[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f86ad91b by Salvatore Bonaccorso at 2022-05-11T07:29:05+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2911,7 +2911,7 @@ CVE-2022-1399 CVE-2022-1398 RESERVED CVE-2022-1397 (API Privilege Escalation in GitHub repository alextselegidis/easyappoi ...) - TODO: check + NOT-FOR-US: alextselegidis/easyappointments CVE-2022-1396 (The Donorbox WordPress plugin before 7.1.7 does not sanitise and escap ...) NOT-FOR-US: WordPress plugin CVE-2022-1395 @@ -4335,7 +4335,7 @@ CVE-2022-28988 CVE-2022-28987 RESERVED CVE-2022-28986 (LMS Doctor Simple 2 Factor Authentication Plugin For Moodle Affected: ...) - TODO: check + NOT-FOR-US: LMS Doctor Simple 2 Factor Authentication Plugin For Moodle CVE-2022-28985 RESERVED CVE-2022-28984 @@ -6598,9 +6598,9 @@ CVE-2022-28164 (Brocade SANnav before SANnav 2.2.0 application uses the Blowfish CVE-2022-28163 (In Brocade SANnav before Brocade SANnav 2.2.0, multiple endpoints asso ...) NOT-FOR-US: Brocade SANnav CVE-2022-28162 (Brocade SANnav before version SANnav 2.2.0 logs the REST API Authentic ...) - TODO: check + NOT-FOR-US: Brocade SANnav CVE-2022-28161 (An information exposure through log file vulnerability in Brocade SANN ...) - TODO: check + NOT-FOR-US: Brocade SANnav CVE-2022-1159 (Rockwell Automation Studio 5000 Logix Designer (all versions) are vuln ...) NOT-FOR-US: Rockwell Automation CVE-2022-1158 @@ -8927,7 +8927,7 @@ CVE-2022-27310 CVE-2022-27309 RESERVED CVE-2022-27308 (A stored cross-site scripting (XSS) vulnerability in PHProjekt PhpSimp ...) - TODO: check + NOT-FOR-US: PHProjekt PhpSimplyGest CVE-2022-27307 RESERVED CVE-2022-27306 
@@ -9099,7 +9099,7 @@ CVE-2022-27244 (An issue was discovered in MISP before 2.4.156. A malicious site CVE-2022-27243 (An issue was discovered in MISP before 2.4.156. app/View/Users/terms.c ...) NOT-FOR-US: MISP CVE-2022-27242 (A vulnerability has been identified in OpenV2G (V0.9.4). The OpenV2G E ...) - TODO: check + NOT-FOR-US: OpenV2G / Siemens CVE-2022-27241 (A vulnerability has been identified in Mendix Applications using Mendi ...) NOT-FOR-US: Siemens CVE-2022-1027 (The Page Restriction WordPress (WP) WordPress plugin before 1.2.7 allo ...) @@ -9249,7 +9249,7 @@ CVE-2022-0994 (The Hummingbird WordPress plugin before 3.3.2 does not sanitise a CVE-2022-27225 (Gradle Enterprise before 2021.4.3 relies on cleartext data transmissio ...) NOT-FOR-US: Gradle Enterprise CVE-2022-27224 (An issue was discovered in Galleon NTS-6002-GPS 4.14.103-Galleon-NTS-6 ...) - TODO: check + NOT-FOR-US: Galleon NTS-6002-GPS CVE-2022-27223 (In drivers/usb/gadget/udc/udc-xilinx.c in the Linux kernel before 5.16 ...) - linux 5.16.12-1 [bullseye] - linux 5.10.103-1 @@ -9967,7 +9967,7 @@ CVE-2022-26983 CVE-2022-26982 (SimpleMachinesForum 2.1.1 and earlier allows remote authenticated admi ...) NOT-FOR-US: Simple Machines Forum (SMF) CVE-2022-0947 (A vulnerability in ABB ARG600 Wireless Gateway series that could allow ...) - TODO: check + NOT-FOR-US: ABB ARG600 Wireless Gateway CVE-2022-0946 (Stored XSS viva cshtm file upload in GitHub repository star7th/showdoc ...) NOT-FOR-US: ShowDoc CVE-2022-0945 (Stored XSS viva axd and cshtml file upload in star7th/showdoc in GitHu ...) 
@@ -17555,13 +17555,13 @@ CVE-2022-24292 (Certain HP Print devices may be vulnerable to potential informat CVE-2022-24291 (Certain HP Print devices may be vulnerable to potential information di ...) NOT-FOR-US: HP CVE-2022-24290 (A vulnerability has been identified in Teamcenter V12.4 (All versions ...) - TODO: check + NOT-FOR-US: Teamcenter /Siemens CVE-2022-24289 (Hessian serialization is a network protocol that supports object-based ...) NOT-FOR-US: Apache Cayenne CVE-2022-24288 (In Apache Airflow, prior to version 2.2.4, some example DAGs did not p ...) - airflow (bug #819700) CVE-2022-24287 (A vulnerability has been identified in SIMATIC PCS 7 V9.0 and earlier ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-21799 (Cross-site scripting vulnerability in ELECOM LAN router WRC-300FEBK-R ...) NOT-FOR-US: ELECOM CVE-2022-21173 (Hidden functionality vulnerability in ELECOM LAN routers (WRH-300BK3 f ...) @@ -18491,19 +18491,19 @@ CVE-2022-24047 (This vulnerability allows remote attackers to bypass authenticat CVE-2022-24046 (This vulnerability allows network-adjacent attackers to execute arbitr ...) NOT-FOR-US: Sonos One Speaker CVE-2022-24045 (A vulnerability has been identified in Desigo DXR2 (All versions ...) -
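Review bot: the Teamcenter hunk writes the new classification as "NOT-FOR-US: Teamcenter /Siemens", which is spaced differently from the "NOT-FOR-US: OpenV2G / Siemens" form used in the same change for the other Siemens product; suggest "NOT-FOR-US: Teamcenter / Siemens" so that entries for one vendor stay greppable with a single pattern.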
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-27114/htmldoc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c51e2f79 by Salvatore Bonaccorso at 2022-05-10T22:58:58+02:00 Add CVE-2022-27114/htmldoc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9684,7 +9684,10 @@ CVE-2022-27116 CVE-2022-27115 (In Studio-42 elFinder 2.1.60, there is a vulnerability that causes rem ...) NOT-FOR-US: Studio-42 elFinder CVE-2022-27114 (There is a vulnerability in htmldoc 1.9.16. In image_load_jpeg functio ...) - TODO: check + - htmldoc (unimportant) + NOTE: https://github.com/michaelrsweet/htmldoc/issues/471 + NOTE: https://github.com/michaelrsweet/htmldoc/commit/31f780487e5ddc426888638786cdc47631687275 + NOTE: Crash in CLI tool, no security impact CVE-2022-27113 RESERVED CVE-2022-27112 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c51e2f798c6e555bc5861b512a079c961309a043 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c51e2f798c6e555bc5861b512a079c961309a043 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
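Review bot: the upstream commit NOTE in the htmldoc hunk carries no release tag, whereas the tracker's other commit references on this list (for example the vim entry's "(v8.2.4925)") append the first release that contains the fix; if the htmldoc fix is in a tagged release, append it so the "(unimportant)" entry can later be turned into a fixed version without re-research. The rationale NOTE ("Crash in CLI tool, no security impact") is the kind of justification these entries should carry.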
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c750ee89 by Salvatore Bonaccorso at 2022-05-10T22:53:22+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1690,29 +1690,29 @@ CVE-2022-29885 CVE-2022-29884 RESERVED CVE-2022-29883 (A vulnerability has been identified in SICAM P850 (All versions V ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-29882 (A vulnerability has been identified in SICAM P850 (All versions V ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-29881 (A vulnerability has been identified in SICAM P850 (All versions V ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-29880 (A vulnerability has been identified in SICAM P850 (All versions V ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-29879 (A vulnerability has been identified in SICAM P850 (All versions V ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-29878 (A vulnerability has been identified in SICAM P850 (All versions V ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-29877 (A vulnerability has been identified in SICAM P850 (All versions V ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-29876 (A vulnerability has been identified in SICAM P850 (All versions V ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-29875 RESERVED CVE-2022-29874 (A vulnerability has been identified in SICAM P850 (All versions V ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-29873 (A vulnerability has been identified in SICAM P850 (All versions V ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-29872 (A vulnerability has been identified in SICAM P850 (All versions V ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-29518 RESERVED CVE-2022-29513 
@@ -3350,23 +3350,23 @@ CVE-2022-29331 CVE-2022-29330 RESERVED CVE-2022-29329 (D-Link DAP-1330_OSS-firmware_1.00b21 was discovered to contain a heap ...) - TODO: check + NOT-FOR-US: D-Link CVE-2022-29328 (D-Link DAP-1330_OSS-firmware_1.00b21 was discovered to contain a stack ...) - TODO: check + NOT-FOR-US: D-Link CVE-2022-29327 (D-Link DIR-816 A2_v1.10CNB04 was discovered to contain a stack overflo ...) - TODO: check + NOT-FOR-US: D-Link CVE-2022-29326 (D-Link DIR-816 A2_v1.10CNB04 was discovered to contain a stack overflo ...) - TODO: check + NOT-FOR-US: D-Link CVE-2022-29325 (D-Link DIR-816 A2_v1.10CNB04 was discovered to contain a stack overflo ...) - TODO: check + NOT-FOR-US: D-Link CVE-2022-29324 (D-Link DIR-816 A2_v1.10CNB04 was discovered to contain a stack overflo ...) - TODO: check + NOT-FOR-US: D-Link CVE-2022-29323 (D-Link DIR-816 A2_v1.10CNB04 was discovered to contain a stack overflo ...) - TODO: check + NOT-FOR-US: D-Link CVE-2022-29322 (D-Link DIR-816 A2_v1.10CNB04 was discovered to contain a stack overflo ...) - TODO: check + NOT-FOR-US: D-Link CVE-2022-29321 (D-Link DIR-816 A2_v1.10CNB04 was discovered to contain a stack overflo ...) - TODO: check + NOT-FOR-US: D-Link CVE-2022-29320 RESERVED CVE-2022-29319 
@@ -4139,17 +4139,17 @@ CVE-2022-29035 (In JetBrains Ktor Native before version 2.0.0 random values used CVE-2022-29034 RESERVED CVE-2022-29033 (A vulnerability has been identified in JT2Go (All versions V13.3. ...) - TODO: check + NOT-FOR-US: JT2Go / Siemens CVE-2022-29032 (A vulnerability has been identified in JT2Go (All versions V13.3. ...) - TODO: check + NOT-FOR-US: JT2Go / Siemens CVE-2022-29031 (A vulnerability has been identified in JT2Go (All versions V13.3. ...) - TODO: check + NOT-FOR-US: JT2Go / Siemens CVE-2022-29030 (A vulnerability has been identified in JT2Go (All versions V13.3. ...) - TODO: check + NOT-FOR-US: JT2Go / Siemens CVE-2022-29029 (A vulnerability has been identified in JT2Go (All versions V13.3. ...) - TODO: check + NOT-FOR-US: JT2Go / Siemens CVE-2022-29028 (A vulnerability has been identified in JT2Go (All versions V13.3. ...) - TODO: check + NOT-FOR-US: JT2Go / Siemens CVE-2022-1315 RESERVED CVE-2022-1314 @@ -4477,27 +4477,27 @@ CVE-2022-28917 CVE-2022-28916 RESERVED CVE-2022-28915 (D-Link DIR-816 A2_v1.10CNB04 was discovered to contain a command injec ...) - TODO: check + NOT-FOR-US: D-Link CVE-2022-28914 RESERVED CVE-2022-28913 (TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a comman ...) - TODO: check + NOT-FOR-US: TOTOLink CVE-2022-28912 (TOTOLink N600R V5.3c.7159_B20190425 was discovered to contain a comman ...) - TODO: check + NOT-FOR-US: TOTOLink
[Git][security-tracker-team/security-tracker][master] Reserve DLA-2999-1 for mutt
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 805279e2 by Utkarsh Gupta at 2022-05-11T02:19:57+05:30 Reserve DLA-2999-1 for mutt - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[11 May 2022] DLA-2999-1 mutt - security update + {CVE-2022-1328} + [stretch] - mutt 1.7.2-1+deb9u6 [09 May 2022] DLA-2998-1 kicad - security update {CVE-2022-23803 CVE-2022-23804 CVE-2022-23946 CVE-2022-23947} [stretch] - kicad 4.0.5+dfsg1-4+deb9u1 = data/dla-needed.txt = @@ -117,9 +117,6 @@ mbedtls (Utkarsh) NOTE: 20220502: will upload with 1 fix and mark the other one NOTE: 20220502: as no-dsa today/tomorrow. (utkarsh) -- -mutt (Utkarsh) - NOTE: 20220502: update prepared. smoke test pending. (utkarsh) --- nvidia-cuda-toolkit NOTE: 20220331: package is in non-free but also in packages-to-support (Beuc) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/805279e204b70d5080e0019f4474508ab1439d70
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-1629/vim
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ae81162 by Salvatore Bonaccorso at 2022-05-10T22:47:58+02:00 Add CVE-2022-1629/vim - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -82,7 +82,9 @@ CVE-2022-1631 (Users Account Pre-Takeover or Users Account Takeover. in GitHub r CVE-2022-1630 RESERVED CVE-2022-1629 (Buffer Over-read in function find_next_quote in GitHub repository vim/ ...) - TODO: check + - vim + NOTE: https://huntr.dev/bounties/e26d08d4-1886-41f0-9af4-f3e1bf3d52ee + NOTE: https://github.com/vim/vim/commit/53a70289c2712808e6d4e88927e03cac01b470dd (v8.2.4925) CVE-2022-1628 RESERVED CVE-2022-1627 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ae81162cfc1646e64d5499617a17c5fc38d4b16
[Git][security-tracker-team/security-tracker][master] Take cifs-utils from dla-needed
Andreas Rönnquist pushed to branch master at Debian Security Tracker / security-tracker Commits: bcef1c21 by Andreas Rönnquist at 2022-05-10T22:42:19+02:00 Take cifs-utils from dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -38,7 +38,7 @@ ark (Markus Koschany) cgal NOTE: 20220421: many no-dsa issues, please check, whether it is possible to fix them without uploading a new upstream release (Anton) -- -cifs-utils +cifs-utils (Andreas Rönnquist) NOTE: 20220510: Programming language C. (apo) -- ckeditor (Sylvain Beucler) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bcef1c21ae3c7058fb24c1aa88d15f06a10256e5
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-1649/radare2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ce96448f by Salvatore Bonaccorso at 2022-05-10T22:30:36+02:00 Add CVE-2022-1649/radare2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29,7 +29,9 @@ CVE-2022-1651 CVE-2022-1650 RESERVED CVE-2022-1649 (Null pointer dereference in libr/bin/format/mach0/mach0.c in radareorg ...) - TODO: check + - radare2 + NOTE: https://huntr.dev/bounties/c07e4918-cf86-4d2e-8969-5fb63575b449 + NOTE: https://github.com/radareorg/radare2/commit/a5aafb99c3965259c84ddcf45a91144bf7eb4cf1 CVE-2022-1648 RESERVED CVE-2022-1647 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce96448f3714716f5d434e4ada971818c7c4bc43
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 352a4832 by Salvatore Bonaccorso at 2022-05-10T22:20:27+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2629,7 +2629,7 @@ CVE-2022-1441 (MP4Box is a component of GPAC-2.0.0, which is a widely-used third CVE-2022-29592 (Tenda TX9 Pro 22.03.02.10 devices allow OS command injection via set_r ...) NOT-FOR-US: Tenda CVE-2022-29591 (Tenda TX9 Pro 22.03.02.10 devices have a SetNetControlList buffer over ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-29590 RESERVED CVE-2022-29589 (Crypt Server before 3.3.0 allows XSS in the index view. This is relate ...) @@ -24553,7 +24553,7 @@ CVE-2022-22456 CVE-2022-22455 RESERVED CVE-2022-22454 (IBM InfoSphere Information Server 11.7 could allow a locally authentic ...) - TODO: check + NOT-FOR-US: IBM CVE-2022-22453 RESERVED CVE-2022-22452 
@@ -48394,7 +48394,7 @@ CVE-2021-39026 (IBM Guardium Data Encryption (GDE) 5.0.0.2 and 5.0.0.3 could all CVE-2021-39025 (IBM Guardium Data Encryption (GDE) 4.0.0.0 and 5.0.0.0 could disclose ...) NOT-FOR-US: IBM CVE-2021-39024 (IBM Guardium Data Encryption (GDE) 4.0.0.0 and 5.0.0.0 is vulnerable t ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-39023 (IBM Guardium Data Encryption (GDE) 4.0.0 and 5.0.0 could allow a remot ...) NOT-FOR-US: IBM CVE-2021-39022 (IBM Guardium Data Encryption (GDE) 4.0.0.0 and 5.0.0.0 saves user-prov ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/352a483240438fd6e0ed917e7b856fd14809eaa6
[Git][security-tracker-team/security-tracker][master] Add clamav to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: e83881a1 by Markus Koschany at 2022-05-10T22:18:54+02:00 Add clamav to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -44,6 +44,9 @@ cifs-utils ckeditor (Sylvain Beucler) NOTE: 20220402: multiple pendings vulnerabilities (Beuc) -- +clamav + NOTE: 20220510: Programming language C. (apo) +-- curl NOTE: 20220510: Programming language C. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e83881a166b31b10ff30615a37e9c487646ce69f
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 937e9a01 by security tracker role at 2022-05-10T20:10:21+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,39 @@ +CVE-2022-30529 + RESERVED +CVE-2022-30528 + RESERVED +CVE-2022-30527 + RESERVED +CVE-2022-1661 + RESERVED +CVE-2022-1660 + RESERVED +CVE-2022-1659 + RESERVED +CVE-2022-1658 + RESERVED +CVE-2022-1657 + RESERVED +CVE-2022-1656 + RESERVED +CVE-2022-1655 + RESERVED +CVE-2022-1654 + RESERVED +CVE-2022-1653 + RESERVED +CVE-2022-1652 + RESERVED +CVE-2022-1651 + RESERVED +CVE-2022-1650 + RESERVED +CVE-2022-1649 (Null pointer dereference in libr/bin/format/mach0/mach0.c in radareorg ...) + TODO: check +CVE-2022-1648 + RESERVED +CVE-2022-1647 + RESERVED CVE-2022-30526 RESERVED CVE-2022-30525 @@ -43,8 +79,8 @@ CVE-2022-1631 (Users Account Pre-Takeover or Users Account Takeover. in GitHub r NOT-FOR-US: microweber CVE-2022-1630 RESERVED -CVE-2022-1629 - RESERVED +CVE-2022-1629 (Buffer Over-read in function find_next_quote in GitHub repository vim/ ...) + TODO: check CVE-2022-1628 RESERVED CVE-2022-1627 @@ -1589,8 +1625,8 @@ CVE-2022-1539 RESERVED CVE-2022-1538 RESERVED -CVE-2022-1537 - RESERVED +CVE-2022-1537 (file.copy operations in GruntJS are vulnerable to a TOCTOU race condit ...) + TODO: check CVE-2022-1536 (A vulnerability has been found in automad up to 1.10.9 and classified ...) NOT-FOR-US: automad CVE-2022-1535 
@@ -1649,30 +1685,30 @@ CVE-2022-29885 RESERVED CVE-2022-29884 RESERVED -CVE-2022-29883 - RESERVED -CVE-2022-29882 - RESERVED -CVE-2022-29881 - RESERVED -CVE-2022-29880 - RESERVED -CVE-2022-29879 - RESERVED -CVE-2022-29878 - RESERVED -CVE-2022-29877 - RESERVED -CVE-2022-29876 - RESERVED +CVE-2022-29883 (A vulnerability has been identified in SICAM P850 (All versions V ...) + TODO: check +CVE-2022-29882 (A vulnerability has been identified in SICAM P850 (All versions V ...) + TODO: check +CVE-2022-29881 (A vulnerability has been identified in SICAM P850 (All versions V ...) + TODO: check +CVE-2022-29880 (A vulnerability has been identified in SICAM P850 (All versions V ...) + TODO: check +CVE-2022-29879 (A vulnerability has been identified in SICAM P850 (All versions V ...) + TODO: check +CVE-2022-29878 (A vulnerability has been identified in SICAM P850 (All versions V ...) + TODO: check +CVE-2022-29877 (A vulnerability has been identified in SICAM P850 (All versions V ...) + TODO: check +CVE-2022-29876 (A vulnerability has been identified in SICAM P850 (All versions V ...) + TODO: check CVE-2022-29875 RESERVED -CVE-2022-29874 - RESERVED -CVE-2022-29873 - RESERVED -CVE-2022-29872 - RESERVED +CVE-2022-29874 (A vulnerability has been identified in SICAM P850 (All versions V ...) + TODO: check +CVE-2022-29873 (A vulnerability has been identified in SICAM P850 (All versions V ...) + TODO: check +CVE-2022-29872 (A vulnerability has been identified in SICAM P850 (All versions V ...) + TODO: check CVE-2022-29518 RESERVED CVE-2022-29513 
@@ -1880,7 +1916,7 @@ CVE-2022-1505 RESERVED CVE-2022-1504 (XSS in /demo/module/?module=HERE in GitHub repository microweber/micro ...) NOT-FOR-US: microweber -CVE-2022-29810 (The Hashicorp go-getter library before 1.5.11 could write SSH credenti ...) +CVE-2022-29810 (The Hashicorp go-getter library before 1.5.11 does not redact an SSH k ...) - golang-github-hashicorp-go-getter (Vulnerable code introduced later) NOTE: https://github.com/hashicorp/go-getter/commit/36b68b2f68a3ed10ee7ecbb0cb9f6b1dc5da49cc (v1.5.11) NOTE: introduced in https://github.com/hashicorp/go-getter/commit/854150ffed2dc250662096b4309b3510a13e0574 (v1.5.8) @@ -2089,8 +2125,8 @@ CVE-2022-1467 RESERVED CVE-2022-1466 (Due to improper authorization, Red Hat Single Sign-On is vulnerable to ...) NOT-FOR-US: Red Hat Single Sign-On / Keycloak -CVE-2022-29801 - RESERVED +CVE-2022-29801 (A vulnerability has been identified in Teamcenter V12.4 (All versions ...) + TODO: check CVE-2022-29800 RESERVED - networkd-dispatcher (bug #1010303) @@ -2592,8 +2628,8 @@ CVE-2022-1441 (MP4Box is a component of GPAC-2.0.0, which is a widely-used third NOTE: https://github.com/gpac/gpac/commit/3dbe11b37d65c8472faf0654410068e5500b3adb CVE-2022-29592 (Tenda TX9 Pro 22.03.02.10 devices allow OS command injection via set_r ...) NOT-FOR-US: Tenda -CVE-2022-29591 - RESERVED
[Git][security-tracker-team/security-tracker][master] Add cifs-utils to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 31cd53c5 by Markus Koschany at 2022-05-10T22:01:31+02:00 Add cifs-utils to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -38,6 +38,9 @@ ark (Markus Koschany) cgal NOTE: 20220421: many no-dsa issues, please check, whether it is possible to fix them without uploading a new upstream release (Anton) -- +cifs-utils + NOTE: 20220510: Programming language C. (apo) +-- ckeditor (Sylvain Beucler) NOTE: 20220402: multiple pendings vulnerabilities (Beuc) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31cd53c52016e4360096ebc47e93cd706f461177
[Git][security-tracker-team/security-tracker][master] Add curl to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f11f310c by Markus Koschany at 2022-05-10T21:47:48+02:00 Add curl to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -41,6 +41,9 @@ cgal ckeditor (Sylvain Beucler) NOTE: 20220402: multiple pendings vulnerabilities (Beuc) -- +curl + NOTE: 20220510: Programming language C. +-- debian-security-support (Utkarsh) NOTE: 20220402: need to update the list of unsupported packages (Beuc) NOTE: 20220402: check debian/README.source, sync with h01ger, and announce EOL'd packages (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f11f310c64bcc040c20830d6c949efff7031be35
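Review bot: the new curl NOTE lacks the "(apo)" author attribution that the sibling dla-needed notes added in this series carry ("NOTE: 20220510: Programming language C. (apo)" for cifs-utils, clamav and redis); add it so the note's origin stays recoverable when the entry is later claimed or reviewed.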
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for cifs-utils issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fbdf7e06 by Salvatore Bonaccorso at 2022-05-10T21:43:50+02:00 Add Debian bug reference for cifs-utils issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9085,12 +9085,12 @@ CVE-2022-27240 (scheme/webauthn.c in Glewlwyd SSO server 2.x before 2.6.2 has a [buster] - glewlwyd (Minor issue) NOTE: https://github.com/babelouest/glewlwyd/commit/4c5597c155bfbaf6491cf6b83479d241ae66940a (v2.6.2) CVE-2022-29869 (cifs-utils through 6.14, with verbose logging, can cause an informatio ...) - - cifs-utils + - cifs-utils (bug #1010818) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=15026 NOTE: https://github.com/piastry/cifs-utils/pull/7 NOTE: https://git.samba.org/cifs-utils.git/?p=cifs-utils.git;a=commit;h=8acc963a2e7e9d63fe1f2e7f73f5a03f83d9c379 (cifs-utils-6.15) CVE-2022-27239 (In cifs-utils through 6.14, a stack-based buffer overflow when parsing ...) - - cifs-utils + - cifs-utils (bug #1010818) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=15025 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1197216 NOTE: https://github.com/piastry/cifs-utils/pull/7 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fbdf7e0663c9a4817f51273e4133408d313c510f
[Git][security-tracker-team/security-tracker][master] 2 commits: Replace reference for CVE-2022-29869 with upstream repo commit
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b63d7a36 by Salvatore Bonaccorso at 2022-05-10T21:28:04+02:00 Replace reference for CVE-2022-29869 with upstream repo commit - - - - - a25e4341 by Salvatore Bonaccorso at 2022-05-10T21:28:04+02:00 Add upstream git tag information for CVE-2022-27239 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -9088,13 +9088,13 @@ CVE-2022-29869 (cifs-utils through 6.14, with verbose logging, can cause an info - cifs-utils NOTE: https://bugzilla.samba.org/show_bug.cgi?id=15026 NOTE: https://github.com/piastry/cifs-utils/pull/7 - NOTE: https://github.com/piastry/cifs-utils/commit/8acc963a2e7e9d63fe1f2e7f73f5a03f83d9c379 + NOTE: https://git.samba.org/cifs-utils.git/?p=cifs-utils.git;a=commit;h=8acc963a2e7e9d63fe1f2e7f73f5a03f83d9c379 (cifs-utils-6.15) CVE-2022-27239 (In cifs-utils through 6.14, a stack-based buffer overflow when parsing ...) - cifs-utils NOTE: https://bugzilla.samba.org/show_bug.cgi?id=15025 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1197216 NOTE: https://github.com/piastry/cifs-utils/pull/7 - NOTE: https://git.samba.org/cifs-utils.git/?p=cifs-utils.git;a=commit;h=007c07fd91b6d42f8bd45187cf78ebb06801139d + NOTE: https://git.samba.org/cifs-utils.git/?p=cifs-utils.git;a=commit;h=007c07fd91b6d42f8bd45187cf78ebb06801139d (cifs-utils-6.15) CVE-2022-27238 RESERVED CVE-2022-27237 (There is a cross-site scripting (XSS) vulnerability in an NI Web Serve ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/52fefa46cfc3802ea799bbf9086a017453abd8c7...a25e43412ee12519e3a726f5099b37ab56135445
[Git][security-tracker-team/security-tracker][master] Add redis to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 52fefa46 by Markus Koschany at 2022-05-10T21:27:23+02:00 Add redis to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -137,6 +137,9 @@ puma puppet-module-puppetlabs-firewall NOTE: 20220402: no Debian maintainers activity since 2018 (Beuc) -- +redis + NOTE: 20220510: Chris Lamb is the maintainer. Programming language C. (apo) +-- ring (Abhijith PA) NOTE: 20220314: https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc NOTE: 20220404: package in archive is faulty. New regs can't be done due (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52fefa46cfc3802ea799bbf9086a017453abd8c7
[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2021-22573/google-oauth-client-java
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d8e4eee1 by Salvatore Bonaccorso at 2022-05-10T21:08:10+02:00 Track fixed version via unstable for CVE-2021-22573/google-oauth-client-java - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -89523,7 +89523,7 @@ CVE-2021-22575 CVE-2021-22574 RESERVED CVE-2021-22573 (The vulnerability is that IDToken verifier does not verify if token is ...) - - google-oauth-client-java (bug #1010657) + - google-oauth-client-java 1.33.3-1 (bug #1010657) NOTE: https://github.com/googleapis/google-oauth-java-client/issues/786 NOTE: https://github.com/googleapis/google-oauth-java-client/pull/861 NOTE: https://github.com/googleapis/google-oauth-java-client/pull/872 (1.33.3) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8e4eee1fdabe7eeae6356eb7b353b339b9bff48
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-30333/rar
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 01435054 by Salvatore Bonaccorso at 2022-05-10T21:05:52+02:00 Add CVE-2022-30333/rar - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -462,6 +462,9 @@ CVE-2022-30333 (RARLAB UnRAR before 6.12 on Linux and UNIX allows directory trav - unrar-nonfree 1:6.1.7-1 [bullseye] - unrar-nonfree (Non-free not supported) [buster] - unrar-nonfree (Non-free not supported) + - rar + [bullseye] - rar (Non-free not supported) + [buster] - rar (Non-free not supported) NOTE: 6.12 application version corresponds to 6.1.7 source version: NOTE: https://github.com/debian-calibre/unrar-nonfree/compare/upstream/6.1.6...upstream/6.1.7 CVE-2022-30332 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/014350540ba1d1f1d98c62da5c733e80aa7bd1cb
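Review bot: the new `- rar` line carries no version, so rar joins unrar-nonfree as unfixed in unstable with both stable releases marked Non-free not supported, which is consistent with the sibling entry; the two NOTE lines, however, only establish that UnRAR 6.12 maps to the 6.1.7 source of unrar-nonfree, and nothing records which rar upstream release contains the directory-traversal fix, so a NOTE for rar's fixed version (or a TODO to determine it) should accompany the package line.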
[Git][security-tracker-team/security-tracker][master] Update note for adminer.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e54d740 by Chris Lamb at 2022-05-10T09:18:21-07:00 Update note for adminer. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -18,6 +18,7 @@ adminer (Chris Lamb) NOTE: 20220414: https://sourceforge.net/p/adminer/discussion/960419/thread/1b64510b71/?limit=25#2971 (lamby) NOTE: 20220421: pinged upstream (lamby) NOTE: 20220429: pinged upstream (lamby) + NOTE: 20220510: pinged upstream (lamby) -- admesh (Anton Gladky) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e54d740032e77d40cebac72d237ff068854b60a
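Review bot: the 20220510 line is the third consecutive "pinged upstream" note without a recorded answer, and only the 20220414 entry links to anything; recording where the ping went and what was asked (or a date after which the issue will be handled without upstream) would make the entry actionable for someone else picking it up rather than a growing list of dates.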
[Git][security-tracker-team/security-tracker][master] Take cifs-utils from dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2520bd0c by Salvatore Bonaccorso at 2022-05-10T17:59:21+02:00 Take cifs-utils from dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -16,7 +16,7 @@ asterisk/oldstable -- cacti -- -cifs-utils +cifs-utils (carnil) -- condor/oldstable (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2520bd0ca34e4a370d1c60eabe2abc862590e1c7
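Review bot: the hunk claims the cifs-utils entry by appending "(carnil)" rather than deleting it, which is how claiming works in this file, so the message's "take from" reads correctly; the entry itself, though, has no NOTE or CVE reference beneath it of the kind other entries carry, so adding the CVE id(s) being prepared would let others see the scope of the pending DSA.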
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2022-30333/unrar-nonfree
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 766fcd93 by Salvatore Bonaccorso at 2022-05-10T17:51:48+02:00 Update information on CVE-2022-30333/unrar-nonfree - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -459,10 +459,11 @@ CVE-2022-1617 CVE-2022-30334 (Brave before 1.34, when a Private Window with Tor Connectivity is used ...) - brave-browser (bug #864795) CVE-2022-30333 (RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal ...) - - unrar-nonfree + - unrar-nonfree 1:6.1.7-1 [bullseye] - unrar-nonfree (Non-free not supported) [buster] - unrar-nonfree (Non-free not supported) - TODO: check details, 6.1.1 -> 6.1.2 upstream changes does not seem related + NOTE: 6.12 application version corresponds to 6.1.7 source version: + NOTE: https://github.com/debian-calibre/unrar-nonfree/compare/upstream/6.1.6...upstream/6.1.7 CVE-2022-30332 RESERVED CVE-2022-30331 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/766fcd9396ff90866f4748193ece34c6c48fde74
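Review bot: swapping the TODO for the 6.12 -> 6.1.7 version mapping settles the earlier doubt about the 6.1.1 -> 6.1.2 range, but the compare link covers the whole 6.1.6...6.1.7 span rather than the specific change that stops the traversal; citing that change (or the upstream changelog line for 6.12) would let a reader confirm that 1:6.1.7-1 really contains the fix instead of taking the version mapping on trust, which matters because bullseye and buster stay on vulnerable versions under Non-free not supported.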
[Git][security-tracker-team/security-tracker][master] Add upstream tag for commit for CVE-2022-1621/vim
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9acc7061 by Salvatore Bonaccorso at 2022-05-10T14:34:12+02:00 Add upstream tag for commit for CVE-2022-1621/vim - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -434,7 +434,7 @@ CVE-2022-1621 (Heap buffer overflow in vim_strncpy find_word in GitHub repositor [bullseye] - vim (Minor issue) [buster] - vim (Minor issue) NOTE: https://huntr.dev/bounties/520ce714-bfd2-4646-9458-f52cd22bb2fb - NOTE: https://github.com/vim/vim/commit/7c824682d2028432ee082703ef0ab399867a089b + NOTE: https://github.com/vim/vim/commit/7c824682d2028432ee082703ef0ab399867a089b (v8.2.4919) CVE-2018-25033 (ADMesh through 0.98.4 has a heap-based buffer over-read in stl_update_ ...) - admesh (bug #1010770) [bullseye] - admesh (Minor issue; can be fixed via point release) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9acc7061e77fafdd3f5e1b0e6d7f3d72a9846ada
[Git][security-tracker-team/security-tracker][master] new vim issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 996a707b by Moritz Muehlenhoff at 2022-05-10T13:49:23+02:00 new vim issue NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11,7 +11,7 @@ CVE-2022-1644 CVE-2022-1643 RESERVED CVE-2022-30524 (There is an invalid memory access in the TextLine class in TextOutputD ...) - TODO: check + - xpdf (Debian uses poppler, which is not affected) CVE-2022-30523 RESERVED CVE-2022-30522 @@ -40,7 +40,7 @@ CVE-2022-1632 RESERVED NOT-FOR-US: OpenShift CVE-2022-1631 (Users Account Pre-Takeover or Users Account Takeover. in GitHub reposi ...) - TODO: check + NOT-FOR-US: microweber CVE-2022-1630 RESERVED CVE-2022-1629 @@ -422,7 +422,7 @@ CVE-2022-30340 CVE-2022-30336 RESERVED CVE-2022-30335 (Bonanza Wealth Management System (BWM) 7.3.2 allows SQL injection via ...) - TODO: check + NOT-FOR-US: Bonanza Wealth Management System CVE-2022-26041 RESERVED CVE-2022-1623 @@ -430,7 +430,11 @@ CVE-2022-1623 CVE-2022-1622 RESERVED CVE-2022-1621 (Heap buffer overflow in vim_strncpy find_word in GitHub repository vim ...) - TODO: check + - vim + [bullseye] - vim (Minor issue) + [buster] - vim (Minor issue) + NOTE: https://huntr.dev/bounties/520ce714-bfd2-4646-9458-f52cd22bb2fb + NOTE: https://github.com/vim/vim/commit/7c824682d2028432ee082703ef0ab399867a089b CVE-2018-25033 (ADMesh through 0.98.4 has a heap-based buffer over-read in stl_update_ ...) - admesh (bug #1010770) [bullseye] - admesh (Minor issue; can be fixed via point release) @@ -453,7 +457,7 @@ CVE-2022-1618 CVE-2022-1617 RESERVED CVE-2022-30334 (Brave before 1.34, when a Private Window with Tor Connectivity is used ...) - TODO: check + - brave-browser (bug #864795) CVE-2022-30333 (RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal ...) - unrar-nonfree [bullseye] - unrar-nonfree (Non-free not supported) 
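Review bot: the replacement line for CVE-2022-30524, `- xpdf (Debian uses poppler, which is not affected)`, has no version and no not-affected marker, so in the same syntax used for `- unrar-nonfree` and `- vim` in this hunk it records xpdf as an unfixed, affected package in unstable with a comment saying the opposite; if Debian's xpdf really builds on poppler and is unaffected, the line should carry the `<not-affected>` marker with that reason in parentheses so the tracker state and the text agree.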
@@ -725,11 +729,11 @@ CVE-2022-30243 CVE-2022-30242 RESERVED CVE-2022-30241 (The jquery.json-viewer library through 1.4.0 for Node.js does not prop ...) - TODO: check + NOT-FOR-US: Node jquery.json-viewer CVE-2022-30240 (An argument injection vulnerability in the browser-based authenticatio ...) - TODO: check + NOT-FOR-US: Magnitude Simba Amazon Redshift JDBC Driver CVE-2022-30239 (An argument injection vulnerability in the browser-based authenticatio ...) - TODO: check + NOT-FOR-US: Magnitude Simba Amazon Athena JDBC Driver CVE-2022-30238 RESERVED CVE-2022-30237 @@ -1386,7 +1390,7 @@ CVE-2022-29973 (relan exFAT 1.3.0 allows local users to obtain sensitive informa [buster] - fuse-exfat (Minor issue) NOTE: https://github.com/relan/exfat/issues/185 CVE-2022-29972 (An argument injection vulnerability in the browser-based authenticatio ...) - TODO: check + NOT-FOR-US: Magnitude Simba Amazon Redshift ODBC Driver CVE-2022-29971 (An argument injection vulnerability in the browser-based authenticatio ...) TODO: check CVE-2022-29970 (Sinatra before 2.2.0 does not validate that the expanded path matches ...) @@ -1480,7 +1484,7 @@ CVE-2022-29935 (USU Oracle Optimization before 5.17.5 allows attackers to discov CVE-2022-29934 (USU Oracle Optimization before 5.17.5 lacks Polkit authentication, whi ...) NOT-FOR-US: USU Oracle Optimization CVE-2022-29933 (Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who ...) - TODO: check + NOT-FOR-US: Craft CMS CVE-2022-29932 RESERVED CVE-2022-29931 
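Review bot: CVE-2022-29971, whose truncated description is word-for-word the same argument-injection text as CVE-2022-29972, CVE-2022-30240 and CVE-2022-30239, is left at TODO: check while those three are resolved as NOT-FOR-US for the Magnitude Simba JDBC/ODBC drivers; it very likely belongs to the same vendor batch and should be triaged in the same pass so the group does not get split across commits.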
@@ -1737,7 +1741,7 @@ CVE-2022-1510 CVE-2022-1509 (Sed Injection Vulnerability in GitHub repository hestiacp/hestiacp pri ...) NOT-FOR-US: Hestia Control Panel CVE-2022-29868 (1Password for Mac 7.2.4 through 7.9.x before 7.9.3 is vulnerable to a ...) - TODO: check + NOT-FOR-US: 1Password CVE-2022-29867 RESERVED CVE-2022-29866 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/996a707b6ecfafc74438edeb0ff6fd54d540c3f6
[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b43eafdd by Moritz Muehlenhoff at 2022-05-10T10:21:10+02:00 buster/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -456,6 +456,8 @@ CVE-2022-30334 (Brave before 1.34, when a Private Window with Tor Connectivity i TODO: check CVE-2022-30333 (RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal ...) - unrar-nonfree + [bullseye] - unrar-nonfree (Non-free not supported) + [buster] - unrar-nonfree (Non-free not supported) TODO: check details, 6.1.1 -> 6.1.2 upstream changes does not seem related CVE-2022-30332 RESERVED @@ -86658,6 +86660,8 @@ CVE-2021-23793 RESERVED CVE-2021-23792 (The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 ar ...) - libtwelvemonkeys-java 3.8.0-1 + [bullseye] - libtwelvemonkeys-java (Minor issue) + [buster] - libtwelvemonkeys-java (Minor issue) NOTE: https://snyk.io/vuln/SNYK-JAVA-COMTWELVEMONKEYSIMAGEIO-2316763 NOTE: https://github.com/haraldk/TwelveMonkeys/commit/da4efe98bf09e1cce91b7633cb251958a200fc80 (twelvemonkeys-3.8.0) CVE-2021-23791 = data/dsa-needed.txt = @@ -16,6 +16,8 @@ asterisk/oldstable -- cacti -- +cifs-utils +-- condor/oldstable (apo) -- ecdsautils (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b43eafdd52df278263e5e4eb5068ef1979594dd4
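Review bot: the two libtwelvemonkeys-java lines are marked Minor issue without a reason, whereas the unrar-nonfree lines in the same commit state why (Non-free not supported); since the fixed version 3.8.0-1 and the upstream commit are already linked, a few words in the annotation on why the imageio-metadata issue is minor for bullseye and buster (limited impact, non-default code path, or similar) would stop a later LTS triage from having to reread the Snyk entry to reach the same conclusion.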
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cf0aa6e3 by security tracker role at 2022-05-10T08:10:13+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,15 @@ +CVE-2022-30526 + RESERVED +CVE-2022-30525 + RESERVED +CVE-2022-1646 + RESERVED +CVE-2022-1645 + RESERVED +CVE-2022-1644 + RESERVED +CVE-2022-1643 + RESERVED CVE-2022-30524 (There is an invalid memory access in the TextLine class in TextOutputD ...) TODO: check CVE-2022-30523 @@ -417,8 +429,8 @@ CVE-2022-1623 RESERVED CVE-2022-1622 RESERVED -CVE-2022-1621 - RESERVED +CVE-2022-1621 (Heap buffer overflow in vim_strncpy find_word in GitHub repository vim ...) + TODO: check CVE-2018-25033 (ADMesh through 0.98.4 has a heap-based buffer over-read in stl_update_ ...) - admesh (bug #1010770) [bullseye] - admesh (Minor issue; can be fixed via point release) @@ -11584,13 +11596,14 @@ CVE-2022-26356 (Racy interactions between dirty vram tracking and paging log dir CVE-2022-26355 (Citrix Federated Authentication Service (FAS) 7.17 - 10.6 causes deplo ...) NOT-FOR-US: Citrix CVE-2022-26354 (A flaw was found in the vhost-vsock device of QEMU. In case of error, ...) - {DLA-2970-1} + {DSA-5133-1 DLA-2970-1} - qemu 1:7.0+dfsg-1 [buster] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2063257 NOTE: https://gitlab.com/qemu-project/qemu/-/commit/8d1b247f3748ac4078524130c6d7ae42b6140aaf NOTE: vulnerable code in buster in vhost_vsock_send_transport_reset CVE-2022-26353 (A flaw was found in the virtio-net device of QEMU. This flaw was inadv ...) + {DSA-5133-1} - qemu 1:7.0+dfsg-1 [buster] - qemu (Original upstream fix for CVE-2021-3748 not applied) [stretch] - qemu (Original upstream fix for CVE-2021-3748 not applied) 
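Review bot: for CVE-2022-26354 the import adds {DSA-5133-1} beside the existing {DLA-2970-1}, so stable and LTS now both have advisories, yet the [buster] line still says Minor issue and the NOTE two lines down records that the vulnerable code is present in buster's vhost_vsock_send_transport_reset; with fixes shipped on either side of it, buster's Minor issue marking deserves a second look, at least as a candidate for a point release.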
@@ -18927,12 +18940,14 @@ CVE-2021-46559 (The firmware on Moxa TN-5900 devices through 3.1 has a weak algo CVE-2019-25056 (In Bromite through 78.0.3904.130, there are adblock rules in the relea ...) NOT-FOR-US: Bromite CVE-2022-23947 (A stack-based buffer overflow vulnerability exists in the Gerber Viewe ...) + {DLA-2998-1} - kicad 6.0.2+dfsg-1 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1460 NOTE: https://gitlab.com/kicad/code/kicad/-/issues/10700 NOTE: https://gitlab.com/kicad/code/kicad/-/commit/54b20cb0492ee20eb9efaff478eaa51fe17b4ca3 (master) NOTE: https://gitlab.com/kicad/code/kicad/-/commit/a7fbdfe9182fe075d1f36cf1f23432b28caf03b3 (6.0.2) CVE-2022-23946 (A stack-based buffer overflow vulnerability exists in the Gerber Viewe ...) + {DLA-2998-1} - kicad 6.0.2+dfsg-1 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1460 NOTE: https://gitlab.com/kicad/code/kicad/-/issues/10700 @@ -18991,6 +19006,7 @@ CVE-2022-0359 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to NOTE: https://github.com/vim/vim/commit/85b6747abc15a7a81086db31289cf1b8b17e6cb1 (v8.2.4214) CVE-2022-0358 RESERVED + {DSA-5133-1} - qemu 1:7.0+dfsg-1 [buster] - qemu (Vulnerable code not present) [stretch] - qemu (virtiofsd added in 5.0) 
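Review bot: CVE-2022-0358 receives {DSA-5133-1} and keeps the qemu package lines but its first line is still RESERVED, so the tracker will show an advisory for an issue with no description until the CVE record is published; a NOTE summarising the issue from the DSA text (the [stretch] line already hints that it concerns virtiofsd) would fill that gap in the meantime.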
@@ -19768,12 +19784,14 @@ CVE-2022-23806 (Curve.IsOnCurve in crypto/elliptic in Go before 1.16.14 and 1.17 CVE-2022-23805 (A security out-of-bounds read information disclosure vulnerability in ...) NOT-FOR-US: Trend Micro CVE-2022-23804 (A stack-based buffer overflow vulnerability exists in the Gerber Viewe ...) + {DLA-2998-1} - kicad 6.0.2+dfsg-1 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1453 NOTE: https://gitlab.com/kicad/code/kicad/-/issues/10719 NOTE: https://gitlab.com/kicad/code/kicad/-/commit/927afe313d1f104391814ee7d5d9cca0a520aa50 (6.0.2) NOTE: https://gitlab.com/kicad/code/kicad/-/commit/7ed569058c516974c47b4a506daa3daea4248e05 (master) CVE-2022-23803 (A stack-based buffer overflow vulnerability exists in the Gerber Viewe ...) + {DLA-2998-1} - kicad 6.0.2+dfsg-1 NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1453 NOTE: https://gitlab.com/kicad/code/kicad/-/issues/10719 @@ -20040,10 +20058,10 @@ CVE-2022-23707 (An XSS vulnerability was found in Kibana index patterns. Using t - kibana (bug #700337) CVE-2022-23706 RESERVED -CVE-2022-23705 - RESERVED -CVE-2022-23704 - RESERVED +CVE-2022-23705 (A security vulnerability has been identified in HPE Nimble Storage Hyb ...) + TODO: check +CVE-2022-23704 (A potential security vulnerability has been identified in
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-1632
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2cffb301 by Salvatore Bonaccorso at 2022-05-10T08:24:01+02:00 Add CVE-2022-1632 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -26,6 +26,7 @@ CVE-2022-1633 RESERVED CVE-2022-1632 RESERVED + NOT-FOR-US: OpenShift CVE-2022-1631 (Users Account Pre-Takeover or Users Account Takeover. in GitHub reposi ...) TODO: check CVE-2022-1630 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2cffb301d114162688954e8168961b8e9b8e5949
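Review bot: NOT-FOR-US: OpenShift is added under CVE-2022-1632 while the entry is still RESERVED, so the attribution must come from a source outside the CVE record that is not cited here; adding a NOTE with that source (the vendor bug or advisory) would let the next automatic update, which will replace the RESERVED line with the real description, be checked against it instead of trusting the earlier call.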