j457-pg5x NOTE: https://github.com/laravel/framework/pull/35865 = data/next-oldstable-point-update.txt = 
@@ -238,3 +238,10 @@ CVE-2022-23307 [buster] - apache-log4j1.2 1.2.17-8+deb10u2 CVE-2021-44832 [buster] - apache-log4j2 2.17.1-1~deb10u1 +CVE-2021-40874 + [buster] - lemonldap-ng 2.0.2+ds-7+deb10u7 +CVE-2021- [SQL Server LIMIT / OFFSET SQL Injection] + [buster] - php-illuminate-database 5.7.27-1+deb10u1 +CVE-2021-21263 (Laravel is a web application framework. Versions of Laravel before 6.2 ...) + - php-laravel-framework 6.20.11+dfsg-1 (bug #980095) + [buster] - php-illuminate-database 5.7.27-1+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/859106362281d56fedb24453e1fdf48ce82efb91
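Review bot: the CVE-2021-21263 block added to data/next-oldstable-point-update.txt at @@ -238 carries the unstable line "- php-laravel-framework 6.20.11+dfsg-1 (bug #980095)", whereas every other entry in that file lists only [buster] lines; the later commit e27cfe3e on this page removes exactly that line, so only "[buster] - php-illuminate-database 5.7.27-1+deb10u1" should have been copied over.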
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1f02490a by Salvatore Bonaccorso at 2022-02-25T09:20:12+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6729,7 +6729,7 @@ CVE-2022-23837 (In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit CVE-2022-23836 RESERVED CVE-2022-23835 (** DISPUTED ** The Visual Voice Mail (VVM) application through 2022-02 ...) - TODO: check + NOT-FOR-US: Visual Voice Mail (VVM) application CVE-2022-0337 RESERVED CVE-2022-0336 [Samba AD users with permission to write to an account can impersonate arbitrary services] @@ -7131,7 +7131,7 @@ CVE-2022-23703 CVE-2022-23702 RESERVED CVE-2022-23701 (A potential remote host header injection security vulnerability has be ...) - TODO: check + NOT-FOR-US: HPE CVE-2022-23700 RESERVED CVE-2022-23699 @@ -16984,9 +16984,9 @@ CVE-2021-44667 CVE-2021-44666 RESERVED CVE-2021-44665 (A Directory Traversal vulnerability exists in the Xerte Project Xerte ...) - TODO: check + NOT-FOR-US: Xerte CVE-2021-44664 (An Authenticated Remote Code Exection (RCE) vulnerability exists in Xe ...) - TODO: check + NOT-FOR-US: Xerte CVE-2021-44663 (A Remote Code Execution (RCE) vulnerability exists in the Xerte Projec ...) NOT-FOR-US: Xerte CVE-2021-44662 (A Site Scripting (XSS) vulnerability exists in the Xerte Project Xerte ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1f02490ab665be5d753d26999ce7b92528b018d3
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-2461{3,4}/libmetadata-extractor-java
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5338d1c8 by Salvatore Bonaccorso at 2022-02-25T09:19:07+01:00 Add CVE-2022-2461{3,4}/libmetadata-extractor-java - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3835,9 +3835,11 @@ CVE-2022-24615 (zip4j up to 2.9.0 can throw various uncaught exceptions while pa NOTE: https://github.com/srikanth-lingala/zip4j/issues/377 TODO: check details CVE-2022-24614 (When reading a specially crafted JPEG file, metadata-extractor up to 2 ...) - TODO: check + - libmetadata-extractor-java + NOTE: https://github.com/drewnoakes/metadata-extractor/issues/561 CVE-2022-24613 (metadata-extractor up to 2.16.0 can throw various uncaught exceptions ...) - TODO: check + - libmetadata-extractor-java + NOTE: https://github.com/drewnoakes/metadata-extractor/issues/561 CVE-2022-24612 RESERVED CVE-2022-24611 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5338d1c819b86274fd9d8927f9a8523ed05098e9
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-24687/consul
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0fd930ff by Salvatore Bonaccorso at 2022-02-25T09:18:33+01:00 Add CVE-2022-24687/consul - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3561,7 +3561,8 @@ CVE-2022-24689 CVE-2022-24688 RESERVED CVE-2022-24687 (HashiCorp Consul and Consul Enterprise 1.8.0 through 1.9.14, 1.10.7, a ...) - TODO: check + - consul + NOTE: https://discuss.hashicorp.com/t/hcsec-2022-05-consul-ingress-gateway-panic-can-shutdown-servers/ CVE-2022-24686 (HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and ...) - nomad NOTE: https://discuss.hashicorp.com/t/hcsec-2022-01-nomad-artifact-download-race-condition/35559 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fd930ff91cfdbf87cf9d164fb1fe237f7c24a01 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fd930ff91cfdbf87cf9d164fb1fe237f7c24a01 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
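Review bot: the NOTE URL for CVE-2022-24687 ends in a bare slug with a trailing slash and no numeric topic id, unlike the nomad entry directly below it (.../35559); verify it resolves before relying on it. The description limits the affected range to Consul 1.8.0 through 1.9.14, 1.10.7 and a truncated remainder, while the entry has no fixed version and no [bullseye]/[buster] annotation, so check the packaged version against that range and add either the fixed Debian version or a no-dsa/not-affected marker.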
[Git][security-tracker-team/security-tracker][master] Process various NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 48fe9611 by Salvatore Bonaccorso at 2022-02-25T09:16:23+01:00 Process various NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -758,7 +758,7 @@ CVE-2022-0734 CVE-2022-0733 RESERVED CVE-2022-0732 (The backend infrastructure shared by multiple mobile device monitoring ...) - TODO: check + NOT-FOR-US: Various vendors for Mobile device monitoring services CVE-2022-0731 (Improper Access Control (IDOR) in GitHub repository dolibarr/dolibarr ...) - dolibarr CVE-2022- [Account Takeover via Email of OpenOffice file containing XSS exploit] @@ -3462,11 +3462,11 @@ CVE-2022-24711 CVE-2022-24710 RESERVED CVE-2022-24709 (@awsui/components-react is the main AWS UI package which contains Reac ...) - TODO: check + NOT-FOR-US: Node components-react CVE-2022-24708 (Anuko Time Tracker is an open source, web-based time tracking applicat ...) - TODO: check + NOT-FOR-US: Anuko Time Tracker CVE-2022-24707 (Anuko Time Tracker is an open source, web-based time tracking applicat ...) - TODO: check + NOT-FOR-US: Anuko Time Tracker CVE-2022-24706 RESERVED CVE-2022-24705 (The rad_packet_recv function in radius/packet.c suffers from a memcpy ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/48fe9611197a46bf3ed556104e079b68587ab4ac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/48fe9611197a46bf3ed556104e079b68587ab4ac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
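Review bot: the NOT-FOR-US text for CVE-2022-24709 says "Node components-react", dropping the npm scope; the description names the package as @awsui/components-react, so use that exact name so the entry is found by anyone searching for it. The CVE-2022-0732 line ("Various vendors for Mobile device monitoring services") is correct but reads more naturally as "various mobile device monitoring services".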
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9a1f9497 by security tracker role at 2022-02-25T08:10:15+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,57 @@ +CVE-2022-26111 + RESERVED +CVE-2022-26110 + RESERVED +CVE-2022-26109 + RESERVED +CVE-2022-26108 + RESERVED +CVE-2022-26107 + RESERVED +CVE-2022-26106 + RESERVED +CVE-2022-26105 + RESERVED +CVE-2022-26104 + RESERVED +CVE-2022-26103 + RESERVED +CVE-2022-26102 + RESERVED +CVE-2022-26101 + RESERVED +CVE-2022-26100 + RESERVED +CVE-2022-26099 + RESERVED +CVE-2022-26098 + RESERVED +CVE-2022-26097 + RESERVED +CVE-2022-26096 + RESERVED +CVE-2022-26095 + RESERVED +CVE-2022-26094 + RESERVED +CVE-2022-26093 + RESERVED +CVE-2022-26092 + RESERVED +CVE-2022-26091 + RESERVED +CVE-2022-26090 + RESERVED +CVE-2022-26089 + RESERVED +CVE-2022-26088 + RESERVED +CVE-2022-0761 + RESERVED +CVE-2022-0760 + RESERVED +CVE-2022-0759 + RESERVED CVE-2022-26085 RESERVED CVE-2022-26068 @@ -3407,8 +3461,8 @@ CVE-2022-24711 RESERVED CVE-2022-24710 RESERVED -CVE-2022-24709 - RESERVED +CVE-2022-24709 (@awsui/components-react is the main AWS UI package which contains Reac ...) + TODO: check CVE-2022-24708 (Anuko Time Tracker is an open source, web-based time tracking applicat ...) TODO: check CVE-2022-24707 (Anuko Time Tracker is an open source, web-based time tracking applicat ...) 
@@ -5460,20 +5514,20 @@ CVE-2022-24054 RESERVED CVE-2022-24053 RESERVED -CVE-2022-24052 (This vulnerability allows local attackers to escalate privileges on af ...) +CVE-2022-24052 (MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Es ...) - mariadb-10.6 1:10.6.7-1 - mariadb-10.5 - mariadb-10.3 NOTE: Fixed in MariaDB: 10.6.6, 10.5.14, 10.4.23, 10.3.33, 10.2.42 NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-366/ -CVE-2022-24051 (This vulnerability allows local attackers to escalate privileges on af ...) +CVE-2022-24051 (MariaDB CONNECT Storage Engine Format String Privilege Escalation Vuln ...) - mariadb-10.6 1:10.6.7-1 - mariadb-10.5 - mariadb-10.3 NOTE: Fixed in MariaDB: 10.6.6, 10.5.14, 10.4.23, 10.3.33, 10.2.42 NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-318/ NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-365/ -CVE-2022-24050 (This vulnerability allows local attackers to escalate privileges on af ...) +CVE-2022-24050 (MariaDB CONNECT Storage Engine Use-After-Free Privilege Escalation Vul ...) - mariadb-10.6 1:10.6.7-1 - mariadb-10.5 - mariadb-10.3 @@ -5481,7 +5535,7 @@ CVE-2022-24050 (This vulnerability allows local attackers to escalate privileges NOTE: https://www.zerodayinitiative.com/advisories/ZDI-22-364/ CVE-2022-24049 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Sonos One Speaker -CVE-2022-24048 (This vulnerability allows local attackers to escalate privileges on af ...) +CVE-2022-24048 (MariaDB CONNECT Storage Engine Stack-based Buffer Overflow Privilege E ...) - mariadb-10.6 1:10.6.7-1 - mariadb-10.5 - mariadb-10.3 
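Review bot: the description rewrites now name the component (MariaDB CONNECT Storage Engine) and the bug class for each of CVE-2022-24048/24050/24051/24052, which the earlier generic "local attackers to escalate privileges" text did not. The unchanged context still lists mariadb-10.5 and mariadb-10.3 with no version while the NOTE says upstream fixed these in 10.5.14 and 10.3.33; worth recording the corresponding Debian fixed versions or a suite annotation in a follow-up so those lines stop reading as unfixed.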
@@ -5709,7 +5763,7 @@ CVE-2021-46616 (This vulnerability allows remote attackers to disclose sensitive NOT-FOR-US: Bentley CVE-2021-46615 (This vulnerability allows remote attackers to disclose sensitive infor ...) NOT-FOR-US: Bentley -CVE-2021-46614 (This vulnerability allows remote attackers to execute arbitrary code o ...) +CVE-2021-46614 (Bentley MicroStation CONNECT 10.16.0.80 J2K File Parsing Out-Of-Bounds ...) NOT-FOR-US: Bentley CVE-2021-46613 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: Bentley @@ -6671,8 +6725,8 @@ CVE-2022-23837 (In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit NOTE: https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956 (v6.4.0) CVE-2022-23836 RESERVED -CVE-2022-23835 - RESERVED +CVE-2022-23835 (** DISPUTED ** The Visual Voice Mail (VVM) application through 2022-02 ...) + TODO: check CVE-2022-0337 RESERVED CVE-2022-0336 [Samba AD users with permission to write to an account can impersonate arbitrary services] @@ -7073,8 +7127,8 @@ CVE-2022-23703 RESERVED CVE-2022-23702 RESERVED -CVE-2022-23701 - RESERVED +CVE-2022-23701 (A potential remote host header injection security vulnerability has be ...) + TODO: check CVE-2022-23700 RESERVED CVE-2022-23699 @@ -16926,10 +16980,10 @@
[Git][security-tracker-team/security-tracker][master] Mark CVE-2021-3155 as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eb11291f by Salvatore Bonaccorso at 2022-02-25T09:00:48+01:00 Mark CVE-2021-3155 as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -69728,6 +69728,8 @@ CVE-2021-3156 (Sudo before 1.9.5p2 contains an off-by-one error that can result NOTE: https://www.openwall.com/lists/oss-security/2021/01/26/3 CVE-2021-3155 (snapd 2.54.2 and earlier created ~/snap directories in user home direc ...) - snapd 2.54-1 + [bullseye] - snapd (Minor issue) + [buster] - snapd (Minor issue) NOTE: https://github.com/snapcore/snapd/pull/9841 NOTE: https://github.com/snapcore/snapd/commit/6bcaeeccd16ed8298a301dd92f6907f88c24cc85 (2.52) NOTE: https://github.com/snapcore/snapd/commit/7d2a966620002149891446a53cf114804808dcca (2.54) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb11291f7d8c2cc55aae43ee2434f1e45691eeba -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb11291f7d8c2cc55aae43ee2434f1e45691eeba You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
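Review bot: the description says "snapd 2.54.2 and earlier" is affected, yet the entry records snapd 2.54-1 as fixed with upstream commits tagged (2.52) and (2.54); before marking bullseye and buster as Minor issue, confirm that the 2.54 commit completes the fix and that no additional change after 2.54.2 is required, otherwise the fixed-version line is wrong for sid as well. If the fix is the two-commit series, note that both commits are needed for any later backport.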