[Git][security-tracker-team/security-tracker][master] Add CVE-2022-26353/qemu and update note for CVE-2021-3748

2022-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6d7ff114 by Salvatore Bonaccorso at 2022-03-14T06:58:04+01:00
Add CVE-2022-26353/qemu and update note for CVE-2021-3748

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1592,8 +1592,14 @@ CVE-2022-26354 [vhost-vsock: missing virtqueue detach on 
error can lead to memor
- qemu 
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2063257
NOTE: 
https://gitlab.com/qemu-project/qemu/-/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf
-CVE-2022-26353
+CVE-2022-26353 [virtio-net: map leaking on error during receive]
RESERVED
+   - qemu 
+   [buster] - qemu  (Original upstream fix for CVE-2021-3748 
not applied)
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2063197
+   NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg02438.html
+   NOTE: Introduced by: 
https://gitlab.com/qemu-project/qemu/-/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6
 (v6.2.0-rc0)
+   NOTE: Introduced by the original fix for CVE-2021-3748.
 CVE-2022-0835
RESERVED
 CVE-2022-0834
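Review bot: the two added "Introduced by" NOTEs say the same thing twice; fold them into one line such as `NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6 (v6.2.0-rc0), the original fix for CVE-2021-3748` so the commit, the version and the cross-reference sit together. Separately, the package lines `- qemu ` and `[buster] - qemu  (Original upstream fix for CVE-2021-3748 not applied)` show a double space where the tracker's `<unfixed>` / `<not-affected>` marker belongs; if that is only this rendering dropping angle brackets it is fine, otherwise confirm the markers are in the file, since the buster not-affected rationale only holds as long as the CVE-2021-3748 fix is not backported there.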
@@ -34241,6 +34247,7 @@ CVE-2021-3748 [virtio-net: heap use-after-free in 
virtio_net_receive_rcu]
- qemu 1:6.1+dfsg-6 (bug #993401)
[stretch] - qemu  (Fix along with a future DLA)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1998514
+   NOTE: When fixing this issue make sure to not open CVE-2022-26353
 CVE-2021-40319
RESERVED
 CVE-2021-40318
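Review bot: the added NOTE warns not to open CVE-2022-26353 but gives the person doing the backport nothing to act on; point it at the follow-up fix that the CVE-2022-26353 entry already references, e.g. `NOTE: When fixing this issue make sure to not open CVE-2022-26353 (apply https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg02438.html along with it)`, so the stretch DLA mentioned on the line above picks up both patches in one go.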



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d7ff11450d8881ec701eb9311d7c783d5c90b20

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d7ff11450d8881ec701eb9311d7c783d5c90b20
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Add CVE-2022-26354/qemu

2022-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
baaa570d by Salvatore Bonaccorso at 2022-03-14T06:51:42+01:00
Add CVE-2022-26354/qemu

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1587,8 +1587,11 @@ CVE-2022-26356
RESERVED
 CVE-2022-26355 (Citrix Federated Authentication Service (FAS) 7.17 - 10.6 
causes deplo ...)
NOT-FOR-US: Citrix
-CVE-2022-26354
+CVE-2022-26354 [vhost-vsock: missing virtqueue detach on error can lead to 
memory leak]
RESERVED
+   - qemu 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2063257
+   NOTE: 
https://gitlab.com/qemu-project/qemu/-/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf
 CVE-2022-26353
RESERVED
 CVE-2022-0835



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/baaa570df223cd557e3a31dd33b5fd1393da5f9e



[Git][security-tracker-team/security-tracker][master] update note in dla-needed.txt

2022-03-13 Thread Abhijith PA (@abhijith)


Abhijith PA pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
86dba41b by Abhijith PA at 2022-03-14T09:48:35+05:30
update note in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -19,6 +19,7 @@ ansible
   NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
 --
 asterisk (Abhijith PA)
+  NOTE: 20220314: Looking on back log no-dsa (abhijith)
 --
 cacti (Sylvain Beucler)
 --
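Review bot: "Looking on back log no-dsa" is hard to parse for the next person picking up asterisk; say what is being looked at and what the outcome is, something like `NOTE: 20220314: reviewing the no-dsa backlog to decide which issues to include (abhijith)`.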
@@ -61,12 +62,14 @@ pjproject (Abhijith PA)
   NOTE: 20211230: patch available for the no-dsa issue, check its NOTE (pochu)
   NOTE: 20220215: Asterisk and ring have embedded copy of pjproject (abhijith)
   NOTE: 20220302: uploading asterisk, ring and pjproject in one go (abhijith)
+  NOTE: 20220314: 
https://people.debian.org/~abhijith/upload/vda/pjproject_2.5.5~dfsg-6+deb9u3.dsc
 --
 python-scrapy
 --
 python-treq
 --
 ring (Abhijith PA)
+ NOTE: 20220314: 
https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc
 --
 samba
   NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/samba/
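Review bot: the ring NOTE at the end of the hunk is indented with one space (`+ NOTE: 20220314:`) while every other NOTE in the file, including the pjproject one added in the same hunk, uses two; align it so the entry formatting stays consistent. Both new NOTEs also drop a bare .dsc URL with no context; a few words such as `proposed upload for review` would tell the reader what the link is for.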



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86dba41b94ee612f0c51dfb64af7065a0b5e3321



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2022-24720/ruby-image-processing

2022-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3aab97ec by Salvatore Bonaccorso at 2022-03-13T22:52:51+01:00
Add Debian bug reference for CVE-2022-24720/ruby-image-processing

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5899,7 +5899,7 @@ CVE-2022-24722 (VIewComponent is a framework for building 
view components in Rub
 CVE-2022-24721
RESERVED
 CVE-2022-24720 (image_processing is an image processing wrapper for libvips 
and ImageM ...)
-   - ruby-image-processing 
+   - ruby-image-processing  (bug #1007225)
NOTE: 
https://github.com/janko/image_processing/security/advisories/GHSA-cxf7-qrc5-9446
NOTE: 
https://github.com/janko/image_processing/commit/038e4574e8f4f4b636a62394e09983c71980dada
 (v1.12.2)
 CVE-2022-24719 (Fluture-Node is a FP-style HTTP and streaming utils for Node 
based on  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3aab97ec9000c83d1977cd33d4ab380d2b1add31



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2022-26967/gpac

2022-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5bfbc4d0 by Salvatore Bonaccorso at 2022-03-13T22:48:48+01:00
Add Debian bug reference for CVE-2022-26967/gpac

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -42,7 +42,7 @@ CVE-2022-26969
 CVE-2022-26968
RESERVED
 CVE-2022-26967 (GPAC 2.0 allows a heap-based buffer overflow in 
gf_base64_encode. It c ...)
-   - gpac 
+   - gpac  (bug #1007224)
NOTE: https://github.com/gpac/gpac/issues/2138
NOTE: 
https://github.com/gpac/gpac/commit/ea1eca00fd92fa17f0e25ac25652622924a9a6a0
 CVE-2022-26966 (An issue was discovered in the Linux kernel before 5.16.12. 
drivers/ne ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5bfbc4d08ecc15d9a6779c5dabd384669e2e828d



[Git][security-tracker-team/security-tracker][master] Reserve DLA-2948-1 for debian-archive-keyring

2022-03-13 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7cf043ff by Anton Gladky at 2022-03-13T22:02:54+01:00
Reserve DLA-2948-1 for debian-archive-keyring

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,5 @@
+[13 Mar 2022] DLA-2948-1 debian-archive-keyring - security update
+   [stretch] - debian-archive-keyring 2017.5+deb9u2
 [11 Mar 2022] DLA-2947-1 vim - security update
{CVE-2021-3984 CVE-2021-4019 CVE-2021-4069 CVE-2021-4193 CVE-2022-0213 
CVE-2022-0319 CVE-2022-0368 CVE-2022-0554 CVE-2022-0361 CVE-2022-0408 
CVE-2022-0685 CVE-2022-0714 CVE-2022-0359 CVE-2021-4192 CVE-2021-3872 
CVE-2021-3927 CVE-2021-3928 CVE-2021-3973 CVE-2021-3974 CVE-2022-0729}
[stretch] - vim 2:8.0.0197-4+deb9u5


=
data/dla-needed.txt
=
@@ -22,16 +22,6 @@ asterisk (Abhijith PA)
 --
 cacti (Sylvain Beucler)
 --
-debian-archive-keyring (Anton)
-  NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html
-  NOTE: 20210920: Raphael answered. will backport today. (utkarsh)
-  NOTE: 20211003: waiting for Jonathan to get back as his keys
-  NOTE: 20211003: seemed to have expired and the build is thus
-  NOTE: 20211003: failing. Or at least appears to be. :( (utkarsh)
-  NOTE: 20211018: Jonathan is prepping the branch; will work
-  NOTE: 20211018: with him and upload and publish the DLA. (utkarsh)
-  NOTE: 20220307: WIP (Anton)
---
 firmware-nonfree (Markus Koschany)
   NOTE: 20210731: WIP: 
https://salsa.debian.org/lts-team/packages/firmware-nonfree
   NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding 
possible "ignore" tag



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cf043ff3eca5c22da05a6fbd88e2e75ea2fb198



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-26981/liblouis

2022-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3d57f515 by Salvatore Bonaccorso at 2022-03-13T21:34:44+01:00
Add CVE-2022-26981/liblouis

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,6 @@
 CVE-2022-26981 (Liblouis through 3.21.0 has a buffer overflow in 
compilePassOpcode in  ...)
-   TODO: check
+   - liblouis 
+   NOTE: https://github.com/liblouis/liblouis/issues/1171
 CVE-2022-26980
RESERVED
 CVE-2022-0942
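Review bot: the entry references only the upstream issue (#1171) and no fix; once an upstream commit exists it should be recorded as a second NOTE with the release it landed in, in the form the other entries in this digest use (`NOTE: <commit URL> (vX.Y.Z)`), otherwise the fixed-version bookkeeping cannot be done later. A Debian bug reference on the `- liblouis` line would also help track the unstable upload.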



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d57f5153a058dd07c861fe06d893f4f53b5322a



[Git][security-tracker-team/security-tracker][master] Track possible fixes for CVE-2017-25{79,80,81}

2022-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
130a2414 by Salvatore Bonaccorso at 2022-03-13T21:29:19+01:00
Track possible fixes for CVE-2017-25{79,80,81}

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -323862,18 +323862,21 @@ CVE-2017-2581 (An out-of-bounds write vulnerability 
was found in netpbm before 1
NOTE: https://www.openwall.com/lists/oss-security/2017/02/05/7
NOTE: PoC+report attached to #854978
NOTE: Similar code path seems protected by earlier stricter size checks 
("object too large")
+   NOTE: Possible fix: https://sourceforge.net/p/netpbm/code/2989/ 
(10.78.05)
 CVE-2017-2580 (An out-of-bounds write vulnerability was found in netpbm before 
10.61. ...)
- netpbm-free  (bug #854978)
[jessie] - netpbm-free  (pnm/giftopnm.c and bpm/libpm.c 
rewritten, PoC triggers clean check "Zero byte allocation" missing in later 
versions)
NOTE: Debian uses an old fork of netpbm
NOTE: https://www.openwall.com/lists/oss-security/2017/02/05/7
NOTE: PoC+report attached to #854978
+   NOTE: Possible fix: https://sourceforge.net/p/netpbm/code/2821 
(10.47.63)
 CVE-2017-2579 (An out-of-bounds read vulnerability was found in netpbm before 
10.61.  ...)
- netpbm-free  (bug #854978)
[jessie] - netpbm-free  (pnm/giftopnm.c rewritten, PoC 
triggers clean application error handling)
NOTE: Debian uses an old fork of netpbm
NOTE: https://www.openwall.com/lists/oss-security/2017/02/05/7
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1024288 (reproducer)
+   NOTE: Possible fix: https://sourceforge.net/p/netpbm/code/2821 
(10.47.63)
 CVE-2017-2577
REJECTED
 CVE-2017-2575 (A vulnerability was found while fuzzing libbpg 0.9.7. It is a 
NULL poi ...)
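Review bot: the "Possible fix" wording is rightly hedged: the entries themselves record that Debian ships an old fork (`NOTE: Debian uses an old fork of netpbm`, package netpbm-free), so the SourceForge revisions 2821 (10.47.63) and 2989 (10.78.05) may not apply as-is. It would be worth adding next to each whether the affected code path exists in netpbm-free at all, as the jessie lines already do for the PoC, so that "possible" can eventually be turned into a definite fix or a not-affected.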



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/130a24147f887d8f6975647d75d99347428aaf4f



[Git][security-tracker-team/security-tracker][master] automatic update

2022-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4d388608 by security tracker role at 2022-03-13T20:10:17+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,4 +1,18 @@
-CVE-2021-46709 [cross-site-scripting with newRows GET parameter]
+CVE-2022-26981 (Liblouis through 3.21.0 has a buffer overflow in 
compilePassOpcode in  ...)
+   TODO: check
+CVE-2022-26980
+   RESERVED
+CVE-2022-0942
+   RESERVED
+CVE-2022-0941
+   RESERVED
+CVE-2022-0940
+   RESERVED
+CVE-2022-0939
+   RESERVED
+CVE-2022-0938
+   RESERVED
+CVE-2021-46709 (phpLiteAdmin through 1.9.8.2 allows XSS via the index.php 
newRows para ...)
- phpliteadmin 1.9.8.2-2
NOTE: 
https://bitbucket.org/phpliteadmin/public/issues/399/xss-vulnerability
NOTE: 
https://bitbucket.org/phpliteadmin/public/pull-requests/16/fix-an-xss-vulnerability-with-the-newrows
@@ -1716,7 +1730,7 @@ CVE-2022-26320
RESERVED
 CVE-2022-26319 (An installer search patch element vulnerability in Trend Micro 
Portabl ...)
NOT-FOR-US: Trend Micro
-CVE-2022-26318 (Null pointer dereference in WatchGuard Firebox and XTM 
appliances allo ...)
+CVE-2022-26318 (On WatchGuard Firebox and XTM appliances, an unauthenticated 
user can  ...)
NOT-FOR-US: WatchGuard
 CVE-2022-26317 (A vulnerability has been identified in Mendix Applications 
using Mendi ...)
NOT-FOR-US: Mendix (Siemens)
@@ -3535,6 +3549,7 @@ CVE-2022-0712 (NULL Pointer Dereference in GitHub 
repository radareorg/radare2 p
NOTE: https://huntr.dev/bounties/1e572820-e502-49d1-af0e-81833e2eb466
NOTE: 
https://github.com/radareorg/radare2/commit/515e592b9bea0612bc63d8e93239ff35bcf645c7
 CVE-2022-0711 (A flaw was found in the way HAProxy processed HTTP responses 
containin ...)
+   {DSA-5102-1}
- haproxy 2.4.13-1
[buster] - haproxy  (Vulnerable code introduced later)
[stretch] - haproxy  (Vulnerable code introduced later)
@@ -5008,7 +5023,7 @@ CVE-2022-25092
RESERVED
 CVE-2022-25091
RESERVED
-CVE-2022-25090 (Printix Secure Cloud Print Management 1.3.1035.0 creates a 
temporary f ...)
+CVE-2022-25090 (Printix Secure Cloud Print Management through 1.3.1106.0 
creates a tem ...)
NOT-FOR-US: Printix Secure Cloud Print Management
 CVE-2022-25089 (Printix Secure Cloud Print Management through 1.3.1106.0 
incorrectly u ...)
NOT-FOR-US: Printix Secure Cloud Print Management
@@ -6004,8 +6019,8 @@ CVE-2022-0549
NOTE: 
https://about.gitlab.com/releases/2022/02/25/critical-security-release-gitlab-14-8-2-released/
 CVE-2022-0548
RESERVED
-CVE-2022-24696
-   RESERVED
+CVE-2022-24696 (Mirametrix Glance before 5.1.1.42207 (released on 2018-08-30) 
allows a ...)
+   TODO: check
 CVE-2022-24695
RESERVED
 CVE-2022-24694 (In Mahara 20.10 before 20.10.4, 21.04 before 21.04.3, and 
21.10 before ...)
@@ -7736,8 +7751,8 @@ CVE-2022-24130 (xterm through Patch 370, when Sixel 
support is enabled, allows a
NOTE: 
https://github.com/ThomasDickey/xterm-snapshots/commit/1584fc227673264661250d3a8d673c168ac9512d
 CVE-2022-24129 (The OIDC OP plugin before 3.0.4 for Shibboleth Identity 
Provider allow ...)
NOT-FOR-US: Shibboleth identity provider OIDC OP plugin
-CVE-2022-24128
-   RESERVED
+CVE-2022-24128 (Timescale TimescaleDB 1.x and 2.x before 2.5.2 may allow 
privilege esc ...)
+   TODO: check
 CVE-2022-24127
RESERVED
 CVE-2022-24126
@@ -30339,7 +30354,7 @@ CVE-2021-41851
 CVE-2021-3851 (firefly-iii is vulnerable to URL Redirection to Untrusted Site 
...)
NOT-FOR-US: firefly-iii
 CVE-2021-3850 (Authentication Bypass by Primary Weakness in GitHub repository 
adodb/a ...)
-   {DLA-2912-1}
+   {DSA-5101-1 DLA-2912-1}
- libphp-adodb 5.21.4-1 (bug #1004376)
NOTE: https://github.com/ADOdb/ADOdb/issues/793
NOTE: 
https://github.com/adodb/adodb/commit/b4d5ce70034c5aac3a1d51d317d93c037a0938d2 
(v5.21.4)
@@ -64034,7 +64049,7 @@ CVE-2021-28490 (In OWASP CSRFGuard through 3.1.0, CSRF 
can occur because the CSR
NOT-FOR-US: OWASP CSRFGuard
 CVE-2021-28489
RESERVED
-CVE-2021-28488 (Ericsson Network Manager 20.2 has Insecure Permissions. ...)
+CVE-2021-28488 (Ericsson Network Manager (ENM) before 21.2 has incorrect 
access-contro ...)
NOT-FOR-US: Ericsson
 CVE-2021-28487
RESERVED



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d3886082572a08981574cd2a8f300c699974fa4


[Git][security-tracker-team/security-tracker][master] CVE-2021-46709/phpliteadmin assigned

2022-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bcefb2a5 by Salvatore Bonaccorso at 2022-03-13T20:31:09+01:00
CVE-2021-46709/phpliteadmin assigned

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,4 +1,4 @@
-CVE-2022- [cross-site-scripting with newRows GET parameter]
+CVE-2021-46709 [cross-site-scripting with newRows GET parameter]
- phpliteadmin 1.9.8.2-2
NOTE: 
https://bitbucket.org/phpliteadmin/public/issues/399/xss-vulnerability
NOTE: 
https://bitbucket.org/phpliteadmin/public/pull-requests/16/fix-an-xss-vulnerability-with-the-newrows



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bcefb2a57f152b89d659312632380dbd73ec4ddd



[Git][security-tracker-team/security-tracker][master] Track fixed version for some tiff issues via unstable

2022-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0b69394f by Salvatore Bonaccorso at 2022-03-13T17:32:12+01:00
Track fixed version for some tiff issues via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -286,7 +286,7 @@ CVE-2022-26852
 CVE-2022-26851
RESERVED
 CVE-2022-0924 (Out-of-bounds Read error in tiffcp in libtiff 4.3.0 allows 
attackers t ...)
-   - tiff 
+   - tiff 4.3.0-6
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/278
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/311
NOTE: 
https://gitlab.com/libtiff/libtiff/-/commit/88d79a45a31c74cba98c697892fed5f7db8b963a
@@ -467,16 +467,16 @@ CVE-2022-25905
 CVE-2022-0910
RESERVED
 CVE-2022-0909 (Divide By Zero error in tiffcrop in libtiff 4.3.0 allows 
attackers to  ...)
-   - tiff 
+   - tiff 4.3.0-6
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/393
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/310
NOTE: 
https://gitlab.com/libtiff/libtiff/-/commit/32ea0722ee68f503b7a3f9b2d557acb293fc8cde
 CVE-2022-0908 (Null source pointer passed as an argument to memcpy() function 
within  ...)
-   - tiff 
+   - tiff 4.3.0-6
NOTE: 
https://gitlab.com/libtiff/libtiff/-/commit/a95b799f65064e4ba2e2dfc206808f86faf93e85
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/383
 CVE-2022-0907 (Unchecked Return Value to NULL Pointer Dereference in tiffcrop 
in libt ...)
-   - tiff 
+   - tiff 4.3.0-6
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/392
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/314
NOTE: 
https://gitlab.com/libtiff/libtiff/-/commit/40b00cfb32256d377608b4d4cd30fac338d0a0bc
@@ -529,7 +529,7 @@ CVE-2022-26778 (Veritas System Recovery (VSR) 18 and 21 
stores a network destina
 CVE-2022-26777
RESERVED
 CVE-2022-0891 (A heap buffer overflow in ExtractImageSection function in 
tiffcrop.c i ...)
-   - tiff 
+   - tiff 4.3.0-6
NOTE: 
https://gitlab.com/libtiff/libtiff/-/commit/232282fd8f9c21eefe8d2d2b96cdbbb172fe7b7c
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/380
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/382



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b69394f99e02a31f49cbaacb54be1053e5c0467



[Git][security-tracker-team/security-tracker][master] Reserve DSA number for haproxy update

2022-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d3b0bc1a by Salvatore Bonaccorso at 2022-03-13T17:16:57+01:00
Reserve DSA number for haproxy update

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[13 Mar 2022] DSA-5102-1 haproxy - security update
+   {CVE-2022-0711}
+   [bullseye] - haproxy 2.2.9-2+deb11u3
 [13 Mar 2022] DSA-5085-2 expat - regression update
[buster] - expat 2.2.6-2+deb10u4
[bullseye] - expat 2.2.10-2+deb11u3


=
data/dsa-needed.txt
=
@@ -22,8 +22,6 @@ faad2/oldstable (jmm)
 --
 freecad (aron)
 --
-haproxy/stable (carnil)
---
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v4.19.y versions.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d3b0bc1a050ee35a7ab42c008f206fac691699fe



[Git][security-tracker-team/security-tracker][master] Reserve DSA for expat functional regression update

2022-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2951638b by Salvatore Bonaccorso at 2022-03-13T16:09:08+01:00
Reserve DSA for expat functional regression update

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[13 Mar 2022] DSA-5085-2 expat - regression update
+   [buster] - expat 2.2.6-2+deb10u4
+   [bullseye] - expat 2.2.10-2+deb11u3
 [13 Mar 2022] DSA-5101-1 libphp-adodb - security update
{CVE-2021-3850}
[buster] - libphp-adodb 5.20.14-1+deb10u1


=
data/dsa-needed.txt
=
@@ -18,8 +18,6 @@ containerd (jmm)
 --
 condor/oldstable
 --
-expat (carnil)
---
 faad2/oldstable (jmm)
 --
 freecad (aron)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2951638b574c280343ea028f11cf8f5bddfc3763



[Git][security-tracker-team/security-tracker][master] Reserve DSA number for libphp-adodb update

2022-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
14e016dd by Salvatore Bonaccorso at 2022-03-13T15:43:09+01:00
Reserve DSA number for libphp-adodb update

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[13 Mar 2022] DSA-5101-1 libphp-adodb - security update
+   {CVE-2021-3850}
+   [buster] - libphp-adodb 5.20.14-1+deb10u1
+   [bullseye] - libphp-adodb 5.20.19-1+deb11u1
 [12 Mar 2022] DSA-5100-1 nbd - security update
{CVE-2022-26495 CVE-2022-26496}
[buster] - nbd 1:3.19-3+deb10u1


=
data/dsa-needed.txt
=
@@ -26,8 +26,6 @@ freecad (aron)
 --
 haproxy/stable (carnil)
 --
-libphp-adodb (carnil)
---
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v4.19.y versions.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14e016dd4ef26cba2242c1dd86c25ba58610f939



[Git][security-tracker-team/security-tracker][master] Add temporary entry for phpliteadmin issue

2022-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7374eae7 by Salvatore Bonaccorso at 2022-03-13T09:39:04+01:00
Add temporary entry for phpliteadmin issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2022- [cross-site-scripting with newRows GET parameter]
+   - phpliteadmin 1.9.8.2-2
+   NOTE: 
https://bitbucket.org/phpliteadmin/public/issues/399/xss-vulnerability
+   NOTE: 
https://bitbucket.org/phpliteadmin/public/pull-requests/16/fix-an-xss-vulnerability-with-the-newrows
 CVE-2022-26979
RESERVED
 CVE-2022-26978



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7374eae792e3fa436ca51ddfb1071168c90753a0



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-26967/gpac

2022-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c8f133b8 by Salvatore Bonaccorso at 2022-03-13T09:30:41+01:00
Add CVE-2022-26967/gpac

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -23,7 +23,9 @@ CVE-2022-26969
 CVE-2022-26968
RESERVED
 CVE-2022-26967 (GPAC 2.0 allows a heap-based buffer overflow in 
gf_base64_encode. It c ...)
-   TODO: check
+   - gpac 
+   NOTE: https://github.com/gpac/gpac/issues/2138
+   NOTE: 
https://github.com/gpac/gpac/commit/ea1eca00fd92fa17f0e25ac25652622924a9a6a0
 CVE-2022-26966 (An issue was discovered in the Linux kernel before 5.16.12. 
drivers/ne ...)
- linux 5.16.12-1
[bullseye] - linux 5.10.103-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8f133b86f567fc2bc0017091bd82d91ff6a14b1



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-26966/linux

2022-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d96999d5 by Salvatore Bonaccorso at 2022-03-13T09:17:40+01:00
Add CVE-2022-26966/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25,7 +25,10 @@ CVE-2022-26968
 CVE-2022-26967 (GPAC 2.0 allows a heap-based buffer overflow in 
gf_base64_encode. It c ...)
TODO: check
 CVE-2022-26966 (An issue was discovered in the Linux kernel before 5.16.12. 
drivers/ne ...)
-   TODO: check
+   - linux 5.16.12-1
+   [bullseye] - linux 5.10.103-1
+   [buster] - linux 4.19.232-1
+   NOTE: 
https://git.kernel.org/linus/e9da0b56fe27206b49f39805f7dcda8a89379062 (5.17-rc6)
 CVE-2022-26965
RESERVED
 CVE-2022-26964



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d96999d5c0cbcf5e08a93f10ae00ebdef6932a0a



[Git][security-tracker-team/security-tracker][master] automatic update

2022-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
02d4ca6b by security tracker role at 2022-03-13T08:10:10+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,55 @@
+CVE-2022-26979
+   RESERVED
+CVE-2022-26978
+   RESERVED
+CVE-2022-26977
+   RESERVED
+CVE-2022-26976
+   RESERVED
+CVE-2022-26975
+   RESERVED
+CVE-2022-26974
+   RESERVED
+CVE-2022-26973
+   RESERVED
+CVE-2022-26972
+   RESERVED
+CVE-2022-26971
+   RESERVED
+CVE-2022-26970
+   RESERVED
+CVE-2022-26969
+   RESERVED
+CVE-2022-26968
+   RESERVED
+CVE-2022-26967 (GPAC 2.0 allows a heap-based buffer overflow in 
gf_base64_encode. It c ...)
+   TODO: check
+CVE-2022-26966 (An issue was discovered in the Linux kernel before 5.16.12. 
drivers/ne ...)
+   TODO: check
+CVE-2022-26965
+   RESERVED
+CVE-2022-26964
+   RESERVED
+CVE-2022-26963
+   RESERVED
+CVE-2022-26962
+   RESERVED
+CVE-2022-26961
+   RESERVED
+CVE-2022-26960
+   RESERVED
+CVE-2022-26959
+   RESERVED
+CVE-2022-26958
+   RESERVED
+CVE-2022-26957
+   RESERVED
+CVE-2022-26956
+   RESERVED
+CVE-2022-26955
+   RESERVED
+CVE-2022-0937
+   RESERVED
 CVE-2022-26954
RESERVED
 CVE-2022-26953
@@ -8421,8 +8473,7 @@ CVE-2022-23962
RESERVED
 CVE-2022-23961
RESERVED
-CVE-2022-23960
-   RESERVED
+CVE-2022-23960 (Certain Arm Cortex and Neoverse processors through 2022-03-08 
do not p ...)
- linux 
NOTE: https://www.vusec.net/projects/bhi-spectre-bhb/
NOTE: 
https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability/spectre-bhb
@@ -15172,14 +15223,14 @@ CVE-2021-45891
RESERVED
 CVE-2021-45890 (basic/BasicAuthProvider.java in AuthGuard before 0.9.0 allows 
authenti ...)
NOT-FOR-US: AuthGuard
-CVE-2021-45889
-   RESERVED
-CVE-2021-45888
-   RESERVED
-CVE-2021-45887
-   RESERVED
-CVE-2021-45886
-   RESERVED
+CVE-2021-45889 (An issue was discovered in PONTON X/P Messenger before 3.11.2. 
Several ...)
+   TODO: check
+CVE-2021-45888 (An issue was discovered in PONTON X/P Messenger before 3.11.2. 
The nav ...)
+   TODO: check
+CVE-2021-45887 (An issue was discovered in PONTON X/P Messenger before 3.11.2. 
Due to  ...)
+   TODO: check
+CVE-2021-45886 (An issue was discovered in PONTON X/P Messenger before 3.11.2. 
Anti-CS ...)
+   TODO: check
 CVE-2021-45885 (An issue was discovered in Stormshield Network Security (SNS) 
4.2.2 th ...)
NOT-FOR-US: Stormshield Network Security (SNS)
 CVE-2021-4186 (Crash in the Gryphon dissector in Wireshark 3.4.0 to 3.4.10 
allows den ...)
@@ -43903,8 +43954,8 @@ CVE-2021-36370 (An issue was discovered in Midnight 
Commander through 4.8.26. Wh
NOTE: 
https://github.com/MidnightCommander/mc/commit/9235d3c232d13ad7f973346077c9cf2eaa77dc5f
 CVE-2021-36369
RESERVED
-CVE-2021-36368
-   RESERVED
+CVE-2021-36368 (** DISPUTED ** An issue was discovered in OpenSSH before 8.9. 
If a cli ...)
+   TODO: check
 CVE-2021-36367 (PuTTY through 0.75 proceeds with establishing an SSH session 
even if i ...)
- putty 0.75-3 (bug #990901)
[bullseye] - putty  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02d4ca6bde1a6d31cb70e966a8a4c367d89ddd09
