[Git][security-tracker-team/security-tracker][master] Add chromium to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 13bf1151 by Salvatore Bonaccorso at 2022-11-09T07:56:49+01:00 Add chromium to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the name of the source pa -- asterisk (apo) -- +chromium +-- commons-configuration2 -- frr View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13bf1151fd7f8b4e1bc15ce2b9bd03f20259 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13bf1151fd7f8b4e1bc15ce2b9bd03f20259 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add new chromium issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b9d7bc9 by Salvatore Bonaccorso at 2022-11-09T07:55:50+01:00 Add new chromium issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -46,16 +46,28 @@ CVE-2022-45045 RESERVED CVE-2022-3890 RESERVED + - chromium + [buster] - chromium (see DSA 5046) CVE-2022-3889 RESERVED + - chromium + [buster] - chromium (see DSA 5046) CVE-2022-3888 RESERVED + - chromium + [buster] - chromium (see DSA 5046) CVE-2022-3887 RESERVED + - chromium + [buster] - chromium (see DSA 5046) CVE-2022-3886 RESERVED + - chromium + [buster] - chromium (see DSA 5046) CVE-2022-3885 RESERVED + - chromium + [buster] - chromium (see DSA 5046) CVE-2022-3884 RESERVED CVE-2022-45044 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b9d7bc91f7c4f845541712d8e8a25e4c570506d
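Review bot: the six `[buster] - chromium (see DSA 5046)` lines carry no state tag between the package name and the parenthesised reference, so as written they record buster as simply unfixed with a stray note. If the intent is to record that chromium is no longer supported in buster per DSA 5046, the tracker's state keyword (e.g. `<end-of-life>`) belongs before `(see DSA 5046)`; it may have been dropped when this mail was rendered, but all six entries should be checked together since they were added in one go.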
[Git][security-tracker-team/security-tracker][master] 2 commits: claim graphicsmagick
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c44a1dd by Thorsten Alteholz at 2022-11-08T23:47:09+01:00 claim graphicsmagick - - - - - 56e94243 by Thorsten Alteholz at 2022-11-09T00:20:08+01:00 claim ntfs-3g - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -82,7 +82,7 @@ golang-websocket NOTE: 20220915: 1 CVE fixed in stretch and bullseye (golang-github-gorilla-websocket) (Beuc/front-desk) NOTE: 20220915: Special attention: limited support; requires rebuilding reverse dependencies -- -graphicsmagick +graphicsmagick (Thorsten Alteholz) NOTE: 20221027: Programming language: C. -- hsqldb @@ -175,7 +175,7 @@ nodejs NOTE: 20221105: VCS: https://salsa.debian.org/lts-team/packages/nodejs.git NOTE: 20221105: Source code not checked. It may be so that the vulnerability is not present in buster. -- -ntfs-3g +ntfs-3g (Thorsten Alteholz) NOTE: 20221031: Programming language: C. NOTE: 20221031: VCS: https://salsa.debian.org/lts-team/packages/ntfs-3g.git -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1a8aba6cbb50136d9809ebd85bd0fd14e4b8d9be...56e9424377bd5bfb79634619de753652a13ebded
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for libbpf issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1a8aba6c by Salvatore Bonaccorso at 2022-11-08T23:14:22+01:00 Add Debian bug reference for libbpf issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6882,7 +6882,7 @@ CVE-2022-3608 (Cross-site Scripting (XSS) - Stored in GitHub repository thorsten CVE-2022-3607 (Failure to Sanitize Special Elements into a Different Plane (Special E ...) - octoprint (bug #718591) CVE-2022-3606 (A vulnerability was found in Linux Kernel. It has been classified as p ...) - - libbpf + - libbpf (bug #1023717) NOTE: Introduced by: https://github.com/libbpf/libbpf/commit/a3abae5122f30b83baebd4e4dd8ba4578a87cd4b (v0.2) NOTE: Fixed by: https://github.com/libbpf/libbpf/commit/3a3ef0c1d09e1894740db71cdcb7be0bfd713671 CVE-2022-3605 
@@ -8088,11 +8088,11 @@ CVE-2022-3535 (A vulnerability classified as problematic was found in Linux Kern - linux 6.0.3-1 NOTE: https://git.kernel.org/linus/0152dfee235e87660f52a117fc9f70dc55956bb4 (6.1-rc1) CVE-2022-3534 (A vulnerability classified as critical has been found in Linux Kernel. ...) - - libbpf + - libbpf (bug #1023717) NOTE: Introduced by: https://github.com/libbpf/libbpf/commit/7ac1547f32f060d84b06c74edbb2c6896cc07949 (v0.2) NOTE: Fixed by: https://github.com/libbpf/libbpf/commit/54caf920db0e489de90f341e2a51ddbcd084 CVE-2022-3533 (A vulnerability was found in Linux Kernel. It has been rated as proble ...) - - libbpf + - libbpf (bug #1023717) [bullseye] - libbpf (Vulnerable code introduced later) NOTE: Introduced by: https://github.com/libbpf/libbpf/commit/557499a13ede6ea86883d070af06621fe990572f (v0.8.0) NOTE: Fixed by: https://github.com/libbpf/libbpf/commit/881a10980b7ded995da5d9cc1919992c36c9d2be View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1a8aba6cbb50136d9809ebd85bd0fd14e4b8d9be
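Review bot: in the CVE-2022-3533 hunk, `[bullseye] - libbpf (Vulnerable code introduced later)` has only a free-text reason after the package name and no state tag; since the adjacent NOTE records the vulnerable code as introduced in v0.8.0, the line presumably means bullseye is not affected and should carry the tracker's `<not-affected>` tag before the parenthesised reason, unless that tag was stripped when the mail was rendered. The same bug reference `(bug #1023717)` is attached to all three libbpf CVEs (CVE-2022-3606, CVE-2022-3534, CVE-2022-3533), which is fine only if that one Debian bug covers all of them.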
[Git][security-tracker-team/security-tracker][master] fix up one entry
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 10f31aaf by Moritz Muehlenhoff at 2022-11-08T22:20:44+01:00 fix up one entry - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30217,7 +30217,7 @@ CVE-2022-34558 (WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr 2 1.4.1rc5 and 1.4.0rc2, CVE-2022-34557 (Barangay Management System v1.0 was discovered to contain a SQL inject ...) NOT-FOR-US: Barangay Management System CVE-2022-34556 (PicoC v3.2.2 was discovered to contain a NULL pointer dereference at v ...) - NOTE: PicoC + NOT-FOR-US: PicoC CVE-2022-34555 (TP-LINK TL-R473G 2.0.1 Build 220529 Rel.65574n was discovered to conta ...) NOT-FOR-US: TP-LINK CVE-2022-34554 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/10f31aaf46876491b8404f1f3e0edcc98d9929ff
[Git][security-tracker-team/security-tracker][master] take php7.4/php-cas, add pixman
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 63d6d0a8 by Moritz Mühlenhoff at 2022-11-08T22:13:45+01:00 take php7.4/php-cas, add pixman - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -33,7 +33,11 @@ multipath-tools -- openexr -- -php7.4 +pixman (carnil) +-- +php7.4 (jmm) +-- +php-cas (jmm) -- php-horde-mime-viewer -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63d6d0a81cd20b27662900109c2e80a4708befc1
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-36077/electron
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2fd8cd97 by Salvatore Bonaccorso at 2022-11-08T22:00:17+01:00 Add CVE-2022-36077/electron - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -26067,7 +26067,7 @@ CVE-2022-36079 (Parse Server is an open source backend that can be deployed to a CVE-2022-36078 (Binary provides encoding/decoding in Borsh and other formats. The vuln ...) NOT-FOR-US: gagliardetto/Binary (tool to provide encoding/decoding in Borsh and other formats) CVE-2022-36077 (The Electron framework enables writing cross-platform desktop applicat ...) - TODO: check + - electron (bug #842420) CVE-2022-36076 (NodeBB Forum Software is powered by Node.js and supports either Redis, ...) NOT-FOR-US: NodeBB CVE-2022-36075 (Nextcloud files access control is a nextcloud app to manage access con ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2fd8cd975452984d8610ff41eab3da0f0ee28412
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9b563796 by Salvatore Bonaccorso at 2022-11-08T21:57:43+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16963,7 +16963,7 @@ CVE-2022-39354 (SputnikVM, also called evm, is a Rust implementation of Ethereum CVE-2022-39353 (xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) ...) TODO: check CVE-2022-39352 (OpenFGA is a high-performance authorization/permission engine inspired ...) - TODO: check + NOT-FOR-US: OpenFGA CVE-2022-39351 (Dependency-Track is a Component Analysis platform that allows organiza ...) NOT-FOR-US: Dependency-Track CVE-2022-39350 (@dependencytrack/frontend is a Single Page Application (SPA) used in D ...) @@ -16985,7 +16985,7 @@ CVE-2022-39345 (Gin-vue-admin is a backstage management system based on vue and CVE-2022-39344 (Azure RTOS USBX is a USB host, device, and on-the-go (OTG) embedded st ...) NOT-FOR-US: Azure RTOS USBX CVE-2022-39343 (Azure RTOS FileX is a FAT-compatible file system thats fully in ...) - TODO: check + NOT-FOR-US: Azure RTOS FileX CVE-2022-39342 (OpenFGA is an authorization/permission engine. Versions prior to versi ...) NOT-FOR-US: OpenFGA CVE-2022-39341 (OpenFGA is an authorization/permission engine. Versions prior to versi ...) @@ -17528,7 +17528,7 @@ CVE-2022-39159 CVE-2022-39158 (A vulnerability has been identified in RUGGEDCOM ROS RMC30 V4.X (All v ...) NOT-FOR-US: Siemens CVE-2022-39157 (A vulnerability has been identified in Parasolid V34.0 (All versions & ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-39156 (A vulnerability has been identified in Parasolid V33.1 (All versions & ...) NOT-FOR-US: Siemens CVE-2022-39155 (A vulnerability has been identified in Parasolid V33.1 (All versions & ...) 
@@ -17570,7 +17570,7 @@ CVE-2022-39138 (A vulnerability has been identified in Parasolid V33.1 (All vers CVE-2022-39137 (A vulnerability has been identified in Parasolid V33.1 (All versions & ...) NOT-FOR-US: Siemens CVE-2022-39136 (A vulnerability has been identified in JT2Go (All versions V14.1. ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-39135 (In Apache Calcite prior to version 1.32.0 the SQL operators EXISTS_NOD ...) NOT-FOR-US: Apache Calcite CVE-2022-39134 @@ -17758,7 +17758,7 @@ CVE-2022-39071 CVE-2022-39070 RESERVED CVE-2022-39069 (There is a SQL injection vulnerability in ZTE ZAIP-AIE. Due to lack of ...) - TODO: check + NOT-FOR-US: ZTE CVE-2022-39068 RESERVED CVE-2022-39067 @@ -29395,9 +29395,9 @@ CVE-2022-33177 (Cross-Site Request Forgery (CSRF) vulnerability in WPdevelop/Opl CVE-2022-32970 RESERVED CVE-2022-32776 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Adva ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-32587 (Cross-Site Request Forgery (CSRF) vulnerability in CodeAndMore WP Page ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-30998 (Multiple Authenticated (subscriber or higher user role) SQL Injection ...) NOT-FOR-US: WordPress plugin CVE-2022-30705 @@ -39361,7 +39361,7 @@ CVE-2022-31201 (SoftGuard Web (SGW) before 5.1.5 allows HTML injection. ...) CVE-2022-31200 RESERVED CVE-2022-31199 (Remote code execution vulnerabilities exist in the Netwrix Auditor Use ...) - TODO: check + NOT-FOR-US: Netwrix Auditor CVE-2022-1797 (A malformed Class 3 common industrial protocol message with a cached c ...) NOT-FOR-US: Rockwell Automation CVE-2022-31198 (OpenZeppelin Contracts is a library for secure smart contract developm ...) 
@@ -40813,7 +40813,7 @@ CVE-2022-30696 (Local privilege escalation due to a DLL hijacking vulnerability. CVE-2022-30695 (Local privilege escalation due to excessive permissions assigned to ch ...) NOT-FOR-US: Acronis CVE-2022-30694 (A vulnerability has been identified in SIMATIC Drive Controller family ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-30543 RESERVED CVE-2022-29485 (Cross-site scripting vulnerability in SHIRASAGI v1.0.0 to v1.14.2, and ...) @@ -49270,7 +49270,7 @@ CVE-2022-27916 CVE-2022-27915 RESERVED CVE-2022-27914 (An issue was discovered in Joomla! 4.0.0 through 4.2.4. Inadequate fil ...) - TODO: check + NOT-FOR-US: Joomla! CVE-2022-27913 (An issue was discovered in Joomla! 4.2.0 through 4.2.3. Inadequate fil ...) NOT-FOR-US: Joomla! CVE-2022-27912 (An issue was discovered in Joomla! 4.0.0 through 4.2.3. Sites with pub ...) @@ -49474,13 +49474,13 @@ CVE-2022-27860 (Cross-Site Request Forgery (CSRF) leading to Cross-Site Scriptin CVE-2022-27859 (Multiple Authenticated (contributor or
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 724450e2 by Salvatore Bonaccorso at 2022-11-08T21:33:12+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6525,9 +6525,9 @@ CVE-2022-43548 [DNS rebinding in --inspect via invalid octal IP address] CVE-2022-43547 RESERVED CVE-2022-43546 (A vulnerability has been identified in POWER METER SICAM Q100 (All ver ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-43545 (A vulnerability has been identified in POWER METER SICAM Q100 (All ver ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-43542 RESERVED CVE-2022-43541 @@ -6593,7 +6593,7 @@ CVE-2022-43499 CVE-2022-43492 RESERVED CVE-2022-43491 (Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pr ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-43490 RESERVED CVE-2022-43488 @@ -6601,7 +6601,7 @@ CVE-2022-43488 CVE-2022-43482 RESERVED CVE-2022-43481 (Cross-Site Request Forgery (CSRF) vulnerability in Advanced Coupons fo ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-43480 RESERVED CVE-2022-43479 @@ -6633,7 +6633,7 @@ CVE-2022-43445 CVE-2022-43441 RESERVED CVE-2022-43439 (A vulnerability has been identified in POWER METER SICAM Q100 (All ver ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-43438 RESERVED CVE-2022-43437 @@ -6657,7 +6657,7 @@ CVE-2022-42698 CVE-2022-42497 RESERVED CVE-2022-42494 (Server Side Request Forgery (SSRF) vulnerability in All in One SEO Pro ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-42485 RESERVED CVE-2022-42479 @@ -6681,7 +6681,7 @@ CVE-2022-41990 CVE-2022-41987 RESERVED CVE-2022-41980 (Auth. (admin+) Cross-Site Scripting (XSS) vulnerability in Mantenimien ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-41978 RESERVED CVE-2022-41840 
@@ -7013,9 +7013,9 @@ CVE-2022-3592 [Wide links protection broken] CVE-2022-43399 RESERVED CVE-2022-43398 (A vulnerability has been identified in POWER METER SICAM Q100 (All ver ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-43397 (A vulnerability has been identified in Parasolid V34.0 (All versions & ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-43396 RESERVED CVE-2022-3591 @@ -7155,7 +7155,7 @@ CVE-2022-43361 (Senayan Library Management System v9.4.2 was discovered to conta CVE-2022-43360 RESERVED CVE-2022-43359 (Gifdec commit 1dcbae19363597314f6623010cc80abad4e47f7c was discovered ...) - TODO: check + NOT-FOR-US: Gifdec CVE-2022-43358 RESERVED CVE-2022-43357 @@ -7187,7 +7187,7 @@ CVE-2022-43345 CVE-2022-43344 RESERVED CVE-2022-43343 (N-Prolog v1.91 was discovered to contain a global buffer overflow vuln ...) - TODO: check + NOT-FOR-US: N-Prolog CVE-2022-43342 RESERVED CVE-2022-43341 @@ -11184,7 +11184,7 @@ CVE-2022-41759 CVE-2022-41758 RESERVED CVE-2022-41757 (An issue was discovered in the Arm Mali GPU Kernel Driver. A non-privi ...) - TODO: check + NOT-FOR-US: Arm Mali GPU Kernel Driver CVE-2022-41756 RESERVED CVE-2022-41755 
@@ -11410,15 +11410,15 @@ CVE-2022-41666 (A CWE-347: Improper Verification of Cryptographic Signature vuln CVE-2022-41665 (A vulnerability has been identified in SICAM P850 (All versions V ...) NOT-FOR-US: Siemens CVE-2022-41664 (A vulnerability has been identified in JT2Go (All versions V14.1. ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-41663 (A vulnerability has been identified in JT2Go (All versions V14.1. ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-41662 (A vulnerability has been identified in JT2Go (All versions V14.1. ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-41661 (A vulnerability has been identified in JT2Go (All versions V14.1. ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-41660 (A vulnerability has been identified in JT2Go (All versions V14.1. ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-41656 RESERVED CVE-2022-41655 @@ -11537,7 +11537,7 @@ CVE-2022-41315 CVE-2022-41155 RESERVED CVE-2022-41136 (Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cros ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-41135 RESERVED CVE-2022-41134 @@ -11573,7 +11573,7 @@ CVE-2022-40192 CVE-2022-40130 RESERVED CVE-2022-40128 (Cross-Site Request Forgery (CSRF) vulnerability in Advanced Order Expo ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-39044 RESERVED CVE-2022-38467 @@ -12036,11 +12036,11 @@ CVE-2022-41436 (An issue
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 07c5fb1e by Salvatore Bonaccorso at 2022-11-08T21:21:10+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2938,27 +2938,27 @@ CVE-2022-44323 CVE-2022-44322 RESERVED CVE-2022-44321 (PicoC Version 3.2.2 was discovered to contain a heap buffer overflow i ...) - TODO: check + NOT-FOR-US: PicoC CVE-2022-44320 (PicoC Version 3.2.2 was discovered to contain a heap buffer overflow i ...) - TODO: check + NOT-FOR-US: PicoC CVE-2022-44319 (PicoC Version 3.2.2 was discovered to contain a heap buffer overflow i ...) - TODO: check + NOT-FOR-US: PicoC CVE-2022-44318 (PicoC Version 3.2.2 was discovered to contain a heap buffer overflow i ...) - TODO: check + NOT-FOR-US: PicoC CVE-2022-44317 (PicoC Version 3.2.2 was discovered to contain a heap buffer overflow i ...) - TODO: check + NOT-FOR-US: PicoC CVE-2022-44316 (PicoC Version 3.2.2 was discovered to contain a heap buffer overflow i ...) - TODO: check + NOT-FOR-US: PicoC CVE-2022-44315 (PicoC Version 3.2.2 was discovered to contain a heap buffer overflow i ...) - TODO: check + NOT-FOR-US: PicoC CVE-2022-44314 (PicoC Version 3.2.2 was discovered to contain a heap buffer overflow i ...) - TODO: check + NOT-FOR-US: PicoC CVE-2022-44313 (PicoC Version 3.2.2 was discovered to contain a heap buffer overflow i ...) - TODO: check + NOT-FOR-US: PicoC CVE-2022-44312 (PicoC Version 3.2.2 was discovered to contain a heap buffer overflow i ...) - TODO: check + NOT-FOR-US: PicoC CVE-2022-44311 (html2xhtml v1.3 was discovered to contain an Out-Of-Bounds read in the ...) - TODO: check + NOT-FOR-US: html2xhtml CVE-2022-44310 RESERVED CVE-2022-44309 
@@ -5461,7 +5461,7 @@ CVE-2023-0002 CVE-2023-0001 RESERVED CVE-2022-43958 (A vulnerability has been identified in QMS Automotive (All versions). ...) - TODO: check + NOT-FOR-US: QMS Automotive CVE-2022-43957 RESERVED CVE-2022-43956 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/07c5fb1ecc3c85277082660d3334c4cd3751a4c0
[Git][security-tracker-team/security-tracker][master] Correct association for CVE-2022-34556 to PicoC
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ed7ddb08 by Salvatore Bonaccorso at 2022-11-08T21:17:09+01:00 Correct association for CVE-2022-34556 to PicoC - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30217,7 +30217,7 @@ CVE-2022-34558 (WMAgent v1.3.3rc2 and 1.3.3rc1, reqmgr 2 1.4.1rc5 and 1.4.0rc2, CVE-2022-34557 (Barangay Management System v1.0 was discovered to contain a SQL inject ...) NOT-FOR-US: Barangay Management System CVE-2022-34556 (PicoC v3.2.2 was discovered to contain a NULL pointer dereference at v ...) - NOT-FOR-US: Node picoc-js + NOTE: PicoC CVE-2022-34555 (TP-LINK TL-R473G 2.0.1 Build 220529 Rel.65574n was discovered to conta ...) NOT-FOR-US: TP-LINK CVE-2022-34554 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed7ddb08c1967b73b0f88d37d9938e32a8f0d64f
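Review bot: the replacement line `NOTE: PicoC` leaves CVE-2022-34556 with no package state at all, only a note. The sibling PicoC entries (CVE-2022-44312 through CVE-2022-44321) were processed as `NOT-FOR-US: PicoC` in commit 07c5fb1e, so this entry should use the same `NOT-FOR-US: PicoC` marker rather than a bare NOTE; commit 10f31aaf ("fix up one entry") later makes exactly that correction.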
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f7e7b05b by Salvatore Bonaccorso at 2022-11-08T21:15:13+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -721,7 +721,7 @@ CVE-2022-44743 CVE-2022-44742 RESERVED CVE-2022-44741 (Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-44740 RESERVED CVE-2022-44739 @@ -2403,7 +2403,7 @@ CVE-2022-44558 CVE-2022-44557 RESERVED CVE-2022-44556 (Missing parameter type validation in the DRM module. Successful exploi ...) - TODO: check + NOT-FOR-US: Huawei CVE-2022-44555 RESERVED CVE-2022-44554 @@ -2615,7 +2615,7 @@ CVE-2022-44459 CVE-2022-44458 RESERVED CVE-2022-44457 (A vulnerability has been identified in Mendix SAML Module (Mendix 7 co ...) - TODO: check + NOT-FOR-US: Siemens CVE-2022-43506 RESERVED CVE-2022-43495 (OpenHarmony-v3.1.2 and prior versions had a DOS vulnerability in distr ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7e7b05b1ca1e94caf06b7cb4a626f0ab47f49e5
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c38c374a by security tracker role at 2022-11-08T20:10:28+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,47 @@ +CVE-2022-45058 + RESERVED +CVE-2022-45057 + RESERVED +CVE-2022-45056 + RESERVED +CVE-2022-45055 + RESERVED +CVE-2022-45054 + RESERVED +CVE-2022-45053 + RESERVED +CVE-2022-45052 + RESERVED +CVE-2022-45051 + RESERVED +CVE-2022-45050 + RESERVED +CVE-2022-45049 + RESERVED +CVE-2022-45048 + RESERVED +CVE-2022-45047 + RESERVED +CVE-2022-45046 + RESERVED +CVE-2022-3899 + RESERVED +CVE-2022-3898 + RESERVED +CVE-2022-3897 + RESERVED +CVE-2022-3896 + RESERVED +CVE-2022-3895 + RESERVED +CVE-2022-3894 + RESERVED +CVE-2022-3893 + RESERVED +CVE-2022-3892 + RESERVED +CVE-2022-3891 + RESERVED CVE-2022-45045 RESERVED CVE-2022-3890 @@ -676,8 +720,8 @@ CVE-2022-44743 RESERVED CVE-2022-44742 RESERVED -CVE-2022-44741 - RESERVED +CVE-2022-44741 (Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site ...) + TODO: check CVE-2022-44740 RESERVED CVE-2022-44739 @@ -2358,8 +2402,8 @@ CVE-2022-44558 RESERVED CVE-2022-44557 RESERVED -CVE-2022-44556 - RESERVED +CVE-2022-44556 (Missing parameter type validation in the DRM module. Successful exploi ...) + TODO: check CVE-2022-44555 RESERVED CVE-2022-44554 @@ -2570,8 +2614,8 @@ CVE-2022-44459 RESERVED CVE-2022-44458 RESERVED -CVE-2022-44457 - RESERVED +CVE-2022-44457 (A vulnerability has been identified in Mendix SAML Module (Mendix 7 co ...) + TODO: check CVE-2022-43506 RESERVED CVE-2022-43495 (OpenHarmony-v3.1.2 and prior versions had a DOS vulnerability in distr ...) 
@@ -2893,28 +2937,28 @@ CVE-2022-44323 RESERVED CVE-2022-44322 RESERVED -CVE-2022-44321 - RESERVED -CVE-2022-44320 - RESERVED -CVE-2022-44319 - RESERVED -CVE-2022-44318 - RESERVED -CVE-2022-44317 - RESERVED -CVE-2022-44316 - RESERVED -CVE-2022-44315 - RESERVED -CVE-2022-44314 - RESERVED -CVE-2022-44313 - RESERVED -CVE-2022-44312 - RESERVED -CVE-2022-44311 - RESERVED +CVE-2022-44321 (PicoC Version 3.2.2 was discovered to contain a heap buffer overflow i ...) + TODO: check +CVE-2022-44320 (PicoC Version 3.2.2 was discovered to contain a heap buffer overflow i ...) + TODO: check +CVE-2022-44319 (PicoC Version 3.2.2 was discovered to contain a heap buffer overflow i ...) + TODO: check +CVE-2022-44318 (PicoC Version 3.2.2 was discovered to contain a heap buffer overflow i ...) + TODO: check +CVE-2022-44317 (PicoC Version 3.2.2 was discovered to contain a heap buffer overflow i ...) + TODO: check +CVE-2022-44316 (PicoC Version 3.2.2 was discovered to contain a heap buffer overflow i ...) + TODO: check +CVE-2022-44315 (PicoC Version 3.2.2 was discovered to contain a heap buffer overflow i ...) + TODO: check +CVE-2022-44314 (PicoC Version 3.2.2 was discovered to contain a heap buffer overflow i ...) + TODO: check +CVE-2022-44313 (PicoC Version 3.2.2 was discovered to contain a heap buffer overflow i ...) + TODO: check +CVE-2022-44312 (PicoC Version 3.2.2 was discovered to contain a heap buffer overflow i ...) + TODO: check +CVE-2022-44311 (html2xhtml v1.3 was discovered to contain an Out-Of-Bounds read in the ...) + TODO: check CVE-2022-44310 RESERVED CVE-2022-44309 @@ -5416,8 +5460,8 @@ CVE-2023-0002 RESERVED CVE-2023-0001 RESERVED -CVE-2022-43958 - RESERVED +CVE-2022-43958 (A vulnerability has been identified in QMS Automotive (All versions). ...) + TODO: check CVE-2022-43957 RESERVED CVE-2022-43956 
@@ -5877,6 +5921,7 @@ CVE-2022-43762 CVE-2022-43761 RESERVED CVE-2022-3705 (A vulnerability was found in vim and classified as problematic. Affect ...) + {DLA-3182-1} - vim 2:9.0.0813-1 NOTE: https://github.com/vim/vim/commit/d0fab10ed2a86698937e3c3fed2f10bd9bb5e731 (v9.0.0805) CVE-2022-3704 (A vulnerability classified as problematic has been found in Ruby on Ra ...) @@ -6479,10 +6524,10 @@ CVE-2022-43548 [DNS rebinding in --inspect via invalid octal IP address] NOTE: https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/#dns-rebinding-in-inspect-via-invalid-octal-ip-address-medium-cve-2022-43548 CVE-2022-43547 RESERVED -CVE-2022-43546 - RESERVED -CVE-2022-43545 - RESERVED +CVE-2022-43546 (A vulnerability has been identified in POWER METER SICAM Q100 (All ver ...) + TODO: check +CVE-2022-43545 (A vulnerability has
[Git][security-tracker-team/security-tracker][master] Update information according to XSA-422
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 729ac14a by Salvatore Bonaccorso at 2022-11-08T21:08:18+01:00 Update information according to XSA-422 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -61967,8 +61967,15 @@ CVE-2022-23825 (Aliases in the branch predictor may cause some AMD processors to NOTE: https://comsec.ethz.ch/wp-content/files/retbleed_addendum_sec22.pdf NOTE: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037 NOTE: https://xenbits.xen.org/xsa/advisory-407.html -CVE-2022-23824 + NOTE: Followup (which did not got a new CVE allocated by AMD): + NOTE: https://xenbits.xen.org/xsa/advisory-422.html + NOTE: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1044 +CVE-2022-23824 [x86: Multiple speculative security issues] RESERVED + - xen + [buster] - xen (DSA 4677-1) + NOTE: https://xenbits.xen.org/xsa/advisory-422.html + NOTE: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1040 CVE-2022-23823 (A potential vulnerability in some AMD processors using frequency scali ...) NOT-FOR-US: hardware vulnerability in AMD CPUs NOTE: https://www.hertzbleed.com/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/729ac14a65bb46e36e89aa5898213f59c5a1adc1
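Review bot: the added `[buster] - xen (DSA 4677-1)` line has no state tag between the package and the DSA reference, so it reads as an unfixed buster entry with a stray reference; if DSA 4677-1 is being cited as the reason xen is no longer supported in buster, the state tag (`<end-of-life>`) belongs before the parenthesis, unless it was stripped when the mail was rendered. Minor wording in the NOTE line: `which did not got a new CVE allocated` should read `which did not get a new CVE allocated`.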
[Git][security-tracker-team/security-tracker][master] 2 commits: Add Debian bug reference for CVE-2021-37789/libstb
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 00168749 by Salvatore Bonaccorso at 2022-11-08T20:54:46+01:00 Add Debian bug reference for CVE-2021-37789/libstb - - - - - bce19224 by Salvatore Bonaccorso at 2022-11-08T21:01:18+01:00 Mark for now CVE-2022-41852 as unimportant According to the current upstream discussion the CVE might even be rejected completely as the issue is not to be considered a security vulnerability by upstream. Link: https://github.com/apache/commons-jxpath/pull/26#issuecomment-1307567283 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10846,10 +10846,13 @@ CVE-2022-41853 (Those using java.sql.Statement or java.sql.PreparedStatement in NOTE: http://hsqldb.org/doc/2.0/guide/sqlroutines-chapt.html#src_jrt_access_control NOTE: https://sourceforge.net/p/hsqldb/svn/6614/ CVE-2022-41852 (Those using JXPath to interpret untrusted XPath expressions may be vul ...) - - libcommons-jxpath-java + - libcommons-jxpath-java (unimportant) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133 NOTE: https://github.com/apache/commons-jxpath/pull/25 NOTE: https://github.com/apache/commons-jxpath/pull/26 + NOTE: https://github.com/apache/commons-jxpath/pull/26#issuecomment-1307567283 + NOTE: JEXL is NOT expected to safely handle untrusted input, not considered a + NOTE: vulnerability by upstream CVE-2022-41851 (A vulnerability has been identified in JTTK (All versions V11.1.1 ...) NOT-FOR-US: JTTK CVE-2022-41836 (When an 'Attack Signature False Positive Mode' enabled security policy ...) 
@@ -94492,7 +94495,7 @@ CVE-2021-37791 (MyAdmin v1.0 is affected by an incorrect access control vulnerab CVE-2021-37790 RESERVED CVE-2021-37789 (stb_image.h 2.27 has a heap-based buffer over in stbi__jpeg_load, lead ...) - - libstb + - libstb (bug #1023693) [bullseye] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/issues/1178 CVE-2021-37788 (A vulnerability in the web UI of Gurock TestRail v5.3.0.3603 could all ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a5a10cee15787ce0a2f1514aa40e0e84e40504ca...bce19224ade71d2bae993366f097deb6c84e5691
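Review bot: the new NOTE under CVE-2022-41852 says "JEXL is NOT expected to safely handle untrusted input", but the entry, the CVE text ("Those using JXPath ...") and the linked pull requests are all about JXPath (libcommons-jxpath-java); if the upstream comment is about JXPath, the NOTE should name JXPath, otherwise add a few words on why JEXL is relevant to this package, since the downgrade to (unimportant) rests on that sentence.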
[Git][security-tracker-team/security-tracker][master] dla: add qemu
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: a5a10cee by Sylvain Beucler at 2022-11-08T20:08:34+01:00 dla: add qemu - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -227,6 +227,11 @@ python-django (Chris Lamb) NOTE: 20221103: Re-added pre-20221031 comments from Git and reclaimed; will upload at least CVE-2022-28346 soon. (lamby) NOTE: 20221104: Uploaded with three more CVEs: CVE-2022-28346 CVE-2021-45115 CVE-2021-45116 (lamby) -- +qemu + NOTE: 20221108: Programming language: C. + NOTE: 20221108: I updated the status of all opened (minor) CVEs to more clearly state whether we can fix or are waiting for a patch, + NOTE: 20221108: there's about half of them that can be fixed (or definitely ignored if we can't) (Beuc/front-desk) +-- r-cran-commonmark NOTE: 20221009: Programming language: R. NOTE: 20221009: Please synchronize with ghostwriter. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5a10cee15787ce0a2f1514aa40e0e84e40504ca
[Git][security-tracker-team/security-tracker][master] webkit2gtk DSA-5273-1 and wpewebkit DSA-5274-1
Alberto Garcia pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f1fc72e by Alberto Garcia at 2022-11-08T18:48:10+01:00 webkit2gtk DSA-5273-1 and wpewebkit DSA-5274-1 - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,9 @@ +[08 Nov 2022] DSA-5274-1 wpewebkit - security update + {CVE-2022-42799 CVE-2022-42823 CVE-2022-42824} + [bullseye] - wpewebkit 2.38.2-1~deb11u1 +[08 Nov 2022] DSA-5273-1 webkit2gtk - security update + {CVE-2022-42799 CVE-2022-42823 CVE-2022-42824} + [bullseye] - webkit2gtk 2.38.2-1~deb11u1 [06 Nov 2022] DSA-5272-1 xen - security update {CVE-2022-33745 CVE-2022-33746 CVE-2022-33747 CVE-2022-33748 CVE-2022-42309 CVE-2022-42310 CVE-2022-42311 CVE-2022-42312 CVE-2022-42313 CVE-2022-42314 CVE-2022-42315 CVE-2022-42316 CVE-2022-42317 CVE-2022-42318 CVE-2022-42319 CVE-2022-42320 CVE-2022-42321 CVE-2022-42322 CVE-2022-42323 CVE-2022-42324 CVE-2022-42325 CVE-2022-42326} [bullseye] - xen 4.14.5+86-g1c354767d5-1 = data/dsa-needed.txt = @@ -64,7 +64,3 @@ sox -- tiff -- -webkit2gtk (berto) --- -wpewebkit (berto) --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f1fc72e077032248306871ce12bdeabe1b0a430
[Git][security-tracker-team/security-tracker][master] qemu: update buster triage 2019-2020 for LTS
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 7563bbe4 by Sylvain Beucler at 2022-11-08T17:57:30+01:00 qemu: update buster triage 2019-2020 for LTS - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -140657,10 +140657,10 @@ CVE-2020-35504 (A NULL pointer dereference flaw was found in the SCSI emulation CVE-2020-35503 (A NULL pointer dereference flaw was found in the megasas-gen2 SCSI hos ...) - qemu (bug #979678) [bullseye] - qemu (Minor issue) - [buster] - qemu (Fix along in future DSA) - [stretch] - qemu (Fix along in future DLA) + [buster] - qemu (Minor issue, waiting for sanctioned patch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1910346 - NOTE: No upstream patch as of 2022-04-21 + NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-12/msg06065.html + NOTE: No sanctioned upstream patch as of 2022-11-08 CVE-2020-35502 (A flaw was found in Privoxy in versions before 3.0.29. Memory leaks wh ...) {DLA-2548-1} - privoxy 3.0.29-1 @@ -144896,7 +144896,7 @@ CVE-2020-29130 (slirp.c in libslirp through 4.3.1 has a buffer over-read because {DLA-2560-1} - libslirp 4.4.0-1 - qemu 1:4.1-2 - [buster] - qemu (Fix along in future DSA) + [buster] - qemu (Fix along with next DLA, fixed in stretch-lts) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f (v4.4.0) NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed. NOTE: https://github.com/rootless-containers/slirp4netns/security/advisories/GHSA-2j37-w439-87q3 
@@ -156645,27 +156645,24 @@ CVE-2020-25744 (SaferVPN before 5.0.3.3 on Windows could allow low-privileged us CVE-2020-25743 (hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereferen ...) - qemu (bug #970940) [bullseye] - qemu (Minor issue, revisit when fixed upstream) - [buster] - qemu (Fix along in next qemu DSA) - [stretch] - qemu (Fix along in future DLA) + [buster] - qemu (Minor issue, waiting for sanctioned patch) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01568.html NOTE: https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fide_nullptr1 - NOTE: No upstream patch as of 2022-04-21 + NOTE: No sanctioned upstream patch as of 2022-11-08 CVE-2020-25742 (pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL p ...) - qemu (bug #971390) [bullseye] - qemu (Minor issue, revisit when fixed upstream) - [buster] - qemu (Fix along in next qemu DSA) - [stretch] - qemu (Fix along in future DLA) + [buster] - qemu (Minor issue, waiting for sanctioned patch) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg05294.html NOTE: https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Flsi_nullptr1 - NOTE: No upstream patch as of 2022-04-21 + NOTE: No sanctioned upstream patch as of 2022-11-08 CVE-2020-25741 (fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer d ...) - qemu (bug #970939) [bullseye] - qemu (Minor issue, revisit when fixed upstream) - [buster] - qemu (Fix along in next qemu DSA) - [stretch] - qemu (Fix along in future DLA) + [buster] - qemu (Minor issue, waiting for sanctioned patch) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg07779.html NOTE: https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Ffdc_nullptr1 - NOTE: No upstream patch as of 2022-04-21 + NOTE: No sanctioned upstream patch as of 2022-11-08 CVE-2020-25740 RESERVED CVE-2020-25739 (An issue was discovered in the gon gem before gon-6.4.0 for Ruby. Mult ...) 
@@ -158425,7 +158422,7 @@ CVE-2020-25086 (Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in CVE-2021-3409 (The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffectiv ...) {DLA-2623-1} - qemu 1:5.2+dfsg-10 (bug #986795) - [buster] - qemu (CVE-2020-17380/CVE-2020-25085 weren't backported to Buster) + [buster] - qemu (CVE-2020-17380 wasn't backported to Buster) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1928146 NOTE: https://www.openwall.com/lists/oss-security/2021/03/09/1 NOTE: New patch series: https://lists.nongnu.org/archive/html/qemu-devel/2021-03/msg00949.html @@ -158434,6 +158431,7 @@ CVE-2021-3409 (The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineff NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=bc6f28995ff88f5d82c38afcfd65406f0ae375aa NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=5cd7aa3451b76bb19c0f6adc2b931f091e5d7fcd NOTE:
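Review bot: the [buster] annotation on CVE-2021-3409 drops CVE-2020-25085 from the reason ("CVE-2020-17380 wasn't backported to Buster") while the CVE text still describes the patch for both CVE-2020-17380 and CVE-2020-25085 as ineffective; a NOTE stating whether CVE-2020-25085 was in fact backported to buster would let the next triager check the narrowed reasoning.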
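Review bot: in the CVE-2020-35503, CVE-2020-25743, CVE-2020-25742 and CVE-2020-25741 hunks the [stretch] lines are deleted rather than updated, while the commit message only speaks of buster triage; if stretch is no longer tracked in this file, say so in the message, otherwise keep the stretch status alongside the new "waiting for sanctioned patch" annotation.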
[Git][security-tracker-team/security-tracker][master] 2 commits: Add vim to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: af7fcaff by Markus Koschany at 2022-11-08T16:30:31+01:00 Add vim to dla-needed.txt - - - - - 0e237003 by Markus Koschany at 2022-11-08T16:30:53+01:00 Claim libjettison-java in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -132,7 +132,7 @@ libde265 NOTE: 20221107: Most vulnerabilities unfixed upstream, but a handful are fixed, and v1.0.9 (2022-10) is a security release (Beuc/front-desk) NOTE: 20221107: No prior DSA/DLA/ELA afaics (Beuc/front-desk) -- -libjettison-java +libjettison-java (Markus Koschany) NOTE: 20221030: Programming language: Java. -- libreoffice @@ -289,6 +289,10 @@ trafficserver (Abhijith PA) twisted NOTE: 20221030: Programming language: Python. -- +vim + NOTE: 20221108: Programming language: C. + NOTE: 20221108: VCS: https://salsa.debian.org/lts-team/packages/vim.git +-- virglrenderer (Thorsten Alteholz) NOTE: 20221009: Programming language: C. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3e24d0f64c1f632f06dc68f5a4c3725b012d27f3...0e2370039c9512ec9e1a7752f92b2907c21cc4e9
[Git][security-tracker-team/security-tracker][master] Triage CVE of vim/buster
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e24d0f6 by Markus Koschany at 2022-11-08T16:18:04+01:00 Triage CVE of vim/buster Triage several CVE as not affected because the vulnerable code was introduced later - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19890,6 +19890,7 @@ CVE-2022-2863 (The Migration, Backup, Staging WordPress plugin before 0.9.76 doe NOT-FOR-US: WordPress plugin CVE-2022-2862 (Use After Free in GitHub repository vim/vim prior to 9.0.0221. ...) - vim 2:9.0.0229-1 + [buster] - vim (The vulnerable code was introduced later) NOTE: https://huntr.dev/bounties/71180988-1ab6-4311-bca8-e9a879b06765 NOTE: https://github.com/vim/vim/commit/1889f499a4f248cd84e0e0bf6d0d820016774494 (v9.0.0221) CVE-2022-2861 (Inappropriate implementation in Extensions API in Google Chrome prior ...) @@ -20176,6 +20177,7 @@ CVE-2022-2820 (Improper Access Control in GitHub repository namelessmc/nameless NOT-FOR-US: NamelessMC/Nameless CVE-2022-2819 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0 ...) - vim 2:9.0.0229-1 + [buster] - vim (The vulnerable code was introduced later) NOTE: https://huntr.dev/bounties/0a9bd71e-66b8-4eb1-9566-7dfd9b097e59 NOTE: https://github.com/vim/vim/commit/d1d8f6bacb489036d0fd479c9dd3c0102c99 (v9.0.0211) CVE-2022-2818 (Authentication Bypass by Primary Weakness in GitHub repository cockpit ...) @@ -20365,6 +20367,7 @@ CVE-2022-38218 RESERVED CVE-2022-2817 (Use After Free in GitHub repository vim/vim prior to 9.0.0213. ...) - vim 2:9.0.0229-1 (unimportant) + [buster] - vim (The vulnerable code was introduced later) NOTE: https://huntr.dev/bounties/a7b7d242-3d88-4bde-a681-6c986aff886f NOTE: https://github.com/vim/vim/commit/249e1b903a9c0460d618f6dcc59aeb8c03b24b20 (v9.0.0213) NOTE: Crash in CLI tool, no security impact 
@@ -23609,6 +23612,7 @@ CVE-2022-2572 (In affected versions of Octopus Server where access is managed by NOT-FOR-US: Octopus Server CVE-2022-2571 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0 ...) - vim 2:9.0.0135-1 (unimportant) + [buster] - vim (The vulnerable code was introduced later) NOTE: https://huntr.dev/bounties/2e5a1dc4-2dfb-4e5f-8c70-e1ede21f3571/ NOTE: https://github.com/vim/vim/commit/a6f9e300161f4cb54713da22f65b261595e8e614 (v9.0.0102) NOTE: Crash in CLI tool, no security impact @@ -60469,8 +60473,8 @@ CVE-2022-0408 (Stack-based Buffer Overflow in GitHub repository vim/vim prior to CVE-2022-0407 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. ...) - vim 2:8.2.4659-1 [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) - [stretch] - vim (vulnerable code is not present) + [buster] - vim (The vulnerable code is not present) + [stretch] - vim (The vulnerable code is not present) NOTE: https://huntr.dev/bounties/81822bf7-aafe-4d37-b836-1255d46e572c NOTE: https://github.com/vim/vim/commit/44db8213d38c39877d2148eff6a72f4beccfb94e (v8.2.4219) CVE-2022-24112 (An attacker can abuse the batch-requests plugin to send requests to by ...) @@ -60628,8 +60632,8 @@ CVE-2022-0394 (Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelpe CVE-2022-0393 (Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. ...) - vim 2:8.2.4659-1 [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) - [stretch] - vim (vulnerable code is not present) + [buster] - vim (The vulnerable code is not present) + [stretch] - vim (The vulnerable code is not present) NOTE: https://huntr.dev/bounties/ecc8f488-01a0-477f-848f-e30b8e524bba NOTE: https://github.com/vim/vim/commit/a4bc2dd7cccf5a4a9f78b58b6f35a45d17164323 (v8.2.4233) CVE-2022-24069 (An issue was discovered in AhciBusDxe in Insyde InsydeH2O with kernel ...) 
@@ -65442,8 +65446,8 @@ CVE-2022-0159 (orchardcore is vulnerable to Improper Neutralization of Input Dur CVE-2022-0158 (vim is vulnerable to Heap-based Buffer Overflow ...) - vim 2:8.2.4659-1 [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) - [stretch] - vim (vulnerable code was introduced later) + [buster] - vim (The vulnerable code was introduced later) + [stretch] - vim (The vulnerable code was introduced later) NOTE: https://huntr.dev/bounties/ac5d7005-07c6-4a0a-b251-ba9cdbf6738b/ NOTE: https://github.com/vim/vim/commit/5f25c3855071bd7e26255c68bf458b1b5cf92f39 (v8.2.4049) CVE-2022-0157 (phoronix-test-suite is vulnerable to Improper Neutralization of Input ...) @@ -74891,8 +74895,8 @@ CVE-2021-3969 (A Time of Check
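Review bot: the new [buster] annotations spell out "The vulnerable code was introduced later" / "The vulnerable code is not present", whereas the [stretch] lines they replace used the shorter lowercase "vulnerable code is not present" and other entries in this file use "(Vulnerable code introduced later)" (see the [stretch] line on CVE-2021-3929 in commit 2e85e39d); keeping one wording makes these not-affected markers grep consistently. The commit message gives "introduced later" as the reason for all of them, but CVE-2022-0407 and CVE-2022-0393 get "is not present" instead; say which applies where.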
[Git][security-tracker-team/security-tracker][master] lts: take webkit2gtk
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: ad21c7ea by Emilio Pozuelo Monfort at 2022-11-08T15:44:53+01:00 lts: take webkit2gtk - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -292,7 +292,7 @@ twisted virglrenderer (Thorsten Alteholz) NOTE: 20221009: Programming language: C. -- -webkit2gtk +webkit2gtk (Emilio) NOTE: 20221105: Programming language: C++. -- xorg-server (Emilio) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad21c7ea149483171ae962f3fd14e0ee6b4bd522
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3182-1 for vim
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: e709418e by Markus Koschany at 2022-11-08T15:40:35+01:00 Reserve DLA-3182-1 for vim - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -29062,7 +29062,6 @@ CVE-2022-2305 (The WordPress Popup WordPress plugin through 1.9.3.8 does not san CVE-2022-2304 (Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0. ...) - vim 2:9.0.0135-1 (bug #1015984) [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) NOTE: https://huntr.dev/bounties/eb7402f3-025a-402f-97a7-c38700d9548a/ NOTE: https://github.com/vim/vim/commit/54e5fed6d27b747ff152cdb6edfb72ff60e70939 (v9.0.0035) CVE-2022-2303 (An issue has been discovered in GitLab CE/EE affecting all versions be ...) @@ -29205,7 +29204,6 @@ CVE-2022-34894 (In JetBrains Hub before 2022.2.14799, insufficient access contro CVE-2022-2285 (Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9 ...) - vim 2:9.0.0135-1 (bug #1015984) [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) NOTE: https://huntr.dev/bounties/64574b28-1779-458d-a221-06c434042736/ NOTE: https://github.com/vim/vim/commit/27efc62f5d86afcb2ecb7565587fe8dea4b036fe (v9.0.0018) CVE-2022-2284 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0. ...) @@ -36350,7 +36348,6 @@ CVE-2022-1968 (Use After Free in GitHub repository vim/vim prior to 8.2. ...) {DLA-3053-1} - vim 2:9.0.0135-1 (bug #1015984) [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) NOTE: https://huntr.dev/bounties/949090e5-f4ea-4edf-bd79-cd98f0498a5b NOTE: https://github.com/vim/vim/commit/409510c588b1eec1ae33511ae97a21eb8e110895 (v8.2.5050) CVE-2022-1967 (The WP Championship WordPress plugin before 9.3 is lacking CSRF checks ...) 
@@ -37737,7 +37734,6 @@ CVE-2022-1898 (Use After Free in GitHub repository vim/vim prior to 8.2. ...) {DLA-3053-1} - vim 2:9.0.0135-1 (bug #1015984) [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) NOTE: https://huntr.dev/bounties/45aad635-c2f1-47ca-a4f9-db5b25979cea NOTE: https://github.com/vim/vim/commit/e2fa213cf571041dbd04ab0329303ffdc980678a (v8.2.5024) CVE-2022-1897 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. ...) @@ -38345,7 +38341,6 @@ CVE-2022-1851 (Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. ... {DLA-3053-1} - vim 2:9.0.0135-1 (bug #1015984) [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) NOTE: https://huntr.dev/bounties/f8af901a-9a46-440d-942a-8f815b59394d NOTE: https://github.com/vim/vim/commit/78d52883e10d71f23ab72a3d8b9733b00da8c9ad (v8.2.5013) CVE-2022-1850 (Path Traversal in GitHub repository filegator/filegator prior to 7.8.0 ...) @@ -40297,7 +40292,6 @@ CVE-2022-1720 (Buffer Over-read in function grab_file_name in GitHub repository {DLA-3053-1} - vim 2:9.0.0135-1 (bug #1015984) [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) NOTE: https://huntr.dev/bounties/5ccfb386-7eb9-46e5-98e5-243ea4b358a8 NOTE: https://github.com/vim/vim/commit/395bd1f6d3edc9f7edb5d1f2d7deaf5a9e3ab93c (v8.2.4956) CVE-2022-1719 (Reflected XSS on ticket filter function in GitHub repository polonel/t ...) @@ -41991,7 +41985,6 @@ CVE-2022-1616 (Use after free in append_command in GitHub repository vim/vim pri {DLA-3011-1} - vim 2:9.0.0135-1 (bug #1015984) [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) NOTE: https://huntr.dev/bounties/40f1d75f-fb2f-4281-b585-a41017f217e2 NOTE: https://github.com/vim/vim/commit/d88934406c5375d88f8f1b65331c9f0cab68cc6c (v8.2.4895) CVE-2022-30320 (Saia Burgess Controls (SBC) PCD through 2022-05-06 uses a Broken or Ri ...) 
@@ -48485,7 +48478,6 @@ CVE-2022-1154 (Use after free in utf_ptr2char in GitHub repository vim/vim prior {DLA-3011-1} - vim 2:8.2.4659-1 [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) NOTE: https://huntr.dev/bounties/7f0ec6bc-ea0e-45b0-8128-caac72d23425 NOTE: https://github.com/vim/vim/commit/b55986c52d4cd88a22d0b0b0e8a79547ba13e1d5 (v8.2.4646) CVE-2022-1153 (The LayerSlider WordPress plugin before 7.1.2 does not sanitise and es ...) @@ -51914,7 +51906,6 @@ CVE-2022-0943 (Heap-based Buffer Overflow occurs in vim in GitHub repository vim {DLA-3053-1} - vim 2:8.2.4659-1 [bullseye] - vim (Minor issue) - [buster] - vim (Minor issue) NOTE: https://huntr.dev/bounties/9e4de32f-ad5f-4830-b3ae-9467b5ab90a1 NOTE:
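Review bot: the hunks shown only remove the "[buster] - vim (Minor issue)" lines, and none of the touched entries gains a {DLA-3182-1} reference, although entries such as CVE-2022-1968 already carry "{DLA-3053-1}" for an earlier DLA. If the reservation is recorded in data/DLA/list (listed among the 3 changed files but not visible here) and the CVE/list references are added at release time, a sentence in the commit message saying so would stop a reader from taking the removals for a not-affected triage.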
[Git][security-tracker-team/security-tracker][master] qemu: update buster triage 2021-2022 for LTS
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e85e39d by Sylvain Beucler at 2022-11-08T14:14:18+01:00 qemu: update buster triage 2021-2022 for LTS - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -50003,9 +50003,9 @@ CVE-2022-1051 (The WPQA Builder Plugin WordPress plugin before 5.2, used as a co CVE-2022-1050 (A flaw was found in the QEMU implementation of VMWare's paravirtual RD ...) - qemu 1:7.1+dfsg-2 (bug #1014589) [bullseye] - qemu (Minor issue) - [buster] - qemu (Minor issue) + [buster] - qemu (Minor issue, waiting for sanctioned patch, patch included in unstable) [stretch] - qemu (rdma devices introduced in v2.12) - NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg05197.html + NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2022-04/msg00273.html CVE-2022-1049 (A flaw was found in the Pacemaker configuration tool (pcs). The pcs da ...) {DSA-5226-1 DLA-3108-1} - pcs 0.11.3-1 @@ -53665,7 +53665,7 @@ CVE-2022-26354 (A flaw was found in the vhost-vsock device of QEMU. In case of e CVE-2022-26353 (A flaw was found in the virtio-net device of QEMU. This flaw was inadv ...) {DSA-5133-1} - qemu 1:7.0+dfsg-1 - [buster] - qemu (Original upstream fix for CVE-2021-3748 not applied) + [buster] - qemu (Original upstream fix for CVE-2021-3748 not applied, new fix applied in DSA) [stretch] - qemu (Original upstream fix for CVE-2021-3748 not applied) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2063197 NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2022-03/msg02438.html 
@@ -64081,7 +64081,7 @@ CVE-2022-0218 (The WP HTML Mail WordPress plugin is vulnerable to unauthorized a CVE-2022-0216 (A use-after-free vulnerability was found in the LSI53C895A SCSI Host B ...) - qemu 1:7.1+dfsg-1 (bug #1014590) [bullseye] - qemu (Minor issue) - [buster] - qemu (Minor issue) + [buster] - qemu (Minor issue, DoS, fix along with next DLA) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2036953 NOTE: https://starlabs.sg/advisories/22/22-0216/ NOTE: https://gitlab.com/qemu-project/qemu/-/issues/972 @@ -77748,7 +77748,7 @@ CVE-2021-3930 (An off-by-one error was found in the SCSI device emulation in QEM CVE-2021-3929 (A DMA reentrancy issue was found in the NVM Express Controller (NVME) ...) - qemu 1:7.0+dfsg-1 [bullseye] - qemu (Minor issue; nvme support preliminary supported) - [buster] - qemu (Minor issue; nvme support preliminary supported) + [buster] - qemu (Minor issue; nvme support preliminary supported, possibly not-affected) [stretch] - qemu (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2020298 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/556 @@ -88053,8 +88053,8 @@ CVE-2021-40320 CVE-2021-3750 (A DMA reentrancy issue was found in the USB EHCI controller emulation ...) - qemu 1:7.0+dfsg-1 [bullseye] - qemu (Minor issue) - [buster] - qemu (Minor issue) - [stretch] - qemu (Fix along with a future DLA) + [buster] - qemu (Minor issue, fix along with next DLA) + [stretch] - qemu (Fix along with next DLA) NOTE: https://gitlab.com/qemu-project/qemu/-/issues/541 NOTE: Fix for whole class of DMA MMIO reentrancy issues: https://gitlab.com/qemu-project/qemu/-/issues/556 NOTE: Patchset: https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg03692.html 
@@ -88072,6 +88072,7 @@ CVE-2021-3748 (A use-after-free vulnerability was found in the virtio-net device {DSA-4980-1 DLA-3099-1 DLA-2970-1} - qemu 1:6.1+dfsg-6 (bug #993401) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1998514 + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6 (v6.2.0-rc0) NOTE: When fixing this issue make sure to not open CVE-2022-26353 CVE-2021-40319 RESERVED @@ -88638,10 +88639,9 @@ CVE-2021-3739 (A NULL pointer dereference flaw was found in the btrfs_rm_device CVE-2021-3735 (A deadlock issue was found in the AHCI controller device of QEMU. It o ...) - qemu (bug #1014767) [bullseye] - qemu (Minor issue) - [buster] - qemu (Minor issue) - [stretch] - qemu (Fix along with a future DLA) + [buster] - qemu (Minor issue, waiting for patch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1997184 - NOTE: No upstream patch as of 2022-01-28 + NOTE: No upstream patch as of 2022-11-08 CVE-2021-40083 (Knot Resolver before 5.3.2 is prone to an assertion failure, triggerab ...) [experimental] - knot-resolver 5.4.1-1 - knot-resolver 5.4.1-2
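Review bot: "possibly not-affected" in the new [buster] line on CVE-2021-3929 leaves the status undecided; either check against the linked qemu issue whether the preliminary nvme code in buster's version contains the reentrant path and mark it not-affected with the reason, or keep just "Minor issue" and put what is still unknown in a NOTE.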
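Review bot: the CVE-2021-3750 hunk keeps and updates its [stretch] line ("Fix along with next DLA") while the CVE-2021-3735 hunk in the same commit deletes its [stretch] line; pick one treatment for stretch across the qemu entries touched today so the suite status is not read differently per entry.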
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 65770c45 by Salvatore Bonaccorso at 2022-11-08T13:13:59+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7757,19 +7757,19 @@ CVE-2022-43054 CVE-2022-43053 RESERVED CVE-2022-43052 (Online Diagnostic Lab Management System v1.0 was discovered to contain ...) - TODO: check + NOT-FOR-US: Online Diagnostic Lab Management System CVE-2022-43051 (Online Diagnostic Lab Management System v1.0 was discovered to contain ...) - TODO: check + NOT-FOR-US: Online Diagnostic Lab Management System CVE-2022-43050 (Online Tours Travels Management System v1.0 was discovered to co ...) - TODO: check + NOT-FOR-US: Online Tours & Travels Management System CVE-2022-43049 (Canteen Management System Project v1.0 was discovered to contain a SQL ...) - TODO: check + NOT-FOR-US: Canteen Management System Project CVE-2022-43048 RESERVED CVE-2022-43047 RESERVED CVE-2022-43046 (Food Ordering Management System v1.0 was discovered to contain a cross ...) - TODO: check + NOT-FOR-US: Food Ordering Management System CVE-2022-43045 (GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segm ...) - gpac [bullseye] - gpac (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/65770c458b04c62d984b858d2372c05cff95a727
[Git][security-tracker-team/security-tracker][master] CVE-2022-3872/qemu: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 81631ea8 by Sylvain Beucler at 2022-11-08T12:16:33+01:00 CVE-2022-3872/qemu: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -40,8 +40,10 @@ CVE-2022-3873 (Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/draw NOT-FOR-US: jgraph/drawio CVE-2022-3872 (An off-by-one read/write issue was found in the SDHCI device of QEMU. ...) - qemu + [buster] - qemu (Minor issue, DoS, waiting for sanctioned patch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2140567 - NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg01068.html + NOTE: patch proposal 1: https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg01068.html + NOTE: patch proposal 2: https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg01161.html CVE-2022-45043 RESERVED CVE-2022-45042 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/81631ea8c16d131e8d4a951a70ed5e6fb430e2a8
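Review bot: CVE-2022-3872 now has a [buster] line but still no [bullseye] line and no fixed version, while both NOTEs point at competing patch proposals; if bullseye is likewise waiting for the sanctioned patch, an explicit [bullseye] annotation (as CVE-2022-1050 carries in commit 2e85e39d) would make that visible instead of leaving bullseye implicitly open.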
[Git][security-tracker-team/security-tracker][master] dla: phpseclib,php-phpseclib: update status
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 00ea0937 by Sylvain Beucler at 2022-11-08T12:01:58+01:00 dla: phpseclib,php-phpseclib: update status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -191,7 +191,9 @@ php-cas -- php-phpseclib (Sylvain Beucler) NOTE: 20220909: Programming language: PHP. - NOTE: 20220909: Note the discussion whether 2.0 is in fact affected by the CVE or not. It looks like it is affected by a small part of it that is best to fix.. + NOTE: 20220909: Note the discussion whether 2.0 is in fact affected by the CVE or not. It looks like it is affected by a small part of it that is best to fix.. (ola) + NOTE: 20221104: Attempted to clarify vulnerability status (cf. 02cd83d1d917dc5964440185226aa11e40058546) (Beuc) + NOTE: 20221108: buster is missing testsuite in both phpseclib packages, contacted maintainer to decide whether to backport testsuite or just bump version (Beuc) -- php7.3 NOTE: 20221031: Programming language: C. 
@@ -199,7 +201,9 @@ php7.3 -- phpseclib (Sylvain Beucler) NOTE: 20220909: Programming language: PHP. - NOTE: 20220909: Note the discussion whether 2.0 is in fact affected by the CVE or not. It looks like it is affected by a small part of it that is best to fix.. + NOTE: 20220909: Note the discussion whether 1.0 is in fact affected by the CVE or not. It looks like it is affected by a small part of it that is best to fix.. (ola) + NOTE: 20221104: Attempted to clarify vulnerability status (cf. 02cd83d1d917dc5964440185226aa11e40058546) (Beuc) + NOTE: 20221108: buster is missing testsuite in both phpseclib packages, contacted maintainer to decide whether to backport testsuite or just bump version (Beuc) -- pluxml NOTE: 20220913: Programming language: PHP. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00ea09374e10b0c8053c5eaf0f3eb6a856eaca00
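Review bot: the 20220909 NOTE is rewritten in both entries (2.0 under php-phpseclib, 1.0 under phpseclib) but keeps the stray double period in "best to fix.."; since the line is touched anyway to add the (ola) attribution, drop the extra period. The 20221104 NOTE cites a bare commit hash (02cd83d1d917dc5964440185226aa11e40058546) with no indication of which repository it belongs to; a short "(security-tracker commit ...)" or a link would save the next reader a lookup.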
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1065b6a6 by security tracker role at 2022-11-08T08:10:17+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,19 @@ +CVE-2022-45045 + RESERVED +CVE-2022-3890 + RESERVED +CVE-2022-3889 + RESERVED +CVE-2022-3888 + RESERVED +CVE-2022-3887 + RESERVED +CVE-2022-3886 + RESERVED +CVE-2022-3885 + RESERVED +CVE-2022-3884 + RESERVED CVE-2022-45044 RESERVED CVE-2022-3883 @@ -22,8 +38,7 @@ CVE-2022-3874 RESERVED CVE-2022-3873 (Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio pr ...) NOT-FOR-US: jgraph/drawio -CVE-2022-3872 [sdhci: buffer data port register off-by-one read/write] - RESERVED +CVE-2022-3872 (An off-by-one read/write issue was found in the SDHCI device of QEMU. ...) - qemu NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2140567 NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg01068.html @@ -7092,8 +7107,8 @@ CVE-2022-43361 (Senayan Library Management System v9.4.2 was discovered to conta NOT-FOR-US: Senayan Library Management System CVE-2022-43360 RESERVED -CVE-2022-43359 - RESERVED +CVE-2022-43359 (Gifdec commit 1dcbae19363597314f6623010cc80abad4e47f7c was discovered ...) + TODO: check CVE-2022-43358 RESERVED CVE-2022-43357 
@@ -7739,20 +7754,20 @@ CVE-2022-43054 RESERVED CVE-2022-43053 RESERVED -CVE-2022-43052 - RESERVED -CVE-2022-43051 - RESERVED -CVE-2022-43050 - RESERVED -CVE-2022-43049 - RESERVED +CVE-2022-43052 (Online Diagnostic Lab Management System v1.0 was discovered to contain ...) + TODO: check +CVE-2022-43051 (Online Diagnostic Lab Management System v1.0 was discovered to contain ...) + TODO: check +CVE-2022-43050 (Online Tours Travels Management System v1.0 was discovered to co ...) + TODO: check +CVE-2022-43049 (Canteen Management System Project v1.0 was discovered to contain a SQL ...) + TODO: check CVE-2022-43048 RESERVED CVE-2022-43047 RESERVED -CVE-2022-43046 - RESERVED +CVE-2022-43046 (Food Ordering Management System v1.0 was discovered to contain a cross ...) + TODO: check CVE-2022-43045 (GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segm ...) - gpac [bullseye] - gpac (Minor issue) @@ -11966,12 +11981,12 @@ CVE-2022-41436 (An issue in OXHOO TP50 OXH1.50 allows unauthenticated attackers NOT-FOR-US: OXHOO CVE-2022-41435 (OpenWRT LuCI version git-22.140.66206-02913be was discovered to contai ...) NOT-FOR-US: OpenWRT LuCI -CVE-2022-41434 - RESERVED -CVE-2022-41433 - RESERVED -CVE-2022-41432 - RESERVED +CVE-2022-41434 (EyesOfNetwork Web Interface v5.3 was discovered to contain a reflected ...) + TODO: check +CVE-2022-41433 (EyesOfNetwork Web Interface v5.3 was discovered to contain a reflected ...) + TODO: check +CVE-2022-41432 (EyesOfNetwork Web Interface v5.3 was discovered to contain a reflected ...) + TODO: check CVE-2022-41431 (xzs v3.8.0 was discovered to contain a cross-site scripting (XSS) vuln ...) NOT-FOR-US: xzs CVE-2022-41430 (Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP ...) 
@@ -39285,8 +39300,8 @@ CVE-2022-31201 (SoftGuard Web (SGW) before 5.1.5 allows HTML injection. ...) NOT-FOR-US: SoftGuard Web CVE-2022-31200 RESERVED -CVE-2022-31199 - RESERVED +CVE-2022-31199 (Remote code execution vulnerabilities exist in the Netwrix Auditor Use ...) + TODO: check CVE-2022-1797 (A malformed Class 3 common industrial protocol message with a cached c ...) NOT-FOR-US: Rockwell Automation CVE-2022-31198 (OpenZeppelin Contracts is a library for secure smart contract developm ...) @@ -140932,8 +140947,8 @@ CVE-2020-35474 (In MediaWiki before 1.35.1, the combination of Html::rawElement [stretch] - mediawiki (Introduced in 1.35) NOTE: https://phabricator.wikimedia.org/T268894 NOTE: https://lists.wikimedia.org/pipermail/wikitech-l/2020-December/094126.html -CVE-2020-35473 - RESERVED +CVE-2020-35473 (An information leakage vulnerability in the Bluetooth Low Energy adver ...) + TODO: check CVE-2020-35472 RESERVED CVE-2020-35471 (Envoy before 1.16.1 mishandles dropped and truncated datagrams, as dem ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1065b6a6b3854e083a6f1cfb9834e495273f3548
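Review bot: in the CVE-2022-3872 hunk (the "@@ -22,8 +38,7 @@" region) the automatic update swaps the placeholder title "[sdhci: buffer data port register off-by-one read/write]" for the published description, but the "- qemu" line still carries no fix status: no fixed version, no <unfixed> marker and no Debian bug reference, even though the two NOTE links already point at the Red Hat bug and the upstream qemu-devel patch thread. Record the bug number and the fixed version as soon as the patch lands so the entry does not remain description-only while the sub-entries around it (e.g. gpac with "[bullseye] - gpac (Minor issue)") carry full dispositions.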
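Review bot: the CVE-2022-43052 through CVE-2022-43046 hunk ("@@ -7739,20 +7754,20 @@") leaves five newly described entries at "TODO: check" (Online Diagnostic Lab Management System, Online Tours Travels Management System, Canteen Management System Project, Food Ordering Management System). These are the same kind of small web-application projects that neighbouring entries such as Senayan Library Management System, xzs and OpenWRT LuCI already resolve to NOT-FOR-US; once a quick check confirms none of them is packaged in Debian, close each with a "NOT-FOR-US: <project>" line rather than leaving the TODO open, so the automatic update's next run does not accumulate untriaged rows in this block.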
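Review bot: in the CVE-2022-41434, CVE-2022-41433 and CVE-2022-41432 hunk ("@@ -11966,12 +11981,12 @@") all three entries carry the identical truncated description "EyesOfNetwork Web Interface v5.3 was discovered to contain a reflected ..." and the identical "TODO: check"; when these are triaged, the resolving line should state what distinguishes them (page or parameter), otherwise the three IDs become indistinguishable in the tracker and a later duplicate or REJECTED status for one of them is easy to miss. As with the adjacent xzs and OpenWRT LuCI entries, NOT-FOR-US is the likely outcome if EyesOfNetwork is not packaged, but that needs confirming before the TODO is closed.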
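Review bot: in the CVE-2020-35473 hunk ("@@ -140932,8 +140947,8 @@") the truncated description "An information leakage vulnerability in the Bluetooth Low Energy adver ..." cuts off before naming the affected product, unlike the adjacent CVE-2020-35471 (Envoy) and CVE-2020-35474 (MediaWiki) rows where the component is visible, so the "TODO: check" cannot be resolved from this line alone; pull the full CVE text before deciding between a Debian source package and NOT-FOR-US. Because this is a 2020 identifier that only now received a description, the triage should also cover the older releases (the MediaWiki entry above shows the expected "[stretch] - ..." form) rather than only unstable.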
