[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a7f1f2d4 by Salvatore Bonaccorso at 2022-10-03T23:32:13+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -249,25 +249,25 @@ CVE-2022-42310 CVE-2022-42309 RESERVED CVE-2022-42308 (An issue was discovered in Veritas NetBackup through 8.2 and related V ...) - TODO: check + NOT-FOR-US: Veritas CVE-2022-42307 (An issue was discovered in Veritas NetBackup through 10.0.0.1 and rela ...) - TODO: check + NOT-FOR-US: Veritas CVE-2022-42306 (An issue was discovered in Veritas NetBackup through 8.2 and related V ...) - TODO: check + NOT-FOR-US: Veritas CVE-2022-42305 (An issue was discovered in Veritas NetBackup through 10.0.0.1 and rela ...) - TODO: check + NOT-FOR-US: Veritas CVE-2022-42304 (An issue was discovered in Veritas NetBackup through 10.0 and related ...) - TODO: check + NOT-FOR-US: Veritas CVE-2022-42303 (An issue was discovered in Veritas NetBackup through 10.0 and related ...) - TODO: check + NOT-FOR-US: Veritas CVE-2022-42302 (An issue was discovered in Veritas NetBackup through 10.0 and related ...) - TODO: check + NOT-FOR-US: Veritas CVE-2022-42301 (An issue was discovered in Veritas NetBackup through 10.0.0.1 and rela ...) - TODO: check + NOT-FOR-US: Veritas CVE-2022-42300 (An issue was discovered in Veritas NetBackup through 10.0.0.1 and rela ...) - TODO: check + NOT-FOR-US: Veritas CVE-2022-42299 (An issue was discovered in Veritas NetBackup through 10.0.0.1 and rela ...) - TODO: check + NOT-FOR-US: Veritas CVE-2022-42298 RESERVED CVE-2022-42297 @@ -403,7 +403,7 @@ CVE-2022-42249 CVE-2022-42248 RESERVED CVE-2022-42247 (pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) ...) - TODO: check + NOT-FOR-US: pfSense CVE-2022-42246 RESERVED CVE-2022-42245 
@@ -2315,21 +2315,21 @@ CVE-2022-41432 CVE-2022-41431 RESERVED CVE-2022-41430 (Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP ...) - TODO: check + NOT-FOR-US: Bento4 CVE-2022-41429 (Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP ...) - TODO: check + NOT-FOR-US: Bento4 CVE-2022-41428 (Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP ...) - TODO: check + NOT-FOR-US: Bento4 CVE-2022-41427 (Bento4 v1.6.0-639 was discovered to contain a memory leak in the AP4_A ...) - TODO: check + NOT-FOR-US: Bento4 CVE-2022-41426 (Bento4 v1.6.0-639 was discovered to contain a memory leak via the AP4_ ...) - TODO: check + NOT-FOR-US: Bento4 CVE-2022-41425 (Bento4 v1.6.0-639 was discovered to contain a segmentation violation v ...) - TODO: check + NOT-FOR-US: Bento4 CVE-2022-41424 (Bento4 v1.6.0-639 was discovered to contain a memory leak via the AP4_ ...) - TODO: check + NOT-FOR-US: Bento4 CVE-2022-41423 (Bento4 v1.6.0-639 was discovered to contain a segmentation violation i ...) - TODO: check + NOT-FOR-US: Bento4 CVE-2022-41422 RESERVED CVE-2022-41421 @@ -2337,7 +2337,7 @@ CVE-2022-41421 CVE-2022-41420 (nasm v2.16 was discovered to contain a stack overflow in the Ndisasm c ...) TODO: check CVE-2022-41419 (Bento4 v1.6.0-639 was discovered to contain a memory leak via the AP4_ ...) - TODO: check + NOT-FOR-US: Bento4 CVE-2022-41418 RESERVED CVE-2022-41417 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7f1f2d4a90bc287e5fbb137846e0e8682f1183e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: triage knot-resolver
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: e60a01cc by Anton Gladky at 2022-10-03T22:46:49+02:00 LTS: triage knot-resolver - - - - - 84709f8f by Anton Gladky at 2022-10-03T23:08:57+02:00 LTS: triage libpgjava - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -79,10 +79,16 @@ imagemagick NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git NOTE: 20220904: Should be synced with Stretch. (apo) -- +knot-resolver + NOTE: 20221003: Programming language: C. +-- kopanocore NOTE: 20220801: Programming language: C++. NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973) -- +libpgjava + NOTE: 20221003: Programming language: Java. +-- linux (Ben Hutchings) -- mbedtls View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5ac0d0b0e140bf61f6919e3a69d942db1948efb8...84709f8f6c01c866b3874361a3c6c9ab441e636e
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: triage clickhouse
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 55d774d9 by Anton Gladky at 2022-10-03T22:27:52+02:00 LTS: triage clickhouse - - - - - 5ac0d0b0 by Anton Gladky at 2022-10-03T22:39:42+02:00 LTS: triage fwupd - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -26,6 +26,11 @@ bluez NOTE: 20220902: Programming language: C. NOTE: 20220902: Consider synchronizing with Stretch. (apo) -- +clickhouse + NOTE: 20221003: Programming language: C++. + NOTE: 20221003: One pull request closes several CVEs. + NOTE: 20221003: Please evaluate, whether it can be applied. +-- curl (gladk) NOTE: 20220901: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git @@ -41,6 +46,9 @@ firmware-nonfree frr (Thorsten Alteholz) NOTE: 20220923: Programming language: C. -- +fwupd + NOTE: 20221003: Programming language: C++. +-- gerbv NOTE: 20220923: Programming language: C. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f6c778ad6eebfb2fbc27cb33126ff197e98ca1b4...5ac0d0b0e140bf61f6919e3a69d942db1948efb8
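Review bot: in the clickhouse hunk the NOTE "One pull request closes several CVEs" names neither the pull request nor the CVEs it covers; putting the PR URL and the CVE ids on that NOTE line would let the next front-desk person evaluate it without having to find it again.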
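Review bot: the fwupd hunk records "Programming language: C++"; fwupd is a GLib-based C code base, so the line should read "Programming language: C." to match the other C entries in this file.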
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f6c778ad by security tracker role at 2022-10-03T20:10:27+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,399 @@ +CVE-2022-42433 + RESERVED +CVE-2022-42432 + RESERVED +CVE-2022-42431 + RESERVED +CVE-2022-42430 + RESERVED +CVE-2022-42429 + RESERVED +CVE-2022-42428 + RESERVED +CVE-2022-42427 + RESERVED +CVE-2022-42426 + RESERVED +CVE-2022-42425 + RESERVED +CVE-2022-42424 + RESERVED +CVE-2022-42423 + RESERVED +CVE-2022-42422 + RESERVED +CVE-2022-42421 + RESERVED +CVE-2022-42420 + RESERVED +CVE-2022-42419 + RESERVED +CVE-2022-42418 + RESERVED +CVE-2022-42417 + RESERVED +CVE-2022-42416 + RESERVED +CVE-2022-42415 + RESERVED +CVE-2022-42414 + RESERVED +CVE-2022-42413 + RESERVED +CVE-2022-42412 + RESERVED +CVE-2022-42411 + RESERVED +CVE-2022-42410 + RESERVED +CVE-2022-42409 + RESERVED +CVE-2022-42408 + RESERVED +CVE-2022-42407 + RESERVED +CVE-2022-42406 + RESERVED +CVE-2022-42405 + RESERVED +CVE-2022-42404 + RESERVED +CVE-2022-42403 + RESERVED +CVE-2022-42402 + RESERVED +CVE-2022-42401 + RESERVED +CVE-2022-42400 + RESERVED +CVE-2022-42399 + RESERVED +CVE-2022-42398 + RESERVED +CVE-2022-42397 + RESERVED +CVE-2022-42396 + RESERVED +CVE-2022-42395 + RESERVED +CVE-2022-42394 + RESERVED +CVE-2022-42393 + RESERVED +CVE-2022-42392 + RESERVED +CVE-2022-42391 + RESERVED +CVE-2022-42390 + RESERVED +CVE-2022-42389 + RESERVED +CVE-2022-42388 + RESERVED +CVE-2022-42387 + RESERVED +CVE-2022-42386 + RESERVED +CVE-2022-42385 + RESERVED +CVE-2022-42384 + RESERVED +CVE-2022-42383 + RESERVED +CVE-2022-42382 + RESERVED +CVE-2022-42381 + RESERVED +CVE-2022-42380 + RESERVED +CVE-2022-42379 + RESERVED +CVE-2022-42378 + RESERVED +CVE-2022-42377 + RESERVED +CVE-2022-42376 + RESERVED +CVE-2022-42375 + RESERVED +CVE-2022-42374 + RESERVED +CVE-2022-42373 + RESERVED +CVE-2022-42372 + RESERVED +CVE-2022-42371 + RESERVED +CVE-2022-42370 + RESERVED +CVE-2022-42369 + RESERVED +CVE-2022-42368 + RESERVED +CVE-2022-42367 + RESERVED +CVE-2022-42366 + RESERVED +CVE-2022-42365 + RESERVED +CVE-2022-42364 + RESERVED +CVE-2022-42363 + RESERVED +CVE-2022-42362 + RESERVED +CVE-2022-42361 + RESERVED 
+CVE-2022-42360 + RESERVED +CVE-2022-42359 + RESERVED +CVE-2022-42358 + RESERVED +CVE-2022-42357 + RESERVED +CVE-2022-42356 + RESERVED +CVE-2022-42355 + RESERVED +CVE-2022-42354 + RESERVED +CVE-2022-42353 + RESERVED +CVE-2022-42352 + RESERVED +CVE-2022-42351 + RESERVED +CVE-2022-42350 + RESERVED +CVE-2022-42349 + RESERVED +CVE-2022-42348 + RESERVED +CVE-2022-42347 + RESERVED +CVE-2022-42346 + RESERVED +CVE-2022-42345 + RESERVED +CVE-2022-42344 + RESERVED +CVE-2022-42343 + RESERVED +CVE-2022-42342 + RESERVED +CVE-2022-42341 + RESERVED +CVE-2022-42340 + RESERVED +CVE-2022-42339 + RESERVED +CVE-2022-42338 + RESERVED +CVE-2022-42337 + RESERVED +CVE-2022-42336 + RESERVED +CVE-2022-42335 + RESERVED +CVE-2022-42334 + RESERVED +CVE-2022-42333 + RESERVED +CVE-2022-42332 + RESERVED +CVE-2022-42331 + RESERVED +CVE-2022-42330 + RESERVED +CVE-2022-42329 + RESERVED +CVE-2022-42328 + RESERVED +CVE-2022-42327 + RESERVED +CVE-2022-42326 + RESERVED +CVE-2022-42325 + RESERVED +CVE-2022-42324 + RESERVED +CVE-2022-42323 + RESERVED +CVE-2022-42322 + RESERVED +CVE-2022-42321 + RESERVED +CVE-2022-42320 + RESERVED +CVE-2022-42319 + RESERVED +CVE-2022-42318 + RESERVED +CVE-2022-42317 + RESERVED +CVE-2022-42316 + RESERVED +CVE-2022-42315 + RESERVED +CVE-2022-42314 + RESERVED +CVE-2022-42313 + RESERVED +CVE-2022-42312 + RESERVED +CVE-2022-42311 + RESERVED +CVE-2022-42310 + RESERVED +CVE-2022-42309 + RESERVED +CVE-2022-42308 (An issue was discovered in Veritas NetBackup through 8.2 and related V ...) + TODO: check +CVE-2022-42307 (An issue was discovered in Veritas NetBackup through 10.0.0.1 and rela ...) + TODO: check +CVE-2022-42306 (An issue was discovered in Veritas NetBackup through 8.2 and related V ...) + TODO: check +CVE-2022-42305 (An issue was discovered in Veritas NetBackup through 10.0.0.1 and rela ...) + TODO: check +CVE-2022-42304 (An issue was discovered in Veritas NetBackup
[Git][security-tracker-team/security-tracker][master] tinyexr spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e9b712c0 by Moritz Mühlenhoff at 2022-10-03T22:07:48+02:00 tinyexr spu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -26,3 +26,7 @@ CVE-2021-23450 [bullseye] - dojo 1.15.4+dfsg1-1+deb11u1 CVE-2022-2255 [bullseye] - mod-wsgi 4.7.1-3+deb11u1 +CVE-2022-38529 + [bullseye] - tinyexr 1.0.1+dfsg-1+deb11u1 +CVE-2022-34300 + [bullseye] - tinyexr 1.0.1+dfsg-1+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9b712c033562610c14869c45dfb53f39b5f7bc2
[Git][security-tracker-team/security-tracker][master] Reference upstream commit for CVE-2022-2308/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f73a54f6 by Salvatore Bonaccorso at 2022-10-03T21:52:19+02:00 Reference upstream commit for CVE-2022-2308/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17893,6 +17893,7 @@ CVE-2022-2308 (A flaw was found in vDPA with VDUSE backend. There are currently [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2103900 + NOTE: https://git.kernel.org/linus/46f8a29272e51b6df7393d58fc5cb8967397ef2b (6.0) CVE-2022-2318 (There are use-after-free vulnerabilities caused by timer handler in ne ...) {DSA-5191-1 DLA-3131-1} - linux 5.18.14-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f73a54f626612ef759366ae6c92f424e3a0153d0
[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for four modsecurity-crs issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 55b04dd5 by Salvatore Bonaccorso at 2022-10-03T21:16:14+02:00 Track fixed version via unstable for four modsecurity-crs issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -5413,21 +5413,21 @@ CVE-2022-3134 (Use After Free in GitHub repository vim/vim prior to 9.0.0389. .. CVE-2022-39959 RESERVED CVE-2022-39958 (The OWASP ModSecurity Core Rule Set (CRS) is affected by a response bo ...) - - modsecurity-crs (bug #1021137) + - modsecurity-crs 3.3.4-1 (bug #1021137) [bullseye] - modsecurity-crs (Minor issues; will be fixed in point release) NOTE: https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/ CVE-2022-39957 (The OWASP ModSecurity Core Rule Set (CRS) is affected by a response bo ...) - - modsecurity-crs (bug #1021137) + - modsecurity-crs 3.3.4-1 (bug #1021137) [bullseye] - modsecurity-crs (Minor issues; will be fixed in point release) NOTE: https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/ CVE-2022-39956 (The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rul ...) - - modsecurity-crs (bug #1021137) + - modsecurity-crs 3.3.4-1 (bug #1021137) [bullseye] - modsecurity-crs (Minor issues; will be fixed in point release) NOTE: https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/ NOTE: Depends on changes to be done in src:libmodsecurity3 / src:modsecurity-apache, cf. NOTE: https://bugs.debian.org/1020303 CVE-2022-39955 (The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rul ...) - - modsecurity-crs (bug #1021137) + - modsecurity-crs 3.3.4-1 (bug #1021137) [bullseye] - modsecurity-crs (Minor issues; will be fixed in point release) NOTE: https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/ CVE-2022-39954 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55b04dd5877a9c355ed8817dea064f47351a919b
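Review bot: in the CVE-2022-39956 region the fixed version 3.3.4-1 is recorded for unstable while the entry's own NOTE still says the fix depends on changes to be done in src:libmodsecurity3 / src:modsecurity-apache (https://bugs.debian.org/1020303); if 3.3.4-1 only ships the rule-set side, a NOTE stating that the remaining part is tracked under bug 1020303 would keep the entry from reading as completely fixed.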
[Git][security-tracker-team/security-tracker][master] Track fixed version for mediawiki issues via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 56a7ad0b by Salvatore Bonaccorso at 2022-10-03T21:14:50+02:00 Track fixed version for mediawiki issues via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1043,7 +1043,7 @@ CVE-2022-41768 RESERVED CVE-2022-41767 [mediawiki: reassignEdits doesn't update results in an IP range check on Special:Contributions] RESERVED - - mediawiki + - mediawiki 1:1.35.8-1 NOTE: https://phabricator.wikimedia.org/T316304 CVE-2022-41766 [mediawiki: On action=rollback the message "alreadyrolled" can leak revision deleted user name] RESERVED @@ -1053,7 +1053,7 @@ CVE-2022-41766 [mediawiki: On action=rollback the message "alreadyrolled" can le NOTE: https://phabricator.wikimedia.org/T307278 CVE-2022-41765 [mediawiki: HTMLUserTextField exposes existence of hidden users] RESERVED - - mediawiki + - mediawiki 1:1.35.8-1 NOTE: https://phabricator.wikimedia.org/T309894 CVE-2022-41764 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56a7ad0bb9f167648c824797b4aeac186b8c4a6f
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2022-41556
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 748bd05a by Salvatore Bonaccorso at 2022-10-03T21:08:35+02:00 Update information for CVE-2022-41556 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1576,7 +1576,8 @@ CVE-2022-41556 [handle RDHUP when collecting chunked body] - lighttpd 1.4.67-1 [buster] - lighttpd (vulnerable code inserted in lighttpd-1.4.55-211-gbcddbe18) NOTE: https://github.com/lighttpd/lighttpd1.4/pull/115 - NOTE: https://github.com/lighttpd/lighttpd1.4/commit/b18de6f9264f914f7bf493abd3b6059343548e50 (lighttpd-1.4.67) + NOTE: Introduced by: https://github.com/lighttpd/lighttpd1.4/commit/bcddbe186f010e2964f7551141c0b8350b36817d (lighttpd-1.4.56-rc1) + NOTE: Fixed by: https://github.com/lighttpd/lighttpd1.4/commit/b18de6f9264f914f7bf493abd3b6059343548e50 (lighttpd-1.4.67) CVE-2022-40690 RESERVED CVE-2022-3322 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/748bd05a92e0e3e8dc86cfb82dc0925d92d4bd3f
[Git][security-tracker-team/security-tracker][master] Add upstream tag information for CVE-2022-3875{0,1}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f5be1d26 by Salvatore Bonaccorso at 2022-10-03T21:05:47+02:00 Add upstream tag information for CVE-2022-3875{0,1} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -8365,15 +8365,15 @@ CVE-2022-38751 (Using snakeYAML to parse untrusted YAML files may be vulnerable [bullseye] - snakeyaml (Minor issue) NOTE: https://bitbucket.org/snakeyaml/snakeyaml/issues/530/stackoverflow-oss-fuzz-47039 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039 - NOTE: Fixed by https://bitbucket.org/snakeyaml/snakeyaml/commits/f3ab4e0f54c37ddb10f00b71d04187bb0ef1799c - NOTE: Fixed by https://bitbucket.org/snakeyaml/snakeyaml/commits/6aedd33a811f7347c5dae2940e75940966f59466 + NOTE: Fixed by https://bitbucket.org/snakeyaml/snakeyaml/commits/f3ab4e0f54c37ddb10f00b71d04187bb0ef1799c (snakeyaml-1.31) + NOTE: Fixed by https://bitbucket.org/snakeyaml/snakeyaml/commits/6aedd33a811f7347c5dae2940e75940966f59466 (snakeyaml-1.31) CVE-2022-38750 (Using snakeYAML to parse untrusted YAML files may be vulnerable to Den ...) {DLA-3132-1} - snakeyaml 1.31-1 [bullseye] - snakeyaml (Minor issue) NOTE: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027 - NOTE: Test case: https://bitbucket.org/snakeyaml/snakeyaml/commits/a8a072311547574274036f4a1b91a751b397a055 + NOTE: Test case: https://bitbucket.org/snakeyaml/snakeyaml/commits/a8a072311547574274036f4a1b91a751b397a055 (snakeyaml-1.31) CVE-2022-38749 (Using snakeYAML to parse untrusted YAML files may be vulnerable to Den ...) {DLA-3132-1} - snakeyaml 1.31-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5be1d260bd2875162e0b297162feb00080acc29
[Git][security-tracker-team/security-tracker][master] Add reference to upstream commit for CVE-2022-3100
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 469f9d42 by Salvatore Bonaccorso at 2022-10-03T20:51:44+02:00 Add reference to upstream commit for CVE-2022-3100 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5835,6 +5835,7 @@ CVE-2022-3100 [access policy bypass via query string injection] RESERVED - barbican (bug #1021139) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2125404 + NOTE: https://review.opendev.org/c/openstack/barbican/+/859852 CVE-2022-39798 RESERVED CVE-2022-39797 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/469f9d42dd1fe17067b7194de648fa7e66fbeb48
[Git][security-tracker-team/security-tracker][master] lts: triage CVE-2022-3080/bind9 as n/a on buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 5405e55f by Emilio Pozuelo Monfort at 2022-10-03T18:47:04+02:00 lts: triage CVE-2022-3080/bind9 as n/a on buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7367,6 +7367,7 @@ CVE-2022-3081 CVE-2022-3080 (By sending specific queries to the resolver, an attacker can cause nam ...) {DSA-5235-1} - bind9 1:9.18.7-1 + [buster] - bind9 (Vulnerable code introduced later) NOTE: https://kb.isc.org/docs/cve-2022-3080 NOTE: Fixed by: https://gitlab.isc.org/isc-projects/bind9/-/commit/b9e2fd0d29deb3ef932aa7aeb28086f153bd (v9_18_7) NOTE: Fixed by: https://gitlab.isc.org/isc-projects/bind9/-/commit/3f68e2ad838b3c12a725ccb1082a54b0e8b69562 (v9_16_33) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5405e55f44935b7c04c8a025dda373d0173e562a
[Git][security-tracker-team/security-tracker][master] lts: take bind9
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: c95f9814 by Emilio Pozuelo Monfort at 2022-10-03T17:17:49+02:00 lts: take bind9 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -19,7 +19,7 @@ asterisk (Markus Koschany) NOTE: 20220829: bullseye and buster. (apo) NOTE: 20221002: Done. Will ask for a public review tomorrow though. (apo) -- -bind9 +bind9 (Emilio) NOTE: 20220925: Programming language: C. -- bluez View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c95f9814ba20b4c3036f111df265791c9ec10e15
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-44537/owncloud-client via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c0a421e4 by Salvatore Bonaccorso at 2022-10-03T15:00:05+02:00 Track fixed version for CVE-2021-44537/owncloud-client via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -62536,7 +62536,7 @@ CVE-2021-44538 (The olm_session_describe function in Matrix libolm before 3.2.7 NOTE: Introduced by: https://gitlab.matrix.org/matrix-org/olm/-/commit/39a1ee0b18f0fced6d7bc293cc9a46ea70ec9e96 (3.1.4) NOTE: Fixed by: https://gitlab.matrix.org/matrix-org/olm/-/commit/c23ce70fc66c26db5839ddb5a3b46d4c3d3abed6 (3.2.8) CVE-2021-44537 (ownCloud owncloud/client before 2.9.2 allows Resource Injection by a s ...) - - owncloud-client (bug #1014810) + - owncloud-client 2.11.0.8354+dfsg-1 (bug #1014810) [buster] - owncloud-client (Minor issue) [stretch] - owncloud-client (OAuth support introduced in 2.4) NOTE: https://owncloud.com/security-advisories/cve-2021-44537/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0a421e4fd3a77b88146dad0ffa25606bb63f9f5
[Git][security-tracker-team/security-tracker][master] CVE-2022-35255/nodejs: reference patches, buster not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: ac1e0a17 by Sylvain Beucler at 2022-10-03T13:03:36+02:00 CVE-2022-35255/nodejs: reference patches, buster not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17747,7 +17747,10 @@ CVE-2022-35256 [HTTP Request Smuggling Due to Incorrect Parsing of Header Fields CVE-2022-35255 [Weak randomness in WebCrypto keygen] RESERVED - nodejs 18.10.0+dfsg-1 + [buster] - nodejs (Vulnerable code introduced later) NOTE: https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#weak-randomness-in-webcrypto-keygen-high-cve-2022-35255 + NOTE: https://github.com/nodejs/node/commit/0c2a5723beff39d1f62daec96b5389da3d427e79 (v18.9.1) + NOTE: Introduced by https://github.com/nodejs/node/commit/dae283d96fd31ad0f30840a7e55ac97294f505ac (v15.0.0) CVE-2022-35254 RESERVED CVE-2022-35253 (A vulnerability exists in Hyperledger Fabric 2.4 could allow an at ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac1e0a177b3c67d23c6b3dcf4bbf2d4bccfa67fb
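Review bot: style: the first added NOTE in the hunk (the v18.9.1 commit 0c2a5723) carries no label while the line after it is labelled "Introduced by"; the CVE-2022-41556/lighttpd entry in this same series pairs "Introduced by:" with "Fixed by:", so labelling the v18.9.1 commit "Fixed by:" in the same way would make it clear which commit is the fix.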
[Git][security-tracker-team/security-tracker][master] CVE-2022-35256/nodejs: reference patches, buster not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: cc7a7b4d by Sylvain Beucler at 2022-10-03T12:53:56+02:00 CVE-2022-35256/nodejs: reference patches, buster not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17739,8 +17739,11 @@ CVE-2022-35257 (A local privilege escalation vulnerability in UI Desktop for Win CVE-2022-35256 [HTTP Request Smuggling Due to Incorrect Parsing of Header Fields] RESERVED - nodejs 18.10.0+dfsg-1 + [buster] - nodejs (llhttp dependency/embedding introduced in 12.x) - llhttp (bug #977716) NOTE: https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256 + NOTE: https://github.com/nodejs/node/commit/2e92e5b71d071cb989d8d109d278427041a47e44 (main) + NOTE: https://github.com/nodejs/node/commit/a9f1146b8827855e342834458a71f2367346ace0 (v14.20.1) CVE-2022-35255 [Weak randomness in WebCrypto keygen] RESERVED - nodejs 18.10.0+dfsg-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc7a7b4d099479af64d325cf3bbd4b811c757c87
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove lts-frontdesk.py (integrated into the dispatch-front-desk script)
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 52b9feeb by Anton Gladky at 2022-10-03T12:02:15+02:00 Remove lts-frontdesk.py (integrated into the dispatch-front-desk script) - - - - - fec88202 by Anton Gladky at 2022-10-03T12:03:08+02:00 LTS: dispatch frontdesk slots for 2023/H1 - - - - - 2 changed files: - + org/lts-frontdesk.2023.txt - − org/lts-frontdesk.py Changes: = org/lts-frontdesk.2023.txt = 
@@ -0,0 +1,52 @@ +From 02-01 to 08-01:Sylvain Beucler +From 09-01 to 15-01:Thorsten Alteholz +From 16-01 to 22-01:Utkarsh Gupta +From 23-01 to 29-01:Anton Gladky +From 30-01 to 05-02:Chris Lamb +From 06-02 to 12-02:Emilio Pozuelo Monfort +From 13-02 to 19-02:Markus Koschany +From 20-02 to 26-02:Ola Lundqvist +From 27-02 to 05-03:Sylvain Beucler +From 06-03 to 12-03:Thorsten Alteholz +From 13-03 to 19-03:Utkarsh Gupta +From 20-03 to 26-03:Anton Gladky +From 27-03 to 02-04:Chris Lamb +From 03-04 to 09-04:Emilio Pozuelo Monfort +From 10-04 to 16-04:Markus Koschany +From 17-04 to 23-04:Ola Lundqvist +From 24-04 to 30-04:Sylvain Beucler +From 01-05 to 07-05:Thorsten Alteholz +From 08-05 to 14-05:Utkarsh Gupta +From 15-05 to 21-05:Anton Gladky +From 22-05 to 28-05:Chris Lamb +From 29-05 to 04-06:Emilio Pozuelo Monfort +From 05-06 to 11-06:Markus Koschany +From 12-06 to 18-06:Ola Lundqvist +From 19-06 to 25-06:Sylvain Beucler +From 26-06 to 02-07:Thorsten Alteholz +From 03-07 to 09-07: +From 10-07 to 16-07: +From 17-07 to 23-07: +From 24-07 to 30-07: +From 31-07 to 06-08: +From 07-08 to 13-08: +From 14-08 to 20-08: +From 21-08 to 27-08: +From 28-08 to 03-09: +From 04-09 to 10-09: +From 11-09 to 17-09: +From 18-09 to 24-09: +From 25-09 to 01-10: +From 02-10 to 08-10: +From 09-10 to 15-10: +From 16-10 to 22-10: +From 23-10 to 29-10: +From 30-10 to 05-11: +From 06-11 to 12-11: +From 13-11 to 19-11: +From 20-11 to 26-11: +From 27-11 to 03-12: +From 04-12 to 10-12: +From 11-12 to 17-12: +From 18-12 to 24-12: +From 25-12 to 31-12: \ No newline at end of file = org/lts-frontdesk.py deleted = 
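Review bot: the new org/lts-frontdesk.2023.txt ends without a trailing newline ("\ No newline at end of file"); the generator being removed in the same push emitted every line with print(), so the previous output always ended in a newline, and tools that read the schedule line by line may drop or mis-parse the last "From 25-12 to 31-12:" entry. Adding the final newline before the 2023/H2 slots are filled in would be cleaner.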
@@ -1,42 +0,0 @@ -#!/usr/bin/env python3 - -import sys -import datetime - -HEADER = """ -Presentation - - -The LTS frontdesk handles: - - * CVE triaging: - https://wiki.debian.org/LTS/Development#Triage_new_security_issues - - * Making sure that queries on debian-...@lists.debian.org get an answer.. - -Who is in charge ? --- -""" - -LINE = """From {0.day:02d}-{0.month:02d} to {1.day:02d}-{1.month:02d}:""" - - -def main(year): -print(HEADER.strip()) -print() - -for x, y in generate_weeks(int(year)): -print(LINE.format(x, y)) - - -def generate_weeks(year): -dt = datetime.date(year, 1, 1) - -while dt.year == year: -if dt.weekday() == 0: -yield (dt, dt + datetime.timedelta(days=6)) -dt += datetime.timedelta(days=1) - - -if __name__ == '__main__': -sys.exit(main(*sys.argv[1:])) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/99ff65e75540ca7b1ad602eb52c027abe97ac5ef...fec882025036401c20b9119851c6c867fe7ad508
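Review bot: the commit message says lts-frontdesk.py was integrated into the dispatch-front-desk script, but that script is not among the 2 changed files, so the replacement logic cannot be checked in this change; please name the commit that carried the integration. The behaviour to preserve is visible in the removed code: generate_weeks() yields Monday-to-Sunday pairs (weekday() == 0, plus six days) for every week that starts inside the given year, and main() prints HEADER followed by one "From DD-MM to DD-MM:" line per week.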
[Git][security-tracker-team/security-tracker][master] Partially revert fixed version marking in buster for lighttpd
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 99ff65e7 by Salvatore Bonaccorso at 2022-10-03T11:00:29+02:00 Partially revert fixed version marking in buster for lighttpd - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11182,7 +11182,6 @@ CVE-2022-37798 (Tenda AC1206 V15.03.06.23 was discovered to contain a stack over CVE-2022-37797 (In lighttpd 1.4.65, mod_wstunnel does not initialize a handler functio ...) {DSA-5243-1 DLA-3133-1} - lighttpd 1.4.66-1 - [buster] - lighttpd 1.4.53-1+deb10u3 NOTE: https://redmine.lighttpd.net/issues/3165 NOTE: https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/971773f1fae600074b46ef64f3ca1f76c227985f (lighttpd-1.4.66) CVE-2022-37796 (In Simple Online Book Store System 1.0 in /admin_book.php the Title, A ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99ff65e75540ca7b1ad602eb52c027abe97ac5ef
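Review bot: the dropped line "[buster] - lighttpd 1.4.53-1+deb10u3" carried a Debian revision that disagrees with the DLA-3133-1 entry in data/DLA/list ("[buster] - lighttpd 1.4.53-4+deb10u3", see the "issue DLA-3133-1" commit in this digest), which is presumably why it is being reverted; after this hunk the buster fixed status for CVE-2022-37797 rests only on the DLA-3133-1 reference in the "{DSA-5243-1 DLA-3133-1}" line, so confirm that this is the intended way to resolve it rather than restoring the line with the -4 revision. Naming the wrong revision in the commit message would make the "Partially revert" easier to follow later.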
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3135-1 for libdatetime-timezone-perl
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: c3b40580 by Emilio Pozuelo Monfort at 2022-10-03T10:33:13+02:00 Reserve DLA-3135-1 for libdatetime-timezone-perl - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[03 Oct 2022] DLA-3135-1 libdatetime-timezone-perl - new timezone database + [buster] - libdatetime-timezone-perl 1:2.23-1+2022d [03 Oct 2022] DLA-3134-1 tzdata - new timezone database [buster] - tzdata 2021a-0+deb10u7 [03 Oct 2022] DLA-3133-1 lighttpd - security update = data/dla-needed.txt = @@ -75,8 +75,6 @@ kopanocore NOTE: 20220801: Programming language: C++. NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973) -- -libdatetime-timezone-perl (Emilio) --- linux (Ben Hutchings) -- mbedtls View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c3b40580e5cecfe57a928b696575a016928e5108
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3134-1 for tzdata
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c4a710d by Emilio Pozuelo Monfort at 2022-10-03T10:14:37+02:00 Reserve DLA-3134-1 for tzdata - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[03 Oct 2022] DLA-3134-1 tzdata - new timezone database + [buster] - tzdata 2021a-0+deb10u7 [03 Oct 2022] DLA-3133-1 lighttpd - security update {CVE-2022-37797} [buster] - lighttpd 1.4.53-4+deb10u3 = data/dla-needed.txt = @@ -174,8 +174,6 @@ squid (Abhijith PA) trafficserver (Abhijith PA) NOTE: 20220905: Programming language: C. -- -tzdata (Emilio) --- vim (Markus Koschany) NOTE: 20220904: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/vim.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c4a710d4555bc9d80af5dbb0aade4a7b5baa08c
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 563ac9f8 by security tracker role at 2022-10-03T08:10:13+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,489 @@ +CVE-2022-42251 + RESERVED +CVE-2022-42250 + RESERVED +CVE-2022-42249 + RESERVED +CVE-2022-42248 + RESERVED +CVE-2022-42247 + RESERVED +CVE-2022-42246 + RESERVED +CVE-2022-42245 + RESERVED +CVE-2022-42244 + RESERVED +CVE-2022-42243 + RESERVED +CVE-2022-42242 + RESERVED +CVE-2022-42241 + RESERVED +CVE-2022-42240 + RESERVED +CVE-2022-42239 + RESERVED +CVE-2022-42238 + RESERVED +CVE-2022-42237 + RESERVED +CVE-2022-42236 + RESERVED +CVE-2022-42235 + RESERVED +CVE-2022-42234 + RESERVED +CVE-2022-42233 + RESERVED +CVE-2022-42232 + RESERVED +CVE-2022-42231 + RESERVED +CVE-2022-42230 + RESERVED +CVE-2022-42229 + RESERVED +CVE-2022-42228 + RESERVED +CVE-2022-42227 + RESERVED +CVE-2022-42226 + RESERVED +CVE-2022-42225 + RESERVED +CVE-2022-42224 + RESERVED +CVE-2022-42223 + RESERVED +CVE-2022-4 + RESERVED +CVE-2022-42221 + RESERVED +CVE-2022-42220 + RESERVED +CVE-2022-42219 + RESERVED +CVE-2022-42218 + RESERVED +CVE-2022-42217 + RESERVED +CVE-2022-42216 + RESERVED +CVE-2022-42215 + RESERVED +CVE-2022-42214 + RESERVED +CVE-2022-42213 + RESERVED +CVE-2022-42212 + RESERVED +CVE-2022-42211 + RESERVED +CVE-2022-42210 + RESERVED +CVE-2022-42209 + RESERVED +CVE-2022-42208 + RESERVED +CVE-2022-42207 + RESERVED +CVE-2022-42206 + RESERVED +CVE-2022-42205 + RESERVED +CVE-2022-42204 + RESERVED +CVE-2022-42203 + RESERVED +CVE-2022-42202 + RESERVED +CVE-2022-42201 + RESERVED +CVE-2022-42200 + RESERVED +CVE-2022-42199 + RESERVED +CVE-2022-42198 + RESERVED +CVE-2022-42197 + RESERVED +CVE-2022-42196 + RESERVED +CVE-2022-42195 + RESERVED +CVE-2022-42194 + RESERVED +CVE-2022-42193 + RESERVED +CVE-2022-42192 + RESERVED +CVE-2022-42191 + RESERVED +CVE-2022-42190 + RESERVED +CVE-2022-42189 + RESERVED +CVE-2022-42188 + RESERVED +CVE-2022-42187 + RESERVED +CVE-2022-42186 + RESERVED +CVE-2022-42185 + RESERVED +CVE-2022-42184 + RESERVED +CVE-2022-42183 + RESERVED +CVE-2022-42182 + RESERVED +CVE-2022-42181 + RESERVED +CVE-2022-42180 + RESERVED +CVE-2022-42179 + RESERVED 
+CVE-2022-42178 + RESERVED +CVE-2022-42177 + RESERVED +CVE-2022-42176 + RESERVED +CVE-2022-42175 + RESERVED +CVE-2022-42174 + RESERVED +CVE-2022-42173 + RESERVED +CVE-2022-42172 + RESERVED +CVE-2022-42171 + RESERVED +CVE-2022-42170 + RESERVED +CVE-2022-42169 + RESERVED +CVE-2022-42168 + RESERVED +CVE-2022-42167 + RESERVED +CVE-2022-42166 + RESERVED +CVE-2022-42165 + RESERVED +CVE-2022-42164 + RESERVED +CVE-2022-42163 + RESERVED +CVE-2022-42162 + RESERVED +CVE-2022-42161 + RESERVED +CVE-2022-42160 + RESERVED +CVE-2022-42159 + RESERVED +CVE-2022-42158 + RESERVED +CVE-2022-42157 + RESERVED +CVE-2022-42156 + RESERVED +CVE-2022-42155 + RESERVED +CVE-2022-42154 + RESERVED +CVE-2022-42153 + RESERVED +CVE-2022-42152 + RESERVED +CVE-2022-42151 + RESERVED +CVE-2022-42150 + RESERVED +CVE-2022-42149 + RESERVED +CVE-2022-42148 + RESERVED +CVE-2022-42147 + RESERVED +CVE-2022-42146 + RESERVED +CVE-2022-42145 + RESERVED +CVE-2022-42144 + RESERVED +CVE-2022-42143 + RESERVED +CVE-2022-42142 + RESERVED +CVE-2022-42141 + RESERVED +CVE-2022-42140 + RESERVED +CVE-2022-42139 + RESERVED +CVE-2022-42138 + RESERVED +CVE-2022-42137 + RESERVED +CVE-2022-42136 + RESERVED +CVE-2022-42135 + RESERVED +CVE-2022-42134 + RESERVED +CVE-2022-42133 + RESERVED +CVE-2022-42132 + RESERVED +CVE-2022-42131 + RESERVED +CVE-2022-42130 + RESERVED +CVE-2022-42129 + RESERVED +CVE-2022-42128 + RESERVED +CVE-2022-42127 + RESERVED +CVE-2022-42126 + RESERVED +CVE-2022-42125 + RESERVED +CVE-2022-42124 + RESERVED +CVE-2022-42123 + RESERVED +CVE-2022-42122 + RESERVED +CVE-2022-42121 + RESERVED +CVE-2022-42120 + RESERVED +CVE-2022-42119 + RESERVED +CVE-2022-42118 + RESERVED +CVE-2022-42117 + RESERVED +CVE-2022-42116 + RESERVED +CVE-2022-42115 + RESERVED +CVE-2022-42114 + RESERVED +CVE-2022-42113 + RESERVED +CVE-2022-42112 + RESERVED +CVE-2022-42111 +
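Review bot: between "+CVE-2022-42223" and "+CVE-2022-42221" the hunk shows "+CVE-2022-4" followed by RESERVED, where CVE-2022-42222 would be expected in the descending sequence; if the committed file really contains the truncated id, the entry will never match an assigned CVE and should be corrected, and if this is only damage in the rendering, the file should still be checked to confirm the id is complete. Note also that the hunk header "@@ -1,3 +1,489 @@" promises 489 added lines while the message is cut off after "+CVE-2022-42111", so the tail of this automatic update is not reviewable here.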
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: a7e3a4a4 by Anton Gladky at 2022-10-03T10:01:51+02:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Anton Gladky gl...@debian.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -79,10 +79,10 @@ libdatetime-timezone-perl (Emilio) -- linux (Ben Hutchings) -- -mbedtls (Utkarsh) +mbedtls NOTE: 20220821: Programming language: C. -- -netatalk (Stefano Rivera) +netatalk NOTE: 20220816: Programming language: C. NOTE: 20220912: We get errors in the log, not present on bookworm. Needs more investigation. (stefanor) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7e3a4a486614207cb5d7d990a5bfd39c1555b9d
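Review bot: the netatalk unclaim removes Stefano Rivera's name while the 20220912 NOTE from stefanor still records an unresolved investigation, and the mbedtls unclaim leaves no trace at all; add a dated NOTE under both entries (for example "NOTE: 20221003: unclaimed after two weeks of inactivity") so the next claimant sees why the package is free and where the previous work stopped, as the other entries in this file do with dated NOTE lines.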
[Git][security-tracker-team/security-tracker][master] issue DLA-3133-1 for lighttpd fixing CVE-2022-37797
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: 8caef9cb by Helmut Grohne at 2022-10-03T09:48:48+02:00 issue DLA-3133-1 for lighttpd fixing CVE-2022-37797 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[03 Oct 2022] DLA-3133-1 lighttpd - security update + {CVE-2022-37797} + [buster] - lighttpd 1.4.53-4+deb10u3 [02 Oct 2022] DLA-3132-1 snakeyaml - security update {CVE-2022-25857 CVE-2022-38749 CVE-2022-38750 CVE-2022-38751} [buster] - snakeyaml 1.23-1+deb10u1 = data/dla-needed.txt = @@ -77,9 +77,6 @@ kopanocore -- libdatetime-timezone-perl (Emilio) -- -lighttpd (Helmut Grohne) - NOTE: 20220928: Programming language: C. --- linux (Ben Hutchings) -- mbedtls (Utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8caef9cb2f7994a4eb6247ae99773baa1b70fb60
[Git][security-tracker-team/security-tracker][master] Add and claim php-twig
Sebastien Delafond pushed to branch master at Debian Security Tracker / security-tracker Commits: f599a628 by Sébastien Delafond at 2022-10-03T08:27:46+02:00 Add and claim php-twig - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -33,6 +33,9 @@ php-horde-mime-viewer -- php-horde-turba -- +php-twig (seb) + 2022-09-30: maintainer proposed debdiff +-- rails -- rpki-client View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f599a62861640b42c059a55b91d572d176f36457
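Review bot: the new note "2022-09-30: maintainer proposed debdiff" gives no pointer to where the debdiff was proposed; add the bug number or list reference (the dla-needed.txt entries elsewhere in this digest use "#1016973"-style references) so a second reviewer can find and check the proposed change before the DSA is prepared.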
[Git][security-tracker-team/security-tracker][master] update note. Claim trafficserver,squid
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: c41fd934 by Abhijith PA at 2022-10-03T11:54:28+05:30 update note. Claim trafficserver,squid - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -129,6 +129,7 @@ rails (Abhijith PA) NOTE: 20220909: upstream report https://github.com/rails/rails/issues/45590 (abhijith) NOTE: 20220915: 2:5.2.2.1+dfsg-1+deb10u5 uploaded without the regression causing patch (abhijith) NOTE: 20220915: Utkarsh prepared a patch and is on testing (abhijith) + NOTE: 20221003: https://github.com/rails/rails/issues/45590#issuecomment-1249123907 (abhijith) -- rainloop NOTE: 20220913: Programming language: PHP, JavaScript. @@ -164,15 +165,16 @@ samba snort NOTE: 20220905: Requires further triaging to conclude exactly which CVEs to be fixed or ignored. -- -sox (Abhijith PA) +sox NOTE: 20220818: Programming language: C. NOTE: 20220818: Requires some investigation; see #1012138 etc. + NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream committer (abhijith) -- -squid +squid (Abhijith PA) NOTE: 20220923: Programming language: C. NOTE: 20220923: CVE-2022-41317 should be not-affected, but CVE-2022-41318 should be an issue, pleae recheck -- -trafficserver +trafficserver (Abhijith PA) NOTE: 20220905: Programming language: C. -- tzdata (Emilio) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c41fd9342a34670671c0c80e8f1df1b30e462f90
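Review bot: the squid entry is now claimed, but the context line beneath it still reads "pleae recheck" (typo for "please") and leaves the CVE-2022-41317 / CVE-2022-41318 status as an open question; since the entry is being touched, fix the typo and, once rechecked, add a dated NOTE recording the conclusion so the claim carries its own state. The sox change is coherent: the claim is dropped while the new 20221003 NOTE records the upstream re-ping, which tells the next claimant where things stand.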
[Git][security-tracker-team/security-tracker][master] triage/fix lighttpd CVEs in buster
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: f81458e3 by Helmut Grohne at 2022-10-03T08:11:06+02:00 triage/fix lighttpd CVEs in buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1088,6 +1088,7 @@ CVE-2022-41556 [handle RDHUP when collecting chunked body] RESERVED {DSA-5243-1} - lighttpd 1.4.67-1 + [buster] - lighttpd (vulnerable code inserted in lighttpd-1.4.55-211-gbcddbe18) NOTE: https://github.com/lighttpd/lighttpd1.4/pull/115 NOTE: https://github.com/lighttpd/lighttpd1.4/commit/b18de6f9264f914f7bf493abd3b6059343548e50 (lighttpd-1.4.67) CVE-2022-40690 @@ -10692,7 +10693,7 @@ CVE-2022-37798 (Tenda AC1206 V15.03.06.23 was discovered to contain a stack over CVE-2022-37797 (In lighttpd 1.4.65, mod_wstunnel does not initialize a handler functio ...) {DSA-5243-1} - lighttpd 1.4.66-1 - [buster] - lighttpd (Minor issue) + [buster] - lighttpd 1.4.53-1+deb10u3 NOTE: https://redmine.lighttpd.net/issues/3165 NOTE: https://git.lighttpd.net/lighttpd/lighttpd1.4/commit/971773f1fae600074b46ef64f3ca1f76c227985f (lighttpd-1.4.66) CVE-2022-37796 (In Simple Online Book Store System 1.0 in /admin_book.php the Title, A ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f81458e34fc0ca1d6adb86b268f55a58c270c95e
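Review bot: the second hunk sets the buster fixed version for CVE-2022-37797 to "lighttpd 1.4.53-1+deb10u3", but the DLA-3133-1 entry in data/DLA/list (see the "issue DLA-3133-1" commit in this digest) records "[buster] - lighttpd 1.4.53-4+deb10u3"; the Debian revision differs (-1 versus -4), so one of the two is wrong and the CVE/list line should match the version actually uploaded. The first hunk's "[buster] - lighttpd (vulnerable code inserted in lighttpd-1.4.55-211-gbcddbe18)" gives a reason readers can act on; a NOTE pointing at that upstream commit would make it verifiable without rebuilding the history.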
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0ffec4fe by Salvatore Bonaccorso at 2022-10-03T07:42:22+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17259,7 +17259,7 @@ CVE-2022-35255 [Weak randomness in WebCrypto keygen] CVE-2022-35254 RESERVED CVE-2022-35253 (A vulnerability exists in Hyperledger Fabric 2.4 could allow an at ...) - TODO: check + NOT-FOR-US: Hyperledger Fabric CVE-2022-35252 (When curl is used to retrieve and parse cookies from a HTTP(S) server, ...) - curl 7.85.0-1 (bug #1018831) [bullseye] - curl 7.74.0-1.3+deb11u3 @@ -24337,7 +24337,7 @@ CVE-2022-32542 CVE-2022-32541 RESERVED CVE-2022-32540 (Information Disclosure in Operator Client application in BVMS 10.1.1, ...) - TODO: check + NOT-FOR-US: Information Disclosure in Operator Client application in BVMS nd VIDEOJET Decoder VJD-7513 CVE-2022-32539 RESERVED CVE-2022-32538 @@ -30748,7 +30748,7 @@ CVE-2022-30428 (In ginadmin through 05-10-2022, the incoming path value is not f CVE-2022-30427 (In ginadmin through 05-10-2022 the incoming path value is not filtered ...) NOT-FOR-US: ginadmin CVE-2022-30426 (There is a stack buffer overflow vulnerability, which could lead to ar ...) - TODO: check + NOT-FOR-US: Acer CVE-2022-30425 (Tenda Technology Co.,Ltd HG6 3.3.0-210926 was discovered to contain a ...) NOT-FOR-US: Tenda CVE-2022-30424 @@ -31651,7 +31651,7 @@ CVE-2022-30122 [Denial of Service Vulnerability in Rack Multipart Parsing] NOTE: https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk NOTE: https://github.com/advisories/GHSA-hxqx-xwvh-44m2 CVE-2022-30121 (The LANDesk(R) Management Agent service exposes a socket ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2022-30120 (XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. Whe ...) NOT-FOR-US: Concrete CMS CVE-2022-30119 (XSS in /dashboard/reports/logs/view - old browsers only. When using In ...) 
@@ -48434,7 +48434,7 @@ CVE-2022-0496 (A vulnerbiility was found in Openscad, where a DXF-format drawing NOTE: https://github.com/openscad/openscad/issues/4037 NOTE: Crash in CLI tool, no security impact CVE-2022-0495 (The library automation system product KOHA developed by Parantez Tekno ...) - TODO: check + NOT-FOR-US: KOHA library automation system CVE-2022-0494 (A kernel information leak flaw was identified in the scsi_ioctl functi ...) {DSA-5173-1 DSA-5161-1 DLA-3065-1} - linux 5.16.14-1 @@ -60438,7 +60438,7 @@ CVE-2021-45037 CVE-2021-45036 RESERVED CVE-2021-45035 (Velneo vClient on its 28.1.3 version, does not correctly check the cer ...) - TODO: check + NOT-FOR-US: Velneo vClient CVE-2021-45034 (A vulnerability has been identified in CP-8000 MASTER MODULE WITH I/O ...) NOT-FOR-US: Siemens CVE-2021-45033 (A vulnerability has been identified in CP-8000 MASTER MODULE WITH I/O ...) @@ -74042,15 +74042,15 @@ CVE-2021-41439 CVE-2021-41438 REJECTED CVE-2021-41437 (An HTTP response splitting attack in web application in ASUS RT-AX88U ...) - TODO: check + NOT-FOR-US: ASUS CVE-2021-41436 (An HTTP request smuggling in web application in ASUS ROG Rapture GT-AX ...) NOT-FOR-US: ASUS CVE-2021-41435 (A brute-force protection bypass in CAPTCHA protection in ASUS ROG Rapt ...) NOT-FOR-US: ASUS CVE-2021-41434 (A stored Cross-Site Scripting (XSS) vulnerability exists in version 1. ...) - TODO: check + NOT-FOR-US: Expense Management System application CVE-2021-41433 (SQL Injection vulnerability exists in version 1.0 of the Resumes Manag ...) - TODO: check + NOT-FOR-US: Resumes Management and Job Application Website application CVE-2021-41432 (A stored cross-site scripting (XSS) vulnerability exists in FlatPress ...) NOT-FOR-US: FlatPress CVE-2021-41431 
@@ -77695,7 +77695,7 @@ CVE-2021-40026 (There is a Heap-based buffer overflow vulnerability in the AOD m CVE-2021-40025 (The eID module has a vulnerability that causes the memory to be used w ...) NOT-FOR-US: Huawei CVE-2021-40024 (Implementation of the WLAN module interfaces has the information discl ...) - TODO: check + NOT-FOR-US: Huawei CVE-2021-40023 (Configuration defects in the secure OS module. Successful exploitation ...) NOT-FOR-US: Huawei CVE-2021-40022 (The weaver module has a vulnerability in parameter type verification,S ...) @@ -77709,7 +77709,7 @@ CVE-2021-40019 (Out-of-bounds heap read vulnerability in the HW_KEYMASTER module CVE-2021-40018 (The eID module has a null pointer reference vulnerability. Successful ...) NOT-FOR-US: Huawei CVE-2021-40017 (The HW_KEYMASTER module
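Review bot: the NOT-FOR-US reason for CVE-2022-32540 reads "Information Disclosure in Operator Client application in BVMS nd VIDEOJET Decoder VJD-7513", which contains a typo ("nd") and copies the description instead of naming the product as the neighbouring entries do ("NOT-FOR-US: Ivanti", "NOT-FOR-US: Huawei"); shorten it to the affected product, for example "NOT-FOR-US: BVMS Operator Client and VIDEOJET Decoder VJD-7513". The other hunks in this change are consistent with the existing NOT-FOR-US entries around them.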